Skip to main content

Temenos Explorer Installation Guide

Overview

This document is the installation guide for Temenos Explorer (TEX) framework. It should not be confused with Transact Explorer which is the user agent for accessing Transact T24 enquiries and versions.

This document does not describe the installation of individual plugin applications (User Agents) hosted within Temenos Explorer. These should be documented by the plugin owner.

There are four key parts to any Temenos Explorer installation:

  • Keycloak
  • API Gateway
  • Temenos Explorer
  • Micro Services or Transact APIs

Keycloak configuration is well documented elsewhere, but specific items of note are included here.

API Gateway allows Temenos Explorer plugins to easily access APIs on a variety of servers. This needs to be configured to know the location of Keycloak and of the Micro Services / APIs that are in use. It is envisaged that an Enterprise API gateway will be used in preference in production environments, but that is not essential.

A jboss/WAR deployment may not need to use the API Gateway if all APIs are local to the deployment (same server and port).

Temenos Explorer itself needs configuration to know the location of KeyCloak and to know the specific roles in use.

Micro Services or Transact APIs are a prerequisite and are assumed to already exist and are not described here.

Obtaining Temenos Explorer

Those within the Temenos network can obtain the latest snapshot from http://cloud-ivy.temenosgroup.com/build/TemenosEx/latest/

Those outside the network will need to obtain it from Distribution.

Installation Guide

Keycloak Users and Roles

Keycloak

Keycloak provides installation documentation, so this will not be repeated here, however additional information on Keycloak is here:

https://developer.temenos.com/temenos-explorer/docs/framework/utilities/keycloak

and here:

https://developer.temenos.com/temenos-explorer/docs/developer/keycloak/overview

Users and Roles

The following configuration is required once you have created a Keycloak realm and client:

1) Within the client, create the desired role names. Create keycloak roles

2) Create the desired users. Create keycloak users

3) On each user, assign the desired client roles. Assign user roles

4) If a user has more than one role, create the attribute “default_role” and populate this with the preferred default role that the user should get when logging in.

Assign default role

5) On early Keycloak versions such as V16 & V17 it is necessary to create a mapper in the client to include the default_role attribute in the JWT. Early keycloak versions Keycloak mapper

Record the URL at which Keycloak runs, as this will need to be input into the API Gateway and Temenos Explorer config files.

NB: Keycloak V16 includes the suffix “/auth” in the URL, whereas later versions do not.

API Gateway Configuration

The API Gateway is configured in a single file, config.json which is read during startup.

It provides CORS compliance allowing browsers running Temenos Explorer to invoke APIs on any appropriate server and provides logging of API success/failure plus logging of Javascript errors that will not persist on client machines.

Each different service requires configuration entries to enable the API Gateway to recognise requests and distribute to the appropriate endpoint.

Further information available here: https://developer.temenos.com/temenos-explorer/docs/developer/configuration/api-gateway

config.json

portPort on which to listen to http requests
portHttpsPort on which to listen to https requests (blank if https not used)
tokenValidation

Controls validation of the incoming request’s Authorization header JWT

none: no validation (not advisable for production)

internal: validation decoding the JWT using the Keycloak public key (will not detect token revocation after logout)

external: validation by invoking a Keycloak token validation endpoint (preferred option)

auth-server-urlKeycloak token validation endpoint prefix
realmKeycloak realm
RS256keyidKeycloak public key – currently unused, may be left blank
JWT-HeaderCurrently unused, may be left blank
JWT-Public-Key-FileFilename of Keycloak JWT public key file – used for “internal” token validation
sslPrivateKeyFilename of private key file if https used – This file needs to be provided by the organisation running Temenos Explorer
sslPublicCertFilename of public certificate file if https used – This file needs to be provided by the organisation running Temenos Explorer
loggingMaster switch to control logging to console and/or file
consoleLogLevelControl amount of logging to console: error
fileLogLevelControl amount of logging to file /logs/app.log: error
maxLogFileSizeMaximum size of log file before starting new log
maxLogFilesMaximum number of log files to keep
echoDelayDelay before responding to echo requests (used for development/testing only)
allowLogAccessUsersComma separated list of (authenticated) users allowed to access the logs via the API Gateway /log endpoint
corsHeadersArray of header names “header” and values “value” to respond with on all requests to ensure CORS compatibility
servicesArray of routings and handlers for each API endpoint described below

services sub-entries

ParameterDescription
serviceUnique/arbitrary service name
incomingRouteURL pattern to match incoming request for this service
baseUrlURL prefix to use to forward the incoming request i.e. real API endpoint prefix
getHandlerFunction name to invoke for GET requests, normally “genericGet”
postHandlerFunction name to invoke for POST requests, normally “genericPost”
putHandlerFunction name to invoke for PUT requests, normally “genericPut”
forwardHeadersArray of headers that should be forwarded or [“*”] to forward all incoming headers
headersObject containing headers to be added to the forwarded request – usually API keys etc
queryStringsObject containing items to be added to the URL’s query section – usually API keys etc

Example config:

      {
        "serviceName": "partyMS",
        "incomingRoute": "/ms-party-api/api*",
        "baseUrl": "http://temenosexplorer2301.northeurope.cloudapp.azure.com:3000",
        "getHandler":  "genericGet",
        "postHandler": "genericPost",
        "putHandler":  "genericPut",
        "forwardHeaders": ["*"],
        "headers": {},
        "queryStrings": {}
      },

The above config will forward requests that are received as http://{this-server-name}:8085/ms-party-api/api to <http://temenosexplorer2301.northeurope.cloudapp.azure.com:3000/ms-party-api/api>

e.g.

http://{this-server-name}:8085/ms-party-api/api/V5.0.0/party/parties

will be forwarded to

http://temenosexplorer2301.northeurope.cloudapp.azure.com:3000/ms-party-api/api/V5.0.0/party/parties

API Gateway Deployment

API Gateway runs as a Node JS application.

From the ApiGateway folder, execute the following:

npm run bootstrap This will install the application and only needs doing once

npm start This runs the application

Alternatively, if API Gateway is to run in a container, the installed application folder should be copied into the container for deployment and should run the npm start command on startup.

Temenos Explorer Configuration

Node vs WAR

Temenos Explorer config files all exist in the TemenosExplorer/public folder. However, Temenos Explorer may be deployed as a Node JS application or as a WAR file running in a web server such as Jboss.

If running as a WAR:

  • The root folder is ready-built from the TemenosExplorer/public folder. Higher folders are not part of the deployment.

  • You may wish consider taking advantage of the Temenos Explorer's ConfigServlet to manage web-server-host specific settings (via OS environment variables and template config files), thereby allowing the same physical Temenos Explorer WAR file to be deployed to (and run within) multiple target environments (system-test, production, etc).

TA_config.js

Temenos Explorer’s main configuration file is called TA_config.js (but see/consider ConfigServlet if Temenos Exporer is going to be deployed as a WAR).

Many settings contain the value \$HOSTNAME$:\$PORT$

This value does not need to be replaced unless the relevant item does not exist on the same server and port as the web site. It is automatically replaced by the JavaScript values window.location.hostname and window.location.port at runtime.

Configurations available are:

ParameterSettings
loggingtrue / false - Controls browser console debug logging – should be false for production environments. Errors will always be logged
UPDATEURLUpdate the URL to show the specific page - for deep linking
APIS, top["APIS"]IRIS or MS APIs in use. If IRIS, user info will be obtained from Transact
top["LOGINAPIS"]If IRIS APIS, get user info (appropriate companies etc) from TBSERVER or IRIS - default is IRIS
top["AUTHENTICATION"]‘KEYCLOAK’ / ‘T24’ / 'CUSTOM' – type of authentication employed – currently Keycloak or T24 Authenticator supported, if CUSTOM, TA_customIAM.js must be developed to match the IAM solution chosen
top["AUTHHEADER"]‘Authorization’ – request header name containing the authentication token – automatically changed to 'T24auth' if T24 authentication is detected
top["MERGEUSERROLES"]true / false - Permissions and menus from all of user's roles should be merged and role switching turned off?
top["ALTERNATEROLEARRAYLOCATION"]Alternate location in the JWT where roles may exist - e.g.realmAccess.roles
top["CUSTOMISATION"]Controls which L3 customisations should be applied in TEX itself – may not affect plugin applications unless they monitor this value
top["missingTranslationAction"]

Text to use when a translation is not found

default_or_key – recommended value - show a developer supplied default, or the translation key if no default was supplied

default_and_key – show a developer supplied default and the translation key

default – show a developer supplied default (or blank if not default supplied, so not recommended)

key – show the translation key

silent – as per default_or_key but do not log missing translation to console or API Gateway – useful if an incomplete new language is flooding the log with errors

top["APITIMEOUT"]Number of seconds before slow API responses are terminated and assumed failed
top["APISPEEDTHRESHOLD"]Number of seconds before an API is considered to be “slow” within the health-check window
CONFIGRuntime endpoint and default configurations described below in more detail
HEALTHCHECKArray of endpoints to invoke when performing a health check
HEALTHCHECK_PRELOGINArray of unauthenticated endpoints to invoke when performing a health check on the pre-login page
SESSIONTIMEOUTWARNNumber of seconds before session end warning is shown to the user – less than SESSIONTIMEOUT
SESSIONTIMEOUTNumber of seconds before session ends and user is logged off – should be just less than Keycloak/IAM session expiry
CONFIG valuesDescription
KEYCLOAKURL

Keycloak authentication URL endpoint

This will likely end with /auth for Keycloak V16 but not for later versions

KEYCLOAKREALMKeycloak realm
KEYCLOAKCLIENTKeycloak client
KEYCLOAKREDIRECTURL Keycloak should redirect back to after successful login – if running from a WAR file in Jboss, the application name (usually TemenosExplorer/) will need to be included
KEYCLOAKLOGOUTREDIRECTURL Keycloak should redirect back to after logout – if running from a WAR file in Jboss, the application name (usually TemenosExplorer/) will need to be included
TBSERVERROOTURLTransact Browser server root URL for API calls
TESERVERLocation of Transact Explorer APIs
TRANSACTAPIPREFIXURL prefix for Transact IRIS R18 API calls
MOCKSERVERROOTURLDevelopment API mocking only
FETCHMOCKROOTURLDevelopment API mocking only
LOGURLURL to use to log JavaScript and missing translation errors
ADDITIONALLOGOUTURLAdditional URL to invoke during logout – do not use
PERMISSIONSURLURL to get XACML based permissions for the current user role
PASSKEYCLOAKTOKENtrue / false – include Keycloak token on API requests if “Authorization”:”accesstoken” is passed by plugins (that do not know the token) – should always be true
TRANSACTROLESArray of roles that are permitted to use Temenos Explorer if using T24 authentication instead of Keycloak – or [“unrestricted”] if no restriction to be applied
DIRECTION‘ltr’ / ‘rtl’ - Default direction for new users until user selects their preference
LANGUAGEDefault language code for new users until user selects their preference
DATEFORMATDefault date format for new users until user selects their preference
TIMEFORMATDefault time format for new users until user selects their preference – not currently used
NUMERICFORMATDefault numeric format for new users until user selects their preference
LANGUAGESArray of languages available in the translation file TA_translations.js
TIMESArray of time formats selectable by users – not currently used

TA_permissions.js

Permissions are given to business operations on a per-role basis, so each role is given its own configuration and list of permissions as described below.

RoleIdRole ID as it appears in Keycloak
Role DescriptionHuman friendly role (short) description
TransactRoleIdTransact T24 equivalent role
LegalEntityTransact T24 equivalent company e.g. GB0010001
StartupStartup plugin for this role after login – can be blank if no startup plugin required
StartupParametersNot currently used - Object to pass to startup plugin – e.g. {"page":"criteria"}
DashboardNot currently used
MenusString containing a comma separated list of menus to show for this role – see TA_menus.js
Permissions

Array of business operations appropriate for this role - these may span multiple plugins if the role can access multiple plugins.

Can be an empty array if permissions are instead coming from Generic Config Micro Service at PERMISSIONSURL

ServiceRequestsNot currently used

TA_menus.js

Menus are represented as a json object tree structure. A user’s role usually has just one menu, but can have more as configured in the Menus property in TA_permissions.js

Each menu is simply an array of sub-menus and/or child items which themselves may also be menus or child items.

Menus have the following properties:

PropertyDescription
MenuIdUnique identifier that can be referred to in TA_permissions.js
MenuArray of menu items
type“menu” / “item”
labelLanguage key for menu’s text
openAlways false
childItemsArray of sub-menus or menu options
actionIdFor menu options, this is the name of the plugin. It could also be a URL if a new window is to be launched
querystringParameters to be passed to the plugin e.g. { "page":"criteria" }
dataRedundant - No longer used

TA_translations.js

Translations are defined in a standard JSON object tree structure in TA_translations.js and are broken down into a handful on namespaces listed below.

NamespaceDescription
plugin-titleTitles that appear along the Temenos Explorer navigation bar
menuMenu option labels
appBarItems that relate to the top navigation bar and its popup windows
generalGeneral translations for page contents, buttons etc – This is one of the main sections
fieldsDatabase field labels/column headings – This is one of the main sections

Within these sections, individual translations appear. Each translation has a key and within this, each language (2 character locale) has a value of the actual text to display for that language.

Translation example

The application code references the translations using a value such as “fields.account” and the translator utility converts this based on the selected language to be “Account” or “Compte” as appropriate.

Adding new languages is simply a case of adding a new entry with the appropriate language locale and translation key for each existing translation – e.g. “es”:” Cuenta”, for the fields.account item shown.

Any new language also needs adding to the LANGUAGES property of TA_config.js so that the user may select it (but see/consider ConfigServlet if Temenos Exporer is going to be deployed as a WAR).

Note: Plugin applications can also define additional translations in the same way which will supplement the translations provided in this master translation file.

XACML Policies

Whilst role-specific permissions can be defined in the TA_permissions.js configuration file, it is also possible to load permissions from the Temenos Generic Config Micro Service. In order to do this, a non-empty value must be specified for CONFIG.PERMISSIONSURL in TA_config.js This value will be the uri for the XACML policy (in json format or base64 encoded json) within the GCMS. e.g.

PERMISSIONSURL: 'http://$HOSTNAME$:8085/ms/msgenconfig/api/v1.0.0/system/configurationGroups/SECURITY.POLICY/configuration/{roleid}.json',

The above instructs Temenos Explorer to obtain the policy from the GCMS via the API Gateway, accessing the SECURITY.POLICY group and Temeos Explorer will automatically replace {roleid} in the request with the current user role id (normally defined in Keycloak) to obtain the correct policy at runtime.

Note that permissions obtained from GCMS are supplemental to those already defined in TA_permissions.js, so the role should be defined there with an empty Permissions array if the XACML policy is complete and no supplemental/hard-coded permisions are intended. Alternatively, any items present in the TA_permissions.js Permissions array will be merged with those from the XACML policy.

Temenos Explorer Deployment

Before deploying Temenos Explorer, you should check that any plugin applications are correctly configured according to their installation guide.

WAR Deployment

Once the WAR file’s config files have been adjusted it can be placed in the jboss/standalone/deployments folder and should auto-deploy.

Node Deployment

From the TemenosExplorer folder, execute the following:

npm run bootstrap This will install the application and only needs doing once

npm start This runs the application

Alternatively, if Temenos Explorer is to run in a container, the installed application folder should be copied into the container for deployment and should run the npm start command on startup:

Cloud / SaaS deployment

Cloud deployments rely on containers being created to hold Temenos Explorer and API Gateway. Scripts to build these exist in the root of the BitBucket repo...

Dockerfile-Saas-TemenosExplorer

Dockerfile-Saas-ApiGateway

These can be used to create a container for Temenos Explorer and API Gateway respectively. It is expected that these scripts will be modified based on environment requirements - e.g. choice of web server etc. See later in this section for information about ecxternalised environment variables.

Rebuilding from source

If you have made changes to source (not just config) and need to rebuild, use the command:

npm run build

Rebuilding Temenos Explorer does not rebuild plugin applications! They should be rebuilt independently from within their TemenosExplorer/public/plugins/{plugin-name} folder.

TA_config.js siblings

Temenos Explorer reads its configuration from the TA_config.js file. However, several similarly named copies of this file are present so it is easy for developers to switch between environments/configurations. In addition, there are further copies that improve deployment flexibility:

TA_config.SAAS.configservlet-template.js can be used as a template in conjunction with the ConfigServlet mentioned elsewhere in this guide for WAR file deployments.

TA_config.SAAS.js is used by the Cloud deployment script as a template to obtain environment variables which are populated by the TA_config.SAAS.update.js script run during the Dockerfile-Saas-TemenosExplorer containerisation script.

Environment Variables (externalising config)

When deployed as a container, TEX can obtain its config values from envrionment variables.

TEX supports this by providing a script that may be included in the container start-up called TA_config.SAAS.update.js.

Specifically, in container image build script Dockerfile-Saas-TemenosExplorer, you will see the startup command is “npm run start:saas”.

In package.json, you will see that this script executes the TA_config.SAAS.update.js script. TA_config.SAAS.update.js reads the environment variables and injects these into template TA_config.SAAS.js, which is then used to replace TA_config.js.

Environment variables are clearly identified in the template TA_config.SAAS.js as $ENV.XXX$ and are listed in the table below. They are defined in the Temenos Explorer helm chart.

VariableUsage
TEX_HEALTHCHECK_POSTLOGINjson object definition of the healthcheck endpoints
TEX_HEALTHCHECK_PRELOGINjson object definition of the healthcheck endpoints (before login)
TEX_APISIRIS' / 'MS' - Backed APIs mare IRIS or Micro services
TEX_CUSTOMISATIONstring identifying any customisation - blank unless code is writted to read this value and react accordingly
TEX_LOGGINGtrue / false - should there be javascript logging
TEX_UPDATE_URLtrue / false - should the URL anchor be updated with current page info (assists deep linking)
TEX_AUTHENTICATION'KEYCLOAK' / 'CUSTOM' - authentication method
TEX_API_TIMEOUTnumeric - number of secconds before API calls will be timed out
TEX_KEYCLOAK_URLroot url of Keycloak authentication e.g. http://111.222.333.444:8180/auth
TEX_KEYCLOAK_REALMkeycloak realm
TEX_KEYCLOAK_CLIENTkeycloak client
TEX_TB_SERVER_ROOT_URLroot url of Transact Explorer's tb-server e.g. http://$HOSTNAME$:8085/tb-server
TEX_TE_SERVERroot url of Transact Explorer e.g. http://$HOSTNAME$:8085
TEX_TRANSACT_API_PREFIXroot url of transact irf-provider container e.g. http://$HOSTNAME$:8085/irf-provider-container/api
TEX_LOG_URLurl endpoint to which javascript errors may be logged (usually at the API gateway) e.g. http://$HOSTNAME$:8085/log
TEX_ADDITIONAL_LOGOUT_URLurl endpoint to invoke when logout is requested
TEX_PERMISSIONS_URLurl endpoint to obtain XACML defined permissions (in json or base64 encoded json)
TEX_LANGUAGESjson object definition of available languages
TEX_TIMEOUT_WARNnumeric - number of ms before session timeout warning
TEX_TIMEOUT_LOGOUTnumeric - number of ms before session timeout forces logout
TEX_CUSTOM_JS_URLurl endpoint (in generic config) where customisation javascript is held, normally empty
TEX_TRANSLATIONS_URLurl endpoint (in generic config) where custom language definitions are held in json format, normally empty
TEX_TASKBARhide/bottom/side - default position of task bar
TEX_ALTERNATE_ROLE_ARRAY_LOCATIONalternate location of roles in the token - e.g. realmAccess.roles
TEX_CONTEXTcontect path of the Temenos Explorer web site - e.g. TemenosExplorer
TEX_MERGE_USER_ROLESfalse/true - Merge user roles and menus together and disable role switching
TEX_AUTH_HEADERAuthorization/T24Auth - header used to path authentication token to IRIS
HOLDINGS_MS_ROOT_URLroot url of the holdings MS - e.g. https://111.222.333.444:8443
PUBLISHER_API_ROOTroot url of irf-publisher-container - e.g. https://111.222.333.444:9089
PROVIDER_API_ROOTroot url of irf-provider-container - e.g. https://111.222.333.444:9089
EPD_MS_API_ROOTroot url of the EPD MS - e.g. https://111.222.333.444:8443
EPD_MS_PATHcontext path of the EPD MS - e.g. /ms-holdings-api/api
AZURE_CODE_REQfalse/true - running in AZURE?
TRANSACT_PATHpath to Transact IRIS provider APIs - e.g. /irf-provider-container/api
TRANSACT_PUBLISHER_PATHpath to Transact IRIS publisher APIs - e.g. /irf-publisher-container/api
API_GATEWAYroot url of API Gateway

Optional additional variables for API Gateway…

VariableUsage
TOKEN_VALIDATIONexternal/internal/none - type of token validation done by the gateway
AUTH_SERVER_URLroot url of authentication (keycloak)
REALMkeycloak realm
GATEWAY_CONTEXTcontect path where API gateway is running.g. gateway
PARTY_MS_ROOT_URLroot of Party MS - e.g. http://temenosexplorer2304.northeurope.cloudapp.azure.com:8085
PARTY_MS_PATHcontext path to PARTY MS APIs - e.g. /ms-party-api/api
ARRANGEMENT_MS_ROOT_URLroot of Arrangements MS
ARRANGEMENT_MS_PATHcontext path to Arrangements MS
HOLDINGS_MS_ROOT_URLroot of Holdings MS
HOLDINGS_MS_PATHcontext path of Holdings MS
CONFIG_MS_ROOT_URLroot of Generic Config MS - e.g. https://11.22.33.44:8443
CONFIG_MS_PATH contextpath of Generic Config MS - e.g. /ms-genericconfig-api/api
ANY_OTHER_MS_ROOT_URLroot of any other unknown MS - e.g. https://11.22.33.44:8443
ANY_OTHER_MS_PATHcontext path of any other unknown MS - e.g. /ms
SR_MS_ROOT_URLroot of Service Request MS
SR_MS_PATHcontext path of Service Request MS
TRANSACT_ROOTURLroot of Transact - e.g. https://11.22.33.44:9089
TRANSACT_PATHas previously mentioned above
TRANSACT_PUBLISHER_PATHas previously mentioned above
NCSA_PATHcontect path to NCSA specific APIs - e.g. /irf-provider-container-NCSANL/api
TB_SERVER_ROOT_URLroot of Transact Explorer's tb-server- e.g. https://11.22.33.44:9089
TB_SERVER_PATHcontext path of Transact Explorer's tb-server- e.g. /tb-server
TRANSACT_EXPLORER_ROOT_URLroot of Transact Explorer - e.g. https://11.22.33.44:9089
TRANSACT_EXPLORER_PATHcontext path of Transact Explorer - e.g. /transact-explorer-wa
TRACE_ORIGINAL_ROOT_URLignore
TRACE_ORIGNAL_PATHignore
TRACE_ORIGINAL_AUTHignore
ANALYTICS_ROOT_URLignore
ANALYTICS_PATHignore
ANALYTICS_AUTHignore
CODAT_ROOT_URLignore
CODAT_PATHignore
PAM_BASE_URLignore
PAM_PATHignore
DOCUMENT_MS_PATHignore
DOCUMENT_MS_ROOT_URLignore

Document History

AuthorVersionDate
R. ThorpeV0.118/07/2023
R. ThorpeV0.203/09/2024