Introduction / FirstSpirit Server configuration / Configuration files (FirstSpirit Server) / FirstSpirit Server (fs-server.conf) / Storage Engine Properties
Area: Storage Engine Properties
Table of contents |
###########################
# storage engine properties
###########################
# use one shared cache for all repositories
repository.sharedCache=1
# time in seconds after a unused repository gets unloaded
REPOSITORY_UNLOAD_TIME=1800
# time in seconds after a unused registry gets unloaded (in seconds)
registry.unloadTime=1800
# Repository encryption
#----------------------
# Enable repository encryption. A keyfile must be set to enable encryption.
repository.encryption=0
# Path to master key file.
# The content of the file is read with UTF-8 encoding. Leading and trailing
# whitespace is ignored. The key characters are processed with the
# PBKDF2WithHmacSHA1 password-based key derivation function.
repository.encryption.keyFilePath=
# The symmetric encryption algorithm name, mode and padding.
# repository.encryption.algorithm=AES/CBC/PKCS5Padding
repository.encryption.algorithm=AES/CTR/NoPadding
# Keysize to use for the specified encryption algorithm.
# See SunJCE provider documentation for allowed keysizes.
repository.encryption.keySize=128
All Berkeley DB properties can also be used in the fs-server.conf configuration file. To do this, the prefix “repository.” must always be specified before the particular property.
The relevant properties can be found in the Berkley DB documentation (http://www.oracle.com/database/berkeley-db/index.html).
repository.sharedCache
The value of this parameter is set to 1 by default. This allows the Berkley DBs of all projects to share one cache on a server. In particular, this makes it easier to manage the Berkley DB cache on servers with several projects and is more effective overall.
If each project is to have its own cache for the Berkley DB, the value can be set to 0.
REPOSITORY_UNLOAD_TIME
This parameter can be used to define the time span (in sec.) that must elapse without a read or write action before a repository is closed and removed from the cache. The parameter is set to a value of 1800 by default. Depending on the project environment, it may be a good idea to set a longer retention time here.
registry.unloadTime
This parameter can be used to define the time span (in sec.) that must elapse without a read or write action before the registry is closed and removed from the cache. The parameter is set to a value of 1800 by default. Depending on the project environment, it may be a good idea to set a longer retention time here .
Configuring the file repository so it is encrypted:
repository.defaultCompressor
This parameter can be used to configure the default value for repository compression.
Possible values are:
LZ4 (default value):
repository.defaultCompressor=de.espirit.firstspirit.storage.backend.LZ4Compressor
Deflate
repository.defaultCompressor=de.espirit.firstspirit.storage.backend.DeflaterCompressor
[none]
repository.defaultCompressor=
Parameter changes will only affect new projects. |
repository.encryption
In the FirstSpirit repository, content, structures, and media from FirstSpirit projects are usually saved unencrypted (default value: 0). To configure encrypted storage of this data in the repository, you must set the parameter to a value of 1. The setting made here is used as a default setting for all new or imported projects:
- If it is set to 1, the “Encryption enabled” project setting (see Repository) is enabled for all new or imported projects.
- If it is set to 0, the “Encryption enabled” project setting is disabled for all new or imported projects.
Pre-existing projects are not affected if the parameter is changed, that is, encryption must be enabled (or disabled) separately for existing projects by going to the project settings.
Before encryption can be enabled, you must create a global server key (see Creating the key file) and use the repository.encryption.keyFilePath parameter to configure the path to the server key file (see below).
repository.encryption.keyFilePath
If repository encryption is enabled (repository.encryption=1), this parameter is used to specify the path to the global server key, e.g.:
repository.encryption.keyFilePath=${cmsroot}/conf/fs5key.txt
The global server key must be at least eight bytes long. The content of the specified file must be encoded in UTF-8. White spaces at the beginning and end of the file are ignored. The path can be specified as absolute or relative (to the root directory of the FirstSpirit server). ${cmsroot} can be used as a placeholder for the FirstSpirit root directory.
There is only one key file for each FirstSpirit server. In a cluster scenario involving master and slave servers (see Clustering – load distribution on generation), all the servers concerned must use the same key file.
Access to the global server key file should be properly secured to prevent unauthorized persons from accessing the repository contents. At the same time, this means that if the key file is damaged or lost, it will no longer be possible to access the contents of the repository. |
repository.encryption.algorithm
The symmetric algorithm configured here is used to encrypt the contents of the project repository. Rather than making direct use of the server key file, this involves generating an internal key for the project repository. The process of generating the internal project key relies on the PBKDF2WithHmacSHA1 key derivation algorithm (65536 iterations, 256-bit random salt, 256-bit key size, “Password-Based Key Derivation Function 2”).
The preconfigured example value for encrypting the project repository is AES/CTR/NoPadding (this value is intended purely as a configuration example and is not to be construed as a recommendation). The actual encryption process is handled by the Java Cryptography Extension. Therefore, it is possible to utilize all the symmetric encryptions and modes that are supported by the Java platform used. For details of which algorithms, modes, and key sizes are possible, please see the JCE documentation:
- http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Cipher
- http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
The value configured here is transferred to the project properties under “Repository”, option Encryption algorithm in ServerManager (for new or imported projects). For existing projects, the value can be configured there.
repository.encryption.keySize
This parameter can be used to configure the length of the key for encrypting the repository contents. The values configured here must be compatible with the configured algorithm (encryption, modes) and are dependent on the Java version used (see repository.encryption.algorithm). Once again, the JCE documentation provides details of which values are possible.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
The value configured here is transferred to the project properties under “Repository”, option Encryption key size in ServerManager (for new or imported projects). For existing projects, the value can be configured there.
Larger key sizes and stronger algorithms can be configured if “Unlimited Strength Jurisdiction Policy Files” are installed on the server:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#importlimits
Configuring default values
As soon as a key file has been created and configured, all the encryption parameters (for each individual project) can be enabled and configured in the “Repository” area of ServerManager as well (see Repository). All the values that are configured globally using fs-server.conf are defined as default values in the project configuration. This means that the globally configured values will be applied as default values for any projects that are created or imported as of this point. The global configuration does not affect existing projects, which must be configured via the project settings instead.
The parameters can also be tested within the project configuration.
For more information on repository encryption, see Repository encryption.
If changes are made to the fs-server.conf file, the server will need to be restarted (see General configuration information). |