This project is derived and expanded from scripts and docker-compose found in Arrowhead framework core project.
- Setup Arrowhead core services utilizing containers and
docker-compose.yml - Generate certificates for secured Arrowhead communication
Makefilefor quick configuration of the container network and certificates for Arrowhead services
Arrowhead services included (more can be easily added):
- Service registry
- Authorization
- Orchestrator
- Certificate authority
- Gatekeeper
- Gateway
- Eventhandler
- Docker
- Docker Compose
- Arrowhead services version
4.6.0
To just run a test version of a secure Arrowhead cloud (Arrowhead service configuration, certificates, SQL database tables, start containers with logs in terminal). Drop the desired Arrowhead services under the services folder (unzipped, foldername: i.e. arrowhead-<service>-4.6.0). Then run the command:
make all
Booting up all services may take a couple of minutes. If this doesn't work, keep reading the following sections. Arrowhead services may throw multiple errors on first boot as MySQL server is not ready yet with initializing the database.
Clean up generated files with:
make clean
Create and set desired settings and names as environment variables to a .env file at project root. The default vaules can be seen in Makefile. The settings configurable in .env file:
# Information for the Arrowhead cloud certificates (keep it simple)
COMPANY=company
CLOUD=cloud
COMMON_SAN=dns:localhost,ip:127.0.0.1
# Relay system certificate name and SAN
RELAY_NAME=your_relay
RELAY_SAN=dns:localhost,ip:127.0.0.1
# Password for generated .p12 certificate/key stores
PASSWORD=123456
# Timezone used for Arrowhead service and MySQL database connection
TIMEZONE=Europe/Budapest
# MySQL root password. Default defined in docker-compose.yml.
MYSQL_ROOT_PASSWORD=changethispassword
# Debug flag (Arrowhead services log to terminal)
DEBUG=true
Arrowhead services are placed under the services directory to launch them containers with the docker-compose.yml.
- Latest released Arrowhead service files can be found in the official releases.
- If
- Instuctions on how to build
.jarfiles for Arrowhead services can be found in the official repository.
Each Arrowhead service under services folder should include .jar and application.properties files. For example, services/arrowhead-serviceregistry-4.6.0/ contains:
application.propertiesarrowhead-serviceregistry-4.6.0.jarlog4j2.xml
Arrowhead service application.properties vary between services. This repository provides scripts to automatically configure the properties of services found in services folder.
The properties require network addresses to be updated for the services to find each other within the container network formed by the docker-compose.yml. This can be automatically configured to all services using the commands in Makefile.
make network
Depending on the Arrowhead services that are used, additional configuration is required to specific application.properties of services.
To generate certificates and configure Arrowhead services to use secured communication:
make secure
If you want to remake the certificates, delete the certs folder before calling the previous command:
make clean-certs
Run following to download an organize SQL database files for MySQL service to use:
make sql
Arrowhead services can be made to consume less memory at the cost of performance by changing the startup command in arrowhead-common.yml:
command: java -jar app.jar
to
command: java -XX:+UseSerialGC -Xmx1G -Xms32m -jar app.jar
More services can be added by configuring the following appropriately:
docker-compose.yaml- Add service container configuration
scripts/create_p12.certs.sh- Add certificate generation call to the list with other services:
create_consumer_system_keystore "arrowheadservicename"
- Add certificate generation call to the list with other services:
- Get SQL privilege scripts for the services from the official repository
- Add privileges to
sql/privilegesfolder - Update
sql/create_empty_arrowhead_db.sqlaccordingly- Check that the service
application.propertiesusername and password match the SQL file
- Check that the service
- Add privileges to
Start the Arrowhead services with:
make all
or
docker compose up
Stop services with (CTRL+C if running attached) and with command:
make down
or
docker compose down
Use sysop certificates found in ./certs to access secured Arrowhead core systems.
Instructions on how to import the sysop.p12 certificate to your browser can be found here.
Default pasword for the .p12 file is 123456 (if unchanged in the .env settings).
With browser you may now access Arrowhead core Swagger ui from:
https://localhost:8443/ # Service registry
https://localhost:8445/ # Authorization
https://localhost:8441/ # Orchestrator
https://localhost:8448/ # Certificate authority
https://localhost:8449/ # Gatekeeper
https://localhost:8453/ # Gateway
https://localhost:8455/ # Event handler
make echo
You may generate system certificate for Arrowhead relay systems with:
make relay-certs
To completely remove all genearted certificates, SQL commands, downloaded container images, and created volumes:
make clean
For Arrowhead related issues refer to the official documentation.
- If you run into errors executing the scripts (directly or via
make) you may need to rundos2unix/unix2doson the scripts depending on which OS you're using. make sqlmay fail if the resources accessed in initSQL.sh are not available. Comment out missing table generation rules from the generatedsql/create_empty_arrowhead_db.sqlfile.- Check that service names and external paths are correct in the
docker-compose.yml.
Commands below may be helpful, not normally needed.
Certificate
openssl pkcs12 -in your_client.p12 -clcerts -nokeys > your_client.crt
Private Key
openssl pkcs12 -in your_client.p12 -nocerts -nodes > your_client.key
CA Certificates
openssl pkcs12 -in your_client.p12 -cacerts -nokeys -chain > your_client.ca
Supply a password with option:
-passin pass:your_pass
Show SAN from .crt/.key/.ca:
openssl x509 -text -noout -in your_client.pem | grep DNS