Versions Compared

Old Version 1

changes.mady.by.user Johan Marcusson

Saved on

compared with

New Version Current

changes.mady.by.user Kat Hoessel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Formatting and tweaking.

The CNaaS-NMS API uses JSON Web Tokens (JWT) for authenting authenticating and authorizing users. If you have an existing JWT server you might be able to use that. This document describes how to set up a

A minimalistic JWT auth server was developed as a proof-of-concept for supporting the CNaaS NMS project. This document describes how to set it up.

Setup using docker compose

Set up a new VM and install docker /and docker-compose. Create two new persistent docker volumes:

docker volume create cnaas-authserver-jwtcert
docker volume create cnaas-authserver-userdb

Create a new docker-compose.yaml file:

--- 
version: '3.7' 
services: 
  cnaas_auth: 
    image: docker.sunet.se/auth-server-poc:latest 
    ports: 
      - 443:1443 
    volumes: 
      - type: volume 
        source: cnaas-authserver-jwtcert 
        target: /opt/auth-server-poc/cert/ 
      - type: volume 
        source: cnaas-authserver-userdb 
        target: /opt/auth-server-poc/userdb/ 
volumes: 
  cnaas-authserver-jwtcert: 
    external: true 
  cnaas-authserver-userdb: 
    external: true

Run "docker-compose up -d" or similar to start the container.

Generating keys and certificates

Enter the docker container using "docker exec -it cnaas_auth bash" (find the correct name of the container by running "docker ps").

Inside the docker, run the following to create a new JWT private and public key pair. The key pair will be used to sign JWT tokens:

cd /opt/auth-server-poc/cert/
openssl ecparam -genkey -name prime256v1 -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem
chgrp www-data private.pem
chmod g+r private.pem

Restart the docker container or run : "killall uwsgi" inside  inside the container to start using enable the newly generated certcertificate.

Creating user accounts

Now it's time You then need to create some accounts for the users that should be able to will access the CNaaS NMS API. The user accounts are saved in a apache an Apache style .htpasswd file.

When creating the first user you need to also create the .htpasswd file , this itself has to be created. This is done by passing the "-c" parameter to the htpasswd command.

Run this inside the container to create two new users , (and remember to replace the example usernames with your wanted acconut account names):

htpasswd -c /opt/auth-server-poc/userdb/.htpasswd firstusernameindy
htpasswd /opt/auth-server-poc/userdb/.htpasswd secondusernamebob

Trying it out

To sum up: You restarted the After you have created the users and restarted the container with the newly generated JWT cert and created two users.

Now you should be able to ask the authentication API for a new JWT token. Run this from the VM/outside of the container:

curl -ks https://localhost/api/v1.0/auth -X POST -u indy -p

This will prompt for a password and, if entered correctly, should return a JSON reply with a JWT token.

Connecting the Auth POC server to CNaaS-NMS

To make sure that the CNaaS NMS will accept this JWT token you need to install the public key of the auth container on the API container for CNaaS NMS, one last step is needed: The public key of the auth container has to be "installed" on the CNaaS NMS API container.

To achieve this, simply copy the public key file /opt/auth-server-poc/cert/public.pem (on the auth container) to /opt/cnaas/jwtcert/public.pem (on the API container).