[Tunnel_Service]

The [Tunnel_Service] stanza is used to configure the SSL tunnel used between the services and agents.

Parameter

Description

tunnel_enabled

Default: false.

True enables, any other value is disabled.

tunnel_bind_addr

Defaults to 0.0.0.0 (wildcard address); the IP or name of the network interface to which the tunnel should bind.

tunnel_port

Defaults to 15010.

The port number to which agents should connect or to which the tunnel should bind.

tunnel_mode

Defaults to Both.

Connection initiation mode: Connect, Accept or Both.

tunnel_proxy_port

Defaults to 15009.

Local port on which the tunnel listens for local proxy connection attempts (e.g. qpcgateway to an agent).

tunnel_init_period_mins

Defaults to 1 (minute).

Tunnel initiation occurs on this schedule if tunnel mode is either Connect or Both. Agents that are confirmed, and have a service-initiated ConnectionInitiation preference value are initiated on this schedule. Reconnects are attempted on the same schedule.

ssl_client_auth

Defaults to false.

Set if tunnel clients must authenticate. Requires key stores to be configured on the agents if set to true.

ssl_protocols

Defaults to TLS.

Defines the protocol that the tunnel uses.

Can be any of SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2.

ssl_include_ciphers

Defaults to TLS_DH_anon_WITH_AES_128_CBC_SHA.

Comma-separated whitelist of ciphers the tunnel uses; takes precedence over ssl_exclude_ciphers.

Valid cipher names are defined in  https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names .

Note that the cipher suite name must be supported by the configured "ssl_protocol".

ssl_exclude_ciphers

Defaults to Not set.

Comma-separated list of ciphers to NOT use. 

These ciphers are removed from those available in the JRE the default cipher list. ssl_include_ciphers has precedence.

Valid cipher suite names are defined in  https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names

Note that the cipher suite name must be supported by the configured "ssl_protocol".

ssl_truststore_file

Defaults to Not set.

Keystore file containing the trusted certificate entries.

ssl_truststore_type

Defaults to JKS.

ssl_truststore_password

Defaults to changeit.

Password for the store file. Should be changed. Can be OBF encoded (use the OBFPassword script).

ssl_trustman_algorithm

Defaults to PKIX.

ssl_keystore_file

Defaults to Not set.

The store file containing the TrueSight Middleware and Transaction Monitor Services keys.

ssl_keystore_type

Defaults to JKS.

ssl_keystore_password

Defaults to changeit.

Password for the store file. Should be changed. Can be OBF encoded (use the OBFPassword script).

ssl_keyman_algorithm

Defaults to JKS.

ssl_revokestore_password

Defaults to changeit.

use_internal_certificates

Defaults to false.

If true, TrueSight Middleware and Transaction Monitor generates and uses internally generated certificates (using SHA256withRSA keys). In addition, the key and trust store file names, types, and algorithm parameters are ignored.

If false TrueSight Middleware and Transaction Monitor must be provided with populated stores and the configuration parameters for them must be provided if authentication is required.

cert_validity_period

Defaults to 3650.

Certificate validity period, in days, for internally managed certificates.

cert_key_size

Defaults to 1024.

Key size used for internally generated certificates.

Was this page helpful? Yes No Submitting... Thank you

Comments