# Athenz ZTS Servlet properties file.
# If there is a value specified in the commented property line,
# then it indicates the default value
# Default root directory for ZTS Server. This must be passed as
# part of the startup script since it is used before the
# properties file is accessed.
#athenz.zts.root_dir=/opt/athenz/zts
# Comma separated list of authority implementation classes to support
# authenticating principals in ZTS
athenz.zts.authority_classes=com.yahoo.athenz.auth.impl.PrincipalAuthority,com.yahoo.athenz.auth.impl.CertificateAuthority
# If the File Private Key store implementation is used in the Server,
# this setting specifies the path to the PEM encoded ZTS Server
# private key file (both RSA and EC private keys are supported)
athenz.auth.private_key_store.private_key=/opt/athenz/zts/var/keys/zts_private.pem
# If File Private Key store implementation is used in the Server,
# this setting specifies the key identifier for the private key
# configured by the athenz.auth.private_key_store.private_key
# property
athenz.auth.private_key_store.private_key_id=0
# Key Manager password
#athenz.zts.ssl_key_manager_password=
# The path to the keystore file that contains the client's private key
# and certificate. Currently this is only used by the HttpCertSigner
# class implementation.
athenz.zts.ssl_key_store=/opt/athenz/zts/var/certs/zts_keystore.pkcs12
# Specifies the type for the keystore specified in the
# athenz.zts.ssl_key_store property
athenz.zts.ssl_key_store_type=PKCS12
# Password for the keystore specified in the athenz.zts.ssl_key_store property
#athenz.zts.ssl_key_store_password=athenz
# The path to the trust store file that contains CA certificates
# trusted by the http client running within this ZTS instance
athenz.zts.ssl_trust_store=/opt/athenz/zts/var/certs/zts_truststore.jks
javax.net.ssl.trustStore=/opt/athenz/zts/var/certs/zts_truststore.jks
# Type for the truststore specified in the athenz.zts.ssl_trust_store property
athenz.zts.ssl_trust_store_type=JKS
javax.net.ssl.trustStoreType=JKS
# Password for the truststore specified in the athenz.zts.ssl_trust_store property
#athenz.zts.ssl_trust_store_password=athenz
#javax.net.ssl.trustStorePassword=athenz
# Specifies the location of the athenz.conf file used by the ZMS Client
# library to determine which ZMS server to contact.
athenz.athenz_conf=/opt/athenz/zts/conf/zts_server/athenz.conf
# If specified, this setting overrides the ZMS Server url value for the
# ZMS Client as retrieved from the athenz.conf file
#athenz.zts.zms_url=
# SelfCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies the private key filename that is used to sign
# certificate requests.
athenz.zts.self_signer_private_key_fname=/opt/athenz/zts/var/keys/zts_cert_signer_key.pem
# SelfCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies the private key password that is used to sign
# certificate requests.
#athenz.zts.self_signer_private_key_password=
# SelfCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies the DN for the CA certificate that ZTS
# will use
athenz.zts.self_signer_cert_dn=cn=Sample Self Signed Athenz CA,o=Athenz,c=US
# HttpCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies the base uri for the Certificate Signer Service
#athenz.zts.certsign_base_uri=
# HttpCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies in seconds the connect timeout
#athenz.zts.certsign_connect_timeout=10
# HttpCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies in seconds the request timeout.
# We're setting the initial value to a small one so we know right away
# if our idle connection has been closed by the cert signer, and we'll
# use our retry setting to retry with a max timeout of 30 seconds.
#athenz.zts.certsign_request_timeout=5
# HttpCertSignerFactory implementation - if this factory class is used
# for the CertSigner implementation (athenz.zts.cert_signer_factory_class
# property), this setting specifies the number of times the request
# should be retried if it does not complete within the requested timeout value
#athenz.zts.certsign_retry_count=3
# Specifies the factory class that implements the Metrics interface
# used by the ZTS Server to report stats
#athenz.zts.metric_factory_class=com.yahoo.athenz.common.metrics.impl.NoOpMetricFactory
# Specifies the factory class that implements the AuditLoggerFactory
# interface used by the ZTS Server to log all changes to domain
# data for auditing purposes
#athenz.zts.audit_logger_factory_class=com.yahoo.athenz.common.server.log.impl.DefaultAuditLoggerFactory
# Specifies the factory class that implements the HostnameResolverFactory
# interface used by the ZTS Server to validate that the hostname field
# requested to be added to the X.509 certificate SAN dnsName field is
# a valid hostname (A/AAAA type) and not another type of DNS record.
#athenz.zts.hostname_resolver_factory_class=
# Specifies the factory class that implements the PrivateKeyStoreFactory
# interface used by the ZTS Server to get access to its host specific
# private key
#athenz.zts.private_key_store_factory_class=com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory
# Specifies the factory class that implements CertSignerFactory
# interface used by the ZTS Server to sign any certificate requests
athenz.zts.cert_signer_factory_class=com.yahoo.athenz.zts.cert.impl.SelfCertSignerFactory
#athenz.zts.keystore_signer.keystore=/opt/athenz/zts/var/keys/zts_cert_signer_keystore.pkcs12
#athenz.zts.keystore_signer.keystore.password=athenz
#athenz.zts.keystore_signer.keystore.ca_alias=zts_cert_signer_ca
#athenz.zts.keystore_signer.keystore.max_cert_expire_time=43200
# Specifies the factory class that implements ChangeLogStoreFactory
# interface used by the ZTS Server to retrieve the latest changes
# from the ZMS Server and save them locally
#athenz.zts.change_log_store_factory_class=com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStoreFactory
# Specifies the directory for storing zms domain json documents when
# ZMSFileChangeLogStoreFactory is configured for the change log factory
# class (athenz.zts.change_log_store_factory_class property)
athenz.zts.change_log_store_dir=/opt/athenz/zts/var
# Boolean setting to force users to request role tokens for specific
# roles rather than for the whole domain, which would include all the roles
# the given principal has access to in that domain
#athenz.zts.least_privilege_principle=false
# Specifies the maximum expiry timeout that a client can ask for when
# requesting a role token. If the client asks for a longer timeout, the
# server will automatically replace the value with this one
#athenz.zts.role_token_max_timeout=2592000
# Specifies the default expiry timeout for role tokens when the client
# does not specify any timeout parameters
#athenz.zts.role_token_default_timeout=7200
# Specifies the expiry timeout for signed policy documents that
# ZTS Server signs and returns to ZPU clients
#athenz.zts.signed_policy_timeout=604800
# Specifies timeout in seconds for NTokens issued by ZTS
# Server as part of the Instance bootstrap request
#athenz.zts.instance_token_timeout=86400
# Comma separated list of authorized proxy principals
#athenz.zts.authorized_proxy_users=
# Specifies the service name that the ostk instance documents are
# signed with.
#athenz.zts.ostk_host_signer_service=
# If the ZTS servlet is deployed along other servlets that may
# run on non-TLS ports, this setting ensures that requests to
# ZTS are only accepted on secure TLS ports.
#athenz.zts.secure_requests_only=true
# Comma separated list of hostname suffixes that providers
# are allowed to use for their verifiers
#athenz.zts.provider_endpoints=
# Specifies in seconds how often to query ZMS Server for updates
# The default value is 60 seconds
#athenz.zts.zms_domain_update_timeout=60
# Specifies in seconds how often to query ZMS Server for the full
# list of domains to determine the deleted domains
# The default value is 3600 seconds
#athenz.zts.zms_domain_delete_timeout=3600
# Specifies the factory class that implements the CertRecordStore
# interface used by the ZTS Server to store certificate data. In production,
# this is typically the jdbc/mysql cert record store while for tests it's
# the file cert record store
athenz.zts.cert_record_store_factory_class=com.yahoo.athenz.zts.cert.impl.JDBCCertRecordStoreFactory
# If the athenz.zts.cert_record_store_factory_class property is using
# the file cert record store factory, then this setting specifies
# the directory in which the file store subdirectory will be
# created to store cert record files.
#athenz.zts.cert_file_store_path=/opt/athenz/zts/var
# If the athenz.zts.cert_record_store_factory_class property is using
# the file cert record store factory, then this setting specifies
# the subdirectory name where record files will be stored.
#athenz.zts.cert_file_store_name=zts_cert_records
# If the athenz.zts.cert_record_store_factory_class property is using
# the jdbc cert record store factory identified with
# com.yahoo.athenz.zts.cert.impl.JDBCCertRecordStoreFactory, then
# this setting specifies the JDBC URL where the ZTS Server will store
# certificate records for revocation checks
# jdbc:mysql://localhost:3306/zts - specifies MySQL instance
athenz.zts.cert_jdbc_store=jdbc:mysql://athenz-zts-db:3307/zts_store
# If the jdbcstore is pointing to a MySQL server then this specifies
# the name of the user that has full access to the zts database.
# A dedicated account granted access to only this database is
# preferable to the MySQL root account shown in the sample value below.
athenz.zts.cert_jdbc_user=root
# If the jdbcstore is pointing to a MySQL server then this specifies
# the password for the jdbc user that has been granted full access
# to the configured zts database
#athenz.zts.cert_jdbc_password=mariadb
# If using the jdbc connector (either mysql or aws) for zts
# certificate data storage, this property specifies if the jdbc client
# should establish an SSL connection to the database server or not
#athenz.zts.cert_jdbc_use_ssl=false
# If using the jdbc connector (either mysql or aws) for zts
# certificate data storage and the athenz.zts.cert_jdbc_use_ssl property
# is set to true, this property specifies whether or not the jdbc client
# must verify the server certificate. Without verification the connection
# is encrypted but the database server's identity is not authenticated.
#athenz.zts.cert_jdbc_verify_server_certificate=false
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store factory identified with
# com.yahoo.athenz.zts.cert.impl.AWSObjectStoreFactory, then
# this setting specifies AWS RDS instance hostname.
# The database server must be initialized with the ZTS
# server schema.
#athenz.zts.aws_rds_master_instance=
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the database user configured with IAM Role AWS authentication
# and full access to the zts store database
#athenz.zts.aws_rds_user=
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the IAM role that has been enabled for authentication
#athenz.zts.aws_rds_iam_role=
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the port number for the RDS database instance
#athenz.zts.aws_rds_master_port=3306
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the database engine used in rds
#athenz.zts.aws_rds_engine=mysql
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the database name in rds
#athenz.zts.aws_rds_database=zts_store
# If the athenz.zts.cert_record_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# in seconds how often to update the aws credentials for the IAM role
#athenz.zts.aws_rds_creds_refresh_time=300
# The maximum number of seconds that the server should wait
# for the certificate store connection object to return its results
#athenz.zts.cert_op_timeout=60
# When requesting TLS certificates for their corresponding NTokens,
# services must include this DNS suffix in their CSRs
#athenz.zts.cert_dns_suffix=.athenz.cloud
# Kerberos Authority Service Principal
#athenz.auth.kerberos.service_principal=
# Kerberos Authority location of keytab file
#athenz.auth.kerberos.keytab_location=
# Kerberos Authority debug boolean state
#athenz.auth.kerberos.debug=false
# Kerberos Authority - if there is a jaas.conf whose path is specified by
# the system property java.security.auth.login.config then this setting
# specifies the config section name to be used for the authority
#athenz.auth.kerberos.jaas_cfg_section=
# Kerberos Authority - login callback handler class
#athenz.auth.kerberos.login_callback_handler_class=
# Kerberos Authority - boolean flag whether or not to renew TGT
#athenz.auth.kerberos.renewTGT=true
# Kerberos Authority - boolean flag whether or not using ticket cache
#athenz.auth.kerberos.use_ticket_cache=true
# Kerberos Authority - file path for the ticket cache data
#athenz.auth.kerberos.ticket_cache_name=
# Kerberos Authority - in milliseconds the login window time for re-logins
#athenz.auth.kerberos.login_window=60000
# Kerberos Authority - privileged action class name
#athenz.auth.kerberos.krb_privileged_action_class=
# Kerberos Authority - the realm for kerberos users (this could be a realm
# that regular users (also authenticated as part of UserAuthority) are part of)
#athenz.auth.kerberos.user_realm=
# Kerberos Authority - the domain name for users that are only authenticated
# by this authority
#athenz.auth.kerberos.krb_user_domain=krb
# Kerberos Authority - the realm name for users that are only authenticated
# by this authority
#athenz.auth.kerberos.krb_user_realm=
# ZTS is running within AWS so enable features such as getting temporary
# credentials, etc.
#athenz.zts.aws_enabled=false
# If ZTS is running within AWS, this setting specifies the path to a file that
# includes the AWS Public certificate that is needed to verify host identity
# documents provided by AWS.
#athenz.zts.aws_public_cert=
# If ZTS is running within AWS and we need to validate the host identity document
# before we issue a TLS certificate for a service identified by its IAM role,
# the server verifies that the instance was booted within the configured number
# of seconds
#athenz.zts.aws_boot_time_offset=300
# Comma separated list of URIs that require authentication according to the RDL
# but we want the server to treat the authentication as optional. The URI can
# include regex values based on the + character to match resource URIs,
# for example, /zts/v1/domain/.+/service
athenz.zts.no_auth_uri_list=/zts/v1/status
# Boolean flag to control whether or not to include c=1 component in the issued
# role token when the rolename argument passed to the api is null. The presence
# of the c=1 in the role token then would indicate that the token contains all
# the roles that the principal has access to in the domain
#athenz.zts.role_complete_flag=true
# If configured, specifies a file name that contains the bundle of Athenz
# CA certificates. This is useful when there are multiple Athenz instances
# running in different regions/locations and each region/location has its own
# CA certificate and during instance register/refresh operation we want to
# return the full set of CA certs
#athenz.zts.x509_ca_cert_fname=
# The number of milliseconds to sleep between runs of the idle object
# evictor thread. When non-positive, no idle object evictor thread
# will be run. The pool default is -1, but we're using 30 minutes to
# make sure the evictor thread is running
#athenz.db.pool_evict_idle_interval=1800000
# The minimum amount of time (in milliseconds) an object may sit
# idle in the pool before it is eligible for eviction by the idle
# object evictor (if any)
#athenz.db.pool_evict_idle_timeout=1800000
# The maximum number of connections that can remain idle in the pool,
# without extra ones being released, or negative for no limit
#athenz.db.pool_max_idle=8
# The maximum number of active connections that can be allocated
# from this pool at the same time, or negative for no limit
#athenz.db.pool_max_total=8
# The maximum lifetime in milliseconds of a connection. After this
# time is exceeded the connection will fail the next activation,
# passivation or validation test. A value of zero or less means the
# connection has an infinite lifetime
#athenz.db.pool_max_ttl=600000
# The maximum number of milliseconds that the pool will wait
# (when there are no available connections) for a connection to be
# returned before throwing an exception, or -1 to wait indefinitely
#athenz.db.pool_max_wait=-1
# The minimum number of connections that can remain idle in the pool,
# without extra ones being created, or zero to create none
#athenz.db.pool_min_idle=0
# The validation query used by the pool to determine if the connection
# is valid before returning it to the caller. The default value
# is the recommended query for MySQL Connector/J
#athenz.db.pool_validation_query=/* ping */ SELECT 1
# List of valid values separated by | that a certificate
# request can include in the Subject O field. For example, if
# you allow certs to be created with c=US,o=Company,cn=athenz.api
# and c=US,o=Company Inc.,cn=athenz.api, then the value for
# this property would be set to "Company|Company Inc.". If
# the property is not set, then no validation is carried out.
#athenz.zts.cert_allowed_o_values=
# If enabled, ZTS server will validate the OU field in
# any certificate request if one is specified. If the
# certificate is requested from a Copper Argos provider, the provider
# service name is automatically allowed as one of the valid OU
# values. Otherwise, the list of values can be configured using
# the athenz.zts.cert_allowed_ou_values property.
#athenz.zts.cert_request_verify_subject_ou=false
# List of valid values separated by | that a certificate
# request can include in the Subject OU field. For example, if
# you allow certs to be created with c=US,o=Company,OU=Athenz,cn=athenz.api
# and c=US,o=Company Inc.,ou=Yahoo,cn=athenz.api, then the value for
# this property would be set to "Athenz|Yahoo". In case the
# certificate is requested from a Copper Argos provider, the provider
# service name is automatically allowed as one of the valid OU
# values. The validation is carried out only if the
# setting is enabled (set to true).
#athenz.zts.cert_allowed_ou_values=
# During certificate refresh operations zts server looks up
# the original certificate details (serial number, timestamp, etc)
# to detect compromise. If this database is lost, then server
# will not be able to refresh any certs, so we provide an option
# to regenerate the db based on requests rather than rejecting
# all. So while the certs are refreshed, compromise will not be
# detected during the first refresh, but during the second one
# it will be detected. The value of the setting is the number
# of milliseconds since epoch. Any refresh request where the cert
# has a timestamp before this date will be handled successfully
# if the db record is not found.
#athenz.zts.cert_refresh_reset_time=0
# When requesting role and service certificates not through
# Copper Argos providers, the server can verify that the IP
# address in the request indeed matches to the connection
# IP address. Typically this should be enabled, but it is
# kept false for now for backward compatibility
# reasons.
#athenz.zts.cert_request_verify_ip=false
# If the athenz.zts.cert_record_store_factory_class property is using
# the dynamodb cert record store factory identified with
# com.yahoo.athenz.zts.cert.impl.DynamoDBCertRecordStoreFactory, then
# this setting specifies the table name where the ZTS Server will store
# certificate records for revocation checks. The table must be created
# with the following requirements: the primary key attribute is named
# primaryKey, and TTL must be enabled on an attribute named ttl.
#athenz.zts.cert_dynamodb_table_name=
# When using the DynamoDB certificate record store factory (see
# property athenz.zts.cert_dynamodb_table_name) this setting specifies
# the number of hours after which DynamoDB will purge expired
# records. Default value is 30 days.
#athenz.zts.cert_dynamodb_item_ttl_hours=720
# Athenz ZTS Service Health Check file path. If configured, the
# /zts/v1/status command would return failure if the file setting
# is configured but the file is not present. The idea is that once
# the server is started, an external process will verify that
# the server is running correctly by running some checks and if
# successful, it will create that file so that the server can
# now report that the server is ready to accept production traffic
#athenz.zts.health_check_path=