Merge pull request #2375 from nordic-institute/XRDDEV-2695

feat(CS): EC key support for global configuration
nordic-institute · Nov 20, 2024 · 6a33f26 · 6a33f26
2 parents 577093c + c27b3e1
commit 6a33f26
Show file tree

Hide file tree

Showing 122 changed files with 2,899 additions and 1,360 deletions.
diff --git a/Docker/centralserver/files/etc/xroad/services/local.conf b/Docker/centralserver/files/etc/xroad/services/local.conf
@@ -1,4 +1,5 @@
 XROAD_CS_ADMIN_SERVICE_PARAMS=" -Xdebug -agentlib:jdwp=transport=dt_socket,address=*:9950,server=y,suspend=n $XROAD_CS_ADMIN_SERVICE_PARAMS"
 XROAD_CS_MANAGEMENT_SERVICE_PARAMS=" -Xdebug -agentlib:jdwp=transport=dt_socket,address=*:9951,server=y,suspend=n $XROAD_CS_MANAGEMENT_SERVICE_PARAMS"
 XROAD_CS_REGISTRATION_SERVICE_PARAMS=" -Xdebug -agentlib:jdwp=transport=dt_socket,address=*:9952,server=y,suspend=n $XROAD_CS_REGISTRATION_SERVICE_PARAMS"
-XROAD_CONFCLIENT_PARAMS=" -Xdebug -agentlib:jdwp=transport=dt_socket,address=*:9953,server=y,suspend=n $XROAD_CONFCLIENT_PARAMS"
+XROAD_CONFCLIENT_PARAMS=" -Xdebug -agentlib:jdwp=transport=dt_socket,address=*:9953,server=y,suspend=n $XROAD_CONFCLIENT_PARAMS"
+XROAD_SIGNER_PARAMS="$XROAD_SIGNER_PARAMS -Xdebug -agentlib:jdwp=transport=dt_socket,address=*:9994,server=y,suspend=n $SIGNER_JMX_PARAMS $SIGNER_TELEMETRY_PARAMS"
diff --git a/Docker/xrd-dev-stack/compose.dev.yaml b/Docker/xrd-dev-stack/compose.dev.yaml
@@ -14,6 +14,7 @@ services:
       - "4191:9951" # Management debug
       - "4192:9952" # Registration debug
       - "4193:9953" # Conf Client debug
+      - "4194:9994" # Signer debug port
     networks:
       - xroad-network
   ss0:

diff --git a/Docker/xrd-dev-stack/tools/deploy.sh b/Docker/xrd-dev-stack/tools/deploy.sh
@@ -6,6 +6,7 @@ deploy_module() {
   local -a containers=("$@")
   local jar_path
   local service_name
+  local target_path
 
   case $module_name in
   "proxy")
@@ -16,6 +17,11 @@ deploy_module() {
     jar_path="$XROAD_HOME/src/addons/messagelog/messagelog-addon/build/libs/messagelog-addon.jar"
     service_name="xroad-proxy"
     ;;
+  "hwtoken-addon")
+    jar_path="$XROAD_HOME/src/addons/hwtoken/build/libs/hwtoken-1.0.jar"
+    service_name="xroad-signer"
+    target_path="usr/share/xroad/jlib/addon/signer"
+    ;;
   "metaservice-addon")
     jar_path="$XROAD_HOME/src/addons/metaservice/build/libs/metaservice-1.0.jar"
     service_name="xroad-proxy"
@@ -26,7 +32,7 @@ deploy_module() {
     ;;
   "signer")
     jar_path="$XROAD_HOME/src/signer/application/build/libs/signer-1.0.jar"
-    service_name="all"
+    service_name="xroad-signer"
     ;;
   "configuration-client")
     jar_path="$XROAD_HOME/src/configuration-client/application/build/libs/configuration-client-1.0.jar"
@@ -55,17 +61,20 @@ deploy_module() {
   esac
 
   for container in "${containers[@]}"; do
-    docker cp "$jar_path" "$container:/usr/share/xroad/jlib/"
+    docker cp "$jar_path" "$container:${target_path:-/usr/share/xroad/jlib/}"
     docker exec -it "$container" supervisorctl restart "$service_name"
   done
 }
 
 set -o xtrace
 
 case $1 in
-"proxy" | "messagelog-addon" | "metaservice-addon" | "proxy-ui-api" | "signer" | "configuration-client" | "op-monitor-daemon")
+"proxy" | "messagelog-addon" | "metaservice-addon" | "proxy-ui-api" | "configuration-client" | "op-monitor-daemon")
   deploy_module "$1" "ss0" "ss1"
   ;;
+"signer" | "hwtoken-addon")
+  deploy_module "$1" "ss0" "ss1" "cs"
+  ;;
 "cs-admin-service" | "cs-management-service" | "cs-registration-service")
   deploy_module "$1" "cs"
   ;;

diff --git a/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md b/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md
diff --git a/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md b/doc/Manuals/ig-ss_x-road_v6_security_server_installation_guide.md
diff --git a/doc/Manuals/ug-cp_x-road_v6_configuration_proxy_manual.md b/doc/Manuals/ug-cp_x-road_v6_configuration_proxy_manual.md
diff --git a/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md b/doc/Manuals/ug-cs_x-road_6_central_server_user_guide.md
@@ -179,6 +179,9 @@ Doc. ID: UG-CS
 - [18 Migrating to Remote Database Host](#18-migrating-to-remote-database-host)
 - [19 Additional Security Hardening](#19-additional-security-hardening)
 - [20 Passing additional parameters to psql](#20-passing-additional-parameters-to-psql)
+- [21 Migrating to EC Based Configuration Signing Keys](#21-migrating-to-ec-based-configuration-signing-keys)
+  - [21.1 Steps to Enable EC Based Signing Keys](#211-Steps-to-enable-EC-based-signing-keys)
+  - [21.2 Backwards Compatibility](#212-Backwards-compatibility)
 <!-- tocstop -->
 
 # License
@@ -1757,3 +1760,25 @@ This example shows how SSL configurations for _psql_ could look like. List of po
 Some of the variables like `PGOPTIONS`, `PGDATABASE`, `PGUSER`, `PGPASSWORD` are already used by scripts(created and initialized with values from `/etc/xroad/db.properties` file) so adding same variables to `db_libpq.env` won't have any effect on script behaviour.
 
 In case it is needed to pass additional flags to internally initialized `PGOPTIONS` variable, then `PGOPTIONS_EXTRA` variable can be used. It will be appended to `PGOPTIONS` variable.
+
+# 21 Migrating to EC Based Configuration Signing Keys
+
+## 21.1 Steps to Enable EC Based Signing Keys
+
+Since version 7.6.0 Central Server supports ECDSA based configuration signing keys. By default, both internal and external configuration signing keys use the RSA algorithm as in previous versions. The EC algorithm can be enabled separately for internal and external keys so migration can be done in steps, e.g., first internal and then external keys or vice versa. The instructions on how to start using internal and external signing EC keys are listed below.
+
+1. Update the configuration to use EC based keys. This can be done by updating the configuration file `/etc/xroad/conf.d/local.ini` and adding the following lines:
+
+```ini
+[admin-service]
+internal-key-algorithm = EC
+external-key-algorithm = EC
+```
+
+2. Restart the `xroad-center` service to apply the changes made to the configuration file.
+3. Follow the instructions in the [Generating a Configuration Signing Key](#541-generating-a-configuration-signing-key) to generate new keys, which will be using EC algorithm now.
+
+## 21.2 Backwards Compatibility
+
+When Central Server is configured to use EC based signing keys, then Security Servers prior to version 7.6.0 are not be able to use the global configuration. In other words, EC based internal signing keys can be used only when all the Security Servers in the local ecosystem use X-Road version 7.6.0 or later. Instead, in a federated setup, EC based external signing keys can be used only when all the Security Servers in all the federated ecosystems use X-Road version 7.6.0 or later.
+Before migrating to EC based configuration signing keys, always remember to make sure that all the Security Servers in all the affected ecosystems use X-Road version 7.6.0 or later.
diff --git a/doc/Manuals/ug-sc_x-road_signer-console_user_guide.md b/doc/Manuals/ug-sc_x-road_signer-console_user_guide.md
@@ -10,26 +10,26 @@ Doc. ID: UG-SC
 
 ## Version history <!-- omit in toc -->
 
- Date     | Version | Description                                                               | Author
- -------- |---------|---------------------------------------------------------------------------| --------------------
- 20.11.2014 | 0.1     | First draft                                                               |
- 20.11.2014 | 0.2     | Some improvements done                                                    |
- 01.12.2014 | 1.0     | Minor corrections done                                                    |
- 19.01.2015 | 1.1     | License information added                                                 |
- 02.04.2015 | 1.2     | "sdsb" changed to "xroad"                                                 |
- 30.06.2015 | 1.3     | Minor corrections done                                                    |
- 09.09.2015 | 2.0     | Editorial changes made                                                    |
- 14.09.2015 | 2.1     | Audit log added                                                           |
- 20.09.2015 | 2.2     | Editorial changes made                                                    |
- 06.09.2015 | 2.3     | Added certificate request format argument                                 |
- 03.11.2015 | 2.4     | Added label parameter for key generation command                          |
- 10.12.2015 | 2.5     | Editorial changes made                                                    |
- 26.02.2021 | 2.6     | Convert documentation to markdown                                         | Caro Hautamäki
- 01.03.2021 | 2.7     | Added [2.4.19 update-software-token-pin](#2419-update-software-token-pin) | Caro Hautamäki
- 25.08.2021 | 2.8     | Update X-Road references from version 6 to 7                              | Caro Hautamäki
- 01.06.2023 | 2.9     | Update references                                                         | Petteri Kivimäki
-
- 
+| Date       | Version | Description                                                               | Author               |
+|------------|---------|---------------------------------------------------------------------------|----------------------|
+| 20.11.2014 | 0.1     | First draft                                                               |                      |
+| 20.11.2014 | 0.2     | Some improvements done                                                    |                      |
+| 01.12.2014 | 1.0     | Minor corrections done                                                    |                      |
+| 19.01.2015 | 1.1     | License information added                                                 |                      |
+| 02.04.2015 | 1.2     | "sdsb" changed to "xroad"                                                 |                      |
+| 30.06.2015 | 1.3     | Minor corrections done                                                    |                      |
+| 09.09.2015 | 2.0     | Editorial changes made                                                    |                      |
+| 14.09.2015 | 2.1     | Audit log added                                                           |                      |
+| 20.09.2015 | 2.2     | Editorial changes made                                                    |                      |
+| 06.09.2015 | 2.3     | Added certificate request format argument                                 |                      |
+| 03.11.2015 | 2.4     | Added label parameter for key generation command                          |                      |
+| 10.12.2015 | 2.5     | Editorial changes made                                                    |                      |
+| 26.02.2021 | 2.6     | Convert documentation to markdown                                         | Caro Hautamäki       |
+| 01.03.2021 | 2.7     | Added [2.4.19 update-software-token-pin](#2419-update-software-token-pin) | Caro Hautamäki       |
+| 25.08.2021 | 2.8     | Update X-Road references from version 6 to 7                              | Caro Hautamäki       |
+| 01.06.2023 | 2.9     | Update references                                                         | Petteri Kivimäki     |
+| 06.11.2024 | 2.10    | Added key algorithm argument                                              | Ovidijus Narkevicius |
+
 ## Table of Contents <!-- omit in toc -->
 
 <!-- toc -->
@@ -274,6 +274,7 @@ A command may have one or more arguments, and may or may not produce any output.
 **Arguments:**
 * ***token id***: the identifier of the token. Use *[list-tokens](#241-list-tokens)* to look up token identifiers.
 * ***label***: the label of the key is set for SSCD devices.
+* ***algorithm***: the algorithm used by generated key, Possible values: RSA, EC. Prior to version 7.6.0 only RSA is supported.
 
 **Output:** The id of the generated key.