This repository has been archived by the owner on Apr 5, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 12
/
application.properties.sample
427 lines (365 loc) · 16.1 KB
/
application.properties.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
# Copyright 2020 Intel Corporation
# SPDX-License-Identifier: Apache 2.0
# MUST, SHOULD, and MAY are used in accordance with RFC2119.
### ALL: RECOMMENDED #################################################
# These properties SHOULD be set when running any SDO Java software.
###############################################################################
# A comma-separated list of acceptable Java SecureRandom algorithms, ordered
# from most preferred to least.
#
# Linux systems usually have the blocking NativePRNG provider.
#
# Windows systems usually have Windows-PRNG.
#
# SHA1PRNG ends the default list as a final fallback. It is not
# recommended if better alternatives are available, but is widely supported.
#
# Type: List<String>
# Defaults-To: NativePRNG, Windows-PRNG, SHA1PRNG
# Affects: DI, TO0, TO1, TO2
# Examples: org.sdo-secure-random = SHA1PRNG
# org.sdo-secure-random = PKCS11, NativePRNGNonBlocking
# See-Also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecureRandom
# org.sdo.secure-random =
### ALL: OPTIONAL #################################################
# These properties MAY be set when running the SDO Java software.
###############################################################################
# The URL for the EPID verifier.
#
# If left blank, Intel's EPID verifier will be used.
# If this value is set, the property org.sdo.epid.test-mode
# will be ignored.
#
# Type: URI
# Defaults-To: https://verify.epid.trustedservices.intel.com/
# Affects: TO1, TO2
# Example: org.sdo.epid.epid-online-url = http://localhost:9999/
# org.sdo.epid.epid-online-url =
# Set this flag to use the EPID development server instead of the
# production server.
# The development server accepts EPID test keys.
#
# This flag must be set only in development environments,
# and must never be set in production.
#
# If org.sdo.epid.epid-online-url is set, this flag is ignored.
#
# Type: Boolean
# Defaults-To: false
# Affects: TO1, TO2
# Example: org.sdo.epid.test-mode = false
# org.sdo.epid.test-mode =
### DEVICE: REQUIRED #################################################
# These properties MUST be set when running the SDO Java device.
###############################################################################
# The location of the device's PEM-encoded X.509 certificate.
#
# Type: URI. Relative URIs (filesystem paths) and file: URIs
# are accepted.
# Affects: DI TO1 TO2
# Examples: org.sdo.device.cert = http://localhost/device.crt
# org.sdo.device.cert = file://home/sdo/device.pem
# org.sdo.device.cert = /usr/local/etc/device.x509
# org.sdo.device.cert = ./keys/device.txt
org.sdo.device.cert =
# The location of the device's PEM-encoded PKCS8 private key.
#
# The SDO Java software does not support encrypted PKCS8 files.
# This behavior can be overridden by replacing the FactoryBean<PrivateKey> bean
# in your Spring configuration.
#
# Type: URI. Relative URIs (filesystem paths) and file: URIs
# are accepted.# Affects: DI TO1 TO2
# Examples: org.sdo.device.cert = http://localhost/device.key
# org.sdo.device.cert = file://home/sdo/device.p8
# org.sdo.device.cert = /usr/local/etc/device.key
# org.sdo.device.cert = ./keys/device.txt
org.sdo.device.key =
### DEVICE: RECOMMENDED #################################################
# These properties SHOULD be set when running the SDO Java device.
###############################################################################
# The address of the DI server to contact if the device has no credentials.
#
# If device credentials are available
# (see property org.sdo.device.credentials)
# then this value is ignored.
#
# This property has no default. It may only be omitted if you know your device
# will never need to run DI.
#
# Type: URI
# Affects: DI
# Example: org.sdo.di.uri = http://192.0.2.1:8039/
# org.sdo.di.uri =
### DEVICE: OPTIONAL #################################################
# These properties MAY be set when running the SDO Java device.
###############################################################################
# The location of the device's credential (.oc) file.
#
# If valid device credentials exist at the given location, the device will load
# those credentials for SDO.
#
# If the device loads the credentials given by this property, it will not run
# the DI protocol to obtain credentials.
#
# If this property is left blank or omitted, the Java device will always run
# the DI protocol for device credentials.
#
# Type: URI. Relative URIs (filesystem paths) and file: URIs
# are accepted.
# Affects: DI
# Examples: org.sdo.device.credentials = file:///etc/device.oc
# org.sdo.device.credentials = /home/sdo/device.credentials
# org.sdo.device.credentials =
# The filesystem location at which the device will save generated credentials
# once the SDO protocol is complete.
#
# If the specified directory does not exist, the SDO Java device will create it.
#
# If this property is blank or omitted, the device will not save generated
# credentials. This can be useful for test or demonstration environments in
# which the protocol must be run repeatedly from the same credentials.
#
# Type: java.nio.file.Path
# Affects: DI
# Example: org.sdo.device.output-dir = /tmp
# org.sdo.device.output-dir =
# The device's serial number.
#
# If this flag is not set, the SDO Java device will generate a serial number.
#
# Type: String
# Defaults-To: null
# Affects: DI
# Example: org.sdo.device.serial = 12345678
# org.sdo.device.serial =
# Set this flag to stop the SDO Java device after it runs the DI protocol.
#
# If this flag is not set, the SDO Java device will proceed directly to TO1
# after DI. It can be useful to set this flag and stop the device while
# DI-generated proxies are extended and/or registered with rendezvous.
# This is common in test environments.
#
# Type: Boolean
# Defaults-To: true
# Affects: DI, TO1
# Example: org.sdo.device.stop-after-di = true
# org.sdo.device.stop-after-di =
### OWNER: REQUIRED #################################################
# These properties MUST be set when running the SDO Java owner.
###############################################################################
# The location of the owner's PEM-encoded X.509 certificate.
#
# Type: URI. Relative URIs (filesystem paths) and file: URIs
# are accepted.
# Affects: TO0 TO2
# Examples: org.sdo.owner.cert = http://localhost/owner.crt
# org.sdo.owner.cert = file://home/sdo/owner.pem
# org.sdo.owner.cert = /usr/local/etc/owner.x509
# org.sdo.owner.cert = ./keys/owner.txt
org.sdo.owner.cert =
# The location of the owner's PEM-encoded PKCS8 private key.
#
# The SDO Java software does not support encrypted PKCS8 files.
# This behavior can be overridden by replacing the FactoryBean<PrivateKey> bean
# in your Spring configuration.
#
# Type: URI. Relative URIs (filesystem paths) and file: URIs
# are accepted.
# Affects: TO0 TO2
# Examples: org.sdo.owner.cert = http://localhost/owner.key
# org.sdo.owner.cert = file://home/sdo/owner.p8
# org.sdo.owner.cert = /usr/local/etc/owner.key
# org.sdo.owner.cert = ./keys/owner.txt
org.sdo.owner.key =
### OWNER: OPTIONAL ####################################################
# These properties MAY be set when running the SDO Java owner.
###############################################################################
# The filesystem location at which the owner will save generated ownership
# proxies once the SDO protocol is complete.
#
# If the specified directory does not exist, the SDO Java owner will create it.
#
# If this property is blank or omitted, the owner will not save
# generated proxies. This can be useful for test or demonstration environments
# in which the protocol must be run repeatedly from the same proxies.
#
# Type: java.nio.file.Path
# Affects: TO2
# Example: org.sdo.owner.output-dir = /tmp
# org.sdo.owner.output-dir =
# The filesystem location from which the owner will load ownership proxies.
#
# Each file in the given directory will be checked to see if it contains
# a valid ownership proxy. If it does, the owner will load it.
#
# If more than one file in the proxy directory contains the same SDO UUID (g2),
# then behavior is undefined, and whichever proxy is loaded last will override
# the others.
#
# Type: java.nio.file.Path
# Defaults-To: the value of system property "java.io.tmpdir"
# Affects: TO0 TO2
# Example: org.sdo.owner.proxy-dir = /usr/lib/share/sdo
# org.sdo.owner.proxy-dir =
# *** OnDie ECDSA configuration settings ***
# In typical environments, only sdo.ondiecache.cachedir and sdo.ondiecache.autoupdate are used
# and only when supporting OnDie ECDSA devices.
# The cachedir is used to store CRL files and can be populated by either setting autoupdate to true
# or by running the provided script (onDieCache.py) to load the directory with CRL files from the cloud.
# If autoupdate is set to true the owner application will load the cache upon startup. However, if operating
# in OnPrem mode then this is not possible so the script should be used. To run the script, python must be installed.
# Invoke as follows: python onDieCache.py CACHEDIR
# where CACHEDIR = target location to store CRL files. Typically, this will match the value of sdo.ondiecache.cachedir.
# However, it is also possible to run the script on a different host and then copy the downloaded files into sdo.ondiecache.cachedir.
# The exact setup will vary depending on the runtime environment and user needs.
# property: sdo.ondiecache.cachedir
# specifies the directory where OnDie cache files are located
# Type: java.nio.file.Path
# Defaults-To: no default
# Affects: TO2
# Example: sdo.ondiecache.cachedir = /usr/lib/share/ondiecache
# sdo.ondiecache.cachedir =
# property: sdo.ondiecache.autoupdate
# Set this to true or false to enable autoupdate of cachedir from urlsources
# Type: boolean
# Defaults-To: false
# Affects: TO2
# sdo.ondiecache.autoupdate = true
# property: sdo.ondiecache.urlsources
# Comma separate list of urls containing cert and CRL files for OnDie ECDSA. This should only be needed when
# debugging or working with pre-production hardware.
# Type: string
# Defaults-To: https://tsci.intel.com/content/OnDieCA/certs/,https://tsci.intel.com/content/OnDieCA/crls/
# Affects: TO2
# sdo.ondiecache.urlsources = https://tsci.intel.com/content/OnDieCA/certs/,https://tsci.intel.com/content/OnDieCA/crls/
# property: sdo.ondiecache.revocations
# Set this to true or false to enable revocation checking of OnDie ECDSA signatures. This should not be
# used in production environments and only used when debugging or working with pre-production hardware.
# Type: boolean
# Defaults-To: true
# Affects: TO2
# sdo.ondiecache.revocations = false
###############################################################################
# The value of TO0.OwnerSign.to0d.ws to send when registering proxies in TO0.
#
# SDO 1.12 defines ws:
#
# The wait time offered by the Owner, which is adjusted and confirmed in
# TO0.AcceptOwner.ws.
#
# The wait time is negotiated with the server, see TO0.AcceptOwner.ws.
# After the negotiated wait time passes, the owner must re-run the TO0
# Protocol to refresh its mapping.
#
# Type: java.time.Duration
# Defaults-To: PT1H (one hour in ISO-8601 notation)
# Affects: TO0, TO1, TO2
# Example: org.sdo.to0.ownersign.to0d.ws = PT1D
# org.sdo.to0.ownersign.to0d.ws =
# The value of TO0.OwnerSign.to1d.bo.dns1 to send when
# registering proxies in TO0.
#
# SDO 1.12 defines dns1:
#
# A DNS name where the Owner is listening for a TO2 connection. Any
# IP address resolved by the DNS name must be equivalently able to
# process the TO2 connection. A null string (“”) may be used if only the
# “i1” value matters.
#
# Type: String
# Defaults-To: The local hostname, if it can be discovered.
# This can produce unexpected results on machines with
# dynamic name services,
# as discovered hostnames may not be resolvable.
# Affects: TO0, TO2
# Example: org.sdo.to0.ownersign.to1d.bo.dns1 = localhost.localdomain
# org.sdo.to0.ownersign.to1d.bo.dns1 =
# The value of TO0.OwnerSign.to1d.bo.i1 to send when registering proxies in TO0.
#
# SDO 1.12 defines i1:
#
# An Internet address where the Owner is listening for a TO2
# connection. It may be 0.0.0.0 if only “dns1” matters. Since the to1d
# value has a time limit associated with it (“ws”), the server may use the
# Internet address to create a temporary address that is harder to map
# to its identity. If both DNS and IP address are specified, the IP
# address is used only when the DNS address fails to resolve.
#
# Type: java.net.InetAddress
# Defaults-To: The loopback address, if the local DNS
# name can not be discovered, and 0.0.0.0 otherwise.
# Affects: TO0, TO2
# Example: org.sdo.to0.ownersign.to1d.bo.i1 = 192.0.2.1
# org.sdo.to0.ownersign.to1d.bo.i1 =
# The value of TO0.OwnerSign.to1d.bo.port1 to send when registering
# proxies in TO0.
#
# SDO 1.12 defines port1:
#
# A TCP port where the Owner is listening for a TO2 connection. A
# value of zero (0) indicates that the default port (80 for HTTP or 443
# for HTTPS) is used.
#
# Type: Integer
# Defaults-To: 8042
# Affects: TO0, TO2
# Example: org.sdo.to0.ownersign.to1d.bo.port1 = 8042
# org.sdo.to0.ownersign.to1d.bo.port1 =
### PUBLIC-KEY INFRASTRUCTURE (PKIX): REQUIRED #########################
# These properties MUST be set when running SDO tools
# which perform PKIX operations.
###############################################################################
# The set of certificates for certificate trust anchors (CA roots)
# used when validating device certificate chains.
#
# The value of this property is a comma-separated list of URIs.
# All certificate files must be X.509 PEM.
#
# Relative URIs (filesystem paths) and file: URIs are accepted.
# If the URI identifies a filesystem directory, all files in that directory
# will be used.
#
# Type: Set<URI>
# Affects: TO0, TO1
# Example: org.sdo.pkix.trust-anchors = /opt/ca-roots, https://ca.example/cert.pem
org.sdo.pkix.trust-anchors =
### PUBLIC-KEY INFRASTRUCTURE (PKIX): OPTIONAL #########################
# These properties MAY be set when running SDO tools
# which perform PKIX operations.
###############################################################################
# Whether to enable checking of device certificate chains (PM.OwnershipProxy.dc)
# during TO0.
#
# Type: Boolean
# Affects: TO0
# Default: false
# Example org.sdo.pkix.revocation-checking-enabled = true
# org.sdo.pkix.revocation-checking-enabled =
# A comma-separated list of URIs at which to find
# Certificate Revocation Lists (CRLs).
#
# If the URIs are to directories, every X.509 PEM CRL in each directory
# will be loaded.
#
# The SDO Java software interprets the absence of this property as
# 'no CRL information available'. Note that this is not the same as being
# set to nothing, or to an empty directory, which means
# 'CRLs available, and there are none.'
# The PKIX engine will try to fallback from an inconclusive CRL check
# but can pass a CRL check against an empty set.
#
# Type: Set<URI>
# Affects: TO0
# Example: org.sdo.pkix.crls = http://localhost/crl, /usr/local/crls
# org.sdo.pkix.crls =
# A comma-separated list of PKIX verification options to set.
#
# For CRL checking only, a value of "PREFER_CRLS, SOFT_FAIL, NO_FALLBACK"
# can be useful.
#
# Type: Set<java.security.cert.PKIXRevocationChecker.Option>
# Affects: TO0
# Default: PREFER_CRLS, SOFT_FAIL, NO_FALLBACK
# Example: org.sdo.pkix.revocation-options = PREFER_CRLS, SOFT_FAIL, NO_FALLBACK
# org.sdo.pkix.revocation-options =