v2.1.0 initial docs

Author: schwzr

docs/src/.vuepress/components/ImageVerification.vue

@@ -0,0 +1,41 @@
+<template>
+  <div class="image-verification">
+    <h2>Verify Image Signature</h2>
+    <p>
+      The <code>{{ image }}</code> image is signed using
+      <a href="https://docs.sigstore.dev/cosign/overview/" target="_blank" rel="noopener">Cosign</a>
+      keyless signing via the official DSF GitHub Actions release workflow.
+      Verify the signature before using the image in production:
+    </p>
+    <pre><code>cosign verify \
+  ghcr.io/datasharingframework/{{ image }}:{{ tag }}@sha256:{{ digestDisplay }} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"</code></pre>
+    <p v-if="!digest">
+      Replace <code>&lt;digest&gt;</code> with the immutable digest of the image
+      you intend to deploy. See
+      <a :href="guide">How to Verify Image Signatures</a>
+      for the complete guide, SBOM verification, and troubleshooting.
+    </p>
+    <p v-else>
+      See <a :href="guide">How to Verify Image Signatures</a> for the complete
+      guide, SBOM verification, and troubleshooting.
+    </p>
+  </div>
+</template>
+
+<script>
+export default {
+  props: {
+    image: { type: String, required: true },
+    tag: { type: String, default: '2.1.0' },
+    digest: { type: String, default: '' },
+    guide: { type: String, default: '../image-verification' }
+  },
+  computed: {
+    digestDisplay() {
+      return this.digest ? this.digest.replace(/^sha256:/, '') : '<digest>';
+    }
+  }
+}
+</script>

docs/src/.vuepress/layouts/PageLayout.vue

@@ -4,7 +4,7 @@ import { useRoute, useRouter } from "vue-router";
 import { ref, onMounted } from 'vue'
 
 const version = ref("");
-const latestVersion = "v2.0.2";
+const latestVersion = "v2.1.0";
 
 
 function setVersionBasedOnCurrentPath() : void {
@@ -55,7 +55,8 @@ function navigateToNewVersion() {
       <div class="version-selector" v-if="route.path.startsWith('/operations/')">
         <label class="vp-sidebar-header" for="version-select"><strong>Version:</strong> </label>
         <select id="version-select" class="vp-sidebar-header" v-model="version" @change="navigateToNewVersion">
-        <option value="v2.0.2">latest (2.0.2)</option>
+        <option value="v2.1.0">latest (2.1.0)</option>
+        <option value="v2.0.2">2.0.2</option>
         <option value="v2.0.1">2.0.1</option>
         <option value="v2.0.0">2.0.0</option>
         <option value="v1.9.0">1.9.0</option>

docs/src/.vuepress/sidebar/operations-v2.ts

@@ -4,14 +4,16 @@ export function generate_v2_latest_sidebar() {
 		icon: "tool",
 		link: "./",
 	},
-		"release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", {
+		"release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", "image-verification", {
 		text: "FHIR Reverse Proxy",
 		icon: "module",
+		prefix: "fhir-reverse-proxy/",
+		link: "fhir-reverse-proxy/",
 		children: [
 			{
 				icon: "config",
 				text: "Configuration",
-				link: "fhir-reverse-proxy/configuration",
+				link: "configuration",
 			}
 		]
 	},
@@ -40,11 +42,13 @@ export function generate_v2_latest_sidebar() {
 	}, {
 		text: "BPE Reverse Proxy",
 		icon: "module",
+		prefix: "bpe-reverse-proxy/",
+		link: "bpe-reverse-proxy/",
 		children: [
 			{
 				icon: "config",
 				text: "Configuration",
-				link: "bpe-reverse-proxy/configuration",
+				link: "configuration",
 			}
 		]
 	}, {

docs/src/.vuepress/theme.ts

@@ -39,7 +39,7 @@ export default hopeTheme({
           icon: "launch",
           prefix: "/operations/",
           children: [ {
-            text: "Current Version - 2.0.2",
+            text: "Current Version - 2.1.0",
             link: "get-started.md",
             icon: "launch"
           }, "old-versions.md"],
@@ -127,7 +127,8 @@ export default hopeTheme({
     "/operations/old-versions": [],
     "/operations/latest/": generate_v2_latest_sidebar(),
     "/operations/next/": [],
-    "/operations/v2.0.2/": generate_v2_latest_sidebar(),
+    "/operations/v2.1.0/": generate_v2_latest_sidebar(),
+    "/operations/v2.0.2/": generate_v2_0_0_sidebar(),
     "/operations/v2.0.1/": generate_v2_0_0_sidebar(),
     "/operations/v2.0.0/": generate_v2_0_0_sidebar(),
     "/operations/v1.9.0/": generate_v1_latest_sidebar(),

docs/src/operations/latest

@@ -1 +1 @@
-v2.0.2
+v2.1.0

docs/src/operations/old-versions.md

@@ -5,6 +5,7 @@ icon: launch
 
 ## DSF v2
 
+- [2.1.0](./v2.1.0/)
 - [2.0.1](./v2.0.1/)
 - [2.0.0](./v2.0.0/)
 

docs/src/operations/v2.1.0/allowList-mgm.md

@@ -0,0 +1,34 @@
+---
+title: Allow List Management
+icon: share
+---
+You can read all about the concept of Allow Lists [in our introduction](/explore/concepts/allow-list.md).
+
+## Overview
+To simplify the DSF Allow List Management we have built a portal for administration. The portal is managed by the GECKO Institute at Heilbronn University. You as an DSF administrator can create or update your Allow List information. The information you provide on this portal will be transferred to us and will be used to built Allow List bundles that get distributed to the communication partners of the distributed processes. 
+
+The DSF Allow List management tool uses client certificates for authentication. You can either use a personal client certificate or the client certificate from your DSF BPE, which needs to be added to your web-browsers certificate store.
+
+
+## Prerequisites
+1. Deployed DSF instance (test or production infrastructure)
+    1.1  If none exists yet, read [the installation guide](install)
+2. Certificate 
+    2.1  If none exists yet, read [the certificate requirements](install#client-server-certificates)
+3. Organization identifier, shortest FQDN of your organizations website, e.g. `my-hospital.de`
+4. FHIR endpoint URL, e.g. `https://dsf.my-hospital.de/fhir`
+5. Contact details from a responsible person of your organization
+6. Access to the E-Mail address from your organization for verification 
+ 
+
+## Start here
+When you have fulfilled all the prerequisites, you can start managing your Allow Lists via the environment specific Allow List Management Tool:
+
+- [**Test** infrastructure](https://allowlist-test.gecko.hs-heilbronn.de)
+- [**Production** infrastructure](https://allowlist.gecko.hs-heilbronn.de)
+
+We use different highlight colors for the DSF Allow List Management Tool: Green for the **Test** environment and blue for the **Production** infrastructure. To access the site, you have to authenticate yourself with a client certificate. Your web-browser will show a dialog to choose a valid certificate.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to contact us on the <a href="https://mii.zulipchat.com/#narrow/stream/392426-Data-Sharing-Framework-.28DSF.29">MII-Zulip Channel</a> or write us at <a href="mailto:dsf-gecko@hs-heilbronn.de">dsf-gecko@hs-heilbronn.de</a>. Thank you very much!
+:::

docs/src/operations/v2.1.0/bpe-reverse-proxy/README.md

@@ -0,0 +1,24 @@
+---
+title: BPE Reverse Proxy
+icon: module
+---
+
+## Purpose
+
+The **DSF BPE Reverse Proxy** is an Apache HTTP Server based front for the [BPE Server](../bpe/).
+It terminates TLS for the BPE's web UI and OIDC-authenticated administrative
+endpoints, and forwards authenticated requests to the BPE backend. Unlike the
+[FHIR Reverse Proxy](../fhir-reverse-proxy/), it is intended for internal
+operator and administrator access only, not for DSF-to-DSF traffic.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/bpe_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy)
+- Tag for this release: `2.1.0`
+
+<ImageVerification image="bpe_proxy" tag="2.1.0" guide="../image-verification" />
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [How to Verify Image Signatures](../image-verification)

docs/src/operations/v2.1.0/bpe-reverse-proxy/configuration.md

@@ -0,0 +1,109 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF BPE server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** FQDN of your DSF BPE server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/bpe`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`; not used by default, overrides *SSL_CA_CERTIFICATE_PATH* if not empty
+
+
+### SSL_CA_CERTIFICATE_PATH
+- **Required:** No
+- **Description:** Folder with trusted full CA chains for validating client certificates
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_ca_chains`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from *SSL_CA_CERTIFICATE_FILE* are used; not used by default, overrides *SSL_CA_DN_REQUEST_PATH* if not empty
+
+
+### SSL_CA_DN_REQUEST_PATH
+- **Required:** No
+- **Description:**  Folder with trusted client certificate issuing CAs, modifies the "Acceptable client certificate CA names" send to the client, uses all from *SSL_CA_CERTIFICATE_FILE* or *SSL_CA_CERTIFICATE_PATH* if not set or empty
+- **Recommendation:** Override default folder content via bind mount or add *.crt files to default folder via bind mount
+- **Default:** `ca/client_issuing_cas`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via *SSL_CERTIFICATE_FILE* contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit *SSL_CERTIFICATE_CHAIN_FILE* if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA Client Authentication ECC', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA Client Authentication RSA', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`

docs/src/operations/v2.1.0/bpe/README.md

@@ -0,0 +1,30 @@
+---
+title: BPE Server
+icon: module
+---
+
+## Purpose
+
+The **DSF Business Process Engine (BPE)** executes the BPMN 2.0 workflows that
+drive distributed data sharing processes between DSF instances. It listens for
+new `Task` resources on the local FHIR Server, runs the corresponding process
+plugin, and creates follow-up `Task` resources on remote FHIR Servers via its
+configured FHIR client connections. The BPE is an internal component and is not
+exposed to the public network — it talks to local systeme (e.g., the local FHIR Store) and to remote
+DSF FHIR Servers through their reverse proxies.
+
+## Docker Image
+
+- Registry: [`ghcr.io/datasharingframework/bpe`](https://github.com/datasharingframework/dsf/pkgs/container/bpe)
+- Tag for this release: `2.1.0`
+
+<ImageVerification image="bpe" tag="2.1.0" guide="../image-verification" />
+
+## Useful Pages
+
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)
+- [Logging](logging)
+- [FHIR Client Connections](fhir-client-connections)
+- [How to Verify Image Signatures](../image-verification)