OIDC Demo

Purpose

This system provides the CAcert OpenID Connect demo client application.

Administration

System Administration

Application Administration

Application   Administrator(s)
oidcdemo      Jan Dittberner

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra03.

Logical Location

IP Internet:   213.154.225.249
IP Intranet:   172.16.2.9
IP Internal:   10.0.3.18
IPv6:          2001:7b8:616:162:3::18
MAC address:   00:ff:8f:9f:43:76 (eth0)

See also

See Network

Monitoring

internal checks: Monitoring checks for oidcdemo.infra.cacert.org
external checks: Monitoring checks for oidcdemo.cacert.org

DNS

Name                        Type       Content
oidcdemo.cacert.org         IN A       213.154.225.249
oidcdemo.cacert.org         IN AAAA    2001:7b8:616:162:3::18
oidcdemo.cacert.org         IN SSHFP   3 1 8509283C1A654410269643A14ECD8B9D38E907FC
oidcdemo.cacert.org         IN SSHFP   3 2 695160A4D09C9148989FA6973F6CA05044A973E414D26C011D53D8E6F93347F4
oidcdemo.cacert.org         IN SSHFP   4 1 0F11D5A25CD6BEC2F4C0522F19A2381A61DCCBC8
oidcdemo.cacert.org         IN SSHFP   4 2 8004F6504BC32BAB2025191B8977D910B71433A2263FFF979E621924129EDE96
oidcdemo.infra.cacert.org   IN A       10.0.3.18

Operating System

  • Debian GNU/Linux 13 Trixie

Services

Listening services

Port       Service                 Origin    Purpose
22/tcp     ssh                     ANY       admin console access
25/tcp     smtp                    local     mail delivery to local MTA
80/tcp     nginx                   ANY       redirect to https
443/tcp    cacert-oidc-demo-app    ANY       CAcert OpenID Connect Demo application https
5665/tcp   icinga2                 monitor   remote monitoring service

Running services

Service                 Usage                                     Start mechanism
cacert-oidc-demo-app    CAcert OpenID Connect demo application    systemd unit cacert-oidc-demo-app.service
cron                    job scheduler                             systemd unit cron.service
dbus-daemon             system message bus                        systemd unit dbus.service
Exim                    SMTP server for local mail submission     systemd unit exim4.service
icinga2                 Icinga2 monitoring agent                  systemd unit icinga2.service
nginx                   webserver for http redirect               systemd unit nginx.service
openssh server          ssh daemon for remote administration      systemd unit ssh.service
Puppet agent            configuration management agent            systemd unit puppet.service

Connected Systems

Outbound network connections

  • DNS (53) resolver at 10.0.0.1 (Infra02)

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for getting CRLs

Security

SSH host keys

Algorithm   Fingerprints
RSA         SHA256:5CfQxEUITxcSVHx5hAH7ubQrnb8rKsrKxg4ADMthz68, MD5:29:2e:4f:50:1d:0f:b3:ed:05:53:3d:33:f2:27:75:e2
DSA         -
ECDSA       SHA256:aVFgpNCckUiYn6aXP2ygUESpc+QU0mwBHVPY5vkzR/Q, MD5:78:49:dc:5d:8c:ed:80:04:95:4c:b2:2f:e9:c2:82:35
ED25519     SHA256:gAT2UEvDK6sgJRkbiXfZELcUM6ImP/+XnmIZJBKe3pY, MD5:89:c3:e9:07:e4:c0:91:fd:93:ca:d0:e1:43:e8:af:80
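The SSHFP records in the DNS table above and the OpenSSH fingerprints in this table are two renderings of the same data: an SSHFP type 2 record carries the hex SHA-256 digest of the raw host key blob, and ssh-keygen prints that same digest as "SHA256:" followed by unpadded base64. The script below is an added example (not part of this CAcert page and not from the oidc-demo-app project) that cross-checks the two tables so a drift between DNS and the documented host keys is caught during a review; it also derives SSHFP digests from an ssh-keyscan style line, the way ssh-keygen -r does, and lists algorithms that have a documented host key but no SSHFP record (RSA here, so clients using VerifyHostKeyDNS can only validate the ECDSA and ED25519 keys via DNS). The ssh-keyscan line used for the self-test is a constructed sample, not this host's key.

```python
import base64
import hashlib

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
SSHFP_FPTYPES = {1: "sha1", 2: "sha256"}

# SSHFP rdata as published for oidcdemo.cacert.org (copied from the DNS table)
SSHFP_RECORDS = [
    "3 1 8509283C1A654410269643A14ECD8B9D38E907FC",
    "3 2 695160A4D09C9148989FA6973F6CA05044A973E414D26C011D53D8E6F93347F4",
    "4 1 0F11D5A25CD6BEC2F4C0522F19A2381A61DCCBC8",
    "4 2 8004F6504BC32BAB2025191B8977D910B71433A2263FFF979E621924129EDE96",
]

# OpenSSH-style fingerprints from the "SSH host keys" table (DSA has none)
DOCUMENTED_FINGERPRINTS = {
    "RSA": "SHA256:5CfQxEUITxcSVHx5hAH7ubQrnb8rKsrKxg4ADMthz68",
    "ECDSA": "SHA256:aVFgpNCckUiYn6aXP2ygUESpc+QU0mwBHVPY5vkzR/Q",
    "ED25519": "SHA256:gAT2UEvDK6sgJRkbiXfZELcUM6ImP/+XnmIZJBKe3pY",
}

# Constructed sample of one ssh-keyscan output line; the key blob is a dummy
# ssh-ed25519 wire encoding (length-prefixed type string and 32 filler bytes),
# NOT the real host key of oidcdemo.cacert.org.
_SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_KEYSCAN_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode("ascii")


def parse_sshfp(rdata):
    """Split '<alg> <fptype> <hex>' into (algorithm name, hash name, digest bytes)."""
    alg, fptype, hexdigest = rdata.split()
    return SSHFP_ALGORITHMS[int(alg)], SSHFP_FPTYPES[int(fptype)], bytes.fromhex(hexdigest)


def openssh_sha256_fingerprint(digest):
    """Render a raw SHA-256 digest the way ssh-keygen/ssh-keyscan print it."""
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def sshfp_from_pubkey_line(line):
    """Compute SSHFP type-1 (SHA-1) and type-2 (SHA-256) digests from a line of
    ssh-keyscan or known_hosts output: '<host> <keytype> <base64 blob> [comment]'.
    SSHFP and the OpenSSH fingerprint both hash the decoded key blob."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-sha2-")):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no OpenSSH public key found in line")
    return {
        "sha1": hashlib.sha1(blob).hexdigest().upper(),
        "sha256": hashlib.sha256(blob).hexdigest().upper(),
    }


def cross_check(records, documented):
    """Map (algorithm, hash) -> True/False for SHA-256 SSHFP records that do or do
    not match the documented OpenSSH fingerprint; SHA-1 records map to None
    because the host key table shows no SHA-1 form to compare against."""
    result = {}
    for rdata in records:
        alg, hashname, digest = parse_sshfp(rdata)
        if hashname != "sha256":
            result[(alg, hashname)] = None
            continue
        result[(alg, hashname)] = documented.get(alg) == openssh_sha256_fingerprint(digest)
    return result


def algorithms_without_sshfp(records, documented):
    """Documented host key algorithms that have no SSHFP record at all."""
    published = {parse_sshfp(r)[0] for r in records}
    return set(documented) - published


if __name__ == "__main__":
    for key, ok in sorted(cross_check(SSHFP_RECORDS, DOCUMENTED_FINGERPRINTS).items()):
        print(key, "match" if ok else "NO MATCH" if ok is False else "not checkable")
    print("documented keys without SSHFP:", algorithms_without_sshfp(SSHFP_RECORDS, DOCUMENTED_FINGERPRINTS))
    print("digests of constructed sample key:", sshfp_from_pubkey_line(SAMPLE_KEYSCAN_LINE))
```

To run this against the live host rather than the copied tables, feed the output of ssh-keyscan for oidcdemo.cacert.org into sshfp_from_pubkey_line and compare the returned hex digests with the SSHFP rdata obtained from DNS; a mismatch means either the DNS records or the documentation is stale and the host key change should be investigated before the records are updated.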

Non-distribution packages and modifications

The main service on the system is the CAcert OpenID Connect demo application. The code for the application is maintained at https://code.cacert.org/cacert/oidc-demo-app. The package is installed from an internal Debian repository on Webstatic.

Risk assessments on critical packages

Critical Configuration items

Keys and X.509 certificates

cacert-oidcdemo-app configuration

The OpenID Connect demo application configuration is managed via Puppet.

Tasks

Changes

Planned

Additional documentation