-
Notifications
You must be signed in to change notification settings - Fork 131
/
dcache.properties
770 lines (667 loc) · 32.9 KB
/
dcache.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
# -----------------------------------------------------------------------
# dCache default values
# -----------------------------------------------------------------------
@DEFAULTS_HEADER@
#
# Properties prefixed by 'dcache' are either not specific to any
# particular service, or used by several services. In the former case,
# the property is annotated with (not-for-services). In the latter case,
# a similarly named property prefixed by the service type is defined
# for each service using the property.
#
# -----------------------------------------------------------------------
# Parameters related to dCache startup
# -----------------------------------------------------------------------
# If defined, the UID of the java process will be set. Notice that
# log files will continue to be generated with the user id that
# invoked the init script. When undefined or left blank, the UID will
# not be changed.
(not-for-services)dcache.user=@dcache.user@
# Type of namespace backend. Legal value is chimera.
(one-of?chimera)dcache.namespace=chimera
# The layout determines which domains to start.
(not-for-services)dcache.layout=${host.name}
# Base directory for layout files
(not-for-services)dcache.layout.dir=${dcache.paths.etc}/layouts
# The layout file describes the domains of a layout
(not-for-services)dcache.layout.uri=file:${dcache.layout.dir}/${dcache.layout}.conf
# Directory for PID files
(not-for-services)dcache.pid.dir=@dcache.pid.dir@
# PID file for daemon wrapper script
(not-for-services)dcache.pid.java=${dcache.pid.dir}/dcache.${dcache.domain.name}-java.pid
# PID file for Java process
(not-for-services)dcache.pid.daemon=${dcache.pid.dir}/dcache.${dcache.domain.name}-daemon.pid
# Directory for log files
(not-for-services)dcache.log.dir=@dcache.log.dir@
# Path to log file
(not-for-services)dcache.log.file=${dcache.log.dir}/${dcache.domain.name}.log
# This variable describes what should be done with an existing log
# file when a domain is started. The options are either to rename
# LOGFILE to LOGFILE.old so allowing a new log file to be created, or
# to retain the log file and subsequent logging information will be
# appended.
#
(not-for-services,one-of?new|keep)dcache.log.mode=keep
# Logback configuration file
(not-for-services)dcache.log.configuration=file:${dcache.paths.etc}/logback.xml
# Log levels
#
# Log levels for various log output targets. Possible log levels are off, error, warn, info,
# debug and trace. Log levels can also be adjusted at runtime using the log commands in
# the dCache admin shell.
#
# Detailed log configuration can be done in the logback configuration file, logback.xml.
#
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.file=warn
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.pinboard=info
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.remote=off
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.events=off
(not-for-services,one-of?off|error|warn|info|debug|trace|all)dcache.log.level.access=info
# How many days to keep access logs
dcache.log.access.max-history=30
# Host on which the remote log server will run
# relative to this dCache installation
#
(not-for-services)dcache.log.server.host=localhost
# Port on which the remote log server will listen
#
(not-for-services)dcache.log.server.port=9867
# Log formats
#
# These define the log format of various log output targets. For details on the format visit
# http://logback.qos.ch/manual/layouts.html#conversionWord
#
# Detailed log configuration can be done in the logback configuration file, logback.xml.
#
(not-for-services)dcache.log.format.file=%d{dd MMM yyyy HH:mm:ss} \\(%X{cells.cell}\\) [%X{org.dcache.ndc}] %m%n
(not-for-services)dcache.log.format.pinboard=[%t] [%X{org.dcache.ndc}] %m
# Delay, in seconds, between automatic restarts of a crashed domain
(not-for-services)dcache.restart.delay=10
# Directory used for creating the files to surpress automatic restart
(not-for-services)dcache.restart.dir=/tmp
# File used to suppress automatic restart
(not-for-services)dcache.restart.file=${dcache.restart.dir}/.dcache-stop.${dcache.domain.name}
# Java maximum heap size
(not-for-services)dcache.java.memory.heap=512m
# Java maximum direct buffer size
(not-for-services)dcache.java.memory.direct=512m
# Directory where to store heapdumps
(not-for-services)dcache.java.oom.location=${dcache.log.dir}
# Path to heap dump file
(not-for-services)dcache.java.oom.file=${dcache.java.oom.location}/${dcache.domain.name}-oom.hprof
# Extra jar files to add to the class path
(not-for-services)dcache.java.classpath=
# ---- The Library path
#
# Can contain .so libraries for JNI.
#
(not-for-services)dcache.java.library.path=${dcache.paths.lib}
# ---- Java VM options
#
# Properties that control the options to the Java VM instances.
#
# There are two kinds of Java virtual machine instances: short-lived
# and long-lived.
#
# The short-lived invocations are expected to run as quickly as
# possible and generally complete within a few seconds.
#
# The long-lived invocations are the dCache domains. These will have
# the same duration as a dCache domain; i.e., many months or years.
#
# dCache uses different Java options to hint to the JVM that the
# different invocations have different expected lifetimes; for
# example, short-lived invocations should favour startup speed over
# long-term optimisation.
#
# The JVM options used are dcache.java.options and
# dcache.java.options.short-lived, both of which include
# dcache.java.options.common. In general, these three properties
# should not be directly reconfigured, but site customisation should
# be achieved through other properties. In particular, additional
# java command-line arguments may be added by configuring either the
# dcache.java.options.extra or dcache.java.options.short-lived.extra
# property (or both).
# This property allows site-specific extra options that are used only
# for long-lived JVM instances.
#
(not-for-services)dcache.java.options.extra=
# This property allows site-specific extra options that are used only
# for short-lived JVM instances.
#
(not-for-services)dcache.java.options.short-lived.extra=
# This property provides Java command-line arguments for long-lived
# JVM instances. Sites should not modify this property, but use the
# dcache.java.options.extra property to add any site-specific
# arguments.
#
(not-for-services)dcache.java.options=\
-server \
-Xmx${dcache.java.memory.heap} \
-XX:MaxDirectMemorySize=${dcache.java.memory.direct} \
-Dsun.net.inetaddr.ttl=${dcache.net.inetaddr.lifetime} \
-Dorg.globus.tcp.port.range=${dcache.net.wan.port.min},${dcache.net.wan.port.max} \
-Djava.net.preferIPv4Stack=true \
-Dorg.dcache.dcap.port=${pool.dcap.port} \
-Dorg.dcache.net.tcp.portrange=${dcache.net.lan.port.min}:${dcache.net.lan.port.max} \
-Dorg.globus.jglobus.delegation.cache.lifetime=${dcache.authn.gsi.delegation.cache.lifetime} \
-Dorg.globus.jglobus.crl.cache.lifetime=${dcache.authn.gsi.crl.cache.lifetime} \
-Djava.security.krb5.realm=${dcache.authn.kerberos.realm} \
-Djava.security.krb5.kdc=${dcache.authn.kerberos.key-distribution-center-list} \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=${dcache.authn.jaas.config} \
-XX:+HeapDumpOnOutOfMemoryError \
-XX:HeapDumpPath=${dcache.java.oom.file} \
-javaagent:${dcache.paths.classes}/aspectjweaver-1.7.3.jar \
${dcache.java.options.common} \
${dcache.java.options.extra}
# This property provides Java command-line arguments for short-lived
# JVM instances. Sites should not modify this property, but
# configure the dcache.java.options.short-lived.extra property to add
# any site-specific arguments.
#
(not-for-services)dcache.java.options.short-lived=\
-client \
-XX:+TieredCompilation \
-XX:TieredStopAtLevel=0 \
${dcache.java.options.common} \
${dcache.java.options.short-lived.extra}
# This property provides Java command-line arguments for both
# short-lived and long-lived JVM instances. In general, sites should
# not modify this property, but modify either the
# dcache.java.options.extra property, the
# dcache.java.options.short-lived.extra property or both properties
# to add any site-specific arguments.
#
# Notes:
# - wantLog4jSetup is used by eu.emi:trustmanager
#
(not-for-services)dcache.java.options.common=\
-Djava.awt.headless=true \
-DwantLog4jSetup=n
# Whether to cache the compiled configuration files. If disabled most dCache
# scripts will invoke the dCache boot loader to compile the configuration files.
# When enabled the compiled configuration files are cached and only recompiled
# if any of the input files have changed.
(not-for-services)dcache.config.cache=true
# The following property describes whether dCache should run under Terracotta.
# It is only supported by the srm service at this time,so do not enable it in
# dcache.conf; instead, enable it, in the layout file, for the domain the srm
# service runs within.
#
# For example:
#
# [srmDomain]
# dcache.terracotta.enabled=true
# dcache.terracotta.install.dir=/opt/terracotta
#
# [srmDomain/srm]
# [srmDomain/spacemanager]
#
(not-for-services,one-of?true|false)dcache.terracotta.enabled=false
# The following parameter specifies the location of Terracotta
# If dcache.terracotta.enabled is true then this must be specified as well
(not-for-services)dcache.terracotta.install.dir=
# Location of the Terracotta configuration file
(not-for-services)dcache.terracotta.config.path=${dcache.paths.etc}/tc-config.xml
# -----------------------------------------------------------------------
# Parameters related to what runs inside a domain
# -----------------------------------------------------------------------
# A batch file to execute in every domain before services are loaded.
(deprecated,not-for-services)domain.preload=file:${dcache.paths.share}/cells/preload.fragment
(not-for-services)dcache.domain.preload=${domain.preload}
# Directory containing service batch files (the batch files that start
# dCache cells)
(deprecated)domain.service.dir=${dcache.paths.share}/services
dcache.domain.service.dir=${domain.service.dir}
# Base URI of service batch files (the batch files that start dCache
# cells). The trailing slash is significant due to how URIs are
# resolved relative to each other.
(deprecated)domain.service.uri.base=file:${dcache.domain.service.dir}/
dcache.domain.service.uri.base=${domain.service.uri.base}
# URI to service batch file. A relative URI is resolved by
# searching the plugin directories. If not found, it is resolved
# relative to domain.service.uri.base.
(deprecated)domain.service.uri=${dcache.domain.service}.batch
dcache.domain.service.uri=${domain.service.uri}
# -----------------------------------------------------------------------
# Common network related parameters
# -----------------------------------------------------------------------
# Port range used for transfers using typical WAN protocols
(deprecated,not-for-services)net.wan.port.min=20000
(deprecated,not-for-services)net.wan.port.max=25000
(not-for-services)dcache.net.wan.port.min=${net.wan.port.min}
(not-for-services)dcache.net.wan.port.max=${net.wan.port.max}
# Port range used for transfers using typical LAN protocols
(deprecated,not-for-services)net.lan.port.min=33115
(deprecated,not-for-services)net.lan.port.max=33145
(not-for-services)dcache.net.lan.port.min=${net.lan.port.min}
(not-for-services)dcache.net.lan.port.max=${net.lan.port.max}
# Java DNS cache (seconds)
(deprecated,not-for-services)net.inetaddr.lifetime=1800
(not-for-services)dcache.net.inetaddr.lifetime=${net.inetaddr.lifetime}
#
# Various components can bind to a particular network interface. The value of
# the dcache.net.listen property describes which interface a door should use.
# The value is the IP address of the interface the component should use; for
# example, the loop-back interface (commonly 'lo') is '127.0.0.1' for IPv4,
# '::1' for IPv6.
#
# The address '0.0.0.0' listens on all interfaces for IPv4
# connections and '::' listens on all interfaces for IPv6
# connections (depending on the platform, an IPv4 address may be
# converted to the equivalent IPv6 address and match '::'). The
# keyword 'any' will listen on all interfaces.
#
(deprecated)listen = any
dcache.net.listen=${listen}
# -----------------------------------------------------------------------
# Cell Communication
# -----------------------------------------------------------------------
# ---- Which message broker implementation to use
#
# Selects between various message brokers. The message broker
# determines how dCache domains communicate with each other. Valid
# values are:
#
# 'cells' is the classic cells based system. It relies on a central
# location service that all domains connect to. The host, port and
# domain of this service is defined by broker.host, broker.port and
# broker.domain.
#
# 'amq' connects to an ActiveMQ broker.
#
# 'amq-embedded' starts an embedded ActiveMQ broker in the domain
# specified by broker.domain. For other domains this is equivalent
# as specifying 'amq'.
#
# 'cells+amq-embedded' is a hybrid broker. An embedded ActiveMQ
# broker is started in the domain specified by broker.domain. At the
# same time a classic cells location service is instantiated in the
# same domain. Thus both 'cells' and 'amq' can be used by other
# domains to connect to the broker.
#
# 'openmq' connects to an OpenMQ broker.
#
# 'cells+openmq' is a hybrid solution. A connection to an OpenMQ
# broker is established. At the same time a classic cells location
# service is instantiated in dCacheDomain. Thus both 'cells' and
# 'openmq' can be used by other domains to connect to the broker.
#
# 'none' no broker connection is establish. This is used for single
# domain deployments.
#
(deprecated,not-for-services,one-of?cells|none\
|amq|amq-embedded|cells+amq-embedded\
|openmq|cells+openmq)\
broker.scheme=cells
(not-for-services,one-of?cells|none\
|amq|amq-embedded|cells+amq-embedded\
|openmq|cells+openmq|${broker.scheme})\
dcache.broker.scheme=${broker.scheme}
# ---- Broker for interdomain communication
#
# By default both the cells and the hybrid broker styles use a star
# topology with all messages going through a central domain. This
# domain is usually dCacheDomain, but any domain can be used.
#
# As all other domains need to connect to the broker, broker.host
# has to be configured throughout the dCache instance unless the
# broker runs on the local host or if there is no broker.
#
# Domains open a UDP port to listen for topology information. The
# information is sent from the broker.domain domain. The port
# number that a domain listens for topology information is
# configured by the broker.client.port property. This is either
# the port number or 0 (indicating a randomly chosen port number).
#
# NOTE: broker.client.port must be EITHER a unique port number OR
# 0. This means that it is almost certainly wrong to configure this
# property anywhere other than in a domain's context (i.e., immediately
# after declaring a domain).
#
# Inter-domain messages are sent via TCP on the port defined by
# broker.messaging.port. Since topology discovery uses UDP,
# broker.port and broker.messaging.port may have the same port
# number.
#
(deprecated,not-for-services)broker.domain=dCacheDomain
(not-for-services)dcache.broker.domain=${broker.domain}
(deprecated,not-for-services)broker.host=localhost
(not-for-services)dcache.broker.host=${broker.host}
(deprecated,not-for-services)broker.port=11111
(not-for-services)dcache.broker.port=${broker.port}
(deprecated,not-for-services)broker.messaging.port=${dcache.broker.port}
(not-for-services)dcache.broker.messaging.port=${broker.messaging.port}
(deprecated,not-for-services)broker.client.port = 0
(not-for-services)dcache.broker.client.port = ${broker.client.port}
# ---- Location of location manager configuration file
#
# Only used with broker.scheme=cells and only by the
# ${broker.domain} domain. If the file doesn't exist then a default
# 'star' topology is used, where the ${broker.domain} domain accepts
# connections from all other domains and routes messages
# accordingly.
#
# If the ${broker.cells.config} file exists then it is read by the
# lmd cell running in ${broker.domain} on startup. This allows
# site-specific adjustments to the messaging topology.
#
# Please note that adjusting the messaging topology is an advance
# feature that few (if any) dCache deployments need to adjust.
# Using a different messaging technology may be a preferable
# solution; see broker.scheme property for the alternatives.
#
# The user ${dcache.user} must be able to write into the directory
# in which the file is located for the 'setup write' command of
# location manager cell (lmd) to work.
#
(deprecated,not-for-services)broker.cells.config=${dcache.paths.etc}/lm.config
(not-for-services)dcache.broker.cells.config=${broker.cells.config}
# ---- Port and host used for ActiveMQ broker
#
# Determines the host and port used for the ActiveMQ broker. The
# host defaults to ${broker.host}. Only used if messageBroker is set
# to either jms or hybrid.
#
(deprecated,not-for-services)broker.amq.host=${dcache.broker.host}
(not-for-services)dcache.broker.amq.host=${broker.amq.host}
(deprecated,not-for-services)broker.amq.port=11112
(not-for-services)dcache.broker.amq.port=${broker.amq.port}
(deprecated,not-for-services)broker.amq.ssl.port=11113
(not-for-services)dcache.broker.amq.ssl.port=${broker.amq.ssl.port}
# ---- Connection URL for ActiveMQ
#
# By default, the ActiveMQ connection URL is formed from
# broker.amq.host and broker.amq.port properties. The broker.amq.url
# property may be used to configure more advanced broker
# topologies. Consult the ActiveMQ documentation for possible
# values.
#
(deprecated,not-for-services)broker.amq.url=failover:tcp://${broker.amq.host}:${broker.amq.port}
(not-for-services)dcache.broker.amq.url=${broker.amq.url}
# ----- OpenMQ broker host
(deprecated,not-for-services)broker.openmq.host=${dcache.broker.host}
(not-for-services)dcache.broker.openmq.host=${broker.openmq.host}
# ----- OpenMQ broker port
(deprecated,not-for-services)broker.openmq.port=11112
(not-for-services)dcache.broker.openmq.port=${broker.openmq.port}
# ----- OpenMQ interval in milliseconds between connection attempts
(deprecated,not-for-services)broker.openmq.reconnect.interval=30000
(not-for-services)dcache.broker.openmq.reconnect-interval=${broker.openmq.reconnect.interval}
(not-for-services,one-of?MILLISECONDS|SECONDS|MINUTES|HOURS|DAYS)dcache.broker.openmq.reconnect-interval.unit=MILLISECONDS
# -----------------------------------------------------------------------
# Cell addresses of dCache components
# -----------------------------------------------------------------------
(deprecated)pnfsmanager=${pnfsmanager.cell.name}
(deprecated)poolmanager=${poolmanager.cell.name}
(deprecated)billing=${billing.cell.name}
(deprecated)gplazma=${gplazma.cell.name}
(deprecated)spacemanager=${spacemanager.cell.name}
dcache.service.broadcast=${broadcast.cell.name}
dcache.service.pnfsmanager=${pnfsmanager}
dcache.service.poolmanager=${poolmanager}
dcache.service.billing=${billing}
dcache.service.gplazma=${gplazma}
dcache.service.spacemanager=${spacemanager}
dcache.service.pinmanager=${pinmanager.cell.name}
dcache.service.replica=${replica.cell.name}
dcache.service.transfermanager=${transfermanagers.cell.name}
dcache.service.copymanager=CopyManager
# -----------------------------------------------------------------------
# Common authentication properties
# -----------------------------------------------------------------------
# GSI caching parameters (ms)
(deprecated,not-for-services)gsi.delegation.cache.lifetime=30000
(not-for-services)dcache.authn.gsi.delegation.cache.lifetime=${gsi.delegation.cache.lifetime}
(deprecated,not-for-services)gsi.crl.cache.lifetime=60000
(not-for-services)dcache.authn.gsi.crl.cache.lifetime=${gsi.crl.cache.lifetime}
# ---- Kerberos realm
#
# Your kerberos 5 realm, used by Kerberos dcap and FTP doors
#
(deprecated,not-for-services)kerberos.realm=EXAMPLE.ORG
(not-for-services)dcache.authn.kerberos.realm=${kerberos.realm}
# ---- Kerberos key distribution center
#
# A comma-separated list of KDC hostnames. localhost may be used if
# a KDC multiplexer is running on the same machine as the Kerberos FTP doors.
#
(deprecated)kerberos.key-distribution-center-list=localhost
dcache.authn.kerberos.key-distribution-center-list=${kerberos.key-distribution-center-list}
# ----- JAAS configuration file
#
# Template JAAS configuration files are available in the
# share/examples/kerberos directory as jgss.conf and jgss_host.conf.
# Please copy these files into ${dcache.paths.etc} and modify their
# content as appropriate. The minimum configuration is to change
# the principle value, replacing "door.example.org" with the FQDN of
# the door and replacing "EXAMPLE.ORG" with the Kerberos Realm.
#
# The file jgss.conf is suitable for a domain running a Kerberos FTP
# door and jgss_host.conf is suitable for a domain running a Kerberos
# dcap door. Only one file may be specified per domain.
#
(deprecated)kerberos.jaas.config=${dcache.paths.etc}/jgss.conf
dcache.authn.jaas.config=${kerberos.jaas.config}
#dcache.authn.jaas.config=${dcache.paths.etc}/jgss.conf
#dcache.authn.jaas.config=${dcache.paths.etc}/jgss_host.conf
# ---- SSL Server certificate
#
# This parameter specifies the path to the file containing the
# PKCS12 encoded server certificate used for SSL. The host certificate
# in /etc/grid-security/ needs to be converted to PKCS12 format before
# it can be used with SSL. Use the 'bin/dcache import
# hostcert' command to perform this task. This is used in Webadmin and WebDAV
#
# Notice that for GSI the host cetificate in /etc/grid-security/ is used
# directly.
#
(deprecated)keyStore=${dcache.paths.etc}/hostcert.p12
dcache.authn.keystore=${keyStore}
# ---- Password for SSL server certificate
#
# This parameter specifies the password with which the PKCS12 encoded
# server certificate is encrypted.
#
(deprecated)keyStorePassword=dcache
dcache.authn.keystore.password=${keyStorePassword}
# ---- Trusted SSL CA certificates
#
# This parameter specifies the path to a Java Keystore containing
# the the trusted CA certicates used for SSL. The CA certificates
# in /etc/grid-security/certificates/ need to be converted into a
# Java Keystore file before they can be used with SSL. Use the
# 'bin/dcache import cacerts' command to perform this task.
# This is used in httpd and WebDAV.
#
# Notice that for GSI the CA cetificates in
# /etc/grid-security/certificates/ are used directly.
#
(deprecated)trustStore=${dcache.paths.etc}/certificates.jks
dcache.authn.truststore=${trustStore}
# ---- Password for trusted SSL CA certificates
#
# This parameter specifies the password with which the Java Keystore
# containing the trusted CA certificates is encrypted.
#
(deprecated)trustStorePassword=dcache
dcache.authn.truststore.password=${trustStorePassword}
# ---- Host private key in PEM format
(deprecated)grid.hostcert.key=${dcache.paths.grid-security}/hostkey.pem
dcache.authn.hostcert.key=${grid.hostcert.key}
# ---- Host certificate in PEM format
(deprecated)grid.hostcert.cert=${dcache.paths.grid-security}/hostcert.pem
dcache.authn.hostcert.cert=${grid.hostcert.cert}
# ---- Host certificate refresh period
#
# This option influences in which intervals the host certificate will be
# reloaded on a running door.
#
(deprecated)grid.hostcert.refresh=43200
dcache.authn.hostcert.refresh=${grid.hostcert.refresh}
dcache.authn.hostcert.refresh.unit=SECONDS
# ---- Verification of the issuer chain of the host certificate
#
# This can have advantages and disadvantages. If the used host certificates
# are in a Grid environment, where they are supposed to be signed by trusted
# CA certificates, setting this to true establishes a fail-fast behaviour.
#
# If the certificates are self-signed or signed by a custom-CA, this value
# should be set to false.
#
(deprecated,one-of?true|false)grid.hostcert.verify=true
(one-of?true|false|${grid.hostcert.verify})dcache.authn.hostcert.verify=${grid.hostcert.verify}
# ---- Directory containing trusted CA certificates
(deprecated)grid.ca.path=${dcache.paths.grid-security}/certificates
dcache.authn.capath=${grid.ca.path}
# ---- CA certificates refresh period
#
# Grid-based authentication usually requires to load a set of
# certificates that are accepted as certificate authorities. This
# option influences in which interval these trust anchors are
# reloaded.
#
(deprecated)grid.ca.refresh=43200
dcache.authn.capath.refresh=${grid.ca.refresh}
(one-of?MILLISECONDS|SECONDS|MINUTES|HOURS|DAYS)dcache.authn.capath.refresh.unit=SECONDS
# ---- Path to vomsdir directory
#
# Contains attribute validation information for authorized VOMS servers
dcache.authn.vomsdir=${dcache.paths.grid-security}/vomsdir
# ---- Flags to disable ciphers
#
# Comma separated list of flags related to ciphers.
#
# DISABLE_BROKEN_DH
#
# Diffie-Hellman is broken in Java 1.7u6 and forward. If DISABLE_BROKEN_DH is
# included, dCache will disable all cipher families involving Diffie-Hellman on
# those versions of Java. Depending on the client, this may result in less
# secure SSL/TLS/GSI connections.
#
# The symptoms of running with broken Diffie-Hellman enabled is that approximately
# 0.4% of all connections will fail during handshake.
#
# DISABLE_EC
#
# Elliptic Curve ciphers are broken in Java 1.7 on Linux. The problem is that the
# JRE successfully negotiates the use of cipher variants not supported by libnss3.
# If this option is specified, dCache will disable all cipher families involving
# Elliptic Curve ciphers.
#
(deprecated)dcache.security.ciphers=DISABLE_EC,DISABLE_BROKEN_DH
dcache.authn.ciphers=${dcache.security.ciphers}
# ---- Whether to overwrite existing files on upload
#
# The following property affects FTP doors, WebDAV doors and the SRM.
# For dcap see the truncate property. For xrootd, the policy is
# controlled by the client. Note that setting the property to false
# will break standards compliance.
#
(deprecated,one-of?true|false)overwriteEnabled=true
(one-of?true|false|${overwriteEnabled})dcache.enable.overwrite=${overwriteEnabled}
# -----------------------------------------------------------------------
# Database Configuration
# -----------------------------------------------------------------------
#
# The current setup assumes that one or more PostgreSQL servers are
# used by the various dCache components. Database user and database
# password are configurable. The dCache components use the databases 'dcache',
# 'replicas', 'companion' and 'billing'. However, these might be located on
# separate hosts.
#
# The most performant configuration is to have the database server
# running on the same host as the dCache component that will
# access it. Therefore, the default value for all the following
# variables is 'localhost'. Uncomment and change these variables
# only if you have a reason to deviate from this scheme.
#
# For example, one valid deployment would be to put the 'billing'
# database on different host than the pnfs server database and
# companion, but keep the httpDomain on the admin host.
# ---- Whether to manage database schemas automatically
#
# When true, database schemas will be automatically updated when
# needed. Not all services support this setting. This settings
# applies to a complete domain and must not be defined at the
# service level.
#
(one-of?true|false)dcache.db.schema.auto=true
# -----------------------------------------------------------------------
# Tape protection
# -----------------------------------------------------------------------
#
# The tape protection feature is only available if
# dcache.authz.staging is defined, and there is a
# similarly named file containing a list of FQANs and DNs whose
# owners are allowed to stage files (i.e., to read files from dCache
# that are stored only on tape).
#
# Stage configuration can be provided either on the door or on the
# PoolManager as described in the following two cases below:
#
# 1) stage configuration provided on the door
# (remember to repeat the same configuration on each door):
# dcache.authz.staging.pep=doors
# 2) stage configuration provided on the PoolManager:
# dcache.authz.staging.pep=PoolManager
#
(deprecated)stageConfigurationFilePath=
(deprecated,one-of?doors|PoolManager)stagePolicyEnforcementPoint=doors
dcache.authz.staging=${stageConfigurationFilePath}
(one-of?doors|PoolManager|${stagePolicyEnforcementPoint})dcache.authz.staging.pep=${stagePolicyEnforcementPoint}
# -----------------------------------------------------------------------
# Provide information about message broker
# -----------------------------------------------------------------------
#
# The following properties provide information about the broker
# domain. The actual domain is defined by broker.domain.
#
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-cells=${dcache.broker.messaging.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-cells=${dcache.broker.port} ${dcache.broker.client.port}
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-cells=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-cells=${dcache.broker.client.port}
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-amq=
(immutable)dcache.broker.net.ports.udp-when-scheme-is-amq=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-amq=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-amq=
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-amq-embedded=${dcache.broker.amq.port} ${dcache.broker.amq.ssl.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-amq-embedded=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-amq-embedded=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-amq-embedded=
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-cells+amq-embedded=${dcache.broker.amq.port} ${dcache.broker.amq.ssl.port} ${dcache.broker.messaging.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-cells+amq-embedded=${dcache.broker.port} ${dcache.broker.client.port}
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-cells+amq-embedded=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-cells+amq-embedded=${dcache.broker.client.port}
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-openmq=${dcache.broker.openmq.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-openmq=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-openmq=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-openmq=
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-cells+openmq=${dcache.broker.openmq.port} ${dcache.broker.messaging.port}
(immutable)dcache.broker.net.ports.udp-when-scheme-is-cells+openmq=${dcache.broker.port} ${dcache.broker.client.port}
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-cells+openmq=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-cells+openmq=${dcache.broker.client.port}
(immutable)dcache.broker.net.ports.tcp-when-scheme-is-none=
(immutable)dcache.broker.net.ports.udp-when-scheme-is-none=
(immutable)dcache.non-broker.net.ports.tcp-when-scheme-is-none=
(immutable)dcache.non-broker.net.ports.udp-when-scheme-is-none=
(immutable)dcache.broker.net.ports.tcp=${dcache.broker.net.ports.tcp-when-scheme-is-${dcache.broker.scheme}}
(immutable)dcache.broker.net.ports.udp=${dcache.broker.net.ports.udp-when-scheme-is-${dcache.broker.scheme}}
(immutable)dcache.non-broker.net.ports.tcp=${dcache.non-broker.net.ports.tcp-when-scheme-is-${dcache.broker.scheme}}
(immutable)dcache.non-broker.net.ports.udp=${dcache.non-broker.net.ports.udp-when-scheme-is-${dcache.broker.scheme}}
# Old properties
(forbidden)cell.name=Use <service>.cell.name instead
(forbidden)db.host=Use <service>.db.host instead
(forbidden)db.name=Use <service>.db.name instead
(forbidden)db.user=Use <service>.db.user instead
(forbidden)db.password=Use <service>.db.password instead
(forbidden)db.driver=Use <service>.db.driver instead
(forbidden)db.url=Use <service>.db.url instead
(forbidden)db.schema.changelog=Use <service>db.schema.changelog instead
(forbidden)db.schema.auto=Use dcache.db.schema.auto or <service>.db.schema.auto instead
(forbidden)db.connections.max-per-partition=Use <service>.db.connections.max-per-partition instead
(forbidden)db.connections.min-per-partition=Use <service>.db.connections.min-per-partition instead
(forbidden)db.connections.partition-count=Use <service>.db.connections.partition-count instead
(forbidden)port=Use <service>.net.port instead
(forbidden)kerberos.service-principle-name=Use ftp.authn.kerberos.service-principle-name or dcap.authn.kerberos.service-principle-name