1.  The user that runs cimservermain is determined by the
    PEGASUS_CIMSERVERMAIN_USER constant defined in
    <Pegasus/Common/Constants.h>.

2.  All files but the repository are owned by root. The cimservermain
    process may read the root-owned files, but it must ask the executor
    to modify them.

3.  The executor grants ownership of the repository to the server user
    upon startup if the server user does not already own it, although
    this should already have been done at installation time.

4.  The executor now checks whether the Pegasus repository exists and
    errors out if not.

5.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

6.  The executor now detects whether the CIM server is already running.

7.  For logging purposes, the executor uses "cimexecutor" as its syslog
    identifier.

8.  Setting up PAM authentication (non-standalone).

    First compile with PEGASUS_PAM_AUTHENTICATION.

    Next install the PAM configuration file.

        % cd $PEGASUS_ROOT
        % cp rpm/wbem /etc/pam.d
        % chmod 0644 /etc/pam.d/wbem

9.  To build for standalone PAM authentication, compile with these:

        PEGASUS_PAM_AUTHENTICATION
        PEGASUS_USE_PAM_STANDALONE_PROC

10. To run cimserver with PAM, use these configuration parameters:

        enableAuthentication=true

11. To build SSL support, compile with these:

        OPENSSL_HOME=/usr
        PEGASUS_HAS_SSL=true

12. To run cimserver with SSL, use these configuration parameters:

        enableHttpsConnection=true
        enableAuthentication=true
        sslClientVerificationMode=optional
        sslTrustStoreUserName=root

13. To add a user to cimserver.passwd, use the following format (the given
    user must be a real system user).

        jsmith:AB5bZ.JX9fQzA

    Use the following program to generate the password (at least on
    Linux).

        #define _XOPEN_SOURCE
        #include <unistd.h>
        #include <stdio.h>

        int main()
        {
            /* Password "changeme", two-character salt "AB". */
            const char* hash = crypt("changeme", "AB");
            if (!hash)
            {
                perror("crypt");
                return 1;
            }
            printf("%s\n", hash);
            return 0;
        }

    Compile and link the program as follows.

        % gcc -o mkpasswd mkpasswd.cpp -lcrypt

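A syntax check for cimserver.passwd lines in the format shown in item 13, as an added example that is not part of the original notes or of the Pegasus sources. It assumes the hash field is traditional crypt(3) output like the entry above (13 characters, two-character salt first); the function and enum names are made up for the example.

```c
/* Added example: syntax check for cimserver.passwd lines ("user:hash").
 * Assumes the hash is traditional crypt(3) output: 13 chars, salt first. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum entry_status { ENTRY_OK, ENTRY_NO_COLON, ENTRY_BAD_USER, ENTRY_BAD_HASH };
/* Characters crypt(3) uses for the salt and the encoded hash. */
static const char CRYPT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Checks one line; on success copies the user name into `user`. */
enum entry_status check_entry_format(const char *line, char *user, size_t usersz)
{
    const char *colon = strchr(line, ':');
    if (!colon)
        return ENTRY_NO_COLON;
    size_t ulen = (size_t)(colon - line);
    if (ulen == 0 || ulen >= usersz)
        return ENTRY_BAD_USER;
    const char *hash = colon + 1;
    size_t hlen = strcspn(hash, "\r\n"); /* ignore a trailing newline */
    if (hlen != 13 || strspn(hash, CRYPT_ALPHABET) != 13)
        return ENTRY_BAD_HASH; /* e.g. a plaintext password stored by mistake */
    memcpy(user, line, ulen);
    user[ulen] = '\0';
    return ENTRY_OK;
}

/* Returns 1 if `user` exists in the system account database, else 0. */
int is_system_user(const char *user)
{
    return getpwnam(user) != NULL;
}

int main(void)
{
    /* Constructed sample lines; the first is the entry shown in item 13. */
    const char *samples[] = { "jsmith:AB5bZ.JX9fQzA", "jsmith:changeme", "jsmith" };
    char user[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        enum entry_status st = check_entry_format(samples[i], user, sizeof user);
        printf("%-22s status=%d", samples[i], (int)st);
        if (st == ENTRY_OK)
            printf(" system_user=%d", is_system_user(user));
        putchar('\n');
    }
    return 0;
}
```
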

14. KerberosAuthenticationHandler.h and all Kerberos authentication
    logic are not part of the Pegasus repository.

15. The following authentication schemes were rewritten and are now
    part of the executor.

    - PAM Basic Authentication
    - PAM Basic Authentication, using the cimservera program.
    - Secure Local Authentication
    - Secure Basic (uses cimserver.passwd file).

    The following authentication schemes still reside in cimservermain.

    - SSL peer authentication
    - Kerberos (source not available to Pegasus).

16. Places where the NEW_SESSION_KEY request is used:

    - SSL certificate authentication.
    - Indication service (before accepting connections).

17. Note that using "secure basic" authentication and "SSL peer
    authentication" together breaks the end-to-end tests (validate
    user fails since the user is not in the cimserver.passwd file).

18. Four provider agent user contexts:

    - REQUESTOR   MyProviderModule:*
    - DESIGNATED  MyProviderModule:fred
    - PRIVILEGED  MyProviderModule:root
    - CIMSERVER   MyProviderModule:pegasus