Deployment types
nevisMeta is implemented as a web service in Java. It can be deployed in the following ways:
Deployment Type | Remarks | State |
---|---|---|
Standalone | nevisMeta deployed as a web service including an embedded container. | Stable, recommended deployment type |
GlassFish | nevisMeta deployed as a web service. | Deprecated. The GlassFish deployment type is deprecated. It is recommended that you migrate to the standalone deployment. |
The following sections describe the deployment types and their configuration.
Standalone
The standalone deployment type makes use of an embedded container, so a separate container application no longer needs to be installed. The standalone deployment mode is the default.
The following configuration files control the behavior of nevisMeta in the standalone deployment type:
env.conf
Administration command and process environment:
- JAVA_HOME (optional): Use specified JRE/JDK
- JAVA_OPTS: JVM command-line options
  - Heap size
  - Garbage collector
  - JSSE configuration properties
  - JNDI configuration properties
  - Temporary directory
No other parameter should be changed.
The JAVA_OPTS environment variable can be an expression that will be replaced.
Example 1: (using single quotes)
JAVA_OPTS=(
'-server'
'-Djavax.net.ssl.keyStorePassword=${exec:cat /var/opt/pwd.txt}'
)
Example 2: (using double quotes)
JAVA_OPTS=(
"-server"
"-Djavax.net.ssl.keyStorePassword=\${exec:cat /var/opt/pwd.txt}"
)
Old string syntax: (cannot handle spaces in JVM arguments or inline comments)
JAVA_OPTS="-server \
-Djavax.net.ssl.keyStorePassword=\${exec:cat /var/opt/pwd.txt}"
Important: If you use double quotes, the $ must be escaped.
For details, see "Standalone nevismeta.properties expression".
nevismeta.properties
Application, login, server configuration:
- Back-end configuration options
- Ninja authentication module configuration options
- Scaling (concurrency with worker threads)
- Network settings (host, port, protocol, tls, ...)
log4j.xml
Logging configuration:
- Configuration of log levels for individual components
- Audit channel (if the file rotation policy or output file needs to be customized)
The configuration files are located here:
/var/opt/nevismeta/<instance>/conf
Environment configuration
As the first priority, nevisMeta uses the Java installation defined in the file env.conf using the configuration property JAVA_HOME. If the JAVA_HOME property is not defined in the file env.conf, the Java version as defined in the PATH environment variable is used.
To define the usage of a specific Java installation, we recommend setting the configuration property JAVA_HOME in the file env.conf:
Example
JAVA_HOME=/etc/alternatives/jre_1.8.0
Server configuration properties
You configure the server of the standalone deployment type through the properties in the file nevismeta.properties. The following table lists them:
Property | Example | Default |
---|---|---|
server.name | <instance> | |
server.protocol | https | https |
server.port | 8991 | 8991 |
server.host | localhost | |
server.tls.keystore | /var/opt/keybox/default/node_keystore.jks | |
server.tls.keystore-passphrase | keystorepassword | |
server.tls.truststore | /var/opt/keybox/default/truststore.jks | |
server.tls.truststore-passphrase | truststorepassword | |
server.tls.require-client-auth | true | false |
server.tls.verify-hostname | true | false |
server.tls.supported-protocols | TLSv1.2 | TLSv1, TLSv1.1, TLSv1.2 |
server.tls.cipher-suites | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
server.max-threads | 200 | 200 |
management.server.port | 9000 | 9000 |
management.healthchecks.enabled | false | false |
database.migration.automatic | true | false |
database.connection.pool.auto-commit | true | true |
database.connection.pool.connection-timeout | 30000 | 30000 |
database.connection.pool.idle-timeout | 600000 | 600000 |
database.connection.pool.max-lifetime | 1800000 | 1800000 |
database.connection.pool.minimum-idle | 10 | 10 |
database.connection.pool.maximum-pool-size | 1000 | 10 |
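The defaults in the table above leave TLSv1 and TLSv1.1 enabled, client authentication off and the keystore passphrase as a literal in the file. The following linter is an added example (not part of nevisMeta) that parses a nevismeta.properties file, applies the documented defaults for missing keys, and reports the settings a reviewer would want changed; the checks and their wording are this example's own, and the two sample files are constructed.

```python
"""Lint the TLS-related server.* settings of a nevismeta.properties file.

Added example, not part of nevisMeta: it parses the properties listed in the
table above, fills in the documented defaults for keys that are absent, and
reports the settings a reviewer would want changed before exposing the
instance. The checks and finding texts are this example's own choices.
"""
import re

# Defaults copied from the property table above.
DEFAULTS = {
    "server.protocol": "https",
    "server.tls.require-client-auth": "false",
    "server.tls.verify-hostname": "false",
    "server.tls.supported-protocols": "TLSv1, TLSv1.1, TLSv1.2",
}
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# Signalling value, not a cipher suite; skipped in the suite checks.
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"

PROPERTY_LINE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Parse Java-style 'key=value' or 'key: value' lines; '#'/'!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def split_list(value):
    """Split a comma-separated property value into its trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_tls(props):
    """Return findings for the effective (defaults + file) TLS configuration."""
    cfg = {**DEFAULTS, **props}
    findings = []

    if cfg["server.protocol"].lower() != "https":
        findings.append("server.protocol is not https: clients talk to nevisMeta in clear text")

    deprecated = [p for p in split_list(cfg["server.tls.supported-protocols"])
                  if p in DEPRECATED_PROTOCOLS]
    if deprecated:
        findings.append("server.tls.supported-protocols still enables "
                        + ", ".join(deprecated) + "; restrict it to TLSv1.2")

    suites = [s for s in split_list(cfg.get("server.tls.cipher-suites", "")) if s != SCSV]
    cbc = [s for s in suites if "_CBC_" in s]
    if cbc:
        findings.append("server.tls.cipher-suites includes CBC suites: " + ", ".join(cbc))
    no_pfs = [s for s in suites if not s.startswith(FORWARD_SECRET_PREFIXES)]
    if no_pfs:
        findings.append("server.tls.cipher-suites includes suites without forward secrecy: "
                        + ", ".join(no_pfs))

    if cfg["server.tls.require-client-auth"].lower() != "true":
        findings.append("server.tls.require-client-auth is false: any client reaching the port can connect")
    if cfg["server.tls.verify-hostname"].lower() != "true":
        findings.append("server.tls.verify-hostname is false: certificate names are not checked")

    passphrase = cfg.get("server.tls.keystore-passphrase", "")
    if passphrase and not passphrase.startswith("${"):
        findings.append("server.tls.keystore-passphrase is a literal in the file; "
                        "use a ${exec:...} or ${env:...} expression instead")
    return findings


# Constructed sample files: one relying on the defaults, one hardened.
WEAK_PROPERTIES = """\
server.name=default
server.tls.keystore=/var/opt/keybox/default/node_keystore.jks
server.tls.keystore-passphrase=keystorepassword
"""

HARDENED_PROPERTIES = """\
server.name=default
server.protocol=https
server.tls.keystore=/var/opt/keybox/default/node_keystore.jks
server.tls.keystore-passphrase=${exec:/var/opt/keys/own/instance/keypass.sh}
server.tls.supported-protocols=TLSv1.2
server.tls.cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
server.tls.require-client-auth=true
server.tls.verify-hostname=true
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, lint_tls(parse_properties(text)) or ["no findings"])
```

Run it against `/var/opt/nevismeta/<instance>/conf/nevismeta.properties` after reading the file; the weak sample yields four findings, the hardened sample none.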
The property values related to the server configuration in the file nevismeta.properties can be expressions that will be replaced. The next table shows the available syntax:
Syntax | Example | Remarks |
---|---|---|
${exec:command} | server.tls.keystore-passphrase: ${exec:/var/opt/keys/own/instance/keypass.sh} or server.host: ${exec:hostname -f} | Executes the given command and uses its output as the value. |
${env:variablename} | server.host: ${env:HOSTNAME} | Uses the value of the specified environment variable. |
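The two syntaxes in the table above are the same ones env.conf accepts inside JAVA_OPTS. The resolver below is an added example, not nevisMeta's own code: it implements both forms so the value an expression produces can be checked without starting the server, and adds a permission check for the secret file a `${exec:cat ...}` expression reads. How the real server tokenises the command and handles a failing command is not documented here; this example splits the command like a POSIX shell would, runs it without a shell, and raises on a non-zero exit. The sample values are constructed.

```python
"""Resolve ${exec:command} and ${env:variable} expressions in property values.

Added example, not nevisMeta's own resolver. The command tokenisation and
error handling are assumptions, not documented product behaviour.
"""
import os
import re
import shlex
import stat
import subprocess

EXPRESSION = re.compile(r"\$\{(exec|env):([^}]*)\}")


def resolve_value(value, env=None):
    """Replace every ${exec:...} / ${env:...} expression in a single value."""
    lookup = os.environ if env is None else env

    def substitute(match):
        kind, arg = match.group(1), match.group(2).strip()
        if kind == "env":
            if arg not in lookup:
                raise KeyError(f"environment variable {arg!r} is not set")
            return lookup[arg]
        # exec: capture stdout and drop the trailing newline that `cat pwd.txt`
        # or `hostname -f` emit, so it does not end up inside the passphrase
        # or host name. check=True raises if the command fails.
        result = subprocess.run(shlex.split(arg), capture_output=True,
                                text=True, check=True)
        return result.stdout.rstrip("\n")

    return EXPRESSION.sub(substitute, value)


def resolve_all(props, env=None):
    """Resolve every value of a parsed properties dict; keys stay as they are."""
    return {key: resolve_value(value, env) for key, value in props.items()}


def mode_is_private(mode):
    """True if a file mode grants no read access to group or others.

    A file consumed by `${exec:cat /var/opt/pwd.txt}` holds the keystore
    passphrase in clear text, so only the service account running nevisMeta
    should be able to read it.
    """
    return (stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IROTH)) == 0


def secret_file_is_private(path):
    """Check the on-disk mode of a secret file referenced from an expression."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample mirroring the table above; HOSTNAME is supplied
    # explicitly so the output does not depend on this machine.
    sample = {
        "server.host": "${env:HOSTNAME}",
        "server.tls.keystore-passphrase": "${exec:echo keystorepassword}",
    }
    print(resolve_all(sample, env={"HOSTNAME": "meta.example.com"}))
```

Because `${exec:...}` runs whatever command the properties file names, the file itself and any script it points to need the same write protection as the keystore; `secret_file_is_private` covers the read side for the password file case.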
Standalone server command-line interface
For standalone deployments, the standalone command-line interface (CLI) provides a low-level interface to run the server process. It can be used by higher-level tools like the administrative CLI (see "The administrative command-line interface") or by the user directly.
You can use the standalone CLI to start nevisMeta without involvement of other system components like for example systemd.
You find the standalone script at /opt/nevismeta/bin/nevismeta-server. It provides the following command-line options:
Command-line argument | Remarks | Default |
---|---|---|
-c, --config PATH | Required. Path to the configuration file nevismeta.properties. | No default. |
-n, --name NAME | Unique name for that Nevis component node. Overrides the value of the property server.name (in the nevismeta.properties file). | See the server.name property in the nevismeta.properties file. |
-p, --port PORT | The HTTP/S port to listen on. TLS must be configured in the config file and not as an argument. Overrides the value of the property server.port (in the nevismeta.properties file). | See the server.port property in the nevismeta.properties file. |
-H, --host HOST | The HTTP/S host to bind on. By default binds on all IPv4 and IPv6 interfaces. Overrides the value of the property server.host (in the nevismeta.properties file). | See the server.host property in the nevismeta.properties file. |
--log-config PATH | Log configuration file to be used. If a log configuration is provided, nevisMeta will use the given configuration file to determine how logging should behave. If no configuration file is provided, nevisMeta will log to the console by default. | Not set. |
-V, --version | Display version and exit with status code 0. | |
-h, --help | Show complete and detailed usage and exit with status code 0. | |
Command-line arguments always prevail over the configuration in the nevismeta.properties file!
Example usage of the standalone CLI
To start an existing nevisMeta instance named "default" without using systemd to manage the service, run the following commands:
# set working directory
cd /var/opt/nevismeta/default
/opt/nevismeta/bin/nevismeta-server --config /var/opt/nevismeta/default/conf/nevismeta.properties --log-config /var/opt/nevismeta/default/conf/log4j.xml
Creating Self-Signed Certificates with SAN (Subject Alternative Names)
The following commands generate certificates that can be used in a test environment using a nevisMeta instance with 2-way client authentication and hostname verification enabled.
The keytool command creates a PKCS12 keystore with two SANs (one of type DNS, the other of type IP); openssl then exports a PEM file from it that can be used by nevisProxy, for example:
# keytool -genkeypair -keyalg RSA -alias nevisProxyClientCert -keystore /var/opt/certs/keystore.p12 -storetype pkcs12 -storepass password -validity 360 -keysize 2048 -dname "cn=siven.ch,ou=auth,o=nevis-security,dc=com" -noprompt -ext SAN=dns:siven.ch,ip:10.0.206.87
# openssl pkcs12 -in /var/opt/certs/keystore.p12 -nodes -out /var/opt/certs/keystore.pem
Note that -nodes writes the private key into keystore.pem unencrypted, so restrict the file's permissions to the account that needs it.
The following commands use openssl to create a private CA and a CA-signed server certificate carrying DNS and IP SANs. Both server.key and server.crt are PEM formatted:
openssl genrsa -out /var/opt/certs/ca.key 2048
openssl req -new -x509 -days 365 -key /var/opt/certs/ca.key -subj "/DC=COM/O=nevis-security/OU=auth/CN=siven.ch" -out /var/opt/certs/ca.crt
openssl req -newkey rsa:2048 -nodes -keyout /var/opt/certs/server.key -subj "/DC=COM/O=nevis-security/OU=auth/CN=siven.ch" -out /var/opt/certs/server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:siven.ch,IP:10.0.206.87") -days 365 -in /var/opt/certs/server.csr -CA /var/opt/certs/ca.crt -CAkey /var/opt/certs/ca.key -CAcreateserial -out /var/opt/certs/server.crt
GlassFish
Deprecated
The GlassFish deployment has been deprecated. It will be removed in future releases. Use the standalone deployment instead.
The other deployment type option for nevisMeta is the GlassFish web container. You select the GlassFish container during instance creation (or handover) by setting the deploy_type variable to "adnglassfish".
The following configuration files control the behavior of nevisMeta in the GlassFish deployment type:
Configuration file | Deployment type | Remarks |
---|---|---|
env.conf | all | Administration command and process environment: JAVA_HOME (optional): Use specified JRE/JDK. All other parameters should not be changed. |
vmargs.conf | all | JVM environment (JVM command-line options): heap size, garbage collector, JSSE configuration properties, JNDI configuration properties. |
nevismeta.properties | all | Application configuration. |
log4j.xml | all | Logging configuration. |
asadmin.conf | all | GlassFish server configuration options. |
login.conf | all | Ninja authentication module configuration for the UI login. |
The configuration files are located here:
/var/opt/nevismeta/<instance>/conf
(instance configuration)