mgmt: add certificate generation/export instructions to nfd.conf.sample.in and README.md
rename configuration file's "keyfile" field to "certfile" to reflect usage of
an NDN certificate
nfd.conf certfile paths are now interpreted as relative to nfd.conf's location
refs: #1332
Change-Id: Ib91cffd3d113ef084bf19e87a85172ddfd16b7eb
diff --git a/nfd.conf.sample.in b/nfd.conf.sample.in
index c7710a1..c915202 100644
--- a/nfd.conf.sample.in
+++ b/nfd.conf.sample.in
@@ -1,26 +1,26 @@
-; the general section contains settings of nfd process
+; The general section contains settings of nfd process.
; general
; {
; }
-; the face_system section defines what faces and channels are created
+; The face_system section defines what faces and channels are created.
face_system
{
- ; the unix section contains settings of UNIX stream faces and channels
+ ; The unix section contains settings of UNIX stream faces and channels.
unix
{
listen yes ; set to 'no' to disable UNIX stream listener, default 'yes'
path /var/run/nfd.sock ; UNIX stream listener path
}
- ; the tcp section contains settings of TCP faces and channels
+ ; The tcp section contains settings of TCP faces and channels.
tcp
{
listen yes ; set to 'no' to disable TCP listener, default 'yes'
port 6363 ; TCP listener port number
}
- ; the udp section contains settings of UDP faces and channels
+ ; The udp section contains settings of UDP faces and channels.
udp
{
port 6363 ; UDP unicast port number
@@ -31,36 +31,95 @@
; Example multicast settings
; NFD creates one UDP multicast face per NIC
+
; mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
; mcast_port 56363 ; UDP multicast port number
; mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
}
- ; the ether section contains settings of Ethernet faces and channels
+ ; The ether section contains settings of Ethernet faces and channels.
+ ; These settings will NOT work without root or setting the appropriate
+ ; permissions:
+ ;
+ ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
+ ;
+ ; You may need to install a package to use setcap:
+ ;
+ ; **Ubuntu:**
+ ;
+ ; sudo apt-get install libcap2-bin
+ ;
+ ; **Mac OS X:**
+ ;
+ ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
+ ; tar zxvf ChmodBPF.tar.gz
+ ; open ChmodBPF/Install\ ChmodBPF.app
+ ;
+ ; or manually:
+ ;
+ ; sudo chgrp admin /dev/bpf*
+ ; sudo chmod g+rw /dev/bpf*
+
ether
{
mcast no
- ; Example multicast settings
- ; NFD creates one Ethernet multicast face per NIC
- ; mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
- ; mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
+
+ ; Example multicast settings
+ ; NFD creates one Ethernet multicast face per NIC
+ ;
+ ; mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
+ ; mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
}
}
-; the authorizations section grants privileges to authorized keys
+; The authorizations section grants privileges to authorized keys.
authorizations
{
- ; an authorize section grants privileges to a key
+ ; An authorize section grants privileges to a NDN certificate.
authorize
{
- keyfile @SYSCONFDIR@/ndn/keys/default.pub ; public key file
- privileges ; set of privileges granted to this public key
+ ; If you do not already have NDN certificate, you can generate
+ ; one with the following commands.
+ ;
+ ; 1. Generate and install a self-signed identity certificate:
+ ;
+ ; ndnsec-keygen /`whoami` | ndnsec-install-cert -
+ ;
+ ; Note that the argument to ndnsec-key will be the identity name of the
+ ; new key (in this case, /your-username). Identities are hierarchical NDN
+ ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
+ ; You may create additional keys and identities as you see fit.
+ ;
+ ; 2. Dump the NDN certificate to a file:
+ ;
+ ; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
+ ; ndnsec-cert-dump -i /`whoami` > default.ndncert
+ ; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
+ ;
+ ; The "certfile" field below specifies the default key directory for
+ ; your machine. You may move your newly created key to the location it
+ ; specifies or path.
+
+ certfile keys/default.ndncert ; NDN identity certificate file
+ privileges ; set of privileges granted to this identity
{
control-header
faces
fib
- ; stats
strategy-choice
}
}
+
+ ; You may have multiple authorize sections that specify additional
+ ; certificates and their privileges.
+
+; authorize
+; {
+; certfile keys/this_cert_does_not_exist.ndncert
+; authorize
+; privileges
+; {
+; faces
+; }
+; }
}
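Review bot: The commented-out second `authorize` example at the end of this hunk has a stray `; authorize` line between `certfile` and `privileges`, so anyone who uncomments it to grant privileges to another certificate gets an unexpected key inside the section; that line should be dropped. In the ether comment, the Mac OS X steps download an installer from a Bugzilla attachment and open it with no integrity check, and the URL contains an unquoted `?`. I would quote the URL and add `; Verify the archive against a checksum from a source you trust before opening it.`, or list the manual `chgrp`/`chmod` steps first and note that `chmod g+rw /dev/bpf*` gives every member of the admin group raw packet access. The note under step 1 says `ndnsec-key` where the command shown is `ndnsec-keygen`. The closing sentence about "certfile" ends in "the location it specifies or path." and reads as truncated, and it calls the certificate file path a "key directory".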