Gateway System Properties

This topic lists the properties that can be used in the system.properties file. These properties are used to override the default behaviour of the gateway.
Modifying the System Properties File
Whenever possible, property changes should be made at the cluster property level. When a property is configured both as a system property and as a cluster property, the value defined in the system properties generally takes precedence unless described otherwise.
Configuring system properties should only be attempted by advanced users or as directed by Layer7 Technical Support. Improper use may degrade performance of your Gateway or even render it inoperable. The list in this appendix represents only a fraction of the available system properties.
To modify a Gateway system property:
  1. Locate and open the following file in a text editor:
    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add a line in the format:
    [system property name] = [value]
  3. Save and exit the file, then stop and restart the Gateway.
In the following list, <SSG> is the home directory for the Gateway: /opt/SecureSpan/Gateway.
System Properties
HTTP Connections
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost
The maximum number of concurrent outbound HTTP connections permitted from the Gateway to a given remote host. Default: 1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections
The total number of concurrent outbound HTTP connections permitted from the Gateway, regardless of the number of remote hosts. Default: 3000
com.l7tech.common.http.prov.apache.CommonsHttpClient.staleCheckCount
Number of stale-checked connections per interval. Default: 1
com.l7tech.common.http.prov.apache.CommonsHttpClient.useExpectContinue
Use the "Expect: 100-continue" header during HTTP routing. Default: false
com.l7tech.common.http.prov.apache.CommonsHttpClient.noKeepAlive
Permits use of persistent connections. Default: false
Cookies
com.l7tech.common.http.strictCookieExpiryFormat
How to respond if the date format of a cookie is not recognized:
  • true - An exception is thrown, an event is logged, and the cookie is not sent. (Default)
  • false - No exception is thrown; the cookie is returned to the client with a max age of "0".
Multipart Messages
com.l7tech.common.mime.allowLaxEmptyMultipart
How empty multipart messages are treated.
  • true - An incoming empty multipart message is treated as an empty single-part message, while retaining a multipart Content-Type.
  • false - No change to how empty multipart messages are treated. (Default)
Hazelcast
com.l7tech.external.assertions.hazelcastembeddedprovider.network.port
The inbound port on which the Gateway Hazelcast instance listens. Default: 8777
com.l7tech.external.assertions.hazelcastembeddedprovider.tcpip.connection.timeout
The length of time for members to accept client connection requests before a timeout occurs. Default: 5 (seconds)
Raw TCP
com.l7tech.external.assertions.rawtcp.defaultRequestSizeLimit
The maximum number of bytes in a raw TCP routing request (to the back-end service). Default: 1048576
com.l7tech.external.assertions.rawtcp.defaultResponseSizeLimit
The maximum number of bytes in a raw TCP routing response (returned to the Gateway). The default setting of "-1" indicates that the limit should be retrieved from the cluster property io.xmlPartMaxBytes. Default: -1
SAML
com.l7tech.external.assertions.samlpassertion.validateSSOProfile
Whether the Build SAML Protocol Response Assertion should validate profile rules.
  • true - Rules are validated; if a rule is broken, the assertion fails and a warning audit is logged. (Default)
  • false - Rules are not validated.
SSH Server
com.l7tech.external.assertions.ssh.server.enableMacMd5
Controls whether the HMAC-MD5 algorithm is removed from the MAC algorithm list.
  • true - Does not remove the HMAC-MD5 algorithm from the MAC algorithm list.
  • false - Removes the HMAC-MD5 algorithm from the MAC algorithm list. (Default)
com.l7tech.external.assertions.ssh.server.enableMacNone
Controls whether the "none" MAC algorithm is removed from the MAC algorithm list.
  • true - Does not remove the "none" MAC algorithm from the MAC algorithm list; a connection that negotiates "none" uses no MAC.
  • false - Removes the "none" MAC algorithm from the MAC algorithm list. (Default)
Backup Restore
com.l7tech.gateway.config.backuprestore.nouniqueimagename
Controls whether the backup image name is made unique.
  • true - Prefix the image name with a timestamp in the form yyyyMMddHHmmss.
  • false - Do not add a timestamp to the image name. (Default)
High Availability
com.l7tech.hacounter.batchLimit
Number of individual writes to batch together before writing to the database. Lower values cause more individual writes to the database, depending on how many entries are in the queue to be written. Default: 4096
com.l7tech.hacounter.coreThreads
Core number of threads writing to the database. Default: 16
com.l7tech.hacounter.counterQueueSize
Counter queue size. This can reflect the number of requests per unit time that you expect to see. For example, with the write flush at 1, the Gateway can handle at most 4096 x 1 sec = 4096 requests/sec. Larger values allow more requests through, but at the expense of more system resource usage. This setting is closely tied to the flush time for writes (com.l7tech.hacounter.flushTimeWriteDatabase). Default: 4096
com.l7tech.hacounter.flushTimeWriteDatabase
Time limit until the writes in the write queue are flushed to the database. Change only if you require more or less frequent flushes. This may affect the frequency of database writes, and in some instances the allowed access may exceed the permitted throughput. Default: 500 (milliseconds)
com.l7tech.hacounter.keepAliveSec
Maximum length of time to keep the database writer alive. Default: 10 (seconds)
com.l7tech.hacounter.maxThreads
Maximum number of threads writing to the database. Default: 128
com.l7tech.hacounter.supervisorQueueSize
Supervisor queue size. The default means there can be 4096 counters, each having a counter queue of size com.l7tech.hacounter.counterQueueSize. Larger values consume more RAM. Default: 4096
com.l7tech.hacounter.timeClearReadCache
Time limit before the counter cache is cleared, which causes another read of the counter from the database. Changing the value may affect throughput. Default: 60000 (milliseconds)
HTTP Field Length
com.l7tech.http.maxParameterLength
Maximum length of a single field within an HTTP form post body (content type application/x-www-form-urlencoded). Default: 1000000
KMP Properties
com.l7tech.kmp.properties
Location of the kmp.properties file, either absolute or relative to the directory where omp.dat would normally be found. The default value assumes this file is located in the same directory as the omp.dat file. Default: kmp.properties
com.l7tech.message.httpParamsMaxFormPost
Maximum number of bytes to buffer when processing an HTTP form post (application/x-www-form-urlencoded). Default: 5242880
This system property has been superseded by the cluster property io.httpParamsMaxFormPostBytes. However, if both are used, the system property takes precedence.
com.l7tech.ncipher.preference
This property is applied automatically when Gateway use of nCipher is enabled via the Gateway main menu and a FIPS level 3 security world is in use. Manually adding this system property should not be necessary unless upgrading an existing Gateway. Default: default (the provider is appended to the end of the provider list). If the value is set to highest, the provider is inserted at the top of the list.
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes
com.l7tech.security.secureconversation.defaultSecretLengthInBytes
Add these properties to change the derived key length for the default WS-SecureConversation. Default: 32
The following property must also be set in the :
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes=16
com.l7tech.policy.assertion.HttpPassthroughRuleSet.headersToSkip
This property defines which headers should not be passed through in the Route via HTTP(S) Assertion (Headers tab). If this property is not defined explicitly, the Gateway excludes all default headers. Default: keep-alive, connection, server, content-type, date, content-length, transfer-encoding, content-encoding, host
To force one of the excluded headers to be passed through, update the default list by removing the desired header.
Server Related
com.l7tech.server.attachmentDirectory
Directory for caching large SOAP attachments. Default: <SSG>/node/default/var/attachments/
com.l7tech.server.audit.messageThreshold
Minimum level required of a Message Audit record for it to be saved to the database. Default: WARNING
com.l7tech.server.audit.adminThreshold
Minimum level required of an Admin Audit record for it to be saved to the database. Default: INFO
com.l7tech.server.audit.detailThreshold
Minimum level required of an audit detail message for it to be saved to the database. Default: INFO
com.l7tech.server.audit.hinting
Enable audit messages to provide hints for audited information (such as request XML). Default: true
com.l7tech.server.audit.assertionStatus
Use the highest assertion status level when checking whether a record should be saved. Default: true
com.l7tech.server.audit.detailThresholdRespected
Use the audit detail level when checking whether a record should be saved. Default: true
com.l7tech.server.audit.purgeMinimumAge
Minimum age of audit records that can be purged. Default: 168 (hours)
com.l7tech.server.cassandra.consistencyLevel
Sets the default consistency level of the Perform Cassandra Query assertion. Default: ONE
com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds
Period of time before the Gateway removes inactive nodes. Default: 7776000 (seconds = 3 months)
In environments that use the environment variable.
com.l7tech.server.configDirectory
Directory for Gateway configuration files. Default: <SSG>/node/default/etc/conf
com.l7tech.server.documentDownload.maxSize
Maximum default size (in bytes) of a document download. A value of "0" (zero) indicates unlimited size. Default: 10485760
com.l7tech.server.extension.sharedClusterInfoProvider
Sets the cluster information service used by the Gateway. Value is one of (case sensitive):
  • ssgdb - to use the MySQL-backed implementation (MysqlClusterInfoService)
  • externalhazelcast - to use the external Hazelcast implementation
Default: 'ssgdb'.
If this system property is defined in the environment variable, that value overrides whatever is defined in the system.properties file.
Switching between providers will not migrate existing data to the newly configured provider.
com.l7tech.server.extension.sharedCounterProvider
Sets the cluster information service used by the Gateway. Value is one of (case sensitive):
  • ssgdb - to use the MySQL-backed implementation
  • externalhazelcast - to use the external Hazelcast implementation
Default: 'ssgdb'.
If this system property is defined in the environment variable, that value overrides whatever is defined in the system.properties file.
Switching between providers will not migrate existing data to the newly configured provider.
com.l7tech.server.extension.sharedKeyValueStoreProvider
Name of the shared state provider that is used to retrieve the key value store. Value is one of (case sensitive):
  • embeddedhazelcast - to use the Hazelcast key value store that is embedded inside the Gateway.
  • externalhazelcast - to use the external Hazelcast key value store implementation.
Default: 'embeddedhazelcast'.
If this system property is defined in the environment variable, that value overrides whatever is defined in the system.properties file.
Switching between providers will not migrate existing data to the newly configured provider.
com.l7tech.server.home
Home directory for Gateway files. Default: <SSG>
com.l7tech.server.hostname
Gateway hostname. Default: <OS hostname>
com.l7tech.server.httpPort
HTTP port used by the Gateway. Must update server.xml as well. Default: 8080
com.l7tech.server.httpsPort
HTTPS port used by the Gateway. Must update server.xml as well. Default: 8443
com.l7tech.server.jdbcDriver
Overrides the default JDBC Driver class setting (as defined in serverconfig.properties, "jdbcConnection.driverClass.whiteList"). Requires a Gateway restart to take effect.
com.l7tech.server.keystore.enablehsm
Indicates whether an internal Hardware Security Module is present. Default: false
com.l7tech.server.ldapTemplatesPath
Path to the LDAP templates.
com.l7tech.server.log.console.threshold
Sets the logging threshold level for console logs, using Java logging levels. Default: INFO
com.l7tech.server.maxLdapSearchResultSize
Maximum number of results in an identity provider search operation. Default: 50
com.l7tech.server.metrics.fineBinInterval
Time period for fine Service Metrics bins. Default: 5000 (milliseconds)
com.l7tech.server.multicastAddress
Multicast address for the server cluster. Default: randomly created
com.l7tech.server.outConnectTimeout
I/O timeout for outbound connections. Default: 30000 (milliseconds)
com.l7tech.server.outTimeout
I/O timeout for outbound responses. Default: 60000 (milliseconds)
com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable
Set to "true" to ensure the Keep-alive option is respected in outbound HTTPS routing when the key is used to avoid SSL traffic. Requires a Gateway restart after changing this property. Default: true
For best effect, also set these other system properties when setting com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable to 'true':
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost=1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections=3000
If the Route via HTTP(S) Assertion is configured to "Use HTTP Credentials from Request" (in the Authentication tab), then that setting takes priority over the com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable system property.
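The edit procedure at the top of this page and the statePool tuning just described, carried out from a shell on the Gateway host. This is an added example, not from the Layer7 documentation: the file path is the one the procedure gives, and set_prop, get_prop, key_re and apply_statepool_tuning are helper names chosen here.

```shell
#!/bin/sh
# Added example, not part of the Layer7 documentation: write Gateway system
# properties in the "[system property name] = [value]" form described in the
# procedure at the top of this page. An existing definition of the same key
# is replaced rather than duplicated, so the file never carries two
# conflicting lines. Stopping and restarting the Gateway remains a manual step.

# Path from the procedure above; override SSG_PROPS to work on a copy.
SSG_PROPS="${SSG_PROPS:-/opt/SecureSpan/Gateway/node/default/etc/conf/system.properties}"

# Escape the dots in a property key so it can be used in a BRE.
# Keys on this page contain only [A-Za-z0-9_.] (assumption).
key_re() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# set_prop FILE KEY VALUE: replace or append "KEY = VALUE".
set_prop() {
    file="$1" key="$2" value="$3"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # Keep every line except earlier definitions of KEY (spaces around '='
    # optional). grep exits 1 when no line is kept, which is not an error here.
    grep -v "^[[:space:]]*$(key_re "$key")[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_prop FILE KEY: print the last value defined for KEY (trimmed), or nothing.
get_prop() {
    sed -n "s/^[[:space:]]*$(key_re "$2")[[:space:]]*=//p" "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tail -n 1
}

# apply_statepool_tuning FILE: enable the HTTP routing state pool together
# with the two connection limits the documentation says to set alongside it.
apply_statepool_tuning() {
    set_prop "$1" com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable true
    set_prop "$1" com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost 1500
    set_prop "$1" com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections 3000
}

# On the Gateway host, as a user allowed to edit the file, then stop and restart:
#   apply_statepool_tuning "$SSG_PROPS"
```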
com.l7tech.server.rateLimit
Minimum permissible rate for incoming requests (bytes per second). Default: 1024
com.l7tech.server.rateTimeout
I/O timeout for incoming request rate checking. Default: 60000 (milliseconds)
com.l7tech.server.response.header.server
The server name that you want to appear in the response header. For security reasons, the Gateway does not return the name of the actual web server by default.
To override this system property per listen port:
  1. Select the Advanced tab.
  2. Add the advanced property "server=<value>", where "<value>" is the server name to be returned. For more information, see "Advance Properties" under "Configuring the [Advanced] Tab" in Listen Port Properties.
If neither the com.l7tech.server.response.header.server system property nor the "server" advanced listen port property is present, then the Gateway returns this header value:
"server: Layer7-API-Gateway/<majorVersion>",
where "<majorVersion>" is "9.0" for all version 9.x Gateways, etc. Do not confuse "9.0" with the actual Gateway version 9.0. For more information, refer to this article: https://en.wikipedia.org/wiki/Request_for_Comments
com.l7tech.server.serverID
Numeric server identifier. Default: IP address of the Gateway
com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis
Time period between cleanups of Policy Manager debugger sessions that have been inactive for the com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis period of time. Default: 86460000 (milliseconds; 24 hrs + 1 min)
com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis
Period of time for a Policy Manager debugger session to be inactive before it is cleaned up at the com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis interval. Default: 86400000 (milliseconds; 24 hrs)
com.l7tech.server.syslog.connectTimeout
Message dropping percentage compared to the entire queue size. Default: 1% (min: 1, max: 100)
com.l7tech.server.syslog.queueSize
Maximum number of messages that will be buffered in the system. Default: 10000 (min: 10000, max: 2147483647)
com.l7tech.server.syslog.reconnectAttempts
The maximum number of reconnection attempts per syslog host before trying an alternate syslog host. Default: 1 (min: 1, max: 100)
com.l7tech.server.syslog.reconnectInterval
The time between reconnection attempts, in milliseconds. Default: 1000 ms (min: 1, max: 60000)
com.l7tech.server.timeout
I/O timeout for incoming requests. Default: 60000 (milliseconds)
com.l7tech.server.transport.jms.detectJmsTypes
Auto-detect the JMS provider type if using ActiveMQ or WebLogic. Contact Support if connecting to more than one JMS provider.
  • true - Auto-detect the JMS type (either queue or topic). If unable to detect the type, the generic JMS connection type is used. (Default)
  • false - Do not auto-detect the JMS type; always use the generic JMS connection type.
com.l7tech.server.transport.jms.topicMasterOnly
Specifies whether only the master node processes the message and executes the policy.
  • true - Only the master node processes the message and executes the policy. (Default)
  • false - Disables using only the master node to execute the policy.
com.l7tech.server.uddi.auto_republish
Republish to UDDI as needed (e.g., when the cluster hostname or port number changes). Default: true
Note: UDDI support is deprecated in .
com.l7tech.util.allowDuplicateIdAttrsOnElem
Allow messages with an element that has duplicate ID attributes. Default: true
For greater security, set this property to "false" to reject any message with an element that has more than one attribute recognized as an ID attribute.
policyValidation.maxPaths
The maximum number of possible paths through a policy before the policy is considered too complex to attempt server-side validation. Default: 500000
External Assertions
com.l7tech.external.assertions.ssh.enabledKexAlgs
Specifies the ordered CSV list of enabled KEX algorithms. The default list does not include the weak algorithm diffie-hellman-group1-sha1.
com.l7tech.external.assertions.http2.routing.clientPoolSize
Specifies the maximum client pool size. If the pool size exceeds the maximum set value, then the least recently used client is replaced with the new HTTP client. Default: 100
com.l7tech.external.assertions.http2.routing.clientPoolItemIdleTimeout
Specifies the time period in milliseconds that an unused item is kept in the cache. Default: 1800000
com.l7tech.external.assertions.http2.routing.clientPoolEvictionSchedulerTimePeriod
Specifies the time period in milliseconds for which the pool eviction scheduler is active to perform cache cleanup. Default: 300000
com.l7tech.external.assertions.http2.routing.connectionIdleTimeout
Specifies the time period in milliseconds that the pooled connection is active. Default: 30000
com.l7tech.external.assertions.http2.routing.sslSessionTimeout
Specifies the SSL session timeout period in milliseconds. Default: 600000
com.l7tech.external.assertions.http2.routing.sslSessionCacheSize
Specifies the SSL session cache size in bytes. Default: 10000
com.l7tech.external.assertions.http2.routing.gzipStreamThreshold
Specifies the GZIP stream threshold value. Default: Unlimited
com.l7tech.external.assertions.http2.routing.settingsHeaderTableSize
Specifies the maximum size of the header compression table that is used to decode header blocks for HTTP/2. Default: 4096
com.l7tech.external.assertions.http2.routing.settingsInitialWindowSize
Specifies the sender's initial window size for stream-level flow control. Default: 8388608
com.l7tech.external.assertions.http2.transport.servletFilterEnabled
Specifies whether diagnostic information such as the listen port ID and name and the client IP is set into the context. Default: True
com.l7tech.external.assertions.http2.transport.acceptQueueSize
Specifies the size of the backlog of pending connections that are queued for acceptance when the connector port has reached its maximum number of connections. Default: 100
com.l7tech.external.assertions.http2.transport.enableBlacklistedCiphers
(HTTP2 (Secure) Listen Ports) Set this value to true to enable blacklisted cipher suites. See https://tools.ietf.org/html/rfc7540#appendix-A for the list of blacklisted cipher suites. Default: false
com.l7tech.external.assertions.openapi.schemaCacheSize
Specifies the maximum number of items (JSON schema objects) that can be cached at a given time. Default: 200
com.l7tech.external.assertions.openapi.schemaCacheItemIdleTimeout
Specifies the maximum time in milliseconds after which an unused item is evicted from the cache. Default: 5000
com.l7tech.external.assertions.openapi.maxRequestBodyLength
Specifies the maximum size of the request body in kilobytes. Validation is skipped if the request body size exceeds the configured value. Default: -1 (unlimited)
com.l7tech.external.assertions.kafka.routing.clientPoolSize
Specifies the maximum client pool size. If the pool size exceeds the maximum set value, then the least recently used client is replaced with the new Kafka Producer client. Default: 100
com.l7tech.external.assertions.kafka.routing.clientPoolItemIdleTimeout
Specifies the time period in milliseconds that an unused Kafka Producer client is kept in the cache. Default: 300000
com.l7tech.external.assertions.kafka.routing.clientPoolEvictionSchedulerTimePeriod
Specifies the time period in milliseconds for which the pool eviction scheduler is active to perform Kafka Producer client cache cleanup. Default: 300000
Miscellaneous
com.safelogic.cryptocomply.rsa.allow_multi_use
Applies to Gateway version 10.0 CR3+ with the CryptoComply for Java (CCJ) version 3.0.1 cryptographic library installed. Version 3.0.1 is a major release and enforces stricter security guidelines per FIPS 140-2: it now restricts a private key to one set of functions, either decrypt/encrypt or signing SSL certificates, but not both. To maintain backwards compatibility, this new system property is set to true. If required, you may set the value to 'false' instead to enforce the single-function usage rule for increased security. Default: true
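An added check, not from the Layer7 documentation, that reads a system.properties file and reports the settings on this page which weaken the defaults: allowDuplicateIdAttrsOnElem and allow_multi_use left at their permissive default of true, enableMacMd5, enableMacNone or enableBlacklistedCiphers explicitly set to true, and an enabledKexAlgs list that includes diffie-hellman-group1-sha1. key_re, get_prop and audit_props are names chosen here, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the Layer7 documentation: report the system
# properties on this page whose value weakens the Gateway's defaults. Keys
# and the hardened values come from the entries above. Two keys default to
# the permissive setting (allowDuplicateIdAttrsOnElem and allow_multi_use),
# so for those an absent key is reported as well.

key_re() {
    # Keys contain only [A-Za-z0-9_.] (assumption); escape the dots for a BRE.
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# get_prop FILE KEY: last value defined for KEY, trimmed and lower-cased
# (the page lists "True" as one default, so booleans are compared
# case-insensitively); prints nothing if the key is absent.
get_prop() {
    sed -n "s/^[[:space:]]*$(key_re "$2")[[:space:]]*=//p" "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tail -n 1 | tr 'A-Z' 'a-z'
}

# audit_props FILE: print one "KEY: reason" line per finding; exit 0 only if clean.
audit_props() {
    f="$1" n=0
    # Hardened when "false", but the documented default is "true".
    for k in com.l7tech.util.allowDuplicateIdAttrsOnElem \
             com.safelogic.cryptocomply.rsa.allow_multi_use; do
        v=$(get_prop "$f" "$k")
        if [ "$v" != "false" ]; then
            echo "$k: '${v:-unset, default true}' keeps the permissive behaviour; set to false"
            n=$((n + 1))
        fi
    done
    # Default "false" already removes the weak option; only an explicit "true" is a finding.
    for k in com.l7tech.external.assertions.ssh.server.enableMacMd5 \
             com.l7tech.external.assertions.ssh.server.enableMacNone \
             com.l7tech.external.assertions.http2.transport.enableBlacklistedCiphers; do
        if [ "$(get_prop "$f" "$k")" = "true" ]; then
            echo "$k: set to true, re-enabling a weak algorithm the default excludes"
            n=$((n + 1))
        fi
    done
    # The default KEX list omits diffie-hellman-group1-sha1; flag a list that adds it back.
    kex=$(get_prop "$f" com.l7tech.external.assertions.ssh.enabledKexAlgs | tr -d ' ')
    case ",$kex," in
        *,diffie-hellman-group1-sha1,*)
            echo "com.l7tech.external.assertions.ssh.enabledKexAlgs: includes diffie-hellman-group1-sha1"
            n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Example run on the Gateway host (path from the procedure at the top of this page):
#   audit_props /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
```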
com.l7tech.server.bundling.ignoreKeyExportErrors
Set this property to true to ignore key export errors and continue the bundle export with partial details for an SSG_KEY_ENTRY entity. Default: false
com.l7tech.server.bundling.ignoreKeyImportErrors
Set this property to true to ignore key import errors and continue the bundle import for the remaining entities in it. Default: false