Configuration

Keycloak

Once Keycloak has been deployed, a realm must be created (matching the values defined in the DS API configuration):

(Screenshot: Create Realm)

A client must also be created:

(Screenshot: Create Client)
(Screenshot: Configure Client)

Configure your client with the correct Web Origins and Valid Redirect URIs for your setup. If you wish to obtain access tokens via a password grant, enable Direct Access Grants and Implicit Flow. This may simplify obtaining tokens for an initial setup of the DS.

In order for the Kong gateway to be able to validate the tokens issued by the realm client, the DS keystore must be configured as a Key Provider:

(Screenshot: Add Keystore - Java Keystore)
(Screenshot: Configure Key Provider)

When configuring the keystore, specify the keystore path (either mounted as a volume in your container or on the server filesystem) in the Keystore field. You must also make sure the keystore has a higher Priority value than the other default providers. The keystore must contain the same key pair as the keystore used by the DS API.

After creating a user, you can obtain an access token via the password grant enabled above by performing the following request (replace [[USERNAME]] and the password with the credentials of that user):

curl --location --request POST 'http://localhost:9999/auth/realms/trust1connector/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=trust1connector' \
  --data-urlencode 'username=[[USERNAME]]' \
  --data-urlencode 'password=test_password' \
  --data-urlencode 'grant_type=password'

This token can then be used to address the secured DS API endpoints.

Distribution Service API

The configuration of the Distribution Service API can be done entirely through environment variables, or directly by editing the application.conf which can be found in the conf folder in the server distributable. An overview of both configuration options can be found below.

Configuration Options

| Key | Environment Variable | Type | Description |
|---|---|---|---|
| t1c-ds.general.max-page-size | DS_MAX_PAGE_SIZE | Integer | The maximum allowed pagination size for results. This prevents the retrieval of result sets that are too large. Default value is 100. |
| t1c-ds.t1c.domain | T1C_DOMAIN | String | The domain the T1C runs on. |
| t1c-ds.t1c.port | T1C_PORT | Integer | The port the T1C runs on. |
| t1c-ds.t1c.implicit-version-creation | T1C_IMPLICIT_VERSION_CREATION | Boolean | Whether implicit version creation should be enabled. Default value is false. |
| t1c-ds.t1c.uri-template | T1C_VERSION_URI_TEMPLATE | String | The template used to generate the version URI when implicit version creation is enabled. There are 3 placeholders that can be used: [[OS]], [[VERSION]], and [[FILENAME]]. The version placeholder will always be replaced by the appropriate T1C version. |
| t1c-ds.t1c.os-template-values | T1C_VERSION_OS_TEMPLATE_VALUES | JSON | A JSON representation of a string dictionary containing the values for the [[OS]] placeholder of the URI template. See the application.conf example. The keys can be one of the following: MACOS, MACOSARM, UNIX, WIN32, and WIN64. |
| t1c-ds.t1c.filename-template-values | T1C_VERSION_FILENAME_TEMPLATE_VALUES | JSON | A JSON representation of a string dictionary containing the values for the [[FILENAME]] placeholder of the URI template. See the application.conf example. The keys can be one of the following: MACOS, MACOSARM, UNIX, WIN32, and WIN64. |
| t1c-ds.rmc.label | RMC_LABEL | String | The application label that can be used by the RMC web application. |
| t1c-ds.rmc.url | RMC_URL | String | The URL for the RMC application. Only the URL defined here or the DS host will be allowed to obtain an RMC application token. |
| t1c-ds.development.include-stacktrace | INCLUDE_STACKTRACE | Boolean | Include a stacktrace in the application's JSON response, which can be useful for debugging purposes. Must be set to false in production environments. |
| t1c-ds.development.require-gateway-headers | REQUIRE_GATEWAY_HEADERS | Boolean | Incoming requests are checked for the presence of an X-Consumer-Custom-ID header placed by the gateway. |
| t1c-ds.keystore.path | DS_KEYSTORE_PATH | String | The path (can be relative to the application root) to the DS API keystore in PKCS12 format, containing the DS certificate/keypair. |
| t1c-ds.keystore.password | DS_KEYSTORE_PASSWORD | String | The password to the DS API keystore. This is sensitive information. We recommend storing it as an environment variable. |
| t1c-ds.keystore.alias | DS_KEYSTORE_ALIAS | String | The alias of the DS API certificate/keypair stored in the keystore. |
| t1c-ds.security.enabled | DS_SECURITY_ENABLED | Boolean | Enables or disables the parsing of JSON web tokens on incoming requests. If set to false, all JWT payloads will be set to a default blank value. This must be set to true in production environments. |
| t1c-ds.security.jwt.ds-issuer | DS_ISSUER | String | The name of the DS API token issuer. It is used to generate JSON web tokens containing digests of configuration files. |
| t1c-ds.security.jwt.idp-issuer | DS_IDP_ISSUER | String | The name of the IDP token issuer. This is the value found in the iss property of tokens issued by your configured IDP client. For Keycloak, this takes the form https://{{idp-url}}/auth/realms/{{realmId}}. |
| t1c-ds.security.jwt.registration-token-validity-seconds | DS_REG_TOKEN_VALIDITY_SECONDS | Integer | The number of seconds a token issued for a registration API key should remain valid. |
| t1c-ds.security.jwt.application-token-validity-seconds | DS_APP_TOKEN_VALIDITY_SECONDS | Integer | The number of seconds a token issued for a label API key should remain valid. |
| t1c-ds.gateway.enabled | DS_GATEWAY_ENABLED | Boolean | Set to false while developing in order to test the DS API without needing a Kong gateway to be available. Must be set to true in production environments. |
| t1c-ds.gateway.url | DS_GATEWAY_URL | String | The Kong gateway URL. This value is used to generate download links for the Trust1Connector installer. |
| t1c-ds.gateway.admin-url | DS_GATEWAY_ADMIN_URL | String | The Kong gateway admin API URL. This URL is used to dynamically create API keys for labels and versions. |
| t1c-ds.gateway.ds-base-path | DS_GATEWAY_BASE_PATH | String | Used for the generation of download links. If you route the DS on a non-default path, i.e. not on the root of the Kong gateway, you can specify it here. Default value is an empty string. |
| t1c-ds.gateway.config.consumers.registration | DS_GATEWAY_CONSUMER_REGISTRATION | String | The username and custom_id of the registration consumer entity on the Kong gateway. |
| t1c-ds.gateway.config.consumers.application | DS_GATEWAY_CONSUMER_APPLICATION | String | The username and custom_id of the application consumer entity on the Kong gateway. |
| t1c-ds.gateway.config.consumers.user | DS_GATEWAY_CONSUMER_USER | String | The username and custom_id of the user consumer entity on the Kong gateway. |
| slick.dbs.default.db.url | T1C_DB_URL | String | The JDBC URL of the PostgreSQL database to be used by the DS API, e.g. jdbc:postgresql://localhost:5433/t1c-ds |
| slick.dbs.default.db.user | T1C_DS_DB_USER | String | The PostgreSQL database username that has owner access to the t1c-ds database. We recommend storing this information as an environment variable. |
| slick.dbs.default.db.password | T1C_DS_DB_PWD | String | The PostgreSQL database user's password. We recommend storing this information as an environment variable. |
| play.evolutions.db.default.enabled | T1C_EVOLUTIONS_ENABLED | Boolean | Toggle whether database evolutions are enabled. We recommend setting it to false in production environments and manually updating the database models with a script. |
| play.evolutions.db.default.autoApply | T1C_EVOLUTIONS_AUTO | Boolean | Toggle whether database evolutions are automatically applied. We recommend setting it to false in production environments and manually updating the database models with a script. |
| play.evolutions.db.default.autoApplyDowns | T1C_EVOLUTIONS_AUTO_DOWNS | Boolean | Toggle whether database evolution downgrades are automatically applied. This must be set to false in production environments or data loss may occur. |
| play.http.secret.key | PLAY_SECRET | String | A secret used for built-in encryption utilities, signing session cookies and CSRF tokens, amongst others. This value must be set, and must be unique per environment. |
| pidfile.path | PIDFILE_PATH | String | The path where the RUNNING_PID file will be created. For dockerized environments, this must be set to /dev/null. |
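As an added example (not part of the DS distribution), the following Python check resolves each documented setting the way the `${?VAR}` pattern in application.conf does (the environment variable when set, otherwise the value in the file) and reports the settings the table above marks as mandatory or recommended for production. The file defaults and the hardened environment in demo() are constructed from the sample configuration file further down; treating the sample file's passwords as disallowed production values is this example's own assumption.

```python
# Defaults as they appear in the sample application.conf (None = not set in the file).
SAMPLE_FILE_DEFAULTS = {
    "DS_SECURITY_ENABLED": "false",
    "DS_GATEWAY_ENABLED": "true",
    "INCLUDE_STACKTRACE": "true",
    "REQUIRE_GATEWAY_HEADERS": "false",
    "T1C_EVOLUTIONS_ENABLED": "true",
    "T1C_EVOLUTIONS_AUTO": "true",
    "T1C_EVOLUTIONS_AUTO_DOWNS": "true",
    "DS_KEYSTORE_PASSWORD": "v8%j22HVvHEiC9>e",
    "T1C_DS_DB_PWD": "postgres",
    "PLAY_SECRET": None,
    "PIDFILE_PATH": None,
}

# (variable, required value, severity): "must" rows are stated as mandatory for production
# in the configuration table, "recommend" rows are the table's recommendations.
PRODUCTION_RULES = [
    ("DS_SECURITY_ENABLED", "true", "must"),
    ("DS_GATEWAY_ENABLED", "true", "must"),
    ("INCLUDE_STACKTRACE", "false", "must"),
    ("T1C_EVOLUTIONS_AUTO_DOWNS", "false", "must"),
    ("T1C_EVOLUTIONS_ENABLED", "false", "recommend"),
    ("T1C_EVOLUTIONS_AUTO", "false", "recommend"),
]


def effective(var, env, file_defaults=SAMPLE_FILE_DEFAULTS):
    """Resolve a setting like HOCON's `key = ${?VAR}`: the env var wins when set, else the file value."""
    value = env.get(var)
    return value if value not in (None, "") else file_defaults.get(var)


def check_production_env(env, dockerized=False):
    """Return a list of (severity, message) findings; an empty list means the environment passes."""
    findings = []
    for var, wanted, severity in PRODUCTION_RULES:
        actual = effective(var, env)
        if (actual or "").strip().lower() != wanted:
            findings.append((severity, f"{var} resolves to {actual!r}, expected {wanted!r}"))
    # Secrets must be set per environment and must not be the values shipped in the sample file.
    if not effective("PLAY_SECRET", env):
        findings.append(("must", "PLAY_SECRET is not set; it must be set and unique per environment"))
    for var in ("DS_KEYSTORE_PASSWORD", "T1C_DS_DB_PWD"):
        if effective(var, env) == SAMPLE_FILE_DEFAULTS[var]:
            findings.append(("must", f"{var} still uses the sample application.conf value"))
    if dockerized and effective("PIDFILE_PATH", env) != "/dev/null":
        findings.append(("must", "PIDFILE_PATH must be /dev/null in dockerized environments"))
    return findings


def demo():
    """Constructed inputs: an empty environment (sample defaults only) and a hardened one."""
    hardened = {  # placeholder secrets, not real values
        "DS_SECURITY_ENABLED": "true", "DS_GATEWAY_ENABLED": "true",
        "INCLUDE_STACKTRACE": "false", "T1C_EVOLUTIONS_ENABLED": "false",
        "T1C_EVOLUTIONS_AUTO": "false", "T1C_EVOLUTIONS_AUTO_DOWNS": "false",
        "PLAY_SECRET": "[[GENERATED SECRET]]", "DS_KEYSTORE_PASSWORD": "[[KEYSTORE PASSWORD]]",
        "T1C_DS_DB_PWD": "[[DB PASSWORD]]", "PIDFILE_PATH": "/dev/null",
    }
    return check_production_env({}, dockerized=True), check_production_env(hardened, dockerized=True)


if __name__ == "__main__":
    for severity, message in demo()[0]:
        print(f"[{severity}] {message}")
```

Running it with an empty environment shows that the sample file alone fails every mandatory production check, which is the point of overriding it through environment variables.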

Sample Configuration File

# Application specific config. Every property is duplicated with a value that can be read from the environment variables
# so that we can reuse the same config file in various environments

t1c-ds {
  rmc {
    label = "rmc"
    label = ${?RMC_LABEL}
    url = "http://localhost:3000"
    url = ${?RMC_URL}
  }
  t1c {
    domain = "t1c.t1t.io"
    domain = ${?T1C_DOMAIN}
    port = 51983
    port = ${?T1C_PORT}
    implicit-version-creation = false
    implicit-version-creation = ${?T1C_IMPLICIT_VERSION_CREATION}
    uri-template = "https://storage.googleapis.com/t1c-dependencies-dev/[[OS]]/v[[VERSION]]/Release/trust1team/[[FILENAME]]"
    uri-template = ${?T1C_VERSION_URI_TEMPLATE}
    os-template-values = "{\"MACOS\":\"mac\",\"MACOSARM\":\"mac\",\"UNIX\":\"unix\",\"WIN32\":\"win\",\"WIN64\":\"win\"}"
    os-template-values = ${?T1C_VERSION_OS_TEMPLATE_VALUES}
    filename-template-values = "{\"MACOS\":\"Trust1Connector-x86.dmg\",\"MACOSARM\":\"Trust1Connector-arm.dmg\",\"UNIX\":\"trust1connector.deb\",\"WIN32\":\"t1c-x86.msi\",\"WIN64\":\"t1c-x64.msi\"}"
    filename-template-values = ${?T1C_VERSION_FILENAME_TEMPLATE_VALUES}
  }
  general {
    max-page-size = 100
    max-page-size = ${?DS_MAX_PAGE_SIZE}
  }
  development {
    include-stacktrace = true
    include-stacktrace = ${?INCLUDE_STACKTRACE}
    require-gateway-headers = false
    require-gateway-headers = ${?REQUIRE_GATEWAY_HEADERS}
  }
  keystore {
    path = "conf/t1cds.p12"
    path = ${?DS_KEYSTORE_PATH}
    password = "v8%j22HVvHEiC9>e"
    password = ${?DS_KEYSTORE_PASSWORD}
    alias = "t1cds"
    alias = ${?DS_KEYSTORE_ALIAS}
  }
  security {
    enabled = false
    enabled = ${?DS_SECURITY_ENABLED}
    jwt {
      ds-issuer = "t1c-ds"
      ds-issuer = ${?DS_ISSUER}
      # For example
      # idp-issuer = "https://idp.t1t.io/auth/realms/trust1connector"
      idp-issuer = "http://localhost:9999/auth/realms/trust1connector"
      idp-issuer = ${?DS_IDP_ISSUER}
      registration-token-validity-seconds = 600
      registration-token-validity-seconds = ${?DS_REG_TOKEN_VALIDITY_SECONDS}
      application-token-validity-seconds = 600
      application-token-validity-seconds = ${?DS_APP_TOKEN_VALIDITY_SECONDS}
    }
  }
  gateway {
    enabled = true
    enabled = ${?DS_GATEWAY_ENABLED}
    url = "http://localhost:8000"
    url = ${?DS_GATEWAY_URL}
    admin-url = "http://localhost:8001"
    admin-url = ${?DS_GATEWAY_ADMIN_URL}
    # If the DS isn't hosted on the root of the gateway, set the path prefix here
    ds-base-path = ""
    ds-base-path = ${?DS_GATEWAY_BASE_PATH}
    config {
      consumers {
        registration = "t1cds-reg"
        application = "t1cds-app"
        user = "t1cds-user"
        registration = ${?DS_GATEWAY_CONSUMER_REGISTRATION}
        application = ${?DS_GATEWAY_CONSUMER_APPLICATION}
        user = ${?DS_GATEWAY_CONSUMER_USER}
      }
    }
  }
}

slick {
  db.default.logSql=true
  dbs.default.profile = "slick.jdbc.PostgresProfile"
  dbs.default.db.driver = "org.postgresql.Driver"
  dbs.default.db.url = "jdbc:postgresql://localhost:5433/t1c-ds"
  dbs.default.db.url = ${?T1C_DB_URL}
  dbs.default.db.user = "postgres"
  dbs.default.db.user = ${?T1C_DS_DB_USER}
  dbs.default.db.password = "postgres"
  dbs.default.db.password = ${?T1C_DS_DB_PWD}
}

pidfile.path = ${?PIDFILE_PATH}

play {
  assets {
    path = "/public"
    urlPrefix = "/assets"
  }
  ## Play HTTP settings
  # ~~~~~
  http {
    ## Secret key
    # https://www.playframework.com/documentation/latest/ApplicationSecret
    # ~~~~~
    # The secret key is used to sign Play's session cookie.
    # This must be changed for production, but we don't recommend you change it in this file.
    secret.key = ${?PLAY_SECRET}
    ## Router
    # https://www.playframework.com/documentation/latest/JavaRouting
    # https://www.playframework.com/documentation/latest/ScalaRouting
    # ~~~~~
    # Define the Router object to use for this application.
    # This router will be looked up first when the application is starting up,
    # so make sure this is the entry point.
    # Furthermore, it's assumed your route file is named properly.
    # So for an application router like `my.application.Router`,
    # you may need to define a router file `conf/my.application.routes`.
    # Default to Routes in the root package (aka "apps" folder) (and conf/routes)
    #router = my.application.Router

    ## Action Creator
    # https://www.playframework.com/documentation/latest/JavaActionCreator
    # ~~~~~
    #actionCreator = null

    ## ErrorHandler
    # https://www.playframework.com/documentation/latest/JavaRouting
    # https://www.playframework.com/documentation/latest/ScalaRouting
    # ~~~~~
    # If null, will attempt to load a class called ErrorHandler in the root package,
    #errorHandler = null

    ## Session & Flash
    # https://www.playframework.com/documentation/latest/JavaSessionFlash
    # https://www.playframework.com/documentation/latest/ScalaSessionFlash
    # ~~~~~
    session {
      cookieName = "T1C-DS"

      # Sets the cookie to be sent only over HTTPS.
      secure = true

      # Sets the cookie to be accessed only by the server.
      httpOnly = true

      # Sets the max-age field of the cookie to 30 minutes (1800 seconds).
      # NOTE: this only sets when the browser will discard the cookie. Play will consider any
      # cookie value with a valid signature to be a valid session forever. To implement a server side session timeout,
      # you need to put a timestamp in the session and check it at regular intervals to possibly expire it.
      maxAge = 1800

      sameSite = "none"

      # Sets the domain on the session cookie.
      #domain = "example.com"
    }

    flash {
      # Sets the cookie to be sent only over HTTPS.
      #secure = true

      # Sets the cookie to be accessed only by the server.
      #httpOnly = true
    }
  }
  ## Evolutions
  # https://www.playframework.com/documentation/latest/Evolutions
  # ~~~~~
  # Evolutions allows database scripts to be automatically run on startup in dev mode
  # for database migrations. You must enable this by adding to build.sbt:
  #
  # libraryDependencies += evolutions
  #
  ## Evolutions
  evolutions {
    db.default.enabled = true
    db.default.autoApply = true
    db.default.autoApplyDowns = true
    schema = "public"
    db.default.enabled = ${?T1C_EVOLUTIONS_ENABLED}
    db.default.autoApply = ${?T1C_EVOLUTIONS_AUTO}
    db.default.autoApplyDowns = ${?T1C_EVOLUTIONS_AUTO_DOWNS}
    schema = ${?T1C_EVOLUTIONS_SCHEMA}
  }
  ## Modules
  # https://www.playframework.com/documentation/latest/Modules
  # ~~~~~
  # Control which modules are loaded when Play starts. Note that modules are
  # the replacement for "GlobalSettings", which are deprecated in 2.5.x.
  # Please see https://www.playframework.com/documentation/latest/GlobalSettings
  # for more information.
  #
  # You can also extend Play functionality by using one of the publicly available
  # Play modules: https://playframework.com/documentation/latest/ModuleDirectory
  modules {
    # By default, Play will load any class called Module that is defined
    # in the root package (the "app" directory), or you can define them
    # explicitly below.
    #enabled += my.application.Module

    # If there are any built-in modules that you want to disable, you can list them here.
    #disabled += ""
  }
  ## IDE
  # https://www.playframework.com/documentation/latest/IDE
  # ~~~~~
  # Depending on your IDE, you can add a hyperlink for errors that will jump you
  # directly to the code location in the IDE in dev mode. The following line makes
  # use of the IntelliJ IDEA REST interface:
  #editor="http://localhost:63342/api/file/?file=%s&line=%s"
  ## Internationalisation
  # https://www.playframework.com/documentation/latest/JavaI18N
  # https://www.playframework.com/documentation/latest/ScalaI18N
  # ~~~~~
  # Play comes with its own i18n settings, which allow the user's preferred language
  # to map through to internal messages, or allow the language to be stored in a cookie.
  i18n {
    # The application languages
    langs = [ "en" ]

    # Whether the language cookie should be secure or not
    #langCookieSecure = true

    # Whether the HTTP only attribute of the cookie should be set to true
    #langCookieHttpOnly = true
  }
  ## Filters
  # https://www.playframework.com/documentation/latest/ScalaHttpFilters
  # https://www.playframework.com/documentation/latest/JavaHttpFilters
  # ~~~~~
  # Filters run code on every request. They can be used to perform
  # common logic for all your actions, e.g. adding common headers.
  #
  filters {
    ## Filter Configuration
    # https://www.playframework.com/documentation/latest/Filters
    # ~~~~~
    # There are a number of built-in filters that can be enabled and configured
    # to give Play greater security.
    #
    # Enabled filters are run automatically against Play.
    # CSRFFilter, AllowedHostFilters, and SecurityHeadersFilters are enabled by default.
    # enabled += play.filters.https.RedirectHttpsFilter

    # Disabled filters remove elements from the enabled list.
    disabled += play.filters.hosts.AllowedHostsFilter
    disabled += play.filters.csrf.CSRFFilter
    # Enabled filters add elements to the enabled list

    # This is the custom CORS filter for the DS. You can disable it entirely by adding it to the disabled list
    enabled += play.filters.cors.DynamicCorsFilter

    ## CSRF Filter
    # https://www.playframework.com/documentation/latest/ScalaCsrf#Applying-a-global-CSRF-filter
    # https://www.playframework.com/documentation/latest/JavaCsrf#Applying-a-global-CSRF-filter
    # ~~~~~
    # Play supports multiple methods for verifying that a request is not a CSRF request.
    # The primary mechanism is a CSRF token. This token gets placed either in the query string
    # or body of every form submitted, and also gets placed in the users session.
    # Play then verifies that both tokens are present and match.
    csrf {
      # Sets the cookie to be sent only over HTTPS
      #cookie.secure = true

      # Defaults to CSRFErrorHandler in the root package.
      #errorHandler = MyCSRFErrorHandler
    }

    ## Security headers filter configuration
    # https://www.playframework.com/documentation/latest/SecurityHeaders
    # ~~~~~
    # Defines security headers that prevent XSS attacks.
    # If enabled, then all options are set to the below configuration by default:
    headers {
      # The X-Frame-Options header. If null, the header is not set.
      #frameOptions = "DENY"

      # The X-XSS-Protection header. If null, the header is not set.
      #xssProtection = "1; mode=block"

      # The X-Content-Type-Options header. If null, the header is not set.
      #contentTypeOptions = "nosniff"

      # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
      #permittedCrossDomainPolicies = "master-only"

      # The Content-Security-Policy header. If null, the header is not set.
      #contentSecurityPolicy = "default-src 'self'"
    }

    ## Allowed hosts filter configuration
    # https://www.playframework.com/documentation/latest/AllowedHostsFilter
    # ~~~~~
    # Play provides a filter that lets you configure which hosts can access your application.
    # This is useful to prevent cache poisoning attacks.
    hosts {
      # Allow requests to example.com, its subdomains, and localhost:9000.
      #allowed = [".example.com", "localhost:9000"]
      allowed = [ "localhost:4600", "localhost:8000", "localhost:9000"]
      allowed = [ ${?DS_ALLOWED_HOST} ]
    }
    https {
      #strictTransportSecurity = "max-age=31536000; includeSubDomains"
      #xForwardedProtoEnabled = true
    }
  }
  ## Netty Provider
  # https://www.playframework.com/documentation/latest/SettingsNetty
  # ~~~~~
  server.netty {
    # Whether the Netty wire should be logged
    #log.wire = true

    # If you run Play on Linux, you can use Netty's native socket transport
    # for higher performance with less garbage.
    #transport = "native"
  }
  ## WS (HTTP Client)
  # https://www.playframework.com/documentation/latest/ScalaWS#Configuring-WS
  # ~~~~~
  # The HTTP client primarily used for REST APIs. The default client can be
  # configured directly, but you can also create different client instances
  # with customized settings. You must enable this by adding to build.sbt:
  #
  # libraryDependencies += ws // or javaWs if using java
  #
  ws {
    # Sets HTTP requests not to follow 302 requests
    #followRedirects = false

    # Sets the maximum number of open HTTP connections for the client.
    #ahc.maxConnectionsTotal = 50

    ## WS SSL
    # https://www.playframework.com/documentation/latest/WsSSL
    # ~~~~~
    ssl {
      # Configuring HTTPS with Play WS does not require programming. You can
      # set up both trustManager and keyManager for mutual authentication, and
      # turn on JSSE debugging in development with a reload.
      #debug.handshake = true
      #trustManager = {
      #  stores = [
      #    { type = "JKS", path = "exampletrust.jks" }
      #  ]
      #}
    }
  }
  ## Cache
  # https://www.playframework.com/documentation/latest/JavaCache
  # https://www.playframework.com/documentation/latest/ScalaCache
  # ~~~~~
  # Play comes with an integrated cache API that can reduce the operational
  # overhead of repeated requests. You must enable this by adding to build.sbt:
  #
  # libraryDependencies += cache
  #
  cache {
    # If you want to bind several caches, you can bind them individually
    #bindCaches = ["db-cache", "user-cache", "session-cache"]
  }
}

## Akka
# https://www.playframework.com/documentation/latest/ScalaAkka#Configuration
# https://www.playframework.com/documentation/latest/JavaAkka#Configuration
# ~~~~~
# Play uses Akka internally and exposes Akka Streams and actors in Websockets and
# other streaming HTTP responses.
akka {
  # "akka.log-config-on-start" is extraordinarily useful because it logs the complete
  # configuration at INFO level, including defaults and overrides, so it's worth
  # putting at the very top.
  #
  # Put the following in your conf/logback.xml file:
  #
  # <logger name="akka.actor" level="INFO" />
  #
  # And then uncomment this line to debug the configuration.
  #
  #log-config-on-start = true
}

Kong

The Kong gateway can be configured in 2 ways:
    1. By letting the DS bootstrap the gateway using its default and configured values
    2. By running a script
The second option requires that the machine the script is executed on can access the admin API of the Kong Gateway.

DS Bootstrapping

Using a valid token obtained from Keycloak, execute the following request:
curl --location --request POST 'http://localhost:4600/v3/gateway/bootstrap' \
  --header 'Authorization: Bearer eyJ...MZA' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "dsServiceName": "t1c-ds-v3",
    "dsServiceHost": "t1c-ds",
    "dsPort": 9000
  }'

| Property | Description |
|---|---|
| dsServiceName | The name of the DS API service to create on the gateway. Can be freely chosen. |
| dsServiceHost | The hostname of the DS API service. |
| dsPort | The port to which the gateway can proxy requests. |

Script

You can also run a script to configure the Kong gateway. However, you need to adjust the script to your needs prior to executing it. You must also run it on a device on which curl is available.
# Adjust the service host and port to the correct values, as well as the gateway admin URL

# Create service
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"name":"t1c-ds-v3-5","host":"t1c-ds-v3-5","port":9000}' \
  'http://localhost:8001/services/t1c-ds-v3-5'
# Create JWT Auth route
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"name":"jwt-route-v3-5","strip_path":false,"paths":["/v3_5/configurations/","/v3_5/configurations","/v3_5/devices/","/v3_5/devices","/v3_5/gateway/","/v3_5/labels/","/v3_5/labels","/v3_5/organizations/","/v3_5/organizations","/v3_5/registration/","/v3_5/versions/","/v3_5/versions","/v3_5/transactions/"]}' \
  'http://localhost:8001/services/t1c-ds-v3-5/routes/jwt-route-v3-5'
# Create Key Auth route
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"name":"key-auth-route-v3-5","strip_path":false,"paths":["/v3_5/tokens/"]}' \
  'http://localhost:8001/services/t1c-ds-v3-5/routes/key-auth-route-v3-5'
# Create No-Auth route
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"name":"no-auth-route-v3-5","strip_path":false,"paths":["/v3_5/system/","/v3_5/device/","/v3_5/downloads/", "/v3_5/agents/", "/v3_5/agents", "/v3_5/rmc/","/v3_5/rmc","/mgt/","/mgt","/"]}' \
  'http://localhost:8001/services/t1c-ds-v3-5/routes/no-auth-route-v3-5'
# Create JWT route plugin
curl \
  --verbose \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{"name":"jwt","route":{"name":"jwt-route-v3-5"},"config":{"run_on_preflight":false,"claims_to_verify":["exp"]}}' \
  'http://localhost:8001/routes/jwt-route-v3-5/plugins'
# Create Key-Auth route plugin
curl \
  --verbose \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{"name":"key-auth","route":{"name":"key-auth-route-v3-5"},"config":{"run_on_preflight":false}}' \
  'http://localhost:8001/routes/key-auth-route-v3-5/plugins'
# Create User consumer
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"username":"t1cds-user","custom_id":"t1cds-user"}' \
  'http://localhost:8001/consumers/t1cds-user'
# Create Registration consumer
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"username":"t1cds-reg","custom_id":"t1cds-reg"}' \
  'http://localhost:8001/consumers/t1cds-reg'
# Create Application consumer
curl \
  --verbose \
  --request PUT \
  --header 'Content-Type: application/json' \
  --data '{"username":"t1cds-app","custom_id":"t1cds-app"}' \
  'http://localhost:8001/consumers/t1cds-app'
# Create Registration consumer JWT credential. Replace the rsa_public_key by the PEM encoded DS public key
curl \
  --verbose \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{"key":"t1cds-reg","algorithm":"RS256","rsa_public_key":"-----BEGIN PUBLIC KEY-----\n ... [[PEM PUBLIC KEY]] ... \n-----END PUBLIC KEY-----\n"}' \
  'http://localhost:8001/consumers/t1cds-reg/jwt'
# Create Application consumer JWT credential. Replace the rsa_public_key by the PEM encoded DS public key
curl \
  --verbose \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{"key":"t1cds-app","algorithm":"RS256","rsa_public_key":"-----BEGIN PUBLIC KEY-----\n ... [[PEM PUBLIC KEY]] ... \n-----END PUBLIC KEY-----\n"}' \
  'http://localhost:8001/consumers/t1cds-app/jwt'
# Create User consumer JWT credential. Replace the rsa_public_key by the PEM encoded public key of the Keycloak realm
curl \
  --verbose \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{"key":"http://localhost:9999/auth/realms/trust1connector","algorithm":"RS256","rsa_public_key":"-----BEGIN PUBLIC KEY-----\n ... [[PEM PUBLIC KEY]] ... \n-----END PUBLIC KEY-----\n"}' \
  'http://localhost:8001/consumers/t1cds-user/jwt'
The script contains requests to create every required entity on the Kong gateway. An overview can be found in the table below:
| Entity Name | Entity Type | Enabled Plugins | Paths |
|---|---|---|---|
| t1c-ds-v3-5 | Service | | |
| jwt-route-v3-5 | Route | jwt | "/v3_5/configurations/", "/v3_5/configurations", "/v3_5/devices/", "/v3_5/devices", "/v3_5/gateway/", "/v3_5/labels/", "/v3_5/labels", "/v3_5/organizations/", "/v3_5/organizations", "/v3_5/registration/", "/v3_5/versions/", "/v3_5/versions", "/v3_5/transactions/" |
| key-auth-route-v3-5 | Route | key-auth | "/v3_5/tokens/" |
| no-auth-route-v3-5 | Route | | "/v3_5/system/", "/v3_5/device/", "/v3_5/downloads/", "/v3_5/agents/", "/v3_5/agents", "/v3_5/rmc/", "/v3_5/rmc", "/mgt/", "/mgt", "/" |
| t1cds-reg | Consumer | jwt (key-auth plugin will be dynamically added when creating a new version) | |
| t1cds-app | Consumer | jwt (key-auth plugin will be dynamically added when creating a new label) | |
| t1cds-user | Consumer | jwt | |
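As an added example (not code from the DS project, Keycloak or Kong), the following Python models what the jwt plugin on jwt-route-v3-5 does with the three consumer JWT credentials created by the script: the token's iss claim selects the credential whose "key" matches, that credential's RSA public key must verify the RS256 signature, and exp is checked (claims_to_verify). It also illustrates the requirement from the Keycloak section that the key provider hold the same key pair as the DS keystore, since tokens for t1cds-reg and t1cds-app only pass when signed with the DS key. Assumptions: keys are generated in-process as (n, e) / (n, d) integers instead of the PEM the script posts, and each issuer uses the consumer credential's key as its iss value (Kong's default key_claim_name).

```python
import base64, hashlib, json, secrets

def is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for a demo key pair
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_keypair(bits=512):  # returns (public (n, e), private (n, d)); 512 bits is demo-only, real keys are 2048+
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def _emsa_pkcs1_v15(msg, k):  # 00 01 FF..FF 00 || DigestInfo(SHA-256), per RFC 8017
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, pub):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _emsa_pkcs1_v15(msg, k))

def _b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims, priv):  # RS256 JWT as the DS (iss = consumer key) or Keycloak (iss = realm URL) issues it
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(rs256_sign(signing_input.encode(), priv))

def kong_jwt_authenticate(token, credentials, now):
    """Returns the consumer name Kong forwards as X-Consumer-Custom-ID, or None if rejected."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64url(h)), json.loads(_unb64url(p)), _unb64url(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    cred = next((c for c in credentials if c["key"] == claims.get("iss")), None)  # key_claim_name defaults to "iss"
    if cred is None or header.get("alg") != cred["algorithm"]:
        return None
    if not rs256_verify(f"{h}.{p}".encode(), sig, cred["rsa_public_key"]):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # claims_to_verify=["exp"]
        return None
    return cred["consumer"]

def demo():  # constructed scenario mirroring the script: DS key for reg/app consumers, IdP key for the user consumer
    ds_pub, ds_priv = gen_rsa_keypair()    # stands in for the t1cds key pair in the DS keystore
    idp_pub, idp_priv = gen_rsa_keypair()  # stands in for the Keycloak realm signing key
    realm = "http://localhost:9999/auth/realms/trust1connector"
    credentials = [
        {"consumer": "t1cds-reg", "key": "t1cds-reg", "algorithm": "RS256", "rsa_public_key": ds_pub},
        {"consumer": "t1cds-app", "key": "t1cds-app", "algorithm": "RS256", "rsa_public_key": ds_pub},
        {"consumer": "t1cds-user", "key": realm, "algorithm": "RS256", "rsa_public_key": idp_pub},
    ]
    now = 1_700_000_000
    tokens = [
        issue_token({"iss": "t1cds-reg", "exp": now + 600}, ds_priv),   # valid registration token
        issue_token({"iss": realm, "exp": now + 300}, idp_priv),        # valid Keycloak user token
        issue_token({"iss": "t1cds-app", "exp": now + 600}, idp_priv),  # DS issuer but IdP signing key
        issue_token({"iss": realm, "exp": now - 1}, idp_priv),          # expired
    ]
    return [kong_jwt_authenticate(t, credentials, now) for t in tokens]
```

The third token is the case the shared key pair guards against: a token naming a DS consumer as issuer but signed by a different key is rejected before the DS ever sees it.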