The IDS Clearing House functions as an intermediary within the IDS ecosystem. In this capacity, the IDS Clearing House (CH) facilitates communication between a Data Provider (DP) and a Data Consumer (DC), ensuring that both parties fulfill their contractual obligations.
To comprehensively understand the functionality of the IDS Clearing House, explore potential enhancements, and gain practical insights, the existing project which is devoped by Fraunhofer AISEC serves as the foundational base.
The project can be found here: https://github.com/Fraunhofer-AISEC/ids-clearing-house-service/tree/master/clearing-house-app
- CH Core Processor: Is a component that integrates the Clearing House Logging Service into a Connector.
- Logging Service: Is a REST API which depends on two micro services ( Document API and Keyring API).
- Document API: Is responsible for storing the data and performs basic encryption and decryption for which it depends on the Keyring API.
- Keyring API: Is responsible for creating keys and the actual encryption and decryption of stored data
Prerequisites:
- openssl
- Docker
- Your favorite IDE for java
Steps:
- git clone https://github.com/Fraunhofer-AISEC/ids-clearing-house-service.git
- From https://industrial-data-space.github.io/trusted-connector-documentation/docs/getting_started download the examples zip file.
- Create a folder named clearing-house
- In this folder create an empty docker-compose.yml file.
- Copy the below code inside docker-compose.yml
version: "3.7"
services:
tc-core-server:
container_name: "tc-core-server"
image: fraunhoferaisec/trusted-connector-core:7.2.0
tty: true
stdin_open: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data/trusted-connector/application.yml:/root/etc/application.yml
- ./data/trusted-connector/allow-all-flows.pl:/root/deploy/allow-all-flows.pl
- ./data/trusted-connector/server-keystore.p12:/root/etc/keystore.p12
- ./data/trusted-connector/truststore.p12:/root/etc/truststore.p12
environment:
TC_DAPS_URL: https://daps-dev.aisec.fraunhofer.de/v4
SERVICE_SHARED_SECRET: ${SERVICE_SHARED_SECRET}
TC_CH_ISSUER_CONNECTOR: "https://w3id.org/idsa/core/issuerConnector"
TC_CH_AGENT: "https://w3id.org/idsa/core/Agent"
SERVICE_ID_TC: tc-core-server
SERVICE_ID_LOG: logging-service
expose:
- "9999"
- "8443"
- "8080"
- "29292"
ports:
- "8443:8443"
- "9999:9999"
- "8080:8080"
- "29292:29292"
networks:
- ch_network
networks:
ch_network:
name: ch_network
driver: bridge
- Create the path which is used for this container as volume
./data/trusted-connector/ - From deploy folder under trusted-connector example (trusted-connector-examples_latest) copy
all-all-flows.plfile toclearing-house/data/trusted-connector - From
ids-clearing-house-service/dockerfolder copyapplication.ymland move it underclearing-house/data/trusted-connector. - From
ids-clearing-house-service/clearing-house-processors/src/intTest/resourcescopytruststore.p12andsever-keystore.p12and move them underclearing-house/data/trusted-connector. - Add an .env file that will contain the
SERVICE_SHARED_SECRET - Save docker-compose.yml
- Go to the clearing-house-service repository and open clearing-house-processors project with your IDE and build it. Should be created a jar file named
clearing-house-processors-0.10.0.jar. - Copy this jar under
./data/trusted-connector/ - In the clearing-house under trusted-connector folder create a new folder with name
routes. In clearing-house-processors project there is an xml file undersrc/routesnamedclearing-house-routes.xml. Copyclearing-house-routes.xmltoroutesfolder. - After that the docker-compose.yml Should be like:
version: "3.7"
services:
tc-core-server:
container_name: "tc-core-server"
image: fraunhoferaisec/trusted-connector-core:7.2.0
tty: true
stdin_open: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data/trusted-connector/application.yml:/root/etc/application.yml
- ./data/trusted-connector/allow-all-flows.pl:/root/deploy/allow-all-flows.pl
- ./data/trusted-connector/server-keystore.p12:/root/etc/keystore.p12
- ./data/trusted-connector/truststore.p12:/root/etc/truststore.p12
- ./data/trusted-connector/clearing-house-processors-0.10.0.jar:/root/jars/clearing-house-processors.jar
- ./data/trusted-connector/routes/clearing-house-routes.xml:/root/deploy/clearing-house-routes.xml
environment:
TC_DAPS_URL: https://daps-dev.aisec.fraunhofer.de/v4
SERVICE_SHARED_SECRET: ${SERVICE_SHARED_SECRET}
TC_CH_ISSUER_CONNECTOR: "https://w3id.org/idsa/core/issuerConnector"
TC_CH_AGENT: "https://w3id.org/idsa/core/Agent"
SERVICE_ID_TC: tc-core-server
SERVICE_ID_LOG: logging-service
expose:
- "9999"
- "8443"
- "8080"
- "29292"
ports:
- "8443:8443"
- "9999:9999"
- "8080:8080"
- "29292:29292"
networks:
- ch_network
networks:
ch_network:
name: ch_network
driver: bridge
- The next step is to build the images for clearing house app part. There are 3 components.
logging-servicedocument-api,keyring-apiand their databases (mongo) - To build images for these components we need to go under
ids-clearing-house-servicefolder (the folder that we clone the clearing house repository). There is a directory nameddocker. - We should check if the entrypoint.sh is CLF or LF. If is CLF we should change it to LF. This can be done easily using Visual Studio. (This step make sense only if you try to deploy CH in Windows)
- After that, we should change some lines of 3 Docker files (document-api-multistage, keyring-api-multistage, logging-service-multistage)
- For each we should make these changes :
- In line 6 FROM
ubuntu:20.04-> TOubuntu:22.04 - In line 11 && apt-get --no-install-recommends install -y -q ca-certificates gnupg2 libssl1.1 libc6 -> && apt-get --no-install-recommends install -y -q ca-certificates gnupg2 libssl3 libc6
- Between COPY docker/entrypoint.sh. And ENTRYPOINT ["/server/entrypoint.sh"] add this command: RUN chmod 777 /server/entrypoint.sh
- In line 6 FROM
- Go to the upper folder and run the below commands to build the images
docker build -f docker/logging-service-multistage.Dockerfile . -t logging-servicedocker build -f docker/document-api-multistage.Dockerfile . -t document-apidocker build -f docker/keyring-api-multistage.Dockerfile . -t keyring-api
- After that type docker image ls. Should be existed 3 images.
- In the clearing-house folder we need to create some folders and copy some files from clearing-house-service repository.
- For now we have under
clearing-housefolder one subfolder nameddata. Insidedatawe have a folder namedtrusted-connector. In thedatafolder we need to create the following subfolders:certs,document-api,keyring-api->init_db(init_db is subfoler of keyring-api folder) ,keys,mongo->(document-api,keyring-api,logging-service(3 subfolders under mongo folder)). - Let’s copy some mandatory files form clearing-house-service repo to our project.
- Copy
ids-clearing-house-service/clearing-house-app/logging-service/Rocket.tomltoclearing-house/data - Copy
ids-clearing-house-service/clearing-house-app/document-api/Rocket.tomltoclearing-house/data/document-api - Copy
ids-clearing-house-service/clearing-house-app/keyring-api/Rocket.tomltoclearing-house/data/keyring-api - Copy
ids-clearing-house-service/clearing-house-app/keyring-api/init_db/default_doc_type.jsontoclearing-house/data/keyring-api/init_db - Copy
ids-clearing-house-service\clearing-house-app\certs\daps.derandids-clearing-house-service\clearing-house-app\certs\daps-dev.dertoclearing-house/data/certs - In keys folder we need to create a key. This could be happen if we run the following command :
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform der -out private_key.der - The final docker-compose.yml file should be like the below :
version: "3.7"
services:
tc-core-server:
container_name: "tc-core-server"
image: fraunhoferaisec/trusted-connector-core:7.2.0
tty: true
stdin_open: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data/trusted-connector/application.yml:/root/etc/application.yml
- ./data/trusted-connector/allow-all-flows.pl:/root/deploy/allow-all-flows.pl
- ./data/trusted-connector/server-keystore.p12:/root/etc/keystore.p12
- ./data/trusted-connector/truststore.p12:/root/etc/truststore.p12
- ./data/trusted-connector/clearing-house-processors-0.10.0.jar:/root/jars/clearing-house-processors.jar
- ./data/trusted-connector/routes/clearing-house-routes.xml:/root/deploy/clearing-house-routes.xml
environment:
TC_DAPS_URL: https://daps-dev.aisec.fraunhofer.de/v4
SERVICE_SHARED_SECRET: ${SERVICE_SHARED_SECRET}
TC_CH_ISSUER_CONNECTOR: "https://w3id.org/idsa/core/issuerConnector"
TC_CH_AGENT: "https://w3id.org/idsa/core/Agent"
SERVICE_ID_TC: tc-core-server
SERVICE_ID_LOG: logging-service
expose:
- "9999"
- "8443"
- "8080"
- "29292"
ports:
- "8443:8443"
- "9999:9999"
- "8080:8080"
- "29292:29292"
networks:
- ch_network
logging-service:
container_name: "logging-service"
image: "logging-service:latest"
depends_on:
- document-api
- keyring-api
- logging-service-mongo
environment:
# Allowed levels: Off, Error, Warn, Info, Debug, Trace
- API_LOG_LEVEL=Debug
- SERVICE_ID_LOG=logging-service
- SERVICE_ID_DOC=document-api
- SERVICE_ID_KEY=keyring-api
- SHARED_SECRET=${SERVICE_SHARED_SECRET}
ports:
- "8000:8000"
volumes:
- ./data/Rocket.toml:/server/Rocket.toml
- ./data/keys:/server/keys
- ./data/certs:/server/certs
networks:
- ch_network
document-api:
container_name: "document-api"
image: "document-api:latest"
depends_on:
- keyring-api
- document-mongo
environment:
# Allowed levels: Off, Error, Warn, Info, Debug, Trace
- API_LOG_LEVEL=Info
- SERVICE_ID_LOG=logging-service
- SERVICE_ID_DOC=document-api
- SERVICE_ID_KEY=keyring-api
- SHARED_SECRET=${SERVICE_SHARED_SECRET}
ports:
- "8001:8001"
volumes:
- ./data/document-api/Rocket.toml:/server/Rocket.toml
- ./data/certs:/server/certs
networks:
- ch_network
keyring-api:
container_name: "keyring-api"
image: "keyring-api:latest"
depends_on:
- keyring-mongo
environment:
# Allowed levels: Off, Error, Warn, Info, Debug, Trace
- API_LOG_LEVEL=Info
- SERVICE_ID_LOG=logging-service
- SERVICE_ID_DOC=document-api
- SERVICE_ID_KEY=keyring-api
- SHARED_SECRET=${SERVICE_SHARED_SECRET}
ports:
- "8002:8002"
volumes:
- ./data/keyring-api/init_db:/server/init_db
- ./data/keyring-api/Rocket.toml:/server/Rocket.toml
- ./data/certs:/server/certs
networks:
- ch_network
logging-service-mongo:
container_name: "logging-service-mongo"
image: mongo:latest
environment:
MONGO_INITDB_DATABASE: process
ports:
- "27019:27017"
volumes:
- ./data/mongo/logging-service:/data/db
networks:
- ch_network
document-mongo:
container_name: "document-mongo"
image: mongo:latest
environment:
MONGO_INITDB_DATABASE: document
ports:
- "27017:27017"
volumes:
- ./data/mongo/document-api:/data/db
networks:
- ch_network
keyring-mongo:
container_name: "keyring-mongo"
image: mongo:latest
environment:
MONGO_INITDB_DATABASE: keyring
ports:
- "27018:27017"
volumes:
- ./data/mongo/keyring-api:/data/db
networks:
- ch_network
networks:
ch_network:
name: ch_network
driver: bridge
The final Tree of CH Project should be like the below:
clearing-house
¦ .env
¦ docker-compose.yml
¦
+---data
¦ Rocket.toml
¦
+---certs
¦ daps-dev.der
¦ daps.der
¦
+---document-api
¦ Rocket.toml
¦
+---keyring-api
¦ ¦ Rocket.toml
¦ ¦
¦ +---init_db
¦ default_doc_type.json
¦
+---keys
¦ private_key.der
¦
+---mongo
¦ +---document-api
¦ +---keyring-api
¦ +---logging-service
+---trusted-connector
¦ allow-all-flows.pl
¦ application.yml
¦ clearing-house-processors-0.10.0.jar
¦ server-keystore.p12
¦ truststore.p12
¦
+---routes
clearing-house-routes.xml
Execute the following command docker-compose up –d in the directory where the docker-compose.yml is located
For using connector console open a browser and browse to http://<your_ip>:8080 . The default credentials are username: ids password: ids
The documentation that describes the communication between an IDS Clearing House and IDS Connector using the Multipart protocol can be found here:
https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/Communication/protocols/multipart#42-clearing-house-interactions
An example of Clearing House REST API can be found here:
https://www.postman.com/crimson-escape-67103/workspace/clearing-house/request/13905546-c4ba3b82-36f1-4131-bd08-4c1ba72a5cb6