Temenos Digital
R24 AMR

Origination and Assist Setup

  • To set up Origination Micro Apps, click here.
  • Receipt Microservice is discontinued from 2022.04 release. The document generation capability is now handled by Formpipe, a third-party tool, through Document Storage Microservice.

After the environment and database have been set up, the next step in the Temenos Digital setup process is to import and configure the Quantum Fabric app(s) pertaining to customer onboarding.

This document covers the following sections:

Prerequisites

The first step in Origination setup is to procure the following environments and third-party components that are required for Temenos Digital apps.

Environment Procurement

Make sure that you procure the following environments that are required for Temenos Digital Origination. See Software Requirements for more information.

Quantum Products

Quantum Products can be installed either via cloud instance or on-premise.

Microservices

Microservices support four different types of deployment: AWS, Azure, K8, and J2EE. However, K8 package is supported out-of-the-box with the Temenos Digital apps. The remaining variants require customization or implementation effort.

The minimum system requirement for on-prem installation is Standard E16ds v4 (16 vcpus, 256 GB memory).

Red Hat Process Automation Manager

Red Hat Process Automation Manager is an open source software used for BPM.

The deployment of PAM in JBOSS is performed for version 202204. Follow the same steps with the required file versions for other versions.

  1. Redhat Single Sign-On 7.5.0 Client Adapter for Jboss EAP 7

  2. EAP-7.3.6 Patch file

You can download and install the software based on your installation preference such as Windows, Linux, or Docker container.

The system requirement for installation is 32 GB machine with 16 GB maximum memory and 8 GB minimum memory for JBoss server. MySQL server must be allocated with 4 GB.

Transact (Core)

Transact Model bank (2023.01) with latest updates must be installed. To install Transact as on-prem, the device must have 32 GB RAM with a 50 GB disk space. Transact supports both on-premise and cloud installation.

Explainable Artificial Intelligence (XAI)

Temenos XAI product must be procured and deployed into the cloud. This is applicable for both on-prem and cloud deployments.

Journey Analytics

Journey Analytics (JA) is a cloud based solution where each client must procure an instance on the cloud server to track analytics. To procure an instance for an environment, tminstance ID (UUID) is to be provided which is set as Spotlight configuration. Contact distribution@temenos.com for instance creation.

Third Party Components Procurement

Customer must procure the service/software directly from the third-party vendors.

IDology

IDology is the out-of-the-box supported vendor by the Temenos Digital Origination solution. For procurement, follow these steps:

  • Fabric IP address must be whitelisted by IDology server.
  • IDology credentials and cloud server details must be procured from the vendor directly.

authID

authID is the out-of-the-box supported vendor by Temenos Digital Origination solution.

authID credentials and cloud server details must be procured from vendor directly.

Plaid

Plaid is the out-of-the-box supported vendor by Temenos Digital Onboarding solution. Plaid credentials and cloud server details must be procured from vendor directly.

Keycloak

Keycloak IDM is the out-of-the-box solution supported by Temenos Digital bank user facing apps such as Task Management, Spotlight, and Red Hat PAM. Keycloak can be installed as Docker container or manual installation on cloud.

Keycloak 16.1.0 version (Download link)

SMS Notifications

The SMS notifications feature requires a third-party license. Twilio account is the out-of-the-box supported version from Temenos Digital apps. Get the credentials and server details from the vendor directly.

Email Notifications

The Email notifications feature requires a third-party license. Get the email server and credentials details from the vendor directly.

Download Temenos Digital Artifacts 

To download the Temenos Digital Onboarding package, contact distribution@temenos.com.

Quantum Origination Artifacts and Dependencies

Refer to the table to determine the Quantum Fabric apps that must be set up in your system. The Quantum Fabric app file names are suffixed with a <<major_version>>.<<fix_version>> format for every release (for example, InfinityOrigination_Web_vvx.x.x.zip). The preferred approach is to get the latest 2023.01 version artifacts available with the Distribution team.

Quantum Fabric App File Description
  • AppReviewMA_UI-vx.x.x.zip
  • AuthenticationMA_UI-vx.x.x.zip
  • CommonsMA_Origination_UI-vx.x.x.zip
  • CustomerActionsMA_UI-vx.x.x.zip
  • DocumentMA_UI-vx.x.x.zip
  • EligibilityMA_UI-vx.x.x.zip
  • FundingMA_UI-vx.x.x.zip
  • IdentityInfoMA_UI-vx.x.x.zip
  • JourneyAnalyticsMA_UI-vx.x.x.zip
  • LandingMA_UI-vx.x.x.zip
  • Origination_UI-vx.x.x.zip
  • PartyDetailsMA_UI-vx.x.x.zip
  • ProductMA_UI-vx.x.x.zip
  • ResourcesMA_Origination_UI-vx.x.x.zip
Client application built on Quantum visualizer for Retail & SME Origination solution.
  • AppReview_API-vx.x.x.zip
  • CustomerActions_API-vx.x.x.zip
  • Document_API-vx.x.x.zip
  • Eligibility_API-vx.x.x.zip
  • Funding_API-vx.x.x.zip
  • IdentityInfo_API-vx.x.x.zip
  • InfinityThirdParty_API-vx.x.x.zip
  • JourneyAnalytics_API-vx.x.x.zip
  • Landing_API-vx.x.x.zip
  • Origination_API-vx.x.x.zip
  • OriginationCommons_API-vx.x.x.zip
  • OriginationIntegrations_API-vx.x.x.zip
  • PartyDetails_API-vx.x.x.zip
  • Product_API-vx.x.x.zip
  • Authentication_API-vx.x.x.zip
This contains Quantum Fabric apps required for Retail & SME Origination solution.
OnlineBanking_UI-vx.x.x.zip Composite Fabric app for online banking.
ConsentManagement_API-vx.x.x.zip Consent Micro App
ExternalUserManagement_API-vx.x.x.zip External User Management Micro App
Payments_API-vx.x.x.zip Payments Micro App
Arrangements_API-vx.x.x.zip Arrangements Micro App
Authentication_API-vx.x.x.zip Authentication Micro App
DbpEventManager_API-vx.x.x.zip Event engine app is mandatory for audit logging feature.
Spotlight_Web-vx.x.x.zip Spotlight for bank user administration.
Spotlight_App-vx.x.x.zip DBX DB and Spotlight services for configurations and master data.
InfinityAssist_Web_vx.x.x.zip Client application built on Quantum Visualizer for Temenos Digital Assist solution.
  • InfinityAssist_App_vx.x.x.zip
  • InfinityOrigination_Src_vx.x.x.zip
Quantum Fabric apps required for Temenos Digital Assist application.

Note: Preferred approach is to get the latest version artifacts available with Distribution.

Microservices Artifacts

The following table lists Helm Container zip packages. However, you can download the respective package (AWS, Azure, and K8 helm) based on your installation requirement. The preferred approach is to get the latest version artifacts available with the Distribution team.


Artifact Name Description
ms-arrangement-helm-sql-pack-vx.x.x.zip K8 Helm package for Arrangement microservice (optional based on business outcome).
ms-holdings-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Holdings microservice (optional based on business outcome).
ms-marketingcatalog-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Marketing catalog microservice (mandatory).
ms-party-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Party MS (optional based on business outcome).
ms-storage-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Origination Data Storage MS (mandatory).
ms-eventsstore-helm-sql-pack-vx.x.x.zip K8 Helm package for Events Store MS (mandatory).
ms-adapterservice-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Adapter MS (mandatory).
ms-genericconfig-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Generic Config MS (mandatory).
ms-duediligence-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Due Diligence MS (optional).
ms-document-helm-sql-pack-vx.x.x.zip K8 Helm package for Document MS (mandatory).
ms-entitlement-helm-<<dbname>>-pack-vx.x.x.zip K8 Helm package for Entitlement MS (mandatory).
ms-consent-helm-sql-pack-vx.x.x.zip K8 Helm package for Consent MS (mandatory).

Red Hat Artifacts

The preferred approach is to get the latest version artifacts available with the Distribution team.

Artifact Name Description
  • Infinity Origination_PAM_vx.x.x.zip
  • Infinity Origination_PAM_Source_vx.x.x.zip
This package contains both development source and artifacts that can be deployed for Red Hat PAM on Onboarding user journeys.
  • Infinity Assist_PAM_vvx.x.x.zip
  • InfinityAssist_PAM_Source_vx.x.x.zip
This package contains both development source and artifacts that can be deployed for Red Hat PAM on Lending user journeys.

Temenos Transact Artifacts

Contact distribution@temenos.com for installation.

  • AA (Arrangement Architecture), AL (Arrangement Loans), FL, LI, CO, AD (Arrangement Deposits), AC (Accounts), AR, ST (System Tables), EB (System Core), ES, PI, and PP - These are the modules required for Temenos Digital Origination.
  • irf-provider-container is an IRIS war file that must be available and deployed in the Transact JBoss server.

Deployment and Configuration

Quantum Artifacts

The following ways are available for deploying Temenos Digital artifacts:

  • Auto installer script
  • Manual installation

Temenos Digital Apps Auto Installer

To prepare a Temenos Digital environment with all the Temenos Digital Quantum apps, contact distribution@temenos.com for the auto-installer script and then execute the script. This script auto-installs all the Fabric and client apps of Temenos Digital Quantum products. Document reference: Documentation is part of the installer script itself.

Manual Deployment

The manual installation procedure includes the process of importing, configuring, and publishing the Quantum Fabric apps. For manual deployment of Quantum artifacts, click here.

Fabric Runtime Configuration

Runtime configuration will be generated automatically during automatic installation or docker based installation.

Quantum Fabric App File Field Value Description
AC_APP_ID_ONBOARDING Origination Client app configuration for Origination.
AC_APPID_TO_APP_MAPPING Client app configuration for Spotlight and Temenos Digital Origination.
AC_INTERNAL_API_ACCESS_TOKEN Valid token This field contains the same token value present in DBP_AC_ACCESS_TOKEN.
DBX_ENROLL_LINK https://{DBX_HOST_URL}/apps/OnlineBanking/#_frmEnrollNow Enrollment link for Online Banking.
DBX_LOGIN_LINK https://{baseURL}/apps/OnlineBanking/#_frmEnrollNow Login link for Online Banking.
IOB_AC_BASE_IDENTITY_URL https://{FabricAccountId}.auth.konycloud.com Base URL of Fabric Identity URL.
IOB_APP_KEY Origination Integration app key App key of Origination Fabric App.
IOB_APP_SECRET Origination Integration app secret App secret of Origination Fabric App.
IOB_HOST_URL https://{DBX_HOST_URL}:443 Host URL of Fabric.
THIRDPARTY_HOSTFABRIC_URL https://{DBX_HOST_URL}:443 Host URL of Fabric.
C360_HOSTFABRIC_URL https://{DBX_HOST_URL}:443 Host URL of Fabric.
IS_CACHE_REQUIRED false API cache Value.
DBX_HOSTFABRIC_URL https://{DBX_HOST_URL}:443 Host URL of Fabric.
AC_LOGIN_URL ${DBX_HOST_URL}/apps/Spotlight/#_frmLogin Login URL of Spotlight.
DBP_ONLINEBANKING_URL ${DBX_HOST_URL}/apps/Onlinebanking/#_frmDashboard Login URL of Online Banking.
SSO_CONFIG true To enable Single Sign-on user authentication for apps with same identity service.
IOB_API_ACCESS_TOKEN Generated value from utility based on ENCRYPTION_KEY For fetching access token for hitting Origination Services.
AC_INFINITY_ASSIST_URL {{DBX_HOST_URL}}/apps/InfinityAssist For fetching access token for hitting Origination Services.
CORPLOS_APP_KEY Fabric application key Valid app key
CORPLOS_APP_SECRET Fabric application secret Valid app secret
CORPORATE_LOGIN_TYPE Keycloak Provider name
IOB_DEFAULT_BRANCH_REFERENCE GB0010001 Default branch value.
SHOW_T24_COLLATERALS TRUE Collateral for Temenos Digital Assist app.
CACHE_ENABLED TRUE Caching the dashboard listing records.
CACHE_REFRESH_DURATION 120 Maximum expiry time for cached data.
ORIGINATION_TNC_MAPPING {"Origination":"ORIGINATION"} Terms and conditions
REFERENCE_DATA_CACHE_REFRESH_DURATION 600 Cache limit
MAX_RECENT_ACTIVITY_TASKS 50 Recent task count
ARRANGEMENTS_APP_KEY Arrangements Micro App valid key. Arrangements Micro App valid key.
ARRANGEMENTS_APP_SECRET Arrangements Micro App valid secret. Arrangements Micro App valid secret.
EUM_APP_KEY External user management Micro App valid key. External user management Micro App valid key.
EUM_APP_SECRET External user management Micro App valid secret. External user management Micro App valid secret.
INTEGRATION_NAME party Party template
PAYMENTS_APP_KEY Payments Micro App valid key. Payments Micro App valid key.
PAYMENTS_APP_SECRET Payments Micro App valid secret. Payments Micro App valid secret.
IOB_KEYCLOAK_SPOTLIGHT_CLIENT_ID Client ID of Spotlight from Keycloak. Client ID of Spotlight from Keycloak.
DBP_ONBOARDING_URL {{DBX_HOST_URL}}/apps/Origination Valid Origination app URL.
CASHFLOW_XAI_URL Valid XAI Url valid XAI url

Client App Properties

Quantum Fabric App File Field Value Description
AC_INFINITY_ASSIST_URL {{DBX_HOST_URL}}/apps/InfinityAssist For fetching access token for hitting Origination Services.
DBP_ONBOARDING_URL {{DBX_HOST_URL}}/apps/Origination Valid Origination app URL.
DBP_ONLINEBANKING_URL {{DBX_HOST_URL}}/apps/OnlineBanking Valid OLB app URL.
GOOGLE_MAPS_API_KEY Valid key Valid Key for Google account.
CORPORATE_IDLE_TIMEOUT 45 Valid number for idle time out scenario.
RETAIL_CUSTOMER_ACTION_RESTRICTED_ON_STAGES [] Bank specific configuration. Default will be blank.
RETAIL_CUSTOMER_ACTION_RESTRICTED_ON_TASKS [] Bank specific configuration. Default will be blank.
RETAIL_CUSTOMER_ACTION_NAVCONFIG {"HomeAddress":{"overview":"Entity Overview","summary":"Addresses"},"LendingDisbursementDetails":{"overview":"Facility Overview","summary":"Settlement"},"DisbursementDetails":{"overview":"Facility Overview","summary":"Settlement"},"AccountDetails":{"overview":"Facility Overview","summary":"Settlement"},"RepaymentAccountDetails":{"overview":"Facility Overview","summary":"Settlement"}} Temenos Digital Assist navigation
SME_CUSTOMER_ACTION_RESTRICTED_ON_STAGES [] Bank specific configuration. Default will be blank.
SME_CUSTOMER_ACTION_RESTRICTED_ON_TASKS [] Bank specific configuration. Default will be blank.
SME_CUSTOMER_ACTION_NAVCONFIG {"Address":{"overview":"Entity Overview","summary":"Addresses"},"LendingDisbursementDetails":{"overview":"Facility Overview","summary":"Settlement"}} Temenos Digital Assist SME specific navigation.
SSO_CONFIG true Static value

Third-party Artifacts

IDology

As described in the procurement section, IDology vendor must whitelist the Fabric instance IP address in their server as a prerequisite. The Fabric runtime configuration required for IDology are:

Field Name Field Value Description
KYC_IDOLOGY_PASSWORD Valid password IDology profile Password.
KYC_IDOLOGY_USER Valid user IDology profile user name.
IDV_IDOLOGY_CAPTURE_EMAIL false Email notification
IDV_IDOLOGY_CAPTURE_IP false IP address notification.
IDV_IDOLOGY_CAPTURE_PHONE false Phone number
IDV_IDOLOGY_PASSWORD Valid password IDology server password.
IDV_IDOLOGY_USER Valid user IDology server user name.
IDV_MOCK_FLAG false Mock value used to skip IDology verification.
IDV_SSN_LENGTH LAST4 SSN validation length for IDology.

Auth ID

As explained in the procurement section, valid Auth ID server details must be procured from the vendor. The Fabric runtime configuration required for Auth ID are:

Field Name Field Value Description
AUTHID_BASE_URL Valid endpoint (https://idlok.ipsidy.net/) End point for Auth ID server.
AUTHID_BASIC_AUTH Basic YXJjaGFuYW1oQHRlbWVub3MuY29tOlRlbWVub3NAMTIzNA== Basic Auth user for Auth ID.
AUTHID_DOC_DETAIL_URL https://idlok.ipsidy.net/IDCompleteBackendEngine/Default/AdministrationServiceRest Auth ID document detail URL.
AUTHID_DOC_URL https://idlok.ipsidy.net/IDCompleteBackendEngine Auth ID document URL.
AUTHID_DATA Client property
AUTHID_URL Valid endpoint (https://id.ipsidy.net/) Endpoint for Auth ID server.

Twilio

Under the Engagement services section, navigate to the SMS configuration tab. Under Configurations, provide the SMS vendor details for activating SMS notifications.

Field Name Field Value Description
Provider Twilio Vendor name
Account SID Valid account id Account ID of Twilio.
Auth Token Valid token Authorization token of Twilio account.
From Valid phone number Twilio phone number.
Host URL Valid base URL for Twilio Host server of Twilio.
Header Content type application/x-www-form-urlencoded Static header value.
Maximum Character Limit 600 Maximum character limit for SMS.

Microsoft Exchange

Under the Engagement services section, navigate to the E-mail configurations tab. Under Configurations, provide the e-mail vendor details.

Field Name Field Value Description
Protocol SMTP Exchange server protocol name.
Host name valid host name Valid exchange server host URL.
Port Valid port Port number for server.
Default Sender Id Valid email address Default sender mail address of Microsoft Exchange.
Security Mode TLS Security type of xls server.
Username Valid Username Username of the Exchange server.
Password Valid Password Password for the exchange server.

Google

Google credentials are mentioned in the Fabric runtime configuration.

Field Name Field Value Description
GOOGLE_MAPS_API_KEY Valid API key from google API key for Google account.
GOOGLE_MAPS_RADIUS 100000 Radius circulation of Google Map.
AC_MAPS_SERVICES_URL https://maps.googleapis.com/maps/api/place Google API URL.

Microservices Artifacts

Microservices Deployment

For the deployment details about all the microservices, click here.

The microservices involved in the Origination setup can be categorized as follows:

  • Mandatory microservices for Origination (applicable for both microservice and direct integration business outcome)
    • Marketing Catalog
    • Origination Data Storage
    • Document
    • Consent
    • Entitlements
    • Origination Processing
    • Event Store
    • Adapter
    • Generic Config
    • Customer Due Diligence (CDD)
  • Optional microservices (applicable only for microservices based environment set up)
    • Party
    • Arrangements
    • Holdings

Data Ingestion

The data must be synchronized from Transact core via Transact DES ingestion.

Fabric Runtime Configuration for Microservices

The Fabric runtime configuration required for the microservices are:

Field Name Field Value Description
PARTY_HOST_URL ${MS_BASE_URL}:8000/ms-party-api/api Party Microservice end point.
PARTY_AUTH_TOKEN Valid JWT token JWT authorization token.
MARKETING_CATALOG_URL ${MS_BASE_URL}:8002/ms-marketingcatalog-api/api Marketing Catalog Microservice end point.
MS_PRODUCT_MANAGEMENT ${MS_BASE_URL}:8002/ms-marketingcatalog-api/api Marketing Catalog Microservice end point.
ARRANGEMENTS_HOST_URL ${MS_BASE_URL}:8300/ms-arrangement-api/api Arrangements Microservice end point.
HOLDINGS_HOST_URL ${MS_BASE_URL}:8302/ms-holdings-api Holdings Microservice end point.
HOLDINGS_PRIVATE_ENCRYPTION_KEY Valid key Holdings Microservice key.
HOLDINGS_ROLE_ID ADMIN Role ID
ONBOARDING_DATASTORAGE_MS_BASE_URL ${MS_BASE_URL}:8010/ms-storage-api/api/v0.9.0/origination Origination Data Storage MS end point.
ONBOARDING_ENTITY_DEFINTION onboarding Entity definition name for storing Retail.
SME_ONBOARDING_ENTITY_DEFINTION SMEOnboarding Entity definition name for storing SME.
LEAD_ENTITY_DEFINITION lead Entity definition name for storing lead.
DUE_DILIGENCE_URL ${MS_BASE_URL}:8004/ms-duediligence-api/api Customer Due Diligence Microservice URL.
DUE_DILIGENCE_MS_BASE_URL ${MS_BASE_URL}:8004/ms-duediligence-api/api Customer Due Diligence Microservice URL.
ENTITLEMENT_MS_BASE_URL ${MS_BASE_URL}:7002/ms-entitlement-api/api/v1.0.0 Entitlements MS URL
ENTITLEMENT_DEPLOYMENT_PLATFORM docker Possible values are azure, aws or docker.
ENTITLEMENT_AUTHORIZATION_KEY key Valid key for Azure or AWS.
ENTITLEMENT_ADMIN_USER_ID 987654321 System based User ID.
DMS_ENTITLEMENT_INTEGRATION_ENABLED TRUE Entitlement enablement for Document Storage MS.
MCMS_DEPLOYMENT_PLATFORM docker Possible values are azure, aws or docker.
MCMS_AUTHORIZATION_KEY key Valid key for Azure or AWS.
MS_T24_AUTH_TOKEN_VALIDITY 3600000 MS transact authorization token.
MS_AUTH_TYPE fabric Auth Type for MS provider.
DUE_DILIGENCE_DEPLOYMENT_PLATFORM docker Possible values are azure, aws or docker.
DUE_DILIGENCE_AUTHORIZATION_KEY key Valid key for Azure or AWS.
ODMS_DEPLOYMENT_PLATFORM docker Possible values are azure, aws or docker.
ODMS_AUTHORIZATION_KEY key Valid key for Azure or AWS.
CONFIG_TASK_HOST_URL ${MS_BASE_URL}:7006/ms-genericconfig-api Valid URL for configuration MS.
GENERIC_CONFIG_HOST_URL ${MS_BASE_URL}:7006/ms-genericconfig-api/api/v1.0.0 Valid URL for configuration MS.
CONFIGMS_DEPLOYMENT_PLATFORM docker Possible values are azure, aws or docker.
CONFIGMS_AUTHORIZATION_KEY key Valid key for Azure or AWS.
MAX_DOCUMENT_UPLOAD_COUNT 20 Maximum number of documents that can be uploaded for an application.
DOCUMENT_MS_BASE_URL http://localhost:8006/ms-document-api/api/v1.0.0 Document MS base URL.
CORPORATE_LOS_MS_BASE_URL ${MS_BASE_URL}:8650/ms-corporatelos-api/api/v1.0.0 URL for Origination Processing (previously LOS MS).
CORPORATE_LOSMS_AUTHORIZATION_KEY aws or azure or docker Deployment stack type.
CORPORATE_LOSMS_DEPLOYMENT_PLATFORM Valid API key Valid API key.
ORE_DB_PWD DB password Valid password for database.
ORE_DB_URL DB URL Valid URL for database.
ORE_DB_USER DB username Valid Username for database.
CORPORATE_LOS_DOCUMENT_MS_HEADER_OWNER_SYSTEM_ID corporate-los Valid Owner System ID.
ONBOARDING_DMS_ASSIST_OWNER_SYSTEM_ID corporate-los Valid Owner System ID for assist.
ONBOARDING_DMS_SME_OWNER_SYSTEM_ID sme Valid Owner System ID for SME journeys.
ONBOARDING_DMS_OWNER_SYSTEM_ID retail Valid Owner System ID for retail journeys.
ONBOARDING_DMS_RETAIL_OWNER_SYSTEM_ID retail Owner System ID for Retail journeys.
ONBOARDING_DMS_PARTY_OWNER_SYSTEM_ID party Owner System ID for Entity sections.
ONBOARDING_DMS_ASSIST_HEADER_DOCUMENT_GROUP journey-assist Owner system ID for Assist app.
CORPORATE_LOS_DOCUMENT_MS_HEADER_ROLE_ID OWNER Owner Role
CORPORATE_LOS_DOCUMENT_MS_HEADER_USER_ID corpuser User ID for Loan Origination Service (LOS).
CORPORATE_LOS_DOCUMENT_MS_HEADER_CHANNEL_ID 0 Channel ID for Document MS.
CORPORATE_REFERENCE_DATA_URL ${MS_BASE_URL}:86500/ms-corporatelos-api/api/v1.0.0 URL for Loan Origination Service (LOS).
CORPORATE_LOS_DOCUMENT_MS_HEADER_DOCUMENT_GROUP journey-corporate-los Corporate journey
ENTITLEMENT_ADMIN_USER_ID Valid user ID Valid user ID which is created during design time.
SME_ONBOARDING_DMS_OWNER_SYSTEM_ID sme Valid owner system ID of SME.
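
A pre-go-live check over the runtime configuration tables above, as an added example that is not part of the Temenos artifacts. It assumes the configuration is available as a key/value mapping (the export format is not described on this page); the sample mapping is constructed from values shown in the tables, except IDV_MOCK_FLAG, which is set to true here to show the finding.

```python
import re

# Key suffixes that normally hold a secret in the tables above.
SECRET_SUFFIXES = ("_KEY", "_SECRET", "_PASSWORD", "_PWD", "_TOKEN")
# A port is the digit run after ":" that ends the value or precedes "/".
PORT_RE = re.compile(r":(\d+)(?=/|$)")


def lint_runtime_config(config):
    """Return sorted (key, finding) pairs for values that need review."""
    findings = []
    for key, raw in config.items():
        value = raw.strip()
        lowered = value.lower()
        # Service URL without TLS (also catches localhost values left over
        # from a single-host install).
        if lowered.startswith("http://"):
            findings.append((key, "cleartext-http"))
        # Port outside the valid TCP range, usually a typing error.
        match = PORT_RE.search(value)
        if match and not 1 <= int(match.group(1)) <= 65535:
            findings.append((key, "invalid-port"))
        # Secret still holding the documentation text ("key", "Valid key").
        if key.endswith(SECRET_SUFFIXES) and (
            value == "" or lowered == "key" or lowered.startswith("valid ")
        ):
            findings.append((key, "placeholder-secret"))
        # The IDology table describes this flag as skipping verification.
        if key == "IDV_MOCK_FLAG" and lowered == "true":
            findings.append((key, "verification-bypassed"))
    return sorted(findings)


# Constructed sample; values copied from the tables unless noted.
SAMPLE_CONFIG = {
    "DOCUMENT_MS_BASE_URL": "http://localhost:8006/ms-document-api/api/v1.0.0",
    "CORPORATE_LOS_MS_BASE_URL": "${MS_BASE_URL}:8650/ms-corporatelos-api/api/v1.0.0",
    "CORPORATE_REFERENCE_DATA_URL": "${MS_BASE_URL}:86500/ms-corporatelos-api/api/v1.0.0",
    "IOB_HOST_URL": "https://{DBX_HOST_URL}:443",
    "ODMS_AUTHORIZATION_KEY": "key",
    "IDV_MOCK_FLAG": "true",  # constructed: the table shows false
}

if __name__ == "__main__":
    for key, finding in lint_runtime_config(SAMPLE_CONFIG):
        print(f"{finding:22} {key}")
```
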

Data Storage Entity Definition Deployment

Prerequisite

Data Storage Microservice must be up and running.

Steps for Data Storage Definition Deployment
  1. Copy the content of the entity definition from the path Origination_App-vx.x.x.zip\Origination_App-vx.x.x\Fabric\Origination_Src_vx.x.x.zip\OnboardingServer\Resources\Storage\StorageMS_Events.postman_collection.json.
  2. Import the Postman collection into Postman or any other API execution tool.
  3. Configure the {{baseuri}} with the Storage MS base URL as shown in the example: http://localhost:8010/ms-storage-api/api/v0.9.0/origination.
  4. If it is a SaaS environment, then take the valid API code from Azure portal and pass that in the params by replacing the “code”.
  5. After successful creation of entity definition, success response is returned in status field attribute in Response tab of Postman.
  6. Repeat the above steps for SME and Lead entity definition APIs as well.
    1. LeadEntityDefinition (available in the Postman location)
    2. SMEEntityDefinition (available in the Postman location)

Event Store, Adapter and Generic Config MS Configuration

Refer to Microservices documentation.

Generic Config MS API Execution

Prerequisite: Generic Configuration MS must be deployed and running in the hosted environment.

Steps for Configuration: The following configuration classification is maintained in Generic Config MS:

  • Events configurations for standard origination journeys and Salesforce origination journeys
  • i18n configurations for language translation
  • Document Microservice security policies
  • GDPR erasure events
Events Configuration
  • For Origination event journeys, configure APPLICATION_SUBMITTED, FUNDING_REQUEST_RAISED, DIGITAL_PROFILE_ID_LINKED, LENDING_APPLICATION_SUBMITTED and serviceRequestCreated.
  • For Salesforce origination event journeys, configure CREATE_OPPORTUNITY, ENTITY_ITEM_UPDATED_ProductSelection, APPLICATION_COMPLETED, APPLICATION_PURGED, APPLICATION_WITHDRAWN, DIGITAL_PROFILE_ID_LINKED_COAPPLICANT, ENTITY_ITEM_CREATED_Address, UPDATE_COAPPLICANT_OPPORTUNITY, facilityApprovalStatusUpdated, facilityCompleted, and multicast APPLICATION_SUBMITTED.

Note that origination event journeys are also required for Salesforce with multicasting of Salesforce end points along with standard end points.

i18n Configuration

Execute the following reference bundles in Generic Config MS.

  • I18nReferenceBundle

  • InfinityAssistReferenceBundle, OPMSReferenceBundle, and PartyMSReferenceBundle.

Document MS Security Policies

Root Policy, Document owner Policy, Document viewer, and DocumentSystemAdmin Policy.

GDPR Event Journeys

Document Erasure

API Payload Configuration for Events (Origination and Salesforce)
  1. Download the Postman collection, GenericConfigMS_Events.postman_collection.json from the Origination_App-vx.x.x.zip\Origination_App-vx.x.x\Fabric\Origination_Src_vx.x.x.zip\OnboardingServer\Resources\GenericConfig download location, and import into Postman or any other API tool.
  2. Base64-decode the value of the above-mentioned data key (Line no 6) to get the following properties.
  3. Then Base64-decode the value of TestApplicationContext to get the following XML.
  4. Change the Authorization header according to the OriginationIntegrations Micro App’s app key and app secret.
    • It must be mapped with <primary app key>:<primary app secret> of OriginationIntegrations Fabric application.
    • The mapping must then be encoded with padding as Base 64 (Line no 23 in XML in point 3).
    • The final value must be the word Basic followed by a space and the encoded value of the above.
  5. Add the relevant Fabric end point in the above-mentioned toD uri value (Line no 27 in XML in point 3).
    • ServiceName/Operation for Red Hat PAM events: OrigIntegrationsJavaServices/FilterEventsForPAMOperation
    • ServiceName/Operation for Salesforce events: OrigIntegrationsJavaServices/SalesforceEventRouter (applicable only for Salesforce integrated environments)
    • ServiceName/Operation for Entitlement MS: OrigIntegrationsJavaServices/AddEntitlementsOperation
  6. If an event must be routed to multiple end points, use the multicast tag as specified in the above Camel XML (Line no 25) and specify the end points to which event needs to be routed. (Line nos 26 and 27)
  7. If an event must be routed to a single endpoint, remove the multicast tag (Line no 25 and Line no 28) and specify only the relevant end points.
  8. Then, encode the XML back to base 64 to obtain properties using "Base 64 encode with padding".
  9. Encode the properties file again to base 64 and add in the data key using "Base 64 encode with padding".
  10. Copy and paste the encoded into the request payload in the data tag.
  11. The API URL for events:
    • baseuri - Generic Config host URL
    • params - API code for SaaS environments
  12. Execute all the events related to the API by following the steps explained above.
  13. i18n Configurations: Run the API payloads for the i18n configuration located in the Postman collection of the respective Fabric apps, Origination and Temenos Digital Assist. Two configurations must be executed:
    • Origination
      • I18N_CONFIGURATION_VALUES (This is part of postman collection located in “Origination_App-vx.xx.zip\Origination_App-v20207.xx\Fabric\Origination_Src_vx.xx.zip\OnboardingServer\Resources\GenericConfig\GenericConfigMS_Events.postman_collection.json”)
    • Assist 
      • InfinityAssistReferenceBundle, OPMSReferenceBundle, and PartyMSReferenceBundle (This is part of postman collection located in “InfinityAssist_App-vx.xx.zip\InfinityAssist_App-vx.xx\Fabric\InfinityAssist_Src_vx.xx.zip\InfinityAssist\Resources\GenericConfig\GenericConfig_apis.postman_collection.json”)
    • The API URL for i18n configurations:
      • baseuri - generic config microservice host url
      • code - If it is an Azure SaaS environment, provide the valid API code, which can be found in the Azure portal. If it is an on-prem environment, you do not need to specify this attribute.
      • The payload does not need to be changed and can be run as is. A successful response with http status "200" is expected to complete this configuration.
  14. Document Microservice security policies: As part of the installation, create the policy file configurations in Generic Config MS for Document MS functionality with the APIs available in the following path: Origination_App-vx.xx.zip\Origination_App-vx.xx\Fabric\Origination_Src_vx.xx.zip\OnboardingServer\Resources\GenericConfig\GenericConfigMS_Events.postman_collection.json.
    • Using Postman, execute the list of APIs by setting base URL to Generic Config Microservice.
    • APIs to be executed: Root Policy, Document owner Policy, Document viewer, and DocumentSystemAdmin Policy.
    • API URL changes
      • {{baseuri}}/api/v1.0.0/system/configurationGroups/I18N.CONFIGURATION/configuration/I18nReferenceBundle
      • baseuri - Generic Config Microservice host URL
      • code - If it is Azure SaaS environment, pass the valid API code which can be found in Azure portal. If it is on-prem, no need to pass this attribute.
    • No need to modify the payload and it can be executed as-is and success response of http status “200” is expected to complete this configuration.
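
Steps 2 to 9 of the events procedure, as an added example that is not part of the Temenos artifacts: it unwraps the doubly Base64-encoded data value, sets the Authorization header and the toD end points, and wraps it again with padding. The properties and XML referred to in steps 2 and 3 are not reproduced on this page, so the sample payload, the key=value layout, the setHeader shape, the fabric.example.invalid host and /services/ path, and the https-only check are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

CONTEXT_KEY = "TestApplicationContext"  # property named in step 3


def b64d(text):
    # validate=True rejects stray characters; bad padding raises an error
    return base64.b64decode(text.strip(), validate=True).decode("utf-8")


def b64e(text):
    # standard alphabet, always "=" padded ("Base 64 encode with padding")
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def parse_properties(text):
    # Assumption: plain key=value lines. Split on the first "=" only,
    # because a Base64 value may itself end in "=" padding.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without any XML namespace


def set_endpoints(route, endpoints):
    # Steps 5 to 7: one end point becomes a bare toD, several are wrapped
    # in multicast. The new element takes the place of the old one.
    old = [c for c in list(route) if local(c.tag) in ("multicast", "toD")]
    if not old:
        raise ValueError("route has no toD or multicast element to replace")
    position = list(route).index(old[0])
    ns = route.tag[: route.tag.index("}") + 1] if route.tag.startswith("{") else ""
    for child in old:
        route.remove(child)
    targets = [ET.Element(ns + "toD", {"uri": uri}) for uri in endpoints]
    if len(targets) == 1:
        route.insert(position, targets[0])
    else:
        multicast = ET.Element(ns + "multicast")
        multicast.extend(targets)
        route.insert(position, multicast)


def rewrite_event_payload(data_b64, app_key, app_secret, endpoints):
    # Added check, not from the procedure: refuse non-TLS end points,
    # since the request carries the app key and secret.
    if not endpoints or any(not u.startswith("https://") for u in endpoints):
        raise ValueError("every end point must be an https:// URL")
    props = parse_properties(b64d(data_b64))                 # step 2
    root = ET.fromstring(b64d(props[CONTEXT_KEY]))           # step 3
    basic = "Basic " + b64e(f"{app_key}:{app_secret}")       # step 4
    for el in root.iter():
        names = (el.get("name"), el.get("headerName"))
        if local(el.tag) == "setHeader" and "Authorization" in names:
            for child in el:
                child.text = basic
    for route in [e for e in root.iter() if local(e.tag) == "route"]:
        set_endpoints(route, endpoints)
    props[CONTEXT_KEY] = b64e(ET.tostring(root, encoding="unicode"))  # step 8
    return b64e("".join(f"{k}={v}\n" for k, v in props.items()))      # step 9


def basic_credentials(header_value):
    # Base64 is an encoding, not encryption: anyone who can read the stored
    # configuration recovers the app key and secret exactly like this.
    scheme, _, token = header_value.partition(" ")
    user, _, secret = b64d(token).partition(":")
    return scheme, user, secret


# Constructed sample standing in for the data value of one event.
SAMPLE_XML = (
    '<routes><route id="APPLICATION_SUBMITTED"><from uri="direct:event"/>'
    '<setHeader name="Authorization"><constant>Basic placeholder</constant>'
    '</setHeader><multicast><toD uri="https://old.example.invalid/a"/>'
    '<toD uri="https://old.example.invalid/b"/></multicast></route></routes>'
)
SAMPLE_DATA = b64e(
    "constructed.other.property=kept\n" + CONTEXT_KEY + "=" + b64e(SAMPLE_XML) + "\n"
)

if __name__ == "__main__":
    base = "https://fabric.example.invalid/services/OrigIntegrationsJavaServices/"
    new_data = rewrite_event_payload(
        SAMPLE_DATA, "constructed-app-key", "constructed-app-secret",
        [base + "FilterEventsForPAMOperation"],
    )
    print(new_data)  # value to paste into the data tag (step 10)
```

Because the Authorization value is only encoded, restrict read access to the Generic Config MS and to any saved copy of the edited collection as you would for the app secret itself.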

Entitlement Microservice System User Configuration

After the deployment of Entitlements Microservice, follow these steps:

  1. At the design time, create an entitlement user record with the APIs available in the following path: Origination_App-vx.zip\Origination_App-vx\Fabric\Origination_Src_vx.zip\OnboardingServer\Resources\Entitlements\Entitlements.postman_collection.json
  2. Using Postman or any other API tool, execute the APIs by setting base URL to Entitlements Microservice.
  3. API URL changes
    • {{baseuri}}/system/entitlements/users/987654321?code={{code}}
    • baseuri - Entitlements Microservice host URL
    • code - If it is an Azure SaaS environment, pass the valid API code, which can be found in the Azure portal. If it is on-prem, there is no need to pass this attribute.
  4. The payload does not need to be modified and can be executed as-is. A success response with HTTP status “200” is expected to complete this configuration.

Install Data on Marketing Catalog Microservice

Prerequisite: Data ingestion step must be completed before updating the data in Marketing Catalog MS.

The Marketing Catalog MS supports data ingestion for both Transact and Non-Transact core systems. Follow the steps for installation on top of Marketing Catalog MS deployment. As part of the installation, a few APIs must be executed for the Origination apps to display the products.

Non-Transact Clients

  1. As part of Origination artifacts, download the Marketing Catalog demo postman collection from the following location: Origination_App-vxxx.zip\Origination_App-vxxx\Fabric\Origination_Src_vxxx.zip\OnboardingServer\Resources\MarketingCatalog\Marketing Catalog - Demo data.postman_collection.json
  2. Import the downloaded collection into the Postman tool.
  3. Configure the Marketing Catalog MS URL in the Server property.
  4. Execute the APIs into the system.

The environment variables to be set are "baseuri" and "Authorization". Ignore the other products since those are required for Transact customers.

Transact Clients

For Transact customers, data ingestion is mandatory. After the data ingestion is completed, additional configurations must be added to the products which are maintained as Postman scripts.

  1. As part of Origination artifacts, download the Marketing Catalog demo Postman collection from the following location: Origination_App-vxxx.zip\Origination_App-vxxx\Fabric\Origination_Src_vxxx.zip\OnboardingServer\Resources\MarketingCatalog\Marketing Catalog - Demo data.postman_collection.json
  2. Import the downloaded collection into the Postman tool.
  3. Configure the Marketing Catalog MS URL in the Server property and execute all APIs into the system.
  4. Execute all product scripts except Credit Cards script into the system.

    Journey based script execution for different products:
    • Onboarding journey - Savings, Current and Deposits products (Origination application)
    • Lending journey - Personal Loans and Overdraft products (Origination application)
    • Mortgage journey - Mortgage products (Origination and Temenos Digital Assist applications)
    • Corporate journey - Corporate products (Temenos Digital Assist)
    • BSG Products - Only for Internal Model Bank Transact systems (Origination application)
    • SME Onboarding journey - Current Accounts Products (Origination application)
    • SME Lending journey - Business Loans and Overdraft Products (Origination application)

Corporate Products

For Corporate onboarding journey, after importing the Postman collection and mapping the Marketing Catalog URL in the server property, execute all the scripts to make the corporate products available in the client environment. This execution is required for a Non-Transact customer. For Transact customers, these products come via data ingestion from Transact.

  1. Download the Marketing Catalog demo Postman collection from the following location: InfinityAssist_App-vx.x.x.zip\InfinityAssist_App-vx.x.x\Fabric\InfinityAssist_Src_vx.x.x.zip\InfinityAssist\Resources\MarketingCatalog\MCMS_apis.postman_collection.json
  2. Import the downloaded collection into the Postman tool.
  3. Configure the Marketing Catalog MS URL in the Server property.
  4. Execute all APIs listed in the Postman collection into the system.

Red Hat Deployment

From 2022.04, we no longer support Red Hat PAM on OpenShift Container Platform (OCP) environments.

To install Red Hat PAM, follow these steps:

JBOSS Server Installation

  1. Open a command prompt at the location of the jboss-eap installation file and run the following command: “java -jar <Installer Name>”. On execution, this will display the following window:

    Click OK. This will display Licensing Agreement page.
  2. In Licensing Agreement page, select I accept the terms of this license agreement option.

    Click Next. This will display Installation Path page.
  3. In the Installation Path page, define the path for JBOSS installation.

    Click Next. This will display Component Selection page.
  4. In Component Selection page, select the required components.

    Click Next. This will display Create an Administrative User page.
  5. In Create an Administrative User page, define the admin username and password.

    Click Next. This will display Configure Runtime Environment page.
  6. In Configure Runtime Environment page, select Perform default configuration.

    Click Next and complete the installation.
  7. After installation is complete, go to <JBOSS_BASE_FOLDER>/bin and run the following command: “standalone.bat --server-config=standalone-full.xml”. The http://localhost:9990 URL is launched. Enter the username and password. This will display the following page:

  8. To open CLI for JBOSS, run the following command “pa” from <JBOSS_BASE_FOLDER>/bin. After running the command, run “patch apply <jboss-eap-7.3.6-patch_zipfile_path>”. On successful run of the patch file, the following screen is displayed:
  9. Restart JBOSS.

RHPAM Deployment

  1. Go to the RHPAM installation file location and run the following command: “java -jar <RHPAM_INSTALLER_FILE_NAME>”. This will display the Licensing Agreement screen.

  2. In Licensing Agreement screen, select I Accept the terms of this license agreement option and click Next. This will display Installation Path page.
  3. In the Installation Path page, define the path where JBOSS is installed.

    Click Next. This will display Component Selection page.
  4. In Component Selection page, select the following two components:

    Click Next. This will display User Creation page.
  5. In the User Creation Page, define the username and password.

    Click Next. This will display Configure Runtime Environment page.
  6. In Configure Runtime Environment page, select Perform default configuration option.

    Click Next.
  7. After Business-Central and Kie-server are deployed, they should be displayed as deployed in <JBOSS_BASE_FOLDER>/standalone/deployments.

  8. Extract the Red Hat Single Sign-On zip folder in <JBOSS_BASE_FOLDER>.

  9. From <JBOSS_BASE_FOLDER>/bin, run the following command: “jboss-cli.bat --file=adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml”.

DB Persistence using MySQL

  1. Download the Red Hat MySQL queries from Temenos Digital Assist artifact under the location, InfinityAssist_App-vvx.x.x.zip\InfinityAssist_App-vx\Fabric\InfinityAssist_Src_vvx.x.x.zip\InfinityAssist\Resources\RHPAM\mysql.
  2. Log in to the MySQL database using workbench.
  3. Set the jbpm schema.
  4. Execute the MySQL queries in the following order in the MySQL database:
    1. initial.sql
    2. views.sql
    3. correlationkey.sql
    4. schema_changes.sql
  5. Validate that the views table contains records after the execution.
  6. Download the MySQL Java Connector jar from MySQL downloads as per the following table. Download the appropriate version based on the MySQL version.
    MySQL Version | MySQL JDBC Driver
    8.X | mysql-connector-java-8.0.27.jar
  7. Navigate to JBOSS_HOME/modules/system/layers/base/com and create a folder mysql and a folder main inside it.
  8. Copy the connector jar to this folder and create a module.xml file with the following code.
    <module xmlns="urn:jboss:module:1.5" name="com.mysql">
        <resources>
            <resource-root path="mysql-connector-java-5.1.47.jar"/>
        </resources>
        <dependencies>
            <module name="javax.api"/>
            <module name="javax.transaction.api"/>
        </dependencies>
    </module>
    

    Make sure that the resource-root path matches the file name and version of the connector jar that you copied.

  9. Open the standalone-full.xml and locate <subsystem xmlns="urn:jboss:domain:datasources:5.0">. Add a driver node as given in the code snippet under the xml tag <datasources>/<drivers> path:
    <driver name="mysql" module="com.mysql">
      <driver-class>com.mysql.jdbc.Driver</driver-class>
      <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
     </driver>
  10. Add a new datasource node:
    <datasource jndi-name="java:/jbpmDS" pool-name="jbpmDS">
    	<connection-url>jdbc:mysql://localhost:3306/jbpm?useSSL=false</connection-url>
    	<driver-class>com.mysql.jdbc.Driver</driver-class>
    	<driver>mysql</driver>
    	<pool>
    		<max-pool-size>200</max-pool-size>
    	</pool>
    	<security>
    		<user-name>valid_username</user-name>
    		<password>valid_password</password>
    	</security>
    	<validation>
    		<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
    		<validate-on-match>true</validate-on-match>
    		<background-validation>false</background-validation>
    		<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
    	</validation>
    	<timeout>
    		<idle-timeout-minutes>30</idle-timeout-minutes>
    	</timeout>
    </datasource>

    Make sure that connection-url, user-name, and password are set to the appropriate values.

  11. In the connection URL, the attributes depend on whether SSL is installed. Set the arguments appropriately as per your database setup.
  12. Add the following properties to system-properties:
    <property name="org.kie.server.persistence.ds" value="java:/jbpmDS"/>
    <property name="org.kie.server.persistence.dialect" value="org.hibernate.dialect.MySQL5InnoDBDialect"/>

DB Persistence using PostgreSQL

  1. Download the Red Hat PostgreSQL queries from Temenos Digital Assist artifact under the location, InfinityAssist_App-vvx.x.x.zip\InfinityAssist_App-vx\Fabric\InfinityAssist_Src_vvx.x.x.zip\InfinityAssist\Resources\RHPAM\postgres.
  2. Log in to the PostgreSQL database using Dbeaver/PgAdmin.
  3. Set the jbpm schema.
  4. Execute the PostgreSQL queries in the following order in the PostgreSQL database:
    • initial_postgres.sql
    • views_postgres.sql
    • correlationkey_postgres.sql
    • schema_changes_postgres.sql
  5. Validate that the views table contains records after the execution.
  6. Download the PostgreSQL Java Connector jar from PostgreSQL downloads as per the following table. Download the appropriate version based on the PostgreSQL version.
    Java Version | PostgreSQL Version | PostgreSQL JDBC Driver
    JAVA 11 | 13.2 | postgresql-42.5.0.jar
  7. Navigate to JBOSS_HOME/modules/system/layers/base/com and create a folder postgresql and a folder main inside it.
  8. Copy the connector jar to this folder and create a module.xml file with the following code.
    <module xmlns="urn:jboss:module:1.1" name="com.postgresql">
    	<resources>
    		<resource-root path="postgresql-42.5.0.jar"/>	
    	</resources>		
    	<dependencies>
    		<module name="javax.api"/>
    		<module name="javax.transaction.api"/>
    	</dependencies>
    </module>

    Make sure that the resource-root path matches the file name and version of the connector jar that you copied.

  9. Open the standalone-full.xml and locate <subsystem xmlns="urn:jboss:domain:datasources:6.0">. Add a driver node as given in the code snippet under the xml tag <datasources>/<drivers> path:
    <driver name="postgresql" module="com.postgresql">
     <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
    </driver>
  10. Add a new datasource node:
    <datasource jndi-name="java:jboss/PostgresDS" pool-name="PostgresDS">
      <connection-url>jdbc:postgresql://localhost:5430/jbpm</connection-url>
      <driver>postgresql</driver>
      <security>
        <user-name>postgres</user-name>
        <password>Temenos@123</password>
      </security>
      <validation>
        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker"/>
        <validate-on-match>true</validate-on-match>
        <background-validation>false</background-validation>
        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter"/>
      </validation>
    </datasource>
    

    Make sure that connection-url, user-name, and password are set to the appropriate values.

  11. In the connection URL, the attributes depend on whether SSL is installed. Set the arguments appropriately as per your database setup.
  12. Add the following properties to system-properties:
    <property name="org.kie.server.persistence.ds" value="java:jboss/PostgresDS"/>
    <property name="org.kie.server.persistence.dialect" value="org.hibernate.dialect.PostgreSQLDialect"/>

Red Hat PAM Custom Views Installation

This section explains the custom views installation into PAM MySQL database.

  1. Download the Assist artefact. For 202201 and higher release, pick the custom view from the following location: InfinityAssist_App-vxx.xx.zip\InfinityAssist_App-vxx.xx\Fabric\InfinityAssist_Src_vxx.xx.zip\InfinityAssist\Resources\RHPAM\MySQL\views.sql.
  2. Log in to the Red Hat PAM database using workbench.
  3. Set the jbpm schema, take the queries from views.sql, and execute all into the database.
  4. Validate the views table for records post the execution.

Custom Jar Deployment

  1. Copy GetTasksCustomAPI-1.0 jar from InfinityOrigination_PAM_vvx.x.x.zip and paste it at <Red Hat base folder>/standalone/deployments/kie-server.war/WEB-INF/lib.
  2. Restart the JBoss server.

Configuration in Business Central

Follow these steps to make the changes in the business central war file:

  1. Log in to the PAM VM instance.
  2. Go to the deployment folder under EAP Home and navigate to the path, /standalone/deployments/business-central.war/WEB-INF/classes.
  3. Add the errai.bus.enable_sse_support=false configuration in ErraiService.properties.
  4. Go to deployments folder and redeploy business central.
    • cd "../standalone/deployments"
    • rm business-central.war.deployed
    • touch business-central.war.dodeploy
  5. Check if business central is accessible after the war is deployed.
  6. Restart the EAP server.

Work Item Handler Deployment

To deploy the work item handler, Maven home must be set and Git Bash must be available in the environment. Follow these steps to deploy the work item handler:

  1. Copy the Origination work item handler Maven project from the following location:

    Origination_Src_vx\OnboardingServer\BPM\Java\OriginationWorkItem

  2. Paste the Maven project inside the machine where Red Hat is installed. For more information, refer to Red Hat installation steps.
  3. As a prerequisite,
    • Maven must be installed and Maven home must be set in environment properties.
    • Git Bash must be available.
    • JDK home must be set.
  4. Open Git Bash from the location where pom.xml exists for OriginationWorkItem Maven project, and then execute the following command:

    mvn clean install -Dmaven.test.skip=true

    After the Maven installation is completed, a success message is displayed on the Git Bash console. This implies that the workitemhandler is available in the /.m2 repository location under the path, com/temenos/infinity/OriginationWorkItem in the Maven repo of that environment.

Custom API Execution

Prerequisite: Custom views must be present in the PAM database before executing the following APIs.

  1. Download the Postman collection from the following location. The image is for representation only. The release version mentioned in the image may vary with the actual release.

    InfinityAssist_App-vx\Fabric\InfinityAssist_Src_vx.zip\InfinityAssist\Resources\RedHatCustomQueries

  2. Execute all the APIs with the base URL mapped to the Red Hat server where it is installed.
    • If PAM is connected to MySQL DB, execute all the APIs from Redhat Custom Queries.postman_collection.json with the base URL mapped to the Red Hat server where it is installed.
    • If PAM is connected to PostgreSQL DB, execute all the APIs from Redhat Custom Queries_postgresSql.postman_collection.json with the base URL mapped to the Red Hat server where it is installed.

Red Hat PAM Project Deployment (Manual)

Follow the steps to manually import and deploy the Red Hat PAM projects (typically used to deploy to developer’s workstation).

Retail and SME Onboarding Project Deployment

  1. Unzip InfinityOrigination_PAM_Source_vx.x.x.zip to a folder.
  2. Open Git Bash (Git must be installed already) at this location and run the following commands:
    git init
    git add .
    git commit -m "Onboarding"

    If Git has not been configured before, run the following commands before running the above ones:
    git config user.name "username"
    git config user.email "user@example.com"

  3. Log in to Business Central and navigate to Projects. Select or create the space where the Project must be imported.
  4. Inside the space, click the drop-down beside Create project and select the import project option.
  5. Enter the folder where the source was unzipped into Repository URL when prompted and click Import.
  6. Open the imported project and click Deploy to deploy the Red Hat PAM project.

Temenos Digital Assist PAM Project Deployment

Repeat the steps mentioned in the Retail and SME Onboarding Project Deployment section for Temenos Digital Assist PAM project, which is available in the following location:

InfinityAssist_PAM_vx\InfinityAssist_PAM_Source_vx

Red Hat PAM Project Deployment (Automated)

Follow these steps to deploy Red Hat PAM projects through automation. This step requires your PAM to be connected to a Maven repository where the Red Hat PAM projects are available.

  1. Unzip InfinityOrigination_PAM_Source_vx.x.x.zip to a folder, build the project, and publish the KJAR to a Maven repository.
  2. Unzip InfinityAssist_PAM_Source_vx.x.x.zip to a folder, build the project, and publish the KJAR to a Maven repository.
  3. Go to InfinityAssist_App-vx\Fabric\InfinityAssist_Src_vx\InfinityAssist\PostmanCollections\PAM Deployment.postman_collection to find the APIs required to deploy Red Hat PAM projects. If your Red Hat PAM server is managed (deployed with business-central), execute the APIs present in the managed folder. Otherwise, if the PAM server is unmanaged (deployed without business-central), execute the APIs present in the unmanaged folder.

Configuration for Red Hat PAM

The following system properties must be set up in standalone-full.xml located at <RHPAM_HOME>\standalone\configuration.

<property name="org.temenos.onboarding.host.url" value="{{baseuri}}"/>
<property name="org.temenos.onboarding.identity.url" value="{{baseuri}}/login?provider=InfinityAssistUserStore"/>
<property name="org.temenos.onboarding.app.key" value="d2254f16ed56a3c8e1d2acb1f9f38554"/>
<property name="org.temenos.onboarding.app.secret" value="5518c3a94763fdc8f50c3102bd44d2f5"/>
<property name="org.temenos.onboarding.api.username" value="user@temenos.com"/>
<property name="org.temenos.onboarding.api.password" value="!hy.d3r1Ba$D"/>
<property name="org.temenos.onboarding.error.handler.process" value="RetailOnboarding.ErrorHandler"/>
<property name="org.temenos.onboarding.credit.limit" value="200"/>
<property name="org.temenos.onboarding.event.service.name" value="OrigIntegrationsJavaServices"/>
<property name="org.temenos.onboarding.event.operation.name" value="SalesforceEventRouter"/>
<property name="org.temenos.corporate.onboarding.host.url" value="{{baseuri}}"/>
<property name="org.temenos.corporate.onboarding.identity.url" value="{{identityuri}}/login?provider=InfinityAssistUserStore"/>
<property name="org.temenos.corporate.onboarding.app.key" value="72b7d7f3b5bd2f5f9ab5d65d02ba0837"/>
<property name="org.temenos.corporate.onboarding.app.secret" value="68a3e10c4e337eb6368e2ff986f0c0f9"/>
<property name="org.temenos.corporate.onboarding.api.access.token" value=" "/>
<property name="org.temenos.corporate.onboarding.api.username" value="user@temenos.com"/>
<property name="org.temenos.corporate.onboarding.api.password" value="!hy.d3r1Ba$D"/>
<property name="org.temenos.corporate.error.handler.process" value="CorporateLOS.ErrorHandler"/>
<property name="org.jbpm.ht.admin.user" value="bfleck"/>
<property name="org.jbpm.task.cleanup.enabled" value="false"/>
<property name="decisionEngine" value="Off"/>
<property name="approvalMatrix" value="On"/>
<property name="receiptMicroservice" value="On"/>
<property name="org.kie.server.sync.deploy" value="false"/>
<property name="org.temenos.onboarding.skip.user.action" value="true"/>
<property name="org.jbpm.correlationkey.length" value="511"/>

A few system properties must be configured before Red Hat PAM is invoked from the Temenos Digital Origination app. The properties are:

  • org.temenos.onboarding.host.url - URL where Fabric is hosted. Replace {{baseuri}} with Fabric host URL.
  • org.temenos.onboarding.identity.url - URL for the identity service "InfinityAssistUserStore". Replace {{identityuri}} with Fabric identity base URL.
  • org.temenos.onboarding.app.key - App key of the Origination Fabric app.
  • org.temenos.onboarding.app.secret - App secret of the Temenos Digital Origination Fabric app.
  • org.temenos.onboarding.api.user - Username to be sent to the identity service. The user must be present in the Keycloak server.
  • org.temenos.onboarding.api.password - Password to be sent to the identity service. The user must be present in the Keycloak server.
  • org.temenos.onboarding.error.handler.process - Error process which needs to be instantiated in RHPAM for any error encountered.
  • org.temenos.onboarding.credit.limit - Credit Limit.

The Fabric runtime configurations required for Red Hat are:

Field Name | Field Value | Description
PAM_HOST_URL | URL where RHPAM is hosted | Red Hat end point url
PAM_CONTAINER_ID | Origination | Red Hat container Id
PAM_APPLICANTRULES_NAME | ApplicantRules | DMN applicant rule name
PAM_APPLICANTRULES_NAMESPACE | https://kiegroup.org/dmn/_351F535C-EA92-4940-AB4D-3757556EDBF8 | DMN applicant name space url
PAM_APPLICATIONRULES_NAME | ApplicationRules | DMN application rule name
PAM_APPLICATIONRULES_NAMESPACE | https://kiegroup.org/dmn/_52AC8BB6-3B06-46CA-9F17-0F2CE3063787 | DMN application name space url
PAM_SELFIE_NAME | AuthIDRules | DMN selfie rule name
PAM_SELFIE_NAMESPACE | AuthIDRules | DMN selfie name space
PAM_ERROR_PROCESS_ID | RetailOnboarding.ErrorHandler | Error handler name of origination work item handler
PAM_APPLICATION_REVIEW_ERROR_SIGNAL | UpdateFailed | Error signal name of Red Hat
PAM_PREREQUIREMENTS_NAME | PreRequirementRules | Pre requirements DMN rule name
PAM_PREREQUIREMENTS_NAMESPACE | https://kiegroup.org/dmn/_C841CBE0-5FDB-432B-BCDA-73B6EB6901C4 | Pre requirements DMN rule name space
PAM_AUTHENTICATION_HEADER | Basic YmZsZWNrOkJmbGVja0AxMjM= | Valid Basic 64 authentication value of static user id from Keycloak
REDHAT_USERNAME | Valid User Name | Valid user name who has access to Red Hat
REDHAT_PWD | Valid Password | Valid password for the user name mapped for Red Hat
REDHAT_DOCUMENT_CHECKLIST_NAMESPACE | https://kiegroup.org/dmn/_623702A0-9976-4350-861C-EB6B47AC20BA | Red Hat namespace for document check list
DOCUMENT_CHECKLIST_MODEL_NAME | DocumentChecklist | Red Hat model name for document check list
ORIGINATION_TASK_ESCALATION_RULES | {"Retail":{"modelNameSpace":"https://kiegroup.org/dmn/_9C7C1465-14B4-4550-A1E5-B66AD8991584","modelName":"Retail Lending Task Escalation Assignment Rules","resultId":"_7E46CD2D-42B3-471C-B5A8-DC1CDE5B1D84"},"SME":{"modelNameSpace":"https://kiegroup.org/dmn/_914CEE3D-7931-403F-A091-E54CC8DF99D3","modelName":"SME Lending Task Escalation Assignment Rules","resultId":"_ABB38266-AC55-4BA7-91D2-F65C7EA5D0EF"},"RetailOnboarding":{"modelNameSpace":"https://kiegroup.org/dmn/_7D059885-4213-4AC6-B5B3-179C9C1146A8","modelName":"Retail Onboarding Task Escalation Assignment Rules","resultId":"_F12CB6E1-4574-4C4B-8393-98B5B35A0ECF"},"SMEOnboarding":{"modelNameSpace":"https://kiegroup.org/dmn/_EB09B2F7-4880-4EE3-B3CC-C051D95E84C5","modelName":"SME Onboarding Task Escalation Assignment Rules","resultId":"_9E85196D-C757-4C78-A87C-3E9134B3CA0E"},"Corporate":{"modelNameSpace":"https://kiegroup.org/dmn/_7BB670E3-52F3-4794-834C-36DB5A5BF1EC","modelName":"Corp Task Escalation Rules","resultId":"_6B2FE57F-5754-422F-8F8F-F28531623E89"}} | Valid Red Hat namespace for escalation job
INFINITYASSIST_PAM_CONTAINER_ID | Temenos Digital Assist | Redhat container ID for Temenos Digital Assist

Identity Service Configuration for PAM

This section explains how to add identity service for PAM in Temenos Digital Assist Fabric application that is used for communication from PAM to Fabric server.

  1. Sign in to Quantum Fabric console and open the Temenos Digital Assist application.

  2. Open the Identity service tab of Temenos Digital Assist application inside the Fabric server.
  3. Open the InfinityAssistUserStoreTest identity service and click Add User.
  4. Enter User Id, First Name, Last Name, and Password. All these fields are mandatory.

    The User Id and Password mentioned in the identity service must match with the username and password present in the PAM server properties of standalone-full.xml file.

    • org.temenos.corporate.onboarding.api.username
    • org.temenos.corporate.onboarding.api.password

  5. Click Update to create a user.
  6. The user record is added successfully.
  7. Republish the Temenos Digital Assist application.

Red Hat Integration with Keycloak

Prerequisite: Complete the Keycloak installation and then execute the following steps.

To integrate Red Hat PAM with Keycloak as an Identity Service Provider, follow these steps:

  1. Log in to the Keycloak admin console.
  2. Go to the realm to which PAM must be integrated and then add the following client details:
    • Client ID: business-central
    • Client protocol: openid-connect
    • Root URL: <URL to business central>
  3. Modify the access type of the client to confidential. By default, the access type is public.
  4. Download Red Hat Single Sign-on 7.5 Client Adapter for JBoss EAP 7.
  5. Place the downloaded file in EAP home and unzip the file.
  6. Navigate to <EAP_HOME>/bin and run the following command without starting EAP server:
    jboss-cli.bat --file=adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
    
  7. Add the following properties to <system-properties> tag in standalone-full.xml
    <property name="org.jbpm.workbench.kie_server.keycloak" value="true"/>
    <property name="org.uberfire.ext.security.management.api.userManagementServices" value="KCAdapterUserManagementService"/>
    <property name="org.uberfire.ext.security.management.keycloak.authServer" value="<Base URL to Keycloak>/auth"/>
  8. Locate jboss:domain:keycloak in standalone-full.xml and add the following secure-deployment:
      <secure-deployment name="business-central.war">
       <realm>demo</realm>
       <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
       <auth-server-url>http://localhost:8180/auth</auth-server-url>
       <ssl-required>none</ssl-required>
       <enable-basic-auth>true</enable-basic-auth>
       <resource>kie</resource>
       <credential name="secret">759514d0-dbb1-46ba-b7e7-ff76e63c6891</credential>
       <principal-attribute>preferred_username</principal-attribute>
     </secure-deployment>

    where,

    1. realm: Name of realm in Keycloak
    2. realm-public-key: Public key of realm available under Keys tab inside the realm
    3. auth-server-url: URL for Keycloak server
    4. ssl-required: Whether an HTTPS connection is required to connect to Keycloak
    5. resource: Client ID created in Keycloak realm
    6. credential: Private key of the client available under Credential tab of the client
  9. Locate urn:wildfly:elytron in standalone-full.xml and add the following under it:
    <policy name="jacc"><jacc-policy/></policy>
  10. Locate urn:jboss:domain:undertow in standalone-full.xml and remove the <single-sign-on> element under it.
  11. Go to <system-properties> and modify the following properties to use a user belonging to the realm to which PAM must be connected.
    <property name="org.kie.server.user" value="admin1"/>
    <property name="org.kie.server.pwd" value="Konyadmin@1"/>
    <property name="org.kie.server.controller.user" value="admin1"/>
    <property name="org.kie.server.controller.pwd" value="Konyadmin@1"/>
  12. Go to the <system-properties> in standalone-full.xml and add the following property:
    <property name="org.kie.server.sync.deploy" value="false"/>
  13. Go to the realm to which PAM must be integrated and add the following client:
    • Client ID: kie-server
    • Client protocol: openid-connect
    • Root URL: <URL to kie server>
  14. Add another secure deployment, similar to the one added above for business-central.war:
    <secure-deployment name="kie-server.war">
         <realm>demo</realm>
         <realm-public-key>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</realm-public-key>
         <auth-server-url>http://localhost:8180/auth</auth-server-url>
         <ssl-required>external</ssl-required>
         <resource>kie-execution-server</resource>
         <enable-basic-auth>true</enable-basic-auth>
         <credential name="secret">03c2b267-7f64-4647-8566-572be673f5fa</credential>
         <principal-attribute>preferred_username</principal-attribute>
      </secure-deployment>
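
A check for the standalone-full.xml settings configured in the DB Persistence, Configuration for Red Hat PAM, and Red Hat Integration with Keycloak sections above, given as an added example that is not part of the Temenos or Red Hat documentation. It flags secrets stored as literal values, datasource URLs that switch TLS off, and secure-deployments that allow plain HTTP to Keycloak; the sample XML and every secret value in it are constructed, and treating any ${...} expression as an externalized secret is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): a trimmed standalone-full.xml that
# reuses element and property names from this page with placeholder values.
SAMPLE = """<server xmlns="urn:jboss:domain:10.0">
  <system-properties>
    <property name="org.temenos.onboarding.app.secret" value="constructed-app-secret"/>
    <property name="org.temenos.onboarding.api.password" value="${VAULT::onboarding::api_password::1}"/>
    <property name="org.kie.server.pwd" value="constructed-kie-password"/>
    <property name="org.kie.server.sync.deploy" value="false"/>
  </system-properties>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:5.0">
      <datasources>
        <datasource jndi-name="java:/jbpmDS" pool-name="jbpmDS">
          <connection-url>jdbc:mysql://localhost:3306/jbpm?useSSL=false</connection-url>
          <security>
            <user-name>constructed_user</user-name>
            <password>constructed-db-password</password>
          </security>
        </datasource>
      </datasources>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
      <secure-deployment name="business-central.war">
        <auth-server-url>http://localhost:8180/auth</auth-server-url>
        <ssl-required>none</ssl-required>
        <credential name="secret">constructed-client-secret</credential>
      </secure-deployment>
      <secure-deployment name="kie-server.war">
        <auth-server-url>https://sso.example.test/auth</auth-server-url>
        <ssl-required>external</ssl-required>
        <credential name="secret">${VAULT::kc::kie_secret::1}</credential>
      </secure-deployment>
    </subsystem>
  </profile>
</server>"""

SECRET_NAME = re.compile(r"(password|pwd|secret)$", re.IGNORECASE)
# Assumption: a value written as ${...} is resolved from a vault or the
# environment at startup, so it is not a secret stored in the file itself.
EXPRESSION = re.compile(r"^\$\{.+\}$")
# JDBC URL parameters that turn TLS off (MySQL Connector/J and pgjdbc).
DB_TLS_OFF = re.compile(r"useSSL=false|sslmode=disabled?", re.IGNORECASE)


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def is_literal(value):
    """True when the value is non-empty and not a ${...} expression."""
    value = (value or "").strip()
    return bool(value) and not EXPRESSION.match(value)


def audit(xml_text):
    """Return (rule, location) findings in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "system-properties":
            for prop in el:
                pname = prop.get("name", "")
                if SECRET_NAME.search(pname) and is_literal(prop.get("value")):
                    findings.append(("literal-secret", f"system property {pname}"))
        elif name == "datasource":
            where = f"datasource {el.get('pool-name', '?')}"
            for child in el.iter():
                cname, text = local(child.tag), (child.text or "").strip()
                if cname == "connection-url" and DB_TLS_OFF.search(text):
                    findings.append(("db-tls-disabled", where))
                elif cname == "password" and is_literal(text):
                    findings.append(("literal-secret", where))
        elif name == "secure-deployment":
            where = f"secure-deployment {el.get('name', '?')}"
            for child in el:
                cname, text = local(child.tag), (child.text or "").strip()
                if cname == "auth-server-url" and text.lower().startswith("http://"):
                    findings.append(("sso-plain-http", where))
                elif cname == "ssl-required" and text.lower() == "none":
                    findings.append(("sso-tls-not-required", where))
                elif cname == "credential" and is_literal(text):
                    findings.append(("literal-secret", where))
    return findings


if __name__ == "__main__":
    for rule, where in audit(SAMPLE):
        print(f"{rule:22} {where}")
```

To check a real server, pass the contents of <RHPAM_HOME>\standalone\configuration\standalone-full.xml to audit() instead of SAMPLE.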

Fabric Job Deployment

Follow these steps to configure the task escalation Fabric job:

  1. Open Job in Fabric admin console.
  2. Click Add New.
  3. Configure the Job details on the Job Info tab.
  4. Define the required schedule for the job and click Save & Schedule.

Explainable Artificial Intelligence (XAI) Integration

The Explainable Artificial Intelligence (XAI) component is integrated with the Origination application. The following Fabric runtime parameters are used:

Field Name | Field Value | Description
XAI_HOST_URL | https://2jaudpuyo4.execute-api.eu-west-2.amazonaws.com | Valid XAI server URL.
XAI_SECURITY_KEY | Valid key | Valid XAI security key.

Journey Analytics Integration

Journey Analytics (JA) is an optional module used in Temenos Digital Origination. A separate cloud procurement is required. The following Fabric runtime parameters are used:

Field Name | Field Value | Description
INSIGHTS_APPLICATIONID | TEST / PROD | Valid Journey Analytics ID.
JOURNEYANALYTICS_TMINSTANCEID | Valid TM instance | Valid TM instance ID received from cloud team.
JOURNEYANALYTICS_ENDPOINT | Valid insights URL | Valid insights URL.
AC_JA_MANAGEMENT_URL | Valid JA Management URL | Valid JA Management URL.

Temenos Transact Deployment

This section explains the deployment and configuration of Temenos Transact.

Transact Deployment

The IRIS container “irf-provider-container” war file must be deployed and maintained in the Transact environment. For Transact installation, see Transact documentation.

Display Transact AA.PRODUCTS in Origination

After successful integration of AA.PRODUCTS from Transact to Microservice, you can use the following options to view the T24 AA.PRODUCTS in the Origination application.

  • Using Postman “Update Purposes” API
  • Using Temenos Digital Spotlight Application

Using Postman “Update Purposes” API

  1. Identify the product to be displayed (with the GET Product Information API or from the database).
  2. Use the “Update Purposes” API.
    Endpoint URL: /product/marketingCatalogue/purposes/products
    With productRef and branchRef as query parameters.
    Payload:
    {
      "purposes": [
        "Onboarding"
      ]
    }
    
  3. After calling the API, confirm in the “ms_marketingcatalog_ProductInformation” table of the Marketing Catalog Microservice database that the “Purpose” for the corresponding product has been updated to "Onboarding".
  4. Refresh the Origination page. You can view the AA.PRODUCTS in Origination application.

Using Temenos Digital Spotlight Application

  1. In Temenos Digital Spotlight application, click Products. This will display Banking Products page.

  2. Select a product, click the three dots in the right-hand corner, and then click Edit.

    This will display the product details page.
  3. In the EDIT PRODUCTS details page, from the Purpose dropdown list, select Onboarding and click Update Product button. Now, you can view the AA.PRODUCTS in Origination application.

Fabric Runtime Configuration for Transact

The following table illustrates the Fabric runtime configuration related to Transact IRIS URLs:

Variable Name Variable Value (Sample) Description
DBP_CORE_CUSTOMER_CREATE http://baseUrl/irf-provider-container/api/v1.0.0/party/onboarding/customers Transact IRIS end point URL for customers.
T24_ACCOUNTS_HOST_URL http://baseUrl/irf-provider-container/api Transact IRIS base end point URL for accounts.
T24_PAYMENTS_HOST_URL http://baseUrl/irf-provider-container/api Transact IRIS base end point URL for payments.
T24_USER_HOST_URL http://baseUrl/irf-provider-container/api Transact IRIS base end point URL for customers.

For payment execution,

  • Run the TPH services in Transact.
  • Run the DES in Transact for ingesting data into microservices. Applicable only for microservices business outcome.
  • The products configured for Origination must support funding.

For multi-company features, perform the following steps:

  • Configure the customer default values of Temenos Digital in Transact branch company.
  • Run the DES in Transact for ingesting data into microservices. Applicable only for microservices business outcome.

Override Configuration

During fulfillment of account and customer creation, the overrides must be turned off by setting the Temenos Digital Channel to "Auto" to support the STP flow. A few examples of overrides for personal loan products:

  • ACCT.UNAUTH.OD
  • AA.CHG.FOR.CURR.ACT
  • AA.MATURITY.DATE.NOT.WORKING.DAY
  • DM.CONFIRM.DOC
  • AA.CHG.ARR.CCY.DIFF.CHG.CCY
  • AA.PS.START.DATE.NOT.WORKING.DAY
  • AA.PS.PERCETAGE.RANGE.1.TO.100
  • AA.ECT.MAX.EXCEED
  • AA-SUSPEND.TREATMENT.ARE.DIFFERENT
  • AA.TERMVALUE
  • PI-UNAUTH.OVERDRAFT
  • AA.PS.DUPLICATE.STATEMENT.GENERATE
  • AA-PS.START.FALLS.AFTER.MATURITY
  • AA.ECT.OSBP
  • AA.ECT.MIN.BELOW

Examples of overrides for the corporate loan product:

  • AA.CALC.PAYMENT.DATE.MAT.DATE
  • AA.EFFECTIVE.DATE.NOT.WORKING.DAY
  • AA.MATURITY.DATE.NOT.WORKING.DAY
  • DM.CONFIRM.DOC
  • AA.CHG.FOR.CURR.ACT
  • AA.CHG.ARR.CCY.DIFF.CHG.CCY
  • AA-COMM.TYPE.AMOUNT.NOT.AVL
  • LIMIT.EXPS.BEF.TXN

Configuration Changes for New Mortgage Product

Create and configure the following mortgage related products.

Payment schedule: AL.LINEAR+FULL.DISB+HOLIDAY.LIMIT-USD-20110414

Create a new Payment schedule product condition AL.LINEAR+FULL.DISB+HOLIDAY.LIMIT-USD-20110414 by copying AL.CONSTANT+FULL.DISB+HOLIDAY.LIMIT-USD-20110414.

  • Constant payment schedules must be removed.
  • Linear and Interest only payment types must be added as shown in the image.

Payment schedule: AL.INTONLY+FULL.DISB+HOLIDAY.LIMIT-USD-20110414

Create a new Payment schedule product condition AL.INTONLY+FULL.DISB+HOLIDAY.LIMIT-USD-20110414 by copying AL.CONSTANT+FULL.DISB+HOLIDAY.LIMIT-USD-20110414.

  • Constant payment schedules must be removed.
  • Linear and Interest only payment types must be added as shown in the image.

AA.PRODUCT.DESIGNER: MORTGAGE.LINEAR-20091202

Create a new product MORTGAGE.LINEAR by copying the MORTGAGE product. Modify the payment schedule product condition as shown in the image.


AA.PRODUCT.DESIGNER: MORTGAGE.INTONLY-20091202

Create a new product MORTGAGE.INTONLY by copying the MORTGAGE product. Modify the payment schedule product condition as shown in the image.

AA.PRODUCT.MANAGER: MORTGAGE.PARENT

Proof and publish the MORTGAGE.PARENT product and check the Product catalog.

Temenos Financial Crime Mitigation (FCM) Deployment

This section explains the deployment and configuration of Temenos FCM.

FCM Deployment

For FCM installation, see FCM documentation.

Variable Name Variable Value (Sample) Description
FCM_APP_KEY a8ca18667a484ffa2bbc1d86221c5424 FCM application key.
FCM_APP_SECRET ed2dcb91573047ffa69bd70c4d7b279e FCM application secret
FCM_HOST_URL http://20.41.222.70:8081/vrisk/web-services FCM base end point URL
FCM_PASSWORD Temenos1! FCM password
FCM_USERNAME admin1 FCM username
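
As an added example (not Temenos code), the following Python check reports FCM runtime variables that are missing, still set to the sample values in the table above, or that point to a non-HTTPS endpoint. The KEY=VALUE input layout and the function names are assumptions made for this example, and the input shown is constructed.

```python
from urllib.parse import urlsplit

# Sample values printed in the FCM table on this page.
DOCUMENTED_SAMPLES = {
    "FCM_APP_KEY": "a8ca18667a484ffa2bbc1d86221c5424",
    "FCM_APP_SECRET": "ed2dcb91573047ffa69bd70c4d7b279e",
    "FCM_HOST_URL": "http://20.41.222.70:8081/vrisk/web-services",
    "FCM_PASSWORD": "Temenos1!",
    "FCM_USERNAME": "admin1",
}

# Constructed input. The KEY=VALUE layout is an assumption made for this
# example, not a documented Fabric export format.
SAMPLE_CONFIG = """\
# runtime configuration of a test environment (constructed)
FCM_APP_KEY=0f3c9d2e77b14c0c9a51e6d2b8a4f1aa
FCM_APP_SECRET=ed2dcb91573047ffa69bd70c4d7b279e
FCM_HOST_URL=http://fcm.internal.example:8081/vrisk/web-services
FCM_PASSWORD=Temenos1!
"""


def parse_config(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config


def audit(config):
    """Return sorted (variable, finding) pairs for the FCM variables."""
    findings = []
    for key, sample in DOCUMENTED_SAMPLES.items():
        value = config.get(key)
        if not value:
            findings.append((key, "missing or empty"))
            continue
        if value == sample:
            findings.append((key, "still set to the documented sample"))
        if key.endswith("_URL") and urlsplit(value).scheme != "https":
            findings.append((key, "endpoint is not https"))
    return sorted(findings)


if __name__ == "__main__":
    for key, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{key}: {finding}")
```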

Keycloak Deployment

The Keycloak deployment steps include the following:

  • Realm Import
  • Fabric runtime configuration

A new client must be created for Salesforce under Keycloak admin console.

Realm Import

  1. In Keycloak application, open Administration Console and click Select Realm on the top-left corner. 
  2. Import the JSON file from the following location in Keycloak:
    Spotlight_App-vx\MF\AdminConsoleAggregator\IDMDBMigrations\src\main\resources\realms\realm-export.json

  3. After importing the realm in Keycloak, roles and corresponding users will be available.
  4. After the realm is imported, generate the client secret for all the clients such as kie-server and business-central.
  5. Then map the client secrets into the following places:
    • RHPAM standalone-full.xml file for kie-server and business-central clients.
    • Fabric runtime configuration for kie-server client.
  6. The client ID of Spotlight client must be mapped to IOB_KEYCLOAK_SPOTLIGHT_CLIENT_ID in Fabric runtime configuration and can be obtained by any of the following:
    • Open the Spotlight client in Keycloak and retrieve the ID from URL.
    • Invoke the Get client info API present in InfinityAssist_App-vx\Fabric\InfinityAssist_Src_vx\InfinityAssist\Resources\KeyCloak.postman_collection.json and retrieve the client ID from response as shown in the image.

Fabric Runtime Configuration for Keycloak

Fabric runtime configurations for client app:

Field Name Field Value Description
KEYCLOAK_HOST_URL http://{baseUrl}:8081 Base URL of Keycloak server

Fabric runtime configurations for server app:

Field Name Field Value Description
KEYCLOAK_ENDPOINT_URL http://baseUrl/auth/realms/{serverName}_realm/protocol/openid-connect Keycloak server base URL
KEYCLOAK_ADMIN_SERVICES_ENDPOINT_URL http://baseUrl/auth/admin/realms/{serverName}_realm Keycloak server base URL
IOB_KEY_CLOAK_CLIENT_ID kie-server Client id in Keycloak realm
IOB_KEY_CLOAK_CLIENT_SECRET valid keycloak client secret Client secret for the above client
IOB_KEY_CLOAK_USERNAME valid user name User from Keycloak realm
IOB_KEY_CLOAK_PASSWORD valid password Password for the above
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_ID service_account Valid client id
KEYCLOAK_SERVICE_ACCOUNT_CLIENT_SECRET valid account client secret Valid key for the service account client

Salesforce Configuration

A new client must be created for Salesforce under Keycloak admin console.

Security Configuration for Salesforce

Add the following element to the Fabric Tomcat server file located at "..\QuantumFabric_9.xx_GA\tomcat\conf\context.xml".

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="None" />

Fabric Runtime Configuration for Salesforce

Following is the list of Fabric runtime configurations to be added for Salesforce Integration:

Field Name Field Value Description
IOB_SFDC_STAGE_NAME Origination Stage name for Salesforce client.
IOB_SFDC_OWNER_ID 00509000007PGy Valid owner ID for Salesforce client.
SFDC_ENDPOINT_URL Login | Salesforce Salesforce end point.
SFS_KEYCLOAK_SERVICE_CLIENT_ID salesforce  
SFS_KEYCLOAK_ENDPOINT_URL http://{{baseUrl}}/auth/realms/spotlight_realm/protocol/openid-connect Valid Keycloak base URL.
SFS_KEYCLOAK_SERVICE_CLIENT_SECRET credentials Valid client credentials for Salesforce client.

Origination App Configuration for Salesforce

Salesforce URL end points and credentials must be configured in the Origination application in the following location: Origination/Integration Services/SalesForceAPIs.

Field Name Field Value Description
Endpoint URL https://{{baseUrl}}/services/oauth2/token Valid Salesforce URL
Client ID Valid client ID Valid client ID
Client Secret Valid client secret Valid client secret
User ID Valid user name Valid user name
password Valid password Valid password
version Version of the Salesforce API Version of the Salesforce API

Users in Keycloak

This section lists the users to be configured and made available in Keycloak along with the roles assigned to them.

Following is the list of predefined demo users used for accessing Temenos Digital Assist app.

Username should not conflict with any role name defined in Keycloak.

Retail Lending users - Temenos Digital Assist app:

Username/ Password Role Realm and Client Roles
rmuser/Temenos@1234 Relationship Manager Retail RM QUEUE_RETAIL_PRESCREENING_REVIEW_TASKS QUEUE_RETAIL_DOCUMENTATION_TASKS
rmautouser/Temenos@1234 Relationship Manager Retail RM QUEUE_RETAIL_PRESCREENING_REVIEW_TASKS QUEUE_RETAIL_DOCUMENTATION_TASKS
uwuser/Temenos@1234 Underwrite user Retail UW QUEUE_RETAIL_UNDERWRITING_TASKS
opsuser/Temenos@1234 Operations user Retail Ops QUEUE_RETAIL_SETTLEMENT_TASKS
superuser/Temenos@1234 Supervisor Retail Supervisor

Mortgage users

Username/ Password Role Realm and Client Roles

mortgagermuser/Temenos@1234 Relationship Manager QUEUE_MORTGAGE_PRESCREENING_TASKS QUEUE_MORTGAGE_PROCESSING_TASKS
mortgageuwuser/Temenos@1234 Underwriter QUEUE_MORTGAGE_UNDERWRITING_TASKS QUEUE_MORTGAGE_UNDERWRITING_HIGH_VALUE_TASKS
mortgageopsuser/Temenos@1234 Operations user QUEUE_MORTGAGE_SETTLEMENT_TASKS QUEUE_MORTGAGE_FOLLOWUP_TASKS
mortgagermsupervisor/Temenos@1234 RM Supervisor QUEUE_MORTGAGE_PRESCREENING_OVERDUE_TASKS QUEUE_MORTGAGE_PROCESSING_OVERDUE_TASKS
mortgagesupervisor/Temenos@1234 OPS Supervisor QUEUE_MORTGAGE_FOLLOWUP_OVERDUE_TASKS QUEUE_MORTGAGE_SETTLEMENT_OVERDUE_TASKS
mortgagecreditapprover/Temenos@1234 UW Supervisor QUEUE_MORTGAGE_UNDERWRITING_HIGH_VALUE_OVERDUE_TASKS QUEUE_MORTGAGE_UNDERWRITING_OVERDUE_TASKS

SME Lending users - Temenos Digital Assist app:

Username/ Password Role Realm and Client Roles
smeuwuser/Temenos@1234 Relationship Manager SME RM QUEUE_SME_PRESCREENING_REVIEW_TASKS QUEUE_SME_DOCUMENT_UPLOAD_TASKS
smeuwuser/Temenos@1234 Underwriter SME UW QUEUE_SME_APPLICATION_REVIEW_TASKS
smeopsuser/Temenos@1234 Operations user SME Ops QUEUE_SME_REVIEW_SETTLEMENT_TASKS
smeautouser/Temenos@1234 smermautouser/Temenos@1234 Supervisor SME RM Supervisor QUEUE_SME_PRESCREENING_REVIEW_TASKS QUEUE_SME_DOCUMENT_UPLOAD_TASKS QUEUE_SME_REVIEW_SETTLEMENT_TASKS

Retail Onboarding users - Temenos Digital Assist app:

Username/ Password Role Realm and Client Roles
retailrm/Temenos@123 Relationship Manager QUEUE_RETAIL_APP_REVIEW_TASKS
retailrmmgr/Temenos@123 Relationship Manager Supervisor QUEUE_RETAIL_APP_REVIEW_TASKS
retailopsuser/Temenos@123 Operations user QUEUE_RETAIL_ADD_DECISION_TASKS
retailopsmgr/Temenos@123 Operations Supervisor QUEUE_RETAIL_ADD_DECISION_TASKS
retailitadmin/Temenos@123 System Administrator QUEUE_RETAIL_ERR_REVIEW_TASK

SME Onboarding users - Temenos Digital Assist app:

Username/ Password Role Realm and Client Roles
smerm/Temenos@123 Relationship Manager QUEUE_SME_APP_REVIEW_TASKS
smeops/Temenos@123 Operations user QUEUE_SME_MAN_REVIEW_TASKS
smeopsmgr/Temenos@123 Operations Supervisor QUEUE_SME_MAN_REVIEW_TASKS
smermmgr/Temenos@123 Relationship Manager Supervisor QUEUE_SME_APP_REVIEW_TASKS
smeitadmin/Temenos@123 IT Administrator QUEUE_SME_ERR_REVIEW_TASK

Corporate users - Temenos Digital Assist app:

Username/ Password Role Realm and Client Roles

bfleck/Bfleck@123 Relationship Manager Relationship Manager
gregory/Gregory@123 Underwriter Underwriter
wwhite/Wwhite@123 Operations Operations
corpsupervisor/Test@123 Supervisor Supervisor
secretary/Test@123 Secretary Secretary
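
The rule at the start of this section, that a username should not conflict with any role name defined in Keycloak, can be checked against a realm export before it is imported. The following Python is an added example, not part of the Temenos package; it assumes the export contains the standard roles and users sections, and the sample realm and the names in it are constructed.

```python
import json

# Constructed sample in the layout of a Keycloak realm export
# (realm roles, per-client roles, users). Names here are made up.
SAMPLE_REALM_EXPORT = json.loads("""
{
  "realm": "example_realm",
  "roles": {
    "realm": [{"name": "approver"}, {"name": "Reviewer"}],
    "client": {
      "kie-server": [{"name": "QUEUE_RETAIL_UNDERWRITING_TASKS"},
                     {"name": "auditor"}]
    }
  },
  "users": [
    {"username": "uwuser"},
    {"username": "approver"},
    {"username": "auditor"},
    {"username": "reviewer"}
  ]
}
""")


def role_index(realm, ignore_case=False):
    """Map each role name to the places it is defined in the export."""
    index = {}
    roles = realm.get("roles", {})
    entries = [(r["name"], "realm role") for r in roles.get("realm", [])]
    for client_id, client_roles in roles.get("client", {}).items():
        entries += [(r["name"], f"client role ({client_id})")
                    for r in client_roles]
    for name, where in entries:
        key = name.lower() if ignore_case else name
        index.setdefault(key, []).append(where)
    return index


def username_role_conflicts(realm, ignore_case=False):
    """Return (username, [where that name is also a role]) pairs.

    ignore_case=True is the stricter check: it also reports names that
    differ from a role only by letter case.
    """
    index = role_index(realm, ignore_case)
    conflicts = []
    for user in realm.get("users", []):
        name = user.get("username", "")
        key = name.lower() if ignore_case else name
        if key in index:
            conflicts.append((name, index[key]))
    return conflicts


if __name__ == "__main__":
    for name, where in username_role_conflicts(SAMPLE_REALM_EXPORT):
        print(f"user '{name}' has the same name as a {', '.join(where)}")
```

To check a real export, load it with `json.load` and pass the resulting dictionary to `username_role_conflicts`.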

Configuration for Permission, Role, Queue and User Management

For information on the various configurations required for creating and managing permissions, roles, queues, and users in the Temenos Digital Assist application, click here.

Configuration for Removing Documents from the Origination App

For information on the steps required for removing documents from the Documents section of the Origination application, click here.

Enabling SSO in Digital Banking Servicing (OLB) and Origination apps

This section explains the Single Sign On (SSO) feature between the Digital Banking Servicing (online banking) and Origination apps.

For the SSO feature to work, the Origination and Servicing composite applications must have SSO set to true for the identity service.

Origination Application

  1. Enable SSO for the DBXUserLogin Identity service for Landing MA and PartyDetails MA. In previous releases, this must be enabled only in the monolithic Origination application.
    • Landing Micro App screen

    • Party Details Micro App screen

  2. After changing these flags, publish the respective Fabric apps by navigating to the “Publish” tab. Note: While publishing, ensure that the app key and app secret are not changed. This can be achieved by clicking the “Configure & Publish” option (refer to the image below).

Digital Banking Servicing (OLB) Application

  1. For the online banking application, follow the same steps: enable the SSO flag in the Micro Apps where the “DBXUserLogin” identity service is available, that is, the online banking Micro Apps, Authentication MA, ExternalUserManagement MA, and Arrangements MA.
    • Online Banking Composite App screen

    • External User Management App screen
    • Authentication App screen

  2. After changing the flags, publish the respective Fabric apps by navigating to the Publish tab. Note: While publishing, make sure the app key and app secret are not changed. This can be done by clicking the Configure & Publish option (refer to the image below).

HTTP Integrity Check

Quantum Fabric supports enabling HTTP Message Body Integrity checking for an application. The Client App Security feature helps to secure data exchanged between a client app and a server app. Enterprise-class applications must ensure that network traffic exchanged between the server and the client app is not tampered with. The HTTP Integrity check detects and reports tampering with the data exchanged between the server and the client app.

This document describes the procedure to enable HTTP Integrity for Origination app and then modify the Identity service for enhancing the app's security.

Enable HTTP Integrity Check

To enable the HTTP integrity for Origination app, follow these steps:

  1. Sign in to Quantum Fabric.
  2. From the list of apps, click on Origination.
  3. Navigate to Configure Services > Identity > Service Configuration.
  4. Select the Enable HTTP Integrity Checking for this App check box.

  5. If client binaries are already published, republish them.
  6. Create a new Fabric app.
  7. Navigate to Configure Services > Identity > Use Existing.

    The Existing Services list appears.
  8. Select Temenos DigitalAssistUserStore and click Add.

  9. Navigate to Integration > Use Existing.

    The Existing Services list appears.
  10. Select OrigIntegrationsJavaServices and OnboardingJSONServices. Then click Add.

  11. Publish the app.
  12. Replace the App key and the App secret of Origination app configured in Red Hat and Adapter configurations in Generic Config microservice with that of the newly published OriginationIntegrity app.

Changes in Identity Service for App Security

To enhance the app's security, perform the following changes in the Identity service:

  1. Sign in to Quantum Fabric.
  2. From the list of apps, click on Origination.
  3. Navigate to Configure Services > Identity > DbxUserLogin.
  4. From the contextual menu, click Clone.

    A clone of the DbxUserLogin Identity service is created. Rename it to DbxUserLoginForProspect.

  5. Navigate to Publish > Service & Web Client.

  6. Under Service Config, click Custom. The Current Environment Configuration Vs Definition Values window appears.

  7. Copy the Current Environment URL of the original identity service and navigate back to DbxUserLoginForProspect identity service.
  8. Paste the URL in Spotlight Identity Service Endpoint text box.
  9. Go to the Advanced section of the cloned Identity service and enable the Restrict to Fabric Server to Server Authentication check.

  10. Navigate to Configure Services > Integration > ProspectLogin > OnboardingLogin.

  11. Ensure that the Target URL points to the cloned Identity service - DbxUserLoginForProspect.
  12. Save and Publish the app.
  13. In Visualizer project, unlink and link the Fabric app again. Then, build and publish the client app zip.

 

Copyright © 2020- Temenos Headquarters SA

Published on: Thursday, May 30, 2024 11:41:00 AM IST