nordic-institute / X-Road

Source code of the X-Road® data exchange layer software
https://x-road.global

The configuration anchor #2148

Closed SowAbdoul closed 1 month ago

SowAbdoul commented 2 months ago

Hello, I discovered the solution a few days ago and followed the training on YouTube, which was wonderful! The Ansible script deserves credit; it's excellent work! I completed an installation, launched the Security Server UI console, and it asked me: Import the configuration anchor provided by the Central Server's administrator.

Please tell me where I can locate it.

petkivim commented 2 months ago

Hi @asow25! It's nice to hear that you have found the available resources useful. 😄

Are you deploying a single Security Server or an entire X-Road environment? In the latter case (entire X-Road environment), please follow this configuration guide. In the first case (single Security Server), please complete only steps 3.1-3.6 of the configuration guide.

SowAbdoul commented 1 month ago

Thanks a lot @petkivim! How do I access the Central Server's admin interface? Port 4000 is not listening on the Central Server.

petkivim commented 1 month ago

Did you try with https://<CENTRAL_SERVER_ADDRESS>:4000? The Central Server admin interface only supports https; http is not supported. If that's not the cause of the issue, please see the Central Server post-installation checks.

SowAbdoul commented 1 month ago

```
root@xroad-cs:~# sudo systemctl list-units "xroad*"
  UNIT                 LOAD   ACTIVE SUB     DESCRIPTION
  xroad-base.service   loaded active exited  X-Road initialization
  xroad-signer.service loaded active running X-Road signer

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
2 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
root@xroad-cs:~# 
root@xroad-cs:~# 
root@xroad-cs:~# dpkg -l | grep xroad
ii  xroad-base                        7.4.2-1.ubuntu22.04                     amd64        X-Road base components
rc  xroad-center                      7.4.2-1.ubuntu22.04                     all          X-Road central server
rc  xroad-center-management-service   7.4.2-1.ubuntu22.04                     all          X-Road Central Server Management Service
rc  xroad-center-registration-service 7.4.2-1.ubuntu22.04                     all          X-Road Central Server Registration Service
rc  xroad-centralserver-monitoring    7.4.2-1.ubuntu22.04                     all          Monitoring client configuration for X-Road central
ii  xroad-confclient                  7.4.2-1.ubuntu22.04                     amd64        X-Road configuration client components
ii  xroad-confproxy                   7.4.2-1.ubuntu22.04                     all          X-Road configuration proxy
ii  xroad-database-local              7.4.2-1.ubuntu22.04                     all          Meta-package for X-Road local database dependencies
ii  xroad-nginx                       7.4.2-1.ubuntu22.04                     amd64        X-Road nginx component
ii  xroad-signer                      7.4.2-1.ubuntu22.04                     amd64        X-Road signer component
root@xroad-cs:~# 
root@xroad-cs:~# 
root@xroad-cs:~# telnet localhost 4000
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
```

petkivim commented 1 month ago

It seems that some packages are missing and there's at least one extra package too. Here's what the package list should look like:

```
root@test-cs:~# dpkg -l | grep xroad
ii  xroad-base                         7.4.2-1.ubuntu22.04 amd64        X-Road base components
ii  xroad-center                       7.4.2-1.ubuntu22.04 all          X-Road central server
ii  xroad-center-management-service    7.4.2-1.ubuntu22.04 all          X-Road Central Server Management Service
ii  xroad-center-registration-service  7.4.2-1.ubuntu22.04 all          X-Road Central Server Registration Service
ii  xroad-centralserver                7.4.2-1.ubuntu22.04 all          X-Road central server
ii  xroad-centralserver-monitoring     7.4.2-1.ubuntu22.04 all          Monitoring client configuration for X-Road central
ii  xroad-confclient                   7.4.2-1.ubuntu22.04 amd64        X-Road configuration client components
ii  xroad-database-local               7.4.2-1.ubuntu22.04 all          Meta-package for X-Road remote database dependencies
ii  xroad-nginx                        7.4.2-1.ubuntu22.04 amd64        X-Road nginx component
ii  xroad-signer                       7.4.2-1.ubuntu22.04 amd64        X-Road signer component
```

Could you share the Ansible hosts file that you used in the installation? It seems that you have tried to install the Configuration Proxy component on the same host as the Central Server. However, they must be run on separate hosts. Also, the Configuration Proxy is an optional component, so you can skip it.
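A scripted version of the package comparison above, added here as an example (it is not part of X-Road or its Ansible playbooks): it reads `dpkg -l` output, compares it with the package set a working Central Server shows, and reports every required package that is missing or not in the `ii` state, plus an `xroad-confproxy` package that should not be on the same host. The dpkg output in the block is a constructed sample modelled on the broken host posted earlier.

```shell
# Added example (not X-Road's own tooling): compare "dpkg -l" output with the
# package set a working Central Server shows and report anything missing,
# not fully installed ("ii"), or the Configuration Proxy on the same host.

# Packages every Central Server host must have in state "ii".
CS_REQUIRED_PACKAGES='xroad-base xroad-center xroad-center-management-service
xroad-center-registration-service xroad-centralserver
xroad-centralserver-monitoring xroad-confclient xroad-database-local
xroad-nginx xroad-signer'

# Constructed sample in "dpkg -l" format modelled on the broken host above:
# "rc" means removed with config files kept, and xroad-confproxy is present.
SAMPLE_DPKG='ii  xroad-base                     7.4.2-1.ubuntu22.04 amd64 X-Road base components
rc  xroad-center                   7.4.2-1.ubuntu22.04 all   X-Road central server
rc  xroad-centralserver-monitoring 7.4.2-1.ubuntu22.04 all   Monitoring client configuration
ii  xroad-confclient               7.4.2-1.ubuntu22.04 amd64 X-Road configuration client components
ii  xroad-confproxy                7.4.2-1.ubuntu22.04 all   X-Road configuration proxy
ii  xroad-signer                   7.4.2-1.ubuntu22.04 amd64 X-Road signer component'

# check_cs_packages DPKG_OUTPUT: print one line per problem and succeed only
# when all required packages are "ii" and xroad-confproxy is absent.
check_cs_packages() {
    problems=0
    for pkg in $CS_REQUIRED_PACKAGES; do
        # first column is the dpkg status (ii = installed, rc = removed, config kept)
        state=$(printf '%s\n' "$1" | awk -v p="$pkg" '$2 == p { print $1 }')
        case "$state" in
            ii) ;;
            '') echo "missing: $pkg"; problems=$((problems + 1)) ;;
            *)  echo "status $state: $pkg is not fully installed"; problems=$((problems + 1)) ;;
        esac
    done
    if printf '%s\n' "$1" | awk '$1 == "ii" && $2 == "xroad-confproxy" { f = 1 } END { exit !f }'; then
        echo "extra: xroad-confproxy must run on a separate host"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Run it on a real host with `check_cs_packages "$(dpkg -l | grep xroad)"`; a clean Central Server prints nothing and exits 0.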

SowAbdoul commented 1 month ago

I've got 02 machines

```ini
[xroad:children]
cs_servers
ss_servers
cp_servers
ca_servers

#central servers
[cs_servers]
cs1.dev.net ansible_host=x.x.x.x

#security servers
[ss_servers]
ss1.dev.net ansible_host=x.x.x.x

#configuration proxies
[cp_servers:children]
cs_servers

#certification authority, time stamping authority and ocsp service server
[ca_servers:children]
ss_servers

[ss_servers:vars]
variant=vanilla
```

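The inventory above makes every `cs_servers` host a `cp_servers` host through the `[cp_servers:children]` group, which is exactly the Central Server / Configuration Proxy co-location that must not happen. The following check, added here as an example and not part of X-Road or its Ansible playbooks, resolves `:children` groups in an INI inventory and fails when any host is in both groups; the inventory text inside it is a constructed copy of the one posted.

```shell
# Added example: resolve [group:children] links in an Ansible INI inventory and
# flag hosts that are in both cs_servers and cp_servers (must be separate hosts).

# Constructed sample modelled on the inventory posted above.
SAMPLE_INVENTORY='[xroad:children]
cs_servers
ss_servers
cp_servers
#central servers
[cs_servers]
cs1.dev.net ansible_host=x.x.x.x
[ss_servers]
ss1.dev.net ansible_host=x.x.x.x
#configuration proxies
[cp_servers:children]
cs_servers
[ss_servers:vars]
variant=vanilla'

# hosts_in_group INVENTORY GROUP: print GROUP's hosts one per line, expanding
# :children groups recursively and ignoring :vars sections.
hosts_in_group() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function expand(g,   n, i, parts, out) {
            if (g in seen) return ""
            seen[g] = 1; out = hosts[g]
            n = split(kids[g], parts, " ")
            for (i = 1; i <= n; i++) out = out " " expand(parts[i])
            return out
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); kind = "hosts"
                if (sub(/:children$/, "", sec)) kind = "children"
                else if (sub(/:vars$/, "", sec)) kind = "vars"
                group = sec; next }
        kind == "hosts"    { hosts[group] = hosts[group] " " $1 }
        kind == "children" { kids[group]  = kids[group]  " " $1 }
        END { n = split(expand(want), parts, " ")
              for (i = 1; i <= n; i++) print parts[i] }'
}

# check_cs_cp_overlap INVENTORY: succeed when no host is in both groups,
# otherwise print the offending hosts and fail.
check_cs_cp_overlap() {
    overlap=$({ hosts_in_group "$1" cs_servers | sort -u; hosts_in_group "$1" cp_servers | sort -u; } | sort | uniq -d)
    [ -n "$overlap" ] && printf 'host(s) in both cs_servers and cp_servers: %s\n' "$overlap"
    [ -z "$overlap" ]
}
```

Point it at a real file with `check_cs_cp_overlap "$(cat hosts)"`; the fix for the sample is to list a separate host under `[cp_servers]` or to drop the group entirely.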
SowAbdoul commented 1 month ago

I resumed, this time without the proxy. I logged in to the dashboard, and there are URLs like https:///internalconf. When I open the link, nothing happens.

petkivim commented 1 month ago

So you're able to access the dashboard now. That's good news! The next step is to follow this configuration guide. The internal conf configuration data will be available only after completing the initial configuration.

petkivim commented 1 month ago

In order to complete the configuration, you need to have a CA with OCSP and a timestamping service. The easiest way is to use the Test CA and install it on the same host with the Central Server using Ansible.

```ini
#central servers
[cs_servers]
cs1.dev.net ansible_host=x.x.x.x

#certification authority, time stamping authority and ocsp service server
[ca_servers]
cs1.dev.net ansible_host=x.x.x.x
```

SowAbdoul commented 1 month ago

Hello @petkivim, I hope you are well, and thank you very much! I finished the configuration, and at the end there is a test: we create a subsystem on the SS, then approve it on the CS, and it has a registered status.

SowAbdoul commented 1 month ago

Excuse me, I have 02 questions:

  1. How will a Consumer use it? I've seen X-Road architectures: Consumer <----> Provider. How do you use it? Sorry if my question is off-topic; I'm discovering the solution and I'm very excited! For example, in my mind, I thought of the NextCloud schema, but X-Road goes beyond all limits, so I allow myself to ask you the question. Is this the operational schema of X-Road?
     - Register your services: Providers register the services they wish to share with other entities in the X-Road environment.
     - Define access permissions: Providers define access permissions for each service, determining who can access them and under what conditions.
     - Make requests: Consumers send requests to providers to access the data or services they need. These requests are based on the services registered in X-Road.
     - Respond to requests: Providers receive requests from consumers and respond by providing the requested data, provided that the defined permissions allow it.

  2. How do I add SSL to the CS and SS web portal?

petkivim commented 1 month ago

  1. The operational schema that you described is correct. More information about the actual data exchange flow is available here.
  2. Could you elaborate on what you mean by adding SSL to the CS and SS web portal? Do you want to replace the UI/API certificate with a certificate issued by a trusted CA? More information about keys and certificates used by X-Road is available here.

Are you already familiar with the X-Road Academy? It provides several free online courses that help you to get started with X-Road.

SowAbdoul commented 1 month ago

Thank you for your attention, @petkivim

SowAbdoul commented 1 month ago

Hello, @petkivim! How are you? I took the course with the X-Road Academy, and it was incredible. Many thanks! How do I configure TLS certificates on Central Server?

petkivim commented 1 month ago

Hi @asow25! That's great to hear! 😄

What TLS certificate(s) do you mean? Do you want to change 1) the admin UI/API TLS certificate (port 4000) and/or 2) the global configuration download certificate (port 443)?

Instructions to change the global configuration download certificate (2) are available here. The admin UI/API TLS certificate (1) can be changed by following these instructions. Please note that the instructions are for the Security Server; therefore, you must replace proxy-ui-api with center-admin-service, e.g., /etc/xroad/ssl/proxy-ui-api.key => /etc/xroad/ssl/center-admin-service.key.

SowAbdoul commented 1 month ago

Thanks a lot! The courses are great, I even got certifications at the end. Is it possible to change the port 4000 to another one?

petkivim commented 1 month ago

In theory, changing the port is possible, but it requires changes to multiple places and the process is not documented. Therefore, I don't recommend changing it.

SowAbdoul commented 1 month ago

I realise... On the Security Server, I had this error on Edit Security Server Address:

```
AxiosError: Request failed with status code 500
```

or

```
error_code.core.InternalError
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target executing POST https://127.0.0.1:4000/api/v1/management-requests
```

petkivim commented 1 month ago

Yes, those are consequences of changing the port. To get rid of them, you should modify the source code, build your own installation packages and do the installation using your own packages.

SowAbdoul commented 1 month ago

I have not changed ports. I enabled SSL on global-conf, proxy-ui-api, and center-admin-service. For Central Server, I used fqdn as the name instead of IP address.

petkivim commented 1 month ago

Indeed, the second error message is related to the certificate path. In that case, you should review the instructions and double check that you've completed all the steps according to them.

In step 10, the Central Server PKCS#12 container password must be center-admin-service (-passout pass:center-admin-service).

In step 12 on the Central Server, you must restart the xroad-center service. The related log file is /var/log/xroad/centralserver-admin-service.log.

SowAbdoul commented 1 month ago

tail -f /var/log/xroad/proxy_ui_api.log

```
2024-05-27T17:48:31.647Z [https-jsse-nio-4000-exec-4] correlation-id:[6654c76f04902fece9c6b1782df231ac] INFO  ee.ria.xroad.common.AuditLogger - {"event":"Edit security server address failed","user":"xadmin","ipaddress":"<MY_INTERNET_ROUTER_IP_ADDRESS>","reason":"Cannot invoke \"String.equals(Object)\" because the return value of \"org.niis.xroad.securityserver.restapi.service.GlobalConfService.getSecurityServerAddress(ee.ria.xroad.common.identifier.SecurityServerId)\" is null","warning":false,"auth":"Session","url":"/api/v1/system/server-address","data":{"address":"<SECURITY_SERVER_URI>"}}
2024-05-27T17:48:31.648Z [https-jsse-nio-4000-exec-4] correlation-id:[6654c76f04902fece9c6b1782df231ac] ERROR o.n.x.r.e.ApplicationExceptionHandler - exception caught
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because the return value of "org.niis.xroad.securityserver.restapi.service.GlobalConfService.getSecurityServerAddress(ee.ria.xroad.common.identifier.SecurityServerId)" is null
    at org.niis.xroad.securitys
```

Perhaps this is because I use two SSL certificates: a commercial SSL for web consoles and OpenSSL for XRoad services.

petkivim commented 1 month ago

Unfortunately, the error message doesn't include the root cause of the problem - only that there's something wrong with your configuration. Could you share the whole /var/log/xroad/proxy_ui_api.log and /var/log/xroad/configuration_client.log log files?

SowAbdoul commented 1 month ago

I have removed the SSL certificates I had added, and it works. I was able to configure:

With Ansible, we deploy the certification authority. Is my approach correct: having two types of SSL certificates, a (short-term) one for web display and an OpenSSL (long-term) one for communication between X-Road services? Also, should I use FQDNs or IP addresses to name the services?

petkivim commented 1 month ago

The CA that you deploy with Ansible is meant for issuing authentication certificates for Security Servers and sign certificates for X-Road members. Using that CA for the UI and global configuration certificates doesn't bring any additional value. Instead, if you want to replace the self-signed UI and global conf certificates created during the installation process, you should use some commonly trusted CA.

In general, it's recommended to use FQDN in certificates.