Gateway System Properties

This topic lists the properties that can be used in the system.properties file. These properties are used to override the default behavior of the Layer7 API Gateway.

WARNING! Configuring system properties should only be attempted by advanced users or as directed by CA Technical Support. Improper use may degrade performance of your Gateway or even render it inoperable. The list in this appendix represents only a fraction of the available system properties.

To modify a Gateway system property:
  1. Locate and open the following file in a text editor:
     /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
  2. Add a line in the format:
     [system property name] = [value]
  3. Save and exit the file, then stop and restart the Gateway.

In the following list, <SSG> is the home directory for the Gateway: /opt/SecureSpan/Gateway.

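The script below carries out steps 1 to 3 from a shell session instead of a text editor. It is an added example, not part of the Layer7 documentation or product: the file path is the one given in step 1, while the function names (key_of, set_property, set_property_file) and the sample file it writes are the example's own. It backs the file up first, replaces an existing value in place rather than appending a second competing line, and leaves the Gateway restart in step 3 to the operator.

```python
# Added example (not Layer7 code): apply steps 1-3 above from a script.
# set_property() rewrites the contents of system.properties so that KEY
# appears exactly once with the given value; set_property_file() wraps it
# with a backup. The Gateway itself must still be stopped and restarted.
import re
import shutil
import tempfile
from pathlib import Path

# Default location from the procedure above (<SSG> = /opt/SecureSpan/Gateway).
DEFAULT_PROPS = Path("/opt/SecureSpan/Gateway/node/default/etc/conf/system.properties")

# Key of a Java .properties line: leading whitespace, then characters up to the
# first unescaped '=', ':' or whitespace (a backslash escapes the next char).
_KEY_RE = re.compile(r"^\s*((?:\\.|[^\s=:\\])+)")


def key_of(line: str):
    """Return the key of a properties line, or None for blank/comment lines."""
    stripped = line.lstrip()
    if not stripped or stripped[0] in "#!":
        return None
    m = _KEY_RE.match(line)
    return m.group(1) if m else None


def set_property(text: str, key: str, value: str) -> str:
    """Return TEXT with KEY set to VALUE exactly once, in '[name] = [value]' form.

    The first existing assignment is replaced in place and any later duplicate
    is dropped, so two competing values never coexist; comments, other keys and
    their order are preserved. Backslash line continuations are not handled
    (none of the values in this topic span lines).
    """
    out, seen = [], False
    for line in text.splitlines():
        if key_of(line) == key:
            if not seen:
                out.append(f"{key} = {value}")
                seen = True
            continue  # drop duplicate assignments of the same key
        out.append(line)
    if not seen:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def set_property_file(path: Path, key: str, value: str) -> Path:
    """Copy PATH to PATH.bak, then rewrite PATH with KEY = VALUE. Returns the backup."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_property(path.read_text(), key, value))
    return backup


if __name__ == "__main__":
    # Demo on a constructed file in a temp directory, not on the live Gateway.
    with tempfile.TemporaryDirectory() as tmp:
        props = Path(tmp) / "system.properties"
        props.write_text("# constructed sample\ncom.l7tech.server.httpPort = 8080\n")
        set_property_file(props, "com.l7tech.server.httpPort", "8081")
        set_property_file(props, "com.l7tech.server.timeout", "60000")
        print(props.read_text())
```

To use it against the real file, call set_property_file(DEFAULT_PROPS, name, value) as the Gateway's file owner, then restart the Gateway as in step 3. Replacing in place matters because a second line with the same key would otherwise silently win or lose depending on load order, which is hard to spot in a review.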
System Properties
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost
The maximum number of concurrent outbound HTTP connections permitted from the Gateway to a given remote host. Default: 1500

com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections
The total number of concurrent outbound HTTP connections permitted from the Gateway, regardless of the number of remote hosts. Default: 3000

com.l7tech.common.http.prov.apache.CommonsHttpClient.staleCheckCount
Number of stale checked connections per interval. Default: 1

com.l7tech.common.http.prov.apache.CommonsHttpClient.useExpectContinue
Use the "Expect: 100-continue" header during HTTP routing. Default: false

com.l7tech.common.http.prov.apache.CommonsHttpClient.noKeepAlive
Permits use of persistent connections. Default: false

com.l7tech.common.http.strictCookieExpiryFormat
How to respond if the date format of a cookie is not recognized:
  • true - An exception is thrown, an event is logged, and the cookie is not sent. (Default)
  • false - No exception is thrown; the cookie is returned to the client with a max age of "0".

com.l7tech.common.mime.allowLaxEmptyMultipart
How empty multipart messages are treated.
  • true - An incoming empty multipart message is treated as an empty single-part message, while retaining a multipart Content-Type.
  • false - No change to how empty multipart messages are treated. (Default)

com.l7tech.external.assertions.hazelcastembeddedprovider.network.port
The inbound port on which the Gateway Hazelcast instance listens. Default: 8777

com.l7tech.external.assertions.hazelcastembeddedprovider.tcpip.connection.timeout
The length of time for members to accept client connection requests before a timeout occurs. Default: 5 (seconds)

com.l7tech.external.assertions.rawtcp.defaultRequestSizeLimit
The maximum number of bytes in a raw TCP routing request (to the back-end service). Default: 1048576

com.l7tech.external.assertions.rawtcp.defaultResponseSizeLimit
The maximum number of bytes in a raw TCP routing response (returned to the Gateway). The default setting of "-1" indicates that the limit should be retrieved from the cluster property io.xmlPartMaxBytes. Default: -1

com.l7tech.external.assertions.samlpassertion.validateSSOProfile
Whether the Build SAML Protocol Response Assertion should validate profile rules.
  • true - Rules are validated; if a rule is broken, the assertion fails and a warning audit is logged. (Default)
  • false - Rules are not validated.

com.l7tech.external.assertions.ssh.server.enableMacMd5
Removes the HMAC-MD5 algorithm from the MAC algorithm list.
  • true - Does not remove the HMAC-MD5 algorithm from the MAC algorithm list.
  • false - Removes the HMAC-MD5 algorithm from the MAC algorithm list. (Default)

com.l7tech.external.assertions.ssh.server.enableMacNone
Removes the "none" MAC algorithm from the MAC algorithm list.
  • true - Does not remove the "none" MAC algorithm from the MAC algorithm list. The MAC algorithm is not used.
  • false - Removes the "none" MAC algorithm from the MAC algorithm list. (Default)

com.l7tech.gateway.config.backuprestore.nouniqueimagename
Make the backup image name unique.
  • true - Prefix the image name with a timestamp (yyyyMMddHHmmss).
  • false - Do not add a timestamp to the image name. (Default)

com.l7tech.hacounter.batchLimit
Number of individual writes to batch together before writing to the database. Lower values cause more individual writes to the database, based on how many entries are in the queue to be written. Default: 4096

com.l7tech.hacounter.coreThreads
Core number of threads to have writing to the database. Default: 16

com.l7tech.hacounter.counterQueueSize
Counter queue size. This can be reflective of the number of requests per unit time that you expect to see. For example, with the write flush at 1, this means the Gateway can handle at most 4096 x 1 sec = 4096 requests/sec. Larger values allow more requests through, but at the expense of more system resource usage. This setting is closely tied to the flush time for writes (com.l7tech.hacounter.flushTimeWriteDatabase). Default: 4096

com.l7tech.hacounter.flushTimeWriteDatabase
Time limit until a flush of the writes to the database from the write queue. Change only if you require more or less frequent flushes. This may affect the frequency of database writes, and the allowed access may exceed the permitted throughput in some instances. Default: 500 (milliseconds)

com.l7tech.hacounter.keepAliveSec
Maximum length of time to keep a write to the database alive. Default: 10 (seconds)

com.l7tech.hacounter.maxThreads
Maximum number of threads to have writing to the database. Default: 128

com.l7tech.hacounter.supervisorQueueSize
Supervisor queue size. The default means there can be 4096 counters, each having a counter queue size (com.l7tech.hacounter.counterQueueSize). Larger values consume more RAM. Default: 4096

com.l7tech.hacounter.timeClearReadCache
Time limit before clearing the counter cache, which causes another read of the counter from the database. Changing the value may affect the throughput. Default: 60000 (milliseconds)

com.l7tech.http.maxParameterLength
Maximum length of a single field within an HTTP form post body (content type application/x-www-form-urlencoded). Default: 1000000

com.l7tech.kmp.properties
Location of the kmp.properties file, either absolute or relative to the directory where omp.dat would normally be found. The default value assumes this file is located in the same directory as the omp.dat file. Default: kmp.properties

com.l7tech.message.httpParamsMaxFormPost
Maximum number of bytes to buffer when processing an HTTP form post (application/x-www-form-urlencoded). Default: 5242880
This system property has been superseded by the cluster property io.httpParamsMaxFormPostBytes. However, if both are used, the system property takes precedence.

com.l7tech.ncipher.preference
This property is applied automatically when Gateway use of nCipher is enabled via the Gateway main menu, if using a FIPS level 3 security world. Manually adding this system property should not be necessary unless upgrading an existing Gateway. Default: highest

com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes
com.l7tech.security.secureconversation.defaultSecretLengthInBytes
Add these properties to change the derived key length for the default WS-SecureConversation. Default: 32
The following property must also be set in the XML VPN Client:
com.l7tech.security.secureconversation.defaultDerivedKeyLengthInBytes=16

com.l7tech.policy.assertion.HttpPassthroughRuleSet.headersToSkip
This property defines which headers should not be passed through in the Route via HTTP(S) Assertion (Headers tab). If this property is not defined explicitly, the Gateway excludes all default headers.
Default: keep-alive, connection, server, content-type, date, content-length, transfer-encoding, content-encoding, host
To force one of the excluded headers to be passed through, update the default list by removing the desired header.

com.l7tech.server.attachmentDirectory
Directory for caching large SOAP attachments. Default: <SSG>/node/default/var/attachments/

com.l7tech.server.audit.messageThreshold
Minimum level required of a Message Audit record for it to be saved to the database. Default: WARNING

com.l7tech.server.audit.adminThreshold
Minimum level required of an Admin Audit record for it to be saved to the database. Default: INFO

com.l7tech.server.audit.detailThreshold
Minimum level required of an audit detail message for it to be saved to the database. Default: INFO

com.l7tech.server.audit.hinting
Enable audit messages to provide hints for audited information (such as request XML). Default: true

com.l7tech.server.audit.assertionStatus
Use the highest assertion status level when checking if a record should be saved. Default: true

com.l7tech.server.audit.detailThresholdRespected
Use the audit detail level when checking if a record should be saved. Default: true

com.l7tech.server.audit.purgeMinimumAge
Minimum age of audit records that can be purged. Default: 168 (hours)

com.l7tech.server.audit.log.format
Available as of Version 9.4 CR1. Affects the Container Gateway form factor only. Enriches logs to provide the same level of information or detail as audits and to correlate the log entries belonging to a single action. Enter 'json' as the value to enable rich logs and JSON formatting.
If log enrichment is enabled, this supersedes the following audit cluster properties:
com.l7tech.server.audit.log.service.headerFormat
com.l7tech.server.audit.log.service.footerFormat
com.l7tech.server.audit.log.service.detailFormat

com.l7tech.server.audit.admin.saveToInternal
Available as of Version 9.4 CR1. Save Admin Audit Records to the database. Default: true

com.l7tech.server.audit.message.saveToInternal
Available as of Version 9.4 CR1. Save Message Audit Records to the database. Default: true

com.l7tech.server.audit.system.saveToInternal
Available as of Version 9.4 CR1. Save System Audit Records to the database. Default: true

com.l7tech.server.cassandra.consistencyLevel
Available as of Version 9.4 CR1. Sets the default consistency level of the Perform Cassandra Query assertion. Default: ONE

com.l7tech.server.clusterStaleNodeCleanupTimeoutSeconds
Period of time before the Gateway removes inactive nodes. Default: 7776000 (seconds = 3 months)
In environments that use the environment variable.

com.l7tech.server.configDirectory
Directory for Gateway configuration files. Default: <SSG>/node/default/etc/conf

com.l7tech.server.documentDownload.maxSize
Maximum default size (in bytes) of a document download. A value of "0" (zero) indicates unlimited size. Default: 10485760

com.l7tech.server.extension.sharedClusterInfoProvider
Sets the cluster information service used by the Gateway. Value is one of (case sensitive):
  • ssgdb - to use the MySQL-backed implementation (MysqlClusterInfoService)
  • externalhazelcast - to use the external Hazelcast implementation
Default: 'ssgdb'.
If this system property is defined in the environment variable, that value overrides whatever is defined in the system.properties file.
Switching between providers will not migrate existing data to the newly configured provider.

com.l7tech.server.extension.sharedCounterProvider
Sets the cluster information service used by the Gateway. Value is one of (case sensitive):
  • ssgdb - to use the MySQL-backed implementation
  • externalhazelcast - to use the external Hazelcast implementation
Default: 'ssgdb'.
If this system property is defined in the environment variable, that value overrides whatever is defined in the system.properties file.
Switching between providers will not migrate existing data to the newly configured provider.

com.l7tech.server.extension.sharedKeyValueStoreProvider
Name of the shared state provider that is used to retrieve the key value store. Value is one of (case sensitive):
  • embeddedhazelcast - to use the Hazelcast service key value store that is embedded inside the Gateway implementation.
  • externalhazelcast - to use the external Hazelcast key value store implementation.
Default: 'embeddedhazelcast'
If this system property is defined in the environment variable, that value overrides whatever is defined in the system.properties file.
Switching between providers will not migrate existing data to the newly configured provider.

com.l7tech.server.home
Home directory for Gateway files. Default: <SSG>

com.l7tech.server.hostname
Gateway hostname. Default: <OS hostname>

com.l7tech.server.httpPort
HTTP port used by the Gateway. Must update server.xml as well. Default: 8080

com.l7tech.server.httpsPort
HTTPS port used by the Gateway. Must update server.xml as well. Default: 8443

com.l7tech.server.jdbcDriver
Override the default JDBC Driver class setting (as defined in serverconfig.properties, "jdbcConnection.driverClass.whiteList"). Requires a Gateway restart to take effect.

com.l7tech.server.keystore.enablehsm
Indicates whether an internal Hardware Security Module is present. Default: false

com.l7tech.server.ldapTemplatesPath
Path to LDAP templates.

com.l7tech.server.log.console.threshold
Available as of Version 9.4 CR1. Sets the logging threshold level for console logs using Java logging levels. See Logs for the Container Gateway in Docker for more information. Default: INFO

com.l7tech.server.maxLdapSearchResultSize
Maximum number of results in an identity provider search result operation. Default: 50

com.l7tech.server.metrics.fineBinInterval
Time period for fine Service Metrics bins. Default: 5000 (milliseconds)

com.l7tech.server.multicastAddress
Multicast address for the server cluster. Default: randomly created

com.l7tech.server.outConnectTimeout
I/O timeout for outbound connection. Default: 30000 (milliseconds)

com.l7tech.server.outTimeout
I/O timeout for outbound response. Default: 60000 (milliseconds)

com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable
Set to "true" to ensure the Keep-alive option is respected in outbound HTTPS routing when the key is used to avoid SSL traffic. Requires a Gateway restart after changing this property. Default: true
For best effect, also set these other system properties when setting com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable to 'true':
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxConnectionsPerHost=1500
com.l7tech.common.http.prov.apache.CommonsHttpClient.maxTotalConnections=3000
If the Route via HTTP(S) Assertion is configured to "Use HTTP Credentials from Request" (in the Authentication tab) and HTTP Credentials are NOT set to NTLM, then that assertion takes priority over the com.l7tech.server.policy.assertion.ServerHttpRoutingAssertion.statePool.enable system property.

com.l7tech.server.rateLimit
Minimum permissible rate for incoming requests (bytes per second). Default: 1024

com.l7tech.server.rateTimeout
I/O timeout for incoming request rate checking. Default: 60000 (milliseconds)

com.l7tech.server.response.header.server
The server name that you want to appear in the response header. For security reasons, the Gateway does not return the name of the actual web server by default.
To override this system property per listen port:
  1. Select the Advanced tab.
  2. Add the advanced property "server=<value>", where "<value>" is the server name to be returned. For more information, see "Advance Properties" under "Configuring the [Advanced] Tab" in Listen Port Properties.
If neither the com.l7tech.server.response.header.server system property nor the "server" advanced listen port property are present, then the Gateway returns this message:
"server: CA-API-Gateway/<majorVersion>",
where "<majorVersion>" is "9.0" for all version 9.x Gateways, etc. Do not confuse "9.0" with the actual Gateway version 9.0. For more information, refer to this article: https://en.wikipedia.org/wiki/Request_for_Comments

com.l7tech.server.serverID
Numeric server identifier. Default: IP address of Gateway

com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis
Time period between the cleanup of Policy Manager debugger sessions that have been inactive for the com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis period of time. Default: 86460000 (milliseconds; 24 hrs + 1 min)

com.l7tech.server.stepdebug.inactiveSessionTimeoutMillis
Period of time for a Policy Manager debugger session to be inactive before it will be cleaned up at the com.l7tech.server.stepdebug.inactiveSessionCleanIntervalMillis interval. Default: 86400000 (milliseconds; 24 hrs)

com.l7tech.server.timeout
I/O timeout for incoming requests. Default: 60000 (milliseconds)

com.l7tech.server.transport.jms.detectJmsTypes
Auto detect the JMS provider type, if using ActiveMQ or WebLogic. Contact CA Technical Support if connecting to more than one JMS provider.
  • true - Auto detect the JMS type (either queue or topic). If unable to detect the type, the generic JMS connection type is used. (Default)
  • false - Do not auto detect the JMS type; always use the generic JMS connection type.

com.l7tech.server.transport.jms.topicMasterOnly
Specifies if the master node processes the message and executes the policy.
  • true - Only the master node processes the message and executes the policy. (Default)
  • false - Disables using only the master node to execute the policy.

com.l7tech.server.uddi.auto_republish
Republish to UDDI as needed (e.g., when the cluster hostname or port number changes). Default: true

com.l7tech.util.allowDuplicateIdAttrsOnElem
Allow messages with an element that has duplicate ID attributes. Default: true
For greater security, set this property to "false" to reject any message with an element that has more than one attribute recognized as an ID attribute.

policyValidation.maxPaths
The maximum number of possible paths through a policy before the policy is considered to be too complex to attempt server-side validation. Default: 500000

com.l7tech.external.assertions.ssh.enabledKexAlgs
(Available as of version 9.4 CR3) Specifies the ordered CSV list of enabled KEX algorithms. The default list does not include the weak algorithm diffie-hellman-group1-sha1.

tomcat.util.http.parser.HttpParser.requestTargetAllow = {}|<>
Prevents the response processing from failing if the request URL contains "unwise" characters that violate RFC 2396. Only enable the characters you need. Note that you need to escape the backward slash.
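Several properties in this list have one value that weakens a protection the Gateway applies by default: the SSH enableMacMd5 and enableMacNone switches, allowDuplicateIdAttrsOnElem (where the topic recommends false), strictCookieExpiryFormat, validateSSOProfile, an enabledKexAlgs list containing diffie-hellman-group1-sha1, a non-empty requestTargetAllow, and the three saveToInternal audit switches. The script below is an added example, not Layer7 code: it parses a system.properties file using the Java .properties rules (comments, '=' ':' or whitespace separators, backslash line continuations, last duplicate wins) and reports which of those properties, as configured or left unset, sits on the weak side. The check list, the finding texts and the sample file are constructed for this example; only the property names and defaults come from the topic.

```python
# Added example (not Layer7 code): parse a system.properties file and report
# settings that weaken the hardening described in this topic, so the file can
# be checked after an edit or as part of a configuration review.
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# key, then an optional '=' or ':' separator (whitespace alone also separates), then value
_LINE_RE = re.compile(r"^\s*((?:\\.|[^\s=:\\])+)\s*(?:[=:]\s*)?(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text the way java.util.Properties does for the
    cases that matter here: '#'/'!' comments, '=' ':' or whitespace separators,
    backslash line continuations, and later duplicates overriding earlier ones."""
    props: Dict[str, str] = {}
    logical = ""

    def flush(s: str) -> None:
        m = _LINE_RE.match(s)
        if m:
            props[m.group(1)] = m.group(2).rstrip()

    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is ignored, also on continuation lines
        if not logical and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes means the value continues on the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            logical += line[:-1]
            continue
        flush(logical + line)
        logical = ""
    if logical:
        flush(logical)  # file ended on a continuation line
    return props


def _true(v: Optional[str]) -> bool:
    return v is not None and v.strip().lower() == "true"


def _false(v: Optional[str]) -> bool:
    return v is not None and v.strip().lower() == "false"


# (property, predicate on the configured value or None when unset, finding text)
CHECKS: List[Tuple[str, Callable[[Optional[str]], bool], str]] = [
    ("com.l7tech.external.assertions.ssh.server.enableMacMd5", _true,
     "HMAC-MD5 is kept in the SSH MAC algorithm list (the default, false, removes it)"),
    ("com.l7tech.external.assertions.ssh.server.enableMacNone", _true,
     "the 'none' MAC algorithm is kept in the SSH MAC algorithm list (the default, false, removes it)"),
    ("com.l7tech.util.allowDuplicateIdAttrsOnElem", lambda v: not _false(v),
     "duplicate ID attributes are accepted (default true); the topic recommends false for greater security"),
    ("com.l7tech.common.http.strictCookieExpiryFormat", _false,
     "cookies with unrecognized expiry dates are returned to the client instead of rejected"),
    ("com.l7tech.external.assertions.samlpassertion.validateSSOProfile", _false,
     "SAML SSO profile rules are not validated"),
    ("com.l7tech.external.assertions.ssh.enabledKexAlgs",
     lambda v: v is not None and "diffie-hellman-group1-sha1" in v,
     "the weak KEX algorithm diffie-hellman-group1-sha1 is enabled"),
    ("tomcat.util.http.parser.HttpParser.requestTargetAllow",
     lambda v: v is not None and v.strip() != "",
     "'unwise' request-target characters are allowed; keep the list to what is needed"),
]
for _kind in ("admin", "message", "system"):
    CHECKS.append((f"com.l7tech.server.audit.{_kind}.saveToInternal", _false,
                   f"{_kind} audit records are not saved to the database"))


def audit(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (property, finding) pairs for every check that fires."""
    return [(key, msg) for key, fires, msg in CHECKS if fires(props.get(key))]


# Constructed sample (not a real Gateway file); exercises several checks at once.
SAMPLE = """\
# system.properties - constructed sample
com.l7tech.server.httpPort = 8080
com.l7tech.external.assertions.ssh.server.enableMacMd5=true
com.l7tech.common.http.strictCookieExpiryFormat : false
com.l7tech.external.assertions.ssh.enabledKexAlgs = ecdh-sha2-nistp256,\\
    diffie-hellman-group1-sha1
com.l7tech.server.audit.message.saveToInternal = false
"""

if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, msg in audit(parse_properties(text)):
        print(f"{key}: {msg}")
```

Run it with the path to system.properties as the only argument; with no argument it audits the embedded sample, which produces five findings (the unset allowDuplicateIdAttrsOnElem counts, because its default is the permissive value). The checks cover only what this topic documents, so a clean run means no more than that none of these listed properties is set to its weaker value.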