# Configuration and Startup ## Startup To ensure a quick and efficient initial setup and startup of Amiko in the Issuer Bank's test environment, we offer sessions with engineering experts. Typically, the setup can be completed in one or a few sessions. {% hint style="warning" %} Please complete the [Preparation Tasks](/amiko-documentation/JL6JD0mRhH1awRHP2Gz0/deployment-and-operations/edge-connector/preparation-tasks.md) in advance of the session to keep the session as efficient as possible for everyone. {% endhint %} To ensure a successful session, the following expert engineers from the issuing bank must be present: * Deployment and Hosting (e.g. Kubernetes) * Infrastructure (e.g. Firewall, Proxies, WAF) * IAM (OIDC Single Sign-on) To execute system changes effectively during the session, engineer experts must have the authority to modify the test environment. They should also be prepared to utilise shortcuts and workarounds if necessary to meet the session's objectives, with plans to refine these changes afterward. Expert engineers don't need to attend the entire session but should be available when needed. ## Concept As the Edge Connector serves as a connectivity hub and adheres to the security and privacy principles inherent in the product's design, there are essential configurations that must be performed on-site, locally in the customer environment. In terms of connectivity, this involves enabling the Edge Connector to establish a connection with the Amiko Cloud and ensuring that Amiko is accessible as an internal application for users. From a security and privacy standpoint, **all** sensitive configuration (credentials, private keys, secrets) must be configured on-site. In addition to the on-site configuration, non-sensitive configurations are hosted on the Amiko Cloud and are loaded when the Edge Connector boots up. The Edge Connector retrieves the non-sensitive configuration from the Amiko Cloud and merges it with its existing on-site configurations. During this merging process, the on-site configurations for the Edge Connector take precedence, effectively acting as overrides. {% hint style="info" %} Amiko Edge does not include a built-in secret manager, necessitating the use of an internal secret manager at the Issuer Bank. Deployment requires the accompanying the secrets, so the deployment pipeline must manage this process. Amiko Edge does not call a secret manager at runtime to access credentials. {% endhint %} ## Main Elements
ElementDescription
httpWeb server configuration of Amiko Edge Connector.
external-proxyThe configuration for the proxy between the Amiko Edge Connector and the internet (external). This impacts connectivity to Amiko Cloud services as well as card scheme APIs and other external APIs (see Communication Matrix).
rivero-cloudConnectivity configuration to Amiko Cloud services.
oidcUser authentication and authorisation configuration.
encrypted-text-configConfiguration for the encryption of free text fields.
Please find in /pages/6LfGyxAl8C6FzH85WNmI more information and an example how to create a keystore.
amiko-api-authenticationConfiguration for the authentication mechanisms for the APIs hosted by Amiko Edge Connector.
logLocal logging configuration (stdout, local files, Rivero cloud).
file-exportDaily report file export.
mastercardCredentials for Mastercard Mastercom API access.
mastercard-fldCredentials for Mastercard FLD API access.
visaCredentials for VISA VROL API access.
ethoca-configCredentials for Ethoca API access.
issuer-integration-apisConfiguration for the connection for the APIs hosted by the Issuer Bank.
deeplConfiguration for the use of DeepL Translate service.
## Startup {% hint style="info" %} In order to bring the Edge Connector up you will need to create the Edge Connector configuration file. {% endhint %} The Edge Connector needs the path to its configuration file as an argument. You can place the configuration file in any location you prefer. E.g. adding: ``` args: ["/etc/amiko/amiko-edge.conf"] ``` ## Configuration The Edge Connector configuration file uses the [HOCON (Human-Optimized Config Object Notation)](< https://github.com/lightbend/config/blob/main/HOCON.md>) format. {% hint style="info" %} The configuration file supports environment variable substitution using the `${ENV_VAR}`, allowing you to avoid including passwords and other variables in plain text. {% endhint %} ### Overview {% tabs %} {% tab title="Base" %} ```json // WEB SERVER http = { port = 8080 host = "0.0.0.0" run-mode = { type = "unsecured" } } // FORWARD PROXY external-proxy = { type = "with-proxy-and-basic-auth" http-uri = localhost http-port = 9999 https-uri = localhost https-port = 9999 username = "user" password = "pass" } // RIVERO AMIKO CLOUD rivero-cloud = { base-uri = "https://0.amiko-preprod.rivero.app" authentication = { sa-keyfile = "/path/to/creds.json" } } // OIDC oidc = { oidc-discovery-base-url = "https://login.microsoftonline.com//v2.0/" } // TEXT ENCRYPTION encrypted-text-config = { keystore-file-name = "/path/to/encrypted_text_keystore.p12" keystore-password = "storepass" key-password = "keypass" encryption-key-alias = "alias" } // RIVERO AMIKO API AUTHENTICATION amiko-api-authentication = { jwt = { keystore-file-name = "/keystore/keystore.p12" keystore-password = "somepasswd" public-key-alias = edge jwt-subject = amiko } key = { api-key-header-value = ${EXTERNAL_API_KEY} api-key-header-name = "dev-api-key" } } ``` {% endtab %} {% tab title="Integration APIs " %} Depending on the integration API's implemented, additional objects are being added. 
// ISSUER INTEGRATION API'S
issuer-integration-apis = {

  card-status-config = {
    base-uri = ""
    authentication = {
      type = "api-key-only"
      api-key-header-name = ""
      api-key-header-value = ""
    }
  }

  file-store-config = {
    base-uri = ""
    authentication = {
      type = "api-key-only"
      api-key-header-name = ""
      api-key-header-value = ""
    }
  }
  
  booking-config = {
    base-uri = ""
    authentication = {
      type = "api-key-only"
      api-key-header-name = ""
      api-key-header-value = ""
    }
  }
   
  event-notification-config = {
    base-uri = ""
    authentication = {
      type = "api-key-only"
      api-key-header-name = ""
      api-key-header-value = ""
    }
  }
}
{% endtab %} {% tab title="Scheme Services" %} Depending on the scheme services used, additional objects are being added. 
// MASTERCARD MASTERCOM
mastercard = {
  base-64-file-content = ${MASTERCOM_PK_BASE64}
  key-alias = ${MASTERCOM_KEY_ALIAS}
  password = ${MASTERCOM_KEY_PW}
  consumer-key = ${MASTERCOM_CONSUMER_KEY}
}

// MASTERCARD FLD, CONFIRMED API
mastercard-fld = {
  keystore-file-name = "/keystore/keystore.p12"
  encryption-key-fingerprint = ${MASTERCARD_FLD_ENCRYPTION_KEY_FINGERPRINT}
  encryption-certificate-file-name = "/keystore/encryptionkey.pem"
  key-alias = "edge"
  keystore-password = "somepasswd"
  consumer-key = ${MASTERCARD_FLD_CONSUMER_KEY}
}

// VISA VROL
visa = {
  system-id = ${VISA_VROL_SYSTEM_ID}
  password = ${VISA_VROL_PASSWORD}
  keystore-file-name = "/keystore/vrol.p12"
  keystore-password = ${VISA_VROL_KEYSTORE_PASSWORD}
  key-password = ${VISA_VROL_KEYSTORE_MANAGER_PASSWORD}
}

// ETHOCA
ethoca-config = {
  authentication = {
      type = "basic-auth-only"
      username = ${ETHOCA_USER}
      password = ${ETHOCA_PW}
    }
}
{% endtab %} {% tab title="Additional" %} Depending on the features used, additional objects are being added. ```json // LOG log = { out-file = null err-file = null path-to-google-cloud-credentials-json-file = ${GOOGLE_APPLICATION_CREDENTIALS} } // TRANSLATION SERVICE deepl = { base-uri = "" authorization-token = "" } // DAILY REPORT file-export = { reports-directory-path = "/home/amiko/reports" } ``` {% endtab %} {% endtabs %} ### Minimal Configuration In a early stage installation of Edge Connector, you may like to focus on hosting, basic setup, basic connectivity and OIDC topics only. The setup of the Issuer Integration APIs and Scheme APIs , as well the overall setup, can be postponed to a later stage. For this situation one can use this minimal configuration: ```json // WEB SERVER // readonly-mode = true http = { port = 8080 host = "0.0.0.0" run-mode = { type = "unsecured" } } // FORWARD PROXY external-proxy = { type = "with-proxy-and-basic-auth" http-uri = localhost http-port = 9999 https-uri = localhost https-port = 9999 username = "user" password = "pass" } // RIVERO AMIKO CLOUD rivero-cloud = { base-uri = "https://0.amiko-preprod.rivero.app" authentication = { sa-keyfile = "/path/to/creds.json" } } // OIDC oidc = { oidc-discovery-base-url = "https://login.microsoftonline.com//v2.0/" } // TEXT ENCRYPTION encrypted-text-config = { keystore-file-name = "/path/to/encrypted_text_keystore.p12" keystore-password = "storepass" key-password = "keypass" encryption-key-alias = "alias" } ``` ### Full Configuration 
//
// INTRO
// This file holds all essential configurations, technical coordinates, and credentials crucial for the customer. 
// These settings need to be defined on-site to enable Amiko Edge Connector to access all necessary systems and ensure the availability and usability of Amiko as an application.
//

// 
// BASE CONFIG
//

// WEB SERVER
http = {
  port = 8080 // The port that the Edge Connector should listen on. By default the edge connector docker image exposes port 8080 (and must be used here if docker image is used). If you wish to start the connector in plain HTTP mode please set this parameter to “80”. 
  host = "0.0.0.0" // The host IP that the Edge Connector should bind to. Either this is "localhost" or a different network interface depends on your network setup.
  // This section is the HTTPs configuration.
  run-mode = {
    type = "secured" //  Must be one of "secured" (HTTPs) or "unsecured" (plain HTTP).
    // These options may be omitted if run mode is "unsecured".
    // keystore-file-name = “/path/to/cert.p12” // The full certificate chain must be available in a proper keystore format so the JVM can read the certificate files and start an HTTPs server.
    // We suggest that you use the PKCS12 (p12) format for keystore since it’s an open standard. You can use the following command to create the keystore:
    // openssl pkcs12 -export -in <certificate-file>.pem -inkey <private-key-file>.pem -certfile <fullchain-certificate-file>.pem -out keystore.p12 
    // keystore-password = "" // The password to unlock the keystore.
    // key-password = "" // The password of the certificate private key itself.
  }
  // Optional parameters  
  // base-path = "" // Specifies the path segment that is added to the domain in a setup where edge is running behind a proxy. Example value would be "amiko" in a setup where edge is accessible under `yourdomain.com/amiko`. The value should not have any `/` at the beginning or end. 
  // base-path-stripped-from-api = false // Should be set to true if edge is running with a basePath that is removed by the proxy from the request before it reaches edge. 
}

// FORWARD PROXY
// If there is a forward proxy between the Edge Conector and services on the internet (Amiko Cloud, OIDC provider, scheme APIs) please fill in the following section.
external-proxy = {
  type = "" // Must be any of "no-proxy", "with-proxy", or "with-proxy-and-basic-auth"
  // These options may be be ommitted if type is "no-proxy".
  // http-uri = "" // The HTTP forward proxy location.
  // http-port = "" // The HTTP forward proxy port.
  // https-uri = "" // The HTTPs forward proxy location.
  // https-port = "" // The HTTPs forward proxy port.
  // These options are only needed if type is "with-proxy-and-basic-auth"
  // username = "" // The username for basic auth.
  // password = "" // The password for basic auth.
  // Optional parameters
  // exclude-oidc = false // Controls if the forward proxy should be used for request towards the identity provider.
}

// TRUST CONFIGURATION
// If Amiko is going to need to talk to some apis that are internal and are using self-signed certificates those certifcates need to be added to the application trust store.
// trust-configuration = {
//  additional-trust-material = [ // List of keystores with certificates that should be trusted
//    {
//      filename = "" // Path to the .p12 file containing the certificates that should be trusted
//      password = "" // Keystore password
//    }
//  ]
//}

// RIVERO AMIKO CLOUD
// This section contains the settings for communicating with the Amiko Cloud services.
rivero-cloud = {
  base-uri = "https://0.amiko-preprod.rivero.app" // This URI will be provided to you by Rivero and is the location of the Amiko Cloud Services. This URL will be different for production servers.
  authentication = {
    sa-keyfile = "/path/to/creds.json" // The filesystem path were the Amiko Connector credentials file is located. The credentials file is sensitive and will be provided by Rivero in a separate file. Once received and placed in the directory of your choice, please modify the parameter accordingly. 
  }
}

// OIDC
// If the OpenID Connect server you are using is Microsoft Azure AD, then the local Edge Conector configuration is limited to the oidc-discovery-base-url parameter.
// All other parameters are applied as defaults be the system. If a different IAM system is used,
// then the full set of OIDC relevant parameters can be used to be able to cover specific scenarios and configurations. 
oidc = {
  oidc-discovery-base-url = "" // The base URL of the OIDC provider, from there Amiko can reach the "well know" service discovery endpoint. For Azure AD https://login.microsoftonline.com/<EntraTenantID>/v2.0/
  // These options may be omitted if using Microsoft Azure AD, otherwise remain mandatory.
  // client-id = "" // The client id we send towards the OIDC provider. Needs to match the account created for Amiko on the OIDC server.
  // secret = "" // Secret for the Edge Connector to authenticate towards the token endpoint of the OIDC server.
  // jwt-token-expiry-hours = "" // 
  // scopes = "" // The scopes request from the OIDC server. Must contain at least openid and profile for Amiko to receive the mandatory claims in the ID token.
  // redirects-in-https = "" // Whether OIDC redirect are done using https. Which is typically true unless it is a local debugging setup. 
  // issuer = "" // The issuer of the token, iss claim in the JWT
  // These options may be omitted if using Microsoft Azure AD, otherwise remain optional.
  // claim-identifier-override-subject = "" // Some OIDC providers do not use the default property name “sub” in such case this config can be set to specify the property name.
  // claim-identifier-override-roles = "" // In case the ID token claim that contains the role information is not actually called roles by the OIDC server.  Defaults to "roles"
  // user-cookie-name-override = "" // In case a customer operates the Edge Connector behind a portal server and the default cookie name (which stores the Amiko issued access token) is already used, a different name can be defined. Defaults to "user".
  // oidc-role-prefix = "" // In case the OIDC providing the Amiko role information with a prefix to the specified string. Defaults to empty string.
  // redirect-host-override = "" // In case edge connector is running behind a proxy and a different host should be used in redirect than the one from http headers.
}

// TEXT ENCRYPTION
// - This section contains the settings for encryption of free-text fields. Keys are generated and managed by you.
encrypted-text-config = {
  keystore-file-name = "" // The keystore which contains the keys.
  keystore-password = "" // The password for that keystore.
  key-password = "" // The password for a private key used for encryption.
  encryption-key-alias = "" // The alias of a private key used for encryption.
}

// RIVERO AMIKO API AUTHENTICATION
// Configure if you use the APIs exposed by Amiko hosted by the Edge Conector.
// Remove this section if not used and the api is simply not being exposed. For a simplified approach at the beginning it's possible to use an api-key instead of a signed jwt. 
amiko-api-authentication = {
  // STATIC JWT
  jwt = {
    keystore-file-name = "" // The keystore which contains the keys in format PKCS#12
    keystore-password = "" // The password for that keystore
    public-key-alias = "" // Alias of a public key
    jwt-subject = "" // Subject used in jwt token
  }
  // DYNAMIC JWT
// dynamic-jwt = {
//  jwks-url = "https://identity-provider.com/jwks.json"
//  audience = "amiko-resource-server"
//  required-scopes = ["cases:read"] # optional list
​// }
  // API KEY
  key = {
    api-key-header-name = "" // The name of the header you will send the api key under
    api-key-header-value = "" // The value accepted in the api-key header for external API authentication
  }
}

//
// ISSUER INTEGRATION API'S
// 

issuer-integration-apis = {

  // the optional key "authentication" refers to "AUTHENTICATION STRATEGIES" below

  card-status-config = {
    base-uri = ""          // Required, base URI of the service
    // authentication = {} // Optional, but needed for authentication
  }  
        
  file-store-config = {
    base-uri = ""          // Required, base URI of the service
    // authentication = {} // Optional, but needed for authentication
  }
  
  // Optional Issuer Integration API, remove if not used
  booking-config = {
    base-uri = ""          // Required, base URI of the service
    // authentication = {} // Optional, but needed for authentication
  }
  
   // Optional Issuer Integration API, remove if not used
   event-notification-config = {
    base-uri = ""          // Required, base URI of the service
   // authentication = {} // Optional, but needed for authentication
  }
}

// AUTHENTICATION STRATEGIES IN ISSUER INTGEGRATION API'S

// autentication properties for type "api-key-only":
// authentication = {
//   type = "api-key-only"
//   api-key-header-name = ""
//   api-key-header-value = ""
// }

// autentication properties for type "mutual-tls-authentication":
// authentication = {
//   type = "mutual-tls-authentication"
//   keystore-file-name = ""
//   keystore-password = ""
//   key-password = ""
//   private-key-alias = ""
//   api-key-header-name = "" // optional, use if mutual-tls combined with an api-key
//   api-key-header-value = "" // optional, use if mutual-tls combined with an api-key 
// }

// autentication properties for type "jwt-authentication":
// authentication = {
//   type = "jwt-authentication"
//   keystore-file-name = ""
//   keystore-password = ""
//   key-password = ""
//   private-key-alias = ""
//   expiration = "" // e.g. "1 minute", "2 minutes", "1 hour", "2 hours", "1 day", "2 days"
//   subject = ""
//   audience = ""
//   issuer = ""
//   additional-claims = ""
// }

// autentication properties for type "o-auth-2-authentication":
// authentication = {
//   type = "o-auth-2-authentication"
//   token-endpoint = ""
//   token-endpoint-use-proxy = true
//   client-id = ""
//   client-secret = ""
//   audience = ""
// }

//
// SCHEME SERVICE CONFIG
// 

// MASTERCARD MASTERCOM
// This section contains the settings for communicating with Mastercom and are provided by Mastercard to you when requesting Mastercom APIs access.
// Remove this section if not used
mastercard = {

  base-64-file-content  = ""    // the source is specified here inline as a string
  // keystore-file-name = ""    // alternative to "base-64-file-content", the source is specified as a file reference e.g. "/etc/amiko/keystore.p12"

  // needs to be specified in both cases of "base-64-file-content" or "keystore-file-name"
  key-alias = ""
  password = ""
  consumer-key = ""
}

// MASTERCARD FLD, CONFIRMED API
// Used for Amiko to integrate with the Mastercard FLD API. Provided to you when requesting FLD APIs access.
// Remove this section if not used
mastercard-fld {
    keystore-file-name= ""
    encryption-key-fingerprint= ""
    encryption-certificate-file-name= ""
    key-alias= ""
    keystore-password= ""
    consumer-key= ""
}

// VISA VROL
// This section contains the settings for communicating with VROL and are provided by Visa to you when requesting VROL RTSI access.
// Remove this section if not used
visa = {
  system-id = "" // RTSI username
  password = "" // RTSI password
  keystore-file-name = ""
  keystore-password = "" 
  // key-password = "" Optional, should be provided if the private key password was set
}

// ETHOCA
// Used for Amiko to integrate with Ethoca. Requires a contract with Ethoca and credentials are provided by Ethoca to you.
// Remove this section if not used
// autentication properties for (default) type "basic-auth-only":
ethoca-config = {
  authentication = {
      type = "basic-auth-only"
      username = ""
      password = ""
    }
}

// mTLS needs an approval from Ethoca
// autentication properties for type "basic-auth-with-mtls-authentication":
// ethoca-config = {
//   authentication = {
//       type = "basic-auth-with-mtls-authentication"
//       username = ""
//       password = ""
//       keystore-file-name = ""
//       keystore-password = ""
//       key-password = ""
//     }
// }

//
// ADDITIONAL CONFIG
// 

// LOG
// The locations of the information and error logs of the connector. You might want to change them according to your preference.
// We support these logging options: 
// - stdout: log to Edge Connectors std-out (publish-logs-to-std-out)
// - local files: log to files in the local filesystem (out-file and err-file; either have both set or none of both)
// - Rivero cloud: log to Rivero cloud (publish-logs-to-google-cloud, path-to-google-cloud-credentials-json-file)
log = {
  out-file = "/var/log/amiko/amiko-edge.log"
  err-file = "/var/log/amiko/amiko-edge-error.log"
  publish-logs-to-google-cloud = "" // Boolean, whether logs should also be sent (sanitized!) to Rivero cloud - usually this must always be enabled as it allows us to inspect and help with problems. 
  path-to-google-cloud-credentials-json-file = "" // The filesystem path were the connector credentials file is located. This file will be provided to you by Rivero.
  locally-log-pii = "" // Boolean, Whether the logging should log entities that contain PII, note that this is only admissible for file and stdout logging (boolean). Defaults to false.
  publish-logs-to-std-out = "" // Boolean, Whether to produce logs to std out/err as well in addition to pubsub and/or logfiles. Defaults to false.
}

// TRANSLATION SERVICE
// DeepL Translation
// deepl = {
//   base-uri = ""
//   authorization-token = ""
// }

// DAILY REPORT
// Configure if you want Amiko to export daily reports to your file system
// Note, there is a standard way to export reports over UI and API
// Reach out to us to configure the reports you want to have on the file system
// file-export = {
//   reports-directory-path = "/home/amiko/reports"
// }
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://rivero.gitbook.io/amiko-documentation/JL6JD0mRhH1awRHP2Gz0/deployment-and-operations/edge-connector/configuration-and-startup.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.