removing the default encryption cert/key; adding information about ge…

…nerating SP key/cert as well as an other option for setting up the database.
docker · Apr 24, 2018 · dc872c7 · dc872c7
1 parent 70dd9f3
commit dc872c7
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -111,6 +111,8 @@ RUN groupadd -r tomcat \
     && chown -R tomcat:tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
     && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/
 
+RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
+
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin/ /usr/local/bin/
 COPY container_files/httpd/* /etc/httpd/conf.d/

diff --git a/README.md b/README.md
@@ -139,7 +139,9 @@ The Grouper UI also requires some basic Shibboleth SP configuration. The `/etc/s
 - set the SP's encryption keys
 - the identity attribute of the subject to be passed to Grouper
 
-If encryption keys are defined in the `shibboleth2.xml` file, then the key/cert files should be provided as well. The `attribute-map.xml` file has most of the common identity attributes pre-configured, but it (and other Shibboleth SP files) can be overlaid/replaced as necessary. 
+If encryption keys are defined in the `shibboleth2.xml` file, then the key/cert files should be provided as well. The `attribute-map.xml` file has most of the common identity attributes pre-configured, but it (and other Shibboleth SP files) can be overlaid/replaced as necessary.
+
+(See the section below.)
 
 ## General Configuration Mechanism
 
@@ -254,6 +256,73 @@ $ docker run -it --rm \
 
 Note: a less privileged database user maybe used when running the typical Grouper roles. This user needs SELECT, INSERT, UPDATE, and DELETE privileges on the schema objects.
 
+# Provisioning a Grouper Database
+
+Using standard methods, create a MariaDb Server and an empty Grouper database. Create a database user with privileges to create and populate schema objects. Set the appropriate database connection properties in `grouper.hibernate.properties`. Be sure to the user created with schema manipulation privileges as the db user.
+
+Next populate the database by using the following command.
+
+```console
+$ docker container run -it --rm \
+  --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
+  tier/grouper gsh -registry -check -runscript -noprompt
+```
+
+Also, it is possible to just connect directly to the container, create the DDL, and copy it out:
+
+```console
+$ docker container run -it --name grouper \
+  --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
+  tier/grouper
+
+  gsh -registry -check
+
+  exit
+
+$ docker container cp grouper:/opt/grouper/grouper.apiBinary/ddlScripts/ .
+$ docker container rm -f grouper
+``` 
+The generated DDL will be on the host in the `ddlScripts` directory.
+
+Note: a less privileged database user maybe used when running the typical Grouper roles. This user needs SELECT, INSERT, UPDATE, and DELETE privileges on the schema objects.
+
+# Configuring the SP 
+
+The Shibboleth SP needs to be configured to integrate with one or more SAML IdPs. Reference the Shibboleth SP documentation for specific instructions, but here is information on generating an encryption key/cert pair and mounting them (all of which are environment specific) and the shibboleth2.xml into the container.
+
+1. Start a temporary container and generate the key/cert pair:
+```
+$ docker container run -it --name grouper \
+  tier/grouper bash
+
+cd /etc/shibboleth
+./keygen.sh -f -h <public_hostname> 
+exit 
+```
+
+1. Copy the key, cert, and `shibboleth2.xml` files out of the container (and remove the container)
+```console
+$ docker container cp grouper:/etc/shibboleth/shibboleth2.xml .
+$ docker container cp grouper:/etc/shibboleth/sp-cert.pem .
+$ docker container cp grouper:/etc/shibboleth/sp-key.pem .
+
+$ docker container rm grouper
+```
+
+1. After updating the `shibboleth2.xml` file, save the key, cert, and shibboleth2.xml as secrets/config:
+```console
+$ docker secret create sp-key.pem sp-key.pem
+$ docker config create sp-cert.pem sp-cert.pem
+$ docker config create shibboleth2.xml shibboleth2.xml
+```
+
+1. Add the following to the service creation command to mount the environment specific settings:
+```
+  --secret source=sp-key.pem.pem,target=shib_sp-key.pem \
+  --config source=sp-cert.pem,target=/etc/shibboleth/sp-cert.pem \
+  --config source=shibboleth2.xml,target=/etc/shibboleth/shibboleth2.xml \
+```
+
 # Logging
 
 This image outputs logs in a manner that is consistent with Docker Logging. Each log entry is prefaced with the submodule name (e.g. shibd, httpd, tomcat, grouper), the logfile name (e.g. access_log, grouper_error.log, catalina.out) and user definable environment name and a user definable token. Content found after the preface will be specific to the application ands its logging configuration.