1 Overview
2 Universal Controller Start-up Properties (uc.properties)
- 2.1 Secrets Provider Properties
3 Universal Controller System Properties
- 3.1 Overriding Universal Controller System Properties
- 3.2 Deprecated System Properties
4 Command Line Interface (CLI) Properties

Overview

Universal Controller contains three types of configurable properties:

Universal Controller Start-up Properties (uc.properties)	Universal Controller start-up properties are the default properties contained in the uc.properties file when the Controller is installed. These properties are required for Controller start-up and operation. The values for these properties are set during the installation process. Some of the values are based on information that you provide during the installation. You can reset these properties by stopping the Controller, editing uc.properties, and restarting the Controller. The changes will take effect after the restart (see Starting and Stopping Universal Controller).
Universal Controller System Properties	Universal Controller system properties define Controller system information and performance. They have their values set during installation. You can reset these properties at any time, without having to stop the Controller, via the user interface. Note In a High Availability environment, all Universal Controller cluster nodes share the same database; therefore, updating Universal Controller System Properties for one cluster node applies to all cluster nodes.
Command Line Interface (CLI) Properties	CLI provides a sample configuration file, cmdtools.props, that you can use to pass CLI Global parameters to a CLI command.

Note

Properties for Universal Message Service (OMS) are installed as configuration file options when OMS is installed as a component of Universal Agent. The values for these options are set during the installation. There are several configuration methods available for changing these values.

Universal Controller Start-up Properties (uc.properties)

The uc.properties file is read by the Controller, which is started by Tomcat.

The uc.properties file resides here:

[tomcat directory]\conf

Note

The backslash character in a property value must be escaped as a double backslash.

For example:

example.path=c:\\stonebranch\\uc

Property Name	Description	Default

Property Name	Description	Default
For MySQL:
`uc.db.mysql.character_encoding`	Allows the retrieval of output with extended unicode characters. If the property is not set, character encoding will not be used in the JDBC URL. Examples: `uc.db.mysql.character_encoding=US-ASCII uc.db.mysql.character_encoding=Cp1252 uc.db.mysql.character_encoding=UTF-8`
`uc.db.rdbms=mysql`	Database type. Specify this property if you are using a MySQL database.
`uc.db.url=jdbc:mysql://localhost/`	JDBC connect URL. Specify this property if you are using a MySQL database. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.
For SQLServer
`uc.db.rdbms=sqlserver`	Database type. Specify this property if you are using a SQLServer database.
`uc.db.url=jdbc:sqlserver://localhost:1433;DatabaseName=uc`	JDBC connect URL. Specify this property if you are using a SQLServer database. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.
For Oracle
`uc.db.rdbms=oracle`	Database type. Specify this property if you are using an Oracle database.
`uc.db.url=jdbc:oracle:thin:@//localhost:1521/@oracle.db.name@`	JDBC connect URL. Specify this property if you are using an Oracle database. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.
For PostgreSQL
`uc.db.rdbms=postgres`	Database type. Specify this property if you are using a PostgreSQL database.
`uc.db.url=jdbc:postgresql://localhost:5432/uc`	JDBC connect URL. Specify this property if you are using a PostgreSQL database. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.
For All Databases
`uc.db.name`	IMPORTANT If you specify a database name in this property and in uc.db.url, the names must be the same. Name for the Controller database.	uc
`uc.db.password`	Database password that will be replaced by `uc.db.password.encrypted` in the `uc.properties` file upon start-up. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.	(none)
`uc.db.password.encrypted`	Encrypted version of `uc.db.password` that will replace `uc.db.password` in the `uc.properties` file upon start-up.	(none)
`uc.db.pooler.connections`	Sets the minimum number of idle connections to maintain in the Server connection pool, or zero to create none. The Server connection pool is used by all internal database transactions.	1
`uc.db.pooler.connections.Auxiliary`	Sets the minimum number of idle connections to maintain in the Auxiliary connection pool, or zero to create none. The Auxiliary connection pool is used only when at least one of the following properties are `true:` `uc.db.pooler.connections.use_auxiliary.launch` `uc.db.pooler.connections.use_auxiliary.trigger`	1
`uc.db.pooler.connections.Client`	Sets the minimum number of idle connections to maintain in the Client connection pool, or zero to create none. The Client connection pool is used by all user interface related database transactions.	1
`uc.db.pooler.connections.max`	Sets the maximum number of connections that can be allocated by the Server connection pool at a given time. The Server connection pool is used by all internal database transactions. Note The installer overrides the default by configuring a maximum number of 40 in the `uc.properties` file.	30
`uc.db.pooler.connections.max.Auxiliary`	Sets the maximum number of connections that can be allocated by the Auxiliary connection pool at a given time. The Auxiliary connection pool is used only when at least one of the following properties are `true`. `uc.db.pooler.connections.use_auxiliary.launch` `uc.db.pooler.connections.use_auxiliary.trigger`	40
`uc.db.pooler.connections.max.Client`	Sets the maximum number of connections that can be allocated by the Client connection pool at a given time. The Client connection pool is used by all user interface related database transactions.	30
`uc.db.pooler.connections.max.Reserved`	Sets the maximum number of connections that can be allocated by the Reserved connection pool at a given time. The Reserved connection pool is used by all critical internal database transactions.	30
`uc.db.pooler.connections.use_auxiliary.launch`	Specifies that the Universal Controller should use the Auxiliary connection pool when launching workload.	false
`uc.db.pooler.connections.use_auxiliary.trigger`	Specifies that the Universal Controller should use the Auxiliary connection pool when triggering workload.	false
`uc.db.pooler.connections.Reserved`	Sets the minimum number of idle connections to maintain in the Reserved connection pool, or zero to create none. The Reserved connection pool is used by all critical internal database transactions.	1
`uc.db.secrets_provider`	Specifies which secrets provider to use for the password. If left unspecified, Universal Controller is assumed to be the provider, and the controller will continue to load the password from the uc.properties using one of the following properties. uc.db.password uc.db.password.encrypted Note Property uc.db.password is immediately saved back as uc.db.password.encrypted with an encrypted value. If property `uc.db.secrets_provider` is specified, it must be one of the following values, otherwise, a failure will be logged and `uc.properties` must be refreshed. uc.db.secrets_provider=uc (or not specified) - Universal Controller uc.db.secrets_provider=aws_secrets_manager - AWS Secrets Manager uc.db.secrets_provider=azure_key_vault - Azure Key Vault uc.db.secrets_provider=cyberark_credential_provider - CyberArk Credential Provider uc.db.secrets_provider=cyberark_central_credential_provider - CyberArk Central Credential Provider The controller will then load all the properties associated with the specified provider. See Secrets Provider Properties for the properties associated with each provider. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property, and properties associated with the provider, without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.	(none)
`uc.db.url.append.properties`	Allows additional options to be appended to the JDBC URL generated by Universal Controller. Example: HTML	(none)
`uc.db.user`	Login ID that the Controller will use to log in to your database. By default, the controller automatically refreshes the `uc.properties` file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.	root
For LDAP:
`uc.ldap.groups.filter_indirect`	When this property is set to true, any Groups synchronized indirectly (that is, through a User's memberOf attribute) will honor the Group search filter and Group OU filters under the LDAP Advanced Settings section. Note The code default for this property, which is used if this property is not set, is false.	true
`uc.ldap.groups.single_parent_per_child`	IMPORTANT This property should be set to true only if your Groups being synchronized from AD have at most one parent Group. When synchronizing Groups, the default behavior in the Controller is to copy the members of a Sub Group into the Parent Group. When this property is set to true, the Controller assumes that each Group has, at most, a single Parent Group and will use the Parent field on the Group definition to maintain the hierarchy instead of copying members.	false
`uc.ldap.groups.update_members`	IMPORTANT This property should be set to false only when synchronizing Groups from AD, and the number of values for the member attribute exceeds the `MaxValRange` LDAP policy (and the `MaxValRange` cannot be increased). When synchronizing Groups, the default behavior in the Controller is to use the multi-valued member attribute to update the members for a Group; however, AD limits the number of values returned for an attribute, which can result in Group members being removed unexpectedly. This limit is determined by the `MaxValRange` LDAP policy (typically 1,500). When this property is set to false, the Controller will not use the member attribute values to update members when synchronizing Groups from AD. Group membership will continue to be updated based on the memberOf attribute values when synchronizing Users from AD.	true
`uc.ldap.users.synchronize_by_range`	IMPORTANT This property is set to false by default to disable range-based searches. This assumes paging is supported by the directory server. This property should be set to true only if your LDAP server does not support paged results. If this property is set to true, the Controller will search based on ranges, using a filter like (&(uid>=a)(uid<=b)), when synchronizing Users. To use the <= or >= operators in a filter, an ordering rule must be defined for the attribute in the LDAP schema. OpenLDAP's schema does not define an ordering rule for the User Id Attribute (for example, uid), so searches using filters like the above do not return any results.	false
`uc.ldap.users.synchronize_indirect`	IMPORTANT This property should be set to true only if your LDAP server does not support the User Membership Attribute (for example, memberOf). Synchronizes LDAP users indirectly based on group membership. This only applies to groups that users are direct members of. When this property is set to true, the following will apply for the LDAP refresh (scheduled and server operations): Users will not be synchronized directly based on the User Filter and User Target OU List. Groups will continue to be synchronized directly based on the Group Filter and Group Target OU List. For each matching group, the Group Member Attribute (for example, member) will be used to synchronize users matching the User Filter and User Target OU List Note The `uc.ldap.groups.update_members` property will be ignored when indirect user synchronization is enabled. Note There is currently no support for nested groups if the User Membership Attribute is not supported by the LDAP server.	false
`uc.ldap.users.update_memberships_on_login`	IMPORTANT This property should not be set to true if group membership for users is static, since there is extra overhead to process the groups, which may impact login performance. When this property is set to true, LDAP group memberships for existing LDAP users are updated upon successful login. Note When dynamically creating a new LDAP user at login, the user will be added only to groups that it is a direct member of. Likewise, when updating an existing LDAP user at login, the user will be removed from any groups that it is not a direct member of. Therefore, it is not recommended that you enable this property if a group hierarchy exists, since the user will be removed from any parent groups when logging in. (Group membership for the parent groups will be restored the next time the LDAP refresh runs; however, this can take up to 24 hours.)	false
For OAuth Single Sign-On:
`uc.oauth.can_provision_local`	Specifies if a user authenticating through OAuth Single Sign-On can be updated using the Access / ID Token if the user was created manually.	false
`uc.oauth.can_provision_any_idp`	Specifies if a user authenticating through OAuth Single Sign-On can be updated using the Access / ID Token of a provider that differs from the provider the user was originally provisioned by.	false
`uc.saml.log.level`	The saml.log.level property is used to configure the log level when OAuth Single Sign-On or SAML Single Sign-On is enabled.	INFO
For SAML Single Sign-On:
`uc.saml.log.level`	Configures the log level for the Spring SAML2 Service Provider framework. Options are ALL TRACE DEBUG INFO WARN ERROR For backwards compatibility, property `saml.log.level` is still supported when property `uc.saml.log.level` is not specified.	INFO
`uc.saml.metadata.refresh_interval`	The Identity Provider Metadata refresh interval in milliseconds; minimum = 30000, maximum = 2147483647.	120000
`uc.saml.signature_algorithm_uri`	By default, the saml2:AuthnRequest will be signed using rsa-sha256, though some Identity Providers will require a different algorithm. To configure the algorithm automatically based on the Identity Provider’s metadata, do not specify this property. Alternatively, you can manually override the default configuration by specifying this property.	http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or as specified by the Identity Provider’s metadata.
`uc.saml.authn_request.force_authn`	Specifies (true of false) whether the Identity Provider should force the user to reauthenticate.	false
`uc.saml.authn_request.want_signed`	Set the WantAuthnRequestsSigned setting, indicating (true or false) the Identity Provider's preference that Service Providers should sign the AuthnRequest before sending. To configure the setting automatically based on the Identity Provider’s metadata, do not specify the property.	Specified by the Identity Provider’s metadata.
`uc.saml.can_provision_local`	Specifies if a user authenticating through SAML Single Sign-On can be updated using the SAML Assertion if the user was created manually.	false
`uc.saml.can_provision_any_idp`	Specifies if a user authenticating through SAML Single Sign-On can be updated using the SAML Assertion of a provider that differs from the provider the user was originally provisioned by.	false