syntax-version=1
# This is a configuration file understood by the nCipher configuration
# library; it is also written automatically by some software, and it can be
# edited manually. When manually editing this file, the following rules
# should be observed:
#  o The syntax-version line must be the first line of the file.
#  o The file must only contain characters with ASCII values between 32 and
#    127 and \t, \r and \n.                                             
#  o Strings in the section-headers and field names are case sensitive.    
#  o field-value lines look like FIELDNAME=VALUE, white space before and   
#    after FIELDNAME and VALUE is harmless, it is stripped away by the     
#    configuration library.                                                
#  o Lines starting with a # are comments and are ignored by the library.
#    Some comments are autogenerated by the library to assist in documenting
#    the configuration options. Comments may be manually added to this
#    file, but they might be overwritten if they are in a section that
#    gets modified by a software utility.
#  o If a section has multiple entries, each entry after the first is
#    introduced by a line consisting of one or more hyphens ("-").


[server_settings]
# Start of the server_settings section
# Hardserver settings which can be changed by calling hsc_serversettings with
# the hardserver running
# Each entry has the following fields:
#
# The hardserver's logging level, one of info, notice, client, remoteserver,
# error, serious, internal, startup, fatal, fatalinternal (default=info)
#  loglevel=STRING
#
# Level of detail to log, for diagnostics or debugging.
#  logdetail=FLAGS
#
# The maximum queue length for a remote connection between 1 and 4096
# (default=4096)
#  connect_maxqueue=INT
#
# Number of seconds to wait before retrying a remote connection (default=10)
#  connect_retry=INT
#
# Number of seconds between keepalive packets for remote connections
# (default=10)
#  connect_keepalive=INT
#
# Number of seconds of inactivity before we say that a remote connection is
# broken (default=90)
#  connect_broken=INT
#
# After a netHSM has failed, how many seconds should the hardserver wait for
# it to become available again, before failing commands destined to the netHSM
# with a NetworkError message. For commands to have a chance of succeeding
# after a netHSM has failed, this value should be greater than connect_retry.
# If it is set to 0, then commands to the netHSM are failed with NetworkError
# immediately after a netHSM has failed. (default = 35)
#  connect_command_block=INT
#
# Number of seconds before the first keepalive packet for remote incoming
# connections (default=30)
#  accept_keepidle=INT
#
# Number of seconds between keepalive packets for remote incoming connections.
# The socket will timeout after ten consecutive probe failures (default=10)
#  accept_keepalive=INT
#
# Maximum PCI interface version. 0 implies no limit. (default=0)
#  max_pci_if_vers=INT


[module_settings]
# Start of the module_settings section
# Per-module settings which can be changed by calling hsc_serversettings with
# the hardserver running
# Each entry has the following fields:
#
# Module ESN
#  esn=ESN
#
# Priority class of this module -- lower number is higher priority. (values
# 1-100, default 100)
#  priority=INT


[server_remotecomms]
# Start of the server_remotecomms section
# Hardserver remote communication settings, these are only read at hardserver
# startup time
# Each entry has the following fields:
#
# The port for the hardserver to listen to for incoming impath connections or
# 0 for none (default=9004). Note that any firewall must be configured to
# allow connections to this port.
#  impath_port=PORT
#
# Specific IP address the hardserver will bind to in order to listen for
# incoming impath connections (default INADDR_ANY)
#  impath_addr=ADDRESS
#
# Interface name the hardserver will bind to (used if impath_addr is
# INADDR_ANY); default is bind to all interfaces.
#  impath_interface=INTERFACE


[server_startup]
# Start of the server_startup section
# Hardserver communication settings, these are only read at hardserver startup
# time
# Each entry has the following fields:
#
# Name of unix socket to use for non-privileged connections on unix
# (default=/dev/nfast/nserver)
#  unix_socket_name=STRING
#
# Name of unix socket to use for privileged connections on unix
# (default=/dev/nfast/priv/privnserver)
#  unix_privsocket_name=STRING
#
# Name of pipe to use for non-privileged connections on windows or empty
# string for none (default=\\.\pipe\crypto)
#  nt_pipe_name=STRING
#
# Users allowed to issue non-privileged connections on windows, or an empty
# string to allow any user (default="")
#  nt_pipe_users=STRING
#
# Name of pipe to use for privileged connections on windows or empty string
# for none (default=\\.\pipe\privcrypto)
#  nt_privpipe_name=STRING
#
# Users allowed to issue privileged connections on windows, or an empty string
# to allow any user (default="")
#  nt_privpipe_users=STRING
#
# The port for the hardserver to listen to for local non-privileged TCP
# connections or 0 for none. Java clients default to connecting to 9000
# (default=0)
#  nonpriv_port=PORT
#
# The port for the hardserver to listen to for local privileged TCP
# connections or 0 for none. Java clients default to connecting to 9001
# (default=0)
#  priv_port=PORT
#
# list of serial device nodes or COM ports for serial devices, e.g. COM1:COM2
# or /dev/cua2:/dev/cua3 (default="")
#  serial_dtpp_devices=STRING
#
# list of local dtpp IP devices (e.g. nForce Ultra), e.g. 10.100.0.8:10.101.0.8
# (default="")
#  net_dtpp_devices=STRING


[nethsm_imports]
# Start of the nethsm_imports section
# The netHSMs that the hardserver should import. Note that the limits listed
# here must be at least as strict as the netHSM's own configuration, or the
# netHSM will reject attempts to connect with ServerAccessDenied.
# Each entry has the following fields:
#
# New module number to assign to the imported nethsm, or 0 to use the next
# unassigned module number. (default=0)
#  local_module=INT
#
# IP address of the nethsm
#  remote_ip=ADDR
#
# Port to connect to on the nethsm
#  remote_port=PORT
#
# ESN of the nethsm to import
#  remote_esn=ESN
#
# The hash of the key that the nethsm should authenticate itself with. If set
# to forty zeroes, key authentication is not performed (NOT RECOMMENDED).
#  keyhash=KEYHASH
#
# The time interval in seconds between session key renegotiation for the
# impath connection, or 0 for unlimited. (default=60*60*24s=1 day).
#  timelimit=INT
#
# Amount of data in bytes to encrypt with a session key before session key
# renegotiation, or 0 for unlimited. (default=1024*1024*8 bytes=8MB).
#  datalimit=INT
#
# Whether to make a privileged connection to the nethsm (default=0)
#  privileged=INT
#
# Whether to use high-numbered ports for privileged connections (default=0)
#  privileged_use_high_port=INT
#
# ESN of this client's nToken
#  ntoken_esn=ESN


[load_seemachine]
# Start of the load_seemachine section
# The SEE machines that the modules should load and possibly start for the
# benefit of other hardserver clients. Incorporates payShield startup settings
# Each entry has the following fields:
#
# The module to load the SEE machine onto
#  module=INT
#
# The filename of the SEE machine for this module to host. If the module is a
# payShield this must be the full path to emvsmtype(1,2).sar with the desired
# version number.
#  machine_file=STRING
#
# The ident of the seeconf key that protects the SEE machine. Only
# module-protected keys can be used here. If the machine is not encrypted then
# leave this field blank.
#  encryption_key=STRING
#
# The hash of the key that the SEE machine is signed by. This is only required
# if you are using the dynamic feature enable and the SEE machine is
# encrypted. (If the SEE machine is not encrypted then the signing key hash
# can be extracted from it automatically.)
#  signing_hash=KEYHASH
#
# The filename of the userdata to pass to the SEE machine on startup. If
# userdata is "" then the seemachine is loaded but not started. (default="").
# If the module is a payShield then this field must be left blank.
#  userdata=STRING
#
# The PublishedObject name to use for publishing the KeyID of the started SEE
# machine. If worldid_pubname is "" then the KeyID is not published. This
# field is ignored if userdata is "". (default=""). If the module is a
# payShield then this field must be left blank.
#  worldid_pubname=STRING
#
# Program to run after loading the SEE machine to perform any initialisation
# required by the SEE machine or its clients, or "" if no initialisation is
# required. This program must accept an argument of the form "-m <module>".
# (default=""). If the module is a payShield, simply enter "payshield".
#  postload_prog=STRING
#
# Args to pass to postload_prog, less '-m <module>' which will be
# automatically passed as the first argument. This field is ignored if
# postload_prog is "". (default=""). If the module is a payShield then enter
# "-n <psiname> [-d]".
#  postload_args=STRING
#
# Set to "yes" to pull the SEE machine and userdata from the RFS before
# loading on the remote module. (default=no)
#  pull_rfs=ENUM


[slot_imports]
# Start of the slot_imports section
# Remote slots that the hardserver should import to modules on this machine
# Each entry has the following fields:
#
# ESN of the local module to import the slot to
#  local_esn=ESN
#
# SlotID to use to refer to the slot when it is imported on the local module
# (default=2)
#  local_slotid=INT
#
# IP address of the machine hosting the slot to import
#  remote_ip=ADDR
#
# Port to connect to on the remote machine
#  remote_port=PORT
#
# ESN of the remote module to import the slot from
#  remote_esn=ESN
#
# SlotID of the slot to import on the remote module (default=0)
#  remote_slotid=INT


[slot_exports]
# Start of the slot_exports section
# Local slots that the hardserver should allow remote modules to import
# Each entry has the following fields:
#
# ESN of the local module whose slot is allowed to be exported.
#  local_esn=ESN
#
# SlotID of the slot which is allowed to be exported. (default=0)
#  local_slotid=INT
#
# IP address of the machine allowed to import the slot or 0.0.0.0 to allow all
# machines. (default=0.0.0.0)
#  remote_ip=ADDR
#
# ESN of the module allowed to import the slot or "" to allow all modules
# which are permitted in the security world. (default="")
#  remote_esn=ESN


[remote_file_system]
# Start of the remote_file_system section
# The remote file system volumes that this machine hosts for the benefit of
# netHSMs. WARNING: This section is automatically written by the rfs-setup
# utility, it is recommended not to edit entries in this section.
# Each entry has the following fields:
#
# IP address of the machine allowed to access this volume or 0.0.0.0 to allow
# any IP address. (default=0.0.0.0)
#  remote_ip=ADDR
#
# ESN of the remote module allowed to access this volume or "" to allow any
# module (default="")
#  remote_esn=ESN
#
# The hash of the key that the machine must authenticate itself with, or 40
# zeros to indicate that no key authentication is required. (default=40 zeros)
#  keyhash=KEYHASH
#
# The local filename for the volume to which this entry corresponds
#  native_path=STRING
#
# The name of the volume which the remote host uses to access the files in
# native_path
#  volume=STRING
#
# Set to "yes" to allow a remote server to read the contents of a file in this
# volume. (default=no)
#  allow_read=ENUM
#
# Set to "yes" to allow a remote server to write the contents of a file in
# this volume. (default=no)
#  allow_write=ENUM
#
# Set to "yes" to allow a remote server to list the contents of a directory in
# this volume. (default=no)
#  allow_list=ENUM
#
# Set to "yes" if this volume represents a directory (default=no)
#  is_directory=ENUM
#
# Set to "yes" if files in this volume are text files which need to be opened
# in text mode. (default=no)
#  is_text=ENUM


[rfs_sync_client]
# Start of the rfs_sync_client section
# The remote file system that this client will synchronise its key management
# data files with.
# Each entry has the following fields:
#
# IP address of the RFS server to synchronise against.
#  remote_ip=ADDR
#
# Port to connect to the RFS server with (default 9004).
#  remote_port=PORT
#
# Set to 'yes' to use an authenticated channel to the RFS.
#  use_kneti=ENUM
#
# ESN of the local module to use for authentication (default = first module;
# only required if use_kneti=yes).
#  local_esn=ESN


[remote_slot_imports]
# Start of the remote_slot_imports section
# Remote slots that the local hardserver should allow to be imported at the
# request of remote servers
# Each entry has the following fields:
#
# ESN of the local module allowed to import the slot.
#  local_esn=ESN
#
# IP address of the machine whose slot is allowed to be imported or 0.0.0.0 to
# allow all machines. (default=0.0.0.0)
#  remote_ip=ADDR
#
# ESN of the remote module whose slot is allowed to be imported or "" to allow
# all modules which are permitted in the security world. (default="")
#  remote_esn=ESN
#
# SlotID of the slot which is allowed to be imported. (default=0)
#  remote_slotid=INT
