From 14a9628f0552d3818cd58fb085e7544cdbb3b5eb Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 3 Aug 2016 18:27:49 +0000 Subject: Dump of rpki.net Wiki, to capture content not linked into the manual. --- doc/wiki-dump/doc%2FRPKI%2FCA%2FUI%2Frpkic | 105 +++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 doc/wiki-dump/doc%2FRPKI%2FCA%2FUI%2Frpkic (limited to 'doc/wiki-dump/doc%2FRPKI%2FCA%2FUI%2Frpkic') diff --git a/doc/wiki-dump/doc%2FRPKI%2FCA%2FUI%2Frpkic b/doc/wiki-dump/doc%2FRPKI%2FCA%2FUI%2Frpkic new file mode 100644 index 00000000..044372d3 --- /dev/null +++ b/doc/wiki-dump/doc%2FRPKI%2FCA%2FUI%2Frpkic 
@@ -0,0 +1,105 @@ += The rpkic tool = + +[[TracNav(doc/RPKI/TOC)]] +[[PageOutline]] + +rpkic is a command line interface to rpkid and pubd. It implements +largely the same functionality as the [[GUI|web interface]]. In most +cases you will want to use the web interface for normal operation, but +rpkic is available if you need it. + +rpkic can be run either in an interactive mode or by passing a single +command on the command line when starting the program; the former mode +is intended to be somewhat human-friendly, the latter mode is useful +in scripting, cron jobs, and automated testing. + +Some rpkic commands write out data files, usually in the current +directory. + +rpkic uses the same system-wide [[Configuration|rpki.conf]] file as +the other CA tools as its default configuration file. + +rpkic includes a "help" command which provides inline help for its +several commands. + +== Selecting an identity == + +The //handle// variable in rpki.conf specifies the handle of the +default identity for an rpkic command, but this is just the default. +rpkid can host an arbitrary number of identities, and rpkic has to be +able to control all of them. + +When running rpkic interactively, use rpkic's "select_identity" +command to set the current identity handle. + +When running rpkic with a single command on the command line, use the +"-i" (or "--identity") option to set the current identity handle. + +== rpkic in setup phase == + +See the [[..|introduction to the user interfaces]] for an overview of +how setup phase works. The general structure of the setup phase in +rpkic is as described there, but here we provide the specific commands +involved. The following assumes that you have already installed the +software and started the servers. + +* The rpkic "initialize" command writes out an "identity.xml" file in + addition to all of its other tasks. 
+ +* A parent who is using rpkic runs the "configure_child" command to + configure the child, giving this command the identity.xml file the + child supplied as input. configure_child will write out a response + XML file, which the parent sends back to the child. + +* A child who is running rpkic runs the "configure_parent" command to + process the parent's response, giving it the XML file sent back by + the parent as input to this command. configure_parent will write + out a publication request XML file, which the child sents to the + repository operator. + +* A repository operator who is using rpkic runs the + "configure_publication_client" command to process a client's + publication request. configure_publication_client generates a + confirmation XML message which the repository operator sends back to + the client. + +* A publication client who is using rpkic runs the + "configure_repository" command to process the repository's response. + +== rpkic in data maintenance phase == + +rpkic uses whitespace-delimited text files (called ".csv files", for +historical reasons) to control issuance of addresses and autonomous +sequence numbers to children, and to control issuance of ROAs. See +the "load_asns", "load_prefixes", and "load_roa_requests" commands. + +== Maintaining child validity data == + +All resources issued to child entities are tagged with a validity +date. If not updated, these resources will eventually expire. rpkic +includes two commands for updating these validity dates: + +* "renew_child" updates the validity date for a specific child. + +* "renew_all_children" updates the validity date for all children. + +== BPKI maintenance == + +Certificates and CRLs in the BPKI have expiration dates and netUpdate +dates, so they need to be maintained. Failure to maintain these will +eventually cause the CA software to grind to a halt, as expired +certificates will cause CMS validation failures. + +rpkic's "update_bpki" command takes care of this. 
Usually one will +want to run this periodically (perhaps once per month), under cron. + +== Forcing synchronization == + +Most rpkic commands synchronize the back end database with the daemons +automatically, so in general it should not be necessary to synchronize +manually. However, since these are separate databases, it is +theoretically possible for them to get out of synch, perhaps because +something crashed at exactly the wrong time. + +rpkic's "synchronize" command runs a synchronization cycle with rpkid +(if {{{run_rpkic}}} is set) and pubd (if {{{run_pubd}}} is set). -- cgit v1.2.3
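Review bot: the wiki text added in this hunk carries several wording errors that will be carried into the manual verbatim once this content is linked in: in the "configure_parent" bullet, "which the child sents to the repository operator" should read "sends"; under "rpkic in data maintenance phase", "autonomous sequence numbers" should be "autonomous system numbers" (the same paragraph points at the "load_asns" command); under "BPKI maintenance", "netUpdate dates" is presumably the CRL nextUpdate date; and in the "Forcing synchronization" paragraph, the "synchronize" command is said to talk to rpkid only "if {{{run_rpkic}}} is set", which reads as a typo for the rpkid flag (the pubd case uses {{{run_pubd}}}), since rpkic is the command line tool itself rather than a daemon. The commit message describes this as a raw wiki dump, so capturing the text unchanged may be deliberate, but these should be fixed before the page is incorporated into the manual, and "out of synch" would also be more conventionally spelled "out of sync".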