CA API Gateway - 9.3
Documentation powered by DocOps

Miscellaneous Cluster Properties

Last update September 5, 2018

The following cluster properties control various aspects of CA API Gateway behavior.

Refer to "Time Units" under Cluster Properties for a list of the valid time units that you can use for time-related properties.

Property

Description

admin.certificateDiscoveryEnabled

Allows the Policy Manager to securely discover this Gateway's SSL certificate without user intervention. Value is a Boolean.

  • true = Automatic certificate discovery is enabled, without user intervention required.

  • false = Automatic certificate discovery is disabled. When the Policy Manager attempts to trust a server certificate for the first time, a confirmation dialog is displayed and you must explicitly accept or reject the certificate.

Default: true

Tip: See also services.certificateDiscoveryEnabled.

attachment.diskThreshold

Threshold of attachments in a single request to keep in RAM.

Default: 1048576 bytes

builtinService.snmpQuery.enabled

Controls the availability of the SNMP query service check box in the Listen Port Properties [Basic Settings] tab.

  • true = The check box displays among the other built-in service check boxes.

  • false = The check box is suppressed.

Default: true

CA WSDM Gateway Observer


contentType.otherTextualTypes

Textual Content-Types. By default, the Gateway recognizes these Content-Types: text, xml, json and form encoded. Each additional Content-Type should be on a separate line and may include a charset, for example:

application/custom; charset="UTF-8"

customerMapping.addToGatewayAuditEvents

Controls whether the Gateway saves the mapping information with the audits:

  • true = mapping information is saved in the Gateway audit, enabling it to be viewed in the Gateway Audit Events window.

  • false = mapping information is not saved in the Gateway audit.

Default: true

customerMapping.addToServiceMetrics

Determines whether the Gateway saves the mapping information with the service metrics:

  • true = mapping information is saved with the service metrics, allowing it to be used in the Dashboard.

  • false = mapping information is not saved with the service metrics.

Default: true

dataGrid.protocol

The protocol Hazelcast uses to discover cluster members. Restart all nodes in the cluster for changes to take effect.

Default: tcpip

Notes: (1) The Hazelcast cache is used for message replay protection and is a key component of assertions such as the Protect Against Message Replay assertion. (2) This is a hidden cluster property that is edited by typing its name in the Key field in Manage Cluster-Wide Properties. Modify this only under the direction of CA Support.

dataGrid.tcpip.connectionTimeout

Maximum time Hazelcast will try to connect to a well-known member before timing out. Value is a time unit.

Default: 5s

Tip: The "Notes" under dataGrid.protocol above also apply here.

datetime.autoFormats

Values for built-in set of supported date formats. This property determines the values that the Set Context Variable assertion can parse by default when "<auto>" is selected and what values the Compare Expression assertion can automatically convert when "Date/Time" is selected as the data type.

This is a hidden cluster property that is edited by typing its name in the Key field in Manage Cluster-Wide Properties. By default, these formats are supported:

  • W3C ISO 8601 (http://www.w3.org/TR/NOTE-datetime) Example: 1997-07-16T 19:20:30.45-1:00

  • HTTP-Date (RFC 1123, RFC 850, asc time)

  • RFC 1123 Example: Sun, 06 Nov 1994 08:49:37 GMT

  • RFC 822 (and RFC 1036) Example: Sun, 06 Nov 94 08:49:37 GMT

  • RFC 850 Example: Friday, 19-Nov-82 16:14:55 EST

  • asc time Example: Fri Nov 12 13:02:02 2012

Observe these guidelines when configuring this property:

  • The string must be formatted as <format><^pattern$>.

  • The pattern must begin with the ^ character and end with the $ character.

  • White space is not required and is ignored if present.

  • Any pairs with an invalid format or pattern are ignored and an audit is generated.

  • The Policy Manager does not validate the value for this property.

The default value for the cluster property is as follows (line breaks added here for readability and to minimize horizontal scrolling when viewing this page):

yyyy-MM-dd'T'HH:mm:ss.SSSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{3}(?:Z|(?:\+|-)\d{2}:\d{2})$

yyyy-MM-dd'T'HH:mm:ss.SSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$

yyyy-MM-dd'T'HH:mm:ss.SXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}\.\d{1}(?:Z|(?:\+|-)\d{2}:\d{2})$

yyyy-MM-dd'T'HH:mm:ssXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}:\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$

yyyy-MM-dd'T'HH:mmXXX ^\d{4}-\d{2}-\d{2}T\d{2}:
\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$

yyyy-MM-dd ^\d{4}-\d{2}-\d{2}$

yyyy-MM ^\d{4}-\d{2}$

yyyy ^\d{4}$

EEE, dd MMM yyyy HH:mm:ss z ^[a-zA-Z]{3},\s\d{2}
\s[a-zA-Z]{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s(?:
[a-zA-Z]{3}|(?:\+|-)\d{4})$

EEE, dd MMM yy HH:mm:ss Z ^[a-zA-Z]{3},\s\d{2}
\s[a-zA-Z]{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?:
[a-zA-Z]{3}|(?:\+|-)\d{4})$

EEE, dd-MMM-yy HH:mm:ss z ^
(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),
\s\d{2}-[a-zA-Z]{3}-\d{2}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$

EEE MMM dd HH:mm:ss yyyy ^[a-zA-Z]{3}\s[a-zA-Z]{3}
\s(\d{2}|\s\d)\s\d{2}:\d{2}:\d{2}\s\d{4}$
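As an added example (not the Gateway's own parser, whose internals this page does not document), the following Python applies the guidelines above to a datetime.autoFormats value: it reads one <format><^pattern$> pair per line, ignores white space, drops pairs with an invalid pattern while recording an audit message, and then reports which format a sample value would be parsed with. The one-pair-per-line layout, the audit wording and the trailing invalid pair are assumptions of this example; the sample value is the page's default set with its display line breaks removed.

```python
import re

# Constructed sample value (not from a live Gateway): the page's default set
# with its display line breaks removed, one <format><^pattern$> pair per line,
# plus a deliberately invalid trailing pair whose pattern lacks the closing $.
AUTO_FORMATS = r"""
yyyy-MM-dd'T'HH:mm:ss.SSSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ss.SSXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ss.SXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{1}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mm:ssXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd'T'HH:mmXXX ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(?:Z|(?:\+|-)\d{2}:\d{2})$
yyyy-MM-dd ^\d{4}-\d{2}-\d{2}$
yyyy-MM ^\d{4}-\d{2}$
yyyy ^\d{4}$
EEE, dd MMM yyyy HH:mm:ss z ^[a-zA-Z]{3},\s\d{2}\s[a-zA-Z]{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE, dd MMM yy HH:mm:ss Z ^[a-zA-Z]{3},\s\d{2}\s[a-zA-Z]{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE, dd-MMM-yy HH:mm:ss z ^(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s\d{2}-[a-zA-Z]{3}-\d{2}\s\d{2}:\d{2}:\d{2}\s(?:[a-zA-Z]{3}|(?:\+|-)\d{4})$
EEE MMM dd HH:mm:ss yyyy ^[a-zA-Z]{3}\s[a-zA-Z]{3}\s(\d{2}|\s\d)\s\d{2}:\d{2}:\d{2}\s\d{4}$
dd/MM/yyyy ^\d{2}/\d{2}/\d{4}
"""


def parse_auto_formats(value):
    """Return (pairs, audits). pairs holds (java_format, compiled_regex) in
    property order; audits holds one message per pair the guidelines reject
    (no leading ^, no trailing $, empty format, or a pattern that does not
    compile). The one-pair-per-line layout is an assumption of this example."""
    pairs, audits = [], []
    for raw in value.splitlines():
        line = raw.strip()          # surrounding white space is ignored
        if not line:
            continue
        caret = line.find("^")
        if caret < 1 or not line.endswith("$"):
            audits.append(f"invalid format/pattern pair ignored: {line!r}")
            continue
        fmt, pattern = line[:caret].strip(), line[caret:]
        try:
            pairs.append((fmt, re.compile(pattern)))
        except re.error as exc:
            audits.append(f"pattern does not compile ({exc}): {line!r}")
    return pairs, audits


def detect_format(text, pairs):
    """Return the first format whose anchored pattern matches text, or None
    when no pattern matches (the <auto> parse would then fail)."""
    for fmt, regex in pairs:
        if regex.match(text):
            return fmt
    return None


PAIRS, AUDITS = parse_auto_formats(AUTO_FORMATS)

if __name__ == "__main__":
    for sample in ("2018-09-05T10:20:30.123Z", "Sun, 06 Nov 1994 08:49:37 GMT",
                   "Friday, 19-Nov-82 16:14:55 EST", "05/09/2018"):
        print(f"{sample!r:36} -> {detect_format(sample, PAIRS)}")
    for audit in AUDITS:
        print("AUDIT:", audit)
```

Because the invalid dd/MM/yyyy pair is discarded, "05/09/2018" matches nothing even though its pattern would have accepted it, which is the behaviour the "ignored and an audit is generated" guideline describes.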

datetime.customFormats

Customizes the values displayed in the "Format" drop-down list in the Set Context Variable assertion. Users can modify datetime.customFormats by adding new formats or by removing the existing formats. To add additional formats, enter them here, separating each format with a semicolon. Changing datetime.customFormats does not affect values in datetime.autoFormats.

db.replicationDelayThreshold

The threshold for auditing a warning due to slow or failed replication. Enter "0" (zero) to disable audits. Value is a time unit.

Default: 60s

db.replicationErrorAuditInterval

Minimum interval between successive database replication failure audits. This allows the number of audits to be restricted, so auditing will occur only once per hour (or whatever is configured) when replication is failing. Value is a time unit.

Default: 60m

ekeycache.maxEntries

Maximum number of cached ephemeral key thumbprints (per-node).

Default: 1000

help.url

Location of the online help system. By default, the Policy Manager uses the Gateway documentation located at http://docops.ca.com/gateway. Change this setting only if your organization has installed an offline version of the document due to internet restrictions (see Install Offline Help).

Default: blank (which indicates the factory default help location is in use)

Notes: (1) The new help file location will take effect the next time you log in to the Policy Manager. (2) The new value must point to a web server that supports http or https.

icap.channelIdleTimeout

Maximum idle time for a connected channel in the connection pool to an ICAP server. Any channels exceeding this timeout value will be disconnected and removed from the pool. Value is a time unit; the allowable range is between 1 second and 1 hour.

Default: 1m

keyStore.searchForAlias

Determines how the Gateway searches for key aliases:

  • true = If an assertion refers to a private key in a non-existent keystore, the Gateway checks all other keystores for an identical private key alias. If one is found, it will be used instead. In the Policy Manager, a warning validator message is displayed for any affected assertions.

  • false = If an assertion refers to a private key in a non-existent keystore, an error is returned and the policy containing this assertion will be inoperative. Other keystores are not examined.

Default: true

For more information about private keys, see Manage Private Keys. For more information on how to select a private key to use, see Select a Custom Private Key.

keyStore.signWithSha1

Sets the default signature hash to use for the message digest when signing certificates. Value is a Boolean.

  • true = use SHA-1

  • false = use SHA-384

Default: false

krb5.kdc

Sets the "kdc" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the KDC value.

krb5.realm

Sets the "default_realm" value in the krb5.conf (Kerberos configuration) file. The default value is determined by parsing the user's domain in the kerberos.keytab file, then performing a host/IP lookup to determine the realm.

license.expiryWarningPeriod

Time in the future to display impending expiration of the Gateway license or SSL certificate. Value is a time unit.

Default: 30d

metrics.fineInterval

Time interval for Service Metrics fine resolution bins.

Default: 5000 milliseconds

For more information about service metrics bins, see Dashboard - Service Metrics.

Note: Restart the cluster if you change this value.

mtom.decodeSecuredMessages

Controls whether secured MTOM-encoded messages are automatically decoded. Value is a Boolean.

  • true = MTOM-encoded messages containing a WS-Security header that is processed by the Gateway are automatically decoded to a regular SOAP message for security processing.

  • false = MTOM-encoded messages are not automatically decoded prior to WS-Security processing. An undecoded secure MTOM message can cause WS-Security processing to fail.

Default: true

Note: This cluster property only acts on messages containing a WS-Security header destined for the Gateway. All other messages are unaffected by this property, and MTOM decoding occurs only when a Decode MTOM Message assertion is present in the policy.

pingServlet.mode

Determines how the Gateway responds to PING commands. Values are:

  • OFF: No response to any ping attempts.

  • REQUIRE_CREDS: Responds only when the request is submitted using SSL on port 8443, with credentials in the request.

  • OPEN: Minimal response when the request is submitted without SSL (port 8080); full response when the request is submitted with SSL (port 8443).

  • MONITOR: Returns a minimal status message to the client, while denying access to any node system information.

Default: REQUIRE_CREDS

See Ping URI Test for a more detailed description of each setting.

policyValidation.maxConcurrency

Maximum number of server-side policy validation jobs that may be active simultaneously.

Default: 15

Requires a Gateway restart for changes to take effect.

policyValidation.maxPaths

Maximum number of possible paths through a policy before the policy is considered to be too complex to attempt server-side validation.

Default: 500000

policyVersioning.maxRevisions

Maximum number of policy revisions to retain. Only revisions that are not active and which do not have a comment count toward the maximum. If set to zero, only the active version and commented versions are retained. Revisions with comments are always retained, regardless of the setting of this cluster property.

Default: 20

relayGatewayMetrics.enable

Controls whether the Gateway publishes performance metrics events for use by modular assertions created specifically for this purpose. Currently, assertion metrics such as start/end time and latency are available.

CA Technologies continues to enhance the metrics being recorded and will provide a range of modular assertions to meet various needs. Contact your CA Technologies representative for more information.

Default: true

Note: This cluster property takes effect only when an appropriate modular assertion is present on the Gateway, otherwise this cluster property is ignored.

request.compress.gzip.allow

Determines whether GZIP compressed requests are accepted:

  • true = compressed requests are accepted by the Gateway

  • false = all compressed requests are rejected

Default: true

response.compress.gzip.allow

Determines whether GZIP compressed responses can be returned to the client:

  • true = compressed response can be returned to the client

  • false = force a non-compressed response from the Gateway to the client, regardless of the Accept-Encoding requested by the client

Default: true

restman.request.message.maxSize

Configures the maximum request message size going to the REST Management Service, to support large migrations. The io.xmlPartMaxBytes cluster property has no effect on the REST Management Service.

Default: 50MB

rbac.autoRole.managePolicy.autoAssign

Determines if a non-admin user should be added to the auto-created Manage Policy role, when a new Policy is successfully created.

  • true = the non-admin user is assigned to the Manage Policy role

  • false = the non-admin user is not assigned to the Manage Policy role

Default: true

rbac.autoRole.manageProvider.autoAssign

Determines if a non-admin user should be added to the auto-created Manage Provider role, when a new Policy is successfully created.

  • true = the non-admin user is assigned to the Manage Provider role

  • false = the non-admin user is not assigned to the Manage Provider role

Default: true

rbac.autoRole.manageService.autoAssign

Determines if a non-admin user should be added to the auto-created Manage Service role, when a new Published Service is successfully created.

  • true = the non-admin user is assigned to the Manage Service role

  • false = the non-admin user is not assigned to the Manage Service role

Default: true

rsasigcache.maxEntries

Number of verified signatures to cache. The property sets the size of the RSA signature cache, which keeps track of recently-verified XML snippets. Only the SHA-1 hash is cached, not the entire XML snippet.

Caching is disabled by default, which enhances overall security with a slight performance penalty. When caching is enabled, the RSA decrypt operation is skipped and the signature is assumed verified if the exact same signed XML is presented, verified with exactly the same public key and signature value. The cached signature is not used if there are changes to the XML, public key, or signature value.

Enable this property when:

  • Your Gateway repeatedly validates the same signed XML snippets (for example, SAML assertions) and maximum throughput is important.

  • Your organization's security policy permits cached signatures.

  • Caching code in the signature validation code path is acceptable.

A setting of zero disables the cache.

Default: 0 (caching disabled)

Requires a Gateway restart for changes to take effect.

scheduledTask.maxThreads

The maximum number of threads for the task scheduler. Must be greater than or equal to 1.

Default: 10

Requires a Gateway restart for changes to take effect.


security.fips.enabled

Enable FIPS-compliant cryptographic algorithms. Value is a Boolean.

  • true = Places the RSA software cryptographic provider into FIPS mode, but security providers from the runtime environment continue to be available. If a Gateway feature is enabled that requires a non-FIPS algorithm (for example, the Certificate Discovery Service or an SSL cipher that uses RC4 or MD5), then the Gateway tries to use the built-in security provider for that feature.

When the security.fips.enabled property is set to "true", non-FIPS ciphers are not accepted. There is no assurance that the built-in TLS implementation can correctly process all non-FIPS algorithms.

  • false = The built-in non-FIPS Sun provider is always used; FIPS mode is never enabled.

Default: false

serverModuleFile.upload.enable

Enable or disable the Manage Server Module Files task in the Policy Manager.

Default: true

serverModuleFile.upload.maxSize

The maximum server module file size permitted to be uploaded. The default is 20MB. A value of "0" (zero) indicates unlimited size.

Default: 20971520 (bytes).

Notes: (1) This value should be less than the DB packet size limit. For example, for MySQL this is the max_allowed_packet value within my.cnf or my.ini. (2) Increasing the default value may cause database replication issues in a clustered environment.

siteminder12.agent.configuration

Configures the agent for the Authenticate with SiteMinder R12 Protected Resource assertion. For more information, see Install the SiteMinder R12 Protected Resource Assertion.

soap.actors

soap.roles

The SOAP actors or roles in the security header that are processed by the Gateway. Each actor or role should be separated with a space or placed on a separate line.

Default:

secure_span
http://www.layer7tech.com/ws/policy

  • If the Gateway - XML VPN Client is used, do not remove the "secure_span" actor or role.

  • Any new actor or role added to these properties is treated in the same manner as the "secure_span" actor when it comes to processing of security headers in routing assertions (that is, if the "Remove Layer 7 actor and mustUnderstand attributes from processed Security header" option is chosen for WSS header handling in a routing assertion property).

Unless otherwise configured in the policy, response messages use the actor/role value from the request message (if the request message uses one of the configured additional values).

soap.rejectMustUnderstand

Controls how messages with unrecognized SOAP headers addressed to the Gateway are handled:

  • true = Messages containing "mustUnderstand" SOAP headers other than "Security" and "Timestamp" that are addressed to the Gateway role are rejected immediately, during security processing.

  • false = Messages containing such SOAP headers are passed through security processing and into policy processing.

Default: true

swagger.maxDownloadSize

Maximum size (in bytes) of a Swagger specification document download. A value of "0" (zero) indicates unlimited size.

Default: 10485760 bytes (uses the value from the ${documentDownload.maxSize} context variable)

template.defaultMultivalueDelimiter

Delimiter between values when a multi-valued context variable is interpolated.

Default: , (comma space)

template.partBodyMaxSize

Maximum size of message part bodies to interpolate in memory.

Default: 5242880 bytes

template.strictMode

Determines what happens when a context variable cannot be resolved for whatever reason. Value is a Boolean.

  • true = Nonexistent variables in a template can cause assertions or policy processing to fail.

  • false = Nonexistent variables in a template trigger a warning audit event and an empty string is used instead; this does not cause assertions or policy processing to fail.

Default: false
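The three template.* properties above describe how ${variable} references are interpolated. The following Python is an added illustration, not the Gateway's template engine: it joins multi-valued variables with a configurable delimiter (template.defaultMultivalueDelimiter, default ", ") and implements both template.strictMode behaviours for an unresolvable variable. The context variables, the TemplateError class and the audit wording are constructed for this example.

```python
import re

# Constructed context (not captured from a Gateway): one single-valued and
# one multi-valued variable.
CONTEXT = {
    "request.http.method": "GET",
    "request.http.header.values.accept": ["text/xml", "application/json"],
}


class TemplateError(Exception):
    """Raised in strict mode when a referenced variable cannot be resolved
    (the assertion or policy processing would fail at this point)."""


def interpolate(template, context, strict_mode=False, delimiter=", "):
    """Expand ${name} references in template.

    strict_mode mirrors template.strictMode; delimiter mirrors
    template.defaultMultivalueDelimiter. Returns (text, audits) where audits
    lists the warning messages produced for unresolved variables when
    strict_mode is False (an empty string is substituted instead).
    """
    audits = []

    def resolve(match):
        name = match.group(1)
        if name not in context:
            if strict_mode:
                raise TemplateError(f"variable not found: {name}")
            audits.append(f"WARNING: variable {name} not found; empty string used")
            return ""
        value = context[name]
        if isinstance(value, (list, tuple)):
            # Multi-valued variable: interpolate as delimiter-joined values.
            return delimiter.join(str(item) for item in value)
        return str(value)

    return re.sub(r"\$\{([^}]+)\}", resolve, template), audits


if __name__ == "__main__":
    text, audits = interpolate(
        "${request.http.method} accepts ${request.http.header.values.accept}",
        CONTEXT)
    print(text, audits)
    text, audits = interpolate("[${missing.var}]", CONTEXT)
    print(text, audits)
```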

wsdlDownload.maxSize

Maximum size of a WSDL document download. A value of zero indicates unlimited size.

Default: 10485760 bytes (uses the value from the ${documentDownload.maxSize} context variable)

wsdm.notification.enabled

Enables notifications when subscribing to a WSDM resource. Value is a Boolean.

Default: true

wsdm.notification.interval

Time between WSDM subscription notifications attempts. This applies only to metrics notifications; status changes are sent as they occur.

Default: 60000 milliseconds

xslDownload.maxSize

Maximum size in bytes of an XSL document download. A value of "0" (zero) indicates unlimited size.

Default: 10485760 bytes (uses the value from the ${documentDownload.maxSize} context variable)

xacml.pdp.maxDownloadSize

Maximum size of an XACML policy document download. A value of zero indicates unlimited size.

Default: 10485760 bytes (uses the value from the ${documentDownload.maxSize} context variable)

xacml.pdp.policyCache.maxAge

Time to cache an XACML policy in memory. When the Evaluate XACML Policy assertion is processed within the policy, the policy is re-downloaded if the cached policy is older than the value of this cluster property.

Default: 300000 milliseconds

Requires a Gateway restart for changes to take effect.

xacml.pdp.policyCache.maxEntries

Maximum number of cached XACML policies loaded from URLs across all Evaluate XACML Policy assertions on a single Gateway node. Enter zero to disable caching.

Default: 100

Requires a Gateway restart for changes to take effect.

xacml.pdp.policyCache.maxStaleAge

Maximum expiration of cached policies loaded from URLs. A setting of "-1" indicates no expiry.

Default: -1

Requires a Gateway restart for changes to take effect.

xslt.engine.force20

Determines when the XSLT 2.0 engine (currently Saxon) is used to process XSLT/XPath stylesheets. Value is a Boolean.

  • true = Forces the use of the XSLT 2.0 engine to process v1.0 stylesheets in software.

  • false = Uses the XSLT 2.0 engine only for v2.0 XSLT/XPath operations.

Default: false

Requires a Gateway restart for changes to take effect.
