Debbie - Validation Service
- Armando Carratala
- Julio D'Angelo
- Nestor Markowicz
Description
Debbie is a tool used to validate certificates and signatures. Its REST interface allows an easy way to obtain a JSON response that indicates if a signature is valid and if it complies with a validation policy.
Its services can be configured to respond over an HTTP or HTTPS protocol.
Debbie is available as a docker distribution or as a service (ASS).
If you need to run Debbie as a service on Windows or Linux OS platforms please contact us.
Connectivity
To perform the certificate status validation, and depending on the elements and policies that are configured, Debbie requires access to the services provided by a Certificate Authority.
These services are usually accessible through HTTP, both for the publication of the List of Revoked Certificates (CRL) and for OCSP (Online Certificate Status Protocol) services. It is convenient that you consider this need.
Service & Policy
Debbie responds to the requests in each of the URLs defined in its configuration files. Each defined policy must have its own unique URL, and these cannot be a defined URL within another.
At least one policy must be defined to start the service.
CertiSur, to perform tests of the service, makes available the following URL where the service can be accessed:
https://homo-debbie.certisur.com/<tenant>
Service configuration
The following section explains the parameters needed to configure a Debbie service deployment.
Tenant Policy Configuration
Every Debbie policy configuration file has two well-defined sections that must be configured in order to validate an End User Certificate for a given tenant.
Usage and Integration
The following section shows the different ways to request signature validations and how to interpret the corresponding responses.
Step 1- Download the Docker image
In order to download the images, the user must be registered on the aforesaid platform. Contact CertiSur to request access, and inform the Docker Hub profile to grant access to the docker image.
Login using a Docker Hub account:
# docker login -u <docker hub account> Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded
Inform your docker hub account
You have to inform your docker hub account in order to authorize to download of the package. Send an email to support@certisur.com.
Security warning
It is possible to save the user’s credentials so as to log in safely following the steps on this link(https://docs.docker.com/engine/reference/commandline/login/#credentials-store).
Step 2- Pulling an image from Docker
# docker pull certisursa/debbie:latest latest: Pulling from certisursa/debbie a02a4930cb5d: Pull complete b5ffff9dbcda: Pull complete ... 7e5f58de12ac: Pull complete Digest: sha256:332ee89371399b7c6235465beb00fbd2071868fecee33fc14d04b87ba99b265d Status: Downloaded newer image for certisursa/debbie:latest docker.io/certisursa/debbie:latest
Step 3- Run Debbie docker image
To run Debbie container you have to execute the following command line:
# docker run -d \ -it \ -p <external_port>:8080 \ -v <debbie_config_folder>:/app/config/ \ -v <debbie_log_folder>:/app/log/ \ -v <debbie_doc_repository_folder>:/app/repository/ \ debbie
It is necessary to overwrite the directory where the configuration of the tenants is located. The volume configuration is explained below.
Volumes
The following volumes must be mounted on the Docker image to overwrite the variables of each defined tenant.
| Source (host) | Path (container) | Description |
|---|---|---|
| /home/opera/docker/debbie/config | /app/config | configuration files |
| /home/opera/docker/debbie/log | /app/log | log files |
| /home/opera/docker/debbie/repository | /app/repository | doc repository |
Step 4- Test Debbie
Execute the following command to run the default Debbie docker container
# docker run -d \ -it \ --name debbie \ -p 8080:8080 \ certisursa/debbie:latest
Open your browser pointing to http://localhost:8080/acme/healthcheck (or the port defined by you) to access the URL where you published your Debbie installation. You'll see the following image.
| If you can see this image means that you have Debbie running into your docker container. |
|
Debbie default configuration
Debbie's docker image includes an ACME tenant inside. You must overwrite that definition to include your own company or project tenants.
After you have Debbie running on your own container, you can add a custom tenant following the next steps:
Step 5- Download a custom example (looney) and customize
Download the files from the following link looney-validation-demo.tgz.
Configure your docker-compose file to mount the following volumes.
| External directory | Container directory |
|---|---|
./debbie/config | /app/config |
./debbie/repository | /app/repository |
./debbie/logs | /app/log |
Note: ./debbie/config external directory is the directory included in the example tenant config file (looney-validation-demo.tgz) that you downloaded and stored on your local computer.
Step 6- Configure docker-compose.yml and restart the container
Use the previous variables and volume mappings to define the new configuration, in this example as a docker_compose.yml file.
version: '3'
services:
debbie:
image: certisursa/debbie:latest
volumes:
- "./debbie/config:/app/config"
- "./debbie/repository:/app/repository"
- "./debbie/logs:/app/log"
ports:
- 8081:8080
Launch the container from a shell
> docker-compose --verbose -f docker-compose.yml up -d
Open your browser pointing to http://localhost:8081/looney/healthcheck (or the port defined by you) to access the URL where you published your Debbie installation. You'll see the following image.
| If you can see this image means that you have Debbie running into your docker container. |
|
