Skip to main content

Configuration REST API

The Configuration REST API allows users with the System Administrator role or the Edit System Configuration and Users permission, to configure the server.

API Requests

GET Configuration Properties

To get one or more configuration properties you can make a GET request to the config:

GET /api/v2/config?property={propertyName1}&property={propertyName2}

One or more values are required for the query parameter property . The values must match (case-sensitive) the names of the configuration properties you want to retrieve.

Example
curl -u admin:admin123 'http://localhost:8070/api/v2/config?property=baseUrl&property=forceBaseUrl'
Response

A JSON response with the requested properties and values.

PUT Configuration Properties

To set one or more configuration properties you can make a PUT request to the following path:

PUT /api/v2/config

The request requires a JSON body as payload, which must include one or more of the properties described above.

Example
curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"baseUrl": "http://sonatype.com:8070", "forceBaseUrl":true, "quarantinedItemCustomMessage":"My custom quarantine message."}' http://localhost:8070/api/v2/config
Response

A successful request returns the HTTP status code 204. An invalid property name returns a 400 code.

DELETE Configuration Properties

To delete one or more configuration properties make a DELETE request to the config endpoint:

DELETE /api/v2/config?property={propertyName1}&property={propertyName2}

One or more values are required for the query parameter property . The values must match (case-sensitive) the names of the configuration properties you want to retrieve.

Example
curl -u admin:admin123 -X DELETE 'http://localhost:8070/api/v2/config?property=baseUrl&property=forceBaseUrl'
Response

A successful request returns the HTTP status code 204. An invalid property name returns a 400 code.

IQ Server Connection Properties

Use the following properties to manage connecting to the IQ Server. The IQ Server supports the following solutions: Lifecycle, Developer, SBOM Manager, and Repository Firewall.

Base URL (required)

Setting the base URL (domain) of the IQ Server. This property is for user-facing links and is required for sending emails, following links in pull requests and CI servers, and connecting to reports in most integrations.

Property: baseUrl

Default: null

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"baseUrl": "https://example.sonatype.com/"}' https://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=baseUrl"

User Session Timeout

Session timeout value in minutes for IQ Server. The user receives a browser notifications when the session is about to expire.

Property: sessionTimeout

Default: 30

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"sessionTimeout": 30}' https://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=sessionTimeout"

Force the Base Url

When set to true, IQ Server treats inbound requests as originating from the baseURL instead of on inbound HTTP request headers to ignore a misconfigured upstream reverse proxy.

We recommend fixing the upstream server to send properly formatted forwarded headers instead of using this setting.

Property: forceBaseUrl

Default: false

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"forceBaseUrl": true}' https://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=forceBaseUrl"

Frame Ancestors Allowlist

This property prevents clickjacking by adding an HTTP Content-Security-Policy (CSP) frame-ancestors directive to specify the domains or parent URLs that can frame the current resource. The property 'self' is appended to this list.

The default null value sets no restriction on the allowed domain or parent URLs. Any domain can frame the resource. Setting the property with a list of domains or parent URLs passed as JSON.

Property: frameAncestorsAllowlist

Default: null

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"frameAncestorsAllowlist": ["*first.com","second.*"]}' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=frameAncestorsAllowlist"

Max Thread Pool Size

The maximum number of threads that can be used for the EventBus.

The EventBus is used to asynchronously post various events (e.g. policy evaluation, entity management, license/security vulnerability overrides, etc).

These events are consumed by various services (e.g. webhooks, source control, etc).

Property: eventBus.maxThreadPoolSize

Default: 500

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"eventBus.maxThreadPoolSize": 500}' https://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=eventBus.maxThreadPoolSize"

User-Agent Suffix

The user-agent header is a header in a request for web access sent under the HTTP protocol. This header identifies the software program that was used to send the request. A custom fragment may be added to the end of the "user-agent" for HTTP calls. This fragment may be used with network firewalls in managing traffic from the IQ Server.

Property: userAgentSuffix

Default: null

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"userAgentSuffix ": "Approved" }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=userAgentSuffix"

Enforce CSRF Protection

Enables/disables cross-site request forgery protection. The default is set to true to increase security.

Property: csrfProtection

Default: true

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"csrfProtection": true }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=csrfProtection"

Sonatype Data Services URL

This property points to the Sonatype Data Services to receive up-to-date information. This value may be updated when a static remote IP is needed while configuring access through firewall rules. This value should not be changed unless directly by the Sonatype Support team.

Property: hdsUrl

Default: https://clm.sonatype.com/

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"hdsUrl": "https://clm.sonatype.com/" }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=hdsUrl"

Allow Single-Sign On (SSO)

Use this property to redirect authentication to the SAML provider and skip the Sign-in dialog box.

Property: enableSsoOnly

Default: null

curl -u admin:admin123 -X POST -H "Content-Type: application/json" https://<iq-server-url>/api/v2/config/features/enableSsoOnly

To enable the IQ Sign-in dialog box again, use the DELETE method as show below.

curl -u admin:admin123 -X DELETE -H "Content-Type: application/json" https://<iq-server-url>/api/v2/config/features/enableSsoOnly

IQ Server Configuration Properties

Use the following properties to manage the IQ Server configuration. The IQ Server supports the following solutions: Lifecycle, Developer, SBOM Manager, and Repository Firewall.

Continuous Monitoring Start Time

Continuous Monitoring updates the report for applications not built regularly by performing an analysis from the most recent scan files. As each report may take a few minutes to run, this process should start in off-peak hours after the maintenance backup is made. The number represents the hour of the day with 0 starting at the system time of midnight. Note that the actual process begins on a random minute before or after the chosen hour to limit the load on Sonatype servers.

Property: policyMonitoringHour

Default: 0 ; hour of the day ranging from (0-23)

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"policyMonitoringHour": 2 }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=policyMonitoringHour"

Access Allow List for REST APIs

List of usernames passed as JSON. This property is used to control the access to the public API.

When set, only the users specified in the list are allowed to make API calls. Set this property to null for unrestricted API access to authenticated users.

Property: apiAccessAllowList

Default: null

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"apiAccessAllowList": "[\"user1\",\"user2\"]" }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=apiAccessAllowList"

Set the Maximum Search Causes

This parameter adjusts the limit for the number of clauses (query parameters) in the advanced search's Lucene query. Wildcard or open ended searches result in a large number of clauses that may have performance implications. The limit is in place to keep searches from overloading the server.

This parameter is relevant when non-admin users perform advanced searches across large numbers of organizations or applications. When the query generated contains too many clauses, an issue may occur. Adjusting the clause count controls the limit to avoid the error message.

The clause count limit for Advanced Search queries.

Property: maxAdvancedSearchClauseCount

Default: 2048

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"maxAdvancedSearchClauseCount": 5000 }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=maxAdvancedSearchClauseCount"

Delimiter for Advanced Search CSV Export

The delimiter for the Advanced Search API when exporting to a CSV file.

Property: advancedSearchCSVExportDelimiter

Default: , (a comma)

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"advancedSearchCSVExportDelimiter":"," }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=advancedSearchCSVExportDelimiter"

Enable Data Insights

Allows the IQ instance to send non-anonymized telemetry data to Sonatype. This data is used to generate Data Insights. Disabling this property will cause a degraded user experience.

Property: ADVANCED_REPORTING_INSIGHTS_ENABLED

Default: true

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"ADVANCED_REPORTING_INSIGHTS_ENABLED": true }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=ADVANCED_REPORTING_INSIGHTS_ENABLED"

Restrict Success Metrics to a Specific Stage

Reduces the data being consumed through the API when more than one Lifecycle stage is commonly used by setting the specific stageId for which success metrics are retrieved.

Allowed values: source , build , stage-release , release , operate

Property: successMetricsStageId

Default: null

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"successMetricsStageId": "stage-release" }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=successMetricsStageId"

Lifecycle Properties

Use the following properties to manage the Lifecycle solution-specific configuration.

Enable Observed License Detection for ALP

Enables observed license detection for additional ecosystems for users of Lifecycle with Advanced Legal Pack (ALP) add-on. This setting was set to false for IQ Server versions installed before release 165 but newer instances default to true.

Property: alpObservedLicenseDetectionEnabled

Default: true

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"alpObservedLicenseDetectionEnabled": true }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=alpObservedLicenseDetectionEnabled"

Repository Firewall Properties

Use the following properties to manage the Repository Firewall solution-specific configuration.

Set the Custom Quarantine Message

The custom quarantined message to display when a component fails a Repository Firewall policy. This message may be up to 500 chars and include URLs.

See Custom Quarantine Message to learn more.

Property: quarantinedItemCustomMessage

Default: null

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"quarantinedItemCustomMessage": "This is a custom message." }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=quarantinedItemCustomMessage"

Automatic Quarantine Release

Set the frequently the Repository Firewall checks components quarantined in the past 14 days for updated metadata.

Scheduling interval (in minutes) for Automatic Quarantine Release. The minimum value supported is 30 minutes.

Property: automaticQuarantineReleaseTimeIntervalInMinutes

Default: 60

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"automaticQuarantineReleaseTimeIntervalInMinutes": 120 }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=automaticQuarantineReleaseTimeIntervalInMinutes"

Expiration Time for Temporary Quarantine Reports

Expiration time for quarantine reports

Property: quarantinedComponentReportExpirationTimeInHours

Default: 12

curl -u admin:admin123 -X PUT -H "Content-Type: application/json" -d '{"quarantinedComponentReportExpirationTimeInHours": 2 }' http://localhost:8070/api/v2/config

curl -u admin:admin123 -X GET "https://localhost:8070/api/v2/config?property=quarantinedComponentReportExpirationTimeInHours"

Property

Default

Released

advancedSearchCSVExportDelimiter

, (a comma)

ADVANCED_REPORTING_INSIGHTS_ENABLED

true

alpObservedLicenseDetectionEnabled

true

apiAccessAllowList

null

automaticQuarantineReleaseTimeIntervalInMinutes

60

baseUrl

null

csrfProtection

true

eventBus.maxThreadPoolSize

500

forceBaseUrl

false

frameAncestorsAllowlist

null

hdsUrl

https://clm.sonatype.com/

maxAdvancedSearchClauseCount

2048

policyMonitoringHour

0 (hour of the day 0-23)

purgeScanFiles

null

quarantinedComponentReportExpirationTimeInHours

12

quarantinedItemCustomMessage

null

sessionTimeout

30

successMetricsStageId

null

userAgentSuffix

null

waivedComponentUpgradeMonitoringEnabled

false

webhookSecretPassphrase

^d1swM!FF&amp;qQ