V11.0.2 update

.gitignore

@@ -1,3 +1,12 @@
 .DS_Store
 local/*
 !*.keep
+*.swp
+ISAM-Trial-IBM.cer
+*pyenv/*
+*.pem
+*.crt
+*.key
+*.p12
+config.yml
+*.log

README.md

@@ -27,9 +27,9 @@ The docker compose scripts will create a `$HOME/dockershare` directory.  If you
 All passwords set by these scripts are `Passw0rd`.  Obviously this is not a secure password!
 
 # Create Keystores
-Before running any other scripts, run `verify-access-container-deployment/common/create-ldap-and-postgres-isvaop-keys.sh`
+Before running any other scripts, run `verify-access-container-deployment/common/create-ivia-pki.sh`
 
-This will create the `verify-access-container-deployment/local/dockerkeys` directory and populate it with keystores for PostgreSQL and OpenLDAP containers.
+This will create the `verify-access-container-deployment/local/dockerkeys` directory and populate it with keystores for PostgreSQL, OpenLDAP, IVIA WebSEAL Reverse proxy, IVIA OIDC Provider, and IVIA Digital Credential containers.
 
 # Native Docker
 To set up a native Docker environment, use the files in `verify-access-container-deployment/docker`.
@@ -74,6 +74,8 @@ These scripts assume that you have the `kubectl` utility installed and that it i
 
 First, run `./create-secrets.sh` command to create the secrets required for the environment.
 
+Next, run `./create-configmap.sh` command to create the config map required for the environment.
+
 Then, run `kubectl create -f <YAML file>` to define the resources required.
 
 There are YAML files for the following environments:

common/create-ivia-pki.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# Get directory for this script
+RUNDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+if [ -z "$RUNDIR" ] ; then
+  echo "Failed to get local path"
+  exit 1  # fail
+fi
+
+# Get environment from common/env-config.sh
+. $RUNDIR/env-config.sh
+
+LDAP_CERT_DN="/CN=openldap/O=ibm/C=us"
+POSTGRES_CERT_DN="/CN=postgresql/O=ibm/C=us"
+ISVAOP_CERT_DN="/CN=isvaop.ibm.com/O=ibm/C=us"
+ISVADC_CERT_DN="/CN=iviadc.ibm.com/O=ibm/C=us"
+ISVAWRP_CERT_DN="/CN=isvawrp.ibm.com/O=ibm/C=us"
+if [ ! -d "$DOCKERKEYS" ]; then mkdir $DOCKERKEYS; fi
+if [ ! -d "$DOCKERKEYS/openldap" ]; then mkdir $DOCKERKEYS/openldap; fi
+if [ ! -d "$DOCKERKEYS/postgresql" ]; then mkdir $DOCKERKEYS/postgresql; fi
+if [ ! -d "$DOCKERKEYS/isvaop" ]; then mkdir $DOCKERKEYS/isvaop; fi
+if [ ! -d "$DOCKERKEYS/isvaop/personal" ]; then mkdir $DOCKERKEYS/isvaop/personal; fi
+if [ ! -d "$DOCKERKEYS/isvaop/signer" ]; then mkdir $DOCKERKEYS/isvaop/signer; fi
+if [ ! -d "$DOCKERKEYS/iviadc" ]; then mkdir $DOCKERKEYS/iviadc; fi
+if [ ! -d "$DOCKERKEYS/isvawrp" ]; then mkdir $DOCKERKEYS/isvawrp; fi
+
+# Create a key/cert we can use for webseal which can be imported by the OP and DC containers
+# The PKCS12 needs to be imported to the default WebSEAL runtime keystore (pdsrv) once the ivia-config
+# container has started.
+if [ ! -f "$DOCKERKEYS/isvawrp/isvawrp.pem" ] || [ ! -f "$DOCKERKEYS/isvawrp/isvawrp.key" ]
+then
+    echo "Creating IVIA WebSEAL Reverse Proxy certificate files"
+    openssl req -newkey rsa:4096 -nodes -inform PEM -keyout $DOCKERKEYS/isvawrp/isvawrp.key -x509 -days 3650 -out $DOCKERKEYS/isvawrp/isvawrp.pem -subj $ISVAWRP_CERT_DN -addext "subjectAltName = DNS:www.iamlab.ibm.com, DNS:iviawrprp1, DNS:iviawrprp1:9443"
+    openssl pkcs12 -export -out $DOCKERKEYS/isvawrp/isvawrp.p12 -inkey $DOCKERKEYS/isvawrp/isvawrp.key -name wrp.ibm.com -in $DOCKERKEYS/isvawrp/isvawrp.pem --passout pass:Passw0rd
+else
+    echo "ISVADC PKI files found - using existing certificate and key files"
+fi
+cp "$DOCKERKEYS/isvawrp/isvawrp.pem" ${IVIAOPCONFIG}
+cp "$DOCKERKEYS/isvawrp/isvawrp.pem" ${IVIADCCONFIG}
+
+
+if [ ! -f "$DOCKERKEYS/openldap/ldap.key" ] || [ ! -f "$DOCKERKEYS/openldap/ldap.crt" ]
+then
+    echo "Creating LDAP certificate files"
+  openssl req -x509 -newkey rsa:4096 -keyout $DOCKERKEYS/openldap/ldap.key -out $DOCKERKEYS/openldap/ldap.crt -days 3650 -subj $LDAP_CERT_DN -nodes
+else
+    echo "LDAP certificate files found - using existing certificate files"
+fi
+
+# Same for dhparam.pem file
+if [ ! -f "$DOCKERKEYS/openldap/dhparam.pem" ]
+then
+    echo "Creating LDAP dhparam.pem"
+    openssl dhparam -out "$DOCKERKEYS/openldap/dhparam.pem" 2048
+else
+    echo "LDAP dhparam.pem file found - using existing file"
+fi
+
+cp "$DOCKERKEYS/openldap/ldap.crt" "$DOCKERKEYS/openldap/ca.crt"
+
+if [ ! -f "$DOCKERKEYS/postgresql/postgres.key" ] || [ ! -f "$DOCKERKEYS/postgresql/postgres.crt" ]
+then
+    echo "Creating postgres certificate files"
+    openssl req -x509 -newkey rsa:4096 -keyout $DOCKERKEYS/postgresql/postgres.key -out $DOCKERKEYS/postgresql/postgres.crt -days 3650 -subj $POSTGRES_CERT_DN -nodes -addext "subjectAltName = DNS:postgresql"
+else
+    echo "Postgres certificate files found - using existing certificate files"
+fi
+
+cat  "$DOCKERKEYS/postgresql/postgres.crt" "$DOCKERKEYS/postgresql/postgres.key" > "$DOCKERKEYS/postgresql/server.pem"
+cp "$DOCKERKEYS/postgresql/postgres.crt" ${IVIAOPCONFIG}
+
+if [ ! -f "$DOCKERKEYS/isvaop/personal/isvaop.key" ] || [ ! -f "$DOCKERKEYS/isvaop/signer/isvaop.pem" ]
+then
+    echo "Creating ISVAOP certificate files"
+    openssl req -newkey rsa:2048 -nodes -inform PEM -keyout $DOCKERKEYS/isvaop/personal/isvaop.key -x509 -days 3650 -out $DOCKERKEYS/isvaop/signer/isvaop.pem -subj $ISVAOP_CERT_DN -addext "subjectAltName = DNS:isvaop"
+    chmod g+r $DOCKERKEYS/isvaop/personal/isvaop.key
+else
+    echo "ISVAOP certificate files found - using existing certificate files"
+fi
+cp "$DOCKERKEYS/isvaop/personal/isvaop.key" ${IVIAOPCONFIG}
+cp "$DOCKERKEYS/isvaop/signer/isvaop.pem" ${IVIAOPCONFIG}
+
+if [ ! -f "$DOCKERKEYS/iviadc/iviadc.pem" ] || [ ! -f "$DOCKERKEYS/iviadc/iviadc.key" ]
+then
+    echo "Creating IVIADC certificate files"
+    openssl req -newkey rsa:4096 -nodes -inform PEM -keyout $DOCKERKEYS/iviadc/iviadc.key -x509 -days 3650 -out $DOCKERKEYS/iviadc/iviadc.pem -subj $ISVADC_CERT_DN -addext "subjectAltName = DNS:iviadc"
+    chmod g+r $DOCKERKEYS/iviadc/iviadc.key
+else
+    echo "ISVADC PKI files found - using existing certificate and key files"
+fi
+#cat "$DOCKERKEYS/iviadc/iviadc.key" "$DOCKERKEYS/iviadc/iviadc.pem" > ${IVIADCCONFIG}/keydb.pem
+cp "$DOCKERKEYS/iviadc/iviadc.pem" ${IVIADCCONFIG}/
+cp "$DOCKERKEYS/iviadc/iviadc.key" ${IVIADCCONFIG}/
+cp "$DOCKERKEYS/postgresql/postgres.crt" ${IVIADCCONFIG}/
+
+if [ ! -f "${IVIADCCONFIG}/config.yml" ] && [ -f "${IVIADCCONFIG}/config.template" ]; then
+    read -p "Digital Credential License Code: [invalid_dc_code]" DC_CODE
+    if [ -z "$DC_CODE" ]; then
+        DC_CODE="invalid_dc_code"
+    fi
+    sed -e "s|@@ISVADC_LICENSE@@|$DC_CODE|g" "${IVIADCCONFIG}/config.template" > "${IVIADCCONFIG}/config.yml"
+fi

common/env-config.sh

@@ -20,10 +20,11 @@ MY_WEB2_IP=127.0.0.4
 
 # Versions
 CONTAINER_BASE=icr.io/ivia/ivia
-ISVA_VERSION=11.0.0.0
+ISVA_VERSION=11.0.1.0
 LDAP_VERSION=latest
-DB_VERSION=11.0.0.0
-IVIAOP_VERSION=24.12
+DB_VERSION=11.0.1.0
+IVIAOP_VERSION=25.03
+IVIADC_VERSION=25.03
 
 # Get directory for this script
 PARENT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && cd .. && pwd )"
@@ -35,8 +36,10 @@ fi
 # Location where Keystores will be created
 DOCKERKEYS=${PARENT}/local/dockerkeys
 IVIAOPCONFIG=${PARENT}/common/isvaop-config
+IVIADCCONFIG=${PARENT}/common/iviadc-config
 # Location where Docker Shares will be created
 # Note that this directory is also hardcoded into YAML files
 DOCKERSHARE=${HOME}/dockershare
 export DOCKERSHARE
 export IVIAOPCONFIG
+export IVIADCCONFIG

common/isvaop-config/provider.yml

@@ -35,4 +35,4 @@ keystore:
         content: '@postgres.crt'
     key:
       - label: httpserverkey
-        content: '@isvaop_key.pem'
+        content: '@isvaop.key'

common/iviadc-config/config.template

@@ -0,0 +1,64 @@
+general:
+    log_level: "debug"
+    name: "onpremise"
+    license:
+      accept: true
+      key: "@@ISVADC_LICENSE@@"
+    url: "https://iviadc:9720"
+    request_log:
+      enabled: false
+      format: ":date[iso] :method :url :http-version :status"
+    enable_doc_cache: false
+    tls:
+      private_key: !file "/var/config/iviadc.key"
+      cert: !file "/var/config/iviadc.pem"
+    wallet:
+      name: "ivia"
+      encryption_key: "my-key"
+    auth:
+      jwt:
+        header_name: my-jwt
+        cert: !file "/var/config/iviadc.pem"
+      dynamic_client_registration:
+        endpoint: "https://iviawrprp1:9443/isvaop/oauth2"
+        ca_cert: !file "/var/config/isvawrp.pem"
+        client_id: "admin"
+        client_secret: "secret"
+        cache_access_token: true
+      introspection:
+        cache:
+          max_entries: 101
+          max_age: 102
+        providers:
+        - name: "my-provider"
+          endpoint: "https://iviawrprp1:9443/isvaop/oauth2"
+          oid4vci:
+            default_wallet_client_id: "default_oid4vci_wallet"
+          claims:
+          - name: "active"
+            value: "true"
+          type: remote
+          remote:
+            introspect_sub_path: "/introspect"
+            client_id: "admin"
+            client_secret: "secret"
+    status_registry:
+      type: "internal"
+      min_statuslist_size: 131072
+      max_statuslist_size: 131072
+      max_random_allocation_attempts: 100
+database:
+  postgresql:
+    hosts:
+    - postgresql
+    port: 5432
+    user: "postgres"
+    password: "Passw0rd"
+    ssl: true
+    skip_hostname_verify: true
+    ca_cert: !file "/var/config/postgres.crt"
+  pool:
+    min_connections: 5
+    max_connections: 20
+    max_idle_time: 10000
+    connection_timeout: 10000

compose/base_layer/README.md

@@ -0,0 +1,45 @@
+# Configuration
+This readme documents how to configure the various Verify Access containers to a "base layer" configuration.
+In this state, containers have sufficient configuration to bootstrap correctly, but likely still cannot do 
+anything particularly useful.
+
+# Requirements
+- generate required PKI and configuration files and have copies of them in your current working directory
+  * required files: `ldap.crt`, `postgres.crt`, `isvawrp.p12`, `isvaop.pem`, `req_openid_config.lua`
+    and `rsp_openid_config.lua`
+- deploy Verify Identity Access containers using `ivia-minikube.yaml` or equivalent
+- get a trial license from [IVIA trial site](https://isva-trial.verify.ibm.com/)
+
+## Configuration steps performed on the ivia-config container
+- accept eula
+- import PKI for database, ldap, iviaop and iviadc containers
+- set the High-Volume Database connection
+- import the trial license
+- configure the WebSEAL user registry / policy server
+- create the `rp1` reverse proxy instance
+- create a junction to the `iviaop` container
+- create LUA http transformation rules for the .well-known endpoints required by the `iviadc` container
+- configure the distributed session cache service
+
+This automated configuration assumes that the Verify Identity Access containers have been deployed with 
+the configuration defined in the `iamlab/docker-compose.yaml` file. If your environment differs from this, you 
+may need to update the provided configuration.
+
+The provided automation also assumes that you have set up host/domain names `lmi.iamlab.ibm.com` for the 
+management interface and `www.iamlab.ibm.com` for the `rp1` reverse proxy instance.
+
+# Running the configuration tool
+Once you have copies of the required configuration files, you can install and run the configuration tool 
+as follows:
+
+```bash
+pip install ibmvia_autoconf
+export IVIA_CONFIG_YAML=base_layer.yaml
+export IVIA_MGMT_URL=https://lmi.iamlab.ibm.com
+export MGMT_OLD_PWD=admin
+export MGMT_PWD=betterThanPassw0rd
+export IVIA_CONFIG_BASE=$(pwd)
+python -m ibmvia_autoconf
+```
+
+An example shell script which automates the above steps is provided at `base_layer.sh`