Table of Contents
1 Introduction
In the RPKI system, a Relying Party retrieves RPKI objects from repositories, validates those objects, and uses the validation results as input to provide BGP security.
The
- Section 2 Relying-Party Tools - Primary tools required for a Relying Party.
- Section 3 rcynic Support Programs - Programs to post-process the data collected by the Relying Party tools.
- Section 4 RPKI Utility Programs - Tools to assist in monitoring and maintaining the Relying Party system.
- Section 5 Parsons Utility Programs - Additional tools to assist in monitoring and maintaining the Relying Party system. The tools described in this section are provided by Parsons, Inc., and are not part of the rpki.net software distribution.
- Section 6 Certification-Authority Daemons - Daemons that provide the Certification-Authority functionality.
- Section 7 Certification-Authority Utilities - Tools to assist in monitoring and maintaining the Certification-Authority system.
- Section 8 Certification-Authority Test Tools - Tools to test the Certification-Authority system.
This document is prepared under Contract Number HSHQDC-14-C-B0035 for DHS S&T CSD
2 Relying-Party Tools
Relying-Party tools:
2.1 rcynic
The default
Usage:
rcynic [options]
Where options are:
  -a ARG  --authenticated ARG    root of authenticated data tree
  -c ARG  --config ARG           override default name of config file
  -h      --help                 print this help message
  -j ARG  --jitter ARG           set jitter value
  -l ARG  --log-level ARG        set log level
  -u ARG  --unauthenticated ARG  root of unauthenticated data tree
  -e      --use-stderr           log to syslog
  -s      --use-syslog           log to stderr
  -V      --version              print program version
  -x ARG  --xml-file ARG         set XML output file location
Most of
Most configuration parameters are optional and reasonable defaults are used.
If
The Step-By-Step Configuration File
Reference has a complete description of the
Data and Files
By default,
- directory of unauthenticated data
  This directory contains raw data fetched by rsync. In order to take full advantage of rsync's optimized transfers, this directory should be preserved and reused across rcynic runs. This prevents rcynic from having to re-fetch data that have not changed. The actual directory is named by the unauthenticated field in the rcynic.conf file.
- directory of authenticated data
  This directory contains data which rcynic has validated. This is the real output of the validation process. The name of the authenticated directory is really a symbolic link to a directory with a name of the form "authenticated.<timestamp>", where <timestamp> is an ISO-8601 timestamp like 2001-04-01T01:23:45Z. rcynic creates a new timestamped directory every time it runs, and changes the symbolic link as an atomic operation when the validation process completes. The intent is that the symbolic link of the authenticated directory always points to the most recent usable validation results, so that programs which use rcynic's output don't need to worry about whether an rcynic run is in progress. The actual directory is named by the authenticated field in the rcynic.conf file.
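The symlink-swap pattern described above matters for anything that reads rcynic's output: a consumer must follow the "authenticated" link rather than guessing a timestamped directory name, and the producer must replace the link with a single rename so a reader never sees a missing or half-written tree. The following is an added example, not rcynic's own code; it rebuilds the layout in a temporary directory, and the directory and link names are taken from the description above (everything else is an assumption of this example).

```python
"""Added example (not rcynic's own code): locating the current validated
tree through the "authenticated" symbolic link, and replacing that link
atomically so readers always see a complete tree."""
import os
import tempfile
import time


def timestamped_dir_name(when=None):
    """Build an 'authenticated.<timestamp>' name with an ISO-8601 UTC stamp."""
    when = time.gmtime() if when is None else when
    return "authenticated." + time.strftime("%Y-%m-%dT%H:%M:%SZ", when)


def publish_validated_tree(root, new_dir_name, link_name="authenticated"):
    """Point root/<link_name> at root/<new_dir_name> with a single rename(2).

    The new symlink is created under a temporary name and then renamed over
    the live link.  rename() is atomic on POSIX, so a reader following the
    link sees either the previous tree or the new one, never no link at all.
    """
    tmp_link = os.path.join(root, link_name + ".tmp")
    if os.path.lexists(tmp_link):
        os.unlink(tmp_link)
    os.symlink(new_dir_name, tmp_link)  # relative target, like rcynic's layout
    os.rename(tmp_link, os.path.join(root, link_name))


def current_validated_tree(root, link_name="authenticated"):
    """Resolve the live link.  A plain directory in its place would mean
    no atomic swap is happening, so refuse rather than read it."""
    link = os.path.join(root, link_name)
    if not os.path.islink(link):
        raise RuntimeError("%s is not a symbolic link" % link)
    return os.path.join(root, os.readlink(link))


def demo():
    """Simulate two validation passes; return the tree names a reader saw."""
    root = tempfile.mkdtemp(prefix="rcynic-demo-")
    seen = []
    for stamp in (time.gmtime(0), time.gmtime(86400)):
        name = timestamped_dir_name(stamp)
        os.makedirs(os.path.join(root, name))
        # Finish writing the tree before it is published.
        with open(os.path.join(root, name, "roa-count"), "w") as fh:
            fh.write("1\n")
        publish_validated_tree(root, name)
        seen.append(os.path.basename(current_validated_tree(root)))
    return seen


if __name__ == "__main__":
    print(demo())
```

Because the link target is written relative to the parent directory, the whole tree can be moved or mounted elsewhere without the link breaking, which is the same property the rcynic layout relies on.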
In order for
Trust anchors cannot be confused with certificates. Trust anchors are always
placed in the top level of the tree, while data fetched via
Trust anchors and trust anchor locators taken from the directory named by
the
2.2 rpki-rtr
The software referred to as
In addition, a listener for the
The transfer protocol implemented by
Usage:
rpki-rtr [-h] [--debug] [--log-level {debug,info,warning,error,critical}] [--log-to {syslog,stderr}]
         <command-specific options> <command> <command-specific arguments>

optional arguments:
  -h, --help            show this help message and exit
  --debug               debugging mode
  --log-level {debug,info,warning,error,critical}
  --log-to {syslog,stderr}

Commands:
  server    RPKI-RTR protocol server
  listener  TCP listener for RPKI-RTR protocol server
  client    Test client for RPKI-RTR protocol
  cronjob   Generate RPKI-RTR database from rcynic output
  show      Display content of RPKI-RTR database
The subcommands for
2.2.1 rpki-rtr client
This subcommand invokes a test client, which is primarily used for debugging.
Usage:
rpki-rtr client [-h] [--sql-database SQL_DATABASE] [--force-version {0,1}] [--reset-session]
                {loopback,tcp,ssh,tls} [host] [port]

positional arguments:
  {loopback,tcp,ssh,tls}
                        connection protocol
  host                  server host
  port                  server port

optional arguments:
  -h, --help            show this help message and exit
  --sql-database SQL_DATABASE
                        filename for sqlite3 database of client state
  --force-version {0,1}
                        force specific protocol version
  --reset-session       reset any existing session found in sqlite3 database
2.2.2 rpki-rtr cronjob
This subcommand is run after executing
Usage:
rpki-rtr cronjob [-h] [--scan-roas SCAN_ROAS] [--scan-routercerts SCAN_ROUTERCERTS] [--force_zero_nonce]
                 rcynic_dir [rpki_rtr_dir]

positional arguments:
  rcynic_dir            directory containing validated rcynic output tree
  rpki_rtr_dir          directory containing RPKI-RTR database

optional arguments:
  -h, --help            show this help message and exit
  --scan-roas SCAN_ROAS
                        specify an external scan_roas program
  --scan-routercerts SCAN_ROUTERCERTS
                        specify an external scan_routercerts program
  --force_zero_nonce    force nonce value of zero
2.2.3 rpki-rtr listener
This subcommand provides an insecure TCP listener for the
Usage:
rpki-rtr listener [-h] [--refresh REFRESH] [--retry RETRY] [--expire EXPIRE] port [rpki_rtr_dir]

positional arguments:
  port                  TCP port on which to listen
  rpki_rtr_dir          directory containing RPKI-RTR database

optional arguments:
  -h, --help            show this help message and exit
  --refresh REFRESH     override default refresh timer
  --retry RETRY         override default retry timer
  --expire EXPIRE       override default expire timer
In theory, RPKI will migrate to using TCP-AO in the future. When this happens, this listener functionality will either go away or become a TCP-AO listener.
2.2.4 rpki-rtr server
This subcommand provides the server side of the
Usage:
rpki-rtr server [-h] [--refresh REFRESH] [--retry RETRY] [--expire EXPIRE] [rpki_rtr_dir]

positional arguments:
  rpki_rtr_dir          directory containing RPKI-RTR database

optional arguments:
  -h, --help            show this help message and exit
  --refresh REFRESH     override default refresh timer
  --retry RETRY         override default retry timer
  --expire EXPIRE       override default expire timer
2.2.5 rpki-rtr show
This subcommand displays the current
Usage:
rpki-rtr show [-h] [rpki_rtr_dir]

positional arguments:
  rpki_rtr_dir          directory containing RPKI-RTR database

optional arguments:
  -h, --help            show this help message and exit
2.3 rcynic-cron
rcynic rpki-rtr cronjob rpkigui-rcynic rcynic-html
$ rcynic-cron [--chroot]
    --chroot  run chrooted; only usable by root
If the
The
The
If
{autoconf.bindir}/rcynic -c {autoconf.sysconfdir}/rcynic.conf
The
{autoconf.bindir}/rpki-rtr cronjob \
    {autoconf.RCYNIC_DIR}/data/authenticated \
    {autoconf.RCYNIC_DIR}/rpki-rtr
The
{autoconf.bindir}/rpkigui-rcynic
The
{autoconf.bindir}/rcynic-html \
    {autoconf.RCYNIC_DIR}/data/rcynic.xml \
    {autoconf.RCYNIC_HTML_DIR}
This command is intended to be executed by
3 rcynic Support Programs
Utility Programs:
3.1 make-tal.sh
The
To create a TAL-format Trust Anchor Locator, use the
$top/rp/rcynic/make-tal.sh rsync://example.org/rpki/root/root.cer root.cer
The first argument must be an
Like any certificate, the
3.2 rcynic-html
Generally, you will not need to run
If for some reason you do need to run
$ rcynic-html rcynic.xml /web/server/directory/
$ rcynic-html --rrdtoolbinary /somewhere/rrdtool rcynic.xml /web/server/directory/
The second way involved changing the
3.3 rcynic-svn
To use
$ svnadmin create /somewhere/safe/rpki-archive
$ svn co file:///somewhere/safe/rpki-archive /somewhere/else/rpki-archive
These commands create the repository
Once the repository and working directory are set up, you need to arrange
for
Usage:
$ rcynic-svn --lockfile /var/rcynic/data/lock \
    /var/rcynic/data/authenticated \
    /var/rcynic/data/unauthenticated \
    /var/rcynic/data/rcynic.xml \
    /somewhere/else/rpki-archive
This execution assumes that
The last argument is the name of the Subversion working directory in which
the results will be archived. The other arguments are the names of those
portions of
3.4 rcynic-text
Usage:
$ rcynic-text rcynic.xml
3.5 rcynic.xsl
If for some reason XSLT works better in your environment than Python, you
might find this stylesheet to be a useful starting point. Be warned that
3.6 validation_status
Usage:
$ validation_status rcynic.xml
$ validation_status rcynic.xml | fgrep rpki.misbehaving.org
$ validation_status rcynic.xml | fgrep object_rejected
4 RPKI Utility Programs
The
Unless otherwise specified, all of these tools expect RPKI objects (certificates, CRLs, CMS signed objects) to be in DER format.
Several of these tools accept an
Utility Programs:
4.1 find_roa
Usage:
$ find_roa [-h | --help] [-a | --all] [-m | --match-maxlength] [-f | --show-filenames]
           [-i | --show-inception] [-e | --show-expiration] authtree [prefix...]
Where options are:
  -h  --help             Show help
  -a  --all              Show all ROAs, do no prefix matching at all
  -e  --show-expiration  Show ROA chain expiration dates
  -f  --show-filenames   Show filenames instead of URIs
  -i  --show-inception   Show inception dates
  -m  --match-maxlength  Pay attention to maxlength values
  authtree               rcynic-authenticated output tree
  prefix                 ROA prefix(es) on which to match
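The difference between plain prefix matching and --match-maxlength is the difference between "which ROAs cover this prefix" and "would this announcement actually validate". The following is an added example, not the find_roa program: it implements both views over a small constructed ROA set, the second one being the Route Origin Validation outcome defined in RFC 6811 (Valid, Invalid, NotFound).

```python
"""Added example (not find_roa itself): prefix matching against ROAs with
and without the maxLength check, i.e. RFC 6811 route origin validation."""
import ipaddress

# Constructed ROA payloads: (origin ASN, prefix, maxLength).
ROAS = [
    (64496, "192.0.2.0/24", 24),
    (64497, "198.51.100.0/22", 24),
    (64498, "2001:db8::/32", 48),
]


def _covers(roa_prefix, net):
    """True when the ROA prefix contains net (same address family only)."""
    roa_net = ipaddress.ip_network(roa_prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def covering_roas(prefix, roas=ROAS):
    """What find_roa shows without -m: every ROA whose prefix covers the
    given prefix, regardless of maxLength or ASN."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [r for r in roas if _covers(r[1], net)]


def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 outcome for an announcement of prefix from origin_asn.

    NotFound: no ROA covers the prefix.
    Valid:    a covering ROA names this ASN and the announced length is
              within that ROA's maxLength.
    Invalid:  covering ROAs exist but none matches (wrong origin, or the
              announcement is more specific than maxLength allows)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covers = covering_roas(prefix, roas)
    if not covers:
        return "NotFound"
    for asn, _roa_prefix, maxlen in covers:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    for prefix, asn in (("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("198.51.100.0/24", 64499), ("203.0.113.0/24", 64496)):
        print(prefix, asn, [r[1] for r in covering_roas(prefix)], rov_state(prefix, asn))
```

The second case in the usage block is the one maxLength exists for: 192.0.2.0/25 is covered by the 192.0.2.0/24 ROA, so it shows up in a plain prefix match, yet it is Invalid because the ROA's maxLength of 24 does not authorize a /25 from that origin.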
4.2 hashdir
Usage:
$ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory
Where options are:
  -h  --help         Show help
  -v  --verbose      Whistle while you work
  rcynic_directory   rcynic-authenticated output tree
  output_directory   Output directory to create
4.3 print_roa
Usage:
$ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time] ROA [ROA...]
Where options are:
  -h  --help          Show help
  -b  --brief         Brief mode (only show ASN and prefix)
  -c  --cms           Print text representation of entire CMS blob
  -s  --signing-time  Show CMS signingTime
  ROA                 ROA object(s) to print
4.4 print_rpki_manifest
Usage:
$ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...]
Where options are:
  -h  --help  Show help
  -c  --cms   Print text representation of entire CMS blob
  manifest    Manifest(s) to print
4.5 scan_roas
Other programs, such as the
Usage:
$ scan_roas [-h | --help] rcynic_directory [rcynic_directory...]
Where options are:
  -h  --help        Show help
  rcynic_directory  rcynic-authenticated output tree
4.6 scan_routercerts
Other programs such as the
Usage:
$ scan_routercerts [-h | --help] rcynic_directory [rcynic_directory...]
Where options are:
  -h  --help        Show help
  rcynic_directory  rcynic-authenticated output tree
4.7 uri
Usage:
$ uri [-h | --help] [-s | --single-line] cert [cert...]
Where options are:
  -h  --help         Show help
  -s  --single-line  Single output line per input file
  cert               Object(s) to examine
5 Parsons Utility Programs
Parsons, Inc., provides a number of utility programs for use with the
Utility Programs:
- map_whois - enables one to discover network resources in ARIN's whois database that could belong to an organization.
- rcynicchk - validates the contents of an rcynic.conf file
- rpkichk - validates the contents of an rpki.conf file
- rsyncdchk - validates the contents of an rsyncd.conf file
5.1 map_whois
The
See the MapResources User's Guide for more information and examples of use.
Usage:
map_whois [-h] [-v] [-a ASN] [-p POC] [-o ORG] [-n NET] [-c CIDR] [-i IP] [-u URL]
          [-t THRESHOLD] [-l] [-s] [-f {png,svg}] [-R RVDB] [-L RESOURCELIST]
          [-j JSONFILE] [-g GRAPHFILE] [-r REPORTFILE] [-X | -H | -D DBSTORE]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity
  -a ASN, --asn ASN     Start from the given ASN handle
  -p POC, --poc POC     Start from the given POC handle
  -o ORG, --org ORG     Start from the given Org handle
  -n NET, --net NET     Start from the given Net handle
  -c CIDR, --cidr CIDR  Start from the given CIDR block
  -i IP, --ip IP        Start from the given IP address
  -u URL, --url URL     Start from the given domain
  -t THRESHOLD, --threshold THRESHOLD
                        Maximum number of dependencies to follow
  -l, --longform        Dsplay detailed information
  -s, --showgraph       Dsplay the graph
  -f {png,svg}, --format {png,svg}
                        Graphviz file format to use
  -R RVDB, --rvdb RVDB  Check against given Route Views Database file
  -L RESOURCELIST, --resourcelist RESOURCELIST
                        Extract resource handles from the given file. Each line of the file should be formatted as: , where the different supported types are 'asn', 'poc', 'org', 'net', 'cidr', 'ip' and 'url'.
  -j JSONFILE, --jsonfile JSONFILE
                        Output resource information in json format
  -g GRAPHFILE, --graphfile GRAPHFILE
                        Output graph image
  -r REPORTFILE, --reportfile REPORTFILE
                        Output report
  -X, --nostore         Do not use any data store
  -H, --hashstore       Use an indexed hash store
  -D DBSTORE, --dbstore DBSTORE
                        Use a DB store and issue queries if needed
5.2 rcynicchk
Some fields are not able to be fully validated. For example, the
The default configuration file is
Basic checks are rudimentary checks of the configuration values in an
Recommended-value checks ensure that certain fields in an
In addition to validating the contents of an
Usage:
$ rcynicchk [options]
Where [options] are:
  -config conffile  specify configuration file to validate
  -list             only list configuration-section information
  -basic            only run basic checks
  -recval           only run recommended-value checks
  -problems         only show problems found
  -summary          give summary of checks only
  -table            provide results in tabular form
  -verbose          give verbose output
  -Version          show version and exit
  -help             show usage message and exit
  -manpage          show the manual page and exit
See Validation Checks for rcynic.conf Files
for more details on the various validation checks performed by
5.3 rpkichk
The default configuration file is
Basic checks are rudimentary checks of the configuration values in an
Cross-checks ensure that an
Recommended-value checks ensure that certain fields in an
In addition to validating the contents of an
Usage:
$ rpkichk [options]
Where [options] are:
  -config conffile       specify configuration file to validate
  -list                  list configuration-section information
  -names                 list configuration-section names; must be used in conjunction with -list
  -untranslate           display untranslated values from the configuration file; must be used in conjunction with -list
  -section section-name  specify section to examine; must be used in conjunction with -list
  -basic                 only run basic checks
  -cross                 only run cross-checks
  -recval                only run recommended-value checks
  -problems              only show problems found
  -summary               give summary of checks only
  -table                 provide results in tabular form
  -noautoconf            don't check the autoconf section
  -noirdbd               don't check the irdbd section
  -nomyrpki              don't check the myrpki section
  -nopubd                don't check the pubd section
  -norootd               don't check the rootd section
  -norpkid               don't check the rpkid section
  -noweb_portal          don't check the web_portal section
  -verbose               give verbose output
  -Version               show version and exit
  -help                  show usage message and exit
  -manpage               show the manual page and exit
See Validation Checks for rpki.conf Files
for more details on the various validation checks performed by
5.4 rsyncdchk
The default configuration file is
In addition to validating the contents of an
Usage:
rsyncdchk [options]
Where options may be:
  -config conffile       specify configuration file to validate
  -list                  list configuration-section information
  -names                 list configuration-section names; must be used in conjunction with -list
  -section section-name  specify section to examine; must be used in conjunction with -list
  -basic                 only run basic checks
  -problems              only show problems found
  -summary               give summary of checks only
  -table                 provide results in tabular form
  -norpki                don't check the rpki section
  -noroot                don't check the root section
  -verbose               give verbose output
  -Version               show version and exit
  -help                  show usage message and exit
  -manpage               show the manual page and exit
See Validation Checks for rsyncd.conf Files
for more details on the various validation checks performed by
6 Certification-Authority Daemons
The
Certification-Authority Daemons:
6.1 irdbd
In production, this service acts as a function of the IRBE stub.
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Since
Usage:
irdbd [-h] [-c CONFIG] [-f] [--pidfile PIDFILE] [--profile PROFILE]
      [--log-level {debug,info,warning,error,critical}]
      [--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
       | --log-stderr | --log-stdout | --log-file LOG_FILE
       | --log-rotating-file FILENAME KBYTES COUNT
       | --log-timed-rotating-file FILENAME HOURS COUNT]

Where the options are:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  -f, --foreground      do not daemonize
  --pidfile PIDFILE     override default location of pid file
  --profile PROFILE     enable profiling, saving data to PROFILE
  --log-level {debug,info,warning,error,critical}
                        how verbosely to log
  --log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
                        send logging to syslog
  --log-stderr          send logging to standard error
  --log-stdout          send logging to standard output
  --log-file LOG_FILE   send logging to a file, reopening if rotated away
  --log-rotating-file FILENAME KBYTES COUNT
                        send logging to rotating file
  --log-timed-rotating-file FILENAME HOURS COUNT
                        send logging to timed rotating file
The
6.2 pubd
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
pubd [-h] [-c CONFIG] [-f] [--pidfile PIDFILE] [--profile PROFILE]
     [--log-level {debug,info,warning,error,critical}]
     [--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
      | --log-stderr | --log-stdout | --log-file LOG_FILE
      | --log-rotating-file FILENAME KBYTES COUNT
      | --log-timed-rotating-file FILENAME HOURS COUNT]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  -f, --foreground      do not daemonize
  --pidfile PIDFILE     override default location of pid file
  --profile PROFILE     enable profiling, saving data to PROFILE
  --log-level {debug,info,warning,error,critical}
                        how verbosely to log
  --log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
                        send logging to syslog
  --log-stderr          send logging to standard error
  --log-stdout          send logging to standard output
  --log-file LOG_FILE   send logging to a file, reopening if rotated away
  --log-rotating-file FILENAME KBYTES COUNT
                        send logging to rotating file
  --log-timed-rotating-file FILENAME HOURS COUNT
                        send logging to timed rotating file
The publication functionality could be combined with the main RPKI engine.
This would result in
- The hosting model allows installations which choose to run their own copies of rpkid to publish their output under a common publication point. In general, encouraging shared publication services where practical is beneficial for Relying Parties, as it will speed up rcynic synchronization time.
- The publication server has to run on (or close to) the publication point itself. This means it must be on a publicly reachable server to be useful. rpkid, on the other hand, need only be reachable by the IRBE and its children in the RPKI tree. rpkid is a much more complex publication server, so in some situations it might be preferable to wrap tighter firewall constraints around rpkid than would be practical for a combined rpkid/pubd daemon.
6.3 rootd
The root certificate of an RPKI certificate tree requires special handling and may also require a special handling policy.
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rootd [-h] [-c CONFIG] [-f] [--pidfile PIDFILE]
      [--log-level {debug,info,warning,error,critical}]
      [--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
       | --log-stderr | --log-stdout | --log-file LOG_FILE
       | --log-rotating-file FILENAME KBYTES COUNT
       | --log-timed-rotating-file FILENAME HOURS COUNT]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  -f, --foreground      do not daemonize
  --pidfile PIDFILE     override default location of pid file
  --log-level {debug,info,warning,error,critical}
                        how verbosely to log
  --log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
                        send logging to syslog
  --log-stderr          send logging to standard error
  --log-stdout          send logging to standard output
  --log-file LOG_FILE   send logging to a file, reopening if rotated away
  --log-rotating-file FILENAME KBYTES COUNT
                        send logging to rotating file
  --log-timed-rotating-file FILENAME HOURS COUNT
                        send logging to timed rotating file
6.4 rpkid
Configuration of
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpkid [-h] [-c CONFIG] [-f] [--pidfile PIDFILE] [--profile PROFILE]
      [--log-level {debug,info,warning,error,critical}]
      [--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
       | --log-stderr | --log-stdout | --log-file LOG_FILE
       | --log-rotating-file FILENAME KBYTES COUNT
       | --log-timed-rotating-file FILENAME HOURS COUNT]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  -f, --foreground      do not daemonize
  --pidfile PIDFILE     override default location of pid file
  --profile PROFILE     enable profiling, saving data to PROFILE
  --log-level {debug,info,warning,error,critical}
                        how verbosely to log
  --log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
                        send logging to syslog
  --log-stderr          send logging to standard error
  --log-stdout          send logging to standard output
  --log-file LOG_FILE   send logging to a file, reopening if rotated away
  --log-rotating-file FILENAME KBYTES COUNT
                        send logging to rotating file
  --log-timed-rotating-file FILENAME HOURS COUNT
                        send logging to timed rotating file
7 Certification-Authority Utilities
The
Certification-Authority Utilities:
- 7.1 irbe_cli
- 7.2 rpki-confgen
- 7.3 rpki-manage
- 7.4 rpki-sql-backup
- 7.5 rpki-sql-setup
- 7.6 rpki-start-servers
- 7.7 rpkigui-apache-conf-gen
- 7.8 rpkigui-check-expired
- 7.9 rpkigui-import-routes
- 7.10 rpkigui-rcynic
- 7.11 rpkic
- 7.12 rpkigui-query-routes
7.1 irbe_cli
Usage:
irbe_cli [top-level options] [command-options]

# Top-level options:
  --config= --help --pem_out= --quiet --verbose

rpkid commands:
  parent      --action= --tag= --self_handle= --parent_handle= --bsc_handle= --repository_handle=
              --peer_contact_uri= --sia_base= --sender_name= --recipient_name= --bpki_cms_cert=
              --bpki_cms_glue= --rekey --reissue --revoke --revoke_forgotten --clear_replay_protection
  repository  --action= --tag= --self_handle= --repository_handle= --bsc_handle= --peer_contact_uri=
              --bpki_cert= --bpki_glue= --clear_replay_protection
  self        --action= --tag= --self_handle= --crl_interval= --regen_margin= --bpki_cert= --bpki_glue=
              --rekey --reissue --revoke --run_now --publish_world_now --revoke_forgotten
              --clear_replay_protection
  list_received_resources  --self_handle= --tag=
  child       --action= --tag= --self_handle= --child_handle= --bsc_handle= --bpki_cert= --bpki_glue=
              --reissue --clear_replay_protection
  list_published_objects   --self_handle= --tag= --child_handle=
  bsc         --action= --tag= --self_handle= --bsc_handle= --key_type= --hash_alg= --key_length=
              --signing_cert= --signing_cert_crl= --generate_keypair

pubd commands:
  ghostbuster  --action= --tag= --client_handle= --uri=
  certificate  --action= --tag= --client_handle= --uri=
  roa          --action= --tag= --client_handle= --uri=
  manifest     --action= --tag= --client_handle= --uri=
  client       --action= --tag= --client_handle= --base_uri= --bpki_cert= --bpki_glue= --clear_replay_protection
  config       --action= --tag= --bpki_crl=
  crl          --action= --tag= --client_handle= --uri=
7.2 rpki-confgen
The
The
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpki-confgen [-h] --read-xml FILE [--write-xml FILE] [--write-wiki FILE] [--write-conf FILE]
             [--set VARVAL] [--pwgen VAR] [--toc TRACNAV] [--autoconf]

optional arguments:
  -h, --help         show this help message and exit
  --read-xml FILE    XML input file defining sections and options
  --write-xml FILE   XML file to write
  --write-wiki FILE  TracWiki file to write
  --write-conf FILE  rpki.conf configuration file to write
  --set VARVAL       variable setting in form "VAR=VAL"
  --pwgen VAR        set variable to generated password
  --toc TRACNAV      set TOC value to use with TracNav plugin
  --autoconf         configure [autoconf] section
7.3 rpki-manage
A large number of commands are available through
- Running "rpki-manage" or "rpki-manage help" provides a list of available commands. The command list is divided into five sections.
- Running "rpki-manage help <command>" (e.g., "rpki-manage help diffsettings") provides a description of the command and its arguments.
Usage:
rpki-manage command [options] [args]

Options:
  -v VERBOSITY, --verbosity=VERBOSITY
                        Verbosity level; 0=minimal output, 1=normal output, 2=verbose output, 3=very verbose output
  --settings=SETTINGS   The Python path to a settings module, e.g. "myproject.settings.main". If this isn't provided, the DJANGO_SETTINGS_MODULE environment variable will be used.
  --pythonpath=PYTHONPATH
                        A directory to add to the Python path, e.g. "/home/djangoprojects/myproject".
  --traceback           Raise on exception
  --version             show program's version number and exit
  -h, --help            show this help message and exit

commands:

[auth]
  changepassword     change a user's password for django.contrib.auth
  createsuperuser    used to create a superuser

[django]
  check              checks configuration's compatibility with this version of Django
  cleanup            clean out expired sessions (only with the database back-end at the moment)
  compilemessages    compiles .po files to .mo files for use with built-in gettext support
  createcachetable   creates the table needed to use the SQL cache backend
  dbshell            runs the command-line client for a database
  diffsettings       displays differences between the current settings.py and Django's default settings
  dumpdata           output contents of the database as a fixture of the given format
  flush              returns database to the state it was in immediately after syncdb was executed
  inspectdb          introspects database tables in the given database and outputs a Django model module
  loaddata           installs the named fixture(s) in the database
  makemessages       runs over a source tree of the current directory to find strings for translation
  runfcgi            run project as a fastcgi application
  shell              runs a Python interactive interpreter.
  sql                prints the CREATE TABLE SQL statements for the given app name(s)
  sqlall             prints the CREATE TABLE, custom SQL, and CREATE INDEX SQL statements for the given model module name(s)
  sqlclear           prints the DROP TABLE SQL statements for the given app name(s)
  sqlcustom          prints the custom table modifying SQL statements for the given app name(s)
  sqldropindexes     prints the DROP INDEX SQL statements for the given model module name(s)
  sqlflush           returns a list of the SQL statements required to return all tables in the database to the state they were in just after they were installed
  sqlindexes         prints the CREATE INDEX SQL statements for the given model module name(s)
  sqlinitialdata     renamed: see 'sqlcustom'
  sqlsequencereset   prints the SQL statements for resetting sequences for the given app name(s)
  startapp           creates a Django app directory structure for the given app name
  startproject       creates a Django project directory structure for the given project name
  validate           validates all installed models

[sessions]
  clearsessions      clean out expired sessions (only with the database back-end at the moment)

[south]
  convert_to_south   converts named application to use South
  datamigration      creates a new template data migration for the given app
  graphmigrations    outputs a GraphViz dot file of all migration dependencies
  migrate            runs migrations for all apps
  migrationcheck     runs migrations for each app in turn, detecting missing depends_on values
  schemamigration    creates a new template schema migration for the given app
  startmigration     deprecated command
  syncdb             create database tables for all apps in INSTALLED_APPS whose tables haven't already been created
  test               discover and run tests in the specified modules or the current directory
  testserver         runs a development server with data from the given fixture(s)

[staticfiles]
  collectstatic      collect static files in a single location
  findstatic         finds the absolute paths for the given static file(s)
  runserver          starts a light-weight Web server for development and also serves static files
7.4 rpki-sql-backup
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpki-sql-backup [-h] [-c CONFIG] [-o OUTPUT]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  -o OUTPUT, --output OUTPUT
                        destination for SQL dump (default: stdout)
7.5 rpki-sql-setup
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpki-sql-setup [-h] [-c CONFIG] [-v] [--mysql-defaults MYSQL_DEFAULTS] [--upgrade-scripts UPGRADE_SCRIPTS]
               [--create | --drop | --script-drop | --drop-and-create | --fix-grants | --create-if-missing | --apply-upgrades]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        specify alternate location for rpki.conf
  -v, --verbose         whistle while you work
  --mysql-defaults MYSQL_DEFAULTS
                        specify MySQL root access credentials via a configuration file
  --upgrade-scripts UPGRADE_SCRIPTS
                        override default location of upgrade scripts
  --create              create databases and load schemas
  --drop                drop databases
  --script-drop         send SQL commands to drop databases to standard output
  --drop-and-create     drop databases then recreate them and load schemas
  --fix-grants          whack database access to match current configuration file
  --create-if-missing   create databases and load schemas if they don't exist already
  --apply-upgrades      apply upgrade scripts to existing databases
7.6 rpki-start-servers
This command starts the required CA daemons. It uses the
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
usage: rpki-start-servers [-h] [-c CONFIG] [--log-directory LOG_DIRECTORY] [--log-backup-count LOG_BACKUP_COUNT]
                          [--log-level {debug,info,warning,error,critical}]
                          [--log-file | --log-rotating-file-kbytes LOG_ROTATING_FILE_KBYTES
                           | --log-rotating-file-hours LOG_ROTATING_FILE_HOURS
                           | --log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  --log-directory LOG_DIRECTORY
                        where to write write log files when not using syslog
  --log-backup-count LOG_BACKUP_COUNT
                        keep this many old log files when rotating
  --log-level {debug,info,warning,error,critical}
                        how verbosely to log
  --log-file            log to files, reopening if rotated away
  --log-rotating-file-kbytes LOG_ROTATING_FILE_KBYTES
                        log to files, rotating after this many kbytes
  --log-rotating-file-hours LOG_ROTATING_FILE_HOURS
                        log to files, rotating after this many hours
  --log-syslog [{auth,authpriv,cron,daemon,ftp,kern,local0,local1,local2,local3,local4,local5,local6,local7,lpr,mail,news,security,syslog,user,uucp}]
                        log syslog
7.7 rpkic
A large number of commands are available through
- Running "rpkic --help" provides a list of commands and a very brief explanation of each command.
- Running "help" within the rpkic environment gives a list of the available commands.
- Adding a command name at the end (e.g., "help load_asns") will provide a description of the command and its arguments.
Usage:
rpkic [-h] [-c CONFIG] [-i IDENTITY] [--profile PROFILE] [command [arguments]]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        override default location of configuration file
  -i IDENTITY, --identity IDENTITY, --handle IDENTITY
                        set initial entity handle
  --profile PROFILE     enable profiling, saving data to PROFILE

commands:
  select_identity       select an identity handle for use with later commands
  initialize            initialize an RPKI installation. DEPRECATED
  create_identity       create a new resource-holding entity
  initialize_server_bpki
                        initialize server BPKI portion of an RPKI installation
  update_bpki           update BPKI certificates. Assumes an existing RPKI installation
  configure_child       configure a new child of this RPKI entity
  delete_child          delete a child of this RPKI entity
  configure_parent      configure a new parent of this RPKI entity
  delete_parent         delete a parent of this RPKI entity
  configure_root        configure the current resource holding identity as a root
  delete_root           delete local RPKI root as parent of the current entity
  configure_publication_client
                        configure publication server to know about a new client
  delete_publication_client
                        delete a publication client of this RPKI entity
  configure_repository  configure a publication repository for this RPKI entity
  delete_repository     delete a repository of this RPKI entity
  delete_identity       delete the current RPKI identity (rpkid object)
  renew_child           update validity period for one child entity
  renew_all_children    update validity period for all child entities
  load_prefixes         load prefixes into IRDB from CSV file
  show_child_resources  show resources assigned to children
  show_roa_requests     show ROA requests
  show_ghostbuster_requests
                        show Ghostbuster requests
  show_received_resources
                        show resources received by this entity from its parent(s)
  show_published_objects
                        show published objects
  show_bpki             show this entity's BPKI objects
  load_asns             load ASNs into IRDB from CSV file
  load_roa_requests     load ROA requests into IRDB from CSV file
  load_ghostbuster_requests
                        load Ghostbuster requests into IRDB from file
  add_router_certificate_request
                        load router certificate request(s) into IRDB from XML file
  delete_router_certificate_request
                        delete a router certificate request from the IRDB
  show_router_certificate_requests
                        show this entity's router certificate requests
  synchronize           whack daemons to match IRDB
  force_publication     whack rpkid to force (re)publication of everything
  force_reissue         whack rpkid to force reissuance of everything
  up_down_rekey         initiate a "rekey" operation
  up_down_revoke        initiate a "revoke" operation
  revoke_forgotten      initiate a "revoke_forgotten" operation
  clear_all_sql_cms_replay_protection
                        tell rpkid and pubd to clear replay protection
  version               show current software version number
  list_self_handles     list all handles in this rpkid instance
7.8 rpkigui-apache-conf-gen
Usage:
rpkigui-apache-conf-gen [-h] [-v] [--apache-version APACHE_VERSION]
                        [--freebsd | --debian | --ubuntu | --redhat | --macosx | --guess]
                        [-i | -r | -P]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         whistle while you work
  --apache-version APACHE_VERSION
                        Apache version (default 22)
  --freebsd             configure for FreeBSD
  --debian              configure for Debian
  --ubuntu              configure for Ubuntu
  --redhat, --fedora, --centos
                        configure for Redhat/Fedora/CentOS
  --macosx, --darwin    configure for Mac OS X (Darwin)
  --guess               guess which platform configuration to use
  -i, --install         install configuration
  -r, --remove, --deinstall, --uninstall
                        remove configuration
  -P, --purge           remove configuration with extreme prejudice
7.9 rpkigui-check-expire
Usage:
rpkigui-check-expired [ -nV ] [ handle1 handle2... ]

options:
  -h, --help            show this help message and exit
  -V, --version         display script version
  -f ADDRESS, --from=ADDRESS
                        specify the return email address for notifications
  -t DAYS, --expire-time=DAYS
                        specify the number of days in the future to check
  -l LOG_LEVEL, --level=LOG_LEVEL
                        set logging level [default: WARNING]
7.10 rpkigui-import-routes
Usage:
rpkigui-import-routes [options] [PATH]

options:
  -h, --help            show this help message and exit
  -t TYPE, --type=TYPE  specify the input file type (auto, text, mrt)
                        [default: auto]
  -l LOG_LEVEL, --level=LOG_LEVEL
                        set logging level [default: ERROR]
  -u PROG, --bunzip2=PROG
                        specify bunzip2 program to use
  -b PROG, --bgpdump=PROG
                        specify path to bgpdump binary
  -j JITTER, --jitter=JITTER
                        specify upper bound of startup delay, in seconds
                        [default: 0]
  --lockfile=LOCKFILE   set name of lock file; empty string disables locking
                        [default: /tmp/rpkigui-import-routes.lock]
  --timeout=TIMEOUT     specify timeout for download and import, in seconds
                        [default: 5400]
7.11 rpkigui-query-routes
Usage:
rpkigui-query-routes [options] PREFIX

options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
7.12 rpkigui-rcynic
The
The
Usage:
rpkigui-rcynic [options]

options:
  -h, --help            show this help message and exit
  -l LOG_LEVEL, --level=LOG_LEVEL
                        specify the logging level [default: ERROR]
  -f LOGFILE, --file=LOGFILE
                        specify the rcynic XML file to parse
  -r DIR, --root=DIR    specify the chroot directory for the rcynic jail
                        [default: /var/rcynic/data]
8 Certification-Authority Test Tools
The
The test tools are only present in the source tree. Neither is installed
during the
Unlike the configuration files used by the other programs, these test programs read test descriptions written in the YAML serialization language. Each test script describes a hierarchy of RPKI entities, including hosting relationships and resource assignments, in a relatively compact form. The CA test programs use these descriptions to generate a set of configuration files, populate the back-end database, and drive the test.
See http://www.yaml.org/ for more information on YAML. See the test configuration language for details on the content of these YAML files.
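The one property a test hierarchy like this must satisfy before a CA can issue anything is resource containment: every child may only hold ASNs and prefixes its parent holds. The following check is an added example and not part of smoketest or yamltest; it walks a constructed entity tree whose field names (name, asns, prefixes, kids) are assumptions for illustration, not the tools' YAML schema, and reports each child that exceeds its parent.

```python
import ipaddress

# Constructed three-level hierarchy in a hypothetical schema (not the
# smoketest/yamltest format). ISP-B deliberately claims an ASN the RIR
# entity does not hold, so the check below must flag it.
TEST_NET = {
    "name": "RIR", "asns": ["64496-64511"],
    "prefixes": ["192.0.2.0/24", "2001:db8::/32"],
    "kids": [
        {"name": "ISP-A", "asns": ["64496-64500"], "prefixes": ["192.0.2.0/25"],
         "kids": [{"name": "Cust-1", "asns": ["64497"],
                   "prefixes": ["192.0.2.64/26"]}]},
        {"name": "ISP-B", "asns": ["64520"], "prefixes": ["2001:db8::/33"]},
    ],
}

def asn_ranges(specs):
    """Turn 'N' or 'N-M' strings into inclusive (lo, hi) tuples."""
    out = []
    for s in specs:
        lo, _, hi = s.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def asn_covered(child, parent):
    """True if every child range lies inside some parent range."""
    return all(any(plo <= lo and hi <= phi for plo, phi in parent)
               for lo, hi in child)

def prefix_covered(child, parent):
    """True if every child prefix is a subnet of a same-family parent prefix."""
    nets = [ipaddress.ip_network(p) for p in parent]
    for c in child:
        cn = ipaddress.ip_network(c)
        # subnet_of() raises on mixed IPv4/IPv6, so filter by family first
        if not any(cn.subnet_of(n) for n in nets if n.version == cn.version):
            return False
    return True

def find_violations(entity, path=()):
    """Return [(child path, 'ASN'|'prefix')] for every over-claiming child."""
    bad = []
    for kid in entity.get("kids", []):
        here = "/".join(path + (entity["name"], kid["name"]))
        if not asn_covered(asn_ranges(kid.get("asns", [])),
                           asn_ranges(entity.get("asns", []))):
            bad.append((here, "ASN"))
        if not prefix_covered(kid.get("prefixes", []), entity.get("prefixes", [])):
            bad.append((here, "prefix"))
        bad.extend(find_violations(kid, path + (entity["name"],)))
    return bad
```

Running find_violations(TEST_NET) reports only ISP-B's ASN claim; the prefix assignments, including the IPv6 one, all nest correctly.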
Certification-Authority Test Tools:
8.1 smoketest
The YAML test description defines the test configuration for
Usage:
smoketest [-h] [-c CONFIG] [--profile] [-y] yaml_file

positional arguments:
  yaml_file             YAML description of test network

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        configuration file for various implementation-specific
                        items
  --profile             enable profiling
  -y                    ignored; present only for backwards compatability
8.2 yamltest
At present,
Running
Usage:
yamltest [-h] [-c CONFIG] [-f] [-k] [-p PIDFILE] [--skip_config]
         [--stop_after_config] [--synchronize] [--profile]
         [--store-router-private-keys] yaml_file

positional arguments:
  yaml_file             YAML description of test network

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        configuration file
  -f, --flat_publication
                        disable hierarchical publication
  -k, --keep_going      keep going until all subprocesses exit
  -p PIDFILE, --pidfile PIDFILE
                        save pid to this file
  --skip_config         skip over configuration phase
  --stop_after_config   stop after configuration phase
  --synchronize         synchronize IRDB with daemons
  --profile             enable profiling
  --store-router-private-keys
                        write generate router private keys to disk
Sections of this document are derived or taken verbatim from Dragon Research Lab's RPKI Tools Manual.
Copyright (c) 2015, Parsons, Inc
All rights reserved