Define settings

Owned by M
Last updated: Apr 26, 2022 by Mathias Søby Jensen
Describes the process of initially defining the general repository settings and reference settings.


RepositorySettings

A RepositorySettings files needs to be available to all components in a Bit Repository system, as it describes the contract for the system.

The RepositorySettings format is specified in the RepositorySettings.xsd schema definition.

For at template including desciptions of the individual elements see these example RepositorySettings.

Not all parts of the settings file are relevant for all components, so irrelevant parts may be removed when distributed to the different components. This may introduce errors, so it is recommended to distribute the full RepositorySettings file to all repository participants.

ReferenceSettings

See ReferenceSettings at GitHub, showing how the ReferenceSettings file should be defined.

Certificate Creation

The following is an instruction on how to create the certificates needed in the collection settings.


Certificates are used intensively throughout a Bit Repository system for authentication and authorization. The rules for using the certificates are specified in the RepositorySettings.

The general organizational policy for creating and managing certificates should be used for Bit Repository systems.

Self-signed Certificates


For test and development purposes self-signed certificated can be used. The following describes how to create self-signed certificates for test purposes. 

# For HTTPS servers remember to put the
# server FQDN in the CN.

KEY="$CN.key"
CSR="$CN.csr"
CRT="$CN.crt"

# Generate key
openssl genrsa -out "$KEY" 1024 || exit 1

# Certificate Signing Request (Remember to modify the signing request subject)
openssl req -new -key "$KEY" -out "$CSR" -subj "/C=DK/O=TestOrganization/OU=TestDepartment/CN=$CN" || exit 1

# Self sign
openssl x509 -req -days 1000 -in "$CSR" -out "$CRT" -signkey "$KEY" || exit 1

Optionally this can be packaged into a web browser friendly pkcs-12 file along with the server certificate:

openssl pkcs12 -export -in browser.crt -inkey browser.key -out browser.p12 -certfile /path/to/server.crt

See also Using SSL in Java

Creating a certificate authority for test

$ mkdir /path/to/ca/                 # CA root
$ mkdir /path/to/ca/ca.db.certs      # Signed certificates
$ touch /path/to/ca/ca.db.index      # Index of signed certificates
$ echo 01 > /path/to/ca/ca.db.serial # Next (sequential) serial number
$ cp ca.conf /path/to/ca/            # Configuration file (see below)

$ cd /path/to/ca
$ openssl genrsa -out ca.key 1024    # Generate CA private key
$ openssl req -new -key ca.key \
                   -out ca.csr       # Create Certificate Signing Request
$ openssl x509 -req -days 10000 \
               -in ca.csr \
               -out ca.crt \
               -signkey ca.key       # Create self-signed certificate

ca.conf:

[ ca ]
default_ca = ca_default

[ ca_default ]
dir = ./ca
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Creating and signing webserver certificate:

$ openssl genrsa -out server.key 1024 # Create private/public key pair for server
$ openssl req -new -key server.key \
                   -out server.csr    # Create certificate signing request
                                      # (Remember: Common name *MUST* match server address)
$ openssl ca -config ca.conf \
             -in server.csr \
             -cert ca.crt \
             -keyfile ca.key \
             -out server.crt          # Sign certificate request with CA certificate.

# Create PEM file with the server key and certificate for use with lightttpd
$ cat server.key server.crt > server.pem

Creating a client certificate for use with web browsers (remember it will also usually need the CA certificate used in signing):

# openssl genrsa -out client.key 1024 # Generate public/private key for client
# openssl req -new -key client.key \
                   -out client.csr    # Create certificate signing request
# openssl ca -config ca.conf \
             -in client.csr \
             -cert ca.crt \
             -keyfile ca.key \
             -out client.crt          # Sign certificate

# openssl pkcs12 -export -clcerts \
                 -in client.crt \
                 -inkey client.key \
                 -out client.p12      # Create PKCS12 keystore for use with web browsers

References:
Client certificates with apache