8.2.9.2. Configuration / fichiers utiles

Les fichiers de configuration sont gérés par les procédures d’installation ou de mise à niveau de l’environnement VITAM. Se référer au DIN.

Les fichiers de configuration sont définis sous /vitam/conf/ihm-demo.

8.2.9.2.1. Fichier access-external-client.conf

Ce fichier permet de définir l’URL d’accès au service access-external.

serverHost: {{ vitam.accessexternal.host }}
serverPort: {{ vitam.accessexternal.port_service }}
secure: true
sslConfiguration :
 keystore :
  - keyPath: {{ vitam_folder_conf }}/keystore_{{ vitam_struct.vitam_component }}.p12
    keyPassword: {{ keystores.client_external.ihm_demo }}
 truststore :
  - keyPath: {{ vitam_folder_conf }}/truststore_{{ vitam_struct.vitam_component }}.jks
    keyPassword: {{ truststores.client_external }}
hostnameVerification: true

8.2.9.2.2. Fichier ihm-demo.conf

serverHost: {{ ip_service }}
port: {{ vitam_struct.port_service }}

baseUrl: "{{ vitam_struct.baseurl }}"
baseUri: /{{ vitam_struct.baseuri }}
secureMode:
{% for realm in vitam_struct.authentication_realms %}
- {{ realm }}
{% endfor %}

jettyConfig: jetty-config.xml
authentication: true
enableXsrFilter: true
enableSession: true

allowedMediaTypes:
{% for mediaType in vitam_struct.allowedMediaTypes %}
    - type: {{ mediaType.type }}
      subtype: {{ mediaType.subtype }}
{% endfor %}

tenants : liste des tenants disponibles sur l’ihm-demo.

8.2.9.2.3. Fichier ingest-external-client.conf

serverHost: {{ vitam.ingestexternal.host }}
serverPort: {{ vitam.ingestexternal.port_service }}
secure: true
sslConfiguration :
 keystore :
  - keyPath: {{ vitam_folder_conf }}/keystore_{{ vitam_struct.vitam_component }}.p12
    keyPassword: {{ keystores.client_external.ihm_demo }}
 truststore :
  - keyPath: {{ vitam_folder_conf }}/truststore_{{ vitam_struct.vitam_component }}.jks
    keyPassword: {{ truststores.client_external }}
hostnameVerification: true

8.2.9.2.4. Fichier shiro.ini

# =======================
# Shiro INI configuration
# =======================

[main]
# Objects and their properties are defined here,
# Such as the securityManager, Realms and anything
# else needed to build the SecurityManager


# Cache Manager
builtInCacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager

# Security Manager
securityManager.cacheManager = $builtInCacheManager

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionMode = native
securityManager.sessionManager.globalSessionTimeout = {{ vitam_struct.session_timeout }}
securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.sessionManager.sessionIdCookie.secure = {{ vitam_struct.secure_cookie }}
securityManager.rememberMeManager.cookie.secure = {{ vitam_struct.secure_cookie }}
securityManager.rememberMeManager.cookie.httpOnly = true

# Notice how we didn't define the class for the FormAuthenticationFilter ('authc') - it is instantiated and available already:
authc.loginUrl = /#!/login


# credentialsMatcher
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher

{% if "iniRealm" in vitam_struct.authentication_realms %}
iniRealm.credentialsMatcher = $sha256Matcher
{% endif %}

{% if "ldapRealm" in vitam_struct.authentication_realms %}
contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory
contextFactory.url = {{ ldap_authentification.ldap_protocol }}://{{ ldap_authentification.ldap_server }}:{{ ldap_authentification.ldap_port }}
{% if ldap_authentification.ldap_login is defined and ldap_authentification.ldap_pwd is defined %}
{% if ldap_authentification.ldap_login != "" and ldap_authentification.ldap_pwd != "" %} 
contextFactory.systemUsername = {{ ldap_authentification.ldap_login }}
contextFactory.systemPassword = {{ ldap_authentification.ldap_pwd }}
{% endif %} 
{% endif %}

ldapRealm = fr.gouv.vitam.common.auth.core.realm.LdapRealm
ldapRealm.ldapContextFactory = $contextFactory
ldapRealm.searchBase = "{{ ldap_authentification.ldap_base }}"
ldapRealm.groupRequestFilter = {{ ldap_authentification.ldap_group_request }}
ldapRealm.userDnTemplate = {{ ldap_authentification.ldap_userDn_Template }}
ldapRealm.groupRolesMap = "{{ ldap_authentification.ldap_admin_group }}":"admin", "{{ ldap_authentification.ldap_user_group }}":"user", "{{ ldap_authentification.ldap_guest_group }}":"guest"
{% endif %}

x509 = fr.gouv.vitam.common.auth.web.filter.X509AuthenticationFilter

x509.useHeader = False

x509credentialsMatcher = fr.gouv.vitam.common.auth.core.authc.X509CredentialsSha256Matcher

{% if "x509Realm" in vitam_struct.authentication_realms %}
x509Realm = fr.gouv.vitam.common.auth.core.realm.X509KeystoreFileWithRoleRealm
x509Realm.grantedKeyStoreName = {{ vitam_folder_conf }}/grantedstore_ihm-demo.jks
x509Realm.grantedKeyStorePassphrase = {{ password_grantedstore }}
x509Realm.trustedKeyStoreName = {{ vitam_folder_conf }}/truststore_ihm-demo.jks
x509Realm.trustedKeyStorePassphrase = {{ password_truststore }}
x509Realm.credentialsMatcher = $x509credentialsMatcher
x509Realm.certificateDnRoleMapping = "CN=userAdmin,O=Vitam,L=Paris":"admin", "CN=userUser,O=Vitam,L=Paris,C=FR":"user"
{% endif %}

securityManager.realms = {% for realm in vitam_struct.authentication_realms %}{% if not loop.first %},{% endif %}${{ realm }}{% endfor %}

{% if "iniRealm" in vitam_struct.authentication_realms %}

[users]
# The 'users' section is for simple deployments
# # when you only need a small number of statically-defined
# # set of User accounts.
# #username = password
{% for item in vitam_users %}
 {{ item.login }}={{ item.password|hash('sha256') }}, {{ item.role }}
{% endfor %}

{% endif %}


[roles]
admin = *
user = messages:*, archivesearch:*, logbook:*, ingest:*, archiveupdate:*, archiveunit:*, ingests:read, admin:formats:read, admin:rules:read, admin:accession-register:read, logbookunitlifecycles:*, logbookobjectslifecycles:*, clear:delete, check:read, traceability:content:read, accesscontracts:read, profiles:read, contracts:read, contexts:read, archiveunitprofiles:read, ontologies:read, accessionregisterssymbolic:read
guest = archivesearch:*, archiveunit:*, units:*, unit:*, admin:accession-register:read, accesscontracts:read


[urls]
# make sure the end-user is authenticated.  If not, redirect to the 'authc.loginUrl' above,
# and after successful authentication, redirect them back to the original account page they
# were trying to view:
/v1/api/login = anon
/v1/api/logout = logout
/v1/api/messages/logbook = anon
/v1/api/tenants = anon
/v1/api/securemode = anon
/v1/api/admintenant = anon
/v1/api/permissions = x509
/v1/api/** = authc, x509
/#/** = authc