TAK Server 5.0-RELEASE-30

README.md

@@ -56,7 +56,7 @@ This is the CoreConfig that takserver war will look for when running from the ta
 
 See appendix B in src/docs/TAK_Server_Configuration_Guide.pdf for cert generation instructions.
 
-### Build and run TAK server locally for development
+### Build TAK server to run locally for development
 
 Note that due to Java 17, there are a lot of '--add-opens' arguments in the JDK_JAVA_OPTIONS
 ```
@@ -67,20 +67,30 @@ export IGNITE_HOME="$PWD/ignite"
 export JDK_JAVA_OPTIONS="-Dloader.path=WEB-INF/lib-provided,WEB-INF/lib,WEB-INF/classes,file:lib/ -Djava.net.preferIPv4Stack=true -Djava.security.egd=file:/dev/./urandom -DIGNITE_UPDATE_NOTIFIER=false -DIGNITE_QUIET=true -Dio.netty.tmpdir=$PWD -Djava.io.tmpdir=$PWD -Dio.netty.native.workdir=$PWD -Djdk.tls.client.protocols=TLSv1.2  --add-opens=java.base/sun.security.pkcs=ALL-UNNAMED --add-opens=java.base/sun.security.pkcs10=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.base/sun.security.tools.keytool=ALL-UNNAMED --add-opens=java.base/jdk.internal.misc=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.management/com.sun.jmx.mbeanserver=ALL-UNNAMED --add-opens=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED --add-opens=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.locks=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED --add-opens=java.sql/java.sql=ALL-UNNAMED --add-opens=java.base/javax.net.ssl=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=jdk.unsupported/sun.misc=ALL-UNNAMED --add-opens=java.base/java.lang.ref=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.security.ssl=ALL-UNNAMED --add-opens=java.base/java.security.cert=ALL-UNNAMED --add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.ssl=ALL-UNNAMED --add-opens=java.base/sun.security.x500=ALL-UNNAMED --add-opens=java.base/sun.security.pkcs12=ALL-UNNAMED --add-opens=java.base/sun.security.provider=ALL-UNNAMED --add-opens=java.base/javax.security.auth.x500=ALL-UNNAMED"
 
 ```
+### Running TAK server locally for development
 
-TAK server consists of two processes: Messaging and API. The messaging process can run independently, but the API process needs to connect to the ignite server that runs as a part of the messaging process. For both processes, -Xmx should always be specified.
+TAK server consists of three processes: Configuration, Messaging and API. 
 
-Run Messaging (note - this command and the following one to run api include the **duplicatelogs** profile. This turns off the filter that blocks duplicated log messages that cause log spam in operational deployments of TAK Server.
+The configuration process needs to be running first in order for the Messaging, API or any other services to retrieve the centralized configuration.  This is separate from the TAKIgniteConfiguration that is loaded **per service** using defaults or the overridden values in TAKIgniteConfig.xml.  
+
+The messaging process can run independently, but the API process may need to connect to the ignite server that runs as a part of the messaging process if it is not configured to run its own Ignite server. For both processes, -Xmx should always be specified.
+
+Note - These commands include the **duplicatelogs** profile. This turns off the filter that blocks duplicated log messages that cause log spam in operational deployments of TAK Server.
+
+#### Run Configuration Microservice
+```
+java -server -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -Xmx<value> -Dspring.profiles.active=config,duplicatelogs -jar ../build/libs/takserver-core-xyz.war
+```
+#### Run Messaging Microservice
 ```
 java -server -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -Xmx<value> -Dspring.profiles.active=messaging,duplicatelogs -jar ../build/libs/takserver-core-xyz.war
 ```
-
-Run API
+#### Run API Microservice
 ```
 java -server -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -Xmx<value> -Dspring.profiles.active=api,duplicatelogs -Dkeystore.pkcs12.legacy -jar ../build/libs/takserver-core-xyz.war
 ```
 
-Run Plugin Manager (useful when working on plugin capability)
+#### Run Plugin Manager Microservice (optional - useful when working on plugin capability)
 ```
 java -server -XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ScavengeBeforeFullGC -XX:+DisableExplicitGC -Xmx<value> -jar ../../takserver-plugin-manager/build/libs/takserver-plugin-manager-xyz.jar 
 ```
@@ -150,10 +160,12 @@ i.e.
 
 The TAK Server log files can be found in the _logs_ subdirectory:
 
-1. _takserver-messaging.log_ - Execution-level information about the messaging process, including client connection events, error messages and warnings.
-2. _takserver-api.log_ - Execution-level information about the API process, including error messages and warnings.
-3. _takserver-messaging-console.log_ - Java Virtual Machine (JVM) informational messages and errors, for the messaging process.
-4. _takserver-api-console.log_ - Java Virtual Machine (JVM) informational messages and errors, for the API process.
+1. _takserver-config.log_ - Execution-level information about the configuration process including setup, error messages and warnings.
+2. _takserver-messaging.log_ - Execution-level information about the messaging process, including client connection events, error messages and warnings.
+3. _takserver-api.log_ - Execution-level information about the API process, including error messages and warnings.
+4. _takserver-config-console.log_ - Java Virtual Machine (JVM) informational messages and errors, for the config process.
+5. _takserver-messaging-console.log_ - Java Virtual Machine (JVM) informational messages and errors, for the messaging process.
+6. _takserver-api-console.log_ - Java Virtual Machine (JVM) informational messages and errors, for the API process.
 
 ## Swagger
 https://localhost:8443/swagger-ui.html

src/docs/README_fedhub.md

@@ -1,6 +1,7 @@
+
 # TAK Server Federation Hub
 
-*Requires Java 11.*
+*Requires Java 17.*
 
 ## Description
 
@@ -37,18 +38,97 @@ To build the .rpm for the Federation Hub, run:
 2. broker 
 3. UI (optional)
 
-## Install and Run
+## Install and Run RHEL7
+Update yum
+
+```
+sudo yum update -y
+```
+
+Install Java 17
+```
+sudo yum install wget -y
+sudo wget https://download.oracle.com/java/17/latest/jdk-17_linux-x64_bin.rpm
+sudo yum install -y ./jdk-17_linux-x64_bin.rpm
+```
+
+To install from the .rpm, run:
+
+```
+sudo rpm -ivh takserver-fed-hub-*.noarch.rpm --nodeps
+```
+
+## Install and Run RHEL8
+Update yum
+
+```
+sudo dnf update -y
+```
+
+Install Java 17
+```
+sudo dnf install java-17-openjdk-devel -y
+```
 
 To install from the .rpm, run:
 
 ```
-sudo yum install federation-hub-*.noarch.rpm
+sudo yum install takserver-fed-hub-*.noarch.rpm -y
+```
+
+Add and Apply SELinux
+```
+sudo dnf install checkpolicy
+cd /opt/tak/federation-hub && sudo ./apply-selinux.sh && sudo semodule -l | grep takserver
 ```
 
+## Install Mongo
+Make sure /opt/tak/federation-hub/configs/federation-hub-broker.yml has your database credentials defined. Defaults will be generated otherwise
+```
+dbUsername: martiuser
+dbPassword: pass4marti
+```
+
+Mongo Setup
+```
+sudo yum install -y mongodb-org
+sudo systemctl daemon-reload
+sudo systemctl enable mongod
+sudo systemctl restart mongod
+sudo /opt/tak/federation-hub/scripts/db/configure.sh
+```
+
+## Update from RPM
+Before updating the Federation Hub, you should back up the policy file and list of authorized users:
+
+```
+mv /opt/tak/federation-hub/ui_generated_policy.json /tmp
+mv /opt/tak/federation-hub/authorized_users.yml /tmp
+```
+
+RHEL7
+```
+sudo rpm -Uvh takserver-fed-hub-*.noarch.rpm --nodeps
+```
+
+RHEL8
+```
+sudo yum upgrade takserver-fed-hub-*.noarch.rpm
+```
+
+The policy and authorized can then be replaced:
+```
+mv /tmp/ui_generated_policy.json /opt/tak/federation-hub/
+mv /tmp/authorized_users.yml /opt/tak/federation-hub/
+```
+
+## Configuration
+**The Federation Hub authenticates clients using TLS with X.509 client certificates. Scripts for generating a private security enclave, including a Certificate Authority (CA), and certs for use by the Federation Hub are in the TAK server documentation. See the TAK server configuration guide (docs/TAK_Server_Configuration_Guide.pdf) for additional information.**
+
 The Federation Hub can then be started as a system service (and enabled to run on boot):
 
 ```
-sudo systemctl start federation-hub
+sudo systemctl restart federation-hub
 sudo systemctl enable federation-hub
 ```
 
@@ -64,8 +144,6 @@ The Federation Hub consists of three processes: a policy manager, an administrat
 
 ## Client Authentication and Authorization
 
-The Federation Hub authenticates clients using TLS with X.509 client certificates. Scripts for generating a private security enclave, including a Certificate Authority (CA), and certs for use by the Federation Hub are in the TAK server documentation. See the TAK server configuration guide (docs/TAK_Server_Configuration_Guide.pdf) for additional information.
-
 To authorize clients to act as administrators and enable access to the admin UI, use `federation-hub-manager.jar`:
 
 ```

src/federation-common/build.gradle

@@ -8,14 +8,15 @@ dependencies {
   implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4j_version
   implementation group: 'org.slf4j', name: 'log4j-over-slf4j', version: slf4j_version
 
+  implementation(project(':takserver-common'))
   api project(':takserver-fig-core')
 
   // Apache Ignite (cache and distributed service grid).
 //  implementation group: 'org.apache.ignite', name: 'ignite-spring', version: ignite_spring_version
 //  implementation group: 'org.apache.ignite', name: 'ignite-spring-cache-ext', version: ignite_spring_cache_version
   implementation group: 'org.springframework', name: 'spring-beans', version: spring_version
   implementation group: 'org.springframework', name: 'spring-context', version: spring_version
-
+  implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-mongodb', version: spring_boot_version
 
   implementation group: 'org.apache.ignite', name: 'ignite-kubernetes', version: ignite_version
   implementation group: 'org.apache.ignite', name: 'ignite-slf4j', version: ignite_version

src/federation-common/docker/Dockerfile.fedhub-db

@@ -0,0 +1,7 @@
+FROM mongo:6.0
+
+COPY tak/federation-hub/scripts/db /opt/tak/federation-hub/scripts/db
+
+RUN mkdir -p /var/lib/mongodb
+
+ENTRYPOINT ["/bin/sh","-c","/opt/tak/federation-hub/scripts/db/configureInDocker.sh && tail -f /dev/null"]

src/federation-common/src/main/java/tak/server/federation/FederateGroup.java

@@ -23,42 +23,6 @@ public FederateGroup(FederateIdentity federateIdentity) {
         this.filterExpression = "";
     }
 
-    public FederateGroup(FederateIdentity federateIdentity, boolean interconnected) {
-        super(federateIdentity);
-        this.interconnected = interconnected;
-        this.federatesInGroup = new HashSet<>();
-        this.filterExpression = "";
-    }
-
-    /* If there is a group filter expression, the group is interconnected. */
-    public FederateGroup(FederateIdentity federateIdentity, String filterExpression) {
-        super(federateIdentity);
-        this.interconnected = true;
-        this.filterExpression = filterExpression;
-        this.federatesInGroup = new HashSet<>();
-    }
-
-    public FederateGroup(String name, FederateIdentity federateIdentity) {
-        super(name, federateIdentity);
-        this.interconnected = true;
-        this.federatesInGroup = new HashSet<>();
-        this.filterExpression = "";
-    }
-
-    public FederateGroup(String name, FederateIdentity federateIdentity, boolean interconnected) {
-        super(name, federateIdentity);
-        this.interconnected = interconnected;
-        this.federatesInGroup = new HashSet<>();
-        this.filterExpression = "";
-    }
-
-    /* If there is a group filter expression, the group is interconnected. */
-    public FederateGroup(String name, FederateIdentity federateIdentity, String filterExpression) {
-        super(name, federateIdentity);
-        this.interconnected = true;
-        this.filterExpression = filterExpression;
-        this.federatesInGroup = new HashSet<>();
-    }
 
     public boolean isInterconnected() {
         return interconnected;

src/federation-common/src/main/java/tak/server/federation/FederationException.java

@@ -24,7 +24,7 @@ public FederationException(String additionalInformation, Throwable failureCausin
     @Override
     public String toString() {
         Throwable cause = this.getCause();
-        if(cause == null) {
+        if (cause == null) {
             return this.getMessage();
         } else if (this.additionalInformation == null) {
             return cause.toString();

src/federation-common/src/main/java/tak/server/federation/FederationFilter.java

@@ -31,7 +31,7 @@ public String getMethodName() {
     }
 
     public void addMessageAttribute(String key, Object value) {
-        if(isValueValidType(value)) {
+        if (isValueValidType(value)) {
             messageAttributes.put(key, value);
         }
     }
@@ -41,7 +41,7 @@ public Map<String, Object> getMessageAttributes() {
     }
 
     public void addSourceAttribute(String key, Object value) {
-        if(isValueValidType(value)) {
+        if (isValueValidType(value)) {
             sourceAttributes.put(key, value);
         }
     }
@@ -51,7 +51,7 @@ public Map<String, Object> getSourceAttributes() {
     }
 
     public void addDestinationAttribute(String key, Object value) {
-        if(isValueValidType(value)) {
+        if (isValueValidType(value)) {
             destinationAttributes.put(key, value);
 
         }