Once Keycloak has been deployed, a realm must be created (matching the values defined in the DS API configuration):
A client must also be created:
Configure your client with the correct Web Origins and Valid Redirect URIs for your setup. If you wish to obtain access tokens via a password grant, enable Direct Access Grants and Implicit Flow. This may simplify obtaining tokens for an initial setup of the DS
In order for the Kong gateway to be able to validate the tokens issued by the realm client, the DS keystore must be configured as a Key Provider
When configuring the keystore, specify the keystore path (either mounted as a volume in your container or on the server filesystem) in the Keystore field. Also you must make sure the keystore has a higher Priority value than the other default providers.
The keystore must contain the same key pair as the keystore used by the DS API
After creating a user, you can obtain an access token using the implicit flow by performing the following request:
This token can then be used to address the secured DS API endpoints
Distribution Service API
The configuration of the Distribution Service API can be done entirely through environment variables, or directly by editing the application.conf which can be found in the conf folder in the server distributable. An overview of both configuration options can be found below.
Configuration Options
Key
Environment Variable
Type
Description
t1c-ds.general.max-page-size
DS_MAX_PAGE_SIZE
Integer
The maximum allowed pagination size for results. This can be used in order to prevent the retrieval of too large a sample result. Default value is 100.
t1c-ds.t1c.domain
T1C_DOMAIN
String
The domain the T1C runs on.
t1c-ds.t1c.port
T1C_PORT
Integer
The port the T1C runs on.
t1c-ds.rmc.label
RMC_LABEL
String
The application label that can be used by the RMC web application.
t1c-ds.development.include-stacktrace
INCLUDE_STACKTRACE
Boolean
Include a stacktrace in the application's JSON response, which can be useful for debugging purposes. Must be set to false in production environments
t1c-ds.development.require-gateway-headers
REQUIRE_GATEWAY_HEADERS
Boolean
Incoming requests are checked for the presence of a X-Consumer-Custom-IDheader placed by the gateway
t1c-ds.keystore.path
DS_KEYSTORE_PATH
String
The path (can be relative to the application root) to the DS API keystore in PKCS12 format, containing the DS certificate/keypair.
t1c-ds.keystore.password
DS_KEYSTORE_PASSWORD
String
The password to the DS API keystore. This is sensitive information. We recommend storing it as an environment variable.
t1c-ds.keystore.alias
DS_KEYSTORE_ALIAS
String
The alias of the DS API certificate/keypair stored in the keystore.
t1c-ds.security.enabled
DS_SECURITY_ENABLED
Boolean
Enables or disables the parsing of JSON web tokens on incoming requests. If set to false, all JWT payloads will be set to a default blank value. This must be set to true in production environments.
t1c-ds.security.jwt.ds-issuer
DS_ISSUER
String
The name of the DS API token issuer. It is used to generate JSON web tokens containing digests of configuration files.
t1c-ds.security.jwt.idp-issuer
DS_IDP_ISSUER
String
The name of the IDP token issuer. This is the value that can be found in the iss property in tokens issued by your configured IDP client. For Keyloak, this will take the form of https://{{idp-url}}/auth/realms/{{realmId}}.
The seconds a token issued for a label API key should remain valid.
t1c-ds.gateway.enabled
DS_GATEWAY_ENABLED
Boolean
Set to false while developing in order to test the DS API without needing a Kong gateway to be available. Must be set to true for production environments.
t1c-ds.gateway.url
DS_GATEWAY_URL
String
The Kong gateway URL. This value is used to generate download links for the Trust1Connector installer.
t1c-ds.gateway.admin-url
DS_GATEWAY_ADMIN_URL
String
The Kong gateway admin API URL. This URL is used to dynamically create API keys for labels and versions.
t1c-ds.gateway.ds-base-path
DS_GATEWAY_BASE_PATH
String
Used for generation of download links. If you route the DS on a non-default path, i.e. not on the root of the Kong gateway, you can specify it here. Default value is an empty string
t1c-ds.gateway.config.consumers.registration
DS_GATEWAY_CONSUMER_REGISTRATION
String
The username and custom_id of the registration consumer entity on the Kong gateway.
t1c-ds.gateway.config.consumers.application
DS_GATEWAY_CONSUMER_APPLICATION
String
The username and custom_id of the registration application entity on the Kong gateway.
t1c-ds.gateway.config.consumers.user
DS_GATEWAY_CONSUMER_USER
String
The username and custom_id of the registration consumer entity on the Kong gateway.
slick.dbs.default.db.url
T1C_DB_URL
String
The JNDI value for the PostgreSQL database to be used by the DS API, e. jdbc:postgresql://localhost:5433/t1c-ds
slick.dbs.default.db.user
T1C_DS_DB_USER
String
The PostgreSQL database username that has owner access to the t1c-ds database. We recommend storing this information as an environment variable.
slick.dbs.default.db.password
T1C_DS_DB_PWD
String
The PostgreSQL database user's password. We recommend storing this information as an environment variable.
play.evolutions.db.default.enabled
T1C_EVOLUTIONS_ENABLED
Boolean
Toggle whether database evolutions are enabled. We recommend setting it to false in production environments and manually updating the database models with a script.
play.evolutions.db.default.autoApply
T1C_EVOLUTIONS_AUTO
Boolean
Toggle whether database evolutions are automatically applied. We recommend setting it to false in production environments and manually updating the database models with a script.
play.evolutions.db.default.autoApplyDowns
T1C_EVOLUTIONS_AUTO_DOWNS
Boolean
Toggle whether database evolution downgrades are automatically applied. This must be set to false in production environments or data loss may occur.
play.http.secret.key
PLAY_SECRET
String
A secret used for built-in encryption utilities, signing session cookies and CSRF tokens, amongst other. This value must be set, and must be unique per environment.
pidfile.path
PIDFILE_PATH
String
The path where the RUNNING_PID file will be created. For dockerized environments, this must be set to /dev/null
Sample Configuration File
# Version -> should match version inbuild.sbtapp.version ="3.0.0"# Application specific config. Every property is duplicated with a value that can be read from the environment variables
# So that we can reuse the same config file in various environmentst1c-ds { general { max-page-size =100 max-page-size = ${?DS_MAX_PAGE_SIZE} } development { include-stacktrace =true include-stacktrace = ${?INCLUDE_STACKTRACE} require-gateway-headers =false require-gateway-headers = ${?REQUIRE_GATEWAY_HEADERS} } keystore { path ="conf/t1cds.p12" path = ${?DS_KEYSTORE_PATH} password ="v8%j22HVvHEiC9>e" password = ${?DS_KEYSTORE_PASSWORD} alias ="t1cds" alias = ${?DS_KEYSTORE_ALIAS} } security { enabled =false enabled = ${?DS_SECURITY_ENABLED} jwt { ds-issuer ="t1c-ds" ds-issuer = ${?DS_ISSUER} # For example # idp-issuer ="https://idp.t1t.io/auth/realms/trust1connector" idp-issuer ="http://localhost:9999/auth/realms/trust1connector" idp-issuer = ${?DS_IDP_ISSUER} registration-token-validity-seconds =600 registration-token-validity-seconds = ${?DS_REG_TOKEN_VALIDITY_SECONDS} application-token-validity-seconds =600 application-token-validity-seconds = ${?DS_APP_TOKEN_VALIDITY_SECONDS} } } gateway { enabled =true enabled = ${?DS_GATEWAY_ENABLED} url ="http://localhost:8000" url = ${?DS_GATEWAY_URL} admin-url ="http://localhost:8001" admin-url = ${?DS_GATEWAY_ADMIN_URL} # If the DS isn't hosted on the root of the gateway, set the path prefix here ds-base-path = "" ds-base-path = ${?DS_GATEWAY_BASE_PATH} config { consumers { registration = "t1cds-reg" application = "t1cds-app" user = "t1cds-user" registration = ${?DS_GATEWAY_CONSUMER_REGISTRATION} application = ${?DS_GATEWAY_CONSUMER_APPLICATION} user = ${?DS_GATEWAY_CONSUMER_USER} } } }}slick { db.default.logSql=true dbs.default.profile = "slick.jdbc.PostgresProfile$" dbs.default.db.driver = "org.postgresql.Driver" dbs.default.db.url = "jdbc:postgresql://localhost:5433/t1c-ds" dbs.default.db.url = ${?T1C_DB_URL} dbs.default.db.user = "postgres" dbs.default.db.user = ${?T1C_DS_DB_USER} dbs.default.db.password = "postgres" dbs.default.db.password = ${?T1C_DS_DB_PWD} # dbs.default.db.numThreads = 20 # dbs.default.db.maxConnections = 20}## Evolutions# https://www.playframework.com/documentation/latest/Evolutions# ~~~~~# Evolutions allows database scripts to be automatically run on startup in dev mode# for database migrations. You must enable this by adding to build.sbt:## libraryDependencies += evolutions### Evolutionsplay.evolutions { db.default.enabled =true db.default.autoApply =true db.default.autoApplyDowns =true schema ="public" db.default.enabled = ${?T1C_EVOLUTIONS_ENABLED} db.default.autoApply = ${?T1C_EVOLUTIONS_AUTO} db.default.autoApplyDowns = ${?T1C_EVOLUTIONS_AUTO_DOWNS} schema = ${?T1C_EVOLUTIONS_SCHEMA}}# This is the main configuration file for the application.# https://www.playframework.com/documentation/latest/ConfigFile# https://www.playframework.com/documentation/latest/Configuration# ~~~~~# Play uses HOCONasitsconfigurationfileformat. HOCONhasanumber# of advantages over other config formats, but there are two things that# can be used when modifying settings.## You can include other configuration files in this main application.conf file:#include "extra-config.conf"## You can declare variables and substitute for them:#mykey = ${some.value}## And if an environment variable exists when there is no other subsitution, then# HOCON will fall back to substituting environment variable:#mykey = ${JAVA_HOME}## Akka# https://www.playframework.com/documentation/latest/ScalaAkka#Configuration# https://www.playframework.com/documentation/latest/JavaAkka#Configuration# ~~~~~# Play uses Akka internally and exposes Akka Streams and actors in Websockets and# other streaming HTTP responses.akka { # "akka.log-config-on-start" is extraordinarly useful because it log the complete # configuration at INFO level, including defaults and overrides, so it s worth # putting at the very top. # # Put the following in your conf/logback.xml file: # # <logger name="akka.actor" level="INFO"/> # # And then uncomment this line to debug the configuration. # #log-config-on-start =true}## Secret key# https://www.playframework.com/documentation/latest/ApplicationSecret# ~~~~~# The secret key is used to sign Play's session cookie.# This must be changed for production, but we don't recommend you change it in this file.play.http.secret.key = ${?PLAY_SECRET}pidfile.path = ${?PIDFILE_PATH}## Modules# https://www.playframework.com/documentation/latest/Modules# ~~~~~# Control which modules are loaded when Play starts. Note that modules are# the replacement for "GlobalSettings", which are deprecated in 2.5.x.# Please see https://www.playframework.com/documentation/latest/GlobalSettings# for more information.## You can also extend Play functionality by using one of the publically available# Play modules: https://playframework.com/documentation/latest/ModuleDirectoryplay.modules { # By default, Play will load any class called Module that is defined # in the root package (the "app" directory), or you can define them # explicitly below. # If there are any built-in modules that you want to disable, you can list them here. #enabled += my.application.Module # If there are any built-in modules that you want to disable, you can list them here. #disabled += ""}## IDE# https://www.playframework.com/documentation/latest/IDE# ~~~~~# Depending on your IDE, you can add a hyperlink for errors that will jump you# directly to the code location in the IDE in dev mode. The following line makes# use of the IntelliJ IDEA REST interface:#play.editor="http://localhost:63342/api/file/?file=%s&line=%s"## Internationalisation# https://www.playframework.com/documentation/latest/JavaI18N# https://www.playframework.com/documentation/latest/ScalaI18N# ~~~~~# Play comes with its own i18n settings, which allow the user's preferred language# to map through to internal messages, or allow the language to be stored in a cookie.play.i18n { # The application languages langs = [ "en" ] # Whether the language cookie should be secure or not #langCookieSecure = true # Whether the HTTP only attribute of the cookie should be set to true #langCookieHttpOnly = true}## Filters# https://www.playframework.com/documentation/latest/ScalaHttpFilters# https://www.playframework.com/documentation/latest/JavaHttpFilters# ~~~~~# Filters run code on every request. They can be used to perform# common logic for all your actions, e.g. adding common headers.#play.filters { # Enabled filters are run automatically against Play. # CSRFFilter, AllowedHostFilters, and SecurityHeadersFilters are enabled by default. # Disabled filters remove elements from the enabled list. disabled +=play.filters.hosts.AllowedHostsFilter}## Play HTTP settings# ~~~~~play.http { ## Router # https://www.playframework.com/documentation/latest/JavaRouting # https://www.playframework.com/documentation/latest/ScalaRouting # ~~~~~ # Define the Router object to use for this application. # This router will be looked up first when the application is starting up, # so make sure this is the entry point. # Furthermore, it's assumed your route file is named properly. # So for an application router like `my.application.Router`, # you may need to define a router file `conf/my.application.routes`. # Default to Routes in the root package (aka "apps" folder) (and conf/routes) #router =my.application.Router ## Action Creator # https://www.playframework.com/documentation/latest/JavaActionCreator # ~~~~~ #actionCreator =null ## ErrorHandler # https://www.playframework.com/documentation/latest/JavaRouting # https://www.playframework.com/documentation/latest/ScalaRouting # ~~~~~ # If null, will attempt to load a classcalledErrorHandlerintherootpackage, #errorHandler = null ## Session & Flash # https://www.playframework.com/documentation/latest/JavaSessionFlash # https://www.playframework.com/documentation/latest/ScalaSessionFlash # ~~~~~session { # Sets the cookie to be sent only over HTTPS. #secure =true # Sets the cookie to be accessed only by the server. #httpOnly =true # Sets the max-age field of the cookie to 5 minutes. # NOTE:thisonlysetswhenthebrowserwilldiscardthecookie. Playwillconsiderany # cookie value with a valid signature to be a valid session forever. To implement a server side session timeout, # you need to put a timestamp in the session and check it at regular intervals to possibly expire it. #maxAge =300 # Sets the domain on the session cookie. #domain ="example.com" } flash { # Sets the cookie to be sent only over HTTPS. #secure =true # Sets the cookie to be accessed only by the server. #httpOnly =true }}## Netty Provider# https://www.playframework.com/documentation/latest/SettingsNetty# ~~~~~play.server.netty { # Whether the Netty wire should be logged #log.wire =true # If you run Play on Linux, you can use Netty's native socket transport # for higher performance with less garbage. #transport = "native"}## WS (HTTP Client)# https://www.playframework.com/documentation/latest/ScalaWS#Configuring-WS# ~~~~~# The HTTP client primarily used for RESTAPIs. The default client can be# configured directly, but you can also create different client instances# with customized settings. You must enable this by adding to build.sbt:## libraryDependencies += ws // or javaWs if using java#play.ws { # Sets HTTP requests not to follow 302 requests #followRedirects = false # Sets the maximum number of open HTTP connections for the client. #ahc.maxConnectionsTotal = 50 ## WS SSL # https://www.playframework.com/documentation/latest/WsSSL # ~~~~~ ssl { # Configuring HTTPS with Play WS does not require programming. You can # set up both trustManager and keyManager for mutual authentication, and # turn on JSSE debugging in development with a reload. #debug.handshake =true #trustManager = { # stores = [ # { type ="JKS", path ="exampletrust.jks" } # ] #} }}## Cache# https://www.playframework.com/documentation/latest/JavaCache# https://www.playframework.com/documentation/latest/ScalaCache# ~~~~~# Play comes with an integrated cache API that can reduce the operational# overhead of repeated requests. You must enable this by adding to build.sbt:## libraryDependencies += cache#play.cache { # If you want to bind several caches, you can bind the individually #bindCaches = ["db-cache","user-cache","session-cache"]}## Filters# https://www.playframework.com/documentation/latest/ScalaHttpFilters# https://www.playframework.com/documentation/latest/JavaHttpFilters# ~~~~~# Filters run code on every request. They can be used to perform# common logic for all your actions, e.g. adding common headers.### Filter Configuration# https://www.playframework.com/documentation/latest/Filters# ~~~~~# There are a number of built-in filters that can be enabled and configured# to give Play greater security.#play.filters.disabled +=play.filters.csrf.CSRFFilterplay.filters { ## CORS filter configuration # https://www.playframework.com/documentation/latest/CorsFilter # ~~~~~ # CORS is a protocol that allows web applications to make requests from the browser # across different domains. # NOTE: You MUST apply the CORS configuration before the CSRF filter,asCSRFhas # dependencies on CORS settings. cors { # Filter paths by a whitelist of path prefixes #pathPrefixes = ["/some/path",...] # The allowed origins. If null, all origins are allowed. #allowedOrigins = ["https://www.example.com"] # The allowed HTTPmethods. If null, all methods are allowed #allowedHttpMethods = ["GET","POST"] } ## CSRF Filter # https://www.playframework.com/documentation/latest/ScalaCsrf#Applying-a-global-CSRF-filter # https://www.playframework.com/documentation/latest/JavaCsrf#Applying-a-global-CSRF-filter # ~~~~~ # Play supports multiple methods for verifying that a request is not a CSRF request. # The primary mechanism is a CSRFtoken. This token gets placed either in the query string # or body of every form submitted, and also gets placed in the users session. # Play then verifies that both tokens are present and match. csrf { # Sets the cookie to be sent only over HTTPS #cookie.secure =true # Defaults to CSRFErrorHandler in the root package. #errorHandler = MyCSRFErrorHandler } ## Security headers filter configuration # https://www.playframework.com/documentation/latest/SecurityHeaders # ~~~~~ # Defines security headers that prevent XSS attacks. # If enabled, then all options are set to the below configuration by default: headers { # The X-Frame-Options header. If null, the header is not set. #frameOptions ="DENY" # The X-XSS-Protection header. If null, the header is not set. #xssProtection ="1; mode=block" # The X-Content-Type-Options header. If null, the header is not set. #contentTypeOptions ="nosniff" # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set. #permittedCrossDomainPolicies ="master-only" # The Content-Security-Policy header. If null, the header is not set. #contentSecurityPolicy ="default-src 'self'" } ## Allowed hosts filter configuration # https://www.playframework.com/documentation/latest/AllowedHostsFilter # ~~~~~ # Play provides a filter that lets you configure which hosts can access your application. # This is useful to prevent cache poisoning attacks. hosts { # Allow requests to example.com, its subdomains, and localhost:9000. #allowed = [".example.com","localhost:9000"] }}
Kong
The Kong gateway can be configured in 2 ways:
By letting the DS bootstrap the gateway using its default and configured values
By running a script
The second option requires that the machine the script is executed on can access the admin API of the Kong Gateway.
DS Bootstrapping
Using a valid token obtained from Keycloak, execute the following request:
The name of the DS API service to create on the gateway. Can be freely chosen.
dsServiceHost
The hostname of the DS API service
dsPort
The port to which the gateway can proxy requests
Script
You can also run a script to configure the Kong gateway. However, you need to adjust the script to your needs prior to executing it. You must also run it on a device on which curl is available.
# Adjust the service host and port to the correct values,aswellasthegatewayadminURL# Create servicecurl \--verbose \--request PUT \--header 'Content-Type: application/json' \--data '{"name":"t1c-ds-v3","host":"t1c-ds","port":9000}' \'http://localhost:8001/services/t1c-ds-v3'# Create JWT Auth routecurl \--verbose \--request PUT \--header 'Content-Type: application/json' \ --data '{"name":"jwt-route","strip_path":false,"paths":["/v3/configurations/","/v3/configurations","/v3/devices/","/v3/devices","/v3/gateway/","/v3/labels/","/v3/labels","/v3/organizations/","/v3/organizations","/v3/registration/","/v3/versions/","/v3/versions","/v3/transactions/"]}' \
'http://localhost:8001/services/t1c-ds-v3/routes/jwt-route'# Create Key Auth routecurl \--verbose \--request PUT \--header 'Content-Type: application/json' \--data '{"name":"key-auth-route","strip_path":false,"paths":["/v3/tokens/"]}' \'http://localhost:8001/services/t1c-ds-v3/routes/key-auth-route'# Create No-Auth routecurl \--verbose \--request PUT \--header 'Content-Type: application/json' \ --data '{"name":"no-auth-route","strip_path":false,"paths":["/v3/system/","/v3/device/","/v3/downloads/","/rmc/","/rmc","/mgt/","/mgt","/"]}' \
'http://localhost:8001/services/t1c-ds-v3/routes/no-auth-route'# Create JWT route plugincurl \--verbose \--request POST \--header 'Content-Type: application/json' \--data '{"name":"jwt","route":{"name":"jwt-route"},"config":{"run_on_preflight":false,"claims_to_verify":["exp"]}}' \'http://localhost:8001/routes/jwt-route/plugins'# Create Key-Auth route plugincurl \--verbose \--request POST \--header 'Content-Type: application/json' \--data '{"name":"key-auth","route":{"name":"key-auth-route"},"config":{"run_on_preflight":false}}' \'http://localhost:8001/routes/key-auth-route/plugins'# Create User consumercurl \--verbose \--request PUT \--header 'Content-Type: application/json' \--data '{"username":"t1cds-user","custom_id":"t1cds-user"}' \'http://localhost:8001/consumers/t1cds-user'# Create Registration consumercurl \--verbose \--request PUT \--header 'Content-Type: application/json' \--data '{"username":"t1cds-reg","custom_id":"t1cds-reg"}' \'http://localhost:8001/consumers/t1cds-reg'# Create Application consumercurl \--verbose \--request PUT \--header 'Content-Type: application/json' \--data '{"username":"t1cds-app","custom_id":"t1cds-app"}' \'http://localhost:8001/consumers/t1cds-app'# Create Registration consumer JWTplugin. Replace the rsa_public_key by the PEM encoded DS public keycurl \--verbose \--request POST \--header 'Content-Type: application/json' \ --data '{"key":"t1cds-reg","algorithm":"RS256","rsa_public_key":"-----BEGIN PUBLIC KEY-----\n ... [[PEM PUBLIC KEY]] ... \n-----END PUBLIC KEY-----\n"}' \
'http://localhost:8001/consumers/t1cds-reg/jwt'# Create Application consumer JWTplugin. Replace the rsa_public_key by the PEM encoded DS public keycurl \--verbose \--request POST \--header 'Content-Type: application/json' \ --data '{"key":"t1cds-app","algorithm":"RS256","rsa_public_key":"-----BEGIN PUBLIC KEY-----\n ... [[PEM PUBLIC KEY]] ... \n-----END PUBLIC KEY-----\n"}' \
'http://localhost:8001/consumers/t1cds-app/jwt'# Create User consumer JWTplugin. Replace the rsa_public_key by the PEM encoded DS public keycurl \--verbose \--request POST \--header 'Content-Type: application/json' \ --data '{"key":"http://localhost:9999/auth/realms/trust1connector","algorithm":"RS256","rsa_public_key":"-----BEGIN PUBLIC KEY-----\n ... [[PEM PUBLIC KEY]] ... \n-----END PUBLIC KEY-----\n"}' \
'http://localhost:8001/consumers/t1cds-user/jwt'
The script contains requests to create every required entity on the Kong gateway. An overview can be found in the table below:
