Deployment configuration
The deployment configuration file used by Access Decision Service is written in YAML. (See yaml.org for more information about the format.)
Running ADS in a Docker container
A deployment configuration file is included in the distribution and it is used when ADS is started for the first time (see docker/resources/deployment.yaml
). This file contains a configuration that allows you to get ADS up and running and ready for use.
However, the deployment file can be further edited to adapt to your configuration requirements. The deployment.yaml file can be opened in any text editor.
See also the appendix Deployment configuration sample for an example of a deployment configuration file.
Running ADS on the command line
When ADS is run from the command line you need to set up your own deployment configuration file. See the descriptions for the different properties below.
The appendix Deployment configuration sample provides a template that you can copy and use for your configuration.
Updating the deployment configuration
The deployment configuration file contains property settings for which you have to stop the application to update, as ADS reads the deployment file only at start-up.
- To update any part of the configuration, simply stop ADS (that is, kill the process), update the configuration file, and then restart ADS. (See Installation, for information about stopping and starting ADS.)
Note: Some properties use file references, like <path/to/file>. These should always be seen as relative to the environment in which ADS is running.
Configuration using environment variables
Properties in the deployment file can be configured using environment variables. The example shows a deployment configuration file that uses the environment variable PORT to set the application port.
The syntax is: ${<environment variable name>:-<default value>}.
server:
applicationConnectors:
- type: http
port: ${PORT:-8888}
adminConnectors:
- type: http
port: 8081
Environment variable PORT with a default value
If the environment variable is not defined, then a default value of 8888 is used. Other names can be used, for example ${APP_PORT}.
Note: Axiomatics recommends using environment variables to substitute any sensitive information, such as passwords, so that sensitive information can be managed and protected using generic mechanisms, external to the deployment file.
License
A license is required to run the product. The license file is provided separately by Axiomatics, and it needs to be in place before ADS can start. This is covered in the Installation section.
This is how to set the file reference to the license key file:
- Locate the license property in the sample deployment configuration file.
license: file:<path/to/>license_file.license
Update the license property with the URL for where the license file is stored, using one of the formats listed in the table below:
License file reference
You can set a file reference using one of the following formats:
Format | Description |
---|---|
dir/license_file.license | relative path on file system |
/dir/license_file.license | absolute path on file system |
http://<host:port>/<path/to/file> | URL to the file |
https://<host:port>/<path/to/file> | URL to the file NOTE: There must be a valid certificate present that the JVM trusts. If not, a valid certificate has to be added to the truststore, and the JVM instructed to use it. |
classpath:/license_file.license | file on classpath |
License file reference formats
License expiration warning
ADS will warn in a log message when the license is nearing its expiration date. By default, that warning is triggered 30 days before the expiration date.
You can override this by adding an optional property to the deployment configuration file. See License expiration warning for more information.
Authorization domain configuration
The authorization domain configuration file contains a set of XACML policies and configurations (for example, attribute connector and/or cache configurations) to be used by the authorization service. It is deployed by setting a file reference to it in the deployment configuration file.
ADS supports authorization domain configuration files expressed in two different formats, YAML and XML. Each format requires its own property for configuration:
for a YAML-format domain configuration file, the domain property is used. (See yaml.org, for more information about the format.)
for an XML-format domain configuration file produced by the Axiomatics Services Manager (ASM) (up to and including version 6.2.9), the legacyXmlConfig property is used
Note: The properties are mutually exclusive and only one of them can be enabled at any given time. The sample deployment configuration file provided in the distribution package uses the domain property configuration.
See Authorization Domains for more information about domains and how to create authorization domain configuration files.
Updating the domain configuration during runtime
By default, ADS is configured to read the domain configuration only once, when loading the deployment configuration file at start-up. However, there is an optional property that can be added that will make ADS poll the domain configuration source at regular intervals during runtime. See Runtime updating of domain configuration for more information.
Using a YAML-format domain configuration file
- Locate the domain property in the sample deployment configuration file.
domain: domain.yaml
Set a file reference to a YAML-format authorization domain configuration file. See the table below for supported formats for file references.
A YAML-format authorization domain configuration file is provided in the Docker distribution package (docker/resources/domain.yaml
).
A sample YAML-format domain file is also available in the appendix Authorization decisions domain file. This domain configuration also contains a policy that you can use to run the four example requests against, as described in the section Authorization decisions. It does not contain any attribute connector configurations.
Using an XML-format domain configuration file
- Add the legacyXmlConfig property in the sample deployment configuration file.
legacyXmlConfig: <path/to/>domain.xml
Set a file reference to an XML-format authorization domain configuration file. See the table below for supported formats for file reference.
Note: An XML-format authorization domain configuration file must be produced either by exporting it from Axiomatics Services Manager (up to and including version 6.2.9) via the ASM UI or retrieved programmatically using the Admin API. It is not intended to be edited manually.
Domain configuration file reference
The property must point to the authorization domain configuration file to be used, using one of the supported formats listed in the table:
You can set a file reference using one of the following formats:
Format | Description |
---|---|
dir/file.yaml | relative path on file system |
/dir/file.yaml | absolute path on file system |
http://<host:port>/<path/to/file> | URL to the file |
https://<host:port>/<path/to/file> | URL to the file NOTE: There must be a valid certificate present that the JVM trusts. If not, a valid certificate has to be added to the truststore, and the JVM instructed to use it. |
classpath:/file.yaml | file on classpath |
Domain configuration file reference formats
The same retrieval options apply for both YAML- and XML-format files.
Note: To have ADS send user credentials when requesting a domain configuration file from remote locations that support Basic Authentication, you need to configure an additional property. Note that this feature only supports YAML-format deployment configuration files. See HTTP client configuration for more information.
Authentication
- Locate the authentication section in the sample deployment configuration file.
The available types of authentication are None and Basic.
authentication:
type: Basic
user:
username: ads-user
hashPassword: <sha-256 hash password>
Basic authentication
To use Basic authentication, enter a user name and a hashed password. Generate the hashed password using the SHA-256 algorithm. Only one user can be configured for use with the Basic authentication option.
If Basic authentication is used, the authenticated user can access any endpoint on ADS.
If Type is set to None (no user name or password needed for access), then whatever is entered as user name and password is ignored. (The user entries can actually be deleted.)
Service connectors
Locate the server: property in the sample deployment configuration file.
In this section, service connectors to the server can be configured to use specific ports and/or encryption to secure communication. Both TLS and TLS with client certificate can be used.
Application and administration endpoints
By default, the application endpoint will use port 8080 and the administration endpoint will use port 8081. The properties for applicationConnectors and adminConnectors can be configured to use specific ports in the deployment configuration YAML file.
Recommended configuration
A recommended configuration would have separate ports for the application and administration endpoints. For example:
server:
applicationConnectors:
- type: http
port: 8080
adminConnectors:
- type: http
port: 8081
Recommended port configuration
Note: Axiomatics strongly recommends configuring the ports explicitly. This will simplify troubleshooting, should that be necessary.
Single port configuration
If limitations of your environment prevents you from using a dual-port configuration, it is also possible to configure a single port for all the endpoints, either as HTTP or HTTPS (in this case, application endpoints and administration endpoints will be prepended with the path /application and /admin, respectively), using type: simple. For example:
server:
type: simple
connector:
type: http
port: 8081
Single port configuration
TLS and TLS with client certificate
In the sample deployment configuration file, the applicationConnectors and adminConnectors properties are configured for HTTP. (See the sample configuration above.)
If HTTPS is used, the property can be configured for TLS or TLS with client certificate:
TLS
server:
applicationConnectors:
## Requirements to enable TLS
- type: https
port: 8443
keyStorePath: file:<path/to/>server.keystore
keyStorePassword: changeit
keyStoreType: pkcs12
TLS with client certificate
server:
applicationConnectors:
## Requirements to enable TLS with client certificate
- type: https
port: 8443
keyStorePath: file:<path/to/>server.keystore
keyStorePassword: changeit
keyStoreType: pkcs12
trustStorePath: file:<path/to/>server.truststore
trustStorePassword: changeit
trustStoreType: pkcs12
needClientAuth: true
TLS configurations
Logging
- Locate the logging section in the sample deployment configuration file.
Enabling audit logging
A configuration for audit logging is provided in the sample deployment configuration file. By default, it is disabled.
logging:
level: WARN
#loggers:
# "com.axiomatics.audit": INFO
appenders:
- type: console
target: stdout
timeZone: system
Audit logging disabled
- To enable audit logging in the sample configuration file, uncomment the "loggers" property and the com.axiomatics.audit parameter.
logging:
level: WARN
loggers:
"com.axiomatics.audit": INFO
appenders:
- type: console
target: stdout
timeZone: system
Audit logging enabled
In the sample deployment configuration, the appender type is set to console and the target to stdout.
Some of the log events in ADS may generate multi-line messages. This is not always desirable, for example, if you are using a log analysis tool that requires single-line log messages. This can be resolved by configuring the logging property to use a JSON layout. See Configuring single-line per event log output for more information.
The audit logs produced by ADS contain two types of events, evaluation events and administrative events. You can control whether log output files should contain either evaluation events or administrative events or both. See Separating event types in the audit log output for more information.
By default, the log output for evaluation events is presented in a concise format. For processing efficiency, information not essential to auditing is excluded from the evaluation events. If the full logging information is required, this can be configured using an additional property. See Enabling verbose audit logging for more information.
See the section Audit log message format for output examples and more information about the logging output format.
Disabling audit logging
- To disable audit logging example in the sample configuration file, comment out the "loggers" property and the com.axiomatics.audit parameter in the deployment configuration file.
Configuring other logging options
If there is a need to change the logging configuration, for example, to add other appenders, or accommodate requirements for a different output type or log format, several options are available:
Further examples of logging configurations are available in the section Optional deployment configuration
For more information about Dropwizard logging configuration options, please refer to the logging section of the Dropwizard documentation.
Furthermore, Dropwizard implements the Logback logging system. Refer to Logback documentation, for more information.
Additional deployment configuration
There are configuration properties that are not included in the sample deployment configuration files that may be relevant for some users. See Optional deployment configuration for more information.
Disclaimer
Access Decision Service makes use of the Dropwizard framework for its implementation.
There are many configuration options available in Dropwizard. However, only properties explicitly mentioned in the Access Decision Service documentation are supported. Axiomatics assumes no responsibility or liability for the use of other configuration options.
For more information about Dropwizard configuration options, please refer to the Dropwizard documentation.