Global Configuration Properties

SignServer supports global properties with hierarchical scoping. Global properties sit outside any individual Worker and affect the entire SignServer instance or a specific node.

Global Properties Functional Categories

  • System: HTTP_MAX_UPLOAD_SIZE, FILE_SIZE_THRESHOLD, HTTP_MAX_UPLOAD_FIELD_COUNT

  • Access Control: ALLOW_ANY, WSADMINS, GLOB.WSPEERS, WSARCHIVEAUDITORS, WSAUDITORS, ALLOWANYWSADMIN

  • Worker Registration: GLOB.WORKER<id>.CLASSPATH, GLOB.WORKER<id>.SIGNERTOKEN.CLASSPATH

  • Worker Defaults: GLOB.DEFAULT.SHAREDLIBRARYNAME, GLOB.DEFAULT.SLOTLABELTYPE, GLOB.DEFAULT.SLOTLABELVALUE, GLOB.DEFAULT.PIN

  • Request Prioritization: GLOB.QOS_FILTER_ENABLED, GLOB.QOS_PRIORITIES, GLOB.QOS_MAX_REQUESTS, GLOB.QOS_MAX_PRIORITY

  • Peer Systems: GLOB.PEERS_INCOMING_ENABLED

  • JWKS Cache Size: GLOB.JWKS_CACHE_SIZE

Some global properties use the following scope prefixes:

  • GLOB.: Applies across all nodes (SCOPE_GLOBAL).

  • NODE.: Applies only to the current node (SCOPE_NODE). The node ID is automatically appended.

System Properties

SignServer imposes a soft limit by refusing to process uploads larger than 100 MB. The limit can be changed with the following global configuration properties:

HTTP_MAX_UPLOAD_SIZE
  Default: 104857600 (100 MB)
  Maximum size (in bytes) allowed for an HTTP request.

HTTP_MAX_UPLOAD_FIELD_COUNT
  Default: 16
  The default of 16 typically supports up to around 10 request metadata properties, depending on how many other fields are provided. Raise the value if more fields are needed.

FILE_SIZE_THRESHOLD
  Default: 1048576 (1 MB)
  Size threshold (in bytes) above which uploaded data is written to disk.

Uploaded files are temporarily stored in the default temp directory. To change it, start the application server with a different value for the Java property java.io.tmpdir.

For implementation information, see Client HTTP Interface.

Access Control Properties

The access control global properties configure who can use the Admin WS Interface:

ALLOW_ANY
  Set to true to enable. When enabled, users can perform admin actions without being listed as an administrator.

WSADMINS
  List of administrator certificates (serial number + issuer DN) allowed to administrate in WS.

WSAUDITORS
  List of auditor certificates allowed to query the audit log in WS.

WSARCHIVEAUDITORS
  List of auditor certificates allowed to query the archive in WS.

ALLOWANYWSADMIN
  When true, overrides WSADMINS and allows any certificate trusted by the web server.

These are typically managed using CLI commands rather than set manually:

bin/signserver wsadmins -add -certserialno 123ABCDEF -issuerdn "CN=AdminCA, C=SE"
bin/signserver wsauditors -add -certserialno 456ABCDEF -issuerdn "CN=AdminCA, C=SE"

In the Admin WS, setting wsadmins -allowany to true overrides the ALLOW_ANY property and allows any administrator with a certificate accepted by the web server. Setting it to false disables ALLOW_ANY and all functionality associated with its configuration. See Deploy-time Configuration.

Worker Registration Properties

The Worker registration properties tell SignServer which Workers exist and what Java classes implement them.

GLOB.WORKER<id>.CLASSPATH
  Fully qualified class name of the Worker implementation.
  Example: GLOB.WORKER3.CLASSPATH=org.signserver.module.cmssigner.CMSSigner

GLOB.WORKER<id>.SIGNERTOKEN.CLASSPATH
  Fully qualified class name of the Crypto Token implementation.
  Example: GLOB.WORKER3.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.PKCS11CryptoToken

Default Global Worker Properties

Certain Worker properties can instead be specified as default values in the global configuration, to avoid repeating them in every Worker. An individual Worker overrides a global default (if any) simply by specifying the property as usual.

Global default values are specified in the global configuration with the property name prefixed with GLOB.DEFAULT. The following properties can currently be given a global default:

GLOB.DEFAULT.SHAREDLIBRARYNAME
  Name of the pre-defined library.
  Example: GLOB.DEFAULT.SHAREDLIBRARYNAME=/opt/utimaco/Software/PKCS11/lib/Linux-x86-64/libcs2_pkcs11.so

GLOB.DEFAULT.SLOTLABELTYPE
  How to identify the slot (SLOT_NUMBER, SLOT_INDEX, or SLOT_LABEL).
  Example: GLOB.DEFAULT.SLOTLABELTYPE=SLOT_INDEX

GLOB.DEFAULT.SLOTLABELVALUE
  Which slot to use, interpreted according to GLOB.DEFAULT.SLOTLABELTYPE.
  Example: GLOB.DEFAULT.SLOTLABELVALUE=1

GLOB.DEFAULT.PIN
  HSM activation PIN.

Request Prioritization Properties

Enterprise

Request Prioritization is a feature enabled through a SignServer global configuration property. It lets you assign different priority levels to signing requests based on the Worker a request is targeted to.

To enable Request Prioritization, set the global configuration property GLOB.QOS_FILTER_ENABLED to true. The feature is disabled (false) by default in a newly installed or upgraded system.

GLOB.QOS_FILTER_ENABLED
  Default: false
  Enables or disables request prioritization. When false, the filter acts as a pass-through and treats all requests equally.

GLOB.QOS_PRIORITIES
  Default: (none)
  Comma-separated list of WorkerID:PriorityLevel pairs. For example, 1:1,2:2,4:5 assigns the following priority levels (a higher value means higher priority):

  • Priority level 1 to the Worker with Worker ID 1

  • Priority level 2 to the Worker with Worker ID 2

  • Priority level 5 to the Worker with Worker ID 4

  For more information on Worker IDs, see Worker Status Properties Page.

GLOB.QOS_MAX_REQUESTS
  Default: 10
  Maximum number of requests handled concurrently before queuing begins.

GLOB.QOS_MAX_PRIORITY
  Default: 5
  Maximum priority level integer. Workers not assigned a priority default to level 0.

See Set up Request Prioritization.
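As an added illustration (not SignServer's own code) of how these properties combine, the following Python resolves a set of GLOB.QOS_* values into per-Worker levels, applies the documented defaults, rejects pairs that are malformed or exceed GLOB.QOS_MAX_PRIORITY, and orders queued requests so higher levels go first. QosConfig, parse_qos and dispatch_order are names chosen here, and the sample dictionary is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class QosConfig:
    """Resolved Request Prioritization settings (constructed model)."""
    enabled: bool
    max_requests: int
    max_priority: int
    priorities: dict = field(default_factory=dict)  # Worker ID -> level

    def priority_for(self, worker_id: int) -> int:
        """A disabled filter is a pass-through (everything at level 0);
        Workers without an assigned priority also default to level 0."""
        if not self.enabled:
            return 0
        return self.priorities.get(worker_id, 0)


def parse_qos(props: dict) -> QosConfig:
    """Build a QosConfig from GLOB.* properties, applying the documented
    defaults and rejecting malformed or out-of-range entries."""
    enabled = props.get("GLOB.QOS_FILTER_ENABLED", "false").strip().lower() == "true"
    max_requests = int(props.get("GLOB.QOS_MAX_REQUESTS", "10"))
    max_priority = int(props.get("GLOB.QOS_MAX_PRIORITY", "5"))
    priorities = {}
    raw = props.get("GLOB.QOS_PRIORITIES", "")
    for pair in (p.strip() for p in raw.split(",") if p.strip()):
        worker, sep, level = pair.partition(":")
        if not sep or not worker.isdigit() or not level.isdigit():
            raise ValueError(f"malformed WorkerID:PriorityLevel pair {pair!r}")
        if int(level) > max_priority:
            raise ValueError(f"Worker {worker}: level {level} exceeds "
                             f"GLOB.QOS_MAX_PRIORITY={max_priority}")
        priorities[int(worker)] = int(level)
    return QosConfig(enabled, max_requests, max_priority, priorities)


def dispatch_order(cfg: QosConfig, pending: list) -> list:
    """Order queued requests (given by target Worker ID) so that higher
    priority levels are served first; ties keep arrival order."""
    return sorted(pending, key=lambda wid: -cfg.priority_for(wid))


# Constructed sample using the documented example value 1:1,2:2,4:5
SAMPLE = {
    "GLOB.QOS_FILTER_ENABLED": "true",
    "GLOB.QOS_PRIORITIES": "1:1,2:2,4:5",
}
```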

Peer Systems Properties

Enterprise

The PEERS_INCOMING_ENABLED property is used for peer systems-related configuration. The property applies to deployments where a SignServer instance is connected with an EJBCA instance.

PEERS_INCOMING_ENABLED
  Set to true to allow incoming peer connections. Corresponds to the Admin Web "Allow incoming connections" option on the Administrator Page.

See Peer Systems.

JWKS Cache Size Property

When the JWKS endpoint URL is used to fetch the public keys from the authorization server, SignServer caches the keys per issuer.

GLOB.JWKS_CACHE_SIZE
  Default: 10
  Number of issuers whose keys are cached.

A server restart is required for the changes to take effect.

For more information, see JWT Authorizer.


How to Set Global Properties

Configure in Admin CLI

Property files use the GLOB. or NODE. prefix to identify global or node-scoped entries.

Use setproperty to set a single property:

bin/signserver setproperty global GLOB.PROPERTYNAME value
bin/signserver setproperty global NODE.PROPERTYNAME value

The setproperties command reads all the configuration properties from a property file, and depending on the contents of the key, it sets the given property.

bin/signserver setproperties myconfig.properties

You can also get a property with:

signserver getproperty <signerid | signerName | global | node> <propertykey>

Configuration Commands

getconfig
  Returns the global configuration depending on options.

getproperty
  Lists the value of a global property.
  Usage: signserver getproperty <signerid | signerName | global | node> <propertykey>

setproperty
  Sets a single property in either the global or a Worker configuration.
  Usage: signserver setproperty 1 DEFAULTKEY "ts00003"

setproperties
  Batch-sets properties for both the global and Worker configurations. This lets you configure a Signer in a test environment, dump all its properties, and upload them into production.

  The setproperties command reads all the configuration properties from a property file and, depending on the contents of each key, sets the given property. All properties are set according to the following rule set:

  • Properties starting with id<num>.: sets the property on the Worker with the given ID.

  • Properties starting with name<name>.: sets the property on the Worker with the given name. If the name does not exist, a unique ID is generated and assigned.

  • Property keys containing GENID<NUM> (for example WORKERGENID1 or GLOB.WORKERGENID1): SignServer finds a free unique ID and substitutes it for every occurrence of GENID<num>.

  • Properties starting with glob.: sets a global property with global scope.

  • Properties starting with node.: sets a global property with node scope.

  • Properties starting with -<other prefix><value>: removes the property, either Worker or global.

  For examples, see the directory sample-configs.
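The rule set above, worked through as an added Python example that is not the SignServer CLI: resolve() classifies each line of a property file into a set or remove operation with its scope and target, allocating one fresh ID per distinct GENID<num> and per unknown Worker name. It assumes prefixes match case-insensitively, treats WORKER<num>. like id<num>. (as the GENID example implies), hands out IDs from a constructed counter, and takes known Worker names from a constructed table.

```python
import re, itertools

GENID_RE = re.compile(r"GENID(\d+)", re.IGNORECASE)
ID_RE = re.compile(r"^(?:id|worker)(\d+)\.(.+)$", re.IGNORECASE)
NAME_RE = re.compile(r"^name([^.]+)\.(.+)$", re.IGNORECASE)

def resolve(lines, known_names, first_free_id=100):
    """Map property-file lines to (action, scope, worker_id, key, value), where
    action is "set"/"remove" and scope is "worker"/"global"/"node"."""
    ids, genid, names = itertools.count(first_free_id), {}, dict(known_names)  # constructed allocator
    def sub_genid(m):                              # GENID<num> -> one free ID per num
        if m.group(1) not in genid:
            genid[m.group(1)] = next(ids)
        return str(genid[m.group(1)])

    ops = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):       # blank line or comment
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        action = "set"
        if key.startswith("-"):                    # -<prefix> rule: removal
            action, key = "remove", key[1:]
        key = GENID_RE.sub(sub_genid, key)
        if m := ID_RE.match(key):                  # id<num>. (or worker<num>.)
            ops.append((action, "worker", int(m.group(1)), m.group(2), value))
        elif m := NAME_RE.match(key):              # name<name>.
            if m.group(1) not in names:
                names[m.group(1)] = next(ids)      # unknown name: assign new ID
            ops.append((action, "worker", names[m.group(1)], m.group(2), value))
        elif key.upper().startswith(("GLOB.", "NODE.")):
            scope = "global" if key.upper().startswith("GLOB.") else "node"
            ops.append((action, scope, None, key, value))
        else:
            raise ValueError(f"key matches no setproperties rule: {key!r}")
    return ops

SAMPLE = """\
# constructed sample property file exercising each rule listed above
GLOB.WORKERGENID1.CLASSPATH=org.signserver.module.cmssigner.CMSSigner
WORKERGENID1.DEFAULTKEY=ts00001
nameExistingSigner.DEFAULTKEY=ts00002
nameNewSigner.DEFAULTKEY=ts00004
id3.DEFAULTKEY=ts00003
GLOB.DEFAULT.SLOTLABELTYPE=SLOT_INDEX
NODE.PROPERTYNAME=value
-id3.DEFAULTKEY=
"""
```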

dumpproperties
  Dumps all configured properties for one or all Workers in the system into a property file. If the configuration of a single Worker is dumped, the file can be used to transfer that configuration from one installation to another. If all configurations are dumped, it can serve as a backup.

Configure in Admin Web

The Admin Web also exposes a Global Configuration section with the same capabilities. See Global Configuration Page.


Viewing Global Properties

To inspect all current global properties alongside Worker statuses:

bin/signserver getstatus complete all

If all Workers are displayed, all the global configuration parameters will also be displayed.

To dump everything to a file for backup or migration:

bin/signserver dumpproperties all backup.properties

Important Notes

  • All configuration commands are cached until a reload command is issued and the configuration becomes active. After setting global properties, you typically need to run bin/signserver reload <workerID> for worker-related changes.

  • The resync command is available if a SignServer node has a complete database failure, causing the Global Configuration to switch to Offline mode. After the database recovers, resync writes the valid configuration back and restores Online mode. See Admin CLI.

  • Properties considered sensitive (currently PIN, KEYSTOREPASSWORD, and KEYDATA) are masked when displayed in the Admin Web and in configuration dumps. See Masking Sensitive Properties.