Refactor configstd.cpp: Remove redundant variables and update pvacms …
…documentation for improved clarity and option usage.
george-mcintyre committed Dec 9, 2024
1 parent 8805d9d commit 7127067
Showing 2 changed files with 73 additions and 54 deletions.
4 changes: 2 additions & 2 deletions certs/authn/std/configstd.cpp
Expand Up @@ -40,12 +40,12 @@ void ConfigStd::fromStdEnv(const std::map<std::string, std::string> &defs) {

// EPICS_PVAS_TLS_KEYCHAIN
if (pickone({"EPICS_PVAS_TLS_KEYCHAIN"})) {
ensureDirectoryExists(tls_srv_cert_filename = tls_srv_private_key_filename = pickone.val);
ensureDirectoryExists(tls_srv_cert_filename = pickone.val);
}

// EPICS_PVAS_TLS_KEYCHAIN
if (pickone({"EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE"})) {
tls_srv_cert_password = tls_srv_private_key_password = getFileContents(pickone.val);
tls_srv_cert_password = getFileContents(pickone.val);
}

// EPICS_PVAS_TLS_PKEY
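Review bot: With `EPICS_PVAS_TLS_KEYCHAIN` now assigning only `tls_srv_cert_filename`, and the `_PWD_FILE` block assigning only `tls_srv_cert_password`, nothing in these two blocks gives the private key filename or password a value any more. Please confirm that the `EPICS_PVAS_TLS_PKEY` handling that follows, and any code that loads the server key, still falls back to the keychain file and its password when the PKEY variables are unset, rather than reading an empty path or empty password. Separately, the comment above the second block still reads `// EPICS_PVAS_TLS_KEYCHAIN` although the block handles `EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE`; it should name the variable it actually reads.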
123 changes: 71 additions & 52 deletions documentation/securepva.rst
Expand Up @@ -1711,58 +1711,77 @@ PVACMS Usage
.. code-block:: console
Usage: pvacms -a <acf> <opts>
-a <acf> Access Security configuration file
-c <CA P12 file> Specify CA certificate file location
Overrides xTLS_KEYCHAIN
environment variables.
Default ca.p12
-e <CA key file> Specify CA private key file location
Overrides EPICS_CA_TLS_PKEY
environment variables.
-d <cert db file> Specify cert db file location
Overrides EPICS_PVACMS_DB
environment variable.
Default certs.db
-h Show this message.
-k <P12 file> Specify certificate file location
Overrides EPICS_PVACMS_TLS_KEYCHAIN
environment variable.
Default server.p12
-l <P12 file> Specify private key file location
Overrides EPICS_PVACMS_TLS_PKEY
environment variable.
Default same as P12 file
-n <ca_name> To specify the CA's name if we need
to create a root certificate.
Defaults to the CA
-m <pvacms org> To specify the pvacms organization name if
we need to create a server certificate.
Defaults to the name of this executable (pvacms)
-o <ca_org> To specify the CA's organization if we need
to create a root certificate.
Defaults to the hostname.
Use '-' to leave unset.
-p <password file> Specify certificate password file location
Overrides EPICS_PVACMS_TLS_KEYCHAIN_PWD_FILE
environment variable.
'-' sets no password
-q <password file> Specify private key password file location
Overrides EPICS_PVACMS_TLS_PKEY_PWD_FILE
environment variable.
'-' sets no password
-s <CA secret file> Specify CA certificate password file
Overrides EPICS_CA_KEYCHAIN_PWD_FILE
environment variables.
'-' sets no password
-t <CA secret file> Specify CA private key password file
Overrides EPICS_CA_PKEY_PWD_FILE
environment variables.
'-' sets no password
-u <ca_org_unit> To specify the CA's organizational unit
-v Make more noise.
-V Print version and exit.
PVACMS - Certificate Management Service
pvacms [OPTIONS]
OPTIONS:
-h, --help Show this message
-v, --verbose Make more noise
-V, --version Print version and exit.
--ck, --ca-keychain TEXT [/Users/george/.epics/certs/ca.pem]
Specify CA keychain file location
--cpk, --ca-private-key TEXT
Specify CA private key file location
--ckp, --ca-keychain-pwd TEXT
Specify CA keychain password file location
--cpkp, --ca-private-key-pwd TEXT
Specify CA private key password file location
--pk, --pvacms-keychain TEXT [/Users/george/.epics/certs/pvacms.pem]
Specify PVACMS keychain file location
--ppk, --pvacms-private-key TEXT
Specify PVACMS private key file location
--pkp, --pvacms-keychain-pwd TEXT
Specify PVACMS keychain password file location
--ppkp, --pvacms-private-key-pwd TEXT
Specify PVACMS private key password file location
--ak, --admin-keychain TEXT
Specify PVACMS admin user's keychain file location
--apk, --admin-private-key TEXT
Specify PVACMS admin user's private key file location
--akp, --admin-keychain-pwd TEXT
Specify PVACMS admin user's keychain password file location
--apkp, --admin-private-key-pwd TEXT
Specify PVACMS admin user's private key password file location
--cn, --ca-name TEXT [EPICS Root CA]
Specify the CA's name. Used if we need to create a root
certificate
--co, --ca-org TEXT [ca.epics.org]
Specify the CA's Organization. Used if we need to create a root
certificate
--cou, --ca-org-unit TEXT [EPICS Certificate Authority]
Specify the CA's Organization Unit. Used if we need to create a
root certificate
--cc, --ca-country TEXT
Specify the CA's Country. Used if we need to create a root
certificate
--pn, --pvacms-name TEXT [PVACMS]
Specify the PVACMS name. Used if we need to create a PVACMS
certificate
--po, --pvacms-org TEXT [ca.epics.org]
Specify the PVACMS Organization. Used if we need to create a
PVACMS certificate
--pou, --pvacms-org-unit TEXT [EPICS Certificate Authority]
Specify the PVACMS Organization Unit. Used if we need to create a
PVACMS certificate
--pc, --pvacms-country TEXT
Specify the PVACMS Country. Used if we need to create a PVACMS
certificate
-s, --acf TEXT [/Users/george/.epics/auth/pvacms.acf]
Access security Configuration File
-d, --cert-db TEXT [/Users/george/.epics/db/certs.db]
Specify cert db file location
--client-require-approval BOOLEAN [1]
Generate Client Certificates in PENDING_APPROVAL state
--server-require-approval BOOLEAN [1]
Generate Server Certificates in PENDING_APPROVAL state
--gateway-require-approval BOOLEAN [1]
Generate Server Certificates in PENDING_APPROVAL state
--svm, --status-validity-mins UINT [30]
Set Status Validity Time in Minutes
--sme, --status-monitoring-enabled BOOLEAN [1]
Require Peers to monitor Status of Certificates Generated by this
server by default. Can be overridden in each CCR
.. _pvacms_configuration:
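Review bot: The short flag `-s` changes meaning in the new usage text: it was `-s <CA secret file>` (CA certificate password file) and is now `-s, --acf`, while the old `-a <acf>` is gone, so an existing invocation that passes a password file with `-s` would hand that file to the ACF option instead. Consider a different short flag for `--acf`, or state the change explicitly in this section. Other points in the same block: the `--gateway-require-approval` entry repeats "Generate Server Certificates in PENDING_APPROVAL state" and presumably should say Gateway; the bracketed defaults embed one developer's home directory (`/Users/george/.epics/...`) and would be better written relative to the user's home; and the new text drops the notes on which environment variable each option overrides and on `'-' sets no password`, which operators need if that behaviour still applies.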