Version: 8.2411.x.x RR

Server configuration

You can configure the server settings through the properties listed below in the file logrend.properties.

  • server.name (required)

    Example value: instance

    Name of the server. Give each server a unique name so that it can be identified; the name is also written to the log.

  • server.protocol

    Default value: https

    Enumeration: https, http

    Set this property to "https" if you would like to use TLS.

  • server.port

    Default value: 8988

    Configures the port where the server will listen for incoming requests.

  • server.host

    Default value: localhost

    Configures the address on which the server will listen for incoming requests.

  • server.tls.keystore (required if server.protocol = "https")

    Example value: /var/opt/keybox/default/node_keystore.jks

    Keystore used for TLS.

  • server.tls.keystore-passphrase (required if server.protocol = "https")

  • server.tls.truststore (required if server.protocol = "https")

    Example value: /var/opt/keybox/default/truststore.jks

    Truststore used for TLS.

  • server.tls.truststore-passphrase (required if server.protocol = "https")

  • server.tls.client-auth

    Example value: required

    Possible values: required, requested, disabled

    • required is the successor of the server.tls.require-client-auth: true setting. It means that client authentication is required.
    • requested allows client authentication if the client certificate is sent. In case the client certificate was not sent, no client authentication will be performed.
    • disabled is the successor of the server.tls.require-client-auth: false setting.

  • server.tls.verify-hostname

    Default value: false

    If set to true and a two-way TLS connection is required, the server verifies that the IP address in the certificate presented by the client matches the IP address of the client.

    info
    • The IP address is specified in the Subject Alternative Names field of the certificate.
    • A required two-way TLS connection corresponds with the following setting: server.tls.client-auth="required"

    In the TLS connection setups of Nevis, nevisProxy acts as the client and nevisLogRend as the server. Hostname verification is by design a client-side feature that allows for a stricter verification of the server identity. On the server side there is not enough information: only the IP address can be verified, because the hostname is not available. Therefore, to use hostname verification in a Nevis TLS setup, the client (that is, nevisProxy) needs a fixed IP address. Alternatively, regenerate the certificates each time the IP address changes.

    It is recommended to leave this configuration disabled, that is, to set the property server.tls.verify-hostname to "false". Instead, enable the client-side hostname verification in the HttpsConnectorServlet of nevisProxy. For more information, see the chapter HttpsConnectorServlet in the nevisProxy reference guide.

    If you set this property to "true", you may need to regenerate the client certificates used to connect to nevisLogRend. See the section Creating Self-Signed Certificates with Subject Alternative Names below. Typically, the Subject Alternative Name (SAN) is not included in the certificates by default.

  • server.tls.supported-protocols

    Default value: TLSv1.2

    Provides the list of protocols that are accepted when a client tries to initiate a TLS connection.

  • server.tls.cipher-suites

    Default values:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    Provides the list of cipher suites that are accepted when a client tries to initiate a TLS connection.

    The cipher name format is the one used in the Java Cryptography Architecture Oracle Providers Documentation for JDK 8.

  • server.max-threads

    Default value: 200

    Number of threads used to process incoming requests.

  • server.max-http-header-size

    Default value: 8192 (8 kilobytes)

    Defines the maximum size of the request and response HTTP headers, in bytes.

    info

    Larger headers allow for more and/or larger cookies as well as larger form content encoded in a URL. However, larger headers also consume more memory and can make a server more vulnerable to denial of service attacks.

  • management.server.port

    Default value: 8997

    The port where the server exposes the liveness endpoint used by Kubernetes. Currently, only HTTP is supported. This property is experimental and may change in future releases.

  • management.healthchecks.enabled

    Default value: false

    Shows whether the health endpoints (readiness and liveness) are enabled or not. This property is experimental and may change in future releases.

Variable syntax

The variable syntax for the server configuration property values in the file logrend.properties may change in the future. The following list shows the currently available syntax:

  • ${exec:command}

    Executes the given command and uses its output as value.

    Examples
    server.tls.keystore-passphrase: ${exec:/var/opt/keys/own/instance/keypass.sh}
    server.host: ${exec:hostname -f}

  • ${env:variablename}

    Uses the value of the specified environment variable.

    Example
    server.host: ${env:HOSTNAME}
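As an added example (not part of nevisLogRend or of this page), the following Python script parses a constructed logrend.properties, expands the ${env:...} syntax described above, leaves ${exec:...} values for the server to run, and reports settings from the property list that weaken the TLS setup (a non-https protocol, missing keystore or truststore entries under https, a client-auth other than required, verify-hostname enabled, protocols other than TLSv1.2). The property names are the page's own; the sample values, the file parsing rules and the acceptance of TLSv1.3 are assumptions.

```python
import re

# Constructed sample logrend.properties (illustrative, not a real deployment).
SAMPLE = """\
server.name: instance
server.protocol: https
server.host: ${env:LOGREND_HOST}
server.tls.keystore: /var/opt/keybox/default/node_keystore.jks
server.tls.keystore-passphrase: ${exec:/var/opt/keys/own/instance/keypass.sh}
server.tls.truststore: /var/opt/keybox/default/truststore.jks
server.tls.client-auth: requested
server.tls.verify-hostname: true
server.tls.supported-protocols: TLSv1.2, TLSv1.1
"""

VAR = re.compile(r"\$\{(env|exec):([^}]*)\}")  # ${env:NAME} or ${exec:command}
REQUIRED_FOR_HTTPS = ("server.tls.keystore", "server.tls.keystore-passphrase",
                      "server.tls.truststore", "server.tls.truststore-passphrase")

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines into a dict; '#' starts a comment (assumed format)."""
    pairs = (re.match(r"\s*([^#:=\s]+)\s*[:=]\s*(.*?)\s*$", l) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def resolve(value, env):
    """Expand ${env:NAME} from env; ${exec:...} is left in place (nevisLogRend runs it at start-up)."""
    return VAR.sub(lambda m: env.get(m.group(2), "") if m.group(1) == "env" else m.group(0), value)

def audit(text, env):
    """Return findings for settings that weaken the TLS setup described in the property list."""
    p = {k: resolve(v, env) for k, v in parse_properties(text).items()}
    findings = []
    if not p.get("server.name"):
        findings.append("server.name is required")
    if p.get("server.protocol", "https") != "https":
        findings.append("server.protocol is not https: connections are unencrypted")
    else:
        findings += [f"{k} is required when server.protocol is https"
                     for k in REQUIRED_FOR_HTTPS if not p.get(k)]
    if p.get("server.tls.client-auth") != "required":
        findings.append("server.tls.client-auth is not 'required': clients without a certificate are accepted")
    if p.get("server.tls.verify-hostname", "false").lower() == "true":
        findings.append("server.tls.verify-hostname is true: verify on the nevisProxy side instead")
    for proto in p.get("server.tls.supported-protocols", "TLSv1.2").split(","):
        if proto.strip() not in ("TLSv1.2", "TLSv1.3"):  # assumption: TLSv1.3 is also acceptable
            findings.append(f"server.tls.supported-protocols allows legacy {proto.strip()}")
    return findings
```

Run `audit(SAMPLE, {"LOGREND_HOST": "logrend.example.internal"})` to get four findings for the sample: the missing truststore passphrase, the optional client authentication, the enabled hostname verification and the legacy TLSv1.1 entry.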

Creating Self-Signed Certificates with Subject Alternative Names (SAN)

The commands in the following code block generate certificates that you can use in a test environment including a nevisLogRend instance with two-way client authentication and hostname verification.

The neviskeybox command creates a keystore with two Subject Alternative Names (SANs): One of type DNS, and the other of type IP. You can use this keystore in nevisProxy to connect to nevisLogRend.

Note that nevisLogRend only uses the DNS name in the SAN to verify the IP but not the client identity.

The following code sample shows the correct syntax:

neviskeybox certreq -slot default -label node -subject 'cn=siven.ch,ou=auth,o=nevis-security,dc=com' -subjectAltName 'DNS:siven.ch,IP:10.0.0.1'
neviskeybox sign -ca testCA -out /tmp/node_new_cert.pem -file /var/opt/keybox/default/node_request.pem
neviskeybox import -file /tmp/node_new_cert.pem
neviskeybox access -slot default -label node -group nvbgroup -user nvpuser
neviskeybox passwd -keep -slot default -label node