Security Configuration

All parameters listed here correspond to settings in tb-edge.yml (or tb-edge.conf on Linux). Set them as environment variables in /etc/tb-edge/conf/tb-edge.conf (Linux) or as container environment variables (Docker / Kubernetes). For instructions on applying changes, see How to change configuration.

Parameter	Env variable	Default	Description
security.jwt.tokenExpirationTime	JWT_TOKEN_EXPIRATION_TIME	9000	Number of seconds (2.5 hours)
security.jwt.refreshTokenExpTime	JWT_REFRESH_TOKEN_EXPIRATION_TIME	604800	Number of seconds (1 week).
security.jwt.tokenIssuer	JWT_TOKEN_ISSUER	thingsboard.io	User JWT Token issuer
security.jwt.tokenSigningKey	JWT_TOKEN_SIGNING_KEY	thingsboardDefaultSigningKey	Base64 encoded
security.user_token_access_enabled	SECURITY_USER_TOKEN_ACCESS_ENABLED	true	Enable/disable access to Tenant Administrators JWT token by System Administrator or Customer Users JWT token by Tenant Administrator
security.user_login_case_sensitive	SECURITY_USER_LOGIN_CASE_SENSITIVE	true	Enable/disable case-sensitive username login
security.claim.allowClaimingByDefault	SECURITY_CLAIM_ALLOW_CLAIMING_BY_DEFAULT	true	Enable/disable claiming devices; if false -> the device’s [claimingAllowed] SERVER_SCOPE attribute must be set to [true] to allow claiming the specific device
security.claim.duration	SECURITY_CLAIM_DURATION	86400000	1 minute, note this value must equal claimDevices.timeToLiveInMinutes value
security.basic.enabled	SECURITY_BASIC_ENABLED	false	Enable/Disable basic security options
security.oauth2.loginProcessingUrl	SECURITY_OAUTH2_LOGIN_PROCESSING_URL	/login/oauth2/code/	Redirect URL where access code from external user management system will be processed
security.oauth2.githubMapper.emailUrl	SECURITY_OAUTH2_GITHUB_MAPPER_EMAIL_URL_KEY	https://api.github.com/user/emails	The email addresses that will be mapped from the URL
security.java_cacerts.path	SECURITY_JAVA_CACERTS_PATH	${java.home}/lib/security/cacerts	CA certificates keystore default path. Typically this keystore is at JAVA_HOME/lib/security/cacerts
security.java_cacerts.password	SECURITY_JAVA_CACERTS_PASSWORD	changeit	The password of the cacerts keystore file

Parameter	Env variable	Default	Description
audit-log.enabled	AUDIT_LOG_ENABLED	true	Enable/disable audit log functionality.
audit-log.logging-level.mask."device"	AUDIT_LOG_MASK_DEVICE	W	Device logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."asset"	AUDIT_LOG_MASK_ASSET	W	Asset logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."dashboard"	AUDIT_LOG_MASK_DASHBOARD	W	Dashboard logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."widget_type"	AUDIT_LOG_MASK_WIDGET_TYPE	W	Widget type logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."widgets_bundle"	AUDIT_LOG_MASK_WIDGETS_BUNDLE	W	Widget bundles logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."customer"	AUDIT_LOG_MASK_CUSTOMER	W	Customer logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."user"	AUDIT_LOG_MASK_USER	W	User logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."rule_chain"	AUDIT_LOG_MASK_RULE_CHAIN	W	Rule chain logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."alarm"	AUDIT_LOG_MASK_ALARM	W	Alarm logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."entity_view"	AUDIT_LOG_MASK_ENTITY_VIEW	W	Entity view logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."device_profile"	AUDIT_LOG_MASK_DEVICE_PROFILE	W	Device profile logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."asset_profile"	AUDIT_LOG_MASK_ASSET_PROFILE	W	Asset profile logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."edge"	AUDIT_LOG_MASK_EDGE	W	Edge logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."tb_resource"	AUDIT_LOG_MASK_RESOURCE	W	TB resource logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.logging-level.mask."ota_package"	AUDIT_LOG_MASK_OTA_PACKAGE	W	Ota package logging levels. Allowed values: OFF (disable), W (log write operations), RW (log read and write operation
audit-log.sink.type	AUDIT_LOG_SINK_TYPE	none	Type of external sink. possible options: none, elasticsearch
audit-log.sink.index_pattern	AUDIT_LOG_SINK_INDEX_PATTERN	@\{TENANT\}_AUDIT_LOG_@\{DATE\}	Name of the index where audit logs are stored. Index name can contain placeholders: @\{TENANT\} — substituted by tenant ID; @\{DATE\} — substituted by current date in the format defined by audit_log.sink.date_format.
audit-log.sink.date_format	AUDIT_LOG_SINK_DATE_FORMAT	YYYY.MM.dd	Date format. Details of the pattern can be found here: https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html
audit-log.sink.scheme_name	AUDIT_LOG_SINK_SCHEME_NAME	http	http or https
audit-log.sink.host	AUDIT_LOG_SINK_HOST	localhost	Host of external sink system
audit-log.sink.port	AUDIT_LOG_SINK_PORT	9200	Port of external sink system
audit-log.sink.user_name	AUDIT_LOG_SINK_USER_NAME	_(empty)_	Username used to access external sink system
audit-log.sink.password	AUDIT_LOG_SINK_PASSWORD	_(empty)_	Password used to access external sink system