Configuring a Gateway Integration Endpoint - Microsoft Azure Blob Storage

A gateway integration endpoint (GIEP) allows STEP to communicate with an external storage system. Once a GIEP has been created and Microsoft Azure Blob Storage is selected, the configuration settings allow you to identify the location of the required data.

Prerequisites

Important: Prior to configuration, dropdown parameters that rely on a property are empty. To display the value(s) in the configuration dialog, log into the Self-Service UI, select the environment, and on the 'Configuration properties' tab, configure the property for your system.

Refer to the Self-Service UI 'User guide' for information about setting configuration properties, including the use of the ${CUSTOMER_SECRETS_ROOT} and ${CUSTOMER_CONFIG_ROOT} variables.

'Secret' configuration values are sensitive and are hidden in the display. This means that the actual values are not visible to users or to Stibo Systems, for example, via Admin Portal configuration lists and remote diagnostics.

Multiple entries can be added to the dropdown parameters using dynamic properties. Each configuration entry must have a unique integer or alpha identifier (indicated by [*]) as described below. When duplicate identifiers exist, only the last value is displayed in the dropdown.

Allow a few minutes for changes made in the Self-Service UI 'Configuration properties' tab to display in the workbench. Refer to the Self-Service UI topic for more information.

Configure data for the dropdown parameters:

  1. Configure the Connection Info dropdown parameter using the BlobStorage.Azure.Secret.Connection.[*] property. To use a SAS credential instead of an access key, see 'Using a Shared Access Signature (SAS) Credential for the Connection String' below. For example, using this configuration, two options are displayed in the 'Connection Info' dropdown:

    Note: BlobStorage.Azure.Secret.Connection.1 cannot be added. It is reserved for Stibo Systems internal use.

    On the 'Add configuration property value' dialog, the Value field must include the alias (AzureConn in the image above) separated by a comma from the connection string (starting with 'DefaultEndpointsProtocol...' in the image above). Add your own connection string in place of '[YOUR_CONNECTION_STRING]'.

    Only the alias is displayed in the ‘Connection Info’ dropdown for the Gateway Integration Endpoint (explained in the next section). The connection string is hidden.

    More information about connection string values and how to find or create them can be found online at https://portal.azure.com (go to Storage Accounts >> Your-Storage-Account >> Access Key >> Connection String).

    Using a Shared Access Signature (SAS) Credential for the Connection String

    The SAS token must be created directly on the blob storage account itself, not on the corresponding container. As a minimum, it must have Service, Container, and Object specified as its 'Allowed resource types' and Read, Write, and List specified as its 'Allowed permissions' to grant the proper access rights to STEP.

    These resource types and permissions are required to allow STEP to perform all the needed operations to deliver the content (blobs) to the specified Azure Blob Storage account's container.

    Important: If the SAS token has insufficient privileges, the delivery will result in an error message similar to this one:

    If you are using a SAS token, and the server returned the error message 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call. Before going to production, disable 'Azure-Storage-Log-String-To-Sign' as this string can potentially contain PII.

    Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationResourceTypeMismatch</Code><Message>This request is not authorized to perform this operation using this resource type. RequestId:836910b1-801e-001a-4da2-900fc9000000 Time:2022-07-05T19:11:07.4796215Z</Message></Error>"

    On the 'Add configuration property value' dialog, the Value field includes the SAS alias separated by a comma from the connection string. Add your own connection string in place of '[YOUR_CONNECTION_STRING]'. Only the alias is displayed in the ‘Connection Info’ dropdown for the Gateway Integration Endpoint (explained in the next section). The connection string is hidden.

  2. Configure the Container Name dropdown parameter using the BlobStorage.Azure.Secret.ContainerName.[*] property. For example, using this configuration, two options are displayed in the 'Container Name' dropdown:

    Note: BlobStorage.Azure.Secret.ContainerName.1 cannot be added. It is reserved for Stibo Systems internal use.
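The SAS requirements above can be checked before the value is saved as a secret, which catches the cause of the 403 AuthorizationResourceTypeMismatch error early. The following is an added example, not part of STEP or the original page; the function name, the alias, and the sample values are constructed, and it assumes the standard Azure SAS query fields (srt, sp, sr, se).

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

REQUIRED_SRT = set("sco")  # Service, Container, Object ('Allowed resource types')
REQUIRED_SP = set("rwl")   # Read, Write, List ('Allowed permissions')

def check_property_value(value, now=None):
    """Return a list of problems; never echoes the token or its signature."""
    now = now or datetime.now(timezone.utc)
    alias, comma, conn = value.partition(",")
    if not comma or not alias.strip() or not conn.strip():
        return ["value must be '<alias>,<connection string>'"]
    # Split each pair on the first '=' only: the SAS token itself contains '='.
    fields = dict(p.split("=", 1) for p in conn.strip().split(";") if "=" in p)
    sas = fields.get("SharedAccessSignature")
    if sas is None:
        return ["no SharedAccessSignature field in the connection string"]
    q = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    problems = []
    # A service (container/blob) SAS carries 'sr'; an account SAS carries 'srt'.
    if "sr" in q or "srt" not in q:
        problems.append("not an account-level SAS")
    missing = REQUIRED_SRT - set(q.get("srt", ""))
    if missing:
        problems.append("srt lacks: " + "".join(sorted(missing)))
    missing = REQUIRED_SP - set(q.get("sp", ""))
    if missing:
        problems.append("sp lacks: " + "".join(sorted(missing)))
    # Extra check not stated on the page: an expired token is also rejected.
    try:
        expiry = datetime.fromisoformat(q.get("se", "").replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("se is in the past")
    except ValueError:
        problems.append("se missing or unparseable")
    return problems

# Constructed sample values; the account name and 'sig' are placeholders.
_BASE = "BlobEndpoint=https://example.blob.core.windows.net/;SharedAccessSignature="
GOOD = "AzureSAS," + _BASE + "sv=2022-11-02&ss=b&srt=sco&sp=rwl&se=2099-01-01T00:00:00Z&sig=PLACEHOLDER"
BAD = "AzureSAS," + _BASE + "sv=2022-11-02&sr=c&sp=rl&se=2020-01-01T00:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, value in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_property_value(value) or "ok")
```

Run the check on a workstation that is already trusted with the secret, and keep the real value out of shell history and logs.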

Configuring the Gateway Integration Endpoint

Once the properties described above are configured, the values created in these properties display in the configuration dialog dropdowns. If a dropdown is empty, revisit the 'Configuration properties' tab in the Self-Service UI to correct the error. Refer to the Self-Service UI topic for more information.

  1. On the Gateway Integration Endpoint Configuration dialog, use the following parameters to specify which external system the gateway integration endpoint will access.

    • Connection Info - The desired Azure connection.

    • Container Name - The Azure container name to use.

    • Proxy config - Proxy functionality is intended for facilitating internet access, which is always available from SaaS environments. If a proxy is necessary for your scenario, contact Stibo Systems Support.

    • Connection timeout in seconds - The connection timeout on the request in seconds. If left blank, the driver default will be used.

  2. Click Save to complete the configuration.

  3. Enable the endpoint as defined in the Running a Gateway Integration Endpoint topic.

  4. Test the connection from the gateway as follows:

    • On the Gateway Connectivity flipper, click the Check Connectivity button.

    • In the Check Connectivity dialog, in the Java Script Check Code section, add:

      gateway.checkConnectivity()

    • Click the Check Connectivity button and verify success or make the necessary corrections to connect.

Using the Gateway Integration Endpoint

Configuration of a GIEP is required to set up: