Deployment
Prerequisites
An internet accessible server with:
- Node 14+
- NPM, installed globally
- OpenSSL
- Firebase Project and Credential
- Privakey uses Firebase by default for notification delivery. Support for other frameworks can be added if necessary.
- MySQL 5.7
- With minimal support from Privakey, other relational databases can be supported.
- AWS DynamoDB
- If a NoSQL solution is desired, DynamoDB is also supported.
- SSL protected endpoints
- If SSL is managed by the Node server (versus, for example, a load balancer or reverse proxy) SSL certificates will need to be acquired, stored and referenced in environment variables.
MySQL Database Installation
- Initialize the Database
- Create the database:
- Default Name: privakey_cx
- Create a user with read / write access to run initial scripts
- This user can also be used for Auth Service access, alternatively, you can create a distinct user for Auth Service access to the DB.
- Run DB Scripts
- Scripts are found in /sql directory
- Execute privakeycx.sql first. (items in this file should not be changed)
- Execute insert_constants.sql (items in this file should not be changed)
- Execute config_table_values.sql script.
- Create the database:
DynamoDB Database Installation
- Run the DB installation script
- Script is found in /nosql directory
- Edit createDB.js and change the parameters as documented within the script
- Execute 'node createDB.js'
Server Installation
- Copy the PrivakeyCX Auth Service distribution to the server.
- Run
npm install --production
from the project root. - Generate a signing certificate on the Node Server.
From within the root of the PrivakeyCX directory, execute the following commands:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1000 -out certificate.pem
-sha256 -subj "/CN=localhost"
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out privakeyservice.pfx
Make a note of the password used during this step, as it will need to be saved in an environment variable later.
- Review and set Config Values in config.json found in the project’s root directory
port | The port the service will run on. |
logLevel | Options include: off, error, warn, info, verbose, debug or silly. |
logName | Path and name of where the file should be generated, relative to project root. |
maxRequestSize | Maximum, overall size of generateRequest object allowable. Reccomended size: 2mb |
signingCertPath | The path, relative to the project root, of the signing certificate generated in Step 3. |
firebaseFilePath | The path, relative to the project root, of the firebase configuration file used during bootstrapping |
Set up initial Environment Variables:
Key | Value / Value Description |
---|---|
CX_ENV | production or development . Set this to development to load environment variables from a .env, and to allow HTTP instead of HTTPS for cookies in the CX Wizard and Portal. |
CERT_PW | The password for the certificate created in step 3. |
OPENSSL_PATH | The path to the Open SSL executable. This normally can be discovered by typing which openssl at a command prompt. |
DATA_TYPE | mysql or dynamodb |
DATA_HOST | Address of the DB |
DATA_PORT | Port for the DB |
DATA_USER | A user with read / write access to DB set up in step 1 of the Database Installation. |
DATA_PW | Password for DATA_USER |
DATA_NAME | privakey_cx Should not be changed unless the database script was modified with an alternate name. |
DATA_REGION | For DynamoDB only The AWS region that contains the DB. us-east-1 by default |
DATA_ENDPOINT | For DynamoDB only Optional endpoint for connecting to DynamoDB service. Generally not needed if connecting to production DynamoDB |
CX_DATA_KEY | Any string, used for data at rest encryption (primarily for challenge origin credential storage) |
USE_SSL | true if the application is managing SSL. Otherwise, false |
SSL_KEY_PATH | Required if USE_SSL is true. ./cert/server.key is the recommended location/name for this key. |
SSL_CERT_PATH | Required if USE_SSL is true. ./cert/server.crt is the recommended location/name for this file. |
COMM_SERVER_URL | http://[server name]:[server port]/communication/send For example, if using CX's built-in communication service and CX is running on the default port 8080, this will be http://localhost:8080/communication/send |
COMM_SERVER_KEY | Generated during the bootstrapping process. See bootstrap the system |
COMM_SERVER_ID | 2 |
SESSION_KEY | A passphrase used to encrypt the login session cookie in the Admin Portal |
SMTP_USER | The username for authenticating to the email service used by the Admin Portal |
SMTP_PW | The password for authenticating to the email service used by the Admin Portal |
SMTP_PORT | The port used by the email service |
SMTP_TLS | Flag denoting whether to use TLS when connecting to the email service. True/False |
SMTP_FROM | The email address that will be labeled on emails sent by the Auth Service |
SMTP_FROM_NAME | The display name that will be labeled on emails sent by the Auth Service |
PORTAL_LOCATION | The URL of the Admin Portal, including port. This value should denote the location of Privakey CX with a path of /admin/portal |
CX_SHOW_TITLE | A flag denoting whether to display the splash title on the console during server start up. 0/1 |
Updated over 1 year ago
What’s Next
The Bootstrap Wizard is ready to be run to add the first Admin User to the system.