Skip to content

Authentication and Authorization Service

Available Setup Tasks

    all                      Runs all setup tasks
    download-ca-cert         Download CMS root CA certificate
    download-cert-tls        Download CA certificate from CMS for tls
    database                 Setup authservice database
    admin                    Add authservice admin username and password to database and assign respective
                             roles to the user
    jwt                      Create jwt signing key and jwt certificate signed by CMS
    create-credentials       Generates credentials to support third party authentication and authorization
    update-service-config    Sets or Updates the Service configuration

Environment Variables for Setup Tasks

Below are the environment varables that can be used to configure the setup tasks:

Download-ca-cert

    CMS_BASE_URL                CMS base URL in the format https://{{cms}}:{{cms_port}}/cms/v1/
    CMS_TLS_CERT_SHA384         SHA384 hash value of CMS TLS certificate

Download-cert-tls

    CMS_BASE_URL        CMS base URL in the format https://{{cms}}:{{cms_port}}/cms/v1/
    BEARER_TOKEN        Bearer token for accessing CMS api

Download-cert-tls

    TLS_CERT_FILE       The file to which certificate is saved
    TLS_KEY_FILE        The file to which private key is saved
    TLS_COMMON_NAME     The common name of signed certificate
    TLS_SAN_LIST        Comma separated list of hostnames to add to Certificate, including IP addresses and DNS names

Database

    DB_VENDOR                   Vendor of database, or use AAS_DB_VENDOR alternatively
    DB_PORT                     Database port, or use AAS_DB_PORT alternatively
    DB_NAME                     Database name, or use AAS_DB_NAME alternatively
    AAS_DB_PASSWORD             Database password, or use DB_PASSWORD alternatively
    DB_SSL_MODE                 Database SSL mode, or use AAS_DB_SSL_MODE alternatively
    DB_SSL_CERT_SOURCE          Database SSL certificate to be copied from, or use AAS_DB_SSLCERTSRC alternatively
    DB_CONN_RETRY_TIME          Database connection retry time
    DB_HOST                     Database host name, or use AAS_DB_HOSTNAME alternatively
    AAS_DB_USERNAME             Database username, or use DB_USERNAME alternatively
    DB_SSL_CERT                 Database SSL certificate, or use AAS_DB_SSLCERT alternatively
    DB_CONN_RETRY_ATTEMPTS      Database connection retry attempts

Admin

    AAS_ADMIN_USERNAME  Authentication and Authorization Service Admin Username 
    AAS_ADMIN_PASSWORD  Authentication and Authorization Service Admin Password

Jwt

Mandatory:

    CMS_BASE_URL        CMS base URL in the format https://{{cms}}:{{cms_port}}/cms/v1/
    BEARER_TOKEN        Bearer token for accessing CMS api
Optional:

    KEY_FILE            The file to which private key is saved
    COMMON_NAME         The common name of signed certificate
    CERT_FILE           The file to which certificate is saved

Create-credentials setup:

    CREATE_CREDENTIALS                  Trigger to run create-credentials setup task when set to True. Default is False
    NATS_OPERATOR_NAME                  Set the NATS operator name, default is "ISecL-operator"
    NATS_OPERATOR_CREDENTIAL_VALIDITY   Set the NATS operator credential validity in terms of duration (ex: "300ms","-1.5h" or "2h45m"), default is 5 years
    NATS_ACCOUNT_NAME                   Set the NATS account name, default is "ISecL-account"
    NATS_ACCOUNT_CREDENTIAL_VALIDITY    Set the NATS account credential validity in terms of duration (ex: "300ms","-1.5h" or "2h45m"), default is 5 years
    NATS_USER_CREDENTIAL_VALIDITY       Set the NATS user credential validity in terms of duration (ex: "300ms","-1.5h" or "2h45m"), default is 1 year

Update-service-config setup:

    NATS_USER_CREDENTIAL_VALIDITY               Set the NATS user credential validity, default is 1 year
    JWT_INCLUDE_KID                             Includes JWT Key Id for token validation
    JWT_TOKEN_DURATION_MINS                     Validity of token duration
    AUTH_DEFENDER_MAX_ATTEMPTS                  Auth defender maximum attempts
    SERVER_READ_TIMEOUT                         Request Read Timeout Duration in Seconds
    SERVER_WRITE_TIMEOUT                        Request Write Timeout Duration in Seconds
    NATS_OPERATOR_NAME                          Set the NATS operator name, default is "ISecL-operator"
    LOG_MAX_LENGTH                              Max length of log statement
    AUTH_DEFENDER_LOCKOUT_DURATION_MINS         Auth defender lockout duration in minutes
    NATS_ACCOUNT_CREDENTIAL_VALIDITY            Set the NATS account credential validity, default is 5 years
    LOG_LEVEL                                   Log level
    SERVER_PORT                                 The Port on which Server Listens to
    SERVER_READ_HEADER_TIMEOUT                  Request Read Header Timeout Duration in Seconds
    NATS_ACCOUNT_NAME                           Set the NATS account name, default is "ISecL-account"
    LOG_ENABLE_STDOUT                           Enable console log
    JWT_CERT_COMMON_NAME                        Common Name for JWT Certificate
    AUTH_DEFENDER_INTERVAL_MINS                 Auth defender interval in minutes
    SERVER_IDLE_TIMEOUT                         Request Idle Timeout in Seconds
    SERVER_MAX_HEADER_BYTES                     Max Length Of Request Header in Bytes
    NATS_OPERATOR_CREDENTIAL_VALIDITY           Set the NATS operator credential validity, default is 5 years

Aas-credentials secrets:

AAS_ADMIN_USERNAME   
AAS_ADMIN_PASSWORD

Aasdb-credentials

AAS_DB_USERNAME   
AAS_DB_PASSWORD