Configuration File

The Configuration File is the central setup point for UDMG. While Endpoints, Pipelines, and other Configuration Items are managed through the UDMG Admin UI or UDMG REST API, most of global and system-level settings are defined here.

On the host where the UDMG Server is installed, the file is located at:

/opt/udmg/etc/udmg-server.hcl

This file uses HCL (HashiCorp Configuration Language) to express structured configuration in a clear, declarative format.

UDMG also supports a set of custom functions (not part of standard HCL) for dynamic values—see Custom Functions below.

What is HCL?

The UDMG Server configuration file is written in HCL (HashiCorp Configuration Language), a human-friendly syntax for structured configuration.

Key points about HCL:

Blocks group related settings inside curly braces ({}). For example, the api block contains all API-related options.
Arguments are key-value pairs defined within blocks. Each argument has a name (the key) and a value.
Argument names are unique within their block and describe the purpose of the setting.

Dot Notation

Throughout this documentation we use dot notation to reference nested arguments.

This notation is used only in the documentation for clarity. In the actual HCL file, arguments are defined within their respective blocks, not as dot-separated keys.

Dot notation examples
api {
  port =        # Referenced as: api.port
  
  secure {
    enable =    # Referenced as: api.secure.enable
  }
}

Time Duration Format and Allowed Units

Several configuration arguments accept time durations (for example, "30s" or "15m"). A duration is written as a string with:

A decimal number (optionally with a fraction), followed by
A unit suffix.

You can also combine multiple number+unit segments in a single value to express longer or more precise durations.

Examples:

"30s" = 30 seconds
"0.5s" = half a second
"250ms" = 250 milliseconds
"2h45m" = 2 hours and 45 minutes

Allowed time units:

ns for nanoseconds
us for microseconds
ms for milliseconds
s for seconds
m for minutes
h for hours

Arguments by Block

This section lists all configurable arguments available in udmg-server.hcl. Arguments are grouped by configuration block (including the root level). For every argument, the table shows its name, description, type, and default value—helping you quickly understand what it controls and how to set it.

info

All HCL arguments described on this page use dot notation to reference their full path from the root of the configuration file.

Root Level

Top-level arguments define global behavior for the UDMG Server. These settings apply across all domains and act as defaults for path resolution and runtime behavior.

HCL Argument Name Description Value Type Default Value

instance_name Name reported in observability metrics and logs for this UDMG Server instance. In High-Availability deployments, set a unique value per Cluster Node so telemetry can be attributed correctly. string "udmg-server"

auto_migrate When enabled, UDMG automatically applies any required database schema migrations during startup. This is typically needed when upgrading to a more recent UDMG version. bool true

HCL Argument Name	Description	Value Type	Default Value
`instance_name`	Name reported in observability metrics and logs for this UDMG Server instance. In High-Availability deployments, set a unique value per Cluster Node so telemetry can be attributed correctly.	`string`	`"udmg-server"`
`auto_migrate`	When enabled, UDMG automatically applies any required database schema migrations during startup. This is typically needed when upgrading to a more recent UDMG version.	`bool`	`true`
`work_directory_path`	Defines the current working directory for the UDMG Server. For Endpoints, this path acts as a hard root (similar to a chroot jail). Endpoint paths are always resolved inside this directory and cannot reference absolute paths outside of it. Exceptionally, this can be disabled by setting the base working directory to `/`. For other Configuration Items and arguments, it serves as the base directory for resolving relative paths. In these cases, you may still specify an absolute path to override it.	`string`	`""`

work_directory_path

Defines the current working directory for the UDMG Server.

For Endpoints, this path acts as a hard root (similar to a chroot jail). Endpoint paths are always resolved inside this directory and cannot reference absolute paths outside of it. Exceptionally, this can be disabled by setting the base working directory to /.
For other Configuration Items and arguments, it serves as the base directory for resolving relative paths. In these cases, you may still specify an absolute path to override it.

string

""

`admin_app`

The admin_app block configures the embedded web server that serves the UDMG Admin UI. Use these settings to control how the Admin UI is exposed and secured.

HCL Argument Name	Description	Value Type	Default Value
`admin_app.enable`	Enables the embedded web server for UDMG Admin UI.	`bool`	`true`
`admin_app.path`	Path to admin app static files. Modify only in accordance with your Stonebranch contact person.	`string` (use embedded files)	`""`
`admin_app.url_path`	URL path for the UDMG Admin UI signin page.	`string`	`"/signin"`

`jwt`

The jwt block configures token-based authentication for the UDMG Admin UI and UDMG REST API. Use strong, unique keys and tune durations to balance security and usability.

HCL Argument Name Description Value Type Default Value

HCL Argument Name	Description	Value Type	Default Value
`jwt.signing_key`	Secret key for signing both access and refresh tokens. Must be at least 30 [a-zA-Z0-9_] characters. warning Change this default value to ensure the security of your system.	`string`	No default
`jwt.access_token.duration`	The validity duration of the access token. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"15m"`
`jwt.refresh_token.duration`	The validity duration of the refresh token. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"24h"`

jwt.signing_key

Secret key for signing both access and refresh tokens. Must be at least 30 [a-zA-Z0-9_] characters.

warning

Change this default value to ensure the security of your system.

string

No default

jwt.access_token.duration

The validity duration of the access token.

For allowed time units, see Time Duration Format and Allowed Units.

string

"15m"

jwt.refresh_token.duration

The validity duration of the refresh token.

For allowed time units, see Time Duration Format and Allowed Units.

string

"24h"

`database`

The database block defines the backend. Configure it to point UDMG Server to your production database and to enforce secure connections where required.

HCL Argument Name	Description	Value Type	Default Value
`database.engine`	The type of database engine to use. Options: `"mysql"` `"oracle"` `"mssql"` `"postgres"`	`string`	No default
`database.dsn`	Connection string override. If provided, overrides `database.name`, `database.hostname`, and `database.port`.	`string`	No default
`database.name`	The database name.	`string`	No default
`database.hostname`	The hostname or IP address of the database server.	`string`	No default
`database.port`	The port number for the database server.	`number`	No default
`database.user`	The username for connecting to the database.	`string`	No default
`database.password`	The password for connecting to the database.	`string`	No default
`database.options.max_connections`	The maximum number of open connections to the database.	`number`	`30`
`database.options.idle_connections`	The maximum number of connections in the idle connection pool.	`number`	`5`
`database.options.max_retries`	The maximum number of times to retry an operation if the database is locked.	`number`	`5`
`database.options.initial_interval`	The initial time duration to wait before retrying a locked operation. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"50ms"`
`database.options.max_interval`	The maximum time duration to wait between retries for a locked operation. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"1s"`
`database.secure.enable`	Enables or disables secure (TLS/SSL) connection to the database.	`bool`	`false`
`database.secure.mode`	The SSL mode to use. Availability depends on database engine. Allowed values: `"disable"` `"require"` `"verify-ca"` `"verify-full"` info Refer to PostgreSQL docs for details.	`string`	`"require"`
`database.secure.pub_key`	Path to certificate in PEM format for client authentication (required if enabled).	`string`	No default
`database.secure.priv_key`	Path to the client private key file (used for client certificate authentication, if `database.secure.enable` is `true`).	`string`	No default

`security`

The security block provides system-wide hardening toggles and recovery options. Use these settings to control what is exposed via the UDMG REST API and to guard against accidental lockouts.

HCL Argument Name	Description	Value Type	Default Value
`security.passphrase_key`	Root encryption key (K0) for encrypting secret value (passwords, credential private keys). Must be a valid 32-byte (64 characters) hexadecimal string. Keep secure, back up for disaster recovery.	`string`	No default
`security.domain_chroot`	Enable chroot for domains. Allowed values: `"NONE"` `"WORKDIR"` `"WORKDIR+DOMAIN"`	`string`	`"WORKDIR+DOMAIN"`
`security.work_directory_key_display`	If enabled, the `work_directory_path` is exposed under the UDMG REST API.	`bool`	`false`
`security.file_permissions`	Permissions for created files, specified as a standard Linux file mode.	`string`	`"600"`
`security.directory_permissions`	Permissions for created folders, specified as a standard Linux file mode.	`string`	`"700"`
`security.ignore_system_user_ip_filter`	Bypasses the IP Filtering - Admin UI restriction. Use this option only to recover from an accidental lockout.	`bool`	`false`
`security.password.min_length`	Minimum password length.	`number`	`8`
`security.password.min_upper_case`	Minimum number of uppercase characters in password.	`number`	`1`
`security.password.min_lower_case`	Minimum number of lowercase characters in password.	`number`	`1`
`security.password.min_numbers`	Minimum number of numbers in password.	`number`	`1`
`security.password.min_symbols`	Minimum number of symbols in password.	`number`	`1`

`log`

The log block controls how UDMG Server emits operational logs. Configure it to meet your observability and retention requirements. For more information, refer to Logging.

HCL Argument Name	Description	Value Type	Default Value
`log.level`	Log verbosity level. Messages of the specified severity level and higher are printed. Options: `"TRACE"` `"DEBUG"` `"INFO"` `"WARN"` `"ERROR"`	`string`	`"INFO"`
`log.format`	Format of the log output. Options: `"plain"` `"json"`	`string`	`"plain"`
`log.file`	Log file path. Supports environment variable expansion.	`string`	`""` (`stdout`)
`log.rotate.enable`	Enables or disables the log rotation feature. When enabled, log files are rotated as soon as one of the configured rotation conditions is met: The defined `log.rotate.frequency` interval has elapsed. The log file reaches the configured `log.rotate.size`. Only the size-based condition can be disabled.	`bool`	`false`
`log.rotate.frequency`	Time interval that triggers log rotation. Rotation occurs when this interval is reached, unless rotation is disabled. Options: `"daily"` `"weekly"` `"monthly"` `"quarterly"`	`string`	`"daily"`
`log.rotate.size`	Maximum log file size (in megabytes) before rotation is triggered. Checked every hour.	`number`	`0` (disabled)
`log.rotate.file_format`	Format for rotated log filenames. It can include directory structure and the following placeholders: `{YYYY}` (year) `{MM}` (month) `{DD}` (day) `{HH}` (hour) `{mm}` (minute) `{ss}` (second) `{ns}` (nanosecond)	`string`	`"{YYYY}{MM}{DD}/udmg-server{HH}{mm}{ss}{ns}.log"`

`api`

The api block configures the HTTP server that exposes the UDMG Admin UI and UDMG REST API (set api.secure.enable = true to serve them over HTTPS).

HCL Argument Name	Description	Value Type	Default Value
`api.inet`	IP address to bind for UDMG REST API connection requests. `0.0.0.0` listens on all available network interfaces.	`string`	`"0.0.0.0"`
`api.port`	The port number the API server listens on.	`string`	`"8080"`
`api.spec`	Enables or disables serving the OpenAPI specification (at `/spec` and `/swagger/index.html`).	`bool`	`false`
`api.csrf`	Enables or disables Cross-Site Request Forgery protection middleware. tip It is recommended to keep enabled.	`bool`	`true`
`api.trusted_domains`	List of UDMG Admin UI hostnames (including the port when it's not the default `443`) that the UDMG Server accepts as trusted sources. Example with default port: `["udmg.my-company.com"]` Example with custom port number: `["udmg-staging.my-company.com:9180"]` Example with several hostnames when the UDMG Admin UI can be reached through several URLs: `["udmg.my-company.com", "udmg-staging.my-company.com:9180"]`	`list(string)`	`[]`
`api.cors`	Enables or disables Cross-Origin Resource Sharing headers. info Required if accessing the API from a web frontend hosted on a different domain/port.	`bool`	`true`
`api.cors_domain`	Specifies the allowed origin domain(s) for CORS requests when `api.cors` is enabled. Use `"*"` for any domain (less secure).	`string`	`"*"`
`api.verbose`	Increase the verbosity for the logging of the API requests and responses (can be noisy).	`bool`	`false`
`api.rate_limit`	Global rate limiting for all UDMG REST API requests per minute.	`number`	`5000`
`api.allow_concurrent_user_login`	Controls whether multiple simultaneous sessions are permitted for the same User. When set to `false`, any existing user sessions will be terminated when a new login occurs. info This improves security by preventing multiple concurrent logins, but may disrupt legitimate multi-device usage.	`bool`	`true`
`api.secure.enable`	Enables or disables HTTPS for the API server. info If enabled, `api.secure.pub_key` and `api.secure.priv_key` are required.	`bool`	`false`
`api.secure.pub_key`	Path to the public SSL/TLS certificate file (PEM format). This certificate is presented by the UDMG Server to clients to validate the Server's identity and establish a secure HTTPS connection. The path is relative to the `work_directory_path` of the UDMG Server.	`string`	No default
`api.secure.priv_key`	Path to the private SSL/TLS key file (PEM format). This key is used by the UDMG Server to prove ownership of the certificate and to complete the TLS handshake, enabling encrypted communication over HTTPS. The path is relative to the `work_directory_path` of the UDMG Server.	`string`	No default

`wtc`

The wtc block defines configuration options for the Web Transfer Client (WTC) service, which enables HTTPS-based file transfers when UDMG acts as a HTTPS server.

HCL Argument Name	Description	Value Type	Default Value
`wtc.enable`	Enables or disables the WTC service. When disabled, the HTTPS listener for the Web Transfer Client will not start.	`bool`	`false`
`wtc.inet`	The IP address that the WTC listener binds to. Use `"0.0.0.0"` to listen on all network interfaces, or specify a local IP address to restrict the listener to that interface.	`string`	`"0.0.0.0"`
`wtc.port`	The TCP port number on which the WTC service listens for HTTPS connections. Must be between `1` and `65535`.	`string`	`"8443"`
`wtc.spec`	Enables serving of the OpenAPI specification (available at `/spec` and `/swagger/index.html`) for debugging or integration testing purposes.	`bool`	`false`
`wtc.default_domain`	Specifies the default UDMG Domain that the root WTC URL (for example, `https://example.com:4433`) redirects to when no domain path is provided.	`string`	`"primary"`
`wtc.max_public_connections`	Defines the maximum number of concurrent connections allowed for Shared Public Links (Web Transfer Client). The counter is maintained per UDMG Server node and is not shared across a Cluster.	`number`	`1000`
`wtc.secure.enable`	Enables HTTPS for the Web Transfer Client (WTC). When set to `true`, WTC serves all traffic over TLS and requires both `wtc.secure.pub_key` and `wtc.secure.priv_key` to be configured.	`bool`	`false`
`wtc.secure.pub_key`	Path to the public SSL/TLS certificate file (PEM format) used for encrypting HTTPS traffic. The path is relative to the `work_directory_path` unless an absolute path is provided.	`string`	No default
`wtc.secure.priv_key`	Path to the private key file (PEM format) associated with the public certificate. This key is required when `wtc.secure.enable = true` to complete the TLS handshake.	`string`	No default

`transfer`

The transfer block arguments only apply when UDMG is acting as a client. For related documentation, refer to Pipeline Types.

HCL Argument Name	Description	Value Type	Default Value
`transfer.retry_delay`	The base wait time before retrying a transfer after a connection or transfer error. Each retry restarts the transfer from the beginning. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"5m"`
`transfer.max_retry_delay`	The maximum wait time allowed between retries after a connection or transfer error. Each retry restarts the transfer from the beginning. This value acts as an upper limit when exponential backoff is applied. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"1h"`
`transfer.retry_backoff`	The exponential backoff factor applied to the retry delay. After each failed attempt, the wait time is multiplied by this factor, up to the limit set by `transfer.max_retry_delay`. Each retry restarts the transfer from the beginning. Delay for retry attempt `n` = `retry_delay x (retry_backoff ^ n)`, where `n` is the retry attempt number, starting at `0`. Example with `retry_delay = 5m`: `retry_backoff = 1` → 5m, 5m, 5m, ... `retry_backoff = 2` → 5m, 10m, 20m, ... `retry_backoff = 3` → 5m, 15m, 45m, 135m, ...	`number`	`2.0`
`transfer.max_retries`	The maximum number of times a transfer will be retried after a connection or transfer error. Each retry restarts the transfer from the beginning. Once this limit is reached, the transfer is marked as failed.	`number`	`3`
`transfer.check_interval`	Interval at which UDMG polls for pending transfers that were scheduled through the Transfers Scheduled API. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"1m"`

`observability`

The observability block enables health and diagnostics endpoints and optional debug access. Use it to integrate UDMG Server with monitoring stacks and to expose a separate, minimal API for status and metrics collection.

HCL Argument Name	Description	Value Type	Default Value
`observability.api.inet`	Address for the observability API.	`string`	`"0.0.0.0"`
`observability.api.port`	Port for the observability API.	`string`	`"7070"`
`observability.api.spec`	Enables or disables serving the observability OpenAPI specification (at `/spec` and `/swagger/index.html`, at the port defined in `observability.api.port`).	`bool`	`false`
`observability.api.enable`	Enables or disables the observability API.	`bool`	`true`
`observability.api.rate_limit`	Global rate limiting for observability API requests per minute.	`number`	`5000`
`observability.api.debug.enable`	Enable or disable debug mode for observability API.	`bool`	`false`
`observability.api.debug.user`	Debug username for observability API.	`string`	`""`
`observability.api.debug.password`	Debug password for observability API.	`string`	`""`
`observability.api.secure.enable`	Enable HTTPS. Requires certificate and key.	`bool`	`false`
`observability.api.secure.pub_key`	Path to public SSL/TLS certificate file in PEM format (required if enabled).	`string`	No default
`observability.api.secure.priv_key`	Path to private SSL/TLS key file in PEM format (required if enabled)	`string`	No default
`observability.prometheus.enable`	Enables or disables Prometheus metrics.	`bool`	`false`
`observability.opentelemetry.enable`	Enable or disable OpenTelemetry.	`bool`	`false`
`observability.opentelemetry.host`	Host for OpenTelemetry collector.	`string`	`""`
`observability.opentelemetry.port`	Port for OpenTelemetry collector.	`string`	`""`

`ldap`

The ldap block integrates UDMG with an external LDAP directory for user authentication and lookup. Configure servers, binding, and attribute mapping here to centralize identity management. For more information, refer to LDAP Authentication.

HCL Argument Name Description Value Type Default Value

HCL Argument Name	Description	Value Type	Default Value
`ldap.ldap_account_sync_interval`	Defines how often UDMG synchronizes LDAP users that are linked to UDMG Accounts. Leave empty (`""`) to disable synchronization. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"24h"`
`ldap.ldap_user_sync_interval`	Defines how often UDMG synchronizes LDAP users that are linked to UDMG Users. Leave empty (`""`) to disable synchronization. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"24h"`

ldap.ldap_account_sync_interval

Defines how often UDMG synchronizes LDAP users that are linked to UDMG Accounts. Leave empty ("") to disable synchronization.

For allowed time units, see Time Duration Format and Allowed Units.

string

"24h"

ldap.ldap_user_sync_interval

Defines how often UDMG synchronizes LDAP users that are linked to UDMG Users. Leave empty ("") to disable synchronization.

For allowed time units, see Time Duration Format and Allowed Units.

string

"24h"

`icap`

The icap block configures general content-scanning via an ICAP server. Use it to enforce malware scanning on inbound file flows. For more information, refer to ICAP Scanner.

HCL Argument Name Description Value Type Default Value

HCL Argument Name	Description	Value Type	Default Value
`icap.timeout`	The maximum time duration to wait for a response from the ICAP server. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"10s"`
`icap.retry`	Number of retry attempts for connecting to or communicating with ICAP server on failure.	`number`	`0`

icap.timeout

The maximum time duration to wait for a response from the ICAP server.

For allowed time units, see Time Duration Format and Allowed Units.

string

"10s"

icap.retry Number of retry attempts for connecting to or communicating with ICAP server on failure. number 0

`uac`

The uac block connects UDMG to Universal Automation Center (UAC) for orchestration and scheduling. Configure it to allow UAC to trigger or react to file transfer events within UDMG. For more information, refer to Universal Event Integration.

HCL Argument Name	Description	Value Type	Default Value
`uac.enable`	Enables or disables globally the feature to publish Universal Event.	`bool`	`false`
`uac.urls`	A list of URIs for the Publish Universal Event API on the target Universal Controllers. UDMG will attempt to connect to these in order if one fails. Example: `["http://host1/uc", "https://host2/uc"]`	`list(string)`	`[]`
`uac.username`	The username for authenticating with the Universal Controller REST API. The user must have the required permissions to call the Universal Event Web Services.	`string`	`""`
`uac.password`	The password for authenticating with the Universal Controller REST API.	`string`	`""`
`uac.event_name`	The name of the Universal Event to trigger in UAC when a relevant action occurs.	`string`	`""`
`uac.event_ttl`	An optional Time-To-Live for the Universal Event (in minutes).	`string`	`""`
`uac.override_publish_event`	Allow override of Publish event from pipelines configuration.	`bool`	`false`

`protocol`

The protocol block defines default settings that apply to all supported transfer protocols. Adjust these values to fine-tune connection behavior, session timeouts, and overall resource utilization.

HCL Argument Name Description Value Type Default Value

protocol.auth_timeout Authentication timeout before dropping connection. string "30s"

HCL Argument Name	Description	Value Type	Default Value
`protocol.auth_timeout`	Authentication timeout before dropping connection.	`string`	`"30s"`
`protocol.session_idle_timeout`	The idle timeout protocol sessions. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"3600s"`
`protocol.max_connections`	Maximum number of concurrent connections.	`number`	`120`

protocol.session_idle_timeout

The idle timeout protocol sessions.

For allowed time units, see Time Duration Format and Allowed Units.

string

"3600s"

protocol.max_connections Maximum number of concurrent connections. number 120

`cluster`

The cluster block enables high-availability operation across multiple UDMG Server nodes and defines how nodes discover peers and coordinate. All nodes in a cluster must use a consistent configuration for stable behavior.

For more information, refer to High Availability.

HCL Argument Name	Description	Value Type	Default Value
`cluster.mode`	The operational mode of the cluster. Allowed value: `"AA"` (Active-Active). `"AP"` (Active-Passive).	`string`	`"AA"`
`cluster.heartbeat`	The time interval between heartbeat signals sent between nodes. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"10s"`
`cluster.deadline`	The time duration after which a node is considered down if no heartbeat is received. For allowed time units, see Time Duration Format and Allowed Units.	`string`	`"30s"`
`cluster.seeds`	Cluster seeds for bootstrapping, comma-separated list of initial node addresses (`host`:`client_port`). Not required for standard setup.	`string`	`""`
`cluster.client_port`	The port number used by UDMG Server for client communication in a cluster.	`number`	`4222`
`cluster.cluster_port`	The port number used for inter-node communication within the UDMG Server cluster.	`number`	`6222`

`as2`

The as2 block configures AS2 (Applicability Statement 2) protocol support. AS2 is used for secure and reliable file transfer over HTTP/HTTPS.

For more information, refer to AS2.

HCL Argument Name	Description	Value Type	Default Value
`as2.enable`	Enable AS2 service.	`bool`	`true`
`as2.message_id_expiry`	Number of days to keep message IDs for replay protection.	`number`	`0` (unlimited)
`as2.replay_protect`	Enable replay protection for AS2 messages.	`bool`	`true`

`hook_server`

The hook_server block configures the Configures HTTP server that handles callbacks such as AS2 Message Disposition Notifications (MDNs). Enables asynchronous receipt confirmations for file transfers.

HCL Argument Name	Description	Value Type	Default Value
`hook_server.enable`	Enable hook server.	`bool`	`false`
`hook_server.inet`	Interface address for hook server to listen on.	`string`	`"0.0.0.0"`
`hook_server.port`	Port for hook server.	`string`	`"9090"`
`hook_server.spec`	Enable API specification.	`bool`	`false`
`hook_server.enable_mdn`	Enable hook server for AS2 MDN callbacks.	`bool`	`false`
`hook_server.secure.enable`	Enable HTTPS. Requires certificate and key.	`bool`	`false`
`hook_server.secure.pub_key`	Path to public SSL/TLS certificate file in PEM format (required if enabled).	`string`	No default
`hook_server.secure.priv_key`	Path to private SSL/TLS key file in PEM format (required if enabled).	`string`	No default

`tls`

The tls block applies to all services (API, Observability, WTC, HookServer, etc.) unless protocol-specific overrides are enabled and configured.

HCL Argument Name	Description	Value Type	Default Value
`tls.min_version`	Minimum TLS version to support. Options: 1.0, 1.1, 1.2, 1.3. Recommended: Use 1.2 or higher for security. TLS 1.0 and 1.1 are considered insecure.	`string`	`"1.2"`
`tls.max_version`	Maximum TLS version to support. Options: 1.0, 1.1, 1.2, 1.3. TLS 1.3 provides best security and performance when available.	`string`	`"1.3"`
`tls.cipher_suites`	Optional list of cipher suites to use. Leave empty for secure defaults. If not specified, uses secure cipher suites recommended by Go crypto/tls providing forward secrecy and modern cryptographic standards.	`list(string)`	`[]`
`tls.curve_preferences`	Optional list of curve preferences. Leave empty for secure defaults. If not specified, uses: `X25519`, `P256`, `P384`. Options: `P256` `P384` `P521` `X25519`	`list(string)`	`[]`
`tls.allow_protocol_override.api`	Allow API to override TLS settings.	`bool`	`false`
`tls.allow_protocol_override.obs`	Allow observability API to override TLS settings.	`bool`	`false`
`tls.allow_protocol_override.wtc`	Allow WTC to override TLS settings.	`bool`	`false`
`tls.allow_protocol_override.ftp`	Allow FTP to override TLS settings.	`bool`	`false`
`tls.allow_protocol_override.as2`	Allow AS2 to override TLS settings.	`bool`	`false`
`tls.allow_protocol_override.hook_server`	Allow hook server to override TLS settings.	`bool`	`false`

Custom Functions

The configuration loader in UDMG provides a set of custom functions (these are not part of standard HCL syntax). You can use them to dynamically generate values inside the Configuration File.

Function	Description	Usage	Result
`upper`	Converts a string to upper case.	`${upper("string")}`	`"STRING"`
`lower`	Converts a string to lower case.	`${lower("STRING")}`	`"string"`
`env`	Retrieves an environment variable, with a mandatory fallback default.	`${env("HOSTNAME", "default")}`	`"my-hostname"` or `"default"` if unset

For the env function, a default value is mandatory. If the referenced environment variable does not exist, UDMG uses the provided default instead of throwing an error.

Example of env function usage
database {
    engine   = "postgresql"
    hostname = "localhost"
    user     = "udmg"
    password = "${env("DB_PASSWORD", "default-password")}"
}

tip

Environment variables take precedence over HCL arguments when both are provided. It is generally recommended to configure settings in HCL files to maintain clarity, consistency, and ease of management.

Use environment variable overrides sparingly (typically for temporary adjustments, containerized deployments, or sensitive values such as passwords and secrets).

What is HCL?​

Dot Notation​

Time Duration Format and Allowed Units​

Arguments by Block​

Root Level​

admin_app​

jwt​

database​

security​

log​

api​

wtc​

transfer​

observability​

ldap​

icap​

uac​

protocol​

cluster​

as2​

hook_server​

tls​

Custom Functions​

What is HCL?

Dot Notation

Time Duration Format and Allowed Units

Arguments by Block

Root Level

`admin_app`

`jwt`

`database`

`security`

`log`

`api`

`wtc`

`transfer`

`observability`

`ldap`

`icap`

`uac`

`protocol`

`cluster`

`as2`

`hook_server`

`tls`

Custom Functions