Versions Compared

Old Version 8

changes.mady.by.user Thomas Swindells

Saved on

compared with

New Version Current

changes.mady.by.user Chris Welford

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Table of Contents
minLevel1
maxLevel6
include
outlinefalse
indent
stylenone
excludeTable of Contents
typelist
class
printabletrue

Configuration

...

Files

Excerpt
nameConfigurationFiles

Configuration options can be specified in a number of different ways. These take precedence in the following order:

  1. Java System properties – set using the -D propertyName=value on the java command line / tomcat launch configuration

  2. webapps/<phixflow>/WEB-INF/classes/local.properties – optional java properties file

  3. webapps/<phixflow>/WEB-INF/classes/phixflow.properties – optional java properties file

  4. Environment variables – using the environment form of the property name as described below

  5. webapps/<phixflow>/WEB-INF/classes/context/server.properties – this contains the default values and should not be modified.

Keystore Files

Optionally, secrets such as database passwords can be kept encrypted in external secret files. Refer to Configure a Keystore and Aliases for instructions on how to configure this before proceeding with the installation.

Environment form of property names

As operating systems have stricter rules around valid characters in environment variable names, and prefer them to be in upper case, when using environment variables the property name should be converted as follows:

  • Replace dots (.) with underscores (_).

  • Remove any dashes (-).

  • Convert to uppercase.

For instance “db.url” would be looked up as “DB_URL” when resolved from environment variables.

Guidelines and advice for configuration

  • The context/server.properties file should never be changed. This is replaced on upgrade.

  • For a multi instance environment (e.g. DEV, QA and Prod) it is recommended that a common phixflow.properties file is used on all the instances, containing configuration settings that are identical on all environments. The local.properties file is then used for local overrides such as database url and passwords.

  • For single instance environments it is recommended to follow the same structure as with multi instance environments, but alternatively just one of either the phixflow.properties or local.properties files can be used to have all the configuration in a single file.

  • Only properties that have differing values from the default settings in the server.properties should be configured. This makes it easier to review and manage the configuration and ensures that fixes and improvements to the default settings will be applied automatically.

  • In docker environments it may be beneficial to use environment variables rather than settings in the local.properties file. Theis allows the same container image to be started as multiple instances with different configurations.

Configuration Properties

Note

Java properties files use the \ as an escape character. When configuring paths on Windows either use forward slashes (e.g. c:/apps/phixflow) or double up the backslashes (e.g. c:\\apps\\phixflow).

Other properties can be referenced within a property value using the syntax ${property}

Initial password of the default administrator user created during installation. If no value is configured a password is autogenerated and written to the security.log file.
It is strongly recommended this is changed immediately after installation. ${install.data.base}/export

In other words

  • a setting in phixflow.properties takes precedence over a setting for that same property in server.properties

  • a setting in local.properties takes precedence over a setting for that same property in either or both server.properties or phixflow.properties

Keystore Files

Optionally, secrets, such as database passwords, can be kept encrypted in external secret files. Refer to Configure a Keystore and Aliases for instructions on how to configure this before proceeding with the installation.

Environment Form of Property Names

As operating systems have stricter rules around valid characters in environment variable names, and prefer them to be in upper case, when using environment variables the property name should be converted as follows:

  • Replace dots (.) with underscores (_)

  • Remove any dashes (-)

  • Convert to uppercase

For example, “db.url” would be looked up as “DB_URL” when resolved from environment variables.

Guidelines and Advice for Configuration

  • The context/server.properties file should never be changed. This is replaced on upgrade.

  • For a multi-instance environment (e.g. DEV, QA and Prod) it is recommended that a common phixflow.properties file is used on all instances, containing configuration settings that are identical on all environments. The local.properties file is then used for local overrides, such as database url and passwords.

  • For single instance environments it is recommended that you use only the local.properties file.

  • Only properties that have differing values from the default settings in the server.properties should be configured. This makes it easier to review and manage the configuration and ensures that fixes and improvements to the default settings will be applied automatically.

  • In docker environments it may be beneficial to use environment variables rather than settings in the local.properties file. This allows the same container image to be started as multiple instances with different configurations.

Excerpt
nameInstallTimeProperties

Installation Specific Properties

These properties are required for installation to succeed and are populated in the database. After installation is complete the values are not used any further.

Property

Requires Configuration

Default Value

Explanation

install.customer_name

Always

<none>

The customer name as provided with your licence 

install.licence_key

Always

<none>

Licence key as provided with your licence.

install.user.password

Often

<autogenerated>

install.user.username

Often

admin

Username of the default administrator user created during installation.

install.user.email

Often

<none>

Email address of the default administrator user created during installation. Can be updated after install in the User Details screen.

install.user.firstname

Often

admin

First name of the default administrator user created during installation. Can be updated after install in the User Details screen.

install.user.lastname

Often

admin

Last name of the default administrator user created during installation. Can be updated after install in the User Details screen.

install.data.base

Often

${install.application_loc}/data

Base location for the default data directory paths. This will commonly be configured to be “/opt/phixflow/data”

install.data.temp

Occasionally

${install.data.base}/temp

Populates an initial value in the System Configuration Temporary File Location

install.data.upload

Occasionally

${install.data.base}/upload

Populates an initial value in the System Configuration File Upload Directory

install.data.import

Occasionally

${install.data.base}/import

Populates an initial value in the System Configuration Import File Location

install.data.export

Occasionally

Configuration Properties

Note

Java properties files use the backslash \ as an escape character. When configuring paths on Windows either use forward slashes (e.g. c:/apps/phixflow) or double backslashes (e.g. c:\\apps\\phixflow).

Other properties can be referenced within a property value using the syntax ${property}

Excerpt
nameInstallTimeProperties

Installation Specific Properties

These properties are required for installation to succeed and are populated in the database. After installation is complete the values are not used any further.

Property

Requires Configuration

Default Value

Explanation

install.customer_name

Always

<none>

The customer name as provided with your licence.

install.licence_key

Always

<none>

Licence key as provided with your licence.

install.user.password

Often

<autogenerated>

Initial password of the default administrator user created during installation. If no value is configured a password is autogenerated and written to the security.log file.

It is strongly recommended this is changed immediately after installation.

install.user.username

Often

admin

Username of the default administrator user created during installation.

install.user.email

Often

<none>

Email address of the default administrator user created during installation. Can be updated after installation in the User Details screen.

install.user.firstname

Often

admin

First name of the default administrator user created during installation. Can be updated after installation in the User Details screen.

install.user.lastname

Often

admin

Last name of the default administrator user created during installation. Can be updated after installation in the User Details screen.

install.data.base

Often

${install.application_loc}/data

Base location for the default data directory paths. This will commonly be configured to be “/opt/phixflow/data”

install.data.temp

Occasionally

${install.data.base}/temp

Populates an initial value in the System Configuration Export Temporary File Location

install.data.templateupload

Occasionally

${install.data.base}/templateupload

Populates an initial value in the System Configuration Template LocationFile Upload Directory

install.data.archiveimport

Occasionally

${install.data.base}/archiveimport

Populates an initial value in the System Configuration Archive DirectoryImport File Location

install.data.restoreexport

Occasionally

${install.data.base}/restoreexport

Populates an initial value in the System Configuration Restore DirectoryExport File Location

install.data.drivertemplate

Occasionally

${install.data.base}/drivertemplate

Populates an initial value in the System Configuration Data Driver DirectoryTemplate Location

install.data.downloadarchive

Occasionally

${install.data.base}/downloadarchive

Populates an initial value in the System Configuration Download LocationArchive Directory

install.data.pluginrestore

Occasionally

${install.data.base}/pluginrestore

Populates an initial value in the System Configuration Plugin LocationRestore Directory

install.data.filedriver

Occasionally

${install.data.base}/filedriver

Populates an initial value in the System Configuration File Table Upload LocationData Driver Directory

install.data.application_locdownload

Rarely

<autodetected>

Base application install location, e.g.

install.pepperKey

Rarely

<none>

Externally defined value for the pepperKey. If not specified and a pepper key isn’t configured in the keystore then a value is autogenerated.

install.phixflow_api_keyOccasionally

${install.data.base}/download

Populates an initial value in the System Configuration Download Location

install.data.plugin

Occasionally

${install.data.base}/plugin

Populates an initial value in the System Configuration Plugin Location

install.data.file

Occasionally

${install.data.base}/file

Populates an initial value in the System Configuration File Table Upload Location

install.application_loc

Rarely

<autodetected>

Base application install location

install.pepperKey

Rarely

<none>

Externally defined value for the Phixflow API credential signing keypepperKey. If not specified and the api key a pepper key isn’t configured in the keystore then a value is autogenerated.

install.phixflow_api_key

Rarely

<none>

Externally defined value for the PhixFlow API credential signing key. If not specified and the API key isn’t configured in the keystore then a value is autogenerated.

Excerpt
nameBasicDatabase

Database Connection Configuration

These are the basic settings to enable connection to the Phixflow database.

Keystore Configuration

Property

Requires Configuration

Default Value

Explanation

db.url

Always

<none>

phixflow-database-password

Often

<none>

The jdbc url of the database including any required parameters.
E.g.
For more information on defining the database URL consult your Database Administrator.
Example URLs

MySQL

jdbc:mysql://localhost/phixflow?defaultFetchSize=2000&?allowPublicKeyRetrieval=true
Note the allowPublicKeyRetrieval parameter may be required depending on your setup

Oracle

jdbc:oracle:thin:@//localhost:1521/pdb.local

SQL Server

jdbc:sqlserver://;database=webtrunk;sendStringParametersAsUnicode=false

phixflow-database-user

Often

<none>

Default key name containing the database username. May also be stored in the keystore.

;encrypt=false

MS SQL Server JDBC driver version 12.6.1 onwards, defaults to using an encrypted connection which may require additional parameters to be added to the URL. If encryption is not required, add 'encrypt=false' to the URL.

See https://learn.microsoft.com/en-us/sql/connect/jdbc/microsoft-jdbc-driver-for-sql-server?view=sql-server-ver16

phixflow-database-user

Often

<none>

Default key name containing the database passwordusername. May This can also be stored in the keystore.

Excerpt
nameKeystore

phixflow-database-password

Often

<none>

Default key name containing the database password. This can also be stored in the keystore.

Excerpt
nameKeystore

Keystore Configuration

The keystore must be configured and populated during installation before Phixflow PhixFlow is first started. Using a keystore is optional.

Property

Requires Configuration

Default Value

Explanation

keystore.file

Optional

/opt/secure/keystore.jks

Location of the keystore file. Only used if the keystore password is provided, otherwise use of the keystore is disabled.

phixflow-keystore-password

Optional

<none>

Default key name containing the keystore password

keystore.passwordKey

Rarely

phixflow-keystore-password

Name of the key containing the keystore password.

pepper.key.name

Rarely

pepperKey

Name of the key containing the pepper key which is used for encrypting passwords.

api.key.name

Rarely

phixflow-api-key

Name of the key containing the api API key which is used for signing api API credentials.

Excerpt
nameLoginLoginBasic

Login - Basic Configuration

Phixflow PhixFlow supports multiple modes of supporting authentication users. Users can be authenticated either with local credentials, native active directory based credentials, or using SAML to authenticate with active directory or other services, such as Okta.

Property

Requires Configuration

Default Value

Explanation

login.defaultForm

=

Often

local

Often

Selects the form displayed when a user connects.

#local

local - only allows local authentication

,

.

full - allows selecting any of the enabled authentication methods

,

.

auto - if SAML SSO is enabled allows logging in without displaying the login form if the user is already authenticated

,

.

activedirectory - supports active directory login only.

login.default=local

Often

local

The default domain for login.

login.local.enabled=true

rarely

Rarely

true

Allows disabling support of local login. This will prevent any local administrator accounts from being used.

login.saml.enabled=false Often Configures whether SAML login is enabled

login.saml.key= <none> Often Configures the identity provider's entity id .

login.saml.attribute.domain= <none> Often configures the domain

Excerpt
nameLoginSaml

Login - Saml Configuration

PhixFlow supports multiple modes of supporting authentication users. Users can be authenticated either with local credentials, native active directory based credentials, or using SAML to authenticate with active directory or other services, such as Okta.

Property

Requires Configuration

Default Value

Explanation

login.saml.enabled=false

Often

false

Configures whether SAML login is enabled

login.saml.key= <none>

Often

<none>

Configures the identity provider's entity id .

login.saml.attribute.domain= <none>

Often

<none>

Configures the domain of the saml users.

login.saml.label=Single Sign In

Rarely

Single Sign In

The label to display

login.saml.attributeMap=authenticationOnly

Often

authenticationOnly

Configures the integration method

,

.

authenticationOnly - SAML used for authentication but

Phixflow

PhixFlow manages user details and permissions.

okta - configured to support Okta based authentication and details.

userDetails - allows configuration of authentication and user details to be provided by saml.

login.saml.keystore.file

=

Often

classpath:keystore/samlKeystore.jks

Often

Configures the location of the saml keystore

login.saml.keystore.password

=

Often

<none>

Often

Configures the password to the saml keystore.

login.saml.keystore.key.password

=

Often

<none>

Often

Configures the password to the secret in the saml keystore

login.saml.keystore.key.alias

=

Rarely

samlKey

Rarely

Configures the alias of the secret stored in the saml keystore

login.saml.url.host

=

Often

localhost

Often

Configures the externally resolvable hostname of the

Phixflow

PhixFlow server. If behind a reverse proxy this will be the

proxies

proxy’s hostname.

login.saml.url.port

=

Occasionally

443

Occasionally

Configures the port of the

Phixflow

PhixFlow server, or that of the reverse proxy if it is being used.

login.saml.url.includePort

=

Rarely

false

Rarely

Whether the port should be included in the generated url.

login.saml.url.path

=/phixflow Occasionally

Occasionally

phixflow

Path that the webapp is installed under. If behind a reverse proxy this should be the path that the proxy forwards.

Make sure that you do not precede the path with a /, i.e. it should be the name of the webapp only, as in the example.

login.saml.metadata.entityId

=

Rarely

https://${login.saml.url.host}/${login.saml.url.path}

Rarely

The value that globally identifies the

Phixflow

PhixFlow instance.

login.saml.metadata.entityBaseUrl

=

Rarely

https://${login.saml.url.host}/${login.saml.url.path}

Rarely

The public facing URL of the

Phixflow

PhixFlow instance.

login.saml.metadata.file

=

Often

file:/opt/phixflow/data/saml-metadata/idp-metadata.xml

Often

Path to the Identity Provider Metadata file.

login.saml.metadata.trustCheck

=

Rarely

true

Rarely

Whether to validate incoming

siguatures

signatures.

login.saml.attribute.username

=

Occasionally

nameid

Occasionally

Used with the authenticationOnly and userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.fullname

=

Occasionally

displayname

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.firstname

=

Occasionally

givenname

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.lastname

=

Occasionally

surname

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.phonenumber

=

Occasionally

phonenumber

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.company

=

Occasionally

company

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.department

=

Occasionally

department

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.email

=

Occasionally

email

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.groups

=

Occasionally

group

Occasionally

Used with the userDetails attribute map to define the appropriate mapping from the incoming metadata.

login.saml.attribute.globalLogout

=

Occasionally

false

Occasionally

Used with the authenticationOnly and userDetails attribute map to determine whether logging out of

Phixflow

PhixFlow should also trigger a logout of the identity provider.

login.activeDirectory.enabled=false Often Whether Active Directory integration is enabled

login.activeDirectory.domain=example.com Often The domain being logged into

login.activeDirectory.url=ldaps://ldap.example.com Often Space seperated list of domain LDAP servers.

login.activeDirectory.dn=ou=user accounts,dc=example,dc=com Often The root distinguished name to search under

login.activeDirectory.timeout=5000 Rarely Timeout for attempt to authenticate against each server
Excerpt
nameLoginActiveDirectory

Login - Active Directory Configuration

PhixFlow supports multiple modes of supporting authentication users. Users can be authenticated either with local credentials, native active directory based credentials, or using SAML to authenticate with active directory or other services, such as Okta.

Property

Requires Configuration

Default Value

Explanation

login.activeDirectory.enabled

Often

false

Whether Active Directory integration is enabled.

login.activeDirectory.domain

Often

http://example.com

The domain being logged into

login.activeDirectory.alternativeDomain

Rarely

http://example2.com

If a user is not found in Active Directory with the primary domain (login.activeDirectory.domain) then the alternative domain will be tried.

login.activeDirectory.url

Often

ldaps://ldap.example.com

Space separated list of domain LDAP servers.

login.activeDirectory.dn

Often

ou=user accounts,dc=example,dc=com

If you have a large AD tree, searches may take some time, and this could lead to slow authentication for users. Therefore it is possible to specify a root DN (Distinguished name) at which PhixFlow will begin searching for the user. The Distinguished Name format is standard and further details can be found on the web.

login.activeDirectory.timeout

Rarely

5000

You can specify a timeout. For each server specified, if the server does not respond within the limit specified by the timeout, it will try the next server. If the last server in the list times out, then the authentication will fail.

The timeout is specified in milliseconds.

login.activeDirectory.authenticationOnly

=false Occasionally Whether only authentication is used from active directory, with user permissions and details being stored in Phixflow

Occasionally

false

If this is true Active Directory is used for authentication when logging in, but not authorisation. This is a mixed user.

The user must be configured in PhixFlow before logging in and user groups must be configured for the user. External groups will not be used to determine access rights.

Excerpt
nameLogging

Logging Configuration

valid Where a level is required this can be one of level values: OFF, ERROR, WARN, INFO, DEBUG, TRACE, ALL

Property

Requires Configuration

Default Value

Explanation

logging.file.directory

=

Occasionally

logs

Occasionally

The directory logs are written into, relative to the Tomcat root directory.

logging.file.phixflow.base

=

Occasionally

phixflow

Occasionally

Base name of the standard

phixflow

PhixFlow log file.

logging.file.security.base

=

Occasionally

security

Occasionally

Base name of the security log file.

logging.stdout.level

=

Occasionally

OFF

Occasionally

Used to control the minimum log message level permitted to be output to

stdout

standard output.

logging.root.level

=INFO Rarely configures

Rarely

INFO

Configures the default minimum log level that can be generated.

logging.file.phixflow.main

=

Rarely

${logging.file.directory}/${logging.file.phixflow.base}.log

Rarely

Defines the path and name of the standard

phixflow

PhixFlow log file

.

logging.file.phixflow.archive

=

Rarely

${logging.file.directory}/${logging.file.phixflow.base}.%d{yyyy-MM-dd}.log

Rarely

Defines the path and name of archived standard

phixflow

PhixFlow log files.

logging.file.security.main

=

Rarely

${logging.file.directory}/${logging.file.security.base}.log

Rarely

Defines the path and name of the security log file.

logging.file.security.archive

=

Rarely

${logging.file.directory}/${logging.file.security.base}.%d{yyyy-MM-dd}.log

Rarely

Defines the path and name of archived security log files.

logging.file.phixflow.level

=

Rarely

ALL

Rarely

Used to control the minimum log message level permitted to be output to standard log file.

logging.file.security.level

=

Rarely

ALL

Rarely

Used to control the minimum log message level permitted to be output to security log file.