Advanced Configuration
Cryptshare System Properties
By placing an additional settings file called 'cryptshare.properties' into the Cryptshare installation folder, certain parts of the Cryptshare Server can be influenced in their behavior. These settings are intended for use when experiencing problems with the Cryptshare Server. As of now, settings regarding the following parts of the application can be made:
-
Optimizing the database
-
Skipping of certain operations during cleanup (Cleanup Task)
-
Sizing of the thread pool for encryption threads
-
Maximum timeout for a pending Backup Task
|
cryptshare.properties does not exist
By default, the 'cryptshare.properties' file is not part of the Cryptshare Installation and has to be created first:
<configuration-flag>=<configuration-value>
|
|
Instant auto-reload
Please note, that when introducing or changing the contents of this file, a system restart is required. The settings file will automatically be re-initialized upon change but there are Values which require a restart.. |
# EN: Documentation see here: https://documentation.cryptshare.com/w/CSSCurrent_en:Advanced_Configuration upload.html.maxerrors=100 mainPoolSize = 150
Database
Database Connection Pool
Depending on the requirements of your Cryptshare Server and the expected load it might be necessary to increase resource allocation for the database.
Calculating Pool Sizes
The following formula can be used to calculate an appropriate pool size:
(cpu_core_count * 2) + 1 |
Here are some examples with the pool size rounded up:
| CPU Cores | 2 | 4 | 8 | 16 |
|---|---|---|---|---|
Pool Size |
5 |
10 |
20 |
35 |
|
Note that both a too small or too large pool size can negatively impact performance. If the pool size is too small, the available system resources will not be fully utilized and requests may have to wait until the pool frees connections. If the pool size is too high, requests may slow down as the CPU cores must be shared. |
database.connection.maxPoolSize=<int> database.connection.minIdlePoolSize=<int>
|
Default Setting: '5' (for both) <int>: Numeric value specifying the connection pool size |
Skipping Cleanup Task Steps
The cleanup task consists of several steps executed in subsequent order. If due to database inconsistencies or internal database errors one of these steps cannot finish its operations properly or gets stuck, the respective step can be skipped in order to be able to finish the rest of the cleanup operation.
|
Please note that skipping cleanup steps is not recommended unless you are experiencing issues which cause the cleanup task not to finish its cleanup procedure. |
Steps which can be skipped
In order to find out which cleanup step is responsible for errors you can check the system log and deactivate this step by applying the respective Cryptshare system property.
LockData Cleanup Step
cleanup.skip.lockData = <true|false>
LockData is an internal record keeping track of wrong-password attempts within the Cryptshare download section. This data will be removed from the system as soon as it is not required any more. For instance if a transfer record has been archived.
|
This step can be skipped without risk. However, if not active, the database will fill up with lock data records not required anymore. |
Verification Cleanup Step
cleanup.skip.verifications = <true|false>
Verification records are the server-side representation of verified users. Expired verifications will be removed from the system.
|
This step can be skipped without risk. However, if not active, the database will fill up with expired verification records. |
Timeout for pending BackupTask
If the database backup has been enabled, the backup task is configured to wait for other tasks to finish their operations before executing the backup. However it can happen, that theses tasks are not finished properly so that the backup task would be waiting infinitely. The maximum timeout setting configures the backup task to continue with its operations regardless of the fact that there are still running tasks. The default value is set to 60 minutes.
backup.maxWait=<int>
|
<int> : Numeric value specifying the timeout in minutes, i.e. '60' Default: 60 |
Performance Adjustment
|
Please do not change these settings unless you are experiencing problems. |
Encryption Thread Pool
The size for the Cryptshare encryption thread pool defines the amount of parallel file encryption operations for Cryptshare Transfers. The default setting is set to 30. This means, that on a Cryptshare server with this setting 30 parallel encryption processes can be initiated. The next process which would exceed this maximum will be put into a queue and will be started as soon as a thread from this pool is available again. This parameter not only influences the size of the encryption thread pool, but also affects the number of parallel gathering processes of the pre-processing result, if the display of pre-processing results is activated.
|
Please note, that this setting can have a noticable impact on CPU and memory usage.
|
mainPoolSize=<int>
|
<int>: Numeric value specifying the thread pool size Default: 30 |
Mailing Thread Pool
The size for the Cryptshare mailing thread pool defines the amount of parallel mail sending operations. Please note that email servers often only allow a limited number of simultaneous connections. If you adjust this parameter, make sure that your email server is able to handle this increased quantity.
mailingPoolSize=<int>
|
<int>: Numeric value specifying the thread pool size Default: 5 |
Download Decryption Buffer
|
Cryptshare works with an AES algorithm. This algorithm is known to be much more resource-intensive when decrypting than when encrypting. Depending on how the system is mainly used, a change of the decryption buffer size can either increase or decrease CPU/Memory consumption. |
The default setting for the decryption buffer is 2MB. This is a good setting for a server handling both, small and large files. If the server however is mostly handling larger files, increasing the buffer size can considerably improve the CPU consumption. However, this will increase memory usage.
|
Please note, that this setting should be handled with caution as it can have a massive impact on CPU and memory use. |
decrypt.buffer=<int>
|
<int>: Numeric value specifying the buffer size in bytes. Default: 2097152 (2MB) |
Download Delay
Under high load, the Cryptshare Server delays the decryption of files being downloaded to improve responsiveness of the Cryptshare Server. This behavior can be disabled if it causes problems.
|
This property can be set to "false" without a server restart and it will be instantly applied. When setting it to "true", a restart is required. |
decrypt.delay=<true++{{++!}}false>
HTML5 Transfer Settings
HTML5 Parallel Upload Streams
|
Please do only change this parameter if experiencing performance issues such as interrupted HTML5 uploads due to too high I/O activity or CPU load. Please also note, that decreasing this parameter will also slow down the HTML5 upload rate. |
upload.html.parallel=<int>
|
<int>: Numeric value specifying the maximum amount of parallel HTML5 upload streams. Default: 5 Maximum: 5 |
HTML5 Cleanup Tracker Timeout
|
In HTML5 transfer mode every upload stream is kept under surveillance by a Cleanup Tracker which makes sure, that upload files of interrupted transfers will be removed from the system. On bad internet connections however, the default timeout setting of 10 minutes can be too short and ongoing HTML5 uploads are interrupted before the transfer is complete. In order to avoid this behavior, the default timeout setting can be increased. |
upload.html.timeout = <timeout in minutes>
|
<timeout in minutes>: Numeric Integer value specifying the timeout value in minutes Default: 10 Allowed: Integer between 1 and 60 |
HTML5 Client Error Count
|
The HTML5 transfer mode is capable of proceeding a transfer even when the http connection temporarily gets interrupted or is so bad that many requests are running into a timeout. If such an error occurs the client will try to re-send the failed packages until either all packages were transferred successfully or the error counter has exceeded. In case the error count has exceeded the client will cancel the transfer. If your clients often run into this problem it is possible to increase the maximum error count so that clients won’t cancel a transfer so quickly. |
upload.html.maxerrors = <20-5000>
|
<int>: Number to set for the error count Default: 100 Allowed: 20-5000 |
LDAP Settings
Connection pool
To increase the performance of LDAP requests, Cryptshare uses a pool of already established connections. They can be used and re-used for LDAP requests. It is possible to configure the minimum (initial) and maximum number of simultaneously established connections.
ldap.initialConnections=<int>
ldap.maxConnections=<int>
|
<int>: Numeric integer value that specifies the number of connections. Default initial number: 5 Default maximum number: 20 |
Alternatively, connection pools can be deactivated completely. When deactivated, the parameters ldap.initialConnections and ldap.maxConnections won’t have an effect anymore. By default, connection pools are activated and can be deactivated, if necessary.
ldap.connectionPooling = <true++{{++!}}false>
|
Default: true (enabled) |
Timeouts
A timeout specifies the maximum time that is allowed to perform a certain task. Regarding LDAP, there are two timeouts that can be configured: Connection timeout: Allowed time to establish a connection to an LDAP server. Response timeout: Allowed time recieve a response to a submitted request.
ldap.connectTimeout=<int>
ldap.responseTimeout=<int>
|
<int>: Numeric integer value that specifies the time in milliseconds. Default connection timeout: 5000 (5 seconds) Default response timeout: 20000 (20 seconds) |
Referrals
Some LDAP directories are partitioned / distributed and contain entries that refer to other directories (so-called referrals). Optionally, the automatic resolution of these references through an additional connection can be enabled. If the resolved reference again contains a reference, this will not be resolved.
ldap.followReferrals=<true++{{++!}}false>
|
Default: false (disabled) |
Security Setting Rate Limiting
Rate Limiting for Requesting a Verification Code
In order to limit the number of verification requests per minute to prevent DoS attacks and mail flooding, rate limiting for requesting a verification code is active. The number of verification codes that can be requested per minute is limited to 25 by default.
|
Info
For handling rate limit requests, additional response headers are available. See Rate limiting |
verification.verificationsPerMinute=<int>
|
<int>: Numeric integer value that specifies the number of verification code requests per minute. Default: 25 This feature is deactivatable by setting the value to 0. |
Content Security Policy
Adding other URLs as resources inside the Cryptshare Web App
Content Security Policy (CSP) is an additional security mechanism that helps to recognize and mitigate certain types of attacks, e.g. cross-site scripting (XSS). For this purpose, a so-called CSP header can be used, which only allows the client (browser) to access certain defined resources. This can, for example, prevent an attacker from executing malicious code from an unknown source. By default, the Cryptshare Server only allows the use of resources from the server’s domain.
For security reasons, the loading of images and scripts from other URLs cannot be activated for the Administration Interface. Therefore, all changes with these two parameters only affect the Cryptshare Web App. If images from other URLs are set as individualized advanced CSS, then they will not be visible in the Web App Preview inside the Admin Interface.
Parameters for adding other URLs as resources
csp.fetchDirectives.urls=<string>
|
<string>: Comma-separated list of URLs that may be used for resources Default: "" |
Example: To add the additional URLs "https://example.com/my-logo.png" and "https://app.example.com/images/image.svg", set the value to "https://example.com,https://app.example.com".
Please note that this only allows images and fonts from other URLs to be loaded by default. If you want to include scripts from other URLs, you must also configure the following parameter:
Parameter to allow scripts to be loaded from other URLs
csp.fetchDirectives.allowScriptsFromUrls=<true|false>
Default value: false
|
Please note that in order to allow scripts from other URLs the Content-Security header for scripts will be set to unsafe-inline and unsafe-eval that leads to reduced security. |
Additional security headers
Cross-Origin-Embedder-Policy
When this option is enabled, the Cryptshare server sends the ‘Cross-Origin-Embedder-Policy’ header with all responses. By default, this header is sent with the value ‘credentialless’ to enhance the security of embedded resources.
Parameter to enable/disable the Cross-Origin-Embedder-Policy
headers.coep.active=<boolean>
Default value: true
Parameter to set the Cross-Origin-Embedder-Policy
headers.coep.value=<string>
Default value: credentialless
Cross-Origin-Resource-Policy
When this option is enabled, the Cryptshare server sends the “Cross-Origin-Resource-Policy” header with all responses. By default, this header is sent with the value ‘same-origin’ to restrict which origin domains are permitted to load resources from the server.
Parameter for enabling/disabling the Cross-Origin-Resource-Policy
headers.corp.active=<boolean>
Default value: true
Parameter for setting the Cross-Origin-Resource-Policy
headers.corp.value=<string>
Default value: same-origin
Permissions Policy
When this option is enabled, the Cryptshare server sends the ‘Permissions-Policy’ header with all responses. By default, this header is sent to restrict access to browser functions for all origin domains.
Parameters for enabling/disabling the Permissions Policy
headers.pp.active=<boolean>
Default value: true
Parameter for setting the Permissions Policy
headers.pp.value=<string>
| Default value: geolocation=(), camera=(), microphone=(), payment=(), usb=(), midi=(), accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), encrypted-media=(), gyroscope=(), magnetometer=(), picture-in-picture=(), speaker-selection=(), sync-xhr=(), vr=() |
X-Permitted-Cross-Domain-Policies
When this option is enabled, the Cryptshare server sends the ‘X-Permitted-Cross-Domain-Policies’ header with all responses. By default, this header is sent with the value "none" to prevent Flash or PDF clients from requesting cross-domain policy files.
Parameters for enabling/disabling X-Permitted-Cross-Domain-Policies
headers.xpcdp.active=<boolean>
Default value: true
Cross-Origin-Opener-Policy
When this option is enabled, the Cryptshare server sends the ‘Cross-Origin-Opener-Policy’ header with all responses. By default, this header is set to ‘same-origin-allow-popups’ to allow pop-ups, but only from the same origin.
Parameter to enable/disable the Cross-Origin-Opener-Policy
headers.coop.active=<boolean>
Default value: true
Prioritisation of file types in EML Archiving and EML Download
Prioritization of file types for EML Archiving and EML Download
Using EML archiving and EML Download it is possible to set a attachment total file size limit for attachments put into the generated EML file. When the total attachment file size exceeds the set limit, files are attached to the EML file using a prioritization list of file types where file type extensions at the start have a higher priority than those after them. File types not in the list have the lowest priority. If an empty string is provided as prioritization list, this file type prioritization behavior is disabled.
|
Info
You can find more information for the EML Archiving in the article Activating the Archiving Feature. |
reaching the file size limit
eml.attachmentFileTypeOrder=<csv>
|
<csv>: Comma-separated list of file extensions Default: eml,pdf,docx,doc,xlsx,xls,txt,ppt,pptx |
Further Configuration Flags
Cleaning up orphaned temporary upload files
While files are being uploaded during a transfer, this data is written to a temporary upload directory. Due to technical reasons it is however possible that those files are not always deleted afterwards. Therefore, an additional cleanup step which is executed during the execution of the Cleanup Task takes care of those orphaned files and removes them from the disk if they are older than 24 hours.
cleanup.skip.tmpfiles=<true++{{++!}}false>
|
Default: true |
Log Verbosity for ongoing uploads
In order to enable the administrator to better notice running uploads, an informal log entry is written after a certain number of upload requests. A file upload usually consists of several upload requests. The counting is done across transfers.
INFO 2016-04-29 08:45:51 CS3System - (com.cryptshare.wicket.request.HTML5FileItemFactory@1771fb9f) - Cryptshare upload in progress.
Depending on the upload activity of this server there might be too many or to few of these entries. In either way, the counter for this feature can be changed accordingly.
upload.logverbosity=<int>
|
<int>: Numeric value to set after how many upload requests a log entry should be written. Default: 1000 |
Performing a backup before an update
Usually before an update is performed, a rollback-compatible backup will be made. In case, there’s something wrong with the backup procedure so that it avoids performing the update, this step can be disabled.
update.backup=<true++{{++!}}false>
Default: true
Maximum File Size for the Cryptshare Content Viewer
The Content Viewer in the download section of Cryptshare only opens files smaller than 2MB. For security reasons the viewer only opens these files in memory which can massively increase the memory consumption.
|
Memory Consumption
Please note, that depending on your available memory and the average user load on the server memory consumption can increase drastically if you increase this setting. |
|
This value also affects the display of the confidential message in the download page. |
Increasing the maximum file size of the Content Viewer
viewer.maxSize = <int>
|
<int> = Integer defining the maximum file size in MB. Default: 2 |
File Type Filter Max. Buffer Size
When the embedded file analysis of the file type filter is active, supported files are opened and scanned for their contents. In the case of MS Office files, this analysis can require large amounts of memory when working with larger files. If files cannot be scanned due to this, the following parameter can be set to a large value to allow scanning these files, at the cost of increased memory consumption.
Increasing the maximum buffer size when analyzing office files
fileTypeFilter.byteArrayMax= <int>
|
Integer defining the maximum size of the buffer to use when analyzing office files. Default: 100000000 (100 Million Bytes = 100 MB) |
Virtual Hosts Restriction
By default, the Cryptshare Server will respond to HTTP requests regardless of the contents of the 'Host'-header. To protect against Host-Header-Injection-Attacks, the server can be configured to block requests with a Host-header that is not the canonical host of this system.
Restrict Host-headers
virtualHosts.restrict= <true{{!}}false>
|
If Host-headers in requests should be restricted. If enabled, only the host of the configured base-URL as well as additional hosts from `virtualHosts.additional` are accepted. Default: false |
Additional Virtual Hosts
If `virtualHosts.restrict` is enabled, `virtualHosts.additional` can be used to add additional hosts the server is available under.
Add additional virtual host
virtualHosts.additional= <string>
|
Comma-separated host names (besides the configured base URL) under which this Cryptshare Server is available. See https://www.eclipse.org/jetty/documentation/jetty-9/index.html#configuring-a-virtual-host for details on the syntax. Default: "" |
Example: To add the additional virtual hosts 'example.com' and 'app.example.com', set the value to 'example.com,app.example.com'