Setting up the TLS Pool Dæmon
=============================

> *After all the preparation has been done, it is relatively simple to start
> the TLS Pool itself.*

Have a last look through your configuration file, which is usually
`/etc/tlspool.conf` if you installed it system-wide. Take note of at least
the following settings:

- `socket_name` defines the path of the UNIX domain socket to the TLS Pool
- `socket_user` and `socket_group` define the user and group that may access
  its socket, together with `socket_mode` for its access mode
- `daemon_user` and `daemon_group` define the user and group running the
  TLS Pool
- `db_envdir` should now be set to the absolute path at which you set up your
  BerkeleyDB database environment
- `pkcs11_path` should point to your PKCS #11 shared library
- `pkcs11_token` should hold the identifying information of your token,
  created as per the directions provided by its manufacturer. You usually
  mention things like `model`, `manufacturer` and `token` in this token-query
  description; you may want to add the `serial` if you need an attribute that
  identifies a token uniquely given the other settings
- `pkcs11_pin` should be present, and only be present, if you intend to avoid
  any questions to user land about the PKCS #11 PIN to use
- `tls_dhparamfile` is for caching only, and will at worst cause a warning;
  for best results you should however point it to an absolute path, such as
  `/var/db/tlspool/db-params.pkcs3`
- `tls_onthefly_signcert` and `tls_onthefly_signkey` should only be set if
  you intend to support on-the-fly creation of certificates. If they exist,
  they should represent existing credentials, and any file reference should
  be an absolute path
- `dnssec_rootkey` should be an absolute path, such as
  `/var/tlspool/db/root.key`; be sure to download to that location a
  *validated* version of the root key distributed with the TLS Pool or
  obtained through

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dig . dnskey | grep 257
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once you are happy with your configuration, launch the TLS Pool with

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tlspool -kc /etc/tlspool.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The argument `-c` provides a configuration file, and `-k` is used to kill any
TLS Pool running prior to this call. You can repeat this command whenever you
change the configuration file and need the TLS Pool to restart to read the
new configuration.

Once the TLS Pool is running, it will output information as per the settings
in `log_level`, `log_filter` and `log_stderr`. By default, that is quite a lot.
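As an added pre-flight check, not part of the TLS Pool project, the following script walks the settings listed above before you run `tlspool -kc`: required keys present, path settings absolute, on-the-fly signing credentials set as a pair, and a stored `pkcs11_pin` only in a file that is not world-readable. It assumes the configuration file holds one `key value` pair per line; the module path and token string in the embedded sample are placeholders.

```shell
#!/bin/sh
# Pre-flight check for a tlspool.conf before running "tlspool -kc FILE".
# Added example, not part of the TLS Pool project. Assumption: the file holds
# one "key value" pair per line, with "#" starting a comment.
# conf_get KEY FILE: print KEY's value (first match), empty if absent.
conf_get() {
    sed -e 's/#.*//' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}
# check_tlspool_conf FILE: 0 if every check passes, 1 otherwise; findings on stderr.
check_tlspool_conf() {
    f="$1"; rc=0
    # Settings the walkthrough requires to be present.
    for key in socket_name db_envdir pkcs11_path pkcs11_token dnssec_rootkey; do
        [ -n "$(conf_get "$key" "$f")" ] || { echo "missing: $key" >&2; rc=1; }
    done
    # Every file or directory setting must be an absolute path.
    for key in socket_name db_envdir pkcs11_path tls_dhparamfile dnssec_rootkey \
               tls_onthefly_signcert tls_onthefly_signkey; do
        val="$(conf_get "$key" "$f")"
        case "$val" in
            ''|/*) ;;
            *) echo "not an absolute path: $key $val" >&2; rc=1 ;;
        esac
    done
    # On-the-fly signing needs both the certificate and the key, or neither.
    cert="$(conf_get tls_onthefly_signcert "$f")"
    key="$(conf_get tls_onthefly_signkey "$f")"
    if [ -n "$cert$key" ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
        echo "tls_onthefly_signcert and tls_onthefly_signkey must be set together" >&2; rc=1
    fi
    # A stored pkcs11_pin turns the config file into a secret: refuse world-readable files.
    if [ -n "$(conf_get pkcs11_pin "$f")" ] && [ -n "$(find "$f" -perm -o+r)" ]; then
        echo "pkcs11_pin is set but $f is world-readable" >&2; rc=1
    fi
    return $rc
}
# Constructed sample configuration (not a real deployment), written to a 0600 temp file.
sample="$(mktemp)"
cat >"$sample" <<'EOF'
socket_name   /var/run/tlspool.sock
db_envdir     /var/db/tlspool
pkcs11_path   /usr/lib/softhsm/libsofthsm2.so   # placeholder PKCS #11 module path
pkcs11_token  pkcs11:model=placeholder;manufacturer=placeholder;token=tlspool
dnssec_rootkey /var/tlspool/db/root.key
tls_dhparamfile /var/db/tlspool/db-params.pkcs3
EOF
check_tlspool_conf "$sample" && echo "config looks ready for: tlspool -kc $sample"
rm -f "$sample"
```

Run it as the user that will own the configuration file so the permission check reflects what `tlspool` will see.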