Advanced configuration

Some technical configurations can be applied to an instance directly in its configuration file. This should be used carefully as it may cause things to break.

Injecting advanced configuration

RPM
Kubernetes

On VMs, you have access to the /opt/stream/etc/conf.d/stream-extra.conf file. For each parameter you wish to override, create a newline and use the following syntax:

<parameter>=<value>

As an example, if you want to modify the file extension that DER certificates will have when sent as email attachments and set it to CRT, you need to add:

stream.metrics.enabled=true

After modifying the file, restart the Stream service:

$ systemctl restart stream

One added line means one modified option, you need to add as many lines at the end of the file as there are values that you want to override.

The Stream container provides a bundled application.conf file that is mostly configured through environment variables. To modify low-level behavior of Horizon that are not accessible through an environment variable, use the extraConfig value in your values.yaml file to update specific settings:

extraConfig: |
    stream {
      metrics.enabled = true
    }

Extra configurations are appended at the end of the config file, overriding any previously set config value.

Available settings

Parameter stream.security.http.headers.xapi.idprov was deleted.

Parameter stream.security.http.headers.xapi.key was deleted.

Parameter stream.security.http.headers.xapi.id was deleted.

Parameter stream.security.http.headers.xid was deleted.

Parameter stream.trustchain.ca.online.root.operational was deleted.

Parameter stream.trustchain.ca.online.root.non_operational was deleted.

Parameter stream.trustchain.ca.online.subordinate.operational was deleted.

Parameter stream.trustchain.ca.offline.root.non_operational was deleted.

Parameter stream.crl.manager.timeout was deleted.

Parameter stream.ocsp.manager.timeout was deleted.

Parameter stream.timestamping.manager.timeout was deleted.

Parameter stream.crl.queue.size was deleted.

Bootstrap Configuration

stream.bootstrap.administrator.name

stream.bootstrap.administrator.name = "administrator"

Default administrator account name

stream.bootstrap.administrator.display-name

stream.bootstrap.administrator.display-name = "Stream Administrator"

Default administrator account display name

This parameter replaces stream.bootstrap.administrator.display.name. Please modify your configuration accordingly

stream.bootstrap.administrator.password.path

stream.bootstrap.administrator.password.path = "var/run/adminPassword"

Relative path of the file where the initial admin password should be stored into

stream.bootstrap.local.identity.provider

stream.bootstrap.local.identity.provider = "local"

Length (in bytes) of the initial admin password

Default administrator account identity provider to use

stream.bootstrap.timeout

stream.bootstrap.timeout = "1m"

Duration after which the bootstrap of Stream times out

CRL Configuration

stream.crl.sync.interval

stream.crl.sync.interval = "15m"

Interval at which CRL synchronization occurs

stream.crl.cache.max-age.mode

stream.crl.cache.max-age.mode = "1s"

How to set max-age cache directive on crl fetch: one of 'disabled', 'nextrefresh' or a duration

stream.crl.cache.max-age.default

stream.crl.cache.max-age.default = "5m"

Default max-age duration in 'nextrefresh' mode when the CRL has no next refresh planned

stream.crl.upload.max-size

stream.crl.upload.max-size = "20m"

Max allowed size on applicative side for CRL uploads

Certificate authentication

stream.security.http.headers.certificate

stream.security.http.headers.certificate = null

Name of the HTTP header containing the certificate

stream.security.authentication.enforce-x509

stream.security.authentication.enforce-x509 = false

Allow only certificate authentication

Event Configuration

stream.event.ttl

stream.event.ttl = null

Time to live of the events. If not set, events never expire

stream.event.chainsign

stream.event.chainsign = true

Specify whether to chain and sign the Stream events to ensure they haven’t been tampered with

stream.event.seal.algorithm

stream.event.seal.algorithm = "HS512"

Algorithm to use to hash the signature of the events in Stream (other possible values are "HS384" and "HS256")

stream.event.seal.secret

stream.event.seal.secret = null

Secret to seal the events with

stream.event.ignore-unsealed-pending

stream.event.ignore-unsealed-pending = false

Do not throw an error if pending events are unsealed

stream.event.disable-stacktrace

stream.event.disable-stacktrace = false

Enable to remove stacktraces from Stream events

stream.event.timeout

stream.event.timeout = "30s"

Duration after which the event manager times out when trying to retrieve the last signed event in the database

stream.event.manager.interval

stream.event.manager.interval = "5s"

How often will the Event Manager actor check in the database if new a new event appeared to sign it and display it in the "Events" section of Stream

General

stream.security.trustmanager.enforce-serverauth

stream.security.trustmanager.enforce-serverauth = false

If set to true, enforces the use of the serverAuth EKU in the server authentication certificates (when Stream accesses a service through TLS)

This parameter replaces stream.security.trustmanager.enforce_serverauth. Please modify your configuration accordingly

stream.security.trustmanager.timeout

stream.security.trustmanager.timeout = "10s"

Timeout to check trust status of certificates

This parameter replaces stream.trust.manager.timeout. Please modify your configuration accordingly

stream.security.trustmanager.cache.expire-after-access.external

stream.security.trustmanager.cache.expire-after-access.external = "30d"

Time after which an entry in the CRL cache expires for external CAs

This parameter replaces stream.trust.manager.cache.external.expireafteraccess. Please modify your configuration accordingly

stream.security.trustmanager.cache.expire-after-access.managed

stream.security.trustmanager.cache.expire-after-access.managed = "5m"

Time after which an entry in the CRL cache expires for managed CAs

This parameter replaces stream.trust.manager.cache.managed.expireafteraccess. Please modify your configuration accordingly

stream.security.trustmanager.crl-info.interval

stream.security.trustmanager.crl-info.interval = "5m"

Interval at which CRL Info are synchronized in trust manager

stream.security.manager.timeout

stream.security.manager.timeout = "10s"

Duration after which the security manager times out when trying to authenticate a principal with its session

stream.security.principal.password.length

stream.security.principal.password.length = 42

Local accounts password length

This parameter replaces stream.account.secret.length. Please modify your configuration accordingly

stream.keystore.timeout

stream.keystore.timeout = "1m"

How long the authentication cache lasts

Timeout for operations using keystores (generating CSR, listing keys, etc ..)

stream.keystore.pkcs11.reload.delay

stream.keystore.pkcs11.reload.delay = "5s"

Delay when reloading pkcs11 keystores after an error

stream.keystore.healthcheck.interval

stream.keystore.healthcheck.interval = "5m"

Interval at which keystore status is checked

stream.keystore.required-for-readiness

stream.keystore.required-for-readiness = []

List of names of keystores that are required to consider the instance ready

stream.queue.timeout

stream.queue.timeout = "5s"

Timeout to register the queues in actors

stream.queue.parallelism

stream.queue.parallelism = 5

Number of parallel requests (enrollment, revocation, ocsp, timestamping…) on the default queue

This parameter replaces stream.queue.default.parallelism. Please modify your configuration accordingly

stream.queue.size

stream.queue.size = 100

Number of requests (enrollment, revocation, ocsp, timestamping, crl, krl) that can be queued on the default queue

This parameter replaces stream.queue.default.size,stream.crl.queue.size. Please modify your configuration accordingly

stream.metrics.enabled

stream.metrics.enabled = false

Enable advanced metrics for collection

stream.metrics.intervals.short

stream.metrics.intervals.short = "30s"

Interval at which short lived metrics are computed

stream.metrics.intervals.long

stream.metrics.intervals.long = "5m"

Interval at which background metrics are computed

stream.trigger.timeout

stream.trigger.timeout = "1m"

Timeout for registering the triggers in actors

stream.ntp.client.timeout

stream.ntp.client.timeout = "1m"

Timeout for registering the NTP Clients in actors

stream.system.monitor.timeout

stream.system.monitor.timeout = "1m"

Timeout for the system monitor loading

This parameter replaces stream.system.configuration.timeout. Please modify your configuration accordingly

stream.sql.max-recursion-depth

stream.sql.max-recursion-depth = 5

Maximum recursion allowed for the SQL (Stream Query Language) queries

HTTP Headers Configuration

stream.security.http.headers.enforce-connection-close

stream.security.http.headers.enforce-connection-close = true

Defines whether HTTP connections should remain open

This parameter replaces stream.http.header.enforce_connection_close. Please modify your configuration accordingly

stream.security.http.headers.real-ip

stream.security.http.headers.real-ip = "X-Real-IP"

Name of the HTTP header to use as Real IP

This parameter replaces stream.http.header.realip. Please modify your configuration accordingly

KRL Configuration

stream.krl.sync.interval

stream.krl.sync.interval = "15m"

Interval at which KRL synchronization occurs

stream.krl.cache.max-age.mode

stream.krl.cache.max-age.mode = "1s"

How to set max-age cache directive on krl fetch: one of 'disabled', 'nextrefresh' or a duration

stream.krl.cache.max-age.default

stream.krl.cache.max-age.default = "5m"

Default max-age duration in 'nextrefresh' mode when the KRL has no next refresh planned

Keyset configuration

stream.secret.manager.keyset.path

stream.secret.manager.keyset.path = "etc/stream.keyset"

Path to the keyset for secrets encryption

stream.secret.manager.keyset.master-key-uri

stream.secret.manager.keyset.master-key-uri = null

Master key URI to encrypt the keyset with

OCSP Configuration

stream.ocsp.timeout

stream.ocsp.timeout = "1m"

Timeout for processing OCSP requests and starting OCSP actors

stream.ocsp.request.max-size

stream.ocsp.request.max-size = "8k"

Max allowed size for OCSP requests

This parameter replaces stream.ocsp.request.maxsize. Please modify your configuration accordingly

stream.ocsp.default-next-update-delay

stream.ocsp.default-next-update-delay = "5m"

Default time for OCSP response next update when no crl refresh is available

This parameter replaces stream.ocsp.default.next_update_delay. Please modify your configuration accordingly

OpenID Configuration

stream.openid.state-separator

stream.openid.state-separator = "#"

Separator character of the OpenID state

This parameter replaces stream.security.identity.provider.openid.state.separator. Please modify your configuration accordingly

stream.openid.nonce.size

stream.openid.nonce.size = 32

Size (in bytes) of the challenge stored in the nonce

This parameter replaces stream.security.identity.provider.openid.nonce.size. Please modify your configuration accordingly

stream.openid.nonce.ttl

stream.openid.nonce.ttl = "1m"

Duration for which a nonce stays in Horizon before being removed

This parameter replaces stream.security.identity.provider.openid.nonce.ttl. Please modify your configuration accordingly

SSH Configuration

stream.ssh.ca.timeout

stream.ssh.ca.timeout = "1m"

Timeout for registering the SSH Certificate Authorities in actors

The Timeout of SSH CA actions

Search Configuration

stream.security.principal.search.page.default-size

stream.security.principal.search.page.default-size = 50

How many elements to retrieve in a security principals search query if no pageSize has been specified

This parameter replaces stream.security.principal.search.page.default_size. Please modify your configuration accordingly

stream.security.principal.search.page.max-size

stream.security.principal.search.page.max-size = null

How big can the pageSize parameter be in a security principals search query (Must be a positive integer)

This parameter replaces stream.security.principal.search.page.max_size. Please modify your configuration accordingly

stream.event.search.page.default-size

stream.event.search.page.default-size = 50

How many elements to retrieve in an event search query if no pageSize has been specified

This parameter replaces stream.event.search.page.default_size. Please modify your configuration accordingly

stream.event.search.page.max-size

stream.event.search.page.max-size = null

How big can the pageSize parameter be in an event search query (Must be a positive integer)

This parameter replaces stream.event.search.page.max_size. Please modify your configuration accordingly

stream.x509.certificate.search.page.default-size

stream.x509.certificate.search.page.default-size = 50

How many elements to retrieve in a X509 certificate search query if no pageSize has been specified

This parameter replaces stream.certificate.search.page.default_size. Please modify your configuration accordingly

stream.x509.certificate.search.page.max-size

stream.x509.certificate.search.page.max-size = null

How big can the pageSize parameter be in a X509 certificate search query (Must be a positive integer)

This parameter replaces stream.certificate.search.page.max_size. Please modify your configuration accordingly

stream.ssh.certificate.search.page.default-size

stream.ssh.certificate.search.page.default-size = 50

How many elements to retrieve in a SSH certificate search query if no pageSize has been specified

stream.ssh.certificate.search.page.max-size

stream.ssh.certificate.search.page.max-size = null

How big can the pageSize parameter be in a SSH certificate search query (Must be a positive integer)

TSA Configuration

stream.timestamping.timeout

stream.timestamping.timeout = "1m"

Timeout to register signers and process responses

stream.timestamping.authority.timeout

stream.timestamping.authority.timeout = "1m"

Timeout to register timestamping authorities in actors

stream.timestamping.request.max-size

stream.timestamping.request.max-size = "8k"

Max allowed size for timestamping requests

This parameter replaces stream.timestamping.request.maxsize. Please modify your configuration accordingly

X509 Configuration

stream.x509.ca.timeout

stream.x509.ca.timeout = "1m"

Timeout for registering the X509 Certificate Authorities in actors

The Timeout of X509 CA actions

This parameter replaces stream.ca.timeout. Please modify your configuration accordingly