Version: 8.2411.x.x RR

Configuration Properties in the nevisadmin4.yml File

The properties on this page apply to the nevisAdmin 4 application itself. To configure Nevis functionality and components such as nevisProxy and nevisAuth, refer to the Nevis Configuration Guide.

You configure the settings that influence the behavior of the nevisAdmin 4 application in the file /var/opt/nevisadmin4/conf/nevisadmin4.yml. The table below lists all currently supported settings.

Info: Nested format. Due to the nature of YAML, you have to write the dotted property names in nested format. For an example of this format, see the DB Connection settings in the chapter Initial Setup.
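The conversion from the dotted property names used in the table to the nested YAML layout is mechanical, so the following added example (not part of the Nevis documentation or of the product) does it in plain Python without PyYAML. The property names and defaults are those of the table; the sample values, paths and host names are constructed placeholders. It deliberately leaves `db.datasource.password` out of the file, since the table points to the `DB_DATASOURCE_PASSWORD` environment variable for that, and it refuses to produce a file in which one property is both a value and the prefix of another, because YAML cannot express that and a silent overwrite would drop a setting.

```python
"""Render dotted nevisadmin4 properties as nested YAML.

Added example; not code from the Nevis documentation or product. The property
names come from the configuration table, the values below are constructed.
Standard library only: a small emitter is enough for a tree of scalars.
"""
from typing import Any, Dict, Iterable, Tuple

Nested = Dict[str, Any]

# Constructed sample: hosts, paths and the user name are placeholders.
# db.datasource.password is intentionally absent; the reference says to
# supply it through the DB_DATASOURCE_PASSWORD environment variable instead.
SAMPLE_PROPERTIES = [
    ("db.datasource.url", "jdbc:mariadb://db.example.internal:3306/nevisadmin4"),
    ("db.datasource.username", "nevisadmin"),
    ("server.port", 9080),
    ("server.tls.keystore", "/var/opt/nevisadmin4/keys/server.p12"),
    ("server.tls.keystore-type", "pkcs12"),
    ("server.tls.supported-protocols", "TLSv1.2"),
    ("authentication.realm.ldap.enabled", True),
    ("authentication.ldap.user.dn.template", "{0}"),
    ("cors.allowed.headers", "*"),
    ("cors.allowed.methods", "GET,HEAD,POST"),
    # Without known-hosts the reference says nevisAdmin 4 trusts all hosts,
    # so a pinned known_hosts file (constructed path) is part of the sample.
    ("nevisadmin.deployment.ssh.known-hosts", "/var/opt/nevisadmin4/.ssh/known_hosts"),
]


def nest_properties(flat: Iterable[Tuple[str, Any]]) -> Nested:
    """Turn ("a.b.c", v) pairs into {"a": {"b": {"c": v}}}.

    Raises ValueError when a key is both a scalar and the prefix of another
    key (for example "server.tls" and "server.tls.keystore"): YAML cannot
    represent that, and overwriting quietly would lose one of the settings.
    """
    root: Nested = {}
    for key, value in flat:
        parts = key.split(".")
        node = root
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{key!r} conflicts with scalar at {part!r}")
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{key!r} conflicts with nested keys below it")
        node[leaf] = value
    return root


# Plain scalars that a YAML parser would reinterpret as something else.
_RESERVED_WORDS = {"true", "false", "null", "~", "yes", "no", "on", "off"}
_RESERVED_LEADERS = "*{}[]&!|>'\"%@`#-?:,"


def _scalar(value: Any) -> str:
    """Emit one YAML scalar, quoting text that is not safe as a plain scalar."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    text = str(value)
    needs_quotes = (
        text == ""
        or text[0] in _RESERVED_LEADERS
        or text.lower() in _RESERVED_WORDS
        or ": " in text
        or " #" in text
        or text.endswith(":")
        or text != text.strip()
    )
    if not needs_quotes:
        return text
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_yaml(tree: Nested, indent: int = 0) -> str:
    """Render the nested tree with two-space indentation, insertion order kept."""
    pad = "  " * indent
    out = []
    for key, value in tree.items():
        if isinstance(value, dict):
            out.append(f"{pad}{key}:")
            out.append(render_yaml(value, indent + 1))
        else:
            out.append(f"{pad}{key}: {_scalar(value)}")
    return "\n".join(out)


def sample_yaml() -> str:
    """The constructed sample above, in the nested form nevisadmin4.yml expects."""
    return render_yaml(nest_properties(SAMPLE_PROPERTIES))


if __name__ == "__main__":
    print(sample_yaml())
```

Values such as `{0}` and `*` come out double-quoted, because as plain YAML scalars they would be read as a flow mapping and an alias respectively; everything else in the sample is safe unquoted.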

| Property Name | Default | Description |
|---|---|---|
| db.datasource.url | | The MariaDB nevisAdmin 4 URL. |
| db.datasource.username | | The MariaDB nevisAdmin 4 application user name. |
| db.datasource.password | | The MariaDB nevisAdmin 4 application user password. To avoid having a plaintext password in the file, you can set the environment variable DB_DATASOURCE_PASSWORD instead. |
| db.migration.username | | The MariaDB nevisAdmin 4 schema owner user name (used for schema updates during DB migration). |
| db.migration.password | | The MariaDB nevisAdmin 4 schema owner password. To avoid having a plaintext password in this file, you can set the environment variable DB_MIGRATION_PASSWORD instead. |
| db.auto-migration.enabled | true (false in Kubernetes setups) | Set this property to "false" if you want to disable automated DB migration on application startup. In Kubernetes setups, the migration is done by the nevisadmin4-dbschema image instead. |
| server.port | 9080 | The nevisAdmin 4 server port. |
| server.servlet.context-path | /nevisadmin | The nevisAdmin 4 context path. |
| server.tls.keystore | | The keystore containing the certificate used for HTTPS. |
| server.tls.keystore-passphrase | | The keystore password. To avoid having a plaintext password in this file, you can set the environment variable SERVER_TLS_KEYSTORE_PASSPHRASE instead. |
| server.tls.keystore-type | pkcs12 | The keystore type. The recommended type is "pkcs12". |
| server.tls.key-alias | | Alias that identifies the key in the keystore. |
| server.tls.protocol | TLS | SSL protocol to use. |
| server.tls.supported-protocols | | Supported SSL protocols. Possible values are: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2. |
| server.tls.cipher-suites | | Supported SSL cipher suites. |
| management.server.port | 9089 | The nevisAdmin 4 management server port. The management server provides additional endpoints (for example, health-check). |
| authentication.realm.local.enabled | true | If set to "true" (the default), nevisAdmin 4 authenticates the username/password against the database. |
| authentication.realm.ldap.enabled | false | If set to "true", nevisAdmin 4 authenticates the username/password against LDAP. If both local and LDAP authentication are enabled, user authentication happens in the following order: first LDAP, then local. For the configuration of the LDAP authentication, see the authentication.ldap.* properties below. |
| authentication.ldap.user.dn.template | `{0}` | The query string used to authenticate a user. The placeholder "{0}" is replaced with the user ID. You do not need this property if you use the search properties and a domain suffix; see the `*.principal-suffix` and `*.search.*` properties below. |
| authentication.ldap.context.url | | The LDAP server URL. |
| authentication.ldap.context.system-user-name | | The ID of a read-only user that has permissions to retrieve user and group information. If this property is not set, the fetching of user (and group membership) details is disabled, which means that LDAP is then used for authentication only. |
| authentication.ldap.context.system-user-password | | The password of the read-only system user. |
| authentication.ldap.context.principal-suffix | | Appended to the user ID, to simplify the logon information that users must enter to log in. If this property is not set, AD requires a user ID fully qualified with domain information. Note: it is also appended to the system username. |
| authentication.ldap.search.base-dn | | Defines the base distinguished name (DN) from which the directory search starts. This property is mandatory for synchronization of user attributes and group assignments with LDAP. |
| authentication.ldap.search.filter | | The LDAP search filter expression. Occurrences of "{0}" are replaced with the encoded user ID; occurrences of "{1}" are replaced with the username only (without domain). This property is mandatory for synchronization of user attributes and group assignments with LDAP. |
| authentication.ldap.truststore | JRE cacerts | The path to the truststore that contains the CA certificate for the LDAPS connection. |
| authentication.ldap.truststore-passphrase | | The truststore password. To avoid having a plaintext password in the file, you can set the environment variable AUTHENTICATION_LDAP_TRUSTSTORE_PASSPHRASE instead. |
| authentication.ldap.truststore-type | pkcs12 | The type of the truststore. |
| jwt.token.expiration.period | 43200000 | The expiration period of JSON web tokens issued by nevisAdmin 4, in milliseconds. |
| jwt.token.inactivity.timeout | 0 | Users who are inactive for this period, in milliseconds, are logged out. A value of 0 means that users are never logged out due to inactivity. |
| jwt.signer.hmac.shared.key | A random secret is generated on startup | The secret that is used for JSON web token signing. |
| cors.allowed.origins | | Defines which origins are allowed for cross-origin requests. |
| cors.allowed.origin-patterns | | Alternative to cors.allowed.origins that supports origins declared via wildcard patterns, for example `https://*.domain1.com`. It always sets the Access-Control-Allow-Origin response header to the matched origin, never to `*` nor to any other pattern, and can therefore be used in combination with cors.allow.credentials set to true. |
| cors.allowed.methods | GET,HEAD,POST | HTTP methods to allow (GET,HEAD,POST,PUT,DELETE,PATCH). Use `*` to allow all. When running behind nevisProxy, allowing GET,HEAD,POST,PUT,DELETE,PATCH and configuring 'origins' may also be required. |
| cors.allowed.headers | `*` | Defines the headers that can be listed by a preflight request. These headers are allowed for use during an actual request. Use `*` to allow all headers. |
| cors.allow.credentials | | Defines whether the browser should send credentials, such as cookies, along with cross-domain requests to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests. |
| cors.max.age | 1800 | Defines how many seconds a client may cache the response from a preflight request. |
| nevisadmin.plugins.install.dir | | Location of the standard plugin libraries. Suggested value: /opt/nevisadmin4/libs. |
| nevisadmin.docker.image.repository.url | | URL of the repository containing the Docker images of the deployable instance patterns. |
| nevisadmin.git.commit.user | | Sets a hard-coded commit username that is used for all commits made by nevisAdmin 4, regardless of who the current user is. |
| nevisadmin.git.commit.email | | Sets a hard-coded commit email that is used for all commits made by nevisAdmin 4, regardless of who the current user is. Its value is ignored if nevisadmin.git.commit.user is not set. |
| nevisadmin.git.commit.name-format | userKey | Specifies the format of the username on commits made by nevisAdmin 4. Options: userKey (use the current user's key); firstNameLastName (use the current user's first name and last name, separated by a space). |
| nevisadmin.git.ssh.privatekey.file | `<user.home>/.ssh/id_rsa` | Defines the path to the private key file that is used for the SSH connection between nevisAdmin 4 and the Git repository management system. The public key file (with the ending .pub) as well as the known_hosts file should be available in the same folder. |
| nevisadmin.git.ssh.privatekey.passphrase | | The passphrase needed to access the private key file (optional). |
| nevisadmin.git.tls.username | | Username to be used when accessing Git via HTTPS. |
| nevisadmin.git.tls.password | | Password to be used when accessing Git via HTTPS. |
| nevisadmin.git.shallow-checkout | true | When set to true, nevisAdmin 4 performs shallow checkouts for both the configuration and deployments. |
| nevisadmin.deployment.ssh.privatekey.file | | Path to the private key file that is used for the SSH connection between nevisAdmin 4 and remote hosts. |
| nevisadmin.deployment.ssh.privatekey.passphrase | | The passphrase needed to access the private key file (required only if the private key is encrypted). |
| nevisadmin.deployment.ssh.known-hosts | | The known hosts file to use when connecting to remote hosts (optional). If you do not set this property, the system trusts all hosts. |
| nevisadmin.secret.max-file-size | 1 | File size limit in megabytes for inventory secret file attachments. Secrets larger than 1 MB cannot be stored on a Kubernetes cluster. |
| nevisadmin.yaml.literal-block-style.enabled | false | Enables YAML literal block style for multi-line strings. This feature can cause false changes on the publish screen, because multi-line strings look the same in the UI regardless of their formatting. It can be enabled through a system property or environment variable only, for example by setting -Dnevisadmin.yaml.literal-block-style.enabled=true in /var/opt/nevisadmin4/conf/env.conf. To migrate your data into the new format and see all the false changes at once, it is recommended that you perform the following steps: (1) finish your working branches and merge them into your main branches; (2) update your projects from Git; (3) add the configuration to enable the feature and restart nevisAdmin 4; (4) for each project, export the project to Zip, import the project from Zip (this forces the reformatting of your data), and publish the project to Git. |
| nevisadmin.saml.idp.metadata-uri | | Metadata URI of the Identity Provider. |
| nevisadmin.saml.idp.logout-origin | | (Optional) The origin that is added to the Content-Security-Policy header. Required for the logout. By default the origin is parsed from nevisadmin.saml.idp.metadata-uri. |
| nevisadmin.saml.sp.private-key | | The private key that is used to sign SAML messages. For example: file:/var/opt/nevisadmin4/keys/saml.key |
| nevisadmin.saml.sp.certificate | | Certificate used to validate the signature of the SAML messages issued by the IDP. For example: file:/var/opt/nevisadmin4/keys/saml.crt |
| nevisadmin.saml.attribute.user-key | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The SAML assertion attribute name of the userKey. Used to identify the user. Must be unique and stable. |
| nevisadmin.saml.attribute.group-keys | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | The SAML assertion attribute name of the groupKeys. The group keys are automatically mapped to nevisAdmin 4 groups on login. Expected value format: comma-separated list without whitespace. For example: `group1,group2` |
| nevisadmin.saml.attribute.email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The SAML assertion attribute name of the email. |
| nevisadmin.saml.attribute.first-name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | The SAML assertion attribute name of the first name. |
| nevisadmin.saml.attribute.last-name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | The SAML assertion attribute name of the last name. |
| nevisadmin.pki.root-certificate-validity | 365 | The certificate validity in days for the root certificate used in automatic key management for classic deployments. This also applies to the validity of the internal CA generated by nevisAdmin 4. |
| nevisadmin.pki.end-certificate-validity | 365 | The certificate validity in days for the end certificate used in automatic key management for classic deployments. |
| nevisadmin.product-analytics.prometheus.url | | The base URL of the Prometheus instance used for the product analytics queries. |
| nevisadmin.product-analytics.prometheus.username | | The username for Prometheus in case basic authentication is enabled. |
| nevisadmin.product-analytics.prometheus.password | | The password for Prometheus in case basic authentication is enabled. |
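The authentication.ldap.search.filter row states that "{0}" is substituted with the *encoded* user ID and "{1}" with the bare username. The following added example (not Nevis code; the product's own substitution logic is not shown on this page) illustrates what that encoding has to achieve: characters that are meta-characters in an LDAP search filter are escaped as RFC 4515 hex sequences before the user-supplied value is spliced into the template, so that a user ID can never alter the structure of the filter. The assumption that the user ID takes the form `user@domain`, from which the "{1}" username is derived, and the sample filter templates are constructed for the example.

```python
"""Expand the {0}/{1} placeholders of an LDAP search filter template safely.

Added example; not code from nevisAdmin 4. Filter templates and user IDs
below are constructed. The user-ID form "user@domain" is an assumption made
here for deriving the "{1}" username (the reference only says "without domain").
"""

# RFC 4515, section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_escape(value: str) -> str:
    """Encode a value so it is safe as an assertion value in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def username_without_domain(user_id: str) -> str:
    """Strip a 'user@domain' suffix (assumed user-ID form; see module docstring)."""
    return user_id.split("@", 1)[0]


def expand_search_filter(template: str, user_id: str) -> str:
    """Replace {0} with the encoded user ID and {1} with the encoded bare username.

    Both substitutions are escaped, so a value such as 'x*)(uid=*' stays a
    literal string inside one assertion instead of adding new filter terms.
    """
    return (
        template.replace("{0}", ldap_escape(user_id))
        .replace("{1}", ldap_escape(username_without_domain(user_id)))
    )


def demo() -> dict:
    """Constructed templates and IDs; returns the expanded filters for inspection."""
    return {
        "by_upn": expand_search_filter(
            "(&(objectClass=person)(userPrincipalName={0}))", "alice@example.com"
        ),
        "by_sam": expand_search_filter("(sAMAccountName={1})", "bob@example.com"),
        # Meta-characters in the ID come out escaped, not as filter syntax.
        "escaped": expand_search_filter("(uid={1})", "x*)(uid=*"),
    }


if __name__ == "__main__":
    for name, expanded in demo().items():
        print(f"{name}: {expanded}")
```

The third entry of `demo()` shows the point of the encoding: without it the ID `x*)(uid=*` would close the `uid` assertion and open another, changing which entries the directory search matches; with it the whole value is compared literally.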