MS2 Demo Scenario infrastructure

Owned by Allan Bernard
Last updated: Oct 13, 2023
5 min read

 

  1. SandBox preconfigured x-road servers use kubernetes service names as service urls inside the cluster. This means that access between preconfigured components is only available inside the same namespace as x-road central server. In order to allow access from outside the namespace, we needed to change all server configuration (manually) in Cenrtal Server Admin GUI ( https://cs.im.sandbox-playground.com:4000/ user: xrd, pass: secret).

    1. Change the central server URL to sandbox-xroad-cs.sandbox-im.svc.cluster.local

    2. Change the security server addresses to sandbox-xroad-ss#.sandbox-im.svc.cluster.local

    3. Change the TSA, OCSP addresses to *.sandbox-im.svc.cluster.local

    4. The configuration changes should automatically be synced to security servers via x-road globalconfiguration

  2. In order for the security servers to be able to send messages to each other, they need to know the location of the TSA service in order to add timestamps to messages. In case the security servers do not have a TSA server configured (even though it is declared in the global configuration).

    1. For each security server admin service

      1. Log in as user:xrd pass: secret

      2. Add new TSP with full url

  3. Register management-api (& messaging-api) subsystem(s) in SS3 admin

    1. Remember to disable HTTPS between the security server and the service application (management-api) .

    2. Add REST services under Services (Add REST button) with proper service codes


      messaging-api - http://messaging-api.im.sandbox-playground.com:8090/openapi?format=json
      management-api - http://management-api.im.sandbox-playground.com:8080/v3/api-docs

    3. Click on the created service codes (open the accordion for each) and add access rights to SANDBOX:ORG:CLIENT:TEST (in the modal, just search with default empty fields, it will show up)

    4. Make request, to SS2 pubsub management-api:

      1. In postman, add header "X-Road-Client":"SANDBOX/ORG/CLIENT/TEST"

      2. make requests to https://ss2.im.sandbox-playground.com:8443/r1/SANDBOX/GOV/PROVIDER/TEST/management-api/rooms/SANDBOX%2FORG%2FCLIENT%2FTEST/PatientPortal/subscriptions

  4. Register new X-Road Member (SS4) in CS

    1. Log into CS at https://cs.im.sandbox-playground.com:4000/ as xrd/secret -> Clients -> [ADD MEMBER]

    2. Member Details:

      1. Member name: Client2

      2. Member class: ORG

      3. Member code: CLIENT2

      4. [NEXT]

    3. Download X-Road Instance Internal Configuration Anchor from CSS from -> Global Configuration -> Internal Configuration -> Anchor -> [RE-CREATE] + [DOWNLOAD]

  5. Log into SS4 at https://niis-ss.ss04.im.sandbox-playground.com:4000/

    1. Initialize configuration wizard is shown.

    2. Apply X-Road Instance Internal Configuration Anchor File from (from 4.c)
      https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> [UPLOAD] -> anchor from  step 4.c -> [CONFIRM] -> [CONTINUE]

    3. Initial configuration for Security Server instance

      1. Member class, select class defined in CS setup step 4.b (eg. ORG)

      2. Member code, select class defined in CS setup step 4.b (eg. CLIENT2)

      3. Security Server Code (eg. SS4)

      4. [CONTINUE]

      5. Input software token PIN & Confirm PIN (eg. 0123456789Aa) -> [SUBMIT]

      6. "Please enter soft token PIN" -> [LOG IN] -> Token PIN (from step 5.c.v) -> [LOG IN]

    4. Create SIGN key

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> [ADD KEY]

      2. Key label: none -> [NEXT]

      3. Keytype and format

        1. Usage: SIGNING

        2. Client: SANDBOX:ORG:CLIENT2

        3. Certificate Service: Test CA

        4. CSR Format: DER

        5. [CONTINUE]

      4. [GENERATE CSR] -> [DONE]

    5. Create AUTH key

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> [ADD KEY]

      2. Key label: none -> [NEXT]

      3. Keytype and format

        1. Usage: AUTHENTICATION

        2. Certificate Service: Test CA

        3. CSR Format: DER

        4. [CONTINUE]

      4. [GENERATE CSR] -> [DONE]

    6. Use fake CA UI to sign the CSRs

      1. http://cs.im.sandbox-playground.com:9998/

      2. Sign SIGNING CSR

        1. [Browse] -> select CSR created in step 5.d -> Type: Autodetect from file name -> [Sign]

      3. Sign AUTHENTICATION CSR

        1. [Browse] -> select CSR created in step 5.e -> Type: Autodetect from file name -> [Sign]

    7. Import SIGN and AUTHENTICATION certificates

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> [IMPORT CERT.] -> select certificate received from step 5.3

      2. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> [IMPORT CERT.] -> select certificate received from step 5.4

    8. Activate the authentication certificate

      1. Keys and certificates -> Click on key name (Test CA ##) -> Press [ACTIVATE] in cert popup

      2. NB! Takes time for the certificate activation to be propagated to CS and global configuration

    9. Register Security Server

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> Auth Key and Certificate -> [Register]

      2. Security server DNS name or IP address: x-road-niis-ss.ss04-sandbox-im.svc.cluster.local -> [ADD]

    10. Setup Timestamping service

      1. https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> SETTINGS -> Timestamping Services -> [ADD] -> select "Test TSA" -> [ADD]

  6. Register PUBSUB subsystem in SS4

    1. Log into https://niis-ss.ss04.im.sandbox-playground.com:4000/ as user:xrd pass:secret

    2. Clients -> [ADD SUBSYSTEM] ->  Subsystem Code: PUBSUB -> [ADD SUBSYSTEM]

    3. Clients -> [REGISTER]
      NB! May time until registration is complete and subsystem gets registered

  7. Register PubSub APIs as services in newly created PUBSUB subsystem

    1. open https://niis-ss.ss04.im.sandbox-playground.com:4000/ as user:xrd pass:secret

    2. Clients -> PUBSUB subsystem -> Services -> [ADD REST]

      1. http://messaging-api.ss04.im.sandbox-playground.com:8090/openapi?format=json

      2. http://management-api.ss04.im.sandbox-playground.com:8080/v3/api-docs

    3. Add access for client subsystem SANDBOX:ORG:CLIENT:TEST

      1. Clients -> PUBSUB subsystem -> Service Clients ->  [ADD SUBJECT]

      2. Select "Client" (SANDBOX:ORG:CLIENT:TEST) -> [NEXT]

      3. Tick both API services -> [ADD SELECTED]

    4. Activate services

      1. Clients -> PUBSUB subsystem -> Services

      2. Toggle both API services to active

  8. Should be able to query pubsub services now through SS2 (SANDBOX:ORG:CLIENT:TEST)

    1.  

      curl \ --location 'https://ss2.im.sandbox-playground.com:8443/r1/SANDBOX/ORG/CLIENT2/PUBSUB/management-api/rooms/SANDBOX%2FORG%2FCLIENT%2FTEST/PatientPortal/subscriptions' \ --header 'X-Road-Client: SANDBOX/ORG/CLIENT/TEST' \ --insecure

       

Security Server API access key issuance for management API

  1. Management api consumes X-Road Security Server Admin API in order to find all members that are eligible to access IMBB PubSub service. In order to access the Security Servcer Admin API, an API Key must be issued from Security Server Admin UI.

    1. Log into security server (any security server that wants to provide pubsub service, eg. https://ss3.im.sandbox-playground.com:4000/, user: xrd, pass: secret

    2. Navigate to: Keys and Certificates → API Keys → [CREATE API KEY]

    3. The required role for querying members list is Service Administrator. Select it and press next.

    4. Click [CREATE KEY] to generate new API key. Copy the API key for usage later. For security purposes, fhe API key can be viewed only once in the Admin UI.

    5. The API key must be used as a configuration parameter management.xroad-admin-client.api-key value in management-api component configuration.