FME Proxy Servlet

The FME Server Proxy Servlet is an additional server component designed to handle various integration scenarios between FME Server and security.manager authenticated users. This is the most versatile option and should be used in most scenarios.

Installation & Configuration

As a first step, deploy the FME Proxy Servlet's *.war file in your Tomcat webapps folder. The necessary configuration is then done in two files:

  • application.properties

    • Webapp configuration for security.manager access, logging, etc.

  • fme-proxy-configuration.json

    • Configuration of FME Server connections

application.properties

The default location for the application.properties is: ${user.home}/.fmesrv/application.properties

With the usual user.home, the folder is: C:\Windows\ServiceProfiles\LocalService\.fmesrv or C:\Users\<user>\.fmesrv

Please note that this folder has to be created manually: mkdir .fmesrv

Within the application.properties the connection to security.manager has to be established. These settings can be copied from the map.apps properties.

security.sso.cookie.name=ct_SSO
security.sso.cookie.domain=
security.sso.cookie.bindToIP=false

security.keystore.location=<keystore location>\\.keystore
security.keystore.passwd=changeit
security.keystore.key.alias=ct-security
security.keystore.key.passwd=changeit


security.administration.url=https://<security.manager url>/administration

fme-proxy-configurations.json

Within this file, you can define the individual FME Server URLs you want to use within map.apps ETL.

The basic configuration looks like this:

{
    "fmeserver1": {
        "url": "http://<fmeserver url 1>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // technical user from above is used for all requests
        "userMappingMode": "technical_user",
        // sec.man roles allowed to use this proxy
        "allowedRoles": ["maAdmin"]
    },
    "fmeserver2": {
        "url": "https://<fmeserver url 2>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // "map" requires a user with the same name as in sec.man in FME. In this case the technical user above must be an administrator
        "userMappingMode": "map",
        // empty array allows access to every authenticated user
        "allowedRoles": [],
        // transmits the currently logged in user with user name ("User") and/or roles ("Roles") and mail address ("Mail") as URL parameters (JSON key) to FME
        "additionalParameter": {
            "mapapps_etl_roles": "Roles",
            "mapapps_etl_user": "User",
            "opt_requesteremail": "Mail"
        }
    },
    "fmeserver3": {
        "url": "https://<fmeserver url 3>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // guestAccess can only be used with userMappingMode "technical_user"
        "userMappingMode": "technical_user",
        "allowedRoles": [],
        "guestAccess": true
    }
}

The JSON keys fmeserver1 and fmeserver2 can be chosen freely. In this example, the URLs used in map.apps ETL would be:

https://<your host name>/fmeproxy/fmeserver1
https://<your host name>/fmeproxy/fmeserver2

FME Connection Settings

| Parameter | Explanation |
| --- | --- |
| url | Base URL to your FME Server (without /fmeserver) |
| technicalUser.token | FME Server Token used to authenticate against FME. If userMappingMode is 'technical_user', then only the FME permissions to execute the required FME Workspaces are necessary. If the userMappingMode is 'map', then this token has to be created with All Permissions by an FME administrator. |
| userMappingMode | technical_user: All FME workspaces are run using the defined technical user account. map: The FME Proxy will search for an FME user account with exactly the same name as the security.manager user account and use this account to run the FME workspace. This setting requires an FME token with administrative permissions. |
| allowedRoles | security.manager roles allowed to use this connection. If empty, every authenticated user will be allowed. |
| additionalParameter | The parameters Roles, User and Mail (security.manager roles, currently logged-in user, user mail address) can be appended to the FME request URL. The JSON keys define how the URL parameters are named. This allows FME Workspace authors to use this information in FME, e.g. by using the Published Parameter FME_SERVER_REQUEST_PARAMETERS. |
| guestAccess | No security.manager authentication is required. Everyone is allowed to use this connection. Can only be used with: userMappingMode=technical_user |
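
The rules in the connection settings above can be checked mechanically before a connection file is deployed. The following Python script is an added example, not part of the FME Proxy Servlet or of the original documentation. It assumes the file may carry // comments as in the sample above, uses a constructed sample with a hypothetical host and placeholder tokens, and its plain-http warning is an extra check that this page does not state.

```python
import json
import re

# A JSON string or a // comment; strings are kept so "http://" is not cut.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def load_config(text):
    """Parse the connection file after dropping // comments (as in the sample)."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return json.loads(_TOKEN.sub(keep, text))

def audit(config):
    """Return (connection, severity, message) findings per connection."""
    out = []
    for name, conn in config.items():
        mode = conn.get("userMappingMode")
        guest = conn.get("guestAccess") is True
        url = conn.get("url", "")
        if mode not in ("technical_user", "map"):
            out.append((name, "error", f"unknown userMappingMode {mode!r}"))
        if guest and mode != "technical_user":
            out.append((name, "error", "guestAccess requires userMappingMode=technical_user"))
        if guest:
            out.append((name, "warn", "guestAccess: usable without security.manager login"))
        elif not conn.get("allowedRoles"):
            out.append((name, "warn", "empty allowedRoles: every authenticated user allowed"))
        if mode == "map":
            out.append((name, "warn", "map mode: needs a token with All Permissions (admin)"))
        if url.lower().startswith("http://"):  # added check, not a rule from the page
            out.append((name, "warn", "plain http: token reaches FME Server unencrypted"))
        if url.rstrip("/").lower().endswith("/fmeserver"):
            out.append((name, "error", "url must be the base URL without /fmeserver"))
    return out

# Constructed sample (hypothetical host, placeholder tokens), not a real deployment.
SAMPLE = """{
  // guest connection wrongly combined with "map", reached over plain http
  "public": {"url": "http://fme.example.internal/fmeserver",
             "technicalUser": {"token": "PLACEHOLDER"},
             "userMappingMode": "map", "allowedRoles": [], "guestAccess": true},
  "admin":  {"url": "https://fme.example.internal",
             "technicalUser": {"token": "PLACEHOLDER"},
             "userMappingMode": "technical_user", "allowedRoles": ["maAdmin"]}
}"""

if __name__ == "__main__":
    for finding in audit(load_config(SAMPLE)):
        print(": ".join(finding))
```

Findings with severity "error" contradict a rule stated on this page; "warn" findings mark connections whose reach or token privileges deserve a deliberate decision.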