feat: Changes of how we publish Global Configuration over https on the Central Server (#1817)

* feat: changes of how we publish global configuration over https on the central server

Refs: XRDDEV-2493

* fix: little code fixes

Refs: XRDDEV-2493

* fix: tests fixes

Refs: XRDDEV-2493

* docs: Central Server installation guide update

Refs: XRDDEV-2493

* fix: central server network diagram fix

Refs: XRDDEV-2493

* fix: little fix

Refs: XRDDEV-2493

* fix: image background change

Refs: XRDDEV-2493

* fix: image resolution change

Refs: XRDDEV-2493
enelir authored Oct 18, 2023
1 parent 72518cb commit 58c9f50
Showing 34 changed files with 125 additions and 707 deletions.
16 changes: 9 additions & 7 deletions ansible/roles/xroad-cs/tasks/ubuntu.yml
@@ -6,13 +6,15 @@
vtype: "string" # parametrize if you add a different type of question to item list
value: "{{ item.value }}"
with_items:
- { question: "xroad-common/username", value: "{{ xroad_ui_user }}" }
- { question: "xroad-common/database-host", value: "{{ database_host }}" }
- { question: "xroad-common/admin-subject", value: "/CN={{ inventory_hostname }}" }
- { question: "xroad-common/admin-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" }
- { question: "xroad-common/service-subject", value: "/CN={{ inventory_hostname }}" }
- { question: "xroad-common/service-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" }
- { question: "xroad-common/skip-cs-db-migrations", value: "false" }
- { question: "xroad-common/username", value: "{{ xroad_ui_user }}" }
- { question: "xroad-common/database-host", value: "{{ database_host }}" }
- { question: "xroad-common/admin-subject", value: "/CN={{ inventory_hostname }}" }
- { question: "xroad-common/admin-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" }
- { question: "xroad-common/service-subject", value: "/CN={{ inventory_hostname }}" }
- { question: "xroad-common/service-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" }
- { question: "xroad-common/global-conf-subject", value: "/CN={{ inventory_hostname }}" }
- { question: "xroad-common/global-conf-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" }
- { question: "xroad-common/skip-cs-db-migrations", value: "false" }
tags:
- install-xroad-cs-packages
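Review bot: the two new debconf answers `xroad-common/global-conf-subject` and `xroad-common/global-conf-altsubject` are hard-wired to `inventory_hostname` and `ansible_default_ipv4.address`, exactly like the admin and service certificates. This certificate secures the endpoint Security Servers fetch the global configuration from, so the names it carries must match the address those servers actually connect to; when the Central Server sits behind NAT, `ansible_default_ipv4.address` is the internal interface address and the public/NAT address is absent from the alternative names, which makes client-side certificate validation fail. Consider exposing subject and altsubject through role variables (as `xroad_ui_user` and `database_host` already are) with these as defaults, and documenting the new questions alongside the existing ones.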

13 changes: 10 additions & 3 deletions doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md
@@ -1,6 +1,6 @@
# X-Road: Central Server Installation Guide <!-- omit in toc -->

Version: 2.35
Version: 2.36
Doc. ID: IG-CS

---
@@ -52,7 +52,8 @@ Doc. ID: IG-CS
| 23.05.2023 | 2.32 | Backup Encryption Configuration | Eneli Reimets |
| 31.05.2023 | 2.33 | Add Central Server network diagram | Petteri Kivimäki |
| 28.06.2023 | 2.34 | Update database properties to the new Spring datasource version | Raido Kaju |
| 13.09.2023 | 2.35 | Database integrity check errors before center upgrade | Eneli reimets |
| 13.09.2023 | 2.35 | Database integrity check errors before center upgrade | Eneli Reimets |
| 14.10.2023 | 2.36 | Add Global configuration distribution over https | Eneli Reimets |

## Table of Contents <!-- omit in toc -->
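Review bot: the new changelog row writes the protocol as "https" while the bullet added further down in the same guide writes "HTTPS"; pick one spelling for the whole document. A one-word hint of what changed for operators ("new TLS certificate prompt, port 443 opened") would also make the row more useful than the generic "Add Global configuration distribution over https".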

@@ -164,6 +165,7 @@ Caution: Data necessary for the functioning of the operating system is not inclu
| 1.8 | | Central Server public IP address, NAT address |
| 1.9 | <by default, the server’s IP addresses and names are added to the certificate’s Distinguished Name (DN) field> | Information about the user interface TLS certificate |
| 1.10 | <by default, the server’s IP addresses and names are added to the certificate’s Distinguished Name (DN) field> | Information about the services TLS certificate |
| 1.11 | <by default, the server’s IP addresses and names are added to the certificate’s Distinguished Name (DN) field> | Information about the global configuration TLS certificate |

It is strongly recommended to protect the Central Server from unwanted access using a firewall (hardware or software based). The firewall can be applied to both incoming and outgoing connections depending on the security requirements of the environment where the Central Server is deployed. It is recommended to allow incoming traffic to specific ports only from explicitly defined sources using IP filtering. **Special attention should be paid with the firewall configuration since incorrect configuration may leave the Central Server vulnerable to exploits and attacks.**
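Review bot: row 1.11 copies from 1.9 and 1.10 the statement that the server's IP addresses and names are added to the certificate's Distinguished Name (DN) field, but the installation prompt documented later in this guide enters them as alternative names (`IP:…,DNS:…`), i.e. the Subject Alternative Name extension; the DN only carries the `/CN=` value. Correct the wording in the new row (and in 1.9/1.10 while here), and add a reminder that for this certificate in particular the alternative names must include the address Security Servers reach the Central Server on, which is the public/NAT address from row 1.8 when the server is behind NAT; otherwise the clients cannot validate the certificate.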

@@ -178,7 +180,7 @@ The table below lists the required connections between different components. Ple
**Connection Type** | **Source** | **Target** | **Target Ports** | **Protocol** | **Note** |
-----------|-----------------------------------|-------------------------------|------------|-----------|---------------------------------------------------------------------------------------------|
Out | Monitoring Security Server | X-Road Member Security Server | 5500, 5577 | tcp | Operational and environmental monitoring data collection |
In | X-Road Member Security Server | Central Server | 80 | tcp | Global configuration distribution |
In | X-Road Member Security Server | Central Server | 80, 443 | tcp | Global configuration distribution |
In | X-Road Member Security Server | Central Server | 4001 | tcp | Authentication certificate registration requests from X-Road Members' Security Servers |
In | Management Security Server | Central Server | 4002 | tcp | Source in the internal network. Management service requests from Management Security Server |
In | X-Road Member Security Server | Management Security Server | 5500, 5577 | tcp | Management service requests from X-Road Members' Security Servers |
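Review bot: the row now lists both 80 and 443 for global configuration distribution, but the Note column does not say whether port 80 is still required once HTTPS distribution is available, nor whether Security Servers fall back from 443 to 80. Operators derive their firewall rules from this table (the guide recommends allowing incoming traffic to specific ports only from explicitly defined sources), so state which port is needed for which client versions and whether 80 can be closed in an HTTPS-only deployment, so the plain-HTTP path is not left open by default.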
@@ -305,6 +307,11 @@ Upon the first installation of the Central Server software, the system asks for
The certificate owner’s Distinguished Name must be entered in the format: `/CN=server.domain.tld`
All IP addresses and domain names in use must be entered as alternative names in the format: `IP:1.2.3.4,IP:4.3.2.1,DNS:servername,DNS:servername2.domain.tld`

- Identification of the TLS certificate that is used for securing the HTTPS access point used for global configuration distribution (reference data: 1.7; 1.11). The name and IP addresses detected from the operating system are suggested as default values.

The certificate owner’s Distinguished Name must be entered in the format: `/CN=server.domain.tld`.
All IP addresses and domain names in use must be entered as alternative names in the format: `IP:1.2.3.4,IP:4.3.2.1,DNS:servername,DNS:servername2.domain.tld`

### 2.8 Installing the Support for Hardware Tokens

To configure support for hardware security tokens (smartcard, USB token, Hardware Security Module), act as follows.
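Review bot: the new bullet mirrors the services-certificate text but does not say how Security Servers establish trust in this certificate: whether a self-signed certificate is accepted and how the certificate or its fingerprint is distributed to them, or whether it must chain to a CA they already trust. Without that, an operator cannot tell whether the HTTPS access point protects the global configuration download against tampering in transit or merely encrypts it. Also, the DN sentence in the new bullet ends with a period while the one it copies above does not; align the punctuation.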
22 changes: 10 additions & 12 deletions doc/Manuals/img/ig-cs_network_diagram.drawio
@@ -1,6 +1,6 @@
<mxfile host="Electron" modified="2023-05-31T10:23:01.511Z" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/21.2.8 Chrome/112.0.5615.165 Electron/24.2.0 Safari/537.36" etag="M67h9QyM8oEZq7rdtPbE" version="21.2.8" type="device">
<mxfile host="Electron" modified="2023-10-14T07:05:41.366Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/21.3.7 Chrome/112.0.5615.204 Electron/24.5.0 Safari/537.36" etag="WoXBSF3xkaiQtxA4mqvJ" version="21.3.7" type="device">
<diagram id="JbDlwLFTd4TnMdRyGuPK" name="Ubuntu">
<mxGraphModel dx="1941" dy="769" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
<mxGraphModel dx="2173" dy="783" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
<root>
<mxCell id="0" />
<mxCell id="1" parent="0" />
@@ -101,10 +101,10 @@
</mxGeometry>
</mxCell>
<mxCell id="u03GMos91zHW6Dz8kfea-3" value="" style="shape=image;verticalLabelPosition=bottom;labelBackgroundColor=#ffffff;verticalAlign=top;aspect=fixed;imageAspect=0;image=data:image/svg+xml,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;" parent="1" vertex="1">
<mxGeometry x="350" y="214.0792148437497" width="20" height="18" as="geometry" />
<mxGeometry x="350" y="185.0792148437497" width="20" height="18" as="geometry" />
</mxCell>
<mxCell id="u03GMos91zHW6Dz8kfea-2" value="&lt;font color=&quot;#663cdc&quot;&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; Security&lt;br&gt;Server&lt;/font&gt;" style="rounded=1;whiteSpace=wrap;html=1;strokeColor=#663CDC;strokeWidth=2;fillColor=none;" parent="1" vertex="1">
<mxGeometry x="320" y="200.99999999999977" width="80" height="79.24375" as="geometry" />
<mxGeometry x="321" y="173.99999999999977" width="80" height="79.24375" as="geometry" />
</mxCell>
<mxCell id="LwSU-SxfXM3Ihz1b4emU-20" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;edgeStyle=orthogonalEdgeStyle;strokeColor=#663CDC;" parent="1" source="u03GMos91zHW6Dz8kfea-27" target="LwSU-SxfXM3Ihz1b4emU-5" edge="1">
<mxGeometry relative="1" as="geometry">
@@ -139,8 +139,8 @@
<mxPoint x="370" y="410" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="LwSU-SxfXM3Ihz1b4emU-28" value="IN&lt;br&gt;80/tcp&lt;br&gt;4001/tcp" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=14;fontColor=#663CDC;" parent="1" vertex="1" connectable="0">
<mxGeometry x="239.99965517241372" y="420.001875" as="geometry">
<mxCell id="LwSU-SxfXM3Ihz1b4emU-28" value="IN&lt;br&gt;80/tcp&lt;br&gt;443/tcp&lt;br&gt;4001/tcp" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=14;fontColor=#663CDC;" parent="1" vertex="1" connectable="0">
<mxGeometry x="239.99965517241372" y="399.001875" as="geometry">
<mxPoint x="121" y="-89" as="offset" />
</mxGeometry>
</mxCell>
@@ -149,29 +149,27 @@
<mxPoint x="380" y="300.24374999999986" as="sourcePoint" />
<mxPoint x="380" y="420" as="targetPoint" />
<Array as="points">
<mxPoint x="280" y="241" />
<mxPoint x="200" y="241" />
<mxPoint x="200" y="212" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="LwSU-SxfXM3Ihz1b4emU-40" value="&lt;span style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;IN&lt;/span&gt;&lt;br style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;&lt;span style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;5500/tcp&lt;/span&gt;&lt;br style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;&lt;span style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;5577/tcp&lt;/span&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="LwSU-SxfXM3Ihz1b4emU-33" vertex="1" connectable="0">
<mxGeometry x="0.7486" relative="1" as="geometry">
<mxPoint x="-0.009999999999999787" y="-35.17" as="offset" />
<mxPoint y="-54" as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="LwSU-SxfXM3Ihz1b4emU-36" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;strokeColor=#663CDC;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="LwSU-SxfXM3Ihz1b4emU-8" target="u03GMos91zHW6Dz8kfea-2" edge="1">
<mxGeometry relative="1" as="geometry">
<mxPoint x="530" y="409.9999999999998" as="sourcePoint" />
<mxPoint x="710" y="291.00374999999985" as="targetPoint" />
<Array as="points">
<mxPoint x="520" y="241" />
<mxPoint x="400" y="241" />
<mxPoint x="520" y="212" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="LwSU-SxfXM3Ihz1b4emU-38" value="&lt;span style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;OUT&lt;/span&gt;&lt;br style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;&lt;span style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;5500/tcp&lt;/span&gt;&lt;br style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;&lt;span style=&quot;color: rgb(102 , 60 , 220) ; font-size: 14px&quot;&gt;5577/tcp&lt;/span&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="LwSU-SxfXM3Ihz1b4emU-36" vertex="1" connectable="0">
<mxGeometry x="-0.5598" y="1" relative="1" as="geometry">
<mxPoint x="0.9899999999999984" y="-10.619999999999997" as="offset" />
<mxPoint x="1" y="-23" as="offset" />
</mxGeometry>
</mxCell>
</root>
Binary file modified doc/Manuals/img/ig-cs_network_diagram.png

0 comments on commit 58c9f50
