Signer - Setup on Docker
For a Docker-based setup, the following image is provided on Docker Hub:
This image requires:
- A SQL Server Database connection: the database collation must be Latin1_General_100_CI_AI or Latin1_General_CI_AI.
- Storage (shared between all instances of the image): see the BlobStorage settings below for further information.
- OIDC Server (GrantID) Cloud or On-Premises.
The container for this image is configured using environment variables.
Environment variable names must follow the pattern Section__Setting (section name, two underscores, setting name). For instance, to configure the SupportEmailAddress setting of the General section, you must set a variable named:
General__SupportEmailAddress
The required settings are presented below.
Database connection string
Under section ConnectionStrings:
- DefaultConnection: set the connection string to the database. A typical connection string looks like this:
Data Source=SERVER;Initial Catalog=DATABASE;User ID=USERNAME;Password=PASSWORD
If you created the database using advanced features such as log shipping or mirroring, your connection string may be different.
Example environment variable:
ConnectionStrings__DefaultConnection=Server=SERVER;Initial Catalog=DATABASE;User ID=USERNAME;Password=PASSWORD;
Most Server endpoints require the following format for the Data Source/Server parameter:
Under section BlobStorage: defines how the application will store and retrieve files. See BlobStorage Configuration for details and examples of supported services.
Under section Serilog: defines where application logs will be stored. See Serilog Configuration for details and examples of supported services.
Open ID Connect configuration
The section Oidc configures the OpenID Connect server, required for user management. A GrantID subscription is required.
You can either use a SaaS subscription on grantid.com or run your own instance of GrantID.
- Authority: the OIDC authority (e.g. https://patorum.grantid.com)
- ApiEndpoint: the API endpoint of the OIDC server (e.g. https://api.grantid.com)
- ApiName: the API scope that will be required on access tokens
- ClientAppId: the client id of the dashboard app
- AppId: the client id of the backend app
- AppSecret: the client secret of the backend app
- RequireHttps (optional): set to false if the OIDC server does not use HTTPS
See the Configuring a SPA Application page for instructions on how to obtain these values.
Example environment variables:
Oidc__ApiEndpoint=https://api.grantid.com
Oidc__ApiName=myapp-api
Oidc__AppId=myapp-backend
Oidc__AppSecret=8CqeGeur46k...
Oidc__Authority=https://mysubscription.grantid.com
Oidc__ClientAppId=myapp
Oidc__CpfClaim=cpf
Oidc__CustomScopes=mysub-cpf
Under section PkiSuite:
- SdkLicense: your license for the PKI SDK, in Base64 format (required)
- WebLicense: your license for the Web PKI component in binary (Base64) format. Only required if users will issue certificates on their computers (web issuing procedure)
- WebBrand: if you have a custom setup brand on Web PKI, set it here
Under section General:
- SiteUrl: the URL the application will be served from.
- SiteName: the name of the application.
- SupportEmailAddress: the support email address, included at the bottom of every email sent by the application.
Example environment variables:
General__SiteUrl=https://signer.myapp.com
General__SiteName=MyApp Signer
General__SupportEmailAddress=email@example.com
- UseReverseProxy: set to true if the container will run behind a reverse proxy or load balancer. It can be omitted otherwise.
Under section Email:
- Enabled: by default, email sending is enabled. To disable it, set this setting to false and ignore the remainder of this section
- ServerHost: hostname of the SMTP server
- EnableSsl: by default, the SMTP conversation is performed over SSL. To disable SSL, set this setting to false
- ServerPort: by default, the SMTP conversation is performed over port 587. Set this setting to use a different port
- Username and Password: if the SMTP server requires authentication, set these settings
- SenderAddress: email address to be used as the sender (From field)
- SenderName: name to be used as the sender name (optional)
Example environment variables:
Email__ServerHost=email-smtp.us-east-1.amazonaws.com
Email__Username=USERNAME
Email__Password=PASSWORD
Email__SenderAddress=firstname.lastname@example.org
Email__SenderName=MYAPPNAME
Additional settings can be found at the Signer Settings page.
Pull the latest stable image, configure the required environment variables and run the container.
Start with only one container: on the first startup the database tables are created, and several containers doing this at once could create a race condition. Once the initial startup is complete, you may run as many containers as you want.
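As an added example (not a script from the Signer project), the following shell script ties the Section__Setting naming rule and the first-startup procedure together: it checks an env-file for the settings this page marks as required and for correctly shaped variable names, then starts a single container from it. The image name is not given on this page, so IMAGE is a placeholder you must override; the sample values are constructed from the page's own examples, and BlobStorage, Serilog and Email keys are not checked because they depend on the provider you pick.

```shell
#!/bin/sh
# Added example (not the Signer project's own script): validate an env-file
# holding the Section__Setting variables from this page, then start ONE
# container with it, since the first startup must be done by a single instance.

# Placeholder: the image name is not given on this page. Override with SIGNER_IMAGE.
IMAGE="${SIGNER_IMAGE:-REPLACE_WITH_SIGNER_IMAGE}"

# Settings this page marks as required. BlobStorage, Serilog and Email keys
# depend on the provider you choose, so they are not checked here.
REQUIRED_SETTINGS="ConnectionStrings__DefaultConnection
Oidc__Authority Oidc__ApiEndpoint Oidc__ApiName Oidc__ClientAppId Oidc__AppId Oidc__AppSecret
PkiSuite__SdkLicense
General__SiteUrl General__SiteName General__SupportEmailAddress"

# check_env_file FILE: returns 0 only if every required setting is present and
# every variable name has the Section__Setting shape (a double underscore).
check_env_file() {
  file="$1"
  rc=0
  for key in $REQUIRED_SETTINGS; do
    grep -q "^${key}=" "$file" || { echo "missing required setting: $key" >&2; rc=1; }
  done
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    name="${line%%=*}"                          # text before the first '='
    case "$name" in
      *__*) ;;                                  # Section__Setting, as required
      *) echo "bad variable name (expected Section__Setting): $name" >&2; rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# write_sample_env FILE: constructed sample values mirroring the page's examples.
write_sample_env() {
  cat > "$1" <<'EOF'
ConnectionStrings__DefaultConnection=Server=SERVER;Initial Catalog=DATABASE;User ID=USERNAME;Password=PASSWORD;
Oidc__Authority=https://mysubscription.grantid.com
Oidc__ApiEndpoint=https://api.grantid.com
Oidc__ApiName=myapp-api
Oidc__ClientAppId=myapp
Oidc__AppId=myapp-backend
Oidc__AppSecret=REPLACE_WITH_APP_SECRET
PkiSuite__SdkLicense=REPLACE_WITH_BASE64_LICENSE
General__SiteUrl=https://signer.myapp.com
General__SiteName=MyApp Signer
General__SupportEmailAddress=support@example.com
Email__Enabled=false
EOF
  chmod 600 "$1"   # the file carries the DB password and the OIDC client secret
}

# run_signer FILE: validate, then start a single named container that reads
# FILE via --env-file, so secrets are not typed on the command line.
run_signer() {
  check_env_file "$1" || return 1
  docker run -d --name signer --env-file "$1" "$IMAGE"
}

# Usage: sh signer-up.sh signer.env
if [ -n "${1:-}" ]; then
  run_signer "$1"
fi
```

Using --env-file keeps the database password and the OIDC AppSecret out of shell history and process listings, and the fixed container name makes it obvious if a second instance is started before the first startup has finished.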
Before updating your container, it is recommended to check the Changelog to see what has changed from your current version to the latest one available.
If any of the versions included in the update have database model changes ("Updates database model: yes"), then you should proceed carefully, as the container will attempt to update the database upon startup.
In this scenario, it is recommended to choose one of the following options:
- Reduce the number of running containers to 1.
- Allow only one container to update the database. This is done by adding the following settings to all but one container:
Finally, to update simply pull the image with tag corresponding to the desired version and run the container.