
Configuring services

The types of values used in the description of parameters are:

| Type      | Example              | Description                       |
|-----------|----------------------|-----------------------------------|
| String    | "an example"         | String value                      |
| Bool      | true, false          | Boolean value                     |
| Int       | 42                   | Whole number value                |
| Port      | 22                   | Number between 0 and 65535        |
| Range     | "5000-5010"          | Range of ports                    |
| Duration  | 1 minute, 3 days     | Duration with unit of measure     |
| Size      | 16 MiB, 3 GB         | File size with unit of measure    |
| ArrPort   | [5000, 5002, 5005]   | List/Array of port values         |
| ArrString | ["a", "b", "c"]      | List/Array of string values       |
| ArrNET    | [ 172.24.0.0/16 ]    | List/Array of IP networks         |

Each of the ten services that make up the tiCrypt backend has its own configuration file and options. Two of the services require more involved settings and have their own chapters:

  • ticrypt-auth: See ???

  • ticrypt-vm: See ???

Shared Sections

Almost all the services need the following sections. The configuration is virtually identical across services.

mongodb section

All tiCrypt services use MongoDB as the backing database. Each of the ten services has its own database that can have its unique connectivity options. The supported parameters are the same.

| Parameter | Type   | Required | Description                          |
|-----------|--------|----------|--------------------------------------|
| database  | String | Optional | The name of the MongoDB database     |
| hostname  | String | Optional | Hostname hosting the MongoDB server  |
| port      | Port   | Optional | Port of MongoDB                      |
| user      | String | Optional | User name for MongoDB                |
| password  | String | Optional | The password of user                 |

Alternatively, the uri parameter can be specified. It has the form "mongodb://user:password@localhost:27017/${database}".

Do not specify both the uri parameter and the hostname, port, user and password parameters.
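As an added illustration (not from the tiCrypt documentation), here are the two interchangeable ways of writing the mongodb section of one service; the database name, host and credentials are placeholders, and the second form is commented out because a section may carry only one of the two:

```hocon
# Added example, not from the tiCrypt docs. Placeholder values throughout.

# Form A: discrete connection parameters
mongodb {
  database = "ticrypt-rest"
  hostname = "127.0.0.1"
  port     = 27017
  user     = "ticrypt"
  password = "change-me"
}

# Form B: one connection URI carrying the same information.
# Shown commented out: HOCON merges repeated objects, so uncommenting it
# here would yield a section with both uri and hostname/port/user/password,
# which is exactly the combination the documentation forbids.
# mongodb {
#   uri = "mongodb://ticrypt:change-me@127.0.0.1:27017/ticrypt-rest"
# }
```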

ticrypt.auth section

All the services need to know how to contact ticrypt.auth. They all must have the section ticrypt.auth in their configuration file with the parameters:

| Parameter | Type   | Required | Description                     |
|-----------|--------|----------|---------------------------------|
| hostname  | String | Optional | Hostname of ticrypt.auth        |
| port      | Port   | Optional | Port on which ticrypt.auth runs |

akka parameters

The tiCrypt services use the AKKA framework to communicate. Two parameters control the AKKA communication.

akka.remote.netty.tcp.hostname

Specifies the interface on which to listen. If all the services run on a single server, the value 127.0.0.1 is appropriate.

akka.remote.netty.tcp.port

This is the port number on which the component listens. Keep the default value for each component since it guarantees non-collision. It can be changed, but with caution.

ticrypt-rest config

ticrypt-rest section

| Parameter                | Type      | Required | Description                          |
|--------------------------|-----------|----------|--------------------------------------|
| mongodb                  | Section   | Required | See [mongo-ti]                       |
| http.host                | String    | Optional | The host to listen on                |
| http.port                | Port      | Optional | The port to listen on                |
| allowed-origins          | ArrString | Optional | List of origins. Empty means all     |
| vm.internal-networks     | ArrNET    | Required | List of internal nets                |
| validation.request-json  | on, off   | Required | Turn on JSON request validation?     |
| validation.response-json | on, off   | Required | Turn on JSON response validation?    |
| session.search-raw-header | Bool     | Optional | Fix for cookie problem               |

akka.http.server section

The goal of this section is to specify AKKA parameters controlling the HTTP server.

| Parameter                  | Type     | Required | Description                     |
|----------------------------|----------|----------|---------------------------------|
| parsing.max-content-length | Size     | Optional | Max content size                |
| request-timeout            | Duration | Optional | Max duration of a request       |
| idle-timeout               | Duration | Optional | Max duration of a connection    |
| pipelining-limit           | Int      | Optional | How many requests in parallel?  |

parsing.max-content-length must be 50% more than the length of a chunk. The default "16 MiB" value is recommended.

idle-timeout must be longer than request-timeout.
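An added example, not taken from the tiCrypt documentation, of a ticrypt-rest configuration whose HTTP server settings respect the two constraints above; the enclosing section name ticrypt.rest, the hostnames, the internal network and all port numbers are assumptions, and the AKKA ports stand in for each component's documented default:

```hocon
# Added example, not from the tiCrypt docs. Section name ticrypt.rest,
# hosts, networks and ports are assumptions / placeholders.
ticrypt.rest {
  mongodb {
    database = "ticrypt-rest"
    hostname = "127.0.0.1"
    port     = 27017
    user     = "ticrypt"
    password = "change-me"
  }
  http.host = "127.0.0.1"   # bind locally; a front-end proxy terminates TLS
  http.port = 8080
  # An empty list would accept every origin; name the UI origin explicitly.
  allowed-origins = ["https://ticrypt.example.org"]
  vm.internal-networks = ["172.24.0.0/16"]
  validation.request-json   = on
  validation.response-json  = on
  session.search-raw-header = false
}

# Every service must know how to reach ticrypt.auth.
ticrypt.auth {
  hostname = "127.0.0.1"
  port     = 2552          # placeholder for the documented ticrypt.auth port
}

# AKKA remoting for this component (single-server deployment).
akka.remote.netty.tcp.hostname = "127.0.0.1"
akka.remote.netty.tcp.port     = 2553   # placeholder; keep the component default

akka.http.server {
  parsing.max-content-length = "16 MiB"   # recommended default
  request-timeout  = 1 minute
  idle-timeout     = 2 minutes            # must be longer than request-timeout
  pipelining-limit = 1
}
```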

ticrypt-file-manager config

Parameters for the section ticrypt.filemanager:

| Parameter                      | Type    | Required | Description      |
|--------------------------------|---------|----------|------------------|
| mongodb                        | Section | Required | See [mongo-ti]   |
| chunk-size                     | Size    | Optional | Chunk size       |
| max-header-size                | Int     | Optional | Max header size  |
| akka.remote.netty.tcp.hostname |         |          | See [akka]       |
| akka.remote.netty.tcp.port     |         |          | See [akka]       |

There should be no reason to change the chunk-size value from 8GB.

max-header-size is a dangerous value to change: the default of 64 bytes future-proofs the tiCrypt instance.

ticrypt-storage config

Parameters for the section ticrypt.storage:

| Parameter                      | Type     | Required | Description                      |
|--------------------------------|----------|----------|----------------------------------|
| path                           | String   | Required | Path to file storage directory   |
| idle-time                      | Duration | Optional | How long to wait on a connection |
| idle-check                     | Duration | Optional | How often to check a connection  |
| akka.remote.netty.tcp.hostname |          |          | See [akka]                       |
| akka.remote.netty.tcp.port     |          |          | See [akka]                       |

ticrypt-proxy config

Parameters for the section ticrypt.proxy:

| Parameter                      | Type     | Required | Description                      |
|--------------------------------|----------|----------|----------------------------------|
| interface                      | String   | Required | Interface to listen on           |
| ports                          | ArrPort  | Required | Ports to use                     |
| proxy-ttl                      | Duration | Optional | How long to wait for a connection |
| akka.remote.netty.tcp.hostname |          |          | See [akka]                       |
| akka.remote.netty.tcp.port     |          |          | See [akka]                       |

The interface parameter is critical. You must listen only on the domain used for proxying; failing to do so can expose the service to attack.

ports can specify ranges, e.g. [ "6000-6010" ].

The ports specified by the ports parameter must be reachable from the outside. The firewall rules must be coordinated with this option.

ticrypt-logger config

Parameters for the section ticrypt.logger:

| Parameter                      | Type     | Required | Description                   |
|--------------------------------|----------|----------|-------------------------------|
| drivers                        | Section  | Required | See below                     |
| rotate-log                     | on, off  | Optional | Rotate the logs?              |
| rotate-log-frequency           | Duration | Optional | How often?                    |
| rotate-log-suffix-format       | String   | Optional | Suffix format (see note 1)    |
| rotate-log-suffix-timezone     | String   | Optional | Timezone, default UTC         |
| max-buffered-lines             | Int      | Optional | How many lines to buffer?     |
| akka.remote.netty.tcp.hostname |          |          | See [akka]                    |
| akka.remote.netty.tcp.port     |          |          | See [akka]                    |

  1. See http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html

The default parameters should be suitable for most situations. The only parameter you should contemplate changing is max-buffered-lines if you notice performance degradation.

drivers section

The goal of this section is to specify how the logs are stored. A typical setup is the following:

drivers {
  main-file-logger {
    main = true
    immutable = true
    type = "file"
    log-file = "/var/log/ticrypt/ticrypt-secure-log.log"
  }
  tcp-logger {
    immutable = false
    main = false
    type = "tcp"
    host = "localhost"
    port = 25000
    send-timeout = 30s
    retry-timeout = 5s
  }
}

The main-file-logger is a master copy of the log and is kept locally. The tcp-logger specifies a remote logger that is updated on port 25000 hosted on localhost.

The tcp-logger is primarily used by tiCrypt Audit.

Changing the main-file-logger is problematic since it might result in a non-functioning system.

ticrypt-stats config

Parameters for the section ticrypt.stats:

| Parameter                      | Type | Required | Description |
|--------------------------------|------|----------|-------------|
| akka.remote.netty.tcp.hostname |      |          | See [akka]  |
| akka.remote.netty.tcp.port     |      |          | See [akka]  |

ticrypt-notifications config

Parameters for the section ticrypt.notifications:

| Parameter                      | Type | Required | Description |
|--------------------------------|------|----------|-------------|
| akka.remote.netty.tcp.hostname |      |          | See [akka]  |
| akka.remote.netty.tcp.port     |      |          | See [akka]  |

ticrypt-maintainance config

Parameters for the section ticrypt.maintainance:

| Parameter                      | Type    | Required | Description |
|--------------------------------|---------|----------|-------------|
| account-locker                 | Section | Required | See below   |
| akka.remote.netty.tcp.hostname |         |          | See [akka]  |
| akka.remote.netty.tcp.port     |         |          | See [akka]  |

account-locker section

| Parameter               | Type     | Required | Description              |
|-------------------------|----------|----------|--------------------------|
| enabled                 | Bool     | Optional | Is the feature enabled?  |
| frequency               | Duration | Optional | How often to check?      |
| time-before-account-old | Duration | Optional | When is the account old? |

ticrypt-backup config

Parameters for section ticrypt.backup:

| Parameter           | Type   | Required | Description                                                                      |
|---------------------|--------|----------|----------------------------------------------------------------------------------|
| public-key-location | String | Optional | File where the SSH public key is stored (for remote SSH authentication)          |
| identifier          | String | Optional | The prefix for backup directory names                                            |
| backup-base         | String | Required | Directory where to place backups                                                 |
| storage-base        | String | Required | Directory where file chunks are stored. Must match the value in ticrypt-storage  |
| backup-min          | Int    | Optional | Lower bound of the backup time window, in hours from midnight                    |
| backup-max          | Int    | Optional | Upper bound of the backup time window, in hours from midnight                    |