Gateway System Properties

This topic lists the properties that can be used in the system.properties file. These properties are used to override the default behavior of the Layer7 API Gateway.
WARNING!
Configuring system properties should only be attempted by advanced users or as directed by CA Technical Support. Improper use may degrade performance of your Gateway or even render it inoperable. The list in this appendix represents only a fraction of the available system properties.
To modify a Gateway system property: 
  1. Locate and open the following file in a text editor:
    /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add a line in the format:
    [system property name] = [value]
  3. Save and exit the file, then stop and restart the Gateway.
In the following list, <SSG> is the home directory for the Gateway: /opt/SecureSpan/Gateway.
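The procedure above amounts to editing a Java-style properties file by hand. The following is an added example (not code from the Layer7 documentation or product) that does the same edit programmatically: it rewrites an existing definition in place, removes accidental duplicates of the key, appends the key when it is missing, and writes the file through a temporary file so an interrupted write cannot leave system.properties half-written. The sample file content is constructed for the example; the key pattern and the ISO-8859-1 encoding follow the java.util.Properties conventions.

```python
"""Idempotently set a key in a Java-style .properties file.

Added example, not code from the Layer7 documentation or product. It assumes
the simple `key = value` line format shown in the procedure above, with
comment lines starting with '#' or '!'.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Property keys are dotted identifiers; anything else is almost certainly a
# typo, so refuse it rather than silently writing an unrelated key.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# Constructed sample file content (not a real Gateway configuration).
SAMPLE = """# constructed sample system.properties
com.l7tech.server.audit.messageThreshold = WARNING
com.l7tech.util.allowDuplicateIdAttrsOnElem = true
"""


def _split(line: str) -> tuple[str | None, str | None]:
    """Split a properties line into (key, value); comments and blanks give (None, None)."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None, None
    m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", stripped)
    return (m.group(1), m.group(2)) if m else (None, None)


def get_property(text: str, key: str) -> str | None:
    """Return the effective value of `key`; like java.util.Properties, the last definition wins."""
    value = None
    for line in text.splitlines():
        name, val = _split(line)
        if name == key:
            value = val
    return value


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with `key` set to `value`.

    The first existing definition is rewritten in place and any later
    duplicates are dropped; a missing key is appended at the end.
    """
    if not KEY_RE.match(key):
        raise ValueError(f"invalid property key: {key!r}")
    if "\n" in value or "\r" in value:
        raise ValueError("value must be a single line")
    out: list[str] = []
    found = False
    for line in text.splitlines():
        name, _ = _split(line)
        if name == key:
            if not found:
                out.append(f"{key} = {value}")
                found = True
            continue  # drop duplicate definitions of the same key
        out.append(line)
    if not found:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def set_property_in_file(path: Path, key: str, value: str) -> None:
    """Apply set_property to a file, writing via a temp file so a crash never leaves it half-written."""
    original = path.read_text(encoding="latin-1") if path.exists() else ""
    updated = set_property(original, key, value)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".system.properties.")
    with os.fdopen(fd, "w", encoding="latin-1") as fh:
        fh.write(updated)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Show the rewritten sample; on a real Gateway you would call
    # set_property_in_file(Path("/opt/SecureSpan/Gateway/node/default/etc/conf/system.properties"), ...)
    print(set_property(SAMPLE, "com.l7tech.util.allowDuplicateIdAttrsOnElem", "false"), end="")
```

After the change the Gateway still has to be stopped and restarted, as step 3 says; the script only edits the file.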
System Properties
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost
The maximum number of concurrent outbound HTTP connections permitted from the Gateway to a given remote host.
Default:
1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections
The total number of concurrent outbound HTTP connections permitted from the Gateway, regardless of the number of remote hosts.
Default:
3000
com.l7tech.common.http.prov.apache.CommonsHttpClient.staleCheckCount
Number of stale-checked connections per interval.
Default:
1
com.l7tech.common.http.prov.apache.CommonsHttpClient.useExpectContinue
Use the "Expect: 100-continue" header during HTTP routing.
Default:
false
com.l7tech.common.http.prov.apache.CommonsHttpClient.noKeepAlive
Permits use of persistent connections.
Default:
false
com.l7tech.common.http.strictCookieExpiryFormat
How to respond if the date format of a cookie is not recognized:
  • true - An exception is thrown, the event is logged, and the cookie is not sent. (Default)
  • false - No exception is thrown; the cookie is returned to the client with a max age of "0".
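The two behaviours of strictCookieExpiryFormat, modelled on a single Set-Cookie header value as an added example (not Gateway code). The list of accepted date formats is an assumption of the example; the Gateway's own parser is not described on this page.

```python
"""Two ways to handle a Set-Cookie whose Expires date cannot be parsed.

Added example, not Gateway code. It models the two settings of
com.l7tech.common.http.strictCookieExpiryFormat on a single Set-Cookie
header value; the set of accepted date formats is an assumption.
"""
from __future__ import annotations

import logging
from datetime import datetime, timezone

log = logging.getLogger("cookie-passthrough")

# RFC 1123 first, then the older Netscape / asctime spellings still seen in the wild.
COOKIE_DATE_FORMATS = (
    "%a, %d %b %Y %H:%M:%S GMT",
    "%a, %d-%b-%Y %H:%M:%S GMT",
    "%A, %d-%b-%y %H:%M:%S GMT",
    "%a %b %d %H:%M:%S %Y",
)


def parse_cookie_date(text: str) -> datetime | None:
    """Return the UTC datetime for a cookie Expires value, or None if no known format matches."""
    for fmt in COOKIE_DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def forward_set_cookie(header: str, strict: bool = True) -> str:
    """Rewrite a Set-Cookie header before it is returned to the client.

    strict=True  (property true):  unrecognised Expires -> log and raise; the cookie is not sent.
    strict=False (property false): unrecognised Expires -> the attribute is replaced by Max-Age=0.
    A recognised Expires value is passed through unchanged.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie: missing name=value")
    cookie_name = parts[0].split("=", 1)[0]
    out = [parts[0]]
    for attr in parts[1:]:
        name, _, value = attr.partition("=")
        if name.strip().lower() == "expires" and parse_cookie_date(value) is None:
            if strict:
                log.warning("unrecognised expiry %r on cookie %s; cookie dropped", value, cookie_name)
                raise ValueError(f"unrecognised cookie expiry format: {value!r}")
            out.append("Max-Age=0")  # lax mode: client gets the cookie, but already expired
            continue
        out.append(attr)
    return "; ".join(out)


if __name__ == "__main__":
    sample = "sid=abc; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT; HttpOnly"  # constructed
    print(forward_set_cookie(sample))
    print(forward_set_cookie("sid=abc; Expires=next tuesday; Secure", strict=False))
```

The strict path is the safer default for an auditor: the failed parse leaves a log line and the cookie never reaches the client, whereas the lax path silently turns the cookie into one that expires immediately.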
com.l7tech.common.mime.allowLaxEmptyMultipart
How empty multipart messages are treated.
  • true - An incoming empty multipart message is treated as an empty single-part message, while retaining a multipart Content-Type.
  • false - No change to how empty multipart messages are treated. (Default)
com.l7tech.external.assertions.rawtcp.defaultRequestSizeLimit
The maximum number of bytes in a raw TCP routing request (to the backend service).
Default:
1048576
com.l7tech.external.assertions.rawtcp.defaultResponseSizeLimit
The maximum number of bytes in a raw TCP routing response (returned to the Gateway). The default setting of "-1" indicates that the limit should be retrieved from the cluster property io.xmlPartMaxBytes.
Default:
-1
com.l7tech.external.assertions.samlpassertion.validateSSOProfile
Whether the Build SAML Protocol Response Assertion should validate profile rules.
  • true - Rules are validated; if a rule is broken, the assertion fails and a warning audit is logged. (Default)
  • false - Rules are not validated.
com.l7tech.external.assertions.ssh.server.enableMacMd5
Removes the HMAC-MD5 algorithm from the MAC algorithm list.
  • true - Does not remove the HMAC-MD5 algorithm from the MAC algorithm list.
  • false - Removes the HMAC-MD5 algorithm from the MAC algorithm list. (Default)
com.l7tech.external.assertions.ssh.server.enableMacNone
Removes the "none" MAC algorithm from the MAC algorithm list.
  • true - Does not remove the "none" MAC algorithm from the MAC algorithm list. The MAC algorithm is not used.
  • false - Removes the "none" MAC algorithm from the MAC algorithm list. (Default)
com.l7tech.gateway.config.backuprestore.nouniqueimagename
Make the backup image name unique.
  • true - Prefix the image name with a timestamp in the form yyyyMMddHHmmss.
  • false - Do not add a timestamp to the image name. (Default)
com.l7tech.hacounter.batchLimit
Number of individual writes to batch together before writing to the database. Lower values cause more individual writes to the database, based on how many entries are in the queue to be written.
Default:
4096
com.l7tech.hacounter.coreThreads
Core number of threads to have writing to the database.
Default:
16
com.l7tech.hacounter.counterQueueSize
Counter queue size. This can be reflective of the number of requests per unit time that you expect to see. For example, with the write flush at 1, this means the Gateway can handle at most 4096 x 1 sec = 4096 requests/sec. Larger values allow more requests through, but at the expense of more system resource usage. This setting is closely tied to the flush time for writes (com.l7tech.hacounter.flushTimeWriteDatabase).
Default:
4096
com.l7tech.hacounter.flushTimeWriteDatabase
Time limit until a flush of the writes to the database from the write queue. Change only if you require more or less frequent flushes. This may affect the frequency of database writes and the allowed access may exceed the permitted throughput in some instances.
Default:
500 milliseconds
com.l7tech.hacounter.keepAliveSec
Maximum length of time to keep a database write thread alive.
Default:
10 seconds
com.l7tech.hacounter.maxThreads
Maximum number of threads to have writing to the database.
Default:
128
com.l7tech.hacounter.supervisorQueueSize
Supervisor queue size. The default means there can be 4096 counters, each having a counter queue size (com.l7tech.hacounter.counterQueueSize). Larger values consume more RAM. 
Default:
4096
com.l7tech.hacounter.timeClearReadCache
Time limit before clearing the counter cache, which causes another read of the counter from the database. Changing the value may affect the throughput.
Default:
60000 milliseconds
com.l7tech.http.maxParameterLength
Maximum length of a single field within an HTTP form post body (content type application/x-www-form-urlencoded).
Default:
1000000
com.l7tech.kerberos.useSpnFromInboundTicket
Enables the Service Principal Name (SPN) to be correctly determined in scenarios where the Gateway is dealing with multiple SPNs in a keytab file.
Default:
false
com.l7tech.kmp.properties
Location of kmp.properties file, either absolute or else relative to the directory where omp.dat would normally be found. The default value assumes this file is located in the same directory as the omp.dat file.
Default:
kmp.properties
com.l7tech.message.httpParamsMaxFormPost
Maximum number of bytes to buffer when processing an HTTP form post (application/x-www-form-urlencoded).
Default:
5242880
This system property has been superseded by the cluster property io.httpParamsMaxFormPostBytes. However, if both are used, the system property takes precedence.
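The two form-post limits on this page (com.l7tech.http.maxParameterLength and com.l7tech.message.httpParamsMaxFormPost) are both guards against a client forcing the Gateway to buffer or decode an unbounded body. The following added example (not Gateway code) shows what such guards look like as explicit checks: the body is read from the stream with a hard cap so an oversized request is rejected before it is buffered, and each field is checked against the per-parameter limit before it is decoded. The default values are the ones listed on this page; applying the per-field limit to the encoded name=value pair is an assumption of the example.

```python
"""Bounded parsing of an application/x-www-form-urlencoded body.

Added example, not Gateway code. Demonstrates a whole-body byte cap
(httpParamsMaxFormPost default 5242880) and a per-field cap
(maxParameterLength default 1000000) as explicit checks.
"""
from __future__ import annotations

from typing import BinaryIO
from urllib.parse import unquote_plus

MAX_FORM_POST_BYTES = 5242880   # com.l7tech.message.httpParamsMaxFormPost default
MAX_PARAMETER_LENGTH = 1000000  # com.l7tech.http.maxParameterLength default


class FormTooLarge(ValueError):
    """Raised before an oversized form is decoded."""


def parse_form_post(body: bytes,
                    max_total_bytes: int = MAX_FORM_POST_BYTES,
                    max_param_length: int = MAX_PARAMETER_LENGTH) -> dict[str, list[str]]:
    """Decode a form body into {name: [values]} while enforcing both limits.

    Repeated names are kept in order; the per-field limit is applied to the
    encoded name=value pair (an assumption of this example).
    """
    if len(body) > max_total_bytes:
        raise FormTooLarge(f"form body is {len(body)} bytes, limit {max_total_bytes}")
    params: dict[str, list[str]] = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        if len(pair) > max_param_length:
            raise FormTooLarge(f"form field is {len(pair)} bytes, limit {max_param_length}")
        raw_name, _, raw_value = pair.partition(b"=")
        name = unquote_plus(raw_name.decode("ascii", "replace"))
        value = unquote_plus(raw_value.decode("ascii", "replace"))
        params.setdefault(name, []).append(value)
    return params


def read_form_post(stream: BinaryIO,
                   max_total_bytes: int = MAX_FORM_POST_BYTES,
                   max_param_length: int = MAX_PARAMETER_LENGTH) -> dict[str, list[str]]:
    """Read at most max_total_bytes + 1 bytes so an oversized body is rejected without being buffered in full."""
    data = stream.read(max_total_bytes + 1)
    if len(data) > max_total_bytes:
        raise FormTooLarge(f"form body exceeds {max_total_bytes} bytes")
    return parse_form_post(data, max_total_bytes=max_total_bytes, max_param_length=max_param_length)


if __name__ == "__main__":
    from io import BytesIO
    # Constructed request body, not captured traffic.
    print(read_form_post(BytesIO(b"user=alice&note=hello+world%21")))
```

Reading one byte past the limit is what turns "is the body too big?" into a decision that costs at most the limit plus one byte of memory, which is the property that a buffering cap is meant to provide.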
com.l7tech.ncipher.preference
This property is automatically applied when Gateway use of nCipher is enabled via the Gateway main menu, if using a FIPS level 3 security world. Manually adding this system property should not be necessary unless upgrading an existing Gateway.
Default:
highest
com.l7tech.policy.assertion.HttpPassthroughRuleSet.headersToSkip
This property defines which headers should not be passed through in the Route via HTTP(S) Assertion (Headers tab). If this property is not defined explicitly, the Gateway excludes all default headers.
Default:
keep-alive, connection, server, content-type, date, content-length, transfer-encoding, content-encoding, host
To force one of the excluded headers to be passed through, update the default list by removing the desired header.
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes
com.l7tech.security.secureconversation.defaultSecretLengthInBytes
Add these properties to change the derived key length for the default WS-SecureConversation.
Default:
32
The following property must also be set in the XML VPN Client:
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes=16
com.l7tech.server.attachmentDirectory
Directory for caching large SOAP attachments.
Default:
<SSG>/node/default/var/attachments/
com.l7tech.server.audit.messageThreshold
Minimum level required of a Message Audit record for it to be saved to the database.
Default:
WARNING
com.l7tech.server.audit.adminThreshold
Minimum Level required of an Admin Audit record for it to be saved to the database.
Default:
INFO
com.l7tech.server.audit.detailThreshold
Minimum Level required of an audit detail message for it to be saved to the database.
Default:
INFO
com.l7tech.server.audit.hinting
Enable audit messages to provide hints for audited information (such as request XML).
Default:
true
com.l7tech.server.audit.assertionStatus
Use the highest assertion status level when checking if a record should be saved.
Default:
true
com.l7tech.server.audit.detailThresholdRespected
Use the audit detail level when checking if a record should be saved.
Default:
true
com.l7tech.server.audit.purgeMinimumAge
Minimum age of audit records that can be purged (in hours).
Default:
168 (1 week)
com.l7tech.server.configDirectory
Directory for Gateway configuration files.
Default:
<SSG>/node/default/etc/conf
com.l7tech.server.documentDownload.maxSize
Maximum default size (in bytes) of a document download. A value of "0" (zero) indicates unlimited size.
Default:
10485760
com.l7tech.server.home
Home directory for Gateway files.
Default:
<SSG>
com.l7tech.server.hostname
Gateway hostname.
Default:
OS hostname
com.l7tech.server.httpPort
HTTP port used by the Gateway. server.xml must be updated as well.
Default:
8080
com.l7tech.server.httpsPort
HTTPS port used by the Gateway. server.xml must be updated as well.
Default:
8443
com.l7tech.server.jdbcDriver
Override default JDBC Driver class setting (as defined in serverconfig.properties, "jdbcConnection.driverClass.whiteList"). Requires Gateway restart to take effect.
com.l7tech.server.keystore.enablehsm
Indicates whether an internal Hardware Security Module is present.
Default:
false
com.l7tech.server.ldapTemplatesPath
Path to LDAP templates
com.l7tech.server.maxLdapSearchResultSize
Number of max results in an identity provider search result operation.
Default:
50
com.l7tech.server.metrics.fineBinInterval
Time period for fine Service Metrics bins.
Default:
5000 (milliseconds)
com.l7tech.server.multicastAddress
Multicast address for server cluster.
Default:
randomly created
com.l7tech.server.outConnectTimeout
I/O timeout for outbound connection.
Default:
30000 (milliseconds)
com.l7tech.server.outTimeout
I/O timeout for outbound response.
Default:
60000 (milliseconds)
com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable
Set to "true" to ensure the Keep-alive option is respected in outbound HTTPS routing when the key is used to avoid SSL traffic.
Requires a Gateway restart after changing this property.
Default:
false
For best effect, also set these other system properties when setting com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable to 'true':
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost=1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections=3000
com.l7tech.server.rateLimit
Minimum permissible rate for incoming requests (bytes per second).
Default:
1024
com.l7tech.server.rateTimeout
I/O timeout for incoming request rate checking.
Default:
60000 (milliseconds)
com.l7tech.server.serverID
Numeric server identifier.
Default:
IP address of Gateway
com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis
Time period between cleanups of Policy Manager debugger sessions that have been inactive for the com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis period of time.
Default:
86460000 (milliseconds; 24 hrs + 1 min)
com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis
Period of time for a Policy Manager debugger session to be inactive before it is cleaned up at the com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis interval.
Default:
86400000 (milliseconds; 24 hrs)
com.l7tech.server.timeout
I/O timeout for incoming requests.
Default:
60000 (milliseconds)
com.l7tech.server.transport.jms.detectJmsTypes
Auto detect JMS provider type, if using ActiveMQ or WebLogic. Contact CA Technical Support if connecting to more than one JMS provider.
  • true - Auto detect the JMS type (either queue or topic). If unable to detect the type, the generic JMS connection type is used. (Default)
  • false - Do not auto detect the JMS type; always use the generic JMS connection type.
com.l7tech.server.transport.jms.topicMasterOnly
Specifies if the master node processes the message and executes the policy.
  • true - Only the master node processes the message and executes the policy. (Default)
  • false - Disables using only the master node to execute the policy.
com.l7tech.server.uddi.auto_republish
Republish to UDDI as needed (e.g., when the cluster hostname or port number changes).
Default:
true
com.l7tech.util.allowDuplicateIdAttrsOnElem
Allow messages with an element that has duplicate ID attributes.
Default:
true
For greater security, set this property to "false" to reject any message with an element that has more than one attribute recognized as an ID attribute.
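The check that the "false" setting implies, as an added example (not Gateway code): walk the parsed message and refuse it when any single element carries more than one attribute that reference or signature processing would treat as an ID. The set of attribute names treated as IDs and the sample messages are constructed for this example; the Gateway's own list of recognised ID attributes is not given on this page.

```python
"""Detect elements that carry more than one ID-type attribute.

Added example, not Gateway code. Shows the check implied by setting
com.l7tech.util.allowDuplicateIdAttrsOnElem to false. The set of ID
attribute names is an assumption of the example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XML_NS = "http://www.w3.org/XML/1998/namespace"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Attribute names treated as element identifiers (assumed set for this example).
ID_ATTRIBUTES = frozenset({"Id", "ID", "id", f"{{{WSU_NS}}}Id", f"{{{XML_NS}}}id"})

# Constructed sample messages, not captured traffic.
CLEAN_MESSAGE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <s:Body wsu:Id="Body-1"><op/></s:Body>
</s:Envelope>""".encode()

DUPLICATE_ID_MESSAGE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsu="{WSU_NS}">
  <s:Body wsu:Id="Body-1" Id="Body-2"><op/></s:Body>
</s:Envelope>""".encode()


def elements_with_duplicate_ids(xml_bytes: bytes) -> list[str]:
    """Return the namespaced tags of elements that carry more than one ID attribute.

    When one element answers to two identifiers, a reference that names it by
    one of them may not resolve to what the consumer of the message expects,
    which is why the stricter setting rejects such messages outright.
    """
    root = ET.fromstring(xml_bytes)
    offenders: list[str] = []
    for element in root.iter():
        id_attrs = [name for name in element.attrib if name in ID_ATTRIBUTES]
        if len(id_attrs) > 1:
            offenders.append(element.tag)
    return offenders


def accept_message(xml_bytes: bytes, allow_duplicate_id_attrs: bool = True) -> bool:
    """Mirror the property: True keeps the default (accept), False rejects offending messages."""
    if allow_duplicate_id_attrs:
        return True
    return not elements_with_duplicate_ids(xml_bytes)


if __name__ == "__main__":
    print("clean:", elements_with_duplicate_ids(CLEAN_MESSAGE))
    print("duplicate:", elements_with_duplicate_ids(DUPLICATE_ID_MESSAGE))
    print("accepted with property=false:", accept_message(DUPLICATE_ID_MESSAGE, allow_duplicate_id_attrs=False))
```

A rejected message should also produce an audit record naming the offending element, so that a legitimate client sending an unusual but harmless document can be distinguished from a malformed one when the stricter setting is rolled out.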
policyValidation.maxPaths
The maximum number of possible paths through a policy before the policy is considered to be too complex to attempt server-side validation.
Default:
500000