ETL proxy

The ETL proxy servlet is an additional server component designed to handle various integration scenarios and secure the connection between map.apps and FME Flow. This is the most versatile option and should be used in most scenarios. The following authentication options can be used:

Identity Service (starting from map.apps 4.15.0)
- including Keycloak, ArcGIS Online, ArcGIS Portal
oAuth (bevor map.apps 4.15.0)
- including Keycloak, ArcGIS Online, ArcGIS Portal
security.manager EE (deprecated)
No authentication (guest mode)

Installation & configuration

As a first step you need to deploy the ETL proxy servlet WAR file in your Tomcat webapp folder. Usually the context name etlproxy is chosen. The necessary configuration can be done in two files:

application.properties: Webapp configuration for security.manager EE access, logging, etc.
fme-proxy-configuration.json: Configuration of FME Flow connections

application.properties

The default location for the application.properties is ${user.home}/.fmesrv/application.properties.

user.home usually points to C:\Windows\ServiceProfiles\LocalService\.fmesrv or C:\User\<user>\.fmesrv.

Please note that you have to create this folder manually: mkdir .fmesrv.

map.apps / Identity Services application.properties

The following configuration is necessary to provide the authentication token to the ETL proxy.

Before map.apps 4.15.0 this has to be configured in map.apps. Starting from map.apps 4.15.0 the configuration has moved to the Identity Service. The configuration is done in the corresponding custom-application.properties.

security.oauth.tokenRules=http://<etl proxy url>,BEARER

Identity Service

Configure the connection to the Identity Service.

security.mode=IDENTITY
security.oauth.self.service.url=https://<Identity Service URL>/account/self

Keycloak oAuth

Configure the connection to Keycloak.

security.mode=OAUTH
security.oauth.self.service.url=https://<map.apps URL>/account/self
security.oauth.provider=keycloak

ArcGIS Online / Portal oAuth

Configure the connection to ArcGIS Online or ArcGIS Portal.

security.mode=OAUTH
security.oauth.self.service.url=https://<map.apps URL>/account/self
security.oauth.provider=arcgis

security.manager EE

Configure the connection to security.manager EE. Copy these settings from the map.apps properties.

security.mode=INTEGRATED

security.sso.cookie.name=ct_SSO
security.sso.cookie.domain=
security.sso.cookie.bindToIP=false

security.keystore.location=<keystore location>\\.keystore
security.keystore.passwd=changeit
security.keystore.key.alias=ct-security
security.keystore.key.passwd=changeit

security.administration.url=https://<security.manager url>/administration

fme-proxy-configuration.json

Within this file, you can define the individual FME Flow URLs you want to use within map.apps ETL.

The basic configuration looks like this:

{
    "fmeserver1": {
        "url": "http://<fmeserver url 1>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // technical user form above is used for all requests
        "userMappingMode": "technical_user",
        // sec.man rules allowed to use this proxy
        "allowedRoles": ["maAdmin"]
    },
    "fmeserver2": {
        "url": "https://<fmeserver url 2>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // "map" requires a user with the same name as in sec.man in FME.
        // In this case the technical user above must be a administrator.
        "userMappingMode": "map",
        // empty array allows access to every authenticated user
        "allowedRoles": [],
        // transmits the currently logged in user with user name ("User") and/or
        //roles ("Roles") and mail address ("Mail") as URL parameters (JSON key) to FME.
        "additionalParameter": {
            "mapapps_etl_roles": "Roles",
            "mapapps_etl_user": "User",
            "opt_requesteremail": "Mail"
        }
    },
    "fmeserver3": {
        "url": "https://<fmeserver url 3>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // "map" requires a user with the same name as in sec.man in FME.
        //In this case the technical user above must be a administrator.
        "userMappingMode": "technical_user",
        "allowedRoles": [],
        "guestAccess": true
    }
}

The json keys fmeserver1 and fmeserver2 can be chosen freely. In this example, the URLs used in map.apps ETL are:

https://<your host name>/etlproxy/fmeserver1
https://<your host name>/etlproxy/fmeserver2

FME connection settings

url: Base URL to your FME Flow (without /fmeserver).
technical_user.token: FME Flow Token used to authenticate against FME. If userMappingMode is technical_user, then only the FME permissions to execute the required FME workspaces are necessary. If the userMappingMode is map, then this token has to be created with All Permissions by an FME administrator.
userMappingMode: technical_user: All FME workspaces are run using the defined technical user account.

map: The ETL Proxy will search for a FME user account with exactly the same name as the user account logged into map.apps and use this account to run the FME workspace. This setting requires a FME token with administrative permissions. By default, domains will be removed from the user name. This setting can be changed with: keepDomainAtUsername: "true".
allowedRoles: User roles allowed to use this connection. If empty, every authenticated user will be allowed.
additionalParameter: The parameters Roles, User and Mail (roles, currently logged in user, user mail address) can be appended to the FME request URL. The JSON keys define, how the URL parameter should be named. This allows FME workspace authors to use these information in FME. E.g. by using the Published Parameter FME_SERVER_REQUEST_PARAMETERS.
guestAccess: No authentication is required. Everyone is allowed to use this connection. Can only be used with: userMappingMode=technical_user.