
The configuration anchor about x-road HOT 25 CLOSED

asow25 commented on June 2, 2024
The configuration anchor

Comments (25)

asow25 commented on June 2, 2024

Hello @petkivim, I hope you are well, thank you very much! I finished the configuration, and at the end there is a test: we create a subsystem on the SS and then approve it on the CS, and it has a registered status.

asow25 commented on June 2, 2024

Thank you for your attention, @petkivim

petkivim commented on June 2, 2024

Hi @asow25! It's nice to hear that you have found the available resources useful. 😄

Are you deploying a single Security Server or an entire X-Road environment? In the latter case (entire X-Road environment), please follow this configuration guide. Instead, in the first case (single Security Server), please complete only the steps 3.1-3.6 of the configuration guide.

asow25 commented on June 2, 2024

Thanks a lot @petkivim,
How to access Central Server's admin interface? Port 4000 is not listening on the central server.

petkivim commented on June 2, 2024

Did you try with https://<CENTRAL_SERVER_ADDRESS>:4000? The Central Server admin interface only supports https; http is not supported. If that's not the cause of the issue, please see the Central Server post-installation checks.

asow25 commented on June 2, 2024

root@xroad-cs:~# sudo systemctl list-units "xroad*"
  UNIT                 LOAD   ACTIVE SUB     DESCRIPTION          
  xroad-base.service   loaded active exited  X-Road initialization
  xroad-signer.service loaded active running X-Road signer

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
2 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
root@xroad-cs:~# 
root@xroad-cs:~# 
root@xroad-cs:~# dpkg -l | grep xroad
ii  xroad-base                        7.4.2-1.ubuntu22.04                     amd64        X-Road base components
rc  xroad-center                      7.4.2-1.ubuntu22.04                     all          X-Road central server
rc  xroad-center-management-service   7.4.2-1.ubuntu22.04                     all          X-Road Central Server Management Service
rc  xroad-center-registration-service 7.4.2-1.ubuntu22.04                     all          X-Road Central Server Registration Service
rc  xroad-centralserver-monitoring    7.4.2-1.ubuntu22.04                     all          Monitoring client configuration for X-Road central
ii  xroad-confclient                  7.4.2-1.ubuntu22.04                     amd64        X-Road configuration client components
ii  xroad-confproxy                   7.4.2-1.ubuntu22.04                     all          X-Road configuration proxy
ii  xroad-database-local              7.4.2-1.ubuntu22.04                     all          Meta-package for X-Road local database dependencies
ii  xroad-nginx                       7.4.2-1.ubuntu22.04                     amd64        X-Road nginx component
ii  xroad-signer                      7.4.2-1.ubuntu22.04                     amd64        X-Road signer component
root@xroad-cs:~# 
root@xroad-cs:~# 
root@xroad-cs:~# telnet localhost 4000
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

petkivim commented on June 2, 2024

It seems that some packages are missing and there's at least one extra package too. Here's how the package list should look:

root@test-cs:~# dpkg -l | grep xroad
ii  xroad-base                         7.4.2-1.ubuntu22.04 amd64        X-Road base components
ii  xroad-center                       7.4.2-1.ubuntu22.04 all          X-Road central server
ii  xroad-center-management-service    7.4.2-1.ubuntu22.04 all          X-Road Central Server Management Service
ii  xroad-center-registration-service  7.4.2-1.ubuntu22.04 all          X-Road Central Server Registration Service
ii  xroad-centralserver                7.4.2-1.ubuntu22.04 all          X-Road central server
ii  xroad-centralserver-monitoring     7.4.2-1.ubuntu22.04 all          Monitoring client configuration for X-Road central
ii  xroad-confclient                   7.4.2-1.ubuntu22.04 amd64        X-Road configuration client components
ii  xroad-database-local               7.4.2-1.ubuntu22.04 all          Meta-package for X-Road remote database dependencies
ii  xroad-nginx                        7.4.2-1.ubuntu22.04 amd64        X-Road nginx component
ii  xroad-signer                       7.4.2-1.ubuntu22.04 amd64        X-Road signer component

Could you share the Ansible hosts file that you used in the installation? It seems that you have tried to install the Configuration Proxy component on the same host with the Central Server. However, they must be run on separate hosts. Also, the Configuration Proxy is an optional component, so you can skip it.

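One way to run this comparison automatically, as an added example that is not part of the thread or of the X-Road project: a POSIX shell script that takes the maintainer's expected Central Server package list above and diffs it against dpkg -l output, treating "rc" entries (removed, configuration left behind) as not installed. The two embedded listings are copied from the two dpkg outputs in this thread; the --live flag is this example's own convention, not an X-Road tool.

```shell
#!/bin/sh
# Added example (not X-Road project code): compare the xroad-* packages dpkg
# reports as installed with the Central Server package set listed above, so a
# half-installed host is caught before trying to reach port 4000.
set -eu

# Expected package set for a Central Server, from the maintainer's listing above.
EXPECTED_CS_PACKAGES="xroad-base xroad-center xroad-center-management-service \
xroad-center-registration-service xroad-centralserver xroad-centralserver-monitoring \
xroad-confclient xroad-database-local xroad-nginx xroad-signer"

# Names of xroad packages that dpkg marks "ii" (installed). Takes dpkg -l text as $1.
# "rc" entries are not installed and therefore show up as MISSING below, which is
# exactly the state of the host in this thread.
installed_xroad_packages() {
  printf '%s\n' "$1" | awk '$1 == "ii" && $2 ~ /^xroad-/ { print $2 }'
}

# Prints MISSING/EXTRA lines; returns 0 only when the host matches the expected set.
check_cs_packages() {
  installed=$(installed_xroad_packages "$1")
  expected=$(printf '%s ' $EXPECTED_CS_PACKAGES)   # one line, trailing space
  status=0
  for pkg in $EXPECTED_CS_PACKAGES; do
    printf '%s\n' "$installed" | grep -qx "$pkg" || { echo "MISSING: $pkg"; status=1; }
  done
  for pkg in $installed; do
    case " $expected" in
      *" $pkg "*) ;;
      *) echo "EXTRA: $pkg (not expected on a Central Server host)"; status=1 ;;
    esac
  done
  [ "$status" -eq 0 ] && echo "OK: package set matches a Central Server installation"
  return "$status"
}

# Sample input 1: the listing asow25 posted (copied from the thread).
BROKEN_CS_DPKG=$(cat <<'EOF'
ii  xroad-base                        7.4.2-1.ubuntu22.04  amd64  X-Road base components
rc  xroad-center                      7.4.2-1.ubuntu22.04  all    X-Road central server
rc  xroad-center-management-service   7.4.2-1.ubuntu22.04  all    X-Road Central Server Management Service
rc  xroad-center-registration-service 7.4.2-1.ubuntu22.04  all    X-Road Central Server Registration Service
rc  xroad-centralserver-monitoring    7.4.2-1.ubuntu22.04  all    Monitoring client configuration for X-Road central
ii  xroad-confclient                  7.4.2-1.ubuntu22.04  amd64  X-Road configuration client components
ii  xroad-confproxy                   7.4.2-1.ubuntu22.04  all    X-Road configuration proxy
ii  xroad-database-local              7.4.2-1.ubuntu22.04  all    Meta-package for X-Road local database dependencies
ii  xroad-nginx                       7.4.2-1.ubuntu22.04  amd64  X-Road nginx component
ii  xroad-signer                      7.4.2-1.ubuntu22.04  amd64  X-Road signer component
EOF
)

# Sample input 2: the listing petkivim posted as the correct state (copied from the thread).
GOOD_CS_DPKG=$(cat <<'EOF'
ii  xroad-base                         7.4.2-1.ubuntu22.04 amd64  X-Road base components
ii  xroad-center                       7.4.2-1.ubuntu22.04 all    X-Road central server
ii  xroad-center-management-service    7.4.2-1.ubuntu22.04 all    X-Road Central Server Management Service
ii  xroad-center-registration-service  7.4.2-1.ubuntu22.04 all    X-Road Central Server Registration Service
ii  xroad-centralserver                7.4.2-1.ubuntu22.04 all    X-Road central server
ii  xroad-centralserver-monitoring     7.4.2-1.ubuntu22.04 all    Monitoring client configuration for X-Road central
ii  xroad-confclient                   7.4.2-1.ubuntu22.04 amd64  X-Road configuration client components
ii  xroad-database-local               7.4.2-1.ubuntu22.04 all    Meta-package for X-Road remote database dependencies
ii  xroad-nginx                        7.4.2-1.ubuntu22.04 amd64  X-Road nginx component
ii  xroad-signer                       7.4.2-1.ubuntu22.04 amd64  X-Road signer component
EOF
)

# "--live" (this example's own flag) checks the current host; otherwise the two samples.
if [ "${1:-}" = "--live" ]; then
  check_cs_packages "$(dpkg -l)"
else
  echo "== host from the thread =="; check_cs_packages "$BROKEN_CS_DPKG" || true
  echo "== expected listing ==";    check_cs_packages "$GOOD_CS_DPKG"
fi
```

Run it on the Central Server host with `sh check-cs-packages.sh --live`; on the thread's host it reports five MISSING packages (the "rc" entries plus xroad-centralserver) and xroad-confproxy as EXTRA, which matches the maintainer's diagnosis that the Configuration Proxy was installed on the wrong host.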

asow25 commented on June 2, 2024

I've got 2 machines

[xroad:children]
cs_servers
ss_servers
cp_servers
ca_servers

#central servers
[cs_servers]
cs1.dev.net ansible_host=x.x.x.x

#security servers
[ss_servers]
ss1.dev.net ansible_host=x.x.x.x

#configuration proxies
[cp_servers:children]
cs_servers

#certification authority, time stamping authority and ocsp service server
[ca_servers:children]
ss_servers

[ss_servers:vars]
variant=vanilla

asow25 commented on June 2, 2024

I resumed, this time without the proxy.
I logged in to the dashboard and there are URLs https://<central_server_ip>/internalconf
When I open the link, there's nothing going on.

petkivim commented on June 2, 2024

So you're able to access the dashboard now. That's good news! The next step is to follow this configuration guide. The internal conf configuration data will be available only after completing the initial configuration.

petkivim commented on June 2, 2024

In order to complete the configuration, you need to have a CA with OCSP and a timestamping service. The easiest way is to use the Test CA and install it on the same host with the Central Server using Ansible.

#central servers
[cs_servers]
cs1.dev.net ansible_host=x.x.x.x

#certification authority, time stamping authority and ocsp service server
[ca_servers]
cs1.dev.net ansible_host=x.x.x.x

asow25 commented on June 2, 2024

Excuse me, I have 2 questions:

  1. How will Consumer use it? I've seen X-Road architectures: Consumer <----> Provider
    How do you use it? Sorry if my question is off-topic, I'm discovering the solution and I'm very excited! For example, in my mind, I thought of the NextCloud schema, but X-Road goes beyond all limits, so I allow myself to ask you the question. Is this the operational schema of X-Road:
    +- Register your services: Providers register the services they wish to share with other entities in the X-Road environment.
    +- Define access permissions: Providers define access permissions for each service, determining who can access them and under what conditions.
    +- Make requests: Consumers send requests to providers to access the data or services they need. These requests are based on the services registered in X-Road.
    +- Respond to requests: Providers receive requests from consumers and respond by providing the requested data, provided that the defined permissions allow it.

  2. How to add SSL to the CS and SS web portal?

petkivim commented on June 2, 2024

  1. The operational schema that you described is correct. More information about the actual data exchange flow is available here.
  2. Could you elaborate on what you mean by adding SSL to the CS and SS web portal? Do you want to replace the UI/API certificate with a certificate issued by a trusted CA? More information about keys and certificates used by X-Road is available here.

Are you already familiar with the X-Road Academy? It provides several free online courses that help you to get started with X-Road.

asow25 commented on June 2, 2024

Hello, @petkivim! How are you? I took the course with the X-Road Academy, and it was incredible. Many thanks!
How do I configure TLS certificates on Central Server?

petkivim commented on June 2, 2024

Hi @asow25! That's great to hear! 😄

What TLS certificate(s) do you mean? Do you want to change 1) the admin UI/API TLS certificate (port 4000) and/or 2) the global configuration download certificate (port 443)?

Instructions to change the global configuration download certificate (2) are available here. Instead, you can change the admin UI/API TLS certificate (1) by following these instructions. Please note, that the instructions are for the Security Server and therefore, you must replace proxy-ui-api with center-admin-service, e.g., /etc/xroad/ssl/proxy-ui-api.key => /etc/xroad/ssl/center-admin-service.key.

asow25 commented on June 2, 2024

Thanks a lot!
The courses are great, I even got certifications at the end.
Is it possible to change the port 4000 to another one?

petkivim commented on June 2, 2024

In theory, changing the port is possible, but it requires changes to multiple places and the process is not documented. Therefore, I don't recommend changing it.

asow25 commented on June 2, 2024

I realise... On the Security Server, I had this error under Edit Security Server Address:

AxiosError: Request failed with status code 500

or

error_code.core.InternalError
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target executing POST https://127.0.0.1:4000/api/v1/management-requests

petkivim commented on June 2, 2024

Yes, those are consequences of changing the port. To get rid of them, you should modify the source code, build your own installation packages and do the installation using your own packages.

asow25 commented on June 2, 2024

I have not changed ports.
I enabled SSL on global-conf, proxy-ui-api, and center-admin-service. For Central Server, I used fqdn as the name instead of IP address.

petkivim commented on June 2, 2024

Indeed, the second error message is related to the certificate path. In that case, you should review the instructions and double check that you've completed all the steps according to them.

In step 10, the Central Server PKCS#12 container password must be center-admin-service (-passout pass:center-admin-service).

In step 12 on the Central Server, you must restart the xroad-center service. The related log file is /var/log/xroad/centralserver-admin-service.log.

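To check that a replacement admin UI/API certificate is consistent before restarting xroad-center, here is an added example; it is not X-Road project code and not the official instructions referred to above. It builds a throwaway CA and a service certificate under a temporary directory, bundles them as PKCS#12 with the password center-admin-service that the comment above requires, and runs the checks that explain a "PKIX path building failed" error: the leaf chains to the trusted CA, key and certificate match, the FQDN is in the SAN, and the container opens with the service name as password. The temporary directory, the CA name, the -name alias and the extendedKeyUsage line are this example's assumptions; on a real Central Server the files live in /etc/xroad/ssl/ (center-admin-service.key and friends).

```shell
#!/bin/sh
# Added example (not X-Road project code). Generates a throwaway CA, issues a
# certificate for the admin UI/API service with the host FQDN in its SAN, packs
# it as PKCS#12 with the password the thread requires, and checks everything a
# Java trust store will check when the service starts. WORKDIR, the CA name and
# the alias are assumptions; real files go to /etc/xroad/ssl/.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVICE="${SERVICE:-center-admin-service}"   # use proxy-ui-api on a Security Server
FQDN="${FQDN:-cs1.dev.net}"                  # hostname from the inventory in this thread

# Throwaway CA standing in for a commonly trusted CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Key, CSR and CA-signed certificate for the service. The SAN carries the FQDN,
# which is what clients validate (the maintainer recommends FQDNs over IPs).
issue_service_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$FQDN" \
    -keyout "$WORKDIR/$SERVICE.key" -out "$WORKDIR/$SERVICE.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" > "$WORKDIR/san.ext"
  openssl x509 -req -days 2 -sha256 -in "$WORKDIR/$SERVICE.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/$SERVICE.crt" 2>/dev/null
}

# PKCS#12 container. The password must equal the service name, as stated above
# for step 10 (-passout pass:center-admin-service). Including the CA certificate
# keeps the whole chain inside the container.
bundle_pkcs12() {
  openssl pkcs12 -export -name "$SERVICE" \
    -in "$WORKDIR/$SERVICE.crt" -inkey "$WORKDIR/$SERVICE.key" \
    -certfile "$WORKDIR/ca.pem" \
    -out "$WORKDIR/$SERVICE.p12" -passout "pass:$SERVICE"
}

# Same question a Java trust store asks when it builds the PKIX path: does the
# leaf chain to a trusted root? A missing intermediate or untrusted root fails here.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$SERVICE.crt" >/dev/null 2>&1
}

# Private key and certificate must belong together (compare their public keys).
key_matches_cert() {
  crt_pub=$(openssl x509 -noout -pubkey -in "$WORKDIR/$SERVICE.crt" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$WORKDIR/$SERVICE.key" | openssl sha256)
  [ "$crt_pub" = "$key_pub" ]
}

# The SAN must contain the name clients will connect to.
cert_has_san() {
  openssl x509 -noout -text -in "$WORKDIR/$SERVICE.crt" | grep -q "DNS:$1"
}

# The service opens the container with its own name as password; anything else
# fails the MAC check, the same outcome as a mistyped -passout.
p12_opens_with() {
  openssl pkcs12 -in "$WORKDIR/$SERVICE.p12" -noout -passin "pass:$1" >/dev/null 2>&1
}

run_all() {
  make_test_ca && issue_service_cert && bundle_pkcs12
  verify_chain              || { echo "FAIL: certificate does not chain to the CA"; return 1; }
  key_matches_cert          || { echo "FAIL: private key does not match certificate"; return 1; }
  cert_has_san "$FQDN"      || { echo "FAIL: SAN lacks $FQDN"; return 1; }
  p12_opens_with "$SERVICE" || { echo "FAIL: PKCS#12 password is not '$SERVICE'"; return 1; }
  echo "OK: $WORKDIR/$SERVICE.{key,crt,p12} consistent; copy to /etc/xroad/ssl/ and restart xroad-center"
}

run_all
```

For a production replacement, swap the throwaway CA for the chain of a commonly trusted CA (as the maintainer recommends later in this thread) and set SERVICE=proxy-ui-api on a Security Server. A failing verify_chain corresponds to the "unable to find valid certification path to requested target" message quoted above: the service's trust store cannot build a path from the presented certificate to a root it trusts.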

asow25 commented on June 2, 2024

tail -f /var/log/xroad/proxy_ui_api.log

2024-05-27T17:48:31.647Z [https-jsse-nio-4000-exec-4] correlation-id:[6654c76f04902fece9c6b1782df231ac] INFO  ee.ria.xroad.common.AuditLogger - {"event":"Edit security server address failed","user":"xadmin","ipaddress":"<MY_INTERNET_ROUTER_IP_ADDRESS>","reason":"Cannot invoke \"String.equals(Object)\" because the return value of \"org.niis.xroad.securityserver.restapi.service.GlobalConfService.getSecurityServerAddress(ee.ria.xroad.common.identifier.SecurityServerId)\" is null","warning":false,"auth":"Session","url":"/api/v1/system/server-address","data":{"address":"<SECURITY_SERVER_URI>"}}
2024-05-27T17:48:31.648Z [https-jsse-nio-4000-exec-4] correlation-id:[6654c76f04902fece9c6b1782df231ac] ERROR o.n.x.r.e.ApplicationExceptionHandler - exception caught
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because the return value of "org.niis.xroad.securityserver.restapi.service.GlobalConfService.getSecurityServerAddress(ee.ria.xroad.common.identifier.SecurityServerId)" is null
	at org.niis.xroad.securitys

Perhaps this is because I use two SSL certificates: a commercial SSL for web consoles and OpenSSL for XRoad services.

petkivim commented on June 2, 2024

Unfortunately, the error message doesn't include the root cause of the problem - only that there's something wrong with your configuration. Could you share the whole /var/log/xroad/proxy_ui_api.log and /var/log/xroad/configuration_client.log log files?

asow25 commented on June 2, 2024

I have removed the SSL certificates I had added, and it works. I was able to configure:

  • cs :
    • center-admin-service
    • global-conf
  • ss :
    • proxy_ui_api

With Ansible, we deploy the certification authority. Is my approach correct? To have two types of SSL certificates (short-term), one for web display and OpenSSL (long-term) for communication between X-Road services?
Also, should I use FQDN to rename the services or use IP addresses?

petkivim commented on June 2, 2024

The CA that you deploy with Ansible is meant for issuing authentication certificates for Security Servers and sign certificates for X-Road members. Using that CA for the UI and global configuration certificates doesn't bring any additional value. Instead, if you want to replace the self-signed UI and global conf certificates created during the installation process, you should use some commonly trusted CA.

In general, it's recommended to use FQDN in certificates.
