Deploying Account Management API Service
note
Account Management API is now deprecated and we recommend that you use Account Management functionality built into Elastic Path Commerce 8.2 and later.
Pre-requisites
- Ensure that all requirements described in the Requirements section are met.
- Ensure that you have the URLs for the Account Management user interface, the Account Management API, and the identity provider.
- Ensure that your identity provider is configured correctly and:
- The Client ID and Client Secret values are available.
- The Admin Studio public URL is listed as a valid redirect URI in the identity provider if you use Admin Studio. For more information, see the
redirect_uriparameter in OpenID Connect 1.0 -- Section 3.1.2.1.
- Ensure that you have access to the
account-management-2.4.x.zipfile in the Elastic Path Public Nexus repository. - Ensure that the MySQL compatible RDBMS service is provisioned, the schema is initialized, and the username, password, and other connectivity details are available.
- Ensure that the JMS (Java Message Service) server is running, and you have the URL.
Procedure
- Extract the files in the
account-management-2.4.x.zip. Ensure that all contents including theaccount-management-apifolder are extracted. This folder contains the code to build the Docker image. - On your computer, build the Docker image using
account-management-api/Dockerfile. - Push the Docker image to Amazon ECR (Elastic Container Registry).
- Deploy the Docker image in Amazon ECS (Elastic Container Service) with appropriate settings. For more information about the settings, see the Docker Image Environment Variables section.
Docker image environment variables
Mandatory Parameters
Set values for the following parameters to start the Account Management service successfully:
| Parameter | Value |
|---|---|
API_DB_USER | The username of the administrator account in the MySQL Account Management schema. |
API_DB_PASSWORD | The password of the administrator account in the MySQL Account Management schema. |
API_DB_CONNECTION_URL | jdbc:mysql//(MySQL Server IP/DNS Name):(MySQL Server Port)/(MySQL Account Management Schema)?characterEncoding=UTF-8 |
API_FELIX_WEBCONSOLE_USERNAME | The username of the administrator account for the Felix OSGi Web Console. |
API_FELIX_WEBCONSOLE_PASSWORD | The password of the administrator account for the Felix OSGi Web Console. |
API_ACCESS_TOKEN | The access token to be used for static API access to Account Management APIs. For more information, see Static API access key |
AM_OIDC_DISCOVERY_URL | A URL that points to an OpenID Provider Configuration Document as defined in the OpenID Connect Discovery 1.0 standard -- Section 4. This URL ends with /.well-known/openid-configuration. |
AM_OIDC_CLIENT_ID | The OAuth 2.0 client identifier that must be used when making OpenID Connect 1.0 -- section 3.1.2.1. |
AM_OIDC_CLIENT_SECRET | The OAuth 2.0 client secret that is used as part of a client_secret_basic request OpenID Connect -- Section 9. |
AM_OIDC_ID_TOKEN_SCOPE | A space separated list of additional scopes that clients must request when authenticating against the identity provider. The primary use of this parameter is to set additional scopes that are required so that Account Management can determine the group membership of users. For example when using Okta, this value should be groups. |
AM_OIDC_ID_TOKEN_GROUP_KEY | The key to inspect in the UserInfo endpoint to determine whether this user is an associate or seller administrator. |
AM_OIDC_ID_TOKEN_ASSOCIATE_GROUP_VALUE | The value that exists in the UserInfo endpoint that indicates that the user is an associate. |
AM_OIDC_ID_TOKEN_SELLER_USER_GROUP_VALUE | The value that exists in the UserInfo endpoint that indicates that the user is a seller administrator. |
AM_AUTH_JWT_PRIVATE_KEY | The JWT private key. For more information, see the Requirements section. |
AM_AUTH_TOKEN_LIFETIME_SECONDS | Specifies how long the authentication tokens issued to use the Account Management API are valid, in seconds. The recommended value is 3600. |
API_JMS_URL | The URL of the JMS broker that you want to use. JMS is disabled if this parameter is empty. |
API_JMS_ENDPOINT | The JMS queue to which all messages from Account Management messages are sent. The default value is ep.accountmanagement. |
Optional Parameters
You can set values for the following parameters and change the functionality of Account Management:
| Parameter | Value |
|---|---|
AM_CORS_ALLOWED_ORIGINS | Specifies the origins that can make cross origin requests to the Account Management API. This setting corresponds to the cors.allowed.origins setting in the Apache Tomcat CORS Filter. The default value is *. |
AM_CORS_ALLOWED_METHODS | Specifies the HTTP verbs that can be used in cross origin requests to the Account Management API. This setting corresponds to the cors.allowed.methods setting in the Apache Tomcat CORS Filter. The default value is DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT. |
AM_CORS_ALLOWED_HEADERS | Specifies the HTTP headers that can be sent in a cross origin request to the Account Management API. This setting corresponds to the cors.allowed.headers setting in the Apache Tomcat CORS Filter. The default value is Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,x-ep-user-id,x-ep-user-roles,x-ep-user-scopes,x-ep-user-traits,x-forwarded-base. |
AM_CORS_EXPOSED_HEADERS | Specifies the HTTP headers that can be read in the response of a cross origin request to the Account Management API. This setting corresponds to the cors.exposed.headers setting in the Apache Tomcat CORS Filter. The default value is Access-Control-Allow-Origin,Access-Control-Allow-Credentials. |
AM_OIDC_FORCE_HTTPS_ON_ALL_ENDPOINTS | Specifies that all endpoints that Account Management communicates with the identity provider must be HTTPS. You can set this value to true or false. The default setting is true. |
note
We recommend not to change the default settings, as they may break Account Management functionality or create a security vulnerability.
Validating API Service Deployment
- In a browser, navigate to
https://(Account Management API URL)/studio. - Open the Authentication tab and click Authenticate.
- Log in to the identity provider with the seller administrator credentials. The system redirects you to Account Management Studio.
- In the right pane, click Entry Points.
- In the Server Defaults field, click associates.
The system displays a successful Helix response consisting of a pagination element and
results: 0, indicating that:- The Account Management API setup is complete.
- The identity provider and Account Management API integration is successful.