kumpf 1.1.4.2

1. The user that runs cimservermain is determined by the
PEGASUS_CIMSERVERMAIN_USER constant defined in
<Pegasus/Common/Constants.h>.

2. All files but the repository are owned by root. The cimservermain
process may read the root-owned files, but it must ask the executor
to modify them.

3. On startup the executor grants ownership of the repository to the
server user if the server user does not already own it, although
installation should already have done this.

4. The executor now checks whether the Pegasus repository exists and
errors out if it does not.

5. cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

6. The executor now detects whether the CIM server is already running.

7. For logging purposes, the executor uses "cimexecutor" as its syslog
identifier.
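Items 2, 3 and 5 together define an ownership model: root owns everything except the repository and the socket file, which belong to the server user. A manual install or a restore from backup can silently break that model, after which cimservermain can no longer write the repository. The following check is an added example, not part of Pegasus: it walks an install tree and reports every path that violates the model. The install prefix /opt/pegasus, the repository living at PEGASUS_HOME/repository, and the server user name "pegasus" (the name item 18 uses for the CIMSERVER context) are assumptions, and the sample snapshot is constructed rather than taken from a real host.

```python
"""Audit file ownership against the executor/cimservermain split."""
import os
import pwd

SOCKET_PATH = "/tmp/cimxml.socket"  # from item 5


def collect_owners(root):
    """Walk a real install tree and yield (path, owner login) pairs.

    Symlinks are not followed (lstat), so a link planted in the tree is
    reported with its own owner, not its target's.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)  # uid with no passwd entry
            yield path, owner


def _under(path, top):
    """True when path is top itself or lies below it (no prefix false positives)."""
    return path == top or path.startswith(top + os.sep)


def audit_ownership(entries, pegasus_home, server_user, socket_path=SOCKET_PATH):
    """Return [(path, problem)] for every entry that breaks the ownership model.

    Rule: the repository subtree (assumed at <pegasus_home>/repository) and the
    socket file belong to server_user; everything else under pegasus_home belongs
    to root; paths outside the install tree are ignored.
    """
    repo = os.path.join(pegasus_home, "repository")
    problems = []
    for path, owner in entries:
        if path == socket_path or _under(path, repo):
            expected = server_user
        elif _under(path, pegasus_home):
            expected = "root"
        else:
            continue
        if owner != expected:
            problems.append((path, f"owned by {owner}, expected {expected}"))
    return problems


# Constructed snapshot of an install with three mistakes; not from a real host.
SAMPLE_ENTRIES = [
    ("/opt/pegasus", "root"),
    ("/opt/pegasus/bin/cimserver", "root"),
    ("/opt/pegasus/etc/cimserver_planned.conf", "pegasus"),  # should be root
    ("/opt/pegasus/repository", "pegasus"),
    ("/opt/pegasus/repository/root#PG_InterOp", "root"),     # cimservermain cannot write it
    ("/opt/pegasus/repository/root#cimv2/classes", "pegasus"),
    ("/tmp/cimxml.socket", "root"),                          # should be the server user
    ("/etc/pam.d/wbem", "root"),                             # outside PEGASUS_HOME, ignored
]

if __name__ == "__main__":
    for path, problem in audit_ownership(SAMPLE_ENTRIES, "/opt/pegasus", "pegasus"):
        print(f"{path}: {problem}")
    # On a real host, feed the walker instead of the constructed list:
    # audit_ownership(collect_owners("/opt/pegasus"), "/opt/pegasus", "pegasus")
```

Run it as root (or any user that can stat the whole tree) after installation and after any restore; an empty result means the split described above holds.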
23
8. Setting up PAM authentication (non-standalone).

First compile with PEGASUS_PAM_AUTHENTICATION.

Next install the PAM configuration file (as root).

% cd $PEGASUS_ROOT
% cp rpm/wbem /etc/pam.d
% chmod 0644 /etc/pam.d/wbem

9. To build for standalone PAM authentication, compile with these:

PEGASUS_PAM_AUTHENTICATION
PEGASUS_USE_PAM_STANDALONE_PROC

10. To run cimserver with PAM, use this configuration parameter.

enableAuthentication=true

11. To build SSL support, compile with these.

OPENSSL_HOME=/usr
PEGASUS_HAS_SSL=true

12. To run cimserver with SSL, use these configuration parameters.

enableHttpsConnection=true
enableAuthentication=true
sslClientVerificationMode=optional
sslTrustStoreUserName=root

Note that with sslClientVerificationMode=optional a client that presents
no certificate is still accepted and falls back to the other enabled
authentication; use required if every client must authenticate with a
certificate. Set enableHttpConnection=false as well if credentials must
never cross a cleartext HTTP connection.
54
13. To add a user to cimserver.passwd, use the following format (the given
user must be a real system user).

jsmith:AB5bZ.JX9fQzA

The hash is the output of crypt(3) with a two-character salt (here "AB"),
i.e. traditional DES crypt: only the first eight characters of the
password are used, and the salt is the first two characters of the
output. Use the following program to generate the hash (at least on
Linux). It hard-codes both the password and the salt, so replace the
result before deploying.

/* mkpasswd.c: print the crypt(3) hash of a fixed password and salt. */
#define _XOPEN_SOURCE
#include <unistd.h>
#include <crypt.h>   /* glibc declares crypt() here; older builds used unistd.h */
#include <stdio.h>

int main(void)
{
    /* "AB" is the salt; it becomes the first two characters of the output. */
    printf("%s\n", crypt("changeme", "AB"));
    return 0;
}

Compile and link the program as follows.

% gcc -o mkpasswd mkpasswd.c -lcrypt
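The two constraints on cimserver.passwd in item 13, that each entry is user:hash and that the user must be a real system user, are easy to violate by hand-editing, and item 17 shows what a missing entry does to a login. The following lint is an added example, not Pegasus's own code (Pegasus ships the cimuser command for managing the file). It checks a cimserver.passwd text against an /etc/passwd text for unknown users, duplicates, malformed lines and hashes that are not the 13-character DES crypt form shown above, and it includes make_entry/check_password helpers that reach crypt(3) through Python's crypt module (deprecated since 3.11 and removed in 3.13, so its availability is an assumption). Both input files are constructed.

```python
"""Lint a cimserver.passwd file against the system user database."""
import re
import string

# Traditional DES crypt(3) output, the form shown on this page: a 2-character
# salt followed by 11 hash characters, all from this 64-character alphabet.
CRYPT_ALPHABET = string.ascii_letters + string.digits + "./"
DES_CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def parse_system_users(passwd_text):
    """Login names from /etc/passwd-style text (name:x:uid:gid:... per line)."""
    users = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def lint_cimserver_passwd(text, system_users):
    """Check cimserver.passwd text.

    Returns (entries, problems): entries maps user -> hash for every clean
    line, problems is a list of (line number, message) for everything else.
    """
    entries, problems, seen = {}, [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 2 or not parts[0]:
            problems.append((lineno, "malformed line, expected user:hash"))
            continue
        user, digest = parts
        found = []
        if user not in system_users:
            found.append(f"{user} is not a system user")
        if user in seen:
            found.append(f"duplicate entry for {user}")
        seen.add(user)
        if not DES_CRYPT_RE.match(digest):
            found.append("hash is not a 13-character DES crypt string")
        if found:
            problems.extend((lineno, msg) for msg in found)
        else:
            entries[user] = digest
    return entries, problems


def make_entry(user, password, salt=None):
    """Build 'user:hash' like the page's mkpasswd program, but with a random salt.

    Assumption: the crypt module (a wrapper over the system crypt(3)) exists;
    it is deprecated since Python 3.11 and removed in 3.13.
    """
    import crypt
    import secrets
    if salt is None:
        salt = "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))
    return f"{user}:{crypt.crypt(password, salt)}"


def check_password(digest, password):
    """Verify the way crypt(3)-based checkers do: crypt(password, stored) == stored.

    Traditional DES crypt only uses the first 8 characters of the password, so
    "changeme" and "changemeXYZ" both verify against the same hash.
    """
    import crypt
    return crypt.crypt(password, digest[:2]) == digest


# Constructed inputs, not from a real host.
SYSTEM_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pegasus:x:500:500:Pegasus CIM server:/var/lib/pegasus:/sbin/nologin
jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
"""

CIMSERVER_PASSWD = """\
jsmith:AB5bZ.JX9fQzA
nobody_here:AB5bZ.JX9fQzA
jsmith:AB5bZ.JX9fQzA
this line has no colon
root:$6$rounds=5000$salt$notdes
"""

if __name__ == "__main__":
    entries, problems = lint_cimserver_passwd(CIMSERVER_PASSWD, parse_system_users(SYSTEM_PASSWD))
    print("clean entries:", entries)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    try:
        entry = make_entry("jsmith", "changeme")
        digest = entry.split(":")[1]
        print(entry, check_password(digest, "changeme"), check_password(digest, "changemeXYZ"))
    except (ImportError, OSError):
        print("crypt(3) DES hashing not available on this Python/libc; skipping hash demo")
```

The truncation demonstrated by check_password is the practical reason to treat this file as a weak secondary credential store: a long passphrase buys nothing beyond its first eight characters, and the hash can be brute-forced offline by anyone who can read the file, so keep it root-owned and mode 0600.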
76
14. KerberosAuthenticationHandler.h and all Kerberos authentication
logic are not part of the Pegasus repository.

15. The following authentication schemes were rewritten and are now
part of the executor.

- PAM Basic Authentication
- PAM Basic Authentication, using the cimservera program.
- Secure Local Authentication
- Secure Basic (uses the cimserver.passwd file).

The following authentication schemes still reside in cimservermain.

- SSL peer authentication
- Kerberos (source not available to Pegasus).

16. Places where the NEW_SESSION_KEY request is used.

- SSL certificate authentication.
- Indication service (before accepting connections).

17. Note that using "secure basic" authentication and "SSL peer
authentication" together breaks the end-to-end tests (validate
user fails since the user is not in the cimserver.passwd file).

18. Four provider agent user contexts (module name, then the user the
provider agent runs as; "*" means the requesting user):

- REQUESTOR MyProviderModule:*
- DESIGNATED MyProviderModule:fred
- PRIVILEGED MyProviderModule:root
- CIMSERVER MyProviderModule:pegasus
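The four contexts in item 18 decide which OS identity a provider agent gets, which is the least-privilege question a reviewer asks of every provider module. The following sketch is an added example, not the executor's code: it resolves a module's user context to the uid the agent would be started as, refuses to proceed when that identity does not exist as a system user, and lists which modules would run as root for a given request. The passwd excerpt, the module configurations and the server user name "pegasus" are constructed or assumed, not read from a real host or repository.

```python
"""Resolve provider agent user contexts to the uid the agent runs as."""

REQUESTOR, DESIGNATED, PRIVILEGED, CIMSERVER = (
    "REQUESTOR", "DESIGNATED", "PRIVILEGED", "CIMSERVER")

# Constructed /etc/passwd excerpt: login -> uid. Not from a real host.
SYSTEM_USERS = {"root": 0, "pegasus": 500, "fred": 1001, "jsmith": 1002}


def agent_uid(user_context, requestor, designated_user, cimserver_user,
              system_users=SYSTEM_USERS):
    """Return the uid the provider agent must be started as, or raise ValueError.

    REQUESTOR  -> the authenticated requesting user (the page's "*")
    DESIGNATED -> the user named in the module's configuration ("fred")
    PRIVILEGED -> root
    CIMSERVER  -> the user cimservermain runs as ("pegasus")
    """
    if user_context == REQUESTOR:
        login = requestor
    elif user_context == DESIGNATED:
        if not designated_user:
            raise ValueError("DESIGNATED context but no designated user configured")
        login = designated_user
    elif user_context == PRIVILEGED:
        login = "root"
    elif user_context == CIMSERVER:
        login = cimserver_user
    else:
        raise ValueError(f"unknown user context {user_context!r}")
    # Whatever the context says, the agent can only be started as a real account.
    if login not in system_users:
        raise ValueError(f"{login} is not a system user, cannot start the agent as it")
    return system_users[login]


# Constructed module configurations (module, user context, designated user).
MODULES = [
    ("MyProviderModule", REQUESTOR, None),
    ("DiskProviderModule", DESIGNATED, "fred"),
    ("HardwareProviderModule", PRIVILEGED, None),
    ("IndicationProviderModule", CIMSERVER, None),
    ("BrokenModule", DESIGNATED, "nosuchuser"),
]


def plan_agents(modules, requestor, cimserver_user="pegasus", system_users=SYSTEM_USERS):
    """Return ({module: uid} for agents that can start, {module: reason} for the rest)."""
    ok, failed = {}, {}
    for module, ctx, designated in modules:
        try:
            ok[module] = agent_uid(ctx, requestor, designated, cimserver_user, system_users)
        except ValueError as err:
            failed[module] = str(err)
    return ok, failed


def root_modules(plan):
    """Names of modules whose agent would run as uid 0: the list to scrutinise."""
    return sorted(module for module, uid in plan.items() if uid == 0)


if __name__ == "__main__":
    ok, failed = plan_agents(MODULES, requestor="jsmith")
    for module, uid in ok.items():
        print(f"{module}: agent runs as uid {uid}")
    for module, reason in failed.items():
        print(f"{module}: cannot start ({reason})")
    print("privileged modules:", root_modules(ok))
```

A request from a user with no local account fails every REQUESTOR module rather than silently running the agent as someone else, which is the behaviour to expect from an executor that has to setuid() to a concrete uid.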