friedrta
diff --git a/‎.gitignore
+20 b/‎.gitignore
+20
diff --git a/‎README.md
+4-7 b/‎README.md
+4-7
diff --git a/‎docker/Dockerfile
+103 b/‎docker/Dockerfile
+103
diff --git a/‎docker/README.md
+60 b/‎docker/README.md
+60
diff --git a/‎docker/base64-input.sh
+46 b/‎docker/base64-input.sh
+46
@@ -23,6 +23,17 @@ server/fidoserverbeans/target/
 server/keymanager/target/
 sampleapps/java/basic/server/target/
 sampleapps/java/poc/server/target/
+sampleapps/java/sacl/sfaboaserver/target/
+sampleapps/java/sacl/sfaeco/target/
+sampleapps/java/poc/angular/tools/node_modules/
+sampleapps/java/poc/angular/dist/demo6/dist/
+sampleapps/java/poc/angular/dist/demo6/node_modules/
+sampleapps/java/sacl/sfaboa/angular/demo6/node_modules/
+sampleapps/java/sacl/sfakma/angular/demo6/node_modules/
+sampleapps/java/sacl/sfaboa/angular/demo6/dist/
+sampleapps/java/sacl/sfakma/angular/demo6/dist/
+sampleapps/java/poc/angular/dist/assets/
+sampleapps/java/poc/angular/dist/vendors/
 server/skfe/nbproject/
 server/skfs/nbproject/
 server/skfe/target/
@@ -31,3 +42,12 @@ server/apiclient/target/
 server/FIDO2Simulator/target/
 server/FIDO2SimulatorClient/target/
 server/skfsclient/target/
+server/FIDO2JWTVerify/target/
+/sampleapps/java/poc/angular/dist/demo6/nbproject/private/
+/sampleapps/java/sacl/sfaboaserver/target/
+/sampleapps/java/sacl/sfaeco/sfaeco-web/target/
+/sampleapps/java/sacl/sfaeco/sfaeco-client/target/
+/sampleapps/java/sacl/sfaeco/sfaeco-ear/target/
+/sampleapps/java/sacl/sfaeco/sfaeco-ejb/target/
+/sampleapps/java/sacl/sfakma/sfakmaserver/target/
+/sampleapps/java/sacl/sfaboa/sfaboaserver/target/
@@ -17,24 +17,21 @@ The following links provide some background on FIDO, the FIDO Alliance, and FIDO
 * Follow [the clustering instructions](docs/Clustering_Guide_Linux.md) to download the FIDO2 Server and get it running as a cluster.
 
 ## Upgrade
-Follow [the upgrade instructions](docs/Upgrade_Guide_Linux.md) to upgrade your current FIDO Server version to the latest.
+Follow [the upgrade instructions](docs/Upgrade_Guide_Linux.md) to upgrade your current version of fido server to the latest.
 
 ## Sample Applications
 Sample code is provided with a brief explanation of what each sample does:
 
 * Java Samples
-  * [Demo](https://demo4.strongkey.com/fido2poc): A basic Java application demonstrating FIDO2 registration and authentication
+  * [DEMO](https://demo5.strongkey.com): A basic Java application demonstrating FIDO2 registration and authentication
   * [Basic](https://github.com/StrongKey/fido2/tree/master/sampleapps/java/basic/): Basic Java sample application
   * [PoC](https://github.com/StrongKey/fido2/tree/master/sampleapps/java/poc/): Proof of concept (PoC) Java application
-
-## Tutorial
-A step-by-step guide to FIDO-enable your application is provided:
-*  [Node.js](https://github.com/StrongKey/fido2/tree/master/tutorial/node/): Node.js and SQLite tutorial
+  * [SSO](https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl/): FIDO Enabled sample applications demonstrating SSO
 
 ## Sample Client
 StrongKey FIDO2 Server client offers examples of the various API calls using different available methods. Read the [skfsclient docs](https://github.com/StrongKey/fido2/blob/master/server/skfsclient/skfsclient.md) for commands to test FIDO2 functionality against your sandbox.
 
-The skfsclient uses a FIDO2 simulator instead of an actual Authenticator to demonstrate the web services on the command line. Feel free to download the [simulator source code](https://github.com/StrongKey/fido2/tree/master/server/FIDO2Simulator) for your own use.
+The skfsclient uses a FIDO2 simulator instead of an actual authenticator to demonstrate the web services on the command line. Feel free to download the [simulator source code](https://github.com/StrongKey/fido2/tree/master/server/FIDO2Simulator) for your own use.
 
 ## API docs
 [Interactive OpenAPI documentation for FIDO2 Server](https://strongkey.github.io/fido2/)
 
@@ -0,0 +1,103 @@
+###############################################################
+## /**
+## * Copyright StrongAuth, Inc. All Rights Reserved.
+## *
+## * Use of this source code is governed by the GNU Lesser General Public License v2.1
+## * The license can be found at https://github.com/StrongKey/fido2/blob/master/LICENSE
+## */
+################################################################
+
+FROM centos:7
+
+# Default payara ports to expose
+# 8181: https
+# 7001-7003: StrongKey FIDO2 Server Replication
+EXPOSE 8181 7001 7002 7003
+
+# Set up environment variables
+ENV STRONGKEY_HOME=/usr/local/strongkey\
+    SKFS_HOME=/usr/local/strongkey/skfs\
+    GLASSFISH_HOME=/usr/local/strongkey/payara5/glassfish\
+    GLASSFISH_CONFIG=${GLASSFISH_HOME}/domains/domain1/config\
+    MARIACONJAR=mariadb-java-client-2.2.6.jar\
+    XMXSIZE=512m
+
+# Create strongkey user
+RUN groupadd -g 1000 strongkey &&\
+    useradd -u 1000 -m -s /bin/bash -d ${STRONGKEY_HOME} strongkey -g strongkey
+
+# Add to PATH and set up useful aliases for strongkey user
+RUN echo "\
+    export GLASSFISH_HOME=${GLASSFISH_HOME} ; \ 
+    export STRONGKEY_HOME=${STRONGKEY_HOME} ; \ 
+              export PATH=${GLASSFISH_HOME}/bin:${STRONGKEY_HOME}/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin ; \
+\
+alias str='cd ${STRONGKEY_HOME}' ; \ 
+alias dist='cd ${STRONGKEY_HOME}/dist' ; \ 
+alias aslg='cd ${GLASSFISH_HOME}/domains/domain1/logs' ; \ 
+alias ascfg='cd ${GLASSFISH_HOME}/domains/domain1/config' ; \ 
+alias tsl='tail --follow=name ${GLASSFISH_HOME}/domains/domain1/logs/server.log' ; \ 
+alias mys='mysql -u skfsdbuser -p\`dbpass 2> /dev/null\` skfs' ; \ 
+alias java='java -Djavax.net.ssl.trustStore=${STRONGKEY_HOME}/certs/cacerts'"\
+>> /etc/skfsrc &&\
+    if [ -f /etc/bashrc ]; then echo ". /etc/skfsrc" >> /etc/bashrc; else echo ". /etc/skfsrc" >> /etc/bash.bashrc; fi
+
+# Install and download necessary libraries and fidoserver files
+RUN yum -y install wget unzip libaio java-1.8.0-openjdk ncurses-compat-libs rng-tools curl sudo >/dev/null 2>&1 &&\
+    yum clean all &&\
+    rm -rf /var/cache/yum &&\
+    mkdir fidoserver &&\
+    cd fidoserver &&\
+    wget https://repo1.maven.org/maven2/fish/payara/distributions/payara/5.2020.7/payara-5.2020.7.zip -q &&\
+    wget https://downloads.mariadb.com/Connectors/java/connector-java-2.2.6/mariadb-java-client-2.2.6.jar -q &&\
+    wget https://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/j/jemalloc-3.6.0-1.el7.x86_64.rpm -q &&\
+    wget https://github.com/StrongKey/fido2/raw/master/fido2server-v4.4.0-dist.tgz -q &&\
+    tar xzf fido2server-v4.4.0-dist.tgz
+
+# Create necessary directories
+RUN mkdir -p ${STRONGKEY_HOME}/certs ${STRONGKEY_HOME}/Desktop ${STRONGKEY_HOME}/dbdumps ${STRONGKEY_HOME}/lib ${STRONGKEY_HOME}/bin ${STRONGKEY_HOME}/appliance/etc ${STRONGKEY_HOME}/crypto/etc ${SKFS_HOME}/etc ${SKFS_HOME}/keystores ${STRONGKEY_HOME}/skce/etc
+
+# Perform certificate/keystore tasks
+RUN cd fidoserver &&\
+    cp certimport.sh ${STRONGKEY_HOME}/bin &&\
+    exec bash
+
+# Install and set up Glassfish
+RUN cd fidoserver &&\
+    unzip payara-5.2020.7.zip -d ${STRONGKEY_HOME} >/dev/null &&\
+    chown -R strongkey. /usr/local/strongkey &&\
+    ${GLASSFISH_HOME}/bin/asadmin start-domain &&\
+    cp ${MARIACONJAR} ${GLASSFISH_HOME}/lib &&\
+    sed -ri 's|^(com.sun.enterprise.server.logging.GFFileHandler.rotationOnDateChange=).*|\1true|'  ${GLASSFISH_HOME}/domains/domain1/config/logging.properties &&\
+    sed -ri 's|^(com.sun.enterprise.server.logging.GFFileHandler.rotationLimitInBytes=).*|\1200000000|' ${GLASSFISH_HOME}/domains/domain1/config/logging.properties &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.network-listeners.network-listener.http-listener-1.enabled=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.http.request-timeout-seconds=7200 &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers=+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.ssl2-enabled=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.http.trace-enabled=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin set server.network-config.protocols.protocol.http-listener-2.http.xpowered-by=false &&\
+    ${GLASSFISH_HOME}/bin/asadmin delete-jvm-options $(${GLASSFISH_HOME}/bin/asadmin list-jvm-options | sed -n '/\(-XX:NewRatio\|-XX:MaxPermSize\|-XX:PermSize\|-client\|-Xmx\|-Xms\)/p' | sed 's|:|\\\\:|' | tr '\n' ':') &&\
+    ${GLASSFISH_HOME}/bin/asadmin create-jvm-options -Djtss.tcs.ini.file=${STRONGKEY_HOME}/lib/jtss_tcs.ini:-Djtss.tsp.ini.file=${STRONGKEY_HOME}/lib/jtss_tsp.ini:-Xmx${XMXSIZE}:-Xms${XMXSIZE}:-Djdk.tls.ephemeralDHKeySize=2048:-Dproduct.name="":-XX\\:-DisableExplicitGC &&\
+    cp fidoserver.ear /usr/local/strongkey &&\
+    cp signingkeystore.bcfks /usr/local/strongkey &&\
+    cp signingtruststore.bcfks /usr/local/strongkey &&\
+    cp jwtsigningkeystore.bcfks /usr/local/strongkey &&\
+    cp jwtsigningtruststore.bcfks /usr/local/strongkey &&\
+    cp -r keymanager/ /usr/local/strongkey &&\
+    cp -r skfsclient/ /usr/local/strongkey &&\
+    cp keygen-jwt.sh /usr/local/strongkey &&\
+    chown -R strongkey. /usr/local/strongkey &&\
+    cd ../ &&\
+    rm -rf fidoserver
+
+# Copy entrypoint script to image to run when container is initialized
+COPY ./entrypoint.sh ${STRONGKEY_HOME}
+RUN chown -R strongkey. /usr/local/strongkey/entrypoint.sh
+
+# All operations from here on should be run as strongkey user
+USER strongkey
+WORKDIR ${STRONGKEY_HOME}
+ENTRYPOINT ["/usr/local/strongkey/entrypoint.sh"]
@@ -0,0 +1,60 @@
+
+# FIDO2 Server, Community Edition, Dockerized
+## Overview:
+This branch contains a Dockerized version of StrongKey's Certified FIDO2 Server, Community Edition. This implementation allows for the creation of a FIDO2 server within a container, which allows for the ability to be deployed in any environment. This README will focus on the Docker portion of the StrongKey FIDO2 Server; please refer to the main [README](https://github.com/StrongKey/fido2) for anything related to the FIDO side of the server.
+
+## Prerequisites: Host machine/VM
+Docker must be installed and enabled to build and use the StrongKey FIDO2 Server image.
+It is recommended that you have a machine or VM with the following minimum requirements:
+
+* 10 GB storage
+* 4 GB memory
+
+These values are also the recommended minimums for each container. CPUs and memory for each container may be manually allocated at runtime (see [example usage](https://github.com/StrongKey/fido2/blob/docker/docker/example-usage.txt)). If these flags are not set, "[by default, a container has no resource constraints and can use as much of a given resource as the host’s kernel scheduler allows](https://docs.docker.com/config/containers/resource_constraints/)."
+
+The host machine's firewall should open port 8181 (or the port bound to the Docker container's port 8181) as well as ports 7001-7003 if clustering containers.
+
+## Prerequisites: External DB and LDAP/AD
+In this specific version of the Dockerized StrongKey FIDO2 Server, both the  MySQL database and LDAP are not included, so an external MySQL 5 database and LDAP/AD are required for setup. The containers can be configured to use the external database and LDAP/AD in the *base64-input.sh* script.
+
+The database configuration should be sourced from the FIDO2 Server's *create.txt* in the server's [*fidoserverSQL* directory](https://github.com/StrongKey/fido2/tree/master/server/fidoserverInstall/fidoserverSQL). Additionally, any database insert commands found in the install-skfs.sh from a regular StrongKey FIDO2 Server should be performed on this database.
+
+Theexternal LDAP/AD must be configured in the same way as a normal FIDO2 Server as described in the distribution's *.ldif* files.
+
+## Getting Started
+1. **Build the image**.
+	```sh
+	[sudo] docker build -t fidoserver .
+	```
+2. **Configure the image settings**. Here you may configure the external LDAP/AD database, and clustering.
+	```sh
+	vi base64-input.sh
+	```
+3. Get base64 input for the container. **Save the output** of the *base64-input.sh* script somewhere for the next step.
+	```sh
+	./base64-input.sh
+	```
+4. **Run the image in a container** with the output from the *base64-input.sh* script as its only argument. The hostname flag (-h) and bound port 8181 are necessary. To debug any issues with glassfish, it may be a good idea to remove the -d (detach) flag to be able to view the logs
+	```sh
+	[sudo] docker run -dit -h fido01.strongkey.com -p 8181:8181 fidoserver <base64-input>
+	```
+To enter into a bash terminal within the container, perform the following additional steps:
+
+5. **Find the container ID**.
+	```sh
+	[sudo] docker container ls
+	```
+6. To enter into a bash terminal in the container, **execute the following**:
+	```sh
+	[sudo] docker exec -it <CONTAINER-ID> /bin/bash
+	```
+
+## Clustering
+When clustering,  for replication to work properly, open ports 7001-7003 on the container when running it. For example, 
+```sh
+[sudo] docker run -dit -h fido01.strongkey.com -p 8181:8181 -p 7001-7003:7001-7003 fidoserver <base64-input>
+```
+Further instructions on clustering can be found in the *base64-input.sh* when configuring the image settings on *Step 2* of the *Getting Started* section.
+
+
+
@@ -0,0 +1,46 @@
+#!/bin/bash
+###############################################################
+# /**
+# * Copyright StrongAuth, Inc. All Rights Reserved.
+# *
+# * Use of this source code is governed by the GNU Lesser General Public License v2.1
+# * The license can be found at https://github.com/StrongKey/fido2/blob/master/LICENSE
+# */
+###############################################################
+
+DB_URL='fido-docker.cluster-c9iyctxcjygt.us-west-1.rds.amazonaws.com'
+DB_USER='root'
+DB_PASS='BigKahuna'
+MARIA_SKFSDBUSER_PASSWORD='AbracaDabra'
+
+LDAP_URLPORT='ldap://3.236.203.121:1389'
+LDAP_TYPE='LDAP'
+LDAP_BINDDN='[email protected]'
+LDAP_PASS='dne(!nPCiVJ'
+LDAP_DNPREFIX='cn='
+LDAP_DNSUFFIX=',ou=users,ou=v2,ou=SKCE,ou=StrongAuth,ou=Applications,dc=strongkey,dc=com'
+LDAP_BASEDN='dc=strongkey,dc=com'
+LDAP_GROUPSUFFIX=',ou=groups,ou=v2,ou=SKCE,ou=StrongAuth,ou=Applications,dc=strongkey,dc=com'
+
+JWT_CREATE=false
+JWT_KEYGEN_DN='/C=US/ST=California/L=Cupertino/O=StrongAuth/OU=Engineering'
+JWT_CLUSTER_SIZE=1
+JWT_CERTS_PER_SERVER=3
+JWT_DID=1
+JWT_KEYSTORE_PASS='Abcd1234!'
+JWT_KEY_VALIDITY=365
+
+# Steps to clustering:
+# 1. Add *container* hostname entries to servers table in db, taking note of which serverid belongs to which hostname
+# 2. Set $CLUSTER to true
+# 3. Change $HOSTS and $SERVERID variables appropriately
+CLUSTER=false
+HOSTS='54.183.213.1 fido01.strongkey.com%18.144.34.248 fido02.strongkey.com'	# /etc/hosts file entries delimited by '%'
+SERVERID=1	# Same as serverid in db for this container
+
+if [ $CLUSTER = true ]
+then
+	echo $(echo "$DB_URL;$DB_USER;$DB_PASS;$MARIA_SKFSDBUSER_PASSWORD;$LDAP_URLPORT;$LDAP_TYPE;$LDAP_BINDDN;$LDAP_PASS;$LDAP_DNPREFIX;$LDAP_DNSUFFIX;$LDAP_BASEDN;$LDAP_GROUPSUFFIX;$JWT_CREATE;$JWT_KEYGEN_DN;$JWT_CLUSTER_SIZE;$JWT_CERTS_PER_SERVER;$JWT_DID;$JWT_KEYSTORE_PASS;$JWT_KEY_VALIDITY;$HOSTS;$SERVERID"| base64 --wrap=0)
+else
+	echo $(echo "$DB_URL;$DB_USER;$DB_PASS;$MARIA_SKFSDBUSER_PASSWORD;$LDAP_URLPORT;$LDAP_TYPE;$LDAP_BINDDN;$LDAP_PASS;$LDAP_DNPREFIX;$LDAP_DNSUFFIX;$LDAP_BASEDN;$LDAP_GROUPSUFFIX;$JWT_CREATE;$JWT_KEYGEN_DN;$JWT_CLUSTER_SIZE;$JWT_CERTS_PER_SERVER;$JWT_DID;$JWT_KEYSTORE_PASS;$JWT_KEY_VALIDITY"| base64 --wrap=0)
+fi