CA API Gateway 9.1

index 10.0 congw.10.0 9.4 9.3 9.2 9.1 9.0
English

Miscellaneous Cluster Properties

The following cluster properties control various aspects of  behavior.
gateway91
The following cluster properties control various aspects of 
API Gateway
 behavior.
Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.
Property
Description
admin.
certificateDiscoveryEnabled
Allows the Policy Manager to securely discover this
API Gateway
's SSL certificate without user intervention. Value is a Boolean.
  • true
     = Automatic certificate discovery is enabled, without user intervention required.
  • false
     = Automatic certificate discovery is disabled. When the Policy Manager attempts to trust a server certificate for the first time, a confirmation dialog is displayed and you must explicitly accept or reject the certificate.
Default:
true
See also
services.certificateDiscoveryEnabled
.
attachment.diskThreshold
Threshold of attachments in a single request to keep in RAM.
Default:
1048576 bytes
builtinService.snmpQuery.enabled
Controls the availability of the SNMP query service check box in the Listen Port Properties [Basic Settings] tab.
  • true
     = The check box displays among the other built-in service check boxes.
  • false
     = The check box is suppressed.
Default:
true
CA WSDM Gateway Observer
contentType.otherTextualTypes
Textual Content-Types. By default, the gateway recognizes these Content-Types: text, xml, json and form encoded. Each Content-Type should be on a separate line and may include a charset—for example:
application/custom; charset="UTF-8"
customerMapping.
addToGatewayAuditEvents
Controls whether the
API Gateway
 saves the mapping information with the audits:
  • true
     = mapping information is saved in the
    API Gateway
     audit, enabling them to be viewed in the Gateway Audit Events window.
  • false
     = mapping information is not saved in the
    API Gateway
     audit.
Default:
 true
customerMapping.
addToServiceMetrics
Determines whether the
API Gateway
 saves the mapping information with the service metrics:
  • true
     = mapping information is saved with the service metrics, allowing them to be used in the Dashboard.
  • false
     = mapping information is not saved with the service metrics.
Default:
true
dataGrid.protocol
The protocol Hazelcast uses to discover cluster members. Restart all nodes in the cluster for changes to take effect.
Default:
tcpip
(1) The Hazelcast cache is used for message replay protection and is a key component of assertions such as the Protect Against Message Replay Assertion (XML Security) . (2) This is a hidden cluster property that is edited by typing its name in the Key field in Manage Cluster-Wide Properties. Modify this only under the direction of CA Support.
dataGrid.tcpip.connectionTimeout
Maximum time Hazelcast will try to connect to a well known member before timing out. Value is a time unit.
Default:
5s
The "Notes" under
dataGrid.protocol
 above also apply here.
datetime.autoFormats
Values for built-in set of supported date formats. This property determines the values that the Set Context Variable assertion can parse by default when "<
auto
>" is selected and what values the Compare Expression assertion can automatically convert when "Date/Time" is selected as the data type.
This is a hidden cluster property that is edited by typing in its name in the Key field in Manage Cluster-Wide Properties. By default, these formats are supported:
Example
: 1997-07-16T 19:20:30.45-1:00
  • W3C ISO 8601 (http://www.w3.org/TR/NOTE-datetime)
  • HTTP-Date (RFC1123, RFC 850, asc time)
  • RFC 1123  Example: Sun, 06 Nov 1994 08:49:37 GMT
  • RFC 822 (and RFC1036) Example: Sun, 06 Nov 94 08:49:37 GMT
  • RFC 850 Example: Friday, 19-Nov-82 16:14:55 EST
  • asc time Example:. Fri Nov 12 13:02:02 2012
Observe these guidelines when configuring this property:
  • The string must be formatted as <format><^pattern$>.
  • The pattern must begin with the ^ character and end with the $ character.
  • White space is not required and is ignored if present.
  • Any pairs with an invalid format or pattern are ignored and an audit is generated.
  • The Policy Manager does not validate the value for this property.
The default value for the cluster property is as follows (line breaks added here for readability and to minimize horizontal scrolling when viewing this page):
yyyy-MM-dd'T'HH:mm:ss.SSSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{3}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ss.SSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ss.SXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{1}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ssXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mmXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd ^\d{4}-\d{2}-\d{2}$
yyyy-MM ^\d{4}-\d{2}$
yyyy ^\d{4}$
EEE, dd MMM yyyy HH:mm:ss z ^[a-zA-Z]{3},\s\d{2}
\s[a-zA-Z]{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s(?:
[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE, dd MMM yy HH:mm:ss Z ^[a-zA-Z]{3},\s\d{2}
\s[a-zA-Z]{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?:
[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE, dd-MMM-yy HH:mm:ss z ^
(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),
\s\d{2}-[a-zA-Z]{3}-\d{2}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE MMM dd HH:mm:ss yyyy ^[a-zA-Z]{3}\s[a-zA-Z]{3}
\s(\d{2}|\s\d)\s\d{2}:\d{2}:\d{2}\s\d{4}$
datetime.customFormats
Customizes the values displayed in the "Format" drop-down list in the Set Context Variable assertion. User can modify datetime.customFormats by adding new formats or by removing the existing formats. To add additional formats, enter them here, separating each format with a semicolon. Changing datetime.customFormats does not affect values in datetime.autoFormats.
db.replicationDelayThreshold
The threshold for auditing a warning due to slow or failed replication. Enter "0" (zero) to disable audits. Value is a time unit.
Default:
60s
db.replicationErrorAuditInterval
Minimum interval between successive database replication failure audits. This allows the number of audits to be restricted, so auditing will occur only once per hour (or whatever is configured) when replication is failing. Value is a time unit.
Default:
60m
ekeycache.maxEntries
Maximum number of cached ephemeral key thumbprints (per-node).
Default:
1000
help.url
Location of the online help system. By default, the Policy Manager uses the
API Gateway
 documentation wiki as the online help. Change this setting only if your organization has installed an offline version of the document due to internet restrictions (see Install Offline Help).
Default: blank (which indicates the factory default help location is in use)
(1) The new help file location will take effect the next time you log in to the Policy Manager. (2) New value must point to a web server that supports
http
 or
https
.
icap.channelIdleTimeout
Maximum idle time for a connected channel in the connection pool to an ICAP server. Any channels exceeding this timeout value will be disconnected and removed from the pool. Value is a time unit; the allowable range is between 1 second and 1 hour.
Default:
1m
keyStore.searchForAlias
Determines how the
API Gateway
 searches for key aliases:
  • true
     = If an assertion refers to a private key in a non-existent keystore, the
    API Gateway
     will check all other keystores for an identical private key alias. If one is found, it will be used instead. In the Policy Manager, a warning validator message is displayed for any affected assertions.
  • false
     =  If an assertion refers to a private key in a non-existent keystore, an error is returned and the policy containing this assertion will be inoperative. Other keystores are not examined.
Default:
true
For more information about private keys, see Manage Private Keys. For more information on how to select a private key to use, see Selecting a Custom Private Key
keyStore.signWithSha1
Sets the default signature hash to use for the message digest when signing certificates. Value is a Boolean.
  • true
     = use SHA-1
  • false
     = use SHA-384
Default:
false
krb5.kdc
Sets the "kdc" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the KDC value.
krb5.realm
Sets the "default_realm" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the realm.
license.expiryWarningPeriod
Time in the future to display impending expiration of the
API Gateway
 license or SSL certificate. Value is a time unit.
Default:
30d
metrics.fineInterval
Time interval for Service Metrics fine resolution bins.
Default:
5000 milliseconds
For more information about service metrics bins, see Dashboard - Service Metrics.
Restart the cluster if you change this value.
mtom.decodeSecuredMessages
Controls whether secured MTOM-encoded message are automatically decoded. Value is a Boolean.
  • true
     = MTOM-encoded messages containing a WS-Security header that is processed by the
    API Gateway
     is automatically decoded to a regular SOAP message for security processing.
  • false
     = MTOM-encoded messages is not automatically decoded prior to WS-Security processing. An undecoded secure MTOM message can cause WS-Security processing to fail.
Default:
true
This cluster property only acts on messages containing a WS-Security destined for the
API Gateway
. All other message are unaffected by this property and MTOM decoding occurs only when a Decode MTOM Message assertion is present in the policy.
pingServlet.mode
Determines how the
API Gateway
 responds to PING commands. Values are:
  • OFF
    : No response to any ping attempts.
  • REQUIRE_CREDS
    : Responds only when request is submitted using SSL on port 8443, with credentials in the request.
  • OPEN
    : Minimal response when request is submitted without SSL (port 8080); full response when request is submitted with SSL (port 8443).
  • MONITOR
    : Returns a minimal status message to the client, while denying access to any node system information.
Default:
REQUIRE_CREDS
See Ping URI Test for a more detailed description of each setting.
policyValidation.
maxConcurrency
Maximum number of server-side policy validation jobs that may be active simultaneously.
Default:
15
Requires a
API Gateway
 restart for changes to take effect.
policyValidation.maxPaths
Maximum number of possible paths through a policy before the policy is considered to be too complex to attempt server-side validation.
Default:
500000
policyVersioning.maxRevisions
Maximum number of policy revisions to retain. Only revisions that are not active and which do not have a comment count toward the maximum. If set to zero, only the active version and commented versions are retained. Revisions with comments are always retained, regardless of the setting of this cluster property.
Default:
20
Progress Actional for SOA Operations
request.compress.gzip.allow
Determines whether GZIP compressed requests are accepted:
  • true
     = compressed requests are accepted by the
    API Gateway
  • false
     = all compressed requests are rejected
Default:
true
response.compress.gzip.allow
Determines whether GZIP compressed responses can be returned to the client:
  • true
     = compressed response can be returned to the client
  • false
     = force a non-compressed response from the
    API Gateway
     to the client, regardless of the accept-encoding requested response
Default:
true
restman.request.message.maxSize
Configures the maximum request message size going to the REST Management Service to support large migrations. The io.xmlPartMaxBytes cluster property has no affect on the REST Management Service. Default = 50MB. 
rbac.autoRole.managePolicy.
autoAssign
Determines if a non-admin user should be added to the auto-created Manage Policy role, when a new Policy is successfully created.
  • true = the non-admin user is assigned to the Manage Policy role
  • false = the non-admin user is not assigned to the Manage Policy role
Default:
true
rbac.autoRole.manageProvider.
autoAssign
Determines if a non-admin user should be added to the auto-created Manage Provider role, when a new Policy is successfully created.
  • true
     = the non-admin user is assigned to the Manage Provider role
  • false
     = the non-admin user is not assigned to the Manage Provider role
Default:
true
rbac.autoRole.manageService.
autoAssign
Determines if a non-admin user should be added to the auto-created Manage Service role, when a new Published Service is successfully created.
  • true
     = the non-admin user is assigned to the Manage Service role
  • false
     = the non-admin user is not assigned to the Manage Service role
Default:
true
rsasigcache.maxEntries
Number of verified signatures to cache. The property sets the size of the RSA signature cache, which keeps track of recently-verified XML snippets. Only the SHA1 hash is cached, not the entire XML snippet.
Caching is disabled by default, which enhances overall security with a slight performance penalty. When caching is enabled, the RSA decrypt operation is skipped and the signature is assumed verified if the exact same signed XML is presented, verified with exactly the same public key and signature value. The cached signature is not used if there are changes to the XML, public key, or signature value.
Enable this property when:
  • Your
    API Gateway
     repeatedly validates the same signed XML snippets (for example, SAML assertions) and maximum throughput is important.
  • Your organization's security policy permits cached signatures.
  • Caching code in the signature validation code path is acceptable. 
A setting of zero disables the cache.
Default:
0 (caching disabled)
Requires a
API Gateway
 restart for changes to take effect.
scheduledTask.maxThreads
The maximum number of threads for the task scheduler. Must be greater than or equal to 1.
Default:
10
Requires a
API Gateway
 restart for changes to take effect.
security.fips.enabled
Enable FIPS-compliant cryptographic algorithms. Value is a Boolean.
  • t
    rue
     = Places the RSA software cryptographic provider into FIPS mode, but security providers from the runtime environment continue to be available. If a
    API Gateway
     feature is enabled that requires a non-FIPS algorithm (for example, the Certificate Discovery Service or an SSL cipher that uses RC4 or MD5), then the
    API Gateway
     tries to use the built-in security provider for that feature.
When the security.fips.enabled property is set to "true", non-FIPS ciphers are not accepted. There is no assurance that the built-in TLS implementation can correctly process all non-FIPS algorithms.
  • false
     = The built-in non-FIPS Sun provider is always used; FIPS mode is never enabled.
Default:
false
serverModuleFile.upload.enable
Enable or disable the Manage Server Module Files task in the Policy Manager.
Default:
true
serverModuleFile.upload.maxSize
The maximum server module file size permitted to be uploaded. The default is 20MB. A value of "0" (zero) indicates unlimited size.
Default:
20971520
 (bytes).
(1) This value should be less than the DB packet size limit. For example for MySQL, this is the
max_allowed_packet
 value within my.cnf or my.ini. (2) Increasing the default value may cause database replication issues in a clustered environment.
siteminder12.agent.
configuration
Configure the agent for the Authenticate with SiteMinder R12 Protected Resource custom assertion .
soap.actors
soap.roles
The SOAP actors or roles in the security header that are processed by the
API Gateway
. Each actor or role should be separated with a space or placed on a separate line.
Default:
secure_span
http://www.layer7tech.com/ws/policy
  • If the
    API Gateway
     - XML VPN Client is used, do not remove the "secure_span" actor or role.
  • Any new actor or role added to these properties are treated in the same manner as the "secure_span" actor when it comes to processing of security headers in routing assertions (that is, if the "Remove Layer 7 actor and mustUnderstand attributes from processed Security header" option is chosen for WSS header handling in a routing assertion property).
Unless otherwise configured in the policy, response messages use the actor/role value from the request message (if the request message uses one of the configured additional values).
soap.rejectMustUnderstand
Controls how messages with unrecognized SOAP headers addressed to the
API Gateway
 are handled:
  • true
     =  Messages containing "mustUnderstand" SOAP headers other than "Security" and "Timestamp" that are addressed to the
    API Gateway
     role are rejected immediately, during security processing.
  • false
     = Messages containing such SOAP headers are passed through security processing and into policy processing.
Default:
true
swagger.maxDownloadSize
Maximum size (in bytes) of a Swagger specification document download. A value of "0" (zero) indicates unlimited size.
Default:
10485760
 bytes (uses the value from the General Context Variables context variable)
template.
defaultMultivalueDelimiter
Delimiter between values when a multi-valued context variable is interpolated.
Default:
, (comma space)
template.partBodyMaxSize
Maximum size of message part bodies to interpolate in memory.
Default:
5242880 bytes
template.strictMode
Determines what happens when a context variable cannot be resolved for whatever reason. Value is a Boolean.
  • true
     = Nonexistent variables in a template can cause assertions or policy processing to fail.
  • false
     = Nonexistent variables in a template triggers a warning audit event and an empty string is used instead; this does not cause assertions or policy processing to fail.
Default:
false
wsdlDownload.maxSize
Maximum size of a WSDL document download. A value zero indicates unlimited size.
Default:
10485760
 bytes (uses the value from the General Context Variables context variable)
wsdm.notification.enabled
Enables notifications when subscribing to a WSDM resource. Value is a Boolean.
Default:
true
wsdm.notification.interval
Time between WSDM subscription notifications attempts. This applies only to metrics notifications; status changes are sent as they occur.
Default:
60000 milliseconds
xslDownload.maxSize
Maximum size in bytes of a XSL document download. A value of "0" (zero) indicates unlimited size.
Default:
10485760
bytes (uses the value from the context variable)
xacml.pdp.maxDownloadSize
Maximum size of a XACML policy document download. A value of zero indicates unlimited size.
Default:
10485760
bytes (uses the value from the context variable)
xacml.pdp.policyCache.
maxAge
Time to cache a XACML policy in memory. When the Evaluate XACML Policy assertion is processed within the policy, the policy is re-downloaded if the cached policy is older than the value of this cluster property.
Default:
300000 milliseconds
Requires a
API Gateway
 restart for changes to take effect.
xacml.pdp.policyCache.
maxEntries
Maximum number of cached XACML policies loaded from URLs across all Evaluate XACML Policy assertions on a single
API Gateway
 node. Enter zero to disable caching.
Default:
100
Requires a
API Gateway
 restart for changes to take effect.
xacml.pdp.policyCache.
maxStaleAge
Maximum expiration of cached policies loaded from URLs. A setting of "-1" indicates no expiry.
Default:
-1
Requires a
API Gateway
 restart for changes to take effect.
xslt.engine.force20
Determines when the XSLT 2.0 engine (currently Saxon) is used to process XSLT/XPath stylesheets. Value is a Boolean.
  • true
     – Forces the use of the XSLT 2.0 engine to process v1.0 stylesheets in software.
  • false
     – Uses the XSLT 2.0 engine only for v2.0 XSLT/XPath operations. This setting is the default.
 Requires a
API Gateway
 restart for changes to take effect.