
Security-related Parameters


The parameters in the following table provide access to, and identify the required files and information for, the provisioned nodes and deployed containers, so that ICM can communicate with them securely. All of them are required, and they may be specified only in the defaults file.

Parameter: Definition

Provider-Specific: Provider-specific credentials and account parameters; for detailed instructions on obtaining the files and values, see the parameters section for the provider in question:
  • Provider-Specific – AWS

    Credentials: Path to a file containing the public/private keypair for an AWS account.

  • Provider-Specific – GCP

    Credentials: Path to a JSON file containing the service account key for a GCP account.

    Project: GCP project ID.

  • Provider-Specific – Azure

    SubscriptionId: A unique alphanumeric string that identifies a Microsoft Azure subscription.

    TenantId: A unique alphanumeric string that identifies the Azure Active Directory directory in which an application was created.

    UseMSI: If true, authenticates using a Managed Service Identity in place of ClientId and ClientSecret; default is false.

    ClientId, ClientSecret: Credentials identifying and providing access to an Azure application (if UseMSI is false).

  • Provider-Specific – Tencent

    SecretID, SecretKey: Unique alphanumeric strings that identify and provide access to a Tencent Cloud account.

  • Provider-Specific – vSphere

    VSphereUser, VSpherePassword: Credentials for vSphere operations.

SSHUser: Nonroot account with sudo access used by ICM to access provisioned nodes. The root of SSHUser's home directory can be specified using the Home field. The required value is provider-specific, as follows:
  • AWS — As per AMI (see AMI parameter in AWS Parameters); usually ubuntu for Ubuntu images

  • GCP — At user's discretion

  • Azure — At user's discretion

  • Tencent — As per image (see ImageId parameter in Tencent Parameters)

  • vSphere — As per VM template (see Template parameter in vSphere Parameters)

  • Preexisting — See SSH in the appendix “Deploying on a Preexisting Cluster”

SSHPassword: Initial password for the user specified by SSHUser. Required for marketplace Docker images and for deployments of type vSphere, Azure, and PreExisting. This password is used only during provisioning, at the conclusion of which password logins are disabled.
SSHOnly: If true, ICM does not attempt SSH password logins during provisioning; applies to providers vSphere and PreExisting only. Because this prevents ICM from logging in with a password, it requires that you stage your public SSH key (as specified by the SSHPublicKey field, below) on each node beforehand. Default: false.
SSHPublicKey: Path within the ICM container of the public key of the SSH public/private key pair; required for all deployments. For provider AWS, the key must be in SSH2 format, for example:

    ---- BEGIN SSH2 PUBLIC KEY ----
    AAAAB3NzaC1yc2EAAAABJQAAAQEAoa0
    ---- END SSH2 PUBLIC KEY ----

  For other providers, it must be in OpenSSH format, for example:

    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoa0

SSHPrivateKey: Path within the ICM container of the private key of the SSH public/private key pair; required for all deployments. The key must be in RSA format, for example:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAoa0ex+JKzC2Nka1
    -----END RSA PRIVATE KEY-----

TLSKeyDir: Directory within the ICM container containing the TLS keys used to establish secure connections to Docker, the InterSystems Web Gateway, JDBC, and mirrored InterSystems IRIS databases, as follows:
  • ca.pem

  • cert.pem

  • key.pem

  • keycert.pem

  • server-cert.pem

  • server-key.pem

  • keystore.p12

  • truststore.jks

  • SSLConfig.properties

SSLConfig: Path within the ICM container to a TLS configuration file used to establish secure JDBC connections. Default: if this parameter is not provided, ICM looks for a configuration file at /TLSKeyDir/SSLConfig.Properties (see the previous entry).
PrivateSubnet: If true, ICM deploys on an existing private subnet, or creates a new private subnet and deploys on it, for use with a bastion host; see Deploying on a Private Network.
WeavePassword: Password used to encrypt traffic over Weave Net; enable encryption by setting this to a value other than null in the defaults file. Default: null (traffic is not encrypted).
net_vpc_cidr: CIDR of the existing private network to deploy on; see Deploy Within an Existing Private Network.
net_subnet_cidr: CIDR of an ICM node's subnet within an existing private network.
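As an added example (not ICM's own code or part of this reference), the following Python pre-flight check applies the rules from the table above to a defaults file before provisioning: per-provider credential parameters, the SSHOnly/SSHPassword interplay, the SSH2-versus-OpenSSH public key format, and an unset WeavePassword. It assumes a "Provider" key naming the provider, and the paths and key text in the sample are constructed placeholders.

```python
import re

# Rules transcribed from the parameter table above. "Provider" as the key naming
# the provider (AWS, GCP, Azure, Tencent, vSphere, PreExisting) is an assumption.
PROVIDER_CREDENTIALS = {
    "AWS": ("Credentials",), "GCP": ("Credentials", "Project"),
    "Azure": ("SubscriptionId", "TenantId"), "Tencent": ("SecretID", "SecretKey"),
    "vSphere": ("VSphereUser", "VSpherePassword"), "PreExisting": (),
}
ALWAYS_REQUIRED = ("SSHUser", "SSHPublicKey", "SSHPrivateKey", "TLSKeyDir")
PASSWORD_REQUIRED = {"vSphere", "Azure", "PreExisting"}   # need SSHPassword
SSHONLY_HONOURED = {"vSphere", "PreExisting"}
SSH2_HEADER = re.compile(r"^---- BEGIN SSH2 PUBLIC KEY ---")  # AWS key format
OPENSSH_LINE = re.compile(r"^ssh-\S+ [A-Za-z0-9+/=]+")         # other providers

def check_defaults(defaults, public_key_text=""):
    # Returns a list of findings; an empty list means the settings are consistent.
    findings = []
    provider = defaults.get("Provider")
    if provider not in PROVIDER_CREDENTIALS:
        return [f"unknown or missing Provider: {provider!r}"]
    for key in PROVIDER_CREDENTIALS[provider] + ALWAYS_REQUIRED:
        if not defaults.get(key):
            findings.append(f"{provider}: required parameter {key} is missing")
    if provider == "Azure" and not defaults.get("UseMSI", False):
        for key in ("ClientId", "ClientSecret"):
            if not defaults.get(key):
                findings.append(f"Azure: {key} is required when UseMSI is false")
    ssh_only = bool(defaults.get("SSHOnly", False))
    if ssh_only and provider not in SSHONLY_HONOURED:
        findings.append(f"{provider}: SSHOnly is honoured only for vSphere and PreExisting")
    if provider in PASSWORD_REQUIRED and not (ssh_only and provider in SSHONLY_HONOURED):
        if not defaults.get("SSHPassword"):
            findings.append(f"{provider}: SSHPassword is required for this deployment type")
    if public_key_text:  # optional: the contents of the SSHPublicKey file
        if provider == "AWS" and not SSH2_HEADER.match(public_key_text):
            findings.append("AWS: SSHPublicKey must be in SSH2 format")
        if provider != "AWS" and not OPENSSH_LINE.match(public_key_text):
            findings.append(f"{provider}: SSHPublicKey must be in OpenSSH format")
    if defaults.get("WeavePassword") in (None, "", "null"):
        findings.append("WeavePassword is null: Weave Net traffic is not encrypted")
    return findings

# Constructed defaults with several inconsistent settings (paths are placeholders).
SAMPLE_DEFAULTS = {
    "Provider": "AWS", "Credentials": "/ICM/aws.credentials", "SSHUser": "ubuntu",
    "SSHOnly": True,                                   # not honoured for AWS
    "SSHPublicKey": "/ICM/ssh/key.pub", "SSHPrivateKey": "/ICM/ssh/key",
    "TLSKeyDir": "/ICM/tls", "WeavePassword": None,    # encryption left off
}
SAMPLE_PUBLIC_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoa0 example"  # constructed; AWS needs SSH2
```

Running `check_defaults(SAMPLE_DEFAULTS, SAMPLE_PUBLIC_KEY)` reports three findings: SSHOnly set for a provider that ignores it, an OpenSSH-format key where AWS requires SSH2, and Weave Net encryption left disabled.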