Configure the syndication server to create release candidates

If you are using Atomio as part of your deployment, it needs to be able to read the Authoring server in order to take release candidate snapshots.

That requires two things:

  1. Network access to the Authoring server’s syndication endpoint; if it is not accessible externally, Atomio must have an internal route to this endpoint
  2. Credentials with sufficient permission to read everything in the Authoring server’s syndication endpoint.

If communities and FHIR security labels are used, the credentials given to the syndication server must have access to read all those security labels. The simplest way to achieve this is to give the credentials configured into the syndication server, as described on this page, the PERM_READ realm role. This ensures the credentials can read all current and any future security labels without further configuration.

Network access is outside the scope of this documentation, and is an infrastructure design issue.

A cluster of environment variables is used to pass credentials to Atomio to fulfil point two above. These variables are joined with an arbitrary index identifier to tie them together, allowing multiple sets of credentials to be supplied for multiple different endpoints. These are as follows, where “x” is an arbitrary identifier to be replaced with an integer (starting from 0).

| Variable name | Description |
| --- | --- |
| atomio.security.client[x].url_prefix | Identifies the URL prefix where these configured credentials are to be used. Where Atomio needs to make a request of a URL beginning with this prefix, it will first get a token using the other variables with the same “x” value and include that token in the request as authorisation. |
| atomio.security.client[x].client_id | Client identifier to use when requesting a token to be used with requests matching the corresponding URL prefix. |
| atomio.security.client[x].client_secret | Client secret to use when requesting a token to be used with requests matching the corresponding URL prefix. |
| atomio.security.client[x].token_url | URL of the token issuing endpoint to use the “client_id” and “client_secret” with to get a token to authorise requests to URLs beginning with the “url_prefix”. |

Some configuration/deployment technologies may have problems naming variables. Atomio is a Spring Boot application, and as such supports Spring Boot’s relaxed binding rules to accommodate different technologies’ limitations. Please refer to Relaxed Binding for details on alternatives for punctuation characters in variable names.

Here is an example of some Docker Compose configuration:

environment:
  - atomio.security.client[0].url_prefix=https://authoring-server-1
  - atomio.security.client[0].client_id=client_cred_1
  - atomio.security.client[0].client_secret=5D483F4C-B14A-4621-B507-C965DE2A83E3
  - atomio.security.client[0].token_url=https://authorisation-server-1/auth/realms/some-realm/protocol/openid-connect/token
  - atomio.security.client[1].url_prefix=https://authoring-server-2
  - atomio.security.client[1].client_id=client_cred_2
  - atomio.security.client[1].client_secret=F0BE1DC5-7397-4726-97F5-463BDCBBBDB1
  - atomio.security.client[1].token_url=https://authorisation-server-2/auth/realms/some-other-realm/protocol/openid-connect/token

This configures Atomio to:

  • Request anything starting with https://authoring-server-1 using a token from https://authorisation-server-1/auth/realms/some-realm/protocol/openid-connect/token using the client client_cred_1 and client secret 5D483F4C-B14A-4621-B507-C965DE2A83E3, and;
  • Request anything starting with https://authoring-server-2 using a token from https://authorisation-server-2/auth/realms/some-other-realm/protocol/openid-connect/token using the client client_cred_2 and client secret F0BE1DC5-7397-4726-97F5-463BDCBBBDB1.

As many endpoints as necessary can be configured with different sets of credentials, although in typical deployments just the Authoring terminology server is all that is required.
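
A pre-deployment check for the credential sets described above, added here as an example (it is not Atomio's own code). It assumes the variable spellings shown in the table, not the relaxed-binding alternatives, and that URL matching is a plain "begins with" comparison; load_clients, check_clients and SAMPLE_ENV are hypothetical names and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Variable names exactly as listed on this page; relaxed-binding spellings are not handled.
VAR = re.compile(r"^atomio\.security\.client\[(\d+)\]\.(url_prefix|client_id|client_secret|token_url)$")
REQUIRED = {"url_prefix", "client_id", "client_secret", "token_url"}

def load_clients(env):
    """Group atomio.security.client[x].* variables by their index x."""
    clients = {}
    for name, value in env.items():
        m = VAR.match(name)
        if m:
            clients.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return clients

def check_clients(clients):
    """Return a sorted list of (index, problem) findings for the credential sets."""
    findings = []
    for idx, c in clients.items():
        for key in sorted(REQUIRED - set(c)):
            findings.append((idx, f"missing {key}"))
        for key in ("url_prefix", "token_url"):
            # The client secret and the token travel to these URLs.
            if key in c and urlsplit(c[key]).scheme != "https":
                findings.append((idx, f"{key} is not https"))
    # Assumption: matching is a plain "URL begins with prefix" test, so nested
    # prefixes make it ambiguous which credential set a request will use.
    for a, ca in clients.items():
        for b, cb in clients.items():
            pa, pb = ca.get("url_prefix"), cb.get("url_prefix")
            if a < b and pa and pb and (pa.startswith(pb) or pb.startswith(pa)):
                findings.append((a, f"url_prefix overlaps with client[{b}]"))
    return sorted(findings)

# Constructed sample environment (not from a real deployment).
SAMPLE_ENV = {
    "atomio.security.client[0].url_prefix": "https://authoring-server-1",
    "atomio.security.client[0].client_id": "client_cred_1",
    "atomio.security.client[0].client_secret": "placeholder-secret-1",
    "atomio.security.client[0].token_url": "https://authorisation-server-1/auth/realms/some-realm/protocol/openid-connect/token",
    "atomio.security.client[1].url_prefix": "https://authoring-server-10",
    "atomio.security.client[1].client_id": "client_cred_2",
    "atomio.security.client[1].token_url": "http://authorisation-server-2/auth/realms/some-other-realm/protocol/openid-connect/token",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    for idx, problem in check_clients(load_clients(SAMPLE_ENV)):
        print(f"client[{idx}]: {problem}")
```

Passing os.environ to load_clients runs the same checks against the environment a container would actually receive.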