MTG CMP Configuration

application.properties

Here you will find properties used to configure MTG CMP. The properties are defined in the application.properties file.

Property Required Default Description

Property	Required	Default	Description
server.port	false	8504	Server HTTP port.
clm.url	true	-	Points to the HTTP location where the CLM is running.
clm.apiclient.id	true	-	The provider ID that the RA API Client uses for the connection to the CLM. This can be obtained from the CLM when an API client with a default policy is configured. Example: ffc0d281-f9df-45cd-a30d-1881cd67012a
clm.apiclient.secret	true	-	The secret that the RA API Client uses for the connection to the CLM. This can be obtained from the CLM when an API client with a default policy is configured.
openid.provider.baseUrl	true	-	Points to the HTTP location where the Keycloak server is running.
logging.level.app	false	INFO	Specifies the log level of the log messages which are created directly by the application. This property is only used if the property `logging.file.name` or `logging.file.path` is configured.
logging.level.web	false	WARN	This property sets the log level of the webserver layer.
logging.level.sql	false	WARN	This property sets the log level of the database layer.
logging.config	false	WARN	Specifies the path to a log4j2/logback configuration file. The path can be an exact location or to the current directory. This property cannot be used together with the `logging.file.name` or `logging.file.path` property.
logging.file.path	false	/var/log/mtg/mtg-cmp-server/	Specifies the directory where the application log files are stored. The directory path can be an exact location or relative to the current directory. This property cannot be used together with the `logging.config` or `logging.file.name` property.
logging.level.*	false	-	Specifies the level of the log messages which are created by third party components. It allows very fine granular control of the logging level. See also docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#logging.level . This property is only used if the property `logging.file.name` or `logging.file.path` is configured. Examples: logging.level.sql=DEBUG, logging.level.web=WARN
logging.logback.rollingpolicy.file-name-pattern	false	${LOG_FILE}.%d{yyyy-MM-dd}.%i.gz	The filename pattern used to create log archives. (Copied verbatim from LogRotation.)
logging.logback.rollingpolicy.clean-history-on-start	false	false	If log archive cleanup should occur when the application starts. (Copied verbatim from LogRotation.)
logging.logback.rollingpolicy.max-file-size	false	10MB	The maximum size of log file before it is archived. (Copied verbatim from LogRotation.)
logging.logback.rollingpolicy.total-size-cap	false	0B	The maximum amount of size log archives can take before being deleted. (Copied verbatim from LogRotation.)
logging.logback.rollingpolicy.max-history	false	7	The maximum number of archive log files to keep. (Copied verbatim from LogRotation.)
tomcat.ajp.enable	false	false	If set to true, this property enables the additional embedded tomcat ajp connector that is required by Apache HTTPd.
tomcat.ajp.port	false	8704	Specifies the port for the ajp connector. It is used only if tomcat.ajp.enable is set to true.
tomcat.ajp.secret.required	false	false	If set to true, this property specified that an ajp secret is required by the ajp connector. It is used only if tomcat.ajp.enable is set to true.
tomcat.ajp.secret	false	-	Specifies the ajp secret to be used by the ajp connector. It is used only if tomcat.ajp.enable is set to true.
server.ssl.enabled	false	true	Enables TLS for CMP server
server.ssl.enabled-protocols	false	TLSv1.2	Define SSL enabled protocols
server.ssl.key-store	false	classpath:keystore.p12	Path to the server SSL keystore
server.ssl.key-store-type	false	PKCS12	The format used for the keystore. It could be set to JKS in case it is a JKS file
server.ssl.key-store-password	false	-	The password of the keystore (see parameter server.ssl.key-store).
server.ssl.key-alias	false	-	The alias of the keystore entry used
server.ssl.trust-store	false	-	The location of a truststore file containing trusted certificates that are used to verify all TLS connections that the application is initiating.
server.ssl.trust-store-type	false	JKS	The type of the truststore (see parameter server.ssl.trust-store).
server.ssl.trust-store-password	false	-	Trust store password (see parameter server.ssl.trust-store).
server.ssl.client-auth	false	need	SSL client authentication
clm.client.truststore.path	false	-	The location of a keystore file containing certificates that are used to verify the TLS connection to the RA. It can be left empty.
clm.client.truststore.password	false	-	The password protecting the truststore (see property clm.client.truststore.path). It can be left empty.
clm.client.truststore.type	false	JKS	The format of the truststore (see property clm.client.truststore.path). Valid values are `JKS`, `JCEKS` or `PKCS12`.
clm.client.tls.version	false	TLSv1.2	The version of the TLS protocol to use in the connection to the CLM. Valid values are `TLSv1.2` or `TLSv1.3`. It can be left empty.
clm.client.timeout.seconds	false	120	An integer value specifying the seconds to timeout the connection to the CLM. It can be left empty.
openid.client.truststore.path	false	-	The location of a keystore file containing certificates that are used to verify the TLS connection to the Keycloak server. It can be left empty.
openid.client.truststore.password	false	-	The password protecting the truststore (see property openid.client.truststore.path). It can be left empty.
openid.client.truststore.type	false	JKS	The format of the truststore (see property openid.client.truststore.path). Valid values are `JKS`, `JCEKS` or `PKCS12`. It can be left empty.
openid.client.tls.version	false	TLSv1.2	The version of the TLS protocol to use in the connection to the Keycloak server. Valid values are `TLSv1.2` or `TLSv1.3`. It can be left empty.
openid.client.timeout.seconds	false	120	An integer value specifying the seconds to timeout the connection to Keycloak server. It can be left empty.
clm.client.http.proxy.host	false	-	Specifies the host of the HTTP proxy server for the connection to CLM. It can be left empty.
clm.client.http.proxy.port	false	-	Specifies the port of the HTTP proxy server for the connection to CLM. It can be left empty.
openid.client.http.proxy.host	false	-	Specifies the host of the HTTP proxy server for the connection to the OpenID server. It can be left empty.
openid.client.http.proxy.port	false	-	Specifies the port of the HTTP proxy server for the connection to the OpenID server. It can be left empty.
management.elastic.metrics.export.enabled	false	-	If set to true then metrics are sent to an OpenSearch server. It can be left empty.
management.elastic.metrics.export.host	false	-	Specifies the URL where the OpenSearch server can be accessed. It can be left empty.
management.elastic.metrics.export.user-name	false	-	Specifies the user who has access to the OpenSearch server. It can be left empty.
management.elastic.metrics.export.password	false	-	Specifies the password of the user of the OpenSearch server. It can be left empty.
debug.requests	false	false	If set to true then the incoming requests are written under /tmp/cmpRequests.
cmp.response.verbose.error	false	false	If set to true then the CMP responses contain more verbose information in case of an error.
sender.naming.strategy	false	subject	If set to `subject` the subjectDN of the CMP signer certificate is used in the sender field of the response. If set to `issuer` the issuerDN of the CMP signer certificate is used in the sender field of the response. If set to `recipient` the recipient field of the CMP client request is used in the sender field of the response.
cmp.confirm.wait.time	false	0	Specifies the time in seconds the server intends to wait for the certificate confirmation before revoking the certificate and deleting the transaction. See also Section of 5.1.1.2. of RFC4210. If the value is not set or it is set to zero (0) or less then the server waits for three days.

server.port

false

8504

Server HTTP port.

clm.url

true

Points to the HTTP location where the CLM is running.

clm.apiclient.id

true

The provider ID that the RA API Client uses for the connection to the CLM. This can be obtained from the CLM when an API client with a default policy is configured.

Example: ffc0d281-f9df-45cd-a30d-1881cd67012a

clm.apiclient.secret

true

The secret that the RA API Client uses for the connection to the CLM. This can be obtained from the CLM when an API client with a default policy is configured.

openid.provider.baseUrl

true

Points to the HTTP location where the Keycloak server is running.

logging.level.app

false

INFO

Specifies the log level of the log messages which are created directly by the application. This property is only used if the property logging.file.name or logging.file.path is configured.

logging.level.web

false

WARN

This property sets the log level of the webserver layer.

logging.level.sql

false

WARN

This property sets the log level of the database layer.

logging.config

false

WARN

Specifies the path to a log4j2/logback configuration file. The path can be an exact location or to the current directory. This property cannot be used together with the logging.file.name or logging.file.path property.

logging.file.path

false

/var/log/mtg/mtg-cmp-server/

Specifies the directory where the application log files are stored. The directory path can be an exact location or relative to the current directory. This property cannot be used together with the logging.config or logging.file.name property.

logging.level.*

false

Specifies the level of the log messages which are created by third party components. It allows very fine granular control of the logging level. See also docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#logging.level . This property is only used if the property logging.file.name or logging.file.path is configured.

Examples: logging.level.sql=DEBUG, logging.level.web=WARN

logging.logback.rollingpolicy.file-name-pattern

false

${LOG_FILE}.%d{yyyy-MM-dd}.%i.gz

The filename pattern used to create log archives. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.clean-history-on-start

false

If log archive cleanup should occur when the application starts. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.max-file-size

false

10MB

The maximum size of log file before it is archived. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.total-size-cap

false

The maximum amount of size log archives can take before being deleted. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.max-history

false

The maximum number of archive log files to keep. (Copied verbatim from LogRotation.)

tomcat.ajp.enable

false

If set to true, this property enables the additional embedded tomcat ajp connector that is required by Apache HTTPd.

tomcat.ajp.port

false

8704

Specifies the port for the ajp connector. It is used only if tomcat.ajp.enable is set to true.

tomcat.ajp.secret.required

false

If set to true, this property specified that an ajp secret is required by the ajp connector. It is used only if tomcat.ajp.enable is set to true.

tomcat.ajp.secret

false

Specifies the ajp secret to be used by the ajp connector. It is used only if tomcat.ajp.enable is set to true.

server.ssl.enabled

false

true

Enables TLS for CMP server

server.ssl.enabled-protocols

false

TLSv1.2

Define SSL enabled protocols

server.ssl.key-store

false

classpath:keystore.p12

Path to the server SSL keystore

server.ssl.key-store-type

false

PKCS12

The format used for the keystore. It could be set to JKS in case it is a JKS file

server.ssl.key-store-password

false

The password of the keystore (see parameter server.ssl.key-store).

server.ssl.key-alias

false

The alias of the keystore entry used

server.ssl.trust-store

false

The location of a truststore file containing trusted certificates that are used to verify all TLS connections that the application is initiating.

server.ssl.trust-store-type

false

JKS

The type of the truststore (see parameter server.ssl.trust-store).

server.ssl.trust-store-password

false

Trust store password (see parameter server.ssl.trust-store).

server.ssl.client-auth

false

need

SSL client authentication

clm.client.truststore.path

false

The location of a keystore file containing certificates that are used to verify the TLS connection to the RA. It can be left empty.

clm.client.truststore.password

false

The password protecting the truststore (see property clm.client.truststore.path). It can be left empty.

clm.client.truststore.type

false

JKS

The format of the truststore (see property clm.client.truststore.path). Valid values are JKS, JCEKS or PKCS12.

clm.client.tls.version

false

TLSv1.2

The version of the TLS protocol to use in the connection to the CLM. Valid values are TLSv1.2 or TLSv1.3. It can be left empty.

clm.client.timeout.seconds

false

120

An integer value specifying the seconds to timeout the connection to the CLM. It can be left empty.

openid.client.truststore.path

false

The location of a keystore file containing certificates that are used to verify the TLS connection to the Keycloak server. It can be left empty.

openid.client.truststore.password

false

The password protecting the truststore (see property openid.client.truststore.path). It can be left empty.

openid.client.truststore.type

false

JKS

The format of the truststore (see property openid.client.truststore.path). Valid values are JKS, JCEKS or PKCS12. It can be left empty.

openid.client.tls.version

false

TLSv1.2

The version of the TLS protocol to use in the connection to the Keycloak server. Valid values are TLSv1.2 or TLSv1.3. It can be left empty.

openid.client.timeout.seconds

false

120

An integer value specifying the seconds to timeout the connection to Keycloak server. It can be left empty.

clm.client.http.proxy.host

false

Specifies the host of the HTTP proxy server for the connection to CLM. It can be left empty.

clm.client.http.proxy.port

false

Specifies the port of the HTTP proxy server for the connection to CLM. It can be left empty.

openid.client.http.proxy.host

false

Specifies the host of the HTTP proxy server for the connection to the OpenID server. It can be left empty.

openid.client.http.proxy.port

false

Specifies the port of the HTTP proxy server for the connection to the OpenID server. It can be left empty.

management.elastic.metrics.export.enabled

false

If set to true then metrics are sent to an OpenSearch server. It can be left empty.

management.elastic.metrics.export.host

false

Specifies the URL where the OpenSearch server can be accessed. It can be left empty.

management.elastic.metrics.export.user-name

false

Specifies the user who has access to the OpenSearch server. It can be left empty.

management.elastic.metrics.export.password

false

Specifies the password of the user of the OpenSearch server. It can be left empty.

debug.requests

false

If set to true then the incoming requests are written under /tmp/cmpRequests.

cmp.response.verbose.error

false

If set to true then the CMP responses contain more verbose information in case of an error.

sender.naming.strategy

false

subject

If set to subject the subjectDN of the CMP signer certificate is used in the sender field of the response. If set to issuer the issuerDN of the CMP signer certificate is used in the sender field of the response. If set to recipient the recipient field of the CMP client request is used in the sender field of the response.

cmp.confirm.wait.time

false

Specifies the time in seconds the server intends to wait for the certificate confirmation before revoking the certificate and deleting the transaction. See also Section of 5.1.1.2. of RFC4210. If the value is not set or it is set to zero (0) or less then the server waits for three days.

Additional properties that can be configured can be found here: docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html