2.5 Setting up the Platform Authentication and Authorization Manager (PAAM)
Configuration of PAAM can be done manually, as explained in the rest of this page, or by using the `symbioteCloud.sh configure` script, which performs all of these steps for you.
In order to configure PAAM we need new certificates in a new keystore. The certificates need to be created using SymbIoTeSecurity:
- Open https://jitpack.io/#symbiote-h2020/SymbIoTeSecurity
- At the time of writing this document the latest release is 27.6.0; the commands below use that version as an example.
- Download the helper JAR from the release-dependent link, e.g. https://jitpack.io/com/github/symbiote-h2020/SymbIoTeSecurity/27.6.0/SymbIoTeSecurity-27.6.0-helper.jar
- Download the Bouncy Castle provider JAR from https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
- If you have downloaded the .zip containing the configuration files from the Administration, you can use the cert.properties file contained in the AuthenticationAuthorizationManager folder. Otherwise, create it yourself with the following content:

```properties
# From CloudConfigProperties application.properties file: symbIoTe.core.interface.url
coreAAMAddress=<url to core aam - caam>
# The user registered through administration in the symbIoTe Core
serviceOwnerUsername=<core account>
serviceOwnerPassword=<core account>
# The platform ID registered to the given platform Owner
serviceId=<platform id>
# Generated keystore file name
keyStoreFileName=<file URL to paam-keystore.p12>
# used to access the keystore. MUST NOT be longer than 7 chars
# from spring bootstrap file: aam.security.KEY_STORE_PASSWORD
# Furthermore, as the Java security package works against the API and ignores the privateKeyPassword,
# IT MUST BE THE SAME as spring bootstrap file: aam.security.PV_KEY_PASSWORD
keyStorePassword=<e.g. pass>
# platform AAM key/certificate alias... case INSENSITIVE (all lowercase)
# from spring bootstrap file: aam.security.CERTIFICATE_ALIAS
aamCertificateAlias=<e.g. paam>
# root CA certificate alias... case INSENSITIVE (all lowercase)
# from spring bootstrap file: aam.security.ROOT_CA_CERTIFICATE_ALIAS
rootCACertificateAlias=<e.g. caam>
```
For our concrete example, here is that file:

```properties
# From CloudConfigProperties application.properties file: symbIoTe.core.interface.url
coreAAMAddress=https://symbiote-open.man.poznan.pl/coreInterface
# The user registered through administration in the symbIoTe Core
serviceOwnerUsername=mytest
serviceOwnerPassword=mytest
# The platform ID registered to the given platform Owner
serviceId=xplatform
# Generated keystore file name
keyStoreFileName=paam-keystore.p12
# used to access the keystore. MUST NOT be longer than 7 chars
# from spring bootstrap file: aam.security.KEY_STORE_PASSWORD
# Furthermore, as the Java security package works against the API and ignores the privateKeyPassword,
# IT MUST BE THE SAME as spring bootstrap file: aam.security.PV_KEY_PASSWORD
keyStorePassword=pass
# platform AAM key/certificate alias... case INSENSITIVE (all lowercase)
# from spring bootstrap file: aam.security.CERTIFICATE_ALIAS
aamCertificateAlias=paam
# root CA certificate alias... case INSENSITIVE (all lowercase)
# from spring bootstrap file: aam.security.ROOT_CA_CERTIFICATE_ALIAS
rootCACertificateAlias=caam
```
- Start the certificate generation.
- On Linux/Mac use the following command:

```sh
java -cp SymbIoTeSecurity-27.6.0-helper.jar:bcprov-jdk15on-159.jar eu.h2020.symbiote.security.helpers.ServiceAAMCertificateKeyStoreFactory cert.properties
```

- On Windows use:

```bat
java.exe -cp SymbIoTeSecurity-27.6.0-helper.jar;bcprov-jdk15on-159.jar eu.h2020.symbiote.security.helpers.ServiceAAMCertificateKeyStoreFactory .\cert.properties
```

If everything is OK it will generate the paam-keystore.p12 file.
Build the AAM module using the command:

```sh
$ cd /opt/symbiote/SymbioteCloud/AuthenticationAuthorizationManager
$ gradle assemble --refresh-dependencies
```
Once the previous actions are done, you need to create bootstrap.properties. If you have downloaded the .zip with the configuration files, you can use the bootstrap.properties file inside the AAM folder. Otherwise, you have to edit it manually for each deployment using the template below or the comments from the file itself.

```properties
# REQUIRED SETTINGS:
spring.profiles.active=platform
spring.application.name=AuthenticationAuthorizationManager
logging.file=logs/AuthenticationAuthorizationManager.log
#in case of standalone AAM, cloud config should not be enabled
spring.cloud.config.enabled=true
spring.cloud.config.failFast=true
spring.cloud.config.retry.maxAttempts=1000
# username and password of the AAM module (of your choice) -- master password used to manage your AAM (e.g. register new users), not your PO credentials!
aam.deployment.owner.username=TODO
aam.deployment.owner.password=TODO
# name of the PAAM JavaKeyStore file you generated with the helper
aam.security.KEY_STORE_FILE_NAME=file:///TODO.p12
# name of the root ca certificate entry in the generated Symbiote Keystore
aam.security.ROOT_CA_CERTIFICATE_ALIAS=TODO
# name of the certificate entry in the generated Symbiote Keystore
aam.security.CERTIFICATE_ALIAS=TODO
# symbiote keystore password (the keyStorePassword from cert.properties)
aam.security.KEY_STORE_PASSWORD=TODO
# symbiote certificate private key password -- MUST be the same as KEY_STORE_PASSWORD (see cert.properties)
aam.security.PV_KEY_PASSWORD=TODO
#JWT validity time in milliseconds - how long the tokens issued to your users (apps)
#are valid... think maybe of an hour, day, week?
aam.deployment.token.validityMillis=86400000
# allowing offline validation of foreign tokens by signature trust-chain only. Useful when foreign tokens are expected
# to be used along with no internet access
aam.deployment.validation.allow-offline=false
```
A concrete example of the configuration is:

```properties
# REQUIRED SETTINGS:
spring.profiles.active=platform
spring.application.name=AuthenticationAuthorizationManager
logging.file=logs/AuthenticationAuthorizationManager.log
#in case of standalone AAM, cloud config should not be enabled
spring.cloud.config.enabled=true
spring.cloud.config.failFast=true
spring.cloud.config.retry.maxAttempts=1000
# AAM settings
aam.deployment.owner.username=masterPaamUsername
aam.deployment.owner.password=masterPaamPassword
# name of the PAAM JavaKeyStore file you generated with the helper; here it is read from the working directory
aam.security.KEY_STORE_FILE_NAME=file://#{systemProperties['user.dir']}/paam-keystore.p12
# name of the root ca certificate entry in the generated Symbiote Keystore
aam.security.ROOT_CA_CERTIFICATE_ALIAS=caam
# name of the certificate entry in the generated Symbiote Keystore
aam.security.CERTIFICATE_ALIAS=paam
# symbiote keystore password
aam.security.KEY_STORE_PASSWORD=pass
# symbiote certificate private key password (same as KEY_STORE_PASSWORD)
aam.security.PV_KEY_PASSWORD=pass
#JWT validity time in milliseconds - how long the tokens issued to your users (apps)
#are valid... think maybe of an hour, day, week?
aam.deployment.token.validityMillis=86400000
# allowing offline validation of foreign tokens by signature trust-chain only. Useful when foreign tokens are expected
# to be used along with no internet access
aam.deployment.validation.allow-offline=false
```
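The two files have to agree on the values called out above: the keystore password in cert.properties must equal both bootstrap password keys (the helper ignores a separate private-key password), the two aliases and the keystore file name must match, the AAM master account must not be the platform owner's core account, and no `TODO` may be left in the template. A typo in any of these only shows up when the AAM fails to start or to register with the core. The following script is an added example, not part of the symbIoTe project or the helper JAR: it parses both files with the Python standard library and lists every mismatch before you run the AAM. The sample file contents embedded in it are constructed from the concrete example above, and the one-week upper bound on token validity is an assumption of this example rather than a project rule.

```python
"""Cross-check cert.properties against bootstrap.properties for a PAAM deployment.

Added example, not part of the symbIoTe project: parses both Java .properties
files with the standard library and reports the mismatches that most often
break keystore generation or AAM start-up.
"""
import re
import sys

# Constructed sample inputs (same values as the concrete example on the page).
CERT_PROPERTIES = """\
# helper input
coreAAMAddress=https://symbiote-open.man.poznan.pl/coreInterface
serviceOwnerUsername=mytest
serviceOwnerPassword=mytest
serviceId=xplatform
keyStoreFileName=paam-keystore.p12
keyStorePassword=pass
aamCertificateAlias=paam
rootCACertificateAlias=caam
"""

BOOTSTRAP_PROPERTIES = """\
spring.profiles.active=platform
aam.deployment.owner.username=masterPaamUsername
aam.deployment.owner.password=masterPaamPassword
aam.security.KEY_STORE_FILE_NAME=file://#{systemProperties['user.dir']}/paam-keystore.p12
aam.security.ROOT_CA_CERTIFICATE_ALIAS=caam
aam.security.CERTIFICATE_ALIAS=paam
aam.security.KEY_STORE_PASSWORD=pass
aam.security.PV_KEY_PASSWORD=pass
aam.deployment.token.validityMillis=86400000
aam.deployment.validation.allow-offline=false
"""

MAX_KEYSTORE_PASSWORD_LEN = 7                  # limit stated in the cert.properties template
MAX_TOKEN_VALIDITY_MS = 7 * 24 * 3600 * 1000   # assumption of this example: warn beyond one week


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comment lines, key=value or
    key:value pairs, backslash line continuations. Values keep their case."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:   # trailing "" flushes a dangling continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_paam_config(cert, boot):
    """Return a list of problem strings; an empty list means the two files agree."""
    problems = []
    pw = cert.get("keyStorePassword", "")
    if not pw or len(pw) > MAX_KEYSTORE_PASSWORD_LEN:
        problems.append("keyStorePassword missing or longer than 7 chars")
    # The helper ignores privateKeyPassword, so both bootstrap passwords must equal it.
    for key in ("aam.security.KEY_STORE_PASSWORD", "aam.security.PV_KEY_PASSWORD"):
        if boot.get(key) != pw:
            problems.append(f"{key} differs from keyStorePassword")
    # Aliases are case insensitive in the keystore; the page asks for all lowercase.
    for ckey, bkey in (("aamCertificateAlias", "aam.security.CERTIFICATE_ALIAS"),
                       ("rootCACertificateAlias", "aam.security.ROOT_CA_CERTIFICATE_ALIAS")):
        c, b = cert.get(ckey, ""), boot.get(bkey, "")
        if not c or c.lower() != b.lower():
            problems.append(f"{ckey}={c!r} does not match {bkey}={b!r}")
        elif c != c.lower():
            problems.append(f"{ckey}={c!r} is not all lowercase")
    # Either side may be a plain path or a file: URL; compare the last path segment only.
    cfile = cert.get("keyStoreFileName", "").rsplit("/", 1)[-1]
    bfile = boot.get("aam.security.KEY_STORE_FILE_NAME", "").rsplit("/", 1)[-1]
    if not cfile.endswith(".p12") or cfile != bfile:
        problems.append(f"keystore file {cfile!r} vs KEY_STORE_FILE_NAME {bfile!r}")
    # The AAM master account must not be the platform owner's core account.
    owner = (boot.get("aam.deployment.owner.username"), boot.get("aam.deployment.owner.password"))
    if (cert.get("serviceOwnerUsername"), cert.get("serviceOwnerPassword")) == owner:
        problems.append("aam.deployment.owner.* reuse the platform owner's core credentials")
    todo = [k for k, v in boot.items() if v in ("", "TODO") or v.endswith("TODO.p12")]
    if todo:
        problems.append("unfilled template values: " + ", ".join(sorted(todo)))
    if not cert.get("coreAAMAddress", "").startswith("https://"):
        problems.append("coreAAMAddress is not an https URL")
    try:
        validity = int(boot.get("aam.deployment.token.validityMillis", ""))
    except ValueError:
        validity = 0
    if not 0 < validity <= MAX_TOKEN_VALIDITY_MS:
        problems.append("token.validityMillis missing, non-positive or above one week")
    if boot.get("aam.deployment.validation.allow-offline", "false").lower() == "true":
        problems.append("allow-offline=true: foreign tokens validated by signature chain only")
    return problems


def check_files(cert_path, boot_path):
    """Read the two files from disk and return the problem list."""
    with open(cert_path, encoding="utf-8") as c, open(boot_path, encoding="utf-8") as b:
        return check_paam_config(parse_properties(c.read()), parse_properties(b.read()))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = check_files(sys.argv[1], sys.argv[2])
    else:   # no arguments: run against the constructed samples
        found = check_paam_config(parse_properties(CERT_PROPERTIES),
                                  parse_properties(BOOTSTRAP_PROPERTIES))
    print("\n".join(found) if found else "cert.properties and bootstrap.properties agree")
    sys.exit(1 if found else 0)
```

Run it as `python check_paam_config.py cert.properties bootstrap.properties` (with no arguments it checks the embedded samples) and fix everything it lists before starting the AAM. To look at the generated keystore itself, `keytool -list -v -keystore paam-keystore.p12 -storetype PKCS12` should show one entry per alias, i.e. `paam` and `caam` in the concrete example.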
The most recent version of AAM is 5.x. To run the example use:

```sh
$ java -jar AuthenticationAuthorizationManager-5.0.4-run.jar
```
Verify that everything is OK by going to http://127.0.0.1:8080/get_available_aams. If it is, the connection is shown green and the content is the list of symbIoTe security endpoints (available AAMs) fetched from the core.
Then verify the same through NGINX by going to https://<yourNginxHostname>/aam/get_available_aams. Concrete:
- production: https://symbiotedoc.tel.fer.hr/aam/get_available_aams
- hackathon: https://c879081a.ngrok.io/aam/get_available_aams
There you should see the same results as in section 2.5.3.