The Command Center Console configuration file is on the Command Center host at $GPCC_HOME/conf/app.conf. Some parameters in this file are set by the Command Center installer.

You can add security settings in app.conf to suit your environment. See Security Parameters.

After editing this file, reload the configuration by restarting the Command Center Console.

$ gpcc --start

appname = gpccws

The web server binary file. Do not change.

httpport = <port>

The web server port when EnableHTTP is true. The default is 28080.

httpsport = <port>

The web server port when EnableHTTPS is true. The default is 28080.

rpcport = <port>

The port on which the Command Center backend receives data from metrics collector agents. The default is 8899.

listentcp4 = [true | false]

When true, the address type is tcp4. The default is true.

runmode = [prod | dev | test]

The application mode, which can be dev, prod or test. The default, prod, is the recommended setting. In dev and test modes Command Center prints more verbose log messages. These are different logs than the logs affected by the log_level parameter.

session = [true | false]

Use sessions to manage user experience. The default is true. Sessions are stored in memory.

enablexsrf = [true | false]

Enable CSRF protection.

xsrfkey = <token_string>

The CSRF token.

xsrfexpire = <seconds>

The CSRF token expiration time. The default is 2592000 seconds.

rendertype = json

The render type of the web server. Do not change.

printallsqls = [true | false]

Print all backend gpperfmon SQL to the web server console. The default is false.

log_level

The level of messages to log: Debug, Info, or Error. The default is Info. The values are not case-sensitive.

master_host = <hostname>

The Greenplum Database host name. The default is localhost.

master_port = <port>

The Greenplum Database master port. The default is 5432.

path = /usr/local

Path to the directory where Greenplum Command Center is installed.

display_name = <display_name>

The display name for the console.

enable_kerberos = [true | false]

True if Kerberos authentication is enabled for Command Center. The default is false.

enable_history = [true | false]

True if history data collection is enabled for Command Center. The default is true. This parameter is managed in Command Center by setting Enable GPCC history data collection on or off on the Admin > Settings page.

HTTPSCertFile = </path/to/cert.pem>
HTTPSKeyFile = </path/to/cert.pem>

Set both of these properties to the full path to a .pem file containing the certificate and private key for the Command Center web server.

EnableHTTPS = [true | false]

Enable listening on the secure SSL port. True if SSL is enabled. Only one of EnableHTTPS or EnableHTTP can be true.

EnableHTTP = [true | false]

Enable listening on the HTTP port. True if SSL is not enabled. Only one of EnableHTTP or EnableHTTPS can be true.

HTTPAddr = <ipaddress>

The IPv6 address of the host that runs Command Center. It is only necessary to set this parameter if Command Center is running in an IPv6 environment.

stats_check_interval = <seconds>

How often the statistics in the Command Center Table Browser are refreshed. The default is 300. New tables and changed values such as file size and last access time may not be seen until stats_check_interval seconds have elapsed.

ws_perf_port = <port>

Port to access the Command Center web server Go profiling data. (See pprof for more information.) The default is 6162. Choose another port if there is a port conflict or if you are setting up another Command Center instance on the same host.

agent_perf_port = <port>

Port to use to access agent Go profiling data. The default is 6163. Choose another port if there is a port conflict on segment hosts, or if you are setting up another Command Center instance on the same cluster.

gpmetrics_home = <dirname>

The location of the gpmetrics directory. If you do not set this parameter, the default is $HOME.

XSRFSecure = true

The Command Center installer writes this parameter to $GPCC_HOME/conf/app.conf if a user configures Command Center to use the HTTPS protocol. This parameter defaults to false.

NOTE: Do not change this value unless you are experiencing problems.

Setting Security Parameters

You may customize the following security headers:

  "Cache-Control",             // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
  "Content-Security-Policy",   // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
  "Permissions-Policy",        // See https://www.w3.org/TR/permissions-policy-1/
  "Referrer-Policy",           // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  "Strict-Transport-Security", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
  "X-Content-Type-Options",    // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
  "X-Frame-Options",           // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  "X-XSS-Protection",          // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

The following headers are configured by default and are set to these values:

 "Cache-Control":             "no-store",
 "Referrer-Policy":           "same-origin",
 "Strict-Transport-Security": "max-age=31536000",
 "X-Content-Type-Options":    "nosniff",
 "X-Frame-Options":           "DENY",
 "X-XSS-Protection":          "1; mode=block",

Where:

  • "Cache-Control": "no-store" indicates that the response may not be stored in any cache.
  • "Referrer-Policy": "same-origin" indicates a referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
  • "Strict-Transport-Security": "max-age=31536000" indicates the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
  • "X-Content-Type-Options": "nosniff" blocks or allows requests depending on type.
  • "X-Frame-Options": "DENY" indicates that the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • "X-XSS-Protection": "1; mode=block" enables XSS filtering and the browser will block page rendering if it detects an attack.

To customize any of these headers, enter your values in the app.conf file and restart Command Center. For example, to customize Content-Security-Policy, Permissions-Policy, and X-Frame-Options, use an app.conf entry similar to:

[security_headers]
    Content-Security-Policy = default-src 'self' http://example.com;
    Permissions-Policy = fullscreen=(), geolocation=()
    X-Frame-Options = DENY

Setting TLS Cipher Suites

By default, Command Center supports the following cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

To use cipher suites other than the default four, add them to $GPCC_HOME/conf/app.conf in a section labeled [tls_cipher_suites], as in the following example:

[tls_cipher_suites]
Enable_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_RSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_RSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = true
Enable_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = true

Warning: Cipher suites that are not among the four default cipher suites may have potential security risks and are not recommended.

When there are one or more entries under [tls_cipher_suites] in app.conf, Command Center will not use any default cipher suites, unless they are also declared in the [tls_cipher_suites] section.
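The override rule above is easy to trip over: declaring a single suite silently drops the other defaults. The following audit script is an added example, not part of Command Center. It reads an app.conf, works out the suite list that results, and reports non-default suites, dropped defaults, and EnableHTTP/EnableHTTPS both set to true. It assumes case-insensitive key matching and that only entries set to true are enabled; the function names and the sample file are constructed for illustration.

```python
DEFAULT_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Constructed sample input, not a real deployment's app.conf.
SAMPLE = """\
EnableHTTPS = true
EnableHTTP = true
[tls_cipher_suites]
Enable_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA = true
"""

def parse_app_conf(text):
    """Minimal INI reader; keys before the first [section] go under ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            # Assumption: keys are matched case-insensitively.
            conf[section][key.strip().lower()] = value.strip()
    return conf

def effective_suites(conf):
    """Any entry in [tls_cipher_suites] replaces the defaults entirely."""
    entries = conf.get("tls_cipher_suites", {})
    if not entries:
        return set(DEFAULT_SUITES)
    # Assumption: only entries set to "true" are enabled.
    return {k[len("enable_"):].upper() for k, v in entries.items()
            if k.startswith("enable_") and v.lower() == "true"}

def audit(text):
    """Return a list of findings for the given app.conf contents."""
    conf = parse_app_conf(text)
    top, suites, findings = conf[""], effective_suites(conf), []
    if (top.get("enablehttp", "").lower() == "true"
            and top.get("enablehttps", "").lower() == "true"):
        findings.append("EnableHTTP and EnableHTTPS are both true")
    for s in sorted(suites - DEFAULT_SUITES):
        findings.append(f"non-default suite enabled: {s}")
    for s in sorted(DEFAULT_SUITES - suites):
        findings.append(f"default suite no longer offered: {s}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real installation, pass the contents of $GPCC_HOME/conf/app.conf to audit() in place of SAMPLE.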
