The
- basic checks - simple system checks, such as the existence of files, valid hostnames, protected keys
- cross checks - related configuration fields don't conflict
- recommended-value checks - checks that recommended values are being used
These checking groups are described in more detail in the sections below.
This document is prepared under Contract Number HSHQDC-14-C-B0035 for DHS S&T CSD
1. Basic Checks
| Section | Field | Checks Performed |
| --- | --- | --- |
| autoconf | bindir | directory exists, is readable and searchable |
| autoconf | datarootdir | directory exists, is readable and searchable |
| autoconf | sbindir | directory exists, is readable and searchable |
| autoconf | sysconfdir | directory exists, is readable and searchable |
| irdbd | sql-database | database name isn't null |
| irdbd | sql-username | valid SQL user name was given |
| irdbd | sql-password | SQL password/hash defined; at least 40 characters long |
| irdbd | server-host | only alphanumerics, dash, and dot; no consecutive dots |
| irdbd | server-port | only digits; only positive numbers; no fractional part |
| myrpki | bpki_servers_directory | directory exists, is readable and searchable |
| myrpki | handle | only alphanumerics, dash, and underscore |
| myrpki | irdbd_server_host | only alphanumerics, dash, and dot; no consecutive dots |
| myrpki | irdbd_server_port | only digits; only positive numbers; no fractional part |
| myrpki | irdbd_sql_database | database name isn't null |
| myrpki | irdbd_sql_password | SQL password/hash defined; at least 40 characters long |
| myrpki | irdbd_sql_username | valid SQL user name was given |
| myrpki | pubd_server_host | only alphanumerics, dash, and dot; no consecutive dots |
| myrpki | pubd_server_port | only digits; only positive numbers; no fractional part |
| myrpki | pubd_sql_database | database name isn't null |
| myrpki | pubd_sql_password | SQL password/hash defined; at least 40 characters long |
| myrpki | pubd_sql_username | valid SQL user name was given |
| myrpki | publication_base_directory | directory exists, is readable and searchable |
| myrpki | publication_root_cert_directory | directory exists, is readable and searchable |
| myrpki | publication_root_module | module isn't null |
| myrpki | publication_rsync_module | module isn't null |
| myrpki | publication_rsync_server | only alphanumerics, dash, and dot; no consecutive dots |
| myrpki | rootd_server_host | only alphanumerics, dash, and dot; no consecutive dots |
| myrpki | rootd_server_port | only digits; only positive numbers; no fractional part |
| myrpki | rpkid_server_host | only alphanumerics, dash, and dot; no consecutive dots |
| myrpki | rpkid_server_port | only digits; only positive numbers; no fractional part |
| myrpki | rpkid_sql_database | database name isn't null |
| myrpki | rpkid_sql_password | SQL password/hash defined; at least 40 characters long |
| myrpki | rpkid_sql_username | valid SQL user name was given |
| myrpki | run_pubd | boolean value, "yes" or "no" (either case) |
| myrpki | run_rootd | boolean value, "yes" or "no" (either case) |
| myrpki | run_rpkid | boolean value, "yes" or "no" (either case) |
| myrpki | shared_sql_password | SQL password/hash defined; at least 40 characters long |
| myrpki | shared_sql_username | valid SQL user name was given |
| myrpki | start_irdbd | boolean value, "yes" or "no" (either case) |
| myrpki | start_pubd | boolean value, "yes" or "no" (either case) |
| myrpki | start_rootd | boolean value, "yes" or "no" (either case) |
| myrpki | start_rpkid | boolean value, "yes" or "no" (either case) |
| pubd | bpki-ta | file exists, is readable |
| pubd | irbe-cert | file exists, is readable |
| pubd | pubd-cert | file exists, is readable |
| pubd | pubd-key | file exists, is readable only by owner |
| pubd | publication-base | directory exists, is readable and searchable |
| pubd | server-host | only alphanumerics, dash, and dot; no consecutive dots |
| pubd | server-port | only digits; only positive numbers; no fractional part |
| pubd | sql-database | database name isn't null |
| pubd | sql-password | SQL password/hash defined; at least 40 characters long |
| pubd | sql-username | valid SQL user name was given |
| rootd | bpki-ta | file exists, is readable |
| rootd | child-bpki-cert | file exists, is readable |
| rootd | rootd-bpki-cert | file exists, is readable |
| rootd | rootd-bpki-crl | file exists, is readable |
| rootd | rootd-bpki-key | file exists, is readable only by owner |
| rootd | rpki-base-uri | url uses http:// or rsync://, network location given, 0 or 1 colons in network location |
| rootd | rpki-class-name | class name isn't null |
| rootd | rpki-root-cert | file exists, is readable |
| rootd | rpki-root-cert-uri | url uses http:// or rsync://, network location given, 0 or 1 colons in network location |
| rootd | rpki-root-crl | file exists, is readable |
| rootd | rpki-root-dir | directory exists, is readable and searchable |
| rootd | rpki-root-key | file exists, is readable only by owner |
| rootd | rpki-root-manifest | file exists, is readable |
| rootd | rpki-subject-cert | file exists, is readable |
| rootd | rpki-subject-lifetime | numeric portion is positive, unit is for hours, days, or months |
| rootd | rpki-subject-pkcs10 | file exists, is readable |
| rootd | server-host | only alphanumerics, dash, and dot; no consecutive dots |
| rootd | server-port | only digits; only positive numbers; no fractional part |
| rpkid | bpki-ta | file exists, is readable |
| rpkid | irbe-cert | file exists, is readable |
| rpkid | irdb-cert | file exists, is readable |
| rpkid | irdb-url | url uses http://, network location given, 0 or 1 colons in network location |
| rpkid | rpkid-cert | file exists, is readable |
| rpkid | rpkid-key | file exists, is readable only by owner |
| rpkid | server-host | only alphanumerics, dash, and dot; no consecutive dots |
| rpkid | server-port | only digits; only positive numbers; no fractional part |
| rpkid | sql-database | database name isn't null |
| rpkid | sql-password | SQL password/hash defined; at least 40 characters long |
| rpkid | sql-username | valid SQL user name was given |
| web_portal | sql-database | database name isn't null |
| web_portal | sql-username | valid SQL user name was given |
| web_portal | sql-password | SQL password/hash defined; at least 40 characters long |
| web_portal | secret-key | SQL password/hash defined; at least 40 characters long |
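As an added example (not part of this document or of the rpki toolkit itself), the following Python implements a subset of the basic checks above and runs them over a constructed rpki.conf fragment; the field values, the placeholder key path and the use of configparser are assumptions.

```python
import configparser, os, re, stat
from urllib.parse import urlsplit

# Constructed rpki.conf fragment for this example (not from a real deployment).
SAMPLE_CONF = """
[myrpki]
rpkid_server_host = rpki..example.net
rpkid_server_port = 4404
run_rpkid = Yes
[rpkid]
sql-password = short
irdb-url = http://localhost:4403/
rpkid-key = /nonexistent/placeholder/rpkid.key
"""

def check_host(value):    # alphanumerics, dash and dot only; no consecutive dots
    return re.fullmatch(r"[A-Za-z0-9.-]+", value) is not None and ".." not in value
def check_port(value):    # digits only (so no sign or fractional part), positive
    return re.fullmatch(r"[0-9]+", value) is not None and int(value) > 0
def check_secret(value):  # password/hash defined and at least 40 characters long
    return len(value) >= 40
def check_boolean(value): # "yes" or "no" in either case
    return value.lower() in ("yes", "no")

def check_url(value, schemes=("http", "rsync")):
    # allowed scheme, network location given, at most one colon in it
    parts = urlsplit(value)
    return parts.scheme in schemes and bool(parts.netloc) and parts.netloc.count(":") <= 1

def check_private_key(path):  # regular file that exists and is readable only by owner
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and (mode & 0o077) == 0

CHECKS = {  # (section, field) -> validator; a subset of the basic-checks table
    ("myrpki", "rpkid_server_host"): check_host,
    ("myrpki", "rpkid_server_port"): check_port,
    ("myrpki", "run_rpkid"): check_boolean,
    ("rpkid", "sql-password"): check_secret,
    ("rpkid", "irdb-url"): lambda v: check_url(v, ("http",)),
    ("rpkid", "rpkid-key"): check_private_key,
}

def run_basic_checks(conf_text):
    """Return the (section, field) pairs whose value fails its check."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    return [(s, f) for (s, f), check in CHECKS.items()
            if not check(cp.get(s, f, fallback=""))]
```

Note that the "0 or 1 colons in network location" rule, as written, rejects a bracketed IPv6 literal such as `[::1]:4403`.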
2. Cross Checks
The cross checks ensure that pairs of related configuration fields contain the same value. The two fields may be in the same section of the file or in different sections, and fields in different sections may or may not share a name.
The tables below describe the cross checks to be performed. Each table entry lists the section's field name, the "foreign" section, the foreign section's field name, and the comparison to be performed.
For example, the rpkid and pubd sections both have a bpki-ta field, and the two should contain the same value. Similarly, the myrpki section has a pubd_server_port field and the pubd section has a server-port field, and these should also be the same.
The tables in this section deliberately contain duplicated entries, so that this document can be used as a checklist confirming that every check has been implemented. Listing each cross check twice, once from each side, lets the check be carried out within the checks for each section.
For example, the bpki-ta check between rpkid and pubd appears as an entry under rpkid and again as an entry under pubd.
As of this writing, all comparisons are for equality. It is not known whether this will change in the future, so the comparison column is included in case it does.
| Section:Field | Foreign Section:Field | Comparison |
| --- | --- | --- |
| autoconf | No cross checks are required for this section. | |
| irdbd:server-host | myrpki:irdbd_server_host | equality |
| irdbd:server-port | myrpki:irdbd_server_port | equality |
| irdbd:sql-database | myrpki:irdbd_sql_database | equality |
| irdbd:sql-password | myrpki:irdbd_sql_password | equality |
| irdbd:sql-username | myrpki:irdbd_sql_username | equality |
| myrpki:irdbd_server_host | irdbd:server-host | equality |
| myrpki:irdbd_server_port | irdbd:server-port | equality |
| myrpki:irdbd_sql_database | irdbd:sql-database | equality |
| myrpki:irdbd_sql_password | irdbd:sql-password | equality |
| myrpki:irdbd_sql_username | irdbd:sql-username | equality |
| myrpki:pubd_server_host | pubd:server-host | equality |
| myrpki:pubd_server_port | pubd:server-port | equality |
| myrpki:pubd_sql_database | pubd:sql-database | equality |
| myrpki:pubd_sql_password | pubd:sql-password | equality |
| myrpki:pubd_sql_username | pubd:sql-username | equality |
| myrpki:publication_base_directory | pubd:publication-base | equality |
| myrpki:rootd_server_host | rootd:server-host | equality |
| myrpki:rootd_server_port | rootd:server-port | equality |
| myrpki:rpkid_server_host | rpkid:server-host | equality |
| myrpki:rpkid_server_port | rpkid:server-port | equality |
| myrpki:rpkid_sql_database | rpkid:sql-database | equality |
| myrpki:rpkid_sql_password | rpkid:sql-password | equality |
| myrpki:rpkid_sql_username | rpkid:sql-username | equality |
| pubd:bpki-ta | rootd:bpki-ta | equality |
| pubd:bpki-ta | rpkid:bpki-ta | equality |
| pubd:irbe-cert | rpkid:irbe-cert | equality |
| pubd:publication-base | myrpki:publication_base_directory | equality |
| pubd:server-host | myrpki:pubd_server_host | equality |
| pubd:server-port | myrpki:pubd_server_port | equality |
| pubd:sql-database | myrpki:pubd_sql_database | equality |
| pubd:sql-password | myrpki:pubd_sql_password | equality |
| pubd:sql-username | myrpki:pubd_sql_username | equality |
| rootd:bpki-ta | pubd:bpki-ta | equality |
| rootd:bpki-ta | rpkid:bpki-ta | equality |
| rootd:server-host | myrpki:rootd_server_host | equality |
| rootd:server-port | myrpki:rootd_server_port | equality |
| rpkid:bpki-ta | pubd:bpki-ta | equality |
| rpkid:bpki-ta | rootd:bpki-ta | equality |
| rpkid:irbe-cert | pubd:irbe-cert | equality |
| rpkid:server-host | myrpki:rpkid_server_host | equality |
| rpkid:server-port | myrpki:rpkid_server_port | equality |
| rpkid:sql-database | myrpki:rpkid_sql_database | equality |
| rpkid:sql-password | myrpki:rpkid_sql_password | equality |
| rpkid:sql-username | myrpki:rpkid_sql_username | equality |
| web_portal | No cross checks are required for this section. | |
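The equality cross checks above, as an added example (not from this document or the rpki toolkit): the table is encoded in both directions exactly as the document lists it, and each pair is still evaluated only once. The rpki.conf fragment is constructed and only a subset of the pairs is included.

```python
import configparser

# Constructed rpki.conf fragment for this example (not from a real deployment);
# the rpkid port deliberately disagrees between the myrpki and rpkid sections.
SAMPLE_CONF = """
[myrpki]
pubd_server_host = pubd.example.net
pubd_server_port = 4402
rpkid_server_port = 4404
[pubd]
bpki-ta = /usr/share/rpki/ca.cer
server-host = pubd.example.net
server-port = 4402
[rpkid]
bpki-ta = /usr/share/rpki/ca.cer
server-port = 4405
"""

# (section, field, foreign section, foreign field): a subset of the section 2
# table, listed in both directions exactly as the document does.
CROSS_CHECKS = [
    ("myrpki", "pubd_server_host", "pubd", "server-host"),
    ("myrpki", "pubd_server_port", "pubd", "server-port"),
    ("myrpki", "rpkid_server_port", "rpkid", "server-port"),
    ("pubd", "bpki-ta", "rpkid", "bpki-ta"),
    ("pubd", "server-host", "myrpki", "pubd_server_host"),
    ("pubd", "server-port", "myrpki", "pubd_server_port"),
    ("rpkid", "bpki-ta", "pubd", "bpki-ta"),
    ("rpkid", "server-port", "myrpki", "rpkid_server_port"),
]

def run_cross_checks(conf_text, checks=CROSS_CHECKS):
    """Return one (field, foreign field, value, foreign value) tuple per pair
    whose values are missing or differ.  Each pair is checked once even though
    the table lists it in both directions."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    seen, problems = set(), []
    for sec, fld, fsec, ffld in checks:
        pair = frozenset({(sec, fld), (fsec, ffld)})
        if pair in seen:
            continue
        seen.add(pair)
        a = cp.get(sec, fld, fallback=None)
        b = cp.get(fsec, ffld, fallback=None)
        if a is None or b is None or a != b:  # only equality is used today
            problems.append((f"{sec}:{fld}", f"{fsec}:{ffld}", a, b))
    return problems
```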
3. Recommended-Value Checks
The fields in this section are given values in the default
These fields have specific values they are expected to contain.
| Section:Field | Suggested Value |
| --- | --- |
| myrpki:irdbd_server_host | 'localhost' |
| myrpki:irdbd_sql_database | 'irdbd' |
| myrpki:pubd_sql_database | 'pubd' |
| myrpki:publication_root_module | 'root' |
| myrpki:publication_rsync_module | 'rpki' |
| myrpki:rootd_server_host | 'localhost' |
| myrpki:rpkid_sql_database | 'rpkid' |
| myrpki:run_pubd | 'no' |
| myrpki:run_rootd | 'no' |
| myrpki:run_rpkid | 'yes' |
| myrpki:shared_sql_username | 'rpki' |
The following pairs of fields are strongly suggested to match each other.
| Section:Field | Foreign Section:Field |
| --- | --- |
| myrpki:bpki_servers_directory | autoconf::datarootdir/rpki |
| myrpki:publication_rsync_server | myrpki::pubd_server_host |
| myrpki:start_irdbd | myrpki::run_rpkid |
| myrpki:start_pubd | myrpki::run_pubd |
| myrpki:start_rootd | myrpki::run_rootd |
| myrpki:start_rpkid | myrpki::run_rpkid |
| pubd:bpki-ta | myrpki::bpki_servers_directory/ca.cer |
| pubd:pubd-cert | myrpki::bpki_servers_directory/pubd.cer |
| pubd:pubd-key | myrpki::bpki_servers_directory/pubd.key |
| pubd:irbe-cert | myrpki::bpki_servers_directory/irbe.cer |
| rootd:bpki-ta | myrpki::bpki_servers_directory/ca.cer |
| rootd:rootd-bpki-crl | myrpki::bpki_servers_directory/ca.crl |
| rootd:rootd-bpki-cert | myrpki::bpki_servers_directory/rootd.cer |
| rootd:rootd-bpki-key | myrpki::bpki_servers_directory/rootd.key |
| rootd:child-bpki-cert | myrpki::bpki_servers_directory/child.cer |
| rpkid:bpki-ta | myrpki::bpki_servers_directory/ca.cer |
| rpkid:rpkid-cert | myrpki::bpki_servers_directory/rpkid.cer |
| rpkid:rpkid-key | myrpki::bpki_servers_directory/rpkid.key |
| rpkid:irdb-cert | myrpki::bpki_servers_directory/irdbd.cer |
| rpkid:irbe-cert | myrpki::bpki_servers_directory/irbe.cer |