ETL proxy

The ETL proxy servlet is an additional server component designed to handle various integration scenarios between map.apps and FME Server. This is the most versatile option and should be used in most scenarios. Using the proxy servlet, the map.apps authentication provided by ArcGIS Online/Portal, Keycloak or security.manager EE (deprecated) can be used to secure FME Server requests.

Installation & configuration

As a first step you need to deploy the ETL proxy servlet WAR file in your Tomcat webapp folder. The necessary configuration can now be done in two files:

application.properties: Webapp configuration for security.manager EE access, logging, etc.
fme-proxy-configuration.json: Configuration of FME Server connections

application.properties

The default location for the application.properties is ${user.home}/.fmesrv/application.properties.

user.home usually points to C:\Windows\ServiceProfiles\LocalService\.fmesrv or C:\User\<user>\.fmesrv.

Please note that you have to create this folder manually: mkdir .fmesrv.

map.apps application.properties

Allow the path to the ETL Proxy in the custom-application.properties of the map.apps installation.

security.oauth.tokenRules=http://<etl proxy url>,BEARER

Keycloak oAuth

Configure the connection to Keycloak.

security.mode=OAUTH
security.oauth.self.service.url=https://<map.apps URL>/account/self
security.oauth.provider=keycloak

ArcGIS Online / Portal oAuth

Configure the connection to ArcGIS Online or ArcGIS Portal.

security.mode=OAUTH
security.oauth.self.service.url=https://<map.apps URL>/account/self
security.oauth.provider=arcgis

security.manager EE

Configure the connection to security.manager EE. Copy these settings from the map.apps properties.

security.mode=INTEGRATED

security.sso.cookie.name=ct_SSO
security.sso.cookie.domain=
security.sso.cookie.bindToIP=false

security.keystore.location=<keystore location>\\.keystore
security.keystore.passwd=changeit
security.keystore.key.alias=ct-security
security.keystore.key.passwd=changeit

security.administration.url=https://<security.manager url>/administration

fme-proxy-configuration.json

Within this file, you can define the individual FME Server URLs you want to use within map.apps ETL.

The basic configuration looks like this:

{
    "fmeserver1": {
        "url": "http://<fmeserver url 1>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // technical user form above is used for all requests
        "userMappingMode": "technical_user",
        // sec.man rules allowed to use this proxy
        "allowedRoles": ["maAdmin"]
    },
    "fmeserver2": {
        "url": "https://<fmeserver url 2>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // "map" requires a user with the same name as in sec.man in FME.
        // In this case the technical user above must be a administrator.
        "userMappingMode": "map",
        // empty array allows access to every authenticated user
        "allowedRoles": [],
        // transmits the currently logged in user with user name ("User") and/or
        //roles ("Roles") and mail address ("Mail") as URL parameters (JSON key) to FME.
        "additionalParameter": {
            "mapapps_etl_roles": "Roles",
            "mapapps_etl_user": "User",
            "opt_requesteremail": "Mail"
        }
    },
    "fmeserver3": {
        "url": "https://<fmeserver url 3>",
        "technicalUser": {
            "token": "<FME REST Token>"
        },
        // "map" requires a user with the same name as in sec.man in FME.
        //In this case the technical user above must be a administrator.
        "userMappingMode": "technical_user",
        "allowedRoles": [],
        "guestAccess": true
    }
}

The json keys fmeserver1 and fmeserver2 can be chosen freely. In this example, the URLs used in map.apps ETL are:

https://<your host name>/fmeproxy/fmeserver1
https://<your host name>/fmeproxy/fmeserver2

FME connection settings

url: Base URL to your FME Server (without /fmeserver).
technical_user.token: FME Server Token used to authenticate against FME. If userMappingMode is technical_user, then only the FME permissions to execute the required FME Workspaces are necessary. If the userMappingMode is map, then this token has to be created with All Permissions by an FME administrator.
userMappingMode: technical_user: All FME workspaces are run using the defined technical user account.

map: The ETL Proxy will search for a FME user account with exactly the same name as the user account logged into map.apps and use this account to run the FME Workspace. This setting requires a FME token with administrative permissions. By default, domains will be removed from the user name. This setting can be changed with: keepDomainAtUsername: "true".
allowedRoles: User roles allowed to use this connection. If empty, every authenticated user will be allowed.
additionalParameter: The parameters Roles, User and Mail (roles, currently logged in user, user mail address) can be appended to the FME request URL. The JSON keys define, how the URL parameter should be named. This allows FME Workspace authors to use these information in FME. E.g. by using the Published Parameter FME_SERVER_REQUEST_PARAMETERS.
guestAccess: No authentication is required. Everyone is allowed to use this connection. Can only be used with: userMappingMode=technical_user.