****** Configuring the RPKI CA tools ******
This section describes the configuration file syntax and settings.
Each of the programs that make up the RPKI tookit can potentially take its own
configuration file, but for most uses this is unnecessarily complicated. The
recommended approach is to use a single configuration file, and to put all of
the parameters that a normal user might need to change into a single section of
that configuration file, then reference these common settings from the program-
specific sections of the configuration file via macro expansion. The
configuration file parser supports a limited version of the macro facility used
in OpenSSL's configuration parser. An expression such as
foo = ${bar::baz}
sets foo to the value of the baz variable from section bar. The section name
ENV is special: it refers to environment variables.
***** rpki.conf *****
The default name for the shared configuration file is rpki.conf. The location
of the system-wide rpki.conf file is selected by ./configure during
installation; the default location is /usr/local/etc, unless you use the --
sysconfdir option to ./configure, in which case the default location is
whatever directory you gave ./configure as the argument to this option.
You can override the build-time default filename at runtime by setting the
RPKI_CONF environment variable to the name of the configuration file you want
to use. Most of the programs also take a command-line option specifying the
name of the configuration file; if both the command line option and the
environment variable are set, the command line option wins.
Unless you really know what you're doing, you should start by copying the
rpki.conf from the rpkid/examples directory and modifying it, as the sample
configuration file already includes all the additional settings necessary to
use the simplified configuration.
We really should have a configuration wizard script which leads you through the
process of creating a basic rpki.conf file, but we haven't written it yet.
Someday Real Soon Now.
[myrpki]
The [myrpki] section of rpki.conf contains all the parameters that you really
need to configure. The name myrpki] is historical and may change in the future.
# Handle naming hosted resource-holding entity () represented
# by this myrpki instance. Syntax is an identifier (ASCII letters,
# digits, hyphen, underscore -- no whitespace, non-ASCII characters,
# or other punctuation). You need to set this.
handle = Me
Every resource-holding or server-operating entity needs a "handle", which is
just an identifier by which the entity calls itself. Handles do not need to be
globally unique, but should be chosen with an eye towards debugging operational
problems: it's best if you use a handle that your parents and children will
recognize as being you.
Previous versions of the CA tools required a separate configuration file, each
with its own handle setting, for each hosted entity. The current code allows
the current handle to be selected at runtime in both the GUI and command line
user interface tools, so the handle setting here is just the default when you
don't set one explictly.
# Directory for BPKI files generated by rpkic and used by rpkid and pubd.
# Default is where we expect autoconf to decide that our data files
# belong, you might want or need to change this. In the long term
# this should be handled by a setup wizard.
bpki_servers_directory = /usr/local/share/rpki
You shouldn't need to change this unless you used the --datarootdir option to
tell ./configure; if you did, you'll need to adjust the setting of
bpki_servers_directory to match whatever you told ./configure.
# Whether you want to run your own copy of rpkid (and irdbd). You
# want this on unless somebody else is hosting rpkid service for you.
run_rpkid = true
You probably don't need to change this.
# DNS hostname and server port numbers for rpkid and irdbd. rpkid's
# server host has to be a publicly reachable name to be useful;
# irdbd's server host should always be localhost unless you really
# know what you are doing. Port numbers can be any legal TCP port
# number that you're not using for something else.
rpkid_server_host = rpkid.example.org
rpkid_server_port = 4404
irdbd_server_host = localhost
irdbd_server_port = 4403
You'll need to set at least the rpkid_server_host parameter here. You may be
able to use the default port numbers, or may need to pick different ones.
Unless you plan to run irdbd on a different machine from rpkid, you should
leave irdbd_server_host alone.
# Whether you want to run your own copy of pubd. In general, it's
# best to use your parent's pubd if you can, to reduce the overall
# number of publication sites that relying parties need to check, so
# don't enable this unless you have a good reason.
run_pubd = false
# DNS hostname and server port number for pubd, if you're running it.
# Hostname has to be a publicly reachable name to be useful, port can
# be any legal TCP port number that you're not using for something
# else.
pubd_server_host = pubd.example.org
pubd_server_port = 4402
# Contact information to include in offers of repository service.
# This only matters when we're running pubd. This should be a human
# readable string, perhaps containing an email address or URL.
pubd_contact_info = repo-man@rpki.example.org
The out of band setup protocol will attempt to negotiate publication service
for you with whatever publication service your parent is using, if you let it,
so in most cases you should not need to run pubd unless you need to issue
certificates for private IP address space or private Autononmous System
Numbers.
If you do run pubd, you will need to set pubd_server_host. You may also need to
set pubd_server_port, and you should provide something helpful as contact
information in pubd_contact_info if you plan to offer publication service to
your RPKI children, so that grandchildren (or descendents even further down the
tree) who receive referrals to your service will know how to contact you.
# Whether you want to run your very own copy of rootd. Don't enable
# this unless you really know what you're doing.
run_rootd = false
# Server port number for rootd, if you're running it. This can be any
# legal TCP port number that you're not using for something else.
rootd_server_port = 4401
You shouldn't run rootd unless you're the root of an RPKI tree. Who gets to be
the root of the public RPKI tree is a political issue outside the scope of this
document. For everybody else, the only reason for running rootd (other than
test purposes) would be to support certification of private IP addresses and
ASNs. The core tools can do this without any problem, but the simplified
configuration mechanism does not (yet) make this easy to do.
# Root of local directory tree where pubd (and rootd, sigh) should
# write out published data. You need to configure this, and the
# configuration should match up with the directory where you point
# rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to
# put this stuff, the important thing is that the rsync:// URIs in
# generated certificates match up with the published objects so that
# relying parties can find and verify rpkid's published outputs.
publication_base_directory = publication/
# rsyncd module name corresponding to publication_base_directory.
# This has to match the module you configured into rsyncd.conf.
# Leave this alone unless you have some need to change it.
publication_rsync_module = rpki
# Hostname and optional port number for rsync:// URIs. In most cases
# this should just be the same value as pubd_server_host.
publication_rsync_server = ${myrpki::pubd_server_host}
These parameters control the mapping between the rsync URIs presented by rsyncd
and the local filesystem on the machine where pubd and rsyncd run. Any changes
here must also be reflected as changes in rsyncd.conf. In most cases you should
not change the value of publication_rsync_module from the default; since pubd
can't (and should not) rewrite rsyncd.conf, it's best to use a static rsync
module name here and let pubd do its work underneath that name. In most cases
publication_rsync_server should be the same as publication_rsync_server, which
is what the macro invocation in the default setting does.
publication_base_directory, like other pathnames in rpki.conf, can be either a
relative or absolute pathname; if relative, it's interpreted with respect to
the directory in which the programs in question were started. It's probably
better to use an absolute pathname, since this pathname must also appear in
rsyncd.conf.
# Startup control. These all default to the values of the
# corresponding run_* options, to keep things simple. The only case
# where you would want to change these is when you are running the
# back-end code on a different machine from one or more of the
# daemons, in which case you need finer control over which daemons to
# start on which machines. In such cases, "run_*" controls whether
# the back-end code is doing things to manage the daemon in question,
# while "start_*" controls whether rpki-start-servers attempts to
# start the daemon in question.
start_rpkid = ${myrpki::run_rpkid}
start_irdbd = ${myrpki::run_rpkid}
start_pubd = ${myrpki::run_pubd}
start_rootd = ${myrpki::run_rootd}
You don't need to change these unless for some reason you need to run rpkid,
pubd, or both on different machines from your back end code. In such cases, you
can use these options to control which daemons start on which hosts, and to
tell the back end code (rpkic and the GUI) that they're responsible for talking
to rpkid and pubd even though those daemons are running on other hosts.
The main reason why you might want to do this would be cases where you might
want to run rpkid and pubd in a DMZ while keeping all of the back end code
behind a firewall.
# SQL configuration. You can ignore this if you're not running any of
# the daemons yourself.
# If you're comfortable with having all of the databases use the same
# MySQL username and password, set those values here. It's ok to
# leave the default username alone, but you should use a locally
# generated password either here or in the individual settings below.
shared_sql_username = rpki
shared_sql_password = fnord
# If you want different usernames and passwords for the separate SQL
# databases, enter those settings here; the shared_sql_* settings are
# only referenced here, so you can remove them entirely if you're
# setting everything in this block.
rpkid_sql_database = rpkid
rpkid_sql_username = ${myrpki::shared_sql_username}
rpkid_sql_password = ${myrpki::shared_sql_password}
irdbd_sql_database = irdbd
irdbd_sql_username = ${myrpki::shared_sql_username}
irdbd_sql_password = ${myrpki::shared_sql_password}
pubd_sql_database = pubd
pubd_sql_username = ${myrpki::shared_sql_username}
pubd_sql_password = ${myrpki::shared_sql_password}
These settings control how rpkid, irdbd, and pubd talk to the MySQL server. At
minimum, each daemon needs its own database; in the simplest configuration, the
username and password can be shared, which is what the macro references in the
default configuration does. If for some reason you need to set different
usernames and passwords for different daemons, you can do so by changing the
daemon-specific variables.
***** rsyncd.conf *****
If you're running pubd, you'll also need to run rsyncd. Your rsyncd
configuration will need to match your pubd configuration in order for relying
parties to find the RPKI objects managed by pubd.
Here's a sample rsyncd.conf file:
pid file = /var/run/rsyncd.pid
uid = nobody
gid = nobody
[rpki]
use chroot = no
read only = yes
transfer logging = yes
path = /some/where/publication
comment = RPKI publication
You may need to adapt this to your system. In particular, you will need to set
the path option to match the directory you named as publication_base_directory
in rpki.conf.
You may need to do something more complicated if you are already running rsyncd
for other purposes. See the rsync(1) and rsyncd.conf(5) manual pages for more
details.
***** Other configuration files and options *****
In most cases the simplified configuration in the [myrpki] section of rpki.conf
should suffice, but in case you need to tinker, here are details on the the
rest of the configuration options. In most cases the default name of the
configuration file for a program is the name of the program followed by .conf,
and the section name is also named for the program, so that you can combine
sections into a single configuration file as shown with rpki.conf.
* Common configuration options
* rpkid configuration
* irdbd configuration
* pubd configuration
* rootd configuration
***** Next steps *****
Once you've finished with configuration, the next thing you should read is the
MySQL setup instructions.
***** Running rpkid or pubd on a different server *****
The default configuration runs rpkid, pubd (if enabled) and the back end code
all on the same server. For many purposes, this is fine, but in some cases you
might want to split these functions up among different servers.
As noted briefly above, there are two separate sets of rpki.conf options which
control the necessary behavior: the run_* options and the start_* options. The
latter are usually tied to the former, but you can set them separately, and
they control slightly different things: the run_* options control whether the
back end code attempts to manage the servers in question, while the start_*
flags control whether the startup scripts should start the servers in question.
Here's a guideline to how to set up the servers on different machines. For
purposes of this description we'll assume that you're running both rpkid and
pubd, and that you want rpkid and pubd each on their own server, separate from
the back end code. We'll call these servers rpkid.example.org,
pubd.example.org, and backend.example.org.
Most of the configuration is the same as in the normal case, but there are a
few extra steps. The following supplements but does not replace the normal
instructions.
WARNING: These setup directions have not (yet) been tested extensively.
* Create rpki.conf as usual on backend.example.org, but pay particular
attention to the settings of rpkid_server_host, irbe_server_host, and
pubd_server_host: these should name rpkid.example.org, backend.example.org,
and pubd.example.org, respectively.
* This example assumes that you're running pubd, so make sure that both
run_rpkid and run_pubd are enabled in rpki.conf.
* Copy the rpki.conf to the other machines, and customize each copy to that
machine's role:
o start_rpkid should be enabled on rpkid.example.org and disabled on the
others.
o start_pubd should be enabled on pubd.example.org and disabled on the
others.
o start_irdbd should be enabled on backend.example.org and disabled on the
others.
* Make sure that you set up SQL databases on all three servers; the rpki-sql-
setup script should do the right thing in each case based on the setting of
the start_* options.
* Run "rpkic initialize" on the back end host. This will create the BPKI and
write out all of the necessary keys and certificates.
* "rpkic initialize" should have created the BPKI files (.cer, .key, and .crl
files for the several servers). Copy the .cer and .crl files to the pubd and
rpkid hosts, along with the appropriate private key: rpkid.example.org should
get a copy of the rpkid.key file but not the pubd.key file, while
pubd.example.org should get a copy of the pubd.key file but not the rpkid.key
file.
* Run rpki-start-servers on each of the three hosts when it's time to start the
servers.
* Do the usual setup dance, but keep in mind that the the back end controlling
all of these servers lives on backend.example.org, so that's where you issue
the rpkic or GUI commands to manage them. rpkic and the GUI both know how to
talk to rpkid and pubd over the network, so managing them remotely is fine.
a>
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
|