/[pdpsoft]/nl.nikhef.pdp.fetchcrl/tags/fetch-crl-3.0.7-1/fetch-crl.cnf.example
ViewVC logotype

Annotation of /nl.nikhef.pdp.fetchcrl/tags/fetch-crl-3.0.7-1/fetch-crl.cnf.example

Parent Directory Parent Directory | Revision Log Revision Log


Revision 2202 - (hide annotations) (download)
Tue Feb 22 07:55:17 2011 UTC (10 years, 9 months ago) by davidg
Original Path: trunk/fetchcrl/fetch-crl.cnf.example
File size: 12364 byte(s)
Add parallelism to documentation, iomprove makefile for non-GNU systems (oops)

1 davidg 1758 #
2     # EXAMPLE configuration file for Fetch-crl3
3     # @(#)$Id$
4     #
5     # configuration file fetch-crl3
6     # use SEMICOLON (;) or \001 (^A) as list separators in values
7     #
8     # ---------------------------------------------------------------------------
9 davidg 2084 # cfgdir sets the directory where subordinate configuration files are
10     # found. These files are read in addition to the main config file.
11     # The default directory is /etc/fetch-crl.d/ and is used by default, so
12     # to suppress this behaviour set this to the empty value ""
13     #
14     # cfgdir = /etc/fetch-crl.d
15     #
16     # ---------------------------------------------------------------------------
17 davidg 1758 # infoset set the location where the meta-data files (.info or .crl_url)
18     # are help by default. All trust anchors listed there are processes, so
19     # to suppress this behaviour set this to the empty value ""
20     #
21     # infodir = /etc/grid-security/certificates
22     #
23     # ---------------------------------------------------------------------------
24     # cadir sets the location where the trust anchors themselves are found, as
25     # PEM files, to be used in the CRL verification by openssl. They are usually
26     # names after the trust anchor proper name ("alias.0"), or after the filename
27     # of the trust anchor, the basename of the meta-data file name ("hash.0").
28     # It defaults to infodir
29     #
30     # cadir = /etc/grid-security/certificates
31     #
32     # ---------------------------------------------------------------------------
33     # output sets the location where the retrieved CRLs are written by default.
34     # It can be overridden on a per-output-format basis by setting the
35     # "output_<fmt>" options. It should point to a directory (even for the
36     # NSS output format. It defaults to infodir
37     #
38     # output = /etc/grid-security/certificates
39     #
40     # ---------------------------------------------------------------------------
41     # statedir points to the directory where per-CRL state files are kept. These
42     # state files record the retrieval time, last-retrieved (modification) time,
43     # best-before date and the (cached) content of the CRL. For the purposes of
44     # the CRL state, all CRL URLs for a particular trust anchor index are
45     # considered equal.
46     # If it is unset, no state is preserved, but the last-retrieved time is
47     # guessed from the modification time. If statedir does not exist, or is
48     # not writable, it is not used but silently ignored. Writeability is
49     # determined by perl's "-w" test.
50     # It defaults to /var/cache/fetch-crl
51     #
52     # statedir = /var/cache/fetch-crl
53     #
54     # ---------------------------------------------------------------------------
55     # formats lists one or more ways to write out the CRL to the output
56     # directories. It can be one or more of "openssl", "der", "pem", or "nss"
57     # in a comma-separated list.
58     # * the "openssl" format writes out "hash.rX" files, with <hash> being the
59     # first 4 bytes of the digest of the subject DN, and "X" a sequence number
60     # of the CRL starting at 0 (".r0"). When used with OpenSSL version 1.0.0
61     # or above, it can write out the CRL with two possible hash algorithms at
62     # the same time: the 'old' MD5 of the binary subject DN representation, or
63     # the 'new' SHA1 based digest of the canonical representation. Whether
64     # one or two hashes are written is determined by the "opensslmode" option.
65     # * "pem" writes out the CRL in PEM (RFC1421) format, to the file named
66     # after the "nametemplate_pem" setting (default: @ANCHORNAME@.@R@.crl.pem)
67     # in the output or output_pem directory
68     # * "der" does the same in DER binary format, to a file names
69     # after the "nametemplate_der" setting (default: @ANCHORNAME@.@R@.crl)
70     # in the output or output_der directory
71     # * "nss" adds (or replaces) the named CRL in the NSS database in
72     # <output>/<nssdbprefix>cert8.db, using the Mozilla crlutil tool
73     #
74     # formats = openssl
75     #
76     # ---------------------------------------------------------------------------
77     # specialised output directories
78     #
79     # output_pem = /etc/pki/tls/certs
80     # output_der = /var/tmp
81     # output_nss = /etc/pki/nssdb
82     #
83     # ---------------------------------------------------------------------------
84     # name templates are used to construct the file name of a CRL for installation
85     # based on the meta-data of the CA. It uses token replacement to construct
86     # a specific and unique filename. The tokens recognised are the same as those
87     # of the pre- and postpend URLs:
88     # @ANCHORNAME@ base name of the trust anchor meta-data file name
89     # @ALIAS@ alias name of the trust anchor from the info file (defaults
90     # to the @ANCHORNAME@)
91     # @R@ the sequence number of the CRL for this trust anchor
92     #
93     # nametemplate_der = @ANCHORNAME@.@R@.crl
94     # nametemplate_pem = @ANCHORNAME@.@R@.crl.pem
95     #
96     # ---------------------------------------------------------------------------
97     # catemplate has a (list of) potential names of the certificate of the
98     # trust anchor -- it is used to find the CA data for verifying the
99     # retrieved CRLs. Even if you only use NSS databases, you need a directory
100     # with PEM formatted certificates of the issuing CAs.
101     #
102     # catemplate = @ALIAS@.pem; @ALIAS@.@R@; @ANCHORNAME@.@R@
103     #
104     # ---------------------------------------------------------------------------
105     # opensslmode is used if the openssl format for output is specified and also
106     # OpenSSL version 1.0.0 or higher are used. If so, you can have the CRL data
107     # be written out twice, once with the 'old' and once with the 'new' hash style
108     # Default is dual mode, so if OpenSSL 1.x is present, by default TWO files
109     # are written
110     #
111     # opensslmode = dual
112     # opensslmode = single
113     #
114     # ---------------------------------------------------------------------------
115     # nonssverify disables the checking of imported CRLs into an NSS database.
116     # so that you can create a database withonly CRLs, and no CAs. It passes the
117     # "-B" option to the crlutil tool
118     #
119     # nonssverify
120     #
121     # ---------------------------------------------------------------------------
122 davidg 2202 # use up to <parallelism> thread in parallel to retrieve and install CRLs
123     # This feature is likely NOT COMPATIBLE with the use of NSS databases for
124     # CRLs, due to thread contention issues
125     #
126     # parallelism = 5
127     #
128     # ---------------------------------------------------------------------------
129 davidg 1758 # wait up to <randomwait> seconds before doing anything at all
130     # useful for randoming the start time and download from cron across the world
131     #
132     # randomwait = 0
133     #
134     # ---------------------------------------------------------------------------
135     # logmode defined how the log and error messages are written out:
136     # direct - print them immediately, only the message
137     # qualified - print immediately, but prexif it with the message type
138     # "WARN", "ERROR", "VERBOSE(x)", or "DEBUG(x)"
139     # cache - save messages and dump them all at once at the end
140     # syslog - write the message to system with a decent severity level
141     # using facility <syslogfacility> (default: daemon)
142     #
143     # logmode = qualified
144     #
145     # ---------------------------------------------------------------------------
146     # wait at most <httptimeout> seconds for the retrieval of a data blob
147     # from a remote URL (http, https, or ftp). The timeout covers the whole
148     # retrieval process, incliding DNS resolution. Default is 120 seconds.
149     #
150     # httptimeout = 30
151     #
152     # ---------------------------------------------------------------------------
153     # httpproxy sets the url for the HTTP proxy to use (in perl LWP style). Or
154     # use ENV to pick up the settings from the environment
155     #
156     # http_proxy = http://localhost:8001/
157     #
158     # ---------------------------------------------------------------------------
159     # nowarnings suppresses the pritning and logging or any and all warnings (but
160     # not errors or verbose messages)
161     #
162     # nowarnings
163     #
164     # ---------------------------------------------------------------------------
165     # noerrors suppresses the pritning and logging or any and all errors (but
166     # not warnings or verbose messages)
167     #
168     # noerrors
169     #
170     # ---------------------------------------------------------------------------
171     # agingtolerance sets the time in hours before retrieval warnings become
172     # errors for a CRL retrieval. If you also suppress warnings, you will
173     # prevent any annoying messages for a trust anchor for up to <hrs> hours.
174     # The IGTF currently recommends an aging tolerance of 24 hours, to allow
175     # for network disruptions and connectivity problems.
176     #
177     # agingtolerance = 24
178     #
179     # ---------------------------------------------------------------------------
180     # prepend_url URLs are tried first before using any URLs form the crl_url
181     # file or the .info crl_url (crl_url.0) fields
182     #
183     # prepend_url = file:///share/grid-security/certificates/@ALIAS@.r@R@
184     #
185     # ---------------------------------------------------------------------------
186     # postpend_url URLs are tried last, only if all URLs form the crl_url file
187     # or the .info crl_url (crl_url.0) fields have already failed or timed out
188     #
189     # postpend_url = http://dist.eugridpma.info/certificates/@ANCHORNAME@.r@R@
190     #
191     # ---------------------------------------------------------------------------
192     # path to openssl version to use
193     # openssl = /usr/bin/openssl
194     #
195     # ---------------------------------------------------------------------------
196     # path to use to find utilities like OpenSSL or crlutil. Default leaves it
197     # unmodified
198     #
199     # path = /bin:/usr/bin:/usr/ucb
200     #
201     # ---------------------------------------------------------------------------
202     # settings "backups" will trigger the generation of backup files (~ files)
203     # when writing CRLs to an output destination.
204     #
205     # backups
206     #
207     # ---------------------------------------------------------------------------
208     # stateless supresses any use of the state directory, even if it exists and
209     # is writable
210     #
211     # stateless
212     #
213     # ---------------------------------------------------------------------------
214     # override version or packager to influence the User-Agent header in http
215     # requests. But please leave them alone
216     # version = 3.0
217     # packager = EUGridPMA
218    
219     # ===========================================================================
220     # PER TRUST ANCHOR OVERRIDES
221     # ===========================================================================
222     #
223     # many settings can be overrules in a per-trust anchor section of the
224     # configuration file. For each trust anchor, only a SINGLE override
225     # section will be used. If a section names after the @ALIAS@ exists,
226     # it will take precedence over any section named after @ANCHORNAME@.
227     #
228     # To have a section work with either ".info" or ".crl_url" files, name it
229     # after the @ANCHORNAME@, since that one will be the same for both.
230     # Example: the DutchGrid CA "NIKHEF" can be either [NIKHEF] or [16da7552]
231     # (the latter is the commonly used file name), but using [16da7552] will
232     # result in the section being recognised in both cases
233     #
234     #
235     [16da7552]
236    
237     # ---------------------------------------------------------------------------
238     # agingtolerance for this trust anchor specifically. Use it if the retrieval
239     # for this CA is unreliable.
240     #
241     # agingtolerance = 12
242     #
243     # ---------------------------------------------------------------------------
244     # replace the list of CRL URLs for this CA and this CRL sequence number
245     # by a completely new set. E.g. from a different place, or a local
246     # cache, or ...
247     #
248     # crl_url.0 = http://ca.dutchgrid.nl/medium/cacrl.pem; file:///etc/grid-security/certificates/16da7552.r0
249     #
250     # ---------------------------------------------------------------------------
251     # To never hear of this CA again, suppress both errors and warnings:
252     #noerrors
253     #nowarnings
254     #
255     # ---------------------------------------------------------------------------
256 davidg 1878 # Do not process symlinked meta-data, preventing triple downloads with
257     # the new-format IGTF distribution before release 1.37 (1.33 up to and
258     # including 1.36 also symlinked the .info file to the hash names)
259     #nosymlinks
260     #
261     # ---------------------------------------------------------------------------
262 davidg 1758 # You can also (un) set the following on a per-trust anchor basis:
263     #
264     # (no)prepend_url (no)postpend_url (no)http_proxy (no)statedir --
265     # either remove a global setting, or put in a new setting with value
266     #
267     # (no)warnings (no)noerrors (no)nocache --
268     # override a global setting (no value possible)
269     #
270     # agingtolerance httptimeout nametemplate_der nametemplate_pem
271     # cadir catemplate
272     # set these to a local value (but they cannot be unset)
273     #
274     #
275     # Share and enjoy -- and remember that up to 7 verbosity levels are
276     # significant :-) "-vvvvvvvv" is a useful option ...
277     #
278     #

grid.support@nikhef.nl
ViewVC Help
Powered by ViewVC 1.1.28