Reference: PCE Runtime Parameters
This section lists important PCE runtime configuration parameters, their meaning, their purpose, and their exposure levels.
When configuring the PCE with the illumio-pce-env setup script, you are prompted for many of these parameters. See Configure the PCE for information.
Runtime File Exposure Levels
The Illumio PCE runtime_env.yml file provides the following exposure levels for PCE configuration:
Public Stable (public_stable): These runtime_env.yml parameters can be used by all customers. All changes are backward compatible.
Public Experimental (public_experimental): These runtime_env.yml parameters can be used by all customers but might change from release to release with no guarantee of backward compatibility.
Important
The runtime_env.yml file contains sensitive information that must be kept secret, such as encryption keys. Take steps to ensure the confidentiality of this file; at a minimum, restrict it so that only the user that runs the PCE software can read it.
The runtime_env.yml file is not included in automatic PCE backups. You must manually back up this file to a secure location, and protect the backup as carefully as the original, because it carries the same secrets.
Description of Runtime Parameters
Required Runtime Parameters
The following table lists the required runtime_env.yml file parameters for each PCE software node you deploy. Required parameters have no default values. All paths configured in this file must be absolute.
| Required Parameter | Description | Exposure |
|---|---|---|
| | Includes sub-parameters to enable identified preview features. | |
| `install_root` | The full path to the location of the PCE binaries and scripts. The software does not write to any files in this directory, so it can be read-only. For example: `install_root: /opt/illumio-pce` | Public Stable |
| `runtime_data_root` | The full path to the location where the PCE writes runtime data. This data can be deleted on reboot if necessary. The directory should have 700 permissions; the files the PCE creates in it have 600 permissions. The directory must be owned by the user that runs the PCE software. For example: `runtime_data_root: /var/lib/illumio-pce/runtime` | Public Stable |
| `persistent_data_root` | The full path to the location where the PCE writes persistent data. This data must persist across reboots for the software to work properly. The directory should have 700 permissions; the files the PCE creates in it have 600 permissions. The directory must be owned by the user that runs the PCE software. For example: `persistent_data_root: /var/lib/illumio-pce/data` | Public Stable |
| `ephemeral_data_root` | The full path to the location where the PCE writes temporary files. These files must not be deleted while the software is running, but they should be deleted on reboot. The directory should have 700 permissions; the files the PCE creates in it have 600 permissions. For example: `ephemeral_data_root: /var/lib/illumio-pce/tmp` | Public Stable |
| `log_dir` | The directory where the PCE software writes some text-file logs (most PCE services log to syslog). For example: `log_dir: /var/log/illumio-pce` | Public Stable |
| `pce_fqdn` | The fully qualified domain name (FQDN) of the PCE cluster. For example: `pce_fqdn: pce.mycompany.com` | Public Stable |
| | The FQDN of your entire cluster. Note: If you change the value of | Public Stable |
| `web_service_certificate` | Full path to the X.509 public certificate used by this node for TLS. See TLS Requirements for more information on the contents of the certificate files. For example: `web_service_certificate: /etc/pki/tls/certs/my_cert.crt` | Public Stable |
| `web_service_private_key` | The RSA private key for TLS that matches the public certificate. The key must be PEM encoded (a PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` block, as in the example output below) and must not be password protected; a PKCS#12 (.p12/.pfx) bundle is a binary container rather than a PEM key, so export the key to PEM first. For example: `web_service_private_key: /var/lib/illumio-pce/cert/rsa_private_key.key` Alternatively, you can specify a script (using the `$ ` prefix shown in the example) whose standard output is the key, for example: `web_service_private_key: $ /var/lib/illumio-pce/cert/get_rsa_private_key.sh` The script can be located anywhere on the file system as long as the PCE can execute it. Example script output: `$ /local/scripts/get_rsa_private_key.sh` prints `-----BEGIN RSA PRIVATE KEY-----`, `MIIE...` (many lines trimmed here), `-----END RSA PRIVATE KEY-----` | Public Stable |
| `email_address` | Email sender address used by the PCE when sending emails from the system, for example to send invitations and notifications. For example: `email_address: noreply@example.com` | Public Stable |
| | The FQDN or IP address of the first core node. | Public Experimental |
| `service_discovery_encryption_key` | The key used to encrypt Service Discovery node traffic. This value must be the same on all PCE nodes. The key must be 16 bytes, base64 encoded (24 characters including padding). For example: `service_discovery_encryption_key: 05TlqH1W0cKcK797DV73yg==` | Public Stable |
| `node_type` | The type of the PCE software node. Allowable values: For example: `node_type: core` | Public Stable |
| | A custom message on the PCE login screen, typically used to display a legal notice or company policy when a user logs in. | Public Stable |
| | PCE cluster type. Required on every node in a multi-node cluster (MNC); not required on a single-node cluster (SNC). One of the following: Default: | Public Stable |
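The `web_service_private_key` row above allows a script in place of a key path, with the PCE reading the unencrypted PEM key from the script's standard output. Below is an added example of such a helper; it is not Illumio's script, and nothing in this reference describes the hook beyond what the row states. It assumes hypothetical paths for an at-rest key file and its passphrase file, GNU `stat -c`, and that `openssl` is available for the encrypted-at-rest case. What it demonstrates is the fail-closed behaviour a practitioner wants from this hook: the key is written to stdout only, never to a log or temporary file, and the script refuses to run if the key or passphrase file is readable by other users.

```shell
#!/bin/sh
# get_rsa_private_key.sh -- added example helper for
#   web_service_private_key: $ /path/to/get_rsa_private_key.sh
# Not Illumio's script. Assumptions (hypothetical paths):
#   KEY_FILE   TLS private key at rest; may be passphrase-protected, which
#              a plain web_service_private_key path does not allow
#   PASS_FILE  passphrase for KEY_FILE, mode 0400, owned by the PCE user
# The PCE reads the unencrypted PEM key from this script's stdout, so stdout
# must carry the key and nothing else; diagnostics go to stderr only.
set -eu
umask 077

KEY_FILE="${KEY_FILE:-/var/lib/illumio-pce/cert/rsa_private_key.key.enc}"
PASS_FILE="${PASS_FILE:-/var/lib/illumio-pce/cert/rsa_private_key.pass}"

die() { printf 'get_rsa_private_key: %s\n' "$1" >&2; exit 1; }

# Octal permission bits of a file (GNU stat; BSD stat uses -f %Lp).
mode_of() { stat -c '%a' "$1"; }

# True only when group and other have no permission bits at all (e.g. 600,
# 400, 700). A key file readable by any other local user defeats TLS.
perms_are_private() {
    m=$(mode_of "$1")
    case "$m" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# True when the file is already an unencrypted PEM private key: a PKCS#1
# "RSA PRIVATE KEY" block without a Proc-Type ENCRYPTED header, a SEC1
# "EC PRIVATE KEY" block, or an unencrypted PKCS#8 "PRIVATE KEY" block.
pem_is_unencrypted_key() {
    grep -qE -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    ! grep -qE -e 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

main() {
    [ -f "$KEY_FILE" ] || die "key file $KEY_FILE not found"
    perms_are_private "$KEY_FILE" \
        || die "refusing: $KEY_FILE is readable by group or other"
    if pem_is_unencrypted_key "$KEY_FILE"; then
        cat "$KEY_FILE"      # already in the form the PCE expects
        return 0
    fi
    # Encrypted at rest: decrypt in memory and stream the PEM to stdout.
    # (Header of the output, "RSA PRIVATE KEY" vs "PRIVATE KEY", depends on
    # the OpenSSL version; the reference shows the PKCS#1 form.)
    [ -f "$PASS_FILE" ] || die "key is encrypted but $PASS_FILE is missing"
    perms_are_private "$PASS_FILE" \
        || die "refusing: $PASS_FILE is readable by group or other"
    openssl rsa -in "$KEY_FILE" -passin "file:$PASS_FILE" 2>/dev/null \
        || die "could not decrypt $KEY_FILE"
}

# Run main only when executed under the helper's own name, so the functions
# can also be sourced and checked on their own.
case "${0##*/}" in get_rsa_private_key.sh) main "$@" ;; esac
```

Install it with mode 0500, owned by the PCE user, and reference it as `web_service_private_key: $ /path/to/get_rsa_private_key.sh`; a quick check that it behaves is `sh get_rsa_private_key.sh | head -n 1`, which must print the `-----BEGIN` line and nothing on stderr.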
Optional Runtime Parameters
The following table lists common optional runtime_env.yml file parameters for each PCE software node you deploy. Your Illumio Professional Services representative might provide additional parameters to configure certain advanced functions.
For additional TLS information for the min_tls_version parameter, see TLS Versions for Communications.
| Optional Parameter | Description | Exposure |
|---|---|---|
| | The base URL used to fetch the VENs and to enable workload pairing with the PCE. Required format: You can use an alternate port by specifying it at the end of the hostname. For example: `https://repo.example.com:8443/onpremgCBURz8Y4zkGk1u7N9ialjPGlZ` Default: None | Public Stable |
| `ven_repo_ips` | IP addresses of the VEN repository. These IP addresses are injected into iptables to allow outbound access on ports 80 and 443 to them. You can specify single IP addresses or ranges in CIDR notation. When you do not specify this parameter, the VEN is not allowed to access the repository containing VEN software packages. For example: `ven_repo_ips: [1.2.3.4, 5.6.7.8/8]` Note that a prefix as broad as /8 opens outbound access to the whole 5.0.0.0/8 block; use the narrowest prefix that covers the repository. Default: None | Public Stable |
| `internal_service_ip` | The IP address of the PCE. Set this value manually only when you want to use a public IP address or the PCE node has multiple interfaces. For example: `internal_service_ip: 10.2.8.89` Default: The first available private IP address on the node | Public Stable |
| `front_end_https_port` | The front-end HTTPS port. When the cluster is front-ended by a server load balancer, such as F5, the load balancer must be configured to forward this port. For example: `front_end_https_port: 8443` Default: TCP 8443 if not set by | Public Stable |
| `front_end_event_service_port` | The front-end Event Service port. When the cluster is front-ended by a server load balancer, such as F5, the load balancer must be configured to forward this port. The idle connection timeout on the load balancer might need to be raised to keep the connections on this port open. Contact your Illumio Professional Services representative for information on configuring your server load balancer. For example: `front_end_event_service_port: 8444` Default: | Public Stable |
| | The port for the PCE web console and REST API. This key separates different kinds of communication. See also Default: TCP 8443 if not set by | Public Stable |
| `syslog_event_export_format` | The export format (CEF, LEEF, or JSON) for VEN flow summaries and Organization events. When you specify CEF or LEEF, you continue to receive traffic flows and Organization events in JSON format as well. For example: `syslog_event_export_format: cef` Default: | Public Stable |
| `min_tls_version` | The minimum Transport Layer Security (TLS) version used to secure VEN-to-PCE communications, the PCE web server for the PCE web console, and the REST API. Illumio recommends that you keep the default, 1.2: earlier versions such as TLS 1.0 and 1.1 are considered less secure and should not be used. In rare circumstances, such as when using older operating systems, you might need to lower the minimum TLS version. Allowable values: For example: `min_tls_version: tls1_2` Default: 1.2 | Public Stable |
| `insecure_tls_weak_ciphers_enabled` | Specifies whether to allow the use of weaker TLS ciphers, such as cipher block chaining (CBC) cipher suites. Stronger ciphers are recommended, so for most deployments Illumio recommends that you change the value to `false`, as in the example. For example: `insecure_tls_weak_ciphers_enabled: false` Default: | Public Stable |
| `trusted_ca_bundle` | The path to the trusted root certificate bundle file. The PCE uses this bundle to validate that presented certificates chain to a trusted root. For example: `trusted_ca_bundle: /etc/ssl/certs/ca-bundle.crt` Default: | Public Stable |
| `email_display_name` | Email display name used when sending email from the system, for example to send invitations and notifications from the PCE. For example: `email_display_name: 'noreply'` Default: | Public Stable |
| `smtp_relay_address` | SMTP relay used by the PCE to send email, for example to send invitations and notifications. The PCE assumes that an SMTP relay runs on localhost and listens on Use one of the following formats: For example: `smtp_relay_address: 127.0.0.1:587` Default: | Public Stable |
| `export_flow_summaries_to_fluentd` | The types of traffic flow summaries to export to Fluentd. Values: For example: `export_flow_summaries_to_fluentd: [accepted, potentially_blocked, blocked]` | Public Experimental |
| `export_flow_summaries_to_syslog` | Enables export of traffic flow summaries to syslog. Values: For example: `export_flow_summaries_to_syslog: [accepted, potentially_blocked, blocked]` To export only blocked traffic summaries, include only that flow summary type, for example: `export_flow_summaries_to_syslog: [blocked]` | Public Experimental |
| `internal_syslog_fqdn_enabled` | Specifies whether to use the PCE's fully qualified domain name (FQDN) or the short hostname in syslog messages. The FQDN is more helpful when short hostnames are difficult to tell apart. Values: For example: `internal_syslog_fqdn_enabled: true` | Public Experimental |