Table of Contents
1 Introduction
In the RPKI system, a Relying Party retrieves RPKI objects from repositories, validates those objects, and uses the validation results as input to provide BGP security.
The
- Section 2 Relying-Party Tools - Primary tools required for a Relying Party.
- Section 3 rcynic Support Programs - Programs that post-process data collected by the Relying-Party tools.
- Section 4 RPKI Utility Programs - Tools to assist in monitoring and maintaining the Relying-Party system.
- Section 5 Parsons Utility Programs - Additional tools to assist in monitoring and maintaining the Relying-Party system. The tools described in this section are provided by Parsons, Inc., and are not part of the rpki.net software distribution.
- Section 6 Certification-Authority Daemons - Daemons that provide the Certification-Authority functionality.
- Section 7 Certification-Authority Utilities - Tools to assist in monitoring and maintaining the Certification-Authority system.
- Section 8 Certification-Authority Test Tools - Tools to test the Certification-Authority system.
This document is prepared under Contract Number HSHQDC-14-C-B0035 for DHS S&T CSD
2 Relying-Party Tools
Relying-Party tools:
2.1 rcynic
The default
Usage:
rcynic [options]
Where options are:
-a ARG --authenticated ARG root of authenticated data tree
-c ARG --config ARG override default name of config file
-h --help print this help message
-j ARG --jitter ARG set jitter value
-l ARG --log-level ARG set log level
-u ARG --unauthenticated ARG root of unauthenticated data tree
-e --use-stderr log to stderr
-s --use-syslog log to syslog
-V --version print program version
-x ARG --xml-file ARG set XML output file location
Most of
Most configuration parameters are optional and reasonable defaults are used.
If
The Step-By-Step Configuration File
Reference has a complete description of the
Data and Files
By default,
- directory of unauthenticated data
  This directory contains raw data fetched by rsync. In order to take full advantage of rsync's optimized transfers, this directory should be preserved and reused across rcynic runs. This prevents rcynic from having to re-fetch data that have not changed. The actual directory is named by the unauthenticated field in the rcynic.conf file.
- directory of authenticated data
  This directory contains data which rcynic has validated. This is the real output of the validation process. The name of the authenticated directory is really a symbolic link to a directory with a name of the form "authenticated.<timestamp>", where <timestamp> is an ISO-8601 timestamp like 2001-04-01T01:23:45Z. rcynic creates a new timestamped directory every time it runs, and changes the symbolic link as an atomic operation when the validation process completes. The intent is that the symbolic link of the authenticated directory always points to the most recent usable validation results, so that programs which use rcynic's output don't need to worry about whether an rcynic run is in progress. The actual directory is named by the authenticated field in the rcynic.conf file.
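The timestamped-directory-plus-symlink scheme described above, as an added Python example that is not code from rcynic or the rpki.net distribution: it names a tree the way the text describes, replaces the authenticated link with a rename (atomic on POSIX), and shows how a consumer of the output should resolve the link once so it reads one consistent tree even if a run completes while it is working. The scratch link name .authenticated.tmp, the demo directory and the two run timestamps are assumptions of this example.

```python
import os
import tempfile
from datetime import datetime, timezone

# Scratch link name used for the atomic swap; an assumption of this example,
# not a name rcynic itself uses.
TMP_LINK = ".authenticated.tmp"


def new_tree_name(when=None):
    """Build an 'authenticated.<timestamp>' name with the ISO-8601 form the
    text describes (e.g. authenticated.2001-04-01T01:23:45Z)."""
    if when is None:
        when = datetime.now(timezone.utc)
    return "authenticated." + when.strftime("%Y-%m-%dT%H:%M:%SZ")


def publish_authenticated(base_dir, tree_name):
    """Point base_dir/authenticated at base_dir/tree_name atomically.

    A temporary symlink is created and then renamed over the live link.
    rename(2) replaces the link in a single step, so a reader never sees a
    missing or half-updated 'authenticated' link: it sees either the old
    tree or the new one. The link target is relative, so the data directory
    can be moved or mounted elsewhere without breaking it.
    """
    tree_path = os.path.join(base_dir, tree_name)
    if not os.path.isdir(tree_path):
        raise FileNotFoundError("validated tree does not exist: " + tree_path)
    tmp = os.path.join(base_dir, TMP_LINK)
    if os.path.lexists(tmp):           # leftover from an interrupted swap
        os.unlink(tmp)
    os.symlink(tree_name, tmp)
    os.rename(tmp, os.path.join(base_dir, "authenticated"))
    return current_tree(base_dir)


def current_tree(base_dir):
    """Name of the tree the 'authenticated' link points at now, or None."""
    link = os.path.join(base_dir, "authenticated")
    return os.readlink(link) if os.path.islink(link) else None


def open_tree(base_dir):
    """What a consumer of rcynic output should do: resolve the link once and
    keep using that real path, so a swap during a long read (for example by
    rpki-rtr cronjob or rcynic-html) cannot mix objects from two runs."""
    return os.path.realpath(os.path.join(base_dir, "authenticated"))


def stale_trees(base_dir):
    """Timestamped trees that are no longer the live one (cleanup candidates
    once every consumer has finished with them)."""
    live = current_tree(base_dir)
    return sorted(
        name for name in os.listdir(base_dir)
        if name.startswith("authenticated.")
        and name != live
        and os.path.isdir(os.path.join(base_dir, name))
    )


def demo():
    """Simulate two rcynic runs in a scratch directory (constructed data)."""
    base = tempfile.mkdtemp(prefix="rcynic-demo-")
    first = new_tree_name(datetime(2001, 4, 1, 1, 23, 45, tzinfo=timezone.utc))
    second = new_tree_name(datetime(2001, 4, 1, 2, 0, 0, tzinfo=timezone.utc))
    os.mkdir(os.path.join(base, first))
    publish_authenticated(base, first)
    reader_path = open_tree(base)          # a consumer starts reading here
    os.mkdir(os.path.join(base, second))
    publish_authenticated(base, second)    # a new run completes mid-read
    return {
        "first": first,
        "second": second,
        "live": current_tree(base),
        "reader_still_on": os.path.basename(reader_path),
        "stale": stale_trees(base),
    }


if __name__ == "__main__":
    print(demo())
```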
In order for
Trust anchors cannot be confused with certificates. Trust anchors are always
placed in the top level of the tree, while data fetched via
Trust anchors and trust anchor locators taken from the directory named by
the
2.2 rpki-rtr
The software referred to as
In addition, a listener for the
The transfer protocol implemented by
Usage:
rpki-rtr [-h] [--debug]
[--log-level {debug,info,warning,error,critical}]
[--log-to {syslog,stderr}]
<command-specific options>
<command>
<command-specific arguments>
optional arguments:
-h, --help show this help message and exit
--debug debugging mode
--log-level {debug,info,warning,error,critical}
--log-to {syslog,stderr}
Commands:
server RPKI-RTR protocol server
listener TCP listener for RPKI-RTR protocol server
client Test client for RPKI-RTR protocol
cronjob Generate RPKI-RTR database from rcynic output
show Display content of RPKI-RTR database
The subcommands for
2.2.1 rpki-rtr client
This subcommand invokes a test client, which is primarily used for debugging.
Usage:
rpki-rtr client [-h] [--sql-database SQL_DATABASE]
[--force-version {0,1}] [--reset-session]
{loopback,tcp,ssh,tls} [host] [port]
positional arguments:
{loopback,tcp,ssh,tls}
connection protocol
host server host
port server port
optional arguments:
-h, --help show this help message and exit
--sql-database SQL_DATABASE
filename for sqlite3 database of client state
--force-version {0,1}
force specific protocol version
--reset-session reset any existing session found in sqlite3 database
2.2.2 rpki-rtr cronjob
This subcommand is run after executing
Usage:
rpki-rtr cronjob [-h] [--scan-roas SCAN_ROAS]
[--scan-routercerts SCAN_ROUTERCERTS]
[--force_zero_nonce]
rcynic_dir [rpki_rtr_dir]
positional arguments:
rcynic_dir directory containing validated rcynic output tree
rpki_rtr_dir directory containing RPKI-RTR database
optional arguments:
-h, --help show this help message and exit
--scan-roas SCAN_ROAS
specify an external scan_roas program
--scan-routercerts SCAN_ROUTERCERTS
specify an external scan_routercerts program
--force_zero_nonce force nonce value of zero
2.2.3 rpki-rtr listener
This subcommand provides an insecure TCP listener for the
Usage:
rpki-rtr listener [-h] [--refresh REFRESH] [--retry RETRY]
[--expire EXPIRE]
port [rpki_rtr_dir]
positional arguments:
port TCP port on which to listen
rpki_rtr_dir directory containing RPKI-RTR database
optional arguments:
-h, --help show this help message and exit
--refresh REFRESH override default refresh timer
--retry RETRY override default retry timer
--expire EXPIRE override default expire timer
In theory, RPKI will migrate to using TCP-AO in the future. When this happens, this listener functionality will either go away or become a TCP-AO listener.
2.2.4 rpki-rtr server
This subcommand provides the server side of the
Usage:
rpki-rtr server [-h] [--refresh REFRESH] [--retry RETRY]
[--expire EXPIRE]
[rpki_rtr_dir]
positional arguments:
rpki_rtr_dir directory containing RPKI-RTR database
optional arguments:
-h, --help show this help message and exit
--refresh REFRESH override default refresh timer
--retry RETRY override default retry timer
--expire EXPIRE override default expire timer
2.2.5 rpki-rtr show
This subcommand displays the current
Usage:
rpki-rtr show [-h] [rpki_rtr_dir]
positional arguments:
rpki_rtr_dir directory containing RPKI-RTR database
optional arguments:
-h, --help show this help message and exit
2.3 rcynic-cron
rcynic rpki-rtr cronjob rpkigui-rcynic rcynic-html
$ rcynic-cron [--chroot]
--chroot
run chrooted; only usable by root
If the
The
The
If
{autoconf.bindir}/rcynic -c {autoconf.sysconfdir}/rcynic.conf
The
{autoconf.bindir}/rpki-rtr cronjob \
{autoconf.RCYNIC_DIR}/data/authenticated \
{autoconf.RCYNIC_DIR}/rpki-rtr
The
{autoconf.bindir}/rpkigui-rcynic
The
{autoconf.bindir}/rcynic-html \
{autoconf.RCYNIC_DIR}/data/rcynic.xml \
{autoconf.RCYNIC_HTML_DIR}
This command is intended to be executed by
3 rcynic Support Programs
Utility Programs:
3.1 make-tal.sh
The
To create a TAL-format Trust Anchor Locator, use the
$top/rp/rcynic/make-tal.sh rsync://example.org/rpki/root/root.cer root.cer
The first argument must be an
Like any certificate, the
3.2 rcynic-html
Generally, you will not need to run
If for some reason you do need to run
$ rcynic-html rcynic.xml /web/server/directory/
$ rcynic-html --rrdtoolbinary /somewhere/rrdtool rcynic.xml /web/server/directory/
The second way involved changing the
3.3 rcynic-svn
To use
$ svnadmin create /somewhere/safe/rpki-archive
$ svn co file:///somewhere/safe/rpki-archive /somewhere/else/rpki-archive
These commands create the repository
Once the repository and working directory are set up, you need to arrange
for
Usage:
$ rcynic-svn --lockfile /var/rcynic/data/lock \
/var/rcynic/data/authenticated \
/var/rcynic/data/unauthenticated \
/var/rcynic/data/rcynic.xml \
/somewhere/else/rpki-archive
This execution assumes that
The last argument is the name of the Subversion working directory in which
the results will be archived. The other arguments are the names of those
portions of
3.4 rcynic-text
Usage:
$ rcynic-text rcynic.xml
3.5 rcynic.xsl
If for some reason XSLT works better in your environment than Python, you
might find this stylesheet to be a useful starting point. Be warned that
3.6 validation_status
Usage:
$ validation_status rcynic.xml
$ validation_status rcynic.xml | fgrep rpki.misbehaving.org
$ validation_status rcynic.xml | fgrep object_rejected
4 RPKI Utility Programs
The
Unless otherwise specified, all of these tools expect RPKI objects (certificates, CRLs, CMS signed objects) to be in DER format.
Several of these tools accept an
Utility Programs:
4.1 find_roa
Usage:
$ find_roa [-h | --help] [-a | --all]
[-m | --match-maxlength ] [-f | --show-filenames]
[-i | --show-inception] [-e | --show-expiration]
authtree [prefix...]
Where options are:
-h --help
Show help
-a --all
Show all ROAs, do no prefix matching at all
-e --show-expiration
Show ROA chain expiration dates
-f --show-filenames
Show filenames instead of URIs
-i --show-inception
Show inception dates
-m --match-maxlength
Pay attention to maxlength values
authtree
rcynic-authenticated output tree
prefix
ROA prefix(es) on which to match
4.2 hashdir
Usage:
$ hashdir [-h | --help] [-v | --verbose] rcynic_directory output_directory
Where options are:
-h --help
Show help
-v --verbose
Whistle while you work
rcynic_directory
rcynic-authenticated output tree
output_directory
Output directory to create
4.3 print_roa
Usage:
$ print_roa [-h | --help] [-b | --brief] [-c | --cms] [-s | --signing-time]
ROA [ROA...]
Where options are:
-h --help
Show help
-b --brief
Brief mode (only show ASN and prefix)
-c --cms
Print text representation of entire CMS blob
-s --signing-time
Show CMS signingTime
ROA
ROA object(s) to print
4.4 print_rpki_manifest
Usage:
$ print_rpki_manifest [-h | --help] [-c | --cms] manifest [manifest...]
Where options are:
-h --help
Show help
-c --cms
Print text representation of entire CMS blob
manifest
Manifest(s) to print
4.5 scan_roas
Other programs, such as the
Usage:
$ scan_roas [-h | --help] rcynic_directory [rcynic_directory...]
Where options are:
-h --help
Show help
rcynic_directory
rcynic-authenticated output tree
4.6 scan_routercerts
Other programs such as the
Usage:
$ scan_routercerts [-h | --help] rcynic_directory [rcynic_directory...]
Where options are:
-h --help
Show help
rcynic_directory
rcynic-authenticated output tree
4.7 uri
Usage:
$ uri [-h | --help] [-s | --single-line] cert [cert...]
Where options are:
-h --help
Show help
-s --single-line
Single output line per input file
cert
Object(s) to examine
5 Parsons Utility Programs
Parsons, Inc., provides a number of utility programs for use with the
Utility Programs:
- map_whois - enables one to discover network resources in ARIN's whois database that could belong to an organization.
- rcynicchk - validates the contents of an rcynic.conf file
- rpkichk - validates the contents of an rpki.conf file
- rsyncdchk - validates the contents of an rsyncd.conf file
5.1 map_whois
The
See the MapResources User's Guide for more information and examples of use.
Usage:
map_whois [-h] [-v] [-a ASN] [-p POC] [-o ORG] [-n NET] [-c CIDR]
[-i IP] [-u URL] [-t THRESHOLD] [-l] [-s] [-f {png,svg}] [-R RVDB]
[-L RESOURCELIST] [-j JSONFILE] [-g GRAPHFILE] [-r REPORTFILE]
[-X | -H | -D DBSTORE]
optional arguments:
-h, --help
show this help message and exit
-v, --verbose
increase output verbosity
-a ASN, --asn ASN
Start from the given ASN handle
-p POC, --poc POC
Start from the given POC handle
-o ORG, --org ORG
Start from the given Org handle
-n NET, --net NET
Start from the given Net handle
-c CIDR, --cidr CIDR
Start from the given CIDR block
-i IP, --ip IP
Start from the given IP address
-u URL, --url URL
Start from the given domain
-t THRESHOLD, --threshold THRESHOLD
Maximum number of dependencies to follow
-l, --longform
Display detailed information
-s, --showgraph
Display the graph
-f {png,svg}, --format {png,svg}
Graphviz file format to use
-R RVDB, --rvdb RVDB
Check against given Route Views Database file
-L RESOURCELIST, --resourcelist RESOURCELIST
Extract resource handles from the given file. Each line
of the file should be formatted as :, where
the different supported types are 'asn', 'poc', 'org',
'net', 'cidr', 'ip' and 'url'.
-j JSONFILE, --jsonfile JSONFILE
Output resource information in json format
-g GRAPHFILE, --graphfile GRAPHFILE
Output graph image
-r REPORTFILE, --reportfile REPORTFILE
Output report
-X, --nostore
Do not use any data store
-H, --hashstore
Use an indexed hash store
-D DBSTORE, --dbstore DBSTORE
Use a DB store and issue queries if needed
5.2 rcynicchk
Some fields are not able to be fully validated. For example, the
The default configuration file is
Basic checks are rudimentary checks of the configuration values in an
Recommended-value checks ensure that certain fields in an
In addition to validating the contents of an
Usage:
$ rcynicchk [options]
Where [options] are:
-config conffile specify configuration file to validate
-list only list configuration-section information
-basic only run basic checks
-recval only run recommended-value checks
-problems only show problems found
-summary give summary of checks only
-table provide results in tabular form
-verbose give verbose output
-Version show version and exit
-help show usage message and exit
-manpage show the manual page and exit
See Validation Checks for rcynic.conf Files
for more details on the various validation checks performed by
5.3 rpkichk
The default configuration file is
Basic checks are rudimentary checks of the configuration values in an
Cross-checks ensure that an
Recommended-value checks ensure that certain fields in an
In addition to validating the contents of an
Usage:
$ rpkichk [options]
Where [options] are:
-config conffile
specify configuration file to validate
-list
list configuration-section information
-names
list configuration-section names;
must be used in conjunction with -list
-untranslate
display untranslated values from the configuration file
must be used in conjunction with -list
-section section-name
specify section to examine;
must be used in conjunction with -list
-basic
only run basic checks
-cross
only run cross-checks
-recval
only run recommended-value checks
-problems
only show problems found
-summary
give summary of checks only
-table
provide results in tabular form
-noautoconf
don't check the autoconf section
-noirdbd
don't check the irdbd section
-nomyrpki
don't check the myrpki section
-nopubd
don't check the pubd section
-norootd
don't check the rootd section
-norpkid
don't check the rpkid section
-noweb_portal
don't check the web_portal section
-verbose
give verbose output
-Version
show version and exit
-help
show usage message and exit
-manpage
show the manual page and exit
See Validation Checks for rpki.conf Files
for more details on the various validation checks performed by
5.4 rsyncdchk
The default configuration file is
In addition to validating the contents of an
Usage:
rsyncdchk [options]
Where options may be:
-config conffile specify configuration file to validate
-list list configuration-section information
-names list configuration-section names;
must be used in conjunction with -list
-section section-name specify section to examine;
must be used in conjunction with -list
-basic only run basic checks
-problems only show problems found
-summary give summary of checks only
-table provide results in tabular form
-norpki don't check the rpki section
-noroot don't check the root section
-verbose give verbose output
-Version show version and exit
-help show usage message and exit
-manpage show the manual page and exit
See Validation Checks for rsyncd.conf Files
for more details on the various validation checks performed by
6 Certification-Authority Daemons
The
Certification-Authority Daemons:
6.1 irdbd
In production, this service acts as a function of the IRBE stub.
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Since
Usage:
irdbd [-h] [-c CONFIG] [-f] [--pidfile PIDFILE] [--profile PROFILE]
[--log-level {debug,info,warning,error,critical}]
[--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,
local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}] |
--log-stderr | --log-stdout | --log-file LOG_FILE |
--log-rotating-file FILENAME KBYTES COUNT |
--log-timed-rotating-file FILENAME HOURS COUNT]
Where the options are:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
-f, --foreground do not daemonize
--pidfile PIDFILE override default location of pid file
--profile PROFILE enable profiling, saving data to PROFILE
--log-level {debug,info,warning,error,critical}
how verbosely to log
--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,
local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}]
send logging to syslog
--log-stderr send logging to standard error
--log-stdout send logging to standard output
--log-file LOG_FILE send logging to a file, reopening if rotated away
--log-rotating-file FILENAME KBYTES COUNT
send logging to rotating file
--log-timed-rotating-file FILENAME HOURS COUNT
send logging to timed rotating file
The
6.2 pubd
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
pubd [-h] [-c CONFIG] [-f] [--pidfile PIDFILE] [--profile PROFILE]
[--log-level {debug,info,warning,error,critical}]
[--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,
local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}] |
--log-stderr |
--log-stdout |
--log-file LOG_FILE |
--log-rotating-file FILENAME KBYTES COUNT |
--log-timed-rotating-file FILENAME HOURS COUNT]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
-f, --foreground do not daemonize
--pidfile PIDFILE override default location of pid file
--profile PROFILE enable profiling, saving data to PROFILE
--log-level {debug,info,warning,error,critical}
how verbosely to log
--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}]
send logging to syslog
--log-stderr send logging to standard error
--log-stdout send logging to standard output
--log-file LOG_FILE send logging to a file, reopening if rotated away
--log-rotating-file FILENAME KBYTES COUNT
send logging to rotating file
--log-timed-rotating-file FILENAME HOURS COUNT
send logging to timed rotating file
The publication functionality could be combined with the main RPKI engine.
This would result in
- The hosting model allows installations which choose to run their own copies of rpkid to publish their output under a common publication point. In general, encouraging shared publication services where practical is beneficial for Relying Parties, as it will speed up rcynic synchronization time.
- The publication server has to run on (or close to) the publication point itself. This means it must be on a publicly reachable server to be useful. rpkid, on the other hand, need only be reachable by the IRBE and its children in the RPKI tree. rpkid is a much more complex publication server, so in some situations it might be preferable to wrap tighter firewall constraints around rpkid than would be practical for a combined rpkid/pubd daemon.
6.3 rootd
The root certificate of an RPKI certificate tree requires special handling and may also require a special handling policy.
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rootd [-h] [-c CONFIG] [-f] [--pidfile PIDFILE]
[--log-level {debug,info,warning,error,critical}]
[--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,
local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}] |
--log-stderr |
--log-stdout |
--log-file LOG_FILE |
--log-rotating-file FILENAME KBYTES COUNT |
--log-timed-rotating-file FILENAME HOURS COUNT]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
-f, --foreground do not daemonize
--pidfile PIDFILE override default location of pid file
--log-level {debug,info,warning,error,critical}
how verbosely to log
--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}]
send logging to syslog
--log-stderr send logging to standard error
--log-stdout send logging to standard output
--log-file LOG_FILE send logging to a file, reopening if rotated away
--log-rotating-file FILENAME KBYTES COUNT
send logging to rotating file
--log-timed-rotating-file FILENAME HOURS COUNT
send logging to timed rotating file
6.4 rpkid
Configuration of
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpkid [-h] [-c CONFIG] [-f] [--pidfile PIDFILE] [--profile PROFILE]
[--log-level {debug,info,warning,error,critical}]
[--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,
local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}] |
--log-stderr | --log-stdout | --log-file LOG_FILE |
--log-rotating-file FILENAME KBYTES COUNT |
--log-timed-rotating-file FILENAME HOURS COUNT]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
-f, --foreground do not daemonize
--pidfile PIDFILE override default location of pid file
--profile PROFILE enable profiling, saving data to PROFILE
--log-level {debug,info,warning,error,critical}
how verbosely to log
--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4, local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}]
send logging to syslog
--log-stderr send logging to standard error
--log-stdout send logging to standard output
--log-file LOG_FILE send logging to a file, reopening if rotated away
--log-rotating-file FILENAME KBYTES COUNT
send logging to rotating file
--log-timed-rotating-file FILENAME HOURS COUNT
send logging to timed rotating file
7 Certification-Authority Utilities
The
Certification-Authority Utilities:
- 7.1 irbe_cli
- 7.2 rpki-confgen
- 7.3 rpki-manage
- 7.4 rpki-sql-backup
- 7.5 rpki-sql-setup
- 7.6 rpki-start-servers
- 7.7 rpkigui-apache-conf-gen
- 7.8 rpkigui-check-expired
- 7.9 rpkigui-import-routes
- 7.10 rpkigui-rcynic
- 7.11 rpkic
- 7.12 rpkigui-query-routes
7.1 irbe_cli
Usage:
irbe_cli [top-level options] [command-options]
# Top-level options:
--config= --help --pem_out= --quiet --verbose
rpkid commands:
parent --action= --tag= --self_handle= --parent_handle= --bsc_handle=
--repository_handle= --peer_contact_uri= --sia_base=
--sender_name= --recipient_name= --bpki_cms_cert= --bpki_cms_glue=
--rekey --reissue --revoke --revoke_forgotten
--clear_replay_protection
repository --action= --tag= --self_handle= --repository_handle=
--bsc_handle= --peer_contact_uri= --bpki_cert= --bpki_glue=
--clear_replay_protection
self --action= --tag= --self_handle= --crl_interval= --regen_margin=
--bpki_cert= --bpki_glue= --rekey --reissue --revoke --run_now
--publish_world_now --revoke_forgotten --clear_replay_protection
list_received_resources --self_handle= --tag=
child --action= --tag= --self_handle= --child_handle= --bsc_handle=
--bpki_cert= --bpki_glue= --reissue --clear_replay_protection
list_published_objects --self_handle= --tag= --child_handle=
bsc --action= --tag= --self_handle= --bsc_handle= --key_type=
--hash_alg= --key_length= --signing_cert= --signing_cert_crl=
--generate_keypair
pubd commands:
ghostbuster --action= --tag= --client_handle= --uri=
certificate --action= --tag= --client_handle= --uri=
roa --action= --tag= --client_handle= --uri=
manifest --action= --tag= --client_handle= --uri=
client --action= --tag= --client_handle= --base_uri= --bpki_cert=
--bpki_glue= --clear_replay_protection
config --action= --tag= --bpki_crl=
crl --action= --tag= --client_handle= --uri=
7.2 rpki-confgen
The
The
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpki-confgen [-h] --read-xml FILE
[--write-xml FILE] [--write-wiki FILE] [--write-conf FILE]
[--set VARVAL] [--pwgen VAR] [--toc TRACNAV] [--autoconf]
optional arguments:
-h, --help show this help message and exit
--read-xml FILE XML input file defining sections and options
--write-xml FILE XML file to write
--write-wiki FILE TracWiki file to write
--write-conf FILE rpki.conf configuration file to write
--set VARVAL variable setting in form "VAR=VAL"
--pwgen VAR set variable to generated password
--toc TRACNAV set TOC value to use with TracNav plugin
--autoconf configure [autoconf] section
7.3 rpki-manage
A large number of commands are available through
- Running "rpki-manage help" provides a list of available commands. The command list is divided into five sections.
- Running "rpki-manage help <command>" (e.g., "rpki-manage help diffsettings") will provide a description of the command and its arguments.
Usage:
rpki-manage command [options] [args]
Options:
-v VERBOSITY, --verbosity=VERBOSITY
Verbosity level; 0=minimal output, 1=normal output,
2=verbose output, 3=very verbose output
--settings=SETTINGS The Python path to a settings module, e.g.
"myproject.settings.main". If this isn't provided,
the DJANGO_SETTINGS_MODULE environment variable
will be used.
--pythonpath=PYTHONPATH
A directory to add to the Python path, e.g.
"/home/djangoprojects/myproject".
--traceback Raise on exception
--version show program's version number and exit
-h, --help show this help message and exit
commands:
[auth]
changepassword change a user's password for django.contrib.auth
createsuperuser used to create a superuser
[django]
check checks configuration's compatibility with this version of Django
cleanup clean out expired sessions (only with the database back-end at the moment)
compilemessages compiles .po files to .mo files for use with built-in gettext support
createcachetable creates the table needed to use the SQL cache backend
dbshell runs the command-line client for a database
diffsettings displays differences between the current settings.py and Django's default settings
dumpdata output contents of the database as a fixture of the given format
flush returns database to the state it was in immediately after syncdb was executed
inspectdb introspects database tables in the given database and outputs a Django model module
loaddata installs the named fixture(s) in the database
makemessages runs over a source tree of the current directory to find strings for translation
runfcgi run project as a fastcgi application
shell runs a Python interactive interpreter.
sql prints the CREATE TABLE SQL statements for the given app name(s)
sqlall prints the CREATE TABLE, custom SQL, and CREATE INDEX SQL statements for the given model module name(s)
sqlclear prints the DROP TABLE SQL statements for the given app name(s)
sqlcustom prints the custom table modifying SQL statements for the given app name(s)
sqldropindexes prints the DROP INDEX SQL statements for the given model module name(s)
sqlflush returns a list of the SQL statements required to return all tables in the database to the state they were in just after they were installed
sqlindexes prints the CREATE INDEX SQL statements for the given model module name(s)
sqlinitialdata renamed: see 'sqlcustom'
sqlsequencereset prints the SQL statements for resetting sequences for the given app name(s)
startapp creates a Django app directory structure for the given app name
startproject creates a Django project directory structure for the given project name
validate validates all installed models
[sessions]
clearsessions clean out expired sessions (only with the database back-end at the moment)
[south]
convert_to_south converts named application to use South
datamigration creates a new template data migration for the given app
graphmigrations outputs a GraphViz dot file of all migration dependencies
migrate runs migrations for all apps
migrationcheck runs migrations for each app in turn, detecting missing depends_on values
schemamigration creates a new template schema migration for the given app
startmigration deprecated command
syncdb create database tables for all apps in INSTALLED_APPS whose tables haven't already been created
test discover and run tests in the specified modules or the current directory
testserver runs a development server with data from the given fixture(s)
[staticfiles]
collectstatic collect static files in a single location
findstatic finds the absolute paths for the given static file(s)
runserver starts a light-weight Web server for development and also serves static files
7.4 rpki-sql-backup
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpki-sql-backup [-h] [-c CONFIG] [-o OUTPUT]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
-o OUTPUT, --output OUTPUT
destination for SQL dump (default: stdout)
7.5 rpki-sql-setup
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
rpki-sql-setup [-h] [-c CONFIG] [-v] [--mysql-defaults MYSQL_DEFAULTS]
[--upgrade-scripts UPGRADE_SCRIPTS]
[--create | --drop | --script-drop |
--drop-and-create | --fix-grants |
--create-if-missing | --apply-upgrades]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
specify alternate location for rpki.conf
-v, --verbose whistle while you work
--mysql-defaults MYSQL_DEFAULTS
specify MySQL root access credentials via a
configuration file
--upgrade-scripts UPGRADE_SCRIPTS
override default location of upgrade scripts
--create create databases and load schemas
--drop drop databases
--script-drop send SQL commands to drop databases to standard
output
--drop-and-create drop databases then recreate them and load
schemas
--fix-grants whack database access to match current
configuration file
--create-if-missing create databases and load schemas if they don't
exist already
--apply-upgrades apply upgrade scripts to existing databases
7.6 rpki-start-servers
This command starts the required CA daemons. It uses the
By default,
The Step-By-Step Configuration File
Reference has a complete description of the
Usage:
usage: rpki-start-servers [-h] [-c CONFIG] [--log-directory LOG_DIRECTORY]
[--log-backup-count LOG_BACKUP_COUNT]
[--log-level {debug,info,warning,error,critical}]
[--log-file |
--log-rotating-file-kbytes LOG_ROTATING_FILE_KBYTES |
--log-rotating-file-hours LOG_ROTATING_FILE_HOURS |
--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}]]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
--log-directory LOG_DIRECTORY
where to write log files when not using syslog
--log-backup-count LOG_BACKUP_COUNT
keep this many old log files when rotating
--log-level {debug,info,warning,error,critical}
how verbosely to log
--log-file log to files, reopening if rotated away
--log-rotating-file-kbytes LOG_ROTATING_FILE_KBYTES
log to files, rotating after this many kbytes
--log-rotating-file-hours LOG_ROTATING_FILE_HOURS
log to files, rotating after this many hours
--log-syslog [{auth,authpriv,cron,daemon,ftp,kern,
local0,local1,local2,local3,local4,local5,local6,local7,
lpr,mail,news,security,syslog,user,uucp}]
log syslog
7.7 rpkic
A large number of commands are available through
- Running "rpkic --help" provides a list of commands and a very brief explanation of each command.
- Running "help" within the rpkic environment gives a list of the available commands.
- Adding a command name at the end (e.g., "help load_asns") will provide a description of the command and its arguments.
Usage:
rpkic [-h] [-c CONFIG] [-i IDENTITY] [--profile PROFILE] [command [arguments]]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
override default location of configuration file
-i IDENTITY, --identity IDENTITY, --handle IDENTITY
set initial entity handle
--profile PROFILE enable profiling, saving data to PROFILE
commands:
select_identity select an identity handle for use with later commands
initialize initialize an RPKI installation. DEPRECATED
create_identity create a new resource-holding entity
initialize_server_bpki
initialize server BPKI portion of an RPKI
installation
update_bpki update BPKI certificates. Assumes an existing RPKI
installation
configure_child configure a new child of this RPKI entity
delete_child delete a child of this RPKI entity
configure_parent configure a new parent of this RPKI entity
delete_parent delete a parent of this RPKI entity
configure_root configure the current resource holding identity as a
root
delete_root delete local RPKI root as parent of the current
entity
configure_publication_client
configure publication server to know about a new
client
delete_publication_client
delete a publication client of this RPKI entity
configure_repository
configure a publication repository for this RPKI
entity
delete_repository delete a repository of this RPKI entity
delete_identity delete the current RPKI identity (rpkid
object)
renew_child update validity period for one child entity
renew_all_children update validity period for all child entities
load_prefixes load prefixes into IRDB from CSV file
show_child_resources
show resources assigned to children
show_roa_requests show ROA requests
show_ghostbuster_requests
show Ghostbuster requests
show_received_resources
show resources received by this entity from its
parent(s)
show_published_objects
show published objects
show_bpki show this entity's BPKI objects
load_asns load ASNs into IRDB from CSV file
load_roa_requests load ROA requests into IRDB from CSV file
load_ghostbuster_requests
load Ghostbuster requests into IRDB from file
add_router_certificate_request
load router certificate request(s) into IRDB from
XML file
delete_router_certificate_request
delete a router certificate request from the IRDB
show_router_certificate_requests
show this entity's router certificate requests
synchronize whack daemons to match IRDB
force_publication whack rpkid to force (re)publication of everything
force_reissue whack rpkid to force reissuance of everything
up_down_rekey initiate a "rekey" operation
up_down_revoke initiate a "revoke" operation
revoke_forgotten initiate a "revoke_forgotten" operation
clear_all_sql_cms_replay_protection
tell rpkid and pubd to clear replay protection
version show current software version number
list_self_handles list all handles in this rpkid instance
7.8 rpkigui-apache-conf-gen
Usage:
rpkigui-apache-conf-gen [-h] [-v] [--apache-version APACHE_VERSION]
[--freebsd | --debian | --ubuntu | --redhat | --macosx | --guess]
[-i | -r | -P]
optional arguments:
-h, --help show this help message and exit
-v, --verbose whistle while you work
--apache-version APACHE_VERSION
Apache version (default 22)
--freebsd configure for FreeBSD
--debian configure for Debian
--ubuntu configure for Ubuntu
--redhat, --fedora, --centos
configure for Redhat/Fedora/CentOS
--macosx, --darwin configure for Mac OS X (Darwin)
--guess guess which platform configuration to use
-i, --install install configuration
-r, --remove, --deinstall, --uninstall
remove configuration
-P, --purge remove configuration with extreme prejudice
7.9 rpkigui-check-expire
Usage:
rpkigui-check-expired [ -nV ] [ handle1 handle2... ]
options:
-h, --help show this help message and exit
-V, --version display script version
-f ADDRESS, --from=ADDRESS
specify the return email address for notifications
-t DAYS, --expire-time=DAYS
specify the number of days in the future to check
-l LOG_LEVEL, --level=LOG_LEVEL
set logging level
[default: WARNING]
7.10 rpkigui-import-routes
Usage:
rpkigui-import-routes [options] [PATH]
options:
-h, --help show this help message and exit
-t TYPE, --type=TYPE specify the input file type (auto, text, mrt)
[default: auto]
-l LOG_LEVEL, --level=LOG_LEVEL
set logging level
[default: ERROR]
-u PROG, --bunzip2=PROG
specify bunzip2 program to use
-b PROG, --bgpdump=PROG
specify path to bgpdump binary
-j JITTER, --jitter=JITTER
specify upper bound of startup delay, in seconds
[default: 0]
--lockfile=LOCKFILE set name of lock file; empty string disables locking
[default: /tmp/rpkigui-import-routes.lock]
--timeout=TIMEOUT specify timeout for download and import, in seconds
[default: 5400]
7.11 rpkigui-query-routes
Usage:
rpkigui-query-routes [options] PREFIX
options:
--version show program's version number and exit
-h, --help show this help message and exit
7.12 rpkigui-rcynic
The
The
Usage:
rpkigui-rcynic [options]
options:
-h, --help show this help message and exit
-l LOG_LEVEL, --level=LOG_LEVEL
specify the logging level [default: ERROR]
-f LOGFILE, --file=LOGFILE
specify the rcynic XML file to parse
-r DIR, --root=DIR specify the chroot directory for the rcynic jail
[default: /var/rcynic/data]
8 Certification-Authority Test Tools
The
The test tools are only present in the source tree. Neither is installed
during the
Unlike the configuration files used by the other programs, these test programs read test descriptions written in the YAML serialization language. Each test script describes a hierarchy of RPKI entities, including hosting relationships and resource assignments, in a relatively compact form. The CA test programs use these descriptions to generate a set of configuration files, populate the back-end database, and drive the test.
See http://www.yaml.org/ for more information on YAML. See the test configuration language for details on the content of these YAML files.
Certification-Authority Test Tools:
8.1 smoketest
The YAML test description defines the test configuration for
Usage:
smoketest [-h] [-c CONFIG] [--profile] [-y] yaml_file
positional arguments:
yaml_file YAML description of test network
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
configuration file for various
implementation-specific items
--profile enable profiling
-y ignored; present only for backwards
compatability
8.2 yamltest
At present,
Running
Usage:
yamltest [-h] [-c CONFIG] [-f] [-k] [-p PIDFILE] [--skip_config]
[--stop_after_config] [--synchronize] [--profile]
[--store-router-private-keys]
yaml_file
positional arguments:
yaml_file YAML description of test network
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
configuration file
-f, --flat_publication
disable hierarchical publication
-k, --keep_going keep going until all subprocesses exit
-p PIDFILE, --pidfile PIDFILE
save pid to this file
--skip_config skip over configuration phase
--stop_after_config stop after configuration phase
--synchronize synchronize IRDB with daemons
--profile enable profiling
--store-router-private-keys
write generate router private keys to disk
Sections of this document are derived or taken verbatim from Dragon Research Lab's RPKI Tools Manual.
Copyright (c) 2015, Parsons, Inc
All rights reserved