Configuring services
The types of values used in the description of parameters are:
| Type | Example | Description |
|---|---|---|
| String | "an example" | String value |
| Bool | true, false | Boolean value |
| Int | 42 | Whole number value |
| Port | 22 | Number between 0 and 65535 |
| Range | "5000-5010" | Range of ports |
| Duration | 1 minute, 3 days | Duration with unit of measure |
| Size | 16 MiB, 3 GB | File size with unit of measure |
| ArrPort | [5000, 5002, 5005] | List/Array of port values |
| ArrString | ["a", "b", "c"] | List/Array of string values |
| ArrNET | [ 172.24.0.0/16 ] | List/Array of IP networks |
Each of the ten services that make up tiCrypt backend has its own configuration file and options. Two of the services require complicated settings, and they have their own chapters:
ticrypt-auth: See ticrypt-authticrypt-vm: See ticrypt-vm
Shared Sections
Almost all the services need the following sections. The configuration is virtually identical across services.
mongodb section
All tiCrypt services use MongoDB as the backing database. Each of the ten services has its own database that can have its unique connectivity options. The supported parameters are the same.
| Parameter | Type | Required | Description |
|---|---|---|---|
database | String | The name of the MongoDB database | |
hostname | String | Hostname hosting the MongoDB server | |
port | Port | Port of MongoDB | |
user | String | User name for MongoDB | |
password | String | The password of user |
Alternatively, the uri parameter can be specified It has the form:
"mongodb://user:password@localhost:27017/${database}"
Do not specify both the uri and the hostname,port,user, password` parameters.
ticrypt.auth section
All the services need to know how to contact ticrypt.auth. They all must have the section ticrypt.auth in their configuration file with the parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
hostname | String | Hostname of ticrypt.auth | |
port | Port | Port on which ticrypt.auth runs |
akka parameters
The tiCrypt services use the AKKA framework to communicate. Two parameters are controlling the AKKA communication.
akka.remote.netty.tcp.hostname
Specifies the interface on which to listen. If all the services run on a single server, the value 127.0.0.1 is appropriate.
akka.remote.netty.tcp.port
This is the port number on which the component listens. Keep the default value for each component since it guarantees non-collision. It can be changed, but with caution.
ticrypt-rest` config
ticrypt-rest section
| Parameter | Type | Required | Description |
|---|---|---|---|
mongodb | Section | ✅ | See mongo-ti |
http.host | String | The host to listen to | |
http.port | Port | The port to listen to | |
allowed-origins | ArrString | List of origins. Empty means all | |
vm.internal-networks | ArrNET | ✅ | List of internal nets. |
validation.request-json | on, off | ✅ | Turn on JSON request validation? |
validation.response-json | on, off | ✅ | Turn on JSON response validation |
session.search-raw-header | Bool | Fix for cookie problem |
akka.http.server section
The goal of this section is to specify AKKA parameters controlling the HTTP server.
| Parameter | Type | Required | Description |
|---|---|---|---|
parsing.max-content-length | Size | Max content size | |
request-timeout | Duration | Max duration of request | |
idle-timeout | Duration | Max duration of connection | |
pipelining-limit | Int | How many request in parallel? |
parsing.max-content-length must be 50% more than the length of a chunk. The default "16 MiB" value is recommended.
idle-timeout must be longer than request-timeout
ticrypt-file-manager config
Parameters for section ticrypt.filemanager
| Parameter | Type | Required | Description |
|---|---|---|---|
mongodb | Section | ✅ | See mongo-ti |
chunk-size | Size | Chunk size | |
max-header-size | Int | Max header size | |
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
There should be no reason to change the chunk-size value from 8GB.
max-header-size is a dangerous value to change—the default of 64 bytes future-proofs the tiCrypt instance.
ticrypt-storage config
Parameters for the section ticrypt.storage:
| Parameter | Type | Required | Description |
|---|---|---|---|
path | String | ✅ | Path to file storage directory |
idle-time | Duration | How long to wait on connection | |
idle-check | Duration | How often to check on connection | |
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
ticrypt-proxy config
Parameters for the section ticrypt.proxy:
| Parameter | Type | Required | Description |
|---|---|---|---|
interface | String | ✅ | Interface to listen on |
ports | ArrPorts | ✅ | Ports to use |
proxy-ttl | Duration | How much to wait for connection | |
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
interface parameter is critical. You must listen only to the domain used for proxying. Failure to do so can open security attacks.
ports can specify ranges. E.g. [ "6000-6010" ]
The ports specified by the ports parameter must be accessible from the outside. The firewall rules must be coordinated with this option.
ticrypt-logger config
Parameters for the section ticrypt.logger:
| Parameter | Type | Required | Description |
|---|---|---|---|
drivers | Section | ✅ | See below |
rotate-log | on, off | Rotate the logs? | |
rotate-log-frequency | Duration | How often? | |
rotate-log-suffix-format | String | Format 1 | |
rotate-log-suffix-timezone | String | Timezone, default UTC | |
max-buffered-lines | Int | How many lines to buffer? | |
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
See the Joda.org - Time and Date.
The default parameters should be suitable for most situations. The only parameter you should contemplate changing is max-buffered-lines if you notice performance degradation.
drivers section
The goal of this section is to specify how the logs are stored. A typical setup is the following:
drivers {
main-file-logger {
main = true
immutable = true
type = "file"
log-file = "/var/log/ticrypt/ticrypt-secure-log.log"
}
tcp-logger {
immutable = false
main = false
type = "tcp"
host = "localhost"
port = 25000
send-timeout = 30s
retry-timeout = 5s
}
}
The main-file-logger is a master copy of the log and is kept locally. The tcp-logger specifies a remote logger that is updated on port 25000 hosted on localhost.
The tcp-logger is primarily used by tiCrypt Audit.
Changing the main-file-logger is problematic since it might result in a non-functioning system.
ticrypt-stats config
Parameters for the section ticrypt.stats:
| Parameter | Type | Required | Description |
|---|---|---|---|
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
ticrypt-notifications config
Parameters for the section ticrypt.notifications:
| Parameter | Type | Required | Description |
|---|---|---|---|
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
ticrypt-maintainance config
Parameters for the section ticrypt.maintainance:
| Parameter | Type | Required | Description |
|---|---|---|---|
account-locker | Section | ✅ | See below |
akka.remote.netty.tcp.hostname | See akka | ||
akka.remote.netty.tcp.port | See akka |
account-locker section
| Parameter | Type | Required | Description |
|---|---|---|---|
enabled | Bool | Is the feature enabled? | |
frequency | Duration | How often to check? | |
time-before-account-old | Duration | When is the account old? |