Global¶
This document give a brief overview over the system configuration items. You find those settings in the files in the <configfir>/config.d/system directory.
Database¶
Configure the settings for the database layer. You need at least a configuration for the main database. It is possible to provide a seperate database for logging purposes, just copy the complete block from system.database.main to system.database.logging and adjust as required. If you don’t configure a logging database, the main database is used.
The general configuration block looks like:
main:
type: supported driver name
name: name of the database
host: host
port: port
user: database user
passwd: database credential
namespace: namespace (to be used with oracle)
environment:
db_driver_env_key: value
driver:
LongReadLen: 10000000
OpenXPKI supports MariaDB (MySQL), PostgreSQL and Oracle.
The namespace parameter is used only by the Oracle driver.
Options given to driver are passed to DBI as extra parameters.
Check perldoc OpenXPKI::Server::Database::Driver::<type> for more info on the parameters.
The recommended driver is MariaDB2 which uses the perl MariaDB driver module while
MariaDB internally uses the old mysql driver of perl. Depending on the OS and perl
version used this might just be an alias but we have also seen very strange issues here.
System¶
Settings about filesystem, daemon and services to start. Located at system.server
os related stuff
i18n locale settings:
i18n:
locale_directory: path to the gettext locales on your system
default_language: supported locale (e.g. en_US.utf8)
Location of the locale files and the default language used. If you set another language than C, make sure you have the correct po-files installed, otherwise OpenXPKI won’t even start! This usually only affects logging and system messages as most of the client related output uses the locale settings from the client session. We recommend using C as default.
daemon settings
Those settings determine the properties of the OpenXPKI daemon openxpkid.:
name: label for your process list, useful if you are running multiple servers.
user: Unix user to run as (numeric or name)
group: Group to run as (numeric or name)
socket_file: Location of the communication socket.
pid_file: Location of the pid file.
environment:
key: value
log4perl: path to your Log4perl configuration file (the primary system logger).
stderr: File to redirect stderr to after dettaching from console.
tmpdir: Location for temporary files, writable by the daemon.
session:
directory: Directory to store the session information.
lifetime: Lifetime of the sessions on the server side.
The socket, pidfile and stderr are created during startup while running as root. The directory must exist, be writeable by root and accessible by the user the daemon runs as. The tmpdir must be writable by the daemon user, it can be a ramfs but can grow large in high volume environments.
system internals
transport:
Simple: 1
The transport setting is reserved for future use, leave it untouched.
service:
Default:
enabled: 1
timeout: 120
SCEP:
enabled: 1
The service block lists all services to be enabled, the key is the name of the service, the enabled key is supported by all services, for all other parameters consult the concrete service documentation (perldoc OpenXPKI::Service::<ServiceName>).
multi-node support
shift: 8
node:
id: 0
data_exchange:
TODO - this is not used yet
Server Type (Fork vs. PreFork)¶
The default is Fork which create a new child on every incoming
connection, handles the current request and exits. The webui resuses the
backend connection as long as the CGI wrapper is running but most of the
other clients don’t and there require a new fork on every request.
To reuse existing childs you can set the server type to prefork which forkes of child process on server startup and reuses them for multiple connections. In server.yaml uncomment this block:
type: PreFork
prefork:
min_servers: 5
min_spare_servers: 5
max_servers: 25
max_spare_servers: 10
The option is optional, if not provided the defaults of the Net::Server module are used.
Watchdog¶
The openxpkid daemon forks a watchdog process to take care of background processes.
It is initialised with default settings, but you can provide your own values by setting them at system.watchdog.
# How to deal with exceptions
max_exception_threshhold: 10
interval_sleep_exception: 60
max_tries_hanging_workflows: 3
# Control the wait intervals
interval_wait_initial: 60
interval_loop_idle: 5
interval_loop_run: 1
# You should not change this unless you know what you are doing
max_instance_count: 1
disabled: 0
Please see perldoc OpenXPKI::Server::Watchdog for details.
Crypto layer (global)¶
Define several parameters for the basic crypto tools.
api settings
You should not need to touch this unless you are developing your own crypto classes.
tokenapi:
certsign: OpenXPKI::Crypto::Backend::API
datasafe: OpenXPKI::Crypto::Backend::API
scep: OpenXPKI::Crypto::Tool::SCEP::API
The setting denotes the name of the perl module used as backend class when using a token of the given class. Default tokens are certsign, is used for all ca operations, and datasafe, used to internally´ encrypt data. Any tokens that are not defined here, use OpenXPKI::Crypto::Backend::API by default. If you run a scep server, you must add the line for the scep module, as it does not work with the default.
configuration of the default tokens
token:
default:
backend: OpenXPKI::Crypto::Backend::OpenSSL
api: OpenXPKI::Crypto::Backend::API
engine: OpenSSL
key_store: OPENXPKI
# OpenSSL binary location
shell: /usr/bin/openssl
# OpenSSL binary call gets wrapped with this command
wrapper: ''
# random file to use for OpenSSL
randfile: /var/openxpki/rand
pkcs7:
backend: OpenXPKI::Crypto::Tool::PKCS7
api: OpenXPKI::Crypto::Tool::PKCS7::API
javaks:
backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore
api: OpenXPKI::Crypto::Tool::CreateJavaKeystore::API
If you have non-standard file locations, you might want to change the OpenSSL relevant settings here, the wrapper allows you to provide the name of a wrapper command which is commonly necessary if you use hardware security modules or other special OpenSSL eninges for your crypto operations. See the section about using HSMs for more details.
Developer note: See OpenXPKI::Crypto::TokenManager::get_system_token
PKI Realms¶
The detailed settings of each realm are given in the specific realm configuration. To use a realm you need to specify and enable it at system.realms.
democa:
label: This is just a verbose label for your CA
You should use only 7bit word characters and no spaces as name for the realm.