The Command Center Console configuration file is on the Command Center host at $GPCC_HOME/conf/app.conf. Some parameters in this file are set by the Command Center installer.
You can add security settings in app.conf to suit your environment. See Security Parameters.
After editing this file, reload the configuration by restarting the Command Center Console.
$ gpcc --start
appname = gpccws
The web server binary file. Do not change.
httpport = <port>
The web server port when EnableHTTP is true. The default is 28080.
httpsport = <port>
The web server port when EnableHTTPS is true. The default is 28080.
rpcport = <port>
The port on which the Command Center backend receives data from metrics collector agents. The default is 8899.
listentcp4 = [true | false]
When true, the address type is tcp4. The default is true.
runmode = [prod | dev | test]
The application mode, which can be dev, prod, or test. The default, prod, is the recommended setting. In dev and test modes Command Center prints more verbose log messages. These are different logs than the logs affected by the log_level parameter.
session = [true | false]
Use sessions to manage user experience. The default is true. Sessions are stored in memory.
enablexsrf = [true | false]
Enable CSRF protection.
xsrfkey = <token_string>
The CSRF token.
xsrfexpire = <seconds>
CSRF expire time. The default is 2592000 seconds.
rendertype = json
The render type of the web server. Do not change.
printallsqls = [true | false]
Print all backend gpperfmon SQL to the web server console. The default is false.
log_level
The level of messages to log: Debug, Info, or Error. Debug is the most verbose and Error is the least verbose. The default is Info.
master_host = <hostname>
The Greenplum Database host name. The default is localhost.
master_port = <port>
The Greenplum Database master port. The default is 5432.
path = /usr/local
Path to the directory where Greenplum Command Center is installed.
display_name = <display_name>
The display name for the console.
enable_kerberos = [true | false]
True if Kerberos authentication is enabled for Command Center. The default is false.
enable_history = [true | false]
True if history data collection is enabled for Command Center. The default is true. This parameter is managed in Command Center by setting Enable GPCC history data collection on or off on the Admin > Settings page.
HTTPSCertFile = </path/to/cert.pem>
HTTPSKeyFile = </path/to/cert.pem>
Set both of these properties to the full path to a .pem file containing the certificate and private key for the Command Center web server.
EnableHTTPS = [true | false]
Enable listening on the secure SSL port. The default is true. True if SSL is enabled. Only one of EnableHTTPS or EnableHTTP can be true.
EnableHTTP = [true | false]
Enable listening on the HTTP port. True if SSL is not enabled. Only one of EnableHTTP or EnableHTTPS can be true.
HTTPAddr = <ipaddress>
The IPv6 address of the host that runs Command Center. It is only necessary to set this parameter if Command Center is running in an IPv6 environment.
stats_check_interval = <seconds>
How often the statistics in the Command Center Table Browser are refreshed. The default is 300. New tables and changed values such as file size and last access time may not be seen until stats_check_interval seconds have elapsed.
ws_perf_port = <port>
Port to access the Command Center web server Go profiling data. (See pprof for more information.) The default is 6162. Choose another port if there is a port conflict or if you are setting up another Command Center instance on the same host.
agent_perf_port = <port>
Port to use to access agent Go profiling data. The default is 6163. Choose another port if there is a port conflict on segment hosts, or if you are setting up another Command Center instance on the same cluster.
You may customize the following security headers:
"Cache-Control", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
"Content-Security-Policy", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
"Permissions-Policy", // See https://www.w3.org/TR/permissions-policy-1/
"Referrer-Policy", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
"Strict-Transport-Security", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
"X-Content-Type-Options", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
"X-Frame-Options", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
"X-XSS-Protection", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
The following headers are configured by default and are set to these values:
"Cache-Control": "no-store",
"Referrer-Policy": "same-origin",
"Strict-Transport-Security": "max-age=31536000",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "SAMEORIGIN",
"X-XSS-Protection": "1; mode=block",
Where:
"Cache-Control": "no-store" indicates that the response may not be stored in any cache.
"Referrer-Policy": "same-origin" indicates a referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
"Strict-Transport-Security": "max-age=31536000" indicates the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
"X-Content-Type-Options": "nosniff" blocks or allows requests depending on type.
"X-Frame-Options": "SAMEORIGIN" indicates that the page can only be displayed in a frame on the same origin as the page itself.
"X-XSS-Protection": "1; mode=block" enables XSS filtering and the browser will block page rendering if it detects an attack.
To customize any of these headers, enter your values in the app.conf file and restart Command Center. For example, to customize Content-Security-Policy, Permissions-Policy, and X-Frame-Options, use an app.conf entry similar to:
[security_headers]
Content-Security-Policy = default-src 'self' http://example.com;
Permissions-Policy = fullscreen=(), geolocation=()
X-Frame-Options = DENY
By default, Command Center supports the following cipher suites:
To use cipher suites other than the default four, add them to $GPCC_HOME/conf/app.conf in a section labeled [tls_cipher_suites], as in the following example:
[tls_cipher_suites]
Enable_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_RSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_RSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = true
Enable_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = true
Warning: Cipher suites that are not among the four default cipher suites may have potential security risks and are not recommended.
When there are one or more entries under [tls_cipher_suites] in app.conf, Command Center will not use any default cipher suites, unless they are also declared in the [tls_cipher_suites] section.
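The following Python script is an added example, not part of the Command Center documentation or product. It reviews the contents of an app.conf for the settings described on this page: plain HTTP, disabled CSRF protection, a non-prod runmode, overridden default security headers, and enabled [tls_cipher_suites] entries that use CBC mode or static RSA key exchange. Assumptions: keys are matched with the exact spelling shown on this page, the "top" section name is invented for parsing, and the CBC and static-RSA labels are general TLS properties, not the product's list of four default suites.

```python
import configparser

DEFAULT_HEADERS = {  # default values as listed on this page
    "Cache-Control": "no-store", "Referrer-Policy": "same-origin",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
# Marker in a suite name -> why it deserves review (general TLS properties).
WEAK = {"_CBC_": "CBC mode, not an AEAD suite",
        "TLS_RSA_": "static RSA key exchange, no forward secrecy"}

# Constructed sample app.conf contents, not from a real installation.
SAMPLE = """\
runmode = dev
enablexsrf = false
EnableHTTPS = true
[security_headers]
X-Frame-Options = DENY
[tls_cipher_suites]
Enable_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = false
"""

def audit_app_conf(text):
    """Return review findings for the contents of an app.conf file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string("[top]\n" + text)  # "top": made-up name for unsectioned keys
    top = cp["top"]
    def flag(section, key):
        return section.get(key, "").strip().lower()
    out = []
    if flag(top, "EnableHTTP") == "true":
        out.append("EnableHTTP is true: console traffic is not encrypted")
    if flag(top, "enablexsrf") == "false":
        out.append("enablexsrf is false: CSRF protection is off")
    if top.get("runmode", "prod").strip() != "prod":
        out.append("runmode is not prod: verbose logging is on")
    suites = cp["tls_cipher_suites"] if cp.has_section("tls_cipher_suites") else {}
    for key in suites:
        if flag(suites, key) == "true":
            out += [f"{key}: {why}" for mark, why in WEAK.items() if mark in key]
    headers = cp["security_headers"] if cp.has_section("security_headers") else {}
    for name in headers:
        if name in DEFAULT_HEADERS and headers[name].strip() != DEFAULT_HEADERS[name]:
            out.append(f"{name} overrides default {DEFAULT_HEADERS[name]!r}")
    return out
```

Pass the text of $GPCC_HOME/conf/app.conf to audit_app_conf() to review a real file; a header override is reported for review even when the new value is stricter than the default.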