Difference: APPXLoginManagerForUnixLinux (53 vs. 54)

Revision 54, 2008-10-07 - SteveFrizzell

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"
Deleted:
<
<
 

APPX Login Manager For Unix/Linux

This page describes how to install the APPX Login Manager command and how to use it to install, configure, and manage APPX Login Services on Unix/Linux systems.
Line: 268 to 267
 disabled - APPX clients may only request a plain text connection

-TrustedCAFile=CAFILENAME

Changed:
<
<
This option identifies the pathname of the file that identifies which client certificates to trust.
>
>
This option identifies the pathname of the file that identifies which client certificates to trust (leave blank if client certificates are not required).
  -ServerCertificateFile=CERTFILENAME
This option identifies the pathname of the server's X509 certificate (leave blank for anonymous connections).
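Review bot: the new TrustedCAFile wording "leave blank if client certificates are not required" and the unchanged ServerCertificateFile wording "leave blank for anonymous connections" describe two very different postures and the hunk should say so. A blank TrustedCAFile only means the server will not verify client certificates, which is acceptable when clients authenticate by password inside the TLS session; a blank ServerCertificateFile means the handshake carries no server certificate at all, so clients cannot distinguish the genuine login service from an impostor listening on the same port, and the encryption only defeats passive eavesdropping. Suggest one added sentence after the ServerCertificateFile line, e.g. "Anonymous connections encrypt traffic but do not authenticate the server; configure a certificate on any network you do not fully control."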
Line: 544 to 543
 

Red Hat service command.

Added:
>
>

Usage (service)

Synopsis - service Command

 
Changed:
<
<
Usage: service appxd-8060 {start|stop|status|reload|restart}

013) (Cosmetic) Redundant redundant redundant

data data data.

A minimal install produces three warning statements as documented below:

[root@APPX4.30TestBox tools]# ./appxLoginMgr -install -port=8060

Warning - the engine that you named has the setuid bit enabled,

you may not want that bit set for the authentication

method that you have chosen (OS-User)

To turn off the setuid bit, chmod u-s ../appx

Configuration written to: appxd-7777.ini

Environment written to: appxd-7777.env

Service script written to: /etc/init.d/appxd-8060

Configuration complete

Registering service

Starting appxd-8060: serviceName: appxd-8060

servicePath: /usr/local/appx/tools/

Looking for config file in appxd-8060.ini

Warning - the engine that you named has the setuid bit enabled,

>
>
service [serviceName] [start|stop|restart|status]
 
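Review bot: the replacement synopsis "service [serviceName] [start|stop|restart|status]" drops "reload", which the removed usage line "service appxd-8060 {start|stop|status|reload|restart}" listed; either the generated /etc/init.d script still accepts reload and the synopsis should keep it, or it does not and the old line was wrong, and the page should say which. The square brackets also read as "optional" in the usual synopsis convention, whereas both the service name and the action are mandatory; the braces in the removed line were the right notation. This hunk also silently discards the installation transcript and the "013"/"014" review items; the transcript showed "-port=8060" writing appxd-7777.ini and appxd-7777.env while the service script went to /etc/init.d/appxd-8060, which looks like a genuine defect in the tool and belongs in the Issues list this revision adds rather than being deleted.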
Changed:
<
<
you may not want that bit set for the authentication
>
>

Examples:

How to create private/public-keys without passphrase for server

Example of appxLoginMgr parameter to identify private key:
ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key
 
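Review bot: the ServerPrivateKeyFile example ("ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key") points at a key the heading says is created "without passphrase", so file permissions are the only thing protecting it; the example should state that the key file must be owned by the account the service runs as, readable and writable by that owner only, and never left world-readable in the tools directory next to the .ini and .env files. The space before "=" is also shown inconsistently on the page ("ServerPrivateKeyFile =" here, "TrustedCAFile = #" in the removed parameter list); pick the form the .ini parser accepts and use it throughout the examples.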
Changed:
<
<
method that you have chosen (OS-User)
>
>
Example of openssl command to create private key:
openssl genrsa -out tubes.internal.appx.com.private.key 1024

How to create public SSL certificate for server

Example of appxLoginMgr parameter to identify SSL certificate:
ServerCertificateFile =/usr/local/appx/tools/tubes.internal.appx.com.crt
 
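Review bot: "openssl genrsa -out tubes.internal.appx.com.private.key 1024" generates a 1024-bit RSA key, which is below the 2048-bit minimum generally recommended for new keys; change the example to "openssl genrsa -out tubes.internal.appx.com.private.key 2048". Since the page deliberately creates the key without a passphrase (genrsa writes the key unencrypted unless an encryption option is given), the lead-in should say why, namely that the daemon must start unattended and that ServerPrivateKeyPassphrase is declared not a valid parameter in the Limitations section of this same revision, so readers do not take the omission for an oversight.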
Changed:
<
<
To turn off the setuid bit, chmod u-s ../appx
>
>
Example of openssl command to create SSL certificate:
openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt

Warnings:

"the engine that you named has the setuid bit enabled"

 
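Review bot: "openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt" produces a self-signed certificate, and the example should say so together with what follows from it: APPX clients can only verify the server if they are configured to trust this exact certificate, and the subject CN typed at the interactive prompt must match the host name clients connect to (tubes.internal.appx.com, judging by the file name) or name checking will fail. Suggest adding -subj "/CN=tubes.internal.appx.com" to the command so the example is non-interactive and the naming requirement is explicit, and noting that -days 365 means the certificate has to be reissued yearly.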
Changed:
<
<
Writing process ID to /var/run/appxd-7777.pid
>
>
This warning message is displayed when you start a service and the engine specified for AppxExecutable has the setuid bit set.
 
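Review bot: "This warning message is displayed when you start a service" contradicts issue 2 in the Issues list added further down in this same revision, which says the warning appears every time a configuration is loaded or saved, up to three times per command. Either reword this to "displayed whenever the service configuration is loaded or saved and the engine specified for AppxExecutable has the setuid bit set", or fix the tool so the warning really is start-only and keep the sentence as written.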
Changed:
<
<
running as process 12156 servicing port 8060
>
>
When launching an APPX session, the APPX Login Manager sets the real user ID and the effective user ID of the APPX session based on the value specified for the ImpersonateUser parameter.  If the engine has the setuid bit set, then the effective user of the APPX session will be changed by the operating system to be the owner of the APPX engine and the APPX session will run with the permissions of that user.
 
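Review bot: the new paragraph explains the mechanism (the operating system replaces the effective user ID with the engine owner's) but not the consequence, which is the reason the warning exists: with the setuid bit set, every APPX session runs with the engine owner's permissions regardless of ImpersonateUser, so if the engine is owned by root, any user who can authenticate to the login service obtains a root-privileged session. Add that sentence, and keep the remedy the old text carried ("To turn off the setuid bit, chmod u-s ../appx") in this Warnings paragraph rather than only inside the quoted warning output, which the following Deleted blocks trim.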
Added:
>
>

 Warning - the engine that you named has the setuid bit enabled,
Deleted:
<
<
 you may not want that bit set for the authentication
Deleted:
<
<
 method that you have chosen (OS-User)
Deleted:
<
<
 To turn off the setuid bit, chmod u-s ../appx
Added:
>
>
 
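Review bot: these Added/Deleted blocks leave only the first line of the quoted warning (" Warning - the engine that you named has the setuid bit enabled,") in the new Warnings section and delete its remaining three lines, including "To turn off the setuid bit, chmod u-s ../appx". Quote the full four-line message so an operator can match what the tool prints against the documentation, and so the remedy survives in the new text.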
Changed:
<
<
up and running (process 12156 servicing port 8060)

Installation Complete

[root@APPX4.30TestBox tools]#

014) (Suggestion) Warn users not to move

configuration files.

We should probably warn via screen notice on service creation, and document inside the .ini and .env files that if the .ini, .env and appxLoginMgr/appxAuditLogger are move or renamed, then the /etc/init.d system startup script will fail to work. The /etc/inid.d/appxd-8060 startup script references by name and path the .ini, .env, and appxLoginMgr/appxAuditLogger files.

Suggested Behavior changes:

>
>

Issues:

  1. The stop option of the Red Hat service command has a problem. It does seem to remove the running process; however, it produces errors.  Further, it fails to remove the PID from the (/var/run/appxd-8060.pid)
    /etc/init.d/appxd-8060: line 39: success: command not found
    /etc/init.d/appxd-8060: line 39: failure: command not found
    /etc/init.d/appxd-8060: line 43: failure: command not found
  2. The setuid warning message is display every time a configuration is loaded or saved.  This results in the message being displayed up to three times depending on the command being executed. Perhaps it should only be displayed when a configuration is saved.
  3. The setuid warning indicates that it is triggered by the OSUser AuthenticationMethod. AuthenticationMethod is not influenced by the setuid bit being turned on. However, ImpersonateUser is impacted.

Enhancement Suggestons:

 
  1. To match the Windows platform, he following should be valid syntax: "appxLoginMgr -install". It should default to port 8060, or the Windows platform should not default to port 8060.
  2. In an effort to make appxdsvc and uappxd (appxLoginMgr) as similar as possible, consider allowing -status as a single argument that would list all appxLoginMgr daemons. (Perhaps this isn't practical on Unix platforms)
  3. APPX_KEYMAP environment variable should be initialized upon default install options. Currently "appxLoginMgr -install -SockPort=8060" does not place APPX_KEYMAP into appxLoginMgr-8060.env.
  4. appxLoginMgr should create .ini and .env files in the tools subdirectory, and not in the current working directory.
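Review bot: issue 3 is the security-relevant item here and is correct, but the fix it implies should be stated: the warning text "for the authentication method that you have chosen (OS-User)" should name ImpersonateUser instead, since that is the parameter whose effect the setuid bit overrides. For issue 1, "success: command not found" and "failure: command not found" from /etc/init.d/appxd-8060 are the usual symptoms of an init script that calls the Red Hat status helpers without sourcing /etc/init.d/functions (or /etc/rc.d/init.d/functions) first; the stale /var/run/appxd-8060.pid is a separate defect in the stop action and should be listed as such. Typos: "Enhancement Suggestons", "he following should be valid syntax", "inconsistant". Enhancement 4 (write the .ini and .env files into the tools directory, not the current working directory) also removes the main cause of the "do not move configuration files" limitation this revision adds below, and the two entries should cross-reference each other.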
Changed:
<
<
  1. The appxLoginMgr -replace argument should require the -ServiceName option, and not assume ServiceName =appxd-8060.
>
>
  1. The appxLoginMgr -replace argument should require the -ServiceName option, and not assume ServiceName =appxd-8060.
 
  1. The requirements for use of -name argument seem inconsistant. Below are examples where + works, and - does not.
    1. (-) ./appxLoginMgr -modify appxd-8060 -TCPNodelay=false

    2. (+) ./appxLoginMgr -modify -name=appxd-8060 -TCPNodelay=false
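Review bot: the Changed block for the -replace item has identical before and after text apart from whitespace, so it records no change, but the item deserves a security framing: a -replace that assumes ServiceName=appxd-8060 when -ServiceName is omitted can silently overwrite the configuration of a service the operator did not intend to touch, including its SSL settings, so requiring the option (as the item suggests) is the right behaviour and the tool should refuse rather than default. The -name examples also show that "-status appxd-8060" is accepted while "-modify appxd-8060" is not; the page should state which spelling is the supported one rather than leaving readers to find out by trial.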
Line: 629 to 611
 
    1. (-) ./appxLoginMgr -status
    2. (+) ./appxLoginMgr -status appxd-8060
    3. (+) ./appxLoginMgr -status -name=8060
Changed:
<
<

Issues:

  1. The stop option of the Red Hat service command has a problem. It does seem to remove the running process; however, it produces errors.  Further, it fails to remove the PID from the (/var/run/appxd-8060.pid)

/etc/init.d/appxd-8060: line 39: success: command not found

/etc/init.d/appxd-8060: line 39: failure: command not found

/etc/init.d/appxd-8060: line 43: failure: command not found

RequireSSL - Not Implemented. Do not Use.

  1. true
  2. false

RequireSSLClientCertificates

  1. True - Connecting clients must have client side SSL certificates.
  2. False - This is the default option. Connecting clients do not need to have client side SSL certificates.

ServerCertificateFile - This is the server's SSL public certificate

  1. The pathname of server's X509 certificate (leave blank for anonymous connections). An example is ServerCertificateFile =/usr/local/appx/tools/tubes.internal.appx.com.crt

ServerPrivateKeyFile - This is the server's SSL private server key

  1. Pathname of server's private key file (unlocks the ServerCertificateFile). An example is ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key

ServerPrivateKeyPassphrase

  1. Passphrase that unlocks ServerPrivateKeyFile

SSLMode

  1. Enabled #SSL connection type (optional, required, disabled)
  2. Disabled
  3. Optional

TrustedCAFile = #determines which client certificates to trust

How to create a server's SSL private server key and server's SSL public certificate from the Unix/Linux command line with the openssl tool.

Create new private/public-keys without passphrase for server

*openssl genrsa -out tubes.internal.appx.com.private.key 1024*

Create server's SSL public certificate

*openssl req -new         -days 365         -key tubes.internal.appx.com.private.key         -x509         -out tubes.internal.appx.com.crt*

Limitations:

>
>
  1. Warn users not to move configuration files. A service script is created in the /etc/init.d system directory for each service installed by running the appxLoginMgr command.  These scripts reference the corresponding service configuration files using a fully qualified absolute pathname.  If you move the configuration files to another directory or rename them, the service scripts will no longer work. We should probably warn via screen notice on service creation, and document inside the .ini and .env files that if the .ini, .env and appxLoginMgr/appxAuditLogger are move or renamed, then the /etc/init.d system startup script will fail to work. The service scripts also reference the appxLoginMgr command using a fully qualified absolute pathname.

  2. RequireSSL is not a valid parameter and should be removed from the configuration file.

  3. RequireSSLClientCertificates is not a valid parameter and should be removed from the configuratoin file.

  4. ServerPrivateKeyPassphrase is not a valid parameter and should be removed from the configuration file.

 

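Review bot: declaring RequireSSLClientCertificates "not a valid parameter" (item 3) removes the only documented way to make client certificates mandatory, yet the TrustedCAFile help changed earlier in this same revision still says "leave blank if client certificates are not required"; the page needs one sentence stating what governs that now, i.e. whether setting TrustedCAFile by itself makes a client certificate mandatory, merely enables verification when one is presented, or whether client-certificate authentication is currently unsupported. Item 4 (ServerPrivateKeyPassphrase not valid) means the server key must be stored unencrypted, which matches the openssl genrsa example; say so explicitly and state the required ownership and permissions for ServerPrivateKeyFile. Item 1 mixes operator guidance with an internal to-do ("We should probably warn via screen notice ... and document inside the .ini and .env files"); move the to-do to the Enhancement Suggestions list and keep the Limitations entry as a plain warning. Typo: "configuratoin". The removed SSLMode block (Enabled/Disabled/Optional) is not re-added anywhere in this hunk; confirm it is still covered by the option list further up (the "disabled - APPX clients may only request a plain text connection" line suggests it is) before dropping it here.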