Configure Oracle Insurance Gateway properties file

The following tables describe the properties that are maintained in the properties file. Long property names are shown wrapped here for readability; in the properties file itself a property name and its value must always be specified on one line.

Property Name Sample Value Explanation

ohi.properties.file.poll.interval

Default is 10

Specifies how often the system re-reads the file, in minutes. The default is every 10 minutes and the minimum is 1 minute; values lower than the minimum are ignored and the default value is used.

Dynamic Logic

Property Name Sample Value Explanation

ohi.dynamiclogic.classes.directory

Default is /tmp

Path to directory in which the system generated Dynamic Logic classes are placed.

ohi.dynamiclogic.startup.compile

Default is true

An optional property that determines whether dynamic logic that has not been compiled before is compiled at start-up of the application. Default value is true.

ohi.dynamiclogic.timeout

Default is 300

An optional property that determines the timeout of a running dynamic logic. If the timeout is expired, the dynamic logic is interrupted and an exception is thrown. The value is in seconds. Default value is 300.

Please note that when the dynamic logic timeout property is added or updated, the dynamic logic(s) need to be recompiled for the property change to take effect. This can be done by using the Invalidate Dynamic Logic Integration Point explained in the Integration Guide.

ohi.dynamiclogic.timeout.<dynamic_logic_code>

300

An optional property that determines the timeout of the running dynamic logic. If the timeout is expired, the dynamic logic is interrupted and an exception is thrown. The value is in seconds. This property is keyed on the particular dynamic logic code.

Please note that when the dynamic logic timeout property is added or updated, the dynamic logic(s) need to be recompiled for the property change to take effect. This can be done by using the Invalidate Dynamic Logic Integration Point explained in the Integration Guide. If this property is not set, the value of ohi.dynamiclogic.timeout is used (which in turn has a default of '300').

Incident Reports

Property Name Sample Value Explanation

ohi.incident.rootdir

target/trace

OHI Components use the Logback library for generating log output. In the event of an unanticipated application exception, additional, more detailed exception trace information is written to an individual exception trace file. The location of these exception trace files is controlled by this property. By default the location "target/trace", relative to the directory from which the WebLogic server was started, is used.
When changing the value for this property, make sure that the OS user that executes the WebLogic server processes is able to create the directory referenced by the property and to read and write files in it.

ohi.incidents.target

datafileset or file, default is file

OHI Incident files can be stored in the database, in a datafile set. Whenever this property is set to "datafileset" this feature is activated; otherwise the default mechanism of writing incident files to an O/S file system directory is used. The OHI Incident datafile sets have a code with the following pattern: "OHIIncidents<yyyMMdd>"

ohi.incidents.datafileset.retentionperiod

10

Whenever OHI Incident storage in datafile sets is activated, this property defines the number of days that OHI Incident datafile sets are retained. Older OHI Incident datafile sets are removed.

Destination Address

Property Name Sample Value Explanation

address.key.<key>

URL

Used for defining the address key property. The <key> placeholder is to be replaced by the particular address key of the destination.

Web Service Settings

Property Name Value Explanation

ohi.service.<service>.media.type

String, Default value is application/json

The media type in which the response is sent to the external endpoint.

ohi.service.<service>.method.type

String, Default value is POST

Used for the notification method type. <service> is replaced by the notification key.

ohi.service.<service>.notification.method

String, Optional. Possible values are POST or PUT.

Controls which HTTP method is used to send out the notification. Default is POST.

ohi.service.<service>.client.authentication

Optional. Possible values are BasicAuthentication, OAuth or None.

Used to specify the REST specific authentication mechanism to use for machine-to-machine communication.

ohi.ws.api.default.pagesize

Integer >=1, default 50

Number of items fetched in an HTTP API request.

ohi.ws.client.connectiontimeout

Positive integer value
Default: 60000

The time in milliseconds before the attempt to connect to an outbound service times out. A value of 0 means never timeout.

ohi.ws.client.readtimeout

Positive integer value
Default: 60000

The time in milliseconds that the client will wait for the server to respond to the request. A value of 0 means never timeout.

ohi.ws.client.retrytimeout

Positive integer value
Default: 1000

The time in milliseconds that the system will wait before another attempt is made to access a failing service. A value of 0 means no timeout before retrying.

ohi.ws.last.login.update.threshold

Positive integer value
Default: 1
Minimum: 1

The number of hours that need to pass between logins before updating the user’s last login timestamp. By default, the last login timestamp will not be updated more than once per hour. This only applies to logins through a web service, not the ADF UI.

The following table lists properties that need to be set when OHI Components applications take part in Single Sign-On (SSO) scenarios or when OHI applications are fronted by a gateway that is responsible for handling authentication:

Property Name Value Explanation

ohi.security.sso.required

Boolean value. Default is false.

The application will reject traffic without an SSO header.

ohi.security.sso.enabled

Boolean value. Default is false.

The application will check for an SSO header, and if one is not found, present the user with a login screen.

ohi.security.sso.header

Optional. String value, defaults to OAM_REMOTE_USER for use with Oracle Access Manager.

The header value in which to check for an SSO principal if it is not mapped via servlet security.

ohi.security.sso.provisionOnDemand

Optional. Boolean value, default is false.

If this is set to true, a user who is SSO authenticated but does not exist in the application is provisioned in the application immediately.

ohi.security.sso.provisionOnDemandDylo

Optional. String value. Default is OHI_AUTO_PROVISION_USER.

If this is set to a code, the function dynamic logic the code references will be run to customise an auto-provisioned user.

ohi.security.sso.provisionOnDemandRole

Optional. String value. Default is empty.

If this is set to a code, it will be used to look up the security role that is added by default to auto-provisioned users.

See the Security Guide for an introduction to Cross Origin Resource Sharing (CORS). For further explanation the reader is referred to W3C’s CORS specification.

The following table lists CORS related properties:

Property Name Value

ohi.cors.access.control.allow.origin

Required. Comma-separated list of allowed origins. The value "*" effectively means all origins are allowed.

ohi.cors.access.control.allow.credentials

Optional. Header that indicates whether the response to the request can be exposed when the omit credentials flag is unset. When this is part of the response to a preflight request it indicates that the actual request can include user credentials. Defaults to true.

ohi.cors.access.control.allow.methods

Optional. Header that indicates, as part of the response to a preflight request, which methods can be used during the actual request. Format: comma-separated list. Allows all methods by default.

ohi.cors.access.control.allow.headers

Optional. Header that indicates, as part of the response to a preflight request, which header field names can be used during the actual request. Format: comma-separated list. Allows all headers by default.

ohi.cors.access.control.max.age

Optional. Header that indicates how long the results of a preflight request can be cached in a preflight result cache. Value in seconds. Default value 1800.

ohi.cors.access.control.expose.headers

Optional. Header that indicates which headers are safe to expose to the API of a CORS API specification. Comma-separated list of exposed headers.

ohi.vary.header

Optional. Set Vary HTTP Header. Comma-separated list; default value: Accept,Accept-Encoding,Accept-Language,Origin

Intrusion Detection

OHI applications safeguard against Cross-Site Scripting (XSS) attacks by checking "untrusted" data that may be entered in HTTP API requests (see the Security Guide for intrusion detection principles). Detection behavior can be customized using the properties that are listed in the following table:

Property Name Value

ohi.untrusteddata.check

XSS vulnerability detection is enabled by default. Disable it by setting the value of this property to false. This should only be done if other components in the landscape perform vulnerability detection.

ohi.untrusteddata.domain.attribute.length

Domain attributes of type "string" are checked by default if the length >= 30 characters. To be more stringent decrease the default value using this property. The value must be a positive integer.

ohi.untrusteddata.whitelist.domainattribute

Domain attributes are checked by default. Use this property to define a comma-separated list of customer-specific attributes that should be excluded from intrusion detection checking.
Format: <DOMAIN OBJECT SIMPLE NAME>.<ATTRIBUTE NAME>,<DOMAIN OBJECT SIMPLE NAME>.<ATTRIBUTE NAME>. For example: NOTE.NOTETEXT

ohi.untrusteddata.whitelist.httpheader

HTTP Headers are checked by default. Use this property to define a comma-separated list of customer-specific headers that should be excluded from intrusion detection checking.
Format: <HEADER NAME>,<HEADER NAME>.

ohi.untrusteddata.whitelist.queryparameter

HTTP Query Parameters are checked by default. Use this property to define a comma-separated list of customer-specific query parameters that should be excluded from intrusion detection checking.
Format: <QUERY PARAMETER NAME>,<QUERY PARAMETER NAME>.

For example, to prevent mixed-encoded Cookies that a client such as a browser sends as part of the request from resulting in a Bad Request, whitelist the Cookie header as follows:

ohi.untrusteddata.whitelist.httpheader=Cookie
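As an added check (example code written for this page, not part of OHI), the following Python script parses a properties file in the format used above and flags the risky combinations that the SSO, CORS and Intrusion Detection sections describe: a wildcard CORS origin while credentials are allowed, SSO enabled without being required, untrusted-data (XSS) checking disabled, a malformed domain-attribute whitelist entry, and outbound client timeouts of 0. The property names and defaults it checks come from this page; the sample file and the finding texts are constructed for the example.

```python
"""Lint an OIG properties file for the risky settings described on this page.
Illustrative example, not OHI code; property names are those documented above."""
import re

# Constructed sample properties file, not taken from a real deployment.
SAMPLE_PROPERTIES = """\
# OIG properties (constructed sample)
ohi.security.sso.enabled=true
ohi.security.sso.required=false
ohi.cors.access.control.allow.origin=*
ohi.cors.access.control.allow.methods=GET,POST
ohi.untrusteddata.check=false
ohi.untrusteddata.whitelist.domainattribute=NOTE.NOTETEXT,NOTETEXT
ohi.untrusteddata.whitelist.httpheader=Cookie
ohi.ws.client.connectiontimeout=0
ohi.ws.client.readtimeout=60000
"""


def parse_properties(text):
    """Minimal java.util.Properties-style parser: '#' or '!' comment lines,
    key=value / key:value / key value, whitespace trimmed, and a trailing
    backslash joining the next line (the page asks for one line per property)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def is_true(value):
    # Same semantics as Boolean.parseBoolean: only "true" (any case) is true.
    return value.strip().lower() == "true"


def lint_properties(props):
    """Return (property name, finding) pairs for the settings this page warns about."""
    findings = []
    origin_key = "ohi.cors.access.control.allow.origin"
    origin = props.get(origin_key)
    # The page documents allow.credentials as defaulting to true.
    credentials = props.get("ohi.cors.access.control.allow.credentials", "true")
    if origin is None:
        findings.append((origin_key, "required property is missing"))
    elif "*" in [o.strip() for o in origin.split(",")] and is_true(credentials):
        findings.append((origin_key, "wildcard origin while credentials are allowed; "
                         "CORS forbids '*' for credentialed requests: list explicit "
                         "origins or set allow.credentials=false"))
    if (is_true(props.get("ohi.security.sso.enabled", "false"))
            and not is_true(props.get("ohi.security.sso.required", "false"))):
        findings.append(("ohi.security.sso.required", "SSO enabled but not required: "
                         "requests without an SSO header get a login screen instead "
                         "of being rejected"))
    if props.get("ohi.untrusteddata.check", "true").strip().lower() == "false":
        findings.append(("ohi.untrusteddata.check", "XSS detection disabled; only "
                         "acceptable if another component in the landscape performs it"))
    for entry in props.get("ohi.untrusteddata.whitelist.domainattribute", "").split(","):
        entry = entry.strip()
        if entry and entry.count(".") != 1:
            findings.append(("ohi.untrusteddata.whitelist.domainattribute",
                             f"entry '{entry}' is not <DOMAIN OBJECT>.<ATTRIBUTE>"))
    for key in ("ohi.ws.client.connectiontimeout", "ohi.ws.client.readtimeout"):
        if props.get(key, "60000").strip() == "0":
            findings.append((key, "0 means never time out; a stalled endpoint can "
                             "hold client threads indefinitely"))
    return findings


def lint_text(text):
    return lint_properties(parse_properties(text))


if __name__ == "__main__":
    for name, finding in lint_text(SAMPLE_PROPERTIES):
        print(f"{name}: {finding}")
```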

Data Set Operations

The following table lists properties that deal with the Data Set Operations Integration point.

Property Name Value Explanation

ohi.datasetoperations.notification.endpoint.export

String

This property is related to the Data Set Operations Integration Point. It contains a URI that refers to the notification message; this message is sent once the process of uploading the data set payload is completed. Error messages prevent the import from happening.

ohi.datasetoperations.notification.endpoint.import

String

This property is related to the Data Set Operations Integration Point. It contains a URI that refers to the notification message; this message is sent once the process of uploading the data set payload is completed.

Using OAuth2 for REST Client Invocations

REST Clients in OHI applications can be configured to send requests to OAuth2 protected resources. See the implementation guide for further details about OAuth2 support in OHI applications.

The following table lists OAuth2 REST Client properties.

Property Name Explanation

ohi.oauth.jwt.expiration.period

Expiration period (in seconds) for the JWT token that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where the JWT is used as assertion). Default value: 600 seconds. Maximum value: 9999 seconds.

ohi.oauth.jws.signing.algorithm

Algorithm used for signing the JWT token that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where the JWT is used as assertion). Note that only RSA algorithms are currently supported. Default value: RS512. Alternative values: RS256; RS384.

ohi.oauth.cert.signing.algorithm

Determines the signing algorithm for X509 certificates that are used by OHI applications to sign the JWT token that an OHI application generates for obtaining an OAuth2 access token through the assertion grant type (where the JWT is used as assertion). Only RSA algorithms are currently supported. Default value: SHA512withRSA.

ohi.oauth.accesstoken.expiry.time.delay

Models the overhead of fetching an access token from an OAuth2 authorization server, so that the access token can be cached correctly in the REST client, e.g. to account for some network delay between the client and the authorization server.
Example: if the authorization server returns a token with an expiry time of 3600 seconds and the network delay is expected to be 100 ms, then 100 ms could be configured for this key. The resulting access token is cached for the original expiry time minus the overhead time, i.e. 3600000 - 100 = 3599900 ms.
The value should be specified in milliseconds.

Using OAuth2 for securing OHI Application’s RESTful Services

OHI application’s RESTful services can be OAuth2 protected. In that case the application validates and / or introspects OAuth2 access tokens that are sent as Bearer tokens in the HTTP Authorization header.

The following table lists OAuth2 server side properties.

Property Name Token Validation Method Explanation

ohi.oauth.token.validation.method

N/A

Determines the access token validation method. Possible values:

  • JWKSET: OAuth2 access tokens are validated by the resource server. Assuming the token is a JWT, it is validated against a JSON Web Key (JWK) Set as defined by RFC 7517. Possible sources of the JWK Set are: an endpoint exposed by an OAuth2 authorization server; or a set of public key certificates that are managed in a local key store.

  • OAUTH2_ENDPOINT: validates the token using an OAuth2 authorization server’s token introspection endpoint as defined by RFC 7662.

Default value: JWKSET.

ohi.oauth.jwk.set.url

JWKSET

URL value for the OAuth2 authorization server JSON Web Key (JWK) Set endpoint. The OAuth2 authorization server should support RFC 7517.

ohi.oauth.jwt.userid.claim

JWKSET

Specifies the claim in the JWT that can be used to identify the user for which the OAuth2 access token was created. Default value: sub.

ohi.oauth.jwk.keystore.name

JWKSET

Name of the domain specific Key Store that holds public key certificates that the system will turn into a JWK Set. Default value: jsonwebkeys. Note that the "jsonwebkeys" Key Store has to be created via the Key Store management resource before it can be used.

ohi.oauth.jwk.publickey.keyid.source

JWKSET

When using a set of public keys from a configured key store this property controls to which certificate identifier the JWT header’s KeyID ("kid") will be matched. By default it is assumed that the KeyID contains a reference to the alias of the certificate in the key store. Allowed values: alias; serialNumber.

ohi.oauth.jws.verification.key.selection.signing_keys_only

JWKSET

To filter the JWK Set that is used for OAuth2 access token validation: include signing keys only. Possible values: Y ("Yes") and N ("No"). Default value: N.

ohi.oauth.jws.verification.key.selection.public_keys_only

JWKSET

To filter the JWK Set that is used for OAuth2 access token validation: include public keys only. Possible values: Y ("Yes") and N ("No"). Default value: N.

ohi.oauth.jws.verification.key.selection.jws_algorithm

JWKSET

To filter the JWK Set that is used for OAuth2 access token validation: include the JWS algorithm as specified in the JWT header as an additional filter criterion. Possible values: Y ("Yes") and N ("No"). Default value: N.

ohi.oauth.jws.verification.key.selection.key_id

JWKSET

To filter the JWK Set that is used for OAuth2 access token validation: include the Key ID as specified in the JWT header as an additional filter criterion. Possible values: Y ("Yes") and N ("No"). Default value: N.

ohi.oauth.token.introspection.endpoint.url

OAUTH2_ENDPOINT

URL value for the OAuth2 authorization server token validation or introspection endpoint. It is assumed that the endpoint supports Basic Authentication.

ohi.oauth.token.introspection.endpoint.client_id

OAUTH2_ENDPOINT

Unique client id for resolving the username and password credentials that are used to construct the Basic Authentication Authorization header when calling the OAuth2 authorization server token validation or introspection endpoint.

ohi.oauth.token.introspection.response.username

OAUTH2_ENDPOINT

RFC 7662 defined Introspection Response element that will be used to derive the username from. Default value: "sub" (without quotes).
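As an added illustration (example code written for this page, not OHI's implementation), the following Python applies the four ohi.oauth.jws.verification.key.selection.* filters to a constructed JWK Set when choosing the keys that may verify a token, and shows that with all four switched on a token's header selects exactly one candidate or none. It assumes that a key which does not declare the attribute a filter tests (use, alg or kid) is dropped by that filter; the key material values are placeholders.

```python
"""Select JWT verification keys from a JWK Set using the
ohi.oauth.jws.verification.key.selection.* Y/N filters documented above.
Illustrative example, not OHI code. Assumption: a key that does not declare
the attribute a filter tests (use, alg, kid) cannot match and is dropped."""
import base64
import json

PREFIX = "ohi.oauth.jws.verification.key.selection."

# Constructed JWK Set; 'n', 'e' and 'k' are placeholders, not real key material.
JWK_SET = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "sig-256", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS512", "kid": "sig-512", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS512", "kid": "sig-512-old", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "alg": "RSA-OAEP", "kid": "enc-1", "n": "AQ", "e": "AQAB"},
    {"kty": "oct", "use": "sig", "alg": "HS256", "kid": "hmac-1", "k": "AQ"},
    {"kty": "RSA", "kid": "legacy", "n": "AQ", "e": "AQAB"},  # declares no use or alg
]}


def flag(props, name):
    """Read one Y/N selection property; anything but 'Y' is N, the documented default."""
    return props.get(PREFIX + name, "N").strip().upper() == "Y"


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token):
    """Decode the protected header (first segment) of a compact-serialized JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))


def is_public(jwk):
    # Symmetric keys (kty=oct) are never public; an asymmetric key carrying the
    # private exponent 'd' is a private key.
    return jwk.get("kty") != "oct" and "d" not in jwk


def select_verification_keys(jwk_set, header, props):
    """Apply the enabled filters in turn; the result is the candidate key list."""
    keys = list(jwk_set["keys"])
    if flag(props, "signing_keys_only"):
        keys = [k for k in keys if k.get("use") == "sig"]
    if flag(props, "public_keys_only"):
        keys = [k for k in keys if is_public(k)]
    if flag(props, "jws_algorithm"):
        keys = [k for k in keys if k.get("alg") == header.get("alg")]
    if flag(props, "key_id"):
        keys = [k for k in keys if k.get("kid") == header.get("kid")]
    return keys


def candidate_kids(token, props, jwk_set=JWK_SET):
    return [k.get("kid") for k in select_verification_keys(jwk_set, jwt_header(token), props)]


def make_token(header):
    """Constructed compact JWS carrying only the header of interest; the payload
    and signature segments are dummies (the token is never verified here)."""
    def enc(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])


SAMPLE_TOKEN = make_token({"alg": "RS512", "typ": "JWT", "kid": "sig-512"})
# All four filters on: the strict configuration.
STRICT = {PREFIX + n: "Y" for n in
          ("signing_keys_only", "public_keys_only", "jws_algorithm", "key_id")}

if __name__ == "__main__":
    print("no filters: ", candidate_kids(SAMPLE_TOKEN, {}))
    print("all filters:", candidate_kids(SAMPLE_TOKEN, STRICT))
    # A header naming an unknown kid yields no candidate key: such a token must
    # be rejected rather than tried against every key in the set.
    print("unknown kid:", candidate_kids(make_token({"alg": "RS512", "kid": "x"}), STRICT))
```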

Task Processing

The following properties influence task processing behavior.

Property Name Value Explanation

ohi.processing.fillthreshhold

Positive integer value. Defaults to the number of processors reported to the JVM minus 1.

Suggested value is 1 less than number of CPU cores available to the managed server. Determines the number of tasks that will be submitted for processing at any given time.

ohi.processing.filldepth

Positive integer value. Defaults to 2x the number of processors reported to the JVM.

Suggested value is a multiple of the number of CPU cores available to the managed server. Determines when the system will look for more tasks to be submitted for processing.

ohi.processing.attemptLogLevel

Integer Value >= 0. Default is 0

A value greater than 0 means that data for failed task processing attempts is retained.

ohi.processing.defaultdelay

Positive Integer. Default is 3

Default delay in seconds used when a failed task is re-queued for another attempt. Is overridden if a delay is set on the task type.

ohi.processing.maxIncompleteAttempts

Positive integer value. Default is 100000.

Number of times a task can resolve as "incomplete" before it is marked as in error.

ohi.processing.maxErrorAttempts

Positive integer value. Default is 3.

Number of times a task can resolve as "errored" before it stops a task flow.

ohi.processing.retryimmediate

Boolean, default is true

Determines if a failed task is retried immediately, or re-queued for another attempt after a delay.

ohi.startup.start.task.processing

Boolean, default is true

Controls task processing for a managed server. By default, a managed server that executes an OHI Components application starts processing tasks from the work backlog queue once it is started. The default behavior can be overridden by setting the command-line parameter ohi.startup.start.task.processing; if it is set to false, the managed server will not process tasks after it is started. The default value is true.

Property Name Value Explanation

ohi.oig.application.baseurl

For example:

http://localhost:7001

The base URL for accessing the application, which typically includes the machine or load balancer, the domain and a port number. This must be set for the links in the response or Location header to be correct. This property is an instance of ohi.<application>.application.baseurl.

It is possible to override this behaviour using a custom request header: X-OHI-OBEY-HOST.

  • If this header is present with value true, the links are created from the request URL itself.

  • If the header is not present or its value is false, the links are created with the help of the properties.

For all asynchronous responses (notifications) that contain links, the properties are used, as has always been the case.

ohi.http.api.path

For example: /oig-ws/api

The context root of the application. Default is api.

<integrationStepCode>-timeAllowed

Numeric

Specifies the timeout value within which this step must respond. If the timeout expires, the system tries to fetch the status of the process through the Location header URL. Example key: invokeActivityStep-timeAllowed.

ohi.max.redirect.count

Numeric, default 10

Specifies the maximum number of redirections that a particular external invocation may follow.

ohi.timeout.maxRepeatAttempts

Numeric, default 3

Determines how many times a timeout task will check whether the underlying work is complete.

Scheduler Based Integration

The following properties can be used to configure integration invocations that utilize a scheduler.

Property Name Value Explanation

ohi.exchange.scheduler.poolsize

Numeric, default 10

Specifies the size of the thread pool that executes scheduler based integrations.

Blocking Integration Interaction Pattern

The following properties are used by the system to provide the notion of seemingly blocking integration interaction. The system automatically adjusts the pool size according to the bounds set by 'ohi.exchange.await.core.poolsize' and 'ohi.exchange.await.max.poolsize'.

Property Name Value Explanation

ohi.exchange.await.core.poolsize

Numeric, default 2 * the number of CPU cores available

If fewer threads are running, a new thread is created to handle the request, even if other worker threads are idle.

ohi.exchange.await.max.poolsize

Numeric, default 40

If there are more than ohi.exchange.await.core.poolsize but less than ohi.exchange.await.max.poolsize threads running, a new thread will be created only if the queue (having a maximum size of 2147483647) is full. Typically this means that with a value of 40, at most there will be 40 threads available for 'async await'.

ohi.exchange.await.poll.interval

Numeric, default 1000

The time between consecutive polls the system makes to check up on an asynchronous exchange. Specified in milliseconds.

ohi.exchange.blocking.timeout.max

Numeric, default 5000

The maximum amount of time the system will wait for an asynchronous exchange to be completed. Specified in milliseconds.

Callout Properties

The following table lists properties used by the REST call-out client:

Property Name Value Explanation

ohi.rest.client.logging

OPTIONAL

Default is false

When "true" it will log traffic to external system.

ohi.service.client.cache.size

OPTIONAL

Default is 500

Property that specifies the size of the REST Client cache.

The following table lists data exchange/config migration related properties:

Property Name Value Explanation

ohi.application.uri.<source_application>

String

Reference to the URI of the source application to retrieve data-sets metadata to be processed. The <source_application> placeholder should be replaced.

ohi.<notification_key>.endpoint.request

String. For example:

http://machine.domain:port/

Allows for web service client interactions to identify their request URI destination. This property is used to get the URI for the end point. The <notification_key> placeholder should be replaced.

ohi.cm.concurrency.limit

Positive integer value. Default is 2

Number of parallel threads used in configuration migration tool export and import processes. For better performance, the value of this system property should equal the number of CPU cores. For example, if there are 6 CPUs and each of them is single core, then this property should be set to 6.

Purge Notification Properties

The following properties are applicable for configuring endpoints for purge process notification:

Property Name Value Explanation

ohi.purge.notification.endpoint.<PURGE TYPE>

URL. Possible purge types: 'PurgeEvent', 'PurgeExchange', 'PurgeTechnicalData'

This overrides any value that has been specified for ohi.purge.notification.endpoint for the specific <PURGE TYPE>.

ohi.purge.notification.endpoint

URL. Optional for any purge type for which a type-specific endpoint is configured.

The base URI of the system that is going to receive notification events.

The following table lists user interface related properties:

Property Name Value Explanation

ohi.environment.identifier

Samples: "User Acceptance Test", "Development"

Text string that is displayed on the home page of the system that helps the user to identify the environment.

ohi.ui.backEndURL

Root URL of the generic HTTP API resources

Fully qualified URL for HTTP API resources. The path in the URL should include the context root for HTTP API resources. The default context root for HTTP API resources is '/api'. Note that this could be a load balancer URL and / or that the default context root might have been overwritten using a deployment plan.

ohi.ui.api.authentication.method

Default: OAuth

Authentication mechanism for the JET UI. One of OAuth, BasicAuthentication, WebGate (in case a gateway handles authentication) or OpenID (in case OpenID Connect is used - see below table for more properties).

ohi.ui.api.authentication.oauth.clientId

The clientId is the public identifier for the JET UI. Mandatory when using OAuth. Not applicable when not using OAuth. Has no default value.

ohi.ui.backEnd.root.url

The base URL for accessing web services, which typically includes the machine or load balancer, the domain and a port number.

ohi.ui.accessToken.url

The WebGate URL to access the accessToken resource.

ohi.ui.accessToken.root.url

The WebGate URL root (required for the CSP whitelist).

ohi.ui.webgate.url

OAM URL (required for the CSP whitelist).

ohi.ui.waitTime

Default is 1500

The waitTime is the time (in milliseconds) between entering a character in a search field, and the search firing. Applies to quick search and LOV, suggested is 1500.

ohi.ui.session.timeout

Default is 3600000

The timeout is the idle time (in milliseconds) after which the current user session expires and displays 'The page has expired' warning dialog. Clicking OK re-directs the user to the login page. The default value is set to 1hr (3600000 ms). A value of 0 means never timeout.

The following table lists user interface related properties, specifically for OpenID Connect support:

Property Name Value Explanation

ohi.oauth.use.openidconnect

false or true

This is false by default. When set to true, OIG activates the OpenID Connect sub-module so that the User Interface can use it.

ohi.oauth.idp.uri

This is the Identity Provider (IDP) URL from which the configuration for OpenID Connect is acquired.

ohi.oauth.token.introspection.endpoint.client_id

This is the identification of the OpenID Connect client as registered in the IDP.

ohi.oauth.token.introspection.endpoint.client_secret

This is the secret associated with the above OpenID Connect client that has to be presented to acquire an access token. This secret needs to be stored in a secured/secret location.

ohi.security.oauth.frontend

Specifies the base URL of the JET Application that needs to be secured (e.g. https://host:8909/oig).

ohi.security.oauth.callback

Specifies the OpenID Connect callback URL to be invoked after authentication of the user through OpenID Connect has taken place, but before an access token has been obtained. Defaults to: oidc/callback.

ohi.security.oauth.logout

Specifies the OpenID Connect URL that is to be invoked after a user has selected to logout from the OIG UI. Defaults to: oidc/logout.

ohi.security.oauth.cookie.path

A path that must exist in the requested URL, or the browser won’t send the Cookie header. Defaults to '/'

ohi.security.oauth.cookie.name

The name of the Cookie. Defaults to 'OHI_SHARED_AUTH'.

ohi.security.oauth.cookie.maxage

Number of seconds until the cookie expires. Defaults to 3600.

ohi.security.oauth.cookie.secure

false or true

When set to true, the cookie is only sent to the server when a request is made with the https: scheme. Defaults to false.

The following properties are related to monitoring and metrics gathering:

Property Name Value Explanation

ohi.healthcheck.url.mapping

String, URL Mapping (e.g. /up)

Defines the mapping between the Healthcheck servlet and a URL pattern.

ohi.prometheusservlet.url.mapping

String, URL Mapping

Defines the mapping between the Prometheus servlet and a URL pattern.

ohi.instrumentation.gather.applicationmetrics

Boolean, false by default

Set to true to enable recording of metrics

ohi.instrumentation.gather.jvmtelemetry

Boolean, false by default

Set to true to enable recording of JVM telemetry

ohi.instrumentation.filter.ohi.nameprefix

Boolean, true by default

Set to false to enable recording of non-OHI metrics

ohi.instrumentation.common.application.tag

Boolean, false by default

Set to true to tag each metric with the name of the application

ohi.instrumentation.<timer>.percentiles

Comma-separated string, e.g. 0.5,0.75,0.95,0.99

Percentiles for the configured timer

ohi.instrumentation.<timer>.histogram

Boolean, false by default

Determines if histogram buckets for the configured timer are published

ohi.instrumentation.<timer>.regex

Regular expression

Data for the timer is published if the tag name that is specified as property ohi.instrumentation.<timer>.regex.tagname matches this regular expression.

ohi.instrumentation.<timer>.regex.tagname

String

Tag name subject to testing with the regular expression that is specified as property ohi.instrumentation.<timer>.regex. Data for the timer is published if the tag name matches the regular expression.

See the Administration Guide for more details about metrics related properties.