This repository contains the source code of the TNG Key Distribution Service.
The TNG Key Distribution Service is part of the national backends of the participants and caches the public keys that are distributed through the Trust Network Gateway (TNG). It can be accessed by clients distributed by the participants to update their local key store periodically, e.g. for offline verification scenarios.
Note: The Key Distribution Service needs a connection to the gateway in order to run. There is no standalone version available.
- Open JDK 21
- Maven
- Docker
- An installation of the TNG
- Keys to access the TNG via the DDCC Connector of the DDCC-Gateway-Lib
- Authenticate to Github Packages
For accessing a local development installation of the TNG, appropriate private/public key material must be generated. As the gateway checks the key usages of the certificates, you can either follow the information given at the WHO Concepts Certificate Governance Site or use the generation script provided in the 'participants template' repository on GitHub.
For accessing the TNG a participant must be onboarded following the WHO onboarding procedure which will give access to the TNG API.
For more information on how to generate certificates for TNG and how to run your own local one, please have a look in the documentation of the TNG.
As some of the required libraries (and/or versions) are pinned/available only from GitHub Packages, you need to authenticate to GitHub Packages. The following steps need to be followed:
- Create PAT with scopes:
  - read:packages for downloading packages
- Copy/Augment ~/.m2/settings.xml with the contents of settings.xml present in this repository
  - Replace ${app.packages.username} with your GitHub username
  - Replace ${app.packages.password} with the generated PAT
- Run docker login docker.pkg.github.com/worldhealthorganization before running further docker commands.
  - Use your GitHub username as username
  - Use the generated PAT as password
For further information about the keys and certificates needed, please refer to the documentation of the TNG and the DDCC-Gateway-Lib.
Whether you cloned or downloaded the 'zipped' sources you will either find the sources in the chosen checkout-directory or get a zip file with the source code, which you can expand to a folder of your choice.
In either case open a terminal pointing to the directory you put the sources in. The local build process is described afterwards depending on the way you choose.
Building this project is done with maven.
- Check settings.xml in the root folder of this git repository as example. Copy the servers to your own ~/.m2/settings.xml in order to connect the GitHub repositories we use in our code. Provide your GitHub username and access token (see GitHub Help) under the variables suggested.
- Run the following command from the project root folder
  mvn clean install
All required dependencies will be downloaded, the project built and the artifact stored in your local repository.
- Perform maven build as described above
- Place the keys and certificates named above into the certs folder.
- Adjust the values in the docker-compose.yml file to fit the url for the gateway you use and your keys and certificates you have to access it.
  - DGC_GATEWAY_CONNECTOR_ENDPOINT=https://dgc-gateway.example.com
  - DGC_GATEWAY_CONNECTOR_TLSTRUSTSTORE_PATH=file:/ec/prod/app/san/dgc/tls_trust_store.p12
  - DGC_GATEWAY_CONNECTOR_TLSTRUSTSTORE_PASSWORD=dgcg-p4ssw0rd
  - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_ALIAS=1
  - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PATH=file:/ec/prod/app/san/dgc/tls_key_store.p12
  - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PASSWORD=dgcg-p4ssw0rd
  - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_ALIAS=ta
  - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PATH=file:/ec/prod/app/san/dgc/trust_anchor.jks
  - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PASSWORD=dgcg-p4ssw0rd
Note: Leave the path as is and only change the file names, as the certs folder will be mapped to this folder inside the docker container.
- Run the following command from the project root folder
docker-compose up --build
After all containers have started, you will be able to reach the service on your local machine under port 8080.
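A preflight check for the docker-compose.yml settings described above, to run before docker-compose up: it reports store passwords still set to the value shown in this README and store files that the *_PATH settings reference but the certs folder lacks. This is an added example, not part of this repository; the function names and the sample compose fragment are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the DGC_GATEWAY_CONNECTOR_* settings.
SAMPLE_PASSWORD='dgcg-p4ssw0rd'   # value shown in this README

# Print each connector KEY=VALUE pair found in a compose file.
connector_settings() {
  grep -oE 'DGC_GATEWAY_CONNECTOR_[A-Z_]+=[^[:space:]"]+' "$1"
}

# Print the *_PASSWORD keys that still hold the README's sample value.
default_passwords() {
  connector_settings "$1" | while IFS='=' read -r key value; do
    case "$key" in
      *_PASSWORD)
        if [ "$value" = "$SAMPLE_PASSWORD" ]; then echo "$key"; fi ;;
    esac
  done
}

# Print file names referenced by *_PATH keys that are absent from the local
# certs folder (the folder that is mapped into the container).
missing_cert_files() {
  connector_settings "$1" | while IFS='=' read -r key value; do
    case "$key" in
      *_PATH)
        if [ ! -f "$2/${value##*/}" ]; then echo "${value##*/}"; fi ;;
    esac
  done
}

# Write a constructed compose fragment and certs folder for demonstration.
make_sample() {
  mkdir -p "$1/certs"
  : > "$1/certs/tls_key_store.p12"
  cat > "$1/docker-compose.yml" <<'EOF'
    environment:
      - DGC_GATEWAY_CONNECTOR_ENDPOINT=https://dgc-gateway.example.com
      - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PATH=file:/ec/prod/app/san/dgc/tls_key_store.p12
      - DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PASSWORD=changed-locally
      - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PATH=file:/ec/prod/app/san/dgc/trust_anchor.jks
      - DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PASSWORD=dgcg-p4ssw0rd
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
echo "sample passwords still set: $(default_passwords "$demo/docker-compose.yml")"
echo "missing from certs/: $(missing_cert_files "$demo/docker-compose.yml" "$demo/certs")"
rm -rf "$demo"
```

Against a real checkout, call default_passwords docker-compose.yml and missing_cert_files docker-compose.yml certs from the project root; empty output from both means neither problem was found.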
The following channels are available for discussions, feedback, and support requests:
Type | Channel |
---|---|
Issues | |
Other requests |
Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines. By participating in this project, you agree to abide by its Code of Conduct at all times.
Our commitment to open source means that we are enabling -in fact encouraging- all interested parties to contribute and become part of its developer community.
Copyright (C) 2021 T-Systems International GmbH and all other contributors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE for the specific language governing permissions and limitations under the License.