System settings
The system settings apply to all Servers in the system. The system settings are distributed on the following tabs:
General
Property | Description |
---|---|
Name | Name of the iCore system. |
Description | Brief description of the iCore system. |
Enable cascade delete | Allows "cascade deletion" of definitions and configurations that may be referenced by tracking entities. Default setting: False. See also Remarks below. |
Collation | Collation to be used when sorting entity filter results. See also Remarks below. |
System time zone | Sets the time zone of dates and times in the iCore system. For more information, see Working with dates and times. |
Remarks
See also: Clean-up tracking Workflow activity
Enable cascade delete
Do not enable cascade delete in a production system. Only use this feature in a system dedicated to development.
This option makes it possible, for example, to delete a Component definition that is used by one or more Component Configurations from which Jobs have been created. When the Component definition is deleted, the Component configurations and the tracking entities generated during execution are automatically deleted.
General rules for cascade delete:
- Nodes with the Retain property set to True will not be deleted.
- For tracking data to be deleted, it must be in a "non-executing" state, which means that:
  - Events must have state New, Completed or Delayed (all states)
  - Jobs must have state Succeeded, Dispatch pending, Lost, Failed or Unknown.
- Cascade delete considers the whole "Event-Job tree": if any tracking entity in the tree does not fulfill the conditions above, nothing is deleted.
Deleting a | Results in |
---|---|
Event type | - All Event configurations using the Event definition are deleted. - All Events of the specified Event type are deleted, including the sub-tree of tracking entities for those Events. |
Event configuration | All Jobs referring to the Event configuration are deleted, including the sub-tree of tracking entities of those Jobs. |
Component definition | - All Component configurations using the Component definition are deleted. - All Jobs referring to the deleted Component definition are deleted including the sub-tree of tracking entities for those Jobs. |
Component configuration | - All Event configurations are deleted. - All Jobs referring to the deleted Component configuration are deleted including the sub-tree of tracking entities for those Jobs. |
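The rules above are all-or-nothing over the Event-Job tree, which is easy to get wrong when reasoning about what a cascade delete will actually remove. The following is an added example (not iCore's own code) that models those rules on a constructed tree: the entity names, the tree shape and the "Executing" state used to block the delete are illustrative; the assumption that a Retain=True node is kept while its descendants are still evaluated is mine, as the text does not say what happens to the subtree of a retained node.

```python
"""Model of the cascade-delete eligibility rules described above (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# "Non-executing" states, as listed in the cascade delete rules.
NON_EXECUTING_EVENT_STATES = {"New", "Completed", "Delayed"}
NON_EXECUTING_JOB_STATES = {"Succeeded", "Dispatch pending", "Lost", "Failed", "Unknown"}


@dataclass
class Entity:
    kind: str                      # "Event" or "Job"
    name: str
    state: str
    retain: bool = False           # the Retain property: True => never deleted (assumption: subtree still evaluated)
    children: List["Entity"] = field(default_factory=list)


def _walk(root: Entity):
    """Depth-first traversal of the Event-Job tree."""
    yield root
    for child in root.children:
        yield from _walk(child)


def blocking_entity(tree: Entity) -> Optional[Entity]:
    """Return the first entity that is still executing and therefore blocks the
    whole cascade delete, or None if every entity is in a non-executing state."""
    for entity in _walk(tree):
        allowed = NON_EXECUTING_EVENT_STATES if entity.kind == "Event" else NON_EXECUTING_JOB_STATES
        if entity.state not in allowed:
            return entity
    return None


def cascade_delete(tree: Entity) -> List[str]:
    """Names of the entities a cascade delete would remove.

    Empty list if any entity in the tree is executing (nothing is deleted);
    entities with Retain=True are always kept."""
    if blocking_entity(tree) is not None:
        return []
    return [entity.name for entity in _walk(tree) if not entity.retain]


def sample_tree(job_state: str = "Succeeded") -> Entity:
    """Constructed Event-Job tree: one Event, one Job, two child Events."""
    return Entity("Event", "evt-1", "Completed", children=[
        Entity("Job", "job-1", job_state, children=[
            Entity("Event", "evt-2", "New", retain=True),   # retained, survives the delete
            Entity("Event", "evt-3", "Delayed"),
        ]),
    ])


if __name__ == "__main__":
    print("deletable:", cascade_delete(sample_tree()))
    # "Executing" is a constructed state that is not in the non-executing list.
    print("blocked by:", blocking_entity(sample_tree("Executing")).name)
```

Running `cascade_delete` on a tree before deleting a definition in a development system shows exactly which tracking entities will disappear; in the blocked case `blocking_entity` names the entity that has to finish first.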
Collation
Options are:
- Finnish_Swedish_CS_AS: sorts results in accordance with the Swedish/Finnish alphabet.
- SQL_Latin1_General_CP1_CI_AS (default in SQL Server): sorts results in accordance with the Latin alphabet.
The Collation value can be entered as free text or selected from the drop-down list. The entered value is checked and verified. If the field is left empty, the default value is used, which is the collation of the database.
Security
Data protection
Before you make any changes to the data protection settings, read and take all required actions described in Data protection.
Property | Description |
---|---|
Mode | The mode of protection the system uses to protect sensitive data. The following options are available: |
User password policy
See also User security.
Property | Description |
---|---|
Enforce password history | Specifies the number of password changes required before a password can be re-used. |
Maximum password age | Specifies number of days that a password can be used before it must be changed. |
Minimum password length | Specifies the minimum length (in characters) of a password. |
Complexity requirements | |
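As an added example (not iCore's own code, and not how iCore stores passwords), the three numeric settings above can be enforced as follows. The policy values are constructed; the complexity requirements are not reproduced because the table does not specify them. Password history is kept as salted PBKDF2 digests so that old passwords are not stored in clear.

```python
"""Enforcing the user password policy settings above (added example)."""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed policy values, keyed by the property names of the settings table.
POLICY: Dict[str, int] = {
    "Enforce password history": 3,    # changes before a password may be re-used
    "Maximum password age": 90,       # days
    "Minimum password length": 12,    # characters
}

HistoryEntry = Tuple[bytes, bytes]    # (salt, PBKDF2 digest)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(history: List[HistoryEntry], password: str) -> None:
    """Append the new password to the history as a salted digest."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))


def password_expired(last_changed: date, today: date, policy: Dict[str, int] = POLICY) -> bool:
    """True once the password is older than "Maximum password age" days."""
    return today - last_changed > timedelta(days=policy["Maximum password age"])


def validate_new_password(candidate: str, history: List[HistoryEntry],
                          policy: Dict[str, int] = POLICY) -> List[str]:
    """Return the policy violations of a candidate password (empty list = accepted)."""
    problems: List[str] = []
    if len(candidate) < policy["Minimum password length"]:
        problems.append("shorter than Minimum password length (%d)" % policy["Minimum password length"])
    remembered = policy["Enforce password history"]
    # Only the last N passwords count; compare in constant time against each stored digest.
    for salt, digest in (history[-remembered:] if remembered else []):
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("re-used within the last %d password changes" % remembered)
            break
    return problems


if __name__ == "__main__":
    history: List[HistoryEntry] = []
    for pw in ("first-password-01", "second-password-02", "third-password-03", "fourth-password-04"):
        record_password(history, pw)
    print(validate_new_password("fourth-password-04", history))   # re-use, rejected
    print(validate_new_password("first-password-01", history))    # older than the 3 remembered, accepted
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))    # 91 days > 90
```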
System Queues
Property | Description |
---|---|
Job Manager result nack queue | A system global MSMQ queue, used when messages are sent to the system. See also Creating a new system. Example: DIRECT=OS:DbServer\private$\EMgrRepNack46, where 'DIRECT=OS:' is fixed, 'DbServer' is the name of the server where the queue is located, '\private$' indicates that the queue is private, and '\EMgrRepNack46' is the name of the queue. |
New events nack queue | A system global MSMQ queue, used when messages are sent to the system. See also Creating a new system. Example: DIRECT=OS:DbServer\private$\NewEventsNack46. See explanation above. |
Express events queue | A system global queue for express Events. Example: DIRECT=OS:DbServer\private$\ExpressEventsQueue46 for explanation, see above. |
If the queue is to be public, as in a cluster, there is no \private$ part and the MSMQ queue is described as DIRECT=OS:DbServer\EMgrRepNack46.
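The queue strings above follow one small grammar (DIRECT=OS:, host, optional \private$, queue name), and a typo in a system setting is easier to catch if the string is parsed before it is saved. The following is an added example, not iCore's own code: a parser and builder for exactly the form shown in the table, using the page's sample names.

```python
"""Parsing and building MSMQ DIRECT=OS: format names (added example)."""
import re
from dataclasses import dataclass

# DIRECT=OS:<host>[\private$]\<queue>  -- the form shown in the System Queues table.
_FORMAT_NAME = re.compile(
    r"^DIRECT=OS:(?P<host>[^\\]+)(?P<private>\\private\$)?\\(?P<queue>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class QueueAddress:
    host: str       # server where the queue is located
    queue: str      # queue name
    private: bool   # True when the \private$ segment is present


def parse_queue_format_name(value: str) -> QueueAddress:
    """Split a DIRECT=OS: format name into its parts; raise ValueError if malformed."""
    match = _FORMAT_NAME.match(value.strip())
    if match is None:
        raise ValueError("not a DIRECT=OS: MSMQ format name: %r" % value)
    return QueueAddress(
        host=match.group("host"),
        queue=match.group("queue"),
        private=match.group("private") is not None,
    )


def build_queue_format_name(host: str, queue: str, private: bool = True) -> str:
    """Inverse of parse_queue_format_name; rejects names containing backslashes."""
    for part in (host, queue):
        if not part or "\\" in part:
            raise ValueError("host and queue must be non-empty and contain no backslash: %r" % part)
    middle = "\\private$\\" if private else "\\"
    return "DIRECT=OS:" + host + middle + queue


if __name__ == "__main__":
    for name in (r"DIRECT=OS:DbServer\private$\EMgrRepNack46", r"DIRECT=OS:DbServer\EMgrRepNack46"):
        print(parse_queue_format_name(name))
```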
Directories
Property | Description |
---|---|
Node directory | The directory where the iCore system stores the raw data of the Nodes. For a single server (non-clustered) system this can be a local path to an existing directory. Note that the user the service runs as must have full access to this directory. For a clustered system, this must be a UNC path to a network share to which all servers have full access. |
Compilation work directory | A directory used to store intermediate and temporary files during compilation of entities. By default, this directory is created in the current User's application data directory (%APPDATA%\iCore Solutions\iCPS\Systems\<system id>\Compile). The directory is created automatically and does not have to be manually created before compiling an entity. |
In iCIS v2.xx, this directory needed to be accessible from all servers. So if you have just upgraded from v2.xx, this directory may point to another location (such as a shared network drive).
Service Options
Property | Description |
---|---|
Auto-Failback | Specifies whether a Server automatically takes over a Server part in a clustered system, if the Server monitor detects that the Server part is currently running on a lower priority Server. For new iCore systems, the default setting for this option is 'False'. This means that if a Server part fail-over has occurred, and the original Server comes back online, the Server part will keep running on its new Server. Note that the Server part can still be moved back manually, or if the new Server fails, the Server part will of course fail over to its original Server. For more information about Server part fail-over, see Fail-over management. |
Express events ratio | The ratio that the Event Manager follows when choosing between express Events and ordinary Events if there are several Events in the queue. The ratio prevents a large number of express Events from completely blocking the processing of ordinary Events. Example: if the ratio is 3 (default), the Event Manager processes three express Events before it searches the queue for the next ordinary Event. |
Inter-server comm. port | Specifies the default port used for UDP (User Datagram Protocol) communication between servers in a clustered system. |
If you have multiple iCore systems running on the same machine and listening on the same network interface (IP address), you need to specify different ports for each system. This can also be achieved by setting the Port property on the individual Servers which will override the inter-server communication port setting of the system.
Application Pool Restart Inconsistency Detection Options
Property | Description |
---|---|
Policy | Specifies how a Server acts when it detects that other Servers in a multi-server system are running a newer assembly generation than itself. This typically occurs if a Restart Application Pool request was not correctly received by a Server in a clustered system. The following options are available: |
Grace Period | Specifies the amount of time that will pass before the action specified in the Policy field is taken. |
Error Report Interval | Specifies the interval between error reports if "Write error log" has been selected as Policy. |
Auditing
For changes in the Auditing configuration to take effect, you need to restart the iCore system, log out any Users, and log back in again.
Property | Description |
---|---|
Enabled | Specifies whether auditing is enabled or not. |
Days to keep entries | The number of days to keep entries in the audit log. |
Changed property value max length | Defines the maximum length (in characters) of a changed property value included in an audit log entry. A value of 0 means that the full value is included in the entry. |
Enabled System actions | Specifies what system and server actions are recorded in the audit log (see also Auditing). |
Enabled Entity actions | Specifies what entity actions are recorded in the audit log (see also Auditing). |
Authentication provider configuration
A provider configured for authentication with OIDC must support endpoint discovery.
For more information on how to collect the necessary information and configure user authentication, see User authentication.
Property | Description |
---|---|
OIDC authentication provider enabled | Specifies whether the configured OIDC authentication provider is enabled. |
Application name | The name of the application where authentication is performed. This name does not have to be identical to the name registered at the provider, but it should make the application easy to identify at the OIDC provider. |
Authority display name | Only used for display purposes by iCore. |
Authority | The URI of the authority (issuer). This property is required. |
Client Id | The identifier for the application using the provider. This property is required. |
Client secret | The application secret used by confidential clients during token exchange. |
Device code endpoint | The device code endpoint is used to initiate device code authentication. It is only required if device code flow is to be used in PowerShell. For internal use only. |
Device token endpoint | The device token endpoint is used to request tokens in a device authentication flow. This field is only required if token endpoint is used for token exchange in device code flow. At the time of writing, it is only used internally and should be left empty in the configuration. |
Username claim | A claim that can be retrieved from the OIDC provider's user info endpoint. The value of this claim is used to identify the iCore User via its username the first time the user logs in to the iCore system. Upon subsequent logins, the user is identified by the claim(s) specified in the Identification claims property. This property is required. |
Require access token hash | Specifies whether an access token hash (at_hash) is required in the ID token. If set to True and the provider does not include an at_hash in the identity token when the user authenticates, an error is generated and the user is denied access. The OpenID Connect standard does not require an access token hash to be present in the ID token when used together with the authorization code flow, so there is no guarantee that all OpenID Connect certified providers include one. Check the list of supported claims in the discovery document from your OIDC authentication provider to see whether at_hash is among them. Default value is False. |
Validate endpoints | Specifies whether the endpoints are validated to belong to the specified authority. Default value is False. |
Validate Issuer name | Specifies whether the identity token issuer name must match the authority. Default value is False. |
Require Authorization code hash | Specifies whether an authorization code hash (c_hash) is required in the ID token. If set to True and the provider does not include a c_hash in the identity token when the user authenticates, an error is generated and the user is denied access. Check the list of supported claims in the discovery document from your OIDC authentication provider to see whether c_hash is among them; this indicates whether the claim is included in the token response. Default value is False. |
Require identity token on refresh token response | Specifies whether an identity token is required on refresh token responses or not. Default value is False. |
Require identity token signature | Specifies if only signed ID tokens are accepted. Default value is False. |
Require https | Specifies if HTTPS is enforced on all endpoints or not. Default value is False. |
Require key set | Specifies whether a JSON web key set is required from the OIDC authentication provider. Default value is False. |
Scopes | The scope(s) that may be required to retrieve claims from the OIDC provider during authentication. The scope openid is required. |
Identification claims | The identification claim(s) that the client (iCore) expects to receive from the OIDC provider to match an authenticated user with an iCore User. Each claim is defined as the name of the claim and its source. The claim source specifies if the claim is found in the identity token or retrieved from the user information endpoint. If you do not want to use Identification claims, add the subject claim (sub) from the identity token here. |
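Several of the settings above default to False and, if switched on, fail logins when the provider's discovery document does not support them (at_hash, c_hash, the key set), while leaving them off keeps token validation weaker than it could be. The following is an added example, not iCore's own code, that checks a settings object (keyed by the property names in the table) against a constructed discovery document and reports hard errors separately from hardening notes. The provider URLs, claims and the two settings objects are constructed for illustration.

```python
"""Checking OIDC authentication provider settings against a discovery document (added example)."""
from typing import Any, Dict, List
from urllib.parse import urlparse

# Constructed sample of a provider's .well-known/openid-configuration document.
DISCOVERY: Dict[str, Any] = {
    "issuer": "https://login.example.test/oidc",
    "authorization_endpoint": "https://login.example.test/oidc/authorize",
    "token_endpoint": "https://login.example.test/oidc/token",
    "userinfo_endpoint": "https://login.example.test/oidc/userinfo",
    "jwks_uri": "https://login.example.test/oidc/keys",
    "claims_supported": ["sub", "email", "preferred_username", "at_hash"],   # note: no c_hash
}

# Constructed settings: mostly defaults, c_hash required although the provider lacks it.
WEAK_SETTINGS: Dict[str, Any] = {
    "Authority": "https://login.example.test/oidc",
    "Scopes": ["profile"],
    "Require access token hash": False,
    "Require Authorization code hash": True,
    "Validate endpoints": False,
    "Validate Issuer name": False,
    "Require identity token signature": False,
    "Require https": False,
    "Require key set": False,
    "Identification claims": [],
}

HARDENED_SETTINGS: Dict[str, Any] = dict(WEAK_SETTINGS, **{
    "Scopes": ["openid", "profile"],
    "Require access token hash": True,
    "Require Authorization code hash": False,      # provider does not advertise c_hash
    "Validate endpoints": True,
    "Validate Issuer name": True,
    "Require identity token signature": True,
    "Require https": True,
    "Require key set": True,
    "Identification claims": [{"claim": "sub", "source": "identity token"}],
})

# Flags whose default of False leaves token validation weaker.
HARDENING_FLAGS = ("Require https", "Validate endpoints", "Validate Issuer name",
                   "Require identity token signature", "Require key set")


def check_oidc_settings(settings: Dict[str, Any], discovery: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "notes": [...]}: errors would break or misconfigure
    logins with this provider, notes point at validation left at its weaker default."""
    errors: List[str] = []
    notes: List[str] = []
    authority = settings["Authority"].rstrip("/")
    endpoints = {k: v for k, v in discovery.items() if k.endswith("_endpoint") or k == "jwks_uri"}

    if "openid" not in settings.get("Scopes", []):
        errors.append("Scopes: the openid scope is required")
    if settings.get("Require https"):
        for name, url in endpoints.items():
            if urlparse(url).scheme != "https":
                errors.append("Require https: %s is not https (%s)" % (name, url))
    if settings.get("Validate endpoints"):
        for name, url in endpoints.items():
            if not url.startswith(authority + "/"):
                errors.append("Validate endpoints: %s is outside the authority (%s)" % (name, url))
    if settings.get("Validate Issuer name") and discovery.get("issuer", "").rstrip("/") != authority:
        errors.append("Validate Issuer name: issuer %r does not match authority" % discovery.get("issuer"))
    supported = set(discovery.get("claims_supported", []))
    for flag, claim in (("Require access token hash", "at_hash"), ("Require Authorization code hash", "c_hash")):
        if settings.get(flag) and claim not in supported:
            errors.append("%s: provider does not advertise %s; logins would be denied" % (flag, claim))
    if settings.get("Require key set") and not discovery.get("jwks_uri"):
        errors.append("Require key set: discovery document has no jwks_uri")
    if not settings.get("Identification claims"):
        errors.append("Identification claims: none configured; add at least sub from the identity token")
    for flag in HARDENING_FLAGS:
        if not settings.get(flag):
            notes.append("%s is False (default); enable it once the provider supports it" % flag)
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, check_oidc_settings(cfg, DISCOVERY))
```

The check runs entirely on the discovery document, so it can be executed before the settings are saved; it does not replace the provider's own behaviour at login, which is what finally decides whether a required claim is present.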
Authorization provider configuration
For more information on how to collect the necessary information and configure Azure AD user authorization, see Authorization with Azure AD.
Property | Description |
---|---|
Authorization provider enabled | Specifies whether the configured authorization provider is enabled. |
Tenant Id | The unique identifier of the tenant where the Azure AD belongs. |
Client Id | The client ID is the unique application (client) ID assigned to your app by Azure AD when the app was registered. |
Client secret | The application secret used by confidential clients during token exchange. |
Scopes | Scopes that are required to complete the authorization at the provider. Using Azure AD as the provider requires that the scopes User.Read and GroupMember.Read.All are set here. |
Identification claims | The identification claims that the client expects to receive from the Azure AD authority. Each claim is defined as the name of the claim and its source which can be either the identity token, or the user information that can be retrieved from the user properties in Azure AD. Identification claims are optional. If not specified, the object ID (oid) of the user in Azure AD is used. |
See Also
- Administrator
- Editing system settings
- Configuring a system
- Technical architecture & Runtime
- Servers and Server parts
- Data protection
- User security
- Auditing
- User authentication