Clean 'mango.properties' File

July 25th, 2023


Here is a clean version of the mango.properties file for you to use should you need one.

#
# Copyright (C) 2023 Radix IoT LLC. All rights reserved.
#

By default if you make changes to the config file Mango will reload its settings

(note: this will not work for all settings)

properties.reloading=true

The port at which Mango Automation will listen for browser connections

web.port=8080

The host interface to which Mango Automation will bind and listen for new connections

0.0.0.0 is the special interface that will force a bind to all available interfaces

web.host=0.0.0.0

Should Mango Automation open (if possible) a browser window when it starts up?

web.openBrowserOnStartup=true

Create admin user on first start

Note: DO NOT SET IN mango.properties or env.properties! You can set these properties via environment variables or Java system properties during provisioning.

initialize.admin.create=true initialize.admin.username=admin initialize.admin.password=admin initialize.admin.email=admin@localhost

Web caching settings

disable caching

web.cache.noStore=false web.cache.noStore.rest=true web.cache.noStore.resources=false

set max age of cached files in seconds, only if noStore=false

versioned resources are those with ?v=xxx on the query string

web.cache.maxAge=0 web.cache.maxAge.rest=0 web.cache.maxAge.resources=86400 web.cache.maxAge.versionedResources=31536000

#Upload file size limit (bytes) -1 means no limit web.fileUpload.maxSize=250000000 #Maximum number of files allowed in a single request. -1 means no limit web.fileUpload.maxCount=100

Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.

This includes accessing Mango via Cloud Connect module. By default only requests from localhost are trusted.

web.forwardedHeaders.enabled=true

Set a comma separated list of IP ranges from which to trust Forwarded headers

web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1

Default database settings

The path in the db.url is relative to ${paths.data} (you can also use an absolute path)

db.type=h2 db.url=jdbc:h2:databases/mah2 db.username= db.password= #to compact the database size at shutdown (may take longer but will free up disk space) db.h2.shutdownCompact=false

#General Database Settings db.pool.maxActive=100 db.pool.maxIdle=10

relative to the logs directory configured via paths.logs, leave blank to use the same directory

db.update.log.dir=

setting to show query times in the logs as INFO

db.useMetrics=false

if set, will only log slow queries, above this threshold in ms. Will be logged at WARN level instead of INFO

db.metricsThreshold=100

#Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)

negative values will force use jdbc driver default

db.fetchSize=-1 #Number of retries for failed transactions before bailing out on error db.transaction.retries=5 #Maximum operands for IN(..) queries, will be batched into groups of this size.

On MySQL this is limited by the max_allowed_packet setting, for H2 this is undefined

db.in.maxOperands=1000

MySQL database settings. Your MySQL instance must already be running and configured before this can be used.

#db.type=mysql #db.url=jdbc:mysql://localhost/<your mysql schema name> #db.username=<your mysql username> #db.password=<your mysql password> #db.mysqldump=<location/command for mysqldump executable for backups> #db.mysql=<location/command for mysql executable for restore> #To optionally pass additional arguments to the dump command #db.mysql.extraDumpArgs=--single-transaction,--skip-lock-tables

Options for creating tables on first start

File to restore database from (relative to ${paths.data}), should point to a .sql or .zip file appropriate for the database type

#db.createTables.restoreFrom=

Enable creating createTables.log file

db.createTables.createLogFile=true

Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting

is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings

Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.

convert.db.type= convert.db.url= convert.db.username=${db.username} convert.db.password=${db.password}

#Enable the NoSQL module by default (if it is installed) db.nosql.enabled=true #Set the base path for where the NoSQL data will be stored, relative to ${paths.data} (you can also use an absolute path) db.nosql.location=databases #Set the folder name of the point value store db.nosql.pointValueStoreName=mangoTSDB #Set the number of files the database can have open at one time db.nosql.maxOpenFiles=500 #Time after which a shard will be closed db.nosql.shardStalePeriod=36000000 #Period to check for stale shards db.nosql.flushInterval=300000 #Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER] db.nosql.shardStreamType=MAPPED_BYTE_BUFFER #Setting to speed up NoSQL queries at the expense of a small increase in disk usage db.nosql.reversible=true #Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE] db.nosql.convert=NONE #Number of concurrent threads to use to convert the database db.nosql.convertThreads=4

Run the corruption scan on startup (only if database is marked dirty)

db.nosql.runCorruptionScan=false

Disable creating/deleting dirty marker (.drty) files

db.nosql.disableDirtyFiles=true

Only run corruption scan on shards with dirty marker (.drty) files

Note: This option has no effect when db.nosql.disableDirtyFiles=true

db.nosql.onlyScanDirty=true

scans for and deletes empty directories in the TSDB directory on startup

db.nosql.deleteEmptyDirsAtStartup=true

Configure chunk size for streaming values from and to the TSDB.

Defines a maximum number of point values to read/write into memory.

Increasing this setting may increase performance but will increase memory consumption when querying for point values.

#db.nosql.chunkSize=16384

Max number of attempts to lock series/shard while writing synchronously

#db.nosql.maxLockAttempts=10

#Password encryption scheme [BCRYPT, SHA-1, NONE] #Legacy is SHA-1, 2.8+ BCRYPT #security.hashAlgorithm=BCRYPT #security.bcrypt.log2Rounds=10

#Size of in memory cache to hold a role's inheritance list, this represents the

maximum number of roles to keep in the cache at any given time

cache.roles.size=1000 #Cache all users in memory for performance cache.users.enabled=true #Size of in memory cache to hold created Permissions, this represents the

maximum number of roles to keep in the cache at any given time

cache.permission.size=1000

The location of the Mango Automation store from which to get license files.

store.url=https://store.mango-os.com

Disables upgrading the core or modules, note that this does not prevent unpacking of core/module zip files

store.disableUpgrades=false

SSL/TLS setup

Note: Enabling SSL/TLS also turns on HSTS by default, see the ssl.hsts.enabled setting below

ssl.on=true ssl.port=8443

Configure the key store from which to load X.509 certificate chain and private key.

All key store settings are reloaded dynamically.

If the keystore file does not exist, a temporary self-signed certificate is used instead.

Path to a PKCS #12 or JKS key store, relative to ${paths.data}

By default, use the path to the key store created by the Mango PKI service.

ssl.keystore.location=${pki.keyStore}

Key store password

ssl.keystore.password=${pki.keyStorePassword}

Key password (if not set, it is assumed to be the same as the key store password)

#ssl.key.password=

Watch the key store file for changes and reload the certificates/keys for SSL/TLS when it changes

ssl.keystore.watchFile=true

#Time socket can be idle before being closed (ms) ssl.socketIdleTimeout=70000

Enable ALPN (Application-Layer Protocol Negotiation) for HTTP/2 support.

Current browsers only support HTTP/2 for SSL/TLS connections.

ssl.alpn.on=true

Configure HSTS (HTTP Strict Transport Security)

Enabled by default when ssl.on=true

Sets the Strict-Transport-Security header, web browsers will always connect using HTTPS when they

see this header and they will cache the result for max-age seconds

ssl.hsts.enabled=true ssl.hsts.maxAge=31536000 ssl.hsts.includeSubDomains=false

System time zone. Leave blank to use default VM time zone.

timezone=

#Rest API Configuration rest.enabled=true

#Enable to make JSON More readable rest.indentJSON=false #Cross Origin Request Handling rest.cors.enabled=false rest.cors.allowedOrigins= rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE,HEAD rest.cors.allowedHeaders=content-type,x-requested-with,authorization rest.cors.exposedHeaders= rest.cors.allowCredentials=false rest.cors.maxAge=3600

disable browser redirects

rest.disableErrorRedirects=false

Defaults for temporary resource lifetime (Can override via endpoint parameters if supplied)

Default time before the resource is removed after completion

rest.temporaryResource.expirationPeriods=1 rest.temporaryResource.expirationPeriodType=HOURS

Default time that the task is allowed to run for before it is cancelled

rest.temporaryResource.timeoutPeriods=3 rest.temporaryResource.timeoutPeriodType=HOURS

Limits the rate at which an unauthenticated IP address can access the REST API

Defaults to an initial 10 request burst then 2 requests per 1 second thereafter

rateLimit.rest.anonymous.enabled=true rateLimit.rest.anonymous.burstQuantity=40 rateLimit.rest.anonymous.quanitity=5 rateLimit.rest.anonymous.period=1 rateLimit.rest.anonymous.periodUnit=SECONDS

Limits the rate at which an authenticated user can access the REST API

Disabled by default

rateLimit.rest.user.enabled=false rateLimit.rest.user.burstQuantity=20 rateLimit.rest.user.quanitity=10 rateLimit.rest.user.period=1 rateLimit.rest.user.periodUnit=SECONDS

Limits the rate at which authentication attempts can occur by an IP address

Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter

rateLimit.authentication.ip.enabled=true rateLimit.authentication.ip.burstQuantity=5 rateLimit.authentication.ip.quanitity=1 rateLimit.authentication.ip.period=1 rateLimit.authentication.ip.periodUnit=MINUTES

Limits the rate at which authentication attempts can occur against a username

Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter

rateLimit.authentication.user.enabled=true rateLimit.authentication.user.burstQuantity=5 rateLimit.authentication.user.quanitity=1 rateLimit.authentication.user.period=1 rateLimit.authentication.user.periodUnit=MINUTES

#For rest API Documentation at /swagger-ui.html swagger.enabled=false #path to api-docs for swagger tools, will be appended to base REST api version URL i.e. /rest/v1/ springfox.documentation.swagger.v2.path=/swagger/v2/api-docs

Require authentication to access Swagger API documentation.

If you set this to false then you can use an authentication token (generated on the Mango Users page) from the swagger UI instead.

To use, enter: Bearer <space> <token value> into the Authorize value input in the swagger ui

swagger.apidocs.protected=true

#Distributor Settings distributor=IA

#Jetty Thread Pool Tuning

Time a thread must be idle before killing to keep pool size at minimum

web.threads.msIdleTimeout=30000

Number of threads allowed to be created to handle incoming requests as needed (defaults to 10x number of processors, or 200, whichever is greater)

web.threads.maximum=

Number of threads to keep around to handle incoming connections (defaults to max threads, or 8, whichever is lesser)

web.threads.minimum=

Number of Requests To queue if all threads are busy (defaults 1280)

web.requests.queueSize=

Ping timeout for response from browser

web.websocket.pingTimeoutMs=10000 #Time socket can be idle before being closed (ms) web.socketIdleTimeout=70000

Default async request timeout

#web.async.timeout=120000

Enable collection of connection statistics

web.connectionStatistics=true

Enable Jetty JMX support

web.enableJmx=true

#Jetty QoS filter settings

https://www.eclipse.org/jetty/documentation/current/qos-filter.html

Filter enabled setting

web.qos.enabled=false #The maximum number of requests to be serviced at a time. The default is 10. web.qos.maxRequests=10 #The length of time, in milliseconds, to wait while trying to accept a new request. Used when the maxRequests limit is reached. Default is 50 ms web.qos.waitMs=50 #Length of time, in milliseconds, that the request will be suspended if it is not accepted immediately. If set to -1, the container default timeout applies. Default is 30000 ms. web.qos.suspendMs=30000

#Jetty DoS filter settings

https://www.eclipse.org/jetty/documentation/current/dos-filter.html

Filter enabled setting

web.dos.enabled=false #Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25. web.dos.maxRequestsPerSec=75 #Delay imposed on all requests over the rate limit, before they are considered at all

100ms default, -1 = Reject request, 0 = no delay, any other value is delay in ms

web.dos.delayMs=100 #Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms. web.dos.maxWaitMs=50 #Number of requests over the rate limit able to be considered at once. Default is 5. web.dos.throttledRequests=5 #Length of time, in ms, to async wait for semaphore. Default is 30000. web.dos.throttleMs=30000 #Length of time to let the request run, default is 30000 (Keep above 60s for DWR Long Poll to work in legacy UI) web.dos.maxRequestMs=120000 #Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000. web.dos.maxIdleTrackerMs=30000 #If true, insert the DoSFilter headers into the response. Defaults to true. web.dos.insertHeaders=true #If true, usage rate is tracked by session if a session exists. Defaults to true. web.dos.trackSessions=true #If true and session tracking is not used, then rate is tracked by IP and port (effectively connection). Defaults to false. web.dos.remotePort=false #A comma-separated list of IP addresses that will not be rate limited.

Note: These are actual client IPs when behind a proxy server if you configure web.forwardedHeaders.trustedIpRanges to trust your proxy's IP

web.dos.ipWhitelist=

#Jetty Low Resource Management (Used to attempt to free resources when under heavy load)

https://www.eclipse.org/jetty/documentation/current/limit-load.html

web.lowResource.enabled=false

Period in ms to check for a low resource condition, default 10000

web.lowResource.checkPeriod=10000

In low resource condition all existing connection idle timeouts are set to this value, default 1000

web.lowResource.lowResourcesIdleTimeout=1000

check connectors executors to see if their ThreadPool instances that are low on threads, default true

web.lowResource.monitorThreads=true

The maximum memory in bytes that Java is allowed to use before the low resource condition is triggered.

If left empty, the default is 90% of the maximum memory the JVM is configured to use.

Set to 0 to disable the memory usage checks.

web.lowResource.maxMemory=

The time in milliseconds that a low resource state can persist before the low resource idle timeout is reapplied to all connections, default 5000

web.lowResource.maxLowResourceTime=5000

If false, new connections are not accepted while in low resources

web.lowResource.acceptingInLowResources=true

Maximum number of allowed connections, defaults to 0 (disabled)

web.connectionLimit=0

Jetty default servlet configuration (init parameters)

See for descriptions

https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-webapp/src/main/config/etc/webdefault.xml

web.defaultServlet.dirAllowed=false web.defaultServlet.maxCacheSize=256000000 web.defaultServlet.maxCachedFileSize=200000000 web.defaultServlet.maxCachedFiles=2048 web.defaultServlet.etags=false

defaults to false for Windows, defaults to true for all other OS

see https://www.eclipse.org/jetty/documentation/current/troubleshooting-locked-files-on-windows.html

#web.defaultServlet.useFileMappedBuffer=true

#iFrame Header Control iFrame Header Control 'X-Frame-Options' (case sensitive options)

SAMEORIGIN - Only allow Mango to embed i-frames when the requesting page was loaded from the Mango domain

DENY - Do not allow at all

ANY - Do not even use the header at all

One specific domain name can be supplied so that the header becomes: ALLOW-FROM http://foo.bar.com

web.security.iFrameAccess=SAMEORIGIN

#Follow symbolic links when serving files from Jetty web.security.followSymlinks=true

Content Security Policy settings, please see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

The reasons for the default policy are outlined below

style-src 'unsafe-inline' - inline styles are used by AngularJS Material for the dynamic theming

script-src 'unsafe-eval' - needed by Fabric.js used in amCharts for drawing on charts, also gives AngularJS a 30% performance boost

connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname

img-src data: - allows for small base64 encoded images to be embedded inline into the html

img-src/script-src https://www.google-analytics.com - allows for enabling Google analytics (not enabled by default, must be manually enabled by admin via UI Settings page)

img-src/script-src https://maps.google.com https://maps.googleapis.com https://maps.gstatic.com - allows for using the Google maps component

style-src/font-src https://fonts.googleapis.com https://fonts.gstatic.com - allows for using Google fonts in dashboards

web.security.contentSecurityPolicy.enabled=false web.security.contentSecurityPolicy.reportOnly=false web.security.contentSecurityPolicy.defaultSrc='self' web.security.contentSecurityPolicy.scriptSrc='self' 'unsafe-eval' https://maps.google.com https://maps.googleapis.com https://www.google-analytics.com web.security.contentSecurityPolicy.styleSrc='self' 'unsafe-inline' https://fonts.googleapis.com web.security.contentSecurityPolicy.connectSrc='self' ws: wss: web.security.contentSecurityPolicy.imgSrc='self' data: https://maps.google.com https://maps.gstatic.com https://www.google-analytics.com web.security.contentSecurityPolicy.fontSrc='self' https://fonts.gstatic.com web.security.contentSecurityPolicy.mediaSrc= web.security.contentSecurityPolicy.objectSrc= web.security.contentSecurityPolicy.frameSrc= web.security.contentSecurityPolicy.workerSrc= web.security.contentSecurityPolicy.manifestSrc= web.security.contentSecurityPolicy.other=

#Regex used to match serial ports so they show up in the menu serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]{1,3}|rs(232|485)-[0-9]) serial.port.linux.path=/dev/ serial.port.windows.regex= serial.port.windows.path= serial.port.osx.path=/dev/ serial.port.osx.regex=(cu|tty)..* #Number of bytes read events to queue up before discarding serial.port.eventQueueSize=10000 #Rate at which to poll the serial port for new data events in Linux (Windows uses interrupts)

this is only used by the Serial data source all others directly poll the port

serial.port.linux.readPeriods=500 serial.port.linux.readPeriodType=MILLISECONDS

Start data sources in parallel threads (default 1)

#runtime.datasource.startupThreads=1

Stop data sources in parallel threads (default 1)

#runtime.datasource.shutdownThreads=1

Start publishers in parallel threads (default 1)

#runtime.publisher.startupThreads=1

Stop publishers in parallel threads (default 1)

#runtime.publisher.shutdownThreads=1

#Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time) runtime.datasource.pollAbortedLogFrequency=3600000

Start data points in parallel threads (default: number of CPU cores)

#runtime.datapoint.startupThreads=8

Number of data points to start in each thread

#runtime.datapoint.startupThreads.pointsPerThread=1000

Start published points in parallel threads (default: number of CPU cores)

#runtime.publishedPoint.startupThreads=8

Number of published points to start in each thread

#runtime.publishedPoint.startupThreads.pointsPerThread=1000

#Report Javascript Execution Times at INFO Level logging

add this to log4j.xml <category name="org.perf4j.TimingLogger"><level value="info"/></category>

runtime.javascript.metrics=false

#Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?

Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task

runtime.realTimeTimer.defaultTaskQueueSize=0 #When a task queue is full should the waiting tasks be discarded and replaced with the most recent runtime.realTimeTimer.flushTaskQueueOnReject=false #Delay (in ms) to wait to rate limit task rejection log messages so they don't fill up logs and use too much cpu doing it runtime.taskRejectionLogPeriod=10000 #Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run

each count is 1 second. So the default of 60 = 1 minute. Note that the medium and low

timeout happens first and then the remaining time is spent waiting of the high priority tasks.

So by setting both to the same value will result in waiting only as long as that value.

runtime.shutdown.medLowTimeout=60 runtime.shutdown.highTimeout=60

Installation directory of Mango (defaults to working directory, or legacy MA_HOME environment variable)

#paths.home=

Base directory for storing variable data (relative to ${paths.home} unless absolute)

#paths.data=

NOTE: All of the following paths are relative to ${paths.data} unless absolute path is supplied

path to the filestore base directory

filestore.location=filestore

path to the module data base directory

moduleData.location=data

path to temporary files base directory (default: Java system property 'java.io.tmpdir' e.g. /tmp or C:\Users%username%\AppData\Local\Temp)

If this is set, it will override the 'java.io.tmpdir' system property

#paths.temp=

path to the log files base directory

paths.logs=logs

default path for backups (e.g. configuration backups, SQL backups, NoSQL point value backups)

note: this is the default, some of these locations are configurable via system settings

paths.backup=backup

overrides path, typically for freemarker templates (/ftl) and web overrides (/web)

paths.overrides=overrides

PID file location (used by start-mango.sh)

paths.pid.file=ma.pid

Start options script (used by start-mango.sh)

paths.start.options=start-options.sh

HTTP session (authentication) cookie name and domain name settings.

Use the Mango GUID as the session cookie name

sessionCookie.useGuid=true

name takes precedence over useGuid if set

sessionCookie.name=

Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.

If left blank the session cookie can only be used for the domain that you login at.

sessionCookie.domain=

Persist sessions into the database

sessionCookie.persistent=true

Check to see if session should be saved, only saved if session was changed, 0 means always save after every request

sessionCookie.persistPeriodSeconds=30

Additional advanced session cookie settings

#sessionCookie.secure=true #sessionCookie.path=/ #sessionCookie.comment=

Maximum age of the session cookie before it is cleared by the browser. A value of -1 means that it will not expire.

Note: This setting is different from the session expiration period which is configured via the System Settings page

and invalidates inactive sessions in the backend.

sessionCookie.maxAge=-1

Controls the poll period for collecting internal metrics

internal.monitor.pollPeriod=10000

Controls the poll period for collecting disk usage

internal.monitor.diskUsage.pollPeriod=1200000

Should MA_HOME and each file store directory be monitored individually in addition to the partitions?

internal.monitor.diskUsage.monitorDirectories=false

monitor SQL database directory size

internal.monitor.diskUsage.monitorSql=false

monitor TSDB (NoSQL) database directory size

internal.monitor.diskUsage.monitorTsdb=false

enables getting operating system, process, and hardware information via the OSHI native library

internal.monitor.enableOperatingSystemInfo=true

These settings are used in the default log4j2.xml file included with Mango. For more control, specify your own

log4j2.xml configuration file using the log4j2.configurationFile property.

logger for messages from Mango

logger.mango.level=info logger.mango.includeLocation=true

logger for messages from scripts

logger.script.level=trace logger.script.includeLocation=false

root logger, logs all other messages (e.g. messages from libraries used by Mango)

logger.root.level=warn logger.root.includeLocation=true

stdout console appender

appender.stdout.level=trace appender.stdout.pattern=%-5p %d{ISO8601} (%C.%M:%L) - %m%n

ma.log file appender

appender.logfile.level=trace appender.logfile.pattern=%-5p %d{ISO8601} (%C.%M:%L) - %m%n appender.logfile.size=100MB appender.logfile.delete.age=30d appender.logfile.delete.count=1000 appender.logfile.delete.size=1GB

script log file appender

appender.script.level=trace appender.script.pattern=%-5p %d{ISO8601} %c - %m%n appender.script.size=100MB appender.script.delete.age=30d appender.script.delete.count=1000 appender.script.delete.size=1GB

You can configure any log4j2 property here

See https://logging.apache.org/log4j/2.x/manual/configuration.html#System_Properties

e.g. path to your own log4j2 configuration file (relative to ${paths.data} unless absolute}

#log4j2.configurationFile=path/to/log4j2.xml

Authentication settings

authentication.token.enabled=true authentication.basic.enabled=true authentication.basic.realm=Mango authentication.session.maxSessions=10 authentication.oauth2.enabled=false

OAuth2 client settings

comma separated list of client registration ids to enable

oauth2.client.registrationIds=

pre-configured providers are Google, Github, Facebook, Okta and OneLogin (see org.springframework.security.config.oauth2.client.CommonOAuth2Provider)

#oauth2.client.registration.{registrationId}.provider=onelogin #oauth2.client.registration.{registrationId}.clientId={your client id} #oauth2.client.registration.{registrationId}.clientSecret={your client secret} #oauth2.client.registration.onelogin.authorizationUri=https://{your subdomain}.onelogin.com/oidc/2/auth #oauth2.client.registration.onelogin.tokenUri=https://{your subdomain}.onelogin.com/oidc/2/token #oauth2.client.registration.onelogin.jwkSetUri=https://{your subdomain}.onelogin.com/oidc/2/certs #oauth2.client.registration.onelogin.issuerUri=https://{your subdomain}.onelogin.com/oidc/2 #oauth2.client.registration.onelogin.userInfoUri=https://{your subdomain}.onelogin.com/oidc/2/me

add provider defaults for OneLogin, to use this provider you will need to configure your registration URIs

oauth2.client.provider.onelogin.userInfoAuthenticationMethod=header oauth2.client.provider.onelogin.clientAuthenticationMethod=basic oauth2.client.provider.onelogin.authorizationGrantType=authorization_code oauth2.client.provider.onelogin.scope=openid,name,profile,groups,email,params,phone oauth2.client.provider.onelogin.clientName=OneLogin oauth2.client.provider.onelogin.userMapping.roles=groups

provider defaults for Google

oauth2.client.provider.google.userMapping.username=email

provider defaults for Github

oauth2.client.provider.github.userMapping.issuer.fixed=https://github.com oauth2.client.provider.github.userMapping.subject=id oauth2.client.provider.github.userMapping.username=login oauth2.client.provider.github.userMapping.username.suffix=@users.noreply.github.com oauth2.client.provider.github.userMapping.email=login oauth2.client.provider.github.userMapping.email.suffix=@users.noreply.github.com

provider defaults for Microsoft, to use this provider you will need to configure your registration URIs

oauth2.client.provider.microsoft.userInfoAuthenticationMethod=header oauth2.client.provider.microsoft.clientAuthenticationMethod=basic oauth2.client.provider.microsoft.authorizationGrantType=authorization_code oauth2.client.provider.microsoft.scope=openid,profile,email oauth2.client.provider.microsoft.clientName=Microsoft oauth2.client.provider.microsoft.userInfoUri=https://graph.microsoft.com/oidc/userinfo

set default mappings to OpenID Connect claim names, see org.springframework.security.oauth2.core.oidc.StandardClaimNames

issuer and subject are required and should form a unique pair, do not change these unless your OAuth2 provider is not OpenID Connect compliant

oauth2.client.default.userNameAttributeName=sub oauth2.client.default.userMapping.issuer=iss oauth2.client.default.userMapping.subject=sub oauth2.client.default.userMapping.username=preferred_username oauth2.client.default.userMapping.name=name oauth2.client.default.userMapping.email=email oauth2.client.default.userMapping.phone=phone_number oauth2.client.default.userMapping.locale=locale oauth2.client.default.userMapping.timezone=zoneinfo

mapping of individual roles can be configured below

oauth2.client.default.userMapping.roles=roles

enable syncing of roles from identity provider to Mango user

oauth2.client.default.userMapping.roles.sync=true

ignore some roles from identity provider (comma separated list)

oauth2.client.default.userMapping.roles.ignore=

add prefix to roles from identity provider

oauth2.client.default.userMapping.roles.prefix=

add suffix to roles from identity provider

oauth2.client.default.userMapping.roles.suffix=

map a role from the identity provider to a different role xid

#oauth2.client.default.userMapping.roles.map.xyz=superadmin

add additional roles to the user (comma separated list), user role is added implicitly

oauth2.client.default.userMapping.roles.add=

Public Key Infrastructure (PKI)

All PKI paths are relative to ${paths.data} unless absolute.

Enable the PKI service

pki.enabled=true

Path for storing and loading the server/client public key (PEM encoded)

pki.publicKey=certificates/instance.pub

Path for storing and loading the server/client private key (PEM encoded PKCS #8)

pki.privateKey=certificates/instance.key

Path for storing and loading the server/client certificate (PEM encoded X.509)

pki.certificate=certificates/instance.crt

Subject Alternative Names (SANs) for the certificate (DNS names or IP addresses, comma separated)

The first entry will be used as subject CN. If not set, the DNS names are automatically determined.

#pki.subjectAlternativeNames=

Path for storing a PKCS #12 key store, created from the above certificate chain and private key

pki.keyStore=certificates/instance.p12

Password to use for the key store and key password

pki.keyStorePassword=password

Period to check PKI certificates for expiration and auto-renew

pki.monitor.checkPeriod=10 minutes

Auto-renew certificates which are expiring soon, if false alarms will still be raised

pki.monitor.autoRenewEnabled=true

Renew certificate and/or raise alarms when certificates have less than this amount of time left before expiration.

Can be expressed as an absolute amount of time (e.g. 3 days) or a percentage of total validity (e.g. 25%).

e.g. for a certificate with 1 year validity, 25% means that with 3 months left it would be considered "expiring soon".

pki.monitor.expiringSoonThreshold=25%

Enable the default Mango certificate authority (CA) service

pki.ca.name=defaultCertificateAuthority

Path for storing and loading the CA public key (PEM encoded)

pki.ca.publicKey=certificates/ca.pub

Path for storing and loading the CA private key (PEM encoded PKCS #8)

pki.ca.privateKey=certificates/ca.key

Path for storing and loading the CA certificate (PEM encoded X.509)

pki.ca.certificate=certificates/ca.crt

When creating the root/intermediate CA certificate, how long is it valid for

pki.ca.caCertificateValidity=10 years

When signing a server/client certificate, how long is it valid for (certificates are automatically renewed before expiration)

pki.ca.certificateValidity=1 days

Name of Java security provider e.g. BC for Bouncy Castle

pki.providerName=BC

Key algorithm e.g. EC (elliptic curve), EdDSA (Edwards-Curve) or RSA

See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#keypairgenerator-algorithms

pki.keyAlgorithm=EC

Curve name for EC/EdDSA (e.g. secp256r1, Ed25519) or key size for RSA (e.g. 2048, 4096)

See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#parameterspec-names

pki.keyParameters=secp256r1

Signature algorithm for certificates, e.g. SHA256withECDSA for EC, Ed25519 for EdDSA or SHA512WithRSA for RSA

See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#signature-algorithms

pki.signatureAlgorithm=SHA256withECDSA

Enable gRPC server

grpc.server.enabled=true

gRPC server TCP port

grpc.server.port=9090

Enable gRPC reflection service

grpc.server.reflectionEnabled=true

Enable TLS on the gRPC server port

grpc.server.tlsEnabled=true

Server X.509 certificate, including full certificate chain. Path to file (PEM encoded).

grpc.server.certChain=${pki.certificate}

Server private key. Path to file (PEM encoded).

grpc.server.privateKey=${pki.privateKey}

Root certificates for verification of client certificates (mTLS). If empty the OS/Java default root certificates will be used. Path to file (PEM encoded).

grpc.server.rootCerts=${pki.ca.certificate}

Client authentication options (mTLS): NONE/OPTIONAL/REQUIRE

grpc.server.clientAuth=REQUIRE

Client X.509 certificate, including full certificate chain. Path to file (PEM encoded).

grpc.client.certChain=${pki.certificate}

Client private key. Path to file (PEM encoded).

grpc.client.privateKey=${pki.privateKey}

Root certificates for verification of the server certificate. If empty the OS/Java default root certificates will be used. Path to file (PEM encoded).

grpc.client.rootCerts=${pki.ca.certificate}

Interval to check for changes to files (used for checking changes to SSL/TLs certificates)

fileWatchService.checkInterval=10 seconds

Copyright © 2024 Radix IoT, LLC.