Contents of /nl.nikhef.pdp.fetchcrl/tags/fetch-crl-3.0.18/fetch-crl.cnf.example

Revision 3135
Mon Nov 14 12:33:38 2016 UTC by davidg
File size: 16186 byte(s)
Tagged version 3.0.18 with postprocessing hooks

#
# EXAMPLE configuration file for Fetch-crl3
# @(#)$Id$
#
# configuration file fetch-crl3
# use SEMICOLON (;) or \001 (^A) as list separators in values
#
# ---------------------------------------------------------------------------
# cfgdir sets the directory where subordinate configuration files are
# found. These files are read in addition to the main config file.
# The default directory is /etc/fetch-crl.d/ and is used by default, so
# to suppress this behaviour set this to the empty value ""
#
# cfgdir = /etc/fetch-crl.d
#
# ---------------------------------------------------------------------------
# infodir sets the location where the meta-data files (.info or .crl_url)
# are held by default. All trust anchors listed there are processed, so
# to suppress this behaviour set this to the empty value ""
#
# infodir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# cadir sets the location where the trust anchors themselves are found, as
# PEM files, to be used in the CRL verification by openssl. They are usually
# named after the trust anchor proper name ("alias.0"), or after the filename
# of the trust anchor, the basename of the meta-data file name ("hash.0").
# It defaults to infodir
#
# cadir = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# output sets the location where the retrieved CRLs are written by default.
# It can be overridden on a per-output-format basis by setting the
# "output_<fmt>" options. It should point to a directory (even for the
# NSS output format). It defaults to infodir
#
# output = /etc/grid-security/certificates
#
# ---------------------------------------------------------------------------
# statedir points to the directory where per-CRL state files are kept. These
# state files record the retrieval time, last-retrieved (modification) time,
# best-before date and the (cached) content of the CRL. For the purposes of
# the CRL state, all CRL URLs for a particular trust anchor index are
# considered equal.
# If it is unset, no state is preserved, but the last-retrieved time is
# guessed from the modification time. If statedir does not exist, or is
# not writable, it is not used but silently ignored. Writability is
# determined by perl's "-w" test.
# It defaults to /var/cache/fetch-crl
#
# statedir = /var/cache/fetch-crl
#
# ---------------------------------------------------------------------------
# formats lists one or more ways to write out the CRL to the output
# directories. It can be one or more of "openssl", "der", "pem", or "nss"
# in a comma-separated list.
# * the "openssl" format writes out "hash.rX" files, with <hash> being the
#   first 4 bytes of the digest of the subject DN, and "X" a sequence number
#   of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0
#   or above, it can write out the CRL with two possible hash algorithms at
#   the same time: the 'old' MD5 of the binary subject DN representation, or
#   the 'new' SHA1 based digest of the canonical representation. Whether
#   one or two hashes are written is determined by the "opensslmode" option.
# * "pem" writes out the CRL in PEM (RFC1421) format, to the file named
#   after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem)
#   in the output or output_pem directory
# * "der" does the same in DER binary format, to a file named
#   after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl)
#   in the output or output_der directory
# * "nss" adds (or replaces) the named CRL in the NSS database in
#   <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool
#
# formats = openssl
#
# ---------------------------------------------------------------------------
# specialised output directories
#
# output_pem = /etc/pki/tls/certs
# output_der = /var/tmp
# output_nss = /etc/pki/nssdb
#
# ---------------------------------------------------------------------------
# name templates are used to construct the file name of a CRL for installation
# based on the meta-data of the CA. It uses token replacement to construct
# a specific and unique filename. The tokens recognised are the same as those
# of the pre- and postpend URLs:
#   @ANCHORNAME@  base name of the trust anchor meta-data file name
#   @ALIAS@       alias name of the trust anchor from the info file (defaults
#                 to the @ANCHORNAME@)
#   @R@           the sequence number of the CRL for this trust anchor
#
# nametemplate_der = @ANCHORNAME@.@R@.crl
# nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
#
# ---------------------------------------------------------------------------
# catemplate has a (list of) potential names of the certificate of the
# trust anchor -- it is used to find the CA data for verifying the
# retrieved CRLs. Even if you only use NSS databases, you need a directory
# with PEM formatted certificates of the issuing CAs.
#
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
#
# When @HASH@ (c_hash from default OpenSSL version as based on the retrieved
# CRL) is used in this template list, a CRL will *always* be retrieved first,
# even if no corresponding trust anchor is found later. Use of @HASH@ is
# only recommended in case the name of the crl_url or info file is different
# from the name of the trust anchor.
#
# catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@; @HASH@.0
#
# ---------------------------------------------------------------------------
# opensslmode is used if the openssl format for output is specified and also
# OpenSSL version 1.0.0 or higher is used. If so, you can have the CRL data
# be written out twice, once with the 'old' and once with the 'new' hash style.
# Default is dual mode, so if OpenSSL 1.x is present, by default TWO files
# are written
#
# opensslmode = dual
# opensslmode = single
#
# ---------------------------------------------------------------------------
# nonssverify disables the checking of imported CRLs into an NSS database,
# so that you can create a database with only CRLs, and no CAs. It passes the
# "-B" option to the crlutil tool
#
# nonssverify
#
# ---------------------------------------------------------------------------
# use up to <parallelism> threads in parallel to retrieve and install CRLs.
# This feature is likely NOT COMPATIBLE with the use of NSS databases for
# CRLs, due to thread contention issues
#
# parallelism = 5
#
# ---------------------------------------------------------------------------
# wait up to <randomwait> seconds before doing anything at all;
# useful for randomising the start time and download from cron across the world
#
# randomwait = 0
#
# ---------------------------------------------------------------------------
# logmode defines how the log and error messages are written out:
#   direct    - print them immediately, only the message
#   qualified - print immediately, but prefix it with the message type
#               "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)"
#   cache     - save messages and dump them all at once at the end
#   syslog    - write the message to syslog with a decent severity level
#               using facility <syslogfacility> (default: daemon)
#
# logmode = qualified
#
# ---------------------------------------------------------------------------
# wait at most <httptimeout> seconds for the retrieval of a data blob
# from a remote URL (http, https, or ftp). The timeout covers the whole
# retrieval process, including DNS resolution. Default is 120 seconds.
#
# httptimeout = 30
#
# ---------------------------------------------------------------------------
# http_proxy sets the URL for the HTTP proxy to use (in perl LWP style). Or
# use ENV to pick up the settings from the environment
#
# http_proxy = http://localhost:8001/
#
# ---------------------------------------------------------------------------
# nowarnings suppresses the printing and logging of any and all warnings (but
# not errors or verbose messages)
#
# nowarnings
#
# ---------------------------------------------------------------------------
# noerrors suppresses the printing and logging of any and all errors (but
# not warnings or verbose messages). It also suppresses retrieval errors.
#
# noerrors
#
# ---------------------------------------------------------------------------
# rcmode determines if the return code of fetch-crl will be influenced by
# CRL retrieval errors. If rcmode is "normal" (default), any reported errors
# will cause the return exit status to be "1".
#   normal            - both retrieval and other errors set exit code 1
#   differentiated    - retrieval errors result in exit code 2, presence
#                       of any other reported errors results in exit 1
#   noretrievalerrors - retrieval errors only result in exit code 0, presence
#                       of any other reported errors results in exit 1
# Note that setting "noerrors" will suppress retrieval errors entirely!
#
# rcmode = normal
#
# ---------------------------------------------------------------------------
# noquiet ignores a single "-q" option on the commandline and honours the
# verbosity set here even if -q is specified. To counter this setting, give
# at least two (2) "-q" arguments
#
# noquiet
#
# ---------------------------------------------------------------------------
# agingtolerance sets the time in hours before retrieval warnings become
# errors for a CRL retrieval. If you also suppress warnings, you will
# prevent any annoying messages for a trust anchor for up to <hrs> hours.
# The IGTF currently recommends an aging tolerance of 24 hours, to allow
# for network disruptions and connectivity problems.
#
# agingtolerance = 24
#
# ---------------------------------------------------------------------------
# cache_control_request sends a cache-control max-age hint towards the
# server in the HTTP request, that suggests to intermediate caches and
# reverse proxies to cache CRL replies no longer than the specified time.
# This control is a hint towards caching servers and CDNs and cannot be
# enforced. It does NOT affect the cache local to fetch-crl.
# Default is unset, and no Cache-control header will be sent unless this
# config option is specified
#
# cache_control_request = 3600
#
# ---------------------------------------------------------------------------
# prepend_url URLs are tried first before using any URLs from the crl_url
# file or the .info crl_url (crl_url.0) fields
#
# prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
#
# ---------------------------------------------------------------------------
# postpend_url URLs are tried last, only if all URLs from the crl_url file
# or the .info crl_url (crl_url.0) fields have already failed or timed out
#
# postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
#
# ---------------------------------------------------------------------------
# path to openssl version to use
# openssl = /usr/bin/openssl
#
# ---------------------------------------------------------------------------
# path to use to find utilities like OpenSSL or crlutil. Default leaves it
# unmodified
#
# path = /bin:/usr/bin:/usr/ucb
#
# ---------------------------------------------------------------------------
# setting "backups" will trigger the generation of backup files (~ files)
# when writing CRLs to an output destination.
#
# backups
#
# ---------------------------------------------------------------------------
# stateless suppresses any use of the state directory, even if it exists and
# is writable
#
# stateless
#
# ---------------------------------------------------------------------------
# By default, the perl LWP library does not use IPv6 network sockets. The
# perl module Net::INET6Glue::INET6_as_INET can mitigate this behaviour
# by re-mapping all INET socket calls to INET6 socket calls. If you have
# the Net::INET6Glue module installed, you may enable this flag in the
# configuration. Note: the Net::INET6Glue module MUST be installed for this
# flag to work. Installation of this module is optional and it does not
# ship by default with fetch-crl3. You can obtain this module from CPAN.
#
# inet6glue
#
# ---------------------------------------------------------------------------
# To run a script after the completion of every fetch-crl run, set this
# path to point to an executable. The named program will be invoked
# with the following arguments
#   "v1" "global" <infodir-path> <cadir-path> <output-path>
# - return code of the program will influence return status of fetch-crl
# - this must be a program path - no arguments are allowed here. Use wrapping
#   in a script if you must pass your own arguments as well
#
# postexec = <path>
#
# ---------------------------------------------------------------------------
# override version or packager to influence the User-Agent header in http
# requests. But please leave them alone
# version = 3.0
# packager = EUGridPMA

# ===========================================================================
# PER TRUST ANCHOR OVERRIDES
# ===========================================================================
#
# many settings can be overridden in a per-trust anchor section of the
# configuration file. For each trust anchor, only a SINGLE override
# section will be used. If a section named after the @ALIAS@ exists,
# it will take precedence over any section named after @ANCHORNAME@.
#
# To have a section work with either ".info" or ".crl_url" files, name it
# after the @ANCHORNAME@, since that one will be the same for both.
# Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552]
# (the latter is the commonly used file name), but using [16da7552] will
# result in the section being recognised in both cases
#
#
[16da7552]

# ---------------------------------------------------------------------------
# agingtolerance for this trust anchor specifically. Use it if the retrieval
# for this CA is unreliable.
#
# agingtolerance = 12
#
# ---------------------------------------------------------------------------
# replace the list of CRL URLs for this CA and this CRL sequence number
# by a completely new set. E.g. from a different place, or a local
# cache, or ...
#
# crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0
#
# ---------------------------------------------------------------------------
# To never hear of this CA again, suppress both errors and warnings:
#noerrors
#nowarnings
#
# ---------------------------------------------------------------------------
# Do not process symlinked meta-data, preventing triple downloads with
# the new-format IGTF distribution before release 1.37 (1.33 up to and
# including 1.36 also symlinked the .info file to the hash names)
#nosymlinks
#
# ---------------------------------------------------------------------------
# To run a script after the successful completion of each CRL retrieval, set
# this path to point to an executable. The named program will be invoked
# with the following arguments
#   "v1" "ta" <ta-alias> <infofilename> <cadir-path> <output-path>
# - return code of the program will influence return status of fetch-crl
# - program may run IN PARALLEL, so should be written to permit concurrent
#   execution
# - this must be a program path - no arguments are allowed here. Use wrapping
#   in a script if you must pass your own arguments as well
#
# postexec = <path>
#
# ---------------------------------------------------------------------------
# You can also (un)set the following on a per-trust anchor basis:
#
# (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir --
#     either remove a global setting, or put in a new setting with value
#
# (no)warnings (no)noerrors (no)nocache --
#     override a global setting (no value possible)
#
# agingtolerance httptimeout nametemplate_der nametemplate_pem
# cadir catemplate
#     set these to a local value (but they cannot be unset)
#
#
# Share and enjoy -- and remember that up to 7 verbosity levels are
# significant :-) "-vvvvvvvv" is a useful option ...
#
#
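The per-trust-anchor override rules above (a single section per anchor, a section named after @ALIAS@ winning over one named after @ANCHORNAME@, and bare "no<key>" lines removing a global setting), together with the ";"/^A list separators noted at the top of the file and the @ANCHORNAME@/@ALIAS@/@R@ template tokens, as an added Python example. This is not fetch-crl's own Perl parser: the sample configuration, the CA host ca.example.invalid, the choice of which keys are lists (every crl_url.N among them) and the exact semantics assumed for "no<key>" inside a section are assumptions made for the example.

```python
import re

# Constructed sample configuration in the fetch-crl.cnf syntax described on
# this page; it is not the project's shipped example file. Lines starting
# with '#' are comments, bare keys are flags, and list values are separated
# by ';' or by the \001 (^A) character.
SAMPLE_CNF = """\
formats = openssl; pem
agingtolerance = 24
prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
nowarnings

[NIKHEF]
# alias section: wins over [16da7552] when the .info file gives alias NIKHEF
agingtolerance = 12
noprepend_url
nonowarnings
crl_url.0 = http://ca.example.invalid/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0

[16da7552]
# anchor-name section: used only when no alias section matches
agingtolerance = 6
"""

LIST_SEP = re.compile(r"[;\x01]")          # ';' or ^A, as the header comment says
SECTION_RE = re.compile(r"^\[(.+)\]$")
TOKEN_RE = re.compile(r"@(ANCHORNAME|ALIAS|R)@")
# Keys this example treats as lists (assumption: any crl_url.N key is a list too).
LIST_KEYS = {"formats", "catemplate", "prepend_url", "postpend_url"}
# Per the page, these can be overridden per trust anchor but never unset.
NOT_UNSETTABLE = {"agingtolerance", "httptimeout", "nametemplate_der",
                  "nametemplate_pem", "cadir", "catemplate"}


def parse_cnf(text):
    """Parse the global settings and the per-trust-anchor [sections]."""
    global_settings, sections = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in LIST_KEYS or key.startswith("crl_url"):
                value = [p.strip() for p in LIST_SEP.split(value) if p.strip()]
            current[key] = value
        else:
            current[line] = True                 # bare flag such as "nowarnings"
    return global_settings, sections


def effective_settings(global_settings, sections, anchorname, alias=None):
    """Apply the single override section for one trust anchor.

    The alias defaults to the anchor name; a section named after the alias
    takes precedence over one named after the anchor name, and only one
    section is used. Assumed semantics for a bare "no<key>" line: it removes
    a global <key> (unless <key> is in NOT_UNSETTABLE), otherwise it is a flag.
    """
    effective = dict(global_settings)
    alias = alias or anchorname
    override = next((sections[n] for n in (alias, anchorname) if n in sections), None)
    if override is None:
        return effective
    for key, value in override.items():
        base = key[2:]
        if value is True and key.startswith("no") and base in effective:
            if base not in NOT_UNSETTABLE:
                del effective[base]
        else:
            effective[key] = value
    return effective


def expand_template(template, anchorname, alias=None, r=0):
    """Expand the @ANCHORNAME@, @ALIAS@ and @R@ tokens of a name or URL template."""
    values = {"ANCHORNAME": anchorname, "ALIAS": alias or anchorname, "R": str(r)}
    return TOKEN_RE.sub(lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    g, s = parse_cnf(SAMPLE_CNF)
    for anchor, alias in (("16da7552", "NIKHEF"), ("16da7552", None), ("a1b2c3d4", None)):
        e = effective_settings(g, s, anchor, alias)
        print(alias or anchor, e.get("agingtolerance"), e.get("prepend_url"), e.get("nowarnings"))
    print(expand_template(g["prepend_url"][0], "16da7552", "NIKHEF", 0))
```

Running it shows the point of the precedence rule: the same anchor resolves to different settings depending on whether its .info file carries the alias NIKHEF (the [NIKHEF] section, which also drops the global prepend_url and re-enables warnings) or is known only by its hash name (the [16da7552] section).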

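The interplay of agingtolerance, nowarnings/noerrors and rcmode described in the sections above, as an added Python example that is not code from fetch-crl: it classifies each anchor's retrieval result against the age of the last good copy (as a statedir state file would record it), emits "qualified"-style log lines, and derives the exit status. The anchor results are constructed; that an anchor with no cached copy at all counts as an error, and that "other" errors outrank retrieval errors in differentiated mode, are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed per-trust-anchor retrieval results for one run (not real CAs):
# (anchor name, did retrieval fail this run?, time of the last successful
# retrieval as a statedir state file would record it, or None if never).
NOW = datetime(2016, 11, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE_RUN = [
    ("16da7552",    False, NOW - timedelta(hours=1)),
    ("exampleca-a", True,  NOW - timedelta(hours=6)),    # inside a 24h tolerance
    ("exampleca-b", True,  NOW - timedelta(hours=30)),   # beyond it
    ("exampleca-c", True,  None),                        # no cached state at all
]


def classify_anchor(failed, last_ok, now, aging_hours):
    """'ok', or 'warning' while the last good copy is within the tolerance, else 'error'.

    Assumption: an anchor without any successful retrieval on record is an error.
    """
    if not failed:
        return "ok"
    if last_ok is not None and now - last_ok <= timedelta(hours=aging_hours):
        return "warning"
    return "error"


def exit_status(retrieval_errors, other_errors, rcmode="normal", noerrors=False):
    """Map error counts to the exit code for the three rcmode values on the page."""
    if noerrors:                      # "noerrors" suppresses retrieval errors entirely
        retrieval_errors = 0
    if rcmode == "normal":
        return 1 if (retrieval_errors or other_errors) else 0
    if rcmode == "differentiated":    # assumption: other errors (1) outrank retrieval errors (2)
        return 1 if other_errors else (2 if retrieval_errors else 0)
    if rcmode == "noretrievalerrors":
        return 1 if other_errors else 0
    raise ValueError(f"unknown rcmode {rcmode!r}")


def run_report(results, now, aging_hours=24, rcmode="normal",
               nowarnings=False, noerrors=False, other_errors=0):
    """Produce the 'qualified' log lines for a run and the resulting exit code."""
    messages, retrieval_errors = [], 0
    for name, failed, last_ok in results:
        state = classify_anchor(failed, last_ok, now, aging_hours)
        if state == "warning" and not nowarnings:
            age = int((now - last_ok).total_seconds() // 3600)
            messages.append(f"WARN: {name}: CRL retrieval failed, cached copy is {age}h old")
        elif state == "error":
            retrieval_errors += 1
            if not noerrors:
                messages.append(f"ERROR: {name}: CRL retrieval failed beyond the {aging_hours}h aging tolerance")
    return messages, exit_status(retrieval_errors, other_errors, rcmode, noerrors)


if __name__ == "__main__":
    for mode in ("normal", "differentiated", "noretrievalerrors"):
        msgs, rc = run_report(SAMPLE_RUN, NOW, rcmode=mode)
        print(mode, "-> exit", rc)
        for m in msgs:
            print("  ", m)
```

The worth-knowing case is the combination the page warns about: with noerrors set, the anchors whose cached CRL is past the tolerance still fail to refresh, but they no longer appear in the log nor in the exit code, so a cron job that only checks the return status will not notice a stale CRL.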