From 9be9eba1b22923f20047b4fa5f904fe5463eb246 Mon Sep 17 00:00:00 2001
From: Madhumita
Date: Wed, 2 Nov 2022 18:12:14 +0530
Subject: [PATCH 1/3] docs: #2840
---
docs/admin/fido/config.md | 116 +++++++++++++++++++++++++++++++++++++-
1 file changed, 114 insertions(+), 2 deletions(-)
diff --git a/docs/admin/fido/config.md b/docs/admin/fido/config.md
index 263c941ff16..43998ca53f9 100644
--- a/docs/admin/fido/config.md
+++ b/docs/admin/fido/config.md
@@ -1,7 +1,119 @@ --- tags: - administration - - fido + - fido2 + --- -This page will be the landing page for the Janssen Project admin documentation +### Configuration Parameters of Janssen's FIDO2 server: +| Field named | Example | Description| +|--|--|--| +|issuer| https://my-jans-server.jans.io | URL using the https scheme with no query or fragment component. The OP asserts this as its Issuer Identifier| + |baseEndpoint| https://my-jans-server/jans-fido2/restv1 | Base URL of the FIDO2 server Endpoints | + | cleanServiceInterval | 60| Time interval for the Clean Service in seconds. | + |cleanServiceBatchChunkSize | 10000| Each clean up iteration fetches chunk of expired data per base dn and removes it from storage. | + | useLocalCache | true| Boolean value specifying whether to enable local in-memory cache for attributes, scopes, clients and organization configuration| + | disableJdkLogger |true| Boolean value specifying whether to enable JDK Loggers | + |loggingLevel | "INFO" or "TRACE" or "DEBUG" | Logging level for FIDO2 server| + |loggingLayout |"text" or "json"|Contents of logs as plain text or json format| + |externalLoggerConfiguration||Path to external log4j2 logging configuration| + |metricReporterInterval|300|The interval for metric reporter in seconds.| + |metricReporterKeepDataDays|15|The number of days to retain metric reported data in the system| + |metricReporterEnabled| true |Boolean value specifying whether to enable Metric Reporter| + | personCustomObjectClassList | ["jansCustomPerson", "jansPerson" ] |LDAP custom object class list for dynamic person enrollment.| + |fido2Configuration|See JSON contents in the below example | FIDO2 Configuration | +| authenticatorCertsFolder | /etc/jans/conf/fido2/authenticator_cert |Authenticators certificates fodler. | +| mdsCertsFolder | /etc/jans/conf/fido2/mds/cert |MDS TOC root certificates folder. | +| mdsTocsFolder | /etc/jans/conf/fido2/mds/toc |MDS TOC files folder. 
|
+| serverMetadataFolder | /etc/jans/conf/fido2/server_metadata | Authenticators metadata in json format. Example: virtual devices.|
+|requestedCredentialTypes|["RS256","ES256"]| |
+| requestedParties| [{"name":"https://my-jans-server.jans.io","domains":["my-jans-server.jans.io"]}]| Requested party name.|
+ |userAutoEnrollment |false|Allow to enroll users on enrollment/authentication requests.|
+ |unfinishedRequestExpiration| 180|Expiration time in seconds for pending enrollment/authentication requests|
+ |authenticationHistoryExpiration|1296000|Expiration time in seconds for approved authentication requests.|
+
+### Configuring the FIDO2 server:
+#### 1. Read Configuration parameters:
+
+Use the following command to obtain configuration parameters:
+
+`/opt/jans/jans-cli/config-cli.py --operation-id get-properties-fido2`
+
+Response:
+```
+{
+ "issuer":"https://.jans.io",
+ "baseEndpoint":"https://my-jans-server.jans.io/jans-fido2/restv1",
+ "cleanServiceInterval":60,
+ "cleanServiceBatchChunkSize":10000,
+ "useLocalCache":true,
+ "disableJdkLogger":true,
+ "loggingLevel":"INFO",
+ "loggingLayout":"text",
+ "externalLoggerConfiguration":"",
+ "metricReporterInterval":300,
+ "metricReporterKeepDataDays":15,
+ "metricReporterEnabled":true,
+ "personCustomObjectClassList":[
+ "jansCustomPerson",
+ "jansPerson"
+ ],
+ "fido2Configuration":{
+ "authenticatorCertsFolder":"/etc/jans/conf/fido2/authenticator_cert",
+ "mdsCertsFolder":"/etc/jans/conf/fido2/mds/cert",
+ "mdsTocsFolder":"/etc/jans/conf/fido2/mds/toc",
+ "serverMetadataFolder":"/etc/jans/conf/fido2/server_metadata",
+ "requestedCredentialTypes":[
+ "RS256",
+ "ES256"
+ ],
+ "requestedParties":[
+ {
+ "name":"https://my-jans-server.jans.io",
+ "domains":[
+ "my-jans-server.jans.io"
+ ]
+ }
+ ],
+ "userAutoEnrollment":false,
+ "unfinishedRequestExpiration":180,
+ "authenticationHistoryExpiration":1296000
+ }
+}
+
+```
+
+
+#### 2. Update configuration parameters:
+ Steps:
+ A. Create a JSON file say `/tmp/config_values.json` by editing the JSON from Point 1
+ B. Use the following command
+ `/opt/jans/jans-cli/config-cli.py --operation-id post-config-scripts --data /tmp/config_values.json`
+
+#### 3. Change log level of FIDO2 server
+ Steps:
+ A. Create a JSON file say `/tmp/config_values.json` by editing the JSON from Point 1. Edit `loggingLevel` to `TRACE` or `DEBUG` or `INFO`
+ B. Use the following command
+ `/opt/jans/jans-cli/config-cli.py --operation-id put-properties-fido --data /tmp/config_values.json`
+
+#### 4. Locating FIDO2 configuration in Persistence Layer
+
+While it is not recommended that an administrator directly edits a configuration at the persistence layer, it may be useful information for a developer.
+
+##### A. MySQL
+```mermaid
+erDiagram
+ jansAppConf {
+ string doc_id PK ""
+ string ou "jans-fido2"
+ string jansConfDyn "json configuration for the app"
+ }
+```
+
+##### B. LDAP
+
+```mermaid
+graph LR
+A[ou=jans] --> V(ou=configuration)
+ V --> V5[ou=jans-fido2]
+```
From 77aada6c27c6133829eec72234d09198ecdb478b Mon Sep 17 00:00:00 2001
From: Madhumita
Date: Thu, 3 Nov 2022 21:32:29 +0530
Subject: [PATCH 2/3] docs: #2840
---
docs/admin/fido/vendor-metadata.md | 234 ++++++++++++++++++++++++++++-
docs/assets/fido2-metadata.png | Bin 0 -> 24779 bytes
2 files changed, 232 insertions(+), 2 deletions(-)
create mode 100644 docs/assets/fido2-metadata.png
diff --git a/docs/admin/fido/vendor-metadata.md b/docs/admin/fido/vendor-metadata.md
index 263c941ff16..dc35f404f5c 100644
--- a/docs/admin/fido/vendor-metadata.md
+++ b/docs/admin/fido/vendor-metadata.md
@@ -1,7 +1,237 @@ --- tags: - administration - - fido + - fido2 + - metadata Service + - attestation --- -This page will be the landing page for the Janssen Project admin documentation +### Metadata Service: + +The metadata service is a centralized, trusted database of FIDO authenticators. It is used by the Relying Party to validate authenticators i.e. attest the genuine-ness of a device. If implemented in organizations like government, federal agencies, banking and healthcare organizations for example) and/or organizations handling sensitive data (media companies, R&D institutions, corporations, etc), this information can help protect organizations against security vulnerabilities. + +### 1. Local metadata service: +Janssen's FIDO server has a [configuration parameter](./config.md) called `serverMetadataFolder` which by default points to a directory location `/etc/jans/conf/fido2/server_metadata` where the administrator can (obtain from a vendor and ) place authenticator metadata in json format. 
+
+Example of authenticator metadata:
+```
+{
+ "aaguid": "83c44309-....-8be444b573cb",
+ "metadataStatement": {
+ "legalHeader": "Submission of this statement and retrieval and use of this statement indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/.",
+ "aaguid": "83c44309-....-8be444b573cb",
+ "description": "Just an example",
+ "authenticatorVersion": 448962,
+ "protocolFamily": "fido2",
+ "schema": 3,
+ "upv": [
+ {
+ "major": 1,
+ "minor": 0
+ },
+ {
+ "major": 1,
+ "minor": 1
+ }
+ ],
+ "authenticationAlgorithms": [
+ "ed25519_eddsa_sha512_raw",
+ "secp256r1_ecdsa_sha256_raw"
+ ],
+ "publicKeyAlgAndEncodings": [
+ "cose"
+ ],
+ "attestationTypes": [
+ "basic_full"
+ ],
+ "userVerificationDetails": [
+ [
+ {
+ "userVerificationMethod": "passcode_external",
+ "caDesc": {
+ "base": 64,
+ "minLength": 4,
+ "maxRetries": 8,
+ "blockSlowdown": 0
+ }
+ },
+ {
+ "userVerificationMethod": "presence_internal"
+ }
+ ],
+ [
+ {
+ "userVerificationMethod": "passcode_external",
+ "caDesc": {
+ "base": 64,
+ "minLength": 4,
+ "maxRetries": 8,
+ "blockSlowdown": 0
+ }
+ }
+ ],
+ [
+ {
+ "userVerificationMethod": "fingerprint_internal",
+ "baDesc": {
+ "selfAttestedFRR": 0,
+ "selfAttestedFAR": 0,
+ "maxTemplates": 5,
+ "maxRetries": 5,
+ "blockSlowdown": 0
+ }
+ },
+ {
+ "userVerificationMethod": "presence_internal"
+ }
+ ],
+ [
+ {
+ "userVerificationMethod": "none"
+ }
+ ],
+ [
+ {
+ "userVerificationMethod": "fingerprint_internal",
+ "baDesc": {
+ "selfAttestedFRR": 0,
+ "selfAttestedFAR": 0,
+ "maxTemplates": 5,
+ "maxRetries": 5,
+ "blockSlowdown": 0
+ }
+ }
+ ],
+ [
+ {
+ "userVerificationMethod": "presence_internal"
+ }
+ ]
+ ],
+ "keyProtection": [
+ "hardware",
+ "secure_element"
+ ],
+ "matcherProtection": [
+ "on_chip"
+ ],
+ "cryptoStrength": 128,
+ "attachmentHint": [
+ "external",
+ "wired"
+ ],
+ "tcDisplay": [],
+ "attestationRootCertificates": [
+ "MII....psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw=="
+ ],
+ "icon": "data:image/png;base64,iVBORw0KGgoAAAA....k5+36hF7vXAAAAAElFTkSuQmCC",
+ "authenticatorGetInfo": {
+ "versions": [
+ "FIDO_2_0",
+ "FIDO_2_1_PRE",
+ "FIDO_2_1"
+ ],
+ "extensions": [
+ "credProtect",
+ "hmac-secret",
+ "largeBlobKey",
+ "credBlob",
+ "minPinLength"
+ ],
+ "aaguid": "83c.....73cb",
+ "options": {
+ "plat": false,
+ "rk": true,
+ "clientPin": true,
+ "up": true,
+ "uv": false,
+ "pinUvAuthToken": true,
+ "largeBlobs": true,
+ "ep": false,
+ "bioEnroll": false,
+ "userVerificationMgmtPreview": false,
+ "authnrCfg": true,
+ "credMgmt": true,
+ "credentialMgmtPreview": true,
+ "setMinPINLength": true,
+ "makeCredUvNotRqd": false,
+ "alwaysUv": true
+ },
+ "maxMsgSize": 1200,
+ "pinUvAuthProtocols": [
+ 2,
+ 1
+ ],
+ "maxCredentialCountInList": 8,
+ "maxCredentialIdLength": 128,
+ "transports": [
+ "usb"
+ ],
+ "algorithms": [
+ {
+ "type": "public-key",
+ "alg": -7
+ },
+ {
+ "type": "public-key",
+ "alg": -8
+ }
+ ],
+ "maxSerializedLargeBlobArray": 1024,
+ "forcePINChange": false,
+ "minPINLength": 4,
+ "firmwareVersion": 328965,
+ "maxCredBlobLength": 32,
+ "maxRPIDsForSetMinPINLength": 1,
+ "preferredPlatformUvAttempts": 3,
+ "uvModality": 2,
+ "remainingDiscoverableCredentials": 25
+ }
+ },
+ "statusReports": [
+ {
+ "status": "FIDO_CERTIFIED_L1",
+ "effectiveDate": "2021-08-06",
+ "url": "www.yubico.com",
+ "certificationDescriptor": "An example",
+ "certificateNumber": "FIDO2.....001",
+ "certificationPolicyVersion": "1.3",
+ "certificationRequirementsVersion": "1.4"
+ },
+ {
+ "status": "FIDO_CERTIFIED",
+ "effectiveDate": "2021-08-06"
+ }
+ ],
+ "timeOfLastStatusChange": "2021-08-16"
+ }
+```
+
+
+### 2.
Metadata service for authenticators approved by [FIDO Alliance (MDS3)](https://fidoalliance.org/metadata/) + +Metadata entries for trusted authenticators registered with FIDO Alliance can be found on - https://fidoalliance.org/certification/fido-certified-products/ + +![Metadata](../../assets/fido2_metadata.png) + +Draw.io reference for image: +``` + +7Vlbc6M2FP41nrYPyXAx2Hl07HUv052kdWe7fVRAAU0EokLEdn/9noOEsQBnva6ZnZ3ZJ3M+ISG+79yEJ/4y2/0sSZG+FzHlE8+JdxN/NfE8158F8IPIXiOzYKqBRLLY3NQCG/YfNaBj0IrFtLRuVEJwxQobjESe00hZGJFSbO3bngW3n1qQhPaATUR4H/2bxSrV6DxwWvwXypK0ebLrmJGMNDcboExJLLZHkP9u4i+lEEpfZbsl5Uhew4uetz4xetiYpLk6Z0L6cRW7f/0ZB+E2cD9U+8dy+ceNUeeV8Mq88G8kL2/Wv64eEN9Q+Uql2b/aN6SUW5ZxkoN1/yxyZVRz52Cb9ahUdHdyo+7h9cFvqMioknu4xUyY+oYx4zJzY25b/g9Yesx9aEBiNE8OS7e0wIVh5gtY8nssIUGALDhnJI/oDyUY76kiMVGk5ooomuH7wm7yGJ1WVqW2olQMMJqSAi9zoZDVbcoU3RQkQmwLkQVYqjKOLMPlE4leEimqPH6oFGc5NXhM5MsDzGIKqXNuneBcRU47x0mZvMBSaRr0VLoL+iLNg5E0mvY0+l1AGNu6bFpdvn0B3FlHgbCnwGxAgdlYCsx6CvRYpnm8wKQMVsRJWbLI5rWmlOJDnJO5hca9jH0ZjUc8BQPppMEk5USxV/uZQ+SZJzwKVsf9zqbbiORNO0mqFJWMqJl0nL7fXsf1O+soIhOqeuvUSh5e+nJxwy9NgVg6GISPF3KFEQM5L0zw6sdUKSzeC9yjt35msSBmjVshE9zdYZX1Tz0Xsl3kM3E6QnUKHLs6+d655amr/NUCbz4QeJp1fH+LvvDfSjQDN2XNDOjguF6xq+lpxhuxoGPJuSBIOPZYBWw2JBmynD+Vhb6R6wlr/TA9rycbEK5sbQhnSY6JAIiHHsO/R1kYpOyFGchYHOP0e0lhp+SpXgpFL9DJaxKD+0mwwrUqJUqjM5ilkuKFLgWHSospXXcqjPMuNL57eGHfPVxvwD1G8467/+8d8xPe0aSASqVAD2insLU5zyEujmPvOkK5ri3UoXE/Fmo2FMfeWEo1OxqvggI3cv/RDNbGP3WfEjTmanc8uNo31o4pnObeOk5obD0TD3jabqeicTzzkUoGDGGQ19gZddxAuji+RZlpzXX1+1z9+lo9gD/r1Iy7C5uAqddZqJs1Ru4CXHd0D208zfKyt33siv5091XdZN6pHe6lbtI5QfdOxmO7iTdeR7JQiuLxmon8e+9hlzS/W9L8fkkb6kxHaz3c/oeTq/UenabD+QB559vpPuzDnD/UJA4pNR9Nqf7nk6tFLLCiyAvFLUDIOsNNoxNhBD6jeRTZ7amxe+7QX9UkTViJEYzUAXOH1ZsT5fcU0el65x3PG/q4OlTiLvi2Cmb7dVuXlvY/Av/dJw== +``` + +Janssen's FIDO2 server - + +1. Downloads, verifies and caches metadata BLOBs from the FIDO Metadata Service. +1. Re-downloads the metadata BLOB when it expires. +1. 
Provides trust root certificates for verifying attestation statements during credential registrations.
+
+
+
+### 3. Skip metadata validation
+Metadata validation is recommended but not mandatory as per FIDO2 specifications. As per the current implementation, there is no provision in the jans-fido2 server to turn this feature off. However, the intention is to implement it in the future.
+
+
+### References:
+
+1. https://fidoalliance.org/announcing-the-new-streamlined-and-simplified-metadata-service-for-authenticator-vendors-and-customers/
diff --git a/docs/assets/fido2-metadata.png b/docs/assets/fido2-metadata.png new file mode 100644 index 0000000000000000000000000000000000000000..ee72dce5f1b0687ebfd4334cd9263d87504fd2bf GIT binary patch literal 24779 zcmd?RcTiMc*Ch;s1OW*uISPVG&L9~i=O8%<*fcrkEFd6RkRTw4WXU;$NRo`?93|(R zVb10EJm34i^;J#HA5$|^GgV4=-@bjr>2vm8d#$zmqmqIo)&t@P2nYyR(o(Ng5D<{i z5D*Z(&``jZZ%&GG-~rJ=MN$-@u#a>dyg-JF$crE#ltf}&8Qur4(QT!)91sxj9HIY+ zvnCX-U>_AnaZN`nR}(W!7{W7lv45UDV`DM3ad3Rb{`wgko1v{O(>pUmxV@p31Cuq( z5o`kQTiLubGckj``)40E7B)6UR#rw9b~RSEXY3-ZoZt@!3lldxhxR}F8^U4M|2iNi z6AL)Na}6`=cQ!5#;HiQd_`}KqHnWR@XW$Jkj(?uIa&f!>TSRPaEnylkBUv+Wb_q^) zZYFjvu=%;Hl$yNUGd3~s+|tYf1|B3~#uhfvN5o9+ZLGi+304*^CUEGxbE+De7}}ft z=R=6Uga3c~u(ETrFmZyLgYFOJXbAu3-ZVH&Eo@lciK=t(8aNrrh{$m%$p5pCGtAz> z%*OiPL%_tz#QM)0j&8QFf40JHY~YsQGQgmSgW>(xID+Gw{cGeztXXYdvxu><%A3iU zxUxC&I9Y;QgRa2Z5M2M=H=qOtkMZu%?BcB2YNAHAE-vEIh9;uU8gIm$&j!V?QUcGPKDJ*+g!p;1jg&mDQlrF>aL{XXm$4q8}JcDHDgCZ z4kJZwBU$K*v|KF=rPQog&Dq|8YjQI((s1E^XT;^qZttY_TAY&y?80m0q5!U0!W}Me zq6Rn7n@$rL>e9%P`RM8V0VmiPA^q@fKQQ1e4v5JQwj4hZ)9DEe4bI3N9uSU8%D zs$V%;>pjHBQ7@^=5fG6lY<6P=THNT$mJ8gvuj>jMoL!t(_fl!juti9EJSB%N2jz()faT0H`}F%G2FyH;FA-e|!1 zwu;4OGG1@c%i+*StE37e2wG29b2ZNvj|x)?v>MyYAY# z&rV5ZqZQdbJzv_%8Wrm&N1Wm= zu?oJw#NwXD3AC!5Fqt5>$j8+`?D3fPxxHSf!R!{r^Ig1B;8_S@;n!<_K6Apq_9{-M zE?UohJ@ec(h{D@7$txjb=&_E}t5-!4TNcNPcNfP>gP1N6{-9#!#VmV$eki7%(OT9c z+`rx@WvRU}$bS8$*6ea+)kqz&>e?@oILuUX7T`7T-oz(?hsh|LI@UEXSF(LUT6DYG zXK|WOlh|M~XlrgO0{9G?Q37Z4{tHfdSqfh#X<6tHzfbe+*0YoFyV?@AuOjcQS9S3!ZSYhjq2Etji#3!PI_N%TNH5&K;Pn#edn{5i;+6Yi|?UK50)}#zAQHWsM0h0 z_?DlX0RtUDYSHMx<#M}fb=kVKlh#lZzWPS4n8Ws;s~M0H7M8@~L2K+bzg10_jC{zs z|II>rt5o&#$ynr}v_O>vvA_ZC{f^m&T-)-~~}Er7{6X5)vOGz(Zhxsf0Bq|qdDn`v`wObRMSe>A+5 z{3i7itu|*k?@8qK*pOt2ji*60Eh_Rg@@>hKvH*>CInTf#p3WncAX0m&aci@x%xZbJ zjLZD-A0-<<@=U-Cw%?u+MZQG7reyv0gv$DGydfuV$UDsn^k=Z zHjEU!Fm>(ay!REWK6EXJ9BEeF=6YgA6K+i=Gao)qj8`}7%cPEc_QG#{{P+i*H0_C@F1h(;ZbM{u;>ochMZxUE$JgP@?+lV%X59=mCu4KySD)Q|T^JdN`dd$< zow2EGnNf;qu#pS+tJ4)EGvC{|v)Uz=x9+^yuMIf*GeS^>&up(yCFUM3Jb8?Qe6{Yl 
z?nGq9B5%^cWPEs7<-v%S@-?+#`QuEjGumr7z^Q` z`X<*U?X+CaQG9okvPxpQ^>MzwyNMQsofb_ZjNVtOOe}pZ*h0yuh3nS`I&JksLNuXW zD@{DbjW8G0r&`~V-fTULT@+{;vesO`-$;hLsxhsI+cI>ne5iPu@96XXbbFf|e^)A? z6hE^tIUc1_7+Mgra8CXqmt(|sCFTzVYBS17|h%K*qOI` zmRslQo!ieO0WwCkJrt+@Pk6{cw5r>#>_)*N=J-ZoQBa}o-1bCcxH357y|q&2j}z^N z$8G46cOEvE1k@;eh)BayS4^!#?7bz7ZOazgpIdOT)e;4#LXU$c@p@wYPuwTE@y zrAhEnfZ$IgO|SPIxwT@7q#ERP7*)+hKG&O;XL}11%kc&&+oj!16^g^kUi;NXU)(T1 zzy7o9?d8l0hGnAIu%#4(xt`^6I9o9G`lPC<0Bc0Jg|!$YI(JM=TWIWFut-OB_`da{ z1cQhYd_Wk5?nfhS-h!Y^j)as1J=YFE{LYVp!UWA#wXVDEG0^rO^eDlz6DIR)(uA&e z=}-(g_)5`F`qxj`cb?(|D9vWc;r(T0vAug9M@ZRa{Pryrv7{N7jPPRdZ zyuLe?IXBX4H_Rgg=(=*nFmaYy2ZW$`tJWcKIvrzGy%0F@O~ikazde#7Rp5A7b>jCY z>K2~2niH<#ZEW4`FN~7?u?2ZN)-&VH#qi@=uCyXZZ0cD(Z;pl(gW$8Lp8;@Sy4->b zS@`n!exW%Mg3iOa*XPp6p2QAUP|sC6=wR(2RlO`Pc%;BXMFDU2yFZa0DL6@sNNG!# z&^Yghaj>t1d80~m@3Vgpx%+eev9eY?*>|d0a-Ega_T7_FDf^A54gCmqzU$ST|)n-A;V4n? zw+LB|DGqgQv&<+doV_YP^^m;6+Lty3nqZ;*a(GSI;r{8{>-@3Q+pEOpVVnGjk1rI(&ex{|@v8s53hC`>2oWR(0bx@H;EG36` zAqXZn68;QBwdUu<(Z?0`tH}-uuDuR$^L6d7f@G1)8xfRhWUBQj?*(tnlxEN>4zUH# z-frt%{%J7%6@WewEz3j{9b+6RP+6XtMjnxyFpg85Ek*d8yN&g9*XOqG#9BG^td&mm z^l2sfM=^K#))4x_1g|BMx!)&qKDU;;4X1sAH~Wz!luWc{W2K8V0S@w43@NJsPX4^f z9QjtZN)Z##*o!PO=-V1Oml>~5e2?6(cs2k-Zt79MkJIlKxYBK1^hKoFh;aaOiEAV9 z;M;(;VhMmr5tdf)q+2br9hR7!!t>q2x*ctrTt=~|-_%S<%N#ANRV#@Wqq7wizaG#B zFiASHhG5s?XPVl*P4R4R8=sxYS+%nywf{|J=+m)dT)yJ#)l$-K8xcyxZW6G6o;>;@ zY9N|sP%pm>3?URBkW})|uclW83A|~HHPFq6b24Y(sa~Z^5qwPihk^w&%z0myB)Mj5 z*(zmNtnDt!PYP#U>lM2dEZ&E5dauLn$T!HwC9{+5WpZk=ldzjl*Z!o7?X`PH8tql? zx03{|KBvW7=foI3i+NYhoeSzeu0%tkn!fo+pDSb6eohn!DxP^4Kiq$HKQQKZme&xG z^Za|%KnvWb+PIiF9{BHt#y;5cw;4w`Jh+S+rDJl2^XQHC0pM9|P(!a#&#sY9Q$h`H zg%-LMJVgBK9Q4649h(MzLK04Mwd&#+j8~CDH)nf29^U-u8;jzpX1%(Y$TfUeoE7{A zt_vTid}Xp%B@-zbN7r`1y2@P2ltN30FiT*bk$0uA`}49})M^1#0aM5+8*VgitcKJH z+3H*~*;^LYb~3&0q}VV<31o*bMM?tJhlu1If6Dp=bx5=$5I$MIF4wngJYSih6FTp- z{p85+yve&&+)~;>;luC9dA=7UlHm?F*vjE1f*L-Fvx;UR?+! 
zK~L(+OK#1s-OiWe52u##?Plk7gU7w{=|Q*^0AUb?^xlOloN%BbJ=S}M=E?M@z`~~` zCJ_|6U9z~tPmsJ=lIv<)eT!y4kSg;)YGMG>CUmnlZw5bVpT-}&RvPeF}{m?MyF3%7`*$cOFWTUQ&j5-zjl3qr?}C2 zTu#lUxKPWqJ%~t;c=fV=^}DCGUu|NC@SKq!rPpkLiVc@dhhlP7-!vWMs=iAQHfb(t$h{0{_8rzCqCCOW#$3B-yEV6c zm{##IAgVR$5Os`_CE4Ne>W?Jr+FY(>QMD9DCk)ZQtOG6ylt+*DL&=dMOC`5bN&O#_ z*GpLHGbo6$v-S=SziP7!MT^*Jyxg%>+#$MTv70Q7vNTP#ZoXdA$i?MdMO? zxXxd`N0DZ=t}Ns;A;f7X6`D(up?<>}M3l}2<+3E$-m7M5-;=1H5biU*+3!Cy^;%5+ zWs8TdO=l*u%&V?xdyT$YboB6zUZ?Rl8y1l@ID|vCGGY{7dOc?LrB_W(5zI#B)%`6! zpQ7&>IHvExm>g`nanm7mgRAgzOwUEnl{PBv63HtI{YqyaRMQ_ajMBrox|l#v-D)E+ z$oCrb=Exlsx;kG?1wqKu-CfIlsP>eLW{3vX#@C*~X>mO8?8OZ|(-|x6pRBl4pA7lS z+e7MP=eg%byxKLUpO=mJ+p|3j*`G7j4aXBwI%B#q*FE7C9; zE;jNEd4|3^jcUaLj-%m3+AFLH%v*J+7=AOV>(JZ9ST(J3nQ^_y^@Yny+e#`^1#9Qm z$=@2fSVmcwjrH@iqGW~fQ%jOc<(J;5XUW^`7ki|UU(RNNcil3UIY|1B?3!Bbm}>q; zUwI@%bZj17b{1<4p_A zmGi^Z)A95~ngF-H1lIIQWPv>9o%EE&xOF6LUSH#RW&C-93T_dE=3B!cGW7|gP{x-~ z4kJ7PU)>w$X}gXtji!qc@o4|x1<%IiI30Cz*ZKF81NO-b5|QM3yo~Xbam3Dl6ohr>)N$-5j35(b%|jMsL`8I#a&N3 z^cPq{OP@HUpJyq|Gl{D2u${yvKa7OCu)N-+8)Wc_p7cNbFHY$V&ShYG^Ua2&D{ccK zsGMIZ^g&$h0$^B2I~(ARoYIzud;teO7elF|f(4NW87GN6c1CAAV?&QR-njHp)4Hsm zlI~y5b@3+IO(t!1%mplZhCZ)~g{?7NpV$8(7_<8JETl(gdCMpxu72Cf21EY+bS2YG z_sSfY3j_TP7u1ghnOpV*PR6M(Hw|uy$-`~Qkd`4}zre(Ll_^9J?VLgJw{G^haLZ%v zQh)8DwP8zUj^6Iz0azs zGo~K*b5sn*vu|H;xa>^t6~#;oMjbRB7uZz1D4HmJ9VR>B*#A9`V6%^X_sa^Hk_KyC zr2rp(*wLLk?{oQe@;wy8MQec=rxt%CiDH?;>*$XbC+maFU*#oNi?99&g!#N)o>Qu+ z6X#^j_j>BY*vPEg)Vx1xP}jQeML+v2^b|AR{ZXM%PJ5uhjp@@>R>senRI&1``g&>O+C7#vl;*V9&T zq^fvJ8oa%?uITfMIdXq(sncHQ;5W5={Il;pb5|?e3x2lI7+v2<3-2#5J-R*b_c_p^ zR!HP{aoGbGjM*-3c}Vriu-;?0ft!Z@ctsM=ZoiEns7|#wOs?B;C`%sWP=4&AaJYrS z!&htHqUJMwhH0FhMeK4ntjkYe`<%6Gk?p!lHpxAf8kOFui9m+G~1-A>oXW2@MsU+RRSgfpN;&9!W|Da}-w!fm5(CFM{x>uymU#ov&S>~-44?9DoT z9T=+b0xE!kMBLpv@{%hku6eMYfr&C_YsWZsNKJ7rWwrL}pyn(LV^}KKG&5N6C=L5V zf9B5Xr(G@~#-Ep}glHegGFGU$rl?-B3#Ob4X0NK=bBIQ1?C>PN#bLf)64ZA%M9f;| zZ#(}mwPnvIyGQigziv?J1wz+?s7pJ%*4<}7!-oGjIf15>S*70QxGLF>CuP!qPH-nc 
zGuZ}r*;$-FZMGjdEj8DLAYFau?J(wy#-I*EmXLKg3z-m)8G_zxtaA`5@oJwaC!v}D z%)MTbEL7eUlWcYS48apIBjKNN!V0nyo&zdB?GJdD#KXHR?!*2}76Yuh()^m5xqeU7 zRQ{W|ueBHi_{%PL>WZv|#pe|V_I6yF_?ou$T2ohxnQO$Jh-kz2kXBkGJt)>^{uq7V z^QX9?T zC_*KaRZne6k*5P)6h{@WQflM%28T(Y$uNx4q4PNt``%37_sa*1*my$Z!_nMz623mL zjLYte%_0MmLHuTf0#xLxVcU*x3%57Bx1vq%wR=4vKFe=AE6#VseoIU&U-Z|h!_#zm z(q##|PVqeGjKUm%1*>D!a{j5svw2fh{iG@eo1%c6fEsCv@HCI`x`g-hI$MdMs40_a5QHCL_)`!dP3?WpOJ2+Kau`(}Ex zs*PUDBXGG@wqRr$9cyx$ll8&>t)JCv%1_^q{kEmKiwou4Gt_MbusYt!VKyGb76rUc zz}W6C99hp>tk6!zjt9lepheXhN&>AyNhakYzicMLnA|?^6k{b`Mgh8b!HtN4$L(*$ znHDCq4J;7H9^ZC#QzR-Sb$ks&qiMe1J!~@63#D-Vj9b3WW@exB?kxac>>M2zNVj+am<%+h~H=Wr5NPUa}^8@0Q|T7FqqJ)n3o-P1Y0>UW&MAYo|lAA(4msMzSS4(ZRH?RMM3{E zJXEd6JU4TbNSJ|kAhok@t@hfAdCty{r|#K@VkCd>#!poq?+E9UZh7qgl}}Ww0rl!js9rx1x^G+?%G_98+KfUH;5O|zB!8az=*caAjwR0& z?e!4bimH6zONZ6If^cO)vXB-Xy|_jG^Yl`4%2XRMLAc(M^UZjNp!zw8+{)*G6CuB8 zjqv#{F>$4IB55W^5sCDfQG-4~V#8d(PS>=~t>1VXF6ZeO|vn!PC6XJKsTFjg$3$g!YV)bml)HGpWUM$l@S)#mo|K@_I$c&Q* zfUUB_ej%Z0r>yZ1ob1q{R@e^>{l{beup|KwXRDly#vVwq0M#w}q@vLEk?q){6p%Z9 z*?M$Bg3y%YLD2zn_cWXRY`vRdeZ$FQo+H1Xr+)tzcDk!PMp}hr!jxvAo=1C!=b&hB zY5JSB{Jy`YfM$q&7GnCZ($6L!d5(x-C__4?6vF3b8i1ghOu%6EvHsfWNf@uAISZJ* z3Pl3ONT+$b-&8>XhTJobs$4!dSCixBMI4ArpLS#gL($(-7etJGP4Gz+{$X<`eSAeb z18O3n_j0VpN;CIq1~a?GXg);n^^HPI-^XWhXs3CKyHtw2pPL1Cf-s4qu_y%jF(a2* zXMqA3Wz}#zYIp${#-P7cvrFXrWlm#y+@JqoZay0O=rQHcf2pSBMuV4RRjCEhDyy4m zC)D2}&bg;DM}~?AaRGEa5jhj>m3&ptt}ib zSb#LVr!oZTtvJG&XQ$e&iEnG4jEE6Xw||T*Uru}DxGmlN++xJ^{-y}Q%NzN4d(9hw zLx%+miW;PYf$S=5FZ}i^%1DWL(55(#I!~OdUJ<>f9lzhr_)F!{`{8D5`0cE%_0lp# z@m^ge!H)W2l6fc}5vt>s2gI8X1to|!&1;G>DYXNky|AI{d+0a?`ZBZ&;??V;Gg*Lz(N7}?~ZBmrcwv6euC4t|YTB#CJ;*f^652S?kJLz+K{dLwKvMIK8Zxnf+t+$ZoJRY@0-bJ{JEqy zlSUUoA34*OEo5`4K4t|LRV-8ptPYo(4ZR$pVXR;IayrsV71nLhddd#(!`uyBYFo%% zgac+gH;j<=X{rx{|0(9`;nS>4%r4Q|{Pj(B#=@naK+CubFO0P1qyu;yZU=t>Nm855 zS*O{cuTea{oz1Q{pjmi4s>9q=U~O3=Rb;Gm3xkA(a>6!?2SzTGwSIq=>79wFmA}>D z5HxddJizau#$A&lDE|(T?~YDJ`i?8XNyr9s_}|y$D^!!PWlb>!h0C&!_u+%wZI_w&95$g2w#hx|-Sy 
zMdKk#$+VRStqZz@#6q&nc=EenDY8F;TA~`TaMKxwvfUvrO&(#exwOAqes#z=c<@|^({8bqYsmJL z*xHHc(>DgqV#+JoLlEQu^d7hc^$A}ckUD-j%JtVbGqSl%Syi!MxukxqntV5leA{CT zd<_#I0#4E(*5>jP0cJGdbd~Xk8EFFntbWnw@u5cwuaqn5y-tYa& z$KAyB7A#>ZG&m2eRq)o#ZC&rf^H95!33w_CmUIU?UGhLN25xoWJm6@s#)w(SW`ZF3 zcQSi9ft!G`j6qH^?*jpiEKP^5zh>@#_hGoL61aJ6N#rSdDJR)zZGv`oHCDoKY!x-ULhR~Oa0-luh-4%Wj@d6rvd z38dv7+kZ>ToRXW(e6#xzTd^AYowFyERWL=t^Na#C6%1fJf@6RP?nPLD!uoq*LLFK9 zD-1)F;%#8wT?A`h`cYDTOj-Iw#5{a8{=)LkT_K}`{d9IJgff@?zn*3UoJNMe;4|PA zY`Wrf?K`*Dvr`}L5&&}xz!DY{fW(H;`wjd4`#{*QHuK9w?QI98={~$eI9%!N23q0n zhXqe2X)?qAdJ#_6^toPFeZz3S0aRNAS+DomkDNGte(J1NMo)I^%6S1ulcC>Du{T;% zka4olrzNZ|E-4%#FgCalrCowjJ6;K6l>l6v)5iTDxA6DNX1GD$c}xy z+e}4tqpBN`|7kT5BjmVcqj(Q|6Pc*CTQV0T_#XImf!~PHYw{jWb|yZ>>9m6)m;K-0 zTYn@euv$8RIkE6KWRr9ahx-pbI;F2&3(rz%C9H8=QBV7q)sR4G-Vzg{b_S`dU# z6E5JYW9bDN=NI`DeqJbpltQWGGh&K{f!DERW~};y-OR?{Q1thX5Ki_@^mPMJ`8OAE z2U>zqzrgNy0?E;sOYH4b)`a3R$cJJoozpz7gJv>GN6 zTL#w=*6Ey&&-3_iZh)Ge(D&GW()BhGq`7yHH*To_h}mv~%9Xlr^{j#F>X}kfk4oWL zyx^W?L}W+yd+~0B>A72}pRRygz}Vs|<`FJq;cM#-XI$l$6&e2wh&2 zidbU44Gn2QAJot^{ICVmu?P7X9%T{a3K^7T{(46;gSv;JJ#fvDoBTjhq!&bA!B}gBrPRVs&dJ;qsLlTV|jg~R>!a9_`u=>}I_y)mU z7+6IcG{Z`GH4->m}_tOQ+ z^Lc!L??JUfT0Ti1i0NOdD3vf2g;SUaLN-OeI9@I!`blhl36aK_dH<8`j~6gSl0Rq} zTA$#`=dMnn(zp0oZpWugJ{7Pd=gh3)136s=5sHBoBoJ=iiS8TuY9nVa<>nM%1@}r| z2K~@)`}dP%Al%R3o(Ypw1bT}@zd$@{Pr)KFlAl=?-5z|FwK}Uw=rAj908j&j7gwr$ z{qXV!t;>tm$-;-SJBz${(^A#C^1uu?(%=0f1_P3$p`|O~2ZD zc z6(v*dKmsWPvigh5Uj&U&z`&|)SR2kg%fq*lU|b4CQZ99i6u>!H_6wZ$0OidE2B{)e zraJkk-Tm&v9{rVXla5TF1nLYjX_eMVMDTL)%;}8F+!mxgdku~P=Tj-9${E(XGL)lU z9sqX~#^L6JeV#3>Zodw44~9!%0eciNb2Q!rGTJZJ*_f`zbb&j&tG8*Y*GZ?stM!b* z4xsqWPHG-M$p)f>Q0nzz>Mdq-*GIaPYANB9#ZczJ*Kb1^D}RGjmiiTVys5rjED|&& zT<=Hv^ax%pV8cPgvF=73^*Wu2p8?_(BpyZgCa_WiV(>=e@^wM=`ASk5piRG>6f)w` z;x$Jkf*5&n+H~7+V!gky0jmKzhnSH&s1D!|b;EPgbd<>q!xlJF0@mm{m=GZHH)wxf zf4oZ~IPb3@FU270dqwuP^`_hF-JsF;5N4*5sy!N%wJKTt=ABajwd4GKikFFm=S8U2^O8rpU^* z1bFWPkl$zcCu-GVa~`xlQhdifZ7Wv!M}h>_5{QMthzDE?R@+0Pu}-WPQ*$??Ss25> 
z;-5qY{QVO{ib8rMOW}nwGz6$*j!I~Qgtt0#7wSp-KRwL9ya+lN=OWN^R8G=1(bj-C zVVC5prt9sAA9;m|4VN>!eNaMY*#d5xzVlV#zXZrZ zgbATJv@2*5;Y7t6zPiWI-f(+!X(87AM2>bS_KR}gsX zOn~_KTLBQO18gN=Zo;!u+|5mi+yH55ZpKWB7qbuC(Cq?)mEP!W0Uts zqxeaz)|$W7A$sL#3Y#o9tDrjWP2w(6!8)NI`I*U;p^}S2oOUHKWB?j93`yI)K(M6m zAal`u9&|wb5vGB(GZ`iR#{X1?bG$H&T%eW>aLX)VFfFT!k(X7|_Oh-Nto&bXCOj(d zPa%U28tqJC$~QmWd$~rM3v2O$0E_=6VmTSa8BL)*e($R@uBER4HO88YDt!SIx@#oB z)fH@ja+Tq9#p>?o8EMTu0AZkxt6g-&w-QoC)PB4-wfapmuHdPT_19eNWi0UfRh9y? zsygIVmEjc0#j>Ke<|B{fKak2K4p7gM`=WAr6z&8Q2+z`}r*AgAXaw*BO0B#qZO!_*s@G&&w^)IUimX|<8qdnZQD>o{SfL{GGdH20_99s zz_idMcv2DxgB%cq>R6tooTHlQLj?2`z$ZBYEct{N7m~x{4&nC-P|YwzIfeVV06SdV z`;)!mEZ>6D6k}7K;Gs6sVB?jI_hFJ47FPk*XL&5vnV_{e`#Up$x%&(M$&K&8*)3?9 zUe@=D-V(d^3DC>!(^k&c(j)aVFf@p|zDWpdo4gK1?!Nk{==ro>vBa~Sr})b9wmLaX z@sxOn<_(s$g>jYmX>2!h6Tj}^C!>Z58>q%{?HAv1?EGGbeTX>a1XVgS@4u^e(+_-5ce4UK{r;br-s3WYfM@=^&cl-NkGLOOWn9|k!zFq*D z>(EbH@p*9#+zbL0hdfokiU|GuWFvBh4$v`%zw?8`d28Hqy4ntOXAmS)^3$Ti)>ajY zD}ntgsE`~+7$i97h(u*eJrIU{g8g21;sQs?`@GxWAv)rv1<*Y(yvEka#YzVr#HAur zfg!3QI?tvuqM;?P`bayTR52dtJNTSpJcWj}`sBLzYe0P&xGAv~(NgQ6eB*Z?Lo`}=AiU3-9naUWCGbN42{>isnFI>czW2`tFgXX^k(efhePj~9)Oqi)# znvkG0(xz^pS62lAtXq0s+oq|6zdQk_noTI83{cC|C}K{;8M*&ZO!w^r zKLtN+CYr*r`@wv;f9?qv%g(C@GU4d9$_mS~BnhH@t|_iaC!inl3Kkl6KOWI&xj!)c zJ=)UNjtx=ULwQqvTTmMJz1{|-Ds%Ss_zOq2X1Hc2s@tA^(Q}@7ri&~;*xHs8uji~a z^qK)A*|n9|_U$LjURvE~-Mk(rTMsJ+l$cy540Tkx`#iMeO`l04`K&aTmg%WjCLQg( zDu~m_Vjmhj4t(dU9>hjd<*2$yNH?(4!xg$H_>^_!sga+H_LHt!g7?M|Nl1^YsOCNb zluGXyxe>B_*Q&@!^*aS>V_U3=!4P3XE5_!T_qDB)w(iy3LJ>pgopEJqJX^F~C8||= zjO(c9(94-75&JemaDClhaI7cB?a@&MfmgpYrj$~SR-_190Y2IJ5Q{eF88c#SQWV1L z>A}y(lv30Qf3+XPeIZ_a+=*U518aWnB7bq#A(Z06hj^Io-ew|+yj}M{b(ZFgztN0OyiX}jlHBM7sZz>W%1HwnQCZ` zKGHqU{17aJXZ)%X>GorDfi@BMQv^C;7{wm%Qi+1D%_o%ng1DdvCRw7|XZr>Ox_QmF zI0MIFacJcAE58hx{8o5YT`l{$ECO}}LCa#~r-6~pdx1QPl~lKkzb-x{IPlwTs^TRV zY8RRt{imG2xJ^&;MWgz|)5QX*&`8cP-7?7M2a>bX%#4q*X`-D5jy)T^z>;-OL(4M3k$q|6ZTYQH*|Ch6^a2q*yg`H3RDTiM2>q z=^LbsE(N}AwJ)s363c*Z#B3=9n4U%7t`;~LVBWhPb9rh=LrSz&$_>EtV4lkKIpR@O 
zCn(&s-4;F&m>V-}%zErvm62(!0uqGV(%*fNk!@(o+n(eP#nn8j;Z$EDCq1Uvgx#;| ztvPc%yipivdCCtXgrk34810oby}DG8~@ckEzXa*YDjA=VaI>Dl0k81kV%}Z z0d+rk>hVha5U~YqNTOypVV9!xoSRmN}(a3fNz`FEuW%d%ckBK{wpy0C-4ouP75 zU0n2+DNpQV2NwlJC(7I0N+W>s)pg3NtySo*X)rlvUXB?_4~w7@;{Pn2x-LsQ#k!Q=LAW>F^Ku_je+9p;OK48vA|o{@|ae z<73y&A-!QUdk|L@FlB#GRD0tryYY|~ZNmj{Hp2#ca79IdV>MSR3~=CIHSHEqs}Ssr zZtOk=en9KIm5qna2~;I`9CXr^?SkaMc-{Po#z~?Z{THBEiEqd~pkf%RiYEsm7HB#; znd4dviVw#&`CVsXfYmzWaMOJHcoA@ay-;J)UZmeK|IOLbg3WZ(;n&?GDMq#FLeMx} zg!PGLqy_XvgG!thB^p084iEX>?=S3d6NvCTyIh~LX#z&)jy>-FCQ$X1LcV9Ncl+z> zu=SmDyD^NL+G`u1OPv$&ZD(>hDnp*96VQx7eU&L758C=>{kuqN37lwHt3i2C1{@Oa zpf1k3mknJni)-st@;(WHx;T`<;h@64-^2l#eIbGsI;yRG889bme zB=v-O+QS`GRtwFWji#W*w-2gOx1fHJb#J3_u;^m2NVphufCb+|?3r}K{ac@bPxwgp zK6S>>!Ba1Wvr9)b3>vt~IblyUL-RxH>px~5wUV$j> z0l4n6lXcPK()2~!lvAMmZGjr|0m0kMrLqIaEW%TwOi~PLFxYCUkGH9bJk&QmA%aTw z*c!28=_eAlW!ZPT6sQhyhFYWF*5uch!afci%sah4@5!F!e{l#Jm%9YPcm{@cB+P*# zZ_3e|G88h%v>YtilYz$ag~stPF&Ad@;1G4dH{)EzP!<=205aAxJ~K}HCB^8IsmJ+> zuO4>00bAJ!C`C1jTx@K?^m|7w8PUVckiQB7i|$`Si^vE$pFZBzfNNz>C3U+RUM`^T zFLAb&uk-Yzf2tPh?)nkLwsiJ&##(&cy#r=UPWFjuby3a6qofcFs^Pezny;e?pNjYN z*t!Lyw+|?u%Rny+k0aG~cMc;2loG8#i**H6=tETWp3F=?&U-n6uED@Mc9yWPkIZ}`^v#y7*s~yZes0+Ng)vd&eVn)F3Yk+?K1HD3 zbG|qECtWhgY5sL|+?c7BN|@q#q`-+L^qT>Js71LIlzT9~D?k!q?*d}`a0`$_4-aXT z;NDOPEyjDiatb-afjl;I;1sePUoZr2=Si*WzJEO^oC05`V_rgxjm;XddTa3=?SQXi zi974E%yoaW60D@4N&1r|&?xvdoP?XH?sV3}!kA&0Y*RpK&ui;;-sqxad=g}nvd(fuSK!R^UGmV$|M`*x|Ixap*6RX+SfiF8Z0tFkh@#+I+xf(5 z$YRtJLwN(#4vSn=(fUB^Ud}Ph{@|8bU|SD_y`9K;_ubRGg{O#xU*20QrSM0wD1Gev z-d3vwCOG{vew9~x$gAS5-qCEW<+lO_mPOU|uqU2!6vp(U@0Ws|jAjP6{f;!BTO(zK zULJ#%EleNUGsvjm$hRcol332bp|e`LL=NDndSs1y*XCB~w=+E>-Aa-%{4#8k+(KC| z$Yp{__NrXvniYLFPeeGA_?;Tm`yg}NO%X`-uxO`zGU`KDpoZexSb*%`{1DPy@FIo( zj-ra)_!VfFgAy9Mfl{dEzaew{S3MUcIu@kdrh{-B&vX^6w-&~4UIMbrJTp-`7eO9}ZHFW5Fd4 zL8I2-tLluNYJS|M;zE9Q@}uD1$Od7giWPN`4`-AEvsP~x(XRBgX`y4WvSPegelhkIkTQRFN%o6 zmX}!gt(hBr*2_U_pww7y^~~Tpp*m^&`EU~LOdKfzEH&47JW%|~+kUGjku#6$Z@8C= 
zJmE`d9WR5v6Y*t0nR=bc>zI6jy#)M)6Jg}xtEP%D2jCX?a0+WNa_d=zT=KzKCOrwt z6M!J1A3>m*E3&IMA5b|TDe``@(z5&TkRSM#TX=#yocIHub}hTSxRwuZ`GGF63~V@P z-6w$86q3`C_x`nudib~b$`10+x|KHObFZF(?%Ik{V4YZ=d!q~Tis88y_UP(Z(~T1k zGfP;%FsVKGMT9qZO)~o(6cnSm#2Ig#L1bmYUinbHQ*!0LyJTNkrCaI6iH><04I|^V zf0yL-v05-6X%lZO$jc4*TLbOJPyA7_9}cN1FwpC*x@%A9+qvC}A&5k@YX|m-nv9_ywyrg6k8Ks};Hy&GCH zTXm1CjKl7So+)ryiR4)KC_R!7=g6^J{5869&*{Qw`TMvGF4Q$U0a4+$Sje1{9CU-L zQ47NXYAzoIm-uV2rP=#w9zqL@k6m}t=jcLGV?{cr6!v6AXQ!Wl)nNOh` z;may0YvZp$FLpPesf#{@2BcSC^@Iw(h3z!m-fXQT+4TKDb()<)mD8D-NOQh5xV_M@ zGL3`uWvV5sz^O&34J1^qzs+KJTD7IM)cKezlfO2jWNZC`g>1rcSZ{MitLbW)Su9+P z(-pJ(r~mQy`vK~Y8o5W_(pgf}TFwLB{x?(gykEZicL*Yv+uBi9Y#tq3aFG2l7_>ET zXitm#(Eo!jiiIiFaIy8{LJe*rc1>Zx`goz<^-L@Hb(K#AAYvL$u~0;K1ZHZ&1OHoT z=NZ)0zG!h#>H!2qK{-HZ0tcj5K|!R6v;)$mOAx7v^w6XU(xnr6@4a^{V_vOu-c{BG@zGNnQ{(J9#S?jk}^l!xj^5ckQ7yP*cq&{-oSoECvy++a1 zNr*%D5doii-IHpcBG#NvvFVlgVOXLQkQ=tRR@@aiBJdOLMO0N{uSzoP?cVSk>)B>c zS8hmmY){a_xSas1$g`A8Y>yrYLa_~e^?mXyM!vfZeZ=1X7!@wIeYi5a(G-UIm z#xx5W2Q9v0u>upclClbAw0yE^!w6kJLDU6z=4mY>Md4&5HVj(ez4FTVs!1)r_hOoO z*JBkUZ^yPQ^mMj*V!z4=_4oqF$Mmx;sKTzwi0{n+C=-1PB;93HC0i`jXISO|pxf$E zHlV5%@WR^z9~FmX&h1a4;A&tAfuR^Fc_;6avDjUJnGANO>E~FL@Qt=nUrb(<2!OBu zY+7s#LGGTUB5&u?-t-!E4)ymDk-5vi@zxCDI<95mo7Nc0`r72*@6GtS(3Gub zx*^^8tZ&cW27LqNa>Bc0mZ}`WFW+JyOQGaUq|<9JM_<0OC^hgv%B=tFk26ny)`t94 z?+LrZwq})*YrR|_08wh`%fp*#ijk9l5hW16UO8_b_TiTXkPZ=~p-K%JHo^}?jk3Si zg<6QJez%&W5lZHQ5z5}YuyLjlp>jDCj~p;EhG<~kHD+xYZx697VpUNp@dA>ALDhH_ zijM}-qRGat6S}iyugC4B(tz_itIg7{+c)h3V7`kf8Bm*t*-%7c3Qm${Tpl(^#d97* z;t$uiOd;bLfW7}!+myx}P`LE-kFtPc#GT3da`<>ChrPLjzSO(sY2K>IMOP+T?mjnu9RDzWJy|+{p67dPsK$v9_8Y&A%0E(@UGqXUl?hL;pqVkLF)mYSQ6WYX)-A*SX5}nY$KC1G zZOaO;was-R@3ftzUCk^_2OEXOyP6t`kp=7qt0b)kaT&zBbr_moeMVTsI-fgDy-)nT zW2duR48>SJfxFjkdKU5LL(9t|J|4SwHU;003M#EJ^WVZDIYkK^vL%ff8(bX=aOQ87 zYH-An&slnDV<&^df>OU?>3L`9A!`x0{GeZ3QOc?CwNh9=iOO^2qgckIhokEZI?uHp z^me=q{1|GnF;JnM7{ABFej`^mVFBD_d}MfO>-u=g=O?)tDS=^anBveUu>2u|JJ;So 
zWKP#&;xoESug=J^)@SBrueBF1$*c78#oWY+_jiFksT5o4&Fn%+69gQ&&<_ci98?^dnr1XM`cT7P_@*Hw#T^SOUB%< zgDYglUVP0W`53wgJV}-hh4hoR5X<7FWL|i>boMMK`%X z5Uni@N_^TpP&~!mYiF4yrU`J7y6F>d`J1y)p0pxTwVA{4@;foiBy-L4>7R+?cg48w z9XYGzoCu4R`YYAqNGFROpsC*@IdaYwDHc8R#3sXO2Zr}xvAJ{^Z`!ACc1bz6-P;zI ztNQA;*h(`MK9%++xqy3)YEw(iWz120Q)@d!Y^yNY>ib{;a8DXcY9Y*`XL8$7*qr-4 z${e@H_eK?l+YHR2rj$kiv~?yf`Z=Gt7YW3SZfZ0+r$9BemkI~-RrzpbS_nKCS0 z8yyBb+h{x2A486vEo3+47{rD}k9QufuCE=)K`fD~O%lB7@nuhBsR>7M^qFz;`iCI} zkAqhJ0S$$3B5dJHnozen*D3yMIktT^gJs7j?_|pX_nPHkxo{;;EyYsQi5WLnXwNZ5Og)D&Rc@34&2XEn(%-m zyU91IAs%^v<;06RD5L6sI)L)<9!3%!01In+Khc8X&>_w(_w;EmLex&q91>&SOHt|ln^>Uq) zG;R7F&&5HZZ2LdKvgWL7CC^8`Mw5xrS@E}Vy~yGvCm_0{3<0w2skW@*Ec9A1IaRNl zd}q#^z#htCwZ_=^A7#H5F!$!U|I#ZEZ9Q;j_3LJn4KvjDTN3%36N~(4h-}!!2?Q`` zeu|u3>=Rjep4`a~+kYc{$LjM3@KBO{@jH;)t#Wf+zz3)55F2%5d8+d36TxY$SAtA@)xVn4-{H zq=~yxN|ZVBvYSY$O~Z-&MV9x{CoVVc^X;-}rcjcvvi+V$?88!f8Lm-S>O6Y8&BwUH zDG~*H{RV-4PL+pT(vzw0RT|i1H4=ljb=cMVg=-ie(LyEg&l9!;kkH&E-$mu{ZHX@; zTyIyth%y#>_em8Dd_4g1uIb|l@&c!VdGA?gM|cMKzQ6qmDWsqgwXCWum4gypcKF- z#`4U^(m+v0-zVHJ4Ew;*njBT) z4{Mqm2SV61j`$vSq_n$ZQ~N`#j!1@JwC#=Nf6B`}OvKw5%tL0w^fW(aN32J?J4 z?q{MdP?Pr7REDar*gDvPVf=NWUe9Gbzp|FT=HP*m}O`~wQ~JA+M5Go9Sbk{ zqANMok2@)6|7e~DsBiipIQ%zpW8ss75&3=3p+}gNx{bsLD5^^|p59LcJ&8N(-W2_- zlz}nCv!GKM{=~QOekH>q-}~7i+Ycti#K{)vLjczT^HM=)wH>#uK0WouzVF$?w?|_e z8!;y`Jb#)RL(uu&M`Y)mOk6`rySHUd7GbYPZTBF)xmp-y8>rXBYg3)Lq@C2vtt0?x zmi;CjW!A8OPk4~@dG+qB5L4rXD?jsb`4)SRr>NA*k5{J3N%`}~oNO|eKuVp~al)*p zMi0V7Rg^bhAkr^lCJ2~LDtvXV4khvVbX^wQ&k_x9P5*ehllRaRjHO1c;_LN z_u{ReDexAfG?F!?Hpv#*62B7S-E6#&33D{yBRW3ztseocoDtoOib33F7<+>cYBud< zY+i@Ixeu7mbf;H4H&AUS^T9S}gyY#>QGhKP-N8MaBy%BQL_;({>UWuKinQ=IEXvg| zZ5cii(52X;?bM^Vfys&c^T)^^U}`?Z4^p6%8t(0`cJ;TK$#!)=Gx;isqk@(jZO*?5 z-~hcKaGN4sKir~JUe=(_jGV{4WKzZxxJUdFplG`1 z$Zi^#<(pq-R>5&7k%8xMrLP1V%VNhrg5=D9B8&g`$2e6RfLG0YA%Uc&11xtvs|gZ?FBUB+?$Jh5j$WkE{xhZKPMS*+&ci^CRikVUFpjTobd}(jz z6zJ)U1Boh!#HT~-8sRm|1p86@w=#Qiqd!~=Rz;Y zjxw_lPLUVWE?4Pc8- z_ffGs&?Qjb%=LjIMvdkfEvzxDOIoopO;WZ67i0f->jhBLH`T|j 
zEU0pvGA$O&5zv#P#t`HLa22d45qt!_%b!4!2824P#4rLKCzcIYXZR4D2cQd1pe4CY z17jMjL{Tp3WO;^-(~9AnC^uVOeFzs67(kWZ&&>z*E_L_M)0=sQgHQbt?F{RBJ)XTJ zVn2EraEPMdjy*K*K5p&k&TC?ATyOi6= z3MM=40a=F?mZyi5IUb}I94!yRk?N%+>fLCWrfzel>Z!*=3w_SVrovSzcHYrszrHMBSsy`y>i1~x^SJL357b(Pq2fO@AgneyM zSS?PIxUf$ODc}L!0y&+@3>5D1r6(>*w1;cCn?E&RX0{h;Ffke%Y6#~Ogfj+g*ZlC9 z^!H(EJ%ah%;NvTIFft0+rkctrVBFA4nP`kkj(inyku%gJLA zRKu>ZE##~8K;n$ZMNDOT*bj(R*EM%`0(q7D_HuuBT9za8{JZ|g$&Jku2iKARe=6;N zeUn%ha;4vTmhiGy-bnje+-8IYyab}vB)JLNh`0BF%mg*Cw9f_ahnqzFS3mS$UuTJJ r8lbz8%uYXVU*r<-MyYY5;E2yUn-YA94ZHxKw1<^^q5 literal 0 HcmV?d00001 From 8984d5be6d073fab517119035ad12ec0fd6dec05 Mon Sep 17 00:00:00 2001 From: Madhumita Date: Fri, 4 Nov 2022 13:16:56 +0530 Subject: [PATCH 3/3] docs: #2840 --- docs/admin/fido/logs.md | 71 +++++++++++++++++++++++++++++- docs/admin/fido/vendor-metadata.md | 2 +- 2 files changed, 71 insertions(+), 2 deletions(-) diff --git a/docs/admin/fido/logs.md b/docs/admin/fido/logs.md index 263c941ff16..a58c60ee23e 100644 --- a/docs/admin/fido/logs.md +++ b/docs/admin/fido/logs.md 
@@ -4,4 +4,73 @@ tags: - fido --- -This page will be the landing page for the Janssen Project admin documentation +### Log level and Logging Layout Parameters of Janssen's FIDO2 server: + +| Field named | Example | Description| +|loggingLevel | "INFO" or "TRACE" or "DEBUG" | Logging level for FIDO2 server| +|loggingLayout |"text" or "json" |Contents of logs as plain text or json format| + +#### 1. Read Configuration parameters: + +Use the following command to obtain configuration parameters: + +`/opt/jans/jans-cli/config-cli.py --operation-id get-properties-fido2` + +Response: +``` +{ + "issuer":"https://.jans.io", + "baseEndpoint":"https://my-jans-server.jans.io/jans-fido2/restv1", + "cleanServiceInterval":60, + "cleanServiceBatchChunkSize":10000, + "useLocalCache":true, + "disableJdkLogger":true, + "loggingLevel":"INFO", + "loggingLayout":"text", + "externalLoggerConfiguration":"", + "metricReporterInterval":300, + "metricReporterKeepDataDays":15, + "metricReporterEnabled":true, + "personCustomObjectClassList":[ + "jansCustomPerson", + "jansPerson" + ], + "fido2Configuration":{ + "authenticatorCertsFolder":"/etc/jans/conf/fido2/authenticator_cert", + "mdsCertsFolder":"/etc/jans/conf/fido2/mds/cert", + "mdsTocsFolder":"/etc/jans/conf/fido2/mds/toc", + "serverMetadataFolder":"/etc/jans/conf/fido2/server_metadata", + "requestedCredentialTypes":[ + "RS256", + "ES256" + ], + "requestedParties":[ + { + "name":"https://my-jans-server.jans.io", + "domains":[ + "my-jans-server.jans.io" + ] + } + ], + "userAutoEnrollment":false, + "unfinishedRequestExpiration":180, + "authenticationHistoryExpiration":1296000 + } +} + +``` + + +#### 2. Update `loggingLevel` or `loggingLayout`: + Steps: + A. Create a JSON file say `/tmp/config_values.json` by editing the JSON from Point 1 and + - edit `loggingLevel` to `TRACE` or `DEBUG` or `INFO` + - edit `loggingLayout` to `text` or `json` + + B. 
Use the following command to update the logging level + `/opt/jans/jans-cli/config-cli.py --operation-id post-config-scripts --data /tmp/config_values.json` + + + ### Location of logs in FIDO2 server: + + Logs can be found at `/opt/jans/jetty/jans-fido2/logs` diff --git a/docs/admin/fido/vendor-metadata.md b/docs/admin/fido/vendor-metadata.md index dc35f404f5c..e2d6be86531 100644 --- a/docs/admin/fido/vendor-metadata.md +++ b/docs/admin/fido/vendor-metadata.md @@ -212,7 +212,7 @@ Example of authenticator metadata: Metadata entries for trusted authenticators registered with FIDO Alliance can be found on - https://fidoalliance.org/certification/fido-certified-products/ -![Metadata](../../assets/fido2_metadata.png) +![Metadata](../../../assets/fido2_metadata.png) Draw.io reference for image: ```