The DSS API can be configured through it's DSS properties file. In this file we reference a TSA configuration and a Keystore which can also be configured. Below you can find for each of these options how you can configure these.
DSS Properties
For the DSS API itself we have a .properties file we can configure. Below you can find the curren configuration.
For each deployment type the file is located in a certain folder or configuration.
The contens of this file is the same across the deployment types;
# JDBC database config
datasource.jdbc.enabled = true
datasource.driver.class = org.hsqldb.jdbcDriver
datasource.url = jdbc:hsqldb:mem:testdb
datasource.username = sa
datasource.password =
# Cache config (values in seconds)
cache.expiration = 86400
cache.crl.default.next.update = 600
cache.crl.max.next.update = 10800
cache.ocsp.default.next.update = 60
cache.ocsp.max.next.update = 180
# EU LOTL config
oj.content.keystore.type = PKCS12
oj.content.keystore.filename = keystore.p12
oj.content.keystore.password = dss-password
current.oj.url = https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG
current.lotl.url = https://ec.europa.eu/tools/lotl/eu-lotl.xml
lotl.country.code = EU
# AdES LOTL config
tl.loader.ades.enabled=false
tl.loader.ades.lotlUrl=https://ec.europa.eu/tools/lotl/mra/ades-lotl.xml
tl.loader.ades.keystore.type=PKCS12
tl.loader.ades.keystore.filename=ades/ades-keystore.p12
tl.loader.ades.keystore.password=ks-password
tl.loader.ades.tsl.type=http://ec.europa.eu/tools/lotl/mra/ades-lotl-tsl-type
# Server signing token
dss.server.signing.keystore.type = PKCS12
dss.server.signing.keystore.filename = user_a_rsa.p12
dss.server.signing.keystore.password = password
# TSA
tsp-source = classpath:config/tsp-config.xml
# LOTL/TLs loading
cron.tl.loader.enable = true
cron.initial.delay.tl.loader = 0
cron.delay.tl.loader = 3600000
# File size limit
multipart.maxFileSize = 52428800
multipart.maxInMemorySize = 52428800
# default validation policy (in dss-policy-jaxb/src/main/resources/)
default.validation.policy = policy/constraint.xml
# validation policy for a certificate validation (in dss-policy-jaxb/src/main/resources/)
default.certificate.validation.policy = policy/certificate-constraint.xml
# Custom trusted key store
trusted.source.keystore.type = PKCS12
trusted.source.keystore.filename = keystore.p12
trusted.source.keystore.password = dss-password
# Custom trusted adjacent key store
trusted.source.keystore-intermediate.type = PKCS12
trusted.source.keystore-intermediate.filename = keystore-intermediate.p12
trusted.source.keystore-intermediate.password = dss-password
# CommonsDataLoader configuration (timeouts in milliseconds)
dataloader.connection.timeout = 5000
dataloader.connection.request.timeout = 5000
dataloader.redirect.enabled = true
# Defines a number of secure validation tests to be performed on imported RSA keys (disabled by default, use value '1' or higher to enable)
bc.rsa.max_mr_tests = 0
proxy.http.enabled = false
#proxy.http.host =
#proxy.http.scheme =
#proxy.http.port = 0
#proxy.http.user =
#proxy.http.password =
#proxy.http.exclude =
# e.g.: proxy.http.exclude = test.site.lu, test.website.com
proxy.https.enabled = false
#proxy.https.host =
#proxy.https.scheme =
#proxy.https.port = 0
#proxy.https.user =
#proxy.https.password =
#proxy.https.exclude =
# e.g.: proxy.https.exclude = test.site.lu, test.website.com
cxf.debug = true
cxf.mtom.enabled = true
cookie.secure = false
nexuDownloadUrl=https://github.com/nowina-solutions/nexu/releases/download/nexu-${nexu.version}/nexu-bundle-${nexu.version}.zip
nexuVersion = 1.
nexuUrl=http://localhost:9795
dssVersion = ${project.version}
# https://webgate.ec.europa.eu/tl-browser/# (old link)
tl.browser.root.url = https://eidas.ec.europa.eu/efda/tl-browser/#/screen
# Default digest algo to be checked in the web interface
default.digest.algo = SHA256
# Defines the "SameSite" parameter value for "Set-Cookie" header
web.security.cookie.samesite = strict
# Defines the "X-Content-Security-Policy" header value
web.security.csp = default-src 'self' ${nexuUrl} 'unsafe-inline' data:;
Bare metal
For the Bare metal deployment type the configuration file is embedded in the war file, you can override the configuration via the lib/dss-custom.properties file.
Kubernetes
In kubernetes environment the configuration is loaded via a ConfigMap. This configmap can be found in Kubernetes and can be updated via kubectl and its subcommands.
Standalone
Similar to the Bare metal deployment the properties are embedded in the WAR file. you can override these via the dss-custom.propertiesfile.
This file is located in apache-tomcat-8.5.95/lib/dss-custom.properties
TSA configuration
The TSA configuration file holds information for which TSA server to be used. The configuration looks like the following