Docker – REST API Setup
This guide walks you through setting up the REST API using Docker and Docker Compose. It assumes that the following prerequisites are already installed and configured:
What This Guide Covers
This step-by-step guide will help you set up the REST API in a development environment using Docker:
- Download Configuration Files
- Configure Docker Compose
- Configure the REST API
- Start and Test the Application
Step 1: Download configuration files
Head to the Downloads page to get instructions on how to get the software and credentials.
Step 2: Configure Docker-Compose
Unzip the configuration-files and open the docker-compose.yml
file
nano docker-compose.yml
- MySQL / MariaDB
- PostgreSQL
Configure the Database image:
- Linux (Hosts) - MariaDB:
docker.io/mariadb:10.4
- Windows - Docker Desktop:
mysql:8.0
securosys_sql:
image: docker.io/mariadb:10.4
#image: bitnami/postgresql:latest
#image: mysql:8.0 # uncomment for Windows (Docker Desktop)
Set Database User and Password (MySQL / MariaDB)
environment:
# Configuration for MySQL / MariaDB
- MYSQL_USER=replace-me_db-username # REPLACE with your credentials
- MYSQL_PASSWORD=replace-me_db-password # REPLACE with your credentials, ${MARIADB_PASSWORD} # Use environment variable for password security
- MYSQL_DATABASE=securosys
- MYSQL_PORT=3306
- MYSQL_ROOT_PASSWORD=replace-me_db-root-password # REPLACE with your credentials
- MYSQL_LOWER_CASE_TABLE_NAMES=0
Switch to the PostgreSQL Image
Comment out the MariaDB line and uncomment the PostgreSQL line:
securosys_sql:
#image: docker.io/mariadb:10.4
image: bitnami/postgresql:latest
Update Volumes for PostgreSQL
Comment the MariaDB volume and uncomment the PostgreSQL volume:
volumes:
# Configuration for MySQL / MariaDB
#- securosys_sql_data:/var/lib/mysql
#- ./config-files/certs/db:/etc/mysql/certs:ro
#- ./custom.cnf:/etc/mysql/conf.d/custom.cnf:ro
# Configuration for PostgreSQL
- securosys_sql_data:/bitnami/postgresql
#- ./config-files/certs/db:/opt/bitnami/postgresql/certs:ro
Set Environment Variables (PostgreSQL)
Comment the MariaDB environment variables and uncomment the PostgreSQL variables:
environment:
# Configuration for MySQL / MariaDB
#- MYSQL_USER=replace-me_db-username # REPLACE with your credentials
#- MYSQL_PASSWORD=replace-me_db-password # REPLACE with your credentials, ${MARIADB_PASSWORD} # Use environment variable for password security
#- MYSQL_DATABASE=securosys
#- MYSQL_PORT=3306
#- MYSQL_ROOT_PASSWORD=replace-me_db-root-password # REPLACE with your credentials
#- MYSQL_LOWER_CASE_TABLE_NAMES=0
# Configuration for PostgreSQL
- POSTGRESQL_USERNAME=replace-me_db-username # REPLACE with your credentials
- POSTGRESQL_PASSWORD=replace-me_db-password # REPLACE with your credentials, ${POSTGRES_PASSWORD} # Use environment variable for password security
- POSTGRESQL_DATABASE=securosys
- POSTGRESQL_MAX_CONNECTIONS=200
##- POSTGRESQL_REPLICATION_MODE=master
##- POSTGRESQL_REPLICATION_USER=replicator
##- POSTGRESQL_REPLICATION_PASSWORD=xxxx
##- POSTGRESQL_ENABLE_TLS=yes
##- POSTGRESQL_TLS_CERT_FILE=/opt/bitnami/postgresql/certs/server.crt
##- POSTGRESQL_TLS_KEY_FILE=/opt/bitnami/postgresql/certs/server.key
- Set passwords withouth special-characters and 30-bytes long.
- It is strongly recommended to define all database passwords during initial setup, as changing them later may lead to connection issues.
- Consider adding a
restart: always
policy underservices.securosys_sql
indocker-compose.yml
to ensure the SQL server automatically restarts on failure or host reboot.
Step 3: Configure the Rest-API
Open the application configuration file:
nano config-files/application-local.yml
Set Database User and Password (MySQL / MariaDB)
- MySQL / MariaDB
- PostgreSQL
- Ensure the
username
andpassword
match the ones defined in yourdocker-compose.yml
.
### MariaDB (default database)
spring:
datasource:
url: jdbc:mariadb://securosys_sql:3306/securosys?allowPublicKeyRetrieval=true&sslMode=false
#url: jdbc:mariadb://securosys_sql:3306/securosys?sslMode=verify-ca&trustStore=/etc/app/config/truststore.jks&trustStorePassword=change-it
username: replace-me_db-username # REPLACE according to the `MYSQL_USER` in the docker-compose.yml file
password: replace-me_db-password # REPLACE according to the `MYSQL_PASSWORD` in the docker-compose.yml file
- Make sure the
username
andpassword
are the same as configured indocker-compose.yml
- Make sure you use the correct database url:
jdbc:postgresql:
### PostgreSQL (Comment section above & uncomment the section below if PostgreSQL is used)
spring:
datasource:
url: jdbc:postgresql://securosys_psql:5432/securosys?allowPublicKeyRetrieval=true&sslMode=false
username: replace-me_db-username # REPLACE according to the `POSTGRES_USER` in the docker-compose.yml file
password: replace-me_db-password # REPLACE according to the `POSTGRES_PASSWORD` in the docker-compose.yml file
Configure the HSM Connection
If using Securosys CloudHSM, update the following values using the details provided on the HSMaaS - Connectivity Details
##HSM CONFIGURATION
hsm:
host: 'ch01-api.cloudshsm.com,ch02-api.cloudshsm.com' # REPLACE with the hsm URL or IP
port: '2300' # REPLACE with HSM JCE-Port
user: replace-me_hsm-username # REPLACE with your HSM username (PartitionName)
setupPassword: replace-me_hsm-setupPassword # REPLACE with your HSM SetupPassword
encryptionPassword: replace-me_db-encryptionPassword # REPLACE it is used to encrypt the hsm user secret, stored in the database
Best to not use special characters in
encryptionPassword
and is at least 30 bytes long.
hsm.host
- Specify multiple hosts separated by commas, and the RestAPI will randomly select one host, falling back to the others if the first one fails (e.g., hsm.host: 'grimsel.securosys.ch,nufenen.securosys.ch').
- Provide multiple hosts separated by semicolons, and the RestAPI will always choose the first record, falling back to the others if the first one fails (e.g., hsm.host: 'grimsel.securosys.ch;nufenen.securosys.ch').
Step 4: Start the application
Log in to the container registry:
docker login securosys.jfrog.io -u robot.reader.tsb
You will be prompted for a password:
Password: #<ENTER PASSWORD FROM DOWNLOAD-LINK FILE> # if not know, check the Download page.
If you’re unsure of the password location, refer to the Downloads page.
Start the application in detached mode (-d):
docker-compose up -d
Open Swagger
Open the (Swagger) to interact with the API in your browser: http://localhost:8080/swagger-ui/index.html
Test with CURL
curl http://localhost:8080/v1/licenseInfo
Response:
{"clientFlags":["IMPORT","EXPORT","EXTRACT","KEY_AUTH","REST_API","TSB_ENGINE","EXTERNAL_STORAGE","DESTROY_OBJECTS","EXPORT_LOGS","EXTENDED_KEY_ATTRIBUTES","BTC","ETH","RIPPLE","IOTA","ROOT_KEY_STORE","TIMESTAMP_SERVICE","USEABLE_OBJECTS","CARDANO","PERSISTENT_EXTERNAL_OBJ","KYBER","DILITHIUM","SPHINCSPLUS","LMS","XMSS"]}
Listing Keys
curl -v http://localhost:8080/v1/key
Response:
['attestation-key', 'timestamp-key']
This guide outlines a default setup of the REST API without HTTPS and without API authentication.
It is intended for development and testing purposes only and must not be used in production environments.
To harden the application you can follow the guides below.
What's next?
- Configure HTTPS
- Configure Database TLS
- Setup API Authentication
- Follow the instructions to Create a Key and use it to encrypt and decrypt a payload
- Full installation Guide here