Configuration Properties in the nevisadmin4.yml File
The properties on this page apply to the nevisAdmin 4 application itself. To configure Nevis functionality and components such as nevisProxy and nevisAuth, refer to the Nevis Configuration Guide.
You configure the settings that influence the behavior of the nevisAdmin 4 application in the file /var/opt/nevisadmin4/conf/nevisadmin4.yml.
The table below lists all currently supported settings.
info
Nested format Due to the nature of YAML, you have to convert the properties to nested format. For an example of this format, see the DB Connection settings in the chapter Initial Setup.
| Property Name | Default | Description |
|---|---|---|
| db.datasource.url | The MariaDB nevisAdmin 4 URL. | |
| db.datasource.username | The MariaDB nevisAdmin 4 application user name. | |
| db.datasource.password | The MariaDB nevisAdmin 4 application user password. To avoid having a plaintext password in the file, you can set the environment variable DB_DATASOURCE_PASSWORD instead. | |
| db.migration.username | The MariaDB nevisAdmin 4 schema owner user name (used for schema updates during DB migration). | |
| db.migration.password | The MariaDB nevisAdmin 4 schema owner password. To avoid having a plaintext password in this file, you can set the environment variable DB_MIGRATION_PASSWORD instead. | |
| db.auto-migration.enabled | true (false in Kubernetes setups) | Set this property to "false", if you want to disable automated DB migration on application startup.(info) In case of Kubernetes setups, the migration is done by the nevisadmin4-dbschema image instead. |
| server.port | 9080 | The nevisAdmin 4 server port. |
| server.servlet.context-path | /nevisadmin | The nevisAdmin 4 context path. |
| server.tls.keystore | The keystore containing the certificate used for HTTPS. | |
| server.tls.keystore-passphrase | The keystore password. To avoid having a plaintext password in this file, you can set the environment variable SERVER_TLS_KEYSTORE_PASSPHRASE instead. | |
| server.tls.keystore-type | pkcs12 | The keystore type. The recommended type is "pkcs12". |
| server.tls.key-alias | Alias that identifies the key in the keystore. | |
| server.tls.protocol | TLS | SSL protocol to use. |
| server.tls.supported-protocols | Supported SSL protocols. Possible values are: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2. | |
| server.tls.cipher-suites | Supported SSL cipher suites. | |
| management.server.port | 9089 | The nevisAdmin 4 management server port. The management server provides additional endpoints (for example, health-check). |
| authentication.realm.local.enabled | true | If set to "true" (the default), nevisAdmin 4 authenticates the username/ password against the database. |
| authentication.realm.ldap.enabled | false | If set to "true", nevisAdmin 4 authenticates the username/ password against LDAP. If both local and LDAP authentication are enabled, then user authentication happens in the following order: first LDAP, then local. For the configuration of the LDAP authentication, see the authentication.ldap.* properties below. |
| authentication.ldap.user.dn.template | {0} | The query string used to authenticate a user. The default value "{0}" is replaced with the user ID.You do not need this property if you use search properties and domain suffix. For more information, see the *.principal-suffix and the *.*search.* properties below. |
| authentication.ldap.context.url | The LDAP server URL. | |
| authentication.ldap.context. system-user-name | The ID of a read-only user that has permissions to retrieve user and group information. If this property is not set, the fetching of user (and group membership) details is disabled. This means that in this case only LDAP is used for authentication. | |
| authentication.ldap.context. system-user-password | The password of the read-only system user. | |
| authentication.ldap.context. principal-suffix | Appended to the user ID, to simplify the logon information that users must use to log in. If this property is not set, AD requires a user ID fully qualified with domain information. Note: Also appended to the system username. | |
| authentication.ldap.search.base-dn | Defines the base distinguished name (DN) from which the directory search starts. This property is mandatory for synchronization of user attributes and group assignments with LDAP. | |
| authentication.ldap.search.filter | The LDAP search filter expression "{0}" is being replaced with the encoded user ID. Occurrences of "{1}" are replaced with the username only (without domain).This property is mandatory for synchronization of user attributes and group assignments with LDAP. | |
| authentication.ldap.truststore | JRE cacert | The path to the truststore that contains the CA certificate for the LDAPS connection. |
| authentication.ldap. truststore-passphrase | The truststore password. To avoid having a plaintext password in the file, you can set the environment variable AUTHENTICATION_LDAP_TRUSTSTORE_PASSPHRASE instead. | |
| authentication.ldap. truststore-type | pkcs12 | The type of the truststore. |
| jwt.token.expiration.period | 43200000 | The expiration period of JSON web tokens issued by nevisAdmin 4, in milliseconds. |
| jwt.token.inactivity.timeout | 0 | Users who are inactive for this period in milliseconds, will get logged out. A value of 0 means that users are never logged out due to inactivity. |
| jwt.signer.hmac.shared.key | A random secret is generated on startup | The secret that is used for JSON web token signing. |
| cors.allowed.origins | Defines which origins are available for cross origin requests. | |
| cors.allowed.origin-patterns | Alternative to cors.allowed.origins that supports origins declared via wildcard patterns. This property allows more flexible patterns, for example https://*.domain1.com. Furthermore it always sets the Access-Control-Allow-Origin response header to the matched origin and never to *, nor to any other pattern, and therefore can be used in combination with cors.allow.credentials set to true. | |
| cors.allowed.methods | GET,HEAD,POST | HTTP methods to allow (GET,HEAD,POST,PUT,DELETE,PATCH). Use * to allow all. When running behind nevisProxy, allowing GET,HEAD,POST,PUT,DELETE,PATCH and configuring 'origins' may also be required. |
| cors.allowed.headers | * | Defines the headers that can be listed by a preflight request. These headers are allowed for use during an actual request. Use * to allow all headers. |
| cors.allow.credentials | Defines whether the browser should send credentials, such as cookies, along with cross domain requests to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests. | |
| cors.max.age | 1800 | Defines how many seconds a client may cache the response from a preflight request. |
| nevisadmin.plugins.install.dir | Location of the standard plugin libraries. Suggested config: /opt/nevisadmin4/libs. | |
| nevisadmin.docker.image. repository.url | URL for the repository containing the docker images of the deployable instance patterns. | |
| nevisadmin.git.commit.user | Sets a hard-coded commit username that will be used for all commits made by nevisAdmin4, regardless of who the current user is. | |
| nevisadmin.git.commit.email | Sets a hard-coded commit email that will be used for all commits made by nevisAdmin4, regardless of who the current user is. It's value is ignored if nevisadmin.git.commit.user is not set. | |
| nevisadmin.git.commit.name-format | userKey | Specifies the format of the username on commits made by nevisAdmin4. Options:userKey: use the current user's keyfirstNameLastName: use the current user's first name and last name, with a space in the middle |
| nevisadmin.git.ssh. privatekey.file | <user.home>/.ssh/id_rsa | Defines the path to the private key file that is used for the SSH connection between nevisAdmin 4 and the GIT repository management system. The public key file (with ending .pub) as well as the known_hosts file should be available in the same folder. |
| nevisadmin.git.ssh. privatekey.passphrase | The passphrase needed to access the private key file (optional). | |
| nevisadmin.git.tls.username | Username to be used when accessing GIT via HTTPS. | |
| nevisadmin.git.tls.password | Password to be used when accessing GIT via HTTPS. | |
| nevisadmin.deployment.ssh. privatekey.file | Path to the private key file that is used for the SSH connection between nevisAdmin 4 and remote hosts. | |
| nevisadmin.deployment.ssh. privatekey.passphrase | The passphrase needed to access the private key file (required only if the private key is encrypted). | |
| nevisadmin.deployment.ssh. known-hosts | The known hosts to use when connecting to remote hosts (optional). If you do not set this property, then the system will trust all hosts. | |
| nevisadmin.secret. max-file-size | 1 | File size limit in megabytes for inventory secret file attachments. Secrets larger than 1MB cannot stored on a Kubernetes cluster. |
| nevisadmin.yaml.literal-block-style.enabled | false | Experimental feature: This feature could cause false changes on the publish screen, as the visualization of multi-line strings look the same on the UI. YAML literal block style formatting can be enabled through system property or environment variable only. For example, set -Dnevisadmin.yaml.literal-block-style.enabled=true in /var/opt/nevisadmin4/conf/env.conf. It is recommended the you perform the following steps to migrate your data into the new format and see all the false changes at once:1. Finish your working branches, and merge them into your main branches. 2. Update your projects from Git. 3. Add the config to enable the feature and restart nevisAdmin 4. 4. Execute the following steps on your projects: 1. Export Project to Zip 2. Import Project from Zip. This will force the reformatting of your data. 3. Publish Project to Git. |
| nevisadmin.saml.idp.metadata-uri | Metadata URI of the Identity Provider | |
| nevisadmin.saml.idp.logout-origin | (optional) The origin is added into the Content-Security-Policy header. Required for the logout. The default origin is parsed from the nevisadmin.saml.idp.metadata-uri. | |
| nevisadmin.saml.sp.private-key | The private key which is used to sign SAML messages. For example: file:/var/opt/nevisadmin4/keys/saml.key | |
| nevisadmin.saml.sp.certificate | Certificate to validate the signature of the SAML messages by the IDP. For example: file:/var/opt/nevisadmin4/keys/saml.crt | |
| nevisadmin.saml.attribute.user-key | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The SAML assertion attribute name of the userKey.Used to identity the user. Must be unique and stable. |
| nevisadmin.saml.attribute.group-keys | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | The SAML assertion attribute name of the groupKeys.The group keys are automatically mapped to nevisAdmin 4 groups on login. Expected value format: comma separated list without whitespaces. For example: `group1,group2` |
| nevisadmin.saml.attribute.email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The SAML assertion attribute name of the email. |
| nevisadmin.saml.attribute.first-name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | The SAML assertion attribute name of the first name. |
| nevisadmin.saml.attribute.last-name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | The SAML assertion attribute name of the last name. |
| nevisadmin.product-analytics.prometheus.url | The base url of the Prometheus instance used for the product analytics queries. | |
| nevisadmin.product-analytics.prometheus.username | The username for Prometheus in case basic authentication is enabled. | |
| nevisadmin.product-analytics.prometheus.password | The password for Prometheus in case basic authentication is enabled. |