Configuration¶
Overview¶
Configuration guide for deploying OVES Access Management in development, staging and production, covering the settings that matter for security (secrets, token lifetimes, database access, rate limits) and the operational settings around them (monitoring, backups, environment variables).
Environment Configuration¶
Development Environment¶
# config/development.yml
environment: development
debug: true
log_level: debug
database:
  type: sqlite
  path: data/dev.db
security:
  jwt_secret: dev-secret-key   # development only; a literal secret must never be reused outside local dev
  session_timeout: 3600
external_services:
  azure_ad:
    tenant_id: dev-tenant
    client_id: dev-client
  keycloak:
    url: http://localhost:8080   # plain HTTP is acceptable only for a loopback address
    realm: oves-dev
Staging Environment¶
# config/staging.yml
environment: staging
debug: false
log_level: info
database:
  type: postgresql
  host: staging-db.internal
  port: 5432
  database: oves_staging
  username: ${DB_USER}
  password: ${DB_PASSWORD}
security:
  jwt_secret: ${JWT_SECRET}
  session_timeout: 1800
external_services:
  azure_ad:
    tenant_id: ${AZURE_TENANT_ID}
    client_id: ${AZURE_CLIENT_ID}
    client_secret: ${AZURE_CLIENT_SECRET}
Production Environment¶
# config/production.yml
environment: production
debug: false
log_level: warn
database:
  type: postgresql
  host: prod-db.internal
  port: 5432
  database: oves_production
  username: ${DB_USER}
  password: ${DB_PASSWORD}
  ssl_mode: require   # encrypts the connection but does not verify the server certificate; use verify-full with a CA bundle where the driver supports it
security:
  jwt_secret: ${JWT_SECRET}   # at least 32 random bytes; see Environment Variables
  session_timeout: 900
  rate_limiting:
    enabled: true
    requests_per_minute: 60
external_services:
  azure_ad:
    tenant_id: ${AZURE_TENANT_ID}
    client_id: ${AZURE_CLIENT_ID}
    client_secret: ${AZURE_CLIENT_SECRET}
Security Configuration¶
JWT Configuration¶
jwt:
  algorithm: HS256          # symmetric: every service that verifies tokens can also mint them; prefer RS256/ES256 when more than one service validates tokens
  expiration: 900           # 15 minutes
  refresh_expiration: 3600  # 1 hour
  issuer: oves-access-management
  audience: oves-users      # verifiers must check iss and aud, not just the signature
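The settings above only help if the verifier enforces them. The following is an added example, not OVES code, showing an HS256 mint/verify pair built on the standard library so that the checks are explicit: the algorithm is pinned from configuration rather than read from the token header (which is what defeats the `alg: none` forgery), the signature is compared in constant time, and `iss`, `aud` and `exp` are all checked. The issuer, audience and expiry are taken from the `jwt:` block; the secret is generated in-process for the demo and stands in for `JWT_SECRET`.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Values mirroring the jwt: block above. The secret is generated here for the
# demo only; in deployment it comes from JWT_SECRET and must be >= 32 random bytes.
JWT_ISSUER = "oves-access-management"
JWT_AUDIENCE = "oves-users"
JWT_EXPIRATION = 900  # seconds (15 minutes)
JWT_SECRET = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, secret: bytes = JWT_SECRET, now: Optional[int] = None) -> str:
    """Issue an HS256 access token carrying the configured iss/aud and a 15-minute exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": JWT_ISSUER, "aud": JWT_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + JWT_EXPIRATION}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def rejection_reason(token: str, secret: bytes = JWT_SECRET,
                     now: Optional[int] = None) -> Optional[str]:
    """Return None if the token is acceptable, otherwise a short reason for rejecting it."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return "malformed header"
    # Pin the algorithm from configuration. Trusting the header's alg is what
    # makes "alg": "none" and HS/RS key-confusion attacks work.
    if header.get("alg") != "HS256":
        return "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != JWT_ISSUER:
        return "wrong issuer"
    if claims.get("aud") != JWT_AUDIENCE:
        return "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return "expired"
    return None


def forge_alg_none(token: str) -> str:
    """Build the classic forgery: same claims, header alg=none, empty signature."""
    _, claims_b64, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + claims_b64 + "."
```

A token minted at `T0` is accepted at `T0 + 10` and rejected as expired at `T0 + 900`; the `alg: none` variant is rejected before the signature is even examined, and a token signed with a different secret fails the constant-time comparison.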
Password Policy¶
password_policy:
  min_length: 12
  require_uppercase: true
  require_lowercase: true
  require_numbers: true
  require_special_chars: true
  history_check: 5        # reject reuse of the last 5 passwords
  expiration_days: 90     # NIST SP 800-63B no longer recommends forced periodic rotation; keep only where a compliance requirement demands it
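The policy above is only as good as the code that applies it, and the `history_check` rule in particular is easy to get wrong: previous passwords must be compared against their stored salted hashes, never kept in the clear. The following is an added example, not OVES code, that enforces every rule in the block using PBKDF2-HMAC-SHA256 from the standard library for the stored hashes; the policy values are copied from the configuration, and the hash parameters are an assumption of this example.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Mirrors the password_policy block above.
PASSWORD_POLICY = {
    "min_length": 12,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_special_chars": True,
    "history_check": 5,
    "expiration_days": 90,
}

# PBKDF2-HMAC-SHA256 with a per-password salt; the iteration count follows
# current OWASP guidance for this construction (assumed, not an OVES setting).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; a fresh 16-byte salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password: str, history: List[Tuple[bytes, bytes]],
                      policy=PASSWORD_POLICY) -> List[str]:
    """List every rule the candidate breaks; an empty list means it is accepted.

    history holds (salt, digest) pairs of earlier passwords, most recent first;
    only the last policy["history_check"] entries are consulted."""
    problems: List[str] = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_uppercase"] and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy["require_lowercase"] and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy["require_numbers"] and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy["require_special_chars"] and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    for salt, digest in history[:policy["history_check"]]:
        if password_matches(password, salt, digest):
            problems.append(f"reuses one of the last {policy['history_check']} passwords")
            break
    return problems


def password_expired(changed_on: date, today: date, policy=PASSWORD_POLICY) -> bool:
    """True once expiration_days have elapsed since the last change."""
    return today - changed_on >= timedelta(days=policy["expiration_days"])
```

Each history comparison costs a full PBKDF2 run, which is the intended price: the history is stored in the same form as the live credential, so a database leak exposes nothing weaker than the current hash.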
Rate Limiting¶
rate_limiting:
  login_attempts:
    max_attempts: 5        # failures allowed within the window before lockout
    window_minutes: 15
    lockout_minutes: 30    # a lockout keyed on the account alone lets an attacker lock out a chosen user; key on account plus source as well
  api_requests:
    requests_per_minute: 100
    requests_per_hour: 1000
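The `login_attempts` settings describe a sliding window of failures followed by a fixed lockout. The following is an added example, not OVES code, implementing exactly those semantics in-process with an injectable clock so the window and lockout arithmetic can be checked deterministically; the values are the ones from the block above, and the keying scheme (account plus source address) is this example's recommendation rather than something the page specifies.

```python
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Mirrors rate_limiting.login_attempts above.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60


class LoginLimiter:
    """Sliding-window failed-login counter with a fixed lockout.

    Keys should combine account and source (e.g. "alice@203.0.113.7"); keyed on
    the account alone, anyone can lock a victim out by sending five bad passwords.
    State is in-process, so a multi-instance deployment needs a shared store."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: int = WINDOW_SECONDS,
                 lockout: int = LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop failures that have aged out of the window."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, key: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Return (allowed, seconds_until_unlock); call before verifying the password."""
        now = time.monotonic() if now is None else now
        until = self._locked_until.get(key, 0.0)
        if now < until:
            return False, int(until - now)
        return True, 0

    def record_failure(self, key: str, now: Optional[float] = None) -> bool:
        """Register a failed attempt; returns True if this one triggered a lockout."""
        now = time.monotonic() if now is None else now
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login resets the counter for that key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
```

Four failures leave the key open; the fifth within 15 minutes locks it for 30 minutes, after which `check` allows attempts again. Failures older than the window are discarded before counting, so four failures followed by a fifth 15 minutes later do not lock the account.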
Database Configuration¶
PostgreSQL Setup¶
-- Create database and application role (run as a superuser or the DBA role).
-- 'secure_password' is a placeholder; use a generated secret from your secret store.
CREATE DATABASE oves_production;
CREATE USER oves_user WITH ENCRYPTED PASSWORD 'secure_password';
-- GRANT ALL ON DATABASE only grants CONNECT/CREATE/TEMP at the database level; it gives
-- no table access and is more than the application needs. Grant CONNECT here, DML below.
GRANT CONNECT ON DATABASE oves_production TO oves_user;
-- Switch to the new database (psql meta-command; no trailing semicolon)
\c oves_production
-- Enable required extensions (trusted extensions in PostgreSQL 13+; older versions need a superuser)
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
CREATE EXTENSION IF NOT EXISTS "pgcrypto";
-- Run migrations as the role executing this script; the application role gets DML only
GRANT USAGE ON SCHEMA public TO oves_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO oves_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO oves_user;
Connection Pooling¶
database:
  pool:
    min_connections: 5
    max_connections: 20   # sum across all application instances must stay below the server's max_connections
    connection_timeout: 30
    idle_timeout: 600
Monitoring¶
Health Checks¶
health_checks:
  enabled: true
  endpoints:
    - /health
    - /health/database            # these report dependency state; expose only to the load balancer or internal network
    - /health/external-services
  database:
    timeout: 5
    query: "SELECT 1"
  external_services:
    azure_ad:
      timeout: 10
      endpoint: "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
Logging¶
logging:
  level: info
  format: json            # structured output; credentials, tokens and session identifiers must never be written to the log
  destinations:
    - type: file
      path: logs/application.log
      rotation:
        max_size: 100MB
        max_files: 10
    - type: syslog
      facility: local0
      severity: info
Metrics¶
metrics:
  enabled: true
  endpoint: /metrics      # restrict to the monitoring network; metric names and labels reveal internal structure
  collectors:
    - system
    - database
    - http_requests
    - authentication_events
Backup Configuration¶
Database Backup¶
#!/bin/bash
# backup-database.sh
# Dumps the access-management database, compresses it and prunes dumps older than 30 days.
# Credentials come from PGPASSFILE / PGHOST / PGUSER in the cron environment, never from this file.
set -euo pipefail
umask 077   # dumps contain credential hashes and tenant data: owner-only permissions

BACKUP_DIR="/backups/oves"
DB_NAME="oves_production"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_FILE="$BACKUP_DIR/oves_backup_$TIMESTAMP.sql.gz"

mkdir -p "$BACKUP_DIR"
trap 'rm -f "$BACKUP_FILE"' ERR   # never leave a truncated dump behind

# Create and compress the backup in one step; pipefail turns a pg_dump failure into a script failure
pg_dump --no-password "$DB_NAME" | gzip > "$BACKUP_FILE"

# Clean old backups (keep 30 days)
find "$BACKUP_DIR" -type f -name "oves_backup_*.sql.gz" -mtime +30 -delete
Configuration Backup¶
backup:
  configuration:
    enabled: true
    schedule: "0 2 * * *"   # Daily at 2 AM
    retention_days: 90
  database:
    enabled: true
    schedule: "0 1 * * *"   # Daily at 1 AM
    retention_days: 30
    compression: gzip
Environment Variables¶
Required Variables¶
# Database
DB_HOST=localhost
DB_PORT=5432
DB_NAME=oves_production
DB_USER=oves_user
DB_PASSWORD=secure_password          # placeholder: use a generated value from your secret store
# Security
JWT_SECRET=your-jwt-secret-key       # placeholder: at least 32 random bytes, e.g. `openssl rand -base64 32`
ENCRYPTION_KEY=your-encryption-key   # placeholder: generate separately; never reuse JWT_SECRET
# Azure AD
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-client-secret
# Keycloak
KEYCLOAK_URL=https://keycloak.your-domain.com
KEYCLOAK_REALM=oves
KEYCLOAK_CLIENT_ID=oves-client
KEYCLOAK_CLIENT_SECRET=keycloak-secret   # placeholder: the client secret issued by Keycloak
Optional Variables¶
# Logging
LOG_LEVEL=info
LOG_FORMAT=json
# Monitoring
METRICS_ENABLED=true
HEALTH_CHECK_ENABLED=true
# Features
FEATURE_REGISTRATION=false
FEATURE_PASSWORD_RESET=true
Deployment Checklist¶
Pre-Deployment¶
- [ ] Environment variables configured and every ${VAR} placeholder in the config resolves
- [ ] Secrets supplied from the environment or a secret store; no secret literals in committed config
- [ ] Database migrations applied
- [ ] Database role limited to the privileges the application needs
- [ ] SSL certificates installed
- [ ] External service connectivity verified
- [ ] Security scanning completed
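The first two pre-deployment items, and the production settings earlier on this page, can be checked mechanically before the service starts. The following is an added example, not OVES code: it resolves `${VAR}` placeholders in a parsed configuration from the environment, reports every unresolved variable at once, and then refuses a production rollout whose settings are weak (debug on, placeholder or short `jwt_secret`, a database `ssl_mode` that does not authenticate the server, rate limiting off, or an external service reached over plain HTTP). The embedded dictionary is a constructed stand-in for the parsed `config/production.yml`; the thresholds and the environment values are assumptions of this example. YAML loading is left to whatever parser the deployment already uses.

```python
import os
import re
from typing import Any, Dict, List

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def _substitute(value: Any, env: Dict[str, str], missing: List[str]) -> Any:
    """Recursively replace ${VAR} in strings; unresolved names are collected, not raised."""
    if isinstance(value, dict):
        return {k: _substitute(v, env, missing) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, env, missing) for v in value]
    if isinstance(value, str):
        def repl(match: Any) -> str:
            name = match.group(1)
            if name in env:
                return env[name]
            missing.append(name)
            return match.group(0)
        return PLACEHOLDER.sub(repl, value)
    return value


def unresolved_variables(cfg: Any, env: Dict[str, str]) -> List[str]:
    """Sorted list of ${VAR} names the environment does not supply."""
    missing: List[str] = []
    _substitute(cfg, env, missing)
    return sorted(set(missing))


def resolve_placeholders(cfg: Any, env: Dict[str, str]) -> Any:
    """Return a resolved copy of cfg, or raise KeyError naming every missing variable."""
    missing: List[str] = []
    resolved = _substitute(cfg, env, missing)
    if missing:
        raise KeyError("unresolved variables: " + ", ".join(sorted(set(missing))))
    return resolved


# Placeholder values that appear in this page's examples and must never reach production.
WEAK_SECRETS = {"dev-secret-key", "your-jwt-secret-key", "secure_password", "changeme"}


def production_findings(cfg: Dict[str, Any]) -> List[str]:
    """Human-readable problems that should block a production rollout (assumed thresholds)."""
    findings: List[str] = []
    security = cfg.get("security", {})
    if cfg.get("environment") != "production":
        findings.append("environment is not 'production'")
    if cfg.get("debug"):
        findings.append("debug must be false in production")
    if cfg.get("log_level") == "debug":
        findings.append("log_level debug leaks request detail into logs")
    secret = str(security.get("jwt_secret", ""))
    if secret in WEAK_SECRETS or len(secret.encode("utf-8")) < 32:
        findings.append("jwt_secret is a placeholder or shorter than 32 bytes (HS256 needs >= 256 bits)")
    ssl_mode = cfg.get("database", {}).get("ssl_mode")
    if ssl_mode not in ("verify-ca", "verify-full"):
        findings.append(f"database.ssl_mode={ssl_mode!r}: only verify-ca/verify-full authenticate the server")
    if security.get("session_timeout", 0) > 3600:
        findings.append("session_timeout longer than one hour")
    if not security.get("rate_limiting", {}).get("enabled"):
        findings.append("rate_limiting is disabled")
    for name, svc in cfg.get("external_services", {}).items():
        if str(svc.get("url", "")).startswith("http://"):
            findings.append(f"external_services.{name}.url uses plain HTTP")
    return findings


# Constructed stand-in for the parsed config/production.yml shown on this page.
PRODUCTION_CONFIG: Dict[str, Any] = {
    "environment": "production", "debug": False, "log_level": "warn",
    "database": {"type": "postgresql", "host": "prod-db.internal", "port": 5432,
                 "database": "oves_production", "username": "${DB_USER}",
                 "password": "${DB_PASSWORD}", "ssl_mode": "require"},
    "security": {"jwt_secret": "${JWT_SECRET}", "session_timeout": 900,
                 "rate_limiting": {"enabled": True, "requests_per_minute": 60}},
    "external_services": {"azure_ad": {"tenant_id": "${AZURE_TENANT_ID}",
                                       "client_id": "${AZURE_CLIENT_ID}",
                                       "client_secret": "${AZURE_CLIENT_SECRET}"}},
}

# Constructed environment for the demo; a real preflight reads os.environ.
SAMPLE_ENV = {
    "DB_USER": "oves_user", "DB_PASSWORD": "generated-elsewhere",
    "JWT_SECRET": "k" * 44,  # stands in for the output of `openssl rand -base64 32`
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "AZURE_CLIENT_SECRET": "generated-elsewhere",
}


def preflight(cfg: Dict[str, Any], env: Dict[str, str] = None) -> List[str]:
    """Resolve placeholders from env (default: the process environment) and audit the result."""
    env = dict(os.environ) if env is None else env
    return production_findings(resolve_placeholders(cfg, env))
```

Run against the page's own production configuration with a complete environment, the only finding is `ssl_mode: require`, which encrypts but does not authenticate the database server; with an incomplete environment the resolver names every missing variable rather than failing on the first one.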
Post-Deployment¶
- [ ] Health checks passing
- [ ] Logs capturing correctly
- [ ] Metrics being collected
- [ ] Backup processes running
- [ ] Monitoring alerts configured
These settings are meant to apply least privilege and defense in depth: secrets are injected from the environment rather than committed with the configuration, the database role is scoped to what the application needs, tokens and sessions are short-lived, and login and API rates are limited so that no single control has to hold on its own.