Configuration Manager

Starting with release 22.1, the FintechOS Platform uses the HashiCorp Vault secrets management system to store system configurations in a secure and controlled environment. This protects sensitive data, such as system parameters, environment variables, services credentials, or API keys and simplifies user access and environment management.

NOTE  
When changing system parameters from FintechOS Studio, the corresponding Vault secrets will be updated accordingly.

The Vault Agent can be installed either as an Azure web app for cloud deployments or as a Windows service for on-premise deployments.

Manage Vault Secrets

Directory Structure

The directory structure of a vault path is described below:

<kvSecretsEngine>/<environmentName>/<applicationName>/<node>

<kvSecretsEngine> (Secrets Engine): FintechOS uses Vault's KV version 2 secrets engine to store system configurations as key-value pairs.
<environmentName> (Environment): You can define different sets of configurations specific to various environments such as development, testing, or production. This allows you to change the configurations for your system in one go by switching the environment directory.
<applicationName> (Application): Directory indicating the type of FintechOS system component, such as a FintechOS Studio instance, a FintechOS Portal instance, or a FintechOS Identity Provider.
<node> (Node): Nodes allow you to group your secrets for easy classification and access management.

For example:

kv/production/fintech-os-portal/app-settings

Secrets

Within each node, you can define multiple secrets in the form of key-value pairs.

Vault Connection

To configure the connection between the Vault Agent and a FintechOS Studio or Portal instance, open its web.config file in a text editor and, in the app-settings node, edit the following keys:

<app-settings>
    <add key="vault__uri" value="https://myVaultWebApp" />
    <add key="vault__token" value="myVaultAuthToken" />
    <add key="vault__workspace__application_environment" value="test" />
    <add key="vault__workspace__application_name" value="fintech-os-portal" />
</app-settings>

vault__uri: Address of the Vault Agent web app or Windows service.
vault__token: Authentication token created by Vault for the operator used to access the system configurations.
vault__workspace__application__name: Type of FintechOS ecosystem component. See Application.
vault__workspace__application__environment: Type of environment. See Environment.

Enable web.config Override

IMPORTANT!  
The Vault secrets management system is the default method for storing system configurations. The web.config override is only intended for development and testing purposes, not for production use.

To control your FintechOS Studio or FintechOS Portal application settings from the web.config file instead of Vault, open the web.config file in a text editor and, in the app-settings node, add or enable the following key:

<app-settings>
    ...
    <add key="feature-development-mode" value="1" />
    ...
</app-settings>

feature-development-mode:
  • 1 - enables the web.config override. If an application setting is defined both as a Vault secret and as a web.config key, the web.config key takes precedence.
  • 0 - disables the web.config override.

IMPORTANT!  
The feature-development-mode key should never be enabled in production, as it serves several developer-oriented purposes (e.g., extra logging).
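The following is an added example, not FintechOS or HashiCorp code, that ties the three sections above together: it reads the vault__* keys from a web.config fragment, derives the KV v2 path and API URL for a node under <kvSecretsEngine>/<environmentName>/<applicationName>/<node>, and applies the feature-development-mode precedence rule. The web.config content, the Vault response payload and the secrets engine mount name ("kv", which the page's web.config keys do not carry) are constructed assumptions; the behaviour for keys present in only one source is also an assumption of this example, since the page only defines precedence for keys defined in both.

```python
"""
Added example (not FintechOS or HashiCorp code): map web.config vault__* keys to
KV v2 secret paths and apply the feature-development-mode override rule.
All sample values below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment using the key names from the page.
WEB_CONFIG = """<configuration>
  <app-settings>
    <add key="vault__uri" value="https://myVaultWebApp" />
    <add key="vault__token" value="myVaultAuthToken" />
    <add key="vault__workspace__application_environment" value="production" />
    <add key="vault__workspace__application_name" value="fintech-os-portal" />
    <add key="feature-development-mode" value="1" />
    <add key="LogLevel" value="Debug" />
  </app-settings>
</configuration>"""

# Constructed KV v2 read response for kv/production/fintech-os-portal/app-settings.
# KV v2 nests the secret's key-value pairs under data.data.
VAULT_APP_SETTINGS = {
    "data": {
        "data": {"LogLevel": "Warning", "SessionTimeoutMinutes": "20"},
        "metadata": {"version": 3},
    }
}

VAULT_KEYS = ("vault__uri", "vault__token",
              "vault__workspace__application_environment",
              "vault__workspace__application_name")


def read_app_settings(xml_text):
    """Return every <add key=... value=...> under app-settings as a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}


def secret_path(engine, environment, application, node):
    """Build <kvSecretsEngine>/<environmentName>/<applicationName>/<node>."""
    return f"{engine}/{environment}/{application}/{node}"


def kv2_read_url(vault_uri, engine, environment, application, node):
    """KV v2 exposes secret data at /v1/<mount>/data/<path> (assumed mount name)."""
    return f"{vault_uri.rstrip('/')}/v1/{engine}/data/{environment}/{application}/{node}"


def effective_settings(web_settings, vault_response):
    """Merge Vault secrets with web.config keys according to feature-development-mode."""
    vault_data = vault_response["data"]["data"]
    local = {k: v for k, v in web_settings.items()
             if k not in VAULT_KEYS and k != "feature-development-mode"}
    if web_settings.get("feature-development-mode") == "1":
        merged = dict(vault_data)
        merged.update(local)        # override enabled: web.config key wins
    else:
        merged = dict(local)
        merged.update(vault_data)   # override disabled: Vault secret wins
    return merged


def config_findings(web_settings):
    """Flag the misconfiguration the page warns about: override enabled in production."""
    findings = []
    env = web_settings.get("vault__workspace__application_environment", "")
    if web_settings.get("feature-development-mode") == "1" and env == "production":
        findings.append("feature-development-mode=1 with environment 'production'")
    return findings


if __name__ == "__main__":
    settings = read_app_settings(WEB_CONFIG)
    print(kv2_read_url(settings["vault__uri"], "kv",
                       settings["vault__workspace__application_environment"],
                       settings["vault__workspace__application_name"], "app-settings"))
    print(effective_settings(settings, VAULT_APP_SETTINGS))
    print(config_findings(settings))
```

Running it with the constructed input shows LogLevel resolving to the web.config value because the override is on, and `config_findings` reporting that combination against a production environment, which is the check worth wiring into a deployment pipeline.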

Import system parameters to Vault

Prerequisites

In the secrets engine, make sure the EbsSqlServer secret exists at the following location: <kvSecretsEngine>/<environmentName>/<applicationName>/connection-strings.

To import the system parameters from the database to Vault, use the SysParamToVault executable tool found at the following path: [solution kit folder]\Tools\SysParamToVault\SysParamToVault.exe.

  1. Open Windows PowerShell as an administrator.
  2. Navigate to the SysParamToVault folder from the solution kit.
  3. Run the SysParamToVault.exe file with the following parameters (short name / long name):

g / vault-engine: The name of the secrets engine.
e / vault-endpoint: Vault endpoint.
t / vault-token: Vault token.
n / application-name: Application name.
r / application-environment: Application environment.
d / disable-ui-confirmations: Optional parameter. The default value is 0 (false). If set to true (1), the user must confirm the database name configured in Vault in order for the import process to continue.

The system parameters are now copied to the secrets engine at the following location: <kvSecretsEngine>/<environmentName>/<applicationName>/system-parameters.
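As an added example (not the SysParamToVault tool or FintechOS code), the prerequisite above can be verified before the import by reading the connection-strings node through Vault's KV v2 HTTP API and checking that the EbsSqlServer key is present. The transport is injectable so the check runs offline here against a constructed response; the endpoint, token, mount name "kv" and secret values are all constructed, and the 403/404 handling reflects Vault's documented responses for a missing secret versus a token without read capability.

```python
"""
Added example (not FintechOS code): pre-flight check that the EbsSqlServer
secret exists at <kvSecretsEngine>/<environmentName>/<applicationName>/connection-strings
before running SysParamToVault.  Sample values are constructed.
"""
import json
import urllib.error
import urllib.request


class VaultCheckError(Exception):
    """Raised when the check cannot be completed (permission or transport problem)."""


def kv2_data_url(endpoint, engine, environment, application, node):
    """KV v2 read endpoint: /v1/<mount>/data/<path> (mount name is an assumption)."""
    return f"{endpoint.rstrip('/')}/v1/{engine}/data/{environment}/{application}/{node}"


def http_get(url, token):
    """Real transport: GET with the X-Vault-Token header; returns (status, body)."""
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def secret_has_key(endpoint, engine, environment, application, node, key,
                   token, transport=http_get):
    """True if the node exists and contains `key`; False if the node is absent."""
    url = kv2_data_url(endpoint, engine, environment, application, node)
    status, body = transport(url, token)
    if status == 404:
        return False                      # node not present at this path
    if status == 403:
        raise VaultCheckError(f"token lacks read capability on {url}")
    if status != 200:
        raise VaultCheckError(f"unexpected HTTP {status} from {url}")
    return key in json.loads(body)["data"]["data"]


def check_import_prerequisites(endpoint, engine, environment, application,
                               token, transport=http_get):
    """The page's prerequisite: EbsSqlServer must exist under connection-strings."""
    return secret_has_key(endpoint, engine, environment, application,
                          "connection-strings", "EbsSqlServer", token, transport)


# Constructed offline transport standing in for a Vault Agent: one populated node,
# everything else 404, and 403 for any token other than the constructed one.
CONSTRUCTED_TOKEN = "s.constructed-token"
_STORE = {
    kv2_data_url("https://vault.example", "kv", "test", "fintech-os-portal",
                 "connection-strings"):
        (200, json.dumps({"data": {"data": {"EbsSqlServer": "CONSTRUCTED_CONNECTION_STRING"},
                                   "metadata": {"version": 1}}})),
}


def fake_transport(url, token):
    if token != CONSTRUCTED_TOKEN:
        return 403, '{"errors":["permission denied"]}'
    return _STORE.get(url, (404, '{"errors":[]}'))


if __name__ == "__main__":
    ok = check_import_prerequisites("https://vault.example", "kv", "test",
                                    "fintech-os-portal", CONSTRUCTED_TOKEN,
                                    transport=fake_transport)
    print("EbsSqlServer present:", ok)
```

Swap `fake_transport` for the default `http_get` to run the check against a real Vault Agent; a False result means the import would fail on a missing connection string, while a VaultCheckError points at the token's policy rather than the data.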

OIDC Integration with IDP

The FintechOS platform comes with the capability to set up an OpenID Connect protocol integration between the Configuration Manager (Vault) and the FintechOS Identity Provider. This feature helps with accessing and configuring different components of the platform, in particular the Configuration Manager.

The OIDC integration comes with:

  • policy-based access
  • FintechOS role-based access for the following security roles:
    • Developer: can read connection strings, can update app settings, b2c, FtosOpenApi.
    • Release Manager: has the same privileges as the Developer security role, plus update app-features and app-configurations.

Login to Configuration Manager with OIDC Enforced

  1. In your browser, go to the Vault instance of your environment.
  2. From the Method dropdown, pick OIDC.
  3. In the Role field, type in Developer or ReleaseManager. Click Sign in with OIDC Provider. A popup opens.
  4. Add your Username and Password. Click Sign In. The Configuration Manager opens and you will be able to see and access certain areas and secrets/configurations based on the role you have.