Cryptshare System Properties
By placing an additional settings file called 'cryptshare.properties' into the Cryptshare installation folder, certain parts of the Cryptshare Server can be influenced in their behavior. These settings are intended for use when experiencing problems with the Cryptshare Server. As of now, settings regarding the following parts of the application can be made:
- Optimizing the database
- Skipping of certain operations during cleanup (Cleanup Task)
- Sizing of the thread pool for encryption threads
- Maximum timeout for a pending Backup Task
cryptshare.properties does not exist
By default, the 'cryptshare.properties' file is not part of the Cryptshare Installation and has to be created first:
- Navigate to the Cryptshare installation folder and create the file 'cryptshare.properties'
- Add the desired configuration flags to the file. One flag per line:
- Save the changes
Please note, that when introducing or changing the contents of this file, a system restart is required.
The settings file will automatically be re-initialized upon change but there are Values which require a restart..
Optimizing the database
When experiencing issues with database records or the speed of the database, an additional step for the Cleanup Task can be activated in order to optimize it.
This additional operation can be activated at any time and will be executed before other cleanup operations.
Please note that the execution time for this operation can take a considerable amount of time depending on the size of your database and how the system is used.
A database-internal mechanism will optimize and repair the database by performing an export/import operation on it. This will repair/delete corrupted database records. Depending on the size of the database this operation can take several minutes.
Please note, that after this operation the database will be shut down for a few seconds in order to replace the old version of the database with the optimized one.
DB Hard Shutdown
By default this setting is disabled and can be enabled in case the database won't properly shutdown. If the Cryptshare service repeatedly won't shutdown because the database is still running, this flag can be enabled.
Please note that enabling this flag should be a temporary solution only. Contact Cryptshare support in order to get a permanent solution.
Database threads will be interrupted if the regular shutdown procedure hangs.
Default Setting: 'false'
Valid Settings: 'true' or 'false'
Automatic WAL size limitation
The database creates journal files, so-called write-ahead logs (WAL). By default, they take up to 4.096 MB disk space. If the amount of free disk space is lower than that, database operations may fail.
To prevent this, Cryptshare checks the free disk space (of the volume where <installation directory>/orientDB/databases is mounted) at startup and limits the maximum size that is consumed for WAL files accordingly. If there is enough free space available, the maximum WAL size is left untouched at 4.096 MB.
The automatic limitation can be disabled with this setting, which means that the database uses the default size of 4.096 MB.
Default Setting: 'true'
Valid Settings: 'true' (automatic limitation is enabled) or 'false' (automatic limition is disabled)
Skipping Cleanup Task Steps
The cleanup task consists of several steps executed in subsequent order. If due to database inconsistencies or internal database errors one of these steps cannot finish its operations properly or gets stuck, the respective step can be skipped in order to be able to finish the rest of the cleanup operation.
Please note that skipping cleanup steps is not recommended unless you are experiencing issues which cause the cleanup task not to finish its cleanup procedure.
Steps which can be skipped
In order to find out which cleanup step is responsible for errors you can check the system log and deactivate this step by applying the respective Cryptshare system property.
LockData Cleanup Step
LockData is an internal record keeping track of wrong-password attempts within the Cryptshare download section.
This data will be removed from the system as soon as it is not required anymore. For instance if a transfer record has been archived.
Verification Cleanup Step
Verification records are the server-side representation of verified users.
Expired verifications will be removed from the system.
This step can be skipped without risk. However, if not active, the database will fill up with lock data records not required anymore.
This step can be skipped without risk. However, if not active, the database will fill up with expired verification records.
Timeout for pending BackupTask
If the database backup has been enabled, the backup task is configured to wait for other tasks to finish their operations before executing the backup. However it can happen, that theses tasks are not finished properly so that the backup task would be waiting infinitely.
The maximum timeout setting configures the backup task to continue with its operations regardless of the fact that there are still running tasks. The default value is set to 60 minutes.
Please do not change these settings unless you are experiencing problems.
Encryption Thread Pool
The size for the Cryptshare encryption thread pool defines the amount of parallel file encryption operations for Cryptshare Transfers. The default setting is set to 50.
This means, that on a Cryptshare server with this setting 50 parallel encryption processes can be initiated. The next process which would exceed this maximum will be put into a queue and will be started as soon as a thread from this pool is available again.
Please note, that this setting can have a noticable impact on CPU and memory usage.
- A high value for this setting will INCREASE the CPU usage
- A low value for this setting will DECREASE the CPU usage
<int>: Numeric value specifying the thread pool size
Download Decryption Buffer
Cryptshare works with an AES algorithm. This algorithm is known to be much more resource-intensive when decrypting than when encrypting.
Depending on how the system is mainly used, a change of the decryption buffer size can either increase or decrease CPU/Memory consumption.
The default setting for the decryption buffer is 2MB. This is a good setting for a server handling both, small and large files. If the server however is mostly handling larger files, increasing the buffer size can considerably improve the CPU consumption. However, this will increase memory usage.
Please note, that this setting should be handled with caution as it can have a massive impact on CPU and memory use.
<int>: Numeric value specifying the buffer size in bytes.
Default: 2097152 (2MB)
Under high load, the Cryptshare Server delays the decryption of files being downloaded to improve responsiveness of the Cryptshare Server. This behavior can be disabled if it causes problems.
This property can be set to "false" without a server restart and it will be instantly applied. When setting it to "true", a restart is required.
HTML5 Transfer Settings
HTML5 Parallel Upload Streams
The HTML5 transfer mode usually is a lot faster than the other transfer modes, as it dynamically optimizes the transfer rate and will upload up to 5 files in parallel if possible.
This however can cause a large I/O activity on server-side, especially for servers using regular HDD for storage (No SSD).
Since Cryptshare version v4.1.3 the amount of parallel uploads is automatically reduced on slow connections.
Please do only change this parameter if experiencing performance issues such as interrupted HTML5 uploads due to too high I/O activity or CPU load.
Please also note, that decreasing this parameter will also slow down the HTML5 upload rate.
<int>: Numeric value specifying the maximum amount of parallel HTML5 upload streams.
HTML5 Cleanup Tracker Timeout
In HTML5 transfer mode every upload stream is kept under surveillance by a Cleanup Tracker which makes sure, that upload files of interrupted transfers will be removed from the system.
On bad internet connections however, the default timeout setting of 10 minutes can be too short and ongoing HTML5 uploads are interrupted before the transfer is complete.
In order to avoid this behavior, the default timeout setting can be increased.
<timeout in minutes>: Numeric Integer value specifying the timeout value in minutes
Allowed: Integer between 1 and 60
HTML5 Client Error Count
The HTML5 transfer mode is capable of proceeding a transfer even when the http connection temporarily gets interrupted or is so bad that many requests are running into a timeout.
If such an error occurs the client will try to re-send the failed packages until either all packages were transferred successfully or the error counter has exceeded. In case the error count has exceeded the client will cancel the transfer.
If your clients often run into this problem it is possible to increase the maximum error count so that clients won't cancel a transfer so quickly.
Please note, that an increased error count can have a massive impact on performance to both server and client. If your server has not enough resources to handle many clients in parallel or to handle large uploads, increasing this setting can have the opposite effect.
It is therefore recommended to make sure first that the server resources are sufficient and the transfer failures are indeed happening because of a bad network connection.
To increase the performance of LDAP requests, Cryptshare uses a pool of already established connections. They can be used and re-used for LDAP requests.
It is possible to configure the minimum (initial) and maximum number of simultaneously established connections.
<int>: Numeric integer value that specifies the number of connections.
Default initial number: 5
Default maximum number: 20
A timeout specifies the maximum time that is allowed to perform a certain task. Regarding LDAP, there are two timeouts that can be configured:
Connection timeout: Allowed time to establish a connection to an LDAP server.
Response timeout: Allowed time recieve a response to a submitted request.
<int>: Numeric integer value that specifies the time in milliseconds.
Default connection timeout: 5000 (5 seconds)
Default response timeout: 20000 (20 seconds)
Some LDAP directories are partitioned / distributed and contain entries that refer to other directories (so-called referrals). Optionally, the automatic resolution of these references through an additional connection can be enabled. If the resolved reference again contains a reference, this will not be resolved.
The automatic resolution of referrals is activated in versions 3.11.0.X and 3.11.1.X (not configurable) and as of version 3.11.2.X is disabled per default. Please note that an enabled referral resolution may affect the performance of LDAP queries.
Default: false (disabled)
Security Setting Rate Limiting
Rate Limiting for Requesting a Verification Code
In order to limit the number of verification requests per minute to prevent DoS attacks and mail flooding, rate limiting for requesting a verification code is active. The number of verification codes that can be requested per minute is limited to 25 by default.
For handling rate limit requests, additional response headers are available. See Rate limiting
<int>: Numeric integer value that specifies the number of verification code requests per minute.
This feature is deactivatable by setting the value to 0.
Priorization of file types for EML Archiving
Using EML archiving it is possible to set a attachment total file size limit for attachments put into the generated EML file. When the total attachment file size exceeds the set limit, files are attached to the EML file using a priorization list of file types where file type extensions at the start have a higher priority than those after them. File types not in the list have the lowest priorty. If an empty string is provided as priorization list, this file type priorization behaviour is disabled.
You can find more information for the EML Archiving in the article Activating the Archiving Feature.
<csv>: Comma-separated list of file extensions
Further Configuration Flags
XML Service Interface: Password Validation
With Cryptshare v126.96.36.199 or higher, the XML Service Interface used by the Cryptshare Robot, Cryptshare for Notes (up to v2.9.x) and Cryptshare for Outlook (up to v1.6.3) will validate a given transfer password. If the password does not comply with the password quality settings on the server, the transfer will be declined.
For these products the password validation can be deactivated as they are neither capable of validating nor creating passwords according to the password policy specifications. This can cause transfers to be declined although the client has accepted the given password.
Cleaning up orphaned temporary upload files
While files are being uploaded during a transfer, this data is written to a temporary upload directory. Due to technical reasons it is however possible that those files are not always deleted afterwards.
Therefore an additional cleanup step which is executed during the execution of the Cleanup Task takes care of those orphaned files and removes them from the disk if they are older than 24 hours.
Log Verbosity for ongoing uploads
In order for the administrator to recognize if uploads are in progress, an informational log entry is written for every thousandth upload request.
Depending on the upload activity of this server there might be too many or to few of these entries. In either way, the counter for this feature can be changed accordingly.
Performing a backup before an update
Usually before an update is performed, a rollback-compatible backup will be made. In case, there's something wrong with the backup procedure so that it avoids performing the update, this step can be disabled.
Maximum File Size for the Cryptshare Content Viewer
The Content Viewer in the download section of Cryptshare only opens files smaller than 2MB. For security reasons the viewer only opens these files in memory which can massively increase the memory consumption.
Please note, that depending on your available memory and the average user load on the server memory consumption can increase drastically if you increase this setting.
This value also affects the display of the confidential message in the download page.