..
This file is part of GNU Taler.
Copyright (C) 2021 Taler Systems SA
GNU Taler is free software; you can redistribute it and/or modify it under the
terms of the GNU Affero General Public License as published by the Free Software
Foundation; either version 2.1, or (at your option) any later version.
GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with
GNU Taler; see the file COPYING. If not, see
@author Florian Dold
GNU Taler Exchange Setup Guide
##############################
This setup guide walks a system administrator through all steps required to
install an exchange and check that it is functional. For more background,
please read the Operator Manual.
System Requirements
===================
This guide assumes that you are running Ubuntu 20.04 (Focal Fossa).
We recommend the setup of offline signing keys to be done on a second machine that
does not have internet access.
In the guide, we mark commands that are supposed to be executed on the online
exchange machine as `[root@exchange-online]#` / `[$user@exchange-online]$` and commands for the offline
machine as `[root@exchange-offline]#` /`[$user@exchange-offline]$`. It is possible to do the entire setup
on one machine, but we do not recommend this for security reasons.
Installation
============
To install the exchange, first make sure that your system is up-to-date
and that the ``gnupg`` package has been installed.
.. code-block:: shell-session
[root@exchange-online]# apt-get update
[root@exchange-online]# apt-get upgrade
[root@exchange-online]# apt-get install -y gnupg
Next, add the ``focal-fossa`` apt repository provided by Taler Systems S.A. to
your package sources:
.. code-block:: shell-session
[root@exchange-online]# cat > /etc/apt/sources.list.d/taler.list <
.. warning::
While ``taler-config`` also supports rewriting configuration files, we strongly
recommend to edit configuration files manually, as ``taler-config`` does not
preserve comments and, by default, rewrites ``/etc/taler/taler.conf``.
Services, users, groups and file system hierarchy
=================================================
The *taler-exchange-httpd* package will create several system users
to compartmentalize different parts of the system:
* taler-exchange-httpd: the user that runs the HTTP daemon with the core business logic
* taler-exchange-secmod-rsa: the user that manages the RSA private online signing keys
* taler-exchange-secmod-eddsa: the user that manages the EdDSA private online signing keys
* taler-exchange-closer: a helper process that closes reserves
* taler-exchange-aggregator: a helper process that aggregates deposits into larger wire transfer requests
* taler-exchange-wire: the user that performs wire transfers with the bank
* postgres: the user running the Postgres database (from *postgres* package)
* www-data: the user running the frontend HTTPS service with the TLS keys (from *nginx* package)
.. note::
The *taler-merchant-httpd* package additionally creates a taler-merchant-httpd user
to runs the HTTP daemon with the merchant business logic.
The exchange setup uses the following system groups:
* taler-exchange-db: group for all Taler users with direct database access, specifically taler-exchange-httpd, taler-exchange-wire, taler-exchange-closer and taler-exchange-aggregator
* taler-exchange-secmod: FIXME: how is this used right now?
* taler-exchange-offline: FIXME: how is this used right now?
The package will deploy systemd service files in
``/usr/lib/systemd/system/`` for the various components:
* taler-exchange-aggregator.service: FIXME - explain
* taler-exchange-closer.service: FIXME - explain
* taler-exchange-httpd.service: FIXME - explain
* taler-exchange-httpd.socket: FIXME - explain
* taler-exchange-secmod-eddsa.service: FIXME - explain
* taler-exchange-secmod-rsa.service: FIXME - explain
* taler-exchange.target: FIXME - explain
* taler-exchange-transfer.service: FIXME - explain
* taler-exchange-wirewatch.service: FIXME - explain
(FIXME: Explain the Debian package users, groups and locations. -- anything missing?)
FIXME: I do not see how secmod keys are kept isolated from
the other users!
Basic Setup: Currency and Denominations
=======================================
A Taler exchange only supports a single currency. The currency
and the smallest currency unit supported by the bank system
must be specified in ``/etc/taler/taler.conf``.
.. code-block:: ini
:caption: /etc/taler/taler.conf
[taler]
CURRENCY = EUR
CURRENCY_ROUND_UNIT = EUR:0.01
# ... rest of file ...
.. warning::
When editing ``/etc/taler/taler.conf``, take care to not accidentally remove
the @inline-matching@ directive to include the configuration files in ``conf.d``.
Next, the electronic cash denominations that the exchange offers must be
specified. The ``taler-wallet-cli`` has a helper command that generates a
reasonable denomination structure.
.. code-block:: shell-session
taler-wallet-cli deployment gen-coin-config --currency EUR > /etc/taler/conf.d/exchange-coins.conf
.. note::
FIXME: change tool to not take currency from configuration, but instead
to accept unit currency as the argument; (i.e. EUR:0.0025). Also take
another argument for how many denominations to generate (2^XX). Finally,
do use the unit currency as the default deposit fee.
You can manually review and edit the generated configuration file. The main
change that is possibly required is updating the various fees.
Wire Gateway Setup
==================
The Taler Wire Gateway is an API that connects the Taler exchange to
the underlying core banking system.
LibEuFin is an implementation of the Wire Gateway API for the EBICS.
Please follow the setup instructions in ??? to set up a Taler Wire Gateway with
LibEuFin for an EBICS bank account.
The exchange must be configured with the right settings to
access the Taler Wire Gateway. An exchange can be configured
to use multiple bank accounts by using multiple Wire Gateways.
Typically only one Wire Gateway is used.
A Taler Wire Gateway is configured in a configuration section that follows the
pattern ``exchange-account-$id``, where ``$id`` is an internal identifier for
the bank account accessed with the Wire Gateway. The configuration file
``/etc/taler/conf.d/exchange-system.conf`` by default loads the section
``exchange-account-1`` from the secret file
``/etc/taler/secrets/exchange-accounts.secret.conf``. The latter file
should already be only readable for the taler-exchange-wire user. Other
exchange processes should not have access to this information.
.. code-block:: ini
:caption: /etc/taler/secrets/exchange-accounts.secret.conf
[exchange-account-1]
enable_credit = yes
enable_debit = yes
# LibEuFin expects basic auth
wire_gateway_auth_method = basic
# username and password set in LibEuFin
username = ...
password = ...
# base URL of the wire gateway set up with LibEuFin
wire_gateway_url = ...
# Account identifier in the form of an RFC-8905 payto:// URI
# For SEPA, looks like payto://sepa/$IBAN
payto_uri =
The Wire Gateway configuration can be tested with the following command:
.. code-block:: shell-session
[root@exchange-online]# taler-exchange-wire-gateway-client \
--section exchange-account-1 --debit-history
[root@exchange-online]# taler-exchange-wire-gateway-client \
--section exchange-account-1 --credit-history
Exchange Database Setup
=======================
The access credentials for the exchange's database are configured in
``/etc/taler/secrets/exchange-db.secret.conf``. Currently, only postgres is
supported as a database backend.
The following users must have access to the exchange database:
* taler-exchange-httpd
* taler-exchange-wire
* taler-exchange-aggregator
* taler-exchange-closer
These users are all in the taler-exchange-db group, and the
``exchange-db.secret.conf`` is should already be only readable by users in
this group.
To create a database for the Taler exchange on the local system, run:
.. code-block:: shell-session
[root@exchange-onlie]# su - postgres
[postgres@exchange-online]# createuser taler-exchange-httpd
[postgres@exchange-online]# createuser taler-exchange-wire
[postgres@exchange-online]# createuser taler-exchange-aggregator
[postgres@exchange-online]# createuser taler-exchange-closer
[postgres@exchange-online]# createdb -O taler-exchange-httpd taler-exchange
[postgres@exchange-online]# exit
This will create a ``taler-exchange`` database owned by the
``taler-exchange-httpd`` user. We will use that user later to perform
database maintenance operations.
Next, we need to grant the other accounts limited access:
.. code-block:: shell-session
[root@exchange-onlie]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-aggregator";' \
| sudo -u taler-exchange-httpd psql taler-exchange
[root@exchange-onlie]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-closer";' \
| sudo -u taler-exchange-httpd psql taler-exchange
[root@exchange-onlie]# echo 'GRANT SELECT,INSERT,UPDATE ON ALL TABLES IN SCHEMA public TO "taler-exchange-wire";' \
| sudo -u taler-exchange-httpd psql taler-exchange
Assuming the above database setup, the database credentials to configure
in the configuration file would simply be:
.. code-block:: ini
:caption: /etc/taler/secrets/exchange-db.secret.conf
[exchangedb-postgres]
CONFIG=postgres:///taler-exchange
If the database is run on a different host, please follow the instructions
from the Postgres manual for configuring remote access.
After configuring the database credentials, the exchange database needs
to be initialized with the following command:
.. code-block:: shell-session
[root@exchange-online]# sudo -u taler-exchange-httpd taler-exchange-dbinit
Offline Signing Setup
=====================
The offline signing keys of the exchange should be stored on a different machine.
The responsibilities of this offline signing machine are:
* generation of the exchange's offline master signing key
* secure storage of the exchange's offline master signing key
* generation of certificates (signed with the offline master signing key) that will be imported by the exchange
.. code-block:: shell-session
[root@exchange-offline]# sudo -u taler-exchange-offline taler-exchange-offline setup
< ... prints the exchange master public key >
The public key printed as the output of this command should must be put into the configuration
of the online machine:
.. code-block:: ini
:caption: /etc/taler/conf.d/exchange-business.conf
[exchange]
MASTER_PUBLIC_KEY = YE6Q6TR1ED...
# ... rest of file ...
Exchange Web service / API Setup
================================
By default, the ``taler-exchange-httpd`` service listens for HTTP connections
on a UNIX domain socket. To make the service publicly available, a reverse
proxy such as nginx should be used. We strongly recommend to configure nginx
to use TLS.
The public URL that the exchange will be served under should
be put in ``/etc/taler/conf.d/exchange-business.conf`` configuration file.
.. code-block:: ini
:caption: /etc/taler/conf.d/exchange-business.conf
[exchange]
BASE_URL = https://example.com/
# ... rest of file ...
The ``taler-exchange`` package ships with a sample configuration that can be
enabled in nginx:
.. code-block:: shell-session
[root@exchange-online]# vim /etc/nginx/sites-available/taler-exchange
< ... customize configuration ... >
[root@exchange-online]# ln -s /etc/nginx/sites-available/taler-exchange \
/etc/nginx/sites-enabled/taler-exchange
[root@exchange-online]# systemctl reload nginx
The exchange HTTP service can now be started:
.. code-block:: shell-session
[root@exchange-online]# systemctl start taler-exchange.service
[root@exchange-online]# export BASE_URL=$(taler-config -s exchange -o base_url)
[root@exchange-online]# curl ${BASE_URL}management/keys
.. note::
At this point, the exchange service not yet fully operational.
To check whether the exchange is running correctly under the advertise
base URL, run:
.. code-block:: shell-session
[root@exchange-online]# export BASE_URL=$(taler-config -s exchange -o base_url)
[root@exchange-online]# curl ${BASE_URL}management/keys
Offline Signing Procedure
=========================
The exchange HTTP service should be running now, but is not yet completely
operational. To make the exchange HTTP service operational, the following
steps involving the offline signing machine must be completed:
1. The public keys of various online keys used by the exchange service are exported
via a management HTTP API
2. The offline signing system validates this request and signs it.
Additionally, the offline signing system signs policy messages
to configure the exchange's bank accounts and associated fees.
3. The messages generated by the offline signing system are uploaded
to via the management API of the exchange HTTP service.
.. code-block:: shell-session
[root@exchange-online]# taler-exchange-offline \
download > sig-request.json
[root@exchange-offline]# taler-exchange-offline \
sign < sig-request.json > sig-response.json
[root@exchange-offline]# taler-exchange-offline \
enable-account payto://sepa/$IBAN > acct-response.json
[root@exchange-offline]# taler-exchange-offline \
enable-account wire-fee 2021 sepa EUR:0 EUR:0 > fee-response.json
[root@exchange-online]# taler-exchange-offline upload < sig-response.json
[root@exchange-online]# taler-exchange-offline upload < acct-response.json
[root@exchange-online]# taler-exchange-offline upload < fee-response.json
Testing and Troubleshooting
===========================
The following shell session illustrates how the wallet can be used to withdraw
electronic cash from the exchange and subsequently spend it. For these steps,
a merchant backend is not required, as the wallet acts as a merchant.
.. code-block:: shell-session
# This will now output a payto URI that money needs to be sent to in order to allow withdrawal
# of taler coins
$ taler-wallet-cli advanced withdraw-manually --exchange $EXCHANGE_URL --amount EUR:10.50
# Show the status of the manual withdrawal operation
$ taler-wallet-cli transactions
#
# At this point, a bank transfer to the exchange's bank account
# needs to be made with the correct subject / remittance information
# as instructed by the wallet after the first step.
#
# Check whether the exchange received an incoming bank transfer
[root@exchange-online]# taler-exchangewire-gateway-client --section exchange-account-1 --credit-history
# Once the transfer has been made, try completing the withdrawal
$ taler-wallet-cli run-pending
# Check status of transactions and show balance
$ taler-wallet-cli transactions
$ taler-wallet-cli balance
# Now, directly deposit coins with the exchange into a target account
# (Usually, a payment is made via a merchant. The wallet provides
# this functionality for testing.)
$ taler-wallet-cli deposit create EUR:5 payto://sepa/$IBAN
# Check if transaction was successful.
# (If not, fix issue with exchange and run "run-pending" command again)
$ taler-wallet-cli transactions
# The wallet can also track if the exchange wired the money to the merchant account.
# The "deposit group id" can be found in the output of the transactions list.
$ taler-wallet-cli deposit track $DEPOSIT_GROUP_ID
# Check whether the exchange sent an outgoing transfer
[root@exchange-online]# taler-exchangewire-gateway-client --section exchange-account-1 --debit-history
# After enough time has passed, the money should arrive at the specified IBAN
FIXMEs
======
* we need to make sure that after every step there is some command
that can be executed to make sure the previous step succeeded /
the admin is on the right track.
* We should describe the systemd services that need to be running
* we should have some summary with the inventory of services that should be running
* how do we know what offline signing steps are still required? We don't have
a tool for that ...
* when multiple TWGs are configured, which one will be used by the taler-exchange-transfer?
* we should have some tooling to show the current configuration state of the exchange,
which then tells the admin what to do next (sign keys, configure account, configure wire fee),
based on the /management and /keys / /wire APIs
* On Ubuntu focal fossa, I get the following warning on "apt update", are we doing something wrong?
N: Skipping acquire of configured file 'main/binary-i386/Packages' as
repository 'https://deb.taler.net/apt/ubuntu focal-fossa InRelease' doesn't
support architecture 'i386'