Gateway Parameters
Gateway Security HTTP Headers and Configuration
Gateways use more secure security headers. The default settings are listed below, along with their associated system properties. These parameters mainly impact Perspective sessions, as well as any pages hosted on Ignition's web server.
Note: HTTP headers used by the Gateway are configurable via the ignition.conf file in the Gateway's installation directory. In most cases there won't be a need to modify the new default values. However, if you're embedding a Perspective session inside of an iframe from another origin, and it stops working after upgrade, then take a look at this Knowledge Base Article for more details.
Strict Transport Security
The following system properties interact with the Strict-Transport-Security header. Enabling the header involves setting the -Dignition.https.sts.maxAge system property to a non-zero value. By default, the header is disabled.
System Property | Description |
---|
-Dignition.https.sts.maxAge | Sets the maximum age of the Strict Transport Security header. The value should be set to an integer, representing a number of seconds. |
-Dignition.https.sts.includeSubDomains | Applies the includeSubDomains parameter. Expects a boolean value. If omitted, defaults to false. |
-Dignition.https.sts.preload | New in Ignition version 8.1.5. This parameter allows websites to tell the browser to only connect using HTTPS. It can be set to "true" or "false" to enable or disable the preload directive of the Strict-Transport-Security header. If omitted, defaults to false. |
wrapper.java.additional.1=-Dignition.https.sts.maxAge=5000
wrapper.java.additional.2=-Dignition.https.sts.includeSubDomains=false
wrapper.java.additional.3=-Dignition.https.sts.preload=true
Referrer Policy
The following system properties interact with the Referrer-Policy header. By default, the header is enabled with a value of strict-origin-when-cross-origin.
System Property | Description |
---|
-Dignition.http.header.referrer_policy.enabled | Allows you to enable or disable the Referrer-Policy header. Expects a true or false value. |
-Dignition.http.header.referrer_policy.value | Sets the value of the Referrer-Policy. |
wrapper.java.additional.1=-Dignition.http.header.referrer_policy.enabled=true
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=strict-origin-when-cross-origin
X Content Type Options
The following system properties interact with the X-Content-Type-Options header. By default, the header is enabled with a value of nosniff.
System Property | Description |
---|
-Dignition.http.header.x_content_type_options.enabled | Allows you to enable or disable the X-Content-Type-Options header. Expects a true or false value. |
-Dignition.http.header.x_content_type_options.value | Determines the value of the X-Content-Type-Options. |
wrapper.java.additional.1=-Dignition.http.header.x_content_type_options.enabled=true
wrapper.java.additional.2=-Dignition.http.header.x_content_type_options.value=nosniff
X Frame Options
The following system properties interact with the X-Frame-Options header. By default, the header is enabled with a value of SAMEORIGIN.
System Property | Description |
---|
-Dignition.http.header.x_frame_options.enabled | Enables or disables the X-Frame-Options header. |
-Dignition.http.header.x_frame_options.value | Determines the value of the X-Frame-Options header. |
wrapper.java.additional.1=-Dignition.http.header.x_frame_options.enabled=true
wrapper.java.additional.2=-Dignition.http.header.x_frame_options.value=SAMEORIGIN
X XSS Protection
The following system properties interact with the X-XSS-Protection header. By default, the header is enabled with a value of 1; mode=block.
System Property | Description |
---|
-Dignition.http.header.x_xss_protection.enabled | Enables or disables the X-XSS-Protection header. |
-Dignition.http.header.x_xss_protection.value | Determines the value of the X-XSS-Protection header. |
wrapper.java.additional.1=-Dignition.http.header.x_xss_protection.enabled=true
wrapper.java.additional.2=-Dignition.http.header.x_xss_protection.value=1; mode=block
HTTP Client Manager
The following feature is new in Ignition version 8.1.12.
The following system properties interact with the platform's HTTP Client. These settings allow you to configure how the IdP system and Perspective's HTTP Bindings parse cookies, handle idle HTTP connections, and respect proxy settings.
System Property | Description |
---|
-Dignition.http.client.manager.cookieSpec | Controls the cookie parsing behavior of the HTTP Client. This system property may take one of the following values: default: Default cookie specification that picks up the best matching cookie policy based on the format of cookies sent with the HTTP response; netscape: This CookieSpec implementation conforms to the original draft specification published by Netscape Communications. It should be avoided unless absolutely necessary for compatibility with legacy applications; standard: Standard CookieSpec implementation that enforces a more relaxed interpretation of the HTTP state management specification (RFC 6265, section 5) for interoperability with existing servers that do not conform to the well-behaved profile (RFC 6265, section 4); standard-strict: Standard CookieSpec implementation that enforces syntax and semantics of the well-behaved profile of the HTTP state management specification (RFC 6265, section 4). |
-Dignition.http.client.manager.socket.keepalive | When set to true, HTTP connections issued from the HTTP Client will set the SO_KEEPALIVE flag on the underlying socket, enabling keepalive. Enabling keepalive maintains a connection between a client and the server, reducing the number of TCP and SSL/TLS connection requests. You must also enable and configure keepalive settings on the OS running the Gateway. See KeepAlive Configuration. |
-Dignition.http.client.manager.pool.idleConnectionCheckInterval | An integer representing the duration in seconds between each check for idle connections. This value is ignored when maxIdleConnectionTime is less than or equal to zero. If this value is undefined or less than or equal to zero, then the interval is set to match maxIdleConnectionTime. |
-Dignition.http.client.manager.pool.maxIdleConnectionTime | An integer representing the number of seconds that a connection in the HTTP connection pool may be idle (i.e. no data is sent or received on the socket) before it is evicted and closed. If set to any number less than or equal to zero or undefined, idle connection eviction will be disabled. |
-Dignition.http.client.manager.proxy.enabled | If set to true, the HTTP Client will respect the JVM's system default proxy settings. Default value if undefined is false. |
wrapper.java.additional.1=-Dignition.http.client.manager.cookieSpec=standard-strict
wrapper.java.additional.2=-Dignition.http.client.manager.socket.keepalive=true
wrapper.java.additional.3=-Dignition.http.client.manager.pool.idleConnectionCheckInterval=60
wrapper.java.additional.4=-Dignition.http.client.manager.pool.maxIdleConnectionTime=300
wrapper.java.additional.5=-Dignition.http.client.manager.proxy.enabled=true
KeepAlive Configuration
For Windows:
Open the Registry Editor.
Navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
If parameters for \KeepAliveTime and \KeepAliveInterval do not exist, create them: click Edit > New > DWORD (32-bit) Value.
Add the following parameters:
Name | Data Type | Range | Default value |
---|
KeepAliveTime | REG_DWORD | 0x1–0xFFFFFFFF (milliseconds) | 0x6DDD00 (7,200,000 milliseconds = 2 hours) |
KeepAliveInterval | REG_DWORD | 0x1–0xFFFFFFFF (milliseconds) | 0x3E8 (1,000 milliseconds = 1 second) |
Exit the Registry Editor.
Restart the computer for changes to take effect.
For Linux:
For Linux systems, there are three parameters to change:
Name | Default value |
---|
tcp_keepalive_time | 7200 (seconds) |
tcp_keepalive_intvl | 75 (seconds) |
tcp_keepalive_probes | 9 (number of probes) |
Edit /etc/sysctl.conf:
Add the following settings:
net.ipv4.tcp_keepalive_time = #newvalue
net.ipv4.tcp_keepalive_intvl = #newvalue
net.ipv4.tcp_keepalive_probes = #newvalue
Note: By default, the maximum size is kept low on the default installation to prevent DoS attacks. We do not recommend changing this, especially if the Gateway isn't in a closed network.
This parameter allows you to limit the amount of data that can be posted back to the Gateway from a browser or other client. Generally, this is useful to increase the maximum size for Web Dev POST requests. More information about this parameter can be found in Jetty's documentation.
wrapper.java.additional.1=-Dorg.eclipse.jetty.server.Request.maxFormContentSize=2000000
Internal Database Connection Timeout
The following feature is new in Ignition version 8.1.16.
The default maximum time that the Gateway will wait for a connection to an internal database is 30 seconds. This parameter allows you to override this setting and increase the maximum wait time.
wrapper.java.additional.1=-Dignition.internalDbMaxWait=60000
Internal Database Maintenance Tasks
Internal Database VACUUM Operation
The following feature is new in Ignition version 8.1.23.
Starting in 8.1.23, a VACUUM operation is executed against the internal database upon Gateway startup by default. This operation reclaims unused disk space, trimming down on both the time it takes for auto-backups to complete, as well as the overall size of the internal database itself. This action can be disabled by using the following parameter.
wrapper.java.additional.1=-Dignition.skipConfigDbVacuum=true
Internal Database Legacy Tag Cleanup
The following feature is new in Ignition version 8.1.23.
Upon Gateway startup, you can conduct a cleanup task on old 7.X.X SQLTAG tables. This helps to reduce bloated internal databases, save disk space, and potentially improve Gateway performance. Using the following parameter will opt the Gateway in for performing this cleanup task.
wrapper.java.additional.1=-Dignition.tags.cleanupLegacyTagTables=true
Internal Database Project Table Cleanup
The following feature is new in Ignition version 8.1.23.
Upon Gateway startup, a cleanup task is conducted on old 7.X.X project tables. This helps to trim down internal databases, providing more space for other operations, and may improve Gateway performance. The following parameter will allow you to skip this cleanup operation.
wrapper.java.additional.1=-Dignition.projects.skipProjectRecordTableCleanup=true
Hosted Launcher Installers
Normally, each Ignition Gateway includes files for the various launchers. When you download a launcher from a Gateway, it simply streams its local launcher files. However, you can override this behavior, causing the Gateway to ignore its local launcher files and instead download launchers from the internet. This is an uncommon configuration for most cases, as it was devised primarily to aid with systems where memory limitations are strict (such as physical devices that include preinstalled Ignition Gateways).
Enabling Hosted Launchers
The following parameter (and value) enables the use of hosted launchers. While enabled, the Gateway will only ever attempt to retrieve the hosted launchers, meaning it will ignore the local launcher files.
wrapper.java.additional.1=-Dignition.hostedLaunchers=true
Hosted Launcher Version
By default, enabling Hosted Launchers will cause the Gateway to retrieve version-appropriate launchers: 8.0.0 launchers for 8.0.0 Gateways, 8.1.0 launchers for 8.1.0 Gateways, etc.
The parameter below can be used to explicitly state which launcher version to retrieve. Generally, this is not recommended, but can potentially be useful if you're looking for a specific launcher version. It requires that -Dignition.hostedLaunchers is set to "true".
wrapper.java.additional.1=-Dignition.hostedLauncherVersion=8.1.0
Automatic Thread Dump Sample Rate
The following feature is new in Ignition version 8.1.13.
The following parameter can be used to override the default sample rate for Automatic Thread Dumps.
wrapper.java.additional.1=-Dignition.automaticThreadDump.sampleRate=60
Ignition Edition
You can specify which edition of Ignition a Gateway should be set to with the parameter demonstrated below.
wrapper.java.additional.1=-Dedition=standard
Caution: Ignition Gateway Licenses are matched to a specific edition. Changing the edition of an Ignition Gateway that is already licensed can result in the license becoming invalidated. It's recommended that you unactivate a license on a gateway before changing its edition.
Values
- Standard Ignition - standard
- Ignition Edge - edge
- Ignition Maker - maker
Loading Unsigned Modules - "Developer Mode"
Normally, an Ignition Gateway will not allow unsigned modules to be installed. This restriction can be disabled with the flag below. This is normally done in cases where a user is developing a custom module and wants to install it without having the module signed.
wrapper.java.additional.1=-Dignition.allowunsignedmodules=true
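An added example, not part of the Ignition documentation: a Python audit of an ignition.conf for the security-relevant parameters on this page (the Strict-Transport-Security and header toggles, maxFormContentSize, and the unsigned-module flag above). The sample file, the function names and the `form_limit` threshold are assumptions; repeated `wrapper.java.additional.N` indexes are flagged because indexes are expected to be unique in a real file, whereas each snippet on this page starts again at 1.

```python
import re

# Header toggles the page documents as enabled by default.
DEFAULT_ON = ("referrer_policy", "x_content_type_options",
              "x_frame_options", "x_xss_protection")
LINE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*-D([^=\s]+)=(.*?)\s*$")

def parse(conf_text):
    """Return ({property: value}, [wrapper indexes used more than once])."""
    props, seen, dupes = {}, set(), []
    for line in conf_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # comments, blank lines, arguments that are not -Dkey=value
        idx, key, value = int(m.group(1)), m.group(2), m.group(3)
        if idx in seen:
            dupes.append(idx)
        seen.add(idx)
        props[key] = value
    return props, dupes

def audit(conf_text, form_limit=2_000_000):
    """Return findings; form_limit is an assumed review threshold, not a vendor value."""
    props, dupes = parse(conf_text)
    findings = [f"duplicate index wrapper.java.additional.{i}" for i in dupes]
    sts = props.get("ignition.https.sts.maxAge", "0")
    if not sts.isdigit() or int(sts) == 0:
        findings.append("Strict-Transport-Security disabled (maxAge unset or 0)")
    for name in DEFAULT_ON:
        if props.get(f"ignition.http.header.{name}.enabled", "true").lower() == "false":
            findings.append(f"{name} header disabled")
    if props.get("ignition.allowunsignedmodules", "false").lower() == "true":
        findings.append("unsigned modules allowed (developer mode)")
    size = props.get("org.eclipse.jetty.server.Request.maxFormContentSize")
    if size and size.lstrip("-").isdigit() and not 0 <= int(size) <= form_limit:
        findings.append(f"maxFormContentSize={size} outside review limit")
    return findings

# Constructed sample, not taken from a real Gateway.
SAMPLE = """\
wrapper.java.additional.1=-Dignition.https.sts.maxAge=31536000
wrapper.java.additional.2=-Dignition.http.header.x_frame_options.enabled=false
wrapper.java.additional.2=-Dignition.allowunsignedmodules=true
wrapper.java.additional.3=-Dorg.eclipse.jetty.server.Request.maxFormContentSize=50000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```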
Project Directory Scan Rate
This setting dictates how often the Ignition Gateway will scan its project directory for changes. As of Ignition 8.1.0 this was changed to a 300 second rate (from a 10 second rate), but it can be configured. This is useful in cases where project files are being modified from external sources and the Gateway needs to be aware of these changes in a more timely manner. The argument below expects an integer, which represents a number of seconds.
wrapper.java.additional.1=-Dignition.projects.scanFrequency=100
Ignored Project Directory Files
The following feature is new in Ignition version 8.1.15.
This setting allows users to specify a list of folders in the project directory that the Ignition Gateway will ignore when scanning for changes. By default, the Gateway will ignore changes to any files located within folders with the name ".git", ".svn", or ".hg". The argument below expects a list of additional folders to ignore, using the ':' character as a file separator.
wrapper.java.additional.1=-Dignition.projects.ignoredFiles=Folder1:Folder2:Folder3
Redundant Alarm Runtime Limit
In redundant systems, both alarm event and alarm shelf items wait in separate queues on the active node before they're transferred to the inactive node. Normally the active node sends recently changed alarm events and shelve events to the inactive node as they occur. However, if the queue becomes full, the active node will pause this behavior and send a full transfer to the inactive node, ensuring that the state of events on the inactive node is accurate.
System Property | Description |
---|
-Dalarm.redundancy.runtimeupdates.max | Determines the maximum size of the alarm events queue. Defaults to 2,000,000 if omitted. |
-Dalarmshelf.redundancy.runtimeupdates.max | Determines the maximum size of the alarm shelf queue. Defaults to 2,000,000 if omitted. |
wrapper.java.additional.1=-Dalarm.redundancy.runtimeupdates.max=1000000
wrapper.java.additional.2=-Dalarmshelf.redundancy.runtimeupdates.max=1000000
Web Server
The following parameters are used to configure Ignition's default settings for web requests that are not configured in some other, more specific manner, such as Perspective Route Handling. These settings usually do not need to be modified, but a higher value may help mitigate issues on very busy systems.
System Property | Description |
---|
-Dignition.routes.defaultConcurrency | Determines the number of concurrent sessions allowed to acquire a lock per webserver route. The lock must be acquired within two seconds of an incoming request, or the request will return an error. Default is 5. |
wrapper.java.additional.1=-Dignition.routes.defaultConcurrency=5