Click Enterprise tenant in the Settings menu to access these settings.
Configuration
On the Configuration tab, you can configure various properties for your tenant.
Requirements
APPLICATION ACCESS:
Users must have access to the Administration application of the Enterprise tenant.
ROLES & PERMISSIONS:
To view settings: READ permission for the “Options management” permission type
To manage (create, edit, update) all existing settings: ADMIN permission for the “Options management” permission type
On tenant creation, there are default roles available that can be used as a sample configuration for the above-mentioned permissions:
Tenant Manager - manages tenant-wide configurations like applications, tenant options and retention rules
Info
In some of the properties you can configure email templates for various purposes. Be aware that the corresponding emails are send with “text/html” as content type.
Placeholders
The following placeholders can be found in the Configuration tab:
Placeholder
Description
{host}
The value of this placeholder is “https://” + “<<tenantId>>” + “<<base-domain>>”. For example, if “tenantId” is auto-generated, the host will be https://t12345678.cumulocity.com.
{tenant-domain}
This is the location in which a tenant can be accessed. It is equal to “https://” + “<<tenantDomainName>>”. For example, {tenant-domain} can be https://myTenant.cumulocity.com. In case of an Enterprise tenant, the {tenantDomain} placeholders can have different values. An example tenant domain is https://myTenant.myhost.com.
{token}
An automatically generated system token for password reset purposes. When a user requests a password reset, a new random token will be generated. This token will be associated only with the particular user and will allow for a single password reset action. The standard way of using this placeholder is along with the {tenant-domain} property as “{tenant-domain}?token={token}”.
{email}
Will be replaced with the email address of the recipient user as stored in the user settings. Some views in the UI recognize this parameter and prefill the respective field with this value, for example, during the process of password reset.
{username}
Will be replaced with the value of the username property specified in the user configuration, see User options and settings.
{binaryId}
Will be replaced with the respective binaryId for the binary artefact to be used in the download link.
{exportApi}
Will be replaced with the respective API in which the error occurred.
{size}
Will be replaced with the storage usage percentage value.
Info
The above mentioned placeholders might not be applicable to certain templates. While preparing content, note the information provided in the UI.
Two-factor authentication
Under Two-factor authentication, you can change the SMS template which is sent to the users.
Support link
In the Support link section, you can provide a URL which is then used as default link for the Request support option in the user menu. If you set this value to “false”, then the Request support option in the user menu will be hidden. If you leave the Support link field empty, the URL for the link will be taken from the tenant options. However, an application can override this setting by defining the “supportUrl” application option.
Password reset
In the Password reset section you can change all settings related to password reset email templates.
At the top you can select if you want to allow sending emails to unknown email addresses.
In the Password reset email template fields, provide an email template to be used when the address is known and one to be used when the address is unknown. The link to reset the password might for example be: {tenant-domain}/apps/devicemanagement/index.html?token={token}&email={email}.
In the Email subject field, provide a subject for all password reset related emails.
In the following two fields provide an email template to be used on password change confirmation and a template for the invitation email.
Email server
In the Email server section, you can configure custom email server settings.
In the Protocol and encryption field, select a protocol/encryption type from the dropdown list. May be one of:
SMTP (no encryption): email.protocol=smtp and email.connection.encrypted=false
SMTP (STARTTLS): email.protocol=smtp and email.connection.encrypted=true
SMTPS (SSL/TLS): email.protocol=smtps and email.connection.encrypted=true
Provide the host, port, username, password, and sender address for the email server. The empty password configuration is supported for the Enterprise tenant.
Data export
In the Data export section, you can set the email subject and email template for data export and specify the User unauthorized error message.
Storage limit
In the Storage limit section, you can specify the email subject and email template for emails being send before data is removed on exceeding the storage limit (warning) and after data removal is performed (limit exceeded).
Suspending tenants
In the Suspending tenants section, you can provide settings for emails being send on tenant suspension.
At the top you can select if you want to send the email to the suspended tenant’s administrator and specify an additional email receiver. Below you set the subject and template for the tenant suspended email.
Click Save configuration at the bottom to save your settings.
Info
Some additional configuration settings can be specified globally in the Management tenant. Contact your Operations team for further details.
Branding
With the Branding feature, you can fully customize the look of your tenant to your own preferences.
Requirements
APPLICATION ACCESS:
The branding feature comes as default with the Enterprise tenant and is available in the Administration application.
The branding functionality is enabled by subscribing to the “feature-branding” application.
ROLES & PERMISSIONS:
To manage the branding configuration:
READ, ADMIN, CREATE permission for the “Inventory” permission type
READ, ADMIN permission for the “Options management” permission type
To apply the branding configuration: READ, ADMIN permission for the “Application management” permission type
On tenant creation, there are default roles available that can be used as a sample configuration for the above-mentioned permissions:
Tenant Manager - manages tenant-wide configurations like applications, tenant options and retention rules
To configure branding settings
In the Branding tab, you can configure various parameters like logos, colors and font types used throughout the platform.
The parameters are configured at the left side of the tab while at the right you can immediately see your selections applied to a preview extract.
For a more detailed preview of your settings, click Open preview in the top menu bar to check the look and feel of your branding settings in the overall platform. You may interact and even switch applications in the preview. Every change that you make in the Branding tab will immediately be applied to the Preview page.
When you are done or want to store your settings, click Save at the bottom of the Configuration section to save your branding settings to your tenant.
Saving the settings will not yet apply them to the current tenant and respective subtenants. To do so, click Apply in the top menu bar.
Click Remove branding in the top menu bar to reset the branding of the current tenant and its subtenants to the default settings. The custom settings will still be saved but are no longer applied.
Configuration parameters
In the Configuration section, the following branding parameters can be configured.
General
Under General, you can edit the title which will be used in the browser tab.
Main logo
Under Main logo, specify the following items:
The favicon - will be displayed in the browser’s address bar. Click Choose file to select a file from your file system. The supported favicon format is “ico”.
Your branding logo - will be shown during application loading. Click Choose file to select a file from your file system. The supported formats are “png”, “svg” and “jpg”.
The brand logo height.
Navigator logo
Under Navigator logo you can provide the navigator logo and set the navigator logo height located on top of the navigator panel.
Font
In the Font section you specify the font settings for your branded version.
You can select your base and headings font stack, and select an option for the navigator font stack (either same as base or same as headings font). You may also add a link to existing remote fonts to be used.
Colors
In the Colors section you specify the colors to be used in your branding version.
The following parameters can be specified by providing a hex, rgb or rgba value:
Main brand color.
Secondary brand color - the default value is “#07b91A”.
Dark brand color - mainly used for two-color icons. The default value is “#0B385B”.
Light brand color - mainly used for two-color icons. The default value is “#5FAEEC”.
Text color - the default value is “#444”.
Link color - the default value is the same as the main brand color.
Main background color - the default value for this item is “#FAFAFA”.
Top bar
In the Top bar section you specify the parameters for the top bar.
The following parameters can be specified by providing a hex, rgb or rgba value:
Background color - the default value is “#FFFFFF”.
Text color - the default value is “49595B”.
Button hover text color - the default value is the main brand color.
Navigator
In the Navigator section you specify the parameters for the navigator.
The following parameters can be specified by providing a hex, rgb or rgba value:
Background color - the default value is “#2c3637”.
Logo wrapper background color - the default value is “Transparent”.
Title color - the default value is “#FFFFFF”.
Text and buttons color - the default value is “#FAFAFA”.
Separator line color - the default value is “#FAFAFA”.
Text color of the current item in the navigator - the default value is “#FAFAFA”.
Background color of the current item in the navigator with the main brand color as default.
Misc
In the Misc section you specify the “Button Border-Radius” by providing a value in pixel (px).
Cookie banner
In the Cookie banner section you specify the settings for the banner with the cookie usage information. If not disabled here, the banner is shown for all users of the current tenant and all subtenants until a user clicks Agree and proceed.
Disabling the cookie banner, also disables the product experience tracking by Gainsight for the current tenant and all subtenants.
The following parameters can be specified:
Title - cookie banner title
Text - cookie banner text with a general statement on the cookie usage and the use cases for it
Link to privacy policy - a link to the page with the privacy policy
Domain name
A key feature of the Enterprise tenant is the ability to operate the Cumulocity platform using a custom domain name. This means that you can configure the platform to serve you and your customers using a host name of choice, for example *.iot.mycompany.com rather than the default URL of Cumulocity. In addition you’ll be able to create subtenants
using your domain. These will be using <subtenantName>.iot.mycompany.com as their host names.
Requirements
APPLICATION ACCESS:
The domain management feature comes as default with the Enterprise tenant tenant and is available in the Administration application.
The domain management functionality is enabled by subscribing to the “sslmanagement” microservice.
ROLES & PERMISSIONS:
To upload certificate:
READ, ADMIN permission for the “Inventory” permission type;
READ, ADMIN permission for the “Options management” permission type;
READ, ADMIN permission for the “Application management” permission type;
On tenant creation, there are default roles available that can be used as a sample configuration for the above-mentioned permissions:
Tenant Manager - manages tenant-wide configurations like applications, tenant options and retention rules
PREREQUISITES
There are three prerequisites for using a custom domain:
To activate your domain, a valid license that covers your wildcard domain is required.
Please contact product support to install a license for your domain.
You’ve obtained a valid wildcard SSL certificate for your IoT domain, for
example a certificate for *.iot.mycompany.com.
There is a valid DNS configuration for your domain which ensures that all requests to *.iot.mycompany.com are
routed to Cumulocity. (see below).
SSL CERTIFICATE REQUIREMENTS
The following criteria must be met by any SSL certificate to be used with the Enterprise tenant feature:
The certificate is currently valid and has not expired. More specifically, validFrom points to a point in time in the
past, and validTo to a point in the future.
The certificate has been issued by a well-established certificate authority (CA). Self-signed certificates are
explicitly not supported.
The certificate is a wildcard certificate issued for your domain *.iot.mycompany.com. The use of a wildcard
certificate is mandatory, as it will also be used for subdomains created from your Enterprise tenant.
Every single certificate in the chain is provided using the X509 format.
The common name (CN) in the subject of the primary certificate (the first one in the chain) holds the value of your
wildcard domain name, for example, “CN=*.iot.mycompany.com”.
Cumulocity supports a single certificate that is signed by the root CA, as well as a full chain certificate which
contains one or more intermediate certificates.
Info
The custom domain name functionality is only available for Cumulocity cloud installations or on-prem installations which don’t use a custom load balancer.
To package the SSL certificate in PKCS #12
In order to use an SSL certificate with Cumulocity, the certificate together with its private key must be uploaded to the platform in a single file, using the PKCS #12 file format.
Most certificate authorities deliver their certificates and corresponding private keys in the PEM file format, using two
separate text files for the certificate chain and the private key. Make sure that the private key is not
protected with a password/passphrase.
Such PEM files can easily be repackaged into #PKCS #12 using OpenSSL. In the following
example, OpenSSL is used to combine a certificate chain (chain.cert) and the corresponding key (privkey.pem) into a
PKCS #12 keystore file (out_keystore.p12) that can be used with Cumulocity.
The DNS entries for your custom domain must be configured in a way that all requests are routed to the Cumulocity platform.
We strongly recommend you to use a wildcard CNAME entry for this purpose. The CNAME must contain your wildcard
domain from the certificate in the NAME field. The VALUE field of the CNAME entry must point to the hostname of Cumulocity. This target hostname can be easily determined by looking at your current tenant URL. If your tenant URL
is http://mytenant.cumulocity.com, the target hostname is mytenant.cumulocity.com. Please also make sure to delete any
conflicting A entries.
Example:
If you want to use *.iot.mycompany.com for your enterprise subtenants and if you’re using the Cumulocity at mytenant.cumulocity.com, the following CNAME entry must be added to your DNS zone:
NAME TYPE VALUE
----------------------------------------------------
*.iot.mycompany.com. CNAME mytenant.cumulocity.com.
We highly discourage any use of alternative DNS configurations for the following reasons:
Wildcard A entries take the IP address of the platform in the value field and hence redirect all requests based on
the given IP rather than a hostname. This results in major problems if the IP address of the IoT platform should
change in the future.
Singular A entries or singular CNAME entries instead of DNS wild cards require a single DNS entry for each
enterprise domain being created. This is very error prone and prevents the creation of subtenants without always
tampering with DNS settings.
To upload the certificate and activate your domain
Once the DNS configuration is in place and if a certificate with the given requirements is available, it can be easily
uploaded to the platform.
On the Domain name tab in the Enterprise tenant page, click Upload certificate. Select the certificate from your file system and click Upload.
Afterwards, you can activate the domain with a single click on its name. After the domain has been activated, you will be redirected
to your Enterprise tenant using the new domain name. You will also receive an email with information about the
activation. Note that your Management tenant domain name is static, for example, if your wildcard domain is “*
.iot.mycompany.com” then your Management tenant domain will be “management.iot.mycompany.com”.
Info
After the activation is completed you will no longer be able to access your tenant with the Cumulocity domain name. Instead, use your custom domain name.
To update your certificate
When your certificate expires, you must update your certificate with a new one with an extended validation period. When updating a certificate, you must make sure that the certificate meets the following requirements:
It is valid, like when being uploaded for the first time.
It is currently valid (validFrom in the past and validTo in the future).
It has exactly the same common name (domain name) as the currently active certificate.
Info
Keep in mind that after replacing the certificate it may take some minutes until the new certificate has been delivered to the users/browsers.
To deactivate your certificate
If you wish to return to your old domain at Cumulocity, you can simply deactivate you certificate.
Important
Use with care. Your customers will not be able to access their subtenants anymore.
Troubleshooting
In case you cannot reach Cumulocity using your custom domain, we recommend you to perform the following checks to verify your DNS setup.
Check if the DNS entry is correct
Execute the following command:
host management.<your domain name>
The following result should be returned:
management.<your domain name> is an aliasfor <instance domain name>
<instance domain name> has address <ip address>