Environment
An Environment represents physical system configurations and combines server and connection settings into one convenient file.
Description
You may define multiple environments in which to work on your model. These environments represent physical system configurations e.g. Development, QA, Staging, or Production. Among other things, environments store log-on and password information, database connection information, and deployment and connection information. Once they are defined, you can move easily between the environmental settings by selecting them from a drop-down list in NexJ Studio.
A recommended best practice for reuse of Environment files is to employ property files in conjunction with a “template” environment. This provides separation between high-level configuration options (stored in the environment file) and configuration values (stored in properties files). To do this, replace environment property values with ${<propertyName>:<defaultValue>} e.g. debug="${debug:false}". The default value will be used unless a value exists in the property file (e.g. debug=true), in which case that value will be used.
Environments may be encrypted using NexJ Studio to protect their contents. Environments may be split into Server and Connections files using the right mouse button menu item "Extract to Server/Connections" in NexJ Studio.
Properties
anyAttribute
Any attribute
anonRPC : boolean
True to enable anonymous access to HTTP/soap, HTTP/text, HTTP/web and HTTP/xml RPC protocols; false to disable.
Anonymous requests will be processed in an invocation context where the user is the user specified in the "anonUser" property. The HTTP/text RPC protocol is used by all the clients except for the flat page client.
- See
- Server.anonUser
anonUser : string
The user that anonymous HTTP requests will be authenticated as.
Set this property to enable anonymous access to the server. Details on how this works can be found in the httpAnonymousURL documentation. The domain is appended to the user by the framework when SPNEGO is used.
- See
- anonRPC
- anonWeb
- HttpConnection.authentication
anonWeb : boolean
True to enable anonymous access to the flat page client.
Anonymous requests will be processed in an invocation context where the user is the user specified in the "anonUser" property.
- See
- Server.anonUser
authCacheTimeout : nonNegativeLong
Number of milliseconds for which a security context should be cached.
Valid values based on “long”. 0 (minInclusive)
authCert : boolean
True to enable client certificate authentication access to all RPC and UI endpoints.
authComponent : string
Authentication interceptor component.
authDebug : boolean
True to enable authentication debugging.
authDomain : string
Authentication domain or Kerberos realm, usually DOMAIN.EXT in capital letters.
- Example
EXAMPLE.COM
authGroup : string
Authentication group/role granting server request privileges.
All application users must be in this group, as received from the authentication layer.
- Example
nexjusers
authNaming : authNaming
Authentication principal naming: long to append the domain, short to remove, default to keep unchanged.
Valid values based on “string”. default short long
authProtocol : authProtocol
Authentication protocol.
Valid values based on “string”.
basic - Basic user name/password authentication
form - Login form-based user name/password authentication
spnego - SPNEGO authentication - http://en.wikipedia.org/wiki/SPNEGO
certificate - Client certificate authentication
perimeter - Token-based SSO authentication
container - Container-specific authentication
custom - Interceptor component authentication
authRPC : boolean
True to enable basic and SPNEGO authentication access to generic RPC protocols; false to disable.
Generic RPC protocols are HTTP/soap, HTTP/text, HTTP/web, HTTP/xml and EJB. They are used by all the clients except for the flat page client. If authProtocol is "certificate" and "trust" is not set, setting authRPC to "false" disables the generic RPC protocols altogether.
authService : string
Authentication Kerberos service principal name (SPN), usually HTTP/host.domain.ext.
- Example
HTTP/localhost.example.com
buildBanner : string
Information to be displayed in the banner.
channelWarningTimeout : nonNegativeLong
Timeout in milliseconds before a warning is generated, 0 for infinite timeout.
Valid values based on “long”. 0 (minInclusive)
clientPerfStatusEnabled : boolean
True if Flat client deployments support logging performance metrics.
clusterAvailabilityTimeout : nonNegativeLong
The minimum time in milliseconds that must elapse before a node is considered unavailable in a cluster.
When the session manager detects a node as unavailable, it redirects requests away from that node. When the object queue dispatcher detects a node as unavailable, it recovers all the persistent messages that were assigned to that node and stops delivering messages to it.
Valid values based on “long”. 0 (minInclusive)
clusterCPUThreshold : percentage
The CPU usage at which a node is considered busy.
This value is used as a secondary metric for determining the most available node.
Valid values based on “nonNegativeInt”. 100 (maxInclusive)
clusterKeystore : string
The base64 encoded keystore (inline) to be used for inter-cluster communication.
clusterMemoryLimit : percentage
The memory usage at which a node is considered overloaded. It is expressed as the percentage of utilization of the total heap.
This is the maximum memory usage allowed before session passivation is forced. When the object queue dispatcher node becomes overloaded, it initiates pre-emptive failover and a new non-busy node is selected to be the dispatcher.
Valid values based on “nonNegativeInt”. 100 (maxInclusive)
clusterMemoryThreshold : percentage
The memory usage at which a node is considered busy. It is expressed as the percentage of utilization of the allocated heap.
This value is used as the primary metric for determining the most available node.
Valid values based on “nonNegativeInt”. 100 (maxInclusive)
clusterPassword : password
The password for the clusterKeystore.
Valid values based on “string”.
concurrentLoadingEnabled : boolean
True to enable concurrent metadata loading.
description : string
A meaningful description of what the deployment environment represents.
diagnosticLeakTimeout : nonNegativeLong
The minimum time in seconds that a pool resource must stay in use before a warning is logged about it being possibly hung.
Valid values based on “long”. 0 (minInclusive)
diagnosticRepeatTimeout : nonNegativeLong
The minimum time in seconds that must elapse before repeated system-triggered dumps on the same pool are logged.
A system-triggered dump occurs when a pool that has already allocated its maximum number of resources fails to return a resource within its configured wait period.
Valid values based on “long”. 0 (minInclusive)
diagnosticTrace : boolean
True to enable diagnostic object tracing on pool resources.
distributed : boolean
Enable clustering services.
dynamic : boolean
True to enable dynamic metadata deployment.
eventAudit : boolean
True to enable event triggered audit logging.
hideErrorValveReport : boolean
Flag to determine if the error report (custom error message and/or stack trace) is presented when an error occurs.
If set to true, then the error report is not returned in the HTML response. Default value: false. See org.apache.catalina.valves.ErrorReportValve.
hideErrorValveServerInfo : boolean
Flag to determine if server information is presented when an error occurs.
If set to true, then the server version is not returned in the HTML response. Default value: true. See org.apache.catalina.valves.ErrorReportValve.
httpAnonymousURL : string
HTTP server anonymous content URL.
To enable anonymous access you must specify a user in the environment's "anonUser" property.
The anonymous URL defaults to "/nexj/<env>/anon" where <env> is either specified in the "name" property or derived from the metadata namespace. This value can be overridden.
Requests made under this context are authenticated as the user specified in the environment's "anonUser" property. Flat web client is exposed if "anonWeb" is true. HTTP RPC protocols are exposed on anon if the "anonRPC" property is true. HTTP integration channels are exposed on anon if their "authentication" is "none".
To make static content from the web folder available over the anonymous channel you must first enable anonymous access as above, then whitelist the content. To whitelist items, customize the "HTTPServer.Static" component and add your path to the "anon" Collection. It is currently populated with a few paths that are known to be needed for form authentication. Use the * wildcard character to whitelist a directory (e.g. /fonts/*), or specify the full path to the static resource to be exposed (e.g. /document.pdf).
- Example
You must set the "anonUser" property and a channel's "authentication" to "none".
http://server.example.com:port/myapp/anon (Yields Contact App URL: http://server.example.com:port/myapp/anon/channel/myChannelName)
- See
- Server.name
httpAuthCookie : string
The HTTP authentication cookie name.
httpForbiddenEnabled : boolean
True to enable the HTTP 403 Forbidden response for a permanent authentication failure.
Otherwise HTTP 404 Not Found is used to hide the existence of an HTTP resource, as a deterrent. Defaults to false, as a deterrent on a security hardened server.
httpFormErrorPage : string
Path from root of WAR to the login error page. Must start with "/".
httpFormLoginPage : string
Path from root of WAR to the login page. Must start with "/".
The login page is displayed when an unauthenticated request is made to any secured resource under the form-based-authentication URL. There should be a login form on this page, allowing the user to authenticate.
The login form should submit to the same URL from which it was served, i.e. action="". The POST request should have the username passed in the text field "j_username" and the password in "j_password".
httpGZip : boolean
Compress the HTTP traffic to minimize the network bandwidth.
This does come with a substantial performance cost.
httpLockTimeout : nonNegativeInt
HTTP session lock timeout in seconds (0 is unlimited).
Valid values based on “int”. 0 (minInclusive)
httpLoginURL
The relative HTTP login URL.
Defaults to "/channel/sso:Login".
- See
- Server.httpSSOURL
httpLogoutDateCookie : string
The HTTP logout date cookie name.
This cookie stores the time at which the server will log out the user.
httpLogoutURL
The relative HTTP logout URL.
Defaults to "/channel/sso:Logout".
- See
- Server.httpSSOURL
httpMaxSize : nonNegativeInt
Maximum HTTP request size in bytes (0 is unlimited).
Valid values based on “int”. 0 (minInclusive)
httpPingURL
The relative HTTP ping URL.
Defaults to "/channel/sso:Ping".
- See
- Server.httpSSOURL
httpPrincipalCookie : string
The HTTP principal cookie name.
This cookie stores the login name of the user. This is used for debugging purposes only and no security features are dependent on it.
httpReportURL : string
Reporting Base URL, to specify an external server to provide reporting functionality.
- Example
http://server.example.com:port/nexj/reports
httpSSOURL : httpURL
The root HTTP URL of the SSO Application.
Valid values based on “anyURI”. http[s]?://.*
httpURL : string
HTTP server URL, if non-default.
If URL contains no HTTP context path, then context defaults to "/nexj/<env>" where <env> is either specified in the "name" property or derived from the metadata namespace.
If a port number is not specified, a default HTTP port number based on the value of the secureTransport attribute is used:
  - If secureTransport="false", the default port is 7080.
  - If secureTransport="true", the default port is 7443.
If a port number is specified, the system either uses that number or replaces it, depending on the following:
  - If the URL scheme aligns with the secureTransport value, meaning the URL scheme is "https" when secureTransport="true" and "http" when secureTransport="false", the specified port number is used.
  - If there is a mismatch between the URL scheme and the secureTransport value, the port number is replaced as follows:
    - If the URL scheme is "http" and secureTransport="true", the last three digits of the specified port are replaced with 443. This applies regardless of the number of digits in the port number. For example, 80 or 123 would be replaced with 443; 8441 would be replaced with 8443; and 12345 would be replaced with 12443.
    - If the URL scheme is "https" and secureTransport="false", the last three digits of the specified port are replaced with 080.
- Example
http://server.domain:port (Yields Contact App URL: http://server.domain:port/nexj/finance/ui/portlet)
http://server.domain:port/ (Yields Contact App URL: http://server.domain:port/ui/portlet)
http://server.domain:port/crm/ (Yields Contact App URL: http://server.domain:port/crm/ui/portlet)
/ (Yields Contact App URL: http://<default>/ui/portlet)
/crm (Yields Contact App URL: http://<default>/crm/ui/portlet)
- See
- Server.name
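The httpURL port rules worked through as an added Python example (not NexJ code), useful when reconciling firewall rules or listener inventories with an environment file, because the port in use can differ from the port written in httpURL. The helper names and sample hosts are constructed, and treating "replaced with 080" as the numeric suffix 080 is an assumption.

```python
from urllib.parse import urlsplit

# Defaults and replacement suffixes as stated in the httpURL description.
DEFAULT_PORT = {False: 7080, True: 7443}
MISMATCH_SUFFIX = {True: 443, False: 80}  # "443" and "080" as the last three digits


def effective_port(http_url, secure_transport):
    """Return (port, rule) for an httpURL value and a secureTransport flag."""
    parts = urlsplit(http_url)
    port = parts.port  # None for "/crm" or "http://host"; ValueError if malformed
    if port is None:
        return DEFAULT_PORT[secure_transport], "default"
    if (parts.scheme.lower() == "https") == secure_transport:
        return port, "as written"
    # Scheme and secureTransport disagree: keep the leading digits and
    # replace the last three, whatever the length of the port number.
    return (port // 1000) * 1000 + MISMATCH_SUFFIX[secure_transport], "replaced"


def port_surprises(environments):
    """List (name, written port, effective port) where the two differ."""
    surprises = []
    for name, url, secure in environments:
        written = urlsplit(url).port
        port, rule = effective_port(url, secure)
        if rule == "replaced" and port != written:
            surprises.append((name, written, port))
    return surprises


# Constructed environments: (name, httpURL, secureTransport).
SAMPLE = [
    ("dev", "http://server.example.com:8080/crm/", False),
    ("qa", "http://server.example.com:8441", True),
    ("staging", "https://server.example.com:8443", False),
    ("prod", "/crm", True),
]

if __name__ == "__main__":
    for name, url, secure in SAMPLE:
        print(name, effective_port(url, secure))
    print(port_surprises(SAMPLE))
```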
installRoot : string
WebSphere-specific property specifying absolute paths of AppServer locations separated by comma. The value is used by the deployment tool to push server config files and jars.
jnlpEnabled : boolean
True if Java Web Start deployment of the Rich Desktop Client is enabled.
jnlpPrivate : boolean
Restrict the Java Web Start download of the Rich Desktop Client to the private intranet.
journalDirectory : string
The directory in which to store the transactional journal.
If a relative path is specified then the journal directory is placed under the server data directory. The journal files are placed in a subdirectory named after the node name.
- Example
tx${test.clone}
journalEnabled : boolean
True to enable use of the transactional journal.
keystorePassword : password
The password for the SSL keystore that holds server certificates.
The password used for the application server's ssl.keystore file.
- Example
text:keypass
Valid values based on “string”.
ldapAuthProtocol
The authentication protocol for connecting to the LDAP server.
Valid values based on “string”.
kerberos - Kerberos authentication (http://en.wikipedia.org/wiki/Kerberos_%28protocol%29)
simple - Simple authentication
ldapCacheTimeout : nonNegativeLong
Duration (in seconds) to cache LDAP query results; 0 to disable.
Valid values based on “long”. 0 (minInclusive)
ldapDomain : string
The user's domain. May contain: ${user_domain}, ${server_domain}, and ${default_domain}.
${user_domain}: Domain formed from the user's DN: "DC=a,DC=b,DC=c" becomes "a.b.c".
${server_domain}: Authentication domain in the .server file.
${default_domain}: Default realm from the krb5 configuration file.
- Example
ldapDomain="${user_domain}"
ldapDomain="${default_domain}"
ldapExpandParents : boolean
True to perform nested group search; false to return only direct parent groups.
ldapGroupContextDN : string
The DN to search for groups. May contain: ${user_domain}, ${server_domain}, and ${default_domain}.
${user_domain}: DN formed from the user principal's domain: "user@a.b.c" becomes "DC=a,DC=b,DC=c".
${server_domain}: DN of the authentication domain in the .server file.
${default_domain}: DN of the default realm from the krb5 configuration file.
- Example
ldapGroupContextDN="OU=Security Groups,OU=NexJ Systems,${user_domain}"
ldapGroupContextDN="${default_domain}"
ldapGroupFilter : string
The filter to use when querying groups.
- Example
(objectCategory=group)
ldapGroupNameAttribute : string
The group attribute that holds the group's name.
- Example
sAMAccountName
ldapGroupParentMap : string
List of "group attribute:group attribute" pairs for mapping groups to their parent groups.
Format is "child_attr1:parent_attr1;child_attr2:parent_attr2;...;child_attrN:parent_attrN".
ldapGroupSearchScope : ldapScope
The scope to use when searching for groups.
Valid values based on “string”. oneLevel object subtree
ldapPassword : password
The password to use to connect to the LDAP server corresponding to the ldapUser.
Valid values based on “string”.
ldapURL : string
LDAP server URL for determining user group membership.
ldapUser : string
The user id to use to connect to the LDAP server.
Unspecified for silent sign on.
ldapUserContextDN : string
The DN to search for users. May contain: ${user_domain}, ${server_domain}, and ${default_domain}.
${user_domain}: DN formed from the user principal's domain: "user@a.b.c" becomes "DC=a,DC=b,DC=c".
${server_domain}: DN of the authentication domain in the .server file.
${default_domain}: DN of the default realm from the krb5 configuration file.
- Example
ldapUserContextDN="OU=Users,OU=NexJ Systems,${user_domain}"
ldapUserContextDN="${default_domain}"
ldapUserDNAttribute : string
The user attribute that holds the user DN.
ldapUserFilter : string
The filter to use when querying users.
- Example
(objectCategory=user)
ldapUserGroupMap : string
List of "user attribute:group attribute" pairs for mapping users to groups.
Format is "user_attr1:group_attr1;user_attr2:group_attr2;...;user_attrN:group_attrN".
ldapUserLoginAttribute : string
The user attribute that holds the login id.
- Example
userPrincipalName
ldapUserPrincipalAttribute : string
The user attribute that holds the Kerberos principal name without the realm.
ldapUserSearchScope : ldapScope
The scope to use when searching for users.
Valid values based on “string”. oneLevel object subtree
location : string
Container-specific deployment location for the model.
For information about additional locations, see the topic Deploying NexJ Server.
- Example
For Model Server, the location could be: C:\java\container\deploy
loggingPlatformAdapter : string
Java class implementing logging platform adaptation.
maxLoginAttempts : string
Maximum login attempts (0 is unlimited) allowed before user is locked out.
maxMessageReceivers : nonNegativeInt
Maximum number of threads used by object queueing engine.
Valid values based on “int”. 0 (minInclusive)
maxMessageSenders : nonNegativeInt
Maximum number of connections to the object queueing engine.
Valid values based on “int”. 0 (minInclusive)
messagePort : nonNegativeInt
TCP/IP port to use for intra-cluster communication with the ObjectQueue engine.
Valid values based on “int”. 0 (minInclusive)
name : string
The environment name to use for deployments. Derived from repository namespace if not specified.
nodes : string
Space-separated list of IP addresses with sign-separated port offsets of initial cluster members. Used by unicast cluster discovery protocols only. If unspecified, centralized persistent storage is used for obtaining the addresses.
- Example
10.0.0.2+1
password : password
Deployment administrator password.
Valid values based on “string”.
passwordHashAlgorithm : string
The hash algorithm used to hash the user's password.
persistenceCompression : boolean
Compress the persisted session state for reduced persistent storage (~5 times) at the cost of increased CPU utilization.
persistenceDirDepth : nonNegativeInt
Number of subdirectory levels created under the persistence directory.
Valid values based on “int”. 0 (minInclusive)
persistenceDirectory : string
Shared directory for storing the persisted session state. If not specified, the sessions are persisted to the SessionDatabase data source.
persistentSession : boolean
Enable session persistence and advanced load balancing.
Session information is stored using a file system or a database.
pixelPerfectReportsAudit : boolean
True to audit execution of pixel perfect reports to the report audit table in the audit datasource.
pollPeriod : nonNegativeLong
The time interval in ms for the client to poll the server for updates.
Default is 300000 (5 min).
Valid values based on “long”. 0 (minInclusive)
previewThreshold : nonNegativeInt
Maximum document size in bytes for automatic preview.
- Example
202400
Valid values based on “int”. 0 (minInclusive)
pushDisconnectDelay : nonNegativeLong
The time in ms for the push redirector to wait between client disconnections when dropping clients due to an error connecting to the push server. Default is 50.
Valid values based on “long”. 0 (minInclusive)
pushHeartbeat : nonNegativeInt
The time in ms of the period with which heartbeats are sent from the push server to the push redirector in order to detect stale or unresponsive connections (after 3 missed heartbeats). Default is 10000 (10 s).
Valid values based on “int”. 0 (minInclusive)
pushPassword : password
The password with which the push redirector will authenticate with the push server node(s).
Specifies the password of the push user when used with the Push User property or the keystore password when used with the Push Certificate property.
Valid values based on “string”.
pushRedirectorURL : string
The URL (full path - host, port, and context path) of the push redirector.
- Example
http://localhost:port/nexj/pushRedirect
pushServerURLs : string
List of space separated push server node URLs (full path) to which the push redirector should connect.
- Example
http://app1.local:8080/nexj/push http://app2.local:8080/nexj/push
pushTimeout : nonNegativeLong
The time in ms after which the connection from client to push redirector will timeout and cause a heartbeat to be sent to the client. Default is 300000 (5 min).
Valid values based on “long”. 0 (minInclusive)
pushTrust : string
The push server SSL certificate that the push redirector should trust.
- See
- Trust property
pushType : pushType
The type of Comet to use for push notifications. If the selected type isn't supported by the client web browser, polling is used.
Valid values based on “string”.
streaming - Uses "streaming" type Comet for notifications.
long - Uses "long polling" type Comet for notifications.
none - The default push mode. Does not use the push server for notifications - periodic polling is used.
pushUser : string
The user name with which the push redirector will authenticate with the push server node(s).
readAudit
Specifies the read auditing level. Supported levels are "access", "attributes", "values", and "none" (default).
none - Disable creation of read audit logs.
access - Record the user and time a record was accessed.
attributes - Record above plus a list of attributes that were accessed.
values - Record above plus each attribute's current value.
- See
- For more information, see Configuring Audit Trails.
Valid values based on “string”. none access attributes values
rpcPrivilege : string
Privilege required for access to generic RPC protocols. If not set, the access is unrestricted and a validation warning is generated.
Generic RPC protocols are HTTP/soap, HTTP/text, HTTP/web, HTTP/xml and EJB. Generic RPC is used by all the clients except for the flat page client.
- Example
InternalManage
secureTransport : boolean
Use SSL for encrypted communication and server authentication.
sessionCookie : string
The session cookie name.
If using mod_jk the workers.properties must be updated to include the session_cookie directive. Reference: https://tomcat.apache.org/connectors-doc/reference/workers.html
sessionTimeout : nonNegativeInt
Logon session timeout in minutes (0 is unlimited). With persistent sessions, it is the period of inactivity before the session is persisted.
Valid values based on “int”. 0 (minInclusive)
soaURLRewritePattern : string
The URL rewrite pattern for outgoing SOA connections. For use together with soaURLRewriteReplacement.
Defaults to "".
E.g. ^(.*)://webserver.com/nexj(.*) to match webserver URLs going to the "nexj" cluster.
soaURLRewriteReplacement : string
The URL rewrite replacement for outgoing SOA connections. For use together with soaURLRewritePattern.
Defaults to "".
E.g. $1://localhost:8080/nexj$2 to direct requests to localhost to avoid a roundtrip to the webserver.
statPersistenceEnabled : boolean
Whether persisting of statistics is enabled.
statPersistenceTimeout : long
The amount of time in minutes that persisted statistics are kept before being deleted.
Very long timeouts may reduce the performance of the database instance hosting the "StatDatabase" database.
statSamplingInterval : long
The frequency of sampling statistics in seconds.
Higher frequencies will have a negative impact on the performance of the application.
stuckThreadThreshold : nonNegativeInt
Minimum duration in seconds after which a web request thread is considered stuck.
NexJ Model Server only. If set to 0, stuck thread detection is disabled. See org.apache.catalina.valves.StuckThreadDetectionValve.
- See
- For more information, see Detecting long running web requests.
Valid values based on “int”. 0 (minInclusive)
test : boolean
Flag set to specify if the server may be used for testing.
transactionTimeout : nonNegativeInt
The default transaction timeout in seconds, 0 for infinite timeout.
Valid values based on “int”. 0 (minInclusive)
trust : string
The X.509 certificate, or signer's certificate thereof, for the remote system.
The CN from the certificate presented by the remote system is used as the user principal for which the invocation context will be created. This allows support of multiple external systems authenticating to an HTTP channel, mapped to different users based on the certificates they present. http://en.wikipedia.org/wiki/X.509
type : serverType
Container type - Generic (Model Server) or WebSphere.
One of Generic (Model Server) or WebSphere.
Valid values based on “string”.
Generic - NexJ Application Server
NJAS (also known as TEEE). This server type is used for local execution, debugging and unit testing.
JBoss - JBoss Application Server
www.jboss.com
WebSphere - IBM WebSphere Application Server
www.ibm.com/websphere
WebSphere 7 - IBM WebSphere Application Server Version 7
www.ibm.com/websphere
WebSphere 8 - IBM WebSphere Application Server, Version 8
www.ibm.com/websphere
updateAudit : boolean
True to enable attribute triggered audit logging for create, update and delete.
Determines whether create, update, and delete actions that users perform on objects are logged, for example, changing a contact name.
user : string
Deployment administrator user name.
The ID that must be provided to the server before allowing metadata to be deployed.
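An added example (not NexJ code) that ties the template-plus-properties practice from the Description to the security-relevant properties above: it resolves `${name:default}` placeholders against a properties file, then flags effective values this page documents as weakening the server. The `<Environment>` root element with properties as attributes, the property-file keys and all sample values are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed template environment. Assumed layout: properties are attributes of
# the root element; the element name and property-file keys are hypothetical.
TEMPLATE = """<Environment
    authProtocol="${auth.protocol:basic}"
    secureTransport="${secure:false}"
    anonUser="${anon.user:}"
    anonRPC="${anon.rpc:false}"
    rpcPrivilege="${rpc.privilege:}"
    maxLoginAttempts="${login.max:0}"
    hideErrorValveReport="${hide.errors:false}"
    journalDirectory="tx${test.clone}"/>"""

# Constructed properties file for a hardened deployment.
PROD_PROPERTIES = """secure=true
rpc.privilege=InternalManage
login.max=5
hide.errors=true
"""

PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")  # ${name} or ${name:default}


def load_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def effective_settings(template_xml, properties_text):
    """Return (resolved attributes, placeholder names left unresolved)."""
    props, unresolved = load_properties(properties_text), set()

    def substitute(match):
        name, default = match.group(1), match.group(2)
        if name in props:
            return props[name]      # a value in the property file wins
        if default is not None:
            return default          # otherwise the template default applies
        unresolved.add(name)        # no value, no default: keep the placeholder
        return match.group(0)

    attrs = ET.fromstring(template_xml).attrib
    return {k: PLACEHOLDER.sub(substitute, v) for k, v in attrs.items()}, unresolved


def audit(settings):
    """Flag effective values that this page documents as weakening the server."""
    def is_true(name, default):
        return settings.get(name, default).strip().lower() == "true"

    findings = []
    if not settings.get("rpcPrivilege"):
        findings.append(("rpcPrivilege", "not set: generic RPC access is unrestricted"))
    if settings.get("anonUser") and is_true("anonRPC", "false"):
        findings.append(("anonRPC", "HTTP RPC protocols accept anonymous requests"))
    if (settings.get("secureTransport", "").lower() == "false"
            and settings.get("authProtocol") in ("basic", "form")):
        findings.append(("secureTransport", "passwords are sent without SSL"))
    if settings.get("maxLoginAttempts") == "0":
        findings.append(("maxLoginAttempts", "0 allows unlimited login attempts"))
    if is_true("httpForbiddenEnabled", "false"):
        findings.append(("httpForbiddenEnabled", "403 confirms a resource exists"))
    if not is_true("hideErrorValveReport", "false"):
        findings.append(("hideErrorValveReport", "error report reaches the client"))
    return findings


if __name__ == "__main__":
    for label, text in (("defaults only", ""), ("production", PROD_PROPERTIES)):
        settings, unresolved = effective_settings(TEMPLATE, text)
        print(label, sorted(unresolved), audit(settings))
```

Auditing the resolved values rather than the template matters because the same template passes or fails depending on which properties file is applied.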
Content
Sequence of:
Sequence of:
Sequence of:
t_Configuration_Mixins [0..1] - A collection of metadata repository references. The referenced repositories must have the "module" attribute set in their "Metadata" descriptor. In addition to the primary repository, these additional repositories will be loaded into the same server. This allows a highly-modularized application to be deployed in a compact form.
t_Configuration_PKIKeyPairs [0..1]
t_Configuration_Hosts [0..1]
t_Configuration_Notes [0..1]
See Server Connections
t_Configuration_Mixins
A collection of metadata repository references. The referenced repositories must have the "module" attribute set in their "Metadata" descriptor. In addition to the primary repository, these additional repositories will be loaded into the same server. This allows a highly-modularized application to be deployed in a compact form.