version 1.1.4.2, 2007/03/23 21:53:45
|
version 1.1.4.3, 2007/04/20 14:39:14
|
|
|
process may read the root owned files, but it must ask the executor | process may read the root owned files, but it must ask the executor |
to modify them. | to modify them. |
| |
3. The executor grants ownership of the repository to the server user |
3. Cimservermain owns the local-domain socket file (/tmp/cimxml.socket). |
upon startup if the server user does not already own them. Although |
|
at installation time this should have already been done. |
|
| |
4. The Executor now checks whether Pegasus repository exists and errors |
4. The executor now detects whether the CIM server is already running. |
out if not. |
|
| |
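Review bot: Missing documentation for the repository-missing case. Old item 4 said the executor errors out if the Pegasus repository does not exist, and nothing on the 1.1.4.3 side replaces it. If the executor still refuses to start without a repository, keep that sentence. If the check was dropped along with the startup ownership grant in old item 3, say what the privileged process does when it starts against a missing or wrongly owned repository, since new item 15 only assigns ownership setup to the install script.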
5. Cimservermain owns the local-domain socket file (/tmp/cimxml.socket). |
5. For logging purposes, the executor uses "cimserver" as its syslog |
|
|
6. The executor now detects whether the CIM server is already running. |
|
|
|
7. For logging purposes, the executor uses "cimexecutor" as its syslog |
|
identifier. | identifier. |
| |
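Review bot: In new item 5 the executor's syslog identifier changes from "cimexecutor" to "cimserver", so messages from the privileged executor can no longer be separated from the server's by identifier alone (assuming the server also logs as "cimserver", which this README does not state). Add a sentence on how to tell the two processes apart in the log, or keep a distinct identifier for the executor.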
8. Setting up PAM authentiction (non-standalone). |
6. Setting up PAM authentiction (non-standalone). |
| |
First compile with PEGASUS_PAM_AUTHENTICATION. | First compile with PEGASUS_PAM_AUTHENTICATION. |
| |
|
|
% cp rpm/wbem /etc/pam.d | % cp rpm/wbem /etc/pam.d |
% chmod 0644 /etc/pam.d/wbem | % chmod 0644 /etc/pam.d/wbem |
| |
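Review bot: "authentiction" in the heading of item 6 is carried over misspelled from old item 8; correct it to "authentication" while the line is being renumbered.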
9. To build for standalone PAM authentication, compile with these: |
7. To build for standalone PAM authentication, compile with these: |
| |
PEGASUS_PAM_AUTHENTICATION | PEGASUS_PAM_AUTHENTICATION |
PEGASUS_USE_PAM_STANDALONE_PROC | PEGASUS_USE_PAM_STANDALONE_PROC |
| |
10. To run cimserver to use PAM, use these configuration parameters. |
8. To run cimserver to use PAM, use these configuration parameters. |
| |
enableAuthentication=true | enableAuthentication=true |
| |
11. To build SSL support, compile with these. |
9. To build SSL support, compile with these. |
| |
OPENSSL_HOME=/usr | OPENSSL_HOME=/usr |
PEGASUS_HAS_SSL=true | PEGASUS_HAS_SSL=true |
| |
12. To run cimerver to use SSL, use these configuration parameters. |
10. To run cimerver to use SSL, use these configuration parameters. |
| |
enableHttpsConnection=true | enableHttpsConnection=true |
enableAuthentication=true | enableAuthentication=true |
sslClientVerificationMode=optional | sslClientVerificationMode=optional |
sslTrustStoreUserName=root | sslTrustStoreUserName=root |
| |
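Review bot: The heading of item 10 still reads "cimerver"; correct it to "cimserver" while the line is being renumbered. The sample also pairs sslClientVerificationMode=optional with sslTrustStoreUserName=root without explanation. A sentence on which user a certificate-authenticated request runs as would help readers decide whether root is the value they want to copy.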
13. To add a user to cimserver.passwd, use the following format (the given |
11. To add a user to cimserver.passwd, use the following format (the given |
user must be a real system user). | user must be a real system user). |
| |
jsmith:AB5bZ.JX9fQzA | jsmith:AB5bZ.JX9fQzA |
|
|
| |
% gcc -o mkpasswd mkpasswd.cpp -lcrypt | % gcc -o mkpasswd mkpasswd.cpp -lcrypt |
| |
14. The KerberosAuthenticationHandler.h and all Kerberos authentication |
12. The KerberosAuthenticationHandler.h and all Kerberos authentication |
logic is not part of the Pegasus repository. | logic is not part of the Pegasus repository. |
| |
15. The following authentication schemes were rewritten and are now |
13. The following authentication schemes were rewritten and are now |
part of the executor. | part of the executor. |
| |
- PAM Basic Authentication | - PAM Basic Authentication |
|
|
- SSL peer authentication | - SSL peer authentication |
- Kerberos (source not available to Pegasus). | - Kerberos (source not available to Pegasus). |
| |
16. Places that NEW_SESSION_KEY request is used. |
14. Note that using "secure basic" authentication and "SSL peer |
|
|
- SSL certificate authentication. |
|
- Indication service (before accepting connections). |
|
|
|
17. Note that using "secure basic" authentication and "SSL peer |
|
authentication" togehter breaks the end-to-end tests (validate | authentication" togehter breaks the end-to-end tests (validate |
user fails since the user is not in the cimserver.passwd file). | user fails since the user is not in the cimserver.passwd file). |
| |
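Review bot: Old item 16 listed the places the NEW_SESSION_KEY request is used (SSL certificate authentication and the indication service are the entries visible here), and the 1.1.4.3 side drops the list with no replacement. If the request was removed from the executor, say so in the commit message. If it still exists, keep the list, since it documents which paths can obtain a session key. "togehter" in new item 14 is also still misspelled.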
18. Four provider agent user contexts: |
15. The install script is responsible for propertly setting ownership |
|
of all files (including the Pegasus repository). |
|
|
| |
- REQUESTOR MyProviderModule:* |
|
- DESIGNATED MyProviderModule:fred |
|
- PRIVILEGED MyProviderModule:root |
|
- CIMSERVER MyProviderModule:pegasus |
|
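Review bot: New item 15 makes the install script responsible for ownership of all files but does not name the expected owner or modes, so there is nothing to check an installation against. List the owner and permissions for the repository and for files such as cimserver.passwd. "propertly" should be "properly". The four provider agent user contexts from old item 18 (REQUESTOR, DESIGNATED, PRIVILEGED, CIMSERVER) are also removed without a pointer to where they are documented now.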