flosumhub/agent

By flosumhub

Updated 14 days ago

This repository contains the Docker image for Flosum Agent services.

Flosum Agent - Docker Hub Details

What is the Flosum Agent Application?

Flosum Agent is a lightweight application designed to facilitate data transfer between your organization's data center and the Salesforce data center. This tool can be conveniently installed on-premise, whether within your organizational infrastructure or inside a customer-controlled DMZ (Demilitarized Zone). Flosum Agent is connected to the Salesforce data center and is also tied to the third-party applications used by the customers. Flosum Agent provides application-to-application authentication between the Flosum org and Flosum Agent, which can be further secured using certificate pinning. Certificates are exchanged between the Flosum Agent and the Flosum org, ensuring a secure data transfer between the Salesforce data center and on-premise applications. It's also important to note that all data transfers occur via the HTTPS protocol, guaranteeing encryption and thus solidifying the integrity of your data during transfers.

Installing Agent App

Flosum runs the Agent application using a Docker Compose file. Flosum also supports Docker secrets: as an alternative to passing sensitive information via environment variables, _FILE is appended to the names of some environment variables (for example, SALESFORCE_TOKEN_FILE), causing the initialization script to load the values for those variables from files present in the container. This requires making minor changes in the Docker Compose file. It is important to note that you don't need to obtain a license for Docker. Flosum will provide clients with the DockerHub details, allowing them to pull the images locally.

Run the Docker Compose File

Use the following command to run the Docker Compose file:

sudo docker stack deploy -c <docker compose file name> --with-registry-auth <stack name>

Note: If any issues arise during the Agent installation, the Flosum team will need certain information to resolve them. In particular, if there are problems with the image scan, it helps if the customer shares which tool they use for scanning the Docker image, as knowing the tool can assist the Flosum team in fixing the issue.

Docker Compose file (without Docker secrets)

version: '3.8'
services:
  node:
    image: flosum/agent-node:4.x.x
    environment:
      NODE_ENV: production
      SALESFORCE_TOKEN: xxxxxxxxxxxxxxxxxxxx
      SMTP_HOST: 'xxxx'
      SMTP_PORT: xxxx
      SMTP_SECURE: false
      SMTP_TRACK_OPENINGS: false
      SMTP_FROM: 'sender@email.com'
      SMTP_AUTH_TYPE: 'login'
      SMTP_AUTH_USER: 'username'
      SMTP_AUTH_PASSWORD: 'password'
    volumes:
      - <path to store agent data>:/home/node/data

Docker Compose file (with Docker secrets)

version: '3.8'
services:
  node:
    image: flosum/agent-node:4.x.x
    environment:
      NODE_ENV: production
      SMTP_HOST: 'xxxx'
      SMTP_PORT: xxxx
      SMTP_SECURE: false
      SMTP_TRACK_OPENINGS: false
      SMTP_FROM: 'sender@email.com'
      SMTP_AUTH_TYPE: 'login'
      SMTP_AUTH_USER: 'username'
      SMTP_AUTH_PASSWORD: 'password'
      SALESFORCE_TOKEN_FILE: /run/secrets/salesforce_token
    secrets:
      - salesforce_token
      
secrets:
  salesforce_token:
    external: true
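
The check below is an added example, not part of Flosum's documentation or code: a shell function that lists credential-like environment keys still set inline in a Compose file, run against a constructed, shortened copy of the secrets variant above. The function name find_inline_secrets and the TOKEN/PASSWORD/SECRET name patterns are assumptions made here, and the page does not say which variables besides SALESFORCE_TOKEN accept the _FILE form.

```shell
#!/bin/sh
# Added example (not Flosum code): list environment keys in a Compose file that
# look like credentials but hold an inline value instead of a *_FILE path.
# The name patterns (TOKEN, PASSWORD, SECRET) are a heuristic chosen here.

find_inline_secrets() {
  awk '
    # Start of an "environment:" mapping: remember how far it is indented.
    /^[ \t]*environment:[ \t]*$/ {
      match($0, /^[ \t]*/); env_indent = RLENGTH; in_env = 1; next
    }
    in_env {
      if ($0 ~ /^[ \t]*$/ || $0 ~ /^[ \t]*#/) next      # blank or comment line
      match($0, /^[ \t]*/)
      if (RLENGTH <= env_indent) { in_env = 0; next }   # mapping ended
      key = $0
      sub(/^[ \t]*(-[ \t]*)?/, "", key)   # drop indentation and list dash
      sub(/[:=].*$/, "", key)             # keep the variable name only
      if (key ~ /_FILE$/) next            # value is a path to a secret file
      if (toupper(key) ~ /TOKEN|PASSWORD|SECRET/) print key
    }
  ' "$1"
}

# Constructed sample: the secrets variant from this page, shortened.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
version: '3.8'
services:
  node:
    image: flosum/agent-node:4.x.x
    environment:
      NODE_ENV: production
      SMTP_AUTH_USER: 'username'
      SMTP_AUTH_PASSWORD: 'password'
      SALESFORCE_TOKEN_FILE: /run/secrets/salesforce_token
    secrets:
      - salesforce_token
secrets:
  salesforce_token:
    external: true
EOF

find_inline_secrets "$sample"
```

Because the secrets file declares salesforce_token as external: true, the secret has to exist in the swarm before docker stack deploy runs, for example created with docker secret create salesforce_token - reading the token from standard input.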

Authentication and Authorization

Flosum keeps all the required authentication details for establishing connections with the Agent, Azure DevOps Git repository, and Azure DevOps Boards. The process of authorization is performed via an integration user. To ensure maximum security, no passwords are retained in Flosum; only tokens are stored in Flosum.

Internal Mechanism to Generate Token

Flosum uses a connected app framework to generate SALESFORCE_TOKEN that enables an external application to integrate with Salesforce using APIs. The standard protocol, or method, we use for this is OAuth Connect. The connected app within your current organization generates a string that contains refresh_token, client_secret, and client_id (of the type OAuth 2.0). These keys are used to obtain an access token and allow the Agent to access the Salesforce org. A Connected app can be created by going to App Launcher | Flosum | Settings | Orgs | Connected App.

Steps to Obtain SALESFORCE_TOKEN
  • To obtain SALESFORCE_TOKEN for the Agent environment, open the Settings tab by going to App Launcher | Flosum-Git | Settings.
  • Next, select the Code Quality tab in the tabs list and scroll down to see the block titled "Authorization token for Heroku services" and click the Get token button.
  • A new tab will appear in your browser where you need to scroll down to see your generated token. That's it! This is your SALESFORCE_TOKEN for the Flosum Agent app.

SMTP configuration for email notifications

Keeping you updated with the status of your Flosum/Git commit activities is important to give you confidence in knowing whether your tasks are being completed or are running into issues that need to be addressed. Currently, you will receive email notifications upon initial synchronization and if your syncs and commits complete or fail. This works for both Git to Flosum and Flosum to Git commits.

Notifications for initial synchronization and Flosum to Git commits are sent to the email associated with the user who launched the processes. Notifications for a Git to Flosum commit use the email associated with the webhook of the connected Git Service, for example, the email of a user authorized in Git.

In the current implementation, email notifications will be sent for initial synchronization, commits from Git to Flosum and from Flosum to Git. For initial synchronization and Flosum to Git commits, the email of the user who launched these processes will be used. For a Git to Flosum commit, the email will be taken from the webhook of the connected Git service, i.e. it will be the email of a user authorized in Git.

  • SMTP_HOST: the hostname or IP address to connect to
  • SMTP_PORT: the port to connect to
  • SMTP_SECURE: if true, the connection will use TLS when connecting to the server. If false (the default), TLS is used if the server supports the STARTTLS extension. In most cases, set this value to true if you are connecting to port 465. For port 587 or 25, keep it false.
  • SMTP_TRACK_OPENINGS: works only for AWS SES (AWS Simple Email Service). Enables tracking of email opens.
  • SMTP_FROM: the e-mail address of the sender.
  • SMTP_AUTH_TYPE: indicates the authentication type; currently only the 'login' value is supported for this variable
  • SMTP_AUTH_USER: username
  • SMTP_AUTH_PASSWORD: the password for the user

Docker Pull Command

docker pull flosumhub/agent