# Configuring services

The types of values used in the description of parameters are:

| Type | Example | Description |
|---|---|---|
| String | "an example" | String value |
| Bool | true, false | Boolean value |
| Int | 42 | Whole number value |
| Port | 22 | Number between 0 and 65535 |
| Range | "5000-5010" | Range of ports |
| Duration | 1 minute, 3 days | Duration with unit of measure |
| Size | 16 MiB, 3 GB | File size with unit of measure |
| ArrPort | [5000, 5002, 5005] | List/Array of port values |
| ArrString | ["a", "b", "c"] | List/Array of string values |
| ArrNET | [ 172.24.0.0/16 ] | List/Array of IP networks |
Each of the ten services that make up the tiCrypt backend has its own configuration file and options. Two of the services require complicated settings and have their own chapters:

`ticrypt-auth`
: See ticrypt-auth

`ticrypt-vm`
: See ticrypt-vm
## Shared Sections

Almost all the services need the following sections. The configuration is virtually identical across services.
### `mongodb` section

All tiCrypt services use MongoDB as the backing database. Each of the ten services has its own database, which can have its own connectivity options. The supported parameters are the same for every service.

| Parameter | Type | Required | Description |
|---|---|---|---|
| database | String | | The name of the MongoDB database |
| hostname | String | | Hostname hosting the MongoDB server |
| port | Port | | Port of MongoDB |
| user | String | | User name for MongoDB |
| password | String | | The password of `user` |

Alternatively, the `uri` parameter can be specified. It has the form:

```
"mongodb://user:password@localhost:27017/${database}"
```

Do not specify both the `uri` parameter and the `hostname`, `port`, `user`, `password` parameters.
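As an added example, not part of the tiCrypt documentation or code, the following Python checks a parsed `mongodb` section against the rule above (the `uri` form and the `hostname`/`port`/`user`/`password` form are mutually exclusive, and `port` must be a valid port number) and assembles the `uri` form from the component parameters with the user name and password percent-encoded. It assumes the HOCON file has already been parsed into a plain dictionary with `${database}` substitutions resolved; the section values are constructed samples.

```python
from urllib.parse import quote

COMPONENT_KEYS = ("hostname", "port", "user", "password")

# Constructed sample sections, not values from a real deployment.
COMPONENT_FORM = {
    "database": "ticrypt-rest",
    "hostname": "localhost",
    "port": 27017,
    "user": "ticrypt",
    "password": "p@ss/word",
}
URI_FORM = {
    "database": "ticrypt-rest",
    "uri": "mongodb://ticrypt:secret@localhost:27017/ticrypt-rest",
}


def validate_mongodb_section(section):
    """Return a list of problems with a `mongodb` section; empty means acceptable.

    Rules from the page: give either `uri` or the hostname/port/user/password
    parameters, never both, and `port` must be a number between 0 and 65535.
    """
    errors = []
    has_uri = "uri" in section
    present = [k for k in COMPONENT_KEYS if k in section]
    if has_uri and present:
        errors.append("uri given together with " + ", ".join(present))
    if not has_uri:
        missing = [k for k in COMPONENT_KEYS if k not in section]
        if missing:
            errors.append("missing " + ", ".join(missing))
    if "database" not in section:
        errors.append("missing database")
    port = section.get("port")
    if port is not None and not (isinstance(port, int) and 0 <= port <= 65535):
        errors.append(f"port {port!r} is not a number between 0 and 65535")
    return errors


def build_mongodb_uri(section):
    """Assemble the uri form shown on the page from the component parameters.

    User name and password are percent-encoded so that characters such as
    '@', ':' or '/' in a password cannot be misread as part of the host or path.
    """
    return "mongodb://{}:{}@{}:{}/{}".format(
        quote(section["user"], safe=""),
        quote(section["password"], safe=""),
        section["hostname"],
        section["port"],
        section["database"],
    )


if __name__ == "__main__":
    for name, section in (("components", COMPONENT_FORM), ("uri", URI_FORM)):
        print(name, validate_mongodb_section(section) or "ok")
    print(build_mongodb_uri(COMPONENT_FORM))
```

The percent-encoding matters in practice: a password containing `@` or `/` pasted literally into the `uri` form produces a string that parses as a different host or database than intended.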
### `ticrypt.auth` section

All the services need to know how to contact `ticrypt.auth`. They all must have the section `ticrypt.auth` in their configuration file with the parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| hostname | String | | Hostname of `ticrypt.auth` |
| port | Port | | Port on which `ticrypt.auth` runs |
### `akka` parameters

The tiCrypt services use the Akka framework to communicate. Two parameters control the Akka communication.

`akka.remote.netty.tcp.hostname`
: Specifies the interface on which to listen. If all the services run on a single server, the value `127.0.0.1` is appropriate.

`akka.remote.netty.tcp.port`
: The port number on which the component listens. Keep the default value for each component, since the defaults are chosen not to collide. It can be changed, but with caution.
## `ticrypt-rest` config

### `ticrypt-rest` section

| Parameter | Type | Required | Description |
|---|---|---|---|
| mongodb | Section | ✅ | See the `mongodb` section |
| http.host | String | | The host to listen on |
| http.port | Port | | The port to listen on |
| allowed-origins | ArrString | | List of origins. Empty means all origins are allowed |
| vm.internal-networks | ArrNET | ✅ | List of internal networks |
| validation.request-json | on, off | ✅ | Turn on JSON request validation? |
| validation.response-json | on, off | ✅ | Turn on JSON response validation? |
| session.search-raw-header | Bool | | Fix for cookie problem |
### `akka.http.server` section

The goal of this section is to specify the Akka parameters controlling the HTTP server.

| Parameter | Type | Required | Description |
|---|---|---|---|
| parsing.max-content-length | Size | | Max content size |
| request-timeout | Duration | | Max duration of a request |
| idle-timeout | Duration | | Max duration of a connection |
| pipelining-limit | Int | | How many requests in parallel? |

`parsing.max-content-length` must be 50% more than the length of a chunk. The default "16 MiB" value is recommended.

`idle-timeout` must be longer than `request-timeout`.
## `ticrypt-file-manager` config

Parameters for the section `ticrypt.filemanager`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| mongodb | Section | ✅ | See the `mongodb` section |
| chunk-size | Size | | Chunk size |
| max-header-size | Int | | Max header size |
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |

There should be no reason to change the `chunk-size` value from 8GB.

`max-header-size` is a dangerous value to change; the default of 64 bytes future-proofs the tiCrypt instance.
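The two constraints stated for the `akka.http.server` section (`idle-timeout` longer than `request-timeout`, and `parsing.max-content-length` at least 50% more than the file-manager `chunk-size`) are easy to get wrong because the values live in different services' files and carry units. The following Python, an added example and not tiCrypt's own code, parses Duration and Size strings in the forms the page uses ("30s", "1 minute", "16 MiB", "8GB") and applies both checks. It assumes the sections have been parsed into dictionaries with dotted keys; the sample values are constructed to illustrate a passing and a failing configuration and are not the page's defaults.

```python
import re

# Unit tables in the HOCON style used by these config files (constructed here).
_DURATION_SECONDS = {
    "ms": 0.001, "millisecond": 0.001, "milliseconds": 0.001,
    "s": 1, "second": 1, "seconds": 1,
    "m": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
_SIZE_BYTES = {
    "b": 1, "byte": 1, "bytes": 1,
    "kb": 1000, "mb": 1000 ** 2, "gb": 1000 ** 3,      # decimal units
    "kib": 1024, "mib": 1024 ** 2, "gib": 1024 ** 3,   # binary units
}
_VALUE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]+)\s*$")


def _split(text, units, kind):
    """Split '16 MiB' into (16.0, 1048576); reject unknown units."""
    m = _VALUE_RE.match(str(text))
    if not m or m.group(2).lower() not in units:
        raise ValueError(f"not a {kind}: {text!r}")
    return float(m.group(1)), units[m.group(2).lower()]


def parse_duration(text):
    """Duration string -> seconds, e.g. '1 minute' -> 60.0, '30s' -> 30.0."""
    n, factor = _split(text, _DURATION_SECONDS, "duration")
    return n * factor


def parse_size(text):
    """Size string -> bytes, e.g. '16 MiB' -> 16777216, '3 GB' -> 3000000000."""
    n, factor = _split(text, _SIZE_BYTES, "size")
    return int(n * factor)


def check_http_server(http_server, chunk_size):
    """Apply the two constraints from the page to an akka.http.server section.

    http_server: dict with the table's keys (dotted key for parsing.max-content-length).
    chunk_size:  the ticrypt-file-manager chunk-size the content-length rule refers to.
    Returns a list of violations, empty when the section is consistent.
    """
    errors = []
    request = parse_duration(http_server["request-timeout"])
    idle = parse_duration(http_server["idle-timeout"])
    if idle <= request:
        errors.append(f"idle-timeout ({idle:g}s) must be longer than "
                      f"request-timeout ({request:g}s)")
    max_len = parse_size(http_server["parsing.max-content-length"])
    needed = int(parse_size(chunk_size) * 1.5)
    if max_len < needed:
        errors.append(f"parsing.max-content-length ({max_len} B) must be at least "
                      f"50% more than chunk-size ({needed} B needed)")
    return errors


# Constructed sample sections, not a real deployment's values.
GOOD_HTTP_SERVER = {
    "parsing.max-content-length": "16 MiB",
    "request-timeout": "1 minute",
    "idle-timeout": "3 minutes",
}
BAD_HTTP_SERVER = {
    "parsing.max-content-length": "8 MiB",
    "request-timeout": "1 minute",
    "idle-timeout": "30s",
}
SAMPLE_CHUNK_SIZE = "8 MiB"

if __name__ == "__main__":
    for name, section in (("good", GOOD_HTTP_SERVER), ("bad", BAD_HTTP_SERVER)):
        print(name, check_http_server(section, SAMPLE_CHUNK_SIZE) or "ok")
```

Durations and sizes are parsed with separate unit tables on purpose: "m" is minutes in a Duration but has no meaning as a Size, so a value pasted into the wrong parameter is rejected rather than silently misread.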
## `ticrypt-storage` config

Parameters for the section `ticrypt.storage`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| path | String | ✅ | Path to the file storage directory |
| idle-time | Duration | | How long to wait on a connection |
| idle-check | Duration | | How often to check on a connection |
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |
## `ticrypt-proxy` config

Parameters for the section `ticrypt.proxy`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| interface | String | ✅ | Interface to listen on |
| ports | ArrPort | ✅ | Ports to use |
| proxy-ttl | Duration | | How long to wait for a connection |
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |

The `interface` parameter is critical: listen only on the domain used for proxying. Listening on anything else exposes the service to attack.

`ports` can specify ranges, e.g. `[ "6000-6010" ]`.

The ports specified by the `ports` parameter must be accessible from the outside. The firewall rules must be coordinated with this option.
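To keep the firewall and the `ports` parameter in step, it helps to expand the configured list (plain ports and "low-high" ranges) into the exact set of ports that must be reachable, and to catch an `interface` value that would listen on every address rather than the proxying domain. The Python below is an added example, not tiCrypt's own code; it assumes the `ticrypt.proxy` section has been parsed into a dictionary, and the sample sections are constructed.

```python
import ipaddress
import re

_RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def expand_ports(values):
    """Expand a `ports` list such as ["6000-6010", 7000] into a sorted list of ports.

    Each entry is an Int or a Range string; every port must lie in 0..65535 and a
    range must not run backwards.
    """
    ports = set()
    for value in values:
        if isinstance(value, int) and not isinstance(value, bool):
            low = high = value
        else:
            m = _RANGE_RE.match(str(value))
            if not m:
                raise ValueError(f"not a port or range: {value!r}")
            low, high = int(m.group(1)), int(m.group(2))
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {value!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def collapse_ranges(ports):
    """Sorted port list -> list of (low, high) runs, the form firewall rules use."""
    runs = []
    for port in ports:
        if runs and runs[-1][1] == port - 1:
            runs[-1] = (runs[-1][0], port)
        else:
            runs.append((port, port))
    return runs


def is_wildcard_interface(interface):
    """True for values that would make the proxy listen on every address."""
    text = str(interface).strip()
    if text in ("", "*"):
        return True
    try:
        return ipaddress.ip_address(text).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        return False  # a hostname or domain, which is what the page asks for


def validate_proxy_section(section):
    """Return (errors, ports) for a ticrypt.proxy section; errors is empty when it is sound."""
    errors = []
    if is_wildcard_interface(section.get("interface", "")):
        errors.append("interface must be the proxying domain, not a wildcard address")
    try:
        ports = expand_ports(section.get("ports", []))
        if not ports:
            errors.append("ports must list at least one port or range")
    except ValueError as exc:
        errors.append(str(exc))
        ports = []
    return errors, ports


# Constructed sample sections, not values from a real deployment.
GOOD_PROXY = {"interface": "proxy.example.org", "ports": ["6000-6010", 7000], "proxy-ttl": "30s"}
BAD_PROXY = {"interface": "0.0.0.0", "ports": ["6010-6000"]}

if __name__ == "__main__":
    errors, ports = validate_proxy_section(GOOD_PROXY)
    print("good:", errors or "ok", "open:", collapse_ranges(ports))
    errors, ports = validate_proxy_section(BAD_PROXY)
    print("bad:", errors)
```

The `(low, high)` runs returned by `collapse_ranges` are what an administrator would compare against the firewall's accept rules for the proxy host; any port in the configuration that is absent from those rules is unreachable, and any rule without a matching configured port is an opening that nothing needs.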
## `ticrypt-logger` config

Parameters for the section `ticrypt.logger`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| drivers | Section | ✅ | See below |
| rotate-log | on, off | | Rotate the logs? |
| rotate-log-frequency | Duration | | How often to rotate? |
| rotate-log-suffix-format | String | | Format of the rotated-log suffix (see the note below) |
| rotate-log-suffix-timezone | String | | Timezone, default UTC |
| max-buffered-lines | Int | | How many lines to buffer? |
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |

For the suffix format, see Joda.org - Time and Date.

The default parameters should be suitable for most situations. The only parameter you should contemplate changing is `max-buffered-lines`, if you notice performance degradation.
### `drivers` section

The goal of this section is to specify how the logs are stored. A typical setup is the following:

```hocon
drivers {
  main-file-logger {
    main = true
    immutable = true
    type = "file"
    log-file = "/var/log/ticrypt/ticrypt-secure-log.log"
  }
  tcp-logger {
    immutable = false
    main = false
    type = "tcp"
    host = "localhost"
    port = 25000
    send-timeout = 30s
    retry-timeout = 5s
  }
}
```

The `main-file-logger` is the master copy of the log and is kept locally. The `tcp-logger` specifies a remote logger that is updated on port `25000` hosted on `localhost`.

The `tcp-logger` is primarily used by tiCrypt Audit.

Changing the `main-file-logger` is problematic, since it might result in a non-functioning system.
## `ticrypt-stats` config

Parameters for the section `ticrypt.stats`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |

## `ticrypt-notifications` config

Parameters for the section `ticrypt.notifications`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |

## `ticrypt-maintainance` config

Parameters for the section `ticrypt.maintainance`:

| Parameter | Type | Required | Description |
|---|---|---|---|
| account-locker | Section | ✅ | See below |
| akka.remote.netty.tcp.hostname | | | See the `akka` parameters |
| akka.remote.netty.tcp.port | | | See the `akka` parameters |

### `account-locker` section

| Parameter | Type | Required | Description |
|---|---|---|---|
| enabled | Bool | | Is the feature enabled? |
| frequency | Duration | | How often to check? |
| time-before-account-old | Duration | | When is the account old? |