Reference: PCE Runtime Parameters

This section lists important PCE runtime configuration parameters, their meaning, their purpose, and their exposure levels.

When configuring the PCE with the illumio-pce-env setup script, you are prompted for many of these parameters. See Configure the PCE for information.

IMPORTANT:

  • The runtime_env.yml file contains sensitive information that should be kept secret, such as encryption keys. Take steps to ensure the confidentiality of this file.

  • The runtime_env.yml file is not included in automatic PCE backups. You must manually back up this file to a secure location.

Runtime File Exposure Levels

The Illumio PCE runtime_env.yml file provides the following exposure levels for PCE configuration:

  • Public Stable (public_stable): These runtime_env.yml parameters can be used by all customers. All changes are backward compatible.
  • Public Experimental (public_experimental): These runtime_env.yml parameters can be used by all customers but might change from release to release with no guarantee of backwards compatibility.

Required Runtime Parameters

The following table lists the required runtime_env.yml file parameters for each PCE software node you deploy. All required parameters have no default values. All paths configured in this file must be absolute.

Required

Description

Exposure

enabled_preview_features

Includes sub-parameters to enable identified preview features

 
install_root

The full path to the location of the PCE binaries and scripts

The software does not write to any files in this directory, so it can be read-only.

For example:

install_root: /opt/illumio-pce

Public Stable
runtime_data_root

The full path to the location where the PCE writes runtime data

This data can be deleted on reboot if necessary. This directory should have 700 permissions, but all of its files will have 600 permissions. This directory must be owned by the user that runs the PCE software.

For example:

runtime_data_root: /var/lib/illumio-pce/runtime

Public Stable
persistent_data_root

The full path to the location where the PCE writes persistent data

This data must persist across reboots for the software to work properly. This directory should have 700 permissions, but all of its files will have 600 permissions. This directory must be owned by the user that runs the PCE software.

For example:

persistent_data_root: /var/lib/illumio-pce/data

Public Stable
ephemeral_data_root

The full path to the location where the PCE writes temporary files

These files must not be deleted while the software is running, but they should be deleted on reboot. This directory should have 700 permissions, but all of its files will have 600 permissions.

NOTE:

Illumio does not recommend using /tmp due to the tmpwatch utility on RHEL/CentOS 6.

For example:

ephemeral_data_root: /var/lib/illumio-pce/tmp

Public Stable
log_dir

The directory where the PCE software writes some text file logs (although most PCE services log to syslog)

logrotate (or similar) should be used to manage these files.

For example:

log_dir: /var/log/illumio-pce

Public Stable
pce_fqdn

The fully qualified domain name (FQDN) of the PCE cluster

For example:

pce_fqdn: pce.mycompany.com

Public Stable

cluster_public_ips:

cluster_fqdn

The FQDN of your entire cluster

NOTE:

If you change the value of cluster_public_ips, wait for the paired VENs to receive the new IP addresses and begin heartbeating to them.

Public Stable
web_service_certificate

Full path to the X.509 public certificate used by this node for TLS

See TLS Requirements for more information on the contents of the certificate files.

For example:

web_service_certificate: /etc/pki/tls/certs/my_cert.crt

Public Stable
web_service_private_key

The RSA private key for TLS that matches the public certificate

The private key must be PEM encoded in PKCS#12 format without a password.

For example:

web_service_private_key: /var/lib/illumio-pce/cert/rsa_private_key.key

Alternatively, you can specify a script (using $ notation) that outputs the private key. This approach is useful when you need to store the key in a hardware security module (HSM) or other key store.

For example:

web_service_private_key: $ /var/lib/illumio-pce/cert/get_rsa_private_key.sh

This script can be located anywhere on the file system as long as it is executable by the ilo-pce user.

Example script output:

$ /local/scripts/get_rsa_private_key.sh

-----BEGIN RSA PRIVATE KEY-----

MIIE...

many lines trimmed here

-----END RSA PRIVATE KEY-----

Public Stable

email_address

Email sender address used by the PCE when sending emails from the system; for example, to send invitations and notifications

For example: 

email_address: noreply@exampleblocked_traffic.com

Public Stable
service_discovery_fqdn

The FQDN or IP address of the first core node

Public Experimental
service_discovery_encryption_key

The key used to encrypt Service Discovery node traffic.

This value must be the same for all PCE nodes. This key must be 16 bytes that are base64 encoded.

For example:

service_discovery_encryption_key: 05TlqH1W0cKcK797DV73yg==

Public Stable
node_type

The type of the PCE software node

Allowable values:

  • core: core node
  • data0: data node
  • data1: data node
  • snc0: single-node cluster
  • citus_coordinator: coordinator node for multi-node traffic database
  • citus_worker: worker node for multi-node traffic database

For example:

node_type: core

Public Stable
login_banner

A custom message on the PCE login screen typically used to display legal notice or company policy when a user logs in

Public Stable

Optional Runtime Parameters

The following table lists common optional runtime_env.yml file parameters for each PCE software node you deploy. Your Illumio Professional Services representative might provide additional parameters to configure certain advanced functions.

Optional

Description

Exposure

ven_repo_url

The base URL used to fetch the VENs and to enable workload pairing with the PCE

Required format: https://host[:port]/repo_dir

You can use alternate ports by specifying the port at the end of hostname. repo_dir cannot be empty.

For example:

https://repo.example.com:8443/onpremgCBURz8Y4zkGk1u7N9ialjPGlZ

Default: None

Public Stable
ven_repo_ips

IP addresses of the VEN repository

These IP addresses are injected into iptables to allow outbound access to the yum/apt get repositories without having to write an explicit PCE policy.

Setting this parameter allows outbound access on ports 80 and 443 to these IP addresses. You can specify both single IP addresses or IP addresses with CIDR notation.

When you do not specify this parameter, the VEN won't be allowed to access the repository containing VEN software packages.

For example:

ven_repo_ips: 
- 1.2.3.4 
- 5.6.7.8/8

Default: None

Public Stable
cluster_type

PCE cluster type

One of the following:

  • 4node_v0: 2x2 PCE cluster
  • 6node_v0: 4x2 PCE cluster
  • 4node_dx: 2x2 PCE cluster with multi-node traffic database
  • 6node_dx: 4x2 PCE cluster with multi-node traffic database

Default: 4node_v0

Public Stable
internal_service_ip

The IP address of the PCE

Set this value manually only when you want to use a public IP address or the PCE node has multiple interfaces.

For example:

internal_service_ip: 10.2.8.89

Default: The first available private IP address on the node

Public Stable
front_end_https_port

The front end HTTPS port

When the cluster is front-ended by a server load balancer, such as F5, it must be configured to forward this port.

For example:

front_end_https_port: 8443

Default: TCP 8443 if not set by front_end_management_https_port or front_end_https_port

Public Stable
front_end_event_service_port

 

The front end Event Service port

When the cluster is front-ended by a server load balancer, such as F5, it must be configured to forward this port. The idle connection timeout on the server load balancer might need to be configured to maintain the connections on this port. Please contact your Illumio Professional Services representative for information on configuring your server load balancer.

For example:

front_end_event_service_port: 8444

Default: 8444

Public Stable
front_end_management_https_port

The port for PCE web console and REST API

This key separates different kinds of communication. See also front_end_https_port.

Default: TCP 8443 if not set by front_end_management_https_port or front_end_https_port

Public Stable
syslog_event_export_format

The export format (CEF, LEEF, or JSON) for VEN flow summaries and Organization events.

When you specify CEF or LEEF format, you will continue getting traffic flows and Organization events in JSON format.

For example:

syslog_event_export_format: cef

Default: json

Public Stable
trusted_ca_bundle

The path to the trusted root certificate bundle

The PCE uses this parameter to validate that the certificates are trusted and indicates the path to the trusted root certificate bundle file.

For example:

trusted_ca_bundle: 
/etc/ssl/certs/ca-bundle.crt

Default: /etc/ssl/certs/ca-bundle.crt

Public Stable
email_display_name

Email display name to be used when sending email from the system. For example, to send invitations and notifications from the PCE.

For example:

email_display_name:'noreply'

Default: noreply

Public Stable
smtp_relay_address

 

SMTP relay information used by the PCE to send email; for example, to send invitations and notifications

The PCE assumes that an SMTP Relay runs on localhost and listens on 127.0.0.1/587. When this isn't the case, you must specify the configuration on the core nodes.

Use one of the following formats:

  • ip_address (e.g. 127.0.0.1)
  • ip_address:port (e.g. 127.0.0.1:587)

For example:

smtp_relay_address: 127.0.0.1:587

Default: 127.0.0.1:587

Public Stable
export_flow_summaries_to_fluentd

The types of traffic flow summaries to export to Fluentd

Values: accepted (allowed), potentially_blocked, blocked

For example:

export_flow_summaries_to_fluentd:
  - accepted

  - potentially_blocked

  - blocked

Public Experimental
export_flow_summaries_to_syslog

Enables traffic flow summaries to syslog

Values: accepted (allowed), potentially_blocked, blocked

For example:

export_flow_summaries_to_syslog:
  - accepted
  - potentially_blocked
  - blocked

To export blocked traffic summaries, include only the flow summary type when specifying the parameter; for example:

export_flow_summaries_to_syslog:
  - blocked

Public Experimental