Environment Variables for the Container Gateway

This topic lists the environment variables that are specific to the Container Gateway application. To obtain a better understanding of how these environment variables are used, refer to the following documentation for the Docker Engine and OpenShift. CA Technologies recommends that you first review the sample files in the following documentation links before looking up the detailed descriptions.
This topic describes environment variables that are specific to the Container Gateway application. These variables were initially written for the docker-compose.yml Gateway deployment file, which followed an 'ENVIRONMENTAL_VALUES' format. Beginning with Gateway version 10.0 CR 2, the recommended deployment method for a cloud-based Container Gateway cluster is the Helm Chart. The same environment variables described on this page can be used in the values.yaml configuration file within the Helm Chart, but may be formatted differently because of different labeling conventions for Helm parameters. Other non-Gateway-specific variables (parameters), as defined by Helm Chart template files, can also be found in the sample values.yaml file.
Available Gateway Environment Variables
Variable
Description
ACCEPT_LICENSE
Required. Default value: -
Set the ACCEPT_LICENSE environment variable to true to confirm that you have a valid commercial license for Layer7 API Gateway. You also confirm that you have reviewed and accepted the terms of the End User License Agreement (EULA) that governs your use of the Layer7 API Gateway.
This value is case-sensitive.
SSG_JVM_HEAP
Optional. Default value: 2G
The JVM heap size to use.
This value should be a number, followed by m, M, k, K, g, or G (not case-sensitive). For example: "4G" or "4g" (4 gigabytes), "3M" or "3m" (3 megabytes).
The mem_limit value should be 1GB more or 50% more than the SSG_JVM_HEAP value, whichever is higher.
For memory configuration guidelines, see Guidelines for Configuring Resources for the Container Gateway.
SSG_ADMIN_USERNAME
SSG_ADMIN_PASSWORD
Optional. Default value: random
These define the login credentials for the Policy Manager.
For improved security, the username and password (a 12-character minimum is recommended) may contain alphanumeric ASCII characters and any of the following symbols:
! @ . = - _ ^ + ; : # , %
You should embed sensitive data such as passwords in plain-text within a configuration file only for convenience in development or test environments. Many container PaaS environments provide mechanisms for properly managing sensitive data.
To disable Policy Manager connectivity, leave the SSG_ADMIN_USERNAME and SSG_ADMIN_PASSWORD variables empty. Disabling Policy Manager access is ideal if you want to enforce the redeployment of the container when making changes in a production environment. You will also do this if you have a derived image that is bootstrapped.
SSG_DATABASE_JDBC_URL
Optional. Default value: -
The URL of the JDBC connection that is used to connect to the MySQL database. If this URL is not defined, the Container Gateway defaults to using the embedded database instead.
  1. If a valid URL is provided, the Container Gateway uses this JDBC connection to connect to the MySQL database(s) (MySQL mode).
  2. If a URL is not provided (empty or not declared), the Container Gateway defaults to the embedded database (Derby mode).
  • If you want to use the Policy Manager, make sure the SSG_ADMIN_USERNAME and SSG_ADMIN_PASSWORD are defined.
  • The JDBC URL can be used to configure the secondary database connection, for example:
    jdbc:mysql://mysql-server-primary:3306,mysql-server-secondary:3306/ssg
SSG_DATABASE_USER
Required if SSG_DATABASE_JDBC_URL is provided. Default value: -
The user who is connecting to the MySQL server(s). The password may contain alphanumeric ASCII characters and any of the following symbols:
! @ . = - _ ^ + ; : # , %
  • If you are using Layer7 sample deployment files:
    1. This user must match any MYSQL_USER username defined in the environment section for the MySQL service.
    2. If you specify a user name other than root, you must also define a MYSQL_DATABASE entry. This is necessary for the database user to have the correct permissions.
  • If you have deployed your own MySQL instance, then set this environment variable to match the credentials for the account created on your MySQL instance.
SSG_DATABASE_PASSWORD
Required if SSG_DATABASE_JDBC_URL is provided. Default value: -
Password that is used to connect to the MySQL server(s). The password may contain alphanumeric ASCII characters and any of the following symbols:
! @ . = - _ ^ + ; : # , %
  • If you are using the sample deployment files, then this environment variable must match any MYSQL_PASSWORD defined in the environment section for the MySQL service.
  • If you have deployed your own MySQL instance, then set this environment variable to match the credentials for the account created on your MySQL instance.
SSG_DATABASE_WAIT_TIMEOUT
Optional. Default value: 300 seconds (5 minutes).
The time to wait (in seconds) for the database to become available. This value is used by the Container Gateway when SSG_DATABASE_JDBC_URL is provided.
SSG_CLUSTER_HOST
Required if SSG_DATABASE_JDBC_URL is provided. Default value: ${hostname}
The cluster hostname of the Container Gateway.
Valid values are the quoted fully qualified domain name (FQDN) of the service endpoint; for example:
mygateway.mycompany.com
SSG_CLUSTER_PASSWORD
Required if SSG_DATABASE_JDBC_URL is provided. Default value: random
The cluster password.
For improved security, the username and password (a 12-character minimum is recommended) may contain alphanumeric ASCII characters and any of the following symbols:
! @ . = - _ ^ + ; : # ,
EXTRA_JAVA_ARGS
Optional. Default value: -
This variable defines any extra JVM properties to add to the Java command line, or Gateway System Properties to set. Separate multiple entries with a space. Enclose the string within quotes.
Example (line breaks added for readability):
EXTRA_JAVA_ARGS: "-XX:ParallelGCThreads=4
-Dcom.l7tech.bootstrap.env.license.enable=true
-Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER"
  • Use -Dcom.l7tech.server.siteminder.enabled=true to enable CA Single Sign-On (Siteminder). By default, this functionality is disabled.
  • Use -Dcom.l7tech.bootstrap.env.license.enable=true to enable loading the SSG license gzip, base64 string as an environment variable. By default it is disabled.
  • Use -Dcom.l7tech.service.metrics.enabled=false to disable the service metrics when using a MySQL database. By default it is enabled. The embedded database does not use this toggle as it is always disabled.
Properties defined in EXTRA_JAVA_ARGS override the same properties defined in the Gateway System Properties. However, values from EXTRA_JAVA_ARGS do not modify the system.properties file.
SSG_SSL_KEY
Optional. Default value: -
IMPORTANT: Use the SSG_SSL_KEY environment variable in a development or test environment only. It is not recommended for production use, since it exposes the SSL key in plain text in your configuration file. The preferred method is to mount the license file(s) as secret volumes.
The default Gateway SSL key as a base64 encoded string. For more information, see Manage Private Keys.
Copy the string from the output of this Linux command:
cat /path/to/key.p12 | base64
(add --wrap=0 to the base64 command if you are running Windows OS).
SSG_SSL_KEY_PASS
Optional. Default value: -
The default Gateway SSL key password. Can be left empty if the p12 key is not password protected.
SSG_LICENSE
Optional. Disabled by default.
IMPORTANT: Use the SSG_LICENSE environment variable in a development or test environment only. It is not recommended for production use, since it exposes the (encoded) license in plain text in your configuration file. The preferred method is to mount the license file(s) as secret volumes.
The Layer7 API Gateway license as a Gzipped, Base64-encoded string (with no space characters or line breaks). A valid license is required to operate the Container Gateway.
Use this SSG_LICENSE environment variable to install a single Gateway license. To install multiple licenses, use the preferred method of mounting the license file(s) as secret volumes.
Deprecated Environment Variables
These variables were used in previous versions of the Container Gateway and are no longer in use.
Variable
SSG_CLUSTER_COMMAND
SSG_DATABASE_TYPE
SSG_DATABASE_HOST
SSG_DATABASE_PORT
SSG_DATABASE_NAME
SSG_DATABASE_ADMIN_USER
SSG_DATABASE_ADMIN_PASS
SSG_INTERNAL_SERVICES
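
Added example (not part of the original Layer7 documentation or product code): a Python pre-deployment check that applies the rules on this page to an environment mapping. It assumes the mapping was read from a deployment file, that mem_limit uses the same number-plus-suffix form as SSG_JVM_HEAP, and that the mem_limit guidance is treated as a minimum; the names lint, size_bytes and SAMPLE are hypothetical.

```python
import re

SYMBOLS = "!@.=-_^+;:#,%"  # allowed symbols; the page's SSG_CLUSTER_PASSWORD list omits '%'
NEEDS_WITH_JDBC = ("SSG_DATABASE_USER", "SSG_DATABASE_PASSWORD",
                   "SSG_CLUSTER_HOST", "SSG_CLUSTER_PASSWORD")
DEPRECATED = ("SSG_CLUSTER_COMMAND", "SSG_DATABASE_TYPE", "SSG_DATABASE_HOST",
              "SSG_DATABASE_PORT", "SSG_DATABASE_NAME", "SSG_DATABASE_ADMIN_USER",
              "SSG_DATABASE_ADMIN_PASS", "SSG_INTERNAL_SERVICES")
UNIT = {"k": 2**10, "m": 2**20, "g": 2**30}
# Constructed sample, as if parsed from a deployment file's environment section.
SAMPLE = {"ACCEPT_LICENSE": "True", "SSG_JVM_HEAP": "4g",
          "SSG_DATABASE_JDBC_URL": "jdbc:mysql://mysql-server-primary:3306/ssg",
          "SSG_DATABASE_USER": "gateway", "SSG_DATABASE_PASSWORD": "s3cret pass",
          "SSG_SSL_KEY": "BASE64-PLACEHOLDER", "SSG_DATABASE_TYPE": "mysql"}

def size_bytes(text):
    """Parse sizes such as '4G' or '512m'; return None if malformed."""
    m = re.fullmatch(r"(\d+)([kKmMgG])", text)
    return int(m.group(1)) * UNIT[m.group(2).lower()] if m else None

def lint(env, mem_limit=None, production=True):
    """Return findings for an environment dict (assumed read from a config file)."""
    out = []
    if env.get("ACCEPT_LICENSE") != "true":
        out.append("ACCEPT_LICENSE must be exactly 'true' (case-sensitive)")
    heap = size_bytes(env.get("SSG_JVM_HEAP", "2G"))
    if heap is None:
        out.append("SSG_JVM_HEAP is not a number followed by k, m or g")
    elif mem_limit is not None:
        need = max(heap + 2**30, heap * 3 // 2)  # +1GB or +50%, whichever is higher
        limit = size_bytes(mem_limit)
        if limit is None or limit < need:
            out.append(f"mem_limit is below {need} bytes for this heap")
    if env.get("SSG_DATABASE_JDBC_URL"):
        out += [f"{k} is required with SSG_DATABASE_JDBC_URL"
                for k in NEEDS_WITH_JDBC if not env.get(k)]
    for k in ("SSG_ADMIN_PASSWORD", "SSG_DATABASE_PASSWORD", "SSG_CLUSTER_PASSWORD"):
        allowed = SYMBOLS.replace("%", "") if k == "SSG_CLUSTER_PASSWORD" else SYMBOLS
        v = env.get(k, "")
        if v and not all(c.isascii() and (c.isalnum() or c in allowed) for c in v):
            out.append(f"{k} has characters outside the documented set")
        if v and k != "SSG_DATABASE_PASSWORD" and len(v) < 12:
            out.append(f"{k} is shorter than the recommended 12 characters")
        if v and production:
            out.append(f"{k} is in plain text; use the platform's secret mechanism")
    if production:
        out += [f"{k} is for development or test use only"
                for k in ("SSG_SSL_KEY", "SSG_LICENSE") if env.get(k)]
    out += [f"{k} is deprecated and no longer in use" for k in DEPRECATED if k in env]
    return out
```

Calling lint(SAMPLE, mem_limit="5g") reports the wrong-case ACCEPT_LICENSE, the undersized mem_limit, the missing cluster settings, the plain-text and malformed database password, the development-only SSG_SSL_KEY, and the deprecated SSG_DATABASE_TYPE.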