Configure Oracle Insurance Gateway properties file
The following tables describe the properties that are maintained in the properties file. The property names are formatted for readability; note that a property name and its value must always be specified on one line in the properties file.
Property Name | Sample Value | Explanation |
---|---|---|
ohi.properties.file.poll.interval | Default is 10 | Specifies how often the system re-reads the properties file, in minutes. Default value: every 10 minutes. Minimum value: 1 minute; lower values are ignored and the default value is used instead. |
Dynamic Logic
Property Name | Sample Value | Explanation |
---|---|---|
ohi.dynamiclogic. | Default is /tmp | Path to the directory in which the system-generated Dynamic Logic classes are placed. |
ohi.dynamiclogic. | Default is true | Optional. Determines whether dynamic logic that has not been compiled before is compiled at start-up of the application. Default value is true. |
ohi.dynamiclogic.timeout | Default is 300 | Optional. Timeout, in seconds, for a running dynamic logic. When the timeout expires, the dynamic logic is interrupted and an exception is thrown. Default value is 300. Note that when this property is added or updated, the dynamic logic(s) need to be recompiled for the change to take effect; this can be done with the Invalidate Dynamic Logic Integration Point described in the Integration Guide. |
ohi.dynamiclogic.timeout. | 300 | Optional. Timeout, in seconds, for one particular dynamic logic; the property is keyed on the dynamic logic code. When the timeout expires, the dynamic logic is interrupted and an exception is thrown. As with ohi.dynamiclogic.timeout, the dynamic logic needs to be recompiled (Invalidate Dynamic Logic Integration Point, see the Integration Guide) after this property is added or updated. If this property is not set, the value of ohi.dynamiclogic.timeout is used (which in turn defaults to 300). |
Incident Reports
Property Name | Sample Value | Explanation |
---|---|---|
ohi.incident.rootdir | target/trace | OHI Components make use of the Logback library for generating log output. In the event of an unanticipated application exception, additional, more detailed exception trace information is written to an individual exception trace file. The location of these exception trace files is controlled by this property. By default the location "target/trace", relative to the directory from which the WebLogic server was started, is used. |
ohi.incidents.target | datafileset or file, default is file | OHI Incident files can be stored in the database, in a datafile set. Setting this property to "datafileset" activates that feature; otherwise the default mechanism, writing incident files to an O/S file system directory, is used. OHI Incident datafile sets get a code following the pattern "OHIIncidents<yyyMMdd>". |
ohi.incidents.datafileset. | 10 | When OHI Incident storage in datafile sets is activated, this property defines the number of days that OHI Incident datafile sets are retained. Older OHI Incident datafile sets are removed. |
Destination Address
Property Name | Sample Value | Explanation |
---|---|---|
address.key.<key> | URL | Defines the address of a destination. The <key> placeholder is replaced by the address key of the particular destination. |
Web Service Settings
Property Name | Value | Explanation |
---|---|---|
ohi.service.<service>.media.type | String, default value is application/json | The media type in which the response is sent to the external endpoint. |
ohi.service.<service>.method.type | String, default value is POST | The notification method type. <service> is replaced by the notification key. |
ohi.service.<service>.notification.method | String, optional. Possible values are POST or PUT. | Controls which HTTP method is used to send out the notification. Default is POST. |
ohi.service.<service>.client.authentication | Optional. Possible values are BasicAuthentication, OAuth or None | Specifies the REST-specific authentication mechanism to use for machine-to-machine communication. |
ohi.ws.api.default.pagesize | Integer >= 1, default 50 | Number of items fetched in an HTTP API request. |
ohi.ws.client.connectiontimeout | Positive integer value | The time in milliseconds before an attempt to connect to an outbound service times out. A value of 0 means never time out, which lets an unresponsive endpoint block the calling thread indefinitely; prefer a finite value. |
ohi.ws.client.readtimeout | Positive integer value | The time in milliseconds that the client waits for the server to respond to a request. A value of 0 means never time out; as with the connection timeout, prefer a finite value. |
ohi.ws.client.retrytimeout | Positive integer value | The time in milliseconds that the system waits before another attempt is made to access a failing service. A value of 0 means no delay before retrying. |
ohi.ws.last.login.update.threshold | Positive integer value | The number of hours that need to pass between logins before the user's last login timestamp is updated again. By default the last login timestamp is not updated more than once per hour. This only applies to logins through a web service, not the ADF UI. |
Single Sign-On and Web Gate related Properties
The following table lists properties that need to be set when OHI Components applications take part in Single Sign-On (SSO) scenarios or when OHI applications are fronted by a gateway that is responsible for handling authentication. Because the application trusts the principal carried in the SSO header, make sure the application is reachable only through the gateway that sets that header; a client that can reach the managed server directly could otherwise supply the header itself.
Property Name | Value | Explanation |
---|---|---|
ohi.security.sso. | Boolean value. Default is false. | The application rejects traffic without an SSO header. |
ohi.security.sso. | Boolean value. Default is false. | The application checks for an SSO header and, if one is not found, presents the user with a login screen. |
ohi.security.sso. | Optional. String value, defaults to OAM_REMOTE_USER for use with Oracle Access Manager. | The header in which to look for an SSO principal if it is not mapped via servlet security. |
ohi.security.sso. | Optional. Boolean value, default is false. | If set to true, a user that is SSO authenticated but does not exist in the application is provisioned in the application immediately. |
ohi.security.sso. | Optional. String value. Default is OHI_AUTO_PROVISION_USER. | If set to a code, the function dynamic logic that the code references is run to customise an auto-provisioned user. |
ohi.security.sso. | Optional. String value. Default is empty. | If set to a code, it is used to look up the security role that is added by default to auto-provisioned users. |
Cross Origin Resource Sharing related Properties
See the Security Guide for an introduction to Cross Origin Resource Sharing (CORS). For further explanation the reader is referred to W3C’s CORS specification.
The following table lists CORS related properties:
Property Name | Value |
---|---|
ohi.cors.access. | Required. Comma-separated list of allowed origins. The value "*" effectively means all origins are allowed; use an explicit list in production, in particular when credentials are allowed (see the next property). |
ohi.cors.access. | Optional. Header that indicates whether the response to a request can be exposed when the omit-credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials. Defaults to true. |
ohi.cors.access. | Optional. Header that indicates, as part of the response to a preflight request, which methods can be used during the actual request. Format: comma-separated list. Allows all methods by default. |
ohi.cors.access. | Optional. Header that indicates, as part of the response to a preflight request, which header field names can be used during the actual request. Format: comma-separated list. Allows all headers by default. |
ohi.cors.access. | Optional. Header that indicates how long the result of a preflight request can be cached in a preflight result cache. Value in seconds. Default value 1800. |
ohi.cors.access. | Optional. Header that indicates which response headers are safe to expose to the API of a CORS API specification. Comma-separated list of exposed headers. |
ohi.vary.header | Optional. Sets the Vary HTTP header. Comma-separated list; default value: Accept,Accept-Encoding,Accept-Language,Origin |
Intrusion Detection
OHI applications safeguard against Cross-Site Scripting (XSS) attacks by checking "untrusted" data that may be entered in HTTP API requests (see the Security Guide for intrusion detection principles). Detection behavior can be customized using the properties that are listed in the following table:
Property Name | Value |
---|---|
ohi.untrusteddata.check | XSS vulnerability detection is enabled by default. Disable it by setting this property to false. Only do so if other components in the landscape perform vulnerability detection. |
ohi.untrusteddata.domain.attribute.length | Domain attributes of type "string" are checked by default if their length is >= 30 characters. To be more stringent, decrease the default value using this property. The value must be a positive integer. |
ohi.untrusteddata.whitelist.domainattribute | Domain attributes are checked by default. Use this property to define a comma-separated list of customer-specific attributes that should be excluded from intrusion detection checking. |
ohi.untrusteddata.whitelist.httpheader | HTTP headers are checked by default. Use this property to define a comma-separated list of customer-specific headers that should be excluded from intrusion detection checking. |
ohi.untrusteddata.whitelist.queryparameter | HTTP query parameters are checked by default. Use this property to define a comma-separated list of customer-specific query parameters that should be excluded from intrusion detection checking. |
For example, to prevent mixed-encoded cookies that a client such as a browser sends with the request from resulting in a Bad Request, whitelist the Cookie header as follows:
ohi.untrusteddata.whitelist.httpheader=Cookie
A whitelisted header, query parameter or attribute is excluded from checking entirely, so keep these lists as short as possible.
Data Set Operations
The following table lists properties that deal with the Data Set Operations Integration point.
Property Name | Value | Explanation |
---|---|---|
ohi.datasetoperations.notification. | String | Related to the Data Set Operations Integration Point. Contains a URI that refers to the notification message that is sent once the process of uploading the data set payload has completed. Error messages prevent the import from happening. |
ohi.datasetoperations.notification. | String | Related to the Data Set Operations Integration Point. Contains a URI that refers to the notification message that is sent once the process of uploading the data set payload has completed. |
Using OAuth2 for REST Client Invocations
REST Clients in OHI applications can be configured to send requests to OAuth2-protected resources. See the implementation guide for further details about OAuth2 support in OHI applications.
The following table lists OAuth2 REST Client properties.
Property Name | Explanation |
---|---|
ohi.oauth.jwt | Expiration period (in seconds) of the JWT that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where the JWT is used as assertion). Default value: 600 seconds. Maximum value: 9999 seconds. |
ohi.oauth.jws | Algorithm used for signing the JWT that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type. Only RSA algorithms are currently supported. Default value: RS512. Alternative values: RS256; RS384. |
ohi.oauth.cert | Signing algorithm of the X509 certificates that OHI applications use to sign the JWT generated for the assertion grant type. Only RSA algorithms are currently supported. Default value: SHA512withRSA. |
ohi.oauth.accesstoken | Models the overhead of fetching an access token from the OAuth2 authorization server when the REST client caches the access token, e.g. to account for network delay between the client and the authorization server. |
Using OAuth2 for securing OHI Application’s RESTful Services
OHI application’s RESTful services can be OAuth2 protected. In that case the application validates and / or introspects OAuth2 access tokens that are sent as Bearer tokens in the HTTP Authorization header.
The following table lists OAuth2 server side properties.
Property Name | Token Validation Method | Explanation |
---|---|---|
ohi.oauth.token | N/A | Determines the access token validation method. Possible values: JWKSET and OAUTH2_ENDPOINT (the methods listed in the Token Validation Method column of this table). Default value: JWKSET. |
ohi.oauth.jwk.set.url | JWKSET | URL of the OAuth2 authorization server's JSON Web Key (JWK) Set endpoint. The OAuth2 authorization server should support RFC 7517. |
ohi.oauth.jwt.userid.claim | JWKSET | The claim in the JWT that identifies the user for which the OAuth2 access token was created. Default value: sub. |
ohi.oauth.jwk | JWKSET | Name of the domain-specific Key Store that holds the public key certificates that the system turns into a JWK Set. Default value: jsonwebkeys. Note that the "jsonwebkeys" Key Store has to be created via the Key Store management resource before it can be used. |
ohi.oauth.jwk | JWKSET | When using a set of public keys from a configured key store, this property controls which certificate identifier the JWT header's Key ID ("kid") is matched against. By default the Key ID is assumed to reference the alias of the certificate in the key store. Allowed values: alias; serialNumber. |
ohi.oauth.jws.verification.key | JWKSET | Filters the JWK Set used for OAuth2 access token validation: include signing keys only. Possible values: Y ("Yes") and N ("No"). Default value: N. |
ohi.oauth.jws.verification.key | JWKSET | Filters the JWK Set used for OAuth2 access token validation: include public keys only. Possible values: Y ("Yes") and N ("No"). Default value: N. |
ohi.oauth.jws.verification.key | JWKSET | Filters the JWK Set used for OAuth2 access token validation: include the JWS algorithm specified in the JWT header as an additional filter criterion. Possible values: Y ("Yes") and N ("No"). Default value: N. |
ohi.oauth.jws.verification.key | JWKSET | Filters the JWK Set used for OAuth2 access token validation: include the Key ID specified in the JWT header as an additional filter criterion. Possible values: Y ("Yes") and N ("No"). Default value: N. |
ohi.oauth.token | OAUTH2_ENDPOINT | URL of the OAuth2 authorization server's token validation or introspection endpoint. The endpoint is assumed to support Basic Authentication. |
ohi.oauth.token | OAUTH2_ENDPOINT | Unique client id for resolving the username and password credentials used to construct the Basic Authentication Authorization header when calling the token validation or introspection endpoint. |
ohi.oauth.token | OAUTH2_ENDPOINT | RFC 7662 Introspection Response member from which the username is derived. Default value: "sub" (without quotes). |
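The following is an added example, not Oracle Insurance Gateway code: a plain-Python model of the key selection and user identification that the JWKSET and OAUTH2_ENDPOINT properties in the table above describe, written so the effect of each Y/N filter flag and of the alias/serialNumber mapping can be seen on a constructed key store. No signature is verified; the point is which keys would be handed to the verifier and which claim names the user. Everything beyond the RFC 7517/7518 JWK members is an assumption of this example: the `KEY_STORE` entries with their `alias`, `serialNumber`, `use`, `alg` and `private` fields, the unsigned sample token, and the function names.

```python
# Added example, not Oracle Insurance Gateway code: a plain-Python model of
# the key selection and user identification that the JWKSET and
# OAUTH2_ENDPOINT properties above describe. No signature is verified; the
# point is which keys would be handed to the verifier.
import base64
import json
from typing import Dict, List, Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_sample_token(header: Dict, payload: Dict) -> str:
    """Constructed sample JWT; the third segment is a placeholder, not a JWS signature."""
    segments = [json.dumps(header, separators=(",", ":")).encode(),
                json.dumps(payload, separators=(",", ":")).encode(),
                b"placeholder-signature"]
    return ".".join(b64url_encode(s) for s in segments)


def decode_unverified(token: str):
    """Split a compact JWS into (header, payload) without checking the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


# Constructed key-store entries standing in for the "jsonwebkeys" Key Store.
# alias, serialNumber, use, alg and private are assumptions of this example;
# the two "1001" entries model a certificate plus its private key.
KEY_STORE = [
    {"alias": "oauth-signing-2024", "serialNumber": "1001", "use": "sig", "alg": "RS512", "private": False},
    {"alias": "oauth-signing-2023", "serialNumber": "1000", "use": "sig", "alg": "RS256", "private": False},
    {"alias": "transport-encryption", "serialNumber": "2000", "use": "enc", "alg": "RSA-OAEP", "private": False},
    {"alias": "oauth-signing-2024-key", "serialNumber": "1001", "use": "sig", "alg": "RS512", "private": True},
]


def build_jwk_set(entries: List[Dict], kid_from: str = "alias") -> List[Dict]:
    """Turn key-store entries into JWKs; kid_from is 'alias' (default) or 'serialNumber'."""
    if kid_from not in ("alias", "serialNumber"):
        raise ValueError("kid_from must be 'alias' or 'serialNumber'")
    jwks = []
    for entry in entries:
        jwk = {"kty": "RSA", "kid": entry[kid_from], "use": entry["use"],
               "alg": entry["alg"], "n": "<modulus omitted>", "e": "AQAB"}
        if entry["private"]:
            jwk["d"] = "<private exponent omitted>"  # RFC 7518 RSA private-key member
        jwks.append(jwk)
    return jwks


def select_verification_keys(jwks: List[Dict], header: Dict, sig_only: bool = False,
                             public_only: bool = False, match_alg: bool = False,
                             match_kid: bool = False) -> List[Dict]:
    """Apply the four filter flags (all default N) to the JWK Set for one token."""
    selected = []
    for jwk in jwks:
        if sig_only and jwk.get("use") != "sig":
            continue
        if public_only and "d" in jwk:
            continue
        if match_alg and jwk.get("alg") != header.get("alg"):
            continue
        if match_kid and jwk.get("kid") != header.get("kid"):
            continue
        selected.append(jwk)
    return selected


def user_id_from_jwt(payload: Dict, claim: str = "sub") -> Optional[str]:
    """ohi.oauth.jwt.userid.claim: which claim names the user (default sub)."""
    return payload.get(claim)


def user_id_from_introspection(response: Dict, element: str = "sub") -> Optional[str]:
    """RFC 7662: an inactive token identifies nobody, whatever other members say."""
    if not response.get("active"):
        return None
    return response.get(element)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value used when calling the introspection endpoint."""
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")
```

With all four flags at N the verifier is offered every key in the set, the encryption key and any private key material included; setting the Key ID and algorithm filters to Y narrows an RS512 token with kid `oauth-signing-2024` to one candidate. When the kid is mapped to the serial number, the certificate and its private key share a kid, and only the public-keys-only filter separates them.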
Task Processing
The following properties influence task processing behavior.
Property Name | Value | Explanation |
---|---|---|
ohi.processing.fillthreshhold | Positive integer value. Defaults to the number of processors reported to the JVM minus 1. | Suggested value is 1 less than the number of CPU cores available to the managed server. Determines the number of tasks that are submitted for processing at any given time. |
ohi.processing.filldepth | Positive integer value. Defaults to 2x the number of processors reported to the JVM. | Suggested value is a multiple of the number of CPU cores available to the managed server. Determines when the system looks for more tasks to submit for processing. |
ohi.processing.attemptLogLevel | Integer value >= 0. Default is 0 | A value greater than 0 means that data for failed task processing attempts is retained. |
ohi.processing.defaultdelay | Positive integer. Default is 3 | Default delay in seconds used when a failed task is re-queued for another attempt. Overridden if a delay is set on the task type. |
ohi.processing.maxIncompleteAttempts | Positive integer value. Default is 100000 | Number of times a task can resolve as "incomplete" before it is marked as in error. |
ohi.processing.maxErrorAttempts | Positive integer value. Default is 3. | Number of times a task can resolve as "errored" before it stops a task flow. |
ohi.processing.retryimmediate | Boolean, default is true | Determines whether a failed task is retried immediately or re-queued for another attempt after a delay. |
ohi.startup.start.task.processing | Boolean, default is true | Controls task processing for a managed server. By default, a managed server that executes an OHI Components application starts processing tasks from the work backlog queue as soon as it is started. Set this property to false (it can also be passed as a command-line parameter) to prevent the managed server from processing tasks after it is started. |
Integration related Properties
Property Name | Value | Explanation |
---|---|---|
ohi.oig.application.baseurl | For example: | The base URL for accessing the application; typically includes the machine or load balancer, the domain and a port number. This property is mandatory for correct links in responses and in the Location header. It is an instance of ohi.<application>.application.baseurl. The behaviour can be overridden per request with the custom header X-OHI-OBEY-HOST: if the header is present with value true, links are created from the request URL itself; if the header is absent or has value false, links are created from the property. Asynchronous responses and notifications that contain links always use the property, as before. |
ohi.http.api.path | For example: /oig-ws/api | The context root of the application. Default is api. |
<integrationStepCode>-timeAllowed | Numeric | The time this step is allowed to take to return a response. If the timeout expires, the system tries to fetch the status of the process through the URL in the Location header. Example key: invokeActivityStep-timeAllowed |
ohi.max.redirect.count | Numeric, default 10 | Maximum number of redirections that a particular external invocation follows. |
ohi.timeout.maxRepeatAttempts | Numeric, default 3 | How many times a timeout task checks whether the underlying work is complete. |
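The following is an added example, not Oracle Insurance Gateway code: it models how the ohi.oig.application.baseurl and ohi.http.api.path properties and the X-OHI-OBEY-HOST request header described above combine when a link or Location header is built. The request is a plain dict, and the optional trusted-host check is this example's own hardening, not something the page describes: when a request's own host is allowed to end up in links, that host must come from a trusted load balancer or gateway rather than from an arbitrary client, otherwise the header lets a caller plant a host of its choosing in links that other clients will follow.

```python
# Added example, not Oracle Insurance Gateway code: link construction from
# ohi.oig.application.baseurl, ohi.http.api.path and X-OHI-OBEY-HOST.
# The request dict and the trusted_hosts check are assumptions of this example.
from typing import Dict, Optional, Set


def link_base(properties: Dict[str, str], request: Dict,
              trusted_hosts: Optional[Set[str]] = None) -> str:
    """Return the scheme://host[:port] used for links in a synchronous response."""
    header_value = request.get("headers", {}).get("X-OHI-OBEY-HOST", "")
    obey_host = header_value.strip().lower() == "true"
    configured = properties["ohi.oig.application.baseurl"].rstrip("/")
    if not obey_host:
        return configured
    host = request["host"]
    if trusted_hosts is not None and host not in trusted_hosts:
        # Hardening choice of this example: a Host value that did not come from
        # a trusted proxy must not be reflected into links.
        return configured
    return f"{request['scheme']}://{host}"


def resource_link(properties: Dict[str, str], request: Dict, path: str,
                  trusted_hosts: Optional[Set[str]] = None,
                  asynchronous: bool = False) -> str:
    """Build a link to an API resource.

    Asynchronous responses and notifications always use the configured base
    URL, as the table states; only synchronous responses honour the header.
    """
    if asynchronous:
        base = properties["ohi.oig.application.baseurl"].rstrip("/")
    else:
        base = link_base(properties, request, trusted_hosts)
    context_root = properties.get("ohi.http.api.path", "api").strip("/")
    return f"{base}/{context_root}/{path.lstrip('/')}"
```

With the header absent the link uses the configured base URL; with `X-OHI-OBEY-HOST: true` it uses the request's own scheme and host, unless a trusted-host set is supplied and the host is not in it.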
Scheduler Based Integration
The following properties can be used to configure integration invocations that utilize a scheduler.
Property Name | Value | Explanation |
---|---|---|
ohi.exchange.scheduler.poolsize | Numeric, default 10 | Size of the thread pool that executes scheduler-based integrations. |
Blocking Integration Interaction Pattern
The following properties are used by the system to provide the notion of seemingly blocking integration interaction. The system automatically adjusts the pool size according to the bounds set by 'ohi.exchange.await.core.poolsize' and 'ohi.exchange.await.max.poolsize'.
Property Name | Value | Explanation |
---|---|---|
ohi.exchange.await.core.poolsize | Numeric, default 2 * the number of CPU cores available | If fewer than this many threads are running, a new thread is created to handle a request, even if other worker threads are idle. |
ohi.exchange.await.max.poolsize | Numeric, default 40 | If more than ohi.exchange.await.core.poolsize but fewer than ohi.exchange.await.max.poolsize threads are running, a new thread is created only if the queue (which has a maximum size of 2147483647) is full. With a value of 40 there are thus at most 40 threads available for 'async await'. Because the queue is effectively unbounded, in practice the pool rarely grows beyond the core size, so raise ohi.exchange.await.core.poolsize if more concurrent 'async await' work is needed. |
ohi.exchange.await.poll.interval | Numeric, default 1000 | The time between consecutive polls with which the system checks on an asynchronous exchange. Specified in milliseconds. |
ohi.exchange.blocking.timeout.max | Numeric, default 5000 | The maximum time the system waits for an asynchronous exchange to complete. Specified in milliseconds. |
Callout Properties
The following table lists properties used by the REST call-out client:
Property Name | Value | Explanation |
---|---|---|
ohi.rest.client.logging | Optional. Default is false | When "true", traffic to external systems is logged. Enable this only while troubleshooting: the logged requests and responses can contain credentials and personal data. |
ohi.service.client.cache.size | Optional. Default is 500 | Size of the REST Client cache. |
Data Exchange Related Properties
The following table lists data exchange/config migration related properties:
Property Name | Value | Explanation |
---|---|---|
ohi.application.uri.<source_application> | String | URI of the source application from which the data-set metadata to be processed is retrieved. The <source_application> placeholder should be replaced. |
ohi.<notification_key>.endpoint.request | String. For example: | Lets web service client interactions identify their request URI destination; this property supplies the URI of the endpoint. The <notification_key> placeholder should be replaced. |
ohi.cm.concurrency.limit | Positive integer value. Default is 2 | Number of parallel threads used in the configuration migration tool's export and import processes. For better performance, set this property equal to the number of CPU cores. For example, with 6 single-core CPUs, set it to 6. |
Purge Notification Properties
The following properties are applicable for configuring endpoints for purge process notification:
Property Name | Value | Explanation |
---|---|---|
ohi.purge.notification.endpoint.<PURGE TYPE> | URL. Possible purge types: 'PurgeEvent', 'PurgeExchange', 'PurgeTechnicalData' | Overrides, for the specific <PURGE TYPE>, any value specified for ohi.purge.notification.endpoint. |
ohi.purge.notification.endpoint | URL. Optional for any purge type for which a type-specific endpoint is configured. | The base URI of the system that receives the notification events. |
User Interface related Properties
The following table lists user interface related properties:
Property Name | Value | Explanation |
---|---|---|
ohi.environment.identifier | Samples: "User Acceptance Test", "Development" | Text string displayed on the home page of the system that helps the user identify the environment. |
ohi.ui.backEndURL | Root URL of the generic HTTP API resources | Fully qualified URL for HTTP API resources. The path in the URL should include the context root for HTTP API resources; the default context root is '/api'. Note that this could be a load balancer URL and/or that the default context root might have been overwritten using a deployment plan. |
ohi.ui.api.authentication. | Default: OAuth | Authentication mechanism for the JET UI. One of OAuth, BasicAuthentication, WebGate (in case a gateway handles authentication) or OpenID (in case OpenID Connect is used; see the next table for more properties). |
ohi.ui.api.authentication. | | The clientId is the public identifier for the JET UI. Mandatory when using OAuth; not applicable otherwise. Has no default value. |
ohi.ui.backEnd.root.url | | The base URL for accessing web services; typically includes the machine or load balancer, the domain and a port number. |
ohi.ui.accessToken.url | | The WebGate URL to access the accessToken resource. |
ohi.ui.accessToken.root.url | | The WebGate URL root (required for the CSP whitelist). |
ohi.ui.webgate.url | | OAM URL (required for the CSP whitelist). |
ohi.ui.waitTime | Default is 1500 | The time (in milliseconds) between entering a character in a search field and the search firing. Applies to quick search and LOV; the suggested value is 1500. |
ohi.ui.session.timeout | Default is 3600000 | The idle time (in milliseconds) after which the current user session expires and the 'The page has expired' warning dialog is displayed. Clicking OK redirects the user to the login page. The default is 1 hour (3600000 ms). A value of 0 means never time out. |
User Interface related Properties specifically for OpenID Connect Support
The following table lists user interface related properties, specifically for OpenID Connect support:
Property Name | Value | Explanation |
---|---|---|
ohi.oauth.use.openidconnect | false or true | False by default. When set to true, OIG activates the OpenID Connect sub-module so that the User Interface can use it. |
ohi.oauth.idp.uri | | The Identity Provider (IDP) URL from which the OpenID Connect configuration is acquired. |
ohi.oauth.token.introspection.endpoint.client_id | | The identification of the OpenID Connect client as registered in the IDP. |
ohi.oauth.token.introspection.endpoint.client_secret | | The secret associated with the above OpenID Connect client, which has to be presented to acquire an access token. This secret needs to be stored in a secured/secret location. |
ohi.security.oauth.frontend | | Specifies the base URL of the JET Application that needs to be secured (e.g. |
ohi.security.oauth.callback | | The OpenID Connect callback URL invoked after the user has been authenticated through OpenID Connect but before an access token has been obtained. Defaults to: oidc/callback. |
ohi.security.oauth.logout | | The OpenID Connect URL invoked after a user has chosen to log out from the OIG UI. Defaults to: oidc/logout. |
ohi.security.oauth.cookie.path | | A path that must exist in the requested URL, or the browser will not send the Cookie header. Defaults to '/'. |
ohi.security.oauth.cookie.name | | The name of the cookie. Defaults to 'OHI_SHARED_AUTH'. |
ohi.security.oauth.cookie.maxage | | Number of seconds until the cookie expires. Defaults to 3600. |
ohi.security.oauth.cookie.secure | false or true | When set to true, the cookie is only sent to the server when the request is made with the https: scheme. Defaults to false; set it to true for any deployment that is reached over HTTPS, so the authentication cookie is never sent over plain HTTP. |
Monitoring & Metrics Related Properties
The following properties are related to monitoring and metrics gathering:
Property Name | Value | Explanation |
---|---|---|
ohi.healthcheck.url.mapping | String, URL mapping (e.g. /up) | Defines the mapping between the Healthcheck servlet and a URL pattern. |
ohi.prometheusservlet.url.mapping | String, URL mapping | Defines the mapping between the Prometheus servlet and a URL pattern. |
ohi.instrumentation.gather.applicationmetrics | Boolean, false by default | Set to true to enable recording of metrics. |
ohi.instrumentation.gather.jvmtelemetry | Boolean, false by default | Set to true to enable recording of JVM telemetry. |
ohi.instrumentation.filter.ohi.nameprefix | Boolean, true by default | Set to false to enable recording of non-OHI metrics. |
ohi.instrumentation.common.application.tag | Boolean, false by default | Set to true to tag each metric with the name of the application. |
ohi.instrumentation.<timer>.percentiles | Comma-separated string, e.g. 0.5,0.75,0.95,0.99 | Percentiles published for the configured timer. |
ohi.instrumentation.<timer>.histogram | Boolean, false by default | Determines whether histogram buckets for the configured timer are published. |
ohi.instrumentation.<timer>.regex | Regular expression | Data for the timer is published only if the tag named by ohi.instrumentation.<timer>.regex.tagname matches this regular expression. |
ohi.instrumentation.<timer>.regex.tagname | String | Name of the tag that is tested against the regular expression specified by ohi.instrumentation.<timer>.regex. |
See the Administration Guide for more details about metrics related properties.