Configure TrustEdge
TrustEdge uses several configuration files to manage its settings and credentials. Understanding these files allows you to customize TrustEdge according to your needs.
- trustedge.json: Main configuration file defining directory paths, proxy settings, TrustEdge agent behavior, and logging.
- bootstrap_config.json: Provides the TrustEdge agent with Device Trust Manager endpoints and credentials.
trustedge.json
- Location: /etc/digicert/trustedge.json
- Purpose: Defines key configuration settings used by TrustEdge.
Example content:
```json
{
  "directory_paths": {
    "bin_dir": "/usr/bin",
    "lib_dir": "/usr/lib",
    "conf_dir": "/etc/digicert/conf",
    "keystore_dir": "/etc/digicert/keystore"
  },
  "proxy": {
    "url": null
  },
  "agent": {
    "bootstrap": "<path>/bootstrap_config.json",
    "workspace_dir": "<path>",
    "connection_uptime_interval": 360,
    "keepalive_interval": 30,
    "sleep_interval": 18000,
    "action_handler_timeout": 120,
    "enforce_token": false,
    "log_payload": true,
    "policy_timestamp_window": 10,
    "max_retry_count": 7,
    "chunk_supported": true,
    "chunk_size": 131072,
    "chunk_window_size": 4
  },
  "certificate": {
    "service_dir": "/etc/digicert/service",
    "polling_interval": "1",
    "renewal_hours": "360",
    "mode": "scep"
  },
  "service": {
    "mode": "certificate"
  },
  "api": {
    "mode": "https",
    "port": 8443,
    "num_process": 5,
    "num_resource": 5,
    "server_keycert_alias": "te-api-server",
    "server_hostname": "localhost"
  },
  "cloud_provider": {
    "provider_creds_dir": "/etc/digicert/cloudprovider"
  },
  "log": {
    "loglevel": "ERROR|WARNING|DEBUG|INFO|VERBOSE"
  }
}
```
| Key | Type | Description | Default value |
|---|---|---|---|
| directory_paths | object | Container for binaries, libraries, configuration files, and the default keystore filepaths. | |
| directory_paths.bin_dir | string | Directory where the TrustEdge binary is installed. | /usr/bin |
| directory_paths.lib_dir | string | Directory where TrustEdge libraries are stored. | /usr/lib |
| directory_paths.conf_dir | string | Directory containing configuration files. | /etc/digicert/conf |
| directory_paths.keystore_dir | string | Default keystore directory for storing certificates, keys, and requests. | /etc/digicert/keystore |
| proxy | object | Defines the proxy settings for TrustEdge. | |
| proxy.url | string | URL of the proxy server. If null, no proxy is used. | null |
| agent | object | Container for settings related to TrustEdge agent configuration. | |
| agent.bootstrap | string | Path to the bootstrap configuration file for initializing the TrustEdge agent. | /etc/digicert/conf/bootstrap_config.json |
| agent.workspace_dir | string | Directory used for temporary files and workspace data during TrustEdge operations. | /tmp |
| agent.enforce_token | boolean | Determines whether the TrustEdge agent requires Policy Authorization Tokens (PAT) when handling policy data from the DRZ server. | true |
| agent.connection_uptime_interval | string | Time, in seconds, that the agent stays connected to the broker. | 360 |
| agent.keepalive_interval | string | Time, in seconds, for MQTT keep-alive messages (PINGREQ, PINGRESP). Service mode only. | 0 |
| agent.sleep_interval | string | Time, in seconds, for the agent to sleep before attempting to connect again. Service mode only. | 18000 |
| agent.action_handler_timeout | string | Time, in seconds, to wait for the artifact handler to complete. | 180 |
| agent.log_payload | string | If set to true, the agent dumps a hex string of inbound and outbound message payloads. | true |
| agent.policy_timestamp_window | string | The allowed period, in seconds, that defines the validity of a policy message. | 300 |
| agent.max_retry_count | string | Determines how many consecutive networking or MQTT failures the agent tolerates before it enters a sleep state. | 5 |
| agent.chunk_supported | string | The agent will break data into smaller chunks for processing or transmission, where chunking is supported. | true |
| agent.chunk_size | string | The agent does not accept update artifact chunks larger than the specified size. | 131072 |
| agent.chunk_window_size | string | The agent handles up to the specified number of payload chunks simultaneously before processing additional ones. | 4 |
| certificate | object | Container for certificate management and renewal settings. | |
| certificate.service_dir | string | Directory where the certificate service files are stored. | /etc/digicert/service |
| certificate.polling_interval | string | Time, in seconds, for polling the certificate service. | 300 |
| certificate.renewal_hours | string | The number of hours before expiry to start the renewal process. By default, the system attempts certificate renewal 360 hours (15 days) before expiry. | 360 |
| certificate.mode | string | Certificate management mode. Allowed values: scep | scep |
| service | object | Container for service mode and reconnection behavior settings. | |
| service.mode | string | Operation mode for the service. Allowed values: agent, certificate, agent,certificate | certificate |
| service.reconnect_delay | string | Time interval, in seconds, to start the backoff timer for reconnection. | 2 |
| log | object | Defines logging configuration for TrustEdge. | |
| log.loglevel | string | Logging level. Allowed values: ERROR, WARNING, DEBUG, INFO, VERBOSE | ERROR |
| api | object | REST APIs provided by the TrustEdge service to deliver specific functionality to applications running on the device. | |
| api.mode | string | Specifies whether the API runs in http or https mode. | http |
| api.port | string | Specifies the TCP port for connecting to the server. | 8469 |
| api.num_process | string | Specifies the maximum number of processes that can subscribe to resources. | 5 |
| api.num_resource | string | Specifies the maximum number of resources that can be subscribed to by processes. | 5 |
| api.server_keycert_alias | string | Alias for the server's TLS certificate and private key, used in HTTPS mode. | trustedge-server |
| api.server_hostname | string | SNI value used by the client in HTTPS mode. | localhost |
| cloud_provider | object | Path to the directory where the system stores the cloud provider credentials in JSON format. | /etc/digicert/cloudprovider |
bootstrap_config.json
Warning: Do not edit the bootstrap_config.json file. Modifying this file may cause unexpected behavior or disrupt Device Trust Manager communications.
- Location: /etc/digicert/conf/bootstrap_config.json
- Purpose: Provides the agent with Device Trust Manager MQTT endpoints and credentials.
Example content:
```json
{
  "configuration": {
    "device_id": "<device_id>",
    "account_id": "<account_id>",
    "division_id": "<division_id>",
    "device_group_id": "<device_group_id>",
    "rendezvous_configuration": {
      "mqtt_endpoint": {
        "primary": ["mqtt://demo.one.digicert.com:1883"]
      },
      "persist_connection": false
    },
    "system_attributes": [
      { "key": "location" },
      { "key": "hardware_model" },
      { "key": "serial_number" },
      { "key": "operating_system" },
      { "key": "firmware_version" },
      { "key": "mac_address" },
      { "key": "ip_address" }
    ],
    "authentication": [
      {
        "method": "x509",
        "key_source": "SW",
        "certificate_serial_number": "111111111111111111",
        "certificate_issuer": "RSA 2048 ICA",
        "cert_alias": "device1.crt",
        "key_alias": "device1-key.crt"
      }
    ]
  }
}
```
| Field | Type | Description | Required |
|---|---|---|---|
| configuration.device_id | string | Unique identifier for the device. Used as the device ID when connecting to Device Trust Manager and as the client ID for MQTT communications. | Yes |
| configuration.account_id | string | The account ID associated with the device. | Yes |
| configuration.division_id | string | Identifier for the division to which the device belongs. | Yes |
| configuration.device_group_id | string | Identifier for the device group to which the device belongs. | Yes |
| configuration.rendezvous_configuration | object | Contains connection settings for the rendezvous service. | Yes |
| configuration.rendezvous_configuration.mqtt_endpoint | object | MQTT endpoint configuration details. | Yes |
| configuration.rendezvous_configuration.mqtt_endpoint.primary | string | Fully qualified domain name (FQDN) of the primary MQTT endpoint. | Yes |
| configuration.rendezvous_configuration.mqtt_endpoint.secondary | array | Array of strings representing backup MQTT endpoints for redundancy. | No |
| configuration.rendezvous_configuration.authentication | array | Array of objects containing authentication credentials required to connect to the rendezvous service. | Yes |
| configuration.rendezvous_configuration.authentication.method | string | Authentication method, e.g., x509. | Yes |
| configuration.rendezvous_configuration.authentication.pem_key | string | PEM encoded private key in PKCS #8 format. | Yes |
| configuration.rendezvous_configuration.authentication.pem_cert | string | PEM encoded certificate. | Yes |
| configuration.rendezvous_configuration.persist_connection | boolean | Determines if the connection to the rendezvous endpoint should be persistent (true) or not (false). | Yes |
| configuration.device_attributes | array | Array of key-value pairs representing device-specific attributes. | No |
| configuration.device_attributes.key | string | Attribute key, e.g., Device name. | Yes |
| configuration.device_attributes.value | string | Attribute value, e.g., RPi 0122: MS. | Yes |
| configuration.system_attributes | array | Array of key-value pairs representing system-specific attributes. | No |
| configuration.system_attributes.key | string | System attribute key, e.g., OS.VERSION. | Yes |
| configuration.system_attributes.value | string | Optional attribute value. If not provided, the device will attempt to populate it; if unsuccessful, it is skipped. | No |
| configuration.user_defined_attributes | array | Array of key-value pairs representing user-defined attributes. | No |
| configuration.user_defined_attributes.key | string | User-defined attribute key, e.g., My Attribute. | Yes |
| configuration.user_defined_attributes.value | string | User-defined attribute value, e.g., My Value. | Yes |
| configuration.default_attributes | array | Array of key-value pairs representing default attributes. | No |
| configuration.default_attributes.key | string | Default attribute key, e.g., OS.VERSION. | Yes |
| configuration.default_attributes.value | string | Default attribute value, e.g., 1.1. | Yes |
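The two tables above document which keys exist, their allowed values, and which settings weaken the agent's posture (agent.enforce_token, agent.log_payload, api.mode, inline pem_key material). The following read-only audit script is an added example for this page, not DigiCert's code: it parses both trustedge.json and bootstrap_config.json, checks the documented allowed values and required fields, and reports settings a security review would question. The sample configurations embedded in it are constructed from the page's examples (abridged); the `mqtts://` check is an assumption about the common TLS-wrapped MQTT URL scheme, not a documented TrustEdge option, and the script never writes to either file.

```python
"""Read-only audit of TrustEdge configuration files (added example, not vendor code)."""
import json
import sys
from urllib.parse import urlparse

# Constructed sample based on the page's trustedge.json example (abridged).
TRUSTEDGE_SAMPLE = """{
  "proxy": {"url": null},
  "agent": {"enforce_token": false, "log_payload": true, "max_retry_count": 7},
  "certificate": {"mode": "scep"},
  "service": {"mode": "certificate"},
  "api": {"mode": "https", "port": 8443},
  "log": {"loglevel": "ERROR"}
}"""

# Constructed sample based on the page's bootstrap_config.json example (abridged).
BOOTSTRAP_SAMPLE = """{
  "configuration": {
    "device_id": "<device_id>",
    "account_id": "<account_id>",
    "division_id": "<division_id>",
    "device_group_id": "<device_group_id>",
    "rendezvous_configuration": {
      "mqtt_endpoint": {"primary": ["mqtt://demo.one.digicert.com:1883"]},
      "persist_connection": false
    },
    "authentication": [
      {"method": "x509", "key_source": "SW",
       "cert_alias": "device1.crt", "key_alias": "device1-key.crt"}
    ]
  }
}"""

# Allowed values taken from the trustedge.json key table above.
ALLOWED = {
    ("log", "loglevel"): {"ERROR", "WARNING", "DEBUG", "INFO", "VERBOSE"},
    ("certificate", "mode"): {"scep"},
    ("service", "mode"): {"agent", "certificate", "agent,certificate"},
    ("api", "mode"): {"http", "https"},
}

# Required top-level fields taken from the bootstrap_config.json table above.
REQUIRED_BOOTSTRAP = ("device_id", "account_id", "division_id",
                      "device_group_id", "rendezvous_configuration")


def audit_trustedge(text):
    """Return a list of findings for a trustedge.json document."""
    cfg = json.loads(text)
    findings = []
    for (section, key), allowed in ALLOWED.items():
        value = cfg.get(section, {}).get(key)
        if value is not None and value not in allowed:
            findings.append(f"{section}.{key}={value!r} is not one of {sorted(allowed)}")
    agent = cfg.get("agent", {})
    if agent.get("enforce_token") is False:
        findings.append("agent.enforce_token=false: policy data is accepted without a Policy Authorization Token")
    if agent.get("log_payload") is True:
        findings.append("agent.log_payload=true: message payloads are hex-dumped into the log")
    api = cfg.get("api")
    if api is not None and api.get("mode", "http") == "http":  # table default is http
        findings.append("api.mode=http: the local REST API is served without TLS")
    return findings


def audit_bootstrap(text):
    """Return a list of findings for a bootstrap_config.json document."""
    conf = json.loads(text).get("configuration", {})
    findings = []
    for field in REQUIRED_BOOTSTRAP:
        if field not in conf:
            findings.append(f"configuration.{field} is required but missing")
    rv = conf.get("rendezvous_configuration", {})
    endpoints = rv.get("mqtt_endpoint", {})
    primary = endpoints.get("primary") or []
    if not primary:
        findings.append("no primary MQTT endpoint configured")
    for url in list(primary) + list(endpoints.get("secondary") or []):
        scheme = urlparse(url).scheme
        if scheme != "mqtts":  # assumption: mqtts:// denotes TLS-wrapped MQTT
            findings.append(f"{url}: scheme {scheme!r} is not mqtts; confirm the transport is TLS-protected")
    if not isinstance(rv.get("persist_connection"), bool):
        findings.append("rendezvous_configuration.persist_connection must be true or false")
    # The field table places authentication under rendezvous_configuration while the
    # page's example places it directly under configuration; accept either location.
    auth = rv.get("authentication") or conf.get("authentication") or []
    if not auth:
        findings.append("no authentication entries: the agent cannot present credentials to the rendezvous service")
    for i, entry in enumerate(auth):
        if "method" not in entry:
            findings.append(f"authentication[{i}] has no method")
        if "pem_key" in entry:
            findings.append(f"authentication[{i}] embeds a PEM private key in the file; restrict file permissions")
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [/etc/digicert/trustedge.json /etc/digicert/conf/bootstrap_config.json]
    if len(sys.argv) == 3:
        te_text, bs_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        te_text, bs_text = TRUSTEDGE_SAMPLE, BOOTSTRAP_SAMPLE
    for name, findings in (("trustedge.json", audit_trustedge(te_text)),
                           ("bootstrap_config.json", audit_bootstrap(bs_text))):
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run without arguments to audit the embedded samples, or pass the two file paths to audit a live installation. Against the page's own example values the script reports enforce_token=false and log_payload=true for trustedge.json and the mqtt:// endpoint scheme for bootstrap_config.json; a hardened trustedge.json (enforce_token true, log_payload false, api.mode https) produces no findings.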