Choreo Connect Enforcer Configuration Catalog

This document describes all the configuration parameters that are used in WSO2 Choreo Connect Enforcer.

Instructions for use

Select the configuration sections, parameters, and values that are required for your use and add them to the config.toml file located in <CHOREO-CONNECT_HOME>/docker-compose/choreo-connect/conf/. See the example .toml file given below.

# This is an example .toml file.
[enforcer.authService]
  port = 8081
  maxMessageSize = 1000000000
  maxHeaderLimit = 8192
  keepAliveTime = 600

[enforcer.apimCredentials]
  username="admin"
  password="$env{apim_admin_pwd}"

Auth Service

[enforcer.authService]
  port = 8081
  maxMessageSize = 1000000000
  maxHeaderLimit = 8192
  keepAliveTime = 600
[authService] Required

The configuration of the gRPC Netty-based server in the Enforcer that handles the incoming requests in Choreo Connect.

port

integer Required

Default: 8081

Port of the Enforcer auth service.

maxMessageSize

integer

Default: 1000000000

Maximum message size in bytes

maxHeaderLimit

integer

Default: 8192

Maximum header size in bytes

keepAliveTime

integer

Default: 600

Keep-alive time in seconds for the connection with the Router via the external authz service.

tokenPrivateKeyPath

string

Default: /home/wso2/security/keystore/mg.key

Path to the private key used for token generation.

Auth Service thread pool

[enforcer.authService.threadPool]
  coreSize = 400
  maxSize = 500
  keepAliveTime = 600
  queueSize = 1000
[authService.threadPool] Required

The thread pool configuration of the gRPC Netty-based server in the Enforcer that handles the incoming requests in Choreo Connect.

coreSize

integer Required

Default: 400

Minimum number of workers to keep alive

maxSize

integer

Default: 500

Maximum pool size

keepAliveTime

integer

Default: 600

Timeout in seconds for idle threads waiting for work

queueSize

integer

Default: 1000

Size of the work queue in front of the worker threads.

API Manager Credentials

[enforcer.apimCredentials]
  username="admin"
  password="$env{apim_admin_pwd}"
[apimCredentials] Required

The credentials of the API Manager

username

string Required

Default: admin

Username

password

string Required

Default: $env{apim_admin_pwd}

Password

Cache

[enforcer.cache]
  enabled = true
  maximumSize = 10000
  expiryTime = 15
[cache] Required

The configurations of token caching in the Choreo Connect.

enabled

boolean Required

Default: true

Enable/Disable token cache.

maximumSize

integer Required

Default: 10000

Maximum cache size.

expiryTime

integer Required

Default: 15

Expiry time in seconds

JWT Generator

[enforcer.jwtGenerator]
  enable = false
  encoding = "base64"
  claimDialect = "http://wso2.org/claims"
  convertDialect = false
  header = "X-JWT-Assertion"
  signingAlgorithm = "SHA256withRSA"
  enableUserClaims = false
  gatewayGeneratorImpl = "org.wso2.carbon.apimgt.common.gateway.jwtgenerator.APIMgtGatewayJWTGeneratorImpl"
  claimsExtractorImpl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever"
  publicCertificatePath = "/home/wso2/security/truststore/mg.pem"
  privateKeyPath = "/home/wso2/security/keystore/mg.key"
[jwtGenerator]

The configuration of backend JWT generation in Choreo Connect.

enable

boolean Required

Default: false

Enable/Disable backend JWT generation

encoding

string

Default: base64
Possible Values: base64, base64url

Encoding of the JWT

claimDialect

string Required

Default: http://wso2.org/claims

The JWT access token contains all claims defined in the enforcer.jwtGenerator.claimDialect element. The default value of this element is http://wso2.org/claims. To include a specific user's claims in the JWT, uncomment this element after enabling JWT generation; all claims in the http://wso2.org/claims dialect are then added to the JWT access token.

convertDialect

boolean

Default: false

Remap the OIDC claims into the configured dialect

header

string Required

Default: X-JWT-Assertion

The name of the HTTP header to which the JWT is attached.

signingAlgorithm

string

Default: SHA256withRSA
Possible Values: SHA256withRSA, NONE

The algorithm used to sign the JWT. With NONE the JWT carries no signature, so the backend cannot verify that it was issued by Choreo Connect.

enableUserClaims

boolean

Default: false

Enable/Disable the inclusion of user claims in the generated JWT.

gatewayGeneratorImpl

string

Default: org.wso2.carbon.apimgt.common.gateway.jwtgenerator.APIMgtGatewayJWTGeneratorImpl

Fully qualified class name of the JWT generator implementation; replace it to use a custom generator.

claimsExtractorImpl

string

Default: org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever

Fully qualified class name of the claims retriever; replace it with a custom retriever to add custom claims to the JWT.

publicCertificatePath

string

Default: /home/wso2/security/truststore/mg.pem

Path to the public certificate that corresponds to the key used to sign the generated JWT.

privateKeyPath

string

Default: /home/wso2/security/keystore/mg.key

Path to the private key used to sign the generated JWT.

JWT Issuer

[enforcer.jwtIssuer]
  enabled = true
  issuer = "https://localhost:9095/testkey"
  encoding = "base64"
  claimDialect = ""
  signingAlgorithm = "SHA256withRSA"
  publicCertificatePath = "/home/wso2/security/truststore/mg.pem"
  privateKeyPath = "/home/wso2/security/keystore/mg.key"
  validityPeriod = 3600
[jwtIssuer]

The issuer configuration required to generate tokens at Choreo Connect.

enabled

boolean Required

Default: true

Enable/Disable JWT generation.

issuer

string Required

Default: https://localhost:9095/testkey

Issuer value for the JWT under iss claim.

encoding

string

Default: base64
Possible Values: base64, base64url

Encoding of the JWT

claimDialect

string

Default: http://wso2.org/claims

A set of claims is identified as a dialect. Different dialects represent the same piece of information with different claim URIs.

signingAlgorithm

string

Default: SHA256withRSA
Possible Values: SHA256withRSA, NONE

The algorithm used to sign the JWT. With NONE the issued JWT carries no signature and cannot be verified by its consumers.

publicCertificatePath

string

Default: /home/wso2/security/truststore/mg.pem

Public certificate for generated JWT.

privateKeyPath

string

Default: /home/wso2/security/keystore/mg.key

Private key path used for JWT generation.

validityPeriod

integer

Default: 3600

Validity period of the JWT in seconds.

caCertFile

string

Default: /home/wso2/security/truststore/consul/consul-agent-ca.pem

Optional path to the CA certificate used for Consul communication; defaults to the system bundle if not specified.

certFile

string

Default:

Optional path to the certificate for Consul communication. If this is set, keyFile must also be set.

keyFile

string

Default:

Optional path to the private key for Consul communication. If this is set, certFile must also be set.

JWT Issuer User

[[enforcer.jwtIssuer.jwtUser]]
  username = "admin"
  password = "$env{enforcer_admin_pwd}"
[jwtIssuer.jwtUser] Required

The users allowed to obtain JWTs generated by Choreo Connect. You can provide multiple users, one [[enforcer.jwtIssuer.jwtUser]] table each.

username

string Required

Default: admin

Username

password

string Required

Default: $env{enforcer_admin_pwd}

Password

Auth Header

[enforcer.security.authHeader]
  enableOutboundAuthHeader = false
  authorizationHeader = "authorization"
[security.authHeader]

Configurations related to the Authorization header.

enableOutboundAuthHeader

boolean Required

Default: false

Whether the Authorization header is forwarded to the backend. When false (the default), the header is removed from the backend request.

authorizationHeader

string Required

Default: authorization

Name of the header in which the authorization token arrives from the downstream client.

Token Service

[[enforcer.security.tokenService]]
  name="Resident Key Manager"
  issuer = "https://localhost:9443/oauth2/token"
  certificateAlias = "wso2carbon"
  jwksURL = ""
  validateSubscription = false
  consumerKeyClaim = "azp"
  certificateFilePath = "/home/wso2/security/truststore/wso2carbon.pem"
[security.tokenService]

Configuration required for JWT token authorization. You can provide multiple JWT issuers, one [[enforcer.security.tokenService]] table each.

name

string Required

Default:

A unique name for the JWT issuer.

certificateAlias

string

Default:

Alias name given in Enforcer truststore for the public certificate of the JWT issuer.

jwksURL

string

Default:

JWKS endpoint of the issuer.

validateSubscription

boolean

Default: false

Enable/Disable subscription validation.

consumerKeyClaim

string

Default:

The claim that carries the consumer key of the application.

certificateFilePath

string

Default:

Path to the issuer's public certificate file within the Enforcer.

Throttling

[enforcer.throttling]
  enableGlobalEventPublishing = false
  enableHeaderConditions = false
  enableQueryParamConditions = false
  enableJwtClaimConditions = false
  jmsConnectionInitialContextFactory = "org.wso2.andes.jndi.PropertiesFileInitialContextFactory"
  jmsConnectionProviderUrl = "amqp://admin:$env{tm_admin_pwd}@carbon/carbon?brokerlist='tcp://localhost:5672'"
[throttling]

Configurations related to Throttling

enableGlobalEventPublishing

boolean Required

Default: false

Connect with the central Traffic Manager and publish throttling events to it.

enableHeaderConditions

boolean Required

Default: false

Enable global advanced throttling based on request header conditions.

enableQueryParamConditions

boolean Required

Default: false

Enable global advanced throttling based on request query parameter conditions.

enableJwtClaimConditions

boolean Required

Default: false

Enable global advanced throttling based on JWT claim conditions.

jmsConnectionInitialContextFactory

string Required

Default: org.wso2.andes.jndi.PropertiesFileInitialContextFactory

The message broker context factory.

Binary Throttle publishing configurations

[enforcer.throttling.publisher]
  username = "admin"
  password = "$env{tm_admin_pwd}"
[throttling.publisher] Required

Throttling configurations related to event publishing using a binary connection. The following are the credentials required to establish a connection with the Traffic Manager.

username

string Required

Default: admin

Username

password

string Required

Default: $env{tm_admin_pwd}

Password

Binary Throttle publishing url group configurations

[[enforcer.throttling.publisher.urlGroup]]
  receiverURLs = ["tcp://localhost:9611"]
  authURLs = ["ssl://localhost:9711"]
[throttling.publisher.urlGroup] Required

Throttling configurations related to event publishing using a binary connection. The following are the receiver URL and the authentication URL of the Traffic Manager node or nodes. You can provide multiple URL groups.

receiverURLs

array of strings Required

Default: tcp://localhost:9611

Receiver URLs

authURLs

array of strings Required

Default: ssl://localhost:9711

Auth URLs

Binary Throttle publishing pool configurations

[enforcer.throttling.publisher.pool]
  maxIdleDataPublishingAgents = 1000
  initIdleObjectDataPublishingAgents = 200
  publisherThreadPoolCoreSize = 200
  publisherThreadPoolMaximumSize = 1000
  publisherThreadPoolKeepAliveTime = 200
[throttling.publisher.pool]

Throttling configurations related to event publishing using a binary connection. The following are the data publisher object pool configurations.

maxIdleDataPublishingAgents

integer

Default: 1000

Maximum number of idle connections.

initIdleObjectDataPublishingAgents

integer

Default: 200

Minimum number of idle connections.

publisherThreadPoolCoreSize

integer

Default: 200

Thread pool core size

publisherThreadPoolMaximumSize

integer

Default: 1000

The maximum size of the thread pool

publisherThreadPoolKeepAliveTime

integer

Default: 200

Time in seconds after which idle threads in the publisher thread pool are terminated.

Binary Throttle publishing agent configurations

[enforcer.throttling.publisher.agent]
  sslEnabledProtocols = "TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256  ,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  queueSize = 32768
  batchSize = 200
  corePoolSize = 1
  socketTimeoutMS = 30000
  maxPoolSize = 1
  keepAliveTimeInPool = 20
  reconnectionInterval = 30
  # TCP connection pool configurations (for data publishing)
  maxTransportPoolSize = 250
  maxIdleConnections = 250
  evictionTimePeriod = 5500
  minIdleTimeInPool = 5000
  # SSL connection pool configurations (for authentication)
  secureMaxTransportPoolSize = 250
  secureMaxIdleConnections = 250
  secureEvictionTimePeriod = 5500
  secureMinIdleTimeInPool = 5000
[throttling.publisher.agent] Required

Throttling configurations related to event publishing using a binary connection. The following are the data publisher agent configurations.

sslEnabledProtocols

string Required

Default: TLSv1.2

TLS protocol versions enabled for the publisher connection.

ciphers

string Required

Default: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Comma-separated list of cipher suites enabled for the publisher connection. The default list includes CBC and 3DES suites; trim it to the suites your Traffic Manager actually needs.

queueSize

integer Required

Default: 32768

The size of the event disruptor queue that holds events before they are published. The value must always be a power of two.

batchSize

integer Required

Default: 200

The maximum number of events in a batch sent to the queue event disruptor at a given time.

corePoolSize

integer Required

Default: 1

The number of threads reserved to handle events at startup.

socketTimeoutMS

integer Required

Default: 30000

Socket timeout in milliseconds.

maxPoolSize

integer Required

Default: 1

The maximum number of threads that should be reserved at any given time to handle events.

keepAliveTimeInPool

integer Required

Default: 20

The amount of time which threads in excess of the core pool size may remain idle before being terminated.

reconnectionInterval

integer Required

Default: 30

The time interval between reconnection in seconds.

maxTransportPoolSize

integer Required

Default: 250

Maximum pool size for TCP connection pool configurations (for data publishing).

maxIdleConnections

integer Required

Default: 250

Maximum idle connections for TCP connection pool configurations (for data publishing).

evictionTimePeriod

integer Required

Default: 5500

Eviction time period for TCP connection pool configurations (for data publishing).

minIdleTimeInPool

integer Required

Default: 5000

Minimum idle time in pool for TCP connection pool configurations (for data publishing).

secureMaxTransportPoolSize

integer Required

Default: 250

Maximum pool size for SSL connection pool configurations (for authentication).

secureMaxIdleConnections

integer Required

Default: 250

Maximum number of idle connections for SSL connection pool configurations (for authentication).

secureEvictionTimePeriod

integer Required

Default: 250

Eviction time period for SSL connection pool configurations (for authentication).

secureMinIdleTimeInPool

integer Required

Default: 250

Minimum idle time in pool for SSL connection pool configurations (for authentication).
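A checker for the constraints this catalog states, added here as an example (it is not part of the Choreo Connect project or its docs): queueSize must be a power of two, certFile and keyFile must be set together, signingAlgorithm is limited to the documented values with NONE meaning an unsigned token, and tokenService names must be unique. The rule that passwords use the catalog's $env{...} convention is an assumption, not something the page states. The function takes the [enforcer] table already parsed into a dict, for example by tomllib.loads on Python 3.11+.

```python
import re
ENV_REF = re.compile(r"^\$env\{[A-Za-z_][A-Za-z0-9_]*\}$")  # a $env{NAME} reference
SIGNING_ALGORITHMS = {"SHA256withRSA", "NONE"}               # the catalog's "Possible Values"

def _get(cfg, *path):  # walk nested dicts/lists; None when any step of the path is missing
    for key in path:
        try:
            cfg = cfg[key]
        except (KeyError, IndexError, TypeError):
            return None
    return cfg

def check_enforcer_config(enforcer):  # findings for the parsed [enforcer] table; [] means all pass
    findings = []
    # Credentials: the catalog's defaults are $env{...} references; treating literals as a finding is an assumption.
    pw_paths = [("apimCredentials", "password"), ("throttling", "publisher", "password")]
    pw_paths += [("jwtIssuer", "jwtUser", i, "password") for i in range(len(_get(enforcer, "jwtIssuer", "jwtUser") or []))]
    for path in pw_paths:
        value = _get(enforcer, *path)
        if isinstance(value, str) and not ENV_REF.match(value):
            findings.append(".".join(map(str, path)) + ": literal password; use a $env{...} reference")
    # signingAlgorithm: only the documented values, and NONE means the JWT is not signed at all.
    for section in ("jwtGenerator", "jwtIssuer"):
        alg = _get(enforcer, section, "signingAlgorithm")
        if alg is not None and alg not in SIGNING_ALGORITHMS:
            findings.append(f"{section}.signingAlgorithm: {alg!r} is not a documented value")
        elif alg == "NONE":
            findings.append(f"{section}.signingAlgorithm: NONE issues unsigned JWTs the backend cannot verify")
    # certFile and keyFile must be set together.
    if bool(_get(enforcer, "jwtIssuer", "certFile")) != bool(_get(enforcer, "jwtIssuer", "keyFile")):
        findings.append("jwtIssuer.certFile and jwtIssuer.keyFile must be set together")
    # The event disruptor queue size must be a power of two.
    qsize = _get(enforcer, "throttling", "publisher", "agent", "queueSize")
    if isinstance(qsize, int) and (qsize <= 0 or qsize & (qsize - 1)):
        findings.append(f"throttling.publisher.agent.queueSize: {qsize} is not a power of two")
    # Every [[enforcer.security.tokenService]] entry needs a unique, non-empty name.
    names = [svc.get("name", "") for svc in _get(enforcer, "security", "tokenService") or []]
    for name in sorted(set(names)):
        if not name or names.count(name) > 1:
            findings.append(f"security.tokenService: issuer name {name!r} must be non-empty and unique")
    return findings

SAMPLE_CONFIG = {"enforcer": {  # constructed sample with deliberate mistakes, not a real deployment
    "apimCredentials": {"username": "admin", "password": "admin"},
    "jwtGenerator": {"enable": True, "signingAlgorithm": "NONE"},
    "jwtIssuer": {"signingAlgorithm": "SHA256withRSA", "certFile": "consul.pem",
                  "jwtUser": [{"username": "admin", "password": "$env{enforcer_admin_pwd}"}]},
    "security": {"tokenService": [{"name": "Resident Key Manager"}, {"name": "Resident Key Manager"}]},
    "throttling": {"publisher": {"password": "$env{tm_admin_pwd}", "agent": {"queueSize": 30000}}},
}}
```

Running check_enforcer_config(SAMPLE_CONFIG["enforcer"]) reports the literal password, the NONE algorithm, the unpaired certFile, the non-power-of-two queueSize and the duplicate issuer name.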
