Environment Variables for the Container Gateway

This topic lists the environment variables that are specific to the Container Gateway application and includes: 
gateway93
This topic lists the environment variables that are specific to the Container Gateway application and includes: 
 
 
2
 
2
 
 
To obtain better understanding of how these environment variables are used, refer to the More Information section. We recommend that you first review the sample files before looking up the detailed descriptions.
Available Gateway Environment Variables
Variable
Required?
Default
Description
ACCEPT_LICENSE
Yes
-
Set the ACCEPT_LICENSE environment variable to 
true
 to confirm that you have a valid commercial license for CA API Gateway. You also confirm that you have reviewed and accepted the terms of the CA End User License Agreement (EULA) that governs your use of the CA API Gateway.
This value is case-sensitive.
SSG_JVM_HEAP
No
2G
The JVM heap size to use.
This value should be a number, followed by 
m
M
k
K
g
G
. For example: "4G", "4000m", "4g", "3M" (m and M both mean megabyte).
 This value must be set to a value that is less than the 
mem_limit
 value set in the 
api-gateway
 section of the  file. The 
mem_limit
 value should be 1GB more or 50% more than the 
SSG_JVM_HEAP
 value, whichever is higher.
For memory configuration guidelines, see Guidelines for Configuring Resources for the Container Gateway.
SSG_ADMIN_USERNAME
No
random
The administrative username for the Policy Manager. May contain alphanumeric ASCII characters and any of the following symbols:
 ! @ . = - _ ^ + ; : # , %
 
 
SSG_ADMIN_PASSWORD
 
No
random
The password for the administrative user. 
For improved security, the password should be at least 12 characters long. It may contain alphanumeric ASCII characters and any of the following symbols:
 ! @ . = - _ ^ + ; : # , %
 
IMPORTANT:
 You should embed sensitive data such as passwords in plain-text within a configuration file only for convenience in development or test environments. Many container PaaS environments provide mechanisms for properly managing sensitive data. For an example, see "Secrets" in Configure Environment Variables in OpenShift.
 To disable Policy Manager connectivity, leave the 
SSG_ADMIN_USERNAME
 and 
SSG_ADMIN_PASSWORD
 variables empty. Disabling Policy Manager access is ideal if you want to enforce the redeployment of the container when making changes in a production environment. You will also do this if you have a derived image that is bootstrapped.
 
 
SSG_DATABASE_JDBC_URL
 
No
-
The URL of the JDBC connection that is used to connect to the MySQL database. If this URL is not defined, the Container Gateway defaults to using the embedded database instead.
  1. If a valid URL is provided, the Container Gateway uses this JDBC connection to connect to the MySQL database(s) (MySQL mode).
  2. If a URL is not provided (empty or not declared), the Container Gateway defaults to the embedded database (Derby mode).
  • If you want to use the Policy Manager, make sure the 
    SSG_ADMIN_USERNAME
     and 
    SSG_ADMIN_PASSWORD
     are defined.
  • The JDBC URL can be used to configure the secondary database connection, for example:
    jdbc:mysql://mysql-server-primary:3306,mysql-server-secondary:3306/ssg
SSG_DATABASE_USER
Yes, if SSG_DATABASE_JDBC_URL is provided
-
The user who is connecting to the MySQL server(s). Only alphanumeric ASCII characters are accepted.
  • If you are using the CA Technologies sample deployment files:
    1. This user must match any
      MYSQL_USER
      username defined in the environment section for the MySQL service. This environment section is identified by these names:
    2. If you specify a user name other than
      root
      , you must also define a
      MYSQL_DATABASE
      entry. This is necessary for the database user to have the correct permissions.
  • If you have deployed your own MySQL instance, then set this environment variable to match the credentials for the account created on your MySQL instance.
SSG_DATABASE_PASSWORD
Yes, if SSG_DATABASE_JDBC_URL is provided
-
Password that is used to connect to the MySQL server(s). The password may contain alphanumeric ASCII characters and any of the following symbols:
 ! @ . = - _ ^ + ; : # , %
 (special symbols supported as of v9.3 CR3).
  • If you are using the sample deployment files, then this environment variable must match:
  • If you have deployed your own MySQL instance, then set this environment variable to match the credentials for the account created on your MySQL instance.
SSG_DATABASE_WAIT_TIMEOUT
No
300 seconds (5 minutes)
The time to wait (in seconds) for the database to become available. This value is used by the Container Gateway when 
SSG_DATABASE_JDBC_URL
 is provided.
 
SSG_CLUSTER_HOST
 
Yes, if SSG_DATABASE_JDBC_URL is provided
 ${hostname}
The cluster 
hostname
 of the Container Gateway.
Valid values are the quoted fully qualified domain name (FQDN) of the service endpoint; for example: 
mygateway.mycompany.com
 
SSG_CLUSTER_PASSWORD
Yes, if SSG_DATABASE_
JDBC_URL is provided
 random
The cluster password.
For improved security, the username and password (recommended 12 characters minimum) may contain alphanumeric ASCII characters and any of the following symbols: 
 ! @ . = - _ ^ + ; : # ,
 
EXTRA_JAVA_ARGS
No
-
Define any extra JVM flags (including system properties) to add to the Java command line here. Space separated list.
For example,  
-XX:ParallelGCThreads=4 -Dcom.l7tech.bootstrap.env.license.enable=true -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER
 
  • Use 
    -Dcom.l7tech.server.siteminder.enabled=true
     to enable CA Single Sign-On (Siteminder). By default, this functionality is 
    disabled
    .
  • Use 
    -Dcom.l7tech.bootstrap.env.license.enable=true
     to enable loading the SSG license gzip, base64 string as a environment variable. By default it is 
    disabled
    .
  • Use 
    -Dcom.l7tech.service.metrics.enabled=false
     to disable the service metrics when using a MySQL database. By default it is 
    enabled
    . The embedded database does not use this toggle as it is always disabled.
 
 
SSG_SSL_KEY
 
No
 
IMPORTANT:
 Use the 
SSG_SSL_KEY
 environment variable in a development or test environment only. It is 
not
 recommended for production use, since it exposes the SSL key license in plain text in your configuration file. The preferred method is to mount the license file(s) as secret volumes.
The default Gateway SSL key as a base64 encoded string. For more information, see Manage Private Keys.
 Copy the string from the output of this Linux command 
cat /path/to/key.p12 | base64
 (add 
–wrap=0
 to the 
base64
 command if you are running Windows OS).
SSG_SSL_KEY_PASS
No
The default Gateway SSL key password. Can be left empty if the 
p12
 key is not password protected.
 
SSG_LICENSE
 
No/Disabled by default
 
IMPORTANT:
 Use the 
SSG_LICENSE
 environment variable in a development or test environment only. It is 
not
 recommended for production use, since it exposes the (encoded) license in plain text in your configuration file. The preferred method is to mount the license file(s) as secret volumes.
The 
CA API Gateway
 license as a Gzipped, Base64-encoded string (with no space characters or line breaks). A valid license is required to operate the Container Gateway.
Use this 
SSG_LICENSE
 env var to install a single Gateway license. To install multiple licenses, use the preferred method of mounting the license file(s) as secret volumes.
 Providing the license through this environment variable is disabled by default. To enable, add the following to the 
docker-compose.yml
 file in Sample Docker Compose Deployment File:
EXTRA_JAVA_ARGS: "-Dcom.l7tech.bootstrap.env.license.enable=true"
Alternatively, add this line to the 
gateway.env
 file in Sample Openshift Deployment Files:
EXTRA_JAVA_ARGS="-Dcom.l7tech.bootstrap.env.license.enable=true"
Deprecated Environment Variables
These variables were used in the previous versions of the container Gateway and are no longer in use.
Variable
SSG_CLUSTER_COMMAND
 
SSG_DATABASE_TYPE
SSG_DATABASE_HOST
SSG_DATABASE_PORT
SSG_DATABASE_NAME
 
 
SSG_DATABASE_ADMIN_USER
SSG_DATABASE_ADMIN_PASS
 
SSG_INTERNAL_SERVICES
Known Issue
The following issue occurs only in a scenario when multiple container Gateways access the same SQL database instance.
Unable to set new Admin Username and Password for Additional Container Gateways 
The Container Gateway stores values for the SSG_ADMIN_USERNAME and SSG_ADMIN_PASSWORD in the SQL database instance. If an additional Container Gateway is created and configured to use the same SQL database instance, the initial settings for admin username and password values persist.  Any new admin username and password values are ignored.
Workaround: Use different SQL database instances. 
More Information