From dc872c73d94f962dc6d4eacb71c41552f13e83c2 Mon Sep 17 00:00:00 2001
From: John Gasper <jtgasper3@gmail.com>
Date: Mon, 23 Apr 2018 17:10:40 -0700
Subject: [PATCH] removing the default encryption cert/key; adding information
 about generating SP key/cert as well as an other option for setting up the
 database.

---
 Dockerfile |  2 ++
 README.md  | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f4c63ac8..6723853c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -111,6 +111,8 @@ RUN groupadd -r tomcat \
     && chown -R tomcat:tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/work/ \
     && chown -R tomcat:tomcat /opt/tomee/logs/ /opt/tomee/temp/ /opt/tomee/work/
 
+RUN rm /etc/shibboleth/sp-key.pem /etc/shibboleth/sp-cert.pem
+
 COPY container_files/tier-support/ /opt/tier-support/
 COPY container_files/usr-local-bin/ /usr/local/bin/
 COPY container_files/httpd/* /etc/httpd/conf.d/
diff --git a/README.md b/README.md
index c3562ae9..623647ed 100644
--- a/README.md
+++ b/README.md
@@ -139,7 +139,9 @@ The Grouper UI also requires some basic Shibboleth SP configuration. The `/etc/s
 - set the SP's encryption keys
 - the identity attribute of the subject to be passed to Grouper
 
-If encryption keys are defined in the `shibboleth2.xml` file, then the key/cert files should be provided as well. The `attribute-map.xml` file has most of the common identity attributes pre-configured, but it (and other Shibboleth SP files) can be overlaid/replaced as necessary. 
+If encryption keys are defined in the `shibboleth2.xml` file, then the key/cert files should be provided as well. The `attribute-map.xml` file has most of the common identity attributes pre-configured, but it (and other Shibboleth SP files) can be overlaid/replaced as necessary.
+
+(See the section below.)
 
 ## General Configuration Mechanism
 
@@ -254,6 +256,73 @@ $ docker run -it --rm \
 
 Note: a less privileged database user maybe used when running the typical Grouper roles. This user needs SELECT, INSERT, UPDATE, and DELETE privileges on the schema objects.
 
+# Provisioning a Grouper Database
+
+Using standard methods, create a MariaDb Server and an empty Grouper database. Create a database user with privileges to create and populate schema objects. Set the appropriate database connection properties in `grouper.hibernate.properties`. Be sure to the user created with schema manipulation privileges as the db user.
+
+Next populate the database by using the following command.
+
+```console
+$ docker container run -it --rm \
+  --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
+  tier/grouper gsh -registry -check -runscript -noprompt
+```
+
+Also, it is possible to just connect directly to the container, create the DDL, and copy it out:
+
+```console
+$ docker container run -it --name grouper \
+  --mount type=bind,src=$(pwd)/grouper.hibernate.properties,dst=/run/secrets/grouper_grouper.hibernate.properties \
+  tier/grouper
+
+  gsh -registry -check
+
+  exit
+
+$ docker container cp grouper:/opt/grouper/grouper.apiBinary/ddlScripts/ .
+$ docker container rm -f grouper
+``` 
+The generated DDL will be on the host in the `ddlScripts` directory.
+
+Note: a less privileged database user maybe used when running the typical Grouper roles. This user needs SELECT, INSERT, UPDATE, and DELETE privileges on the schema objects.
+
+# Configuring the SP 
+
+The Shibboleth SP needs to be configured to integrate with one or more SAML IdPs. Reference the Shibboleth SP documentation for specific instructions, but here is information on generating an encryption key/cert pair and mounting them (all of which are environment specific) and the shibboleth2.xml into the container.
+
+1. Start a temporary container and generate the key/cert pair:
+```
+$ docker container run -it --name grouper \
+  tier/grouper bash
+
+cd /etc/shibboleth
+./keygen.sh -f -h <public_hostname> 
+exit 
+```
+
+1. Copy the key, cert, and `shibboleth2.xml` files out of the container (and remove the container)
+```console
+$ docker container cp grouper:/etc/shibboleth/shibboleth2.xml .
+$ docker container cp grouper:/etc/shibboleth/sp-cert.pem .
+$ docker container cp grouper:/etc/shibboleth/sp-key.pem .
+
+$ docker container rm grouper
+```
+
+1. After updating the `shibboleth2.xml` file, save the key, cert, and shibboleth2.xml as secrets/config:
+```console
+$ docker secret create sp-key.pem sp-key.pem
+$ docker config create sp-cert.pem sp-cert.pem
+$ docker config create shibboleth2.xml shibboleth2.xml
+```
+
+1. Add the following to the service creation command to mount the environment specific settings:
+```
+  --secret source=sp-key.pem.pem,target=shib_sp-key.pem \
+  --config source=sp-cert.pem,target=/etc/shibboleth/sp-cert.pem \
+  --config source=shibboleth2.xml,target=/etc/shibboleth/shibboleth2.xml \
+```
+
 # Logging
 
 This image outputs logs in a manner that is consistent with Docker Logging. Each log entry is prefaced with the submodule name (e.g. shibd, httpd, tomcat, grouper), the logfile name (e.g. access_log, grouper_error.log, catalina.out) and user definable environment name and a user definable token. Content found after the preface will be specific to the application ands its logging configuration.