Diffstat (limited to 'pki/base/tps/doc/CS.cfg')
-rw-r--r-- | pki/base/tps/doc/CS.cfg | 52 |
1 files changed, 46 insertions, 6 deletions
diff --git a/pki/base/tps/doc/CS.cfg b/pki/base/tps/doc/CS.cfg
index 57bedb8e8..5d80edde0 100644
--- a/pki/base/tps/doc/CS.cfg
+++ b/pki/base/tps/doc/CS.cfg
@@ -74,22 +74,46 @@ logging._036=# at this level
 logging._037=# 9 - LL_ALL_DATA_IN_PDU dump all the data in the PDU - a more
 logging._038=# chatty version of the above
 logging._039=# 10 - all logging
-logging._040=#########################################
+logging._040=# logging.audit.buffer.size: # in bytes
+logging._041=# logging.audit.flush.interval: # in seconds, 0 disables flush thread
+logging._042=# logging.*.file.type:
+logging._043=# - file type: RollingLogFile or LogFile
+logging._044=# logging.*.rolloverInterval:
+logging._045=# - interval to roll over logs (seconds), 0 to disable rollover
+logging._046=# logging.*.maxFileSize:
+logging._047=# - size at which file rollover occurs, in kB
+logging._048=# logging.*.expirationTime:
+logging._049=# - maximum age of log, older unmodified logs are deleted( in seconds, 0 to disable)
+logging._050=#########################################
 logging.debug.enable=true
 logging.debug.filename=[SERVER_ROOT]/logs/tps-debug.log
 logging.debug.level=10
+logging.debug.file.type=RollingLogFile
+logging.debug.maxFileSize=2000
+logging.debug.rolloverInterval=2592000
+logging.debug.expirationTime=0
 logging.audit.enable=true
 logging.audit.filename=[SERVER_ROOT]/logs/tps-audit.log
 logging.audit.signedAuditFilename=[SERVER_ROOT]/logs/signedAudit/tps_audit
 logging.audit.level=10
 logging.audit.logSigning=false
 logging.audit.signedAuditCertNickname=auditSigningCert cert-[INSTANCE_ID]
-logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,CONFIG_SIGNED_AUDIT,ENROLLMENT,PIN_RESET,FORMAT,UPGRADE
-logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,CONFIG_SIGNED_AUDIT,ENROLLMENT,PIN_RESET,FORMAT,UPGRADE
+logging.audit.selected.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+logging.audit.selectable.events=AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
 logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
+logging.audit.buffer.size=512
+logging.audit.flush.interval=5
+logging.audit.file.type=RollingLogFile
+logging.audit.maxFileSize=2000
+logging.audit.rolloverInterval=2592000
+logging.audit.expirationTime=0
 logging.error.enable=true
 logging.error.filename=[SERVER_ROOT]/logs/tps-error.log
 logging.error.level=10
+logging.error.file.type=RollingLogFile
+logging.error.maxFileSize=2000
+logging.error.rolloverInterval=2592000
+logging.error.expirationTime=0
 conn.ca1._000=#########################################
 conn.ca1._001=# CA connection
 conn.ca1._002=#
@@ -592,6 +616,10 @@ op.enroll.userKey._076=# Make sure the profile specified by the profileId to hav
 op.enroll.userKey._077=# short validity period (eg, 7 days) for the certificate.
 op.enroll.userKey._078=#########################################
 op.enroll.allowUnknownToken=true
+#The three recovery schemes supported are:
+# GenerateNewKey - Generate a new cert for the encryption cert.
+# RecoverLast - Recover the most recent cert for the encryption cert.
+# GenerateNewKeyandRecoverLast - Generate new cert AND recover last for encryption cert.
 op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
 op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
 op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
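Review bot: `CONFIG_SIGNED_AUDIT` and `UPGRADE` disappear from `logging.audit.selected.events` and `logging.audit.selectable.events` while `CONFIG_AUDIT` and `APPLET_UPGRADE` appear, but the expanded `logging._040`–`logging._049` header says nothing about the change of names. If the server matches event names literally (not visible in this diff), an instance that carries the old names forward would stop auditing changes to the audit configuration itself. I would add a header line such as `# logging.audit.selected.events: CONFIG_SIGNED_AUDIT and UPGRADE are now CONFIG_AUDIT and APPLET_UPGRADE`. Separately, `logging.debug.level=10` combined with `logging.debug.expirationTime=0` keeps the most verbose debug output on disk indefinitely; never expiring suits the audit log, but the debug log would be safer with a non-zero expiry.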
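Review bot: The four added lines are bare `#` comments, while every other comment in this file is a numbered pseudo-key such as `op.enroll.userKey._077=# …`; if the server rewrites CS.cfg from its parsed key/value set (worth confirming), bare comments would be lost on the first save. They also sit directly above `op.enroll.userKey.temporaryToken.tokenType`, which is not a scheme setting, and never name the key that accepts `GenerateNewKey`, `RecoverLast` or `GenerateNewKeyandRecoverLast`. Since the choice decides whether an archived encryption key is restored onto a replacement token, I would move the text into the numbered header block and name the key it documents. The two bare comment lines added above `op.enroll.userKey.renewal.encryption.certId=C2` in the `@@ -884,6 +912,8 @@` hunk have the same form.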
@@ -884,6 +912,8 @@ op.enroll.userKey.renewal.keyType.value.0=signing
 op.enroll.userKey.renewal.keyType.value.1=encryption
 op.enroll.userKey.renewal.signing.enable=true
 op.enroll.userKey.renewal.signing.certId=C1
+#encryption certId values for completeness only
+#server code calculates actual values used.
 op.enroll.userKey.renewal.encryption.certId=C2
 op.enroll.userKey.renewal.signing.certAttrId=c1
 op.enroll.userKey.renewal.encryption.certAttrId=c2
@@ -1394,7 +1424,16 @@ tokendb._062=# - If not present, re-enrollment is allowed.
 tokendb._063=# - If present, re-enrollment is allowed when RE_ENROLL
 tokendb._064=# is set to YES. Otherwise, re-enrollment is not
 tokendb._065=# allowed.
-tokendb._066=#########################################
+tokendb._066=# tokendb.allowedTransitions:
+tokendb._067=# - has transitions between the following states
+tokendb._068=# TOKEN_UNINITIALIZED = 0,
+tokendb._069=# TOKEN_DAMAGED =1,
+tokendb._070=# TOKEN_PERM_LOST=2,
+tokendb._071=# TOKEN_TEMP_LOST=3,
+tokendb._072=# TOKEN_FOUND =4,
+tokendb._073=# TOKEN_TEMP_LOST_PERM_LOST =5,
+tokendb._074=# TOKEN_TERMINATED = 6
+tokendb._075=#########################################
 tokendb.auditLog=[SERVER_ROOT]/logs/tokendb-audit.log
 tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
 tokendb.ssl=false
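Review bot: The new `tokendb._066`–`tokendb._074` block lists the numeric state codes but does not describe the value syntax or what happens to a transition that is not listed, or when `tokendb.allowedTransitions` is absent altogether. For a setting that gates token lifecycle changes, an administrator needs to know whether the list is an allow-list that fails closed. Judging by the value set in the last hunk, the format is presumably comma-separated `from:to` pairs, so a line such as `# - comma-separated <from>:<to> pairs, e.g. 3:4 = TOKEN_TEMP_LOST to TOKEN_FOUND` would help, together with one stating the default behaviour once that is confirmed against the server code. The uneven spacing around `=` in the state lines is cosmetic.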
@@ -1439,6 +1478,7 @@ tokendb.editUserTemplate=editUser.template
 tokendb.indexOperatorTemplate=indexOperator.template
 tokendb.auditAdminTemplate=auditAdmin.template
 target.tokenType.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
-log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE
-log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST
+log.instance.SignedAudit.selected.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
+log.instance.SignedAudit.selectable.events=ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL
 log.instance.SignedAudit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
+tokendb.allowedTransitions=0:1,0:2,0:3,0:4,0:5,0:6,3:4,3:5,3:6,4:1,4:2,4:3,4:6 |
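Review bot: `CONFIG_ROLE` now appears twice in both `log.instance.SignedAudit.selected.events` and `log.instance.SignedAudit.selectable.events`, because it was already in each list and is appended again with the new names; the appended tail should read `CONFIG,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL`. These lists also keep `CONFIG_SIGNED_AUDIT` alongside the new `CONFIG_AUDIT`, whereas the `logging.audit.*.events` lists in the first hunk drop it, so the two audit selections disagree on which name covers audit-configuration changes. Finally, `tokendb.allowedTransitions` is added as the last line of the file, after the `log.instance.*` keys and far from the other `tokendb.*` settings and the header that documents it. Placing it next to `tokendb.auditLog` would make the token state policy easier to find and review.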