Platform Properties

This section describes the different properties that you can use in the STR to configure the Platform.

Property

Description

auth.oidc.rp.client.id

Default value: ""

Client ID provided by Identity Provider. If it is not present, the SSO functionality is disabled.

auth.oidc.rp.provider.url

Default value: ""

Provide the Base URL to the associated Identity Provider. Read access is required for the /.well-known/openid-configuration file to acquire the relevant Provider Configurations.

auth.oidc.rp.provider.name

Default value: ""

The provider name must be set to Azure when Azure is the Identity Provider and the groups are returned as uids.

auth.oidc.rp.groupPath

Default value: "roles"

Dot-separated (.) path in the ID Token or UserInfo object to the array of the user's Access groups, as defined by the Access Controller.
The groups must be an array of Strings.
Example:
Here the groups array is nested inside an object:
{ myObject : { myGroups : [ "myGroup1", "mygroup2" ] } }
The path should then be:
groupPath: myObject.myGroups
When the groups array is directly under UserInfo, groupPath is just the name of the groups array.
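The following is an added example (not part of the original page or of MediationZone) showing how a dot-separated groupPath is resolved against a UserInfo object and why the result must be validated as an array of Strings. The UserInfo document is constructed here and follows the example above.

```python
import json

# Constructed sample UserInfo response (not from the original page): the
# groups array is nested under myObject.myGroups, as in the example above.
USERINFO_JSON = (
    '{"sub": "alice", "email": "alice@example.test", '
    '"myObject": {"myGroups": ["myGroup1", "mygroup2"]}}'
)


def resolve_group_path(claims: dict, group_path: str) -> list:
    """Walk a dot-separated path through ID Token / UserInfo claims and return
    the group array found there.

    Raises ValueError when the path is missing or the value is not an array of
    strings, so a misconfigured auth.oidc.rp.groupPath fails closed (no groups)
    instead of silently granting access based on an unrelated claim.
    """
    node = claims
    for key in group_path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise ValueError(f"groupPath {group_path!r}: key {key!r} not found")
        node = node[key]
    if not isinstance(node, list) or not all(isinstance(g, str) for g in node):
        raise ValueError(f"groupPath {group_path!r}: value is not an array of strings")
    return node


def groups_from_userinfo(userinfo_json: str, group_path: str = "roles") -> list:
    """Parse a UserInfo JSON document and extract the groups at group_path.
    The default path "roles" matches the property's default value."""
    return resolve_group_path(json.loads(userinfo_json), group_path)


if __name__ == "__main__":
    print(groups_from_userinfo(USERINFO_JSON, "myObject.myGroups"))
```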

auth.oidc.rp.auth.method

Default value: "CLIENT_SECRET_BASIC"

Available authentication methods are CLIENT_SECRET_BASIC and PRIVATE_KEY_JWT.

auth.oidc.rp.client.secret

Default value: ""

This is mandatory when CLIENT_SECRET_BASIC is used as the authentication method.

This property sets the Client Secret.

auth.oidc.rp.auth.jwt.keystorePath

Default value: ""

Path to the JKS keystore when PRIVATE_KEY_JWT is used.

auth.oidc.rp.auth.jwt.alias

Default value: ""

Alias of the key in the keystore when PRIVATE_KEY_JWT is used.

auth.oidc.rp.auth.jwt.keystorePassword

Default value: ""

Keystore password when PRIVATE_KEY_JWT is used. The value must be encrypted by MediationZone (see mzsh encryptpassword).

auth.oidc.rp.auth.jwt.keyPassword

Default value: ""

Key password when PRIVATE_KEY_JWT is used. The value must be encrypted by MediationZone (see mzsh encryptpassword).

auth.oidc.rp.scopes

Default value: ""

Optional additional scopes. Default scopes are openid, profile, and email.

auth.oidc.rp.claims.username

Default value: ""

Claim to use as the user name. If not specified, the sub claim is used. The value of this claim should be unique.

auth.oidc.rp.auth.jwt.keyId

Default value: ""

Optional Key ID for the JWT header when PRIVATE_KEY_JWT is used.

auth.oidc.rp.group.syncDisabled

Default value: false

When the value is set to true, the group synchronization from the Identity Provider is disabled, and the groups are set manually on each SSO User.

auth.oidc.rp.group.default

Default value: ""

When Group Sync is disabled, the value of this property will be assigned to the user's default group when the user logs in for the first time.

auth.oidc.rp.multigroupsync.defaultGroup

Default value: ""

This property assigns a default group to a user who is a member of multiple groups when the user logs in for the first time. It takes effect only when group synchronization is enabled. The default group can be changed after logging in and must be one of the member groups. Changes made to the default group after logging in persist across subsequent logins.

auth.oidc.rp.auth.debug

Default value: false

Set this to true during the implementation of SSO Access to get more information.

cts.source.systems

This parameter (of type list) is valid only for integrations with SAP CTS+. It enables you to restrict the source systems from which exports (regular configuration and Workflow Package) can originate. If the parameter is left empty, exports from any system will be allowed.

Things to note:

  • This parameter is only effective when an import is triggered via the CTS+ API. Imports initiated through the System Import UI or the command line interface are not impacted.

  • The value of this parameter must exactly (case-sensitive) match the value specified in the mz.name system parameter of the source system. (mz.name can be changed at any time in the source system but changes will only take effect after the system is restarted. mz.name corresponds to mzexport.mz.name in an export file. This parameter is used to determine if an import should be permitted)

Example - System Parameter use

cts.source.systems ="dev1,test,staging"

mail.smtp.ssl.protocols

Default value: "TLSv1.2"

Specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens, with possible values "TLSv1, TLSv1.1, TLSv1.2, TLSv1.3".
TLSv1 is not recommended.

mz.codeserver.saveStateInterval

Default value: 10

Whenever an update to the Codeserver state is made, such as when saving a workflow with a change in its APL code, the Codeserver state will have to be saved. Using this property allows you to set the minimum interval (in seconds) for how often the Codeserver saves its state to the disk.

mz.crypto.hash.algorithm

Default value: SHA-256

This property sets the crypto algorithm used for hashing data, for example files.

mz.crypto.key.crypt

Default value: AES

This property sets the crypto algorithm used to encrypt and decrypt sensitive data within communications, for example passwords.

The value can be set to AES/GCM/NoPadding for a higher level of security.

Note!

If you have set the value to AES/GCM/NoPadding and a decryption does not succeed on the first attempt, the property value reverts to AES.

mz.crypto.key.stream

Default value: PBKDF2WithHmacSHA256

This property sets the algorithm used to encrypt configurations when a user password is supplied for the encryption.

The value can be set to PBEWithMD5AndDES.

Note!

If the decryption fails with the selected algorithm, the other algorithm is tried.

mz.cryptoservice.keystore.path

Default value: ""

This property specifies the full path to the crypto service keystore file. This keystore is used for encrypting and decrypting passwords with specific keys stored in the keystore, and must be of JCEKS type. See the JDK product documentation for further information about using keytool in different scenarios. See also the sections describing mzsh encryptpassword in https://infozone.atlassian.net/wiki/x/wacyD for further information.

mz.cryptoservice.keystore.password

Default value: ""

This property specifies the password for the crypto service keystore file specified by the mz.cryptoservice.keystore.path property. This keystore is used for encrypting/decrypting passwords with specific keys stored in the keystore. See the sections describing the mzsh encryptpassword in the Command Line Tool Reference Guide for further information.

mz.database.profile.validation.skip

Default value: false

Set this property to true to bypass the remote database validation in the Database profile. Validation requires that the configured database, tables and columns are available; if they are unavailable when the validation is performed, the configuration and all its dependents can be marked as invalid. Set this property when you need to validate your configuration at a time, or in an environment, where the database or its tables are unavailable.

mz.desktop.accelerators

Default value: "/path/to/accelerators.properties"

Set this property to use your own key bindings. Extract the properties file from devkit.jar at com/digitalroute/devkit/ui/accelerators/accelerators.properties, save the accelerators.properties file to disk, and set this property to the path of that file to enable it.

mz.dynamicconnections

Default value: true

This property specifies if the pico instances for Desktop, mzsh, and Service Contexts must be registered on pico hosts for access:

true - Instances always have access.

false - Instances must be registered on pico hosts for access.

mz.httpd.security.disabled.cipher

Default value: "^.*_anon_.*$, ^SSL_.*$, ^(.*(3DES)).*$, ^.*_DHE_.*$"

This property allows you to use regex to manually disable the Java security cipher suite when using any picos to connect to the Platform with SSL enabled. This property is used when the Platform uses a different Java version than the rest of the picos. As there may be differences in the security ciphers between versions, the property aims to disable these ciphers to allow the picos to communicate with the Platform.

mz.javac.source

Default value: "default"

If the compilation of the system is slow after you import a new configuration, set this property to determine the javac version to be used. The possible values are 7, 8 or default. Setting this value to "7" may improve the compilation time.

mz.license.file

Default value: $MZ_HOME/etc

This property specifies the directory that contains the installation license file, i.e. mz.license.

mz.mailserver

Default value: ""

This property specifies the name or IP address of the mail server to be used for event generated e-mails.

mz.mailserver.auth 

Default value: false

Enables SMTP authentication.

mz.mailserver.auth.user 

Default value: ""

Set the SMTP user to be used for login when having enabled SMTP authentication with the mz.mailserver.auth property.

mz.mailserver.auth.enabled

Default value: false

Set this property to true if you want to enable SMTP authentication. If set to true, you also need to add the properties mz.mailserver.auth.user and mz.mailserver.auth.password.

mz.mailserver.host

Default value: ""

This property specifies the name or IP address of the mail server to be used for event generated e-mails.

mz.mailserver.auth.password 

Default value: ""

Set the encrypted password to be used for the SMTP user stated in the mz.mailserver.auth.user property when having enabled SMTP authentication with the mz.mailserver.auth property.

To encrypt the password, use the mzsh encryptpassword command, and enter the result in this field. See the Command Line user documentation for further information on how to use this command.

mz.mailserver.port

Default value: 25/587

Use this property to configure which port you want to use for sending event generated e-mails. When the mz.mailserver.auth property is not used, i.e. set to false, the default value is 25. When mz.mailserver.auth is set to true, the default value is 587.

mz.notifier.mailfrom

Default value: ""

This property specifies the sending e-mail address to be used for event generated e-mails. You must enter an e-mail address for an event notification to be sent by e-mail.

mz.picostorage.usecache  

Default value: true

This property enables the cache during a system import.

mz.platform.extref.ttl

Default value: 5

Use this property to configure a cache for the external references by entering the number of seconds you want the cache to live. If you need to disable the cache, for example in a development environment, set the value to 0.

mz.platform.s3.extref.ttl

Default value: 5

Use this property to configure a cache for the external references stored on an S3 Container by entering the number of seconds you want the cache to live. This will only work when you have S3 Properties File selected in your external reference profile. If you need to disable the cache, for example in a development environment, set the value to 0.

mz.platform.wf.max.concurrent.starts

This property decides how many workflows can start loading at the same time. No limit is set for workflows that are already running.

mz.platform.wf.threadpool

Default value: 10

This is a platform property that controls the number of threads used for the thread pool used by the workflow and group servers.

If you have a very large batch system with a lot of scheduling and workflows that are starting and stopping frequently, this property might need to be increased to get more threads.

mz.security.user.restricted.login

Default value: false

Use this property to restrict user login to one instance for each interface type, i.e. Desktop and the Command Line Tool mzsh.

mz.servicehost.port.range

This property determines the port range used by services. The system will bind to ports in the provided ranges. The values must not overlap with the ports used by SCs that are running on the same host.

mz.servicehost.natures

This property contains one or more service-specific identifiers that set behaviors required by services running on the Platform.

mz.statistics.collect.all

Default value: true

This property enables or disables collection of all statistics on the Platform. When you set this property to false, it overrides mz.statistics.collect.pico and mz.statistics.collect.workflow.

mz.statistics.collect.pico

Default value: true

This property enables or disables collection of pico statistics on the Platform.

mz.statistics.collect.workflow

Default value: true

This property enables or disables collection of workflow statistics on the Platform.

mz.subfolder.enabled

Default value: false

This property determines if the subfolder feature in Desktop is enabled or disabled. If you want to enable the subfolder feature in Desktop, set the value to true.

mz.subfolder.separator

Default value: "_"

This property determines the separator you can use when naming folders in the Desktop so that the subfolder feature is enabled. The valid values are "-" or "_".

mz.systemlog.maxresults

Default value: 500000

This property determines the maximum number of search results when you run a search in the System Log.

mz.ultra.bitfield.codec

Default value: "false"

This property selects the implementation that is to be used for ultra bit_block. If set to "true", the newly selected implementation will be used. Values that are not set using this property will use the old implementation.

mz.ultra.xml.handle_as_string

Default value: ""

If you want to set any XML data type to be converted into string, you must set the value of this property to the data type you intend to convert. For example, if you wish to have all decimal data type be handled as string, set the value of this property to decimal.

For further information on XML schema support, see https://infozone.atlassian.net/wiki/x/WSY0D

mz.ultra.xml.restrictions

Default value: off

If you want to use the XML union element type, you must enable this property. If you want to use unions and restrictions inside unions, set this property to union. If you want to use restrictions everywhere, including inside union types, set this property to on. For further information on XML schema support, see https://infozone.atlassian.net/wiki/spaces/MD93/pages/204744281.

mz.use.date.timezone

Default value: false

Setting this property to true will instruct the system to use the attached time zone when SQL input originates from a date object.

In most cases, the property should be set in the pico configuration of ECs. However, in case of audit processing, the property should also be set in the pico configuration of the Platform.

Note that if the mz.use.date.timezone property is used for setting dates with another time zone, there will be no way of keeping track of the actual time zone in the database, and you may have to manually convert the date during selection. To keep track of the time zone in an Oracle database, use the data type TIMESTAMP WITH TIME ZONE.

mz.user.emergency.unlock

Default value: ""

Setting this property with an encrypted password will change the mzadmin password at platform startup.

For information about how to reset the mzadmin password, see https://infozone.atlassian.net/wiki/x/AqsyD

mz.use.prefixfilter

Default value: false

If you add this property with the value true, files or configurations with more than one underscore at the beginning of the name are not visible from the Desktop after you restart the Platform.

mz.webserver.host

Default value: Taken from the common property pico.rcp.server.host.

This is the host IP address or hostname used to communicate with the Platform Web Interface.

mz.webserver.port

Default value: 9000

This is the port used to communicate with the Platform Web Interface.

mz.osgi.bootdelegation.ext

Default value: ""

This property adds extra values to the Felix OSGi boot delegation.

pico.rcp.codeserver.deregister.timeout

Default value: 2700

This property specifies the time (in seconds) to wait before de-registering an unreachable EC from the Platform. Once de-registered, another EC can be brought up to replace it.

An EC is considered to be unreachable when the last known state was that it was running, but has since lost contact with the Platform.

pico.rcp.tls.keystore

Default value: ""

Set this property to enable the system to use TLS for all RCP connections that are not from the local host. If this property is not set, TLS will not be used at all.

pico.tmpdir

Default value: MZ_HOME/tmp

This property specifies the pico temp directory you want the Platform to use.

snmp.trap.format.b

Default value: ""

Add this property and set it to true if you want to activate the new format for SNMP events corresponding to the latest MIB definitions. If this property is not included, or if it is set to false, the previous invalid format will apply, which may be useful for backwards compatibility reasons.

Enhanced User Security Platform Properties

The properties below are applicable when the property mz.security.user.control.enabled is set to true in the Platform:

Property

Description

mz.security.user.control.enabled

Default value: true

This property enables or disables enhanced user security. If set to true, several rules regarding the passwords apply as soon as the platform is restarted. For information about enhanced user security, see https://infozone.atlassian.net/wiki/x/LyYyD

All users are required to change their password during their first login after this property has been set to true. If an administrator resets a user's password, the user must also change it at their next login.

mz.security.max.password.age.enabled

Default value: false

Enables or disables the password expiration check.

If the mz.security.user.control.enabled and mz.security.max.password.age.enabled properties are set to true, the user is required to change the password after the number of days set in the mz.security.max.password.age.admin and mz.security.max.password.age.user properties.

mz.security.max.password.age.admin

Default value: 30

This property specifies the maximum password age for administrator users in days.

See the mz.security.max.password.age.enabled property.

mz.security.max.password.age.user

Default value: 90

This property specifies the maximum password age for users in days.

See the mz.security.max.password.age.enabled property.

mz.security.max.password.history

Default value: 12

This property specifies how many previous passwords a new password must differ from before an old password can be reused.

mz.security.user.control.password.numcaps.count

Default value: 1

The minimum number of upper case or numerical characters in a password.

mz.security.user.control.password.numcaps.message

Default value: The password needs at least one capital letter or a number in it.

The message to be displayed for the user when they have not met the condition for the minimum number of upper case or numerical characters in the password.

mz.security.user.control.password.numcaps.pattern

Default value: [A-Z0-9]

The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met.

mz.security.user.control.password.length.count

Default value: 8

The minimum total number of characters in a password.

mz.security.user.control.password.length.message

Default value: The password needs to be at least 8 characters.

The message to be displayed for the user when they have not met the condition for the minimum length of the password.

mz.security.user.control.password.lowercase.count

Default value: ""

The minimum total number of lowercase characters in a password.

mz.security.user.control.password.uppercase.count

Default value: ""

The minimum total number of uppercase characters in a password.

mz.security.user.control.password.number.count

Default value: ""

The minimum total number of numeric characters in a password.

mz.security.user.control.password.special.count

Default value: 1

The minimum number of special characters in a password.

mz.security.user.control.password.special.message

Default value: The password needs to contain at least 1 special character(s).

The message to be displayed for the user when they have not met the condition for the minimum number of special characters in the password.

mz.security.user.control.password.special.pattern

Default value: [\\W_]

The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met.

mz.security.user.control.password.repetition.message

Default value: The password contains too many consecutive identical characters.

The message to be displayed for the user when the password contains too many identical characters in a row.

mz.security.user.control.password.username.message

Default value: The username may not be a part of the password.

The message to be displayed for the user when the username is contained within the password.

mz.security.user.control.password.history.message

Default value: The password may not be a recently used password.

The message to be displayed for the user when they are reusing a password that they have used before.

mz.security.user.control.password.extra.count

Default value: ""

The minimum number of characters for the extra user policy.

mz.security.user.control.password.extra.message

Default value: ""

The message to be displayed for the user when they did not meet the requirements of the extra user policy.

mz.security.user.control.password.extra.pattern

Default value: ""

The pattern of the permitted values. The password will be matched to the pattern to determine if the condition is met.

mz.security.user.control.password.extra.type

Default value: ""

The type that determines what the extra pattern will be. The value of this property can be set to regexp or none. Setting it to regexp ensures that the pattern has to conform to regular expressions.
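The following is an added example (not part of the original page or of MediationZone) that applies the password rules described by the mz.security.user.control.password.* and mz.security.max.password.history properties, using their default values and messages. The repetition threshold, the wording of the lowercase/uppercase/number messages and the case-insensitive username check are assumptions, since the page does not state them.

```python
import re

# Policy values mirror the defaults listed above. The regex values are written
# here as the platform would read them after the properties file's backslash
# escaping ([\\W_] in the file is the regular expression [\W_]).
POLICY = {
    "length.count": 8,
    "numcaps.count": 1, "numcaps.pattern": r"[A-Z0-9]",
    "special.count": 1, "special.pattern": r"[\W_]",
    "lowercase.count": None, "uppercase.count": None, "number.count": None,
    "extra.type": "none", "extra.count": None, "extra.pattern": "", "extra.message": "",
    "history": 12,
}
MESSAGES = {
    "length": "The password needs to be at least 8 characters.",
    "numcaps": "The password needs at least one capital letter or a number in it.",
    "special": "The password needs to contain at least 1 special character(s).",
    "repetition": "The password contains too many consecutive identical characters.",
    "username": "The username may not be a part of the password.",
    "history": "The password may not be a recently used password.",
}
# Assumption: the page gives no threshold for the repetition rule; three or
# more identical characters in a row are treated as a violation here.
MAX_REPEAT = 2


def count_matches(pattern: str, text: str) -> int:
    """Count non-overlapping matches without being confused by capture groups."""
    return sum(1 for _ in re.finditer(pattern, text))


def check_password(password: str, username: str, history: list, policy: dict = POLICY) -> list:
    """Return the policy messages the password violates; an empty list means accepted.

    history holds the user's previous passwords, oldest first. A real
    implementation compares against stored password hashes, not plaintext;
    plaintext is used here only to keep the example self-contained.
    """
    failures = []
    if len(password) < policy["length.count"]:
        failures.append(MESSAGES["length"])
    if count_matches(policy["numcaps.pattern"], password) < policy["numcaps.count"]:
        failures.append(MESSAGES["numcaps"])
    if count_matches(policy["special.pattern"], password) < policy["special.count"]:
        failures.append(MESSAGES["special"])
    # lowercase/uppercase/number counts default to "" (unset) and are then skipped;
    # their messages are not listed on the page, so the wording here is assumed.
    for key, pattern in (("lowercase", "[a-z]"), ("uppercase", "[A-Z]"), ("number", "[0-9]")):
        minimum = policy[f"{key}.count"]
        if minimum is not None and count_matches(pattern, password) < minimum:
            failures.append(f"The password needs at least {minimum} {key} character(s).")
    # The extra policy only applies when extra.type is regexp.
    if policy["extra.type"] == "regexp" and policy["extra.count"] is not None:
        if count_matches(policy["extra.pattern"], password) < policy["extra.count"]:
            failures.append(policy["extra.message"])
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, password):
        failures.append(MESSAGES["repetition"])
    # Assumption: the username check is case-insensitive.
    if username and username.lower() in password.lower():
        failures.append(MESSAGES["username"])
    if password in history[-policy["history"]:]:
        failures.append(MESSAGES["history"])
    return failures


if __name__ == "__main__":
    print(check_password("alice123", "alice", []))  # constructed input
```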

mz.user.account.change.password.limit

Default value: false

Setting this property to true will limit the password change to only once per day.

This property does not restrict users from the Administrator Group.

mz.user.account.inactivity

Default value: false

Setting this property to true will disable user accounts with inactivity exceeding 90 days. However, system accounts (admin accounts) are not affected by this.