Policy Manager advanced configuration settings

This discussion has a more recent version.
JaliJali Posts: 1,777 F-Secure Employee
in Business Suite

F-Secure Policy Manager supports some advanced configuration using Java system properties. This article describes how you can specify the Java system properties for Windows and Linux environments.

On Windows

The Java system properties for Policy Manager Server (PMS) can be specified via the Windows registry:

  1. Run Regedit as administrator.
  2. Create the following string registry key: HKEY_LOCAL_MACHINE\SOFTWARE(Wow6432Node)\Data Fellows\F-Secure\Management Server 5\additional_java_args
  3. Specify the Java system properties in the following format: 
    -DpropertyName=value
    If you want to specify multiple properties, use space as the delimiter. Property names and values are case-sensitive. An example: 
    -Dh2ConsoleEnabled=true -DforbidDownloadingPublicKey=true
  4. Restart the PMS to make the new configuration settings take effect.

On Linux

The above works for Linux as well. However, instead of the registry, use the /etc/opt/f-secure/fspms/fspms.conf configuration file:

  1. Create a new line with the parameter additional_java_args.
  2. Specify the Java system properties with the value in quotes in the following format: 
    -DpropertyName=value

    If you want to specify multiple properties, use space as the delimiter. Property names and values are case-sensitive. An example: 

    additional_java_args="-Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100"
  3. Restart the PMS to make the new configuration settings take effect.

The list of Policy Manager supported configuration settings

Note: We advise that the additional_java_args parameters are used with care, as some of these may cause database/registry corruption if implemented incorrectly. In the event of this happening, F-Secure would not be obligated to provide technical support in these cases. Remember to take backups before any modifications.

Note: All settings need the -D prefix in front of the property name, apart from -Xmx.

Property name: activeDirectoryRulesExecutionRate
Description: Execution rate of Active Directory rules (ms). To be used for test purposes only in case there is a need to specify less than minute values.
Property name: adminModuleListeningInterface
Description: The IP address of the network interface where the admin module is bound.
Default value: 0.0.0.0 (all interfaces) if not restricted to the localhost, 127.0.0.1 if restricted.
Property name: allowUnsignedWithRiwsAndMibs
Description: To allow import of unsigned packages containing RIWs or MIBs files inside.
Default value: false

Note: This feature is for testing purposes only and should never be used in production.

Property name: backupPath
Description: The path to the directory in which database backups are stored.
Default value: <F-Secure installation folder>/Management Server 5/data/backup
Property name: compressRequestLogs
Description: Defines whether request logs compression is turned on. By default this is false because in some environments compression corrupts log files.
Default value: false
Property name: enableVistaInteroperability
Description: Enables/disables TLS settings required for interoperability with Windows Vista clients.
Default value: true

In PM 12.20 - 12.40, enables/disables CBC_SHA cipher suites used by Windows Vista (see httpsCipherSuites).

In PM 13.00 and higher, also enables/disables TLSv1, TLSv1.1 (see httpsProtocols).

Property name: forbidDownloadingPublicKey
Description: To hide the 'Download public key' link from the server and the host welcome pages, set this property to 'true'.
Default value: false
Property name: fsdiagReportsCleanUpDelay
Description: The period of time to check for FSDiag cleanup in milliseconds.
Default value: 86400000
Property name: fspms.maintenance.skip.backup
Description: If the backup step is skipped when doing database maintenance.
Default value: false
Property name: fspmsStdOutputLogFiles
Description: The number of fspms-stderrout.log file backups; that is, fspms-stderrout.log.1, fspms-stderrout.log.2 and so on.
Default value: 5
Property name: fspmsStdOutputLogFileSize
Description: The size of fspms-stderrout.log in kilobytes.
Default value: 4096
Property name: guts2ServerUrl
Description: Allows to specify an alternative GUTS2 server. Use this with caution as clients will continue using the default value for the internet fallback. If you specify upstream PM/PMP in this property, you have to specify it as http://<PM or PMP address>/guts2. More details are in the Admin Guide.
Default value: <A href="http://guts2.sp.f-secure.com" target="_blank" rel="noopener noreferrer">http://guts2.sp.f-secure.com</A>
Property name: h2ConsoleEnabled
Description: To enable the H2 Database Console, set this property to 'true'.
Default value: false
Property name: hostModuleListeningInterface
Description: The IP address of the network interface where the host module is bound.
Default value: 0.0.0.0 (all interfaces)
Property name: httpsCipherSuites
Description: A comma-separated list of TLS cipher suites to use.
Default value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
+
,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA if Vista interoperability is on (the default, see enableVistaInteroperability)
Property name: httpsExcludedCipherSuites
Description: A comma-separated list of TLS cipher suites to exclude.
Default value: &lt;empty&gt;
Property name: httpsExcludedProtocols
Description: A comma-separated list of TLS protocols to use.
Default value: &lt;empty&gt;

TLSv1, TLSv1.1 and TLSv1.2 are enabled by default (see httpsProtocols).

Property name: httpsProtocols
Description: A comma-separated list of TLS protocols to use.
Default value: TLSv1.2 + ,TLSv1,TLSv1.1 if Vista interoperability is on (for the default, see enableVistaInteroperability)
Property name: keepGuts2UpdatesCount
Description: A count of GUTS2 update versions stored in the local filesystem.
Default value: 10
Property name: maxFsdiagReportAge
Description: How long an FSDiag should live on the server (in milliseconds).
Default value: 2592000000
Property name: maxOperationAge
Description: The time period an ms operation is stored in the database (30 days by default).
Default value: 2592000000
Property name: maxUploadedDiagnosticsReportSize
Description: The maximum size of FSDiag package which can be uploaded to the server remotely. 104857600 bytes (100MB) by default.
Default value: 104857600
Property name: maxUploadedPackageSize
Description: The maximum size of package; for example, scanning report or status, which could be uploaded by clients to a server. 1048576 bytes (1MB) by default.
Default value: 1048576
Property name: odbcConnectorEnabled
Description: One of the ODBC connector properties for direct access to H2 database. This enables/disables access to the Policy Manager Server database via the ODBC.
Default value: false
Property name: odbcConnector.pgAllowOthers
Description: One of the ODBC connector properties for direct access to H2 database. When enabled, this allows for remote clients to access the database. When disabled, only the clients residing on the same computer have access.
Default value: false
Property name: odbcConnector.pgPort
Description: One of the ODBC connector properties for direct access to H2 database. This specifies the port number to connect to.
Default value: 5435
Property name: operationCleanUpDelay
Description: Time period in ms for checking if there are old operations exist (every 24 hours by default).
Default value: 86400000
Property name: phantomJsReportGenTimeout
Description: Maximum time in seconds for generating PDF reports in Web Reporting.
Default value: 60
Property name: printTlsSettings
Description: Server prints session cache parameters, supported and enabled protocols and cipher suites to the startup log.
Default value: false
Property name: refreshNotificationEventsDelay
Description: To disable auto-refresh feature, set this property to 'false'.
Default value: 60000
Property name: refreshNotificationEventsEnabled
Description: To disable auto-refresh feature, set this property to 'false'.
Default value: true
Property name: reverseProxy
Description: In default 'forward' mode, Policy Manager Proxy downloads GUTS2 and SWUP updates and databases from the Internet. When switched to 'reverse' mode this traffic goes to master PMS instance.
Default value: false
Property name: scheduledTasksCheckPeriod
Description: Interval between scheduled tasks execution attempts in minutes. For PM 12.00 the option only affects scheduled backup. Interval between scheduled tasks execution attempts in minutes.
Default value: 30
Property name: secureDataPath
Description: Path to encrypted file which stores various credentials entered by Policy Manager administrators; for example, mail server, Active Directory.
Default value: &lt;F-Secure installation folder&gt;/Management Server 5/data/sdata
Property name: suDbUpdatePeriod
Description: Time period in minutes how frequently the PMS downloads software updates from Shavlik.
Default value: 30
Property name: swup.cache.ttl.downloadEntries
Description: Time To Live interval (ms) for downloaded Software Updater updates. 15 days by default.
Default value: 1296000000
Property name: swup.cache.ttl.failedToDownloadEntries
Description: Time To Live interval (ms) for failed to download updates. 1 hour by default.
Default value: 3600000
Property name: updatePollingInterval
Description: Interval in minutes to poll GUTS2 server for new update versions.
Default value: 10
Property name: webReportingListeningInterface
Description: IP address of the network interface where web reporting module is bound.
Default value: 0.0.0.0 (all interfaces)
Property name: -Xmx
Description:

Note: No -D prefix is needed.

Maximum Java heap size. By default Java ergonomics is used - 1/4 of physical memory up to 1 GB (for PM 12.30 and older) or up to 32 GB (for PM 12.40+). If ergonomics logic is not suitable and/or more memory is needed, this option can be specified:
  • -Xmx1200M - maximum for PM 12.30 and older
  • -Xmx2048M - 2G heap for PM 12.40+
Default value: 1/4 of physical memory, for example:
  • 256M for 1G of RAM
  • 512M for 2G of RAM
  • 1024M for 4G of RAM
  • 2048M for 8G of RAM
Like
Sign In or Register to comment.