config.application-ci.yml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of ca-3-s Show documentation
Show all versions of ca-3-s Show documentation
ca3s offers a unified view and administrative interface for your certificate landscape.
It's a CA system with a flexible RA part based on BPM. backed by a CMP-connected CA or an ADCS. Offers automatic
certificate distribution interfaces (like ACME and SCEP) for CAs that don't offer such interfaces.
Brushed-up codebase of the sourceforge's ca3s-project ([https://sourceforge.net/projects/ca3s/]
# ===================================================================
# Spring Boot configuration for the "prod" profile.
#
# This configuration overrides the application.yml file.
#
# More information on profiles: https://www.jhipster.tech/profiles/
# More information on configuration properties: https://www.jhipster.tech/common-application-properties/
# ===================================================================
# ===================================================================
# Standard Spring Boot properties.
# Full reference is available at:
# http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
# ===================================================================
logging:
level:
ROOT: INFO
io.github.jhipster: INFO
de.trustable.ca3s.core: DEBUG
de.trustable.ca3s.core.schedule.RequestProxyScheduler: WARN
de.trustable.ca3s.core.service.util.CaConnectorAdapter: WARN
de.trustable.ca3s.core.service.adcs: WARN
de.trustable.ca3s.core.service.cmp: WARN
de.trustable.ca3s.core.service.dir: WARN
de.trustable.ca3s.core.security.provider.Ca3sTrustManager: WARN
de.trustable.util.CryptoUtil: WARN
org.springframework.security: DEBUG
org.apache.http.wire: DEBUG
management:
metrics:
export:
prometheus:
enabled: false
spring:
profiles:
active: prod
include:
# - swagger
# (Un)comment to activate TLS for the prod profile
# - tls
devtools:
restart:
enabled: false
livereload:
enabled: false
datasource:
# sample configuration for a h2 connection
type: com.zaxxer.hikari.HikariDataSource
url: jdbc:h2:mem:ca3sTestDB
username: root
password:
# connect to the database with user-only privileges
# the application runs with restricted rights, liquibase uses admin rights to create / alter the DB scheme
# url: jdbc:mysql://localhost:3306/ca3s_sep_roles?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&allowPublicKeyRetrieval=true
# username: ca3s_sr_user
# password: o2Z3je8twZ5W
hikari:
poolName: Hikari
auto-commit: false
data-source-properties:
cachePrepStmts: true
prepStmtCacheSize: 250
prepStmtCacheSqlLimit: 2048
useServerPrepStmts: true
jpa:
database: H2
show-sql: false
properties:
hibernate.id.new_generator_mappings: true
hibernate.connection.provider_disables_autocommit: true
hibernate.cache.use_second_level_cache: false
hibernate.cache.use_query_cache: false
hibernate.generate_statistics: false
# Replace by 'prod, faker' to add the faker context and have sample data loaded in production
liquibase:
contexts: prod
# changeLog: classpath:config/liquibase-3.5/master.xml
# connect to the database with admin privileges
# default-schema: ca3s_sep_roles
# user: ca3s_sr_admin
# password: MLQ738PdLpio
mvc:
pathmatch:
matching-strategy: ant_path_matcher
mail:
host: localhost
port: 25
username:
password:
thymeleaf:
cache: true
# ===================================================================
# To enable TLS in production, generate a certificate using:
# keytool -genkey -alias ca3s_jh -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
#
# You can also use Let's Encrypt:
# https://maximilian-boehm.com/hp2121/Create-a-Java-Keystore-JKS-from-Let-s-Encrypt-Certificates.htm
#
# Then, modify the server.ssl properties so your "server" configuration looks like:
#
# server:
# port: 443
# ssl:
# key-store: classpath:config/tls/keystore.p12
# key-store-password: password
# key-store-type: PKCS12
# key-alias: ca3s_jh
# # The ciphers suite enforce the security by deactivating some old and deprecated SSL cipher, this list was tested against SSL Labs (https://www.ssllabs.com/ssltest/)
# ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
# ===================================================================
server:
# port: 8443
port: 9080
compression:
enabled: true
mime-types: text/html,text/xml,text/plain,text/css, application/javascript, application/json
min-response-size: 1024
# ===================================================================
# JHipster specific properties
#
# Full reference is available at: https://www.jhipster.tech/common-application-properties/
# ===================================================================
jhipster:
http:
cache: # Used by the CachingHttpHeadersFilter
timeToLiveInDays: 1461
cache: # Cache configuration
ehcache: # Ehcache configuration
time-to-live-seconds: 3600 # By default objects stay 1 hour in the cache
max-entries: 1000 # Number of objects in each cache entry
security:
authentication:
jwt:
# This token must be encoded using Base64 and be at least 512 bits long (you can type `openssl rand -base64 128` on your command line to generate one)
# As this is the PRODUCTION configuration, you MUST change the default key, and store it securely:
# - In the JHipster Registry (which includes a Spring Cloud Config server)
# - In a separate `application-prod.yml` file, in the same folder as your executable JAR file
# - In the `JHIPSTER_SECURITY_AUTHENTICATION_JWT_BASE64_SECRET` environment variable
base64-secret: Mjk3NjM4OWI4NWU3ZjE3NjQ3OWRiZjI3OWYwYmZiNWY1NzA2YjAzZTY2ODJhNWM5MjFjYzZmZTZlMDE4YWRhNDg0MjJlNDYzNThhODBjNmU0ZGFjMGY3MTc5OTVlNmEyZWFiZmIwMDIxYTExYzkxNGM3YmM2YmVmMmNlZWE2YmQ=
# Token is valid 24 hours
token-validity-in-seconds: 86400
token-validity-in-seconds-for-remember-me: 2592000
mail: # specific JHipster mail property, for standard properties see MailProperties
base-url: http://localhost:8080 # Modify according to your server's URL
logging:
use-json-format: false # By default, logs are not in Json format
logstash: # Forward logs to logstash over a socket, used by LoggingConfiguration
enabled: false
host: localhost
port: 5000
queue-size: 512
audit-events:
retention-period: 30 # Number of days before audit events are deleted.
# ===================================================================
# Application specific properties
# Add your own application properties here, see the ApplicationProperties class
# to have type-safe configuration, like in the JHipsterProperties above
#
# More documentation is available at:
# https://www.jhipster.tech/common-application-properties/
# ===================================================================
# ===================================================================
# Kerberos configuration
#
# 1. Define a Service Principal Name(SPN) for ca3s using HTTP and the server name ( {ca3s hostname} ) where ca3s is installed.
# Provide the Windows domain user ({domain/ca3s user}, e.g. domain\user) that is associated with the service:
# setspn -A HTTP/{ca3s hostname} {ca3s user}
#
# 2. Export the keytab to a file (e.g. ca3s.keytab)
# Associate it with the user account ('ca3sUser')
# Provide the service principal and server ('HTTP/ca3sUser@{ca3s hostname}')
# Provide the user's password
# use the KRB5_NT_PRINCIPAL
# limit the crypto parameter when required
# ktpass /out ca3s.keytab /mapuser {domain/ca3s user} /princ HTTP/{ca3s hostname}@{domain} /pass ****** /ptype KRB5_NT_PRINCIPAL /crypto All
#
# 3. configure the relevant parameter for the Kerberos connection (Active Directory domain, LDAP access point,
# the pricipal as defined above, the keytab file's path just created, the search base and search filter to identify the ca3s Windows user)
# using the corresponding properties below.
#
#### Sample calls
#
# > setspn -A HTTP/ca3s.ci-adcs ci\administrator
# Checking domain DC=ci,DC=dc#
#
# Registering ServicePrincipalNames for CN=Administrator,CN=Users,DC=ci,DC=dc
# HTTP/ca3s.ci-adcs
# Updated object
#
# > ktpass -out ca3s.keytab -princ HTTP/[email protected] -mapUser ci\administrator -mapOP set -pass ********** -crypto ALL -pType KRB5_NT_PRINCIPAL
# Targeting domain controller: ci-adcs.ci.dc
# Successfully mapped HTTP/ca3s.ci-adcs to Administrator.
# Password successfully set!
# Key created.
# Output keytab to ca3s.keytab:
# Keytab version: 0x502
# keysize 71 HTTP/ca3s.ci-adcs@CI ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x12 (AES256-SHA1) keylength 32 (0x195b90a***************************e2f970b118)
# ===================================================================
# application:
protectionSecret: bnJvbGwvV1MtMjAxOS1DQS5jcmyGK2h0dHA6Ly90cnVzdGFibGUuZXUvYWRjc1Rl
ca3s:
tlsAccess:
port: 9442
https:
certificate:
dnSuffix: O=Trustable Solutions,OU=CA3S Instance,C=DE
sans: trustable.de, www.trustable.de
# certificateSelectionAttributes: Foo,Bar,Baz
auth:
kerberos:
# Windows principal expects domain to be present
# hint: check principal with the content of the keytab file, e.g. by using 'ktpass -out {keytab file}
service-principal: HTTP/[email protected]
keytab-location: ca3s.keytab
ad-domain: foo
ldap:
url: ldap://testLDAP.eu:123
baseDN: DC=ci,DC=dc
search-base: CN=Users,DC=ci,DC=dc
search-filter: dc=testLDAP,dc=eu
group-search-base: (| (userPrincipalName={0}) (sAMAccountName={0}))
principal: cn=alice,ou=people,dc=testLDAP,dc=eu
password: s3cr3t
© 2015 - 2025 Weber Informatics LLC | Privacy Policy