The Command Center Console configuration file is on the Command Center host at $GPCC_HOME/conf/app.conf. Some parameters in this file are set by the Command Center installer.
You can add security settings in app.conf to suit your environment. See Security Parameters.
After editing this file, reload the configuration by restarting the Command Center Console.
$ gpcc --start
AppName = gpccws
The web server binary file. Do not change.
HTTPPort = <port>
The web server port when EnableHTTP is true. The default is 28080.
HTTPSPort = <port>
The web server port when EnableHTTPS is true. The default is 28080.
rpc_port = <port>
The port on which the Command Center backend receives data from metrics collector agents. The default is 8899.
ListenTCP4 = [true | false]
When true, the address type is tcp4. The default is true.
RunMode = [prod | dev | test]
The application mode, which can be dev, prod or test. The default, prod, is the recommended setting. In dev and test modes Command Center prints more verbose log messages. These are different logs than the logs affected by the log_level parameter.
Session = [true | false]
Use sessions to manage user experience. The default is true. Sessions are stored in memory.
EnableXSRF = [true | false]
Enable CSRF protection.
XSRFKey = <token_string>
The CSRF token.
XSRFExpire = <seconds>
CSRF expire time. The default is 2592000 seconds.
log_level
The level of messages to log: Debug, Info, or Error. The default is Info. The values are not case-sensitive.
master_host = <hostname>
The VMware Greenplum host name. The default is localhost.
master_port = <port>
The VMware Greenplum coordinator port. The default is 5432.
path = /usr/local
Path to the directory where Greenplum Command Center is installed.
display_name = <display_name>
The display name for the console.
enable_kerberos = [true | false]
True if Kerberos authentication is enabled for Command Center. The default is false.
enable_history = [true | false]
True if history data collection is enabled for Command Center. The default is true. This parameter is managed in Command Center by setting Enable GPCC history data collection on or off on the Admin > Settings page.
HTTPSCertFile = </path/to/cert.pem>
HTTPSKeyFile = </path/to/cert.pem>
Set both of these properties to the full path to a .pem file containing the certificate and private key for the Command Center web server.
EnableHTTPS = [true | false]
Enable listening on the secure SSL port. True if SSL is enabled. Only one of EnableHTTPS or EnableHTTP can be true.
EnableHTTP = [true | false]
Enable listening on the HTTP port. True if SSL is not enabled. Only one of EnableHTTP or EnableHTTPS can be true.
HTTPAddr = <ipaddress>
The IPv6 address of the host that runs Command Center. It is only necessary to set this parameter if Command Center is running in an IPv6 environment.
ws_perf_port = <port>
Port to access the Command Center web server Go profiling data. (See pprof for more information.) The default is 6162. Choose another port if there is a port conflict or if you are setting up another Command Center instance on the same host.
agent_perf_port = <port>
Port to use to access agent Go profiling data. The default is 6163. Choose another port if there is a port conflict on segment hosts, or if you are setting up another Command Center instance on the same cluster.
gpmetrics_home = <dirname>
The location of the gpmetrics directory. If you do not set this parameter, the default is $HOME.
XSRFSecure = true
The Command Center installer writes this parameter to $GPCC_HOME/conf/app.conf if a user configures Command Center to use the HTTPS protocol. This parameter defaults to false.
NOTE: Do not change this value unless you are experiencing problems.
You may customize the following security headers:
"Cache-Control", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
"Content-Security-Policy", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
"Permissions-Policy", // See https://www.w3.org/TR/permissions-policy-1/
"Referrer-Policy", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
"Strict-Transport-Security", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
"X-Content-Type-Options", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
"X-Frame-Options", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
"X-XSS-Protection", // See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
The following headers are configured by default and are set to these values:
"Cache-Control": "no-store",
"Referrer-Policy": "same-origin",
"Strict-Transport-Security": "max-age=31536000",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY",
"X-XSS-Protection": "1; mode=block",
Where:
"Cache-Control": "no-store" indicates that the response may not be stored in any cache.
"Referrer-Policy": "same-origin" indicates a referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
"Strict-Transport-Security": "max-age=31536000" indicates the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
"X-Content-Type-Options": "nosniff" blocks or allows requests depending on type.
"X-Frame-Options": "DENY" indicates that the page cannot be displayed in a frame, regardless of the site attempting to do so.
"X-XSS-Protection": "1; mode=block" enables XSS filtering and the browser will block page rendering if it detects an attack.
To customize any of these headers, enter your values in the app.conf file and restart Command Center. For example, to customize Content-Security-Policy, Permissions-Policy, and X-Frame-Options, use an app.conf entry similar to:
[security_headers]
Content-Security-Policy = default-src 'self' http://example.com;
Permissions-Policy = fullscreen=(), geolocation=()
X-Frame-Options = DENY
By default, Command Center supports the following cipher suites:
To use cipher suites other than the default four, add them to $GPCC_HOME/conf/app.conf in a section labeled [tls_cipher_suites], as in the following example:
[tls_cipher_suites]
Enable_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_RSA_WITH_AES_256_GCM_SHA384 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA256 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_RSA_WITH_AES_256_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = true
Enable_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = true
Warning: Cipher suites that are not among the four default cipher suites may have potential security risks and are not recommended.
When there are one or more entries under [tls_cipher_suites] in app.conf, Command Center will not use any default cipher suites, unless they are also declared in the [tls_cipher_suites] section.
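The following Python check is an added example, not part of Command Center or its documentation. It audits an app.conf against the constraints stated on this page (only one of EnableHTTP and EnableHTTPS, certificate and key paths present, CSRF protection, RunMode, and the [tls_cipher_suites] override). Assumptions of this example: keys before the first section header are top-level, # and ; start comments, and flagging CBC-mode or non-ECDHE suites is this example's heuristic rather than the product's list of default suites.

```python
SAMPLE_CONF = """\
# constructed sample, not a real deployment
RunMode = dev
EnableHTTP = true
EnableHTTPS = true
EnableXSRF = false
HTTPSCertFile = /path/to/cert.pem
[tls_cipher_suites]
Enable_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = true
Enable_TLS_RSA_WITH_AES_128_CBC_SHA = true
Enable_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = false
"""

def parse_conf(text):
    """Parse into {section: {key: value}}; top-level keys go under ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def audit(conf):
    top, findings = conf[""], []
    on = lambda d, k: d.get(k, "").lower() == "true"
    if on(top, "EnableHTTP") and on(top, "EnableHTTPS"):
        findings.append("EnableHTTP and EnableHTTPS are both true; only one may be")
    elif on(top, "EnableHTTP"):
        findings.append("console is served over plain HTTP")
    if on(top, "EnableHTTPS"):
        for key in ("HTTPSCertFile", "HTTPSKeyFile"):
            if not top.get(key):
                findings.append(f"{key} is not set although EnableHTTPS is true")
    if top.get("EnableXSRF", "").lower() == "false":
        findings.append("EnableXSRF is false; CSRF protection is off")
    if top.get("RunMode", "prod").lower() != "prod":
        findings.append("RunMode is not prod; verbose logging is enabled")
    # Heuristic of this example: any entry here replaces the defaults, so review each one.
    for key, value in conf.get("tls_cipher_suites", {}).items():
        suite = key.replace("Enable_", "", 1)
        if value.lower() == "true" and ("_CBC_" in suite or "ECDHE" not in suite):
            findings.append(f"{suite} enabled: CBC mode or no forward secrecy")
    return findings
```

Run audit(parse_conf(open(path).read())) against a copy of $GPCC_HOME/conf/app.conf before restarting the console; an empty list means none of these checks fired.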