cycles-quartz/examples/transfers/sgx_default_qcnl.conf

{
    // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Dont change them.
  
    //PCCS server address
    "pccs_url": "https://global.acccache.azure.net/sgx/certification/v4/"
  
    // To accept insecure HTTPS certificate, set this option to false
    ,"use_secure_cert": false
  
    // You can use the Intel PCS or another PCCS to get quote verification collateral.  Retrieval of PCK
    // Certificates will always use the PCCS described in pccs_url.  When collateral_service is not defined, both
    // PCK Certs and verification collateral will be retrieved using pccs_url
    //,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"
    ,"collateral_service": "https://global.acccache.azure.net/sgx/certification/v4/"
  
    // Type of update to TCB Info. Possible value: early, standard. Default is standard.
    // early indicates an early access to updated TCB Info provided as part of a TCB recovery event
    // (commonly the day of public disclosure of the items in scope)
    // standard indicates standard access to updated TCB Info provided as part of a TCB recovery event
    // (commonly approximately 6 weeks after public disclosure of the items in scope)
    //, "tcb_update_type" : "standard"
  
    // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
    // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
    // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version
    // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1
    // internally.  Currently, only values of 3.0 and 3.1 are valid.  Note, if you set this to 3.1, the PCCS use to retrieve
    // verification collateral must support the new 3.1 APIs.
    //,"pccs_api_version": "3.1"
  
    // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
    // It will first wait one second and then for all forthcoming retries it will double the waiting time.
    // By using retry_delay you disable this exponential backoff algorithm
    ,"retry_times": 6
  
    // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
    ,"retry_delay": 10
  
    // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
    // and failover to pccs_url as in legacy mode.
    //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"
  
    // If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache.
    // The PCK certificates will be cached in memory and then to the disk drive.
    // The local cache files will be sequentially searched in the following directories until located in one of them:
    // Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
    // Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
    // Please be aware that the environment variable pertains to the account executing the process that loads QPL,
    // not the account used to log in. For instance, if QPL is loaded by QGS, then those environment variables relate to
    // the "qgsd" account, which is the account that runs the QGS daemon.
    // You can remove the local cache files either manually or by using the QPL API, sgx_qpl_clear_cache. If you opt to
    // delete them manually, navigate to the aforementioned caching directories, find the folder named .dcap-qcnl, and delete it.
    // Restart the service after all cache folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
    ,"pck_cache_expire_hours": 168
  
    // To set cache expire time for quote verification collateral in hours
    // See the above comment for pck_cache_expire_hours for more information on the local cache.
    ,"verify_collateral_cache_expire_hours": 168
  
    // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates
    // from local cache files and will not request any PCK certificates from service providers, whether local or remote.
    // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with
    // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use
    // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform
    // that requires provisioning.
    ,"local_cache_only": false
  
    // You can add custom request headers and parameters to the get certificate API.
    // But the default PCCS implementation just ignores them.
    //,"custom_request_options" : {
    //  "get_cert" : {
    //    "headers": {
    //      "head1": "value1"
    //    },
    //    "params": {
    //      "param1": "value1",
    //      "param2": "value2"
    //    }
    //  }
    //}
  }
Update docs with Azure SGX & cleanup other docs (#254) Co-authored-by: Dave Kaj <davidkajpust@informal.systems> Co-authored-by: Ubuntu <big-cycles@quartz-sgx-test-release.vjset0kafl0exefwnpdw0qebjd.bx.internal.cloudapp.net> Co-authored-by: hu55a1n1 <sufialhussaini@gmail.com> 2024-10-16 17:56:54 +00:00			`{`
			`// *** ATTENTION : This file is in JSON format so the keys are case sensitive. Dont change them.`

			`//PCCS server address`
			`"pccs_url": "https://global.acccache.azure.net/sgx/certification/v4/"`

			`// To accept insecure HTTPS certificate, set this option to false`
			`,"use_secure_cert": false`

			`// You can use the Intel PCS or another PCCS to get quote verification collateral. Retrieval of PCK`
			`// Certificates will always use the PCCS described in pccs_url. When collateral_service is not defined, both`
			`// PCK Certs and verification collateral will be retrieved using pccs_url`
			`//,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"`
			`,"collateral_service": "https://global.acccache.azure.net/sgx/certification/v4/"`

			`// Type of update to TCB Info. Possible value: early, standard. Default is standard.`
			`// early indicates an early access to updated TCB Info provided as part of a TCB recovery event`
			`// (commonly the day of public disclosure of the items in scope)`
			`// standard indicates standard access to updated TCB Info provided as part of a TCB recovery event`
			`// (commonly approximately 6 weeks after public disclosure of the items in scope)`
			`//, "tcb_update_type" : "standard"`

			`// If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.`
			`// The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while`
			`// the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version`
			`// setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1`
			`// internally. Currently, only values of 3.0 and 3.1 are valid. Note, if you set this to 3.1, the PCCS use to retrieve`
			`// verification collateral must support the new 3.1 APIs.`
			`//,"pccs_api_version": "3.1"`

			`// Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.`
			`// It will first wait one second and then for all forthcoming retries it will double the waiting time.`
			`// By using retry_delay you disable this exponential backoff algorithm`
			`,"retry_times": 6`

			`// Sleep this amount of seconds before each retry when a transfer has failed with a transient error`
			`,"retry_delay": 10`

			`// If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,`
			`// and failover to pccs_url as in legacy mode.`
			`//,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"`

			`// If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache.`
			`// The PCK certificates will be cached in memory and then to the disk drive.`
			`// The local cache files will be sequentially searched in the following directories until located in one of them:`
			`// Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/`
			`// Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow`
			`// Please be aware that the environment variable pertains to the account executing the process that loads QPL,`
			`// not the account used to log in. For instance, if QPL is loaded by QGS, then those environment variables relate to`
			`// the "qgsd" account, which is the account that runs the QGS daemon.`
			`// You can remove the local cache files either manually or by using the QPL API, sgx_qpl_clear_cache. If you opt to`
			`// delete them manually, navigate to the aforementioned caching directories, find the folder named .dcap-qcnl, and delete it.`
			`// Restart the service after all cache folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"`
			`,"pck_cache_expire_hours": 168`

			`// To set cache expire time for quote verification collateral in hours`
			`// See the above comment for pck_cache_expire_hours for more information on the local cache.`
			`,"verify_collateral_cache_expire_hours": 168`

			`// When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates`
			`// from local cache files and will not request any PCK certificates from service providers, whether local or remote.`
			`// To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with`
			`// the appropriate cache files. To generate these cache files for specific platforms, the administrator can use`
			`// the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform`
			`// that requires provisioning.`
			`,"local_cache_only": false`

			`// You can add custom request headers and parameters to the get certificate API.`
			`// But the default PCCS implementation just ignores them.`
			`//,"custom_request_options" : {`
			`// "get_cert" : {`
			`// "headers": {`
			`// "head1": "value1"`
			`// },`
			`// "params": {`
			`// "param1": "value1",`
			`// "param2": "value2"`
			`// }`
			`// }`
			`//}`
			`}`