taler-docs

taler-exchange.conf.5.rst (26753B)

---

 ..
   This file is part of GNU TALER.
   Copyright (C) 2014-2024 Taler Systems SA
 
   TALER is free software; you can redistribute it and/or modify it under the
   terms of the GNU Affero General Public License as published by the Free Software
   Foundation; either version 2.1, or (at your option) any later version.
 
   TALER is distributed in the hope that it will be useful, but WITHOUT ANY
   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
   A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.
 
   You should have received a copy of the GNU Affero General Public License along with
   TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
 
   @author Florian Dold
   @author Benedikt Muller
   @author Sree Harsha Totakura
   @author Marcello Stanisci
   @author Christian Grothoff
   @author Javier Sepulveda
 
 
 taler-exchange.conf(5)
 ######################
 
 .. only:: html
 
    Name
    ====
 
    **taler-exchange.conf** - Taler exchange configuration file
 
 
 Description
 ===========
 
 .. include:: ../frags/common-conf-syntax.rst
 
 Files containing default values for many of the options described below
 are installed under ``$TALER_EXCHANGE_PREFIX/share/taler-exchange/config.d/``.
 The configuration file given with **-c** to Taler binaries
 overrides these defaults.
 
 A configuration file may include another, by using the ``@INLINE@`` directive,
 for example, in ``main.conf``, you could write ``@INLINE@ sub.conf`` to
 include the entirety of ``sub.conf`` at that point in ``main.conf``.
 
 Be extra careful when using ``taler-exchange-config -V VALUE`` to change configuration
 values: it will destroy all uses of ``@INLINE@`` and furthermore remove all
 comments from the configuration file!
 
 
 GLOBAL OPTIONS
 --------------
 
 The “[PATHS]” section is special in that it contains paths that can be
 referenced using “$” in other configuration values that specify
 filenames. For Taler exchange, it commonly contains the following paths:
 
 TALER_HOME
   Home directory of the user, usually “${HOME}”. Can be overwritten by
   testcases by setting ${TALER_TEST_HOME}.
 
 TALER_DATA_HOME
   Where should Taler store its long-term data.
   Usually “${TALER_HOME}/.local/share/taler-exchange/”.
 
 TALER_CONFIG_HOME
   Where is the Taler configuration kept.
   Usually “${TALER_HOME}/.config/taler-exchange/”.
 
 TALER_CACHE_HOME
   Where should Taler store cached data.
   Usually “${TALER_HOME}/.cache/taler-exchange/”.
 
 TALER_RUNTIME_DIR
   Where should Taler store system runtime data (like UNIX domain
   sockets). Usually “${TMP}/taler-exchange-runtime”.
 
 
 .. include:: frags/currency-spec.rst
 
 EXCHANGE OPTIONS
 ----------------
 
 The following options are from the “[exchange]” section and used by most
 exchange tools.
 
 CURRENCY
   Name of the currency, e.g. “EUR” for Euro.
 
 CURRENCY_ROUND_UNIT
   Smallest amount in this currency that can be transferred using the
   underlying RTGS. For example: "EUR:0.01" or "JPY:1".
 
 DB
   Plugin to use for the database, e.g. “postgres”.
 
 ATTRIBUTE_ENCRYPTION_KEY
   Attribute encryption key for storing attributes encrypted
   in the database. Should be a high-entropy nonce.
 
 SERVE
   Should the HTTP server listen on a UNIX domain socket (set option to "unix"), or on a TCP socket (set option to "tcp"), or be activated via systemd (set option to "systemd").
 
 UNIXPATH
   Path to listen on if we "SERVE" is set to "unix".
 
 UNIXPATH_MODE
   Access permission mask to use for the "UNIXPATH".
 
 PORT
   Port on which the HTTP server listens, e.g. 8080.
 
 BIND_TO
   Hostname to which the exchange HTTP server should be bound to, e.g. "localhost".
 
 MASTER_PUBLIC_KEY
   Crockford Base32-encoded master public key, public version of the
   exchange's long-time offline signing key.  This configuration option
   is also used by the **auditor** to determine the public key of the
   exchange which it is auditing.
 
 TINY_AMOUNT
   Smallest amount that can likely be transferred to the exchange.
   This value is published in the exchange's ``/keys`` response (as
   ``tiny_amount``) and is used in several places, for example as the
   default amount for KYC authentication wire transfers and by the
   auditor when reconciling incoming wire transfers. Because it is not
   specific to KYC, this option must be configured even when KYC is
   disabled (``ENABLE_KYC`` not set).
 
 SHOPPING_URL
   Web URL where users can discover shops that accept digital cash
   offered by this exchange. Optional, but highly recommended.
 
 AML_SPA_DIALECT
   Determines the variant of the AML SPA that should be shown. This
   will determine the set of forms shown to AML staff, statistics to
   be displayed on the main page, and influence the default set of
   properties/events the AML forms show when AML staff makes decisions.
   Possible values for now include "gls", "tops" and "magnet".
   Optional. The AML SPA will only show certain default forms and
   generic decisions if this option is not set.
 
 GLOBAL_PDF_FORM_DATA
   Set to a JSON object that should be provided as additional input
   to the PDF form generation logic when generating AML records in
   PDF format. Useful to specify global attributes for the Typst forms.
   Optional, global PDF form data injection will simply be off if
   this option is not specified.
 
 BANK_COMPLIANCE_LANGUAGE
   Determines the legal language (and possibly other UI/UX aspects)
   wallets should use when providing the user interface for this bank.
   Allows banks to communicate the desired compliance language they
   want to see used to the wallet. Wallets SHOULD follow the guidance
   provided by the bank, but some wallets MAY not understand all compliance
   languages. Optional, if not set wallets will use their default UI/UX.
 
 STEFAN_ABS
   Absolute amount to add as an offset in the STEFAN fee approximation
   curve (see DD47).  Defaults to CURRENCY:0 if not specified.
 
 STEFAN_LOG
   Amount to multiply by the base-2 logarithm of the total amount
   divided by the amount of the smallest denomination
   in the STEFAN fee approximation curve (see DD47).
   Defaults to CURRENCY:0 if not specified.
 
 STEFAN_LIN
   Linear floating point factor to be multiplied by the total amount
   to use in the STEFAN fee approximation curve (see DD47).
   Defaults to 0.0 if not specified.
 
 BASE_URL
   The base URL under which the exchange can be reached.
   Added to wire transfers to enable tracking by merchants.
   Used by the KYC logic when interacting with OAuth 2.0.
 
 TOPLEVEL_REDIRECT_URL
   Where to redirect visitors that access the top-level
   "/" endpoint of the exchange. Should point users to
   information about the exchange operator.
   Optional setting, defaults to "/terms".
 
 AGGREGATOR_IDLE_SLEEP_INTERVAL
   For how long should the taler-exchange-aggregator sleep when it is idle
   before trying to look for more work? Default is 60 seconds.
 
 CLOSER_IDLE_SLEEP_INTERVAL
   For how long should the taler-exchange-closer sleep when it is idle
   before trying to look for more work? Default is 60 seconds.
 
 TRANSFER_IDLE_SLEEP_INTERVAL
   For how long should the taler-exchange-transfer sleep when it is idle
   before trying to look for more work? Default is 60 seconds.
 
 WIREWATCH_IDLE_SLEEP_INTERVAL
   For how long should the taler-exchange-wirewatch sleep when it is idle
   before trying to look for more work? Default is 60 seconds.
 
 AGGREGATOR_SHARD_SIZE
   Which share of the range from [0,..2147483648] should be processed by one of the shards of the aggregator. Useful only for Taler exchanges with ultra high-performance needs. When changing this value, you must stop all aggregators and run "taler-exchange-dbinit -s" before resuming. Default is 2147483648 (no sharding).
 
 SIGNKEY_LEGAL_DURATION
   For how long are signatures with signing keys legally valid?
 
 MAX_KEYS_CACHING
   For how long should clients cache ``/keys`` responses at most?
 
 MAX_REQUESTS
   How many requests should the HTTP server process at most before committing suicide?
 
 TERMS_DIR
   Directory where the terms of service of the exchange operator can be fund.
   The directory must contain sub-directories for every supported language,
   using the two-character language code in lower case, e.g. "en/" or "fr/".
   Each subdirectory must then contain files with the terms of service in
   various formats.  The basename of the file of the current policy must be
   specified under ``TERMS_ETAG``.  The extension defines the mime type.
   Supported extensions include "html", "htm", "txt", "pdf", "jpg", "jpeg",
   "png" and "gif".  For example, using a ``TERMS_ETAG`` of "0", the structure
   could be the following:
 
   - $TERMS_DIR/en/0.pdf
   - $TERMS_DIR/en/0.html
   - $TERMS_DIR/en/0.txt
   - $TERMS_DIR/fr/0.pdf
   - $TERMS_DIR/fr/0.html
   - $TERMS_DIR/de/0.txt
 
 TERMS_ETAG
   Basename of the file(s) in the ``TERMS_DIR`` with the current terms of service.
   The value is also used for the "Etag" in the HTTP request to control
   caching.  Whenever the terms of service change, the ``TERMS_ETAG`` MUST also
   change, and old values MUST NOT be repeated.  For example, the date or
   version number of the terms of service SHOULD be used for the Etag.  If
   there are minor (e.g. spelling) fixes to the terms of service, the
   ``TERMS_ETAG`` probably SHOULD NOT be changed. However, whenever users must
   approve the new terms, the ``TERMS_ETAG`` MUST change.
 
 PRIVACY_DIR
   Works the same as ``TERMS_DIR``, just for the privacy policy.
 
 PRIVACY_ETAG
   Works the same as ``TERMS_ETAG``, just for the privacy policy.
 
 ENABLE_KYC
   Must be set to ``YES`` to enable AML/KYC rule enforcement. Note that the administrative endpoints will always work, even if the flag is set to ``NO``.
 
 KYC_SWAP_TOS_ACCEPTANCE
   Set to ``YES`` to signal to the merchant backend that it should
   swap the terms-of-service and KYC auth authentication steps in
   the user experience.  Optional, defaults to ``NO``.
 
 DISABLE_DIRECT_DEPOSIT
   Set to ``YES`` to indicate to wallets that deposits by non-merchants
   are not supported.  Defaults to ``NO``.
 
 
 EXCHANGE KYC PROVIDER OPTIONS
 -----------------------------
 
 The following options must be in the section "[kyc-provider-$PROVIDER_NAME]" sections.
 
 LOGIC
   API type of the KYC provider.
 
 Additional logic-specific options may be given in the
 section.
 
 
 EXCHANGE KYC OAUTH2 OPTIONS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The following options must be in the section "[kyc-provider-XXX]" sections with "LOGIC = oauth2".
 
 
 KYC_OAUTH2_VALIDITY
   Duration (e.g. "12 months") of the validity of the performed KYC check. Can be "forever".
 
 KYC_OAUTH2_AUTHORIZE_URL
   URL of the OAuth2 endpoint to be used for KYC checks. The authorize URL is where the exchange will redirect the client to begin the authorization process.  Example: "http://localhost:8888/oauth/v2/authorize". To use the plugin in combination with the Challenger service's ``/setup`` step, append "#setup", thus "https://challenger.example.com/authorize#setup".  Here, "#setup" is not a fragment but merely a hint to the logic to determine the full authorization URL via the ``/setup/$CLIENT_ID`` handler.
 
 KYC_OAUTH2_TOKEN_URL
   URL of the OAuth2 endpoint to be used for KYC checks. This is where the server will ultimately send the authorization token from the client and obtain its access token (which currently must be a "bearer" token). Example: "http://localhost:8888/oauth/v2/token" (or just "/token")
 
 KYC_OAUTH2_INFO_URL
   URL of the OAuth2-protected resource endpoint, where the OAuth 2.0 token can be used to download information about the user that has undergone the KYC process. The exchange will use the access token obtained from the KYC_AUTH2_AUTH_URL to show that it is authorized to obtain the details. Example: "http://localhost:8888/api/user/me" or "http://localhost:8888/oauth/v2/info"
 
 KYC_OAUTH2_CLIENT_ID
   Client ID of the exchange when it talks to the KYC OAuth2 endpoint.
 
 KYC_OAUTH2_CLIENT_SECRET
   Client secret of the exchange to use when talking to the KYC Oauth2 endpoint.
 
 KYC_OAUTH2_SCOPE
   Scope argument to pass in the Oauth2 /authorize request.
   Optional, if not given no scope will be provided.
 
 KYC_OAUTH2_POST_URL
   URL to which the exchange will redirect the client's browser after successful authorization/login for the KYC process. Example: "http://example.com/thank-you"
 
 KYC_OAUTH2_CONVERTER_HELPER
   Helper to convert JSON with KYC data returned by the OAuth2.0 info endpoint into GNU Taler internal format. Specific to the OAuth 2.0 provider.
 
 KYC_OAUTH2_DEBUG_MODE
   Set to YES to allow error responses to include potentially
   sensitive private information (such as full responses
   from the OAuth 2.0 server) that might aid in debugging
   problems.  Should be set to "NO" in production.
 
 
 EXCHANGE KYC KYCAID OPTIONS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The following options must be in the section "[kyc-provider-XXX]" sections with "LOGIC = kycaid".
 
 
 KYC_KYCAID_VALIDITY
   Duration (e.g. "12 months") of the validity of the performed KYC check. Can be "forever".
 
 KYC_KYCAID_AUTH_TOKEN
   Authentication token to access the KYC service.
 
 KYC_KYCAID_CONVERTER_HELPER
   Helper to convert JSON with KYC data returned by KYCAID into GNU Taler internal format. Should probably always be set to "taler-exchange-kyc-kycaid-converter.sh".
 
 KYC_KYCAID_FORM_ID
   ID that specifies the form to use for the KYC process.
 
 KYC_KYCAID_POST_URL
   URL to which the exchange will redirect the client's browser after successful authorization/login for the KYC process.
 
 
 EXCHANGE KYC PERSONA OPTIONS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The following options must be in the section "[kyc-provider-XXX]" sections with "LOGIC = persona".
 
 
 KYC_PERSONA_VALIDITY
   Duration (e.g. "12 months") of the validity of the performed KYC check. Can be "forever".
 
 KYC_PERSONA_AUTH_TOKEN
   Authentication token to access the KYC service.
 
 KYC_PERSONA_SALT
   Salt value to use for request idempotency. Optional, generated at random per process if not given.
 
 KYC_PERSONA_SUBDOMAIN
   Subdomain to use under Persona.
 
 KYC_PERSONA_CONVERTER_HELPER
   Helper to convert JSON with KYC data returned by Persona into GNU Taler internal format. Should probably always be set to "taler-exchange-kyc-persona-converter.sh".
 
 KYC_PERSONA_POST_URL
   URL to which the exchange will redirect the client's browser after successful authorization/login for the KYC process.
 
 KYC_PERSONA_TEMPLATE_ID
   ID of the Persona template to use.
 
 EXCHANGE KYC PERSONA GLOBAL OPTIONS
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The following option must be in the section "[kyclogic-persona]".
 
 
 WEBHOOK_AUTH_TOKEN
   Authentication token Persona must supply to our webhook. This is an optional setting.
 
 
 EXCHANGE KYC CHECK OPTIONS
 --------------------------
 
 The following options must be in "[kyc-check-$CHECK_NAME]" sections.
 
 TYPE
   Which type of check is this? Also determines
   the SPA form to show to the user for this check.
 
   * INFO: wait for staff or contact staff out-of band
     (only information shown, no SPA action)
   * FORM: SPA should show an inline (HTML) form
   * LINK: SPA may start external KYC process or upload
 
 PROVIDER_ID
   Provider id, present only if type is LINK.
   Refers to a ``kyc-provider-$PROVIDER_ID`` section.
 
 FORM_NAME
   Name of the SPA form, if type is FORM
   "INFO" and "LINK" are reserved and must not be used.
   The exchange server and the SPA must agree on a list
   of supported forms and the resulting attributes.
   The SPA should include a JSON resource file
   "forms.json" mapping form names to arrays of
   attribute names each form provides.
   The list of possible FORM names is fixed in the SPA
   for a particular exchange release.
 
 DESCRIPTION
   Descriptions to use in the SPA to display the check.
 
 DESCRIPTION_I18N
   JSON with internationalized descriptions to use
   in the SPA to display the check.
 
 REQUIRES
   ';'-separated list of fields that the CONTEXT must
   provide as inputs to this check. For example,
   for a FORM of type CHOICE, this might state
   ``choices: string[];``. The type after the ":"
   is for now purely for documentation and is
   not checked. However, it may be shown to AML staff
   when they configure measures.
 
 OUTPUTS = "business_name street city country registration"
   Description of the outputs provided by the check.
   Basically, the check's output is expected to
   provide the following fields as attribute inputs into
   a subsequent AML program. INFO never has any outputs.
 
 FALLBACK
   Name of an **original** measure to take if the check fails
   (for any reason, e.g. provider or form fail to
   satisfy constraints or provider signals user error)
   Usually should point to a measure that requests
   AML staff to investigate.  The fallback measure
   context always includes the reasons for the
   failure.
 
 EXCHANGE KYC RULES
 ------------------
 
 The following options must be in "[kyc-rule-$RULE_NAME]" sections.
 
 OPERATION_TYPE = WITHDRAW
   Operation that triggers this rule.
   Must be one of AGGREGATE, BALANCE, CLOSE, DEPOSIT, MERGE,
   REFUND, TRANSACTION or WITHDRAW
   See the Exchange KYC/AML Operator Manual for the
   operations these refer to.
 
 NEXT_MEASURES
   Space-separated list of next measures to be performed.
   The SPA should display *all* of these measures to the user.
   (They have a choice of either which ones, or in
   which order they are to be performed.)
   A special measure name "verboten" is used if the
   specified threshold may never be crossed
   (under this set of rules). This option is equivalent
   to the "new_measure" string in an AmlDecisionRequest
   (with IS_AND_COMBINATOR replacing the "+"-prefix).
 
 IS_AND_COMBINATOR
   "YES" if all NEXT_MEASURES will eventually need
   to be satisfied, "NO" the user has a choice between
   them. Not actually enforced by the exchange, but
   primarily used to inform the user whether this is
   an "and" or "or". YES for "and".
 
 EXPOSED
   YES if the rule (specifically, operation type,
   threshold, timeframe) and the general nature of
   the next measure (verboten or approval required)
   should be exposed to the client.
   Defaults to NO if not set.
 
 THRESHOLD
   Threshold amount above which the rule is
   triggered.  The total must be exceeded in the given
   timeframe.
 
 TIMEFRAME
   Timeframe over which the amount to be compared to
   the THRESHOLD is calculated (for example, "30 days").
   Ignored for BALANCE.  Can be 'forever'.
 
 ENABLED = NO
   Set to YES to enable the rule (default is NO).
 
 
 EXCHANGE AML PROGRAMS
 ---------------------
 
 The following options must be in "[aml-program-$PROG_NAME]" sections.
 
 COMMAND
   Name of the program to run. Must match a binary
   on the local machine where the exchange is running.
 
 DESCRIPTION
   Human-readable description of what this
   AML helper program will do. Used to show
   to the AML staff.
 
 ENABLED
   True if this AML program is enabled (and thus can be
   used in measures and exposed to AML staff).
   Optional, default is NO.
 
 FALLBACK
   Name of an **original** measure to take if COMMAND fails
   Usually points to a measure that asks AML staff
   to contact the systems administrator. The fallback measure
   context always includes the reasons for the
   failure.
 
 EXCHANGE KYC MEASURES
 ---------------------
 
 The following options must be in "[kyc-measure-$MEASURE_NAME]" sections.
 These sections define the **original** measures.
 
 CHECK_NAME
   Name of a possible check for this measure.  Optional.
   If not given or set to ``SKIP``, PROGRAM should be run immediately
   (on an empty set of attributes).
 
 CONTEXT = {"choices":["individual","business"]}
   Context for the check. The context can be
   just an empty JSON object if there is none.
 
 PROGRAM
   Program to run on the context and check data to
   determine the outcome and next measure.
   Refers to a ``[aml-program-$PROG_NAME]`` section name.
 
 VOLUNTARY
   Optional. Set to YES to allow this measure to be
   done voluntarily by a client. Used to offer the
   SPA to display measures even if they are
   not required. Default is NO.
 
 
 
 AGE_RESTRICTION_ENABLED
   Set to ``YES`` to enable age restriction on coins.  When age restriction is
   active, certain denominations can be marked with ``AGE_RESTRICTED = YES``
   (see `EXCHANGE COIN OPTIONS`_) and wallets must include an age commitment
   when withdrawing or spending such coins.  Default is ``NO``.
 
 AGE_GROUPS
   Only meaningful when ``AGE_RESTRICTION_ENABLED = YES``.
   A colon-separated string of increasing non-negative integers defining the
   age-group boundaries.  Each integer marks the start of the next group; the
   zero'th group begins implicitly at 0.  For example ``"10:18"`` defines three
   groups:
 
     1. Group 0: ages 0 through 9 (inclusive)
     2. Group 1: ages 10 through 17 (inclusive)
     3. Group 2: ages 18 and above
 
   If not given the default value ``"8:10:12:14:16:18:21"`` is used.
 
 
 EXCHANGE OFFLINE SIGNING OPTIONS
 --------------------------------
 
 The following options must be in the section "[exchange-offline]".
 
 MASTER_PRIV_FILE
   Location of the master private key on disk. Only used by tools that
   can be run offline (as the master key is for offline signing).
   Mandatory.
 
 SECM_TOFU_FILE
   Where to store the public keys of both crypto helper modules.
   Used to persist the keys after the first invocation of the tool,
   so that if they ever change in the future, this is detected and
   the tool can abort.
   Mandatory.
 
 SECM_DENOM_PUBKEY
   Public key of the (RSA) crypto helper module. Optional. If not given,
   we will rely on TOFU.  Note that once TOFU has been established,
   this option will also be ignored.
 
 SECM_ESIGN_PUBKEY
   Public key of the (EdDSA) crypto helper module. Optional. If not given,
   we will rely on TOFU.  Note that once TOFU has been established,
   this option will also be ignored.
 
 
 EXCHANGE RSA CRYPTO HELPER OPTIONS
 ----------------------------------
 
 The following options must be in the section "[taler-exchange-secmod-rsa]".
 
 LOOKAHEAD_SIGN
   How long do we generate denomination and signing keys ahead of time?
 
 OVERLAP_DURATION
   How much should validity periods for coins overlap?
   Should be long enough to avoid problems with
   wallets picking one key and then due to network latency
   another key being valid.  The ``DURATION_WITHDRAW`` period
   must be longer than this value.
 
 SM_PRIV_KEY
   Where should the security module store its long-term private key?
 
 KEY_DIR
   Where should the security module store the private keys it manages?
 
 UNIXPATH
   On which path should the security module listen for signing requests?
 
 Note that the **taler-exchange-secmod-rsa** also evaluates the ``[coin_*]``
 configuration sections described below.
 
 
 EXCHANGE CS CRYPTO HELPER OPTIONS
 ---------------------------------
 
 The following options must be in the section "[taler-exchange-secmod-cs]".
 
 LOOKAHEAD_SIGN
   How long do we generate denomination and signing keys ahead of time?
 
 OVERLAP_DURATION
   How much should validity periods for coins overlap?
   Should be long enough to avoid problems with
   wallets picking one key and then due to network latency
   another key being valid.  The ``DURATION_WITHDRAW`` period
   must be longer than this value.
 
 SM_PRIV_KEY
   Where should the security module store its long-term private key?
 
 KEY_DIR
   Where should the security module store the private keys it manages?
 
 UNIXPATH
   On which path should the security module listen for signing requests?
 
 Note that the **taler-exchange-secmod-cs** also evaluates the ``[coin_*]``
 configuration sections described below.
 
 
 
 EXCHANGE EDDSA CRYPTO HELPER OPTIONS
 ------------------------------------
 
 The following options must be in the section "[taler-exchange-secmod-eddsa]".
 
 LOOKAHEAD_SIGN
   How long do we generate denomination and signing keys ahead of time?
 
 OVERLAP_DURATION
   How much should validity periods for coins overlap?
   Should be long enough to avoid problems with
   wallets picking one key and then due to network latency
   another key being valid.  The ``DURATION_WITHDRAW`` period
   must be longer than this value.
 
 DURATION
   For how long should EdDSA keys be valid for signing?
 
 SM_PRIV_KEY
   Where should the security module store its long-term private key?
 
 KEY_DIR
   Where should the security module store the private keys it manages?
 
 UNIXPATH
   On which path should the security module listen for signing requests?
 
 .. include:: frags/exchange-database.rst
 .. include:: frags/exchange-account.rst
 .. include:: frags/exchange-coin.rst
 
 EXCHANGE SANCTIONSCHECK OPTIONS
 -------------------------------
 
 This section configures the taler-exchange-sanctionlist tool to enforce
 sanctions. The tool scores KYC records in two dimensions, the quality
 of the match (rating) and the number of attributes that were found in
 both sets (confidence).
 
 The following options must be in the section "[exchange-sanctionscheck]".
 
 RATER_COMMAND
   Program (and command-line arguments) for the helper program to
   execute to compare sanction list records. Usually set to
   something like "robocop $SANCTIONLIST.json", but can be any
   program that reads KYC attributes in JSON line-by-line and
   outputs a rating (0-1), confidence (0-1) and free-form sanction list
   identifier for each JSON input received.
 
 MIN_ROW_FILENAME
   Name of the file where taler-exchange-sanctionscheck will store the
   last row process during sanction list evaluation. Not in thed atabase
   as we frequently need to reset it when we get a new list, so no
   transactionality is needed or even desirable. There should be no
   need to change the default.
 
 FREEZE_RATING_LIMIT
   Match quality rating (on a scale of [0,1]) that must be exceeded
   for the exchange to automatically freeze an account. The account
   must satisfy both the rating limit and the confidence limit to be
   frozen.
 
 FREEZE_CONFIDENCE_LIMIT
   Match confidence rating (on a scale of [0,1]) that must be exceeded
   for the exchange to automatically freeze an account. A rating of 0
   means no attributes were available, while a rating of 1 indicates that
   we could compare the acconts across all dimensions.
 
 INVESTIGATION_LIMIT
   Limit (on a scale of [0,1]) that must be exceeded for an account to
   be flagged for manual investigation. Only applies of the account
   is not automatically frozen. The limit given is compared against
   the quality rating divided by the confidence score.
   If set at 0.95, a modest 0.8 match with low 0.5 confidence will
   trigger (1.6 > 0.95), but a good 0.9 match with a super-high 1.0
   confidence would not (0.9 < 0.95). On the other hand, a bad 0.2 match
   with super-low 0.1 confidence would again trigger (2.0 > 0.95).
 
 
 SEE ALSO
 ========
 
 taler-exchange-dbinit(1), taler-exchange-httpd(1), taler-exchange-offline(1), taler-exchange-sanctionscheck(1)
 
 BUGS
 ====
 
 Report bugs by using https://bugs.taler.net/ or by sending electronic
 mail to <taler@gnu.org>.