# # OpenXPKI Meta Configuration File # # Written by Martin Bartosch for the OpenXPKI project 2006 # Copyright (c) 2006 by The OpenXPKI Project # $Revision: 318 $ # # # # This meta configuration file is used to produce a valid OpenXPKI # configuration file set. # # Section names are specified in square brackets, e. g. [foo] and may # be opened/continued more than once: # [foo] # bar: 123 # [baz] # xyz: 456 # [foo] # continued: 789 # # Multi-values can be specified by repeating the key: # [foo] # multi: abc # multi: def # multi: ghi # # It is possible to reference any other variable defined in the configuration # file using $(section.key), e. g. # [baz] # uvw: $(foo.bar) # # These references may be nested and may also be used within reference names # themselves: # # [foo] # id: bar # indirect: $(foo.$(id)) # # This is identical to referencing $(foo.bar) which in turn is 123 (see above). # # It is possible to attach multiple values or entire sections in order # to form hierarchical structures: # [blurb] # root: $(foo) # # # ########################################################################### # Global configuration settings and directory specifications [global] name: OpenXPKI [deployment] # Configuration style for generated XML configuration files, REQUIRED. # Allowed values: # all-in-one - generates one single XML configuration file # multi-file - generates several XML files that are referenced via XInclude #xmlstyle: all-in-one xmlstyle: multi-file [dir] # common prefix prefix: /usr # machine-specific files (libraries etc) exec_prefix: $(dir.prefix) # executable user programs bindir: $(dir.exec_prefix)/bin # documentation of executable user programs mandir: $(dir.exec_prefix)/man # auxiliary programs (not intended to be run by users) # libexecdir: $(dir.exec_prefix)/lib/openxpki # read-only architecture independent data files datarootdir: $(dir.prefix)/share datadir: $(dir.datarootdir)/openxpki # read-only configuration files sysconfdir: $(dir.prefix)/etc openxpkiconfdir: $(dir.sysconfdir)/openxpki cadir: $(dir.openxpkiconfdir)/ca # data files modified by the application localstatedir: $(dir.prefix)/var openxpkistatedir: $(dir.localstatedir)/openxpki openxpkisessiondir: $(dir.openxpkistatedir)/session dataexchange: $(dir.openxpkistatedir)/dataexchange # locales localedir: $(dir.datarootdir)/locale # temp files tmpdir: $(dir.localstatedir)/tmp # perllib: # templates templatedir: $(dir.datadir)/templates ########################################################################### # Common files [file] # OpenSSL binary loation, REQUIRED openssl: /usr/bin/openssl openca_scep: /usr/bin/openca-scep openca_sv: /usr/bin/openca-sv createjavakeystore: /usr/bin/create_javakeystore ########################################################################### # OpenXPKI Server configuration [server] # server process environment, REQUIRED # low-privilege runtime user (server process runs as this user) runuser: openxpki rungroup: openxpki # administrative user, used for file ownership admuser: root admgroup: root # ownership of the server socket, defaults to runuser:rungroup # socketowner: openxpki # socketgroup: openxpki # configuration files config: $(dir.openxpkiconfdir)/openxpki.xml logconfig: $(dir.openxpkiconfdir)/log.conf # data files #pidfile: $(dir.localstatedir)/run/openxpki.pid pidfile: $(dir.openxpkistatedir)/openxpki.pid socketfile: $(dir.openxpkistatedir)/openxpki.socket stderrfile: $(dir.openxpkistatedir)/stderr.log # session limits session_lifetime: 1200 # client communication transport: Simple serialization: Simple serialization: JSON service: Default service: SCEP ########################################################################### # System log configuration [log] logfile: $(dir.openxpkistatedir)/openxpki.log syslog_facility: local7 # facility: $(log_facility_auth) # facility: $(log_facility_audit) # facility: $(log_facility_monitor) # facility: $(log_facility_system) # # facilities # [log_facility_auth] # facility: auth # level: INFO # appender: Logfile # appender: Syslog # appender: DBI # [log_facility_audit] # facility: audit # level: INFO # appender: Syslog # appender: DBI # [log_facility_monitor] # facility: monitor # level: INFO # appender: Logfile # [log_facility_sytem] # facility: system # level: DEBUG # appender: Logfile # appender: Syslog ########################################################################### # Internationalization [i18n] # Language specific settings, REQUIRED defaultlanguage: C ########################################################################### # Database configuration [database] # REQUIRED server_id: 0 server_shift: 8 # Specify database backend to use, REQUIRED # Allowed values: SQLite, DB2, Oracle, MySQL, PostgreSQL type: SQLite # Database name (DB-specific, see perldoc DBD::) name: $(dir.openxpkistatedir)/sqlite.db # Define these settings as needed. Undefined keys will not show up in the # output configuration. Defined but empty settings will result in an # empty XML tag. #host: localhost #port: #user: #passwd: #namespace: # You can usually leave this untouched, it will automatically reference # the correct options section based on the database type you selected. options: $(DB-$(database.type)-Options) # database vendor specific options [DB-SQLite-Options] [DB-DB2-Options] CLASSPATH: /home/db2inst1/sqllib/java/sqlj.zip:/home/db2inst1/sqllib/function:/home/db2inst1/sqllib/java/db2java.zip:/home/db2inst1/sqllib/java/runtime.zip DB2INSTANCE: db2inst1 DB2DIR: /usr/IBMdb2/V7.1 INSTHOME: /home/db2inst1 [DB-Oracle-Options] ORACLE_HOME: /opt/oracle/OraHome ORACLE_SID: OPENXPKI01 [DB-MySQL-Options] [DB-PostgreSQL-Options] ########################################################################### # PKI configuration # this continues the global section [global] debug: 0 # PKI Realm identifiers (sections in this configuration file) pkirealm: Realm 1 # pkirealm: Realm 2 ########################################################################### # Realm definitions [Realm 1] name: I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA issuingca: TEST_DUMMY_CA_1 issuingca: TEST_DUMMY_CA_2 subsystem: TEST_SCEP_SERVER_1 subsystem: TEST_SCEP_PKCS7_TOOL_1 subsystem: TEST_CREATE_JAVAKEYSTORE_1 profiles: $(profiles) #notifier: TEST_DUMMY_NOTIFIER_RT_1 [Realm 2] name: I18N_OPENXPKI_DEPLOYMENT_TEST_USER_CA issuingca: TEST_USER_CA_1 issuingca: TEST_USER_CA_2 profiles: $(profiles) ########################################################################### # Auxiliary subsystems: # SCEP [TEST_DUMMY_NOTIFIER_RT_1] type: RT username: rt_user password: rt_password url: http://rt_host/path/to/rt/ timeout: 10 [TEST_SCEP_SERVER_1] id: testscepserver1 cert_alias: testscepserver1 type: scep shell: $(file.openca_scep) backend: OpenXPKI::Crypto::Tool::SCEP dir: $(dir.cadir)/scepdummyserver1 [TEST_SCEP_PKCS7_TOOL_1] id: testsceppkcs7tool1 type: pkcs7 shell: $(file.openca_sv) backend: OpenXPKI::Crypto::Tool::PKCS7 dir: $(dir.cadir)/scepdummyserver1 [TEST_CREATE_JAVAKEYSTORE_1] id: testcreatejavakeystore type: createjavakeystore shell: $(file.createjavakeystore) backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore dir: /tmp ########################################################################### # Issuing CAs # for Realm 1 (OpenXPKI Test CA) [TEST_DUMMY_CA_1] # internal CA ID id: testdummyca1 dir: $(dir.cadir)/testdummyca1 cacert_alias: testdummyca1 #cacert_identifier: crl_publication_file_format: PEM crl_publication_file_name: $(dir.cadir)/testdummyca1/crl.pem # Issue for other CA identifiers as well # If none specified, only issue for self #crl_issue_for: #crl_issue_for: [TEST_DUMMY_CA_2] # internal CA ID id: testdummyca2 dir: $(dir.cadir)/testdummyca2 cacert_alias: testdummyca2 #cacert_identifier: crl_publication_file_format: PEM crl_publication_file_name: $(dir.cadir)/testdummyca2/crl.pem # for Realm 2 (Test User CA) [TEST_USER_CA_1] # internal CA ID id: testuserca1 dir: $(dir.cadir)/testuserca1 [TEST_USER_CA_2] # internal CA ID id: testuserca2 dir: $(dir.cadir)/testuserca2 ########################################################################### # Profiles [baseprofile] [endentityprofile] foo: bar baz: 1234 [profiles] #crl: $(crlprofile) endentity: $(endentityprofile) #selfsignedca: $(selfsignedcaprofile) ########################################################################### # LDAP public configuration [ldappublic] # Common use ldap options use_ldap: no excluded_roles: publish_all_roles server: localhost port: 60389 version: 3 login: cn=Manager,dc=openxpki,dc=org password: secret use_tls: no use_sasl: no # Multiple suffix lines are supported suffix: dc=openxpki,dc=org suffix: dc=openxpki,c=DE suffix: dc=openxpki,c=RU # These keys work if ldappublic.use_tls is set to 'yes' client_cert: no client_key: no ca_cert: no # This key works if ldappublic.use_sasl is set to 'yes' sasl_mechanism: EXTERNAL