Diffstat (limited to 'doc/14.RPKI.CA.Configuration.myrpki.wiki')
-rw-r--r--  doc/14.RPKI.CA.Configuration.myrpki.wiki  413
1 files changed, 413 insertions, 0 deletions
diff --git a/doc/14.RPKI.CA.Configuration.myrpki.wiki b/doc/14.RPKI.CA.Configuration.myrpki.wiki
new file mode 100644
index 00000000..d5611841
--- /dev/null
+++ b/doc/14.RPKI.CA.Configuration.myrpki.wiki
@@ -0,0 +1,413 @@
+{{{
+#!comment
+
+******************************************************************************
+THIS PAGE WAS GENERATED AUTOMATICALLY, DO NOT EDIT.
+
+Generated from $Id: rpki-confgen.xml 6070 2015-03-23 18:04:06Z melkins $
+ by $Id: rpki-confgen 5856 2014-05-31 18:32:19Z sra $
+******************************************************************************
+
+}}}
+[[TracNav(doc/RPKI/TOC)]]
+[[PageOutline]]
+
+= [myrpki] section = #myrpki
+
+The "`[myrpki]`" section contains all the parameters that you really
+need to configure. The name "`myrpki`" is historical and may change in
+the future.
+
+== handle == #handle
+
+Every resource-holding or server-operating entity needs a "handle",
+which is just an identifier by which the entity calls itself. Handles
+do not need to be globally unique, but should be chosen with an eye
+towards debugging operational problems: it's best if you use a handle
+that your parents and children will recognize as being you.
+
+The "`handle`" option in the "`[myrpki]`" section specifies the
+default handle for this installation. Previous versions of the CA
+tools required a separate configuration file, each with its own handle
+setting, for each hosted entity. The current code allows the current
+handle to be selected at runtime in both the GUI and command line user
+interface tools, so the handle setting here is just the default when
+you don't set one explictly. In the long run, this option may go away
+entirely, but for now you need to set this.
+
+Syntax is an identifier (ASCII letters, digits, hyphen, underscore --
+no whitespace, non-ASCII characters, or other punctuation).
+
+No default value.
+
+== bpki_servers_directory == #bpki_servers_directory
+
+Directory for BPKI files generated by rpkic and used by rpkid and
+pubd. You will not normally need to change this.
+
+{{{
+#!ini
+bpki_servers_directory = ${autoconf::datarootdir}/rpki
+}}}
+
+== run_rpkid == #run_rpkid
+
+Whether you want to run your own copy of rpkid (and irdbd). Leave this
+alone unless you're doing something unusual like running a pubd-only
+installation.
+
+{{{
+#!ini
+run_rpkid = yes
+}}}
+
+== rpkid_server_host == #rpkid_server_host
+
+DNS hostname for rpkid. In most cases, this must resolve to a
+publicly-reachable address to be useful, as your RPKI children will
+need to contact your rpkid at this address.
+
+No default value.
+
+== rpkid_server_port == #rpkid_server_port
+
+Server port number for rpkid. This can be any legal TCP port number
+that you're not using for something else.
+
+{{{
+#!ini
+rpkid_server_port = 4404
+}}}
+
+== irdbd_server_host == #irdbd_server_host
+
+DNS hostname for irdbd, or "`localhost`". This should be "`localhost`"
+unless you really know what you are doing.
+
+{{{
+#!ini
+irdbd_server_host = localhost
+}}}
+
+== irdbd_server_port == #irdbd_server_port
+
+Server port number for irdbd. This can be any legal TCP port number
+that you're not using for something else.
+
+{{{
+#!ini
+irdbd_server_port = 4403
+}}}
+
+== run_pubd == #run_pubd
+
+Whether you want to run your own copy of pubd. In general, it's best
+to use your parent's pubd if your parent allows you to do so, because
+this will reduce the overall number of publication sites from which
+relying parties will need to retrieve data. However, not all parents
+offer publication service, or you may need to run pubd yourself for
+reliability reasons, or because you're certifying private address
+space or private Autonomous System Numbers.
+
+The out of band setup protocol will attempt to negotiate publication
+service for you with whatever publication service your parent is
+using, if it can and if you let it.
+
+{{{
+#!ini
+run_pubd = yes
+}}}
+
+== pubd_server_host == #pubd_server_host
+
+DNS hostname for pubd, if you're running it. This must resolve to a
+publicly reachable address to be useful.
+
+No default value.
+
+== pubd_server_port == #pubd_server_port
+
+Server port number for pubd. This can be any legal TCP port number
+that you're not using for something else.
+
+{{{
+#!ini
+pubd_server_port = 4402
+}}}
+
+== pubd_contact_info == #pubd_contact_info
+
+Contact information to include in offers of repository service. This
+only matters when you're running pubd. This should be a human readable
+string, perhaps containing an email address or URL.
+
+No default value.
+
+== run_rootd == #run_rootd
+
+Whether you want to run your very own copy of rootd. Don't enable this
+unless you really know what you're doing.
+
+{{{
+#!ini
+run_rootd = no
+}}}
+
+== rootd_server_host == #rootd_server_host
+
+DNS hostname for rootd, if you're running it. This should be localhost
+unless you really know what you are doing.
+
+{{{
+#!ini
+rootd_server_host = localhost
+}}}
+
+== rootd_server_port == #rootd_server_port
+
+Server port number for rootd, if you're running it. This can be any
+legal TCP port number that you're not using for something else.
+
+{{{
+#!ini
+rootd_server_port = 4401
+}}}
+
+== publication_base_directory == #publication_base_directory
+
+Root of local directory tree where pubd should write out published
+data. You need to configure this, and the configuration should match
+up with the directory where you point rsyncd. Neither pubd nor rsyncd
+much cares //where// you tell it to put this stuff, the important
+thing is that the rsync URIs in generated certificates match up with
+the published objects so that relying parties can find and verify
+rpkid's published outputs.
+
+{{{
+#!ini
+publication_base_directory = ${autoconf::datarootdir}/rpki/publication
+}}}
+
+== publication_root_cert_directory == #publication_root_cert_directory
+
+Root of local directory tree where rootd (sigh) should write out
+published data. This is just like publication_base_directory, but
+rootd is too dumb to use pubd and needs its own directory in which to
+write one certificate, one CRL, and one manifest. Neither rootd nor
+rsyncd much cares //where// you tell them to put this stuff, the
+important thing is that the rsync URIs in generated certificates match
+up with the published objects so that relying parties can find and
+verify rootd's published outputs.
+
+{{{
+#!ini
+publication_root_cert_directory = ${myrpki::publication_base_directory}.root
+}}}
+
+== publication_rsync_module == #publication_rsync_module
+
+rsyncd module name corresponding to publication_base_directory. This
+has to match the module you configured into `rsyncd.conf`. Leave this
+alone unless you have some need to change it.
+
+{{{
+#!ini
+publication_rsync_module = rpki
+}}}
+
+== publication_root_module == #publication_root_module
+
+rsyncd module name corresponding to publication_root_cert_directory.
+This has to match the module you configured into `rsyncd.conf`. Leave
+this alone unless you have some need to change it.
+
+{{{
+#!ini
+publication_root_module = root
+}}}
+
+== publication_rsync_server == #publication_rsync_server
+
+Hostname and optional port number for rsync URIs. In most cases this
+should just be the same value as pubd_server_host.
+
+{{{
+#!ini
+publication_rsync_server = ${myrpki::pubd_server_host}
+}}}
+
+== start_rpkid == #start_rpkid
+
+rpkid startup control. This should usually have the same value as
+run_rpkid: the only case where you would want to change this is when
+you are running the back-end code on a different machine from one or
+more of the daemons, in which case you need finer control over which
+daemons to start on which machines. In such cases, run_rpkid controls
+whether the back-end code is doing things to manage rpkid, while
+start_rpkid controls whether rpki-start-servers attempts to start
+rpkid on this machine.
+
+{{{
+#!ini
+start_rpkid = ${myrpki::run_rpkid}
+}}}
+
+== start_irdbd == #start_irdbd
+
+irdbd startup control. This should usually have the same value as
+run_rpkid: the only case where you would want to change this is when
+you are running the back-end code on a different machine from one or
+more of the daemons, in which case you need finer control over which
+daemons to start on which machines. In such cases, run_rpkid controls
+whether the back-end code is doing things to manage rpkid, while
+start_irdbd controls whether rpki-start-servers attempts to start
+irdbd on this machine.
+
+{{{
+#!ini
+start_irdbd = ${myrpki::run_rpkid}
+}}}
+
+== start_pubd == #start_pubd
+
+pubd startup control. This should usually have the same value as
+run_pubd: the only case where you would want to change this is when
+you are running the back-end code on a different machine from one or
+more of the daemons, in which case you need finer control over which
+daemons to start on which machines. In such cases, run_pubd controls
+whether the back-end code is doing things to manage pubd, while
+start_pubd controls whether rpki-start-servers attempts to start pubd
+on this machine.
+
+{{{
+#!ini
+start_pubd = ${myrpki::run_pubd}
+}}}
+
+== start_rootd == #start_rootd
+
+rootd startup control. This should usually have the same value as
+run_rootd: the only case where you would want to change this is when
+you are running the back-end code on a different machine from one or
+more of the daemons, in which case you need finer control over which
+daemons to start on which machines. In such cases, run_rootd controls
+whether the back-end code is doing things to manage rootd, while
+start_rootd controls whether rpki-start-servers attempts to start
+rootd on this machine.
+
+{{{
+#!ini
+start_rootd = ${myrpki::run_rootd}
+}}}
+
+== shared_sql_username == #shared_sql_username
+
+If you're comfortable with having all of the databases use the same
+MySQL username, set that value here. The default setting of this
+variable should be fine.
+
+{{{
+#!ini
+shared_sql_username = rpki
+}}}
+
+== shared_sql_password == #shared_sql_password
+
+If you're comfortable with having all of the databases use the same
+MySQL password, set that value here. You should use a locally
+generated password either here or in the individual settings below.
+The installation process generates a random value for this option,
+which satisfies this requirement, so ordinarily you should have no
+need to change this option.
+
+No default value.
+
+== rpkid_sql_database == #rpkid_sql_database
+
+SQL database name for rpkid's database. The default setting of this
+variable should be fine.
+
+{{{
+#!ini
+rpkid_sql_database = rpkid
+}}}
+
+== rpkid_sql_username == #rpkid_sql_username
+
+If you want to use a separate SQL username for rpkid's database, set
+it here.
+
+{{{
+#!ini
+rpkid_sql_username = ${myrpki::shared_sql_username}
+}}}
+
+== rpkid_sql_password == #rpkid_sql_password
+
+If you want to use a separate SQL password for rpkid's database, set
+it here.
+
+{{{
+#!ini
+rpkid_sql_password = ${myrpki::shared_sql_password}
+}}}
+
+== irdbd_sql_database == #irdbd_sql_database
+
+SQL database for irdbd's database. The default setting of this
+variable should be fine.
+
+{{{
+#!ini
+irdbd_sql_database = irdbd
+}}}
+
+== irdbd_sql_username == #irdbd_sql_username
+
+If you want to use a separate SQL username for irdbd's database, set
+it here.
+
+{{{
+#!ini
+irdbd_sql_username = ${myrpki::shared_sql_username}
+}}}
+
+== irdbd_sql_password == #irdbd_sql_password
+
+If you want to use a separate SQL password for irdbd's database, set
+it here.
+
+{{{
+#!ini
+irdbd_sql_password = ${myrpki::shared_sql_password}
+}}}
+
+== pubd_sql_database == #pubd_sql_database
+
+SQL database name for pubd's database. The default setting of this
+variable should be fine.
+
+{{{
+#!ini
+pubd_sql_database = pubd
+}}}
+
+== pubd_sql_username == #pubd_sql_username
+
+If you want to use a separate SQL username for pubd's database, set it
+here.
+
+{{{
+#!ini
+pubd_sql_username = ${myrpki::shared_sql_username}
+}}}
+
+== pubd_sql_password == #pubd_sql_password
+
+If you want to use a separate SQL password for pubd's database, set it
+here.
+
+{{{
+#!ini
+pubd_sql_password = ${myrpki::shared_sql_password}
+}}}
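Review bot: the typo "explictly" in the handle section, and the inconsistent "publicly-reachable" (rpkid_server_host) versus "publicly reachable" (pubd_server_host), need to be fixed in rpki-confgen.xml rather than in this file, since the banner at the top states the page is generated and must not be edited by hand. Two documentation gaps in the same source are worth closing at the same time: shared_sql_password says "No default value" right after stating that the installation process generates a random value for it, which reads as a contradiction, and a sentence saying where that generated value is recorded (and that it, not a hand-typed shared password, is what the three *_sql_password options inherit by default) would resolve it; and the four start_* sections repeat the same paragraph with only the daemon name changed, so a single description under start_rpkid with a one-line cross-reference from start_irdbd, start_pubd and start_rootd would be easier to keep consistent when the wording changes.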