
Back-End Settings

The settings in the backend category are used for optimizing Key Manager performance in various hardware and network setups. More specifically, this section includes settings for:

  • Back-end performance

  • Scheduling for system-level jobs

  • Proxy settings

CSV download policy

Defines how CSV downloads are handled in the UI:

  • Disabled: All CSV downloads are disabled

  • Default: Default Excel quoting. Fields containing the separator character (',') are enclosed in double quotes. Any double quotes inside the field are doubled.

  • Strict: All fields are prepended by a single quote to force Excel to interpret the field as text, not a formula or macro. Fields are enclosed in double quotes whether or not they contain the separator character. Any double quotes inside the field are doubled.

    note

    This setting is backend-specific.
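The following added example (not Key Manager code) renders one row under the Default and Strict rules described above and checks which cells a spreadsheet would still see as starting with a formula character. The names `render_row`, `formula_cells`, `FORMULA_TRIGGERS` and the sample row are assumptions made for illustration.

```python
import csv
import io

# Assumption of this example: characters that make a spreadsheet treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Constructed sample row: a plain value, a value with quotes and a comma, a formula-like value.
SAMPLE_ROW = ["alice", 'note "a", b', "=1+1"]


def render_row(fields, policy):
    """Render one CSV row under the named download policy."""
    if policy == "disabled":
        raise PermissionError("CSV downloads are disabled")
    buf = io.StringIO()
    if policy == "default":
        # Quote only fields containing the separator or a quote; double embedded quotes.
        csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n").writerow(fields)
    elif policy == "strict":
        # Prepend a single quote to every field and quote every field unconditionally.
        writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
        writer.writerow(["'" + str(field) for field in fields])
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    return buf.getvalue()


def formula_cells(csv_text):
    """Return the parsed cells whose first character is a formula trigger."""
    rows = csv.reader(io.StringIO(csv_text))
    return [cell for row in rows for cell in row if cell.startswith(FORMULA_TRIGGERS)]


if __name__ == "__main__":
    for policy in ("default", "strict"):
        text = render_row(SAMPLE_ROW, policy)
        print(policy, text.strip(), "formula cells:", formula_cells(text))
```

Under Default the `=1+1` cell reaches the spreadsheet unchanged; under Strict every cell begins with a single quote, so none starts with a trigger character.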

Frontend workers

Number of frontend workers responding to incoming HTTP requests. Try increasing this number if the user interface of PKM feels sluggish. You can also increase the number of requests a worker processes during its lifetime.

Frontend timeout

The duration after which a worker process times out. Increase this value if you expect some queries to the database to take time to complete.

Frontend worker max requests

How many requests a worker is allowed to process during its lifetime. This value is there to guard against possible memory leaks. Try increasing this number if the user interface of PKM feels sluggish. You can also increase the number of frontend worker processes. The recommendation is to have the value reasonably low, but high enough so that the overhead from restarting processes remains tolerable. The default is 1024.

Frontend worker memory limit

How many MB of memory a worker is allowed to have after it has processed a request. If the amount of memory reserved by the worker process exceeds this value, the worker gets recycled. The default is 1024 MB.

Maximum processes

The maximum number of concurrent jobs that can run on a single Key Manager back end at any given time. Excess jobs are queued. Specified in number of jobs.

Increasing this value allows additional jobs to be processed at the same time, which allows jobs to be completed faster on sufficiently-powerful back ends. Lowering this value allows less-efficient back ends to complete a smaller number of jobs in a timely manner before taking on additional jobs. Setting this to 0 prevents the Key Manager back end(s) from starting new worker processes.

Maximum memory usage limit

When the memory usage on a Key Manager back end reaches this percentage, no new worker processes are started on that Key Manager back end until memory usage drops below the specified percentage. The default is 80 percent. Specified as a percentage of total memory (0 - 100).

Backend worker memory limit

How many MB of memory a worker is allowed to consume. Set to 0 to not limit memory consumption at all.

Maximum load multiplier

Maximum load average (of a single core) at which new jobs are started on Key Manager back ends. If the 1-minute average load per core exceeds this amount on a Key Manager back end, no new jobs are started on that Key Manager back end until the load has dropped below the load limit.

The recommended value for the load multiplier is between 1.0 and 2.0.

Socks proxies

Some of the hosts in the managed environment may have to be accessed via proxy servers. To reach such hosts, you can specify proxy settings for agentless connections.

Specify one proxy setting per line, in the following format:

IP[/bits] Proxy[:port]

Replace the example values as follows:

  • IP: The IP address of the host or network that you want to contact via Proxy.

  • bits (optional): The length of the bit mask. You can specify this to match the proxy setting to networks.

  • Proxy: The address of the proxy server that is used for connecting to the IP address(es).

  • port (optional): The number of the socks port on the Proxy server. If left unspecified, port 1080 is used.

As an example, the following proxy setting routes all connections bound to the 192.0.2.* network via the proxy server at 10.1.2.100 on port 1973:

192.0.2.0/24 10.1.2.100:1973

For more information about proxy settings, see Connecting to Hosts Via Proxies.
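The following added example (not Key Manager code) parses lines in the `IP[/bits] Proxy[:port]` format and reports which proxy a destination address would use, which is useful for checking a list before saving it. The function names are assumptions, the second sample line is constructed, and choosing the most specific network when entries overlap is an assumption of this example: the page does not say how overlapping entries are resolved. Proxy addresses are assumed to be IPv4 addresses or host names.

```python
import ipaddress

DEFAULT_SOCKS_PORT = 1080  # per the page, used when ":port" is omitted

# First line is the page's example; the second is constructed (single host, default port).
SAMPLE_CONFIG = """\
192.0.2.0/24 10.1.2.100:1973
192.0.2.17 10.1.2.101
"""


def parse_proxy_line(line):
    """Parse one 'IP[/bits] Proxy[:port]' line into (network, proxy_host, port)."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'IP[/bits] Proxy[:port]', got {line!r}")
    target, proxy = parts
    # strict=True rejects a network written with host bits set, e.g. 192.0.2.5/24.
    network = ipaddress.ip_network(target, strict=True)
    host, sep, port_text = proxy.rpartition(":")
    if not sep:
        host, port = proxy, DEFAULT_SOCKS_PORT
    else:
        port = int(port_text)  # non-numeric port raises ValueError
    if not host or not 1 <= port <= 65535:
        raise ValueError(f"invalid proxy {proxy!r}")
    return network, host, port


def parse_config(text):
    """Parse every non-blank line of a proxy setting."""
    return [parse_proxy_line(ln) for ln in text.splitlines() if ln.strip()]


def proxy_for(dest, rules):
    """Return (host, port) for dest, or None when no entry matches (direct connection)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in rules if r[0].version == addr.version and addr in r[0]]
    if not matches:
        return None
    _, host, port = max(matches, key=lambda r: r[0].prefixlen)  # assumed tie-break
    return host, port


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for dest in ("192.0.2.50", "192.0.2.17", "198.51.100.9"):
        print(dest, "->", proxy_for(dest, rules))
```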

Run internal jobs

Specify whether target back end(s) run internal jobs. Internal jobs perform system tasks such as scheduling jobs, gathering statistics, and cleaning old records.

note

Each Key Manager deployment must have at least one Key Manager server with internal jobs enabled.

Run host interaction api tasks

Specify whether target servers run host interaction API tasks. Front-end servers with this setting enabled are used by the script-based scans for API calls, and it must be enabled on at least one server.

Host interaction API workers

Number of worker processes running host interaction API tasks concurrently. The workers read incoming scan results from workers running script-based scans and store the results in the database. The number of host interaction API workers should correspond to the number of host interaction backend workers.

Host interaction backend workers

Number of worker processes running host interaction tasks concurrently. The tasks are mainly script-based scans.

Host interaction job timeout

Maximum duration of a job executed via script deployed on the target server. The default value is 3600 seconds.

If script-based scans are failing due to a SoftTimeLimitExceeded() error, this value should be increased. If targets for script-based scans have large variation in the number of users or keys, consider setting this value higher than the maximum value of expected scan time.

PKM Workload Reporting Level

A non-negative integer specifying the workload-reporting level:

  • 0 - Disable workload reporting. Saves system storage space.
  • 1 - Include SQL-query statistics in job logs. Usable for database-performance troubleshooting.

Periods interval

The rate at which target back end(s) perform periodic jobs, such as cleaning up hanging jobs, queuing jobs that can be started, and updating schedules. Specified in number of poll intervals. For example, if Poll interval is set to 5, and Periods interval to 12, then periodic jobs are performed every 60 seconds. Decreasing this setting allows the system to react faster to scheduling changes and to jobs that have reached their execution windows. Increasing this setting reduces system load.

Poll interval

The interval at which target back end(s) poll for and start queued jobs. Specified in seconds. Shortening the interval allows Key Manager to react faster to new jobs. Lengthening the interval reduces system load.

Entity ID

The ENTITY_ID used in SAML SSO. This is how the IdP recognizes you. FQDN is a good choice.

SAML metadata automatic configuration URL

The URL offering the IdP metadata. Alternatively, a Metadata local file path can be given.

SAML metadata local file location

File path for IdP metadata. Alternatively, a Metadata automatic configuration URL can be given.