-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathconfigureServer.sh
executable file
·522 lines (463 loc) · 15.1 KB
/
configureServer.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
#!/bin/bash
#
#*******************************************************************************
# Copyright (c) 2017-2020 IBM Corp.
#
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License v1.0
# and Eclipse Distribution License v1.0 which accompany this distribution.
#
# The Eclipse Public License is available at
# http://www.eclipse.org/legal/epl-v10.html
# and the Eclipse Distribution License is available at
# http://www.eclipse.org/org/documents/edl-v10.php.
#
#
# Contrinutors:
# Ranjan Dasgupta - Initial drop
#
#*******************************************************************************
#
#
# ==============================================================================
# SCRIPT IS PROVIDED TO CREATE MESSAGESIGHT DEMO ENVIRONMENT.
# DO NOT USE THIS SCRIPT TO CREATE A PRODUCTION OR TEST ENVIRONMENT.
# ==============================================================================
#
#
# This scripts can be used to run MessageSight Server docker container,
# and Open LDAP Server docker container. Open LDAP Server is configured
# as an external LDAP server in the MessageSight Server.
#
# PREREQ:
# - Create docker networks needed by IBM IoT MessageSight server and openLDAP
# server containers.
# $ ./configureNetworks.sh create
#
# - Build IBM IoT MessageSight Server docker image (imaserver:5.0) in local registry
# To build imaserver docker image:
# $ ./buildMSImages.sh server
#
# - Build open LDAP Server docker image (openldap:1.0) in local registry
# To build openLDAP Server image:
# $ cd openLDAPServer
# $ ./openldap.sh build
#
# - Build Liberty based OAuth Server docker image (oauthserver:1.0) in local registry
# To build OAuth Server image:
# $ cd libertyOAuthServer
# $ ./oauthServer.sh build
#
#
#
# To create and configure open LDAP container and MessageSight Server Containers
# ./configureServer.sh
#
# To remove MessageSight Server and Open LDAP containers
# ./configureServer.sh remove
#
# To Reset MessageSight Server configuration
# ./configureServer.sh reset [force]
#
CURDIR=`pwd`
export CURDIR
OSTYPE=`uname -s`
export OSTYPE
MAPVOL=/mnt
if [ "${OSTYPE}" == "Darwin" ]
then
MAPVOL=~/mnt
fi
export MAPVOL
ARG1=$1
ARG2=$2
ARG3=$3
function usage() {
echo
echo "ERROR: Invalid option(s) are specified: $ARG1, $ARG2, $ARG3"
echo "USAGE: Configure, reset or remove IBM IoT MessageSight v5 Server for demos."
echo " ./$0 <configure|reset|remove> [force]"
echo " Default option is configure"
echo " Optional parameter force is valid for reset option."
echo
exit 1
}
# Validate command line options
if [ $# -gt 2 ]
then
usage
fi
ACTION=$1
FORCE=$2
if [ "${ACTION}" == "" ]
then
ACTION="configure"
fi
if [ "${FORCE}" != "" ] && [ "${FORCE}" != "force" ]
then
usage
fi
if [ "${ACTION}" != "configure" ] && [ "${ACTION}" != "reset" ] && [ "${ACTION}" != "remove" ]
then
usage
fi
if [ "${ACTION}" == "reset" ]
then
if [ "${FORCE}" != "" ] && [ "${FORCE}" != "force" ]
then
usage
fi
fi
echo
echo "IBM IoT MessageSight Server demo environment setup utility"
echo "Requested action: ${ACTION}"
#
# Check if server is already configured
#
inited=0
configured=0
if [ -f ${MAPVOL}/imaserver1/.inited ]
then
inited=1
fi
if [ -f ${MAPVOL}/imaserver1/.configured ]
then
configured=1
fi
echo "Current configuration states:"
echo "Inited: $inited"
echo "Configured: $configured"
echo
# set configured to 0 for force reset option
if [ "${ACTION}" == "reset" ] && [ "${FORCE}" == "force" ]
then
echo "Configured is set to 1 because forced reset action is invoked."
configured=1
fi
#
# Process remove action - remove old MessageSight container
#
if [ "${ACTION}" == "remove" ]
then
if [ $inited -eq 0 ]
then
echo "ERROR: MessageSight server container is not found. Can not remove."
exit 1
fi
echo "Stop MessageSight server container"
sudo docker stop imaserver1
echo "Remove MessageSight server container"
sudo docker rm -f -v imaserver1
echo "Remove MessageSight server container volumn: ${MAPVOL}/imaserver1"
sudo rm -rf ${MAPVOL}/imaserver1
exit 0
fi
#
# Create directory to MAP volumes of MessageSight Server container
#
if [ ! -d ${MAPVOL}/imaserver1/var/messagesight ]
then
echo "Create volume for MessageSight container"
mkdir -p ${MAPVOL}/imaserver1/var/messagesight
fi
cd $CURDIR
#
# Run containers
#
if [ $inited -eq 0 ]
then
#
# Run LDAP Container if not created yet
#
echo "Check and run openldap container"
cd openLDAPServer
./openldap.sh run
echo "Connect docker network ms-server1-net to the container"
sudo docker network connect ms-server1-net openldap
echo "Wait for some time for LDAP server to configure and start properly"
sleep 10
cd $CURDIR
#
# Run OAuth Server Container if not created yet
#
echo "Check and run oauthserver container"
cd libertyOAuthServer
./oauthserver.sh run
echo "Connect docker network ms-server1-net to the container"
sudo docker network connect ms-server1-net oauthserver
cd $CURDIR
#
# Create MessageSight container
#
# Expose AdminEndpoint port - map 9089:9089
# Expose Other endpoint ports for messaging
# map 16102:16102 (Monitoring & Notification), 1883:1883 (MQTT non-secured) and 8883:8883 (MQTT secured)
# Use docker network ms-server1-net
# Use volume ${MAPVOL}/imaserver1/var/messagesight
#
echo "Create imaserver1 container"
sudo docker run --cap-add SYS_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined \
--env-file=${CURDIR}/mstmpdir/server/imaserver-docker.env \
--net ms-server1-net \
--publish 16102:16102 --publish 9089:9089 --publish 1883:1883 --publish 8883:8883 \
--volume ${MAPVOL}/imaserver1/var/messagesight:/var/messagesight \
--detach --memory 4G --interactive --tty --name imaserver1 imaserver:5.0
echo "Wait for imaserver1 container to start"
sleep 15
echo "Accept license"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d '{"LicensedUsage":"Production", "Accept": true}'
echo "Server gets restarted on license acceptance. Wait for 30 seconds for server to restart."
sleep 30
echo "Check server status"
curl -X GET http://127.0.0.1:9089/ima/v1/service/status
echo "Connect docker network ms-service-net used for openldap server, to the container."
sudo docker network connect ms-service-net imaserver1
# containers are inited
touch ${MAPVOL}/imaserver1/.inited
fi
#
# Configure MessageSight server
#
if [ $configured -eq 1 ]
then
# check if config reset is initiated
if [ "${ACTION}" == "reset" ]
then
# Reset MessageSight server configuration and accept license again
echo "Reset server configuration"
curl -X POST http://127.0.0.1:9089/ima/v1/service/restart -d '{"Service":"Server","Reset":"config"}'
echo "Wait for imaserver1 container to start"
sleep 15
echo "Check server status"
curl -X GET http://127.0.0.1:9089/ima/v1/service/status
rm -f ${MAPVOL}/imaserver1/.configured
exit 0
else
echo "MessageSight server is already configured to run demos"
echo
exit 0
fi
else
# check if config reset is initiated - not needed
if [ "${ACTION}" == "reset" ]
then
echo "MessageSight server is not configured to run demo yet."
echo "Server reset is not needed."
exit 0
fi
fi
#
# Delete Default Demo Endpoints and policies
#
echo "Delete DemoEndpoint"
curl -X DELETE http://127.0.0.1:9089/ima/v1/configuration/Endpoint/DemoEndpoint
echo "Delete DemoMqttEndpoint"
curl -X DELETE http://127.0.0.1:9089/ima/v1/configuration/Endpoint/DemoMqttEndpoint
echo "Delete DemoConnectionPolicy"
curl -X DELETE http://127.0.0.1:9089/ima/v1/configuration/ConnectionPolicy/DemoConnectionPolicy
echo "Delete DemoTopicPolicy"
curl -X DELETE http://127.0.0.1:9089/ima/v1/configuration/TopicPolicy/DemoTopicPolicy
#
# Configure Security related configuration objects
#
# Configure LDAP
echo "Configure and Enable External LDAP on imaserver"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"LDAP":
{
"URL": "ldap://172.27.5.1",
"BaseDN": "o=IBM",
"BindDN": "cn=Manager,o=IBM",
"BindPassword": "msDemoPassw0rd",
"UserSuffix": "ou=users,ou=MessageSight,o=IBM",
"GroupSuffix": "ou=groups,ou=MessageSight,o=ibm",
"UserIdMap": "*:cn",
"GroupIdMap": "*:cn",
"GroupMemberIdMap": "member"
}}'
echo "Test LDAP connection"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d '{ "LDAP":{"Verify":true}}'
echo "Enable LDAP"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d '{ "LDAP":{"Enabled":true}}'
# Configure OAuth Profile
echo "Configure OAuth profile"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"OAuthProfile": {
"TestOAuthProfile": {
"ResourceURL": "https://172.27.5.7:5000/oauth2/endpoint/PythonOAuthProvider/authorize",
"KeyFileName": "",
"AuthKey": "access_token",
"UserInfoURL": "https://172.27.5.7:5000/oauth2/endpoint/PythonOAuthProvider/authorize",
"UserInfoKey": "client_id",
"GroupInfoKey": "scope",
"GroupDelimiter": ","
}}}'
# Create Security Profile
echo "Configure Security Profile for OAuth and LDAP Authentication"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"SecurityProfile": {
"TestSecProfile": {
"TLSEnabled": false,
"MinimumProtocolMethod": "TLSv1.2",
"UseClientCertificate": false,
"Ciphers": "Fast",
"CertificateProfile": "",
"UseClientCipher": false,
"UsePasswordAuthentication": true,
"OAuthProfile": "TestOAuthProfile"
}}}'
#
# Configure connection policies
#
echo "Add connection policy for monitoring and notification"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"ConnectionPolicy": {
"MonitoringConnectionPolicy": {
"Description": "Connection policy for external monitoring and noficiation clients",
"ClientID": "Monitor*",
"ClientAddress": "",
"UserID": "",
"GroupID": "",
"CommonNames": "",
"Protocol": "",
"AllowDurable": false,
"AllowPersistentMessages": false,
"ExpectedMessageRate": "Default"
}}}'
echo "Add on open connection policy for other clients to connect"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"ConnectionPolicy": {
"OpenConnectionPolicy": {
"Description": "Connection policy for any client to connect",
"ClientID": "*",
"ClientAddress": "",
"UserID": "",
"GroupID": "",
"CommonNames": "",
"Protocol": "",
"AllowDurable": true,
"AllowPersistentMessages": true,
"ExpectedMessageRate": "Default"
}}}'
echo "Add Topic policy for SYSTEM topics - external monitoring and notification"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"TopicPolicy": {
"MonitoringTopicPolicy": {
"Description": "Topic policy for SYS topics",
"ClientID": "Monitor*",
"Topic": "$SYS/*",
"ActionList": "Subscribe",
"ClientAddress": "",
"UserID": "",
"GroupID": "",
"CommonNames": "",
"Protocol": "",
"MaxMessages": 5000,
"MaxMessagesBehavior": "RejectNewMessages",
"MaxMessageTimeToLive": "unlimited",
"DisconnectedClientNotification": false
}}}'
echo "Add Topic policy for durable subscriber with disconnected notification option"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"TopicPolicy": {
"DurableNotifPolicy": {
"Description": "Topic policy for durable subscriber with disconnected notification",
"ClientID": "GetNotif*",
"UserID": "",
"CommonNames": "",
"ClientAddress": "",
"GroupID": "",
"Protocol": "MQTT",
"Topic": "planets/earth",
"ActionList": "Subscribe",
"MaxMessages": 5000,
"MaxMessagesBehavior": "RejectNewMessages",
"DisconnectedClientNotification": true,
"MaxMessageTimeToLive": "unlimited"
}}}'
echo "Add Topic policy for other subscribers and publishers"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"TopicPolicy": {
"TestTopicPolicy": {
"Description": "Topic policy for subscribers and publishers",
"ClientAddress": "",
"UserID": "",
"CommonNames": "",
"ClientID": "IBMIoT*",
"GroupID": "",
"Protocol": "MQTT",
"Topic": "*",
"ActionList": "Publish,Subscribe",
"MaxMessages": 5000,
"MaxMessagesBehavior": "RejectNewMessages",
"DisconnectedClientNotification": false,
"MaxMessageTimeToLive": "unlimited"
}}}'
# Non-secured endpoints for internal clients to get moitoring and notification messages
echo "Create Endpoint for notification and monitoring clients"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"Endpoint": {
"MonitoringEndpoint": {
"Port": 16102,
"Enabled": true,
"Protocol": "All",
"Interface": "All",
"InterfaceName": "All",
"ConnectionPolicies": "MonitoringConnectionPolicy",
"TopicPolicies": "MonitoringTopicPolicy",
"SubscriptionPolicies": null,
"MaxMessageSize": "4096KB",
"MessageHub": "DemoHub",
"EnableAbout": true,
"Description": "Unsecured endpoint for notification and monitoring MQTT clients.",
"SecurityProfile": "",
"MaxSendSize": 16384,
"BatchMessages": true,
"QueuePolicies": null
}}}'
# Non-secured MqttEndpoint to handle disconnected clients
echo "Enable MqttEndpoint"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"Endpoint": {
"MqttEndpoint": {
"Port": 1883,
"Enabled": true,
"Protocol": "All",
"Interface": "All",
"InterfaceName": "All",
"ConnectionPolicies": "OpenConnectionPolicy",
"TopicPolicies": "DurableNotifPolicy,TestTopicPolicy",
"SubscriptionPolicies": null,
"MaxMessageSize": "4096KB",
"MessageHub": "DemoHub",
"EnableAbout": true,
"Description": "Unsecured endpoint for external clients.",
"SecurityProfile": "",
"MaxSendSize": 16384,
"BatchMessages": true,
"QueuePolicies": null
}}}'
# Non-secured MqttEndpoint to handle clients cinnecting using OAuth
echo "Enable MqttEndpoint OAuth"
curl -X POST http://127.0.0.1:9089/ima/v1/configuration -d \
'{"Endpoint": {
"MqttEndpointOAuth": {
"Port": 8883,
"Enabled": true,
"Protocol": "All",
"Interface": "All",
"InterfaceName": "All",
"ConnectionPolicies": "OpenConnectionPolicy",
"TopicPolicies": "TestTopicPolicy",
"SubscriptionPolicies": null,
"MaxMessageSize": "4096KB",
"MessageHub": "DemoHub",
"EnableAbout": true,
"Description": "Unsecured endpoint for external clients.",
"SecurityProfile": "TestSecProfile",
"MaxSendSize": 16384,
"BatchMessages": true,
"QueuePolicies": null
}}}'
# Mark setup complete
touch ${MAPVOL}/imaserver1/.configured