Application Configuration

The BWS applications, the gRPC services as well as the Portal, need to get some configuration at startup. Some configuration settings are required (like the MongoDB:ConnectionString), others have reasonable default values and can be adapted as needed.

Security related settings

Secrets like encryption-keys, passwords and connection strings shall not be kept in configuration files. If Docker Swarm, Kubernetes or an other orchestration tool is used, the secret management of these tools can be used.

On this page

• General settings
• BWS Portal Settings
• BWS gRPC Settings
• BWS Face Recognition Settings

General settings used by all services

Kestrel

The BWS applications use the Kestrel web server to host the services. Therefore, the Kestrel endpoint configuration options can be applied to the BWS services as well. For example, to configure TLS you can use a settings file like

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://+:5001",
        "Certificate": {
          "Path": "<path to .pfx file>",
          "Password": "<certificate password>"
        }
      }
    }
  }
}

environment:
  ASPNETCORE_URLS: https://+:5001
  ASPNETCORE_Kestrel__Certificates__Default__Path: <path to .pfx file>
  ASPNETCORE_Kestrel__Certificates__Default__Password: <certificate password>

env:
  - name: Kestrel__Endpoints__gRPC__Protocols
    value: Http2
  - name: Kestrel__Endpoints__gRPC__Url
    value: http://*:50051
  - name: Kestrel__Endpoints__RESTful__Protocols
    value: Http1
  - name: Kestrel__Endpoints__RESTful__Url
    value: http://*:8080

Serilog

Also, all BWS applications use Serilog for structured logging. Therefore, logging can be configured using Serilog settings. Beside of the standard Serilog sinks Console and File, you can add sinks e.g. like Seq and OpenSearch.

{
  "Serilog": {
    "MinimumLevel": "Warning",
    "WriteTo": [
      {
        "Name": "Console"
      },
      {
        "Name": "Seq",
        "Args": {
          "serverUrl": "<URL of SEQ server>"
        }
      }
    ]
  }
}

environment:
  Serilog__MinimumLevel: "Warning"
  Serilog__WriteTo__0__Name: "Console"
  Serilog__WriteTo__1__Name: "Seq"
  Serilog__WriteTo__1__Args__serverUrl: "<URL of SEQ server>"

env:
  - name: Serilog__MinimumLevel
    value: Warning
  - name: Serilog__WriteTo__0__Name
    value: Console
  - name: Serilog__WriteTo__1__Name
    value: Seq
  - name: Serilog__WriteTo__1__Args__serverUrl
    value: <URL of SEQ server>

BWS Portal Settings - On-Premises

1. MongoDB:ConnectionString

   Required connection string to the database. The URL in this connection string must also contain the database name in its path.
2. KeyEncryption:Secret

   Recommended secret (Base64 encoded byte array) used to encrypt your RSA private key. Must be identical to the secret used with the other BWS containers!
3. ManagementApi:LogPath

   The folder where to log input- and output data temporary. The default is /mnt/bwslogging. The files in this folder have a default retention of 30 days and are automatically deleted after this retention period.
4. ManagementApi:TemplatesPath

   The folder where to look for full templates to load enrolled thumbnails. The default is /mnt/templates.
5. CleanUpService:RetentionDays

   Retention period for the files written to the log folder. Default is 30 days.
6. PerformanceService:RetentionDays

   Retention period for the performance counter entries in the database. Default is 30 days.
7. UsageService:IntervalMinutes

   The usage service execution interval. The usage service periodically creates the daily usage for all clients and the overall usage of the on-prem installation. The default is every 5 minutes.
8. PerformanceService:IntervalSeconds

   The performance counter service execution interval. The performance counter service periodically calculates the performance statistics for all clients and the on-prem installation. The default is 120 seconds.
9. CleanUpService:IntervalMinutes

   The cleanup service execution interval. By default every 6 hours the expired entries in the log folder are deleted.
10. OpenID Connect
11. OIDC:Authority

    URL of OpenID Connect server.
12. OIDC:ClientId

    The client identifier used to authenticate with the OpenID Connect server.
13. OIDC:ClientSecret

    The client secret used to authenticate with the OpenID Connect server.
14. OIDC:DisplayName

    An optional display name for this OpenID Connect provider. OpenIDConnect is used if no DisplayName has been set.

BWS gRPC Settings - On-Premises

1. MongoDB:ConnectionString

   Required connection string to the database. The URL in this connection string must also contain the database name in its path.
2. ClientService:Secret

   Recommended secret (Base64 encoded byte array) used to encrypt your RSA private key. Must be identical to the secret used with the other BWS containers!
3. ClientService:UpdateConfigurationInterval

   The interval in seconds used to poll the database for configuration changes. Defaults to 30 seconds.
4. DataLogging:LogPath

   The folder where to log input- and output data temporary. The default is /mnt/bwslogging.
5. Busy:HighTrafficRequests

   Number of concurrently running requests that indicate high traffic. In case of high traffic, the latest response times are used to calculate the too busy response time. Defaults to number of processors.
6. Busy:BusyResponseSeconds

   In case of high traffic, the average of the latest response times is compared to this busy response time (in seconds) to decide whether the service is busy. In this case any readiness probes on the service will return the degraded state (NOT SERVING in the case of gRPC health check). The default is 15 seconds.
7. Busy:TooBusyResponseSeconds

   In case of high traffic, the average of the latest response times is compared to this busy response time (in seconds) to decide whether the service is too busy. In this case any newly incoming request will be blocked by creating an unavailable response status. The default is 25 seconds.

BWS Face Recognition Settings - On-Premises

1. MongoDB:ConnectionString

   Required connection string to the database. The URL in this connection string must also contain the database name in its path. Note that this database is also used to store the generated compact templates.
2. ClientService:Secret

   Recommended secret (Base64 encoded byte array) used to encrypt your RSA private key. Must be identical to the secret used with the other BWS containers!
3. ClientService:UpdateConfigurationInterval

   The interval in seconds used to poll the database for configuration changes. Defaults to 30 seconds.
4. TemplateService:TemplatesPath

   The folder where to store the standard and full biometric templates. The default is /mnt/templates.
5. DataLogging:LogPath

   The folder where to log input- and output data temporary. The default is /mnt/bwslogging.
6. Busy:HighTrafficRequests

   Number of concurrently running requests that indicate high traffic. In case of high traffic, the latest response times are used to calculate the too busy response time. Defaults to number of processors.
7. Busy:BusyResponseSeconds

   In case of high traffic, the average of the latest response times is compared to this busy response time (in seconds) to decide whether the service is busy. In this case any readiness probes on the service will return the degraded state (NOT SERVING in the case of gRPC health check). The default is 15 seconds.
8. Busy:TooBusyResponseSeconds

   In case of high traffic, the average of the latest response times is compared to this busy response time (in seconds) to decide whether the service is too busy. In this case any newly incoming request will be blocked by creating an unavailable response status. The default is 25 seconds.