Properties
Overview
Universal Controller contains three types of configurable properties:
Universal Controller start-up properties are the default properties contained in the uc.properties file when the Controller is installed. These properties are required for Controller start-up and operation.
Universal Controller system properties define Controller system information and performance. Their values are set during installation. Note: In a High Availability environment, all Universal Controller cluster nodes share the same database; therefore, updating Universal Controller System Properties for one cluster node applies to all cluster nodes.
CLI provides a sample configuration file,
Note
Properties for Universal Message Service (OMS) are installed as configuration file options when OMS is installed as a component of Universal Agent. The values for these options are set during the installation. There are several configuration methods available for changing these values.
Universal Controller Start-up Properties (uc.properties)
The uc.properties file is read by the Controller, which is started by Tomcat.
The uc.properties file resides here:
[tomcat directory]\conf
Note
The backslash character in a property value must be escaped as a double backslash.
For example:
example.path=c:\\stonebranch\\uc
Property Name | Description | Default |
---|---|---|
For MySQL: | ||
| Allows the retrieval of output with extended unicode characters. If the property is not set, character encoding will not be used in the JDBC URL. For example:
uc.db.mysql.character_encoding=US-ASCII
uc.db.mysql.character_encoding=Cp1252
uc.db.mysql.character_encoding=UTF-8 | |
| Database type. Specify this property if you are using a MySQL database. | |
| JDBC connect URL. Specify this property if you are using a MySQL database. | |
For SQLServer | ||
| Database type. Specify this property if you are using a SQLServer database. | |
| JDBC connect URL. Specify this property if you are using a SQLServer database. | |
For Oracle | ||
| Database type. Specify this property if you are using an Oracle database. | |
| JDBC connect URL. Specify this property if you are using an Oracle database. | |
For All Databases | ||
| Name for the Controller database. IMPORTANT: If you specify a database name in this property and in uc.db.url, the names must be the same. | uc |
| Database password that will be replaced by The | (none) |
| Encrypted version of | (none) |
| Sets the minimum number of idle connections to maintain in the Server connection pool, or zero to create none. | 1 |
| Sets the minimum number of idle connections to maintain in the Client connection pool, or zero to create none. | 1 |
| Sets the maximum number of connections that can be allocated by the Server connection pool at a given time. Note The installer overrides the default by configuring a maximum number of 40 in the | 30 |
| Sets the maximum number of connections that can be allocated by the Client connection pool at a given time. | 30 |
| Sets the maximum number of connections that can be allocated by the Reserved connection pool at a given time. | 30 |
| Sets the minimum number of idle connections to maintain in the Reserved connection pool, or zero to create none. | 1 |
| Specifies which secrets provider to use for the password. If left unspecified, Universal Controller is assumed to be the provider, and the controller will continue to load the password from the uc.properties using one of the following properties. Note Property If property
The controller will then load all the properties associated with the specified provider. See Secrets Provider Properties for the properties associated with each provider. | (none) |
| Allows additional options to be appended to the JDBC URL generated by Universal Controller. | (none) |
| Login ID that the Controller will use to log in to your database. The | root |
For LDAP: | ||
| When this property is set to true, any Groups synchronized indirectly (that is, through a User's memberOf attribute) will honor the Group search filter and Group OU filters under the LDAP Advanced Settings section. Note The code default for this property, which is used if this property is not set, is false. | true |
| IMPORTANT This property should be set to true only if your Groups being synchronized from AD have at most one parent Group. When synchronizing Groups, the default behavior in the Controller is to copy the members of a Sub Group into the Parent Group. | false |
| IMPORTANT This property should be set to false only when synchronizing Groups from AD, and the number of values for the member attribute exceeds the When synchronizing Groups, the default behavior in the Controller is to use the multi-valued member attribute to update the members for a Group; however, AD limits the number of values returned for an attribute, which can result in Group members being removed unexpectedly. This limit is determined by the | true |
| IMPORTANT This property should be set to false only if your LDAP server supports paged results. | true |
| IMPORTANT This property should be set to true only if your LDAP server does not support the User Membership Attribute (for example, memberOf). Synchronizes LDAP users indirectly based on group membership. This only applies to groups that users are direct members of.
Note The Note There is currently no support for nested groups if the User Membership Attribute is not supported by the LDAP server. | false |
| IMPORTANT This property should not be set to true if group membership for users is static, since there is extra overhead to process the groups, which may impact login performance. When this property is set to true, LDAP group memberships for existing LDAP users are updated upon successful login. Note When dynamically creating a new LDAP user at login, the user will be added only to groups that it is a direct member of. Likewise, when updating an existing LDAP user at login, the user will be removed from any groups that it is not a direct member of. Therefore, it is not recommended that you enable this property if a group hierarchy exists, since the user will be removed from any parent groups when logging in. (Group membership for the parent groups will be restored the next time the LDAP refresh runs; however, this can take up to 24 hours.) | false |
For Single Sign-On: | ||
| Configures the log level for the Spring SAML2 Service Provider framework. Options are
For backwards compatibility, property | INFO |
| The Identity Provider Metadata refresh interval in milliseconds; minimum = 30000, maximum = 2147483647. | 120000 |
| By default, the saml2:AuthnRequest will be signed using rsa-sha256, though some Identity Providers will require a different algorithm. To configure the algorithm automatically based on the Identity Provider’s metadata, do not specify this property. Alternatively, you can manually override the default configuration by specifying this property. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or as specified by the Identity Provider’s metadata. |
| Specifies (true or false) whether the Identity Provider should force the user to reauthenticate. | false |
| Set the WantAuthnRequestsSigned setting, indicating (true or false) the Identity Provider's preference that Service Providers should sign the AuthnRequest before sending. To configure the setting automatically based on the Identity Provider’s metadata, do not specify the property. | Specified by the Identity Provider’s metadata. |
For TrustStore: | ||
| Location of the keystore which holds certificates and keys. | properties/cacerts |
| The default TrustStore type. The following case-insensitive values are supported:
| KeyStore.getDefaultType() (PKCS12 as of Java 8) |
| The default TrustStore provider. | (none) |
| Password (if required) for the keystore that will be replaced by | changeit |
| Encrypted version of | (none) |
For OpenTelemetry: To configure all of your OpenTelemetry settings in the uc.properties, but disable the feature until required, you can add the following property.
To enable the feature while the controller is running, you only need to set the If you choose to update the uc.properties, the controller refreshes the property file at a 10 minute interval. You can increase this interval by adding the following property to the uc.properties.
The update from Server Operation > Temporary Property Change initiates the reconfiguration immediately. | ||
| If true, disables the OpenTelemetry SDK. | false |
| If none, no traces exporter is configured. | otlp |
| If none, no metrics exporter is configured. | otlp |
| Specifies a custom logical name for the service. If left unspecified, the service name is controller. | controller |
| The transport protocol to use on OTLP trace and metric requests. Options include grpc and http/protobuf. | grpc |
| The transport protocol to use on OTLP trace requests. Options include grpc and http/protobuf. | grpc |
| The transport protocol to use on OTLP metric requests. Options include grpc and http/protobuf. | grpc |
| The OTLP traces, and metrics endpoint to connect to. Must be a URL with a scheme of either For example, | (none) |
| The OTLP traces endpoint to connect to. Must be a URL with a scheme of either For example, | (none) |
| The OTLP metrics endpoint to connect to. Must be a URL with a scheme of either For example, | (none) |
| The path to the file containing trusted certificates to use when verifying an OTLP trace, or metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, the host platform's trusted root certificates are used. |
| The path to the file containing trusted certificates to use when verifying an OTLP trace server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, the host platform's trusted root certificates are used. |
| The path to the file containing trusted certificates to use when verifying an OTLP metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, the host platform's trusted root certificates are used. |
| The path to the file containing the private client key that the Controller presents for client (mutual) TLS authentication on OTLP trace and metric requests. The file should contain one private key in PKCS8 PEM format. | By default, no client key is used. |
| The path to the file containing the private client key that the Controller presents for client (mutual) TLS authentication on OTLP trace requests. The file should contain one private key in PKCS8 PEM format. | By default, no client key file is used. |
| The path to the file containing the private client key that the Controller presents for client (mutual) TLS authentication on OTLP metric requests. The file should contain one private key in PKCS8 PEM format. | By default, no client key file is used. |
| The path to the file containing the client certificate chain that the Controller presents for client (mutual) TLS authentication on OTLP trace and metric requests. The file should contain one or more X.509 certificates in PEM format. | By default, no chain file is used. |
| The path to the file containing the client certificate chain that the Controller presents for client (mutual) TLS authentication on OTLP trace requests. The file should contain one or more X.509 certificates in PEM format. | By default, no chain file is used. |
| The path to the file containing the client certificate chain that the Controller presents for client (mutual) TLS authentication on OTLP metric requests. The file should contain one or more X.509 certificates in PEM format. | By default, no chain file is used. |
| Key-value pairs separated by commas to pass as request headers on OTLP trace, or metric requests. | (none) |
| Key-value pairs separated by commas to pass as request headers on OTLP trace requests. | (none) |
| Key-value pairs separated by commas to pass as request headers on OTLP metrics requests. | (none) |
| The compression type to use on OTLP trace and metric requests. Options include gzip. | By default, no compression will be used. |
| The compression type to use on OTLP trace requests. Options include gzip. | By default, no compression will be used. |
| The compression type to use on OTLP metric requests. Options include gzip. | By default, no compression will be used. |
| The maximum waiting time, in milliseconds, allowed to send each OTLP trace, and metric batch. | 10000 |
| The maximum waiting time, in milliseconds, allowed to send each OTLP trace batch. | 10000 |
| The maximum waiting time, in milliseconds, allowed to send each OTLP metric batch. | 10000 |
| The preferred output aggregation temporality. Options include DELTA, LOWMEMORY, and CUMULATIVE. If CUMULATIVE, all instruments will have cumulative temporality. If DELTA, counters (sync and async) and histograms will be delta, and up-down counters (sync and async) will be cumulative. If LOWMEMORY, sync counters and histograms will be delta, and async counters and up-down counters (sync and async) will be cumulative. | CUMULATIVE |
| The preferred default histogram aggregation. Options are:
| EXPLICIT_BUCKET_HISTOGRAM |
For Prometheus Metrics: | ||
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies the buckets to use for the uc_task_instance_duration_seconds histogram. The property value is specified as a comma-delimited list of double or integer values. For example: 1,2.5,5,10,15,30,45,60,150,300,600,900,1800,2700,3600 | (none) |
Other Properties: | ||
| Limits the number of XML entity expansions. | 1 |
| Accepted input date formats for Date Functions and Stored Procedure parameters. For example: | |
| Directory location from where files can be attached for a specific Cluster Node / Server. You must specify a location in this property in order for the Attach Local File field to display in the Email Task and Email Notifications Details. This property is local to the Cluster Node and must be specified on each Node based upon the path for that Node. Each Node can have a different path, but they should point to the same shared physical location in order to achieve the expected behavior. Best practices would be to use the same path in each Node. | |
| Number of seconds for Email Notification output timeout. | 180 |
| Java key manager algorithm. If no value is specified, the configured JVM default will be used. | |
| If multiple certificates reside in the keystore that could match the OMS server's certificate request, specifying an alias ensures that the intended client certificate is presented to the OMS server. | |
| Location of the keystore which holds certificates and keys. | |
| Password (if required) for the keystore that will be replaced by | |
| Java key manager provider. If no value is specified, the configured JVM default will be used. | |
| Location of STDOUT file logging. The property value is specified as comma-delimited list of optional labels. Options are:
The default value when not configured will be
For containers, or any situation that does not want logging to go to a rolling file, that want the logging strictly to the console (stdout), the following should be specified in the
If no logging is required, then the following would be specified in the
If the property is specified, but no valid entries above are in the property value, then the default value of | file |
| The Controller uses the Catalina:type=Manager MBean for the User Sessions feature. | |
| Specifies (true or false) if the node is a transient Cluster Node. | false |
| Sets the OMS service timeout value specifying the number of seconds of inactivity before a timeout exception will be thrown. For example, you will see the following in the uc.log:
Default (180 seconds):
2021-08-04-21:12:25:542 -0400 INFO [UC.OMS.Monitor.0] Created: OMSServerConnection [userName=null, clientId=ops.controller.f9a86ee2bd5e4928b3173b186e0feb3c, clientInstance=15296bc7-e994-49eb-a6cf-0ecbf72d5f2f, transportAddresses=OMSTransportAddress [[localhost/127.0.0.1:7878]], nft=true, socketTimeout=30, serviceTimeout=180, authenticateServer=false, serverAddress=null, nextSessionId=0, isClosing=false, connectionInstance=1]
uc.oms.service_timeout=300:
OMSServerConnection [userName=null, clientId=ops.controller.f9a86ee2bd5e4928b3173b186e0feb3c, clientInstance=96e45eb5-c513-489a-8746-6223e962e901, transportAddresses=OMSTransportAddress [[localhost/127.0.0.1:7878]], nft=true, socketTimeout=30, serviceTimeout=300, authenticateServer=false, serverAddress=null, nextSessionId=0, isClosing=false, connectionInstance=1]
| 180 |
| Maximum number of days after which an overdue trigger is considered "stale/expired." | 2 |
| Port number used by Tomcat. | 8080 |
| Sets the timeout value in seconds for the SAP RPC calls. | 120 |
| Sets the JCL service timeout value specifying the number of seconds of inactivity before a timeout exception will be thrown. | 60 |
| Java trust manager algorithm. | SunX509 |
| Java trust manager provider. | SunJSSE |
| Comma-separated list of SSL/TLS protocols that can be used for Controller/OMS communications. | |
| Default browser session timeout, in minutes. To use the Tomcat session configuration (default 30 minutes), set this property to 0. | 30 |
| Specifies (true or false) whether web service APIs will fail if the request payload contains unknown properties. | false |
| Specifies (true or false) whether TCP socket keep-alive option is enabled for HTTP(S)/REST Web Service Tasks. | false |
Secrets Provider Properties
The uc.db.secrets_provider property specifies which secrets provider the controller will use for the database password.
The controller will then load all the properties associated with the specified provider.
The properties that will be loaded by the controller for each provider are listed below.
AWS Secrets Manager
Property Name | Required | Description |
---|---|---|
| true | The AWS access key, used to identify the user interacting with AWS. |
| true | The AWS secret access key, used to authenticate the user interacting with AWS. |
| true | The region name (e.g., us-east-1). |
| true | The ARN or name of the secret to retrieve. |
| false | If this secret was created by using the console, then Secrets Manager stores the information as a JSON structure of key/value pairs. Specifies the key for the password in the JSON structure. |
| false | Specifies the key for the passphrase in the JSON structure. |
| false | Specifies the key for the token in the JSON structure. |
| false | The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made. (default 3600 seconds / 1 hour) |
Azure Key Vault
Property Name | Required | Description |
---|---|---|
| true | The name of the Key Vault used to build the vault URL to send HTTP requests to. |
| true | The name of the secret. |
| true | The client (application) ID. |
| true | The Azure Active Directory tenant (directory) Id. |
| | The client secret used to authenticate. |
| | The client assertion used to authenticate. |
| | The path of the PEM certificate used for authenticating. |
| | The path of the PFX certificate used for authenticating. |
| | The password for the PFX certificate. |
| false | The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made. (default 28800 seconds / 8 hours) |
CyberArk Credential Provider
Property Name | Required | Description |
---|---|---|
| true | The unique ID of the application issuing the password request. |
| true | The name of the Safe where the password is stored. |
| true | The name of the folder where the password is stored. |
| true | The name of the password object to retrieve. |
| false | The reason for retrieving the password. |
| false | The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made. (default 5 seconds) |
CyberArk Central Credential Provider
Property Name | Required | Description |
---|---|---|
| true | The hostname of the Central Credential Provider. |
| true | The port of the Central Credential Provider. |
| true | The unique ID of the application issuing the password request. |
| true | The name of the Safe where the password is stored. |
| true | The name of the folder where the password is stored. |
| true | The name of the password object to retrieve. |
| true | The path of the keystore containing the client certificate used for authenticating. |
| false | The password used to unlock the keystore. |
| false | The type of keystore. (default PKCS12) |
| false | The name of a specific entry in the keystore to use. |
| false | The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made. (default 5 seconds) |
Sample uc.properties File
# DB
uc.db.rdbms=mysql
uc.db.url=jdbc:mysql://localhost/
# MYSQL
# uc.db.mysql.character_encoding=UTF-8
# uc.db.rdbms=mysql
# uc.db.url=jdbc:mysql://localhost/
# MS SQLSERVER
# uc.db.rdbms=sqlserver
# uc.db.url=jdbc:sqlserver://localhost:1433;DatabaseName=uc
# ORACLE
# uc.db.rdbms=oracle
# uc.db.url=jdbc:oracle:thin:@//localhost:1521/@oracle.db.name@
#
# COMMON
#
# trust manager algorithm & provider
# uc.trustmanager.algorithm=SunX509
# uc.trustmanager.provider=SunJSSE
# uc.trustmanager.ssl.protocols=TLSv1,TLSv1.1,TLSv1.2
#
uc.db.user=root
uc.db.password=pswd
uc.db.name=uc
uc.servlet.port=8080
uc.ui.session_timeout=30
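The sample file stores the database password in clear text and, in its commented-out trust manager block, lists TLSv1 and TLSv1.1, both of which RFC 8996 withdrew. The script below is an added example, not Stonebranch code: it reads a uc.properties file with the java.util.Properties escaping rule the page describes (a backslash in a value is written as a double backslash) and then checks the rules the page states: uc.db.name must match any database named in uc.db.url, uc.db.rdbms must agree with the JDBC URL type, and a plaintext uc.db.password should be replaced with the encrypted form or a uc.db.secrets_provider. The sample input, the finding codes and the lint rules are this script's own construction; only property names that appear on the page are used.

```python
"""Lint a Universal Controller uc.properties file (added example, not
Stonebranch code).  Parses the file with java.util.Properties escaping
and checks it for inconsistent or weak settings."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the page's sample file, with the TLS
# protocol line uncommented so that the check below has something to flag.
SAMPLE = """\
# DB
uc.db.rdbms=mysql
uc.db.url=jdbc:mysql://localhost/
# MYSQL
# uc.db.mysql.character_encoding=UTF-8
# trust manager algorithm & provider
uc.trustmanager.algorithm=SunX509
uc.trustmanager.provider=SunJSSE
uc.trustmanager.ssl.protocols=TLSv1,TLSv1.1,TLSv1.2
uc.db.user=root
uc.db.password=pswd
uc.db.name=uc
uc.servlet.port=8080
uc.ui.session_timeout=30
example.path=c:\\\\stonebranch\\\\uc
"""

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s: str) -> str:
    # Resolve java.util.Properties escapes: \\ -> \, \t, \n, \uXXXX, \x -> x.
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 == len(s):
            out.append(c)
            i += 1
        elif s[i + 1] == "u" and i + 6 <= len(s):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
    return "".join(out)


# key = any run of escaped chars or chars other than '\', '=', ':' and blanks
_KEY_VALUE = re.compile(r"((?:\\.|[^\\=: \t])+)[ \t]*[=:]?[ \t]*(.*)")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#' and '!' comment lines, the
    first unescaped '=' or ':' separates key from value, and a line ending
    in an odd number of backslashes continues onto the next line."""
    props, logical = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        if logical is None:
            if not line or line[0] in "#!":
                continue
            logical = line
        else:
            logical += line
        trailing = len(logical) - len(logical.rstrip("\\"))
        if trailing % 2 == 1:
            logical = logical[:-1]  # drop the continuation backslash
            continue
        m = _KEY_VALUE.match(logical)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
        logical = None
    return props


@dataclass(frozen=True)
class Finding:
    code: str
    message: str


_JDBC_PREFIX = {"mysql": "jdbc:mysql:", "sqlserver": "jdbc:sqlserver:",
                "oracle": "jdbc:oracle:"}
_WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 8996 et al.


def _db_name_in_url(url: str):
    """Database name embedded in the JDBC URL, if any: SQL Server
    ';DatabaseName=x' or the path segment of a MySQL URL."""
    m = re.search(r"(?i)databasename=([^;]+)", url)
    if not m:
        m = re.match(r"jdbc:mysql://[^/]+/([^?;]+)", url)
    return m.group(1) if m else None


def lint(props: dict) -> list:
    """Return the findings for a parsed uc.properties mapping."""
    findings = []
    if props.get("uc.db.password"):
        findings.append(Finding("plaintext-db-password",
            "uc.db.password is stored in clear text; use the encrypted form "
            "or a uc.db.secrets_provider"))
    rdbms, url = props.get("uc.db.rdbms", "").lower(), props.get("uc.db.url", "")
    prefix = _JDBC_PREFIX.get(rdbms)
    if prefix and not url.startswith(prefix):
        findings.append(Finding("rdbms-url-mismatch",
            f"uc.db.rdbms={rdbms} but uc.db.url does not start with {prefix}"))
    url_db, name = _db_name_in_url(url), props.get("uc.db.name")
    if url_db and name and url_db != name:
        findings.append(Finding("db-name-mismatch",
            f"uc.db.name={name} but uc.db.url names database {url_db}"))
    weak = sorted(p.strip() for p in props.get("uc.trustmanager.ssl.protocols", "").split(",")
                  if p.strip() in _WEAK_PROTOCOLS)
    if weak:
        findings.append(Finding("weak-tls-protocols",
            "uc.trustmanager.ssl.protocols enables " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for f in lint(parse_properties(SAMPLE)):
        print(f"{f.code}: {f.message}")
```

Run against a real file with `lint(parse_properties(open(path).read()))`. The parser is deliberately minimal (no `\uXXXX` validation, no handling of keys that begin with a separator), which is enough for the flat key=value layout uc.properties uses; the value for example.path comes back as `c:\stonebranch\uc`, showing that the doubled backslashes in the file are an escaping requirement of the format rather than part of the path.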
Universal Controller System Properties
Properties for your Universal Controller system are set (in the Controller database) during Controller installation. These properties let you define Controller system information and performance.
Universal Controller system properties do not reside in a properties file; they are available only via the user interface.
Although you can reset these properties any time after the Controller is in operation without having to stop and restart the Controller, you should click the Reload current page icon in your browser taskbar after resetting a property.
Note
You must be assigned the ops_admin role in order to reset these properties.
Step 1 | From the Available Services, select Administration > Properties. The Properties list displays. |
---|---|
Step 2 | If you want to change the value of a property, click its Value field and select/enter a new value. |
Step 3 | To filter the list of displayed properties, enter appropriate characters (not case-sensitive) in the empty fields above the Name and/or Value columns. |
The following table describes the Universal Controller system properties:
Name | Description | Default |
---|---|---|
Administrator Email Address | System administrator email address(es) specified as the recipient(s) for System Notifications. Addresses for multiple administrators should be specified in a comma-separated list. | (none) |
Agent Address Information Restricted | Specification (true or false) for whether or not to hide the IP address of an Agent from users who do not have the Administrator (ops_admin) role. If the property is set to true and the user is not an Administrator, the IP Address field of Agents displays ***** instead of the actual value for that user. | true |
Agent Cache Retention Period in Days | Number of days that cache files (stdout, stderr) are retained by the system. | 7 |
Agent Cluster Network Alias Cache Retention In Minutes | Amount of time (in minutes) that a resolved Network Alias will be used before attempting to resolve it again. | 30 |
Agent Cluster Network Alias Retry Interval In Minutes | Amount of time (in minutes) before automatically retrying the Network Alias resolution upon failure. | 5 |
Agent Cluster Network Alias Uquery Port | Default port for an Agent Cluster with a Distribution method of Network Alias if no Agent Port is specified. | 7887 |
Agent Credentials Required | Specification (true or false) for whether or not Credentials are required for agent-based tasks and Application Resources. | false |
Agent Credentials Required On Registration (uc.agent.credentials.required.registration) | Specification (Windows, Linux/Unix, z/OS) for whether the agent has to use the credentials or not. | (none) |
Agent Heartbeat Grace Period in Seconds | Grace period in seconds (minimum 30, maximum 600) that the Controller will allow for a delayed heartbeat message. | 60 |
Agent Heartbeat Interval in Seconds | Number of seconds between each heartbeat message sent by the agent to the Controller. | 120 |
Agent Notification Disabled If Suspended |