Configure WebGUI properties - webgui.properties

The WebGUI configuration file (WebGUI.properties) is located in the <pi_install_dir>/webgui/config/ directory. The following table explains the parameters and provides recommended values.

Parameters Description

Server , timezone properties

pi.webgui.server.port

WebGUI sever port number. The default value is 8030.

You can specify the port number as 443 to run WebGUI on HTTPS. This option is only available if WebGUIstart.sh is executed by root user.

pi.webgui.server.timezone

The timezone configuration for WebGUI. Valid values are local or utc. The default value is utc.

Log level, authentication mode properties

pi.webgui.admin.log.level

The applicable log levels. Valid values are : all, trace, debug, info, warn, error,fatal, off. The values are not case sensitive.

pi.webgui.server.authentication-mode

The authentication mode. Valid values are native or sso.

Session properties

pi.webgui.session.max-age

The maximum allowed duration for a session. After max-age duration, user will be asked to re-authenticate. The allowed format is <duration number>m (minutes) or <duration number> h (hours) or <duration number>d (days). For example, 20m or 20h or 20d.

The duration value must be greater than zero.

pi.webgui.session.expiry-time

The maximum duration allowed for a session to remain inactive. The value should be provided in minutes. After inactivity period, user will be asked to re-authenticate.

pi.webgui.session.max-active-sessions

The maximum number of active sessions allowed. The default value is 50.

SSL properties

pi.webgui.server.ssl.enabled-protocols

The supported SSL enabled protocols. For more information, see .oracle.com/en/java/javase/11/docs/specs/security/standard-names.html//[]. For multiple SSL protocols use comma separated list. For example, TLSv1.1,TLSv1.2.

pi.webgui.server.ssl.ciphers

The supported ssl ciphers. For the list of valid cipher names, see .oracle.com/en/java/javase/11/docs/specs/security/standard-names.html//[]. For multiple cipher names use comma separated list. For example, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.

pi.webgui.server.ssl.key-store

The SSL server keystore location value. For JKS keystore, keystore password and private key password should be same when you generate a JKS keystore.

pi.webgui.server.ssl.key-store-type

The SSL keystore type. The default value is jks.

pi.webgui.server.ssl.key-store-password

The password credentials to SSL keystore.

pi.webgui.server.ssl.key-alias

Alias for SSL key. Default value is PingIntelligence.

ABS properties

pi.webgui.abs.url

ABS URL

pi.webgui.abs.access-key

ABS access key.

pi.webgui.abs.secret-key

ABS secret key.

pi.webgui.abs.api-service-url

Host URL for the API Publish service. The default port number is 8020.

ASE properties

pi.webgui.ase.url

ASE Management URL value. NOTE: The ASE management URL is an optional parameter.

pi.webgui.ase.mode

ASE deployment mode. Valid values are inline or sideband. When PingIntelligence is deployed on cloud, the default value is inline.

pi.webgui.ase.access-key

ASE access key.

pi.webgui.ase.secret-key

ASE secret key.

Kibana properties

pi.webgui.dashboard.url

The Kibana URL.

pi.webgui.dashboard.username

The Kibana username credentials.

pi.webgui.dashboard.password

The Kibana password credentials.

Elasticsearch properties

pi.webgui.elasticsearch.url

Elasticsearch URL.

pi.webgui.elasticsearch.username

The username credential to Elasticsearch.

pi.webgui.elasticsearch.password

The password credentials to Elasticsearch.

pi.webgui.elasticsearch.distro-type

Elasticsearch distribution type. Valid values are default and aws.

API discovery properties

pi.webgui.discovery.source

Source for API discovery. Valid values are abs, axway, and pingaccess.

Indicators of Attack (IoA) listing properties

pi.webgui.ioclisting.fetchsize

The limit of documents that can be pulled from Elasticsearch. The default value is 2000. The upper limit is 10000.

h2 database properties

pi.webgui.datasource.url

h2 database URL. The database is started on default port number 9092.Total number of documents that can be fetched in an Elasticsearch search query to list IoAs for different client identifier types.

pi.webgui.datasource.username

Username credentials to h2 database.

pi.webgui.datasource.password

Password to h2 database.

pi.webgui.datasource.encryption-password

Password to encrypt h2 database.

The h2 database will use the properties when it is first started. If you want to change them, stop webgui server and delete data/h2 directory and start again. When you delete data/h2 directory, WebGUI is reset. The login passwords,login sessions, and api state information is lost when the WebGUI is reset.

Connection timeout properties

pi.webgui.http-client.timeout

Total number of documents that can be fetched in an Elasticsearch TCP connection timeout value in milliseconds. Timeout after which TCP connection to ABS, ASE,Dashboard, ElasticSearch is closed by the WebGUI.

pi.webgui.http-client.socket-timeout

Socket timeout value in milliseconds. Timeout after which socket to ABS, ASE,Dashboard, ElasticSearch is closed by the WebGUI.

JDK truststore properties

pi.webgui.jdk.truststore

The location of JDK truststore. The default value is $JAVA_HOME/lib/security/cacerts.

pi.webgui.jdk.truststore-password

The password to JDK truststore.

Configure the values of JDK trustore and its password only if the defaults don’t match.

HTTP client connection properties

pi.webgui.http-client.max-connections

Maximum allowed HTTP connections

pi.webgui.http-client.request-timeout

Request timeout for the HTTP clients.

pi.webgui.http-client.keep-alive-time

Connection keep-alive time

pi.webgui.http-client.idle-time

HTTP client idle time

A samplewebgui.properties file is displayed here.

# PingIntelligence WebGUI properties file
# This is in standard java properties file format
# comments are denoted by number sign (#) as the first non blank character
# multiline values are ended with '\' as end of line

# server listening port
# server listens on 0.0.0.0 ( all interfaces )
# server enables only https(ssl) on this port
pi.webgui.server.port=8030

# Timezone configuration
# valid values: local, utc
pi.webgui.server.timezone=utc

# log level
# valid values: ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF
# filtering sequence: ALL > TRACE > DEBUG > INFO > WARN > ERROR > FATAL > OFF
# higher level in the sequence will allow all the lower level log messages
# case insensitive
pi.webgui.admin.log.level=INFO

# Authentication mode
# valid values: native, sso
pi.webgui.server.authentication-mode=native

# ui login session
# maximum duration of a session
# after max-age duration, user will be asked to re-authenticate
# format: <duration>m (minutes) /h (hours) /d (days)
# duration should be > 5 minutes
pi.webgui.session.max-age=6h

# maximum session inactivity duration( No requests from the session ). In minutes
# after inactivity period, user will be asked to re-authenticate
pi.webgui.session.expiry-time=30

# maximum active sessions allowed
pi.webgui.session.max-active-sessions=50

# server ssl properties
# ssl enabled protocols ( https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#sslcontext-algorithms)
# for multiple SSL protocols use comma separated list. e.g TLSv1.1,TLSv1.2
pi.webgui.server.ssl.enabled-protocols=TLSv1.2

# supported ssl ciphers
# valid cipher names: https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
# for multiple cipher names use comma separated list. e.g TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
pi.webgui.server.ssl.ciphers=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA, \
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

 server ssl keystore
# for JKS keystore, keystore password and private key password should be same when you generate a jks keystore.
pi.webgui.server.ssl.key-store=config/webgui.jks
pi.webgui.server.ssl.key-store-type=JKS
pi.webgui.server.ssl.key-store-password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=
pi.webgui.server.ssl.key-alias=PingIntelligence

# abs properties
pi.webgui.abs.url=https://localhost:8080
pi.webgui.abs.access-key=OBF:AES:NuBmDdIhJM7KOB3BbXr4db5DfGJcrA==:hUsqFeTUmH5cOjiUPyws9WwTPYw9yAg0C1X1HSmSI30=
pi.webgui.abs.secret-key=OBF:AES:NuBmDcAhXgsQu8qzJgIo1Mq97B/PVw==:7GpDn83ZAU6GRKYsZe86x0gdnYOZfTbi8rUimDW100o=

# ase properties
# ASE management url
pi.webgui.ase.url=https://localhost:8010
# ASE mode: valid values: inline or sideband
pi.webgui.ase.mode=inline
pi.webgui.ase.access-key=OBF:AES:NuZ4O93cWBKyKDFOZFINHeBew8sQ:eu//E2CIObNNGvFOfHrLuAuec4WvN4yZsThAea4iBLA=
pi.webgui.ase.secret-key=OBF:AES:NuZ4O93cWBKyKDFOZFINHeBew8sQ:eu//E2CIObNNGvFOfHrLuAuec4WvN4yZsThAea4iBLA=

# kibana rendering ( dashboard ) properties
pi.webgui.dashboard.url=https://localhost:5601
pi.webgui.dashboard.username=ping_user
pi.webgui.dashboard.password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=

# elasticsearch properties
pi.webgui.elasticsearch.url=https://localhost:9200
pi.webgui.elasticsearch.username=elastic
pi.webgui.elasticsearch.password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=
# ES distribution type
# valid values: default, aws
pi.webgui.elasticsearch.distro-type=default

# api discovery properties
# discovery source
# valid values: abs, axway and pingaccess
# for axway and pingaccess, see config/discovery.properties
pi.webgui.discovery.source=abs

# ioc listing properties
# total number of documents that can be fetched in an elasticsearch search
# query to list iocs for different client identifier types.
pi.webgui.ioclisting.fetchsize=2000

# server internal configurations

 local h2 db datasource properties
# h2 db is started on default port 9092
pi.webgui.datasource.url=jdbc:h2:ssl://localhost/webgui_data;CIPHER=AES

# h2 db will use following properties when it is first started. There is no way to change it afterwards
# If you want to change it, you should stop webgui server and delete data/h2 directory and start again.
# when you delete data/h2 directory, webgui is reset. you will loose login passwords/login sessions/api state info.
pi.webgui.datasource.username=sa
pi.webgui.datasource.password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=
pi.webgui.datasource.encryption-password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=

# server to abs/ase/dashboard http connection properties
# tcp connect timeout in milliseconds
pi.webgui.http-client.timeout=15000
# timeout after which socket to abs/ase/dashboard/elasticsearch is closed by the webgui
pi.webgui.http-client.socket-timeout=120000

## http client connection pool configurations
pi.webgui.http-client.max-connections=256
pi.webgui.http-client.request-timeout=30000
pi.webgui.http-client.keep-alive-time=120000
pi.webgui.http-client.idle-time=120000