-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathejbca.properties
More file actions
217 lines (188 loc) · 9.57 KB
/
Copy pathejbca.properties
File metadata and controls
217 lines (188 loc) · 9.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
#
# $Id: ejbca.properties.sample 25788 2017-05-02 11:55:16Z anatom $
#
# This is a sample file to override properties used
# during development (or deployment) of EJBCA. Note that some properties
# have been moved to cesecore.properties.
#
# You should copy and rename this file to ejbca.properties
# and customize at will.
#
# -------------- NOTE for Upgrades --------------
# When upgrading, the important options are:
# - ca.keystorepass (in cesecore.properties)
# - password.encryption.key (in cesecore.properties)
# - ca.cmskeystorepass
# Application server home directory used during development. The path can not end with a slash or backslash.
# Default: $APPSRV_HOME
appserver.home=/opt/wildfly
#appserver.home=/opt/glassfish3/glassfish
#appserver.home=${env.APPSRV_HOME}
# See also the section 'cluster configuration' for other JBoss options, for example
# for deploying on JBoss EAP.
# Which application server is used? Normally this is auto-detected from 'appserver.home' and should not be configured.
# Possible values: jboss, glassfish
# Default: <auto-detect>
#appserver.type=jboss
# To prevent accidental runs of tests or deploying the wrong thing in a production environment, we
# could prevent this by setting this variable to either "true" or "false".
# Setting this value to 'false' will allow system tests to alter the configuration of the running
# EJBCA instance.
# Default: true
#ejbca.productionmode=true
#ejbca.productionmode=false
# Set to true to allow dynamic re-configuration using properties files in the file
# system. Using this you can place a file /etc/ejbca/conf/ocsp.properties in the file system and
# override default values compiled into ejbca.ear.
# Currently this works for most values in ejbca.properties, web.properties, cmp.properties, externalra-caservice.properties, ocsp.properties, extendedkeyusage.properties, jaxws.properties
#
# Default: false
#allow.external-dynamic.configuration=false
# ------------ Basic CA configuration ---------------------
# Most CA options are configured in cesecore.properties, but some EJBCA-
# specific ones are configured here. When upgrading, the important options are:
# - ca.keystorepass (in cesecore.properties)
# - ca.cmskeystorepass
# Password used to protect CMS keystores in the database (CAs CMS signer/enc certificate).
# The default value is the same for convenience.
#ca.cmskeystorepass=foo123
# ------------- Approval configuration ------------------------
# Settings working as default values in the approval functionality
#
# Default request validity in seconds
# Default : 28800 (8 Hours)
#approval.defaultrequestvalidity=28800
# Default approval validity (how long an approved request should stay valid)
# Default : 28800 (8 Hours)
#approval.defaultapprovalvalidity=28800
# Default maximum allowed extension time for expired requests, in seconds
# Default : 0 (disabled)
#approval.defaultmaxextensiontime=0
# Setting excluding some classes from approval. When one of the classes in this list calls a method that normally
# required approval, the call is immediately allowed, bypassing the approval mechanism. The list is comma separated.
# Uncomment the line below to exclude extra from approvals.
#approval.excludedClasses=org.ejbca.extra.caservice.ExtRACAServiceWorker
# Uncomment the line below to exclude CMP from approval.
#approval.excludedClasses=org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean
# Uncomment the line below to exclude revocation by CMP from approval.
#approval.excludedClasses=org.ejbca.core.protocol.cmp.RevocationMessageHandler
# Default : empty
#approval.excludedClasses=
# ----------------- cluster configuration ----------------
# The configuration. Use "all" when clustering,
# or for example "production" when deploying on JBoss EAP.
# Default: default
#jboss.config=all
# Name of the farm directory. Use "farm" when clustering.
# Default: deploy
#jboss.farm.name=farm
#------------------- EJBCA Healthcheck settings -------------
# Specifies the basic settings of the EJBCA Healthcheck servlet
# for more detailed configuration edit the file src/publicweb/healthcheck/WEB-INF/web.xml
# URL: http://localhost:8080/ejbca/publicweb/healthcheck/ejbcahealth
#
# Parameter specifying amount of free memory (Mb) before alarming
# Default: 1
#healthcheck.amountfreemem=1
# Parameter specifying database test query string. Used to check that
# the database is operational.
# Default : Select 1 From CertificateData where fingerprint='XX'
#healthcheck.dbquery=Select 1 From CertificateData where fingerprint='XX'
# Parameter specifying IP addresses authorized to access the healthcheck
# servlet. Use ';' for between multiple IPs.
# IPv6 address can be specified, for example 127.0.0.1;0:0:0:0:0:0:0:1.
# "ANY" can be specified to allow any remote IP.
# Default: 127.0.0.1
#healthcheck.authorizedips=127.0.0.1
# Parameter to specify if the check of CA tokens should actually perform a signature test
# on the CA token, or it should only see if the token status is active.
# Default: false (don't perform a signature operation)
#healthcheck.catokensigntest=false
# Parameter to specify if a connection test should be performed on each publisher.
# Default: false
#healthcheck.publisherconnections=false
# Parameter to specify location of file containing information about maintenance
# Use this file to specify weather to include node in healthcheck or report as down for maintenance,
# which will return an error message (either the property name specified below or a custom message specified in web.xml).
# Default: empty (not used)
#healthcheck.maintenancefile=~/maintenance.properties
# Parameter to configure name of maintenance property, default = DOWN_FOR_MAINTENANCE
# The healthcheck.maintenancefile should contain a single line like this:
# DOWN_FOR_MAINTENANCE=true
# Where the node will be down for maintenance of the property is true, and not down for maintenance if the property is false.
# Default: DOWN_FOR_MAINTENANCE
#healthcheck.maintenancepropertyname=DOWN_FOR_MAINTENANCE
# Text string used to say that every thing is ok with this node.
# Default=ALLOK
#healthcheck.okmessage=ALLOK
# Parameter saying if a errorcode 500 should be sent in case of error.
# Default=true
#healthcheck.sendservererror=true
# Uncomment this parameter if you want a static error message instead of one generated by the HealthChecker.
# Default=null
#healthcheck.customerrormessage=EJBCANOTOK
#------------------- CLI settings -------------
ejbca.cli.defaultusername=ejbca
ejbca.cli.defaultpassword=ejbca
#------------------- Debug and special settings -------------
#
# Custom Available Access Rules. Use ';' to separate multiple access rules
# Available values are the Access Rules strings in Advanced mode of 'Access Rules' in 'Administrator Roles'
# Default: ""
#ejbca.customavailableaccessrules=
# To better protect from off-line brute force attacks of passwords on a compromised database, the
# computationally expensive BCrypt algorithm can be used. Using a higher log-rounds value will
# increase computational cost by log2. 1-31 can be used as BCrypt strength.
# 0 means simple SHA1 hashing will be used. A decent value for high security is ~8.
# Default=1
#ejbca.passwordlogrounds=1
# Parallel publishing invokes all the configured publishers for certificates in parallel instead of
# sequentially. So instead of waiting for the total time it takes to write to all publishers, you
# only have to wait for the time it takes to publish to the slowest one.
#
# This feature is non-compliant with the JEE5 specifications and could potentially have unintended
# side effects (even though none has been found so far).
# If you find any type of problem with this feature that can be mitigated by disabling it, please
# report it to the EJBCA developers or this option will disappear in a future version.
#
# Default: true
#publish.parallel.enabled=true
# ------------------- Peer Connector settings (Enterprise Edition only) -------------------
# These settings are never expected to be used and should be considered deprecated. If you do need
# to tweak this, please inform the EJBCA developers how and why this was necessary.
#
# Don't go through JCA for outgoing connections to peer systems. Applied at build time.
# Default: false
#peerconnector.rar.disabled=false
#
# Use TCP keep alive. Applied when connection pool is restarted. Default: true
#peerconnector.connection.sokeepalive=true
#
# Disable Nagle's algorithm. Applied when connection pool is restarted. Default: false
#peerconnector.connection.tcpnodelay=false
#
# Socket timeout in milliseconds. Applied when connection pool is restarted.
# Default: 20000 (default for Tomcat on the server side)
#peerconnector.connection.sotimeout=20000
#
# Connection pool size per peer connector. Applied when connection pool is restarted. Default: 100
#peerconnector.connection.maxpoolsize=100
#
# Background sync of certificate data. Batch size to compare. Default: 2000
#peerconnector.sync.batchsize=2000
#
# Background sync of certificate data. Number of entries to write in parallel. 1=sequential writes. Default: 12
#peerconnector.sync.concurrency=12
#
# Maximum allowed size for incoming messages. Default: 134217728 (128MiB)
#peerconnector.incoming.maxmessagesize=134217728
#
# How long a peer can be absent in milliseconds before (re-)authentication is triggered. Default: 60000
#peerconnector.incoming.authcachetime=60000
#
# How long to cache outgoing PeerData database objects.
# Default: 60000 (60 seconds)
# Possible values -1 (no caching) to 9223372036854775807 (2^63-1 = Long.MAX_VALUE).
# If you want caching for an infinite time then set something high for example 157680000000 (5years).
#peerconnector.cachetime=157680000000
#peerconnector.cachetime=-1