Enterprise Edition

The Enterprise Edition of Cumulocity provides several enhancements to the features provided by the Standard Edition. The following sections describe additional functionalities available in the Enterprise Edition.

Managing tenants

If you are a service provider or subscribed to the Enterprise Edition of Cumulocity, you may want to manage your own subtenants.

The tenants functionality allows you to create subtenants, subscribe them to the applications that you have available and potentially deactivate tenants if they are not in use anymore.

Important: There is a major difference between providing several tenants and providing several users with different permissions within a single tenant. Tenants are physically separated data spaces with a separate URL, with own users, a separate application management and no sharing of data by default. Users in a single tenant by default share the same URL and the same data space. So if your users, for example, are separate customers of yours and you need to strictly separate them because they may be competitors, we strongly recommend you to do so by working with tenants.

Info: If you would like to use this feature, please contact sales@cumulocity.com.

To be able to use the tenant functionality, your user needs to have the appropriate permissions. See Creating and editing global roles for information on editing permissions. Since editing tenants is a sensitive operation, permissions for editing tenants are more granular:

Viewing subtenants

Click Subtenants in the Tenants menu to view a list of all subtenants available in your account.

The Tenants page provides the following information on each subtenant:

In the management tenant, you will see an additional column “Parent tenant”. This column shows the tenant that created the listed tenant.

Creating subtenants

To add a new tenant, click Create tenant at the right of the top menu bar.

Create subtenant

The following properties may be provided:

Field Description
Domain/ URL Enter a unique ID as the first part of the URL. For example, if you enter "acme" as ID on cumulocity.com, the tenant's URL will be "acme.cumulocity.com". You can only use one subdomain level. For example, you can only use "acme.cumulocity.com" on cumulocity.com. You cannot use "mycustomer.acme.cumulocity.com". This is not permitted by the TLS standard.
Name The name of the tenant, e.g. the company's name.
Administrator's email You must provide a valid email address to enable users to reset their password.
Administrator's username Username for the administrator of this tenant.
Contact name Optional name of the contact.
Contact phone Optional phone number of the contact.
Send password reset link as email Selected by default. If you deselect this option, you need to provide a password and confirm the password (see Getting Started > Accessing and logging into the Cumulocity platform for more information on password strength).
Tenant policy You may select a tenant policy to be applied to the tenant from the dropdown list.

Note, that fields with an asterisk * are mandatory.

Click Save to apply your settings.

When the tenant is created, it is automatically provisioned with a first, administrative user (“Administrator’s username”). This administrator can create other users and set their permissions. The first user cannot be deleted to prevent you from locking yourself out.

From the management tenant, you can enable other tenants to create subtenants. To do so, check Allow creation of subtenants in the tenant editor.

Create subtenant

Viewing or editing subtenant properties

To edit subtenants properties, click on the desired subtenant or click Edit in the context menu, accessible through the menu icon.

In the Properties tab, all fields are editable except of the ID and the administrator’s username. For details on the fields, refer to Creating sub-tenants.

Sub-tenants

Support user access

In the management tenant, you will moreover find information here on the support user requests/access for the subtenants.

Support user access information

The following information is displayed here:

Field Description
Status May be either Enabled or Disabled.
Enabled indicates that:
- support user access has ben activated on platform level (see Customizing your platform),
- one or more subtenant users have activated support user access.
Disabled indicates that:
- support user access has been deactivated on platform level,
- support user access has been activated on platform level but deactivated for the subtenant,
- no subtenant user has currently any active support user access (i.e. as each support user request has either expired or has actively been deactivated).
Active requests count The number of requests currently active in the subtenant. Only displayed if support user access is not enabled globally on platform level. Shown as a number in a small red dot.
Expiry date Specifies the date on which support user access for the tenant will expire. If no date has been specified, the expiry date is set to “No limit”.

Suspending subtenants

You can temporarily suspend tenants. Suspending tenants blocks any access to this tenant, regardless whether the access is from devices, users or other applications.

To suspend a tenant, click the menu icon and from the context menu select Suspend.

Suspend tenant

In the upcoming dialog confirm the suspension by clicking OK and entering your password.

As part of suspending the tenant, an email is sent to the tenant administrator if an email address is configured for that administrator.

Info: If you are a service provider, you can suppress this email.

If a tenant is suspended, the tenant’s data remains in the database and can be made available any time later. To do so, click Activate.

Deleting subtenants

To finally delete a tenant and remove all the data of the tenant, click the menu icon and from the context menu select Remove.

Info: This action cannot be reverted. For security reasons, it is only available in the management tenant.

Subscribing and monitoring applications

In the Applications tab you can view all subscribed applications, subscribe tenants to applications or remove the applications from the tenant. By default, tenants will be subscribed to the standard Cumulocity applications.

Subscribe tenant

To subscribe an application to a tenant, hover over the applications under Available applications on the right and click Subscribe on the desired application.

To remove an application, hover over the applications under Subscribed applications on the left and click Unsubscribe.

Monitoring microservices

For all applications hosted as microservices by Cumulocity the status of the microservice is indicated next to its name by symbols:

Application details

The microservice may be in one of the following states:

You may view details on their status by expanding the respective entry.

Application details

The following information is provided:

Further details are provided on the Status tab of the respective application, see Administration > Managing applications.

Microservice billing

The microservice billing feature gathers information on microservice usage per subtenant for each microservice. This enables enterprise tenants and service providers to charge tenant not only based on subscriptions but also based on resources usage.

Billing modes

Cumulocity offers two billing modes:

The billing modes are specified per microservice in the microservice manifest and are set in the field “billingMode”.

RESOURCES: Sets the billing mode to resources-based. This is the default mode and will be applied to all microservices that are not explicitly switched to subscription-based billing mode.

SUBSCRIPTION: Sets the billing mode to subscription-based.

Isolation level

Two isolation levels are distinguished for microservices: per-tenant isolation and multi-tenant isolation.

In case of subscription-based billing, the entire resources usage is always assigned to the microservice owner, independent of the isolation level, while the subscribed tenant will be billed for the subscription.

In case of resources-based billing, charging depends on the isolation level:

In case of multi-tenant isolation level, the parent tenant as the owner of a microservice (e.g. the management tenant of an enterprise tenant or service provider) is charged for both subscribed applications (subscription-based billing) and used resources (resource-based billing) of the subtenants.

Resources usage assignment for billing mode and isolation level

Billing mode Microservice Isolation Resources usage assigned to
Subscription-based Per-tenant Owner
Subscription-based Multi-tenant Owner
Resources-based Per-tenant Subscriber
Resources-based Multi-tenant Owner

Collected values

The following values are collected on a daily base for each tenant:

Microservice resources are counted based at limits defined in the microservice manifest per day. At the end of each day, the information about resource usage is collected into the tenant statistics. It is also considered that a microservice might not be subscribed for a whole day.

Example: If a tenant was subscribed to a microservice for 12h and the microservice has 2 CPU and 2 GB of memory it should be counted as 1000 CPU milliseconds and 1024 MB of memory.

For billing purposes, in addition to CPU usage and memory usage the cause for the billing is collected (e.g. owner, subscription for tenant):

{
  "name": "cep",
	"cpu": 6000,
	"memory": "20000",
	"cause": "Owner"
},
{
  "name": "cep-small",
  "cpu": 1000,
  "memory": "2000",
  "cause": "Subscription for tenant"
}

Usage statistics

The information on the microservice usage is presented in the Usage Statistics page in the Tenants menu of the Administration application.

Tenant statistics

For more details, refer to Tenants > Tenant usage statistics in the Reference guide. Note that details are available only for daily usage. For a summary query only the sum of all issued requests is returned.

Scaling

Auto-scaling monitors your microservices and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. It is easy to configure the microservice scaling by setting the property scale in the Microservice manifest.

For instance, when you have a microservice with scale policy set to AUTO and the CPU usage points that it is needed to start a new microservice instance for three hours, the billing logs: (2424 + 324) * consumed resources.

2424 - one instance active for the whole day
324 - second instance active only three hours

Note that an audit record is created for every change of the number of instances.

Audit logs

For more information, refer to Auditing in the Reference guide.

Editing custom properties

The Custom properties tab allows you to view and modify values of custom properties, either predefined ones (like “External reference”) or those defined in the Properties library. Such properties are also displayed as columns in the usage statistics table.

Custom Properties

Limiting subtenant device number

The platform administrator can limit the count of concurrently registered root devices or simply all devices (including children devices). The platform administrator can also see the peak number of concurrently registered devices, root devices and the peak value of used storage in the Usage statistics page.

Limiting subtenant request rate

Platform administrators can limit the request rate of each subtenant via the following custom properties:

When there is no limit on tenant and system level, the limit feature is considered as disabled and the tenant gains unlimited access. To switch off request rate limiting after it was enabled, set the value to “-1”.

Retrieving usage statistics

The Usage statistics page provides statistical information on each subtenant.

Subtenant statistics

The following information is provided for each subtenant:

Moreover custom properties are displayed, if configured.

Custom properties may be defined in the Properties Library and then set their values in the Custom properties tab of the tenant.

You can filter the usage statistics list for a time period by adding the start and end date in the top menu bar and click Filter. You can also filter and sort the list on any column by clicking the filter icon next to the column name and providing the filtering criteria. For details on filtering, refer to Getting Started > Features and Functionalities > Filtering.

Click Export CSV at the right of the top menu bar to export the current view of the statistics table to a CSV file. A dialog will come up in which you can customize the CSV output.

Tenant policies

A tenant policy is a set of tenant options and retention rules. Tenant options and retention rules may be specified during tenant creation.

Assign tenant policy

Creating a tenant policy with a specific set of options and rules saves time when creating multiple tenants with the same settings.

Info: The options and rules are copied into the tenant. Editing the policy has no effect on tenants that have already been created.

Click Tenant policies in the Tenants menu to view all tenant policies available.

Tenant policies

For each tenant policy, the name, an optional description and the number of options and retention rules is provided, either in a list or a grid.

Adding a tenant policy

Click Add tenant policy in the top menu bar to create a new tenant policy.

Add new policy

  1. Enter a name and an optional description.

  2. Add at least one retention rule. For details on creating retention rules, refer to Administration > Managing data retention > Retention rules.

  3. Optionally, add a tenant option

  4. Click Save to save your settings.

Editing, duplicating and deleting policies

To edit a policy, click on the desired policy or click Edit in the context menu, accessible through the menu icon.

Policy context menu

To delete a retention rule or a tenant option from a policy, hover over it and click the delete icon.

To duplicate a policy, click the menu icon and from the context menu select Duplicate.

To delete a policy, click the menu icon and from the context menu select Delete.

Managing user hierarchies

With user hierarchies you can reflect independent organizational entities in Cumulocity that still share the same database. These entities can have limited permissions to subsets of the shared data and can manage their own sub-users.

Info: To be able to use this feature, your tenant must be subscribed to the application “feature-user-hierachy”.

Viewing user hierarchies

In the User page, user hierarchies are indicated by an arrow left from the user icon. Clicking on the arrow unfolds the user hierarchy. You can also fold and unfold the entire user hierarchy using the Expand all and Collapse all links on the top right.

A small number next to the user name shows how many direct sub-users a user has. Sub-users are users that can be managed by their respective parent user and that have at most the permissions of that parent user. In the example below, the user “Demo user” has one direct sub-user.

User hierarchies

Creating sub-users

User hierarchies are created by assigning an “owner” to a user. The “owner” can manage the user. The user can have at most the same permissions as the owner.

To assign an owner to a user, select the user in the Users page. In the Owner field, select a user from the dropdown list and click Done to confirm.

Select owner

Info: When creating a new user, the owner is automatically set to the user who is logged in. The owner can be changed later. Only users with USER ADMIN permission can assign an owner to a user.

If you want an owner to manage only their sub-users, make sure that the owner does not have a global role with user management permissions for all users.

As an example, the sample below shows a user with a business role. The user becomes the owner of a new user. Therefore the new user can only get a business role assigned as the user cannot have higher permissions than the owner.

Owner Sample

Delegating user hierarchies to other users

In Cumulocity, users can delegate their user hierarchies and permissions to another user. The delegated user then has the same user management permissions as the user who activated the delegation.

You may of course also delegate on a temporary basis, for example if you are temporarily unavailable.

To delegate your permissions to a user, either open the user and click the delegate icon in the Delegated by field, or click the menu icon at the right of the user entry in the user list and from the context menu, select Delegate.

User delegation

To undelegate, remove the delegation in the Delegate by field, or click Undelegate in the context menu.

If the delegated user also needs to manage specific devices, the admin user must assign this device permissions (inventory roles) directly to the intended user. This can be done by using Copy inventory roles from another user. For details refer to Managing permissions > Assigning inventory roles to users in the Administration section.

Info: Delegation works only inside user management and does not have any implication to other places.

Troubleshooting sub-users

In the example below the user cannot change the access to the Administration application, because the owner of the user has no “User management” permission. As a result, the owner user can not assign built-in applications (and the owned user cannot use them).

Warning message

Support user access

With the support user access feature, support users, i.e. users of the management tenant with specific permissions, can log into accounts of other subtenant’s users to provide help in case of any issues.

To so so, support user access must be enabled. This can globally be done on platform level or on user level as described below.

Configuring support user access

Support user access may be enabled on different levels.

Platform level

The management tenant can enable support user access for all subtenants on platform level. This is done in the Configuration page, see Customizing the platform.

If support user access is enabled, support users can log into any subtenant as any user, unless overridden on subtenant level. Subtenant users cannot enable/disable access themselves. If support user access is disabled support users can log in only to subtenants for which at least one user has explicitly enabled such access, as described next.

Subtenant/user level

If support user access is disabled on platform level, it may still be enabled by a subtenant user. This is done by clicking Enable support in the User menu, see Getting started > User options and settings.

The support access is then not restricted to the user who activated it but applies to all users of the subtenant. This is necessary for retracing of role/right issues.

After a user has activated support access, the menu item changes to Disable support, so that the user can disable a pending support request which has been resolved actively before it expires.

The duration of the active support request is configurable on platform level (default is 24 hours), see Customizing the platform.

Each new support request will prolong the support duration for the specified number of hours. After the last support request in a subtenant has expired or has been actively disabled by the user, the support user access for the subtenant will immediately be disabled (if not enabled globally).

Details on the status of support user requests and support user access for a tenant can be found in the Properties tab of the tenant, see Managing tenants.

Configuring support users

There are two alternative setups for support users in Cumulocity:

Info: The support user feature does not work when the support user has two-factor authentication enabled, but no phone number is provided. The phone number has to be provided first, in order to login as a support user.

Management tenant permission

To enable a management tenant user to support users in other tenants, you need to provide the user with either the “Support” global permission or the “Support” inventory role (both READ and CHANGE).

Using the “Support” inventory role, you can selectively assign support to particular users. Create a group of the tenants that you want the user to support, then assign the inventory role to the user and the group as described in Assigning inventory roles to users.

User-provided permission

Users can allow support, i.e. a management tenant user logging in as them. To do so, click the User button at the right of the top bar and from the context menu select Enable support access. For details, refer to Getting started > User options and settings.

Logging in as support user

To log in as support user, use the following username:

<support user>$<user>

“support user” is the user in the management tenant that executes the support. “user” is the supported user.

Alternatively, use

<support user>$

In this case, the support user will access the tenant with one of the administrative users.

Important: In many environments, access to the management tenant is specifically restricted to certain networks or hosts, or can only be used through a tunnel. When logging in using the support user functionality, you need to make sure to have access to the management tenant. If you use a tunnel to access the management tenant, you may need to use a login of the form <tenant>/<support user>$<user>.

Audit logs are created for each support user access and for the actions that support users perform. In the column “Who?” the author’s name will be shown in form of:

"support_user$user"

Example

As an example, suppose you get a support call from a user “john” in the tenant acme.cumulocity.com. The user cannot run certain functionality, and you suspect that it is a permission issue. Your username in the management tenant is “jill” and you are permitted to carry out support for acme.cumulocity.com. In this case, you can log in to acme.cumulocity.com using the username “jill$john” and your password for “jill”. Now you can reproduce what “john” is seeing.

Using single sign-on (SSO)

In order to use the single sign-on feature for enterprise tenants, the enterprise domain must be set up as redirect URI in the basic configurations. For more details see Changing settings > Configuring single sign-on under Administration.

If single sign-on providers have whitelists, the enterprise domain should be whitelisted.

Using the data broker

Data broker lets you share data selectively with other tenants. You can share:

Navigate to Data connectors if you would like to send data to another tenant. Navigate to Data subscriptions, if you would like to receive data from another tenant.

Data broker menus

Info: Devices that are forwarded using the data broker are charged like normal devices in the destination tenant.

Be aware of the following limitations of the data broker:

  • Cloud Remote Access cannot be used on the destination tenant.
  • The management tenant cannot be used as data broker source tenant.
  • Currently, the Fieldbus widget does not work on tenants that receive the fieldbus devices through data broker, as the corresponding data models are not synchronized.
  • Data broker does not guarantee the same order of messages on destination tenants as it was on the source tenant.
  • While we provide backwards compatibility, we cannot ensure that data broker can send data to Cumulocity tenants which run on earlier Cumulocity versions than the source.

Data connectors

A data connector describes the subset of the data that you would like to send to a destination tenant as well as the URL of that destination tenant.

Viewing data connectors

In the Data connectors page, you can manage existing data connectors or create new ones. Click Data connectors to see a list of all currently defined data connectors with their status.

Data broker connectors list

For each data connector, the following information is provided:

Use the slider to enable and disable data forwarding to the destination tenant. If data is being forwarded, the slider reads “active”. If data is not being forwarded, the slider reads “suspended” or “pending”. “Suspended” means that you have disabled forwarding. “Pending” means that the destination tenant has disabled forwarding.

Creating or editing data connectors

Click Add data connector in the top menu bar to create a new data connector.

Data broker edit connector

In the Settings tab, provide the following information to create a new data connector:

Field Description
Title The name of the data connector.
Target URL for data connector The URL of the tenant to which data will be forwarded. Once saved, you cannot edit this value anymore.
Description A textual description of the configuration. Both the name and the description will be visible on the destination side after accepting the subscription.
Data filters A set of filters that define what is copied to the destination. You need to configure at least one filter.

Click Add filter to configure a new filter.

Data broker configure filter

Each data filter contains the following information:

Field Description
Group or device The group or device that is forwarded. Selecting a group here results in all sub-groups and sub-devices being forwarded. Leaving the default option "All objects" selected will synchronize all types of objects, including internal and technical ones (not exclusively groups and devices), which may cause issues on the target tenant.
API The type of data being forwarded (alarms, events, measurements, manages objects) or being received (operations).
Fragments to filter The fragments that need to be present in a device to be forwarded.
Fragments to copy The fragments that are copied to the destination. If nothing is specified here, only standard properties of managed objects, alarms, events and measurements are forwarded (see below). Select Copy all fragments to forward the entire object.
Type filter Forwarded data needs to have this value in its "type" property.

Info: If the Group or device field is filled in, the entire descendant structure of the inventory is forwarded to the destination as soon as the connector stays active. if the Group or device field is empty or set to “all” the descendant structure of the inventory is not forwarded; in this case the filter works in “lazy” mode, i.e. forwards the device or asset along with its first event/measurement/alarm.

If operation API is checked in filters, operations created in the target tenant will be forwarded to the source tenant. This applies only to operations that meet the following conditions:

Updates of operation status coming from the source tenant will be forwarded to the destination tenant.

The heading of a data filter summarizes the configuration in one line. The standard properties that are copied by default are:

Once you have configured your data connector, click Save to save the configuration.

After saving, you will see a security code displayed below your configuration. The security code prevents unintended forwarding of data. You need to communicate this security key separately to an administrative user of the destination tenant. You can click the copy icon next to the security code to copy the code to your clipboard.

Security code

Switch to the Alarms tab to display current alarms for the data connector.

Warnings tab

For details on alarms, see Monitoring and controlling devices > Working with alarms in the Device Management section.

Data subscriptions

In the Data subscriptions page, you can manage existing data subscriptions or create new ones.

Click Data subscriptions to see a list of all currently defined data forwarded to your tenant.

Data subscriptions

For each subscription, the name, the target tenant and the status (enabled or disabled) is provided on a card.

Use the slider to temporarily stop forwarding data into your tenant.

To stop data forwarding and remove the data connector, click the menu icon and from the context menu select Delete.

How to set up data forwarding on the receiving end

  1. Click Add data subscription in the top menu bar to receive data.
  2. In the new card, enter the security code that you received from the sending end of the data.
  3. When the connection is established, click Accept to start forwarding data into your tenant. The subscription is active now.
  4. You can move the slider in the card to temporarily stop forwarding data into your tenant.

You can now navigate to the Device Management application or the Cockpit application. There will be a new “virtual group” with a specific icon (see the screenshot below) showing the forwarded devices. The group will have the same name as your subscription. Devices are “lazily” created on the destination side whenever they send data for the first time after setting up an active subscription.

Data broker group in cockpit app

Troubleshooting

On the source tenant, data broker queues data that cannot be forwarded immediately to the destination tenant. The amount of data that can be queued is limited. If Cumulocity cannot queue any further data, the oldest queued data is dropped. In this case, an alarm is raised in the tenant.

“Data broker processing is currently overloaded and may stop processing your events. Please contact support.”

To reduce the number of alarms, alarms are not triggered more often than once per minute.

Customizing your platform

Using the Enterprise Tenant of Cumulocity, you can specify various settings for the customization of your platform under the Settings menu.

Configuration

Info: For information on the general settings in the Customization tab, see Changing Settings > Configuration settings in the Administration section. Here, only the features will be explained which are exclusively available for Enterprise Tenants.

Applications

In the Applications section, you can specify the default applications for new tenants as a comma-separated list.

Applications settings

Passwords

In the Passwords section, you can specify password settings like default strength, length or validity for the users in your tenant.

Passwords settings

Support user

In the Support user section, you configure the parameters for the support user activation for subtenant users.

With the support user feature, support users (i.e. users with specific permissions in the management tenant) can access subtenant users in case of any issues. Refer to Supporting user access for further information.

Support user configuration

In the field Enable support user, specify if support user access is enabled for subtenant users. Possible values you can enter here are:

In the Validity limit field, you can optionally specify the support duration, i.e. for how many hours support user access will be prolonged after each support user request from a subtenant user. Enter a number specifying the number of hours. The default value is 24 hours.

The expiry date-time will be updated based on the duration specified in the Validity limit field, e.g. if the current expiry date-time is 01/09/2018 15:00 and duration has been kept at 24 hours, the enabling support user will update the expiry date to 01/10/2018 15:00.

Details on the status of support user requests and support user access for a tenant can be found in the Properties tab of the tenant, see Managing tenants.

Branding

With the Branding feature, you can fully customize the look of your tenant to your own preferences.

In the Branding tab, you can configure various parameters like logos, colors and font types used throughout the platform.

The parameters are configured on the left side of the tab while on the right you can immediately see your selections applied to a preview extract.

Branding tab

For a more detailed preview of your settings, click Open preview in the top menu bar to check the look and feel of your branding settings in the overall platform. You may interact and even switch applications in the preview. Every change that you make in the Branding tab will immediately be applied to the Preview page.

Branding tab

When you are done or want to store your settings, click Save at the bottom of the Configuration section to save your branding settings to your tenant.

Saving the settings will not yet apply them to the current tenant and respective subtenants. To do so, click Apply in the top menu bar.

Click Reset in the top menu bar to reset the branding of the current tenant and its subtenants to the default settings. The custom settings will still be saved but are no longer applied.

Configuration parameters

In the Configuration section, the following branding parameters can be configured.

General

Under General, you can edit the title which will be used in the browser tab.

Branding general

Main logo

Under Main logo, specify the following items:

Navigator logo

Under Navigator logo you can provide the navigator logo and set the navigator logo height located on top of the navigator panel.

Branding general

Type

In the Type section you specify the font settings for your branded version.

Branding type

You can choose your base and headings font, and select an option for the navigator font (either same as base or same as headings font). You may also add a link to existing remote fonts to be used.

Colors

In the Colors section you specify the colors to be used in your branding version.

Branding color

The following parameters can be specified by providing a hex, rgb or rgba value:

Top bar

In the Top bar section you specify the parameters for the top bar.

Branding topbar

The following parameters can be specified by providing a hex, rgb or rgba value:

Navigator

In the Navigator section you specify the parameters for the navigator.

Branding navigator

The following parameters can be specified by providing a hex, rgb or rgba value:

Misc

In the Misc section you may specify the “Button Border-Radius” by providing a value in pixel (px).

Domain name

In the Domain name tab you can activate your own custom domain name.

Info: To activate you domain, you need a valid license. Please contact our Sales team at sales@cumulocity.com to install a license for your domain.

Domain name

First you have to upload the appropriate certificate by clicking Upload Certificate. Make sure that

Info: If your certificate is not in a valid PKCS#12 format but you have PEM files for certificate, private key and authorization chain then you can generate a valid PKCS#12 file using the following command:

openssl pkcs12 -export -out out_keystore.p12 -inkey privkey.pem -in cert.pem -certfile chain.pe

Before activating the custom domain name, make sure that

After successful activation you will be redirected to your Enterprise Tenant at the new domain. You will also receive an email with information about the activation.

Info: After the activation is completed you will no longer be able to access your tenant with the cumulocity domain name. Instead, use your custom domain name.

Updating your certificate

When your certificate expires, you must update your certificate with a new one with an extended validation period. When updating a certificate, you need to make sure that

Info: Keep in mind that after replacing the certificate it may take some minutes until the new certificate has been delivered to the users/browsers.

Deactivating your certificate

If you wish to return to your old domain at Cumulocity, you can simply deactivate you certificate.

Important: Use with care. Your customers will not be able to access their subtenants anymore.

Troubleshooting

In case you cannot reach Cumulocity using your custom domain, we recommend to perform the following checks to verify your DNS setup.

Check if the DNS entry is correct

Execute the following command:

host management.<your domain name>

The following result should be returned:

management.<your domain name> is an alias for <instance domain name>
<instance domain name> has address <ip address>

Check if the API is responding

Execute the following command:

curl -v -u '<tenant ID>/<your user>:<your password>' --head http://management.<your domain name>/inventory/managedObjects

The following result should be returned:

...
HTTP/1.1 200 OK
...	

Info: Keep in mind that after changing the DNS entry it might take up to 24 hours until the new entry has been propagated.

Storage quota

The storage quota is in place for a tenant when a storage quota per device is set by the platform administrator. The total storage available to the user is calculated using the formula storage quota per device x number of devices. A check is performed every night to ensure the quota is not exceeded.

In case the quota is exceeded, an email is sent to all tenant administrators to warn them that data will be deleted the following night. After 24h, if the quota is still exceeded, all data retention limits are reduced by a fixed percentage. The storage quota per device will be reduced as a result of this rule.

Info: The storage quota feature needs to be defined on the tenant and cannot be enabled/disabled by configuration.

Example

Let us assume that a tenant has a storage quota of 10 GB. Retention rules are 80 days for measurements, 90 days for all other data.

The total storage is now at 9.8 GB.

Managing storage quota warning email

This feature is only visible if a storage quota was set for the tenant.

The tenant administrators can set a user group and threshold for an email to be sent once a day if the storage used is higher than a particular percentage of the storage quota. The default setup is sending an email to the “admin” group when the storage reaches 80% of maximum storage.

The email warning can also be disabled.