|
If the installer is used to install the Experience Service, these parameters are configured by the installer.
|
|
If you’re configuring for single sign-on authentication, see the “Single Sign-on (SSO) Authentication Configuration Parameters” section below.
|
Parameter
|
Description
|
authentication.type
|
If using Basic Authentication, this parameter must be set to twxUser.
|
authentication.baseURL
|
The URL for the ThingWorx server that is used for authentication. For example: https://twx.example.com:8443
|
authentication.authorization.appKey
|
The ThingWorx application key that is used by the Experience Service to read the memberships of ThingWorx groups. The group memberships are used to determine which Experience Service role a user belongs to and the permissions that have been granted to that user.
For more information about configuring the authorization application key, see Configure Access to ThingWorx Group Memberships.
|
authentication.authorization.refreshRate
|
This parameter determines how frequently the membership of Experience Service roles is synchronized with the membership of ThingWorx groups. The value is specified in milliseconds.
By default, this is set to 5 minutes. The fastest rate this can be set to is 30 seconds.
|
Parameter
|
Description
|
authentication.type
|
This must be set to openidUser when configuring the Experience Service to use SSO.
|
authentication.baseUrl
|
The URL for the ThingWorx server. It is used for authentication when basic authentication is configured, and for group membership synchronization regardless of the authentication type. For example, https://twx.example.com:8443.
|
authentication.authorization.refreshRate
|
This parameter determines how frequently the membership of Experience Service roles is synchronized with the membership of ThingWorx groups. The value is specified in milliseconds.
By default, this is set to 5 minutes. The fastest rate this can be set to is 30 seconds.
|
authentication.openid.issuer
|
Set this equal to the <as-base-url> parameter identified in the “SSO Configuration Parameters” section in PingFederate Configuration Example.
|
authentication.openid.clientId
|
Set this equal to the <es-client-id> parameter identified in the “SSO Configuration Parameters” section in PingFederate Configuration Example.
|
authentication.openid.clientSecret
|
Set this equal to the <es-client-secret> parameter identified in the “SSO Configuration Parameters” section in PingFederate Configuration Example.
|
authentication.openid.redirectUri
|
Set this equal to the <es-redirect-uri> parameter identified in the “SSO Configuration Parameters” section in PingFederate Configuration Example.
|
authentication.openid.session.maxAge
|
When a user authenticates with the Experience Service using OpenID Connect, a session is created for that user. This property specifies how much time must elapse before the session is invalidated and the user must re-authenticate. The default unit for this setting is milliseconds. However, other units can be specified by appending the unit name to the value. For example, "10 hours". The following units are supported:
• Seconds: seconds, s
• Minutes: minutes, m
• Hours: hours, hrs, hour, h
• Days: days, day, d
|
authentication.openid.externalScope
|
This is required to access the ThingWorx APIs using OAuth2. Set it to the same value that is configured in ThingWorx for use of ThingWorx as a Resource Provider.
|
authentication.openid.esScope
|
Set this equal to the <es-scope> parameter identified in the “SSO Configuration Parameters” section in PingFederate Configuration Example.
|
authentication.openid.studioClientId
|
Enter the name of the Studio client ID. The default value for this field is PTC_Studio_Client_ID. However, if this has been configured to something different, that must be entered here.
|
authentication.openid.claimsMapping.username
|
Set this equal to the value of the sub attribute identified in your OpenID Connect Policy. For more information, see Step 9 in OpenID Policy Configuration.
|
|
If the Experience Service is being deployed in a cluster, ensure that the data store directories (projects.store, reps.store, and upgrade.store) are accessible by all instances running in the cluster.
|
Parameter
|
Description
|
projects.storePath
|
The path to the directory where project content is stored.
|
projects.staticOps.maxAge
|
Specifies the value of the max-age header that is included with responses when project content is downloaded to a client.
|
reps.storePath
|
The path to the directory where representation repository content is stored.
|
reps.staticOps.maxAge
|
Specifies the value of the max-age header that is included with responses when reps content is downloaded to a client.
|
upgrade.storePath
|
The path to the directory where migrator success files are stored. These files are used to indicate when an upgrade migrator has successfully completed its data migration task so that the migration is not repeated.
|
|
The paths specified for these configuration parameters can be absolute or relative paths. Absolute paths begin with “/” and are treated as relative to the root of the file system, while relative paths begin with “./” and are treated as relative to the Experience Service installation directory.
|
|
SQLite is installed with the Experience Service. PostgreSQL must be obtained and installed separately.
|
Parameter
|
Description
|
|
dbHandler
|
Set this parameter to one of the following:
• SQLiteHandler if SQLite is being used
• postgresHandler if PostgreSQL is being used
|
|
db.datafilePath
|
This parameter is only applicable if SQLite is being used and specifies the path to the SQLite data file. When the Experience Service is started, it creates the data file if it doesn't exist.
|
|
db.connectionString
|
This parameter is only applicable if PostgreSQL is being used and specifies the connection string used to connect to the PostgreSQL database. The format of the connection string is as follows:
postgres://<dbusername>:<dbpassword>@<host>:<port>/<database-name>
The credentials used must have sufficient permissions to create new database tables in the PostgreSQL database.
|
Parameter
|
Description
|
enable_irs_federation
|
Setting this parameter to true enables IRS federation, while setting it to false disables IRS federation.
|
domain_id_resolver
|
The base URL used to query for Experiences from other Experience Services. This is only required if IRS federation is enabled. In general, the base URL for the PTC-provided global experience index (GXI) must be used:
https://gxi.vuforia.io/VuforiaExperienceService/id-resolution/resolutions/
|
Parameter
|
Description
|
|
logsPath
|
The glob pattern describing the paths that correspond to log files. By default, this is set to /var/logs/thingserver.log*. This enables all files in /var/logs with names that start with thingserver.log to be downloaded.
|
| trustProxy Setting | Client IP | Protocol |
|---|---|---|
| false (default) | IP of the client that sent the request | Protocol of the request |
| true | Left-most entry in the X-Forwarded-For header | Value of the X-Forwarded-Proto header |
| IP filter criteria | Right-most entry in the X-Forwarded-For header after filtering that list to remove any entries that match the specified filter criteria (see below for more information on how to construct the filter criteria) | Value of the X-Forwarded-Proto header |
| integer (n) | The nth entry from the right in the X-Forwarded-For header | Value of the X-Forwarded-Proto header |
|
Filter Option
|
Addresses That Will Be Filtered
|
loopback
|
Any address that belongs to the following subnet:
• IPv4: 127.0.0.1/8
• IPv6: ::1/128
|
linklocal
|
Any address that belongs to the following subnet:
• IPv4: 169.254.0.0/16
• IPv6: fe80::/10
|
uniquelocal
|
Any address that belongs to one of the following subnets:
• IPv4: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16
• IPv6: fc00::/7
|
<ip address>
|
The specified IP address (for example, 203.0.113.13)
|
Use Case
|
trustProxy Parameter Setting
|
Ignore the information in the X-Forwarded-* headers.
|
false
|
Treat all entries in the X-Forwarded-For header (except the left-most) as known, trusted proxies. The left-most entry is treated as the client IP.
|
true
|
Treat only the local host as a known, trusted proxy.
|
"loopback"
|
Treat the local host and the IP addresses 203.0.113.13 and 203.0.113.15 as trusted proxies.
|
"loopback, 203.0.113.13,203.0.113.15"
|
Treat the local host and any host on the local network as a known, trusted proxy.
|
"loopback, linklocal, uniquelocal"
|
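The client IP rules from the trustProxy tables above, modelled as an added JavaScript example (not PTC's code). The names resolveClientIp, expandFilter and inCidr are hypothetical, the model is IPv4-only, and falling back to the peer address when no header entry qualifies is an assumption. The constructed header shows that with true the reported client IP is whatever the original sender wrote into X-Forwarded-For, while a filter or hop count yields the address recorded by the trusted proxy.

```javascript
// Added example: models the trustProxy table (IPv4 only). All names are hypothetical.
const NAMED = {
  loopback: ['127.0.0.1/8'],
  linklocal: ['169.254.0.0/16'],
  uniquelocal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'],
};

// Constructed sample: sender-supplied entry, then the address the edge proxy
// saw, then the edge proxy itself (appended by a proxy on the local host).
const SAMPLE_XFF = '198.51.100.99, 203.0.113.7, 203.0.113.13';
const SAMPLE_PEER = '127.0.0.1';

const toInt = (ip) => ip.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);

// True when ip falls inside cidr; a bare address is treated as a /32.
function inCidr(ip, cidr) {
  const [base, bits = '32'] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size);
}

// Expand "loopback, 203.0.113.13" into a flat list of CIDR strings.
function expandFilter(setting) {
  return setting.split(',').map((s) => s.trim()).filter(Boolean)
    .flatMap((s) => NAMED[s] || [s]);
}

function resolveClientIp(trustProxy, peerIp, xForwardedFor) {
  const hops = (xForwardedFor || '').split(',').map((s) => s.trim()).filter(Boolean);
  if (trustProxy === false || hops.length === 0) return peerIp; // header ignored
  if (trustProxy === true) return hops[0];                      // left-most entry
  if (Number.isInteger(trustProxy)) {
    // nth entry from the right; assumption: fall back to the peer if out of range
    return hops[hops.length - trustProxy] || peerIp;
  }
  // Filter criteria: drop trusted entries, then take the right-most survivor.
  const cidrs = expandFilter(trustProxy);
  const remaining = hops.filter((ip) => !cidrs.some((c) => inCidr(ip, c)));
  return remaining.length ? remaining[remaining.length - 1] : peerIp;
}

for (const setting of [false, true, 'loopback', 'loopback, 203.0.113.13', 2]) {
  console.log(JSON.stringify(setting), '->',
    resolveClientIp(setting, SAMPLE_PEER, SAMPLE_XFF));
}
```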
|
Your ThingWorx server may have been configured to use a realm that is different from the default.
|
Parameter
|
Description
|
proxies.0.autoRewrite
|
If set to true, the Experience Service changes any redirect URIs provided by the ThingWorx server so that the client is redirected back through the proxy. For example, assume the Experience Service ThingWorx proxy is located at https://es.example.com/Thingworx and the proxied ThingWorx server is located at https://twx.example.com/Thingworx. If the ThingWorx server redirects the client to https://twx.example.com/Thingworx/something, then the Experience Service rewrites this URL as https://es.example.com/Thingworx/something. If this property is set to false, then the Experience Service does not rewrite these redirect URIs.
|
proxies.0.protocolRewrite
|
This parameter identifies the protocol used when rewriting redirect URIs. For example, assume that the Experience Service is running in secure HTTPS mode but the ThingWorx server is running in insecure HTTP mode. In this case, this parameter must be set equal to HTTPS so that when the redirect URIs are rewritten they are rewritten to use the protocol used by the Experience Service proxy.
|
proxies.0.secure
|
If set to true, the Experience Service ThingWorx proxy rejects unauthorized (self-signed) certificates used by the proxied ThingWorx server. Therefore, this parameter must be set to false if the proxied ThingWorx server is using self-signed certificates. When set to false, the proxy accepts such certificates instead of rejecting them.
|
websocketProxies.0.autoRewrite
|
This parameter controls the redirect rewrite behavior for the web socket proxy in the same way the proxies.0.autoRewrite parameter controls the rewrite behavior for the HTTP proxy.
|
websocketProxies.0.protocolRewrite
|
This parameter controls the protocol that is used when rewriting redirect URIs for the web socket proxy in the same way the proxies.0.protocolRewrite parameter controls the rewrite behavior for the HTTP proxy. Valid protocol choices are ws or wss.
|
websocketProxies.0.secure
|
This parameter controls whether the web socket proxy rejects unauthorized (self-signed) certificates in the same way that the proxies.0.secure parameter controls whether the HTTP proxy rejects unauthorized (self-signed) certificates.
|
proxies.0.disabled
|
If set to true, this parameter disables the ThingWorx proxy. If set to false, it enables the proxy.
|
proxies.0.target
|
The base URL for the ThingWorx server. This URL must end in /Thingworx. For example, https://twx.acme.com:8443/Thingworx.
|
proxies.0.appKey
|
The ThingWorx application key used by the Experience Service to grant public Experiences access to ThingWorx data. For more information about public Experiences and configuring public access to ThingWorx, see Configuring Public Access to ThingWorx.
|
websocketProxies.0.disabled
|
If set to true, this parameter disables the ThingWorx web socket proxy. If set to false, it enables the proxy.
|
websocketProxies.0.target
|
The base URL used to establish a web socket between the client and the ThingWorx server. This URL must be compatible with the value specified for proxies.0.target. For example, if proxies.0.target is set to https://twx.acme.com:8443/Thingworx, then this parameter must be set to wss://twx.acme.com:8443.
|
|
Do not connect Edge devices and mashups to the ThingWorx server using the Experience Service ThingWorx proxy. Instead, use a direct connection to the ThingWorx server (using alternative ports, ELB, and so on). The Experience Service ThingWorx proxy is not designed to handle the load associated with Edge device traffic, and certain Edge SDKs do not work through a proxy.
|
|
If the Experience Service is being deployed in a cluster, ensure that the key and certificate file locations are accessible by all instances running in the cluster.
|
|
Values can be specified for the PEM properties (httpsKeyPath, httpsCrtPath and httpsCaPath) or the PKCS12 (PFX) property (httpsPfxPath), but not both.
|
Parameter
|
Description
|
httpsKeyPath
|
The path to the file that contains the PEM encoded private key.
|
httpsCrtPath
|
The path to the file that contains the PEM encoded public certificate.
|
httpsCaPath
|
The path to the certificate bundle file that contains the PEM encoded public certificates for the intermediate certificate authorities.
|
httpsCertPassphrase
|
The passphrase used to decrypt the PEM encoded private key or the PKCS12 (PFX) encoded archive file.
|
httpsPfxPath
|
The path to the file that contains the PKCS12 (PFX) encoded archive file.
|
|
The paths specified for these configuration parameters can be absolute or relative paths. Absolute paths begin with “/” and are treated as relative to the root of the file system, while relative paths begin with “./” and are treated as relative to the Experience Service installation directory.
On Windows, an absolute path can begin either with "/" or with a drive letter, for example "C:/". If the absolute path starts with "/", the path is treated as relative to the root of the drive that contains the Experience Service installation directory.
|
Parameter
|
Description
|
nohttp2
|
Add this parameter and set it to true in order to save images taken with the Camera widget during an experience to a repository in ThingWorx.
For example:
{
  …..
  "nossl": true,
  "nohttp2": true
}
|
Parameter
|
Description
|
hmtg.credentials.baseUrl
|
URL for the Model Target service. This parameter is populated for you. The value is:
https://vws.vuforia.com
|
hmtg.credentials.tokenPath
|
HTTP request path for OAuth2 authentication. This parameter is populated for you. The value is:
oauth2/token
|
hmtg.credentials.amtgPath
|
HTTP request path for Advanced Model Target generation. This parameter is populated for you. The value is:
modeltargets/advancedDatasets
|
hmtg.credentials.accessKey
|
The value for this parameter must be obtained from PTC Technical Support. For more information, see Request Information to Enable Advanced Model Target Generation.
|
hmtg.credentials.secretKey
|
The value for this parameter must be obtained from PTC Technical Support. For more information, see Request Information to Enable Advanced Model Target Generation.
|
Parameter
|
Description
|
publicAccess
|
Disable or enable the ability to publish projects that have the Access field set to Public in Vuforia Studio.
For example:
{
  …..
  "publicAccess": { "disabled": true }
}
|