Brought up to date the README and TODO files.

2006-10-10 14:47:19 +00:00
parent ac412cb2cd
commit 18e290e209
28 changed files with 567 additions and 64 deletions
--- a/CASA-auth-token/java/server/Svc/README
+++ b/CASA-auth-token/java/server/Svc/README
@@ -1,3 +1,26 @@
+/***********************************************************************
+ * 
+ *  Copyright (C) 2006 Novell, Inc. All Rights Reserved.
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; version 2.1
+ *  of the License.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Library Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, Novell, Inc.
+ * 
+ *  To contact Novell about this file by physical or electronic mail, 
+ *  you may find current contact information at www.novell.com.
+ * 
+ *  Author: Juan Carlos Luciani <jluciani@novell.com>
+ *
+ ***********************************************************************/
 /***********************************************************************
 *
 *  README for AuthTokenSvc
@@ -19,10 +42,10 @@ Identity Token Providers for the generation of Identity Tokens.

 ENVIRONMENT SETTINGS

-The following options must be set in the JAVA_OPTS setting before starting Tomcat
-to allow the Kerberos authentication mechanism to work properly:
+The following options must be set in the JAVA_OPTS environment variable before
+starting Tomcat to allow the Kerberos authentication mechanism to work properly
+with Sun's Java:

-Djavax.security.auth.useSubjectCredsOnly=false
 -Djava.security.auth.login.config={replace with the path for JAAS configuration
                                   file for the service}
                                   
@@ -44,14 +67,21 @@ com.sun.security.auth.module.Krb5LoginModule required
      keyTab="/etc/krb5.keytab";
 }

-Please adjust the ticketCache and principal setting to match your installation. 
+Please adjust the ticketCache and principal setting to match your installation.
+
+By default, AuthTokenSvc reads its configuration from the "conf" folder under
+the WEB-INF folder of the Tomcat Web Application ($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/conf).
+This can be over-ridden by setting the following option in the JAVA_OPTS environment variable:
+
+ -Dcom.novell.casa.authtoksvc.config={replace with the path to the configuration
+                                      folder}

 CONFIGURATION

-AuthTokenSvc configuration consists of multiple entities. Most of the AuthTokenSvc
-configuration is contained within the "conf" folder under the WEB-INF folder of the
-application. For an example configuration setup for the AuthTokenSvc see the
-sampleConf folder.
+AuthTokenSvc configuration consists of multiple entities. The authTokenSvc configuration
+is contained within the "conf" folder under the WEB-INF folder of the application
+($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/conf). For an example configuration setup
+for the AuthTokenSvc see the sampleConf folder.

 The location of the AuthTokenSvc configuration folder can be over-ridden by specifying
 a different path via the com.novell.casa.authtoksvc.config system property.
@@ -60,7 +90,7 @@ CONFIGURING THE BASE SERVICE

 The ATS base settings are configured in the svc.settings file under the conf folder.

-Thhe following is an example svc.settings file:
+The following is an example svc.settings file:

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <settings>
@@ -110,23 +140,42 @@ Note the following about the sample svc.settings file:

 - The KeyStorePwd setting specifies the password of the user specified by KeyStoreUser to get
  the private signing key from the keystore.
+
+ATSs digitally sign tokens, for this purpose it is necessary that keys be generated and installed
+in a keystore whose location and properties are configured in the crypto.properties file present in
+the "classes" folder under the WEB-INF folder of the AuthTokenSvc application
+($CATALINA_HOME/webapps/CasaAuthTokenSvc/WEB-INF/classes). Please note that you must edit the
+crypto.properties file with the appropriate information once the AuthTokenSvc is deployed to
+a Tomcat server.
 
 CONFIGURING SERVICES TO CONSUME CASA AUTHENTICATION TOKENS

-Services are configured to consume CASA authentication tokens by creating folders
-under the conf/enabled_services folders. Since CASA distinguishes between services
+By default, an ATS will issue CASA authentication tokens to be consumed by any service
+not explicitedly configured as a consumer in the ATS's configuration. This default
+behavior can be turned off by setting the following system property in the JAVA_OPTS
+environment variable:
+
+ -Dcom.novell.casa.authtoksvc.enabled_svcs_only=true
+
+Services explicitedly configured as consumers of CASA authentication tokens by creating
+folders under the conf/anabled_services folder. Since CASA distinguishes between services
 of the same name existing in different hosts, the first folder that must be created
 is one for the host where the service resides. The host folder name must match the
-DNS name of the host where the service resides. Services are configured by creating
-a folder under the appropriate host folder with a name matching the service name.
+DNS name of the host where the service resides unless the service resides in the same
+host as the ATS in which case the host folder name must be "localhost". Services are
+configured by creating a folder under the appropriate host folder with a name matching
+the service name.

-Note when configuring services that the service name and the host names must match
-the service and host names specified by the client applications when requesting
-tokens to authenticate to them.
+Note when configuring services that the service folder and the host folder names must match
+the service and host names specified by the client applications when requesting tokens to
+authenticate to them with the exception of when the service resides in the same host as the
+ATS in which case the host folder name is "localhost" and the host name specified by the
+application is the host's DNS name.

 The services folder must contain an auth.policy file, an authtoken.settings file,
-and an identoken.settings file. In the absence of any one of those files, the ATS
-will default to utilizing the files present under its conf folder.
+and an identoken.settings file. In the absence of any one of those files or if the service
+is not explicitedly configured, the ATS will default to utilizing the files present under
+its conf folder.

 The auth.policy file specifies the authentication realms (or contexts) to which
 entities can authenticate to gain access to the service. The auth.policy file also
@@ -140,7 +189,7 @@ The following is an example auth.policy file:
 	<auth_source>
 		<realm>CorpTree</realm>
 		<mechanism>Krb5Authenticate</mechanism>
-		<mechanism_info>host@tokenserver.company.novell.com</mechanism_info>
+		<mechanism_info>host/tokenserver.company.novell.com@KRB_REALM</mechanism_info>
 	</auth_source>
 	<auth_source>
 		<realm>CorpTree</realm>
@@ -167,8 +216,8 @@ Note the following about the sample auth.policy file:
  specified for an auth_source entry.
  
 - The name of the Krb5 Authentication mechanism is "Krb5Authenticate". This mechanism
-  requires that you specify the service's kerberos principal name under the mechanism_info
-  key.
+  defaults the service principal name to host/hostname@KERBEROS_REALM. You can use a
+  different service principal name under the mechanism_info key.
  
 - The name of the username/password authentication mechanism is "PwdAuthenticate" and
  it does not require any information to be included under the mechanism_info key.
@@ -213,7 +262,6 @@ The following is an example identoken.settings file:
 <settings>
 	<Attributes>sn,groupMembership,guid</Attributes>
 	<EncryptAttributes>false</EncryptAttributes>
-	<Certificate>Base64 encoded certificate</Certificate>
 </settings>

 Note the following about the sample identoken.settings file:
@@ -232,10 +280,6 @@ Note the following about the sample identoken.settings file:
  the file present in its conf folder (Attribute encryption is not yet supported
  by the Casa identity token provider).
  
- The Certificate setting specifies the certificate that must be utilized to encrypt
-  identity attribute data. The certificate contains the public key of the targeted
-  service. The certificate data is Base64 encoded.
-  
 - The identoken.settings file can also contain additional identity token provider
  specific settings.
  
@@ -268,22 +312,22 @@ mechanism:
 <settings>
 	<ClassName>com.novell.casa.authtoksvc.Krb5Authenticate</ClassName>
 	<RelativeClassPath>WEB-INF/classes</RelativeClassPath>
-	<ServicePrincipalName>host@authtokenserver.company.com</ServicePrincipalName>
+	<ServicePrincipalName>host</ServicePrincipalName>
 </settings>

 The base AuthTokenSvc package contains two authentication mechanisms, these are
 Krb5Authenticate and PwdAuthenticate. The configuration under sampleConf is set up
 to allow an AuthTokenSvc to leverage both mechanisms.

-The Krb5Authenticate mechanism requires that the following setting also be included
-in its mechanism.settings file:
+The Krb5Authenticate mechanism defaults the service principal name to "host/hostname",
+you can over-ride this parameter by adding the following entry to its mechanism.settings file:

 ServicePrincipalName - This is the name of the Kerberos Service Principal that the
 Authentication Token Service runs as when authenticating other entities.

 CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS

- TBD -
+<This feature is not currently supported>

 SECURITY CONSIDERATIONS