DAT CMS
- DAT Certificate Management Service
API
Certificates
# generate certificate
curl -X POST http://localhost:8088/certificates
# get certificates
curl http://localhost:8088/certificates
# get certificates (signing)
curl http://localhost:8088/certificates/signing
# get certificates (verifying)
curl http://localhost:8088/certificates/verifying

Status
curl http://localhost:8088/health
curl http://localhost:8088/version

Debug (debug mode only)
DAT=$(curl -s -X POST http://localhost:8088/dat -d \
'plain data 평문 데이터
secure data 암호 데이터')
DAT_PARSE=$(curl -s http://localhost:8088/dat/"$DAT")
echo
echo "====================================================="
echo "DAT:"
echo "-----------------------------------------------------"
echo "$DAT"
echo "====================================================="
echo "DAT Parse:"
echo "-----------------------------------------------------"
echo "$DAT_PARSE"
echo "====================================================="

Docker
# Docker example
# Single Server
docker run -d --name dat-cms -p 8088:80 \
-e SINGLE_SERVER=CRON \
sarolab/dat-cms
# Podman example
# Single Server With Debug Mode
podman run -d --name dat-cms -p 8088:80 \
-e SINGLE_SERVER=CRON \
-e DEBUG=1 \
sarolab/dat-cms

Binary
Linux, Mac
cp ./download-filename ./dat-cms
chmod +x dat-cms
export PORT=8088
export SINGLE_SERVER=CRON
# export DB_URI=postgresql://username:password@host:port/database
./dat-cms

Windows CMD
copy download-filename dat-cms.exe
set PORT=8088
set SINGLE_SERVER=CRON
:: set DB_URI=postgresql://username:password@host:port/database
dat-cms.exe

Windows PowerShell
cp download-filename dat-cms.exe
$env:PORT="8088"
# $env:DB_URI="postgresql://username:password@host:port/database"
$env:SINGLE_SERVER="CRON"
.\dat-cms.exe

Kubernetes
vi dat.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dat
  namespace: yournamespace
  labels:
    app: dat
spec:
  replicas: 2
  selector:
    matchLabels:
      app: dat
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 100
  template:
    metadata:
      labels:
        app: dat
    spec:
      imagePullSecrets:
        - name: nexus-registry-secret
      containers:
        - name: publisher-cms
          image: sarolab/dat-cms:latest
          ports:
            - containerPort: 80
          # env:
          #   - name: DB_URI
          #     value: "postgresql://username:password@host-not-local:port/database"
          volumeMounts:
            - name: logs
              mountPath: /logs
          readinessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 30
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /health
              port: 80
            initialDelaySeconds: 30
            periodSeconds: 10
      terminationGracePeriodSeconds: 30
      volumes:
        - name: logs
          hostPath:
            path: /mnt/server/logs/prod
            type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
metadata:
  name: dat
  namespace: yournamespace
  labels:
    app: dat
spec:
  selector:
    app: dat
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: LoadBalancer
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: dat-cronjob
  namespace: yournamespace
spec:
  schedule: "*/10 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          containers:
            - name: curl-worker
              image: curlimages/curl:latest
              imagePullPolicy: IfNotPresent
              args:
                - /bin/sh
                - -c
                - "curl -X POST http://dat/certificates"
          restartPolicy: Never

kubectl apply -f dat.yml
curl http://dat.yournamespace.svc.cluster.local/version

Options (Environment Variables)
HOSTNAME - only used in the log filename: logs/dat-<HOSTNAME>.<yyyy-MM-dd>.log
- default: localhost

PORT - service port
- default: 80 (release build), 8088 (debug build)

SIGNATURE - signature algorithm
- P256
- P384
- P521
- default: P256

CRYPTO - crypto algorithm (AES GCM with nonce)
- AES128GCMN
- AES256GCMN
- default: AES128GCMN

DB_URI - database URI
- supported:
  - mysql: mysql://user:password@host:port/database (MariaDB requires the mysql: prefix)
  - postgres: postgres://user:password@host:port/database
  - sqlite: sqlite://path/to/database.db
- default: sqlite:./data/data.db

DEBUG (1, 0) - debug mode
- default: 0 (release build), 1 (debug build)

LOG_CONSOLE (1, 0) - console output
- default: 0 (no console output)

LOG_FILE (TEXT, JSON) - log file: logs/dat-<HOSTNAME>.<yyyy-MM-dd>.log
- TEXT: use a text log file
- JSON: use a JSON log file (for ELK)
- default: <empty> (no log file)

SINGLE_SERVER - Using the 'CRON' value enables internal scheduling for single-server setups. This option is incompatible with ISSUE_DELAY, ISSUE_TTL, and DAT_TTL. For multi-server deployments, avoid this internal setting and configure an external cron instead (see the Kubernetes multi-pod example above).
- CRON:
  - schedule: 0 0/10 * * * *
  - sets ISSUE_DELAY, ISSUE_TTL and DAT_TTL to their default values
- default: <empty> (disabled) in the release build, CRON in the debug build

ISSUE_DELAY - This option defines a padding period between the creation of a DatKey and the generation of a DAT. This delay is intended to ensure synchronization across multiple servers. For example, if the microservices that issue or verify DATs synchronize their DatKey list every 10 minutes, this value must be greater than 10 minutes. To account for potential synchronization failures, it is recommended to set this value 2 to 5 times longer than the synchronization interval.
- default: 3600 (seconds)

ISSUE_TTL - ISSUE_TTL represents the issuance window for a DatKey. With an ISSUE_DELAY of 30m and an ISSUE_TTL of 30m, issuance starts at T+30m and lasts for 30 minutes. Note that verification is supported beyond the issuance period, remaining valid until the DAT_TTL period ends following the issuance deadline.
- default: 3600 (seconds)

DAT_TTL - DAT_TTL represents the DAT lifetime. A DAT is valid for DAT_TTL seconds starting from its issuance.
- default: 1800 (seconds)
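The ISSUE_DELAY / ISSUE_TTL / DAT_TTL rules above as a small timing model, added here as an example and not part of the DAT CMS code base. The class names, the `keys_to_retain` bound (derived from the rules, not stated in the README) and the use of plain epoch seconds are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPolicy:
    """README defaults in seconds; assumed to apply uniformly to every DatKey."""
    issue_delay: int = 3600
    issue_ttl: int = 3600
    dat_ttl: int = 1800


@dataclass(frozen=True)
class DatKey:
    created_at: int  # epoch seconds at which POST /certificates created the key

    def issue_window(self, p: KeyPolicy) -> tuple[int, int]:
        # issuance starts ISSUE_DELAY after creation and lasts ISSUE_TTL
        start = self.created_at + p.issue_delay
        return start, start + p.issue_ttl

    def can_issue(self, p: KeyPolicy, now: int) -> bool:
        start, end = self.issue_window(p)
        return start <= now < end

    def can_verify(self, p: KeyPolicy, now: int) -> bool:
        # verification outlives issuance by DAT_TTL after the issuance deadline
        start, end = self.issue_window(p)
        return start <= now < end + p.dat_ttl


def dat_valid(issued_at: int, p: KeyPolicy, now: int) -> bool:
    """A DAT is valid for DAT_TTL seconds from its issuance."""
    return issued_at <= now < issued_at + p.dat_ttl


def recommended_issue_delay(sync_interval: int, factor: int = 2) -> int:
    """ISSUE_DELAY must exceed the DatKey sync interval; the README recommends
    2 to 5 times the interval to tolerate missed synchronizations."""
    if not 2 <= factor <= 5:
        raise ValueError("factor must be between 2 and 5")
    return sync_interval * factor


def keys_to_retain(p: KeyPolicy, rotation_interval: int) -> int:
    """Example's own bound: how many DatKeys can be verifiable at once when a new
    key is created every rotation_interval seconds (600 for the CronJob above).
    A key matters from its creation until the end of its verification period."""
    lifetime = p.issue_delay + p.issue_ttl + p.dat_ttl
    return -(-lifetime // rotation_interval)  # ceiling division
```

With the README's 30m/30m example and the default DAT_TTL, a key created at T can issue in [T+30m, T+60m) and still verifies until T+90m.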