Config YAML
The IQ Server is a web application built on a Dropwizard web server. The initial configuration is set using the YAML formatted config.yml and is located in the same folder that contains the primary server .jar file.
After the initial startup, the configuration is stored in the internal database and will need to be modified using the Configuration REST API or through the System Preferences in the user interface.
Some configuration options may only be changed from the config.yml such as system logging and any startup configuration.
See the Configuration Settings below for details.
Editing the config.yml file
We recommend using caution when editing the config.yml file to avoid corrupting the layout. The YAML format relies on indenting to denote nested properties. Modifying this indentation incorrectly may lead to improper configuration.
Keep the following points in consideration:
TAB characters are not supported in YAML files. Use space characters only for indenting.
The YAML (.yml) structure is tree-like. Space indents define the hierarchy.
Indented lines are child options of the outdented line preceding them.
The parser ignores comments beginning with the hash symbol (#).
Configuration Settings
In recent versions of IQ Server, most configuration is stored in the internal database and should be updated using the API or System Preferences. Use the chart below to match which settings may still be set with the config.yml file.
Property | Config.yml | API/UI | Description |
|---|---|---|---|
sonatypeWork |
|
| Directory for data files. The default value is |
applicationConnectors |
|
| The port numbers for the web application on the hosted server. |
applicationContextPath |
|
| The context path at which the web application is hosted. This is the directory after the server's domain and port. |
requestLog, logging |
|
| Settings to create, save, and rotate the request.log |
createSampleData |
|
| Sample data is created for new installs. |
licenseFile |
|
| Path to a license file to automatically install if unlicensed. Disabled by default. |
baseUrl(as of release 138) |
|
| Base URL of the IQ Server for user-facing links back to the server. Required for Email, SCM, and Jira integrations. |
forceBaseUrl(as of release 138) |
|
| Whether or not certain redirects and services are forced to use the configured |
policyMonitoringHour(as of release 142) |
|
| Hour of the day (0-23) to schedule Policy Monitoring execution. The default is set to '0' for midnight. |
csrfProtection(as of release 142) |
|
| Enables/disables cross-site request forgery protection. Defaults to |
userAgentSuffix(as of release 142) |
|
| A custom fragment to add to the "user-agent" for HTTP calls |
webhookSecretPassphrase(as of release 142) |
|
| The passphrase used to encrypt the Webhook Secret Keys |
eventBus.maxPoolSize(as of release 142) |
|
| Configures the number of threads used for the EventBus. The EventBus is used to asynchronously post various events (e.g. policy evaluation, entity management, license/security vulnerability overrides, etc). These events can then be consumed by various services (e.g. webhooks, source control, etc). via the new name eventBus.maxThreadPoolSize |
Troubleshooting the config.yml file
The IQ Server will not start when the config.yml file is not properly formatted.
To troubleshoot, open a terminal and navigate to the installation directory. Use the demo.bat or ./demo.sh commands to start the server.
Below is an example error from a Windows operating system.
ERROR [2022-03-01 11:08:48,052] com.sonatype.insight.brain.service.InsightBrainService: Fatal error trying to start server ! org.yaml.snakeyaml.scanner.ScannerException: while scanning for the next token ! found character '\t(TAB)' that cannot start any token. (Do not use \t(TAB) for indentation) ! in 'reader', line 21, column 1:
Use the following steps when unable to reformat the config.yml to correct the issue:
Rename the config.yml file from your installation directory
Re-download the IQ server archive if it is not still on the server. We recommend using the same version to avoid upgrade issues.
Extract the archive and locate the config.yml file
Move the config.yml file into your installation directory
Enter changes from your previous config.yml to the new file
The following reference is an example of the config.yml file as of release 183. We recommend using the original file from the archive to avoid indentation errors. The below text is to only be used for reference.
#
# NOTE: The indentation in this file is crucial for proper processing. Please keep the existing indentation when editing it.
#
# Directory for data files.
sonatypeWork: ./sonatype-work/clm-server
# Path to a license file to automatically install if unlicensed.
#licenseFile: ./license.lic
# HTTP Strict Transport Security (HSTS) is supported using dropwizard-web configuration
# HSTS headers are enabled by default, uncomment web: section below and set enabled: false to disable
# Refer to https://github.com/dropwizard/dropwizard-web#supports for detailed configuration guide
#web:
# hsts:
# enabled: true
# maxAge: 365 days
# includeSubDomains: true
# HTTP-specific options.
server:
# The context path for the application. Note that this must have a leading slash.
applicationContextPath: /
applicationConnectors:
- type: http
# The port on which the HTTP server listens for service requests.
# Because Java cannot drop privileges in a POSIX system, these
# ports cannot be in the range 1-1024. A port value of 0 will
# make the OS use an arbitrary unused port.
port: 8070
# The hostname of the interface to which the application HTTP server socket
# will be bound. If omitted, the socket will listen on all
# interfaces.
#bindHost: 127.0.0.1 # only bind to loopback
adminConnectors:
- type: http
# The port on which the HTTP server listens for administrative
# requests. Subject to the same limitations as "port".
port: 8071
# The hostname of the interface to which the admin HTTP server socket
# will be bound. If omitted, the socket will listen on all
# interfaces.
#bindHost: 127.0.0.1 # only bind to loopback
# HTTP request log settings.
requestLog:
appenders:
# Settings for logging to a file.
- type: file
# The file to which current statements will be logged.
currentLogFilename: ./log/request.log
logFormat: "%clientHost %l %user [%date] \"%requestURL\" %statusCode %bytesSent %elapsedTime \"%header{User-Agent}\""
# When the log file rotates, the archived log will be renamed to this and gzipped. The
# %d is replaced with the previous day (yyyy-MM-dd). Custom rolling windows can be created
# by passing a SimpleDateFormat-compatible format as an argument: "%d{yyyy-MM-dd-hh}".
archivedLogFilenamePattern: ./log/request-%d.log.gz
# The number of archived files to keep.
archivedFileCount: 50
# Logging settings.
logging:
# The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL.
level: DEBUG
# Logger-specific settings.
loggers:
"com.sonatype.insight.scan": INFO
"eu.medsea.mimeutil.MimeUtil2": INFO
"org.apache.http": INFO
"org.apache.http.wire": ERROR
"org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter": INFO # WARNING: This reveals credentials at DEBUG level
"org.eclipse.birt.report.engine.layout.pdf.font.FontConfigReader": WARN
"org.eclipse.jetty": INFO
"org.postgresql.jdbc.PgConnection": INFO
"org.quartz": INFO
"org.zeroturnaround.exec": INFO
"com.networknt.schema": OFF
"org.eclipse.jgit": INFO
"com.sonatype.insight.audit":
appenders:
- type: file
# The file to which audit statements will be logged.
currentLogFilename: ./log/audit.log
# When the audit log file rotates, the archived audit log will be renamed to this and gzipped. The
# %d is replaced with the previous day (yyyy-MM-dd). Custom rolling windows can be created
# by passing a SimpleDateFormat-compatible format as an argument: "%d{yyyy-MM-dd-hh}".
#
# If archive is true, this must be specified.
archivedLogFilenamePattern: ./log/audit-%d.log.gz
# The number of archived audit log files to keep.
archivedFileCount: 50
#"com.sonatype.insight.policy.violation":
#appenders:
#- type: file
# The file to which policy violations will be logged.
#currentLogFilename: ./log/policy-violation.log
# When the policy violation log file rotates, the archived policy violation log will be renamed to this
# and gzipped. The %d is replaced with the previous day (yyyy-MM-dd). Custom rolling windows can be created
# by passing a SimpleDateFormat-compatible format as an argument: "%d{yyyy-MM-dd-hh}".
#
# If archive is true, this must be specified.
#archivedLogFilenamePattern: ./log/policy-violation-%d.log.gz
# The number of archived policy violation log files to keep.
#archivedFileCount: 50
appenders:
# Settings for logging to stdout.
- type: console
# Do not display log statements below this threshold to stdout.
threshold: INFO
logFormat: "%d{'yyyy-MM-dd HH:mm:ss,SSSZ'} %level [%thread] %X{username} %logger - %msg%n"
# Settings for logging to a file.
- type: file
# Do not write log statements below this threshold to the file.
threshold: ALL
logFormat: "%d{'yyyy-MM-dd HH:mm:ss,SSSZ'} %level [%thread] %X{username} %logger - %msg%n"
# The file to which current statements will be logged.
currentLogFilename: ./log/clm-server.log
# When the log file rotates, the archived log will be renamed to this and gzipped. The
# %d is replaced with the previous day (yyyy-MM-dd). Custom rolling windows can be created
# by passing a SimpleDateFormat-compatible format as an argument: "%d{yyyy-MM-dd-hh}".
#
# If archive is true, this must be specified.
archivedLogFilenamePattern: ./log/clm-server-%d.log.gz
# The number of archived files to keep.
archivedFileCount: 50
# Sample data is created for new installs.
createSampleData: true