Miscellaneous Cluster Properties

The following cluster properties control various aspects of Layer7 API Gateway behavior.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property
Description
admin.certificateDiscoveryEnabled
Allows the Policy Manager to securely discover this Gateway's SSL certificate without user intervention. Value is a Boolean.
  • true
    = Automatic certificate discovery is enabled, without user intervention required.
  • false
    = Automatic certificate discovery is disabled. When the Policy Manager attempts to trust a server certificate for the first time, a confirmation dialog is displayed and you must explicitly accept or reject the certificate.
Default:
true
See also services.certificateDiscoveryEnabled.
attachment.diskThreshold
Threshold of attachments in a single request to keep in RAM.
Default:
1048576 bytes
builtinService.snmpQuery.enabled
Controls the availability of the SNMP query service check box in the Listen Port Properties [Basic Settings] tab.
  • true
    = The check box displays among the other built-in service check boxes.
  • false
    = The check box is suppressed.
Default:
true
CA WSDM Gateway Observer
contentType.otherTextualTypes
Textual Content-Types. By default, the Gateway recognizes these Content-Types: text, xml, json and form encoded. Each Content-Type should be on a separate line and may include a charset—for example:
application/custom; charset="UTF-8"
customerMapping.addToGatewayAuditEvents
Controls whether the Gateway saves the mapping information with the audits:
  • true
    = mapping information is saved in the Gateway audit, enabling them to be viewed in the Gateway Audit Events window.
  • false
    = mapping information is not saved in the Gateway audit.
Default:
true
customerMapping.addToServiceMetrics
Determines whether the Gateway saves the mapping information with the service metrics:
  • true
    = mapping information is saved with the service metrics, allowing them to be used in the Dashboard.
  • false
    = mapping information is not saved with the service metrics.
Default:
true
dataGrid.protocol
(Removed in version 9.4)
This cluster property is deprecated as of version 9.4.
Reason:
Only the default value of tcpip is valid. No other values are accepted.
The protocol Hazelcast uses to discover cluster members. Restart all nodes in the cluster for changes to take effect.
Default:
tcpip
(1) The Hazelcast cache is used for message replay protection and is a key component of assertions such as the Manage Cluster-Wide Properties. Modify this only under the direction of Support.
dataGrid.tcpip.connectionTimeout
(Removed in version 9.4)
This cluster property is deprecated as of version 9.4.
Reason:
The connection timeout is now controlled by the system property com.l7tech.external.assertions.hazelcastembeddedprovider.tcpip.connection.timeout.
If you have modified this cluster property in a previous release, be sure to set the above system property with your custom value.
Maximum time Hazelcast will try to connect to a well known member before timing out. Value is a time unit.
Default:
5s
The "Notes" under dataGrid.protocol above also apply here.
datetime.autoFormats
Values for the built-in set of supported date formats. This property determines the values that the Set Context Variable assertion can parse by default when "<auto>" is selected, and the values that the Compare Expression assertion can automatically convert when "Date/Time" is selected as the data type.
This is a hidden cluster property that is edited by typing its name in the Key field in Manage Cluster-Wide Properties. By default, these formats are supported:
  • W3C ISO 8601 (http://www.w3.org/TR/NOTE-datetime) Example: 1997-07-16T19:20:30.45-1:00
  • HTTP-Date (RFC 1123, RFC 850, asc time)
  • RFC 1123 Example: Sun, 06 Nov 1994 08:49:37 GMT
  • RFC 822 (and RFC 1036) Example: Sun, 06 Nov 94 08:49:37 GMT
  • RFC 850 Example: Friday, 19-Nov-82 16:14:55 EST
  • asc time Example: Fri Nov 12 13:02:02 2012
Observe these guidelines when configuring this property:
  • The string must be formatted as <format><^pattern$>.
  • The pattern must begin with the ^ character and end with the $ character.
  • White space is not required and is ignored if present.
  • Any pairs with an invalid format or pattern are ignored and an audit is generated.
  • The Policy Manager does not validate the value for this property.
The default value for the cluster property is as follows (line breaks added here for readability and to minimize horizontal scrolling when viewing this page):
yyyy-MM-dd'T'HH:mm:ss.SSSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{3}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ss.SSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ss.SXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{1}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ssXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mmXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd ^\d{4}-\d{2}-\d{2}$
yyyy-MM ^\d{4}-\d{2}$
yyyy ^\d{4}$
EEE, dd MMM yyyy HH:mm:ss z ^[a-zA-Z]{3},\s\d{2}
\s[a-zA-Z]{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s(?:
[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE, dd MMM yy HH:mm:ss Z ^[a-zA-Z]{3},\s\d{2}
\s[a-zA-Z]{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?:
[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE, dd-MMM-yy HH:mm:ss z ^
(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),
\s\d{2}-[a-zA-Z]{3}-\d{2}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE MMM dd HH:mm:ss yyyy ^[a-zA-Z]{3}\s[a-zA-Z]{3}
\s(\d{2}|\s\d)\s\d{2}:\d{2}:\d{2}\s\d{4}$
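The value format described above ("<format><^pattern$>" pairs, whitespace ignored, bad pairs audited and skipped) can be exercised with a small parser. This is an added example, not Gateway code: it works on a constructed subset of the default value plus one deliberately broken pair, and shows which configured format a given input string would be matched against when "<auto>" is selected.

```python
import re
from typing import List, Optional, Tuple

# Constructed subset of the default datetime.autoFormats value listed above,
# plus one deliberately broken entry (unbalanced parenthesis) to show how an
# invalid pair is audited and skipped. Entries are "<format><^pattern$>" and
# the whitespace between them is not significant.
SAMPLE_AUTO_FORMATS = r"""
yyyy-MM-dd'T'HH:mm:ss.SSSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ssXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd ^\d{4}-\d{2}-\d{2}$
yyyy ^\d{4}$
EEE, dd MMM yyyy HH:mm:ss z ^[a-zA-Z]{3},\s\d{2}\s[a-zA-Z]{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$
dd/MM/yyyy ^(\d{2}/\d{2}/\d{4}$
"""

# One entry: the Java date format string and its compiled anchored regex.
Entry = Tuple[str, "re.Pattern[str]"]

# A pattern token starts at '^' and runs to the next '$'; everything before
# it since the previous token is the format. Assumption (true for all the
# defaults above): patterns contain no unescaped '$' of their own.
_ENTRY_RE = re.compile(r"(.*?)(\^.*?\$)", re.S)


def parse_auto_formats(value: str) -> Tuple[List[Entry], List[str]]:
    """Split a datetime.autoFormats value into (format, regex) pairs.

    Returns the usable entries and one audit message per pair that was
    skipped because its format was empty or its pattern did not compile,
    mirroring the documented rule that bad pairs are ignored rather than fatal.
    """
    entries: List[Entry] = []
    audits: List[str] = []
    for m in _ENTRY_RE.finditer(value):
        fmt = m.group(1).strip()  # surrounding whitespace is ignored
        pattern = m.group(2)
        if not fmt:
            audits.append(f"ignored pattern without a format: {pattern}")
            continue
        try:
            entries.append((fmt, re.compile(pattern)))
        except re.error as exc:
            audits.append(f"ignored format {fmt!r}: bad pattern {pattern!r} ({exc})")
    return entries, audits


def detect_format(text: str, entries: List[Entry]) -> Optional[str]:
    """Return the format whose anchored pattern matches first, as an <auto>
    selection would, or None when no configured pattern accepts the value."""
    for fmt, regex in entries:
        if regex.match(text):
            return fmt
    return None


ENTRIES, AUDITS = parse_auto_formats(SAMPLE_AUTO_FORMATS)

if __name__ == "__main__":
    for sample in ("2012-11-12T13:02:02Z", "Sun, 06 Nov 1994 08:49:37 GMT",
                   "2012", "12/11/2012"):
        print(f"{sample!r:35} -> {detect_format(sample, ENTRIES)}")
    for line in AUDITS:
        print("AUDIT:", line)
```

Because the patterns are anchored and tried in order, an input that fits none of them (such as the dd/MM/yyyy value, whose pair was dropped at parse time) yields no format rather than a partial match.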
datetime.customFormats
Customizes the values displayed in the "Format" drop-down list in the Set Context Variable assertion. User can modify datetime.customFormats by adding new formats or by removing the existing formats. To add additional formats, enter them here, separating each format with a semicolon. Changing datetime.customFormats does not affect values in datetime.autoFormats.
db.replicationDelayThreshold
The threshold for logging a warning due to slow or failed replication. Enter "0" (zero) to disable logs. Value is a time unit.
Default:
60s
db.replicationErrorAuditInterval
Minimum interval between successive database replication failure logs. This allows the number of logs to be restricted, so logging occurs only once per hour (or whatever is configured) when replication is failing. Value is a time unit.
Default:
60m
ekeycache.maxEntries
Maximum number of cached ephemeral key thumbprints (per-node).
Default:
1000
help.url
Location of the online help system. By default, the Policy Manager uses the online documentation (see Install Offline Help).
Default: blank (which indicates the factory default help location is in use)
(1) The new help file location takes effect the next time you log in to the Policy Manager. (2) The new value must point to a web server that supports http or https.
icap.channelIdleTimeout
Maximum idle time for a connected channel in the connection pool to an ICAP server. Any channels exceeding this timeout value will be disconnected and removed from the pool. Value is a time unit; the allowable range is between 1 second and 1 hour.
Default:
1m
keyStore.searchForAlias
Determines how the Gateway searches for key aliases:
  • true
    = If an assertion refers to a private key in a non-existent keystore, the Gateway checks all other keystores for an identical private key alias. If one is found, it will be used instead. In the Policy Manager, a warning validator message is displayed for any affected assertions.
  • false
    =  If an assertion refers to a private key in a non-existent keystore, an error is returned and the policy containing this assertion will be inoperative. Other keystores are not examined.
Default:
true
For more information about private keys, see Manage Private Keys. For more information on how to select a private key to use, see Selecting a Custom Private Key.
keyStore.signWithSha1
Sets the default signature hash to use for the message digest when signing certificates. Value is a Boolean.
  • true
    = use SHA-1
  • false
    = use SHA-384
Default:
false
krb5.kdc
Sets the "kdc" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the KDC value.
krb5.realm
Sets the "default_realm" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the realm.
license.expiryWarningPeriod
Time in the future to display impending expiration of the Gateway license or SSL certificate. Value is a time unit.
Default:
30d
metrics.fineInterval
Time interval for Service Metrics fine resolution bins.
Default:
5000 milliseconds
For more information about service metrics bins, see Dashboard - Service Metrics.
Restart the cluster if you change this value.
mtom.decodeSecuredMessages
Controls whether secured MTOM-encoded messages are automatically decoded. Value is a Boolean.
  • true
    = MTOM-encoded messages containing a WS-Security header that is processed by the Gateway are automatically decoded to regular SOAP messages for security processing.
  • false
    = MTOM-encoded messages are not automatically decoded prior to WS-Security processing. An undecoded secure MTOM message can cause WS-Security processing to fail.
Default:
true
This cluster property only acts on messages containing a WS-Security header destined for the Gateway. All other messages are unaffected by this property, and MTOM decoding occurs only when a Decode MTOM Message assertion is present in the policy.
pingServlet.mode
Determines how the Gateway responds to PING commands. Values are:
  • OFF
    : No response to any ping attempts.
  • REQUIRE_CREDS
    : Responds only when request is submitted using SSL on port 8443, with credentials in the request.
  • OPEN
    : Minimal response when request is submitted without SSL (port 8080); full response when request is submitted with SSL (port 8443).
  • MONITOR
    : Returns a minimal status message to the client, while denying access to any node system information.
Default:
REQUIRE_CREDS
See Ping URI Test for a more detailed description of each setting.
policyValidation.maxConcurrency
Maximum number of server-side policy validation jobs that may be active simultaneously.
Requires a Gateway restart for changes to take effect.
Default:
15
policyValidation.maxPaths
Maximum number of possible paths through a policy before the policy is considered to be too complex to attempt server-side validation.
Default:
500000
policyVersioning.maxRevisions
Maximum number of policy revisions to retain. Only revisions that are not active and which do not have a comment count toward the maximum. If set to zero, only the active version and commented versions are retained. Revisions with comments are always retained, regardless of the setting of this cluster property.
Default:
20
relayGatewayMetrics.enable
Controls whether the Gateway publishes performance metrics events for use by modular assertions created specifically for this purpose. Currently, assertion metrics such as start/end time and latency are available.
CA Technologies continues to enhance the metrics being recorded and will provide a range of modular assertions to meet various needs. Contact your CA Technologies representative for more information.
Default:
true
This cluster property takes effect only when an appropriate modular assertion is present on the Gateway, otherwise this cluster property is ignored.
request.compress.gzip.allow
Determines whether GZIP compressed requests are accepted:
  • true
    = compressed requests are accepted by the Gateway
  • false
    = all compressed requests are rejected
Default:
true
response.compress.gzip.allow
Determines whether GZIP compressed responses can be returned to the client:
  • true
    = compressed response can be returned to the client
  • false
    = force a non-compressed response from the Gateway to the client, regardless of the Accept-Encoding requested by the client
Default:
true
restman.request.message.maxSize
Configures the maximum request message size going to the REST Management Service to support large migrations. The io.xmlPartMaxBytes cluster property has no effect on the REST Management Service. Default = 50MB.
rbac.autoRole.managePolicy.autoAssign
Determines if a non-admin user should be added to the auto-created Manage Policy role, when a new Policy is successfully created.
  • true = the non-admin user is assigned to the Manage Policy role
  • false = the non-admin user is not assigned to the Manage Policy role
Default:
true
rbac.autoRole.manageProvider.autoAssign
Determines if a non-admin user should be added to the auto-created Manage Provider role, when a new Policy is successfully created.
  • true
    = the non-admin user is assigned to the Manage Provider role
  • false
    = the non-admin user is not assigned to the Manage Provider role
Default:
true
rbac.autoRole.manageService.autoAssign
Determines if a non-admin user should be added to the auto-created Manage Service role, when a new Published Service is successfully created.
  • true
    = the non-admin user is assigned to the Manage Service role
  • false
    = the non-admin user is not assigned to the Manage Service role
Default:
true
rsasigcache.maxEntries
Number of verified signatures to cache. The property sets the size of the RSA signature cache, which keeps track of recently-verified XML snippets. Only the SHA1 hash is cached, not the entire XML snippet. Requires a Gateway restart for changes to take effect.
Caching is disabled by default, which enhances overall security with a slight performance penalty. When caching is enabled, the RSA decrypt operation is skipped and the signature is assumed verified if the exact same signed XML is presented, verified with exactly the same public key and signature value. The cached signature is not used if there are changes to the XML, public key, or signature value.
Enable this property when:
  • Your Gateway repeatedly validates the same signed XML snippets (for example, SAML assertions) and maximum throughput is important.
  • Your organization's security policy permits cached signatures.
  • Caching code in the signature validation code path is acceptable.
A setting of zero disables the cache.
Default:
0
scheduledTask.maxThreads
The maximum number of threads for the task scheduler. Must be greater than or equal to 1.
Requires a Gateway restart for changes to take effect.
Default:
10
security.fips.enabled
Enable FIPS-compliant cryptographic algorithms. Value is a Boolean.
  • true
    = Places the SafeLogic CryptoComply for Java (CCJ) software cryptographic provider into FIPS mode, but security providers from the runtime environment continue to be available. If a Gateway feature is enabled that requires a non-FIPS algorithm (for example, the Certificate Discovery Service or an SSL cipher that uses RC4 or MD5), then the Gateway tries to use the built-in security provider for that feature.
When the security.fips.enabled property is set to "true", non-FIPS ciphers are not accepted. There is no assurance that the built-in TLS implementation can correctly process all non-FIPS algorithms.
  • false
    = The built-in non-FIPS Sun provider is always used; FIPS mode is never enabled.
Default:
false
About CCJ Version 3.0.1
Applies to users who have upgraded to or installed Gateway version 10.0 CR3+.
Version 3.0.1 is a major release and enforces stricter security guidelines per FIPS 140-2. It now restricts a private key to one set of functions: either encrypt/decrypt or sign SSL certificates, but not both. To maintain backwards compatibility, the following system property has been set to 'true'. However, it is recommended that this property be set to 'false' for increased security:
com.safelogic.cryptocomply.rsa.allow_multi_use=false
Importing a keystore in JKS format into the Gateway using the Policy Manager is not permitted by the CCJ v3.0.1 library but has been enabled by the Gateway to preserve backwards compatibility. Going forward, if you typically import JKS formatted keystores, it is recommended that you convert them to PKCS #12 format prior to importing.
Be aware that SafeLogic's refreshed architecture and design behind CCJ v3.0.1 may pose some performance tradeoffs on cryptographic operations to accommodate the improved security features required by FIPS.
serverModuleFile.upload.enable
Enable or disable the Manage Server Module Files task in the Policy Manager.
Default:
true
serverModuleFile.upload.maxSize
The maximum server module file size permitted to be uploaded. The default is 20MB. A value of "0" (zero) indicates unlimited size.
Default:
20971520 (bytes)
(1) This value should be less than the DB packet size limit. For example, for MySQL this is the max_allowed_packet value within my.cnf or my.ini. (2) Increasing the default value may cause database replication issues in a clustered environment.
soap.actors
soap.roles
The SOAP actors or roles in the security header that are processed by the Gateway. Each actor or role should be separated with a space or placed on a separate line.
Default:
secure_span
http://www.layer7tech.com/ws/policy
  • If the Layer7 API Gateway - XML VPN Client is used, do not remove the "secure_span" actor or role.
  • Any new actor or role added to these properties is treated in the same manner as the "secure_span" actor when it comes to processing of security headers in routing assertions (that is, if the "Remove Layer 7 actor and mustUnderstand attributes from processed Security header" option is chosen for WSS header handling in a routing assertion property).
Unless otherwise configured in the policy, response messages use the actor/role value from the request message (if the request message uses one of the configured additional values).
soap.rejectMustUnderstand
Controls how messages with unrecognized SOAP headers addressed to the Gateway are handled:
  • true
    =  Messages containing "mustUnderstand" SOAP headers other than "Security" and "Timestamp" that are addressed to the Gateway role are rejected immediately, during security processing.
  • false
    = Messages containing such SOAP headers are passed through security processing and into policy processing.
Default:
true
swagger.maxDownloadSize
Maximum size (in bytes) of a Swagger specification document download. A value of "0" (zero) indicates unlimited size.
Default:
10485760
bytes (uses the value from the General Context Variables context variable)
template.defaultMultivalueDelimiter
Delimiter between values when a multi-valued context variable is interpolated.
Default:
, (comma space)
template.partBodyMaxSize
Maximum size of message part bodies to interpolate in memory.
Default:
5242880 bytes
template.strictMode
Determines what happens when a context variable cannot be resolved for whatever reason. Value is a Boolean.
  • true
    = Nonexistent variables in a template can cause assertions or policy processing to fail.
  • false
    = Nonexistent variables in a template triggers a warning audit event and an empty string is used instead; this does not cause assertions or policy processing to fail.
Default:
false
wsdlDownload.maxSize
Maximum size of a WSDL document download. A value of zero indicates unlimited size.
Default:
10485760
bytes (uses the value from the ${documentDownload.maxSize} context variable)
wsdm.notification.enabled
Enables notifications when subscribing to a WSDM resource. Value is a Boolean.
Default:
true
wsdm.notification.interval
Time between WSDM subscription notifications attempts. This applies only to metrics notifications; status changes are sent as they occur.
Default:
60000 milliseconds
xslDownload.maxSize
Maximum size in bytes of an XSL document download. A value of "0" (zero) indicates unlimited size.
Default:
10485760
bytes (uses the value from the ${documentDownload.maxSize} context variable)
xacml.pdp.maxDownloadSize
Maximum size of a XACML policy document download. A value of zero indicates unlimited size.
Default:
10485760
bytes (uses the value from the ${documentDownload.maxSize} context variable)
xacml.pdp.policyCache.maxAge
Time to cache a XACML policy in memory. When the Evaluate XACML Policy assertion is processed within the policy, the policy is re-downloaded if the cached policy is older than the value of this cluster property.
Requires a Gateway restart for changes to take effect.
Default:
300000 milliseconds
xacml.pdp.policyCache.maxEntries
Maximum number of cached XACML policies loaded from URLs across all Evaluate XACML Policy assertions on a single Gateway node. Enter zero to disable caching.
Requires a Gateway restart for changes to take effect.
Default:
100
xacml.pdp.policyCache.maxStaleAge
Maximum expiration of cached policies loaded from URLs. A setting of "-1" indicates no expiry.
Requires a Gateway restart for changes to take effect.
Default:
-1
xslt.engine.force20
Determines when the XSLT 2.0 engine (currently Saxon) is used to process XSLT/XPath stylesheets. Value is a Boolean.
  • true
    = Forces the use of the XSLT 2.0 engine to process v1.0 stylesheets in software.
  • false
    = Uses the XSLT 2.0 engine only for v2.0 XSLT/XPath operations.
Default:
false
Requires a Gateway restart for changes to take effect.