path: root/doc/doc.RPKI.CA.Configuration.myrpki
blob: 92776cc8d061f8dc811b0c98cc7fbcb870b93f3b (plain) (blame)
****** [myrpki] section ******

The "[myrpki]" section contains all the parameters that you really need to
configure. The name "myrpki" is historical and may change in the future.

***** handle *****

Every resource-holding or server-operating entity needs a "handle", which is
just an identifier by which the entity calls itself. Handles do not need to be
globally unique, but should be chosen with an eye towards debugging operational
problems: it's best if you use a handle that your parents and children will
recognize as being you.

The "handle" option in the "[myrpki]" section specifies the default handle for
this installation. Previous versions of the CA tools required a separate
configuration file, each with its own handle setting, for each hosted entity.
The current code allows the current handle to be selected at runtime in both
the GUI and command line user interface tools, so the handle setting here is
just the default when you don't set one explicitly. In the long run, this option
may go away entirely, but for now you need to set this.

Syntax is an identifier (ASCII letters, digits, hyphen, underscore -- no
whitespace, non-ASCII characters, or other punctuation).

No default value.

***** bpki_servers_directory *****

Directory for BPKI files generated by rpkic and used by rpkid and pubd. You
will not normally need to change this.

  bpki_servers_directory = ${autoconf::datarootdir}/rpki

***** run_rpkid *****

Whether you want to run your own copy of rpkid (and irdbd). Leave this alone
unless you're doing something unusual like running a pubd-only installation.

  run_rpkid = yes

***** rpkid_server_host *****

DNS hostname for rpkid. In most cases, this must resolve to a publicly
reachable address to be useful, as your RPKI children will need to contact your
rpkid at this address.

No default value.

***** rpkid_server_port *****

Server port number for rpkid. This can be any legal TCP port number that you're
not using for something else.

  rpkid_server_port = 4404

***** irdbd_server_host *****

DNS hostname for irdbd, or "localhost". This should be "localhost" unless you
really know what you are doing.

  irdbd_server_host = localhost

***** irdbd_server_port *****

Server port number for irdbd. This can be any legal TCP port number that you're
not using for something else.

  irdbd_server_port = 4403

***** run_pubd *****

Whether you want to run your own copy of pubd. In general, it's best to use
your parent's pubd if your parent allows you to do so, because this will reduce
the overall number of publication sites from which relying parties will need to
retrieve data. However, not all parents offer publication service, or you may
need to run pubd yourself for reliability reasons, or because you're certifying
private address space or private Autonomous System Numbers.

The out-of-band setup protocol will attempt to negotiate publication service
for you with whatever publication service your parent is using, if it can and
if you let it.

  run_pubd = yes

***** pubd_server_host *****

DNS hostname for pubd, if you're running it. This must resolve to a publicly
reachable address to be useful.

No default value.

***** pubd_server_port *****

Server port number for pubd. This can be any legal TCP port number that you're
not using for something else.

  pubd_server_port = 4402

***** pubd_contact_info *****

Contact information to include in offers of repository service. This only
matters when you're running pubd. This should be a human readable string,
perhaps containing an email address or URL.

No default value.

***** run_rootd *****

Whether you want to run your very own copy of rootd. Don't enable this unless
you really know what you're doing.

  run_rootd = no

***** rootd_server_host *****

DNS hostname for rootd, if you're running it. This should be localhost unless
you really know what you are doing.

  rootd_server_host = localhost

***** rootd_server_port *****

Server port number for rootd, if you're running it. This can be any legal TCP
port number that you're not using for something else.

  rootd_server_port = 4401

***** publication_base_directory *****

Root of local directory tree where pubd should write out published data. You
need to configure this, and the configuration should match up with the
directory where you point rsyncd. Neither pubd nor rsyncd much cares where you
tell it to put this stuff; the important thing is that the rsync URIs in
generated certificates match up with the published objects so that relying
parties can find and verify rpkid's published outputs.

  publication_base_directory = ${autoconf::datarootdir}/rpki/publication

***** publication_root_cert_directory *****

Root of local directory tree where rootd (sigh) should write out published
data. This is just like publication_base_directory, but rootd is too dumb to
use pubd and needs its own directory in which to write one certificate, one
CRL, and one manifest. Neither rootd nor rsyncd much cares where you tell them
to put this stuff; the important thing is that the rsync URIs in generated
certificates match up with the published objects so that relying parties can
find and verify rootd's published outputs.

  publication_root_cert_directory = ${myrpki::publication_base_directory}.root

***** publication_rsync_module *****

rsyncd module name corresponding to publication_base_directory. This has to
match the module you configured into rsyncd.conf. Leave this alone unless you
have some need to change it.

  publication_rsync_module = rpki

***** publication_root_module *****

rsyncd module name corresponding to publication_root_cert_directory. This has
to match the module you configured into rsyncd.conf. Leave this alone unless
you have some need to change it.

  publication_root_module = root

***** publication_rsync_server *****

Hostname and optional port number for rsync URIs. In most cases this should
just be the same value as pubd_server_host.

  publication_rsync_server = ${myrpki::pubd_server_host}

***** start_rpkid *****

rpkid startup control. This should usually have the same value as run_rpkid:
the only case where you would want to change this is when you are running the
back-end code on a different machine from one or more of the daemons, in which
case you need finer control over which daemons to start on which machines. In
such cases, run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_rpkid controls whether rpki-start-servers attempts to
start rpkid on this machine.

  start_rpkid = ${myrpki::run_rpkid}

***** start_irdbd *****

irdbd startup control. This should usually have the same value as run_rpkid:
the only case where you would want to change this is when you are running the
back-end code on a different machine from one or more of the daemons, in which
case you need finer control over which daemons to start on which machines. In
such cases, run_rpkid controls whether the back-end code is doing things to
manage rpkid, while start_irdbd controls whether rpki-start-servers attempts to
start irdbd on this machine.

  start_irdbd = ${myrpki::run_rpkid}

***** start_pubd *****

pubd startup control. This should usually have the same value as run_pubd: the
only case where you would want to change this is when you are running the
back-end code on a different machine from one or more of the daemons, in which case
you need finer control over which daemons to start on which machines. In such
cases, run_pubd controls whether the back-end code is doing things to manage
pubd, while start_pubd controls whether rpki-start-servers attempts to start
pubd on this machine.

  start_pubd = ${myrpki::run_pubd}

***** start_rootd *****

rootd startup control. This should usually have the same value as run_rootd:
the only case where you would want to change this is when you are running the
back-end code on a different machine from one or more of the daemons, in which
case you need finer control over which daemons to start on which machines. In
such cases, run_rootd controls whether the back-end code is doing things to
manage rootd, while start_rootd controls whether rpki-start-servers attempts to
start rootd on this machine.

  start_rootd = ${myrpki::run_rootd}

***** shared_sql_username *****

If you're comfortable with having all of the databases use the same MySQL
username, set that value here. The default setting of this variable should be
fine.

  shared_sql_username = rpki

***** shared_sql_password *****

If you're comfortable with having all of the databases use the same MySQL
password, set that value here. You should use a locally generated password
either here or in the individual settings below. The installation process
generates a random value for this option, which satisfies this requirement, so
ordinarily you should have no need to change this option.

No default value.

***** rpkid_sql_database *****

SQL database name for rpkid's database. The default setting of this variable
should be fine.

  rpkid_sql_database = rpkid

***** rpkid_sql_username *****

If you want to use a separate SQL username for rpkid's database, set it here.

  rpkid_sql_username = ${myrpki::shared_sql_username}

***** rpkid_sql_password *****

If you want to use a separate SQL password for rpkid's database, set it here.

  rpkid_sql_password = ${myrpki::shared_sql_password}

***** irdbd_sql_database *****

SQL database for irdbd's database. The default setting of this variable should
be fine.

  irdbd_sql_database = irdbd

***** irdbd_sql_username *****

If you want to use a separate SQL username for irdbd's database, set it here.

  irdbd_sql_username = ${myrpki::shared_sql_username}

***** irdbd_sql_password *****

If you want to use a separate SQL password for irdbd's database, set it here.

  irdbd_sql_password = ${myrpki::shared_sql_password}

***** pubd_sql_database *****

SQL database name for pubd's database. The default setting of this variable
should be fine.

  pubd_sql_database = pubd

***** pubd_sql_username *****

If you want to use a separate SQL username for pubd's database, set it here.

  pubd_sql_username = ${myrpki::shared_sql_username}

***** pubd_sql_password *****

If you want to use a separate SQL password for pubd's database, set it here.

  pubd_sql_password = ${myrpki::shared_sql_password}
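The `${section::option}` references used throughout this section (for example `${myrpki::publication_base_directory}.root` and `${myrpki::run_rpkid}`) chain through each other until they bottom out in a literal value. The following is an added illustration, not the rpki.net tools' own config code: it loads a constructed rpki.conf fragment, expands such references (refusing to loop forever on a cyclic reference), and applies the sanity checks the text implies for the handle syntax, the port numbers, and the `run_*`/`*_server_host` pairing. The `[autoconf]` path and all host names are made-up placeholders.

```python
import configparser
import re

# Constructed sample rpki.conf fragment (not a real installation's file);
# the [autoconf] value stands in for the build-time datarootdir.
SAMPLE_CONF = """
[autoconf]
datarootdir = /usr/local/share
[myrpki]
handle = Example-CA_1
run_rpkid = yes
run_pubd = yes
pubd_server_host = pubd.example.net
rpkid_server_port = 4404
publication_base_directory = ${autoconf::datarootdir}/rpki/publication
publication_root_cert_directory = ${myrpki::publication_base_directory}.root
publication_rsync_server = ${myrpki::pubd_server_host}
start_rpkid = ${myrpki::run_rpkid}
"""

REF = re.compile(r"\$\{([^:}]+)::([^}]+)\}")      # ${section::option}
HANDLE = re.compile(r"^[A-Za-z0-9_-]+$")          # handle syntax from the text

def load_conf(text):
    # RawConfigParser does no '%' interpolation, so '${...}' reaches us untouched.
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp

def resolve(cp, section, option, depth=0):
    """Expand ${section::option} references, following chains; a cycle is reported."""
    if depth > 10:
        raise ValueError("reference loop while resolving %s::%s" % (section, option))
    value = cp.get(section, option)   # raises if the reference is dangling
    return REF.sub(lambda m: resolve(cp, m.group(1), m.group(2), depth + 1), value)

def check_myrpki(cp):
    """Sanity checks a deployer would want before starting the daemons."""
    problems = []
    if not HANDLE.match(resolve(cp, "myrpki", "handle")):
        problems.append("handle is not a plain identifier")
    for opt in ("rpkid_server_port", "irdbd_server_port",
                "pubd_server_port", "rootd_server_port"):
        if cp.has_option("myrpki", opt) and not 1 <= int(resolve(cp, "myrpki", opt)) <= 65535:
            problems.append("%s is not a legal TCP port" % opt)
    for daemon in ("rpkid", "pubd"):      # both need a reachable hostname when run
        if resolve(cp, "myrpki", "run_" + daemon) == "yes" \
                and not cp.has_option("myrpki", daemon + "_server_host"):
            problems.append("run_%s = yes but %s_server_host is not set" % (daemon, daemon))
    return problems
```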