Updated README and TODO files to reflect the current state of the project.
Juan Carlos Luciani 2006-11-22 05:21:33 +00:00
parent cd04a3d4cf
commit cce03a7a13
19 changed files with 222 additions and 170 deletions

View File

@ -82,18 +82,13 @@ The auth_token client/service protocol allows for the authentication of the clie
auth_token relies in the server authentication mechanisms of SSL to verify the identity auth_token relies in the server authentication mechanisms of SSL to verify the identity
of the ATS. of the ATS.
IMPLEMENTATION STRATEGY AND CURRENT STATUS CURRENT STATUS
auth_token is currently under development and is not ready to be used in production. CASA-auth-token status is mostly code complete and has entered the testing phase. We will
The implementation strategy has been to first complete the framework with all of its be making changes during this phase based on the feedback received.
modules, APIs, and packaging to allow application writters to start developing to it.
Once this is done, then the implementation focus will switch to completing the plumbing.
As of this time, a lot of the framework has been completed and there are sample The items whose implemetation is still pending are listed in the TODO files for the various
applications that can be utilized to exercise it. For a more complete picture of where components.
we are, look at the various TODO lists present in the child folders.
The schedule for completing auth_token is agressive.
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS
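Review bot: the rewritten CURRENT STATUS paragraph drops the old explicit statement that auth_token is "not ready to be used in production", while the SECURITY CONSIDERATIONS text added later in this same commit says the client still defaults to accepting invalid ATS certificates. Keep a one-line readiness caveat here (for example "Not yet recommended for production deployments; see SECURITY CONSIDERATIONS") until that default is changed. Also "implemetation" should be "implementation".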

View File

@ -82,26 +82,15 @@ The auth_token client/service protocol allows for the authentication of the clie
auth_token relies in the server authentication mechanisms of SSL to verify the identity auth_token relies in the server authentication mechanisms of SSL to verify the identity
of the ATS. of the ATS.
IMPLEMENTATION STRATEGY AND CURRENT STATUS
auth_token is currently under development and is not ready to be used in production.
The implementation strategy has been to first complete the framework with all of its
modules, APIs, and packaging to allow application writters to start developing to it.
Once this is done, then the implementation focus will switch to completing the plumbing.
As of this time, a lot of the framework has been completed and there are sample
applications that can be utilized to exercise it. For a more complete picture of where
we are, look at the various TODO lists present in the child folders.
The schedule for completing auth_token is agressive.
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS
- Install Visual Studio .NET 2003 - Install Visual Studio 2005.
- Install Windows Platform SDK for Windows Server 2003 SP1 - Install Windows Platform SDK for Windows Server 2003 SP1.
- Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with Visual Studio - Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for
Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with
Visual Studio.
- Install Cygwin - See instructions below. - Install Cygwin - See instructions below.
- Extract Expat-2.0.0.zip in casa source directory parent - Extract Expat-2.0.0.zip in casa source directory parent.
- Install Casa - Install Casa
Download and start cygwin install: Download and start cygwin install:
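Review bot: "Extract Expat-2.0.0.zip in casa source directory parent." still gives no source URL or checksum for the archive, so a builder cannot tell where to obtain it or verify what is being unpacked into the build tree; add the download location and a digest to compare against, the way the Cygwin instructions below at least give the site to fetch from.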
@ -179,9 +168,8 @@ bash --login -i
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX
Install latest mono and mono-devel RPM - Obtain RPMs from Install needed RPMs. Look at BuildRequires line in CASA_auth_token_server.spec.in file
www.go-mono.org. in package/linux folder to see a list of RPM build dependencies.
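Review bot: please verify the spec file name. This README describes the client components (its SECURITY CONSIDERATIONS text talks about the Authentication Token Client) but now points at CASA_auth_token_server.spec.in for BuildRequires, the same file the server README in this commit references. If the client has its own .spec.in the pointer should name it; if it deliberately shares the server's build dependencies, say so explicitly.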
BUILDING THE SOFTWARE PACKAGE BUILDING THE SOFTWARE PACKAGE
@ -222,7 +210,7 @@ source distribution (configure, Makefile.in files, and other distributed
autotools files are not removed) autotools files are not removed)
make maintainer-clean - removes files to return state back to same as make maintainer-clean - removes files to return state back to same as
the CVS checkout (you will need to run ./autogen.sh again before running the SVN checkout (you will need to run ./autogen.sh again before running
make again) make again)
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS
@ -232,6 +220,15 @@ a user or to obtain identity information about the user. Because of this it is
important that the tokens be secured by applications making use of them. It is important that the tokens be secured by applications making use of them. It is
recommended that the tokens be transmitted using SSL. recommended that the tokens be transmitted using SSL.
Currently, the Authentication Token Client defaults to allow the setup of SSL
connections with an ATS even if the Certificate presented by the ATS is considered
invalid. In this mode, it is possible for a malicious user to set up a server which
impersonates an ATS for the purpose of acquiring user credentials. This default
will be modified once we implement a mechanism to give the user the option of either
approving or rejecting a certificate. If this behavior is un-acceptable to you then
you can configure the client to not allow SSL connections to be setup with invalid
server certificates by modifying the settings present in the client.conf file.
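Review bot: the added paragraph documents an insecure default (SSL connections succeed even when the ATS certificate is invalid) and correctly notes that it allows a server to impersonate an ATS and collect user credentials, but it never names the client.conf setting to change or the value that rejects invalid certificates, so a reader who finds the behaviour unacceptable cannot act on it without reading the source. Name the key and the secure value here, and consider shipping the secure value as the default now, with the planned approve/reject prompt as a usability improvement rather than the precondition for fixing the default. Also "un-acceptable" should be "unacceptable".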

View File

@ -6,12 +6,13 @@
INTRODUCTION INTRODUCTION
This file contains a list of the items still outstanding for auth_token. This file contains a list of the items still outstanding for auth_token
client components.
Note: There are TODO lists under each auth_token component. This file just Note: There are TODO lists under each auth_token component. This file just
details outstanding items at the project level. details outstanding items at the project level.
OUTSTANDING ITEMS OUTSTANDING ITEMS
- Add mechanism to try communicating with ATS over port 443 if communications - Create Java binding to GetAuthToken() API.
over port 2645 fail.

View File

@ -34,6 +34,14 @@ interacting with ATSs, invoking the authentication mechanism plug-ins, and
managing the authentication token cache. libcasa_c_authtoken also provides managing the authentication token cache. libcasa_c_authtoken also provides
the Get Authentication Token API. the Get Authentication Token API.
CONFIGURATION
libcasa_c_authtoken has several configuration settings that can be modified to
change its default behavior. To modify the libcasa_c_authtoken configuration
you need to edit the client.conf file. The path to the client.conf file under
linux is /etc/CASA/authtoken/client/client.conf. The path to the client.conf file
under windows is \Program Files\novell\CASA\Etc\Auth\client.conf.
CONFIGURING ADDITIONAL AUTHENTICATION MECHANISM MODULES CONFIGURING ADDITIONAL AUTHENTICATION MECHANISM MODULES
libcasa_c_authtoken utilizes mechanism plug-ins for authenticating to ATSs. libcasa_c_authtoken utilizes mechanism plug-ins for authenticating to ATSs.
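Review bot: the new CONFIGURATION section says libcasa_c_authtoken "has several configuration settings" but lists none. At minimum enumerate the setting that controls acceptance of invalid ATS certificates, with its default, since that is the one the SECURITY CONSIDERATIONS section tells users to change. Add that client.conf must be writable only by root (Linux) or Administrators (Windows), because anyone who can edit it can disable certificate checking for every process using the library. The Windows path "\Program Files\novell\CASA\Etc\Auth\client.conf" is relative to the current drive; give it a drive letter or write it as %ProgramFiles%\novell\CASA\Etc\Auth\client.conf.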

View File

@ -10,4 +10,14 @@ This file contains a list of the items still outstanding for libcasa_c_authtoken
OUTSTANDING ITEMS OUTSTANDING ITEMS
None. - Add mechanism to try communicating with ATS over port 443 if communications
over port 2645 fail.
- Enhance the AuthMechanism interface to support authentication schemes that
require several token exchanges between the client and the server. This will
also require the enhancement of the client/server protocol utilized for
authentication.
- Add mechanism to allow a user to either accept or reject server certificates
considered invalid.
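Review bot: for the new port-443 fallback item, state that the fallback must keep the same transport and certificate policy as port 2645 (HTTPS with the configured validation), otherwise a blocked or filtered 2645 becomes a downgrade path to a less-checked connection. The "accept or reject server certificates considered invalid" item should be tied to changing the documented default to reject, since an interactive prompt does nothing for unattended callers of GetAuthToken().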

View File

@ -34,7 +34,6 @@ authentication. The mechanism leverages the services of the native Kerberos 5
client to obtain Kerberos Tokens that can be used for authenticating an entity client to obtain Kerberos Tokens that can be used for authenticating an entity
to a Kerberos service. to a Kerberos service.
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS
The tokens that krb5mech generates are only utilized to authenticate the client The tokens that krb5mech generates are only utilized to authenticate the client

View File

@ -10,4 +10,7 @@ This file contains a list of the items still outstanding for krb5mech.
OUTSTANDING ITEMS OUTSTANDING ITEMS
None. - Change to also do server authentication once the AuthMechanism interface
is enhanced to support authentication schemes that require several token
exchanges between the client and the server. Allow this to be configurable.
.
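Review bot: stray "." on a line of its own after the list item. When server authentication in krb5mech is made configurable, say which way it defaults; with the client currently accepting invalid SSL certificates by default, a Kerberos mutual-authentication exchange would be the only check on the ATS's identity in this mechanism, so it should default to on.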

View File

@ -10,4 +10,8 @@ This file contains a list of the items still outstanding for pwmech.
OUTSTANDING ITEMS OUTSTANDING ITEMS
None. - Allow the server to specify that Desktop credentials should not be
utilized.
- Try to find way to remove credentials from miCASA cache which are
found to be invalid.
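Review bot: "Allow the server to specify that Desktop credentials should not be utilized" lets the peer steer which credentials the client sends. Add to the item that this instruction must only be honoured after the ATS has been authenticated (which the current default of accepting invalid certificates does not guarantee), otherwise a server impersonating an ATS can push the client into prompting the user for a password it can then capture.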

View File

@ -18,6 +18,8 @@
* To contact Novell about this file by physical or electronic mail, * To contact Novell about this file by physical or electronic mail,
* you may find current contact information at www.novell.com. * you may find current contact information at www.novell.com.
* *
* Author: Juan Carlos Luciani <jluciani@novell.com>
*
***********************************************************************/ ***********************************************************************/
package com.novell.casa.jaas; package com.novell.casa.jaas;

View File

@ -82,18 +82,134 @@ The auth_token client/service protocol allows for the authentication of the clie
auth_token relies in the server authentication mechanisms of SSL to verify the identity auth_token relies in the server authentication mechanisms of SSL to verify the identity
of the ATS. of the ATS.
IMPLEMENTATION STRATEGY AND CURRENT STATUS REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS
auth_token is currently under development and is not ready to be used in production. - Install Visual Studio 2005.
The implementation strategy has been to first complete the framework with all of its - Install Windows Platform SDK for Windows Server 2003 SP1.
modules, APIs, and packaging to allow application writters to start developing to it. - Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for
Once this is done, then the implementation focus will switch to completing the plumbing. Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with
Visual Studio.
- Install Cygwin - See instructions below.
As of this time, a lot of the framework has been completed and there are sample Download and start cygwin install:
applications that can be utilized to exercise it. For a more complete picture of where Browse to http://sources.redhat.com/cygwin/
we are, look at the various TODO lists present in the child folders.
The schedule for completing auth_token is agressive. Click on "Install or update now!" or "Install Cygwin now"
Cygwin Setup:
Next
Cygwin Setup - Choose Installation Type:
Install from Internet
Next
Cygwin Setup - Choose Installation Directory:
Root Directory: C:\cygwin
Install For: "All Users"
Default Text File Type: DOS
Cygwin Setup - Select Local Package Directory:
Local Package Directory: C:\cygwin-packages
Cygwin Setup - Select Connection Type:
Direct Connection
Choose A Download Site:
ftp://ftp.nas.nasa.gov
Cywin Setup - Select Packages:
Base:
defaults
Devel:
autoconf
automake
libtool
make
pkgconfig
cvs
gcc
gcc-g++
Editors:
vim (optional)
Net:
openssh
openssl
Text:
more
Utils:
clear (optional)
Cygwin Setup - Create Icons:
Finish
Edit cygwin.bat (c:\cygwin\cygwin.bat) to add a call to
%VS71COMNTOOLS%\vsvars32.bat (see example below). This sets up the
Visual Studio tools in Cygwin.
Sample cygwin.bat:
@echo off
call "%VS71COMNTOOLS%\vsvars32.bat" > NUL
C:
chdir C:\cygwin\bin
bash --login -i
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX
Install needed RPMs. Look at BuildRequires line in CASA_auth_token_svc.spec.in file
in package/linux folder to see a list of RPM build dependencies.
BUILDING THE SOFTWARE PACKAGE
Windows: Start at Step 1.
Linux: Skip to Step 2.
1. Run cygwin.bat to start up Cygwin.
2. Generate autotools files:
./autogen.sh --prefix=/<install_dir> [--enable-debug]
(<install_dir> is some writable directory where 'make install' will
install files for testing.
3. To reconfigure later, or to configure software that came from a source
distribution (.tar.gz) file, use configure.
./configure --prefix/<install_dir> [--enable-debug]
(run ./configure --help for more options)
4. Select your make target, here are a few interesting ones:
make [all] - build product files (package files not included)
make clean - clean up files built by 'make all'
make package - build product and package files
make package-clean - clean up package files
make install - install product files to <install_dir> specified by
--prefix during configure
make uninstall - undo 'make install'
make dist - build a source distribution tarball.
make distclean - removes files to return state back to same as the
source distribution (configure, Makefile.in files, and other distributed
autotools files are not removed)
make maintainer-clean - removes files to return state back to same as
the SVN checkout (you will need to run ./autogen.sh again before running
make again)
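Review bot: the Windows requirements now say "Install Visual Studio 2005" but the cygwin.bat sample below still calls "%VS71COMNTOOLS%\vsvars32.bat"; VS71COMNTOOLS is the Visual Studio .NET 2003 variable, Visual Studio 2005 sets VS80COMNTOOLS, so the sample fails as written. Likewise the Cygwin Devel package list still includes "cvs" while the make maintainer-clean text now refers to the SVN checkout; add "subversion". Two typos in the build steps: "./configure --prefix/<install_dir>" is missing the "=", and the parenthetical after step 2 is never closed.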
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS

View File

@ -326,7 +326,19 @@ CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS
- TBD - The ATS runs over Tomcat and by default receives requests over HTTPS on port 2645. For ease
of use, the basic ATS setup scrip creates a self-signed certificate to be used by SSL. The
use of self-signed certificates weakens the security properties of the SSL channel by forcing
clients to accept them. At this time, the default mode for auth_token clients is to allow
self signed-certificates. It is recommended that administrators obtain a certificate signed
by the appropriate authority and configure the ATS to use it and change the auth_token client
configuration to not accept invalid certificates to avoid this issue.
CASA Authenticatication Tokens when compromised can be used to either impersonate
a user or to obtain identity information about the user. Because of this it is
important that the tokens be secured by applications making use of them. It is
recommended that the tokens be transmitted using SSL.
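Review bot: "scrip" should be "script" and "self signed-certificates" should be "self-signed certificates". More substantively, the paragraph attributes the weakness to self-signed certificates "forcing clients to accept them"; the weakness is the client being configured to accept any invalid certificate. A self-signed ATS certificate that is imported into the clients' trust store gives full server authentication, so offer that as a second remediation alongside obtaining a CA-signed certificate, and name the client setting that has to be changed so administrators can pair this paragraph with the client README.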

View File

@ -10,10 +10,13 @@ This file contains a list of the items still outstanding for AuthTokenSvc.
OUTSTANDING ITEMS OUTSTANDING ITEMS
- Switch to a Web Services model where the Client/Server protocol uses SOAP.(This is under evaluation). - Switch Client/Server communication to use SOAP.(This is under evaluation).
- Add code to verify that client/server communications occur over HTTPS. - Add code to verify that client/server communications occur over HTTPS.
- Add logging. - Add logging.
- Create plug-in API for Identity Token Providers. - Create plug-in API for Identity Token Providers.
- Change printfs used for debugging into a suitable mechanism. - Change printfs used for debugging into a suitable mechanism.
- Create tool to connect Tomcat instance to Apache Server and disabling port 2645 listener. - Create tool to connect Tomcat instance to Apache Server and disabling port 2645 listener.
- Create tool to help administrators import certificates into the ATS's key store.
- Create tool to better edit the iaRealms file.
- Add identity token encryption capabilities.
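Review bot: "Add code to verify that client/server communications occur over HTTPS" is still open, yet the README change in this commit describes the ATS as receiving requests over HTTPS on 2645 and relies on SSL for server identity, and the Tomcat-behind-Apache tool item would add a second connector. This check (reject requests for which ServletRequest.isSecure() is false) should move ahead of the encryption and editing-tool items in the list.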

View File

@ -6,11 +6,13 @@
INTRODUCTION INTRODUCTION
This file contains a list of the items still outstanding for auth_token. This file contains a list of the items still outstanding for auth_token
server-java components.
Note: There are TODO lists under each auth_token component. This file just Note: There are TODO lists under each auth_token component. This file just
details outstanding items at the project level. details outstanding items at the project level.
OUTSTANDING ITEMS OUTSTANDING ITEMS
None. - Create ATS Windows install.

View File

@ -1,3 +1,4 @@
/*********************************************************************** /***********************************************************************
* *
* Copyright (C) 2006 Novell, Inc. All Rights Reserved. * Copyright (C) 2006 Novell, Inc. All Rights Reserved.
@ -63,6 +64,11 @@ CasaAuthtokenValidateD has the following command line parameters:
-d -d
Optional parameter that specifies that the service must be run as a daemon. Optional parameter that specifies that the service must be run as a daemon.
-s
Do not use multiple threads to call into the JVM when invoking the authentication
token verification classes. This option was added to have a temporary work around
to bug present in Sun's JVM Invoke Interface (BUG221420).
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS
Appropriate rights need to be set on the folder used by CasaAuthtokenValidateD to Appropriate rights need to be set on the folder used by CasaAuthtokenValidateD to
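Review bot: the -s description should state the default (multiple threads calling into the JVM) and what the workaround costs, since an operator choosing it for the JVM bug is also changing the daemon's concurrency. "BUG221420" needs a qualifier (Sun bug database or internal tracker) and a link so the option can be retired when the fix ships. Typo: "to bug present" should be "to a bug present".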

View File

@ -10,4 +10,4 @@ This file contains a list of the items still outstanding for libcasa_s_authtoken
OUTSTANDING ITEMS OUTSTANDING ITEMS
None. - Add support for encrypted identity tokens.

View File

@ -82,113 +82,10 @@ The auth_token client/service protocol allows for the authentication of the clie
auth_token relies in the server authentication mechanisms of SSL to verify the identity auth_token relies in the server authentication mechanisms of SSL to verify the identity
of the ATS. of the ATS.
IMPLEMENTATION STRATEGY AND CURRENT STATUS
auth_token is currently under development and is not ready to be used in production.
The implementation strategy has been to first complete the framework with all of its
modules, APIs, and packaging to allow application writters to start developing to it.
Once this is done, then the implementation focus will switch to completing the plumbing.
As of this time, a lot of the framework has been completed and there are sample
applications that can be utilized to exercise it. For a more complete picture of where
we are, look at the various TODO lists present in the child folders.
The schedule for completing auth_token is agressive.
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS
- Install Visual Studio .NET 2003
- Install Windows Platform SDK for Windows Server 2003 SP1
- Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with Visual Studio
- Install Cygwin - See instructions below.
- Extract Expat-2.0.0.zip in casa source directory parent
- Install Casa
Download and start cygwin install:
Browse to http://sources.redhat.com/cygwin/
Click on "Install or update now!" or "Install Cygwin now"
Cygwin Setup:
Next
Cygwin Setup - Choose Installation Type:
Install from Internet
Next
Cygwin Setup - Choose Installation Directory:
Root Directory: C:\cygwin
Install For: "All Users"
Default Text File Type: DOS
Cygwin Setup - Select Local Package Directory:
Local Package Directory: C:\cygwin-packages
Cygwin Setup - Select Connection Type:
Direct Connection
Choose A Download Site:
ftp://ftp.nas.nasa.gov
Cywin Setup - Select Packages:
Base:
defaults
Devel:
autoconf
automake
libtool
make
pkgconfig
cvs
gcc
gcc-g++
Editors:
vim (optional)
Net:
openssh
openssl
Text:
more
Utils:
clear (optional)
Cygwin Setup - Create Icons:
Finish
Edit cygwin.bat (c:\cygwin\cygwin.bat) to add a call to
%VS71COMNTOOLS%\vsvars32.bat (see example below). This sets up the
Visual Studio tools in Cygwin.
Sample cygwin.bat:
@echo off
call "%VS71COMNTOOLS%\vsvars32.bat" > NUL
C:
chdir C:\cygwin\bin
bash --login -i
REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX
Install latest mono and mono-devel RPM - Obtain RPMs from
www.go-mono.org.
BUILDING THE SOFTWARE PACKAGE BUILDING THE SOFTWARE PACKAGE
Windows: Start at Step 1. 1. Install needed RPMs. Look at BuildRequires line in CASA_auth_token_server.spec.in file
Linux: Skip to Step 2. in package/linux folder to see a list of RPM build dependencies.
1. Run cygwin.bat to start up Cygwin.
2. Generate autotools files: 2. Generate autotools files:
./autogen.sh --prefix=/<install_dir> [--enable-debug] ./autogen.sh --prefix=/<install_dir> [--enable-debug]
@ -222,7 +119,7 @@ source distribution (configure, Makefile.in files, and other distributed
autotools files are not removed) autotools files are not removed)
make maintainer-clean - removes files to return state back to same as make maintainer-clean - removes files to return state back to same as
the CVS checkout (you will need to run ./autogen.sh again before running the SVN checkout (you will need to run ./autogen.sh again before running
make again) make again)
SECURITY CONSIDERATIONS SECURITY CONSIDERATIONS
@ -232,6 +129,10 @@ a user or to obtain identity information about the user. Because of this it is
important that the tokens be secured by applications making use of them. It is important that the tokens be secured by applications making use of them. It is
recommended that the tokens be transmitted using SSL. recommended that the tokens be transmitted using SSL.
Token validation requires the installation of the certificate used by ATSs to
sign the tokens. The software assumes that any certificate installed by the
administrator is valid.
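Review bot: "The software assumes that any certificate installed by the administrator is valid" should spell out what is not checked (expiry, issuer chain, revocation) and that a certificate in that location is an unconditional trust anchor for every token the validator accepts. Add the file-system requirement that follows: the certificate store must be writable only by the administrator, because anyone who can write to it can mint tokens with their own key that this component will accept, matching the rights note the CasaAuthtokenValidateD README already makes for its own folder.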

View File

@ -6,12 +6,13 @@
INTRODUCTION INTRODUCTION
This file contains a list of the items still outstanding for auth_token. This file contains a list of the items still outstanding for auth_token
server components.
Note: There are TODO lists under each auth_token component. This file just Note: There are TODO lists under each auth_token component. This file just
details outstanding items at the project level. details outstanding items at the project level.
OUTSTANDING ITEMS OUTSTANDING ITEMS
- Add mechanism to try communicating with ATS over port 443 if communications None.
over port 2645 fail.

View File

@ -93,11 +93,3 @@ tcp/ip and Domain sockets communications.
By leveraging the File System Access Control features, you can scope communications that occur over By leveraging the File System Access Control features, you can scope communications that occur over
Domain sockets to specific or groups of users. Domain sockets to specific or groups of users.

View File

@ -10,5 +10,5 @@ This file contains a list of the items still outstanding for IpcLibs.
OUTSTANDING ITEMS OUTSTANDING ITEMS
- Add APIs to allow for the senging of fragmented request and reply data. - Add APIs to allow for the sending of fragmented request and reply data.