eid-ops/global/overlay/etc/puppet/modules/eid/templates/idm/idm.yml.erb

server:
  port: 8082
  ssl:
    bundle: infra
  servlet:
    context-path: /

spring:
  application:
    name: IdM-Service
  mail:
    host: relay-1.swedenconnect.se
    port: 587
    username: <%= scope.call_function('safe_hiera', ['smtp_user'])  %>
    password: <%= scope.call_function('safe_hiera', ['smtp_password'])  %>
  security:
    oauth2:
      resourceserver:
        jwt:
          public-key-location: classpath:connector-oauth2.pub
          audiences:
            - ${idm.oauth2-id}
  ssl:
    bundle:
      pem:
        infra:
          keystore:
            private-key: file:/etc/ssl/private/<%= @fqdn %>_infra.key
            certificate: file:/etc/ssl/certs/<%= @fqdn %>_infra.crt
          truststore:
            certificate: file:/etc/ssl/certs/infra.crt
  data:
    redis:
      password: '<%= scope.call_function('safe_hiera', ['redis_password'])  %>'
      cluster:
        nodes:
          <%- @redises.each do |host| -%>
          - <%= host %>:6379
          - <%= host %>:6380
          <%- end -%>
      ssl:
        enabled: true
      ssl-ext:
        # redis or java require IP addresses in cert if verifcation is turned on
        # Caused by: java.util.concurrent.CompletionException:
        # javax.net.ssl.SSLHandshakeException: No subject alternative names
        # matching IP address 89.46.20.236 found
        enable-hostname-verification: false
        credential:
          resource: file:/etc/ssl/private/<%= @fqdn %>_infra.p12
          password: qwerty123
        trust:
          resource: file:/etc/ssl/certs/infra.p12
          password: qwerty123

  datasource:
    url: jdbc:mariadb:loadbalance://<%= @dbs_string %>/idm
    username: idm
    password: <%= scope.call_function('safe_hiera', ['sql_password'])  %>

  liquibase:
    enabled: true # Generates database schema/tables
    change-log: classpath:changelogs/changelog-master.xml

navet:
  authorization-url: https://sysorgoauth2.test.skatteverket.se/oauth2/v1/sysorg/token
  base-url: https://api.test.skatteverket.se/folkbokforing/folkbokforingsuppgifter-for-offentliga-aktorer/v2
  bestallnings-identitet: 00000236-FO01-0001
  organisationsnummer: 162021004748
  secret:
    key-store: classpath:/certificate/navet/64905004722e1.p12
    key-store-password: 4729451359506045
    credentials:
      gateway:
        client-id: d3e1d1563a504f17acb2b33a51097a99
        client-secret: 9eE7A58695fc46DF9f563B058ffB36F1
      authorization-server:
        client-id: d34f109e3a11d02d744394423a020023e9bab0cd3ff78d63
        client-secret: ebc8b00ca4b08e790b208dc0abd460273fa6c459bc2f0023e9bab0cd3ff78d63

idm:
  # XXX fix URL replacement
  # XXX fix OAUTH
  mrecord:
    api:
      connector-id: <%= scope.call_function('safe_hiera', ['connector_id'])  %>
      check-scope:  ${idm.oauth2-id}/idrecord_check
      get-scope: ${idm.oauth2-id}/idrecord_get
    db:
      key-store-type: jceks
      key-store: classpath:dbkey.jceks
      key-store-password: secret
      key-alias: dbkey
      key-password: secret
  auth:
    destination-url: <%= scope.call_function('safe_hiera', ['destination_url'])  %>
    auth-return-url: <%= scope.call_function('safe_hiera', ['auth_return_url'])  %>
    discover-return-url: <%= scope.call_function('safe_hiera', ['discover_return_url'])  %>
    client-id: <%= scope.call_function('safe_hiera', ['client_id'])  %>
    trusted-certificates:
    - classpath:idp.cert
    id-strategy: STATIC
  rate-limits:
    capacity: 4
    time: 86400
  email:
    enabled: true
    no-reply-email: noreply@swedenconnect.se
  storage:
    pending-relative-sign-time-to-live-in-hours: 336
  oauth2-id: <%= scope.call_function('safe_hiera', ['oauth2_id'])  %>


signservice:
  discovery:
    metadata-cache-file: /tmp/metadata-cache.xml
    allowed-entity-ids:
      - http://local.dev.swedenconnect.se/idp
      - https://bankid.swedenconnect.se/idp/local
      - https://idp-sweden-connect-valfr-2017-sandbox.test.frejaeid.com
    federation-metadata-location: https://eid.svelegtest.se/metadata/mdx/role/idp.xml
    metadata-validation-certificate: classpath:certificate/metadata/sandbox-metadata.crt
  config:
    policy: localdev
    default-sign-requester-id: https://sandbox.swedenconnect.se/idm
    default-return-url: https://sandbox.swedenconnect.se/idm/frontend/common/validateSign
    sign-service-id: https://sandbox.swedenconnect.se/signservice
    default-destination-url: https://sandbox.swedenconnect.se/signservice/sign/idm/signreq
    default-signature-algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    sign-service-certificates:
      - classpath:certificate/signservice/signservice.crt
    trust-anchors:
      - classpath:certificate/signservice/test-ca.crt
  credential:
    type: JKS
    resource: classpath:certificate/signservice/sign-client.jks
    password: secret
    alias: client
    key-password: secret
  response:
    config:
      strict-processing: false
      maximum-allowed-response-age: 180000
      allowed-clock-skew: 60000
      require-assertion: true
Configuration 2024-02-26 11:26:43 +01:00			`server:`
			`port: 8082`
			`ssl:`
			`bundle: infra`
Wrong indentation 2024-03-18 14:09:36 +01:00			`servlet:`
			`context-path: /`
Configuration 2024-02-26 11:26:43 +01:00
			`spring:`
From example configuration 2024-02-26 12:43:21 +01:00			`application:`
			`name: IdM-Service`
Configure mail stuff 2024-05-29 13:57:13 +02:00			`mail:`
			`host: relay-1.swedenconnect.se`
			`port: 587`
			`username: <%= scope.call_function('safe_hiera', ['smtp_user']) %>`
			`password: <%= scope.call_function('safe_hiera', ['smtp_password']) %>`
oauth config 2024-02-29 13:33:09 +01:00			`security:`
			`oauth2:`
			`resourceserver:`
			`jwt:`
as.pub nolonger exist 2024-11-22 09:58:45 +01:00			`public-key-location: classpath:connector-oauth2.pub`
oauth config 2024-02-29 13:33:09 +01:00			`audiences:`
Match example configuration 2024-04-30 11:12:03 +02:00			`- ${idm.oauth2-id}`
Configuration 2024-02-26 11:26:43 +01:00			`ssl:`
			`bundle:`
			`pem:`
			`infra:`
			`keystore:`
			`private-key: file:/etc/ssl/private/<%= @fqdn %>_infra.key`
			`certificate: file:/etc/ssl/certs/<%= @fqdn %>_infra.crt`
			`truststore:`
			`certificate: file:/etc/ssl/certs/infra.crt`
			`data:`
			`redis:`
No prefix 2024-02-26 12:22:49 +01:00			`password: '<%= scope.call_function('safe_hiera', ['redis_password']) %>'`
Configuration 2024-02-26 11:26:43 +01:00			`cluster:`
			`nodes:`
			`<%- @redises.each do \|host\| -%>`
			`- <%= host %>:6379`
			`- <%= host %>:6380`
			`<%- end -%>`
			`ssl:`
			`enabled: true`
			`ssl-ext:`
			`# redis or java require IP addresses in cert if verifcation is turned on`
			`# Caused by: java.util.concurrent.CompletionException:`
			`# javax.net.ssl.SSLHandshakeException: No subject alternative names`
			`# matching IP address 89.46.20.236 found`
			`enable-hostname-verification: false`
			`credential:`
			`resource: file:/etc/ssl/private/<%= @fqdn %>_infra.p12`
			`password: qwerty123`
			`trust:`
			`resource: file:/etc/ssl/certs/infra.p12`
			`password: qwerty123`
Configure SQL 2024-02-27 13:30:55 +01:00
			`datasource:`
Access all cluster nodes 2024-02-27 13:36:51 +01:00			`url: jdbc:mariadb:loadbalance://<%= @dbs_string %>/idm`
Configure SQL 2024-02-27 13:30:55 +01:00			`username: idm`
			`password: <%= scope.call_function('safe_hiera', ['sql_password']) %>`
Database should be created and handled 2024-02-27 13:41:26 +01:00
			`liquibase:`
			`enabled: true # Generates database schema/tables`
			`change-log: classpath:changelogs/changelog-master.xml`
Add navet example configuration From https://github.com/swedenconnect/docker-eidas-identity-matching/blob/main/config/application-qa.yml so there is no real secrets here. 2024-02-29 10:46:04 +01:00
			`navet:`
			`authorization-url: https://sysorgoauth2.test.skatteverket.se/oauth2/v1/sysorg/token`
			`base-url: https://api.test.skatteverket.se/folkbokforing/folkbokforingsuppgifter-for-offentliga-aktorer/v2`
			`bestallnings-identitet: 00000236-FO01-0001`
			`organisationsnummer: 162021004748`
			`secret:`
New path 2024-02-29 11:18:02 +01:00			`key-store: classpath:/certificate/navet/64905004722e1.p12`
Add navet example configuration From https://github.com/swedenconnect/docker-eidas-identity-matching/blob/main/config/application-qa.yml so there is no real secrets here. 2024-02-29 10:46:04 +01:00			`key-store-password: 4729451359506045`
			`credentials:`
			`gateway:`
			`client-id: d3e1d1563a504f17acb2b33a51097a99`
			`client-secret: 9eE7A58695fc46DF9f563B058ffB36F1`
			`authorization-server:`
			`client-id: d34f109e3a11d02d744394423a020023e9bab0cd3ff78d63`
			`client-secret: ebc8b00ca4b08e790b208dc0abd460273fa6c459bc2f0023e9bab0cd3ff78d63`
IDM configuraiton 2024-02-29 11:01:01 +01:00
			`idm:`
			`# XXX fix URL replacement`
			`# XXX fix OAUTH`
			`mrecord:`
			`api:`
Variable configuration 2024-06-04 14:31:32 +02:00			`connector-id: <%= scope.call_function('safe_hiera', ['connector_id']) %>`
Match example configuration 2024-04-30 11:12:03 +02:00			`check-scope: ${idm.oauth2-id}/idrecord_check`
			`get-scope: ${idm.oauth2-id}/idrecord_get`
IDM configuraiton 2024-02-29 11:01:01 +01:00			`db:`
			`key-store-type: jceks`
			`key-store: classpath:dbkey.jceks`
			`key-store-password: secret`
			`key-alias: dbkey`
			`key-password: secret`
			`auth:`
Variable configuration 2024-06-04 14:31:32 +02:00			`destination-url: <%= scope.call_function('safe_hiera', ['destination_url']) %>`
			`auth-return-url: <%= scope.call_function('safe_hiera', ['auth_return_url']) %>`
			`discover-return-url: <%= scope.call_function('safe_hiera', ['discover_return_url']) %>`
client-id from Stefan 2024-04-29 11:20:42 +02:00			`client-id: <%= scope.call_function('safe_hiera', ['client_id']) %>`
IDM configuraiton 2024-02-29 11:01:01 +01:00			`trusted-certificates:`
			`- classpath:idp.cert`
			`id-strategy: STATIC`
Defaults won't do it 2024-03-18 09:51:03 +01:00			`rate-limits:`
			`capacity: 4`
			`time: 86400`
IDM configuraiton 2024-02-29 11:01:01 +01:00			`email:`
			`enabled: true`
			`no-reply-email: noreply@swedenconnect.se`
			`storage:`
			`pending-relative-sign-time-to-live-in-hours: 336`
Variable configuration 2024-06-04 14:31:32 +02:00			`oauth2-id: <%= scope.call_function('safe_hiera', ['oauth2_id']) %>`
Sign-service configruation 2024-02-29 13:33:44 +01:00

			`signservice:`
			`discovery:`
			`metadata-cache-file: /tmp/metadata-cache.xml`
			`allowed-entity-ids:`
			`- http://local.dev.swedenconnect.se/idp`
			`- https://bankid.swedenconnect.se/idp/local`
			`- https://idp-sweden-connect-valfr-2017-sandbox.test.frejaeid.com`
			`federation-metadata-location: https://eid.svelegtest.se/metadata/mdx/role/idp.xml`
			`metadata-validation-certificate: classpath:certificate/metadata/sandbox-metadata.crt`
			`config:`
			`policy: localdev`
			`default-sign-requester-id: https://sandbox.swedenconnect.se/idm`
			`default-return-url: https://sandbox.swedenconnect.se/idm/frontend/common/validateSign`
			`sign-service-id: https://sandbox.swedenconnect.se/signservice`
			`default-destination-url: https://sandbox.swedenconnect.se/signservice/sign/idm/signreq`
			`default-signature-algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`
			`sign-service-certificates:`
			`- classpath:certificate/signservice/signservice.crt`
			`trust-anchors:`
			`- classpath:certificate/signservice/test-ca.crt`
			`credential:`
			`type: JKS`
			`resource: classpath:certificate/signservice/sign-client.jks`
			`password: secret`
			`alias: client`
			`key-password: secret`
			`response:`
			`config:`
			`strict-processing: false`
			`maximum-allowed-response-age: 180000`
			`allowed-clock-skew: 60000`
			`require-assertion: true`