+```
+object NotificationCommand "mail-service-notification" {
+ command = [ ConfigDir + "/scripts/mail-service-notification.sh" ]
+
+ arguments += {
+ "-4" = {
+ required = true
+ value = "$notification_address$"
+ }
+ "-6" = "$notification_address6$"
+ "-b" = "$notification_author$"
+ "-c" = "$notification_comment$"
+ "-d" = {
+ required = true
+ value = "$notification_date$"
+ }
+ "-e" = {
+ required = true
+ value = "$notification_servicename$"
+ }
+ "-f" = {
+ value = "$notification_from$"
+ description = "Set from address. Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)"
+ }
+ "-i" = "$notification_icingaweb2url$"
+ "-l" = {
+ required = true
+ value = "$notification_hostname$"
+ }
+ "-n" = {
+ required = true
+ value = "$notification_hostdisplayname$"
+ }
+ "-o" = {
+ required = true
+ value = "$notification_serviceoutput$"
+ }
+ "-r" = {
+ required = true
+ value = "$notification_useremail$"
+ }
+ "-s" = {
+ required = true
+ value = "$notification_servicestate$"
+ }
+ "-t" = {
+ required = true
+ value = "$notification_type$"
+ }
+ "-u" = {
+ required = true
+ value = "$notification_servicedisplayname$"
+ }
+ "-v" = "$notification_logtosyslog$"
+ }
+
+ vars += {
+ notification_address = "$address$"
+ notification_address6 = "$address6$"
+ notification_author = "$notification.author$"
+ notification_comment = "$notification.comment$"
+ notification_type = "$notification.type$"
+ notification_date = "$icinga.long_date_time$"
+ notification_hostname = "$host.name$"
+ notification_hostdisplayname = "$host.display_name$"
+ notification_servicename = "$service.name$"
+ notification_serviceoutput = "$service.output$"
+ notification_servicestate = "$service.state$"
+ notification_useremail = "$user.email$"
+ notification_servicedisplayname = "$service.display_name$"
+ }
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ command | Array | **Required.** The command. This can either be an array of individual command arguments. Alternatively a string can be specified in which case the shell interpreter (usually /bin/sh) takes care of parsing the command. When using the "arguments" attribute this must be an array. Can be specified as function for advanced implementations.
+ env | Dictionary | **Optional.** A dictionary of macros which should be exported as environment variables prior to executing the command.
+ vars | Dictionary | **Optional.** A dictionary containing custom attributes that are specific to this command.
+ timeout | Duration | **Optional.** The command timeout in seconds. Defaults to `1m`.
+ arguments | Dictionary | **Optional.** A dictionary of command arguments.
+
+Command arguments can be used the same way as for [CheckCommand objects](09-object-types.md#objecttype-checkcommand-arguments).
+
+More details on specific attributes can be found in [this chapter](03-monitoring-basics.md#notification-commands).
+
+## ScheduledDowntime <a id="objecttype-scheduleddowntime"></a>
+
+ScheduledDowntime objects can be used to set up recurring downtimes for hosts/services.
+
+> **Best Practice**
+>
+> Rather than creating a `ScheduledDowntime` object for a specific host or service it is usually easier
+> to just create a `ScheduledDowntime` template and use the `apply` keyword to assign the
+> scheduled downtime to a number of hosts or services. Use the `to` keyword to set the specific target
+> type for `Host` or `Service`.
+> Check the [recurring downtimes](08-advanced-topics.md#recurring-downtimes) example for details.
+
+Example:
+
+```
+object ScheduledDowntime "some-downtime" {
+ host_name = "localhost"
+ service_name = "ping4"
+
+ author = "icingaadmin"
+ comment = "Some comment"
+
+ fixed = false
+ duration = 30m
+
+ ranges = {
+ "sunday" = "02:00-03:00"
+ }
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ host\_name | Object name | **Required.** The name of the host this scheduled downtime belongs to.
+ service\_name | Object name | **Optional.** The short name of the service this scheduled downtime belongs to. If omitted, this downtime object is treated as host downtime.
+ author | String | **Required.** The author of the downtime.
+ comment | String | **Required.** A comment for the downtime.
+ fixed | Boolean | **Optional.** Whether this is a fixed downtime. Defaults to `true`.
+ duration | Duration | **Optional.** How long the downtime lasts. Only has an effect for flexible (non-fixed) downtimes.
+ ranges | Dictionary | **Required.** A dictionary containing information which days and durations apply to this timeperiod.
+ child\_options | String | **Optional.** Schedule child downtimes. `DowntimeNoChildren` does not do anything, `DowntimeTriggeredChildren` schedules child downtimes triggered by this downtime, `DowntimeNonTriggeredChildren` schedules non-triggered downtimes. Defaults to `DowntimeNoChildren`.
+
+ScheduledDowntime objects have composite names, i.e. their names are based
+on the `host_name` and `service_name` attributes and the
+name you specified. This means you can define more than one object
+with the same (short) name as long as one of the `host_name` and
+`service_name` attributes has a different value.
+
+
+## Service <a id="objecttype-service"></a>
+
+Service objects describe network services and how they should be checked
+by Icinga 2.
+
+> **Best Practice**
+>
+> Rather than creating a `Service` object for a specific host it is usually easier
+> to just create a `Service` template and use the `apply` keyword to assign the
+> service to a number of hosts.
+> Check the [apply](03-monitoring-basics.md#using-apply) chapter for details.
+
+Example:
+
+```
+object Service "uptime" {
+ host_name = "localhost"
+
+ display_name = "localhost Uptime"
+
+ check_command = "snmp"
+
+ vars.snmp_community = "public"
+ vars.snmp_oid = "DISMAN-EVENT-MIB::sysUpTimeInstance"
+
+ check_interval = 60s
+ retry_interval = 15s
+
+ groups = [ "all-services", "snmp" ]
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ display\_name | String | **Optional.** A short description of the service.
+ host\_name | Object name | **Required.** The host this service belongs to. There must be a `Host` object with that name.
+ groups | Array of object names | **Optional.** The service groups this service belongs to.
+ vars | Dictionary | **Optional.** A dictionary containing custom attributes that are specific to this service.
+ check\_command | Object name | **Required.** The name of the check command.
+ max\_check\_attempts | Number | **Optional.** The number of times a service is re-checked before changing into a hard state. Defaults to 3.
+ check\_period | Object name | **Optional.** The name of a time period which determines when this service should be checked. Not set by default.
+ check\_timeout | Duration | **Optional.** Check command timeout in seconds. Overrides the CheckCommand's `timeout` attribute.
+ check\_interval | Duration | **Optional.** The check interval (in seconds). This interval is used for checks when the service is in a `HARD` state. Defaults to `5m`.
+ retry\_interval | Duration | **Optional.** The retry interval (in seconds). This interval is used for checks when the service is in a `SOFT` state. Defaults to `1m`. Note: This does not affect the scheduling [after a passive check result](08-advanced-topics.md#check-result-freshness).
+ enable\_notifications | Boolean | **Optional.** Whether notifications are enabled. Defaults to `true`.
+ enable\_active\_checks | Boolean | **Optional.** Whether active checks are enabled. Defaults to `true`.
+ enable\_passive\_checks | Boolean | **Optional.** Whether passive checks are enabled. Defaults to `true`.
+ enable\_event\_handler | Boolean | **Optional.** Enables event handlers for this host. Defaults to `true`.
+ enable\_flapping | Boolean | **Optional.** Whether flap detection is enabled. Defaults to `false`.
+ flapping\_threshold\_high | Number | **Optional.** Flapping upper bound in percent for a service to be considered flapping. `30.0`
+ flapping\_threshold\_low | Number | **Optional.** Flapping lower bound in percent for a service to be considered not flapping. `25.0`
+ enable\_perfdata | Boolean | **Optional.** Whether performance data processing is enabled. Defaults to `true`.
+ event\_command | Object name | **Optional.** The name of an event command that should be executed every time the service's state changes or the service is in a `SOFT` state.
+ volatile | Boolean | **Optional.** Treat all state changes as HARD changes. See [here](08-advanced-topics.md#volatile-services-hosts) for details. Defaults to `false`.
+ zone | Object name | **Optional.** The zone this object is a member of. Please read the [distributed monitoring](06-distributed-monitoring.md#distributed-monitoring) chapter for details.
+ name | String | **Required.** The service name. Must be unique on a per-host basis. For advanced usage in [apply rules](03-monitoring-basics.md#using-apply) only.
+ command\_endpoint | Object name | **Optional.** The endpoint where commands are executed on.
+ notes | String | **Optional.** Notes for the service.
+ notes\_url | String | **Optional.** URL for notes for the service (for example, in notification commands).
+ action\_url | String | **Optional.** URL for actions for the service (for example, an external graphing tool).
+ icon\_image | String | **Optional.** Icon image for the service. Used by external interfaces only.
+ icon\_image\_alt | String | **Optional.** Icon image description for the service. Used by external interface only.
+
+Service objects have composite names, i.e. their names are based on the host\_name attribute and the name you specified. This means
+you can define more than one object with the same (short) name as long as the `host_name` attribute has a different value.
+
+The actual check interval might deviate slightly from the configured values due to the fact that Icinga tries
+to evenly distribute all checks over a certain period of time, i.e. to avoid load spikes.
+
+Runtime Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ next\_check | Timestamp | When the next check occurs (as a UNIX timestamp).
+ last\_check | Timestamp | When the last check occurred (as a UNIX timestamp).
+ check\_attempt | Number | The current check attempt number.
+ state\_type | Number | The current state type (0 = SOFT, 1 = HARD).
+ last\_state\_type | Number | The previous state type (0 = SOFT, 1 = HARD).
+ last\_reachable | Boolean | Whether the service was reachable when the last check occurred.
+ last\_check\_result | CheckResult | The current [check result](08-advanced-topics.md#advanced-value-types-checkresult).
+ last\_state\_change | Timestamp | When the last state change occurred (as a UNIX timestamp).
+ last\_hard\_state\_change | Timestamp | When the last hard state change occurred (as a UNIX timestamp).
+ last\_in\_downtime | Boolean | Whether the service was in a downtime when the last check occurred.
+ acknowledgement | Number | The acknowledgement type (0 = NONE, 1 = NORMAL, 2 = STICKY).
+ acknowledgement\_expiry | Timestamp | When the acknowledgement expires (as a UNIX timestamp; 0 = no expiry).
+ downtime\_depth | Number | Whether the service has one or more active downtimes.
+ flapping\_last\_change | Timestamp | When the last flapping change occurred (as a UNIX timestamp).
+ flapping\_current | Number | Current flapping value in percent (see flapping\_thresholds)
+ flapping | Boolean | Whether the host is flapping between states.
+ state | Number | The current state (0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN).
+ last\_state | Number | The previous state (0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN).
+ last\_hard\_state | Number | The last hard state (0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN).
+ last\_state\_ok | Timestamp | When the last OK state occurred (as a UNIX timestamp).
+ last\_state\_warning | Timestamp | When the last WARNING state occurred (as a UNIX timestamp).
+ last\_state\_critical | Timestamp | When the last CRITICAL state occurred (as a UNIX timestamp).
+ last\_state\_unknown | Timestamp | When the last UNKNOWN state occurred (as a UNIX timestamp).
+
+
+## ServiceGroup <a id="objecttype-servicegroup"></a>
+
+A group of services.
+
+> **Best Practice**
+>
+> Assign service group members using the [group assign](17-language-reference.md#group-assign) rules.
+
+Example:
+
+```
+object ServiceGroup "snmp" {
+ display_name = "SNMP services"
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ display\_name | String | **Optional.** A short description of the service group.
+ groups | Array of object names | **Optional.** An array of nested group names.
+
+
+
+## TimePeriod <a id="objecttype-timeperiod"></a>
+
+Time periods can be used to specify when hosts/services should be checked or to limit
+when notifications should be sent out.
+
+Examples:
+
+```
+object TimePeriod "nonworkhours" {
+ display_name = "Icinga 2 TimePeriod for non working hours"
+
+ ranges = {
+ monday = "00:00-8:00,17:00-24:00"
+ tuesday = "00:00-8:00,17:00-24:00"
+ wednesday = "00:00-8:00,17:00-24:00"
+ thursday = "00:00-8:00,17:00-24:00"
+ friday = "00:00-8:00,16:00-24:00"
+ saturday = "00:00-24:00"
+ sunday = "00:00-24:00"
+ }
+}
+
+object TimePeriod "exampledays" {
+ display_name = "Icinga 2 TimePeriod for random example days"
+
+ ranges = {
+ //We still believe in Santa, no peeking!
+ //Applies every 25th of December every year
+ "december 25" = "00:00-24:00"
+
+ //Any point in time can be specified,
+ //but you still have to use a range
+ "2038-01-19" = "03:13-03:15"
+
+ //Evey 3rd day from the second monday of February
+ //to 8th of November
+ "monday 2 february - november 8 / 3" = "00:00-24:00"
+ }
+}
+```
+
+Additional examples can be found [here](08-advanced-topics.md#timeperiods).
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ display\_name | String | **Optional.** A short description of the time period.
+ ranges | Dictionary | **Required.** A dictionary containing information which days and durations apply to this timeperiod.
+ prefer\_includes | Boolean | **Optional.** Whether to prefer timeperiods `includes` or `excludes`. Default to true.
+ excludes | Array of object names | **Optional.** An array of timeperiods, which should exclude from your timerange.
+ includes | Array of object names | **Optional.** An array of timeperiods, which should include into your timerange
+
+
+Runtime Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ is\_inside | Boolean | Whether we're currently inside this timeperiod.
+
+
+## User <a id="objecttype-user"></a>
+
+A user.
+
+Example:
+
+```
+object User "icingaadmin" {
+ display_name = "Icinga 2 Admin"
+ groups = [ "icingaadmins" ]
+ email = "icinga@localhost"
+ pager = "icingaadmin@localhost.localdomain"
+
+ period = "24x7"
+
+ states = [ OK, Warning, Critical, Unknown ]
+ types = [ Problem, Recovery ]
+
+ vars.additional_notes = "This is the Icinga 2 Admin account."
+}
+```
+
+Available notification state filters:
+
+```
+OK
+Warning
+Critical
+Unknown
+Up
+Down
+```
+
+Available notification type filters:
+
+```
+DowntimeStart
+DowntimeEnd
+DowntimeRemoved
+Custom
+Acknowledgement
+Problem
+Recovery
+FlappingStart
+FlappingEnd
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ display\_name | String | **Optional.** A short description of the user.
+ email | String | **Optional.** An email string for this user. Useful for notification commands.
+ pager | String | **Optional.** A pager string for this user. Useful for notification commands.
+ vars | Dictionary | **Optional.** A dictionary containing custom attributes that are specific to this user.
+ groups | Array of object names | **Optional.** An array of group names.
+ enable\_notifications | Boolean | **Optional.** Whether notifications are enabled for this user. Defaults to true.
+ period | Object name | **Optional.** The name of a time period which determines when a notification for this user should be triggered. Not set by default.
+ types | Array | **Optional.** A set of type filters when a notification for this user should be triggered. By default everything is matched.
+ states | Array | **Optional.** A set of state filters when a notification for this should be triggered. By default everything is matched.
+
+Runtime Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ last\_notification | Timestamp | When the last notification was sent for this user (as a UNIX timestamp).
+
+## UserGroup <a id="objecttype-usergroup"></a>
+
+A user group.
+
+> **Best Practice**
+>
+> Assign user group members using the [group assign](17-language-reference.md#group-assign) rules.
+
+Example:
+
+```
+object UserGroup "icingaadmins" {
+ display_name = "Icinga 2 Admin Group"
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ display\_name | String | **Optional.** A short description of the user group.
+ groups | Array of object names | **Optional.** An array of nested group names.
+
+
+## Zone <a id="objecttype-zone"></a>
+
+Zone objects are used to specify which Icinga 2 instances are located in a zone.
+Please read the [distributed monitoring chapter](06-distributed-monitoring.md#distributed-monitoring) for additional details.
+Example:
+
+```
+object Zone "master" {
+ endpoints = [ "icinga2-master1.localdomain", "icinga2-master2.localdomain" ]
+
+}
+
+object Zone "satellite" {
+ endpoints = [ "icinga2-satellite1.localdomain" ]
+ parent = "master"
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ endpoints | Array of object names | **Optional.** Array of endpoint names located in this zone.
+ parent | Object name | **Optional.** The name of the parent zone. (Do not specify a global zone)
+ global | Boolean | **Optional.** Whether configuration files for this zone should be [synced](06-distributed-monitoring.md#distributed-monitoring-global-zone-config-sync) to all endpoints. Defaults to `false`.
+
+Zone objects cannot currently be created with the API.
+
+
+## Runtime Objects <a id="object-types-runtime"></a>
+
+These objects are generated at runtime by the daemon
+from API actions. Downtime objects are also created
+by ScheduledDowntime objects.
+
+### Comment <a id="objecttype-comment"></a>
+
+Comments created at runtime are represented as objects.
+Note: This is for reference only. You can create comments
+with the [add-comment](12-icinga2-api.md#icinga2-api-actions-add-comment) API action.
+
+Example:
+
+```
+object Comment "my-comment" {
+ host_name = "localhost"
+ author = "icingaadmin"
+ text = "This is a comment."
+ entry_time = 1234567890
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ host\_name | Object name | **Required.** The name of the host this comment belongs to.
+ service\_name | Object name | **Optional.** The short name of the service this comment belongs to. If omitted, this comment object is treated as host comment.
+ author | String | **Required.** The author's name.
+ text | String | **Required.** The comment text.
+ entry\_time | Timestamp | **Optional.** The UNIX timestamp when this comment was added. If omitted, the entry time is volatile!
+ entry\_type | Number | **Optional.** The comment type (`User` = 1, `Downtime` = 2, `Flapping` = 3, `Acknowledgement` = 4).
+ expire\_time | Timestamp | **Optional.** The comment's expire time as UNIX timestamp.
+ persistent | Boolean | **Optional.** Only evaluated for `entry_type` Acknowledgement. `true` does not remove the comment when the acknowledgement is removed.
+
+### Downtime <a id="objecttype-downtime"></a>
+
+Downtimes created at runtime are represented as objects.
+You can create downtimes with the [schedule-downtime](12-icinga2-api.md#icinga2-api-actions-schedule-downtime) API action.
+
+Example:
+
+```
+object Downtime "my-downtime" {
+ host_name = "localhost"
+ author = "icingaadmin"
+ comment = "This is a downtime."
+ start_time = 1505312869
+ end_time = 1505312924
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ host\_name | Object name | **Required.** The name of the host this comment belongs to.
+ service\_name | Object name | **Optional.** The short name of the service this comment belongs to. If omitted, this comment object is treated as host comment.
+ author | String | **Required.** The author's name.
+ comment | String | **Required.** The comment text.
+ start\_time | Timestamp | **Required.** The start time as UNIX timestamp.
+ end\_time | Timestamp | **Required.** The end time as UNIX timestamp.
+ duration | Number | **Optional.** The duration as number.
+ entry\_time | Timestamp | **Optional.** The UNIX timestamp when this downtime was added.
+ fixed | Boolean | **Optional.** Whether the downtime is fixed (true) or flexible (false). Defaults to flexible. Details in the [advanced topics chapter](08-advanced-topics.md#fixed-flexible-downtimes).
+ triggers | Array of object names | **Optional.** List of downtimes which should be triggered by this downtime.
+
+Runtime Attributes:
+
+ Name | Type | Description
+ --------------------------|-----------------------|----------------------------------
+ trigger\_time | Timestamp | The UNIX timestamp when this downtime was triggered.
+ triggered\_by | Object name | The name of the downtime this downtime was triggered by.
+
+
+
+## Features <a id="object-types-features"></a>
+
+### ApiListener <a id="objecttype-apilistener"></a>
+
+ApiListener objects are used for distributed monitoring setups
+and API usage specifying the certificate files used for ssl
+authorization and additional restrictions.
+This configuration object is available as [api feature](11-cli-commands.md#cli-command-feature).
+
+The `TicketSalt` constant must be defined in [constants.conf](04-configuring-icinga-2.md#constants-conf).
+
+Example:
+
+```
+object ApiListener "api" {
+ accept_commands = true
+ accept_config = true
+
+ ticket_salt = TicketSalt
+}
+```
+
+Configuration Attributes:
+
+ Name | Type | Description
+ --------------------------------------|-----------------------|----------------------------------
+ cert\_path | String | **Deprecated.** Path to the public key.
+ key\_path | String | **Deprecated.** Path to the private key.
+ ca\_path | String | **Deprecated.** Path to the CA certificate file.
+ ticket\_salt | String | **Optional.** Private key for [CSR auto-signing](06-distributed-monitoring.md#distributed-monitoring-setup-csr-auto-signing). **Required** for a signing master instance.
+ crl\_path | String | **Optional.** Path to the CRL file.
+ bind\_host | String | **Optional.** The IP address the api listener should be bound to. If not specified, the ApiListener is bound to `::` and listens for both IPv4 and IPv6 connections.
+ bind\_port | Number | **Optional.** The port the api listener should be bound to. Defaults to `5665`.
+ accept\_config | Boolean | **Optional.** Accept zone configuration. Defaults to `false`.
+ accept\_commands | Boolean | **Optional.** Accept remote commands. Defaults to `false`.
+ max\_anonymous\_clients | Number | **Optional.** Limit the number of anonymous client connections (not configured endpoints and signing requests).
+ cipher\_list | String | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL`.
+ tls\_protocolmin | String | **Optional.** Minimum TLS protocol version. Must be one of `TLSv1`, `TLSv1.1` or `TLSv1.2`. Defaults to `TLSv1`.
+ tls\_handshake\_timeout | Number | **Optional.** TLS Handshake timeout. Defaults to `10s`.
+ access\_control\_allow\_origin | Array | **Optional.** Specifies an array of origin URLs that may access the API. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Origin)
+ access\_control\_allow\_credentials | Boolean | **Deprecated.** Indicates whether or not the actual request can be made using credentials. Defaults to `true`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials)
+ access\_control\_allow\_headers | String | **Deprecated.** Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Defaults to `Authorization`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers)
+ access\_control\_allow\_methods | String | **Deprecated.** Used in response to a preflight request to indicate which HTTP methods can be used when making the actual request. Defaults to `GET, POST, PUT, DELETE`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Methods)
+ environment | String | **Optional.** Used as suffix in TLS SNI extension name; default from constant `ApiEnvironment`, which is empty.
+
+The attributes `access_control_allow_credentials`, `access_control_allow_headers` and `access_control_allow_methods`
+are controlled by Icinga 2 and are not changeable by config any more.
+
+
+The ApiListener type expects its certificate files to be in the following locations:
+
+ Type | Location
+ ---------------------|-------------------------------------
+ Private key | `DataDir + "/certs/" + NodeName + ".key"`
+ Certificate file | `DataDir + "/certs/" + NodeName + ".crt"`
+ CA certificate file | `DataDir + "/certs/ca.crt"`
+
+If the deprecated attributes `cert_path`, `key_path` and/or `ca_path` are specified Icinga 2
+copies those files to the new location in `DataDir + "/certs"` unless the
+file(s) there are newer.
+
+Please check the [upgrading chapter](16-upgrading-icinga-2.md#upgrading-to-2-8-certificate-paths) for more details.
+
+While Icinga 2 and the underlying OpenSSL library use sane and secure defaults, the attributes
+`cipher_list` and `tls_protocolmin` can be used to increase communication security. A good source
+for a more secure configuration is provided by the [Mozilla Wiki](https://wiki.mozilla.org/Security/Server_Side_TLS).
+Ensure to use the same configuration for both attributes on **all** endpoints to avoid communication problems which
+requires to use `cipher_list` compatible with the endpoint using the oldest version of the OpenSSL library. If using
+other tools to connect to the API ensure also compatibility with them as this setting affects not only inter-cluster
+communcation but also the REST API.
+
+### CheckerComponent <a id="objecttype-checkercomponent"></a>
+
+The checker component is responsible for scheduling active checks.
+This configuration object is available as [checker feature](11-cli-commands.md#cli-command-feature).