System settings
The system settings apply to all Servers in the system. The system settings are distributed on the following tabs:
General
Property | Description |
---|---|
Name | Name of the iCore system. |
Description | Brief description of the iCore system. |
System enabled | Specifies whether the iCore system is enabled or not. To enable the system, check the box. When the system is enabled at startup, all enabled process servers are started as configured. For server configuration, see Servers. If the system is disabled at startup, the enabled servers are started, but will be inactive regardless of their individual configuration. |
Enable cascade delete | Allows for "cascade deletion" of definitions and configurations that may be referenced by tracking entities. Default setting: False. See also Remarks below. |
Collation | Collation to be used when sorting entity filter results. See also Remarks below. |
System time zone | Sets the time zone of dates and times in the iCore system. For more information, see Working with dates and times. |
Remarks
See also: Clean-up tracking Workflow activity
Enable cascade delete
important
Do not enable cascade delete in a production system. Only use this feature in a system dedicated to development.
This option makes it possible, for example, to delete a Component definition that is used by one or more Component Configurations from which Jobs have been created. When the Component definition is deleted, the Component configurations and the tracking entities generated during execution are automatically deleted.
General rules for cascade delete:
- Nodes with the Retain property set to True will not be deleted.
- For tracking data to be deleted, it must be in a "non-executing" state, which means that:
  - Events must have state New, Completed or Delayed (all states)
  - Jobs must have state Succeeded, Dispatch pending, Lost, Failed or Unknown.
- Cascade delete will consider the whole "Event-Job tree": if any tracking entity in the tree does not fulfill the conditions above, nothing will be deleted.
Deleting a | Results in |
---|---|
Event type | - All Event configurations using the Event definition are deleted. - All Events of the specified Event type are deleted, including the sub-tree of tracking entities for those Events. |
Event configuration | All Jobs referring to the Event configuration are deleted, including the sub-tree of tracking entities of those Jobs. |
Component definition | - All Component configurations using the Component definition are deleted. - All Jobs referring to the deleted Component definition are deleted including the sub-tree of tracking entities for those Jobs. |
Component configuration | - All Event configurations are deleted. - All Jobs referring to the deleted Component configuration are deleted including the sub-tree of tracking entities for those Jobs. |
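The rules above are easiest to reason about as a check over the whole Event-Job tree. The following Python is an added example, not iCore's own code: it models a tree of tracking entities with a hypothetical TrackingEntity class, applies the "non-executing" state lists from the page, and returns either the full list of entities that would be deleted or the entities that block the delete. It assumes that Nodes carry no execution state and that a Node with Retain set to True is simply kept while the rest of the tree is removed; the sample trees are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# States the page lists as "non-executing" for each kind of tracking entity.
NON_EXECUTING_EVENT_STATES = {"New", "Completed", "Delayed"}
NON_EXECUTING_JOB_STATES = {"Succeeded", "Dispatch pending", "Lost", "Failed", "Unknown"}


@dataclass
class TrackingEntity:
    """One node of an Event-Job tree (hypothetical model, not iCore's own classes)."""
    kind: str                        # "Event", "Job" or "Node"
    name: str
    state: str = ""                  # assumption: Nodes carry no execution state
    retain: bool = False             # the Retain property, meaningful on Nodes
    children: List["TrackingEntity"] = field(default_factory=list)


def walk(root: TrackingEntity) -> Iterator[TrackingEntity]:
    """Depth-first traversal of the whole tree rooted at `root`."""
    yield root
    for child in root.children:
        yield from walk(child)


def is_non_executing(entity: TrackingEntity) -> bool:
    """True when the entity is in a state the page allows cascade delete to remove."""
    if entity.kind == "Event":
        return entity.state in NON_EXECUTING_EVENT_STATES
    if entity.kind == "Job":
        return entity.state in NON_EXECUTING_JOB_STATES
    if entity.kind == "Node":
        return True  # assumption: Nodes are data and never "executing"
    raise ValueError(f"unknown entity kind: {entity.kind!r}")


def plan_cascade_delete(root: TrackingEntity) -> Tuple[bool, List[str], List[str]]:
    """Decide what a cascade delete of the tree rooted at `root` would do.

    Returns (allowed, to_delete, blocking). If any entity in the tree is still
    executing, nothing is deleted and `blocking` names the offenders; otherwise
    every entity except Nodes with Retain=True is listed in `to_delete`.
    """
    entities = list(walk(root))
    blocking = [e.name for e in entities if not is_non_executing(e)]
    if blocking:
        return False, [], blocking
    to_delete = [e.name for e in entities if not (e.kind == "Node" and e.retain)]
    return True, to_delete, []


def sample_deletable_tree() -> TrackingEntity:
    """Constructed sample: a completed Event whose Job produced two Nodes."""
    return TrackingEntity("Event", "evt-1", "Completed", children=[
        TrackingEntity("Job", "job-1", "Succeeded", children=[
            TrackingEntity("Node", "node-keep", retain=True),
            TrackingEntity("Node", "node-drop"),
        ]),
    ])


def sample_blocked_tree() -> TrackingEntity:
    """Constructed sample: the same tree plus a Job that is still executing."""
    tree = sample_deletable_tree()
    tree.children.append(TrackingEntity("Job", "job-2", "Executing"))
    return tree


if __name__ == "__main__":
    for tree in (sample_deletable_tree(), sample_blocked_tree()):
        allowed, to_delete, blocking = plan_cascade_delete(tree)
        print(f"{tree.name}: allowed={allowed} delete={to_delete} blocking={blocking}")
```

Running the block shows the two outcomes side by side: the first tree deletes the Event, the Job and the non-retained Node, while the second tree is left untouched because one Job is still executing.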
Collation
Options are:
- Finnish_Swedish_CS_AS: Sorts results in accordance with the Swedish/Finnish alphabet.
- SQL_Latin1_General_CP1_CI_AS (default in SQL server): Sorts results in accordance with the Latin alphabet.
The Collation value can be filled in as free text or selected from the drop-down list. The entered value is checked and verified. If the field is left empty, the default value will be used. Default value is the collation of the database.
Security
Data protection
note
Before you make any changes to the data protection settings, read and take all required actions described in Data protection.
Property | Description |
---|---|
Mode | The mode of protection the system uses to protect sensitive data. The following options are available: |
User password policy
See also User security.
Property | Description |
---|---|
Enforce password history | Specifies the number of password changes required before a password can be re-used. |
Maximum password age | Specifies number of days that a password can be used before it must be changed. |
Minimum password length | Specifies the minimum length (in characters) of a password. |
Complexity requirements | |
System Queues
Property | Description |
---|---|
Job Manager result nack queue | A system global MSMQ queue, used when messages are sent to the system. See also Creating a new system. Example: DIRECT=OS:DbServer\private$\EMgrRepNack46, where 'DIRECT=OS:' is fixed information, 'DbServer' is the name of the server where the queue is located, '\private$' indicates that the queue is private, and '\EMgrRepNack46' is the name of the queue. |
New events nack queue | A system global MSMQ queue, used when messages are sent to the system. See also Creating a new system. Example: DIRECT=OS:DbServer\private$\NewEventsNack46. See the explanation above. |
Express events queue | A system global queue for express Events. Example: DIRECT=OS:DbServer\private$\ExpressEventsQueue46. See the explanation above. |
Job Manager result nack queue
If the queue is to be public, in a cluster, there is no \private$ and the MSMQ queue would be described as
DIRECT=OS:DbServer\EMgrRepNack46
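The DIRECT=OS address format described above is simple enough to validate before a system is started, which avoids discovering a mistyped queue name at runtime. The following Python is an added example, not part of iCore: it parses both the private (with \private$) and public (without) forms into their server and queue name, renders them back, and runs a few sanity checks over the three System Queues settings (every value parses, queue names are distinct, all queues sit on the same host). The sample settings reuse the queue names from the page; the check function and its rules are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Format string from the page:  DIRECT=OS:<server>\private$\<queue>  (private)
# or  DIRECT=OS:<server>\<queue>  (public). Server and queue name may not
# contain backslashes; the private$ marker is matched case-insensitively.
_QUEUE_RE = re.compile(
    r"^DIRECT=OS:(?P<server>[^\\/:]+)\\(?:(?P<private>private\$)\\)?(?P<name>[^\\/]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class QueueAddress:
    server: str
    name: str
    private: bool

    def format(self) -> str:
        """Render the address back into the DIRECT=OS form the settings expect."""
        sep = "\\private$\\" if self.private else "\\"
        return f"DIRECT=OS:{self.server}{sep}{self.name}"


def parse_queue_address(text: str) -> QueueAddress:
    """Parse one DIRECT=OS address; raise ValueError on anything else."""
    match = _QUEUE_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a DIRECT=OS MSMQ address: {text!r}")
    return QueueAddress(
        server=match["server"],
        name=match["name"],
        private=match["private"] is not None,
    )


def check_system_queues(settings: Dict[str, str]) -> List[str]:
    """Sanity checks over the System Queues settings (this example's own rules):
    every value must parse, queue names must be distinct, and all queues should
    be located on the same host. Returns a list of human-readable problems."""
    problems: List[str] = []
    parsed: Dict[str, QueueAddress] = {}
    for key, value in settings.items():
        try:
            parsed[key] = parse_queue_address(value)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    names = [q.name.lower() for q in parsed.values()]
    if len(set(names)) != len(names):
        problems.append("queue names are not distinct")
    servers = sorted({q.server.lower() for q in parsed.values()})
    if len(servers) > 1:
        problems.append(f"queues are spread over several hosts: {servers}")
    return problems


# Constructed sample using the example queue names from the page.
SAMPLE_QUEUES = {
    "Job Manager result nack queue": r"DIRECT=OS:DbServer\private$\EMgrRepNack46",
    "New events nack queue": r"DIRECT=OS:DbServer\private$\NewEventsNack46",
    "Express events queue": r"DIRECT=OS:DbServer\private$\ExpressEventsQueue46",
}


if __name__ == "__main__":
    for key, value in SAMPLE_QUEUES.items():
        print(f"{key}: {parse_queue_address(value)}")
    print("problems:", check_system_queues(SAMPLE_QUEUES) or "none")
```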
Directories
Property | Description |
---|---|
Node directory | The directory where the iCore system will store the raw data of the Nodes. For a single server (non-clustered) system this can be a local path to an existing directory. Note that the user the service is running as must have full access to this directory. For a clustered system, this must be a UNC path to a network share to which all servers have full access. |
Compilation work directory | A directory used to store intermediate and temporary files during compilation of entities. By default, this directory is created in the current User's application data directory (%APPDATA%\iCore Solutions\iCPS\Systems\<system id>\Compile). The directory is created automatically and does not have to be manually created before compiling an entity. |
Compilation work directory
In iCIS v2.xx, this directory needed to be accessible from all servers. So if you have just upgraded from v2.xx, this directory may point to another location (such as a shared network drive).
Service Options
Property | Description |
---|---|
Auto-Failback | Specifies whether a Server automatically takes over a Server part in a clustered system, if the Server monitor detects that the Server part is currently running on a lower priority Server. For new iCore systems, the default setting for this option is 'False'. This means that if a Server part fail-over has occurred, and the original Server comes back online, the Server part will keep running on its new Server. Note that the Server part can still be moved back manually, or if the new Server fails, the Server part will of course fail over to its original Server. For more information about Server part fail-over, see Fail-over management. |
Express events ratio | The ratio that the Event Manager will follow when selecting between Express Events and ordinary Events if there are several Events in the queue. The ratio is set to prevent a large number of express Events from completely blocking the processing of ordinary Events. Example: If the ratio is 3 (default), the Event Manager will process three express Events before it searches the queue for the next ordinary Event. |
Inter-server comm. port | Specifies the default port used for UDP (User Datagram Protocol) communication between servers in a clustered system. |
Inter-server comm. port
If you have multiple iCore systems running on the same machine and listening on the same network interface (IP address), you need to specify different ports for each system. This can also be achieved by setting the Port property on the individual Servers which will override the inter-server communication port setting of the system.
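To make the effect of the Express events ratio concrete, the following Python is an added example, not the Event Manager's own scheduler: it models the selection order as "take up to `ratio` express Events, then one ordinary Event, and repeat", which is this example's reading of the page's description, and measures how many express Events are processed between consecutive ordinary Events. The queues are constructed sample data.

```python
from collections import deque
from typing import List


def interleave_events(express: List[str], ordinary: List[str], ratio: int = 3) -> List[str]:
    """Model of the Event Manager's selection order (assumption: up to `ratio`
    express Events are processed, then the next ordinary Event, and so on).
    Whichever queue runs dry first, the other keeps draining."""
    if ratio < 1:
        raise ValueError("ratio must be at least 1")
    express_q, ordinary_q = deque(express), deque(ordinary)
    order: List[str] = []
    while express_q or ordinary_q:
        for _ in range(ratio):          # take up to `ratio` express Events
            if not express_q:
                break
            order.append(express_q.popleft())
        if ordinary_q:                  # then look for the next ordinary Event
            order.append(ordinary_q.popleft())
    return order


def express_between_ordinary(order: List[str], ordinary: List[str]) -> List[int]:
    """For each ordinary Event in `order`, the number of express Events processed
    since the previous ordinary Event (or since the start). With the model above
    this never exceeds the ratio, which is the starvation bound the setting buys."""
    ordinary_set = set(ordinary)
    gaps: List[int] = []
    run = 0
    for name in order:
        if name in ordinary_set:
            gaps.append(run)
            run = 0
        else:
            run += 1
    return gaps


# Constructed sample queues: seven express Events and three ordinary ones.
EXPRESS = [f"E{i}" for i in range(1, 8)]
ORDINARY = ["O1", "O2", "O3"]


if __name__ == "__main__":
    for ratio in (3, 1):
        order = interleave_events(EXPRESS, ORDINARY, ratio=ratio)
        print(f"ratio={ratio}: {' '.join(order)}")
        print("  express Events before each ordinary Event:",
              express_between_ordinary(order, ORDINARY))
```

With the default ratio of 3 the sample produces E1 E2 E3 O1 E4 E5 E6 O2 E7 O3, so no ordinary Event waits behind more than three express Events; with a ratio of 1 the two kinds simply alternate.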
Application Pool Restart Inconsistency Detection Options
Property | Description |
---|---|
Policy | Specifies how a Server acts when it detects that other Servers in a multi-server system are running a newer assembly generation than itself. This typically occurs if a Restart Application Pool request was not correctly received by a Server in a clustered system. The following options are available: |
Grace Period | Specifies the amount of time that will pass before the action specified in the Policy field is taken. |
Error Report Interval | Specifies the interval between error reports if "Write error log" has been selected as Policy. |
Auditing
note
For changes in the Auditing configuration to take effect, you need to restart the iCore system, log out any Users, and log back in again.
Property | Description |
---|---|
Enabled | Specifies whether auditing is enabled or not. |
Days to keep entries | The number of days to keep entries in the audit log. |
Changed property value max length | Defines the maximum length (in characters) of a changed property value included on an audit log entry. A value of 0 means that the full value is included on the entry. |
Enabled System actions | Specifies what system and server actions are recorded in the audit log (see also Auditing). |
Enabled Entity actions | Specifies what entity actions are recorded in the audit log (see also Auditing). |
Authentication provider configuration
note
A provider configured for authentication with OIDC must support endpoint discovery.
note
For more information about configuring user authentication, see User authentication.
Property | Description |
---|---|
OIDC authentication provider enabled | Specifies whether the configured OIDC authentication provider is enabled. |
Application name | The name of the application where authentication is performed. This name does not necessarily have to be identical with the name at the provider's, but should be something that makes it easy to identify the application at the OIDC provider. |
Authority display name | The name of the authority. This name may appear in logs and does not necessarily have to be identical with a name at the provider's, but should be something that easily identifies the OIDC provider. |
Authority | The URI of the authority (issuer). This property is required. |
Client Id | The identifier for the application using the provider. This property is required. |
Client secret | The application secret used by confidential clients during token exchange. |
Device code endpoint | The device code endpoint is used to initiate device code authentication. Only required if device code flow is to be used in PowerShell. |
Device token endpoint | The device token endpoint is used to request tokens in a device authentication flow. |
Username claim | A claim that can be retrieved from the OIDC provider's user info endpoint. The claim is used to connect an authenticated user to an iCore User via its username, and is done the first time a user logs in to the iCore system. This property is required. |
Require access token hash | Specifies whether an a_hash in the ID token is required. Default value is False. |
Validate endpoints | Specifies whether endpoints are validated as belonging to the specified authority. Default value is False. |
Validate Issuer name | Specifies whether the identity token issuer name must match the authority. Default value is False. |
Require Authorization code hash | Specifies whether a c_hash in the ID token is required. Default value is False. |
Require identity token on refresh token response | Specifies whether an identity token is required on refresh token responses. Default value is False. |
Require identity token signature | Specifies whether only signed ID tokens are accepted. Default value is False. |
Require https | Specifies whether HTTPS is enforced on all endpoints. Default value is False. |
Require key set | Specifies whether a key set is required. Default value is False. |
Scopes | The additional scope(s) that may be required to retrieve claims from the OP during authentication. |
Identification claims | The identification claim(s) that the client (iCore) expects to receive from the OP to match an authenticated OP user with an iCore User. Each claim is defined as the name of the claim and its source. The claim source specifies if the claim is found in the identity token or retrieved from the user information endpoint. Identification claims are optional. If not specified, the subject claim from the identity token is used. |
Device token endpoint
This field is only required if token endpoint is used for token exchange in device code flow.
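Every validation switch in the table above defaults to False, so a provider configuration that is merely filled in with the required values accepts tokens with very little checking. The following Python is an added example, not part of iCore or of any OIDC library: it is a small lint over a dictionary keyed by the property names from the page, reporting the switches a practitioner would expect to be True in production and an Authority that is not an https:// URI. The two configurations are constructed samples with placeholder issuer and client values; the severities and risk descriptions are this example's own reading of what each switch controls.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: every switch left at the default the page documents (False)
# and a plain-HTTP issuer. Issuer and client values are placeholders.
WEAK_CONFIG: Dict[str, Any] = {
    "OIDC authentication provider enabled": True,
    "Authority": "http://login.example.invalid/",
    "Client Id": "placeholder-client-id",
    "Client secret": "placeholder-client-secret",
    "Username claim": "preferred_username",
    "Require https": False,
    "Validate endpoints": False,
    "Validate Issuer name": False,
    "Require identity token signature": False,
    "Require key set": False,
    "Require access token hash": False,
    "Require Authorization code hash": False,
    "Require identity token on refresh token response": False,
}

# The same provider with an HTTPS issuer and every validation switch turned on.
HARDENED_CONFIG: Dict[str, Any] = {
    **WEAK_CONFIG,
    "Authority": "https://login.example.invalid/",
    "Require https": True,
    "Validate endpoints": True,
    "Validate Issuer name": True,
    "Require identity token signature": True,
    "Require key set": True,
    "Require access token hash": True,
    "Require Authorization code hash": True,
    "Require identity token on refresh token response": True,
}

REQUIRED_PROPERTIES = ("Authority", "Client Id", "Username claim")

# Switches that should be True in production, with the risk of leaving the default.
HIGH_RISK_SWITCHES = {
    "Require https": "endpoints may be used over plain HTTP, exposing codes, tokens and the client secret in transit",
    "Require identity token signature": "unsigned ID tokens are accepted, so the token's origin is not proven",
    "Require key set": "no signing key set is required, so signatures cannot be checked against the authority's keys",
    "Validate Issuer name": "ID tokens whose issuer differs from the configured authority are accepted",
    "Validate endpoints": "discovered endpoints are not checked to belong to the authority",
}
ADVISORY_SWITCHES = {
    "Require access token hash": "the hash binding between ID token and access token is not enforced",
    "Require Authorization code hash": "the c_hash binding between ID token and authorization code is not enforced",
    "Require identity token on refresh token response": "refreshed sessions are not re-bound to an identity token",
}


def lint_oidc_config(cfg: Dict[str, Any]) -> List[Finding]:
    """Report weak or incomplete settings; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    if not cfg.get("OIDC authentication provider enabled", False):
        return findings  # nothing to check while the provider is disabled
    for prop in REQUIRED_PROPERTIES:
        if not str(cfg.get(prop, "")).strip():
            findings.append(("error", f"{prop} is required but empty"))
    authority = str(cfg.get("Authority", ""))
    if authority and not authority.lower().startswith("https://"):
        findings.append(("high", "Authority is not an https:// URI"))
    for prop, risk in HIGH_RISK_SWITCHES.items():
        if not cfg.get(prop, False):
            findings.append(("high", f"{prop} is False: {risk}"))
    for prop, risk in ADVISORY_SWITCHES.items():
        if not cfg.get(prop, False):
            findings.append(("advisory", f"{prop} is False: {risk}"))
    if cfg.get("Client secret") and not cfg.get("Require https", False):
        findings.append(("high", "a Client secret is configured but Require https is False"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for severity, message in lint_oidc_config(cfg) or [("ok", "nothing flagged")]:
            print(f"  [{severity}] {message}")
```

The lint is deliberately keyed by the property names used on this page so that it can be run against an exported copy of the settings; the hardened sample reports nothing, while the default-valued sample reports seven high findings and three advisory ones.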
Authorization provider configuration
note
For more information about configuring Azure AD user authorization, see Authorization with Azure AD.
Property | Description |
---|---|
Authorization provider enabled | Specifies whether the configured authorization provider is enabled. |
Tenant Id | The unique identifier of the tenant where the Azure AD belongs. |
Client Id | The client ID is the unique application (client) ID assigned to your app by Azure AD when the app was registered. |
Client secret | The application secret used by confidential clients during token exchange. |
Scopes | The additional scopes that the client allows the authority to use during authentication; these may be required to retrieve claims from the OP. |
Identification claims | List of identification claims which the client expects to receive from the Azure AD authority. Each claim is defined as the name of the claim and its source. Identification claims are optional. If not specified, the subject claim from the identity token is used. |
See Also
Administrator
Editing system settings
Configuring a system
Technical architecture & Runtime
Servers and Server parts
Data protection
User security
Auditing
User authentication