MTG KMS-TTLV-Proxy System configuration
Heap Size
Each application is started with a defined heap size. The heap size is set in a file in the /etc/opt/mtg-kms-ttlv-proxy directory.
The following table lists the file in which the heap size is set for the application and the configured values.
Application | File | Maximum Java heap size | Initial Java heap size
---|---|---|---
MTG KMS-TTLV-Proxy | mtg-kms-ttlv-proxy.service.conf | -Xmx512M | -Xms512M
The heap size must be adapted to your requirements.
Configuration files
There are always two configuration files: application.properties for the Java application and logback.xml for the log configuration.
During the initial installation, application.properties and logback.xml are pre-set with default values copied from the corresponding configuration templates.
All values must be checked and if required, changed to their appropriate values.
The default configuration templates are stored in the /etc/opt/<ApplicationName> directory.
After an update installation, the package management may place a newer version of the configuration files beside your existing ones. Always compare your existing configuration files with the new default versions. If an update requires additional or changed parameters, these have to be added manually to the existing configuration files. Please also check the package release notes for such additional or changed parameters.
Parameters in configuration files are always case-sensitive.
Configuration file of the MTG KMS-TTLV-Proxy
The MTG KMS-TTLV-Proxy is a standalone Java-Application.
The application's application.properties is located in:
/etc/opt/mtg-kms-ttlv-proxy/application.properties
The application configuration consists of the following parts:
Netty properties
Properties for incoming client connections.
netty.port=5696 (1)
netty.boss-count=1 (2)
netty.worker-count= (3)
netty.backlog=128 (4)
netty.close-after-one-request=false (5)
1 | The port on which the application listens for incoming client connections. 5696 is the default port for handling TTLV messages. |
2 | The number of threads accepting incoming connections, default is 1. |
3 | The number of threads handling the data transfer of client connections. The default for this property is the number of available cores which the application reads itself from the Java VM. With this parameter the automatically read number of cores can be overridden. |
4 | The size of the queue for incoming connections not yet accepted, default is 128. |
5 | If true, a client connection will be closed after the response for one TTLV request message has been sent, the default is false. |
Netty SSL properties
Properties to secure incoming client connections. If not set, incoming connections will not be secured by TLS.
netty.ssl.enabled=false (1)
netty.ssl.use-insecure-trust-manager=false (2)
1 | If false, incoming connections will not be secured by TLS. |
2 | If true, all client certificates will be accepted during client authentication. In this case no truststore is needed. |
Netty SSL Keystore properties
Properties for the keystore containing the certificate chain including the server certificate and the respective private key. Must be set if SSL is enabled.
netty.ssl.keystore.path= (1)
netty.ssl.keystore.type=JKS (2)
netty.ssl.keystore.password= (3)
netty.ssl.keystore.key-password= (4)
1 | The path of the keystore file (this path includes the filename). |
2 | The type of the keystore file, JKS or PKCS12. |
3 | The password of the keystore file. |
4 | The password of the private key in the keystore file. By default, the password of the keystore file will be used. |
Netty SSL Truststore properties
Properties for the truststore for client authentication containing at least one root certificate.
If not set and use-insecure-trust-manager is false, the default truststore will be used for client authentication.
netty.ssl.truststore.path= (1)
netty.ssl.truststore.type=JKS (2)
netty.ssl.truststore.password= (3)
1 | The path of the truststore file (this includes the filename). |
2 | The type of the truststore file, JKS or PKCS12. |
3 | The password of the truststore file. Must be set if path is set and if use-insecure-trust-manager is false. |
KMS properties
Properties to get access to the KMS-Server.
kms.host= (1)
kms.port=8601 (2)
1 | The host on which the KMS-Server application is running. |
2 | The port of the KMS-Server application on the host specified above. Must be greater than 0. |
With localhost and HTTP communication the default port number is 8601; when using TLS, a valid hostname and the corresponding port number (normally 443) must be set, see also Communication Security. |
KMS Proxy properties (optional)
Properties for the proxy to be used to connect to the KMS-Server on the host specified above. If not set, no proxy will be used.
kms.proxy.host= (1)
kms.proxy.port=3128 (2)
1 | The proxy host. If not set, no proxy will be used. |
2 | The proxy port. Must be greater than 0. |
KMS Timeout properties
Properties for the timeouts for making HTTP requests to the KMS-Server. All values must be greater than or equal to 0. If not set, the default values will be used.
kms.timeouts.connect=10s (1)
kms.timeouts.response=30s (2)
kms.timeouts.read=30s (3)
kms.timeouts.write=30s (4)
1 | The timeout for connecting to the KMS-Server, default 10 seconds (resolution: milliseconds). The value can be specified using a chrono unit, e.g. 10500ms. The default chrono unit is s (seconds). See Chrono units for supported chrono units. |
2 | Specifies the maximum duration allowed between each network-level read operation while reading an HTTP response, default 30 seconds (resolution: milliseconds). The value can be specified using a chrono unit. The default chrono unit is s (seconds). |
3 | An exception is thrown when no data was read within the specified period of time, default 30 seconds (resolution: milliseconds). The value can be specified using a chrono unit. The default chrono unit is s (seconds). |
4 | An exception is thrown when a write operation cannot finish in the specified period of time, default 10 seconds (resolution: milliseconds). The value can be specified using a chrono unit. The default chrono unit is s (seconds). |
KMS SSL properties
The SSL properties for connections to the KMS-Server. If not set, connections to the KMS-Server will not be secured by TLS.
kms.ssl.enabled=false (1)
kms.ssl.use-insecure-trust-manager=false (2)
1 | If false, connections to the KMS-Server will not be secured by TLS. |
2 | If true, all server certificates will be trusted and no hostname verification will be done. In this case no truststore is needed. |
KMS SSL Truststore properties
Properties for the truststore containing at least the root certificate.
If not set and use-insecure-trust-manager is false, the default truststore will be used.
If you want to trust a self-signed certificate, add it to the truststore.
kms.ssl.truststore.path= (1)
kms.ssl.truststore.type=JKS (2)
kms.ssl.truststore.password=false (3)
1 | The path of the truststore file (this path includes the filename). |
2 | The type of the truststore file, JKS or PKCS12. |
3 | The password of the truststore file. Must be set if path is set and kms.ssl.use-insecure-trust-manager is false. |
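The Netty SSL, KMS SSL and KMS timeout sections above describe several settings whose interaction decides whether client and KMS-Server traffic is actually protected (TLS disabled, `use-insecure-trust-manager` set to true, a truststore path without a password, an unparsable timeout). The following script is an added example, not part of the MTG product, that reads an application.properties file and reports such combinations before the proxy is started. The property names are those from this reference; the sample file content is constructed, and the set of chrono units (ms, s, m) is an assumption, since the supported units are documented elsewhere.

```python
"""Audit a KMS-TTLV-Proxy application.properties for weak or inconsistent
TLS and timeout settings. Added example; not part of the product."""
import re
from typing import Dict, List

# Constructed sample: roughly what an operator might have after a first
# install, with a few deliberately questionable values.
SAMPLE_PROPERTIES = """
# incoming client connections
netty.port=5696
netty.ssl.enabled=true
netty.ssl.use-insecure-trust-manager=true
netty.ssl.keystore.path=/etc/opt/mtg-kms-ttlv-proxy/server.p12
netty.ssl.keystore.type=PKCS12
netty.ssl.keystore.password=changeit
# backend
kms.host=kms.example.internal
kms.port=443
kms.ssl.enabled=false
kms.timeouts.connect=10500ms
kms.timeouts.read=30
kms.timeouts.write=1h
"""

# Assumed chrono units and their size in milliseconds (the reference only
# documents "ms" and the default "s"; "m" is an assumption for illustration).
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000}

TIMEOUT_KEYS = ("kms.timeouts.connect", "kms.timeouts.response",
                "kms.timeouts.read", "kms.timeouts.write")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: key=value lines, '#'/'!' comments.
    Keys are kept case-sensitive, as the reference requires."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_duration_ms(value: str) -> int:
    """Parse a timeout such as '10s' or '10500ms'; a bare number means seconds."""
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    num, unit = int(m.group(1)), m.group(2) or "s"
    if unit not in _UNIT_MS:
        raise ValueError(f"unsupported chrono unit: {unit!r}")
    return num * _UNIT_MS[unit]


def is_true(props: Dict[str, str], key: str) -> bool:
    """All boolean properties in the reference default to false."""
    return props.get(key, "false").lower() == "true"


def audit(props: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue."""
    findings: List[str] = []

    # Client-facing TTLV listener.
    if not is_true(props, "netty.ssl.enabled"):
        findings.append("netty.ssl.enabled is false: clients connect without TLS")
    else:
        if not props.get("netty.ssl.keystore.path"):
            findings.append("netty.ssl.keystore.path must be set when netty.ssl.enabled=true")
        if is_true(props, "netty.ssl.use-insecure-trust-manager"):
            findings.append("netty.ssl.use-insecure-trust-manager=true: every client certificate is accepted")
        elif props.get("netty.ssl.truststore.path") and not props.get("netty.ssl.truststore.password"):
            findings.append("netty.ssl.truststore.password must be set when a truststore path is set")

    # Connection to the KMS-Server.
    host = props.get("kms.host", "")
    if not host:
        findings.append("kms.host is not set")
    if not is_true(props, "kms.ssl.enabled") and host not in ("localhost", "127.0.0.1", "::1"):
        findings.append(f"kms.ssl.enabled is false but kms.host={host!r} is remote: KMS traffic is unencrypted")
    if is_true(props, "kms.ssl.enabled") and is_true(props, "kms.ssl.use-insecure-trust-manager"):
        findings.append("kms.ssl.use-insecure-trust-manager=true: KMS certificate and hostname are not verified")
    for key in ("netty.port", "kms.port", "kms.proxy.port"):
        if key in props and not (props[key].isdigit() and int(props[key]) > 0):
            findings.append(f"{key} must be a number greater than 0")

    # Timeout syntax.
    for key in TIMEOUT_KEYS:
        if key in props:
            try:
                parse_duration_ms(props[key])
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```

Run against the constructed sample, the audit reports the accepted-everything client trust manager, the clear-text connection to a remote KMS-Server, and the unparsable `1h` write timeout; the bare `30` read timeout is accepted as 30 seconds, matching the reference's default unit.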
Metrics (OpenSearch) properties
Name | Description
---|---
 | If set to true, metrics are sent to an OpenSearch server. It can be left empty.
 | Specifies the URL where the OpenSearch server can be accessed. It can be left empty.
 | Specifies the user who has access to the OpenSearch server. It can be left empty.
 | Specifies the password of the user of the OpenSearch server. It can be left empty.
 | The location of a keystore file containing certificates that are used to verify the TLS connection to the OpenSearch server. This can be used to override the default Java CA truststore.
 | The password for the truststore. Must be set if metrics.client.truststore.path is set.
 | The format of the truststore (see property