From 18e290e2095d5602be37549ffb42952a89794405 Mon Sep 17 00:00:00 2001
From: Juan Carlos Luciani
Date: Tue, 10 Oct 2006 14:47:19 +0000
Subject: [PATCH] Brought up to date the README and TODO files.

---
 CASA-auth-token/README                              |  25 ++++-
 CASA-auth-token/java/README                         |  25 ++++-
 CASA-auth-token/java/TODO                           |   3 +-
 .../package/linux/CASA_auth_token_svc.changes       |   5 +
 CASA-auth-token/java/server/Jaas/README             |  23 ++++
 CASA-auth-token/java/server/Svc/README              | 104 +++++++++++++-----
 CASA-auth-token/java/server/Svc/TODO                |   5 +-
 .../com/novell/casa/authtoksvc/AuthToken.java       |   6 +
 .../casa/authtoksvc/Krb5_mechanism.settings         |   1 -
 CASA-auth-token/non-java/README                     |  25 ++++-
 CASA-auth-token/non-java/TODO                       |   3 +-
 CASA-auth-token/non-java/client/README              |  27 ++++-
 CASA-auth-token/non-java/client/TODO                |   7 +-
 CASA-auth-token/non-java/client/csharp/README       |  68 ++++++++++++
 CASA-auth-token/non-java/client/csharp/TODO         |  15 +++
 .../non-java/client/mechanisms/krb5/README          |  23 ++++
 .../non-java/client/mechanisms/krb5/TODO            |   3 +-
 .../non-java/client/mechanisms/pwd/README           |  23 ++++
 .../non-java/client/mechanisms/pwd/TODO             |   3 +-
 .../linux/CASA_auth_token_native.changes            |  11 ++
 .../non-java/server/ApacheSupport/2.2/README        |  30 ++++-
 .../non-java/server/AuthTokenValidate/README        |  30 ++++-
 .../server/AuthTokenValidate/Svc/README             |  80 ++++++++++++++
 .../server/AuthTokenValidate/Svc/TODO               |  13 +++
 .../non-java/server/AuthTokenValidate/TODO          |   4 +-
 .../idenTokenProviders/casa/README                  |  23 ++++
 .../non-java/server/PamSupport/README               |  23 ++++
 .../non-java/utilities/IpcLibs/README               |  23 ++++
 28 files changed, 567 insertions(+), 64 deletions(-)
 create mode 100644 CASA-auth-token/non-java/client/csharp/README
 create mode 100644 CASA-auth-token/non-java/client/csharp/TODO
 create mode 100644 CASA-auth-token/non-java/server/AuthTokenValidate/Svc/README
 create mode 100644 CASA-auth-token/non-java/server/AuthTokenValidate/Svc/TODO
diff --git a/CASA-auth-token/README b/CASA-auth-token/README index 3abc9805..616da5a3 100644 --- a/CASA-auth-token/README +++ b/CASA-auth-token/README @@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for auth_token @@ -45,7 +68,7 @@ cached. Once the client is authenticated to the ATS, it then requests Authentica Tokens from it using the obtained Session Token. When an ATS receives a request for an Authentication Token, it then verifies the validity of the received Session Token and then it creates the appropriate Identity Token for the target service which it then -embeds within the Authentication Token. The indentity information contained in the +embeds within the Authentication Token. The identity information contained in the Identity Token as well as the type of Identity Token utilized depends on what is configured for the tatget service. 
diff --git a/CASA-auth-token/java/README b/CASA-auth-token/java/README index 3abc9805..616da5a3 100644 --- a/CASA-auth-token/java/README +++ b/CASA-auth-token/java/README @@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for auth_token @@ -45,7 +68,7 @@ cached. Once the client is authenticated to the ATS, it then requests Authentica Tokens from it using the obtained Session Token. When an ATS receives a request for an Authentication Token, it then verifies the validity of the received Session Token and then it creates the appropriate Identity Token for the target service which it then -embeds within the Authentication Token. The indentity information contained in the +embeds within the Authentication Token. The identity information contained in the Identity Token as well as the type of Identity Token utilized depends on what is configured for the tatget service. 
diff --git a/CASA-auth-token/java/TODO b/CASA-auth-token/java/TODO index 4bc8d36e..e45eac67 100644 --- a/CASA-auth-token/java/TODO +++ b/CASA-auth-token/java/TODO @@ -13,5 +13,4 @@ details outstanding items at the project level. OUTSTANDING ITEMS -- Plug-in auth_token into the CASA make system. - +None. diff --git a/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes b/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes index 4106964b..9814e631 100644 --- a/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes +++ b/CASA-auth-token/java/package/linux/CASA_auth_token_svc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Oct 10 08:45:22 MDT 2006 - jluciani@novell.com + +- Brought up to date the README and TODO files. + ------------------------------------------------------------------- Thu Sep 21 15:41:18 MDT 2006 - jluciani@novell.com diff --git a/CASA-auth-token/java/server/Jaas/README b/CASA-auth-token/java/server/Jaas/README index fae61bc0..a35e9033 100644 --- a/CASA-auth-token/java/server/Jaas/README +++ b/CASA-auth-token/java/server/Jaas/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for JaasSupport diff --git a/CASA-auth-token/java/server/Svc/README b/CASA-auth-token/java/server/Svc/README index 72d3625f..262b8a80 100644 --- a/CASA-auth-token/java/server/Svc/README +++ b/CASA-auth-token/java/server/Svc/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for AuthTokenSvc @@ -19,10 +42,10 @@ Identity Token Providers for the generation of Identity Tokens. ENVIRONMENT SETTINGS -The following options must be set in the JAVA_OPTS setting before starting Tomcat -to allow the Kerberos authentication mechanism to work properly: +The following options must be set in the JAVA_OPTS environment variable before +starting Tomcat to allow the Kerberos authentication mechanism to work properly +with Sun's Java: --Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config={replace with the path for JAAS configuration file for the service} 
@@ -44,14 +67,21 @@ com.sun.security.auth.module.Krb5LoginModule required keyTab="/etc/krb5.keytab"; } -Please adjust the ticketCache and principal setting to match your installation. +Please adjust the ticketCache and principal setting to match your installation. + +By default, AuthTokenSvc reads its configuration from the "conf" folder under +the WEB-INF folder of the Tomcat Web Application ($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/conf). +This can be over-ridden by setting the following option in the JAVA_OPTS environment variable: + + -Dcom.novell.casa.authtoksvc.config={replace with the path to the configuration + folder} CONFIGURATION -AuthTokenSvc configuration consists of multiple entities. Most of the AuthTokenSvc -configuration is contained within the "conf" folder under the WEB-INF folder of the -application. For an example configuration setup for the AuthTokenSvc see the -sampleConf folder. +AuthTokenSvc configuration consists of multiple entities. The authTokenSvc configuration +is contained within the "conf" folder under the WEB-INF folder of the application +($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/conf). For an example configuration setup +for the AuthTokenSvc see the sampleConf folder. The location of the AuthTokenSvc configuration folder can be over-ridden by specifying a different path via the com.novell.casa.authtoksvc.config system property. @@ -60,7 +90,7 @@ CONFIGURING THE BASE SERVICE The ATS base settings are configured in the svc.settings file under the conf folder. -Thhe following is an example svc.settings file: +The following is an example svc.settings file: 
@@ -110,23 +140,42 @@ Note the following about the sample svc.settings file: - The KeyStorePwd setting specifies the password of the user specified by KeyStoreUser to get the private signing key from the keystore. + +ATSs digitally sign tokens, for this purpose it is necessary that keys be generated and installed +in a keystore whose location and properties are configured in the crypto.properties file present in +the "classes" folder under the WEB-INF folder of the AuthTokenSvc application +($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/classes). Please note that you must edit the +crypto.properties file with the appropriate information once the AuthTokenSvc is deployed to +a Tomcat server. CONFIGURING SERVICES TO CONSUME CASA AUTHENTICATION TOKENS -Services are configured to consume CASA authentication tokens by creating folders -under the conf/enabled_services folders. Since CASA distinguishes between services +By default, an ATS will issue CASA authentication tokens to be consumed by any service +not explicitedly configured as a consumer in the ATS's configuration. This default +behavior can be turned off by setting the following system property in the JAVA_OPTS +environment variable: + + -Dcom.novell.casa.authtoksvc.enabled_svcs_only=true + +Services explicitedly configured as consumers of CASA authentication tokens by creating +folders under the conf/anabled_services folder. Since CASA distinguishes between services of the same name existing in different hosts, the first folder that must be created is one for the host where the service resides. The host folder name must match the -DNS name of the host where the service resides. Services are configured by creating -a folder under the appropriate host folder with a name matching the service name. +DNS name of the host where the service resides unless the service resides in the same +host as the ATS in which case the host folder name must be "localhost". 
Services are +configured by creating a folder under the appropriate host folder with a name matching +the service name. -Note when configuring services that the service name and the host names must match -the service and host names specified by the client applications when requesting -tokens to authenticate to them. +Note when configuring services that the service folder and the host folder names must match +the service and host names specified by the client applications when requesting tokens to +authenticate to them with the exception of when the service resides in the same host as the +ATS in which case the host folder name is "localhost" and the host name specified by the +application is the host's DNS name. The services folder must contain an auth.policy file, an authtoken.settings file, -and an identoken.settings file. In the absence of any one of those files, the ATS -will default to utilizing the files present under its conf folder. +and an identoken.settings file. In the absence of any one of those files or if the service +is not explicitedly configured, the ATS will default to utilizing the files present under +its conf folder. The auth.policy file specifies the authentication realms (or contexts) to which entities can authenticate to gain access to the service. The auth.policy file also @@ -140,7 +189,7 @@ The following is an example auth.policy file: CorpTree Krb5Authenticate - host@tokenserver.company.novell.com + host/tokenserver.company.novell.com@KRB_REALM CorpTree 
@@ -167,8 +216,8 @@ Note the following about the sample auth.policy file: specified for an auth_source entry. - The name of the Krb5 Authentication mechanism is "Krb5Authenticate". This mechanism - requires that you specify the service's kerberos principal name under the mechanism_info - key. + defaults the service principal name to host/hostname@KERBEROS_REALM. You can use a + different service principal name under the mechanism_info key. - The name of the username/password authentication mechanism is "PwdAuthenticate" and it does not require any information to be included under the mechanism_info key. @@ -213,7 +262,6 @@ The following is an example identoken.settings file: sn,groupMembership,guid false - Base64 encoded certificate Note the following about the sample identoken.settings file: @@ -232,10 +280,6 @@ Note the following about the sample identoken.settings file: the file present in its conf folder (Attribute encryption is not yet supported by the Casa identity token provider). -- The Certificate setting specifies the certificate that must be utilized to encrypt - identity attribute data. The certificate contains the public key of the targeted - service. The certificate data is Base64 encoded. - - The identoken.settings file can also contain additional identity token provider specific settings. 
@@ -268,22 +312,22 @@ mechanism: com.novell.casa.authtoksvc.Krb5Authenticate WEB-INF/classes - host@authtokenserver.company.com + host The base AuthTokenSvc package contains two authentication mechanisms, these are Krb5Authenticate and PwdAuthenticate. The configuration under sampleConf is set up to allow an AuthTokenSvc to leverage both mechanisms. -The Krb5Authenticate mechanism requires that the following setting also be included -in its mechanism.settings file: +The Krb5Authenticate mechanism defaults the service principal name to "host/hostname", +you can over-ride this parameter by adding the following entry to its mechanism.settings file: ServicePrincipalName - This is the name of the Kerberos Service Principal that the Authentication Token Service runs as when authenticating other entities. CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS -- TBD - + SECURITY CONSIDERATIONS diff --git a/CASA-auth-token/java/server/Svc/TODO b/CASA-auth-token/java/server/Svc/TODO index 7d10724a..54e2b1c0 100644 --- a/CASA-auth-token/java/server/Svc/TODO +++ b/CASA-auth-token/java/server/Svc/TODO @@ -10,12 +10,9 @@ This file contains a list of the items still outstanding for AuthTokenSvc. OUTSTANDING ITEMS -- Switch to a Web Services model where the Client/Server protocol uses SOAP. -- Switch to use WS-Security, WS-Policy, and WS-Conversation for Authentication Tokens and Session Tokens. +- Switch to a Web Services model where the Client/Server protocol uses SOAP.(This is under evaluation). - Add code to verify that client/server communications occur over HTTPS. - Add logging. - Create plug-in API for Identity Token Providers. -- Integrate into CASA build environment. -- Review Code. - Change printfs used for debugging into a suitable mechanism. diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java index 55a23f0b..6cce42ca 100644 
--- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java +++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/AuthToken.java @@ -37,6 +37,9 @@ import org.apache.axis.message.MessageElement; import javax.xml.namespace.QName; import java.io.*; +// Un-comment the following line to print Authentication Token Messages +//import org.apache.axis.utils.XMLUtils; + /* * AuthToken Class. @@ -113,6 +116,9 @@ public class AuthToken svcConfig, (targetHost.compareTo("localhost") == 0) ? false : true); + // Un-comment the following line to print Authentication Token Messages + //XMLUtils.PrettyElementToWriter(authTokenMessage.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out)); + // Now save the message as a string OutputStream outStream = new ByteArrayOutputStream(); authTokenMessage.writeTo(outStream); diff --git a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Krb5_mechanism.settings b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Krb5_mechanism.settings index 6aa16259..9c37571c 100644 --- a/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Krb5_mechanism.settings +++ b/CASA-auth-token/java/server/Svc/src/com/novell/casa/authtoksvc/Krb5_mechanism.settings @@ -3,5 +3,4 @@ This is the authentication mechanism for the Krb5Authenticate scheme. The Krb5Authenticate scheme authenticates entities using Kerberos-V tokens. com.novell.casa.authtoksvc.Krb5Authenticate WEB-INF/classes - Specify the service's kerberos principal name diff --git a/CASA-auth-token/non-java/README b/CASA-auth-token/non-java/README index 3abc9805..616da5a3 100644 --- a/CASA-auth-token/non-java/README +++ b/CASA-auth-token/non-java/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for auth_token @@ -45,7 +68,7 @@ cached. Once the client is authenticated to the ATS, it then requests Authentica Tokens from it using the obtained Session Token. When an ATS receives a request for an Authentication Token, it then verifies the validity of the received Session Token and then it creates the appropriate Identity Token for the target service which it then -embeds within the Authentication Token. The indentity information contained in the +embeds within the Authentication Token. The identity information contained in the Identity Token as well as the type of Identity Token utilized depends on what is configured for the tatget service. diff --git a/CASA-auth-token/non-java/TODO b/CASA-auth-token/non-java/TODO index 4bc8d36e..d0dbcf9b 100644 --- a/CASA-auth-token/non-java/TODO +++ b/CASA-auth-token/non-java/TODO 
@@ -13,5 +13,4 @@ details outstanding items at the project level. OUTSTANDING ITEMS -- Plug-in auth_token into the CASA make system. - +- Allow the Windows client to be built under Cygwin. diff --git a/CASA-auth-token/non-java/client/README b/CASA-auth-token/non-java/client/README index 66ed0620..bde5cec6 100644 --- a/CASA-auth-token/non-java/client/README +++ b/CASA-auth-token/non-java/client/README @@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for libcasa_c_authtoken 
@@ -17,8 +40,8 @@ libcasa_c_authtoken utilizes mechanism plug-ins for authenticating to ATSs. The client auth_token package installs mechanisms for the support of Kerberos5 and Username/Password authentication. To configure additional authentication mechanism plug-ins, place their configuration file in the folder for CASA Authentication Token module -configuration. The path to this folder under linux is /etc/opt/novell/CASA/authtoken.d/modules.d. -The path to this folder under Windows is \Program Files\novell\CASA\auth\mechanisms. The name of +configuration. The path to this folder under linux is /etc/CASA/authtoken.d/client.d/mechanisms.d/. +The path to this folder under Windows is \Program Files\novell\CASA\Etc\Auth\Mechanisms\. The name of the plug-in configuration file is related to the authentication mechanism type in the following manner: AuthenticationMechanismTypeName.conf. diff --git a/CASA-auth-token/non-java/client/TODO b/CASA-auth-token/non-java/client/TODO index a96f51d3..07ce4dc8 100644 --- a/CASA-auth-token/non-java/client/TODO +++ b/CASA-auth-token/non-java/client/TODO @@ -10,9 +10,4 @@ This file contains a list of the items still outstanding for libcasa_c_authtoken OUTSTANDING ITEMS -- Implementation of Linux specific code. -- Re-structure the token cache to differentiate between Session Tokens and Authentication Tokens. -- Use the CASA cache as the token store. -- Switch Client/Server protocol to use SOAP Messages. -- Enable communications over HTTPS instead of over HTTP. - +None. diff --git a/CASA-auth-token/non-java/client/csharp/README b/CASA-auth-token/non-java/client/csharp/README new file mode 100644 index 00000000..2fb1d8e2 --- /dev/null +++ b/CASA-auth-token/non-java/client/csharp/README 
@@ -0,0 +1,68 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ +/*********************************************************************** + * + * README for Novell.Casa.Client.Auth CSHARP Library + * + ***********************************************************************/ + +INTRODUCTION + +Novell.Casa.Client.Auth CSHARP Library provides a class for CSHARP client +applications to obtain authentication tokens from the CASA Authentication +Token Infrastructure. + +CLIENT APPLICATION PROGRAMMING NOTES + +The Novell.Casa.Client.Auth.Authtoken class provides static method ObtainAuthToken() +to allow client applications to obtain CASA Authentication Tokens. The caller must +supply the name of the service to which it wants to authenticate along with the name +of the host where it resides to the static method. The returned authentication token +is a Base64 encoded string. 
+ +Applications utilizing CASA Authentication Tokens as passwords in protocols that require the +transfer of user name and password credentials should verify or remove any password length limits +as the length of CASA Authentication Tokens may be over 1K bytes. The size of the CASA Authentication +Tokens is directly dependent on the amount of identity information configured as required by the +consuming service. These applications should also set the user name to "CasaPrincipal". + +For examples of code which uses the Novell.Casa.Client.Auth.Authtoken class look at the test +application under the test folder. + +SECURITY CONSIDERATIONS + +CASA Authentication Tokens when compromised can be used to either impersonate +a user or to obtain identity information about the user. Because of this it is +important that the tokens be secured by applications making use of them. It is +recommended that the tokens be transmitted using SSL. + + + + + + + + + + diff --git a/CASA-auth-token/non-java/client/csharp/TODO b/CASA-auth-token/non-java/client/csharp/TODO new file mode 100644 index 00000000..41061da2 --- /dev/null +++ b/CASA-auth-token/non-java/client/csharp/TODO @@ -0,0 +1,15 @@ +/*********************************************************************** + * + * TODO for Novell.Casa.Client.Auth CSHARP Library + * + ***********************************************************************/ + +INTRODUCTION + +This file contains a list of the items still outstanding for the +Novell.Casa.Client.Auth CSHARP library. + +OUTSTANDING ITEMS + +- Include it in the Linux Client build/rpm. + diff --git a/CASA-auth-token/non-java/client/mechanisms/krb5/README b/CASA-auth-token/non-java/client/mechanisms/krb5/README index 6b5f03b1..d2e696fd 100644 --- a/CASA-auth-token/non-java/client/mechanisms/krb5/README +++ b/CASA-auth-token/non-java/client/mechanisms/krb5/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for krb5mech diff --git a/CASA-auth-token/non-java/client/mechanisms/krb5/TODO b/CASA-auth-token/non-java/client/mechanisms/krb5/TODO index c7b55ce1..d3df377c 100644 --- a/CASA-auth-token/non-java/client/mechanisms/krb5/TODO +++ b/CASA-auth-token/non-java/client/mechanisms/krb5/TODO @@ -10,5 +10,4 @@ This file contains a list of the items still outstanding for krb5mech. OUTSTANDING ITEMS -- Implementation of Linux specific code. - +None. diff --git a/CASA-auth-token/non-java/client/mechanisms/pwd/README b/CASA-auth-token/non-java/client/mechanisms/pwd/README index 12f170d6..002f9b8a 100644 --- a/CASA-auth-token/non-java/client/mechanisms/pwd/README +++ b/CASA-auth-token/non-java/client/mechanisms/pwd/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for pwmech diff --git a/CASA-auth-token/non-java/client/mechanisms/pwd/TODO b/CASA-auth-token/non-java/client/mechanisms/pwd/TODO index cf307b20..08437725 100644 --- a/CASA-auth-token/non-java/client/mechanisms/pwd/TODO +++ b/CASA-auth-token/non-java/client/mechanisms/pwd/TODO @@ -10,5 +10,4 @@ This file contains a list of the items still outstanding for pwmech. OUTSTANDING ITEMS -- Implementation of Linux specific code. - +None. diff --git a/CASA-auth-token/non-java/package/linux/CASA_auth_token_native.changes b/CASA-auth-token/non-java/package/linux/CASA_auth_token_native.changes index 33ea15d0..ebd84752 100644 --- a/CASA-auth-token/non-java/package/linux/CASA_auth_token_native.changes +++ b/CASA-auth-token/non-java/package/linux/CASA_auth_token_native.changes 
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Oct 10 08:46:22 MDT 2006 - jluciani@novell.com + +- Brought up to date the README and TODO files. + +------------------------------------------------------------------- +Mon Oct 9 09:28:37 MDT 2006 - jluciani@novell.com + +- Cleaned up compiler warnings that were present in some of the + components. + ------------------------------------------------------------------- Fri Oct 6 14:22:54 MDT 2006 - schoi@novell.com diff --git a/CASA-auth-token/non-java/server/ApacheSupport/2.2/README b/CASA-auth-token/non-java/server/ApacheSupport/2.2/README index 39fe47da..bde7ef2f 100644 --- a/CASA-auth-token/non-java/server/ApacheSupport/2.2/README +++ b/CASA-auth-token/non-java/server/ApacheSupport/2.2/README @@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for mod_authn_casa 
@@ -35,9 +58,10 @@ for authenticating requests issued to mod_example: Require valid-user -Note that the name specified in the AuthName directive should match the name -configured under CASA for the authentication realm used by CASA to obtain -identity information for the service. +The AuthName directive specifies the name of the authentication REALM relayed +by the server to HTTP clients when requesting that the they authenticate using +the Basic Authentication scheme. The AuthName can be used by the HTTP client to +realize that the server is expecting CASA Authentication Token materials. mod_authn_casa supports the following configuration directives: diff --git a/CASA-auth-token/non-java/server/AuthTokenValidate/README b/CASA-auth-token/non-java/server/AuthTokenValidate/README index 287f9dfc..814a3ecc 100644 --- a/CASA-auth-token/non-java/server/AuthTokenValidate/README +++ b/CASA-auth-token/non-java/server/AuthTokenValidate/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for libcasa_s_authtoken @@ -16,9 +39,8 @@ module to perform the credential validation. To facilitate this, CASA Authentica provides PAM, Apache, and JAAS modules that can be used to validate credentials containing CASA Authentication tokens, -CONFIGURING TRUSTED AUTHENTICATION TOKEN SERVICES - -tbd. Add info about the installation of public certificates and trusted certificate authorities. +libcasa_s_authtoken relies on the CasaAuthtokenValidateD service in order to perform its +functions. To learn more about CasaAuthtokenValidateD see the Svc folder. CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDER MODULES 
@@ -30,7 +52,7 @@ is configured for CASA Authentication. The default identity token type is CasaId libcasa_s_authtoken supports different identity token types through an API that allows for the configuration of different Identity Token Provider plug-ins. An Identity Token Provider plug-in is configured by placing a configuration file for the plug-ins in the -/etc/opt/CASA/authtoken.d/modules.d folder. The name of the plug-in configuration file is related +/etc/CASA/authtoken.d/modules.d folder. The name of the plug-in configuration file is related to the identity token type in the following manner: IdentityTokenTypeName.conf. Identity Token Provider plug-in configuration files must must contain a directive indicating the diff --git a/CASA-auth-token/non-java/server/AuthTokenValidate/Svc/README b/CASA-auth-token/non-java/server/AuthTokenValidate/Svc/README new file mode 100644 index 00000000..84da76dc --- /dev/null +++ b/CASA-auth-token/non-java/server/AuthTokenValidate/Svc/README 
@@ -0,0 +1,80 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ +/*********************************************************************** + * + * README for CasaAuthtokenValidateD + * + ***********************************************************************/ + +INTRODUCTION + +CasaAuthtokenValidateD provides a service that is utilized by libcasa_s_authtoken +for the validation of CASA Authentication Tokens. + +Processes executing libcasa_s_authtoken communicate with CasaAuthTokenValidateD via +domain sockets. CasaAuthTokenValidateD validates authentication tokens by invoking +the appropriate CASA Authentication Token Java classes. + +COMMAND LINE PARAMETERS + +CasaAuthtokenValidateD has the following command line parameters: + + -b BeginThreads + + Optional parameter that specifies the initial number of threads utilized by the + service to process requests. + + -g GrowThreads + + Optional parameter that specifies the number of threads by which the service can + grow its thread pool utilized for processing requests. 
+ + -m MaxThreads + + Optional parameter that specifies the maximum number of threads that the service + can have in its thread pool for processing requests. + + -D DebugLevel + + Optional parameter that specifies the level used for logging debugging information. + 0 being the lowest debug level. + + -d + Optional parameter that specifies that the service must be run as a daemon. + +SECURITY CONSIDERATIONS + +Appropriate rights need to be set on the folder used by CasaAuthtokenValidateD to +create its listeing socket to keep other services from hijacking it and taking on +the validation of CASA authentication sockets. CasaAuthtokenValidateD creates its +listen socket in the /var/lib/CASA/authtoken/validate/ folder. + + + + + + + + + diff --git a/CASA-auth-token/non-java/server/AuthTokenValidate/Svc/TODO b/CASA-auth-token/non-java/server/AuthTokenValidate/Svc/TODO new file mode 100644 index 00000000..a6cb6c81 --- /dev/null +++ b/CASA-auth-token/non-java/server/AuthTokenValidate/Svc/TODO @@ -0,0 +1,13 @@ +/*********************************************************************** + * + * TODO for CasaAuthtokenValidateD + * + ***********************************************************************/ + +INTRODUCTION + +This file contains a list of the items still outstanding for CasaAuthtokenValidateD. + +OUTSTANDING ITEMS + +None. diff --git a/CASA-auth-token/non-java/server/AuthTokenValidate/TODO b/CASA-auth-token/non-java/server/AuthTokenValidate/TODO index 2bf53b7a..730eb6f1 100644 --- a/CASA-auth-token/non-java/server/AuthTokenValidate/TODO +++ b/CASA-auth-token/non-java/server/AuthTokenValidate/TODO @@ -10,6 +10,4 @@ This file contains a list of the items still outstanding for libcasa_s_authtoken OUTSTANDING ITEMS -- Change AuthTokens to be SOAP messages secured with WS-Security and WS-Trust. -- Implement CheckAuthToken(). -- Finish README documentation. +None. 
diff --git a/CASA-auth-token/non-java/server/AuthTokenValidate/idenTokenProviders/casa/README b/CASA-auth-token/non-java/server/AuthTokenValidate/idenTokenProviders/casa/README index 61daecd2..81214d40 100644 --- a/CASA-auth-token/non-java/server/AuthTokenValidate/idenTokenProviders/casa/README +++ b/CASA-auth-token/non-java/server/AuthTokenValidate/idenTokenProviders/casa/README @@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for casa_identoken diff --git a/CASA-auth-token/non-java/server/PamSupport/README b/CASA-auth-token/non-java/server/PamSupport/README index 3996c09d..1b8df1dd 100644 --- a/CASA-auth-token/non-java/server/PamSupport/README +++ b/CASA-auth-token/non-java/server/PamSupport/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for pam_casaauthtok diff --git a/CASA-auth-token/non-java/utilities/IpcLibs/README b/CASA-auth-token/non-java/utilities/IpcLibs/README index d10f19fb..efdcea61 100644 --- a/CASA-auth-token/non-java/utilities/IpcLibs/README +++ b/CASA-auth-token/non-java/utilities/IpcLibs/README 
@@ -1,3 +1,26 @@ +/*********************************************************************** + * + * Copyright (C) 2006 Novell, Inc. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version 2.1 + * of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, Novell, Inc. + * + * To contact Novell about this file by physical or electronic mail, + * you may find current contact information at www.novell.com. + * + * Author: Juan Carlos Luciani + * + ***********************************************************************/ /*********************************************************************** * * README for IpcLibs
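Review bot: the license boilerplate added at the top of krb5/README has an incomplete sentence: "You should have received a copy of the GNU Lesser General Public License along with this library; if not, Novell, Inc." stops before saying what the reader should do if no copy was received (the usual text gives an address to write to). The same block also names the license "GNU Library Lesser General Public License" in one line and "GNU Lesser General Public License" elsewhere. The identical header is pasted into the pwd, mod_authn_casa, libcasa_s_authtoken, CasaAuthtokenValidateD, casa_identoken, pam_casaauthtok and IpcLibs READMEs in this patch, so fix the template once and re-apply it to all of them.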
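Review bot: the krb5mech TODO hunk replaces "- Implementation of Linux specific code." with "None.", but nothing in this patch or in the new CASA_auth_token_native.changes entry records that the Linux-specific code was completed. If it was, say so in the changes file; if the item was only dropped from the list, keep it.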
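Review bot: the pwmech TODO hunk likewise turns "- Implementation of Linux specific code." into "None." with no corresponding note anywhere that the work landed. Add a changes entry for the completed item or leave it on the list.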
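Review bot: the new changes entry "Brought up to date the README and TODO files" undersells this patch: it also corrects the plug-in configuration directory in the libcasa_s_authtoken README from /etc/opt/CASA/authtoken.d/modules.d to /etc/CASA/authtoken.d/modules.d and clears several TODO items. A packager or administrator reading the changelog will want the path correction called out on its own line.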
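Review bot: typo in the new AuthName paragraph of the mod_authn_casa README: "when requesting that the they authenticate" should read "when requesting that they authenticate". Beyond that, the replaced text told the administrator that AuthName must match the realm configured under CASA, while the new text only says the client "can be used ... to realize that the server is expecting CASA Authentication Token materials". If a particular AuthName value is what makes the client send CASA token materials, state that value; otherwise the example loses the one actionable instruction it had.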
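Review bot: the removed "CONFIGURING TRUSTED AUTHENTICATION TOKEN SERVICES" placeholder in the libcasa_s_authtoken README was the only mention of installing public certificates and trusted certificate authorities, and the Svc/README it now points to covers command-line parameters and the socket directory, not trust configuration. Keep the section as a pointer to wherever trust is configured, or add that material to the Svc README; as written, the README no longer tells an administrator how the validator decides which Authentication Token Services to trust. Minor: the context line ends "CASA Authentication tokens," with a comma where a period belongs.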
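Review bot: please confirm that /etc/CASA/authtoken.d/modules.d is the directory libcasa_s_authtoken actually reads at run time; a README naming a directory the library does not scan sends Identity Token Provider configuration files to the wrong place and silently leaves identity token types unconfigured. While here, the context line "Identity Token Provider plug-in configuration files must must contain" has a doubled "must".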
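Review bot: the new CasaAuthtokenValidateD README has several documentation gaps. It spells the daemon both "CasaAuthtokenValidateD" and "CasaAuthTokenValidateD" in the INTRODUCTION; use the executable's real name throughout. COMMAND LINE PARAMETERS gives no defaults for -b, -g and -m and no range or default for -D DebugLevel beyond "0 being the lowest debug level", which an administrator needs in order to size the thread pool and know what each level logs; the -d entry is also missing the blank line the other entries have between the flag and its description. In SECURITY CONSIDERATIONS, "listeing" should be "listening" and "taking on the validation of CASA authentication sockets" should say "tokens"; more importantly, "Appropriate rights need to be set on the folder" should name the owner and mode the package sets on /var/lib/CASA/authtoken/validate/, and say whether libcasa_s_authtoken checks anything about the peer beyond the socket path, since directory permissions are the only control the text names against a process impersonating the validator. The file also ends with a run of empty lines that should be trimmed.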
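Review bot: the libcasa_s_authtoken TODO hunk replaces three outstanding items with "None.", including "- Implement CheckAuthToken()." and "- Change AuthTokens to be SOAP messages secured with WS-Security and WS-Trust.", but nothing in the patch shows either being done and the changes entry mentions only README and TODO updates. If CheckAuthToken() is implemented, reference the change that did it; if the WS-Security/WS-Trust item was dropped as a design decision, record that decision instead of deleting the item, since it determines how tokens are protected on the wire.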