Deployment

Prerequisites

An internet accessible server with:

  • Node 8.11
  • NPM, installed globally
  • OpenSSL
  • Firebase Project and Credential
    • Privakey uses Firebase by default for notification delivery. Support for other frameworks can be added if necessary.
  • MySQL 5.7
    • With minimal support from Privakey, other relational databases can be supported.
  • AWS DynamoDB
    • If a NoSQL solution is desired, DynamoDB is also supported.
  • SSL protected endpoints
    • If SSL is managed by the Node server (versus, for example, a load balancer or reverse proxy) SSL certificates will need to be acquired, stored and referenced in environment variables.

MySQL Database Installation

  1. Initialize the Database
    1. Create the database:
      1. Default Name: privakey_cx
      2. Create a user with read / write access to run initial scripts
      3. This user can also be used for Auth Service access, alternatively, you can create a distinct user for Auth Service access to the DB.
    2. Run DB Scripts
      1. Scripts are found in /sql directory
      2. Execute privakeycx.sql first. (items in this file should not be changed)
      3. Execute insert_constants.sql (items in this file should not be changed)
      4. Execute config_table_values.sql script.

DynamoDB Database Installation

  1. Run the DB installation script
    1. Script is found in /nosql directory
    2. Edit createDB.js and change the parameters as documented within the script
    3. Execute 'node createDB.js'

Server Installation

  1. Copy the PrivakeyCX Auth Service distribution to the server.
  2. Run npm install --production from the project root.
  3. Generate a signing certificate on the Node Server.
    From within the root of the PrivakeyCX directory, execute the following commands:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1000 -out certificate.pem 
-sha256 -subj "/CN=localhost"

openssl pkcs12 -inkey key.pem -in certificate.pem -export -out privakeyservice.pfx

Make a note of the password used during this step, as it will need to be saved in an environment variable later.

  1. Review and set Config Values in config.json found in the project’s root directory
portThe port the service will run on.
logLevelOptions include: off, error, warn, info, verbose, debug or silly.
logNamePath and name of where the file should be generated, relative to project root.
maxRequestSizeMaximum, overall size of generateRequest object allowable.
Reccomended size: 2mb
signingCertPathThe path, relative to the project root of the signing certificate generated in Step 3.

Set up initial Environment Variables:

KeyValue / Value Description
CX_ENVproduction or development. Set this to development to load environment variables from a .env, and to allow HTTP instead of HTTPS for cookies in the CX Wizard and Portal.
CERT_PWThe password for the certificate created in step 3.
OPENSSL_PATHThe path to the Open SSL executable.
This normally can be discovered by typing which openssl at a command prompt.
DATA_TYPEmysql or dynamodb
DATA_HOSTAddress of the DB
DATA_PORTPort for the DB
DATA_USERA user with read / write access to DB set up in step 1 of the Database Installation.
DATA_PWPassword for DATA_USER
DATA_NAMEprivakey_cx
Should not be changed unless the database script was modified with an alternate name.
DATA_REGIONFor DynamoDB only
The AWS region that contains the DB. us-east-1 by default
DATA_ENDPOINTFor DynamoDB only
Optional endpoint for connecting to DynamoDB service. Generally not needed if connecting to production DynamoDB
CX_DATA_KEYAny string, used for data at rest encryption (primarily for challenge origin credential storage)
FIREBASE_CREDThe path to the Firebase credentials JSON file.
This file is generated through the Firebase console, by navigating to Project settings > Service accounts.
FIREBASE_DBThe Firebase database URL
USE_SSLtrue if the application is managing SSL. Otherwise, false
SSL_KEY_PATHRequired if USE_SSL is true.
./cert/server.key is the recommended location/name for this key.
SSL_CERT_PATHRequired if USE_SSL is true.
./cert/server.crt is the recommended location/name for this file.
COMM_SERVER_URLhttp://[server name]:[server port]/communication/send

For example, if using CX's built-in communication service and CX is running on the default port 8080, this will be http://localhost:8080/communication/send
COMM_SERVER_KEYGenerated during the bootstrapping process. See bootstrap the system
COMM_SERVER_ID2
SESSION_KEYA passphrase used to encrypt the login session cookie in the Admin Portal
SMTP_USERThe username for authenticating to the email service used by the Admin Portal
SMTP_PWThe password for authenticating to the email service used by the Admin Portal
SMTP_PORTThe port used by the email service
SMTP_TLSFlag denoting whether to use TLS when connecting to the email service. True/False
SMTP_FROMThe email address that will be labeled on emails sent by the Auth Service
SMTP_FROM_NAMEThe display name that will be labeled on emails sent by the Auth Service
PORTAL_LOCATIONThe URL of the Admin Portal, including port. This value should denote the location of Privakey CX with a path of /admin/portal
CX_SHOW_TITLEA flag denoting whether to display the splash title on the console during server start up. 0/1

What’s Next

The Bootstrap Wizard is ready to be run to add the first Admin User to the system.