Diffstat (limited to 'base/server/man/man5/pki_default.cfg.5')
-rw-r--r--base/server/man/man5/pki_default.cfg.567
1 files changed, 58 insertions, 9 deletions
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index 6623ce6fd..df4f94428 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -24,7 +24,13 @@ pki_default.cfg \- Certificate Server instance default config file.
This file contains the default settings for a Certificate Server instance created using \fBpkispawn\fP. This file should not be edited, as it can be modified when the Certificate Server packages are updated. Rather, when setting up a Certificate Server instance, a user-provided configuration file can provide overrides to the defaults in /etc/pki/default.cfg. See \fBpkispawn(8)\fR for details.
.SH SECTIONS
-\fIdefault.cfg\fP is divided into subsystem-based sections ([DEFAULT] for general configuration and subsystem-type sections such as [CA] and [KRA]). These sections are stacked, so that parameters read in earlier sections can be overwritten by parameters in later sections. For the Java subsystems (CA, KRA, OCSP, and TKS), the sections read are [DEFAULT], [Tomcat] and the subsystem type section -- [CA], [KRA], [OCSP], and [TKS] -- in that order. This allows the ability to specify parameters to be shared by all subsystems in [DEFAULT] or [Tomcat], and subsystem-specific upgrades in the other sections.
+\fIdefault.cfg\fP contains parameters that are grouped into sections.
+These sections are stacked, so that parameters defined in earlier sections can
+be overwritten by parameters defined in later sections. The sections are read
+in the following order: [DEFAULT], [Tomcat], and the subsystem section ([CA],
+[KRA], [OCSP], [TKS], or [TPS]). This allows the ability to specify parameters
+to be shared by all subsystems in [DEFAULT] or [Tomcat], and subsystem-specific
+customization.
.PP
There are a small number of bootstrap parameters which are passed in the configuration file by \fBpkispawn\fP. Other parameter's values can be interpolated tokens rather than explicit values. For example:
.PP
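Review bot: "This allows the ability to specify" in the new paragraph is redundant phrasing carried over from the old text; write "This makes it possible to specify parameters shared by all subsystems in [DEFAULT] or [Tomcat], and subsystem-specific overrides in the subsystem section." The rewrite also drops the old sentence explaining why [Tomcat] is read at all; keep a short clause such as "[Tomcat] holds parameters common to all subsystems deployed in Tomcat" so a reader knows which section to put a shared setting in. In the trailing context line, "Other parameter's values" should be "Other parameters' values" if this paragraph is being touched anyway.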
@@ -134,7 +140,7 @@ Nickname for the administrator certificate.
.IP
Set to True to import an existing admin certificate for the admin user, rather than generating a new one. A subsystem-specific administrator will still be created within the subsystem's LDAP tree. This is useful to allow multiple subsystems within the same instance to be more easily administered from the same browser by using a single certificate.
-By default, this is set to False for CA subsystems and true for KRA, OCSP, and TKS subsystems. In this case, the admin certificate is read from the file ca_admin.cert in \fBpki_client_dir\fP.
+By default, this is set to False for CA subsystems and true for KRA, OCSP, TKS, and TPS subsystems. In this case, the admin certificate is read from the file ca_admin.cert in \fBpki_client_dir\fP.
Note that cloned subsystems do not create a new administrative user. The administrative user of the master subsystem is used instead, and the details of this master user are replicated during the install.
.TP
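Review bot: boolean case is inconsistent in the changed line ("False for CA subsystems and true for KRA, OCSP, TKS, and TPS subsystems"); the page writes True/False elsewhere, so use "True". The following "In this case" is ambiguous now that two defaults are listed in one sentence; say "When True, the admin certificate is read from the file ca_admin.cert in pki_client_dir" so it is clear the import path applies only to the True setting.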
@@ -237,11 +243,11 @@ The security domain is a component that facilitates communication between subsys
.TP
.B pki_security_domain_hostname, pki_security_domain_https_port
.IP
-Location of the security domain. Required for KRA, OCSP, and TKS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance.
+Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance.
.TP
.B pki_security_domain_user, pki_security_domain_password
.IP
-Administrative user of the security domain. Required for KRA, OCSP, and TKS subsystems, and for CA subsystems joining a security domain. Defaults to the administrative user for the CA subsystem within the same instance (caadmin).
+Administrative user of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems, and for CA subsystems joining a security domain. Defaults to the administrative user for the CA subsystem within the same instance (caadmin).
.TP
.B pki_security_domain_name
.IP
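Review bot: the entry for pki_security_domain_user, pki_security_domain_password still documents only the user and says nothing about the password. Add a sentence stating that pki_security_domain_password is the password of that administrative user and that, because it is written into the user-provided pkispawn override file, that file should be protected accordingly (for example, mode 0600). Both changed lines also repeat the identical clause "Required for KRA, OCSP, TKS, and TPS subsystems, and for CA subsystems joining a security domain"; state it once in the security domain introduction and refer to it from each parameter, so the next subsystem added does not need the same edit in two places.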
@@ -308,7 +314,7 @@ Set to \fBTrue\fP if the subordinate CA will host its own security domain. Defa
Used when \fBpki_subordinate_create_security_domain\fP is set to \fBTrue\fP. Specifies the name of the security domain to be hosted on the subordinate CA.
.SS STANDALONE PKI PARAMETERS
-A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that does not contain a CA as a part of its deployment, and functions as its own security domain. Currently, only stand-alone DRMs are supported.
+A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that does not contain a CA as a part of its deployment, and functions as its own security domain. Currently, only stand-alone KRAs are supported.
.TP
.B pki_standalone
.IP
@@ -328,7 +334,7 @@ Will be generated by the first step of a stand-alone PKI process. This is the l
.PP
.B pki_external_storage_csr_path
.IP
-[DRM ONLY] Will be generated by the first step of a stand-alone DRM process. This is the location of the file containing the storage CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_storage.csr'.
+[KRA ONLY] Will be generated by the first step of a stand-alone KRA process. This is the location of the file containing the storage CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_storage.csr'.
.PP
.B pki_external_subsystem_csr_path
.IP
@@ -336,7 +342,7 @@ Will be generated by the first step of a stand-alone PKI process. This is the l
.PP
.B pki_external_transport_csr_path
.IP
-[DRM ONLY] Will be generated by the first step of a stand-alone DRM process. This is the location of the file containing the transport CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.csr'.
+[KRA ONLY] Will be generated by the first step of a stand-alone KRA process. This is the location of the file containing the transport CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.csr'.
.PP
.B pki_external_step_two
.IP
@@ -364,7 +370,7 @@ Required for the second step of a stand-alone PKI process. This is the location
.PP
.B pki_external_storage_cert_path
.IP
-[DRM ONLY] Required for the second step of a stand-alone DRM process. This is the location of the file containing the storage certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_storage.cert'.
+[KRA ONLY] Required for the second step of a stand-alone KRA process. This is the location of the file containing the storage certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_storage.cert'.
.PP
.B pki_external_subsystem_cert_path
.IP
@@ -372,7 +378,50 @@ Required for the second step of a stand-alone PKI process. This is the location
.PP
.B pki_external_transport_cert_path
.IP
-[DRM ONLY] Required for the second step of a stand-alone DRM process. This is the location of the file containing the transport certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.cert'.
+[KRA ONLY] Required for the second step of a stand-alone KRA process. This is the location of the file containing the transport certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.cert'.
+
+.SS TPS PARAMETERS
+.BR
+.TP
+.B pki_authdb_basedn
+.IP
+Specifies the base DN of TPS authentication database.
+.TP
+.B pki_authdb_hostname
+.IP
+Specifies the hostname of TPS authentication database. Defaults to localhost.
+.TP
+.B pki_authdb_port
+.IP
+Specifies the port number of TPS authentication database. Defaults to 389.
+.TP
+.B pki_authdb_secure_conn
+.IP
+Specifies whether to use a secure connection to TPS authentication database.
+Defaults to False.
+.TP
+.B pki_enable_server_side_keygen
+.IP
+Specifies whether to enable server-side key generation. Defaults to False.
+The location of the KRA instance should be specified in the \fBpki_kra_uri\fP
+parameter.
+.TP
+.B pki_ca_uri
+.IP
+Specifies the URI of the CA instance used by TPS to create and revoke user
+certificates. Defaults to the instance in which the TPS is running.
+.TP
+.B pki_kra_uri
+.IP
+Specifies the URI of the KRA instance used by TPS to archive and recover
+keys. Required if server-side key generation is enabled using the
+\fBpki_enable_server_side_keygen\fP parameter. Defaults to the instance in
+which the TPS is running.
+.TP
+.B pki_tks_uri
+.IP
+Specifies the URI of the TKS instance used by TPS to generate symmetric keys.
+Defaults to the instance in which the TPS is running.
.SH AUTHORS
Ade Lee <alee@redhat.com>. \fBpkispawn\fP was written by the Dogtag project.
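Review bot: pki_kra_uri is described as both "Required if server-side key generation is enabled" and "Defaults to the instance in which the TPS is running"; those cannot both hold. Either drop the default, in which case pki_enable_server_side_keygen's "should be specified in pki_kra_uri" must become "must be specified", or drop "Required" and say the default only works when a KRA is deployed in the same instance. pki_authdb_secure_conn defaults to False while pki_authdb_port defaults to 389, so TPS user authentication against the directory goes over plaintext LDAP by default; the entry should say so, and note that setting it to True normally also requires changing pki_authdb_port to the directory's TLS port. Formatting: the lone ".BR" after ".SS TPS PARAMETERS" takes no arguments and produces nothing, and the empty line before ".SS" should be ".PP" or removed, as elsewhere in this file. Minor: "base DN of TPS authentication database" and the following entries are missing "the" ("of the TPS authentication database"), and pki_authdb_basedn gives no default, so state whether it is required.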