Advanced configuration

Protocol to use to calculate the ACME base URL if there isn’t any X-Forwarded-Proto nor X-Forwarded-Host in the header of the request

Prefix used to calculate the ACME base URL

Defines whether Horizon should behave like the Boulder ACME implementation (if set to false, Horizon will strictly follow the RFC). Only applicable if horizon.acme.http.json.prettify is set to "true"

Whether the ACME API can be used with GET requests instead of POST ones

Maximum configurable timeout in the ACME profiles

Maximum configurable delay in the ACME profiles

Maximum configurable retry count in the ACME profiles

Number of instances that will be started for each Horizon node to perform the ACME validation

Order time to live

Number of instances that will be started for each Horizon node to perform the ACME validation

Acme challenge size

Http response as sent as prettyfied JSON

Interval at which order status is checked against the ACME server

Max delay before order retrieval against the ACME server is abandoned

The timeout for requests to the event analytics actor

Interval at which the events are synchronized

Enable event analytics

The timeout for requests to the discovery event analytics actor

Interval at which the discovery events are synchronized

Enable discovery event analytics

The timeout for requests to the certificate analytics actor

Enable certificate analytics

The url to the analytics database. Should start with jdbc:duckdb: followed by the absolute path of the file.

The thread pool size for the analytics operations. Should be equal to ((physical_core_count * 2) + effective_spindle_count)

The memory limit to set to the duck db analytics database

Batch size for certificate archive creation

Grace period of certificate archives before they can be deleted. Decreasing this value means less time to securely download the archive before it is available for deletion

Batch size for event archive creation

Grace period of event archives before they can be deleted. Decreasing this value means less time to securely download the archive before it is available for deletion

Time frame after which event archiving is allowed

Buffer size for the parquet writer. If using s3 backend, this should be no more than 2 times the 'storage.multipart-upload-buffer-size' to optimize performance

Interval at which the background process polls in-progress enrollment requests

Delay increment between consecutive polls for the same request (5, 10, 15, … minutes)

Upper bound for the poll delay

Parallelism for concurrent request polling

Interval at which the auto renewal process will check certificates to renew

Parallelism for concurrent certificate renewals on auto renew

Parallelism for concurrent profile auto renewal execution. Bumping this parameter will have a multiply effect on the horizon.auto-renew.parallelism.renewal parameter

How long the authentication cache lasts

Default administrator account name

Default administrator account display name

Relative path of the file where the initial admin password should be stored into

Length (in bytes) of the initial admin password

Default administrator account identity provider to use

Duration after which the bootstrap of Horizon times out

Default idle time after which a CA crl is removed from cache

Duration that the CA manager actor will wait to retrieve information about certificates (trust status, trust chain, …​)

Maximum configurable timeout for CRL/OCSP request for a CA

Maximum configurable refresh for a CA’s CRL

List of exporters to export client authenticated CAs to

Whether this exporter should export client CAs

Type of exporter. One of k8s-configmap, k8s-secret, file. The corresponding configuration parameters should be filled

How to format the CA certificates. One of pem-blocks

Path to the file to write the CAs to. Mandatory if type is file

Name of the configmap. Mandatory if type is k8s-configmap

Key of the element in the configmap

Name of the secret. Mandatory if type is k8s-secret

Key of the element in the secret

Number of certificates per batch when Horizon synchronizes the database with the CRL or updates the cached entries

The maximum number of CAs awaiting CRL synchronization for the certificate status cache. When modifying this value, the change should be reflected on the crl-task-dispatcher.thread-pool-executor.fixed-pool-size value

Number of CRLs to synchronize in parallel for the certificate status cache

Timeout for the synchronizer actor during DB synchronization

Number of CRLs to synchronize in parallel for DB synchronization. When modifying this value, the change should be reflected on the crl-task-dispatcher.thread-pool-executor.fixed-pool-size value

The maximum number of CAs awaiting CRL synchronization for DB synchronization

The CSV delimiter to use when exporting an HRQL query result to a CSV file

The CSV delimiter to use when exporting an HEQL query result to a CSV file

The CSV delimiter to use when exporting an HDQL query result to a CSV file

The CSV item attribute separator to use when exporting an HCQL query result to a CSV file

The CSV item separator to use when exporting an HCQL query result to a CSV file

The CSV delimiter to use when exporting an HCQL query result to a CSV file

Name of the HTTP header containing the certificate

Duration after which the DCV manager actor times out when retrieving dcv configuration in the database

Number of DCV policy that can be queued

Delay between DNS record creation and first validation attempt, to allow DNS propagation

Maximum number of domains submitted for validation within the time window defined by throttle.per for each dcv policy

Time window for the throttle

Number of DCVWorkerActor instances to start per cluster node

Default number of DCV lifecycle events returned per page

Maximum number of DCV lifecycle events that can be requested per page (null for unlimited)

Timeout for DCV lifecycle event search queries

Retention of DCV lifecycle event before they are removed from the database. This cannot be less than 30 days

Maximum time allowed for security principals search operations. For infinite timeout, use 0s

Maximum time allowed for request search and aggregate operations. For infinite timeout, use 0s

Maximum time allowed for event search operations. For infinite timeout, use 0s

Maximum time allowed for discovery event search and aggregate operations. For infinite timeout, use 0s

Maximum time allowed for certificate search and aggregate operations. For infinite timeout, use 0s

Time to live of the discovery events. If not set, events never expire

Time to live of the events. If not set, events never expire

Specify whether to chain and sign the Horizon events to ensure they haven’t been tampered with

Algorithm to use to hash the signature of the events in Horizon (other possible values are "HS384" and "HS256")

Secret to seal the events with

Do not throw an error if pending events are unsealed

Duration after which the event manager times out when trying to retrieve the last signed event in the database

How often will the Event Manager actor check in the database if new a new event appeared to sign it and display it in the "Events" section of Horizon

Difference of time allowed between the "Issued At Time" and the validation time (or the server time) (in the future only)

Difference of time allowed between the "Issued At Time" and the validation time (or the server time) (in the past only)

Difference of time allowed between the client time and the server time

Time to live of a password reset request (from the login prompt)

If set to true, enforces the use of the serverAuth EKU in the server authentication certificates (when Horizon accesses a service through TLS)

Duration after which the security manager times out when trying to authenticate a principal with its session

Default grace period for all requests

Default duration for all requests

Default duration for failed requests

Number of revocation requests downloaded from Intune

Limited to 500 max

Default timeout for REST requests for the REST datasource

Duration after which the Scheduler manager actor times out when retrieving scheduled tasks in the database

File extension that DER certificates sent as email attachments (through the notifications feature) will be given

File extension that PKCS#7 certificates sent as email attachments (through the notifications feature) will be given

File extension that PEM certificates sent as email attachments (through the notifications feature) will be given

Maximum recursion allowed for the HQL queries

Timeout for the system monitor loading

Timeout for thirdparty synchronization requests

Maximum configurable timeout on the PKI connectors

Duration after which the PKI Manager times out when trying to enroll or revoke a certificate

Number of parallel certificate requests (enrollment, revocation…) on the default queue

Number of certificate requests (enrollment, revocation) that can be queued on the default queue

Interval at which the PKI connectors statuses are checked

Hide the start-up banner

Default store encryption type to use when sending centralized EST responses

Choose whether or not scim discovery endpoints are authenticated

Default key type used for automation when none are specified in the profile

Custom endpoint configuration

Default allowed domains: a regular expression that the dns or email domains should match

Default allowed email domains: a regular expression that the email domains should match (after the @)

Default allowed dns domains: a regular expression that the dns domains should match

Duration after which the grading manager times out when retrieving the grading configuration from the database

How large can the grading manager queue can get before it discards new grading requests

Duration after which the grading actor times out when grading a certificate (upon enrolment)

Defines whether HTTP connections should remain open

Name of the HTTP header to use as Real IP

Name of the HTTP header containing the scheme requested - used for ACME

Name of the HTTP header containing the host requested - used for ACME

Path to the file containing the namespace identifier of the Kubernetes cluster

Namespace of the Kubernetes cluster. If defined, contents of the horizon.kubernetes.namespace-path will be ignored

Path to the file containing the certificate authorities of the Kubernetes cluster

Path to the file containing the token to authenticate on the API of the Kubernetes cluster

Host on which to join the Kubernetes API

Port on which to join the Kubernetes API

Timeout for requests to the Kubernetes API

Whether to join the Kubernetes API with http or https

TLS Version to use while connecting to the Kubernetes API

Number of retries in case of 401 response from Kubernetes API (can occur on token rotation)

Mimimum backoff for retries in case of 401 response from Kubernetes API (can occur on token rotation)

Maximum backoff for retries in case of 401 response from Kubernetes API (can occur on token rotation)

Random factor for retries in case of 401 response from Kubernetes API (can occur on token rotation)

Timeout to check for maintenance state on each request

Enable advanced metrics for collection

Interval at which short lived metrics are computed

Interval at which background metrics are computed

Size of the nonce value used for the JWT authentication token

Time to live of the nonce used to validate the JWT authentication token

Size (in bytes) of the challenge stored in the nonce

Duration for which a nonce stays in Horizon before being removed

Size (in bytes) of the challenge stored in the nonce

Duration for which a nonce stays in Horizon before being removed

Size (in bytes) of the challenge stored in the nonce

Duration for which a nonce stays in Horizon before being removed

Separator character of the OpenID state

Scheme to use for the callback

Selection order for the authentication method on the access token retrieval endpoint

The refresh interval between the deletion of expired reports with link email

Max stored number of CSV for a given report. If the field is negative or equal to zero, then the retention will be deactivated.

How many elements to retrieve in a security principals search query if no pageSize has been specified

How big can the pageSize parameter be in a security principals search query (Must be a positive integer)

How many elements to retrieve in a request search query if no pageSize has been specified

How big can the pageSize parameter be in a request search query (Must be a positive integer)

How many elements to retrieve in an event search query if no pageSize has been specified

How big can the pageSize parameter be in an event search query (Must be a positive integer)

How many elements to retrieve in a request search query if no pageSize has been specified

How big can the pageSize parameter be in a request search query (Must be a positive integer)

How many elements to retrieve in a request search query if no pageSize has been specified

How big can the pageSize parameter be in a request search query (Must be a positive integer)

Default idle time after which a token validation is no longer valid

Default interval for JWKS updates

Default cooldown after a JWKS update

Timeout for the JWKS endpoint HTTP call during a passive refresh

Default timeout for HTTP client requests when fetching JWKS endpoints

Whitelist of allowed storage types for heavy files

Timeout for the tenancy cache actor initialization

Grace period for the tenant when deleted before effective deletion can occur

Lifetime for transient (non escrowed) keys

Interval at which expired keys are removed from the database

How long must a trigger that fails for the first time wait before retrying

Maximum amount of failed attempts that a trigger can have before canceling

Trigger manager timeout

How often does the trigger manager check for triggers to run

Timeout to fetch dns records when using validation rules

The name of the escrow vault

The name of the configuration vault

Timeout for encryption requests