mirth.properties File
This is the main configuration file that tells Mirth® Connect where to store application data, what web server ports to listen on, and which database to connect to. You can also set other security and encryption options.
The following properties are supported:
Property | Default Value | Description |
---|---|---|
Directories | ||
dir.appdata | appdata | The location of the Application Data Directory. |
dir.tempdata | ${dir.appdata}/temp | The location of the temporary files directory, by default set inside of the Application Data Directory. |
Ports | ||
http.port | 8080 | The HTTP port the web server listens on. It serves the launch page and the signed client resources that the Administrator downloads. If this property is omitted or commented out, the web server only starts on the HTTPS port. |
https.port | 8443 | The HTTPS port the web server listens on. It serves the launch page over HTTPS, the web dashboard, and all REST API traffic (which includes the Administrator and the CLI). |
Password Requirements | ||
password.minlength | 0 | Minimum password length, 0 for no minimum. |
password.minupper | 0 | Minimum uppercase characters, 0 for no minimum. |
password.minlower | 0 | Minimum lowercase characters, 0 for no minimum. |
password.minnumeric | 0 | Minimum numeric characters, 0 for no minimum. |
password.minspecial | 0 | Minimum special characters, 0 for no minimum. |
password.retrylimit | 0 | Maximum number of times a user may retry a failed log on, 0 for no maximum. If specified, the lockout period must be specified as well. |
password.lockoutperiod | 0 | Amount of time (in hours) to lockout user when the retry limit is exceeded, 0 for no lockout. |
password.expiration | 0 | After this amount of time (in days) passwords expire. |
password.graceperiod | 0 | If a user's password has expired, the amount of time (in days) the user is given to change the password after the next log on. |
password.reuseperiod | 0 | The amount of time (in days) that must pass before a user may change a password back to one used in the past. Set to 0 to always allow reuse, or -1 to never allow reuse of the same password. |
password.reuselimit | 0 | The number of times users can reuse the same password. Set to 0 for no limit, or -1 to never allow users to reuse the same password. |
Keystore | ||
keystore.path | ${dir.appdata}/keystore.jks | The location of the keystore file, which houses the server certificate and the secret encryption key. This is usually located in the Application Data Directory. |
keystore.storepass | 81uWxplDtB | The password for the keystore file itself. It is a good idea to change this from the default value. On first startup when the keystore is created, if this value equals the default, it is replaced with a randomly generated password. |
keystore.keypass | 81uWxplDtB | The password for the keys within the keystore, including the server certificate and the secret encryption key. It is a good idea to change this from the default value. On first startup when the keystore is created, if this value equals the default, it is replaced with a randomly generated password. |
keystore.type | JCEKS | The type of keystore. Usually this should not be changed. |
Server | ||
http.contextpath | / | The base context path of the web server. |
server.url | | If set, this URL is written into the Java Web Start JNLP file so that when users open the Administrator it is shown in the server URL field by default. |
codebase.webstart.url | | When using a reverse proxy, the URL from which to download the Administrator's resources. |
http.host | 0.0.0.0 | The network interfaces to listen on for the web server HTTP port. Use 0.0.0.0 for all interfaces. |
https.host | 0.0.0.0 | The network interfaces to listen on for the web server HTTPS port. Use 0.0.0.0 for all interfaces. |
server.id.ephemeral | false | If true, the server will auto-generate a server ID on startup. Otherwise, the appdata/server.id file will be used. |
server.startuplocksleep | | When multiple servers start up at the same time against a new, uninitialized database, there is a race condition in which both attempt to initialize the database at once. If this option is set, servers use a designated STARTUP_LOCK table to ensure that only one server initializes the database. The other servers wait this amount of time (in milliseconds) during the start-up sequence before continuing, giving the first server time to initialize the database. If you need this option, the suggested value is 5000 (5 seconds). |
server.startupdeploy | true | Determines whether channels are deployed on server startup. |
server.includecustomlib | false | Determines whether libraries in the custom-lib directory are included on the server classpath. To reduce potential classpath conflicts you should create Resources and use them on specific channels/connectors instead, and then set this value to false. |
administrator.maxheapsize | 512m | The default maximum client-side heap size to set in the Java Web Start JNLP. Users may override this on the launch page. Note that this is not the same as the server-side max heap size. |
administrator.maxheapsizeoptions | 256m,512m,1g,2g | The client-side max heap size options to offer the user on the launch page and in the Server Manager. |
configurationmap.location | file | Determines whether the configuration map is stored as a file, or in the database. Valid values: file, database |
configurationmap.path | ${dir.appdata}/configuration.properties | The location of the configuration map properties file. Usually this is in the Application Data Directory. |
extension.properties.provider | | The fully-qualified class (extending ExtensionStatusProvider) that controls extension enabled/disabled flags. If absent or set to "file", the default behavior is used, reading from ${dir.appdata}/extension.properties. |
donkey.statsupdateinterval | 1000 | The interval on which to update channel statistics across all channels. |
license.key | | A valid license key is required to use Mirth® Connect and any Services and Extensions. Contact the help desk through our Success Community to get a license key. |
rhino.optimizationlevel | -1 | Sets the optimization level for Rhino (the JavaScript engine). -1 runs the engine in interpretive mode, which is less efficient but allows very large/complex scripts to compile. Set it to 0 or 1-9 to increase optimization, which may improve performance at the cost of limiting script complexity. |
rhino.languageversion | ES6 | The ECMAScript/JavaScript version that the Rhino engine should use. Valid values: ES6, DEFAULT, 1.0-1.8. |
server.api.require-requested-with | true | If set to true, the Mirth® Connect REST API requires all incoming requests to contain an "X-Requested-With" header. This protects against Cross-Site Request Forgery (CSRF) security vulnerabilities. |
server.api.sessionstore | false | If set to true, the web server sessions are stored in the database. |
server.api.sessionstoretable | sessiondata | The table name to use for web server session data. |
server.api.sessioncache | default | If absent or set to "default", an in-memory L1 cache is stored on each server for session data. If set to "none", then no cache is used, and every request for session data goes directly to the database. |
server.api.sessionmaxinactiveinterval | 259200 (72 hours) | The maximum amount of time (in seconds) that a session can be idle/inactive before it is invalidated and evicted from the cache. Minimum is 60 seconds. |
Security | ||
http.stricttransportsecurity | true | Enables HTTP Strict Transport Security (HSTS), a web security policy mechanism that helps protect against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It lets the web server declare that browsers (or other complying user agents) should interact with it only over HTTPS connections, which provide Transport Layer Security (TLS/SSL), and never over plain, insecure HTTP. |
https.client.protocols | TLSv1.3,TLSv1.2 | The protocols to support by default for all TLS/SSL/HTTPS client traffic. |
https.server.protocols | TLSv1.3,TLSv1.2,SSLv2Hello | The protocols to support by default for all TLS/SSL/HTTPS server traffic. |
https.ciphersuites | See Default Supported Cipher Suites | The cipher suites to support by default for all TLS/SSL/HTTPS server traffic. |
https.ephemeraldhkeysize | 2048 | The key size (in bits) to use for all generated Diffie-Hellman parameters. |
server.api.allowhttp | false | If enabled, API access is enabled through the regular HTTP port. Generally you should not enable this except for testing or development purposes. |
server.api.accesscontrol.alloworigin | * | This value is set on the Access-Control-Allow-Origin HTTP header on all API responses. |
server.api.accesscontrol.allowcredentials | false | This value is set on the Access-Control-Allow-Credentials HTTP header on all API responses. |
server.api.accesscontrol.allowmethods | GET, POST, DELETE, PUT | This value is set on the Access-Control-Allow-Methods HTTP header on all API responses. |
server.api.accesscontrol.allowheaders | Content-Type | This value is set on the Access-Control-Allow-Headers HTTP header on all API responses. |
server.api.accesscontrol.exposeheaders | | This value is set on the Access-Control-Expose-Headers HTTP header on all API responses. |
server.api.accesscontrol.maxage | | This value is set on the Access-Control-Max-Age HTTP header on all API responses. |
server.api.contentsecuritypolicy | frame-ancestors 'none' | This value is set on the Content-Security-Policy HTTP header on all API responses. Changing this property could leave your server vulnerable to click-jacking attacks if you are embedding API access in a web page. |
server.api.xframeoptions | DENY | This value is set on the X-Frame-Options HTTP header on all API responses. Changing this property could leave your server vulnerable to click-jacking attacks if you are embedding API access in a web page. |
xstream.denytypes | | A comma-separated list of fully-qualified classes that XStream is denied from serializing or de-serializing. The classes can include wild cards. This list takes precedence over the list of allowed types. |
xstream.allowtypes | | A comma-separated list of fully-qualified classes that XStream is allowed to serialize or de-serialize. The classes can include wild cards. Classes are denied unless they are explicitly allowed, through this property or xstream.allowtypehierarchies, or are essential for Mirth® Connect to function. |
xstream.allowtypehierarchies | | A comma-separated list of fully-qualified type hierarchies that XStream is allowed to serialize or de-serialize, meaning these classes and their subclasses are allowed. Classes are denied unless they are explicitly allowed, through this property or xstream.allowtypes, or are essential for Mirth® Connect to function. |
Database | ||
database | derby | The database type to use for the Mirth® Connect back-end database. Options: By default Mirth® Connect ships with an embedded Apache Derby database for quick testing or development purposes. For production instances, change the database type to one of the other supported options. |
database.url | jdbc:derby:${dir.appdata}/mirthdb;create=true | The JDBC URL to use when connecting to the database. |
database.driver | | The fully-qualified JDBC driver class to use when connecting to the database. |
database.max-connections | 20 | The maximum number of connections to use for the internal messaging engine connection pool. |
database.username | | The username to use when connecting to the database. |
database.password | | The password to use when connecting to the database. |
database.connection.maxretry | 2 | On start up, if a database connection cannot be made for any reason, Mirth® Connect waits and attempts again this number of times. The default is 2 retries (a total of 3 attempts). |
database.connection.retrywaitinmilliseconds | 10000 | The amount of time (in milliseconds) to wait between database connection attempts. The default is a 10-second wait between attempts. |
database.pool | HikariCP | The connection pool type to use for the internal messaging engine. By default HikariCP is used, but "DBCP" is supported as well. |
database.jdbc4 | true | Indicates whether the database driver supports JDBC 4 operations. |
database.test-query | SELECT 1 | A small test query (such as "SELECT 1") that the connection pool can use for validity checking. |
database.enable-read-write-split | true | If enabled, the database connection pool is split into a read-only pool and a read/write pool. |
database.write-pool-cache | false | If enabled, the channel / channel group / code template / library internal cache queries use the read/write connection pool instead of the read-only pool. If your read-only pool is pointing to a read replica and there is significant replica lag, you may want to consider enabling this. Only applicable when "database.enable-read-write-split" is enabled. |
database-readonly | | The database type to use for the read-only pool, if enabled. If not specified, defaults to the "database" setting. |
database-readonly.url | | The JDBC URL to use when connecting to the database for the read-only pool, if enabled. If not specified, defaults to the "database.url" setting. |
database-readonly.driver | | The fully-qualified JDBC driver class to use when connecting to the database for the read-only pool, if enabled. If not specified, defaults to the "database.driver" setting. |
database-readonly.username | | The username to use when connecting to the database for the read-only pool, if enabled. If not specified, defaults to the "database.username" setting. |
database-readonly.password | | The password to use when connecting to the database for the read-only pool, if enabled. If not specified, defaults to the "database.password" setting. |
database-readonly.max-connections | | The maximum number of connections to use for the read-only pool, if enabled. If not specified, defaults to the "database.max-connections" setting. |
database-readonly.pool | | The connection pool type to use for the read-only pool, if enabled. If not specified, defaults to the "database.pool" setting. |
database-readonly.jdbc4 | | Indicates whether the database driver supports JDBC 4 operations for the read-only pool, if enabled. If not specified, defaults to the "database.jdbc4" setting. |
database-readonly.test-query | | A small test query (e.g. "SELECT 1") used for validity checking for the read-only pool, if enabled. If not specified, defaults to the "database.test-query" setting. |
Encryption | ||
encryption.export | 0 | If enabled, exported channels and other files from the Administrator will be encrypted. |
encryption.properties | 0 | If enabled, the "database.password" property in this file is automatically encrypted and re-saved when the Mirth® Connect server is next started. To update the password, overwrite database.password and on next server start up, it is automatically encrypted and updated again. |
encryption.algorithm | AES/CBC/PKCS5Padding | The algorithm to use for symmetric encryption. This applies to messages, exports, and anything else that is encrypted or decrypted using the key in the keystore. You must include the explicit mode and padding settings with the algorithm, and the mode must be one that requires an initialization vector. |
encryption.charset | UTF-8 | The charset to use when encoding textual data into bytes before encryption. |
encryption.keylength | 128 | The key length to use for symmetric encryption. |
encryption.fallback.algorithm | | This is set automatically when you upgrade to 4.3. It is used to decrypt old data that may have been encrypted in a prior version of Mirth® Connect. |
encryption.fallback.charset | | This is set automatically when you upgrade to 4.3, if your default JVM charset is not UTF-8. After decryption, it is used to decode old data that may have been encrypted in a prior version of Mirth® Connect. |
digest.algorithm | PBKDF2WithHmacSHA256 | The algorithm to use for generating cryptographically secure hashes / digests. This is used for creating salted hash values for user passwords. If you change this, all current passwords are no longer valid and must be reset by an administrator. If you are using a Cures-certified version of Mirth® Connect, you must use one of the following digest algorithms for your environment to meet certification requirements: |
digest.saltsizeinbytes | 8 | The number of bytes to use for randomly generated salt values, which are stored along with the hashes and digests. |
digest.iterations | 600000 | The number of times to run an input through the digest algorithm. The appropriate value for this property depends on the algorithm used. |
digest.usepbe | 1 | 0 for disabled and 1 for enabled. If enabled, the digest algorithm is assumed to be a password-based encryption function and is instantiated using a SecretKeyFactory and PBEKeySpec, rather than a MessageDigest object. |
digest.keysizeinbits | 256 | The size (in bits) of the key to derive with the password-based encryption function. Only used if digest.usepbe is enabled. |
digest.fallback.algorithm | SHA256 | The old digest algorithm, used for verifying old password hashes. |
digest.fallback.saltsizeinbytes | 8 | The old digest salt size, used for verifying old password hashes. |
digest.fallback.iterations | 1000 | The old digest iterations, used for verifying old password hashes. |
digest.fallback.usepbe | 0 | The old digest PBE flag, used for verifying old password hashes. |
digest.fallback.keysizeinbits | 256 | The old digest PBE key size, used for verifying old password hashes. |
security.provider | org.bouncycastle.jce.provider.BouncyCastleProvider | The fully-qualified JCE/JCA provider class name to use. This provider is used for both symmetric encryption and password hashing. |
Mirth Command Center | ||
mcc.environment.id | | If this Mirth® Connect environment has not yet registered with Mirth Command Center and this value is set, the environment registers automatically on startup using this value as the environment ID. |
mcc.spoke.domain | | If set, Mirth® Connect uses this value as the spoke domain when connecting to Mirth Command Center. |
mcc.proxy.host | | If set, Mirth® Connect uses this proxy host to connect to Mirth Command Center. |
mcc.proxy.port | 8080 | If this value and "mcc.proxy.host" are set, Mirth® Connect uses this proxy port to connect to Mirth Command Center. |
mcc.proxy.username | | The username to use when connecting to Mirth Command Center through a proxy. |
mcc.proxy.password | | The password to use when connecting to Mirth Command Center through a proxy. |
mcc.sync.interval.ms | 300000 (5 minutes) | The time interval, in milliseconds, to transmit Mirth® Connect data such as channels, channel groups, and server information to Mirth Command Center. |
mcc.analytics.collection.interval.ms | 300000 (5 minutes) | The time interval, in milliseconds, to collect channel metrics from Mirth® Connect. The minimum time allowed is 60000 (1 minute). |
mcc.analytics.post.interval.ms | 300000 (5 minutes) | The time interval, in milliseconds, to post channel metrics to Mirth Command Center. The minimum time allowed is 60000 (1 minute). |
mcc.analytics.post.batch.size | 500 | The maximum number of entries to post to Mirth Command Center in one request. If there are more entries than this number, then they will be split up into separate post requests to Mirth Command Center. The minimum allowed is 100 and the maximum allowed is 10000. |
mcc.analytics.collection.queue.maxsize | 100000 | The maximum size that the channel metrics internal queue can hold before dropping old requests. The default is the maximum size allowed and the minimum size allowed is 1000 requests. |
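The Password Requirements, Keystore and Security rows above describe several settings whose defaults are permissive (no password policy, a published keystore password, a wildcard CORS origin) and several that must not be weakened (`server.api.allowhttp`, `server.api.require-requested-with`, `http.stricttransportsecurity`). The script below is an added example written for this page, not Mirth Connect's own code: it parses the `.properties` syntax the file uses, resolves `${...}` references such as `${dir.appdata}`, and reports settings that weaken the server. `SAMPLE_WEAK` and `SAMPLE_HARDENED` are constructed inputs; the property names, defaults and the "retry limit needs a lockout period" rule come from the table on this page, and the set of legacy protocol names flagged is the author's choice.

```python
"""Audit a mirth.properties file for weak security settings.

Added example for this page, not Mirth Connect's own code. Property names,
defaults and the retry-limit/lockout-period rule come from the table above;
SAMPLE_WEAK and SAMPLE_HARDENED are constructed inputs.
"""
import re

DEFAULT_KEYSTORE_PASSWORD = "81uWxplDtB"      # documented default from the table
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # author's choice
REF = re.compile(r"\$\{([^}]+)\}")

SAMPLE_WEAK = """\
# constructed: a development-style configuration
dir.appdata = appdata
keystore.path = ${dir.appdata}/keystore.jks
keystore.storepass = 81uWxplDtB
keystore.keypass = 81uWxplDtB
password.minlength = 0
password.retrylimit = 0
server.api.allowhttp = true
server.api.require-requested-with = false
server.api.accesscontrol.alloworigin = *
server.api.accesscontrol.allowcredentials = true
https.server.protocols = TLSv1.3,TLSv1.2,TLSv1,SSLv2Hello
http.stricttransportsecurity = false
"""

SAMPLE_HARDENED = """\
# constructed: a hardened configuration (omitted keys keep their defaults)
dir.appdata = appdata
keystore.storepass = replace-with-a-long-random-secret
keystore.keypass = replace-with-another-random-secret
password.minlength = 12
password.retrylimit = 5
password.lockoutperiod = 1
https.server.protocols = TLSv1.3,TLSv1.2,SSLv2Hello
"""


def parse_properties(text):
    """Parse key/value pairs: '#' or '!' comments, '=' or ':' separators,
    and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve(props, key, depth=0):
    """Expand ${other.key} references in a value, as ${dir.appdata} is used."""
    if depth > 10:
        raise ValueError("circular ${...} reference at " + key)
    return REF.sub(lambda m: resolve(props, m.group(1), depth + 1), props.get(key, ""))


def audit(props):
    """Return (property, message) findings for settings that weaken the server."""
    findings = []

    def get(key, default):
        return resolve(props, key) if key in props else default

    def truthy(value):
        return value.strip().lower() in ("true", "1", "yes")

    def integer(key, default):
        try:
            return int(get(key, str(default)))
        except ValueError:
            return default

    if truthy(get("server.api.allowhttp", "false")):
        findings.append(("server.api.allowhttp", "REST API (and its credentials) reachable over plaintext HTTP"))
    if not truthy(get("server.api.require-requested-with", "true")):
        findings.append(("server.api.require-requested-with", "X-Requested-With CSRF check disabled"))
    if not truthy(get("http.stricttransportsecurity", "true")):
        findings.append(("http.stricttransportsecurity", "HSTS disabled"))
    if (get("server.api.accesscontrol.alloworigin", "*") == "*"
            and truthy(get("server.api.accesscontrol.allowcredentials", "false"))):
        findings.append(("server.api.accesscontrol.allowcredentials", "credentials allowed with a wildcard origin"))
    for key in ("keystore.storepass", "keystore.keypass"):
        if get(key, "") == DEFAULT_KEYSTORE_PASSWORD:
            findings.append((key, "documented default keystore password; set an explicit secret"))
    protocols = {p.strip() for p in get("https.server.protocols", "").split(",")}
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(("https.server.protocols", "legacy protocol enabled: " + proto))
    if integer("password.minlength", 0) == 0:
        findings.append(("password.minlength", "no minimum password length"))
    if integer("password.retrylimit", 0) == 0:
        findings.append(("password.retrylimit", "no lockout after failed log-ons"))
    elif integer("password.lockoutperiod", 0) == 0:
        findings.append(("password.lockoutperiod", "retry limit set without a lockout period (both must be set)"))
    return findings


def audit_text(text):
    return audit(parse_properties(text))


if __name__ == "__main__":
    for prop, msg in audit_text(SAMPLE_WEAK):
        print(f"{prop}: {msg}")
```

Run it against a real file with `audit_text(open("conf/mirth.properties").read())`; a hardened file should produce an empty list. Keys that are absent are evaluated at the default from the table, which is why the audit still flags a file that simply never sets `password.minlength`.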
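The `digest.*` and `digest.fallback.*` rows describe a current password-hashing scheme (PBKDF2 with HMAC-SHA-256, 8-byte salt, 600000 iterations, 256-bit key) and an older one (iterated SHA-256, 1000 iterations) kept only to verify hashes written before the upgrade. The code below is an added example written for this page, not Mirth Connect's own implementation, showing how the two parameter sets fit together: verify against the current scheme, fall back to the old one, and rehash on a successful fallback match so the stored value moves to the current scheme. The stored-record layout (`algorithm$iterations$salt_hex$hash_hex`) and the exact composition of the legacy non-PBE digest (SHA-256 over salt||password, re-hashed `iterations - 1` times) are assumptions made for the demonstration; only the parameter values come from the page.

```python
"""Salted password digests with a fallback scheme, following the digest.*
and digest.fallback.* parameters in the table above.

Added example for this page, not Mirth Connect's own implementation. The
record layout and the legacy digest composition are assumptions.
"""
import hashlib
import hmac
import os

# digest.* values from the table
CURRENT = {"algorithm": "PBKDF2WithHmacSHA256", "saltsize": 8,
           "iterations": 600000, "usepbe": True, "keysize": 256}
# digest.fallback.* values from the table
FALLBACK = {"algorithm": "SHA256", "saltsize": 8,
            "iterations": 1000, "usepbe": False, "keysize": 256}


def digest(password, salt, params):
    """Raw digest bytes for one parameter set."""
    data = password.encode("utf-8")
    if params["usepbe"]:
        # digest.usepbe=1: password-based KDF (PBKDF2 with HMAC-SHA256)
        return hashlib.pbkdf2_hmac("sha256", data, salt,
                                   params["iterations"], dklen=params["keysize"] // 8)
    # digest.usepbe=0: plain iterated MessageDigest (composition assumed)
    h = hashlib.sha256(salt + data).digest()
    for _ in range(params["iterations"] - 1):
        h = hashlib.sha256(h).digest()
    return h


def hash_password(password, params=CURRENT):
    """Stored record with a fresh random salt of digest.saltsizeinbytes bytes."""
    salt = os.urandom(params["saltsize"])
    return "$".join([params["algorithm"], str(params["iterations"]),
                     salt.hex(), digest(password, salt, params).hex()])


def verify(password, stored):
    """Check a password against a stored record.

    Returns (ok, upgraded): ok is the verification result; upgraded is a new
    record under CURRENT when the match came from FALLBACK (the caller should
    re-store it on successful log-on), otherwise None.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False, None
    for params in (CURRENT, FALLBACK):
        if params["algorithm"] == algorithm and params["iterations"] == iterations:
            ok = hmac.compare_digest(digest(password, salt, params), expected)
            upgraded = hash_password(password) if ok and params is FALLBACK else None
            return ok, upgraded
    # Neither parameter set matches: the record was written under a scheme
    # that is no longer configured, which is the "must be reset" case above.
    return False, None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify("correct horse battery staple", record))
```

The third branch of `verify` is the situation the `digest.algorithm` row warns about: once neither the current nor the fallback parameters match a stored record, the only option left is an administrator reset.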