FintechOS Service Pipes

Service Pipes are the integration layer of the FintechOS Platform. They use Apache Camel as the routing and mediation engine to integrate the HPFI with external systems. Apache Camel is an integration framework that allows easy implementation of routing and mediation logic using a variety of domain-specific languages (DSLs).

The FintechOS Service Pipes are built as a Docker image and deployed in an Azure App Service.

App Service Configuration

To configure the Service Pipes on your Azure environment, log in to the Azure Portal and navigate to your Service Pipes app service blade. In the Configuration section, set up the following settings:

Setting Description
app.loglevel.application
(optional)
Minimum severity level for the logged messages for the Service Pipes app.
Available values are: DEBUG, ERROR, FATAL, INFO, OFF, TRACE, WARN.
Default: INFO
app.loglevel.root
(optional)
Minimum severity level for the logged messages for all the packages. For the Service Pipes app specifically, the app.loglevel.application setting will take precedence over app.loglevel.root.
Available values are: DEBUG, ERROR, FATAL, INFO, OFF, TRACE, WARN.
Default: INFO
app.loglevel.security
(optional)
Minimum severity level for security messages (authentication or authorization).
Available values are: DEBUG, ERROR, FATAL, INFO, OFF, TRACE, WARN.
Default: INFO
spring.profiles.active
(optional)
Leave empty to use the FintechOS Identity Provider for authentication. This is the default behavior and it is the recommended setting.
Set it to basicAuth if you wish to use the legacy platform credentials for authentication.
app.context.path
(optional)
The servlet path used for the Service Pipes app service, which is going to be appended to the app service URL. By default, the app will be available at the /services servlet path, for example:
https://app-myApp.azurewebsites.net/services/
app.vault.url
URL of the Configuration Manager app service or Windows service.
app.vault.token
Access token for the Configuration Manager.
app.vault.secrets.engine
(optional)
Secrets engine used by the Configuration Manager.
Default: kv
app.vault.environment
The path where the Service Pipes folder is found in Vault (e.g. dev). The properties from this secrets path are required for the application startup and runtime.
app.vault.application
The folder where the application properties are found.
Default: service-pipes
app.vault.refresh.rate
The rate at which Vault properties are refreshed.
Default: 3600000 (1h)

Configuration Manager Settings

The settings used to associate the Service Pipes with a FintechOS Portal instance are stored in the Configuration Manager. Currently, a single Service Pipes instance can be associated with a single FintechOS Portal instance. The corresponding secrets are stored in the Configuration Manager at the kv/{environment name}/service-pipes path.

Configuration for Environments Using the FintechOS Identity Provider

Key Value Description
openid.config
{
    "realm": "fintechOSRealm",
    "auth-server-url": "https://myServer.azurewebsites.net/auth",
    "ssl-required": "external",
    "resource": "admin-servicepipes-dev",
    "principal-attribute": "preferred_username",
    "credentials": {
        "secret": "TkATkOrKeTuubnZqo7ecEKGAgq6UXEvW"
    },
    "use-resource-role-mappings": "false",
    "autodetect-bearer-only": "true"
}
  • realm - The FintechOS realm configured in the FintechOS Identity Provider.
  • auth-server-url - The FintechOS Identity Provider discovery endpoint.
  • ssl-required - The default value is external meaning that HTTPS is required by default for external requests. In production environments, this should be set to all.
  • resource - Name of the Service Pipes resource as defined in the FintechOS realm configured in the FintechOS Identity Provider.
  • principal-attribute - OpenID Connect ID Token attribute used to populate the UserPrincipal name. Possible values are: sub, preferred_username, email, name, nickname, given_name, and family_name. Default: preferred_username.
  • secret - Secret key set up in the FintechOS Identity Provider for the Service Pipes.
  • use-resource-role-mappings - When true, the adapter retrieves the user's application-level role mappings from the token. When false, it looks at the realm-level role mappings. This should be set up in accordance with your OpenID configuration. Default: false.

  • autodetect-bearer-only - Set it to true. Do not change.

rbac.config

{
   "apiMappings":[
      {
         "url":"/inbound",
         "roles":[
            "service-pipes-user"
         ]
      }
   ],
   "applicationMappings":[
      {
         "url":"/actuator",
         "roles":[
            "service-pipes-admin"
         ]
      }
   ],
   "swaggerMappings":[
      {
         "url":"/specifications",
         "roles":[
            "service-pipes-admin"
         ]
      }
   ]
}

Property used for configuring role-based access control (RBAC) in Service Pipes.

"apiMappings" - used for defining RBAC for API endpoints.

"applicationMappings" - used for defining RBAC for application management/configuration URLs (here power-user or administrator roles should be configured).

"swaggerMappings" - used for RBAC of API documentation pages.

portal.url

https://myServer.azurewebsites.net/portal/api/openApiV2/CallAction

URL of the FintechOS Portal instance associated with the Service Pipes.
openapi.enabled

true

Flag used to determine if requests are forwarded to OpenAPI instead of Portal.
openi.url

https://myServer.azurewebsites.net/ftosapi/automation-processors/actions/

URL address of the OpenAPI component.
portal.username

{username}

Used by Service Pipes when generating an access token to call the platform.
portal.password

{password}

Used by Service Pipes when generating an access token to call the platform.
throttle.config
{
  "enabled": true,
  "cacheRequestsMillis": ,
  "pool": {
      "maxConnections": ,
      "connectionsPerRoute": ,
      "timeoutConnectionRequest": ,
      "socketTimeout"
  },
  "refreshCacheCron": "",
  "clients": [
    {
      "name": "",
      "allowedRequests": ,
      "allowedTimeFrameMs": ,
      "timeToLive"
    }
  ]
}
This property is needed only if the Service Pipes application is started with the "throttiling" profile.
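
The guidance given above for openid.config (ssl-required set to all in production, autodetect-bearer-only left at true, the listed principal-attribute values) and for rbac.config (administrator roles on applicationMappings) can be checked before the values are saved in the Configuration Manager. The following is an added example, not FintechOS code: the function names are hypothetical, the sample values are constructed, and treating service-pipes-admin as the only administrator role is an assumption.

```python
# Added example: audits openid.config / rbac.config values before they are
# stored in the Configuration Manager. Function names are hypothetical.
ALLOWED_PRINCIPAL_ATTRS = {"sub", "preferred_username", "email", "name",
                           "nickname", "given_name", "family_name"}


def audit_openid(cfg, production=True):
    """Check an openid.config dict against the guidance on this page."""
    findings = []
    if production and cfg.get("ssl-required") != "all":
        findings.append("ssl-required should be 'all' in production")
    if str(cfg.get("autodetect-bearer-only")).lower() != "true":
        findings.append("autodetect-bearer-only must be true")
    attr = cfg.get("principal-attribute", "preferred_username")
    if attr not in ALLOWED_PRINCIPAL_ATTRS:
        findings.append(f"principal-attribute {attr!r} is not a listed value")
    if not cfg.get("credentials", {}).get("secret"):
        findings.append("credentials.secret is missing or empty")
    return findings


def audit_rbac(cfg, admin_roles=frozenset({"service-pipes-admin"})):
    """Flag mappings without roles and management URLs open to non-admins."""
    findings = []
    for group in ("apiMappings", "applicationMappings", "swaggerMappings"):
        for mapping in cfg.get(group, []):
            url, roles = mapping.get("url"), mapping.get("roles", [])
            if not roles:
                findings.append(f"{group} {url}: no roles listed")
            elif group == "applicationMappings":
                extra = sorted(set(roles) - set(admin_roles))
                if extra:
                    findings.append(f"{group} {url}: non-admin roles {extra}")
    return findings


# Constructed sample input (placeholder secret, not a real credential).
SAMPLE_OPENID = {"realm": "fintechOSRealm", "ssl-required": "external",
                 "principal-attribute": "preferred_username",
                 "credentials": {"secret": "<placeholder>"},
                 "autodetect-bearer-only": "true"}
SAMPLE_RBAC = {
    "apiMappings": [{"url": "/inbound", "roles": ["service-pipes-user"]}],
    "applicationMappings": [{"url": "/actuator",
                             "roles": ["service-pipes-admin", "service-pipes-user"]}],
    "swaggerMappings": [{"url": "/specifications", "roles": []}],
}

if __name__ == "__main__":
    for finding in audit_openid(SAMPLE_OPENID) + audit_rbac(SAMPLE_RBAC):
        print("FINDING:", finding)
```

If custom administrator roles have been defined, pass them through the admin_roles parameter so they are not reported as non-admin.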

Configuration for Environments Using Legacy Authentication (non-FintechOS Identity Provider)

Key Value Description
username

{username}

User name used by the associated Portal instance to authenticate when calling the Service Pipes. A matching key-value pair must be set up in the Configuration Manager on the associated Portal environment at kv/<environment>/<portalName>/app-settings.
password

{password}

Password used by the associated Portal instance to authenticate when calling the Service Pipes. A matching key-value pair must be set up in the Configuration Manager on the associated Portal environment at kv/<environment>/<portalName>/app-settings.
portal.url

https://myServer.azurewebsites.net/myPortal

URL of the FintechOS Portal instance associated with the Service Pipes.
ebs.config

User Roles

When using the FintechOS Identity Provider for identity and access management, make sure you assign the following user roles accordingly:

  • service-pipes-admin - Role needed for users responsible for monitoring the Service Pipes. This will provide them access to the Service Pipes monitoring tool available at the <Service Pipes URL>/actuator/hawtio path. E.g.: https://myServer.azurewebsites.net/services/actuator/hawtio
  • service-pipes-user - Role needed for users who need to authenticate to the Service Pipes, such as user accounts that will run digital journeys that make calls to the Service Pipes server.

For advanced configurations, roles can be further customized using the Configuration Manager.