The following table explains the parameters and provides recommended values.

Parameters Description

Server, time zone properties

pi.webgui.server.port

WebGUI server port number. The default value is 8030.

Note:

You can specify the port number as 443 to run WebGUI on HTTPS. This option is only available if WebGUI start.sh is executed by a root user.

pi.webgui.server.timezone

The time zone configuration for WebGUI. Valid values are local or utc. The default value is utc.

Log level, authentication mode properties

pi.webgui.admin.log.level

The applicable log levels. Valid values are all, trace, debug, info, warn, error, fatal, and off. The values are not case sensitive.

pi.webgui.server.authentication-mode

The authentication mode. Valid values are native or sso.

Session properties

pi.webgui.session.max-age

The maximum allowed duration for a session. After max-age duration, the user will be asked to re-authenticate. The allowed format is <duration number>m (minutes), <duration number>h (hours), or <duration number>d (days). For example, 20m, 20h, or 20d.

Note:

The duration value must be greater than zero.

pi.webgui.session.expiry-time

The maximum duration allowed for a session to remain inactive. The value should be provided in minutes. After an inactivity period, the user will be asked to re-authenticate.

pi.webgui.session.max-active-sessions

The maximum number of active sessions allowed. The default value is 50.

SSL properties

pi.webgui.server.ssl.enabled-protocols

The supported SSL enabled protocols. For more information, see https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#sslcontext-algorithms. For multiple SSL protocols, use a comma-separated list. For example, TLSv1.1, TLSv1.2.

pi.webgui.server.ssl.ciphers

The supported SSL ciphers. For the list of valid cipher names, see https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names. For multiple cipher names, use a comma-separated list. For example, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.

pi.webgui.server.ssl.key-store

The location of the SSL server key store. For a JKS key store, the key store password and the private key password should be the same when you generate the key store.

pi.webgui.server.ssl.key-store-type

The SSL key store type. The default value is jks.

pi.webgui.server.ssl.key-store-password

The password credentials to the SSL key store.

pi.webgui.server.ssl.key-alias

Alias for the SSL key. The default value is PingIntelligence.

ABS properties

pi.webgui.abs.url

ABS URL.

pi.webgui.abs.access-key

ABS access key.

pi.webgui.abs.secret-key

ABS secret key.

pi.webgui.abs.api-service-url

Host URL for the API Publish Service. The default port number is 8020.

ASE properties

pi.webgui.ase.url

ASE management URL value.

Note:

The ASE management URL is an optional parameter.

pi.webgui.ase.mode

ASE deployment mode. Valid values are inline or sideband. When PingIntelligence is deployed on cloud, the default value is inline.

pi.webgui.ase.access-key

ASE access key.

pi.webgui.ase.secret-key

ASE secret key.

Kibana properties

pi.webgui.dashboard.url

The Kibana URL.

pi.webgui.dashboard.username

The Kibana username credentials.

pi.webgui.dashboard.password

The Kibana password credentials.

Elasticsearch properties

pi.webgui.elasticsearch.url

Elasticsearch URL.

pi.webgui.elasticsearch.username

The username credential to Elasticsearch.

pi.webgui.elasticsearch.password

The password credentials to Elasticsearch.

pi.webgui.elasticsearch.distro-type

Elasticsearch distribution type. Valid values are default and aws.

API discovery properties

pi.webgui.discovery.source

Source for API discovery. Valid values are abs, axway, and pingaccess.

Indicators of Attack (IoA) listing properties

pi.webgui.ioclisting.fetchsize

The total number of documents that can be fetched in an Elasticsearch search query to list IoAs for different client identifier types. The default value is 2000. The upper limit is 10,000.

H2 database properties

pi.webgui.datasource.url

H2 database URL. The database is started on the default port number 9092.

pi.webgui.datasource.username

Username credentials to the H2 database.

pi.webgui.datasource.password

Password to the H2 database.

pi.webgui.datasource.encryption-password

Password to encrypt the H2 database.

Note:

The H2 database uses these properties when it is first started. To change them, stop the WebGUI server, delete the data/h2 directory, and start the server again. Deleting the data/h2 directory resets WebGUI: the login passwords, login sessions, and API state information are lost.

Connection timeout properties

pi.webgui.http-client.timeout

TCP connection timeout value in milliseconds. Timeout after which the TCP connection to ABS, ASE, Dashboard, or Elasticsearch is closed by the WebGUI.

pi.webgui.http-client.socket-timeout

Socket timeout value in milliseconds. Timeout after which the socket to ABS, ASE, Dashboard, or Elasticsearch is closed by the WebGUI.

JDK truststore properties

pi.webgui.jdk.truststore

The location of JDK truststore. The default value is $JAVA_HOME/lib/security/cacerts.

pi.webgui.jdk.truststore-password

The password to JDK truststore.

Note:

You can configure the values of the JDK truststore and its password only if the defaults don't match.

HTTP client connection properties

pi.webgui.http-client.max-connections

Maximum allowed HTTP connections.

pi.webgui.http-client.request-timeout

Request timeout for the HTTP clients.

pi.webgui.http-client.keep-alive-time

Connection keep-alive time.

pi.webgui.http-client.idle-time

HTTP client idle time.

A sample webgui.properties file is displayed below:

#### PingIntelligence WebGUI properties file
# This is in standard java properties file format
# comments are denoted by number sign (#) as the first non blank character
# multiline values are ended with '\' as end of line

### server listening port
# server listens on 0.0.0.0 ( all interfaces )
# server enables only https(ssl) on this port
pi.webgui.server.port=8030

### Timezone configuration
# valid values: local, utc
pi.webgui.server.timezone=utc

### log level
# valid values: ALL, TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF
# filtering sequence: ALL > TRACE > DEBUG > INFO > WARN > ERROR > FATAL > OFF
# higher level in the sequence will allow all the lower level log messages
# case insensitive
pi.webgui.admin.log.level=INFO

### Authentication mode
# valid values: native, sso
pi.webgui.server.authentication-mode=native

### ui login session
# maximum duration of a session
# after max-age duration, user will be asked to re-authenticate
# format: <duration>m (minutes) /h (hours) /d (days)
# duration should be > 5 minutes
pi.webgui.session.max-age=6h

# maximum session inactivity duration( No requests from the session ). In minutes
# after inactivity period, user will be asked to re-authenticate
pi.webgui.session.expiry-time=30

# maximum active sessions allowed
pi.webgui.session.max-active-sessions=50

### server ssl properties
# ssl enabled protocols ( https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#sslcontext-algorithms)
# for multiple SSL protocols use comma separated list. e.g TLSv1.1,TLSv1.2
pi.webgui.server.ssl.enabled-protocols=TLSv1.2

# supported ssl ciphers
# valid cipher names: https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
# for multiple cipher names use comma separated list. e.g TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
pi.webgui.server.ssl.ciphers=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA, \
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, \
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, \
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, \
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

## server ssl keystore
# for JKS keystore, keystore password and private key password should be same when you generate a jks keystore.
pi.webgui.server.ssl.key-store=config/webgui.jks
pi.webgui.server.ssl.key-store-type=JKS
pi.webgui.server.ssl.key-store-password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=
pi.webgui.server.ssl.key-alias=PingIntelligence

### abs properties
pi.webgui.abs.url=https://localhost:8080
pi.webgui.abs.access-key=OBF:AES:NuBmDdIhJM7KOB3BbXr4db5DfGJcrA==:hUsqFeTUmH5cOjiUPyws9WwTPYw9yAg0C1X1HSmSI30=
pi.webgui.abs.secret-key=OBF:AES:NuBmDcAhXgsQu8qzJgIo1Mq97B/PVw==:7GpDn83ZAU6GRKYsZe86x0gdnYOZfTbi8rUimDW100o=

### ase properties
# ASE management url
pi.webgui.ase.url=https://localhost:8010
# ASE mode: valid values: inline or sideband
pi.webgui.ase.mode=inline
pi.webgui.ase.access-key=OBF:AES:NuZ4O93cWBKyKDFOZFINHeBew8sQ:eu//E2CIObNNGvFOfHrLuAuec4WvN4yZsThAea4iBLA=
pi.webgui.ase.secret-key=OBF:AES:NuZ4O93cWBKyKDFOZFINHeBew8sQ:eu//E2CIObNNGvFOfHrLuAuec4WvN4yZsThAea4iBLA=

### kibana rendering ( dashboard ) properties
pi.webgui.dashboard.url=https://localhost:5601
pi.webgui.dashboard.username=ping_user
pi.webgui.dashboard.password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=

### elasticsearch properties
pi.webgui.elasticsearch.url=https://localhost:9200
pi.webgui.elasticsearch.username=elastic
pi.webgui.elasticsearch.password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=
# ES distribution type
# valid values: default, aws
pi.webgui.elasticsearch.distro-type=default

### api discovery properties
# discovery source
# valid values: abs, axway and pingaccess
# for axway and pingaccess, see config/discovery.properties
pi.webgui.discovery.source=abs

### ioc listing properties
# total number of documents that can be fetched in an elasticsearch search
# query to list iocs for different client identifier types.
pi.webgui.ioclisting.fetchsize=2000

### server internal configurations

## local h2 db datasource properties
# h2 db is started on default port 9092
pi.webgui.datasource.url=jdbc:h2:ssl://localhost/webgui_data;CIPHER=AES

# h2 db will use following properties when it is first started. There is no way to change it afterwards
# If you want to change it, you should stop webgui server and delete data/h2 directory and start again.
# when you delete data/h2 directory, webgui is reset. you will lose login passwords/login sessions/api state info.
pi.webgui.datasource.username=sa
pi.webgui.datasource.password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=
pi.webgui.datasource.encryption-password=OBF:AES:NOp0PNQvc/RLUN5rbvZLtTPghqVZzD9V:+ZGHbhpY4HENYYqJ4wn50AmoO6CZ3OcfjqTYQCfgBgc=

### server to abs/ase/dashboard http connection properties
# tcp connect timeout in milliseconds
pi.webgui.http-client.timeout=15000
# timeout after which socket to abs/ase/dashboard/elasticsearch is closed by the webgui
pi.webgui.http-client.socket-timeout=120000

## http client connection pool configurations
pi.webgui.http-client.max-connections=256
pi.webgui.http-client.request-timeout=30000
pi.webgui.http-client.keep-alive-time=120000
pi.webgui.http-client.idle-time=120000
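
A pre-deployment check for a webgui.properties file like the one above, as an added example that is not part of the product or its documentation. It validates the allowed values, session duration format and fetch-size limit from the parameter table. The function names, the treatment of a secret without the `OBF:` prefix as cleartext, and the TLS policy (nothing below TLSv1.2, only (EC)DHE key exchange with GCM) are assumptions of this example, not vendor requirements.

```python
import re

# Key prefix, and the allowed values listed in the page's parameter table.
PRE = "pi.webgui."
ENUMS = {"server.timezone": "local utc", "server.authentication-mode": "native sso",
         "ase.mode": "inline sideband", "elasticsearch.distro-type": "default aws",
         "discovery.source": "abs axway pingaccess"}

def parse_properties(text):
    """Minimal .properties reader: '#' or '!' comments, trailing backslash continuation."""
    props, pending = {}, ""
    for line in map(str.strip, text.splitlines()):
        if pending or (line and line[0] not in "#!"):
            if line.endswith("\\"):
                pending += line[:-1].strip()
            else:
                key, _, value = (pending + line).partition("=")
                props[key.strip()], pending = value.strip(), ""
    return props

def audit(props):
    """Return sorted (key, finding) pairs; keys absent from props are skipped."""
    get = lambda name, default="": props.get(PRE + name, default)
    out = [(PRE + k, "invalid value") for k, ok in ENUMS.items()
           if get(k) and get(k).lower() not in ok.split()]
    if not re.fullmatch(r"0*[1-9]\d*[mhd]", get("session.max-age", "1m")):
        out.append((PRE + "session.max-age", "bad duration"))
    if not re.fullmatch(r"\d{1,4}|10000", get("ioclisting.fetchsize", "2000")):
        out.append((PRE + "ioclisting.fetchsize", "not an integer up to 10000"))
    # Assumption: a secret without the "OBF:" prefix seen in the sample is cleartext.
    out += [(k, "cleartext secret") for k, v in props.items()
            if re.search(r"(password|access-key|secret-key)$", k) and not v.startswith("OBF:")]
    # Reviewer policy, not a vendor rule: TLS 1.2+ only, (EC)DHE key exchange with GCM.
    out += [(PRE + "server.ssl.enabled-protocols", "deprecated " + p.strip())
            for p in get("server.ssl.enabled-protocols").split(",")
            if p.strip() in {"SSLv3", "TLSv1", "TLSv1.1"}]
    out += [(PRE + "server.ssl.ciphers", "weak suite " + s.strip())
            for s in get("server.ssl.ciphers").split(",")
            if s.strip() and not re.fullmatch(r"TLS_(EC)?DHE_\w+_GCM_\w+", s.strip())]
    return sorted(out)

# Constructed sample input, not taken from a real deployment.
SAMPLE = """pi.webgui.session.max-age=0h
pi.webgui.server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
pi.webgui.server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, \\
  TLS_RSA_WITH_AES_256_CBC_SHA
pi.webgui.elasticsearch.password=changeme"""
if __name__ == "__main__":
    print(*audit(parse_properties(SAMPLE)), sep="\n")
```

Run against the sample file above, the TLS policy flags most of the listed cipher suites, which is the intended prompt to trim that list before exposing the port.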