❗Note❗ This repository is currently not under active maintenance and therefore archived. If you plan on picking up this product again, feel free to reach out ot the Eclipse Tractus-X projects leads via mailing list.
DAPS Registration Service is a security mediator sitting between DAPS service and an admin user responsible for registering new clients (EDCs) to the DAPS. The admin user is protected with keycloak bearer token and shall have appropriate role to create records at DAPS side. Therefore, the secrets for admin interface of the DAPS are not disclosed to the requester.
Helm version is v2.1.0
Application version is v2.1.0
For user authentication, Connector Registration Service relies on the Catena-X identity provider (keycloak). Connector Registration Service has access to a secret which allows using the remote administration plugin of the DAPS.
- An admin user holding a bearer token with appropriate privileges calls REST interface of the service providing necessary information for registering new client (e.g. the client certificate)
- The Service converts the request to the format acceptable by DAPS admin plugin and sends registration calls to that plugin. DAPS plugin secret is used for authentication. This secret is not disclosed to the caller.
Here is definition of the interface in Java:
public void createClient(@RequestParam String clientName, @RequestParam(required = false) String securityProfile,
@RequestParam(required = false) String referringConnector, @RequestPart("file") MultipartFile file);
Two parameters are mandatory:
- clientName: name of client
- file: Connector's certificate (public part)
Other parameters are optional:
- securityProfile: security profile. Default Value is
idsc:BASE_SECURITY_PROFILE
- referringConnector: url of the Connector. By convention, we add BPN number at the end of the URL to keep reference to the BPN inside of DAT token
POST api/v1/daps?clientName=MyCompany HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="file"; filename="certificate.crt"
Content-Type: text/plain
CONTENT OF A CERTIFICATE
-----------------------------9051914041544843365972754266
The configuration property file is located under resources
folder and is incorporated
into the fat jar during build process. It can be customized before building if needed.
Or,the another one can be used as its location can be overridden:
java -jar dapsreg-0.0.1-SNAPSHOT.jar --spring.config.location=file:./custom-config/
Here application.yaml will be searched in custom-config dir.
An example of application.yaml
for Daps registration service is given bellow:
keycloak:
auth-server-url: https://centralidp.demo.catena-x.net/auth
realm: CX-Central
resource: Cl2-CX-Portal
bearer-only: true
use-resource-role-mappings: true
principal-attribute: preferred_username
app:
build:
version: ^project.version^
daps:
apiUri: https://daps-pen.int.demo.catena-x.net/api/v1
tokenUri: https://daps-pen.int.demo.catena-x.net/token
clientId: <ClientId>
clientSecret: <ClientSecret>
security:
createRole: create_daps_client
updateRole: update_daps_client
deleteRole: delete_daps_client
Here keycloak
section defines keycloak's parameters for authentication client requests.
app.daps.apiUri
specifies URI of the API for the Admin pluging of the
omejdn DAPS service. This API DAPS registration service uses for
registering clients on DAPS side.
app.daps.tokenUri
is an endpoint used to fetch authorization token. This token is
used for calling omejdn admin API plugin.
app.daps.clientId
is the client ID of the admin account registerd at DAPS
app.daps.clientSecret
is client secret of the admin account
app.security
- sets the roles a user must hold for creating, updating and removing
clients at DAPS side.
Daps registration service use Maven for building process. To build a service from sources one need to go to the project directory and trigger building process:
cd tx-daps-registration-service
./mvnw clean install
Please note, the test process uses Docker for performing the tests.
An image with Omejdn DAPS server is expected to exist. The name
of the image shall be provided in the app.daps.imageName
section
of the test configuration file (application-test.yml
) located at
test/resources
directory.
Then fat jar file can be found in target
folder as well as in local Maven repository.
it can be run with this command:
java -jar target/dapsreg-2.0.0.jar
Please note the name of jar-file as it may differ if version is changed.