Authentication Server configuration files - Amazon DCV Access Console

Authentication Server configuration files

The Authentication Server has two configuration files, /etc/dcv-access-console-auth-server/access-console-auth-server.properties and /etc/dcv-access-console-auth-server/access-console-auth-server-secrets.properties. Their parameters customize how the Amazon DCV Access Console connects to its other components.

Note

The property files contain sensitive data. By default, write access is restricted to root, and read access is restricted to root and to the user running the Authentication Server (by default, the dcvaccessconsole user).

The following tables list the parameters in the Authentication Server configuration files.

For the /etc/dcv-access-console-auth-server/access-console-auth-server.properties configuration (columns: Parameter name, Required, Default value, Description):

server-port
  Required: Yes
  Default value: 9000
  Description: Specifies the port on which the Authentication Server listens.

authentication-header-name
  Required: Either authentication-header-name or pam-helper-path is required
  Default value: username
  Description: Specifies the request header whose value is used as the user ID.

pam-helper-path
  Required: Either authentication-header-name or pam-helper-path is required
  Default value: /var/usr/dcv-access-console-auth-server/dcvpamhelper
  Description: Specifies the full path of the dcvpamhelper binary that is installed as part of the Authentication Server.

pam-service-name
  Required: Only if pam-helper-path is specified
  Default value: dcv
  Description: Specify dcv if /etc/pam.d/dcv is installed; otherwise use system-auth on Red Hat based systems or common-auth on Ubuntu/Debian.

enable-pam-debug
  Required: Only if pam-helper-path is specified
  Default value: False
  Description: Enables or disables debug logging for the dcvpamhelper.

pam-process-timeout
  Required: Only if pam-helper-path is specified
  Default value: 10
  Description: Specifies the number of seconds to wait for the dcvpamhelper to finish.

pam-normalize-userid-enabled
  Required: No
  Default value: False
  Description: Enables or disables the use of pam-normalize-userid-command to normalize the different forms of a username to a single user ID.

pam-normalize-userid-command
  Required: No
  Default value: id -u -nr
  Description: Specifies the command used to normalize the username to a user ID.

redirect-uris
  Required: Yes
  Default value: (none)
  Description: Specifies the callback URL of the Web Client. It should be of the format https://webclient-host:webclient-port/api/auth/callback/dcv-access-console-auth-server.

post-logout-redirect-uris
  Required: Yes
  Default value: (none)
  Description: Specifies the URL of the Web Client to redirect to after logout. It should be of the format https://webclient-host:webclient-port.

authorization-server-hostname
  Required: Yes
  Default value: (none)
  Description: Specifies the URL of the Authentication Server. It should be of the format https://auth-server-host:auth-server-port.

throttling-burst
  Required: No
  Default value: 50
  Description: Specifies the maximum bucket capacity of the token bucket throttling algorithm.

throttling-refill
  Required: No
  Default value: 2
  Description: Specifies the bucket refill amount of the token bucket throttling algorithm.

throttling-period-in-seconds
  Required: No
  Default value: 1
  Description: Specifies the period in seconds over which the bucket refill amount is added.

throttling-login-burst
  Required: No
  Default value: 10
  Description: Specifies the maximum bucket capacity of the token bucket throttling algorithm for the /login endpoint.

throttling-login-refill
  Required: No
  Default value: 10
  Description: Specifies the bucket refill amount of the token bucket throttling algorithm for the /login endpoint.

throttling-login-period-in-seconds
  Required: No
  Default value: 3600
  Description: Specifies the period in seconds over which the bucket refill amount is added for the /login endpoint.

throttling-cache-max-size
  Required: No
  Default value: 1000
  Description: Specifies the number of unique IP addresses to track for throttling.

throttling-cache-max-time-minutes
  Required: No
  Default value: 20
  Description: Specifies the number of minutes to track an IP address for throttling.

access-token-time-to-live
  Required: No
  Default value: 30s
  Description: Specifies the time to live of the access token.

refresh-token-time-to-live
  Required: No
  Default value: 2h
  Description: Specifies the time to live of the refresh token. It should be greater than access-token-time-to-live.

show-cookie-link
  Required: No
  Default value: FALSE
  Description: Enables or disables a link to a privacy disclaimer on the sign-in page.

cookie-link-target
  Required: No
  Default value: (none)
  Description: Specifies the link your users are directed to for the privacy disclaimer. If show-cookie-link is false, leave this parameter without a value.

show-privacy-link
  Required: No
  Default value: FALSE
  Description: Enables or disables a link to a privacy disclaimer on the sign-in page.

privacy-link-target
  Required: No
  Default value: (none)
  Description: Specifies the link your users are directed to for the privacy disclaimer. If show-privacy-link is false, leave this parameter without a value.
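The table above states several cross-parameter rules (the either-or between authentication-header-name and pam-helper-path, the pam-service-name dependency, the required callback URLs, the refresh-token TTL ordering, and the empty link targets). The following added example, which is not part of the Amazon DCV Access Console or its documentation, parses a properties file and checks those rules; the sample content, the example.com hosts and the assumption that TTL values use an s/m/h suffix and that redirect-uris holds a single URI are constructed for illustration.

```python
import re

# Constructed sample standing in for access-console-auth-server.properties (not a real deployment).
SAMPLE = """\
pam-helper-path=/var/usr/dcv-access-console-auth-server/dcvpamhelper
pam-service-name=dcv
redirect-uris=https://console.example.com:3000/api/auth/callback/dcv-access-console-auth-server
post-logout-redirect-uris=https://console.example.com:3000
authorization-server-hostname=https://auth.example.com:9000
access-token-time-to-live=30s
refresh-token-time-to-live=2h
show-cookie-link=false
"""
UNITS = {"s": 1, "m": 60, "h": 3600}  # duration suffixes assumed for the *-time-to-live values

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line; '#'/'!' comments and blank lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def to_seconds(duration):
    m = re.fullmatch(r"(\d+)([smh])", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    return int(m.group(1)) * UNITS[m.group(2)]

def check_auth_server_props(p):
    """Apply the Required / either-or rules from the table; returns a list of findings (empty = OK)."""
    f = []
    if not p.get("authentication-header-name") and not p.get("pam-helper-path"):
        f.append("either authentication-header-name or pam-helper-path is required")
    if p.get("pam-helper-path") and not p.get("pam-service-name"):
        f.append("pam-service-name is required when pam-helper-path is set")
    f += [f"{k} is required" for k in ("redirect-uris", "post-logout-redirect-uris", "authorization-server-hostname") if not p.get(k)]
    # Assumes a single callback URI of the documented shape (https://host:port/api/auth/callback/...).
    if not re.fullmatch(r"https://[^/]+/api/auth/callback/dcv-access-console-auth-server", p.get("redirect-uris", "")):
        f.append("redirect-uris must be https://webclient-host:webclient-port/api/auth/callback/dcv-access-console-auth-server")
    if to_seconds(p.get("refresh-token-time-to-live", "2h")) <= to_seconds(p.get("access-token-time-to-live", "30s")):
        f.append("refresh-token-time-to-live must be greater than access-token-time-to-live")
    for flag, target in (("show-cookie-link", "cookie-link-target"), ("show-privacy-link", "privacy-link-target")):
        if p.get(flag, "false").lower() == "false" and p.get(target):
            f.append(f"{target} should be left empty when {flag} is false")
    return f
```

Run it against the real file with `check_auth_server_props(parse_properties(open(path).read()))` as the service user; an empty list means every rule in the table holds.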
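To make the throttling parameters concrete, here is an added simulation of a per-IP token bucket using the table's defaults (burst 50 / refill 2 per 1 s in general, burst 10 / refill 10 per 3600 s for /login, 1000 tracked IPs, 20-minute tracking). It is example code, not the Authentication Server's implementation: continuous refill and the assumption that an IP whose cache entry has expired starts again with a full bucket are modelling choices made here, and the IP addresses and timeline are constructed.

```python
# Defaults from the table: general and /login buckets, plus the per-IP cache bounds.
GENERAL = {"burst": 50, "refill": 2, "period": 1}
LOGIN = {"burst": 10, "refill": 10, "period": 3600}
CACHE_MAX_SIZE, CACHE_MAX_MINUTES = 1000, 20

class TokenBucket:
    """Capacity = burst; assumed model: `refill` tokens are added per `period` seconds, continuously."""
    def __init__(self, burst, refill, period, now):
        self.capacity, self.refill, self.period = burst, refill, period
        self.tokens, self.updated = float(burst), now

    def try_consume(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill / self.period)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class PerIpThrottle:
    """One bucket per client IP, bounded by cache-max-size; idle entries expire after cache-max-time-minutes."""
    def __init__(self, burst, refill, period, max_size=CACHE_MAX_SIZE, max_minutes=CACHE_MAX_MINUTES):
        self.params, self.max_size, self.max_age = (burst, refill, period), max_size, max_minutes * 60
        self.entries = {}  # ip -> [bucket, last_seen]

    def allow(self, ip, now):
        # Drop idle entries; an evicted IP starts over with a full bucket (assumed behaviour of this model).
        for stale in [k for k, (_, seen) in self.entries.items() if now - seen > self.max_age]:
            del self.entries[stale]
        if ip not in self.entries:
            if len(self.entries) >= self.max_size:  # bounded cache: evict the least recently seen IP
                del self.entries[min(self.entries, key=lambda k: self.entries[k][1])]
            self.entries[ip] = [TokenBucket(*self.params, now), now]
        entry = self.entries[ip]
        entry[1] = now
        return entry[0].try_consume(now)

def simulate_login_attempts(ip="198.51.100.7"):
    """Constructed timeline for one IP against the /login defaults; returns the allow/deny decisions."""
    t = PerIpThrottle(**LOGIN)
    burst = [t.allow(ip, 0.0) for _ in range(11)]   # 10 allowed, the 11th denied
    six_minutes = t.allow(ip, 360.0)                  # 360 s * 10/3600 = exactly one token refilled
    after_idle = t.allow(ip, 360.0 + 1201.0)          # idle longer than 20 min: entry evicted, full bucket again
    return burst, six_minutes, after_idle
```

The last step shows why throttling-cache-max-time-minutes matters alongside the hourly /login period: under this model, once an address is no longer tracked its login budget is effectively reset.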

For the /etc/dcv-access-console-auth-server/access-console-auth-server-secrets.properties configuration (columns: Parameter name, Required, Default value, Description):

ssl.enabled
  Required: No
  Default value: False
  Description: Enables SSL in the Authentication Server.

ssl.key-store-type
  Required: No
  Default value: PKCS12
  Description: Specifies the type of the Java keystore file.

ssl.key-store
  Required: No
  Default value: (none)
  Description: Specifies the path to the Java keystore file.

ssl.key-store-password
  Required: No
  Default value: (none)
  Description: Specifies the password of the Java keystore file.

auth-server-client-id
  Required: No
  Default value: dcv-access-console-web-client
  Description: Specifies the client ID of the Web Client. It must match the value in the Web Client properties.

auth-server-client-secret
  Required: No
  Default value: (none)
  Description: Specifies the client secret of the Web Client. It must match the value in the Web Client properties.