1.  The user that runs cimservermain is determined by the
    PEGASUS_CIMSERVERMAIN_USER constant defined in
    <Pegasus/Common/Constants.h>.

2.  All files but the repository are owned by root. The cimservermain
    process may read the root-owned files, but it must ask the executor
    to modify them.

3.  The executor gives ownership of the repository to the server user
    upon startup.

4.  The executor now checks whether the Pegasus repository exists and
    exits with an error if it does not.

5.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

6.  The executor will not start if a CIM server is already running.

7.  For logging purposes, the executor uses "cimexecutor" as its syslog
    identifier.

8.  Setting up PAM authentication (non-standalone).

    First compile with PEGASUS_PAM_AUTHENTICATION.

    Next install the PAM configuration file.

        % cd $PEGASUS_ROOT
        % cp rpm/wbem /etc/pam.d
        % chmod 0644 /etc/pam.d/wbem

9.  To build for standalone PAM authentication, compile with these:

        PEGASUS_PAM_AUTHENTICATION
        PEGASUS_USE_PAM_STANDALONE_PROC

10. To run cimserver with PAM, use this configuration parameter:

        enableAuthentication=true

11. To build SSL support, compile with these:

        OPENSSL_HOME=/usr
        PEGASUS_HAS_SSL=true

12. To run cimserver with SSL, use these configuration parameters:

        enableHttpsConnection=true
        enableAuthentication=true
        sslClientVerificationMode=optional
        sslTrustStoreUserName=root

13. To add a user to cimserver.passwd, use the following format (the given
    user must be a real system user).

        jsmith:AB5bZ.JX9fQzA

    Use the following program to generate the hashed password (at least
    on Linux).

        #define _XOPEN_SOURCE
        #include <unistd.h>
        #include <stdio.h>

        int main()
        {
            /* crypt(password, salt): hash "changeme" with the salt "AB" */
            printf("%s\n", crypt("changeme", "AB"));
            return 0;
        }

    Compile and link the program as follows.

        % gcc -o mkpasswd mkpasswd.cpp -lcrypt

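A format check for cimserver.passwd entries, added here as an example (it is not part of Pegasus or of these notes). The function name check_entry and its result codes are hypothetical, and the check assumes every hash is traditional 13-character crypt output like the sample entry above.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Result codes (names are this example's own, not Pegasus identifiers). */
enum { ENTRY_OK, ENTRY_BAD_FORMAT, ENTRY_BAD_HASH, ENTRY_NO_SUCH_USER };

/* The 64 characters crypt(3) uses for a traditional salt and hash. */
static const char CRYPT_SET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Check one "user:hash" line in the format shown in item 13.
 * Assumption: the hash is traditional 13-character crypt output
 * (2 salt characters + 11 hash characters), like the sample entry.
 * If require_system_user is non-zero, the user must also exist as a
 * system account, which is looked up with getpwnam(). */
int check_entry(const char *line, int require_system_user)
{
    char user[64];
    const char *colon = strchr(line, ':');
    size_t ulen, hlen;

    if (colon == NULL || colon == line)
        return ENTRY_BAD_FORMAT;          /* no separator or empty user */
    ulen = (size_t)(colon - line);
    if (ulen >= sizeof(user))
        return ENTRY_BAD_FORMAT;          /* user name too long */
    memcpy(user, line, ulen);
    user[ulen] = '\0';

    hlen = strcspn(colon + 1, "\r\n");    /* ignore the line terminator */
    if (hlen != 13 || strspn(colon + 1, CRYPT_SET) != hlen)
        return ENTRY_BAD_HASH;            /* plaintext, empty or truncated */

    if (require_system_user && getpwnam(user) == NULL)
        return ENTRY_NO_SUCH_USER;
    return ENTRY_OK;
}

int main(void)
{
    /* First entry is the sample from item 13; the second is constructed. */
    printf("%d\n", check_entry("jsmith:AB5bZ.JX9fQzA\n", 0));
    printf("%d\n", check_entry("jsmith:changeme\n", 0));
    return 0;
}
```
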
14. KerberosAuthenticationHandler.h and all Kerberos authentication
    logic are not part of the Pegasus repository.

15. The CIMExportIndicationRequestMessage comes back into the server
    and is delivered to an indication consumer (which must be loaded).

16. The following authentication schemes were rewritten and are now
    part of the executor.

        - PAM Basic Authentication
        - PAM Basic Authentication, using cimservera program.
        - Secure Local Authentication

    The following authentication schemes still reside in cimservermain.

        - SSL certificate authentication
        - Secure Basic (uses cimserver.passwd file).