Policy Manager advanced configuration settings

F-Secure Policy Manager supports some advanced configuration using Java system properties. This article describes how you can specify the Java system properties for Windows and Linux environments.
On Windows
The Java system properties for Policy Manager Server (PMS) can be specified via the Windows registry:
- Run Regedit as administrator.
- Create the following string registry key:
HKEY_LOCAL_MACHINE\SOFTWARE(Wow6432Node)\Data Fellows\F-Secure\Management Server 5\additional_java_args
- Specify the Java system properties in the following format:
-DpropertyName=value
If you want to specify multiple properties, use a space as the delimiter. Property names and values are case-sensitive. An example:
-Dh2ConsoleEnabled=true -DforbidDownloadingPublicKey=true
- Restart the PMS to make the new configuration settings take effect.
On Linux
The above works for Linux as well. However, instead of the registry, use the /etc/opt/f-secure/fspms/fspms.conf configuration file:
- Create a new line with the parameter additional_java_args.
- Specify the Java system properties with the value in quotes in the following format:
-DpropertyName=value
If you want to specify multiple properties, use a space as the delimiter. Property names and values are case-sensitive. An example:
additional_java_args="-Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100"
- Restart the PMS to make the new configuration settings take effect.
The list of Policy Manager supported configuration settings
Note: We advise that the additional_java_args parameters are used with care, as some of these may cause database/registry corruption if implemented incorrectly. If this happens, F-Secure would not be obligated to provide technical support. Remember to take backups before any modifications.
Note: All settings need the -D prefix in front of the property name, apart from -Xmx.
- Property name: activeDirectoryRulesExecutionRate
- Description: Execution rate of Active Directory rules (ms). To be used for test purposes only, in case you need to specify values of less than a minute.
- Property name: adminModuleListeningInterface
- Description: The IP address of the network interface where the admin module is bound.
- Default value: 0.0.0.0 (all interfaces) if not restricted to the localhost, 127.0.0.1 if restricted.
- Property name: allowUnsignedWithRiwsAndMibs
- Description: Allows the import of unsigned packages that contain RIW or MIB files.
- Default value: false
Note: This feature is for testing purposes only and should never be used in production.
- Property name: backupPath
- Description: The path to the directory in which database backups are stored.
- Default value: <F-Secure installation folder>/Management Server 5/data/backup
- Property name: compressRequestLogs
- Description: Defines whether request log compression is turned on. By default this is false because in some environments compression corrupts log files.
- Default value: false
- Property name: enableVistaInteroperability
- Description: Enables/disables TLS settings required for interoperability with Windows Vista clients.
- Default value: true
In PM 12.20 - 12.40, enables/disables CBC_SHA cipher suites used by Windows Vista (see httpsCipherSuites).
In PM 13.00 and higher, also enables/disables TLSv1, TLSv1.1 (see httpsProtocols).
- Property name: forbidDownloadingPublicKey
- Description: To hide the 'Download public key' link from the server and the host welcome pages, set this property to 'true'.
- Default value: false
- Property name: fsdiagReportsCleanUpDelay
- Description: The period of time to check for FSDiag cleanup in milliseconds.
- Default value: 86400000
- Property name: fspms.maintenance.skip.backup
- Description: Whether the backup step is skipped when doing database maintenance.
- Default value: false
- Property name: fspmsStdOutputLogFiles
- Description: The number of fspms-stderrout.log file backups; that is, fspms-stderrout.log.1, fspms-stderrout.log.2 and so on.
- Default value: 5
- Property name: fspmsStdOutputLogFileSize
- Description: The size of fspms-stderrout.log in kilobytes.
- Default value: 4096
- Property name: guts2ServerUrl
- Description: Allows you to specify an alternative GUTS2 server. Use this with caution as clients will continue using the default value for the internet fallback. If you specify upstream PM/PMP in this property, you have to specify it as http://<PM or PMP address>/guts2. More details are in the Admin Guide.
- Default value: http://guts2.sp.f-secure.com
- Property name: h2ConsoleEnabled
- Description: To enable the H2 Database Console, set this property to 'true'.
- Default value: false
- Property name: hostModuleListeningInterface
- Description: The IP address of the network interface where the host module is bound.
- Default value: 0.0.0.0 (all interfaces)
- Property name: httpsCipherSuites
- Description: A comma-separated list of TLS cipher suites to use.
- Default value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
plus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA if Vista interoperability is on (the default, see enableVistaInteroperability)
- Property name: httpsExcludedCipherSuites
- Description: A comma-separated list of TLS cipher suites to exclude.
- Default value: <empty>
- Property name: httpsExcludedProtocols
- Description: A comma-separated list of TLS protocols to use.
- Default value: <empty>
TLSv1, TLSv1.1 and TLSv1.2 are enabled by default (see httpsProtocols).
- Property name: httpsProtocols
- Description: A comma-separated list of TLS protocols to use.
- Default value: TLSv1.2
plus TLSv1,TLSv1.1 if Vista interoperability is on (for the default, see enableVistaInteroperability)
- Property name: keepGuts2UpdatesCount
- Description: A count of GUTS2 update versions stored in the local filesystem.
- Default value: 10
- Property name: maxFsdiagReportAge
- Description: How long an FSDiag should live on the server (in milliseconds).
- Default value: 2592000000
- Property name: maxOperationAge
- Description: The time period an ms operation is stored in the database (30 days by default).
- Default value: 2592000000
- Property name: maxUploadedDiagnosticsReportSize
- Description: The maximum size of an FSDiag package that can be uploaded to the server remotely. 104857600 bytes (100MB) by default.
- Default value: 104857600
- Property name: maxUploadedPackageSize
- Description: The maximum size of a package (for example, a scanning report or status) that clients can upload to a server. 1048576 bytes (1MB) by default.
- Default value: 1048576
- Property name: odbcConnectorEnabled
- Description: One of the ODBC connector properties for direct access to the H2 database. This enables/disables access to the Policy Manager Server database via ODBC.
- Default value: false
- Property name: odbcConnector.pgAllowOthers
- Description: One of the ODBC connector properties for direct access to the H2 database. When enabled, this allows remote clients to access the database. When disabled, only the clients residing on the same computer have access.
- Default value: false
- Property name: odbcConnector.pgPort
- Description: One of the ODBC connector properties for direct access to the H2 database. This specifies the port number to connect to.
- Default value: 5435
- Property name: operationCleanUpDelay
- Description: Time period in ms for checking whether old operations exist (every 24 hours by default).
- Default value: 86400000
- Property name: phantomJsReportGenTimeout
- Description: Maximum time in seconds for generating PDF reports in Web Reporting.
- Default value: 60
- Property name: printTlsSettings
- Description: The server prints session cache parameters, supported and enabled protocols and cipher suites to the startup log.
- Default value: false
- Property name: refreshNotificationEventsDelay
- Description: To disable auto-refresh feature, set this property to 'false'.
- Default value: 60000
- Property name: refreshNotificationEventsEnabled
- Description: To disable auto-refresh feature, set this property to 'false'.
- Default value: true
- Property name: reverseProxy
- Description: In the default 'forward' mode, Policy Manager Proxy downloads GUTS2 and SWUP updates and databases from the Internet. When switched to 'reverse' mode, this traffic goes to the master PMS instance.
- Default value: false
- Property name: scheduledTasksCheckPeriod
- Description: Interval between scheduled tasks execution attempts in minutes. For PM 12.00 the option only affects scheduled backup.
- Default value: 30
- Property name: secureDataPath
- Description: Path to the encrypted file that stores various credentials entered by Policy Manager administrators; for example, mail server, Active Directory.
- Default value: <F-Secure installation folder>/Management Server 5/data/sdata
- Property name: suDbUpdatePeriod
- Description: Time period in minutes that defines how frequently the PMS downloads software updates from Shavlik.
- Default value: 30
- Property name: swup.cache.ttl.downloadEntries
- Description: Time To Live interval (ms) for downloaded Software Updater updates. 15 days by default.
- Default value: 1296000000
- Property name: swup.cache.ttl.failedToDownloadEntries
- Description: Time To Live interval (ms) for updates that failed to download. 1 hour by default.
- Default value: 3600000
- Property name: updatePollingInterval
- Description: Interval in minutes to poll GUTS2 server for new update versions.
- Default value: 10
- Property name: webReportingListeningInterface
- Description: IP address of the network interface where web reporting module is bound.
- Default value: 0.0.0.0 (all interfaces)
- Property name: -Xmx
- Description: Note: No -D prefix is needed. Maximum Java heap size. By default Java ergonomics is used - 1/4 of physical memory up to 1 GB (for PM 12.30 and older) or up to 32 GB (for PM 12.40+). If ergonomics logic is not suitable and/or more memory is needed, this option can be specified:
  - -Xmx1200M - maximum for PM 12.30 and older
  - -Xmx2048M - 2G heap for PM 12.40+
- Default value: 1/4 of physical memory, for example:
  - 256M for 1G of RAM
  - 512M for 2G of RAM
  - 1024M for 4G of RAM
  - 2048M for 8G of RAM
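
The following is an added example, not F-Secure code: a small Python audit that reads the additional_java_args line in the fspms.conf format described above and lists the properties worth reviewing before a server goes into production. The choice of which properties to flag is an assumption made here, based on the descriptions in the list (test-only import, H2 console, ODBC database access, legacy TLS for Windows Vista clients); the function names and the sample configuration lines are constructed for illustration.

```python
# Added example: audits additional_java_args against the property list above.
RISKY_WHEN_TRUE = {
    "allowUnsignedWithRiwsAndMibs": "unsigned RIW/MIB package import, testing only",
    "h2ConsoleEnabled": "H2 Database Console is enabled",
    "odbcConnectorEnabled": "ODBC access to the server database is enabled",
    "odbcConnector.pgAllowOthers": "remote clients can reach the database over ODBC",
}
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
LEGACY_TLS_REASON = "legacy TLS settings for Windows Vista clients"

def parse_java_args(conf_text):
    """Return {property: value} from the additional_java_args line of fspms.conf."""
    props = {}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() != "additional_java_args":
            continue  # any other line
        # The value is quoted; properties are space-delimited and case-sensitive.
        for arg in value.strip().strip("\"'").split():
            if arg.startswith("-D") and "=" in arg:  # -Xmx carries no -D prefix
                name, _, val = arg[2:].partition("=")
                props[name] = val
    return props

def audit(props):
    """Return a sorted list of property names that deserve review."""
    flagged = {n for n in RISKY_WHEN_TRUE if props.get(n) == "true"}
    # Vista interoperability defaults to true when the property is absent.
    if props.get("enableVistaInteroperability", "true") == "true":
        flagged.add("enableVistaInteroperability")
    # An explicit protocol list that still names TLSv1 or TLSv1.1.
    protocols = {p.strip() for p in props.get("httpsProtocols", "").split(",")}
    if protocols & LEGACY_PROTOCOLS:
        flagged.add("httpsProtocols")
    return sorted(flagged)

# Constructed sample inputs (not taken from a real server).
WEAK_CONF = 'additional_java_args="-Dh2ConsoleEnabled=true -DodbcConnector.pgAllowOthers=true -Xmx2048M"\n'
HARDENED_CONF = 'additional_java_args="-DenableVistaInteroperability=false -DhttpsProtocols=TLSv1.2"\n'

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for name in audit(parse_java_args(conf)):
            print(f"{label}: review {name} ({RISKY_WHEN_TRUE.get(name, LEGACY_TLS_REASON)})")
```

Setting printTlsSettings to true and checking the startup log shows which protocols and cipher suites the server actually enabled, which is the authoritative check after changing the TLS properties.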