FME Proxy Servlet
The FME Server Proxy Servlet is an additional server component designed to handle various integration scenarios between FME Server and security.manager authenticated users. This is the most versatile option and should be used in most scenarios.
Installation & Configuration
As a first step you need to deploy the FME Proxy Servlets *.war file in your Tomcat webapp folder. The necessary configuration can now be done in two files:
-
application.properties
-
Webapp configuration for security.manager access, logging, etc.
-
-
fme-proxy-configuration.json
-
Configuration of FME Server connections
-
application.properties
The default location for the application.properties is:
${user.home}/.fmesrv/application.properties
user.home usually points to: C:\Windows\ServiceProfiles\LocalService\.fmesrv
or C:\User\<user>\.fmesrv
Please note that this folder has to be created manually: mkdir .fmesrv
Within the application.properties
the connection to security.manager has to be established. These settings can be copied from the map.apps properties.
security.sso.cookie.name=ct_SSO
security.sso.cookie.domain=
security.sso.cookie.bindToIP=false
security.keystore.location=<keystore location>\\.keystore
security.keystore.passwd=changeit
security.keystore.key.alias=ct-security
security.keystore.key.passwd=changeit
security.administration.url=https://<security.manager url>/administration
fme-proxy-configurations.json
Within this file, you can define the individual FME Server URLs you want to use within map.apps ETL.
The basic configuration looks like this:
{
"fmeserver1": {
"url": "http://<fmeserver url 1>",
"technicalUser": {
"token": "<FME REST Token>"
},
// technical user form above is used for all requests
"userMappingMode": "technical_user",
// sec.man rules allowed to use this proxy
"allowedRoles": ["maAdmin"]
},
"fmeserver2": {
"url": "https://<fmeserver url 2>",
"technicalUser": {
"token": "<FME REST Token>"
},
// "map" requires a user with the same name as in sec.man in FME. In this case the technical user above must be a administrator
"userMappingMode": "map",
// empty array allows access to every authenticated user
"allowedRoles": [],
// transmits the currently logged in user with user name ("User") and/or roles ("Roles") and mail address ("Mail") as URL parameters (JSON key) to FME
"additionalParameter": {
"mapapps_etl_roles": "Roles",
"mapapps_etl_user": "User",
"opt_requesteremail": "Mail"
}
},
"fmeserver3": {
"url": "https://<fmeserver url 3>",
"technicalUser": {
"token": "<FME REST Token>"
},
// "map" requires a user with the same name as in sec.man in FME. In this case the technical user above must be a administrator
"userMappingMode": "technical_user",
"allowedRoles": [],
"guestMode": true
}
}
The json keys fmeserver1
and fmeserver2
can be choosen freely. In this example, the URLs used in map.apps ETL would be:
https://<your host name>/fmeproxy/fmeserver1 https://<your host name>/fmeproxy/fmeserver2
FME Connection Settings
Parameter |
Explanation |
url |
Base URL to your FME Server (without /fmeserver) |
technical_user.token |
FME Server Token used to authenticate against FME. If userMappingMode is 'technical_user', then only the FME permissions to execute the required FME Workspaces are necessary. If the userMappingMode is 'map', then this token has to be created with All Permissions by an FME administrator. |
userMappingMode |
technical_user: All FME workspaces are run using the defined technical user account map: The FME Proxy will search for a FME user account with exactly the same name as the security.manager user account and use this account to run the FME workspace. This setting requires a FME token with administrative permissions. |
allowedRoles |
security.manager roles allowed to use this connection. If empty, every authenticated user will be allowed. |
additionalParameter |
The parameters Roles, User and Mail (security.manager roles, currently logged in user, user mail adress) can be appended to the FME request URL. The json keys define, how the URL parameter should be named. This allowes FME Workspace authors to use these information in FME. E.g. by using the Published Parameter FME_SERVER_REQUEST_PARAMETERS. |
guestMode |
No security.manager authentication is required. Everyone is allowed to use this connection. Can only be used with: userMappingMode=technical_user |