CA API Gateway 9.1

9.4 9.1

Listen Port Properties

When you create or view details about a  listen port, the Listen Port Properties appear. The port properties are organized across these tabs:
gateway94
When you create or view details about a 
API Gateway
listen port, the Listen Port Properties appear. The port properties are organized across these tabs:
  • Basic Settings
  • SSL/TLS Settings
  • Pool Settings
  • FTP Settings
  • Other Settings
  • Advanced
A listen port automatically restarts when its properties are edited.
Contents:
The following are some important details about FTP(S) support on the Gateway:
  • Common FTP clients such as: FileZilla, FireFTP, and WinSCP are supported.
  • Only passive FTP is supported
  • The FTP(S) server uses the specified private key for its SSL listener (client certificates not supported). Files may only be transferred in binary mode (ASCII/EBCDIC not supported).
  • For upload-only FTP requests, the Content-Type is assumed to be “text/xml”, while the SOAPAction header is assumed to be empty. For extended mode, the content type is "application/octet-stream."
To access the properties for a listen port
:
  1. Run the Manage Listen Ports task.
  2. Select a port and then select [
    Properties
    ]. You can also select [Create] to enter the properties for a new port. The Listen Port Properties appear.
  3. Configure each tab within the properties as necessary. Refer to the appropriate section below for a complete description of each tab.
  4. Select [
    OK
    ] when done.
Configuring the [Basic Settings] Tab
The [Basic Settings] tab configures basic information relevant to all listen ports, regardless of type.
Setting
Description
Name
Describe the purpose of the listen port. This "friendly" description is displayed on the Manage Listen Ports dialog.
Enabled
Select this check box to listen for traffic on the specified port. If the listener is disabled for a port, the Gateway behaves as if no listener had been configured for the port.
Example
: If you disable the listener on port 8080, the system behaves as if there was no listener configured for port 8080. Attempts to connect to that port results in a "connection refused" error.
Protocol
From the drop-down list, select the protocol to be used:
HTTP
,
HTTPS
,
FTP
,
FTPS
, or
SSH2
. If custom transport protocols have been added, they are listed here. There is one predefined custom transport protocol l7.raw.tcp.
Port
Enter the TCP port number. For FTP and FTPS, this is the port number used to open the control connection. The passive data connections use ports that are allocated from the FTP passive range that is configured on the [
FTP Settings
] tab.
If the listen port is using the SSH2 protocol, avoid using port 22, as it may conflict with the default SSH port 22 on Linux or Unix systems.
Interface
From the drop-down list, select an interface or IP address to monitor. The list displays all available IP addresses on the Gateway and interfaces configured using the [Manage] button.
To listen on all available addresses, select
All
.
Understanding the message:
"Possible Input Error. With a cluster, using an interface identified by a raw IP address can have unexpected effects."
 This error warns you that you have defined an interface tag based on an entire IP address (as opposed to a pattern). This could be problematic because in a cluster, listen ports bound to this interface tag will only be able to open the cluster node that owns this IP address. There may also be other ramifications.
Exception:
 You may ignore
this message if you are intentionally creating an interface tag to bind a listen port to a loop-back address (for example, "127.0.0.1") and you expect each cluster node to accept connections to this listen port only from its own local processes.
Manage
Select [
Manage
] to add or remove interfaces from the list. For more information, see Managing Interfaces.
Enabled Features: This section determines which Gateway services can be accessed through this listen port.
Published service message input
Allow requests to be submitted to the message processor, where they are resolved to a service and processed by a policy. To learn more about how a request is resolved, see Gateway Service Resolution Process.
Allows requests to be made to the following built-in services. Use  and  to expand and collapse the list of built-in services.
Select the
Built-in services
 check box to enable all applicable services. Clear the check box to disable all the built-in services.
A cleared check box may also indicate one or more services has been disabled.
You can also enable or disable specific services:
  • Policy download service
    : Used by the  
    API Gateway
     - XML VPN Client
  • Ping service
    : Used to test Gateway availability. For more information, see Ping URI Test.
  • WS-Trust security token service
    : Used by the
    API Gateway
     - XML VPN Client for getting SAML assertions and establishing WS-SecureConversation sessions
  • Certificate signing (CA) service
    : Used by the
    API Gateway
     - XML VPN Client (only available when the 'Protocol' for the port is set to HTTPS).
  • Password changing service
    : Used by the
    API Gateway
     - XML VPN Client (only available when the 'Protocol' for the port is set to HTTPS).
  • WSDL download service
    : Used by the
    API Gateway
     - XML VPN Client and end-user programs.
  • SNMP query service
    : HTTP-based SNMP query service that uses localhost as host.
    This option can be suppressed by changing the
    builtinService.snmpQuery.enabled
     cluster property
Policy Manager access
Allows the desktop client version of the Policy Manager to access the Gateway.
Browser-based administration
Allows the browser client version of the Policy Manager to access the Gateway. This option is available only when [
Policy Manager access
] is enabled.
Enabling browser-based administration also enables the following features:
  • ability to back up the Gateway (for more information, see Back Up Gateways.
  • ability to ping the Gateway(for more information, see Ping URI Test.
Enterprise Manager access
Allows the Enterprise Service Manager to access the Gateway.
The associated port number must be set in the
admin.esmPort
 cluster property so that the Gateway can communicate with the
API Gateway
 cluster. For more information, see "Time Units" in Gateway Cluster Properties.
The Enterprise Manager access check box is available only when the listener uses HTTPS (“Protocol” field in the [
Basic Settings
] tab) and permits client authentication (The “Client Authentication” field in the [
SSL/TLS Settings
] tab is set to either “Optional” or “Required”).
Inter-Node Communication
Allows communication between nodes and is required for certain administrative functionality, such as viewing logs. If disabled, logs for other nodes in the cluster cannot be viewed.
Node Control
Allows each Gateway node in a cluster to be individually stopped/started. If disabled, the Gateway status cannot be retrieved. Node control must be enabled for correct operation of a Gateway appliance.
The Node Control feature is available only when listening on "(All)" or a loopback/localhost address (for example, "127.0.0.1" or "::1").
Security Zone
Optionally choose a security zone. To remove this entity from a security zone (security role permitting), choose "No security zone".
For more information about security zones, see Understanding Security Zones.
This control is hidden if either: (a) no security zones have been defined, or (b) you do not have Read access to any security zone (regardless of whether you have Read access to entities inside the zones).
Configuring the [SSL/TLS Settings] Tab
If the listener protocol is HTTPS or FTPS, complete the settings in the [SSL/TLS Settings] tab.
Setting
Description
Server Private Key
From the drop-down list, select the server private key to be used for the listen port. An SSL listener can use any private key in the system, from any keystore. If you do not see the appropriate private key, select [
Manage Private Keys
] to add it. For more information, see Manage Private Keys.
If the Server Private Key is set to anything other than the default SSL key, then the [
Policy Manager access
] and [
Browser-based administration
] options are disabled on the [
Basic Settings
] tab.
Specify whether the client must present a certificate to authenticate:
  • None
    : The client never needs to present a certificate. This setting does not permit login via client certificate when connecting to the Gateway using the desktop client. However this setting results in fewer security prompts when connecting to the Gateway using the browser client version of the Policy Manager.
  • Optional
    : The client can optionally present a certificate. This setting permits login via client certificate when connecting to the Gateway.
  • Required
    : The client must always present a certificate to authenticate. With this setting, the [
    Policy Manager access
    ] and [
    Browser-based administration
    ] options are disabled on the [
    Basic Settings
    ] tab.
The Gateway accepts any client certificate during the SSL handshake, provided that the client holds the corresponding private key.
Enabled TLS Versions
Select the check box next to the TLS versions to be enabled for the listen port.
Enabled Cipher Suites
Select the cipher suites that will be enabled on the SSL listen port. During the SSL handshake, both sides negotiate a cipher suite based on what is available on each side and the preference order.
If you disable a cipher suite on a listener, the Gateway will never allow it to be selected for use during an SSL handshake using that listener. If the client and server have no other cipher suites in common, the SSL handshake fails.
Use the [
Move Up
] and [
Move Down
] buttons to change the preference of a cipher suite, if the client and server have more than one cipher suite in common. Cipher suites closer to the top of the list are preferred over those closer to the bottom.
The list of ciphers that are presented may vary, depending on the security configuration of the Gateway. For a list of all the supported cipher suites, see Selecting Cipher Suites.
Use Default List
Click this button to restore the cipher list to the system default preference order and enable state.
Configuring the [Pool Settings] Tab
The [Pool Settings] tab allows configuration of the thread pool used by the listener, and is enabled only for these protocols: HTTP, HTTPS, or a custom transport protocol. By default, all new listeners use a shared thread pool. You may configure a listener to use a private thread pool if necessary. Private thread pools allow you to separate Gateway resources and dedicate them to a particular listener. Message processing traffic should use the shared pool, but you could use private pools if you wanted to dedicate resources to particular listeners (perhaps for different users of your services) or for listen ports with high message traffic.
Restrictions caused by using private thread pools include:
  • Private threads cannot be used by other listeners, so this is a less flexible approach.
  • The Gateway cannot support an unlimited number of threads, so using private pools will require other configuration changes to support this (for example, reduce the shared thread pool size, increase the number of available DB connections, reduce the maximum message size, etc.).
A private thread pool does not take threads away from the shared thread pool. For example, consider this configuration:
  • Cluster of three Gateways
  • Each node has
    io.httpMaxConcurrency
     = 1500 and a listen port with private thread pool for Service ABC= 300
In this scenario, Service ABC allows up to 900 private threads (300 x 3), while the rest of the services on the Gateway share the 4500 threads (1500 x 3) in the shared thread pool.
The default node configuration and control listen port 2124 ("Node Control") for the Gateway uses a private thread pool for maximum performance.
Setting
Description
Use private thread pool
Enable the listener to use a private thread pool.
Thread pool size
Specify how many threads to allocate to this private pool. The minimum is
1
 and the maximum is
10000
 (not recommended).
WARNING:
 If you intend to use a large value for thread pool size, contact CA Support for additional Gateway configuration changes that may be required.
Configuring the [FTP Settings] Tab
If the listener protocol is FTP or FTPS, complete the settings in the [FTP Settings] tab.
Setting
Description
First Passive Port
Specify the first port in the range to use for passive data connections.
Number of Passive Ports
Specify the number of ports in the range to use for passive connections.
FTP Command Handling
Choose an FTP command handling mode to use. For a detailed description of each mode, see "Understand the FTP Command Handling Modes" below.
The default mode is "Process STOR/STOU commands only...", which replicates FTP command handling capability prior to version 8.2.0.
Understanding the FTP Command Handling Modes
Process STOR/STOU commands only, resolve service by working directory if no service associated
Choose this option if your needs are limited to upload-only FTP command set and handling. This option is best suited to non-interactive upload scenarios. In this mode:
  • When a STOR or STOU command is sent, the file is transferred from the client by the Gateway and is used to create a Request message to a published service.
  • PORT, PASS, TYPE, and most other standard connection-related commands behave as expected.
  • Directory navigation commands (such as CWD, CDUP) always succeed. The Gateway does not confirm the existence of the directory. The client assumes all requested directories exist and that they are empty.
  • Other commands may produce unexpected or erroneous results. Because of this, it is recommended that you select the "Support extended FTP command set..." option if you need to route more than STOR/STOU commands.
Support extended FTP command set, resolve requests to the associated service
Choose this option to use the extended FTP command set. This option is intended for use with the Route via FTP(S) Assertion in a FTP proxy scenario. Ensure that a published service is associated with the listen port (defined in the [
Advanced
] tab).
In this mode, all commands that can be proxied are processed as requests to the specified service.
Command
Description
APPE
Append a file
CDUP
Change working directory to parent
CWD
Change working directory
DELE
Delete the specified file
LIST
List the specified file or contents of the specified directory
MDTM
Return the last modified time of a specified file over the control connection
MKD
Make directory
MLSD
List the details of the files in the specified directory in a standardized format
MLST
Returns info on the specified file over the control connection
NLST
List the names of files in the specified directory
NOOP
No operation
PWD
Return the working directory over the control connection
RETR
Retrieve (download/get) the specified file
RMD
Remove directory
SIZE
Returns the size of the file in bytes over the control connection
STOR
Store (i.e., upload/put) the specified file in the remote working directory
STOU
Store (i.e., upload/put) the specified file uniquely in the remote working directory
Support for STOU (Store Unique)routing is not selectable from within the Route via FTP(S) Assertion and will be routed as a STOR command if encountered (for example, in a context variable). A NOOP (No operation) command will be routed if specified in a context variable (for example, the variable set by the listen port), but it is not selectable from within the Route via FTP(S) Assertion.
The following commands are accepted by the FTP listen port, but is not processed as messages by the associated policy:
Command
Description
RFC
Notes
ABOR
Abort an active file transfer
959
AUTH
Establish authentication/security mechanism
2228
EPRT
Specifies extended address & port for connection
2428
EPSV
Enter extended passive mode
2428
FEAT
List the supported extended features
2389
Content of lists depends on "FTP command handling" mode of listen port
HELP
Help
959
LANG
Language negotiation
2640
Only English currently supported.
MODE
Specify transfer mode
959
'Streaming' and 'Compressed' only
OPTS
Select options for a feature
2228
As 'UTF8' is the listen port server default, the setting 'OPTS UTF8' has no effect.
"OPTS MLSD" commands do not affect the format of MLSD results because they depend on the settings of the remote FTP server.
PASS
Specify user password
959
User name and password are not authenticated by the listen port server, but are part of the request that is made to the associated service, so they may be authenticated there.
PASV
Enter passive mode
959
PBSZ
Protection buffer size
2228
Supports PBSZ 0 only.
PORT
Specify address and port to connect to
959
PROT
Set Data Channel Protection Level
2228
Supports 'Clear' and 'Private'.
QUIT
Disconnect
959
REIN
Reinitialize user connection
959
STAT
Returns the current status
959
Listen port server only; does not reflect the status of the remote FTP server
STRU
Set file transfer structure
959
File structure only
SYST
Return system type
959
Corresponds to "os.name" Java system property of the Gateway.
TYPE
Set the transfer mode
959
Accepts Binary and ASCII options, but routed transfer commands will fail if not set to Binary.
USER
Authentication username
959
User name and password are not authenticated by the listen port server, but are part of the request that is made to the associated service, so they may be authenticated there.
Unsupported FTP Commands
The following commands are currently not supported:
Command
Description
RFC
ACCT
Account information
959
ALLO
Allocate disk space
959
CCC
Clear command channel
2228
ADAT
Authentication/Security mechanism
2228
CONF
Confidentiality protection command
2228
ENC
Privacy protected command
2228
MIC
Integrity protected command
2228
LPRT
Specify long address & port
1639
LPSV
Enter long passive mode
1639
REST
Restart file transfer
3659
RNFR
Rename from
959
RNTO
Rename to
959
SITE
Issue site-specific commands
959
SMNT
Mount file structure
959
X***
All RFC 775 commands
775
Example: How to Configure an Extended FTP Command Support Proxy
The following example shows how to use the extended FTP commands along with the listen ports and Route via FTP(S) Assertion. This configuration is compatible with FileZilla, FireFTP, WinFTP, and WinSCP clients.
Precondition
:
  • A configured remote FTP server
  • A service policy that includes the Route via FTP(S) Assertion configured to route to the remote FTP server with the relevant host, security and port settings.
To configure an extended FTP command support proxy
:
  1. Complete the [
    Basic Settings
    ] tab of the Listen Port Properties.
  2. Complete the [
    FTP Settings
    ] tab of the Listen Port Properties. Be sure to choose the "Support extended FTP..." option.
  3. Complete the [
    Advanced
    ] tab of the Listen Port Properties as follows:
    1. If you need to support large uploads (>2GB), select the "Override maximum message size" check box and specify a new limit or allow unlimited message size.
    2. Associate the port with a published service. This is required to support the extended FTP command set.
    3. Configure the Advanced Properties if you need to override any of the cluster properties for this listen port. The following are the available FTP-related advanced properties, with their default values:
      ftp.sessionIdleTimeout=60
      ftp.maxRequestProcessingThreads=10
      ftp.anonymousLoginsEnabled=true
      ftp.maxAnonymousLogins=10
      ftp.maxConcurrentLogins=10
      ftp.userMaxConcurrentLogins=10
      ftp.userMaxConcurrentLoginsPerIp=10
    For a description of these properties, see FTP Cluster Properties.
  4. Construct a service policy. The following example shows how to use the extended FTP commands along with the listen ports and the Route via FTP(S) Assertion. In this example, the credentials that are supplied by the FTP client are used for authenticating the connection to the remote FTP server:
    Require FTP Credentials
    Request: Configure Message Streaming: enable streaming
    Route via FTPS Server
    The Configure Message Streaming Assertion allows the transparent uploading of files and more accurate progress monitors in FTP clients. Omitting this assertion will slow down the routing of most (non-trivial) uploads and introduce the potential for timeouts.
  5. Configure these settings in the [
    Connection
    ] tab of the FTP(s) Routing Properties as follows:
    1. Select "
      From Variable
      " for the command and then enter 
      request.ftp.command
       for the command variable.
    2. Enter 
      ${request.ftp.path}
       as the directory.
    3. Enter 
      ${request.ftp.argument}
       as the argument.
    4. Select the assertion outcome "
      Never fail as long as target replies
      ". This setting permits the FTP clients to receive useful responses from the remote FTP server. The responses should indicate the reasons for failure (for example, insufficient privileges, incorrectly formatted arguments).
  6. Configure all the remaining settings in the assertion properties as appropriate for your environment. For a description of each setting, see the Route via FTP(S) Assertion.
The following is a high-level overview of FTP request proxying using the LIST command as an example:
  1. The FTP client connects to the Gateway on the designated listen port.
  2. The FTP client sends a request to the Gateway to list the contents of the working directory using the FTP command "LIST".
  3. The Gateway processes this command and opens a data connection to the FTP client. The FTP request variables are populated.
  4. After the user's credentials are extracted by the Require FTP Credential Assertion (if using the credentials from the FTP client for authentication), the Route via FTP(S) Assertion:
    1. Reads the values of the FTP request variables to find the command, working directory, and argument.
    2. Connects to the remote server using the extracted credentials.
  5. The Route via FTP(S) Assertion issues the LIST command to the remote server and receives the listing, which it uses to create a response message. The FTP response variables are populated.
  6. The response message body is transferred to the FTP client over the data connection, which is closed when the transfer is complete. The reply code and text from the remote FTP server is sent to the FTP client over the control connection.
Configuring the [Other Settings] Tab
The [Other Settings] tab is available when either SSH2 or a custom transport protocol has been selected on the [
Basic Settings
] tab. If SSH2 was selected, the following fields display.
Setting
Description
Enable
 Select the network protocol(s) to support on the SSH2 server. Both SCP and SFTP are enabled by default..
Supported SCP Commands
PUT
Select this option to allow SCP clients to upload files.
GET
Select this option to allow the file to be sent back to the SCP client.
  • Retrieve file size from context variable: Select this option to retrieve the file size from the specified context variable. Clear this check box to not retrieve the file size from a context variable. In this case, the entire message stream needs to be read to detect the file size.  
Supported SFTP Commands
PUT
Select this option to allow SFTP clients to upload files.
  • Forward SFTP partial uploads to policy: Select this option to allow uploading files in parts. This executes policy once for every file partially uploaded. Clear this check box to not allow partial uploads.
GET
Select this option to allow SFTP clients to download files.
  • Forward SFTP partial downloads to policy: Select this option to allow downloading files in parts. This executes policy once for every file partially downloaded. Clear this check box to not allow partial downloads.
LIST
Select this option to allow SFTP clients to list files. When the SFTP client sends the LIST command, the policy is called with the LIST set as the request.command.type.
STAT
Select this option to retrieve the file attributes for the file specified. When the SFTP client sends the STAT command, the policy is called with the STAT set as the request.command.type.
You must enable STAT or LIST to be able to upload and download files. If both are disabled, only one of GET or PUT can be enabled. In this case dummy file statistics will be returned to the SFTP client.
DELETE
Select this option to retrieve the file attributes for the file specified.
  • Delete file on truncate request: Select this optional check box if you have selected "Forward SFTP partial uploads" under PUT. Usually the files are automatically truncated before they are overwritten. Clear this check box to retain the file on truncated requests.
MOVE
Select this option to allow SFTP clients to move or rename the files.
MKDIR
Select this option to allow SFTP clients to create directories.
RMDIR
Select this option to allow SFTP clients to remove directories.
Common Configurations
Host private key type
Select [
Manage Stored Passwords
] to enter a private key for the SSH2 server. For more information, see Manage Stored Passwords. This field is required.
Idle timeout (in minutes)
Enter the number of minutes for the idle timeout. This field is required.
The default is
10
 minutes.
Max. concurrent session(s) per user:
Enter how many concurrent sessions are permitted for a user. A value of "0" (zero) means unlimited. The default is
10
.
The concurrent sessions allowed for a user is limited by the maximum number of concurrent sessions permitted (see the following setting).
Max. concurrent session(s):
Enter the total maximum number of concurrent sessions permitted. A value of "0" (zero) means unlimited. The default is
10
.
If a custom transport protocol was selected, the contents of this tab depend on the protocol. For the "l7.raw.tcp" transport protocol, the following field is shown:
  • Socket timeout
    : Enter the period of time before the socket times out, in milliseconds.
KEX Algorithms for SSH2 Protocol
By default, the KEX algorithm, 
diffie-hellman-group1-sha1
, is disabled. You can include or exclude KEX algorithms either by using the system property, com.l7tech.external.assertions.ssh.enabledKexAlgs or the following Connector level property:
  • l7.ssh.enabledKexAlgs
    : Specifies the ordered list of enabled KEX algorithms separated by
    <split>
    .
The following KEX Algorithms are supported:
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group14-sha256
  • diffie-hellman-group15-sha512
  • diffie-hellman-group16-sha512
  • diffie-hellman-group17-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
Configuring the [Advanced] Tab
The Advanced tab is used to define advanced settings for the listen port. In particular, it is recommended that only advanced technical users modify the Advanced Properties table.
Setting
Description
Request Properties
Override maximum message size
Select this check box to override the permitted maximum size of the routing message. Clear this check box to use the value set in the
io.xmlPartMaxBytes
 cluster property.
  • Restrict messages to: Enter the maximum permitted size of the request message, in bytes. You may reference context variables.
  • Allow unlimited message size (not recommended): Select this option to allow response messages of unlimited size. This is not recommended and should be used only under the direction of CA Support.
Service Resolution:
The settings under "Service Resolution" are available for all types of transport, predefined, or custom. These two settings are designed for transports that do not communicate information that is necessary for correct operation of the listen port.
Associate port with single published service
Select this option to preselect a published service for the listen port. Any message arriving via this listen port is routed immediately to the specified published service. Select the service to use from the drop-down list. For more information about published services, see Publish SOAP Web Service.
Always use specified request content type
Select this option to preselect a Content-Type for the listen port. Select the Content-Type to use from the drop-down list or type a valid Content-Type.
Advanced Properties
This section is used to define additional settings for the listen port. CA Support can assist you when additional properties are necessary.
The following are some examples for advanced properties:
  • For added security, the Gateway obfuscates the default server for the Gateway HTTP listener as follows:
    • If there is an advanced property for the listen port with the entry
      server=<anyValue>
      , the response returns "server: <anyValue>" as the server name in the response.
    • If there is no advanced property present, but the Gateway system property
      com.l7tech.server.response.header.server
       exists, then the response returns the value of the system property for the server name. (If the advanced property exists as well, it takes precedence.)
    • If the advanced property or the system property are not defined, the response returns "server: CA-API-Gateway/
      <majorVersion>
      ", where
      "<majorVersion>"
       is "9.0" for all 9.x Gateways, etc.
    At no time is the name of the actual web server returned.
  • If you need to allow renegotiations, add the advanced property
    allowUnsafeLegacyRenegotiation = true
    . This suppresses the application-level disablement of renegotiation and allows the underlying JSSE provider to handle it.
    Setting this advanced property does not introduce any security vulnerabilities with current JDK versions.
  • By default, the Gateway truncates any space between the Content-Type and the charset in the response header. To prevent this, add the advanced property
    trimContentType = false
    Note:
     This does not affect the outbound request headers. Truncation does not occur in outbound request headers.
    • You can override the default FTP(S) listen port behavior for a specific listen port, by using the following advanced properties:
      ftp.sessionIdleTimeout
      ftp.maxRequestProcessingThreads
      ftp.anonymousLoginsEnabled
      ftp.maxAnonymousLogins
      ftp.maxConcurrentLogins
      ftp.userMaxConcurrentLogins
      ftp.userMaxConcurrentLoginsPerIp
      These properties match their corresponding FTP cluster property counterparts. For more information about these properties, see FTP Cluster Properties.
      Technical tip:
       Impact of setting processing threads to zero. The default value for
      ftp.maxRequestProcessingThreads
      (10) should suffice for most instances. However if you set it to zero, there are circumstances where the resulting threads will be non-zero.
      If
      ftp.maxConcurrentLogins
      is set to unlimited, then the Gateway uses the default thread number of 10.
      If
      ftp.maxConcurrentLogins
      is set to any other fixed value, then the maximum number of threads created will be equal to that value.
      If the same FTP advanced property and cluster property are set, then the advanced property will take precedence for the listen port.
  • By default, the maximum number of headers that can be retrieved in a single GET call is 100. If you need to retrieve a greater number, add the advanced property
    maxHeaderCount =
    <new maximum value>
  • To track the current concurrency of each HTTP(S) thread pool, add the advanced property
    concurrencyWarningThreshold
     with a specific threshold value. When the thread pool concurrency exceeds this threshold, the Gateway logs an audit record at specific intervals. The interval period is defined by the 
    io.httpConcurrencyWarning.repeatDelay
     cluster property and defaults to 60 seconds.
    Connectors not using a private thread pool share the global thread pool. These are controlled by the
    io.httpCoreConcurrency
     and
    io.httpMaxConcurrency
     cluster properties.
    The logged audits include:
    • System audit record:
       Server: HTTP Listeners components, action: "Concurrency Exceeded", message: "Listener concurrency exceeded: 999" (where "999" is the current concurrency).
    • Audit detail record:
       2403, WARNING, "Listener concurrency too high: {0} {1}" (where "{0}" is the current concurrency and "{1}" is the connector identifier)
  • The default maximum HTTP header size for a listen port is 8KB (8192 bytes). This should suffice in most instances. However this value may need to be increased for exceptional use cases (for example, running many iterations in the Run Assertions for Each Item Assertion). To do this, add the advanced property: 
    maxHttpHeaderSize =
    <new value in bytes>
  • By default, a Gateway HTTPS listener will wait 60 seconds for another request before closing the connection and a Gateway HTTP listener will wait 20 seconds for another request before closing the connection. If you need to adjust these defaults, add the advanced property
    keepAliveTime = <new value in milliseconds> 
     

Content feedback and comments