Configuration Properties in the nevisadmin4.yml File
The properties on this page apply to the nevisAdmin 4 application itself. To configure Nevis functionality and components such as nevisProxy and nevisAuth, refer to the Nevis Configuration Guide.
You configure the settings that influence the behavior of the nevisAdmin 4 application in the file /var/opt/nevisadmin4/conf/nevisadmin4.yml.
The table below lists all currently supported settings.
info: Nested format. Due to the nature of YAML, you have to convert the properties to nested format. For an example of this format, see the DB Connection settings in the chapter Initial Setup.
Property Name | Default | Description |
---|---|---|
db.datasource.url | | The MariaDB nevisAdmin 4 URL. |
db.datasource.username | | The MariaDB nevisAdmin 4 application user name. |
db.datasource.password | | The MariaDB nevisAdmin 4 application user password. To avoid having a plaintext password in the file, you can set the environment variable DB_DATASOURCE_PASSWORD instead. |
db.migration.username | | The MariaDB nevisAdmin 4 schema owner user name (used for schema updates during DB migration). |
db.migration.password | | The MariaDB nevisAdmin 4 schema owner password. To avoid having a plaintext password in this file, you can set the environment variable DB_MIGRATION_PASSWORD instead. |
db.auto-migration.enabled | true (false in Kubernetes setups) | Set this property to "false" if you want to disable automated DB migration on application startup. Info: In Kubernetes setups, the migration is done by the nevisadmin4-dbschema image instead. |
server.port | 9080 | The nevisAdmin 4 server port. |
server.servlet.context-path | /nevisadmin | The nevisAdmin 4 context path. |
server.tls.keystore | | The keystore containing the certificate used for HTTPS. |
server.tls.keystore-passphrase | | The keystore password. To avoid having a plaintext password in this file, you can set the environment variable SERVER_TLS_KEYSTORE_PASSPHRASE instead. |
server.tls.keystore-type | pkcs12 | The keystore type. The recommended type is "pkcs12". |
server.tls.key-alias | | Alias that identifies the key in the keystore. |
server.tls.protocol | TLS | SSL protocol to use. |
server.tls.supported-protocols | | Supported SSL protocols. Possible values are: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2. |
server.tls.cipher-suites | | Supported SSL cipher suites. |
management.server.port | 9089 | The nevisAdmin 4 management server port. The management server provides additional endpoints (for example, health-check). |
authentication.realm.local.enabled | true | If set to "true" (the default), nevisAdmin 4 authenticates the username/password against the database. |
authentication.realm.ldap.enabled | false | If set to "true", nevisAdmin 4 authenticates the username/password against LDAP. If both local and LDAP authentication are enabled, then user authentication happens in the following order: first LDAP, then local. For the configuration of the LDAP authentication, see the authentication.ldap.* properties below. |
authentication.ldap.user.dn.template | {0} | The query string used to authenticate a user. The default value "{0}" is replaced with the user ID. You do not need this property if you use search properties and domain suffix. For more information, see the *.principal-suffix and the *.*search.* properties below. |
authentication.ldap.context.url | | The LDAP server URL. |
authentication.ldap.context.system-user-name | | The ID of a read-only user that has permissions to retrieve user and group information. If this property is not set, the fetching of user (and group membership) details is disabled. This means that in this case LDAP is used for authentication only. |
authentication.ldap.context.system-user-password | | The password of the read-only system user. |
authentication.ldap.context.principal-suffix | | Appended to the user ID, to simplify the logon information that users must use to log in. If this property is not set, AD requires a user ID fully qualified with domain information. Note: Also appended to the system username. |
authentication.ldap.search.base-dn | | Defines the base distinguished name (DN) from which the directory search starts. This property is mandatory for synchronization of user attributes and group assignments with LDAP. |
authentication.ldap.search.filter | | The LDAP search filter expression. "{0}" is replaced with the encoded user ID. Occurrences of "{1}" are replaced with the username only (without domain). This property is mandatory for synchronization of user attributes and group assignments with LDAP. |
authentication.ldap.truststore | JRE cacert | The path to the truststore that contains the CA certificate for the LDAPS connection. |
authentication.ldap.truststore-passphrase | | The truststore password. To avoid having a plaintext password in the file, you can set the environment variable AUTHENTICATION_LDAP_TRUSTSTORE_PASSPHRASE instead. |
authentication.ldap.truststore-type | pkcs12 | The type of the truststore. |
jwt.token.expiration.period | 43200000 | The expiration period of JSON web tokens issued by nevisAdmin 4, in milliseconds. |
jwt.signer.hmac.shared.key | A random secret is generated on startup | The secret that is used for JSON web token signing. |
cors.allowed.origins | | Defines which origins are allowed for cross-origin requests. |
cors.allowed.origin-patterns | | Alternative to cors.allowed.origins that supports origins declared via wildcard patterns. This property allows more flexible patterns, for example https://*.domain1.com. Furthermore, it always sets the Access-Control-Allow-Origin response header to the matched origin and never to *, nor to any other pattern, and therefore can be used in combination with cors.allow.credentials set to true. |
cors.allowed.methods | GET,HEAD,POST | HTTP methods to allow (GET,HEAD,POST,PUT,DELETE,PATCH). Use * to allow all. When running behind nevisProxy, allowing GET,HEAD,POST,PUT,DELETE,PATCH and configuring 'origins' may also be required. |
cors.allowed.headers | * | Defines the headers that can be listed by a preflight request. These headers are allowed for use during an actual request. Use * to allow all headers. |
cors.allow.credentials | | Defines whether the browser should send credentials, such as cookies, along with cross-domain requests to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests. |
cors.max.age | 1800 | Defines how many seconds a client may cache the response from a preflight request. |
nevisadmin.plugins.install.dir | | Location of the standard plugin libraries. Suggested config: /opt/nevisadmin4/libs. |
nevisadmin.docker.image.repository.url | | URL for the repository containing the Docker images of the deployable instance patterns. |
nevisadmin.git.commit.user | runtime user | The name of the technical user that is used by nevisAdmin 4 to access the Git repository management system. |
nevisadmin.git.commit.email | | The email address of the technical Git repository management system user (optional). |
nevisadmin.git.ssh.privatekey.file | <user.home>/.ssh/id_rsa | Defines the path to the private key file that is used for the SSH connection between nevisAdmin 4 and the Git repository management system. The public key file (with ending .pub) as well as the known_hosts file should be available in the same folder. |
nevisadmin.git.ssh.privatekey.passphrase | | The passphrase needed to access the private key file (optional). |
nevisadmin.git.tls.username | | Username to be used when accessing Git via HTTPS. |
nevisadmin.git.tls.password | | Password to be used when accessing Git via HTTPS. |
nevisadmin.deployment.ssh.privatekey.file | | Path to the private key file that is used for the SSH connection between nevisAdmin 4 and remote hosts. |
nevisadmin.deployment.ssh.privatekey.passphrase | | The passphrase needed to access the private key file (required only if the private key is encrypted). |
nevisadmin.deployment.ssh.known-hosts | | The known hosts to use when connecting to remote hosts (optional). If you do not set this property, then the system will trust all hosts. |
nevisadmin.secret.max-file-size | 1 | File size limit in megabytes for inventory secret file attachments. Secrets larger than 1 MB cannot be stored on a Kubernetes cluster. |
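The following Python script is an added example and not part of the Nevis documentation or product. It shows the conversion from the dotted property names in the table above to the nested YAML layout the info note requires, and it checks a property set for the settings a reviewer would flag from this table: a password written into the file where the table offers an environment variable, deprecated entries in server.tls.supported-protocols, a wildcard in cors.allowed.origins combined with cors.allow.credentials (the table names cors.allowed.origin-patterns as the form that works with credentials), and a deployment SSH key without nevisadmin.deployment.ssh.known-hosts (which the table says trusts all hosts). The property and environment variable names come from the table; every value (database URL, file paths, origin pattern) is constructed, and the assumption that supported-protocols is written as a comma-separated string is the example's, not the page's.

```python
"""Build a nested nevisadmin4.yml from dotted property names and lint the
property set for weak settings. Added example; not Nevis code. Property names
are from the reference table above; every value below is constructed."""

# Secrets that the table says can come from an environment variable instead
# of being written in plaintext into nevisadmin4.yml.
ENV_ALTERNATIVES = {
    "db.datasource.password": "DB_DATASOURCE_PASSWORD",
    "db.migration.password": "DB_MIGRATION_PASSWORD",
    "server.tls.keystore-passphrase": "SERVER_TLS_KEYSTORE_PASSPHRASE",
    "authentication.ldap.truststore-passphrase": "AUTHENTICATION_LDAP_TRUSTSTORE_PASSPHRASE",
}
# Protocol names from the supported-protocols row that are deprecated today.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def nest(flat):
    """Convert {'a.b.c': v} into {'a': {'b': {'c': v}}}, the nested YAML layout."""
    root = {}
    for dotted, value in flat.items():
        *path, leaf = dotted.split(".")
        node = root
        for part in path:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{dotted!r} conflicts with a scalar at {part!r}")
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{dotted!r} conflicts with nested keys below it")
        node[leaf] = value
    return root


def scalar(value):
    """Render a leaf as a YAML scalar; strings are quoted so '*' stays a string."""
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(tree, indent=0):
    """Emit the nested dict as YAML lines with two-space indentation."""
    lines = []
    pad = "  " * indent
    for key, value in tree.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        else:
            lines.append(f"{pad}{key}: {scalar(value)}")
    return lines


def lint(flat):
    """Return the findings a reviewer would raise against a flat property set."""
    findings = []
    for key, env in ENV_ALTERNATIVES.items():
        if key in flat:
            findings.append(f"{key}: plaintext secret in file, set {env} instead")
    protos = flat.get("server.tls.supported-protocols", "")
    if isinstance(protos, str):  # assumption: comma-separated list of names
        protos = [p.strip() for p in protos.split(",") if p.strip()]
    weak = sorted(WEAK_PROTOCOLS & set(protos))
    if weak:
        findings.append(f"server.tls.supported-protocols: deprecated {', '.join(weak)}")
    credentials = str(flat.get("cors.allow.credentials", "false")).lower() == "true"
    if credentials and "*" in str(flat.get("cors.allowed.origins", "")):
        findings.append("cors.allowed.origins: '*' with credentials, use origin-patterns")
    if ("nevisadmin.deployment.ssh.privatekey.file" in flat
            and "nevisadmin.deployment.ssh.known-hosts" not in flat):
        findings.append("nevisadmin.deployment.ssh.known-hosts unset: all hosts trusted")
    return findings


# Constructed sample: the weak and the corrected property set side by side.
WEAK_FLAT = {
    "db.datasource.url": "jdbc:mariadb://DB_HOST:3306/nevisadmin4",  # placeholder host
    "db.datasource.username": "nevisadmin4_app",
    "db.datasource.password": "changeit",  # belongs in DB_DATASOURCE_PASSWORD
    "server.port": 9080,
    "server.tls.keystore": "/var/opt/nevisadmin4/conf/keystore.p12",
    "server.tls.keystore-type": "pkcs12",
    "server.tls.supported-protocols": "TLSv1,TLSv1.1,TLSv1.2",
    "cors.allowed.origins": "*",
    "cors.allow.credentials": True,
    "nevisadmin.deployment.ssh.privatekey.file": "/var/opt/nevisadmin4/.ssh/id_rsa",
}
HARDENED_FLAT = {k: v for k, v in WEAK_FLAT.items()
                 if k not in ("db.datasource.password", "cors.allowed.origins")}
HARDENED_FLAT.update({
    "server.tls.supported-protocols": "TLSv1.2",
    "cors.allowed.origin-patterns": "https://*.example.com",
    "nevisadmin.deployment.ssh.known-hosts": "/var/opt/nevisadmin4/.ssh/known_hosts",
})

if __name__ == "__main__":
    for name, flat in (("weak", WEAK_FLAT), ("hardened", HARDENED_FLAT)):
        print(f"# {name}: {lint(flat) or ['no findings']}")
        print("\n".join(to_yaml(nest(flat))), end="\n\n")
```

Running the script prints the findings for the weak set followed by both files in nested form; the hardened set produces no findings. The emitter quotes every string so that values such as `*` or `GET,HEAD,POST` are read back as strings rather than YAML aliases or lists.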