Argus Policy Decision Point (PDP): Configuration

Configuration File Syntax

The PDP is configured through the use of the pdp.ini file. This file is a standard INI file with three defined sections. The SERVICE section contains properties related the PDP service as a whole and how it listens for incoming requests. The POLICY section contains properties for the retrieval of policies from the Policy Administration Point (PAP). The final section, SECURITY, contains properties that related to various security aspects of the service, the services private key and certificate, for example.

Basic Configuration Options

SERVICE section

Property Description Required? Default Value
entityID This is a unique identifier for the PDP. It must be a URI (URL or URN) and the same entity ID should be used for all PDP instances that make up a single logical PDP. If a URL is used it need not resolve to any specific webpage. Y None. Recommended value is a URL corresponding to the logical PDP service (e.g. http://pdp.example.org).
hostname This is the hostname or IP address to which the service will bind. Y None.
port This is the port to which the service will bind. N 8152
adminHost The hostname upon which the service will listen for admin commands. N 127.0.0.1
adminPort This is the port upon which the service will listen for admin command. N 8153
adminPassword This is the password required to accompany admin commands. If unspecified than no password is required to run admin commands. N None

POLICY section

Property Description Required? Default Value
paps A space separated list of PAP endpoint URLs. Endpoints will be tried in turn until one returns a successful response. This provides limited failover support. If more intelligent failover is necessary or load balancing is required, a dedicated load-balancer/failover appliance should be used. Y None
retentionInterval The number of minutes the PDP will retain (cache) a policy retrieved from the PAP. After this time is passed the PDP will again call out to the PAP and retrieve the policy. N 240 (4 hours)

SECURITY section

Property Description Required? Default Value
servicePrivateKey An absolute path to the file containing the unencrypted, PEM-encoded, private key used by this service. All PDPs instances within a single logical PDP should use the same key. Y None.
serviceCertificate An absolute path to the file containing the unencrypted, PEM-encoded, certifcate used by this service. All PDPs instances within a single logical PDP should use the same key. Y None.
trustInfoDir An absolute path to the directory that contains standard X.509 trust information, such as the IGTF Trust Anchor Distribution. Y None
enableSSL Indicates whether the service port should use SSL/TLS or not. N false
requireClientCertAuthentication Indicates whether the client must use a valid client certificate to authenticate to the PDP N false

Example pdp.ini files

The following example file contain the bare minimum required for a valid PDP configuration file.
[SERVER]
entityID = http://argus.example.org/pdp
hostname = argus.example.org

[POLICY]
paps = https://argus.example.org:8150/pap/services/ProvisioningService

[SECURITY]
servicePrivateKey = /etc/grid-security/hostkey.pem
serviceCertificate = /etc/grid-security/hostcert.pem
trustInfoDir = /etc/grid-security/certificates
# HTTPS enabled
enableSSL = true

Advanced Configuration Options

The following advanced options are available but are unlikely to ever be used by deployers. They are mostly for performing very fine-grained tuning of request/response handling parameters. Incorrectly configuring these can have a very negative impact on performance so deployers should not change these unless they are very sure they understand what the impact will be.

SERVICE section

Property Description Required? Default Value
maximumRequests The maximum number of requests that will be processed simultaneously. Additional requests will be queued. N 200
requestQueueSize The maximum number of requests that will be queued up when all the processing threads are busy. Incoming requests received when all processing threads are busy and the queue is full will receive an HTTP 503 error. N 500
connectionTimeout This is the length of time, in seconds, the service will wait for the client to send information before it considers the request timed out. N 30 seconds
receiveBufferSize This is the size, in bytes, that will be allocated to the HTTP request buffer. N 16384 (16kb)
sendBufferSize This is the size, in bytes, that will be allocated to the HTTP response buffer. N 16384 (16kb)

POLICY section

Property Description Required? Default Value
policySetId The ID of the policy to fetch from the PAP. N -1
connectionTimeout This is the length of time, in seconds, the PAP client will wait for the PAP to send information before it considers the request timed out. N 30 seconds
receiveBufferSize This is the size, in bytes, that will be allocated to the PAP client send buffer. N 16384 (16kb)
sendBufferSize This is the size, in bytes, that will be allocated to the PAP client request buffer. N 16384 (16kb)

SECURITY section

Property Description Required? Default Value
trustInfoRefresh The frequency, in minutes, that the trust material specified by trustInfoDir will be checked for updates. N 60 (1 hour)
messageValidityPeriod The number of seconds, from the time a message is issued, until it is considered expired. N 300s (5 minutes)
clockSkew The allowance, in seconds, used when computing validity periods. N 30s
Edit | Attach | Watch | Print version | History: r10 < r9 < r8 < r7 < r6 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r10 - 2016-07-05 - MaartenLitmaath
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EGEE All webs login

This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright & by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Ask a support question or Send feedback