Secure Routing -- Protect Your Infrastructure

Configuration Guide

1 Introduction

After installing the rpki.net software (as described in the Installation Guide) the software must be configured to ensure proper execution. Much of the configuration is handled at install time and uses a set of standard defaults. The defaults are acceptable for most installations, but they should be examined to confirm that they meet the requirements of that installation.

It is assumed that the vast majority of rpki.net installations will be Relying Parties, with only a relatively small number of installations also acting as Certification Authorities. For this reason, the initial version of the Configuration Guide focuses on the RP software. The Certification-Authority part of the Configuration Guide will be expanded in due course.

This document is prepared under Contract Number HSHQDC-14-C-B0035 for DHS S&T CSD

1.1 How to Proceed?

Three questions will give broad answers to what must be done next to configure your rpki.net system.

Must I configure the Relying-Party tools?
You must configure the Relying-Party tools if you operate routers and want to use RPKI data to help secure them.
Most installations will only need to configure the Relying-Party tools.
Must I configure the Configuration-Authority tools?
You must configure the Configuration-Authority tools if you control RPKI resources and need software to let you request certificates, issue ROAs, or issue certificates to others.
Configuration Authorities are usually Relying Parties as well, so you will probably want to start by configuring the Relying-Party tools. After doing so, the CA tools should be configured.
What is the topology of my Configuration-Authority?
If you are running the Configuration-Authority tools, you must decide how to distribute the CA tools on your network. The CA tools may run on a single host or they may be distributed on more than one host. This will determine the settings of various parameters in the CA rpki.conf configuration file.

The remaining sections in this Guide provide further details and instructions for configuring the software for the different types of RPKI systems.

1 Introduction
- 1.1 How to Proceed?
2 Setting Up a Relying Party System
3 Setting Up a Configuration Authority System

2 Setting Up a Relying Party System

There are two central Relying-Party tools: rcynic and rpki-rtr. These programs distribute, manage, and reference RPKI objects, such as configuration files, certificates, and trust anchors.

rcynic is the primary validation program and checks syntax, signatures, expiration times, and conformance to the profiles for RPKI objects. The other Relying-Party tools use the output from rcynic.
rpki-rtr provides the rpki-rtr protocol.

A third tool, rcynic-cron runs as a cron job and executes rcynic and rpki-rtr periodically.

Configuration of these objects and the software tools is described in this section.

2.1 Files and Directories

The rpki.net software requires a configuration file and manages a number of files and directories. Setting up this environment is a large part of configuring the Relying-Party software. While much of it is done automatically by the installation process, there are portions that should be checked to ensure they are set properly.

2.1.1 rcynic.conf Configuration File

The rcynic.conf configuration file is central to the functioning of the rpki.net Relying-Party software. In particular, the file controls how and where rcynic fetches and stores data, and thus where rpki-rtr looks for data. Operational fine-tuning of other aspects of the Relying-Party software may be handled by way of this configuration file.

It is imperative that this file be set up properly in order for the rpki.net software to work as expected. It should also be checked periodically to ensure that it hasn't been changed (inadvertently or maliciously) and that it still meets local requirements. The rcynicchk command can assist with validating the configuration file.

rcynic.conf is an OpenSSL-style configuration file. The default name for the configuration is "rcynic.conf", but this can be overridden with the -c option on the command line. rcynic's configuration parameters are in a section called "[rcynic]", the OpenSSL library configuration parameters can be set in this file as well.

A default version of this file is created when the rpki.net software is installed. There are 27 options that may defined in rcynic.conf. Most configuration parameters are optional and have reasonable defaults. Generally speaking, the values in the default version of the file should be sufficient for most installations. However, the default version should be checked to ensure that it meets local requirements.

The following fields must be checked for validity in the local environment:

authenticated - directory for rcynic-validated objects. Ensure that this directory exists and may be written by rcynic's user.
lockfile - rcynic's lock file.
log-level - logging level.
rsync-program - path to the rsync program.
trust-anchor - path to one RPKI Trust Anchor file.
trust-anchor-directory - the directory that will hold RPKI Trust Anchor and Trust Anchor Locator files.
trust-anchor-locator - path to one RPKI Trust Anchor Locator file.
unauthenticated - directory where rcynic will store unauthenticated data.

Values do not need to be given to each of trust-anchor, trust-anchor-directory, and trust-anchor-locator. It depends on how the local installation intends to manage its Trust Anchors. However, the fields that will be used must be set up properly.

More information about these configuration fields and the rcynic.conf configuration file in general may be found in the Configuration File Reference.

2.1.2 Trust Anchors and Trust Anchor Locators

Trust Anchors (TAs) are represented as DER-formatted self-signed X.509 certificates.

A Trust Anchor Locator (TALs) is a file in the format specified in RFC-6490 , consisting of the rsync URI of the Trust Anchor followed by the Base64 encoding of the Trust Anchor's public key.

Either TAs or TALs (or a mix of both) can be used by the Relying-Party software. The cynic.conf contains fields that specify the files or directories in which to find TAs and TALs. The make-tal.sh script if you need to generate your own TAL for a Trust Anchor.

Configuration Field	Description
trust-anchor	This field specifies a Trust Anchor by naming the local file containing the TA.
trust-anchor-locator	This field specifies a Trust Anchor Locator by naming a local file containing the file containing the TAL.
trust-anchor-directory	This field specifies a directory containing Trust Anchors and or Trust Anchor Locators. Files in the given will be processed as TAs if their names have the ".cer" extension, while while files will be handled as TALs if their names have the ".tal" extension.

Example of a minimal rcynic.conf configuration file specifying nothing but Trust Anchor Locators:

    [rcynic]

        trust-anchor-locator.0 = trust-anchors/apnic.tal
        trust-anchor-locator.1 = trust-anchors/ripe.tal
        trust-anchor-locator.2 = trust-anchors/afrinic.tal
        trust-anchor-locator.3 = trust-anchors/lacnic.tal

Eventually, this should all be collapsed into a single Trust Anchor, at which point the above configuration could become something like:

    [rcynic]

        trust-anchor-locator = trust-anchors/iana.tal

In practice, TALs are more common than TAs, as they reduce the amount of locally configured data. TALs also allow the TA itself to be updated without requiring reconfiguration of validators like rcynic.

Trust Anchors do not need to be self-signed, but many programs (including OpenSSL) assume that they will be. The allow-non-self-signed-trust-anchor field in the rcynic.conf may be set if you need to use a non-self-signed Trust Anchor. Be aware that the results, while technically correct, may not be useful.

2.1.3 Selecting Trust Anchors

Validation in the RPKI system requires a set of Trust Anchors to use as a starting point when checking certificate chains. By definition, Trust Anchors can only be selected by the Relying Party.

A default set of Trust Anchors is supplied with the rpki.net system. The default Trust Anchors are installed as part of the normal installation process and these may be used if they suit your needs. However, the default set can be overridden if your installation has different requirements; see the rcynic documentation for details.

As of this writing, there is no single global Trust Anchor for the RPKI system, so you have to provide separate Trust Anchors for each Regional Internet Registry (RIR) which is publishing RPKI data. The rpki.net installation process installs the TAs it knows about.

ARIN's trust anchor locator is absent from the default set of Trust Anchors. This is the direct result of a deliberate policy decision by ARIN to require anyone using their Trust Anchor to jump through legal hoops. If ARIN changes this policy, their Trust Anchor Locator with be included along with those of the other RIRs.

Remember: It's only a Trust Anchor if you trust it. That decision can only be made by you.

2.2 rcynic Configuration

rcynic is the primary validation program and checks syntax, signatures, expiration times, and conformance to the profiles for RPKI objects. The other Relying-Party tools use the output from rcynic.

There are two methods of running rcynic. Each installation must select the one that works best for them:

run from cron via rcynic-cron (default method)
run rcynic in a chroot() jail environment

These methods are described below.

2.2.1 Running rcynic from cron()

The default configuration created by used in rpki.net's software install process and the various packaging systems will run rcynic from cron using the rcynic-cron wrapper script.

An installation may have additional requirements that aren't handled by rcynic-cron, and a home-grown wrapper may be needed. See the instructions for setting up your own cron jobs if you need different functionality than rcynic-cron provides.

See the instructions for setting up hierarchical rsync if you need to build a complex topology of rcynic validators.

2.2.2 Running rcynic in a chroot() Environment

rcynic has the ability to do all of its work in a chroot() jail. This used to be the default configuration, but this proved impractical to integrate properly with platform-specific packaging systems (e.g., FreeBSD ports or Ubuntu's apt-get). This behavior can still be used, if needed, by installing from source and using the --enable-rcynic-jail option to configure.

This section describes the process of setting up rcynic in a chrooted environment. The installation scripts that ship with rcynic attempt to do this automatically when requested for the supported platforms. However, the process is somewhat finicky, so some explanation is in order. If you're running on one of the supported platforms, the following steps may be handled for you by the Makefiles, but you may still want to understand this process.

rcynic itself does not include any direct support for running chrooted. It is designed to be (relatively) easy to run in a chroot jail.

To enable chroot support during installation, you should install from source and use the --enable-rcynic-jail option to ./configure.

rcynic-cron includes support for running chrooted. To use it, specify the --chroot option on rcynic-cron's command line. This will cause rcynic-cron to run rcynic in the chrooted environment. In order for this to work, rcynic-cron itself must run as root, since only root can issue the chroot() system call. When run as root, rcynic-cron takes care of changing the user ID of each process it starts to the unprivileged rcynic user.

2.2.2.1 Creating the chroot Jail Environment

By far the most complicated part of setting up rcynic to run in a chroot jail is setting the jail itself. The underlying principal is simple and obvious: a process running in the jail can't use files outside the jail. The difficulty is that the list of files that needs to be in the jail is system-dependent, can be rather long, and sometimes can only be discovered by trial and error.

Set-up requirements:

You'll either need statically linked copies of rcynic and rsync, or you'll need to figure out which shared libraries these programs need (try using the ldd command). Here we assume statically linked binaries, because that's simpler, but be warned that statically linked binaries are not even possible on some platforms, whether due to conscious decisions on the part of operating system vendors or due to hidden use of dynamic loading by other libraries at runtime. Once again, the Makefiles attempt to do the correct thing for your environment if they know what it is, but they might get it wrong.
You may find that the dynamic loader looks in a different place than you (and the Makefiles) would expect when running within the chroot jail. For example, you might think that library /usr/local/lib/libfoo.so being installed into a jail named /var/rcynic should go into /var/rcynic/usr/local/lib/libfoo.so, but we've seen cases where the dynamic loader ended up expecting to find it in /var/rcynic/lib/libfoo.so. Getting this right may require some trial and error testing.
You'll need a chroot wrapper program. As mentioned above, rcynic-cron can act as that wrapper program. This is recommended because it works the same way on all platforms and doesn't require additional external programs. Otherwise, you'll have to find a suitable wrapper program. Your platform may already have one (.e.g., FreeBSD has /usr/sbin/chroot). If it doesn't, you can download Wietse Venema's chrootuid program from ftp://ftp.porcupine.org/pub/security/chrootuid1.3.tar.gz.

Warning: The chroot program included in at least some GNU/Linux distributions is not adequate to this task. You need a wrapper that knows how to drop privileges after performing the chroot() operation itself. If in doubt, use chrootuid.

Absolute pathnames are used throughout these set-up instructions. This is not an accident. Programs running in jails under cron should not make assumptions about the current working directory or environment variable settings, and programs running in chroot jails would need different PATH settings anyway. It is safest to specify the full paths..

Unfortunately, the precise details of setting up a proper chroot jail vary wildly from one system to another, so the following instructions may not be a precise match for the preferred way of doing this on your platform. Please feel free to contribute scripts for other platforms.

Build the static binaries.
You might want to test them at this stage too, although you can defer that until after you've got the jail built.
Create a userid under which to run rcynic.
Here we'll assume that's a user named rcynic, whose default group is also named rcynic. Do not add any other userids to the rcynic group unless you really know what you are doing.
Build the jail environment.
You'll need, at minimum, a directory in which to put the binaries, a subdirectory tree that's writable by the userid which will be running rcynic and rsync, your trust anchors, and whatever device inodes the various libraries need on your system. Most likely the devices that matter will be /dev/null, /dev/random, and /dev/urandom; if you're running a FreeBSD system with devfs, you do this by mounting and configuring a devfs instance in the jail, on other platforms you probably use the mknod program or something similar.
Important: Other than the directories that you want rcynic and rsync to be able to modify, nothing in the initial jail setup should be writable by the rcynic userid. In particular, rcynic and rsync should not be allowed to modify: their own binary images, any of the configuration files, or your trust anchors. It's simplest just to have root own all the files and directories that rcynic and rsync are not allowed to modify, and make sure that the permissions for all of those directories and files make them writable only by root.
The following instructions will create a sample jail environment. It is assumed that /var/rcynic will hold the jail.
1. Create the jail hierarchy.
  The following commands create a sample jail tree.
```
    $ mkdir /var/rcynic
    $ mkdir /var/rcynic/bin
    $ mkdir /var/rcynic/data
    $ mkdir /var/rcynic/dev
    $ mkdir /var/rcynic/etc
    $ mkdir /var/rcynic/etc/trust-anchors
```
2. Copy Trust Anchors into jail.
  Trust anchors must be copied into /var/rcynic/etc/trust-anchors.
3. Copy rcynic and rsync into jail.
  Copy the statically linked rcynic and rsync into /var/rcynic/bin.
4. Copy system files into jail.
  Copy /etc/resolv.conf and /etc/localtime (if it exists) into /var/rcynic/etc.
5. Create rcynic.conf.
  Create an rcynic configuration file as /var/rcynic/etc/rcynic.conf. Path names in this file must match the jail setup; more on this below.
6. Set required jail ownerships.
  The following commands will set owner, group, and file permissions for several directories.
```
    $ chmod -R go-w /var/rcynic
    $ chown -R root:wheel /var/rcynic
    $ chown -R rcynic:rcynic /var/rcynic/data
```
7. devfs mounts.
  If you're using devfs, arrange for it to be mounted at /var/rcynic/dev; otherwise, create whatever device inodes you need in /var/rcynic/dev and make sure that they have sane permissions. It is probably safe to assume that whatever permissions are used in your system /dev directory may be considered sane.
8. Configure rcynic.conf. Edit rcynic.conf to match this configuration:
```
    [rcynic]

    rsync-program           = /bin/rsync
    authenticated           = /data/authenticated
    unauthenticated         = /data/unauthenticated
    xml-summary             = /data/rcynic.xml
    trust-anchor-directory  = /etc/trust-anchors
```
Testing the Jail.
Once this is all set up, rcynic may be tested in the jail. Test it from the command line first. If that works, it should be able to be run under cron.
chroot, chrootuid, and other programs of this type are usually intended to be run by root, and should not be setuid programs unless you really know what you are doing.
Sample test command line:
```
    # /usr/local/bin/chrootuid /var/rcynic rcynic /bin/rcynic -s -c /etc/rcynic.conf
```

2.2.2.2 Building Static Binaries

On FreeBSD, building a statically linked rsync is easy: one just sets the environment variable LDFLAGS='-static' before building rsync and the right thing will happen. Since this is really just GNU configure picking up the environment variable, the same trick should work on those platforms that support -static. Also, some platforms are missing some or all of the non-shared libraries needed to link the resulting binary.

For simplicity, we've taken the same approach with rcynic. This command will work:

    $ make LDFLAGS='-static'

This isn't necessary on platforms where we know that static linking works -- the default is static linking where supported.

2.2.2.3 syslog from chrooted Environments

Depending on how the syslog() library call and the syslog daemon are implemented on your platform, syslog may not work properly with rcynic in a chroot jail. On FreeBSD, the easiest way to fix this is to add the following lines to /etc/rc.conf:

    altlog_proglist="named rcynic"
    rcynic_chrootdir="/var/rcynic"
    rcynic_enable="YES"

This tells syslog to listen on an additional PF_UNIX socket within rcynic's chroot jail.

(Depending on the system, the actual daemon name may be something like syslogd or rsyslogd.)

2.3 rpki-rtr Configuration

rpki-rtr is an implementation of the RPKI-router protocol defined in RFC-6810. rpki-rtr depends on rcynic to collect and validate the RPKI data. rpki-rtr provides that data to routers that must do prefix origin authentication. Data are sent to routers in a lightweight format.

rpki-rtr is an intermediary between rcynic, a post-processor, and a listener. These three other entities must be installed and configured. The software installation should set up rcynic and a post-processor. The listener must be installed manually.

2.3.1 Post-processing of rcynic Output

If you are using rcynic-cron to run rcynic and rpki-rtr, then post-processing is already being handled and you can skip the rest of this section.

If a non-standard cron job is running rcynic and rpki-rtr, then you must set up post-processing of rcynic output. Post-processing can be handled by adding something like this (with correct pathnames) to your local cron job:

    /usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated /var/rcynic/rpki-rtr

The rpki-rtr cronjob command must have write access to a directory in which it can store processed versions of the data received from rcynic. In the example above, the directory /var/rcynic/rpki-rtr must be writable by the user ID executing the cron job.

As part of the configuration process, execute the rpki-rtr cronjob command at least once before configuring the rpki-rtr server. This allows the rpki-rtr server executions to run smoothly.

2.3.2 rpki-rtr's Listener

A server listener must be set up that invokes rpki-rtr server. The choice of server listener to use depends on the network protocol being used to transport this protocol. rpki-rtr is happy to run under inetd, xinetd, sshd, or a home-grown service. rpki-rtr operates fairly simply, just reading from stdin and writing to stdout.

rpki-rtr server server should be run as a non-privileged user. Some installations may prefer to set up a separate UNIX userid for this purpose.

rpki-rtr server takes an optional argument specifying the path to its data directory. If this argument is omitted, rpki-rtr server uses the directory in which it is run.

The details of how to set up a listener vary depending on the network protocol and the operating system on which it is run. Below are three examples, running under inetd (on FreeBSD), running under sshd, or running as a free-standing server using rpki-rtr listener.

2.3.2.1 rpki-rtr's Listener with inetd

Running under inetd with plain TCP is insecure and should only be done for testing, but you can also run it with TCP-MD5 or TCP-AO, or over IPsec. The inetd configuration is generally the same, the details of how you set up TCP-MD5, TCP-AO, or IPsec are platform specific.

To run under inetd, you need to:

Add an entry to /etc/services defining a symbolic name for the port, if one doesn't exist already. At present, there is no well-known port defined for this protocol. This example will use port 42420 and the symbolic name rpki-rtr.
Add this entry to /etc/services:
```
    rpki-rtr          42420/tcp
```

Add the service line to /etc/inetd.conf:

    rpki-rtr stream tcp nowait nobody /usr/local/bin/rpki-rtr rpki-rtr server /var/rcynic/rpki-rtr

This assumes that you want the server to run as user nobody, which is generally a safe choice. A new non-privileged user could be created for this purpose. DO NOT run the server as root; it shouldn't do anything bad, but it is a network server that doesn't need root access, therefore it shouldn't have root access.

2.3.2.2 rpki-rtr's Listener with sshd

To run rpki-rtr server under sshd, the following steps must be followed:

Decide whether to run a new instance of sshd on a separate port or use the standard port. rpki-rtr doesn't care, but some people seem to think that it's somehow more secure to run this service on a different port. Setting up sshd in general is beyond the scope of this documentation, but most likely you can copy the bulk of your configuration from the standard configuration.
Configure sshd to know about the rpki-rtr subsystem. Add something like this to your sshd.conf:
```
    Subsystem rpki-rtr /usr/local/bin/rpki-rtr
```
Configure the userid(s) you expect SSH clients to use to connect to the server. For operational use you almost certainly do NOT want this user to have a normal shell, instead you should configure its shell to be the server (e.g., /usr/local/bin/rpki-rtr) and its home directory to be the rpki-rtr data directory (e.g., /var/rcynic/rpki-rtr.) If you're using passwords to authenticate instead of SSH keys, which is not recommended, you will always need to set the password(s) here when configuring the userid(s).
Configure the .ssh/authorized_keys file for your clients; if you're using the example values given above, this would be /var/rcynic/rpki-rtr/.ssh/authorized_keys. You can have multiple SSH clients using different keys all logging in as the same SSH user, you just have to list all of the SSH keys here. You may want to consider using a command=parameter in the key line (see the sshd(8) man page) to lock down the SSH keys listed here so that they can only be used to run the rpki-rtr service.

If you're running a separate sshd for this purpose, you might also want to add an AuthorizedKeysFile entry pointing at this authorized_keys file. This ensures that the server will only use this authorized_keys file regardless of what other user accounts might exist on the machine:

    AuthorizedKeysFile /var/rcynic/rpki-rtr/.ssh/authorized_keys

There's a sample sshd.conf in the rpki.net source directory. You will have to modify it to suit your environment. The most important part is the Subsystem line, which runs the server.sh script as the rpki-rtr service, as required by the protocol specification.

2.3.2.3 rpki-rtr's Listener with Generic Support

rpki-rtr listener is a free-standing plain TCP server which just listens on a TCP socket then forks a child process running rpki-rtr server.

All of the caveats regarding plain TCP apply to rpki-rtr listener.

rpki-rtr listener takes one required argument, the TCP port number on which to listen; it also accepts a second argument which specifies the rcynic output directory, like rpki-rtr server.

    /usr/local/bin/rpki-rtr listener 42420 /var/rcynic/rpki-rtr

2.3.2.4 rpki-rtr's Listener with Other Programs

You can also run this code under other such network service programs. These include such programs as xinetd, faucet (from netpipes), or stunnel. Other than a few lines that might need to be modified to log the connection peer properly, the program really doesn't care.

You should, however, care whether the channel you have chosen is secure; it doesn't make a lot of sense to go to all the trouble of checking RPKI data then let the bad guys feed bad data into your routers anyway because you were running the rpki-rtr link over an unsecured TCP connection.

2.4 Setting Up a Local cron Wrapper

rcynic is designed to be run by the cron daemon. Consequently, most of the other Relying-Party tools are also designed to run under cron, so that they can make use of rcynic's output immediately after it finishes a validation run.

rcynic-cron runs the basic set of Relying-Party tools: rcynic, rcynic-html, and rpki-rtr. Nothing else must be done if this suffices for your purposes. This section is a discussion of alternative approaches.

The tools to be run by a cron wrapper depend on how you intend to use the Relying-Party tools. This section assumes a typical case in RPKI data are gathered and validated prior to the results being sent to routers using the rpki-rtr protocol. This section also assumes that the rpki.net software has been installed in the default locations.

The exact sequence for invoking rcynic itself varies depending both on whether or not the command is being run in a chroot jail. It also depends on the platform on which rcynic is running, as the chroot utilities on different platforms behave slightly differently. (Using a chroot jail used to be the default for rcynic, but it turned out that many users found the set-up involved to be too complex.)

If you're not using rcynic-cron, it's probably simplest to write a short wrapper shell script which calls the tools you want in the correct order. That is what will be shown here.

Once you've written this wrapper, add an entry in your crontab to have it run at some appropriate interval. Running the wrapper hourly, or perhaps every six hours, should be sufficient, depending on your installation's needs. The wrapper should be run at least once per day. It probably should not be run more frequently than once per hour, unless you really know what you are doing. Please do not just arrange for the script to run on the hour, instead pick some random minute value within the hour as the start time for your script. This helps help spread the load on the repository servers.

An appropriate set of repository directory must be created for use by the Relying-Party tools. These commands will create the directory and set its ownership appropriately.

    # mkdir /var/rcynic/rpki-rtr
    # chown rcynic /var/rcynic/rpki-rtr

On FreeBSD or Mac OSX, this wrapper script might look like this:

    #!/bin/sh -
    /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf || exit
    /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic
    /usr/bin/su -m rcynic -c '/usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated /var/rcynic/rpki-rtr'

On GNU/Linux systems, the script might look like this if you use the chrootuid program:

    #!/bin/sh -
    /usr/bin/chrootuid /var/rcynic rcynic /bin/rcynic -c /etc/rcynic.conf || exit
    /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /var/www/rcynic
    /usr/bin/su -m rcynic -c '/usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated /var/rcynic/rpki-rtr'

If you use the chroot program instead of chrootuid, change the line that invokes rcynic to:

    /usr/sbin/chroot --userspec rcynic:rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf || exit

2.5 Running a Hierarchical rsync Configuration

Having every relying party on the Internet contact every publication service is not terribly efficient. In many cases, it may make more sense to use a hierarchical configuration in which a few "gatherer" Relying Parties contact the publication servers directly, while a collection of other Relying Parties get their raw data from the gatherers.

Note: The Relying Parties in this configuration still perform their own validation, they just let the gatherers do the work of collecting the unvalidated data for them.

A gatherer in a configuration like this would look just like a stand-alone Relying Party as discussed above. The only real difference is that a gatherer must also make its unauthenticated data collection available to other Relying Parties. Assuming the standard configuration, this will be the directory /var/rcynic/data/unauthenticated and its subdirectories.

There are two slightly different ways to do this with rsync:

Via unauthenticated rsync, by configuring an rsyncd.conf "module".
Via rsync over a secure transport protocol such as ssh.

Since the downstream Relying Party performs its own validation in any case, either of these will work, but using a secure transport such as ssh will make it easier to track problems back to their source if a downstream Relying Party concludes that it has been receiving bad data.

The script for a downstream Relying Party using ssh might look like this:

    #!/bin/sh -

    PATH=/usr/bin:/bin:/usr/local/bin
    umask 022
    eval `/usr/bin/ssh-agent -s` >/dev/null
    /usr/bin/ssh-add /root/rpki_ssh_id_rsa 2>&1 | /bin/fgrep -v 'Identity added:'
    hosts='larry.example.org moe.example.org curly.example.org'

    for host in $hosts
    do
        /usr/bin/rsync --archive --update --safe-links rpkisync@${host}:/var/rcynic/data/unauthenticated/ /var/rcynic/data/unauthenticated.${host}/
    done

    eval `/usr/bin/ssh-agent -s -k` >/dev/null

    for host in $hosts
    do
        /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf -u /data/unauthenticated.${host}
        /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic.${host}
    done

    cd /var/rcynic/rpki-rtr
    /usr/bin/su -m rcynic -c '/usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated'

where /root/rpki_ssh_id_rsa is an SSH private key authorized to log in as user rpkisync on the gatherer machines.

If you want to lock this down a little tighter, you could use ssh's command="..." mechanism as described in the sshd documentation to restrict the rpkisync user so that it can only run this one rsync command.

To avoid allowing the downstream Relying Parties any sort of login access at all on the gatherer machines, rsync can be run in an "insecure" configuration. The "insecure" rsync configuration would look more like this:

    #!/bin/sh -

    PATH=/usr/bin:/bin:/usr/local/bin
    umask 022
    hosts='larry.example.org moe.example.org curly.example.org'

    for host in $hosts
    do
        /usr/bin/rsync --archive --update --safe-links rsync://${host}/unauthenticated/ /var/rcynic/data/unauthenticated.${host}/
    done

    for host in $hosts
    do
        /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf -u /data/unauthenticated.${host}
        /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic.${host}
    done

    cd /var/rcynic/rpki-rtr
    /usr/bin/su -m rcynic -c '/usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated'

Where "unauthenticated" here is an rsync module pointing at /var/rcynic/data/unauthenticated on each of the gatherer machines. Configuration for the "unauthenticated" module would look like:

    [unauthenticated]
        read only           = yes
        transfer logging    = yes
        path                = /var/rcynic/data/unauthenticated
        comment             = Unauthenticated RPKI data

3 Setting Up a Configuration Authority System

The sections that follow have the beginnings of a discussion on setting up a Configuration Authority system. These are incomplete and will be completed soon.

3.1 Files and Directories

The rpki.net software requires a general configuration file and manages a number of files and directories. Setting up this environment is a large part of configuring the Relying-Party software. While much of it is done automatically by the installation process, there are portions that should be checked to ensure they are set properly.

3.1.1 rpki.conf Configuration File

The rpki.conf configuration file is central to the functioning of the rpki.net software. It determines such things as which programs are run and the locations of keys, databases, and other objects. It is imperative that this file be set up properly in order for the rpki.net software to work as expected.

The rpki.conf file is composed of seven named sections of key/value entries. The name of each section is enclosed in square brackets. Each entry is comprised of the entry name, an equals sign, and the entry value. An entry's value can refer to an entry key in another section. The following configuration fragments show how the parts of rpki.conf may be set:


    [myrpki]
        irdbd_server_host = localhost
        irdbd_server_port = 4403

    [irdbd]
        server-port       = ${myrpki::irdbd_server_port}

The rpki.net installation process creates a default rpki.conf file. The default values are usually sufficient for most installations. However, the file must be examined to ensure that it is configured according to the needs of the installation. To be thorough, you may want to examine all the default values; however, the values listed in the subsections below are the minimum set that should be checked.

The first subsection below describes the daemon-execution flags that must be set in order to start only those daemons that should be run by your installation. The following subsections describe particular fields in each configuration section that must be checked.

After checking the rpki.conf file, the rpkichk command may be used to check that the values of the configuration entries appear to be sane.

Details on the rpki.conf configuration file may be found in the Configuration File Reference. The man page for rpkichk is in the Command Reference.

3.1.1.1 Execution Flags

There are several rpki.conf entries that control which rpki.net daemons will be executed. These flags must be set properly for your installation.

There are two separate sets of rpki.conf entries which control the necessary behavior. The run_ entries control whether the back-end code back end code manages the servers in question. The start_ entries control whether the start-up scripts should start the servers in question. The start_ entries will reference the values of the run_ entries if the related daemon will be run on the server on which the rpki.conf resides. If a daemon will be run on a different server, then the related start_ entry must reflect this.

Entry Name	Purpose	Default Value
run_rpkid	Run the rpkid and irdbd daemons.	yes
run_pubd	Run the pubd daemon.	yes
run_rootd	Run the rootd daemon.	no

There is another set of entries that refer to these flag entries. In most cases, the values of these entries should not be changed. These entries are expected to correspond to the referenced entries.

The following table lists these referencing entries.

Entry Name	Referenced Entry	Controlled Daemon
start_rpkid	${myrpki::run_rpkid}	rpkid
start_irdbd	${myrpki::run_rpkid}	irdbd
start_pubd	${myrpki::run_pubd}	pubd
start_rootd	${myrpki::run_rootd}	rootd

The only case where the start_ entries should be changed is when the back-end code is running on a different machine from one or more of the daemons. In this case, finer control is needed over which daemons to start on which machines.

3.1.1.2 [autoconf] Entries

The [autoconf] configuration section has four entries for commonly used directories. These entries are referenced by many of the other configuration sections. These values are set in the rpki.net automatic configuration process when the software is built and installed. The default entries are almost certainly acceptable, but they should be checked all the same.

Entry Name	Default Value
bindir	/usr/bin or /usr/local/bin
datarootdir	/usr/share or /usr/local/share
sbindir	/usr/sbin or /usr/local/sbin
sysconfdir	/etc

3.1.1.3 [myrpki] Entries

The [myrpki] configuration section is a shared section, with entries common to all the rpki.net daemons. Many of these entries are referenced by other sections of the rpki.conf file.

There are three directory entries that must be checked for validity. These are referenced in other sections, and bpki_servers_directory most widely.

Entry Name	Default Value
bpki_servers_directory	${autoconf::datarootdir}/rpki
publication_base_directory	${autoconf::datarootdir}/rpki/publication
publication_root_cert_directory	${myrpki::publication_base_directory}.root

There are a set of server entries that must be checked. There is a host and a port entry for each of the rpki.net daemons. These must be checked to ensure that the hostnames are correct and that the ports are not in use by other programs.

Entry Name	Default Value
rpkid_server_host	hostname (FQDN)
rpkid_server_port	4404
irdbd_server_host	"localhost"
irdbd_server_port	4403
pubd_server_host	hostname (FQDN)
pubd_server_port	4402
rootd_server_host	"localhost"
rootd_server_port	4401

The rpki.net daemons use a set of three databases, one for each daemon. (Except for cmd>rootd), that is.) There are configuration entries for the database name, the SQL username, and the SQL password for each of these databases. The default values should be okay, but they should be checked to be sure.

Entry Name	Default Value
shared_sql_username	"rpki"
shared_sql_password	auto-generated at install time
rpkid_sql_database	"rpkid"
rpkid_sql_username	${myrpki::shared_sql_username}
rpkid_sql_password	${myrpki::shared_sql_password}
irdbd_sql_database	"irdbd"
irdbd_sql_username	${myrpki::shared_sql_username}
irdbd_sql_password	${myrpki::shared_sql_password}
pubd_sql_database	"pubd"
pubd_sql_username	${myrpki::shared_sql_username}
pubd_sql_password	${myrpki::shared_sql_password}

3.1.1.4 [rpkid] Entries

The [rpkid] configuration section has entries specific to the rpkid daemon. Most of the default entries in this section are references to entries in the [myrpki] section.

There are five entries for rpkid-specific files. The default files are in the bpki_servers_directory directory, as specified in the [myrpki] section. The value of this directory entry should be checked for acceptability.

These file values should not be changed unless you really know what you're doing.

3.1.1.5 [irdbd] Entries

The [irdbd] configuration section has entries specific to the irdbd daemon. All the default entries in this section are references to entries in the [myrpki] section.

3.1.1.6 [pubd] Entries

The [pubd] configuration section has entries specific to the pubd daemon. Most of the default entries in this section are references to entries in the [myrpki] section.

There are four entries for rpkid-specific files. The default files are in the bpki_servers_directory directory, as specified in the [myrpki] section. The value of this directory entry should be checked for acceptability.

These values should not be changed unless you really know what you're doing.

3.1.1.7 [rootd] Entries

The [rootd] configuration section has entries specific to the rootd daemon. Most of the default entries in this section are references to entries in the [myrpki] section.

As is explained elsewhere, the rpki.net documentation strongly urges that rootd not be run by most installations. This section may be skipped by those that do not need to run rootd.

There are nine entries for rootd-specific files which contain paths specified by referencing other configuration values. The default files are in bpki_servers_directory, publication_base_directory, and publication_root_cert_directory , as specified in the [myrpki] section. The values of these directory entries should be checked for acceptability.

These values should not be changed unless you really know what you're doing.

3.1.1.8 [web_portal] Entries

The [web_portal] configuration section has entries specific to the rpki.net web interface. Most of the default entries in this section are references to entries in the [myrpki] section.

The single non-reference entry is the secret-key entry. This is the site-specific secret key used for Django. This secret key is generated during rpki.net installation and is almost certainly safe to leave as is.

3.1.2 Root Certificates

If a root CA will be run using rootd, a root certificate must be created. generate-root-certificate is very useful script for doing this, and it is available from hactrn.net.

The command sequence below demonstrates using generate-root-certificate.

    # cd /usr/share/rpki
    # wget https://subvert-rpki.hactrn.net/trunk/potpourri/generate-root-certificate --no-check-certificate
    # python generate-root-certificate

    # mkdir /usr/share/rpki/publication.root
    # rsync root.cer /usr/share/rpki/publication.root

    # rm /etc/rpki/trust-anchors/*
    # rsync root.tal /etc/rpki/trust-anchors/TestRoot.tal

This command sequence creates a root certificate, key, and Trust Anchor List. The certificate is saved in a publication directory. The TAL is moved to become the only set of Trust Anchors used by the RPKI software.

This command sequence assumes that the /etc/rpki.conf file has the following values. The values of these configuration fields are likely to refer to other fields, so be sure to check the actual value. The commands must be adjusted if this is not the case.

Entry Name	Assumed Value
bpki_servers_directory	/usr/share/rpki
publication_base_directory	/usr/share/rpki/publication
publication_root_cert_directory	/usr/share/rpki/publication.root

3.1.3 MySQL Database Configuration

rpki.net databases must be initialized prior to running rpkid, irdbd, or pubd. This initialization may be performed with the rpki-sql-setup command or it may be performed manually.

MySQL is used to manage the rpki.net databases. It is assumed that MySQL was installed during the rpki.net installation process detailed in the Installation Manual.

See the Configuration File Reference for details on the configuration file settings the daemons will use to find and authenticate themselves to their respective databases.

3.1.3.1 Automated Database Configuration

The rpki-sql-setup automatically generates the databases required by rpki.net. The script prompts for the MySQL root password then uses values from the rpki.conf to complete the database initialization.

    $ rpki-sql-setup
    Please enter your MySQL root password:

rpki-sql-setup will provide notice of the databases it creates. The -v option may be used to see more details about the actions taken during database creation.

The man page for rpki-sql-setup is in the Command Reference.

3.1.3.2 Manual Database Configuration

The rpki.net databases can be created manually. In these SQL command sequences, the irdb_database, irdb_user, irdb_password, rpki_database, rpki_user, rpki_password, pubd_database, pubd_user, and pubd_password values must match the values in the rpki.conf configuration file. Also, the $top variable must point to the top level of the rpki.net distribution.

Two databases must be created:

    $ mysql -u root -p
    mysql> CREATE DATABASE irdb_database;
    mysql> GRANT all ON irdb_database.* TO irdb_user@localhost IDENTIFIED BY 'irdb_password';
    mysql> CREATE DATABASE rpki_database;
    mysql> GRANT all ON rpki_database.* TO rpki_user@localhost IDENTIFIED BY 'rpki_password';
    mysql> USE rpki_database;
    mysql> SOURCE $top/schemas/sql/rpkid.sql;
    mysql> COMMIT;
    mysql> quit

If the pubd publication daemon will be run, a database for it must also be initialized. values used in rpki.conf.

    $ mysql -u root -p
    mysql> CREATE DATABASE pubd_database;
    mysql> GRANT all ON pubd_database.* TO pubd_user@localhost IDENTIFIED BY 'pubd_password';
    mysql> USE pubd_database;
    mysql> SOURCE $top/schemas/sql/pubd.sql;
    mysql> COMMIT;
    mysql> quit

3.1.4 rsyncd.conf Configuration File

The rsyncd command must be run when the rpki.net publication server pubd will be used. (rsyncd is standard on most Unix-like systems.) The rsyncd configuration will need to match the pubd configuration in the rpki.conf file. This will allow Relying Parties to find the RPKI objects managed by pubd.

The following is a sample rpki section that may be added to your system's rsyncd.conf file:

    [rpki]
        path                = /usr/share/rpki/publication
        use chroot          = no
        read only           = yes
        transfer logging    = yes
        comment             = for rpki.net's pubd daemon

This configuration section must be adapted for your own installation. In particular, the path field must match the directory listed as publication_base_directory in the rpki.conf file.

The publication_base_directory field may reference other fields in rpki.conf, but the actual path must be used in rsyncd.conf. The rpkichk -list command may be used to determine the actual path. The commands below illustrate how rpki.conf may list this field and what it translates to:

    $ rpkichk -list -untranslate | grep ^publication_base_directory
    publication_base_directory     	"${autoconf::datarootdir}/rpki/publication"

    $ rpkichk -list | grep ^publication_base_directory
    publication_base_directory     	"/usr/share/rpki/publication"

The rsyncdchk command may be used to check that the values of the configuration values in the rsyncd.conf file appear to be sane.

Details on the rpki.net-specific portions of the rsyncd.conf configuration file may be found in the Configuration File Reference. The man page for rsyncdchk is in the Command Reference.

3.2 irdbd Configuration

irdbd is a sample implementation of the server side of the IRDB callback subset of the left-right protocol. irdbd is part of the Internet Registry Back-End (IRBE) system. It shares an SQL database with the rpkic control program and the web interface.

In production use, this service is a function of the IRBE stub. irdbd may be suitable for production use in simple cases. However, a registry with a complex IRDB may need to extend or rewrite irdbd.

Configuration for irdbd is relatively simple, and is handled by setting up the rpki.conf file. See the Configuration File Reference for details.

3.3 pubd Configuration

pubd stores dynamic data in an SQL database, which must have been created for it, as explained in the MySQL setup instructions. pubd also stores the published objects themselves as disk files in a configurable location which should correspond to an appropriate module definition in rsyncd.conf; see the Configuration File Reference for details.

The pubd daemon may be run on the same host as the other rpki.net servers, or on a different host from them. The default is to run pubd together with the other servers on the same host. This choice will require different sets of configuration actions.

3.3.1 Running pubd on the Same Server

The rpki.conf file must be created as described in the rpki.conf Configuration File section. No additional configuration must performed if pubd will run on the same server as the other rpki.net servers.

3.3.2 Running pubd on a Different Server

The following guidelines describe how to set up an pubd server to run on a different machine than the rest of the back-end code. For this section, pubd and the back-end code will run on different machines, which will be named pubd.example.org and backend.example.org. Obviously, your installation will use different host names.

Most of the configuration is the same as in the normal case, but there are a few extra steps. The following instructions supplement the normal instructions, but do not replace them.

WARNING: These setup directions have not been tested extensively.

On backend.example.org, create the rpki.conf file as described in the rpki.conf Configuration File section.
The following settings will be used:
```
    irbe_server_host = backend.example.org
    pubd_server_host = pubd.example.org
```
Customize rpki.conf on backend.example.org:
- start_irdbd should be enabled.
- start_pubd should be disabled.
Enable run_pubd in rpki.conf.
Copy the rpki.conf file to pubd.example.org.
Customize the rpki.conf on pubd.example.org:
- start_irdbd should be disabled.
- start_pubd should be enabled.
Ensure that the SQL databases have been set up on both servers. The rpki-sql-setup script should do the right thing in each case, based on the setting of the start_ options.
Run "rpkic initialize" on backend.example.org. This will create the BPKI and write out all of the necessary keys and certificates. These are the .cer, .key, and .crl files.
The relevant BPKI files must be copied to pubd.example.org:
- the .cer file,
- the .crl file,
- the pubd.key file.
Run rpki-start-servers on the two server hosts when it's time to start the servers.
Do the usual setup, but keep in mind that the the back-end controlling all of these servers runs on backend.example.org, so that is where the rpkic or GUI commands to manage the servers must be issued. rpkic and the GUI both know how to talk to pubd over the network, so managing it remotely is fine.

3.4 rootd Configuration

rootd is a minimal implementation of the server side of the up-down protocol. It is a separate program because the root certificate of an RPKI certificate tree requires special handling and may also require a special handling policy. All rootd configuration comes from the rpki.conf configuration file; see the Configuration File Reference for details.

Warnings against using the rootd daemon:

rootd is a simple implementation intended for test use. It is not suitable for use in a production system.
You do not need to run rootd unless one of the following conditions holds true:
- You are IANA.
- You are certifying private address space.
- You are an RIR which refuses to accept IANA as the root of the public address hierarchy.
If none of these conditions are true, you do not need to run rootd.
The developers say that rootd is a mess, and it needs to be rewritten and merged into rpkid. It doesn't use the publication protocol and it requires far too many configuration parameters.

3.5 rpkid Configuration

rpkid is the main RPKI engine daemon. The rpki.conf configuration file must be created before rpkid can be used. Afterwards, the rpkic command line tool or the web interface must be used to guide the remaining dynamic configuration.

rpkid stores dynamic data in an SQL database, which must have been created for it. Initialization of this database is explained in the MySQL Database Configuration section.

The rpkid daemon may be run on the same host as the other rpki.net servers, or on a different host from them. The default is to run rpkid together with the other servers on the same host. This choice will require different sets of configuration actions.

3.5.1 Running rpkid on the Same Server

The rpki.conf file must be created as described in the rpki.conf Configuration File section. No additional configuration must performed if rpkid will run on the same server as the other rpki.net servers.

3.5.2 Running rpkid on a Different Server

The following guidelines describe how to set up an rpkid server to run on a different machine than the rest of the back-end code. For this section, rpkid and the back-end code will run on different machines, which will be named rpkid.example.org and backend.example.org. Obviously, your installation will use different host names.

Most of the configuration is the same as in the normal case, but there are a few extra steps. The following instructions supplement the normal instructions, but do not replace them.

WARNING: These setup directions have not been tested extensively.

On backend.example.org, create the rpki.conf file as described in the rpki.conf Configuration File section.
The following settings will be used:
```
    irbe_server_host  = backend.example.org
    rpkid_server_host = rpkid.example.org
```
Customize rpki.conf on backend.example.org:
- start_irdbd should be enabled.
- start_rpkid should be disabled.
Enable run_rpkid in rpki.conf.
Copy the rpki.conf file to rpkid.example.org.
Customize rpki.conf on rpkid.example.org:
- start_irdbd should be disabled.
- start_rpkid should be enabled.
Ensure that the SQL databases have been set up on both servers. The rpki-sql-setup script should do the right thing in each case, based on the setting of the start_ options.
Run "rpkic initialize" on backend.example.org. This will create the BPKI and write out all of the necessary keys and certificates. These are the .cer, .key, and .crl files.
The relevant BPKI files must be copied to rpkid.example.org:
- the .cer file,
- the .crl file,
- the rpkid.key file.
Run rpki-start-servers on the two server hosts when it's time to start the servers.
Do the usual setup, but keep in mind that the the back-end controlling all of these servers runs on backend.example.org, so that is where the rpkic or GUI commands to manage the servers must be issued. rpkic and the GUI both know how to talk to rpkid over the network, so managing it remotely is fine.

3.6 Initialization of Certification Authority Data

The Certification Authority data must be initialized. The rpkic command may be used to do this. rpkic uses the value of the handle field in the /etc/rpki.conf file as an identifier in the initialization.

The command sequence below demonstrates the rpkic commands needed to initialize the CA. This example assumes the handle field has the value "example-ca".

    # service rpki-ca restart
    # cd /usr/share/rpki
    # rpkic initialize
    # rpkic configure_publication_client /usr/share/rpki/example-ca.example-ca.repository-request.xml
    # rpkic configure_repository /usr/share/rpki/testCA.repository-response.xml

This example does not include the output from these commands. The path used in the configure_publication_client command was given in the output to the initialize command. Similarly, the path used in the in the configure_repository command was given in the configure_publication_client command.

The man page for rpkic is in the Command Reference.

3.7 Web Interface Configuration

rpki.net provides a web-based interface to the Certification Authority sytem. This interface is known as Web Portal. Several things must be configured prior to using the Web Portal: superusers, error notifications, and cron jobs. The required configuration actions are described in this section.

Once these other other things are set up, Users and Resource Holders must be defined for the Web Portal. See the Web Portal Administrator's Manual for details on how to create and modify the Web Portal's objects.

3.7.1 Configuring the Web Portal

The [web_portal] section in the /etc/rpki.conf configuration file contains fields relevant to the Web Portal. The value of the download-directory field must be checked to ensure that the directory is on a file system large enough to hold a dumped routing table. Default values for all other fields should be sufficient for most installations.

See the Configuration File Reference for details.

3.7.2 Creating a Web Portal Superuser

A superuser for the Web Portal should be created. The rpki-manage command will create the superuser and set its password. You will be prompted for a username, an email address, and a password. Strong passwords should be used for all accounts, but especially for the superuser accounts.

    # rpki-manage

The man page for rpki-manage is in the Command Reference.

3.7.3 Error Notifications via Email

By default, exceptions generated while the Web Portal is processing a request will be logged to the Apache log file. An email message will be sent to root@localhost as well.

If you wish to change where email is sent, you can edit /etc/rpki/local_settings.py and add the following lines:

    ADMINS = (('YOUR NAME', 'YOUR EMAIL ADDRESS'),)

For example,

    ADMINS = (('Joe User', 'joe@example.com'),)

3.7.4 Cron Jobs for the Web Portal

The Web Portal makes use of some external data sources to display the validation status of routing entries. Therefore, it is necessary to run some background jobs periodically to refresh this data. The Web Portal software makes use of the cron facility present in POSIX operating systems to perform these tasks.

3.7.4.1 Importing Routing Table Snapshots

In order for the Web Portal to display the validation status of routes covered by a resource holder's RPKI certificates, it needs a source of the currently announced global routing table. The Web Portal includes a script which can parse the output of the RouteViews full snapshot (warning: links to very large file!).

When the software is installed, there will be a /usr/local/sbin/rpkigui-import-routes script that should be invoked periodically. Routeviews.org updates the snapshot every two hours, so it does not make sense to run it more frequently than two hours. How often it should run depends on how often the routes you are interested in are changing.

Create an entry in root's crontab such as

    30  */2 *   *   *      /usr/local/sbin/rpkigui-import-routes

3.7.4.2 Importing ROAs

If you want the GUI's "routes" page to see ROAs when you click those buttons, you will need to run rcynic. See the instructions for setting up rcynic.

This data is imported by the rcynic-cron script. If you have not already set up that cron job, you should do so now. By default, rcynic-cron is run once an hour. This means that the routes view in the GUI will not immediately update as you create and destroy ROAs. You may wish to run rcynic-cron more frequently, or configure rcynic.conf to only include the TAL that is the root of your resources, and run the script more frequently (perhaps every 2-5 minutes.)

If you are running rootd, you may want to run with only your local Trust Anchor. In this case, to have the GUI be fairly responsive to changes, you may want to run the rcynic often. In this case, you may want to look at the jitter value in rcynic.conf.

3.7.4.3 Expiration Checking

The Web Portal can notify users when it detects that RPKI certificates will expire in the near future. Run the rpkigui-check-expired script as a cron job, perhaps once a night:

By default, it will warn of expiration 14 days in advance, but this may be changed by using the -t command-line option and specifying how many days in advance to check.

3.7.5 Verify the Web Portal is Working

To ensure that the Web Portal is working properly, navigate to https://YOURHOST/rpki/. You should see the login page for the Web Portal.

Enter the superuser name and password (as created in the section) in the login form. If the Web Portal is working properly, this will take you to the Web Portal's dashboard.

The Web Portal Administrator's Manual provides more information about administering the Web Portal.

3.7.6 Running the Web Portal as a Different User

By default, the Web Portal is run in embedded mode in mod_wsgi, which means it runs inside the Apache process. However, you can make the Web Portal run in daemon mode as a different user using mod_wsgi.

    $ ./configure --enable-wsgi-daemon-mode[=user[:group]]

Where user is the optional user to run the Web Portal as, and group is the optional group to run the Web Portal as. If user is not specified, it will run in a separate process but the same user as Apache is configured to run.

When run in daemon mode, a Unix-domain socket will be created in the same directory as the Apache log files. If the user you have specified to run the Web Portal as does not have permission to read a file in that directory, the web interface will return a "500 Internal Server Error" and you will see a "Permission Denied Error" in your Apache logs. The solution to this is to use the WSGISocketPrefix Apache configuration directive to specify an alternative location, such as:

    WSGISocketPrefix /var/run/wsgi

This directive must not be placed inside of the <VirtualHost> section. It must be located at the global scope.

See ModWSGI Configuration Directives for more information.

Sections of this document are derived or taken verbatim from Dragon Research Lab's RPKI Tools Manual.

Routing Security Step-by-Step Guide