Configuration
Standalone Execution
The OCS is run using the script n2ocs. To run the OCS manually, run:
cd /opt/nsquared/ocs/bin
./n2ocs ../etc/server.json
The only command line argument is to the configuration file.
As the OCS is a Java program, it is possible to provide arguments to the JVM via the JAVA_OPT environment variable. For example, to define the configuration file for logging:
export JAVA_OPTS="-Dlogback.configurationFile=/opt/nsquared/ocs/etc/logback.xml"
The OCS uses Logback for logging and the logging configuration can be configured in a logback.xml file.
JSLEE Integrated Execution
Refer to JSLEE configuration
Example Configuration File
The n2ocs.json file is a JSON based configuration file which allows C-style multi-line comments.
When installed using the OS packaging, the configuration file will be installed in to the /opt/nsquared/ocs/etc/ directory. The example configuration file will include basic configuration:
{
"database.mongodb": {
"host": "127.0.0.1",
"port": 27017,
"db_name": "n2ocs",
"useObjectId": false
}
, "http.api.enabled": true
, "http.api.interface": "0.0.0.0"
, "http.api.port": 5490
, "management.http.api.port": 5492
, "vouchers.enabled": true
, "voucher.generation.enabled": false
, "auth.enabled": false
, "auth.provider": "jwt"
, "auth.jwt.publickey": "base64 encoded public key"
, "auth.jwt.rolepath": "resource_access/n2ocs/roles"
, "groveller": {
"account": {
"enabled": true
}
}
}
Configuration Options
The following configuration options are available:
| Field | Type | Required? | Default | Description | |
|---|---|---|---|---|---|
database.mongodb |
Object | Yes | - | Database connectivity object, as required by Vert.x | |
server.name |
String | No | - | The name of the OCS server for use in EDRs and other output. This should be set uniquely for every OCS server in an environment. While the default is ocs-server-name, this should be changed. |
|
http.api.enabled |
Boolean | No | true |
If false the HTTP REST API to the OCS is disabled. Note that this API is required by the OCS administration GUI. |
|
http.api.interface |
String | No | 127.0.0.1 |
The local system network interface to listen on for the HTTP interface. By default this is set to “127.0.0.1” to avoid public access. | |
http.api.port |
Integer | No | 5490 |
The port the HTTP API listens on. The default is 5490. | |
management.http.api.interface |
Integer | No | 127.0.0.1 |
The local system network interface to listen on for the management interface. By default this is set to “127.0.0.1” to avoid public access. | |
management.http.api.port |
Integer | No | 5492 |
The port that the management interface is available over. The default is 5492. | |
vouchers.enabled |
Boolean | No | false |
Set to true to enable the voucher management solution in the OCS. | |
voucher.generation.enabled |
Boolean | No | false |
Set to true to enable the voucher generator on this node. The voucher generate should only run one one OCS node as voucher generation cannot be parallelized across nodes. | |
groveller |
Object | No | - | OCS grovelling configuration. See below for details. | |
account.lock.id-length |
Integer | No | 3 | The length of the hash value to generate from OCS wallets, to determine locking of wallets across clustered servers. | |
expiry-buffer-ms |
Integer | No | 2000 | The length of time between a reservation expiring and the reservation being removed. This must be non-zero, otherwise network latency and processing time will expire reservations prior to the commit of the reservation. | |
slow-request-threshold-ms |
Integer | No | -1 | The maximum time a request can take to process in the OCS prior to a warning being written to the log. This takes in to account both waiting time (for the wallets to be unlocked), DB access times and all other processing. Set to -1 to disable. | |
| authentication | - | - | - | See below for authentication configuration. |
Database Configuration
The configuration option database.mongodb is required. This sub-object of the overall configuration defines how to connect to the OCS database via the MongoDB driver. See https://vertx.io/docs/vertx-mongo-client/java/ for more information on how to configure the driver.
Note that the configuration option useObjectId must be set to false, as object IDs are not supported by the OCS.
A standard Mongo DB connection is:
{
"database.mongodb": {
"host": "10.42.2.103",
"port": 27016,
"db_name": "n2ocs",
"useObjectId": false
}
}
OCS Groveller Configuration
Configuration to determine whether the groveller runs or not on the node. An example configuration for the groveller includes:
{
"groveller": {
"account": {
"enabled": true,
"reprocess.period.hours": 12,
"maximum.tps": 4
}
}
}
This configuration will enable wallet grovelling. To control groveller speed, the following configuration options may be used:
| Field | Type | Required? | Default | Description |
|---|---|---|---|---|
enabled |
Boolean | no | false |
Enable or disable the groveller on this node. Only one OCS node should have grovelling enabled. |
reprocess.period.hours |
Integer | no | 8 | How frequently to reprocess every wallet. If the system cannot get through all wallets in this period, the reprocessing will begin immediately after the last processing completes. Otherwise an enforced delay will occur to not reprocess more often. |
maximum.tps |
Integer | no | 1 | The maximum wallets per second to process. If the speed to get through all wallets within the hours set would be greater than this, the processing is throttled to take longer. |
Security Configuration
The OCS API may be secured using OpenID Connect (OIDC), specifically via JWT tokens.
The OCS is tested against the following OIDC providers:
This authentication is optional, however it is strongly recommended for when
the OCS API is being used by provisioning and frontend services. When using
Keycloak, the public key (for the configuration option auth.jwt.publickey)
can be retrieved by:
- Logging in to the Keycloak administration screens.
- Choosing the N2OCS realm.
- Choosing the
keystab from theRealm Settingsscreen. - Press the
Public keybutton to show the public key for theRS256Algorithm.
To enable and use the OpenID connect authentication solution, configure the following options:
| Field | Type | Required? | Default | Description |
|---|---|---|---|---|
auth.enabled |
Boolean | no | false |
Set this configuration to true to enable (and required) authentication. |
auth.provider |
String | no | - | The authentication provider can be configured using auth.provider, however the only option at this stage is jwt. Options other than jwt will cause an error to be thrown and the OCS will not start. |
auth.jwt.publickey |
String | no | - | The public key of the signing authority that signs the JSON web tokens that will be provided to the OCS HTTP interface in the Authorization header. |
auth.jwt.rolepath |
String | no | - | The path, using / to indicate the path into the JWT JSON object to get the list of roles that the user has (for the purposes of authorizing access to the OCS). This by default is set to resource_access/n2ocs/roles, where n2ocs is the Client ID of the Keycloak client being used for authentication. |
OCS Roles
The JWT role path must provide the authenticated user’s roles to which the OCS should apply authorization checks. The following high level roles are used by the OCS to manage engine:
| Role | Usage |
|---|---|
resource:*:read |
Read access to the OCS database. All GET queries to the OCS HTTP API will be authorized for any user with this role. |
resource:*:write |
Write access to the OCS database. All requests that are not GET queries to the OCS HTTP API will be authorized for any user with this role. |
engine:*:exec |
Execute access against all engine endpoints. |
engine:*:write |
Write access against all engine endpoints. |