|
version 1.1, 2006/12/28 03:59:20
|
version 1.1.2.13, 2007/01/10 02:02:07
|
|
|
|
| |
|
| |
1. The user that runs cimervermain is determined by the |
| |
PEGASUS_CIMSERVERMAIN_USER constant defined in |
| |
<Pegasus/Common/Constants.h> |
| |
|
| |
2. All files but the repository are owned by root. The cimservermain |
| |
process may read the root owned files, but it must ask the executor |
| |
to modify them. |
| |
|
| |
3. The executor gives ownership of the repository to the server user |
| |
upon startup. |
| |
|
| |
4. The Executor now checks whether Pegasus repository exists and errors |
| |
out if not. |
| |
|
| |
5. Cimservermain owns the local-domain socket file (/tmp/cimxml.socket). |
| |
|
| |
6. The executor will not start if a CIM server is already running. |
| |
|
| |
7. For logging purposes, the executor uses "cimexecutor" as its syslog |
| |
identifier. |
| |
|
| |
8. Setting up PAM authentiction (non-standalone). |
| |
|
| |
First compile with PEGASUS_PAM_AUTHENTICATION. |
| |
|
| |
Next install the PAM configuration file. |
| |
|
| |
% cd $PEGASUS_ROOT |
| |
% cp rpm/wbem /etc/pam.d |
| |
% chmod 0644 /etc/pam.d/wbem |
| |
|
| |
9. To build for standalone PAM authentication, compile with these: |
| |
|
| |
PEGASUS_PAM_AUTHENTICATION |
| |
PEGASUS_USE_PAM_STANDALONE_PROC |
| |
|
| |
10. To run cimserver to use PAM, use these configuration parameters. |
| |
|
| |
enableAuthentication=true |
| |
|
| |
11. To build SSL support, compile with these. |
| |
|
| |
OPENSSL_HOME=/usr |
| |
PEGASUS_HAS_SSL=true |
| |
|
| |
12. To run cimerver to use SSL, use these configuration parameters. |
| |
|
| |
enableHttpsConnection=true |
| |
enableAuthentication=true |
| |
sslClientVerificationMode=optional |
| |
sslTrustStoreUserName=root |
| |
|
| |
13. To add a user to cimserver.passwd, use the following format (the given |
| |
user must be a real system user). |
| |
|
| |
jsmith:AB5bZ.JX9fQzA |
| |
|
| |
Use the following program to generate the password (at least on |
| |
Linux). |
| |
|
| |
#define _XOPEN_SOURCE |
| |
#include <unistd.h> |
| |
#include <stdio.h> |
| |
|
| |
int main() |
| |
{ |
| |
printf("%s\n", crypt("changeme", "AB")); |
| |
return 0; |
| |
} |
| |
|
| |
Compile and link the program as follows. |
| |
|
| |
% gcc -o mkpasswd mkpasswd.cpp -lcrypt |
| |
|
| |
14. The KerberosAuthenticationHandler.h and all Kerberos authentication |
| |
logic is not part of the Pegasus repository. |
| |
|
| |
15. The CIMExportIndicationRequestMessage comes back into the server |
| |
and is delivered to an indication consumer (which must be loaded). |
| |
|
| |
16. The following authentication schemes were rewritten and are now |
| |
part of the executor. |
| |
|
| |
- PAM Basic Authentication |
| |
- PAM Basic Authentication, using cimservera program. |
| |
- Secure Local Authenticaiton |
| |
|
| |
The following authentication schemes still reside in cimservermain. |
| |
|
| |
- SSL certificate authentication |
| |
- Secure Basic (uses cimserver.passwd file). |
| |
|
| |
17. Places that NEW_SESSION_KEY request is used. |
| |
|
| |
- SSL certificate authentication. |
| |
- Indication service. |
| |
|
Return to
notes.txt
CVS log
Up to [Pegasus] / pegasus / src / Executor