Reference: PCE Runtime Parameters

This section lists important PCE runtime configuration parameters, their meaning, their purpose, and their exposure levels.

When configuring the PCE with the illumio-pce-env setup script, you are prompted for many of these parameters. See Configure the PCE for information.

IMPORTANT:
  • The runtime_env.yml file contains sensitive information that should be kept secret, such as encryption keys. Take steps to ensure the confidentiality of this file.

  • The runtime_env.yml file is not included in automatic PCE backups. You must manually back up this file to a secure location.

Runtime File Exposure Levels

The Illumio PCE runtime_env.yml file provides the following exposure levels for PCE configuration:

  • Public Stable (public_stable): These runtime_env.yml parameters can be used by all customers. All changes are backward compatible.
  • Public Experimental (public_experimental): These runtime_env.yml parameters can be used by all customers but might change from release to release with no guarantee of backwards compatibility.

Required Runtime Parameters

The following table lists the required runtime_env.yml file parameters for each PCE software node you deploy. All required parameters have no default values. All paths configured in this file must be absolute.

Each entry below gives the required parameter, its description, and its exposure level.

enabled_preview_features

Includes sub-parameters to enable identified preview features

install_root

The full path to the location of the PCE binaries and scripts

The software does not write to any files in this directory, so it can be read-only.

For example:

install_root: /opt/illumio-pce

Public Stable

runtime_data_root

The full path to the location where the PCE writes runtime data

This data can be deleted on reboot if necessary. This directory should have 700 permissions, but all of its files will have 600 permissions. This directory must be owned by the user that runs the PCE software.

For example:

runtime_data_root: /var/lib/illumio-pce/runtime

Public Stable

persistent_data_root

The full path to the location where the PCE writes persistent data

This data must persist across reboots for the software to work properly. This directory should have 700 permissions, but all of its files will have 600 permissions. This directory must be owned by the user that runs the PCE software.

For example:

persistent_data_root: /var/lib/illumio-pce/data

Public Stable

ephemeral_data_root

The full path to the location where the PCE writes temporary files

These files must not be deleted while the software is running, but they should be deleted on reboot. This directory should have 700 permissions, but all of its files will have 600 permissions.

For example:

ephemeral_data_root: /var/lib/illumio-pce/tmp

Public Stable
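The mode and ownership rules above (directory 700, files 600, everything owned by the account that runs the PCE) are easy to break with a restore or a manual copy. The following audit is an added example, not Illumio code or documentation: it walks a data root and reports each deviation. The `ilo-pce` account name is taken from this page; the demo tree the block builds is constructed and is not a real PCE directory.

```python
import os
import stat
import tempfile

def audit_data_root(path, uid):
    """Return findings for a PCE data directory (runtime_data_root, persistent_data_root,
    ephemeral_data_root): the directory must be mode 700 and every file inside it mode 600,
    and both must be owned by `uid`, the user that runs the PCE software."""
    if not os.path.isdir(path):
        return [f"{path}: is not a directory"]
    findings = []

    def check(p, want_mode):
        st = os.lstat(p)  # lstat: a symlink planted here is reported, not followed
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append(f"{p}: mode {mode:04o}, expected {want_mode:04o}")
        if st.st_uid != uid:
            findings.append(f"{p}: owned by uid {st.st_uid}, expected uid {uid}")

    check(path, 0o700)
    for root, _dirs, files in os.walk(path):
        for name in files:
            check(os.path.join(root, name), 0o600)
    return findings

def current_uid():
    # For a real audit pass the PCE account instead, e.g. pwd.getpwnam("ilo-pce").pw_uid
    return os.getuid()

def build_demo_tree(broken):
    """Constructed fixture, not a real PCE directory: a throwaway tree shaped like
    runtime_data_root. With broken=True the directory is group-accessible and one
    file is world-readable, the two deviations the audit should flag."""
    root = tempfile.mkdtemp(prefix="pce-demo-")
    os.chmod(root, 0o750 if broken else 0o700)
    for name, mode in (("good.dat", 0o600), ("leaky.dat", 0o644 if broken else 0o600)):
        target = os.path.join(root, name)
        with open(target, "w") as fh:
            fh.write("constructed\n")
        os.chmod(target, mode)
    return root

if __name__ == "__main__":
    for finding in audit_data_root(build_demo_tree(broken=True), current_uid()):
        print(finding)
```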

log_dir

The directory where the PCE software writes some text file logs (although most PCE services log to syslog)

logrotate (or similar) should be used to manage these files.

For example:

log_dir: /var/log/illumio-pce

Public Stable

pce_fqdn

The fully qualified domain name (FQDN) of the PCE cluster

For example:

pce_fqdn: pce.mycompany.com

Public Stable

cluster_public_ips:
  cluster_fqdn

The FQDN of your entire cluster

NOTE:

If you change the value of cluster_public_ips, wait for the paired VENs to receive the new IP addresses and begin heartbeating to them.

Public Stable

web_service_certificate

Full path to the X.509 public certificate used by this node for TLS

See TLS Requirements for more information on the contents of the certificate files.

For example:

web_service_certificate: /etc/pki/tls/certs/my_cert.crt

Public Stable

web_service_private_key

The RSA private key for TLS that matches the public certificate

The private key must be PEM encoded in PKCS#12 format without a password.

For example:

web_service_private_key: /var/lib/illumio-pce/cert/rsa_private_key.key

Alternatively, you can specify a script (using $ notation) that outputs the private key. This approach is useful when you need to store the key in a hardware security module (HSM) or other key store.

For example:

web_service_private_key: $ /var/lib/illumio-pce/cert/get_rsa_private_key.sh

This script can be located anywhere on the file system as long as it is executable by the ilo-pce user.

Example script output:

$ /local/scripts/get_rsa_private_key.sh
-----BEGIN RSA PRIVATE KEY-----
MIIE...
(many lines trimmed here)
-----END RSA PRIVATE KEY-----

Public Stable

email_address

Email sender address used by the PCE when sending emails from the system; for example, to send invitations and notifications

For example:

email_address: noreply@example.com

Public Stable

service_discovery_fqdn

The FQDN or IP address of the first core node

Public Experimental

service_discovery_encryption_key

The key used to encrypt Service Discovery node traffic.

This value must be the same for all PCE nodes. This key must be 16 bytes that are base64 encoded.

For example:

service_discovery_encryption_key: 05TlqH1W0cKcK797DV73yg==

Public Stable

node_type

The type of the PCE software node

Allowable values:

  • core: core node
  • data0: data node
  • data1: data node
  • snc0: single-node cluster
  • citus_coordinator: coordinator node for multi-node traffic database
  • citus_worker: worker node for multi-node traffic database

For example:

node_type: core

Public Stable

login_banner

A custom message shown on the PCE login screen, typically used to display a legal notice or company policy when a user logs in

Public Stable

cluster_type

PCE cluster type. Required on every node in a multi-node cluster (MNC). Not required on a single-node cluster (SNC).

One of the following:

  • 4node_v0: 2x2 PCE cluster
  • 4node_v0_small: 2x2 PCE cluster with fewer compute and memory resources

  • 6node_v0: 4x2 PCE cluster
  • 4node_dx: 2x2 PCE cluster with multi-node traffic database
  • 6node_dx: 4x2 PCE cluster with multi-node traffic database

Default: 4node_v0

Public Stable

Optional Runtime Parameters

The following table lists common optional runtime_env.yml file parameters for each PCE software node you deploy. Your Illumio Professional Services representative might provide additional parameters to configure certain advanced functions.

Each entry below gives the optional parameter, its description, and its exposure level.

ven_repo_url

The base URL used to fetch the VENs and to enable workload pairing with the PCE

Required format: https://host[:port]/repo_dir

You can use an alternate port by specifying it after the hostname. repo_dir cannot be empty.

For example:

ven_repo_url: https://repo.example.com:8443/onpremgCBURz8Y4zkGk1u7N9ialjPGlZ

Default: None

Public Stable

ven_repo_ips

IP addresses of the VEN repository

These IP addresses are injected into iptables to allow outbound access to the yum/apt repositories without having to write an explicit PCE policy.

Setting this parameter allows outbound access on ports 80 and 443 to these IP addresses. You can specify single IP addresses, address ranges in CIDR notation, or both.

When you do not specify this parameter, the VEN won't be allowed to access the repository containing VEN software packages.

For example:

ven_repo_ips:
  - 1.2.3.4
  - 5.6.7.8/8

Default: None

Public Stable

internal_service_ip

The IP address of the PCE

Set this value manually only when you want to use a public IP address or the PCE node has multiple interfaces.

For example:

internal_service_ip: 10.2.8.89

Default: The first available private IP address on the node

Public Stable

front_end_https_port

The front end HTTPS port

When the cluster is front-ended by a server load balancer, such as F5, the load balancer must be configured to forward this port.

For example:

front_end_https_port: 8443

Default: TCP 8443 if not set by front_end_management_https_port or front_end_https_port

Public Stable

front_end_event_service_port

The front end Event Service port

When the cluster is front-ended by a server load balancer, such as F5, it must be configured to forward this port. The idle connection timeout on the server load balancer might need to be configured to maintain the connections on this port. Please contact your Illumio Professional Services representative for information on configuring your server load balancer.

For example:

front_end_event_service_port: 8444

Default: 8444

Public Stable

front_end_management_https_port

The port for PCE web console and REST API

This key separates different kinds of communication. See also front_end_https_port.

Default: TCP 8443 if not set by front_end_management_https_port or front_end_https_port

Public Stable

syslog_event_export_format

The export format (CEF, LEEF, or JSON) for VEN flow summaries and Organization events.

When you specify CEF or LEEF format, you will continue getting traffic flows and Organization events in JSON format.

For example:

syslog_event_export_format: cef

Default: json

Public Stable

min_tls_version

The minimum Transport Layer Security (TLS) version used to secure VEN-to-PCE communications, the PCE's web server for the PCE web console, and the REST API. It is recommended that you use the default setting, 1.2. Earlier TLS versions, such as 1.0 and 1.1, are considered less secure, so it is recommended you do not use them. In rare circumstances, such as when using older operating systems, you might need to change the minimum TLS version; see TLS Versions for Communications.

For more information, see Illumio PCE (Core & Edge) Version 21.2.0 Default Configuration Only Supports TLS 1.2 (requires login).

Allowable values: tls1_0, tls1_1, tls1_2.

For example:

min_tls_version: tls1_2

Default: tls1_2

Public Stable

insecure_tls_weak_ciphers_enabled

Specifies whether to allow the use of weaker TLS ciphers, such as cipher block chaining (CBC) ciphers. Stronger ciphers are recommended.

Illumio recommends you keep the default value (true) for this setting when using clients or operating systems that can only negotiate TLS using CBC ciphers. If your environment is not impacted by this limitation, Illumio recommends that you change the value to false so that you use strong ciphers.

For example:

insecure_tls_weak_ciphers_enabled: true

Default: true

Public Stable

trusted_ca_bundle

The path to the trusted root certificate bundle.

The PCE uses the bundle file at this path to validate that certificates are trusted.

For example:

trusted_ca_bundle: /etc/ssl/certs/ca-bundle.crt

Default: /etc/ssl/certs/ca-bundle.crt

Public Stable

email_display_name

Email display name to be used when sending email from the system. For example, to send invitations and notifications from the PCE.

For example:

email_display_name: 'noreply'

Default: noreply

Public Stable

smtp_relay_address

SMTP relay information used by the PCE to send email; for example, to send invitations and notifications.

The PCE assumes that an SMTP relay runs on localhost and listens on 127.0.0.1, port 587. When this isn't the case, you must specify the configuration on the core nodes.

Use one of the following formats:

  • ip_address (e.g. 127.0.0.1)
  • ip_address:port (e.g. 127.0.0.1:587)

For example:

smtp_relay_address: 127.0.0.1:587

Default: 127.0.0.1:587

Public Stable

export_flow_summaries_to_fluentd

The types of traffic flow summaries to export to Fluentd.

Values: accepted (allowed), potentially_blocked, blocked

For example:

export_flow_summaries_to_fluentd:
  - accepted
  - potentially_blocked
  - blocked

Public Experimental

export_flow_summaries_to_syslog

Enables export of traffic flow summaries to syslog.

Values: accepted (allowed), potentially_blocked, blocked

For example:

export_flow_summaries_to_syslog:
  - accepted
  - potentially_blocked
  - blocked

To export only blocked traffic summaries, list only that flow summary type when specifying the parameter; for example:

export_flow_summaries_to_syslog:
  - blocked

Public Experimental

internal_syslog_fqdn_enabled

Specifies whether to use the PCE's fully-qualified domain name (FQDN) or the hostname in syslog messages. The FQDN can be more helpful if the short hostnames are difficult to distinguish.

Values: true (the host= field uses the FQDN), false (default)

For example:

internal_syslog_fqdn_enabled: true

Public Experimental
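Most of the constraints stated in the required and optional tables above (required keys present, absolute paths, a service_discovery_encryption_key that decodes to exactly 16 bytes, the allowed node_type, cluster_type and min_tls_version values, the ven_repo_url format, and ven_repo_ips entries that are addresses or CIDR blocks) can be checked before a node is started. This pre-flight check is an added example and not Illumio code; it assumes runtime_env.yml has already been parsed into a Python mapping (for instance with PyYAML's yaml.safe_load), and the sample mapping it carries is constructed from the page's own example values.

```python
import base64
import ipaddress
import os
from urllib.parse import urlsplit

REQUIRED = ("install_root", "runtime_data_root", "persistent_data_root",
            "ephemeral_data_root", "log_dir", "pce_fqdn", "web_service_certificate",
            "web_service_private_key", "email_address", "service_discovery_fqdn",
            "service_discovery_encryption_key", "node_type")
PATH_KEYS = REQUIRED[:5] + ("web_service_certificate", "trusted_ca_bundle")
ALLOWED = {"node_type": {"core", "data0", "data1", "snc0", "citus_coordinator", "citus_worker"},
           "cluster_type": {"4node_v0", "4node_v0_small", "6node_v0", "4node_dx", "6node_dx"},
           "min_tls_version": {"tls1_0", "tls1_1", "tls1_2"}}

def check_runtime_env(env):
    """Return a list of findings for one node's parsed runtime_env.yml mapping."""
    findings = [f"{k}: required parameter is missing" for k in REQUIRED if k not in env]
    for key in PATH_KEYS:  # the reference requires every configured path to be absolute
        if key in env and not os.path.isabs(str(env[key])):
            findings.append(f"{key}: path must be absolute, got {env[key]!r}")
    if "service_discovery_encryption_key" in env:  # exactly 16 raw bytes, base64 encoded
        try:
            raw = base64.b64decode(env["service_discovery_encryption_key"], validate=True)
            if len(raw) != 16:
                findings.append(f"service_discovery_encryption_key: {len(raw)} bytes, expected 16")
        except ValueError:  # binascii.Error is a ValueError
            findings.append("service_discovery_encryption_key: not valid base64")
    for key, allowed in ALLOWED.items():
        if key in env and env[key] not in allowed:
            findings.append(f"{key}: {env[key]!r} is not one of {sorted(allowed)}")
    if env.get("ven_repo_url"):  # required format: https://host[:port]/repo_dir, repo_dir non-empty
        url = urlsplit(env["ven_repo_url"])
        if url.scheme != "https" or not url.hostname or not url.path.strip("/"):
            findings.append(f"ven_repo_url: expected https://host[:port]/repo_dir, got {env['ven_repo_url']!r}")
    for entry in env.get("ven_repo_ips", []):  # single addresses or CIDR blocks
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"ven_repo_ips: {entry!r} is not an IP address or CIDR block")
    return findings

# Constructed sample built from the page's example values; in practice: yaml.safe_load(open(path))
SAMPLE_ENV = {"install_root": "/opt/illumio-pce", "runtime_data_root": "/var/lib/illumio-pce/runtime",
              "persistent_data_root": "/var/lib/illumio-pce/data", "ephemeral_data_root": "/var/lib/illumio-pce/tmp",
              "log_dir": "/var/log/illumio-pce", "pce_fqdn": "pce.mycompany.com", "node_type": "core",
              "web_service_certificate": "/etc/pki/tls/certs/my_cert.crt", "email_address": "noreply@example.com",
              "web_service_private_key": "/var/lib/illumio-pce/cert/rsa_private_key.key",
              "service_discovery_fqdn": "pce.mycompany.com", "service_discovery_encryption_key": "05TlqH1W0cKcK797DV73yg==",
              "ven_repo_url": "https://repo.example.com:8443/onpremgCBURz8Y4zkGk1u7N9ialjPGlZ", "ven_repo_ips": ["1.2.3.4", "5.6.7.8/8"]}
```

Run it against each node's file before starting the PCE; an empty list means every constraint the tables state is satisfied.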