FTL Server Configuration Parameters
This topic presents the FTL server configuration parameters in the globals section or the ftl service section that apply to the FTL server as a whole. (Subsequent topics present parameters that configure the behavior of the individual services that the FTL server provides.)
Servers and Locations
Parameter | Arguments | Description |
---|---|---|
core.servers | servers | Required. Supply a map from server names to their locations. Use the following form for each server: <server_name>: <host>:<port> Include in this map only core servers. Omit any auxiliary servers. |
data | <path> | Optional. When present, the FTL server stores its working data files in this <path> location. The directory at <path> must exist, as the FTL server does not create it automatically. Servers within a local network can share a data directory, or they can use unique locations. When absent, the default <path> is the current directory. |
ftl | | Optional. Include an ftl configuration map with a server parameter to specify the host and port for a specific auxiliary server. For an example, see Auxiliary Servers. |
internal.address | <host>:<port> where <host> could be a hostname or a valid IP address | Accepts internal.address, valid IP address, or hostname. Optional, globals section only. Force the FTL server to be reachable at only this address, regardless of
Note: The FTL server is always reachable at 127.0.0.1. |
| boolean | Optional. To ensure the realm service re-publishes monitoring messages to pre-6.0 clients, set this to |
spin.limit | | Optional. Set the limit for the amount of spin time, in microseconds, for an FTL server receiving data from a connection. The default is 0. This is an ftl (not globals) setting. Use caution with this parameter and adjust it only when necessary and with full understanding of its effect on CPU and thread performance. The default value should provide optimal performance in most cases. |
Authentication and Authorization Service
Parameter | Arguments | Description |
---|---|---|
auth.url | <url> | Optional. Authentication resource.
When present, authentication is enabled, so that the realm service requires and verifies user name and password credentials from client processes, affiliates, browsers, and tibftladmin. If the URL protocol is
Otherwise, the FTL server contacts an external authentication service at this URL. When absent, authentication is disabled, so that the FTL server neither requires nor verifies credentials. Note: You can make changes to the authentication flat file and these changes take effect shortly after saving your changes, without restarting the FTL server.
|
auth.user | <user_name> | Optional. The FTL server identifies itself to an external authentication service using this user name credential. |
auth.password | <password> | Optional. The FTL server identifies itself to an external authentication service using this password credential. To hide the password from casual observers, see Password Security. |
auth.trust | <path> |
Optional. When the authentication service URL uses the
|
auth.timeout | seconds | Optional. Timeout for requests to a remote authentication service, in seconds. If the remote authentication service does not respond after this period, the FTL server returns an error. The default value is 15 seconds. This parameter must be defined in the globals section. |
Affiliated FTL Servers
For information about disaster recovery servers, see Disaster Recovery.
Parameter | Arguments | Description |
---|---|---|
satelliteof | <URL_list> | When present, designate this FTL server as a satellite of a set of primary FTL servers. Supply a pipe-separated URL list of primary FTL servers. For example: https://<host1>:<port1>|https://<host2>:<port2>|https://<host3>:<port3> A satellite receives its realm definition and accepts realm updates from any primary realm service. The realm service in a satellite does not accept client connection requests until it first receives a realm definition from a primary. |
drfor | <URL_list> | When present, this FTL server starts as a disaster recovery server for a set of primary FTL servers. Supply a pipe-separated URL list of primary FTL servers. The primaries initiate the connection to disaster recovery servers. |
drto | <URL_list> | When present, this FTL server designates a set of disaster recovery servers and attempts to connect to them. Supply a pipe-separated URL list of primary disaster recovery FTL servers. (You must also configure the disaster recovery servers using the drfor parameter.) |
timeout | <timeout> | Optional. FTL servers use this timeout for communication with other FTL servers in the same cluster. For example, this timeout applies to communication between core and auxiliary FTL servers at a given primary, satellite, or DR site. |
heartbeat | <hb_interval> | Optional. An FTL server sends its heartbeat signal to other FTL servers in the same cluster at <hb_interval>, in seconds. Supply a positive number. When absent, the default value is 1 second. This applies to communication between core and auxiliary FTL servers at a given primary, satellite, or DR site. |
user | <username> | Required for affiliated FTL servers when enabling user authorization. An FTL server authenticates itself to affiliates with this <username>. |
password | <password> | Required for affiliated FTL servers when enabling user authorization. An FTL server authenticates itself to affiliates with this <password>. To hide the password from casual observers, see Password Security. |
Logging
Parameter | Arguments | Description |
---|---|---|
loglevel | <level> | When present, the realm service logs protocol communication at this level of detail. You may specify any of the standard log level strings. See “Tuning the Log Level” and its sub-topics in TIBCO FTL Development. You can set a general log level, or custom log levels for different elements. When this parameter is absent, the default level is info. |
logfile | <logfile_prefix> | When present, the realm service logs to a rolling set of log files instead of the console. The <logfile_prefix> argument may denote a path. All of the directories in the path must already exist. For more information about rotating log files, see “Log Output Targets” in TIBCO FTL Development. When absent, the realm service sends log output to the console, ignoring the parameters max.log.size and max.logs. |
max.log.size | <size> | Optional. Available if Limits the maximum size, in bytes, of log files. The value must be greater than 100 kilobytes (102400 bytes). If max.log.size is not specified, then the default of 20 MB is used. |
max.logs | <logs> | Optional. Available if Limits the maximum number of rolling log files. |
REST Requests
Parameter | Arguments | Description |
---|---|---|
origins.allowed | <URLs> |
When absent, the default behavior rejects all cross-origin requests. When present, allow REST requests that originate from URLs in an array of strings. The realm service rejects cross-origin requests from any other origin. The special value
Warning: Do not supply this parameter except when necessary.
Supplying a null string in the argument list of this parameter is not a recommended security practice. |
TLS Security
Parameter | Arguments | Description |
---|---|---|
tls.san | SAN spec |
Optional. Add a SAN (Subject Alternative Name) to the certificate generated by the FTL server. When no custom certificate is configured, this certificate is presented to:
This parameter can be used to customize the certificate in cases where the clients above connect to a hostname unknown to FTL server (for example, the hostname of a load balancer). Example: |
tls.secure | <password> | When present, the FTL server uses TLS to encrypt its communications with clients, utilities, and affiliates. The password argument encrypts the TLS key file. To hide the password from observers, see Password Security. |
tls.trust.file | <path> | Optional. (Required for secure servers.) Secure FTL servers use this parameter to supply the file path to a local copy of the trust file. When both are present, this parameter overrides tls.trust.everyone. |
tls.trust.everyone | | Optional. The FTL server trusts any other FTL server without verifying trust in the other service's certificate. Warning: Do not use this parameter except for convenience in development and testing. It is not secure. |
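
As an added example (not TIBCO code), the following Python check applies the rules stated in the authentication, logging, REST, and TLS tables above to a set of server parameters. The flat dictionary layout, the function name audit_ftl_params, the severity labels, and all sample values are assumptions made for illustration.

```python
# Added example: audit a flat dict of FTL server parameters against this page's rules.
# The dict layout and severity labels are assumptions; reading the real file is out of scope.

def audit_ftl_params(params):
    """Return a list of (severity, parameter, message) findings."""
    findings = []

    def add(sev, name, msg):
        findings.append((sev, name, msg))

    if "auth.url" not in params:
        add("high", "auth.url", "absent: authentication is disabled")
    if "tls.secure" not in params:
        add("high", "tls.secure", "absent: TLS is documented only when this is present")
    elif "tls.trust.file" not in params:
        add("medium", "tls.trust.file", "required for secure servers")
    if "tls.trust.everyone" in params:
        if "tls.trust.file" in params:
            add("low", "tls.trust.everyone", "overridden by tls.trust.file; remove it")
        else:
            add("high", "tls.trust.everyone", "other servers' certificates are not verified")
    if "origins.allowed" in params:
        origins = params["origins.allowed"]  # documented as an array of strings
        if "" in origins:
            add("high", "origins.allowed", "contains a null string")
        else:
            add("info", "origins.allowed", "cross-origin REST allowed for %d origin(s)" % len(origins))
    size = params.get("max.log.size")
    if size is not None and int(size) <= 102400:
        add("medium", "max.log.size", "must be greater than 102400 bytes")
    if "custom.cert.private.key" in params and "custom.cert.private.key.password" not in params:
        add("medium", "custom.cert.private.key.password", "required with custom.cert.private.key")
    return findings

# Constructed sample values, not taken from a real deployment.
DEV_STYLE = {"tls.secure": "placeholder-password", "tls.trust.everyone": True,
             "origins.allowed": ["https://ui.example.test", ""], "max.log.size": 50000}
HARDENED = {"auth.url": "https://auth.example.test/", "tls.secure": "placeholder-password",
            "tls.trust.file": "/path/to/trust-file", "max.log.size": 20971520}

if __name__ == "__main__":
    for sev, name, msg in audit_ftl_params(DEV_STYLE):
        print(f"{sev:6} {name}: {msg}")
```
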
Security: Clients
Custom certs apply to:
- Secure eFTL connections (wss)
- HTTPS connections to eFTL (for eFTL pub/sub API)
- HTTPS connections to realm UI and realm REST API
Parameter | Arguments | Description |
---|---|---|
custom.cert | <path> | Required for HTTPS or WSS clients that require FTL server to authenticate itself using a non-default certificate. FTL clients are not affected. The FTL server reads a public TLS certificate from this file. It uses the certificate to authenticate itself to clients. The certificate file must be in PEM format. |
custom.cert.private.key | <path> | Required for HTTPS or WSS clients that require FTL server to authenticate itself using a non-default certificate. FTL clients are not affected. The FTL server reads an encrypted TLS private key from this file. It uses the key to authenticate itself to clients, and to encrypt TLS communication with clients. The key file must be in PEM format. |
custom.cert.private.key.password | <password> | Required if you specify custom.cert.private.key. The FTL server decrypts the private key using this password. |
TLS Algorithms
GUI Parameter | Description |
---|---|
openssl.cipher.suites | Replace default ciphers and protocols. Warning: Do not change these two values unless explicitly instructed to do so by TIBCO. In the event that a flaw is discovered in the default cipher suite or protocols, TIBCO will issue a security announcement, and indicate new values for these settings. |
openssl.context.options |