PKI Environment Variables - dogtagpki/pki GitHub Wiki

Overview

Various PKI tools support cascading configuration files that define environment variables:

  • The default configuration is located at /usr/share/pki/etc/pki.conf. This file is read-only.

  • The system configuration is located at /etc/pki/pki.conf. This file can be customized by the system administrator.

  • (10.4.1 or later) The user configuration is located at ~/.dogtag/pki.conf. This file can be created by individual users.

Notes:

  • To override an existing environment variable defined in the default pki.conf, specify the variable in a system configuration file (i.e. /etc/pki/pki.conf) or user configuration file (i.e. ~/.dogtag/pki.conf). Do not specify the custom environment variables on the command line.

  • To define other environment variables that are not defined in the default pki.conf (e.g. NSPR_LOG_MODULES), they can be specified on the command line, or in the system pki.conf or user pki.conf. Make sure the variables are exported, for example:

$ export NSPR_LOG_MODULES="all:5"

Global Configuration

  • JAVA_HOME: Java home

  • JNI_JAR_DIR: JNI jar file location

  • PKI_LIB: PKI library

  • RESTEASY_LIB: RESTEasy library

  • NSS_DEFAULT_DB_TYPE: NSS database format

  • PKI_LOGGING_CONFIG: logging configuration location (default: /usr/share/pki/etc/logging.properties)

Client Configuration

Default CLI Options

The PKI_CLI_OPTIONS parameter can be used to specify options for the PKI CLI itself (not options of the individual PKI CLI commands) that will be added to every execution of the PKI CLI.

For example, the following option will cause all PKI CLI executions to run in verbose mode:

PKI_CLI_OPTIONS="-v"

The following option will cause all PKI CLI executions to ignore the access banner (if one is configured):

PKI_CLI_OPTIONS="--ignore-banner"

SSL Configuration

Since version 10.4.1, the PKI client supports the following SSL configuration parameters.

SSL Version Ranges

The SSL version ranges for stream and datagram can be specified with the following parameters:

  • SSL_STREAM_VERSION_MIN (default is TLS_1_0)

  • SSL_STREAM_VERSION_MAX (default is TLS_1_2)

  • SSL_DATAGRAM_VERSION_MIN (default is TLS_1_1)

  • SSL_DATAGRAM_VERSION_MAX (default is TLS_1_2)

Valid values are: SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2.

SSL Ciphers

The SSL ciphers can be customized using the following parameters:

  • SSL_DEFAULT_CIPHERS: Enable default ciphers (default is true)

  • SSL_CIPHERS: List of additional ciphers (default is empty)

By default the PKI CLI uses the default SSL ciphers provided by NSS, except that all SSL 2.0 ciphers are disabled and all ECC ciphers are enabled. To disable the default ciphers, specify the following parameter:

SSL_DEFAULT_CIPHERS="false"

To enable additional ciphers, or to customize the default ciphers, specify the ciphers in SSL_CIPHERS. For example:

SSL_CIPHERS="
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
"

To disable a specific default cipher, put a - (minus sign) in front of the cipher name. For example:

SSL_CIPHERS="
TLS_RSA_WITH_AES_128_CBC_SHA256
-TLS_RSA_WITH_AES_256_CBC_SHA
"

To strictly use certain ciphers (without the default ciphers), specify the following parameters:

SSL_CIPHERS="
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
"
SSL_DEFAULT_CIPHERS="false"
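
The following is an added illustration, not Dogtag PKI's own code, of two rules described on this page: the cascading default -> system -> user pki.conf lookup, and the SSL_DEFAULT_CIPHERS / SSL_CIPHERS resolution (defaults on or off, plain entries enabled, - entries disabled). The default cipher list is a constructed stand-in for the NSS defaults, and the resulting order is illustrative only.

```python
# Added illustration (not Dogtag PKI's own code) of the cascading pki.conf
# lookup and the SSL_CIPHERS / SSL_DEFAULT_CIPHERS rules described above.

# Constructed stand-in for the NSS default cipher list.
NSS_DEFAULT_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def effective_env(default_conf, system_conf, user_conf=None):
    """Merge the three pki.conf layers; later layers override earlier ones."""
    env = {}
    for layer in (default_conf, system_conf, user_conf or {}):
        env.update(layer)
    return env


def resolve_ciphers(env, defaults=NSS_DEFAULT_CIPHERS):
    """Return the list of ciphers enabled for the given environment.

    SSL_DEFAULT_CIPHERS=false drops the default list; each whitespace-separated
    entry in SSL_CIPHERS is enabled, or disabled when prefixed with '-'.
    """
    use_defaults = env.get("SSL_DEFAULT_CIPHERS", "true").strip().lower() != "false"
    enabled = list(defaults) if use_defaults else []
    for token in env.get("SSL_CIPHERS", "").split():
        if token.startswith("-"):
            name = token[1:]
            if name in enabled:
                enabled.remove(name)
        elif token not in enabled:
            enabled.append(token)
    return enabled


if __name__ == "__main__":
    # Constructed layers: the system file disables one default cipher, the
    # user file turns the defaults off and keeps two explicit ciphers.
    default_conf = {"SSL_DEFAULT_CIPHERS": "true"}
    system_conf = {"SSL_CIPHERS": "\n-TLS_RSA_WITH_AES_256_CBC_SHA\n"}
    user_conf = {
        "SSL_DEFAULT_CIPHERS": "false",
        "SSL_CIPHERS": "\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\n",
    }
    print(resolve_ciphers(effective_env(default_conf, system_conf)))
    print(resolve_ciphers(effective_env(default_conf, system_conf, user_conf)))
```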

PKI Server Installation Configuration

  • PKISPAWN_STARTUP_TIMEOUT_SECONDS: Server startup timeout during installation in seconds (default: 60)

PKI Server Runtime Configuration

  • PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS: Auto-enable subsystems (default: true)
