1.  The user that runs cimservermain is determined by the
    PEGASUS_CIMSERVERMAIN_USER constant defined in
    <Pegasus/Common/Constants.h>.

2.  All files but the repository are owned by root. The cimservermain
    process may read the root-owned files, but it must ask the executor
    to modify them.

3.  Cimservermain owns the local-domain socket file (/tmp/cimxml.socket).

4.  The executor now detects whether the CIM server is already running.

5.  For logging purposes, the executor uses "cimserver" as its syslog
    identifier.

6.  Setting up PAM authentication (non-standalone).

    First compile with PEGASUS_PAM_AUTHENTICATION.

    Next install the PAM configuration file.

        % cd $PEGASUS_ROOT
        % cp rpm/wbem /etc/pam.d
        % chmod 0644 /etc/pam.d/wbem

7.  To build for standalone PAM authentication, compile with these:

        PEGASUS_PAM_AUTHENTICATION
        PEGASUS_USE_PAM_STANDALONE_PROC

8.  To run cimserver with PAM, use this configuration parameter:

        enableAuthentication=true

9.  To build with SSL support, compile with these:

        OPENSSL_HOME=/usr
        PEGASUS_HAS_SSL=true

10. To run cimserver with SSL, use these configuration parameters:

        enableHttpsConnection=true
        enableAuthentication=true
        sslClientVerificationMode=optional
        sslTrustStoreUserName=root

11. To add a user to cimserver.passwd, use the following format (the given
    user must be a real system user).

        jsmith:AB5bZ.JX9fQzA

    Use the following program to generate the password hash (at least on
    Linux).

        #define _XOPEN_SOURCE
        #include <unistd.h>
        #include <stdio.h>

        int main()
        {
            /* The two-character salt ("AB") selects the traditional
               13-character crypt(3) format, as in the entry above. */
            const char* hash = crypt("changeme", "AB");
            if (!hash)
            {
                perror("crypt");
                return 1;
            }
            printf("%s\n", hash);
            return 0;
        }

    Compile and link the program as follows.

        % gcc -o mkpasswd mkpasswd.cpp -lcrypt

12. KerberosAuthenticationHandler.h and all Kerberos authentication
    logic are not part of the Pegasus repository.

13. The following authentication schemes were rewritten and are now
    part of the executor.

        - PAM Basic Authentication
        - PAM Basic Authentication, using cimservera program.
        - Secure Local Authentication
        - Secure Basic (uses cimserver.passwd file).

    The following authentication schemes still reside in cimservermain.

        - SSL peer authentication
        - Kerberos (source not available to Pegasus).

14. Note that using "secure basic" authentication and "SSL peer
    authentication" together breaks the end-to-end tests (validate
    user fails since the user is not in the cimserver.passwd file).

15. The install script is responsible for properly setting ownership
    of all files (including the Pegasus repository).

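Added example (not part of the Pegasus sources): a shell check of the ownership rules in notes 2, 3 and 15, for use after the install script has run. The install, repository and socket paths and the server user are caller-supplied assumptions, as is the rule that the repository belongs to the cimservermain user; the group/other-writable check goes beyond what the notes state.

```shell
#!/bin/sh
# Added example, not part of the Pegasus tree. Paths and user names are
# supplied by the caller; the notes do not give the install locations.

# Expected owner of everything outside the repository (note 2).
PRIV_OWNER=${PRIV_OWNER:-root}

# audit_install INSTALL_DIR REPO_DIR SERVER_USER [SOCKET]
# REPO_DIR must be spelled as find will print it (INSTALL_DIR/..., no
# trailing slash). Prints one line per violation; returns 1 if any were
# found, 2 on bad arguments, 0 when the layout is clean.
audit_install() {
    install_dir=$1 repo_dir=$2 server_user=$3 socket=${4:-}
    if [ ! -d "$install_dir" ] || [ ! -d "$repo_dir" ]; then
        echo "audit_install: missing directory" >&2
        return 2
    fi
    report=$(
        # Note 2: outside the repository everything is root-owned. A
        # group- or other-writable file could let cimservermain change it
        # without going through the executor, so flag that too. Symlink
        # modes are ignored.
        find "$install_dir" -path "$repo_dir" -prune -o \
            \( ! -user "$PRIV_OWNER" -o \
               ! -type l \( -perm -020 -o -perm -002 \) \) -print |
            sed 's/^/not-root-only: /'
        # Assumption: the repository belongs to the cimservermain user.
        find "$repo_dir" ! -user "$server_user" -print |
            sed 's/^/repo-owner: /'
        # Note 3: cimservermain owns the local-domain socket.
        if [ -n "$socket" ] && [ -e "$socket" ]; then
            find "$socket" ! -user "$server_user" -print |
                sed 's/^/socket-owner: /'
        fi
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```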