EFS Admin Guide

Notes

  • This guide primarily refers to the setup of EFS in the EFPF Development Environment.
  • In the EFPF Testing and Production Environments, the components of the Data Spine are deployed in the same internal network to minimise network latency as described here, and therefore, some configuration has changed.
  • In the EFPF Testing and Production Environments, the deployment and the initial configuration of the Data Spine components have been automated using Ansible Playbooks and GitLab CI/CD infrastructure. This configuration is currently maintained in the EFPF Integration and Deployment repository.
  • Latest Connection Details: Link

EFS Deployment Guide

EFS components can be deployed as Docker containers. The deployment scripts for the EFS components can be found on GitLab: https://gitlab.fit.fraunhofer.de/efpf-pilots/efpf-security-components/efpf_efs_srfg_components

The run-efac-portal.sh script starts the necessary EFS Docker components.

Deploy the EFS components in the following sequence:

Keycloak:

    ./run-efac-portal.sh keycloak

API Security Gateway:

    ./run-efac-portal.sh apisix

API Security Gateway Importer:

    ./run-efac-portal.sh asg-importer

How to create and renew a Let’s Encrypt certificate for the EFPF Security Portal server

The following document explains how to set up the Let’s Encrypt certificate with Certbot:

https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

First, add the repository and install Certbot:

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update

Then create the certificates via the following command. Make sure to stop any running NGINX containers during this process; we assume you are using NGINX as a reverse proxy in your deployment.

    # Each domain name needs its own -d flag.
    sudo certbot-auto certonly --standalone -d efpf-security-portal.salzburgresearch.at -d www.efpf-security-portal.salzburgresearch.at

The certificates should be available in the following directory:

    /etc/letsencrypt/live/efpf-security-portal.salzburgresearch.at

This folder will contain the following files:

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

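Use fullchain.pem and privkey.pem to configure the NGINX instance:

    # "listen ... ssl" replaces the "ssl on;" directive, which is deprecated since nginx 1.15.0.
    listen 443 ssl;
    # Replace example.com with the name of your directory under /etc/letsencrypt/live.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;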

How to renew the certificate

  • If NGINX is running, stop it via the following command:

    docker-compose stop nginx
    
  • Dry run command:

    sudo certbot-auto renew --dry-run
    
  • Renew certificates command:

    sudo certbot-auto renew
    
  • The certificates will be available in the following directory:

    /etc/letsencrypt/live/efpf-security-portal.salzburgresearch.at
    

How to write a cron job for auto-renewal

  • Add the following crontab entry to auto-renew the certificates:
    0 2 * * * sudo /usr/sbin/certbot-auto -q renew
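
The manual renewal steps above stop NGINX before running `renew`, which the plain crontab entry does not do. The wrapper below is an added example, not part of the original guide or the EFS repository: it stops NGINX only when the certificate is within 30 days of expiry (Certbot's default renewal window), renews, and always starts NGINX again. `COMPOSE_DIR`, the script's install path, the `run` argument and the use of `docker-compose start nginx` are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for the stop -> renew -> start sequence.
# Intended for root's crontab, so no sudo is used inside.
CERTBOT="${CERTBOT:-/usr/sbin/certbot-auto}"  # path used in the guide's crontab entry
COMPOSE="${COMPOSE:-docker-compose}"
COMPOSE_DIR="${COMPOSE_DIR:-/opt/efs}"        # assumption: directory with the compose file
LIVE_DIR=/etc/letsencrypt/live/efpf-security-portal.salzburgresearch.at

# Succeeds if the certificate in $1 expires within $2 days (default 30).
# A missing or unreadable file also counts as due.
expires_soon() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" \
        >/dev/null 2>&1 && return 1
    return 0
}

# Returns 0 when nothing is due or renewal succeeded, certbot's exit
# status when renewal failed, 2 if NGINX could not be stopped, 3 if it
# could not be started again.
renew_with_nginx_stopped() {
    cert="${1:-$LIVE_DIR/fullchain.pem}"
    expires_soon "$cert" 30 || return 0   # not due: leave NGINX running
    ( cd "$COMPOSE_DIR" && $COMPOSE stop nginx ) || return 2
    rc=0
    $CERTBOT -q renew || rc=$?
    # Start NGINX again even when renewal failed, so the portal stays up.
    ( cd "$COMPOSE_DIR" && $COMPOSE start nginx ) || return 3
    return "$rc"
}

# Crontab (assumed install path): 0 2 * * * /usr/local/bin/renew-efs-cert.sh run
if [ "${1:-}" = "run" ]; then
    renew_with_nginx_stopped
    exit $?
fi
```

A non-zero exit status from the wrapper means the renewal or the NGINX restart needs attention, so route cron's mail or the exit status to monitoring.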
    