Configuration

Configuration for agency deployment.

Overall Findy Agency Deployment Architecture

Internet-facing reverse proxy

Nginx, an AWS load balancer or similar can act as the reverse proxy. It is recommended to route all requests through a single domain: WebAuthn (FIDO2) ties credentials to the origin, and a single origin also avoids CORS configuration.

Port 443

| Path | Target | Note |
|---|---|---|
| /pwa | Static html | |
| /query | vault | GQL queries from PWA. Websocket support needed. |
| /register, /login | auth | Webauthn requires HTTPS. Domain needs to match with PWA. |
| /a2a | agency | Endpoint can be set with the agency's start up flag. |

Port 50051

Agency gRPC interface communication.

Note: Currently all internal microservices also assume gRPC SSL/TLS communication. Unencrypted communication within the private network may be enabled in the future.
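The routing table above, written out as a minimal nginx configuration. This is an added example, not configuration shipped by the Findy Agency repositories: the upstream host names (pwa, vault, auth, agency), their ports, and the TLS certificate paths are assumptions and must be adapted to the deployment. It routes every path under one domain, enables the WebSocket upgrade that /query needs, and passes port 50051 through as raw TCP so that the agency keeps terminating gRPC TLS itself.

```nginx
# Added example configuration (not from findy-agency). Upstream names, ports
# and certificate paths are assumptions.
events {}

http {
    upstream pwa    { server pwa:80; }       # assumed: static PWA files
    upstream vault  { server vault:8085; }   # FAV_SERVER_PORT example value
    upstream auth   { server auth:8888; }    # --port example value
    upstream agency { server agency:8080; }  # FCLI_AGENCY_SERVER_PORT example value

    server {
        listen 443 ssl http2;
        server_name agency.example.com;      # one origin for PWA, auth and vault

        ssl_certificate     /etc/nginx/tls/fullchain.pem;  # assumed path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;    # assumed path

        # Static html
        location /pwa {
            proxy_pass http://pwa;
            proxy_set_header Host $host;
        }

        # GraphQL queries and subscriptions: the Upgrade/Connection headers
        # are required for the WebSocket transport.
        location /query {
            proxy_pass http://vault;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }

        # WebAuthn registration and login: served over HTTPS from the same
        # domain as the PWA, so the FIDO2 origin check passes.
        location /register {
            proxy_pass http://auth;
            proxy_set_header Host $host;
        }
        location /login {
            proxy_pass http://auth;
            proxy_set_header Host $host;
        }

        # Agent-to-agent endpoint (path set by the agency start-up flag)
        location /a2a {
            proxy_pass http://agency;
            proxy_set_header Host $host;
        }
    }
}

# Port 50051: plain TCP pass-through. The agency terminates gRPC TLS itself
# and validates client certificates, so the proxy must not re-terminate here.
stream {
    server {
        listen 50051;
        proxy_pass agency:50051;
    }
}
```

Because the proxy does not terminate the gRPC connection, the agency's own server certificate (FCLI_AGENCY_GRPC_CERT_PATH) must carry the public host name, not an internal one.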

findy-agent

Sources and more documentation in repository findy-agent

Docker image registry in GitHub Packages.

Settings

| Variable | Example | Default | Description |
|---|---|---|---|
| FCLI_IMPORT_WALLET_FILE | /steward.exported | /steward.exported | File path to steward wallet to import |
| FCLI_IMPORT_WALLET_NAME | steward | steward | Steward wallet name |
| FCLI_IMPORT_WALLET_FILE_KEY | import-indy-key | | Key to wallet file to import |
| FCLI_IMPORT_WALLET_KEY, FCLI_AGENCY_STEWARD_WALLET_KEY | valid-indy-key | | Steward wallet key |
| FCLI_AGENCY_STEWARD_DID | Th7MpTaRZVRYnPiabds81Y | | Steward DID |
| FCLI_POOL_GENESIS_TXN_FILE | /genesis_transactions | /genesis_transactions | Ledger genesis file path |
| FCLI_POOL_NAME, FCLI_AGENCY_POOL_NAME | findy | findy | Ledger pool name |
| FCLI_AGENCY_HOST_ADDRESS | agency.example.com | localhost | Host address as seen from internet |
| FCLI_AGENCY_HOST_PORT | 80 | 8080 | Host port as seen from internet |
| FCLI_AGENCY_SERVER_PORT | 8080 | 8080 | Server port in local network |
| FCLI_AGENCY_PSM_DATABASE_FILE | /root/findy.bolt | /root/findy.bolt | PSM database file path |
| FCLI_AGENCY_REGISTER_FILE | /root/findy.json | /root/findy.json | Handshake register file path |
| FCLI_AGENCY_HOST_SCHEME | https | http | Scheme of the host's url address |
| FCLI_AGENCY_ENCLAVE_KEY | 0ADF..00DCAE | "" | Secure enclave key for wallet keys |
| FCLI_AGENCY_ENCLAVE_PATH | findy-enclave.bolt | ~/.indy_client/enclave.bolt | Secure enclave's filename |
| FCLI_AGENCY_GRPC | true | true | Whether to enable gRPC service or not |
| FCLI_AGENCY_GRPC_CERT_PATH | /cert | src/github.com/findy-network/findy-common-go/cert | File path to gRPC client and server certificates* |
| FCLI_AGENCY_GRPC_JWT_SECRET | randomstring | | JWT key for token validation |
| FCLI_AGENCY_GRPC_PORT | 50051 | 50051 | gRPC interface port |
| FCLI_AGENCY_ADMIN_ID | root039499 | findy-root | Agency API user ID used for authorization |
| FCLI_AGENCY_ENCLAVE_BACKUP | ~/backups/enclave.bolt.bak | "" | Full file name template for enclave backup file |
| FCLI_AGENCY_ENCLAVE_BACKUP_TIME | 04:00 | "" | Time of day when enclave backup is started |
| FCLI_AGENCY_WALLET_BACKUP | ~/wallet/backups | "" | Path for wallet backups |
| FCLI_AGENCY_WALLET_BACKUP_TIME | 05:00 | "" | Time of day when wallet backup is started |
| FCLI_AGENCY_REGISTER_BACKUP | ~/backups/findy.json.bak | "" | Full file name template for register backup file |
| FCLI_AGENCY_REGISTER_BACKUP_INTERVAL | 20m:30s | 12h | Time interval between backup starts |

*The cert path is the root folder. Both the server and the client certificates need to be in this folder, each in its own subfolder named accordingly: server and client.
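A pre-start check for the certificate folder layout described above. This is an added script, not part of findy-agent: it verifies that the root folder has non-empty server and client subfolders and that any private key in them is readable by its owner only. The assumption that private key files end in ".key" is ours; the page does not name the files inside the subfolders.

```shell
#!/bin/sh
# Added pre-start check (not part of findy-agent). Verifies the layout that
# FCLI_AGENCY_GRPC_CERT_PATH must have: <root>/server and <root>/client, each
# containing files. Key file naming (*.key) is an assumption.
check_grpc_cert_layout() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "cert root does not exist: $root" >&2
        return 1
    fi
    for sub in server client; do
        dir="$root/$sub"
        if [ ! -d "$dir" ]; then
            echo "missing subfolder: $dir" >&2
            return 1
        fi
        if [ -z "$(ls -A "$dir")" ]; then
            echo "subfolder is empty: $dir" >&2
            return 1
        fi
        # Private keys must be owner-only (0600 or 0400). Columns 5-10 of
        # "ls -l" hold the group and other permission bits.
        for key in "$dir"/*.key; do
            [ -e "$key" ] || continue
            if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
                echo "private key readable by group/others: $key" >&2
                return 1
            fi
        done
    done
    return 0
}

# Usage: sh check-certs.sh /cert
# Without an argument the value of FCLI_AGENCY_GRPC_CERT_PATH is used.
if [ $# -gt 0 ] || [ -n "$FCLI_AGENCY_GRPC_CERT_PATH" ]; then
    check_grpc_cert_layout "${1:-$FCLI_AGENCY_GRPC_CERT_PATH}"
fi
```

Run it in the container entrypoint before starting the agency so that a misplaced or world-readable key fails the deployment early instead of surfacing as a gRPC handshake error later.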

Configuration files

  • Steward wallet
  • Genesis transactions
  • gRPC client certificate + key (if TLS termination not handled by reverse proxy)
  • gRPC server certificate + key (if TLS termination not handled by reverse proxy)

Data storage (file system)

  • Handshake register (has backup capability): Text file (JSON) for onboarded agent ids
  • PSM database: Bolt db for protocol state machine data
  • Enclave (has backup capability): Bolt db for wallet key data
  • Indy wallets (has backup capability): SQLite db for wallet data
    • In backup recovery, the wallet must be imported into the system with an Indy SDK API call

findy-agent-auth (FIDO2)

Sources and more documentation in repository findy-agent-auth

Docker image registry in GitHub Packages.

Settings

| Flag | Example | Default | Description |
|---|---|---|---|
| --port | 8888 | | Port for auth service |
| --agency | localhost | | Agency gRPC service host |
| --gport | 50051 | 50051 | Agency gRPC service port |
| --domain | agency.example.com | | Site domain name |
| --origin | https://agency.example.com | | Request origin URL |
| --jwt-secret | randomstring | | JWT key for access token generation |
| -sec-file | fido-enclave.bolt | | sec enclave file name |
| -sec-key | 0A0834BF...DFEA | | sec enclave master encrypt key |
| -admin | findy-03029394 | findy-root | agency admin id |
| -cert-path | /cert | "" | gRPC cert root folder |
| -sec-backup-file | ~/backups/fido-enclave.bolt.bak | "" | Full file name template for enclave backup file |
| -sec-backup-interval | 12 | 24 | Time interval between backup checks |

Configuration files

  • gRPC client certificate + key
  • gRPC server certificate

Data storage (file system)

  • FIDO enclave: a key/value database encrypted with the enclave key, which must be provided to the app as a secret
    • Bolt db for user data
    • Uses the file system for data storage and backups as well
    • The DB is a single file

findy-agent-vault

Sources and more documentation in repository findy-agent-vault.

Docker image registry in GitHub Packages.

Settings

| Variable | Example | Default | Description |
|---|---|---|---|
| FAV_SERVER_PORT | 8085 | 8085 | Port for vault service |
| FAV_JWT_KEY | randomstring | | JWT key for access token validation |
| FAV_DB_HOST | xxx.rds.amazonaws.com | | Postgres db host address |
| FAV_DB_PORT | 5432 | 5432 | Postgres db port |
| FAV_DB_PASSWORD | db-password | | Postgres db password |
| FAV_AGENCY_HOST | localhost | localhost | Agency gRPC server host |
| FAV_AGENCY_PORT | 50051 | 50051 | Agency gRPC server port |
| FAV_AGENCY_GRPC_CERT_PATH | /cert | | Agency gRPC certificate path |

Configuration files

  • gRPC client certificate + key
  • gRPC server certificate

Data storage (postgres)

  • Database
    • Postgres (e.g. AWS RDS)
    • Note: Already on first start, the vault service expects that a database called vault exists in the db instance

findy-wallet-pwa

Sources and more documentation in repository findy-wallet-pwa

Settings (buildtime)

| Variable | Example | Default | Description |
|---|---|---|---|
| REACT_APP_GQL_HOST | agency.example.com | localhost:8085 | Agency vault service host address |
| REACT_APP_AUTH_HOST | agency.example.com | localhost:8088 | Agency auth service host address |
| REACT_APP_HTTP_SCHEME | https | http | HTTP URL scheme |
| REACT_APP_WS_SCHEME | wss | ws | Websocket URL scheme |