ETL proxy
The ETL proxy servlet is an additional server component designed to handle various integration scenarios and secure the connection between map.apps and FME Server. This is the most versatile option and should be used in most scenarios. The following authentication options can be used:
- Identity Service (starting from map.apps 4.15.0)
  - including Keycloak, ArcGIS Online, ArcGIS Portal
- oAuth (before map.apps 4.15.0)
  - including Keycloak, ArcGIS Online, ArcGIS Portal
- security.manager EE (deprecated)
- No authentication (guest mode)
Installation & configuration
As a first step you need to deploy the ETL proxy servlet WAR file in your Tomcat webapp folder. Usually the context name etlproxy is chosen.
The necessary configuration can be done in two files:
- application.properties: Webapp configuration for security.manager EE access, logging, etc.
- fme-proxy-configuration.json: Configuration of FME Server connections
application.properties
The default location for the application.properties is ${user.home}/.fmesrv/application.properties.
user.home usually points to C:\Windows\ServiceProfiles\LocalService\.fmesrv or C:\User\<user>\.fmesrv.
Please note that you have to create this folder manually: mkdir .fmesrv
map.apps / Identity Services application.properties
The following configuration is necessary to provide the authentication token to the ETL proxy.
Before map.apps 4.15.0 this has to be configured in map.apps. Starting from map.apps 4.15.0 the configuration has moved to the Identity Service. The configuration is done in the corresponding custom-application.properties.
security.oauth.tokenRules=http://<etl proxy url>,BEARER
Identity Service
Configure the connection to the Identity Service.
security.mode=IDENTITY
security.oauth.self.service.url=https://<Identity Service URL>/account/self
Keycloak oAuth
Configure the connection to Keycloak.
security.mode=OAUTH
security.oauth.self.service.url=https://<map.apps URL>/account/self
security.oauth.provider=keycloak
ArcGIS Online / Portal oAuth
Configure the connection to ArcGIS Online or ArcGIS Portal.
security.mode=OAUTH
security.oauth.self.service.url=https://<map.apps URL>/account/self
security.oauth.provider=arcgis
security.manager EE
Configure the connection to security.manager EE. Copy these settings from the map.apps properties.
security.mode=INTEGRATED
security.sso.cookie.name=ct_SSO
security.sso.cookie.domain=
security.sso.cookie.bindToIP=false
security.keystore.location=<keystore location>\\.keystore
security.keystore.passwd=changeit
security.keystore.key.alias=ct-security
security.keystore.key.passwd=changeit
security.administration.url=https://<security.manager url>/administration
fme-proxy-configuration.json
Within this file, you can define the individual FME Server URLs you want to use within map.apps ETL.
The basic configuration looks like this:
{
    "fmeserver1": {
        "url": "http://<fmeserver url 1>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // technical user from above is used for all requests
        "userMappingMode": "technical_user",
        // sec.man roles allowed to use this proxy
        "allowedRoles": ["maAdmin"]
    },
    "fmeserver2": {
        "url": "https://<fmeserver url 2>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // "map" requires a user with the same name as in sec.man in FME.
        // In this case the technical user above must be an administrator.
        "userMappingMode": "map",
        // empty array allows access to every authenticated user
        "allowedRoles": [],
        // transmits the currently logged in user with user name ("User") and/or
        // roles ("Roles") and mail address ("Mail") as URL parameters (JSON key) to FME.
        "additionalParameter": {
            "mapapps_etl_roles": "Roles",
            "mapapps_etl_user": "User",
            "opt_requesteremail": "Mail"
        }
    },
    "fmeserver3": {
        "url": "https://<fmeserver url 3>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // guestAccess can only be used with userMappingMode "technical_user".
        "userMappingMode": "technical_user",
        "allowedRoles": [],
        // no authentication is required, everyone is allowed to use this connection
        "guestAccess": true
    }
}
The JSON keys fmeserver1 and fmeserver2 can be chosen freely.
In this example, the URLs used in map.apps ETL are:
https://<your host name>/etlproxy/fmeserver1
https://<your host name>/etlproxy/fmeserver2
FME connection settings
- url: Base URL to your FME Server (without /fmeserver).
- technical_user.token: FME Server Token used to authenticate against FME. If userMappingMode is technical_user, then only the FME permissions to execute the required FME workspaces are necessary. If userMappingMode is map, then this token has to be created with All Permissions by an FME administrator.
- userMappingMode:
  - technical_user: All FME workspaces are run using the defined technical user account.
  - map: The ETL Proxy will search for an FME user account with exactly the same name as the user account logged into map.apps and use this account to run the FME workspace. This setting requires an FME token with administrative permissions. By default, domains will be removed from the user name. This setting can be changed with: keepDomainAtUsername: "true".
- allowedRoles: User roles allowed to use this connection. If empty, every authenticated user will be allowed.
- additionalParameter: The parameters Roles, User and Mail (roles, currently logged in user, user mail address) can be appended to the FME request URL. The JSON keys define how the URL parameters are named. This allows FME workspace authors to use this information in FME, e.g. by using the Published Parameter FME_SERVER_REQUEST_PARAMETERS.
- guestAccess: No authentication is required. Everyone is allowed to use this connection. Can only be used with: userMappingMode=technical_user.
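An added example, not part of the original documentation or the product's own code: a small Python audit of fme-proxy-configuration.json that flags the access-widening settings described above (guestAccess, empty allowedRoles, map mode with its administrative token). The sample hosts are constructed, and the http:// check is an added assumption that is not stated on the page.

```python
import json
import re

# Constructed sample in the page's format (JSON with // comments); hosts are placeholders.
SAMPLE = r'''
{
  "fmeserver1": {
    "url": "http://fme1.example.internal",
    "technicalUser": { "token": "<FME REST Token>" },
    // technical user is used for all requests
    "userMappingMode": "technical_user",
    "allowedRoles": ["maAdmin"]
  },
  "fmeserver2": {
    "url": "https://fme2.example.internal",
    "technicalUser": { "token": "<FME REST Token>" },
    "userMappingMode": "map",
    "allowedRoles": [],
    "guestAccess": true
  }
}
'''

def strip_line_comments(text):
    """Drop // comments that sit outside JSON strings (URLs contain // too)."""
    pattern = r'"(?:\\.|[^"\\])*"|//[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def audit(text):
    """Return (connection, finding) pairs for settings the documentation calls out."""
    findings = []
    for name, conn in json.loads(strip_line_comments(text)).items():
        mode = conn.get("userMappingMode")
        guest = conn.get("guestAccess") is True
        if guest and mode != "technical_user":
            findings.append((name, "guestAccess requires userMappingMode=technical_user"))
        if guest:
            findings.append((name, "guestAccess: no authentication, open to everyone"))
        elif not conn.get("allowedRoles"):
            findings.append((name, "empty allowedRoles: every authenticated user may use it"))
        if mode == "map":
            findings.append((name, "map mode: token carries FME administrative permissions"))
        # Added check (assumption, not from the page): plain HTTP exposes the token in transit.
        if conn.get("url", "").lower().startswith("http://"):
            findings.append((name, "http:// url: FME token is sent unencrypted"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

To check a deployed file, pass its contents to audit() and review each finding against the intended audience of that connection.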