Gateway System Properties
This topic lists the properties that can be used in the system.properties file. These properties are used to override the default behavior of the gateway.
WARNING! Configuring system properties should only be attempted by advanced users or as directed by CA Technical Support. Improper use may degrade performance of your Gateway or even render it inoperable. The list in this appendix represents only a fraction of the available system properties.
To modify a Gateway system property:
- Locate and open the following file in a text editor: /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
- Add a line in the format: [system property name] = [value]
- Save and exit the file, then stop and restart the Gateway.
In the following list, <SSG> is the home directory for the Gateway: /opt/SecureSpan/Gateway.
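The edit step above as an idempotent shell function, added here as an example and not part of the CA documentation: it rewrites an existing key in place or appends a new "[name] = [value]" line, so repeated runs never leave duplicate keys. The file path and property names come from this page; the temporary demo file is constructed.

```shell
#!/bin/sh
# Added example, not from the CA documentation: idempotently set a Gateway
# system property in system.properties using the "[name] = [value]" line
# format described above. The real file is
# /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties; the demo
# at the bottom writes a constructed temporary copy so it runs anywhere.

# set_gateway_property FILE KEY VALUE
# Rewrites an existing "KEY = ..." (or "KEY: ...") line in place, or appends
# one if the key is absent, so re-running never leaves duplicate keys.
# Commented-out lines ("#KEY=...") are left untouched.
set_gateway_property() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1) {
                rest = substr(line, length(k) + 1)
                if (rest ~ /^[ \t]*[=:]/) {
                    if (!found) { print k " = " v; found = 1 }
                    next
                }
            }
            print
        }
        END { if (!found) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_gateway_property FILE KEY
# Prints the effective value of KEY (first matching line), or nothing.
get_gateway_property() {
    awk -v k="$2" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1) {
                rest = substr(line, length(k) + 1)
                if (match(rest, /^[ \t]*[=:][ \t]*/)) {
                    print substr(rest, RLENGTH + 1); exit
                }
            }
        }' "$1"
}

# Demo on a constructed sample file (not a real Gateway install).
demo_file=$(mktemp)
printf '%s\n' '# constructed sample system.properties' \
    'com.l7tech.server.audit.purgeMinimumAge = 168' > "$demo_file"
# Hardening setting from this page: reject elements with duplicate ID attributes.
set_gateway_property "$demo_file" com.l7tech.util.allowDuplicateIdAttrsOnElem false
# An existing key is rewritten in place rather than duplicated.
set_gateway_property "$demo_file" com.l7tech.server.audit.purgeMinimumAge 336
cat "$demo_file"
rm -f "$demo_file"
```

The Gateway must still be stopped and restarted after the file changes, as the procedure above states.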
System Properties
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost
The maximum number of concurrent outbound HTTP connections permitted from the Gateway to a given remote host. Default: 1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections
The total number of concurrent outbound HTTP connections permitted from the Gateway, regardless of the number of remote hosts. Default: 3000
com.l7tech.common.http.prov.apache.CommonsHttpClient.staleCheckCount
Number of stale-checked connections per interval. Default: 1
com.l7tech.common.http.prov.apache.CommonsHttpClient.useExpectContinue
Use the "Expect: 100-continue" header during HTTP routing. Default: false
com.l7tech.common.http.prov.apache.CommonsHttpClient.noKeepAlive
Permits use of persistent connections. Default: false
com.l7tech.common.http.strictCookieExpiryFormat
How to respond if the date format of a cookie is not recognized:
- true - An exception is thrown, the event is logged, and the cookie is not sent. (Default)
- false - No exception is thrown; the cookie is returned to the client with a max age of "0".
com.l7tech.common.mime.allowLaxEmptyMultipart
How empty multipart messages are treated.
- true - An incoming empty multipart message is treated as an empty single-part message, while retaining a multipart Content-Type.
- false - No change to how empty multipart messages are treated. (Default)
com.l7tech.external.assertions.hazelcastembeddedprovider.network.port
The inbound port on which the Gateway Hazelcast instance listens. Default: 8777
com.l7tech.external.assertions.hazelcastembeddedprovider.tcpip.connection.timeout
The length of time for members to accept client connection requests before a timeout occurs. Default: 5 (seconds)
com.l7tech.external.assertions.rawtcp.defaultRequestSizeLimit
The maximum number of bytes in a raw TCP routing request (to the back-end service). Default: 1048576
com.l7tech.external.assertions.rawtcp.defaultResponseSizeLimit
The maximum number of bytes in a raw TCP routing response (returned to the Gateway). The default setting of "-1" indicates that the limit should be retrieved from the cluster property io.xmlPartMaxBytes. Default: -1
com.l7tech.external.assertions.samlpassertion.validateSSOProfile
Whether the Build SAML Protocol Response Assertion should validate profile rules.
- true - Rules are validated; if a rule is broken, the assertion fails and a warning audit is logged. (Default)
- false - Rules are not validated.
com.l7tech.external.assertions.ssh.server.enableMacMd5
Removes the HMAC-MD5 algorithm from the MAC algorithm list.
- true - Does not remove the HMAC-MD5 algorithm from the MAC algorithm list.
- false - Removes the HMAC-MD5 algorithm from the MAC algorithm list. (Default)
com.l7tech.external.assertions.ssh.server.enableMacNone
Removes the "none" MAC algorithm from the MAC algorithm list.
- true - Does not remove the "none" MAC algorithm from the MAC algorithm list. The MAC algorithm is not used.
- false - Removes the "none" MAC algorithm from the MAC algorithm list. (Default)
com.l7tech.gateway.config.backuprestore.nouniqueimagename
Make the backup image name unique.
- true - Prefix the image name with a timestamp (yyyyMMddHHmmss).
- false - Do not add a timestamp to the image name. (Default)
com.l7tech.hacounter.batchLimit
Number of individual writes to batch together before writing to the database. Lower values cause more individual writes to the database, based on how many entries are in the queue to be written. Default: 4096
com.l7tech.hacounter.coreThreads
Core number of threads to have writing to the database. Default: 16
com.l7tech.hacounter.counterQueueSize
Counter queue size. This can be reflective of the number of requests per unit time that you expect to see. For example, with the write flush at 1, this means the Gateway can handle at most 4096 x 1 sec = 4096 requests/sec. Larger values allow more requests through, but at the expense of more system resource usage. This setting is closely tied to the flush time for writes (com.l7tech.hacounter.flushTimeWriteDatabase). Default: 4096
com.l7tech.hacounter.flushTimeWriteDatabase
Time limit until a flush of the writes to the database from the write queue. Change only if you require more or less frequent flushes. This may affect the frequency of database writes, and the allowed access may exceed the permitted throughput in some instances. Default: 500 (milliseconds)
com.l7tech.hacounter.keepAliveSec
Maximum length of time to keep alive the write to the database. Default: 10 (seconds)
com.l7tech.hacounter.maxThreads
Maximum number of threads to have writing to the database. Default: 128
com.l7tech.hacounter.supervisorQueueSize
Supervisor queue size. The default means there can be 4096 counters, each having a counter queue size (com.l7tech.hacounter.counterQueueSize). Larger values consume more RAM. Default: 4096
com.l7tech.hacounter.timeClearReadCache
Time limit before clearing the counter cache, which causes another read of the counter from the database. Changing the value may affect the throughput. Default: 60000 (milliseconds)
com.l7tech.http.maxParameterLength
Maximum length of a single field within an HTTP form post body (content type application/x-www-form-urlencoded). Default: 1000000
com.l7tech.kmp.properties
Location of the kmp.properties file, either absolute or relative to the directory where omp.dat would normally be found. The default value assumes this file is located in the same directory as the omp.dat file. Default: kmp.properties
com.l7tech.message.httpParamsMaxFormPost
Maximum number of bytes to buffer when processing an HTTP form post (application/x-www-form-urlencoded). Default: 5242880
This system property has been superseded by the cluster property io.httpParamsMaxFormPostBytes. However, if both are used, the system property takes precedence.
com.l7tech.ncipher.preference
This property is applied automatically when Gateway use of nCipher is enabled via the Gateway main menu, if using a FIPS level 3 security world. Manually adding this system property should not be necessary unless upgrading an existing Gateway. Default: highest
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes
com.l7tech.security.secureconversation.defaultSecretLengthInBytes
Add these properties to change the derived key length for the default WS-SecureConversation. Default: 32
The following property must also be set in the XML VPN Client:
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes=16
com.l7tech.policy.assertion.HttpPassthroughRuleSet.headersToSkip
This property defines which headers should not be passed through in the Route via HTTP(S) Assertion (Headers tab). If this property is not defined explicitly, the Gateway excludes all default headers. Default: keep-alive, connection, server, content-type, date, content-length, transfer-encoding, content-encoding, host
To force one of the excluded headers to be passed through, update the default list by removing the desired header.
com.l7tech.server.attachmentDirectory
Directory for caching large SOAP attachments. Default: <SSG>/node/default/var/attachments/
com.l7tech.server.audit.messageThreshold
Minimum level required of a Message Audit record for it to be saved to the database. Default: WARNING
com.l7tech.server.audit.adminThreshold
Minimum level required of an Admin Audit record for it to be saved to the database. Default: INFO
com.l7tech.server.audit.detailThreshold
Minimum level required of an audit detail message for it to be saved to the database. Default: INFO
com.l7tech.server.audit.hinting
Enable audit messages to provide hints for audited information (such as request XML). Default: true
com.l7tech.server.audit.assertionStatus
Use the highest assertion status level when checking if a record should be saved. Default: true
com.l7tech.server.audit.detailThresholdRespected
Use the audit detail level when checking if a record should be saved. Default: true
com.l7tech.server.audit.purgeMinimumAge
Minimum age of audit records that can be purged. Default: 168 (hours)
com.l7tech.server.audit.log.format
Available as of Version 9.4 CR1. Affects the Container Gateway form factor only. Enriches logs to provide the same level of information or detail as audits and to correlate entries belonging to a single action. Enter 'json' as the value to enable rich logs and JSON formatting.
If log enrichment is enabled, this supersedes the following audit cluster properties:
com.l7tech.server.audit.log.service.headerFormat
com.l7tech.server.audit.log.service.footerFormat
com.l7tech.server.audit.log.service.detailFormat
com.l7tech.server.audit.admin.saveToInternal
Available as of Version 9.4 CR1. Save Admin Audit Records to the database. Default: true
com.l7tech.server.audit.message.saveToInternal
Available as of Version 9.4 CR1. Save Message Audit Records to the database. Default: true
com.l7tech.server.audit.system.saveToInternal
Available as of Version 9.4 CR1. Save System Audit Records to the database. Default: true
com.l7tech.server.cassandra.consistencyLevel
Available as of Version 9.4 CR1. Sets the default consistency level of the Perform Cassandra Query assertion. Default: ONE
com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds
Period of time before the Gateway removes inactive nodes. Default: 7776000 (seconds = 3 months)
In environments that use the Container Gateway, the list of inactive nodes may grow very quickly in the database. If this occurs, set this system property to a lower value (for example, '3600' for one hour) for more frequent cleanups. For Container Gateways, you set system properties using the EXTRA_JAVA_ARGS environment variable.
com.l7tech.server.configDirectory
Directory for Gateway configuration files. Default: <SSG>/node/default/etc/conf
com.l7tech.server.documentDownload.maxSize
Maximum default size (in bytes) of a document download. A value of "0" (zero) indicates unlimited size. Default: 10485760
com.l7tech.server.extension.sharedClusterInfoProvider
Sets the cluster information service used by the Gateway. Value is one of (case sensitive):
- ssgdb - to use the MySQL-backed implementation (MysqlClusterInfoService)
- externalhazelcast - to use the external Hazelcast implementation
Default: 'ssgdb'. If this system property is defined in the Container Gateway through the EXTRA_JAVA_ARGS environment variable, that value overrides whatever is defined in the system.properties file. Switching between providers will not migrate existing data to the newly configured provider.
com.l7tech.server.extension.sharedCounterProvider
Sets the cluster information service used by the Gateway. Value is one of (case sensitive):
- ssgdb - to use the MySQL-backed implementation
- externalhazelcast - to use the external Hazelcast implementation
Default: 'ssgdb'. If this system property is defined in the Container Gateway through the EXTRA_JAVA_ARGS environment variable, that value overrides whatever is defined in the system.properties file. Switching between providers will not migrate existing data to the newly configured provider.
com.l7tech.server.extension.sharedKeyValueStoreProvider
Name of the shared state provider that is used to retrieve the key value store. Value is one of (case sensitive):
- embeddedhazelcast
- externalhazelcast - to use the external Hazelcast key value store implementation
Default: 'embeddedhazelcast'. If this system property is defined in the Container Gateway through the EXTRA_JAVA_ARGS environment variable, that value overrides whatever is defined in the system.properties file. Switching between providers will not migrate existing data to the newly configured provider.
com.l7tech.server.home
Home directory for Gateway files. Default: <SSG>
com.l7tech.server.hostname
Gateway hostname. Default: <OS hostname>
com.l7tech.server.httpPort
HTTP port used by the Gateway. Must update server.xml as well. Default: 8080
com.l7tech.server.httpsPort
HTTPS port used by the Gateway. Must update server.xml as well. Default: 8443
com.l7tech.server.jdbcDriver
Override the default JDBC Driver class setting (as defined in serverconfig.properties, "jdbcConnection.driverClass.whiteList"). Requires a Gateway restart to take effect.
com.l7tech.server.keystore.enablehsm
Indicates whether an internal Hardware Security Module is present. Default: false
com.l7tech.server.ldapTemplatesPath
Path to LDAP templates.
com.l7tech.server.log.console.threshold
Available as of Version 9.4 CR1. Sets the logging threshold level for console logs using Java logging levels. See Logs for the Container Gateway in Docker for more information. Default: INFO
com.l7tech.server.maxLdapSearchResultSize
Maximum number of results in an identity provider search result operation. Default: 50
com.l7tech.server.metrics.fineBinInterval
Time period for fine Service Metrics bins. Default: 5000 (milliseconds)
com.l7tech.server.multicastAddress
Multicast address for the server cluster. Default: randomly created
com.l7tech.server.outConnectTimeout
I/O timeout for outbound connection. Default: 30000 (milliseconds)
com.l7tech.server.outTimeout
I/O timeout for outbound response. Default: 60000 (milliseconds)
com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable
Set to "true" to ensure the Keep-alive option is respected in outbound HTTPS routing when the key is used to avoid SSL traffic. Requires a Gateway restart after changing this property. Default: true
For best effect, also set these other system properties when setting com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable to 'true':
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost=1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections=3000
If the Route via HTTP(S) Assertion is configured to "Use HTTP Credentials from Request" (in the Authentication tab) and HTTP Credentials are NOT set to NTLM, then that assertion takes priority over the com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable system property.
com.l7tech.server.rateLimit
Minimum permissible rate for incoming requests (bytes per second). Default: 1024
com.l7tech.server.rateTimeout
I/O timeout for incoming request rate checking. Default: 60000 (milliseconds)
com.l7tech.server.response.header.server
The server name that you want to appear in the response header. For security reasons, the Gateway does not return the name of the actual web server by default.
To override this system property per listen port:
- Access the Listen Port Properties.
- Select the Advanced tab.
- Add the advanced property "server=<value>", where "<value>" is the server name to be returned. For more information, see "Advance Properties" under "Configuring the [Advanced] Tab" in Listen Port Properties.
If neither the com.l7tech.server.response.header.server system property nor the "server" advanced listen port property is present, then the Gateway returns this header: "server: CA-API-Gateway/<majorVersion>", where "<majorVersion>" is "9.0" for all version 9.x Gateways, etc. Do not confuse "9.0" with the actual Gateway version 9.0. For more information, refer to this article: https://en.wikipedia.org/wiki/Request_for_Comments
com.l7tech.server.serverID
Numeric server identifier. Default: IP address of Gateway
com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis
Time period between the cleanup of Policy Manager debugger sessions that have been inactive for the com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis period of time. Default: 86460000 (milliseconds; 24 hrs + 1 min)
com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis
Period of time for a Policy Manager debugger session to be inactive before it is cleaned up at the com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis interval. Default: 86400000 (milliseconds; 24 hrs)
com.l7tech.server.timeout
I/O timeout for incoming requests. Default: 60000 (milliseconds)
com.l7tech.server.transport.jms.detectJmsTypes
Auto-detect the JMS provider type, if using ActiveMQ or WebLogic. Contact CA Technical Support if connecting to more than one JMS provider.
- true - Auto-detect the JMS type (either queue or topic). If unable to detect the type, the generic JMS connection type is used. (Default)
- false - Do not auto-detect the JMS type; always use the generic JMS connection type.
com.l7tech.server.transport.jms.topicMasterOnly
Specifies if only the master node processes the message and executes the policy.
- true - (Default) Only the master node processes the message and executes the policy.
- false - Disables using only the master node to execute the policy.
com.l7tech.server.uddi.auto_republish
Republish to UDDI as needed (e.g., when the cluster hostname or port number changes). Default: true
com.l7tech.util.allowDuplicateIdAttrsOnElem
Allow messages with an element that has duplicate ID attributes. Default: true
For greater security, set this property to "false" to reject any message with an element that has more than one attribute recognized as an ID attribute.
policyValidation.maxPaths
The maximum number of possible paths through a policy before the policy is considered too complex to attempt server-side validation. Default: 500000
com.l7tech.external.assertions.ssh.enabledKexAlgs
(Available as of version 9.4 CR3) Specifies the ordered CSV list of enabled KEX algorithms. The default list does not include the weak algorithm diffie-hellman-group1-sha1.
tomcat.util.http.parser.HttpParser.requestTargetAllow = {}|<>
Prevents the response processing from failing if the request URL contains "unwise" characters that violate RFC 2396. Only enable the characters you need. Note that you need to escape the backslash.