1. The user that runs cimservermain is determined by the
    PEGASUS_CIMSERVERMAIN_USER constant defined in
    <Pegasus/Common/Constants.h>

2. All files but the repository are owned by root. The cimservermain
    process may read the root owned files, but it must ask the executor
    to modify them.

3. The executor gives ownership of the repository to the server user
    upon startup.

4. The Executor now checks whether Pegasus repository exists and errors
    out if not.

5. Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

6. The executor will not start if a CIM server is already running.

7. For logging purposes, the executor uses "cimexecutor" as its syslog
    identifier.

8. Setting up PAM authentication (non-standalone).

    First compile with PEGASUS_PAM_AUTHENTICATION.

    Next install the PAM configuration file.

        % cd $PEGASUS_ROOT
        % cp rpm/wbem /etc/pam.d
        % chmod 0644 /etc/pam.d/wbem

9. To build for standalone PAM authentication, compile with these:

        PEGASUS_PAM_AUTHENTICATION
        PEGASUS_USE_PAM_STANDALONE_PROC

10. To run cimserver with PAM, use this configuration parameter.

        enableAuthentication=true

11. To build SSL support, compile with these.

        OPENSSL_HOME=/usr
        PEGASUS_HAS_SSL=true

12. To run cimserver with SSL, use these configuration parameters.

        enableHttpsConnection=true
        enableAuthentication=true
        sslClientVerificationMode=optional
        sslTrustStoreUserName=root

13. To add a user to cimserver.passwd, use the following format (the given
    user must be a real system user).

        jsmith:AB5bZ.JX9fQzA

    Use the following program to generate the hashed password (at least on
    Linux).

        /* Required so that <unistd.h> declares crypt(). */
        #define _XOPEN_SOURCE
        #include <unistd.h>
        #include <stdio.h>

        int main()
        {
            /* crypt(key, salt): hash the password "changeme" with salt "AB". */
            printf("%s\n", crypt("changeme", "AB"));
            return 0;
        }

    Compile and link the program as follows.

        % gcc -o mkpasswd mkpasswd.cpp -lcrypt

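    An added example (not part of the original notes or of Pegasus) that
    parses entries in the "user:hash" format from item 13 and reports which
    hash scheme each one uses. The names classify_entry and entry_kind are
    hypothetical, and the '$' check reflects general crypt(3) conventions,
    not anything these notes state about Pegasus.

```c
/* Added example: classify "user:hash" lines as found in cimserver.passwd. */
#include <stdio.h>
#include <string.h>

enum entry_kind { ENTRY_MALFORMED, ENTRY_DES_CRYPT, ENTRY_MODULAR_CRYPT, ENTRY_UNKNOWN };

/* True if c belongs to the alphabet crypt(3) uses for salts and hashes. */
static int in_crypt_alphabet(char c)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return c != '\0' && strchr(alphabet, c) != NULL;
}

/* Split "user:hash", copy the user name into user[], and classify the hash. */
enum entry_kind classify_entry(const char *line, char *user, size_t user_size)
{
    const char *colon = strchr(line, ':'), *hash;
    size_t ulen, hlen, i;
    if (colon == NULL || colon == line || (size_t)(colon - line) >= user_size)
        return ENTRY_MALFORMED;
    ulen = (size_t)(colon - line);
    memcpy(user, line, ulen);
    user[ulen] = '\0';
    hash = colon + 1;
    hlen = strcspn(hash, "\r\n");        /* ignore the line terminator */
    if (hlen == 0)
        return ENTRY_MALFORMED;
    if (hash[0] == '$')                  /* $id$salt$hash modular format */
        return ENTRY_MODULAR_CRYPT;
    if (hlen != 13)                      /* DES crypt: 2 salt + 11 hash chars */
        return ENTRY_UNKNOWN;
    for (i = 0; i < hlen; i++)
        if (!in_crypt_alphabet(hash[i]))
            return ENTRY_UNKNOWN;
    return ENTRY_DES_CRYPT;
}

int main(void)
{
    /* Constructed input; the first line is the sample entry from item 13. */
    const char *lines[] = { "jsmith:AB5bZ.JX9fQzA\n", "nohash:\n", "no separator\n" };
    static const char *names[] = { "malformed", "DES crypt", "modular crypt", "unknown" };
    char user[64];
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        enum entry_kind k = classify_entry(lines[i], user, sizeof user);
        printf("%-10s %s\n", k == ENTRY_MALFORMED ? "-" : user, names[k]);
    }
    return 0;
}
```

    Traditional DES crypt, which a two-character salt such as "AB" selects,
    uses only the first eight characters of the password, so a file holding
    such entries deserves strict permissions.
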
14. KerberosAuthenticationHandler.h and all Kerberos authentication
    logic are not part of the Pegasus repository.

15. The CIMExportIndicationRequestMessage comes back into the server
    and is delivered to an indication consumer (which must be loaded).

16. The following authentication schemes were rewritten and are now
    part of the executor.

        - PAM Basic Authentication
        - PAM Basic Authentication, using cimservera program.
        - Secure Local Authentication

    The following authentication schemes still reside in cimservermain.

        - SSL certificate authentication
        - Secure Basic (uses cimserver.passwd file).

17. Places where the NEW_SESSION_KEY request is used.

        - SSL certificate authentication.
        - Indication service.

18. Note that "secure basic" authentication and "SSL peer authentication"
    cannot be used together: the validate-user step (performed by
    SSL peer authentication) fails because the username is not in the
    cimserver.passwd file.
