
Application Configuration

The BWS applications, the gRPC service and the Portal, need some configuration at startup, part of which may be security related. Additionally, some configuration settings may change dynamically and need to be updated at runtime. Therefore, different mechanisms for providing this configuration are available.

Security related settings

Secrets like encryption keys, passwords and connection strings shall not be kept in configuration files. If Docker Swarm, Kubernetes or another orchestration tool is used, the secret management of that tool can be used instead.

General settings used by all services (Docker single container)

Kestrel

The BWS applications use the Kestrel web server to host their services. Therefore, the Kestrel endpoint configuration options can be applied to the BWS services as well. For example, to configure TLS you can use settings like

ASPNETCORE_URLS: https://+:5001
ASPNETCORE_Kestrel__Certificates__Default__Path: <path to .pfx file>
ASPNETCORE_Kestrel__Certificates__Default__Password: <certificate password>

Serilog

All BWS applications also use Serilog for structured logging. Therefore, logging can be configured using Serilog settings. Besides the standard Serilog sinks Console and File, you can add sinks such as Seq and Elasticsearch.

Serilog__MinimumLevel: "Warning"
Serilog__WriteTo__0__Name: "Console"
Serilog__WriteTo__1__Name: "Seq"
Serilog__WriteTo__1__Args__serverUrl: "<URL of SEQ server>"

BWS gRPC Settings - On-Premises

  1. MongoDB:ConnectionString
    Required connection string to the database. The URL in this connection string must also contain the database name in its path.
  2. ClientService:Secret
    Recommended secret (Base64 encoded byte array) used to encrypt your RSA private key. Must be identical to the secret used with the other BWS containers!
  3. ClientService:UpdateConfigurationInterval
    The interval in seconds used to poll the database for configuration changes. Defaults to 30 seconds.
  4. DataLogging:LogPath
    The folder where input and output data are logged temporarily. The default is /mnt/bwslogging.
  5. Busy:HighTrafficRequests
    Number of concurrently running requests that indicates high traffic. In case of high traffic, the latest response times are used to decide whether the service is busy or too busy (see the next two settings). Defaults to the number of processors.
  6. Busy:BusyResponseSeconds
    In case of high traffic, the average of the latest response times is compared to this busy response time (in seconds) to decide whether the service is busy. In this case any readiness probes on the service will return the degraded state (NOT SERVING in the case of gRPC health check). The default is 15 seconds.
  7. Busy:TooBusyResponseSeconds
    In case of high traffic, the average of the latest response times is compared to this too-busy response time (in seconds) to decide whether the service is too busy. In this case any newly incoming request will be blocked with an unavailable response status. The default is 25 seconds.
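The decision logic the three Busy settings describe, as an added illustration (not BioID's own code): high traffic is detected from the number of concurrently running requests, and only then is the average of the latest response times compared against the busy and too-busy thresholds. The window of 20 recent response times and the use of ">=" comparisons are assumptions; the thresholds are the documented defaults.

```python
"""Readiness and admission decisions driven by Busy:HighTrafficRequests,
Busy:BusyResponseSeconds and Busy:TooBusyResponseSeconds (illustration only)."""
import os
from collections import deque

SERVING, NOT_SERVING = "SERVING", "NOT_SERVING"   # gRPC health check states
OK, UNAVAILABLE = "OK", "UNAVAILABLE"            # outcome for a new request


class BusyMonitor:
    def __init__(self, high_traffic_requests=None, busy_seconds=15.0,
                 too_busy_seconds=25.0, window=20):
        # Busy:HighTrafficRequests defaults to the number of processors
        self.high_traffic_requests = high_traffic_requests or os.cpu_count() or 1
        self.busy_seconds = busy_seconds            # Busy:BusyResponseSeconds
        self.too_busy_seconds = too_busy_seconds    # Busy:TooBusyResponseSeconds
        self.latest = deque(maxlen=window)          # latest response times (s), window is an assumption
        self.running = 0                            # concurrently running requests

    def record_response(self, seconds):
        self.latest.append(seconds)

    def high_traffic(self):
        # ">=" is an assumption; the page only says the count "indicates" high traffic
        return self.running >= self.high_traffic_requests

    def average_response(self):
        return sum(self.latest) / len(self.latest) if self.latest else 0.0

    def health(self):
        # readiness degrades only under high traffic AND slow recent responses;
        # slow responses alone (low traffic) keep the service SERVING
        if self.high_traffic() and self.average_response() >= self.busy_seconds:
            return NOT_SERVING
        return SERVING

    def admit(self):
        # new requests are rejected only when the service is *too* busy
        if self.high_traffic() and self.average_response() >= self.too_busy_seconds:
            return UNAVAILABLE
        self.running += 1
        return OK

    def finish(self, seconds):
        # a request completed: it no longer counts as running, its time feeds the average
        self.running -= 1
        self.record_response(seconds)
```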

BWS Portal Settings - On-Premises

  1. MongoDB:ConnectionString
    Required connection string to the database. The URL in this connection string must also contain the database name in its path.
  2. KeyEncryption:Secret
    Recommended secret (Base64 encoded byte array) used to encrypt your RSA private key. Must be identical to the secret used with the other BWS containers!
  3. ManagementApi:LogPath
    The folder where input and output data are logged temporarily. The default is /mnt/bwslogging. The files in this folder have a default retention of 30 days and are automatically deleted after this retention period.
  4. CleanUpService:RetentionDays
    Retention period for the files written to the log folder. Default is 30 days.
  5. PerformanceService:RetentionDays
    Retention period for the performance counter entries in the database. Default is 30 days.
  6. UsageService:IntervalMinutes
    The usage service execution interval. The usage service periodically creates the daily usage for all clients and the overall usage of the on-prem installation. The default is every 5 minutes.
  7. PerformanceService:IntervalSeconds
    The performance counter service execution interval. The performance counter service periodically calculates the performance statistics for all clients and the on-prem installation. The default is 120 seconds.
  8. CleanUpService:IntervalMinutes
    The cleanup service execution interval. By default every 6 hours the expired entries in the log folder are deleted.

OpenID Connect

  9. OIDC:Authority
    URL of the OpenID Connect server.
  10. OIDC:ClientId
    The client identifier used to authenticate with the OpenID Connect server.
  11. OIDC:ClientSecret
    The client secret used to authenticate with the OpenID Connect server.
  12. OIDC:DisplayName
    An optional display name for this OpenID Connect provider. If no DisplayName is set, OpenIDConnect is used.
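Resolving and checking the settings listed for both containers, as an added illustration (not BioID's own loader): hierarchical keys such as MongoDB:ConnectionString arrive as environment variables with "__" separators (the form the Kestrel and Serilog examples above use), while secrets are read from files mounted one-per-key by Docker Swarm or Kubernetes so they never sit in a config file. The secret file naming, the read_secret_files() helper and the precedence of secret files over environment variables are assumptions.

```python
"""Merge BWS settings from environment variables and mounted secret files, then
check the documented requirements for the required/recommended keys."""
import base64
import os
from urllib.parse import urlparse

# keys the page says must not live in configuration files
SECRET_KEYS = ("ClientService:Secret", "KeyEncryption:Secret", "MongoDB:ConnectionString")


def env_to_key(name):
    """'.NET' environment convention: Serilog__WriteTo__1__Name -> Serilog:WriteTo:1:Name."""
    return name.replace("__", ":")


def read_secret_files(secrets_dir):
    """Docker Swarm mounts secrets as files under /run/secrets/<name>; return {name: value}."""
    files = {}
    for name in os.listdir(secrets_dir):
        with open(os.path.join(secrets_dir, name), encoding="utf-8") as f:
            files[name] = f.read().strip()
    return files


def load_settings(environ, secret_files):
    """Merge both sources; secret files win so an environment value cannot override them."""
    settings = {env_to_key(k): v for k, v in environ.items() if "__" in k}
    settings.update({env_to_key(k): v for k, v in secret_files.items()})
    return settings


def secrets_in_environment(environ):
    """Secret keys that came from the environment (i.e. a compose/config file) instead of a secret store."""
    return sorted(env_to_key(k) for k in environ if env_to_key(k) in SECRET_KEYS)


def validate(settings):
    """Return a list of problems against the documented requirements (empty list = OK)."""
    problems = []
    conn = settings.get("MongoDB:ConnectionString")
    if not conn:
        problems.append("MongoDB:ConnectionString is required")
    elif not urlparse(conn).path.strip("/"):   # database name must be in the URL path
        problems.append("MongoDB:ConnectionString must contain the database name in its path")
    for key in ("ClientService:Secret", "KeyEncryption:Secret"):
        if key in settings:
            try:
                base64.b64decode(settings[key], validate=True)   # must be a Base64 byte array
            except ValueError:
                problems.append(f"{key} must be a Base64 encoded byte array")
    return problems
```

The same secret value must be supplied to every BWS container, so the secret store, not each container's environment, is the right single source for ClientService:Secret and KeyEncryption:Secret.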