diff options
Diffstat (limited to 'rpkid/examples')
| -rw-r--r-- | rpkid/examples/rpki.conf | 366 |
1 files changed, 0 insertions, 366 deletions
diff --git a/rpkid/examples/rpki.conf b/rpkid/examples/rpki.conf deleted file mode 100644 index 04e22369..00000000 --- a/rpkid/examples/rpki.conf +++ /dev/null @@ -1,366 +0,0 @@ -################################################################ -# -# $Id$ -# -# Config file for myrpki.py and RPKI daemons. -# -# NB: This config file is read both by Python code and also by the -# OpenSSL command line tool (running under mypki), so syntax must -# remain compatable with both parsers, and there's a big chunk of -# OpenSSL voodoo towards the end of this file. -# -################################################################ - -[myrpki] - -# Handle naming hosted resource-holding entity (<self/>) represented -# by this myrpki instance. Syntax is an identifier (ASCII letters, -# digits, hyphen, underscore -- no whitespace, non-ASCII characters, -# or other punctuation). You need to set this. - -handle = @HANDLE@ - -# Directory for BPKI files generated by rpkic and used by rpkid and pubd. -# Default is where we expect autoconf to decide that our data files -# belong, you might want or need to change this. In the long term -# this should be handled by a setup wizard. - -bpki_servers_directory = @DATAROOTDIR@/rpki - -# Whether you want to run your own copy of rpkid (and irdbd). You -# want this on unless somebody else is hosting rpkid service for you. - -run_rpkid = true - -# DNS hostname and server port numbers for rpkid and irdbd, if you're -# running them. rpkid's server host has to be a publicly reachable -# name to be useful; irdbd's server host should always be localhost -# unless you really know what you are doing. Port numbers can be any -# legal TCP port number that you're not using for something else. - -rpkid_server_host = rpkid.example.org -rpkid_server_port = 4404 -irdbd_server_host = localhost -irdbd_server_port = 4403 - -# Whether you want to run your own copy of pubd. In general, it's -# best to use your parent's pubd if you can, to reduce the overall -# number of publication sites that relying parties need to check, so -# don't enable this unless you have a good reason. - -run_pubd = false - -# DNS hostname and server port number for pubd, if you're running it. -# Hostname has to be a publicly reachable name to be useful, port can -# be any legal TCP port number that you're not using for something -# else. - -pubd_server_host = pubd.example.org -pubd_server_port = 4402 - -# Contact information to include in offers of repository service. -# This only matters when we're running pubd. This should be a human -# readable string, perhaps containing an email address or URL. - -pubd_contact_info = repo-man@rpki.example.org - -# Whether you want to run your very own copy of rootd. Don't enable -# this unless you really know what you're doing. - -run_rootd = false - -# Server port number for rootd, if you're running it. This can be any -# legal TCP port number that you're not using for something else. - -rootd_server_host = localhost -rootd_server_port = 4401 - -# Root of local directory tree where pubd (and rootd, sigh) should -# write out published data. You need to configure this, and the -# configuration should match up with the directory where you point -# rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to -# put this stuff, the important thing is that the rsync:// URIs in -# generated certificates match up with the published objects so that -# relying parties can find and verify rpkid's published outputs. - -publication_base_directory = @DATAROOTDIR@/rpki/publication -publication_root_cert_directory = ${myrpki::publication_base_directory}.root - -# rsyncd module name corresponding to publication_base_directory. -# This has to match the module you configured into rsyncd.conf. -# Leave this alone unless you have some need to change it. - -publication_rsync_module = rpki - -# rsyncd module name corresponding to publication_root_cert_directory. -# This has to match the module you configured into rsyncd.conf. -# Leave this alone unless you have some need to change it. - -publication_root_module = root - -# Hostname and optional port number for rsync:// URIs. In most cases -# this should just be the same value as pubd_server_host. - -publication_rsync_server = ${myrpki::pubd_server_host} - -# Startup control. These all default to the values of the -# corresponding run_* options, to keep things simple. The only case -# where you would want to change these is when you are running the -# back-end code on a different machine from one or more of the -# daemons, in which case you need finer control over which daemons to -# start on which machines. In such cases, "run_*" controls whether -# the back-end code is doing things to manage the daemon in question, -# while "start_*" controls whether rpki-start-servers attempts to -# start the daemon in question. - -start_rpkid = ${myrpki::run_rpkid} -start_irdbd = ${myrpki::run_rpkid} -start_pubd = ${myrpki::run_pubd} -start_rootd = ${myrpki::run_rootd} - -# SQL configuration. You can ignore this if you're not running any of -# the daemons yourself. - -# If you're comfortable with having all of the databases use the same -# MySQL username and password, set those values here. It's ok to -# leave the default username alone, but you should use a locally -# generated password either here or in the individual settings below. - -shared_sql_username = rpki -shared_sql_password = fnord - -# If you want different usernames and passwords for the separate SQL -# databases, enter those settings here; the shared_sql_* settings are -# only referenced here, so you can remove them entirely if you're -# setting everything in this block. - -rpkid_sql_database = rpkid -rpkid_sql_username = ${myrpki::shared_sql_username} -rpkid_sql_password = ${myrpki::shared_sql_password} - -irdbd_sql_database = irdbd -irdbd_sql_username = ${myrpki::shared_sql_username} -irdbd_sql_password = ${myrpki::shared_sql_password} - -pubd_sql_database = pubd -pubd_sql_username = ${myrpki::shared_sql_username} -pubd_sql_password = ${myrpki::shared_sql_password} - -# End of [myrpki] section - -################################################################# -# -# In theory it should not be necessary to modify anything below this -# point, at least not if you're within the boundaries of the -# simplified configuration that the myrpki tool is intended to -# support. If you do have to modify anything below this point, please -# report it. -# -################################################################# - -[rpkid] - -# MySQL database name, user name, and password for rpkid to use to -# store its data. - -sql-database = ${myrpki::rpkid_sql_database} -sql-username = ${myrpki::rpkid_sql_username} -sql-password = ${myrpki::rpkid_sql_password} - -# Host and port on which rpkid should listen for HTTP service -# requests. - -server-host = ${myrpki::rpkid_server_host} -server-port = ${myrpki::rpkid_server_port} - -# HTTP service URL rpkid should use to contact irdbd. If irdbd is -# running on the same machine as rpkid, this can and probably should -# be a loopback URL, since nobody but rpkid needs to talk to irdbd. - -irdb-url = http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/ - -# Where rpkid should look for BPKI certs and keys used in the -# left-right protocol. The following values match where myirbe.py -# will have placed things. Don't change these without a reason. - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -rpkid-key = ${myrpki::bpki_servers_directory}/rpkid.key -rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer -irdb-cert = ${myrpki::bpki_servers_directory}/irdbd.cer -irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer - -################################################################# - -[irdbd] - -# MySQL database name, user name, and password for irdbd to use to -# store its data. - -sql-database = ${myrpki::irdbd_sql_database} -sql-username = ${myrpki::irdbd_sql_username} -sql-password = ${myrpki::irdbd_sql_password} - -# Host and port on which irdbd should listen for HTTP service -# requests. - -server-host = ${myrpki::irdbd_server_host} -server-port = ${myrpki::irdbd_server_port} - -# Where irdbd should look for BPKI certs and keys used in the -# left-right protocol. The following values match where myirbe.py -# will have placed things. Don't change these without a reason. - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -rpkid-cert = ${myrpki::bpki_servers_directory}/rpkid.cer -irdbd-cert = ${myrpki::bpki_servers_directory}/irdbd.cer -irdbd-key = ${myrpki::bpki_servers_directory}/irdbd.key - -################################################################# - -[pubd] - -# MySQL database name, user name, and password for pubd to use to -# store (some of) its data. - -sql-database = ${myrpki::pubd_sql_database} -sql-username = ${myrpki::pubd_sql_username} -sql-password = ${myrpki::pubd_sql_password} - -# Root of directory tree where pubd should write out published data. -# You need to configure this, and the configuration should match up -# with the directory where you point rsyncd. Neither pubd nor rsyncd -# much cares -where- you tell them to put this stuff, the important -# thing is that the rsync:// URIs in generated certificates match up -# with the published objects so that relying parties can find and -# verify rpkid's published outputs. - -publication-base = ${myrpki::publication_base_directory} - -# Host and port on which pubd should listen for HTTP service -# requests. - -server-host = ${myrpki::pubd_server_host} -server-port = ${myrpki::pubd_server_port} - -# Where pubd should look for BPKI certs and keys used in the -# left-right protocol. The following values match where myirbe.py -# will have placed things. Don't change these without a reason. - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -pubd-cert = ${myrpki::bpki_servers_directory}/pubd.cer -pubd-key = ${myrpki::bpki_servers_directory}/pubd.key -irbe-cert = ${myrpki::bpki_servers_directory}/irbe.cer - -################################################################# - -[rootd] - -# You don't need to run rootd unless you're IANA, are certifying -# private address space, or are an RIR which refuses to accept IANA as -# the root of the public address hierarchy. -# -# Ok, if that wasn't enough to scare you off: rootd is a kludge, and -# needs to be rewritten, or, better, merged into rpkid. It does a -# number of things wrong, and requires far too many configuration -# parameters. You have been warned.... - -# BPKI certificates and keys for rootd - -bpki-ta = ${myrpki::bpki_servers_directory}/ca.cer -rootd-bpki-crl = ${myrpki::bpki_servers_directory}/ca.crl -rootd-bpki-cert = ${myrpki::bpki_servers_directory}/rootd.cer -rootd-bpki-key = ${myrpki::bpki_servers_directory}/rootd.key -child-bpki-cert = ${myrpki::bpki_servers_directory}/child.cer - -# Server host and port on which rootd should listen. - -server-host = ${myrpki::rootd_server_host} -server-port = ${myrpki::rootd_server_port} - -# Where rootd should write its output. Yes, rootd should be using -# pubd instead of publishing directly, but it doesn't. - -rpki-root-dir = ${myrpki::publication_base_directory} - -# rsync URI for directory containing rootd's outputs - -rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ - -# rsync URI for rootd's root (self-signed) RPKI certificate - -rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer - -# Private key corresponding to rootd's root RPKI certificate - -rpki-root-key = ${myrpki::bpki_servers_directory}/root.key - -# Filename (as opposed to rsync URI) of rootd's root RPKI certificate - -rpki-root-cert = ${myrpki::publication_root_cert_directory}/root.cer - -# Where rootd should stash a copy of the PKCS #10 request it gets from -# its one (and only) child - -rpki-subject-pkcs10 = ${myrpki::bpki_servers_directory}/rootd.subject.pkcs10 - -# Lifetime of the one and only certificate rootd issues - -rpki-subject-lifetime = 30d - -# Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL -# for rootd's root RPKI certificate - -rpki-root-crl = root.crl - -# Filename (relative to rootd-base-uri and rpki-root-dir) of the -# manifest for rootd's root RPKI certificate - -rpki-root-manifest = root.mft - -# Up-down protocol class name for RPKI certificate rootd issues to its -# one (and only) child - -rpki-class-name = ${myrpki::handle} - -# Filename (relative to rootd-base-uri and rpki-root-dir) of the one -# (and only) RPKI certificate rootd issues - -rpki-subject-cert = ${myrpki::handle}.cer - -# The last four paramters in this section are really parameters for -# myirbe.py to use when constructing rootd's root RPKI certificate, -# via an indirection hack in the OpenSSL voodoo portion of this file. -# Don't ask why some of these are duplicated from other paramters in -# this section, you don't want to know (really, you don't). - -# ASNs to include in rootd's root RPKI certificate, in openssl.conf format - -root_cert_asns = AS:0-4294967295 - -# IP addresses to include in rootd's root RPKI certificate, in -# openssl.conf format - -root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0 - -# Whatever you put in rpki-base-uri, earlier in this section - -root_cert_sia = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/ - -# root_cert_sia + rpki-root-manifest - -root_cert_manifest = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mft - -################################################################# - -# Glue to allow the django application to pull user configuration -# from this file rather than directly editing settings.py - -[web_portal] -sql-database = ${myrpki::irdbd_sql_database} -sql-username = ${myrpki::irdbd_sql_username} -sql-password = ${myrpki::irdbd_sql_password} - -################################################################# - -#[rpkic] -#autosync = false |