[Tunnel_Service]
The [Tunnel_Service] stanza is used to configure the SSL tunnel used between the services and agents.
| Parameter | Description |
|---|---|
| tunnel_enabled | Defaults to false. Changing the value to True enables the tunnel service; any other value disables the service. In MVMM Fix Pack 9.1.00.J, this parameter must be enabled if you want to enable the use of anonymous cipher suites for secure agent tunnels. |
| tunnel_bind_addr | Defaults to 0.0.0.0 (wildcard address). The IP address or name of the network interface to which the tunnel should bind. |
| tunnel_port | Defaults to 15010. The port number to which agents should connect or to which the tunnel should bind. |
| tunnel_mode | Defaults to Both. Connection initiation mode: Connect, Accept or Both. |
| tunnel_proxy_port | Defaults to 15009. Local port on which the tunnel listens for local proxy connection attempts (e.g. qpcgateway to an agent). |
| tunnel_init_period_mins | Defaults to 1 (minute). Tunnel initiation runs on this schedule when the tunnel mode is either Connect or Both. Confirmed agents whose ConnectionInitiation preference value is service-initiated are initiated on this schedule; reconnects are attempted on the same schedule. |
| ssl_allow_anon | Defaults to false. Set the value to true to allow the use of anonymous cipher suites. |
| ssl_client_auth | Defaults to false. Set to true if tunnel clients must authenticate. Requires key stores to be configured on the agents if set to true. |
| ssl_protocols | Defaults to TLSv1.2. Defines the protocol that the tunnel uses. Can be any of SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2. |
| ssl_include_ciphers | Defaults to TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Comma-separated whitelist of ciphers the tunnel uses; takes precedence over ssl_exclude_ciphers. Valid cipher names are defined in https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names. To use anonymous cipher suites in MVMM Fix Pack 9.1.00.J, you must include the name of the required anonymous cipher suite in this parameter. For example: ssl_include_ciphers=TLS_DH_anon_WITH_AES_128_CBC_SHA... |
| ssl_exclude_ciphers | Defaults to Not set. Comma-separated list of ciphers that must NOT be used; these ciphers are removed from the JRE's default cipher list. ssl_include_ciphers takes precedence. Valid cipher suite names are defined in https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names. Note that a cipher suite name must be supported by the configured ssl_protocols. |
| ssl_truststore_file | Defaults to Not set. Keystore file containing the trusted certificate entries. |
| ssl_truststore_type | Defaults to JKS. |
| ssl_truststore_password | Defaults to changeit. Password for the store file; should be changed. Can be OBF encoded (use the OBFPassword script). |
| ssl_trustman_algorithm | Defaults to PKIX. |
| ssl_keystore_file | Defaults to Not set. The store file containing the TrueSight Middleware and Transaction Monitor Services keys. |
| ssl_keystore_type | Defaults to JKS. |
| ssl_keystore_password | Defaults to changeit. Password for the store file; should be changed. Can be OBF encoded (use the OBFPassword script). |
| ssl_keyman_algorithm | Defaults to JKS. |
| ssl_revokestore_password | Defaults to changeit. |
| use_internal_certificates | Defaults to false. If true, MainView Middleware Monitor generates and uses internally generated certificates (using SHA256withRSA keys), and the key store and trust store file name, type, and algorithm parameters are ignored. If false, MainView Middleware Monitor must be provided with populated stores, and their configuration parameters must be provided if authentication is required. |
| cert_validity_period | Defaults to 3650. Certificate validity period, in days, for internally managed certificates. |
| cert_key_size | Defaults to 1024. Key size used for internally generated certificates. |
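As an added example (not part of the original documentation or of the product), the audit below parses a [Tunnel_Service] stanza with Python's configparser and flags the settings this table marks as risky: anonymous cipher suites, legacy protocols, unauthenticated tunnel clients, store passwords left at the default changeit, and internally generated keys below 2048 bits. The INI-style file layout, the OBF:1example password values and both sample stanzas are constructed assumptions; absent keys are treated as holding the documented defaults.

```python
import configparser
# Constructed sample stanza (assumed INI-style layout; values are illustrative, not from any real site).
WEAK_CONFIG = """
[Tunnel_Service]
tunnel_enabled = true
ssl_allow_anon = true
ssl_client_auth = false
ssl_protocols = TLSv1,TLSv1.2
ssl_include_ciphers = TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ssl_truststore_password = changeit
use_internal_certificates = true
cert_key_size = 1024
"""
# The same stanza with each weak setting corrected; keys left out keep the documented defaults.
HARDENED_CONFIG = """
[Tunnel_Service]
tunnel_enabled = true
ssl_client_auth = true
ssl_include_ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl_truststore_password = OBF:1example
ssl_keystore_password = OBF:1example
ssl_revokestore_password = OBF:1example
use_internal_certificates = true
cert_key_size = 2048
"""
PASSWORD_KEYS = ("ssl_truststore_password", "ssl_keystore_password", "ssl_revokestore_password")
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLS", "TLSv1", "TLSv1.1"}  # everything the table lists before TLSv1.2
def _is_true(v: str) -> bool: return v.strip().lower() == "true"  # only "true" enables a flag; anything else disables it

def audit_tunnel_service(text: str) -> list[str]:
    """Return findings for weak settings in the [Tunnel_Service] stanza of `text`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Tunnel_Service"):
        return ["no [Tunnel_Service] stanza found"]
    s = cp["Tunnel_Service"]
    if not _is_true(s.get("tunnel_enabled", "false")):
        return []  # tunnel disabled, so its SSL settings are not in use
    findings = []
    if _is_true(s.get("ssl_allow_anon", "false")):
        findings.append("ssl_allow_anon=true: anonymous suites give agents no way to verify the service")
    findings += [f"anonymous cipher suite in ssl_include_ciphers: {c}" for c in s.get("ssl_include_ciphers", "").split(",") if "_anon_" in c]
    findings += [f"legacy protocol in ssl_protocols: {p}" for p in sorted(LEGACY_PROTOCOLS & {p.strip() for p in s.get("ssl_protocols", "TLSv1.2").split(",")})]
    if not _is_true(s.get("ssl_client_auth", "false")):
        findings.append("ssl_client_auth=false: connecting agents are not authenticated")
    findings += [f"{k} is still the default 'changeit'" for k in PASSWORD_KEYS if s.get(k, "changeit").strip() == "changeit"]
    if _is_true(s.get("use_internal_certificates", "false")) and int(s.get("cert_key_size", "1024")) < 2048:
        findings.append("cert_key_size below 2048 bits for internally generated certificates")
    return findings
```

Running `audit_tunnel_service(WEAK_CONFIG)` yields eight findings (including the three store passwords, two of which are flagged only because the keys are absent), while the hardened stanza yields none.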