Properties
Overview
Universal Controller contains three types of configurable properties:
Universal Controller start-up properties are the default properties contained in the uc.properties file when the Controller is installed. These properties are required for Controller start-up and operation. | |
Universal Controller system properties define Controller system information and performance. They have their values set during installation. Note In a High Availability environment, all Universal Controller cluster nodes share the same database; therefore, updating Universal Controller System Properties for one cluster node applies to all cluster nodes. | |
CLI provides a sample configuration file, |
Note
Properties for Universal Message Service (OMS) are installed as configuration file options when OMS is installed as a component of Universal Agent. The values for these options are set during the installation. There are several configuration methods available for changing these values.
Universal Controller Start-up Properties (uc.properties)
The uc.properties
file is read by the Controller, which is started by Tomcat.
The uc.properties
file resides here:
[tomcat directory]\conf
Note
The backslash character in a property value must be escaped as a double backslash.
For example:
example.path=c:\\stonebranch\\uc
Property Name | Description | Default |
---|---|---|
For MySQL: | ||
| Allows the retrieval of output with extended unicode characters. If the property is not set, character encoding will not be used in the JDBC URL. uc.db.mysql.character_encoding=US-ASCII uc.db.mysql.character_encoding=Cp1252 uc.db.mysql.character_encoding=UTF-8 | |
| Database type. Specify this property if you are using a MySQL database. | |
| JDBC connect URL. Specify this property if you are using a MySQL database. | |
For SQLServer | ||
| Database type. Specify this property if you are using a SQLServer database. | |
| JDBC connect URL. Specify this property if you are using a SQLServer database. | |
For Oracle | ||
| Database type. Specify this property if you are using an Oracle database. | |
| JDBC connect URL. Specify this property if you are using an Oracle database. | |
For All Databases | ||
IMPORTANT If you specify a database name in this property and in uc.db.url, the names must be the same. Name for the Controller database. | uc | |
| Database password that will be replaced by The | (none) |
| Encrypted version of | (none) |
| Sets the minimum number of idle connections to maintain in the Server connection pool, or zero to create none. | 1 |
| Sets the minimum number of idle connections to maintain in the Client connection pool, or zero to create none. | 1 |
| Sets the maximum number of connections that can be allocated by the Server connection pool at a given time. Note The installer overrides the default by configuring a maximum number of 40 in the | 30 |
| Sets the maximum number of connections that can be allocated by the Client connection pool at a given time. | 30 |
| Sets the maximum number of connections that can be allocated by the Reserved connection pool at a given time. | 30 |
| Sets the minimum number of idle connections to maintain in the Reserved connection pool, or zero to create none. | 1 |
| Specifies which secrets provider to use for the password. If left unspecified, Universal Controller is assumed to be the provider, and the controller will continue to load the password from the uc.properties using one of the following properties. Note Property If property
The controller will then load all the properties associated with the specified provider. See Secrets Provider Properties for the properties associated with each provider. | (none) |
| Allows additional options to be appended to the JDBC URL generated by Universal Controller.
| (none) |
| Login ID that the Controller will use to log in to your database. The | root |
For LDAP: | ||
| When this property is set to true, any Groups synchronized indirectly (that is, through a User's memberOf attribute) will honor the Group search filter and Group OU filters under the LDAP Advanced Settings section. Note The code default for this property, which is used if this property is not set, is false. | true |
| IMPORTANT This property should be set to true only if your Groups being synchronized from AD have at most one parent Group. When synchronizing Groups, the default behavior in the Controller is to copy the members of a Sub Group into the Parent Group. | false |
| IMPORTANT This property should be set to false only when synchronizing Groups from AD, and the number of values for the member attribute exceeds the When synchronizing Groups, the default behavior in the Controller is to use the multi-valued member attribute to update the members for a Group; however, AD limits the number of values returned for an attribute, which can result in Group members being removed unexpectedly. This limit is determined by the | true |
| IMPORTANT This property should be set to false only if your LDAP server supports paged results. | true |
| IMPORTANT This property should be set to true only if your LDAP server does not support the User Membership Attribute (for example, memberOf). Synchronizes LDAP users indirectly based on group membership. This only applies to groups that users are direct members of.
Note The Note There is currently no support for nested groups if the User Membership Attribute is not supported by the LDAP server. | false |
| IMPORTANT This property should not be set to true if group membership for users is static, since there is extra overhead to process the groups, which may impact login performance. When this property is set to true, LDAP group memberships for existing LDAP users are updated upon successful login. Note When dynamically creating a new LDAP user at login, the user will be added only to groups that it is a direct member of. Likewise, when updating an existing LDAP user at login, the user will be removed from any groups that it is not a direct member of. Therefore, it is not recommended that you enable this property if a group hierarchy exists, since the user will be removed from any parent groups when logging in. (Group membership for the parent groups will be restored the next time the LDAP refresh runs; however, this can take up to 24 hours.) | false |
For OAuth Single Sign-On: | ||
| Specifies if a user authenticating through OAuth Single Sign-On can be updated using the Access / ID Token if the user was created manually. | false |
| Specifies if a user authenticating through OAuth Single Sign-On can be updated using the Access / ID Token of a provider that differs from the provider the user was originally provisioned by. | false |
| The | INFO |
For SAML Single Sign-On: | ||
| Configures the log level for the Spring SAML2 Service Provider framework. Options are
For backwards compatibility, property | INFO |
| The Identity Provider Metadata refresh interval in milliseconds; minimum = 30000, maximum = 2147483647. | 120000 |
| By default, the saml2:AuthnRequest will be signed using rsa-sha256, though some Identity Providers will require a different algorithm. To configure the algorithm automatically based on the Identity Provider’s metadata, do not specify this property. Alternatively, you can manually override the default configuration by specifying this property. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or as specified by the Identity Provider’s metadata. |
| Specifies (true of false) whether the Identity Provider should force the user to reauthenticate. | false |
| Set the WantAuthnRequestsSigned setting, indicating (true or false) the Identity Provider's preference that Service Providers should sign the AuthnRequest before sending. To configure the setting automatically based on the Identity Provider’s metadata, do not specify the property. | Specified by the Identity Provider’s metadata. |
| Specifies if a user authenticating through SAML Single Sign-On can be updated using the SAML Assertion if the user was created manually. | false |
| Specifies if a user authenticating through SAML Single Sign-On can be updated using the SAML Assertion of a provider that differs from the provider the user was originally provisioned by. | false |
For TrustStore: | ||
| Location of the keystore which holds certificates and keys. | properties/cacerts |
| The default TrustStore type. The following case-insensitive values are supported:
| KeyStore.getDefaultType() (PKCS12 as of Java 8) |
| The default TrustStore provider. | (none) |
| Password (if required) for the keystore that will be replaced by | changeit |
| Encrypted version of | (none) |
For OpenTelemetry: To configure all of your OpenTelemetry settings in the uc.properties, but disable the feature until required, you can add the following property.
To enable the feature while the controller is running, you only need to set the If you choose to update the uc.properties, the controller refreshes the property file at a 10 minute interval. You can increase this interval by adding the following property to the uc.properties.
The update from Server Operation > Temporary Property Change initiates the reconfiguration immediately. | ||
| If true , disable the OpenTelemetry SDK. | false |
| If none , no traces exporter configured. | otlp |
| If none , no metrics exporter configured. | otlp |
Specifies a custom logical name for the service. If left unspecified, the service name is controller. | controller | |
| The transport protocol to use on OTLP trace, and metric requests. Options include grpc and http/protobuf . | grpc |
| The transport protocol to use on OTLP trace requests. Options include grpc and http/protobuf . | grpc |
| The transport protocol to use on OTLP metric requests. Options include grpc and http/protobuf . | grpc |
| The OTLP traces, and metrics endpoint to connect to. Must be a URL with a scheme of either For example, | (none) |
| The OTLP traces endpoint to connect to. Must be a URL with a scheme of either For example, | (none) |
| The OTLP metrics endpoint to connect to. Must be a URL with a scheme of either For example, | (none) |
| The path to the file containing trusted certificates to use when verifying an OTLP trace, or metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, the host platform's trusted root certificates are used. |
| The path to the file containing trusted certificates to use when verifying an OTLP trace server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, the host platform's trusted root certificates are used. |
| The path to the file containing trusted certificates to use when verifying an OTLP metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, the host platform's trusted root certificates are used. |
| The path to the file containing private client key to use when verifying an OTLP trace, or metric client's TLS credentials. The file should contain one private key PKCS8 PEM format. | By default, no client key is used. |
| The path to the file containing private client key to use when verifying an OTLP trace client's TLS credentials. The file should contain one private key PKCS8 PEM format. | By default, no client key file is used. |
| The path to the file containing private client key to use when verifying an OTLP metric client's TLS credentials. The file should contain one private key PKCS8 PEM format. | By default, no client key file is used. |
| The path to the file containing trusted certificates to use when verifying an OTLP trace, or metric client's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, no chain file is used. |
| The path to the file containing trusted certificates to use when verifying an OTLP trace server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, no chain file is used. |
| The path to the file containing trusted certificates to use when verifying an OTLP metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format. | By default, no chain file is used. |
| Key-value pairs separated by commas to pass as request headers on OTLP trace, or metric requests. | (none) |
| Key-value pairs separated by commas to pass as request headers on OTLP trace requests. | (none) |
| Key-value pairs separated by commas to pass as request headers on OTLP metrics requests. | (none) |
| The compression type to use on OTLP trace, and metric requests. Options include gzip . | By default, no compression will be used. |
| The compression type to use on OTLP trace requests. Options include gzip . | By default, no compression will be used. |
| The compression type to use on OTLP metric requests. Options include gzip . | By default, no compression will be used. |
| The maximum waiting time, in milliseconds, allowed to send each OTLP trace, and metric batch. | 10000 |
| The maximum waiting time, in milliseconds, allowed to send each OTLP trace batch. | 10000 |
| The maximum waiting time, in milliseconds, allowed to send each OTLP metric batch. | 10000 |
| The preferred output aggregation temporality. Options include DELTA , LOWMEMORY , and CUMULATIVE . If CUMULATIVE , all instruments will have cumulative temporality. If DELTA , counter (sync and async) and histograms will be delta, up down counters (sync and async) will be cumulative. If LOWMEMORY , sync counter and histograms will be delta, async counter and up down counters (sync and async) will be cumulative. | CUMULATIVE |
| The preferred default histogram aggregation. Options are:
| EXPLICIT_BUCKET_HISTOGRAM |
For Prometheus Metrics: | ||
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies optional labels for
For example:
| (none) |
| Specifies the buckets to use for the uc_task_instance_duration_seconds histogram.The property value is specified as comma-delimited list of double or integer values. For example: 1,2.5,5,10,15,30,45,60,150,300,600,900,1800,2700,3600 | (none) |
Other Properties: | ||
| Limits the number of XML entity expansions.
| 1 |
| Accepted input date formats for Date Functions and Stored Procedure parameters. For example: | |
| Directory location from where files can be attached for a specific Cluster Node / Server. You must specify a location in this property in order for the Attach Local File field to display in the Email Task and Email Notifications Details. This property is local to the Cluster Node and must be specified on each Node based upon the path for that Node. Each Node can have a different path, but they should point to the same shared physical location in order to achieve the expected behavior. Best practices would be to use the same path in each Node. | |
| Number of seconds for Email Notification output timeout. | 180 |
| Java key manager algorithm.
If no value is specified, the configured JVM default will be used. | |
| If multiple certificates reside in the keystore that could match the OMS server's certificate request, specifying an alias ensures that the intended client certificate is presented to the OMS server. | |
| Location of the keystore which holds certificates and keys. | |
| Password (if required) for the keystore that will be replaced by | |
| Java key manager provider.
If no value is specified, the configured JVM default will be used. | |
| Location of STDOUT file logging. The property value is specified as comma-delimited list of optional labels. Options are:
The default value when not configured will be
For containers, or any situation that does not want logging to go to a rolling file, that want the logging strictly to the console (stdout), the following should be specified in the
If no logging is required, then the following would be specified in the
If the property is specified, but no valid entries above are in the property value, then the default value of | file |
The Controller uses the Catalina:type=Manager MBean for the User Sessions feature. | ||
| Specifies (true or false) if the node is a transient Cluster Node. | false |
| Sets the OMS service timeout value specifying the number of seconds of inactivity before a timeout exception will be thrown. For example, you will see the following in the uc.log: Default (180 seconds) 2021-08-04-21:12:25:542 -0400 INFO [UC.OMS.Monitor.0] Created: OMSServerConnection [userName=null, clientId=ops.controller.f9a86ee2bd5e4928b3173b186e0feb3c, clientInstance=15296bc7-e994-49eb-a6cf-0ecbf72d5f2f, transportAddresses=OMSTransportAddress [[localhost/127.0.0.1:7878]], nft=true, socketTimeout=30, serviceTimeout=180, authenticateServer=false, serverAddress=null, nextSessionId=0, isClosing=false, connectionInstance=1]
uc.oms.service_timeout=300 OMSServerConnection [userName=null, clientId=ops.controller.f9a86ee2bd5e4928b3173b186e0feb3c, clientInstance=96e45eb5-c513-489a-8746-6223e962e901, transportAddresses=OMSTransportAddress [[localhost/127.0.0.1:7878]], nft=true, socketTimeout=30, serviceTimeout=300, authenticateServer=false, serverAddress=null, nextSessionId=0, isClosing=false, connectionInstance=1]
| 180 |
| Maximum number of days after which an overdue trigger is considered "stale/expired." | 2 |
| Port number used by Tomcat. | 8080 |
| If the SAP Credential Type Required system property is enabled, specifies (true or false) if an SAP Task will continue to run (instead of ending in Start Failure) when referencing a non-SAP-type Credential (at the task level SAP Credentials or job step level SAP User Credentials). | false |
| Sets the timeout value in seconds for the SAP RPC calls. | 120 |
| If the SAP User Name Restricted system property is enabled, specifies (true or false) if an SAP Task will continue to run (instead of ending in Start Failure) when a job step specifies an SAP User Name. | false |
| Sets the JCL service timeout value specifying the n a timeout exception will be thrown. | 60 |
| Java trust manager algorithm.
| SunX509 |
| Java trust manager provider.
| SunJSSE |
| Comma-separated list of SSL/TLS protocols that can be used for Controller/OMS communications.
| |
| Default browser session timeout, in minutes. To use the Tomcat session configuration (default 30 minutes), set this property to 0. | 30 |
| Specifies (true or false) whether web service APIs will fail if the request payload contains unknown properties. | false |
| Specifies (true or false) whether TCP socket keep-alive option is enabled for HTTP(S)/REST Web Service Tasks. | false |
Secrets Provider Properties
The uc.db.secrets_provider
property specifies which secrets provider the controller will use for the database password.
The controller will then load all the properties associated with the specified provider.
The properties that will be loaded by the controller for each provider are listed below.
AWS Secrets Manager
Property Name | Required | Description |
---|---|---|
| true | The AWS access key, used to identify the user interacting with AWS. |
| true | The AWS secret access key, used to authenticate the user interacting with AWS. |
| true | The region name (e.g., us-east-1). |
| true | The ARN or name of the secret to retrieve. |
|