-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1196 from wultra/develop
Merge develop to master
- Loading branch information
Showing
97 changed files
with
2,831 additions
and
883 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| name: Run SCP deploy | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| scp-deploy: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v3 | ||
| with: | ||
| java-version: 17 | ||
| distribution: 'temurin' | ||
| server-id: jfrog-central | ||
| server-username: INTERNAL_USERNAME | ||
| server-password: INTERNAL_PASSWORD | ||
| cache: maven | ||
| - name: Run Maven Package Step | ||
| run: | | ||
| mvn -B -U package -Dmaven.test.skip=true | ||
| env: | ||
| INTERNAL_USERNAME: ${{ secrets.JFROG_USERNAME }} | ||
| INTERNAL_PASSWORD: ${{ secrets.JFROG_PASSWORD }} | ||
| - name: Set up SSH key | ||
| run: | | ||
| mkdir -p ~/.ssh | ||
| echo "${{ secrets.SCP_CERTIFICATE }}" > ~/.ssh/id_rsa | ||
| chmod 600 ~/.ssh/id_rsa | ||
| ssh-keyscan -t rsa ${{ secrets.SCP_HOST }} >> ~/.ssh/known_hosts | ||
| - name: Deploy powerauth-java-server.war | ||
| shell: bash | ||
| run: | | ||
| scp -i ~/.ssh/id_rsa **/target/powerauth-java-server-*.war ${{ secrets.SCP_USERNAME }}@${{ secrets.SCP_HOST }}:/opt/apache-tomcat/webapps/powerauth-java-server.war | ||
| - name: Deploy powerauth-admin.war | ||
| shell: bash | ||
| run: | | ||
| scp -i ~/.ssh/id_rsa **/target/powerauth-admin-*.war ${{ secrets.SCP_USERNAME }}@${{ secrets.SCP_HOST }}:/opt/apache-tomcat/webapps/powerauth-admin.war |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,169 +1,3 @@ | ||
| # Installing Bouncy Castle | ||
|
|
||
| Since PowerAuth Server in version 1.1.x, installing the Bouncy Castle in OS or Java container is no longer required. The latest version is bundled with the app and cryptographic primitives should work out of the box. | ||
|
|
||
| ## Legacy: Installing Before 1.1.x | ||
|
|
||
| In order to function correctly, PowerAuth software requires Bouncy Castle to be available. | ||
|
|
||
| Bouncy Castle library installation depends on Java version and used web container. | ||
|
|
||
| PowerAuth server uses dynamic initialization of Bouncy Castle provider, so it is not required to configure security provider statically in the Java Runtime configuration. | ||
|
|
||
| You can get the Bouncy Castle provider here: | ||
| https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on | ||
|
|
||
| ### Installing on Java 11 | ||
|
|
||
| Java 11 no longer provides a library extension mechanism and thus Bouncy Castle library must be installed in the web container. | ||
|
|
||
| #### Bouncy Castle on Tomcat | ||
|
|
||
| Copy [`bcprov-jdk18on-176.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on) to your `${CATALINA_HOME}/lib` folder. | ||
|
|
||
| <!-- begin box warning --> | ||
| Bouncy Castle library will not work properly in case any war file deployed to Tomcat contains another copy of the Bouncy Castle library, even if the war file is not related to PowerAuth. | ||
| Bouncy Castle library must be only present in the `${CATALINA_HOME}/lib` folder. The `key spec not recognized` error message will appear in Tomcat log in this case. | ||
| <!-- end --> | ||
|
|
||
| #### Bouncy Castle on JBoss / Wildfly | ||
|
|
||
| PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk18on-176.jar` | ||
|
|
||
| In order to make PowerAuth Server work on JBoss / Wildfly, you need to add and enable the external Bouncy Castle module on the server | ||
| by adding the `<global-modules>` element in the `standalone.xml` file: | ||
|
|
||
| ```xml | ||
| <subsystem xmlns="urn:jboss:domain:ee:4.0"> | ||
| <global-modules> | ||
| <module name="org.bouncycastle.external" slot="main"/> | ||
| </global-modules> | ||
| </subsystem> | ||
| ``` | ||
|
|
||
| The module should be defined using a new module XML file in JBoss folder `modules/system/layers/base/org/bouncycastle/external/main`: | ||
| ```xml | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <module name="org.bouncycastle.external" xmlns="urn:jboss:module:1.8"> | ||
| <resources> | ||
| <resource-root path="bcprov-jdk18on-176.jar"/> | ||
| </resources> | ||
| </module> | ||
| ``` | ||
|
|
||
| Finally, copy the Bouncy Castle library `bcprov-jdk18on-176.jar` into folder `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module. | ||
|
|
||
| <!-- begin box warning --> | ||
| Do not reuse Bouncy Castle module `org.bouncycastle` from JBoss, because version of library provided by JBoss may differ from version required by PowerAuth. | ||
| <!-- end --> | ||
|
|
||
| #### Testing the Installation | ||
|
|
||
| You can test the installation in web container using our simple [bc-check.war application](https://github.com/wultra/powerauth-crypto/releases/download/0.23.0/check-bc.war). | ||
|
|
||
| The application performs following checks after startup: | ||
| - Check whether BC provider is correctly installed. | ||
| - Generate an ECSDA keypair. | ||
| - Compute and validate an ECSDA signature. | ||
|
|
||
| Once you deploy the application to the web container, you should see following messages in container log: | ||
| ``` | ||
| BC provider is installed. | ||
| ECSDA signature validation succeeded. | ||
| ``` | ||
|
|
||
| In case of any error or different output, please check the troubleshooting guide below. | ||
|
|
||
| ### Installing on Java 8 | ||
|
|
||
| Java 8 provides a library extension mechanism which can be used to installed Bouncy Castle with exception of JBoss / Wildfly which has it's own mechanism for installing Bouncy Castle. | ||
|
|
||
| #### Bouncy Castle on Tomcat | ||
|
|
||
| ##### Standalone Tomcat | ||
|
|
||
| When running a standalone Tomcat instance, all you need to do is to copy [`bcprov-jdk18on-176.jar`](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on) to your `${JDK_HOME}/jre/lib/ext` folder. | ||
|
|
||
| ##### Embedded Tomcat | ||
|
|
||
| In case you are running Spring Boot application with the embedded Tomcat server, you also might need to register the provider in the Java security configuration file. To do this, add a new line to `$JAVA_HOME/jre/lib/security/java.security` and enable Bouncy Castle security provider on a system level: | ||
|
|
||
| ``` | ||
| security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider | ||
| ``` | ||
|
|
||
| Make sure to add the provider to the top of the list (ideally, N=2). | ||
|
|
||
| #### Bouncy Castle on JBoss / Wildfly | ||
|
|
||
| PowerAuth server requires a specific version of Bouncy Castle library: `bcprov-jdk18on-176.jar` | ||
|
|
||
| In order to make PowerAuth Server work on JBoss / Wildfly, you need to add and enable the external Bouncy Castle module on the server | ||
| by adding the `<global-modules>` element in the `standalone.xml` file: | ||
|
|
||
| ```xml | ||
| <subsystem xmlns="urn:jboss:domain:ee:4.0"> | ||
| <global-modules> | ||
| <module name="org.bouncycastle.external" slot="main"/> | ||
| </global-modules> | ||
| </subsystem> | ||
| ``` | ||
|
|
||
| The module should be defined using a new module XML file in JBoss folder `modules/system/layers/base/org/bouncycastle/external/main`: | ||
| ```xml | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <module name="org.bouncycastle.external" xmlns="urn:jboss:module:1.8"> | ||
| <resources> | ||
| <resource-root path="bcprov-jdk18on-176.jar"/> | ||
| </resources> | ||
| </module> | ||
| ``` | ||
|
|
||
| Finally, copy the Bouncy Castle library `bcprov-jdk18on-176.jar` into folder `modules/system/layers/base/org/bouncycastle/external/main` so that it is available for the module. | ||
|
|
||
| <!-- begin box warning --> | ||
| Do not reuse Bouncy Castle module `org.bouncycastle` from JBoss, because version of library provided by JBoss may differ from version required by PowerAuth. | ||
| <!-- end --> | ||
|
|
||
| Note that when Bouncy Castle module for JBoss / Wildfly is used, Bouncy Castle should not be present in the `lib/ext` folder of the Java runtime, otherwise the following error can occur: `key spec not recognized` due to clash of Bouncy Castle libraries. | ||
|
|
||
| #### Testing the Installation | ||
|
|
||
| You can test the installation using our [simple Java utility](./util/check-bc.jar): | ||
|
|
||
| ```sh | ||
| $ java -jar check-bc.jar | ||
| ``` | ||
|
|
||
| The utility uses following source code to check the provider installation: | ||
|
|
||
| ```java | ||
| import java.security.Security; | ||
|
|
||
| public class SimpleTest | ||
| { | ||
| public static void main(String[] args) | ||
| { | ||
| String name = "BC"; | ||
| if (Security.getProvider(name) == null) | ||
| { | ||
| System.out.println("not installed"); | ||
| } | ||
| else | ||
| { | ||
| System.out.println("installed"); | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Troubleshooting Bouncy Castle Installation Issues | ||
|
|
||
| In case you get the following error: `key spec not recognized`, there are possible issues: | ||
|
|
||
| - Tomcat on Java 11: Check that Bouncy Castle library is installed in `${CATALINA_HOME}/lib`. | ||
| - Tomcat on Java 8: Check that Bouncy Castle library is installed in `${JDK_HOME}/jre/lib/ext` and it is not present in `${CATALINA_HOME}/lib`. | ||
| - JBoss / Wildfly on Java 11: Check that Bouncy Castle library is installed as a module in JBoss / Wildfly. | ||
| - JBoss / Wildfly on Java 8: Check that Bouncy Castle library is not installed in `${JDK_HOME}/jre/lib/ext` and it is installed as an external module in JBoss / Wildfly. | ||
| - All containers on Java 8/11: Check that none of the deployed war files contains Bouncy Castle library, even if the war file is not related to PowerAuth. | ||
| Another copy of Bouncy Castle library would clash with the globally installed version of the library. This rule applies only for PowerAuth `2019.05` or later. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Migration from 1.5.x to 1.6.0 | ||
|
|
||
| This guide contains instructions for migration from PowerAuth Server version `1.5.x` to version `1.6.0`. | ||
|
|
||
| ## Database Changes | ||
|
|
||
| For convenience you can use liquibase for your database migration. | ||
|
|
||
| For manual changes use SQL scripts: | ||
|
|
||
| - [PostgreSQL script](./sql/postgresql/migration_1.5.3_1.6.0.sql) | ||
| - [Oracle script](./sql/oracle/migration_1.5.3_1.6.0.sql) | ||
| - [MSSQL script](./sql/mssql/migration_1.5.3_1.6.0.sql) | ||
|
|
||
| ### Allow Non-personalized Operations | ||
|
|
||
| The column `user_id` in table `pa_operation` is nullable now. | ||
|
|
||
| ### Forbid name duplication for operation templates. | ||
|
|
||
| Add unique constraint to `templateName` column in `pa_operation_template` table. | ||
|
|
||
| Applying this change may fail if there are duplicates in the `pa_operation_template` table. Please make sure there are | ||
| no two records with the same name `templateName`. If necessary, remove any duplicities from the table manually. Consider | ||
| creating a backup before this operation. | ||
|
|
||
| ### Add foreign key constraints to operations and applications relation. | ||
|
|
||
| Add foreign key constraints to relating table `pa_operation_application`. | ||
|
|
||
| Applying this change may fail if there is an inconsistency between tables `pa_operation_application` | ||
| and `pa_application` or `pa_operation`. Make sure that `pa_operation_application.application_id` contains references to | ||
| existing `pa_application.id` and `pa_operation_application.operation_id` contains references to | ||
| existing `pa_operation.id`. If necessary, manually remove orphaned records in `pa_operation_application`. Consider | ||
| creating a backup before this operation. | ||
|
|
||
| ### Add activation_id Column | ||
|
|
||
| Add a new column `activation_id` to the `pa_operation` table. This column is a foreign key that references | ||
| the `activation_id` column in the `pa_activation` table. Storing the `activation_id` in the `pa_operation` table | ||
| provides several enhancements: | ||
|
|
||
| * It allows the creation of a new operation tied to a specific mobile device, identified by its activation ID. | ||
| * It ensures that the operation can only be approved on that specific mobile device, again identified by its activation ID. | ||
|
|
||
| ### Add activation_name Column to pa_activation_history | ||
|
|
||
| Add a new column `activation_name` to the `pa_activation_history` table. | ||
| Since it is possible to change the activation name, it is recorded in the history. |
Oops, something went wrong.