Property | Value |
|---|
sessioncontrollers
ptsserver | <ip address> :port> [<,| ;> ip adresse : port [<,| ;> ip adresse :port…] ] – or list of protocol://server:port
This property specifies a comma separated list of session controllers which the application server can use to validate sessions.
The address and the port correspond to session controller property server.listenurls.
Note that both the name sessioncontrollers and the old name ptsserver can be used – if the first one is found, it will be used, otherwise it will look for the old name ptsserver.
tcp:// or nio:// or nios:// or local:// can be put in front of the server:port – tcp:// is default. tcp:// connects using blocking sockets, requiring 2 threads per connections where nio:// uses nonblocking socket IO and does not use any additional threads per connections, and local:// does not use sockets at all, but simply uses intra-jvm queues which are much faster but only works when both the client and server is in the save JVM.
nios://[hostname]:port[?params] – Like NIO, but with SSL encryption
For nios connections, the following parameters can be specified;
enabledciphersuites – List of enabled cipher suites, if not specified, the Java default ones are used.
validateservercert – Set to false to disable SSL server certificate validation
acceptedcerts – Points to one or more issuer certificates (.cer, .der or .p7b files) containing accepted issuer certificates if validation is enabled.
Example:
localhost:21243, nio://localhost:21244
In this example the web server will communicate with two session controller servers: one which listens on localhost port 21243 and another session controller server on port 21244.
That is, both dispatchers run on the same machine and listen on individual ports. |
agentvalidator | <java class>
This implementation of IAgentValidator implements access control functionality in the PortalProtect agents. It contains customer specific functionality.
Example:
dk.itp.security.authentication.passticket.DefaultValidator |
useAclHistory | <true | false>
If true, the PortalProtect admin GUI will display the last 1000 actions involving ACLs – this is very useful for debugging and for figuring out which operations to XXXoolean in LDAP. |
disableAclCaching | <true | false>
This should always be set to false, except when doing performance testing – setting it to true will cause the Agent to contact the PortalProtect Server for each request to an ACL, and with WebLogic, there can be hundreds of ACL checks for a single page with its embedded gifs. |
warnWhenAccessDenied | <true | false>
Enable/Disable WARN logging on ACL checks. If true (which is default) any ACL check which fails will be logged as a WARN in the log. Otherwise it is logged as DEBUG. |
disableEnvironmentCheck | <true | false>
If true, environment check is disabled, and an environment on group names is ignored. |
environmentAliasList | <alias=id[;alias2=id2]….>
A list of environment aliases. An alias can be used to associate a string with an environment, e.g. "intern=1;extern=2" means that you can use the environment checking groupname@1 or groupname@intern – it is simply a way of using an easier to remember name for the group/environment checking. |
sessionCacheSize | <Size of cache>
Sets the size of the session cache in the Agent, defaults to 10000 |
sessionCacheTimeout | <Timeout in seconds>
Sets the session cache timeout, default is 300 (5 minutes), meaning that after 5 minutes, the Agent will retrieve the session again from the session controller, marking it as still being active. This timeout should not be changed. |
groupCacheSize | <Size of cache>
Sets the size of the user group cache, defaults to 1000. |
groupCacheTimeout | <Timeout in seconds>
Sets the timeout of the group cache, default is 300 (5 minutes). |
aclCacheSize | <Size of cache>
Sets the size of the ACL cache, default is 10000 – note that if using e.g. WebLogic Portal, the size might be increased, since the portal will check thousands of resources per page. |
aclCacheTimeout | <Timeout in seconds>
Specifies the number of seconds an entry can be in the cache – after the timeout has expired, it will be removed, and the Agent will retrieve an updated version from the session controller when it needs it again.
The default is 600 seconds (10 minutes)
Increase this value to gain extra performance, but increasing will mean that it will take longer to react to changes to the ACL. |
reconnectToPrimarySessionCtrl | <true | false>
If set to true, the PP Agent will attempt to reconnect to the primary session controller, even after it has connected to a secondary session controller, to even out load in a clustered environment. The default value is false.
Example:
reconnectToPrimarySessionCtrl=true
In this case, the agent will after 5 minutes of being connected to a secondary session controller attempt to reconnect to the primary one each minute – if a successful connection is archived, all new activity will go to the primary server, and it will give the currently executing commands 30 seconds to complete before disconnecting from the secondary server. |
garbagecollect.waitseconds | <number of seconds>
Can be used to set the number of seconds (rounded up to 5 second intervals) between calls to System.gc() – values of 0 or negative disables periodic garbage collection.
Note that on some JVMs, memory usage and GC performance is much improved by doing periodic calls to System.gc()
This value can also be specified as a system property with the same name.
Example:
garbagecollect.waitseconds=30 |
disableStatistics | <true | false>
If true, statistics is disabled, and details will not be created – only summaries will. |
exitOnOutOfMemory | <true | false>
If this parameter is set to true, the Agent will attempt to exist the JVM if it encounters and OutOfMemoryError - note that this is not failsafe, since there might not be enough memory left to actually exit the JVM, but the agent will try.
This is mostly useful in setups where the JVM will automatically be restarted, such as a webserver running as a windows service. |
clusterID | <Integer, 0-255> (Default 0)
ID of the default cluster to create sessions in – if 0 is specified, the default session controller (specified in sessioncontrollers or ptssserver property) will be used to create the new session. |
clusters | <List of cluster Ids, separated by comma>
Defines which alternate clusters of session controllers which the agent is able to connect to. – see cluster.xxxx.sessioncontrollers for info on how to set a list of servers for another cluster.
This property allows an Agent to connect to multiple different clusters of session controllers simultaneously – e.g. if there is a cluster for internal users and another cluster for external users, the agent can connect to both of them simultaneously.
Within each session ID, there is a cluster ID stored – that ID originates from the "clustered" attribute defined for the session controller that creates the session. So if you have 2 separate clusters, one for internal and another for external users, then make sure that the "clustered" attribute of each has a different value, e.g. 1 for internal and 2 for external.
When a request for a session is received by the agent, it will try to look in cluster.<clustered>.sessioncontrollers and if there is an alternate session controller cluster defined for that particular cluster ID, then it will use one of those session controllers instead of the default one to get at the session.
Example:
2,3 |
cluster.xxxx.sessioncontrollers | <List of server1:port[;server2:port]…>
xxxx is a cluster ID between 1 and 255.
Defines one or more session controllers to connect to for session for the specified cluster.
See sessioncontrollers and clusters properties for more information on the format of this property.
Example:
cluster.2.sessioncontrollers=nio://server2_1:21343;nio://server2_2:21343
cluster.3.sessioncontrollers=server3_1:21343 |
surveillance.warningseconds | <number of seconds>
Number of seconds that pass before a task under surveillance is considered to be hanging, which will provoke an action such as dumping the JVM (stacktraces of all running threads).
See the section "Using Application Surveillance Component" for more information about the surveillance component.
Default is 60 seconds. |
surveillance.action.xxxx | <taskname = action>
xxxx is a number between 1 and 512.
Taskname is a name of the task being used (wildcards * and ? are supported)
action is one of: "none", "dumpjvm", "dumpjvmall"
Actions:
none – does nothing but log that a surveillance task has taken too long to complete.
Dumpjvm – dumps the JVM (which means lists all running threads and their current stackdump)
dumpjvmall – same as dumpjvm, but on ALL servers connected to the configuration server, this is mostly useful for diagnosting applications that occationally are slow, where calls involve multiple servers, and is useful to get a snapshot of the state for all the servers.
Default is not to take any action (none) besides logging that the particular task is still running after surveillance.warningseconds seconds have elapsed.
Example:
surveillance.action.1=ejb*=dumpjvmall
surveillance.action.2=com.somewhere.SomeClass=dumpjvm
surveillance.action.512=*=none |
ppagent.synctimewithserver | <true or false>
Enables the Agent to synchronize time with the config server – if set to true, the Agent will retrieve the time from the config server, and try to set the clock on the Agent machine to the same time (meaning same second, milliseconds are ignored).
Note that this will only work on windows machines – since java does not provide an API to set the system clock, the agent will attempt to invoke "cmd.exe /c time xx:yy:zz" to set the current time – it will not attempt to change the date.
Default is false.
Example:
ppagent.synctimewithserver=true |
lb.changeactive.differenceinconnections | <integer> Default 3
Used with dynamic loadbalancing. Contains the number of connections that a given server must have less than the current server for the client to change to the lesser loaded server.
Note that the lower the value, the higher the risk of setups with many agents will switch back and forth between servers, and the higher the value, the more uneven the load will be across multiple servers. |
lb.reconnectinterval | <integer> Default 30
Used with dynamic loadbalancing. The number of seconds between the client attempting to reconnect to any available servers that it previously was not able to connect to. |
lb.switchactiveinterval | <integer> Default 600
Used with dynamic loadbalancing. The number of seconds between checking all connected active and passive servers and switching active server to a lesser loaded server, if one exists.
If the lesser loaded server has at least lb.changeactive.differenceinconnections (default 3) less connections than the current server, the client will change active server. |