diff options
| author | Rob Austein <sra@hactrn.net> | 2016-02-15 07:51:40 +0000 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2016-02-15 07:51:40 +0000 |
| commit | def95e42fda9a9e45bdf4f40a6ecb93b644dbf0b (patch) | |
| tree | 1505c5859484053e8a120acaef60869389d3d901 /rp/config/rpki-confgen.xml | |
| parent | 21527a93bf51875473bc29698189e9e9540aee1b (diff) | |
Checkpoint while shuffling stuff around for new installation scheme.
Installation of everything but Debian packages is probably broken, and
Debian packages are too at the moment due to (probably) minor errors
in buildtools/debian-skeleton, but enough has changed that this really
needs a snapshot checked in for backup.
svn path=/branches/tk705/; revision=6257
Diffstat (limited to 'rp/config/rpki-confgen.xml')
| -rw-r--r-- | rp/config/rpki-confgen.xml | 1111 |
1 files changed, 1111 insertions, 0 deletions
diff --git a/rp/config/rpki-confgen.xml b/rp/config/rpki-confgen.xml new file mode 100644 index 00000000..1b86a140 --- /dev/null +++ b/rp/config/rpki-confgen.xml @@ -0,0 +1,1111 @@ +<!-- -*- SGML -*- + $Id$ + + Documented option definitions for rpki-confgen to use in generating + rpki.conf and TracWiki documentation. + + Copyright (C) 2009-2013 Internet Systems Consortium ("ISC") + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + PERFORMANCE OF THIS SOFTWARE. +--> + +<configuration ident = "$Id$"> + + <section name = "myrpki"> + + <doc> + The "`[myrpki]`" section contains all the parameters that you + really need to configure. The name "`myrpki`" is historical and + may change in the future. + </doc> + + <option name = "handle"> + <doc> + Every resource-holding or server-operating entity needs a + "handle", which is just an identifier by which the entity + calls itself. Handles do not need to be globally unique, but + should be chosen with an eye towards debugging operational + problems: it's best if you use a handle that your parents and + children will recognize as being you. + </doc> + <doc> + The "`handle`" option in the "`[myrpki]`" section specifies the + default handle for this installation. Previous versions of + the CA tools required a separate configuration file, each with + its own handle setting, for each hosted entity. The current + code allows the current handle to be selected at runtime in + both the GUI and command line user interface tools, so the + handle setting here is just the default when you don't set one + explictly. In the long run, this option may go away entirely, + but for now you need to set this. + </doc> + <doc> + Syntax is an identifier (ASCII letters, digits, hyphen, + underscore -- no whitespace, non-ASCII characters, or other + punctuation). + </doc> + </option> + + <option name = "bpki_servers_directory" + value = "${autoconf::datarootdir}/rpki"> + <doc> + Directory for BPKI files generated by rpkic and used by rpkid + and pubd. You will not normally need to change this. + </doc> + </option> + + <option name = "run_rpkid" + value = "yes"> + <doc> + Whether you want to run your own copy of rpkid (and irdbd). + Leave this alone unless you're doing something unusual like + running a pubd-only installation. + </doc> + </option> + + <option name = "rpkid_server_host"> + <doc> + DNS hostname for rpkid. In most cases, this must resolve to a + publicly-reachable address to be useful, as your RPKI children + will need to contact your rpkid at this address. + </doc> + </option> + + <option name = "rpkid_server_port" + value = "4404"> + <doc> + Server port number for rpkid. This can be any legal TCP port + number that you're not using for something else. + </doc> + </option> + + <option name = "irdbd_server_host" + value = "localhost"> + <doc> + DNS hostname for irdbd, or "`localhost`". This should be + "`localhost`" unless you really know what you are doing. + </doc> + </option> + + <option name = "irdbd_server_port" + value = "4403"> + <doc> + Server port number for irdbd. This can be any legal TCP port + number that you're not using for something else. + </doc> + </option> + + <option name = "run_pubd" + value = "yes"> + <doc> + Whether you want to run your own copy of pubd. In general, + it's best to use your parent's pubd if your parent allows you + to do so, because this will reduce the overall number of + publication sites from which relying parties will need to + retrieve data. However, not all parents offer publication + service, or you may need to run pubd yourself for reliability + reasons, or because you're certifying private address space or + private Autonomous System Numbers. + </doc> + <doc> + The out of band setup protocol will attempt to negotiate + publication service for you with whatever publication service + your parent is using, if it can and if you let it. + </doc> + </option> + + <option name = "pubd_server_host"> + <doc> + DNS hostname for pubd, if you're running it. This must + resolve to a publicly reachable address to be useful. + </doc> + </option> + + <option name = "pubd_server_port" + value = "4402"> + <doc> + Server port number for pubd. This can be any legal TCP port + number that you're not using for something else. + </doc> + </option> + + <option name = "pubd_contact_info"> + <doc> + Contact information to include in offers of repository + service. This only matters when you're running pubd. This + should be a human readable string, perhaps containing an email + address or URL. + </doc> + </option> + + <option name = "run_rootd" + value = "no"> + <doc> + Whether you want to run your very own copy of rootd. Don't + enable this unless you really know what you're doing. + </doc> + </option> + + <option name = "rootd_server_host" + value = "localhost"> + <doc> + DNS hostname for rootd, if you're running it. This should be + localhost unless you really know what you are doing. + </doc> + </option> + + <option name = "rootd_server_port" + value = "4401"> + <doc> + Server port number for rootd, if you're running it. This can + be any legal TCP port number that you're not using for + something else. + </doc> + </option> + + <option name = "publication_base_directory" + value = "${autoconf::datarootdir}/rpki/publication"> + <doc> + Root of local directory tree where pubd should write out published + data. You need to configure this, and the configuration should + match up with the directory where you point rsyncd. Neither pubd + nor rsyncd much cares //where// you tell it to put this stuff, the + important thing is that the rsync URIs in generated + certificates match up with the published objects so that relying + parties can find and verify rpkid's published outputs. + </doc> + </option> + + <option name = "rrdp_publication_base_directory" + value = "${autoconf::datarootdir}/rpki/rrdp-publication"> + <doc> + Root of local directory tree where pubd should write out RRDP + files. You need to configure this, and the configuration + should match up with the directory where you point the web + server (usually Apache) that serves the RRDP files. Neither + pubd nor Apache much cares //where// you tell it to put this + stuff, the important thing is that all the URIs match up so + that relying parties can find and verify rpkid's published + outputs. + </doc> + </option> + + <option name = "publication_rsync_module" + value = "rpki"> + <doc> + rsyncd module name corresponding to publication_base_directory. + This has to match the module you configured into `rsyncd.conf`. + Leave this alone unless you have some need to change it. + </doc> + </option> + + <option name = "publication_rsync_server" + value = "${myrpki::pubd_server_host}"> + <doc> + Hostname and optional port number for rsync URIs. In most cases + this should just be the same value as pubd_server_host. + </doc> + </option> + + <option name = "publication_rrdp_base_uri" + value = "https://${myrpki::pubd_server_host}/rrdp/"> + <doc> + Base URI for RRDP notification, snapshot, and delta files. + In most cases this should be a HTTPS URL for the directory + on the publication server where the notify.xml lives. + </doc> + </option> + + <option name = "publication_rrdp_notification_uri" + value = "${myrpki::publication_rrdp_base_uri}notify.xml"> + <doc> + URI for RRDP notification file. You shouldn't need to change this. + </doc> + </option> + + <option name = "start_rpkid" + value = "${myrpki::run_rpkid}"> + <doc> + rpkid startup control. This should usually have the same value as + run_rpkid: the only case where you would want to change this is + when you are running the back-end code on a different machine from + one or more of the daemons, in which case you need finer control + over which daemons to start on which machines. In such cases, + run_rpkid controls whether the back-end code is doing things to + manage rpkid, while start_rpkid controls whether + rpki-start-servers attempts to start rpkid on this machine. + </doc> + </option> + + <option name = "start_irdbd" + value = "${myrpki::run_rpkid}"> + <doc> + irdbd startup control. This should usually have the same value as + run_rpkid: the only case where you would want to change this is + when you are running the back-end code on a different machine from + one or more of the daemons, in which case you need finer control + over which daemons to start on which machines. In such cases, + run_rpkid controls whether the back-end code is doing things to + manage rpkid, while start_irdbd controls whether + rpki-start-servers attempts to start irdbd on this machine. + </doc> + </option> + + <option name = "start_pubd" + value = "${myrpki::run_pubd}"> + <doc> + pubd startup control. This should usually have the same value as + run_pubd: the only case where you would want to change this is + when you are running the back-end code on a different machine from + one or more of the daemons, in which case you need finer control + over which daemons to start on which machines. In such cases, + run_pubd controls whether the back-end code is doing things to + manage pubd, while start_pubd controls whether + rpki-start-servers attempts to start pubd on this machine. + </doc> + </option> + + <option name = "start_rootd" + value = "${myrpki::run_rootd}"> + <doc> + rootd startup control. This should usually have the same value as + run_rootd: the only case where you would want to change this is + when you are running the back-end code on a different machine from + one or more of the daemons, in which case you need finer control + over which daemons to start on which machines. In such cases, + run_rootd controls whether the back-end code is doing things to + manage rootd, while start_rootd controls whether + rpki-start-servers attempts to start rootd on this machine. + </doc> + </option> + + <option name = "shared_sql_engine" + value = "mysql"> + <doc> + Database engine to use. Default is MySQL, because that's what + we've been using for years. Now that all runtime database + access is via Django ORM, changing to another engine supported + by Django is just a configuration issue. + </doc> + <doc> + Current supported values are "mysql" (the default), "sqlite3", + and "postgresql". In theory it should be straightforward to + add support for any SQL engine Django supports. + </doc> + </option> + + <option name = "shared_sql_username" + value = "rpki"> + <doc> + If you're comfortable with having all of the databases use the + same SQL username, set that value here. The default setting + of this variable should be fine. + </doc> + </option> + + <option name = "shared_sql_password"> + <doc> + If you're comfortable with having all of the databases use the + same SQL password, set that value here. You should use a + locally generated password either here or in the individual + settings below. The installation process generates a random + value for this option, which satisfies this requirement, so + ordinarily you should have no need to change this option. + </doc> + </option> + + <option name = "rcynic_sql_engine" + value = "${myrpki::shared_sql_engine}"> + <doc> + SQL engine to use for rcynic's database. The default setting + of this variable should be fine. + </doc> + </option> + + <option name = "rcynic_sql_database" + value = "rcynic"> + <doc> + SQL database name for rcynic's database. The default setting of + this variable should be fine. + </doc> + </option> + + <option name = "rcynic_sql_username" + value = "${myrpki::shared_sql_username}"> + <doc> + If you want to use a separate SQL username for rcynic's database, + set it here. + </doc> + </option> + + <option name = "rcynic_sql_password" + value = "${myrpki::shared_sql_password}"> + <doc> + If you want to use a separate SQL password for rcynic's database, + set it here. + </doc> + </option> + + <option name = "rpkid_sql_engine" + value = "${myrpki::shared_sql_engine}"> + <doc> + SQL engine to use for rpkid's database. The default setting + of this variable should be fine. + </doc> + </option> + + <option name = "rpkid_sql_database" + value = "rpkid"> + <doc> + SQL database name for rpkid's database. The default setting of + this variable should be fine. + </doc> + </option> + + <option name = "rpkid_sql_username" + value = "${myrpki::shared_sql_username}"> + <doc> + If you want to use a separate SQL username for rpkid's database, + set it here. + </doc> + </option> + + <option name = "rpkid_sql_password" + value = "${myrpki::shared_sql_password}"> + <doc> + If you want to use a separate SQL password for rpkid's database, + set it here. + </doc> + </option> + + <option name = "irdbd_sql_engine" + value = "${myrpki::shared_sql_engine}"> + <doc> + SQL engine to use for irdbd's database. The default setting + of this variable should be fine. + </doc> + </option> + + <option name = "irdbd_sql_database" + value = "irdbd"> + <doc> + SQL database for irdbd's database. The default setting of this + variable should be fine. + </doc> + </option> + + <option name = "irdbd_sql_username" + value = "${myrpki::shared_sql_username}"> + <doc> + If you want to use a separate SQL username for irdbd's database, + set it here. + </doc> + </option> + + <option name = "irdbd_sql_password" + value = "${myrpki::shared_sql_password}"> + <doc> + If you want to use a separate SQL password for irdbd's database, + set it here. + </doc> + </option> + + <option name = "pubd_sql_engine" + value = "${myrpki::shared_sql_engine}"> + <doc> + SQL engine to use for pubd's database. The default setting + of this variable should be fine. + </doc> + </option> + + <option name = "pubd_sql_database" + value = "pubd"> + <doc> + SQL database name for pubd's database. The default setting of + this variable should be fine. + </doc> + </option> + + <option name = "pubd_sql_username" + value = "${myrpki::shared_sql_username}"> + <doc> + If you want to use a separate SQL username for pubd's database, + set it here. + </doc> + </option> + + <option name = "pubd_sql_password" + value = "${myrpki::shared_sql_password}"> + <doc> + If you want to use a separate SQL password for pubd's database, + set it here. + </doc> + </option> + + </section> + + <section name = "rcynic"> + + <doc> + rcynicng, unlike it's predecessor, uses the same `rpki.conf` + file as all the other programs in the RPKI toolkit. Start + rcynicng with "`-c filename`" to choose a different + configuration file. All options are in the "`[rcynic]`" + section. + </doc> + + <doc> + This section isn't really fleshed out yet, and just contains the + settings needed for the new SQL code to work. This will change + as the stuff that's currently only configurable on rcynicng's + command line becomes integrated with the configuration file. + </doc> + + <option name = "sql-engine" + value = "${myrpki::rcynic_sql_engine}"> + <doc> + SQL engine for rcynic. + </doc> + </option> + + <option name = "sql-database" + value = "${myrpki::rcynic_sql_database}"> + <doc> + SQL database name for rcynic. + </doc> + </option> + + <option name = "sql-username" + value = "${myrpki::rcynic_sql_username}"> + <doc> + SQL user name for rcynic. + </doc> + </option> + + <option name = "sql-password" + value = "${myrpki::rcynic_sql_password}"> + <doc> + SQL password for rcynic. + </doc> + </option> + + </section> + + <section name = "rpkid"> + + <doc> + rpkid's default config file is the system `rpki.conf` file. + Start rpkid with "`-c filename`" to choose a different config + file. All options are in the "`[rpkid]`" section. BPKI + Certificates and keys may be in either DER or PEM format. + </doc> + + <option name = "sql-engine" + value = "${myrpki::rpkid_sql_engine}"> + <doc> + SQL engine for rpkid. + </doc> + </option> + + <option name = "sql-database" + value = "${myrpki::rpkid_sql_database}"> + <doc> + SQL database name for rpkid. + </doc> + </option> + + <option name = "sql-username" + value = "${myrpki::rpkid_sql_username}"> + <doc> + SQL user name for rpkid. + </doc> + </option> + + <option name = "sql-password" + value = "${myrpki::rpkid_sql_password}"> + <doc> + SQL password for rpkid. + </doc> + </option> + + <option name = "server-host" + value = "${myrpki::rpkid_server_host}"> + <doc> + Host on which rpkid should listen for HTTP service requests. + </doc> + </option> + + <option name = "server-port" + value = "${myrpki::rpkid_server_port}"> + <doc> + Port on which rpkid should listen for HTTP service requests. + </doc> + </option> + + <option name = "irdb-url" + value = "http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/"> + <doc> + HTTP service URL rpkid should use to contact irdbd. If irdbd is + running on the same machine as rpkid, this can and probably should + be a loopback URL, since nobody but rpkid needs to talk to irdbd. + </doc> + </option> + + <option name = "bpki-ta" + value = "${myrpki::bpki_servers_directory}/ca.cer"> + <doc> + Where rpkid should look for the BPKI trust anchor. All BPKI + certificate verification within rpkid traces back to this + trust anchor. Don't change this unless you really know what + you are doing. + </doc> + </option> + + <option name = "rpkid-cert" + value = "${myrpki::bpki_servers_directory}/rpkid.cer"> + <doc> + Where rpkid should look for its own BPKI EE certificate. Don't + change this unless you really know what you are doing. + </doc> + </option> + + <option name = "rpkid-key" + value = "${myrpki::bpki_servers_directory}/rpkid.key"> + <doc> + Where rpkid should look for the private key corresponding to its + own BPKI EE certificate. Don't change this unless you really know + what you are doing. + </doc> + </option> + + <option name = "irdb-cert" + value = "${myrpki::bpki_servers_directory}/irdbd.cer"> + <doc> + Where rpkid should look for irdbd's BPKI EE certificate. + Don't change this unless you really know what you are doing. + </doc> + </option> + + <option name = "irbe-cert" + value = "${myrpki::bpki_servers_directory}/irbe.cer"> + <doc> + Where rpkid should look for the back-end control client's BPKI EE + certificate. Don't change this unless you really know what you + are doing. + </doc> + </option> + + </section> + + <section name = "irdbd"> + + <doc> + irdbd's default configuration file is the system `rpki.conf` + file. Start irdbd with "`-c filename`" to choose a different + configuration file. All options are in the "`[irdbd]`" section. + </doc> + + <doc> + Since irdbd is part of the back-end system, it has direct access to + the back-end's SQL database, and thus is able to pull its own BPKI + configuration directly from the database, and thus needs a bit less + configuration than the other daemons. + </doc> + + <option name = "sql-engine" + value = "${myrpki::irdbd_sql_engine}"> + <doc> + SQL engine for irdbd. + </doc> + </option> + + <option name = "sql-database" + value = "${myrpki::irdbd_sql_database}"> + <doc> + SQL database name for irdbd. + </doc> + </option> + + <option name = "sql-username" + value = "${myrpki::irdbd_sql_username}"> + <doc> + SQL user name for irdbd. + </doc> + </option> + + <option name = "sql-password" + value = "${myrpki::irdbd_sql_password}"> + <doc> + SQL password for irdbd. + </doc> + </option> + + <option name = "server-host" + value = "${myrpki::irdbd_server_host}"> + <doc> + Host on which irdbd should listen for HTTP service requests. + </doc> + </option> + + <option name = "server-port" + value = "${myrpki::irdbd_server_port}"> + <doc> + Port on which irdbd should listen for HTTP service requests. + </doc> + </option> + + <option name = "startup-message"> + <doc> + String to log on startup, useful when debugging a collection + of irdbd instances at once. + </doc> + </option> + + </section> + + <section name = "pubd"> + + <doc> + pubd's default configuration file is the system `rpki.conf` + file. Start pubd with "`-c filename`" to choose a different + configuration file. All options are in the "`[pubd]`" section. + BPKI certificates and keys may be either DER or PEM format. + </doc> + + <option name = "sql-engine" + value = "${myrpki::pubd_sql_engine}"> + <doc> + SQL engine for pubd. + </doc> + </option> + + <option name = "sql-database" + value = "${myrpki::pubd_sql_database}"> + <doc> + SQL database name for pubd. + </doc> + </option> + + <option name = "sql-username" + value = "${myrpki::pubd_sql_username}"> + <doc> + SQL user name for pubd. + </doc> + </option> + + <option name = "sql-password" + value = "${myrpki::pubd_sql_password}"> + <doc> + SQL password for pubd. + </doc> + </option> + + <option name = "publication-base" + value = "${myrpki::publication_base_directory}"> + <doc> + Root of directory tree where pubd should write out published data. + You need to configure this, and the configuration should match up + with the directory where you point rsyncd. Neither pubd nor rsyncd + much cares -where- you tell them to put this stuff, the important + thing is that the rsync URIs in generated certificates match up + with the published objects so that relying parties can find and + verify rpkid's published outputs. + </doc> + </option> + + <option name = "rrdp-publication-base" + value = "${myrpki::rrdp_publication_base_directory}"> + <doc> + Root of local directory tree where pubd should write out RRDP + files. You need to configure this, and the configuration + should match up with the directory where you point the web + server (usually Apache) that serves the RRDP files. Neither + pubd nor Apache much cares //where// you tell it to put this + stuff, the important thing is that all the URIs match up so + that relying parties can find and verify rpkid's published + outputs. + </doc> + </option> + + <option name = "server-host" + value = "${myrpki::pubd_server_host}"> + <doc> + Host on which pubd should listen for HTTP service requests. + </doc> + </option> + + <option name = "server-port" + value = "${myrpki::pubd_server_port}"> + <doc> + Port on which pubd should listen for HTTP service requests. + </doc> + </option> + + <option name = "bpki-ta" + value = "${myrpki::bpki_servers_directory}/ca.cer"> + <doc> + Where pubd should look for the BPKI trust anchor. All BPKI + certificate verification within pubd traces back to this + trust anchor. Don't change this unless you really know what + you are doing. + </doc> + </option> + + <option name = "pubd-cert" + value = "${myrpki::bpki_servers_directory}/pubd.cer"> + <doc> + Where pubd should look for its own BPKI EE certificate. Don't + change this unless you really know what you are doing. + </doc> + </option> + + <option name = "pubd-key" + value = "${myrpki::bpki_servers_directory}/pubd.key"> + <doc> + Where pubd should look for the private key corresponding to its + own BPKI EE certificate. Don't change this unless you really know + what you are doing. + </doc> + </option> + + <option name = "pubd-crl" + value = "${myrpki::bpki_servers_directory}/ca.crl"> + <doc> + Where pubd should look for the CRL covering its own BPKI EE + certificate. Don't change this unless you really know what + you are doing. + </doc> + </option> + + <option name = "irbe-cert" + value = "${myrpki::bpki_servers_directory}/irbe.cer"> + <doc> + Where pubd should look for the back-end control client's BPKI EE + certificate. Don't change this unless you really know what you + are doing. + </doc> + </option> + + <option name = "rrdp-base-uri" + value = "${myrpki::publication_rrdp_base_uri}"> + <doc> + RRDP base URI for naming snapshots and deltas. + </doc> + </option> + + </section> + + <section name = "rootd"> + + <doc> + You don't need to run rootd unless you're IANA, are certifying + private address space, or are an RIR which refuses to accept IANA as + the root of the public address hierarchy. + </doc> + + <doc> + Ok, if that wasn't enough to scare you off: rootd is a mess, + needs to be rewritten, or, better, merged into rpkid, and + requires far too many configuration parameters. + </doc> + + <doc> + rootd was originally intended to be a very simple program which + simplified rpkid enormously by moving one specific task (acting + as the root CA of an RPKI certificate hierarchy) out of rpkid. + As the specifications and code (mostly the latter) have evolved, + however, this task has become more complicated, and rootd would + have to become much more complicated to keep up. + </doc> + + <doc> + Don't run rootd unless you're sure that you need to do so. + </doc> + + <doc> + Still think you need to run rootd? OK, but remember, you have + been warned.... + </doc> + + <doc> + rootd's default configuration file is the system `rpki.conf` + file. Start rootd with "`-c filename`" to choose a different + configuration file. All options are in the "`[rootd]`" section. + Certificates and keys may be in either DER or PEM format. + </doc> + + <option name = "bpki-ta" + value = "${myrpki::bpki_servers_directory}/ca.cer"> + <doc> + Where rootd should look for the BPKI trust anchor. All BPKI + certificate verification within rootd traces back to this + trust anchor. Don't change this unless you really know what + you are doing. + </doc> + </option> + + <option name = "rootd-bpki-crl" + value = "${myrpki::bpki_servers_directory}/ca.crl"> + <doc> + BPKI CRL. Don't change this unless you really know what you are + doing. + </doc> + </option> + + <option name = "rootd-bpki-cert" + value = "${myrpki::bpki_servers_directory}/rootd.cer"> + <doc> + rootd's own BPKI EE certificate. Don't change this unless you + really know what you are doing. + </doc> + </option> + + <option name = "rootd-bpki-key" + value = "${myrpki::bpki_servers_directory}/rootd.key"> + <doc> + Private key corresponding to rootd's own BPKI EE certificate. + Don't change this unless you really know what you are doing. + </doc> + </option> + + <option name = "child-bpki-cert" + value = "${myrpki::bpki_servers_directory}/child.cer"> + <doc> + BPKI certificate for rootd's one and only up-down child (RPKI + engine to which rootd issues an RPKI certificate). Don't + change this unless you really know what you are doing. + </doc> + </option> + + <option name = "pubd-bpki-cert"> + <doc> + BPKI certificate for pubd. Don't set this unless you really + know what you are doing. + </doc> + </option> + + <option name = "server-host" + value = "${myrpki::rootd_server_host}"> + <doc> + Server host on which rootd should listen. + </doc> + </option> + + <option name = "server-port" + value = "${myrpki::rootd_server_port}"> + <doc> + Server port on which rootd should listen. + </doc> + </option> + + <option name = "rpki_data_dir" + value = "${myrpki::bpki_servers_directory}"> + <doc> + Directory where rootd should store its RPKI data files. This + is only used to construct other variables, rootd itself + doesn't read it. + </doc> + </option> + + <option name = "rpki_base_uri" + value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/${myrpki::handle}-root/root"> + <doc> + rsync URI corresponding to directory containing rootd's + outputs. This is only used to construct other variables, + rootd itself doesn't read it. + </doc> + </option> + + <option name = "rpki-root-cert-uri" + value = "${rootd::rpki_base_uri}.cer"> + <doc> + rsync URI for rootd's root (self-signed) RPKI certificate. + </doc> + </option> + + <option name = "rpki-root-cert-file" + value = "${rootd::rpki_data_dir}/root.cer"> + <doc> + Filename of rootd's root RPKI certificate. + </doc> + </option> + + <option name = "rpki-root-key-file" + value = "${rootd::rpki_data_dir}/root.key"> + <doc> + Private key corresponding to rootd's root RPKI certificate. + </doc> + </option> + + <option name = "rpki-root-crl-uri" + value = "${rootd::rpki_base_uri}/root.crl"> + <doc> + URI of the CRL for rootd's root RPKI certificate. + </doc> + </option> + + <option name = "rpki-root-crl-file" + value = "${rootd::rpki_data_dir}/root.crl"> + <doc> + Filename of the CRL for rootd's root RPKI certificate. + </doc> + </option> + + <option name = "rpki-root-manifest-uri" + value = "${rootd::rpki_base_uri}/root.mft"> + <doc> + URI of the manifest for rootd's root RPKI certificate. + </doc> + </option> + + <option name = "rpki-root-manifest-file" + value = "${rootd::rpki_data_dir}/root.mft"> + <doc> + Filename of the manifest for rootd's root RPKI certificate. + </doc> + </option> + + <option name = "rpki-subject-pkcs10-file" + value = "${rootd::rpki_data_dir}/subject.pkcs10"> + <doc> + Where rootd should stash a copy of the PKCS #10 request it gets + from its one (and only) child + </doc> + </option> + + <option name = "rpki-subject-lifetime" + value = "30d"> + <doc> + Lifetime of the one and only RPKI certificate rootd issues. + </doc> + </option> + + <option name = "rpki-class-name" + value = "${myrpki::handle}"> + <doc> + Up-down protocol class name for RPKI certificate rootd issues to its + one (and only) child. + </doc> + </option> + + <option name = "rpki-subject-cert-uri" + value = "${rootd::rpki_base_uri}/${myrpki::handle}.cer"> + <doc> + URI of the one (and only) RPKI certificate rootd issues. + </doc> + </option> + + <option name = "rpki-subject-cert-file" + value = "${rootd::rpki_data_dir}/${myrpki::handle}.cer"> + <doc> + Filename of the one (and only) RPKI certificate rootd issues. + </doc> + </option> + + <option name = "pubd-contact-uri" + value = "http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/client/${myrpki::handle}-root"> + <doc> + URI at which rootd should contact pubd for service. + </doc> + </option> + + <option name = "rrdp-notification-uri" + value = "${myrpki::publication_rrdp_notification_uri"> + <doc> + RRDP URI for inclusion in generated objects. + </doc> + </option> + + </section> + + <section name = "web_portal"> + + <doc> + Glue to allow Django to pull user configuration from this file + rather than requiring the user to edit settings.py. + </doc> + + <!-- + We used to have SQL settings for the GUI here, but since + they're pretty much required to be identical to the ones for + irdbd at this point, the duplicate entries were just another + chance to misconfigure something, so I removed them. Not yet + sure whether this was the right approach. Too much historical + baggage in this file. + --> + + <option name = "secret-key"> + <doc> + Site-specific secret key for Django. + </doc> + </option> + + <option name = "allowed-hosts"> + <doc> + Name of virtual host that runs the Django GUI, if this is not + the same as the system hostname. Django's security code wants + to know the name of the virtual host on which Django is + running, and will fail when it thinks it's running on a + disallowed host. + </doc> + <doc> + If you get an error like "Invalid HTTP_HOST header (you may + need to set ALLOWED_HOSTS)", you will need to set this option. + </doc> + </option> + + <option name = "download-directory" + value = "/var/tmp"> + <doc> + A directory large enough to hold the RouteViews.org routing table dump + fetched by the rpkigui-import-routes script. + </doc> + </option> + + </section> + + <section name = "autoconf"> + + <doc> + rpki-confgen --autoconf records the current autoconf settings + here, so that other options can refer to them. The section name + "autoconf" is magic, don't change it. + </doc> + + <option name = "bindir"> + <doc> + Usually /usr/bin or /usr/local/bin. + </doc> + </option> + + <option name = "datarootdir"> + <doc> + Usually /usr/share or /usr/local/share. + </doc> + </option> + + <option name = "sbindir"> + <doc> + Usually /usr/sbin or /usr/local/sbin. + </doc> + </option> + + <option name = "sysconfdir"> + <doc> + Usually /etc or /usr/local/etc. + </doc> + </option> + + </section> + +</configuration> |