Merge pull request #15665 from CDCgov/engagement/rest-documentation

Added documentation for newly supported auth types and working with keys
CDCgov · Aug 27, 2024 · 6ee8ea1 · 6ee8ea1
2 parents 8bb0755 + 384bcc4
commit 6ee8ea1
Show file tree

Hide file tree

Showing 2 changed files with 98 additions and 6 deletions.
diff --git a/prime-router/docs/onboarding-users/transport/rest.md b/prime-router/docs/onboarding-users/transport/rest.md
@@ -23,14 +23,15 @@ For authentication, you need to do both step a and step b.
 <ol type="a">
 <li>Generate the "Credential in JSON format" for authentication</li>
 
-Currently, RESTTransport uses the one of the three options:
+Currently, RESTTransport uses the one of the following options:
 
       i) UserPass, 
-     ii) UserApiKey with JKS, or 
+     ii) UserApiKey with JKS
     iii) UserApiKey with two-legged credential type to authenticate and obtain Bearer token from STLT. 
-User can use **primeCLI** command with credential-create option to generate the "Credential in JSON format" as given below.
+     iv) UserJks
+User can use the **primeCLI** command with credential-create option to generate the "Credential in JSON format" as given below.
 
-- With STLT's credential username and password given to us by STLT, user needs to run the following command to generate the UserPass credential type object:
+- With STLT's credential username and password given to us by the STLT, user needs to run the following command to generate the UserPass credential type object:
 
         Command:
             ./prime credential-create --type UserPass --user <username> --pass <password>
@@ -118,9 +119,9 @@ The receiver's RESTTransport includes the following fields:
                   }"
               type: "REST"
 
-    c) See UserApiKey+Tow-legged RESTTransport setting Example below:
+    c) See UserApiKey+Two-legged RESTTransport setting Example below:
 
-        FLEXION--ETOR-SERVICE-RECEIVER uses UserApiKey + Tow-legged authentication type:
+        FLEXION--ETOR-SERVICE-RECEIVER uses UserApiKey + Two-legged authentication type:
         ================================================================================
             transport: !<REST>
               reportUrl: "https://sample.net/v1/etor/orders"
@@ -139,6 +140,31 @@ The receiver's RESTTransport includes the following fields:
                 sourceLabName: "CDC PRIME REPORTSTREAM"
               type: "REST"
 
+    d) See UserApiKey without OAuth RESTTransport setting Example below:
+
+        FLEXION--ETOR-SERVICE-RECEIVER uses UserApiKey
+        ================================================================================
+            transport: !<REST>
+              reportUrl: "https://sample.net/v1/etor/orders"
+              authType: "apiKey"
+              tlsKeystore: null
+              headers:
+                Content-Type: "elims/json"
+              type: "REST"
+
+    e) See JKS without OAuth RESTTransport setting Example below:
+
+        CA-DPH--FULL-ELR-REST-JKS uses UserJKS
+        ================================================================================
+            transport: !<REST>
+              reportUrl: "https://sample.net/v1/etor/orders"
+              authType: "jks"
+              tlsKeystore: "jks"
+              tlsKeystore: "CA-DPH--FULL-ELR-REST-JKS"
+              headers:
+                Content-Type: "text/plain"
+              type: "REST"
+
 ## 4. Final Step is to test/check the receiver's REST transport is connected successfully
 Now that you have completed/created REST Transport setting please do the following:
 - Create PR - which includes the receiver's setting code

diff --git a/prime-router/docs/onboarding-users/transport/working-with-keys.md b/prime-router/docs/onboarding-users/transport/working-with-keys.md
@@ -0,0 +1,66 @@
+### Working with Keys
+
+#### Introduction
+Each STLT has a unique configuration for server authentication. This documentation provides examples of how we've configured keys to successfully authenticate with different STLTs.
+
+### Public/Private Key Pair
+Most STLTs use public/private key pairs for authentication. Here's how to generate and configure these keys:
+
+1. **Generate a PEM file:**  
+   This command creates a PEM file containing both a private and public key:
+   ```bash
+   openssl genrsa -out my_rsa_private_key.pem 2048
+   ```
+
+2. **Extract the Public Key:**  
+   To extract the public key from the PEM file and share it with the STLT, run the following command:
+   ```bash
+   ssh-keygen -y -f my_rsa_private_key.pem > my_rsa_public_key.pub
+   ```
+
+3. **Convert PEM to PPK:**  
+   The PEM file needs to be converted into a PPK file and stored in Azure for ReportStream authentication. Use this command to convert the file:
+   ```bash
+   puttygen my_rsa_private_key.pem -o my_rsa_private_key.ppk
+   ```
+4. **Create ReportStream Credential:**
+    Use the primeCLI create-credential command to store the ppk file in JSON to be able to store it in Azure so that ReportStream can use it.
+   ```bash
+    ./prime create-credential --type UserPpk  --ppk-file /Users/vic/Downloads/texas/tx_rsa_private_key.ppk
+   ```
+
+### STLT generates Public/Private key pair
+Sometimes a STLT will generate and public private key pair and send them to ReportStream to authenticate. The format in which they are sent can differ from STLT to STLT.
+Some STLTs will send a PFX file and that file will need to be converted to JKS so that ReportStream can use it.
+
+1. **Convert PFX to JKS:**  
+   This command creates a PEM file containing both a private and public key:
+   ```bash
+   keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
+   ```
+2. **Create ReportStream Credential:**
+   Use the primeCLI create-credential command to store the jks file in JSON to be able to store it in Azure so that ReportStream can use it.
+   ```bash
+    ./prime credential-create --type UserJks --jks-use <IF APPLICABLE> --jks-file-pass <IF APPLICABLE> --jks-file <PATH to JKS File>
+   ```
+
+### Importing STLTs Self-Signed Certificate to ReportStream
+
+As of the time this document was written, the process for importing self-signed certificates into ReportStream involves adding the certificate to ReportStream's Docker container.
+
+1. **Add the Certificate:**
+   Place the certificate in the following directory:
+   ```
+   prime-reportstream/prime-router/certs/
+   ```
+
+2. **Update the Dockerfile:**
+   Add the certificate to the `prime-reportstream/prime-router/Dockerfile.dev` by including the following line:
+   ```bash
+   COPY ./certs/CDC-G2-S1.crt $JAVA_HOME/conf/security
+   RUN cd $JAVA_HOME/conf/security \
+   && $JAVA_HOME/bin/keytool -cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias <ALIAS> -file <PATH TO CERT>
+   ```
+
+  
+