- 21 Nov 2024
-
DarkLight
-
PDF
Profile Properties
- Updated on 21 Nov 2024
-
DarkLight
-
PDF
Configuration properties for IAP are summarized below. Much of the configuration occurs within Admin Essentials → Profiles but other configuration occurs in the various Admin Essentials → Service Config interfaces and within the properties.json
file.
Configuring the Profile Properties
The following properties are configured within the Admin Essentials → Profiles →{active profile}->Configure Tab. Navigate to Edit Profile Properties and select the properties in the appropriate "section" discussed below.
Adapter Strategy
An adapter strategy can be defined for IAP to show a preference for one southbound system (provider) over another. By setting the adapterStrategy
property, an administrator of IAP can better direct how device-bound calls interact with external/southbound systems. Additionally, an exception can be setup for the runCommand
APIs and workflow tasks if the order needs to be further controlled.
Note: Any custom adapter that has implemented the device broker methods would come next after the configured preferential order has been exhausted.
Currently Supported | Values |
---|---|
Strategy Types | device |
Adapter Types | AutomationGateway NSO |
Exception | runCommand |
Sample Adapter Strategy Properties
"adapterStrategy" : {
"device": {
"adapterTypes": [
"AutomationGateway",
"NSO"
],
"exceptions": {
"runCommand": "NSO"
}
}
}
The properties of the adapterStrategy
object include the type of strategy, and currently device
is the only one supported. This object contains two properties: adapterTypes
and exceptions
.
The property value for adapterTypes
is an array of strings that are the types of the adapters; however, only AutomationGateway
and NSO
are possible values to be set. Under that section you can set the default order of the provider. In the example above, the calls that are shown in the lists below will prefer AutomationGateway
over NSO
. These names are types of adapters and not names of adapter instances defined by the user such as nso45
or nso46
. If for some reason the preferred provider cannot fulfill the request IAP will try the next one on the list. Lastly, if a custom adapter implements the device broker, then it will be attempted next. If all adapters have tried to fulfill the request and fail, an error is returned.
The exceptions
object contains key/value pairs that represent specific function level overrides. An exception definition will use the provider value for that function over the preferred provider order defined in adapterTypes
. Currently only runCommand
is supported.
Once this object is configured the way you would like, save the configuration and restart IAP.
WARNING: These are 'system-wide' properties so multiple calls will be impacted. See the tables below for the specific calls that are affected.
When IAP communicates with its registered providers it will call them in the order defined in the adapter strategy. Based on the example above IAP will call any AutomationGateway
providers first, then any NSO
providers, then any providers not listed in the strategy; unless the call is runCommand
where it will call the NSO
provider first. The strategy ensures the call will return after the first successful provider responds.
The following APIs and Workflow tasks will be affected if the adapterStrategy
property is set:
Workflow Task Name | API Route and Endpoint |
---|---|
backUpDevice |
POST /configuration_manager/devices/backups |
getDevice |
GET /configuration_manager/devices/:name |
getDeviceConfig |
GET /configuration_manager/devices/:name/configuration |
getDeviceConfigFormat |
GET /configuration_manager/devices/:name/configuration/:format |
getDevicesFiltered |
POST /configuration_manager/devices |
isAlive |
GET /configuration_manager/devices/:name/isAlive |
lookupDiff |
PUT /configuration_manager/lookup_diff |
runNodeReport |
GET /golden_config/compliance/node/:tree/:nodeid |
runReportForDevice |
GET /golden_config/compliance/:treeid/:device |
runSelectedReport |
GET /golden_config/compliance/:tree/:nodeid/:selected |
runTreeReport |
GET /golden_config/compliance/tree/:tree |
GetBootFlash |
POST /mop/GetBootFlash |
passThru |
POST /mop/passThru/:device |
ping |
POST /mop/ping |
RunCommand |
POST /mop/RunCommand |
RunTemplateDevice |
POST /mop/RunTemplateDevice |
RunTemplateDevices |
POST /mop/RunTemplateDevices |
SetBoot |
POST /mop/SetBoot |
isAlive |
POST /nso_manager/isAlive |
liveStatus |
POST /nso_manager/liveStatus |
DryRunDeletion |
POST /smart_template/st/dryrun/deletion |
ProvisionDeletion |
POST /smart_template/st/provision/deletion |
ProvisionST |
POST /smart_template/st/provision |
getDevicesFiltered |
POST /policy-manager/devices-filtered |
importPoliciesFromDevice |
POST /policy-manager/import/device |
importPoliciesPreview |
POST /policy-manager/import/preview |
pushDryrun |
POST /policy-manager/device/dryrun |
DryRunWF |
POST /smart_template/st/dryrunWF |
ProvisionWF |
POST /smart_template/st/provisionWF |
The following APIs endpoints (e.g. no corresponding workflow task) will be affected if the adapterStrategy
property is set:
API Route and Endpoint | Method Name |
---|---|
POST /configuration_manager/patch_device/:deviceName |
patchDeviceConfiguration |
POST /golden_config/addNative |
addNativeRules |
GET /golden_config/compare/:device/:tree/:nodeid |
compareDeviceToLeaf |
GET /mop/devices/:substring |
getDevicesFiltered |
GET /mop/devices/detailed/:substring |
getDevicesFilteredDetailedResults |
POST /mop/RunCommandDevices |
RunCommandDevices |
POST /mop/RunCommandTemplateSingleCommand |
RunCommandTemplateSingleCommand |
POST /mop/deviceObjects |
getDeviceObjectsFiltered |
GET /nso_manager/devices/:substring |
getDevicesFiltered |
POST /policy-manager/device/push |
pushToDevice |
POST /smart_template/st/autogenerate |
CreateST |
The following Workflow tasks (e.g. no corresponding APIs) will be affected if the adapterStrategy
property is set:
Workflow Task | Application |
---|---|
runAutoRemediation |
Configuration Manager |
runComplianceForDevice |
Configuration Manager |
runComplianceForNode |
Configuration Manager |
runComplianceForTree |
Configuration Manager |
Additionally, the following calls are affected if the exceptions
property is set:
Workflow Task Name | API Route and Endpoint |
---|---|
GetBootFlash |
POST /mop/GetBootFlash |
passThru |
POST /mop/passThru/:device |
RunCommand |
POST /mop/RunCommand |
RunTemplateDevice |
POST /mop/RunTemplateDevice |
RunTemplateDevices |
POST /mop/RunTemplateDevices |
SetBoot |
POST /mop/SetBoot |
The following APIs endpoints (e.g. no corresponding workflow task) will be affected if the exceptions
property is set:
API Route and Endpoint | Method Name |
---|---|
POST /mop/RunCommandDevices |
RunCommandDevices |
POST /mop/RunCommandTemplateSingleCommand |
RunCommandTemplateSingleCommand |
Important: All the calls above are affected by the
adapterStrategy
property setting. Use care and caution when using the property as many of these calls could be difficult to find deep within workflows.
Alarm
The alarm properties allow the administrator to configure the remote SNMP trap destinations the health check alarms will be sent to. Currently, SNMP v1 and SNMP v2 are supported. A list of alarm receivers may be configured for a high-availability solution. IAP will attempt to deliver each alarm to all configured receivers.
The following alarms are currently supported by IAP.
Alarm | Objects | Description |
---|---|---|
Pronghorn Running | IAP has successfully started and is currently operational. | |
Pronghorn System Error | System Error | Reserved for future use. |
Adapter Unreachable | Adapter ID, Remote IP Address, Remote Port | An IAP adapter could not establish a connection with its external system. |
Adapter Connected | Adapter ID, Remote IP Address, Remote Port | An IAP adapter successfully established a connection with its external system. |
Adapter Function Error | Adapter ID, Adapter Function, Adapter Error | Reserved for future use. |
The IAP SNMP MIB defining each of the supported alarms is located at /opt/pronghorn/current/snmp/pronghorn.mib
.
For a comprehensive list of SNMP notifications, see Itential SNMP MIB.
Property | Type | Default | Description |
---|---|---|---|
ip |
String | 127.0.0.1 |
The IP address of the remote alarm receiver. FQDNs are supported in this field. IPv4 and IPv6 addresses are also supported. |
community |
String | public |
The SNMP community to apply to the outgoing trap or inform. |
type |
String | trap |
The type can be configured as either a trap or inform. Traps are delivered without acknowledgement, e.g., fire-and-forget . Informs are delivered with an expected acknowledgement. |
properties.transport |
String | udp4 |
The protocol to use to send alarms to this receiver. Valid options are udp4 and udp6 . |
properties.trapPort |
Number | 162 |
The remote port of this alarm receiver. Must be a number in the range 1 - 65535. |
properties.version |
String | V2: |
The SNMP version to use when delivering notifications to this alarm receiver. Valid options are V1 and V2 . |
properties.retries |
Number | 1 |
The number of timeout cycles to wait for an acknowledgement when delivering inform type notifications. |
properties.timeout |
Number | 5000 |
The number of seconds to wait for an acknowledgement when delivering inform type notifications. |
Sample Alarm Properties
"alarmProps": [{
"ip" : "127.0.0.1",
"community" : "public",
"type" : "trap",
"properties" : {
"transport" : "udp4",
"trapPort" : 162,
"version" : "V1"
}
},{
"ip" : "127.0.0.1",
"community" : "public",
"type" : "inform",
"properties" : {
"transport" : "udp4",
"trapPort" : 162,
"version" : "V2",
"retries" : 1,
"timeout" : 5000
}
}]
Sample Alarm Configuration Option
"alarmProps": {
"ip": "127.0.0.1",
"community": "public",
"properties": {
"retries": 1,
"timeout": 5000,
"transport": "udp4",
"trapPort": 1162,
"version": "V1"
},
"type": "trap"
}
Application
The application properties are captured by the applicationProps
object.
Property Name | Type | Default | Description |
---|---|---|---|
description |
String | Application | The description property. |
directory |
String | /opt/pronghorn/current/node_modules |
This property provides the location of the node_modules directory. This property should generally remain unchanged and be set to the default. |
Sample Application Properties
"applicationProps": {
"description": "Application",
"directory": "/opt/pronghorn/current/node_modules"
}
Audit
The audit properties control whether user auditing features are enabled. If user auditing is enabled, user actions on the network are stored in the audit_trail
MongoDB collection.
Property | Type | Default | Description |
---|---|---|---|
description |
String | Audit |
The description property. |
audit |
Boolean | true |
A boolean flag indicating whether auditing is enabled. This should be set to true for production environments. |
Sample Audit Properties
"auditProps": {
"description": "Audit",
"audit": true,
}
Authentication
The authentication properties in authenticationProps
allow for optional enforcement of a unique session per user requirement and the assignment of IAP administrator groups. The ability for an AAA adapter to provide a principal document is also supported.
IAP authorization and authentication relies on an external authentication system; a property exists to specify which group within the external authentication adapter specifies the user with administrative access to IAP.
This property is set within the active IAP Profile and can contain multiple group names. Every user that is a member of the external group name within the list will be granted IAP administrator access.
Each entry in the administrator list must contain two fields: provenance and group.
Property | Description |
---|---|
provenance |
The name of the AAA adapter. |
group |
The name of the group returned by the AAA adapter. |
Property | Type | Default | Description |
---|---|---|---|
description |
String | audit |
The description property. |
uniqueSession |
Boolean | false |
When set to true, only one session may be enabled for a given user. If a second session is established for the same user, the original session will be invalidated. |
brokerPrincipal |
Boolean | false |
When set to true, the AAA adapter will supply a customized principal document. See the Developer Guide for how this is accomplished. |
admins |
Array | ["g1", "g2", ...] |
A list of groups which are authorized to perform user management activities. Members of these groups will be implicitly assigned the pronghorn_admin role. |
admins.provenance |
String | <adapter_name> |
The name of the AAA adapter in which the groups reside. |
admins.group |
String | pronghorn_admin |
The name of a user group which will have IAP user management capabilities. |
Sample Authentication Properties
"authenticationProps": {
"description": "audit",
"uniqueSession": false,
"brokerPrincipal": false,
"admins": [{
"provenance": "local_aaa",
"group": "pronghorn_admin"
}]
}
Note: Be sure to configure the AAA adapter in addition to
authenticationProps
.
Express
IAP uses the Node.js Express web server to capture incoming requests. The Express properties allow an administrator to configure whether IAP will listen on HTTP and/or HTTPS. The properties also allow an administrator to configure HTTPS keys, certificates, TLS versions, and supported cipher suites.
The private key referenced by express_https.key
property should contain one of the following patterns.
Unencrypted Private Key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
The private key may also be encrypted.
Encrypted Private Key
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
Note: If the private key contains the following pattern, the
express_https.passphrase
should be configured with the passphrase of the private key.
The certificate file referenced by the express_https.cert
property should be like the following.
Unencrypted Private Key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
For more information on the set of cipher suites that are supported by Node.js, see Modifying the Default TLS Cipher Suite.
Property Name | Type | Default |
---|---|---|
description |
String | Express Server |
cacheControl |
Boolean | false |
timeout |
Number | Default 5 minutes; Maximum 32 minutes |
access_control_allow_origin |
String | * |
express_http.enable |
Boolean | true |
express_https.port |
Number | 3000 |
express_https.enable |
Boolean | true |
express_http.port |
Number | 3443 |
express_https.key |
String | /etc/ssl/keys/pronghorn.key |
express_https.passphrase |
String | |
express_https.cert |
String | /etc/ssl/keys/pronghorn.cert |
express_https.secureProtocol |
String | TLSv1_2_method |
express_https.ciphers |
String | See Modifying the Default TLS Cipher Suite. |
express_https.client_reneg_limit |
Number | 1 |
express_https.client_reneg_window |
Number | 600 |
Sample Express Properties
"expressProps": {
"description": "Express Server",
"cacheControl": false,
"timeout": 300000,
"access_control_allow_origin": "*",
"express_http": {
"enable": false,
"port": 3000
},
"express_https": {
"enable": true,
"port": 3443,
"key": "/etc/ssl/keys/pronghorn.key",
"passphrase": "$ENC82ee8a234a69f15bdb8e05409cda2418878b2f85af",
"cert": "/etc/ssl/keys/pronghorn.cert",
"secureProtocol": "TLSv1_2_method",
"ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256",
"client_reneg_limit": 1,
"client_reneg_window": 600
}
}
Exposing IAP on Different Ports
For IAP, the expressProps
port for both HTTP and HTTPS is above 1024; IAP cannot be exposed on standard ports (i.e., 80-HTTP, 443-HTTPS) due to the service not running as root
. In Linux, only root
or setuid
applications can bind to ports below 1024. Please refer to Privileged Ports to learn more on running services at specific ports.
To workaround this limitation and run IAP over port 443, it will require setting HAProxy to listen on 443 and forward to localhost 3443.
Logger
The logger properties control where IAP will store its log files, how much space to dedicate to log storage, and the verbosity levels of the log messages that will be stored. IAP supports the following log levels.
Log Level | Description |
---|---|
error | The most severe level. Indicates a problem, such as a prematurely terminated program. |
warn | Used for warning conditions. Warn events may or may not indicate a problem. |
info | Used for informational messages. |
debug | Used only when debugging problems or transactions. Provides detailed information on messages between IAP adapters and external systems. |
trace | Trace events have a higher verbosity than debug. Trace events are uncommon. |
spam | The least severe level. Spam events have the highest verbosity and are rare. |
Production environments should run at either warn or info level. Running production environments in debug or trace levels will likely generate a large amount of log data and place additional load on the server. A production server should only be configured in debug mode at the request of the Itential Support.
IAP provides native support for rotation of the pronghorn.log
file. Administrators can define the total allocated storage for logs by configuring the maximum file size and maximum number of files. For example, if the maximum file size is 1 MB and the total number of files is 100, the total space consumed by pronghorn.log
files will be 100 MB. Be sure the disk that holds the IAP logs contains enough space for IAP to exercise a full log rotation cycle (100 MB).
The log levels for each application and adapter are configurable at run-time using the IAP UI. When the server is restarted, the log levels for all applications and adapters is returned to the defaults provided by the log_level
and console_level
properties.
IAP allows for the verbosity of its console logging to be configured. For systemd
based operating systems, this console logging is controlled by the system journal. The system journal may contain application life cycle error messages that are not capable of being written to the pronghorn.log
file itself. The system journal should be reviewed for errors and warnings during any troubleshooting sessions. The system journal is also written to /var/log/messages
on many systems. The storage required to store the system journal and /var/log/messages
files should also be considered during the storage planning phases.
Use the following command to monitor the system journal.
journalctl -f
Use the pronghorn.service
unit to tail the system journal and filter only IAP messages.
journalctl -f -u pronghorn.service
For more details about configuring the system journal daemon and using the journalctl
command, see the official Red Hat documentation: Using the Journal.
Property | Type | Default | Description |
---|---|---|---|
description |
String | Logging |
The description property. |
log_directory |
String | /var/log/pronghorn |
The directory to store IAP log files. |
log_filename |
String | pronghorn.log |
The name of the current IAP log file. |
log_max_file_size |
Number | 1048576 |
The maximum size of each IAP log file in bytes. Once the maximum file size is reached, the IAP log will be rotated. |
log_max_files |
Number | 100 |
The maximum number of log files maintained on the server. Once the maximum number of files is reached, the oldest file will be deleted during log rotation. |
log_timezone_offset |
Number | 0 |
The offset from GMT/UTC time that will be used when writing to the log files. Valid values are whole numbers ranging from -12-12 as is listed in List of UTC time offsets. |
log_level |
String | info |
The verbosity level the server is configured to log messages to the IAP log. This can be one of the following: error, warn, info, debug, trace or spam. As a recommendation, run production servers at info level logging. |
console_level |
String | warn |
The verbosity level the server is configured to log messages to the system journal or /var/log/messages . This can be one of the following: error, warn, info, debug, trace or spam. The verbosity of the IAP log and the system journal may be adjusted independently. |
metrics_filename |
String | metrics.log |
The name of the metrics log file inside the WorkflowEngine metrics directory. Note: This is a metrics logging specific property, that currently only pertains to Job Metrics. |
metrics_max_files |
Number | 31 |
The max number of allowed log files inside the WorkflowEngine metrics directory for retention before deleting the oldest files when a rotation occurs. Note: This is a metrics logging specific property, that currently only pertains to Job Metrics. |
metrics_rotation_interval |
String | 7d |
The maximum amount of time between metrics file rotations, before a file rotation occurs. If a file is rotated due to size before this interval is reached, then the interval timer is reset. The allowed suffix values are s (seconds), m (minutes), h (hours), d (days), or M (months). Note: This is a metrics logging specific property, that currently only pertains to Job Metrics. |
metrics_rotation_size |
String | 10M |
The maximum size a metrics file can reach before a file rotation occurs. The allowed suffix values are B (Bytes), K (KiloBytes), M (MegaBytes), or G (GigaBytes). Note: This is a metrics logging specific property, that currently only pertains to Job Metrics. |
Sample Logger Properties
"loggerProps": {
"description": "Logging",
"log_directory": "/var/log/pronghorn",
"log_filename": "pronghorn.log",
"log_max_file_size": 1048576,
"log_max_files": 10,
"log_timezone_offset": -5,
"log_level": "info",
"console_level": "warn",
"metrics_filename": "metrics.log",
"metrics_max_files": 31,
"metrics_rotation_interval": "7d",
"metrics_rotation_size": "10M"
}
Path
The path properties provide the location of customer-installed IAP applications and adapters.
Property Name | Type | Default | Description |
---|---|---|---|
description |
String | File Path Variables | The description property. |
encrypted |
Boolean | true |
A boolean flag indicating IAP core is encrypted. This should be set to true for all customer installations. |
Sample Path Properties
"pathProps": {
"description": "File Path Variables",
"sdk_dir": "/opt/pronghorn/pronghorn-applications",
"encrypted": true
}
Redis
The Redis properties, redisProps
, should be configured to point your IAP instance to a local Redis service.
Property | Type | Default | Description |
---|---|---|---|
host |
String | 127.0.0.1 |
The IP or hostname of the server running the Redis service. IPv6 and IPv4 addresses are supported. |
port |
Number | 6379 |
The port Redis is running on. Must be a number in the range 1 - 65535. |
db |
Number | 0 |
The optional Redis database number to connect to (number may be 0-15). |
password |
String | The optional passphrase protecting access to the Redis database. | |
maxRetriesPerRequest |
Number | 20 |
The maximum number of connection retries on a lost Redis link. IAP will be shutdown when maxRetriesPerRequest is reached. |
maxHeartbeatWriteRetries |
Number | 20 |
The maximum number of write retries on the lost ability to write data in Redis. IAP will be shutdown when maxHeartbeatWriteRetries is reached. |
Sample Redis Properties
"redisProps": {
"host": "127.0.0.1",
"port": 6379,
"db": 0,
"password": "$ENC87eb897b507afc1796db49409dd1251c87872e85afd2469e",
"maxRetriesPerRequest": 20,
"maxHeartbeatWriteRetries": 20
}
Retry Strategy
When a service in IAP throws a JavaScript exception without handling it, IAP will attempt to retry the service. To configure the number of times IAP will attempt to retry a failed service, set the maxRetries
property. When the number of times IAP restarts a service exceeds the maxiumum number allowed in maxRetries
, all attempts to restart the service will stop. The count will then reset if the number of milliseconds configured within the retryResetTimer
property has elapsed between any two retry attempts.
Property | Type | Default | Description |
---|---|---|---|
maxRetries |
Integer | 10 | Maximum number of retries for a service to fail before IAP will no longer attempt to restart it. |
retryResetTimer |
Integer | 60000 | Amount of time (ms) between each retry before the count (see maxRetries ) will reset. |
Sample Retry Strategy Properties
"retryStrategy" : {
"maxRetries": 15,
"retryResetTimer": 2500
}
Care should be taken when configuring each of these properties as they work together to achieve the best retry strategy. For instance, retryResetTimer
can be configured to account for occasional crashes (even expected daily crashes) by having the counter reset after a short period to avoid reaching the maxRetries
threshold for retry activity to stop.
Syslog
The syslog properties allow IAP to send log messages to a local or remote syslog daemon.
Please be aware of the maximum message length supported by the remote syslog receiver. IAP will send messages greater than 1024 bytes. Remote syslog receivers may truncate messages greater than a certain length.
See the following references for more detail:
Property | Type | Default | Description |
---|---|---|---|
level |
String | info |
The minimum log level to send to the syslog server. Possible levels are: debug, info, warning, error. |
host |
String | localhost |
The host running syslogd. IPv4 and IPv6 addresses are supported. |
port |
Number | 514 |
The port on the host that syslog is running on. Must be a number in the range 1 - 65535. |
protocol |
String | udp4 |
The network protocol to log over. Examples include: tcp4 , udp4 , udp6 , unix and unix-connect . |
path |
String | N/A | The path to the syslog dgram socket, e.g., /dev/log or /var/run/syslog on OS X). If path is used, host , port and protocol do not need to be configured. |
pid |
String | process.pid |
Process identifier (PID) of the process that log messages are coming from. |
facility |
String | local( ) |
Syslog facility to use. |
localhost |
String | localhost |
Host to indicate that log messages are coming from. |
type |
String | BSD |
The type of syslog protocol to use. Possible values are BSD and 5424 . |
app_name |
String | process.title |
The name of the application. |
eol |
String | N/A | The end of line character to be added to the end of the message. |
Sample Syslog Properties
"loggerProps": {
"syslog": {
"level": "warning",
"host": "localhost",
"port": 514,
"protocol": "udp4",
"facility": "local0",
"type": "5424"
}
}
System
The following table presents the systemProps
that may be configured.
Property | Type | Default | Description |
---|---|---|---|
launchDelay |
Number | 0 | The time in seconds that IAP will wait between launching its services. This can be used to manage the resource usage incurred by starting many services at the same time. |
launchTimeout |
Number | 600 | The time in seconds that IAP will wait for a service registration. If a service has not registered itself to IAP within this time frame, it will consider it lost. |
serviceHealthCheckInterval |
Number | 5 | Determines how often services update their health data. Measured in seconds. Default: 5 seconds Minimum: 1 |
serviceHealthCheckUnhealthyThreshold |
Number | 3 | Determines how many health check intervals a service can miss before it is considered offline. Measured in number of intervals (also in seconds when multiplied by the interval setting). Default: 3 missed health checks Minimum: 1 |
deadProcessCheck |
Boolean | false |
If true, IAP will perform a health check on its services in timed intervals set by the deadProcessCheckInterval . If a process is considered dead it will be restarted. |
deadProcessCheckInterval |
Number | 5 | The interval in seconds that IAP will check the health of its services. This check interval works in conjunction with deadProcessMaxPeriod to define when IAP considers the service lost. |
deadProcessMaxPeriod |
Number | 15 | The threshold in seconds after which IAP considers a service lost if it has not received a health update. At each check interval (see deadProcessCheckInterval ), if the last received healthcheck for this service is longer than the deadProcessMaxPeriod , then IAP will then consider the service lost.IMPORTANT: The longest interval a service can be down before being caught is the sum of deadProcessMaxPeriod and deadProcessCheckInterval . In other words, with the defaults supplied herein, it might be 20 seconds before a service is detected to be down due to the time lag of the check interval when compared against this threshold. Keep this in mind if you modify these settings. |
externalRequestTimeout |
Number | 5 | The timeout for external API requests. Measured in seconds. Minimum: 1 Maximum: 120 |
deviceCountPollingInterval |
Number | 24 | The interval for how often IAP polls for the number of devices. Measured in hours. Minimum: 1 Maximum: 168 |
servicesBlacklist |
Array | [] | A list of service types that will be "blacklisted" for the current user. This means the user will not be able to perform CRUD (CREATE, UPDATE, DELETE) operations on any of the services configured within the system that have the listed service type in this property. Only the admin user will be able to configure these service types. For example, if an admin would like to prevent all users of the system from modifying the AAA adapter then they can do so by specifying "LDAP" (if LDAP is the configured AAA system) within the servicesBlacklist property. Remember the values in the servicesBlacklist property are the service type . To find this value, navigate to the service config (e.g. Adapter Configuration) and look for the "properties" array and the "type" value for the targeted service. Use the value of "type" and remember that all adapters of this type will be restricted; in other words, it restricts by type and not by instance. |
shutdownTimeout |
Number | 3 | The time (seconds) IAP waits before it shuts down its services. This allows a service to have some time to perform any operations it may need to do before it exits. This timeout also applies to the service life-cycle actions "stop", "restart", and "crashes". If a service completes its cleanup operations before the timeout, it will exit. During a system wide shutdown, all services will stay active until every service has completed their cleanup operations. If operations are completed before the timeout, the platform will exit. If for some reason a service is unable to complete its cleanup operations within the specified shutdown timeout, it will be forcibly closed and a message written to the logs indicating the name of the service that incurred the timeout, and then the platform will exit. |
Sample System Properties
Below is a sample systemProps
configuration when used with the Advanced Mode editor.
"systemProps": {
"launchDelay": 0,
"launchTimeout": 60,
"serviceHealthCheckInterval": 5,
"serviceHealthCheckUnhealthyThreshold": 3,
"deadProcessCheck": false,
"deadProcessCheckInterval": 5,
"deadProcessMaxPeriod": 15,
"externalRequestTimeout": 5,
"deviceCountPollingInterval": 24,
"servicesBlacklist": [ "NSO", "local_aaa", "GitHub:v5" ],
"shutdownTimeout": 3
}
UI
The UI properties is captured by the uiProps
object. These properties may be used to overwrite certain pages and icons as a part of customer branding.
Property Name | Type | Default | Description |
---|---|---|---|
description |
String | UI | The description property. |
layout |
String | node_modules/@itential/pronghorn-core/ui/views/layout.pug |
The pug file that governs the overall IAP layout page. |
home |
String | node_modules/@itential/pronghorn-core/ui/lib/iap-ui/build/index.html |
The file that creates the user's individual home page. |
login |
String | node_modules/@itential/pronghorn-core/ui/lib/iap-ui/build/index.html |
The index file that creates the login page presented to unauthenticated users. |
profile |
String | node_modules/@itential/pronghorn-core/ui/views/profile.pug |
The pug file that presents the user's profile. |
fav_icon |
String | node_modules/@itential/pronghorn-core/ui/img/favicon.ico |
The path to a custom-branded icon displayed in the browser's tab and URL bars. |
Sample UI Properties
"uiProps": {
"description": "UI",
"layout": "node_modules/@itential/pronghorn-core/ui/views/layout.pug",
"home": "node_modules/@itential/pronghorn-core/ui/lib/iap-ui/build/index.html",
"login": "node_modules/@itential/pronghorn-core/ui/views/login.pug",
"profile": "node_modules/@itential/pronghorn-core/ui/views/profile.pug",
"fav_icon": "node_modules/@itential/pronghorn-core/ui/img/favicon.ico"
}