Updated README and TODO files to reflect the current state of the
project.
@@ -18,6 +18,8 @@
|
||||
* To contact Novell about this file by physical or electronic mail,
|
||||
* you may find current contact information at www.novell.com.
|
||||
*
|
||||
* Author: Juan Carlos Luciani <jluciani@novell.com>
|
||||
*
|
||||
***********************************************************************/
|
||||
|
||||
package com.novell.casa.jaas;
|
||||
|
||||
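Review bot: this hunk edits the header comment of a Java source file (package com.novell.casa.jaas), which the commit message, "Updated README and TODO files", does not cover. Mention the source header change in the message or move it to its own commit so the history of the JAAS code stays accurate.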
@@ -82,18 +82,134 @@ The auth_token client/service protocol allows for the authentication of the clie
|
||||
auth_token relies in the server authentication mechanisms of SSL to verify the identity
|
||||
of the ATS.
|
||||
|
||||
IMPLEMENTATION STRATEGY AND CURRENT STATUS
|
||||
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS
|
||||
|
||||
auth_token is currently under development and is not ready to be used in production.
|
||||
The implementation strategy has been to first complete the framework with all of its
|
||||
modules, APIs, and packaging to allow application writters to start developing to it.
|
||||
Once this is done, then the implementation focus will switch to completing the plumbing.
|
||||
- Install Visual Studio 2005.
|
||||
- Install Windows Platform SDK for Windows Server 2003 SP1.
|
||||
- Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for
|
||||
Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with
|
||||
Visual Studio.
|
||||
- Install Cygwin - See instructions below.
|
||||
|
||||
As of this time, a lot of the framework has been completed and there are sample
|
||||
applications that can be utilized to exercise it. For a more complete picture of where
|
||||
we are, look at the various TODO lists present in the child folders.
|
||||
Download and start cygwin install:
|
||||
Browse to http://sources.redhat.com/cygwin/
|
||||
|
||||
The schedule for completing auth_token is agressive.
|
||||
Click on "Install or update now!" or "Install Cygwin now"
|
||||
|
||||
Cygwin Setup:
|
||||
Next
|
||||
|
||||
Cygwin Setup - Choose Installation Type:
|
||||
Install from Internet
|
||||
Next
|
||||
|
||||
Cygwin Setup - Choose Installation Directory:
|
||||
Root Directory: C:\cygwin
|
||||
Install For: "All Users"
|
||||
|
||||
Default Text File Type: DOS
|
||||
|
||||
Cygwin Setup - Select Local Package Directory:
|
||||
Local Package Directory: C:\cygwin-packages
|
||||
|
||||
Cygwin Setup - Select Connection Type:
|
||||
Direct Connection
|
||||
|
||||
Choose A Download Site:
|
||||
ftp://ftp.nas.nasa.gov
|
||||
|
||||
Cywin Setup - Select Packages:
|
||||
Base:
|
||||
defaults
|
||||
|
||||
Devel:
|
||||
autoconf
|
||||
automake
|
||||
libtool
|
||||
make
|
||||
pkgconfig
|
||||
cvs
|
||||
gcc
|
||||
gcc-g++
|
||||
|
||||
Editors:
|
||||
vim (optional)
|
||||
|
||||
Net:
|
||||
openssh
|
||||
openssl
|
||||
|
||||
Text:
|
||||
more
|
||||
|
||||
Utils:
|
||||
clear (optional)
|
||||
|
||||
Cygwin Setup - Create Icons:
|
||||
Finish
|
||||
|
||||
Edit cygwin.bat (c:\cygwin\cygwin.bat) to add a call to
|
||||
%VS71COMNTOOLS%\vsvars32.bat (see example below). This sets up the
|
||||
Visual Studio tools in Cygwin.
|
||||
|
||||
Sample cygwin.bat:
|
||||
|
||||
@echo off
|
||||
|
||||
call "%VS71COMNTOOLS%\vsvars32.bat" > NUL
|
||||
|
||||
C:
|
||||
chdir C:\cygwin\bin
|
||||
|
||||
bash --login -i
|
||||
|
||||
|
||||
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX
|
||||
|
||||
Install needed RPMs. Look at BuildRequires line in CASA_auth_token_svc.spec.in file
|
||||
in package/linux folder to see a list of RPM build dependencies.
|
||||
|
||||
BUILDING THE SOFTWARE PACKAGE
|
||||
|
||||
Windows: Start at Step 1.
|
||||
Linux: Skip to Step 2.
|
||||
|
||||
1. Run cygwin.bat to start up Cygwin.
|
||||
|
||||
2. Generate autotools files:
|
||||
./autogen.sh --prefix=/<install_dir> [--enable-debug]
|
||||
(<install_dir> is some writable directory where 'make install' will
|
||||
install files for testing.
|
||||
|
||||
3. To reconfigure later, or to configure software that came from a source
|
||||
distribution (.tar.gz) file, use configure.
|
||||
./configure --prefix/<install_dir> [--enable-debug]
|
||||
(run ./configure --help for more options)
|
||||
|
||||
4. Select your make target, here are a few interesting ones:
|
||||
|
||||
make [all] - build product files (package files not included)
|
||||
|
||||
make clean - clean up files built by 'make all'
|
||||
|
||||
make package - build product and package files
|
||||
|
||||
make package-clean - clean up package files
|
||||
|
||||
make install - install product files to <install_dir> specified by
|
||||
--prefix during configure
|
||||
|
||||
make uninstall - undo 'make install'
|
||||
|
||||
make dist - build a source distribution tarball.
|
||||
|
||||
make distclean - removes files to return state back to same as the
|
||||
source distribution (configure, Makefile.in files, and other distributed
|
||||
autotools files are not removed)
|
||||
|
||||
make maintainer-clean - removes files to return state back to same as
|
||||
the SVN checkout (you will need to run ./autogen.sh again before running
|
||||
make again)
|
||||
|
||||
SECURITY CONSIDERATIONS
|
||||
|
||||
|
||||
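Review bot: step 3 gives `./configure --prefix/<install_dir> [--enable-debug]`, which is missing the `=` that step 2 uses in `--prefix=/<install_dir>`; it should read `./configure --prefix=/<install_dir> [--enable-debug]`. In the same section, the parenthesis opened in step 2 is never closed, "Cywin Setup" should be "Cygwin Setup", and the sample cygwin.bat calls `%VS71COMNTOOLS%\vsvars32.bat` while the requirements list Visual Studio 2005, so confirm that this is the variable the listed Visual Studio version defines. If the statement that auth_token "is not ready to be used in production" is being dropped along with the status section, keep that notice somewhere in the README.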
@@ -326,7 +326,19 @@ CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS
|
||||
|
||||
SECURITY CONSIDERATIONS
|
||||
|
||||
- TBD -
|
||||
The ATS runs over Tomcat and by default receives requests over HTTPS on port 2645. For ease
|
||||
of use, the basic ATS setup scrip creates a self-signed certificate to be used by SSL. The
|
||||
use of self-signed certificates weakens the security properties of the SSL channel by forcing
|
||||
clients to accept them. At this time, the default mode for auth_token clients is to allow
|
||||
self signed-certificates. It is recommended that administrators obtain a certificate signed
|
||||
by the appropriate authority and configure the ATS to use it and change the auth_token client
|
||||
configuration to not accept invalid certificates to avoid this issue.
|
||||
|
||||
CASA Authenticatication Tokens when compromised can be used to either impersonate
|
||||
a user or to obtain identity information about the user. Because of this it is
|
||||
important that the tokens be secured by applications making use of them. It is
|
||||
recommended that the tokens be transmitted using SSL.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
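Review bot: the first paragraph tells administrators to "change the auth_token client configuration to not accept invalid certificates" but names neither the configuration file nor the setting, so the recommendation cannot be followed from this README; add the setting name and the steps for configuring the ATS with the CA-signed certificate. Since the text says the default client mode allows self-signed certificates, state outright that a default client does not verify the identity of the ATS. Typos to fix: "scrip", "self signed-certificates", "Authenticatication".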
@@ -10,10 +10,13 @@ This file contains a list of the items still outstanding for AuthTokenSvc.
|
||||
|
||||
OUTSTANDING ITEMS
|
||||
|
||||
- Switch to a Web Services model where the Client/Server protocol uses SOAP.(This is under evaluation).
|
||||
- Switch Client/Server communication to use SOAP.(This is under evaluation).
|
||||
- Add code to verify that client/server communications occur over HTTPS.
|
||||
- Add logging.
|
||||
- Create plug-in API for Identity Token Providers.
|
||||
- Change printfs used for debugging into a suitable mechanism.
|
||||
- Create tool to connect Tomcat instance to Apache Server and disabling port 2645 listener.
|
||||
- Create tool to help administrators import certificates into the ATS's key store.
|
||||
- Create tool to better edit the iaRealms file.
|
||||
- Add identity token encryption capabilities.
|
||||
|
||||
|
||||
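Review bot: "Add code to verify that client/server communications occur over HTTPS" and "Add identity token encryption capabilities" sit at the same level as logging and editing tools; because they affect how tokens are protected in transit, mark them as security items or list them first so they are not scheduled behind convenience work. In the Tomcat item, "and disabling" should be "and disable", and "SOAP.(This" needs a space after the period.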
@@ -6,11 +6,13 @@
|
||||
|
||||
INTRODUCTION
|
||||
|
||||
This file contains a list of the items still outstanding for auth_token.
|
||||
This file contains a list of the items still outstanding for auth_token
|
||||
server-java components.
|
||||
|
||||
Note: There are TODO lists under each auth_token component. This file just
|
||||
details outstanding items at the project level.
|
||||
|
||||
OUTSTANDING ITEMS
|
||||
|
||||
None.
|
||||
- Create ATS Windows install.
|
||||
|
||||
|
||||
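Review bot: the reworded introduction scopes this file to "auth_token server-java components", but the Note just below still says the file "just details outstanding items at the project level" and that each component has its own TODO list; make the two statements agree, either by keeping the project-level wording or by rewriting the Note. The item "Create ATS Windows install" would also read better as "Create ATS Windows installer" or "installation package", whichever is meant.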