Policy Manager advanced configuration settings

Jali · May 2012

This article in other languages: Japanese.

F-Secure Policy Manager supports some advanced configuration using Java system properties. This article describes how you can specify the Java system properties for Windows and Linux environments.

On Windows

The Java system properties for Policy Manager Server (PMS) can be specified via the Windows registry:

Run Regedit as administrator.
Create the following string registry key: HKEY_LOCAL_MACHINE\SOFTWARE(Wow6432Node)\Data Fellows\F-Secure\Management Server 5\additional_java_args
Specify the Java system properties in the following format:
```
-DpropertyName=value
```
If you want to specify multiple properties, use space as the delimiter. Property names and values are case-sensitive. An example:
```
-Dh2ConsoleEnabled=true -DforbidDownloadingPublicKey=true
```
Restart the PMS to make the new configuration settings take effect.

On Linux

The above works for Linux as well. However, instead of the registry, use the /etc/opt/f-secure/fspms/fspms.conf configuration file:

Create a new line with the parameter additional_java_args.
Specify the Java system properties with the value in quotes in the following format:
```
-DpropertyName=value
```
If you want to specify multiple properties, use space as the delimiter. Property names and values are case-sensitive. An example:
```
additional_java_args="-Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100"
```
Restart the PMS to make the new configuration settings take effect.

The list of Policy Manager supported configuration settings

Note: We advise that the additional_java_args parameters are used with care, as some of these may cause database/registry corruption if implemented incorrectly. In the event of this happening, F-Secure would not be obligated to provide technical support in these cases. Remember to take backups before any modifications.

Note: All settings need the -D prefix in front of the property name, apart from -Xmx.

Property name: activeDirectoryRulesExecutionRate: Description: Execution rate of Active Directory rules (ms). To be used for test purposes only in case there is a need to specify less than minute values.

Property name: adminModuleListeningInterface: Description: The IP address of the network interface where the admin module is bound.; Default value: 0.0.0.0 (all interfaces) if not restricted to the localhost, 127.0.0.1 if restricted.

Property name: allowUnsignedWithRiwsAndMibs: Description: To allow import of unsigned packages containing RIWs or MIBs files inside.; Default value: false
Note: This feature is for testing purposes only and should never be used in production.

Property name: backupPath: Description: The path to the directory in which database backups are stored.; Default value: <F-Secure installation folder>/Management Server 5/data/backup

Property name: compressRequestLogs: Description: Defines whether request logs compression is turned on. By default this is false because in some environments compression corrupts log files.; Default value: false

Property name: enableVistaInteroperability

Description: Enables/disables TLS settings required for interoperability with Windows Vista clients.

Default value: true

In PM 12.20 - 12.40, enables/disables CBC_SHA cipher suites used by Windows Vista (see httpsCipherSuites).

In PM 13.00 and higher, also enables/disables TLSv1, TLSv1.1 (see httpsProtocols).

Property name: forbidDownloadingPublicKey: Description: To hide the 'Download public key' link from the server and the host welcome pages, set this property to 'true'.; Default value: false

Property name: fsdiagReportsCleanUpDelay: Description: The period of time to check for FSDiag cleanup in milliseconds.; Default value: 86400000

Property name: fspms.maintenance.skip.backup: Description: If the backup step is skipped when doing database maintenance.; Default value: false

Property name: fspmsStdOutputLogFiles: Description: The number of fspms-stderrout.log file backups; that is, fspms-stderrout.log.1, fspms-stderrout.log.2 and so on.; Default value: 5

Property name: fspmsStdOutputLogFileSize: Description: The size of fspms-stderrout.log in kilobytes.; Default value: 4096

Property name: guts2ServerUrl: Description: Allows to specify an alternative GUTS2 server. Use this with caution as clients will continue using the default value for the internet fallback. If you specify upstream PM/PMP in this property, you have to specify it as http://<PM or PMP address>/guts2. More details are in the Admin Guide.; Default value: <A href="http://guts2.sp.f-secure.com" target="_blank" rel="noopener noreferrer">http://guts2.sp.f-secure.com</A>

Property name: h2ConsoleEnabled: Description: To enable the H2 Database Console, set this property to 'true'.; Default value: false

Property name: hostModuleListeningInterface: Description: The IP address of the network interface where the host module is bound.; Default value: 0.0.0.0 (all interfaces)

Property name: httpsCipherSuites: Description: A comma-separated list of TLS cipher suites to use.; Default value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384; +; ,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA if Vista interoperability is on (the default, see enableVistaInteroperability)

Property name: httpsExcludedCipherSuites: Description: A comma-separated list of TLS cipher suites to exclude.; Default value: <empty>

Property name: httpsExcludedProtocols: Description: A comma-separated list of TLS protocols to use.; Default value: <empty>
TLSv1, TLSv1.1 and TLSv1.2 are enabled by default (see httpsProtocols).

Property name: httpsProtocols: Description: A comma-separated list of TLS protocols to use.; Default value: TLSv1.2 + ,TLSv1,TLSv1.1 if Vista interoperability is on (for the default, see enableVistaInteroperability)

Property name: keepGuts2UpdatesCount: Description: A count of GUTS2 update versions stored in the local filesystem.; Default value: 10

Property name: maxFsdiagReportAge: Description: How long an FSDiag should live on the server (in milliseconds).; Default value: 2592000000

Property name: maxOperationAge: Description: The time period an ms operation is stored in the database (30 days by default).; Default value: 2592000000

Property name: maxUploadedDiagnosticsReportSize: Description: The maximum size of FSDiag package which can be uploaded to the server remotely. 104857600 bytes (100MB) by default.; Default value: 104857600

Property name: maxUploadedPackageSize: Description: The maximum size of package; for example, scanning report or status, which could be uploaded by clients to a server. 1048576 bytes (1MB) by default.; Default value: 1048576

Property name: odbcConnectorEnabled: Description: One of the ODBC connector properties for direct access to H2 database. This enables/disables access to the Policy Manager Server database via the ODBC.; Default value: false

Property name: odbcConnector.pgAllowOthers: Description: One of the ODBC connector properties for direct access to H2 database. When enabled, this allows for remote clients to access the database. When disabled, only the clients residing on the same computer have access.; Default value: false

Property name: odbcConnector.pgPort: Description: One of the ODBC connector properties for direct access to H2 database. This specifies the port number to connect to.; Default value: 5435

Property name: operationCleanUpDelay: Description: Time period in ms for checking if there are old operations exist (every 24 hours by default).; Default value: 86400000

Property name: phantomJsReportGenTimeout: Description: Maximum time in seconds for generating PDF reports in Web Reporting.; Default value: 60

Property name: printTlsSettings: Description: Server prints session cache parameters, supported and enabled protocols and cipher suites to the startup log.; Default value: false

Property name: refreshNotificationEventsDelay: Description: To disable auto-refresh feature, set this property to 'false'.; Default value: 60000

Property name: refreshNotificationEventsEnabled: Description: To disable auto-refresh feature, set this property to 'false'.; Default value: true

Property name: reverseProxy: Description: In default 'forward' mode, Policy Manager Proxy downloads GUTS2 and SWUP updates and databases from the Internet. When switched to 'reverse' mode this traffic goes to master PMS instance.; Default value: false

Property name: scheduledTasksCheckPeriod: Description: Interval between scheduled tasks execution attempts in minutes. For PM 12.00 the option only affects scheduled backup. Interval between scheduled tasks execution attempts in minutes.; Default value: 30

Property name: secureDataPath: Description: Path to encrypted file which stores various credentials entered by Policy Manager administrators; for example, mail server, Active Directory.; Default value: <F-Secure installation folder>/Management Server 5/data/sdata

Property name: suDbUpdatePeriod: Description: Time period in minutes how frequently the PMS downloads software updates from Shavlik.; Default value: 30

Property name: swup.cache.ttl.downloadEntries: Description: Time To Live interval (ms) for downloaded Software Updater updates. 15 days by default.; Default value: 1296000000

Property name: swup.cache.ttl.failedToDownloadEntries: Description: Time To Live interval (ms) for failed to download updates. 1 hour by default.; Default value: 3600000

Property name: updatePollingInterval: Description: Interval in minutes to poll GUTS2 server for new update versions.; Default value: 10

Property name: webReportingListeningInterface: Description: IP address of the network interface where web reporting module is bound.; Default value: 0.0.0.0 (all interfaces)

Property name: -Xmx

Description:

Note: No -D prefix is needed.

Maximum Java heap size. By default Java ergonomics is used - 1/4 of physical memory up to 1 GB (for PM 12.30 and older) or up to 32 GB (for PM 12.40+). If ergonomics logic is not suitable and/or more memory is needed, this option can be specified:

-Xmx1200M - maximum for PM 12.30 and older
-Xmx2048M - 2G heap for PM 12.40+

Default value: 1/4 of physical memory, for example:

256M for 1G of RAM
512M for 2G of RAM
1024M for 4G of RAM
2048M for 8G of RAM

Policy Manager advanced configuration settings

Categories