@@ -5,6 +5,7 @@ This guide explains how to:
55 * set up the server address list file
66 * add certificates of other SORMAS instances to the local truststore
77 * add other servers to the local server list
8+ * handling self-signed ssl certificates on test systems
89
910### Prerequisites
1011
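Review bot: the new list item "handling self-signed ssl certificates on test systems" breaks the parallel imperative form of the three items above it ("set up", "add", "add"); suggest "handle self-signed SSL certificates on test systems", which also restores the capitalisation "SSL" used elsewhere in the guide.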
@@ -14,31 +15,40 @@ See [Installing Java](SERVER_SETUP.md#java-11)
1415### Using the certificate generation script
1516
16171 . Run `` bash ./generate-cert.sh ``
17- 2 . If the `` sormas2sormas `` directory is not found, you will be prompted to provide its path.
18- 3 . If the `` SORMAS_PROPERTIES `` environment variable is not available, the script will search for the `` sormas.properties ``
19- file in `` /opt/domains/sormas/sormas.properties `` by default. If it is not found there, you will be prompted to provide
20- the path to the `` sormas.properties `` file.
21- 4 . For the generation of the certificate, the following data is needed: a password, a * Common Name* (CN)
22- and an * Organization* (O). These may be set in environment variables (recommended), or provided
23- manually as the script executes.
24- * The password environment variable should be named `` SORMAS_S2S_CERT_PASS `` . Please note that the password has to be
25- at least 6 characters, or you will be prompted for a new one.
26- * the * Common Name* environment variable should be named `` SORMAS_S2S_CERT_CN `` .<br />
27- ** Important** : for Germany, this value should be the SurvNet Code Site. <br />
28- E.g. * 2.03.1.01.*
29- * the * Organization* (O) environment variable should be named `` SORMAS_S2S_CERT_ORG `` .<br />
18+ 2 . If the `` SORMAS2SORMAS_DIR `` environment variable is not available, the script will search for `` /opt/sormas2sormas `` by default.
19+ If it is not found there, you will be prompted to provide the pat to the * sormas2sormas* directory.
20+ 3 . If the `` SORMAS_DOMAIN_DIR `` environment variable is not available, the script will search for `` /opt/domains/sormas `` by default.<br >
21+ If it is not found there, you will be prompted to provide the path to the * sormas domain directory* .
22+ > If you don't have a local sormas installation, for example you are using the docker environment,
23+ > you can specify any existing directory and after the script finishes you will find a `` sormas.properties `` file there
24+ > that contains the necessary configuration that must be added to the `` sormas.properties `` file of your installation
25+ 4 . For the generation of the certificate, the following data is needed:
26+ an identifier of the * Organization* , the name of the * Organization* , the host name of the SORMAS server, the ** https** port of the server,
27+ a password for the certificate keystore and a password for the REST user to be used when sharing data through the REST api.
28+ These may be set in environment variables (recommended), or provided manually as the script executes.
29+
30+ * the identifier of the * Organization* environment variable should be named `` SORMAS_ORG_ID `` .
31+ This variable is also used as * Common Name* (CN) of the certificate<br />
32+ ** Important** : for Germany, this value should be the SORMAS SurvNet Code Site (e.g. 2.99.1.01 if the regular Code Site was 1.99.1.01). <br />
33+ * the name of the organization * Organization* (O) environment variable should be named `` SORMAS_ORG_NAME `` .<br />
3034 ** Important** : for Germany, this value should be the name of the Health Department (Gesundheitsamt)
3135 to which the SORMAS instance will be assigned. <br />
32- E.g. * GA Braunschweig*
36+ E.g. * GA Musterhausen*
37+ * the host name variable should be named `` SORMAS_HOST_NAME `` . <br />
38+ E.g. * sormas.gesundheitsamt-musterhausen.de*
39+ * the https port environment variable should be named `` SORMAS_HTTPS_PORT `` . If it is not found, you will be prompted to provide it.
40+ If you press enter without typing a port number the default 443 will be used.
41+ * The password environment variable should be named `` SORMAS_S2S_CERT_PASS `` . Please note that the password has to be
42+ at least 6 characters, or you will be prompted for a new one.
43+ * the REST user password environment variable should be named `` SORMAS_S2S_REST_PASSWORD `` .
44+ Please note that the password has to be at least 12 characters, or you will be prompted for a new one.
45+
33465 . After providing the requested data, the certificate files will be generated. <br />
3447 The generated certificate has a validity of 3 years.
3548 The certificate files will be available in the root SORMAS directory, in the folder `` /sormas2sormas `` .
36496 . A CSV file containing the access data for this instance will also be generated in the folder `` /sormas2sormas `` .
37- It will be named `` server-access-data.csv `` .
38- The file will contain on the first two columns of the first row the Common Name and the Organization, as provided
39- when creating the certificate. <br />
40- ** Please fill in on the third column the full URL of the server.** <br />
41- You will also have to set up a user for communicating with other SORMAS instances.
50+ It will be named `` {host name}-server-access-data.csv `` .
51+ The file will contain the organization identifier, organization name, host name and the REST user password.<br />
42527 . The generated `` .p12 `` file should not be shared with third parties. <br />
4353 The generated `` .crt `` file will be verified and shared with other SORMAS instances, from which this instance
4454 will be able to request data. Conversely, in order to enable other SORMAS instances to request data from this
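Review bot: the access-data CSV now carries a credential but the text does not say so: step 6 states the file "will contain the organization identifier, organization name, host name and the REST user password", and step 7 warns only that the `.p12` must not be shared. Since this CSV is the file handed to other instances (see the import steps later in this guide), add a sentence that it contains the REST user password in clear text, must be exchanged over a secure channel and deleted once imported. Smaller points in the same hunk: "provide the pat to the sormas2sormas directory" should read "path"; `<br >` after the `/opt/domains/sormas` sentence should be `<br />` to match the rest of the file; "the name of the organization *Organization* (O) environment variable" is doubled and can become "the *Organization* (O) name environment variable"; and the unchanged context line "The certificate files will be available in the root SORMAS directory, in the folder `/sormas2sormas`" is now stale, because step 2 makes the location `SORMAS2SORMAS_DIR` with a default of `/opt/sormas2sormas`, so the two should be reconciled.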
@@ -53,23 +63,42 @@ To enable other SORMAS instances to send and receive data from this instance, th
5363truststore of this instance. Furthermore, the access data of other instances must be added to the local server
5464list. To complete this setup, please follow the next steps:
55651 . Run `` bash ./import-to-truststore.sh ``
56- 2 . If the `` sormas2sormas `` directory is not found, you will be prompted to provide its path.
57- 3 . If the `` SORMAS_PROPERTIES `` environment variable is not available, the script will search for the `` sormas.properties ``
58- file in `` /opt/domains/sormas/sormas.properties `` by default. If it is not found there, you will be prompted to provide
59- the path to the `` sormas.properties `` file.
66+ 2 . If the `` SORMAS2SORMAS_DIR `` environment variable is not available, the script will search for `` /opt/sormas2sormas `` by default.
67+ If it is not found there, you will be prompted to provide the path to the * sormas2sormas* directory.
68+ 3 . If the `` SORMAS_DOMAIN_DIR `` environment variable is not available, the script will search for `` /opt/domains/sormas `` by default.
69+ If it is not found there, you will be prompted to provide the path to the * sormas domain directory* .
70+ > If you don't have a local sormas installation, for example you are using the docker environment,
71+ > you can specify any existing directory and after the script finishes you will find a `` sormas.properties `` file there
72+ > that contains the necessary configuration that must be added to the `` sormas.properties `` file of your installation
73+
60744 . If `` sormas2sormas.truststore.p12 `` is not found in the folder `` /sormas2sormas `` , it will be created.
6175 The truststore password may be provided in an environment variable `` SORMAS_S2S_TRUSTSTORE_PASS `` .
6276 * If the aforementioned environment variable is not available, the truststore password will be searched in the
6377 `` sormas.properties `` file.
6478 * If it is not found there, you will be prompted to provide the truststore password.
6579 * The relevant properties will be automatically set by the script in the `` sormas.properties `` file.
66805 . If the server address list file `` server-list.csv `` is not found in the folder `` /sormas2sormas `` , it will also be created.
67- 6 . You will be prompted to provide the file name of the certificate to be imported. This certificate should be located
68- in the `` /sormas2sormas `` folder. Please provide the name including the extension. E.g `` mycert.crt ``
81+ 6 . You will be prompted to provide the * host name* of the organization that's certificate is being imported.
82+ If the certificate was generated with the ` generate-cert.sh ` script, the identifier can be found at the beginning of the file.
83+ This certificate should be located in the `` /sormas2sormas `` folder.
69847 . After providing the requested data, the certificate will be imported to the truststore.
70- 8 . You should have also received a CSV file with the server access data. From this file, copy the line corresponding to the
71- instance you would like to communicate with and add it to the local server address list file. This file is named
72- `` server-list.csv `` and is located in the `` /sormas2sormas `` folder. <br />
73- * Note* : You may check that the Common Name and the Organization of the certificate match the ones corresponding to
74- the server in the CSV file.
75- 9 . You may now delete the `` .crt `` file.
85+ 8 . The content of the `` server-access-data.csv `` provided together with the certificate will be copied to the `` server-list.csv `` file.
86+ 9 . You may now delete the `` .crt `` and `` server-access-data.csv `` files.
87+
88+ 10 . * Optional for test systems and other systems with self-signed ssl certificates* <br >
89+ You must import the SSL certificate of the other server into the `` cacerts.jks `` of your sormas domain.
90+ * For getting the SSL certificate you can use `` openssl `` <br >
91+ e.g.
92+ ``` shell script
93+ openssl s_client -showcerts -servername sormas.gesundheitsamt-musterhausen.de -connect sormas.gesundheitsamt-musterhausen.de:443 < /dev/null | sed -ne ' /-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.cer
94+ ```
95+ * To import the SSL certificate you can use ` ` keytool` ` < br>
96+ e.g.
97+ ` ` ` shell script
98+ keytool -importcert -trustcacerts -noprompt -keystore /opt/domains/sormas/config/cacerts.jks -alias sormas_dev -storepass changeit -file certificate.cer
99+ ` ` `
100+ Note that the alias can be used only once.
101+
102+ After the certificate is generated and at least one other certificate is imported,
103+ on some pages of the application you will see a new box with a * Share* button and information about sharing.
104+
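Review bot: the keytool example imports a certificate with `-noprompt`, which suppresses the fingerprint confirmation, and this is precisely the case (a self-signed certificate on a test system) where nothing else validates it; add a line telling the reader to compare the certificate's fingerprint with the operator of the other server before importing, and note that `-storepass changeit` is the Java default for `cacerts.jks` and must be replaced if the domain's truststore password was changed. The sentence "Note that the alias can be used only once" would be clearer as "each imported certificate needs its own unique `-alias`". Rendering defects in the same hunk: the inline code "` ` keytool` `" and the second fence "` ` ` shell script" / "` ` `" have space-separated backticks and will not render as code, `< br>` and the two `<br >` occurrences should be `<br />`, and the fence info string should be plain `shell`. Consistency: step 6 asks for the "*host name* of the organization that's certificate is being imported" but then says "the identifier can be found at the beginning of the file"; use one term (host name) and fix "that's" to "whose". Step 8 refers to `server-access-data.csv`, while the generation steps earlier in this guide name the file `{host name}-server-access-data.csv`; align the two. The blockquote about the docker environment is repeated verbatim from the generate-cert section; a cross-reference would avoid the two copies drifting apart.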