System Administration : Parameters
  

Parameters

In the Parameters tab of the System Administration application, you can change the following types of parameters. For each Parameter, you see the Parameter name and its value and it is also possible to restore the default value, by clicking the Restore Defaults, , button.
Please note that all of the parameters are not available and used for the Queue Agent Profiles.
General Parameters
System
Connectors
Cloud Services
Weekend Settings
Agent Parameters
Queue Agent Settings
HTTPS Parameters
Certificate and key store Settings
HTTPS server settings
Central WebSocket Server Settings
Application Parameters
Appointment Management Settings
Recycle Settings
Browser Settings
Mobile API (Central)
Customer
User Settings
Event Manager Settings
Sorting Policy Settings
Queue Agent Media Settings
Statistics Settings
SSO Settings
LDAP Settings
Pre Authentication and Authorization Settings

General Parameters

 
Parameter
Description
Default value
System
General parameter, regarding the whole system.
 
System Locale
Language code for language used in the system.
For more information, see “Localisation” .
en
 
 
 
Connectors
General parameters regarding connectors.
 
Date Time Format
Date and time format.
HH:mm
Customer External JNDI Name
Customer External JNDI Name
java:global/customCustomerDb/customerdbintegration/CustomerCentralManagerBean
 
 
 
Cloud Services
Qmatic Cloud Services offers an app that allows the customer to take a ticket for a service offered by our client as a complement to the traditional way of taking a ticket at the Branch. The app will recommend those Branches that offer the service the customer is interested in and gives the waiting time for each Branch. It provides information about the customer’s geographical location and helps them navigate to the Branch.
 
Enabled
Whether or not Cloud Services is enabled.
Disabled
 
 
 
Weekend Settings
Parameter regarding scheduling of Context Marketing Messages.
 
Weekend days
Select which days of the week that should be regarded as weekend days. Default is Saturday and Sunday. This is used when scheduling Context Marketing Messages.
For more information, see the Administrator’s Guide.
Saturday
Sunday
 

Agent Parameters

 
Parameter
Description
Default value
Queue Agent Settings
Parameters connected to the Queue Agent.
 
Central HTTP Port
Enter the port number that should be used as the Central Orchestra Server port.
8080 for http and 8443 for https.
Central HTTP Protocol
Select either http or https from the drop-down list.
http or https

HTTPS Parameters

 
Parameter
Description
Default value
Certificate and key store Settings
For more information, see “Secure Communication” .
 
(Re)generate certificate
Enabling this check box and saving the parameter list will cause the certificate to be generated in the key store.
If a certificate with the same alias already exists, it will be overwritten, so be careful!
 
KeyStore alias
The alias of the certificate key entry, in key store.
orchestra
Distinguished name
The distinguished name of the certificate. The first (CN) section is the host name of the server and the subsequent sections describe the organization.
CN=localhost,OU=orgUnit, O=org, L=city, S=state, C=countryCode
Subject alternate name
This field needs to be set to both IP address and host name of the server if both are going to be used for HTTPS communication. Separate each entry with a comma. Example: myhost.com, 10.0.10.0.
localhost
HTTPS server settings
For more information, see “Secure Communication” .
 
HTTPS enabled
Controls whether HTTPS should be enabled or not in Wildfly.
An Orchestra restart is recommended after enabling HTTPS.
Disabled
KeyStore alias
Determines which key entry in the key store to use as a server certificate.
HTTPS must be disabled before selecting a new KeyStore alias.
 
HTTPS port
Decides which port to use for HTTPS communication.
8443
 
 
 
Central WebSocket Server Settings
Settings connected to the Central Websocket server, heartbeat, etc.
 
WebSocket enabled
If this check box is checked, Web socket communication over unencrypted channels is allowed.
WARNING! Disabling this will cause any distributed Queue Agent connected over unencrypted WebSocket to stop functioning!
Enabled
WebSocket port
The port to use for unencrypted WebSocket communication.
WARNING! Changing this will cause any distributed Queue Agent connected over unencrypted WebSockets to stop functioning, until they are re-configured!
8787
Secure WebSocket enabled
Enabling this parameter will cause the WebSocket server on Central to support WebSocket secure. Make sure that the certificate setting is properly configured.
WARNING! Disabling this setting will cause any Queue Agents that are currently connected using secure WebSocket to stop functioning!
Disabled
Secure WebSocket port
The port to use for secure WebSocket communication.
WARNING! Changing this parameter will cause any Queueu Agents that are currently connected using secure WebSocket to stop functioning, until they are re-configured!
9150
Netty worker thread pool size
The number of worker threads available to handle web socket traffic. Minimum 5, maximum 1000.
100
Init commands thread pool size
The number of threads available to handle init commands from the Queue Agents. Minimum 1, maximum 500.
20
Non-init commands thread pool size
The number of threads available to handle all non-init commands from the Queue Agents. Minimum 1, maximum 500.
20
Event thread pool size
The number of threads available to handle events from the Queue Agents. Minimum 1, maximum 500.
20
Command pool size
The number of threads tasked with notification of results to commands. Minimum 5, maximum 1000.
20
Command timeout (milliseconds)
The time in milliseconds to wait for a response from a command sent to a Queue Agent. Minimum 500, maximum180000.
60000
Client connection timeout (milliseconds)
The time, in milliseconds, to wait before a connection to a Queue Agent is considered lost. Minimum 1000, maximum 600000.
120000
Heartbeat interval (milliseconds)
The maximum time, in milliseconds, before a heartbeat message is sent to a Queue Agent if nothing else is sent. Minimum 5000, maximum 120000.
30000
Enable IP-address filtering
This check box determines whether the web socket server should only allow connections from certain IP-addresses. If enabled, only addresses specified in the definition clause, below, will be allowed to connect.
Disabled
Allowed IP-addresses
A comma-separated list of allowed IP-addresses. Wildcards are allowed. Localhost (127.0.0.1) is always allowed.
Example: 192.168.2.2*,192.168.1.100 will allow 192.168.2.2, a range from 192.168.2.20 to 192.168.2.29, a range from 192.168.2.200 to 192.168.2.255, 192.168.1.100 as well as 127.0.0.1.
 
Send extended heartbeat message
If this check box is checked, timestamps are included in the heartbeat message. This is combined with trace logging both centrally and on selected Queue Agent(s) that have the agent.conf property central.websocket.heartbeat.extended set to true.
Disabled
Delay start of web socket server (seconds)
Increasing this value will delay the start of the web socket server and prevent any Queue Agent connections, until the web socket server is started. This can, for example, be used for a central system with many distributed Queue Agents.
0
 

Application Parameters

 
Parameter
Description
Default value
Appointment Management Settings
Parameters regarding Appointment management.
 
Delete appointments where endtime passed by (days)
Applicable to Central. Number of days that should pass, since the end time of an appointment, before that appointment is deleted.
1
Delete appointments at (hh:mm)
Applicable to Central. Time when appointments are deleted.
02:00
Cron trigger for synchronizing appointments
Cron job trigger indicating when appointments should be synchronized.
0 0 0 * * *
Cron trigger for deleting old appointments
Cron job trigger indicating when appointments should be deleted.
0 0 2 * * *
Appointment Status callbacks enabled
This parameter is enabled in order to get updates for appointments.
Example:
CREATED: 20
RESCHEDULED: 21
CALLED: 40
ARRIVED: 30
CANCELLED: 53
COMPLETE: 50
NO_SHOW: 51
ENDED_BY_RESET: 52
Enabled
Appointment Status update callback URLs (comma-separated).
 
/calendar-backend/public/api/v1/appointments/callback
Appointment life cycle events enabled
Enable or disable sending of events when appointments created, updated, or deleted.
Disabled
Block early appointments (minutes)
Specify the number of minutes before the appointment start time, that it is possible to call an appointment visit. Note that it is possible to have a different number for different Agent Profiles, here.
 
 
 
 
Recycle Settings
Parameters regarding recycling of tickets.
 
Recycle Max no Recycles
The maximum number of times a ticket can be recycled.
3
Recycle Insert Delay
Number of seconds after which a ticket can be recycled and placed back into the queue at the first position.
60
Browser Settings
 
 
Allow Browser Chrome Frame
When this check box is checked, Chrome Frame is enabled.
Chrome Frame is designed to expand Internet Explorer’s functionality, by adding support for open web technologies and Google Chrome’s fast rendering engine.
Disabled
HttpOnly cookie flag enabled
Cookies with HTTP only flag set to true indicates that the cookie shall only be accessed from server side and not applications running in the browser.
Note that the Use the HttpOnly cookie flag setting should also be enabled in the Calendar Admin application, under System Settings if applicable. For more information, see the Administrator’s Guide.
An Orchestra restart is needed after enabling the HttpOnly cookie flag.
Disabled
Secure cookie flag enabled
A secure flag set to true on a cookie indicates that the cookie must be sent over a secure communication, such as HTTPS.
 
To enable secure flag:
1. Stop Orchestra. (Both Central and Queue Agent(s))
2. Open the file shiro.ini file, located in <orchestra_install_dir>\conf\.
3. Un-comment the property cookie.secure and make sure that it is set to true.
4. Restart Orchestra. (Both Central and Queue Agent(s))
Note that the Use the Secure cookie flag setting should also be enabled in the Calendar Admin application, under System Settings, if applicable. For more information, see the Administrator’s Guide.
An Orchestra restart is needed after enabling the Secure cookie flag.
Disabled
 
 
 
Mobile API (Central)
Parameters regarding username and password for the Mobile API.
 
Username
Username used to access the Mobile API.
mobile
Password
Password used to access the Mobile API.
 
Mobile Ticket Base URL
Base URL used when generating URLs in e.g. barcodes, SMS messages and other mobile ticket implementations.
http://MobileTicket/MyVisit/CurrentStatus
Customer
Parameters regarding handling of Customer data, mainly due to GDPR regulations.
 
Include customers in export
If this check box is checked, customers will be included in export/import.
Disabled
Use retention policy for customer object
If this check box is checked, Customer objects will automatically be updated with a new interaction timestamp and deletion timestamp when Appointments or Visits are created or updated for that Customer.
Enabled
Delete customers, based on retention policy, at (hh:mm)
Customers will automatically be deleted, based on their retention policy, at this time (hh:mm).
Delete job will only run if Use retention policy for customer object is enabled.
01:00
 
 
 
User Settings
Parameters regarding User settings.
 
Number of Login attempts before deactivating user
Number of failed Login attempts before deactivating user. Counter will be reset if successful login occurs before limit is reached.
Counter will also reset when user is updated.
 
Min Login Code
Lowest valid login code number.
1000
Max Login Code
Highest valid login code number. Default is set to 9999.
9999
UserName validation Pattern
Regular expression used for user name validation.
^[a-z]+[a-z,0-9]*$
Password Validation Pattern
Regular expression used for password validation.
^.*(?=.{8,}(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$
Enable automatic deactivation of users
Check this check box to enable automatic deactivation of users that have not logged in for a specified period of time.
Enabled
Deactivate inactive users at (hh:mm)
Users will automatically be deactivated, based on when they were last logged in, at this time (hh:mm).
23:30
Deactivate users not logged in for given number of days
Number of days since last log in, after which users will automatically be deactivated.
180
Password expiration
Enable/disable password expiration
Disabled
Password expiration days
Set the number of days before a password expires.
90
Require new password at first login
Require new users to change their password at first login or after password has been changed by an administrator.
Disabled
 
 
 
Event Manager Settings
Parameter regarding events.
 
Upload Standard Events to Central
Whether or not standard events should be uploaded to Central (yes/no).
Events are uploaded.
Publish Custom Events on Central Topic
Whether or not custom events should be published on Central topic.
Events are published.
 
 
 
Sorting Policy Settings
Settings regarding sorting policy for visits.
 
Multi service visit sort policy
This setting affects how the visit is transferred to the Queue of the next Service in a multi-service Visit. From the drop-down list, select the wanted sorting policy; SORTED, FIRST, or LAST.
SORTED
Queue Agent Media Settings
Parameters regarding handling of media on Queue Agents.
 
Cron trigger for deleting old media
Cron job trigger indicating when old media will be deleted.
0 0 23 * * *
Allowed Download Interval
Time period when download is allowed.
00:00-23:59
Download media in advance (days)
Number of days in advance that media is downloaded.
5
Cron trigger for downloading media.
Cron job trigger indicating when media will be downloaded.
0 0 3 * * *
 
 
 
Statistics Settings
Parameters regarding the handling of statistics.
 
Enable Stat Messages
Whether or not sending of Stat messages should be enabled.
Changing this value requires a restart of both central and all Queue Agents.
Enabled.
Stat Server Address
IP v4 address to the stat resource server.
Note that when creating a Queue Agent Profile, this parameter needs to be changed to the IP address where Stat.war is located.
http://127.0.0.1
Stat Server Port
Port number where the stat resource is configured.
8080
Stat Server Resource
Application name for the stat resource.
/stat/message/
Queue Agent Resend Interval (minutes)
Resend interval (minutes).
10
Queue Agent Upload schedule.
JSON definition of allowed time slots for stat sending, leave empty to always allow stat upload.
Example for upload during the night:
[{“days”:[“Mon”, “Tue”,”Wed”,”Thu”,”Fri”,”Sat”,”Sun”],”time”:”20:00-04:00”}]
[{“days”:[“Mon”, “Tue”,”Wed”,”Thu”,”Fri”,”Sat”,”Sun”],”time”:”00:00-23:59”}]
 
 
 
SSO Settings
For more information about the SSO Settings, see “SSO setup” .
 
Enabled
Mark this check box to enable SSO. By default it is not enabled.
Not enabled
Allow basic authentication
 
Not allowed
Allow localhost
 
Allowed
Allow unsecure basic
 
Not allowed
Client module
 
spnego-client
Pre-authentication user name
User name of pre-authentication user.
preauthuser
Pre-authentication password
Password of pre-authentication user.
 
Login server module
 
spnego-server
Prompt ntlm
 
Not enabled.
Allow delegation
 
Allowed
Logger level
 
1
LDAP Settings
LDAP configuration in Orchestra consists of two tasks:
Server configuration
System parameters - found in this table.
Certificate handling - see “LDAP Certificate Handling” .
LDAP/AD Group Mappings, e.g how LDAP objects, groups are mapped to Orchestra entities (Roles, Branches/Branch Groups). For more information, see the Administrator’s Guide.
Each Orchestra attribute has a corresponding LDAP field attribute. For more LDAP information, see “LDAP Hosts/Urls” .
The user superadmin will always log in locally. It is also possible to create users that are not authenticated towards the Active Directory.
 
Enabled
When the check box is checked, all users are authenticated towards the configured LDAP server, that is the Active Directory.
This parameter needs to be set to true, in order to be able to perform LDAP mappings in the User Management application.
Not enabled.
Validate settings
Validate settings against LDAP server, when enabling LDAP. Disabling allows settings to be saved, even if LDAP server is not available.
Enabled
Server URL(s)
Space separated list of full LDAP URL:s, e.g. ldap://somehost:somePort
ldap://localhost:389
Bind user Dn
Bind user name, either accountName@domain.foo or full DN.
addEntryUser@domainName.se
Bind user password
Bind user password.
 
Base search context DN
Defines the root context, from which searches will origin.
CN=Users,DC=your_domain,DC=com
Account search filter
Defines how a user account DN should be searched for.
(&(objectClass=user)(sAMAccountName={0}))
Search timeout (millis)
Defines the timeout for an LDAP query in milliseconds.
1000
User groups attribute name
User attribute that defines the groups of the user.
memberOf
Mapped user attributes
Defines what user attributes that should be returned when searching for a user.
The values from the fields below should be used in this string.
accountName,firstName,lastName,locale,rtl,loginCode
Account name mapped attribute
Defines the user attribute mapped to the account name.
sAMAccount Name
First name mapped attribute
Defines the user attribute mapped to the first name of the user.
givenName
Last name mapped attribute
Defines the user attribute mapped to the last name of the user.
sn
Locale mapped attribute
Defines the user attribute mapped to the locale of the user.
msExchUserCulture
RTL mapped attribute
Defines the user attribute mapped to the right-to-left setting of the user. Should be evaluated to true/false.
rtl
Login code mapped attribute
Defines the user attribute mapped to the login code of the user.
loginCode
Pre Authentication and Authorization Settings
 
Enabled
Enable/disable Pre Authentication and Authorization. This will also enable the Pre Authorization tab in the User Management application.
Disabled
User name header
Name of the HTTP header for user name.
iv-user
Group mapping IDs header
Name of the HTTP header for mapping name for role access.
iv-groups
Branch mapping IDs header
Name of the HTTP header for mapping name for branch access.
office_id
Given name header
Name of the HTTP header for user’s given name.
givenname
Surname header
Name of the HTTP header for user’s surname.
sn

LDAP Hosts/Urls

The LDAP Hosts/Urls define what Active Directory hosts that should be used for authentication.
Orchestra will try to connect to the first one in the list, if Orchestra establishes a connection, the authentication will be performed towards that server. If the connection fails because the server is unavailable/down, Orchestra will automatically try the next server in the list.
Authentication will only be performed once, using the first available connection.
It is possible to specify the LDAP server port, if the server does not use the default port, 389.
If the Active Directory server uses encrypted communication, that is LDAP over SSL (Secure Sockets Layer), one must import the appropriate server certificates in order to secure the connection.
For more information, see “Example:”.
Note that the server url is different in this case, ldaps://server:636. The default secure port is 636.

LDAP Certificate Handling

You must export the CA certificate from the Active Directory server to enable Secure Sockets Layer (SSL) security.
Different Corporate organizations have different methods and processes to create a CA root certificate. The procedure below provides information on creating a personal CA for Active Directory 2003.

Procedure

1. Log on as a domain administrator on the Active Directory domain server.
2. Install the certificate authority (CA) on the Microsoft Windows Server, which installs the server certificate on the Active Directory server. To do so, complete the following steps:
a) Click Start > Control Panel > Administrative Tools > Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.
b) Highlight the CA computer, and right-click to select CA Properties.
c) From General menu, click View Certificate.
d) Select the Details view, and click Copy to File on the lower-right corner of the window.
e) Use the Certificate Export wizard to save the CA certificate in a file.
You can save the CA certificate in either DER Encoded Binary X-509 format or Based-64 Encoded X-509 format.

Adding AD/LDAP server certificate to Orchestra Central

The Active Directory/LDAP server certificate must be added to the trusted store of certificates on Orchestra.

Preparation:

1. Copy the Active Directory Server certificate to a temporary location, for example:
C:\TEMP\myADcert.cer
 

SSL Certificate import:

1. In Orchestra conf/security folder, execute the following:
keytool -import -keystore truststore -file <cert-file> -storepass changeit
 
2. Edit app/<wildfly-11.0.0.Final>/bin/standalone.conf.bat.
Make sure that the password entered above matches the following parameter value:
javax.net.ssl.trustStorePassword=changeit
 

Example:

Owner: CN=elkcertificate, DC=elk, DC=se
Issuer: CN=elkcertificate, DC=elk, DC=se
Serial number: 423e55f0dff557b24ffe5e41a7df65c8
Valid from: Thu Nov 13 11:02:53 CET 2008 until: Wed Nov 13 11:10:07 CET 2013
Certificate fingerprints:
MD5: 36:C0:35:A0:FA:4B:81:B4:F2:35:F2:F3:13:CF:73:92
SHA1: C3:F6:56:A5:F0:49:65:DE:DA:D5:64:94:FD:88:8D:32:8E:95:8F:87
SHA256: 76:6A:02:FF:6C:A3:3C:74:BC:CF:C8:A6:23:F1:13:3F:69:6E:F0:BE:53:6E:AB:AF:78:2A:6F:22:F1:73:A9:9A
Signature algorithm name: SHA1withRSA
Version: 3
 
Extensions:
 
#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...
 
 
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=elkcertificate,CN=testpc2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=elk,DC=se?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://testpc2.elk.se/CertEnroll/elkcertificate.crl]
]]
 
#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
 
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 39 C9 64 7C 58 79 86 A2 62 01 80 FF 09 1E F5 43 9.d.Xy..b......C
0010: 5C 23 14 DD \#..
]
]
 
Trust this certificate? [no]: yes
Certificate was added to keystore
3. Orchestra can now use SSL for communicating with the Active Directory.
If either of the SSL parameters in the configuration file was changed, for example trust store file name or trust store password, the Orchestra must be restarted in order to commit the changes.

Adding AD/LDAP server certificate to Distributed Queue Agent

1. Copy the Active Directory server certificate to a temporary location, e.g. C:\TEMP\fooAD-DER.cer, /tmp/fooAD-DER.cer
2. Go to the profile template for the distributed Queue Agent, e.g.
*nix:
<install_dir>/media/agentProfiles/2.3-master-custom/conf/security
 
Windows:
<install_dir>\media\agentProfiles\2.3-master-custom\conf\security
 
3. Import the certificate using the standard Java command key tool:
keytool -import -keystore truststore.jks -file C:\TEMP\fooAD-DER.cer -storepass changeit