Managing Distributed Data Framework

DDF relies on the Directory Permissions of the host platform to protect the integrity of the DDF during operation. System administrators MUST perform the following steps prior to deploying bundles added to the DDF.

The amount of memory allocated to the Java Virtual Machine host DDF by the operating system can be increased by updating the setenv script:

By default, DDF prevents connections to JMX because the system is more secure when JMX is not enabled. However, many monitoring tools require a JMX connection to the Java Virtual Machine. To enable JMX, update the setenv script:

Certificates, and sometimes their associated private keys, are stored in keystore files. DDF includes two default keystore files, the server key store and the server trust store. The server keystore holds DDF’s certificate and private key. It will also hold the certificates of other nodes whose signature DDF will accept. The truststore holds the certificates of nodes or other entities that DDF needs to trust.

Upon startup, the installation can be completed by navigating to the Admin Console at https://{FQDN}:{PORT}/admin.

On the initial startup of the Admin Console, a series of prompts walks through essential configurations. These configurations can be changed later, if needed.

In order to install DDF from the Command Console, use the command profile:install <profile-name>. The <profile-name> should be the desired Setup Type in lowercase letters. To see the available profiles, use the command profile:list.

The Guest Claim Attributes can be configured via the Admin Console after running the profile:install command. See Configuring Guest Claim Attributes.

System Settings and Contact Info, as described in System Configuration Settings, can be changed in <DDF_HOME>/etc/custom.system.properties. The certificates must be set up manually as described in Managing Keystores and Certificates.

In order to integrate with a failover proxy, the DDF node’s system properties (in <DDF_HOME>/etc/custom.system.properties) must be changed to publish the correct port to external systems and users. This must be done before installing the first DDF node. See High Availability Initial Setup.

There are two internal port properties that must be changed to whatever ports the DDF will use on its system. Then there are two external port properties that must be changed to whatever ports the failover proxy is forwarding traffic through.

In the below example, the failover proxy with a hostname of service.org is forwarding https traffic via 8993 and http traffic via 8181. The DDF node will run on 1111 for https and 2222 for http (on the host that it’s hosted on). The hostname of the DDF must match the hostname of the proxy.

The two DDF nodes need to be under identical root directories on their corresponding systems. On Windows, this means they must be under the same drive.

A third party tool will have to be used to persist the logs in a highly available manner.

The storage provider must be in a location that is shared between the two DDF nodes and must be highly available. If hardening the Highly Available Cluster, this shared storage provider must be trusted/secured. One way to accomplish this is to use the default Content File System Storage Provider and configure it to point to a highly available shared directory.

Due to the nature of highly available environments, localhost is not suitable for use as a hostname to identify the DDF cluster. The default certificate uses localhost as the common name, so this certificate needs to be replaced. The following describes how to generate a certificate signed by the DDF Demo Certificate Authority that uses a proper hostname.

Certificates need to have Subject Alternative Names (SANs) which will include the host for the failover proxy and for both DDF nodes. A certificate with SANs signed by the Demo CA can be obtained by navigating to <DDF_HOME>/etc/certs/ and, assuming the proxy’s hostname is service.org, running the following for UNIX operating systems:

or the following for Windows operating systems:

More customization for certs can be achieved by following the steps at Creating New Server Keystore Entry with the CertNew Scripts.

Instead of having to manually turn features on and off, there is a High Availability installation profile. This profile will not show up in the UI Installer, but can be installed by executing profile:install ha on the command line instead of stepping through the UI Installer. This profile will install all of the High Availability supported features.

To disable guest access for all contexts, use the Web Context Policy Manager configuration and uncheck the Guest checkbox. Only authorized users are then allowed to continue to the Search UI page.

Guest authentication must be enabled and configured to allow guest users. Once the guest user is configured, redaction and filtering of metadata is done for the guest user the same way it is done for normal users.

To enable guest authentication for a context, use the Web Context Policy Manager configuration to select Allow Guest Access.

To use OpenID Connect (OIDC) and OAuth 2.0, DDF needs to be connected to an external Identity Provider (IdP) which supports these protocols.

To connect to an external SAML Identity Provider,

To configure DDF to not use a SAML Identity Provider (IdP),

Mutli-factor authentication, sometimes referred to as two-factor authentication, allows for greater security. It does this by requiring users to provide multiple proofs of identity, typically through something they know (such as a password), and something they have/are (such as a randomly generated pin number sent to one of their personal devices). The IdP that comes with DDF does not support multi-factor authentication by default.

Keycloak can be used to help setup and configure multi-factor authentication. See Connecting to an External Identity Provider on how to initially hookup Keycloak.

See the Keycloak Documentation {external link} for more information and details about how to configure Keycloack for multi-factor authentication.

Limit access to the individual applications, features, or services to those users who need access. Organizational requirements should dictate which applications are restricted and the extent to which they are restricted.

If a permission is specified, any user without the required attributes will be unable to see or modify the feature, app, or configuration.

A Certificate Revocation List is a collection of formerly-valid certificates that should explicitly not be accepted.

An Online Certificate Status Protocol is a protocol used to verify the revocation status of a certificate. An OCSP server can be queried with a certificate to verify if it is revoked.

The advantage of using an OCSP Server over a CRL is the fact that a local copy of the revoked certificates is not needed.

When configured, text searches in Solr will utilize synonyms when attempting to match text within the catalog. Synonyms are used during keyword/anyText searches as well as when searching on specific text attributes when using the like / contains operator. Text searches using the equality / exact match operator will not utilize synonyms.

Solr utilizes a synonyms.txt file which exists for each Solr core. Synonym matching is most pertinent to metacards which are contained within 2 cores: catalog and metacard_cache.

Follow instructions on Securing Solr .

The Solr Admin UI for Solr server configurations can be accessed from a web browser. See Using the Solr Administration User Interface for more details.

Prevent data with errors or warnings from being ingested at all.

Prevent invalid metacards from being displayed in query results, unless specifically queried.

Prevent certain users from seeing data with certain types of errors or warnings. Typically, this is used for security markings. If the Metacard Validation Filter Plugin is configured to Filter errors and/or Filter warnings, metacards with errors/warnings will be hidden from users without the specified user attributes.

The Content Directory Monitor is installed by default with a standard installation of the Catalog application.

Configuring a Content Directory Monitor requires adding permissions to the Security Manager before CDM configuration.

Configuring a CDM requires adding read and write permissions to the directory being monitored. The following permissions, replacing <DIRECTORY_PATH> with the path of the directory being monitored, are required for each configured CDM and should be placed in the CDM section inside <DDF_HOME>/security/configurations.policy.

Trailing slashes after <DIRECTORY_PATH> have no effect on the permissions granted. For example, adding a permission for "${/}test${/}path" and "${/}test${/}path${/}" are equivalent. The recursive forms "${/}test${/}path${/}-", and "${/}test${/}path${/}${/}-" are also equivalent.

Line 1 gives the CDM the permissions to read from the monitored directory path. Line 2 gives the CDM the permissions to recursively read and write from the monitored directory path, specified by the directory path’s suffix "${/}-".

If a CDM configuration is deleted, then the corresponding permissions that were added should be deleted to avoid granting unnecessary permissions to parts of the system.

Configure the CDM from the Admin Console:

See Content Directory Monitor configurations for all possible configurations.

The CDM processes files in a directory, and all of its sub-directories. The CDM offers three options:

Regardless of the option, the DDF takes each file in a monitored directory structure and creates a metacard for it. The metacard is linked to the file. The behavior of each option is given below.

The CDM supports parallel processing of files (up to 8 files processed concurrently). This is configured by setting the number of Maximum Concurrent Files in the configuration. A maximum of 8 is imposed to protect system resources.

When the CDM is set up, the directory specified is continuously scanned, and files are locked for processing based on the ReadLock Time Interval. This does not apply to the Monitor in place processing directive. Files will not be ingested without having a ReadLock that has observed no change in the file size. This is done so that files that are in transit will not be ingested prematurely. The interval should be dependent on the speed of the copy to the directory monitor (ex. network drive vs local disk). For local files, the default value of 500 milliseconds is recommended. The recommended interval for network drives is 1000 - 2000 milliseconds. If the value provided is less than 100, 100 milliseconds will be used. It is also recommended that the ReadLock Time Interval be set to a lower amount of time when the Maximum Concurrent Files is set above 1 so that files are locked in a timely manner and processed as soon as possible. When a higher ReadLock Time Interval is set, the time it takes for files to be processed is increased.

The CDM supports setting metacard attributes directly when DDF ingests a file. Custom overrides are entered in the form:

attribute-name=attribute-value

For example, to set the contact email for all metacards, add the attribute override:

contact.point-of-contact-email=doctor@clinic.com

Each override sets the value of a single metacard attribute. To set the value of an additional attribute, select the "plus" icon in the UI. This creates an empty line for the entry.

To set multi-valued attributes, use a separate override for each value. For example, to add the keywords PPI and radiology to each metacard, add the custom attribute overrides:

topic.keyword=PPI
topic.keyword=radiology

Attributes will only be overridden if they are part of the metacard type or are injected.

All attributes in the catalog taxonomy tables are injected into all metacards by default and can be overridden.

For example, if the metacard type contains contact email,

contact.point-of-contact-email

but the value is not currently set, adding an attribute override will set the attribute value. To override attributes that are not part of the metacard type, attribute injection can be used.

The CDM blacklist uses the "bad.files" and "bad.file.extensions" properties from the custom.system.properties file in "etc/" in order to prevent malicious or unwanted data from being ingested into DDF. While the CDM automatically omits hidden files, this is particularly useful when an operating system automatically generates files that should not be ingested. One such example of this is "thumbs.db" in Windows. This file type and any temporary files are included in the blacklist.

If the CDM fails to read the file, an error will be logged in the CDM log. If the directory monitor is configured to Delete or Move, the original file is also moved to the \.errors directory.

CDM will send logs detailing the processing of files in the directory to cdm.log.

The Metacard Attribute Security Policy Plugin combines existing metacard attributes to make new attributes and adds them to the metacard.

Sample configuration of the Metacard Attribute Security Policy Plugin.

To configure the plugin to combine the attributes sourceattribute1 and sourceattribute2 into a new attribute destinationattribute1 using the union, enter these two lines under the title Metacard Union Attributes

See Metacard Attribute Security Policy Plugin configurations for all possible configurations.

By default, the Metacard Validation Marker Plugin will mark metacards with validation errors and warnings as they are reported by each metacard validator and then allow the ingest. To prevent the ingest of certain invalid metacards, the Metacard Validity Marker plugin can be configured to "enforce" one or more validators. Metacards that are invalid according to an "enforced" validator will not be ingested.

See Metacard Validity Marker Plugin configurations for all possible configurations.

The Metacard Validity Filter Plugin determines whether metacards with validation errors or warnings are filtered from query results.

See Metacard Validity Filter Plugin configurations for all possible configurations.

The XML Attribute Security Policy Plugin finds security attributes contained in a metacard’s metadata.

See XML Attribute Security Policy Plugin configurations for all possible configurations.

The Security Audit Plugin audits specific metacard attributes.

To configure the Security Audit Plugin:

Add the desired metacard attributes that will be audited when modified.

See Security Audit Plugin configurations for all possible configurations.

Guest access is a toggleable configuration. Enabling guest access will cause all users to be assigned a guest principal for use throughout the entire system. The guest principal will be used either by itself or along with any other principals acquired from configured authentication types.

Enabling session storage allows the system to persist the user login through the use of cookies. Note that the SAML and OIDC authentication types require session storage to be enabled.

Through the Web Context Policy Manager, authentication types for DDF may be configured with the following format:

Authentication types can be configured separately for: * web pages (these are all context paths that do not start with /services such as /admin and /search) * endpoints (these are all context paths that start with /services)

Configuring separate authentication types for specific contexts is supported through the web-context-policy-config.properties configuration file. * Navigate to <DDF_HOME>/etc/ * Edit the web-context-policy-config.properties file * Restart DDF

The web-context-policy-config.properties file format is:

The fields for required attributes allows configuring certain contexts to only be accessible to users with pre-defined attributes. For example, the default required attribute for the /admin context is role=system-admin, limiting access to the Admin Console to system administrators

White listed contexts are trusted contexts which will bypass security. Any sub-contexts of a white listed context will be white listed as well, unless they are specifically assigned a policy.

With the security-pdp-authz feature configured in this way, the above Metacard would be displayed to the user. Note that this particular configuration would not require any XACML rules to be present. All of the attributes can be matched internally and there is no reason to call out to the external XACML processing engine. For more complex decisions, it might be necessary to write a XACML policy to handle certain attributes.

To set up a XACML policy, place the desired XACML policy in the <distribution root>/etc/pdp/policies directory and update the included access-policy.xml to include the new policy. This is the directory in which the PDP will look for XACML policies every 60 seconds.

See Developing XACML Policies for more information about custom XACML policies.

Several Policy Plugins for catalog filtering exist currently: Metacard Attribute Security Policy Plugin and XML Attribute Security Policy Plugin. These Policy Plugin implementations allow an administrator to easily add filtering capabilities to some standard Metacard types for all Catalog operations. These plugins will place policy information on the Metacard itself that allows the Filter Plugin to restrict unauthorized users from viewing content they are not allowed to view.

The Catalog Federation Strategy configuration can be found in the Admin Console.

See Federation Strategy configurations for all possible configurations.

The Confluence source provides a Federated Source to retrieve pages, comments, and attachments from an Atlassian Confluence® REST API and turns the results into Metacards the system can use. The Confluence source does provide a Connected Source interface but its functionality has not been verified.

Confluence Source has been tested against the following versions of Confluence with REST API v2

The Confluence Federated Source is installed by default with a standard installation in the Catalog application.

Add a New Confluence Federated Source through the Admin Console:

Configure an Existing Confluence Federated Source through the Admin Console:

See Confluence Federated Source configurations for all possible configurations.

Most of the fields that can be queried on Confluence have some sort of restriction on them. Most of the fields do not support the like aka ~ operation so the source will convert like queries to equal queries for attributes that don’t support like. If the source receives a query with attributes it doesn’t understand, it will just ignore them. If the query doesn’t contain any attributes that map to Confluence search attributes, an empty result set will be returned.

Depending on your version of Confluence, when downloading attachments you might get redirected to a different download URL. The default URLResourceReader configuration allows redirects, but if the option was disabled in the past, the download will fail. This can be fixed by re-enabling redirects in the URLResourceReader configuration.

The CSW Specification Profile Federated Source should be used when federating to an external (non-DDF-based) CSW (version 2.0.2) compliant service.

Add a New CSW Specification Profile Federated Source through the Admin Console:

Configure an Existing CSW Specification Profile Federated Source through the Admin Console:

See CSW Specification Profile Federated Source configurations for all possible configurations.

The CSW Federation Profile Source is DDF’s CSW Federation Profile which supports the ability to search collections of descriptive information (metadata) for data, services, and related information objects.

Use the CSW Federation Profile Source when federating to a DDF-based system.

Configure the CSW Federation Profile Source through the Admin Console:

Configure an Existing CSW Federated Source through the Admin Console:

See CSW Federation Profile Source configurations for all possible configurations.

The Content File System Storage Provider is the default Storage Provider included with DDF

The Content File System Storage Provider is installed by default with the Catalog application.

To configure the Content File System Storage Provider:

See Content File System Storage Provider configurations for all possible configurations.

The Geographic MetaData extensible markup language (GMD) CSW source supports the ability to search collections of descriptive information (metadata) for data, services, and related information objects, based on the Application Profile ISO 19115/ISO19119 .

Use the GMD CSW source if querying a GMD CSW APISO compliant service.

The GMD CSW source is installed by default with a standard installation in the Spatial application.

Configure a new GMD CSW APISO v2.0.2 Source through the Admin Console:

Configure an existing GMD CSW APISO v2.0.2 Source through the Admin Console:

See GMD CSW APISO v2.0.2 Source configurations for all possible configurations.

The OpenSearch source provides a Federated Source that has the capability to do OpenSearch queries for metadata from Content Discovery and Retrieval (CDR) Search V1.1 compliant sources. The OpenSearch source does not provide a Connected Source interface.

The OpenSearch Source is installed by default with a standard installation in the Catalog application.

Configure a new OpenSearch Source through the Admin Console:

Configure an existing OpenSearch Source through the Admin Console:

See OpenSearch Source configurations for all possible configurations.

Use the OpenSearch source if querying a CDR-compliant search service is desired.

The OpenSearch source does not provide a Connected Source interface.

The Solr Catalog Provider is included with a standard installation of DDF.

SolrCloud is a cluster of distributed Solr servers used for high availability and scalability. Configuration shared between Solr Server instances is managed by Zookeeper.

Review and complete the following Zookeeper and Solr documentation:

The jute.maxbuffer property needs to be set on Zookeeper and SolrCloud nodes to support large dictionary files. The following JAR is needed to support WKT geospatial queries and needs to be installed on every Solr server instance.

The JAR can be downloaded from:

Repeat the following procedure for each Zookeeper and SolrCloud node instance:

The WFS Source allows for requests for geographical features across the web using platform-independent calls.

A Web Feature Service (WFS) source is an implementation of the FederatedSource interface provided by the DDF Framework.

Use the WFS Source if querying a WFS version 1.1.0 compliant service.

The WFS v1.1.0 Source is installed by default with a standard installation in the Spatial application.

Configure a new WFS v1.1.0 Source through the Admin Console:

Configure an existing WFS v1.1.0 Source through the Admin Console:

See WFS v.1.1 Federated Source configurations for all possible configurations.

The WFS URL must match the endpoint for the service being used. The type of service and version are added automatically, so they do not need to be included. Some servers will throw an exception if they are included twice, so do not include those.

The syntax depends on the server. However, in most cases, the syntax will be everything before the ? character in the URL that corresponds to the GetCapabilities query.

In this case, the WFS URL would be: http://www.example.org:8080/geoserver/wfs

The WFS v1.1.0 Source supports mapping metacard attributes to WFS feature properties for queries (GetFeature requests) to the WFS server. The source uses a MetacardMapper service to determine how to map a given metacard attribute in a query to a feature property the WFS server understands. It looks for a MetacardMapper whose getFeatureType() matches the feature type being queried. Any MetacardMapper service implementation will work, but DDF provides one in the Spatial application called Metacard to WFS Feature Map.

The WFS 2.0 Source allows for requests for geographical features across the web using platform-independent calls.

Use the WFS Source if querying a WFS version 2.0.0 compliant service. Also see Working with WFS Sources.

The WFS v2.0.0 Source is installed by default with a standard installation in the Spatial application.

Configure a new WFS v2.0.0 Source through the Admin Console:

Configure an existing WFS v2.0.0 Source through the Admin Console:

See WFS v.2.0 Federated source configurations or WFS v2.0 Connected source configurations for all possible configurations.

The WFS URL must match the endpoint for the service being used. The type of service and version is added automatically, so they do not need to be included. Some servers will throw an exception if they are included twice, so do not include those.

The syntax depends on the server. However, in most cases, the syntax will be everything before the ? character in the URL that corresponds to the GetCapabilities query.

In this case, the WFS URL would be

The WFS 2.0 Source allows for virtually any schema to be used to describe a feature. A feature is roughly equivalent to a metacard. The MetacardMapper was added to allow an administrator to configure which feature properties map to which metacard attributes.

Use the WFS MetacardMapper to configure which feature properties map to which metacard attributes when querying a WFS version 2.0.0 compliant service. When feature collection responses are returned from WFS sources, a default mapping occurs which places the feature properties into metacard attributes, which are then presented to the user via DDF. There can be situations where this automatic mapping is not optimal for your solution. Custom mappings of feature property responses to metacard attributes can be achieved through the MetacardMapper. The MetacardMapper is set by creating a feature file configuration which specifies the appropriate mapping. The mappings are specific to a given feature type.

The WFS MetacardMapper is installed by default with a standard installation in the Spatial application.

There are two ways to configure the MetacardMapper:

The following shows how to configure the MetacardMapper to be used with the sample data provided with GeoServer. This configuration shows a custom mapping for the feature type ‘states’. For the given type, we are taking the feature property ‘STATE_NAME’ and mapping it to the metacard attribute ‘title’. In this particular case, since we mapped the state name to title in the metacard, it will now be fully searchable.

The Catalog REST endpoint allows clients to perform operations on the Catalog using REST.

To install the Catalog REST endpoint:

The Catalog REST endpoint has no configurable properties. It can only be installed or uninstalled.

The CSW endpoint enables a client to search collections of descriptive information (metadata) about geospatial data and services.

To install the CSW endpoint:

To control the number of threads used for parallel processing of transactions, set the org.codice.ddf.spatial.ogc.csw.catalog.endpoint.threadpool system property in custom.system.properties. The default thread pool is 2 * Number Processors.

Keyhole Markup Language (KML) is an XML notation for describing geographic annotation and visualization for 2- and 3- dimensional maps.

The root network link will create a network link for each configured source, including the local catalog. The individual source network links will perform a query against the OpenSearch Endpoint periodically based on the current view in the KML client. The query parameters for this query are obtained by a bounding box generated by Google Earth. The root network link will refresh every 12 hours or can be forced to refresh. As a user changes their current view, the query will be re-executed with the bounding box of the new view. (This query gets re-executed two seconds after the user stops moving the view.)

This KML Network Link endpoint has the ability to serve up custom KML style documents and Icons to be used within that document. The KML style document must be a valid XML document containing a KML style. The KML Icons should be placed in a single level directory and must be an image type (png, jpg, tif, etc.). The Description will be displayed as a pop-up from the root network link on Google Earth. This may contain the general purpose of the network and URLs to external resources.

To install the KML endpoint:

To configure the KML endpoint:

See KML Endpoint configurations for all possible configurations.

The OpenSearch endpoint enables a client to send query parameters and receive search results. This endpoint uses the input query parameters to create an OpenSearch query. The client does not need to specify all of the query parameters, only the query parameters of interest.

To install the KML endpoint:

The OpenSearch endpoint has no configurable properties. It can only be installed or uninstalled.

Zookeeper clients cannot use secure (SSL/TLS) connections. The configuration information that Zookeeper sends and receives is vulnerable to network sniffing. Any unencrypted network traffic is vulnerable to sniffing attacks. To use SolrCloud with Zookeeper securely, these processes must be isolated on the network, or their communications must be encrypted by other means. The DDF process must be visible on the network to allow authorized parties to interact with it.

The Landing Page is installed by default with a standard installation.

The DDF landing page offers a starting point and general information for a DDF node. It is accessible at /(index|home|landing(.htm|html)).

Configure the Landing Page from the Admin Console:

Configure important landing page items such as branding logo, contact information, description, and additional links.

See Landing Page configurations for all possible configurations.

The customization of the UI theme across DDF is available through the capabilities of Platform UI Configuration. The banner has four items to configure:

See the Platform UI for all possible configurations of the Platform UI Configuration.

The Decanter SLA Checker provides a way to create alerts based on configurable conditions in events posted to decanter/collect/* and can be configured by editing the file <DDF_HOME>/etc/org.apache.karaf.decanter.sla.checker.cfg. By default there are only two checks that will produce alerts, and they are based on the SystemNotice event property of priority.

The Decanter Scheduler looks up services implementing the Runnable interface with the service-property decanter.collector.name and executes the Runnable periodically. The Scheduler can be configured by editing the file <DDF_HOME>/etc/org.apache.karaf.decanter.scheduler.simple.cfg.

An encrypt security command is provided with DDF to encrypt text. This is useful when displaying password fields to users.

Below is an example of the security:encrypt command used to encrypt the plain text myPasswordToEncrypt.

Because DDF is built on top of Apache Karaf, DDF can use the Karaf Wrapper to run DDF as a service and enable automatic startup and shutdown. When DDF is started using Karaf Wrapper, new wrapper.log and wrapper.log.n (where n goes from 1 to 5 by default) log files will be generated to include wrapper and console specific information.

Because DDF is built on top of Apache Karaf, more information on operating DDF can be found in the Karaf documentation .

For details on any command, type help then the command. For example, help search (see results of this command in the example below).

The help command provides a description of the provided command, along with the syntax in how to use it, arguments it accepts, and available options.

The CQL syntax used with console commands should follow the OGC CQL format. GeoServer provides a description of the grammar and examples in this CQL Tutorial .

Many console commands are available, including DDF commands and the core Karaf console commands. For more information about these core Karaf commands and using the console, see the Commands documentation for Karaf 4.2.9 at Karaf documentation .

For a complete list of all available commands, from the Command Console, press TAB and confirm when prompted.

Console commands follow a format of namespace:command.

To get a list of commands, type in the namespace of the desired extension then press TAB.

For example, type catalog, then press TAB.