new configuration version

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/k8s-nai-6ec6739e824c8e56d9633622.yaml

@@ -0,0 +1,60 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisComponent"
+metadata:
+  name: "nai"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "6ec6739e824c8e56d9633622"
+spec:
+  type: "NevisAuth"
+  replicas: 1
+  version: "8.2405.2"
+  gitInitVersion: "1.3.0"
+  runAsNonRoot: true
+  ports:
+    management: 9000
+    soap: 8991
+  resources:
+    limits:
+      cpu: "2"
+      memory: "2000Mi"
+    requests:
+      cpu: "20m"
+      memory: "1000Mi"
+  livenessProbe:
+    soap:
+      tcpSocket: true
+      periodSeconds: 5
+      timeoutSeconds: 4
+  readinessProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
+  podDisruptionBudget:
+    maxUnavailable: "50%"
+  git:
+    tag: "r-46b3c950256851308e60d2bd8d5de9ae4cc6f50e"
+    dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai"
+    credentials: "git-credentials"
+  keystores:
+  - "nai-default-identity"
+  - "nai-sh4r3d-default-default-signer"
+  truststores:
+  - "nai-default-tls-client-trust"
+  - "nai-default-default-signer-trust"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/k8s-nai-default-default-signer-trust-6ec6739e824c8e56d9633622.yaml

@@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "nai-default-default-signer-trust"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "6ec6739e824c8e56d9633622"
+spec:
+  keystores:
+  - name: "nai-sh4r3d-default-default-signer"
+    namespace: "adn-postit-tknxchng-01-dev"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/k8s-nai-default-identity-6ec6739e824c8e56d9633622.yaml

@@ -0,0 +1,18 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "nai-default-identity"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "6ec6739e824c8e56d9633622"
+spec:
+  cn: "nai"
+  usage: "<reserved for future use>"
+  san:
+    dns:
+    - "nai"
+    - "nai.adn-postit-tknxchng-01-dev"
+    email: []

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/k8s-nai-default-tls-client-trust-6ec6739e824c8e56d9633622.yaml

@@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "nai-default-tls-client-trust"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "6ec6739e824c8e56d9633622"
+spec:
+  keystores:
+  - name: "npi-cossa-realm-identity"
+    namespace: "adn-postit-tknxchng-01-dev"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/k8s-nai-sh4r3d-default-default-signer-6ec6739e824c8e56d9633622.yaml

@@ -0,0 +1,16 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "nai-sh4r3d-default-default-signer"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "6ec6739e824c8e56d9633622"
+spec:
+  cn: "signer"
+  usage: "signer"
+  san:
+    dns: []
+    email: []

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/etc/nevis/nevisauth_default.yml

@@ -0,0 +1,18 @@
+schemaVersion: 1.0
+instance:
+  type: "nevisauth"
+  name: "default"
+  directory: "/var/opt/nevisauth/default"
+  pid: "systemctl show nevisauth@default -p MainPID | cut -d '=' -f2"
+  source:
+    url: "/nevisadmin/#/projects/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/patterns/6ec6739e824c8e56d9633622"
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "6ec6739e824c8e56d9633622"
+    patternClass: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisAuthDeployable"
+  resources:
+    ports:
+    - "0.0.0.0:8991"
+  control:
+    start: "systemctl restart nevisauth@default &"
+    stop: "systemctl stop nevisauth@default"
+    status: "systemctl status nevisauth@default"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/keys/own/tokensigner/cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAesCFFJeJMyjfQq6To7dqRpfc5oDX//oMA0GCSqGSIb3DQEBCwUAMD4x
+CzAJBgNVBAYTAkNIMQ0wCwYDVQQHDARCZXJuMRAwDgYDVQQKDAdBZG5vdnVtMQ4w
+DAYDVQQDDAVjb3NzYTAeFw0yNDExMDcxMzA3NTJaFw0yNTExMDcxMzA3NTJaMD4x
+CzAJBgNVBAYTAkNIMQ0wCwYDVQQHDARCZXJuMRAwDgYDVQQKDAdBZG5vdnVtMQ4w
+DAYDVQQDDAVjb3NzYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOWq
+kbFj7UAPDlzgqua7/ws43sIswHuhA400R3jKkHcvTC/QduDuDWoTeYkiQdv8lo7k
+PVQA7tP//Pe+2O2wS0spNMrlw0Jv0MWeGlN1Jv5PH9TuOnL1nrd6w2OCKClnR7t3
+xWZUEd3t4AtM/69VKNwSvVADt5yU6tifj1vCiE4uPoDkI8TNbT92aL2aDnq+VVRL
+Eki5SpQ6ZGUlZGFGhMMOoA9efnTGqrJBsP3m50SAEUqTUpo1aH6IaJXorf8+zzEE
+zWD4A13b0kvz75A9qh1rReYZgr1sQIfWwzoP76HQwpdEQsjnAteJi1SV7rSK/ekQ
++iuJ9ql2Mjpve8vsWrsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAE4GJgtYJRI3r
+hAWb4ptd6ngPfvW6pNb8Q9do/k0yVmAzckibRVSgmCoTeFnArn56NB2nrZlpnncG
+IYB5uVI7jiEHCTZRXG7JbI/MHiwkq5P+Mf+OlvJWgiWkKFteJS46GBVo6JFVAIbv
+H/UEflHbeTbaSYsoH0Xv54S9IvIuv/IA7KooFRmuzRb10hBBV0EUdrGfdBHmSpQf
+CiSMPOTqu3nzcms4O4DLHnW2kVRyrd/G0Lkg/FUGsN4ZHyYGSC36gUOFqubGy9GV
+HJqM6758pE0Myk7LMFGd8MrlnYTeWgBnRlAmfzMVMWZaAaRGGZ5SwQrZmenVB1ne
+Ix41vfiHmA==
+-----END CERTIFICATE-----

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/keys/own/tokensigner/key.pem

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFKzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU1w+0ZNamq3X91Bur
+d/pQZH7Yq+wCAggAMB0GCWCGSAFlAwQBKgQQ+NvXoFb05UDnOc75yNr/DQSCBNBD
+m3o2GoHnMupzBuc4G7KdllLa2iaP0zkbK5SrJ2QlBWzei3K9PfyWsCSiGDoEL1fG
+X8sjFmWDXiKg8z2KjZ8SAIVliMusz318hIjSkv7MOtcEKZ7uZ3C9e/AHl2CY55O7
+OroDbvQfiexVyKS49vd8lex9DFZQ6nrhK7sQoygDeo469NoCJKu4s1Q657L8aeoQ
+RSYBgtO3tThXIHqrW7FhuYGy8GSi8nI5axGTE7tfo3NqQo4Ap44a9W+vP8NsWUm+
+WAyoErFTWxiuzXDU8LV2ziN4IZLsMZ0dgJjElIY6lAopr9YtjmKV+3IofYcy9BDa
+q1WDfwqBBdoKdbMGLvXs8MBTPWbTinbiLGjNfRehtTdQ6zoVBYdxbPQBbw39vH2q
+k2eLYsWuJmWQHfd3vCEc1B5kAgdAIiPSKvY5wRqb2cg1V/MjQRVZy7wHUBcYVx14
+aXPqOgvkSLXYN3nt+X3PsubU5l/aOM9KCI2gT8j4AtvBjgVWzKglyVe5l0T8FGQ4
+KMykvMwFQ2x6g63GyF+xfIM9XMVo8EJ7XNafz18CJ2s7HZ7Zv6twM2D2+xTaa9iq
+CTcShTPVOLmnLfz6/3I7KKFMKOtm05rZTW7P3dOwcO8symm8qsfz5Kb4FC0H1Kmj
+MAPO3vAhCIkHOsvrQiFP5RiIk2C+Ea1ygmSl5L3VC2eVA7Hy5FCDiZg7qJAWZqCH
+ik/cttmzTKy44x2BvrPIKy5l37uGHFcRG/AgIY8hXo+1LUjeKpjjE9hs6MXSqyZh
+zTkWFOXUkWFeBHrZqR45WO+ByVx7qD55pQmo2YMQ1q7fzM3VCzpO1OD1HAdhGWRu
+3cin9Asj3+0X4SUknf/ZrVPGOdyj5Lj09ymL05hwYsiuAtWX3hH4I4ZYB6miJ3+F
+rOnIPed/exXuCsq/H0+WWLilwDxO7VOamO3ggDKm0LebwTx+N8HQaKVXl7HYh5F8
+Jmpp/bQrFswa42874GaZMJimyQx66SDsPTULjlk+0Ydc2gbWqvIbzBzerxlIm9nR
+vWsx+V4+3Zvoom5Vwuo3P7Su3DAY142pn6cmqn77TSaMapWLK23tk24D7wUt6ROY
+xRPfVuSgQ+u3xxDKmKLfFvdFbVx2YNmd174fQJFvr5cpwpMg/uqvnXdw6YwJugmd
+hGtsodhd3aoX/BjTxkur2Aw4GFpXQYCdeioVFaOIPZDsmOokNcdVw45qC8xRn2Bx
+VcZ24opYyGtnfl5DxOd2tl1dsKKxoVR4nWphHED//08ZfcUWaudeyIMfNJm790s7
+8+0smUkQpd2f1Xc3YNBKwLN+U6hUme9DvSBoF6bQn/LEBGOSrE546W/Refytg907
+SdHN1Qv5uDpFH7iIr44o/uIbwg0S1l/uLGNUR2o+ORt5SXh4fY6spjgCZc+UleUU
+hjiGE8Nqh5fSvpnud7p2KPSUhuKcybQbKmn/mTBbP2GNaL2nHHXGRHO7MXGhZpHB
+njmd8DyE+SOBtQTB+aLYlPGkRTNbFkJdyzc9gMCUJCEQs9CNrj/VGy4ZM41Khi3z
+ZG2hJNjINqaZ5mzDJCdAHuNiwsvdhNqYJVVgPXl3ZkjcBbarZuAzxSih7FlEGDRs
+43vyCSLp33X5o2gLVf9FsFRZgQxwZnJvaWl86OUWeA==
+-----END ENCRYPTED PRIVATE KEY-----

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/keys/own/tokensigner/keypass

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo '09I1B4lsP4+KQB8dB3AeEyU4RawLttIo55+0EWPPh0I='

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/keys/own/tokensigner/keystore.pem

@@ -0,0 +1,50 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFKzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU1w+0ZNamq3X91Bur
+d/pQZH7Yq+wCAggAMB0GCWCGSAFlAwQBKgQQ+NvXoFb05UDnOc75yNr/DQSCBNBD
+m3o2GoHnMupzBuc4G7KdllLa2iaP0zkbK5SrJ2QlBWzei3K9PfyWsCSiGDoEL1fG
+X8sjFmWDXiKg8z2KjZ8SAIVliMusz318hIjSkv7MOtcEKZ7uZ3C9e/AHl2CY55O7
+OroDbvQfiexVyKS49vd8lex9DFZQ6nrhK7sQoygDeo469NoCJKu4s1Q657L8aeoQ
+RSYBgtO3tThXIHqrW7FhuYGy8GSi8nI5axGTE7tfo3NqQo4Ap44a9W+vP8NsWUm+
+WAyoErFTWxiuzXDU8LV2ziN4IZLsMZ0dgJjElIY6lAopr9YtjmKV+3IofYcy9BDa
+q1WDfwqBBdoKdbMGLvXs8MBTPWbTinbiLGjNfRehtTdQ6zoVBYdxbPQBbw39vH2q
+k2eLYsWuJmWQHfd3vCEc1B5kAgdAIiPSKvY5wRqb2cg1V/MjQRVZy7wHUBcYVx14
+aXPqOgvkSLXYN3nt+X3PsubU5l/aOM9KCI2gT8j4AtvBjgVWzKglyVe5l0T8FGQ4
+KMykvMwFQ2x6g63GyF+xfIM9XMVo8EJ7XNafz18CJ2s7HZ7Zv6twM2D2+xTaa9iq
+CTcShTPVOLmnLfz6/3I7KKFMKOtm05rZTW7P3dOwcO8symm8qsfz5Kb4FC0H1Kmj
+MAPO3vAhCIkHOsvrQiFP5RiIk2C+Ea1ygmSl5L3VC2eVA7Hy5FCDiZg7qJAWZqCH
+ik/cttmzTKy44x2BvrPIKy5l37uGHFcRG/AgIY8hXo+1LUjeKpjjE9hs6MXSqyZh
+zTkWFOXUkWFeBHrZqR45WO+ByVx7qD55pQmo2YMQ1q7fzM3VCzpO1OD1HAdhGWRu
+3cin9Asj3+0X4SUknf/ZrVPGOdyj5Lj09ymL05hwYsiuAtWX3hH4I4ZYB6miJ3+F
+rOnIPed/exXuCsq/H0+WWLilwDxO7VOamO3ggDKm0LebwTx+N8HQaKVXl7HYh5F8
+Jmpp/bQrFswa42874GaZMJimyQx66SDsPTULjlk+0Ydc2gbWqvIbzBzerxlIm9nR
+vWsx+V4+3Zvoom5Vwuo3P7Su3DAY142pn6cmqn77TSaMapWLK23tk24D7wUt6ROY
+xRPfVuSgQ+u3xxDKmKLfFvdFbVx2YNmd174fQJFvr5cpwpMg/uqvnXdw6YwJugmd
+hGtsodhd3aoX/BjTxkur2Aw4GFpXQYCdeioVFaOIPZDsmOokNcdVw45qC8xRn2Bx
+VcZ24opYyGtnfl5DxOd2tl1dsKKxoVR4nWphHED//08ZfcUWaudeyIMfNJm790s7
+8+0smUkQpd2f1Xc3YNBKwLN+U6hUme9DvSBoF6bQn/LEBGOSrE546W/Refytg907
+SdHN1Qv5uDpFH7iIr44o/uIbwg0S1l/uLGNUR2o+ORt5SXh4fY6spjgCZc+UleUU
+hjiGE8Nqh5fSvpnud7p2KPSUhuKcybQbKmn/mTBbP2GNaL2nHHXGRHO7MXGhZpHB
+njmd8DyE+SOBtQTB+aLYlPGkRTNbFkJdyzc9gMCUJCEQs9CNrj/VGy4ZM41Khi3z
+ZG2hJNjINqaZ5mzDJCdAHuNiwsvdhNqYJVVgPXl3ZkjcBbarZuAzxSih7FlEGDRs
+43vyCSLp33X5o2gLVf9FsFRZgQxwZnJvaWl86OUWeA==
+-----END ENCRYPTED PRIVATE KEY-----
+
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAesCFFJeJMyjfQq6To7dqRpfc5oDX//oMA0GCSqGSIb3DQEBCwUAMD4x
+CzAJBgNVBAYTAkNIMQ0wCwYDVQQHDARCZXJuMRAwDgYDVQQKDAdBZG5vdnVtMQ4w
+DAYDVQQDDAVjb3NzYTAeFw0yNDExMDcxMzA3NTJaFw0yNTExMDcxMzA3NTJaMD4x
+CzAJBgNVBAYTAkNIMQ0wCwYDVQQHDARCZXJuMRAwDgYDVQQKDAdBZG5vdnVtMQ4w
+DAYDVQQDDAVjb3NzYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOWq
+kbFj7UAPDlzgqua7/ws43sIswHuhA400R3jKkHcvTC/QduDuDWoTeYkiQdv8lo7k
+PVQA7tP//Pe+2O2wS0spNMrlw0Jv0MWeGlN1Jv5PH9TuOnL1nrd6w2OCKClnR7t3
+xWZUEd3t4AtM/69VKNwSvVADt5yU6tifj1vCiE4uPoDkI8TNbT92aL2aDnq+VVRL
+Eki5SpQ6ZGUlZGFGhMMOoA9efnTGqrJBsP3m50SAEUqTUpo1aH6IaJXorf8+zzEE
+zWD4A13b0kvz75A9qh1rReYZgr1sQIfWwzoP76HQwpdEQsjnAteJi1SV7rSK/ekQ
++iuJ9ql2Mjpve8vsWrsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAE4GJgtYJRI3r
+hAWb4ptd6ngPfvW6pNb8Q9do/k0yVmAzckibRVSgmCoTeFnArn56NB2nrZlpnncG
+IYB5uVI7jiEHCTZRXG7JbI/MHiwkq5P+Mf+OlvJWgiWkKFteJS46GBVo6JFVAIbv
+H/UEflHbeTbaSYsoH0Xv54S9IvIuv/IA7KooFRmuzRb10hBBV0EUdrGfdBHmSpQf
+CiSMPOTqu3nzcms4O4DLHnW2kVRyrd/G0Lkg/FUGsN4ZHyYGSC36gUOFqubGy9GV
+HJqM6758pE0Myk7LMFGd8MrlnYTeWgBnRlAmfzMVMWZaAaRGGZ5SwQrZmenVB1ne
+Ix41vfiHmA==
+-----END CERTIFICATE-----

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/keys/trust/tls-swissid/keypass

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/keys/trust/tls-swissid/truststore.pem

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGkzCCBHugAwIBAgIULa4PojoMOF/785XA2QNkLRQYTS4wDQYJKoZIhvcNAQEL
+BQAwUTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UE
+AxMiU3dpc3NTaWduIFJTQSBUTFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2Mjkw
+OTMwNDdaFw0zNjA2MjkwOTMwNDdaMFAxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxT
+d2lzc1NpZ24gQUcxKjAoBgNVBAMTIVN3aXNzU2lnbiBSU0EgVExTIEVWIElDQSAy
+MDIyIC0gMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL61hlRf7Jxo
+0msjavo1pgChwWBDYix5Zd0CnhciVYUCk30Ko6BxFBICoSsZ1gXGqlT20g/AYqYL
+xuKcdNNAJ/LHT6k2zL3UhSpx+eHjeTGQ7id2jC1HKRZ9zA8YXdhtY3oJom7B3ykE
+d/j0KVmHy9tP1A0rt3ntbJLfLIS6uWogx2KfFs8MwtoAZLiGvp49SHly6p450fcz
+payPIWu12PfVQjLg7b9NitlDlYEWiCAL7R3jINw2yMwcdBvq2gy+ZZsiYkSb1m+h
+ABOGxU6SCN6w7GgRWWveSaJBvRokUvIon/wsZK51j8RM4TsoR60Wei8ftSBL75BI
+g9Us8dkBXDa8vqoDVpc9zs6pan5XN8KymNT52j4gEe161eYTtbiME4KdSWtVsA7e
+rdkHsXKJTRIxxdpUkQXxhLXEoyDed/BVgV1yhTeN6YCFX7AiocAi5rPUplc6LV58
+CCUWFMSWEJxOYQUrwWFLNzQMnE969hnvdhuO8ZeqtpwFwX/OLryWoil+jGobRm/1
+OQS9+urcVygrzZ9Dy9Q/OF/oq9NeaijvL2Ncjkj5f6uJzgXkm7PwjnHrL2FWBkhp
+oM/vyT1VAgWNoku3jIyedtyJ9lUECwPIzQuddQYOL8FwhaFmvtHnOLpiy2ctbwir
+gJW+KcsNkpHg0N5stJcPzPvlssmNBHbNAgMBAAGjggFiMIIBXjBcBggrBgEFBQcB
+AQRQME4wTAYIKwYBBQUHMAKGQGh0dHA6Ly9haWEuc3dpc3NzaWduLmNoL2Fpci1h
+ZWZmMzc0ZC0wZjdhLTRjNTUtYTAzNC0xNDQwMjkwY2ZhMzIwEgYDVR0TAQH/BAgw
+BgEB/wIBADAoBgNVHSAEITAfMAcGBWeBDAEBMAgGBgQAj3oBBDAKBghghXQBWQIB
+AzBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vY3JsLnN3aXNzc2lnbi5jaC9jZHAt
+OTY2MWMyOWYtOTEyMS00ZjQ2LWFjZDgtZWFkNGEyMmY3MTYwMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFElS
+3zCGkllfNJwlSCSrwOvRBvLWMB8GA1UdIwQYMBaAFG+OYouTQ7DhQPanw/3xD7gP
+FTilMA0GCSqGSIb3DQEBCwUAA4ICAQBugn943V4fbEbG+Leb4YXTWLLfPIC+mrdc
+H6v1+Iws+XCzoKthaDk0c346mSaXZM9to5xDOWgfEnBYbVioMyI/5EABbg4ARkgp
+dj50FPe9MtLD4kOZFv/8LoRH+WdAfQUsxS1RQincUnYWAxmRNOHLdnbyiQt3sYDl
+6tZzURSMnMUec4stxfLT4VQE1Ew6Phr06CouYOd5ON+mWkFhROz3jx5PTXcECrqQ
+IT27wJ4mzKA6W9p69ZDFi/+FcpN9vCjzksi0w8i62DwtbO8Pj3ZEOL8z6+cwXyT7
+X7Zt96vufj+bsxFo1IXQ6cb2i13qpThSHL4NA1NhUbB/ipMbxNtBJ4fwtcG8SAUs
+jRXgG/RYrXRorG90KU/dcezixY4yKnlIdkkhpV7h8jY2+XS7GbjaKee8pPeAFXgs
+Hzdi+EhZvHOVfshaKL2CAELrYn8Tzo2Zt9zsbif8L7bPJROS3xqzn+GbCFt67/8Y
+jTh84Taa4D49H6V+p01QPkvG7ub7Rw52fm56zY3mabbhbsREOceswsfunxSN/SOE
+pLKVMopuVnRcwVIWmnzH9BlBhIzLqOS4kCYA5E5Irw217j/JTGVWEdMN0ar09nGh
+WA2Eq8aDANjAP1bao/4nmxsFU2zKbTR40Tb7/HKB5jaItYdkz6ppnxQDLTWe7T6+
+nGZwqmYtbQ==
+-----END CERTIFICATE-----

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/LitDict.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accept
+cancel.button.label=Cancel
+continue.button.label=Continue
+deputy.profile.label=(Deputy Profile)
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Never
+policyFailure.dictionary=▪ must not be taken from a dictionary.
+policyFailure.history.History=▪ must be different from previously selected passwords.
+policyFailure.regex.control=▪ cannot contain more than {0} control characters.
+policyFailure.regex.lower=▪ must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=▪ must be at most {0} characters long.
+policyFailure.regex.minLength=▪ must be at least {0} characters long.
+policyFailure.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=▪ must contain at least {0} numeric characters.
+policyFailure.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.dictionary=▪ must not be taken from a dictionary.
+policyInfo.history.History=▪ must be different from previously selected passwords.
+policyInfo.regex.control=▪ cannot contain more than {0} control characters.
+policyInfo.regex.lower=▪ must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=▪ must be at most {0} characters long.
+policyInfo.regex.minLength=▪ must be at least {0} characters long.
+policyInfo.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
+policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/LitDict_de.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Akzeptieren
+cancel.button.label=Abbrechen
+continue.button.label=Weiter
+deputy.profile.label=(Profil Stellvertreter)
+error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
+error_1=Bitte überprüfen Sie Ihre Eingabe.
+error_10=Bitte wählen Sie den gewünschten Benutzer.
+error_100=Zertifikat-Upload nicht möglich. Zertifikat bereits vorhanden. Bitte kontaktieren Sie Ihren Helpdesk.
+error_101=Die angegebene E-Mail Adresse ist ungültig.
+error_11=Bitte verwenden Sie ein anderes Zertifikat oder ein alternatives Authentisierungsmittel.
+error_2=Bitte wählen Sie einen anderen Login-Namen. 
+error_3=Falls Ihr nächster Login fehlschlägt, wird Ihr Konto gesperrt.
+error_4=Ihr neues Passwort wurde nicht akzeptiert. Bitte wählen Sie eines, das den Passwortvorgaben entspricht.
+error_5=Die Eingabe zur Bestätigung des Passwortes ist falsch.
+error_50=Das neue Passwort ist zu kurz.
+error_55=Das neue Passwort muss sich von alten Passwörtern unterscheiden.
+error_6=Passwortwechsel erforderlich.
+error_7=Wechsel der Login-ID erforderlich.
+error_8=Ihr Konto wurde infolge wiederholt fehlgeschlagener Authentisierung gesperrt.
+error_81=Keine Rasterkarte gefunden, Zugang vom Internet verweigert.
+error_83=Ihre Rasterkarte ist aufgebraucht. Bitte kontaktieren Sie Ihren Berater, um eine neue zu erhalten.
+error_9=Die SSO-Session konnte nicht übernommen werden.
+error_97=Sie verfügen nicht über die für den Zugriff auf diese Ressource benötigte Berechtigung.
+error_98=Ihr Konto ist gesperrt.
+error_99=Systemfehler. Bitte versuchen Sie es später.
+info.logout.confirmation=Bitte bestätigen Sie, dass Sie sich abmelden möchten.
+info.logout.reminder=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+info.oauth.consent=Wollen Sie der Anwendung den Zugriff erlauben?
+info.timeout.page=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+login.button.label=Login
+logout.label=Logout
+logout.text=Sie haben sich erfolgreich abgemeldet.
+method.certificate.label=Zertifikat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN-Code
+method.oath.label=OATH Authenticator-App
+method.otp.label=OTP (One-Time Passwort)
+method.recovery.label=Wiederherstellungscodes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Nie
+policyFailure.dictionary=▪ darf nicht aus einem Wörterbuch stammen.
+policyFailure.history.History=▪ muss sich von vorhergehenden Passwörtern unterscheiden.
+policyFailure.regex.control=▪ darf höchstens {0} Kontrollzeichen enthalten.
+policyFailure.regex.lower=▪ muss {0} Kleinbuchstaben enthalten.
+policyFailure.regex.maxCharacterRepetitions=▪ darf nicht eine Sequenz länger als {0} des gleichen Zeichens enthalten.
+policyFailure.regex.maxLength=Länge des Passwortes darf höchstens {0} sein.
+policyFailure.regex.minLength=Länge des Passwortes muss mindestens {0} sein.
+policyFailure.regex.nonAlnum=▪ muss {0} nicht-alphanumerische Zeichen enthalten.
+policyFailure.regex.nonAscii=▪ darf höchstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyFailure.regex.nonGraph=▪ darf höchstens {0} nicht-druckende Zeichen enthalten.
+policyFailure.regex.nonLetter=▪ muss {0} Zeichen enthalten, die keine Buchstaben sind.
+policyFailure.regex.numeric=▪ muss {0} numerische Zeichen enthalten.
+policyFailure.regex.upper=▪ muss {0} Grossbuchstaben enthalten.
+policyInfo.dictionary=▪ darf nicht aus einem Wörterbuch stammen.
+policyInfo.history.History=▪ darf keines der zuletzt verwendeten Passwörtern sein.
+policyInfo.regex.control=▪ darf höchstens {0} Kontrollzeichen enthalten.
+policyInfo.regex.lower=▪ muss mindestens {0} Kleinbuchstaben enthalten.
+policyInfo.regex.maxCharacterRepetitions=▪ darf nicht eine Sequenz länger als {0} des gleichen Zeichens enthalten.
+policyInfo.regex.maxLength=▪ darf höchstens {0} Zeichen enthalten.
+policyInfo.regex.minLength=▪ muss mindestens {0} Zeichen enthalten.
+policyInfo.regex.nonAlnum=▪ muss mindestens {0} Zeichen enthalten, die nicht Alphanumerisch sind.
+policyInfo.regex.nonAscii=▪ darf höchstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyInfo.regex.nonGraph=▪ darf höchstens {0} nicht-druckende Zeichen enthalten.
+policyInfo.regex.nonLetter=▪ muss mindestens {0} Zeichen enthalten, die keine Buchstaben sind.
+policyInfo.regex.numeric=▪ muss mindestens {0} numerische Zeichen enthalten.
+policyInfo.regex.upper=▪ muss mindestens {0} Grossbuchstaben enthalten.
+policyInfo.title=Das Passwort muss den folgenden Passwort-Richtlinien entsprechen:
+reject.button.label=Ablehnen
+submit.button.label=Senden
+tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorisierung
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/LitDict_en.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accept
+cancel.button.label=Cancel
+continue.button.label=Continue
+deputy.profile.label=(Deputy Profile)
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Never
+policyFailure.dictionary=▪ must not be taken from a dictionary.
+policyFailure.history.History=▪ must be different from previously selected passwords.
+policyFailure.regex.control=▪ cannot contain more than {0} control characters.
+policyFailure.regex.lower=▪ must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=▪ must be at most {0} characters long.
+policyFailure.regex.minLength=▪ must be at least {0} characters long.
+policyFailure.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=▪ must contain at least {0} numeric characters.
+policyFailure.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.dictionary=▪ must not be taken from a dictionary.
+policyInfo.history.History=▪ must be different from previously selected passwords.
+policyInfo.regex.control=▪ cannot contain more than {0} control characters.
+policyInfo.regex.lower=▪ must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=▪ must be at most {0} characters long.
+policyInfo.regex.minLength=▪ must be at least {0} characters long.
+policyInfo.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
+policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/LitDict_fr.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accepter
+cancel.button.label=Abandonner
+continue.button.label=Continuer
+deputy.profile.label=(Profil du suppléant)
+error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
+error_1=Veuillez vérifier vos données, s.v.p.
+error_10=Choisissez votre compte.
+error_100=Téléchargement du certificat pas possible. Certificat existe déjà. Veuillez contacter le helpdesk s.v.p.
+error_101=L'adresse e-mail é n'est pas valide.
+error_11=Choisissez un autre certificat, s.v.p.
+error_2=Choisissez un autre nom, s.v.p.
+error_3=Si l'authentification ne réussit pas au prochain essai, votre compte sera bloqué.
+error_4=Votre nouveau mot de passe ne conforme pas aux mesures de sécurité
+error_5=Votre confirmation du mot de passe ne correspond pas au mot de passe donné.
+error_50=Le nouveau mot de passe est trop court.
+error_55=Le nouveau mot de passe doit différer de l'ancien.
+error_6=Veuillez changer votre mot de passe, s.v.p.
+error_7=Veuillez changer votre login ID, s.v.p.
+error_8=Votre compte n'est pas active.
+error_81=Pas d'access card trouvé, l'accès par l'internet est refusé.
+error_83=Votre access card n'est plus valable, veuillez contacter votre gestionnaire.
+error_9=Il n'est pas possible de transmettre la session.
+error_97=Vous n'avez pas les autorisations nécessaires pour accéder à cette ressource.
+error_98=Votre compte a été bloqué.
+error_99=Problème technique. Veuillez essayer plus tard, s.v.p.
+info.logout.confirmation=Veuillez confirmer que vous souhaitez vous déconnecter.
+info.logout.reminder=Votre session sur cette application a expirée. Essayez encore avec un login.
+info.oauth.consent=Voulez-vous autoriser l'application?
+info.timeout.page=Votre session sur cette application a expirée. Essayez encore avec un login.
+login.button.label=Login
+logout.label=Logout
+logout.text=Au revoir
+method.certificate.label=Certificat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Code mTAN
+method.oath.label=Application d'authentification OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codes de récupération
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Jamais
+policyFailure.dictionary=▪ ne peut pas être pris d'un dictionnaire.
+policyFailure.history.History=▪ doit être différent des mots de passe préalablement sélectionnés.
+policyFailure.regex.control=▪ ne peut contenir plus de {0} caractères de commande.
+policyFailure.regex.lower=▪ doit contenir au moins {0} caractère(s) minuscule(s).
+policyFailure.regex.maxCharacterRepetitions=▪ ne peut contenir une séquence de plus de {0} du même caractère.
+policyFailure.regex.maxLength=La longueur doit être d'au plus {0}.
+policyFailure.regex.minLength=La longueur doit être d'au moins {0}.
+policyFailure.regex.nonAlnum=▪ doit contenir au moins  {0} caractères non alphanumériques.
+policyFailure.regex.nonAscii=▪ ne peut contenir plus de {0} caractères non ASCII ({1}).
+policyFailure.regex.nonGraph=▪ ne peut contenir plus de {0} caractères non imprimables ({1}).
+policyFailure.regex.nonLetter=▪ doit contenir au moins {0} caractères qui ne sont pas des lettres.
+policyFailure.regex.numeric=▪ doit comprendre {0} caractères numériques.
+policyFailure.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
+policyInfo.dictionary=▪ ne peut pas être pris d'un dictionnaire.
+policyInfo.history.History=▪ ne peut pas être l' précédemment choisis.
+policyInfo.regex.control=▪ ne peut contenir plus de {0} caractères de commande.
+policyInfo.regex.lower=▪ doit contenir au moins {0} caractère(s) minuscule(s).
+policyInfo.regex.maxCharacterRepetitions=▪ ne peut contenir une séquence de plus de {0} du même caractère.
+policyInfo.regex.maxLength=▪ la longueur doit être d'au plus {0}.
+policyInfo.regex.minLength=▪ la longueur doit être d'au moins {0}.
+policyInfo.regex.nonAlnum=▪ doit contenir au moins  {0} caractères non alphanumériques.
+policyInfo.regex.nonAscii=▪ ne peut contenir plus de {0} caractères non ASCII.
+policyInfo.regex.nonGraph=▪ ne peut contenir plus de {0} caractères non imprimables.
+policyInfo.regex.nonLetter=▪ doit contenir au moins {0} caractères qui ne sont pas des lettres.
+policyInfo.regex.numeric=▪ doit comprendre au minimum {0} caractères numériques.
+policyInfo.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
+policyInfo.title=Le mot de passe doit respecter les règles suivantes:
+reject.button.label=Refuser
+submit.button.label=Envoyer
+tan.sent=Veuillez saisir le code de sécurité que vous avez reçu au votre téléphone mobile.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorisation du client
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/LitDict_it.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accettare
+cancel.button.label=Abortire
+continue.button.label=Continua
+deputy.profile.label=(profilo del delegato)
+error.saml.failed=Chiudi il browser e riprova.
+error_1=Verificare i dati immessi.
+error_10=Per favore selezionare il conto utente corretto.
+error_100=Impossibile caricare il certificato. Questo certificato esiste già. La preghiamo di contattare il Suo help desk.
+error_101=L'indirizzo e-mail inserito non è valido.
+error_11=Scegliere un altro certificato.
+error_2=Per favore scegliere un altro nome.
+error_3=Il conto verrà bloccato se il prossimo login non andrà a buon fine.
+error_4=La nuova password non è stata accettata. Scegliere una password che sia conforme ai criteri di password.
+error_5=La conferma della password è errata.
+error_50=La nuova password è troppo corta.
+error_55=La nuova password deve essere diversa dalla vecchia.
+error_6=È necessario modificare la password.
+error_7=Set up inizale dell'account per il portale necessario.
+error_8=L'account è stato bloccato. Rivolgersi al servizio assistenza oppure provare con un altro strumento di autenticazione.
+error_81=Nessuna carta di accesso trovata, accesso da internet rifiutato.
+error_83=La sua carta di accesso non è più valida. Per favore contatti il suo assistente per ricevere una nuova carta di accesso.
+error_9=La sessione non può essere ripresa.
+error_97=Non si dispone delle autorizzazioni necessarie per accedere a questa risorsa.
+error_98=L'account è stato bloccato.
+error_99=Errore di sistema. Riprovare.
+info.logout.confirmation=Si prega di confermare che si desidera disconnettersi.
+info.logout.reminder=La sessione su questa applicazione è scaduta. Prova ancora con un login.
+info.oauth.consent=Vuoi consentire all'applicazione?
+info.timeout.page=La sessione su questa applicazione è scaduta. Prova ancora con un login.
+login.button.label=Login
+logout.label=Logout
+logout.text=È uscito con successo.
+method.certificate.label=Certificato
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Codice mTAN
+method.oath.label=App di autenticazione OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codici di ripristino
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Mai
+policyFailure.dictionary=▪ non può essere presa da un dizionario.
+policyFailure.history.History=▪ deve essere diversa da password precedenti.
+policyFailure.regex.control=▪ non può contenere più di {0} caratteri di controllo.
+policyFailure.regex.lower=▪ deve conenere almeno {0} caratteri minuscoli.
+policyFailure.regex.maxCharacterRepetitions=▪ non può contentere una sequenza più lunga di {0} caratteri uguali.
+policyFailure.regex.maxLength=▪ deve contenere al massimo {0} caratteri.
+policyFailure.regex.minLength=▪ deve contenere almeno {0} caratteri.
+policyFailure.regex.nonAlnum=▪ deve conenere almeno {0} caratteri non alfanumerici.
+policyFailure.regex.nonAscii=▪ non può contenere più di {0} caratteri non ASCII.
+policyFailure.regex.nonGraph=▪ non può contenere più di {0} caratteri non stampabili.
+policyFailure.regex.nonLetter=▪ non può contenere più di {0} numeri o caratteri speciali.
+policyFailure.regex.numeric=▪ deve contenere {0} caratteri numerici.
+policyFailure.regex.upper=▪ deve conenere almeno {0} caratteri maiuscoli.
+policyInfo.dictionary=▪ non può essere presa da un dizionario.
+policyInfo.history.History=▪ deve essere diversa dalle password precedenti.
+policyInfo.regex.control=▪ non può contenere più di {0} carattere/i di controllo.
+policyInfo.regex.lower=▪ deve conenere almeno {0} carattere/i minuscolo/i.
+policyInfo.regex.maxCharacterRepetitions=▪ non può contentere una sequenza più lunga di {0} caratteri uguali.
+policyInfo.regex.maxLength=▪ deve contenere al massimo {0} carattere/i.
+policyInfo.regex.minLength=▪ deve contenere almeno {0} carattere/i.
+policyInfo.regex.nonAlnum=▪ deve conenere almeno {0} carattere/i non alfanumerico/i.
+policyInfo.regex.nonAscii=▪ non può contenere più di {0} carattere/i non ASCII.
+policyInfo.regex.nonGraph=▪ non può contenere più di {0} carattere/i non stampabile/i.
+policyInfo.regex.nonLetter=▪ non può contenere più di {0} numero/i o caratere/i speciale/i.
+policyInfo.regex.numeric=▪ deve contenere un minimo di {0} carattere/i numerico/i.
+policyInfo.regex.upper=▪ deve conenere almeno {0} carattere/i maiuscolo/i.
+policyInfo.title=La password deve rispettare le seguenti direttive:
+reject.button.label=Rifiuti
+submit.button.label=Continua
+tan.sent=Inserisci il codice di sicurezza che è stato inviato al tuo telefono cellulare.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorizzazione del client
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/bc.properties

@@ -0,0 +1 @@
+bc.tracer.TraceIndentFactory=ch.nevis.bc.io.Log4jTraceIndentFactory

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/env.conf

@@ -0,0 +1,19 @@
+RTENV_SECURITY_CHECK=no_shell
+
+JAVA_OPTS=(
+    "-XX:+UseContainerSupport"
+    "-Dfile.encoding=UTF-8"
+    "-XX:MaxRAMPercentage=80.0"
+    "-Djava.net.preferIPv4Stack=true"
+    "-Djava.net.connectionTimeout=10000"
+    "-Djava.net.readTimeout=15000"
+    "-Dch.nevis.esauth.config=/var/opt/nevisauth/default/conf/esauth4.xml"
+    "-Djava.awt.headless=true"
+    "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
+    "-Dotel.javaagent.logging=application"
+    "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
+    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/tls-swissid/truststore.p12"
+    "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/tls-swissid/keypass}"
+)
+

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/esauth4.security

@@ -0,0 +1,2 @@
+# this file is generated by nevisAdmin 4
+security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/esauth4.xml

@@ -0,0 +1,338 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE esauth-server SYSTEM "/opt/nevisauth/dtd/esauth4.dtd">
+<esauth-server instance="nai">
+    <!-- source: pattern://6ec6739e824c8e56d9633622, pattern://b67f81a971e4c08aa79040a2 -->
+    <SessionCoordinator sessionInitialInactivityTimeout="600" sessionInactivityTimeout="28800" sessionMaxLifetime="28800" sessionIdPreGenerate="true">
+        <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+        <LocalSessionStore maxSessions="100000"/>
+        <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+        <TokenAssembler name="DefaultTokenAssembler">
+            <Selector default="true"/>
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <TokenSpec ttl="28800">
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.sessid" as="sessid"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.userid" as="userid"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.authlevel" as="authLevel"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.esauthid" as="esauthid"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.entryid" as="entryid"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.loginid" as="loginId"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.domain" as="domain"/>
+                <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+                <field src="session" key="ch.nevis.session.secroles" as="roles"/>
+            </TokenSpec>
+            <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+            <Signer key="DefaultSigner"/>
+        </TokenAssembler>
+        <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+        <KeyStore name="DefaultKeyStore">
+            <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+            <KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/nai-sh4r3d-default-default-signer/cert.pem" privateKey="/var/opt/keys/own/nai-sh4r3d-default-default-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/nai-sh4r3d-default-default-signer/keypass"/>
+            <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/nai-default-default-signer-trust/truststore.jks"/>
+        </KeyStore>
+        <!-- source: pattern://d9ea344685ab4a9bb0e1e3e7 -->
+        <KeyStore name="JwtToken">
+            <!-- source: pattern://d9ea344685ab4a9bb0e1e3e7 -->
+            <KeyObject name="tokensigner" certificate="/var/opt/keys/own/tokensigner/cert.pem" privateKey="/var/opt/keys/own/tokensigner/keystore.jks" passPhrase="pipe:///var/opt/keys/own/tokensigner/keypass"/>
+        </KeyStore>
+    </SessionCoordinator>
+    <!-- source: pattern://6ec6739e824c8e56d9633622 -->
+    <LocalOutOfContextDataStore reaperPeriod="60"/>
+    <!-- source: pattern://6ec6739e824c8e56d9633622, pattern://b67f81a971e4c08aa79040a2 -->
+    <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin" propagateSession="false">
+        <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+        <Domain name="cossa_realm" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
+            <Entry method="authenticate" state="cossa_realm_TokenExchangeEndpoint"/>
+            <Entry method="authenticate" state="cossa_realm_TokenExchangeEndpoint" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
+            <Entry method="logout" state="cossa_realm_AuthorizationServer"/>
+            <Entry method="logout" state="cossa_realm_AuthorizationServer" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
+            <Entry method="stepup" state="cossa_realm_Selector"/>
+            <Entry method="stepup" state="cossa_realm_TokenExchangeEndpoint" selector="${request:currentResource:^http[s]?\u003A//[^/]+/token/.*$:true}"/>
+        </Domain>
+        <AuthState name="cossa_realm_TokenExchangeEndpoint" class="ch.adnovum.cossa.TokenExchangeEndpoint" authLevel="auth.weak" final="false" resumeState="true">
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="failed" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="invalid_client" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="invalid_grant" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="invalid_request" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="invalid_scope" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="ok" next="cossa_realm_IdTokenVerification"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="refresh_token" next="cossa_realm_RewriteRequestForAuthorizationServerAuthstate"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="unauthorized_client" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <ResultCond name="unsupported_grant_type" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://89578db79d2bc15d55e11141 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://89578db79d2bc15d55e11141 -->
+                <Gui name="Default"/>
+            </Response>
+            <propertyRef name="cossa_realm_AuthorizationServer"/>
+        </AuthState>
+        <AuthState name="cossa_realm_auth_failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
+            <!-- source: pattern://72e29eb80a951e518ce123e4 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://72e29eb80a951e518ce123e4 -->
+                <Gui name="Error">
+                    <!-- source: pattern://72e29eb80a951e518ce123e4 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://72e29eb80a951e518ce123e4 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="cossa_realm_IdTokenVerification" class="ch.adnovum.cossa.IdTokenVerification" final="false" resumeState="false">
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <ResultCond name="failed" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <ResultCond name="invalid_grant" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <ResultCond name="ok" next="cossa_realm_klpscope"/>
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+                <Gui name="Default"/>
+            </Response>
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <property name="well_known_url" value="https://login.sandbox.pre.swissid.ch/idp/oauth2/.well-known/openid-configuration"/>
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <property name="httpclient.tls.trustAll" value="true"/>
+            <!-- source: pattern://a976546c6a56dc04c0d34592 -->
+            <property name="use_caching" value="true"/>
+        </AuthState>
+        <AuthState name="cossa_realm_RewriteRequestForAuthorizationServerAuthstate" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
+            <!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
+            <ResultCond name="ok" next="cossa_realm_AuthorizationServer"/>
+            <!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
+            <property name="inargs:grant_type" value="refresh_token"/>
+            <!-- source: pattern://b6cbd53b8eee023b6d65f62d -->
+            <property name="inargs:refresh_token" value="${inargs:subject_token}"/>
+        </AuthState>
+        <AuthState name="cossa_realm_AuthorizationServer" class="ch.nevis.esauth.auth.states.oauth2.AuthorizationServer" final="false" resumeState="true">
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="authenticate:valid-authorization-request" next="cossa_realm_simulatelogin"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-authorization-request" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-client" next="cossa_realm_JwtToken"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-redirect-uri" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="invalid-token-request" next="cossa_realm_auth_failed"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <ResultCond name="stepup:valid-authorization-request" next="cossa_realm_simulatelogin"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="keystoreref" value="JwtToken"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="jwt.bearer.aud" value="testaudience"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="keyobjectref" value="tokensigner"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="keyID" value="tokensigner"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="openid.idTokenLifetime" value="600"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="authCodeLifetime" value="60"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="propagationScope" value="session"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="dataSource" value="nevisMeta"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="nevismeta.location" value="https://hans.agov-d.azure.adnovum.net/nevismeta/rest/modules/oauthv2/setups/Setup_00000000000000000000000000000000/entities/"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="openid.support" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="openid.issuerId" value="https://cossa.agov-w.azure.adnovum.net"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.openid.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.offline_access.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.address.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.profile.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.email.clientCredentialsFlowPolicy" value="true"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone" value=""/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.authorizationCodeFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.refreshTokenRequestPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.implicitFlowPolicy" value="NO_CONSENT_REQUIRED"/>
+            <!-- source: pattern://e02a36447ce2d3c66d8d81c0 -->
+            <property name="scope.phone.clientCredentialsFlowPolicy" value="true"/>
+        </AuthState>
+        <AuthState name="cossa_realm_klpscope" class="ch.adnovum.cossa.KLPScopeToProfileBinding" final="false" resumeState="true">
+            <!-- source: pattern://9c293034211ea47bd3e9c12b -->
+            <ResultCond name="default" next="cossa_realm_CallPolicyVerificationAPI"/>
+            <!-- source: pattern://9c293034211ea47bd3e9c12b -->
+            <Response value="AUTH_CONTINUE"/>
+            <!-- source: pattern://9c293034211ea47bd3e9c12b -->
+            <property name="prioritiesSource" value="klp-profiles.conf"/>
+            <!-- source: pattern://9c293034211ea47bd3e9c12b -->
+            <property name="profileExpression" value="oauth2.scope.${notes:scope}.metadata.klp_profile"/>
+        </AuthState>
+        <AuthState name="cossa_realm_simulatelogin" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false">
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <property name="request:UserId" value="39c985c5-a1e8-4c64-8c34-aeac0cd82109"/>
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <property name="roles:add" value="1"/>
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <property name="session:ch.adnovum.nevisidm.clientId" value="100"/>
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <property name="session:ch.adnovum.nevisidm.profileId" value="a6d8860a-26b7-420c-8c3d-1f531d9fd968"/>
+            <!-- source: pattern://680c047dd9a5220fae3c9c3e -->
+            <property name="session:ch.nevis.session.loginid" value="meta.admin@adnovum.ch"/>
+        </AuthState>
+        <AuthState name="cossa_realm_JwtToken" class="ch.nevis.esauth.auth.states.jwt.JWTToken" final="false" resumeState="true">
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <property name="out.audience" value="https://www.adnovum.ch"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <property name="out.issuer" value="https://my.nevis.server"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <property name="out.time_to_live" value="86400"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <property name="token.algorithm" value="RS256"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <property name="keystoreref" value="JwtToken"/>
+            <!-- source: pattern://a1e5d0192e082e689465a0c9 -->
+            <property name="keyobjectref" value="tokensigner"/>
+        </AuthState>
+        <AuthState name="cossa_realm_CallPolicyVerificationAPI" class="ch.adnovum.cossa.CallPolicyVerificationAPI" final="false" resumeState="false">
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <ResultCond name="multiple_profiles" next="cossa_realm_Authentication_Failed"/>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <ResultCond name="no_valid_profile" next="cossa_realm_Authentication_Failed"/>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <ResultCond name="ok" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <Response value="AUTH_CONTINUE">
+                <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+                <Gui name="Default"/>
+            </Response>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <property name="evaluatePoliciesForAllProfiles" value="false"/>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <property name="klpURL" value="https://klp.agov-w.azure.adnovum.net/api/endpoint"/>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <property name="basicAuthUsername" value="testbasicauth"/>
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <property name="basicAuthPassword" value="testtesttest"/>
+        </AuthState>
+        <AuthState name="cossa_realm_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <ResultCond name="default" next="cossa_realm_Auth_Done"/>
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
+        <AuthState name="cossa_realm_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false">
+            <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+                <Gui name="Error">
+                    <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://5daa6d4f525b11a4e9b0ea79 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="cossa_realm_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
+        <AuthState name="cossa_realm_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <ResultCond name="nomatch" next="cossa_realm_Prepare_Done"/>
+            <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://b67f81a971e4c08aa79040a2 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+        </AuthState>
+    </AuthEngine>
+    <!-- source: pattern://b0fedec4607e1e69103b8497 -->
+    <RESTService name="rest" class="ch.nevis.esauth.rest.service.tokenintrospection.TokenIntrospectionService" path="/oauth/introspect2/">
+        <!-- source: pattern://b0fedec4607e1e69103b8497 -->
+        <property name="authstates" value="cossa_realm_AuthorizationServer"/>
+    </RESTService>
+</esauth-server>

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/klp-profiles.conf

@@ -0,0 +1,25 @@
+suisseid_auth_address_verified
+suisseid_auth_address_required
+suisseid_auth_mobile_verified
+suisseid_auth_mobile_required
+suisseid_auth_phone_required
+suisseid_auth
+password_auth_address_verified
+password_auth_address_required
+password_auth_mobile_verified
+password_auth_mobile_required
+password_auth_phone_required
+password_auth
+email_auth_address_verified
+email_auth_address_required
+email_auth_mobile_verified
+email_auth_mobile_required
+email_auth_phone_required
+email_auth
+autologin_auth_address_verified
+autologin_auth_address_required
+autologin_auth_mobile_verified
+autologin_auth_mobile_required
+autologin_auth_phone_required
+autologin_auth
+default

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/logging.yml

@@ -0,0 +1,57 @@
+Configuration:
+  monitorInterval: 60
+  Appenders:
+    Console:
+    - name: "SERVER"
+      target: "SYSTEM_OUT"
+      PatternLayout:
+        pattern: "[esauth4sv.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-20.20c %-5.5p %m%n"
+      RegexFilter:
+        regex: ".*GET /nevisauth/liveness.*"
+        onMatch: "DENY"
+        onMismatch: "ACCEPT"
+  Loggers:
+    Logger:
+    - name: "EsAuthStart"
+      level: "INFO"
+    - name: "org.apache.catalina.loader.WebappClassLoader"
+      level: "FATAL"
+    - name: "org.apache.catalina.startup.HostConfig"
+      level: "ERROR"
+    - name: "ch.nevis.esauth.events"
+      level: "FATAL"
+    - name: "AuthEngine"
+      level: "INFO"
+    - name: "HttpClient"
+      level: "TRACE"
+    - name: "OAuth2"
+      level: "DEBUG"
+    - name: "StdStates"
+      level: "DEBUG"
+    - name: "Vars"
+      level: "INFO"
+    - name: "ch.adnovum.cossa.CachingIDTokenVerifier"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.CallPolicyVerificationAPI"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.IDTokenVerifier"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.IdTokenVerification"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.KLPScopeToProfileBinding"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.SimpleIDTokenValidator"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.SimpleIDTokenVerifier"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.TokenExchangeEndpoint"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.TokenExchangeEndpointRefresh"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.TokenGenerator"
+      level: "DEBUG"
+    Root:
+      level: "WARN"
+      additivity: "false"
+      AppenderRef:
+      - ref: "SERVER"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/nevisauth.yml

@@ -0,0 +1,16 @@
+server:
+  name: "default"
+  protocol: "https"
+  port: "8991"
+  host: "0.0.0.0"
+  tls:
+    keystore: "/var/opt/keys/own/nai-default-identity/keystore.p12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/nai-default-identity/keypass}"
+    client-auth: "required"
+    truststore: "/var/opt/keys/trust/nai-default-tls-client-trust/truststore.p12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/nai-default-tls-client-trust/keypass}"
+management:
+  server:
+    port: "9000"
+  healthchecks:
+    enabled: "true"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/otel.properties

@@ -0,0 +1,4 @@
+otel.service.name = nai
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/conf/prepare_done.groovy

@@ -0,0 +1,23 @@
+// nevisProxy replaces the entire AUTH: scope when new outargs are returned by nevisAuth.
+// Thus, we have to store tokens in the session (as a String) and restore them on subsequent step-ups.
+
+// restore tokens
+session.each { key, value ->
+    if (key.startsWith('outarg.token.')) {
+        def name = key.substring(7)
+        if (outargs.containsKey(name)) {
+            LOG.debug("not restoring token (outarg: $name) from session: outarg already set")
+        }
+        else {
+            LOG.debug("restoring token (outarg: $name) from session")
+            outargs.put(name, value)
+        }
+    }
+}
+
+// store tokens
+outargs.each { name, value ->
+    if (name.startsWith('token.')) {
+        session.put('outarg.' + name, value)
+    }
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai/var/opt/nevisauth/default/status.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# NAME
+#     status.sh - Checks the status of the nevisAuth instance.
+#
+# SYNOPSIS
+#     status.sh
+#
+# DESCRIPTION
+#     Performs periodic checks until the instance is up or broken or timeout is reached.
+#     The script terminates when the process of the instance stops running.
+#     There are no arguments for this script.
+#
+# EXIT CODES
+#  0    Instance is up.
+#  1    Instance process is not running.
+#  2    Instance is broken.
+#  3    Timeout reached.
+
+# Defines how much we should sleep between checking if the instance is up.
+interval=1
+# Defines how much we should wait the instance to start up until we give up and exit.
+timeout=70
+((end_time=${SECONDS}+$timeout))
+
+# Checks if the process of the instance is still running.
+# Arguments:
+#   None
+# Returns:
+#   In case it is running, returns 0, otherwise non-zero (exit code of systemctl).
+isProcessRunning() {
+  systemctl is-active --quiet nevisauth@default
+  IS_RUNNING=$?
+  return $IS_RUNNING
+}
+
+# Checks if the instance is up. (Attempts connecting to the instance)
+# Arguments:
+#   None
+# Returns:
+#   If the connection was successful and the instance up (is not broken), returns 0.
+#   If the connection was not successful, returns 1.
+checkInstance() {
+  lsof -i :8991 -sTCP:LISTEN
+  EXIT_CODE=$?
+  return $EXIT_CODE
+}
+
+# This function encapsulates the logic of checking if the process is running and if the instance is up.
+# In case the process is not running, exits with exit code 1.
+# Arguments:
+#   None
+# Returns:
+#   If the instance process is running, returns the result of the instance check function.
+check() {
+ if isProcessRunning
+  then
+    checkInstance
+    CS=$?
+    return $CS
+  else
+    echo "Process is not running."
+    exit 1
+  fi
+}
+
+# Check the status of the instance periodically.
+while ((${SECONDS} < ${end_time}))
+do
+  sleep ${interval}
+  if check
+  then
+    echo "Instance is up."
+    exit 0
+  fi
+done
+
+echo "Exceeded check timeout (70s). Instance is down."
+exit 3

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/etc/nevis/k8s-nai2-5a02ce1399ca42298422a320.yaml

@@ -0,0 +1,60 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisComponent"
+metadata:
+  name: "nai2"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai2"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "5a02ce1399ca42298422a320"
+spec:
+  type: "NevisAuth"
+  replicas: 1
+  version: "8.2405.2"
+  gitInitVersion: "1.3.0"
+  runAsNonRoot: true
+  ports:
+    management: 9000
+    soap: 8991
+  resources:
+    limits:
+      cpu: "2"
+      memory: "2000Mi"
+    requests:
+      cpu: "20m"
+      memory: "1000Mi"
+  livenessProbe:
+    soap:
+      tcpSocket: true
+      periodSeconds: 5
+      timeoutSeconds: 4
+  readinessProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
+  podDisruptionBudget:
+    maxUnavailable: "50%"
+  git:
+    tag: "r-46b3c950256851308e60d2bd8d5de9ae4cc6f50e"
+    dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2"
+    credentials: "git-credentials"
+  keystores:
+  - "nai2-sh4r3d-default-default-signer"
+  - "nai2-default-identity"
+  truststores:
+  - "nai2-default-default-signer-trust"
+  - "nai2-default-tls-client-trust"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/etc/nevis/k8s-nai2-default-default-signer-trust-5a02ce1399ca42298422a320.yaml

@@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "nai2-default-default-signer-trust"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai2"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "5a02ce1399ca42298422a320"
+spec:
+  keystores:
+  - name: "nai2-sh4r3d-default-default-signer"
+    namespace: "adn-postit-tknxchng-01-dev"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/etc/nevis/k8s-nai2-default-identity-5a02ce1399ca42298422a320.yaml

@@ -0,0 +1,18 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "nai2-default-identity"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai2"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "5a02ce1399ca42298422a320"
+spec:
+  cn: "nai2"
+  usage: "<reserved for future use>"
+  san:
+    dns:
+    - "nai2"
+    - "nai2.adn-postit-tknxchng-01-dev"
+    email: []

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/etc/nevis/k8s-nai2-default-tls-client-trust-5a02ce1399ca42298422a320.yaml

@@ -0,0 +1,14 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisTrustStore"
+metadata:
+  name: "nai2-default-tls-client-trust"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai2"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "5a02ce1399ca42298422a320"
+spec:
+  keystores:
+  - name: "npi-mockrelam-identity"
+    namespace: "adn-postit-tknxchng-01-dev"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/etc/nevis/k8s-nai2-sh4r3d-default-default-signer-5a02ce1399ca42298422a320.yaml

@@ -0,0 +1,16 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisKeyStore"
+metadata:
+  name: "nai2-sh4r3d-default-default-signer"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nai2"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "5a02ce1399ca42298422a320"
+spec:
+  cn: "signer"
+  usage: "signer"
+  san:
+    dns: []
+    email: []

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/etc/nevis/nevisauth_default.yml

@@ -0,0 +1,18 @@
+schemaVersion: 1.0
+instance:
+  type: "nevisauth"
+  name: "default"
+  directory: "/var/opt/nevisauth/default"
+  pid: "systemctl show nevisauth@default -p MainPID | cut -d '=' -f2"
+  source:
+    url: "/nevisadmin/#/projects/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/patterns/5a02ce1399ca42298422a320"
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "5a02ce1399ca42298422a320"
+    patternClass: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisAuthDeployable"
+  resources:
+    ports:
+    - "0.0.0.0:8991"
+  control:
+    start: "systemctl restart nevisauth@default &"
+    stop: "systemctl stop nevisauth@default"
+    status: "systemctl status nevisauth@default"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/keys/trust/tls-swissid/keypass

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo 'password'

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/keys/trust/tls-swissid/truststore.pem

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGkzCCBHugAwIBAgIULa4PojoMOF/785XA2QNkLRQYTS4wDQYJKoZIhvcNAQEL
+BQAwUTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UE
+AxMiU3dpc3NTaWduIFJTQSBUTFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2Mjkw
+OTMwNDdaFw0zNjA2MjkwOTMwNDdaMFAxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxT
+d2lzc1NpZ24gQUcxKjAoBgNVBAMTIVN3aXNzU2lnbiBSU0EgVExTIEVWIElDQSAy
+MDIyIC0gMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL61hlRf7Jxo
+0msjavo1pgChwWBDYix5Zd0CnhciVYUCk30Ko6BxFBICoSsZ1gXGqlT20g/AYqYL
+xuKcdNNAJ/LHT6k2zL3UhSpx+eHjeTGQ7id2jC1HKRZ9zA8YXdhtY3oJom7B3ykE
+d/j0KVmHy9tP1A0rt3ntbJLfLIS6uWogx2KfFs8MwtoAZLiGvp49SHly6p450fcz
+payPIWu12PfVQjLg7b9NitlDlYEWiCAL7R3jINw2yMwcdBvq2gy+ZZsiYkSb1m+h
+ABOGxU6SCN6w7GgRWWveSaJBvRokUvIon/wsZK51j8RM4TsoR60Wei8ftSBL75BI
+g9Us8dkBXDa8vqoDVpc9zs6pan5XN8KymNT52j4gEe161eYTtbiME4KdSWtVsA7e
+rdkHsXKJTRIxxdpUkQXxhLXEoyDed/BVgV1yhTeN6YCFX7AiocAi5rPUplc6LV58
+CCUWFMSWEJxOYQUrwWFLNzQMnE969hnvdhuO8ZeqtpwFwX/OLryWoil+jGobRm/1
+OQS9+urcVygrzZ9Dy9Q/OF/oq9NeaijvL2Ncjkj5f6uJzgXkm7PwjnHrL2FWBkhp
+oM/vyT1VAgWNoku3jIyedtyJ9lUECwPIzQuddQYOL8FwhaFmvtHnOLpiy2ctbwir
+gJW+KcsNkpHg0N5stJcPzPvlssmNBHbNAgMBAAGjggFiMIIBXjBcBggrBgEFBQcB
+AQRQME4wTAYIKwYBBQUHMAKGQGh0dHA6Ly9haWEuc3dpc3NzaWduLmNoL2Fpci1h
+ZWZmMzc0ZC0wZjdhLTRjNTUtYTAzNC0xNDQwMjkwY2ZhMzIwEgYDVR0TAQH/BAgw
+BgEB/wIBADAoBgNVHSAEITAfMAcGBWeBDAEBMAgGBgQAj3oBBDAKBghghXQBWQIB
+AzBRBgNVHR8ESjBIMEagRKBChkBodHRwOi8vY3JsLnN3aXNzc2lnbi5jaC9jZHAt
+OTY2MWMyOWYtOTEyMS00ZjQ2LWFjZDgtZWFkNGEyMmY3MTYwMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFElS
+3zCGkllfNJwlSCSrwOvRBvLWMB8GA1UdIwQYMBaAFG+OYouTQ7DhQPanw/3xD7gP
+FTilMA0GCSqGSIb3DQEBCwUAA4ICAQBugn943V4fbEbG+Leb4YXTWLLfPIC+mrdc
+H6v1+Iws+XCzoKthaDk0c346mSaXZM9to5xDOWgfEnBYbVioMyI/5EABbg4ARkgp
+dj50FPe9MtLD4kOZFv/8LoRH+WdAfQUsxS1RQincUnYWAxmRNOHLdnbyiQt3sYDl
+6tZzURSMnMUec4stxfLT4VQE1Ew6Phr06CouYOd5ON+mWkFhROz3jx5PTXcECrqQ
+IT27wJ4mzKA6W9p69ZDFi/+FcpN9vCjzksi0w8i62DwtbO8Pj3ZEOL8z6+cwXyT7
+X7Zt96vufj+bsxFo1IXQ6cb2i13qpThSHL4NA1NhUbB/ipMbxNtBJ4fwtcG8SAUs
+jRXgG/RYrXRorG90KU/dcezixY4yKnlIdkkhpV7h8jY2+XS7GbjaKee8pPeAFXgs
+Hzdi+EhZvHOVfshaKL2CAELrYn8Tzo2Zt9zsbif8L7bPJROS3xqzn+GbCFt67/8Y
+jTh84Taa4D49H6V+p01QPkvG7ub7Rw52fm56zY3mabbhbsREOceswsfunxSN/SOE
+pLKVMopuVnRcwVIWmnzH9BlBhIzLqOS4kCYA5E5Irw217j/JTGVWEdMN0ar09nGh
+WA2Eq8aDANjAP1bao/4nmxsFU2zKbTR40Tb7/HKB5jaItYdkz6ppnxQDLTWe7T6+
+nGZwqmYtbQ==
+-----END CERTIFICATE-----

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/LitDict.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accept
+cancel.button.label=Cancel
+continue.button.label=Continue
+deputy.profile.label=(Deputy Profile)
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Never
+policyFailure.dictionary=▪ must not be taken from a dictionary.
+policyFailure.history.History=▪ must be different from previously selected passwords.
+policyFailure.regex.control=▪ cannot contain more than {0} control characters.
+policyFailure.regex.lower=▪ must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=▪ must be at most {0} characters long.
+policyFailure.regex.minLength=▪ must be at least {0} characters long.
+policyFailure.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=▪ must contain at least {0} numeric characters.
+policyFailure.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.dictionary=▪ must not be taken from a dictionary.
+policyInfo.history.History=▪ must be different from previously selected passwords.
+policyInfo.regex.control=▪ cannot contain more than {0} control characters.
+policyInfo.regex.lower=▪ must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=▪ must be at most {0} characters long.
+policyInfo.regex.minLength=▪ must be at least {0} characters long.
+policyInfo.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
+policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/LitDict_de.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Akzeptieren
+cancel.button.label=Abbrechen
+continue.button.label=Weiter
+deputy.profile.label=(Profil Stellvertreter)
+error.saml.failed=Bitte schliessen Sie Ihren Browser und versuchen Sie es erneut.
+error_1=Bitte überprüfen Sie Ihre Eingabe.
+error_10=Bitte wählen Sie den gewünschten Benutzer.
+error_100=Zertifikat-Upload nicht möglich. Zertifikat bereits vorhanden. Bitte kontaktieren Sie Ihren Helpdesk.
+error_101=Die angegebene E-Mail Adresse ist ungültig.
+error_11=Bitte verwenden Sie ein anderes Zertifikat oder ein alternatives Authentisierungsmittel.
+error_2=Bitte wählen Sie einen anderen Login-Namen. 
+error_3=Falls Ihr nächster Login fehlschlägt, wird Ihr Konto gesperrt.
+error_4=Ihr neues Passwort wurde nicht akzeptiert. Bitte wählen Sie eines, das den Passwortvorgaben entspricht.
+error_5=Die Eingabe zur Bestätigung des Passwortes ist falsch.
+error_50=Das neue Passwort ist zu kurz.
+error_55=Das neue Passwort muss sich von alten Passwörtern unterscheiden.
+error_6=Passwortwechsel erforderlich.
+error_7=Wechsel der Login-ID erforderlich.
+error_8=Ihr Konto wurde infolge wiederholt fehlgeschlagener Authentisierung gesperrt.
+error_81=Keine Rasterkarte gefunden, Zugang vom Internet verweigert.
+error_83=Ihre Rasterkarte ist aufgebraucht. Bitte kontaktieren Sie Ihren Berater, um eine neue zu erhalten.
+error_9=Die SSO-Session konnte nicht übernommen werden.
+error_97=Sie verfügen nicht über die für den Zugriff auf diese Ressource benötigte Berechtigung.
+error_98=Ihr Konto ist gesperrt.
+error_99=Systemfehler. Bitte versuchen Sie es später.
+info.logout.confirmation=Bitte bestätigen Sie, dass Sie sich abmelden möchten.
+info.logout.reminder=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+info.oauth.consent=Wollen Sie der Anwendung den Zugriff erlauben?
+info.timeout.page=Ihre Session ist auf dieser Applikation abgelaufen. Versuchen Sie es nochmals mit einem Login.
+login.button.label=Login
+logout.label=Logout
+logout.text=Sie haben sich erfolgreich abgemeldet.
+method.certificate.label=Zertifikat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN-Code
+method.oath.label=OATH Authenticator-App
+method.otp.label=OTP (One-Time Passwort)
+method.recovery.label=Wiederherstellungscodes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Nie
+policyFailure.dictionary=▪ darf nicht aus einem Wörterbuch stammen.
+policyFailure.history.History=▪ muss sich von vorhergehenden Passwörtern unterscheiden.
+policyFailure.regex.control=▪ darf höchstens {0} Kontrollzeichen enthalten.
+policyFailure.regex.lower=▪ muss {0} Kleinbuchstaben enthalten.
+policyFailure.regex.maxCharacterRepetitions=▪ darf nicht eine Sequenz länger als {0} des gleichen Zeichens enthalten.
+policyFailure.regex.maxLength=Länge des Passwortes darf höchstens {0} sein.
+policyFailure.regex.minLength=Länge des Passwortes muss mindestens {0} sein.
+policyFailure.regex.nonAlnum=▪ muss {0} nicht-alphanumerische Zeichen enthalten.
+policyFailure.regex.nonAscii=▪ darf höchstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyFailure.regex.nonGraph=▪ darf höchstens {0} nicht-druckende Zeichen enthalten.
+policyFailure.regex.nonLetter=▪ muss {0} Zeichen enthalten, die keine Buchstaben sind.
+policyFailure.regex.numeric=▪ muss {0} numerische Zeichen enthalten.
+policyFailure.regex.upper=▪ muss {0} Grossbuchstaben enthalten.
+policyInfo.dictionary=▪ darf nicht aus einem Wörterbuch stammen.
+policyInfo.history.History=▪ darf keines der zuletzt verwendeten Passwörtern sein.
+policyInfo.regex.control=▪ darf höchstens {0} Kontrollzeichen enthalten.
+policyInfo.regex.lower=▪ muss mindestens {0} Kleinbuchstaben enthalten.
+policyInfo.regex.maxCharacterRepetitions=▪ darf nicht eine Sequenz länger als {0} des gleichen Zeichens enthalten.
+policyInfo.regex.maxLength=▪ darf höchstens {0} Zeichen enthalten.
+policyInfo.regex.minLength=▪ muss mindestens {0} Zeichen enthalten.
+policyInfo.regex.nonAlnum=▪ muss mindestens {0} Zeichen enthalten, die nicht Alphanumerisch sind.
+policyInfo.regex.nonAscii=▪ darf höchstens {0} Zeichen ausserhalb des ASCII-Zeichensatzes enthalten.
+policyInfo.regex.nonGraph=▪ darf höchstens {0} nicht-druckende Zeichen enthalten.
+policyInfo.regex.nonLetter=▪ muss mindestens {0} Zeichen enthalten, die keine Buchstaben sind.
+policyInfo.regex.numeric=▪ muss mindestens {0} numerische Zeichen enthalten.
+policyInfo.regex.upper=▪ muss mindestens {0} Grossbuchstaben enthalten.
+policyInfo.title=Das Passwort muss den folgenden Passwort-Richtlinien entsprechen:
+reject.button.label=Ablehnen
+submit.button.label=Senden
+tan.sent=Bitte erfassen Sie den Sicherheitscode, welcher an Ihr Mobiltelefon gesendet wurde.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorisierung
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/LitDict_en.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accept
+cancel.button.label=Cancel
+continue.button.label=Continue
+deputy.profile.label=(Deputy Profile)
+error.saml.failed=Please close your browser and try again.
+error_1=Please check your input.
+error_10=Please select the correct user account.
+error_100=Certificate upload not possible. Certificate already exists. Please contact your helpdesk.
+error_101=The entered email address is not valid.
+error_11=Please use another certficate or login with another credential type.
+error_2=Please select another login name.
+error_3=Your account will be locked if next authentication fails.
+error_4=Your new password does not comply with the security policy. Please choose a different password.
+error_5=Error in password confirmation.
+error_50=The new password is too short.
+error_55=The new password has to differ from old passwords.
+error_6=Password change required.
+error_7=Change of login ID required.
+error_8=Your account has been locked due to repeated authentication failures.
+error_81=No access card found, access from internet denied.
+error_83=Your access card is no longer valid. Please contact your advisor to get a new access card.
+error_9=Session take over failed.
+error_97=You are not authorized to access this resource.
+error_98=Your account has been locked.
+error_99=System problems. Please try later.
+info.logout.confirmation=Please confirm that you want to log out.
+info.logout.reminder=Your session on this application has expired. Try again with a login.
+info.oauth.consent=Do you want to authorise this application to access your data?
+info.timeout.page=Your session on this application has expired. Try again with a login.
+login.button.label=Login
+logout.label=Logout
+logout.text=You have successfully logged out.
+method.certificate.label=Certificate
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=mTAN Code
+method.oath.label=OATH Authenticator App
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Recovery Codes
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Never
+policyFailure.dictionary=▪ must not be taken from a dictionary.
+policyFailure.history.History=▪ must be different from previously selected passwords.
+policyFailure.regex.control=▪ cannot contain more than {0} control characters.
+policyFailure.regex.lower=▪ must contain at least {0} lower case characters.
+policyFailure.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyFailure.regex.maxLength=▪ must be at most {0} characters long.
+policyFailure.regex.minLength=▪ must be at least {0} characters long.
+policyFailure.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyFailure.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyFailure.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyFailure.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyFailure.regex.numeric=▪ must contain at least {0} numeric characters.
+policyFailure.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.dictionary=▪ must not be taken from a dictionary.
+policyInfo.history.History=▪ must be different from previously selected passwords.
+policyInfo.regex.control=▪ cannot contain more than {0} control characters.
+policyInfo.regex.lower=▪ must contain at least {0} lower case characters.
+policyInfo.regex.maxCharacterRepetitions=▪ characters must not occur more than {0} time(s) consecutively.
+policyInfo.regex.maxLength=▪ must be at most {0} characters long.
+policyInfo.regex.minLength=▪ must be at least {0} characters long.
+policyInfo.regex.nonAlnum=▪ must contain at least {0} non-alphanumeric characters.
+policyInfo.regex.nonAscii=▪ cannot contain more than {0} non-ASCII characters.
+policyInfo.regex.nonGraph=▪ cannot contain more than {0} non-printable characters.
+policyInfo.regex.nonLetter=▪ must contain at least {0} non-letter characters.
+policyInfo.regex.numeric=▪ must contain at least {0} numeric characters.
+policyInfo.regex.upper=▪ must contain at least {0} upper case characters.
+policyInfo.title=The password has to comply with the following password policy:
+reject.button.label=Deny
+submit.button.label=Submit
+tan.sent=Please enter the security code which has been sent to your mobile phone.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Client Authorization
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/LitDict_fr.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accepter
+cancel.button.label=Abandonner
+continue.button.label=Continuer
+deputy.profile.label=(Profil du suppléant)
+error.saml.failed=Fermez votre navigateur et r;eacute;essayez.
+error_1=Veuillez vérifier vos données, s.v.p.
+error_10=Choisissez votre compte.
+error_100=Téléchargement du certificat pas possible. Certificat existe déjà. Veuillez contacter le helpdesk s.v.p.
+error_101=L'adresse e-mail é n'est pas valide.
+error_11=Choisissez un autre certificat, s.v.p.
+error_2=Choisissez un autre nom, s.v.p.
+error_3=Si l'authentification ne réussit pas au prochain essai, votre compte sera bloqué.
+error_4=Votre nouveau mot de passe ne conforme pas aux mesures de sécurité
+error_5=Votre confirmation du mot de passe ne correspond pas au mot de passe donné.
+error_50=Le nouveau mot de passe est trop court.
+error_55=Le nouveau mot de passe doit différer de l'ancien.
+error_6=Veuillez changer votre mot de passe, s.v.p.
+error_7=Veuillez changer votre login ID, s.v.p.
+error_8=Votre compte n'est pas active.
+error_81=Pas d'access card trouvé, l'accès par l'internet est refusé.
+error_83=Votre access card n'est plus valable, veuillez contacter votre gestionnaire.
+error_9=Il n'est pas possible de transmettre la session.
+error_97=Vous n'avez pas les autorisations nécessaires pour accéder à cette ressource.
+error_98=Votre compte a été bloqué.
+error_99=Problème technique. Veuillez essayer plus tard, s.v.p.
+info.logout.confirmation=Veuillez confirmer que vous souhaitez vous déconnecter.
+info.logout.reminder=Votre session sur cette application a expirée. Essayez encore avec un login.
+info.oauth.consent=Voulez-vous autoriser l'application?
+info.timeout.page=Votre session sur cette application a expirée. Essayez encore avec un login.
+login.button.label=Login
+logout.label=Logout
+logout.text=Au revoir
+method.certificate.label=Certificat
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Code mTAN
+method.oath.label=Application d'authentification OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codes de récupération
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Jamais
+policyFailure.dictionary=▪ ne peut pas être pris d'un dictionnaire.
+policyFailure.history.History=▪ doit être différent des mots de passe préalablement sélectionnés.
+policyFailure.regex.control=▪ ne peut contenir plus de {0} caractères de commande.
+policyFailure.regex.lower=▪ doit contenir au moins {0} caractère(s) minuscule(s).
+policyFailure.regex.maxCharacterRepetitions=▪ ne peut contenir une séquence de plus de {0} du même caractère.
+policyFailure.regex.maxLength=La longueur doit être d'au plus {0}.
+policyFailure.regex.minLength=La longueur doit être d'au moins {0}.
+policyFailure.regex.nonAlnum=▪ doit contenir au moins  {0} caractères non alphanumériques.
+policyFailure.regex.nonAscii=▪ ne peut contenir plus de {0} caractères non ASCII ({1}).
+policyFailure.regex.nonGraph=▪ ne peut contenir plus de {0} caractères non imprimables ({1}).
+policyFailure.regex.nonLetter=▪ doit contenir au moins {0} caractères qui ne sont pas des lettres.
+policyFailure.regex.numeric=▪ doit comprendre {0} caractères numériques.
+policyFailure.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
+policyInfo.dictionary=▪ ne peut pas être pris d'un dictionnaire.
+policyInfo.history.History=▪ ne peut pas être l' précédemment choisis.
+policyInfo.regex.control=▪ ne peut contenir plus de {0} caractères de commande.
+policyInfo.regex.lower=▪ doit contenir au moins {0} caractère(s) minuscule(s).
+policyInfo.regex.maxCharacterRepetitions=▪ ne peut contenir une séquence de plus de {0} du même caractère.
+policyInfo.regex.maxLength=▪ la longueur doit être d'au plus {0}.
+policyInfo.regex.minLength=▪ la longueur doit être d'au moins {0}.
+policyInfo.regex.nonAlnum=▪ doit contenir au moins  {0} caractères non alphanumériques.
+policyInfo.regex.nonAscii=▪ ne peut contenir plus de {0} caractères non ASCII.
+policyInfo.regex.nonGraph=▪ ne peut contenir plus de {0} caractères non imprimables.
+policyInfo.regex.nonLetter=▪ doit contenir au moins {0} caractères qui ne sont pas des lettres.
+policyInfo.regex.numeric=▪ doit comprendre au minimum {0} caractères numériques.
+policyInfo.regex.upper=▪ doit contenir au moins {0} caractère(s) majuscule(s).
+policyInfo.title=Le mot de passe doit respecter les règles suivantes:
+reject.button.label=Refuser
+submit.button.label=Envoyer
+tan.sent=Veuillez saisir le code de sécurité que vous avez reçu au votre téléphone mobile.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorisation du client
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/LitDict_it.properties

@@ -0,0 +1,80 @@
+
+accept.button.label=Accettare
+cancel.button.label=Abortire
+continue.button.label=Continua
+deputy.profile.label=(profilo del delegato)
+error.saml.failed=Chiudi il browser e riprova.
+error_1=Verificare i dati immessi.
+error_10=Per favore selezionare il conto utente corretto.
+error_100=Impossibile caricare il certificato. Questo certificato esiste già. La preghiamo di contattare il Suo help desk.
+error_101=L'indirizzo e-mail inserito non è valido.
+error_11=Scegliere un altro certificato.
+error_2=Per favore scegliere un altro nome.
+error_3=Il conto verrà bloccato se il prossimo login non andrà a buon fine.
+error_4=La nuova password non è stata accettata. Scegliere una password che sia conforme ai criteri di password.
+error_5=La conferma della password è errata.
+error_50=La nuova password è troppo corta.
+error_55=La nuova password deve essere diversa dalla vecchia.
+error_6=È necessario modificare la password.
+error_7=Set up inizale dell'account per il portale necessario.
+error_8=L'account è stato bloccato. Rivolgersi al servizio assistenza oppure provare con un altro strumento di autenticazione.
+error_81=Nessuna carta di accesso trovata, accesso da internet rifiutato.
+error_83=La sua carta di accesso non è più valida. Per favore contatti il suo assistente per ricevere una nuova carta di accesso.
+error_9=La sessione non può essere ripresa.
+error_97=Non si dispone delle autorizzazioni necessarie per accedere a questa risorsa.
+error_98=L'account è stato bloccato.
+error_99=Errore di sistema. Riprovare.
+info.logout.confirmation=Si prega di confermare che si desidera disconnettersi.
+info.logout.reminder=La sessione su questa applicazione è scaduta. Prova ancora con un login.
+info.oauth.consent=Vuoi consentire all'applicazione?
+info.timeout.page=La sessione su questa applicazione è scaduta. Prova ancora con un login.
+login.button.label=Login
+logout.label=Logout
+logout.text=È uscito con successo.
+method.certificate.label=Certificato
+method.fido.label=Mobile Authentication
+method.fido2.label=FIDO 2
+method.mtan.label=Codice mTAN
+method.oath.label=App di autenticazione OATH
+method.otp.label=OTP (One-Time Password)
+method.recovery.label=Codici di ripristino
+method.safeword.label=SafeWord
+method.securid.label=SecurID
+method.ticket.label=Ticket
+outarg.lastLogin.never=Mai
+policyFailure.dictionary=▪ non può essere presa da un dizionario.
+policyFailure.history.History=▪ deve essere diversa da password precedenti.
+policyFailure.regex.control=▪ non può contenere più di {0} caratteri di controllo.
+policyFailure.regex.lower=▪ deve conenere almeno {0} caratteri minuscoli.
+policyFailure.regex.maxCharacterRepetitions=▪ non può contentere una sequenza più lunga di {0} caratteri uguali.
+policyFailure.regex.maxLength=▪ deve contenere al massimo {0} caratteri.
+policyFailure.regex.minLength=▪ deve contenere almeno {0} caratteri.
+policyFailure.regex.nonAlnum=▪ deve conenere almeno {0} caratteri non alfanumerici.
+policyFailure.regex.nonAscii=▪ non può contenere più di {0} caratteri non ASCII.
+policyFailure.regex.nonGraph=▪ non può contenere più di {0} caratteri non stampabili.
+policyFailure.regex.nonLetter=▪ non può contenere più di {0} numeri o caratteri speciali.
+policyFailure.regex.numeric=▪ deve contenere {0} caratteri numerici.
+policyFailure.regex.upper=▪ deve conenere almeno {0} caratteri maiuscoli.
+policyInfo.dictionary=▪ non può essere presa da un dizionario.
+policyInfo.history.History=▪ deve essere diversa dalle password precedenti.
+policyInfo.regex.control=▪ non può contenere più di {0} carattere/i di controllo.
+policyInfo.regex.lower=▪ deve conenere almeno {0} carattere/i minuscolo/i.
+policyInfo.regex.maxCharacterRepetitions=▪ non può contentere una sequenza più lunga di {0} caratteri uguali.
+policyInfo.regex.maxLength=▪ deve contenere al massimo {0} carattere/i.
+policyInfo.regex.minLength=▪ deve contenere almeno {0} carattere/i.
+policyInfo.regex.nonAlnum=▪ deve conenere almeno {0} carattere/i non alfanumerico/i.
+policyInfo.regex.nonAscii=▪ non può contenere più di {0} carattere/i non ASCII.
+policyInfo.regex.nonGraph=▪ non può contenere più di {0} carattere/i non stampabile/i.
+policyInfo.regex.nonLetter=▪ non può contenere più di {0} numero/i o caratere/i speciale/i.
+policyInfo.regex.numeric=▪ deve contenere un minimo di {0} carattere/i numerico/i.
+policyInfo.regex.upper=▪ deve conenere almeno {0} carattere/i maiuscolo/i.
+policyInfo.title=La password deve rispettare le seguenti direttive:
+reject.button.label=Rifiuti
+submit.button.label=Continua
+tan.sent=Inserisci il codice di sicurezza che è stato inviato al tuo telefono cellulare.
+title.logout=Logout
+title.logout.confirmation=Logout
+title.logout.reminder=Logout
+title.oauth.consent=Autorizzazione del client
+title.saml.failed=Error
+title.timeout.page=Logout

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/bc.properties

@@ -0,0 +1 @@
+bc.tracer.TraceIndentFactory=ch.nevis.bc.io.Log4jTraceIndentFactory

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/env.conf

@@ -0,0 +1,19 @@
+RTENV_SECURITY_CHECK=no_shell
+
+JAVA_OPTS=(
+    "-XX:+UseContainerSupport"
+    "-Dfile.encoding=UTF-8"
+    "-XX:MaxRAMPercentage=80.0"
+    "-Djava.net.preferIPv4Stack=true"
+    "-Djava.net.connectionTimeout=10000"
+    "-Djava.net.readTimeout=15000"
+    "-Dch.nevis.esauth.config=/var/opt/nevisauth/default/conf/esauth4.xml"
+    "-Djava.awt.headless=true"
+    "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
+    "-Dotel.javaagent.logging=application"
+    "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
+    "-Dotel.resource.attributes=service.version=8.2405.2,service.instance.id=$HOSTNAME"
+    "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/tls-swissid/truststore.p12"
+    "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/tls-swissid/keypass}"
+)
+

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/esauth4.security

@@ -0,0 +1,2 @@
+# this file is generated by nevisAdmin 4
+security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/esauth4.xml

@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE esauth-server SYSTEM "/opt/nevisauth/dtd/esauth4.dtd">
+<esauth-server instance="nai2">
+    <!-- source: pattern://5a02ce1399ca42298422a320, pattern://8523f0587aa8cfa7008f8171 -->
+    <SessionCoordinator sessionInitialInactivityTimeout="600" sessionInactivityTimeout="28800" sessionMaxLifetime="28800" sessionIdPreGenerate="true">
+        <!-- source: pattern://5a02ce1399ca42298422a320 -->
+        <LocalSessionStore maxSessions="100000"/>
+        <!-- source: pattern://5a02ce1399ca42298422a320 -->
+        <TokenAssembler name="DefaultTokenAssembler">
+            <Selector default="true"/>
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <TokenSpec ttl="28800">
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.sessid" as="sessid"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.userid" as="userid"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.authlevel" as="authLevel"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.esauthid" as="esauthid"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.entryid" as="entryid"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.loginid" as="loginId"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.domain" as="domain"/>
+                <!-- source: pattern://5a02ce1399ca42298422a320 -->
+                <field src="session" key="ch.nevis.session.secroles" as="roles"/>
+            </TokenSpec>
+            <!-- source: pattern://5a02ce1399ca42298422a320 -->
+            <Signer key="DefaultSigner"/>
+        </TokenAssembler>
+        <!-- source: pattern://5a02ce1399ca42298422a320 -->
+        <KeyStore name="DefaultKeyStore">
+            <!-- source: pattern://5a02ce1399ca42298422a320 -->
+            <KeyObject name="DefaultSigner" certificate="/var/opt/keys/own/nai2-sh4r3d-default-default-signer/cert.pem" privateKey="/var/opt/keys/own/nai2-sh4r3d-default-default-signer/keystore.jks" passPhrase="pipe:///var/opt/keys/own/nai2-sh4r3d-default-default-signer/keypass"/>
+            <!-- source: pattern://5a02ce1399ca42298422a320 -->
+            <KeyObject name="DefaultSignerTrust" certificate="/var/opt/keys/trust/nai2-default-default-signer-trust/truststore.jks"/>
+        </KeyStore>
+    </SessionCoordinator>
+    <!-- source: pattern://5a02ce1399ca42298422a320 -->
+    <LocalOutOfContextDataStore reaperPeriod="60"/>
+    <!-- source: pattern://5a02ce1399ca42298422a320, pattern://8523f0587aa8cfa7008f8171 -->
+    <AuthEngine useLiteralDictionary="true" literalDictionaryLanguages="en,de,fr,it" inputLanguageCookie="LANG" compatLevel="none" addAutheLevelToSecRoles="true" classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin" propagateSession="false">
+        <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+        <Domain name="MockRelam" default="false" inactiveInterval="7200" reauthInterval="0" resetAuthenticationCondition="${inargs:cancel}">
+            <Entry method="authenticate" state="MockRelam_DispatchMockRequests"/>
+            <Entry method="stepup" state="MockRelam_Selector"/>
+        </Domain>
+        <AuthState name="MockRelam_DispatchMockRequests" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <ResultCond name="jwk" next="MockRelam_jwkMock"/>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <ResultCond name="metadata" next="MockRelam_MetadataMock"/>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <ResultCond name="nomatch" next="MockRelam_KlpApiMock"/>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <ResultCond name="wellknown" next="MockRelam_wellKownMock"/>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://1641a38402138546573b7e71 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <property name="condition:jwk" value="${request:currentResource:/jwk:true}"/>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <property name="condition:metadata" value="${request:currentResource:/metadata:true}"/>
+            <!-- source: pattern://1641a38402138546573b7e71 -->
+            <property name="condition:wellknown" value="${request:currentResource:/.well-known:true}"/>
+        </AuthState>
+        <AuthState name="MockRelam_jwkMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
+            <!-- source: pattern://02267b7a9895eef024fd806b -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://02267b7a9895eef024fd806b -->
+                <Gui name="none"/>
+            </Response>
+            <!-- source: pattern://02267b7a9895eef024fd806b -->
+            <property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_jwkmock.json"/>
+            <!-- source: pattern://02267b7a9895eef024fd806b -->
+            <property name="contentType" value="application/json"/>
+            <!-- source: pattern://02267b7a9895eef024fd806b -->
+            <property name="statusCode" value="200"/>
+        </AuthState>
+        <AuthState name="MockRelam_MetadataMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
+            <!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
+                <Gui name="none"/>
+            </Response>
+            <!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
+            <property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_metadatamock.json"/>
+            <!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
+            <property name="contentType" value="application/json"/>
+            <!-- source: pattern://0600a4bbdea68c3aaa2fd10f -->
+            <property name="statusCode" value="200"/>
+        </AuthState>
+        <AuthState name="MockRelam_KlpApiMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
+            <!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
+                <Gui name="none"/>
+            </Response>
+            <!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
+            <property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_klpapimock.json"/>
+            <!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
+            <property name="contentType" value="application/json"/>
+            <!-- source: pattern://3f7b857b6d35114fcd8c4984 -->
+            <property name="statusCode" value="200"/>
+        </AuthState>
+        <AuthState name="MockRelam_wellKownMock" class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState" final="true" resumeState="false">
+            <!-- source: pattern://1a11a59ad08eccffa1addc6a -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://1a11a59ad08eccffa1addc6a -->
+                <Gui name="none"/>
+            </Response>
+            <!-- source: pattern://1a11a59ad08eccffa1addc6a -->
+            <property name="content" value="file:///var/opt/nevisauth/default/conf/mockrelam_wellkownmock.json"/>
+            <!-- source: pattern://1a11a59ad08eccffa1addc6a -->
+            <property name="contentType" value="application/json"/>
+            <!-- source: pattern://1a11a59ad08eccffa1addc6a -->
+            <property name="statusCode" value="200"/>
+        </AuthState>
+        <AuthState name="MockRelam_Selector" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false">
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <ResultCond name="nomatch" next="MockRelam_Prepare_Done"/>
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+        </AuthState>
+        <AuthState name="MockRelam_Prepare_Done" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false">
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <ResultCond name="default" next="MockRelam_Auth_Done"/>
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/prepare_done.groovy"/>
+        </AuthState>
+        <AuthState name="MockRelam_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false">
+            <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+            <Response value="AUTH_DONE">
+                <!-- source: pattern://8523f0587aa8cfa7008f8171 -->
+                <Gui name="ContinueResponse"/>
+            </Response>
+        </AuthState>
+    </AuthEngine>
+</esauth-server>

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/logging.yml

@@ -0,0 +1,57 @@
+Configuration:
+  monitorInterval: 60
+  Appenders:
+    Console:
+    - name: "SERVER"
+      target: "SYSTEM_OUT"
+      PatternLayout:
+        pattern: "[esauth4sv.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-20.20c %-5.5p %m%n"
+      RegexFilter:
+        regex: ".*GET /nevisauth/liveness.*"
+        onMatch: "DENY"
+        onMismatch: "ACCEPT"
+  Loggers:
+    Logger:
+    - name: "EsAuthStart"
+      level: "INFO"
+    - name: "org.apache.catalina.loader.WebappClassLoader"
+      level: "FATAL"
+    - name: "org.apache.catalina.startup.HostConfig"
+      level: "ERROR"
+    - name: "ch.nevis.esauth.events"
+      level: "FATAL"
+    - name: "AuthEngine"
+      level: "INFO"
+    - name: "HttpClient"
+      level: "TRACE"
+    - name: "OAuth2"
+      level: "DEBUG"
+    - name: "StdStates"
+      level: "DEBUG"
+    - name: "Vars"
+      level: "INFO"
+    - name: "ch.adnovum.cossa.CachingIDTokenVerifier"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.CallPolicyVerificationAPI"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.IDTokenVerifier"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.IdTokenVerification"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.KLPScopeToProfileBinding"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.SimpleIDTokenValidator"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.SimpleIDTokenVerifier"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.TokenExchangeEndpoint"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.TokenExchangeEndpointRefresh"
+      level: "DEBUG"
+    - name: "ch.adnovum.cossa.TokenGenerator"
+      level: "DEBUG"
+    Root:
+      level: "WARN"
+      additivity: "false"
+      AppenderRef:
+      - ref: "SERVER"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/mockrelam_klpapimock.json

@@ -0,0 +1,20 @@
+{
+"application": "fakeapp1_b2b_internal",
+"profiles": [{
+"profileId": "12047881",
+"description": "12047881 - Marco Mojana, Via Pratocarasso 40, 6500 Bellinzona",
+"enabled": true,
+"role": "PB",
+"violatedPolicies": [],
+"currentGtcAccepted": true
+},
+{
+"profileId": "12047882",
+"description": "12047882 - Marco Mojana, Via Pratocarasso 40, 6500 Bellinzona",
+"enabled": true,
+"role": "PB",
+"violatedPolicies": [],
+"currentGtcAccepted": true
+}
+]
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/mockrelam_metadatamock.json

@@ -0,0 +1,409 @@
+{
+  "Client":[
+    {
+      "id":"Client_69d3027cf5ae36b9e2b18cc9cfd9f0fe",
+      "owner":"andrea",
+      "name":"klp-client",
+      "link":"rest/modules/oauthv2/setups/Setup_b00528a7a0edc1df1a6b95240d704600/entities/Client_69d3027cf5ae36b9e2b18cc9cfd9f0fe",
+      "meta":[
+        {
+          "name":"klp_application1",
+          "value":"fakemobileoauth"
+        },
+        {
+          "name":"tokenExchangeAllowed",
+          "value":"true"
+        }
+      ],
+      "otherAttributes":{
+        "client_name#de":"Fake OpenID de",
+        "client_name#fr":"Fake OpenID fr",
+        "client_name#it":"Fake OpenID it",
+        "client_name":"Fake OpenID en"
+      },
+      "scopes":[
+        {
+          "value":"MONITOR",
+          "resource_id":"ResourceServer_ea7d36ec2adb5857de7dda7cbbbbbbd8",
+          "resource_name":"MONITORING-AGB"
+        },
+        {
+          "value":"address",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"birthdate",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"email",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"name",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"no_consent_required",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"offline_access",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"openid",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"phone",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"phone_number",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        },
+        {
+          "value":"profile",
+          "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+          "resource_name":"UserInfo"
+        }
+      ],
+      "contacts":[
+        "br, g, o, io"
+      ],
+      "valid_from":"2023-10-04T12:58:16.000Z",
+      "redirect_uris":[
+        "http://vkld02.pnet.ch:7024/obtainingTokens",
+        "https://fakeextint1.post.ch/openid/obtainingTokens"
+      ],
+      "response_types":[
+        "code"
+      ],
+      "grant_types":[
+        "authorization_code",
+        "refresh_token"
+      ],
+      "token_exchange_allowed":true,
+      "client_id":"klp-client",
+      "client_secret":"fake-openid-secret",
+      "client_uri":"https://iam.post.ch",
+      "default_max_age":-1,
+      "confidentiality_type":"confidential",
+      "pkce_mode":"allowed",
+      "require_auth_time":false,
+      "token_endpoint_auth_method":"client_secret_basic",
+      "jwks_uri":"",
+      "logo_uri":"/login/resources/nevislogrend/applications/def/webdata/images/openid_connect.png",
+      "access_token_ttl":30,
+      "id_token_ttl":600,
+      "refresh_token_ttl":86400,
+      "presisted_consent_ttl":31104000,
+      "force_authentication":false,
+      "require_pushed_authorization_requests":false,
+      "id_token_signed_response_alg":"RS256",
+      "id_token_encrypted_response_alg":"none",
+      "id_token_encrypted_response_enc":"none"
+    },
+    {
+        "id":"Client_69d3027cf5ae36b9e2b18cc9cfd9f0fd",
+        "owner":"pippo",
+        "name":"COSSA - Monitoring Client",
+        "link":"rest/modules/oauthv2/setups/Setup_b00528a7a0edc1df1a6b95240d704600/entities/Client_69d3027cf5ae36b9e2b18cc9cfd9f0fd",
+        "meta":[
+          {
+            "name":"klp_application",
+            "value":"cossa"
+          },
+          {
+            "name":"test_monitor_meta",
+            "value":"aaa"
+          },
+          {
+            "name":"Shop_DebiNr",
+            "value":"11111111111"
+          }
+        ],
+        "otherAttributes":{
+          "client_name#de":"Fake OpenID de",
+          "client_name#fr":"Fake OpenID fr",
+          "client_name#it":"Fake OpenID it",
+          "client_name":"Fake OpenID en"
+        },
+        "scopes":[
+          {
+            "value":"MONITOR",
+            "resource_id":"ResourceServer_ea7d36ec2adb5857de7dda7cbbbbbbd8",
+            "resource_name":"MONITORING-AGB"
+          },
+          {
+            "value":"address",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"birthdate",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"email",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"name",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"no_consent_required",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"offline_access",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"openid",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"phone",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"phone_number",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          },
+          {
+            "value":"profile",
+            "resource_id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+            "resource_name":"UserInfo"
+          }
+        ],
+        "contacts":[
+          "pippo"
+        ],
+        "valid_from":"2023-10-04T12:58:16.000Z",
+        "redirect_uris":[
+          "http://iam.post.ch/monitoring/cossa",
+          "https://iam.post.ch/monitoring/back",
+          "https://test.post.ch/pippo/back"
+        ],
+        "response_types":[
+          "code"
+        ],
+        "grant_types":[
+          "authorization_code",
+          "client_credentials",
+          "refresh_token"
+        ],
+        "client_id":"14c3890f8d8f4da3efdd61d29f24caa3",
+        "client_secret":"e6678df835d5e1a6b45f4acbe3467ec2",
+        "client_uri":"https://iam.post.ch",
+        "default_max_age":-1,
+        "confidentiality_type":"confidential",
+        "pkce_mode":"allowed",
+        "require_auth_time":false,
+        "token_endpoint_auth_method":"client_secret_basic",
+        "jwks_uri":"",
+        "logo_uri":"/login/resources/nevislogrend/applications/def/webdata/images/openid_connect.png",
+        "access_token_ttl":30,
+        "id_token_ttl":600,
+        "refresh_token_ttl":86400,
+        "presisted_consent_ttl":31104000,
+        "force_authentication":false,
+        "require_pushed_authorization_requests":false,
+        "id_token_signed_response_alg":"RS256",
+        "id_token_encrypted_response_alg":"none",
+        "id_token_encrypted_response_enc":"none"
+      }
+  ],
+  "ResourceServer":[
+    {
+      "id":"ResourceServer_561f4822c98d39267d95d3d62502e70f",
+      "owner":"oly",
+      "name":"UserInfo",
+      "link":"rest/modules/oauthv2/setups/Setup_b00528a7a0edc1df1a6b95240d704600/entities/ResourceServer_561f4822c98d39267d95d3d62502e70f",
+      "meta":[
+
+      ],
+      "otherAttributes":{
+
+      },
+      "scope":[
+        {
+          "value":"address",
+          "otherAttributes":{
+            "scope_name#fr":"Adresse",
+            "scope_name#it":"Indirizzo",
+            "scope_name#de":"Addresse",
+            "scope_description":"http://openid.com",
+            "scope_name#en":"Address"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"birthdate",
+          "otherAttributes":{
+            "scope_name#fr":"Anniversaire",
+            "scope_name#it":"Data di nascita",
+            "scope_name#de":"Geburtstag",
+            "scope_name#en":"Birthday"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"email",
+          "otherAttributes":{
+            "scope_name#fr":"Adresse e-mail",
+            "scope_name#it":"E-Mail",
+            "scope_name#de":"E-Mail",
+            "scope_description":"http://openid.com",
+            "scope_name#en":"E-mail address"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"name",
+          "otherAttributes":{
+            "scope_name#fr":"Nom, Prénom",
+            "scope_name#it":"Cognome, Nome",
+            "scope_name#de":"Name, Vorname",
+            "scope_description":"Name",
+            "scope_name#en":"Last name, First name"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"no_consent_required",
+          "otherAttributes":{
+
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"no_consent_required",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"offline_access",
+          "otherAttributes":{
+
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"no_consent_required",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"openid",
+          "otherAttributes":{
+
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"phone",
+          "otherAttributes":{
+            "scope_name#fr":"Numéro de telefone",
+            "scope_name#it":"Numero di telefono",
+            "scope_name#de":"Telefonnummer",
+            "scope_description":"User Phone number",
+            "scope_name#en":"Phone number"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"phone_number",
+          "otherAttributes":{
+            "scope_name#fr":"Numéro de mobile",
+            "scope_name#it":"Numero di cellulare",
+            "scope_name#de":"Mobiltelefonnummer",
+            "scope_description":"User Phone number",
+            "scope_name#en":"Mobile phone number"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        },
+        {
+          "value":"profile",
+          "otherAttributes":{
+            "scope_name#fr":"Nom, Prénom",
+            "scope_name#it":"Cognome, Nome",
+            "scope_name#de":"Name, Vorname",
+            "scope_description":"http://openid.com",
+            "scope_name#en":"Last name, First name"
+          },
+          "implicit_grant_policy":"disallowed",
+          "authorization_grant_policy":"consent_persisted",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        }
+      ],
+      "valid_from":"2023-10-04T12:51:06.000Z",
+      "url":"https://apidev.pnet.ch/UserInfo"
+    },
+    {
+      "id":"ResourceServer_ea7d36ec2adb5857de7dda7cbbbbbbd8",
+      "owner":"oly",
+      "name":"MONITORING-AGB",
+      "link":"rest/modules/oauthv2/setups/Setup_b00528a7a0edc1df1a6b95240d704600/entities/ResourceServer_ea7d36ec2adb5857de7dda7cbbbbbbd8",
+      "meta":[
+
+      ],
+      "otherAttributes":{
+
+      },
+      "scope":[
+        {
+          "value":"MONITOR",
+          "otherAttributes":{
+            "scope_description":"Monitoring platform test",
+            "scope_name":"Monitoring platform test"
+          },
+          "implicit_grant_policy":"no_consent_required",
+          "authorization_grant_policy":"no_consent_required",
+          "refresh_token_grant_policy":"no_consent_required",
+          "authentication_required":false
+        }
+      ],
+      "valid_from":"2023-10-04T12:53:59.000Z",
+      "url":"https://www.post.ch/oauth/terms"
+    }
+  ]
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/nevisauth.yml

@@ -0,0 +1,16 @@
+server:
+  name: "default"
+  protocol: "https"
+  port: "8991"
+  host: "0.0.0.0"
+  tls:
+    keystore: "/var/opt/keys/own/nai2-default-identity/keystore.p12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/nai2-default-identity/keypass}"
+    client-auth: "required"
+    truststore: "/var/opt/keys/trust/nai2-default-tls-client-trust/truststore.p12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/nai2-default-tls-client-trust/keypass}"
+management:
+  server:
+    port: "9000"
+  healthchecks:
+    enabled: "true"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/otel.properties

@@ -0,0 +1,4 @@
+otel.service.name = nai2
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/conf/prepare_done.groovy

@@ -0,0 +1,23 @@
+// nevisProxy replaces the entire AUTH: scope when new outargs are returned by nevisAuth.
+// Thus, we have to store tokens in the session (as a String) and restore them on subsequent step-ups.
+
+// restore tokens
+session.each { key, value ->
+    if (key.startsWith('outarg.token.')) {
+        def name = key.substring(7)
+        if (outargs.containsKey(name)) {
+            LOG.debug("not restoring token (outarg: $name) from session: outarg already set")
+        }
+        else {
+            LOG.debug("restoring token (outarg: $name) from session")
+            outargs.put(name, value)
+        }
+    }
+}
+
+// store tokens
+outargs.each { name, value ->
+    if (name.startsWith('token.')) {
+        session.put('outarg.' + name, value)
+    }
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nai2/var/opt/nevisauth/default/status.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# NAME
+#     status.sh - Checks the status of the nevisAuth instance.
+#
+# SYNOPSIS
+#     status.sh
+#
+# DESCRIPTION
+#     Performs periodic checks until the instance is up or broken or timeout is reached.
+#     The script terminates when the process of the instance stops running.
+#     There are no arguments for this script.
+#
+# EXIT CODES
+#  0    Instance is up.
+#  1    Instance process is not running.
+#  2    Instance is broken.
+#  3    Timeout reached.
+
+# Defines how much we should sleep between checking if the instance is up.
+interval=1
+# Defines how much we should wait the instance to start up until we give up and exit.
+timeout=70
+((end_time=${SECONDS}+$timeout))
+
+# Checks if the process of the instance is still running.
+# Arguments:
+#   None
+# Returns:
+#   In case it is running, returns 0, otherwise non-zero (exit code of systemctl).
+isProcessRunning() {
+  systemctl is-active --quiet nevisauth@default
+  IS_RUNNING=$?
+  return $IS_RUNNING
+}
+
+# Checks if the instance is up. (Attempts connecting to the instance)
+# Arguments:
+#   None
+# Returns:
+#   If the connection was successful and the instance up (is not broken), returns 0.
+#   If the connection was not successful, returns 1.
+checkInstance() {
+  lsof -i :8991 -sTCP:LISTEN
+  EXIT_CODE=$?
+  return $EXIT_CODE
+}
+
+# This function encapsulates the logic of checking if the process is running and if the instance is up.
+# In case the process is not running, exits with exit code 1.
+# Arguments:
+#   None
+# Returns:
+#   If the instance process is running, returns the result of the instance check function.
+check() {
+ if isProcessRunning
+  then
+    checkInstance
+    CS=$?
+    return $CS
+  else
+    echo "Process is not running."
+    exit 1
+  fi
+}
+
+# Check the status of the instance periodically.
+while ((${SECONDS} < ${end_time}))
+do
+  sleep ${interval}
+  if check
+  then
+    echo "Instance is up."
+    exit 0
+  fi
+done
+
+echo "Exceeded check timeout (70s). Instance is down."
+exit 3

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/etc/nevis/k8s-nli-7dc20659babc66c4401ce0dd.yaml

@@ -0,0 +1,53 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisComponent"
+metadata:
+  name: "nli"
+  namespace: "adn-postit-tknxchng-01-dev"
+  labels:
+    deploymentTarget: "nli"
+  annotations:
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "7dc20659babc66c4401ce0dd"
+spec:
+  type: "NevisLogrend"
+  replicas: 1
+  version: "8.2405.0"
+  gitInitVersion: "1.3.0"
+  runAsNonRoot: true
+  ports:
+    server: 8988
+    management: 8997
+  resources:
+    limits:
+      cpu: "500m"
+      memory: "1000Mi"
+    requests:
+      cpu: "10m"
+      memory: "500Mi"
+  livenessProbe:
+    management:
+      httpGet:
+        path: "/nevislogrend/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+  readinessProbe:
+    server:
+      tcpSocket: true
+      periodSeconds: 5
+      timeoutSeconds: 4
+  startupProbe:
+    server:
+      tcpSocket: true
+      periodSeconds: 5
+      timeoutSeconds: 4
+      failureThreshold: 50
+  podDisruptionBudget:
+    maxUnavailable: "50%"
+  git:
+    tag: "r-46b3c950256851308e60d2bd8d5de9ae4cc6f50e"
+    dir: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli"
+    credentials: "git-credentials"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/etc/nevis/nevislogrend_default.yml

@@ -0,0 +1,18 @@
+schemaVersion: 1.0
+instance:
+  type: "nevislogrend"
+  name: "default"
+  directory: "/var/opt/nevislogrend/default"
+  pid: "systemctl show nevislogrend@default -p MainPID | cut -d '=' -f2"
+  source:
+    url: "/nevisadmin/#/projects/DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/patterns/7dc20659babc66c4401ce0dd"
+    projectKey: "DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT"
+    patternId: "7dc20659babc66c4401ce0dd"
+    patternClass: "ch.nevis.admin.v4.plugin.nevisauth.patterns.NevisLogrendDeployable"
+  resources:
+    ports:
+    - "0.0.0.0:8988"
+  control:
+    start: "systemctl restart nevislogrend@default"
+    stop: "systemctl stop nevislogrend@default"
+    status: "systemctl status nevislogrend@default"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/conf/env.conf

@@ -0,0 +1,14 @@
+RTENV_SECURITY_CHECK=no_shell
+
+# only standalone deployment is supported with nevisAdmin 4
+LOGREND_DEPLOY_TYPE=standalone
+
+JAVA_OPTS=(
+    "-XX:+UseContainerSupport"
+    "-Dfile.encoding=UTF-8"
+    "-XX:MaxRAMPercentage=80.0"
+    "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
+    "-Dotel.javaagent.logging=application"
+    "-Dotel.javaagent.configuration-file=/var/opt/nevislogrend/default/conf/otel.properties"
+    "-Dotel.resource.attributes=service.version=8.2405.0,service.instance.id=$HOSTNAME"
+)

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/conf/logging.yml

@@ -0,0 +1,19 @@
+Configuration:
+  monitorInterval: 60
+  Appenders:
+    Console:
+    - name: "SERVER"
+      target: "SYSTEM_OUT"
+      PatternLayout:
+        pattern: "[nevislogrend.log] %d{ISO8601} %-15.15t %mdc{trace_id} %mdc{span_id} %-40.40c %-5.5p %m%n"
+      RegexFilter:
+        regex: ".*GET /nevislogrend/health.*"
+        onMatch: "DENY"
+        onMismatch: "ACCEPT"
+  Loggers:
+    Logger: []
+    Root:
+      level: "WARN"
+      additivity: "false"
+      AppenderRef:
+      - ref: "SERVER"

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/conf/logrend.properties

@@ -0,0 +1,26 @@
+
+application.accept.loginapplicationidfromuri=no
+application.gui.litdict=yes
+application.gui.substitution=yes
+application.input.charset=UTF-8
+application.inputs.htmlencode=yes
+application.loginapp.current=
+application.loginapp.default=cossa_realm
+application.loginapp.override=header:channel
+application.package.name=nevislogrend
+application.render.content.type=text/html; charset=UTF-8
+application.url.obfuscate=no
+application.webdata.path={0}{2}{1}
+application.webdata.pathparam=logrendresourcepath
+application.webdata.pathparam.default=/login/resources
+cache.revalidate.delay=15
+cache.source=file
+keytag.end=}
+keytag.start=${
+management.healthchecks.enabled=true
+path.config=/var/opt/nevislogrend/default/conf
+path.instance=/var/opt/nevislogrend/default
+server.host=0.0.0.0
+server.name=default
+server.port=8988
+server.protocol=http

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/conf/mimetype.properties

@@ -0,0 +1,3 @@
+ico=image/x-icon
+woff=font/woff
+woff2=font/woff2

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/conf/otel.properties

@@ -0,0 +1,4 @@
+otel.service.name = nli
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/resources/conf/default.properties

@@ -0,0 +1,26 @@
+# source: pattern://8523f0587aa8cfa7008f8171
+application.countries.default=CH
+# source: pattern://8523f0587aa8cfa7008f8171
+cache.file.exempt=
+# source: pattern://8523f0587aa8cfa7008f8171
+cache.filefolder.exempt=
+# source: pattern://8523f0587aa8cfa7008f8171
+application.language.source.1=param:language
+# source: pattern://8523f0587aa8cfa7008f8171
+application.language.source.2=cookie:LANG
+# source: pattern://8523f0587aa8cfa7008f8171
+application.language.source.3=gui
+# source: pattern://8523f0587aa8cfa7008f8171
+application.language.source.4=browser
+# source: pattern://8523f0587aa8cfa7008f8171
+application.languages=en,de,fr,it
+# source: pattern://8523f0587aa8cfa7008f8171
+application.languages.default=en
+# source: pattern://7dc20659babc66c4401ce0dd
+application.language.cookie.en=LANG:en
+# source: pattern://7dc20659babc66c4401ce0dd
+application.language.cookie.de=LANG:de
+# source: pattern://7dc20659babc66c4401ce0dd
+application.language.cookie.fr=LANG:fr
+# source: pattern://7dc20659babc66c4401ce0dd
+application.language.cookie.it=LANG:it

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/resources/conf/text.properties

@@ -0,0 +1,6 @@
+
+language.de=Deutsch
+language.en=English
+language.fr=Français
+language.it=Italiano
+title=NEVIS SSO Portal

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/resources/conf/text_de.properties

@@ -0,0 +1,6 @@
+
+language.de=Deutsch
+language.en=English
+language.fr=Français
+language.it=Italiano
+title=NEVIS SSO Portal

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/resources/conf/text_en.properties

@@ -0,0 +1,6 @@
+
+language.de=Deutsch
+language.en=English
+language.fr=Français
+language.it=Italiano
+title=NEVIS SSO Portal

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/resources/conf/text_fr.properties

@@ -0,0 +1,6 @@
+
+language.de=Deutsch
+language.en=English
+language.fr=Français
+language.it=Italiano
+title=NEVIS SSO Portal

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/resources/conf/text_it.properties

@@ -0,0 +1,6 @@
+
+language.de=Deutsch
+language.en=English
+language.fr=Français
+language.it=Italiano
+title=NEVIS SSO Portal

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/authcloud_login.js

@@ -0,0 +1,165 @@
+let baseURL; // base URL
+let statusToken; // used to check progress
+let dispatcherElement; // to display link or QR code
+let infoElement; // to display info text
+let errorElement; // to display error text
+
+function addInput(form, name, value) {
+  const input = document.createElement("input");
+  input.name = name;
+  input.value = value;
+  form.appendChild(input);
+}
+
+function submitStatus(status) {
+  // we have to do a form POST instead of AJAX
+  const form = document.createElement("form");
+  form.method = "POST";
+  form.style.display = "none";
+  addInput(form, "status", status);
+  document.body.appendChild(form);
+  form.submit();
+}
+
+const Status = {
+    _pollInterval: 2 * 1000, // Check every 2 seconds
+    latest: null,
+
+    startPolling: function (token, uiCallback) {
+        let interval = setInterval(async () => {
+            await this._check(token).then(function (resp) {
+                console.log("Polling status: %o", resp);
+                uiCallback && uiCallback(resp, false);
+                return Status.latest = resp;
+            })
+            .catch(function (err) {
+                console.error("Error during polling: %o", err);
+                return false;
+            });
+            if (Status.latest && (Status.latest.status === 'succeeded' || Status.latest.status === 'failed' || Status.latest.status === 'unknown')) {
+                // Done!
+                console.log('Latest status is: %o', this.latest);
+                uiCallback && uiCallback(this.latest, true);
+                clearInterval(interval);
+            }
+        }, this._pollInterval);
+    },
+
+    _check: async function (token) {
+        const payload = { statusToken: token };
+        const response = await fetch(baseURL + 'api/v1/status', {
+            method: 'POST',
+            mode: 'cors',
+            cache: 'no-cache',
+            credentials: 'omit',
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json;charset=utf-8'
+            },
+            body: JSON.stringify(payload),
+            redirect: 'follow',
+            referrerPolicy: 'no-referrer'
+        });
+
+        return await response.json();
+    }
+};
+
+function setDeepLinkLabel(button) {
+    const text = document.getElementsByName('info.deeplink')[0].value;
+    button.innerHTML = text;
+}
+
+function messageScanQR() {
+    const text = document.getElementsByName('info.qrcode')[0].value;
+    infoElement.innerHTML = text;
+}
+
+function messageCheckPhone() {
+    const text = document.getElementsByName('info.check.phone')[0].value;
+    infoElement.innerHTML = text;
+}
+
+const Element = {
+
+    _elem: null, // QR code or deep link depending on device
+
+    show: function (appLink) {
+        const userAgent = navigator.userAgent || navigator.vendor || window.opera;
+        const isIphone = 'iPhone' === navigator.platform;
+        const isAndroid = /android/i.test(userAgent) && /mobile/i.test(userAgent);
+        if (isAndroid || isIphone) {
+            this._elem = document.createElement('a');
+            this._elem.setAttribute('href', appLink);
+            this._elem.setAttribute('class', 'btn btn-primary');
+            this._elem.setAttribute('target', '_blank');
+            dispatcherElement.appendChild(this._elem);
+            setDeepLinkLabel(this._elem);
+        }
+        else {
+            const authenticationType = document.getElementsByName('authenticationType')[0].value;
+            if (authenticationType == 'push') {
+                messageCheckPhone();
+            }
+            else {
+                messageScanQR();
+                this._elem = document.createElement('canvas');
+                dispatcherElement.appendChild(this._elem);
+                var qrcode = new QRious({
+                  element: this._elem,
+                  foreground: "#168CA9",
+                  level: "M",
+                  size: 280,
+                  value: appLink
+                });
+            }
+        }
+    },
+
+    hide: function() {
+        // hide the element which was shown
+        if (this._elem != null) {
+            this._elem.style.display = "none";
+        }
+    }
+};
+
+function authenticateUser(appLink) {
+    Element.show(appLink);
+    console.log('Starting Authentication Cloud status polling...');
+    Status.startPolling(statusToken, (st, done) => {
+        if (st.status === 'succeeded') {
+            console.log('Authentication Cloud login done.');
+            submitStatus('succeeded')
+        }
+        else if (st.status === 'failed') {
+            // failed: The transaction failed, either by timeout or because the user did not accept.
+            console.warn('Authentication Cloud login failed. User abort or timeout.');
+            submitStatus('failed')
+        }
+        else if (st.status === 'unknown') {
+            console.error('Authentication Cloud login failed. Unknown status.');
+            submitStatus('unknown')
+        }
+    });
+}
+
+function init() {
+
+    const form = document.getElementById('authcloud_login');
+
+    baseURL = form.url.value;
+    statusToken = form.statusToken.value;
+
+    infoElement = document.getElementById('authcloud_info');
+    errorElement = document.getElementById('authcloud_error');
+
+    dispatcherElement = document.getElementById('authcloud_dispatch');
+
+    const appLink = form.appLink.value;
+    authenticateUser(appLink);
+}
+
+window.onload = function() {
+  init();
+};

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/authcloud_onboard.js

@@ -0,0 +1,154 @@
+let baseURL; // base URL
+let statusToken; // used to check progress
+let dispatcherElement; // to display link or QR code
+let infoElement; // to display info text
+let errorElement; // to display error text
+
+function addInput(form, name, value) {
+  const input = document.createElement("input");
+  input.name = name;
+  input.value = value;
+  form.appendChild(input);
+}
+
+function submitStatus(status) {
+  // we have to do a form POST instead of AJAX
+  const form = document.createElement("form");
+  form.method = "POST";
+  form.style.display = "none";
+  addInput(form, "status", status);
+  document.body.appendChild(form);
+  form.submit();
+}
+
+const Status = {
+    _pollInterval: 2 * 1000, // Check every 2 seconds
+    latest: null,
+
+    startPolling: function (token, uiCallback) {
+        let interval = setInterval(async () => {
+            await this._check(token).then(function (resp) {
+                console.log("Polling status: %o", resp);
+                uiCallback && uiCallback(resp, false);
+                return Status.latest = resp;
+            })
+            .catch(function (err) {
+                console.error("Error during polling: %o", err);
+                return false;
+            });
+            if (Status.latest && (Status.latest.status === 'succeeded' || Status.latest.status === 'failed' || Status.latest.status === 'unknown')) {
+                // Done!
+                console.log('Latest status is: %o', this.latest);
+                uiCallback && uiCallback(this.latest, true);
+                clearInterval(interval);
+            }
+        }, this._pollInterval);
+    },
+
+    _check: async function (token) {
+        const payload = { statusToken: token };
+        const response = await fetch(baseURL + 'api/v1/status', {
+            method: 'POST',
+            mode: 'cors',
+            cache: 'no-cache',
+            credentials: 'omit',
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json;charset=utf-8'
+            },
+            body: JSON.stringify(payload),
+            redirect: 'follow',
+            referrerPolicy: 'no-referrer'
+        });
+
+        return await response.json();
+    }
+};
+
+function setDeepLinkLabel(button) {
+    const text = document.getElementsByName('info.deeplink')[0].value;
+    button.innerHTML = text;
+}
+
+function messageScanQR() {
+    const text = document.getElementsByName('info.qrcode')[0].value;
+    infoElement.innerHTML = text;
+}
+
+const Element = {
+
+    _elem: null, // QR code or deep link depending on device
+
+    show: function (appLink) {
+        const userAgent = navigator.userAgent || navigator.vendor || window.opera;
+        const isIphone = 'iPhone' === navigator.platform;
+        const isAndroid = /android/i.test(userAgent) && /mobile/i.test(userAgent);
+        if (isAndroid || isIphone) {
+            this._elem = document.createElement('a');
+            this._elem.setAttribute('href', appLink);
+            this._elem.setAttribute('class', 'btn btn-primary');
+            this._elem.setAttribute('target', '_blank');
+            dispatcherElement.appendChild(this._elem);
+            setDeepLinkLabel(this._elem);
+        }
+        else {
+            messageScanQR();
+            this._elem = document.createElement('canvas');
+            dispatcherElement.appendChild(this._elem);
+            var qrcode = new QRious({
+              element: this._elem,
+              foreground: "#168CA9",
+              level: "M",
+              size: 280,
+              value: appLink
+            });
+        }
+    },
+
+    hide: function() {
+        // hide the element which was shown
+        if (this._elem != null) {
+            this._elem.style.display = "none";
+        }
+    }
+};
+
+function onboardUser(appLink) {
+    Element.show(appLink);
+    console.log('Starting Authentication Cloud status polling...');
+    Status.startPolling(statusToken, (st, done) => {
+        if (st.status === 'succeeded') {
+            console.log('Authentication Cloud onboarding done.');
+            submitStatus('succeeded')
+        }
+        else if (st.status === 'failed') {
+            // failed: The transaction failed, either by timeout or because the user did not accept.
+            console.warn('Authentication Cloud onboarding failed. User abort or timeout.');
+            submitStatus('failed')
+        }
+        else if (st.status === 'unknown') {
+            console.error('Authentication Cloud onboarding failed. Unknown status.');
+            submitStatus('unknown')
+        }
+    });
+}
+
+function init() {
+
+    const form = document.getElementById('authcloud_onboard');
+
+    baseURL = form.url.value;
+    statusToken = form.statusToken.value;
+
+    infoElement = document.getElementById('authcloud_info');
+    errorElement = document.getElementById('authcloud_error');
+
+    dispatcherElement = document.getElementById('authcloud_dispatch');
+
+    const appLink = form.appLink.value;
+    onboardUser(appLink);
+}
+
+window.onload = function() {
+  init();
+};

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/base64.js

@@ -0,0 +1,87 @@
+/*
+ * Base64URL-ArrayBuffer
+ * https://github.com/herrjemand/Base64URL-ArrayBuffer
+ *
+ * Copyright (c) 2017 Yuriy Ackermann <ackermann.yuriy@gmail.com>
+ * Copyright (c) 2012 Niklas von Hertzen
+ * Licensed under the MIT license.
+ *
+ */
+(function() {
+    "use strict";
+
+    var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+
+    // Use a lookup table to find the index.
+    var lookup = new Uint8Array(256);
+    for (var i = 0; i < chars.length; i++) {
+        lookup[chars.charCodeAt(i)] = i;
+    }
+
+    var encode = function(arraybuffer) {
+        var bytes = new Uint8Array(arraybuffer),
+        i, len = bytes.length, base64 = "";
+
+        for (i = 0; i < len; i+=3) {
+            base64 += chars[bytes[i] >> 2];
+            base64 += chars[((bytes[i] & 3) << 4) | (bytes[i + 1] >> 4)];
+            base64 += chars[((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >> 6)];
+            base64 += chars[bytes[i + 2] & 63];
+        }
+
+        if ((len % 3) === 2) {
+            base64 = base64.substring(0, base64.length - 1);
+        } else if (len % 3 === 1) {
+            base64 = base64.substring(0, base64.length - 2);
+        }
+
+        return base64;
+    };
+
+    var decode = function(base64) {
+        var bufferLength = base64.length * 0.75,
+        len = base64.length, i, p = 0,
+        encoded1, encoded2, encoded3, encoded4;
+
+        var arraybuffer = new ArrayBuffer(bufferLength),
+        bytes = new Uint8Array(arraybuffer);
+
+        for (i = 0; i < len; i+=4) {
+            encoded1 = lookup[base64.charCodeAt(i)];
+            encoded2 = lookup[base64.charCodeAt(i+1)];
+            encoded3 = lookup[base64.charCodeAt(i+2)];
+            encoded4 = lookup[base64.charCodeAt(i+3)];
+
+            bytes[p++] = (encoded1 << 2) | (encoded2 >> 4);
+            bytes[p++] = ((encoded2 & 15) << 4) | (encoded3 >> 2);
+            bytes[p++] = ((encoded3 & 3) << 6) | (encoded4 & 63);
+        }
+
+        return arraybuffer;
+    };
+
+     /**
+     * Exporting and stuff
+     */
+    if (typeof module !== 'undefined' && typeof module.exports !== 'undefined') {
+        module.exports = {
+            'encode': encode,
+            'decode': decode
+        }
+
+    } else {
+        if (typeof define === 'function' && define.amd) {
+            define([], function() {
+                return {
+                    'encode': encode,
+                    'decode': decode
+                }
+            });
+        } else {
+            window.base64url = {
+                'encode': encode,
+                'decode': decode
+            }
+        }
+    }
+})();

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/default.css

@@ -0,0 +1,222 @@
+/********************************************************
+ * Layout
+ ********************************************************/
+
+html { /* magic to position footer */
+	position: relative;
+	min-height: 100%;
+}
+
+body {
+	margin-bottom: 76px; /* == footer height */
+}
+
+.container, .container-fluid {
+ 	padding-left: 36px;
+	padding-right: 36px;
+}
+
+nav {
+	min-height: 100px;
+	padding: 36px;
+}
+
+header {
+	margin-bottom: 16px; /* h1.logintitle adds 20px => 36px */
+}
+
+.container {
+ 	min-width: 260px;
+ 	max-width: 700px;
+}
+
+h1 {
+	margin-bottom: 50px;
+}
+
+footer {
+	width: 100%;
+	position: absolute;
+	bottom: 0;
+	padding: 0 36px;
+}
+
+img {
+	width: 100%;
+}
+
+/********************************************************
+ * Header
+ ********************************************************/
+
+header .logo {
+	/* width: 20%;*/
+	/*max-width: 600px;*/
+	max-height: 150px;
+	width: auto;
+}
+
+/********************************************************
+ * Dropdown
+ ********************************************************/
+a.dropdown-toggle {
+	text-decoration: none;
+}
+
+a.dropdown-toggle:hover {
+	color: #168CA9;
+	border-bottom: 3px solid #168CA9;
+}
+
+.dropdown-menu {
+	padding: 5px 0;
+}
+
+.dropdown-menu li > a {
+	padding: 6px 28px;
+}
+
+.dropdown-menu a > .prefix {
+	display: inline-block;
+	min-width: 22px;
+	margin-right: 28px;
+	text-align: right;
+}
+
+/********************************************************
+ * Form
+ ********************************************************/
+
+/* Labels should not be bold */
+label {
+	font-weight: normal;
+}
+
+/* Make error messages bold */
+.has-error .help-block {
+	font-weight: bold;
+}
+
+/* Change button size, by default 116px in width */
+.btn {
+	min-width: 116px;
+	padding: 3px 12px;
+}
+
+/* Disable gradient in buttons, ughhhh */
+.btn.btn-primary {
+	border-color: transparent;
+	background-image: none;
+	text-shadow: none;
+	box-shadow: none;
+	-webkit-box-shadow: none;
+}
+
+.help-block a, .help-block a:visited {
+	color: #168CA9;
+  font-weight: bold;
+  text-decoration: none;
+}
+
+.help-block a:hover {
+	color: #168CA9;
+  text-decoration: underline;
+}
+
+/********************************************************
+ * Footer
+ ********************************************************/
+footer .row {
+	margin: 36px 0 0 0;
+	height: 40px;
+	padding-top: 14px;
+	line-height: 26px; /* to center text: height - padding-top = 26px */
+	border-top: 1px solid #168CA9;
+}
+
+footer .row > div { /* Fix alignment between border + text on Bootstrap grid */
+	padding: 0;
+}
+
+footer .logo-round-container {
+	position: relative;
+}
+
+footer .logo-round {
+	position: absolute;
+	left: 0;
+	right: 0;
+	top: -33px; /* found visually with Chrome Dev Tools */
+	height: 36px;
+	width: 36px;
+	border: 1px solid #00868c;
+	border-radius: 18px;
+	background: #fff;
+	padding: 8px;
+}
+
+footer .logo-round > img {
+	display: block;
+}
+
+#dispatchTargets {
+	margin-top: 20px;
+}
+
+/********************************************************
+ * Social login
+ ********************************************************/
+.btn.line {
+    background-color: transparent;
+    display: block;
+    width: 100%;
+    padding: 0;
+    margin: 1.5em 0 1em;
+    border: 0.5px solid #ccc;
+    pointer-events: none;
+}
+
+.btn.socialLogin {
+    background-color: #fff;
+    border: thin solid #ccc;
+    color: #000;
+    font-weight: 600;
+    position: relative;
+    margin: 5px;
+    min-width: 140px;
+    width: 210px;
+    border-radius: 8px;
+    padding: 8px 12px;
+    text-align: left;
+}
+
+.socialLogin img {
+    width: 1.5em;
+    height: 108%;
+    margin-right: 0.5em;
+}
+
+.btn.apple img {
+    width: 1.2em;
+}
+
+/********************************************************
+ * Show password
+ ********************************************************/
+.icon-inside {
+  position: relative;
+}
+
+.icon-inside input {
+  padding-right: calc(0.75rem + 1.25rem + 0.75rem);
+}
+
+.icon-inside button {
+  position: absolute;
+  right: 0;
+  top: 0;
+  margin-top: 0.45rem;
+  margin-right: 0.45rem;
+  background: #FFFFFF;
+  border: #FFFFFF;
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/dropdown.js

@@ -0,0 +1,36 @@
+(function() {
+  var closeDropdownTimeout;
+
+  function closeDropdown(event) {
+    var dropdowns = document.querySelectorAll('.dropdown');
+    for (var i = 0; i < dropdowns.length; i++) {
+      var dropdownMenu = dropdowns[i].querySelector('.dropdown-menu');
+      if (dropdownMenu.style.display !== 'none' && !dropdowns[i].contains(event.target)) {
+        dropdownMenu.style.display = 'none';
+      }
+    }
+
+    // remove event listener till we have a new dropdown menu open
+    if (document.querySelector('.dropdown-menu:not([style*="display: none"])') === null) {
+      document.removeEventListener('click', closeDropdown);
+    }
+  }
+
+  var dropdowns = document.querySelectorAll('.dropdown');
+  for (var i = 0; i < dropdowns.length; i++) {
+    var dropdownMenu = dropdowns[i].querySelector('.dropdown-menu');
+    dropdownMenu.style.display = 'none'; // ensure menu is initially hidden
+
+    dropdowns[i].addEventListener('click', function(e) {
+      // show dropdown menu
+      var dropdownMenu = this.querySelector('.dropdown-menu');
+      dropdownMenu.style.display = 'block';
+
+      // handle clicking away
+      clearTimeout(closeDropdownTimeout);
+      closeDropdownTimeout = setTimeout(function() {
+        document.addEventListener('click', closeDropdown);
+      }, 10);
+    });
+  }
+}());

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/e2eenc.js

@@ -0,0 +1,98 @@
+var e2eenc = function() {
+
+	this.encryptForm = function(algoString, formId) {
+		// TODO: in case of an error we should return false, to prevent the for to be submitted
+		//       or replace the fields with dummy values, just to prevent the the transmission
+		//       of unencrypted values
+		
+
+		// create the array of input fields to encrypt (needs to be done before setting the form
+		// invisible
+		var fieldsToEncrypt = new Array();
+		$.each($("form input:visible"), function(index, _inputField) { fieldsToEncrypt.push($(_inputField));});
+
+		// hide the form, and display the splash screen
+		$('#loginform').css('display','none');
+		$('#e2eeSplashScreen').css('display','block');
+
+		// encryption logic
+		var pubKey = $("input[name='e2eenc.publicKey']").val();
+
+		var kemSessionKey = readPublicKeyAndGenerateSessionKey(pubKey)
+		var iv = forge.random.getBytesSync(16);
+		keyB64 = forge.util.encode64(kemSessionKey.key);
+		encapsulationB64 = forge.util.encode64(kemSessionKey.encapsulation);
+		ivB64 = forge.util.encode64(iv);
+
+		//console.log("Encrypting form " + formId + " (" + algoString + ")");
+		var fields = "";
+		$.each(fieldsToEncrypt, function(index, _inputField) {
+			var inputField = $(_inputField);
+			if (inputField.attr("type") == "text" || inputField.attr("type") == "password") {
+				//console.log("Encrypting field " + JSON.stringify(inputField));
+				var plainValue = inputField.val();
+
+				var encryptedValueB64 = encrypt(kemSessionKey, iv, plainValue);
+				//console.log("Setting encrypted value in b64: " + encryptedValueB64);
+				inputField.val(encryptedValueB64);
+				if (fields.length > 0) {
+					fields = fields + ","
+				}
+				fields = fields + inputField.attr("name");
+			}
+		});
+		$("input[name='e2eenc.iv']").val(ivB64);
+		$("input[name='e2eenc.encapsulation']").val(encapsulationB64);
+		$("input[name='e2eenc.fields']").val(fields);
+	}
+
+	function getRSApublicKey(pem) {
+	    //console.log("PEM: " + pem);
+
+	    var msg = forge.pem.decode(pem)[0];
+
+	    //console.log("msg type: " + msg.type);
+
+	    if(msg.procType && msg.procType.type === 'ENCRYPTED') {
+		throw new Error('Could not retrieve RSA public key from PEM; PEM is encrypted.');
+	    }
+
+	    // convert DER to ASN.1 object
+	    var asn1obj = forge.asn1.fromDer(msg.body);
+	    //console.log("ASN.1 obj: " + JSON.stringify(asn1obj))
+
+	    var pubKey = forge.pki.publicKeyFromAsn1(asn1obj)
+	    //console.log("PubKey: " + JSON.stringify(pubKey))
+	    return pubKey;
+	}
+
+	function generateKEMSessionKey(rsaPublicKey) {
+	    // generate key-derivation-function and initializes it with sha1
+	    var kdf1 = new forge.kem.kdf1(forge.md.sha1.create());
+	    // creates a KEM function based on the key-derivation-function created above
+	    var kem = forge.kem.rsa.create(kdf1);
+	    // generate and encapsulate a 16-byte secret key. 
+	    // The secret key is generated using the kdf defined above.
+	    var kemSessionKey = kem.encrypt(rsaPublicKey, 16);
+	    // kemSessionKey has 'encapsulation' (= pub key) and 'key' (= generated secret key)
+	    return kemSessionKey;
+	}
+
+	function readPublicKeyAndGenerateSessionKey(pem) {
+	    var rsaPublicKey = getRSApublicKey(pem);
+	    //console.log("PubKey: " + JSON.stringify(rsaPublicKey))
+	    var kemSessionKey = generateKEMSessionKey(rsaPublicKey);
+	    //console.log("KEM session key: " + JSON.stringify(kemSessionKey))
+	    return kemSessionKey;
+	}
+
+	function encrypt(kemSessionKey, iv, msg) {
+		var cipher = forge.cipher.createCipher('AES-CBC', kemSessionKey.key);
+		cipher.start({iv: iv});
+		cipher.update(forge.util.createBuffer(msg, 'utf-8'));
+		cipher.finish();
+		var encrypted = cipher.output.getBytes();
+		encryptedB64 = forge.util.encode64(encrypted);
+		return encryptedB64;
+	}
+};

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/eye-off.svg

@@ -0,0 +1,3 @@
+<svg width="22" height="20" viewBox="0 0 22 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M2 1L5.58916 4.58916M20 19L16.4112 15.4112M12.8749 16.8246C12.2677 16.9398 11.6411 17 11.0005 17C6.52281 17 2.73251 14.0571 1.45825 9.99997C1.80515 8.8955 2.33851 7.87361 3.02143 6.97118M8.87868 7.87868C9.42157 7.33579 10.1716 7 11 7C12.6569 7 14 8.34315 14 10C14 10.8284 13.6642 11.5784 13.1213 12.1213M8.87868 7.87868L13.1213 12.1213M8.87868 7.87868L5.58916 4.58916M13.1213 12.1213L5.58916 4.58916M13.1213 12.1213L16.4112 15.4112M5.58916 4.58916C7.14898 3.58354 9.00656 3 11.0004 3C15.4781 3 19.2684 5.94291 20.5426 10C19.8357 12.2507 18.3545 14.1585 16.4112 15.4112" stroke="#6D7C80" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/eye.svg

@@ -0,0 +1,4 @@
+<svg width="22" height="16" viewBox="0 0 22 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+    <path d="M14 8C14 9.65685 12.6569 11 11 11C9.34315 11 8 9.65685 8 8C8 6.34315 9.34315 5 11 5C12.6569 5 14 6.34315 14 8Z" stroke="#6D7C80" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+    <path d="M1.45825 7.99997C2.73253 3.94288 6.52281 1 11.0004 1C15.4781 1 19.2684 3.94291 20.5426 8.00004C19.2684 12.0571 15.4781 15 11.0005 15C6.52281 15 2.73251 12.0571 1.45825 7.99997Z" stroke="#6D7C80" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/fido2_auth.js

@@ -0,0 +1,61 @@
+(function() {
+  'use strict'
+
+  async function assertion(options) {
+    let credential;
+    try {
+      credential = await navigator.credentials.get({ "publicKey": options });
+    }
+    // Cancel and timeout can occur besides error
+    catch (error) {
+      console.error(`Failed to get WebAuthn credential: ${error}`);
+      throw error;
+    }
+    // as this is the last call we have to do a top-level request instead of AJAX
+    const form = document.createElement("form");
+    form.method = "POST";
+    form.style.display = "none";
+    addInput(form, "path", "/nevisfido/fido2/assertion/result")
+    addInput(form, "id", credential.id);
+    addInput(form, "type", credential.type);
+    addInput(form, "response.clientDataJSON", base64url.encode(credential.response.clientDataJSON));
+    addInput(form, "response.authenticatorData", base64url.encode(credential.response.authenticatorData));
+    addInput(form, "response.signature", base64url.encode(credential.response.signature));
+    document.body.appendChild(form);
+    form.submit();
+  }
+
+  function authenticate() {
+    // WebAuthn feature detection
+    if (!isWebAuthnSupportedByTheBrowser()) {
+      cancelFido2();
+      return;
+    };
+
+    const request = {};
+    request.path = "/nevisfido/fido2/attestation/options";
+
+    // calling nevisFIDO through nevisAuth on current URL using AJAX
+    fetch("", {
+      method: "POST",
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(request)
+    })
+    .then(res => res.json())
+    .then(options => {
+      options.challenge = base64url.decode(options.challenge);
+      options.allowCredentials = options.allowCredentials.map((c) => {
+        c.id = base64url.decode(c.id);
+        return c;
+      });
+      return assertion(options);
+    }).catch((error) => {
+      console.error(`Error during FIDO2 authentication: ${error}`);
+      cancelFido2();
+    });
+  }
+
+  authenticate();
+})();

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/fido2_auth_std.js

@@ -0,0 +1,175 @@
+(function() {
+    'use strict'
+
+    async function authenticate(username, params) {
+
+        try {
+            const { authenticationOptionsEndpoint, authenticationEndpoint, statusServiceEndpoint, userVerification, originalResource, nevisAuthEndpoint } = params;
+            const { startAuthentication } = SimpleWebAuthnBrowser;
+
+            // fetch authentication options from nevisFIDO and save the returned fido2SessionId for later use
+            const authOptRespJson = await getAuthenticationOptions(username, userVerification, nevisAuthEndpoint);
+            const fido2SessionId = authOptRespJson.fido2SessionId;
+
+            // do the client side authentication using the SimpleWebAuthn JS library
+            const authRespJson = await startAuthentication(authOptRespJson);
+
+            // in case the authentication response does not contain a userHandle (e.g. virtual authenticators used in system tests)
+            // then we have to obtain it (in our case it is the IDM extId) using the Status Service since at the moment nevisFIDO always expects it
+            if (!authRespJson.response.userHandle) {
+                const statusRespJson = await getFido2SessionStatus(fido2SessionId, statusServiceEndpoint);
+
+                if (statusRespJson && statusRespJson.userId) {
+                    console.log("adding userHandle: " + statusRespJson.userId);
+                    authRespJson.response.userHandle = btoa(statusRespJson.userId); // add missing userHandle
+                }
+                else {
+                   throw new Error('userHandle is missing and could not determine it using the status service');
+                }
+            }
+            else {
+                console.log("userHandle already set: " + authRespJson.response.userHandle);
+            }
+
+            // send the assertion response created by the authenticator to nevisFIDO
+            const serverRespJson = await submitAssertion(authRespJson, authenticationEndpoint);
+
+            // checking the server response of nevisFIDO
+            if ((!serverRespJson) || (serverRespJson && serverRespJson.status !== 'ok')) {
+                let errorMessage = (serverRespJson && serverRespJson.errorMessage) ? serverRespJson.errorMessage : 'unexpected error';
+                throw new Error('authentication failed: ' + errorMessage);
+            }
+
+            // send a request to nevisAuth with the fido2SessionId in the header to trigger the synchronisation of the
+            // nevisFIDO and nevisAuth sessions (FIDO2 AuthState -> SyncFido2SessionStatusHandler) to reach AUTH_DONE
+            await updateNevisAuth(fido2SessionId, nevisAuthEndpoint);
+
+            console.log('authentication was successful');
+
+            console.log('reloading page...');
+            window.location.reload();
+        }
+        catch (error) {
+            console.error(`Error during FIDO2 authentication: ${error}`);
+            cancelFido2();
+        }
+    };
+
+    async function getAuthenticationOptions(username, userVerification, authenticationOptionsEndpoint) {
+
+        const authOptReqJson = {
+            'username': username,
+            'userVerification': userVerification,
+        };
+
+        const authOptReq = JSON.stringify(authOptReqJson);
+        console.log('authOptReq ==> ' + authOptReq);
+
+        const authOptResp = await fetch(authenticationOptionsEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            body: authOptReq,
+        });
+
+        if (!authOptResp.ok) {
+            throw new Error('authOptResp error: HTTP ' + authOptResp.status + ' ' + authOptResp.statusText);
+        }
+
+        const authOptRespJson = await authOptResp.json()
+        console.log('authOptResp <== ' + JSON.stringify(authOptRespJson));
+
+        return authOptRespJson;
+    };
+
+    async function getFido2SessionStatus(fido2SessionId, statusServiceEndpoint) {
+
+        const statusReqJson = {
+            'fido2SessionId': fido2SessionId,
+        };
+
+        const statusReq = JSON.stringify(statusReqJson);
+        console.log('statusReq ==> ' + statusReq);
+
+        const statusResp = await fetch(statusServiceEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            body: statusReq,
+        });
+
+        if (!statusResp.ok) {
+            throw new Error('statusResp error: HTTP ' + statusResp.status + ' ' + statusResp.statusText);
+        }
+
+        const statusRespJson = await statusResp.json();
+        console.log('statusResp <== ' + JSON.stringify(statusRespJson));
+
+        return statusRespJson;
+    }
+
+    async function submitAssertion(authRespJson, authenticationEndpoint) {
+
+        console.log("submitting assertion for userHandle: " + authRespJson.response.userHandle);
+
+        // TODO koenig 20230504: read btoa once nevisFIDO is adapted
+        let encodedAuthResp = {
+            "id": authRespJson.id,
+            "response": {
+                "authenticatorData": authRespJson.response.authenticatorData,
+                "signature": authRespJson.response.signature,
+                "userHandle": authRespJson.response.userHandle,
+                "clientDataJSON": authRespJson.response.clientDataJSON
+            },
+            "type": authRespJson.type
+        }
+
+        const authResp = JSON.stringify(encodedAuthResp);
+        console.log('authResp ==> ' + authResp);
+
+        const serverResp = await fetch(authenticationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            body: authResp,
+        });
+
+        if (!serverResp.ok) {
+            throw new Error('submitAssertion error: HTTP ' + submitAssertion.status + ' ' + submitAssertion.statusText);
+        }
+
+        const serverRespJson = await serverResp.json();
+        console.log('serverResp <== ' + JSON.stringify(serverRespJson));
+
+        return serverRespJson;
+    };
+
+    async function updateNevisAuth(fido2SessionId, nevisAuthEndpoint) {
+
+        console.log('updateNevisAuth ==> ' + fido2SessionId);
+
+        const updateNevisAuthResponse = await fetch(nevisAuthEndpoint, {
+            method: 'GET',
+            credentials: 'same-origin',
+            headers: {
+                'nevis-fido2-session-id': fido2SessionId,
+            }
+        });
+
+        if (!updateNevisAuthResponse.ok) {
+            throw new Error('updateNevisAuthResponse error: HTTP ' + updateNevisAuthResponse.status + ' ' + updateNevisAuthResponse.statusText);
+        }
+
+        console.log('updateNevisAuth <== OK');
+
+        return;
+    };
+
+    // TODO koenig 20230206: we don't generate IDs into the HTML yet
+    let username = document.getElementsByName("username")[0].value;
+    params.nevisAuthEndpoint = window.location.href;
+    authenticate(username, params);
+})();

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/fido2_onboard.js

@@ -0,0 +1,70 @@
+function dispatch(name) {
+  // we have to do a top-level request instead of AJAX
+  const form = document.createElement("form");
+  form.method = "POST";
+  form.style.display = "none";
+  addInput(form, name, "true");
+  document.body.appendChild(form);
+  form.submit();
+}
+
+async function attestation(options) {
+  let credential;
+  try {
+    credential = await navigator.credentials.create({ "publicKey": options });
+  }
+  // cancel and timeout can occur besides error
+  catch (error) {
+    console.error(`Failed to create WebAuthn credential: ${error}`);
+    throw error;
+  }
+  // as this is the last call we have to do a top-level request instead of AJAX
+  const form = document.createElement("form");
+  form.method = "POST";
+  form.style.display = "none";
+  addInput(form, "path", "/nevisfido/fido2/attestation/result")
+  addInput(form, "id", credential.id);
+  addInput(form, "type", credential.type);
+  addInput(form, "response.clientDataJSON", base64url.encode(credential.response.clientDataJSON));
+  addInput(form, "response.attestationObject", base64url.encode(credential.response.attestationObject));
+  document.body.appendChild(form);
+  form.submit();
+}
+
+function start() {
+
+  if (!isWebAuthnSupportedByTheBrowser()) {
+    dispatch("unsupported");
+    return;
+  };
+
+  const request = {};
+  request.path = "/nevisfido/fido2/attestation/options";
+
+  // calling nevisFIDO through nevisAuth on current URL using AJAX
+  fetch("", {
+    method: "POST",
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify(request)
+  })
+  .then(res => res.json())
+  .then(options => {
+    options.user.id = base64url.decode(options.user.id);
+    options.challenge = base64url.decode(options.challenge);
+    if (options.excludeCredentials != null) {
+      options.excludeCredentials = options.excludeCredentials.map((c) => {
+        c.id = base64url.decode(c.id);
+        return c;
+      });
+    }
+    if (options.authenticatorSelection.authenticatorAttachment === null) {
+      options.authenticatorSelection.authenticatorAttachment = undefined;
+    }
+    return attestation(options);
+  }).catch((error) => {
+    console.log('Error during FIDO2 onboarding: ' + error);
+    dispatch("failed");
+  });
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/fido2_utils.js

@@ -0,0 +1,40 @@
+function addInput(form, name, value) {
+    const input = document.createElement("input");
+    input.name = name;
+    input.value = value;
+    form.appendChild(input);
+}
+
+/**
+ * Checks whether WebAuthn is supported by the browser or not.
+ * @return true if supported, false if it is not supported or not in secure context
+ */
+function isWebAuthnSupportedByTheBrowser() {
+  if (window.isSecureContext) {
+    // This feature is available only in secure contexts in some or all supporting browsers.
+    if ('credentials' in navigator) {
+      return true;
+    }
+    console.warn('Oh no! This browser does not support WebAuthn.');
+    return false;
+  }
+  console.warn('WebAuthn feature is available only in secure contexts. For testing over HTTP, you can use the origin "localhost".');
+  return false;
+}
+
+/**
+ * Trigger on cancel pattern of the FIDO2 authentication step.
+ * 
+ * Provides an alternative when the user decides to 
+ * cancel the fido2 credential operation(create or fetch) or
+ * the operation fails and the error cannot be handled.
+ */
+function cancelFido2() {
+  // we have to do a top-level request instead of AJAX
+  const form = document.createElement("form");
+  form.method = "POST";
+  form.style.display = "none";
+  addInput(form, "cancel_fido2", "true");
+  document.body.appendChild(form);
+  form.submit();
+}

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/icons/apple/black.svg

@@ -0,0 +1 @@
+<svg width="842" height="1e3" xmlns="http://www.w3.org/2000/svg"><path d="M702 960c-54.2 52.6-114 44.4-171 19.6-60.6-25.3-116-26.9-180 0-79.7 34.4-122 24.4-170-19.6-271-279-231-704 77-720 74.7 4 127 41.3 171 44.4 65.4-13.3 128-51.4 198-46.4 84.1 6.8 147 40 189 99.7-173 104-132 332 26.9 396-31.8 83.5-72.6 166-141 227zM423 237C414.9 113 515.4 11 631 1c15.9 143-130 250-208 236z"/></svg>

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/icons/google/google.svg

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg viewBox="0 0 24 24" width="24" height="24" xmlns="http://www.w3.org/2000/svg">
+  <g transform="matrix(1, 0, 0, 1, 27.009001, -39.238998)">
+    <path fill="#4285F4" d="M -3.264 51.509 C -3.264 50.719 -3.334 49.969 -3.454 49.239 L -14.754 49.239 L -14.754 53.749 L -8.284 53.749 C -8.574 55.229 -9.424 56.479 -10.684 57.329 L -10.684 60.329 L -6.824 60.329 C -4.564 58.239 -3.264 55.159 -3.264 51.509 Z"/>
+    <path fill="#34A853" d="M -14.754 63.239 C -11.514 63.239 -8.804 62.159 -6.824 60.329 L -10.684 57.329 C -11.764 58.049 -13.134 58.489 -14.754 58.489 C -17.884 58.489 -20.534 56.379 -21.484 53.529 L -25.464 53.529 L -25.464 56.619 C -23.494 60.539 -19.444 63.239 -14.754 63.239 Z"/>
+    <path fill="#FBBC05" d="M -21.484 53.529 C -21.734 52.809 -21.864 52.039 -21.864 51.239 C -21.864 50.439 -21.724 49.669 -21.484 48.949 L -21.484 45.859 L -25.464 45.859 C -26.284 47.479 -26.754 49.299 -26.754 51.239 C -26.754 53.179 -26.284 54.999 -25.464 56.619 L -21.484 53.529 Z"/>
+    <path fill="#EA4335" d="M -14.754 43.989 C -12.984 43.989 -11.404 44.599 -10.154 45.789 L -6.734 42.369 C -8.804 40.429 -11.514 39.239 -14.754 39.239 C -19.444 39.239 -23.494 41.939 -25.464 45.859 L -21.484 48.949 C -20.534 46.099 -17.884 43.989 -14.754 43.989 Z"/>
+  </g>
+</svg>

DEFAULT-ADN-POST-IAM-TKNXCHNG-PROJECT/DEFAULT-ADN-POST-IAM-TKNXCHNG-INV/nli/var/opt/nevislogrend/default/data/applications/MockRelam/webdata/resources/icons/microsoft/microsoft.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" aria-label="Microsoft" role="img" viewBox="0 0 512 512"><rect width="512" height="512" rx="15%" fill="#fff"/><path d="M75 75v171h171v-171z" fill="#f25022"/><path d="M266 75v171h171v-171z" fill="#7fba00"/><path d="M75 266v171h171v-171z" fill="#00a4ef"/><path d="M266 266v171h171v-171z" fill="#ffb900"/></svg>