General configuration settings are children of the <ICSCONFIG> tag and valid for all listener configurations.
The general configurations listed below are read by the ics configuration implementation. See extension libraries for the specific configurations of the extension libraries.
The <EXTLIBS> tag introduces a list of libraries <LIB> that should be loaded by the ics's library manager.
The extension libraries will provide the actual features of the ics infrastructure. Without any extension library configuration no facility will be provided.
The libraries need to be specified with their full path.
You need to specify the ics.exe as extension library provider. It provides the logger and the certificate manager.
On Windows you need to specifiy <LIB>ics.exe</LIB>, while on linux you need to specify <LIB>ics</LIB>
<EXTLIBS>
<LIB>ics.exe</LIB>
<LIB>httpauth</LIB>
<LIB>ldapauth</LIB>
</EXTLIBS>
Note: for security reasons you should only list libraries that are required for your specific site configuration.
The <DAEMONIZE> tag configures an abritrary number of daemonized extensions.
Each of the daemonized extension is started as a separate process and can provide services to the ics infrastructure
<DAEMONIZE>
<DAEMON ID="1" LIB="ics.exe" RUN="logger" PROCESSES="1">
<PORT>9000</PORT>
<DIR>F:/icstest\icstest\log</DIR>
</DAEMON>
</DAEMONIZE>
The ID attribute must be a unique attribute attached to the daemon.
The LIB attribute must the library as specified in the EXTLIB section that provides the service.
The RUN attribute specifies the command of the extension library that implements the daemon service.
The PROCESSES attribute specifies the number of instances of the daemon service to start.
The actional configuration of the daemon service must be contained in the DAEMON tag.
The <PROTOCOLS> tag introduces a list of protocols <PROTOCOL> that are provided by the protocol plug-in libraries.
The identifier of the protocols are hardcoded by the protocol plug-ins and this section serves as reference only.
<PROTOCOLS>
<PROTOCOL ID="1">HTTP</PROTOCOL>
<PROTOCOL ID="2">HTTPS</PROTOCOL>
</PROTOCOLS>
The <PROCESSES> tag configures the number of processes that should be started by ics as well as the name of the underprivileged user to run the worker processes with.
<PROCESSES RUNAS="wwwrun">1</PROCESSES>
The RUNAS attribute specifies the user with which the worker child process should be executed.
The <THREADSPERPROCESS> tag configures the number of threads that should be started by ics per process.
<THREADSPERPROCESS>5</THREADSPERPROCESS>
The <MULTIPLEXER> tag configures the multiplexer to use by the worker processes.
<MULTIPLEXER MAXCONNS="3000" IMPL="best" TIMEOUT="30" />
The MAXCONNS attribute specifies the max. number of connections to be served by one worker process.
The IMPL attribute specifies the multiplexer implementation to use.
The TIMEOUT attribute specifies the max. connection timeout in seconds.
Various protocols e.g. HTTP determine the format of an entitiy via the file extension. The configuration tag
<MIMETYPESFILE>
allows to specify a file which contains mappings between the mime type and the standard file extensions that these files carry. The file has the following format
comment lines are introduced by #
media types with several file extensions e.g.
application/x-compressed-tar tar.gz tar.Z tgz taz
Linux provides a mime-type file /etc/mime.types with that format.
The configuration of the mimetype file looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<ICSCONFIG VERSION="1.0">
<MIMETYPESFILE>/etc/mime.types</MIMETYPESFILE>
</ICSCONFIG>
If no mime type configuration is available the protocols use some standard mappings.
The <DEFAULTS> tag introduces extension library specific defaults configuration, which should apply to all listener specific sections and subsections.
<DEFAULTS>
<EXTENSIONSPECIFIC>
<EXTENSIONDETAIL>
...
</EXTENSIONDETAIL>
</EXTENSIONSPECIFIC>
</DEFAULTS>
Please see section specific configurations for details on supported configuration defaults.
ICS provides build-in transport layer security with secure key exchange using Diffie-Hellman key exchange.
This method requires empheral DH group keys that should be generated per installation and listed within the <SECURECONFIG> tag.
The <DH> tag identifies one empheral DH key of a specific key length defined by attribute KEYLENGTH.
The full path and file name to the generated DH key file is specified within the tag.
DH keys for 512 and 1024 bits should not be used to avoid weak Diffie-Hellman (DH) key exchange parameters. If no files for 512/1024 keys are specified a default of 2048 key will be returned even though a key fo 512/1024 is requested.
For Java 1.7 compatibility you will need to generate and specify a 1024 key file
Following an example configuration:
<SECURECONFIG>
<DH KEYLENGTH="2048">/etc/ics/certs/dh2048.pem</DH>
<DH KEYLENGTH="4096">/etc/ics/certs/dh4096.pem</DH>
</SECURECONFIG>
It is important that the empheral keys are generated for each installation and kept secret, thus the files should have read permission for the user that starts ics but not for the underprivileged or other users.
The keys can be generated using the openssl tool kit as follows.
openssl dhparam -out dh512.pem -2 512
openssl dhparam -out dh1024.pem -2 1024
openssl dhparam -out dh2048.pem -2 2048
openssl dhparam -out dh4096.pem -2 4096
Note:If no SECURECONFIG is available ICS will generate the keys on demand which will cause severe performance issues.
ICS provides a logging facility that can be used by protocol implementations.
The log configuration is introduced by the <LOG> tag
The logger process is provided as a daemonized extension library
<DAEMONIZE>
<DAEMON ID="1" LIB="ics.exe" RUN="logger" PROCESSES="1">
<PORT>9000</PORT>
<DIR>F:/icstest\icstest\log</DIR>
</DAEMON>
</DAEMONIZE>
In order to keep downward compatibility the log configuration also still supports the configuration of a logger process.
<LOG TYPE="OWN" HOST="localhost" PORT="9000">
However this should not be used anymore. Instead the LOG tag is required to configure the connection for the work processes
<LOG TYPE="OTHER" HOST="localhost" PORT="9000">
It comprises three attributes
Attribute TYPE determines whether the log process should be started locally (TYPE="OWN") or not.
Attribute HOST specifies the host hat runs the log process and to which a connection should be established.
Attribute PORT specifies the port that the logger process is running on.
The logger process currently runs as root user.
Note: for performance and security reasons the logger process should be started locally TYPE="OWN" with HOST specifying the local host.
Be aware that if you run multiple instances you must use different ports for each instance.
<LOG TYPE="OWN" HOST="localhost" PORT="9000">
<DIR>/var/log/ics</DIR>
</LOG>
The <DIR> tag configures the directory where the log files should be written to.