Amazon Common Services Shared Connection Resource
The Amazon connection is a shared resource that describes the Amazon connection. You can use the Amazon Common Services shared connection resource to specify the configuration details that connect an Amazon Common Services Client to various AWS services.
General
The General tab shows the package that stores the Amazon Common Services shared resource and the shared resource name. You can also describe the shared resource on this tab.
-Dcom.tibco.aws.useregionalendpoint=true
The following table describes the fields on the General tab of the Amazon Common Services shared resource:
| Field | Module Property? | Description |
|---|---|---|
| Package | No | Package to be added |
| Name | No | Name to be displayed as a label for the shared resource |
| Description | No | A short description for the shared resource |
Amazon Connection Configuration
You can provide the information required to establish the connection with Amazon Common Services. You can configure the connection using AWS Credential, SAML Authentication, Container Credentials, or Default Credentials Provider Chain authentication.
| Condition Applicable | Field | Module Property? | Description |
|---|---|---|---|
| N/A | AWS Region Name | Yes | The name of the AWS region to which you want to connect. For a complete list of regions, refer to the AWS documentation. |
| N/A | Authentication Type | Yes | You can use the following types of authentication:
Note: The Container Credentials authentication type is loaded from the Amazon ECS when the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. See the AWS documentation for Amazon ECS container credentials.
Note: The External Temporary Credentials are short-term credentials that are configured to last for a few minutes to several hours.
External Temporary Credentials are provided from the
Input tab of GetConnection activity.
|
| Condition Applicable | Field | Module Property? | Description |
|---|---|---|---|
| Available only when the Authentication Type is selected as AWS Credential | AWS Key ID | Yes | This is the ID of the secret key for AWS. Keys can be created through the AWS console and downloaded as CSV files. |
| AWS Secret | Yes | This is the encrypted secret key for access to AWS. | |
| Available only when the Authentication Type is selected as AWS Credential, Container Credentials, and Cross-Account Access check box is selected | Cross Account Access | No | Use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. This parameter uses temporary security credentials for cross-account access created by AssumeRole. For more details about Temporary Security Credentials, see AWS documentation. |
| Role ARN | Yes | The Amazon Resource Name (ARN) of the role to assume. For more details about RoleARN, see the AWS documentation. | |
| Role Session Name | An identifier for the assumed role session used to uniquely identify a session when the same role is assumed by different principals or for different reasons. For more details about RoleSessionName, see the AWS documentation. | ||
| External ID | Yes | A unique identifier that might be required when you assume a role in another account. It is used to address the confused deputy problem. For more details about ExternalId, see the AWS documentation. | |
| Expiration Duration (min) | Yes |
Parameter to specify the duration in minutes for which the temporary security credentials remain valid using Assume Role. For more details about ExpirationDuration, see the AWS documentation. |
|
| Available only when the Authentication Type is selected as SAML Authentication | Identity Provider (IdP) | No | The service provider that manages your user identities. With an IdP, you can manage user identities outside of AWS instead of creating AWS Identity and Access Management (IAM) users in your account. After establishing the trust relationship between IdP and AWS, your users can access AWS resources using their corporate credentials. The following identity providers can be used:
Note: Ensure that Form authentication is enabled for the identity provider.
Note: When using ADFS IdP, if the Windows Integrated Authentication (WIA) is enabled and it is accessed by using Intranet, then set the system property
-Dcom.tibco.bw.awsplugins.saml.useragent=Java1.8 to fallback to form authentication. For more information, see ADFS documentation.
|
| Identity Provider Login URL | Yes |
IdP login URL that is generated when you configure the identity provider in the identity provider console. Example URL for PingFederate: https://<host>:<port>/idp/startSSO.ping?PartnerSpId=urn%3Aamazon%3Awebservices Example URL for ADFS: https://<host>:<port>/adfs/ls/ IdpInitiatedSignOn.aspx? loginToRp=urn:amazon: webservices |
|
| Username | Yes | User name that is configured with your identity provider | |
| Password | Yes | Password that is configured with your identity provider | |
| AWS Role | Yes | AWS IAM role | |
| Token Expiration Duration | Yes | Duration for which the token is valid
Note: This is configured in AWS IAM policy when creating the role. If the user specifies the value as 0, the value is taken as 60 minutes.
|
|
| SSL Client Configuration | No | Establishes secure connection with IdP
For more information about SSL Client Configuration, see the Shared Resource section of the TIBCO ActiveMatrix BusinessWorks™ Bindings and Palettes Reference guide. |
|
| Use Proxy | Yes | The call to the identity provider through the proxy can be enabled when using
Advanced configuration with a custom client type.
Note: To enable basic authentication, set JVM argument as
-Djdk.http.auth.tunneling.disabledSchemes= Refer setting bwappnode-<AppNodeName>.tra file in Setting JVM Parameters for the AppNode Manually section in the TIBCO ActiveMatrix BusinessWorks documentation. With TIBCO BusinessStudio for BusinessWorks: Add this argument in |
Amazon Connection Advanced Configuration
The following table describes the fields in the Amazon Connection Advanced Configuration tab of the Amazon Common Services shared resource:
| Field | Module Property? | Description |
|---|---|---|
| Client Type | No | Select between the default or customized AWS client configuration
Defaults to the default client type |
| Connection Timeout | Yes | Number of milliseconds that the attempt to create an AWS client connection waits before timing out
Defaults to 10 seconds |
| ClientExecutionTimeout | Yes | Default HTTP timeout for all requests made on this connection
Disabled by default: 0 seconds |
| MaxErrorRetry | Yes | Number of retries the AWS client attempts for HTTP error code 5xx before reporting an error |
| RequestTimeout | Yes | Number of milliseconds any request can take before being timed out.
A request may constitute several individual HTTP requests. This is the difference between this setting and the ClientExecutionTimeout setting. Disabled by default: 0 |
| Use Gzip | Yes | Uses Gzip communications
Defaults to false |
| Use Proxy Settings | No | Enables or disables the fields related to proxy settings
Disabled by default. If disabled no proxy server is used. |
| NonProxy Hosts | Yes | List of hosts that should be reached directly, bypassing the proxy.
This is a list of patterns separated by '|'. The patterns might start or ends with a '*' for wildcards. Any host matching one of these patterns is reached through a direct connection instead of through the proxy. |
| Preemptive Basic Proxy Auth | Yes | Sets whether to attempt to authenticate preemptively against proxy servers by using basic authentication |
| Proxy Domain | Yes | Sets the optional Windows domain name for configuring an NTLM proxy |
| Proxy Workstation | Yes | Sets the optional Windows workstation name for configuring NTLM proxy support |
| Proxy Host | Yes | Sets the proxy host the client connects through |
| Proxy Port | Yes | Sets the proxy port the client connects through |
| Proxy Username | Yes | Sets the proxy user name to use |
| Proxy Password | Yes | Sets the proxy password to use |