Here is a clean version of the mango.properties file for you to use should you need one.
#
# Copyright (C) 2023 Radix IoT LLC. All rights reserved.
#
# By default, if you make changes to the config file Mango will reload its settings
# (note: this does not work for all settings)
properties.reloading=true
# The port at which Mango Automation will listen for browser connections
web.port=8080
# The host interface to which Mango Automation will bind and listen for new connections
# 0.0.0.0 is the special address that forces a bind to all available interfaces, including any public-facing ones;
# bind to a specific address or firewall the port if the host is not dedicated to Mango
web.host=0.0.0.0
# Should Mango Automation open (if possible) a browser window when it starts up?
web.openBrowserOnStartup=true
# Create admin user on first start
# Note: DO NOT SET IN mango.properties or env.properties! You can set these properties via environment variables or Java system properties during provisioning.
# The values shown create an "admin" account with the password "admin" on first start; at minimum, override the password at provisioning time.
initialize.admin.create=true
initialize.admin.username=admin
initialize.admin.password=admin
initialize.admin.email=admin@localhost
# Web caching settings
# disable caching
web.cache.noStore=false
web.cache.noStore.rest=true
web.cache.noStore.resources=false
# set max age of cached files in seconds, only applies if noStore=false
# versioned resources are those with ?v=xxx on the query string
web.cache.maxAge=0
web.cache.maxAge.rest=0
web.cache.maxAge.resources=86400
web.cache.maxAge.versionedResources=31536000
#Upload file size limit (bytes) -1 means no limit
web.fileUpload.maxSize=250000000
#Maximum number of files allowed in a single request. -1 means no limit
web.fileUpload.maxCount=100
# Set this to true if you are running Mango behind a reverse proxy that sends "Forwarded" or "X-Forwarded-*" headers.
# This includes accessing Mango via the Cloud Connect module. By default only requests from localhost are trusted.
web.forwardedHeaders.enabled=true
# Set a comma separated list of IP ranges from which to trust Forwarded headers.
# Only list your proxies: anything in these ranges can set the client address Mango sees (see web.dos.ipWhitelist below).
web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1
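The trust decision behind the two settings above, as an added example (not code from the Mango file or code base): X-Forwarded-For is only believed when forwarded-header handling is on and the TCP peer falls inside web.forwardedHeaders.trustedIpRanges, and hops are then read from the right so that an address the client itself prepended is never used. The walk-from-the-right rule is the standard way to apply a trusted-proxy list and is assumed here; the header values and peer addresses are constructed for the demonstration.

```python
"""Resolve the client address behind a reverse proxy from the
web.forwardedHeaders.* settings (added example, not Mango's code)."""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The page's default value: trust only loopback
DEFAULT_TRUSTED = "127.0.0.0/8,::1"


def parse_trusted_ranges(value: str) -> List[Network]:
    """'127.0.0.0/8,::1' -> network objects (bare addresses become /32 or /128)."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def is_trusted(address: str, trusted: List[Network]) -> bool:
    ip = ipaddress.ip_address(address)  # raises ValueError on garbage
    return any(ip in net for net in trusted)


def resolve_client_ip(peer: str, headers: Dict[str, str], enabled: bool,
                      trusted: List[Network]) -> str:
    """Address to use for IP based rate limiting and whitelisting.

    X-Forwarded-For is honoured only when forwarded-header handling is on AND
    the TCP peer is a trusted proxy; a client talking to Mango directly can put
    anything in that header, so it is ignored then. Hops are read from the
    right, skipping our own proxies; the first untrusted hop is the client, so
    an address the client prepended itself (leftmost) is never believed."""
    if not enabled or not is_trusted(peer, trusted):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer  # malformed hop: fall back to the connection address
    return hops[0] if hops else peer  # every listed hop was one of our proxies


if __name__ == "__main__":
    trusted = parse_trusted_ranges(DEFAULT_TRUSTED)
    # constructed: the client spoofed 1.2.3.4, the loopback proxy appended the real address
    print(resolve_client_ip("127.0.0.1", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"}, True, trusted))
```

If you widen trustedIpRanges to a whole subnet, every host in it can impersonate any client address toward the IP rate limiters; list only the proxy addresses.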
# Default database settings
# The path in the db.url is relative to ${paths.data} (you can also use an absolute path)
db.type=h2
db.url=jdbc:h2:databases/mah2
db.username=
db.password=
#to compact the database size at shutdown (may take longer but will free up disk space)
db.h2.shutdownCompact=false
#General Database Settings
db.pool.maxActive=100
db.pool.maxIdle=10
# relative to the logs directory configured via paths.logs, leave blank to use the same directory
db.update.log.dir=
# setting to show query times in the logs at INFO level
db.useMetrics=false
# if set, only slow queries above this threshold (in ms) are logged, at WARN level instead of INFO
db.metricsThreshold=100
#Tell the jdbc driver to fetch this many rows at a time, useful over network connected dbs (Not MySQL)
# negative values force the JDBC driver default
db.fetchSize=-1
#Number of retries for failed transactions before bailing out on error
db.transaction.retries=5
#Maximum operands for IN(..) queries, will be batched into groups of this size.
# On MySQL this is limited by the max_allowed_packet setting, for H2 this is undefined
db.in.maxOperands=1000
# MySQL database settings. Your MySQL instance must already be running and configured before this can be used.
# Prefer supplying db.password via an environment variable or Java system property at provisioning time rather than storing it in this file.
#db.type=mysql
#db.url=jdbc:mysql://localhost/<your mysql schema name>
#db.username=<your mysql username>
#db.password=<your mysql password>
#db.mysqldump=<location/command for mysqldump executable for backups>
#db.mysql=<location/command for mysql executable for restore>
#To optionally pass additional arguments to the dump command
#db.mysql.extraDumpArgs=--single-transaction,--skip-lock-tables
# Options for creating tables on first start
# File to restore database from (relative to ${paths.data}), should point to a .sql or .zip file appropriate for the database type
#db.createTables.restoreFrom=
# Enable creating createTables.log file
db.createTables.createLogFile=true
# Database settings for conversion. If the db.* settings point to a new database instance, and the convert type setting
# is set, Mango Automation will attempt to convert from the convert.db.* settings to the db.* settings
# Note that database conversions should not be performed in the same step as an upgrade. First upgrade, then convert.
convert.db.type=
convert.db.url=
convert.db.username=${db.username}
convert.db.password=${db.password}
#Enable the NoSQL module by default (if it is installed)
db.nosql.enabled=true
#Set the base path for where the NoSQL data will be stored, relative to ${paths.data} (you can also use an absolute path)
db.nosql.location=databases
#Set the folder name of the point value store
db.nosql.pointValueStoreName=mangoTSDB
#Set the number of files the database can have open at one time
db.nosql.maxOpenFiles=500
#Time after which a shard will be closed
db.nosql.shardStalePeriod=36000000
#Period to check for stale shards
db.nosql.flushInterval=300000
#Query Performance Tuning, File Access Type: Available[INPUT_STREAM,FILE_CHANNEL,RANDOM_ACCESS_FILE,MAPPED_BYTE_BUFFER]
db.nosql.shardStreamType=MAPPED_BYTE_BUFFER
#Setting to speed up NoSQL queries at the expense of a small increase in disk usage
db.nosql.reversible=true
#Setting this will convert your existing point value store [NONE, REVERSIBLE, UNREVERSIBLE]
db.nosql.convert=NONE
#Number of concurrent threads to use to convert the database
db.nosql.convertThreads=4
# Run the corruption scan on startup (only if database is marked dirty)
db.nosql.runCorruptionScan=false
# Disable creating/deleting dirty marker (.drty) files
db.nosql.disableDirtyFiles=true
# Only run corruption scan on shards with dirty marker (.drty) files
# Note: This option has no effect when db.nosql.disableDirtyFiles=true
db.nosql.onlyScanDirty=true
# scans for and deletes empty directories in the TSDB directory on startup
db.nosql.deleteEmptyDirsAtStartup=true
# Configure chunk size for streaming values from and to the TSDB.
# Defines a maximum number of point values to read/write into memory.
# Increasing this setting may increase performance but will increase memory consumption when querying for point values.
#db.nosql.chunkSize=16384
# Max number of attempts to lock series/shard while writing synchronously
#db.nosql.maxLockAttempts=10
#Password hashing scheme [BCRYPT, SHA-1, NONE]
#Legacy is SHA-1, 2.8+ BCRYPT. Leave this at BCRYPT: SHA-1 is a legacy fast hash and NONE stores passwords unhashed.
#security.hashAlgorithm=BCRYPT
#security.bcrypt.log2Rounds=10
#Size of in memory cache to hold a role's inheritance list, this represents the
# maximum number of roles to keep in the cache at any given time
cache.roles.size=1000
#Cache all users in memory for performance
cache.users.enabled=true
#Size of in memory cache to hold created Permissions, this represents the
# maximum number of permissions to keep in the cache at any given time
cache.permission.size=1000
# The location of the Mango Automation store from which to get license files.
store.url=https://store.mango-os.com
# Disables upgrading the core or modules, note that this does not prevent unpacking of core/module zip files
store.disableUpgrades=false
# SSL/TLS setup
# Note: Enabling SSL/TLS also turns on HSTS by default, see the ssl.hsts.enabled setting below
ssl.on=true
ssl.port=8443
# Configure the key store from which to load the X.509 certificate chain and private key.
# All key store settings are reloaded dynamically.
# If the keystore file does not exist, a temporary self-signed certificate is used instead.
# Path to a PKCS #12 or JKS key store, relative to ${paths.data}
# By default, use the path to the key store created by the Mango PKI service.
ssl.keystore.location=${pki.keyStore}
# Key store password (references pki.keyStorePassword below, whose shipped value is a placeholder)
ssl.keystore.password=${pki.keyStorePassword}
# Key password (if not set, it is assumed to be the same as the key store password)
#ssl.key.password=
# Watch the key store file for changes and reload the certificates/keys for SSL/TLS when it changes
ssl.keystore.watchFile=true
#Time socket can be idle before being closed (ms)
ssl.socketIdleTimeout=70000
# Enable ALPN (Application-Layer Protocol Negotiation) for HTTP/2 support.
# Current browsers only support HTTP/2 over SSL/TLS connections.
ssl.alpn.on=true
# Configure HSTS (HTTP Strict Transport Security)
# Enabled by default when ssl.on=true
# Sets the Strict-Transport-Security header; web browsers will always connect using HTTPS when they
# see this header and they will cache the result for max-age seconds
ssl.hsts.enabled=true
ssl.hsts.maxAge=31536000
ssl.hsts.includeSubDomains=false
# System time zone. Leave blank to use the default VM time zone.
timezone=
#Rest API Configuration
rest.enabled=true
#Enable to make JSON more readable
rest.indentJSON=false
#Cross Origin Request Handling
# Only list origins you control in allowedOrigins; a wildcard origin cannot be combined with allowCredentials=true
rest.cors.enabled=false
rest.cors.allowedOrigins=
rest.cors.allowedMethods=PUT,POST,GET,OPTIONS,DELETE,HEAD
rest.cors.allowedHeaders=content-type,x-requested-with,authorization
rest.cors.exposedHeaders=
rest.cors.allowCredentials=false
rest.cors.maxAge=3600
# disable browser redirects
rest.disableErrorRedirects=false
# Defaults for temporary resource lifetime (can be overridden via endpoint parameters if supplied)
# Default time before the resource is removed after completion
rest.temporaryResource.expirationPeriods=1
rest.temporaryResource.expirationPeriodType=HOURS
# Default time that the task is allowed to run for before it is cancelled
rest.temporaryResource.timeoutPeriods=3
rest.temporaryResource.timeoutPeriodType=HOURS
# Limits the rate at which an unauthenticated IP address can access the REST API
# With the values below: an initial 40 request burst, then 5 requests per 1 second thereafter
# (the key spelling "quanitity" is reproduced here as it appears in the shipped file; keep it as written)
rateLimit.rest.anonymous.enabled=true
rateLimit.rest.anonymous.burstQuantity=40
rateLimit.rest.anonymous.quanitity=5
rateLimit.rest.anonymous.period=1
rateLimit.rest.anonymous.periodUnit=SECONDS
# Limits the rate at which an authenticated user can access the REST API
# Disabled by default
rateLimit.rest.user.enabled=false
rateLimit.rest.user.burstQuantity=20
rateLimit.rest.user.quanitity=10
rateLimit.rest.user.period=1
rateLimit.rest.user.periodUnit=SECONDS
# Limits the rate at which authentication attempts can occur from an IP address
# Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter
rateLimit.authentication.ip.enabled=true
rateLimit.authentication.ip.burstQuantity=5
rateLimit.authentication.ip.quanitity=1
rateLimit.authentication.ip.period=1
rateLimit.authentication.ip.periodUnit=MINUTES
# Limits the rate at which authentication attempts can occur against a username
# Defaults to an initial 5 attempt burst then 1 attempt per 1 minute thereafter
# (this also means anyone who knows a username can keep it throttled by sending bad passwords for it)
rateLimit.authentication.user.enabled=true
rateLimit.authentication.user.burstQuantity=5
rateLimit.authentication.user.quanitity=1
rateLimit.authentication.user.period=1
rateLimit.authentication.user.periodUnit=MINUTES
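How burstQuantity, quanitity, period and periodUnit interact, as an added example (not Mango's implementation, which the page does not show): the settings are modelled here as a token bucket whose capacity is the burst and whose refill rate is quantity per period. That model is an assumption; the property values are copied from the page and the request timings are constructed.

```python
"""Token-bucket model of the rateLimit.* settings (added example, not Mango's code)."""
from typing import Dict, List

PERIOD_UNIT_SECONDS = {"SECONDS": 1.0, "MINUTES": 60.0, "HOURS": 3600.0}


class TokenBucket:
    def __init__(self, capacity: int, quantity: int, period_seconds: float, now: float) -> None:
        self.capacity, self.quantity, self.period_seconds = capacity, quantity, period_seconds
        self.tokens = float(capacity)  # a key seen for the first time gets the whole burst
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        # refill 'quantity' tokens per period, never beyond the burst capacity
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.quantity / self.period_seconds)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per key: an IP address or a username, depending on which
    rateLimit.* group the settings come from."""

    def __init__(self, burst_quantity: int, quantity: int, period: int, period_unit: str) -> None:
        self.burst, self.quantity = burst_quantity, quantity
        self.period_seconds = period * PERIOD_UNIT_SECONDS[period_unit]
        self.buckets: Dict[str, TokenBucket] = {}

    @classmethod
    def from_properties(cls, props: Dict[str, str], prefix: str) -> "RateLimiter":
        # prefix is e.g. "rateLimit.authentication.ip"; 'quanitity' is the key as shipped
        return cls(int(props[prefix + ".burstQuantity"]), int(props[prefix + ".quanitity"]),
                   int(props[prefix + ".period"]), props[prefix + ".periodUnit"])

    def allow(self, key: str, now: float) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.burst, self.quantity, self.period_seconds, now)
        return bucket.allow(now)


# Constructed copy of the page's values for two of the limiters
PROPS = {
    "rateLimit.rest.anonymous.burstQuantity": "40", "rateLimit.rest.anonymous.quanitity": "5",
    "rateLimit.rest.anonymous.period": "1", "rateLimit.rest.anonymous.periodUnit": "SECONDS",
    "rateLimit.authentication.ip.burstQuantity": "5", "rateLimit.authentication.ip.quanitity": "1",
    "rateLimit.authentication.ip.period": "1", "rateLimit.authentication.ip.periodUnit": "MINUTES",
}


def simulate(limiter: RateLimiter, key: str, timestamps: List[float]) -> List[bool]:
    """Replay requests for one key at the given times (seconds); True means accepted."""
    return [limiter.allow(key, t) for t in timestamps]


def anonymous_burst_then_refill() -> List[bool]:
    limiter = RateLimiter.from_properties(PROPS, "rateLimit.rest.anonymous")
    # 45 requests within the same second, then 6 more one second later
    return simulate(limiter, "198.51.100.7", [0.0] * 45 + [1.0] * 6)


def password_spray_from_one_ip() -> List[bool]:
    limiter = RateLimiter.from_properties(PROPS, "rateLimit.authentication.ip")
    # 6 attempts at once, one after 30 s, one after 60 s
    return simulate(limiter, "203.0.113.9", [0.0] * 6 + [30.0, 60.0])


if __name__ == "__main__":
    print(anonymous_burst_then_refill())
    print(password_spray_from_one_ip())
```

Under this model the IP limiter admits 5 login attempts immediately and then one per minute, so a single-source password spray is throttled to about 1,445 guesses per day; an attacker spread across many addresses is only caught by the per-username limiter, which is the trade-off noted in the comment above.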
#For rest API Documentation at /swagger-ui.html
swagger.enabled=false
#path to api-docs for swagger tools, will be appended to base REST api version URL i.e. /rest/v1/
springfox.documentation.swagger.v2.path=/swagger/v2/api-docs
# Require authentication to access the Swagger API documentation.
# If you set this to false the documentation is served without authentication; you can then use an authentication token (generated on the Mango Users page) from the swagger UI to call the API.
# To use, enter: Bearer <space> <token value> into the Authorize value input in the swagger ui
swagger.apidocs.protected=true
#Distributor Settings
distributor=IA
#Jetty Thread Pool Tuning
# Time a thread must be idle before it is killed to keep the pool at its minimum size
web.threads.msIdleTimeout=30000
# Number of threads allowed to be created to handle incoming requests as needed (defaults to 10x number of processors, or 200, whichever is greater)
web.threads.maximum=
# Number of threads to keep around to handle incoming connections (defaults to max threads, or 8, whichever is lesser)
web.threads.minimum=
# Number of requests to queue if all threads are busy (defaults to 1280)
web.requests.queueSize=
# Ping timeout for response from browser
web.websocket.pingTimeoutMs=10000
#Time socket can be idle before being closed (ms)
web.socketIdleTimeout=70000
# Default async request timeout
#web.async.timeout=120000
# Enable collection of connection statistics
web.connectionStatistics=true
# Enable Jetty JMX support
web.enableJmx=true
#Jetty QoS filter settings
# https://www.eclipse.org/jetty/documentation/current/qos-filter.html
# Filter enabled setting
web.qos.enabled=false
#The maximum number of requests to be serviced at a time. The default is 10.
web.qos.maxRequests=10
#The length of time, in milliseconds, to wait while trying to accept a new request. Used when the maxRequests limit is reached. Default is 50 ms
web.qos.waitMs=50
#Length of time, in milliseconds, that the request will be suspended if it is not accepted immediately. If set to -1, the container default timeout applies. Default is 30000 ms.
web.qos.suspendMs=30000
#Jetty DoS filter settings
# https://www.eclipse.org/jetty/documentation/current/dos-filter.html
# Filter enabled setting
web.dos.enabled=false
#Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25.
web.dos.maxRequestsPerSec=75
#Delay imposed on all requests over the rate limit, before they are considered at all
# 100ms default, -1 = Reject request, 0 = no delay, any other value is delay in ms
web.dos.delayMs=100
#Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms.
web.dos.maxWaitMs=50
#Number of requests over the rate limit able to be considered at once. Default is 5.
web.dos.throttledRequests=5
#Length of time, in ms, to async wait for semaphore. Default is 30000.
web.dos.throttleMs=30000
#Length of time to let the request run, default is 30000 (Keep above 60s for DWR Long Poll to work in legacy UI)
web.dos.maxRequestMs=120000
#Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000.
web.dos.maxIdleTrackerMs=30000
#If true, insert the DoSFilter headers into the response. Defaults to true.
web.dos.insertHeaders=true
#If true, usage rate is tracked by session if a session exists. Defaults to true.
web.dos.trackSessions=true
#If true and session tracking is not used, then rate is tracked by IP and port (effectively connection). Defaults to false.
web.dos.remotePort=false
#A comma-separated list of IP addresses that will not be rate limited.
# Note: These are actual client IPs when behind a proxy server if you configure web.forwardedHeaders.trustedIpRanges to trust your proxy's IP
web.dos.ipWhitelist=
#Jetty Low Resource Management (Used to attempt to free resources when under heavy load)
# https://www.eclipse.org/jetty/documentation/current/limit-load.html
web.lowResource.enabled=false
# Period in ms to check for a low resource condition, default 10000
web.lowResource.checkPeriod=10000
# In a low resource condition all existing connection idle timeouts are set to this value, default 1000
web.lowResource.lowResourcesIdleTimeout=1000
# check connector executors to see if their ThreadPool instances are low on threads, default true
web.lowResource.monitorThreads=true
# The maximum memory in bytes that Java is allowed to use before the low resource condition is triggered.
# If left empty, the default is 90% of the maximum memory the JVM is configured to use.
# Set to 0 to disable the memory usage checks.
web.lowResource.maxMemory=
# The time in milliseconds that a low resource state can persist before the low resource idle timeout is reapplied to all connections, default 5000
web.lowResource.maxLowResourceTime=5000
# If false, new connections are not accepted while in low resources
web.lowResource.acceptingInLowResources=true
# Maximum number of allowed connections, defaults to 0 (disabled)
web.connectionLimit=0
# Jetty default servlet configuration (init parameters)
# See the following for descriptions:
# https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-webapp/src/main/config/etc/webdefault.xml
web.defaultServlet.dirAllowed=false
web.defaultServlet.maxCacheSize=256000000
web.defaultServlet.maxCachedFileSize=200000000
web.defaultServlet.maxCachedFiles=2048
web.defaultServlet.etags=false
# defaults to false for Windows, defaults to true for all other OS
# see https://www.eclipse.org/jetty/documentation/current/troubleshooting-locked-files-on-windows.html
#web.defaultServlet.useFileMappedBuffer=true
#iFrame Header Control 'X-Frame-Options' (case sensitive options)
# SAMEORIGIN - Only allow Mango to be embedded in iframes when the requesting page was loaded from the Mango domain
# DENY - Do not allow at all
# ANY - Do not send the header at all
# One specific domain name can be supplied so that the header becomes: ALLOW-FROM http://foo.bar.com
# Note: current browsers ignore ALLOW-FROM; to let one specific origin frame Mango, add a frame-ancestors directive to the Content Security Policy below instead
web.security.iFrameAccess=SAMEORIGIN
#Follow symbolic links when serving files from Jetty
# (a symlink placed inside any directory Jetty serves then exposes whatever it points at)
web.security.followSymlinks=true
# Content Security Policy settings, please see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# The reasons for the default policy are outlined below
# style-src 'unsafe-inline' - inline styles are used by AngularJS Material for the dynamic theming
# script-src 'unsafe-eval' - needed by Fabric.js used in amCharts for drawing on charts, also gives AngularJS a 30% performance boost
# connect-src ws: wss: - necessary as 'self' does not permit connections to websockets on the same origin, this should be configured to restrict it to your server's actual hostname
# img-src data: - allows for small base64 encoded images to be embedded inline into the html
# img-src/script-src https://www.google-analytics.com - allows for enabling Google analytics (not enabled by default, must be manually enabled by admin via UI Settings page)
# img-src/script-src https://maps.google.com https://maps.googleapis.com https://maps.gstatic.com - allows for using the Google maps component
# style-src/font-src https://fonts.googleapis.com https://fonts.gstatic.com - allows for using Google fonts in dashboards
# The policy is disabled by default. Tailor the sources to your deployment, then either enable it or set reportOnly=true first and watch the browser console for violations.
web.security.contentSecurityPolicy.enabled=false
web.security.contentSecurityPolicy.reportOnly=false
web.security.contentSecurityPolicy.defaultSrc='self'
web.security.contentSecurityPolicy.scriptSrc='self' 'unsafe-eval' https://maps.google.com https://maps.googleapis.com https://www.google-analytics.com
web.security.contentSecurityPolicy.styleSrc='self' 'unsafe-inline' https://fonts.googleapis.com
web.security.contentSecurityPolicy.connectSrc='self' ws: wss:
web.security.contentSecurityPolicy.imgSrc='self' data: https://maps.google.com https://maps.gstatic.com https://www.google-analytics.com
web.security.contentSecurityPolicy.fontSrc='self' https://fonts.gstatic.com
web.security.contentSecurityPolicy.mediaSrc=
web.security.contentSecurityPolicy.objectSrc=
web.security.contentSecurityPolicy.frameSrc=
web.security.contentSecurityPolicy.workerSrc=
web.security.contentSecurityPolicy.manifestSrc=
web.security.contentSecurityPolicy.other=
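What the web.security.contentSecurityPolicy.* keys and web.security.iFrameAccess turn into on the wire, as an added example (not Mango's code): it assembles the header from the directive keys, lints the sources a reviewer would question, and applies the page's own advice to pin connect-src to the real hostname. Joining directives with ";" and treating the "other" key as raw extra directives are assumptions about how Mango builds the header; PROPS is a constructed copy of the page's defaults and the hostname is made up.

```python
"""Assemble and lint the CSP header from the page's properties (added example, not Mango's code)."""
from typing import Dict, List, Optional, Tuple

PREFIX = "web.security.contentSecurityPolicy."
DIRECTIVES = [  # (property suffix, CSP directive name)
    ("defaultSrc", "default-src"), ("scriptSrc", "script-src"), ("styleSrc", "style-src"),
    ("connectSrc", "connect-src"), ("imgSrc", "img-src"), ("fontSrc", "font-src"),
    ("mediaSrc", "media-src"), ("objectSrc", "object-src"), ("frameSrc", "frame-src"),
    ("workerSrc", "worker-src"), ("manifestSrc", "manifest-src"),
]

# Constructed copy of the page's default values
PROPS: Dict[str, str] = {
    PREFIX + "enabled": "false",
    PREFIX + "reportOnly": "false",
    PREFIX + "defaultSrc": "'self'",
    PREFIX + "scriptSrc": "'self' 'unsafe-eval' https://maps.google.com https://maps.googleapis.com https://www.google-analytics.com",
    PREFIX + "styleSrc": "'self' 'unsafe-inline' https://fonts.googleapis.com",
    PREFIX + "connectSrc": "'self' ws: wss:",
    PREFIX + "imgSrc": "'self' data: https://maps.google.com https://maps.gstatic.com https://www.google-analytics.com",
    PREFIX + "fontSrc": "'self' https://fonts.gstatic.com",
    PREFIX + "other": "",
}


def build_csp(props: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (header name, header value), or None while the policy is disabled."""
    if props.get(PREFIX + "enabled", "false").lower() != "true":
        return None
    name = ("Content-Security-Policy-Report-Only"
            if props.get(PREFIX + "reportOnly", "false").lower() == "true"
            else "Content-Security-Policy")
    parts = [f"{directive} {props[PREFIX + key].strip()}"
             for key, directive in DIRECTIVES if props.get(PREFIX + key, "").strip()]
    other = props.get(PREFIX + "other", "").strip()  # assumed: raw extra directives
    if other:
        parts.append(other)
    return name, "; ".join(parts)


def lint_csp(policy: str) -> List[str]:
    """Flag the sources a reviewer would question before enabling the policy."""
    findings: List[str] = []
    names = set()
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        names.add(name)
        if "'unsafe-eval'" in sources:
            findings.append(f"{name}: 'unsafe-eval' lets injected strings reach eval()")
        if name == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src: 'unsafe-inline' removes the XSS protection for scripts")
        if name == "connect-src" and any(s in ("ws:", "wss:") for s in sources):
            findings.append("connect-src: bare ws:/wss: allows websockets to any host; pin to your hostname")
        if "*" in sources:
            findings.append(f"{name}: wildcard source")
    if "frame-ancestors" not in names:
        findings.append("no frame-ancestors directive: framing is controlled only by X-Frame-Options")
    return findings


def tighten(props: Dict[str, str], hostname: str) -> Dict[str, str]:
    """Copy of props with the policy enabled and websockets pinned to the real hostname,
    as the page's comment on connect-src recommends."""
    hardened = dict(props)
    hardened[PREFIX + "enabled"] = "true"
    hardened[PREFIX + "connectSrc"] = f"'self' wss://{hostname}"
    return hardened


def x_frame_options(iframe_access: str) -> Optional[str]:
    """Header value for web.security.iFrameAccess; ANY means no header is sent.
    ALLOW-FROM is obsolete: current browsers ignore it and honour frame-ancestors instead."""
    if iframe_access == "ANY":
        return None
    if iframe_access in ("SAMEORIGIN", "DENY"):
        return iframe_access
    return f"ALLOW-FROM {iframe_access}"


if __name__ == "__main__":
    header, value = build_csp(tighten(PROPS, "mango.example.com"))  # hostname is made up
    print(f"{header}: {value}")
    for finding in lint_csp(value):
        print("-", finding)
```

With the defaults the lint still reports 'unsafe-eval' on script-src, which the comments above explain is required by the charting libraries; that one is a documented trade-off rather than something to remove, while the bare ws:/wss: source is meant to be replaced.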
#Regex used to match serial ports so they show up in the menu
serial.port.linux.regex=((cu|ttyS|ttyUSB|ttyACM|ttyAMA|rfcomm|ttyO|COM)[0-9]{1,3}|rs(232|485)-[0-9])
serial.port.linux.path=/dev/
serial.port.windows.regex=
serial.port.windows.path=
serial.port.osx.path=/dev/
serial.port.osx.regex=(cu|tty)..*
#Number of bytes read events to queue up before discarding
serial.port.eventQueueSize=10000
#Rate at which to poll the serial port for new data events in Linux (Windows uses interrupts)
# this is only used by the Serial data source; all others poll the port directly
serial.port.linux.readPeriods=500
serial.port.linux.readPeriodType=MILLISECONDS
# Start data sources in parallel threads (default 1)
#runtime.datasource.startupThreads=1
# Stop data sources in parallel threads (default 1)
#runtime.datasource.shutdownThreads=1
# Start publishers in parallel threads (default 1)
#runtime.publisher.startupThreads=1
# Stop publishers in parallel threads (default 1)
#runtime.publisher.shutdownThreads=1
#Log number of aborted polls for a polling data source this often at a minimum (only logged after next aborted poll past this time)
runtime.datasource.pollAbortedLogFrequency=3600000
# Start data points in parallel threads (default: number of CPU cores)
#runtime.datapoint.startupThreads=8
# Number of data points to start in each thread
#runtime.datapoint.startupThreads.pointsPerThread=1000
# Start published points in parallel threads (default: number of CPU cores)
#runtime.publishedPoint.startupThreads=8
# Number of published points to start in each thread
#runtime.publishedPoint.startupThreads.pointsPerThread=1000
#Report Javascript Execution Times at INFO Level logging
# add a logger for org.perf4j.TimingLogger at INFO level to your log4j2 configuration, e.g. <Logger name="org.perf4j.TimingLogger" level="info"/>
# (the <category name="org.perf4j.TimingLogger"><level value="info"/></category> form is log4j 1.x syntax)
runtime.javascript.metrics=false
#Default task queue size for the Real Time Timer, should multiple tasks of the same type be queued up?
# Tasks are rejected from a full queue, a size of 0 means reject multiple instances of the same task
runtime.realTimeTimer.defaultTaskQueueSize=0
#When a task queue is full should the waiting tasks be discarded and replaced with the most recent
runtime.realTimeTimer.flushTaskQueueOnReject=false
#Delay (in ms) to wait to rate limit task rejection log messages so they don't fill up logs and use too much cpu doing it
runtime.taskRejectionLogPeriod=10000
#Maximum counts to wait to terminate the thread pool's tasks that are running or queued to run
# each count is 1 second, so the default of 60 = 1 minute. Note that the medium and low priority
# timeout happens first and then the remaining time is spent waiting for the high priority tasks,
# so setting both to the same value results in waiting only as long as that value.
runtime.shutdown.medLowTimeout=60
runtime.shutdown.highTimeout=60
# Installation directory of Mango (defaults to working directory, or legacy MA_HOME environment variable)
#paths.home=
# Base directory for storing variable data (relative to ${paths.home} unless absolute)
#paths.data=
# NOTE: All of the following paths are relative to ${paths.data} unless an absolute path is supplied
# path to the filestore base directory
filestore.location=filestore
# path to the module data base directory
moduleData.location=data
# path to temporary files base directory (default: Java system property 'java.io.tmpdir' e.g. /tmp or C:\Users\%username%\AppData\Local\Temp)
# If this is set, it will override the 'java.io.tmpdir' system property
#paths.temp=
# path to the log files base directory
paths.logs=logs
# default path for backups (e.g. configuration backups, SQL backups, NoSQL point value backups)
# note: this is the default, some of these locations are configurable via system settings
paths.backup=backup
# overrides path, typically for freemarker templates (/ftl) and web overrides (/web)
paths.overrides=overrides
# PID file location (used by start-mango.sh)
paths.pid.file=ma.pid
# Start options script (used by start-mango.sh)
paths.start.options=start-options.sh
# HTTP session (authentication) cookie name and domain name settings.
# Use the Mango GUID as the session cookie name
sessionCookie.useGuid=true
# name takes precedence over useGuid if set
sessionCookie.name=
# Set the domain name that the cookie is valid for, can be used to make the session login valid for subdomains too.
# If left blank the session cookie can only be used for the domain that you login at.
sessionCookie.domain=
# Persist sessions into the database
sessionCookie.persistent=true
# Interval (seconds) at which to check whether the session should be saved; it is only saved if it changed. 0 means save after every request
sessionCookie.persistPeriodSeconds=30
# Additional advanced session cookie settings
# Set secure=true when Mango is only ever reached over HTTPS, so the browser never sends the session cookie over plain HTTP
#sessionCookie.secure=true
#sessionCookie.path=/
#sessionCookie.comment=
# Maximum age of the session cookie before it is cleared by the browser. A value of -1 means that it will not expire.
# Note: This setting is different from the session expiration period which is configured via the System Settings page
# and invalidates inactive sessions in the backend.
sessionCookie.maxAge=-1
# Controls the poll period for collecting internal metrics
internal.monitor.pollPeriod=10000
# Controls the poll period for collecting disk usage
internal.monitor.diskUsage.pollPeriod=1200000
# Should MA_HOME and each file store directory be monitored individually in addition to the partitions?
internal.monitor.diskUsage.monitorDirectories=false
# monitor SQL database directory size
internal.monitor.diskUsage.monitorSql=false
# monitor TSDB (NoSQL) database directory size
internal.monitor.diskUsage.monitorTsdb=false
# enables getting operating system, process, and hardware information via the OSHI native library
internal.monitor.enableOperatingSystemInfo=true
# These settings are used in the default log4j2.xml file included with Mango. For more control, specify your own
# log4j2.xml configuration file using the log4j2.configurationFile property.
# logger for messages from Mango
logger.mango.level=info
logger.mango.includeLocation=true
# logger for messages from scripts
logger.script.level=trace
logger.script.includeLocation=false
# root logger, logs all other messages (e.g. messages from libraries used by Mango)
logger.root.level=warn
logger.root.includeLocation=true
# stdout console appender
appender.stdout.level=trace
appender.stdout.pattern=%-5p %d{ISO8601} (%C.%M:%L) - %m%n
# ma.log file appender
appender.logfile.level=trace
appender.logfile.pattern=%-5p %d{ISO8601} (%C.%M:%L) - %m%n
appender.logfile.size=100MB
appender.logfile.delete.age=30d
appender.logfile.delete.count=1000
appender.logfile.delete.size=1GB
# script log file appender
appender.script.level=trace
appender.script.pattern=%-5p %d{ISO8601} %c - %m%n
appender.script.size=100MB
appender.script.delete.age=30d
appender.script.delete.count=1000
appender.script.delete.size=1GB
# You can configure any log4j2 property here
# See https://logging.apache.org/log4j/2.x/manual/configuration.html#System_Properties
# e.g. path to your own log4j2 configuration file (relative to ${paths.data} unless absolute)
#log4j2.configurationFile=path/to/log4j2.xml
# Authentication settings
authentication.token.enabled=true
# HTTP Basic sends the username and password with every request; disable it if no client needs it
authentication.basic.enabled=true
authentication.basic.realm=Mango
authentication.session.maxSessions=10
authentication.oauth2.enabled=false
# OAuth2 client settings
# comma separated list of client registration ids to enable
oauth2.client.registrationIds=
# pre-configured providers are Google, Github, Facebook, Okta and OneLogin (see org.springframework.security.config.oauth2.client.CommonOAuth2Provider)
#oauth2.client.registration.{registrationId}.provider=onelogin
#oauth2.client.registration.{registrationId}.clientId={your client id}
# the client secret is a credential; prefer supplying it via an environment variable or Java system property at provisioning time
#oauth2.client.registration.{registrationId}.clientSecret={your client secret}
#oauth2.client.registration.onelogin.authorizationUri=https://{your subdomain}.onelogin.com/oidc/2/auth
#oauth2.client.registration.onelogin.tokenUri=https://{your subdomain}.onelogin.com/oidc/2/token
#oauth2.client.registration.onelogin.jwkSetUri=https://{your subdomain}.onelogin.com/oidc/2/certs
#oauth2.client.registration.onelogin.issuerUri=https://{your subdomain}.onelogin.com/oidc/2
#oauth2.client.registration.onelogin.userInfoUri=https://{your subdomain}.onelogin.com/oidc/2/me
# add provider defaults for OneLogin, to use this provider you will need to configure your registration URIs
oauth2.client.provider.onelogin.userInfoAuthenticationMethod=header
oauth2.client.provider.onelogin.clientAuthenticationMethod=basic
oauth2.client.provider.onelogin.authorizationGrantType=authorization_code
oauth2.client.provider.onelogin.scope=openid,name,profile,groups,email,params,phone
oauth2.client.provider.onelogin.clientName=OneLogin
oauth2.client.provider.onelogin.userMapping.roles=groups
# provider defaults for Google
oauth2.client.provider.google.userMapping.username=email
# provider defaults for Github
oauth2.client.provider.github.userMapping.issuer.fixed=https://github.com
oauth2.client.provider.github.userMapping.subject=id
oauth2.client.provider.github.userMapping.username=login
oauth2.client.provider.github.userMapping.username.suffix=@users.noreply.github.com
oauth2.client.provider.github.userMapping.email=login
oauth2.client.provider.github.userMapping.email.suffix=@users.noreply.github.com
# provider defaults for Microsoft, to use this provider you will need to configure your registration URIs
oauth2.client.provider.microsoft.userInfoAuthenticationMethod=header
oauth2.client.provider.microsoft.clientAuthenticationMethod=basic
oauth2.client.provider.microsoft.authorizationGrantType=authorization_code
oauth2.client.provider.microsoft.scope=openid,profile,email
oauth2.client.provider.microsoft.clientName=Microsoft
oauth2.client.provider.microsoft.userInfoUri=https://graph.microsoft.com/oidc/userinfo
# set default mappings to OpenID Connect claim names, see org.springframework.security.oauth2.core.oidc.StandardClaimNames
# issuer and subject are required and should form a unique pair, do not change these unless your OAuth2 provider is not OpenID Connect compliant
oauth2.client.default.userNameAttributeName=sub
oauth2.client.default.userMapping.issuer=iss
oauth2.client.default.userMapping.subject=sub
oauth2.client.default.userMapping.username=preferred_username
oauth2.client.default.userMapping.name=name
oauth2.client.default.userMapping.email=email
oauth2.client.default.userMapping.phone=phone_number
oauth2.client.default.userMapping.locale=locale
oauth2.client.default.userMapping.timezone=zoneinfo
# mapping of individual roles can be configured below
oauth2.client.default.userMapping.roles=roles
# enable syncing of roles from identity provider to Mango user
oauth2.client.default.userMapping.roles.sync=true
# ignore some roles from identity provider (comma separated list)
oauth2.client.default.userMapping.roles.ignore=
# add prefix to roles from identity provider
oauth2.client.default.userMapping.roles.prefix=
# add suffix to roles from identity provider
oauth2.client.default.userMapping.roles.suffix=
# map a role from the identity provider to a different role xid
# (mapping an identity provider group onto superadmin, as in the example, hands full control of Mango to whoever administers that group)
#oauth2.client.default.userMapping.roles.map.xyz=superadmin
# add additional roles to the user (comma separated list), user role is added implicitly
oauth2.client.default.userMapping.roles.add=
# Public Key Infrastructure (PKI)
# All PKI paths are relative to ${paths.data} unless absolute.
# Enable the PKI service
pki.enabled=true
# Path for storing and loading the server/client public key (PEM encoded)
pki.publicKey=certificates/instance.pub
# Path for storing and loading the server/client private key (PEM encoded PKCS #8)
pki.privateKey=certificates/instance.key
# Path for storing and loading the server/client certificate (PEM encoded X.509)
pki.certificate=certificates/instance.crt
# Subject Alternative Names (SANs) for the certificate (DNS names or IP addresses, comma separated)
# The first entry will be used as the subject CN. If not set, the DNS names are automatically determined.
#pki.subjectAlternativeNames=
# Path for storing a PKCS #12 key store, created from the above certificate chain and private key
pki.keyStore=certificates/instance.p12
# Password to use for the key store and key password. The shipped value is a placeholder: set a real one at provisioning time,
# and restrict file system permissions on the certificates directory, since the same private key is also stored in PEM form at pki.privateKey.
pki.keyStorePassword=password
# Period to check PKI certificates for expiration and auto-renew
pki.monitor.checkPeriod=10 minutes
# Auto-renew certificates which are expiring soon; if false, alarms will still be raised
pki.monitor.autoRenewEnabled=true
# Renew certificate and/or raise alarms when certificates have less than this amount of time left before expiration.
# Can be expressed as an absolute amount of time (e.g. 3 days) or a percentage of total validity (e.g. 25%).
# e.g. for a certificate with 1 year validity, 25% means that with 3 months left it would be considered "expiring soon".
pki.monitor.expiringSoonThreshold=25%
# Name of the default Mango certificate authority (CA) service
pki.ca.name=defaultCertificateAuthority
# Path for storing and loading the CA public key (PEM encoded)
pki.ca.publicKey=certificates/ca.pub
# Path for storing and loading the CA private key (PEM encoded PKCS #8)
pki.ca.privateKey=certificates/ca.key
# Path for storing and loading the CA certificate (PEM encoded X.509)
pki.ca.certificate=certificates/ca.crt
# When creating the root/intermediate CA certificate, how long is it valid for
pki.ca.caCertificateValidity=10 years
# When signing a server/client certificate, how long is it valid for (certificates are automatically renewed before expiration)
pki.ca.certificateValidity=1 days
# Name of Java security provider e.g. BC for Bouncy Castle
pki.providerName=BC
# Key algorithm e.g. EC (elliptic curve), EdDSA (Edwards-Curve) or RSA
# See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#keypairgenerator-algorithms
pki.keyAlgorithm=EC
# Curve name for EC/EdDSA (e.g. secp256r1, Ed25519) or key size for RSA (e.g. 2048, 4096)
# See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#parameterspec-names
pki.keyParameters=secp256r1
# Signature algorithm for certificates, e.g. SHA256withECDSA for EC, Ed25519 for EdDSA or SHA512WithRSA for RSA
# See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#signature-algorithms
pki.signatureAlgorithm=SHA256withECDSA
# Enable gRPC server
grpc.server.enabled=true
# gRPC server TCP port
grpc.server.port=9090
# Enable gRPC reflection service (lets connected clients enumerate the service definitions; disable it if no client needs it)
grpc.server.reflectionEnabled=true
# Enable TLS on the gRPC server port
grpc.server.tlsEnabled=true
# Server X.509 certificate, including full certificate chain. Path to file (PEM encoded).
grpc.server.certChain=${pki.certificate}
# Server private key. Path to file (PEM encoded).
grpc.server.privateKey=${pki.privateKey}
# Root certificates for verification of client certificates (mTLS). If empty the OS/Java default root certificates will be used. Path to file (PEM encoded).
grpc.server.rootCerts=${pki.ca.certificate}
# Client authentication options (mTLS): NONE/OPTIONAL/REQUIRE. Keep REQUIRE so only holders of a certificate signed by grpc.server.rootCerts can connect.
grpc.server.clientAuth=REQUIRE
# Client X.509 certificate, including full certificate chain. Path to file (PEM encoded).
grpc.client.certChain=${pki.certificate}
# Client private key. Path to file (PEM encoded).
grpc.client.privateKey=${pki.privateKey}
# Root certificates for verification of the server certificate. If empty the OS/Java default root certificates will be used. Path to file (PEM encoded).
grpc.client.rootCerts=${pki.ca.certificate}
# Interval to check for changes to files (used for checking changes to SSL/TLS certificates)
fileWatchService.checkInterval=10 seconds
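The file above relies on three java.util.Properties conventions that are easy to get wrong by hand: `${key}` references (ssl.keystore.location=${pki.keyStore}, convert.db.username=${db.username}, the grpc.* keys pointing at pki.*), the rule that paths are relative to ${paths.data} which is itself relative to ${paths.home}, and backslash line continuation. The added example below (not Mango's code) reads such a file with those rules, resolves references, and then audits the security-relevant keys this page documents, so a deployment can be checked before start-up. `\uXXXX` escapes are not decoded. SAMPLE is a constructed, deliberately weak excerpt, and /opt/mango is a made-up stand-in for the working directory that paths.home defaults to.

```python
"""Read a mango.properties file, resolve ${...} references and flag weak settings
(added example, not Mango's code; SAMPLE is constructed)."""
import ipaddress
import re
from pathlib import PurePosixPath
from typing import Dict, List

_REF = re.compile(r"\$\{([^}]+)\}")

SAMPLE = """
# constructed sample, not a real deployment
paths.home=/opt/mango
paths.data=data
initialize.admin.password=admin
ssl.on=true
ssl.hsts.enabled=false
pki.keyStore=certificates/instance.p12
pki.keyStorePassword=password
ssl.keystore.location=${pki.keyStore}
ssl.keystore.password=${pki.keyStorePassword}
web.forwardedHeaders.trustedIpRanges=127.0.0.0/8,::1,\\
    0.0.0.0/0
web.security.contentSecurityPolicy.enabled=false
swagger.enabled=true
swagger.apidocs.protected=false
grpc.server.enabled=true
grpc.server.tlsEnabled=false
loop.a=${loop.b}
loop.b=${loop.a}
"""


def parse_properties(text: str) -> Dict[str, str]:
    """'#'/'!' comments, first '=' or ':' separates key and value, a trailing
    backslash continues the value on the next line (leading whitespace dropped)."""
    props: Dict[str, str] = {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if not line or line[0] in "#!":
            continue
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):  # odd count of trailing backslashes
            line, i = line[:-1] + lines[i].strip(), i + 1
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def resolve(props: Dict[str, str], key: str, stack: tuple = ()) -> str:
    """Expand ${other.key} references recursively, refusing cycles."""
    if key in stack:
        raise ValueError("circular reference: " + " -> ".join(stack + (key,)))
    return _REF.sub(lambda m: resolve(props, m.group(1), stack + (key,)), props.get(key, ""))


def data_path(props: Dict[str, str], key: str) -> PurePosixPath:
    """Absolute location of a property that is relative to ${paths.data}; an absolute
    value replaces the base at either level, as pathlib joins do."""
    home = PurePosixPath(resolve(props, "paths.home") or "/opt/mango")  # made-up working directory
    data = home / PurePosixPath(resolve(props, "paths.data") or ".")
    return data / PurePosixPath(resolve(props, key))


def audit(props: Dict[str, str]) -> List[str]:
    get = lambda k, default="": resolve(props, k) if k in props else default
    on = lambda k, default="false": get(k, default).lower() == "true"
    findings: List[str] = []
    if get("initialize.admin.password") == "admin":
        findings.append("initialize.admin.password is the shipped default; supply it at provisioning time instead")
    if get("ssl.keystore.password") == "password":
        findings.append("TLS key store password is the shipped placeholder (pki.keyStorePassword)")
    if not on("ssl.on"):
        findings.append("ssl.on=false: logins and session cookies travel in clear text")
    elif not on("ssl.hsts.enabled", "true"):
        findings.append("HSTS disabled while TLS is on")
    if not on("web.security.contentSecurityPolicy.enabled"):
        findings.append("Content Security Policy disabled")
    if on("swagger.enabled") and not on("swagger.apidocs.protected", "true"):
        findings.append("Swagger API docs served without authentication")
    for entry in (e.strip() for e in get("web.forwardedHeaders.trustedIpRanges").split(",") if e.strip()):
        try:
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                findings.append(f"trustedIpRanges contains {entry}: any client can spoof its address")
        except ValueError:
            findings.append(f"trustedIpRanges entry {entry!r} is not a valid address or CIDR")
    if on("grpc.server.enabled") and not on("grpc.server.tlsEnabled", "true"):
        findings.append("gRPC server listening without TLS")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    print(data_path(props, "ssl.keystore.location"))
    for finding in audit(props):
        print("-", finding)
```

Because the audit resolves references before comparing, it catches the placeholder key store password even though ssl.keystore.password itself only says `${pki.keyStorePassword}`; run it against the real file with `parse_properties(open("mango.properties").read())` after provisioning has supplied the environment overrides.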