MTG KMS Crypto API Server System Configuration

Context Path and Port Numbers of the applications

The application includes an embedded Tomcat web server that an Apache web server can reach via the AJP or HTTP protocol. The application has its own AJP and HTTP port numbers and context path, as follows:

Application      Port number   Context path
KMS Crypto API   8807 (AJP)    kms-crypto-api
KMS Crypto API   8607 (HTTP)   kms-crypto-api

These port numbers must be defined in the worker.properties file.
Example for the KMS-Admin application: worker.kms-crypto-api.port=8807

Heap Size

Each application is started with a defined heap size. The heap size is set in a file in the /etc/opt/mtg-kms-crypto-api directory. The following table lists the sizes and the file where the heap size is set for the application.

Application                  File                              Maximum heap size   Initial Java heap size
MTG KMS Crypto API Server    mtg-kms-crypto-api.service.conf   -Xmx512M            -Xms512M

The heap size must be adapted to your requirements by editing mtg-kms-crypto-api.service.conf.

Configuration files

There are always two configuration files: application.properties for the Java application and logback.xml for the log configuration.

During the initial installation, application.properties and logback.xml are pre-set with default values copied from the corresponding configuration templates. All values have to be checked and, if required, changed to their appropriate values.

The default configuration templates are stored in the /etc/opt/<ApplicationName> directory.

After an update installation, the package management may place a newer version of the configuration files beside your existing ones. Always compare your existing configuration files with the new version. If an update requires additional or changed parameters, those have to be added manually to the existing configuration files. Please also check the package release notes for such additional or changed parameters.
Parameters in configuration files are always case-sensitive!

Configuration file of the MTG KMS Crypto API Server

The MTG KMS Crypto API Server is a standalone Java application.

The application’s application.properties is located in:

/etc/opt/mtg-kms-crypto-api/application.properties

The application configuration consists of the following parts.

Server properties

server.address
    The IP address the server listens on. The default value is 127.0.0.1.

server.port
    The HTTP port number. The default value is 8607.

Tomcat properties

tomcat.ajp.enabled
    Whether AJP is enabled. The default value is true.

tomcat.ajp.port
    The AJP port number. The default value is 8807.

tomcat.ajp.maxThreads
    The maximum number of request processing threads to be created, which therefore determines the maximum number of simultaneous requests that can be handled.

tomcat.ajp.minSpareThreads
    The minimum number of threads always kept running.

tomcat.ajp.processorCache
    The protocol handler caches Processor objects to speed up performance. This setting dictates how many of these objects get cached.

tomcat.ajp.secretRequired
    If this attribute is true, the AJP connector will only start if the secret attribute is configured with a non-null, non-zero-length value. The default value is false.

tomcat.ajp.secret
    Only requests from workers with this secret keyword will be accepted. The default value is null. This attribute must be specified with a non-null, non-zero-length value if secretRequired is explicitly configured to be true. Match the secret to the worker.<worker.list.name>.secret defined in the worker.properties file; see [mod_jk configuration].
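The AJP port and secret have to agree between application.properties and the mod_jk worker.properties, and the secret is only enforced when secretRequired is true. The following added example (not part of the MTG KMS distribution) cross-checks both files; the file contents, the worker name kms-crypto-api and the secret value are constructed.

```python
# Added example (not part of the MTG KMS distribution): cross-check the AJP settings in
# application.properties against the mod_jk worker.properties. All file contents are constructed.
# Constructed application.properties with the documented defaults: the AJP secret is not enforced.
WEAK_APP_PROPS = """\
tomcat.ajp.port=8807
tomcat.ajp.secretRequired=false
"""

# Constructed hardened variant: the connector only starts with a secret and only accepts workers presenting it.
HARDENED_APP_PROPS = """\
tomcat.ajp.port=8807
tomcat.ajp.secretRequired=true
tomcat.ajp.secret=example-shared-secret
"""

# Constructed worker.properties; the worker name kms-crypto-api follows the page's example.
WORKER_PROPS = """\
worker.list=kms-crypto-api
worker.kms-crypto-api.port=8807
worker.kms-crypto-api.secret=example-shared-secret
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#'/'!' comments, case-sensitive keys."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ajp(app_text, worker_text, worker="kms-crypto-api"):
    """Return findings; an empty list means port and secret agree and the secret is enforced."""
    app, wk = parse_properties(app_text), parse_properties(worker_text)
    findings = []
    if app.get("tomcat.ajp.enabled", "true") != "true":
        return findings  # AJP disabled: nothing to cross-check
    if app.get("tomcat.ajp.port") != wk.get(f"worker.{worker}.port"):
        findings.append(f"tomcat.ajp.port differs from worker.{worker}.port")
    if app.get("tomcat.ajp.secretRequired", "false") != "true":
        findings.append("tomcat.ajp.secretRequired is not true: workers without a secret are accepted")
    secret = app.get("tomcat.ajp.secret", "")
    if not secret or secret != wk.get(f"worker.{worker}.secret"):
        findings.append(f"tomcat.ajp.secret is empty or differs from worker.{worker}.secret")
    return findings
```

Run check_ajp on the contents of the two real files after every update installation, since new templates may reset these values.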

KMS Server properties

Properties for accessing the KMS Server.

kms.server.serverUrl
    KMS Server KMIP base URL. Example: localhost:8080/kms/kmip

kms.server.trustStoreFile
    The truststore file for the TLS connections. Empty if no TLS is used.

kms.server.trustStorePassword
    The truststore password for the TLS connections.

Keycloak (OpenID) properties

spring.security.oauth2.resourceserver.jwt.issuer-uri
    Keycloak OpenID base URL.

spring.security.oauth2.resourceserver.jwt.jwk-set-uri
    Keycloak public key endpoint that returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK) set.

openid.client.truststore.path
    The location of a keystore file containing the certificates used to verify the TLS connection to Keycloak. This can be used to override the default Java CA truststore.

openid.client.truststore.password
    The password for the truststore. Must be set if openid.client.truststore.path is set.

openid.client.truststore.type
    The format of the truststore (see property openid.client.truststore.path). Valid values are JKS, JCEKS or PKCS12. Must be set if openid.client.truststore.path is set.

openid.client.tls-version
    The version of the TLS protocol to use in the connection to Keycloak. The only valid value is TLSv1.2.

Metrics (OpenSearch) properties

management.elastic.metrics.export.enabled
    If set to true, metrics are sent to an OpenSearch server. It can be left empty.

management.elastic.metrics.export.host
    Specifies the URL where the OpenSearch server can be accessed. It can be left empty.

management.elastic.metrics.export.user-name
    Specifies the user who has access to the OpenSearch server. It can be left empty.

management.elastic.metrics.export.password
    Specifies the password of that OpenSearch user. It can be left empty.

metrics.client.truststore.path
    The location of a keystore file containing the certificates used to verify the TLS connection to the OpenSearch server. This can be used to override the default Java CA truststore.

metrics.client.truststore.password
    The password for the truststore. Must be set if metrics.client.truststore.path is set.

metrics.client.truststore.type
    The format of the truststore (see property metrics.client.truststore.path). Valid values are JKS, JCEKS or PKCS12. Must be set if metrics.client.truststore.path is set.

Apache Configuration

The chapter [chapter-apache-configuration] contains information on the configuration of the Apache httpd-server.

Encryption

For the SSL connection between the MTG KMS components and external software a certificate is required. The configuration of the SSL certificate, with private key and chain, is contained in the apache-config.

Health Endpoint

For checking the MTG KMS Crypto API Server, we provide an endpoint that is accessible via the following URL:

  • <base URL>/actuator/health

An example call would be in the browser:

or with curl:

If the MTG KMS Crypto API Server is reachable, an HTTP response with the status line HTTP/1.1 200 OK and the following JSON body is returned: {"status":"UP","components":{"kms":{"status":"UP"}}}
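A monitoring probe should treat anything other than a 200 response with both the overall status and the kms component reporting UP as a failure, since the kms component is what indicates that the KMIP backend is reachable. The following added example (not part of the MTG KMS distribution) evaluates the health response that way; the sample bodies are constructed, and the base URL is whatever the deployment uses.

```python
# Added example (not part of the MTG KMS distribution): evaluate the /actuator/health
# response the way a monitoring probe would. The sample bodies below are constructed.
import json
import urllib.error
import urllib.request

HEALTH_PATH = "/actuator/health"

# Constructed responses: the documented healthy body, and a body with the KMS backend down.
HEALTHY_BODY = '{"status":"UP","components":{"kms":{"status":"UP"}}}'
KMS_DOWN_BODY = '{"status":"DOWN","components":{"kms":{"status":"DOWN"}}}'


def evaluate_health(status_code, body):
    """Return (healthy, reason). Healthy only when HTTP 200, overall status UP and the
    kms component UP; anything else, including an unparsable body, counts as down."""
    if status_code != 200:
        return False, f"HTTP status {status_code}"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "response body is not JSON"
    if doc.get("status") != "UP":
        return False, f"overall status {doc.get('status')!r}"
    kms = doc.get("components", {}).get("kms", {}).get("status")
    if kms != "UP":
        return False, f"kms component status {kms!r}"
    return True, "UP"


def check_health(base_url, timeout=5):
    """Fetch <base URL>/actuator/health and evaluate it; connection errors count as down."""
    url = base_url.rstrip("/") + HEALTH_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return evaluate_health(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:  # e.g. 503 when a component is DOWN
        return evaluate_health(exc.code, exc.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connection failed: {exc}"
```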