
Stack 8 Cloud AWS

R21 Internal Runbook 1.0 July 2021


Stack 8 Cloud AWS Internal Runbook

Contents
1 About this runbook
1.1 Legal
1.2 History
2 Introduction
2.1 Prerequisites
2.2 Terminology
2.3 Architecture
2.4 AWS Transact architecture diagram
2.5 Architecture diagram
3 Creating the IAM roles
3.1 Creating the ECS role
4 Creating the VPC
5 Creating the VPC endpoints
5.1 Creating the shared security group
5.2 Creating an Elastic Container Registry (ECR) endpoint
5.3 Creating a CloudWatch endpoint
5.4 Creating an S3 endpoint
5.5 Creating a Secrets Manager endpoint
6 Creating the Subnets
7 Creating the Amazon MQ Broker
7.1 Creating the broker security group
7.2 Creating the broker
8 Restoring an RDS instance
8.1 Creating the RDS snapshot
8.2 Creating the database subnet group
8.3 Creating the RDS security group
8.4 Restoring the database
9 Creating secrets in Secrets Manager
9.1 Configuring an MQ broker secret
9.2 Creating an RDS instance secret
10 Creating the ECS services
10.1 Creating the cluster
10.2 Creating the task definitions
10.2.1 Creating the application task definition
10.2.2 Creating the web task definition
10.2.3 Creating the API task definition
10.2.4 Creating the UXP application task definition
10.2.5 Creating the UXP web task definition
11 Creating and configuring security groups
11.1 Creating the VPC link security group
11.2 Creating the application load balancer security group
11.3 Creating the Web service security group
11.4 Creating the application service security group
11.5 Creating the API service security group
11.6 Updating the Amazon MQ broker security group
11.7 Updating the RDS instance security group
11.8 Updating the load balancer security group
11.9 Updating the shared security group
12 Creating the load balancer
13 Creating services
13.1 Creating an application service
13.2 Creating the web service
13.3 Creating the API service
13.4 Creating the application UXP service
13.5 Creating the web UXP service
14 Updating the application load balancer configuration
14.1 Modifying web target group health check parameters
14.2 Modifying API target group health check parameters
15 API Gateway
15.1 Creating the VPC link
15.2 Creating the API
15.3 Configuring the API
16 Interacting with Transact
16.1 Logging in to BrowserWeb
16.2 Payments API
16.2.1 Sending a POST request
16.2.2 GET request
16.2.3 View account balances
17 Configuring application service scaling
18 AWS Troubleshooting
18.1 Accessing the CloudWatch logs in the AWS Console
18.1.1 Displaying parsed JSON in CloudWatch
18.1.2 Searching the logs in CloudWatch
18.1.3 Identifying TAFJ log files in CloudWatch
18.1.4 Locating logs in CloudWatch for a specific task
19 Using CloudWatch to check Transact start-up
20 Downloading the CloudWatch logs
20.1 Using AWS CLI
20.2 Using the JQ command line tool
21 TAFJEE Servlet
22 Glossary


1 About this runbook


This Stack 8 Cloud AWS Runbook will guide you through creating and deploying the R21 AWS
Transact architecture (Transact is Temenos' core banking solution), running Transact, the front-end
application (BrowserWeb, UXP Browser) and Temenos APIs in Amazon Elastic Container Service (ECS).


1.1 Legal

© Copyright 2021 Temenos Headquarters SA. All rights reserved.

The information in this guide relates to TEMENOS information, products and services. It also
includes information, data and keys developed by other parties.

While all reasonable attempts have been made to ensure accuracy, currency and reliability of the
content in this guide, all information is provided "as is".

There is no guarantee as to the completeness, accuracy, timeliness or the results obtained from the
use of this information. No warranty of any kind is given, expressed or implied, including, but not limited
to warranties of performance, merchantability and fitness for a particular purpose.

In no event will TEMENOS be liable to you or anyone else for any decision made or action taken in
reliance on the information in this document or for any consequential, special or similar damages, even
if advised of the possibility of such damages.

TEMENOS does not accept any responsibility for any errors or omissions, or for the results obtained
from the use of this information. Information obtained from this guide should not be used as a substitute
for consultation with TEMENOS.

References and links to external sites and documentation are provided as a service. TEMENOS is not
endorsing any provider of products or services by facilitating access to these sites or documentation
from this guide.

The content of this guide is protected by copyright and trademark law. Apart from fair dealing for the
purposes of private study, research, criticism or review, as permitted under copyright law, no part may
be reproduced or reused for any commercial purposes whatsoever without the prior written permission
of the copyright owner. All trademarks, logos and other marks shown in this guide are the property of
their respective owners.


1.2 History

Version 1.0, March 2019: First release. Authors: Aidan Pasquale and Dominik Wietrzak.

Version 1.1, March 2019: Addition of five new tasks. Authors: Aidan Pasquale and Dominik Wietrzak.

Version 2.0, September 2019: Troubleshooting sections added. Authors: Andrew McGuinness and Jonathan Page.

Version 3.0, October 2019: Various revisions throughout the runbook. Authors: Aidan Pasquale and Jonathan Page.

Version 4.0, December 2019: Added "Creating the IAM roles". Various minor revisions. Authors: Aidan Pasquale and Jonathan Page.

Version 4.1, February 2020: Minor updates. Authors: Chitra Rajaran and Jonathan Page.

Version 4.2, May 2021: Revised architecture and deployment procedure, added UXP deployment. Authors: Aidan Pasquale and Jonathan Page.


2 Introduction
This Stack 8 Cloud AWS Runbook will guide you through creating the AWS Transact (Temenos' core
banking solution) architecture shown in the diagram below.

This runbook covers:

- Creating an RDS instance by restoring it from a snapshot. Amazon Relational Database Service
  (RDS) is the AWS managed relational database service, designed to simplify the setup, operation
  and scaling of a relational database for use in applications.

- Creating a VPC. A virtual private cloud (VPC) is a logically isolated virtual network allocated to
  your account within the AWS public cloud.

- Creating an Amazon MQ broker, the managed message broker service for ActiveMQ (only if
  deploying classic BrowserWeb).

- Creating an ECS Fargate cluster. Amazon Elastic Container Service (ECS) is the AWS container
  orchestration service for Docker containers; Fargate is the compute engine for ECS that runs
  containers without you having to manage servers or clusters.

- Creating task definitions for services.

- Creating subnets for services.

- Creating the application load balancer (ALB).

- Setting up and configuring BrowserWeb and/or UXP Browser, Transact and a Temenos API
  service.

NOTE: This runbook does not cover building the Transact app, BrowserWeb, UXP web or API container
images, or restoring a Transact database in RDS. For guidance on building the container images, refer
to the delivery note document in your preimage kit. For the RDS database restore, see Saving Database
Images as EBS AWS Snapshots.

2.1 Prerequisites

To use this guide effectively, your AWS environment must meet a few requirements. You need:

- Access to an AWS account.

- An existing Transact Oracle or PostgreSQL database in RDS.

- Transact app, web and API container images stored in ECR.

- UXP app and web container images stored in ECR, if deploying UXP Browser.

- A valid SSL certificate linked to a domain name, either already stored in ACM or available to
  upload to ACM when required. This is needed for the SSL (HTTPS) listeners on the load balancer.

2.2 Terminology

In this guide, you will create a cluster, task definitions, and then services to run instances of the task
definitions in the cluster.

Cluster
A cluster is a regional grouping of one or more container instances on which you can run task
requests. Each account receives a default cluster the first time you use the Elastic Container Service
(ECS, the AWS container orchestration service for Docker containers).

It is possible to associate virtual machines with a cluster to run tasks on, but we are only using
Fargate services (Fargate is the compute engine for ECS that runs containers without you having to
manage servers or clusters), and the cluster automatically provisions hardware for the tasks
belonging to Fargate services.

Container
A container is an environment in which a piece of software can run, isolated like a virtual machine but
more lightweight.

Task Definition
A task definition sets the parameters for a task. The definition sets the name of the task, the amount of
allocated hardware for the task to utilise, and one or more container configurations. Each container
configuration section defines the name of the container within the task, the container image to be
used, the network ports to be exposed, and environment variables. (It is approximately equivalent to a
deployment in Kubernetes.)

Service
A service lets you specify how many copies of your task definition to run and maintain in a cluster, and
what network subnets to run them in. You can optionally use an Elastic Load Balancing load balancer
to distribute incoming traffic to the tasks in your service. Amazon ECS maintains that number of tasks
and coordinates task scheduling with the load balancer.

Task
A task is a running instance of a task definition in a service. It consists of one or more containers. (It is
equivalent to a pod in Kubernetes.)

Container Image
A container image is what the container defined in a task definition will run. The images used in this
reference architecture consist of an operating system (typically CentOS or Alpine Linux) and installed
software.

In this reference architecture, the images have OpenJDK (the free and open-source implementation of
the Java Platform, Standard Edition), WildFly (the application server formerly known as JBoss AS,
now developed by Red Hat) and Transact/TAFJ installed and configured. The image also contains a
command that is executed when the image is run in a task. In this case, the command starts the
WildFly servers, which run the Temenos products (UXP, BrowserWeb, TAFJJEE and so on).

2.3 Architecture

In this revised architecture for 2021, we have deprecated the following:

- Use of AWS CloudFront.

- REST APIs in API Gateway.

- The network load balancer (NLB).

- The Lambda function that handled routing between the network and application load balancers (ALB).


These have been replaced with a single HTTP API in the API Gateway. When we previously designed
the architecture with the ‘isolated’ network configuration (i.e. the VPC was not directly exposed via the
internet, rather it was accessed over a Private Link via API Gateway and CloudFront) HTTP APIs were
not available, so we had to use REST APIs.

The REST APIs could only be linked to an NLB that resided in the VPC, not an ALB, so despite the fact
we used an ALB to route traffic to our front-end products, we had to go via an NLB so that we could use
the API Gateway. This required a Lambda function that routed traffic from the NLB to the ALB via a
periodic DNS lookup, and then on to the application. This was a stopgap and not a desirable solution in
the long run. Now however, with the release of HTTP APIs, we can simplify the architecture by
removing CloudFront, the network load balancer and the Lambda function.

In this architecture, both the classic ‘BrowserWeb’ and the new UXP Browser have been tested – this
runbook will include the process for deploying both browsers. You can opt to use one browser and only
follow the appropriate sections, or you can deploy both. It should be noted that for UXP, the app image
has additional deployments and configuration compared to a standard app image used only by
BrowserWeb or APIs, so if you choose to deploy both browsers you will have two app services, though
they will ultimately still talk to the same Transact database.

2.4 AWS Transact architecture diagram

The architecture consists of three core services: a Transact application service, a BrowserWeb service
(BrowserWeb is the Temenos browser used for accessing the Transact application) and a PSD2
payments API service (PSD2 is the Revised Directive on Payment Services, whose rules aim to better
protect consumers when they pay online, promote innovative online and mobile payments such as open
banking, and make cross-border European payment services safer). If you also deploy UXP Browser, a
UXP application service and a UXP web service are added (see Creating the ECS services).
BrowserWeb and the API are accessed from outside the VPC through the API Gateway and the load
balancer that you will set up using this guide.

Earlier revisions of this runbook placed a CloudFront (content delivery network) distribution in front of
the API Gateway to mitigate issues that the BrowserWeb redirects can cause. In the revised 2021
architecture CloudFront has been removed (see Architecture) and the HTTP API in API Gateway fronts
the application load balancer directly. BrowserWeb and the API services communicate with the
Transact application service through an Amazon MQ broker (a managed message broker service for
ActiveMQ).


2.5 Architecture diagram


3 Creating the IAM roles


Because many services in AWS link to one another, they require IAM (Identity and Access
Management) roles that define the actions that a given service can perform. A role is a collection of
policies, and policies define permitted actions. For example, to pull container images in ECS (Elastic
Container Service) from ECR (Elastic Container Registry, the fully managed Docker container
registry), the ECS tasks must be allowed read access to ECR.

3.1 Creating the ECS role

Procedure

1. In the AWS console, go to Services > IAM > Roles.

2. Click Create role.

3. Choose Elastic Container Service.

4. Under Select your use case, select Elastic Container Service Task.

5. Click Next: Permissions.


6. Search for secretsmanager and select SecretsManagerReadWrite.

7. Search for ecstask and select AmazonECSTaskExecutionRolePolicy.

NOTE: SecretsManagerReadWrite grants read, write and administrative access to every secret in the
account, far more than a task execution role needs. ECS only needs secretsmanager:GetSecretValue
on the two secrets referenced by the task definitions (plus kms:Decrypt if those secrets are encrypted
with a customer-managed KMS key). Outside a demonstration environment, replace the managed policy
with an inline policy scoped to those secret ARNs once they exist (see Creating secrets in Secrets
Manager).

8. Click Next: Tags.

9. Click Next: Review.

10. Set the Role name to ecsTaskExecutionRole.

11. Click Create role.
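The following is an added example and not part of the Temenos runbook. It generates the two IAM documents behind the role created above: the trust policy that lets the ECS tasks service assume the role, and an inline policy that grants read-only access to exactly the secrets the task definitions reference, in place of the SecretsManagerReadWrite managed policy. The account ID, region and secret ARNs are placeholders; the real ARNs come from the Secrets Manager console.

```python
"""Added example (not Temenos code): IAM documents for the ECS task execution
role, with Secrets Manager access scoped to the task's own secrets.
Account ID, region and secret ARNs are constructed placeholders (assumption).
"""
import json

# Constructed placeholder ARNs; take the real ones from the Secrets Manager
# console after "Creating secrets in Secrets Manager" (assumption).
SECRET_ARNS = [
    "arn:aws:secretsmanager:us-west-1:123456789012:secret:Name-RDS-Secret-AbCdEf",
    "arn:aws:secretsmanager:us-west-1:123456789012:secret:Name-MQ-Secret-GhIjKl",
]


def execution_role_trust_policy():
    """Trust policy: only the ECS tasks service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def secrets_read_policy(secret_arns, kms_key_arn=None):
    """Inline policy granting read-only access to exactly the listed secrets.

    ECS resolves ValueFrom secrets with the execution role, so it needs
    secretsmanager:GetSecretValue on each ARN, and kms:Decrypt only when the
    secrets are encrypted with a customer-managed KMS key.
    """
    statements = [{
        "Sid": "ReadTaskSecrets",
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": list(secret_arns),
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptTaskSecrets",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [kms_key_arn],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_is_scoped(policy, allowed_actions):
    """True if every Allow statement uses only allowed_actions and names
    explicit resource ARNs (no '*' anywhere in a resource)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", "*")
        resources = [resources] if isinstance(resources, str) else list(resources)
        if not set(actions) <= set(allowed_actions):
            return False
        if any("*" in r for r in resources):
            return False
    return True


if __name__ == "__main__":
    # Feed these to `aws iam create-role --assume-role-policy-document` and
    # `aws iam put-role-policy --policy-document` respectively.
    print(json.dumps(execution_role_trust_policy(), indent=2))
    print(json.dumps(secrets_read_policy(SECRET_ARNS), indent=2))
```

Attach AmazonECSTaskExecutionRolePolicy as in step 7 (ECR pull and CloudWatch Logs) and add the generated inline policy; policy_is_scoped is the check to run before attaching anything, and it rejects SecretsManagerReadWrite-style statements because of their wildcard resources.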


4 Creating the VPC


You now need to create a Virtual Private Cloud (VPC). This is a virtual network that is logically isolated
from other networks.

Procedure

1. Go to Services > VPC > Your VPCs > Create VPC.

2. Give the VPC the name Name-T24Transact-VPC.

NOTE: You can give the resource any name you choose. We've followed this format, where Name- is
a prefix of your own choosing, for demonstration purposes.

3. Set the CIDR block to [Link]/16. This will define the range of IP addresses in your VPC.

4. Click Create VPC.

5. On the next screen go to the Actions dropdown. Click Edit DNS hostnames.

6. Enable DNS hostnames.

7. Click Save changes.

8. Now go to Actions again and go to Edit DNS resolution and check the Enable checkbox.

9. Click Save changes.


5 Creating the VPC endpoints


This architecture has no internet connectivity, which isolates it for security and resiliency, so we need
VPC endpoints that allow resources within the architecture to reach AWS services privately, for
example when pulling container images. ECR needs two interface endpoints (one for the registry API
and one for the Docker image pulls) plus the S3 gateway endpoint, because image layers are stored in
S3; CloudWatch Logs and Secrets Manager each need one interface endpoint.

5.1 Creating the shared security group

First we need a shared security group for the endpoints. This will allow your app and web services to
connect to the endpoint services over HTTPS (port 443) and nothing else.

1. Go to Services > EC2 > Security Groups > Create security group.

2. Set the Name to Name-Endpoints-SG.

3. Set the Description to Shared endpoints sg.

4. Choose your VPC from the VPC drop-down menu.

5. Click Add rule.

6. Set the Type to HTTPS.

7. Click in the Source search box and select your app, web and API security groups from the
dropdown menu. If you have not created those groups yet (they are created in Creating and
configuring security groups), create this group without an inbound rule for now; the rule is added
in Updating the shared security group.

8. Click Create security group.

5.2 Creating an Elastic Container Registry (ECR) endpoint

Procedure

1. Go to Services > VPC > Endpoints > Create Endpoint.

2. In the Service Name table, find [Link] and select it.

3. Scroll down and select your VPC from the VPC drop-down menu.


4. Ensure that both of your subnets are selected.

5. In the Security group table, select your ECR endpoint security group named Name-Endpoints-
SG.

6. Click Create endpoint.

7. Go to Services > VPC > Endpoints > Create Endpoint.

8. In the Service Name table, find [Link] and select it.

9. Scroll down and select your VPC from the VPC drop-down menu.

10. Ensure that both of your subnets are selected.

11. In the Security group table, select your ECR endpoint security group named Name-Endpoints-
SG.

12. Click Create endpoint.

5.3 Creating a CloudWatch endpoint

Procedure

1. Go to Services > VPC > Endpoints > Create Endpoint.

2. In the Service Name table, find [Link] and select it.

3. Scroll down and select your VPC from the VPC drop-down menu.

4. Ensure that both of your subnets are selected.

5. In the Security group table, select your endpoint security group named Name-Endpoints-SG.

6. Click Create endpoint.


5.4 Creating an S3 endpoint

Procedure

1. Go to Services > VPC > Endpoints > Create Endpoint.

2. In the Service Name table, find [Link]-west-1.s3 and select the Gateway.

3. Scroll down and select your VPC from the VPC drop-down menu.

4. Select the main route table.

5. Click Create endpoint.

5.5 Creating a Secrets Manager endpoint

Procedure


1. Go to Services > VPC > Endpoints > Create Endpoint.

2. In the Service Name table, find [Link] and select it.

3. Scroll down and select your VPC from the VPC drop-down menu.

4. Ensure that both of your subnets are selected.

5. In the Security group table, select your endpoint security group named Name-Endpoints-SG.

6. Click Create endpoint.


6 Creating the Subnets


We need to create just two isolated subnets for this architecture.

No services are directly publicly exposed, so there is no need for any public subnets (subnets with a
route to an internet gateway). We need two, each in a separate availability zone (AZ) for high
availability.

Procedure

1. Go to Services > VPC > Subnets and click Create subnet.

2. Choose your VPC from the VPC ID dropdown.

3. Set the name to Name-isolated-a.

4. Set the Availability Zone to the first zone of the region (1a).

5. Set the IPv4 CIDR block to [Link]/18.

6. Click Add new subnet at the bottom of the page.

7. Set the name to Name-isolated-b.

8. Set the Availability Zone to the second zone for the region; in US-WEST-1, for example, this
would be 1c.

9. Set the IPv4 CIDR block to [Link]/18.

10. Click Create subnet.


7 Creating the Amazon MQ Broker


We need to create an Amazon MQ broker, a managed message broker service for ActiveMQ. This
broker carries the JMS communication between the BrowserWeb, API and app containers. UXP
Browser does not use the Amazon MQ broker to communicate with the app server; that is handled
instead by ECS service discovery, which is configured at a later stage in this runbook.

If you are only deploying UXP and not BrowserWeb, APIs or any other JMS-based products, this
section can be skipped.

7.1 Creating the broker security group

Procedure

1. Go to Services > EC2 > Security Groups, located in the left menu bar under the Network &
Security section.

2. Click Create Security Group.

3. Set the Security group name to Name-Transact-MQ-SG.

4. Set the Description field to MQ Security group.

5. Select your VPC from the VPC drop-down menu.

6. Click Create security group.

7.2 Creating the broker

Procedure

1. Go to Services > Amazon MQ > Create broker.

2. Select Apache ActiveMQ and click Next.

3. Choose Single-instance broker and click Next.

4. Give the broker the name Name-Transact-Broker.


5. Set a username and password.

NOTE: Make a note of the username and password. The password is stored in Secrets Manager in
Configuring an MQ broker secret, and the username is set as a plain environment variable in the task
definitions. Use a strong, generated password that is not reused for the database.

6. Expand Additional settings.

7. Under Network and security, set VPC and subnets to Select existing VPC and subnet(s).
Select your VPC and one of your isolated subnets from the drop-down menus.

8. Under Security group(s), select the option Select existing security groups and select your
security group (Name-Transact-MQ-SG).

9. Set Public accessibility to No.

10. Click Create broker.

NOTE: The broker takes approximately 10 - 15 minutes to create. You can continue with the next
section.


8 Restoring an RDS instance


This guide assumes that you have an existing Transact Oracle or PostgreSQL RDS instance that you
restored from a model bank dump file (see Prerequisites). You now need to create a snapshot of your
existing instance to restore another database that you will use in this environment.

8.1 Creating the RDS snapshot

1. Go to Services > RDS > Databases > Your Database.

2. From the Actions dropdown menu, select Take Snapshot.

3. Set the Snapshot name to a name of your choosing, for example Transactdb, and then click
Take Snapshot.


8.2 Creating the database subnet group

Procedure

1. Go to Services > RDS > Subnet groups > Create DB Subnet Group.

2. Set the Name to Name-db-sng.

3. Set the Description field to Database subnets.

4. Set the VPC to Name-Transact-VPC.

5. In the Add subnets section, check both availability zones in the Availability Zones dropdown.

6. Then check both subnets in the Subnets dropdown.

7. Click Create.

8.3 Creating the RDS security group

Procedure

1. Go to Services > EC2 > Security Groups > Create Security Group.

2. Set the Security group name to Name-DB-SG.

3. Set the Description field to SG for RDS instance.

4. Choose your VPC from the VPC drop-down menu.

5. Click Create security group. We will add ingress rules to the group at a later stage that allow the
app service to connect to the database.

8.4 Restoring the database

Procedure


1. Go to Services > RDS and navigate to the Snapshots tab in the left side bar.

2. Search for the snapshot (in this case, Transactdb) and select it.

3. Click Actions > Restore Snapshot.

4. Set the DB Instance Class to db.m4.large.

NOTE: This instruction is for demonstration purposes only. Configure the hardware settings
according to your needs.

5. Set the DB Instance Identifier to Name-Transact-DB.

6. Set the VPC to Name-Transact-VPC.

7. Set the Subnet group to Name-db-sng.

8. Set Public access to No.

9. In the VPC security groups section, select Choose existing VPC security groups.

10. Choose your DB security group (Name-DB-SG).

11. Remove the default (VPC) security group by clicking the cross.

12. Click Restore DB Instance.


9 Creating secrets in Secrets Manager


Our containers use environment variables that are consumed at runtime to configure their database
and messaging broker connections (connection string, username and password). In an AWS
environment, these environment variables are set in the task definitions. To avoid setting the
passwords in plain text, we use Secrets Manager, the AWS managed service that stores secrets
encrypted at rest, controls access to them with fine-grained IAM permissions and audits their use
centrally. ECS reads the referenced values from Secrets Manager when a task starts and injects them
into the container, so the passwords never appear in the task definition itself.

9.1 Configuring an MQ broker secret

NOTE: Skip this section if you have not deployed Amazon MQ.

Procedure

1. Go to Service > Secrets Manager > Store a new secret.

2. Set secret type to Other type of secrets.

3. Go to the Plaintext tab.


4. In the text box, delete the existing characters and enter the password that you set when you
were creating the user at broker creation.

NOTE: See Creating the Amazon MQ Broker.

5. Click Next.

6. Set Secret Name to Name-MQ-Secret.

7. Click Next.

8. Leave Disable automatic rotation selected.

NOTE: Automatic rotation periodically replaces the stored credential itself (a rotation Lambda function
generates a new password and updates it on the database or broker), so that a leaked password stops
working at the next rotation. This is good practice in a production environment, but we won't use
automatic rotation for this demonstration environment.

9. Click Next.

10. Click Store.


9.2 Creating an RDS instance secret

Procedure

1. Go to Service > Secrets Manager > Store a new secret.

2. Set secret type to Credentials for RDS database.

3. Set your database username and password in the User name and Password boxes.

4. Select your RDS instance from the list at the bottom of the page.

5. Click Next.

6. Set the Secret name to Name-RDS-Secret and click Next.

7. Click Next again and finally click Store.


10 Creating the ECS services


To create the services that run and manage the Transact app, web, UXP and API containers, you
need to create:

1. The ECS2 cluster.

2. The task definitions that specify the container parameters.

3. The load balancers that route traffic from the API gateway to the services.

4. Security groups that allow the flow of traffic between resources.

5. The services themselves that instantiate the task definitions.

10.1 Creating the cluster

Procedure

1. Go to Services > ECS > Clusters and click Create Cluster.

2. Choose Networking only and click Next step.


3. Give the cluster the name Name-Transact-Cluster and click Create.

4. Click View Cluster.

10.2 Creating the task definitions

Before you can create services that run the Transact containers in your newly created cluster, you must
create task definitions that define the container parameters, such as container image, dedicated
memory, the number of virtual CPUs, and the runtime environment variables.

10.2.1 Creating the application task definition

Procedure

1. In the ECS console, go to Task Definitions on the left menu bar.

2. Click Create new Task Definition. On the next page choose Fargate and click Next step.

3. Give the task definition the name Name-Transact-App, and set the Task Role to
ecsTaskExecutionRole.

NOTE: Check that the Task execution role field is also set to ecsTaskExecutionRole. ECS uses the
execution role, not the task role, to pull the image from ECR, read the ValueFrom secrets and write to
CloudWatch Logs; the task role is the identity the application code itself runs with.

4. Scroll down to the section titled Task Size. This is where you define the memory and the number of
virtual CPUs allocated to the task. As this is going to be the application service running Transact,
set the memory to 4GB and the number of vCPUs to 2.

5. Click Add container.


6. Name the container Transact-App. In the Image text box, paste the ECR URI of your app image.

7. Under Port mappings, add a container port of 8443.

8. In a new tab in your browser (do not close your current task definition tab), go to the AWS
console and navigate to Services > AmazonMQ, find your broker and click it.

9. Copy the OpenWire value from the Connections section.

10. Switch back to your ECS task definition tab, scroll down to the Environment section and add a
Key field, set to JMS_URL.

11. In the Value field, paste the copied string.


12. In your second tab, navigate to Services > RDS > DB Instances and click on your instance ID.
Copy the Endpoint value.

13. Switch back to your task definition tab and set a new Key value to DB_URL.

14. In the Value field, paste the copied endpoint.

15. Insert the following before the copied endpoint in the Value field.
For Oracle:

jdbc:oracle:thin:@

For PostgreSQL:

jdbc:postgresql://

16. Append the following to the end of the connection string, where <DBNAME> is the database
name. The ports shown are the engine defaults; use the Port value shown on the RDS instance if it
was changed when the database was created.

For Oracle:

:1521/<DBNAME>

For PostgreSQL:

:5432/<DBNAME>


17. Add a Key of JMS_USER, and set the value to the username that you specified when creating
the broker.

NOTE: See "Creating the Amazon MQ Broker"

18. Add another Key named DB_USER and change the Value dropdown to ValueFrom.

19. In the other tab, navigate to Services > Secrets Manager.

20. Go to your RDS secret and copy the Secret ARN.

21. Switch back to your task definition tab, paste the copied ARN in the Value box, and append
:username:: (this selects the username key of the JSON secret).

22. Add another Key of DB_PASSWORD.

23. Change the Value dropdown to ValueFrom.

24. Paste the copied ARN in the Value box and append :password::


25. Switch back to your Secrets Manager tab and go to your MQ secret.

26. Copy the Secret ARN value.

27. Switch back to your task definition tab and add another Key entry named JMS_PASSWORD.

28. From the Value drop-down menu, select ValueFrom.

29. Paste the copied ARN in the Value box. Because the MQ secret was stored as a plaintext value
rather than JSON, the ARN is used on its own, with no key suffix.

30. Click Add and then Create.
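The following is an added example and not part of the Temenos runbook. It assembles the application task definition from the console steps above as a JSON document of the form accepted by aws ecs register-task-definition --cli-input-json: the DB_URL is built from the RDS endpoint with the JDBC prefix and default port for the engine, the usernames and passwords are injected through secrets/valueFrom rather than placed in environment, and a check function flags any credential that was left in plain text. The image URI, broker URL, RDS endpoint, secret ARNs and role ARN are constructed placeholders.

```python
"""Added example (not Temenos code): the Transact application task definition
as JSON, with credentials sourced from Secrets Manager via valueFrom.
Image URI, endpoints, secret ARNs and role ARN are placeholders (assumption).
"""
import json

# JDBC prefix and engine default port; RDS uses these unless the port was changed.
JDBC = {
    "oracle": ("jdbc:oracle:thin:@", 1521),
    "postgresql": ("jdbc:postgresql://", 5432),
}


def jdbc_url(engine, endpoint, dbname, port=None):
    """DB_URL value: <prefix><endpoint>:<port>/<dbname>."""
    prefix, default_port = JDBC[engine]
    return "%s%s:%d/%s" % (prefix, endpoint, port or default_port, dbname)


def secret_ref(secret_arn, json_key=None):
    """valueFrom for an ECS secret. A bare ARN injects the whole secret value
    (the plaintext MQ secret); ARN + ':<key>::' selects one key of a JSON
    secret (the 'username'/'password' keys of the RDS secret)."""
    return "%s:%s::" % (secret_arn, json_key) if json_key else secret_arn


def app_task_definition(image, jms_url, jms_user, db_engine, db_endpoint, dbname,
                        rds_secret_arn, mq_secret_arn, exec_role_arn):
    """Fargate task definition mirroring 'Creating the application task definition'."""
    container = {
        "name": "Transact-App",
        "image": image,
        "essential": True,
        "portMappings": [{"containerPort": 8443, "protocol": "tcp"}],
        "environment": [
            {"name": "JMS_URL", "value": jms_url},
            {"name": "JMS_USER", "value": jms_user},
            {"name": "DB_URL", "value": jdbc_url(db_engine, db_endpoint, dbname)},
        ],
        "secrets": [
            {"name": "DB_USER", "valueFrom": secret_ref(rds_secret_arn, "username")},
            {"name": "DB_PASSWORD", "valueFrom": secret_ref(rds_secret_arn, "password")},
            {"name": "JMS_PASSWORD", "valueFrom": secret_ref(mq_secret_arn)},
        ],
    }
    return {
        "family": "Name-Transact-App",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "2048",      # 2 vCPU
        "memory": "4096",   # 4 GB
        "executionRoleArn": exec_role_arn,
        "containerDefinitions": [container],
    }


def plaintext_credentials(task_def):
    """Names of plain-text 'environment' entries that look like credentials
    and should have been 'secrets' entries instead."""
    markers = ("PASSWORD", "PASSWD", "SECRET", "TOKEN")
    return [
        env["name"]
        for c in task_def["containerDefinitions"]
        for env in c.get("environment", [])
        if any(m in env["name"].upper() for m in markers)
    ]


# Constructed sample inputs (assumption); replace with the values copied from
# the ECR, Amazon MQ, RDS and Secrets Manager consoles.
EXAMPLE_TASK_DEF = app_task_definition(
    image="123456789012.dkr.ecr.us-west-1.amazonaws.com/transact-app:R21",
    jms_url="ssl://b-0000-1.mq.us-west-1.amazonaws.com:61617",
    jms_user="mqadmin",
    db_engine="postgresql",
    db_endpoint="name-transact-db.abc123.us-west-1.rds.amazonaws.com",
    dbname="T24",
    rds_secret_arn="arn:aws:secretsmanager:us-west-1:123456789012:secret:Name-RDS-Secret-AbCdEf",
    mq_secret_arn="arn:aws:secretsmanager:us-west-1:123456789012:secret:Name-MQ-Secret-GhIjKl",
    exec_role_arn="arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
)

if __name__ == "__main__":
    assert not plaintext_credentials(EXAMPLE_TASK_DEF)
    print(json.dumps(EXAMPLE_TASK_DEF, indent=2))
```

The same helpers produce the web and API task definitions: they differ only in the image, the task size, and the absence of the DB_* entries. Run plaintext_credentials over any task definition you export from the console before registering it, since a password pasted into a Value field instead of ValueFrom is readable by anyone with ecs:DescribeTaskDefinition.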

10.2.2 Creating the web task definition

Procedure

1. Go back to the task definitions section in ECS. Click Create new Task Definition, choose
Fargate and click Next step.

2. Name it Name-Transact-Web and set the Task Role to ecsTaskExecutionRole. Set the Task
memory to 2GB and Task CPU to 0.5 vCPU.


3. Click Add container.

4. Give it the name Transact-Web and paste the ECR endpoint URI of your web image in the
Image text box.

5. Under Port Mappings, set 8443.

6. In a new tab in your browser (do not close your current task definition tab), go to the AWS
console and navigate to Services > AmazonMQ, find your broker and click it.

7. Copy the OpenWire value from the Connections section.

8. Switch back to your ECS task definition tab and set the Key field to JMS_URL under the
Environment section.

9. In the Value field, paste the copied string.

10. Add a Key of JMS_USER and set the value to the username that you specified when you
created the broker.

NOTE: See Creating the Amazon MQ Broker

11. In your other open tab, navigate to Services > Secrets Manager.

12. Go to your MQ secret.

13. Copy the Secret ARN value.

14. Switch back to your task definition tab and add another Key entry named JMS_PASSWORD.

15. From the Value drop-down menu, select ValueFrom.

16. In the Add value field, paste the copied ARN.

17. Click Add and then click Create.

10.2.3 Creating the API task definition

The API service deploys a PSD2¹ payments API. This allows GET and POST requests to be executed
from a REST client against Transact that can create payment orders and retrieve information about
existing orders.

Procedure

1. Go back to the task definitions section in ECS. Click Create new Task Definition, choose
Fargate and click Next step.

2. Name it Name-Transact-API and set Task Role to ecsTaskExecutionRole.

3. Set the task size to 4GB and 2 vCPU.

¹ Revised Directive on Payment Services (PSD2). The new rules aim to better protect consumers when they pay online, promote the development and
use of innovative online and mobile payments such as through open banking, and make cross-border European payment services safer.

4. Click Add container.

5. Give it the name Transact-API and paste the ECR endpoint URI of your API image in the Image text
box.

6. Set the Port mappings field to 8443.

7. In a new tab in your browser (do not close your current task definition tab), go to the AWS
console and navigate to Services > AmazonMQ, find your broker and click it.

8. Copy the OpenWire value from the Connections section.

9. Switch back to your ECS task definition tab and set the Key field to JMS_URL under the
Environment section.

10. In the Value field, paste the copied string.

11. Add a Key of JMS_USER and set the value to the username that you specified when you created the
broker.

NOTE: See Creating the Amazon MQ Broker

12. In your other open tab, navigate to Services > Secrets Manager.

13. Go to your MQ secret.

14. Copy the Secret ARN value.

15. Switch back to your task definition tab and add another Key entry named JMS_PASSWORD.

16. From the Value drop-down menu, select ValueFrom.

17. In the Add value field, paste the copied ARN.

18. Click Add and then click Create.

10.2.4 Creating the UXP application task definition

Procedure

1. In the ECS console, go to Task Definitions on the left menu bar.

2. Click Create new Task Definition. On the next page choose Fargate and click Next step.

3. Give the task definition the name Name-Transact-App-UXP and set the Task Role to
ecsTaskExecutionRole.

4. Scroll down to the section titled Task Size. This is where you define the memory and number of
virtual CPUs to be allocated to the task. As this is going to be the application service running
Transact with the UXP components, set the memory to 12GB, and the number of vCPUs to 4.

5. Click Add container.

6. Name the container Transact-App-UXP. In the Image text box, paste the ECR endpoint URI of
your UXP app image.

7. Set the Port mappings to 9080.

8. In your second tab, navigate to Services > RDS > DB Instances and click on your instance ID.
Copy the Endpoint value.

9. Switch back to your task definition tab and under the Environment section set a new Key value
to DB_URL.

10. In the Value field, paste the copied endpoint.

11. Insert the following before the copied endpoint in the value field.

For Oracle:

jdbc:oracle:thin:@

For PostgreSQL:

jdbc:postgresql://

12. Append the following to the end of the connection string:

For Oracle:

:1521/TRANSACTDB

For PostgreSQL:

:5432/TRANSACTDB?autosave=always

13. Add another Key named DB_USER and change the Value dropdown to ValueFrom.

14. In the other tab, navigate to Services > Secrets Manager.

15. Go to your RDS secret and copy the Secret ARN.

16. Switch back to your task definition tab and paste the copied ARN in the Value box, and append
:username::

17. Add another Key with the value of DB_PASSWORD and change the Value dropdown to
ValueFrom.

18. Paste the copied ARN and append :password::

19. Add another Key named APP_PWD and value 123456.

20. Add another Key named APP_USER and value SSOUSER1.

21. Add another Key named BRP_HOME and value /srv/Temenos.

22. Add another Key named WWW_PORT and value 9080.

23. Scroll down to the Resource Limits section and set the dropdown to NOFILE.

24. Set the Soft limit to 1024 and the Hard limit to 5048.

25. Click Add and then Create.

10.2.5 Creating the UXP web task definition

Procedure

1. Go back to the task definitions section in ECS. Click Create new Task Definition, choose
Fargate and click Next step.

2. Name it Name-Transact-Web-UXP and set the Task Role to ecsTaskExecutionRole.

3. Set the Task memory to 4GB and Task CPU to 2 vCPU.

4. Click Add container.

5. Give it the name Transact-Web-UXP and paste the image ECR URI in the Image text box.

6. Under Port Mappings, set 8443.

7. Under the Environment section, add a Key named APP_PWD and set the value to 123456.

45
Stack 8 Cloud AWS Internal Runbook

8. Add another Key named APP_USER and value SSOUSER1.

9. Add another Key named BRP_HOME and value /srv/Temenos.

10. Click Add and then click Create.
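As an added example (not from the runbook), the following Python assembles the Transact-App-UXP container definition from section 10.2.4 as ECS task-definition JSON and separates what is injected from Secrets Manager (DB_USER and DB_PASSWORD via valueFrom) from what sits in plaintext in the task definition (APP_PWD, as the runbook sets it). The RDS endpoint and the secret ARNs are constructed placeholders, and the app secret used for the alternative is hypothetical.

```python
"""Added example (not from the runbook): build the container settings of the UXP application
task definition (section 10.2.4) as ECS task-definition JSON and report which credentials
come from Secrets Manager ('secrets'/valueFrom) and which are plaintext 'environment' values."""
import json
import re

# Constructed placeholder values. In a real deployment these are the RDS endpoint and the
# secret ARNs copied from your own account, as the runbook steps describe.
RDS_ENDPOINT = "name-transact-db.abc123def456.eu-west-1.rds.amazonaws.com"
RDS_SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:Name-RDS-Secret-AbCdEf"
APP_SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:Name-App-Secret-GhIjKl"  # hypothetical

JDBC_PREFIX = {"oracle": "jdbc:oracle:thin:@", "postgresql": "jdbc:postgresql://"}
JDBC_SUFFIX = {"oracle": ":1521/{db}", "postgresql": ":5432/{db}?autosave=always"}

# Environment variable names that usually carry a credential.
CREDENTIAL_NAME = re.compile(r"(PWD|PASSWORD|PASSWD|SECRET|TOKEN)$", re.IGNORECASE)


def db_url(engine, endpoint, dbname):
    """DB_URL exactly as steps 10 to 12 build it: JDBC prefix + RDS endpoint + port/database."""
    return JDBC_PREFIX[engine] + endpoint + JDBC_SUFFIX[engine].format(db=dbname)


def secret_ref(secret_arn, json_key):
    """ECS valueFrom for one JSON key of a Secrets Manager secret:
    <secret ARN>:<json-key>:<version-stage>:<version-id>. The two trailing colons leave
    version stage and version id empty, which selects the current version (steps 16 and 18)."""
    return f"{secret_arn}:{json_key}::"


def uxp_app_container(engine="postgresql", image="<ECR image URI>", store_app_pwd_in_secret=False):
    """Container definition for Transact-App-UXP. With the defaults it mirrors the runbook,
    including APP_PWD as a plaintext environment variable; with store_app_pwd_in_secret=True
    the password is read from the (hypothetical) app secret instead."""
    environment = {
        "DB_URL": db_url(engine, RDS_ENDPOINT, "TRANSACTDB"),
        "APP_USER": "SSOUSER1",
        "BRP_HOME": "/srv/Temenos",
        "WWW_PORT": "9080",
    }
    secrets = {
        "DB_USER": secret_ref(RDS_SECRET_ARN, "username"),
        "DB_PASSWORD": secret_ref(RDS_SECRET_ARN, "password"),
    }
    if store_app_pwd_in_secret:
        secrets["APP_PWD"] = secret_ref(APP_SECRET_ARN, "password")
    else:
        environment["APP_PWD"] = "123456"  # value the runbook sets in step 19
    return {
        "name": "Transact-App-UXP",
        "image": image,
        "portMappings": [{"containerPort": 9080, "protocol": "tcp"}],
        "environment": [{"name": k, "value": v} for k, v in environment.items()],
        "secrets": [{"name": k, "valueFrom": v} for k, v in secrets.items()],
        "ulimits": [{"name": "nofile", "softLimit": 1024, "hardLimit": 5048}],
    }


def plaintext_credentials(container):
    """Environment variables that look like credentials but are stored in plaintext in the
    task definition, i.e. readable by anyone allowed to describe the task definition."""
    return sorted(e["name"] for e in container["environment"] if CREDENTIAL_NAME.search(e["name"]))


def secret_sources(container):
    """Secret ARNs the task reads; the task execution role needs secretsmanager:GetSecretValue
    on exactly these and nothing more."""
    return sorted({s["valueFrom"].rsplit(":", 3)[0] for s in container["secrets"]})


if __name__ == "__main__":
    container = uxp_app_container()
    print(json.dumps(container, indent=2))
    print("plaintext credentials:", plaintext_credentials(container))
    print("secrets read:", secret_sources(container))
```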

11 Creating and configuring security groups

Before creating the services, API and the load balancers, you must create the security groups that
define what traffic can reach which parts of the architecture.

11.1 Creating the VPC link security group

At a later stage in this runbook, you will create an API in the AWS API Gateway service. This API will
utilise a VPC Link, which is a private connection to a given resource that resides within a private VPC. In
this architecture, the VPC Link will be to your application load balancer. The VPC link needs a security
group – this will then be referenced in your ALB security group, thus allowing the API traffic to reach the
ALB.

Procedure

1. Go to Services > EC2 > Security Groups > Create security group.

2. Set the Security group name to Name-VPC-Link-SG.

3. Set the Description field to VPC link SG.

4. Select your VPC from the VPC drop-down menu.

5. Click Create security group.

6. Copy the security group ID.

11.2 Creating the application load balancer security group

Now you will create the security group for the application load balancer. This will permit traffic from the
API Gateway & VPC Link to the load balancer, and thus to the Temenos applications.

Procedure

1. Go to Services > EC2 > Security Groups > Create security group.

2. Set the Security group name to Name-LB-SG.

3. Set the Description field to ALB SG.

4. Select your VPC from the VPC drop-down menu.

5. Click Create security group.

6. Select your ALB security group, and go to Actions > Edit inbound rules.

7. In the Type dropdown, select HTTPS.

8. In the Source field, paste the ID of the VPC link security group that you copied in the previous
section.

9. Click Save rules.

11.3 Creating the Web service security group

In this section you will create the security group which allows traffic from the load balancer to the front-
end Temenos application tasks.

Procedure

1. Go to Services > EC2 > Security Groups.

2. Find your load balancer security group (Name-LB-SG).

3. Select it and copy the Group ID value by clicking the clipboard icon.

4. Click Create Security Group.

5. Set the Security group name to Name-Web-SG.

6. Set the Description field to Web service SG.

7. Select your VPC from the VPC dropdown menu.

8. Click Add Rule.

9. Set Type to HTTPS.

10. In the Source field, paste the copied group ID value and select the security group from the
dropdown.

11. Click Create security group.

11.4 Creating the application service security group

In this section you will create the security group which allows traffic from the load balancer to the
Transact tasks.

Procedure

1. Go to Services > EC2 > Security Groups > Create Security Group.

2. Set the Security group name to Name-App-SG.

3. Set the Description field to App service SG.

4. Select your VPC from the VPC dropdown menu.

5. Click Add rule and set the Port range to 9080.

6. Click in the Source field, and in the dropdown, find and select your web security group (Name-
Web-SG).

7. Click Create security group.

11.5 Creating the API service security group

Here you will create the security group that allows traffic from the load balancer to the API tasks.

Procedure

1. Go to Services > EC2 > Security Groups > Create Security Group.

2. Set the Security group name to Name-API-SG.

3. Set the Description field to API service SG.

4. Select your VPC from the VPC drop-down menu.

5. Click Add Rule.

6. Set Type to Custom TCP.

7. Set Port Range to 8080.

8. In the Source field, paste the copied group ID value.

9. Click Create.

11.6 Updating the Amazon MQ broker security group

After you have created your app, web and API service security groups, you need to update your MQ
broker security group to allow connections from them, so that the containers can connect to the broker.

Skip this section if you did not create an Amazon MQ broker.

Procedure

1. Go to Services > EC2 > Security Groups.

2. Find your app security group (Name-App-SG).

3. Select it and copy the Group ID.

4. Search for your MQ broker security group (Name-Transact-MQ-SG).

5. Go to the Inbound tab and click Edit.

6. From the Type drop-down menu, select Custom TCP.

7. Set the Port Range to 61617.

8. Paste the copied group ID in the Source field.

9. Click Save.

10. Search for your web service security group (Name-Web-SG).

11. Again, copy the Group ID value.

12. Now search for your MQ security group again (Name-Transact-MQ-SG) and select it.

13. Go to the Inbound tab and click Edit.

14. Click Add Rule.

15. Ensure the Type is set to Custom TCP.

16. Set the Port Range to 61617.

17. Paste the copied value in the Source field.

18. Click Save.

19. Search for your API service security group (Name-API-SG) and select it.

20. Again, copy the Group ID value.

21. Search for your MQ security group again (Name-Transact-MQ-SG) and select it.

22. Go to the Inbound tab and click Edit.

23. Click Add Rule.

24. Ensure the Type is set to Custom TCP.

25. Set the Port Range to 61617.

26. Paste the copied value in the Source field.

27. Click Save. Your services will now be allowed to connect to the messaging broker when they are
deployed.

11.7 Updating the RDS instance security group

You also need to update your database security group to allow connections from the application service
only.

Procedure

1. Go to Services > EC2 > Security Groups.

2. Find your app security group (Name-App-SG).

3. Select it and copy the Group ID.

4. Search for your RDS security group (Name-DB-SG).

5. Go to the Inbound tab and click Edit.

6. Click Add rule.

7. From the Type drop-down menu, select Oracle-RDS or PostgreSQL depending on which
database you are using.

8. Paste the copied group ID in the Source field.

9. Click Save.

11.8 Updating the load balancer security group

Now you need to update the load balancer security group to ensure traffic can be routed to the app and
web services.

Procedure

1. Go to Services > EC2 > Security Groups.

2. Find your app security group (Name-App-SG).

3. Select it and copy the Group ID.

4. Search for your MQ broker security group (Name-Transact-MQ-SG).

5. Go to the Inbound tab and click Edit.

6. From the Type drop-down menu, select Custom TCP.

7. Set the Port Range to 61617.

8. Paste the copied group ID in the Source field.

9. Click Save.

10. Search for your web service security group (Name-Web-SG).

11. Again, copy the Group ID value.

12. Now search for your MQ security group again (Name-Transact-MQ-SG) and select it.

13. Go to the Inbound tab and click Edit.

14. Click Add Rule.

15. Ensure the Type is set to Custom TCP.

16. Set the Port Range to 61617.

17. Paste the copied value in the Source field.

18. Click Save.

19. Search for your API service security group (Name-API-SG) and select it.

20. Again, copy the Group ID value.

21. Search for your MQ security group again (Name-Transact-MQ-SG) and select it.

22. Go to the Inbound tab and click Edit.

23. Click Add Rule.

24. Ensure the Type is set to Custom TCP.

25. Set the Port Range to 61617.

26. Paste the copied value in the Source field.

27. Click Save. Your services will now be allowed to connect to the messaging broker when they are
deployed.

11.9 Updating the shared security group

You must now update your shared security group to allow traffic from your web, app and API security
groups. This will allow your services to connect to the endpoints.

1. Go to Services > EC2 > Security Groups and find your endpoints security group (Name-
Endpoints-SG) and select it.

2. Go to the Inbound rules tab and click Edit inbound rules.

3. Click Add rule.

4. Set the Type to HTTPS.

5. Click in the Source search box and select your app, web & API security groups from the
dropdown menu.

6. Click Save rules.
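To see what the rules from sections 11.1 to 11.9 add up to, here is an added example (not part of the runbook) that models them in Python and checks the resulting reachability: which groups can open a connection to the database, and which chains of hops lead from the API Gateway entry point to it. The security group names are the runbook's; the RDS port shown is the PostgreSQL one.

```python
"""Added example (not from the runbook): a model of the security-group rules built in sections
11.1 to 11.9, with checks that the database is reachable only from the application tier and that
the only route from the API Gateway entry point to the database runs through every tier."""

# Inbound rules as (destination SG, port, source). Every source is another security group rather
# than a CIDR, which is what keeps the tiers isolated. Ports are the ones the runbook sets; the
# RDS rule is shown for PostgreSQL (Oracle-RDS would be 1521). Section 11.8 is omitted because
# its steps repeat those of 11.6.
RULES = [
    ("Name-LB-SG", 443, "Name-VPC-Link-SG"),        # 11.2: API Gateway VPC link -> ALB
    ("Name-Web-SG", 443, "Name-LB-SG"),             # 11.3: ALB -> BrowserWeb tasks
    ("Name-App-SG", 9080, "Name-Web-SG"),           # 11.4: web tier -> Transact app tasks
    ("Name-API-SG", 8080, "Name-LB-SG"),            # 11.5: ALB -> API tasks
    ("Name-Transact-MQ-SG", 61617, "Name-App-SG"),  # 11.6: app, web and API -> broker (OpenWire)
    ("Name-Transact-MQ-SG", 61617, "Name-Web-SG"),
    ("Name-Transact-MQ-SG", 61617, "Name-API-SG"),
    ("Name-DB-SG", 5432, "Name-App-SG"),            # 11.7: app tier only -> RDS
    ("Name-Endpoints-SG", 443, "Name-App-SG"),      # 11.9: services -> VPC endpoints
    ("Name-Endpoints-SG", 443, "Name-Web-SG"),
    ("Name-Endpoints-SG", 443, "Name-API-SG"),
]


def direct_sources(dst, rules=RULES):
    """Security groups (or CIDRs) that may open a connection straight to dst, on any port."""
    return sorted({src for d, _, src in rules if d == dst})


def paths(src, dst, rules=RULES):
    """All loop-free chains of hops from src to dst. A hop A -> B exists when some rule on B
    names A as its source, so the result shows what a task placed in src could reach in turn."""
    edges = {}
    for d, _, s in rules:
        edges.setdefault(s, set()).add(d)
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(path)
            continue
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in path:
                stack.append(path + [nxt])
    return sorted(found)


def findings(rules=RULES):
    """Rules that break the intended least-privilege shape: a CIDR source anywhere, or a
    database rule whose source is not the application security group."""
    out = []
    for dst, port, src in rules:
        if "/" in src:
            out.append(f"{dst}:{port} open to CIDR {src}")
        if dst == "Name-DB-SG" and src != "Name-App-SG":
            out.append(f"{dst}:{port} reachable from {src}; expected Name-App-SG only")
    return out


if __name__ == "__main__":
    print("DB reachable directly from:", direct_sources("Name-DB-SG"))
    for p in paths("Name-VPC-Link-SG", "Name-DB-SG"):
        print(" -> ".join(p))
    print("findings:", findings())
    # A wide-open database rule, constructed here to show what the check reports.
    print("with an open rule:", findings(RULES + [("Name-DB-SG", 5432, "0.0.0.0/0")]))
```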

12 Creating the load balancer

This architecture uses a layer 7 application load balancer. The API Gateway is the single point-of-entry
to the VPC through a VPC link. The VPC link routes traffic to the application load balancer over a
secure connection.

Procedure

1. Go to Services > EC2 > Load Balancers > Create Load Balancer.

2. Choose Application Load Balancer.

3. Name the load balancer Name-ALB.

4. For Scheme, select internal.

5. Set the Load Balancer Protocol to HTTPS.

6. Under the Availability Zones section, select your VPC from the VPC drop-down menu.

7. Select both availability zone check boxes.

8. Click Next: Configure Security Settings.

NOTE: At this point you need to either choose an existing ACM or IAM certificate or upload one.

9. Choose the certificate and then click Next: Configure Security Groups.

10. Choose Select an existing security group.

11. Select the load balancer security group that you created previously (Name-LB-SG).

12. Click Next: Configure Routing.

13. Set the Name field to Name-Default-ALB-TG.

14. Click Next: Register Targets.

15. Click Next: Review.

16. Click Create.

13 Creating services

Now that you have your task definitions and subnets ready, it is time to create the services for Transact
and BrowserWeb.

13.1 Creating an application service

Procedure

1. Go to Services > ECS > Clusters > Name-Transact-Cluster > Services > Create.

2. Choose the launch type as Fargate.

3. Set the Task definition as Name-Transact-App and the revision as latest.

4. Give the Service name as Name-Transact-App.

5. Set number of tasks to one.

6. Click Next step.

7. Set the Cluster VPC to your VPC.

8. From the subnets drop-down menu, select both of your subnets.

9. Click Edit in the Security groups section.

10. Choose Select existing security group and select your app security group (Name-App-SG)
and click Save.

11. Scroll down and leave Load balancer type set to None.

12. Click Next step.

13. Click Next step again.

14. Click Create Service.

13.2 Creating the web service

Now we need to create the web service.

Procedure

1. Go to Services > ECS > Name-Transact-Cluster > Services > Create.

2. For launch type, select Fargate.

3. For task definition, choose Name-Transact-Web and for the revision choose the latest.

4. For service name, use Name-Transact-Web.

5. Set the number of tasks to 1.

6. Click Next step.

7. Choose your VPC for Cluster VPC, and both web subnets for the Subnets field.

8. Click the Edit button next to Security groups.

9. Choose Select existing security group.

10. Select your web security group (Name-Web-SG) and click Save.

11. Set Auto-assign public IP to DISABLED.

12. Under the load balancer section, select Application Load Balancer.

13. Select your load balancer from the drop-down menu.

14. Set the Health check grace period above the load balancer section to 180.

15. Click Add to Load Balancer.

16. Set the Production listener port to 443.

17. Set Target group name to Create new and name it Name-BrowserWeb-TG.

18. Set the Target group protocol to HTTPS.

19. Set the Path Pattern to /BrowserWeb* and the Evaluation order to 1.

20. Set Health check path to /.

21. Click Next step, Next step again and then Create Service.

13.3 Creating the API service

You can create the API service, which will allow POST and GET requests to be executed against
Transact.

Procedure

1. Go to Services > ECS > Name-Transact-Cluster > Services > Create.

2. For launch type, select Fargate.

3. For task definition, choose Name-Transact-API, and for the revision choose the latest.

4. For service name, use Name-Transact-API.

5. Set the number of tasks to 1.

6. Click Next step.

7. Choose your VPC for Cluster VPC, and both web subnets for the Subnets field.

8. Click the Edit button next to Security groups.

9. Choose Select existing security group and choose Name-API-SG.

10. Set Auto-assign public IP to DISABLED.

11. Under the Load balancing section, select Application Load Balancer.

12. Set the Health check grace period above the load balancer section to 180.

13. Select your application load balancer from the drop-down menu (Name-ALB).

14. Click Add to load balancer.

15. Set the Production listener port to 80:HTTP.

16. Set Target group name to create new and name it Name-API-TG.

17. Set the Path pattern to /irf-psd2-BG-LUXHUB-* and the Evaluation Order to 1.

18. Set the Health check path to /.

19. Click Next step.

20. Click Next step again and then Create Service.

13.4 Creating the application UXP service

Procedure

1. Go to Services > ECS > Clusters > Name-Transact-Cluster > Services > Create.

2. Choose the launch type as Fargate.

3. Set the Task definition as Name-Transact-App-UXP and the revision as latest.

4. Give the Service name as Name-Transact-App-UXP.

5. Set Number of tasks to 1.

6. Click Next step.

7. Set the Cluster VPC to your VPC.

8. From the subnets drop-down menu, select both of your subnets.

9. Click Edit in the Security groups section.

10. Choose Select existing security group and select your app security group (Name-App-SG)
and click Save.

11. Set Auto-assign public IP to Disabled.

12. Scroll down and leave Load balancer type set to None.

13. Enable service discovery by checking the Enable service discovery integration checkbox.

14. In the Namespace dropdown, select create new private namespace.

15. In the Namespace name box, set the name to uxp.

16. In the Service discovery name box, enter transact-app-svc.

17. Click Next step.

18. Click Next step again.

19. Click Create Service.

13.5 Creating the web UXP service

Procedure

1. Go to Services > ECS > Clusters > Name-Transact-Cluster > Services > Create.

2. Choose the launch type as Fargate.

3. Set the Task definition as Name-Transact-Web-UXP and the revision as latest.

4. Give the Service name as Name-Transact-Web-UXP.

5. Set Number of tasks to 1.

6. Click Next step.

7. Set the Cluster VPC to your VPC.

8. From the subnets drop-down menu, select both of your subnets.

9. Click Edit in the Security groups section.

10. Choose Select existing security group and select your web security group (Name-Web-SG)
and click Save.

11. Set Auto-assign public IP to Disabled.

12. Scroll down and set Load balancer type to Application Load Balancer.

13. Set the Health check grace period above the load balancer section to 180.

14. Select your load balancer in the Load balance name dropdown.

15. Click Add to load balancer.

16. Set the Production listener port to 443:HTTPS.

17. Set the Target group name to create new and set the name to Name-UXP-TG.

18. Set the Target group protocol to HTTPS.

19. Set the Path pattern to /Browser*.

20. Set the Evaluation order to 2.

21. Set the Health check path to /.

22. Enable service discovery by checking the Enable service discovery integration checkbox.

23. In the Namespace dropdown, select create new private namespace.

24. In the Namespace name box, set the name to uxp.

25. In the Service discovery name box, enter transact-app-svc.

26. Click Next step.

27. Click Next step again.

28. Click Create Service.

14 Updating the application load balancer configuration

Once the web service is registered with the load balancer, you need to configure rules that determine
how the load balancer handles redirects that BrowserWeb¹ issues when you request the log in page.

You also need to configure health check parameters that give the web container more time to start up
and an increased timeout lenience - this prevents the health check from unnecessarily killing tasks it
deems to be unhealthy.

14.1 Modifying web target group health check parameters

Procedure

1. Go to Services > EC2 > Target Groups and select your web target group (Name-
BrowserWeb-TG).

2. Go to the Health checks tab.

3. Click Edit health check.

4. Set Healthy threshold to 2.

5. Set Unhealthy threshold to 5.

6. Set Timeout to 30.

¹ A Temenos browser, used for accessing the Transact application.

7. Set Interval to 60.

8. Click Save.

14.2 Modifying API target group health check parameters

Procedure

1. Go to Services > EC2 > Target Groups and select your API target group (Name-API-TG).

2. Go to the Health checks tab.

3. Click Edit health check.

4. Set Healthy threshold to 2.

5. Set Unhealthy threshold to 5.

6. Set Timeout to 30.

7. Set Interval to 60.

8. Click Save.

15 API Gateway

Our AWS reference architecture uses API gateway as the single point of access to the VPC¹.

15.1 Creating the VPC link

Procedure

1. Go to Services > API Gateway > VPC links and click Create.

2. On the next screen select VPC link for HTTP APIs.

3. Then set the name to Name-Transact-VPC-Link.

4. Set the VPC to your Transact VPC (Name-Transact-VPC).

5. Select both of your subnets in the Subnets section.

6. Select your VPC link security group in the Security groups section (Name-VPC-Link-SG).

7. Click Create.

15.2 Creating the API

Procedure

1. Now go to APIs in the left menu bar.

2. Click Create API in the top right.

3. Select Build in the HTTP API box.

¹ A virtual private cloud (VPC) is an on-demand configurable pool of shared computing resources allocated within a public cloud environment,
providing a certain level of isolation between the different organizations (denoted as users) using the resources.

4. Set the API name to Name-Transact-API, click Review and Create and then click Create.

15.3 Configuring the API

Procedure

1. Now go to Integrations on the left menu bar.

2. Go to the Manage integrations tab.

3. Click Create.

4. In the Integration type drop down, select Private resource.

5. In the Integration details, choose Select manually.

6. Then in the Load balancer dropdown, select your load balancer (Name-ALB).

7. Set the listener to HTTPS in the Listener dropdown.

8. Now expand the Advanced settings section.

9. In the Secure server name field, specify the domain name that your SSL certificate is assigned
to.

10. In the VPC link dropdown select your VPC link (Name-Transact-VPC-Link) and then click
Create.

11. Now go to Routes on the left menu bar and click Create.

12. Replace the / character with $default and click Create.

13. Now go to Integrations again on the left menu bar and click on $default.

14. In the Choose an existing integration dropdown, select your integration (HTTPS:443 - Name-
ALB) and then click Attach integration on the right-hand side.

16 Interacting with Transact

After you have deployed your API gateway and Transact ECS services, you can test logging in to
BrowserWeb and querying the API.

16.1 Logging in to BrowserWeb

Procedure

1. Go to Services > API Gateway > Your API and click the Invoke URL hyperlink.

2. Append /BrowserWeb or /Browser depending on which browser you deployed, and log in.

16.2 Payments API

16.2.1 Sending a POST request

Procedure

1. In a REST client, for example Insomnia, paste the API Gateway endpoint URL, append the
following string and set the method to POST:

/irf-psd2-BG-LUXHUB-PX/api/v1.0.0/order/paymentOrder/instantPayment

2. Set the body of the request to JSON, and paste the following data:

{
  "header": {
  },
  "body": {
    "debitAccountId": "14613",
    "beneficiaryName": "TESTER",
    "beneficiaryAccount": "10968",
    "transactionAmount": 10000.40,
    "paymentCurrency": "USD",
    "chargeBearer": "OUR",
    "instructionIdentification": "NOTHING",
    "endToEndIdentification": "IDENTIFIED",
    "paymentProduct": "DOMESTIC",
    "chargeType": "COMMP2",
    "chargeAmount": "10",
    "chargeCurrency": "USD"
  }
}

3. Send the request.

4. Copy the ID in the response.

16.2.2 GET request

Procedure

1. Change the method to GET.

2. Paste the copied payment order ID at the end of the URL used for the POST request, for
example:

/irf-psd2-BG-LUXHUB-PX/api/v1.0.0/order/paymentOrder/PI191070HTH6Y3QJ/paymentStatus

3. Send the request.

The response should look similar to the following:

16.2.3 View account balances

Procedure

In a REST client, for example Insomnia, paste the API Gateway URL, append the following string and
set the method to GET.

/irf-psd2-BG-LUXHUB-PZ/api/v1.0.0/party/accounts/balance/14613

The JSON response displays balance details of the account ID passed in the URL.

17 Configuring application service scaling

One of the primary advantages of running Transact in containers in Fargate¹ is the ability to elastically
scale to cater to the load on the system. In this case, we are going to configure the application service
to scale when the load on the container reaches a given threshold.

Procedure

1. Go to Services > ECS > Clusters > Name-T24-Cluster > Name-T24-App > Update.

2. Click Next step and then Next step again.

3. Set Service Auto Scaling to Configure Service Auto Scaling to adjust your service’s
desired count.

4. Set Minimum number of tasks to one.

5. Set Desired number of tasks to one.

6. Set Maximum number of tasks to five.

7. Set IAM role for Service Auto Scaling to ecsAutoscaleRole.

8. Click Add scaling policy.

¹ A compute engine for Amazon ECS that lets you run containers without having to manage servers or clusters.

9. Set Scaling policy type to Target tracking.

10. Set the Policy name to Name-T24-App-Scaling.

11. Set the ECS service metric to ECSServiceAverageCPUUtilization.

12. Set Target value to 25.

13. Set Scale-out cooldown period to 120.

14. Set Scale-in cooldown period to 120.

15. Click Save, Next step and Update Service. Your app service will now scale up when the
average CPU utilization hits 25%.

18 AWS Troubleshooting

18.1 Accessing the CloudWatch logs in the AWS Console

The logs from each container are captured in ECS. You can access them through the AWS console in
various ways, but the view of the logs is better in the CloudWatch console than in the ECS console.

If you navigate to your Service in the console, you can get aggregated logs from each of the Tasks for
that service. These are sorted with the most recent output at the top. The Task Id is included.

NOTE: There are limitations to this view. The way the tasks are sorted leaves less room to see what is
actually going on - even when you expand an entry you cannot see much detail. Use this view for quickly
verifying that everything is okay rather than for diagnosing problems.

If you navigate to your Task in the console, there is a Logs tab, which is also sorted with the most
recent output at the top.

If you stay on the Details tab of the Task view, you can open up the container details. You will find a link
there to the logs for that container.

Following that link takes you to the CloudWatch Console, which gives you a much better view of the
logs.

In this view, the logs are sorted with older logs first. As you scroll down it will automatically populate the
more recent logs on the screen. If you are looking for something recent you can use the time selectors
at the top right (for example, 30s or 5m).

18.1.1 Displaying parsed JSON in CloudWatch

Expanding a log entry shows you parsed JSON.

18.1.2 Searching the logs in CloudWatch

On any of the screens you can search using the text box at the top. For instance, entering
ERROR returns the following results.

Entering DATABASE returns the following results.

A search term entered:

• in lower case characters performs a case-insensitive search;

• with some upper case characters performs a case-sensitive search.

There is an advanced search syntax which can reference the JSON fields of the log output. This means
you can pull out the logs from a single thread, for example:

[$ thread="default-threads - 24"]

18.1.3 Identifying TAFJ log files in CloudWatch

The TAFJ log files that in a legacy deployment would be found in separate log files are all included in
these logs. The JSON field loggerName identifies these log files.

For instance, to see the EJB log you would enter the following:

[$ loggerName="EJB"]

NOTE: You can also reach this screen without navigating through the ECS console. Go directly to
CloudWatch and select Logs from the left hand menu.

18.1.4 Locating logs in CloudWatch for a specific task

The Logs screen in CloudWatch lists Log Groups. For ECS, one log group is created for each task
definition – so all logs from all tasks that use the same task definition will be in the same log group.

A log group starts with /ecs/, so you can search for it on the main Logs screen, using the Filter box.

NOTE: If you know the name of the task definition you can search for it directly.

When you select a log group, you will see the log streams in that log group. Each container creates its
own log stream. The name of the log stream is /ecs/<Container Name>/<Task ID>

The container name is the name of the container within the task definition. Most of our task definitions
have only a single container, but there is a possibility of putting more than one container in a task
definition if they need to work closely together.


19 Using CloudWatch to check Transact start-up

With a new ECS deployment of Transact, the first thing to check is usually that the connections to the
message broker and to the database have been made successfully.

The application layer container will make a connection to the message broker as soon as it has
completed initialising. Look for the message Successfully established connection to broker. You
can search for the message in CloudWatch.

The application will not attempt to connect to the database until it receives a request that causes
Transact code to run. To look for database errors, search for the DATABASE log file.


20 Downloading the CloudWatch logs

As powerful as the CloudWatch console is, sometimes it is easier to download logs and analyse them
with tools or in an editor. You can do this in Windows or in Linux.

20.1 Using AWS CLI

AWS resources can be accessed using the AWS CLI.

NOTE: The AWS user guide explains how to access AWS resources using the AWS CLI. The CLI
configuration and obtaining an access key are also explained in the user guide.

1. Download the CLI

[Link]

2. Configure the CLI. This includes logging in to your account. You do not log in to the CLI with your
password, you log in with an AWS Access Key which you can create in the AWS Console. See
the AWS user guide for more information.

[Link]

3. To obtain the logs you need, you need to get the log group name and log stream name, just as in
the CloudWatch console. Remember that:

• The log group name is /ecs/<Task Definition>.

• The log stream name is ecs/<Container Name>/<Task ID>.

Download the logs you want with the aws logs command. In the following example:

• T24-DB-5 is the task definition.

• T24-App is the container name (within the task definition).

• be173d8b-3f98-etc is the task ID.


aws logs get-log-events --start-from-head --log-group-name /ecs/T24-DB-5 --log-stream-name ecs/T24-App/be173d8b-3f98-4a86-9edc-cf7b62b8dc67 >[Link]

NOTE: Take care - the log group name starts with a leading slash (/ecs/…), while the log stream
name starts without one (ecs/…).

The output file is a JSON object, containing the field events, which is an array of log entries. The log
entries contain a 'message' field, which is the actual log output. In our containers this is usually (but not
always) in JSON format too.

20.2 Using the JQ command line tool

If you want to process the log files further, the jq command line tool is useful for parsing JSON files. It is
available on Linux or Windows:

[Link]

Using jq gives you a lot of flexibility. The following command:

• Extracts the message from each log event.

• Selects the actual JSON formatted entries.

• Identifies the RUNTIME log entries.

• Outputs the timestamp and the log message.

$ jq -r -c '.events[].message' [Link] | grep '^{' | jq 'select(.loggerName == "RUNTIME") | {timeMillis,message}'

This next command identifies messages with a chosen timestamp and a particular error code in the
stackTrace field and then outputs that field unescaped.

$ jq -r '.events[].message | select(match("^{")) | fromjson | select(.timestamp? == "2019-05-17T[Link].221Z") | select(.stackTrace? | strings | match("IJ031084")) | .stackTrace'

The steps in the second jq invocation are as follows:


Step                                  Description

jq -r                                 -r means output a raw string without quoting and escaping.

'.events[]                            Extract the events field of the input JSON, which is an array,
                                      and then take each element of the array as a new item.

.message                              Extract the message field of each item.

|select(                              | is a pipe, taking the output of the previous step; apply a
                                      selection of entries.

match("^{"))                          Take only the values that match a regular expression, in this
                                      case those that start with a {. Most (not all) of our log
                                      messages are in JSON format, so jq can parse those and
                                      process their contents.

|fromjson|                            Parse each string that has passed through the previous
                                      select() into a new JSON object.

select(.timestamp? ==                 Filter for the timestamp value I want. The ? prevents an error if
"2019-05-17T[Link].221Z")             there is no timestamp field in a given entry.

|select(                              Another select, choosing the entries that meet a condition.

.stackTrace?|strings                  Within the select condition, extract the stackTrace item and
                                      continue using it only if it is a string. (It is usually a string, but it
                                      can be null if there is no stackTrace field.)

|match("IJ031084")                    Still within select, do a regular expression match on the output of
                                      the previous step (the stackTrace as a string).

)|                                    End the select and pipe the entries that matched in the select
                                      to another step. Only entries with a stackTrace field
                                      containing "IJ031084" will be piped to the next step. Note
                                      they are output complete; the things that were done within the
                                      select condition were only to calculate the entries to use, they
                                      did not modify those entries.

.stackTrace'                          Output the stackTrace field. By default the output is as a
                                      JavaScript string literal, quoted and with newlines escaped as
                                      \n, but the -r option outputs it unescaped, so we can read the
                                      lines of the stacktrace easily.


NOTE: Using these tools gives you as much access to log output as a traditional deployment.
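The two jq pipelines above and the start-up check in section 19, as an added Python example that is not part of the runbook or of any Temenos tooling: it reads the JSON that aws logs get-log-events writes and applies the same steps (keep only messages that start with {, parse them, filter by loggerName, timestamp and stackTrace, then summarise broker and DATABASE status) for hosts where jq is not installed. It goes slightly beyond the jq commands by skipping a message that starts with { but is not valid JSON instead of aborting. The sample input, the thread names, the level values, the exception text and the file name are constructed; only the IJ031084 code, the loggerName values and the broker message come from the runbook.

```python
"""Offline equivalent of the runbook's jq pipelines over the JSON written by
`aws logs get-log-events`.  Uses constructed sample data; no AWS access."""
import json
import sys
from typing import Any, Dict, Iterator, List

# Constructed sample in the shape of `aws logs get-log-events` output.  The
# message bodies mimic the container's JSON log layout.  One line is plain
# text, one is truncated JSON, and one JSON entry has no stackTrace.
SAMPLE_GET_LOG_EVENTS = json.dumps({
    "events": [
        {"timestamp": 1558087200221, "ingestionTime": 1558087201000,
         "message": json.dumps({
             "timeMillis": 1558087200221,
             "timestamp": "2019-05-17T10:00:00.221Z",
             "thread": "default-threads - 24", "level": "INFO",
             "loggerName": "RUNTIME",
             "message": "Successfully established connection to broker"})},
        {"timestamp": 1558087200300, "ingestionTime": 1558087201000,
         "message": "plain text line from the container entrypoint, not JSON"},
        {"timestamp": 1558087200400, "ingestionTime": 1558087201000,
         "message": '{"timeMillis": 1558087200400, "loggerName": "RUN'},
        {"timestamp": 1558087260221, "ingestionTime": 1558087261000,
         "message": json.dumps({
             "timeMillis": 1558087260221,
             "timestamp": "2019-05-17T10:01:00.221Z",
             "thread": "default-threads - 7", "level": "ERROR",
             "loggerName": "DATABASE",
             "message": "Could not obtain connection from pool",
             "stackTrace": "javax.resource.ResourceException: IJ031084: "
                           "Unable to create connection\n"
                           "\tat example.Pool.getConnection(Pool.java:42)"})},
        {"timestamp": 1558087260500, "ingestionTime": 1558087261000,
         "message": json.dumps({
             "timeMillis": 1558087260500,
             "timestamp": "2019-05-17T10:01:00.500Z",
             "thread": "default-threads - 7", "level": "INFO",
             "loggerName": "EJB", "message": "Bean invoked",
             "stackTrace": None})},
    ],
})


def json_messages(raw: str) -> Iterator[Dict[str, Any]]:
    """'.events[].message | select(match("^{")) | fromjson', plus a guard: a
    message that starts with '{' but is not valid JSON (a truncated line) is
    skipped instead of aborting the whole run."""
    for event in json.loads(raw)["events"]:
        message = event.get("message", "")
        if not message.startswith("{"):
            continue
        try:
            yield json.loads(message)
        except json.JSONDecodeError:
            continue


def runtime_entries(raw: str) -> List[Dict[str, Any]]:
    """First pipeline: keep the RUNTIME logger, project timeMillis and message."""
    return [{"timeMillis": e.get("timeMillis"), "message": e.get("message")}
            for e in json_messages(raw) if e.get("loggerName") == "RUNTIME"]


def stack_traces_with_code(raw: str, timestamp: str, code: str) -> List[str]:
    """Second pipeline: entries at the given timestamp whose stackTrace is a
    string containing the error code.  '.stackTrace?|strings' becomes an
    isinstance check, so a null or missing stackTrace is ignored quietly."""
    traces = []
    for e in json_messages(raw):
        if e.get("timestamp") != timestamp:
            continue
        trace = e.get("stackTrace")
        if isinstance(trace, str) and code in trace:
            traces.append(trace)
    return traces


def startup_summary(raw: str) -> Dict[str, Any]:
    """Section 19 start-up check: did the application layer reach the broker,
    and has the DATABASE logger reported any ERROR-level entries?"""
    entries = list(json_messages(raw))
    broker_ok = any("Successfully established connection to broker"
                    in str(e.get("message")) for e in entries)
    db_errors = [e.get("message") for e in entries
                 if e.get("loggerName") == "DATABASE" and e.get("level") == "ERROR"]
    return {"broker_connected": broker_ok, "database_errors": db_errors}


if __name__ == "__main__":
    # Pass the file written by `aws logs get-log-events ... > file.json`, or
    # run with no argument to use the constructed sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GET_LOG_EVENTS
    print(json.dumps(startup_summary(raw), indent=2))
    for entry in runtime_entries(raw):
        print(entry["timeMillis"], entry["message"])
    for trace in stack_traces_with_code(raw, "2019-05-17T10:01:00.221Z", "IJ031084"):
        print(trace)
```

Run it against a downloaded file with python3 script.py file.json; the summary tells you at a glance whether the broker connection message appeared and lists any DATABASE errors, which is the same check section 19 describes doing by hand in the console.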


21 TAFJEE Servlet

The TAFJEE Servlet is not currently available in the container image builds.

22 Glossary

A

ACR
Azure Container Registry allows you to store images for all types of container deployments.

Active Directory
Active Directory is a directory service developed by Microsoft for Windows domain networks. It is
included in most Windows Server operating systems as a set of processes and services.

ActiveMQ
Apache ActiveMQ is an open source message broker written in Java together with a full Java
Message Service client.

Amazon MQ
A managed message broker service for ActiveMQ that makes it easy to set up and operate
message brokers in the cloud.

Amazon RDS
Amazon Relational Database Service (or Amazon RDS) is a distributed relational database
service by Amazon Web Services (AWS). It is a web service running "in the cloud" designed to
simplify the setup, operation, and scaling of a relational database for use in applications.

AMQ
Apache ActiveMQ is an open source message broker written in Java together with a full Java
Message Service client.

AMQP
The Advanced Message Queuing Protocol (AMQP) is an open standard for passing business
messages between applications or organizations.

Apache Maven
Maven is a build automation tool used primarily for Java projects.

Apigee
Apigee, part of Google Cloud, helps you design, secure, and scale application programming
interfaces (APIs).

AWS
Amazon Web Services (AWS) is a subsidiary of Amazon that provides cloud computing platforms
to both individuals and organisations.

AWS CLI
AWS Command Line Interface (CLI) is a unified tool to manage your AWS services.

AWS Kinesis
Processes big data in real time. AWS Kinesis can process hundreds of terabytes per hour from
high volumes of streaming data from sources such as operating logs, financial transactions and
social media feeds

AWS Lambda
AWS Lambda is an event-driven, serverless computing platform provided by Amazon as a part of
the Amazon Web Services.

AWS Secrets Manager
AWS Secrets Manager helps you protect secrets needed to access your applications, services,
and IT resources. It also allows you to control access to secrets using fine-grained permissions
and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-
premises.

AWS API Gateway
Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and
securing REST and WebSocket APIs at any scale.

AWS DynamoDB
A fully managed proprietary NoSQL database service that supports key-value and document data
structures. It is offered by [Link] as part of the Amazon Web Services portfolio.

Axis2
Apache Axis2 is a core engine for Web services. Axis2 provides the capability to add Web
services interfaces to Web applications.

Azure Bastion
A platform-managed PaaS service you provision inside your virtual network. It provides secure
and seamless RDP/SSH connections.

Azure CLI
Azure command-line tool for managing Azure resources

Azure Cloud Shell
Azure Cloud Shell is an authenticated, browser-accessible shell for managing Azure resources.

Azure Event Hubs
Event Hubs is a fully managed, real-time data ingestion service from Microsoft Azure.

Azure Functions
Azure Functions is the serverless computing service hosted on the Microsoft Azure public cloud.

Azure Kubernetes Services (AKS)
Microsoft's service for deploying and managing containerised applications.

Azure Monitor
Platform capability for monitoring your Azure resources. Azure Monitor allows you to collect
granular performance and utilisation data, activity and diagnostics logs, and notifications from
your Azure resources.

B

BrowserWeb
A Temenos browser, used for accessing the Transact application.

Cloudflare Workers
Cloudflare Workers lets developers deploy serverless JavaScript applications on Cloudflare's
global cloud network

CloudFront
A fast content delivery network (CDN) service that securely delivers data, videos, applications,
and APIs to customers globally with low latency and high transfer speeds.

CloudWatch
Collects monitoring and operational data in the form of logs, metrics, and events, providing you
with a unified view of AWS resources, applications, and services that run on AWS and on-
premises servers.

Container Registry
A private container image registry that runs on Google Cloud Platform. To control access to your
images you need to use a private registry such as Container Registry.

DDoS
Distributed Denial of Service. DDoS is a type of DOS attack where multiple compromised systems
are used to target a single system, causing a Denial of Service (DoS) attack.

Docker
A set of platform-as-a-service products that use virtualisation to deliver software in containers.

Dockerfile
Text document that contains all the commands a user could call on the command line to assemble
an image. Using docker build users can create an automated build that executes several
command-line instructions in succession.

EBS
Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service
designed for use with Amazon Elastic Compute Cloud (EC2).

EC2
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides compute capacity in
the cloud.

ECR
Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry.

ECS (Elastic Container Service)
AWS container orchestration service that supports Docker containers.

Elasticsearch
A search engine based on the Lucene library. It provides a distributed, multitenant-capable full-
text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch
is developed in Java.

Fargate
A compute engine for Amazon ECS that lets you run containers without having to manage servers
or clusters.

FQDN
A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or
host, on the internet. The FQDN consists of two parts: the hostname and the domain name.

GCE
Google Compute Engine (GCE) is the Infrastructure as a Service (IaaS) component of Google
Cloud Platform which is built on the global infrastructure that runs Google's search engine, Gmail,
YouTube and other services. Google Compute Engine enables users to launch virtual machines
(VMs) on demand.

GCP
Google Cloud Platform, offered by Google, is a suite of cloud computing services that runs on the
same infrastructure that Google uses internally for its end-user products, such as Google Search
and YouTube.

GCP IAM
Google Cloud Platform (GCP) offers Identity and Access Management (IAM), which lets you grant
granular access to specific GCP resources and prevents unwanted access to other resources.

GlusterFS
The GlusterFS architecture aggregates compute, storage, and I/O resources into a global
namespace. Each server plus attached storage is considered to be a node. Capacity is scaled by
adding either nodes or additional storage to each node. Performance is increased by deploying
storage among more nodes. High availability is achieved by replicating data n-way between
nodes.

HAProxy
HAProxy is open source software that provides a high availability load balancer and proxy server
for TCP and HTTP-based applications. HAProxy spreads requests across multiple servers.

helm
A tool that streamlines installing and managing Kubernetes applications.

IAM
Identity and access management (IAM) is a framework of business processes, policies and
technologies that facilitates the management of electronic or digital identities. You can use an IAM
framework to control user access to critical information within an organisation.

IIB v10
IBM Integration Bus version 10

Infinity
Temenos' digital front office, focused on customer journeys from acquisition through retention.

ingress
An object that allows access to your Kubernetes services from outside the Kubernetes cluster.
You configure access by creating a collection of rules that define which inbound connections
reach which services.

Insomnia
A cross-platform GraphQL and REST client, available for Mac, Windows, and Linux.

Integration
Communication between two or more systems.

Interaction
Communication between an automated system and a human user.

J

JBoss
JBoss Application Server (JBoss AS) is an open-source, cross-platform Java application server
developed by JBoss, a division of Red Hat Inc. JBoss AS is an open-source implementation of
Java 2 Enterprise Edition (J2EE) that is used for implementing Java applications and other Web-
based applications and software.

JDK
Java Development Kit

JMS
Java Message Service (JMS) is an application program interface (API) from Sun Microsystems
that supports the formal communication known as messaging between computers in a network.

jumpbox
A jump server, jump host or jump box is a computer on a network used to access and manage
devices in a separate security zone. The most common example is managing a host in a DMZ
from trusted networks or computers.

Kafka
Apache Kafka is an open-source stream-processing software platform developed by LinkedIn and
donated to the Apache Software Foundation, written in Scala and Java.

Kube client
Rust client for Kubernetes, containing rust reinterpretations of the Reflector and Informer
abstractions (but without all the factories) to allow writing kubernetes controllers/operators easily.

kubectl
Kubernetes tool used to deploy applications, inspect and manage cluster resources, and view
logs.

Kubernetes
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and
management of containerized applications.

Kubernetes (K8S)
Open-source system for automating deployment, scaling, and management of containerized
applications

MongoDB
MongoDB is a cross-platform document-oriented database program. Classified as a NoSQL
database program, MongoDB uses JSON-like documents with schema.

MQTT
Lightweight messaging protocol for small sensors and mobile devices.

nginx-ingress
nginx-ingress is an Ingress controller that uses ConfigMap to store the nginx configuration. To
use, add the [Link]/[Link]: nginx annotation to your Ingress resources.

NMS
The NMS API (.Net Message Service API) provides a standard .NET interface to Messaging
Systems.

NSG
A Network Security Group is a networking filter (firewall) containing a list of security rules allowing
or denying network traffic to resources connected to Azure VNets.

NuoDB
Distributed SQL database built for the Enterprise.

O

OpenJDK
OpenJDK is a free and open-source implementation of the Java Platform, Standard Edition.

Oracle 12c
Oracle Database 12c is an enterprise-class database from Oracle. Its features include pluggable
databases and multitenant architecture.

Oracle SQL Developer
Oracle SQL Developer is an integrated development environment for working with SQL in Oracle
databases.

Postman
Postman is a Google Chrome app for interacting with HTTP APIs. It includes a GUI for
constructing requests and reading responses.

PSD2
Revised Directive on Payment Services (PSD2). The new rules aim to better protect consumers
when they pay online, promote the development and use of innovative online and mobile
payments such as through open banking, and make cross-border European payment services
safer.

RabbitMQ
RabbitMQ is the open-source message-broker software that originally implemented the Advanced
Message Queuing Protocol

RDP
Remote desktop protocol (RDP) is a secure network communications protocol designed for
remote management, as well as for remote access to virtual desktops, applications and an RDP
terminal server.

RDS
Amazon Relational Database Service (or Amazon RDS) is a distributed relational database
service by Amazon Web Services (AWS). It is a web service running "in the cloud" designed to
simplify the setup, operation, and scaling of a relational database for use in applications.

rkt
An application container engine developed for production cloud-native environments.

Route 53
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web
service.

S3
Amazon S3 or Amazon Simple Storage Service is a service offered by Amazon Web Services that
provides object storage through a web service interface.

Service Fabric Mesh
A cloud-scale platform from Microsoft Azure for hosting Windows or Linux container applications.

SOAP
Simple Object Access Protocol. An XML-based messaging protocol that uses HTTP.

SQL Server MI
Managed instance is a deployment option of Azure SQL Database, which is fully compatible with
the latest SQL Server on-premises (Enterprise Edition) Database Engine

SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely
over an unsecured network.

stdout
Stdout, also known as standard output, is the default file descriptor where a process can write
output. In Unix-like operating systems, such as Linux, macOS X, and BSD, stdout is defined by the
POSIX standard.

STOMP
Simple (or Streaming) Text Oriented Message Protocol (STOMP), formerly known as TTMP, is a
simple text-based protocol, designed for working with message-oriented middleware (MOM).

TAFJ
Temenos Application Framework Java

TAP
Triple'A Plus™ is the private banking platform from Temenos. It incorporates the best practices
adopted by the leading international financial institutions that specialise in wealth management
solutions for high net worth and ultra high net worth individual clients.

TLS
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications
security over a computer network.

tOP
Splunk-based Temenos data monitoring application

TPH
Temenos payments solution for high-value, low-volume payments in the corporate banking space

Transact
Temenos' core banking solution.

U

UXP Browser
The new browser from Temenos, designed to access the Transact application

VirtualBox
Oracle VM VirtualBox is a free and open-source hosted hypervisor for x86 virtualization,
developed by Oracle Corporation.

vNET
Azure Virtual Network (VNet) enables Azure resources, such as Azure Virtual Machines (VM), to
securely communicate with each other, the internet, and on-premises networks.

VPC
A virtual private cloud (VPC) is an on-demand configurable pool of shared computing resources
allocated within a public cloud environment, providing a certain level of isolation between the
different organizations (denoted as users) using the resources.

VPN
A virtual private network (VPN) is a network that connects remote users or regional offices through
the Internet to a company's private, internal network.

WebSocket
WebSocket is a computer communications protocol, providing full-duplex communication
channels over a single TCP connection.

WebSphere MQ
Renamed IBM MQ in 2014. IBM's enterprise messaging solution. It allows independent and
potentially non-concurrent applications in a distributed system to communicate securely with each
other.

Wildfly
WildFly, formerly known as JBoss AS, or simply JBoss, is an application server authored by
JBoss, now developed by Red Hat.

WIP
Work In Progress
