Added CA helper script
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Mon, 05 Oct 2009 17:13:01 +0900 |
parents | ef9ef3bf4752 |
children | 277ec00d793e |
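# This is a sample configuration file for freeDiameter daemon.
#
# Directives take the form  Name = "value";  or a bare  Flag;  and are
# commented out with a leading '#'. The documented defaults apply to any
# directive that is not set. Note that the "Test configuration" block at
# the end of this file is NOT commented out: its directives are live and
# override the defaults described above it. Replace the site-specific
# identities and addresses used there before reusing this file.

##############################################################
##  Peer identity and realm

# The Diameter Identity of this daemon.
# This must be a valid FQDN that resolves to the local host.
# Default: hostname's FQDN
#Identity = "aaa.koganei.wide.ad.jp";

# The Diameter Realm of this daemon.
# Default: the domain part of Identity.
#Realm = "wide.ad.jp";

##############################################################
##  Transport protocol configuration

# The port this peer is listening on for incoming connections (TCP and SCTP).
# Default: 3868
#Port = 3868;

# The port this peer is listening on for incoming TLS connections (TCP and SCTP).
# See TLS_old_method for more information.
# Default: 3869
#SecPort = 3869;

# Use RFC3588 method for TLS protection, where TLS is negotiated after CER/CEA
# on the same port. This only affects outgoing connections. It can be overridden
# on a per-peer basis.
# With this method the CER/CEA exchange itself happens before TLS is
# established, so only enable it for peers that require it.
# Default: use RFC3588bis method with separate port for TLS.
#TLS_old_method;

# Disable use of TCP protocol (only SCTP)
# Default : TCP enabled
#No_TCP;

# Disable use of SCTP protocol (only TCP)
# Default : SCTP enabled
#No_SCTP;
# This option has no effect if freeDiameter is compiled with DISABLE_SCTP option,
# in which case the value is forced to "SCTP disabled".

# Prefer TCP over SCTP for establishing new connections.
# It may be overridden per peer in peer configuration blocks.
# Default : SCTP is preferred.
#Prefer_TCP;

# Default number of streams per SCTP association.
# It can be overridden on a per-peer basis.
# Default : 30 streams
#SCTP_streams = 30;

##############################################################
##  Endpoints configuration

# Disable use of IP addresses (only IPv6)
# Default : IP enabled
#No_IP;

# Disable use of IPv6 addresses (only IP)
# Default : IPv6 enabled
#No_IPv6;

# Specify local addresses where the server must listen
# The directive can appear several times to listen on several addresses.
# Default : listen on all addresses available.
#ListenOn = "202.249.37.5";
#ListenOn = "2001:200:903:2::202:1";

##############################################################
##  TLS Configuration

# TLS is managed by the GNUTLS library in the freeDiameter daemon.
# You may find more information about parameters and special behaviors
# in the relevant documentation.
# http://www.gnu.org/software/gnutls/manual/

# Credentials of the local peer
# The X509 certificate and private key file to use for the local peer.
# The files must contain PKCS-1 encoded RSA key, in PEM format.
# (These parameters are passed to gnutls_certificate_set_x509_key_file function)
# The private key file should be readable only by the user running the daemon.
# Default : NO DEFAULT
#TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>";

# Certificate authority / trust anchors
# The file containing the list of trusted Certificate Authorities (PEM list)
# (This parameter is passed to gnutls_certificate_set_x509_trust_file function)
# The directive can appear several times to specify several files.
# Default : GNUTLS default behavior
#TLS_CA = "<file.PEM>";

# Certificate Revocation List file
# The information about revoked certificates.
# The file contains a list of trusted CRLs in PEM format. They should have been verified before.
# (This parameter is passed to gnutls_certificate_set_x509_crl_file function)
# Default : GNUTLS default behavior
#TLS_CRL = "<file.PEM>";

# GNU TLS Priority string
# This string configures the behavior of GNUTLS key exchange
# algorithms. See gnutls_priority_init function documentation for information.
# You should also refer to the Diameter required TLS support here:
# http://tools.ietf.org/html/draft-ietf-dime-rfc3588bis-18#section-13.1
# Default : "NORMAL"
# Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL";
#TLS_Prio = "NORMAL";

# Diffie-Hellman parameters size
# Set the number of bits for generated DH parameters
# Valid value should be 768, 1024, 2048, 3072 or 4096.
# (This parameter is passed to gnutls_dh_params_generate2 function,
# it usually should match RSA key size)
# Larger sizes give a stronger key exchange at the cost of a slower startup.
# Default : 1024
#TLS_DH_Bits = 1024;

##############################################################
##  Timers configuration

# The Tc timer of this peer.
# It is the delay before a new attempt is made to reconnect a disconnected peer.
# The value is expressed in seconds. The recommended value is 30 seconds.
# Default: 30
#TcTimer = 30;

# The Tw timer of this peer.
# It is the delay before a watchdog message is sent, as described in RFC 3539.
# The value is expressed in seconds. The default value is 30 seconds. Value must
# be greater or equal to 6 seconds. See details in the RFC.
# Default: 30
#TwTimer = 30;

##############################################################
##  Applications configuration

# Disable the relaying of Diameter messages?
# For messages not handled locally, the default behavior is to forward the
# message to another peer if any is available, according to the routing
# algorithms. In addition the "0xffffff" application is advertised in CER/CEA
# exchanges.
# Default: Relaying is enabled.
#NoRelay;

# Other applications are configured by loading appropriate extensions.

##############################################################
##  Extensions configuration

# The freeDiameter daemon merely provides support for
# Diameter Base Protocol. The specific application behaviors,
# as well as advanced functions of the daemon, are provided
# by loadable extensions (plug-ins).
# These extensions may in addition receive the name of a
# configuration file, the format of which is extension-specific.
#
# Extensions are loaded into the daemon process, so only load
# extensions from a trusted, write-protected location.
#
# Format:
#LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ;
#
# Examples:
#LoadExtension = "extensions/sample.so";
#LoadExtension = "extensions/sample.so":"conf/sample.conf";

##############################################################
##  Peers configuration

# The local server listens for incoming connections. By default,
# all unknown connecting peers are rejected. Extensions can override this behavior.
#
# In addition to incoming connections, the local peer can
# be configured to establish and maintain connections to some
# Diameter nodes and allow connections from these nodes.
# This is achieved with the ConnectPeer directive described below.
#
# Note that the configured Diameter Id MUST match
# the information received inside CEA, or the connection will be aborted.
#
# Format:
#ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ;
# Parameters that can be specified in the peer's parameter list:
#  No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method;
#  No_TLS;       # assume transparent security instead of TLS
#                # (the connection to this peer is then not protected by TLS;
#                #  only use it when the transport is otherwise secured, e.g. IPsec)
#  Port = 3868;  # The port to connect to
#  SCTP_streams = 30;
#  TcTimer = 30;
#  TwTimer = 30;
#  ConnectTo = "202.249.37.5";
#  ConnectTo = "2001:200:903:2::202:1";
# Examples:
#ConnectPeer = "aaa.wide.ad.jp";
#ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; } ;

##############################################################
# -------- Test configuration ---------
# The directives below are ACTIVE. They enable TLS_old_method globally
# and No_TLS for one peer, and they point at site-specific addresses;
# comment them out or adapt them before using this file in production.
Identity = "aaa.koganei.wide.ad.jp";
Realm = "wide.ad.jp";
Port = 3866;
SecPort = 3867;
TLS_old_method;
No_IP;
Prefer_TCP;
SCTP_streams = 50;
ListenOn = "202.249.37.5";
ListenOn = "2001:200:903:2::202:1";
TcTimer = 60;
TwTimer = 6;
NoRelay;
LoadExtension = "extensions/dbg_monitor.fdx";
LoadExtension = "extensions/dict_nasreq.fdx";
LoadExtension = "extensions/dict_eap.fdx";
ConnectPeer = "jules.nautilus6.org" ;
ConnectPeer = "aaa.nautilus6.org" { No_TLS; No_IP; No_TCP; SCTP_streams = 60; } ;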