     1---
     2# Tokens on which signing keys can be found. Each configured key refers to a token by name.
     3tokens:
     4
     5  # Use a PKCS#11 library as a token
     6  mytoken:
     7    # Full path to provider library
     8    provider: /usr/lib64/softhsm/libsofthsm.so
     9
    10    # Optional selectors to pick a token from those the provider offers
    11    label: alpha
    12    serial: 99999
    13
    14    # PIN is optional for command-line use, but required for servers. See also 'pinfile'.
    15    pin: 123456
    16    #pin: "" # blank PIN, without prompting
    17
    18    # If true, try to save the PIN in the system keyring (command-line only)
    19    #usekeyring: false
    20
    21    # Optional login user. Useful values:
    22    # 0 - CKU_SO
    23    # 1 - CKU_USER (default)
    24    # 2 - CKU_CONTEXT_SPECIFIC, SafeNet: CKU_AUDIT
    25    # 0x80000001 - SafeNet: CKU_LIMITED_USER
    26    #user: 1
    27
    28    # Optional parameters for server mode
    29    #timeout: 60  # Terminate each attempt after N seconds (default: 60)
    30    #retries: 5   # Retry failed commands N times (default: 5)
    31
    32  # Use GnuPG scdaemon as a token
    33  myscd:
    34    type: scdaemon
    35    # Optionally specify the scdaemon socket path. If not provided then the
    36    # default will be used.
    37    provider: /run/myscd/S.scdaemon
    38
    39    # Optional serial number of the expected card.
    40    serial: D99999999999999999999
    41
    42    # PIN is optional for command-line use, but required for servers. See also 'pinfile'.
    43    pin: 123456
    44
    45  # Use private key files as a "token". The path to the key is specified in the key section(s)
    46  file:
    47    type: file
    48    # If the private key is protected with a password, specify it here
    49    pin: password
    50
    51# Keys that can be used for signing
    52keys:
    53
    54  my_token_key:
    55    # Which token, defined above, to find the key on
    56    token: mytoken
    57
    58    # Optional selectors to pick a key from those in the token
    59    # CKA_LABEL:
    60    label: "label"
    61    # CKA_ID:
    62    id: 00112233
    63
    64    # Path to a PGP certificate, if PGP signing is desired. Can be ascii-armored or binary.
    65    pgpcertificate: ./keys/rsa1.pub
    66
    67    # Path to a X509 certificate, if X509 signing is desired. Can be PEM, DER,
    68    # or PKCS#7 (p7b) format, with optional certificate chain.
    69    x509certificate: ./keys/rsa1.cer
    70
    71    # true if a RFC 3161 timestamp should be attached, see 'timestamp' below
    72    timestamp: false
    73
    74    # Clients with any of these roles can utilize this key
    75    roles: ['somegroup']
    76
    77  my_scd_key:
    78    token: myscd
    79    # Specify which key to use. For OpenPGP cards this will be either OPENPGP.1 or OPENPGP.3.
    80    id: OPENPGP.1
    81
    82    # The remaining options are the same as above
    83    pgpcertificate: ./keys/rsa1.pub
    84    x509certificate: ./keys/rsa1.cer
    85    timestamp: false
    86    roles: ['somegroup']
    87
    88  my_file_key:
    89    token: file
    90    # Path to the private key file. The password is specified in the token configuration above.
    91    keyfile: ./keys/rsa1.key
    92
    93    # The remaining options are the same as above
    94    pgpcertificate: ./keys/rsa1.pub
    95    x509certificate: ./keys/rsa1.cer
    96    timestamp: false
    97    roles: ['somegroup']
    98
    99  aliased_key:
   100    # When alias is set, this key name becomes an alias for the other key.
   101    # Alises cannot override any parameters of the key, including roles.
   102    alias: my_token_key
   103
   104# Server-specific configuration
   105server:
   106  # What port to listen on. Defaults to :6300.
   107  # Socket activation via systemd is also supported, in which case this is ignored.
   108  listen: ":6300"
   109
   110  # Listen for non-secure connections. This is only useful for health checks,
   111  # since every other endpoint requires a client certificate. Defaults to none.
   112  listenhttp: ":6301"
   113
   114  # Private key for server TLS. PEM format, RSA or ECDSA
   115  keyfile: /etc/relic/server/server.key
   116
   117  # X.509 certificate for server TLS. PEM format. If a cert chain is needed it
   118  # should follow the main cert.
   119  certfile: /etc/relic/server/server.key
   120
   121  # Optional logfile for server errors. If not set, then standard error is used
   122  logfile: /var/log/relic/server.log
   123
   124  # How many worker subprocesses to spawn per token. Usually only 1 is required.
   125  #numworkers: 1
   126
   127  # Set the frequency and tolerance of token health checks
   128  #tokencheckinterval: 60  # ping the token every N seconds
   129  #tokenchecktimeout: 30   # fail a ping if it is stuck for N seconds
   130  #tokencheckfailures: 3   # the server will report "not healthy" after N failed pings
   131
   132  # Optional list of URLs that are part of a cluster of servers
   133  #siblings:
   134  #- https://relic1:6300
   135  #- https://relic2:6300
   136
   137# Instead of including token PINs in this file, you can specify an alternate
   138# "pin file" which is a YAML file holding key-value pairs where the key is the
   139# name of the token and the value is the PIN.
   140#pinfile: /etc/relic/pin.yaml
   141
   142# Configure trusted timestamping servers, used by keys that have timestamping
   143# enabled when using a signature type that supports it.
   144timestamp:
   145  # RFC 3161 timestamp server(s). If more than one is provided then they will
   146  # be tried in the order given until one succeeds.
   147  urls:
   148    - http://mytimestamp.server/rfc3161
   149
   150  # Non-RFC3161 timestamp server(s), used for appmanifest only
   151  msurls:
   152    - http://mytimestamp.server
   153
   154  # Optional timeout for each timestamp request
   155  timeout: 60
   156
   157  # Optional alternate CA certificate file for contacting timestamp servers
   158  # cacert: /etc/pki/tls/mychain.pem
   159
   160  # Optional memcache servers for memoizing timestamp requests
   161  #memcache:
   162  # - 127.0.0.1:11211
   163
   164  # Optional rate limit for timestamp requests
   165  #ratelimit: 1  # requests per second
   166  #rateburst: 10 # burst capacity
   167
   168# AMQP broker used to submit audit logs
   169amqp:
   170  # Optional audit logging to an AMQP broker
   171  #url: amqp://guest:guest@127.0.0.1:5672
   172
   173  # Optional TLS parameters
   174  #cacert:
   175  #keyfile:
   176  #certfile:
   177
   178  # "fanout" type exchange to send audit messages to, default relic.signatures
   179  #sigsXchg: relic.signatures
   180
   181# Authentication to the server is via client certificate. Certificates are
   182# identified by their fingerprint. Fingerprints can be obtained by using the
   183# "relic remote register" command on the client to generate the key, or by
   184# checking the server error log after attempting to connect.
   185clients:
   186  E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855:
   187    # Display name for this client
   188    nickname: myuser
   189    # List of roles this user possesses. Must contain at least one of the roles
   190    # on a key for the user to access that key.
   191    roles: ['somegroup']
   192
   193  # Alternately, clients can be authenticated using one or more CA
   194  # certificates. The CA that the client matches determines the roles they have
   195  # access to, and the subject DN of the leaf certificate is logged. This can
   196  # be used to delegate access to a short-lived build process.
   197  #my_root_ca:
   198  #  nickname: my_root_ca
   199  #  certificate: |
   200  #    -----BEGIN CERTIFICATE-----
   201  #    asdfasdfasdf
   202  #    -----END CERTIFICATE-----
   203  #  roles: ['somegroup']