nordic-institute · raits · Oct 13, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 15, 2025
@@ -90,16 +90,14 @@ RUN useradd xrd-sec && adduser xrd-sec xroad-security-officer && sh -c "echo 'xr
     && adduser xroad softhsm
 
 COPY --chown=xroad:xroad files/etc /etc/
+COPY --chown=xroad:xroad files/usr/share/xroad/autologin/custom-fetch-pin.sh /usr/share/xroad/autologin/custom-fetch-pin.sh
 COPY --chown=xroad:xroad build/libs /usr/share/xroad/jlib/
 
 COPY files/ss-entrypoint.sh /root/entrypoint.sh
 COPY --chown=xroad:xroad files/override-docker.ini /etc/xroad/conf.d/
 COPY --chown=root:root files/ss-xroad.conf /etc/supervisor/conf.d/xroad.conf
-COPY --chown=root:root files/ss-hwtoken-xroad.conf /etc/supervisor/conf.d/hwtoken-xroad.conf
-COPY --chown=root:root files/ss-hwtoken-login-inactive-token.sh /usr/share/xroad/autologin/login-inactive-token.sh
-RUN chmod 755 /usr/share/xroad/autologin/login-inactive-token.sh
 
 CMD ["/root/entrypoint.sh"]
 
 VOLUME ["/etc/xroad", "/var/lib/xroad", "/var/lib/postgresql/16/main/", "/var/lib/softhsm/tokens"]
-EXPOSE 8080 8443 4000 5432 5500 5577 5558 80
+EXPOSE 8080 8443 4000 5432 5500 5577 5558 80
@@ -21,13 +21,21 @@ Alternatively, it's possible to use the image (`niis/xroad-security-server`) ava
 ## Running
 
 Publish the container ports (`8080` and/or `8443`, `4000`, and optionally `5500` and `5577`) to localhost (loopback address).
-Also, it's possible to pass the token pin code for autologin using the `XROAD_TOKEN_PIN` environment variable.
+Also, it's possible to pass the token pin code for autologin using environment variables. Use `XROAD_TOKEN_PIN` for token 0, or `XROAD_TOKEN_<id>_PIN` for specific token IDs.
 
 Running a locally built image:
 ```shell
 docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss -e XROAD_TOKEN_PIN=1234 xroad-security-server
 ```
 
+For multiple tokens:
+```shell
+docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss \
+  -e XROAD_TOKEN_0_PIN=1234 \
+  -e XROAD_TOKEN_1_PIN=5678 \
+  xroad-security-server
+```
+
 Running an image available on [Docker Hub](https://hub.docker.com/r/niis/xroad-security-server):
 ```shell
 docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss -e XROAD_TOKEN_PIN=1234 niis/xroad-security-server:focal-7.1.0
@@ -97,3 +105,10 @@ One can create the autologin file by hand after initializing the Security Server
 docker exec my-ss su -c 'echo 1234 >/etc/xroad/autologin' xroad
 docker exec my-ss supervisorctl start xroad-autologin
 ```
+
+For multiple tokens, use one line per token in the format `token-id:token-pin`:
+
+```shell
+docker exec my-ss su -c 'echo -e "0:1234\n1:5678" >/etc/xroad/autologin' xroad
+docker exec my-ss supervisorctl start xroad-autologin
+```
@@ -29,13 +29,6 @@ else
     echo "WARN: Installed version ($INSTALLED_VERSION) does not match packaged version ($PACKAGED_VERSION)" >&2
 fi
 
-if [  -n "$XROAD_TOKEN_PIN" ]
-then
-    echo "XROAD_TOKEN_PIN variable set, writing to /etc/xroad/autologin"
-    echo "$XROAD_TOKEN_PIN" > /etc/xroad/autologin
-    unset XROAD_TOKEN_PIN
-fi
-
 log "Enabling public postgres access.."
 sed -i 's/#listen_addresses = \x27localhost\x27/listen_addresses = \x27*\x27/g' /etc/postgresql/*/main/postgresql.conf
 sed -ri 's/host    replication     all             127.0.0.1\/32/host    all             all             0.0.0.0\/0/g' /etc/postgresql/*/main/pg_hba.conf

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+file="/etc/xroad/autologin"
+
+declare -a token_ids
+declare -a token_pins
+count=0
+
+for var in $(compgen -e | grep '^XROAD_TOKEN_.\+_PIN$' | sort -V); do
+    token_id="${var#XROAD_TOKEN_}"
+    token_id="${token_id%_PIN}"
+    pin_value="${!var}"
+
+    if [ -n "$pin_value" ]; then
+        token_ids+=("$token_id")
+        token_pins+=("$pin_value")
+        ((count++))
+    fi
+done
+
+if [ -n "$XROAD_TOKEN_PIN" ]; then
+    echo "${XROAD_TOKEN_PIN}"
+    exit 0
+elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" = "0" ]; then
+    echo "${token_pins[0]}"
+    exit 0
+elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" != "0" ]; then
+    >&2 echo "ERROR: Found XROAD_TOKEN_${token_ids[0]}_PIN but no other token PINs. Multiple token PINs are expected when using numbered tokens (other than 0)."
+    exit 127
+elif [ "$count" -gt 1 ]; then
+    for i in "${!token_ids[@]}"; do
+        echo "${token_ids[$i]}:${token_pins[$i]}"
+    done
+    exit 0
+elif [ -f "$file" ]
+then
+    >&2 echo "XROAD_TOKEN_PIN variable is not set, returning PIN code at $file"
+    cat $file
+    exit 0
+else
+    >&2 echo "PIN code not available at $file"
+    exit 127
+fi
@@ -36,7 +36,8 @@ services:
   ss1:
     container_name: ss1
     environment:
-      - XROAD_TOKEN_PIN=Secret1234
+      - XROAD_TOKEN_0_PIN=Secret1234
+      - XROAD_TOKEN_31_PIN=Secret1234
     ports:
       - "4300:4000" # Frontend
       - "4310:8080" # Proxy
@@ -91,4 +92,4 @@ networks:
   # Use implicitly named network so that is easier to add container outside the compose
   xroad-network:
     name: xroad-network
-    driver: bridge
+    driver: bridge
@@ -1,9 +1,15 @@
 # E2E specific hurl execution on boot.
 services:
+  ss0:
+    environment:
+      - XROAD_TOKEN_PIN=Secret1234
   ss1:
     entrypoint: [ "/usr/local/bin/init-token-and-run-entrypoint.sh" ]
     volumes:
       - ./ss1/init-token-and-run-entrypoint.sh:/usr/local/bin/init-token-and-run-entrypoint.sh:ro
+    environment:
+      - XROAD_TOKEN_0_PIN=Secret1234
+      - XROAD_TOKEN_31_PIN=Secret1234
 
   hurl:
     command: >

@@ -13,10 +13,11 @@ if ! grep -q "\[softhsm2\]" /etc/xroad/devices.ini 2>/dev/null; then
   printf "\n[softhsm2]\n\
     library = /usr/lib/softhsm/libsofthsm2.so\n\
     slot_ids = %s\n\
+    token_id_format = 1\n\
     os_locking_ok = true\n\
     library_cant_create_os_threads = true\n" "$slot_id" >> /etc/xroad/devices.ini
 fi
 
 chown -R xroad /var/lib/softhsm/tokens
 
-exec /root/entrypoint.sh
+exec /root/entrypoint.sh
@@ -233,16 +233,6 @@ Content-Type: application/json
 
 HTTP 201
 
-# Log in to the Security Servers token
-PUT https://{{ss0_host}}:4000/api/v1/tokens/0/login
-X-XSRF-TOKEN: {{ss0_xsrf_token}}
-Content-Type: application/json
-{
-  "password": "Secret1234"
-}
-
-HTTP *
-
 # Get the CA name
 GET https://{{ss0_host}}:4000/api/v1/certificate-authorities
 X-XSRF-TOKEN: {{ss0_xsrf_token}}
@@ -593,16 +583,6 @@ Content-Type: application/json
 
 HTTP 201
 
-# Log in to the Security Servers token
-PUT https://{{ss1_host}}:4000/api/v1/tokens/0/login
-X-XSRF-TOKEN: {{ss1_xsrf_token}}
-Content-Type: application/json
-{
-  "password": "Secret1234"
-}
-
-HTTP *
-
 # Add auth key to the Security Server token
 POST https://{{ss1_host}}:4000/api/v1/tokens/0/keys-with-csrs
 X-XSRF-TOKEN: {{ss1_xsrf_token}}
@@ -681,16 +661,6 @@ HTTP 200
 [Captures]
 ss1_token_id: jsonpath "$[?(@.type == 'HARDWARE')].id" nth 0
 
-# Log in to the Security Servers token
-PUT https://{{ss1_host}}:4000/api/v1/tokens/{{ss1_token_id}}/login
-X-XSRF-TOKEN: {{ss1_xsrf_token}}
-Content-Type: application/json
-{
-  "password": "Secret1234"
-}
-
-HTTP *
-
 # Add sign key to the Security Server token
 POST https://{{ss1_host}}:4000/api/v1/tokens/{{ss1_token_id}}/keys-with-csrs
 X-XSRF-TOKEN: {{ss1_xsrf_token}}

@@ -1,6 +1,6 @@
 # X-Road: Autologin User Guide
 
-Version: 1.4
+Version: 1.5
 Doc. ID: UG-AUTOLOGIN
 
 
@@ -11,6 +11,7 @@ Doc. ID: UG-AUTOLOGIN
 | 15.11.2018 | 1.2     | Ubuntu 18.04 updates                                                                              |
 | 11.09.2019 | 1.3     | Remove Ubuntu 14.04 support                                                                       |
 | 26.09.2022 | 1.4     | Remove Ubuntu 18.04 support                                                                       |
+| 14.10.2025 | 1.5     | Add multiple token support documentation                                                          |
 
 ## Table of Contents
 
@@ -44,23 +45,42 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\].
   * Ubuntu: apt install xroad-autologin
   * RedHat: yum install xroad-autologin
 
-2. If storing the PIN code on the server in plaintext is acceptable, create file `/etc/xroad/autologin` that contains the PIN code. 
+2. If storing the PIN code on the server in plaintext is acceptable, create file `/etc/xroad/autologin` that contains the PIN code(s).
   * File should be readable by user `xroad`
   * If `/etc/xroad/autologin` does not exists, and you have not implemented `custom-fetch-pin.sh`, the service will not start
-3. If you do not want to store PIN code in plaintext, implement bash script 
+  * For a single token (token ID 0), the file should contain just the PIN code:
+    ```
+    1234
+    ```
+  * For multiple tokens, each line should be in the format `token-id:token-pin`:
+    ```
+    0:1234
+    1:5678
+    ```
+3. If you do not want to store PIN code in plaintext, implement bash script
 `/usr/share/xroad/autologin/custom-fetch-pin.sh`
-  * The script needs to output the PIN code to stdout
+  * The script needs to output the PIN code(s) to stdout
   * Script should be readable and executable by user `xroad`
   * Script should exit with exit code
     * 0 if it was able to fetch PIN code successfully
     * 127 if it was not able to fetch PIN code, but this is not an actual error that should cause the service to fail (default implementation uses this if `/etc/xroad/autologin` does not exist)
     * other exit codes in error situations that should cause the service to fail
+  * Single token example:
   ```bash
   #!/bin/bash
-  PIN_CODE=$(curl https://some-address)
+  PIN_CODE=$(curl https://some-address/token-pin)
   echo "${PIN_CODE}"
   exit 0
   ```
+  * Multiple tokens example (output one `token-id:token-pin` per line):
+  ```bash
+  #!/bin/bash
+  TOKEN_0_PIN=$(curl https://some-address/token-0-pin)
+  TOKEN_1_PIN=$(curl https://some-address/token-1-pin)
+  echo "0:${TOKEN_0_PIN}"
+  echo "1:${TOKEN_1_PIN}"
+  exit 0
+  ```
 
 ### 2.2 Implementation details
 
@@ -70,4 +90,4 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\].
   * Wrapper script handles retries in error situations.
 * Service tries to enter the PIN code using script `signer-console`
   * If the PIN was correct or incorrect, it exits
-  * If an error occurred (for example because `xroad-signer` has not yet fully started), it keeps retrying indefinitely
+  * If an error occurred (for example because `xroad-signer` has not yet fully started or been initialised), it keeps retrying indefinitely
@@ -289,6 +289,7 @@ For example the following configuration could be stored as a Kubernetes secret:
 * Sensitive Sidecar environment variables:
   * Software token PIN code:
     * `XROAD_TOKEN_PIN`
+    * `XROAD_TOKEN_X_PIN` (in case of multiple tokens)
   * Security server GUI admin user:
     * `XROAD_ADMIN_USER`
     * `XROAD_ADMIN_PASSWORD`

@@ -1,6 +1,6 @@
 # Security Server Sidecar User Guide <!-- omit in toc -->
 
-Version: 1.19  
+Version: 1.20
 Doc. ID: UG-SS-SIDECAR
 
 ## Version history <!-- omit in toc -->
@@ -27,6 +27,7 @@ Doc. ID: UG-SS-SIDECAR
 | 26.03.2025 | 1.17    | Syntax and styling                                      | Pauline Dimmek            |
 | 02.04.2025 | 1.18    | Added autologin paragraph                               | Mikk-Erik Bachmann        |
 | 28.08.2025 | 1.19    | Added paragraph about custom ACME challenge port number | Mikk-Erik Bachmann        |
+| 14.10.2025 | 1.20    | Document multiple token autologin support               | Raido Kaju                |
 
 ## License
 
@@ -374,9 +375,29 @@ The memory allocation for the Proxy Service can be configured using helper scrip
 
 ### 3.4 Autologin
 
-The Autologin feature logs onto the Signer keys' token automatically when the container has been restarted (for more info see [Autologin User Guide](../Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md)). 
+The Autologin feature logs onto the Signer keys' token automatically when the container has been restarted (for more info see [Autologin User Guide](../Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md)).
 
-For Sidecar, Autologin uses a custom script `custom-fetch-pin.sh` which looks at the environment variable `XROAD_TOKEN_PIN` first. This is set in the above example with a flag `-e XROAD_TOKEN_PIN=<token pin>`. When the Security Server is initialized for the first time, the token pin configured in the third step needs to match this variable. Given that for the autologin to succeed the token needs to be initialized and xroad-signer needs to be running, there can be retry statements in the logs when the autologin process starts before one of these things has happened. Eventually the autologin process should exit with a log message `xroad-autologin (exit status 0; expected)` which indicates that the autologin has succeeded. When the environment variable is not set, autologin might fail because by default the sidecar container doesn't have the token pin in its fallback location `/etc/xroad/autologin`. This file can be manually added with the correct pin if having the pin as plain text in that file is acceptable.
+For Sidecar, Autologin uses a custom script `custom-fetch-pin.sh` which supports both single and multiple token configurations:
+
+Single token configuration:
+
+* Set the environment variable `XROAD_TOKEN_PIN` (e.g., `-e XROAD_TOKEN_PIN=<token pin>`)
+* This PIN will be used for token ID 0
+* When the Security Server is initialized for the first time, the token pin configured needs to match this variable
+
+Multiple tokens configuration:
+
+* Set environment variables in the format `XROAD_TOKEN_<id>_PIN` where `<id>` is the token ID
+* Example: `-e XROAD_TOKEN_0_PIN=1234 -e XROAD_TOKEN_1_PIN=5678`
+* Each token will be logged in with its respective PIN
+* If using numbered tokens (other than 0), multiple token PINs must be provided
+
+Fallback configuration:
+
+* If no environment variables are set, the script will read from `/etc/xroad/autologin`
+* This file can contain either a single PIN (for token 0) or multiple lines in the format `token-id:token-pin`
+
+Given that for the autologin to succeed the token needs to be initialized and xroad-signer needs to be running, there can be retry statements in the logs when the autologin process starts before one of these things has happened. Eventually the autologin process should exit with a log message `xroad-autologin (exit status 0; expected)` which indicates that the autologin has succeeded.
 
 ## 4 Upgrading
 

@@ -1,10 +1,37 @@
 #!/bin/bash
 
 file="/etc/xroad/autologin"
-if [ -n "$XROAD_TOKEN_PIN" ]
-then
+
+declare -a token_ids
+declare -a token_pins
+count=0
+
+for var in $(compgen -e | grep '^XROAD_TOKEN_.\+_PIN$' | sort -V); do
+    token_id="${var#XROAD_TOKEN_}"
+    token_id="${token_id%_PIN}"
+    pin_value="${!var}"
+
+    if [ -n "$pin_value" ]; then
+        token_ids+=("$token_id")
+        token_pins+=("$pin_value")
+        ((count++))
+    fi
+done
+
+if [ -n "$XROAD_TOKEN_PIN" ]; then
     echo "${XROAD_TOKEN_PIN}"
     exit 0
+elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" = "0" ]; then
+    echo "${token_pins[0]}"
+    exit 0
+elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" != "0" ]; then
+    >&2 echo "ERROR: Found XROAD_TOKEN_${token_ids[0]}_PIN but no other token PINs. Multiple token PINs are expected when using numbered tokens (other than 0)."
+    exit 127
+elif [ "$count" -gt 1 ]; then
+    for i in "${!token_ids[@]}"; do
+        echo "${token_ids[$i]}:${token_pins[$i]}"
+    done
+    exit 0
 elif [ -f "$file" ]
 then
     >&2 echo "XROAD_TOKEN_PIN variable is not set, returning PIN code at $file"