Storage Configuration

Storage configuration

The storage configuration includes the runtime database, ldap and session cache configuration.

The following example shows the storage configuration. More in-depth explanation of each section is available after the example.

runtime_db: mypq                                            # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                                                  # Specifies the type of session cache, in-memory, redis, or db.
  # cfg: redis-standalone                                   # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
  # life_time: 600                                          # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600`
  # max_entries: 60000                                      # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000`
server_connections:                                         # Server connections
  - name: mypq                                              # Connection name
    type: postgresql                                        # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2`
    database_name: verify-access                            # Specifies the database name. For database types only.
    hosts:                                                  # List of host information (IP and port)
      - hostname: postgresql                                # Server's hostname
        hostport: 5432                                      # Server's host port
    credential:                                             # Credential information to connect to the server
      username: postgres                                    # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='
                                                            # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      certificate:                                          # The SSL connection certificate array.
        - ks:postgres_keys                                  # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:
        key: ks:rt_profile_keys/postgres                    # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/postgres            # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:                                                 
          - ks:rt_profile_keys/ca                           # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false                  # The SSL connection validates the hostname.
    conn_settings:                                          # Connection settings
      max_idle_time: 10                                     # Maximum idle time in seconds
      min_pool_size: 5                                      # Minimum connection pool size
      max_pool_size: 50                                     # Maximum connection pool size
      connect_timeout: 5                                    # Connect timeout, in seconds
      aged_timeout: 30                                      # Aged timeout, in seconds
  - name: ldap_staging                                      # Connection name
    type: ldap                                              # Connection type
    hosts:                                                  # List of host information (IP and port)
      - hostname: openldap                                  # Server's hostname
        hostport: 636                                       # Server's host port
    credential:                                             # Credential information to connect to the host.
      bind_dn: cn=root,secAuthority=Default                 # Specifies the binding credential for the LDAP server connection.
      bind_password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='
                                                            # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
    ssl:
      certificate:                                          # The SSL connection certificate array.
        - ks:ldap_keys                                      # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:
        key: ks:rt_profile_keys/ldap                        # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/ldap                # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:                                                 # The mutual_auth connection certificate array.
          - ks:rt_profile_keys/ca                           # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false                  # The SSL connection validates the hostname.
    conn_settings:                                          # Connection pool settings for the LDAP server.
      max_pool_size: 50                                     # Maximum connection pool size.
      connect_timeout: 3                                    # Connect timeout, in seconds.
      aged_timeout: 5                                       # Aged timeout, in seconds.
  - name: redis-standalone                                  # Connection name
    type: redis                                             # Connection type
    deployment:                                             # Redis deployment information. for `redis` type only
      model: standalone                                     # Deployment model. `standalone` or `sentinel`
      # master: master                                      # Master node information. For `sentinel` model only
    hosts:                                                  # List of host information (IP and port)
      - hostname: redis                                     # Server's hostname
        hostport: 6390                                      # Server's host port
    credential:                                             # Credential information to connect to the host.
      username: isva                                        # Specifies the username to access the server
      password: 'OBF:oUqHV/2VlAeWb1D7uAdfQysti3vh44p5/rpCDR35gn4=' # p@ssw0rd
                                                            # Specifies the password for the redis server connection. It is recommended to obfuscate this.
    ssl:
      certificate:                                          # The SSL connection certificate array.
        - ks:redis_keys                                     # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:
        key: ks:rt_profile_keys/redis                       # When  mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/redis               # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:                                                 
          - ks:rt_profile_keys/ca                           # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false                  # The SSL connection validates the hostname.

Annotation used for keystores and certificate files

  • ks: Represents a keystore, the file system path that it will look under is /var/isvaop/config/keystore. If it is used for a key the equivalent pem file should reside under /var/isvaop/config/keystore/<keystore_name>/personal/ folder. If its used for a certificate the equivalent pem file should reside under /var/isvaop/config/keystore/<keystore_name>/signer/ folder.
  • @ Represents a file, it uses a relative file system path that it will look under is /var/isvaop/config/. Extensions such as .pem, .crt and .key can be used.
  • B64: Represents the literal value of the base64 encoded certificate or key.
  • Read more about key management.

Detailed Configuration: