nevisadmin-plugin-nevisdetect

ActiveMQ Client Configuration

Using the pattern, you can connect to an external ActiveMQ service using TLS/SSL.

Message Broker URL

Set the URL for the ActiveMQ message broker. Example:

ssl://my-message-broker:61616

BehavioSec Risk Plugin

The pattern configures BehavioSec risk scores to be integrated with nevisDetect.

For more information, see BehavioSec Developer Docs.

URL

Service URL used to connect to the BehavioSec service from the plugin. For example: https://mycompany.behaviosec.com/BehavioSenseAPI/

Key Store

Used when simple or mutual (2-way) HTTPS is configured. If no pattern is assigned here, automatic key management will provide the key store.

Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Proxy

Optional outbound proxy.

Web App URL

BehavioSec Dashboard URL

Fraudulent Flags

List of BehavioSec report flag names. Please add each entry line-by-line.

If any of these flags has the value true in the report, the request is marked as fraudulent and fails.

If the field is left empty, the flags marked with (*) form the default configuration.

Potential flag names (as of 5.4):

  • advancedUser (*)
  • autoModel
  • coached (*)
  • deviceChanged (*)
  • deviceIdShared (*)
  • deviceIntegrity (*)
  • diError (*)
  • drFlag (*)
  • finalized
  • ipChanged (*)
  • ipShared (*)
  • isDataCorrupted (*)
  • isBot (*)
  • isDuplicate (*)
  • isOneHand
  • isRemoteAccess (*)
  • isReplay (*)
  • isSessionCorrupted (*)
  • isWhitelisted
  • locationMismatch (*)
  • newCountry (*)
  • newsubprofile
  • numpadAnomaly (*)
  • numpadUsed
  • numrowUsed
  • ohFlag (*)
  • otjsError (*)
  • pdError (*)
  • pnFlag (*)
  • pocAnomaly (*)
  • pocUsed
  • tabAnomaly (*)
  • tabUsed
  • travelTooFast (*)
  • uiConfidenceFlag (*)
  • uiScoreFlag (*)

Flag / Description Mappings

List of BehavioSec report flag names with their description name in the following format: <flagName>=<descriptionName>. Please add each entry line-by-line.

If any of these flags has the value true in the report, the flag is added to the respective header field along with the value of the mapped description field.

To delete a default mapping, omit the description field's name: <flagName>=. If the flag is part of the default mapping, the entry overrides the default; otherwise it is added.

Default combined values (flag name/description name):

  • advancedUser/advancedUserScore
  • deviceChanged/deviceDesc
  • deviceIntegrity/deviceIntegrityDesc
  • diError/diDesc
  • finalized/finalizeTimestamp
  • isBot/botDesc
  • isDuplicate/duplicateDesc
  • isRemoteAccess/raDesc
  • isReplay/replayDesc
  • isSessionCorrupted/isSessionCorruptedDesc
  • locationMismatch/locationMismatchDesc
  • newCountry/ipCountry
  • numpadUsed/numpadRatio
  • otjsError/otjsDesc
  • pdError/pdDesc
  • pocUsed/pocRatio
  • tabUsed/tabRatio
  • travelTooFast/travelTooFastDesc
  • uiConfidenceFlag/uiConfidence
  • uiScoreFlag/uiScore
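As an added example (not code from the nevisAdmin plugin or from BehavioSec), the following Python shows how the Fraudulent Flags and Flag / Description Mappings text areas combine with the defaults listed above, and how the result is applied to a BehavioSec report. The report and the flag-to-description dictionary used as a stand-in for the header fields are constructed for illustration; the page does not show the exact header format.

```python
# Added example (not nevisAdmin code): effective Fraudulent Flags and
# Flag / Description Mappings, applied to a constructed BehavioSec report.
# The header representation (flag -> description value dict) is an assumption.

# Flags marked with (*) in the Fraudulent Flags list (the default set).
DEFAULT_FRAUDULENT_FLAGS = frozenset({
    "advancedUser", "coached", "deviceChanged", "deviceIdShared",
    "deviceIntegrity", "diError", "drFlag", "ipChanged", "ipShared",
    "isDataCorrupted", "isBot", "isDuplicate", "isRemoteAccess", "isReplay",
    "isSessionCorrupted", "locationMismatch", "newCountry", "numpadAnomaly",
    "ohFlag", "otjsError", "pdError", "pnFlag", "pocAnomaly", "tabAnomaly",
    "travelTooFast", "uiConfidenceFlag", "uiScoreFlag",
})

# Default flag name -> description field name mappings.
DEFAULT_MAPPINGS = {
    "advancedUser": "advancedUserScore", "deviceChanged": "deviceDesc",
    "deviceIntegrity": "deviceIntegrityDesc", "diError": "diDesc",
    "finalized": "finalizeTimestamp", "isBot": "botDesc",
    "isDuplicate": "duplicateDesc", "isRemoteAccess": "raDesc",
    "isReplay": "replayDesc", "isSessionCorrupted": "isSessionCorruptedDesc",
    "locationMismatch": "locationMismatchDesc", "newCountry": "ipCountry",
    "numpadUsed": "numpadRatio", "otjsError": "otjsDesc", "pdError": "pdDesc",
    "pocUsed": "pocRatio", "tabUsed": "tabRatio",
    "travelTooFast": "travelTooFastDesc", "uiConfidenceFlag": "uiConfidence",
    "uiScoreFlag": "uiScore",
}


def _lines(text):
    return [line.strip() for line in text.splitlines() if line.strip()]


def effective_fraudulent_flags(text):
    """One flag name per line; an empty field means the (*) defaults."""
    lines = _lines(text)
    return frozenset(lines) if lines else DEFAULT_FRAUDULENT_FLAGS


def effective_mappings(text):
    """Apply '<flagName>=<descriptionName>' lines on top of the defaults.

    '<flagName>=' (empty description) deletes a default mapping; any other
    entry overrides a default or adds a new flag.
    """
    mappings = dict(DEFAULT_MAPPINGS)
    for line in _lines(text):
        if "=" not in line:
            raise ValueError(f"expected <flagName>=<descriptionName>, got {line!r}")
        flag, description = (part.strip() for part in line.split("=", 1))
        if not flag:
            raise ValueError(f"missing flag name in {line!r}")
        if description:
            mappings[flag] = description
        else:
            mappings.pop(flag, None)
    return mappings


def evaluate_report(report, fraudulent_flags, mappings):
    """Return (request_fails, headers) for one BehavioSec report.

    Any configured fraudulent flag that is true fails the request outright;
    otherwise every mapped flag that is true contributes its description value.
    """
    if any(report.get(flag) is True for flag in fraudulent_flags):
        return True, {}
    headers = {flag: report.get(description)
               for flag, description in mappings.items()
               if report.get(flag) is True}
    return False, headers


# Constructed report: a returning user on a new device with heavy tab usage.
SAMPLE_REPORT = {
    "deviceChanged": True, "deviceDesc": "new device model",
    "tabUsed": True, "tabRatio": 0.8,
    "isBot": False, "isReplay": False,
}

if __name__ == "__main__":
    # With the defaults, deviceChanged is fraudulent: the request fails.
    print(evaluate_report(SAMPLE_REPORT, DEFAULT_FRAUDULENT_FLAGS, DEFAULT_MAPPINGS))
    # Narrow the fraudulent set and drop the tabUsed mapping: headers instead.
    flags = effective_fraudulent_flags("isBot\nisReplay\n")
    mappings = effective_mappings("tabUsed=\nnumrowUsed=numrowRatio\n")
    print(evaluate_report(SAMPLE_REPORT, flags, mappings))
```

The second run illustrates the operational trade-off: narrowing the fraudulent set turns a hard failure into header data that a downstream policy can weigh, while `tabUsed=` removes a default mapping and `numrowUsed=numrowRatio` adds one that is not in the default list.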

Custom Risk Score Weight Configuration

Use the pattern for custom risk score weight configuration. Every weight must be between 0 and 1 inclusive. The higher the value, the more impact the component has on the aggregate score. Set the weight to 0 to disregard the analyzer completely. Default values are the same as for the Balanced configuration.

Geolocation Weight

Configuration of the risk score weight for the geolocation analyzer's risk score.

IP Weight

Configuration of the risk score weight for the IP analyzer's risk score.

IP Reputation Weight

Configuration of the risk score weight for the IP reputation analyzer's risk score.

IP Velocity Weight

Configuration of the risk score weight for the IP velocity analyzer's risk score.

Suspicious Country Weight

Configuration of the risk score weight for the suspicious country analyzer's risk score.

Device Cookie Weight

Configuration of the risk score weight for the device cookie analyzer's risk score.

Fingerprint Weight

Configuration of the risk score weight for the fingerprint analyzer's risk score.

Generic nevisAdapt Instance Settings

Use this add-on pattern to set low-level properties in configuration files of a nevisAdapt Instance.

Java Opts

Add additional entries to the JAVA_OPTS environment variable.

For instance, you may configure nevisAdapt to create a heap dump on out of memory as follows:

-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/var/opt/nevisadapt/log/

Be aware that this example will not work for Kubernetes as the pod will be automatically restarted on out of memory and the created heap dump files will be lost.

Generic nevisDetect Instance Settings

Use this add-on pattern to set low-level properties in configuration files of a nevisDetect Instance.

Java Opts

Add additional entries to the JAVA_OPTS environment variable.

Use the expression ${instance} for the instance name.

For instance, you may configure nevisDetect to create a heap dump on out of memory as follows:

-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/var/opt/nevisdetect/${instance}/log/

Be aware that this example will not work for Kubernetes as the pod will be automatically restarted on out of memory and the created heap dump files will be lost.

Proxy Risk Plugin

Set up a default configuration of a custom risk plugin to be used in nevisDetect.

The risk plugin is defined by its name, REST endpoints and descriptions.

A custom set of risk scores (defined by name and chart color shown in nevisDetect GUI) can be associated with it.

For more information, see Proxy plug-in.

URL

Service URL used to connect to the plugin

Service Mapping

Mapping entries between REST addresses and services. One line per mapping, for example:

requestData=/processRequestData
terminateSession=/processSessionTermination
getVersion=/getVersion

Risk Scores

Risk scores to be delivered. Please add entries in the following format:

RiskScoreName=#ColorCode

Key Store

Used when simple or mutual (2-way) HTTPS is configured. If no pattern is assigned here, automatic key management will provide the key store.

Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Web App URL

BehavioSec Dashboard URL

Description

Add description(s) for this proxy plugin.

Shared Storage Settings

Pattern to override the default settings of the shared storage used in Kubernetes deployments.

Claim Name

The name of the PersistentVolumeClaim.

For more information regarding persistent volumes in Kubernetes, please visit this page.

Storage Size

The size of the persistent volume. The minimum size is 1 gigabyte; we recommend at least 4 gigabytes.

For example: 4GB

Storage Class

The name of the StorageClass. The selected storage should support ReadWriteMany access.

For example: azurefile

For more information regarding persistent volume types in Kubernetes, please visit this page.

Mount Path

The path where the volume will be mounted and used by the service.

For example: /var/opt/shared

For more information regarding persistent volumes in Kubernetes, please visit this page.

User Notification (Adaptive Authentication)

The pattern works out of the box as a follow-up to the nevisAdapt Authentication Connector step.

It sends notifications to users about suspicious login attempts.

Configure nevisIDM to send notifications as described here.

nevisIDM

Reference for the nevisIDM service. The nevisAdapt Authentication Connector uses nevisIDM's REST API to send notification emails to the user if the calculated weighted risk score exceeds the configured threshold.

On Success

Set the step to continue with on successful authentication.

Notification type

This mandatory property selects the actual communication event and thus the template text type used.

Sending method

This mandatory property defines the communication method. For the configuration and usage of these methods, refer to the nevisIDM reference guide.

Asynchronous communication

This property defines whether the communication should happen immediately (disabled) or via the EventQueue (enabled).

nevisAdapt Authentication Connector

Using the pattern, you can integrate nevisAdapt as an authentication step in nevisAuth. Depending on the risk score, a different AuthState can follow this step.

nevisAdapt

Reference for the nevisAdapt service to calculate risk scores during authentication.

On Success

Set the step to continue with on successful authentication.

On Failure

Set the step to continue with in case of error. If nothing is set, the authentication fails.

On Timeout

Set the step to continue with in case the authentication attempt runs into a timeout.

Risk Profile configuration: Setting this step is optional; if it is unset, the highest available of the On High Risk and On Medium Risk steps replaces it.

Risk Event configuration: Setting this step is mandatory.

On Untrained User

Set the step to continue with in case the user is untrained.

Risk Profile configuration: Setting this step is optional; if it is unset, the highest available of the On High Risk and On Medium Risk steps replaces it.

Risk Event configuration: Setting this step is mandatory.

On Medium Risk

Will be considered only if Profile is set to either balanced, strict or custom.

Set the step to continue with if the calculated risk score exceeds the Medium threshold.

If it remains unset:

  1. On High Risk becomes mandatory.
  2. The same next step as On Success applies.

On High Risk

Will be considered only if Profile is set to either balanced, strict or custom.

Set the step to continue with if the calculated risk score exceeds the High threshold.

If it remains unset:

  1. On Medium Risk becomes mandatory.
  2. The same next step as On Medium Risk applies.

On Logout Done

Optional. Reference for the next step in the logout authentication flow. If missing, this is the last step and the result will be AUTH_DONE.

Key Store

The key store used by this pattern to establish a connection with the nevisAdapt component. For a client TLS connection, this key store should be trusted by the nevisAdapt Instance. If no pattern is assigned here, automatic key management will provide the key store.

Trust Store

The trust store used by this pattern to establish a connection with the nevisAdapt component. This trust store must trust the nevisAdapt Instance's key store. Please reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin automatic key management.

Medium Risk Threshold

Will be considered only if Profile is set to either balanced, strict or custom.

Set the risk score threshold [0...1] for medium threat.

High Risk Threshold

Will be considered only if Profile is set to either balanced, strict or custom.

Set the risk score threshold [0...1] for high threat.

Profile

The profile used when processing the results of the analysis done by the nevisAdapt service.

There are two ways to react to the returned values:

  • React to the returned events directly
  • React based on the calculated weighted sum of the risk scores

Supported values are:

  • balanced - balanced risk profile
  • strict - strict risk profile with higher weights
  • custom - to define own weights for the risk profile
  • events - react on the returned events instead of the risk scores

You can find more information about the Risk profiles in the documentation.

Custom Risk Score Weight Configuration

Custom risk score weight configuration for the calculation. Set the weights to be considered for each risk score analyzer.

Analyzer list:

  • Suspicious country
  • Device cookie
  • Fingerprint
  • IP
  • IP location
  • IP velocity
  • IP reputation

Suspicious Events Configuration

Will be considered only if Profile is set to events.

Select which events to react to. The events are identified and returned by the nevisAdapt service, and the first event combination they match determines the next step in the authentication flow. No further entries of this list are considered.

One event combination entry consists of the following properties:

  • Risk Events: set of suspicious event(s) to match against
  • Minimum Match Count: minimum number of events to consider the matching valid (all by default). They have to be present in the service response to classify the entire combination as matching.
  • Authentication Step: next authentication step if the matching is valid

Complete example with full ruleset:

Combination 1:

  • Risk Events: [ 'ip-reputation-blacklisted', 'suspicious-country' ]
  • Minimum Match Count: 1
  • Authentication Step: Authentication Fails

This combination matches if either of the two selected events is reported by the nevisAdapt service. In that case, neither Combination 2 nor 3 is checked, as the authentication fails immediately.

Combination 2:

  • Risk Events: [ 'unknown-device', 'unknown-country', 'unknown-fingerprint' ]
  • Minimum Match Count: 2
  • Authentication Step: mTAN

This combination will match successfully if any 2 of the three selected events are being reported by the nevisAdapt service. If this is the case, Combination 3 will not be checked and the next authentication step will be mTAN.

Combination 3:

  • Risk Events: [ 'unknown-country', 'high-ip-velocity' ]
  • Minimum Match Count: all
  • Authentication Step: email

This combination will match successfully only if both events were reported by the nevisAdapt service. If this is the case, a notification email will be sent to the user.

Otherwise, authentication succeeds without any further complication.
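As an added example (not code from the nevisAdmin plugin), the following Python implements the first-match evaluation described above and runs the page's three-combination ruleset against constructed sets of reported events. The event names are those listed for the nevisAdapt Event pattern; the step names are arbitrary labels.

```python
# Added example (not nevisAdmin code): first-match evaluation of the
# Suspicious Events Configuration, run against the page's example ruleset.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Union

# Risk events the nevisAdapt Event pattern lets you select.
KNOWN_RISK_EVENTS = frozenset({
    "unknown-device", "unknown-country", "unknown-fingerprint",
    "suspicious-country", "high-ip-velocity", "ip-reputation-blacklisted",
})


@dataclass(frozen=True)
class Combination:
    risk_events: FrozenSet[str]
    authentication_step: str
    minimum_match_count: Union[int, str] = "all"   # "all" by default

    def __post_init__(self):
        if not self.risk_events:
            raise ValueError("select at least one risk event")
        unknown = self.risk_events - KNOWN_RISK_EVENTS
        if unknown:
            raise ValueError(f"unknown risk events: {sorted(unknown)}")

    def required_matches(self) -> int:
        # "all", or a count larger than the selection, means every event.
        if self.minimum_match_count == "all":
            return len(self.risk_events)
        count = int(self.minimum_match_count)
        if count < 1:
            raise ValueError("minimum match count must be at least 1")
        return min(count, len(self.risk_events))

    def matches(self, reported: FrozenSet[str]) -> bool:
        return len(self.risk_events & reported) >= self.required_matches()


def next_authentication_step(reported_events: Iterable[str],
                             combinations, on_success: str) -> str:
    """First matching combination wins; later entries are not considered.

    With no match the flow continues with the On Success step.
    """
    reported = frozenset(reported_events)
    for combination in combinations:
        if combination.matches(reported):
            return combination.authentication_step
    return on_success


# The ruleset from the documentation's complete example, in order.
RULESET = (
    Combination(frozenset({"ip-reputation-blacklisted", "suspicious-country"}),
                "Authentication Fails", 1),
    Combination(frozenset({"unknown-device", "unknown-country", "unknown-fingerprint"}),
                "mTAN", 2),
    Combination(frozenset({"unknown-country", "high-ip-velocity"}),
                "email"),   # minimum match count "all"
)

if __name__ == "__main__":
    for events in (["suspicious-country"],
                   ["unknown-device", "unknown-fingerprint"],
                   ["unknown-country", "high-ip-velocity"],
                   ["unknown-country"]):
        print(events, "->", next_authentication_step(events, RULESET, "On Success"))
```

Ordering matters: a report containing unknown-device, unknown-country and high-ip-velocity is routed to mTAN by Combination 2, and Combination 3 is never consulted even though both of its events are present.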

If unset, the cookie will not be scoped to subdomains. Set this value to a specific domain to include more than one hostname.

Example: The user wants to log in through example.com

If no value is given, the cookie will be effective for requests with the following addresses:

If the value is actually set as example.com, the cookie will be effective for requests against subdomains as well:

FingerprintJS version

This configuration option lets the administrator ensure backward compatibility if FingerprintJS V2 fingerprints have been in use so far.

  • V2 - to ensure backward compatibility, FingerprintJS V2 will be used
  • V3 - default option, uses FingerprintJS V3

Pass-through Mode

The passthrough mode disables the nevisAdapt validation. All analysers are still executed and results (risks/active sessions) are persisted.

When enabled, all risks follow the On Success step. High and Medium risk actions are ignored.

This mode is useful for data gathering and troubleshooting.
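As an added example (not code from the nevisAdmin plugin), the following Python resolves the next authentication step for the balanced, strict and custom profiles from the documented semantics: a score exceeding a threshold selects the corresponding step, an unset On Medium Risk falls back to On Success, an unset On High Risk falls back to On Medium Risk, and Pass-through Mode routes every result to On Success. The aggregate score is taken as input (how nevisAdapt computes it is not shown here), the requirement that the medium threshold not exceed the high one is an assumption, and the step names are arbitrary labels.

```python
# Added example (not nevisAdmin code): next-step resolution for profile-based
# evaluation, including the fallback rules and Pass-through Mode.
from typing import Optional, Tuple


def validate_threshold(name: str, value: float) -> float:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be within [0...1], got {value}")
    return value


def resolve_risk_steps(on_success: str, on_medium: Optional[str],
                       on_high: Optional[str]) -> Tuple[str, str]:
    """Apply the documented fallbacks for unset On Medium Risk / On High Risk.

    Unset On Medium Risk continues like On Success; unset On High Risk
    continues like On Medium Risk. At least one of the two must be set.
    """
    if on_medium is None and on_high is None:
        raise ValueError("On High Risk or On Medium Risk must be set")
    medium_step = on_medium if on_medium is not None else on_success
    high_step = on_high if on_high is not None else medium_step
    return medium_step, high_step


def next_step_for_score(score: float, medium_threshold: float, high_threshold: float,
                        on_success: str, on_medium: Optional[str] = None,
                        on_high: Optional[str] = None, passthrough: bool = False) -> str:
    """Pick the next authentication step for one calculated risk score."""
    medium = validate_threshold("Medium Risk Threshold", medium_threshold)
    high = validate_threshold("High Risk Threshold", high_threshold)
    if medium > high:
        # Assumption of this example: a medium threshold above the high one
        # is a misconfiguration rather than a supported setup.
        raise ValueError("Medium Risk Threshold must not exceed High Risk Threshold")
    medium_step, high_step = resolve_risk_steps(on_success, on_medium, on_high)
    if passthrough:
        # Pass-through Mode: analysis still runs and results are persisted,
        # but every risk level continues with On Success.
        return on_success
    if score > high:        # "exceeds" the High threshold
        return high_step
    if score > medium:      # "exceeds" the Medium threshold
        return medium_step
    return on_success


if __name__ == "__main__":
    for score in (0.2, 0.5, 0.9):
        print(score, "->", next_step_for_score(score, 0.4, 0.7, "done", "mtan", "fail"))
    print("passthrough 0.9 ->",
          next_step_for_score(0.9, 0.4, 0.7, "done", "mtan", "fail", passthrough=True))
```

A score exactly equal to a threshold does not exceed it, so with thresholds 0.4 and 0.7 a score of 0.7 still takes the medium step; enabling passthrough for data gathering means even a 0.9 continues with On Success, which is why the page restricts that mode to gathering and troubleshooting.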

nevisAdapt Database

Configures nevisAdapt to use a MariaDB database. Assign to nevisAdapt Instance as Database.

When deploying to Kubernetes, the database and connection user will be created automatically. The database schema will be migrated automatically when upgrading Nevis on the next deployment.

In classic VM deployments a database including tables must be set up before deployment.

Setup instructions can be found in the nevisAdapt technical documentation. See Database setup for details.

If you want to use an Oracle database you have to set Custom Connection URL, instead of using the high-level settings, and upload the JDBC Driver.

Database Type

Choose between MariaDB, Oracle and PostgreSQL.

We recommend using MariaDB as it is supported by all Nevis components that have a database.

Note: PostgreSQL support is an experimental configuration only.

Database Host

Enter the host name of the database service.

The database service must be up when you deploy.

In a classic deployment, the Database User and Database Password are used to connect.

In Kubernetes deployment a connection user and password will be generated and the Root Credential will be used to set up the database schema.

Database Name

Here you can change the name of the database.

The database name only needs to be changed when the database service contains multiple databases.

Root Credential

Enter the name of a Kubernetes secret which contains the user and password of a database root account.

Required in Kubernetes deployment when Advanced Settings / Database Management is set to complete or schema.

This is the default behaviour in Kubernetes.

With complete the secret should contain the following:

username: <root-user>
password: <root-password>

If Database Management is set to schema, the root user can be omitted, but the application and schema users have to be specified:

ownerUsername: <some-username>
ownerPassword: <some-password>
appUsername: <some-username>
appPassword: <some-password>

If used with complete the app and owner users will be created with the credentials specified in the secret.

Due to the usage of schemas, it is recommended to create a separate Kubernetes secret for each database pattern with the app and owner credentials when using Oracle or PostgreSQL.

Root Credential Namespace

Set if the Root Credential is in a different Kubernetes namespace.

Database User

Provide the DB user name here.

Database Password

Provide the DB password here.

TLS Encryption

If enabled, the query parameter useSSL=true will be added to enable 1-way TLS.

If no Trust Store is assigned then trustServerCertificate=true will be added to the connection string.

Assignment of a Trust Store is recommended for production use.

Note: The PostgreSQL database connection configuration doesn't support TLS connections yet.

Trust Store

Assign a trust store which provides the CA certificate of the DB endpoint.

JDBC Driver

Due to licensing, nevisAdapt cannot ship the JDBC driver to connect to Oracle databases. Therefore, those who want to use an Oracle database need to obtain and provide the Oracle JDBC driver on their own.

The .jar files can be downloaded from Oracle.

Uploading any other .jar files containing JDBC drivers is possible as well.

Volume Claim

Due to licensing restrictions, we cannot ship any Oracle dependencies.

If you are using an Oracle database, are deploying to Kubernetes, and Database Management is enabled (complete or schema), then you have to provide a Kubernetes volume containing an Oracle driver and client.

For more information, see Preparing Oracle Volume.

Enter the name of that volume here.

The volume will be mounted in the nevisadapt-dbschema image to set up and patch the database schema.

The volume will be mounted in the nevisadapt image to connect to the database. Because of that, there is no need to upload a JDBC Driver.

Data Tablespace

Name of the data tablespace for the Oracle database used for the Kubernetes migration. It's recommended to keep the default value unless the pattern is used with an existing database that has a different one.

Application Role

Name of the application role for the Oracle database used for the Kubernetes migration. It's recommended to keep the default value unless the pattern is used with an existing database that has a different one.

Owner Role

Name of the owner role for the Oracle database used for the Kubernetes migration. It's recommended to keep the default value unless the pattern is used with an existing database that has a different one.

Database Management

The pattern can set up the database and its schema when deploying to Kubernetes.

The complete option, on top of handling the schema migration, does the initial database preparation, like creating the actual database (or tablespace in case of Oracle), as well as creating the required database users.

The schema option will skip the initial preparation and will only take care of the actual schema migration. This requires the schema owner and the application user credentials to be present in the root credential secret. The root user information can be omitted with this option.

You can select disabled here to opt out. In this case you have to create and migrate the database schema yourself.

This feature is set to recommended by default which aims for the most convenient solution based on the deployment type. In case of Kubernetes deployments, it uses complete. In a classical VM deployment, it will use schema if the pattern allows setting Schema User and Schema Password, otherwise it's disabled.

Flyway License Key

Provide a licence key if you use the Flyway Teams Edition.

This is recommended only if you use an old database version (more than 5 years old). If you do not provide a licence key, the Flyway Community Edition is used by default.

For more information about Flyway editions, see Flyway.

Datasource Configuration Method

Select which method of generation should be applied when configuring the Hikari datasource for the database connection.

Possible options:

  • recommended: the default option, this sets up three explicit values:
    • Maximum session lifetime: 300s
    • Session idle timeout: 100s
    • Maximum pool size: 50
  • custom: specify values in the next text area, separate keys and values with =.
  • unmodified: this configuration doesn't generate anything, leaving all default configurations coming from the library in effect.

Datasource Configuration Values

Specify custom values for Hikari datasource configuration. Separate keys and values with =. The valid keys can be found at HikariCP - GitHub.

Example to set the same as if selecting recommended:

maxLifetime=300000
idleTimeout=100000
maximumPoolSize=50

Connection Parameters

Enter parameters for the DB connection string.

Enter 1 parameter per line.

Lines will be joined with &.

The default is:

useMysqlMetadata=true

The default value will be used only when no parameters are entered.

If you want to keep the default parameters, add them as well.
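As an added example (not code from the nevisAdmin plugin), the following Python assembles the connection parameters as the Connection Parameters and TLS Encryption descriptions state them: one key=value per line joined with &, the useMysqlMetadata=true default applied only when nothing is entered, useSSL=true appended when TLS Encryption is enabled, and trustServerCertificate=true appended when no Trust Store is assigned. It also emits the findings a reviewer would raise on the resulting list. The jdbc:mariadb:// prefix, port 3306 and the connectTimeout sample parameter are assumptions for illustration; the page does not show the generated prefix.

```python
# Added example (not nevisAdmin code): Connection Parameters and TLS Encryption
# handling as documented, plus review findings on the result. The URL prefix
# and port are assumptions; nevisAdmin's generated prefix is not shown on the page.
from typing import List

DEFAULT_CONNECTION_PARAMETERS = ("useMysqlMetadata=true",)


def connection_parameters(text: str, tls_encryption: bool = False,
                          trust_store_assigned: bool = False) -> List[str]:
    """One key=value per line; the default applies only when nothing is entered."""
    params = [line.strip() for line in text.splitlines() if line.strip()]
    for param in params:
        key, separator, _ = param.partition("=")
        if not separator or not key:
            raise ValueError(f"expected key=value, got {param!r}")
    if not params:
        params = list(DEFAULT_CONNECTION_PARAMETERS)
    if tls_encryption:
        params.append("useSSL=true")            # 1-way TLS
        if not trust_store_assigned:
            # Without a trust store the client accepts any server certificate,
            # so the connection is encrypted but not authenticated.
            params.append("trustServerCertificate=true")
    return params


def connection_url(host: str, database: str, text: str = "",
                   port: int = 3306, **tls) -> str:
    """Assumed MariaDB Connector/J form: jdbc:mariadb://host:port/db?params."""
    params = connection_parameters(text, **tls)
    return f"jdbc:mariadb://{host}:{port}/{database}?" + "&".join(params)


def tls_findings(params: List[str]) -> List[str]:
    """Findings a defender would raise about a generated parameter list."""
    findings = []
    if "useSSL=true" not in params:
        findings.append("TLS disabled: credentials and data travel in clear text")
    if "trustServerCertificate=true" in params:
        findings.append("server certificate not verified: assign a Trust Store")
    keys = [param.split("=", 1)[0] for param in params]
    duplicates = sorted({key for key in keys if keys.count(key) > 1})
    if duplicates:
        findings.append(f"duplicate parameters: {duplicates}")
    return findings


if __name__ == "__main__":
    # Constructed input: a custom parameter without re-adding the default.
    custom = "connectTimeout=5000"
    for tls_encryption, trust_store in ((False, False), (True, False), (True, True)):
        params = connection_parameters(custom, tls_encryption, trust_store)
        print("&".join(params), "->", tls_findings(params) or "no findings")
    print(connection_url("db.example.internal", "nevisadapt", "",
                         tls_encryption=True, trust_store_assigned=True))
```

Running it shows the two caveats from the text in one place: entering any custom parameter drops useMysqlMetadata=true unless you re-add it, and enabling TLS without a Trust Store yields a connection string that no longer verifies the database server.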

Connection URL

Set only if you have to use a JDBC connection string which the pattern cannot generate.

If the prefix of the connection string works for you and you only have to add or overwrite query parameters, set Connection Parameters instead.

If you have to use this setting, please discuss your setup with your integration partner.

In Kubernetes deployments the connection string configured here is used by the component only. It is not used to set up and migrate the database schema.

Thus, this setting should only be used in classic deployments, or when Database Management is disabled.

nevisAdapt Event

Configure how to react to nevisAdapt events.

Risk Events

Select at least one event for the combination to react to:

  • unknown-device : this is the first time for this device cookie
  • unknown-country : this is the first time for this geolocation (country)
  • unknown-fingerprint : this is the first time for this browser fingerprint
  • suspicious-country : the login request came from a prohibited country
  • high-ip-velocity : the current geolocation is physically too far to be reachable since the last login
  • ip-reputation-blacklisted : the login request came from an IP address with low reputation

For technical details check Event-based configuration.

Minimum Match Count

Specify the minimum number of matching risk events required to continue with Authentication Step. Picking a number that exceeds the number of selected Risk Events is replaced by all during generation.

Authentication Step

Select which authentication step to continue with in case at least Minimum Match Count out of the selection provided in Risk Events are present in the report coming from the nevisAdapt service.

nevisAdapt Feedback Configuration

Pattern to configure details for the feedback feature.

nevisAuth Instance

Add nevisAuth Instance reference pattern(s) to enable session termination in connected components. If the session store is shared, it is enough to add one instance per database.

Please make sure that all involved nevisAuth Instances have ManagementService enabled. Add or extend a Generic nevisAuth REST Service for each with the following configuration:

<RESTService name="ManagementService" class="ch.nevis.esauth.rest.service.session.ManagementService" />

nevisProxy Instance

Reference for the nevisProxy instance to set up frontend addresses.

Feedback Token Encryption Key

Enter a 256-bit encryption key represented in Base64.

To generate a new random key, you may run the following console command:

openssl rand -base64 32

Regular expression for valid values: [a-zA-Z0-9+/]{43}=

Example: fq7J7E1xVFNHcEJ2MSQojLibKOQOMIlp2qXVqvv5y9w=

Feedback Token Behavior

The authentication step is able to generate a short-term feedback token if there are suspicious circumstances around the authentication attempt.

The registered user receives a URL in a notification email (in a notification step if configured), following that link within the token's lifetime would perform the configured task:

  • disabled - no token will be generated
  • session - following the link distrusts the suspicious session (even retroactively)
  • device - following the link distrusts the suspicious session and all other sessions associated with the same device
  • all - following the link removes all sessions and observations for the user

All options apart from disabled require access to the SessionManagement API in all involved nevisAuth Instances.

In case of all, please set the Enable Indexing value to on for all involved nevisAuth Instances.

Feedback Token Lifetime

Set the maximum lifetime for the feedback token.

Feedback Redirect URL

Provide a URL to redirect to after sending a report by pressing the feedback link in the notification. This can either be a base homepage or a more security-oriented one (for example, a password reset page).

If it remains unset, a basic informative text is displayed about the report instead of a redirect.

nevisAdapt Instance

This pattern sets up a nevisAdapt instance, which is mainly used as a plug-in for nevisDetect.

For details check the nevisAdapt Documentation.

nevisAdapt implements adaptive, context-aware, and continuous authentication based on multiple attributes, like device information or geolocation. Together, these multiple attributes create a unique, digital user footprint.

In case of multi-host deployment, up to one nevisAdapt is supported per isolating line.

TCP Service Port

Enter the port on which nevisAdapt will listen.

Database

Add a database connection reference pattern.

Required properties to be set in the connector pattern are as follows:

  • JDBC Driver (Oracle or MariaDB)
  • JDBC URL
  • DB user/password

Log Settings

Assign nevisAdapt Log Settings to change the log configuration.

Frontend Key Store

Used when simple or mutual (2-way) HTTPS is configured. If no pattern is assigned here, automatic key management will provide the key store.

Frontend Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

SecToken Signer Trust Store

Assign the Trust Store provider for verifying the NEVIS SecToken. If no pattern is assigned the signer key will be provided by the nevisAdmin 4 PKI.

File Selection

Set a file code only if the provider is IP2LOCATION or MaxMind; in that case, also set the access token.

Provide a file code that identifies the database file to be downloaded.

The supported values are:

  • upload - no update mechanism will be in place for custom uploads by default. Must be .csv/.CSV, up to 20MB.
  • DB1BIN - commercial version, IP-Country
  • DB1BINLITE - free version, IP-Country
  • DB5BIN - commercial version, IP-Country-City-GPS
  • DB5BINLITE - free version, IP-Country-City-GPS
  • Geo2-City - MaxMind GeoIP2 City Database
  • GeoLite2-City - free version of the MaxMind GeoIP2 City Database

nevisAdapt doesn't provide any access token by default. Tokens have to be generated after registration (or, in case of the commercial version, purchase).

You can find more information about the supported geolocation databases at the IP2LOCATION and MaxMind websites.

Mapping File Upload

Provide a file attachment for the IP-to-Location service to use.

Please consider uploading the file manually if its size exceeds 20MB, then adjust the path ipToLocationMappingFile in nevisadapt.properties after deployment if needed.

With file upload, only the IP-Country database is supported, with fields listed as follows (CC is the 2-letter country code, no header row):

"IP range min (decimal)","IP range max (decimal)","CC","COUNTRY"

The file must adhere to the following formatting rules: all fields must be separated by commas and surrounded by double-quotes. The IP ranges should not intersect each other. File name must end with either .csv or .CSV.

If IP velocity analysis is required, it is handled through IP2LOCATION updates. No other provider is supported at this point. Please switch to either DB5BIN or DB5BINLITE.

The IP-mapping file has to be updated regularly for the service to stay relevant.

Uploaded files are not updated by default.

We recommend setting up periodic update of IP geolocation and reputation mappings.

Update Schedule

Pick the update frequency of the IP-to-location database.

Valid values:

  • disabled - no update mechanism will be triggered. Not recommended for production environments.
  • hourly
  • daily
  • weekly
  • monthly

When selecting disabled, it is highly recommended to have a mechanism in place for keeping the database file up to date. We recommend setting up a periodic update of IP geolocation and reputation mappings.

Download Token

Provide a secret download token for authentication.

Shared Storage Settings

Configure this to override the default configurations used for the shared storage in Kubernetes deployments. If you use an existing shared volume, set only the claim name. This storage should support the ReadWriteMany access mode.

For more information regarding persistent volumes in Kubernetes, please visit this page.

Mapping File Upload

Provide a file attachment for the IP reputation service to use.

Please consider uploading the file manually if its size exceeds 20MB, then adjust the path ipReputationMappingFile in nevisadapt.properties after deployment if needed.

Every line should contain a single blacklisted IPv4 range in CIDR format:

A.B.C.D/E or A.B.C.D (A/B/C/D: [0-255]; E: [0-32])

The IP ranges should not intersect each other.

The IP-mapping file has to be updated regularly for the service to stay relevant. We recommend setting up periodic update of IP geolocation and reputation mappings.
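As an added example (not code from the nevisAdmin plugin), the following Python validates both upload formats described on this page before they reach the service: the IP-to-Location CSV from the Mapping File Upload section (four comma-separated, double-quoted fields, no header row, 2-letter country code, non-intersecting ranges, .csv/.CSV name, at most 20MB) and the IP reputation blacklist described here (one IPv4 range per line as A.B.C.D or A.B.C.D/E, non-intersecting). Interpreting the decimal range bounds as 32-bit IPv4 integers and rejecting prefixes with host bits set are choices of this example, not statements from the page; the sample files are constructed.

```python
# Added example (not nevisAdmin code): offline validators for the IP-Country
# CSV upload and the IP reputation CIDR upload. Range bounds are treated as
# 32-bit IPv4 integers (assumption); sample data below is constructed.
import ipaddress
import re
from typing import List, Tuple

MAX_UPLOAD_BYTES = 20 * 1024 * 1024
CSV_LINE = re.compile(r'^"([^"]*)","([^"]*)","([^"]*)","([^"]*)"$')
CIDR_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def check_no_intersections(ranges: List[Tuple[int, int]]) -> None:
    """Inclusive (lo, hi) ranges; after sorting by lo, neighbour checks suffice."""
    ordered = sorted(ranges)
    for (lo1, hi1), (lo2, hi2) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            raise ValueError(f"intersecting ranges {lo1}-{hi1} and {lo2}-{hi2}")


def validate_ip_country_csv(filename: str, data: bytes) -> int:
    """Return the number of ranges in a valid IP-Country mapping file."""
    if not filename.endswith((".csv", ".CSV")):
        raise ValueError("file name must end with .csv or .CSV")
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file exceeds 20MB; upload it manually instead")
    ranges = []
    for number, line in enumerate(data.decode("utf-8").splitlines(), 1):
        if not line.strip():
            continue
        match = CSV_LINE.match(line)
        if not match:
            raise ValueError(f"line {number}: four comma-separated, double-quoted fields expected")
        lo_text, hi_text, cc, _country = match.groups()
        if not (lo_text.isdigit() and hi_text.isdigit()):
            raise ValueError(f"line {number}: range bounds must be decimal integers")
        lo, hi = int(lo_text), int(hi_text)
        if not 0 <= lo <= hi <= 0xFFFFFFFF:
            raise ValueError(f"line {number}: {lo}-{hi} is not a valid IPv4 range")
        if not (len(cc) == 2 and cc.isascii() and cc.isalpha() and cc.isupper()):
            raise ValueError(f"line {number}: {cc!r} is not a 2-letter country code")
        ranges.append((lo, hi))
    check_no_intersections(ranges)
    return len(ranges)


def validate_ip_reputation_list(text: str) -> int:
    """Return the number of blacklisted ranges in a valid reputation file."""
    ranges = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not CIDR_LINE.match(line):
            raise ValueError(f"line {number}: expected A.B.C.D or A.B.C.D/E")
        try:
            # strict=True also rejects host bits set in a prefix (e.g. 10.0.0.1/8),
            # a stricter check than the page states, chosen here as a typo guard.
            network = ipaddress.IPv4Network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {number}: {exc}") from exc
        ranges.append((int(network.network_address), int(network.broadcast_address)))
    check_no_intersections(ranges)
    return len(ranges)


# Constructed samples (not real geolocation or reputation data).
SAMPLE_CSV = b'''"16777216","16777471","AU","Australia"
"16777472","16778239","CN","China"
"16778240","16779263","AU","Australia"
'''
SAMPLE_BLACKLIST = "203.0.113.0/24\n198.51.100.5\n192.0.2.0/25\n"

if __name__ == "__main__":
    print(validate_ip_country_csv("ip-country.csv", SAMPLE_CSV), "CSV ranges")
    print(validate_ip_reputation_list(SAMPLE_BLACKLIST), "blacklisted ranges")
```

Running the validator as part of the update mechanism the text recommends catches a corrupted or intersecting download before it replaces the file the service reads; the intersection check sorts by range start, which is enough because any overlapping pair implies an overlapping adjacent pair in sorted order.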

Update Schedule

Pick the update frequency of the IP reputation database.

Valid values:

  • disabled - no update mechanism will be triggered. Not recommended for production environments.
  • hourly
  • daily
  • weekly
  • monthly

When selecting disabled, it is highly recommended to have a custom mechanism in place for keeping the database file up to date. We recommend setting up a periodic update of IP geolocation and reputation mappings.

Update URL

Provide a download URL for the database file. The file is downloaded then moved over to the path defined above.

Memory Limit

This setting defines the maximum amount of RAM that can be used by this instance.

VM Deployment

By default, the Java process will use 1/4 of the available RAM.

Depending on how many instances are deployed to the same target host this may be either too much or too little.

The value configured here will be used for the maximum heap size of the Java process (-Xmx).

Kubernetes Deployment

In Kubernetes deployment the value configured here will be ignored and the Java process will be configured to use a percentage of the available RAM.

Note that -Xmx is not set to avoid file changes when adapting the limit.

As the docker container runs only 1 process, the JVM flags -XX:+UseContainerSupport and -XX:MaxRAMPercentage=80.0 will be applied so that the Java process can use up to 80% of the configured limit.

Initial Memory Ratio

Use the given percentage of Memory Limit for the initial memory usage (-Xms).

This setting applies to classic VM deployments only.

Start Inactive

In a classic VM deployment the instance is restarted when a configuration file changes that requires a restart. The instance is not restarted when a configuration file changes that does not require a restart.

This setting defines if the instance should also be started when it is down.

This setting applies to classic VM deployment only. In Kubernetes deployment the container pods are always recreated when any configuration file changes.

Check Minimum Version

Select enabled to perform basic version checks.

In classic VM deployment we run a command on each target host to check which version of the component is installed.

In Kubernetes deployment we check the version of the docker image instead.

This check can be disabled for testing purposes.

Open Telemetry

OpenTelemetry is used for several use cases:

  • cross-component tracing in logs
  • exposing metrics

By default, OpenTelemetry is enabled and a Java agent is loaded.

If that Java agent is not present on the machines you are deploying to, then you have to provide it at /opt/agent/opentelemetry-javaagent.jar or select disabled.

Observation timeframe

Please provide the observation period length in days (365 by default).

Suspicious Country Code List

Provide a list of two-letter ISO country codes of considerable risk.

Input method 1: Single line - comma-delimited

Input method 2: One country code entry per line

ISO code descriptions can be found at: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Forward proxy host

Enter the host for the forward proxy if available.

Forward proxy port

Enter the port of the forward proxy if available.

3182

Distrust Feedback Settings

Provide additional settings for defining the details of the distrust session mechanism:

  • JWE key to generate new tokens with
  • nevisAuth reference to distrust and terminate sessions there as well
  • nevisProxy reference to build the distrust feedback URI
  • action to take on received token
  • token lifetime
  • redirect URL after sending the token

Bind Host

Enter a custom host name to listen on.

This setting is relevant in classic VM deployment, when working with multi-homed target hosts.

In Kubernetes the component listens on 0.0.0.0 and thus this setting is discouraged.

Provide a name for the cookie that will be used as the volatile identification for a browser.

Leave this configuration empty if you want to keep the default value of DEVICE_COOKIE.

Additional Settings

Assign an add-on pattern to customize the configuration.

nevisAdapt Log Settings

Defines log levels and log retention of nevisAdapt. Assign to a nevisAdapt Instance using Log Settings.

Default Log Level

Change the level of the root logger. This impacts all logging apart from Log Levels.

Note that Syslog appenders have a threshold which ensures that only INFO, WARN, or ERROR messages are forwarded.

Log Levels

Configure log levels.

See nevisDetect Reference Guide, chapter Logging Configuration for details.

Hint: If you only change log levels, nevisAdmin 4 does not restart the component in classic VM deployment. The new log configuration will be reloaded within 60 seconds after deployment.

The default configuration is:

ch.nevis.nevisadapt = INFO
ch.nevis.nevisdetect.util.logging.OpTracer = DEBUG

Examples:

org.springframework.web.filter.CommonsRequestLoggingFilter=DEBUG
ch.nevis.nevisdetect.entrypoint.icap.RequestProcessingHelper=INFO

Rotation Type

Select log rotation type.

Choose between:

  • size - defines the maximum file size before the log files are rolled over
  • time - defines the time span after which logs are rolled over

If you rotate by time we recommend you monitor the disk usage as log files can be huge.

Note: a combination of size and time based log rotation is not supported.

Max Backup Files

Maximum number of backup files to keep in addition to the current log file. When Rotation Type is time, this property is used as Logback's maxHistory property. This means that logs will be archived for this number of time units, where the time unit is as defined in Rotation Interval.

Max File Size

Maximum allowed file size (in bytes) before rolling over.

Suffixes "KB", "MB" and "GB" are allowed. 10KB = 10240 bytes, etc.

Note: not relevant when rotation type is time.

Rotation Interval

Rotation interval after which log files are rolled over.

This configuration is not used when Rotation Type is set to size.

Choose between:

  • daily - the postfix of rotated files will be .%d{yyyy-MM-dd}
  • hourly - the postfix of rotated files will be .%d{yyyy-MM-dd-HH}

Log Format

Logback log format for the default SERVER logs. This pattern is used for non-Kubernetes deployments.

Note: not relevant when Log Targets is set to syslog.

Syslog Format

Logback log format for the SERVER SYS logs.

Note: not relevant when Log Targets is set to default.

Log Targets

Select the type of appender.

In Kubernetes the default appender writes to standard output so that log messages appear in the Docker logs.

Choose between:

  • default - log to default target
  • default + syslog - log to default target and forward to a Syslog server
  • syslog - forward to a Syslog server only

Syslog Host

Defines where to send logs to via syslog.

This configuration is used only when syslog forwarding is enabled (see Log Targets).

The syslog facility is localhost3 and the threshold is INFO.

nevisAdapt REST API

The pattern exposes the nevisAdapt REST API on a nevisProxy Virtual Host.

The nevisAdapt REST API is available via /nevisadapt/api.

nevisAdapt Instance

Reference to the nevisAdapt Instance pattern.

Trust Store

Assign the trust store for outbound TLS connections.

If no pattern is assigned a trust store will be provided by nevisAdmin 4 automatic key management.

Hostname Validation

Enable to verify that the hostname on the certificate presented by the backend matches the hostname of nevisAdapt Instance.

Virtual Host

Assign a Virtual Host which shall serve as entry point.

Authentication Realm

Mandatory setting to enforce authentication.

Application Access Token

Propagate a token to the backend application. The token informs the application about the authenticated user.

Please assign a NEVIS SecToken. This is mandatory to have access to the Administration UI.

Additional Settings

Assign add-on patterns to customize the behaviour of this service.

Example use cases:

  • Authorization Policy to enforce roles or an authentication level.
  • URL Handling to redirect or forward requests.
  • HTTP Header Customization to add, replace, or remove HTTP headers in requests or responses.

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to send unwanted requests.

  • off (default) - no CSRF protection. Recommended for applications which may be called from other sites.
  • header-based - GET and HEAD requests are allowed (assumption: these methods must not manipulate server-side state). For other requests the Referer and Origin headers must match the Host header.
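The header-based rule, as an added example in Python that is not the nevisProxy implementation: it assumes that each of Origin and Referer that is present must match the Host header literally (including any port) and that at least one of them must be present on a state-changing request; the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Methods the rule treats as safe (assumed not to change server-side state).
SAFE_METHODS = {"GET", "HEAD"}


def _source_host(header_value: str):
    """Return the lower-cased host[:port] of an Origin/Referer value, or None.

    Covers the "Origin: null" case (opaque origin) and malformed values, which
    yield None and therefore never match the Host header.
    """
    netloc = urlsplit(header_value.strip()).netloc.lower()
    return netloc or None


def csrf_header_check(method: str, headers: dict):
    """Apply the header-based rule to one request; return (allowed, reason).

    headers maps header names (in any letter case) to their values.
    """
    h = {name.lower(): value for name, value in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    host = h.get("host", "").strip().lower()
    if not host:
        return False, "missing Host header"
    present = [(n, h[n.lower()]) for n in ("Origin", "Referer") if n.lower() in h]
    if not present:
        return False, "state-changing request without Origin or Referer"
    for name, value in present:
        source = _source_host(value)
        if source != host:
            return False, f"{name} host {source!r} does not match Host {host!r}"
    return True, "Origin/Referer match Host"


# Constructed sample requests: (method, headers, expected decision)
SAMPLE_REQUESTS = [
    ("GET", {"Host": "app.example.com"}, True),
    ("POST", {"Host": "app.example.com", "Origin": "https://app.example.com"}, True),
    ("POST", {"Host": "app.example.com", "Referer": "https://app.example.com/form"}, True),
    ("POST", {"Host": "app.example.com", "Origin": "https://attacker.example"}, False),
    ("POST", {"Host": "app.example.com", "Origin": "null"}, False),
    ("POST", {"Host": "app.example.com"}, False),
    # Port is part of the literal match: Host with port vs Origin without port is rejected.
    ("DELETE", {"Host": "app.example.com:8443", "Origin": "https://app.example.com"}, False),
]


def run_samples():
    """Evaluate the constructed requests; return the list of (allowed, reason) results."""
    return [csrf_header_check(m, hdrs) for m, hdrs, _ in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, hdrs, expected), (allowed, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:6} {'ALLOW' if allowed else 'DENY':5} (expected {expected}): {reason}")
```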

nevisAdapt Remember Me Step

Using the pattern, you can integrate nevisAdapt as a remember-me service in nevisAuth.

If the provided token is found and still valid, the authentication process is cut short.

If no remember-me token is provided or it is no longer valid, the step generates a new one and then initiates the original full authentication process. If all the authentication steps complete successfully, nevisAdapt persists the new token so that it can be used for quick entry later. Keep On Success empty in order to shortcut the authentication flow.

CAUTION: If On Success and Original Authentication Flow are set to the same step, the remember-me functionality is disabled.

nevisAdapt

Reference for the nevisAdapt service to check for the presence of the provided remember-me token.

On Success

Decides what to do if the remember-me token is present and valid. Leave empty for skipping to the end of the authentication flow immediately.

CAUTION: Setting this to the same step as Original Authentication Flow disables the remember-me functionality.

Original Authentication Flow

Set the first step of the full authentication flow to continue with in case no valid remember-me cookie was found:

  • the remember-me cookie is not present in the headers
  • the remember-me cookie is present but no longer valid
  • the associated user is no longer active
  • the browser fingerprint has changed

CAUTION: Setting this to the same step as On Success disables the remember-me functionality.

Key Store

The key store used by this pattern to establish a connection with the nevisAdapt component. For a client TLS connection, this key store should be trusted by the nevisAdapt Instance. If no pattern is assigned here automatic key management will provide the key store.

Trust Store

The trust store used by this pattern to establish a connection with the nevisAdapt component. This trust store must trust the nevisAdapt Instance's key store. Please reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin automatic key management.

FingerprintJS version

This configuration option gives the administrator the ability to ensure backwards compatibility in case V2 fingerprints have been in use so far.

  • V2 - to ensure backward compatibility, FingerprintJS V2 will be used
  • V3 - default option, uses FingerprintJS V3

nevisAdapt Risk Plugin

The pattern configures nevisAdapt risk scores to be propagated to the nevisDetect backend for further processing.

For more information, see Risk score mapping for nevisAdapt.

nevisAdapt

Pattern reference for the nevisAdapt Instance to connect to.

Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Propagate NevisAdaptDeviceFingerprint Risk Scores

Risk scores to be delivered to the client in the request headers. Enable this option to propagate the device fingerprint risk score.

Propagate NevisAdaptDeviceRecognition Risk Scores

Risk scores to be delivered to the client in the request headers. Enable this option to propagate the device cookie risk score.

Propagate NevisAdaptGeolocation Risk Scores

Risk scores to be delivered to the client in the request headers. Enable this option to propagate the geolocation risk score.

Custom Properties

Set the value for the following optional parameters if the default ones do not match the requirements:

  • cacheDisabled = (default 'false')
  • ignoreHttpRequest = (default 'false')
  • ignoreTlsObservation = (default 'true')

nevisDetect Admin Instance

Using the pattern, you can set up the administration service for nevisDetect.

TCP Service Port

Enter the port on which nevisDetect Admin service will listen.

nevisDetect Message Queue

Add references (at least one) for the patterns configuring Java Messaging Service. In case of Kubernetes deployment, only one configuration is allowed.

Two different options are allowed at this time:

  • nevisDetect Message Queue Instance - deployment pattern for a dedicated MQ component
  • ActiveMQ Client Configuration - connect to an external ActiveMQ service via SSL

WARNING: In case of Kubernetes deployment, only ActiveMQ Client Configuration is supported.

Log Settings

Assign nevisDetect Log Settings to change the log configuration.

Frontend Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Frontend Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

SecToken Signer Trust Store

Assign the Trust Store provider for verifying the NEVIS SecToken. If no pattern is assigned the signer key will be provided by the nevisAdmin 4 PKI.

Message Queue Client Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Message Queue Client Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Memory Limit

This setting defines the maximum amount of RAM that can be used by this instance.

VM Deployment

By default, the Java process will use 1/4 of the available RAM.

Depending on how many instances are deployed to the same target host this may be either too much or too little.

The value configured here will be used for the maximum heap size of the Java process (-Xmx).

Kubernetes Deployment

In Kubernetes deployment the value configured here will be ignored and the Java process will be configured to use a percentage of the available RAM.

Note that -Xmx is not set to avoid file changes when adapting the limit.

As the Docker container runs only one process, the JVM flags -XX:+UseContainerSupport and -XX:MaxRAMPercentage=80.0 will be applied so that the Java process can use up to 80% of the configured limit.

Initial Memory Ratio

Use the given percentage of Memory Limit for the initial memory usage (-Xms).

This setting applies to classic VM deployments only.

Start Inactive

In a classic VM deployment the instance is restarted when a configuration file changes that requires a restart. The instance is not restarted when a configuration file changes that does not require a restart.

This setting defines if the instance should also be started when it is down.

This setting applies to classic VM deployment only. In Kubernetes deployment the container pods are always recreated when any configuration file changes.

Check Minimum Version

Select enabled to perform basic version checks.

In classic VM deployment we run a command on each target host to check which version of the component is installed.

In Kubernetes deployment we check the version of the docker image instead.

This check can be disabled for testing purposes.

Open Telemetry

OpenTelemetry is used for several use cases:

  • cross-component tracing in logs
  • exposing metrics

By default, OpenTelemetry is enabled and a Java agent is loaded.

If that Java agent is not present on the machines you are deploying to, then you have to provide it at /opt/agent/opentelemetry-javaagent.jar or select disabled.

Bind Host

Enter a custom host name to listen on.

This setting is relevant in classic VM deployment, when working with multi-homed target hosts.

In Kubernetes the component listens on 0.0.0.0 and thus this setting is discouraged.

Additional Settings

Assign an add-on pattern to customize the configuration.

nevisDetect Administration GUI

The pattern exposes the nevisDetect Frontend GUIs on a nevisProxy Virtual Host.

The Administration GUI is available on /nevisdetect/admin.

nevisDetect Admin

Reference for the pattern with the details of the web application.

Supported patterns:

  • nevisDetect Admin Instance

Trust Store

Assign the trust store for outbound TLS connections.

If no pattern is assigned a trust store will be provided by nevisAdmin 4 automatic key management.

Hostname Validation

Enable to verify that the hostname on the certificate presented by the backend matches the hostname of nevisDetect Admin.

Virtual Host

Assign a Virtual Host which shall serve as entry point.

Authentication Realm

Mandatory setting to enforce authentication.

Application Access Token

Propagate a token to the backend application. The token informs the application about the authenticated user.

Please assign a NEVIS SecToken. This is mandatory to have access to the Administration UI.

Additional Settings

Assign add-on patterns to customize the behaviour of this service.

Example use cases:

  • Authorization Policy to enforce roles or an authentication level.
  • URL Handling to redirect or forward requests.
  • HTTP Header Customization to add, replace, or remove HTTP headers in requests or responses.

nevisDetect Authentication Connector

Using the pattern, you can integrate nevisDetect as an authentication step in nevisAuth.

It is required to send the authentication requests to nevisDetect for analysis and to set the device recognition cookie for nevisAdapt.

nevisDetect Core

Pattern reference for the nevisDetect Core Instance to connect to.

nevisAdapt

Optional pattern reference for the nevisAdapt Instance to help configure the device cookie name.

On Success

Set the step to continue with on successful authentication.

On Failure

Set the step to continue with in case of error. If nothing is set, the authentication fails.

Message Queue Client Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Message Queue Client Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

If unset, the cookie will not be scoped to subdomains. Set this value to a specific domain to include more than one hostname.

Example: The user wants to log in through example.com

If no value is given, the cookie will be effective for requests with the following addresses:

If the value is actually set as example.com, the cookie will be effective for requests against subdomains as well:

nevisDetect Core Instance

Using the pattern, you can set up the plugin administration for nevisDetect.

TCP Service Port

Enter the port on which nevisDetect Core will listen.

nevisDetect Persistency

Add reference for a nevisDetect Persistency Instance pattern.

nevisDetect Message Queue

Add reference for the pattern providing Java Messaging Service.

Two different options are allowed at this time:

  • nevisDetect Message Queue Instance - deployment pattern for a dedicated MQ component
  • ActiveMQ Client Configuration - connect to an external ActiveMQ service via SSL

WARNING: In case of Kubernetes deployment, only ActiveMQ Client Configuration is supported.

Risk Plugins

List of Risk Plugins that are loaded by this nevisDetect Core component.

Log Settings

Assign nevisDetect Log Settings to change the log configuration.

Frontend Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Frontend Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Message Queue Client Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Message Queue Client Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Memory Limit

This setting defines the maximum amount of RAM that can be used by this instance.

VM Deployment

By default, the Java process will use 1/4 of the available RAM.

Depending on how many instances are deployed to the same target host this may be either too much or too little.

The value configured here will be used for the maximum heap size of the Java process (-Xmx).

Kubernetes Deployment

In Kubernetes deployment the value configured here will be ignored and the Java process will be configured to use a percentage of the available RAM.

Note that -Xmx is not set to avoid file changes when adapting the limit.

As the Docker container runs only one process, the JVM flags -XX:+UseContainerSupport and -XX:MaxRAMPercentage=80.0 will be applied so that the Java process can use up to 80% of the configured limit.

Initial Memory Ratio

Use the given percentage of Memory Limit for the initial memory usage (-Xms).

This setting applies to classic VM deployments only.

Start Inactive

In a classic VM deployment the instance is restarted when a configuration file changes that requires a restart. The instance is not restarted when a configuration file changes that does not require a restart.

This setting defines if the instance should also be started when it is down.

This setting applies to classic VM deployment only. In Kubernetes deployment the container pods are always recreated when any configuration file changes.

Check Minimum Version

Select enabled to perform basic version checks.

In classic VM deployment we run a command on each target host to check which version of the component is installed.

In Kubernetes deployment we check the version of the docker image instead.

This check can be disabled for testing purposes.

Open Telemetry

OpenTelemetry is used for several use cases:

  • cross-component tracing in logs
  • exposing metrics

By default, OpenTelemetry is enabled and a Java agent is loaded.

If that Java agent is not present on the machines you are deploying to, then you have to provide it at /opt/agent/opentelemetry-javaagent.jar or select disabled.

Bind Host

Enter a custom host name to listen on.

This setting is relevant in classic VM deployment, when working with multi-homed target hosts.

In Kubernetes the component listens on 0.0.0.0 and thus this setting is discouraged.

Additional Settings

Assign an add-on pattern to customize the configuration.

nevisDetect Database

Configures nevisDetect to use a MariaDB database. Assign to nevisDetect Persistency Instance as Database.

When deploying to Kubernetes, the database and connection user will be created automatically. The database schema will be migrated automatically on the next deployment when upgrading Nevis.

In classic VM deployments a database including tables must be set up before deployment.

Setup instructions can be found in the nevisDetect technical documentation. See Database setup for details.

If you want to use an Oracle database you have to set Custom Connection URL, instead of using the high-level settings, and upload the JDBC Driver.

Database Type

Choose between MariaDB, Oracle and PostgreSQL.

We recommend using MariaDB as it is supported by all Nevis components that have a database.

Note: PostgreSQL support is an experimental configuration only.

Database Host

Enter the host name of the database service.

The database service must be up when you deploy.

In a classic deployment the Database User and Database Password are used to connect.

In Kubernetes deployment a connection user and password will be generated and the Root Credential will be used to set up the database schema.

Database Name

Enter the name of the database.

This database will be created in the database service.

Root Credential

Enter the name of a Kubernetes secret which contains the user and password of a database root account.

Required in Kubernetes deployment when Advanced Settings / Database Management is set to complete or schema.

This is the default behaviour in Kubernetes.

With complete the secret should contain the following:

username: <root-user>
password: <root-password>

If the Database Management is set to schema, the root user can be omitted, but the application and schema users have to be specified:

ownerUsername: <some-username>
ownerPassword: <some-password>
appUsername: <some-username>
appPassword: <some-password>

If used with complete the app and owner users will be created with the credentials specified in the secret.

Due to the usage of schemas, it is recommended to create a separate Kubernetes secret for each database pattern with the app and owner credentials when using Oracle or PostgreSQL.

Root Credential Namespace

Set if the Root Credential is in a different Kubernetes namespace.

Database User

Enter the user for the DB connection.

Database Password

Enter the password of the DB connection user.

TLS Encryption

If enabled the query parameter useSSL=true will be added to enable 1-way TLS.

If no Trust Store is assigned then trustServerCertificate=true will be added to the connection string.

Assignment of a Trust Store is recommended for production use.

Note: the PostgreSQL database connection configuration does not support TLS connections yet.

Trust Store

Assign a trust store which provides the CA certificate of the DB endpoint.

JDBC Driver

Due to licensing, nevisDetect cannot ship the JDBC driver to connect to Oracle databases. Therefore, those who want to use an Oracle database need to obtain and provide the Oracle JDBC driver on their own.

The .jar files can be downloaded from Oracle.

Uploading any other .jar files containing JDBC drivers is possible as well.

Database Management

The pattern can set up the database and its schema when deploying to Kubernetes.

The complete option, on top of handling the schema migration, will do the initial database preparation like creating the actual database (or tablespace in case of Oracle), as well as creating the required database users.

The schema option will skip the initial preparation and will only take care of the actual schema migration. This requires the schema owner and the application user credentials to be present in the root credential secret. The root user information can be omitted with this option.

You can select disabled here to opt out. In this case you have to create and migrate the database schema yourself.

This feature is set to recommended by default, which aims for the most convenient solution based on the deployment type. In case of Kubernetes deployments, it uses complete. In a classic VM deployment, it will use schema if the pattern allows setting Schema User and Schema Password, otherwise it is disabled.

Flyway License Key

Please provide a licence key if you use the Flyway Teams Edition.

This is recommended only if you use an old database version (more than 5 years old). If you do not provide a licence key, the Flyway Community Edition will be used by default.

For more information about Flyway editions, please visit the Flyway page.

Datasource Configuration Method

Select which method of generation should be applied when configuring the Hikari datasource for the database connection.

Possible options:

  • recommended: the default option, this sets up three explicit values:
    • Maximum session lifetime: 300s
    • Session idle timeout: 100s
    • Maximum pool size: 50
  • custom: specify values in the next text area, separate keys and values with =. The valid keys can be found at HikariCP - GitHub.
  • unmodified: this configuration doesn't generate anything, leaving all default configurations coming from the library in effect.

Datasource Configuration Values

Specify custom values for Hikari datasource configuration. Separate keys and values with =. The valid keys can be found at HikariCP - GitHub.

Example to set the same as if selecting recommended:

maxLifetime=300000
idleTimeout=100000
maximumPoolSize=50

Connection Parameters

Enter parameters for the DB connection string.

Enter 1 parameter per line.

Lines will be joined with &.

The default is:

useMysqlMetadata=true

The default value will be used only when no parameters are entered.

If you want to keep the default parameters, add them as well.

Connection URL

Set only if you have to use a JDBC connection string which the pattern cannot generate.

If the prefix of the connection string works for you and you only have to add or overwrite query parameters, set Connection Parameters instead.

If you have to use this setting, please consult your setup with your integration partner.

In Kubernetes deployments the connection string configured here is used by the component only. It is not used to set up and migrate the database schema.

Thus, this setting should only be used in classic deployments, or when Database Management is disabled.

nevisDetect Feature Correlator Instance

Using the pattern, you can set up the feature correlation within nevisDetect to be able to correlate the requests coming from nevisProxy.

See also nevisDetect Feature Correlator.

TCP Service Port

Enter the port on which nevisDetect Feature Correlator will listen.

nevisDetect Persistency

Add reference for a nevisDetect Persistency Instance pattern.

nevisDetect Message Queue

Add reference for the pattern providing Java Messaging Service.

Two different options are allowed at this time:

  • nevisDetect Message Queue Instance - deployment pattern for a dedicated MQ component
  • ActiveMQ Client Configuration - connect to an external ActiveMQ service via SSL

WARNING: In case of Kubernetes deployment, only ActiveMQ Client Configuration is supported.

Log Settings

Assign nevisDetect Log Settings to change the log configuration.

Content-Type Restriction

Apply restriction based on the request header Content-Type.

Sub-path Restriction

Set to apply this pattern on some sub-paths only.

Sub-paths must be relative (e.g. not starting with /) and will be appended to the frontend path(s) of the virtual host (/) or applications this pattern is assigned to.

Sub-paths ending with / are treated as a prefix, otherwise an exact filter-mapping will be created.

The following table provides examples to illustrate the behaviour:

Frontend Path   Sub-Path   Effective Filter Mapping
/               secure/    /secure/*
/               accounts   /accounts
/api/           secure/    /api/secure/*
/api/           accounts   /api/accounts
/app/           secure/    /app/secure/*
/app/           accounts   /app/accounts
/app/api/       secure/    /app/api/secure/*
/app/api/       accounts   /app/api/accounts
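An added example (not the plugin's own code) that derives the effective mappings of the table above from the stated rules and shows why an exact mapping does not cover sub-resources; the rejection of ".." segments and the trailing-slash normalisation of the frontend path are assumptions beyond the text.

```python
def effective_filter_mapping(frontend_path: str, sub_path: str) -> str:
    """Derive the filter mapping for one frontend path and one sub-path.

    Rules from the pattern description:
      - the sub-path must be relative (must not start with "/")
      - it is appended to the frontend path
      - a trailing "/" makes it a prefix mapping ("/*"); otherwise the mapping is exact
    """
    if not sub_path or sub_path.startswith("/"):
        raise ValueError(f"sub-path must be relative and non-empty: {sub_path!r}")
    # Defensive addition (not from the pattern description): refuse ".." segments,
    # which would otherwise let a sub-path escape the frontend path it is scoped to.
    if ".." in sub_path.split("/"):
        raise ValueError(f"sub-path must not contain '..' segments: {sub_path!r}")
    # Assumption: frontend paths are directory-style; normalise a missing trailing "/".
    base = frontend_path if frontend_path.endswith("/") else frontend_path + "/"
    mapping = base + sub_path
    return mapping + "*" if mapping.endswith("/") else mapping


def expand_mappings(frontend_paths, sub_paths):
    """Return every effective mapping for the given frontend paths and sub-paths."""
    return [effective_filter_mapping(fp, sp) for fp in frontend_paths for sp in sub_paths]


def mapping_matches(mapping: str, request_path: str) -> bool:
    """Does a request path fall under a mapping? (simplified servlet-style matching)

    Exact mappings match only the identical path; prefix mappings ("/x/*")
    match any path that starts with "/x/".
    """
    if mapping.endswith("/*"):
        return request_path.startswith(mapping[:-1])
    return request_path == mapping


if __name__ == "__main__":
    # Reproduces the rows of the table above.
    for m in expand_mappings(["/", "/api/", "/app/", "/app/api/"], ["secure/", "accounts"]):
        print(m)
    # An exact mapping does not cover sub-resources: a common surprise when restricting a path.
    print(mapping_matches("/accounts", "/accounts/42"))  # False
    print(mapping_matches("/secure/*", "/secure/42"))    # True
```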

Frontend Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Frontend Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Message Queue Client Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Message Queue Client Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Memory Limit

This setting defines the maximum amount of RAM that can be used by this instance.

VM Deployment

By default, the Java process will use 1/4 of the available RAM.

Depending on how many instances are deployed to the same target host this may be either too much or too little.

The value configured here will be used for the maximum heap size of the Java process (-Xmx).

Kubernetes Deployment

In Kubernetes deployment the value configured here will be ignored and the Java process will be configured to use a percentage of the available RAM.

Note that -Xmx is not set to avoid file changes when adapting the limit.

As the Docker container runs only one process, the JVM flags -XX:+UseContainerSupport and -XX:MaxRAMPercentage=80.0 will be applied so that the Java process can use up to 80% of the configured limit.

Initial Memory Ratio

Use the given percentage of Memory Limit for the initial memory usage (-Xms).

This setting applies to classic VM deployments only.

Start Inactive

In a classic VM deployment the instance is restarted when a configuration file changes that requires a restart. The instance is not restarted when a configuration file changes that does not require a restart.

This setting defines if the instance should also be started when it is down.

This setting applies to classic VM deployment only. In Kubernetes deployment the container pods are always recreated when any configuration file changes.

Check Minimum Version

Select enabled to perform basic version checks.

In classic VM deployment we run a command on each target host to check which version of the component is installed.

In Kubernetes deployment we check the version of the docker image instead.

This check can be disabled for testing purposes.

Open Telemetry

OpenTelemetry is used for several use cases:

  • cross-component tracing in logs
  • exposing metrics

By default, OpenTelemetry is enabled and a Java agent is loaded.

If that Java agent is not present on the machines you are deploying to, then you have to provide it at /opt/agent/opentelemetry-javaagent.jar or select disabled.

Bind Host

Enter a custom host name to listen on.

This setting is relevant in classic VM deployment, when working with multi-homed target hosts.

In Kubernetes the component listens on 0.0.0.0 and thus this setting is discouraged.

Additional Settings

Assign an add-on pattern to customize the configuration.

nevisDetect Log Settings

Defines log levels and log retention of nevisDetect. Assign to a nevisDetect <Subcomponent> Instance using Log Settings.

Default Log Level

Change the level of the root logger. This impacts all logging apart from Log Levels.

Note that Syslog appenders have a threshold which ensures that only INFO, WARN, or ERROR messages are forwarded.

Log Levels

Configure log levels.

See nevisDetect Reference Guide, chapter Logging Configuration for details.

Hint: If you only change log levels nevisAdmin 4 does not restart the component in classic VM deployment. The new log configuration will be reloaded within 60 seconds after deployment.

The default configuration is:

ch.nevis.nevisadapt = INFO
ch.nevis.nevisdetect.util.logging.OpTracer = DEBUG

Examples:

org.springframework.web.filter.CommonsRequestLoggingFilter=DEBUG
ch.nevis.nevisdetect.entrypoint.icap.RequestProcessingHelper=INFO

Rotation Type

Select log rotation type.

Choose between:

  • size - defines the maximum file size before the log files are rolled over
  • time - defines the time span after which logs are rolled over

If you rotate by time, we recommend monitoring disk usage, as log files can become huge.

Note: a combination of size and time based log rotation is not supported.

Max Backup Files

Maximum number of backup files to keep in addition to the current log file. When Rotation Type is time, this property is used as Logback's maxHistory property. This means that logs will be archived for this number of time units where time unit is as defined in Rotation Interval.

Max File Size

Maximum allowed file size (in bytes) before rolling over.

Suffixes "KB", "MB" and "GB" are allowed. 10KB = 10240 bytes, etc.

Note: not relevant when rotation type is time.

Rotation Interval

Rotation interval after which log files are rolled over.

This configuration is not used when Rotation Type is set to size.

Choose between:

  • daily - the postfix of rotated files will be .%d{yyyy-MM-dd}
  • hourly - the postfix of rotated files will be .%d{yyyy-MM-dd-HH}
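The following logback.xml fragment is an added illustration, not configuration generated by nevisAdmin 4, of how Rotation Type, Max Backup Files, Max File Size, Rotation Interval and Log Levels map onto Logback; the LOG_DIR path and the appender names are placeholders chosen for the example.

```xml
<configuration>
  <!-- Added example: LOG_DIR is a placeholder path and the appender names are assumptions. -->
  <property name="LOG_DIR" value="/path/to/nevisdetect/log"/>

  <!-- Rotation Type = time, Rotation Interval = daily, Max Backup Files = 10:
       rolled files get the .%d{yyyy-MM-dd} postfix and maxHistory keeps 10 days of them.
       Max File Size is ignored, so a single day's file can grow without bound. -->
  <appender name="SERVER_TIME" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${LOG_DIR}/server.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>${LOG_DIR}/server.log.%d{yyyy-MM-dd}</fileNamePattern>
      <maxHistory>10</maxHistory>
    </rollingPolicy>
    <encoder>
      <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} %-5level [%thread] %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Rotation Type = size, Max File Size = 10MB, Max Backup Files = 10:
       rollover triggers on size and server-size.log.1 .. .10 are kept, so disk usage
       is bounded by about 11 x 10MB. Rotation Interval is ignored. -->
  <appender name="SERVER_SIZE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${LOG_DIR}/server-size.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
      <fileNamePattern>${LOG_DIR}/server-size.log.%i</fileNamePattern>
      <minIndex>1</minIndex>
      <maxIndex>10</maxIndex>
    </rollingPolicy>
    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
      <maxFileSize>10MB</maxFileSize>
    </triggeringPolicy>
    <encoder>
      <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} %-5level [%thread] %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Log Levels: the page's default entries; Default Log Level sets the root logger.
       Only one of the two appenders would be referenced in a real deployment, since
       combined size and time rotation is not supported. -->
  <logger name="ch.nevis.nevisadapt" level="INFO"/>
  <logger name="ch.nevis.nevisdetect.util.logging.OpTracer" level="DEBUG"/>
  <root level="INFO">
    <appender-ref ref="SERVER_TIME"/>
  </root>
</configuration>
```

The size-based variant gives a predictable disk ceiling, which is why the time-based variant is the one that needs disk monitoring.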

Log Format

Logback log format for the default SERVER logs. This pattern is used for non-Kubernetes deployments.

Note: not relevant when Log Targets is set to syslog.

Syslog Format

Logback log format for the SERVER SYS logs.

Note: not relevant when Log Targets is set to default.

Log Targets

Select the type of appender.

In Kubernetes the default appender writes to standard output so that log messages appear in the Docker logs.

Choose between:

  • default - log to default target
  • default + syslog - log to default target and forward to a Syslog server
  • syslog - forward to a Syslog server only

Syslog Host

Defines where to send logs to via syslog.

This configuration is used only when syslog forwarding is enabled (see Log Targets).

The syslog facility is localhost3 and the threshold is INFO.

nevisDetect Message Queue Instance

Using the pattern, you can set up an ActiveMQ service for nevisDetect.

Message Broker Name

The name for the broker to configure ActiveMQ with.

Server Port

Enter the port on which nevisDetect MQ will listen.

Frontend Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Frontend Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Memory Limit

This setting defines the maximum amount of RAM that can be used by this instance.

VM Deployment

By default, the Java process will use 1/4 of the available RAM.

Depending on how many instances are deployed to the same target host this may be either too much or too little.

The value configured here will be used for the maximum heap size of the Java process (-Xmx).

Kubernetes Deployment

In Kubernetes deployment the value configured here will be ignored and the Java process will be configured to use a percentage of the available RAM.

Note that -Xmx is not set, so that adapting the limit does not require a configuration file change.

As the Docker container runs only one process, the JVM flags -XX:+UseContainerSupport and -XX:MaxRAMPercentage=80.0 are applied so that the Java process can use up to 80% of the configured limit.

Initial Memory Ratio

Use the given percentage of Memory Limit for the initial memory usage (-Xms).

This setting applies to classic VM deployments only.

Start Inactive

In a classic VM deployment the instance is restarted when a configuration file that requires a restart changes. It is not restarted when a configuration file that does not require a restart changes.

This setting defines whether the instance should also be started when it is down.

This setting applies to classic VM deployment only. In Kubernetes deployment the container pods are always recreated when any configuration file changes.

Check Minimum Version

Select enabled to perform basic version checks.

In classic VM deployment we run a command on each target host to check which version of the component is installed.

In Kubernetes deployment we check the version of the docker image instead.

This check can be disabled for testing purposes.

Open Telemetry

OpenTelemetry is used for several use cases:

  • cross-component tracing in logs
  • exposing metrics

By default, OpenTelemetry is enabled and a Java agent is loaded.

If that Java agent is not present on the machines you are deploying to, then you have to provide it at /opt/agent/opentelemetry-javaagent.jar or select disabled.

Bind Host

Enter a custom host name to listen on.

This setting is relevant in classic VM deployment, when working with multi-homed target hosts.

In Kubernetes the component listens on 0.0.0.0 and thus this setting is discouraged.

Additional Settings

Assign an add-on pattern to customize the configuration.

nevisDetect Persistency Instance

Using the pattern, you can set up the persistency service for nevisDetect.

TCP Service Port

Enter the port on which nevisDetect Persistency will listen.

Database

Add a database connection reference pattern.

Required properties to be set in the connector pattern are as follows:

  • JDBC Driver (Oracle or MariaDB)
  • JDBC URL
  • DB user/password

nevisDetect Message Queue

Add a reference to the pattern providing the Java Messaging Service.

Two different options are allowed at this time:

  • nevisDetect Message Queue Instance - deployment pattern for a dedicated MQ component
  • ActiveMQ Client Configuration - connect to an external ActiveMQ service via SSL

WARNING: In case of Kubernetes deployment, only ActiveMQ Client Configuration is supported.

Log Settings

Assign nevisDetect Log Settings to change the log configuration.

Frontend Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Frontend Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

SecToken Signer Trust Store

Assign the Trust Store provider for verifying the NEVIS SecToken. If no pattern is assigned the signer key will be provided by the nevisAdmin 4 PKI.

Message Queue Client Key Store

Used when simple or mutual (2-way) HTTPs is configured. If no pattern is assigned here automatic key management will provide the key store.

Message Queue Client Trust Store

Reference a trust store provider pattern or leave empty to manage the trust store with nevisAdmin.

Memory Limit

This setting defines the maximum amount of RAM that can be used by this instance.

VM Deployment

By default, the Java process will use 1/4 of the available RAM.

Depending on how many instances are deployed to the same target host this may be either too much or too little.

The value configured here will be used for the maximum heap size of the Java process (-Xmx).

Kubernetes Deployment

In Kubernetes deployment the value configured here will be ignored and the Java process will be configured to use a percentage of the available RAM.

Note that -Xmx is not set, so that adapting the limit does not require a configuration file change.

As the Docker container runs only one process, the JVM flags -XX:+UseContainerSupport and -XX:MaxRAMPercentage=80.0 are applied so that the Java process can use up to 80% of the configured limit.

Initial Memory Ratio

Use the given percentage of Memory Limit for the initial memory usage (-Xms).

This setting applies to classic VM deployments only.

Start Inactive

In a classic VM deployment the instance is restarted when a configuration file that requires a restart changes. It is not restarted when a configuration file that does not require a restart changes.

This setting defines whether the instance should also be started when it is down.

This setting applies to classic VM deployment only. In Kubernetes deployment the container pods are always recreated when any configuration file changes.

Check Minimum Version

Select enabled to perform basic version checks.

In classic VM deployment we run a command on each target host to check which version of the component is installed.

In Kubernetes deployment we check the version of the docker image instead.

This check can be disabled for testing purposes.

Open Telemetry

OpenTelemetry is used for several use cases:

  • cross-component tracing in logs
  • exposing metrics

By default, OpenTelemetry is enabled and a Java agent is loaded.

If that Java agent is not present on the machines you are deploying to, then you have to provide it at /opt/agent/opentelemetry-javaagent.jar or select disabled.

Bind Host

Enter a custom host name to listen on.

This setting is relevant in classic VM deployment, when working with multi-homed target hosts.

In Kubernetes the component listens on 0.0.0.0 and thus this setting is discouraged.

Additional Settings

Assign an add-on pattern to customize the configuration.

nevisDetect Persistency REST API

The pattern exposes the nevisDetect Frontend GUIs on a nevisProxy Virtual Host.

The nevisDetect Persistency REST API is available on /nevisdetect/persistency.

nevisDetect Persistency

Reference for the pattern with the details of the web application.

Supported patterns:

  • nevisDetect Persistency Instance

Trust Store

Assign the trust store for outbound TLS connections.

If no pattern is assigned a trust store will be provided by nevisAdmin 4 automatic key management.

Hostname Validation

Enable to verify that the hostname on the certificate presented by the backend matches the hostname of nevisDetect Persistency.

Virtual Host

Assign a Virtual Host which shall serve as entry point.

Authentication Realm

Mandatory setting to enforce authentication.

Application Access Token

Propagate a token to the backend application. The token informs the application about the authenticated user.

Please assign a NEVIS SecToken. This is mandatory to have access to the Administration UI.

Additional Settings

Assign add-on patterns to customize the behaviour of this service.

Example use cases:

  • Authorization Policy to enforce roles or an authentication level.
  • URL Handling to redirect or forward requests.
  • HTTP Header Customization to add, replace, or remove HTTP headers in requests or responses.