Administration guide > Configure the deployment environment > Configuring catalog and container servers
Server properties file
The server properties file contains several properties that define different settings for the server, such as trace settings, logging, and security configuration. The server properties file is used by both catalog service and container servers in both stand-alone servers and servers that are hosted in WAS.
- Server properties
- Security server properties
- General security properties
- Transport layer security properties
- Authentication properties
Sample server properties file
Use the sampleServer.properties file that is in the wxs_home/properties directory to create the properties file.
Specify a server properties file
Specify a setting by using one of the items later in the list overrides the previous setting. For example, if you specify a system property value for the server properties file, the properties in that file override the values in the objectGridServer.properties file that is in the classpath.
- For servers that run in WAS:
- Use a well-named file in the classpath, for example...
If you put this well-named file in the current directory, the file is not found unless the current directory is in the classpath. The name that is used follows:
- Specify a system property that specifies a file in the system current directory. Put the file in the was_root/properties directory. The file cannot be in the classpath:
- For stand-alone servers:
- Use a well-named file in the classpath, for example wxs_home/properties. If you put this well-named file in the current directory, the file is not found unless the current directory is in the classpath. The name that is used follows:
- Specify the server properties file as a parameter when you run the startOgServer command. You can override these properties manually to specify a file in the system current directory:
- For embedded, stand-alone servers:
Use the embedded server API. Use the ServerFactory.getServerProperties and ServerFactory.getCatalogServerProperties methods. The data in the object is populated with the data from the properties files.
- General properties
- Location to where the container server output is written. When this value is not specified, the output is written to a log directory within the current directory. This property applies to both the container server and the catalog service.
Default: no value
- Specifies the minimum number of threads used by the internal thread pool in the run time for built-in evictors and DataGrid operations.
- Specifies the maximum number of threads used by the internal thread pool in the run time for built-in evictors and DataGrid operations.
- Enables trace and the trace specification string for the container server. Trace is disabled by default. This property applies to both the container server and the catalog service.
- Specifies a file name to write trace information. This property applies to both the container server and the catalog service.
- Enables the container to write the SystemOut, SystemErr, and trace output to a file. If this property is set to false, output is not written to a file and is instead written to the console.
- Enables ObjectGrid container Managed Beans (MBean). This property applies to both the container server and the catalog service.
- Sets the server name that is used to identify the server. This property applies to both the container server and the catalog service.
- Set the name of the zone to which the server belongs. This property applies to both the container server and the catalog service.
- Synonymous with peer port. Specifies the port number the high availability manager uses. If this property is not set, the catalog service generates an available port automatically. This property applies to both the container server and the catalog service.
- Specifies the host name to which the Object Request Broker (ORB) should bind. This property applies to both the container server and the catalog service.
If the configuration involves multiple network cards, set the listener host and port to let the Object Request Broker in the JVM know the IP address to which to bind. For catalog and container servers, specify the listener host and port in the server properties file. Neglecting to specify which IP address to use produces symptoms such as connection time outs, unusual API failures, and clients that seem to hang.
- Specifies the port number to which the Object Request Broker (ORB) should bind. This property applies to both the container server and the catalog service.
- Specifies the port number on which the MBean server should listen. This property applies to both the container server and the catalog service.
- Container server properties
- Specifies the stats specification for the container server.
- Sets the memory threshold for memory-based eviction. The percentage specifies the maximum heap that should be used in the Java™ virtual machine (JVM) before eviction occurs. The default value is -1, which indicates that the memory threshold is not set. If the memoryThresholdPercentage property is set, the MemoryPoolMXBean value is set with the provided value. See MemoryPoolMXBean interface in the Java API specification for more information. However, eviction occurs only if eviction is enabled on an evictor. To enable memory based eviction, see Evictors. This property only applies to a container server.
- End points to connect to the catalog service domain. This value should be in the form host:port<,host:port> where the host value is the listenerHost value and the port value is the listenerPort value of the catalog server. This property only applies to a container server.
- Catalog service properties
- Specifies the domain name that is used to uniquely identify this catalog service domain to clients when routing to multiple domains. This property only applies to the catalog service.
- Enables quorum for the catalog service. Quorum is used to ensure that a majority of the catalog service domain is available before allowing modification to the placement of partitions on available container servers.
To enable quorum, set the value to true or enabled. The default value is disabled. This property only applies to the catalog service.
- Catalog service domain end points for the catalog service. This property specifies the catalog service end points to start the catalog service domain. Use the following format:
This property only applies to the catalog service.
- Specifies how often heartbeats occur. The heartbeat frequency level is a trade-off between use of resources and failure discovery time. The more frequently heartbeats occur, more resources are used, but failures are discovered more quickly. This property applies only to the catalog service. Use one of the following values:
0 Heartbeat level at a typical rate.
Failover detection occurs at a reasonable rate without overusing resources. (Default)
-1 Aggressive heartbeat level.
Failures are detected more quickly, but also uses additional processor and network resources. This level is more sensitive to missing heartbeats when the server is busy.
1 Relaxed heartbeat level.
A decreased heartbeat frequency increases the time to detect failures, but also decreases processor and network use.
Security server properties
The server properties file is also used to configure eXtreme Scale server security. You use a single server property file to specify both basic the properties and security properties.
- General security properties
- Enables the container server security when set to true. The default value is false. This property should match the securityEnabled property that is specified in the objectGridSecurity.xml file that is provided to the catalog server.
- Indicates whether this server supports credential authentication. Chose one of the following values:
- Never: The server does not support credential authentication.
- Supported: The server supports the credential authentication if the client also supports credential authentication.
- Required: The client requires credential authentication.
See Application client authentication for details about credential authentication.
- Transport layer security settings
- Specifies the server transport type. Use one of the following values:
- TCP/IP: Indicates that the server only supports TCP/IP connections.
- SSL-Supported: Indicates that the server supports both TCP/IP and SSL connections. (Default)
- SSL-Required: Indicates that the server requires SSL connections.
- SSL configuration properties
- Alias name in the keystore. This property is used if the keystore has multiple key pair certificates and to select one of the certificates.
Default: no value
- Name of the context provider for the trust service. If you indicate a value that is not valid, a security exception results that indicates that the context provider type is incorrect.
Valid values: IBMJSSE2, IBMJSSE, IBMJSSEFIPS, and so on.
- Indicates the type of security protocol to use for the client. Set this protocol value based on which Java Secure Socket Extension (JSSE) provider you use. If you indicate a value that is not valid, a security exception results that indicates that the protocol value is incorrect.
Valid values: SSL, SSLv2, SSLv3, TLS, TLSv1, and so on.
- Indicates the type of keystore. If you indicate a value that is not valid, a runtime security exception results.
Valid values: JKS, JCEK, PKCS12, and so on.
- Indicates the type of truststore. If you indicate a value that is not valid, a runtime security exception results.
Valid values: JKS, JCEK, PKCS12, and so on.
- Specifies a fully qualified path to the keystore file.
- Specifies a fully qualified path to the truststore file.
- Specifies the string password to the keystore. You can encode this value or use the actual value.
- Specifies a string password to the truststore. You can encode this value or use the actual value.
- If the property is set to true, the SSL client must be authenticated. Authenticating the SSL client is different from the client certificate authentication. Client certificate authentication means authenticating a client to a user registry based on the certificate chain. This property ensures that the server connects to the right client.
- The SecureTokenManager setting is used for protecting the secret string for server mutual authentications and for protecting the single sign-on token.Data grid security
- Specifies the type of SecureTokenManager setting. Use one of the following settings:
- none: Indicates that no secure token manager is used.
- default: Indicates that the token manager that is supplied with the WebSphere eXtreme Scale product is used. You must provide a SecureToken keystore configuration.
- custom: Indicates that you have the own token manager that you specified with the SecureTokenManager implementation class.
- Name of the SecureTokenManager implementation class, if you have specified the SecureTokenManagerType property value as custom. The implementation class must have a default constructor to be instantiated.
- Custom SecureTokenManager implementation class properties. This property is used only if the secureTokenManagerType value is custom. The value is set to the SecureTokenManager Object with the setProperties(String) method.
- Secure token keystore configuration
- File path name for the keystore that stores the public-private key pair and the secret key.
- Specifies the keystore type, for example, JCKES. You can set this value based on the Java Secure Socket Extension (JSSE) provider that you use. However, this keystore must support secret keys.
- Alias of the public-private key pair that is used for signing and verifying.
- Specifies the password to protect the key pair alias that is used for signing and verifying.
- Specifies the secret key alias that is used for ciphering.
- Specifies the password to protect the secret key.
- Algorithm that is used for providing a cipher. You can set this value based on the Java Secure Socket Extension (JSSE) provider that you use.
- Algorithm that is used for signing the object. You can set this value based on the JSSE provider that you use.
- Authentication string
- Specifies the secret string to challenge the server. When a server starts, it must present this string to the president server or catalog server. If the secret string matches what is in the president server, this server is allowed to join in.
Parent topic:Configure catalog and container servers
Best practice: Clustering the catalog service
Security integration with WAS
Configure WebSphere eXtreme Scale with WAS
Configure multi-master replication topologies
Start secure servers in a stand-alone environment
Start a stand-alone catalog service
Start container processes
Start secure servers in WAS
Start and stop servers in a WAS environment
Configure SSL parameters for clients or servers
Java SE security tutorial
Lesson 2.2: Configure catalog server security
Lesson 2.3: Configure container server security