summaryrefslogtreecommitdiffstats
path: root/base/deploy/etc/default.cfg
diff options
context:
space:
mode:
Diffstat (limited to 'base/deploy/etc/default.cfg')
-rw-r--r--base/deploy/etc/default.cfg315
1 files changed, 315 insertions, 0 deletions
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
new file mode 100644
index 000000000..abd0fb441
--- /dev/null
+++ b/base/deploy/etc/default.cfg
@@ -0,0 +1,315 @@
+###############################################################################
+## Default Configuration: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## There are also some meta-parameters that determine how the PKI ##
+## configuratiion should work. ##
+## ##
+###############################################################################
+[DEFAULT]
+
+# The sensitive_parameters contains a list of parameters which may contain
+# sensitive information which must not be displayed to the console nor stored
+# in log files for security reasons.
+sensitive_parameters=
+ pki_admin_password
+ pki_backup_password
+ pki_client_database_password
+ pki_client_pin
+ pki_client_pkcs12_password
+ pki_clone_pkcs12_password
+ pki_ds_password
+ pki_one_time_pin
+ pki_pin
+ pki_security_domain_password
+ pki_token_password
+
+# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
+spawn_scriplets=
+ initialization
+ infrastructure_layout
+ instance_layout
+ subsystem_layout
+ selinux_setup
+ webapp_deployment
+ slot_substitution
+ security_databases
+ configuration
+ finalization
+
+# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
+destroy_scriplets=
+ initialization
+ configuration
+ webapp_deployment
+ subsystem_layout
+ security_databases
+ instance_layout
+ selinux_setup
+ infrastructure_layout
+ finalization
+
+# By default, the following parameters will be set for Tomcat and Apache instances.
+# There is no reason to uncomment these. They are provided for reference in
+# case someone wants to override them in their config file.
+#
+# Tomcat instances:
+# pki_subsystem_name=pki_tomcat
+# pki_https_port=8443
+# pki_http_port=8080
+#
+# Apache instances:
+# pki_subsystem_name=pki_tomcat
+# pki_https_port=443
+# pki_http_port=80
+
+pki_admin_cert_request_type=crmf
+pki_admin_dualkey=False
+pki_admin_keysize=2048
+pki_admin_password=
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_token=Internal Key Storage Token
+pki_backup_keys=False
+pki_backup_password=
+pki_client_database_dir=
+pki_client_database_password=
+pki_client_database_purge=True
+pki_client_dir=
+pki_client_pkcs12_password=
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_password=
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_instance_id=%(pki_instance_name)s
+pki_issuing_ca=
+pki_restart_configured_instance=True
+pki_security_domain_hostname=%(pki_hostname)s
+pki_security_domain_https_port=8443
+pki_security_domain_name=%(pki_dns_domainname)s Security Domain
+pki_security_domain_password=
+pki_security_domain_user=
+pki_skip_configuration=False
+pki_skip_installation=False
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
+pki_ssl_server_token=Internal Key Storage Token
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_token=Internal Key Storage Token
+pki_token_name=internal
+pki_token_password=
+pki_user=pkiuser
+
+###############################################################################
+## Apache Configuration: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+
+###############################################################################
+## Tomcat Configuration: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8009
+pki_clone=False
+pki_clone_pkcs12_password=
+pki_clone_pkcs12_path=
+pki_clone_replicate_schema=True
+pki_clone_replication_master_port=
+pki_clone_replication_clone_port=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=true
+pki_tomcat_server_port=8005
+
+###############################################################################
+## CA Configuration: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s CA
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
+pki_ca_signing_token=Internal Key Storage Token
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_import_admin_cert=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s CA
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_subordinate=False
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=caadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s CA
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-CA
+pki_ds_database=%(pki_instance_name)s-CA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
+pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+
+###############################################################################
+## KRA Configuration: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_import_admin_cert=True
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
+pki_storage_token=Internal Key Storage Token
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
+pki_transport_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=kraadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s KRA
+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-KRA
+pki_ds_database=%(pki_instance_name)s-KRA
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
+pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## OCSP Configuration: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_import_admin_cert=True
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
+pki_ocsp_signing_token=Internal Key Storage Token
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=ocspadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s OCSP
+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-OCSP
+pki_ds_database=%(pki_instance_name)s-OCSP
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
+pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## RA Configuration: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+
+###############################################################################
+## TKS Configuration: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_import_admin_cert=True
+pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
+pki_admin_name=%(pki_admin_uid)s
+pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
+pki_admin_uid=tksadmin
+pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_id)s TKS
+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
+pki_ds_base_dn=o=%(pki_instance_id)s-TKS
+pki_ds_database=%(pki_instance_name)s-TKS
+pki_ds_hostname=%(pki_hostname)s
+pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
+pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+
+###############################################################################
+## TPS Configuration: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]