v2.1.05 Upgrade Notes

MOPS 4.0 version 2.1.5

Services have been changed to cache the identity issuer's public keys (JWKS). Add (++) the following lines to the security section of the configuration files mops-dir.config, mops-dd.config and mops-pqis-core.config:

"jwks_cache": true,                    // ++
"jwks_cache_folder": "c:\\mops\\cache" // ++

Update the configuration files mentioned above and create a folder named jwks inside the configured cache folder.
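An added post-upgrade check (not part of these notes or the MOPS tooling): it verifies that each of the three configuration files above carries the new settings and that the cache folder and its jwks subfolder exist. It assumes the files are plain JSON with a top-level "security" object.

```python
import json
import os
import sys
from pathlib import Path

# Constructed check, not part of the MOPS upgrade notes: the three service
# configuration files named in the notes, assumed to be plain JSON files with a
# top-level "security" object.
SERVICE_CONFIGS = ["mops-dir.config", "mops-dd.config", "mops-pqis-core.config"]


def check_jwks_cache(config, exists=os.path.isdir):
    """Return a list of problems with the JWKS cache settings of one config.

    `exists` is injectable so the check can run against constructed data.
    """
    problems = []
    security = config.get("security")
    if not isinstance(security, dict):
        return ["missing 'security' section"]
    if security.get("jwks_cache") is not True:
        problems.append("'jwks_cache' must be true")
    folder = security.get("jwks_cache_folder")
    if not isinstance(folder, str) or not folder:
        problems.append("'jwks_cache_folder' must be a non-empty path")
        return problems
    if not exists(folder):
        problems.append(f"cache folder does not exist: {folder}")
    # The notes require a folder named "jwks" inside the cache folder.
    jwks_dir = os.path.join(folder, "jwks")
    if not exists(jwks_dir):
        problems.append(f"jwks folder does not exist: {jwks_dir}")
    return problems


def check_all(config_dir):
    """Run check_jwks_cache over every service configuration in config_dir."""
    results = {}
    for name in SERVICE_CONFIGS:
        with open(Path(config_dir) / name, encoding="utf-8") as fh:
            results[name] = check_jwks_cache(json.load(fh))
    return results


if __name__ == "__main__":
    config_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, problems in check_all(config_dir).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```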

General configuration

New containers have been added to the application.

  • Replace the current docker-compose.yml file with the new one from v2.1.5.
  • Replace IMAGE, ENABLED and REGISTRY related settings in .env with new settings from v2.1.5.

Database

Schema and Metadata

This release has both schema and metadata updates. Make sure you run the upgrade scripts to get the database schema updates and the seed scripts to get the metadata updates.

For CMS, the tank order level component/display has been updated, so the CMS metadata needs to be updated.

Multiple Identity Provider Support

Support has been added for Multiple Identity Providers (IDPs).

With the introduction of Multiple Identity Provider support, an Internal Identity Provider is also provided, which needs to be configured as well.

Configure Internal Identity Provider

The configuration folder conf/keycloak needs to be created. Copy the template configuration file templates/conf/keycloak/keycloak.conf to the created folder. Replace {{databaseServer}} and {{databasePort}} with the corresponding values; the container database uses mops4.0-db01 and 5432 respectively.

Replace {{hostname}} with the URL used to access the Identity Provider. It is preferred to set the hostname to the Fully Qualified Domain Name (FQDN) of the machine running the software. The FQDN can be fetched with

$([System.Net.Dns]::GetHostEntry($(hostname)).HostName).ToLower()

Port 28443 also needs to be appended to the hostname.

Example hostname: https://test.tl.pvt:28443

Certificates are required to enable HTTPS traffic to the Internal Identity Provider. Customers are now required to supply the application with a trusted certificate (public and private keys). A temporary solution is to use a self-signed certificate and add it to the browser's trust store. Self-signed certificates can be created with tools/New-SelfSignedCert.ps1.

The certificate (public and private key) should be placed in the cert folder.

Example usage:

New-SelfSignedCert.ps1 -OpenSSL .\v2.1.5\tools\openssl\openssl.exe -OpenSSLConfig .\v2.1.5\tools\openssl\openssl.cnf -Path .\mops\cert\ -BaseName cert

Ensure that the certificate file and key file placed in the cert folder have the same names as those referenced in conf/keycloak/keycloak.conf. This is also necessary when the customer has supplied their own trusted certificate.

Self-signed certificates are not trusted by Windows by design, so the created certificate must be explicitly trusted or it will cause connection issues. This step is required on every client accessing the application while it is using a self-signed certificate. The command below imports the certificate into the current user's Trusted Root store, so it must be run for each Windows user that accesses the application.

Import-Certificate -FilePath "E:\path\to\cert.crt" -CertStoreLocation cert:\CurrentUser\Root

Database changes

It is recommended to automate the database changes described in this section with tools/DB_v2.1.4_to_v2.1.5_upgrade.ps1. The script has many command line parameters; run it with -Help to view all of them. Most parameters can be left at their default values. The script also prepares and populates the database for the Internal Identity Provider.

Read through this section before executing the script.

Ensure the database is updated to the latest schema version before running DB_v2.1.4_to_v2.1.5_upgrade.ps1.

One new database table has been added (mops_sec_application) and one table has been altered (mops_sec_client).

mops_sec_application has the following columns:

  • id
  • name
  • display_name
  • redirect_uri
  • post_logout_redirect_uri

A database entry must be added to mops_sec_application. The values for redirect_uri and post_logout_redirect_uri can be fetched from conf/shell/config.json. The entry in the mops_sec_client table that corresponds to the main Identity Provider needs to have application_id, response_type and scope populated. application_id should be the id of the entry added to mops_sec_application; response_type and scope can be found in conf/shell/config.json.

Shell

Shell configuration (shell/config.json) has changed. Add (++) and remove (--) fields accordingly.

"auth": {
   "application": "<Value supplied to script flag -SecApplicationName>", // ++
   "issuer": "<issuer>",                                                 // --
   "client_id": "<client_id>",                                           // --
   "redirect_uri": "<redirect_uri>",                                     // --
   "response_type": "<response_type>",                                   // --
   "scope": "<scope>",                                                   // --
   "load_user_info": false                                               // --
}
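As an added example (not the project's upgrade script), the following Python function applies the shell configuration change above and at the same time extracts the values that the Database changes section says must be copied into mops_sec_application and mops_sec_client. It assumes config.json is plain JSON and that post_logout_redirect_uri, when present, sits in the same auth block.

```python
import json
import sys
from copy import deepcopy

# Fields removed (--) from the "auth" block in v2.1.5; "application" is added (++).
REMOVED_FIELDS = ("issuer", "client_id", "redirect_uri", "response_type",
                  "scope", "load_user_info")


def migrate_shell_config(config, application_name):
    """Return (new_config, db_values) for a v2.1.4 shell config.

    new_config: the config with the removed fields dropped and "application"
                set to the name given to the upgrade script's -SecApplicationName.
    db_values:  the values the notes say must be copied into mops_sec_application
                and the main Identity Provider's mops_sec_client row, read from
                the old "auth" block before it is trimmed.
    """
    auth = config.get("auth")
    if not isinstance(auth, dict):
        raise ValueError("shell config has no 'auth' section")
    missing = [f for f in ("redirect_uri", "response_type", "scope") if f not in auth]
    if missing:
        raise ValueError(f"'auth' lacks {missing}; database values cannot be derived")
    db_values = {
        # values for the mops_sec_application row
        "mops_sec_application": {
            "name": application_name,
            "redirect_uri": auth["redirect_uri"],
            # assumed to live in the auth block too; the notes do not show it
            "post_logout_redirect_uri": auth.get("post_logout_redirect_uri"),
        },
        # columns to populate on the main Identity Provider's mops_sec_client row
        "mops_sec_client": {"response_type": auth["response_type"],
                            "scope": auth["scope"]},
    }
    new_config = deepcopy(config)
    new_config["auth"] = {"application": application_name,
                          **{k: v for k, v in auth.items() if k not in REMOVED_FIELDS}}
    return new_config, db_values


if __name__ == "__main__":
    # usage: migrate.py conf/shell/config.json <SecApplicationName>
    with open(sys.argv[1], encoding="utf-8") as fh:
        migrated, values = migrate_shell_config(json.load(fh), sys.argv[2])
    print(json.dumps({"config": migrated, "database": values}, indent=2))
```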

Localization

The localization service has been temporarily disabled and translations have been moved to the file server service. New versions of Post-Localization.ps1 and Update-Versions.ps1 need to be copied to conf/general.