Monitoring configuration

The Connect2id server provides a monitoring endpoint with over 100 metrics and a number of backend database health checks. These are implemented with the help of the Dropwizard Metrics library.

The metrics can also be reported via JMX or Graphite to a remote metrics collection and visualisation server.

The monitor endpoint has its configuration in the following file:

WEB-INF/monitor.properties

Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup:

-Dmonitor.apiAccessTokenSHA256=cca68b8b82bcf0b96cb826199429e50cd95a042f8e8891d1ac56ab135d096633

The external configuration guide has tips for setting system properties from environment variables, local files and other locations.

1. Web API

monitor.apiAccessTokenSHA256

The access token for the monitor endpoint, represented by its SHA-256 hash (in hexadecimal format). The hashed storage is intended to prevent accidental leakage of the token through configuration files, logs, etc. The token is of type Bearer, non-expiring and must contain at least 32 random alphanumeric characters to make brute-force guessing impractical. If not specified, the web API is disabled.

Additional access tokens, to facilitate token roll-over or for other needs, can be configured by appending a dot (.) with a unique label to the property name, e.g. as monitor.apiAccessTokenSHA256.1=abc....

The hash for a token with value ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6:

monitor.apiAccessTokenSHA256=cca68b8b82bcf0b96cb826199429e50cd95a042f8e8891d1ac56ab135d096633
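
An added example (not Connect2id code) of generating a token and its hash, linting a properties file for token values that are not SHA-256 hashes, and checking a presented token against all configured hashes during a roll-over. The function names and the constant-time comparison are assumptions of this example; only the property names come from this page.

```python
import hashlib
import hmac
import re
import secrets
import string

ALPHANUM = string.ascii_letters + string.digits
# Property names from this page; an optional ".label" suffix adds tokens.
TOKEN_KEY = re.compile(
    r"monitor\.(apiAccessTokenSHA256(\.\S+)?|secondaryAPIAccessTokenSHA256)")
HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")

def new_token(length=32):
    """Random alphanumeric bearer token drawn from the OS CSPRNG."""
    if length < 32:
        raise ValueError("token needs at least 32 characters")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))

def token_hash(token):
    """Hex SHA-256 of the token, the form stored in the configuration."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def load_token_hashes(properties_text):
    """Return (hashes, problems). A value that is not 64 hex characters,
    such as a raw token pasted in place of its hash, is a problem."""
    hashes, problems = {}, []
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not TOKEN_KEY.fullmatch(key):
            continue  # comments, blank lines and other properties
        if HEX_SHA256.fullmatch(value):
            hashes[key] = value.lower()
        else:
            problems.append(key)
    return hashes, problems

def is_authorized(bearer_token, hashes):
    """True if the token's hash equals any configured hash. Every entry
    is compared with hmac.compare_digest, with no early exit."""
    presented = token_hash(bearer_token)
    results = [hmac.compare_digest(presented, h) for h in hashes.values()]
    return any(results)

if __name__ == "__main__":
    token = new_token()
    print("token (give to the monitoring client):", token)
    print("monitor.apiAccessTokenSHA256=" + token_hash(token))
```

During a roll-over the new hash goes under the main property and the old one under a labelled property until all clients have switched.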

monitor.secondaryAPIAccessTokenSHA256

Optional secondary access token for the monitor endpoint. Has the same format as monitor.apiAccessTokenSHA256. Must not be set if not needed.

The secondary token can be used by a load balancer to monitor the health check of the Connect2id server.

Use monitor.apiAccessTokenSHA256.* from v10.0 on.

monitor.secondaryAPIAccessTokenSHA256=304b07b6d8eb155a957b965831be9ce39fb098554a2d5f2047ee0a0491022dea

2. General reporting

monitor.entryCountCacheTimeout

Timeout for caching entry count results, in seconds. Zero disables caching; a negative value disables readings, causing the gauge to always return -1. The default timeout value is 1800 seconds (30 minutes).

Gauges with entry count caching:

  • authzSessionStore.numSessions
  • sessionStore.numSessions
  • clientStore.numRegistrations
  • clientStore.numCachedRemoteJWKSets
  • clientStore.numCachedRemoteRequestObjects
  • authzStore.numAuthzCodes
  • authzStore.numIdAccessTokens
  • authzStore.numLongLivedAuthorizations
  • authzStore.numRevocationJournalEntries
  • authzStore.numExpendedTokenEntries

monitor.entryCountCacheTimeout=1800

3. JMX reporting

Controls metrics reporting via JMX.

monitor.enableJMX

Enables / disables monitoring via JMX.

monitor.enableJMX=false

4. Graphite reporting

Controls metrics reporting via Graphite to a remote metrics collection and visualisation server.

monitor.graphite.enable

Enables / disables metrics reporting to a Carbon server (component of the Graphite system).

monitor.graphite.enable=true

monitor.graphite.host

The Carbon server host name / IP address where the metrics will be streamed.

monitor.graphite.host=graphite.example.com

monitor.graphite.port

The Carbon server port number.

monitor.graphite.port=2003

monitor.graphite.reportInterval

The reporting interval, in seconds.

monitor.graphite.reportInterval=60

monitor.graphite.batchSize

Set to a positive integer to enable metrics batching using the Graphite pickle protocol. If set to zero, batching is disabled, implying use of the Graphite plaintext protocol. Note that the pickle and plaintext protocols typically require a different port number.

monitor.graphite.batchSize=0

monitor.graphite.prefix

Optional prefix for the metrics. May be used to prepend an API key and / or to specify a name for the Connect2id server node in a cluster.

To specify an API key for each streamed metrics packet:

monitor.graphite.prefix=999d98bd-d745-4255-9f02-a3eec57c3fe5

To specify an API key and a base name for the Connect2id server node:

monitor.graphite.prefix=999d98bd-d745-4255-9f02-a3eec57c3fe5.c2id_node1
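
An added example (not Connect2id or Dropwizard code) of what the batchSize and prefix settings mean on the wire: the same readings framed with the Graphite plaintext protocol and with the pickle protocol, with the prefix prepended to every metric path. The function names and sample readings are constructed for this example, and the exact value formatting the server emits may differ.

```python
import pickle
import struct

def prefixed(prefix, metric):
    """Metric path sent to Carbon: optional prefix, a dot, the name."""
    return f"{prefix}.{metric}" if prefix else metric

def plaintext_payload(prefix, samples):
    """Graphite plaintext protocol: one 'path value timestamp' line each."""
    lines = [f"{prefixed(prefix, m)} {v} {ts}\n" for m, v, ts in samples]
    return "".join(lines).encode("utf-8")

def pickle_frames(prefix, samples, batch_size):
    """Graphite pickle protocol: batches of (path, (timestamp, value))
    tuples, each batch pickled and preceded by a 4-byte big-endian length."""
    if batch_size <= 0:
        raise ValueError("batch size must be positive for the pickle protocol")
    frames = []
    for i in range(0, len(samples), batch_size):
        batch = [(prefixed(prefix, m), (ts, v))
                 for m, v, ts in samples[i:i + batch_size]]
        body = pickle.dumps(batch, protocol=2)
        frames.append(struct.pack("!L", len(body)) + body)
    return frames

# Constructed sample readings: (metric name, value, Unix timestamp).
SAMPLES = [
    ("sessionStore.numSessions", 120, 1700000000),
    ("authzStore.numAuthzCodes", 7, 1700000000),
    ("clientStore.numRegistrations", 42, 1700000000),
]
PREFIX = "999d98bd-d745-4255-9f02-a3eec57c3fe5.c2id_node1"  # value from this page

if __name__ == "__main__":
    print(plaintext_payload(PREFIX, SAMPLES).decode(), end="")
    for frame in pickle_frames(PREFIX, SAMPLES, batch_size=2):
        print(len(frame), "byte pickle frame")
```

Neither protocol encrypts the stream, so a prefix that carries an API key appears in every metric path in transit; route the connection to Carbon over a trusted network or an encrypted tunnel.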

monitor.graphite.ratesTimeUnit

The time unit for reporting rates. Specified as Java TimeUnit enum constants.

monitor.graphite.ratesTimeUnit=SECONDS

monitor.graphite.durationsTimeUnit

The time unit for reporting durations. Specified as Java TimeUnit enum constants.

monitor.graphite.durationsTimeUnit=MILLISECONDS

monitor.graphite.filter

White list of metric names to report to the Carbon server, with optional wild cards. To report all metrics set the filter value to an asterisk *. More than one filter may be specified.

To send all available metrics:

monitor.graphite.filter=*

To send only those metrics that relate to the token and UserInfo endpoints of the Connect2id server:

monitor.graphite.filter.1=tokenEndpoint.*
monitor.graphite.filter.2=userInfoEndpoint.*

You can also specify absolute metric names (no wild card):

monitor.graphite.filter.1=op.idTokenIssues
monitor.graphite.filter.2=tokenEndpoint.*
monitor.graphite.filter.3=userInfoEndpoint.*