Changing Graph Studio Server Settings

This topic provides instructions for changing the Graph Studio server settings. To access the settings, expand the Servers menu in the Administration application and click Server Settings.

You can have one option open for editing at a time. If you are in the process of modifying an option and have not saved the changes, all other Edit buttons are disabled until you save or cancel the changes.

After changing any of the server settings, you must restart Graph Studio to apply the change.

Change the sysadmin Password
Change the Server's Hostname
Set the Default Graphmart File Connection
Configure the Vault Options
Configure Login Blocking
Regenerate the Server Secret
Change the Application Ports
Configure an Email Server
Change the Application Home Page URLs
Change the HTTP Session Timeout
Configure User Settings
Enable or Disable the SPARQL Endpoint
Change the URI Prefix
Configure Global Prefixes
Set the Version Environment Variable
Configure DU Cluster Network Connections

Change the sysadmin Password

To change the system administrator (sysadmin) password, expand the Administrator option and click Edit.

Type the new password in the Password and Confirm Password fields. Then click Save.

Change the Server's Hostname

Set the Default Graphmart File Connection

Configure the Vault Options

Graph Studio can be integrated with an external secret store (vault) such as HashiCorp Vault, where passwords and other credentials can be stored externally to the application, so it does not have to maintain those secure credentials. With such integration in place, Graph Studio Server Settings include the Vault configuration:

The administrators of the users' machines are responsible for setting up access to the external vault interface. For a new install of Graph Studio, a file called vault.config needs to be created under the install directory Server/data, which contains the properties needed to use the external vault. Here is an example of the contents of the vault.config file:

	org.openanzo.security.vault.vaultBasePath=anzodssd
        org.openanzo.security.vault.vaultType=Hashicorp
        org.openanzo.security.vault.vaultUrl=http://127.0.0.1:8200
        #org.openanzo.security.vault.vaultUrl=unix://[work/vault-agent/vault.socket]
        org.openanzo.security.vault.vaultToken=*****

There are multiple ways to connect to an external vault. The above example shows the use of a URL and a token, which are usually provided by the administrators of the vault system.

Another common way for the application to access the vault is to run a local agent called the Vault agent on the host server for Graph Studio. The agent maintains the connection to Hashicorp, the tokens and the authentication. The Graph Studio application connects to the Vault agent either via a local IP or a Unix domain socket.

Once the configuration file is saved and Graph Studio is installed, the server will detect the file and configure the application with the specified settings.

From the Vault entry in the Server Settings, the admin user can configure the same properties that are specified in the vault.config file, as well as the path to the file itself. Expand the Vault option to view or edit these properties.

Click the EDIT button to edit the settings.

In addition to the parameters described above, the Vault Token File parameter is provided for the case where a Kubernetes or Helm spin-up would involve a vault token that a startup process would write to a file, and Graph Studio would read it at start time. The option Vault Delete Token File can be used to delete that file after it has been read, so the next time you start the application, the scripts would write the token file again.

Regular Graph Studio server has credentials like the admin password and connection passwords stored inside the Graph Studio journal. Using a vault, you can move those values into the vault using the Store All Encrypted Values in Vault button. It looks through the Graph Studio journal, finds all the encrypted values, moves them over into the vault, and changes the references to point to those vault values.

If you choose to store all encrypted values in vault, when managing all such values (connection credentials, etc.) in the corresponding Graph Studio interface you will be able to choose to store them locally inside the Graph Studio journal or to store them in the vault under one of managed config objects. You will also be able to use the option "Use Stored Password" to pick the value from the vault to use as your password.

Configure Login Blocking

Regenerate the Server Secret

Cambridge Semantics recommends that you back up the current Graph Studio installation before regenerating the secret. Regenerating the secret requires a restart of Graph Studio.

To change the password for the Graph Studio key and trust stores, expand the Regenerate Secret option.
Click the Regenerate Secret button. Review the confirmation message that is displayed (shown below) and click Yes to generate a new secret.
Graph Studio generates the new secret and presents a dialog box that displays the encrypted secret to copy. For example:
Make sure you copy the secret because it is not possible to view again.
If you regenerated the secret on a server where the Graph Studio Admin CLI is used, the secret also needs to be changed in the ~/.anzo/settings.trig file for the Graph Studio service user. To replace the secret in settings.trig, follow these steps:
1. Open ~/.anzo/settings.trig for editing.
2. Locate the system:keystorePassword and system:truststorePassword properties.
3. Replace both the object values for both properties with the secret that was copied in step 3. Replace only the content between the quotation marks as shown below:
```
system:keystorePassword "<new_secret>"^^anzo:password ;
system:truststorePassword "<new_secret>"^^anzo:password ;
```
4. Save and close settings.trig.
Restart Graph Studio to apply the new secret.

Change the Application Ports

To change, enable, or disable the Graph Studio server application ports, expand the Ports option and click Edit.

Change the values in the Port fields to specify alternate port numbers. To enable or disable a port, move the slider next to the application name to the left or right. The list below describes the settings:

The fields at the top of the screen specify the Graph Studio server ports. By default, the Graph Studio and Graph Studio SSL ports are enabled. If you want to disable one of the ports, click the Enabled drop down list and select the option that you want to leave enabled. To change port numbers, click in the Port field and specify the port.
The Application and Application SSL ports are the HTTP and HTTPS client application ports.
The Auxiliary and Auxiliary SSL ports are the HTTP and HTTPS Administration client ports.

For information about managing the certificates to use for the SSL ports, see Replacing the Self-Signed Certificate.

Configure an Email Server

To configure an SMTP server for sending email, expand Email Server Configuration and click Edit.

Host Name is the host name or IP address for the SMTP server.
Port is the port for the connection.
If the email server is configured for SSL authentication, select the Use SSL checkbox to enable SSL authentication.
Specify the Username and Password to use for authentication.

Click Save to save the changes.

Change the Application Home Page URLs

To change the home page path for the Graph Studio and Administration application URLs, expand Home Pages and click Edit.

The Admin Home Page is the home page path for the Administration application.
The Application Home Page is the home page path for the Graph Studio application.

Click Save to save the changes.

Change the HTTP Session Timeout

To configure the HTTP session timeout value, expand HTTP Session Management and click Edit.

Click the Session Timeout drop-down list and select the timeout value. Then click Save to save the change.

Configure User Settings

Allow Anonymous Access

Before enabling anonymous access, consider the following security implications:

Anonymous User Permissions
Anonymous User Limitations
Important Considerations

Anonymous User Permissions

When anonymous access is enabled:

The server allows any user to connect to the Hi-Res Analytics application without a username and password. A user can connect to without having an account in Graph Studio.
Anonymous users are considered members of the Everyone role. Anonymous users can view artifacts that are shared as readable by Everyone.

Anonymous User Limitations

Anonymous users cannot:

Add, delete, or modify data. Anonymous users cannot write or delete data even if the Everyone role has write or delete access.
Change permissions on the artifacts in Graph Studio. Anonymous users cannot change the Sharing or Security tab settings for any artifacts even if the Everyone role has write or delete access to an artifact's metadata.

Important Considerations

This section lists important ideas to consider before enabling anonymous access.

Consider existing access control: User permissions might have been previously configured without anticipating that other users could have anonymous access. Before enabling anonymous access, consider that data that is viewable by the Everyone role becomes visible to anonymous users. You might need to change the permissions for existing data, such as by granting read access to the Authenticated Users role instead of the Everyone role. For more information about permissions, see Predefined Graph Studio Roles and Permissions.
Consider server network protections: Consider that anyone who can reach the server via the network will be able to use it as an anonymous user. Evaluate firewalls and other network protection mechanisms to limit access to the Graph Studio server as desired. For example, you might want to allow anonymous access to anyone inside your organization's internal network but disable access to the server from the public internet.
Anonymous access can be useful: Allowing anonymous access makes it easy to share data and views of data with others. For example, it means that you can share your Hi-Res Analytics dashboards with people who do not have a user account. It also lets you embed read-only interactive Hi-Res Analytic views inside other websites.

Enable or Disable the SPARQL Endpoint

If you want to enable or disable the Graph Studio SPARQL endpoint, select or clear the Enable SPARQL Endpoint checkbox.

Change the URI Prefix

To change the prefix that Graph Studio uses when generating URIs, type the new value in the URI Prefix field. The URI Prefix is mostly used for consistency in internal data, but it is also used by default for data model URI prefixes when the model does not define the URI template to use. When changing the URI Prefix, make sure that the value is a valid prefix. See Relative IRIs in the SPARQL Query Language specification for more information.

To enable or disable the Graph Studio SPARQL endpoint or customize the URI prefix that Graph Studio generates for data identifiers, expand Data Interchange and click Edit.

Configure Global Prefixes

The Global Prefix Manager stores standard prefixes and any custom prefixes that you want Graph Studio to recognize globally. Defining global prefixes creates shortcuts for inserting the prefixes in Query Builder and data layer queries. To manage global prefixes, expand Global Prefix Manager.

To add a prefix, click Add Prefix. Graph Studio opens the Create Prefix dialog box. In the Prefix field, specify the abbreviation that you want to use to represent the URI. In the Prefix URI field, specify the full, valid URI. For example:

Click Save to save the definition. To use global prefix shortcuts in the Graph Studio application, type "prefix" followed by a space in the Query Builder or a Query Step to open a tooltip that lists the global prefixes. For example:

Clicking a prefix inserts a PREFIX statement into the query. In addition, typing the abbreviation for a global prefix followed by a colon (:) automatically inserts the PREFIX statement into the query without opening the tooltip. For example, typing ex: inserts a statement for the prefix that was defined in the example above.

Set the Version Environment Variable

To change the variable value for the Version Environment tag that is displayed at the top of the Graph Studio application and that Graph Studio adds to archived versions of entities, expand Versioning and click Edit.

Edit the value in the Versioning Environment field and click Save. The images below show examples of the version tags that are controlled by the Versioning Environment setting. This image shows the version at the top of the Graph Studio application:

For artifact versions, the black rectangles in the image below highlight the areas where the environment version variable value is displayed:

Configure DU Cluster Network Connections

These settings configure the connection from the worker nodes back to the leader node. For instructions on connecting the leader to Graph Studio, see Connecting to a Distributed Unstructured Cluster.

To change the network settings, expand Distributed Pipeline and click Edit.

If the Kubernetes infrastructure is set up to deploy Anzo Unstructured clusters on-demand, you do not need to configure these settings. For information about Kubernetes-based deployments, see Kubernetes Requirements.

Modify the settings as needed:

Distributed Pipeline Client Hostname: The hostname or IP address for the leader instance.
The value must be a routable IP address or hostname. If the leader node is installed on the Graph Studio host server, specify the IP address or hostname of the server. Do not use 127.0.0.1 or localhost.
Distributed Pipeline Primary Seednode: The IP address and port for the leader instance. By default the leader port is 2551.
Distributed Pipeline Callback Hostname: The hostname or IP address for the instance. Typically this is the same value as the Distributed Pipeline Client Hostname.

Click Save to save the changes.