Control Center appsettings
This page lists all the appsettings.json settings available for the Control Center (Core).
The appsettings.json file is located in the folder <AMT Environment>\AmtTools\ControlCenterCore\
The appsettings file is (sub-)divided into the following sections.
Section | Description |
AMT | The main section where most settings are located. |
Logging | Section for the logging settings for the Web Application. |
AllowedHosts | A standalone setting that restricts the hosts which may access the Web Application. |
Theme
This setting is explained in AMT Web Themes.
Culture
The language of the Control Center, used for localization. See Localization.
KeepAliveInterval
The number of minutes between keepalive calls originating from a JavaScript script in the browser. It is important that this interval is shorter than or equal to both the lifetime of the authentication tokens and the web session timeout.
BusinessLogic
Settings needed to communicate with the Control Center WebAPI.
- Address - The URL of the ControlCenterBL website should be set as the value of this key.
- RequestTimeout - The timeout (in minutes) for requests to the business logic address. The default value is approximately 1 minute and 40 seconds (1.67 minutes).
"BusinessLogic": {
  "Address": "https://<domain>[:port]/<path>",
  "RequestTimeout": 1.67
},
TransactionRenderer
Settings needed to communicate with the Transaction Renderer (Blazor) web application, which is used for the view transactions feature in the Control Center.
- Address - The URL of the TransactionRendererBlazor website should be set as the value of this key.
- RequestTimeout - The timeout (in minutes) for requests to the transaction renderer address. The default value is approximately 1 minute and 40 seconds (1.67 minutes).
"TransactionRenderer": {
  "Address": "https://<domain>[:port]/<path>",
  "RequestTimeout": 1.67
},
AuthenticationType
The authentication type used to log into the Control Center. The only valid option is "OIDC" (OpenID Connect).
OIDC
This section holds the settings for OpenID Connect authentication.
- ClientId - The client ID of the application.
- Authority - The OIDC authority URL.
- Scope - The scopes to request from the authorization server to allow access tokens to be used to call other resource servers (e.g. CC, AC or Blazor APIs).
- ClientSecret - The client secret of the application, not applicable if client assertion is enabled.
- TokenValidationParameters:
  - NameClaimType - The claim type that will be used to identify the user. Commonly preferred_username is used as claim type. The claim type must be identical to the claim type set in the ControlCenterBL appsettings.
- RequireHttpsMetadata - If true then HTTPS is required for the authority. The default is true. This should be disabled only in development environments.
"OIDC": {
  "ClientId": "amt-controlcenter",
  "Authority": "https://login.example.org/amt-applications/v2/auth",
  "Scope": [ "openid profile amt-controlcenter-api-scope" ],
  "ClientSecret": "c8A6L7j5E3N0n9Y",
  "TokenValidationParameters": {
    "NameClaimType": "preferred_username"
  },
  "RequireHttpsMetadata": true
},
...
CookieAuthenticationOptions
The 'CookieAuthenticationOptions' section holds settings for the cookie used for user authentication.
- Name - Name of the authentication cookie that will be used to store the identity token.
- Domain - The domain of the authentication cookie.
- Path - The path of the authentication cookie.
- SameSite - SameSite policy of the authentication cookie. Should be set to None if the application is used in an iframe.
Allowed values are: Undefined (the default value, which does not set a SameSite field), None (disables SameSite restrictions), Lax (sends the cookie with "same-site" requests and with "cross-site" top-level navigations) and Strict (only sends the cookie with "same-site" requests).
"CookieAuthenticationOptions": {
  "Cookie": {
    "Name": ".Amt.CC.Auth",
    "Domain": "",
    "Path": "/",
    "SameSite": "None"
  }
},
AmtOIDC
This section holds the remaining OpenID Connect options.
- DisableRefreshTokens - Set to true to disable the refresh of tokens. Defaults to false.
- RefreshThreshold - The refresh threshold in seconds if enabled. If tokens expire within the configured threshold, the tokens will be refreshed. Defaults to 60 seconds.
- EnableClientAssertion - Set to true to enable client assertion. Defaults to false. If true, a signed token will be used to authenticate users instead of a client secret.
- ClientAssertionAlgorithm - The algorithm used to sign the token to be used as client assertion. Defaults to RS256.
- CertificateConfig - This section must be set if client assertion is enabled. See CertificateConfig.
...
  "DisableRefreshTokens": false,
  "RefreshThreshold": 60,
  "EnableClientAssertion": false,
  "ClientAssertionAlgorithm": "RS256",
  "CertificateConfig": {
...
CertificateConfig
Configuration options for the certificate used to sign the client assertion. This section can be left out if client assertion is disabled.
- AllowInvalid - Set to true if invalid certificates should be allowed. Defaults to false.
- Subject - The subject of the certificate.
- StoreName - The name of the store where the certificate is located. Defaults to 'MY'.
- StoreLocation - The location of the store where the certificate is located. Defaults to 'CurrentUser'.
- Path - The path to the certificate file.
- Password - The password for the certificate. Only necessary when loading the certificate from base64 or file.
"CertificateConfig": {
  "AllowInvalid": true,
  "Subject": "amt-application-cert",
  "StoreName": "MY",
  "StoreLocation": "LocalMachine",
  "Path": "certificate.pfx",
  "Password": ""
}
DataProtection
The DataProtection setting contains settings for ASP.NET Core data protection, which is used to encrypt the session state and authentication cookie, amongst other things. This section is optional and allows the keys to be saved to a specified folder, where they will be encrypted with DPAPI (Data Protection Application Programming Interface), allowing only accounts from the same system to access them. This is a replacement for the ASP.NET MachineKey.
When this section is not included in the appsettings file, keys are saved to the registry, which is the default.
- ApplicationName - The application name used for data protection. Setting the same application name in multiple web applications will result in the sharing of their keys.
- KeyRingFolder - The local directory where data protection keys will be stored.
"DataProtection": {
  "ApplicationName": "",
  "KeyRingFolder": "D:\\keyringfolder\\"
},
WebSessionState
The 'WebSessionState' section contains optional settings for the ASP.NET Core web sessions used by the Control Center Core web application.
- IdleTimeout - The time in minutes that a session remains active on the server before it is discarded. The default is 10 minutes.
- IOTimeout - The timeout (in minutes) for loading data from the session store. The default value of 1 is the ASP.NET Core default and usually should not have to be changed.
- Cookie - This section holds settings for the cookie used for the web session.
  - Domain - The domain of the web session cookie.
  - Path - The path of the web session cookie.
  - Name - The name of the web session cookie.
"WebSessionState": {
  "IdleTimeout": 10,
  "IOTimeout": 1,
  "Cookie": {
    "Domain": "",
    "Path": "/",
    "Name": ".Amt.CC.WebSession"
  }
}
Logging
Sets the logging levels for the various ASP.NET Core components of the web application. These settings do not need to be adjusted in a normal situation.
The allowed log levels are, from most to least detailed: Trace, Debug, Information, Warning, Error, Critical and None.
"Logging": {
  "LogLevel": {
    "Default": "Information",
    "Microsoft": "Warning",
    "Microsoft.Hosting.Lifetime": "Information",
    "System.Net.Http": "Warning"
  }
},
AllowedHosts
In the AllowedHosts section, access to the web application can be restricted to specific hostnames.
The value is a semicolon-delimited list of host names without port numbers.
By default all hostnames are allowed by the asterisk (*) wildcard.
Disallowed users will get an HTTP 400 error code (Bad Request).
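A pre-deployment check over the settings on this page that weaken authentication or host filtering, given as an added example and not part of the AMT product. The `audit` function, the sample values and the nesting of every section except Logging and AllowedHosts under "AMT" are assumptions.

```python
import json

# Constructed sample config. Nesting every section except Logging and
# AllowedHosts under "AMT" is an assumption based on the section table.
SAMPLE = json.loads("""
{
  "AMT": {
    "KeepAliveInterval": 15,
    "OIDC": {
      "Authority": "http://login.example.org/amt-applications/v2/auth",
      "ClientSecret": "<placeholder-secret>",
      "RequireHttpsMetadata": false
    },
    "AmtOIDC": {
      "EnableClientAssertion": true,
      "CertificateConfig": { "AllowInvalid": true }
    },
    "WebSessionState": { "IdleTimeout": 10 }
  },
  "AllowedHosts": "*"
}
""")

def audit(cfg):
    """Return findings for security-relevant settings described on this page."""
    amt = cfg.get("AMT", {})
    oidc, amt_oidc = amt.get("OIDC", {}), amt.get("AmtOIDC", {})
    findings = []
    # Defaults per the page: RequireHttpsMetadata true, IdleTimeout 10, AllowInvalid false.
    if not oidc.get("RequireHttpsMetadata", True):
        findings.append("OIDC.RequireHttpsMetadata is false (development only)")
    if not str(oidc.get("Authority", "https://")).lower().startswith("https://"):
        findings.append("OIDC.Authority is not an https URL")
    # The token lifetime is not in this file, so only the session timeout is compared.
    idle = amt.get("WebSessionState", {}).get("IdleTimeout", 10)
    keepalive = amt.get("KeepAliveInterval")
    if keepalive is not None and keepalive > idle:
        findings.append(f"KeepAliveInterval {keepalive} min exceeds IdleTimeout {idle} min")
    if amt_oidc.get("EnableClientAssertion", False) and oidc.get("ClientSecret"):
        findings.append("OIDC.ClientSecret is set but not applicable with client assertion")
    if amt_oidc.get("CertificateConfig", {}).get("AllowInvalid", False):
        findings.append("CertificateConfig.AllowInvalid is true")
    hosts = [h.strip() for h in str(cfg.get("AllowedHosts", "*")).split(";")]
    if "*" in hosts:
        findings.append("AllowedHosts is the * wildcard")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```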