MTG KMS UI Software configuration

The application is configured using the configuration file in

/etc/opt/mtg-kms-ui/application.properties

Server HTTPS configuration

To serve HTTPS directly from the application, set NITRO_SSL_CERT to the server certificate file and NITRO_SSL_KEY to the server private key file. When both are present, the server starts in HTTPS mode. In the vast majority of deployments this should only be used for testing; in production the Nitro server should run behind a reverse proxy such as Apache that terminates TLS.

To send intermediate certificates along with the server certificate, append them to the server certificate file. The order matters: the server certificate must come first, followed by the intermediate(s):

cat server.crt  ca.crt  > server-chain.crts

and set NITRO_SSL_CERT to server-chain.crts.

The server private key should be owned by the kms user and the kms group (the daemon user of the MTG KMS UI) and be readable by that user only:

# chown  kms:kms  server.key.private
# chmod 400 server.key.private
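The chain assembly and key permissions above, as an added shell script that is not part of the MTG documentation. It uses the file names from the text (server.crt, ca.crt, server.key.private, server-chain.crts); the owner is passed as an argument so the checks can be tried as an unprivileged user before running the script as root with kms:kms. The checks that the certificate files contain no private key, that the chain starts with the server certificate and that the key file holds exactly one key are the script's own additions.

```shell
#!/bin/sh
# Added example, not part of the MTG documentation: build the chain file in the
# order TLS requires (server certificate first, then the issuing CA) and lock
# down the private key. File names follow the text; the owner (kms:kms in
# production) is a parameter so the script can be tried as a normal user.
set -eu

# pem_count FILE TYPE: number of PEM blocks whose header ends in TYPE
# (CERTIFICATE, "PRIVATE KEY", ...). Prints 0 for an empty or missing file.
pem_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- "-----BEGIN.*$2-----" "$1" || true
}

# build_chain LEAF CA OUT: concatenate LEAF and CA into OUT, refusing anything
# that would publish key material or an unexpected number of certificates.
build_chain() {
  leaf=$1; ca=$2; out=$3
  for f in "$leaf" "$ca"; do
    if [ "$(pem_count "$f" 'PRIVATE KEY')" -ne 0 ]; then
      echo "refusing: $f contains a private key" >&2; return 1
    fi
  done
  if [ "$(pem_count "$leaf" CERTIFICATE)" -ne 1 ]; then
    echo "refusing: $leaf must contain exactly one certificate (the server certificate)" >&2; return 1
  fi
  if [ "$(pem_count "$ca" CERTIFICATE)" -lt 1 ]; then
    echo "refusing: $ca contains no certificate" >&2; return 1
  fi
  # awk 1 copies both files and adds a missing final newline, so two PEM
  # blocks can never run together on one line.
  awk 1 "$leaf" "$ca" > "$out"
  chmod 644 "$out"   # the chain is public; only the key is secret
}

# chain_leaf_first CHAIN LEAF: succeed only if CHAIN begins with LEAF byte for
# byte, i.e. the server certificate was not appended after the CA by mistake.
chain_leaf_first() {
  head -c "$(wc -c < "$2" | tr -d ' ')" "$1" | cmp -s - "$2"
}

# lock_key KEY OWNER: make KEY (exactly one private key) readable only by OWNER (user:group).
lock_key() {
  key=$1; owner=$2
  if [ "$(pem_count "$key" 'PRIVATE KEY')" -ne 1 ]; then
    echo "refusing: $key does not contain exactly one private key" >&2; return 1
  fi
  chown "$owner" "$key"
  chmod 400 "$key"
}

# key_mode FILE: permission string as printed by ls, e.g. -r-------- for mode 0400.
key_mode() {
  ls -ld "$1" | cut -c1-10
}

# Usage (as root): sh install-tls.sh server.crt ca.crt server.key.private kms:kms
main() {
  build_chain "$1" "$2" server-chain.crts
  chain_leaf_first server-chain.crts "$1"
  lock_key "$3" "$4"
  echo "server-chain.crts written; $3 is now $(key_mode "$3") $4"
  echo "point NITRO_SSL_CERT at server-chain.crts and NITRO_SSL_KEY at $3"
}
[ $# -eq 0 ] || main "$@"
```

Run it once as the user that owns the files to see the refusals work, then as root with kms:kms; afterwards `openssl verify -CAfile ca.crt server.crt` confirms that ca.crt really is the issuer of the server certificate.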

Apache web server configuration

You can run Apache in front of the MTG KMS UI to terminate the TLS connection and/or to act as a load balancer. If both run on the same machine, bind the application to the loopback interface so that it is reachable only through Apache, and use the following Apache configuration to terminate TLS (replace 3000 with the value of NITRO_PORT):

SSLEngine on
SSLCertificateFile /etc/opt/apache2/ssl.cert/server.crt
SSLCertificateKeyFile /etc/opt/apache2/ssl.key/server.key.private
SSLCACertificateFile /etc/opt/apache2/ca/ca.crt

<Location /kms-ui/>
 SSLRequireSSL
 ProxyPass  http://127.0.0.1:3000/kms-ui/
 ProxyPassReverse  http://127.0.0.1:3000/kms-ui/
</Location>

Where:

  • server.crt / server.key.private: the Apache web server certificate and private key

  • ca.crt: the certificate of the issuer of the Apache server certificate. Note that SSLCACertificateFile defines the CAs Apache trusts for client certificate authentication; it does not send ca.crt to browsers. If the Apache server certificate needs an intermediate certificate, append it to the file named in SSLCertificateFile (Apache 2.4.8 or later), in the same way as for the Nitro server above.

To bind the MTG KMS UI application server to the IP address of the loopback interface only, set the HOST property to 127.0.0.1. After a restart, ss -ltn should show the port listening on 127.0.0.1 and not on 0.0.0.0 or [::].

High availability settings

To run multiple instances of MTG KMS UI in a cluster, the Apache web server can be used as a load balancer. All instances must be configured identically, since a client may be served by any of them. The following is one possible Apache configuration (mod_proxy, mod_proxy_http, mod_proxy_balancer and mod_lbmethod_bytraffic must be enabled; replace <server1>, <server2> and port 3000 with the instances' addresses and their NITRO_PORT):

SSLEngine on
SSLCertificateFile /etc/opt/apache2/ssl.cert/server.crt
SSLCertificateKeyFile /etc/opt/apache2/ssl.key/server.key.private
SSLCACertificateFile /etc/opt/apache2/ca/ca.crt

<Proxy balancer://mtg-kms-ui-cluster>
    BalancerMember http://<server1>:3000
    BalancerMember http://<server2>:3000
    ProxySet lbmethod=bytraffic
</Proxy>

<Location /kms-ui/>
 SSLRequireSSL
 ProxyPass  "balancer://mtg-kms-ui-cluster/kms-ui/"
 ProxyPassReverse  "balancer://mtg-kms-ui-cluster/kms-ui/"
</Location>

Where:

  • server.crt / server.key.private: is the apache web server certificate/key

  • ca.crt: is the certificate of the certificate issuer of the server certificate

If the connection between Apache and the MTG KMS UI instances (apache <==> mtg-kms-ui cluster) uses TLS, that is, the instances run in HTTPS mode with NITRO_SSL_CERT and NITRO_SSL_KEY set and the BalancerMember URLs use https://, then Apache must trust the issuer of the server certificate configured in NITRO_SSL_CERT (see Server HTTPS configuration). Enable SSLProxyEngine and point either SSLProxyCACertificateFile or SSLProxyCACertificatePath at that issuer certificate; with SSLProxyVerify require, Apache also rejects a backend that presents any other certificate.
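An extended balancer configuration, added here as an example and not taken from the MTG documentation: it speaks TLS to the instances, verifies their certificates against the issuer of NITRO_SSL_CERT, and uses mod_proxy_hcheck so that an instance whose /kms-ui/api/health endpoint stops answering is taken out of rotation. The hostnames (kms-ui-1.example.internal, kms-ui-2.example.internal), the CA file path and the check intervals are placeholders; port 3005 is the documented default of NITRO_PORT.

```apache
# Added example, not from the MTG documentation. Placeholders: hostnames,
# kms-ui-backend-ca.crt, intervals. Needs mod_ssl, mod_proxy, mod_proxy_http,
# mod_proxy_balancer, mod_lbmethod_bytraffic, mod_proxy_hcheck and mod_watchdog.
SSLEngine on
SSLCertificateFile /etc/opt/apache2/ssl.cert/server.crt
SSLCertificateKeyFile /etc/opt/apache2/ssl.key/server.key.private

# TLS towards the instances: verify their certificates (NITRO_SSL_CERT on each
# instance) against the CA that issued them, and check the hostname.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCheckPeerName on
SSLProxyCACertificateFile /etc/opt/apache2/ca/kms-ui-backend-ca.crt

# A member is healthy only while GET /kms-ui/api/health answers with 2xx/3xx.
ProxyHCExpr ui_ok {%{REQUEST_STATUS} =~ /^[23]/}

<Proxy balancer://mtg-kms-ui-cluster>
    BalancerMember https://kms-ui-1.example.internal:3005 hcmethod=GET hcuri=/kms-ui/api/health hcexpr=ui_ok hcinterval=10 hcfails=2 hcpasses=1
    BalancerMember https://kms-ui-2.example.internal:3005 hcmethod=GET hcuri=/kms-ui/api/health hcexpr=ui_ok hcinterval=10 hcfails=2 hcpasses=1
    ProxySet lbmethod=bytraffic
</Proxy>

<Location /kms-ui/>
    SSLRequireSSL
    ProxyPass         "balancer://mtg-kms-ui-cluster/kms-ui/"
    ProxyPassReverse  "balancer://mtg-kms-ui-cluster/kms-ui/"
</Location>
```

Check with `apachectl -M` that proxy_hcheck_module and watchdog_module are loaded and with `apachectl configtest` that the fragment parses before reloading; a member that fails two consecutive checks (hcfails=2) is marked unusable and re-enabled after one successful check (hcpasses=1).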

Server logging properties

The application will write its logs into /var/log/mtg/mtg-kms-ui/frontend.log

To follow the log at runtime, run one of the following commands:

# tail -n 300 -f /var/log/mtg/mtg-kms-ui/frontend.log

or

# journalctl -n 300 -f -u mtg-kms-ui

System configuration

Environment variables

This section describes the properties used to configure the MTG KMS UI Server. The properties are defined in the nuxt.config.ts file and can be set through environment variables. The options are listed in Table 1.

Table 1. Configuration properties for the MTG KMS UI Server in the nuxt.config.ts file

Property                               Default                              Description
NUXT_PUBLIC_KMS_SERVER_BASE_PATH       localhost:8601/kms/                  The base URL of the MTG KMS-Server.
NUXT_PUBLIC_KMS_CRYPTO_API_BASE_PATH   localhost:8607/kms-crypto-api/       The base URL of the MTG KMS-Crypto-API.
NUXT_PUBLIC_ISSUER_URI                 localhost:8081/auth/realms/mtg-ers   The URL of the OpenID Connect provider (Keycloak).
NITRO_PORT or PORT                     3005                                 The port the server listens on.

Keycloak Configuration

Set the property NUXT_PUBLIC_ISSUER_URI to:

https://FRONTEND_URL/realms/mtg-ers

where FRONTEND_URL is the value of the Keycloak property keycloak.hostname.default.frontendUrl in

/etc/opt/keycloak/application.properties

The value must match the issuer Keycloak itself reports for the realm (the "issuer" field of its OpenID discovery document); tokens carrying a different issuer are rejected. Make sure the mtg-kms-ui client in Keycloak is updated accordingly, in particular its valid redirect URIs and web origins, which must cover the URL under which users reach the UI (the reverse proxy address, not the loopback bind address).

KMS Backend Configuration

The properties NUXT_PUBLIC_KMS_SERVER_BASE_PATH and NUXT_PUBLIC_KMS_CRYPTO_API_BASE_PATH are set to the URLs of the KMS-Server and the KMS-Crypto-API respectively, e.g. host.example.com/kms for the KMS-Server. The path component must match the server.servlet.context-path property of the respective backend; check it in:

Check server.servlet.context-path property in:

/etc/opt/mtg-kms-server/application.properties
/etc/opt/mtg-kms-crypto-api/application.properties

High-availability

It is possible to run multiple instances of an MTG KMS UI Server. These instances must run behind a load balancer.

MTG KMS UI System Startup

The package mtg-kms-ui is integrated with systemd. To check the status of the systemd service, run:

# systemctl status mtg-kms-ui

To start or restart mtg-kms-ui, run the following commands respectively:

# systemctl start mtg-kms-ui
# systemctl restart mtg-kms-ui

To enable mtg-kms-ui on system boot:

# systemctl enable mtg-kms-ui

The web interface of MTG KMS UI is accessible under

http://<HOST>:<NITRO_PORT>/kms-ui/

If the HOST property is set to 0.0.0.0, <HOST> is the IP address of any network interface on the system, i.e. the application accepts connections on every interface. When Apache terminates TLS on the same machine, bind to 127.0.0.1 instead, as described above.

If both NITRO_SSL_CERT and NITRO_SSL_KEY are correctly set, the connection scheme is https://.

Healthcheck

To monitor the application and check the health of the running instance, the following endpoint is available:

 http://<HOST>:<NITRO_PORT>/kms-ui/api/health

When the application runs, the response is: {"status":"UP"}

Requests to this endpoint do not require authentication, so a load balancer or monitoring system can poll it directly; the response carries nothing but the status value.
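The loopback binding, the Keycloak issuer setting and the health endpoint described above can be verified with the following added shell script, which is not part of the MTG documentation. It parses `ss -ltn` output for the UI port bound on a non-loopback address, extracts the status value from the health response, and compares the "issuer" in Keycloak's OpenID discovery document (/.well-known/openid-configuration) with the configured NUXT_PUBLIC_ISSUER_URI. The hostnames in the usage line are placeholders and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the MTG documentation: post-deployment checks for
# one MTG KMS UI instance. Property names and paths follow the text; hostnames
# in the usage line are placeholders.
set -eu

# non_loopback_listeners PORT: read `ss -ltn` output on stdin and print every
# listening socket on PORT whose local address is not 127.0.0.1 or [::1].
# An instance that is meant to sit behind Apache should print nothing.
non_loopback_listeners() {
  awk -v port="$1" '
    $1 != "State" {
      # local address is the 4th column, e.g. 127.0.0.1:3005, *:3005 or [::]:3005
      addr = $4
      n = split(addr, parts, ":")
      p = parts[n]
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p == port && host != "127.0.0.1" && host != "[::1]") print $0
    }'
}

# health_status: read the JSON body of /kms-ui/api/health on stdin and print
# the value of "status" ("UP" while the application runs), nothing otherwise.
health_status() {
  sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# issuer_matches EXPECTED: read an OpenID discovery document on stdin and
# succeed only if its "issuer" equals EXPECTED (the NUXT_PUBLIC_ISSUER_URI value).
# A mismatch means tokens will be rejected although Keycloak is reachable.
issuer_matches() {
  got=$(sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$got" ] && [ "$got" = "$1" ]
}

# run_checks PORT UI_BASE ISSUER: live checks against a running instance
# (needs ss and curl on the host).
run_checks() {
  port=$1; ui=$2; issuer=$3
  if [ -n "$(ss -ltn | non_loopback_listeners "$port")" ]; then
    echo "WARN: port $port is bound on a non-loopback address" >&2
  fi
  status=$(curl -fsS "$ui/api/health" | health_status)
  [ "$status" = UP ] || { echo "health check failed: ${status:-no response}" >&2; return 1; }
  curl -fsS "$issuer/.well-known/openid-configuration" | issuer_matches "$issuer" \
    || { echo "issuer mismatch: Keycloak does not report $issuer" >&2; return 1; }
  echo "all checks passed"
}

# Usage: sh kms-ui-checks.sh 3005 http://127.0.0.1:3005/kms-ui https://sso.example.com/realms/mtg-ers
[ $# -eq 0 ] || run_checks "$@"
```

The listener check is deliberately a warning rather than a failure, since an instance that is a balancer member on another host must listen on a routable address; in that case the port should be restricted to the Apache host by a firewall instead.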