{ // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them. //PCCS server address "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/" // To accept insecure HTTPS certificate, set this option to false ,"use_secure_cert": true // You can use the Intel PCS or another PCCS to get quote verification collateral. Retrieval of PCK // Certificates will always use the PCCS described in pccs_url. When collateral_service is not defined, both // PCK Certs and verification collateral will be retrieved using pccs_url //,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/" // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used. // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1 // internally. Currently, only values of 3.0 and 3.1 are valid. Note, if you set this to 3.1, the PCCS use to retrieve // verification collateral must support the new 3.1 APIs. //,"pccs_api_version": "3.1" // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed. // It will first wait one second and then for all forthcoming retries it will double the waiting time. // By using retry_delay you disable this exponential backoff algorithm ,"retry_times": 6 // Sleep this amount of seconds before each retry when a transfer has failed with a transient error ,"retry_delay": 10 // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first, // and failover to pccs_url as in legacy mode. //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/" // If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache. // The PCK certificates will be cached in memory and then to the disk drive. // ===== Important: Once the local cache files are created, currently there is no other way to clean them other // than to delete them manually, or wait for them to expire after "pck_cache_expire_hours" hours. // To delete the cache files manually, go to these foders: // Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/ // Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow // If there is a folder called .dcap-qcnl, delete it. Restart the service after all cache // folders were deleted. The same method applies to "verify_collateral_cache_expire_hours" ,"pck_cache_expire_hours": 168 // To set cache expire time for quote verification collateral in hours // See the above comment for pck_cache_expire_hours for more information on the local cache. ,"verify_collateral_cache_expire_hours": 168 // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates // from local cache files and will not request any PCK certificates from service providers, whether local or remote. // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform // that requires provisioning. ,"local_cache_only": false // You can add custom request headers and parameters to the get certificate API. // But the default PCCS implementation just ignores them. //,"custom_request_options" : { // "get_cert" : { // "headers": { // "head1": "value1" // }, // "params": { // "param1": "value1", // "param2": "value2" // } // } //} }