skel/share/defaults/dcache.properties

#  -----------------------------------------------------------------------
#     dCache default values
#  -----------------------------------------------------------------------
@DEFAULTS_HEADER@
#
#   Properties prefixed by 'dcache' are either not specific to any
#   particular service, or used by several services. In the former case,
#   the property is annotated with (not-for-services). In the latter case,
#   a similarly named property prefixed by the service type is defined
#   for each service using the property.
#

#  -----------------------------------------------------------------------
#     Parameters related to dCache startup
#  -----------------------------------------------------------------------

# If defined, the UID of the java process will be set.  Notice that
# log files will continue to be generated with the user id that
# invoked the init script. When undefined or left blank, the UID will
# not be changed.
(not-for-services)dcache.user=@dcache.user@

# Type of namespace backend. Legal value is chimera.
(one-of?chimera)dcache.namespace=chimera

# The layout determines which domains to start.
(not-for-services)dcache.layout=${host.name}

# Base directory for layout files
(not-for-services)dcache.layout.dir=${dcache.paths.etc}/layouts

# The layout file describes the domains of a layout
(not-for-services)dcache.layout.uri=file:${dcache.layout.dir}/${dcache.layout}.conf

# Directory for PID files
(not-for-services)dcache.pid.dir=@dcache.pid.dir@

# PID file for daemon wrapper script
(not-for-services)dcache.pid.java=${dcache.pid.dir}/dcache.${dcache.domain.name}-java.pid

# PID file for Java process
(not-for-services)dcache.pid.daemon=${dcache.pid.dir}/dcache.${dcache.domain.name}-daemon.pid

# Directory for log files
(not-for-services)dcache.log.dir=@dcache.log.dir@

# Path to log file
(not-for-services)dcache.log.file=${dcache.log.dir}/${dcache.domain.name}.log

# This variable describes what should be done with an existing log
# file when a domain is started.  The options are either to rename
# LOGFILE to LOGFILE.old so allowing a new log file to be created, or
# to retain the log file and subsequent logging information will be
# appended.
#
(not-for-services,one-of?new|keep)dcache.log.mode=keep

# Logback configuration file
(not-for-services)dcache.log.configuration=file:${dcache.paths.etc}/logback.xml

# Log levels
#
# Log levels for various log output targets. Possible log levels are off, error, warn, info,
# debug and trace. Log levels can also be adjusted at runtime using the log commands in
# the dCache admin shell.
#
# Detailed log configuration can be done in the logback configuration file, logback.xml.
#
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.file=warn
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.pinboard=info
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.remote=off
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.events=off
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.access=info

# How many days to keep access logs
dcache.log.access.max-history=30

# Host on which the remote log server will run
# relative to this dCache installation
#
(not-for-services)dcache.log.server.host=localhost

# Port on which the remote log server will listen
#
(not-for-services)dcache.log.server.port=9867

# Log formats
#
# These define the log format of various log output targets. For details on the format visit
# http://logback.qos.ch/manual/layouts.html#conversionWord
#
# Detailed log configuration can be done in the logback configuration file, logback.xml.
#
(not-for-services)dcache.log.format.file=%d{dd MMM yyyy HH:mm:ss} \\(%X{cells.cell}\\) [%X{org.dcache.ndc}] %m%n
(not-for-services)dcache.log.format.pinboard=[%t] [%X{org.dcache.ndc}] %m

# Delay, in seconds, between automatic restarts of a crashed domain
(not-for-services)dcache.restart.delay=10

# Directory used for creating the files to surpress automatic restart
(not-for-services)dcache.restart.dir=/tmp

# File used to suppress automatic restart
(not-for-services)dcache.restart.file=${dcache.restart.dir}/.dcache-stop.${dcache.domain.name}

# Java maximum heap size
(not-for-services)dcache.java.memory.heap=512m

# Java maximum direct buffer size
(not-for-services)dcache.java.memory.direct=512m

# Directory where to store heapdumps
(not-for-services)dcache.java.oom.location=${dcache.log.dir}

# Path to heap dump file
(not-for-services)dcache.java.oom.file=${dcache.java.oom.location}/${dcache.domain.name}-oom.hprof

# Extra jar files to add to the class path
(not-for-services)dcache.java.classpath=

#  ---- The Library path
#
#   Can contain .so libraries for JNI.
#
(not-for-services)dcache.java.library.path=${dcache.paths.lib}


#  ---- Java VM options
#
#  Properties that control the options to the Java VM instances.
#
#  There are two kinds of Java virtual machine instances: short-lived
#  and long-lived.
#
#  The short-lived invocations are expected to run as quickly as
#  possible and generally complete within a few seconds.
#
#  The long-lived invocations are the dCache domains.  These will have
#  the same duration as a dCache domain; i.e., many months or years.
#
#  dCache uses different Java options to hint to the JVM that the
#  different invocations have different expected lifetimes; for
#  example, short-lived invocations should favour startup speed over
#  long-term optimisation.
#
#  The JVM options used are dcache.java.options and
#  dcache.java.options.short-lived, both of which include
#  dcache.java.options.common.  In general, these three properties
#  should not be directly reconfigured, but site customisation should
#  be achieved through other properties.  In particular, additional
#  java command-line arguments may be added by configuring either the
#  dcache.java.options.extra or dcache.java.options.short-lived.extra
#  property (or both).

#  This property allows site-specific extra options that are used only
#  for long-lived JVM instances.
#
(not-for-services)dcache.java.options.extra=

#  This property allows site-specific extra options that are used only
#  for short-lived JVM instances.
#
(not-for-services)dcache.java.options.short-lived.extra=

#  This property provides Java command-line arguments for long-lived
#  JVM instances.  Sites should not modify this property, but use the
#  dcache.java.options.extra property to add any site-specific
#  arguments.
#
(not-for-services)dcache.java.options=\
    -server \
    -Xmx${dcache.java.memory.heap} \
    -XX:MaxDirectMemorySize=${dcache.java.memory.direct} \
    -Dsun.net.inetaddr.ttl=${dcache.net.inetaddr.lifetime} \
    -Dorg.globus.tcp.port.range=${dcache.net.wan.port.min},${dcache.net.wan.port.max} \
    -Djava.net.preferIPv4Stack=true \
    -Dorg.dcache.dcap.port=${pool.dcap.port} \
    -Dorg.dcache.net.tcp.portrange=${dcache.net.lan.port.min}:${dcache.net.lan.port.max} \
    -Dorg.globus.jglobus.delegation.cache.lifetime=${dcache.authn.gsi.delegation.cache.lifetime} \
    -Dorg.globus.jglobus.crl.cache.lifetime=${dcache.authn.gsi.crl.cache.lifetime} \
    -Djava.security.krb5.realm=${dcache.authn.kerberos.realm} \
    -Djava.security.krb5.kdc=${dcache.authn.kerberos.key-distribution-center-list} \
    -Djavax.security.auth.useSubjectCredsOnly=false \
    -Djava.security.auth.login.config=${dcache.authn.jaas.config} \
    -XX:+HeapDumpOnOutOfMemoryError \
    -XX:HeapDumpPath=${dcache.java.oom.file} \
    -javaagent:${dcache.paths.classes}/aspectjweaver-1.7.3.jar \
    ${dcache.java.options.common} \
    ${dcache.java.options.extra}


#  This property provides Java command-line arguments for short-lived
#  JVM instances.  Sites should not modify this property, but
#  configure the dcache.java.options.short-lived.extra property to add
#  any site-specific arguments.
#
(not-for-services)dcache.java.options.short-lived=\
    -client \
    -XX:+TieredCompilation \
    -XX:TieredStopAtLevel=0 \
    ${dcache.java.options.common} \
    ${dcache.java.options.short-lived.extra}


#  This property provides Java command-line arguments for both
#  short-lived and long-lived JVM instances.  In general, sites should
#  not modify this property, but modify either the
#  dcache.java.options.extra property, the
#  dcache.java.options.short-lived.extra property or both properties
#  to add any site-specific arguments.
#
#  Notes:
#     - wantLog4jSetup is used by eu.emi:trustmanager
#
(not-for-services)dcache.java.options.common=\
    -Djava.awt.headless=true \
    -DwantLog4jSetup=n


# Whether to cache the compiled configuration files. If disabled most dCache
# scripts will invoke the dCache boot loader to compile the configuration files.
# When enabled the compiled configuration files are cached and only recompiled
# if any of the input files have changed.
(not-for-services)dcache.config.cache=true

# The following property describes whether dCache should run under Terracotta.
# It is only supported by the srm service at this time,so do not enable it in
# dcache.conf; instead, enable it, in the layout file, for the domain the srm
# service runs within.
#
#  For example:
#
#    [srmDomain]
#     dcache.terracotta.enabled=true
#     dcache.terracotta.install.dir=/opt/terracotta
#
#    [srmDomain/srm]
#    [srmDomain/spacemanager]
#
(not-for-services,one-of?true|false)dcache.terracotta.enabled=false

# The following parameter specifies the location of Terracotta
# If dcache.terracotta.enabled is true then this must be specified as well
(not-for-services)dcache.terracotta.install.dir=

# Location of the Terracotta configuration file
(not-for-services)dcache.terracotta.config.path=${dcache.paths.etc}/tc-config.xml

#  -----------------------------------------------------------------------
#     Parameters related to what runs inside a domain
#  -----------------------------------------------------------------------

# A batch file to execute in every domain before services are loaded.
(deprecated,not-for-services)domain.preload=file:${dcache.paths.share}/cells/preload.fragment
(not-for-services)dcache.domain.preload=${domain.preload}

# Directory containing service batch files (the batch files that start
# dCache cells)
(deprecated)domain.service.dir=${dcache.paths.share}/services
dcache.domain.service.dir=${domain.service.dir}

# Base URI of service batch files (the batch files that start dCache
# cells). The trailing slash is significant due to how URIs are
# resolved relative to each other.
(deprecated)domain.service.uri.base=file:${dcache.domain.service.dir}/
dcache.domain.service.uri.base=${domain.service.uri.base}

# URI to service batch file. A relative URI is resolved by
# searching the plugin directories. If not found, it is resolved
# relative to domain.service.uri.base.
(deprecated)domain.service.uri=${dcache.domain.service}.batch
dcache.domain.service.uri=${domain.service.uri}

#  -----------------------------------------------------------------------
#     Common network related parameters
#  -----------------------------------------------------------------------

# Port range used for transfers using typical WAN protocols
(deprecated,not-for-services)net.wan.port.min=20000
(deprecated,not-for-services)net.wan.port.max=25000
(not-for-services)dcache.net.wan.port.min=${net.wan.port.min}
(not-for-services)dcache.net.wan.port.max=${net.wan.port.max}

# Port range used for transfers using typical LAN protocols
(deprecated,not-for-services)net.lan.port.min=33115
(deprecated,not-for-services)net.lan.port.max=33145
(not-for-services)dcache.net.lan.port.min=${net.lan.port.min}
(not-for-services)dcache.net.lan.port.max=${net.lan.port.max}

# Java DNS cache (seconds)
(deprecated,not-for-services)net.inetaddr.lifetime=1800
(not-for-services)dcache.net.inetaddr.lifetime=${net.inetaddr.lifetime}

#
#   Various components can bind to a particular network interface.  The value of
#   the dcache.net.listen property describes which interface a door should use.
#   The value is the IP address of the interface the component should use; for
#   example, the loop-back interface (commonly 'lo') is '127.0.0.1' for IPv4,
#   '::1' for IPv6.
#
#   The address '0.0.0.0' listens on all interfaces for IPv4
#   connections and '::' listens on all interfaces for IPv6
#   connections (depending on the platform, an IPv4 address may be
#   converted to the equivalent IPv6 address and match '::').  The
#   keyword 'any' will listen on all interfaces.
#
(deprecated)listen = any
dcache.net.listen=${listen}

#  -----------------------------------------------------------------------
#          Cell Communication
#  -----------------------------------------------------------------------

#  ---- Which message broker implementation to use
#
#   Selects between various message brokers. The message broker
#   determines how dCache domains communicate with each other. Valid
#   values are:
#
#   'cells' is the classic cells based system. It relies on a central
#   location service that all domains connect to. The host, port and
#   domain of this service is defined by broker.host, broker.port and
#   broker.domain.
#
#   'amq' connects to an ActiveMQ broker.
#
#   'amq-embedded' starts an embedded ActiveMQ broker in the domain
#   specified by broker.domain. For other domains this is equivalent
#   as specifying 'amq'.
#
#   'cells+amq-embedded' is a hybrid broker. An embedded ActiveMQ
#   broker is started in the domain specified by broker.domain. At the
#   same time a classic cells location service is instantiated in the
#   same domain. Thus both 'cells' and 'amq' can be used by other
#   domains to connect to the broker.
#
#   'openmq' connects to an OpenMQ broker.
#
#   'cells+openmq' is a hybrid solution. A connection to an OpenMQ
#   broker is established. At the same time a classic cells location
#   service is instantiated in dCacheDomain. Thus both 'cells' and
#   'openmq' can be used by other domains to connect to the broker.
#
#   'none' no broker connection is establish. This is used for single
#   domain deployments.
#
(deprecated,not-for-services,one-of?cells|none\
                        |amq|amq-embedded|cells+amq-embedded\
                        |openmq|cells+openmq)\
broker.scheme=cells
(not-for-services,one-of?cells|none\
                        |amq|amq-embedded|cells+amq-embedded\
                        |openmq|cells+openmq|${broker.scheme})\
dcache.broker.scheme=${broker.scheme}


#  ---- Broker for interdomain communication
#
#   By default both the cells and the hybrid broker styles use a star
#   topology with all messages going through a central domain. This
#   domain is usually dCacheDomain, but any domain can be used.
#
#   As all other domains need to connect to the broker, broker.host
#   has to be configured throughout the dCache instance unless the
#   broker runs on the local host or if there is no broker.
#
#   Domains open a UDP port to listen for topology information.  The
#   information is sent from the broker.domain domain.  The port
#   number that a domain listens for topology information is
#   configured by the broker.client.port property.  This is either
#   the port number or 0 (indicating a randomly chosen port number).
#
#   NOTE: broker.client.port must be EITHER a unique port number OR
#   0.  This means that it is almost certainly wrong to configure this
#   property anywhere other than in a domain's context (i.e., immediately
#   after declaring a domain).
#
#   Inter-domain messages are sent via TCP on the port defined by
#   broker.messaging.port.  Since topology discovery uses UDP,
#   broker.port and broker.messaging.port may have the same port
#   number.
#
(deprecated,not-for-services)broker.domain=dCacheDomain
(not-for-services)dcache.broker.domain=${broker.domain}
(deprecated,not-for-services)broker.host=localhost
(not-for-services)dcache.broker.host=${broker.host}
(deprecated,not-for-services)broker.port=11111
(not-for-services)dcache.broker.port=${broker.port}
(deprecated,not-for-services)broker.messaging.port=${dcache.broker.port}
(not-for-services)dcache.broker.messaging.port=${broker.messaging.port}
(deprecated,not-for-services)broker.client.port = 0
(not-for-services)dcache.broker.client.port = ${broker.client.port}

#  ---- Location of location manager configuration file
#
#   Only used with broker.scheme=cells and only by the
#   ${broker.domain} domain.  If the file doesn't exist then a default
#   'star' topology is used, where the ${broker.domain} domain accepts
#   connections from all other domains and routes messages
#   accordingly.
#
#   If the ${broker.cells.config} file exists then it is read by the
#   lmd cell running in ${broker.domain} on startup.  This allows
#   site-specific adjustments to the messaging topology.
#
#   Please note that adjusting the messaging topology is an advance
#   feature that few (if any) dCache deployments need to adjust.
#   Using a different messaging technology may be a preferable
#   solution; see broker.scheme property for the alternatives.
#
#   The user ${dcache.user} must be able to write into the directory
#   in which the file is located for the 'setup write' command of
#   location manager cell (lmd) to work.
#
(deprecated,not-for-services)broker.cells.config=${dcache.paths.etc}/lm.config
(not-for-services)dcache.broker.cells.config=${broker.cells.config}

#  ---- Port and host used for ActiveMQ broker
#
#   Determines the host and port used for the ActiveMQ broker. The
#   host defaults to ${broker.host}. Only used if messageBroker is set
#   to either jms or hybrid.
#
(deprecated,not-for-services)broker.amq.host=${dcache.broker.host}
(not-for-services)dcache.broker.amq.host=${broker.amq.host}
(deprecated,not-for-services)broker.amq.port=11112
(not-for-services)dcache.broker.amq.port=${broker.amq.port}
(deprecated,not-for-services)broker.amq.ssl.port=11113
(not-for-services)dcache.broker.amq.ssl.port=${broker.amq.ssl.port}

#  ---- Connection URL for ActiveMQ
#
#   By default, the ActiveMQ connection URL is formed from
#   broker.amq.host and broker.amq.port properties. The broker.amq.url
#   property may be used to configure more advanced broker
#   topologies. Consult the ActiveMQ documentation for possible
#   values.
#
(deprecated,not-for-services)broker.amq.url=failover:tcp://${broker.amq.host}:${broker.amq.port}
(not-for-services)dcache.broker.amq.url=${broker.amq.url}

#  ----- OpenMQ broker host
(deprecated,not-for-services)broker.openmq.host=${dcache.broker.host}
(not-for-services)dcache.broker.openmq.host=${broker.openmq.host}

#  ----- OpenMQ broker port
(deprecated,not-for-services)broker.openmq.port=11112
(not-for-services)dcache.broker.openmq.port=${broker.openmq.port}

#  ----- OpenMQ interval in milliseconds between connection attempts
(deprecated,not-for-services)broker.openmq.reconnect.interval=30000
(not-for-services)dcache.broker.openmq.reconnect-interval=${broker.openmq.reconnect.interval}
(not-for-services,one-of?MILLISECONDS|SECONDS|MINUTES|HOURS|DAYS)dcache.broker.openmq.reconnect-interval.unit=MILLISECONDS

#  -----------------------------------------------------------------------
#          Cell addresses of dCache components
#  -----------------------------------------------------------------------

(deprecated)pnfsmanager=${pnfsmanager.cell.name}
(deprecated)poolmanager=${poolmanager.cell.name}
(deprecated)billing=${billing.cell.name}
(deprecated)gplazma=${gplazma.cell.name}
(deprecated)spacemanager=${spacemanager.cell.name}

dcache.service.broadcast=${broadcast.cell.name}
dcache.service.pnfsmanager=${pnfsmanager}
dcache.service.poolmanager=${poolmanager}
dcache.service.billing=${billing}
dcache.service.gplazma=${gplazma}
dcache.service.spacemanager=${spacemanager}
dcache.service.pinmanager=${pinmanager.cell.name}
dcache.service.replica=${replica.cell.name}
dcache.service.transfermanager=${transfermanagers.cell.name}
dcache.service.copymanager=CopyManager


#  -----------------------------------------------------------------------
#          Common authentication properties
#  -----------------------------------------------------------------------

# GSI caching parameters (ms)
(deprecated,not-for-services)gsi.delegation.cache.lifetime=30000
(not-for-services)dcache.authn.gsi.delegation.cache.lifetime=${gsi.delegation.cache.lifetime}
(deprecated,not-for-services)gsi.crl.cache.lifetime=60000
(not-for-services)dcache.authn.gsi.crl.cache.lifetime=${gsi.crl.cache.lifetime}


#  ---- Kerberos realm
#
#  Your kerberos 5 realm, used by Kerberos dcap and FTP doors
#
(deprecated,not-for-services)kerberos.realm=EXAMPLE.ORG
(not-for-services)dcache.authn.kerberos.realm=${kerberos.realm}

#  ---- Kerberos key distribution center
#
#  A comma-separated list of KDC hostnames.  localhost may be used if
#  a KDC multiplexer is running on the same machine as the Kerberos FTP doors.
#
(deprecated)kerberos.key-distribution-center-list=localhost
dcache.authn.kerberos.key-distribution-center-list=${kerberos.key-distribution-center-list}

#  ----- JAAS configuration file
#
#  Template JAAS configuration files are available in the
#  share/examples/kerberos directory as jgss.conf and jgss_host.conf.
#  Please copy these files into ${dcache.paths.etc} and modify their
#  content as appropriate.  The minimum configuration is to change
#  the principle value, replacing "door.example.org" with the FQDN of
#  the door and replacing "EXAMPLE.ORG" with the Kerberos Realm.
#
#  The file jgss.conf is suitable for a domain running a Kerberos FTP
#  door and jgss_host.conf is suitable for a domain running a Kerberos
#  dcap door.  Only one file may be specified per domain.
#
(deprecated)kerberos.jaas.config=${dcache.paths.etc}/jgss.conf
dcache.authn.jaas.config=${kerberos.jaas.config}
#dcache.authn.jaas.config=${dcache.paths.etc}/jgss.conf
#dcache.authn.jaas.config=${dcache.paths.etc}/jgss_host.conf


#  ---- SSL Server certificate
#
#   This parameter specifies the path to the file containing the
#   PKCS12 encoded server certificate used for SSL. The host certificate
#   in /etc/grid-security/ needs to be converted to PKCS12 format before
#   it can be used with SSL. Use the 'bin/dcache import
#   hostcert' command to perform this task. This is used in Webadmin and WebDAV
#
#   Notice that for GSI the host cetificate in /etc/grid-security/ is used
#   directly.
#
(deprecated)keyStore=${dcache.paths.etc}/hostcert.p12
dcache.authn.keystore=${keyStore}

#  ---- Password for SSL server certificate
#
#   This parameter specifies the password with which the PKCS12 encoded
#   server certificate is encrypted.
#
(deprecated)keyStorePassword=dcache
dcache.authn.keystore.password=${keyStorePassword}

#  ---- Trusted SSL CA certificates
#
#   This parameter specifies the path to a Java Keystore containing
#   the the trusted CA certicates used for SSL. The CA certificates
#   in /etc/grid-security/certificates/ need to be converted into a
#   Java Keystore file before they can be used with SSL. Use the
#   'bin/dcache import cacerts' command to perform this task.
#   This is used in httpd and WebDAV.
#
#   Notice that for GSI the CA cetificates in
#   /etc/grid-security/certificates/ are used directly.
#
(deprecated)trustStore=${dcache.paths.etc}/certificates.jks
dcache.authn.truststore=${trustStore}

#  ---- Password for trusted SSL CA certificates
#
#   This parameter specifies the password with which the Java Keystore
#   containing the trusted CA certificates is encrypted.
#
(deprecated)trustStorePassword=dcache
dcache.authn.truststore.password=${trustStorePassword}

# ---- Host private key in PEM format
(deprecated)grid.hostcert.key=${dcache.paths.grid-security}/hostkey.pem
dcache.authn.hostcert.key=${grid.hostcert.key}

# ---- Host certificate in PEM format
(deprecated)grid.hostcert.cert=${dcache.paths.grid-security}/hostcert.pem
dcache.authn.hostcert.cert=${grid.hostcert.cert}

# ---- Host certificate refresh period
#
# This option influences in which intervals the host certificate will be
# reloaded on a running door.
#
(deprecated)grid.hostcert.refresh=43200
dcache.authn.hostcert.refresh=${grid.hostcert.refresh}
dcache.authn.hostcert.refresh.unit=SECONDS

#  ---- Verification of the issuer chain of the host certificate
#
#  This can have advantages and disadvantages. If the used host certificates
#  are in a Grid environment, where they are supposed to be signed by trusted
#  CA certificates, setting this to true establishes a fail-fast behaviour.
#
#  If the certificates are self-signed or signed by a custom-CA, this value
#  should be set to false.
#
(deprecated,one-of?true|false)grid.hostcert.verify=true
(one-of?true|false|${grid.hostcert.verify})dcache.authn.hostcert.verify=${grid.hostcert.verify}

#  ---- Directory containing trusted CA certificates
(deprecated)grid.ca.path=${dcache.paths.grid-security}/certificates
dcache.authn.capath=${grid.ca.path}

# ---- CA certificates refresh period
#
# Grid-based authentication usually requires to load a set of
# certificates that are accepted as certificate authorities. This
# option influences in which interval these trust anchors are
# reloaded.
#
(deprecated)grid.ca.refresh=43200
dcache.authn.capath.refresh=${grid.ca.refresh}
(one-of?MILLISECONDS|SECONDS|MINUTES|HOURS|DAYS)dcache.authn.capath.refresh.unit=SECONDS

# ---- Path to vomsdir directory
#
# Contains attribute validation information for authorized VOMS servers
dcache.authn.vomsdir=${dcache.paths.grid-security}/vomsdir


# ---- Flags to disable ciphers
#
#   Comma separated list of flags related to ciphers.
#
#   DISABLE_BROKEN_DH
#
#   Diffie-Hellman is broken in Java 1.7u6 and forward. If  DISABLE_BROKEN_DH is
#   included, dCache will disable all cipher families involving Diffie-Hellman on
#   those versions of Java. Depending on the client, this may result in less
#   secure SSL/TLS/GSI connections.
#
#   The symptoms of running with broken Diffie-Hellman enabled is that approximately
#   0.4% of all connections will fail during handshake.
#
#   DISABLE_EC
#
#   Elliptic Curve ciphers are broken in Java 1.7 on Linux. The problem is that the
#   JRE successfully negotiates the use of cipher variants not supported by libnss3.
#   If this option is specified, dCache will disable all cipher families involving
#   Elliptic Curve ciphers.
#
(deprecated)dcache.security.ciphers=DISABLE_EC,DISABLE_BROKEN_DH
dcache.authn.ciphers=${dcache.security.ciphers}

#  ---- Whether to overwrite existing files on upload
#
#   The following property affects FTP doors, WebDAV doors and the SRM.
#   For dcap see the truncate property.  For xrootd, the policy is
#   controlled by the client. Note that setting the property to false
#   will break standards compliance.
#
(deprecated,one-of?true|false)overwriteEnabled=true
(one-of?true|false|${overwriteEnabled})dcache.enable.overwrite=${overwriteEnabled}


#  -----------------------------------------------------------------------
#          Database Configuration
#  -----------------------------------------------------------------------
#
#   The current setup assumes that one or more PostgreSQL servers are
#   used by the various dCache components.  Database user and database
#   password are configurable. The dCache components use the databases 'dcache',
#   'replicas', 'companion' and 'billing'.  However, these might be located on
#   separate hosts.
#
#   The most performant configuration is to have the database server
#   running on the same host as the dCache component that will
#   access it.  Therefore, the default value for all the following
#   variables is 'localhost'.  Uncomment and change these variables
#   only if you have a reason to deviate from this scheme.
#
#   For example, one valid deployment would be to put the 'billing'
#   database on different host than the pnfs server database and
#   companion, but keep the httpDomain on the admin host.

#  ---- Whether to manage database schemas automatically
#
#   When true, database schemas will be automatically updated when
#   needed. Not all services support this setting. This settings
#   applies to a complete domain and must not be defined at the
#   service level.
#
(one-of?true|false)dcache.db.schema.auto=true


#  -----------------------------------------------------------------------
#       Tape protection
#  -----------------------------------------------------------------------
#
#   The    tape   protection    feature   is    only    available   if
#   dcache.authz.staging  is   defined,   and  there  is  a
#   similarly  named file  containing a  list of  FQANs and  DNs whose
#   owners are allowed to stage files (i.e., to read files from dCache
#   that are stored only on tape).
#
#   Stage configuration can  be provided either on the  door or on the
#   PoolManager as described in the following two cases below:
#
#      1) stage configuration provided on the door
#         (remember to repeat the same configuration on each door):
#         dcache.authz.staging.pep=doors
#      2) stage configuration provided on the PoolManager:
#         dcache.authz.staging.pep=PoolManager
#
(deprecated)stageConfigurationFilePath=
(deprecated,one-of?doors|PoolManager)stagePolicyEnforcementPoint=doors
dcache.authz.staging=${stageConfigurationFilePath}
(one-of?doors|PoolManager|${stagePolicyEnforcementPoint})dcache.authz.staging.pep=${stagePolicyEnforcementPoint}


#  -----------------------------------------------------------------------
#         Provide information about message broker
#  -----------------------------------------------------------------------
#
#   The following properties provide information about the broker
#   domain.  The actual domain is defined by broker.domain.
#
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-cells=${dcache.broker.messaging.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-cells=${dcache.broker.port} ${dcache.broker.client.port}
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-cells=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-cells=${dcache.broker.client.port}

(immutable)dcache.broker.net.ports.tcp-when-scheme-is-amq=
(immutable)dcache.broker.net.ports.udp-when-scheme-is-amq=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-amq=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-amq=

(immutable)dcache.broker.net.ports.tcp-when-scheme-is-amq-embedded=${dcache.broker.amq.port} ${dcache.broker.amq.ssl.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-amq-embedded=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-amq-embedded=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-amq-embedded=

(immutable)dcache.broker.net.ports.tcp-when-scheme-is-cells+amq-embedded=${dcache.broker.amq.port} ${dcache.broker.amq.ssl.port} ${dcache.broker.messaging.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-cells+amq-embedded=${dcache.broker.port} ${dcache.broker.client.port}
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-cells+amq-embedded=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-cells+amq-embedded=${dcache.broker.client.port}

(immutable)dcache.broker.net.ports.tcp-when-scheme-is-openmq=${dcache.broker.openmq.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-openmq=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-openmq=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-openmq=

(immutable)dcache.broker.net.ports.tcp-when-scheme-is-cells+openmq=${dcache.broker.openmq.port} ${dcache.broker.messaging.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-cells+openmq=${dcache.broker.port} ${dcache.broker.client.port}
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-cells+openmq=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-cells+openmq=${dcache.broker.client.port}

(immutable)dcache.broker.net.ports.tcp-when-scheme-is-none=
(immutable)dcache.broker.net.ports.udp-when-scheme-is-none=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-none=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-none=

(immutable)dcache.broker.net.ports.tcp=${dcache.broker.net.ports.tcp-when-scheme-is-${dcache.broker.scheme}}
(immutable)dcache.broker.net.ports.udp=${dcache.broker.net.ports.udp-when-scheme-is-${dcache.broker.scheme}}
(immutable)dcache.non-broker.net.ports.tcp=${dcache.non-broker.net.ports.tcp-when-scheme-is-${dcache.broker.scheme}}
(immutable)dcache.non-broker.net.ports.udp=${dcache.non-broker.net.ports.udp-when-scheme-is-${dcache.broker.scheme}}


# Old properties
(forbidden)cell.name=Use <service>.cell.name instead
(forbidden)db.host=Use <service>.db.host instead
(forbidden)db.name=Use <service>.db.name instead
(forbidden)db.user=Use <service>.db.user instead
(forbidden)db.password=Use <service>.db.password instead
(forbidden)db.driver=Use <service>.db.driver instead
(forbidden)db.url=Use <service>.db.url instead
(forbidden)db.schema.changelog=Use <service>db.schema.changelog instead
(forbidden)db.schema.auto=Use dcache.db.schema.auto or <service>.db.schema.auto instead
(forbidden)db.connections.max-per-partition=Use <service>.db.connections.max-per-partition instead
(forbidden)db.connections.min-per-partition=Use <service>.db.connections.min-per-partition instead
(forbidden)db.connections.partition-count=Use <service>.db.connections.partition-count instead
(forbidden)port=Use <service>.net.port instead
(forbidden)kerberos.service-principle-name=Use ftp.authn.kerberos.service-principle-name or dcap.authn.kerberos.service-principle-name