Start-up Properties (uc.properties)

The uc.properties file is read by the Controller, which is started by Tomcat.

The uc.properties file resides here:

[tomcat directory]\conf

info

The backslash character in a property value must be escaped as a double backslash.

For example:

example.path=c:\\stonebranch\\uc

For MySQL

uc.db.mysql.character_encoding

Allows the retrieval of output with extended unicode characters. If the property is not set, character encoding will not be used in the JDBC URL.

Examples:

uc.db.mysql.character_encoding=US-ASCII
uc.db.mysql.character_encoding=Cp1252
uc.db.mysql.character_encoding=UTF-8

uc.db.rdbms=mysql

Database type. Specify this property if you are using a MySQL database.


uc.db.url=jdbc:mysql://localhost/

JDBC connect URL. Specify this property if you are using a MySQL database.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.


For SQLServer

uc.db.rdbms=sqlserver

Database type. Specify this property if you are using a SQLServer database.


uc.db.url=jdbc:sqlserver://localhost:1433;DatabaseName=uc

JDBC connect URL. Specify this property if you are using a SQLServer database.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.


For Oracle

uc.db.rdbms=oracle

Database type. Specify this property if you are using an Oracle database.


uc.db.url=jdbc:oracle:thin:@//localhost:1521/@oracle.db.name@

JDBC connect URL. Specify this property if you are using an Oracle database.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.


For PostgreSQL

uc.db.rdbms=postgres

Database type. Specify this property if you are using a PostgreSQL database.


uc.db.url=jdbc:postgresql://localhost:5432/uc

JDBC connect URL. Specify this property if you are using a PostgreSQL database.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.


For All Databases

uc.db.name

warning

If you specify a database name in this property and in uc.db.url, the names must be the same.

Name for the Controller database.

Default: uc


uc.db.password

Database password that will be replaced by uc.db.password.encrypted in the uc.properties file upon start-up.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.

Default: (none)


uc.db.password.encrypted

Encrypted version of uc.db.password that will replace uc.db.password in the uc.properties file upon start-up.

Default: (none)


uc.db.pooler.connections

Sets the minimum number of idle connections to maintain in the Server connection pool, or zero to create none.

The Server connection pool is used by all internal database transactions.

Default: 1


uc.db.pooler.connections.Auxiliary

Sets the minimum number of idle connections to maintain in the Auxiliary connection pool, or zero to create none.

The Auxiliary connection pool is used only when at least one of the following properties is true:

  • uc.db.pooler.connections.use_auxiliary.launch
  • uc.db.pooler.connections.use_auxiliary.trigger

Default: 1


uc.db.pooler.connections.Client

Sets the minimum number of idle connections to maintain in the Client connection pool, or zero to create none.

The Client connection pool is used by all user interface related database transactions.

Default: 1


uc.db.pooler.connections.max

Sets the maximum number of connections that can be allocated by the Server connection pool at a given time.

The Server connection pool is used by all internal database transactions.

info

The installer overrides the default by configuring a maximum number of 40 in the uc.properties file.

Default: 30


uc.db.pooler.connections.max.Auxiliary

Sets the maximum number of connections that can be allocated by the Auxiliary connection pool at a given time.

The Auxiliary connection pool is used only when at least one of the following properties is true:

  • uc.db.pooler.connections.use_auxiliary.launch
  • uc.db.pooler.connections.use_auxiliary.trigger

Default: 40


uc.db.pooler.connections.max.Client

Sets the maximum number of connections that can be allocated by the Client connection pool at a given time.

The Client connection pool is used by all user interface related database transactions.

Default: 30


uc.db.pooler.connections.max.Reserved

Sets the maximum number of connections that can be allocated by the Reserved connection pool at a given time.

The Reserved connection pool is used by all critical internal database transactions.

Default: 30


uc.db.pooler.connections.use_auxiliary.launch

Specifies that the Universal Controller should use the Auxiliary connection pool when launching workload.

Default: false


uc.db.pooler.connections.use_auxiliary.trigger

Specifies that the Universal Controller should use the Auxiliary connection pool when triggering workload.

Default: false


uc.db.pooler.connections.Reserved

Sets the minimum number of idle connections to maintain in the Reserved connection pool, or zero to create none.

The Reserved connection pool is used by all critical internal database transactions.

Default: 1


uc.db.secrets_provider

Specifies which secrets provider to use for the password.

If left unspecified, Universal Controller is assumed to be the provider, and the controller will continue to load the password from uc.properties using one of the following properties:

  • uc.db.password
  • uc.db.password.encrypted

info

Property uc.db.password is immediately saved back as uc.db.password.encrypted with an encrypted value.

If property uc.db.secrets_provider is specified, it must be one of the following values; otherwise, a failure will be logged and uc.properties must be refreshed.

The controller will then load all the properties associated with the specified provider.

See Secrets Provider Properties for the properties associated with each provider.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property, and properties associated with the provider, without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.

Default: (none)


uc.db.url.append.properties

Allows additional options to be appended to the JDBC URL generated by Universal Controller.

Example:

uc.db.url.append.properties=&verifyServerCertificate=false&useSSL=true

Default: (none)
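As an added example, not Stonebranch code, the following Python script applies the rules from this section to a uc.properties file: the double-backslash escaping rule, the warning that uc.db.name must match the database named in uc.db.url, and a scan of uc.db.url.append.properties for JDBC options such as verifyServerCertificate=false that disable server certificate verification. The JDBC URL parsing rules and the sample file are assumptions constructed from the URL formats shown above.

```python
"""Audit the database settings of a uc.properties file (added example).

Checks from this page: doubled backslashes, uc.db.name matching the database
in uc.db.url, and TLS-weakening options in uc.db.url.append.properties. The
JDBC URL parsing rules are an assumption based on the formats shown above.
"""
import re
from typing import Dict, List, Optional

# Constructed sample file, not from a real installation.
SAMPLE_PROPERTIES = r"""
# database section
uc.db.rdbms=mysql
uc.db.url=jdbc:mysql://localhost/ucdb
uc.db.name=uc
uc.db.url.append.properties=&verifyServerCertificate=false&useSSL=true
example.path=c:\\stonebranch\\uc
bad.path=d:\scripts\jobs
"""

# A backslash neither doubled nor starting a known escape: Java drops it silently.
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?![\\tnrfu:=#!\s])")
# JDBC options (MySQL Connector/J, MS SQL Server driver) that accept any server cert.
TLS_WEAKENING = {
    "verifyServerCertificate=false": "MySQL server certificate is not verified",
    "trustServerCertificate=true": "SQL Server certificate is not verified",
}

def _unescape(value: str) -> str:
    r"""Undo Java .properties escaping: \\ -> \, \t, \n, \uXXXX, and \X -> X."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] != "\\" or i + 1 == len(value):
            out.append(value[i])
            i += 1
        elif value[i + 1] == "u" and i + 6 <= len(value):
            out.append(chr(int(value[i + 2:i + 6], 16)))
            i += 6
        else:
            nxt = value[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
    return "".join(out)

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal reader for key=value / key:value lines with # or ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = _unescape(m.group(2))
    return props

def lone_backslash_keys(text: str) -> List[str]:
    """Keys whose raw value breaks the double-backslash rule stated on this page."""
    keys: List[str] = []
    for raw in text.splitlines():
        if "=" in raw and not raw.lstrip().startswith(("#", "!")):
            key, value = raw.split("=", 1)
            if LONE_BACKSLASH.search(value):
                keys.append(key.strip())
    return keys

def database_name_from_url(rdbms: str, url: str) -> Optional[str]:
    """Database name in the JDBC URL. Assumption: SQL Server uses ;DatabaseName=...,
    the others the path after host[:port] (empty for jdbc:mysql://localhost/)."""
    if rdbms == "sqlserver":
        m = re.search(r";DatabaseName=([^;]+)", url, re.IGNORECASE)
        return m.group(1) if m else None
    if rdbms in ("mysql", "postgres", "oracle") and "//" in url:
        tail = url.split("//", 1)[1]
        name = tail.split("/", 1)[1] if "/" in tail else ""
        return name.split("?", 1)[0] or None
    return None

def audit_db_properties(text: str) -> List[str]:
    """Human-readable findings, in the order the checks are listed above."""
    props = parse_properties(text)
    findings = [f"{k}: single backslash in value; escape it as a double backslash"
                for k in lone_backslash_keys(text)]
    url_name = database_name_from_url(props.get("uc.db.rdbms", ""), props.get("uc.db.url", ""))
    name = props.get("uc.db.name")
    if name and url_name and name != url_name:
        findings.append(f"uc.db.name={name} but uc.db.url names database {url_name}; they must match")
    extra = props.get("uc.db.url.append.properties", "")
    for option, why in TLS_WEAKENING.items():
        if option.lower() in extra.lower():
            findings.append(f"uc.db.url.append.properties sets {option}: {why}")
    return findings
```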


uc.db.user

Login ID that the Controller will use to log in to your database.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.

Default: root


For LDAP

uc.ldap.groups.filter_indirect

When this property is set to true, any Groups synchronized indirectly (that is, through a User's memberOf attribute) will honor the Group search filter and Group OU filters under the LDAP Advanced Settings section.

info

The code default for this property, which is used if this property is not set, is false.

Default: true


uc.ldap.groups.single_parent_per_child

warning

This property should be set to true only if your Groups being synchronized from AD have at most one parent Group.

When synchronizing Groups, the default behavior in the Controller is to copy the members of a Sub Group into the Parent Group.

When this property is set to true, the Controller assumes that each Group has, at most, a single Parent Group and will use the Parent field on the Group definition to maintain the hierarchy instead of copying members.

Default: false


uc.ldap.groups.update_members

warning

This property should be set to false only when synchronizing Groups from AD, and the number of values for the member attribute exceeds the MaxValRange LDAP policy (and the MaxValRange cannot be increased).

When synchronizing Groups, the default behavior in the Controller is to use the multi-valued member attribute to update the members for a Group; however, AD limits the number of values returned for an attribute, which can result in Group members being removed unexpectedly. This limit is determined by the MaxValRange LDAP policy (typically 1,500).

When this property is set to false, the Controller will not use the member attribute values to update members when synchronizing Groups from AD. Group membership will continue to be updated based on the memberOf attribute values when synchronizing Users from AD.

Default: true


uc.ldap.users.synchronize_by_range

warning

This property is set to false by default to disable range-based searches. This assumes paging is supported by the directory server.

This property should be set to true only if your LDAP server does not support paged results.

If this property is set to true, the Controller will search based on ranges, using a filter like (&(uid>=a)(uid<=b)), when synchronizing Users. To use the <= or >= operators in a filter, an ordering rule must be defined for the attribute in the LDAP schema.

OpenLDAP's schema does not define an ordering rule for the User Id Attribute (for example, uid), so searches using filters like the above do not return any results.

Default: false


uc.ldap.users.synchronize_indirect

warning

This property should be set to true only if your LDAP server does not support the User Membership Attribute (for example, memberOf).

Synchronizes LDAP users indirectly based on group membership. This only applies to groups that users are direct members of.

When this property is set to true, the following will apply for the LDAP refresh (scheduled and server operations):

  • Users will not be synchronized directly based on the User Filter and User Target OU List.
  • Groups will continue to be synchronized directly based on the Group Filter and Group Target OU List.
  • For each matching group, the Group Member Attribute (for example, member) will be used to synchronize users matching the User Filter and User Target OU List.

info

The uc.ldap.groups.update_members property will be ignored when indirect user synchronization is enabled.

info

There is currently no support for nested groups if the User Membership Attribute is not supported by the LDAP server.

Default: false


uc.ldap.users.update_memberships_on_login

warning

This property should not be set to true if group membership for users is static, since there is extra overhead to process the groups, which may impact login performance.

When this property is set to true, LDAP group memberships for existing LDAP users are updated upon successful login.

info

When dynamically creating a new LDAP user at login, the user will be added only to groups that it is a direct member of. Likewise, when updating an existing LDAP user at login, the user will be removed from any groups that it is not a direct member of. Therefore, it is not recommended that you enable this property if a group hierarchy exists, since the user will be removed from any parent groups when logging in. (Group membership for the parent groups will be restored the next time the LDAP refresh runs; however, this can take up to 24 hours.)

Default: false


For OAuth Single Sign-On

uc.oauth.can_provision_local

Specifies if a user authenticating through OAuth Single Sign-On can be updated using the Access / ID Token if the user was created manually.

Default: false


uc.oauth.can_provision_any_idp

Specifies if a user authenticating through OAuth Single Sign-On can be updated using the Access / ID Token of a provider that differs from the provider the user was originally provisioned by.

Default: false


uc.saml.log.level

info

The saml.log.level property is used to configure the log level when OAuth Single Sign-On or SAML Single Sign-On is enabled.

Default: INFO


For SAML Single Sign-On

uc.saml.log.level

Configures the log level for the Spring SAML2 Service Provider framework. Options are:

  • ALL
  • TRACE
  • DEBUG
  • INFO
  • WARN
  • ERROR

info

For backwards compatibility, property saml.log.level is still supported when property uc.saml.log.level is not specified.

Default: INFO


uc.saml.metadata.refresh_interval

The Identity Provider Metadata refresh interval in milliseconds; minimum = 30000, maximum = 2147483647.

Default: 120000


uc.saml.signature_algorithm_uri

By default, the saml2:AuthnRequest will be signed using rsa-sha256, though some Identity Providers will require a different algorithm.

To configure the algorithm automatically based on the Identity Provider’s metadata, do not specify this property.

Alternatively, you can manually override the default configuration by specifying this property.

Default: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or as specified by the Identity Provider's metadata.


uc.saml.authn_request.force_authn

Specifies (true or false) whether the Identity Provider should force the user to reauthenticate.

Default: false


uc.saml.authn_request.want_signed

Sets the WantAuthnRequestsSigned setting, indicating (true or false) the Identity Provider's preference that Service Providers sign the AuthnRequest before sending it.

To configure the setting automatically based on the Identity Provider’s metadata, do not specify the property.

Default: Specified by the Identity Provider's metadata.


uc.saml.can_provision_local

Specifies if a user authenticating through SAML Single Sign-On can be updated using the SAML Assertion if the user was created manually.

Default: false


uc.saml.can_provision_any_idp

Specifies if a user authenticating through SAML Single Sign-On can be updated using the SAML Assertion of a provider that differs from the provider the user was originally provisioned by.

Default: false


For TrustStore

uc.trustmanager.truststore

Location of the keystore which holds certificates and keys.

Default: properties/cacerts


uc.trustmanager.truststore.type

The default TrustStore type. The following case-insensitive values are supported:

  • JKS
  • PKCS12

Default: KeyStore.getDefaultType() (PKCS12 as of Java 8)


uc.trustmanager.truststore.provider

The default TrustStore provider.

Default: (none)


uc.trustmanager.truststore.password

Password (if required) for the keystore that will be replaced by uc.trustmanager.truststore.password.encrypted in the uc.properties file upon start-up.

Default: changeit


uc.trustmanager.truststore.password.encrypted

Encrypted version of uc.trustmanager.truststore.password that will replace uc.trustmanager.truststore.password in the uc.properties file upon start-up.

Default: (none)


uc.trustmanager.algorithm

Java trust manager algorithm.

  • For IBM AIX, the value must be IbmX509.
  • For all other platforms, use the default value.

Default: SunX509


uc.trustmanager.provider

Java trust manager provider.

  • For IBM AIX, the value must be IBMJSSE2.
  • For all other platforms, use the default value.

Default: SunJSSE


uc.trustmanager.ssl.protocols

Comma-separated list of SSL/TLS protocols that can be used for Controller/OMS communications.

  • If the property does not contain a protocol list, a default SSL/TLS context will be referenced for building the SSL/TLS socket used for Controller/OMS communications.
  • If the property is used, only the listed protocols will be enabled for the Controller/OMS session.
  • If the property is not used, only the protocols in the currently configured default SSL/TLS context's default protocol list will be enabled for the Controller/OMS session.

For OpenTelemetry

info

To configure all of your OpenTelemetry settings in the uc.properties file but disable the feature until it is required, add the following property:

uc.otel.sdk.disabled=true

To enable the feature while the controller is running, set uc.otel.sdk.disabled to false, either by updating uc.properties or by using Server Operation > Temporary Property Change in the user interface.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.

The update from Server Operation > Temporary Property Change initiates the reconfiguration immediately.


uc.otel.sdk.disabled

If true, disables the OpenTelemetry SDK.

Default: false


uc.otel.traces.exporter

If set to none, no traces exporter is configured.

Default: otlp


uc.otel.metrics.exporter

If set to none, no metrics exporter is configured.

Default: otlp


uc.otel.exporter.otlp.service.name

Specifies a custom logical name for the service.

If left unspecified, the service name is controller.

Default: controller


uc.otel.exporter.otlp.protocol

The transport protocol to use for OTLP trace and metric requests. Options include grpc and http/protobuf.

Default: grpc


uc.otel.exporter.otlp.traces.protocol

The transport protocol to use on OTLP trace requests. Options include grpc and http/protobuf.

Default: grpc


uc.otel.exporter.otlp.metrics.protocol

The transport protocol to use on OTLP metric requests. Options include grpc and http/protobuf.

Default: grpc


uc.otel.exporter.otlp.endpoint

The OTLP traces and metrics endpoint to connect to. Must be a URL with a scheme of either http or https, depending on whether TLS is used. If the protocol is http/protobuf, the version and signal will be appended to the path (for example, v1/traces or v1/metrics).

For example, http://localhost:4317 when protocol is grpc, and http://localhost:4318/v1/{signal} when protocol is http/protobuf.

Default: (none)


uc.otel.exporter.otlp.traces.endpoint

The OTLP traces endpoint to connect to. Must be a URL with a scheme of either http or https based on the use of TLS.

For example, http://localhost:4317 when protocol is grpc, and http://localhost:4318/v1/traces when protocol is http/protobuf.

Default: (none)


uc.otel.exporter.otlp.metrics.endpoint

The OTLP metrics endpoint to connect to. Must be a URL with a scheme of either http or https based on the use of TLS.

For example, http://localhost:4317 when protocol is grpc, and http://localhost:4318/v1/metrics when protocol is http/protobuf.

Default: (none)


uc.otel.exporter.otlp.certificate

The path to the file containing trusted certificates to use when verifying an OTLP trace or metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format.

Default: By default, the host platform's trusted root certificates are used.


uc.otel.exporter.otlp.traces.certificate

The path to the file containing trusted certificates to use when verifying an OTLP trace server's TLS credentials. The file should contain one or more X.509 certificates in PEM format.

Default: By default, the host platform's trusted root certificates are used.


uc.otel.exporter.otlp.metrics.certificate

The path to the file containing trusted certificates to use when verifying an OTLP metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format.

Default: By default, the host platform's trusted root certificates are used.


uc.otel.exporter.otlp.client.key

The path to the file containing the private client key to use when verifying an OTLP trace or metric client's TLS credentials. The file should contain one private key in PKCS8 PEM format.

Default: By default, no client key is used.


uc.otel.exporter.otlp.traces.client.key

The path to the file containing the private client key to use when verifying an OTLP trace client's TLS credentials. The file should contain one private key in PKCS8 PEM format.

Default: By default, no client key file is used.


uc.otel.exporter.otlp.metrics.client.key

The path to the file containing the private client key to use when verifying an OTLP metric client's TLS credentials. The file should contain one private key in PKCS8 PEM format.

Default: By default, no client key file is used.


uc.otel.exporter.otlp.client.certificate

The path to the file containing trusted certificates to use when verifying an OTLP trace or metric client's TLS credentials. The file should contain one or more X.509 certificates in PEM format.

Default: By default, no chain file is used.


uc.otel.exporter.otlp.traces.client.certificate

The path to the file containing trusted certificates to use when verifying an OTLP trace server's TLS credentials. The file should contain one or more X.509 certificates in PEM format.

Default: By default, no chain file is used.


uc.otel.exporter.otlp.metrics.client.certificate

The path to the file containing trusted certificates to use when verifying an OTLP metric server's TLS credentials. The file should contain one or more X.509 certificates in PEM format.

Default: By default, no chain file is used.


uc.otel.exporter.otlp.headers

Key-value pairs, separated by commas, to pass as request headers on OTLP trace or metric requests.

Default: (none)


uc.otel.exporter.otlp.traces.headers

Key-value pairs separated by commas to pass as request headers on OTLP trace requests.

Default: (none)


uc.otel.exporter.otlp.metrics.headers

Key-value pairs separated by commas to pass as request headers on OTLP metrics requests.

Default: (none)
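As an added example, not Stonebranch code, this Python helper works out which protocol, endpoint, TLS material and headers each signal would actually use from the uc.otel.exporter.otlp.* properties above, including the v1/{signal} path appended for http/protobuf, and flags TLS-relevant mismatches (a certificate, client key or Authorization header combined with an http endpoint). That a signal-specific property overrides its generic counterpart is an assumption taken from the OpenTelemetry SDK environment-variable convention, as are the sample values.

```python
"""Effective OTLP exporter settings per signal (added example, not Stonebranch code).

Assumptions: a signal-specific property (uc.otel.exporter.otlp.traces.* or
...metrics.*) overrides its generic counterpart, as in the OpenTelemetry SDK's
environment-variable convention; only a generic endpoint gets /v1/{signal}
appended for http/protobuf, as this page describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PREFIX = "uc.otel.exporter.otlp."

# Constructed sample configuration, not from a real installation.
SAMPLE = {
    "uc.otel.sdk.disabled": "false",
    PREFIX + "protocol": "http/protobuf",
    PREFIX + "endpoint": "https://collector.example.internal:4318",
    PREFIX + "certificate": "/etc/uc/otel-ca.pem",
    PREFIX + "headers": "Authorization=Bearer REDACTED,x-tenant=ops",
    PREFIX + "metrics.protocol": "grpc",
    PREFIX + "metrics.endpoint": "http://collector.example.internal:4317",
    PREFIX + "metrics.compression": "gzip",
}


@dataclass
class ExporterConfig:
    signal: str
    enabled: bool
    protocol: str = "grpc"
    endpoint: Optional[str] = None
    certificate: Optional[str] = None
    client_key: Optional[str] = None
    client_certificate: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)
    compression: Optional[str] = None
    timeout_ms: int = 10000
    warnings: List[str] = field(default_factory=list)


def parse_headers(value: str) -> Dict[str, str]:
    """Split the comma-separated key=value list used by the *.headers properties."""
    headers: Dict[str, str] = {}
    for pair in (p.strip() for p in value.split(",")):
        if pair:
            key, _, val = pair.partition("=")
            headers[key.strip()] = val.strip()
    return headers


def resolve(props: Dict[str, str], signal: str) -> ExporterConfig:
    """Effective exporter settings for signal 'traces' or 'metrics'."""
    def pick(suffix: str) -> Optional[str]:
        # signal-specific first, then generic (assumed precedence, see docstring)
        return props.get(f"{PREFIX}{signal}.{suffix}", props.get(PREFIX + suffix))

    disabled = props.get("uc.otel.sdk.disabled", "false").lower() == "true"
    exporter = props.get(f"uc.otel.{signal}.exporter", "otlp")
    cfg = ExporterConfig(signal=signal, enabled=not disabled and exporter != "none")
    if not cfg.enabled:
        return cfg
    cfg.protocol = pick("protocol") or "grpc"
    endpoint = props.get(f"{PREFIX}{signal}.endpoint")
    generic = props.get(PREFIX + "endpoint")
    if endpoint is None and generic is not None:
        # page rule: with http/protobuf the version and signal are appended to the path
        endpoint = generic.rstrip("/") + f"/v1/{signal}" if cfg.protocol == "http/protobuf" else generic
    cfg.endpoint = endpoint
    cfg.certificate = pick("certificate")
    cfg.client_key = pick("client.key")
    cfg.client_certificate = pick("client.certificate")
    cfg.headers = parse_headers(pick("headers") or "")
    cfg.compression = pick("compression")
    cfg.timeout_ms = int(pick("timeout") or 10000)

    scheme = urlsplit(endpoint).scheme if endpoint else ""
    if endpoint is None:
        cfg.warnings.append("no endpoint configured")
    elif scheme not in ("http", "https"):
        cfg.warnings.append(f"endpoint scheme {scheme!r} is not http or https")
    elif scheme == "http":
        if cfg.certificate or cfg.client_key:
            cfg.warnings.append("TLS material configured but endpoint scheme is http")
        if any(k.lower() == "authorization" for k in cfg.headers):
            cfg.warnings.append("Authorization header would be sent without TLS")
    if bool(cfg.client_key) != bool(cfg.client_certificate):
        cfg.warnings.append("client key and client certificate must be configured together")
    return cfg
```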


uc.otel.exporter.otlp.compression

The compression type to use on OTLP trace and metric requests. Options include gzip.

Default: By default, no compression will be used.


uc.otel.exporter.otlp.traces.compression

The compression type to use on OTLP trace requests. Options include gzip.

Default: By default, no compression will be used.


uc.otel.exporter.otlp.metrics.compression

The compression type to use on OTLP metric requests. Options include gzip.

Default: By default, no compression will be used.


uc.otel.exporter.otlp.timeout

The maximum waiting time, in milliseconds, allowed to send each OTLP trace or metric batch.

Default: 10000


uc.otel.exporter.otlp.traces.timeout

The maximum waiting time, in milliseconds, allowed to send each OTLP trace batch.

Default: 10000


uc.otel.exporter.otlp.metrics.timeout

The maximum waiting time, in milliseconds, allowed to send each OTLP metric batch.

Default: 10000


uc.otel.exporter.otlp.metrics.temporality.preference

The preferred output aggregation temporality. Options include DELTA, LOWMEMORY, and CUMULATIVE. With CUMULATIVE, all instruments have cumulative temporality. With DELTA, counters (sync and async) and histograms are delta, and up-down counters (sync and async) are cumulative. With LOWMEMORY, sync counters and histograms are delta, and async counters and up-down counters (sync and async) are cumulative.

Default: CUMULATIVE


uc.otel.exporter.otlp.metrics.default.histogram.aggregation

The preferred default histogram aggregation. Options are:

  • BASE2_EXPONENTIAL_BUCKET_HISTOGRAM
  • EXPLICIT_BUCKET_HISTOGRAM

Default: EXPLICIT_BUCKET_HISTOGRAM


For Prometheus Metrics

uc.prometheus.metrics.uc_history_total.optional_labels

Specifies optional labels for the uc_history_total metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services
  • task_instance_exit_code

For example:

uc.prometheus.metrics.uc_history_total.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_task_instance_duration_seconds.optional_labels

Specifies optional labels for the uc_task_instance_duration_seconds metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services

For example:

uc.prometheus.metrics.uc_task_instance_duration_seconds.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_task_instance_early_finish_total.optional_labels

Specifies optional labels for the uc_task_instance_early_finish_total metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services

For example:

uc.prometheus.metrics.uc_task_instance_early_finish_total.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_task_instance_late_finish_total.optional_labels

Specifies optional labels for the uc_task_instance_late_finish_total metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services

For example:

uc.prometheus.metrics.uc_task_instance_late_finish_total.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_task_instance_late_start_total.optional_labels

Specifies optional labels for the uc_task_instance_late_start_total metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services

For example:

uc.prometheus.metrics.uc_task_instance_late_start_total.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_task_instance_launch_total.optional_labels

Specifies optional labels for the uc_task_instance_launch_total metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services

For example:

uc.prometheus.metrics.uc_task_instance_launch_total.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_universal_event_total.optional_labels

Specifies optional labels for the uc_universal_event metric. The property value is specified as a comma-delimited list of optional labels. Options are:

  • agent_id
  • task_name
  • security_business_services

For example:

uc.prometheus.metrics.uc_universal_event_total.optional_labels=agent_id,task_name

Default: (none)


uc.prometheus.metrics.uc_task_instance_duration_seconds.buckets

Specifies the buckets to use for the uc_task_instance_duration_seconds histogram. The property value is specified as a comma-delimited list of double or integer values.

For example:

uc.prometheus.metrics.uc_task_instance_duration_seconds.buckets=1,2.5,5,10,15,30,45,60,150,300,600,900,1800,2700,3600

Default: (none)


For Session Validation

uc.session.validation.remote_addr.proxy_headers

If uc.session.validation.remote_addr.use_proxy_headers is true, specifies a comma-delimited list of proxy headers to use.

Assuming the Remote Address from the request is a trusted proxy, Universal Controller will iterate over the specified proxy headers, in specified order, until it finds a non-null value.

If none of the specified proxy headers have a non-null value, the Remote Address from the request is used.

If using the X-Forwarded-For header, the Client IP is extracted as the first entry from the delimited list of IPs.

X-Forwarded-For: <client>, <proxy>
X-Forwarded-For: <client>, <proxy>, …, <proxyN>

Default: X-Forwarded-For,X-Real-IP


uc.session.validation.remote_addr.trusted_proxies

If uc.session.validation.remote_addr.use_proxy_headers is true, specifies a comma-delimited list of trusted proxy IPs.

If the Remote Address from the request matches one of the specified trusted proxy IPs, Universal Controller will use uc.session.validation.remote_addr.proxy_headers to determine the Client IP; otherwise, the Remote Address from the request is used.

By default, uc.session.validation.remote_addr.use_proxy_headers is false. If you set it to true, it is recommended that you also configure this property; otherwise, all proxy IPs will be trusted.

Default: *


uc.session.validation.remote_addr.use_proxy_headers

Specifies (true or false) if the Universal Controller should use proxy headers when binding the Remote Address (Client IP) to the authenticated session.

See also:

  • uc.session.validation.remote_addr.trusted_proxies
  • uc.session.validation.remote_addr.proxy_headers

Default: false


uc.session.validation.remote_addr.validate

Specifies (true or false) if the Universal Controller should bind the Remote Address (Client IP) to the authenticated session and monitor for changes.

If a change is detected, the user session will be invalidated immediately.

Any detected change will be logged and audited.

By default, the Remote Address from the request is used for the Client IP.

If you need to use a proxy header, see the following properties:

  • uc.session.validation.remote_addr.use_proxy_headers
  • uc.session.validation.remote_addr.trusted_proxies
  • uc.session.validation.remote_addr.proxy_headers

Default: true


uc.session.validation.user_agent.validate

Specifies (true or false) if the Universal Controller should bind the User-Agent header to the authenticated session and monitor for changes.

If a change is detected, the user session will be invalidated immediately.

Any detected change will be logged and audited.

Default: true
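As an added example, not Stonebranch code, the following Python models the behaviour described above for uc.session.validation.remote_addr.* and uc.session.validation.user_agent.*: deriving the Client IP through trusted proxies and the configured header order, binding it and the User-Agent to the authenticated session, and invalidating and auditing the session on any change. How '*' in trusted_proxies is matched, the exact-string IP comparison and the sample addresses are assumptions.

```python
"""Proxy-aware Client IP derivation and session binding (added example).

Not Stonebranch code: it models the behaviour this page describes for the
uc.session.validation.remote_addr.* and uc.session.validation.user_agent.*
properties. Assumptions: a trusted_proxies value of '*' trusts every proxy,
IPs are compared as exact strings, header names match case-insensitively.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NS = "uc.session.validation."
DEFAULTS = {  # defaults as listed on this page
    NS + "remote_addr.validate": "true",
    NS + "remote_addr.use_proxy_headers": "false",
    NS + "remote_addr.trusted_proxies": "*",
    NS + "remote_addr.proxy_headers": "X-Forwarded-For,X-Real-IP",
    NS + "user_agent.validate": "true",
}


def _get(cfg: Dict[str, str], key: str) -> str:
    return cfg.get(NS + key, DEFAULTS[NS + key]).strip()


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def client_ip(cfg: Dict[str, str], remote_addr: str, headers: Dict[str, str]) -> str:
    """Client IP as this page describes: proxy headers count only when enabled and
    only when the Remote Address is a trusted proxy; the first non-null header in
    the configured order wins, X-Forwarded-For contributing its first entry."""
    if _get(cfg, "remote_addr.use_proxy_headers").lower() != "true":
        return remote_addr
    trusted = [p.strip() for p in _get(cfg, "remote_addr.trusted_proxies").split(",")]
    if "*" not in trusted and remote_addr not in trusted:
        return remote_addr  # untrusted sender: its own address is the client
    for name in (h.strip() for h in _get(cfg, "remote_addr.proxy_headers").split(",")):
        value = _header(headers, name)
        if value is not None and value.strip():
            if name.lower() == "x-forwarded-for":
                return value.split(",")[0].strip()
            return value.strip()
    return remote_addr


@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str
    valid: bool = True


@dataclass
class SessionValidator:
    cfg: Dict[str, str]
    audit_log: List[str] = field(default_factory=list)

    def bind(self, user: str, remote_addr: str, headers: Dict[str, str]) -> Session:
        """Bind Client IP and User-Agent to a freshly authenticated session."""
        return Session(user, client_ip(self.cfg, remote_addr, headers),
                       _header(headers, "User-Agent") or "")

    def check(self, session: Session, remote_addr: str, headers: Dict[str, str]) -> bool:
        """Re-derive both values for a request; on any change invalidate and audit."""
        if not session.valid:
            return False
        changes: List[str] = []
        if _get(self.cfg, "remote_addr.validate").lower() == "true":
            now_ip = client_ip(self.cfg, remote_addr, headers)
            if now_ip != session.client_ip:
                changes.append(f"Remote Address {session.client_ip} -> {now_ip}")
        if _get(self.cfg, "user_agent.validate").lower() == "true":
            now_ua = _header(headers, "User-Agent") or ""
            if now_ua != session.user_agent:
                changes.append(f"User-Agent {session.user_agent!r} -> {now_ua!r}")
        if changes:
            session.valid = False
            self.audit_log.append(f"session of {session.user} invalidated: " + "; ".join(changes))
            return False
        return True
```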


uc.audit.time_window.maximum

Specifies a maximum, in hours, for the Audit Time Constraint (minimum = 5, maximum = 2147483647).

Any Audit Time Constraint option that exceeds the configured maximum will no longer be available for selection from the drop-down.

Default: 2147483647


uc.backup.activity.numofdays.maximum

Specifies a maximum for the Days Older Than of an Activity Data Backup/Purge configuration (minimum = 1, maximum = 2147483647).

Default: 2147483647


uc.backup.audit.numofdays.maximum

Specifies a maximum for the Days Older Than of an Audit Data Backup/Purge configuration (minimum = 1, maximum = 2147483647).

Default: 2147483647


uc.backup.history.numofdays.maximum

Specifies a maximum for the Days Older Than of a History Data Backup/Purge configuration (minimum = 1, maximum = 2147483647).

Default: 2147483647


uc.cli.result_limit.maximum

Specifies a maximum for the CLI/Web Service Result Limit property configuration (minimum = 1, maximum = 2147483647).

Default: 2147483647


uc.date.formats

Accepted input date formats for Date Functions and Stored Procedure parameters. Formats can vary, but years must be defined with four digits (yyyy). Formats are used on a "first match" basis.

For example:

uc.date.formats=yyyy/MM/dd;dd/MM/yyyy


uc.email.attachments.local.path

Directory location from which files can be attached for a specific Cluster Node / Server. You must specify a location in this property for the Attach Local File field to display in the Email Task and Email Notification Details.

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.

info

This property is local to the Cluster Node and must be specified on each Node based upon the path for that Node. Each Node can have a different path, but the paths should point to the same shared physical location in order to achieve the expected behavior. Best practice is to use the same path on each Node.


uc.action.email_notification.attach_output.subscription.timeout_in_seconds

Number of seconds for Email Notification output timeout.

Default: 180


uc.export.client.fetch_limit.maximum

Specifies a maximum for the Client Export Fetch Limit property configuration (minimum = 100, maximum = 2147483647).

Default: 2147483647


uc.history.time_window.maximum

Specifies a maximum, in hours, for the History Time Constraint (minimum = 5, maximum = 2147483647).

Any History Time Constraint option that exceeds the configured maximum will no longer be available for selection from the drop-down.

Default: 2147483647


uc.keymanager.algorithm

Java key manager algorithm.

  • For IBM AIX, the value must be IbmX509.
  • For all other platforms, use the default value.

If no value is specified, the configured JVM default will be used.


uc.keymanager.client.alias

If multiple certificates reside in the keystore that could match the OMS server's certificate request, specifying an alias ensures that the intended client certificate is presented to the OMS server.


uc.keymanager.keystore

Location of the keystore which holds certificates and keys.


uc.keymanager.keystore.password

Password (if required) for the keystore. Upon start-up, this property is replaced in the uc.properties file by uc.keymanager.keystore.password.encrypted.


uc.keymanager.provider

Java key manager provider.

  • For IBM AIX, the value must be IBMJSSE2.
  • For all other platforms, use the default value.

If no value is specified, the configured JVM default will be used.


uc.logging.appenders

Location of Universal Controller logging. The property value is specified as a comma-delimited list of optional labels. Options are:

  • console
  • file
  • none

When the property is not configured, the default value is file, which behaves the same as previous releases and is equivalent to specifying the following:

uc.logging.appenders=file

For containers, or any other situation where logging should go strictly to the console (stdout) rather than to a rolling file, specify the following in the uc.properties file:

uc.logging.appenders=console

If no logging is required, then the following would be specified in the uc.properties file:

uc.logging.appenders=none

If the property is specified but its value contains none of the valid entries listed above, the default value of file is used.

Default: file


uc.mbean.catalina.manager.name

The Controller uses the Catalina:type=Manager MBean for the User Sessions feature.

To determine the Manager MBean object name, the Controller dynamically determines the context. For example:

Catalina:type=Manager,context=/uc,host=localhost

If the following error appears in the Console while you are using the User Sessions feature, you may need to configure this property manually:

Universal Controller not configured for user session operations.

In the uc.log, you would see the following:

javax.management.InstanceNotFoundException: Catalina:type=Manager,context=/uc,host=localhost


uc.node.transient

Specifies (true or false) if the node is a transient Cluster Node.

Default: false


uc.oms.service_timeout

Sets the OMS service timeout value specifying the number of seconds of inactivity before a timeout exception will be thrown.

For example, the serviceTimeout value in effect is shown in the OMSServerConnection entry in the uc.log. With the default (180 seconds):

2021-08-04-21:12:25:542 -0400 INFO [UC.OMS.Monitor.0] Created: OMSServerConnection [userName=null, clientId=ops.controller.f9a86ee2bd5e4928b3173b186e0feb3c, clientInstance=15296bc7-e994-49eb-a6cf-0ecbf72d5f2f, transportAddresses=OMSTransportAddress [[localhost/127.0.0.1:7878]], nft=true, socketTimeout=30, serviceTimeout=180, authenticateServer=false, serverAddress=null, nextSessionId=0, isClosing=false, connectionInstance=1]

uc.oms.service_timeout=300

OMSServerConnection [userName=null, clientId=ops.controller.f9a86ee2bd5e4928b3173b186e0feb3c, clientInstance=96e45eb5-c513-489a-8746-6223e962e901, transportAddresses=OMSTransportAddress [[localhost/127.0.0.1:7878]], nft=true, socketTimeout=30, serviceTimeout=300, authenticateServer=false, serverAddress=null, nextSessionId=0, isClosing=false, connectionInstance=1]

Default: 180


uc.overdue.timer.startup.threshold

Maximum number of days after which an overdue trigger is considered "stale/expired."

Default: 2


uc.property.refresh_interval_in_seconds

Specifies how often (in seconds) the controller refreshes the property file. Properties updated during the refresh include:

  • uc.db.url
  • uc.db.user
  • uc.db.password
  • uc.db.secrets_provider
  • uc.db.secrets_provider.*
  • uc.license
  • uc.email.attachments.local.path
  • uc.otel.sdk.disabled
  • uc.otel.traces.exporter
  • uc.otel.metrics.exporter
  • uc.otel.exporter.otlp.*
  • uc.property.refresh_interval_in_seconds

Default: 300


uc.report.scheduled.fetch_limit.maximum

Specifies a maximum for the Scheduled Report Fetch Limit property configuration (minimum = 1, maximum = 2147483647).

Default: 2147483647


uc.servlet.port

Port number used by Tomcat.

Default: 8080


uc.target_task_instances.tab.time_window.maximum

Specifies a maximum, in hours, for the Target Task Instances Tab Time Constraint (minimum = 5, maximum = 2147483647).

Any Target Task Instances Tab Time Constraint option that exceeds the configured maximum will no longer be available for selection from the drop-down.

Default: 2147483647


uc.task.sap.credential_type.required.compatibility_mode

If the SAP Credential Type Required system property is enabled, specifies (true or false) if an SAP Task will continue to run (instead of ending in Start Failure) when referencing a non-SAP-type Credential (at the task level SAP Credentials or job step level SAP User Credentials).

Default: false


uc.task.sap.rpc.timeout

Sets the timeout value in seconds for the SAP RPC calls.

Default: 120


uc.task.sap.username.restricted.compatibility_mode

If the SAP User Name Restricted system property is enabled, specifies (true or false) if an SAP Task will continue to run (instead of ending in Start Failure) when a job step specifies an SAP User Name.

Default: false


uc.task.zos.view_edit_jcl.timeout

Sets the JCL service timeout value specifying the number of seconds to wait for the agent response before a timeout exception will be thrown.

Default: 60


uc.task_instances.tab.time_window.maximum

Specifies a maximum, in hours, for the Task Instances Tab Time Constraint (minimum = 5, maximum = 2147483647).

Any Task Instances Tab Time Constraint option that exceeds the configured maximum will no longer be available for selection from the drop-down.

Default: 2147483647


uc.task_instances.time_window.maximum

Specifies a maximum, in hours, for the Task Instances Time Constraint (minimum = 5, maximum = 2147483647).

Any Task Instances Time Constraint option that exceeds the configured maximum will no longer be available for selection from the drop-down.

Default: 2147483647


uc.trigger_task_instances.tab.time_window.maximum

Specifies a maximum, in hours, for the Trigger Task Instances Tab Time Constraint (minimum = 5, maximum = 2147483647).

Any Trigger Task Instances Tab Time Constraint option that exceeds the configured maximum will no longer be available for selection from the drop-down.

Default: 2147483647


uc.ui.session_timeout

Default browser session timeout, in minutes. To use the Tomcat session configuration (default 30 minutes), set this property to 0.

Default: 30


uc.web_service.allow_unknown_properties

Specifies (true or false) whether web service APIs will fail if the request payload contains unknown properties.

Default: false


uc.web_service.httpclient.socket.keep_alive

Specifies (true or false) whether TCP socket keep-alive option is enabled for HTTP(S)/REST Web Service Tasks.

Default: false


Secrets Provider Properties

The uc.db.secrets_provider property specifies which secrets provider the controller will use for the database password.

The controller will then load all the properties associated with the specified provider.

info

By default, the controller automatically refreshes the uc.properties file every 5 minutes to accommodate changes to this property without requiring a restart. To change the property refresh interval, see uc.property.refresh_interval_in_seconds.

The properties that will be loaded by the controller for each provider are listed below.

AWS Secrets Manager

uc.db.secrets_provider.aws_secrets_manager.access_key_id

Required: true

The AWS access key, used to identify the user interacting with AWS.


uc.db.secrets_provider.aws_secrets_manager.secret_access_key

Required: true

The AWS secret access key, used to authenticate the user interacting with AWS.


uc.db.secrets_provider.aws_secrets_manager.region

Required: true

The region name (e.g., us-east-1).


uc.db.secrets_provider.aws_secrets_manager.secret_id

Required: true

The ARN or name of the secret to retrieve.


uc.db.secrets_provider.aws_secrets_manager.secret_password_key

Required: false

If this secret was created by using the console, then Secrets Manager stores the information as a JSON structure of key/value pairs.

Specifies the key for the password in the JSON structure.

  • If left unspecified, the password will evaluate to the entire secret value.


uc.db.secrets_provider.aws_secrets_manager.secret_passphrase_key

Required: false

Specifies the key for the passphrase in the JSON structure.

  • If left unspecified, the passphrase will be undefined.


uc.db.secrets_provider.aws_secrets_manager.secret_token_key

Required: false

Specifies the key for the token in the JSON structure.

  • If left unspecified, the token will be undefined.


uc.db.secrets_provider.aws_secrets_manager.cache_ttl

Required: false

The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made.

Default: 3600 seconds (1 hour)
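The following is an added example (not Stonebranch code) that applies the secret_password_key, secret_passphrase_key and secret_token_key rules above to a fetched secret value, and models the cache_ttl behaviour: the provider is contacted again only once the TTL has elapsed. The fetch callable and sample secret are constructed stand-ins, not the real AWS call.

```python
# Added example (not Stonebranch code): apply the secret_*_key rules to an
# AWS Secrets Manager value, behind a cache_ttl-style expiry.
import json
import time


def resolve_secret(raw_value, password_key=None, passphrase_key=None, token_key=None):
    """Return {password, passphrase, token} per the *_key properties.

    No password_key: the password is the entire secret value. An unspecified
    passphrase or token key leaves that field undefined (None).
    """
    if password_key is None and passphrase_key is None and token_key is None:
        return {"password": raw_value, "passphrase": None, "token": None}
    data = json.loads(raw_value)  # a *_key was given, so the value must be JSON
    if not isinstance(data, dict):
        raise ValueError("secret value is not a JSON object of key/value pairs")
    return {  # a named key that is absent from the JSON raises KeyError on purpose
        "password": data[password_key] if password_key else raw_value,
        "passphrase": data[passphrase_key] if passphrase_key else None,
        "token": data[token_key] if token_key else None,
    }


class CachedSecret:
    """Calls fetch() again only once cache_ttl seconds have elapsed (AWS default 3600)."""

    def __init__(self, fetch, cache_ttl=3600, clock=time.monotonic):
        self.fetch, self.ttl, self.clock = fetch, cache_ttl, clock
        self.value, self.expires_at = None, float("-inf")

    def get(self):
        now = self.clock()
        if now >= self.expires_at:  # expired (or never fetched): go to the provider
            self.value = self.fetch()
            self.expires_at = now + self.ttl
        return self.value


# Constructed sample secret, as stored when created via the console (JSON).
SAMPLE_SECRET = '{"username": "uc", "password": "placeholder-pw", "token": "placeholder-tok"}'
```

The TTL sets the worst-case delay before a rotated database password is picked up, so choose cache_ttl with the rotation schedule in mind.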

Azure Key Vault

uc.db.secrets_provider.azure_key_vault.key_vault_name

Required: true

The name of the Key Vault used to build the vault URL to send HTTP requests to.

  • https://<your-key-vault-name>.vault.azure.net


uc.db.secrets_provider.azure_key_vault.secret_name

Required: true

The name of the secret.


uc.db.secrets_provider.azure_key_vault.client_id

Required: true

The client (application) ID.


uc.db.secrets_provider.azure_key_vault.tenant_id

Required: true

The Azure Active Directory tenant (directory) ID.


uc.db.secrets_provider.azure_key_vault.client_secret

The client secret used to authenticate.

  • Only one of CLIENT_SECRET, CLIENT_ASSERTION, PEM_CERTIFICATE, or PFX_CERTIFICATE can be specified.


uc.db.secrets_provider.azure_key_vault.client_assertion

The client assertion used to authenticate.

  • Only one of CLIENT_SECRET, CLIENT_ASSERTION, PEM_CERTIFICATE, or PFX_CERTIFICATE can be specified.


uc.db.secrets_provider.azure_key_vault.pem_certificate

The path of the PEM certificate used for authenticating.

  • Only one of CLIENT_SECRET, CLIENT_ASSERTION, PEM_CERTIFICATE, or PFX_CERTIFICATE can be specified.


uc.db.secrets_provider.azure_key_vault.pfx_certificate

The path of the PFX certificate used for authenticating.

  • Only one of CLIENT_SECRET, CLIENT_ASSERTION, PEM_CERTIFICATE, or PFX_CERTIFICATE can be specified.


uc.db.secrets_provider.azure_key_vault.pfx_certificate_password

The password for the PFX certificate.

  • Required if the PFX_CERTIFICATE is specified.


uc.db.secrets_provider.azure_key_vault.cache_ttl

Required: false

The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made.

Default: 28800 seconds (8 hours)

CyberArk Credential Provider

uc.db.secrets_provider.cyberark_credential_provider.application_id

Required: true

The unique ID of the application issuing the password request.


uc.db.secrets_provider.cyberark_credential_provider.safe

Required: true

The name of the Safe where the password is stored.


uc.db.secrets_provider.cyberark_credential_provider.folder

Required: true

The name of the folder where the password is stored.


uc.db.secrets_provider.cyberark_credential_provider.object

Required: true

The name of the password object to retrieve.


uc.db.secrets_provider.cyberark_credential_provider.reason

Required: false

The reason for retrieving the password.


uc.db.secrets_provider.cyberark_credential_provider.cache_ttl

Required: false

The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made.

Default: 5 seconds

CyberArk Central Credential Provider

uc.db.secrets_provider.cyberark_central_credential_provider.host

Required: true

The hostname of the Central Credential Provider.


uc.db.secrets_provider.cyberark_central_credential_provider.port

Required: true

The port of the Central Credential Provider.


uc.db.secrets_provider.cyberark_central_credential_provider.application_id

Required: true

The unique ID of the application issuing the password request.


uc.db.secrets_provider.cyberark_central_credential_provider.safe

Required: true

The name of the Safe where the password is stored.


uc.db.secrets_provider.cyberark_central_credential_provider.folder

Required: true

The name of the folder where the password is stored.


uc.db.secrets_provider.cyberark_central_credential_provider.object

Required: true

The name of the password object to retrieve.


uc.db.secrets_provider.cyberark_central_credential_provider.keystore

Required: true

The path of the keystore containing the client certificate used for authenticating.


uc.db.secrets_provider.cyberark_central_credential_provider.keystore_password

Required: false

The password used to unlock the keystore.


uc.db.secrets_provider.cyberark_central_credential_provider.keystore_type

Required: false

The type of keystore.

  • JKS
    • The proprietary keystore implementation provided by the SUN provider.
  • PKCS12
    • The transfer syntax for personal identity information as defined in PKCS #12.

Default: PKCS12


uc.db.secrets_provider.cyberark_central_credential_provider.keystore_alias

Required: false

The name of a specific entry in the keystore to use.


uc.db.secrets_provider.cyberark_central_credential_provider.cache_ttl

Required: false

The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made.

Default: 5 seconds
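The following is an added example (not Stonebranch code) of a pre-start check that reads a uc.properties file and verifies the secrets provider section against the rules in the four tables above: every required property is present for the chosen provider, at most one Azure credential type is set, pfx_certificate_password accompanies pfx_certificate, and a plaintext uc.db.password is flagged when a provider is also configured. The minimal properties parser and the sample file are constructed for the example.

```python
# Added example (not Stonebranch code): lint the secrets-provider section of a
# uc.properties file against the per-provider rules documented above.
REQUIRED = {
    "aws_secrets_manager": ["access_key_id", "secret_access_key", "region", "secret_id"],
    "azure_key_vault": ["key_vault_name", "secret_name", "client_id", "tenant_id"],
    "cyberark_credential_provider": ["application_id", "safe", "folder", "object"],
    "cyberark_central_credential_provider": ["host", "port", "application_id",
                                             "safe", "folder", "object", "keystore"],
}
AZURE_AUTH = ["client_secret", "client_assertion", "pem_certificate", "pfx_certificate"]

def parse_properties(text):
    """Minimal key=value parser: '#' comment lines and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_secrets_provider(props):
    """Return a list of problems; an empty list means the section is consistent."""
    provider = props.get("uc.db.secrets_provider")
    if provider is None:
        return []  # no provider configured: nothing to check
    if provider not in REQUIRED:
        return [f"unknown provider {provider!r}"]
    prefix = f"uc.db.secrets_provider.{provider}."
    problems = [f"missing required {prefix}{n}" for n in REQUIRED[provider]
                if not props.get(prefix + n)]
    if provider == "azure_key_vault":
        chosen = [m for m in AZURE_AUTH if props.get(prefix + m)]
        if len(chosen) > 1:  # the tables allow only one credential type
            problems.append("only one Azure credential type allowed, found " + ", ".join(chosen))
        if props.get(prefix + "pfx_certificate") and not props.get(prefix + "pfx_certificate_password"):
            problems.append("pfx_certificate_password is required with pfx_certificate")
    if props.get("uc.db.password"):
        problems.append("uc.db.password is also set; confirm which value is meant to be in effect")
    return problems

# Constructed sample: Azure config missing secret_name and tenant_id, with two
# credential types, an unprotected PFX and a plaintext DB password alongside it.
SAMPLE = """uc.db.secrets_provider=azure_key_vault
uc.db.secrets_provider.azure_key_vault.key_vault_name=example-vault
uc.db.secrets_provider.azure_key_vault.client_id=11111111-2222-3333-4444-555555555555
uc.db.secrets_provider.azure_key_vault.client_secret=placeholder
uc.db.secrets_provider.azure_key_vault.pfx_certificate=/etc/uc/uc.pfx
uc.db.password=pswd
"""
```

Running lint_secrets_provider(parse_properties(SAMPLE)) reports five problems for the constructed file; run the check before restarting Tomcat so a misconfigured provider is caught before the Controller fails to reach the database.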

Sample uc.properties File


# DB
uc.db.rdbms=mysql
uc.db.url=jdbc:mysql://localhost/
# MYSQL
# uc.db.mysql.character_encoding=UTF-8
# uc.db.rdbms=mysql
# uc.db.url=jdbc:mysql://localhost/
# MS SQLSERVER
# uc.db.rdbms=sqlserver
# uc.db.url=jdbc:sqlserver://localhost:1433;DatabaseName=uc
# ORACLE
# uc.db.rdbms=oracle
# uc.db.url=jdbc:oracle:thin:@//localhost:1521/@oracle.db.name@
#
# COMMON
#
# trust manager algorithm & provider
# uc.trustmanager.algorithm=SunX509
# uc.trustmanager.provider=SunJSSE
# uc.trustmanager.ssl.protocols=TLSv1,TLSv1.1,TLSv1.2
#
uc.db.user=root
uc.db.password=pswd
uc.db.name=uc
uc.servlet.port=8080
uc.ui.session_timeout=30