Skip to content
CA API Gateway - 9.3
Documentation powered by DocOps

Environment Variables for the Container Gateway

Last update November 20, 2018

This topic lists the environment variables that are specific to the Container Gateway application and includes: 

To obtain better understanding of how these environment variables are used, refer to the More Information section. We recommend that you first review the sample files before looking up the detailed descriptions.

Available Gateway Environment Variables

Variable Required? Default Description
ACCEPT_LICENSE Yes -

Set the ACCEPT_LICENSE environment variable to true to confirm that you have a valid commercial license for CA API Gateway. You also confirm that you have reviewed and accepted the terms of the CA End User License Agreement (EULA) that governs your use of the CA API Gateway.

This value is case-sensitive.

SSG_JVM_HEAP No 2G

The JVM heap size to use.

This value should be a number, followed by m, M, k, K, g, G. For example: "4G", "4000m", "4g", "3M" (m and M both mean megabyte).

Tip: This value must be set to a value that is less than the mem_limit value set in the api-gateway section of the docker-compose.yml file. The mem_limit value should be 1GB more or 50% more than the SSG_JVM_HEAP value, whichever is higher.

Note: For memory configuration guidelines, see Guidelines for Configuring Resources for the Container Gateway.

SSG_ADMIN_USERNAME No random The administrative username for the Policy Manager. May contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , %

SSG_ADMIN_PASSWORD

No random

The password for the administrative user. 

For improved security, the password should be at least 12 characters long. It may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , %

IMPORTANT: You should embed sensitive data such as passwords in plain-text within a configuration file only for convenience in development or test environments. Many container PaaS environments provide mechanisms for properly managing sensitive data. For an example, see "Secrets" in Configure Environment Variables in OpenShift.

Tip: To disable Policy Manager connectivity, leave the SSG_ADMIN_USERNAME and SSG_ADMIN_PASSWORD variables empty. Disabling Policy Manager access is ideal if you want to enforce the redeployment of the container when making changes in a production environment. You will also do this if you have a derived image that is bootstrapped.

SSG_DATABASE_JDBC_URL

No -

The URL of the JDBC connection that is used to connect to the MySQL database. If this URL is not defined, the Container Gateway defaults to using the embedded database instead.

  1. If a valid URL is provided, the Container Gateway uses this JDBC connection to connect to the MySQL database(s) (MySQL mode).
  2. If a URL is not provided (empty or not declared), the Container Gateway defaults to the embedded database (Derby mode).

Tips:

  • If you want to use the Policy Manager, make sure the SSG_ADMIN_USERNAME and SSG_ADMIN_PASSWORD are defined.
  • The JDBC URL can be used to configure the secondary database connection, for example: jdbc:mysql://mysql-server-primary:3306,mysql-server-secondary:3306/ssg
SSG_DATABASE_USER Yes, if SSG_DATABASE_
JDBC_URL is provided
-

The user who is connecting to the MySQL server(s). Only alphanumeric ASCII characters are accepted.

Notes:

  • If you are using the CA Technologies sample deployment files:
    1. This user must match any MYSQL_USER username defined in the environment section for the MySQL service. This environment section is identified by these names:
    2. If you specify a user name other than root, you must also define a MYSQL_DATABASE entry. This is necessary for the database user to have the correct permissions.
  • If you have deployed your own MySQL instance, then set this environment variable to match the credentials for the account created on your MySQL instance.
SSG_DATABASE_PASSWORD

Yes, if SSG_DATABASE_
JDBC_URL is provided

-

Password that is used to connect to the MySQL server(s). The password may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # , % (special symbols supported as of v9.3 CR3).

Notes:

  • If you are using the sample deployment files, then this environment variable must match:
  • If you have deployed your own MySQL instance, then set this environment variable to match the credentials for the account created on your MySQL instance.
SSG_DATABASE_WAIT_TIMEOUT No 300 seconds (5 minutes) The time to wait (in seconds) for the database to become available. This value is used by the Container Gateway when SSG_DATABASE_JDBC_URL is provided.
SSG_CLUSTER_HOST

Yes, if SSG_DATABASE_
JDBC_URL is provided

 ${hostname}

The cluster hostname of the Container Gateway.

Valid values are the quoted fully qualified domain name (FQDN) of the service endpoint; for example: mygateway.mycompany.com

SSG_CLUSTER_PASSWORD

Yes, if SSG_DATABASE_
JDBC_URL is provided

 random

The cluster password.

For improved security, the username and password (recommended 12 characters minimum) may contain alphanumeric ASCII characters and any of the following symbols: ! @ . = - _ ^ + ; : # ,

EXTRA_JAVA_ARGS No -

Define any extra JVM flags (including system properties) to add to the Java command line here. Space separated list.

For example,  -XX:ParallelGCThreads=4 -Dcom.l7tech.bootstrap.env.license.enable=true -Dcom.l7tech.bootstrap.autoTrustSslKey=trustAnchor,TrustedFor.SSL,TrustedFor.SAML_ISSUER

Tips:

  • Use -Dcom.l7tech.server.siteminder.enabled=true to enable CA Single Sign-On (Siteminder). By default, this functionality is disabled.
  • Use -Dcom.l7tech.bootstrap.env.license.enable=true to enable loading the SSG license gzip, base64 string as a environment variable. By default it is disabled.
  • Use -Dcom.l7tech.service.metrics.enabled=false to disable the service metrics when using a MySQL database. By default it is enabled. Tip: The embedded database does not use this toggle as it is always disabled.

SSG_SSL_KEY

No

IMPORTANT: Use the SSG_SSL_KEY environment variable in a development or test environment only. It is not recommended for production use, since it exposes the SSL key license in plain text in your configuration file. The preferred method is to mount the license file(s) as secret volumes.

The default Gateway SSL key as a base64 encoded string. For more information, see Manage Private Keys.

Tip: Copy the string from the output of this Linux command cat /path/to/key.p12 | base64 (add –wrap=0 to the base64 command if you are running Windows OS).

SSG_SSL_KEY_PASS No
The default Gateway SSL key password. Can be left empty if the p12 key is not password protected.
SSG_LICENSE No/Disabled by default

IMPORTANT: Use the SSG_LICENSE environment variable in a development or test environment only. It is not recommended for production use, since it exposes the (encoded) license in plain text in your configuration file. The preferred method is to mount the license file(s) as secret volumes.

The CA API Gateway license as a Gzipped, Base64-encoded string (with no space characters or line breaks). A valid license is required to operate the Container Gateway.

Use this SSG_LICENSE env var to install a single Gateway license. To install multiple licenses, use the preferred method of mounting the license file(s) as secret volumes.

Note: Providing the license through this environment variable is disabled by default. To enable, add the following to the docker-compose.yml file in Sample Docker Compose Deployment File:

EXTRA_JAVA_ARGS: "-Dcom.l7tech.bootstrap.env.license.enable=true"
Alternatively, add this line to the gateway.env file in Sample Openshift Deployment Files:
EXTRA_JAVA_ARGS="-Dcom.l7tech.bootstrap.env.license.enable=true"

Deprecated Environment Variables

These variables were used in the previous versions of the container Gateway and are no longer in use.

Variable
SSG_CLUSTER_COMMAND

SSG_DATABASE_TYPE
SSG_DATABASE_HOST
SSG_DATABASE_PORT
SSG_DATABASE_NAME

SSG_DATABASE_ADMIN_USER
SSG_DATABASE_ADMIN_PASS

SSG_INTERNAL_SERVICES

Known Issue

The following issue occurs only in a scenario when multiple container Gateways access the same SQL database instance.

Unable to set new Admin Username and Password for Additional Container Gateways 

The Container Gateway stores values for the SSG_ADMIN_USERNAME and SSG_ADMIN_PASSWORD in the SQL database instance. If an additional Container Gateway is created and configured to use the same SQL database instance, the initial settings for admin username and password values persist.  Any new admin username and password values are ignored.

Workaround: Use different SQL database instances. 

More Information

Was this helpful?

Please log in to post comments.

  1. Mikael Diwing
    2018-01-17 04:18

    Hi the above link is dead under the SSG_LICENSE section: derive a custom image that includes the license lead to: https://docops.ca.com/display/GATEWAY/.Customize+the+Container+Gateway+v9.3

    1. Christine Heywood
      2018-01-17 04:33

      Hi, this section underwent an update today. The information has changed, resulting in the removal of the link and and a rewrite of the information. Please see the update.