Before the first run of a node, it is recommended to check the settings of the embedded database for better performances.

Transcription

1 Node settings Before the first run of a node Database configuration Other settings SSL cipher suites and protocols configuration Modify the granularity of evolution of the Time Machine latest knowledge time Modify the Time Machine live lag time Modify the maximum number of rows displayed in pagelets and instance editor Modify the maximum number of instances in constants and threshold level editors and for dashboard parameters instances Modify the maximum number of paths in selection popup Modify the duration of indicator recomputation beyond which a warning popup is shown Modify the interval between automatic checkpoints Modify the default rhythm and lag to trigger computings Modify the default number of days for which to allow data absorption in the future Recomputing settings Purge scheduling Scheduler settings HTTP settings HTTPS settings Web session timeout Web context root and reverse proxy settings Deactivate inactive accounts Data integration Authentication settings JMX server settings High volume daily memory flush (titanium-temporal) Branding HTML5 Dashboards UI Before the first run of a node Database configuration Before the first run of a node, it is recommended to check the settings of the embedded database for better performances. Persistence parameter Update the field com.systar.titanium.initialperiodvalidtimeend in (Value is a date). com.systar.titanium.initialperiodvalidtimeend= t00:00: Example 1: if the node is set up on simply put this date. Example 2: the node is set up on , but past data up to is injected, then configure the date for optimal performances Once the node has started at least once (and so has some saved data), this parameter can no longer be changed. High volume If your application will collect a high volume of data, it is recommended to update the following parameters in to 256MB memtable: com.systar.titanium.memtable.globalmaxsize=4g com.systar.titanium.memtable.individualmaxsize=256m

2 Also, in this case, it is best to have a 31 GB or 48+ GB JVM heap configuration. Don't configure a heap size between 32GB and 47GB since it will be less efficient than using a 31GB heap. -Xmx31G conf/jvm.conf Other settings SSL cipher suites and protocols configuration Location: fields in Parameter Description

3 com.systar.platform.ciphersuites.included Comma-separated list of SSL cipher suites to include. The order of this list is important because it enables the server to select first the most secure cipher suite. This is the default value used for: org.apache.felix.https.jetty.ciphersuites.included com.systar.boson.jmx.ssl.ciphersuites.included Default value TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_EMPTY_RENEGOTIATION_INFO_SCSV For more information and all available values, see supported cipher suites. Note: Although it is recommended to use the included cipher suites, it is also possible to combine them with excluded cipher suites using: org.apache.felix.https.jetty.ciphersuites.excluded com.systar.boson.jmx.ssl.ciphersuites.excluded The resulting setting is computed by first including cipher suites and then excluding. As a result, if a cipher suite is in both the included and the excluded list, it will be excluded. com.systar.platform.protocols.included Comma-separated list of SSL protocols to exclude. This is the default value used for: org.apache.felix.https.jetty.protocols.included com.systar.boson.jmx.ssl.protocols.included TLSv1.2 Default value Note: You can also combine included protocols with excluded using: org.apache.felix.https.jetty.protocols.excluded com.systar.boson.jmx.ssl.protocols.excluded The resulting setting is computed by first including protocols and then excluding. As a result, if a protocol is in both the included and the excluded list, it will be excluded.

4 Modify the granularity of evolution of the Time Machine latest knowledge time Location: field com.systar.nitrogen.dashboards.timemachine.mostcurrentttgranularity in Default value is: 3000 (3 seconds) Value is in milliseconds. Zero or negative values will be ignored. com.systar.nitrogen.dashboards.timemachine.mostcurrentttgranularity=3000 Modify the Time Machine live lag time Location: field com.systar.nitrogen.dashboards.timemachine.absorptiondelay in Default value is: (1 minute) Value is in milliseconds com.systar.nitrogen.dashboards.timemachine.absorptiondelay=30000 Modify the maximum number of rows displayed in pagelets and instance editor Pagelets consist of the activity pagelet and query pagelets (datagrid, image map, and Instance pagelets). You can use parameters for the query pagelets and the search by criteria pagelet. Location: field com.systar.carbon.queryservice.limitedresultnumber in Default value is: 500 com.systar.carbon.queryservice.limitedresultnumber=500 Modify the maximum number of instances in constants and threshold level editors and for dashboard parameters instances Location field com.systar.carbon.dataservices.limitedresultnumber in Default value is 50 com.systar.carbon.dataservices.limitedresultnumber=50

5 Modify the maximum number of paths in selection popup Location: field com.systar.carbon.dataservices.maxnumberofpaths in Default value is: 5 com.systar.carbon.dataservices.maxnumberofpaths=5 Modify the duration of indicator recomputation beyond which a warning popup is shown Location: field com.systar.oxygen.configurationeditor.durationbeforewarning in Type: Optional Default value when not set: P2D (2 days) com.systar.oxygen.configurationeditor.durationbeforewarning=p2d Format of durationbeforewarning follows ISO_8601 (wikipedia) For example, P2Y10M14DT20H13M45S means 2 years, 10 months, 14 days, 20 hours, 13 minutes, 45 seconds (care about the "T" separator) Modify the interval between automatic checkpoints Location: field com.systar.calcium.automaticcheckpointcreationinterval in Default value is: 1800 com.systar.calcium.automaticcheckpointcreationinterval=1800 The value is expressed in seconds, use 0 (zero) to disable the functionality. Modify the default rhythm and lag to trigger computings Location: fields com.systar. krypton.scheduler.collector.defaultcomputingrhythm(scalar unit), com.systar.kypton.scheduler.collector.defaultcomputinglag.(scalar unit) in com.systar.krypton.scheduler.collector.defaultcomputingrhythm.scalar=1 com.systar.krypton.scheduler.collector.defaultcomputingrhythm.unit=minutes com.systar.krypton.scheduler.collector.defaultcomputinglag.scalar=2 com.systar.krypton.scheduler.collector.defaultcomputinglag.unit=seconds Possible values for defaultcomputingrhythm.unit and defaultcomputinglag.unit are : seconds, minutes, hours, days.

6 Modify the default number of days for which to allow data absorption in the future This setting dictates the maximum number of days in the future when data is still absorbed. Absorptions that exceed this limit are rejected. If no value is set in a default of 366 days will be used. com.systar.calcium.futureabsorptionrejectthresholdindays=366 Recomputing settings Located in Field com.systar.krypton.scheduler.latedatahandler.maximumnumberofevents Indicates the number of past events you must receive before a recomputing in the past is triggered. Default value is Can be deactivated by setting it to 0. Field com.systar. krypton.scheduler.latedatahandler.maximumtimetolive Indicates the maximum age of a past event before a recomputing is triggered. Unit is millisecond. Default value is (15 minutes). This means the node won't wait more than 15 minutes before a recomputing is triggered. Can be deactivated by setting it to 0. com.systar.krypton.scheduler.latedatahandler.maximumnumberofevents= com.systar.krypton.scheduler.latedatahandler.maximumtimetolive= Purge scheduling Location: field com.systar.titanium.purge.periodic.full in You must specify a reference instant, a duration scalar and a duration type (days, weeks, months, etc.). All items are comma separated. Default value is 1 run per day at 01:00. com.systar.titanium.purge.periodic.full= t01:00:00.000,1,days Scheduler settings Located in Field com.systar.krypton.scheduler.maximumjobduration.(scalar unit) Indicates the maximum computation batch window. This affects the recomputing and the catch-up. The rule of thumbs to set these value is to calculate the smallest computed attribute rhythm divided by percentage of memory used in live. For instance, if you use 33% of memory in live and your computings are rhythmed at one minute, you should set it at 3 minutes. Default value is 1 hour. Valid units are minutes and hours (always use the plural form even if the number of unit is 1).

7 com.systar.krypton.scheduler.maximumjobduration.scalar=1 com.systar.krypton.scheduler.maximumjobduration.unit=hours HTTP settings To change the HTTP settings, modify the following parameter in : org.osgi.service.http.port=8080 Parameters: Parameter org.osgi.service.http.port Description The port used for servlets and resources available via HTTP. org.osgi.service.http.host Restrict access to the HTTP service to a certain host name or IP address. org.apache.felix.http.enable Flag to enable the use of HTTP. The default value is true. com.systar.boson.http.1_0.enable Flag to enable HTTP/ 1.0 requests. The default value is false. HTTPS settings HTTPS and HTTP listening can be activated/deactivated independently (that is HTTP only, HTTPS only, or both HTTP and HTTPS). If both are activated, connections to HTTP will be redirected to HTTPS. To change the settings, modify the following parameters in : org.apache.felix.https.enable=true org.osgi.service.http.port.secure=443 org.apache.felix.https.keystore=<absolute path to key store> org.apache.felix.https.keystore.password=<key store password> Parameters: Parameter Description org.apache.felix.https.enable Flag to enable the use of HTTPS. The default value is false. If it's set to redirected to HTTPS. org.apache.felix.http.enable Flag to enable the use of HTTP. The default value is true. org.osgi.service.http.port.secure The port used for servlets and resources available via HTTPS.

8 org.apache.felix.https.keystore The name of the file containing the key store. It's recommanded to use an dir>/conf directory, then use the ${com.systar.platform.conf.d For example: org.apache.felix.http.keystore=${com.sy org.apache.felix.https.keystore.password org.apache.felix.https.jetty.ciphersuites.included The password for the key store. Comma-separated list of SSL cipher suites to include. All HTTPS request p referenced on this list. Default values are the same as com.systar.platform.ciphersuite org.apache.felix.https.jetty.ciphersuites.excluded Comma-separated list of SSL cipher suites to exclude. All HTTPS request referenced on this list. By default, no cipher suites are excluded. org.apache.felix.https.jetty.protocols.included Comma-separated list of SSL protocols to include. All HTTPS request proc on this list. Default values are the same as com.systar.platform.protocols.i org.apache.felix.https.jetty.protocols.excluded Comma-separated list of SSL protocols to exclude. All HTTPS request pro this list. By default, no protocols are excluded. com.systar.boson.http.hstsmaxage HSTS setting ( specifying the number of se the UA regards the host (from whom the message was received) as a Kno value is strictly superior to 0. The default value is (for 6 months). See How to create a key store for HTTPS communication? to know how to create a key store for HTTPS. The key store for the HTTPS communication must contain only one key. If several keys exist in the key store, the node will not start. Web session timeout By default, the Web session timeout is set to milliseconds (i.e. 20 minutes). After 20 minutes of inactivity, the session is de-authenticated, forcing the user to authenticate to use the application. Inactivity is when the Decision Insight tab is closed. The Web session timeout cannot be lower than milliseconds (i.e. 1 minute). To change the web session timeout, add the following parameter to com.systar.photon.application.sessiontimeout= Web context root and reverse proxy settings By default, the web context root is /, that is the URL to connect to the Web application is You may want to change the web context root so that the URL becomes for example. To change the web context root, modify the following parameter in

9 com.systar.boson.http.contextroot=/bam The value of com.systar.boson.http.contextroot must start with a / character. Decision Insight can also be installed behind a reverse proxy. Only the following schemes are currently supported: Without context path Public URL http[s]://<proxy hostname>:<proxy port> Examples Internal URL http[s]://<node hostname>:<node port> Examples Reverse proxy configuration Example for Apache configured as reverse proxy: <Location /> Order allow,deny Allow from all ProxyPass ProxyPassReverse </Location> platform.properties com.systar.boson.http.proxyurl = com.systar.boson.http.contextr oot=/ org.osgi.service.http.port=808 0 With a context path The context path must be identical in the public and internal URL

10 Public URL http[s]://<proxy hostname>:<proxy port>/<context path> Examples /bam Internal URL http[s]://<node hostname>:<node port>/<context path> Examples Reverse proxy configuration Example for Apache configured as reverse proxy: <Location /bam> Order allow,deny Allow from all ProxyPass hostname>:8080/bam ProxyPassReverse hostname>:8080/bam </Location> platform.properties com.systar.boson.http.proxyurl = com.systar.boson.http.contextr oot=/bam org.osgi.service.http.port=808 0 Deactivate inactive accounts Property Default value Description com.systar.cobalt.security.user.maximuminactiveinterval 0 Maximum idle duration (in days) of inactive users before their account is deactivated. Value 0 means the functionnality is deactivated. Known limitation on primary/replica clusters: To ensure users sending Webservice or JMX calls directly to a replica node are always active, they must also send requests to the primary node so the maximum idle duration between two requests is never reached on that server.

11 Data integration General settings Property Default value Description com.systar.aluminium.log.file.maxfilesize (10Mb) Maximum size of a data integration file before rolling to another one (in bytes) com.systar.aluminium.log.file.maxbackupindex 9 Maximum number of backup log file before deleting them com.systar.aluminium.log.memory.maxsize (1Mb) Maximum size of the in-memory logs (in bytes) com.systar.aluminium.mappings.exchangecachepermapping 5 Number of exchanges to cache per Mapping, only the latest ones are stored. Value 0 means no cache at all, the maximum value is com.systar.aluminium.contexts.manualstoptimeout 300 Delay after which a routing context is forcibly stopped when a user request to stop a routing context (in seconds) com.systar.aluminium.contexts.platformshutdowntimeout 30 Delay after which routing contexts are forcibly stopped when the node shuts downs (in seconds) com.systar.aluminium.contexts.autostart true Set to false in order to disable routing contexts automatic startup The properties are configured in. Example: com.systar.gluon.nodeid=1 com.systar.gluon.clusterid= com.systar.aluminium.log.file.maxfilesize= Encryption settings To encrypt data integration properties, configure the following: The key store. The cryptographic RSA keys. When the key store is configured, some of the data is written in the database in an encrypted manner. The rest of the data in the database is not. Currently, only the data integration part of Decision Insight supports cryptographic capabilities (to store values of password properties in an encrypted form). Property Mandatory / Forbidden / Optional Description

12 com.systar.aluminium.crypto.keystore Mandatory if com.systar.aluminium.crypto.keysto repassword is set. Forbidden otherwise. The absolute path to operty. For example: com.sys com.systar.aluminium.crypto.keystorepassword Mandatory if com.systar.aluminium.crypto.keysto re is set. Forbidden otherwise. The password of the com.systar.aluminium.crypto.keystoretype Optional. The type of the key com.systar.aluminium.crypto.keystoreprovider Optional. The provider of the k com.systar.aluminium.crypto.keyalias com.systar.aluminium.crypto.keypassword Mandatory if com.systar.aluminium.crypto.keysto re is configured. Forbidden otherwise. Mandatory if com.systar.aluminium.crypto.keysto re is configured. Forbidden otherwise. The alias of the cryp The password of the The properties are configured in. Example: com.systar.gluon.nodeid=1 com.systar.gluon.clusterid= com.systar.aluminium.crypto.keystore=c:/app/crypto.keystore com.systar.aluminium.crypto.keystorepassword=some-p@ssword! com.systar.aluminium.crypto.keyalias=aluminium com.systar.aluminium.crypto.keypassword=loremipsum Useful information is available in on. For information about how to create a keystore and cryptographic RSA keys, see KeyStore Manager user guide. Decision Insight supports only RSA keys. Authentication settings LDAP To configure such an authentication, create or edit the conf/photon-authentication/settings.xml XML file. For more information, see Configuring User Directories (LDAP).

13 Single sign-on (SSO) To configure the SSO authentication, modify the com.systar.photon.application.auth.ssomode and com.systar.photon.application.auth.sso RoleProvisioning properties in according to Configure Single sign-on (SSO). Admin account management The built-in admin account is enabled by default, but for security reasons, you might want to disable it. To do this, set the com.systar.cobalt.se curity.admin.enabled property in to false. JMX server settings Except if specified during the installation, JMX connector is disabled by default with the port number configuration. See below: Port number To configure the listening JMX port, modify the com.systar.boson.jmx.port property in. If this property is missing, empty( default configuration), equal to 0 or negative, the JMX connector is disabled. Otherwise, the node listens to JMX connections on the specified port: com.systar.boson.jmx.port=1090 Network interface By default, the node listens for the JMX connection only on the local network interface ( ), that is, a connection can be established only from within the server hosting the node. To configure the node so that it listens on a different network interface, modify the com.systar.boson.jmx.interface property in conf/platform.properties: com.systar.boson.jmx.interface= SSL encryption By default, the node does not encrypt the JMX communication and credentials are sent unencrypted over the wire. To secure the JMX connection using SSL, create a key store with a certificate and modify the following properties in conf/platform.propert ies as follows. com.systar.boson.jmx.ssl.enable=true com.systar.boson.jmx.ssl.keystore=<absolute path to key store> com.systar.boson.jmx.ssl.keystorepassword=<key store password> com.systar.boson.jmx.ssl.ciphersuites.excluded=<cipersuites> Parameters: Parameter Description

14 com.systar.boson.jmx.ssl.enable Flag to enable the use of SSL encryption. The default value is false. com.systar.boson.jmx.ssl.keystore The absolute path to the key store file. T o use a path relative to the <node dir f.dir} property. For example: com.systar.boson.jmx.ssl.keystore=${com.sy com.systar.boson.jmx.ssl.password com.systar.boson.jmx.ssl.ciphersuites.included The password for the key store. Comma-separated list of SSL cipher suites to include. All requests processed by this list. Default values are the same as com.systar.platform.ciphersuites.in com.systar.boson.jmx.ssl.ciphersuites.excluded Comma-separated list of SSL cipher suites to exclude. All request processed by list. By default, no cipher suites are excluded. com.systar.boson.jmx.ssl.protocols.included Comma-separated list of SSL protocols to include. All requests processed by cli this list. Default values are the same as com.systar.platform.protocols.inclu com.systar.boson.jmx.ssl.protocols.excluded Comma-separated list of SSL protocols to exclude. All requests processed by cl list. By default, no protocols are excluded. To create the certificate and key store, see How to create a key store for HTTPS communication? When the JMX connection is encrypted with SSL and you try to connect to the node using jconsole, you might not be able to connect because jconsole does not trust the certificate installed on the server. In this case, you should add the certificate to the default trust store commonly named cacert or you should provide a key store containing the certificate to jconsole. To add a certificate to a key store (including the default trust store), see KeyStore Manager user guide. To start jconsole using a custom key store, use the following command line: jconsole -J-Djavax.net.ssl.trustStore=<path to key store> -J-Djavax.net.ssl.trustStorePassword=<key store password> High volume daily memory flush (titanium-temporal) This setting is disabled by default. If you have a high volume of daily collected data and computations not wider than the current day, you can activate this mode to force flushing all memory data once a day. For instance, flushing all memory data every day at 23h59 (node time), in order to start the next day with a fresh new empty memory. (Memory data will be still flushed when the titanium max memory size is reached). To activate this option, set the com.systar.titanium.periodicflush.enabled field to true in.

15 com.systar.titanium.periodicflush.enabled=true You can also configure the time at which the flush is triggered by setting the following parameters in default settings are 23:59.. The com.systar.titanium.periodicflush.hour=23 com.systar.titanium.periodicflush.minute=59 Branding It is possible to replace the Axway logo with your own logo. For more information, see How to change the branding? Change the product name The product name is displayed in various locations, including the login page title or the Web services documentation. To change it, for each node in your deployment, edit the file and modify the following line: com.systar.platform.label=acme Monitoring Hide the Powered By Axway Decision Insight label To hide the Powered By Axway Decision Insight message that appears in the bottom-right corner of the login page screen, for each node in your deployment edit the configuration file and add the following line: com.systar.photon.application.auth.hidepoweredbymention=true HTML5 Dashboards UI HTML5 User interface is enabled by default. It can be accessed at the URL <node URL>/ui (ex: The classic User Interface remains accessible at the URL <node URL>/app. To disable the HTML5 User interface and make it not accessible by users, edit the file and add the following line: com.systar.helium.html.ui.enabled=false