[WIFI-2919] Create a dockerfile for ucentralsec and ucentralfms services and add it to docker-compose (#30)

* Add dev-microservice branch to CI workflow and adapt ports in Dockerfile

* Added new microservices and related files to Docker Compose deployment

* Add centralized location for certs and add script for include ca cert in containers system trust store

* Re-add exposed ports to Dockerfile

* Add ucentralsec DB env variables to correct file

* Fix rttys cert location and add-ca-cert.sh script

* Adapt .gitignore to new directory structure

* Update README.md

* Update README.md

* Use uCentralGW master tag by default since branch will be merged anyway

.github/workflows/ci.yml

@@ -7,9 +7,11 @@ on:
       - '**.md'
     branches:
       - master
+      - dev-microservice
   pull_request:
     branches:
       - master
+      - dev-microservice
 
 defaults:
   run:

.github/workflows/cleanup.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - master
+      - dev-microservice
     types: [ closed ]
 
 defaults:
@@ -14,4 +15,4 @@ jobs:
   cleanup:
     runs-on: ubuntu-latest
     steps:
-      - run: curl -uucentral:${{ secrets.DOCKER_REGISTRY_PASSWORD }} -X DELETE "https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral/ucentralgw/${GITHUB_HEAD_REF#refs/heads/}"
+      - run: curl -uucentral:${{ secrets.DOCKER_REGISTRY_PASSWORD }} -X DELETE "https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral/ucentralgw/${GITHUB_HEAD_REF#refs/heads/}"

.gitignore

@@ -15,10 +15,11 @@ _deps
 /uploads/
 /logs/
 /certs/
-/docker-compose/ucentral-data/logs
-/docker-compose/ucentral-data/uploads
-/docker-compose/ucentral-data/data
+/docker-compose/certs/
+/docker-compose/*-data/data/
+/docker-compose/*-data/uploads/
 /docker-compose/.env
+/docker-compose/.env_*
 /cmake-build/
 /uploads/
 test_scripts/curl/token.json

Dockerfile

@@ -39,7 +39,7 @@ RUN cmake --build . --config Release -j8
 FROM alpine
 
 RUN mkdir /ucentral
-RUN mkdir /ucentral-data
+RUN mkdir /ucentralgw-data
 RUN apk add --update --no-cache librdkafka mariadb-connector-c libpq unixodbc
 
 COPY --from=builder /ucentralgw/cmake-build/ucentralgw /ucentral/ucentralgw
@@ -47,8 +47,9 @@ COPY --from=builder /cppkafka/cmake-build/src/lib/* /lib/
 COPY --from=builder /poco/cmake-build/lib/* /lib/
 
 EXPOSE 15002
-EXPOSE 15015
-EXPOSE 16001
+EXPOSE 16002
 EXPOSE 16003
+EXPOSE 17002
+EXPOSE 16102
 
 ENTRYPOINT /ucentral/ucentralgw

README.md

@@ -499,15 +499,22 @@ service. The path is defined under `logging.channels.c2.path`. Only `path names`
 environment variables. Here is a sample configuration:
 
 ### Docker Compose
-The repository also contains a Docker Compose file, which you can use to instantiate a complete deployment of uCentralGW and related components for local development purposes. To spin up a local development environment:
+The repository also contains a Docker Compose file, which you can use to instantiate a complete deployment of the uCentral microservices and related components for local development purposes. To spin up a local development environment:
 1. Switch into the project directory with `cd docker-compose/`.
-2. Copy your certificates into the `ucentral-data/certs/` directory and reference them in the appropriate sections of the configuration file located at `ucentral-data/ucentralgw.properties`. For more information on which certificates you need please see the [certificates section](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw#certificates) of this README and/or [CERTIFICATES.md](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/CERTIFICATES.md).  
-Be aware that the `rttys` service also uses the same certificate and key file which is used for the REST API component of uCentralGW. If you want to change that make sure to adapt the configuration in that regard.
-4. Docker Compose pulls the ucentralgw image from the JFrog repository. If you want to change the image tag or some of the image versions which are used for the other services, have a look into the `.env` file. You'll also find service specific `.env` files in this directory. Edit them if you want to change database passwords (highly recommended!) or some other configuration data. Don't forget to adapt your changes in the application configuration files.
-5. Open `ucentral-data/ucentralgw.properties` and change the value for [ucentral.fileuploader.host.0.name](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw#ucentralfileuploaderhost0name) according to your hostname. You can also set a different [password](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw#default-username-and-password) for uCentralGW (again highly recommended!) or change some other configuration values.
+2. This repository contains a gateway certificate signed by TIP and a self-signed certificate for the REST API and other components which are used by default in the Compose deployment. The certificates are valid for the `*.wlan.local` domain and the Docker Compose uCentral microservice configs use `ucentral.wlan.local` as a hostname, so make sure you add an entry in your hosts file (or in your local DNS solution) which points to `127.0.0.1`.
+3. If you have your own certificates and want to use the deployment for anything other than local development copy your certs into the `certs/` directory and reference them in the appropriate sections of the microservice configuration files. Make sure to also adapt the sections which reference the hostname. For more information on certificates please see the [certificates section](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw#certificates) of this README and/or [CERTIFICATES.md](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/CERTIFICATES.md).  
+4. Docker Compose pulls the microservice images from the JFrog repository. If you want to change the image tag or some of the image versions which are used for the other services, have a look into the `.env` file. You'll also find service specific `.env` files in this directory. Edit them if you want to change database passwords (highly recommended!) or other configuration data. Don't forget to adapt your changes in the application configuration files.
+5. Open `docker-compose/ucentralgw-data/ucentral.properties` to change [authentication data](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw#default-username-and-password) for uCentralGW (again highly recommended!).
 6. Spin up the deployment with `docker-compose up -d`.
+7. Navigate to the UI which listens to `127.0.0.1` and login with your uCentralGW authentication data.
+8. To use the [curl test script](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/main/TEST_CURL.md) to talk to the API set the following environment variables: 
+```
+export UCENTRALSEC="ucentral.wlan.local:16001"
+export FLAGS="-s --cacert docker-compose/ucentral-data/certs/restapi-ca.pem" 
+```
+The `--cacert` option is necessary since the REST API certificates are self-signed. Omit the option if you provide your own signed certificates.
 
-PS: The Docker Compose deployment creates five local volumes to persist mostly database data and data for Zookeeper and Kafka. If you want re-create the deployment once you already created one just delete the volumes with `docker volume rm $(docker volume ls -qf name=ucentral)` after you stopped the services.
+PS: The Docker Compose deployment creates five local volumes to persist mostly database data and data for Zookeeper and Kafka. If you want re-create the deployment and remove all persistent application and database data just delete the volumes with `docker volume rm $(docker volume ls -qf name=ucentral)` after you stopped the services with `docker-compose down`.
 
 ## uCentral communication protocol
 The communication protocol between the device and the controller is detailed in this [document](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/main/PROTOCOL.md).

docker-compose/.env

@@ -2,6 +2,8 @@ COMPOSE_PROJECT_NAME=ucentral
 POSTGRES_TAG=latest
 MYSQL_TAG=latest
 UCENTRALGW_TAG=master
+UCENTRALGWUI_TAG=main
+UCENTRALSEC_TAG=main
 RTTYS_TAG=3.6.0
 KAFKA_TAG=latest
 ZOOKEEPER_TAG=latest

docker-compose/.env_postgresql

@@ -1,2 +1,5 @@
-POSTGRES_PASSWORD=ucentral
-POSTGRES_USER=ucentral
+POSTGRES_PASSWORD=ucentralgw
+POSTGRES_USER=ucentralgw
+UCENTRALSEC_DB=ucentralsec
+UCENTRALSEC_DB_USER=ucentralsec
+UCENTRALSEC_DB_PASSWORD=ucentralsec

docker-compose/.env_ucentralgw

@@ -1,2 +1,2 @@
-UCENTRAL_ROOT=/ucentral-data
-UCENTRAL_CONFIG=/ucentral-data
+UCENTRALGW_ROOT=/ucentralgw-data
+UCENTRALGW_CONFIG=/ucentralgw-data

docker-compose/.env_ucentralgw-ui

@@ -0,0 +1,2 @@
+DEFAULT_UCENTRALSEC_URL=https://ucentral.wlan.local:16001
+ALLOW_UCENTRALSEC_CHANGE=false

docker-compose/.env_ucentralsec

@@ -0,0 +1,2 @@
+UCENTRALSEC_ROOT=/ucentralsec-data
+UCENTRALSEC_CONFIG=/ucentralsec-data

docker-compose/add-ca-cert.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+SERVICES="ucentralgw.wlan.local ucentralsec.wlan.local"
+
+for i in $SERVICES; do
+    docker-compose exec $i apk add ca-certificates
+    docker cp certs/restapi-ca.pem ucentral_$i\_1:/usr/local/share/ca-certificates/
+    docker-compose exec $i update-ca-certificates
+done

docker-compose/certs/restapi-ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcgCCQC7oc+4dT4WlTANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJD
+QTEMMAoGA1UECgwDVElQMRUwEwYDVQQDDAwqLndsYW4ubG9jYWwwHhcNMjEwNzA3
+MDkyOTAxWhcNMzEwNzA1MDkyOTAxWjAyMQswCQYDVQQGEwJDQTEMMAoGA1UECgwD
+VElQMRUwEwYDVQQDDAwqLndsYW4ubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQD67KEKKHj1xyj0Sc+/WSFeXluhp+76V/8njnGcTus8IsaHWeAj
+O1T1/PnqNMNP3CSgCpAZRn7Eom33HH89pC7iIE5t3aGrFzxZ6AxFgECUCkby1j9D
+j7PawapJ7XNqT4P4ZGEGOWlLGE9oUpF2pr3B3jBwmV9t9d/Zp8na23K7rnsr5kNn
+RXp6iPNPpynppNQFBwzsovyhu9tzk/zz3gohSY9f6oyNNaKcZwN/yrG4B8FnRfa7
+WFNvkPi5zAjJ3oEXMp+Im2/SvSqzptYwZhplb14ILZ5ClkSwAslG8FiOAzXr887r
+hgEPzqP6SNIOwy/B/AMOFQl6wPvXBwz9eNW1AgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBAA8Oa8jannqNRdqOuY460Pum1B61kGmf2OK2ZiMaddlxqL3ZBdXPqF02hwSd
+q6uxCVP5NgvqSm+pTHaDcODJiCBrMmGQqHT82LuoCyk1BMqH/PYm+kfazPhKF31x
+Me7E47DQzk4tMyV28HBCHH6UicQ05ryT1yBfmj8JmYNx9ezmJcanu0/eyI2Lv8Ar
+Y7mrgblfOUnsif2w/aUaOsoY1t6/ThgTBc3BTMtUXXAcMiPLu4mSdN6nCm75Qp5q
+4zl/SNPjLnmtpHhLDtr4swf6vZw0RG7ECCf6Av8lv8mJG6g53YM8jfe0EzLqbAFf
+iSuQbt5n6lMWVgv+FKwXjwAda+Q=
+-----END CERTIFICATE-----

docker-compose/certs/restapi-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcgCCQC7oc+4dT4WlTANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJD
+QTEMMAoGA1UECgwDVElQMRUwEwYDVQQDDAwqLndsYW4ubG9jYWwwHhcNMjEwNzA3
+MDkyOTAxWhcNMzEwNzA1MDkyOTAxWjAyMQswCQYDVQQGEwJDQTEMMAoGA1UECgwD
+VElQMRUwEwYDVQQDDAwqLndsYW4ubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQD67KEKKHj1xyj0Sc+/WSFeXluhp+76V/8njnGcTus8IsaHWeAj
+O1T1/PnqNMNP3CSgCpAZRn7Eom33HH89pC7iIE5t3aGrFzxZ6AxFgECUCkby1j9D
+j7PawapJ7XNqT4P4ZGEGOWlLGE9oUpF2pr3B3jBwmV9t9d/Zp8na23K7rnsr5kNn
+RXp6iPNPpynppNQFBwzsovyhu9tzk/zz3gohSY9f6oyNNaKcZwN/yrG4B8FnRfa7
+WFNvkPi5zAjJ3oEXMp+Im2/SvSqzptYwZhplb14ILZ5ClkSwAslG8FiOAzXr887r
+hgEPzqP6SNIOwy/B/AMOFQl6wPvXBwz9eNW1AgMBAAEwDQYJKoZIhvcNAQELBQAD
+ggEBAA8Oa8jannqNRdqOuY460Pum1B61kGmf2OK2ZiMaddlxqL3ZBdXPqF02hwSd
+q6uxCVP5NgvqSm+pTHaDcODJiCBrMmGQqHT82LuoCyk1BMqH/PYm+kfazPhKF31x
+Me7E47DQzk4tMyV28HBCHH6UicQ05ryT1yBfmj8JmYNx9ezmJcanu0/eyI2Lv8Ar
+Y7mrgblfOUnsif2w/aUaOsoY1t6/ThgTBc3BTMtUXXAcMiPLu4mSdN6nCm75Qp5q
+4zl/SNPjLnmtpHhLDtr4swf6vZw0RG7ECCf6Av8lv8mJG6g53YM8jfe0EzLqbAFf
+iSuQbt5n6lMWVgv+FKwXjwAda+Q=
+-----END CERTIFICATE-----

docker-compose/certs/restapi-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD67KEKKHj1xyj0
+Sc+/WSFeXluhp+76V/8njnGcTus8IsaHWeAjO1T1/PnqNMNP3CSgCpAZRn7Eom33
+HH89pC7iIE5t3aGrFzxZ6AxFgECUCkby1j9Dj7PawapJ7XNqT4P4ZGEGOWlLGE9o
+UpF2pr3B3jBwmV9t9d/Zp8na23K7rnsr5kNnRXp6iPNPpynppNQFBwzsovyhu9tz
+k/zz3gohSY9f6oyNNaKcZwN/yrG4B8FnRfa7WFNvkPi5zAjJ3oEXMp+Im2/SvSqz
+ptYwZhplb14ILZ5ClkSwAslG8FiOAzXr887rhgEPzqP6SNIOwy/B/AMOFQl6wPvX
+Bwz9eNW1AgMBAAECggEAZdJT3u1heEqjAc5Z8QnYEpUzlbuxrAC9V23kCEu2BScP
+bKk53NIcvd00BKf4gZWRfygKJVeH5X8MJHR55aeUJsp5SPfgvK6nHMye/iz3B5vM
+AoqSDXZow2JHGcyzQvaVVNxWytHNOl3ZCzpGMOGkquDgwzBZmyNk/Muri5X1TtbH
+DgeYdht2YiHqHdGWsLNU1vZAgzlwD8fXg65XOmNehjWnowhpNRCgpcDeJCtEuNzt
+6iXFWffjO6YTbVnoM5xhLROjLv6gYP4wxsQSZc/NGz9Jow7VxlYZg9wCE75bduFn
+7D5O4OgVgPgYbyCutpB/o4PMNURb4V/5p2OAEgLX2QKBgQD+kHYRAaawRbaY4jGf
+isj0oh2C/Z99Mqf/nnpPwmUwrhpmnQ+pRdWBw940tPrEpVoOcCPWQ5hO1zUET18d
+xQqs3zd6lEhJogmMqkjOT670YBEX/wyALd3M5F3HT/K2aixL1XaCCpAl97JB9RyB
+zGIr5c+mIOVK/uYrlFO28thXzwKBgQD8VumZIYZpWeE7pTyCg0PcDYlNATA/VKoD
+9YrGqEEHGgFNJEWj8Xj8aqBzaPoUk+eGp7NfSoOchVM+Bf3ktWy5doZCmNuxlOyq
+Ix5yrB2jyYceaSf2nxHqlD2VhKB/YJx0yTU1UkB5dG4nYnqiUg7c5JeQOVzwFKm1
+t6/Hk/cXOwKBgGT+yWjL3+cVcXFMZGWouTudSdobZ3hTbaWTqXEVbfIXUPAfJgSB
+aUi3feQpXUhBVe5efUlXvgihhy4zk0gLUcXuNWOTiu5ztBgzwvjfUkkwB/geP0Zn
+bBULEU2vIVtP2k0n3oGPUUtO71ENvwacIOLLpUuCx5WudYEasu/lfwGvAoGBAOiE
+manuF3HaTU3tu20z0YLiwkK/tpqUxDjzuBXIEmudzdcsdjNUHbzR79mIwO/XPf95
+ZjKHcfD3dbXwRXzKpE3dZmfVfJMM/GrmA3d9G67B04z1Lsr01siGIp004cOd3W1L
+vojMqvZ/j8Ug3InX/TQUO4i9IuNi1uLISOQpdwTjAoGAG33swIFnH/mz7ubu8wfE
+9nwe8NNf56kbFBG2FMuHvo8GYj0sqylwtZnh4TCwlTzqUO8e6oFdK8Ot6z7H9Fa3
+vnDD2WRwEFydRP5fbW5eFmGbzLfHlzUY+Do81qrUMF47LEN94X7yaXdb/vNW57lp
+K9hGF1Bdk8089Knm3l1Fc4w=
+-----END PRIVATE KEY-----

docker-compose/certs/websocket-cert.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCA2igAwIBAgIUaKVB2xg9gr/sS6FvzMex0xSbEzswDQYJKoZIhvcNAQEL
+BQAwbDELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+dCwgSW5jLjEMMAoGA1UECxMDVElQMSkwJwYDVQQDEyBUZWxlY29tIEluZnJhIFBy
+b2plY3QgSXNzdWluZyBDQTAeFw0yMTA3MDgxMDQ5MTVaFw0yNTA3MDgxMDQ5MTVa
+MDIxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNUSVAxFTATBgNVBAMMDCoud2xhbi5s
+b2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2rlMfV7/Si2Svx
+J1YOEz6KJLvey995/0MkQvAG0RM6TpFwgUNnpYFFozcWME8MGSxws+6hOzDoMmHC
+pgpP/KZ/Fyu9iUdzTxsJMyMxIW9sYbBMkQgBmvjkBlXDk5NfHh+yJBVxb7JlJ6vJ
+oT7EJMzgKpYpFnO+bddalUVsDp3qQIjSvJIxl77vwgZQUJx0qCm17VTBhyM2RTJ3
+jtr7kcWDm3jyyTVUvlM9g3DM9g0hUPMN0R5PP2HuqDdtYoY51krsm2mmVIYYnyAN
+BDawmwYnZJfcC4gFzZJ5wK5NFjSKmd1mYp0damlSh0/uHxPyd4rm2QhUCQH92yKM
++9qYU70CAwEAAaOCAVIwggFOMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFM0mIZuE
+6aly7ZKXl0KWjprcO9/uMB8GA1UdIwQYMBaAFLMbVLjgR6s98ziA5Dzl/QBhbdHo
+MA4GA1UdDwEB/wQEAwIFoDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATCBhgYIKwYB
+BQUHAQEEejB4MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5vbmUuZGlnaWNlcnQu
+Y29tMEwGCCsGAQUFBzAChkBodHRwOi8vY2FjZXJ0cy5vbmUuZGlnaWNlcnQuY29t
+L1RlbGVjb21JbmZyYVByb2plY3RJc3N1aW5nQ0EuY3J0ME0GA1UdHwRGMEQwQqBA
+oD6GPGh0dHA6Ly9jcmwub25lLmRpZ2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQcm9q
+ZWN0SXNzdWluZ0NBLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAAyb7X9qW0z0QJrl2
+oAalMCh/gSJy5oER3L7iu/pnP3GREbr6bh6+1/MAf2bgnN2CUOKQHbozB7yCkM6V
+8m5RnL4ePKVP5yIrbs48uM5Hl14QFLU4ZtFao6js0haoWWEgMo3sfbeyfOU0ScyW
+ET5zfbDub3gUbWYmlz6hyV5aJoznaFjJTNP7SRQ9CHMTMHh3wAPfVlvG2TdcwwbM
+ZKkdAHpl1NwRxyiBPJfkejGWrY3ZAs10te7u9Lsc9yZZKL8SU9J/mrO9tM5HLeUr
+nCJN4RI7RyTuDw4LdMZW1Ju5QBXoZL9mj4KXIbUkDwryhbAxdQ1OnwD4O/avMChk
+TNJzIw==
+-----END CERTIFICATE-----

docker-compose/certs/websocket-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9q5TH1e/0otkr
+8SdWDhM+iiS73svfef9DJELwBtETOk6RcIFDZ6WBRaM3FjBPDBkscLPuoTsw6DJh
+wqYKT/ymfxcrvYlHc08bCTMjMSFvbGGwTJEIAZr45AZVw5OTXx4fsiQVcW+yZSer
+yaE+xCTM4CqWKRZzvm3XWpVFbA6d6kCI0rySMZe+78IGUFCcdKgpte1UwYcjNkUy
+d47a+5HFg5t48sk1VL5TPYNwzPYNIVDzDdEeTz9h7qg3bWKGOdZK7JtpplSGGJ8g
+DQQ2sJsGJ2SX3AuIBc2SecCuTRY0ipndZmKdHWppUodP7h8T8neK5tkIVAkB/dsi
+jPvamFO9AgMBAAECggEBAJgYoaRmcJfShyhvp8WgX9pE2RQ2o3I/2Gy1BWCJdtte
+ZGbIuz+cO+IgP7QK/Q5Ge2Fht0hizp53dP9kIdYfMlEplSEkSpObahIaHIHaAh/h
+36yKmbq73tQ7tsDLpuoE2pk8Nydi4dlCuL9PXxiAHaqVEFF9/V0vldGd+BnFfyst
+retXgockCH+fqddM5Kp+H0bmjXzLke/b8T9KsdSBz7lg1Z67kmMrHLe14Q4Hgmr/
+pFBkGGWKTFn48OXfncrv+oQAGED7r9c5UEdpOB6SBDxuddfzgkw9urnpKrYC/KOs
+HLBTaGew73O81BsbaZlUiVxTdewrmFk2nG6UIPoGaxkCgYEA7IYOjIfNJOEPIWYP
+zj4eipTy6zFk4L7tX3wX4wsor93rz8ArlF8sgNoyUhbKm6H++ZfVezLs2jcjJJ8Q
+sXLwQ6L/D8aVb6AOVeC1WYJu5+wXIDX0H+1318a5+3bKVPn+hktJGEgCBvplVRnh
+yzpQ+2v1SBp9qEzoSl1sV6gm1tsCgYEAzUnZcjUhHvoXLXJ1lfagCC6QsmjqzpJv
+VdTKJlDuZ0qQGC6Ts+wKfM3MoiOsXW0pByC5lWwE43c/KU8J358j3OSSNafIFeD1
+cxtYzJlMgnw5Y2Zt9tj+QW/1BOMdOftnPSOnsk6rpdCBMW6a2tYubJjbAuge+a2O
+939XGnV0R0cCgYEA0bvmNtNNJAC2LAWWymnnJzgBWHFKZMipMNyXSethPuHo8yYS
+/tSOYAwcRxKSwwMZWDY9RavYv3/ZF+Y9JT0otLFav6B2bq9dRuWlqiOxONLvhs6R
+Faa7eIlt7gBeVpAAFRG5VWC0+38aUCZNRKsHmIsYy8FB3/Winh7NrcUb+7UCgYBi
+egCTZqUixPmFVZjOfWY7Rosm6mlo+pnp5I+sXbpfVkdVMlKsRpipUdfOF6rBjnHV
+937PDOgzbaqg2Ed2PFLpzcPNdVToGefkdcPdMdSf65Nj+WjatzEQlvJEi+YjQFQ/
+4fC5+j8g5apz2gjy3Teb5J96/3qMbxNb6nwQNzO2VQKBgHyHUJOrhvv9+vs7v8nu
+9DgV0b5eNO0g6Q4Ji7oqs24PssPQRA4gMtwmPT8Ha+wWGVzQt2U5LmjsLlrqAO6O
++Fa3c63sgmt672A8BJ3PL8LI8E2keZiH6rwADSUFp3TZoU2SHamw5NEruNRMIF1R
+0LMsuAs2KEdnwAth2ZmUF2+S
+-----END PRIVATE KEY-----

docker-compose/docker-compose.yml

@@ -20,6 +20,7 @@ services:
     restart: unless-stopped
     volumes:
       - postgresql_data:/var/lib/postgresql/data
+      - ./init-ucentralsec-db.sh:/docker-entrypoint-initdb.d/init-ucentralsec-db.sh
 
   mysql:
     image: "mysql:${MYSQL_TAG}"
@@ -30,7 +31,7 @@ services:
     volumes:
       - mysql_data:/var/lib/mysql
 
-  ucentralgw:
+  ucentralgw.wlan.local:
     image: "tip-tip-wlan-cloud-ucentral.jfrog.io/ucentralgw:${UCENTRALGW_TAG}"
     env_file:
       - .env_ucentralgw
@@ -41,13 +42,45 @@ services:
     restart: unless-stopped
     ports:
       - "127.0.0.1:15002:15002"
-      - "127.0.0.1:16001:16001"
+      - "127.0.0.1:16002:16002"
       - "127.0.0.1:16003:16003"
+      - "127.0.0.1:16102:16102"
     volumes:
-      - ./ucentral-data:/ucentral-data
-      - ../certificates/root.pem:/ucentral-data/certs/root.pem
-      - ../certificates/issuer.pem:/ucentral-data/certs/issuer.pem
-      - ../certificates/clientcas.pem:/ucentral-data/certs/clientcas.pem
+      - ./ucentralgw-data:/ucentralgw-data
+      - ./certs:/ucentralgw-data/certs
+      - ../certificates/root.pem:/ucentralgw-data/certs/root.pem
+      - ../certificates/issuer.pem:/ucentralgw-data/certs/issuer.pem
+      - ../certificates/clientcas.pem:/ucentralgw-data/certs/clientcas.pem
+
+  ucentralgw-ui:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/ucentralgw-ui:${UCENTRALGWUI_TAG}"
+    env_file:
+      - .env_ucentralgw-ui
+    depends_on:
+      - ucentralgw.wlan.local
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:80:80"
+
+  ucentralsec.wlan.local:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/ucentralsec:${UCENTRALSEC_TAG}"
+    env_file:
+      - .env_ucentralsec
+    depends_on: 
+      - postgresql
+      - kafka
+      - rttys
+      - ucentralgw.wlan.local
+    restart: unless-stopped
+    ports:
+      - "127.0.0.1:16001:16001"
+      - "127.0.0.1:16101:16101"
+    volumes:
+      - ./ucentralsec-data:/ucentralsec-data
+      - ./certs:/ucentralsec-data/certs
+      - ../certificates/root.pem:/ucentralsec-data/certs/root.pem
+      - ../certificates/issuer.pem:/ucentralsec-data/certs/issuer.pem
+      - ../certificates/clientcas.pem:/ucentralsec-data/certs/clientcas.pem
 
   rttys:
     image: "tip-tip-wlan-cloud-ucentral.jfrog.io/rttys:${RTTYS_TAG}"
@@ -55,8 +88,8 @@ services:
       - mysql
     restart: unless-stopped
     volumes:
-      - ./ucentral-data/certs/restapi-cert.pem:/etc/rttys/restapi-cert.pem
-      - ./ucentral-data/certs/restapi-key.pem:/etc/rttys/restapi-key.pem
+      - ./certs/restapi-cert.pem:/etc/rttys/restapi-cert.pem
+      - ./certs/restapi-key.pem:/etc/rttys/restapi-key.pem
       - ./rttys/rttys.conf:/rttys/rttys.conf
 
   zookeeper:

docker-compose/init-ucentralsec-db.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+    CREATE USER $UCENTRALSEC_DB_USER WITH ENCRYPTED PASSWORD '$UCENTRALSEC_DB_PASSWORD';
+    CREATE DATABASE $UCENTRALSEC_DB;
+    GRANT ALL PRIVILEGES ON DATABASE $UCENTRALSEC_DB TO $UCENTRALSEC_DB_USER;
+EOSQL

docker-compose/ucentralgw-data/ucentralgw.properties

@@ -4,12 +4,12 @@
 # address of one of your interfaces
 #
 ucentral.websocket.host.0.backlog = 500
-ucentral.websocket.host.0.rootca = $UCENTRAL_ROOT/certs/root.pem
-ucentral.websocket.host.0.issuer = $UCENTRAL_ROOT/certs/issuer.pem
-ucentral.websocket.host.0.cert = $UCENTRAL_ROOT/certs/websocket-cert.pem
-ucentral.websocket.host.0.key = $UCENTRAL_ROOT/certs/websocket-key.pem
-ucentral.websocket.host.0.clientcas = $UCENTRAL_ROOT/certs/clientcas.pem
-ucentral.websocket.host.0.cas = $UCENTRAL_ROOT/certs/cas
+ucentral.websocket.host.0.rootca = $UCENTRALGW_ROOT/certs/root.pem
+ucentral.websocket.host.0.issuer = $UCENTRALGW_ROOT/certs/issuer.pem
+ucentral.websocket.host.0.cert = $UCENTRALGW_ROOT/certs/websocket-cert.pem
+ucentral.websocket.host.0.key = $UCENTRALGW_ROOT/certs/websocket-key.pem
+ucentral.websocket.host.0.clientcas = $UCENTRALGW_ROOT/certs/clientcas.pem
+ucentral.websocket.host.0.cas = $UCENTRALGW_ROOT/certs/cas
 ucentral.websocket.host.0.address = *
 ucentral.websocket.host.0.port = 15002
 ucentral.websocket.host.0.security = strict
@@ -21,72 +21,85 @@ ucentral.websocket.maxreactors = 20
 #
 ucentral.restapi.host.0.backlog = 100
 ucentral.restapi.host.0.security = relaxed
-ucentral.restapi.host.0.rootca = $UCENTRAL_ROOT/certs/restapi-ca.pem
+ucentral.restapi.host.0.rootca = $UCENTRALGW_ROOT/certs/restapi-ca.pem
 ucentral.restapi.host.0.address = *
-ucentral.restapi.host.0.port = 16001
-ucentral.restapi.host.0.cert = $UCENTRAL_ROOT/certs/restapi-cert.pem
-ucentral.restapi.host.0.key = $UCENTRAL_ROOT/certs/restapi-key.pem
+ucentral.restapi.host.0.port = 16002
+ucentral.restapi.host.0.cert = $UCENTRALGW_ROOT/certs/restapi-cert.pem
+ucentral.restapi.host.0.key = $UCENTRALGW_ROOT/certs/restapi-key.pem
 ucentral.restapi.host.0.key.password = mypassword
 
+ucentral.internal.restapi.host.0.backlog = 100
+ucentral.internal.restapi.host.0.security = relaxed
+ucentral.internal.restapi.host.0.rootca = $UCENTRALGW_ROOT/certs/restapi-ca.pem
+ucentral.internal.restapi.host.0.address = *
+ucentral.internal.restapi.host.0.port = 17002
+ucentral.internal.restapi.host.0.cert = $UCENTRALGW_ROOT/certs/restapi-cert.pem
+ucentral.internal.restapi.host.0.key = $UCENTRALGW_ROOT/certs/restapi-key.pem
+ucentral.internal.restapi.host.0.key.password = mypassword
+
 #
 # Used to upload files to the service.
 # You should replace the 'name' vaalue with the IP address of your gateway or an FQDN
 # that your devices can reach
 #
 ucentral.fileuploader.host.0.backlog = 100
-ucentral.fileuploader.host.0.rootca = $UCENTRAL_ROOT/certs/restapi-ca.pem
+ucentral.fileuploader.host.0.rootca = $UCENTRALGW_ROOT/certs/restapi-ca.pem
 ucentral.fileuploader.host.0.security = relaxed
 ucentral.fileuploader.host.0.address = *
-ucentral.fileuploader.host.0.name = ucentral.dpaas.arilia.com
+ucentral.fileuploader.host.0.name = ucentral.wlan.local
 ucentral.fileuploader.host.0.port = 16003
-ucentral.fileuploader.host.0.cert = $UCENTRAL_ROOT/certs/restapi-cert.pem
-ucentral.fileuploader.host.0.key = $UCENTRAL_ROOT/certs/restapi-key.pem
+ucentral.fileuploader.host.0.cert = $UCENTRALGW_ROOT/certs/restapi-cert.pem
+ucentral.fileuploader.host.0.key = $UCENTRALGW_ROOT/certs/restapi-key.pem
 ucentral.fileuploader.host.0.key.password = mypassword
-ucentral.fileuploader.path = $UCENTRAL_ROOT/uploads
+ucentral.fileuploader.path = $UCENTRALGW_ROOT/uploads
 ucentral.fileuploader.maxsize = 10000
 
 #
-# This section descrive how to do autoprovisioning
-# When enabled, it will allow devices that are not in the system
-# to be managed and serviced
+# Generic section that all microservices must have
+#
+ucentral.service.key = $UCENTRALGW_ROOT/certs/restapi-key.pem
+ucentral.system.data = $UCENTRALGW_ROOT/data
+ucentral.system.debug = true
+ucentral.system.uri.private = https://ucentralgw.wlan.local:17002
+ucentral.system.uri.public = https://ucentral.wlan.local:16002
+ucentral.system.commandchannel = /tmp/app.ucentralgw
+
+#
+# Gateway Microservice Specific Section
 #
 ucentral.autoprovisioning = true
-ucentral.service.key = $UCENTRAL_ROOT/certs/websocket-key.pem
 ucentral.devicetypes.0 = AP:linksys_ea8300,edgecore_eap101,linksys_e8450-ubi
 ucentral.devicetypes.1 = SWITCH:edgecore_ecs4100-12ph
 ucentral.devicetypes.2 = IOT:esp32
-
-#
-# Callback hosts
-#
-ucentral.callback.enable = false
-ucentral.callback.id = qblat6dfDHxQAZ6yMe6MrypBpgRDhQrhUtTOovOXAKAWU8qOvjjKKiUai4t9hGjA
-ucentral.callback.0.local = local.dpaas.arilia.com:16001
-ucentral.callback.0.remote = local.dpaas.arilia.com:15055
-ucentral.callback.0.localkey = t2dEOc88OIxVDb94mw7SLcLocgnCzZzzFoQ4JJv3OCU9UO6Ou5ds5Dh4CfBnHgrk
-ucentral.callback.0.remotekey = t2dEOc88OIxVDb94mw7SLcLocgnCzZzzFoQ4JJv3OCU9UO6Ou5ds5Dh4CfBnHgrk
-ucentral.callback.0.topics = ucentralfws
+oui.download.uri = https://linuxnet.ca/ieee/oui.txt
+firmware.autoupdate.policy.default = auto
 
 #
 # rtty
 #
 rtty.enabled = true
-rtty.server = rtty
+rtty.server = rttys
 rtty.port = 5912
 rtty.token = 96181c567b4d0d98c50f127230068fa8
 rtty.timeout = 60
 rtty.viewport = 5913
 
+#############################
+# Generic information for all micro services
+#############################
 #
 # NLB Support
 #
-alb.enable = false
-alb.port = 15015
+alb.enable = true
+alb.port = 16102
 
 #
 # Kafka
 #
+ucentral.kafka.group.id = gateway
+ucentral.kafka.client.id = gateway1
 ucentral.kafka.enable = true
+# ucentral.kafka.brokerlist = a1.arilia.com:9092
 ucentral.kafka.brokerlist = kafka:9092
 ucentral.kafka.auto.commit = false
 ucentral.kafka.queue.buffering.max.ms = 50
@@ -108,9 +121,9 @@ storage.type.sqlite.maxsessions = 128
 storage.type.postgresql.maxsessions = 64
 storage.type.postgresql.idletime = 60
 storage.type.postgresql.host = postgresql
-storage.type.postgresql.username = ucentral
-storage.type.postgresql.password = ucentral
-storage.type.postgresql.database = ucentral
+storage.type.postgresql.username = ucentralgw
+storage.type.postgresql.password = ucentralgw
+storage.type.postgresql.database = ucentralgw
 storage.type.postgresql.port = 5432
 storage.type.postgresql.connectiontimeout = 60
 
@@ -123,32 +136,13 @@ storage.type.mysql.database = ucentral
 storage.type.mysql.port = 3306
 storage.type.mysql.connectiontimeout = 60
 
-#
-# Authentication
-#
-authentication.enabled = true
-authentication.default.username = tip@ucentral.com
-authentication.default.password = 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
-authentication.default.access = master
-authentication.service.type = internal
-
-firmware.autoupdate.policy.default = auto
-
-ucentral.system.data = $UCENTRAL_ROOT/data
-ucentral.system.debug = true
-ucentral.system.uri = https://localhost:16001
-ucentral.system.id = 1
-ucentral.system.commandchannel = /tmp/app.ucentralgw
 
 ########################################################################
 ########################################################################
 #
-# Thw following sections apply to the uCentral service
-#
 # Logging: please leave as is for now.
 #
 ########################################################################
-########################################################################
 
 logging.formatters.f1.class = PatternFormatter
 logging.formatters.f1.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
@@ -158,7 +152,7 @@ logging.channels.c1.formatter = f1
 
 # This is where the logs will be written. This path MUST exist
 logging.channels.c2.class = FileChannel
-logging.channels.c2.path = $UCENTRAL_ROOT/logs/log
+logging.channels.c2.path = $UCENTRALGW_ROOT/logs/log
 logging.channels.c2.formatter.class = PatternFormatter
 logging.channels.c2.formatter.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
 logging.channels.c2.rotation = 20 M
@@ -181,3 +175,6 @@ logging.loggers.root.level = debug
 # logging.channels.splitter.channels = l1,l2
 # logging.loggers.l2.name = logger2
 # logging.loggers.l2.channel = splitter
+
+
+

docker-compose/ucentralsec-data/ucentralsec.properties

@@ -0,0 +1,145 @@
+#
+# uCentral protocol server for devices. This is where you point
+# all your devices. You can replace the * for address by the specific
+# address of one of your interfaces
+#
+
+#
+# REST API access
+#
+ucentral.restapi.host.0.backlog = 100
+ucentral.restapi.host.0.security = relaxed
+ucentral.restapi.host.0.rootca = $UCENTRALSEC_ROOT/certs/restapi-ca.pem
+ucentral.restapi.host.0.address = *
+ucentral.restapi.host.0.port = 16001
+ucentral.restapi.host.0.cert = $UCENTRALSEC_ROOT/certs/restapi-cert.pem
+ucentral.restapi.host.0.key = $UCENTRALSEC_ROOT/certs/restapi-key.pem
+ucentral.restapi.host.0.key.password = mypassword
+
+ucentral.internal.restapi.host.0.backlog = 100
+ucentral.internal.restapi.host.0.security = relaxed
+ucentral.internal.restapi.host.0.rootca = $UCENTRALSEC_ROOT/certs/restapi-ca.pem
+ucentral.internal.restapi.host.0.address = *
+ucentral.internal.restapi.host.0.port = 17001
+ucentral.internal.restapi.host.0.cert = $UCENTRALSEC_ROOT/certs/restapi-cert.pem
+ucentral.internal.restapi.host.0.key = $UCENTRALSEC_ROOT/certs/restapi-key.pem
+ucentral.internal.restapi.host.0.key.password = mypassword
+
+#
+# Generic section that all microservices must have
+#
+authentication.enabled = true
+authentication.default.username = tip@ucentral.com
+authentication.default.password = 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
+authentication.default.access = master
+authentication.service.type = internal
+ucentral.system.data = $UCENTRALSEC_ROOT/data
+ucentral.system.debug = true
+ucentral.system.uri.private = https://ucentralsec.wlan.local:17001
+ucentral.system.uri.public = https://ucentral.wlan.local:16001
+ucentral.system.commandchannel = /tmp/app.ucentralsec
+ucentral.service.key = $UCENTRALSEC_ROOT/certs/restapi-key.pem
+
+#
+# Security Microservice Specific Section
+#
+mailer.hostname = smtp.gmail.com
+mailer.username = no-reply@arilia.com
+mailer.password = **************************
+mailer.loginmethod = login
+mailer.port = 587
+
+
+#############################
+# Generic information for all micro services
+#############################
+#
+# NLB Support
+#
+alb.enable = true
+alb.port = 16101
+
+#
+# Kafka
+#
+ucentral.kafka.group.id = security
+ucentral.kafka.client.id = security1
+ucentral.kafka.enable = true
+# ucentral.kafka.brokerlist = a1.arilia.com:9092
+ucentral.kafka.brokerlist = kafka:9092
+ucentral.kafka.auto.commit = false
+ucentral.kafka.queue.buffering.max.ms = 50
+
+#
+# This section select which form of persistence you need
+# Only one selected at a time. If you select multiple, this service will die if a horrible
+# death and might make your beer flat.
+#
+#storage.type = sqlite
+storage.type = postgresql
+#storage.type = mysql
+#storage.type = odbc
+
+storage.type.sqlite.db = security.db
+storage.type.sqlite.idletime = 120
+storage.type.sqlite.maxsessions = 128
+
+storage.type.postgresql.maxsessions = 64
+storage.type.postgresql.idletime = 60
+storage.type.postgresql.host = postgresql
+storage.type.postgresql.username = ucentralsec
+storage.type.postgresql.password = ucentralsec
+storage.type.postgresql.database = ucentralsec
+storage.type.postgresql.port = 5432
+storage.type.postgresql.connectiontimeout = 60
+
+storage.type.mysql.maxsessions = 64
+storage.type.mysql.idletime = 60
+storage.type.mysql.host = localhost
+storage.type.mysql.username = stephb
+storage.type.mysql.password = snoopy99
+storage.type.mysql.database = ucentral
+storage.type.mysql.port = 3306
+storage.type.mysql.connectiontimeout = 60
+
+
+########################################################################
+########################################################################
+#
+# Logging: please leave as is for now.
+#
+########################################################################
+logging.formatters.f1.class = PatternFormatter
+logging.formatters.f1.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
+logging.formatters.f1.times = UTC
+logging.channels.c1.class = ConsoleChannel
+logging.channels.c1.formatter = f1
+
+# This is where the logs will be written. This path MUST exist
+logging.channels.c2.class = FileChannel
+logging.channels.c2.path = $UCENTRALSEC_ROOT/logs/log
+logging.channels.c2.formatter.class = PatternFormatter
+logging.channels.c2.formatter.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
+logging.channels.c2.rotation = 20 M
+logging.channels.c2.archive = timestamp
+logging.channels.c2.purgeCount = 20
+logging.channels.c3.class = ConsoleChannel
+logging.channels.c3.pattern = %s: [%p] %t
+
+# External Channel
+logging.loggers.root.channel = c1
+logging.loggers.root.level = debug
+
+# Inline Channel with PatternFormatter
+# logging.loggers.l1.name = logger1
+# logging.loggers.l1.channel.class = ConsoleChannel
+# logging.loggers.l1.channel.pattern = %s: [%p] %t
+# logging.loggers.l1.level = information
+# SplitterChannel
+# logging.channels.splitter.class = SplitterChannel
+# logging.channels.splitter.channels = l1,l2
+# logging.loggers.l2.name = logger2
+# logging.loggers.l2.channel = splitter
+
+
+