Copyright © Mindbreeze GmbH, A-4020 Linz, 2023.
Identity Encryption Credential | This option allows you to display the user identity in encrypted form in app.telemetry. |
Cache In Memory Items Size | Number of elements stored in the cache. Depends on the available memory of the JVM. |
Database Directory Path | The directory path of the cache. Example: /data/principal_resolution_cache. If you are using a Mindbreeze Enterprise product, a path must be set. If you are using a Mindbreeze InSpire product, the path does not need to be set. |
Group Members Resolution And Inversion Threads | This option determines the number of threads that resolve group members in parallel and invert those groups. Values less than 1 are assumed to be 1. |
In-Memory Containers Inversion Threshold (Advanced Setting) | This option sets the maximum number of groups. If this number is exceeded, further RAM consumption during inversion is avoided by using hard disks. |
This option determines (in minutes) when the cache should be refreshed (default value: 60 minutes). Values below 0 disable the cache update. When the service starts, the last (persisted) cache update time is taken into account. This means that the cache is not necessarily updated when the service is stopped and started, for example, but only at the next time interval. | |
Readonly (Advanced Setting) | This option should only be used for Producer Consumer configurations. Consumer caches should have this option enabled if the "Readonly on Consumer" option is enabled in the Producer cache. |
Delete old cache after update | This option is enabled by default and determines whether the old cache data should be deleted after each update. If this option is disabled, old cache data will not be deleted. This data will accumulate on your storage device, so it is recommended that this option is always enabled. |
Backup cache before cleaning | If this option is selected, a copy of the cache is created in the /data/currentservice/<service name>/temp directory. |
Clean Cache Update Schedule | In this field you can configure cache cleanup and update using Extended Cron Expressions at specific times (documentation and examples of Cron Expressions can be found here) |
Clean Cache after each N updates | In this field, you can enter a number (N) for the cache to be cleared and rebuilt after a certain number of updates (N). |
Retry Update Cache Run If Was Incomplete In (Minutes) | This option determines (in minutes) when the cache should perform a new update process if an update was incomplete. Values below 0 disable the cache retry update. |
A health check automatically checks the connection to the cache and restarts the service if connection problems are detected.
This is done by sending a Health Check network request to the cache. If there is no response from the cache within the timeout period that is specified, this is considered to be a failure. This process is repeated until the maximum number of failures is exceeded or a response is received within the timeout.
If the maximum number of failures is exceeded, the cache service is automatically restarted.
Health Check Interval (Minutes) | This option specifies the time interval in minutes after which a health check should be performed. |
Health Check max. Retries On Failure | This option specifies how often the health check is repeated if it was not successful. If the number of repetitions specified here is exceeded, a restart is performed. |
Health Check Request Timeout (ms) | This option specifies the time in milliseconds within which the response must come back to the health check for the health check to be considered successful. |
Webservice Port | The service is available on the specified port. If multiple Principal Resolution Services are configured, make sure that they have different "Webservice Port" parameters and that they are available. |
Identity Alias Name Property | This option allows you to use properties in the identity to search for group memberships in the cache by their value. |
Lowercase Principals | With this option, all principals supplied by the cache are converted to lowercase. |
Preserve Case for Principals Matching Pattern | This option allows you to keep certain principals (defined by regex patterns) in their original format (not lowercase). |
Case Insensitive Member Resolution | This option determines whether users are checked regardless of their capitalization. |
Exclude Principals Pattern | This option allows you to remove specific principals for all users from their principals list. |
Suppress Anonymous Users Principals | This option can be used, for example, to suppress the "Everyone" principal for anonymous users, i.e. anonymous users cannot find public documents either. |
Suppress External Service Calls | The "Suppress External Service Calls" option prevents external services, e.g., LDAP, from being queried during the search. |
Resolve non-anonymous principal to all registered users. | This option determines whether "normal" (non-anonymous) users belong to the group that contains all users. |
Use Parent Principals Cache Service | If this option is enabled, additional groups of the user are resolved and delivered in another cache (Parent Cache). |
Parent Principals Cache Service Port | The port used for the "Use Parent Principals Cache Service" option if enabled. |
Parent Cache Principals Include Patterns | If empty, all parent cache principals are included, otherwise a parent principal must match at least one pattern (case-insensitive) to be included. |
Parent Cache Principals Exclude Patterns | Parent cache principals that match at least one pattern line (case-insensitive) are excluded. "exclude patterns" have priority over "include patterns". |
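The following added example (not Mindbreeze code) models how the case-handling, exclusion and parent-cache options in the table above shape the principal list a user ends up with. The configuration key names, the whole-string regex matching and the order of the steps are assumptions made for illustration; the sample principals are constructed.

```python
import re

def matches_any(patterns, value, flags=0):
    # Assumption: each pattern is a regex that must match the whole principal.
    return any(re.fullmatch(p, value, flags) for p in patterns)

def filter_parent_principals(parent, include, exclude):
    """Empty include list admits everything; matching is case-insensitive;
    an exclude match always wins over an include match."""
    kept = []
    for p in parent:
        if matches_any(exclude, p, re.IGNORECASE):
            continue
        if include and not matches_any(include, p, re.IGNORECASE):
            continue
        kept.append(p)
    return kept

def shape_principals(own, parent, cfg):
    """Assumed order: merge parent principals, drop excluded ones, then lowercase."""
    merged = list(own) + filter_parent_principals(
        parent, cfg["parent_include"], cfg["parent_exclude"])
    result = []
    for p in merged:
        if matches_any(cfg["exclude_principals"], p):
            continue  # Exclude Principals Pattern removes it for every user
        if cfg["lowercase"] and not matches_any(cfg["preserve_case"], p):
            p = p.lower()  # Lowercase Principals, unless Preserve Case matches
        if p not in result:
            result.append(p)
    return result

# Constructed sample configuration (hypothetical key names) and principals.
CFG = {
    "lowercase": True,
    "preserve_case": [r"S-1-5-.*"],
    "exclude_principals": [r"Domain Users"],
    "parent_include": [r"portal-.*"],
    "parent_exclude": [r".*-admins"],
}
OWN = ["CORP\\JDoe", "CORP\\Sales", "Domain Users", "S-1-5-21-1111-2222-3333-1105"]
PARENT = ["Portal-Readers", "PORTAL-ADMINS", "hr-all"]

if __name__ == "__main__":
    print(shape_principals(OWN, PARENT, CFG))
```

Note that "PORTAL-ADMINS" matches the include pattern but is still dropped, because the exclude pattern has priority.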
See Producer Consumer Configuration.
If “LDAP Connection Encryption” is selected, the “Connection Encryption” setting under “LDAP Settings” in the “Network” tab is overridden. The SSL protocol (LDAPS) on port 636 or the TLS protocol (StartTLS) on port 389 can be selected. If Unencrypted is selected, no encryption is performed.
If only certain groups or users are to be stored in the cache, the "Group Filters" or "User Filters" can be configured for this purpose. The filters must conform to the LDAP filter syntax. The cache can also be restricted to certain Active Directory organizational units by configuring the "Exclude Base DN" and "Include Base DN" options accordingly. The "Distinguished Name" of each user and group is compared with the individual lines of the configured "Include Base DN" and "Exclude Base DN" to include or exclude the user or group. The "Exclude Base DN" option is applied first.
"Include Principals Rule" allows you to add new principals for all users (if these users match a configured Regex pattern). It can also be used to create "pseudogroups", i.e. groups that implicitly contain all users. For example, with the "Pattern" .* (matches all) and the "Principal" myportal-users a pseudogroup myportal-users can be created. Each user is thus a member of the pseudogroup myportal-users.
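The added example below (not Mindbreeze code) works through the Base DN scoping and the "Include Principals Rule" described above. It assumes that a DN is compared as a case-insensitive subtree match, that an empty "Include Base DN" list includes everything, and that rule patterns must match the whole user name; the function names, DNs and the second rule are constructed for illustration.

```python
import re

def norm_dn(dn):
    # Simplified normalisation: trim whitespace around RDNs and fold case.
    # Escaped commas inside attribute values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def under(dn, base):
    # The leading comma keeps "OU=NotStaff" from matching a base of "OU=Staff".
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def in_cache_scope(dn, include_base_dns, exclude_base_dns):
    """'Exclude Base DN' is applied first, so an excluded subtree stays out
    even when it lies inside an included one."""
    if any(under(dn, b) for b in exclude_base_dns):
        return False
    if not include_base_dns:  # assumption: empty include list means no restriction
        return True
    return any(under(dn, b) for b in include_base_dns)

def apply_include_rules(user, principals, rules):
    """Each rule is (pattern, principal); a matching user gains the principal.
    The pattern '.*' therefore creates a pseudogroup containing every user."""
    out = list(principals)
    for pattern, principal in rules:
        if re.fullmatch(pattern, user) and principal not in out:
            out.append(principal)
    return out

# Constructed sample data.
INCLUDE = ["OU=Staff,DC=example,DC=com"]
EXCLUDE = ["OU=Service Accounts,OU=Staff,DC=example,DC=com"]
RULES = [(r".*", "myportal-users"), (r"adm-.*", "portal-operators")]

if __name__ == "__main__":
    for dn in ("CN=J Doe,OU=Sales,OU=Staff,DC=example,DC=com",
               "CN=svc-backup,OU=Service Accounts,OU=Staff,DC=example,DC=com",
               "CN=X,OU=NotStaff,DC=example,DC=com"):
        print(dn, in_cache_scope(dn, INCLUDE, EXCLUDE))
    print(apply_include_rules("jdoe", ["corp\\sales"], RULES))
```

Because a ".*" rule grants its principal to every user in the cache, any document ACL that names that pseudogroup is effectively open to all cached users.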
Select one of the configured caching principal resolution services in “Data Source”. For example, Caching LDAP Principal Resolution can be selected for a file system data source (in the screenshot “FS Data Source”).
On the producer node, click on "Add Property" in the "Consumer Services" section and configure the following fields:
Readonly on Consumer | This checkbox should be selected only on producer nodes of Mindbreeze InSpire environments with producer and consumer nodes. Local updates on all consumer nodes will be disabled. If Consumers Base URLs are configured, then only those configured consumers will be updated remotely. Explicit configuration of consumers is not recommended in situations where some consumer nodes are disabled or their role is changed in the MMC nodes setup. In such dynamic node situations, it is recommended to select only this checkbox; the consumers will then be detected automatically according to the current MMC nodes setup. |
Base URL | The URL to the Mindbreeze Management Center of the Mindbreeze InSpire consumer appliance. If hosted in the cloud, usually https://mycompany.mindbreeze.com:8443. Windows: the Base URL should be the consumer cache URL itself (HTTP), e.g. http://consumerhost:23900 |
Realm | The target realm used by the consumer appliance. Default: "master". Windows: Realm should be empty. |
Service Port | The Caching Principal Resolution Service Port on the Mindbreeze InSpire Appliance. Windows: Service Port should be empty. |
Disable | To disable updating the remote cache |
On InSpire environments with producer and consumer nodes, local cache updates are disabled on consumers if the “Readonly on Consumer” option is selected on producer nodes. On other environments, activate the "Readonly" checkbox manually. No further configuration is necessary. After each cache update on the producer, all consumer caches are automatically synchronized.
URL | Description |
http://localhost:23900/control?action=updatecache | Updates all containers. |
http://localhost:23900/control?action=updatecache&container=<containerid>&isunifiedid=false | Updates <containerid> only. |
http://localhost:23900/control?action=updatecache&partition=<partition> | Updates only one partition. |
http://localhost:23900/control?action=updatecache&scope=full | Performs a complete update. |
http://localhost:23900/control?action=updatecache&scope=clean | Performs a cleanup and a full update. |
http://localhost:23900/control?action=cancelupdate | Aborts a running update. |
http://localhost:23900/control?action=checkconsistency&individualid=<userid>&isunifiedid=false | Checks whether the cached principals of <userid> match the principals provided by the source. If “all” is used instead of <userid>, the check is performed for all users. |
http://localhost:23900/control?action=checkprincipals&individualid=<userid>&timeoutms=<milliseconds> | Returns the principals of <userid> from the cache. <userid> should not be a unified ID. |
http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&aliasnameattribute=<attribute>&aliasname=<aliasname>&timeoutms=<milliseconds> | Returns principals with alias names. <aliasnameattribute> should be the configured “Service Request Identity Alias Name Property.” |
http://localhost:23900/control?action=checkprincipals&individualid=“somestring“&isanonymous=true&timeoutms=<milliseconds> | Returns principals of anonymous users. |
http://localhost:23900/control?action=export&path=/data/tmp/export | Exports all database tables in CSV format. |
http://localhost:23900/control?action=reopencache&path=c:\newcache | Reopens the cache in an empty directory. The cache should be updated after reopening. |
http://localhost:23900/info?key=cachedir | Returns the currently used cache directory. |
http://localhost:23900/control?action=updateprincipalmembership&container=<container>&individuals=<individuals> | <individuals> List of individuals separated by ";" – e.g. user1; user2. |
http://localhost:23900/control?action=printstacktraces | Outputs the current status of all threads. |
http://localhost:23900/control?action=reset&aliasnames=true&partition=<partition> | Resets the alias names of a partition. |
http://localhost:23900/control?action=syncconsumers | All configured consumer caches are synchronized. |
http://localhost:23900/control?action=setLogCacheUpdateCalls&value=true | Enables debug logging of all the calls which the caching framework makes in order to get into its current state (can be deactivated with “value=false”). |