Deploying the Wallet
Please ensure that you have Helm installed correctly before proceeding with the steps outlined below. Refer to Installing Helm for details.
Wallet Deployment using Helm Charts
All FPX components, including the Wallet, are packaged as Helm charts for easy and convenient deployment. There are two ways to gain access to the chart, either directly via the chart source code or by adding the remote repository:
$ helm repo add identos https://charts.dev.identos.ca
It should then show up with the command:
$ helm repo list
Finally, to install the Helm chart after building the configuration file, run the following command:
$ helm upgrade --install example identos/fpx-wallet -f configuration.yaml
During the installation, the component network will be deployed. Installation is complete when you run the following command and all deployments are ready, up-to-date and available (the numbers may differ based on the configuration applied):
$ kubectl get deployments
NAME                READY   UP-TO-DATE   AVAILABLE   AGE
wallet-example      1/1     1            1           2m6s
wallet-exampleapi   1/1     1            1           2m6s
wallet-exampleui    1/1     1            1           2m6s
The deployed HTTP endpoints can be listed with the command below. Depending on your environment, the ADDRESS field may or may not show an external address.
$ kubectl get ing
NAME                HOSTS                    ADDRESS   PORTS     AGE
wallet-example      wallet.example.com                 80, 443   6m6s
wallet-exampleapi   wallet-api.example.com             80, 443   6m6s
wallet-exampleui    wallet-ui.example.com              80, 443   6m6s
Building the Helm Chart Configuration File
Configuration for a Helm chart used for the deployment of a Wallet is provided as a YAML formatted file. The following table lists the configuration parameters, a description for each one, and their default values.
Parameter | Description | Default |
---|---|---|
registry.remoteSecret | The name of the secret where the container image credentials are stored. | null |
wallet.enabled | If the Wallet server should be deployed. | true |
wallet.replicaCount | Number of replicas to deploy of the Wallet server, set to a number > 1 for redundancy purposes. Note: Replication will depend on the deployment of the Kubernetes instance. If Kubernetes is deployed in one zone on the cloud, the replica will be created within that zone. | 1 |
wallet.registry | Docker container image location. | registry.git.identos.ca/fpx-wallet/wallet-server |
wallet.tag | Docker container image tag. | v0.11.0 |
wallet.hostOverride | Domain name that the Wallet server will respond to for ingress rules. | null |
wallet.config | Wallet application configuration details. Refer to Wallet Server. | {} |
wallet.resources | Pod resources and limits. | {} |
wallet.nodeSelector | Node selector rules. | {} |
wallet.tolerations | Any node taints to tolerate. | {} |
wallet.affinity | Any resource affinities for node selection. | {} |
wallet.suffix | Suffix value for the Wallet. | null |
wallet.refresh | Useful parameter to force the application to restart when new configurations are applied. | 42 |
wallet.deployment.annotations | Any custom annotations for this deployment object. | {} |
wallet.ingress.enabled | Boolean value enabling or disabling the creation of an ingress record. | false |
wallet.ingress.host | Hostname with which an ingress record can be configured. | null |
wallet.ingress.annotations | Any custom annotations for this ingress record. | {} |
wallet.ingress.tls.hosts | Hostname of environment. | null |
wallet.ingress.tls.secretName | Name of the secret holding the SSL certificate used for HTTPS. | null |
wallet.image.credentials | Name of the secret within the deploy namespace that contains the credentials for the container image. | identos |
wallet.keystores.https.alias | The alias (or name) under which the key is stored in the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details. | null |
wallet.keystores.https.enabled | Enable HTTPS. | true |
wallet.keystores.https.jwks | The key itself as a md5 encoded PKCS12 KeyStore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details. | null |
wallet.keystores.https.password | The password of the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details. | null |
wallet.keystores.signingKey.enable | Enable the key used for signing/verifying. | false |
wallet.application.mountFile | Wallet application mountfile details. | {} |
walletapi.enabled | If the Wallet API server should be deployed. | true |
walletapi.replicaCount | Number of replicas to deploy of the Wallet API server, set to a number > 1 for redundancy purposes. | 1 |
walletapi.registry | Docker container image location. | registry.git.identos.ca/fpx-wallet/wallet-admin-api |
walletapi.tag | Docker container image tag. | v0.2.0 |
walletapi.hostOverride | Domain name that the Wallet API server will respond to for ingress rules. | null |
walletapi.config | Wallet API application configuration details. Refer to Wallet API. | {} |
walletapi.resources | Pod resources and limits. | {} |
walletapi.nodeSelector | Node selector rules. | {} |
walletapi.tolerations | Any node taints to tolerate. | {} |
walletapi.affinity | Any resource affinities for node selection. | {} |
walletapi.refresh | Useful parameter to force application to restart when new configurations are applied. | 42 |
walletapi.deployment.annotations | Any custom annotations for this deployment object | {} |
walletapi.ingress.enabled | Boolean value enabling or disabling the creation of an ingress record. | false |
walletapi.ingress.host | Hostname with which an ingress record can be configured. | null |
walletapi.ingress.annotations | Any custom annotations for this ingress record. | {} |
walletapi.ingress.tls.hosts | Hostname of environment. | null |
walletapi.ingress.tls.secretName | Name of the secret holding the SSL certificate used for HTTPS. | null |
walletapi.image.credentials | Name of the secret within the deploy namespace that contains the credentials for the container image. | identos |
walletapi.keystores.https.alias | The alias (or name) under which the key is stored in the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details. | null |
walletapi.keystores.https.enabled | Enable HTTPS. | true |
walletapi.keystores.https.jwks | The key itself as a md5 encoded PKCS12 KeyStore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details. | null |
walletapi.keystores.https.password | The password of the keystore. This needs to be in a base64 encoded format. Refer to the Keystore Creation and Configuration section for details. | null |
walletapi.keystores.signingKey.enable | Enable the key used for signing/verifying. | null |
walletui.enabled | If the Wallet UI server should be deployed. | true |
walletui.replicaCount | Number of replicas to deploy of the Wallet UI server, set to a number > 1 for redundancy purposes. Note: Replication will depend on the deployment of the Kubernetes instance. If Kubernetes is deployed in one zone on the cloud, the replica will be created within that zone. | 1 |
walletui.registry | Docker container image location. | registry.git.identos.ca/fpx-wallet/wallet-webui |
walletui.tag | Docker container image tag. | v1.0.0 |
walletui.hostOverride | Domain name that the Wallet UI server will respond to for ingress rules. | null |
walletui.config | Wallet UI application configuration details. Refer to Wallet UI. | {} |
walletui.resources | Pod resources and limits. | {} |
walletui.nodeSelector | Node selector rules. | {} |
walletui.tolerations | Any node taints to tolerate. | {} |
walletui.affinity | Any resource affinities for node selection. | {} |
walletui.i18n | Language configuration for the Wallet UI server. Refer to Language Configuration. | {} |
mysql.enabled | Determines whether a test version of MySQL will be deployed. | {} |
walletui.refresh | Useful parameter to force application to restart when new configurations are applied. | 42 |
walletui.replicaCount | Number of replicas to deploy of the Wallet UI. | 1 |
walletui.deployment.annotations | Any custom annotations for this deployment object | {} |
walletui.ingress.enabled | Boolean value enabling or disabling the creation of an ingress record. | false |
walletui.ingress.host | Hostname with which an ingress record can be configured. | null |
walletui.ingress.annotations | Any custom annotations for this ingress record. | {} |
walletui.ingress.tls.hosts | Hostname of environment. | null |
walletui.ingress.tls.secretName | Name of the secret holding the SSL certificate used for HTTPS. | null |
walletui.image.credentials | Name of the secret within the deploy namespace that contains the credentials for the container image. | identos |
Keystore Creation and Configuration
The Wallet Server deployment configuration YAML contains several parameters that address keystore values. The keystore is used to store the custom signing and encryption keys for the Wallet Server and the Wallet Server API. The parameters used to define keystore-related values are:
- wallet.keystores.https.alias
- wallet.keystores.https.enabled
- wallet.keystores.https.jwks
- wallet.keystores.https.password
- wallet.keystores.signingKey.enable
- walletapi.keystores.https.alias
- walletapi.keystores.https.enabled
- walletapi.keystores.https.jwks
- walletapi.keystores.https.password
- walletapi.keystores.signingKey.enable
In order to populate the alias, JWKS key and password parameters, the following steps need to be executed:
1) Generate a keystore and alias key.
2) Apply base64 encoding for the alias name, password and JWKS key.
3) Update these base64 encoded values into the YAML config file.
To generate the key and the keystore, run the following command:
keytool -genkey -v -keystore wallet.jks -alias <custom_alias> -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -ext KeyUsage=keyCertSign -validity 10000
IMPORTANT: The keystore alias defined should always be in lowercase. The alias can be of alpha-numeric characters only.
To apply the base64 encoding for the alias name, password and JWKS key, run the following commands. Use printf rather than a bare echo, so that the trailing newline echo appends is not encoded into the value:
printf '%s' '<alias name>' | base64
printf '%s' '<password>' | base64
printf '%s' '<JWKS Key>' | base64
These commands return the values in base64 encoded format. Enter the encoded values in the configuration parameters listed above.
For production environments, it is recommended that individual keystores and key values exist for the Wallet Server and the Wallet Server API parameters.
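The three steps above, carried through as an added shell example that is not part of the FPX documentation: it enforces the lowercase alphanumeric alias rule, base64-encodes the alias, the password and the keystore file without the trailing newline that a bare `echo | base64` would include, shows how to detect an encoded value that carries that newline, and prints the wallet.keystores.https fragment for the Helm configuration file. The keystore it encodes in the demo is a constructed placeholder file (the real one comes from the keytool command above), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the FPX documentation). Function names are assumptions.
set -eu

# The documented alias rule: non-empty, lowercase alphanumeric characters only.
valid_alias() {
    case "$1" in
        '' | *[!a-z0-9]*) return 1 ;;
    esac
    return 0
}

# Base64 of a string. printf '%s' (rather than echo) keeps a trailing newline
# out of the encoded value; tr removes the line wrapping some base64 tools add.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Base64 of a file (the JKS/PKCS12 keystore) as a single line.
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Returns 0 if an already-encoded value decodes to bytes containing a newline,
# i.e. it was produced with a bare echo and will not match the real secret.
encoded_has_newline() {
    printf '%s' "$1" | base64 -d | od -An -c | grep -q '\\n'
}

# Emit the Helm values fragment for the Wallet Server keystore parameters.
# Usage: render_keystore_values <alias> <password> <keystore-file>
render_keystore_values() {
    valid_alias "$1" || { echo "alias must be lowercase alphanumeric: $1" >&2; return 1; }
    [ -f "$3" ] || { echo "keystore file not found: $3" >&2; return 1; }
    cat <<EOF
wallet:
  keystores:
    https:
      enabled: true
      alias: $(b64_value "$1")
      password: $(b64_value "$2")
      jwks: $(b64_file "$3")
EOF
}

# Demo with a constructed placeholder keystore file. In a real run, point the
# third argument at the wallet.jks produced by the keytool command above.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'constructed-placeholder-keystore-bytes' > "$tmp/wallet.jks"
render_keystore_values walletkey 'change-me' "$tmp/wallet.jks"
```

The fragment printed by render_keystore_values can be merged into configuration.yaml as-is; for the Wallet Server API, run it a second time with a separate keystore and place the result under walletapi.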
Application Configuration
The following configuration files should be used in the Helm chart for the config directives under each application section, namely wallet.config, walletui.config, walletui.i18n and walletapi.config. Values should be left at the defaults provided, except for the replacement values listed in each section.
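Since only the replacement values are meant to change, a pre-deploy check that catches values left unreplaced is worth keeping next to the Helm command. The following shell script is an added example, not part of the FPX documentation: it flags the `<ANGLE_PLACEHOLDER>` and `{{MOUSTACHE_PLACEHOLDER}}` markers and the example credentials and demo hostnames used in the sample files of this chapter, confirms that ddl-auto is still set to validate, and checks that a value destined for a base64 parameter actually decodes. File names, function names and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the FPX documentation). Function names are assumptions.
set -eu

# Print (with line numbers) every line that still carries an unreplaced value:
# <ANGLE_PLACEHOLDER> or {{MOUSTACHE_PLACEHOLDER}} in the upper-case convention the
# sample files use (so UI template variables such as {{walletName}} are ignored),
# or the sample credentials and demo hostnames from the chapter's sample YAML.
# Returns 1 if anything was found, 0 if the file is clean, 2 if it is missing.
find_placeholders() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    grep -nE '<[A-Z][A-Za-z_]*>|\{\{[A-Z_]+\}\}|exampleuser|examplepassword|demourl' "$1" && return 1
    return 0
}

# Confirm Hibernate only validates the schema; the chapter requires ddl-auto to be
# "validate", whether written as "hibernate.ddl-auto:" or nested under "hibernate:".
ddl_auto_is_validate() {
    grep -qE '(^|[[:space:]]|\.)ddl-auto:[[:space:]]*validate[[:space:]]*$' "$1"
}

# A value for a base64 parameter (for example wallet.keystores.https.alias) must decode.
field_is_base64() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Run all file-level checks; report each failure and return non-zero if any failed.
lint_config() {
    rc=0
    find_placeholders "$1" || { echo "unreplaced placeholders or sample values in $1" >&2; rc=1; }
    ddl_auto_is_validate "$1" || { echo "ddl-auto is not 'validate' in $1" >&2; rc=1; }
    return $rc
}

# Demo on two constructed files: one with a placeholder left in, one filled in.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/unfilled.yaml" <<'EOF'
spring:
  datasource:
    username: {{DATABASE_USERNAME}}
    password: {{DATABASE_PASSWORD}}
  jpa:
    hibernate:
      ddl-auto: validate
EOF
cat > "$tmp/filled.yaml" <<'EOF'
spring:
  datasource:
    username: walletadmin
    password: s3cr3t-from-your-secret-store
  jpa:
    hibernate:
      ddl-auto: validate
EOF
for f in "$tmp/unfilled.yaml" "$tmp/filled.yaml"; do
    if lint_config "$f"; then echo "OK: $f"; else echo "FAIL: $f"; fi
done
```

Run lint_config against the rendered configuration.yaml before `helm upgrade --install`; a non-zero exit means a placeholder, a sample credential, or a changed ddl-auto would otherwise reach the cluster.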
Wallet Server Application Config
The configuration details required under the wallet.config parameter are:
- Authorization Server domain name, clientid and secret (eg. https://authserver, clientid, secret)
- Wallet Server domain name (eg. https://walletserver)
- Wallet Web UI domain name (eg. https://walletui)
- Wallet Native url scheme (eg. com.identos.wallet)
- Database host, dbname, username and password (eg. dbhost, dbwallet, dbusername, dbpassword)
Verifiable Credentials is an optional feature for the FPX Wallet that needs to be enabled via specific configuration parameters under wallet.config. The sample YAML shown in this section does not contain these optional parameters. Refer to the Verifiable Credentials chapter for more details on the specific configuration required to enable this feature.
A sample YAML file is shown below, followed by a detailed description of each parameter: what it does, whether it is required, and its accepted values.
server.tomcat.remote_ip_header: x-forwarded-for
server.tomcat.protocol_header: x-forwarded-proto
server.tomcat.use-relative-redirects: true
server.error.whitelabel.enabled: false
server.port: 8084
timezone: UTC
i18n:
  defaultLang: en
  allLanguages: fr, en
  basename: classpath:./i18n/messages
  cacheEvictFixedRateString: PT30S
cors:
  origins:
    - http://wallet-ui.demourl
idp:
  user:
    account:
      idpManageUrl: https://<IDP_Account_Management_URL>/
      idpUserDeleteEnabled: false
      idpUserDeleteUrl: https://<IDP_Account_Deletion_Endpoint_URL>
logging:
  level:
    com.identos.fpxwallet.walletserver: DEBUG
    org.hibernate.SQL: DEBUG
    org.hibernate.type: DEBUG
  config: classpath:logback-dev.xml
pending-auth-request:
  requestExpiryInseconds: 1800
mobile-permission-path: consent_request
mobile-host: com.identos.custom.schema.url://fpx-wallet/
server-host: http://wallet.demourl
web-host: http://wallet-ui.demourl
oidc:
  provider:
    issuer: ${server-host}
  client:
    redirectHost: ${server-host}
navigator:
  fallbackBaseUrl: ${web-host}
  redirects:
    - baseUrl: ${mobile-host}
      idpPath: /oauth_callback
      consentPath: ${mobile-permission-path}
      dsPath: /oauth_callback
      errorPath: /error
    - baseUrl: ${web-host}
      idpPath: /idp-callback
      consentPath: /as-authorize
      dsPath: /rs-callback
      errorPath: /login
  errorPageRedirectUrl: ${web-host}/login
app:
  device:
    verificationUrl: ${mobile-host}${mobile-permission-path}
  idpUserDeleteUrl: https://<IDP_Account_Deletion_Endpoint_URL>
  logo: "identos.png"
  name: An app name
  errorPageRedirectUrl: ${web-host}/login
  errorPageTitle: Error
fpxwallet.walletserver.resources.login-page.css: ${server-host}/style.css
idp.user.account.delete.enable: false
# --------------------
# Database and Spring Defaults
# --------------------
spring:
  session:
    store-type: jdbc
    jdbc:
      initialize-schema: always
      table-name: SPRING_SESSION
  thymeleaf:
    cache: false
    prefix: classpath:./templates/
  datasource:
    driverClassName: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://wallet-database-url/wallet?createDatabaseIfNotExist=true
    username: exampleuser
    password: examplepassword
  jpa:
    hibernate.ddl-auto: validate
    generate-ddl: false
    show-sql: false
    open-in-view: false
  flyway:
    enabled: true
    locations: classpath:db/development
  mvc:
    throw-exception-if-no-handler-found: true
    pathmatch.matching-strategy: ant_path_matcher
  web:
    resources:
      add-mappings: false
mountFile:
  - filename: messages_en.properties
    identifier: i18n-en
    folderpath: "/etc/config/"
    data: |-
      error_title=Session timed out
      ontario_trusted_account=CareHub account
      session_timed_out_title=Session Timed Out
      session_timed_out_message=Your session timed out. Please restart your account set up process.
      try_again=Please Start Again
      no_script=You need to enable JavaScript to run this app.
      redirect_to_app=Redirect to native app
      oauth_success_title=Access your account
      oauth_success_message=To complete this flow and access your account, you must return to your Navigator app.
      oauth_success_button=Continue in the Navigator
Global Server Parameters
Configuration directives that are used for overall application configuration.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
server.tomcat.remote_ip_header | Header to use as remote IP address for client connections. | x-forwarded-for | Yes |
server.tomcat.protocol_header | Header to use as remote protocol for client connections. | x-forwarded-proto | Yes |
server.tomcat.use-relative-redirects | When redirecting, assume links are relative. | True | Yes |
server.port | Application port to listen for client connections on. | 8080 | |
server.error.whitelabel.enabled | Enable built in spring configuration file. | false | Yes |
spring.thymeleaf.prefix | Location of template files for Wallet selection and error pages. Can use external sources such as https:// | classpath:./templates/ | Yes |
spring.resources.static-locations | Location of static files such as css/html/javascript for template files. | classpath:./static/ | Yes |
mobile-host | This property is the URI to a mobile frontend application. | com.identos.demo.wallet://fpx-wallet/ | Yes |
web-host | This property is the URL for the Wallet frontend application. | | Yes |
server-host | This property is the URL of the Wallet Server. | http://localhost:8084 | Yes |
fpxwallet.walletserver.resources.login-page.css | This property is configured to set the path to the CSS file for default theme. | ${server-host}/style.css | Yes |
spring.mvc.throw-exception-if-no-handler-found | Returns an exception for 404 errors and allows the administrator to define a custom response | true | Yes |
spring.web.resources.add-mappings | Defines whether to use spring default resource mappings - default mappings have been replaced with specifically configured mappings | false | Yes |
spring.mvc.pathmatch.matching-strategy | This parameter is related to the spring.web.resources.add-mappings parameter and enables mapping via an ant path. | ant_path_matcher | Yes |
Identity Provider Configuration
Parameter | Description | Suggested Value | Required |
---|---|---|---|
idp.user.account.idpManageUrl | An endpoint that can be exposed by an identity provider to allow the Wallet Server to manage the user's account. | {{an-identity-provider-account-management-url}} | Yes |
idp.user.account.idpUserDeleteEnabled | When receiving a request to delete a user's account, this parameter determines whether the Wallet will delete the user's account at the Identity Provider in addition to deleting the account at the Wallet. | false | Yes |
idp.user.account.idpUserDeleteUrl | An endpoint that can be exposed by an identity provider which allows the Wallet to delete the user's account with the provider. | {{an-identity-provider-account-deletion-url}} | Yes |
Localization
Configuration directives for localization support.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
i18n.defaultLang | Default language used for localization. | en | Yes |
i18n.allLanguages | Comma separated list of language strings to support localization for, e.g. "en, fr". | en | Yes |
i18n.basename | Location for localization strings to use in static template files. | classpath:./i18n/messages | Yes |
i18n.cacheEvictFixedRateString | Defines the frequency at which cached localized strings (locale, key) are evicted and re-loaded from the source. | PT8H | No |
i18n.useCodeAsDefaultMessage | Whether the unresolved localization code (key) will be returned in API responses that contain localizable fields, in cases where there is no localization message corresponding to that code in the language_translations table. | false | No, defaults to false |
Logging
Parameter | Description | Suggested Value | Required |
---|---|---|---|
logging | See https://docs.spring.io/spring-boot/docs/2.3.5.RELEASE/reference/html/spring-boot-features.html#boot-features-logging for logging customizations. | null | No |
logging.level.com.identos | Controls the level at which the application's configured loggers will be permitted to log. This applies only to loggers that exist in a package that begins with "com.identos" | DEBUG | No. If not set, defaults to INFO level. |
logging.config | Sets the configuration file for application logging. This value will output structured logs in compressed, single-line JSON format. To view the logs in a human-readable format (i.e. for development purposes), this value can be set to classpath:logback-dev.xml . | classpath:logback-spring.xml | No. If not set, defaults to classpath:logback-spring.xml. |
Pending Auth Request
Parameter | Description | Suggested Value | Required |
---|---|---|---|
pending-auth-request.requestExpiryInseconds | The pending-auth-request is an outgoing authorization request to either an identity provider or a resource server during a wallet account login or the data source connection flow. This parameter defines, in seconds, for how long the pending-auth-request stays valid. If the pending-auth-request reaches its expiry time before the user is able to complete authentication to login or to connect to a data source, the wallet server will reject the request and the user will be redirected to an error page. | 1800 | No, default value is 600 |
Database Configuration
Database configuration for the Wallet Server
Parameter | Description | Suggested Value | Required |
---|---|---|---|
spring.flyway.enabled | Enable or disable automatic Flyway migrations. | true | Yes |
spring.flyway.locations | Location for DB migration scripts. | classpath:db/migration,classpath:db/development | Yes |
spring.datasource.driverClassName | Driver to use for DB connections (only MySQL supported). | com.mysql.cj.jdbc.Driver | Yes |
spring.datasource.url | JDBC URL for DB connections. | jdbc:mysql://database-hostname/wallet?createDatabaseIfNotExist=true | Yes |
spring.datasource.username | Username for database connection. | username | Yes |
spring.datasource.password | Password for database connection. | password | Yes |
spring.jpa.hibernate.ddl-auto | Validate database structure on startup. | validate | Yes |
spring.jpa.show_sql | Show all SQL queries that are run against the database source in the logs. | false | No |
spring.jpa.generate_ddl | A flag that determines whether a SQL Database should be initialized at startup. | true | Yes |
OIDC Configuration Settings
OIDC configuration settings including both client / server settings.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
oidc.client.redirectHost | Hostname to use for redirect URIs back to Wallet server after authorization | https://walletserver.com | Yes |
oidc.provider.issuer | Issuer URL when acting as an OIDC provider | https://walletserver.com | Yes |
oidc.provider.jwksEndpoint | Endpoint that contains JWKS for private key authentication | /jwks | No |
Navigator Configuration
Configuration for the web and mobile IDENTOS Navigator used as the Wallet user interface.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
navigator.fallbackBaseUrl | Web Wallet Client URL to fallback to if other Navigator URLs don't work | https://ui.walletserver.com | Yes |
navigator.redirectInterval | Frequency at which the Wallet Server should cycle through the list of navigators when trying to redirect to one | 50 | No |
navigator.useIntermediateCallbackUI | Show an intermediate page during the redirect from the Wallet Server to the Wallet user agent | false | No |
navigator.redirects.baseUrl | Base URL for a Navigator | com.identos.custom.schema.url://fpx-wallet/ | Yes |
navigator.redirects.idpPath | Path at a Navigator that the Wallet Server will redirect to after connecting to an Identity Provider | com.identos.custom.schema.url://fpx-wallet | Yes |
navigator.redirects.consentPath | Path for the Navigator to gather consent from the end user during an authorization grant request | /consent | Yes |
navigator.redirects.dsPath | Path for the Navigator to be redirected to at the end of connecting to a data source | /consent | Yes |
navigator.redirects.errorPath | Path for the Navigator to be redirected to when something goes wrong | /consent | Yes |
app.device.verificationUrl | Redirect path for mobile user agent for verification | com.identos.wallet://fpx-wallet/consent_request | Yes |
app.device.userCodeExpiry | Expiry in seconds for user code | 240000 | No |
app.device.confirmationCodeExpiry | Expiry in seconds for confirmation code | 240000 | No |
app.device.accessTokenExpiry | Access token expiry in seconds | 240000 | No |
app.sessionlength.platforms.ios | Maximum session length on iOS | 600000 | No |
app.sessionlength.platforms.android | Maximum session length on android | 600000 | No |
app.sessionlength.platforms.web | Maximum session length on web | 3600000 | No |
app.sessionlength.defaultLifeTime | Default session length | 3600000 | No |
app.logo | Filename of the image to be used as the application logo. | logo.png | No |
app.name | Name of the application displayed on the error page. | Sample Application | No |
app.error-page-redirect-url | Redirect URL when redirecting from the default error page. Note: The Wallet Server implements a custom error redirection scheme that can be configured using a property found in the Navigator Configuration section: navigator.redirects.errorPath . | | Yes |
app.error-page-title | Name of the error page as displayed on the error page header. | Error | No |
cors.origins | List of web origins to accept traffic from. | [https://ui.walletserver.com/idp-callback] | Yes |
fpxwallet.walletserver.resources.login-page.css | Path to CSS file for default theme. | https://walletserver.com/style.css | Yes |
Wallet Admin API Application Config
The configuration details required under the walletapi.application.config parameter are as follows. Note that the values shown for spring.datasource.username and spring.datasource.password are placeholders and should be replaced with credentials for the specific database used in your deployment.
server.port: 8080
server.error.include-binding-errors: ALWAYS
server.error.include-exception: true
server.error.include-message: ALWAYS
server.error.include-stacktrace: ALWAYS
management:
  endpoint:
    health:
      livenessState.enabled: true
      readinessState.enabled: true
      probes:
        enabled: true
  endpoints:
    web:
      exposure:
        include: "health"
logging:
  level:
    com.identos.wallet.admin: DEBUG
    org.springframework.web: DEBUG
    org.hibernate.SQL: DEBUG
    org.hibernate.type: TRACE
spring.jpa.properties.hibernate.format_sql: true
wallet-admin:
  staticTokens:
    - {{WS_ADMIN_STATIC_TOKEN}}
    - {{ANOTHER_WS_ADMIN_STATIC_TOKEN}}
spring:
  output.ansi.enabled: ALWAYS
  jpa:
    generate-ddl: false
    hibernate:
      ddl-auto: validate
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost/wallet_admin?useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
    username: {{DATABASE_USERNAME}}
    password: {{DATABASE_PASSWORD}}
elide:
  modelPackage: 'com.identos.wallet.admin.entity'
  pageSize: 1000
  maxPageSize: 10000
  json-api:
    path: /json-api
    enabled: true
  graphql:
    path: /graphql
    enabled: false
  swagger:
    path: /json-api/openapi
    enabled: true
    name: 'Wallet Admin API'
    version: "v1.0"
Spring Actuator Configuration
Make the following configurations to enable Spring Actuator and monitor the health of the Wallet Server.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
management.endpoint.health.livenessState.enabled | This parameter configures whether the liveness state health check is enabled or not. | true | No |
management.endpoint.health.readinessState.enabled | This parameter configures whether the readiness state health check is enabled or not. | true | No |
management.endpoint.health.probes.enabled | This parameter configures whether the liveness and readiness probes are enabled or disabled. The value should be in Boolean, which means when the value is set to "true", the health probes will be enabled. This parameter is inter-related to the management.endpoint.health.livenessState.enabled and management.endpoint.health.readinessState.enabled parameters described above which means that the value of one of these parameters along with the value of management.endpoint.health.probes.enabled must be set to true for the functionality to work. | true | No |
management.endpoints.web.exposure.include | There are various actuator endpoints that allow the application to be monitored and interacted with. Each endpoint can be enabled and disabled individually. This parameter selects which actuator endpoints are exposed; here the "health" endpoint is exposed to obtain information on the health of the application. | health | No |
Logging and Response Output
These settings control what should be logged and at what level of detail, as well as the information returned in Wallet Admin API error responses. Because this is an Admin API, we are not concerned with stack traces and application internals being returned in responses. Therefore, these can be left as default for the majority of use cases.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
server.error.include-binding-errors | Allows the server to include binding errors in error response payloads | ALWAYS | No |
server.error.include-exception | Allows the server to include exceptions in error response payloads | true | No |
server.error.include-message | Allows the server to include messages in error response payloads | ALWAYS | No |
server.error.include-stacktrace | Allows the server to include stack traces in error response payloads | ALWAYS | No |
logging.level.com.identos.wallet.admin | Controls the level at which the Wallet Admin API logs will be output | DEBUG | No |
logging.level.org.springframework.web | Controls the level at which the Spring framework Web logs will be output | DEBUG | No |
logging.level.org.hibernate.SQL | Controls the level at which the Hibernate framework SQL logs will be output | DEBUG | No |
logging.level.org.hibernate.type | Controls the level at which the Hibernate framework SQL binding type logs will be output | DEBUG | No |
spring.jpa.properties.hibernate.format_sql | This will format the SQL that is output to the logs to make it more readable | true | No |
Authentication Token Configuration
Parameter | Description | Suggested Value | Required |
---|---|---|---|
wallet-admin.staticTokens | Defines an array of values for static authorization tokens. The Wallet Admin API will expect one of these values to be included as an Authorization header on all requests. | a UUID | Yes |
Database Configuration
NOTE: These values should match the values defined for the Wallet Server parameters in the previous section.
Parameter | Description | Suggested Value | Required |
---|---|---|---|
spring.datasource.driver-class-name | MySQL Driver name. | com.mysql.cj.jdbc.Driver | Yes |
spring.datasource.url | JDBC URL for DB connections. | jdbc:mysql://dbhost/dbname | Yes |
spring.datasource.username | Username for database connection. | dbusername | Yes |
spring.datasource.password | Password for database connection. | dbpassword | Yes |
spring.jpa.generate-ddl | Whether Hibernate is responsible for generating the database schema | false | Yes |
spring.jpa.hibernate.ddl-auto | There are two options to manage the underlying database schema when working with JPA and Hibernate (leveraged by all backend IDENTOS components): 1) You can encapsulate schema changes in migration scripts and use a tool, like Flyway, to apply the migration scripts upon starting the application. This is the method we will use to generate and update the schema for the authorization server and the Admin Server. 2) You can generate or update the database schema from the JPA and Hibernate entity mappings (extrapolate the domain classes/entity mappings of the deployed server and auto generate the database schema) using the ddl.auto tool. We will not use this method to generate the schema for any of the components. This is why the value for this field should be set to "validate" as this option instructs Hibernate to ONLY validate the underlying database schema against the entity mappings. | validate | Yes |
spring.output.ansi.enabled | Enables coloured log output when viewed with a terminal | true | No |
JSON API Configuration
The parameters under the elide section are used to expose JSON APIs and configure their URL paths. IDENTOS recommends that these be left at the default values. For more information, refer to Elide Setup.
Wallet UI Application Config
The configuration details required under the walletui.config parameter are:
- Wallet Server domain name (eg. https://walletserver)
- Path to CSS file for style overrides (eg. https://cdn/style.css)
```json
{
  "url": "https:\/\/walletserver",
  "client_id": "authserver-client-id",
  "authorization_code_inputs": 6,
  "qrPollingInterval": 10000,
  "numberOfNotificationToShow": 2,
  "whitelabel": "/config-styles/whitelabel.identos.css",
  "login_page_image": {
    "__html": "<img src='/assets/innovation-software-the-solution-1.png' alt=\"\" />"
  },
  "login_intro_content": {
    "__html": "<p class=\"login-content-intro\">Share your information with your digital wallet</p>"
  },
  "login_guide_content": {
    "__html": "<p class=\"login-content-guide\">Log into your account</p>"
  },
  "login_identity_verifier_logo": "/assets/identos_logos/logo@3x.png"
}
```
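The `__html` entries above are raw markup fragments and the `url` is the endpoint the browser talks to, so mistakes in this file reach every user's browser. The following lint is an added example (not part of the IDENTOS chart or its documentation); it assumes, following the React `__html` convention, that those fragments are injected as raw HTML, and it runs over a constructed copy of the documented config with two deliberate mistakes.

```python
import json
import re
from urllib.parse import urlparse

# Added example (not IDENTOS code). Assumes "__html" fragments are injected
# as raw HTML, as React's convention implies. Constructed sample config with
# two mistakes: a plain-http server URL and an inline event handler.
SAMPLE_CONFIG = r'''{
  "url": "http:\/\/walletserver",
  "client_id": "authserver-client-id",
  "authorization_code_inputs": 6,
  "qrPollingInterval": 10000,
  "numberOfNotificationToShow": 2,
  "whitelabel": "/config-styles/whitelabel.identos.css",
  "login_page_image": {
    "__html": "<img src='/assets/logo.png' alt=\"\" onload=\"init()\" />"
  },
  "login_identity_verifier_logo": "/assets/identos_logos/logo@3x.png"
}'''

# Markup that would execute in every user's browser if shipped in the config.
HTML_CHECKS = (("script tag", re.compile(r"<\s*script\b", re.I)),
               ("inline event handler", re.compile(r"\son[a-z]+\s*=", re.I)),
               ("javascript: URL", re.compile(r"javascript\s*:", re.I)))

def _check_url(name, value, findings, allow_relative):
    """The Wallet server URL must be https; asset paths may be site-relative."""
    if allow_relative and value.startswith("/") and not value.startswith("//"):
        return
    if urlparse(value).scheme != "https":
        findings.append(f"{name}: expected https URL, got {value!r}")

def lint_config(text):
    """Return a list of findings for a walletui.config JSON document."""
    cfg = json.loads(text)
    findings = []
    if not cfg.get("client_id"):
        findings.append("client_id: missing or empty")
    _check_url("url", cfg.get("url", ""), findings, allow_relative=False)
    for key in ("whitelabel", "login_identity_verifier_logo"):
        if key in cfg:
            _check_url(key, cfg[key], findings, allow_relative=True)
    for key in ("authorization_code_inputs", "qrPollingInterval",
                "numberOfNotificationToShow"):
        value = cfg.get(key)
        if not isinstance(value, int) or value <= 0:
            findings.append(f"{key}: expected a positive integer, got {value!r}")
    for key, value in cfg.items():
        if isinstance(value, dict) and isinstance(value.get("__html"), str):
            for label, pattern in HTML_CHECKS:
                if pattern.search(value["__html"]):
                    findings.append(f"{key}.__html: contains {label}")
    return findings

def fixed_sample():
    """The constructed sample with both mistakes corrected."""
    cfg = json.loads(SAMPLE_CONFIG)
    cfg["url"] = "https://walletserver"
    cfg["login_page_image"]["__html"] = "<img src='/assets/logo.png' alt='' />"
    return json.dumps(cfg)
```

Run `lint_config` over the real `walletui.config` value in a CI step before `helm upgrade`; an empty list means the file passes.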
Language Configuration
The `walletui.i18n` parameter is used to define all text elements of the Wallet UI. This includes definitions for each error and warning message as well as UI elements such as the white-label application name, sidebar navigation entries, on-screen instructions, alt-text, etc.
Additional language files can be created and added to the i18n folder as required.
The full list of parameters under `walletui.i18n` is defined below:
```json
{
  "charset": "utf-8",
  "title": "Wallet WebUI",
  "favicon": "%PUBLIC_URL%/favicon.ico",
  "noscript": "You need to enable JavaScript to run this app.",
  "login__idplist_error_title": "Unable to Load Identity Verifiers",
  "login__idplist_error_desc": "We were unable to load the list of Identity Verifiers. Please try again if you wish to continue.",
  "login__idplist_select_error_title": "Unable to Select Identity Verifier",
  "login__idplist_select_error_desc": "An error occurred while trying to connect to the selected Identity Verifier.",
  "login__logging_error_title": "Unable to Log In",
  "login__logging_error_desc": "An error occurred while trying to log you in.",
  "login__title_content": "IDENTOS Wallet",
  "login__user_and_pass_link": "Login with username and password",
  "login__no_account": "No account?",
  "login__sign_up_now": "Sign up now",
  "alt__logo": "Telus logo",
  "alt__google_icon": "Google icon",
  "qr__title": "Use your <span>{{walletName}}</span> wallet account to give <span>{{clientName}}</span> access to your information",
  "qr__instruction": "Log into your <span>{{walletName}}</span> wallet account ",
  "qr_desc": "You can complete this request by logging into your <span>{{walletName}}</span> wallet, or use the <span>{{walletName}}</span> in the <span>{{walletName}}</span> Navigator.",
  "no_account": "No account?",
  "sign_up": "Sign up now",
  "menu": "Menu",
  "qr__login_title": "Login to my Wallet account",
  "qr__login_instructions": "Select the Identity Verifier you used to log into your existing account",
  "qr__login_action--username_password": "Login with username and password",
  "qr__or": "or",
  "qr__login_action--nav_app": "Log in using my navigator app",
  "qr__one": "1.",
  "qr__one_info": "Open your <span>{{walletName}}</span> Navigator on your phone",
  "qr__two": "2.",
  "qr__two_info": "From your Account screen, tap Scan QR Code",
  "qr__three": "3.",
  "qr__three_info": "Point your phone at this screen to capture the QR code",
  "qr__scan_problem": "Can't scan QR code?",
  "qr__use_code": "Type in this initiation code instead: <span>{{code}}</span>",
  "consent__title": "The {{ clientName }} wants access to your information",
  "confirmAuth__title": "Use your <span>{{walletName}}</span> Wallet account to give <span>{{clientName}}</span> access to your information",
  "confirmAuth__instruction": "Confirm your authorization",
  "confirmAuth__instrucion_desc": "You have agreed to give {{clientName}} access to the following:",
  "confirmAuth__code_desc": "To confirm that you have authorized access to your information, and ensure no one else has access to your account, please input the 6-digit Authorization Code that is displayed on your phone. ",
  "confirmAuth__auth_code": "Authorization Code:",
  "confirmAuth__submit": "Submit",
  "confirmAuth__what_if": "What if I can’t see a code?",
  "confirmAuth__source": "Source:",
  "confirmAuth__details": "details",
  "resourceDetailsModal__details": "Details",
  "resourceDetailsModal__whats_this": "What's this",
  "resourceDetailsModal__reason": "Reason:",
  "resourceDetailsModal__close": "Close",
  "submissionModal__processing": "Processing Your Request…",
  "submissionModal__errorTitle": "Error",
  "submissionModal__close": "Ok",
  "submissionModal__201_error": "Too Many Tries",
  "submissionModal__201_error_desc": "You have entered the incorrect Authorization Code too many times, and now now locked out. No access has been provided to {{client}}. Please begin a new session.",
  "submissionModal__400_error": "Incorrect authorization code",
  "submissionModal__400_error_desc": "The code you have entered is incorrect. Please try again. ",
  "submissionModal__401_error": "Session Expired",
  "submissionModal__401_error_desc": "This session has expired because of inactivity. No access has been provided to {{client}}. To continue, please begin a new session.",
  "submissionModal__403_error": "Expired Code",
  "submissionModal__403_error_desc": "The Authorization Code entered has expired. Please begin a new session.",
  "submissionModal__404_error": "Unable to Complete Request",
  "submissionModal__404_error_desc": "We could not complete the request because no claim for this transaction could be found.",
  "consent__subtitle": "Authorization Request",
  "consent__step_one_title": "Step 1.",
  "consent__step_one": "Find a connection that can send {{ clientName }} the information they are requesting.",
  "consent__change": "Change",
  "consent__findconnection": "Find connection",
  "consent__scope": "Scope: ",
  "consent__reason": "Reason: ",
  "consent__whats_this": "What is this?",
  "consent__learn_more": "Learn More",
  "rs_name": "{{ rsName }}",
  "consent__step_two_title": "Step 2.",
  "consent__step_two": "Choose the requested information you wish {{ rsName }} to have access to.",
  "consent__doc_links": "You may review this Service Provider's ",
  "consent__terms_of_use": "Terms of Use",
  "consent__privacy_policy": "Privacy Policy",
  "consent_doc_and": " and ",
  "consent__auth_btn": "Send Authorization",
  "consent__decline_btn": "Decline Request",
  "consent__allow_access": "ALLOW ACCESS TO:",
  "consent__deny_access": "DENY ACCESS TO:",
  "consent__connection_text": "CONNECTION:",
  "consent__decline_title": "Are you sure?",
  "consent__decline_desc": "Declining this request means your information will not be shared.",
  "consent__decline_btn1": "Decline",
  "consent__decline_btn2": "No",
  "consent__loading_list_error_title": "Unable to Load Requested Information",
  "consent__loading_list_error_desc": "We were unable to load the information the organization is requesting. Please begin a new session.",
  "consent__sending_auth_error_title": "Unable to Send Authorization",
  "consent__sending_auth_error_desc": "We were unable to send authorization to the organization. Please try again if you wish to continue.",
  "consent__expired_connection_error_title": "Expired Connection ",
  "consent__expired_connection_error_desc": "We were unable to send authorization to the organization because a chosen connection has expired.",
  "modal__title": "Find a Source",
  "modal__subtitle": "Select the source that can provide your:",
  "modal__rs_names": "{{ rsNames }}",
  "modal__src_name": "{{ srcName }}",
  "modal__connection_btn": "Use Connection",
  "modal__connection_connecting": "Connecting...",
  "modal__connect_btn": "Connect",
  "session_modal__title--invalid": "Session Error",
  "session_modal__title--expiry": "Session Timed Out",
  "session_modal__message--invalid": "Something has gone wrong. Please log in again to resolve the problem.",
  "session_modal__message--expiry": "Due to inactivity, your session has timed out! Please log in again to continue.",
  "session_modal__login": "Ok",
  "session_modal__contact--invalid": "Can't resolve the error?",
  "session_modal__contact-link--invalid": "Contact Telstra",
  "modal__reconnect_btn": "Reconnect Source",
  "modal__connected_source_expired": "Connection to source is expired",
  "modal__connect_api_error": "We were unable to connect! Please try again.",
  "fpx_dl__add_btn": "Add Item",
  "fpx_dl__select_default": "-- Select One --",
  "fpx_dl__empty_field": "Field is empty",
  "fpx_table__title": "{{ fpxTitle }}",
  "fpx_table_row__remove": "Remove",
  "fpx_table_title__title": "{{ title }}",
  "idp": "{{ idpName }}",
  "profile__title": "Current Identity",
  "profile__verified_by": "Identity Verifier",
  "google": "Google",
  "profile__add_verifier": "Add another identity verifier",
  "profile__improve_security_title": "Improve your account security",
  "profile__improve_security_body": "Protect your information by adding another level of security to your account.",
  "profile__no_security_title": "Your account is not secure",
  "profile__no_security_body": "Protect your information by adding security to your account.",
  "profile__notifications": "Notifications",
  "profile__notifications_title": "You Have No Notifications",
  "profile__notifications_body": "You will be notified of updates, requests for your information and any issues with your account security.",
  "profile__notifications_history": "See notification history",
  "sidebar__my_account": "My Account",
  "sidebar__connection": "Connections",
  "sidebar__settings": "Settings",
  "connections__title": "Connections",
  "connections__add_button": "Connection",
  "connections__search": "Search...",
  "connections__name": "Name",
  "connections__type": "Type",
  "connections__lastActive": "Last Active",
  "connections__paginationRow": "Rows per page",
  "connections__paginationOF": "of",
  "connections__noResultsFound": "No Results Found",
  "connections__couldNotFind": "We couldn’t find any connections with that query.",
  "connections__noDataTitle": "No Connections found",
  "connections__noDataDesc": "You have not authorized any services, information sources or identity verifers to access your information. ",
  "connections__find_connections_btn": "Find Connections",
  "connections_failure_load_title": "Unable to Load Connections List",
  "connections_failure_load_desc": "We were unable to load your list of Connections. Please try again.",
  "connections__internet_failure_load_title": "Unable to Load Connections List ",
  "connections__internet_failure_load_desc": "We were unable to load this list of connections. Check your internet connection and try again.",
  "findConnections_failure_load_title": "Unable to Load Add Connections List",
  "findConnections_failure_load_desc": "We were unable to load this list of connections. Please try again if you wish to continue.",
  "findConnections_conenction_failure_title": "Unable to Add a Connection",
  "findConnections_conenction_failure_desc": "An error occurred while trying to add this connection. Please try again if you wish to continue.",
  "findConnections__title": "Find Connections",
  "findConnections__connections": "Connections",
  "findConnections__sub_title": "Select an organization you would like to connect with and authorize to provide requested information.",
  "findConnections__cancel": "Cancel",
  "findConnections__modal_title": "Success",
  "findConnections__modal_desc": "You have connected to the {{rsName}} and have authorized them to access your information.",
  "findConnections__modal_button": "Ok",
  "findConnections__connection_not_found_title": "No Connections",
  "findConnections__connection_not_found_desc": "Currently, there are no more organizations to connect to.",
  "connections_modal_title": "Add a new connection",
  "connections_modal_message": "Are you sure?",
  "connections_modal_add_connection": "Add Connection",
  "settings__title": "Settings",
  "settings__activity": "Activity",
  "settings__see_all_activity": "See All Activity",
  "settings__security": "Security",
  "settings__add_two_step": "Add Two-Step Verification",
  "settings__preferences": "Preferences",
  "settings__recommend_sources_title": "Recommend sources for requests",
  "settings__recommend_sources_body": "When you receive an authorization request, the app will automatically recommend the best information source for the request. You will be able to change this at any time",
  "settings__my_devices": "My Devices",
  "logout__logout": "Log out",
  "logout__cancel": "Cancel",
  "logout__yes_logout": "Yes, log out",
  "logout__body_text": "Would you like to log out of the Wallet account?",
  "settings__logout_all_devices": "Log out from all devices",
  "settings__lastActive": "Last active",
  "settings__no_connected_devices": "No Connected Devices found",
  "settings__lastActive_at": "at",
  "connectionDetail__failure_load_title": "Unable to Load Connection Details",
  "connectionDetail__failure_load_desc": "We were unable to load your list of Connections. Please try again.",
  "connectionDetail__failure_disconnect_title": "Unable to Disconnect Connection",
  "connectionDetail__failure_disconnect_desc": "An error occurred while trying to disconnect this connection. Please try again.",
  "connectionDetail__failure_no_network_title": "Unable to Load Connection Details",
  "connectionDetail__failure_no_network_desc": "We were unable to display the details of this Connection. Check your internet connection and try again.",
  "connectionDetail__information": "Information",
  "connectionDetail__source": "Source",
  "connectionDetail__connected": "Connected",
  "connectionDetail__expires": "Expires",
  "connectionDetail__timesShared": "Time Shared",
  "connectionDetail__recentActivity": "Recent Activity",
  "connectionDetail__trustedNetworks": "Trusted Networks",
  "connectionDetail__serviceProvider": "Service Provider",
  "connectionDetail__disconnectServiceProvider": "Disconnect Service Provider",
  "connectionDetail__reconnectServiceProvider": "Reconnect Service Provider",
  "connectionDetail__serviceSubHeading": "Acting as a service provider, <span>{{name}}</span> has requested the following:",
  "connectionDetail__informationSource": "Information Source",
  "connectionDetail__disconnectInformationSource": "Disconnect Information Source",
  "connectionDetail__reconnectInformationSource": "Reconnect Information Source",
  "connectionDetail__informationSubHeading": "Acting as a source of information, <span>{{name}}</span> has provided the following:",
  "connectionDetail__disconnected": "DISCONNECTED",
  "connectionDetail__identityVerifier": "Identity Verifier",
  "connectionDetail__disconnectIdentityVerifier": "Disconnect Identity Verifier",
  "connectionDetail__identityVerifierSubHeading": "Acting as an Identity Verifier, <span>{{name}}</span> has provided proof of your identity to the following:",
  "connectionDetail__informationModalBodyTop": "This action will block any service provider who you have authorized to access any information from <span>{{name}}</span> from being able to access any information from this source any longer.",
  "connectionDetail__informationModalBodyBottom": "Some functionality may no longer be available, or you may lose the ability to use those services or apps.",
  "connectionDetail__noThanks": "No Thanks",
  "connectionDetail__disconnect": "Disconnect",
  "connectionDetail__disconnectInformation": "Disconnect Information",
  "connectionDetail__disconnectDetails": "Disconnect Details",
  "connectionDetail__disconnetDetailsModalBodyTop": "Confirm you want to disconnect. Disconnecting will remove this Service Provider’s access to: ",
  "connectionDetail__disconnetDetailsModalBody": "Your ",
  "connectionDetail__Edit": "Edit",
  "connectionDetail__View": "View",
  "connectionResourceDetail__requested_by": "Requested By",
  "connectionResourceDetail__requested_on": "Requested On",
  "connectionResourceDetail__access_expires": "Access Expires",
  "connectionResourceDetail__disconnect_all": "Disconnect from All Sources",
  "connectionResourceDetail__sub_heading": "Your <span>{{name}}</span> has been shared with the following service providers:",
  "connectionResourceDetail__disconnect_modal_sub_heading_top": "Would you like to remove all access to your <span>{{name}}</span>?",
  "connectionResourceDetail__disconnect_information_modal_sub_heading_top": "Would you like to remove <span>{{client}}</span>'s access to your <span>{{name}}</span>?",
  "connectionResourceDetail__disconnect_modal_sub_heading_bottom": "If you proceed, some functionality may no longer be available to you in some service providers, or you may lose the ability to use the service.",
  "activity__activity": "Activity",
  "activity__sub_heading": "This is a record of all activity done using this account.",
  "activity__date": "Date",
  "activity__type": "Type",
  "activity__source": "Source",
  "activity__expiry": "Expiry",
  "authorization__authorization_request": "Authorization Request",
  "authorization__disconnect_authorization": "Disconnect Authorization",
  "authorization__sub_headingFront": "You have authorized ",
  "authorization__sub_headingBack": "to access the following information:",
  "authorization__requested_on": "Requested On",
  "authorization__expiry": "Expiry",
  "authorization__terms_of_use": "Terms of Use",
  "authorization__view_details": "View Details",
  "authorization__request_for_access": "Request for Access",
  "authorization__view": "View",
  "authorization__edit": "Edit",
  "authorization__reason": "Reason: Allow tracking to be saved to health record for review by a physician",
  "authorization__reason_text": "Reason:",
  "disconnectAccess__disconnect_access": "Disconnect Access",
  "disconnectAccess__sub_heading": "You have disconnected <span>{{name}}</span> to access the following information:",
  "disconnectAccess__disconnected_on": "Disconnected On",
  "disconnectAccess__disconnected_access": "Disconnected Access",
  "proda": "PRODA",
  "networkError__connection_failed": "No Network Connection",
  "networkError__desc": "We could not process your request. Check your internet connection and try again.",
  "ok": "Ok",
  "reload": "Reload"
}
```
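When an additional language file is added to the i18n folder, it has to carry the same keys as the default file above, keep the same `{{ placeholder }}` tokens (the UI writes both `{{clientName}}` and `{{ clientName }}`, so the comparison below ignores whitespace inside the braces) and not introduce markup the base string does not have. The checker is an added example, not IDENTOS code; it assumes the `<span>` markup in these values is rendered as HTML, and the base and translated files it runs over are constructed from a handful of the documented entries.

```python
import json
import re

# Added example (not IDENTOS code). The i18n file is a flat JSON object whose
# values carry {{ placeholder }} tokens and <span> markup that the UI fills in
# at render time. Constructed samples: a few documented English entries, and a
# translation with four typical defects.
BASE_I18N = r'''{
  "login__title_content": "IDENTOS Wallet",
  "qr__instruction": "Log into your <span>{{walletName}}</span> wallet account ",
  "qr__use_code": "Type in this initiation code instead: <span>{{code}}</span>",
  "consent__step_two": "Choose the requested information you wish {{ rsName }} to have access to.",
  "submissionModal__401_error_desc": "This session has expired because of inactivity. No access has been provided to {{client}}. To continue, please begin a new session."
}'''

TRANSLATION = r'''{
  "login__title_content": "<a href='/'>Portefeuille IDENTOS</a>",
  "qr__instruction": "Connectez-vous a votre compte <span>{{walletName}}</span> ",
  "qr__use_code": "Saisissez plutot ce code d'initiation : <span>{{ code }}</span>",
  "consent__step_two": "Choisissez les informations que {{ rs_name }} peut consulter.",
  "connexions__title": "Connexions"
}'''

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")   # {{name}} or {{ name }}
TAG = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")      # opening and closing tags


def placeholders(text):
    """Interpolation names used in a value; whitespace inside braces ignored."""
    return set(PLACEHOLDER.findall(text))


def check_translation(base_text, translated_text):
    """Compare a language file against the base file and return findings.

    A missing key has no text in this language, an unknown key is dead weight
    (usually a typo), a placeholder mismatch breaks substitution, and markup
    that is not in the base string would be rendered into the page.
    """
    base = json.loads(base_text)
    tr = json.loads(translated_text)
    findings = []
    for key in sorted(set(base) - set(tr)):
        findings.append(f"{key}: missing from translation")
    for key in sorted(set(tr) - set(base)):
        findings.append(f"{key}: not a known UI key")
    for key in sorted(set(base) & set(tr)):
        b, t = base[key], tr[key]
        if not isinstance(t, str):
            findings.append(f"{key}: value must be a string")
            continue
        if placeholders(b) != placeholders(t):
            findings.append(f"{key}: placeholders {sorted(placeholders(b))} "
                            f"!= {sorted(placeholders(t))}")
        if sorted(TAG.findall(b)) != sorted(TAG.findall(t)):
            findings.append(f"{key}: markup differs from base")
    return findings
```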