Clean '' File

July 25th, 2023

Here is a clean version of the file for you to use should you need one.

# Copyright (C) 2023 Radix IoT LLC. All rights reserved.

By default if you make changes to the config file Mango will reload its settings

(note: this will not work for all settings)


The port at which Mango Automation will listen for browser connections


The host interface to which Mango Automation will bind and listen for new connections is the special interface that will force a bind to all available interfaces

Should Mango Automation open (if possible) a browser window when it starts up?


Create admin user on first start

Note: DO NOT SET IN or! You can set these properties via environment variables or Java system properties during provisioning.

initialize.admin.create=true initialize.admin.username=admin initialize.admin.password=admin

Web caching settings

disable caching

web.cache.noStore=false web.cache.noStore.resources=false

set max age of cached files in seconds, only if noStore=false

versioned resources are those with ?v=xxx on the query string

web.cache.maxAge=0 web.cache.maxAge.resources=86400 web.cache.maxAge.versionedResources=31536000

#Upload file size limit (bytes) -1 means no limit web.fileUpload.maxSize=250000000 #Maximum number of files allowed in a single request. -1 means no limit web.fileUpload.maxCount=100

Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.

This includes accessing Mango via Cloud Connect module. By default only requests from localhost are trusted.


Set a comma separated list of IP ranges from which to trust Forwarded headers


Default database settings

The path in the db.url is relative to $ (you can also use an absolute path)

db.type=h2 db.url= db.username= db.password= #to compact the database size at shutdown (may take longer but will free up disk space) db.h2.shutdownCompact=false

#General Database Settings db.pool.maxActive=100 db.pool.maxIdle=10

relative to the logs directory configured via paths.logs, leave blank to use the same directory


setting to show query times in the logs as INFO


if set, will only log slow queries, above this threshold in ms. Will be logged at WARN level instead of INFO


#Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)

negative values will force use jdbc driver default

db.fetchSize=-1 #Number of retries for failed transactions before bailing out on error db.transaction.retries=5 #Maximum operands for IN(..) queries, will be batched into groups of this size.

On MySQL this is limited by the max_allowed_packet setting, for H2 this is undefined

MySQL database settings. Your MySQL instance must already be running and configured before this can be used.

#db.type=mysql #db.url= mysql schema name> #db.username=<your mysql username> #db.password=<your mysql password> #db.mysqldump=<location/command for mysqldump executable for backups> #db.mysql=<location/command for mysql executable for restore> #To optionally pass additional arguments to the dump command #db.mysql.extraDumpArgs=--single-transaction,--skip-lock-tables

Options for creating tables on first start

File to restore database from (relative to $), should point to a .sql or .zip file appropriate for the database type


Enable creating createTables.log file


Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting

is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings

Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.

convert.db.type= convert.db.url= convert.db.username=$ convert.db.password=$

#Enable the NoSQL module by default (if it is installed) db.nosql.enabled=true #Set the base path for where the NoSQL data will be stored, relative to $ (you can also use an absolute path) db.nosql.location=databases #Set the folder name of the point value store db.nosql.pointValueStoreName=mangoTSDB #Set the number of files the database can have open at one time db.nosql.maxOpenFiles=500 #Time after which a shard will be closed db.nosql.shardStalePeriod=36000000 #Period to check for stale shards db.nosql.flushInterval=300000 #Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER] db.nosql.shardStreamType=MAPPED_BYTE_BUFFER #Setting to speed up NoSQL queries at the expense of a small increase in disk usage db.nosql.reversible=true #Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE] db.nosql.convert=NONE #Number of concurrent threads to use to convert the database db.nosql.convertThreads=4

Run the corruption scan on startup (only if database is marked dirty)


Disable creating/deleting dirty marker (.drty) files


Only run corruption scan on shards with dirty marker (.drty) files

Note: This option has no effect when db.nosql.disableDirtyFiles=true


scans for and deletes empty directories in the TSDB directory on startup


Configure chunk size for streaming values from and to the TSDB.

Defines a maximum number of point values to read/write into memory.

Increasing this setting may increase performance but will increase memory consumption when querying for point values.


Max number of attempts to lock series/shard while writing synchronously


#Password encryption scheme [BCRYPT, SHA-1, NONE] #Legacy is SHA-1, 2.8+ BCRYPT #security.hashAlgorithm=BCRYPT #security.bcrypt.log2Rounds=10

#Size of in memory cache to hold a role's inheritance list, this represents the

maximum number of roles to keep in the cache at any given time

cache.roles.size=1000 #Cache all users in memory for performance cache.users.enabled=true #Size of in memory cache to hold created Permissions, this represents the

maximum number of roles to keep in the cache at any given time


The location of the Mango Automation store from which to get license files.


Disables upgrading the core or modules, note that this does not prevent unpacking of core/module zip files


SSL/TLS setup

Note: Enabling SSL/TLS also turns on HSTS by default, see the ssl.hsts.enabled setting below

ssl.on=true ssl.port=8443

Configure the key store from which to load X.509 certificate chain and private key.

All key store settings are reloaded dynamically.

If the keystore file does not exist, a temporary self-signed certificate is used instead.

Path to a PKCS #12 or JKS key store, relative to $

By default, use the path to the key store created by the Mango PKI service.


Key store password


Key password (if not set, it is assumed to be the same as the key store password)


Watch the key store file for changes and reload the certificates/keys for SSL/TLS when it changes


#Time socket can be idle before being closed (ms) ssl.socketIdleTimeout=70000

Enable ALPN (Application-Layer Protocol Negotiation) for HTTP/2 support.

Current browsers only support HTTP/2 for SSL/TLS connections.


Configure HSTS (HTTP Strict Transport Security)

Enabled by default when ssl.on=true

Sets the Strict-Transport-Security header, web browsers will always connect using HTTPS when they

see this header and they will cache the result for max-age seconds

ssl.hsts.enabled=true ssl.hsts.maxAge=31536000 ssl.hsts.includeSubDomains=false

System time zone. Leave blank to use default VM time zone.


#Rest API Configuration rest.enabled=true

#Enable to make JSON More readable rest.indentJSON=false #Cross Origin Request Handling rest.cors.enabled=false rest.cors.allowedOrigins= rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE,HEAD rest.cors.allowedHeaders=content-type,x-requested-with,authorization rest.cors.exposedHeaders= rest.cors.allowCredentials=false rest.cors.maxAge=3600

disable browser redirects


Defaults for temporary resource lifetime (Can override via endpoint parameters if supplied)

Default time before the resource is removed after completion

rest.temporaryResource.expirationPeriods=1 rest.temporaryResource.expirationPeriodType=HOURS

Default time that the task is allowed to run for before it is cancelled

rest.temporaryResource.timeoutPeriods=3 rest.temporaryResource.timeoutPeriodType=HOURS

Limits the rate at which an unauthenticated IP address can access the REST API

Defaults to an initial 10 request burst then 2 requests per 1 second thereafter

Limits the rate at which an authenticated user can access the REST API

Disabled by default

Limits the rate at which authentication attempts can occur by an IP address

Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter

rateLimit.authentication.ip.enabled=true rateLimit.authentication.ip.burstQuantity=5 rateLimit.authentication.ip.quanitity=1 rateLimit.authentication.ip.period=1 rateLimit.authentication.ip.periodUnit=MINUTES

Limits the rate at which authentication attempts can occur against a username

Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter

rateLimit.authentication.user.enabled=true rateLimit.authentication.user.burstQuantity=5 rateLimit.authentication.user.quanitity=1 rateLimit.authentication.user.period=1 rateLimit.authentication.user.periodUnit=MINUTES

#For rest API Documentation at /swagger-ui.html swagger.enabled=false #path to api-docs for swagger tools, will be appended to base REST api version URL i.e. /rest/v1/ springfox.documentation.swagger.v2.path=/swagger/v2/api-docs

Require authentication to access Swagger API documentation.

If you set this to false then you can use an authentication token (generated on the Mango Users page) from the swagger UI instead.

To use, enter: Bearer <space> <token value> into the Authorize value input in the swagger ui


#Distributor Settings distributor=IA

#Jetty Thread Pool Tuning

Time a thread must be idle before killing to keep pool size at minimum


Number of threads allowed to be created to handle incoming requests as needed (defaults to 10x number of processors, or 200, whichever is greater)


Number of threads to keep around to handle incoming connections (defaults to max threads, or 8, whichever is lesser)


Number of Requests To queue if all threads are busy (defaults 1280)


Ping timeout for response from browser

web.websocket.pingTimeoutMs=10000 #Time socket can be idle before being closed (ms) web.socketIdleTimeout=70000

Default async request timeout


Enable collection of connection statistics


Enable Jetty JMX support


#Jetty QoS filter settings

Filter enabled setting

web.qos.enabled=false #The maximum number of requests to be serviced at a time. The default is 10. web.qos.maxRequests=10 #The length of time, in milliseconds, to wait while trying to accept a new request. Used when the maxRequests limit is reached. Default is 50 ms web.qos.waitMs=50 #Length of time, in milliseconds, that the request will be suspended if it is not accepted immediately. If set to -1, the container default timeout applies. Default is 30000 ms. web.qos.suspendMs=30000

#Jetty DoS filter settings

Filter enabled setting

web.dos.enabled=false #Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25. web.dos.maxRequestsPerSec=75 #Delay imposed on all requests over the rate limit, before they are considered at all

100ms default, -1 = Reject request, 0 = no delay, any other value is delay in ms

web.dos.delayMs=100 #Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms. web.dos.maxWaitMs=50 #Number of requests over the rate limit able to be considered at once. Default is 5. web.dos.throttledRequests=5 #Length of time, in ms, to async wait for semaphore. Default is 30000. web.dos.throttleMs=30000 #Length of time to let the request run, default is 30000 (Keep above 60s for DWR Long Poll to work in legacy UI) web.dos.maxRequestMs=120000 #Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000. web.dos.maxIdleTrackerMs=30000 #If true, insert the DoSFilter headers into the response. Defaults to true. web.dos.insertHeaders=true #If true, usage rate is tracked by session if a session exists. Defaults to true. web.dos.trackSessions=true #If true and session tracking is not used, then rate is tracked by IP and port (effectively connection). Defaults to false. web.dos.remotePort=false #A comma-separated list of IP addresses that will not be rate limited.

Note: These are actual client IPs when behind a proxy server if you configure web.forwardedHeaders.trustedIpRanges to trust your proxy's IP


#Jetty Low Resource Management (Used to attempt to free resources when under heavy load)


Period in ms to check for a low resource condition, default 10000


In low resource condition all existing connection idle timeouts are set to this value, default 1000


check connectors executors to see if their ThreadPool instances that are low on threads, default true


The maximum memory in bytes that Java is allowed to use before the low resource condition is triggered.

If left empty, the default is 90% of the maximum memory the JVM is configured to use.

Set to 0 to disable the memory usage checks.


The time in milliseconds that a low resource state can persist before the low resource idle timeout is reapplied to all connections, default 5000


If false, new connections are not accepted while in low resources


Maximum number of allowed connections, defaults to 0 (disabled)


Jetty default servlet configuration (init parameters)

See for descriptions

web.defaultServlet.dirAllowed=false web.defaultServlet.maxCacheSize=256000000 web.defaultServlet.maxCachedFileSize=200000000 web.defaultServlet.maxCachedFiles=2048 web.defaultServlet.etags=false

defaults to false for Windows, defaults to true for all other OS



#iFrame Header Control iFrame Header Control 'X-Frame-Options' (case sensitive options)

SAMEORIGIN - Only allow Mango to embed i-frames when the requesting page was loaded from the Mango domain

DENY - Do not allow at all

ANY - Do not even use the header at all

One specific domain name can be supplied so that the header becomes: ALLOW-FROM

#Follow symbolic links when serving files from Jetty

Content Security Policy settings, please see

The reasons for the default policy are outlined below

style-src 'unsafe-inline' - inline styles are used by AngularJS Material for the dynamic theming

script-src 'unsafe-eval' - needed by Fabric.js used in amCharts for drawing on charts, also gives AngularJS a 30% performance boost

connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname

img-src data: - allows for small base64 encoded images to be embedded inline into the html

img-src/script-src - allows for enabling Google analytics (not enabled by default, must be manually enabled by admin via UI Settings page)

img-src/script-src - allows for using the Google maps component

style-src/font-src - allows for using Google fonts in dashboards'self''self' 'unsafe-eval''self' 'unsafe-inline''self' ws: wss:'self' data:'self'

#Regex used to match serial ports so they show up in the menu serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]|rs(232|485)-[0-9]) serial.port.linux.path=/dev/ serial.port.osx.path=/dev/ serial.port.osx.regex=(cu|tty)..* #Number of bytes read events to queue up before discarding serial.port.eventQueueSize=10000 #Rate at which to poll the serial port for new data events in Linux (Windows uses interrupts)

this is only used by the Serial data source all others directly poll the port

serial.port.linux.readPeriods=500 serial.port.linux.readPeriodType=MILLISECONDS

Start data sources in parallel threads (default 1)


Stop data sources in parallel threads (default 1)


Start publishers in parallel threads (default 1)


Stop publishers in parallel threads (default 1)


#Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time) runtime.datasource.pollAbortedLogFrequency=3600000

Start data points in parallel threads (default: number of CPU cores)


Number of data points to start in each thread


Start published points in parallel threads (default: number of CPU cores)


Number of published points to start in each thread


#Report Javascript Execution Times at INFO Level logging

add this to log4j.xml <category name="org.perf4j.TimingLogger"><level value="info"/></category>


#Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?

Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task

runtime.realTimeTimer.defaultTaskQueueSize=0 #When a task queue is full should the waiting tasks be discarded and replaced with the most recent runtime.realTimeTimer.flushTaskQueueOnReject=false #Delay (in ms) to wait to rate limit task rejection log messages so they don't fill up logs and use too much cpu doing it runtime.taskRejectionLogPeriod=10000 #Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run

each count is 1 second. So the default of 60 = 1 minute. Note that the medium and low

timeout happens first and then the remaining time is spent waiting of the high priority tasks.

So by setting both to the same value will result in waiting only as long as that value.

runtime.shutdown.medLowTimeout=60 runtime.shutdown.highTimeout=60

Installation directory of Mango (defaults to working directory, or legacy MA_HOME environment variable)


Base directory for storing variable data (relative to $ unless absolute)

NOTE: All of the following paths are relative to $ unless absolute path is supplied

path to the filestore base directory


path to the module data base directory


path to temporary files base directory (default: Java system property '' e.g. /tmp or C:\Users%username%\AppData\Local\Temp)

If this is set, it will override the '' system property


path to the log files base directory


default path for backups (e.g. configuration backups, SQL backups, NoSQL point value backups)

note: this is the default, some of these locations are configurable via system settings


overrides path, typically for freemarker templates (/ftl) and web overrides (/web)


PID file location (used by

Start options script (used by

HTTP session (authentication) cookie name and domain name settings.

Use the Mango GUID as the session cookie name


name takes precedence over useGuid if set

Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.

If left blank the session cookie can only be used for the domain that you login at.


Persist sessions into the database


Check to see if session should be saved, only saved if session was changed, 0 means always save after every request


Additional advanced session cookie settings #sessionCookie.path=/ #sessionCookie.comment=

Maximum age of the session cookie before it is cleared by the browser. A value of -1 means that it will not expire.

Note: This setting is different from the session expiration period which is configured via the System Settings page

and invalidates inactive sessions in the backend.


Controls the poll period for collecting internal metrics


Controls the poll period for collecting disk usage


Should MA_HOME and each file store directory be monitored individually in addition to the partitions?


monitor SQL database directory size


monitor TSDB (NoSQL) database directory size


enables getting operating system, process, and hardware information via the OSHI native library


These settings are used in the default log4j2.xml file included with Mango. For more control, specify your own

log4j2.xml configuration file using the log4j2.configurationFile property.

logger for messages from Mango

logger for messages from scripts

logger.script.level=trace logger.script.includeLocation=false

root logger, logs all other messages (e.g. messages from libraries used by Mango)

logger.root.level=warn logger.root.includeLocation=true

stdout console appender

appender.stdout.level=trace appender.stdout.pattern=%-5p %d (%C.%M:%L) - %m%n

ma.log file appender

appender.logfile.level=trace appender.logfile.pattern=%-5p %d (%C.%M:%L) - %m%n appender.logfile.size=100MB appender.logfile.delete.age=30d appender.logfile.delete.count=1000 appender.logfile.delete.size=1GB

script log file appender

appender.script.level=trace appender.script.pattern=%-5p %d %c - %m%n appender.script.size=100MB appender.script.delete.age=30d appender.script.delete.count=1000 appender.script.delete.size=1GB

You can configure any log4j2 property here


e.g. path to your own log4j2 configuration file (relative to $ unless absolute}}


Authentication settings

authentication.token.enabled=true authentication.basic.enabled=true authentication.basic.realm=Mango authentication.session.maxSessions=10 authentication.oauth2.enabled=false

OAuth2 client settings

comma separated list of client registration ids to enable


pre-configured providers are Google, Github, Facebook, Okta and OneLogin (see

#oauth2.client.registration..provider=onelogin #oauth2.client.registration..clientId= #oauth2.client.registration..clientSecret= #oauth2.client.registration.onelogin.authorizationUri= #oauth2.client.registration.onelogin.tokenUri= #oauth2.client.registration.onelogin.jwkSetUri= #oauth2.client.registration.onelogin.issuerUri= #oauth2.client.registration.onelogin.userInfoUri=

add provider defaults for OneLogin, to use this provider you will need to configure your registration URIs

oauth2.client.provider.onelogin.userInfoAuthenticationMethod=header oauth2.client.provider.onelogin.clientAuthenticationMethod=basic oauth2.client.provider.onelogin.authorizationGrantType=authorization_code oauth2.client.provider.onelogin.scope=openid,name,profile,groups,email,params,phone oauth2.client.provider.onelogin.clientName=OneLogin oauth2.client.provider.onelogin.userMapping.roles=groups

provider defaults for Google

provider defaults for Github

oauth2.client.provider.github.userMapping.issuer.fixed= oauth2.client.provider.github.userMapping.subject=id oauth2.client.provider.github.userMapping.username=login

provider defaults for Microsoft, to use this provider you will need to configure your registration URIs,profile,email

set default mappings to OpenID Connect claim names, see

issuer and subject are required and should form a unique pair, do not change these unless your OAuth2 provider is not OpenID Connect compliant

oauth2.client.default.userNameAttributeName=sub oauth2.client.default.userMapping.issuer=iss oauth2.client.default.userMapping.subject=sub oauth2.client.default.userMapping.username=preferred_username oauth2.client.default.userMapping.locale=locale oauth2.client.default.userMapping.timezone=zoneinfo

mapping of individual roles can be configured below


enable syncing of roles from identity provider to Mango user


ignore some roles from identity provider (comma separated list)


add prefix to roles from identity provider


add suffix to roles from identity provider


map a role from the identity provider to a different role xid

add additional roles to the user (comma separated list), user role is added implicitly


Public Key Infrastructure (PKI)

All PKI paths are relative to $ unless absolute.

Enable the PKI service


Path for storing and loading the server/client public key (PEM encoded)


Path for storing and loading the server/client private key (PEM encoded PKCS #8)


Path for storing and loading the server/client certificate (PEM encoded X.509)


Subject Alternative Names (SANs) for the certificate (DNS names or IP addresses, comma separated)

The first entry will be used as subject CN. If not set, the DNS names are automatically determined.


Path for storing a PKCS #12 key store, created from the above certificate chain and private key


Password to use for the key store and key password


Period to check PKI certificates for expiration and auto-renew

pki.monitor.checkPeriod=10 minutes

Auto-renew certificates which are expiring soon, if false alarms will still be raised


Renew certificate and/or raise alarms when certificates have less than this amount of time left before expiration.

Can be expressed as an absolute amount of time (e.g. 3 days) or a percentage of total validity (e.g. 25%).

e.g. for a certificate with 1 year validity, 25% means that with 3 months left it would be considered "expiring soon".


Enable the default Mango certificate authority (CA) service

Path for storing and loading the CA public key (PEM encoded)

Path for storing and loading the CA private key (PEM encoded PKCS #8)

Path for storing and loading the CA certificate (PEM encoded X.509)

When creating the root/intermediate CA certificate, how long is it valid for years

When signing a server/client certificate, how long is it valid for (certificates are automatically renewed before expiration) days

Name of Java security provider e.g. BC for Bouncy Castle


Key algorithm e.g. EC (elliptic curve), EdDSA (Edwards-Curve) or RSA



Curve name for EC/EdDSA (e.g. secp256r1, Ed25519) or key size for RSA (e.g. 2048, 4096)



Signature algorithm for certificates, e.g. SHA256withECDSA for EC, Ed25519 for EdDSA or SHA512WithRSA for RSA



Enable gRPC server


gRPC server TCP port


Enable gRPC reflection service


Enable TLS on the gRPC server port


Server X.509 certificate, including full certificate chain. Path to file (PEM encoded).


Server private key. Path to file (PEM encoded).


Root certificates for verification of client certificates (mTLS). If empty the OS/Java default root certificates will be used. Path to file (PEM encoded).


Client authentication options (mTLS): NONE/OPTIONAL/REQUIRE


Client X.509 certificate, including full certificate chain. Path to file (PEM encoded).


Client private key. Path to file (PEM encoded).


Root certificates for verification of the server certificate. If empty the OS/Java default root certificates will be used. Path to file (PEM encoded).


Interval to check for changes to files (used for checking changes to SSL/TLs certificates)

fileWatchService.checkInterval=10 seconds

Copyright © 2023 Radix IoT, LLC.