Customizing Cloud Client Parameters
You can control client operations and default behavior by setting the configuration parameters listed below.
You can modify these parameters by using the cedit command. For details, see Using Cloud Client Commands.
Linux NSS-Related Parameters
The following are user query or NSS parameters that you can set on Linux systems:
Parameter Name | Description | Default Value |
---|---|---|
nss.group.ignore | Names of groups to ignore. | File:/etc/centrifycc/group.ignore |
nss.user.ignore | Names of users to ignore. | File:/etc/centrifycc/user.ignore |
agent.nss.program.ignore | Programs for which the CentrifyCC NSS library does not process NSS calls. Use with care: cloud users are not resolved for the listed programs. Renamed in 19.6 because of a conflict with DirectAudit configuration parameters. | kcm |
nss.group.skip.members | List of programs that do not need group member lists when the getgrXXX() APIs are called. | ls,chown,find,ps,chgrp,dtaction,dtwm,pt_chmod,adid,ll,id |
nss.programs.force.grouplist.backend | List of process names that get the list of all available groups from the backend. | none |
nss.programs.get.allmembers | List of process names that get the group member list from the backend, so that all members are returned. Note: This slows down system performance. Do not set it unless absolutely necessary. | none |
nss.getgrouplist.interval | How often the list of available groups is fetched from the backend. | 4 hours |
nss.prefetch.users | List of users that the cloud client retrieves from the Cloud service before the system requests them. | none |
nss.programs.getusergroups | List of process names whose getpwnam/getpwuid calls also retrieve the list of groups the user belongs to. | nscd,su,login,sshd,sudo,groups,id,getent |
nss.refresh.prefetch.users.interval | How often the prefetched users (see nss.prefetch.users) are refreshed. | 1 hour |
nss.group.members.async.refresh | Whether group membership lists are refreshed asynchronously when expired information is encountered. Note: Do not use. It is not meaningful in the current group membership architecture, where group membership is served from the local cache. | false |
Linux PAM-Related Parameters
The following are Linux user login (PAM) parameters that you can set:
Parameter Name | Description | Default Value |
---|---|---|
pam.homedir.create | Create the home directory if it does not exist on the local machine. | True |
pam.homedir.create.mesg | Message displayed when a user's home directory is created. | Created home directory |
pam.ignore.users | Names of users that are authenticated locally. | file:/etc/centrifycc/user.ignore |
pam.mfa.disabled | Whether to disable multi-factor authentication (MFA) for user login on this machine. | False |
pam.mfa.program.ignore | List of programs whose logins skip MFA. Every program added here bypasses MFA, so keep the list minimal. | ftpd profiled vsftpd java http cdc_chkpwd kdm unix2_chkpwd |
pam.mfa.oob.max.count | Maximum number of retries for MFA out-of-band mechanisms. An out-of-band mechanism is one that requires additional interaction from the user, such as clicking a link in an email or SMS message. | 300 |
pam.password.enter.mesg | Message displayed when prompting for a user's password. | Password |
Other Configuration Parameters
The following are other parameters that you can configure; they apply to Windows, Linux, or both:
Parameter Name | Description | Default Value | Applicable Platforms |
---|---|---|---|
agent.tcp.connect.timeout | Time after which a TCP connect attempt times out. | 30 seconds | All |
agent.cert.validate | Whether to validate the platform's certificate when connecting to it. Leave this enabled; with validation off the client will accept an impersonated platform endpoint. | true | All |
agent.http.timeout | Generic HTTP timeout. The value must be parsable into a time duration value. | 2 minutes | All |
agent.online.status.refresh | How often the client connects to the platform to update its connection status. | 1 minute | All |
agent.ping.timeout | Maximum time to wait for a response from the platform when updating connection status; after the timeout the client switches to offline mode. The value must be parsable into a time duration value. | 20 seconds | All |
agent.update.interval | How often the client updates the platform with its operating system and client version information. | 24 hours | All |
agent.web.proxy.global | The proxy URL to use when connecting to the platform. See Additional Notes below. | (none) | All |
agent.web.proxy.order | The order of connection modes to use when connecting to the platform. See Additional Notes below. | Global, Direct | All |
audittrail.targets | Audit trail targets (1 - sent to DirectAudit, 0 - not sent to DirectAudit). See Additional Notes below. | 1 | All |
cagent.audit.session | Whether session auditing is enabled (0 - not enabled, 1 - enabled). To change the setting, run dacontrol -d to disable auditing or dacontrol -e to enable it; do not edit this parameter with cedit. | 1 | Linux only |
cclient.cache.cleanup.interval | How often the client cleans up its cache. | 10 minutes | Linux only |
cclient.cache.expires | Time until a generic cached object is checked against the platform for changes. | 1 hour | Linux only |
cclient.cache.member.refresh | Time that must pass before a cached group membership object expires. | 30 seconds | Linux only |
cclient.cache.negative.expires | Lifetime of a negative (not-found) entry in the cache. | 5 seconds | Linux only |
cclient.cache.password.hash | Whether to store the password hash for client-based login. | True | Linux only |
cclient.cache.refresh | Time that must pass before a cached object is refreshed from the platform. | 5 minutes | Linux only |
cenroll.agent.wait.time | How long the cenroll command waits for the client to create its LRPC socket and serve requests before running the post-enroll script and exiting. The value must be parsable into a time duration value. | 10 seconds | All |
cenroll.http.timeout | HTTP timeout for the enroll and unenroll commands. The value must be parsable into a time duration value. | 5 minutes | All |
cli.hook.cenroll | Path to the post-enrollment script, if you have configured one. | none | All |
CloudUserDomains | This value is a comma-separated list of domains. During initauth if the username is in UPN format and the domain part matches the one from the This setting replaces the boolean | false | Windows only |
EnableCSSExtension | Enables or disables the CSS Extension. Enabling it allows zone role workflow requests to be processed immediately rather than being delayed by Active Directory synchronization schedules. | false | Linux |
FeatureAAPMEnabled | Enables or disables the AAPM feature. | none | All |
FeatureAgentAuthEnabled | Enables or disables the Agent Auth feature. | none | All |
FeatureDMCEnabled | Enables or disables the delegated machine credentials feature. | none | All |
LogLevel | Log level (used for the client log only). It sets the level for all items except Linux user query (NSS) and Linux user login (PAM). | Info | All |
log.rest | If true, the client logs REST API calls and their return values at INFO level; if false, at DEBUG level. | false | All |
log.script | Perl script logging level. | Info | Linux only |
log.script.autoedit.pl | Perl script logging level for autoedit. | Info | Linux only |
lrpc2.client.connect.timeout | Connection timeout for LRPC2 clients other than the Cloud Client. | 5 seconds | All |
lrpc2.client.receive.timeout | Time an LRPC2 client waits for a reply from the Cloud Client. | 5 minutes | All |
lrpc2.client.send.timeout | Time an LRPC2 client waits for the Cloud Client to receive its request. | 1 minute | All |
print_log_to_stdout.script | Whether Perl script logging is redirected to stdout. | 1 | Linux only |
recurring.interval.deviation.percentage | Maximum percentage deviation allowed when adding randomness to the interval between runs of a recurring job. | 5 | All |
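Several of the parameters in the three tables above loosen a security control when changed from their defaults: agent.cert.validate turns off platform certificate validation, pam.mfa.disabled and pam.mfa.program.ignore exempt logins from MFA, agent.nss.program.ignore hides cloud users from programs, and nss.programs.get.allmembers and nss.group.members.async.refresh carry explicit warnings. The following audit script, added here as an example and not Centrify's own code, parses a client configuration and reports deviations from the documented defaults. It assumes the configuration is a text file of `name: value` lines with `#` comments (the path /etc/centrifycc/centrifycc.conf is an assumed location, not taken from this page), that booleans are case-insensitive, and that list values are comma- or space-separated; SAMPLE_CONF and HARDENED_CONF are constructed inputs.

```python
"""Audit a CentrifyCC client configuration for values that weaken the
login, MFA, NSS or TLS controls described in the parameter tables above.

Added example, not Centrify's own code.  Assumptions not stated on the
page: the configuration is a text file of `name: value` lines with `#`
comments (the path /etc/centrifycc/centrifycc.conf is an assumed
location), booleans are case-insensitive, and list values are comma- or
space-separated.  SAMPLE_CONF and HARDENED_CONF are constructed."""

import re

# Defaults taken from the parameter tables on this page; a value that is
# absent from the file is treated as the default.
DEFAULTS = {
    "agent.cert.validate": "true",
    "pam.mfa.disabled": "false",
    "pam.mfa.program.ignore": "ftpd profiled vsftpd java http cdc_chkpwd kdm unix2_chkpwd",
    "agent.nss.program.ignore": "kcm",
    "nss.programs.get.allmembers": "none",
    "nss.group.members.async.refresh": "false",
}

# Constructed sample: a weakened configuration that an audit should flag.
SAMPLE_CONF = """\
# constructed sample, not a real host's configuration
agent.cert.validate: false
pam.mfa.disabled: false
pam.mfa.program.ignore: ftpd profiled vsftpd java http cdc_chkpwd kdm unix2_chkpwd sshd
nss.programs.get.allmembers: ls,find
"""

# Constructed sample: every audited parameter left at its documented default.
HARDENED_CONF = """\
agent.cert.validate: true
pam.mfa.disabled: false
nss.programs.get.allmembers: none
"""

_LINE = re.compile(r"^([\w.]+)\s*[:=]\s*(.*)$")


def parse_config(text):
    """Parse `name: value` (or `name = value`) lines into a dict, dropping
    comments and blank lines.  A repeated name keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line) if line else None
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def as_bool(value):
    return value.strip().lower() in ("true", "yes", "1")


def as_list(value):
    """Split a comma/space separated list; the literal 'none' means empty."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v and v.lower() != "none"]


def audit(conf):
    """Return (parameter, finding) tuples for settings that widen the attack
    surface relative to the documented defaults."""
    findings = []

    def get(name):
        return conf.get(name, DEFAULTS[name])

    if not as_bool(get("agent.cert.validate")):
        findings.append(("agent.cert.validate",
                         "platform certificate validation is off; the client would accept an impersonated platform endpoint"))
    if as_bool(get("pam.mfa.disabled")):
        findings.append(("pam.mfa.disabled", "MFA is disabled for every login on this machine"))

    # Any program added beyond the default list authenticates without MFA.
    extra_mfa = set(as_list(get("pam.mfa.program.ignore"))) - set(as_list(DEFAULTS["pam.mfa.program.ignore"]))
    if extra_mfa:
        findings.append(("pam.mfa.program.ignore",
                         "non-default programs bypass MFA: " + ", ".join(sorted(extra_mfa))))

    # Programs listed here never see cloud users at all (the page's own warning).
    extra_nss = set(as_list(get("agent.nss.program.ignore"))) - set(as_list(DEFAULTS["agent.nss.program.ignore"]))
    if extra_nss:
        findings.append(("agent.nss.program.ignore",
                         "cloud users are not resolved for: " + ", ".join(sorted(extra_nss))))

    all_members = as_list(get("nss.programs.get.allmembers"))
    if all_members:
        findings.append(("nss.programs.get.allmembers",
                         "full member lists are fetched from the backend for: " + ", ".join(all_members)
                         + " (documented as a performance hazard)"))
    if as_bool(get("nss.group.members.async.refresh")):
        findings.append(("nss.group.members.async.refresh", "documented as 'do not use'"))
    return findings


if __name__ == "__main__":
    for name, text in (("weakened sample", SAMPLE_CONF), ("hardened sample", HARDENED_CONF)):
        print(f"== {name}")
        for param, finding in audit(parse_config(text)) or [("-", "no findings")]:
            print(f"  {param}: {finding}")
```

On a real host, read the configuration file into `parse_config` instead of the constructed strings; the script only compares against defaults, so a value that is present but equal to the default produces no finding, and a parameter that is missing is assumed to be at its default.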
Additional Notes
For proxy settings, note the following about the Cloud Client:
- If the proxy setting is empty, all REST API calls are sent directly to the platform.
- If the proxy setting is non-empty, it is used as the proxy for all REST API calls, including enrollment.
- The user can specify which proxy to use on the cenroll command line; that parameter sets the proxy setting.
The upgrade process handles agent.web.proxy.order and agent.web.proxy.global as follows:
- If the first value of agent.web.proxy.order is Direct, the proxy setting is set to empty, so only direct connections are made.
- Otherwise, the value of agent.web.proxy.global is imported into the proxy parameter of the settings package.
- There is no fallback to a proxy if the direct connection fails.
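The rules above mean that an upgrade can silently drop a connection path: an order of Direct, Global with a proxy configured becomes direct-only, and an order of Global, Direct with a proxy becomes proxy-only with no direct fallback. The following model, added here as an example and not Centrify's own code, encodes the documented proxy order, the upgrade mapping, and the post-upgrade behaviour so the effect can be checked for a given pair of settings before upgrading. It assumes that order entries are matched case-insensitively, that only Global and Direct occur (the page shows no other values), and that the pre-upgrade order is an ordered fallback list, which is the natural reading of the parameter; the page does not describe retry behaviour in more detail. The proxy URL is a constructed value.

```python
"""Model the Cloud Client proxy rules described in Additional Notes:
agent.web.proxy.order lists the connection modes to try in order,
agent.web.proxy.global holds the proxy URL, and the upgrade collapses
both into a single `proxy` setting.

Added example, not Centrify's own code.  Assumptions: order entries are
matched case-insensitively and only "Global" and "Direct" occur; the
pre-upgrade order is treated as an ordered fallback list (the natural
reading of the parameter; the page gives no further retry detail)."""


def parse_order(order):
    """'Global, Direct' -> ['global', 'direct']."""
    return [part.strip().lower() for part in order.split(",") if part.strip()]


def pre_upgrade_attempts(order="Global, Direct", global_proxy=""):
    """Connection attempts the pre-upgrade client would make, in order.
    "" denotes a direct connection.  A 'global' entry with no proxy URL
    configured contributes nothing, since there is no proxy to use."""
    attempts = []
    for mode in parse_order(order):
        if mode == "direct":
            attempts.append("")
        elif mode == "global":
            if global_proxy:
                attempts.append(global_proxy)
        else:
            raise ValueError(f"unknown agent.web.proxy.order entry: {mode!r}")
    return attempts


def migrate_proxy_setting(order="Global, Direct", global_proxy=""):
    """Apply the documented upgrade rule: a leading Direct yields an empty
    proxy setting; otherwise agent.web.proxy.global becomes the proxy."""
    modes = parse_order(order)
    if modes and modes[0] == "direct":
        return ""
    return global_proxy


def post_upgrade_attempts(proxy):
    """After the upgrade there is one setting and no fallback: a non-empty
    proxy is used for every REST call (including enrollment); an empty one
    means direct connections only."""
    return [proxy] if proxy else [""]


def fallback_lost(order, global_proxy):
    """True when the upgrade removes a connection path the old order had,
    e.g. 'Direct, Global' with a proxy set loses the proxy entirely."""
    before = set(pre_upgrade_attempts(order, global_proxy))
    after = set(post_upgrade_attempts(migrate_proxy_setting(order, global_proxy)))
    return not before <= after


if __name__ == "__main__":
    proxy = "http://proxy.example.internal:3128"  # constructed value
    for order in ("Global, Direct", "Direct, Global", "Direct"):
        print(order, "->", pre_upgrade_attempts(order, proxy),
              "| after upgrade:", post_upgrade_attempts(migrate_proxy_setting(order, proxy)),
              "| fallback lost:", fallback_lost(order, proxy))
```

Run `fallback_lost` with the host's current agent.web.proxy.order and agent.web.proxy.global values; a True result means the upgraded client will reach the platform through fewer paths than it does today, and the proxy setting should be reviewed (or passed explicitly to cenroll) after the upgrade.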