Documentation for v2.0.1 release

docs/src/.vuepress/layouts/PageLayout.vue

@@ -4,7 +4,7 @@ import { useRoute, useRouter } from "vue-router";
 import { ref, onMounted } from 'vue'
 
 const version = ref("");
-const latestVersion = "v2.0.0";
+const latestVersion = "v2.0.1";
 
 
 function setVersionBasedOnCurrentPath() : void {
@@ -55,7 +55,8 @@ function navigateToNewVersion() {
       <div class="version-selector" v-if="route.path.startsWith('/operations/')">
         <label class="vp-sidebar-header" for="version-select"><strong>Version:</strong> </label>
         <select id="version-select" class="vp-sidebar-header" v-model="version" @change="navigateToNewVersion">
-        <option value="v2.0.0">latest (2.0.0)</option>
+        <option value="v2.0.1">latest (2.0.1)</option>
+        <option value="v2.0.0">2.0.0</option>
         <option value="v1.9.0">1.9.0</option>
         <option value="v1.8.0">1.8.0</option>
         <option value="v1.7.1">1.7.1</option>

docs/src/.vuepress/sidebar/operations-v2.ts

@@ -1,4 +1,84 @@
 export function generate_v2_latest_sidebar() {
+    return [
+
+      {
+        text: "Get Started",
+        icon: "tool",
+        link: "./",
+      },
+      "release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", {
+        text: "FHIR Reverse Proxy",
+        icon: "module",
+        children: [
+          {
+            icon: "config",
+            text: "Configuration",
+            link: "fhir-reverse-proxy/configuration",
+          }
+        ]},
+        {
+          text: "FHIR Server",
+          icon: "module",
+          prefix: "fhir/",
+          link: "fhir/",
+          children: [{
+  			icon: "config", 
+  			text: "Configuration",
+  			link: "configuration"
+  		}, {
+  			icon: "config",
+  			text: "Access Control",
+  			link: "access-control"
+  		}, {
+  			icon: "config",
+  			text: "OpenID Connect",
+  			link: "oidc"
+        }, {
+  			icon: "config",
+  			text: "Logging",
+  			link: "logging"
+  			}]
+        }, {
+          text: "BPE Reverse Proxy",
+          icon: "module",
+          children: [
+            {
+              icon: "config",
+              text: "Configuration",
+              link: "bpe-reverse-proxy/configuration",
+            }
+          ]
+        }, {
+          text: "BPE Server",
+          icon: "module",
+          prefix: "bpe/",
+          link: "bpe/",
+          children: [{
+  			icon: "config", 
+  			text: "Configuration",
+  			link: "configuration"
+  		}, {
+  			icon: "config",
+  			text: "Access Control",
+  			link: "access-control"
+  		}, {
+  			icon: "config",
+  			text: "OpenID Connect",
+  			link: "oidc"
+        }, {
+  			icon: "config",
+  			text: "Logging",
+  			link: "logging"
+  			}]
+        },
+        {
+          text: "Install Plugins",
+          icon: "plugin",
+          link: "install-plugins"
+      }]
+}
+
+export function generate_v2_0_0_sidebar() {
     return [
 
       {

docs/src/.vuepress/theme.ts

@@ -1,7 +1,7 @@
 import { slimsearchPlugin } from "@vuepress/plugin-slimsearch";
 import { hopeTheme } from "vuepress-theme-hope";
 import { generate_v1_latest_sidebar, generate_v1_gt_eq_1_7_0_sidebar, generate_v1_gt_eq_1_5_0_sidebar, generate_v1_gt_eq_1_0_0_sidebar } from "./sidebar/operations-v1";
-import { generate_v2_latest_sidebar } from "./sidebar/operations-v2";
+import { generate_v2_0_0_sidebar, generate_v2_latest_sidebar } from "./sidebar/operations-v2";
 
 export default hopeTheme({
   author: {
@@ -43,7 +43,7 @@ export default hopeTheme({
             link: "v1.9.0/readme.md",
             icon: "launch"
           }, {
-            text: "Current version - 2.0.0",
+            text: "Current version - 2.0.1",
             link: "get-started.md",
             icon: "launch"
           }, "old-versions.md"],
@@ -130,7 +130,8 @@ export default hopeTheme({
     "/operations/old-versions": [],
     "/operations/latest/": generate_v2_latest_sidebar(),
     "/operations/next/": [],
-    "/operations/v2.0.0/": generate_v2_latest_sidebar(),
+    "/operations/v2.0.1/": generate_v2_latest_sidebar(),
+    "/operations/v2.0.0/": generate_v2_0_0_sidebar(),
     "/operations/v1.9.0/": generate_v1_latest_sidebar(),
     "/operations/v1.8.0/": generate_v1_gt_eq_1_7_0_sidebar(),
     "/operations/v1.7.1/": generate_v1_gt_eq_1_7_0_sidebar(),

docs/src/operations/latest

@@ -1 +1 @@
-v2.0.0
+v2.0.1

docs/src/operations/v2.0.1/allowList-mgm.md

@@ -0,0 +1,34 @@
+---
+title: Allow List Management
+icon: share
+---
+You can read all about the concept of Allow Lists [in our introduction](/explore/concepts/allow-list.md).
+
+## Overview
+To simplify the DSF Allow List Management we have built a portal for administration. The portal is managed by the GECKO Institute at Heilbronn University. You as an DSF administrator can create or update your Allow List information. The information you provide on this portal will be transferred to us and will be used to built Allow List bundles that get distributed to the communication partners of the distributed processes. 
+
+The DSF Allow List management tool uses client certificates for authentication. You can either use a personal client certificate or the client certificate from your DSF BPE, which needs to be added to your web-browsers certificate store.
+
+
+## Prerequisites
+1. Deployed DSF instance (test or production infrastructure)
+    1.1  If none exists yet, read [the installation guide](install)
+2. Certificate 
+    2.1  If none exists yet, read [the certificate requirements](install#client-server-certificates)
+3. Organization identifier, shortest FQDN of your organizations website, e.g. `my-hospital.de`
+4. FHIR endpoint URL, e.g. `https://dsf.my-hospital.de/fhir`
+5. Contact details from a responsible person of your organization
+6. Access to the E-Mail address from your organization for verification 
+
+
+## Start here
+When you have fulfilled all the prerequisites, you can start managing your Allow Lists via the environment specific Allow List Management Tool:
+
+- [**Test** infrastructure](https://allowlist-test.gecko.hs-heilbronn.de)
+- [**Production** infrastructure](https://allowlist.gecko.hs-heilbronn.de)
+
+We use different highlight colors for the DSF Allow List Management Tool: Green for the **Test** environment and blue for the **Production** infrastructure. To access the site, you have to authenticate yourself with a client certificate. Your web-browser will show a dialog to choose a valid certificate.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to contact us on the <a href="https://mii.zulipchat.com/#narrow/stream/392426-Data-Sharing-Framework-.28DSF.29">MII-Zulip Channel</a> or write us at <a href="mailto:[email protected]">[email protected]</a>. Thank you very much!
+:::

docs/src/operations/v2.0.1/bpe-reverse-proxy/README.md

@@ -0,0 +1,6 @@
+---
+title: BPE Reverse Proxy
+icon: module
+---
+## Overview
+- [Configuration Parameters](configuration)

docs/src/operations/v2.0.1/bpe-reverse-proxy/configuration.md

@@ -0,0 +1,109 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF BPE server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** FQDN of your DSF BPE server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/bpe`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides *SSL_CA_CERTIFICATE_PATH* if not empty
+
+
+### SSL_CA_CERTIFICATE_PATH
+- **Required:** No
+- **Description:** Folder with trusted full CA chains for validating client certificates
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_ca_chains`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from *SSL_CA_CERTIFICATE_FILE* are used; not used by default, overrides *SSL_CA_DN_REQUEST_PATH* if not empty
+
+
+### SSL_CA_DN_REQUEST_PATH
+- **Required:** No
+- **Description:**  Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from *SSL_CA_CERTIFICATE_FILE* or *SSL_CA_CERTIFICATE_PATH* if not set or empty
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_issuing_cas`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit *SSL_CERTIFICATE_CHAIN_FILE* if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`

docs/src/operations/v2.0.1/bpe/README.md

@@ -0,0 +1,9 @@
+---
+title: BPE Server
+icon: module
+---
+## Overview
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)
+- [Logging](logging)