As an Operator, you can add or modify the values of the system properties.

The following tables describe some of the system properties. As an Operator, you can set the values for these properties.

Table 1. Alert Emails
System Property Description
vco.alert.mail.to

When an alert is triggered, a notification is sent immediately to the list of Email addresses provided in the Value field of this system property. You can enter multiple Email IDs separated by commas.

If the property does not contain any value, then the notification is not sent.

The notification is meant to alert VMware support / operations personnel of impending issues before notifying the customer.

vco.alert.mail.cc When alert emails are sent to any customer, a copy is sent to the Email addresses provided in the Value field of this system property. You can enter multiple Email IDs separated by commas.
mail.* There are multiple system properties available to control the Alert Emails. You can define the Email parameters like SMTP properties, username, password, and so on.
Table 2. Alerts
System Property Description
vco.alert.enable Globally enables or disables the generation of alerts for both Operators and Enterprise customers.
vco.enterprise.alert.enable Globally enables or disables the generation of alerts for Enterprise customers.
vco.operator.alert.enable Globally enables or disables the generation of alerts for Operators.
Table 3. Bastion Orchestrator Configuration
System Property Description
session.options.enableBastionOrchestrator Enables the Bastion Orchestrator feature.

For more information, see Bastion Orchestrator Configuration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.

vco.bastion.private.enable Enables the Orchestrator to be the Private Orchestrator of the Bastion pair.
vco.bastion.public.enable Enables the Orchestrator to be the Private Orchestrator of the Bastion pair.
Table 4. Certificate Authority
System Property Description
edge.certificate.renewal.window This optional system property allows the Operator to define one or more maintenance windows during which the Edge certificate renewal is enabled. Certificates scheduled for renewal outside of the windows will be deferred until the current time falls within one of the enabled windows.

Enable System Property:

To enable this system property, type "true" for "enabled" in the first part of the Value text area in the Modify System Property dialog box. An example of the first part of this system property when it is enabled is shown below.

Operators can define multiple windows to restrict the days and hours of the day during which Edge renewals are enabled. Each window can be defined by a day, or a list of days (separated by a comma), and a start and end time. Start and end times can be specified relative to an Edge's local time zone, or relative to UTC. See image below for an example.

Note: If attributes are not present, the default is enabled "false."
When defining window attributes, adhere to the following:
  • Use IANA time zones, not PDT or PST (e.g. America/Los_Angeles). See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for more information.
  • Use UTC for days (e.g. SAT, SUN).
    • Separated by comma.
    • Days in three letters in English.
    • Not case sensitive.
  • Use Military 24 hour time format only (HH:MM) for start times (e.g. 01:30) and end times (e.g. 05:30).

If the above-mentioned values are missing, the attribute defaults in each window definition are as follows:

  • If enabled is missing, the default value = false.
  • If timezone is missing, the default = 'local.'
  • If either 'days' or the start and end times are missing, the defaults are as follows:
    • If 'days' is missing, the start/end is applied to each day of the week (mon, tue, wed, thu, fri, sat, sun).
    • If the start and end times are missing, then any time in the specified day will match (start = 00:00 and end = 23:59).
    • NOTE: Either 'days' or the start and end times must be present; whichever is missing takes the default indicated above.

Disable System Property:

This system property is disabled by default, which means the certificate will automatically renew after it expires. "Enabled" will be set to "false" in the first part of the Value text area in the Modify System Property dialog box. An example of this property when it is disabled is shown below.

{
  "enabled": false,
  "windows": [
    {

NOTE: This system property requires that PKI be enabled.

gateway.certificate.renewal.window This optional system property allows the Operator to define one or more maintenance windows during which the Gateway certificate renewal is enabled. Certificates scheduled for renewal outside of the windows will be deferred until the current time falls within one of the enabled windows.

Enable System Property:

To enable this system property, type "true" for "enabled" in the first part of the Value text area in the Modify System Property dialog box. See image below for an example.

Operators can define multiple windows to restrict the days and hours of the day during which Gateway renewals are enabled. Each window can be defined by a day, or a list of days (separated by a comma), and a start and end time. Start and end times can be specified relative to a Gateway's local time zone, or relative to UTC. See image below for an example.

Note: If attributes are not present, the default is enabled "false."
When defining window attributes, adhere to the following:
  • Use IANA time zones, not PDT or PST (e.g. America/Los_Angeles). See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for more information.
  • Use UTC for days (e.g. SAT, SUN).
    • Separated by comma.
    • Days in three letters in English.
    • Not case sensitive.
  • Use Military 24 hour time format only (HH:MM) for start times (e.g. 01:30) and end times (e.g. 05:30).

If the above-mentioned values are missing, the attribute defaults in each window definition are as follows:

  • If enabled is missing, the default value = false.
  • If timezone is missing, the default = 'local.'
  • If either 'days' or the start and end times are missing, the defaults are as follows:
    • If 'days' is missing, the start/end is applied to each day of the week (mon, tue, wed, thu, fri, sat, sun).
    • If the start and end times are missing, then any time in the specified day will match (start = 00:00 and end = 23:59).
    • NOTE: Either 'days' or the start and end times must be present; whichever is missing takes the default indicated above.

Disable System Property:

This system property is disabled by default, which means the certificate will automatically renew after it expires. "Enabled" will be set to "false" in the first part of the Value text area in the Modify System Property dialog box. An example of this property when it is disabled is shown below.

{
  "enabled": false,
  "windows": [
    {

NOTE: This system property requires that PKI be enabled.
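The window semantics described for both edge.certificate.renewal.window and gateway.certificate.renewal.window, worked through in code. This is an added example, not Orchestrator code; the key names "start" and "end", the "timezone" values "local" (the device's own IANA zone) or an IANA zone name, and evaluating day names in the window's own time zone are assumptions drawn from the prose above.

```python
"""Evaluate a certificate-renewal maintenance window definition.

Added example, not Orchestrator code: models the semantics given above for
edge.certificate.renewal.window / gateway.certificate.renewal.window (top-level
"enabled", per-window "enabled"/"timezone"/"days"/"start"/"end" and their
defaults). Key names "start"/"end" are assumed from the prose; "timezone" is
"local" (the device's own IANA zone) or an IANA zone name.
"""
import json
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

ALL_DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")

# Constructed sample Value: Sat/Sun 01:30-05:30 device-local time, plus any time
# on Wednesday (UTC). The third window has no "enabled" key, so it is off.
SAMPLE_VALUE = json.dumps({
    "enabled": True,
    "windows": [
        {"enabled": True, "days": "SAT, sun", "start": "01:30", "end": "05:30"},
        {"enabled": True, "timezone": "UTC", "days": "wed"},
        {"days": "mon"},
    ],
})

def utc(year, month, day, hour, minute):
    """Helper to build an aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def _zone(name):
    """'UTC' or an IANA zone name (e.g. America/Los_Angeles), never PST/PDT."""
    return timezone.utc if name.upper() == "UTC" else ZoneInfo(name)

def _parse_days(raw):
    """Comma-separated three-letter English day names, case-insensitive."""
    if raw is None:
        return set(ALL_DAYS)               # default: every day of the week
    days = {d.strip().lower() for d in raw.split(",") if d.strip()}
    unknown = days - set(ALL_DAYS)
    if unknown:
        raise ValueError(f"unknown day name(s): {sorted(unknown)}")
    return days

def _parse_hhmm(raw, default):
    """24-hour HH:MM only; '1:30 am' style values are rejected."""
    return default if raw is None else datetime.strptime(raw, "%H:%M").time()

def window_matches(window, now_utc, device_tz):
    """True if now_utc falls inside this window definition."""
    if not window.get("enabled", False):   # default: false
        return False
    if "days" not in window and not ("start" in window and "end" in window):
        raise ValueError("a window needs 'days' or both 'start' and 'end'")
    tz_name = window.get("timezone", "local")
    local = now_utc.astimezone(_zone(device_tz if tz_name == "local" else tz_name))
    if ALL_DAYS[local.weekday()] not in _parse_days(window.get("days")):
        return False
    start = _parse_hhmm(window.get("start"), time(0, 0))
    end = _parse_hhmm(window.get("end"), time(23, 59))
    t = local.time().replace(second=0, microsecond=0)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end          # assumption: window may wrap midnight

def renewal_allowed_now(value_json, now_utc, device_tz):
    """True if a renewal may run now, False if deferred. A disabled property
    (the default) defers nothing."""
    cfg = json.loads(value_json)
    if not cfg.get("enabled", False):
        return True
    return any(window_matches(w, now_utc, device_tz) for w in cfg.get("windows", []))
```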

Table 5. Data Retention
System Property Description
retention.highResFlows.days This system property enables Operators to configure high resolution flow stats data retention anywhere between 1 and 90 days.
retention.lowResFlows.months This system property enables Operators to configure low resolution flow stats data retention anywhere between 1 and 365 days.
session.options.maxFlowstatsRetentionDays This property enables Operators to query more than two weeks of flow stats data.
Table 6. Edges
System Property Description
edge.offline.limit.sec If the Orchestrator does not detect a heartbeat from an Edge for the specified duration, then the state of the Edge is moved to OFFLINE mode.
edge.link.unstable.limit.sec When the Orchestrator does not receive link statistics for a link for the specified duration, the link is moved to UNSTABLE mode.
edge.link.disconnected.limit.sec When the Orchestrator does not receive link statistics for a link for the specified duration, the link is disconnected.
edge.deadbeat.limit.days If an Edge is not active for the specified number of days, then the Edge is not considered for generating Alerts.
vco.operator.alert.edgeLinkEvent.enable Globally enables or disables Operator Alerts for Edge Link events.
vco.operator.alert.edgeLiveness.enable Globally enables or disables Operator Alerts for Edge Liveness events.
Table 7. Edge Activation
System Property Description
edge.activation.key.encode.enable Base64 encodes the activation URL parameters to obscure values when the Edge Activation Email is sent to the Site Contact.
edge.activation.trustedIssuerReset.enable Resets the trusted certificate issuer list of the Edge to contain only the Orchestrator Certificate Authority. All TLS traffic from the Edge is restricted by the new issuer list.
network.public.certificate.issuer When edge.activation.trustedIssuerReset.enable is set to True, set the value of network.public.certificate.issuer to the PEM encoding of the issuer of the Orchestrator server certificate. This adds the server certificate issuer to the trusted issuers of the Edge, in addition to the Orchestrator Certificate Authority.
Table 8. Monitoring
System Property Description
vco.monitor.enable Globally enables or disables monitoring of Enterprise and Operator entity states. Setting the Value to False prevents SD-WAN Orchestrator from changing entity states and triggering alerts.
vco.enterprise.monitor.enable Globally enables or disables monitoring of Enterprise entity states.
vco.operator.monitor.enable Globally enables or disables monitoring of Operator entity states.
Table 9. Notifications
System Property Description
vco.notification.enable Globally enables or disables the delivery of Alert notifications to both Operator and Enterprises.
vco.enterprise.notification.enable Globally enables or disables the delivery of Alert notifications to the Enterprises.
vco.operator.notification.enable Globally enables or disables the delivery of Alert notifications to the Operator.
Table 10. Password Reset and Lockout
System Property Description
vco.enterprise.resetPassword.token.expirySeconds Duration of time, after which the password reset link for an enterprise user expires.
vco.enterprise.authentication.passwordPolicy

Defines the password expiration and password history policy for enterprise users.

Edit the JSON template in the Value field to define the following:

expiry:
  • enable: Set this to true to enable automatic expiry of enterprise user passwords.
  • days: Enter the number of days that an enterprise password may be used before forced expiry.
history:
  • enable: Set this to true to enable recording of enterprise users' previous Passwords.
  • count: Enter the number of previous Passwords to be saved in the history. When an enterprise user tries to change the password, the system does not allow the user to enter a password that is already saved in the history.
enterprise.user.lockout.defaultAttempts Number of times the enterprise user can attempt to login. If the login fails for the specified number of times, the account is locked.
enterprise.user.lockout.defaultDurationSeconds Duration of time, for which the enterprise user account is locked.
enterprise.user.lockout.enabled Enables or disables the lockout option for the enterprise login failures.
vco.operator.resetPassword.token.expirySeconds Duration of time, after which the password reset link for an Operator user expires.
vco.operator.authentication.passwordPolicy

Defines the password expiration and password history policy for Operator users.

Edit the JSON template in the Value field to define the following:

expiry:
  • enable: Set this to true to enable automatic expiry of Operator user passwords.
  • days: Enter the number of days that an Operator password may be used before forced expiry.
history:
  • enable: Set this to true to enable recording of Operator users' previous Passwords.
  • count: Enter the number of previous Passwords to be saved in the history. When an Operator user tries to change the password, the system does not allow the user to enter a password that is already saved in the history.
operator.user.lockout.defaultAttempts Number of times the Operator user can attempt to login. If the login fails for the specified number of times, the account is locked.
operator.user.lockout.defaultDurationSeconds Duration of time, for which the Operator user account is locked.
operator.user.lockout.enabled Enables or disables the lockout option for the Operator login failures.
Table 11. Rate Limiting APIs
System Property Description
vco.api.rateLimit.enabled Allows Operator Super users to enable or disable the rate limiting feature at the system level. By default, the value is False.
Note: Even when enabled, the rate-limiter does not enforce in earnest, that is, it does not reject API requests that exceed the configured limits, unless the vco.api.rateLimit.mode.logOnly setting is disabled.
vco.api.rateLimit.mode.logOnly

Allows the Operator Super user to run the rate limiter in LOG_ONLY mode. When the value is set to True and a rate limit is exceeded, the Orchestrator only logs the error and emits the corresponding metrics, allowing clients to keep making requests without being rate limited.

When the value is set to False, the request API is restricted with defined policies and HTTP 429 is returned.

vco.api.rateLimit.rules.global

Defines the set of globally applicable policies used by the rate-limiter, as a JSON array. By default, the value is an empty array.

Each type of user (Operator, Partner, and Customer) can make up to 500 requests for every 5 seconds. The number of requests is subject to change based on the behavior pattern of the rate limited requests.

The JSON array consists of the following parameters:

Types: The type objects represent different contexts in which the rate limits are applied. The following are the different type objects that are available:
  • SYSTEM: Specifies a global limit shared by all the users.
  • OPERATOR_USER: A limit that can be set in general for all the Operator users.
  • ENTERPRISE_USER: A limit that can be set in general for all the Enterprise users.
  • MSP_USER: A limit that can be set in general for all the MSP users.
  • ENTERPRISE: A limit that can be shared between all users of an Enterprise and is applicable to all the Enterprises in the network.
  • PROXY: A limit that can be shared between all users of a Proxy and is applicable to all proxies.
Policies: Add rules to the policies to apply to the requests that match the rule, by configuring the following parameters:
  • Match: Enter the type of requests to be matched:
    • ALL: Rate-limit all requests matching one of the type objects.
    • METHOD: Rate-limit all requests matching the specified method name.
    • METHOD_PREFIX: Rate-limit all requests matching the specified method group.
  • Rules: Enter the values for the following parameters:
    • maxConcurrent: Number of jobs that can be performed at the same time.
    • reservoir: Number of jobs that can be performed before the limiter stops performing jobs.
    • reservoirRefreshAmount: Value to set the reservoir to when reservoirRefreshInterval is in use.
    • reservoirRefreshInterval: Every reservoirRefreshInterval milliseconds, the reservoir value is automatically reset to the value of reservoirRefreshAmount. The reservoirRefreshInterval value must be a multiple of 250 (5000 for Clustering).

Enabled: Each type limit can be enabled or disabled by including the enabled key in APIRateLimiterTypeObject. By default, the value of enabled is True, even if the key is not included. You need to include "enabled": false key to disable the individual type limits.

The following example shows a sample JSON file with default values:

[
    {
        "type": "OPERATOR_USER",
        "policies": [
            {
                "match": {
                    "type": "ALL"
                },
                "rules": {
                    "reservoir": 500,
                    "reservoirRefreshAmount": 500,
                    "reservoirRefreshInterval": 5000
                }
            }
        ]
    },
    {
        "type": "MSP_USER",
        "policies": [
            {
                "match": {
                    "type": "ALL"
                },
                "rules": {
                    "reservoir": 500,
                    "reservoirRefreshAmount": 500,
                    "reservoirRefreshInterval": 5000
                }
            }
        ]
    },
    {
        "type": "ENTERPRISE_USER",
        "policies": [
            {
                "match": {
                    "type": "ALL"
                },
                "rules": {
                    "reservoir": 500,
                    "reservoirRefreshAmount": 500,
                    "reservoirRefreshInterval": 5000
                }
            }
        ]
    }
]
Note: It is recommended not to change the default values of the configuration parameters.
vco.api.rateLimit.rules.enterprise.default Comprises the default set of Enterprise-specific policies applied to newly created Customers. The Customer-specific properties are stored in the Enterprise property vco.api.rateLimit.rules.enterprise.
vco.api.rateLimit.rules.enterpriseProxy.default Comprises the default set of Enterprise-specific policies applied to newly created Partners. The Partner-specific properties are stored in the Enterprise proxy property vco.api.rateLimit.rules.enterpriseProxy.
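A model of how the reservoir rules and vco.api.rateLimit.mode.logOnly combine, using the default policy values shown above. This is an added example, not the Orchestrator's rate limiter; selecting rules by the ALL match only, the refresh bookkeeping, and leaving maxConcurrent out of the model are assumptions.

```python
"""Model of the reservoir-based policy rules described above.

Added example, not Orchestrator code. It reproduces the documented meaning
of reservoir, reservoirRefreshAmount and reservoirRefreshInterval, of
"enabled" on a type object, and of vco.api.rateLimit.mode.logOnly (log and
allow vs. HTTP 429). Selecting rules by the ALL match only and the refresh
bookkeeping are assumptions; maxConcurrent is not modelled.
"""
import json

# Constructed policy with the page's default values: 500 requests per 5000 ms.
SAMPLE_RULES = json.dumps([
    {"type": "OPERATOR_USER",
     "policies": [{"match": {"type": "ALL"},
                   "rules": {"reservoir": 500, "reservoirRefreshAmount": 500,
                             "reservoirRefreshInterval": 5000}}]},
    {"type": "MSP_USER", "enabled": False, "policies": []},  # type limit off
])

class ReservoirLimiter:
    """Limiter for one policy: a reservoir reset on every refresh interval."""

    def __init__(self, rules, now_ms=0):
        self.reservoir = rules.get("reservoir")            # None = no cap
        self.refresh_amount = rules.get("reservoirRefreshAmount")
        self.refresh_interval = rules.get("reservoirRefreshInterval")
        self.last_refresh = now_ms
        if self.refresh_interval is not None and self.refresh_interval % 250:
            raise ValueError("reservoirRefreshInterval must be a multiple of 250")

    def _refresh(self, now_ms):
        if self.refresh_interval is None:
            return
        elapsed = now_ms - self.last_refresh
        if elapsed >= self.refresh_interval:
            # The reservoir is *set to* reservoirRefreshAmount, not incremented.
            self.reservoir = self.refresh_amount
            self.last_refresh = now_ms - elapsed % self.refresh_interval

    def try_acquire(self, now_ms):
        """True if a job may start now; consumes one unit of the reservoir."""
        self._refresh(now_ms)
        if self.reservoir is not None:
            if self.reservoir <= 0:
                return False
            self.reservoir -= 1
        return True

def build_limiters(rules_json, now_ms=0):
    """Map user type -> limiter built from that type's ALL-match policy."""
    limiters = {}
    for obj in json.loads(rules_json):
        if not obj.get("enabled", True):          # "enabled" defaults to true
            continue
        for policy in obj["policies"]:
            if policy["match"].get("type") == "ALL":
                limiters[obj["type"]] = ReservoirLimiter(policy["rules"], now_ms)
    return limiters

def handle_request(limiter, now_ms, log_only, log):
    """Return the HTTP status for one request at time now_ms."""
    if limiter.try_acquire(now_ms):
        return 200
    log.append(f"rate limit exceeded at t={now_ms}ms")
    return 200 if log_only else 429               # logOnly: record, let it through

def simulate(rules_json, user_type, timestamps_ms, log_only):
    """Replay requests at the given times; return (statuses, log lines)."""
    limiter = build_limiters(rules_json)[user_type]
    log = []
    return [handle_request(limiter, t, log_only, log) for t in timestamps_ms], log
```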

For more information on Rate limiting, see Rate Limiting API Requests.

Table 12. Remote Diagnostics
System Property Description
network.public.address Specifies the browser origin address/DNS hostname that is used to access the SD-WAN Orchestrator UI.
network.portal.websocket.address Allows setting an alternate DNS hostname/address used to access the SD-WAN Orchestrator UI from a browser, if the browser address is not the same as the value of the network.public.address system property.

As remote diagnostics now uses a WebSocket connection, the browser origin address used to access the Orchestrator UI is validated on incoming requests to ensure web security. In most cases, this address is the same as the network.public.address system property. In rare scenarios, the Orchestrator UI can be accessed using another DNS hostname/address that differs from the value set in the network.public.address system property. In such cases, you can set this system property to the alternate DNS hostname/address. By default, this value is not set.

session.options.websocket.portal.idle.timeout Allows setting the total amount of time (in seconds) that the browser WebSocket connection stays active in an idle state. By default, the browser WebSocket connection stays active for 300 seconds in an idle state.
Table 13. Segmentation
System Property Description
enterprise.capability.enableSegmentation Enables or disables the segmentation capability for Enterprise users.
enterprise.segments.system.maximum Specifies the maximum number of segments allowed for any Enterprise user. Ensure that you change the value of this system property to 128 if you want to enable 128 segments on SD-WAN Orchestrator for an Enterprise user.
enterprise.segments.maximum Specifies the default value for the maximum number of segments allowed for a new or existing Enterprise user. The default value for any Enterprise user is 16.
Note: This value must be less than or equal to the number defined in the system property, enterprise.segments.system.maximum.
It is not recommended for you to change the value of this system property if you want to enable 128 segments for an Enterprise user. Instead, you can enable Customer Capabilities in the Customer Configuration page to configure the required number of segments. For instructions, refer to the "Configure Customer Capabilities" section in the VMware SD-WAN Operator Guide available at VMware SD-WAN Documentation.
enterprise.subinterfaces.maximum Specifies the maximum number of sub-interfaces that can be configured for an Enterprise user. The default value is 32.
enterprise.vlans.maximum Specifies the maximum number of VLANs that can be configured for an Enterprise user. The default value is 32.
session.options.enableAsyncAPI When the segment scale is increased to 128 segments for any Enterprise user, to prevent UI timeouts, you can enable Async APIs support on the UI by using this system property. The default value is true.
session.options.asyncPollingMilliSeconds Specifies the polling interval for Async APIs on the UI. The default value is 5000 milliseconds.
session.options.asyncPollingMaxCount Specifies the maximum number of calls to getStatus API from the UI. The default value is 10.
vco.enterprise.events.configuration.diff.enable Enables or disables configuration diff event logging. Whenever the number of segments for an Enterprise user is greater than 4, the configuration diff event logging will be deactivated. You can enable configuration diff event logging using this system property.
Table 14. Self-service Password Reset
System Property Description
vco.enterprise.resetPassword.twoFactor.mode Defines the mode of the second-level authentication for password reset, for all Enterprise users. Currently, only the SMS mode is supported.
vco.enterprise.resetPassword.twoFactor.required Enables or disables the two-factor authentication for password reset of Enterprise users.
vco.enterprise.selfResetPassword.enabled Enables or disables self-service password reset for Enterprise users.
vco.enterprise.selfResetPassword.token.expirySeconds Duration of time, after which the self-service password reset link for an Enterprise user expires.
vco.operator.resetPassword.twoFactor.required Enables or disables the two-factor authentication for password reset of Operator users.
vco.operator.selfResetPassword.enabled Enables or disables self-service password reset for Operator users.
vco.operator.selfResetPassword.token.expirySeconds Duration of time, after which the self-service password reset link for an Operator user expires.
Table 15. Two-factor Authentication
System Property Description
vco.enterprise.authentication.twoFactor.enable Enables or disables the two-factor authentication for Enterprise users.
vco.enterprise.authentication.twoFactor.mode Defines the mode for the second level authentication for Enterprise users. Currently, only SMS is supported as the second level authentication mode.
vco.enterprise.authentication.twoFactor.require Defines the two-factor authentication as mandatory for Enterprise users.
vco.operator.authentication.twoFactor.enable Enables or disables the two-factor authentication for Operator users.
vco.operator.authentication.twoFactor.mode Defines the mode for the second level authentication for Operator users. Currently, only SMS is supported as the second level authentication mode.
vco.operator.authentication.twoFactor.require Defines the two-factor authentication as mandatory for Operator users.
Table 16. VNF Configuration
System Property Description
edge.vnf.extraImageInfos Defines the properties of a VNF Image.
You can enter the following information for a VNF Image, in JSON format in the Value field:
[
  {
    "vendor": "Vendor Name",
    "version": "VNF Image Version",
    "checksum": "VNF Checksum Value",
    "checksumType": "VNF Checksum Type"
  }
]
Example of JSON file for Check Point Firewall Image:
[
  {
    "vendor": "checkPoint",
    "version": "r80.40_no_workaround_46",
    "checksum": "bc9b06376cdbf210cad8202d728f1602b79cfd7d",
    "checksumType": "sha-1"
  }
]
Example of JSON file for Fortinet Firewall Image:
[
   {
      "vendor": "fortinet",
      "version": "624",
      "checksum": "6d9e2939b8a4a02de499528c745d76bf75f9821f",
      "checksumType": "sha-1"
   }
]
edge.vnf.metric.record.limit Defines the number of VNF metric records to be stored in the database.
enterprise.capability.edgeVnfs.enable Enables VNF deployment on supported Edge models.
enterprise.capability.edgeVnfs.securityVnf.checkPoint Enables Check Point Networks Firewall VNF.
enterprise.capability.edgeVnfs.securityVnf.fortinet Enables Fortinet Networks Firewall VNF.
enterprise.capability.edgeVnfs.securityVnf.paloAlto Enables Palo Alto Networks Firewall VNF.
session.options.enableVnf Enables the VNF feature.
vco.operator.alert.edgeVnfEvent.enable Globally enables or disables Operator alerts for Edge VNF events.
vco.operator.alert.edgeVnfInsertionEvent.enable Globally enables or disables Operator alerts for Edge VNF Insertion events.
Table 17. VPN
System Property Description
vpn.disconnect.wait.sec The time interval for the system to wait before disconnecting a VPN tunnel.
vpn.reconnect.wait.sec The time interval for the system to wait before reconnecting a VPN tunnel.