Environment Variables for TIBCO OI Hawk RedTail Components

Each component of TIBCO OI Hawk RedTail is configured through environment variables. These environment variables can be provided in a YAML file (for example, the environment section of a Docker Compose service or a Kubernetes manifest).

Hawk Agent Environment Variables

Environment Variable Description

agent_domain

The agent_domain environment variable sets the Hawk agent domain.

 

Mandatory: No

Suggested Value: "none"

agent_name

The agent_name environment variable sets the name of the Hawk agent. If not provided, it defaults to the host name of the hkce_agent container.

 

Mandatory: No

Suggested Value: Hostname of hkce_agent container

auto_config_dir

The auto_config_dir environment variable specifies the directory from which the configuration objects are loaded when the agent runs in auto-configuration mode.
When this variable is not set, the agent operates in manual configuration mode and reads its configuration from the directories given by config_path.
Note: By default, auto_config_dir is created inside the hkce_agent container. Files created inside a container are lost when the container is removed, so removing the hkce_agent container would also remove any rulebases stored in auto_config_dir. To avoid this, persist the rulebases on a Docker volume and set auto_config_dir to the volume's mount point inside the hkce_agent container.

 

Mandatory: No

Suggested Value: None

config_path

The config_path environment variable specifies the directory from where the configuration objects are loaded for the agent to run in manual configuration mode.
This variable cannot be used with the auto_config_dir variable.
The delimiter for path entries is the colon (:) symbol.

 

Mandatory: No

Suggested Value: None

hawk_domain

The hawk_domain environment variable sets the Hawk domain name.

 

Mandatory: No

Suggested Value: "default"

hma_plugin_dir

The hma_plugin_dir environment variable specifies the directory used for Hawk microagent plug-in configuration.

 

Mandatory: No

Suggested Value: -

log_level

The log_level environment variable identifies the log level. The values of the log_level environment variable are:
  • 4 (ERROR)
  • 6 (WARN)
  • 7 (INFO)
  • 8 (DEBUG)
  • 16 (TRACE)

 

Mandatory: No

Suggested Value: 7

ami_tcp_session

The ami_tcp_session environment variable specifies the URL that external microagents (for example HKBWCE) use to connect to the Hawk agent and join the agent's TCP sub-cluster. The URL is in the form <HawkAgent_Service_name>:<AMI_API_PORT>.

 

Mandatory: No

Suggested Value: hawkagent:2571

grpc_session

The grpc_session environment variable specifies the hostname and port that the Hawk Agent uses to connect to the Hawk RedTail Console using gRPC transport.

 

Mandatory: Yes

Suggested Value: hawkconsolenode:9697

grpc_max_reconnect_attempts

Number of attempts the Hawk agent makes to re-establish communication with the Hawk RedTail Console over the gRPC transport.

 

Mandatory: No

Suggested Value: 100

grpc_reconnect_interval

Interval (in milliseconds) between reconnection attempts.

 

Mandatory: No

Suggested Value: 5000

Environment Variables for gRPC Transport TLS Configuration
grpc_enable_tls

Specifies whether the gRPC transport between the agent and the Hawk RedTail Console uses TLS. When false (the suggested value), the connection is neither encrypted nor authenticated; set it to true and configure the variables below for any deployment outside a test environment.

 

Mandatory: No

Suggested Value: false

grpc_server_ca

Path to the truststore containing the certificate of the Hawk RedTail Console (or of the CA that issued it) that the agent connects to through gRPC.

 

Mandatory: No

Suggested Value: <Path to the truststore>

grpc_server_hostname

Host name of the hawkconsolenode, as it appears in the Hawk RedTail Console TLS certificate; it is used when verifying that certificate.

 

Mandatory: No

Suggested Value: hawkconsolenode

grpc_client_certificate

Path to Hawk agent TLS certificate for the gRPC transport

 

Mandatory: No

Suggested Value: Path to the Hawk agent TLS certificate

grpc_client_key

Path to Hawk agent TLS private key for the gRPC transport

Note: PKCS8 is the only supported format for the private key.

 

Mandatory: No

Suggested Value: Path to the Hawk agent private key in PKCS8 format
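As an added example (not from the TIBCO documentation), the agent variables above assembled into a Docker Compose service with TLS enabled on the gRPC transport and the auto-configuration directory persisted on a named volume. The image name, the volume name, the certificate file names and the /redtail/... mount paths are assumptions; the variable names and ports are the ones documented above.

```yaml
services:
  hawkagent:
    image: hkce_agent:latest             # assumed image name
    hostname: hawkagent
    environment:
      hawk_domain: "default"
      agent_domain: "none"
      # auto-configuration mode; the directory is a named volume so the
      # rulebases survive replacement of the container
      auto_config_dir: /redtail/agent/autoconfig
      ami_tcp_session: hawkagent:2571
      grpc_session: hawkconsolenode:9697
      grpc_max_reconnect_attempts: "100"
      grpc_reconnect_interval: "5000"
      # authenticate the console and present a client certificate
      grpc_enable_tls: "true"
      grpc_server_ca: /redtail/conf/certs/hkc-cacert
      grpc_server_hostname: hawkconsolenode
      grpc_client_certificate: /redtail/conf/certs/agent-certificate
      grpc_client_key: /redtail/conf/certs/agent-key   # PKCS8, the only supported format
      log_level: "7"                                   # INFO
    volumes:
      - agent-rulebases:/redtail/agent/autoconfig
      - ./certs/hkc-cacert:/redtail/conf/certs/hkc-cacert:ro
      - ./certs/agent-certificate:/redtail/conf/certs/agent-certificate:ro
      - ./certs/agent-key:/redtail/conf/certs/agent-key:ro

volumes:
  agent-rulebases:
```

Booleans and numbers are quoted so that Compose passes them to the container as strings. Mount the private key read-only and keep its permissions on the host restricted to the user the agent runs as.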

Environment Variables for TCP Transport TLS Configuration
tcp_key_store

Path of the key store file.

 

Mandatory: No

Suggested Value: None

tcp_trust_store

Path of the trust store file

 

Mandatory: No

Suggested Value: None

tcp_key_store_password

Password for the key store file

 

Mandatory: No

Suggested Value: None

tcp_trust_store_password

Password for the trust store file

 

Mandatory: No

Suggested Value: None

tcp_key_password

Password of the (encrypted) private key inside the key store

 

Mandatory: No

Suggested Value: None

tcp_ssl_protocol

Protocol for the secure connection

 

Mandatory: No

Suggested Value: TLSv1.2

tcp_enabled_algorithms

Cipher suites enabled for the TCP TLS connection. Specify multiple suites as a comma-separated list without spaces.

 

Mandatory: No

Suggested Value: TLS_RSA_WITH_AES_128_CBC_SHA

Note: TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange (no forward secrecy) and CBC mode. Where the microagents support it, prefer an ECDHE suite with AES-GCM, for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

Environment variables for Email Configurations

email_smtp_server

The email_smtp_server environment variable identifies the SMTP server host name for sending emails

 

Mandatory: No

Suggested Value: None

email_smtp_port

The email_smtp_port environment variable identifies the SMTP server port

 

Mandatory: No

Suggested Value: 25

email_smtp_auth_required

The email_smtp_auth_required environment variable specifies whether the SMTP server authentication is required or not

 

Mandatory: No

Suggested Value: false

email_smtp_tls_required

The email_smtp_tls_required environment variable specifies whether the SMTP server requires TLS or not

 

Mandatory: No

Suggested Value: false

email_smtp_tls_trust

Controls validation of the SMTP server certificate when TLS is used. If set to "*", every host is trusted and the server certificate is not validated. If set to a whitespace-separated list of host names, those hosts are trusted without validation. Otherwise, the certificate presented by the server must validate. Leave it unset in production: "*" lets anyone on the network path impersonate the SMTP server and capture the SMTP credentials and mail content.

 

Mandatory: No

Suggested Value: -

email_smtp_socket_factory_port

The email_smtp_socket_factory_port environment variable specifies the SMTP socket factory port needed for TLS

 

Mandatory: No

Suggested Value: 25

email_smtp_user

The email_smtp_user environment variable specifies the SMTP server user name. This variable is required only if email_smtp_auth_required is set to true.

 

Mandatory: No

Suggested Value: None

email_smtp_password

The email_smtp_password environment variable specifies the user password for the SMTP server. This variable is required only if SMTP server authentication is set to true.

 

Mandatory: No

Suggested Value: None

ZooKeeper Environment Variables

Port: 9600

Things to consider when configuring ZooKeeper:

Mount a volume at /data/zk/ to persist the ZooKeeper data.
Provide the keystore and the truststore (CA certificate) by mounting the files into the container at the locations referenced in zoo.cfg (/conf/certs).

Configure the zoo.cfg file as follows:

dataDir=/data/zk/
# the maximum number of client connections.
# increase this if you need to handle more clients
#maxClientCnxns=500
#
# Be sure to read the maintenance section of the
# administrator guide before turning on autopurge.
#
# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance
#
# The number of snapshots to retain in dataDir
autopurge.snapRetainCount=5
# Purge task interval in hours
# Set to "0" to disable auto purge feature
autopurge.purgeInterval=24

# the port at which the clients will connect; only the TLS port is configured,
# so there is no plaintext clientPort
secureClientPort=9600

# the Netty connection factory is required for TLS
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider

ssl.keyStore.location=/conf/certs/zookeeper-keystore.p12
# changeit is the example password; replace it with the password of the mounted keystore
ssl.keyStore.password=changeit
ssl.trustStore.location=/conf/certs/zookeeper-truststore.pem
# host name verification is disabled; peers are still authenticated by certificate chain,
# and ssl.clientAuth=need requires every client to present a certificate issued by a CA in the truststore
ssl.hostnameVerification=false
ssl.keyStore.type=PKCS12
ssl.trustStore.type=PEM

ssl.clientAuth=need

Hawk RedTail Console Environment Variables

Port: 9687

Environment Variable Description

zookeeper.connectString

Host and port of ZooKeeper

 

Mandatory: Yes

Suggested Value: zookeeper:9600

ZK_CLIENT_KEY_FILE

Path to the ZooKeeper client private key

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-key

ZK_CLIENT_KEY_PASSWORD

Password of the ZooKeeper client key

 

Mandatory: Yes

Suggested Value: <password>

ZK_CLIENT_CACERT_FILE

Path to the certificate of the CA that signed the ZooKeeper client certificate (the CA used when the client key and certificate were generated)

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

ZK_CLIENT_CERT_FILE

Path to the ZooKeeper client certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-certificate

ZK_CLIENT_TRUSTSTORE_FILE

Path to the ZooKeeper client truststore. This truststore must contain the certificate of the CA which issued the certificate to the ZooKeeper server. The supported truststore types are PEM, PKCS12, and JKS.

 

To create a PKCS12 truststore that holds only a trusted certificate (no private key) for use with ZooKeeper, use Java's keytool so that Java-based applications can read it. For example:

keytool -import -alias mycert -file certificate.pem -keystore truststore.p12 -storetype PKCS12 -storepass password

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/zookeeper-client-truststore.pem

ZK_CLIENT_TRUSTSTORE_PASSWORD

Applicable only if the ZooKeeper trust store is password protected

 

Mandatory: No

Suggested Value: <password>

ZK_CLIENT_TRUSTSTORE_TYPE

Specifies the type of truststore if the file defined in the environment variable ZK_CLIENT_TRUSTSTORE_FILE does not have a file extension

 

Mandatory: No

Suggested Value: PEM, JKS, or PKCS12 (matching the truststore file)

LOAD_CONFIG_FROM_ENV

Flag to indicate whether to load variables from environment variables or to use predefined default values

 

Mandatory: Yes

Suggested Value: TRUE

waitForServices

Services that must be reachable before hawkconsolenode starts

 

Mandatory: Yes

Suggested Value: zookeeper:9600, dbnode:5432

grpc_session_port

Port that the Hawk RedTail Console component container uses to listen to incoming transport request from Hawk agents

 

Mandatory: No

Suggested Value: 9697

hawk_domain

The Hawk domain name.

 

Mandatory: Yes

Suggested Value: redtail

hawk_domain_platform

Platform of the domain mentioned in property hawk_domain. Possible values are kubernetes, docker or enterprise

 

Mandatory: No

Suggested Value: kubernetes

publicIp

The service name of the hawkconsolenode which gets registered with ZooKeeper

 

Mandatory: Yes

Suggested Value: hawkconsolenode

machineId

Internal component ID

 

Mandatory: Yes

Suggested Value: machine-0000000000

unity.services.rest.host

Host IP for Hawkconsole REST communication

 

Mandatory: Yes

Suggested Value: 0.0.0.0

hawk_console_server_port

Listen port for Hawk RedTail Console REST communication

 

Mandatory: Yes

Suggested Value: 9687

JAVA_OPTS

These are JVM properties which can be configured to tune the JVM process

For example, -Xms512m -Xmx2g

 

Mandatory: No

Suggested Value: <JVM Defaults>

GRAFANA_URL

Grafana URL

 

Mandatory: Yes

Suggested Value: http://grafana:3000

REST_TLS_CIPHERS

Supported cipher suites, as a comma-separated list. The suggested list mixes forward-secret AEAD suites (ECDHE with AES-GCM, and the TLS 1.3 suites TLS_AES_*) with suites that use static RSA or ECDH key exchange (no forward secrecy) or CBC mode; restrict the list to the ECDHE-GCM and TLS 1.3 suites unless a client requires the others.

 

Mandatory: Yes

Suggested Value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256

REST_TLS_PROTOCOL

Supported TLS protocols

 

Mandatory: Yes

Suggested Value: TLSv1.2, TLSv1.3

REST_TLS_KEY_FILE

Key pair used for setting up REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/key

REST_TLS_KEY_PASSWORD

Password to key pair used for REST TLS communication

 

Mandatory: Yes

Suggested Value: <password>

REST_TLS_CERT_FILE

Certificate used for REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/certificate

REST_TLS_CACERT_FILE

Certificate of the CA used to sign the REST TLS certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

TLS_SKIP_CERTIFICATE_VERIFICATION

Skip certificate verification of the TLS peers the console connects to. Leave it false outside development: when true, any certificate is accepted, including one presented by an attacker on the network path.

 

Mandatory: No

Suggested Value: false

TLS_SKIP_HOSTNAME_VERIFICATION

Skip host name verification of the TLS peers the console connects to. The suggested value true disables the check, so a valid certificate for any host is accepted; set it to false once the peers' certificates carry the host names the console uses to reach them.

 

Mandatory: No

Suggested Value: true

JWT_SIGNING_KEY_FILE

Path to JWT signing key

 

Mandatory: No

Suggested Value: /redtail/conf/certs/key

JWT_SIGNING_KEY_PASSWORD

Password to JWT signing key

 

Mandatory: No

Suggested Value: <password>

JWT_TTL

JWT token time to live value (in minutes)

 

Mandatory: No

Suggested Value: 300

PROMETHEUS_TLS_CACERT_FILE

Path to the CA cert which signed Prometheus server certificate. This is required for Prometheus to securely connect with the Hawk RedTail Console for scraping metrics

 

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

PROMETHEUS_TLS_CN

Common name defined in Prometheus certificate. This is required for Prometheus to securely connect with Hawk RedTail Console for scraping metrics

 

Mandatory: No

Suggested Value: Prometheus

GRAFANA_TLS_CACERT_FILE

Path to the Grafana CA certificate. This is valid in case where Grafana is secured with TLS

 

Mandatory: No

Suggested Value: NA

datasource_url

Connection URL to PostgreSQL server

 

Mandatory: Yes

Suggested Value: jdbc:postgresql://dbnode:5432/logumon

datasource_drivername

JDBC class name

 

Mandatory: Yes

Suggested Value: org.postgresql.Driver

datasource_username

Database user name

 

Mandatory: Yes

Suggested Value: postgres

datasource_password

Database password

 

Mandatory: Yes

Suggested Value: mypassword

datasource_connection_pool_initial_size

Database Connection pool size at start up

 

Mandatory: No

Suggested Value: "10"

datasource_connection_pool_max_idle

Maximum number of idle connections allowed in the database connection pool

 

Mandatory: No

Suggested Value: "20"

datasource_connection_pool_max_active

Maximum number of active connections allowed in the database connection pool

 

Mandatory: No

Suggested Value: 100

datasource_tls_cacert_file

Path to the database CA certificate. This is valid if PostgreSQL is secured with TLS.

 

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

datasource_tls_skip_hostname_verification

Skip host name verification while communicating with database over TLS

 

Mandatory: No

Suggested Value: true

datasource_tls_skip_certificate_verification

Skip certificate verification while communicating with database over TLS

 

Mandatory: No

Suggested Value: false

user_store_type

Type of store where the users are stored

 

Mandatory: Yes

Suggested Value: database or ldap

LDAP Configuration (All variables are mandatory if the variable user_store_type is ldap)

LDAP_HOST

Host name for the LDAP server

 

Mandatory: No

Suggested Value: NA

LDAP_PORT

Port of the LDAP server

 

Mandatory: No

Suggested Value: NA

LDAP_ADMIN_DN

Admin user DN

 

Mandatory: No

Suggested Value: NA

LDAP_ADMIN_PASSWORD

Admin user password

 

Mandatory: No

Suggested Value: NA

LDAP_BASE_DN

LDAP Base DN

Mandatory: No

Suggested Value: NA

LDAP_UID_ATTR

Attribute to use as a user name

 

Mandatory: No

Suggested Value: CN

LDAP_SSL_ENABLED

Set to true if communication with the LDAP server is over TLS (LDAPS). Without it, the bind credentials in LDAP_ADMIN_DN and LDAP_ADMIN_PASSWORD and the passwords of authenticating users cross the network in cleartext.

 

Mandatory: No

Suggested Value: false

LDAP_DISABLE_HOSTNAME_VERIFICATION

Skip LDAP server host name verification. The suggested value true accepts a valid certificate for any host; set it to false once the LDAP server certificate carries the host name given in LDAP_HOST.

 

Mandatory: No

Suggested Value: true

LDAP_TLS_CACERT_FILE

Path to the CA certificate of LDAP server

 

Mandatory: No

Suggested Value: NA

TLS Configuration

TLS_CLIENT_KEY_FILE

Path to hawkconsolenode client key. Required for mutual authentication with any other component/ client.

For example, if Grafana is configured with a reverse proxy using TLS via mutual authentication.

 

Mandatory: No

Suggested Value: NA

TLS_CLIENT_KEY_PASSWORD

Password to hawkconsolenode client key

 

Mandatory: No

Suggested Value: NA

TLS_CLIENT_CERT_FILE

Path to hawkconsolenode client certificate

 

Mandatory: No

Suggested Value: NA

log_level

Specifies the level of diagnostic information stored in the logs. The following are the logging levels:

ERROR - Indicates error level trace messages should be enabled.
WARNING - Indicates warning level trace messages should be enabled.
INFO - Indicates information level trace messages should be enabled.
DEBUG - Indicates debug level trace messages should be enabled.
TRACE - Indicates trace level messages should be enabled.

 

Mandatory: No

Suggested Value: INFO

Environment Variables for gRPC Transport TLS Configuration
grpc_enable_tls

Specifies whether TLS should be enabled for gRPC communication

 

Mandatory: No

Suggested Value: false

grpc_server_certificate

Path to the Hawk RedTail Console certificate

 

Mandatory: No

Suggested Value: <Path to the Hawk RedTail Console TLS certificate>

grpc_server_key

Path to Hawk RedTail Console private key for the gRPC Transport.

Note: PKCS8 is the only supported format for the private key.

 

Mandatory: No

Suggested Value: <Path to Hawk RedTail Console private Key PKCS8 format>

grpc_client_ca

Path to truststore containing the certificates of Hawk agents that are connecting to the Hawk RedTail Console through gRPC

 

Mandatory: No

Suggested Value: <Path to truststore containing the certificates of the Hawk agents that are connecting to Hawk RedTail Console through gRPC>

Grafana component Environment Variables

Port: 3000

Environment Variable Description
waitForServices

Specifies the services after which the Grafana component must start

 

Mandatory: Yes

Suggested Value: dbnode:5432

GF_USERS_ALLOW_SIGN_UP

When set to false: Prohibits users from being able to sign up or create user accounts. The admin user can still create users from the Grafana Admin Pages.

Default: false.

 

Mandatory: Yes

Suggested Value: false

GF_USERS_AUTO_ASSIGN_ORG

When set to true: Automatically adds new users to the main organization (ID 1).

When set to false: A new organization is created for the new user automatically.

Default: true

 

Mandatory: Yes

Suggested Value: true

GF_USERS_AUTO_ASSIGN_ORG_ROLE

The role new users are assigned for the main organization (if GF_USERS_AUTO_ASSIGN_ORG is set to true). Defaults to Viewer, other valid options are Admin and Editor. For TIBCO OI Hawk RedTail, this value must be Editor.

 

Mandatory: Yes

Suggested Value: Editor

GF_USERS_DEFAULT_THEME

Set the default UI theme: dark or light. Default is dark. For TIBCO OI Hawk RedTail, the suggested value is light.

 

Mandatory: Yes

Suggested Value: light

GF_AUTH_PROXY_ENABLED

Set to true, for Grafana to let a HTTP reverse proxy handle authentication. For TIBCO OI Hawk RedTail, this value must be true.

 

Mandatory: Yes

Suggested Value: true

GF_AUTH_PROXY_HEADER_NAME

HTTP Header name that contains the user name

 

Mandatory: Yes

Suggested Value: X-WEBAUTH-USER

GF_AUTH_PROXY_HEADER_PROPERTY

HTTP Header property, defaults to username

 

Mandatory: Yes

Suggested Value: username

GF_AUTH_PROXY_AUTO_SIGN_UP

Set to true to enable auto sign up of users who do not exist in the Grafana database. Default is true.

 

Mandatory: Yes

Suggested Value: true

GF_SERVER_DOMAIN

This setting is only used as part of the root_url setting

 

Mandatory: Yes

Suggested Value: grafananode

GF_SERVER_HTTP_PORT

The port to bind to; defaults to 3000

 

Mandatory: Yes

Suggested Value: 3000

GF_SERVER_ROOT_URL

This is the full URL used to access Grafana from a web browser

 

Mandatory: Yes

Suggested Value: %(protocol)s://%(domain)s:%(http_port)s/redtail/grafana

GF_AUTH_BASIC_ENABLED

Basic auth is enabled by default and works with built-in Grafana. For TIBCO OI Hawk RedTail, basic auth must be enabled.

 

Mandatory: Yes

Suggested Value: true

GF_SECURITY_ALLOW_EMBEDDING

Default: false.

When false, the X-Frame-Options: deny HTTP header is set in the Grafana HTTP responses. Thus, browsers do not allow rendering Grafana in <frame>, <iframe>, <embed>, or <object>. For TIBCO OI Hawk RedTail, set this value to true.

 

Mandatory: Yes

Suggested Value: true

GF_PATHS_PLUGINS

Directory where Grafana automatically scans and looks for plug-ins. Manually or automatically install any plug-ins here.

 

Mandatory: Yes

Suggested Value: /usr/share/grafana/data/grafana/plugins

GF_DATABASE_TYPE

Type of database where Grafana stores all the data

 

Mandatory: Yes

Suggested Value: postgres

GF_DATABASE_HOST

Host and port of the database

 

Mandatory: Yes

Suggested Value: dbnode:5432

GF_DATABASE_NAME

Name of the database

 

Mandatory: Yes

Suggested Value: grafana

GF_DATABASE_USER

Database user name

 

Mandatory: Yes

Suggested Value: postgres

GF_DATABASE_PASSWORD

Database user password

 

Mandatory: Yes

Suggested Value: mypassword

GF_DATABASE_SSL_MODE

PostgreSQL SSL mode for the Grafana database connection: disable, require, verify-ca, or verify-full. With require the connection is encrypted, but the server host name is not verified and, unless a CA certificate is supplied, neither is the certificate chain; use verify-full together with GF_DATABASE_CA_CERT_PATH to authenticate the database server.

 

Mandatory: Yes

Suggested Value: require

GF_DATABASE_CA_CERT_PATH

Database CA certificate

 

Mandatory: Yes

Suggested Value: /etc/grafana/db-cacert

Query node Environment variables

Port: 9681

Environment Variable Description

zookeeper.connectString

Host and port of ZooKeeper

 

Mandatory: Yes

Suggested Value: zookeeper:9600

ZK_CLIENT_KEY_FILE

Path to the ZooKeeper client private key

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-key

ZK_CLIENT_KEY_PASSWORD

Password of the ZooKeeper client key

 

Mandatory: Yes

Suggested Value: <password>

ZK_CLIENT_CACERT_FILE

Path to the certificate of the CA that signed the ZooKeeper client certificate (the CA used when the client key and certificate were generated)

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

ZK_CLIENT_CERT_FILE

Path to the ZooKeeper client certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-certificate

ZK_CLIENT_TRUSTSTORE_FILE

Path to the ZooKeeper client truststore. This truststore must contain the certificate of the CA which issued the certificate to the ZooKeeper server. The supported truststore types are PEM, PKCS12, and JKS.

 

To create a PKCS12 truststore that holds only a trusted certificate (no private key) for use with ZooKeeper, use Java's keytool so that Java-based applications can read it. For example:

keytool -import -alias mycert -file certificate.pem -keystore truststore.p12 -storetype PKCS12 -storepass password

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/zookeeper-client-truststore.pem

ZK_CLIENT_TRUSTSTORE_PASSWORD

Applicable only if the ZooKeeper truststore is password protected

 

Mandatory: No

Suggested Value: <password>

ZK_CLIENT_TRUSTSTORE_TYPE

Specifies the type of truststore if the file defined in the environment variable ZK_CLIENT_TRUSTSTORE_FILE does not have a file extension

 

Mandatory: No

Suggested Value: PEM, JKS, or PKCS12 (matching the truststore file)

LOAD_CONFIG_FROM_ENV

Flag to indicate whether to load variables from environment variables or to use predefined default values.

 

Mandatory: Yes

Suggested Value: TRUE

waitForServices

Services that must be reachable before querynode starts

Mandatory: Yes

Suggested Value: zookeeper:9600, dbnode:5432, prometheus:9090

machineId

Internal component ID

 

Mandatory: Yes

Suggested Value: machine-0000000000

unity.services.rest.host

Host address of querynode

 

Mandatory: Yes

Suggested Value: 0.0.0.0

unity.services.rest.port

Port on which the query node listens for HTTP requests

 

Mandatory: Yes

Suggested Value: 9681

unity.services.rest.options.results.maxpage

Maximum number of search results shown on the search page

 

Mandatory: Yes

Suggested Value: 1000000

unity.services.query.host

Query Node self host IP which gets registered with ZooKeeper

 

Mandatory: Yes

Suggested Value: 0.0.0.0

unity.services.query.port

Query Node self port which gets registered with ZooKeeper

 

Mandatory: Yes

Suggested Value: 9620

unity.storage.cache

Internal cache for storing query results for each cached query

 

Mandatory: Yes

Suggested Value: /redtail/data/.query/qcache

unity.storage.maxSplitH2fileSize

Defines the maximum size of a file for H2 file splitting; the value is the exponent of 2.

0 - no file splitting.
31 - 2^31 bytes (2 GB) per file.

 

Mandatory: Yes

Suggested Value: 31

unity.maxConcurrentQuery

Max number of queries that can be executed concurrently

 

Mandatory: Yes

Suggested Value: 25

REST_TLS_CIPHERS

Supported cipher suites, as a comma-separated list. The same considerations apply as for REST_TLS_CIPHERS of the Hawk RedTail Console: the suites with static RSA or ECDH key exchange and the CBC suites are weaker than the ECDHE-GCM and TLS 1.3 suites.

 

Mandatory: Yes

Suggested Value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256

REST_TLS_PROTOCOL

Supported TLS protocols

 

Mandatory: Yes

Suggested Value: TLSv1.2, TLSv1.3

REST_TLS_KEY_FILE

Key pair used for setting up REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/key

REST_TLS_KEY_PASSWORD

Password to key pair used for REST TLS communication

 

Mandatory: Yes

Suggested Value: <password>

REST_TLS_CERT_FILE

Certificate used for REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/certificate

REST_TLS_CACERT_FILE

Certificate of the CA used to sign the REST TLS certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

PROMETHEUS_SERVER_HOST

Host name of the Prometheus server

 

Mandatory: Yes

Suggested Value: prometheus

PROMETHEUS_SERVER_PORT

Port of the Prometheus server

 

Mandatory: Yes

Suggested Value: 9090

PROMETHEUS_SERVER_TLS_ENABLED

Set to true, if communication with Prometheus server needs to happen over TLS protocol

 

Mandatory: No

Suggested Value: false

PROMETHEUS_TLS_CACERT_FILE

CA certificate of Prometheus server

 

Mandatory: No

Suggested Value: <path to prometheus nginx CA certificate>

HAWKCONSOLE_HOST

hawkconsolenode host

 

Mandatory: Yes

Suggested Value: hawkconsolenode

HAWKCONSOLE_PORT

hawkconsolenode port

 

Mandatory: Yes

Suggested Value: 9687

HAWKCONSOLE_TLS_ENABLED

Set to true if communication with hawkconsolenode must happen over TLS

 

Mandatory: Yes

Suggested Value: true

HAWKCONSOLE_TLS_CACERT_FILE

hawkconsolenode CA certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

TLS_CLIENT_KEY_FILE

Path to querynode client key to communicate with hawkconsolenode

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-key

TLS_CLIENT_KEY_PASSWORD

Password to querynode client key to communicate with hawkconsolenode

 

Mandatory: Yes

Suggested Value: <password>

TLS_CLIENT_CERT_FILE

Path to querynode client certificate to communicate with hawkconsolenode

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-certificate

TLS_SKIP_CERTIFICATE_VERIFICATION

Skip certificate verification of the TLS peers the query node connects to. Leave it false outside development: when true, any certificate is accepted, including one presented by an attacker on the network path.

 

Mandatory: No

Suggested Value: false

TLS_SKIP_HOSTNAME_VERIFICATION

Skip host name verification of the TLS peers the query node connects to. The suggested value true disables the check; set it to false once the peers' certificates carry the host names the query node uses to reach them.

 

Mandatory: No

Suggested Value: true

JWT_VERIFICATION_KEY

base64 encoded text of public key of the key pair used in Hawk RedTail Console

 

Mandatory: No

Suggested Value: the public key extracted from the key pair /redtail/conf/certs/key, base64 encoded

log_level

Specifies the level of diagnostic information stored in the logs. The following are the logging levels:

ERROR - Indicates error level trace messages should be enabled.
WARNING - Indicates warning level trace messages should be enabled.
INFO - Indicates information level trace messages should be enabled.
DEBUG - Indicates debug level trace messages should be enabled.
TRACE - Indicates trace level messages should be enabled.

 

Mandatory: No

Suggested Value: INFO

JAVA_OPTS

These are JVM properties which can be configured to tune the JVM process.

For example, -Xms512m -Xmx2g

 

Mandatory: No

Suggested Value: <JVM Defaults>
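The Hawk RedTail Console, Grafana and query node sections above each carry switches that weaken transport security when left at their suggested values (TLS_SKIP_HOSTNAME_VERIFICATION=true, datasource_tls_skip_hostname_verification=true, LDAP_DISABLE_HOSTNAME_VERIFICATION=true, GF_DATABASE_SSL_MODE=require, cipher lists that include static-RSA and CBC suites) and placeholder secrets such as mypassword and <password>. The following added example, which is not part of the product, checks a component's environment map for those settings before deployment. The variable names are the ones documented on this page; the sample maps are constructed for the example, and the judgement of which cipher suites count as weak is the author's, not TIBCO's.

```python
"""Lint a Hawk RedTail component's environment map for settings that weaken
transport security or leave placeholder credentials in place.

Added example, not part of TIBCO OI Hawk RedTail. Variable names are the
ones documented for the console, Grafana and query node; the sample maps
and the notion of "weak" below are assumptions.
"""
from __future__ import annotations

import re

# Placeholder secrets that appear as suggested values in the documentation.
PLACEHOLDER_SECRETS = {"mypassword", "changeit", "<password>", "password"}

# Switches that turn off verification of the peer's certificate or host name.
VERIFICATION_SWITCHES = (
    "TLS_SKIP_CERTIFICATE_VERIFICATION",
    "TLS_SKIP_HOSTNAME_VERIFICATION",
    "datasource_tls_skip_certificate_verification",
    "datasource_tls_skip_hostname_verification",
    "LDAP_DISABLE_HOSTNAME_VERIFICATION",
)

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def truthy(value: str | None) -> bool:
    return (value or "").strip().lower() in {"true", "1", "yes"}


def split_list(value: str | None) -> list[str]:
    """Split a comma-separated list, tolerating the spaces the docs use."""
    return [item for item in re.split(r"[,\s]+", value or "") if item]


def is_weak_cipher(suite: str) -> bool:
    """Static RSA/ECDH key exchange gives no forward secrecy and CBC suites are
    exposed to padding-oracle attacks; keep (EC)DHE + GCM and the TLS 1.3
    suites (TLS_AES_*, TLS_CHACHA20_*)."""
    if suite.startswith("TLS_AES_") or suite.startswith("TLS_CHACHA20_"):
        return False
    no_pfs = suite.startswith("TLS_RSA_") or suite.startswith("TLS_ECDH_")
    return no_pfs or "_CBC_" in suite


def lint_env(env: dict[str, str]) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: list[str] = []

    for var in VERIFICATION_SWITCHES:
        if truthy(env.get(var)):
            findings.append(f"{var}=true disables peer verification")

    for var, val in env.items():  # any *PASSWORD* variable left at a placeholder
        if "password" in var.lower() and val.strip() in PLACEHOLDER_SECRETS:
            findings.append(f"{var} is a placeholder secret")

    for var in ("REST_TLS_CIPHERS", "tcp_enabled_algorithms"):
        weak = [s for s in split_list(env.get(var)) if is_weak_cipher(s)]
        if weak:
            findings.append(f"{var} allows non-PFS/CBC suites: {', '.join(weak)}")

    for var in ("REST_TLS_PROTOCOL", "tcp_ssl_protocol"):
        legacy = [p for p in split_list(env.get(var)) if p not in ACCEPTED_PROTOCOLS]
        if legacy:
            findings.append(f"{var} enables legacy protocols: {', '.join(legacy)}")

    if "grpc_enable_tls" in env and not truthy(env["grpc_enable_tls"]):
        findings.append("grpc_enable_tls=false: agent/console gRPC traffic is cleartext")

    mode = env.get("GF_DATABASE_SSL_MODE")
    if mode is not None and mode not in {"verify-ca", "verify-full"}:
        findings.append(f"GF_DATABASE_SSL_MODE={mode}: use verify-full to authenticate the database server")

    if env.get("user_store_type") == "ldap" and not truthy(env.get("LDAP_SSL_ENABLED")):
        findings.append("LDAP bind credentials are sent without TLS (LDAP_SSL_ENABLED=false)")

    if env.get("email_smtp_tls_trust", "").strip() == "*":
        findings.append("email_smtp_tls_trust=* trusts any SMTP server certificate")

    tls_key, jwt_key = env.get("REST_TLS_KEY_FILE"), env.get("JWT_SIGNING_KEY_FILE")
    if tls_key and jwt_key and tls_key == jwt_key:
        findings.append("JWT_SIGNING_KEY_FILE reuses the REST TLS key; use a dedicated signing key")

    return findings


# Constructed sample: console variables copied from the suggested values.
CONSOLE_AS_SUGGESTED = {
    "REST_TLS_CIPHERS": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
                        "TLS_RSA_WITH_AES_128_GCM_SHA256,"
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256",
    "REST_TLS_PROTOCOL": "TLSv1.2, TLSv1.3",
    "REST_TLS_KEY_FILE": "/redtail/conf/certs/key",
    "REST_TLS_KEY_PASSWORD": "<password>",
    "JWT_SIGNING_KEY_FILE": "/redtail/conf/certs/key",
    "TLS_SKIP_CERTIFICATE_VERIFICATION": "false",
    "TLS_SKIP_HOSTNAME_VERIFICATION": "true",
    "datasource_password": "mypassword",
    "datasource_tls_skip_hostname_verification": "true",
    "grpc_enable_tls": "false",
    "user_store_type": "database",
}

# Constructed sample: the same map after hardening (secret values are dummies).
CONSOLE_HARDENED = {
    "REST_TLS_CIPHERS": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                        "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256",
    "REST_TLS_PROTOCOL": "TLSv1.2, TLSv1.3",
    "REST_TLS_KEY_FILE": "/redtail/conf/certs/key",
    "REST_TLS_KEY_PASSWORD": "s3cr3t-from-vault",
    "JWT_SIGNING_KEY_FILE": "/redtail/conf/certs/jwt-signing-key",
    "TLS_SKIP_CERTIFICATE_VERIFICATION": "false",
    "TLS_SKIP_HOSTNAME_VERIFICATION": "false",
    "datasource_password": "db-secret-from-vault",
    "datasource_tls_skip_hostname_verification": "false",
    "grpc_enable_tls": "true",
    "user_store_type": "database",
}

if __name__ == "__main__":
    for name, env in (("as suggested", CONSOLE_AS_SUGGESTED), ("hardened", CONSOLE_HARDENED)):
        print(f"{name}: {len(lint_env(env))} finding(s)")
        for finding in lint_env(env):
            print("  -", finding)
```

Run it against the environment section of each component before deploying; the same variable names recur on the query node, so one map per component is enough.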

Database node Environment Variables

Port: 5432

Environment Variable Description

POSTGRES_HOST_AUTH_METHOD

Authentication method for host connections to the PostgreSQL server (the value the image writes into pg_hba.conf). With password, the client sends the password in cleartext, which is acceptable only over TLS; scram-sha-256 is the stronger choice when the connecting components support it.

 

Mandatory: Yes

Suggested Value: password

POSTGRES_PASSWORD

Password of the PostgreSQL superuser (postgres)

 

Mandatory: Yes

Suggested Value: mypassword

MYSQL_MIGRATION_SERVER_HOST_PORT

Host name and port of the MySQL server from where the data is to be migrated.

For migrating the data from MySQL to PostgreSQL ensure that the following conditions are met before starting TIBCO OI Hawk RedTail:

1. The environment variable MYSQL_MIGRATION_SERVER_HOST_PORT is defined.
2. The environment variable MYSQL_MIGRATION_SERVER_PASSWORD is defined.
3. The PostgreSQL server is not initialized.

 

Mandatory: No

Suggested Value: mysqldbnode:3306

MYSQL_MIGRATION_SERVER_PASSWORD

MySQL server root user's password from where the data is to be migrated

 

Mandatory: No

Suggested Value: mypassword

Note: To persist the PostgreSQL data, mount the volume for the path: /var/lib/postgresql/data

To enable TLS for connections to PostgreSQL, configure a dedicated PostgreSQL configuration file, /etc/postgresql/postgresql.conf.

You can create a new configuration with the following content and map it to /etc/postgresql/postgresql.conf:

ssl=on
ssl_key_file='/etc/postgresql/certs/db-server-key.pem'
ssl_cert_file='/etc/postgresql/certs/db-server-cert.pem'
ssl_ca_file='/etc/postgresql/certs/db-ca.pem'

hba_file='/etc/postgresql/pg_hba.conf'

ssl=on makes TLS available but does not require it; to reject unencrypted connections, use hostssl (rather than host) entries in the pg_hba.conf referenced by hba_file.

The key and certificate are prebuilt in the TIBCO OI Hawk RedTail PostgreSQL image. Replace them with your own CA, certificate, and key by mapping the volume:

- ../build-images/build-context/redtail/conf/certs/dbcacert:/etc/postgresql/certs/db-ca.pem
- ../build-images/build-context/redtail/conf/certs/dbkey:/etc/postgresql/certs/db-server-key.pem
- ../build-images/build-context/redtail/conf/certs/dbcertificate:/etc/postgresql/certs/db-server-cert.pem

Note: The TLS private key must not be passphrase protected, because the server cannot prompt for a passphrase at startup. Protect the key with file permissions instead; PostgreSQL checks the key file's permissions when it starts.

Prometheus Environment Variables

Port: 9090

Consider the following aspects when configuring the prometheus.yml file:

To persist the Prometheus data, mount the volume for the path: /prometheus.
You can configure the cacert, client certificate and key by mounting the files to the volume and mapping the keys to the locations given in the prometheus.yml file (/etc/prometheus/*).

Configure the prometheus.yml file with the following content:

# Global config
global:
  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'redtailmetrics'
  scheme: https
  honor_labels: true
  tls_config:
    # true accepts any server certificate, so ca_file plays no part in verification;
    # set it to false once the console certificate chains to hkc-cacert and names the target host
    insecure_skip_verify: true
    ca_file: '/etc/prometheus/hkc-cacert'
    cert_file: '/etc/prometheus/prom-certificate'
    key_file: '/etc/prometheus/prom-key'
  file_sd_configs:
    - files:
        - /etc/hawkprometheus-discovery/hawktargets.json

Prometheus Discovery Service Environment Variables

Environment Variable Description

client_certificate

Client certificate presented to the Hawk RedTail Console for TLS communication; the console checks its common name against PROMETHEUS_TLS_CN

 

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/certs/prom-certificate

client_key

The client private key used for TLS communication with the Hawk RedTail Console.

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/certs/prom-key

hawkconsole_ca

The CA certificate of the Hawk RedTail Console.

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/certs/hkc-cacert

hawkconsole_url

URL of the Hawk RedTail Console.

Mandatory: Yes

Suggested Value: https://hawkconsolenode:9687

target_output_file

Path to the file where the discovered Prometheus targets are stored.

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/out/hawktargets.json

Note: To persist the Prometheus discovery data, mount the volume for the path: /redtail/prometheus_discovery/out.

Webapp Environment Variables

Port: 9680

Environment Variable Description

LOAD_CONFIG_FROM_ENV

Flag indicating whether the configuration is loaded from environment variables or the predefined default values are used.

Mandatory: Yes

Suggested Value: TRUE

waitForServices

Services (host:port) that must be reachable before the Webapp starts.

Mandatory: Yes

Suggested Value: dbnode:5432

machineId

Internal component ID.

Mandatory: Yes

Suggested Value: machine-0000000000

unity.services.rest.host

Host IP address for Webapp REST communication.

Mandatory: Yes

Suggested Value: 0.0.0.0

unity.services.rest.port

Host port for Webapp REST communication.

Mandatory: Yes

Suggested Value: 9680

GRAFANA_URL

Grafana URL.

Mandatory: Yes

Suggested Value: http://grafana:3000

HAWKCONSOLE_NODE_URL

URL of the hawkconsolenode (Hawk RedTail Console).

Mandatory: Yes

Suggested Value: https://hawkconsolenode:9687

JWT_VERIFICATION_KEY

Base64-encoded public key of the key pair used by the Hawk RedTail Console, used by the Webapp to verify JWTs issued by the Console.

Mandatory: No

Suggested Value: The public key extracted from the key pair at /redtail/conf/certs/key

LOG_LEVEL

Specifies the level of diagnostic information stored in the logs. The following are the logging levels:

ERROR - Indicates error level trace messages should be enabled.
WARNING - Indicates warning level trace messages should be enabled.
INFO - Indicates information level trace messages should be enabled.
DEBUG - Indicates debug level trace messages should be enabled.
TRACE - Indicates trace level messages should be enabled.

Mandatory: Yes

Suggested Value: info

DATABASE_URL

Connection URL of the database server. The value has the following form:

<protocol>://<DB username>:<DB password>@<host1>:<port1>,<host2>:<port2>/<DB name to access>

Where,

- The DB user name and password are set only once, at the beginning of the URL, and must be the same for all hosts. These parameters are optional and can be empty.

- The hosts and ports are a comma-separated list of the addresses where the database instances are present.

- The DB name is the name of the database that must be accessed.

Mandatory: Yes

Suggested Value: <protocol>://<DB username>:<DB password>@<host1>:<port1>,<host2>:<port2>/<DB name to access>

DATABASE_POOL_CONNECTION_LIMIT

The maximum number of connections that can be created at once.

Mandatory: Yes

Suggested Value: 5

DATABASE_POOL_IDLE_TIMEOUT_MILLIS

Number of milliseconds a client must sit idle in the pool, and not be checked out, before it is disconnected from the backend and discarded. The default is 10000 (10 seconds); set it to 0 to disable auto-disconnection of idle clients.

Mandatory: Yes

Suggested Value: 10000

DATABASE_TLS_ENABLED

Set to true if communication with the database is over TLS.

Mandatory: Yes

Suggested Value: true

DATABASE_TLS_CACERT_FILE

Path to the database CA certificate.

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

REST_TLS_KEY_FILE

Path to the key pair used for REST TLS communication.

Mandatory: Yes

Suggested Value: /redtail/tomcat/conf/key

REST_TLS_CERT_FILE

Path to the certificate used for REST TLS communication.

Mandatory: Yes

Suggested Value: /redtail/tomcat/conf/certificate

REST_TLS_CACERT_FILE

Path to the certificate of the CA that signed the REST TLS certificate.

Mandatory: Yes

Suggested Value: /redtail/tomcat/conf/cacert

REST_TLS_PROTOCOL

TLS protocol version supported by the REST endpoint.

Mandatory: Yes

Suggested Value: TLSv1.3

REST_TLS_KEY_PASSWORD

Password of the key pair used for REST TLS communication.

Mandatory: Yes

Suggested Value: <password>

REST_TLS_CIPHERS

Cipher suites supported by the REST endpoint, as a colon-separated list of OpenSSL cipher names.

Mandatory: Yes

Suggested Value: AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA:ECDH-RSA-AES128-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

QUERYNODE_TLS_CACERT_FILE

Query node CA certificate. Required for TLS communication with the Query node.

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

HAWKCONSOLE_TLS_CACERT_FILE

The hawkconsolenode CA certificate. Required for TLS communication with the Hawk RedTail Console.

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

GRAFANA_TLS_CACERT_FILE

Grafana CA certificate. Required for TLS communication with Grafana.

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

TLS_CLIENT_KEY_FILE

Path to the Webapp client key. Required for mutual TLS authentication with another component or client, for example when Grafana is configured behind a reverse proxy that requires client certificates.

Mandatory: No

Suggested Value: /redtail/conf/certs/webapp-client-key

TLS_CLIENT_CERT_FILE

Path to the Webapp client certificate.

Mandatory: No

Suggested Value: /redtail/conf/certs/webapp-client-certificate

TLS_CLIENT_KEY_PASSWORD

Password of the Webapp client key.

Mandatory: No

Suggested Value: <password>

TLS_SKIP_CERTIFICATE_VERIFICATION

Specifies whether the Webapp must skip certificate verification while communicating with other TIBCO OI Hawk RedTail nodes.

Mandatory: Yes

Suggested Value: false

TLS_SKIP_HOSTNAME_VERIFICATION

Specifies whether the Webapp must skip host name verification while communicating with other TIBCO OI Hawk RedTail nodes.

Mandatory: Yes

Suggested Value: true
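The DATABASE_URL layout and the TLS variables in the table above are the settings most worth checking before a Webapp container is started, because a malformed URL fails late and a verification flag set the wrong way fails silently. The following Python script is an added example, not code from TIBCO OI Hawk RedTail: parse_database_url() implements the documented multi-host URL form (credentials optional and possibly empty, comma-separated host:port list, database name) and can render the URL with the password masked for logs; audit_webapp_env() then reports DATABASE_URL parse errors, DATABASE_TLS_ENABLED not set to true, either TLS_SKIP_* flag set to true, a REST_TLS_PROTOCOL other than TLSv1.2 or TLSv1.3, and entries in REST_TLS_CIPHERS that do not provide forward secrecy. SAMPLE_ENV is constructed from the table's suggested values; the credentials, host names and database name in it are placeholders, and its cipher list is a shortened form of the suggested value.

```python
"""Check a Webapp environment before the container starts.

Added example, not part of TIBCO OI Hawk RedTail. parse_database_url() implements the
DATABASE_URL layout documented on this page; SAMPLE_ENV is constructed.
"""
from dataclasses import dataclass
import re

_URL_RE = re.compile(
    r"(?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^:@/]*):(?P<password>[^@/]*)@)?"  # credentials are optional and may be empty
    r"(?P<hosts>[^/@]+)/"                             # host:port[,host:port...]
    r"(?P<database>[^/?#]+)"
)


@dataclass
class DatabaseUrl:
    protocol: str
    username: str
    password: str
    hosts: list[tuple[str, int]]
    database: str

    def redacted(self) -> str:
        """Render the URL with the password masked, for logs and error messages."""
        auth = ""
        if self.username or self.password:
            auth = f"{self.username}:{'***' if self.password else ''}@"
        hosts = ",".join(f"{host}:{port}" for host, port in self.hosts)
        return f"{self.protocol}://{auth}{hosts}/{self.database}"


def parse_database_url(url: str) -> DatabaseUrl:
    """Parse <protocol>://<user>:<password>@<host1>:<port1>,<host2>:<port2>/<db>.

    urllib.parse is deliberately not used: it does not understand the comma-separated host list.
    """
    m = _URL_RE.fullmatch(url)
    if not m:
        raise ValueError("expected <protocol>://[user:password@]host:port[,host:port]/<database>")
    hosts: list[tuple[str, int]] = []
    for entry in m["hosts"].split(","):
        host, sep, port = entry.rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"bad host:port entry {entry!r}")
        hosts.append((host, int(port)))
    return DatabaseUrl(m["protocol"], m["user"] or "", m["password"] or "", hosts, m["database"])


def forward_secret(suite: str) -> bool:
    """OpenSSL-style names: ECDHE-/DHE- suites and the TLS 1.3 TLS_* suites negotiate ephemeral
    keys; plain RSA (AES128-GCM-SHA256) and static ECDH (ECDH-ECDSA-...) suites do not."""
    return suite.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_webapp_env(env: dict[str, str]) -> list[str]:
    """Return findings for settings that weaken the Webapp's transport security."""
    def is_true(name: str) -> bool:
        return env.get(name, "").strip().lower() == "true"

    findings: list[str] = []
    try:
        parse_database_url(env.get("DATABASE_URL", ""))
    except ValueError as exc:
        findings.append(f"DATABASE_URL: {exc}")
    if not is_true("DATABASE_TLS_ENABLED"):
        findings.append("DATABASE_TLS_ENABLED is not true: database credentials travel in clear text")
    if is_true("TLS_SKIP_CERTIFICATE_VERIFICATION"):
        findings.append("TLS_SKIP_CERTIFICATE_VERIFICATION=true: any certificate from other RedTail nodes is accepted")
    if is_true("TLS_SKIP_HOSTNAME_VERIFICATION"):
        findings.append("TLS_SKIP_HOSTNAME_VERIFICATION=true: a certificate issued for a different name is accepted")
    protocol = env.get("REST_TLS_PROTOCOL", "")
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"REST_TLS_PROTOCOL={protocol!r}: only TLSv1.2 or TLSv1.3 should be offered")
    weak = [s for s in env.get("REST_TLS_CIPHERS", "").split(":") if s and not forward_secret(s)]
    if weak:
        findings.append("REST_TLS_CIPHERS without forward secrecy: " + ", ".join(weak))
    return findings


# Constructed sample; values follow the table's suggested values where the page gives one.
SAMPLE_ENV: dict[str, str] = {
    "DATABASE_URL": "postgres://redtail_user:s3cret@dbnode:5432,dbnode2:5432/redtail",  # placeholders
    "DATABASE_TLS_ENABLED": "true",
    "REST_TLS_PROTOCOL": "TLSv1.3",
    "REST_TLS_CIPHERS": "AES128-GCM-SHA256:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_256_GCM_SHA384",
    "TLS_SKIP_CERTIFICATE_VERIFICATION": "false",
    "TLS_SKIP_HOSTNAME_VERIFICATION": "true",
}

if __name__ == "__main__":
    print(parse_database_url(SAMPLE_ENV["DATABASE_URL"]).redacted())
    for finding in audit_webapp_env(SAMPLE_ENV):
        print("FINDING:", finding)
```

On SAMPLE_ENV the audit returns two findings. The first is TLS_SKIP_HOSTNAME_VERIFICATION, which the table suggests as true: the finding spells out what that trades away (the certificate's name is not matched against the host you connect to), so the choice is a deliberate one when container host names differ from the names in the certificates. The second lists the suggested cipher entries that use plain RSA or static ECDH key exchange; the ECDHE-* and TLS_* suites in the same list are the ones that give forward secrecy.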