Argus Policy Decision Point (PDP): Configuration¶
Configuration Files¶
The PDP is configured through the use of the pdp.ini
file,
located in /etc/argus/pdp
directory.
There is also an environment file,
located in /etc/sysconfig/argus-pdp
,
that contains environment variables used by the init script that manage the
service.
Configuration File Syntax¶
The pdp.ini
file is a standard INI file with three defined sections.
The SERVICE
section contains properties related the PDP service as a
whole and how it listens for incoming requests. The POLICY
section
contains properties for the retrieval of policies from the Policy
Administration Point (PAP). The final section, SECURITY
, contains
properties that related to various security aspects of the service, the
services private key and certificate, for example.
Basic Configuration Options¶
SERVICE section¶
Property | Description | Required? | Default Value |
---|---|---|---|
entityID | This is a unique identifier for the PDP. It must be a URI (URL or URN) and the same entity ID should be used for all PDP instances that make up a single logical PDP. If a URL is used it need not resolve to any specific webpage. | Y | None. Recommended value is a URL corresponding to the logical PDP service (e.g. http://pdp.example.org ). |
hostname | This is the hostname or IP address to which the service will bind. | Y | None. |
port | This is the port to which the service will bind. | N | 8152 |
adminHost | The hostname upon which the service will listen for admin commands. | N | 127.0.0.1 |
adminPort | This is the port upon which the service will listen for admin command. | N | 8153 |
adminPassword | This is the password required to accompany admin commands. If unspecified than no password is required to run admin commands. | N | None |
POLICY section¶
Property | Description | Required? | Default Value |
---|---|---|---|
paps | A space separated list of PAP endpoint URLs. Endpoints will be tried in turn until one returns a successful response. This provides limited failover support. If more intelligent failover is necessary or load balancing is required, a dedicated load-balancer/failover appliance should be used. | Y | None |
retentionInterval | The number of minutes the PDP will retain (cache) a policy retrieved from the PAP. After this time is passed the PDP will again call out to the PAP and retrieve the policy. | N | 240 (4 hours) |
SECURITY section¶
Property | Description | Required | Default Value |
---|---|---|---|
servicePrivateKey | An absolute path to the file containing the unencrypted, PEM-encoded, private key used by this service. All PDPs instances within a single logical PDP should use the same key | Yes | None |
serviceCertificate | An absolute path to the file containing the unencrypted, PEM-encoded, certificate used by this service. All PDPs instances within a single logical PDP should use the same key | Yes | None |
trustInfoDir | An absolute path to the directory that contains standard X.509 trust information, such as the IGTF Trust Anchor Distribution | Yes | None |
enableSSL | Indicates whether the service port should use SSL/TLS or not | No | false |
tlsProtocol | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1. | No | TLS |
enabledProtocols | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1. | No | None |
requireClientCertAuthentication | Indicates whether the client must use a valid client certificate to authenticate to the PDP | No | false |
Example pdp.ini files¶
The following example file contain the bare minimum required for a valid PDP configuration file.
[SERVER]
entityID = http://argus.example.org/pdp
hostname = argus.example.org
[POLICY]
paps = https://argus.example.org:8150/pap/services/ProvisioningService
[SECURITY]
servicePrivateKey = /etc/grid-security/hostkey.pem
serviceCertificate = /etc/grid-security/hostcert.pem
trustInfoDir = /etc/grid-security/certificates
# HTTPS enabled
enableSSL = true
tlsProtocol = TLS
Advanced Configuration Options¶
The following advanced options are available but are unlikely to ever be used by deployers. They are mostly for performing very fine-grained tuning of request/response handling parameters. Incorrectly configuring these can have a very negative impact on performance so deployers should not change these unless they are very sure they understand what the impact will be.
SERVICE section¶
Property | Description | Required? | Default Value |
---|---|---|---|
maximumRequests | The maximum number of requests that will be processed simultaneously. Additional requests will be queued. | N | 200 |
requestQueueSize | The maximum number of requests that will be queued up when all the processing threads are busy. Incoming requests received when all processing threads are busy and the queue is full will receive an HTTP 503 error. | N | 500 |
connectionTimeout | This is the length of time, in seconds, the service will wait for the client to send information before it considers the request timed out. | N | 30 seconds |
receiveBufferSize | This is the size, in bytes, that will be allocated to the HTTP request buffer. | N | 16384 (16kb) |
sendBufferSize | This is the size, in bytes, that will be allocated to the HTTP response buffer. | N | 16384 (16kb) |
POLICY section¶
Property | Description | Required | Default Value |
---|---|---|---|
policySetId | The ID of the policy to fetch from the PAP | No | -1 |
connectionTimeout | This is the length of time, in seconds, the PAP client will wait for the PAP to send information before it considers the request timed out | None | 30 |
receiveBufferSize | This is the size, in bytes, that will be allocated to the PAP client send buffer | No | 16384 (16KB) |
sendBufferSize | This is the size, in bytes, that will be allocated to the PAP client request buffer | No | 16384 (16KB) |
SECURITY section¶
Property | Description | Required? | Default Value |
---|---|---|---|
trustInfoRefresh | The frequency, in minutes, that the trust material specified by trustInfoDir will be checked for updates. |
N | 60 (1 hour) |
messageValidityPeriod | The number of seconds, from the time a message is issued, until it is considered expired. | N | 300s (5 minutes) |
clockSkew | The allowance, in seconds, used when computing validity periods. | N | 30s |
enableSSL | Enable HTTPS on the service port (SSL/TLS). The serviceCertificate , servicePrivateKey , and trustInfoDir properties must also be defined in order to use this setting. |
N | false |
tlsProtocol | Which TLS protocol should be used whent HTTPS is enabled. Available values: TLS (default), TLSv1.2, TLSv1.1. | N | TLS |
enabledProtocols | Specifies the TLS protocol versions to be enabled for use on the connection. The standard names that can be passed are, for example: TLSv1.2, TLSv1.1 and TLSv1 | N | None |
Environment file¶
In the /etc/sysconfig/argus-pdp
file are defined Argus PDP environment variables,
described in the table below.
Variable Default value Meaning JAVACMD
/usr/bin/java
Absolute path of the JVM executable. PDP_JOPTS
-Xmx256M -Djdk.tls.trustNameService=true
Optional parameters to pass to the JVM when PDP is started/stopped PDP_START_JOPTS
empty Optional parameters to pass to the JVM only when PDP is started; useful to enable JMX or remote debug PDP_HOME
/usr/share/argus/pdp
Absolute path of PDP installation directory PDP_CONF
/etc/argus/pdp/pdp.ini
Absolute path of PDP configuration file. PDP_CONFDIR
/etc/argus/pdp
Absolute path of PDP configuration directory. PDP_LOGDIR
/var/log/argus/pdp
Absolute path of PDP logs directory. PDP_LIBDIR
/var/lib/argus/pdp/lib
Absolute path of PDP libraries. PDP_ENDORSEDDIR
/var/lib/argus/pdp/lib/endorsed
Absolute path of PDP endorsed libraries. PDP_PROVIDEDDIR
/var/lib/argus/pdp/lib/provided
Absolute path of PDP provided libraries. PDP_PID
/var/run/argus-pdp.pid
Absolute path of PDP PID file.
Attention
-Djdk.tls.trustNameService=true
is mandatory in Argus version 1.7 with TLS turned on.Attention
/etc/sysconfig/argus-pdp.rpmnew
will be created.