Configuration Reference
This page is a complete reference for all Cirata Symphony configuration files and their fields. For instructions on editing and backing up configuration, see the Operations guide.
symphony.config
The main application configuration file. JSON format.
Naming
Controls how Symphony identifies itself in the UI and API responses.
| Key | Default | Description |
|---|---|---|
| naming.product | Cirata Symphony | Full product name displayed in the UI |
| naming.short | Symphony | Short product name used in compact contexts |
| naming.byline | The data orchestration foundation for enterprise AI | Tagline displayed on the login page |
| naming.support_contact | support@cirata.com | Support contact (typically an email address) shown on the About page |
Network
| Key | Default | Description |
|---|---|---|
| network.uiport | 8080 | Internal HTTP port for the UI and API server |
The external hostname is not stored in symphony.config—it is embedded in the Symphony account JWT that is generated during initial setup. To change the external hostname, a fresh setup is required.
OIDC Authentication
Controls the OpenID Connect provider used for user authentication.
| Key | Description |
|---|---|
| oidc.issuer | OIDC issuer domain and path (no https:// prefix—Symphony adds it automatically) |
| oidc.clientid | OIDC client ID for the API (confidential client, no login flow) |
| oidc.uiclientid | OIDC client ID for the UI (public client, authorization code flow) |
| oidc.clientsecret | Client secret for the API client (optional, for confidential clients) |
| oidc.uiclientsecret | Client secret for the UI client (optional, for confidential UI clients) |
| oidc.tls_skip_verify | When true, skip TLS certificate verification for the OIDC provider. Can be set via the setup wizard's Disable TLS Verification switch. |
These values are initially set during the setup wizard using the OIDC_ISSUER, OIDC_CLIENTID, OIDC_UICLIENTID, OIDC_CLIENTSECRET, and OIDC_UICLIENTSECRET environment variables as defaults. The tls_skip_verify setting can be configured via the setup wizard or the OIDC_TLS_SKIP_VERIFY environment variable.
Role-Based Access Control (RBAC)
| Key | Default | Description |
|---|---|---|
| rbac.groups_claim | groups | Name of the JWT claim that contains group/role membership |
| rbac.default_role | viewer | Role assigned to newly created user accounts |
| rbac.admin_group | "" | OIDC group name that grants administrator access |
| rbac.admin_subject | "" | OIDC subject (user ID) that grants administrator access |
| rbac.bootstrap | false | When true, all authenticated users are treated as administrators |
For a complete guide to RBAC configuration, see Role-Based Access Control.
Storage
| Key | Description |
|---|---|
| storage.salt | Cryptographic salt used for HMAC signing and token hashing. Auto-generated during setup (minimum 32 characters). Do not change after initial setup—existing tokens will become invalid. |
Internal Identities
Auto-generated cryptographic material for Symphony's internal messaging identity. Do not modify these values—they are created during initial setup and are required for operation.
| Key | Purpose |
|---|---|
| symphony.jwt | Symphony account JWT |
| symphony.seed | Symphony account seed |
| symphony.signingseed | Symphony account signing seed |
| operator.jwt | Operator JWT |
| operator.seed | Operator seed |
| operator.signingseed | Operator signing seed |
If these values are lost or corrupted, Symphony will not start. Restore them from a backup or perform a fresh setup.
Full Example
{
  "logfile": "/var/lib/symphony/log/nats.log",
  "naming": {
    "product": "Cirata Symphony",
    "short": "Symphony",
    "byline": "The data orchestration foundation for enterprise AI"
  },
  "network": {
    "uiport": 8080
  },
  "oidc": {
    "issuer": "auth.example.com/realms/symphony",
    "clientid": "symphony-api",
    "uiclientid": "symphony-ui"
  },
  "symphony": {
    "jwt": "eyJ0eXAiOiJKV1QiLC...",
    "seed": "SAAB...",
    "signingseed": "SAAB..."
  },
  "operator": {
    "jwt": "eyJ0eXAiOiJKV1QiLC...",
    "seed": "SOAB...",
    "signingseed": "SOAB..."
  },
  "storage": {
    "salt": "a-random-string-at-least-32-characters-long"
  },
  "rbac": {
    "groups_claim": "groups",
    "default_role": "viewer",
    "admin_group": "",
    "admin_subject": ""
  }
}
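A pre-start audit of the security-relevant keys documented above, written as an added example rather than Cirata tooling. The function name `audit_symphony_config`, the severity labels, and the sample values are assumptions made for illustration.

```python
import json

# Keys listed under "Internal Identities"; the page states Symphony will not start without them.
IDENTITY_KEYS = [(s, k) for s in ("symphony", "operator")
                 for k in ("jwt", "seed", "signingseed")]

def audit_symphony_config(text):
    """Return (severity, key, message) findings for the text of a symphony.config file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", "symphony.config", f"not valid JSON: {exc.msg} (line {exc.lineno})")]
    if not isinstance(cfg, dict):
        return [("error", "symphony.config", "top level is not a JSON object")]

    def section(name):
        # Treat a missing or malformed section as empty so each check still runs.
        value = cfg.get(name)
        return value if isinstance(value, dict) else {}

    findings = []
    if section("oidc").get("tls_skip_verify") is True:
        findings.append(("high", "oidc.tls_skip_verify", "OIDC provider certificate is not verified"))
    if "://" in str(section("oidc").get("issuer", "")):
        findings.append(("error", "oidc.issuer", "must not include a scheme; Symphony adds https://"))
    if section("rbac").get("bootstrap") is True:
        findings.append(("high", "rbac.bootstrap", "every authenticated user is an administrator"))
    if len(str(section("storage").get("salt", ""))) < 32:
        findings.append(("error", "storage.salt", "shorter than the 32-character minimum"))
    for name, key in IDENTITY_KEYS:
        if not section(name).get(key):
            findings.append(("error", f"{name}.{key}", "missing; Symphony will not start"))
    return findings

# Constructed sample (not a real deployment): five deliberate problems, placeholder identities.
SAMPLE = json.dumps({
    "oidc": {"issuer": "https://auth.example.com/realms/symphony",
             "clientid": "symphony-api", "uiclientid": "symphony-ui",
             "tls_skip_verify": True},
    "rbac": {"groups_claim": "groups", "default_role": "viewer", "bootstrap": True},
    "storage": {"salt": "too-short"},
    "symphony": {"jwt": "PLACEHOLDER", "seed": "PLACEHOLDER", "signingseed": "PLACEHOLDER"},
    "operator": {"jwt": "PLACEHOLDER", "seed": "PLACEHOLDER"},
})

if __name__ == "__main__":
    for severity, key, message in audit_symphony_config(SAMPLE):
        print(f"{severity:5} {key}: {message}")
```

Running it against the file before a restart also catches JSON syntax slips such as a trailing comma, which are reported as a single `symphony.config` error.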
nats.config
Configures the embedded NATS messaging server. Uses the NATS server configuration format. Most values are generated during setup and should not be changed.
Tunable Settings
| Key | Default | Description |
|---|---|---|
| host | 0.0.0.0 | Network interface to listen on |
| port | 4222 | NATS client port |
| websocket.port | 9222 | WebSocket port for browser connections |
| jetstream.max_mem | 1G | Maximum memory for JetStream in-memory storage. The CDN cache draws from this budget when the dependency resolution mode is Proxy or Mixed; not consumed by Bundle-only mode. |
| jetstream.max_file | 1G | Maximum disk space for JetStream file-based storage |
| debug | false | Enable NATS debug logging (commented out by default) |
| trace | false | Enable NATS protocol trace logging |
| trace_verbose | false | Enable verbose NATS protocol tracing |
| tls.cert_file | (unset) | Path to PEM-encoded server certificate. Enables TLS when set with tls.key_file. |
| tls.key_file | (unset) | Path to PEM-encoded private key |
| tls.ca_file | (unset) | Path to CA certificate for client verification (optional) |
| tls.timeout | 5 | TLS handshake timeout in seconds |
The TLS settings in nats.config are generated automatically from the NATS_TLS_CERT, NATS_TLS_KEY, and NATS_TLS_CA environment variables. When TLS is enabled, all connections to the NATS port must use TLS.
Auto-Generated Settings (Do Not Modify)
- operator—Operator JWT for the NATS resolver
- system_account—System account public key
- resolver—Full account resolver configuration
- resolver_preload—Preloaded system and Symphony account JWTs
Configuration Directory
The configuration directory location depends on the deployment method:
| Deployment | Path |
|---|---|
| Linux (systemd) | /var/lib/symphony/ |
| RPM (systemd) | /var/lib/symphony/ |
| Docker Compose | /config/ inside the symphony container |
| Kubernetes | /config/ on the PersistentVolumeClaim |
Directory Contents
| File | Format | Purpose |
|---|---|---|
| symphony.config | JSON | Application configuration |
| nats.config | NATS config | Embedded messaging server configuration |
| log/ | Directory | Log files for Symphony and the messaging server |
| accounts/ | Directory | Account JWTs for the messaging server resolver |
| storage/ | Directory | JetStream data (key-value stores, streams) |
See Also
- Role-Based Access Control—Configuring roles and permissions
- Troubleshooting—Diagnosing common issues