FintechOS Service Pipes

Service Pipes are the integration layer of the FintechOS Platform. It uses Apache Camel as routing and mediation engine to integrate the FintechOS Platform with external systems. Apache Camel is an integration framework that allows easy implementation of routing and mediation logic using a variety of domain-specific languages (DSLs) .

The FintechOS Service Pipes are built as a docker image and deployed in an Azure AppService.

App Service Configuration

To configure the Service Pipes on your Azure environment, log in to the Azure Portal and navigate to your Service Pipes app service blade. In the Configuration section, set up the following settings:

Setting Description
app.loglevel.application
(optional)		 Minimum severity level for the logged messages for the Service Pipes app.
Available values are: DEBUG, ERROR, FATAL, INFO, OFF, TRACE, WARN.
Default: INFO
app.loglevel.root
(optional)		 Minimum severity level for the logged messages for all the packages. For the Service Pipes app specifically, the app.loglevel.application setting will take precedence over app.loglevel.root.
Available values are: DEBUG, ERROR, FATAL, INFO, OFF, TRACE, WARN.
Default: INFO
app.loglevel.security
(optional)		 Minimum severity level for security messages (authentication or authorization).
Available values are: DEBUG, ERROR, FATAL, INFO, OFF, TRACE, WARN.
Default: INFO
spring.profiles.active
(optional)		 Leave empty to use the FintechOS Identity Provider for authentication. This is the default behavior. The legacy authentication using platform credentials is no longer supported.
app.context.path
(optional)		 The servlet path used for the Service Pipes app service, which is going to be appended to the app service URL. By default, the app will be available at the /services servlet path, for example:
https://app-myApp.azurewebsites.net/services/
app.vault.url URL of the Configuration Manager app service or Windows service.
app.vault.token Access token for the Configuration Manager.
app.vault.secrets.engine
(optional)		 Secrets engine used by the Configuration Manager.
Default: kv
app.vault.environment The path where the services pipes folder is found in Vault (e.g. dev). The properties from this secrets path are required for the application startup and runtime.
app.vault.application The folder where the application properties are found. It defaults to service-pipes.
app.vault.refresh.rate The rate at which Vault properties are refreshed. It defaults to 3600000 (1h).

Configuration Manager Settings

The settings used to associate the Service Pipes with a FintechOS Portal instance are stored in the Configuration Manager. Currently, a single Service Pipes instance can be associated with a single FintechOS Portal instance. The corresponding secrets are stored in the Configuration Manager at the kv/{environment name}/service-pipes path.

Key Value Description
openid.config
Copy 
{
    "realm": "fintechOSRealm",
    "auth-server-url": "https://myServer.azurewebsites.net/auth",
    "ssl-required": "external",
    "resource": "admin-servicepipes-dev",
    "principal-attribute": "preferred_username",
    "credentials": {
        "secret": "TkATkOrKeTuubnZqo7ecEKGAgq6UXEvW"
    },
    "use-resource-role-mappings": "false",
    "autodetect-bearer-only": "true"
}
  • realm - The FintechOS realm configured in the FintechOS Identity Provider.
  • auth-server-url -The FintechOS Identity Provider discovery endpoint.
  • ssl-required - The default value is external meaning that HTTPS is required by default for external requests. In production environments, this should be set to all.
  • resource - Name of the Service Pipes resource as defined in the FintechOS realm configured in the FintechOS Identity Provider.
  • principal-attribute - OpenID Connect ID Token attribute used to populate the UserPrincipal name. Possible values are: sub, preferred_username, email, name, nickname, given_name, and family_name. Default: preferred_username.
  • secret - Secret key set up in the FintechOS Identity Provider for the Service Pipes.

  • use-resource-role-mappings - When true, the adapter retrieves the user's application level role mappings from the token. When false, it looks at the realm level role mappings. This should be set up in accordance with your OpenID configuration. Default: false.

  • autodetect-bearer-only - Set it to true. Do not change.

rbac.config
Copy 
{
   "apiMappings":[
      {
         "url":"/inbound",
         "roles":[
            "service-pipes-user"
         ]
      }
   ],
   "applicationMappings":[
      {
         "url":"/actuator",
         "roles":[
            "service-pipes-admin"
         ]
      }
   ]
}

Property used for configuring role based access (RBAC) in Service Pipes.

  • apiMappings - RBAC for API endpoints
    • url - Relative path to the API endpoints. Do not change.
    • roles - Platform user roles that have access to the API endpoints.
  • applicationMappings - RBAC for application management/configuration URL.
    • url - Relative path to the management URL. Do not change.
    • roles - Platform user roles that have access to the management URLs. Here power-users or administrator roles should be configured.
threadpool.config
Copy 
{
    "poolSize": 5,
    "maxPoolSize": "5",
    "maxQueueSize": "10"
}

To optimize the usage of system resources and improve performance, a pool of worker threads (with a corresponding work queue) is kept for all the requests that need to be routed by the Service Pipes.

  • poolSize - Default number of worker threads to be kept alive in the pool. Default: 10.
  • maxPoolSize - Maximum number of worker threads that can be active at one time. Default: 20.
  • maxQueueSize - Maximum number of pending requests waiting in the requests queue. Use -1 for an unbounded queue. Default: 1000.
portal.url https://myServer.azurewebsites.net/portal/api/openApiV2/CallAction URL of the FintechOS Portal instance associated with the Service Pipes.
openapi.enabled

true

 Flag used to determine if requests are forwarded to OpenAPI instead of Portal.
openapi.url https://myServer.azurewebsites.net/ftosapi/automation-processors/actions/ URL address of the OpenAPI component.
portal.username

{username}

 Used by Service Pipes when generating an access token to call the platform.
portal.password

{password}

 Used by Service Pipes when generating an access token to call the platform.
openapi.config Provides Service Pipes with the paths to the endpoints, entities, and digital journeys APIs.
Copy
{
    "serverUrl": "https://<openapi-app-name>.azurewebsites.net/ftosapi",
    "requestType": {
        "endpoint": "/automation-processors/actions/",
        "entity": "/evolutive-data-model/entities/",
        "digitalJourney": "/digital-journeys/"
    }
}
throttle.config
Copy 
{
  "enabled": true,
  "cacheRequestsMillis": ,
  "pool": {
      "maxConnections": ,
      "connectionsPerRoute": ,
      "timeoutConnectionRequest": ,
      "socketTimeout"
  },
  "refreshCacheCron": "",
  "clients": [
    {
      "name": "",
      "allowedRequests": ,
      "allowedTimeFrameMs": ,
      "timeToLive"
    }
  ]
}
 This property is needed only if Service Pipes application is started with the "throttiling" profile.

User Roles

When using the FintechOS Identity Provider for identity and access management, make sure you assign the following user roles accordingly:

  • service-pipes-admin - Role needed for users responsible for monitoring the Service Pipes. This will provide them access to the Service Pipes monitoring tool available at the <Service Pipes URL>/actuator/hawtio path. E.g.: https://myServer.azurewebsites.net/services/actuator/hawtio
  • service-pipes-user - Role needed for users who need to authenticate to the Service Pipes, such as user accounts that will run digital journeys that make calls to the Service Pipes server.

For advanced configurations, roles can be further customized using the Configuration Manager.