WithSecure Policy Manager supports some advanced configuration using Java system properties. This article describes how you can specify the Java system properties for Windows and Linux environments.
On Windows
The Java system properties for Policy Manager Server (PMS) are read from a Windows registry value:
- Run Regedit as administrator.
- Create a string (REG_SZ) value named additional_java_args under the key for your version:
- For Policy Manager 15: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5 (the Wow6432Node part applies on 64-bit Windows)
- For Policy Manager 16: HKEY_LOCAL_MACHINE\SOFTWARE\WithSecure\Policy Manager\Policy Manager Server
- Set the value to -DpropertyName=value. To specify multiple properties, separate them with a single space. Property names and values are case-sensitive. An example: -Dh2ConsoleEnabled=true -DforbidDownloadingPublicKey=true
- Restart the PMS service for the new settings to take effect.
On Linux
The same properties apply on Linux. Instead of the registry, use the /etc/opt/f-secure/fspms/fspms.conf configuration file:
- Add a line with the parameter additional_java_args.
- Set it to -DpropertyName=value. To specify multiple properties, separate them with a single space. Property names and values are case-sensitive. An example: additional_java_args="-Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100"
- Restart the PMS service for the new settings to take effect.
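As an added example (not WithSecure's own tooling), the POSIX shell script below automates the Linux procedure: it checks that every token of the intended additional_java_args value follows the rules above (each must be -DpropertyName=value; -Xmx is the only exception) and rewrites fspms.conf so that exactly one additional_java_args line remains, rather than leaving two competing lines. The demo edits a constructed sample file; on a real server pass /etc/opt/f-secure/fspms/fspms.conf instead and restart the PMS service afterwards.

```shell
#!/bin/sh
# Added example, not WithSecure's own tooling: validate an additional_java_args
# string and write it to fspms.conf, replacing any existing line.
set -eu
set -f   # disable globbing so word-splitting cannot expand a token like -Dfoo=*

# validate_java_args "<args>": returns 0 if every space-separated token is
# -DpropertyName=value or -Xmx<digits>[k|m|g]; otherwise reports the token and returns 1.
validate_java_args() {
    for tok in $1; do
        case "$tok" in
            -D?*=*) ;;                          # -DpropertyName=value
            -Xmx*)                              # -Xmx is the only setting without -D
                size=${tok#-Xmx}; size=${size%[kKmMgG]}
                case "$size" in
                    ''|*[!0-9]*)
                        echo "invalid heap size: $tok" >&2; return 1 ;;
                esac ;;
            *)
                echo "invalid token: $tok (expected -DpropertyName=value)" >&2; return 1 ;;
        esac
    done
}

# get_additional_java_args <conf>: prints the current value without surrounding quotes
get_additional_java_args() {
    sed -n 's/^[[:space:]]*additional_java_args="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# set_additional_java_args <conf> "<args>": validates, then replaces any existing
# (possibly commented-out) additional_java_args line with the new one.
set_additional_java_args() {
    conf=$1; args=$2
    validate_java_args "$args"
    tmp=$(mktemp)
    grep -v -E '^[[:space:]]*#?[[:space:]]*additional_java_args=' "$conf" > "$tmp" || true
    printf 'additional_java_args="%s"\n' "$args" >> "$tmp"
    cat "$tmp" > "$conf"      # write through so the file keeps its owner and mode
    rm -f "$tmp"
}

# Demo on a constructed sample file; on a real server use
# /etc/opt/f-secure/fspms/fspms.conf and restart the PMS service afterwards.
demo() {
    sample=$(mktemp)
    printf '# constructed sample, not a real fspms.conf\nadditional_java_args="-Dh2ConsoleEnabled=true"\n' > "$sample"
    set_additional_java_args "$sample" "-DenableVistaInteroperability=false -DprintTlsSettings=true -Xmx2048M"
    echo "additional_java_args is now: $(get_additional_java_args "$sample")"
    rm -f "$sample"
}
demo
```

Because property names are case-sensitive, the script can only check the shape of each token, not that the name is spelled exactly as this list gives it; compare the names against the list before restarting the service.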
The list of Policy Manager configuration settings supported through additional_java_args:
Note: Use the additional_java_args parameters with care, as some of them can cause database or registry corruption if set incorrectly. WithSecure is not obligated to provide technical support in such cases. Take backups before making any modifications.
Note: All settings need the -D prefix in front of the property name, apart from -Xmx.
Property name: activeDirectoryRulesExecutionRate
Description: Execution rate of Active Directory rules (ms). For test purposes only, when values below one minute are needed.
Property name: adminInterfaceReadTimeout
Description: Read timeout on admin interface and web reporting.
Default: 120000 (2 min)
Property name: adminModuleListeningInterface
Description: The IP address of the network interface where the admin module is bound.
Default value: 0.0.0.0 (all interfaces) if not restricted to localhost; 127.0.0.1 if restricted.
Property name: allowUnsignedWithRiwsAndMibs
Description: Allows import of unsigned packages that contain RIWs or MIBs files.
Default value: false
Note: This feature is for testing purposes only and should never be used in production.
Property name: backupPath
Description: The path to the directory in which database backups are stored.
Default value: <F-Secure installation folder>/Management Server 5/data/backup
Property name: certAdditionalDNS
Description: A comma-separated list of additional DNS names to include in the subject alternative name of the generated TLS certificate.
Example: -DcertAdditionalDns="pmserver.mydomain.pro, pmserver.myanotherdomain.com"
Note: The property name above and the example differ in case (DNS vs Dns). Since property names are case-sensitive, check the exact spelling against the Admin Guide for your Policy Manager version.
Default value: empty
Property name: certAdditionalIp
Description: A comma-separated list of additional IP addresses to include in the subject alternative name of the generated TLS certificate.
Example: -DcertAdditionalIp="127.0.0.1, 127.0.0.2"
Default value: empty
Property name: certForceSubject
Important: Use with caution!
Description: Replaces the auto-generated subject of the TLS certificate in full. Should contain a comma-separated list of all values needed for the subject. Examples: -DcertForceSubject="CN = F-secure self-signed certificate", -DcertForceSubject="DC = pro, DC = mydomain, OU = Servers, CN = PMServer"
Default value: empty
Property name: clientNotificationsIdleConnectionTimeout
Description: The time in seconds that websockets used for online hosts may stay idle before being closed.
Default: 1800
Property name: com.sun.jndi.ldap.object.disableEndpointIdentification
Description: Whether endpoint identification for LDAPS connections is disabled. Can be used for troubleshooting when the LDAPS server certificate is not fully standards-compliant, e.g. lacks a Subject Alternative Name extension with DNS names.
Default: false (endpoint identification is enabled)
Note: With endpoint identification disabled, the server no longer checks that the certificate presented by the LDAPS server matches the hostname it connected to, so any certificate chaining to a trusted CA is accepted. Use it only temporarily while the directory server's certificate is corrected.
Property name: compressRequestLogs
Description: Defines whether compression of request logs is turned on. Off by default because compression corrupts log files in some environments.
Default value: false
Property name: emailForwardingRate
Description: The interval (in milliseconds) at which new alerts received from hosts are checked and sent as email messages to the defined recipients.
Default value: 600000
Property name: enableVistaInteroperability
Description: Enables/disables TLS settings required for interoperability with Windows Vista clients.
Default value: false
In PM 12.20 - 12.40, enables/disables CBC_SHA cipher suites used by Windows Vista (see httpsCipherSuites).
In PM 13.00 and higher, also enables/disables TLSv1, TLSv1.1 (see httpsProtocols).
Property name: enableWindowsServer2012Interoperability
Description: Enables/disables TLS settings required for interoperability with Windows Server 2008 R2, 2012, 2012 R2 clients.
Default value: true
Enables TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384. If Windows Server has Windows update 3042058 installed, this is enough for communicating with PM. If not, Vista compatibility needs to be enabled.
Property name: forbidDownloadingPublicKey
Description: To hide the 'Download public key' link from the server and the host welcome pages, set this property to 'true'.
Default value: false
Property name: fsdiagReportsCleanUpDelay
Description: The interval (in milliseconds) at which FSDiag cleanup is checked.
Default value: 86400000
Property name: fspms.maintenance.skip.backup
Description: Whether the backup step is skipped when doing database maintenance.
Default value: false
Property name: fspmsStdOutputLogFiles
Description: The number of fspms-stderrout.log file backups; that is, fspms-stderrout.log.1, fspms-stderrout.log.2 and so on.
Default value: 5
Property name: fspmsStdOutputLogFileSize
Description: The size of fspms-stderrout.log in kilobytes.
Default value: 4096
Property name: guts2ServerUrl
Description: Specifies an alternative GUTS2 server. Use with caution, as clients continue to use the default value for the Internet fallback. If you specify an upstream PM/PMP in this property, specify it as http://<PM or PMP address>/guts2. More details are in the Admin Guide.
Default value: http://guts2.sp.f-secure.com
Property name: guts2ReadTimeoutSec
Description: Socket timeout in seconds for the HTTP client connecting to the upstream GUTS2 server. The minimum value is 60 sec.
Default: 600
Property name: h2ConsoleEnabled
Description: To enable the H2 Database Console, set this property to 'true'.
Default value: false
Note: The console gives direct SQL access to the Policy Manager database. Enable it only for the duration of a troubleshooting session and set it back to false afterwards.
Property name: hideWelcomePage
Description: If set to "true", the welcome page URL returns a 404 error.
Default value: false
Property name: hostInterfaceReadTimeout
Description: Read timeout on the host interface. Affects both data upload/download by clients and how long an idle connection is kept open. Should be greater than the Push Notification Service poll time (5 min by default).
Default value: 900000 (15 min)
Property name: hostModuleListeningInterface
Description: The IP address of the network interface where the host module is bound.
Default value: 0.0.0.0 (all interfaces)
Property name: httpClientMaxInMemorySize
Description: Maximum memory used by the HTTP client for buffering a response, e.g. when decoding JSON as a Cosmos schema is downloaded by PMP or security events are downloaded by Connector.
Default: 20971520 (20 MB)
Property name: httpsCipherSuites
Description: A comma-separated list of TLS cipher suites to use.
Default value: TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
plus TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384 if Windows Server 2012 interoperability is on (on by default, see enableWindowsServer2012Interoperability)
plus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA if Vista interoperability is on (off by default, see enableVistaInteroperability)
Property name: httpsExcludedCipherSuites
Description: A comma-separated list of TLS cipher suites to exclude.
Default value: empty
Property name: httpsExcludedProtocols
Description: A comma-separated list of TLS protocols to exclude, e.g. set to 'TLSv1.2' to keep only TLSv1.3.
Default value: empty
Property name: httpsProtocols
Description: A comma-separated list of TLS protocols to use.
Default value: TLSv1.3,TLSv1.2
plus TLSv1,TLSv1.1 if Vista interoperability is on (off by default, see enableVistaInteroperability)
Property name: httpProxyServer
Description: Set it to false to disable Ultimate mode.
Default: true (Introduced in 16.00)
Property name: keepGuts2UpdatesCount
Description: A count of GUTS2 update versions stored in the local filesystem.
Default value: 10
Property name: legacyWebReportingEnabled
Description: Turn on/off the old version of Web Reporting.
Default: true
Property name: maxFsdiagReportAge
Description: How long an FSDiag should live on the server (in milliseconds).
Default value: 2592000000
Property name: maxOperationAge
Description: The time period (in milliseconds) for which an operation is stored in the database (30 days by default).
Default value: 2592000000
Property name: maxPdfReportTimeInSec
Description: PDF report generation timeout (in seconds) for the new Web Reporting.
Default value: 900
Property name: maxSynchronousPackageRetrievalRequests
Description: The maximum number of simultaneously handled package download requests for policy-based installations.
Default: 50
Property name: maxUploadedDiagnosticsReportSize
Description: The maximum size of an FSDiag package that can be uploaded to the server remotely. 104857600 bytes (100MB) by default.
Default value: 104857600
Property name: maxUploadedPackageSize
Description: The maximum size of a package, for example a scanning report or status, that clients can upload to the server. 1048576 bytes (1MB) by default.
Default value: 1048576
Property name: minFreeSpaceSizeMB
Description: The minimum free space size in MB required to start downloading GUTS2 updates. 2048 (2GB) by default.
Default: 2048
Property name: odbcConnectorEnabled
Description: One of the ODBC connector properties for direct access to the H2 database. Enables/disables access to the Policy Manager Server database via ODBC.
Default value: false
Property name: odbcConnector.pgAllowOthers
Description: One of the ODBC connector properties for direct access to the H2 database. When enabled, remote clients may access the database. When disabled, only clients on the same computer have access.
Default value: false
Note: Enabling this exposes the database port (see odbcConnector.pgPort) to the network. If remote access is required, restrict it with a host firewall to the reporting hosts that need it.
Property name: odbcConnector.pgPort
Description: One of the ODBC connector properties for direct access to the H2 database. Specifies the port number to connect to.
Default value: 5435
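Several settings in this list are explicitly for testing or troubleshooting (allowUnsignedWithRiwsAndMibs, com.sun.jndi.ldap.object.disableEndpointIdentification), open direct access to the H2 database (h2ConsoleEnabled, odbcConnector.pgAllowOthers), or re-enable legacy TLS (enableVistaInteroperability). The POSIX shell script below is an added example, not part of Policy Manager: it reads the additional_java_args line from fspms.conf and reports any of those left switched on, so that a temporary troubleshooting change does not survive into production. The watch list is built from the descriptions above, and the sample configuration it scans is constructed.

```shell
#!/bin/sh
# Added example, not WithSecure's own tooling: audit the additional_java_args line of
# fspms.conf for settings this article marks as test/troubleshooting-only, that open
# direct database access, or that re-enable legacy TLS.
set -eu
set -f   # disable globbing so word-splitting keeps every token literal

# risk_reason <token>: prints why the token is risky and returns 0, or returns 1 if
# the token is not on the watch list (watch list constructed from this article).
risk_reason() {
    case "$1" in
        -Dh2ConsoleEnabled=true)
            echo "H2 database console enabled: direct SQL access to the PMS database" ;;
        -DodbcConnector.pgAllowOthers=true)
            echo "ODBC connector accepts remote clients: database port reachable over the network" ;;
        -DallowUnsignedWithRiwsAndMibs=true)
            echo "unsigned packages with RIWs/MIBs accepted: testing only, never in production" ;;
        -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true)
            echo "LDAPS endpoint identification disabled: no hostname check on the directory server certificate" ;;
        -DenableVistaInteroperability=true)
            echo "Vista interoperability enabled: TLSv1/TLSv1.1 and CBC cipher suites allowed" ;;
        *) return 1 ;;
    esac
}

# audit_java_args "<args>": writes one WARNING per risky token to stderr and prints
# the number of risky tokens to stdout (0 when the value is clean or empty).
audit_java_args() {
    found=0
    for tok in $1; do
        if reason=$(risk_reason "$tok"); then
            echo "WARNING: $tok -> $reason" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# audit_fspms_conf <conf>: same, reading the additional_java_args line from the file.
audit_fspms_conf() {
    args=$(sed -n 's/^[[:space:]]*additional_java_args="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    audit_java_args "$args"
}

# Demo on a constructed sample; on a real server point it at /etc/opt/f-secure/fspms/fspms.conf.
demo() {
    sample=$(mktemp)
    printf '# constructed sample, not a real fspms.conf\nadditional_java_args="-Dh2ConsoleEnabled=true -DodbcConnectorEnabled=true -DodbcConnector.pgAllowOthers=true -DforbidDownloadingPublicKey=true"\n' > "$sample"
    echo "risky settings found: $(audit_fspms_conf "$sample")"
    rm -f "$sample"
}
demo
```

odbcConnectorEnabled=true on its own is not flagged, because with pgAllowOthers left at its default only clients on the same computer can reach the database; it is the combination with pgAllowOthers=true that widens exposure.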
Property name: operationCleanUpDelay
Description: Interval in ms for checking whether old operations exist (every 24 hours by default).
Default value: 86400000
Property name: phantomJsReportGenTimeout
Description: Maximum time in seconds for generating PDF reports in Web Reporting.
Default value: 60
Property name: pnsDisabled
Description: Instructs CS/SS 14+ (One-client based) not to subscribe for push notifications.
Default value: false
Property name: populateAlertsFromReport
Description: If a scanning report is received, the server transforms the infection objects in the report into the corresponding alerts. Enabled by default.
Default: true
Property name: printTlsSettings
Description: Server prints session cache parameters and the supported and enabled protocols and cipher suites to the startup log. Useful for verifying the effect of httpsProtocols, httpsCipherSuites and the interoperability flags after a restart.
Default value: false
Property name: refreshNotificationEventsDelay
Description: Delay between automatic refreshes of notification events (in milliseconds). To disable auto-refresh altogether, use refreshNotificationEventsEnabled.
Default value: 60000
Property name: refreshNotificationEventsEnabled
Description: To disable auto-refresh feature, set this property to 'false'.
Default value: true
Property name: reverseProxy
Description: In the default 'forward' mode, Policy Manager Proxy downloads GUTS2 and SWUP updates and databases from the Internet. When switched to 'reverse' mode, this traffic goes to the master PMS instance.
Default value: false
Property name: searchHardLimit
Description: The upper bound for facet and item limits in search. Constrains server memory required for a request. Does not apply to data export to CSV.
Default value: 10000
Property name: scheduledTasksCheckPeriod
Description: Interval between scheduled task execution attempts in minutes. For PM 12.00 the option only affects scheduled backup.
Default value: 30
Property name: secureDataPath
Description: Path to encrypted file which stores various credentials entered by Policy Manager administrators; for example, mail server, Active Directory.
Default value: <F-Secure installation folder>/Management Server 5/data/sdata
Property name: swup.cache.ttl.downloadEntries
Description: Time To Live interval (ms) for downloaded Software Updater updates. 15 days by default.
Default value: 1296000000
Property name: swup.cache.ttl.failedToDownloadEntries
Description: Time To Live interval (ms) for updates that failed to download. 1 hour by default.
Default value: 3600000
Property name: syslogForwardingRate
Description: The interval (in milliseconds) at which new alerts received from hosts are checked and sent to syslog.
Default: 10000
Property name: updatePollingInterval
Description: Interval in minutes to poll GUTS2 server for new update versions.
Default value: 10
Property name: upstreamHttpClientMaxConnections
Description: Maximum number of connections the HTTP client can establish when PMP communicates with the upstream server.
Default: 5000
Property name: webReportingListeningInterface
Description: The IP address of the network interface where the web reporting module is bound.
Default value: 0.0.0.0 (all interfaces)
Property name: wsGuts2RootServerUrl
Description: Specifies an alternative WithSecure GUTS2 server for managed clients version 16 and newer. Does not override Policy Manager's own GUTS2 update source; use wsGuts2ServerUrl for that.
Default: http://guts2.fsapi.com/ (Introduced in 16.00)
Property name: wsGuts2ServerUrl
Description: Specifies an alternative WithSecure GUTS2 server from which PM/PMP fetch updates. If you switch PM/PMP to Beta/CI, use this property in combination with wsGuts2RootServerUrl, as clients otherwise continue to use the default value for the Internet fallback. If you specify an upstream PM/PMP in this property, specify it as 'https://<PM or PMP address>/ws-guts2'.
Default: http://guts2.fsapi.com/ (Introduced in 16.00)
Property name: -Xmx
Note: No -D prefix is needed.
Description: Maximum Java heap size. By default Java ergonomics is used: 1/4 of physical memory, up to 1 GB (for PM 12.30 and older) or up to 32 GB (for PM 12.40+). If the ergonomics logic is not suitable and/or more memory is needed, this option can be specified, for example:
-Xmx1200M (maximum for PM 12.30 and older)
-Xmx2048M (2G heap for PM 12.40+)
Default value: 1/4 of physical memory, for example 256M for 1G of RAM, 512M for 2G of RAM, 1024M for 4G of RAM, 2048M for 8G of RAM.