SandBox preconfigured x-road servers use kubernetes service names as service urls inside the cluster. This means that access between preconfigured components is only available inside the same namespace as x-road central server. In order to allow access from outside the namespace, we needed to change all server configuration (manually) in Cenrtal Server Admin GUI ( https://cs.im.sandbox-playground.com:4000/ user: xrd, pass: secret).
Change the central server URL to sandbox-xroad-cs.sandbox-im.svc.cluster.local
Change the security server addresses to sandbox-xroad-ss#.sandbox-im.svc.cluster.local
Change the TSA, OCSP addresses to *.sandbox-im.svc.cluster.local
The configuration changes should automatically be synced to security servers via x-road globalconfiguration
In order for the security servers to be able to send messages to each other, they need to know the location of the TSA service in order to add timestamps to messages. In case the security servers do not have a TSA server configured (even though it is declared in the global configuration).
For each security server admin service
Log in as user:xrd pass: secret
Add new TSP with full url
Register management-api (& messaging-api) subsystem(s) in SS3 admin
Remember to disable HTTPS between the security server and the service application (management-api) .
Add REST services under Services (Add REST button) with proper service codes
messaging-api - http://messaging-api.im.sandbox-playground.com:8090/openapi?format=json
management-api - http://management-api.im.sandbox-playground.com:8080/v3/api-docsClick on the created service codes (open the accordion for each) and add access rights to SANDBOX:ORG:CLIENT:TEST (in the modal, just search with default empty fields, it will show up)
Make request, to SS2 pubsub management-api:
In postman, add header "X-Road-Client":"SANDBOX/ORG/CLIENT/TEST"
make requests to https://ss2.im.sandbox-playground.com:8443/r1/SANDBOX/GOV/PROVIDER/TEST/management-api/rooms/SANDBOX%2FORG%2FCLIENT%2FTEST/PatientPortal/subscriptions
Register new X-Road Member (SS4) in CS
Log into CS at https://cs.im.sandbox-playground.com:4000/ as xrd/secret -> Clients -> [ADD MEMBER]
Member Details:
Member name:
Client2
Member class:
ORG
Member code:
CLIENT2
[NEXT]
Download X-Road Instance Internal Configuration Anchor from CSS from -> Global Configuration -> Internal Configuration -> Anchor -> [RE-CREATE] + [DOWNLOAD]
Log into SS4 at https://niis-ss.ss04.im.sandbox-playground.com:4000/
Initialize configuration wizard is shown.
Apply X-Road Instance Internal Configuration Anchor File from (from 4.c)
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> [UPLOAD] -> anchor from step 4.c -> [CONFIRM] -> [CONTINUE]Initial configuration for Security Server instance
Member class, select class defined in CS setup step 4.b (eg.
ORG
)Member code, select class defined in CS setup step 4.b (eg.
CLIENT2
)Security Server Code (eg.
SS4
)[CONTINUE]
Input software token PIN & Confirm PIN (eg.
0123456789Aa
) -> [SUBMIT]"Please enter soft token PIN" -> [LOG IN] -> Token PIN (from step 5.c.v) -> [LOG IN]
Create SIGN key
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> [ADD KEY]
Key label: none -> [NEXT]
Keytype and format
Usage:
SIGNING
Client:
SANDBOX:ORG:CLIENT2
Certificate Service:
Test CA
CSR Format:
DER
[CONTINUE]
[GENERATE CSR] -> [DONE]
Create AUTH key
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> [ADD KEY]
Key label: none -> [NEXT]
Keytype and format
Usage:
AUTHENTICATION
Certificate Service:
Test CA
CSR Format:
DER
[CONTINUE]
[GENERATE CSR] -> [DONE]
Use fake CA UI to sign the CSRs
Sign SIGNING CSR
[Browse] -> select CSR created in step 5.d -> Type: Autodetect from file name -> [Sign]
Sign AUTHENTICATION CSR
[Browse] -> select CSR created in step 5.e -> Type: Autodetect from file name -> [Sign]
Import SIGN and AUTHENTICATION certificates
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> [IMPORT CERT.] -> select certificate received from step 5.3
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> [IMPORT CERT.] -> select certificate received from step 5.4
Activate the authentication certificate
Keys and certificates -> Click on key name (Test CA ##) -> Press [ACTIVATE] in cert popup
NB! Takes time for the certificate activation to be propagated to CS and global configuration
Register Security Server
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> KEYS AND CERTIFICATES -> Token: softToken-0 [V] -> Auth Key and Certificate -> [Register]
Security server DNS name or IP address:
x-road-niis-ss.ss04-sandbox-im.svc.cluster.local
-> [ADD]
Setup Timestamping service
https://niis-ss.ss04.im.sandbox-playground.com:4000/ -> SETTINGS -> Timestamping Services -> [ADD] -> select "Test TSA" -> [ADD]
Register PUBSUB subsystem in SS4
Log into https://niis-ss.ss04.im.sandbox-playground.com:4000/ as user:xrd pass:secret
Clients -> [ADD SUBSYSTEM] -> Subsystem Code: PUBSUB -> [ADD SUBSYSTEM]
Clients -> [REGISTER]
NB! May time until registration is complete and subsystem gets registered
Register PubSub APIs as services in newly created PUBSUB subsystem
open https://niis-ss.ss04.im.sandbox-playground.com:4000/ as user:xrd pass:secret
Clients -> PUBSUB subsystem -> Services -> [ADD REST]
Add access for client subsystem
SANDBOX:ORG:CLIENT:TEST
Clients -> PUBSUB subsystem -> Service Clients -> [ADD SUBJECT]
Select "Client" (SANDBOX:ORG:CLIENT:TEST) -> [NEXT]
Tick both API services -> [ADD SELECTED]
Activate services
Clients -> PUBSUB subsystem -> Services
Toggle both API services to active
Should be able to query pubsub services now through SS2 (
SANDBOX:ORG:CLIENT:TEST)
curl \ --location 'https://ss2.im.sandbox-playground.com:8443/r1/SANDBOX/ORG/CLIENT2/PUBSUB/management-api/rooms/SANDBOX%2FORG%2FCLIENT%2FTEST/PatientPortal/subscriptions' \ --header 'X-Road-Client: SANDBOX/ORG/CLIENT/TEST' \ --insecure
Security Server API access key issuance for management API
Management api consumes X-Road Security Server Admin API in order to find all members that are eligible to access IMBB PubSub service. In order to access the Security Servcer Admin API, an API Key must be issued from Security Server Admin UI.
Log into security server (any security server that wants to provide pubsub service, eg. https://ss3.im.sandbox-playground.com:4000/, user: xrd, pass: secret
Navigate to: Keys and Certificates → API Keys → [CREATE API KEY]
The required role for querying members list is
Service Administrator
. Select it and press next.Click [CREATE KEY] to generate new API key. Copy the API key for usage later. For security purposes, fhe API key can be viewed only once in the Admin UI.
The API key must be used as a configuration parameter
management.xroad-admin-client.api-key
value in management-api component configuration.