Cumulocity IoT documentation Enterprise tenant Customizing your platform

Customizing your platform

With the Enterprise tenant of Cumulocity IoT, you can customize your platform in various aspects and according to your requirements.

Apart from various configuration settings, you can use your individual branding and your individual domain name.

Click Enterprise tenant in the Settings menu to access these settings.

Configuration

On the Configuration tab, you can configure various properties for your tenant.

Requirements

APPLICATION ACCESS:

Users must have access to the Administration application of the Enterprise tenant.

ROLES & PERMISSIONS:

To view settings: READ permission for the “Options management” permission type
To manage (create, edit, update) all existing settings: ADMIN permission for the “Options management” permission type

On tenant creation, there are default roles available that can be used as a sample configuration for the above-mentioned permissions:

Tenant Manager - manages tenant-wide configurations like applications, tenant options and retention rules

Info

In some of the properties you can configure email templates for various purposes. Be aware that the corresponding emails are send with “text/html” as content type.

Placeholders

The following placeholders can be found in the Configuration tab:

Placeholder	Description
{host}	The value of this placeholder is “https://” + “<<tenantId>>” + “<<base-domain>>”. For example, if “tenantId” is auto-generated, the host will be `https://t12345678.cumulocity.com`.
{tenant-domain}	This is the location in which a tenant can be accessed. It is equal to “https://” + “<<tenantDomainName>>”. For example, {tenant-domain} can be `https://myTenant.cumulocity.com`. In case of an Enterprise tenant, the {tenantDomain} placeholders can have different values. An example tenant domain is `https://myTenant.myhost.com`.
{token}	An automatically generated system token for password reset purposes. When a user requests a password reset, a new random token will be generated. This token will be associated only with the particular user and will allow for a single password reset action. The standard way of using this placeholder is along with the {tenant-domain} property as “{tenant-domain}?token={token}”.
{email}	Will be replaced with the email address of the recipient user as stored in the user settings. Some views in the UI recognize this parameter and prefill the respective field with this value, for example, during the process of password reset.
{username}	Will be replaced with the value of the username property specified in the user configuration, see User options and settings.
{binaryId}	Will be replaced with the respective `binaryId` for the binary artefact to be used in the download link.
{exportApi}	Will be replaced with the respective API in which the error occurred.
{size}	Will be replaced with the storage usage percentage value.

Info

The above mentioned placeholders might not be applicable to certain templates. While preparing content, note the information provided in the UI.

Two-factor authentication

Under Two-factor authentication, you can change the SMS template which is sent to the users.

Support link

In the Support link section, you can provide a URL which is then used as default link for the Request support option in the user menu. If you set this value to “false”, then the Request support option in the user menu will be hidden. If you leave the Support link field empty, the URL for the link will be taken from the tenant options. However, an application can override this setting by defining the “supportUrl” application option.

Password reset

In the Password reset section you can change all settings related to password reset email templates.

At the top you can select if you want to allow sending emails to unknown email addresses.

In the Password reset email template fields, provide an email template to be used when the address is known and one to be used when the address is unknown. The link to reset the password might for example be: {tenant-domain}/apps/devicemanagement/index.html?token={token}&email={email}.

In the Email subject field, provide a subject for all password reset related emails.

In the following two fields provide an email template to be used on password change confirmation and a template for the invitation email.

Email server

In the Email server section, you can configure custom email server settings.

In the Protocol and encryption field, select a protocol/encryption type from the dropdown list. May be one of:

SMTP (no encryption): email.protocol=smtp and email.connection.encrypted=false
SMTP (STARTTLS): email.protocol=smtp and email.connection.encrypted=true
SMTPS (SSL/TLS): email.protocol=smtps and email.connection.encrypted=true

Provide the host, port, username, password, and sender address for the email server. The empty password configuration is supported for the Enterprise tenant.

Data export

In the Data export section, you can set the email subject and email template for data export and specify the User unauthorized error message.

Storage limit

In the Storage limit section, you can specify the email subject and email template for emails being send before data is removed on exceeding the storage limit (warning) and after data removal is performed (limit exceeded).

Suspending tenants

In the Suspending tenants section, you can provide settings for emails being send on tenant suspension.

At the top you can select if you want to send the email to the suspended tenant’s administrator and specify an additional email receiver. Below you set the subject and template for the tenant suspended email.

Click Save configuration at the bottom to save your settings.

Info

Some additional configuration settings can be specified globally in the Management tenant. Contact your Operations team for further details.

Branding

With the Branding feature, you can fully customize the look of your tenant to your own preferences.

Requirements

APPLICATION ACCESS:

The branding feature comes as default with the Enterprise tenant and is available in the Administration application.

The branding functionality is enabled by subscribing to the “feature-branding” application.

ROLES & PERMISSIONS:

To manage the branding configuration:
- READ, ADMIN, CREATE permission for the “Inventory” permission type
- READ, ADMIN permission for the “Options management” permission type
To apply the branding configuration: READ, ADMIN permission for the “Application management” permission type

On tenant creation, there are default roles available that can be used as a sample configuration for the above-mentioned permissions:

Tenant Manager - manages tenant-wide configurations like applications, tenant options and retention rules

To configure branding settings

In the Branding tab, you can configure various parameters like logos, colors and font types used throughout the platform.

The parameters are configured at the left side of the tab while at the right you can immediately see your selections applied to a preview extract.

For a more detailed preview of your settings, click Open preview in the top menu bar to check the look and feel of your branding settings in the overall platform. You may interact and even switch applications in the preview. Every change that you make in the Branding tab will immediately be applied to the Preview page.

When you are done or want to store your settings, click Save at the bottom of the Configuration section to save your branding settings to your tenant.

Saving the settings will not yet apply them to the current tenant and respective subtenants. To do so, click Apply in the top menu bar.

Click Remove branding in the top menu bar to reset the branding of the current tenant and its subtenants to the default settings. The custom settings will still be saved but are no longer applied.

Configuration parameters

In the Configuration section, the following branding parameters can be configured.

General

Under General, you can edit the title which will be used in the browser tab.

Main logo

Under Main logo, specify the following items:

The favicon - will be displayed in the browser’s address bar. Click Choose file to select a file from your file system. The supported favicon format is “ico”.
Your branding logo - will be shown during application loading. Click Choose file to select a file from your file system. The supported formats are “png”, “svg” and “jpg”.
The brand logo height.

Navigator logo

Under Navigator logo you can provide the navigator logo and set the navigator logo height located on top of the navigator panel.

Font

In the Font section you specify the font settings for your branded version.

You can select your base and headings font stack, and select an option for the navigator font stack (either same as base or same as headings font). You may also add a link to existing remote fonts to be used.

Colors

In the Colors section you specify the colors to be used in your branding version.

The following parameters can be specified by providing a hex, rgb or rgba value:

Main brand color.
Secondary brand color - the default value is “#07b91A”.
Dark brand color - mainly used for two-color icons. The default value is “#0B385B”.
Light brand color - mainly used for two-color icons. The default value is “#5FAEEC”.
Text color - the default value is “#444”.
Link color - the default value is the same as the main brand color.
Main background color - the default value for this item is “#FAFAFA”.

Top bar

In the Top bar section you specify the parameters for the top bar.

The following parameters can be specified by providing a hex, rgb or rgba value:

Background color - the default value is “#FFFFFF”.
Text color - the default value is “49595B”.
Button hover text color - the default value is the main brand color.

Navigator

In the Navigator section you specify the parameters for the navigator.

The following parameters can be specified by providing a hex, rgb or rgba value:

Background color - the default value is “#2c3637”.
Logo wrapper background color - the default value is “Transparent”.
Title color - the default value is “#FFFFFF”.
Text and buttons color - the default value is “#FAFAFA”.
Separator line color - the default value is “#FAFAFA”.
Text color of the current item in the navigator - the default value is “#FAFAFA”.
Background color of the current item in the navigator with the main brand color as default.

Misc

In the Misc section you specify the “Button Border-Radius” by providing a value in pixel (px).

In the Cookie banner section you specify the settings for the banner with the cookie usage information. If not disabled here, the banner is shown for all users of the current tenant and all subtenants until a user clicks Agree and proceed.

Disabling the cookie banner, also disables the product experience tracking by Gainsight for the current tenant and all subtenants.

The following parameters can be specified:

Title - cookie banner title
Text - cookie banner text with a general statement on the cookie usage and the use cases for it
Link to privacy policy - a link to the page with the privacy policy

Domain name

A key feature of the Enterprise tenant is the ability to operate the Cumulocity IoT platform using a custom domain name. This means that you can configure the platform to serve you and your customers using a host name of choice, for example *.iot.mycompany.com rather than the default URL of Cumulocity IoT. In addition you’ll be able to create subtenants using your domain. These will be using <subtenantName>.iot.mycompany.com as their host names.

Requirements

APPLICATION ACCESS:

The domain management feature comes as default with the Enterprise tenant tenant and is available in the Administration application.

The domain management functionality is enabled by subscribing to the “sslmanagement” microservice.

ROLES & PERMISSIONS:

To upload certificate:
- READ, ADMIN permission for the “Inventory” permission type;
- READ, ADMIN permission for the “Options management” permission type;
- READ, ADMIN permission for the “Application management” permission type;

On tenant creation, there are default roles available that can be used as a sample configuration for the above-mentioned permissions:

Tenant Manager - manages tenant-wide configurations like applications, tenant options and retention rules

PREREQUISITES

There are three prerequisites for using a custom domain:

To activate your domain, a valid license that covers your wildcard domain is required. Please contact product support to install a license for your domain.
You’ve obtained a valid wildcard SSL certificate for your IoT domain, for example a certificate for *.iot.mycompany.com.
There is a valid DNS configuration for your domain which ensures that all requests to *.iot.mycompany.com are routed to Cumulocity IoT. (see below).

SSL CERTIFICATE REQUIREMENTS

The following criteria must be met by any SSL certificate to be used with the Enterprise tenant feature:

The certificate is currently valid and has not expired. More specifically, validFrom points to a point in time in the past, and validTo to a point in the future.
The certificate has been issued by a well-established certificate authority (CA). Self-signed certificates are explicitly not supported.
The certificate is a wildcard certificate issued for your domain *.iot.mycompany.com. The use of a wildcard certificate is mandatory, as it will also be used for subdomains created from your Enterprise tenant.
Every single certificate in the chain is provided using the X509 format.
The common name (CN) in the subject of the primary certificate (the first one in the chain) holds the value of your wildcard domain name, for example, “CN=*.iot.mycompany.com”.

Cumulocity IoT supports a single certificate that is signed by the root CA, as well as a full chain certificate which contains one or more intermediate certificates.

Info

The custom domain name functionality is only available for Cumulocity IoT cloud installations or on-prem installations which don’t use a custom load balancer.

To package the SSL certificate in PKCS #12

In order to use an SSL certificate with Cumulocity IoT, the certificate together with its private key must be uploaded to the platform in a single file, using the PKCS #12 file format.

Most certificate authorities deliver their certificates and corresponding private keys in the PEM file format, using two separate text files for the certificate chain and the private key. Make sure that the private key is not protected with a password/passphrase.

Such PEM files can easily be repackaged into #PKCS #12 using OpenSSL. In the following example, OpenSSL is used to combine a certificate chain (chain.cert) and the corresponding key (privkey.pem) into a PKCS #12 keystore file (out_keystore.p12) that can be used with Cumulocity IoT.

openssl pkcs12 -export -out out_keystore.p12 -inkey privkey.pem -in cert.pem -certfile chain.pem

DNS requirements for enterprise domains

The DNS entries for your custom domain must be configured in a way that all requests are routed to the Cumulocity IoT platform.

We strongly recommend you to use a wildcard CNAME entry for this purpose. The CNAME must contain your wildcard domain from the certificate in the NAME field. The VALUE field of the CNAME entry must point to the hostname of Cumulocity IoT. This target hostname can be easily determined by looking at your current tenant URL. If your tenant URL is http://mytenant.cumulocity.com, the target hostname is mytenant.cumulocity.com. Please also make sure to delete any conflicting A entries.

Example:

If you want to use *.iot.mycompany.com for your enterprise subtenants and if you’re using the Cumulocity IoT at mytenant.cumulocity.com, the following CNAME entry must be added to your DNS zone:

NAME                   TYPE   VALUE
----------------------------------------------------
*.iot.mycompany.com.   CNAME  mytenant.cumulocity.com.

We highly discourage any use of alternative DNS configurations for the following reasons:

Wildcard A entries take the IP address of the platform in the value field and hence redirect all requests based on the given IP rather than a hostname. This results in major problems if the IP address of the IoT platform should change in the future.
Singular A entries or singular CNAME entries instead of DNS wild cards require a single DNS entry for each enterprise domain being created. This is very error prone and prevents the creation of subtenants without always tampering with DNS settings.

To upload the certificate and activate your domain

Once the DNS configuration is in place and if a certificate with the given requirements is available, it can be easily uploaded to the platform.

On the Domain name tab in the Enterprise tenant page, click Upload certificate. Select the certificate from your file system and click Upload.

Afterwards, you can activate the domain with a single click on its name. After the domain has been activated, you will be redirected to your Enterprise tenant using the new domain name. You will also receive an email with information about the activation. Note that your Management tenant domain name is static, for example, if your wildcard domain is “* .iot.mycompany.com” then your Management tenant domain will be “management.iot.mycompany.com”.

Info

After the activation is completed you will no longer be able to access your tenant with the Cumulocity IoT domain name. Instead, use your custom domain name.

To update your certificate

When your certificate expires, you must update your certificate with a new one with an extended validation period. When updating a certificate, you must make sure that the certificate meets the following requirements:

It is valid, like when being uploaded for the first time.
It is currently valid (validFrom in the past and validTo in the future).
It has exactly the same common name (domain name) as the currently active certificate.

Info

Keep in mind that after replacing the certificate it may take some minutes until the new certificate has been delivered to the users/browsers.

To deactivate your certificate

If you wish to return to your old domain at Cumulocity IoT, you can simply deactivate you certificate.

Important

Use with care. Your customers will not be able to access their subtenants anymore.

Troubleshooting

In case you cannot reach Cumulocity IoT using your custom domain, we recommend you to perform the following checks to verify your DNS setup.

Check if the DNS entry is correct

Execute the following command:

host management.<your domain name>

The following result should be returned:

management.<your domain name> is an alias for <instance domain name>
<instance domain name> has address <ip address>

Check if the API is responding

Execute the following command:

curl -v -u '<tenant ID>/<your user>:<your password>' --head http://management.<your domain name>/inventory/managedObjects

The following result should be returned:

...
HTTP/1.1 200 OK
...

Info

Keep in mind that after changing the DNS entry it might take up to 24 hours until the new entry has been propagated.