-
Notifications
You must be signed in to change notification settings - Fork 138
PKI Environment Variables
Various PKI tools supports cascading configuration files to define environment variables:
-
The default configuration is located at /usr/share/pki/etc/pki.conf. This file is read-only.
-
The system configuration is located at /etc/pki/pki.conf. This file can be customized by the system administrator.
-
(10.4.1 or later) The user configuration is located at
~/.dogtag/pki.conf
. This file can be created by individual users.
Notes:
-
To override an existing environment variable defined in the default
pki.conf
, specify the variable in a system configuration file (i.e./etc/pki/pki.conf
) or user configuration file (i.e.~/.dogtag/pki.conf
). Do not specify the custom environment variables on the command line. -
To define other environment variables not defined in the default
pki.conf
(e.g.NSPR_LOG_MODULES
), they can be specified in command line, or in the systempki.conf
or userpki.conf
. Make sure the variables are exported, for example:
$ export NSPR_LOG_MODULES="all:5"
-
JAVA_HOME
: Java home -
JNI_JAR_DIR
: JNI jar file location -
PKI_LIB
: PKI library -
RESTEASY_LIB
: RESTEasy library -
NSS_DEFAULT_DB_TYPE
: NSS database format -
PKI_LOGGING_CONFIG
: logging configuration location (default:/usr/share/pki/etc/logging.properties
)
The PKI_CLI_OPTIONS
parameter can be used to specify options for the PKI CLI (not for the PKI CLI command) that will be added to all executions of PKI CLI.
For example, the following option will cause all PKI CLI executions to run in verbose mode:
PKI_CLI_OPTIONS="-v"
The following option will cause all PKI CLI executions to ignore access banner (if configured):
PKI_CLI_OPTIONS="--ignore-banner"
Since version 10.4.1 PKI client supports the following SSL configuration parameters.
The SSL version ranges for stream and datagram can be specified with the following parameters:
-
SSL_STREAM_VERSION_MIN
(default isTLS_1_0
) -
SSL_STREAM_VERSION_MAX
(default isTLS_1_2
) -
SSL_DATAGRAM_VERSION_MIN
(default isTLS_1_1
) -
SSL_DATAGRAM_VERSION_MAX
(default isTLS_1_2
)
Valid values are: SSL_3_0
, TLS_1_0
, TLS_1_1
, TLS_1_2
.
The SSL ciphers can be customized using the following parameters:
-
SSL_DEFAULT_CIPHERS
: Enable default ciphers (default istrue
) -
SSL_CIPHERS
: List of additional ciphers (default is empty)
By default the PKI CLI will use the default SSL ciphers provided by NSS, but all SSL 2.0 ciphers will be disabled, and all ECC will be enabled. To disable the default ciphers, specify the following parameter:
SSL_DEFAULT_CIPHERS="false"
To enable additional ciphers, or to customize the default ciphers, specify the ciphers in SSL_CIPHERS
. For example:
SSL_CIPHERS=" TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA "
To disable a specific default cipher, specify a -
in front of the cipher name. For example:
SSL_CIPHERS=" TLS_RSA_WITH_AES_128_CBC_SHA256 -TLS_RSA_WITH_AES_256_CBC_SHA "
To strictly use certain ciphers (without the default ciphers), specify the following parameters:
SSL_CIPHERS=" TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA " SSL_DEFAULT_CIPHERS="false"
-
PKISPAWN_STARTUP_TIMEOUT_SECONDS
: Server startup timeout during installation in seconds (default:60
)
-
PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS
: Auto-enable subsystems (default:true
)
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |