Configuration

# ---------------------------------------------------------------- #
#                                                                  # 
#         Data Object Identifier Server Configuration              #
#                                                                  #
# ---------------------------------------------------------------- #

# In this configuration file, a set of properties must be encrypted.
# To encrypt, a tool provided in the DOI-server can be used:
# java -jar DOI-server-1.0.0.jar -c <string to encrypt>
#
# To decrypt :
# java -jar DOI-server-1.0.0.jar -e <string to decrypt>

## ---- Application Name ----
## The application's name is automatically updated by maven
Starter.APP_NAME=${project.artifactId}

## ---- Building date ----
## The building date is automatically updated by maven
Starter.BUILD_DATE=${timestamp}

## ---- Application version ----
## The application's version is automatically updated by maven
Starter.VERSION=${project.version}

## Name of this configuration file
Starter.NAME=Production properties

## ---- Application copyright ----
Starter.COPYRIGHT=Copyright 2017-2019 CNES

## ---- Application mode ---
## It exists different contexts for the application :
## - DEV : Use of the test platform and no query are executed
## - POST_DEV : Use of the test platform and query are executed
## - PRE_PROD : Use of the production platform with a DOI test identifier
## - PROD : Use of the production platform with the true DOI identifier
Starter.CONTEXT_MODE=PROD

## ---- Mail server configuration ----
## - Mode TLS to true is not currently supported
## - Secret value must be encrypted.
## - server must have this syntax smtp://<host>:<port>
Starter.mail.send.tls=false  
Starter.mail.send.identifier=
Starter.mail.send.secret=
Starter.mail.send.server=
Starter.mail.send.protocol=SMTP
Starter.mail.send.encoding=UTF-8

## ---- Tunning Restlet connections ----
## Not currently used
Starter.maxTotalConnections=-1               
Starter.maxConnectionsPerHost=-1

## ---- Security Regular expressions ----
## Not Used currently
Starter.security.userLoginRegex=^.{4,64}$
Starter.security.userPasswdRegex=^(?\=.*[a-z])(?\=.*[A-Z])(?\=.*\\W).{8,64}$|^(?\=.*[a-z])(?\=.*[0-9])(?\=.*\\W).{8,64}$|^(?\=.*[A-Z])(?\=.*[0-9])(?\=.*\\W).{8,64}$|^(?\=.*[A-Z])(?\=.*[0-9])(?\=.*[a-z]).{8,64}$

## ---- Server configuration ----
Starter.Server.contactAdmin = L-doi-support@cnes.fr
Starter.Server.Log.format={ciua} {cri} {ra} {m} {rp} {rq} {S} {ES} {es} {hh} {cig} {fi}

## ---- HTTPS server configuration ----
## secretKey, keystorePassword and TrustStorePassword are encrypted
Starter.Server.HTTPS.SecretKey=EPsM8QoV62dqUQ9gsO10qg==
Starter.Server.HTTPS.Port=8183
Starter.Server.HTTPS.KeystorePath=
Starter.Server.HTTPS.keystorePassword=EPsM8QoV62dqUQ9gsO10qg==
Starter.Server.HTTPS.TrustStorePath=
Starter.Server.HTTPS.TrustStorePassword=EPsM8QoV62dqUQ9gsO10qg==

## ---- HTTP server configuration ----
Starter.Server.HTTP.Port=8182

## ---- Proxy configuration ----
## Used parameter allows to make enable/disable the proxy configuration
## NoProxy.hosts contains hosts for which a proxy authentication is not needed

## The Starter.Proxy.type must take one of the following values : 
## NO_PROXY, PROXY_BASIC, PROXY_SPNEGO_API, PROXY_SPNEGO_JAAS
## Password must be encrypted
Starter.Proxy.type = NO_PROXY
#Starter.Proxy.host = localhost
#Starter.Proxy.port = 3128
#Starter.Proxy.login =
#Starter.Proxy.pwd =

#Starter.NoProxy.hosts= localhost
## Configuration for SPNEGO
#Starter.Proxy.Jass.Spn =
#Starter.Proxy.Jass.File =
#Starter.Proxy.Jass.Context =

## ---- Inist configuration ----
## login and pwd must be encrypted
Starter.Inist.doi =
Starter.Inist.login =
Starter.Inist.pwd =

## --- Token expiration delay
## Hour=10 , Month=5 , Year=1
Starter.Token.Unit = 10
Starter.Token.Delay = 12

## --- Token key generation
## A token key can be generated by the DOI server
#Starter.Token.key=

## ---- Jetty configuration ----
## Uncomment the following lines if you want to overlad the default values
##
## Thread pool minimum threads.
#Starter.MIN_THREADS=8
## Thread pool max threads.
#Starter.MAX_THREADS=200
## Thread pool threads priority.
#Starter.THREADS_PRIORITY=5
## Thread pool idle timeout in milliseconds; threads that are idle for longer than this period may be stopped.
#Starter.THREAD_MAX_IDLE_TIME_MS=60000
## Thread pool stop timeout in milliseconds; the maximum time allowed for the service to shutdown.
#Starter.THREAD_MAX_STOP_TIME_MS=5000
## Time in ms that connections will persist if listener is low on resources.
#Starter.LOW_RESOURCES_MAX_IDLE_TIME_MS=1000
## Low resource monitor period in milliseconds; when 0, low resource monitoring is disabled.
#Starter.LOW_RESOURCES_PERIOD=1000
## Low resource monitor max memory in bytes; when 0, the check disabled; memory used is calculated as (totalMemory-freeMemory).
#Starter.LOW_RESOURCES_MAX_MEMORY=0
## Low resource monitor max connections; when 0, the check is disabled.
#Starter.LOW_RESOURCES_MAX_CONNECTIONS=0
## Low resource monitor, whether to check if we're low on threads.
#Starter.LOW_RESOURCES_THREADS=true
## Connector acceptor thread count; when -1, Jetty will default to Runtime.availableProcessors() / 2, with a minimum of 1.
#Starter.ACCEPTOR_THREADS=-1
## Connector selector thread count; when -1, Jetty will default to Runtime.availableProcessors().
#Starter.SELECTOR_THREADS=-1
## Connector accept queue size; also known as accept backlog.
#Starter.ACCEPT_QUEUE_SIZE=0
## HTTP request header size in bytes; larger headers will allow for more 
## and/or larger cookies plus larger form content encoded in a URL;
## however, larger headers consume more memory and can make a server more 
## vulnerable to denial of service attacks.
#Starter.REQUEST_HEADER_SIZE=8192
## HTTP response header size in bytes; larger headers will allow for more 
## and/or larger cookies and longer HTTP headers (e.g. for redirection); 
## however, larger headers will also consume more memory
#Starter.RESPONSE_HEADER_SIZE=8192
## HTTP header cache size in bytes.
#Starter.REQUEST_BUFFER_SIZE=512
## HTTP output buffer size in bytes; a larger buffer can improve performance
## by allowing a content producer to run without blocking, however larger 
## buffers consume more memory and may induce some latency before a client
## starts processing the content.
#Starter.RESPONSE_BUFFER_SIZE=32768
## Connector idle timeout in milliseconds; see Socket.setSoTimeout(int); 
## this value is interpreted as the maximum time between some progress 
## being made on the connection; so if a single byte is read or written, 
## then the timeout is reset.
#Starter.IO_MAX_IDLE_TIME_MS=30000
## Connector TCP/IP SO linger time in milliseconds; when -1 is disabled; 
## see Socket.setSoLinger(boolean, int).
#Starter.SO_LINGER_TIME=-1
## Connector stop timeout in milliseconds; 
## the maximum time allowed for the service to shutdown
#Starter.GRACEFUL_SHUTDOWN=30000

## ---- Plugin ----
Starter.Plugin.UserGroupMgt=fr.cnes.doi.plugin.impl.db.DefaultUserRoleImpl
Starter.Plugin.ProjectSuffix=fr.cnes.doi.plugin.impl.db.DefaultProjectSuffixImpl
Starter.Plugin.Token=fr.cnes.doi.plugin.impl.db.DefaultTokenImpl
Starter.Plugin.Authentication=fr.cnes.doi.plugin.impl.db.DefaultLDAPImpl

# ---- IP allower for administration ---
#By default, localhost in IPv6 and IPV4 are set
#To set others IP, set them with a | between each IP
#Starter.admin.IP.allower=

# Threshold speed value in percent for sending an alert
Starter.Monitoring.Threshold_speed = 130

# Period of the job that updates the database from ldap (the unit is minute)
Starter.updateDatabaseJob.period = 30

## ---- Database settings ----
## User and Pwd are encrypted
# Doi Database url
Starter.Database.Doidburl = jdbc:postgresql://localhost:5432/doidb?currentSchema=doi_schema
# Doi DataBase user
Starter.Database.User =doiserver
# Doi DataBase password, must be encrypted by the AES algorithm
Starter.Database.Pwd  =
# Datasource Minimum idle connections - Default value 10
#Starter.Database.MinIdleConnections =
# Datasource Maximum idle connections - Default value 50
#Starter.Database.MaxIdleConnections =
# Datasource Maximum active connections - Default value 50
#Starter.Database.MaxActiveConnections =

## ---- LDAP Settings ----
## user, password are encrypted
# LDAP url such as ldap://<hostname>:<port>
Starter.LDAP.url = 
# LDAP user to bind the LDAP connection
# could be: uid=<login>,cn=users,cn=accounts,dc=sis,dc=cnes,dc=fr
Starter.LDAP.user = 
# LDAP password, must be encrypted by the AES algorithm 
Starter.LDAP.password = 
# LDAP group
Starter.LDAP.project =
# User in LDAP, which is administrator
Starter.LDAP.user.admin = 
# LDAP filter to search group
Starter.LDAP.search.group = cn=groups,cn=accounts,dc=sis,dc=cnes,dc=fr
# LDAP filter to search user
Starter.LDAP.search.user = cn=users,cn=accounts,dc=sis,dc=cnes,dc=fr
# User name attribute in LDAP
Starter.LDAP.attr.username = uid
# mail name attribute in LDAP
Starter.LDAP.attr.mail = mail
# fullaname attribute in LDAP
Starter.LDAP.attr.fullname = cn

## --- Attribution ---
# Html part to add attribution closed to the CNES logo
# Basically, it could be <a href="www.cnes.fr" target="_blank">
# <img src="/resources/images/Cnes-logo.png" width="50px" height="50px"/>&nbsp;&copy; CNES 2019</a>   
#Starter.attribution = 

## -- General setup --
#Uncomment and Set to false when the login/password can be in clear in the configuration file
#Default value is true 
#Starter.encrypted_fields = true

# Generate keystore
keytool -keystore doiServerKey.jks -alias doiServer -genkey -keyalg RSA -keysize 2048 -dname "CN=localhost,OU=DNO/ISA/VIP,O=CNES,L=Toulouse,ST=Unknown,C=FR" -sigalg "SHA1withRSA"

# or import the certificate in the keystore
keytool -import -alias <hostname> -keystore doiServerKey.jks -file <certificat file>

# List records in keystore (validity date for instance)
keytool -list -v -keystore doiServerKey.jks

# Extends the validity date
keytool -selfcert -v -alias doiServer -validity 3650 -keystore doiServerKey.jks

# To be useful, the certificate needs to be exported so that it can be 
# imported into other keystores such as those used by the Java VM or Windows.
# To export the certificate, use keytool with the following options:
keytool -export -v -alias doiServer -file doiServer.cer -keystore doiServerKey.jks

# You should now have a file called 'server.cer' that contains your server's 
# self-signed certificate. The server will present this certificate whenever 
# an HTTPS client sends a request. There are different ways of installing the 
# certificate on the server; in the Restlet example server code below, the 
# certificate is loaded from the keystore when the Restlet server is started.

# There are different ways to get a HTTPS client to trust your certificate. 
# If you are using a browser, there may be an option to add it to a list of 
# trusted certificates. In Windows XP, the certificate can be added to the 
# 'Trusted Root Certification Authorities' via Internet Options (in IE7 or 
# Control Panel - Internet Options). On the 'Content' tab, click 
# 'Certificates', then go to 'Trusted Root Certification Authorities' tab, 
# click 'Import...' and follow the steps to import your certificate file 
# ('server.cer'). It will give warnings about not being verified, which is ok 
# for testing, but it must be properly signed by proper Certification Authority
# for production. Firefox 3 also has the ability to add exceptions to trust 
# individual certificates (self-signed or issued by an unknown CA).

# If you are using another Java program instead of a browser, then you need 
# to let the Java VM know about the certificate. There are several ways to do 
# this, but here are two:

#  1. Import the certificate to the Java VM trusted certificates file, which is
# called 'cacerts' by default and located in the lib/security directory of the 
# Java home directory, for example 
# C:\Program Files\Java\jre6\lib\security\cacerts
# The keytool command to do this is:
 keytool -import\
 -alias serverX\
 -file serverX.cer\
 -keystore "C:\\Program Files\\Java\\jre6\\lib\\security\\cacerts"\
 -storepass "changeit"
 
 
# If you are using Python program instead of a browser, then you need 
# add the certificate to the Python certificates file, which is
# called 'cacert.pem' located in certifi directory.
# for example: 
# ...\Python\Python37-32\Lib\site-packages\certifi-2018.11.29-py3.7.egg\certifi\cacert.pem

 

#  2. Add the following Java VM arguments to your Java client command line:
  -Djavax.net.ssl.trustStore=C:\\\\somedir\\\\serverX.jks -Djavax.net.ssl.trustStoreType=JKS\
  -Djavax.net.ssl.trustStorePassword=password

# These arguments tell the Java VM where to find your certificate. Please note 
# that this approach should only be used in a test environment, not in 
# production, as the password is shown in plain text.