> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# BloodHound Configuration Supplement

> This page provides example configuration details for BloodHound and BloodHound Enterprise

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

# Configuration Elements

Configuration elements with a `.` in their name are part of a nested JSON configuration block:

`tls.cert_file` translates to the following JSON structure:

```json theme={null}
{
  "tls": {
    "cert_file": "/path/to/cert"
  }
}
```

## version

Version of the configuration file. This is useful for detecting when new, breaking configuration changes occur.

## bind\_addr

Bind address for the API.

Example: `<host>:<port>`

## slow\_query\_threshold

Threshold in milliseconds for caching queries.

## max\_graphdb\_cache\_size

Number of cache items for graph queries.

## max\_api\_cache\_size

Number of cache items for API utilities.

## metrics\_port

Bind address for the tooling and metrics API.

**This port is sensitive and access must be guarded!** Bind it to a loopback or dedicated management address rather than to every interface, and restrict who can reach it.

Example: `<host>:<port>`

## root\_url

External facing HTTP URL that represents the root path for the application.

Example: `http://localhost/`

## work\_dir

Local directory for storing work files and temporary ingest artifacts.

Example: `/opt/bhe/work`

## log\_level

Default log level for the application. This parameter may be set to one of the following values:

* `"DEBUG"`
* `"INFO"`
* `"ERROR"`

## log\_path

If not empty, the application writes its log to the given file in addition to standard output.

## tls

TLS configuration to start the BloodHound API using HTTPS.

<Tip>
  For a step-by-step example on BloodHound Community Edition, see [Enable Transport Layer Security (TLS)](/get-started/custom-installation#enable-transport-layer-security-tls) in the custom installation guide.
</Tip>

### tls.cert\_file

Path to the TLS certificate file.

### tls.key\_file

Path to the private key that matches the TLS certificate.

## graph\_driver

Determines the driver to use when accessing the graph database. This parameter may be set to one of the following
values:

* `"neo4j"`
* `"pg"`

## database

### database.connection

Primary database connection URL. This URL must be specified in one of the following formats:

* `"postgresql://user:password@host:port/db_name"`

## neo4j

### neo4j.connection

Graph database connection URL when Neo4j is enabled. This URL must be specified in one of the following formats:

* `"neo4j://user:password@host:port/db_name"`

## crypto

Cryptographic configuration settings.

### crypto.jwt

JWT configuration settings.

### crypto.jwt.signing\_key

Base64-encoded signing key for user session JWTs. The API signs session JWTs with HMAC-SHA-256 (`HS256`), so the
decoded value **must be exactly 32 bytes** long. Generate it from a cryptographically secure random source and treat it
as a secret: anyone holding this key can mint a valid session token.
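The following is an added example, not BloodHound's own code, showing how to produce a `crypto.jwt.signing_key` value that satisfies the 32-byte rule, how to reject one that does not, and what the key is used for: the same key both signs and verifies an `HS256` session token, which is why it must stay secret. The key format and signing method are the ones stated above; the claims in the token are made up for illustration and the code uses only the Python standard library.

```python
"""Generate and check a crypto.jwt.signing_key value, then exercise it with HS256.

Added example, not BloodHound's own code; standard library only. The key format
(base64, 32 bytes) and the signing method (HMAC-SHA-256) come from the page; the
claims used below are made up for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional

KEY_BYTES = 32  # HMAC-SHA-256 key length the API requires


def generate_signing_key() -> str:
    """Fresh 32 random bytes from the OS CSPRNG, base64-encoded for the config file."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_signing_key(value: str) -> bytes:
    """Decode a config value and refuse anything that is not exactly 32 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("signing_key is not valid base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"signing_key decodes to {len(raw)} bytes, expected {KEY_BYTES}")
    return raw


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(key: bytes, claims: Dict[str, Any]) -> str:
    """Build a compact JWT and sign header.payload with HMAC-SHA-256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(key: bytes, token: str) -> Optional[Dict[str, Any]]:
    """Return the claims when the signature is valid under `key`, otherwise None.

    The alg header is pinned to HS256 before any signature work, so a token
    claiming "none" or an asymmetric algorithm is rejected outright.
    """
    try:
        header, payload, signature = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad structure, padding or JSON
        return None


if __name__ == "__main__":
    key_b64 = generate_signing_key()
    print("crypto.jwt.signing_key =", key_b64)
    key = decode_signing_key(key_b64)
    token = mint_hs256(key, {"sub": "admin", "exp": int(time.time()) + 3600})
    print("verified claims:", verify_hs256(key, token))
    print("other key verifies:", verify_hs256(secrets.token_bytes(32), token))
```

Paste the printed value into `crypto.jwt.signing_key` (or `bhe_crypto_jwt_signing_key`). A key that is shorter, longer, or still the `<BASE64_ENCODED_32_BYTE_KEY>` placeholder fails `decode_signing_key`, and a token minted under one key does not verify under another.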

### crypto.argon2

Argon2 cryptographic settings for password enabled authentication.

### crypto.argon2.memory\_kibibytes

Amount of memory the Argon2 password hash function should utilize. See the
[recommended parameters](https://www.password-hashing.net/argon2-specs.pdf) section of the Argon2 specification for
further information about this value.

### crypto.argon2.num\_iterations

Number of iterations the Argon2 password hash function should execute. See the
[recommended parameters](https://www.password-hashing.net/argon2-specs.pdf) section of the Argon2 specification for
further information about this value.

### crypto.argon2.num\_threads

Number of threads the Argon2 password hash function should utilize during digest. See the
[recommended parameters](https://www.password-hashing.net/argon2-specs.pdf) section of the Argon2 specification for
further information about this value.

## saml

### saml.sp\_cert

Certificate that the API instance should use when presenting as a SAML Service Provider.

### saml.sp\_key

Private RSA key that the API instance should use when presenting as a SAML Service Provider.

### saml.sp\_ca\_chain

Certificate chain that contains the signing authority for the certificate and private key the API instance should use
when presenting as a SAML Service Provider.

## default\_admin

Default admin user configuration details. This configuration drives the creation of the first user that may log in and
finish setting up the BloodHound instance.

### default\_admin.principal\_name

Principal name of the default admin user.

`Deprecated`

### default\_admin.password

Initial password for the default admin user.

### default\_admin.email\_address

Email address for the default admin user.

### default\_admin.first\_name

First name for the default admin user.

### default\_admin.last\_name

Last name for the default admin user.

### default\_admin.expire\_now

Expires the default admin user's initial password, requiring a password reset on first logon. This parameter may be set
to one of the following values:

* `true`
* `false`

## collectors\_bucket\_url

Collector bucket URL for collectors sourced upstream.

`For BloodHound Enterprise internal use only.`

## collectors\_base\_path

Collector base path for collectors sourced upstream.

`For BloodHound Enterprise internal use only.`

## datapipe\_interval

Interval in seconds that the service will wait before checking for new data.

## enable\_startup\_wait\_period

Enables a startup wait period that defers ingest and analysis until a fixed amount of time has elapsed after startup.
This parameter may be set to one of the following values:

* `true`
* `false`

## enable\_api\_logging

Enables API HTTP request logging. This parameter may be set to one of the following values:

* `true`
* `false`

## enable\_cypher\_mutations

Enables graph database mutations via the Cypher search endpoint. When enabled, anyone who can submit Cypher through
the API can write to the graph as well as read it. This parameter may be set to one of the following values:

* `true`
* `false`

## disable\_analysis

Disables graph data analysis. This parameter may be set to one of the following values:

* `true`
* `false`

## disable\_cypher\_complexity\_limit

Disables Cypher complexity limiting. With the limit disabled, queries that would otherwise be rejected as too expensive are passed straight to the graph database. This parameter may be set to one of the following values:

* `true`
* `false`

## disable\_ingest

Disables graph data ingest. This parameter may be set to one of the following values:

* `true`
* `false`

## disable\_migrations

Disables database migrations. This parameter may be set to one of the following values:

* `true`
* `false`

## graph\_query\_memory\_limit

Graph query memory limit in gigabytes.

## fedramp\_eula\_text

Text to display for the alternative FedRAMP EULA acceptance page.

## enable\_text\_logger

Enables text output instead of JSON output for the API log. This parameter may be set to
one of the following values:

* `true`
* `false`

## recreate\_default\_admin

Allows the default admin account to be recreated, which helps recover from a lockout or after loading a database
dump. This parameter may be set to one of the following values:

* `true`
* `false`

## force\_download\_embedded\_collectors

Forces BloodHound users to download the collectors that are embedded in the container. BloodHound CE only allows downloading embedded collectors. This parameter may be set to one of the following values:

* `true`
* `false`

## enable\_user\_analytics

Enables SpecterOps to gather analytics on user activity to help enhance the product. This parameter may be set to one of the following values:

* `true`
* `false`

# OS Environment Config Format

An operator may set any option via an environment variable by prefixing it with `bhe_` and replacing dots (`.`) with underscores (`_`):

```bash theme={null}
export bhe_bind_addr="192.168.100.100"
export bhe_root_url="https://example.com"
export bhe_database_connection="postgres://bhe:weneedbetterpasswords@localhost:5432/bhe"
export bhe_neo4j_connection="neo4j://bhe:weneedbetterpasswords@localhost:7687/bhe"

bhapi
```
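The following is an added example, not part of BloodHound, that implements both the nested-JSON rule from the top of this page and the environment variable rule above. The forward direction (`tls.cert_file` to `bhe_tls_cert_file`) is mechanical; the reverse direction is not, because `bhe_tls_cert_file` alone does not say where the dot was. The helper therefore resolves environment variables against `KNOWN_KEYS`, the list of dotted option names documented on this page. The `render_exports` function shell-quotes values so a database password containing spaces or quotes survives being pasted into a shell; the sample config and password are constructed for the example.

```python
"""Map between BloodHound's nested JSON config and its bhe_* environment variables.

Added example, not BloodHound's own code. The prefix and dot-to-underscore rule
come from the page; KNOWN_KEYS is the set of dotted option names documented on it.
"""
import json
import shlex
from typing import Any, Dict, Iterable, Mapping

PREFIX = "bhe_"

# Dotted option names from this page. Needed to undo the underscore mapping,
# since "bhe_tls_cert_file" alone does not say which underscore was a dot.
KNOWN_KEYS = [
    "version", "bind_addr", "slow_query_threshold", "max_graphdb_cache_size",
    "max_api_cache_size", "metrics_port", "root_url", "work_dir", "log_level",
    "log_path", "tls.cert_file", "tls.key_file", "graph_driver",
    "database.connection", "neo4j.connection", "crypto.jwt.signing_key",
    "crypto.argon2.memory_kibibytes", "crypto.argon2.num_iterations",
    "crypto.argon2.num_threads", "saml.sp_cert", "saml.sp_key", "saml.sp_ca_chain",
    "default_admin.principal_name", "default_admin.password",
    "default_admin.email_address", "default_admin.first_name",
    "default_admin.last_name", "default_admin.expire_now", "collectors_bucket_url",
    "collectors_base_path", "datapipe_interval", "enable_startup_wait_period",
    "enable_api_logging", "enable_cypher_mutations", "disable_analysis",
    "disable_cypher_complexity_limit", "disable_ingest", "disable_migrations",
    "graph_query_memory_limit", "fedramp_eula_text", "enable_text_logger",
    "recreate_default_admin", "force_download_embedded_collectors",
    "enable_user_analytics",
]


def flatten(config: Mapping[str, Any], parent: str = "") -> Dict[str, Any]:
    """Turn {"tls": {"cert_file": x}} into {"tls.cert_file": x}."""
    out: Dict[str, Any] = {}
    for key, value in config.items():
        dotted = f"{parent}.{key}" if parent else key
        if isinstance(value, Mapping):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def nest(flat: Mapping[str, Any]) -> Dict[str, Any]:
    """Inverse of flatten: dotted keys back into nested dicts."""
    out: Dict[str, Any] = {}
    for dotted, value in flat.items():
        node = out
        *parents, leaf = dotted.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out


def env_name(dotted: str) -> str:
    """Apply the page's rule: bhe_ prefix, dots become underscores."""
    return PREFIX + dotted.replace(".", "_")


def env_value(value: Any) -> str:
    # Booleans and numbers use their JSON spelling ("true", "4"); strings pass
    # through verbatim so URLs and keys are not re-quoted.
    return value if isinstance(value, str) else json.dumps(value)


def config_to_env(config: Mapping[str, Any]) -> Dict[str, str]:
    """Nested config dict -> {"bhe_tls_cert_file": "/path", ...}."""
    return {env_name(k): env_value(v) for k, v in flatten(config).items()}


def env_to_config(environ: Mapping[str, str], known: Iterable[str] = KNOWN_KEYS) -> Dict[str, Any]:
    """Pick bhe_* variables out of an environment and rebuild the nested config.

    Unknown variables are ignored and values stay strings; the service, not this
    helper, knows each option's type.
    """
    by_env = {env_name(k): k for k in known}
    flat: Dict[str, Any] = {}
    for name, value in environ.items():
        dotted = by_env.get(name)
        if dotted is not None:
            flat[dotted] = value
    return nest(flat)


def render_exports(env: Mapping[str, str]) -> str:
    """Emit shell `export` lines, quoting values so passwords survive the shell."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items()))


if __name__ == "__main__":
    # Constructed sample, not a real deployment.
    sample = {"root_url": "https://example.com", "tls": {"cert_file": "/etc/bhe/tls.crt"},
              "database": {"connection": "postgresql://bhe:it's secret@localhost/bhe"}}
    print(render_exports(config_to_env(sample)))
    print(json.dumps(env_to_config(config_to_env(sample)), indent=2))
```

Running the block prints a ready-to-source set of `export` lines and the configuration rebuilt from them; any key not in `KNOWN_KEYS` has to be added to the list before `env_to_config` can place it.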

# Example JSON Configuration

An operator may use the example below to author a JSON configuration:

```json theme={null}
{
  "version": 1,
  "bind_addr": "0.0.0.0:8080",
  "root_url": "http://0.0.0.0:8080/",
  "work_dir": "/opt/bhe_work",
  "log_level": "INFO",
  "log_path": "",
  "tls": {
    "cert_file": "",
    "key_file": ""
  },
  "graph_driver": "pg",
  "database": {
    "connection": "postgresql://bhe:bhe4eva@localhost/bhe"
  },
  "default_admin": {
    "principal_name": "admin",
    "password": "admin",
    "first_name": "Initial",
    "last_name": "Admin",
    "expire_now": true
  },
  "crypto": {
    "jwt": {
      "signing_key": "<BASE64_ENCODED_32_BYTE_KEY>"
    },
    "argon2": {
      "memory_kibibytes": 1048576,
      "num_iterations": 4,
      "num_threads": 4
    }
  },
  "saml": {
    "sp_cert": "CERT CONTENT",
    "sp_key": "-----BEGIN PRIVATE KEY-----\nKEY CONTENT\n-----END PRIVATE KEY-----"
  },
  "graph_query_memory_limit": 2,
  "force_download_embedded_collectors": false,
  "enable_user_analytics": false
}
```
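The example above is a starting point, not a deployable configuration: the `root_url` is plain HTTP with no TLS files, the initial admin password is `admin`, and the signing key is a placeholder. The following added linter, not BloodHound's own tooling, encodes the statements made on this page (the 32-byte `HS256` key, the sensitivity of `metrics_port`, what the Cypher mutation and complexity-limit flags change) and runs it over the page's example beside a constructed hardened counterpart. The hostname, certificate paths, metrics port and password in `HARDENED_CONFIG` are illustrative values, and its signing key is a fixed stand-in so the length check can be shown offline.

```python
"""Lint a BloodHound JSON configuration for settings that should not ship.

Added example, not BloodHound's own tooling. Each check restates something this
page says (HS256 needs a 32-byte key, metrics_port is sensitive, the Cypher
mutation and complexity-limit flags change what the API will do). EXAMPLE_CONFIG
is the page's sample; HARDENED_CONFIG is a constructed counterpart whose paths,
hostname, metrics port and password are illustrative values.
"""
import base64
import json
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, dotted key, message)
LOG_LEVELS = {"DEBUG", "INFO", "ERROR"}
GRAPH_DRIVERS = {"neo4j", "pg"}


def _get(cfg: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Resolve a dotted key such as "crypto.jwt.signing_key" in a nested dict."""
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint_config(cfg: Dict[str, Any]) -> List[Finding]:
    out: List[Finding] = []
    if _get(cfg, "log_level") not in LOG_LEVELS:
        out.append(("error", "log_level", f"must be one of {sorted(LOG_LEVELS)}"))
    if _get(cfg, "graph_driver") not in GRAPH_DRIVERS:
        out.append(("error", "graph_driver", f"must be one of {sorted(GRAPH_DRIVERS)}"))

    # Session JWTs are HS256-signed, so the key must decode to exactly 32 bytes;
    # a leftover placeholder is not even valid base64.
    key = _get(cfg, "crypto.jwt.signing_key", "")
    try:
        raw = base64.b64decode(key, validate=True)
        if len(raw) != 32:
            out.append(("error", "crypto.jwt.signing_key", f"decodes to {len(raw)} bytes, need 32"))
    except (ValueError, TypeError):
        out.append(("error", "crypto.jwt.signing_key", "not valid base64 (placeholder left in?)"))

    # Plain HTTP means session tokens cross the network in the clear unless
    # something in front of the API terminates TLS.
    if str(_get(cfg, "root_url", "")).startswith("http://"):
        out.append(("warn", "root_url", "plain http; set tls.* or terminate TLS in front"))
    if bool(_get(cfg, "tls.cert_file")) != bool(_get(cfg, "tls.key_file")):
        out.append(("error", "tls", "cert_file and key_file must be set together"))

    pw = str(_get(cfg, "default_admin.password", ""))
    if pw.lower() in {"", "admin", "password"} or len(pw) < 12:
        out.append(("warn", "default_admin.password", "weak initial admin password"))
    if _get(cfg, "default_admin.expire_now") is not True:
        out.append(("warn", "default_admin.expire_now", "initial password not forced to rotate"))

    if _get(cfg, "enable_cypher_mutations") is True:
        out.append(("warn", "enable_cypher_mutations", "API users can write to the graph"))
    if _get(cfg, "disable_cypher_complexity_limit") is True:
        out.append(("warn", "disable_cypher_complexity_limit", "expensive queries no longer rejected"))

    # The page flags this endpoint as sensitive; binding it everywhere is a smell.
    metrics = str(_get(cfg, "metrics_port", ""))
    if metrics.startswith(("0.0.0.0:", ":")):
        out.append(("warn", "metrics_port", "sensitive endpoint bound on all interfaces"))
    return out


# The page's sample configuration, as a dict.
EXAMPLE_CONFIG: Dict[str, Any] = {
    "version": 1, "bind_addr": "0.0.0.0:8080", "root_url": "http://0.0.0.0:8080/",
    "work_dir": "/opt/bhe_work", "log_level": "INFO", "log_path": "",
    "tls": {"cert_file": "", "key_file": ""}, "graph_driver": "pg",
    "database": {"connection": "postgresql://bhe:bhe4eva@localhost/bhe"},
    "default_admin": {"principal_name": "admin", "password": "admin",
                      "first_name": "Initial", "last_name": "Admin", "expire_now": True},
    "crypto": {"jwt": {"signing_key": "<BASE64_ENCODED_32_BYTE_KEY>"},
               "argon2": {"memory_kibibytes": 1048576, "num_iterations": 4, "num_threads": 4}},
    "graph_query_memory_limit": 2, "force_download_embedded_collectors": False,
    "enable_user_analytics": False,
}

# Constructed hardened counterpart. The key is a fixed 32-byte stand-in so the
# length check can run offline; a real deployment uses secrets.token_bytes(32).
HARDENED_CONFIG: Dict[str, Any] = json.loads(json.dumps(EXAMPLE_CONFIG))  # deep copy
HARDENED_CONFIG.update({
    "bind_addr": "0.0.0.0:8443",
    "root_url": "https://bloodhound.example.com/",
    "metrics_port": "127.0.0.1:2112",
    "tls": {"cert_file": "/etc/bhe/tls.crt", "key_file": "/etc/bhe/tls.key"},
    "enable_cypher_mutations": False,
    "disable_cypher_complexity_limit": False,
})
HARDENED_CONFIG["default_admin"]["password"] = "Rotate-Me-On-First-Login-2024"
HARDENED_CONFIG["crypto"]["jwt"]["signing_key"] = base64.b64encode(bytes(range(32))).decode()

if __name__ == "__main__":
    for name, cfg in (("example", EXAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_config(cfg) or "clean")
```

Run against the page's example, the linter reports the placeholder signing key, the plain-HTTP `root_url` and the `admin` password; the hardened counterpart comes back clean. Load a real file with `json.load` and feed it to `lint_config` before first start, since the signing key and initial admin password are the two values that cannot be quietly fixed after users have logged in.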
