Environment Variables for TIBCO OI Hawk RedTail Components

Each component of TIBCO OI Hawk RedTail can be configured using environment variables, which can be provided in a YAML file.

Hawk Agent Environment Variables

Environment Variable Description

auto_config_dir

The auto_config_dir environment variable specifies the directory from where the configuration objects are loaded for the agent to run in auto-configuration mode.
When this option is not used, the agent operates in manual configuration mode. When using the manual configuration mode, use the config_path variable.
Note: By default, the auto_config_dir is created in the hkce_agent container. Because any file or folder created in the container is transient, removing the hkce_agent container might lead to loss of the rulebases stored in the directory specified in auto_config_dir. To avoid this, use a Docker volume to persist the rulebases and set auto_config_dir to the destination of the Docker volume within the hkce_agent container.

 

Mandatory: No

Suggested Value: None

config_path

The config_path environment variable specifies the directory from where the configuration objects are loaded for the agent to run in manual configuration mode.
This variable cannot be used with the auto_config_dir variable.
The delimiter for path entries is the colon (:) symbol.

 

Mandatory: No

Suggested Value: None

hma_plugin_dir

The hma_plugin_dir environment variable specifies the directory used for Hawk microagent plug-in configuration.

 

Mandatory: No

Suggested Value: -

log_level

The log_level environment variable identifies the log level. The values of the log_level environment variable are:
  • 4 (ERROR)
  • 6 (WARN)
  • 7 (INFO)
  • 8 (DEBUG)
  • 16 (TRACE)

 

Mandatory: No

Suggested Value: 7

grpc_session

The grpc_session environment variable specifies the hostname and port that the Hawk Agent uses to connect to the Hawk RedTail Console using gRPC transport.

 

Mandatory: Yes

Suggested Value: hawkconsolenode:9697

grpc_max_reconnect_attempts

Specifies the number of attempts that must be made by the Hawk agent to re-establish communication with the Hawk RedTail Console using gRPC Transport.

 

Mandatory: No

Suggested Value: 100

grpc_reconnect_interval

Specifies the interval (in milliseconds) between reconnection attempts

 

Mandatory: No

Suggested Value: 5000

Environment Variables for gRPC Transport TLS Configuration

The following TLS/SSL parameters are applicable to -grpc_session

grpc_enable_tls

Set to true, if communication needs to happen over TLS protocol.

 

Mandatory: No

Suggested Value: false or true

grpc_server_ca

Path of the Certificate Authority of the Hawk RedTail Console server

 

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

grpc_server_hostname

Host name of the Hawk RedTail Console

 

Mandatory: No

Suggested Value: grpcserver

grpc_client_certificate

Path of the client certificate for the Hawk agent

 

Mandatory: No

Suggested Value: /redtail/conf/certs/grpc-client-certificate

grpc_client_key

Path of the client private key for the Hawk agent in PKCS8 format

 

Mandatory: No

Suggested Value: /redtail/conf/certs/grpc-client-key

Environment Variables for gRPC AMI Transport

ami_grpc_session_port

Configures the agent with a gRPC session to be used to communicate with applications implementing the TIBCO Hawk Application Management Interface. 

Mandatory: No 

Suggested Value: 9698

ami_grpc_enable_tls

TLS parameters can be specified while using gRPC transport for AMI

Mandatory: No 

Suggested Value: false

ami_grpc_certificate

Location of certificate for AMI GRPC session port

Mandatory: No 

Suggested Value: /redtail/conf/certs/grpc-server-certificate

ami_grpc_private_key 

Location of private key for AMI GRPC session port

Mandatory: No 

Suggested Value: /redtail/conf/certs/grpc-server-key

ami_grpc_trusted_cert 

Location of CA certificate used to sign the AMI application's certificate

Mandatory: No 

Suggested Value: /redtail/conf/certs/cacert

Environment variables for Email Configurations

email_smtp_server

The email_smtp_server environment variable identifies the SMTP server host name for sending emails

 

Mandatory: No

Suggested Value: None

email_smtp_port

The email_smtp_port environment variable identifies the SMTP server port

 

Mandatory: No

Suggested Value: 25

email_smtp_auth_required

The email_smtp_auth_required environment variable specifies whether the SMTP server authentication is required or not

 

Mandatory: No

Suggested Value: false

email_smtp_tls_required

The email_smtp_tls_required environment variable specifies whether the SMTP server requires TLS or not

 

Mandatory: No

Suggested Value: false

email_smtp_tls_trust

Skips certificate validation of SMTP server. If set to "*", all hosts are trusted hosts. If set to a whitespace separated list of hosts, those hosts are trusted. Otherwise, trust depends on the certificate the server presents.

 

Mandatory: No

Suggested Value: -

email_smtp_socket_factory_port

The email_smtp_socket_factory_port environment variable specifies the SMTP socket factory port needed for TLS

 

Mandatory: No

Suggested Value: 25

email_smtp_user

The email_smtp_user environment variable specifies the SMTP server user name. This variable is required only if SMTP server authentication is configured to true.

 

Mandatory: No

Suggested Value: None

email_smtp_password

The email_smtp_password environment variable specifies the user password for the SMTP server. This variable is required only if SMTP server authentication is set to true.

 

Mandatory: No

Suggested Value: None

Hawk RedTail Console Environment Variables

Port: 9687

Environment Variable Description
ACTIVATION_SERVER_URL

TIBCO Activation Server URL

Mandatory: Yes

Suggested Value: https://tib-activate:7070/

LEADER_ELECTION_SCAN_INTERVAL_SECONDS

Configure the interval (in seconds) at which the application scans for leader election

Mandatory: Yes

Suggested Value: 10

LOAD_CONFIG_FROM_ENV

Flag to indicate whether to load variables from environment variables or to use predefined default values

 

Mandatory: Yes

Suggested Value: TRUE

waitForServices

Services after which the hawkconsolenode starts

 

Mandatory: Yes

Suggested Value: dbnode:5432,grafana:3000

TIBFTL_USERNAME

Username of FTL

Mandatory: Yes

TIBFTL_PASSWORD

Password of FTL

Mandatory: Yes

EMS_DOMAIN_RECONNECT_ATTEMPTS_AND_INTERVAL

Number of attempts made to reinstate a connection with the EMS server, and the interval between those attempts. The value must be a comma-separated pair, where the first part is the number of attempts and the second part is the interval in milliseconds.

Mandatory: No

Suggested Value: 1800,1000

LDAP_SEARCH_CONTROL_COUNT_LIMIT

Setting that restricts the number of entries returned by an LDAP search operation.

Mandatory: No

Suggested Value: 30

LDAP_SEARCH_CONTROL_TIME_LIMIT

Setting that restricts the maximum time (in milliseconds) allowed for an LDAP search operation to complete.

Mandatory: No

Suggested Value: 30000

hawk_console_retention_count_notification

Notification retention limit per domain

Mandatory: No

Suggested Value: 100000

hawk_console_retention_count_medium

Medium alert retention limit per domain

Mandatory: No

Suggested Value: 100000

hawk_console_retention_count_low

Low alert retention limit per domain

Mandatory: No

Suggested Value: 100000

grpc_session_port

Port that the Hawk RedTail Console component container uses to listen to incoming transport request from Hawk agents

Mandatory: No

Suggested Value: 9697

prometheus_exporter_scrape_interval

Time interval (in seconds) in which console will scrape data from prometheus exporter

Mandatory: No

Suggested Value: 60

EXPORTER_MA_METHOD_SUBSCRIPTION_INTERVAL

Time interval (in seconds) in which console will receive data from subscription.

Mandatory: No

Suggested Value: 60

prometheus_exporter_clear_samples_enabled

Hawk Console will clear the stale Prometheus samples if this property is set to true.

Mandatory: No

Suggested Value: true

grpc_enable_tls

Set to true if gRPC communication needs to happen over TLS protocol

Mandatory: No

Suggested Value: false

grpc_server_certificate

Path of the server certificate for the HawkConsole

Mandatory: No

Suggested Value: /redtail/conf/certs/grpc-server-certificate

grpc_server_key

Path to HawkConsole private key

Mandatory: No

Suggested Value: /redtail/conf/certs/grpc-server-key

grpc_client_ca

Path to HawkAgent CA for mutual authentication

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

hawk_domain

The Hawk domain name.

Mandatory: Yes

Suggested Value: redtail

hawk_console_server_port

Listen port for Hawk RedTail Console REST communication

 

Mandatory: Yes

Suggested Value: 9687

JAVA_TOOL_OPTIONS

These are JVM properties which can be configured to tune the JVM process

For example, -Xms512m -Xmx2g

 

Mandatory: No

Suggested Value: <JVM Defaults>

GRAFANA_URL

Grafana URL

 

Mandatory: Yes

Suggested Value: http://grafana:3000

REST_TLS_CIPHERS

Supported Cipher Suites

 

Mandatory: Yes

Suggested Value: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256

REST_TLS_PROTOCOL

Supported TLS protocols

 

Mandatory: Yes

Suggested Value: TLSv1.2, TLSv1.3

REST_TLS_KEY_FILE

Key pair used for setting up REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/key

REST_TLS_KEY_PASSWORD

Password to key pair used for REST TLS communication

 

Mandatory: Yes

Suggested Value: <password>

REST_TLS_CERT_FILE

Certificate used for REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/certificate

REST_TLS_CACERT_FILE

Certificate of the CA used to sign the REST TLS certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

TLS_SKIP_CERTIFICATE_VERIFICATION

Skip certificate verification

 

Mandatory: No

Suggested Value: false

TLS_SKIP_HOSTNAME_VERIFICATION

Skip host name verification

 

Mandatory: No

Suggested Value: true

JWT_SIGNING_KEY_FILE

Path to JWT signing key

 

Mandatory: No

Suggested Value: /redtail/conf/certs/key

JWT_SIGNING_KEY_PASSWORD

Password to JWT signing key

 

Mandatory: No

Suggested Value: <password>

JWT_TTL

JWT token time to live value (in minutes)

 

Mandatory: No

Suggested Value: 300

PROMETHEUS_TLS_CACERT_FILE

Path to the CA cert which signed Prometheus server certificate. This is required for Prometheus to securely connect with the Hawk RedTail Console for scraping metrics

 

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

GRAFANA_TLS_CACERT_FILE

Path to the Grafana CA certificate. This is valid in case where Grafana is secured with TLS

 

Mandatory: No

Suggested Value: NA

datasource_url

Connection URL to PostgreSQL server

 

Mandatory: Yes

Suggested Value: jdbc:postgresql://dbnode:3306/logumon

datasource_drivername

JDBC class name

 

Mandatory: Yes

Suggested Value: org.postgresql.Driver

datasource_username

Database user name

 

Mandatory: Yes

Suggested Value: postgres

datasource_password

Database password

 

Mandatory: Yes

Suggested Value: mypassword

datasource_connection_pool_initial_size

Database Connection pool size at start up

 

Mandatory: No

Suggested Value: "10"

datasource_connection_pool_max_idle

Maximum number of idle connections allowed in the database connection pool

 

Mandatory: No

Suggested Value: "20"

datasource_connection_pool_max_active

Maximum number of active connections allowed in the database connection pool

 

Mandatory: No

Suggested Value: 100

datasource_tls_cacert_file

Path to the database CA certificate. This is valid if PostgreSQL is secured with TLS.

 

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

datasource_tls_skip_hostname_verification

Skip host name verification while communicating with database over TLS

 

Mandatory: No

Suggested Value: true

datasource_tls_skip_certificate_verification

Skip certificate verification while communicating with database over TLS

 

Mandatory: No

Suggested Value: false

user_store_type

Type of store where the users are stored

 

Mandatory: Yes

Suggested Value: database, ldap

LDAP_UID_ATTR

Attribute to use as a user name when LDAP authentication is enabled

 

Mandatory: No

Suggested Value: CN

LDAP_SSL_ENABLED

Set to true, if communication with LDAP is over SSL

 

Mandatory: No

Suggested Value: false

LDAP_DISABLE_HOSTNAME_VERIFICATION

Skip LDAP server host name verification

 

Mandatory: No

Suggested Value: true

LDAP_TLS_CACERT_FILE

Path to the CA certificate of LDAP server

 

Mandatory: No

Suggested Value: NA

TLS Configuration

TLS_CLIENT_KEY_FILE

Path to hawkconsolenode client key. Required for mutual authentication with any other component/client.

For example, if Grafana is configured with a reverse proxy using TLS via mutual authentication.

 

Mandatory: No

Suggested Value: NA

TLS_CLIENT_KEY_PASSWORD

Password to hawkconsolenode client key

 

Mandatory: No

Suggested Value: NA

TLS_CLIENT_CERT_FILE

Path to hawkconsolenode client certificate

 

Mandatory: No

Suggested Value: NA

log_level

Specifies the level of diagnostic information stored in the logs. The following are the logging levels:

ERROR - Indicates error level trace messages should be enabled.
WARNING - Indicates warning level trace messages should be enabled.
INFO - Indicates information level trace messages should be enabled.
DEBUG - Indicates debug level trace messages should be enabled.
TRACE - Indicates trace level messages should be enabled.

 

Mandatory: No

Suggested Value: INFO

Grafana Component Environment Variables

Port: 3000

Environment Variable Description
waitForServices

Specifies the services after which the Grafana component must start

 

Mandatory: Yes

Suggested Value: dbnode:5432

GF_USERS_ALLOW_SIGN_UP

When set to false: Prohibits users from being able to sign up or create user accounts. The admin user can still create users from the Grafana Admin Pages.

Default: false.

 

Mandatory: Yes

Suggested Value: false

GF_USERS_AUTO_ASSIGN_ORG

When set to true: Automatically adds new users to the main organization (ID 1).

When set to false: A new organization is created for the new user automatically.

Default: true

 

Mandatory: Yes

Suggested Value: true

GF_USERS_AUTO_ASSIGN_ORG_ROLE

The role new users are assigned for the main organization (if GF_USERS_AUTO_ASSIGN_ORG is set to true). Defaults to Viewer, other valid options are Admin and Editor. For TIBCO OI Hawk RedTail, this value must be Editor.

 

Mandatory: Yes

Suggested Value: Editor

GF_USERS_DEFAULT_THEME

Set the default UI theme: dark or light. Default is dark. For TIBCO OI Hawk RedTail, the suggested value is light.

 

Mandatory: Yes

Suggested Value: light

GF_AUTH_PROXY_ENABLED

Set to true to let an HTTP reverse proxy handle authentication for Grafana. For TIBCO OI Hawk RedTail, this value must be true.

 

Mandatory: Yes

Suggested Value: true

GF_AUTH_PROXY_HEADER_NAME

HTTP Header name that contains the user name

 

Mandatory: Yes

Suggested Value: X-WEBAUTH-USER

GF_AUTH_PROXY_HEADER_PROPERTY

HTTP Header property, defaults to username

 

Mandatory: Yes

Suggested Value: username

GF_AUTH_PROXY_AUTO_SIGN_UP

Set to true to enable auto sign up of users who do not exist in the Grafana database. Default is true.

 

Mandatory: Yes

Suggested Value: true

GF_SERVER_DOMAIN

This setting is only used as a part of the root_url setting

 

Mandatory: Yes

Suggested Value: grafananode

GF_SERVER_HTTP_PORT

The port to bind to; defaults to 3000

 

Mandatory: Yes

Suggested Value: 3000

GF_SERVER_ROOT_URL

This is the full URL used to access Grafana from a web browser

 

Mandatory: Yes

Suggested Value: %(protocol)s://%(domain)s:%(http_port)s/redtail/grafana

GF_AUTH_BASIC_ENABLED

Basic auth is enabled by default and works with built-in Grafana. For TIBCO OI Hawk RedTail, basic auth must be enabled.

 

Mandatory: Yes

Suggested Value: true

GF_SECURITY_ALLOW_EMBEDDING

Default: false.

When false, the X-Frame-Options: deny HTTP header is set in the Grafana HTTP responses. Thus, browsers do not allow rendering Grafana in <frame>, <iframe>, <embed>, or <object>. For TIBCO OI Hawk RedTail, set this value to true.

 

Mandatory: Yes

Suggested Value: true

GF_PATHS_PLUGINS

Directory where Grafana automatically scans and looks for plug-ins. Manually or automatically install any plug-ins here.

 

Mandatory: Yes

Suggested Value: /usr/share/grafana/data/grafana/plugins

GF_DATABASE_TYPE

Type of database where Grafana stores all the data

 

Mandatory: Yes

Suggested Value: postgres

GF_DATABASE_HOST

Host and IP port of the database

 

Mandatory: Yes

Suggested Value: dbnode:5432

GF_DATABASE_NAME

Name of the database

 

Mandatory: Yes

Suggested Value: grafana

GF_DATABASE_USER

Database user name

 

Mandatory: Yes

Suggested Value: postgres

GF_DATABASE_PASSWORD

Database user password

 

Mandatory: Yes

Suggested Value: mypassword

GF_DATABASE_SSL_MODE

Skips verification of the certificate chain and hostname when making the connection

 

Mandatory: Yes

Suggested Value: require

GF_DATABASE_CA_CERT_PATH

Database CA certificate

 

Mandatory: Yes

Suggested Value: /etc/grafana/db-cacert

Querynode Environment variables

Port: 9681

Environment Variable Description

LOAD_CONFIG_FROM_ENV

Flag to indicate whether to load variables from environment variables or to use predefined default values.

 

Mandatory: Yes

Suggested Value: TRUE

waitForServices

Services after which querynode starts

Mandatory: Yes

Suggested Value: dbnode:5432, prometheus:9090

machineId

Machine identification

Recommended value: machine-0000000000.

 

Mandatory: Yes

Suggested Value: machine-0000000000

services.rest.host

Host address of querynode

 

Mandatory: Yes

Suggested Value: 0.0.0.0

services.rest.port

Port on which querynode listens to HTTP request

 

Mandatory: Yes

Suggested Value: 9681

services.rest.options.results.maxpage

Maximum number of search results shown on the search page

 

Mandatory: Yes

Suggested Value: 1000000

services.query.host

Query Node self host IP

 

Mandatory: Yes

Suggested Value: 0.0.0.0

services.query.port

Query Node self port

Mandatory: Yes

Suggested Value: 9620

storage.cache

Internal cache for storing query results for each cached query

 

Mandatory: Yes

Suggested Value: /redtail/data/.query/qcache

storage.maxSplitH2fileSize

Defines maximum size of file for H2 file splitting

0 - defines no file splitting.
31 - 2 GB file size.

 

Mandatory: Yes

Suggested Value: 31

maxConcurrentQuery

Max number of queries that can be executed concurrently

 

Mandatory: Yes

Suggested Value: 25 (docker compose), 50 (helm)

REST_TLS_CIPHERS

Supported Cipher Suites

 

Mandatory: Yes

Suggested Value: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256

REST_TLS_PROTOCOL

Supported TLS protocol

 

Mandatory: Yes

Suggested Value: TLSv1.2, TLSv1.3

REST_TLS_KEY_FILE

Key pair used for setting up REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/key

REST_TLS_KEY_PASSWORD

Password to key pair used for REST TLS communication

 

Mandatory: Yes

Suggested Value: <password>

REST_TLS_CERT_FILE

Certificate used for REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/certificate

REST_TLS_CACERT_FILE

Certificate of the CA used to sign the REST TLS certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

PROMETHEUS_SERVER_HOST

Host name of the Prometheus server

 

Mandatory: Yes

Suggested Value: prometheus

PROMETHEUS_SERVER_PORT

Port of the Prometheus server

 

Mandatory: Yes

Suggested Value: 9090

PROMETHEUS_SERVER_TLS_ENABLED

Set to true, if communication with Prometheus server needs to happen over TLS protocol

 

Mandatory: No

Suggested Value: false

PROMETHEUS_TLS_CACERT_FILE

CA certificate of Prometheus server

 

Mandatory: No

Suggested Value: <path to prometheus nginx CA certificate>

HAWKCONSOLE_HOST

hawkconsolenode host

 

Mandatory: Yes

Suggested Value: hawkconsolenode

HAWKCONSOLE_PORT

hawkconsolenode port

 

Mandatory: Yes

Suggested Value: 9687

HAWKCONSOLE_TLS_ENABLED

True, if communication with Prometheus server needs to happen over TLS protocol

 

Mandatory: Yes

Suggested Value: true

HAWKCONSOLE_TLS_CACERT_FILE

hawkconsolenode CA certificate

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

TLS_CLIENT_KEY_FILE

Path to querynode client key to communicate with hawkconsolenode

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-key

TLS_CLIENT_KEY_PASSWORD

Password to querynode client key to communicate with hawkconsolenode

 

Mandatory: Yes

Suggested Value: <password>

TLS_CLIENT_CERT_FILE

Path to querynode client certificate to communicate with hawkconsolenode

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/querynode-client-certificate

TLS_SKIP_CERTIFICATE_VERIFICATION

Skip certificate verification

 

Mandatory: No

Suggested Value: false

TLS_SKIP_HOSTNAME_VERIFICATION

Skip host name verification

 

Mandatory: No

Suggested Value: true

JWT_VERIFICATION_KEY

base64 encoded text of public key of the key pair used in Hawk RedTail Console

 

Mandatory: No

Suggested Value: Extracts out public key of the keypair /redtail/conf/certs/key

datasource_url

Specifies the JDBC URL for connecting to the PostgreSQL database. 

Mandatory: Yes 

Suggested Value: jdbc:postgresql://dbnode:5432/logumon

datasource_drivername

JDBC driver class to be used for the database connection.

Mandatory: Yes 

Suggested Value: org.postgresql.Driver

datasource_username

Username for authenticating with the database

Mandatory: Yes 

Suggested Value: postgres

datasource_password 

Password for the database user.

Mandatory: Yes 

Suggested Value: mypassword

datasource_connection_pool_initial_size 

Sets the initial number of connections in the connection pool. This ensures that a minimum of 1 connection is available when the application starts.

Mandatory: No 

Suggested Value: 1 (docker compose), 2 (helm)

datasource_connection_pool_max_active

Specifies the maximum number of active connections allowed in the pool.

Mandatory: No 

Suggested Value: 2

datasource_tls_skip_hostname_verification 

If set to true, it skips hostname verification during TLS/SSL connections. This is useful in environments where hostname mismatches are expected.

Mandatory: No 

Suggested Value: true

datasource_tls_skip_certificate_verification

If set to true, it skips certificate validation during TLS/SSL connections. This is typically used in development or testing environments.

Mandatory: No 

Suggested Value: true

datasource_tls_cacert_file

Specifies the path to the CA (Certificate Authority) certificate file used to verify the database server's certificate during TLS/SSL connections.

Mandatory: No 

Suggested Value: /redtail/conf/certs/dbcacert

DATAMODEL_REFRESH_INTERVAL_SECONDS

Sets the interval (in seconds) at which the data model is refreshed

Mandatory: Yes 

Suggested Value: 60

log_level

Specifies the level of diagnostic information stored in the logs. The following are the logging levels:

ERROR - Indicates error level trace messages should be enabled.
WARNING - Indicates warning level trace messages should be enabled.
INFO - Indicates information level trace messages should be enabled.
DEBUG - Indicates debug level trace messages should be enabled.
TRACE - Indicates trace level messages should be enabled.

 

Mandatory: No

Suggested Value: INFO

JAVA_TOOL_OPTIONS

These are JVM properties which can be configured to tune the JVM process.

For example, -Xms512m -Xmx2g

 

Mandatory: No

Suggested Value: -Xms1g -Xmx2g

Database node Environment Variables

Port: 5432

Environment Variable Description

POSTGRES_HOST_AUTH_METHOD

Authentication mechanism to be used with the PostgreSQL server

 

Mandatory: Yes

Suggested Value: password

Note: To persist the PostgreSQL data, mount the volume for the path: /var/lib/postgresql/data

To set up TLS for accessing PostgreSQL, you need to configure a "special" config file within PostgreSQL: /etc/postgresql/postgresql.conf.

You can create a new configuration with the following content and map it to /etc/postgresql/postgresql.conf:

ssl=on
ssl_key_file='/etc/postgresql/certs/db-server-key.pem'
ssl_cert_file='/etc/postgresql/certs/db-server-cert.pem'
ssl_ca_file='/etc/postgresql/certs/db-ca.pem'

hba_file='/etc/postgresql/pg_hba.conf'

The key and certificate are prebuilt in the TIBCO OI Hawk RedTail PostgreSQL image.

You can re-configure the CA, certificate, and key for TLS by mapping the volume:

- ../build-images/build-context/redtail/conf/certs/dbcacert:/etc/postgresql/certs/db-ca.pem
- ../build-images/build-context/redtail/conf/certs/dbkey:/etc/postgresql/certs/db-server-key.pem
- ../build-images/build-context/redtail/conf/certs/dbcertificate:/etc/postgresql/certs/db-server-cert.pem

Note: The key used for TLS should be non-passphrase protected.

Prometheus Environment Variables

Port: 9090

Consider the following aspects when configuring the prometheus.yml file:

To persist the Prometheus data, mount the volume for the path: /prometheus.
You can configure the cacert, client certificate and key by mounting the files to the volume and mapping the keys to the locations given in the prometheus.yml file (/etc/prometheus/*).

Configure the prometheus.yml file with the following content:

# Global config
global:
  scrape_interval: 90s # Set the scrape interval to every 90 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'redtailmetrics'
  scheme: https
  honor_labels: true
  tls_config:
    insecure_skip_verify: true
    ca_file: '/etc/prometheus/hkc-cacert'
    cert_file: '/etc/prometheus/prom-certificate'
    key_file: '/etc/prometheus/prom-key'
  file_sd_configs:
    - files:
        - /etc/hawkprometheus-discovery/hawktargets.json

Prometheus Discovery Service Environment Variables

Environment Variable Description

client_certificate

The certificate which is going to be used for TLS communication with the Hawk RedTail Console

 

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/certs/prom-certificate

client_key

The key which is going to be used for TLS communication with the Hawk RedTail Console

 

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/certs/prom-key

hawkconsole_ca

The CA certificate of the Hawk RedTail Console

 

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/certs/hkc-cacert

hawkconsole_url

URL of the Hawk RedTail Console

 

Mandatory: Yes

Suggested Value: https://hawkconsolenode:9687

target_output_file

Path to the file where the discovered Prometheus targets are stored

 

Mandatory: Yes

Suggested Value: /redtail/prometheus_discovery/out/hawktargets.json

log_level

Configures the log level. Accepted values are ERROR, INFO and DEBUG.

Mandatory: No

Suggested Value: INFO

Note: To persist the Prometheus discovery data, mount the volume for the path: /redtail/prometheus_discovery/out.

Webapp Environment Variables

Port: 9680

Environment Variable Description

LOAD_CONFIG_FROM_ENV

Flag to indicate whether to load variables from environment variables or to use predefined default values

 

Mandatory: Yes

Suggested Value: TRUE

waitForServices

Services after which the Webapp starts

 

Mandatory: Yes

Suggested Value: hawkconsolenode:9687

services.rest.host

Host IP for Webapp REST communication

 

Mandatory: Yes

Suggested Value: 0.0.0.0

services.rest.port

Host port for Webapp REST communication

 

Mandatory: Yes

Suggested Value: 9680

GRAFANA_URL

Grafana URL

 

Mandatory: Yes

Suggested Value: http://grafana:3000

HAWKCONSOLE_NODE_URL

hawkconsolenode URL

 

Mandatory: Yes

Suggested Value: https://hawkconsolenode:9687

JWT_VERIFICATION_KEY

base64 encoded text of public key of the key pair used in Hawk RedTail Console

 

Mandatory: No

Suggested Value: Extracts out public key of the key pair /redtail/conf/certs/key

LOG_LEVEL

Specifies the level of diagnostic information stored in the logs. The following are the logging levels:

ERROR - Indicates error level trace messages should be enabled.
WARNING - Indicates warning level trace messages should be enabled.
INFO - Indicates information level trace messages should be enabled.
DEBUG - Indicates debug level trace messages should be enabled.
TRACE - Indicates trace level messages should be enabled.

 

Mandatory: Yes

Suggested Value: info

REST_TLS_KEY_FILE

Key pair used for setting up REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/tomcat/conf/key

REST_TLS_CERT_FILE

Certificate used for REST TLS communication

 

Mandatory: Yes

Suggested Value: /redtail/tomcat/conf/certificate

REST_TLS_CACERT_FILE

Certificate of the CA used to sign the REST TLS certificate

 

Mandatory: Yes

Suggested Value: /redtail/tomcat/conf/cacert

REST_TLS_PROTOCOL

Supported TLS protocol

 

Mandatory: Yes

Suggested Value: TLSv1.3

REST_TLS_KEY_PASSWORD

Password to key pair used for REST TLS communication

 

Mandatory: Yes

Suggested Value: <password>

REST_TLS_CIPHERS

Supported Cipher suites

 

Mandatory: Yes

Suggested Value: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256

QUERYNODE_TLS_CACERT_FILE

Query node CA certificate. Required for TLS communication with the Query node

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

HAWKCONSOLE_TLS_CACERT_FILE

The hawkconsolenode CA certificate. Required for TLS communication with Hawk RedTail Console

 

Mandatory: Yes

Suggested Value: /redtail/conf/certs/cacert

GRAFANA_TLS_CACERT_FILE

Grafana CA certificate. Required for TLS communication with Grafana.

 

Mandatory: No

Suggested Value: /redtail/conf/certs/cacert

TLS_CLIENT_KEY_FILE

Path for webapp client key. Required for mutual authentication with any other component/client. For example, if Grafana is configured with a reverse proxy using TLS via mutual authentication.

 

Mandatory: No

Suggested Value: /redtail/conf/certs/webapp-client-key

TLS_CLIENT_CERT_FILE

Path of Webapp client certificate

 

Mandatory: No

Suggested Value: /redtail/conf/certs/webapp-client-certificate

TLS_CLIENT_KEY_PASSWORD

Password to webapp client key

 

Mandatory: No

Suggested Value: <password>

TLS_SKIP_CERTIFICATE_VERIFICATION

Specifies whether the webapp must skip certificate verification while communicating with other TIBCO OI Hawk RedTail nodes

 

Mandatory: Yes

Suggested Value: false

TLS_SKIP_HOSTNAME_VERIFICATION

Specifies whether the Webapp must skip host name verification while communicating with other TIBCO OI Hawk RedTail nodes

 

Mandatory: Yes

Suggested Value: true
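
Several variables on this page switch off parts of TLS peer validation (TLS_SKIP_CERTIFICATE_VERIFICATION, TLS_SKIP_HOSTNAME_VERIFICATION, the datasource_tls_skip_* pair, LDAP_DISABLE_HOSTNAME_VERIFICATION, email_smtp_tls_trust) or leave a channel unencrypted (grpc_enable_tls and similar flags), and some suggested values are sample passwords. The script below is an added example, not TIBCO code: it reads a compose-style YAML fragment and reports such settings per service. The sample fragment, the rule set and the severity labels are assumptions made for illustration; the variable names and values are taken from this page.

```python
import re

# Constructed sample: a compose-style fragment using values this page suggests.
SAMPLE = """\
services:
  hawkconsolenode:
    environment:
      TLS_SKIP_CERTIFICATE_VERIFICATION: "false"
      TLS_SKIP_HOSTNAME_VERIFICATION: "true"
      datasource_password: mypassword
      datasource_tls_skip_hostname_verification: "true"
      grpc_enable_tls: "false"
      LDAP_DISABLE_HOSTNAME_VERIFICATION: "true"
  hkce_agent:
    environment:
      - grpc_session=hawkconsolenode:9697
      - grpc_enable_tls=false
      - email_smtp_tls_trust=*
  querynode:
    environment:
      - datasource_tls_skip_certificate_verification=true
      - TLS_SKIP_HOSTNAME_VERIFICATION=false
"""

# Matches both "KEY: value" (mapping form) and "- KEY=value" (list form).
ENTRY = re.compile(r"^-?\s*([A-Za-z_][\w.]*)\s*[:=]\s*(.*)$")


def parse_compose_env(text):
    """Return {service: {variable: value}} from a compose-style fragment.

    Minimal indentation-based reader (standard library only); it handles the
    two environment layouts shown in SAMPLE, not arbitrary YAML.
    """
    result, top, service, env_indent = {}, None, None, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # left the environment block
        if env_indent is not None:
            m = ENTRY.match(stripped)
            if m:
                result[service][m.group(1)] = m.group(2).strip().strip("\"'")
            continue
        if indent == 0:
            top, service = stripped.rstrip(":"), None
        elif top == "services" and indent == 2 and stripped.endswith(":"):
            service = stripped[:-1]
            result[service] = {}
        elif stripped == "environment:" and service is not None:
            env_indent = indent
    return result


def _is(*expected):
    """Predicate: value (case-insensitive) is one of the expected strings."""
    return lambda value: value.lower() in expected


# (name pattern, weak-value predicate, severity label, reason).
# Severity labels are this example's own ranking, not a vendor rating.
RULES = [
    (r"(.*_)?tls_skip_certificate_verification", _is("true"), "high",
     "peer certificate is not validated, so the peer is unauthenticated"),
    (r"(.*_)?tls_skip_hostname_verification|ldap_disable_hostname_verification",
     _is("true"), "medium",
     "any certificate from a trusted CA is accepted for any host"),
    (r"email_smtp_tls_trust", _is("*"), "high",
     "all SMTP hosts are trusted without certificate validation"),
    (r"(ami_)?grpc_enable_tls|ldap_ssl_enabled|prometheus_server_tls_enabled"
     r"|hawkconsole_tls_enabled|email_smtp_tls_required", _is("false"), "medium",
     "TLS is disabled for this channel"),
    (r"gf_database_ssl_mode", _is("disable", "require"), "medium",
     "certificate chain and hostname are not verified in this mode"),
    (r".*password", _is("mypassword", "<password>"), "high",
     "sample or placeholder password from the documentation is still set"),
]


def audit(text):
    """Return a list of (service, variable, value, severity, reason)."""
    findings = []
    for service, env in parse_compose_env(text).items():
        for name, value in env.items():
            for pattern, is_weak, severity, reason in RULES:
                if re.fullmatch(pattern, name, re.IGNORECASE) and is_weak(value):
                    findings.append((service, name, value, severity, reason))
    return findings


if __name__ == "__main__":
    for service, name, value, severity, reason in audit(SAMPLE):
        print(f"[{severity}] {service}: {name}={value} ({reason})")
```

Settings that are flagged because a deployment relies on an internal CA or on container host names that do not match certificate subjects are better resolved by issuing certificates with matching subject alternative names than by keeping the skip flags enabled.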