1. The user that runs cimervermain is determined by the PEGASUS_CIMSERVERMAIN_USER constant defined in 2. All files but the repository are owned by root. The cimservermain process may read the root owned files, but it must ask the executor to modify them. 3. The executor grants ownership of the repository to the server user upon startup. 4. The Executor now checks whether Pegasus repository exists and errors out if not. 5. Cimservermain owns the local-domain socket file (/tmp/cimxml.socket). 6. The executor now detects whether the CIM server is already running. 7. For logging purposes, the executor uses "cimexecutor" as its syslog identifier. 8. Setting up PAM authentiction (non-standalone). First compile with PEGASUS_PAM_AUTHENTICATION. Next install the PAM configuration file. % cd $PEGASUS_ROOT % cp rpm/wbem /etc/pam.d % chmod 0644 /etc/pam.d/wbem 9. To build for standalone PAM authentication, compile with these: PEGASUS_PAM_AUTHENTICATION PEGASUS_USE_PAM_STANDALONE_PROC 10. To run cimserver to use PAM, use these configuration parameters. enableAuthentication=true 11. To build SSL support, compile with these. OPENSSL_HOME=/usr PEGASUS_HAS_SSL=true 12. To run cimerver to use SSL, use these configuration parameters. enableHttpsConnection=true enableAuthentication=true sslClientVerificationMode=optional sslTrustStoreUserName=root 13. To add a user to cimserver.passwd, use the following format (the given user must be a real system user). jsmith:AB5bZ.JX9fQzA Use the following program to generate the password (at least on Linux). #define _XOPEN_SOURCE #include #include int main() { printf("%s\n", crypt("changeme", "AB")); return 0; } Compile and link the program as follows. % gcc -o mkpasswd mkpasswd.cpp -lcrypt 14. The KerberosAuthenticationHandler.h and all Kerberos authentication logic is not part of the Pegasus repository. 15. The CIMExportIndicationRequestMessage comes back into the server and is delivered to an indication consumer (which must be loaded). 16. The following authentication schemes were rewritten and are now part of the executor. - PAM Basic Authentication - PAM Basic Authentication, using cimservera program. - Secure Local Authenticaiton - Secure Basic (uses cimserver.passwd file). The following authentication schemes still reside in cimservermain. - SSL peer authentication - Kerberos (source not available to Pegasus). 17. Places that NEW_SESSION_KEY request is used. - SSL certificate authentication. - Indication service. 18. Note that "secure basic" authentication and "SSL peer authentication" cannot be used together since the validate user (performed by SSL peer authentication) fails since the username is not in the cimserver.passwd file.