Configuration properties

The following table contains a list of properties in the HCL Leap file. You can adjust the settings listed in the file, or add your own for a custom configuration.

Table 1. List of properties in the configuration file

Setting Description
adminInfo Allows admin contact information to be shown within error messages.

If adminInfo1 and adminInfo2 are both provided, the error message will be “We are unable to process your request. If this error persists, report the problem to your administrator at adminInfo1, or adminInfo2, and provide error reference: XXX.”

If only adminInfo1 is provided, the error message will be “We are unable to process your request. If this error persists, report the problem to your administrator at adminInfo1 and provide error reference: XXX.”

If neither is provided, the error message will be “We are unable to process your request. If this error persists, report the problem to your administrator and provide error reference: XXX.”

ibm.nitro.NitroConfig.adminInfo1 = 
ibm.nitro.NitroConfig.adminInfo2 = 1-800-GET-HELP
anonBlockedMsg=[MESSAGE] When a user attempts to access a Leap application anonymously, an error message is displayed. The default message is “Anonymous access blocked”. You can change the default message to provide additional information to the user.

ibm.nitro.NitroConfig.anonBlockedMsg=Anonymous usage is not allowed
appFilesWhiteList appFilesBlackList appFilesMaxSize Lists of allowed (whitelist) and disallowed (blacklist) mimetypes, and maximum file sizes, for Application File uploads.

appFilesWhiteList – A space separated list of:
- mimetypes – text/plain application/vnd.xfdl
- partial mimetypes – text/audio/ /plain
- file extensions – GIF PDF XML
- default value – empty (everything is allowed)

appFilesBlackList – A space separated list of:
- mimetypes – text/plain application/vnd.xfdl
- partial mimetypes – text/audio/ /plain
- file extensions – GIF PDF XML
- default value – exe

appFilesMaxSize (size in kb) – A space separated list of:
- mimetypes – text/plain application/ /vnd.xfdl
- file extensions – GIF PDF XML or default as special type
- default value – 5000

ibm.nitro.NitroConfig.appFilesWhiteList = css js html exe text/plain application/vnd.xfdl mov avi 
ibm.nitro.NitroConfig.appFilesBlackList = exe 
ibm.nitro.NitroConfig.appFilesMaxSize.10000 = default 
ibm.nitro.NitroConfig.appFilesMaxSize.50000 = mov avi
appStats.timerEnabled appStats.refreshHour appStats.refreshDays By default, the timer is enabled and the collection time is set to 3 AM daily, local server time.

Note: Depending on the volume of applications, statistics collection may take 10+ minutes. Adjust the timer and frequency to coincide with server quiet time.

appStats.timerEnabled - Enable Application Statistics collection.

To disable Application Statistics collection, set to false.

Default value: true

appStats.refreshHour - Sets the hour of day to start Application Statistics collection.

Value 0 to 23, indicating the hour of day to start the statistics collection process.

Default value: 3

appStats.refreshDays - Sets the Application Statistics collection day. Use full names of day of the week, separated by a comma, semicolon, or space.

Valid values: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday

Default value: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday

ibm.nitro.NitroConfig.appStats.refreshDays=Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday
attachmentFilesWhiteList attachmentFilesBlackList attachmentFilesMaxSize Lists of allowed (whitelist) and disallowed (blacklist) mimetypes, and maximum file sizes, for the Attachment form item.

attachmentFilesWhiteList – A space separated list of:
  • mimetypes – text/plain application/vnd.xfdl
  • partial mimetypes – text/audio/ /plain
  • file extensions – GIF PDF XML
  • default value – empty (everything is allowed)
attachmentFilesBlackList – A space separated list of:
  • mimetypes – text/plain application/vnd.xfdl
  • partial mimetypes – text/audio/ /plain
  • file extensions – GIF PDF XML
  • default value – exe js html svg
attachmentFilesMaxSize (size in kb) – A space separated list of:
  • mimetypes – text/plain application/ /vnd.xfdl
  • file extensions – GIF PDF XML or default as special type
  • default value – 5000

    • Examples:
      ibm.nitro.NitroConfig.attachmentFilesWhiteList = css js html exe text/plain application/vnd.xfdl mov avi
      ibm.nitro.NitroConfig.attachmentFilesBlackList = exe 
      ibm.nitro.NitroConfig.attachmentFilesMaxSize.10000 = default 
      ibm.nitro.NitroConfig.attachmentFilesMaxSize.50000 = mov avi
blockAnonAccess Anonymous access is not allowed by default, which means that to use a Leap application or survey, users must authenticate with a valid user ID and password.
This setting determines anonymous access, where:
  • enabled - anonymous access is blocked
  • disabled - anonymous access is allowed
  • redirect - redirects the user to authenticate
Default value: redirect

The customThemes config settings define a list of customer-provided themes that can be used in Leap applications.

For each theme, two parameters must be set:
  • customThemes.[ID].displayName
  • customThemes.[ID].location
[ID] - An identifier for the custom theme (e.g. "corpTheme1").

The id can contain the letters 'a' through 'z' and numbers, and must start with a letter.

displayName - The theme name to be displayed in the Leap authoring UI.

location - The full URL of the theme's .css file.

For each theme, there are 2 optional parameters:
  • customThemes.[ID].isDefault
  • customThemes.[ID].nl.[LOCALE]
isDefault - If set to true, designates the theme as the default selection for new applications.

nl.[LOCALE] - For globalization support of the theme's display name. [LOCALE] is the locale code that identifies the language (e.g.,"en", "fr", "fr_CA", "zh").

After modifying these settings, restart the Leap server to see the changes in the authoring environment. If the location property of a theme is modified, any deployed applications using that custom theme need to be redeployed for changes to take effect.

customThemes.corpTheme1.displayName = Corporate Theme 1 = Thème d'entreprise 1 = 企业主题1
customThemes.corpTheme1.isDefault = true
customThemes.corpTheme1.location =
detectBrowser If Leap detects an unsupported browser, a warning message is displayed to the user. The user can still see the form after the warning message is closed. Where:
  • warn - The user is warned that the browser is unsupported. A list of supported browsers is displayed in the warning message. When the user closes the warning message, the form is displayed.
  • ignore - The user is not warned that the browser is unsupported, and the form is displayed.

Default value: warn

disableUseTab Hides the "Use" tab, and prevents fetching the list of deployed and usable applications, where:
  • true - "Use" tab is hidden
  • false - "Use" tab is displayed
Default value: false

EventHandler.infoLevelEvents EventHandler.debugLevelEvents EventHandler.auditLevelEvents Leap contains an event handling implementation that can print all or specific events to the system log or to a separate file, depending on property settings. By default, this feature is not enabled. Change the properties, in the file, to select the events that you want to monitor and where the event information is output.

The following will output Events information in Application Server's system log at info or debug level:
  • EventHandler.infoLevelEvents
  • EventHandler.debugLevelEvents
auditLevelEvents outputs to a file. The default file location is C:\febEvents.log on Windows and /febEvents.log on AIX/Linux, with a maximum file size of 5 MB and up to 5 backup files.

The event output is in CSV format, with the following fields: Event topic, Event time stamp, User id, User email, Application uid, Application title, Form id, Record uid, Result

The following is the list of event topics that Leap sends out:
  • builder/app/delete – Application is deleted
  • builder
  • builder/app/deploy – Application is deployed for the first time
  • builder/app/redeploy – A deployed application is deployed again
  • builder/app/stop – A deployed application is stopped
  • builder/app/import – Application is imported
  • builder/app/importAndDeploy – Application is imported and deployed
  • builder/app/importAndDeployWithData – Application is imported and deployed with data
  • builder/app/export – Application is exported
  • builder/app/exportWithData – Application is exported with data
  • builder/app/upgrade – Application is upgraded
  • builder/app/upgradeWithDataReplaced – Application is upgraded and the data replaced
  • builder/app/result/export – Application data is exported from View Data (or REST API)
  • builder/app/retrieve/source – Application source is retrieved
  • builder/app/query/deployed – Application deployment state is queried
  • builder/record/submit – A record is submitted by normal app usage
  • builder/record/update – A record is updated by normal app usage
  • builder/record/delete – A record is deleted by normal app usage
  • builder/data/insert/user – A record is created as a result of a direct user action
  • builder/data/insert/code – A record is created indirectly
  • builder/data/update/user – A record is updated as a result of a direct user action
  • builder/data/update/code – A record is updated indirectly
  • builder/data/delete/user – A record is deleted as a result of a direct user action
  • builder/data/delete/code – A record is deleted indirectly
To capture failed events, use "builder/error/[EVENT_TOPIC]"
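
The audit CSV described above can be triaged with a short script. This is an added example, not HCL code: it flags failed events and bulk data exports or deletions per user, and the sample rows (including their timestamp, result and error-topic formats) are constructed.

```python
import csv
import io
from collections import Counter

# Column order as documented for the auditLevelEvents CSV output.
FIELDS = ["topic", "timestamp", "user_id", "user_email", "app_uid",
          "app_title", "form_id", "record_uid", "result"]

# Topics from the documented list that move or destroy data in bulk.
BULK_DATA_TOPICS = {
    "builder/app/exportWithData",
    "builder/app/result/export",
    "builder/app/importAndDeployWithData",
    "builder/app/upgradeWithDataReplaced",
    "builder/app/delete",
}
ERROR_PREFIX = "builder/error/"

# Constructed sample rows; timestamp, result and error-topic formats are assumptions.
SAMPLE_LOG = """\
builder/record/submit,2024-05-01T09:14:02Z,jdoe,jdoe@example.com,app-001,Travel Request,F_Form1,rec-1001,success
builder/app/result/export,2024-05-01T23:41:10Z,asmith,asmith@example.com,app-001,Travel Request,F_Form1,,success
builder/error/builder/app/export,2024-05-01T23:42:55Z,asmith,asmith@example.com,app-002,"Payroll, Q2",,,failed
builder/app/exportWithData,2024-05-01T23:44:31Z,asmith,asmith@example.com,app-002,"Payroll, Q2",,,success
builder/app/delete,2024-05-02T00:03:12Z,asmith,asmith@example.com,app-003,Old Survey,,,success
truncated,line
"""

def parse_events(text):
    """Yield one dict per well-formed row; rows with a wrong column count are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == len(FIELDS):
            yield dict(zip(FIELDS, row))

def triage(text):
    """Return (failed_events, bulk_events_per_user)."""
    failed, bulk = [], Counter()
    for ev in parse_events(text):
        topic = ev["topic"]
        if topic.startswith(ERROR_PREFIX):
            # Keep the underlying topic so failed attempts can be reviewed too.
            failed.append((ev["user_id"], topic[len(ERROR_PREFIX):], ev["app_uid"]))
        elif topic in BULK_DATA_TOPICS:
            bulk[ev["user_id"]] += 1
    return failed, bulk

if __name__ == "__main__":
    failed, bulk = triage(SAMPLE_LOG)
    for user, topic, app in failed:
        print(f"FAILED  {user} {topic} on {app}")
    for user, count in bulk.most_common():
        print(f"BULK    {user}: {count} export/delete events")
```
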

exportDataWithEmails By default when you export data from applications, emails are also exported. You can exclude emails from the export by changing the property value to false. Where:
  • true - emails are exported with application data
  • false - emails are not exported with application data
Default value: true

imageDomainWhitelist.enabled=true imageDomainWhitelist.[N].domain The imageDomainWhitelist config settings define a white-list of domains from which images can be uploaded to a Rich Text Entry field.

In addition to setting imageDomainWhitelist.enabled=true, an additional parameter must be set for each domain:

imageDomainWhitelist.[N].domain = where "[N]" is an integer number identifying that service.

domain - The domain property implicitly allows sub-domains. For example, a domain property of allows URLs such as,, or

InfoEntryPoint.dailyInfo Provides HTML content that is shown in the login screen. Can be used for status messages, or help.
ibm.nitro.InfoEntryPoint.dailyInfo = Welcome to <b>HCL Leap</b>
LogoutServlet.postLogoutRedirectURL The value of this parameter tells Leap where to redirect the user after logoff. If the parameter is not configured or is left blank, the user is redirected to the login page.

maximumRecordsToRetrieve Maximum number of records that are permitted for export from the View Data page at one time. If the number of records to be exported exceeds the number set by this property, the export is stopped, and an error message is shown.

Note: The default value of 20,000 is supported for base systems. Setting the value higher could result in poor performance, depending on result set size and server hardware.

MemberManager.adminAlias MemberManager.userProps.loginName MemberManager.userProps.displayName MemberManager.adminAlias setting is mandatory. For WebSphere Application Server only, configure the VMM login.

By default, Leap uses J2C alias vmmAdmin to authenticate with VMM. You must configure it here if you want to change the J2C alias name.

You must have WebSphere Application Server administrative user credentials to run Leap.

If you use LDAP within WebSphere Application Server, there are a number of properties that look up user and group information. If your LDAP uses different property keys than the ones set by default, update the property keys here so that user and group lookups function correctly.

If you are using LDAP within WebSphere Application Server, refer to the following settings:


Describes the LDAP property used as the login ID. Each loginName must be unique.

Default setting: uid

Represents a unique key for the user. This key must be identical to the loginName.

Default setting: uid

Represents a unique key for the group. The value is the LDAP property that is used. For example, cn, represents Common Name.

Default setting: cn

The email address of the user. Leap uses this email address to send notifications and other emails to the user.

Default setting: mail


Used to display the name of the user, instead of the login id.

Default setting: cn

ibm.was.MemberManager.userProps.loginName = mail = mail = name = mail
ibm.was.MemberManager.userProps.displayName = cn
purgeOrphanFilesHours In some circumstances, files attached to either application designs or user-submitted records can become orphaned if the primary design or record element is removed outside the normal process. File records which are older than this number of hours and are no longer associated with an existing primary record are removed.

Default value: 48

runtimeCSP The runtimeCSP setting defines the Content-Security-Policy (CSP) header that will be applied to running Forms.

Note: This setting only applies to Forms. It does not currently apply to App Pages, Summary Charts, or the View Data page.

For more information on CSP, see

For more information on Strict CSP, see Strict CSP

ibm.nitro.NitroConfig.runtimeCSP=default-src 'self' *; img-src *
runtimeResources.[N] Additional web resources to load into the Leap UI for leveraging the Custom Widget API. The values from these settings will be injected into the <head> section of Leap's HTML pages.

ibm.nitro.NitroConfig.runtimeResources.1 = <link rel='stylesheet' type='text/css' media='screen' href='/custom-widgets/samples/acme/Acme_Widgets.css'>
ibm.nitro.NitroConfig.runtimeResources.2 = <script type='text/javascript' src='/custom-widgets/samples/acme/Acme_common.js'></script>
ibm.nitro.NitroConfig.runtimeResources.3 = <script type='text/javascript' src='/custom-widgets/samples/acme/Acme_Boolean_Widget.js'></script>
secureJS Enables or disables JavaScript restrictions in run time forms. When a form designer adds custom JavaScript to an application, this flag restricts the scope of that custom JavaScript. This flag applies to the entire Leap server for all users.

Note: Setting this parameter to false might expose users to malicious JavaScript. Only set to false in a secured environment where Leap applications are created by trusted users.

For more information, see JavaScript API for Leap.
Default value: true

ibm.nitro.ApplicationCompilerService.secureJS = false
serviceAuthorization.enabled serviceAuthorization.[SERVICE_ID] Access to a service description may be given to a specific user, group, or special assignment. The access control is made up of two parts:
  • Who may "discover" and work with the service while designing an application.
  • Who may "invoke" the service.
Users or Groups provided must be defined using the attributes defined by = mail and = name respectively.

Special assignment valid values are:
  • all-authenticated: for app author "discover" privilege only
  • anonymous: for app authors and end-user "discover" and "invoke" privileges
  • all-authors: for end-user "invoke" privilege only
To enable service authorizations, set ibm.nitro.NitroConfig.serviceAuthorization.enabled=true. Multiple services may be defined. To define a service authorization, add ibm.nitro.NitroConfig.serviceAuthorization.serviceIdN, where serviceIdN is the 'id' of the service description. The value must be a valid JSON string; see the provided samples.

Note: A backslash (\) at the end of a line can be used to present a value over multiple lines. The backslash must be the very last character on the line.
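
A pre-deployment check for these entries, as an added example that is not part of the HCL documentation: it joins backslash-continued lines, reports a backslash followed by trailing whitespace, and validates each value as JSON with the documented special assignments. The sample input is constructed, and treating both "discover" and "invoke" as expected parts is an assumption.

```python
import json

PREFIX = "ibm.nitro.NitroConfig.serviceAuthorization."
SPECIAL = {"all-authenticated", "anonymous", "all-authors"}  # documented values

# Constructed input: serviceId1 is well formed, serviceId2 has a stray quote,
# serviceId3 has a space after the backslash, so its value stops at "{ \ ".
SAMPLE = "\n".join([
    PREFIX + "enabled = true",
    PREFIX + "serviceId1 = { \\",
    '   "discover": { "users": ["user1"], "groups": ["group1"], "special": [] }, \\',
    '   "invoke": { "users": [], "groups": [], "special": ["anonymous"] } \\',
    "}",
    PREFIX + 'serviceId2 = { "invoke": { "special": ["all-authors"]" } }',
    PREFIX + "serviceId3 = { \\ ",
    '   "discover": {}, "invoke": {} }',
])

def logical_lines(text):
    """Join lines that end in a backslash; flag a backslash followed by spaces."""
    out, buf, problems = [], "", []
    for n, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip() and line.rstrip().endswith("\\"):
            problems.append(f"line {n}: whitespace after trailing backslash")
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep reading
        else:
            out.append(buf + line)
            buf = ""
    return out, problems

def check_service_auth(text):
    """Return findings for every serviceAuthorization.<id> entry in the text."""
    lines, findings = logical_lines(text)
    for line in lines:
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.startswith(PREFIX) or key == PREFIX + "enabled":
            continue
        sid = key[len(PREFIX):]
        try:
            doc = json.loads(value)
        except json.JSONDecodeError as exc:
            findings.append(f"{sid}: invalid JSON ({exc.msg})")
            continue
        for part in ("discover", "invoke"):
            section = doc.get(part) if isinstance(doc, dict) else None
            if not isinstance(section, dict):   # assumption: both parts expected
                findings.append(f"{sid}: '{part}' missing or not an object")
                continue
            for bad in set(section.get("special", [])) - SPECIAL:
                findings.append(f"{sid}: unknown special value '{bad}' in {part}")
            if part == "invoke" and "anonymous" in section.get("special", []):
                findings.append(f"{sid}: invoke is open to anonymous users")
    return findings

if __name__ == "__main__":
    for finding in check_service_auth(SAMPLE):
        print(finding)
```
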

ibm.nitro.NitroConfig.serviceAuthorization.enabled = true
ibm.nitro.NitroConfig.serviceAuthorization.serviceId1 = { \
   "comment": "Auth for Service 1", \
   "discover": { "users": ["user1"], "groups": ["group1"], "special": [] }, \
   "invoke": { "users": [], "groups": [], "special": ["all-authenticated"] } \
}
serverURI Indicates the base URI used for critical functions, including editing applications, and email. Must include everything necessary to connect to the Leap context, for example, /apps.

With this entry, all emailed links, and absolute links visible during Leap design time start with the following base URI regardless of what the user enters in the address bar.

ibm.nitro.NitroConfig.serverURI =
servicesWhitelist.enabled servicesWhitelist.[N].actions servicesWhitelist.[N].domain The servicesWhitelist config settings define a white list of domains and HTTP actions that app authors are allowed to call directly from their applications using URL based services.

In addition to setting servicesWhitelist.enabled=true, for each service two additional parameters must be set:
  • servicesWhitelist.[N].domain =
  • servicesWhitelist.[N].actions =
The domain property implicitly allows sub-domains. For example, a domain property of allows URLs such as,, or

The https or http protocol included in the domain property is respected. For example, a domain property of only allows calls to secure SSL and not to non-secure

The actions property is a comma-separated list of the HTTP actions allowed for a particular domain. Valid values are GET, PUT, POST, DELETE, HEAD, and PATCH. If the actions value is missing, no actions are allowed.

Where [N] is an integer number identifying that service.

Default value: true

ibm.nitro.NitroConfig.servicesWhitelist.enabled = true
ibm.nitro.NitroConfig.servicesWhitelist.1.domain =
ibm.nitro.NitroConfig.servicesWhitelist.1.actions = GET
ibm.nitro.NitroConfig.servicesWhitelist.2.domain =
ibm.nitro.NitroConfig.servicesWhitelist.2.actions = GET, POST,PUT

Note: This white-list has no effect on service descriptions and custom service transports that were installed on the server by the administrator.
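
The following added example (not HCL code) reviews a properties file for settings on this page that weaken security: attachment lists that re-allow default-blocked types, a wildcard in runtimeCSP, secureJS=false, and servicesWhitelist entries over plain HTTP or without actions. The sample text is constructed from the sample values above with placeholder domains, and it assumes that an explicit blacklist replaces the documented default.

```python
import re

P = "ibm.nitro.NitroConfig."
ATTACH_DEFAULT_BLACKLIST = {"exe", "js", "html", "svg"}  # default documented above

# Constructed file reusing sample values from this page; domains are placeholders.
SAMPLE = """\
ibm.nitro.NitroConfig.attachmentFilesWhiteList = css js html exe text/plain mov avi
ibm.nitro.NitroConfig.attachmentFilesBlackList = exe
ibm.nitro.NitroConfig.runtimeCSP=default-src 'self' *; img-src *
ibm.nitro.ApplicationCompilerService.secureJS = false
ibm.nitro.NitroConfig.servicesWhitelist.enabled = true
ibm.nitro.NitroConfig.servicesWhitelist.1.domain = http://services.example.com
ibm.nitro.NitroConfig.servicesWhitelist.2.domain = https://api.example.com
ibm.nitro.NitroConfig.servicesWhitelist.2.actions = GET, POST,PUT
"""

def load(text):
    """Minimal key = value reader; no line continuation or escape handling."""
    rows = (ln.partition("=") for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, _, v in rows}

def lint(text):
    """Return review findings for the security-relevant settings."""
    cfg, out = load(text), []
    white = set(cfg.get(P + "attachmentFilesWhiteList", "").lower().split())
    black = set(cfg.get(P + "attachmentFilesBlackList", "").lower().split())
    for item in sorted(white & black):
        out.append(f"attachments: '{item}' is in both the whitelist and the blacklist")
    if P + "attachmentFilesBlackList" in cfg:
        # Assumption: an explicit blacklist replaces the default, so check what it dropped.
        for item in sorted((white & ATTACH_DEFAULT_BLACKLIST) - black):
            out.append(f"attachments: '{item}' is whitelisted and no longer blacklisted")
    for directive in cfg.get(P + "runtimeCSP", "").split(";"):
        name, *sources = directive.split() or [""]
        if name in ("default-src", "script-src") and "*" in sources:
            out.append(f"runtimeCSP: {name} allows any origin ('*')")
    if cfg.get("ibm.nitro.ApplicationCompilerService.secureJS", "true").lower() == "false":
        out.append("secureJS: custom JavaScript restrictions are disabled")
    for key, domain in cfg.items():
        m = re.fullmatch(re.escape(P) + r"servicesWhitelist\.(\d+)\.domain", key)
        if not m:
            continue
        n = m.group(1)
        if domain.lower().startswith("http://"):
            out.append(f"servicesWhitelist.{n}: domain permits plain HTTP")
        if not cfg.get(f"{P}servicesWhitelist.{n}.actions"):
            out.append(f"servicesWhitelist.{n}: no actions set, so no calls are allowed")
    return out

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
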
SetupAll.setupStatus After deploying Leap for the first time or upgrading to a newer version, there is a setup screen that is presented upon accessing the manage page. This setup screen shows the status of detecting and updating the database tables, checks that security is properly enabled, and a mail session is configured. This page requires the admin to click a button to fully progress through the setup.

To disable this setup page and required admin interaction add the property:
ibm.nitro.SetupAll.setupStatus = start
viewResponsesMaximumCount For DB2® or Oracle. The maximum number of records that are counted when returning record sets in pages. If the total number of records exceeds viewResponsesMaximumCount, then paging indicators will no longer accurately list the total number of pages. Setting this value higher can have performance consequences for the server if there are many users viewing forms with large response lists.

Default value: 1000

xFrameOptions Use this setting to control the X-Frame-Options response header for Leap pages, which determines if Leap can be embedded into other web pages.

ibm.nitro.NitroConfig.xFrameOptions = SAMEORIGIN
