1. The user that runs cimservermain is determined by the
   PEGASUS_CIMSERVERMAIN_USER constant defined in
   <Pegasus/Common/Constants.h>

2. All files but the repository are owned by root. The cimservermain
   process may read the root-owned files, but it must ask the executor
   to modify them.

3. The executor grants ownership of the repository to the server user
   upon startup.

4. The executor now checks whether the Pegasus repository exists and
   errors out if not.

5. Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

6. The executor now detects whether the CIM server is already running.

7. For logging purposes, the executor uses "cimexecutor" as its syslog
   identifier.

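
As an added example (not OpenPegasus code), the startup sequence items 2, 3, 4 and 6 describe, written as a small root-running executor: refuse to start if the repository is missing, hand the repository to the server user, check whether a server is already running, then drop to the server user for good. The function names, the pid-file mechanism used for the "already running" check, the server user name and the path constants are assumptions; the page only states what the executor does, not how.

```c
/* Added example, not OpenPegasus code: executor startup checks before the
 * server user takes over. Names and mechanisms below are assumptions. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values for the stand-alone run. A real executor takes the server
 * user from PEGASUS_CIMSERVERMAIN_USER; the paths are placeholders. */
#define EXAMPLE_SERVER_USER "pegasus"                    /* assumption */
#define EXAMPLE_REPOSITORY  "/PLACEHOLDER/repository"    /* placeholder */
#define EXAMPLE_PIDFILE     "/PLACEHOLDER/cimserver.pid" /* placeholder */

/* Item 4: the repository must already exist and be a directory.
 * Returns 0 if so, -1 otherwise (missing, unreadable, or not a directory). */
int repository_exists(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return S_ISDIR(st.st_mode) ? 0 : -1;
}

/* Item 3: give the server user ownership of the repository so that
 * cimservermain can write it without root. Returns 0 on success. */
int grant_repository_ownership(const char *path, uid_t uid, gid_t gid)
{
    if (repository_exists(path) != 0)
        return -1;
    return chown(path, uid, gid) == 0 ? 0 : -1;
}

/* Item 6: detect a running server. Assumed mechanism: a pid file.
 * kill(pid, 0) probes for the process without delivering a signal.
 * Returns 1 if a live process is recorded, 0 if not. */
int server_already_running(const char *pidfile)
{
    FILE *fp = fopen(pidfile, "r");
    long pid;
    if (fp == NULL)
        return 0;                 /* no pid file: nothing is running */
    if (fscanf(fp, "%ld", &pid) != 1 || pid <= 0) {
        fclose(fp);
        return 0;                 /* malformed pid file: treat as stale */
    }
    fclose(fp);
    if (kill((pid_t)pid, 0) == 0)
        return 1;                 /* process exists and is ours to signal */
    return errno == EPERM ? 1 : 0; /* EPERM: exists but owned by another uid */
}

/* Item 2: become the server user permanently. Supplementary groups and
 * the gid go first; the uid last, or the gid change would be refused.
 * Returns 0 on success, -1 if any step fails or root can be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0)
        return 0;                 /* not root: nothing to drop */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                /* drop was not irreversible */
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam(EXAMPLE_SERVER_USER);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", EXAMPLE_SERVER_USER);
        return 1;
    }
    if (server_already_running(EXAMPLE_PIDFILE)) {
        fprintf(stderr, "cimserver is already running\n");
        return 1;
    }
    if (grant_repository_ownership(EXAMPLE_REPOSITORY, pw->pw_uid, pw->pw_gid) != 0) {
        perror(EXAMPLE_REPOSITORY);   /* item 4: error out, do not create it */
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("continuing as uid %ld\n", (long)getuid());
    return 0;
}
```

The order matters for the page's model: ownership of the repository is granted while the executor is still root (item 3), and the missing-repository check happens before that chown so a typo in the path cannot hand ownership of an unintended directory to the server user. Everything after drop_privileges runs without the ability to modify the root-owned files of item 2.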
8. Setting up PAM authentication (non-standalone).

   First compile with PEGASUS_PAM_AUTHENTICATION.

   Next install the PAM configuration file.

   % cd $PEGASUS_ROOT
   % cp rpm/wbem /etc/pam.d
   % chmod 0644 /etc/pam.d/wbem

9. To build for standalone PAM authentication, compile with these:

   PEGASUS_PAM_AUTHENTICATION
   PEGASUS_USE_PAM_STANDALONE_PROC

10. To run cimserver to use PAM, use these configuration parameters.

    enableAuthentication=true

11. To build SSL support, compile with these.

    OPENSSL_HOME=/usr
    PEGASUS_HAS_SSL=true

12. To run cimserver to use SSL, use these configuration parameters.

    enableHttpsConnection=true
    enableAuthentication=true
    sslClientVerificationMode=optional
    sslTrustStoreUserName=root

13. To add a user to cimserver.passwd, use the following format (the given
    user must be a real system user).

    jsmith:AB5bZ.JX9fQzA

    Use the following program to generate the password (at least on
    Linux).

    #define _XOPEN_SOURCE
    #include <unistd.h>
    #include <crypt.h>   /* glibc declares crypt() here; older releases
                            also declared it in <unistd.h> */
    #include <stdio.h>

    int main()
    {
        /* "AB" is the two-character salt; crypt() echoes it as the first
           two characters of the hash that goes into cimserver.passwd. */
        printf("%s\n", crypt("changeme", "AB"));
        return 0;
    }

    Compile and link the program as follows.

    % gcc -o mkpasswd mkpasswd.cpp -lcrypt

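
As an added example (not OpenPegasus code), a validator for cimserver.passwd lines in the user:hash layout shown above. It enforces the page's rule that the user must be a real system user (via getpwnam) and checks that the hash has the shape crypt() produces with a two-character salt. The enum and function names are assumptions, and the sample lines in main are constructed, apart from the page's own jsmith entry. The validator checks form only; verifying a candidate password is done with crypt() using the stored hash's first two characters as the salt, exactly as the program above produces it.

```c
/* Added example, not OpenPegasus code: validate one cimserver.passwd entry.
 * Enum and function names are assumptions. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum passwd_entry_status {
    ENTRY_OK = 0,
    ENTRY_BAD_FORMAT,      /* missing ':' or an empty field */
    ENTRY_BAD_USERNAME,    /* whitespace or control characters in the name */
    ENTRY_BAD_HASH,        /* not a traditional 13-character crypt(3) hash */
    ENTRY_NOT_SYSTEM_USER  /* getpwnam() knows no such account */
};

/* Traditional crypt(3) output is 13 characters from [./0-9A-Za-z];
 * the first two are the salt ("AB" in the page's program). */
static int is_crypt_char(int c)
{
    return c == '.' || c == '/' || isalnum(c);
}

static int is_traditional_crypt_hash(const char *hash)
{
    size_t n = strlen(hash);
    if (n != 13)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!is_crypt_char((unsigned char)hash[i]))
            return 0;
    return 1;
}

/* Validate a line of the form "user:hash"; a trailing newline is tolerated. */
enum passwd_entry_status validate_passwd_entry(const char *line)
{
    char buf[256];
    size_t n = strlen(line);
    if (n == 0 || n >= sizeof buf)
        return ENTRY_BAD_FORMAT;
    memcpy(buf, line, n + 1);
    if (buf[n - 1] == '\n')
        buf[n - 1] = '\0';

    char *colon = strchr(buf, ':');
    if (colon == NULL || colon == buf || colon[1] == '\0')
        return ENTRY_BAD_FORMAT;           /* no separator or empty field */
    *colon = '\0';
    const char *user = buf;
    const char *hash = colon + 1;

    for (const char *p = user; *p != '\0'; p++)
        if (isspace((unsigned char)*p) || iscntrl((unsigned char)*p))
            return ENTRY_BAD_USERNAME;
    if (strchr(hash, ':') != NULL)
        return ENTRY_BAD_FORMAT;           /* a second ':' is not allowed */
    if (!is_traditional_crypt_hash(hash))
        return ENTRY_BAD_HASH;
    if (getpwnam(user) == NULL)
        return ENTRY_NOT_SYSTEM_USER;      /* the page's "real system user" rule */
    return ENTRY_OK;
}

const char *passwd_entry_status_name(enum passwd_entry_status s)
{
    switch (s) {
    case ENTRY_OK:              return "ok";
    case ENTRY_BAD_FORMAT:      return "bad format";
    case ENTRY_BAD_USERNAME:    return "bad username";
    case ENTRY_BAD_HASH:        return "bad hash";
    case ENTRY_NOT_SYSTEM_USER: return "not a system user";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample lines; the first is the page's own example entry. */
    const char *samples[] = {
        "jsmith:AB5bZ.JX9fQzA",
        "root:AB5bZ.JX9fQzA",
        "root:changeme",
        "rootAB5bZ.JX9fQzA",
        "ro ot:AB5bZ.JX9fQzA",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               passwd_entry_status_name(validate_passwd_entry(samples[i])));
    return 0;
}
```

On a host without a jsmith account the page's own sample line is rejected as "not a system user", which is the point of the rule in item 13: the entry only grants a password to an identity the system already knows.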
14. The KerberosAuthenticationHandler.h and all Kerberos authentication
    logic are not part of the Pegasus repository.

15. The following authentication schemes were rewritten and are now
    part of the executor.

    - PAM Basic Authentication
    - PAM Basic Authentication, using the cimservera program.
    - Secure Local Authentication
    - Secure Basic (uses the cimserver.passwd file).

    The following authentication schemes still reside in cimservermain.

    - SSL peer authentication
    - Kerberos (source not available to Pegasus).

16. Places where the NEW_SESSION_KEY request is used.

    - SSL certificate authentication.
    - Indication service (before accepting connections).

17. Note that using "secure basic" authentication and "SSL peer
    authentication" together breaks the end-to-end tests (validate
    user fails since the user is not in the cimserver.passwd file).

18. Four provider agent user contexts:

    - REQUESTOR   MyProviderModule:*
    - DESIGNATED  MyProviderModule:fred
    - PRIVILEGED  MyProviderModule:root
    - CIMSERVER   MyProviderModule:pegasus