Diffstat (limited to 'ca/rpki-confgen.xml')
-rw-r--r-- | ca/rpki-confgen.xml | 1031 |
1 files changed, 0 insertions, 1031 deletions
diff --git a/ca/rpki-confgen.xml b/ca/rpki-confgen.xml deleted file mode 100644 index ba33c7c9..00000000 --- a/ca/rpki-confgen.xml +++ /dev/null 
@@ -1,1031 +0,0 @@ -<!-- -*- SGML -*- - $Id$ - - Documented option definitions for rpki-confgen to use in generating - rpki.conf and TracWiki documentation. - - Copyright (C) 2009-2013 Internet Systems Consortium ("ISC") - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. ---> - -<configuration ident = "$Id$"> - - <section name = "myrpki"> - - <doc> - The "`[myrpki]`" section contains all the parameters that you - really need to configure. The name "`myrpki`" is historical and - may change in the future. - </doc> - - <option name = "handle"> - <doc> - Every resource-holding or server-operating entity needs a - "handle", which is just an identifier by which the entity - calls itself. Handles do not need to be globally unique, but - should be chosen with an eye towards debugging operational - problems: it's best if you use a handle that your parents and - children will recognize as being you. - </doc> - <doc> - The "`handle`" option in the "`[myrpki]`" section specifies the - default handle for this installation. Previous versions of - the CA tools required a separate configuration file, each with - its own handle setting, for each hosted entity. 
The current - code allows the current handle to be selected at runtime in - both the GUI and command line user interface tools, so the - handle setting here is just the default when you don't set one - explictly. In the long run, this option may go away entirely, - but for now you need to set this. - </doc> - <doc> - Syntax is an identifier (ASCII letters, digits, hyphen, - underscore -- no whitespace, non-ASCII characters, or other - punctuation). - </doc> - </option> - - <option name = "bpki_servers_directory" - value = "${autoconf::datarootdir}/rpki"> - <doc> - Directory for BPKI files generated by rpkic and used by rpkid - and pubd. You will not normally need to change this. - </doc> - </option> - - <option name = "run_rpkid" - value = "yes"> - <doc> - Whether you want to run your own copy of rpkid (and irdbd). - Leave this alone unless you're doing something unusual like - running a pubd-only installation. - </doc> - </option> - - <option name = "rpkid_server_host"> - <doc> - DNS hostname for rpkid. In most cases, this must resolve to a - publicly-reachable address to be useful, as your RPKI children - will need to contact your rpkid at this address. - </doc> - </option> - - <option name = "rpkid_server_port" - value = "4404"> - <doc> - Server port number for rpkid. This can be any legal TCP port - number that you're not using for something else. - </doc> - </option> - - <option name = "irdbd_server_host" - value = "localhost"> - <doc> - DNS hostname for irdbd, or "`localhost`". This should be - "`localhost`" unless you really know what you are doing. - </doc> - </option> - - <option name = "irdbd_server_port" - value = "4403"> - <doc> - Server port number for irdbd. This can be any legal TCP port - number that you're not using for something else. - </doc> - </option> - - <option name = "run_pubd" - value = "yes"> - <doc> - Whether you want to run your own copy of pubd. 
In general, - it's best to use your parent's pubd if your parent allows you - to do so, because this will reduce the overall number of - publication sites from which relying parties will need to - retrieve data. However, not all parents offer publication - service, or you may need to run pubd yourself for reliability - reasons, or because you're certifying private address space or - private Autonomous System Numbers. - </doc> - <doc> - The out of band setup protocol will attempt to negotiate - publication service for you with whatever publication service - your parent is using, if it can and if you let it. - </doc> - </option> - - <option name = "pubd_server_host"> - <doc> - DNS hostname for pubd, if you're running it. This must - resolve to a publicly reachable address to be useful. - </doc> - </option> - - <option name = "pubd_server_port" - value = "4402"> - <doc> - Server port number for pubd. This can be any legal TCP port - number that you're not using for something else. - </doc> - </option> - - <option name = "pubd_contact_info"> - <doc> - Contact information to include in offers of repository - service. This only matters when you're running pubd. This - should be a human readable string, perhaps containing an email - address or URL. - </doc> - </option> - - <option name = "run_rootd" - value = "no"> - <doc> - Whether you want to run your very own copy of rootd. Don't - enable this unless you really know what you're doing. - </doc> - </option> - - <option name = "rootd_server_host" - value = "localhost"> - <doc> - DNS hostname for rootd, if you're running it. This should be - localhost unless you really know what you are doing. - </doc> - </option> - - <option name = "rootd_server_port" - value = "4401"> - <doc> - Server port number for rootd, if you're running it. This can - be any legal TCP port number that you're not using for - something else. 
- </doc> - </option> - - <option name = "publication_base_directory" - value = "${autoconf::datarootdir}/rpki/publication"> - <doc> - Root of local directory tree where pubd should write out published - data. You need to configure this, and the configuration should - match up with the directory where you point rsyncd. Neither pubd - nor rsyncd much cares //where// you tell it to put this stuff, the - important thing is that the rsync URIs in generated - certificates match up with the published objects so that relying - parties can find and verify rpkid's published outputs. - </doc> - </option> - - <option name = "rrdp_publication_base_directory" - value = "${autoconf::datarootdir}/rpki/rrdp-publication"> - <doc> - Root of local directory tree where pubd should write out RRDP - files. You need to configure this, and the configuration - should match up with the directory where you point the web - server (usually Apache) that serves the RRDP files. Neither - pubd nor Apache much cares //where// you tell it to put this - stuff, the important thing is that all the URIs match up so - that relying parties can find and verify rpkid's published - outputs. - </doc> - </option> - - <option name = "publication_rsync_module" - value = "rpki"> - <doc> - rsyncd module name corresponding to publication_base_directory. - This has to match the module you configured into `rsyncd.conf`. - Leave this alone unless you have some need to change it. - </doc> - </option> - - <option name = "publication_rsync_server" - value = "${myrpki::pubd_server_host}"> - <doc> - Hostname and optional port number for rsync URIs. In most cases - this should just be the same value as pubd_server_host. - </doc> - </option> - - <option name = "publication_rrdp_base_uri" - value = "https://${myrpki::pubd_server_host}/rrdp/"> - <doc> - Base URI for RRDP notification, snapshot, and delta files. - In most cases this should be a HTTPS URL for the directory - on the publication server where the notify.xml lives. 
- </doc> - </option> - - <option name = "publication_rrdp_notification_uri" - value = "${myrpki::publication_rrdp_base_uri}notify.xml"> - <doc> - URI for RRDP notification file. You shouldn't need to change this. - </doc> - </option> - - <option name = "start_rpkid" - value = "${myrpki::run_rpkid}"> - <doc> - rpkid startup control. This should usually have the same value as - run_rpkid: the only case where you would want to change this is - when you are running the back-end code on a different machine from - one or more of the daemons, in which case you need finer control - over which daemons to start on which machines. In such cases, - run_rpkid controls whether the back-end code is doing things to - manage rpkid, while start_rpkid controls whether - rpki-start-servers attempts to start rpkid on this machine. - </doc> - </option> - - <option name = "start_irdbd" - value = "${myrpki::run_rpkid}"> - <doc> - irdbd startup control. This should usually have the same value as - run_rpkid: the only case where you would want to change this is - when you are running the back-end code on a different machine from - one or more of the daemons, in which case you need finer control - over which daemons to start on which machines. In such cases, - run_rpkid controls whether the back-end code is doing things to - manage rpkid, while start_irdbd controls whether - rpki-start-servers attempts to start irdbd on this machine. - </doc> - </option> - - <option name = "start_pubd" - value = "${myrpki::run_pubd}"> - <doc> - pubd startup control. This should usually have the same value as - run_pubd: the only case where you would want to change this is - when you are running the back-end code on a different machine from - one or more of the daemons, in which case you need finer control - over which daemons to start on which machines. 
In such cases, - run_pubd controls whether the back-end code is doing things to - manage pubd, while start_pubd controls whether - rpki-start-servers attempts to start pubd on this machine. - </doc> - </option> - - <option name = "start_rootd" - value = "${myrpki::run_rootd}"> - <doc> - rootd startup control. This should usually have the same value as - run_rootd: the only case where you would want to change this is - when you are running the back-end code on a different machine from - one or more of the daemons, in which case you need finer control - over which daemons to start on which machines. In such cases, - run_rootd controls whether the back-end code is doing things to - manage rootd, while start_rootd controls whether - rpki-start-servers attempts to start rootd on this machine. - </doc> - </option> - - <option name = "shared_sql_engine" - value = "mysql"> - <doc> - Database engine to use. Default is MySQL, because that's what - we've been using for years. Now that all runtime database - access is via Django ORM, changing to another engine supported - by Django is just a configuration issue. - </doc> - <doc> - Current supported values are "mysql" (the default), "sqlite3", - and "postgresql". - </doc> - </option> - - <option name = "shared_sql_username" - value = "rpki"> - <doc> - If you're comfortable with having all of the databases use the - same SQL username, set that value here. The default setting - of this variable should be fine. - </doc> - </option> - - <option name = "shared_sql_password"> - <doc> - If you're comfortable with having all of the databases use the - same SQL password, set that value here. You should use a - locally generated password either here or in the individual - settings below. The installation process generates a random - value for this option, which satisfies this requirement, so - ordinarily you should have no need to change this option. 
- </doc> - </option> - - <option name = "rpkid_sql_engine" - value = "${myrpki::shared_sql_engine}"> - <doc> - SQL engine to use for rpkid's database. The default setting - of this variable should be fine. - </doc> - </option> - - <option name = "rpkid_sql_database" - value = "rpkid"> - <doc> - SQL database name for rpkid's database. The default setting of - this variable should be fine. - </doc> - </option> - - <option name = "rpkid_sql_username" - value = "${myrpki::shared_sql_username}"> - <doc> - If you want to use a separate SQL username for rpkid's database, - set it here. - </doc> - </option> - - <option name = "rpkid_sql_password" - value = "${myrpki::shared_sql_password}"> - <doc> - If you want to use a separate SQL password for rpkid's database, - set it here. - </doc> - </option> - - <option name = "irdbd_sql_engine" - value = "${myrpki::shared_sql_engine}"> - <doc> - SQL engine to use for irdbd's database. The default setting - of this variable should be fine. - </doc> - </option> - - <option name = "irdbd_sql_database" - value = "irdbd"> - <doc> - SQL database for irdbd's database. The default setting of this - variable should be fine. - </doc> - </option> - - <option name = "irdbd_sql_username" - value = "${myrpki::shared_sql_username}"> - <doc> - If you want to use a separate SQL username for irdbd's database, - set it here. - </doc> - </option> - - <option name = "irdbd_sql_password" - value = "${myrpki::shared_sql_password}"> - <doc> - If you want to use a separate SQL password for irdbd's database, - set it here. - </doc> - </option> - - <option name = "pubd_sql_engine" - value = "${myrpki::shared_sql_engine}"> - <doc> - SQL engine to use for pubd's database. The default setting - of this variable should be fine. - </doc> - </option> - - <option name = "pubd_sql_database" - value = "pubd"> - <doc> - SQL database name for pubd's database. The default setting of - this variable should be fine. 
- </doc> - </option> - - <option name = "pubd_sql_username" - value = "${myrpki::shared_sql_username}"> - <doc> - If you want to use a separate SQL username for pubd's database, - set it here. - </doc> - </option> - - <option name = "pubd_sql_password" - value = "${myrpki::shared_sql_password}"> - <doc> - If you want to use a separate SQL password for pubd's database, - set it here. - </doc> - </option> - - </section> - - <section name = "rpkid"> - - <doc> - rpkid's default config file is the system `rpki.conf` file. - Start rpkid with "`-c filename`" to choose a different config - file. All options are in the "`[rpkid]`" section. BPKI - Certificates and keys may be in either DER or PEM format. - </doc> - - <option name = "sql-engine" - value = "${myrpki::rpkid_sql_engine}"> - <doc> - SQL engine for rpkid. - </doc> - </option> - - <option name = "sql-database" - value = "${myrpki::rpkid_sql_database}"> - <doc> - SQL database name for rpkid. - </doc> - </option> - - <option name = "sql-username" - value = "${myrpki::rpkid_sql_username}"> - <doc> - SQL user name for rpkid. - </doc> - </option> - - <option name = "sql-password" - value = "${myrpki::rpkid_sql_password}"> - <doc> - SQL password for rpkid. - </doc> - </option> - - <option name = "server-host" - value = "${myrpki::rpkid_server_host}"> - <doc> - Host on which rpkid should listen for HTTP service requests. - </doc> - </option> - - <option name = "server-port" - value = "${myrpki::rpkid_server_port}"> - <doc> - Port on which rpkid should listen for HTTP service requests. - </doc> - </option> - - <option name = "irdb-url" - value = "http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/"> - <doc> - HTTP service URL rpkid should use to contact irdbd. If irdbd is - running on the same machine as rpkid, this can and probably should - be a loopback URL, since nobody but rpkid needs to talk to irdbd. 
- </doc> - </option> - - <option name = "bpki-ta" - value = "${myrpki::bpki_servers_directory}/ca.cer"> - <doc> - Where rpkid should look for the BPKI trust anchor. All BPKI - certificate verification within rpkid traces back to this - trust anchor. Don't change this unless you really know what - you are doing. - </doc> - </option> - - <option name = "rpkid-cert" - value = "${myrpki::bpki_servers_directory}/rpkid.cer"> - <doc> - Where rpkid should look for its own BPKI EE certificate. Don't - change this unless you really know what you are doing. - </doc> - </option> - - <option name = "rpkid-key" - value = "${myrpki::bpki_servers_directory}/rpkid.key"> - <doc> - Where rpkid should look for the private key corresponding to its - own BPKI EE certificate. Don't change this unless you really know - what you are doing. - </doc> - </option> - - <option name = "irdb-cert" - value = "${myrpki::bpki_servers_directory}/irdbd.cer"> - <doc> - Where rpkid should look for irdbd's BPKI EE certificate. - Don't change this unless you really know what you are doing. - </doc> - </option> - - <option name = "irbe-cert" - value = "${myrpki::bpki_servers_directory}/irbe.cer"> - <doc> - Where rpkid should look for the back-end control client's BPKI EE - certificate. Don't change this unless you really know what you - are doing. - </doc> - </option> - - </section> - - <section name = "irdbd"> - - <doc> - irdbd's default configuration file is the system `rpki.conf` - file. Start irdbd with "`-c filename`" to choose a different - configuration file. All options are in the "`[irdbd]`" section. - </doc> - - <doc> - Since irdbd is part of the back-end system, it has direct access to - the back-end's SQL database, and thus is able to pull its own BPKI - configuration directly from the database, and thus needs a bit less - configuration than the other daemons. - </doc> - - <option name = "sql-engine" - value = "${myrpki::irdbd_sql_engine}"> - <doc> - SQL engine for irdbd. 
- </doc> - </option> - - <option name = "sql-database" - value = "${myrpki::irdbd_sql_database}"> - <doc> - SQL database name for irdbd. - </doc> - </option> - - <option name = "sql-username" - value = "${myrpki::irdbd_sql_username}"> - <doc> - SQL user name for irdbd. - </doc> - </option> - - <option name = "sql-password" - value = "${myrpki::irdbd_sql_password}"> - <doc> - SQL password for irdbd. - </doc> - </option> - - <option name = "server-host" - value = "${myrpki::irdbd_server_host}"> - <doc> - Host on which irdbd should listen for HTTP service requests. - </doc> - </option> - - <option name = "server-port" - value = "${myrpki::irdbd_server_port}"> - <doc> - Port on which irdbd should listen for HTTP service requests. - </doc> - </option> - - <option name = "startup-message"> - <doc> - String to log on startup, useful when debugging a collection - of irdbd instances at once. - </doc> - </option> - - </section> - - <section name = "pubd"> - - <doc> - pubd's default configuration file is the system `rpki.conf` - file. Start pubd with "`-c filename`" to choose a different - configuration file. All options are in the "`[pubd]`" section. - BPKI certificates and keys may be either DER or PEM format. - </doc> - - <option name = "sql-engine" - value = "${myrpki::pubd_sql_engine}"> - <doc> - SQL engine for pubd. - </doc> - </option> - - <option name = "sql-database" - value = "${myrpki::pubd_sql_database}"> - <doc> - SQL database name for pubd. - </doc> - </option> - - <option name = "sql-username" - value = "${myrpki::pubd_sql_username}"> - <doc> - SQL user name for pubd. - </doc> - </option> - - <option name = "sql-password" - value = "${myrpki::pubd_sql_password}"> - <doc> - SQL password for pubd. - </doc> - </option> - - <option name = "publication-base" - value = "${myrpki::publication_base_directory}"> - <doc> - Root of directory tree where pubd should write out published data. 
- You need to configure this, and the configuration should match up - with the directory where you point rsyncd. Neither pubd nor rsyncd - much cares -where- you tell them to put this stuff, the important - thing is that the rsync URIs in generated certificates match up - with the published objects so that relying parties can find and - verify rpkid's published outputs. - </doc> - </option> - - <option name = "rrdp-publication-base" - value = "${myrpki::rrdp_publication_base_directory}"> - <doc> - Root of local directory tree where pubd should write out RRDP - files. You need to configure this, and the configuration - should match up with the directory where you point the web - server (usually Apache) that serves the RRDP files. Neither - pubd nor Apache much cares //where// you tell it to put this - stuff, the important thing is that all the URIs match up so - that relying parties can find and verify rpkid's published - outputs. - </doc> - </option> - - <option name = "server-host" - value = "${myrpki::pubd_server_host}"> - <doc> - Host on which pubd should listen for HTTP service requests. - </doc> - </option> - - <option name = "server-port" - value = "${myrpki::pubd_server_port}"> - <doc> - Port on which pubd should listen for HTTP service requests. - </doc> - </option> - - <option name = "bpki-ta" - value = "${myrpki::bpki_servers_directory}/ca.cer"> - <doc> - Where pubd should look for the BPKI trust anchor. All BPKI - certificate verification within pubd traces back to this - trust anchor. Don't change this unless you really know what - you are doing. - </doc> - </option> - - <option name = "pubd-cert" - value = "${myrpki::bpki_servers_directory}/pubd.cer"> - <doc> - Where pubd should look for its own BPKI EE certificate. Don't - change this unless you really know what you are doing. 
- </doc> - </option> - - <option name = "pubd-key" - value = "${myrpki::bpki_servers_directory}/pubd.key"> - <doc> - Where pubd should look for the private key corresponding to its - own BPKI EE certificate. Don't change this unless you really know - what you are doing. - </doc> - </option> - - <option name = "pubd-crl" - value = "${myrpki::bpki_servers_directory}/ca.crl"> - <doc> - Where pubd should look for the CRL covering its own BPKI EE - certificate. Don't change this unless you really know what - you are doing. - </doc> - </option> - - <option name = "irbe-cert" - value = "${myrpki::bpki_servers_directory}/irbe.cer"> - <doc> - Where pubd should look for the back-end control client's BPKI EE - certificate. Don't change this unless you really know what you - are doing. - </doc> - </option> - - <option name = "rrdp-base-uri" - value = "${myrpki::publication_rrdp_base_uri}"> - <doc> - RRDP base URI for naming snapshots and deltas. - </doc> - </option> - - </section> - - <section name = "rootd"> - - <doc> - You don't need to run rootd unless you're IANA, are certifying - private address space, or are an RIR which refuses to accept IANA as - the root of the public address hierarchy. - </doc> - - <doc> - Ok, if that wasn't enough to scare you off: rootd is a mess, - needs to be rewritten, or, better, merged into rpkid, and - requires far too many configuration parameters. - </doc> - - <doc> - rootd was originally intended to be a very simple program which - simplified rpkid enormously by moving one specific task (acting - as the root CA of an RPKI certificate hierarchy) out of rpkid. - As the specifications and code (mostly the latter) have evolved, - however, this task has become more complicated, and rootd would - have to become much more complicated to keep up. - </doc> - - <doc> - Don't run rootd unless you're sure that you need to do so. - </doc> - - <doc> - Still think you need to run rootd? OK, but remember, you have - been warned.... 
- </doc> - - <doc> - rootd's default configuration file is the system `rpki.conf` - file. Start rootd with "`-c filename`" to choose a different - configuration file. All options are in the "`[rootd]`" section. - Certificates and keys may be in either DER or PEM format. - </doc> - - <option name = "bpki-ta" - value = "${myrpki::bpki_servers_directory}/ca.cer"> - <doc> - Where rootd should look for the BPKI trust anchor. All BPKI - certificate verification within rootd traces back to this - trust anchor. Don't change this unless you really know what - you are doing. - </doc> - </option> - - <option name = "rootd-bpki-crl" - value = "${myrpki::bpki_servers_directory}/ca.crl"> - <doc> - BPKI CRL. Don't change this unless you really know what you are - doing. - </doc> - </option> - - <option name = "rootd-bpki-cert" - value = "${myrpki::bpki_servers_directory}/rootd.cer"> - <doc> - rootd's own BPKI EE certificate. Don't change this unless you - really know what you are doing. - </doc> - </option> - - <option name = "rootd-bpki-key" - value = "${myrpki::bpki_servers_directory}/rootd.key"> - <doc> - Private key corresponding to rootd's own BPKI EE certificate. - Don't change this unless you really know what you are doing. - </doc> - </option> - - <option name = "child-bpki-cert" - value = "${myrpki::bpki_servers_directory}/child.cer"> - <doc> - BPKI certificate for rootd's one and only up-down child (RPKI - engine to which rootd issues an RPKI certificate). Don't - change this unless you really know what you are doing. - </doc> - </option> - - <option name = "pubd-bpki-cert"> - <doc> - BPKI certificate for pubd. Don't set this unless you really - know what you are doing. - </doc> - </option> - - <option name = "server-host" - value = "${myrpki::rootd_server_host}"> - <doc> - Server host on which rootd should listen. - </doc> - </option> - - <option name = "server-port" - value = "${myrpki::rootd_server_port}"> - <doc> - Server port on which rootd should listen. 
- </doc> - </option> - - <option name = "rpki_data_dir" - value = "${myrpki::bpki_servers_directory}"> - <doc> - Directory where rootd should store its RPKI data files. This - is only used to construct other variables, rootd itself - doesn't read it. - </doc> - </option> - - <option name = "rpki_base_uri" - value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/${myrpki::handle}-root/root"> - <doc> - rsync URI corresponding to directory containing rootd's - outputs. This is only used to construct other variables, - rootd itself doesn't read it. - </doc> - </option> - - <option name = "rpki-root-cert-uri" - value = "${rootd::rpki_base_uri}.cer"> - <doc> - rsync URI for rootd's root (self-signed) RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-cert-file" - value = "${rootd::rpki_data_dir}/root.cer"> - <doc> - Filename of rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-key-file" - value = "${rootd::rpki_data_dir}/root.key"> - <doc> - Private key corresponding to rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-crl-uri" - value = "${rootd::rpki_base_uri}/root.crl"> - <doc> - URI of the CRL for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-crl-file" - value = "${rootd::rpki_data_dir}/root.crl"> - <doc> - Filename of the CRL for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-manifest-uri" - value = "${rootd::rpki_base_uri}/root.mft"> - <doc> - URI of the manifest for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-manifest-file" - value = "${rootd::rpki_data_dir}/root.mft"> - <doc> - Filename of the manifest for rootd's root RPKI certificate. 
- </doc> - </option> - - <option name = "rpki-subject-pkcs10-file" - value = "${rootd::rpki_data_dir}/subject.pkcs10"> - <doc> - Where rootd should stash a copy of the PKCS #10 request it gets - from its one (and only) child - </doc> - </option> - - <option name = "rpki-subject-lifetime" - value = "30d"> - <doc> - Lifetime of the one and only RPKI certificate rootd issues. - </doc> - </option> - - <option name = "rpki-class-name" - value = "${myrpki::handle}"> - <doc> - Up-down protocol class name for RPKI certificate rootd issues to its - one (and only) child. - </doc> - </option> - - <option name = "rpki-subject-cert-uri" - value = "${rootd::rpki_base_uri}/${myrpki::handle}.cer"> - <doc> - URI of the one (and only) RPKI certificate rootd issues. - </doc> - </option> - - <option name = "rpki-subject-cert-file" - value = "${rootd::rpki_data_dir}/${myrpki::handle}.cer"> - <doc> - Filename of the one (and only) RPKI certificate rootd issues. - </doc> - </option> - - <option name = "pubd-contact-uri" - value = "http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/client/${myrpki::handle}-root"> - <doc> - URI at which rootd should contact pubd for service. - </doc> - </option> - - <option name = "rrdp-notification-uri" - value = "${myrpki::publication_rrdp_notification_uri"> - <doc> - RRDP URI for inclusion in generated objects. - </doc> - </option> - - </section> - - <section name = "web_portal"> - - <doc> - Glue to allow Django to pull user configuration from this file - rather than requiring the user to edit settings.py. - </doc> - - <!-- - We used to have SQL settings for the GUI here, but since - they're pretty much required to be identical to the ones for - irdbd at this point, the duplicate entries were just another - chance to misconfigure something, so I removed them. Not yet - sure whether this was the right approach. Too much historical - baggage in this file. - --> - - <option name = "secret-key"> - <doc> - Site-specific secret key for Django. 
- </doc> - </option> - - <option name = "allowed-hosts"> - <doc> - Name of virtual host that runs the Django GUI, if this is not - the same as the system hostname. Django's security code wants - to know the name of the virtual host on which Django is - running, and will fail when it thinks it's running on a - disallowed host. - </doc> - <doc> - If you get an error like "Invalid HTTP_HOST header (you may - need to set ALLOWED_HOSTS)", you will need to set this option. - </doc> - </option> - - <option name = "download-directory" - value = "/var/tmp"> - <doc> - A directory large enough to hold the RouteViews.org routing table dump - fetched by the rpkigui-import-routes script. - </doc> - </option> - - </section> - - <section name = "autoconf"> - - <doc> - rpki-confgen --autoconf records the current autoconf settings - here, so that other options can refer to them. The section name - "autoconf" is magic, don't change it. - </doc> - - <option name = "bindir"> - <doc> - Usually /usr/bin or /usr/local/bin. - </doc> - </option> - - <option name = "datarootdir"> - <doc> - Usually /usr/share or /usr/local/share. - </doc> - </option> - - <option name = "sbindir"> - <doc> - Usually /usr/sbin or /usr/local/sbin. - </doc> - </option> - - <option name = "sysconfdir"> - <doc> - Usually /etc or /usr/local/etc. - </doc> - </option> - - </section> - -</configuration> |
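Review bot: this hunk deletes the entire file that, per its own header comment, holds the "Documented option definitions for rpki-confgen to use in generating rpki.conf and TracWiki documentation", and the diffstat shows 0 insertions against 1031 deletions, so the commit should say where these definitions now live (or that rpki-confgen no longer consumes them); as it stands a reader cannot tell whether the generated rpki.conf defaults and option docs for the `[myrpki]`, `[rpkid]`, `[irdbd]`, `[pubd]`, `[rootd]`, `[web_portal]` and `[autoconf]` sections are being moved or dropped. If the content is being relocated, one defect in the deleted text should not be carried forward: in the `[rootd]` section the `rrdp-notification-uri` option is declared as `value = "${myrpki::publication_rrdp_notification_uri"`, missing the closing `}`, so that reference would never expand to the notification URI the doc string describes. Two smaller documentation points worth fixing in any successor: the `[pubd]` `publication-base` doc uses `-where-` while the otherwise identical `[myrpki]` text uses the `//where//` wiki markup, and the `[web_portal]` `secret-key` doc says only "Site-specific secret key for Django." without indicating that it must be kept private and generated per installation, which the `shared_sql_password` entry does spell out for its own value.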