Difference: APPXLoginManagerForUnixLinux (59 vs. 60)

Revision 60 - 2009-12-08 - JeanNeron

Line: 1 to 1
 
META TOPICPARENT name="APPX500Features"

APPX Login Manager For Unix/Linux

Deleted:
<
<
This page describes how to install the APPX Login Manager command and how to use it to install, configure, and manage APPX Login Services on Unix/Linux systems.
 
Added:
>
>
This page describes how to install the APPX Login Manager command and how to use it to install, configure, and manage APPX Login Services on Unix/Linux systems.
 

The APPX Login Manager command is used to configure and manage APPX Login Services.

Line: 21 to 21
 
    • O/S Authentication
    • HT Authentication
    • APPX Authentication
Changed:
<
<
  • User & Group Impersonation (Unix/Linux only)
>
>
  • User & Group Impersonation (Unix/Linux only)
 
  • SSL Support
    • Anonymous
    • Server Certficates
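
Review bot: "Server Certficates" in the SSL Support list is misspelled on a context line of this hunk; it should read "Server Certificates".
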
Line: 34 to 34
 
    • Service configuration
    • Client request
Changed:
<
<

Installing the APPX Login Manager Command ( appxLoginMgr)

The APPX Login Manager ( appxLoginMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxLoginMgr command. So, there is nothing additional that you need to do to install the appxLoginMgr command. However, after you install APPX, you will need to run the appxLoginMgr command to configure and start an instance of the APPX Connection Service before any remote client connections may be established.
>
>

Installing the APPX Login Manager Command ( appxLoginMgr)

 
Changed:
<
<
The appxLoginMgr command is installed into the "tools" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxLoginMgr command will be "/usr/local/appx/tools/appxLoginMgr".
>
>
The APPX Login Manager ( appxLoginMgr) command is installed automatically when you install APPX on your system. The installer sets the necessary owner and group permissions for the appxLoginMgr command. So, there is nothing additional that you need to do to install the appxLoginMgr command. As part of installing APPX, you are given the opportunity to start the connection service. If you did not do this, then you will need to run the appxLoginMgr command to configure and start an instance of the APPX Connection Service before any remote client connections may be established.

The appxLoginMgr command is installed into the "services" subdirectory of the directory where you installed APPX. So, if you installed APPX in "/usr/local/appx", the full pathname of the appxLoginMgr command will be "/usr/local/appx/services/appxLoginMgr".

  The appxLoginMgr command must run with the permissions of the root user because it will be spawning appx processes running as each logged in user. Therefore, the owner of the appxLoginMgr command should be the root user and the SUID bit should be set so that the appxLoginMgr command can be run by users other than root but still be run with the permissions of root.

In the event that it is necessary to reset the permissions on the appxLoginMgr command, the following commands can be run by the root user to set the necessary owner and group permissions for the appxLoginMgr command.

Changed:
<
<

cd /usr/local/appx/tools

>
>

cd /usr/local/appx/tools

 chown root appxLoginMgr chgrp appxgrp appxLoginMgr chmod 4775 appxLoginMgr
Changed:
<
<
>
>

  You can check the permissions of the appxLoginMgr command by running the following command:
Changed:
<
<
ls -l appxLoginMgr
>
>
ls -l appxLoginMgr
  The recommended permissions should be as follows:
Changed:
<
<
-rwsrwxr-x 1 root root    636843 Jul 11 07:31 appxLoginMgr
>
>
-rwsrwxr-x 1 root root    636843 Jul 11 07:31 appxLoginMgr
 

Creating and Configuring an APPX Connection Service

Added:
>
>
 On Unix/Linux systems, an instance of the APPX Connection Service is initially created, configured, and started by running the appxLoginMgr command with the -install option. At least one appropriately configured instance of the APPX Connection Service must be created, configured, and started before a remote APPX Client can initiate an APPX session. You may create, configure, and start as many different instances of the APPX Connection Service as you desire. However, each concurrently running instance must be configured to listen for connection requests on a different TCP/IP port.

Creating a Connection Service
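
Review bot: the permission-reset commands in this hunk still run "cd /usr/local/appx/tools", but the rewritten paragraph just above them now says appxLoginMgr is installed in the "services" subdirectory (/usr/local/appx/services/appxLoginMgr); the cd line should be updated so that chown, chgrp and chmod act on the installed binary. Two further points in the same block: "chgrp appxgrp" does not match the recommended ls -l output, which shows owner and group as "root root", and "chmod 4775" leaves a root-owned SUID binary group-writable, so 4755 is worth considering unless group write is actually required.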

Line: 85 to 80
  Each instance of an APPX Connection Service must have a unique name. When creating an instance of a service, the -name option may be used to specify the name that you want the service to have. If you do not specify a name, a name will be assigned for you for example, appxd-8060.

TCP/IP Port Number

Changed:
<
<
When creating an instance of an APPX Connection Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for connection requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Login Manager Service. However, as a matter of convention, most APPX administrators configure the APPX Connection Service to listen for connections on port 8060. If additional instances of the APPX Login Manager are configured, each instance is typically assigned the next available port number after 8060.
>
>
When creating an instance of an APPX Connection Service, the -SockPort option must be used to specify the TCP/IP port number on which the service is to listen for connection requests. Any available TCP/IP port number may be specified when installing an instance of the APPX Login Manager Service. However, as a matter of convention, most APPX administrators configure the APPX Connection Service to listen for connections on port 8060. If additional instances of the APPX Login Manager are configured, each instance is typically assigned the next available port number after 8060.
 

Changing a Connection Service

Added:
>
>
 Two methods are available for modifying an existing instance of an APPX Connection Service.

Method 1 - The APPX Login Manager Command (appxLoginMgr)
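
Review bot: the TCP/IP Port Number paragraph uses "APPX Connection Service", "APPX Login Manager Service" and "APPX Login Manager" for what reads as the same service instance; pick one term so it is clear that -SockPort applies to each Connection Service instance. In the service-name paragraph above it, "a name will be assigned for you for example, appxd-8060" needs a comma or dash before "for example".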

Line: 101 to 98
 The appxLoginMgr command can be used to manage an instance of the APPX Connection Service. The appxLoginMgr command can be used to start, stop, restart, or display the status of an instance of an APPX Connection Service.

Method 2 - O/S Services

Changed:
<
<
Your operating system includes commands or programs that can be used to manage services. APPX Connection Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the command line tool service .
[root@tubes tools]# service appxd-8060 status

>
>
Your operating system includes commands or programs that can be used to manage services. APPX Connection Services can be managed with these tools. The actual commands and programs vary depending on your operating system. Red Hat uses the command line tool service

.

[root@tubes tools]# service appxd-8060 status

 up and running (process 13893 servicing port 8060)
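
Review bot: in the Method 2 paragraph the new text ends at "service" and leaves the sentence's period on a line of its own, where the old text had "service ." on one line; rejoin the period to the sentence. The sample prompt "[root@tubes tools]#" also shows the tools directory, which no longer matches the "services" install location this revision introduces.
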
Line: 131 to 130
  The second form of the -install command requires only that a TCP/IP port be specified. All other options are optional including the ServiceName. Any option not specified will be configured with an appropriate default value.
Changed:
<
<
Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
>
>
Both forms of the -install command allow additional configuration options to be specified. The configuration options specified are stored in the service configuration file (ini).
  Both forms of the -install command optionally allow values to be specified for environment variables. If specified, the environment variables and their values are stored in the environment configuration file (env). The environment variables in the environment configuration file will be set for any APPX sessions which are started by the connection service.

In addition to creating the service configuration file and the environment configuration file, the -install command also creates an operating system service that will be automatically started when the computer system is started.

Changed:
<
<
After creating the configuration files and the operating system service, the -install command starts the service. -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...
>
>
After creating the configuration files and the operating system service, the -install command starts the service. -modify -name=SERVICENAME [options]... [VARIABLE=VALUE]...
  The -modify command is used to modify the configuration of an existing Connection Service. The specified options will be updated in the service configuration files. Any options not specified will not be changed. After updating the configuration files, the -modify command restarts the service.

Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as SSLmode, or without a dash if you are referring to environment variables, such as APPX_KEYMAP.

Changed:
<
<
Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables.  Any comments that may have been manually added to these configuration files are not preserved.
>
>
Note that the -modify command updates the service configuration file and the environment configuration file by removing the old files and creating new files with the updated options and environment variables. Any comments that may have been manually added to these configuration files are not preserved.
  -replace -name=SERVICENAME [options]... [VARIABLE=VALUE]...
The -replace command is used to replace an existing Connection Service with a new Connection Service with the same name. The -replace command is effectively the same as a -remove command followed by an -install command. After updating the configuration files, the -replace command restarts the service. Note that when specifying variables on the command line, you must prefix them with a dash if you are referring to settings such as SSLmode, or without a dash if you are referring to environment variables, such as APPX_KEYMAP.
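
Review bot: the "-modify -name=SERVICENAME [options]... [VARIABLE=VALUE]..." synopsis is run onto the end of the -install paragraph ("...the -install command starts the service. -modify ...") on both sides of this change; it should start its own line, as the -replace synopsis does, so the command form can be found. The sentence about prefixing settings such as SSLmode with a dash appears under -modify and again at the end of the -replace paragraph; one shared statement would be enough.
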
Line: 154 to 155
 

Configuration - Options

Options - General
Changed:
<
<
-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX connection service. When creating (installing) a connection service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when a connection service is being created, the connection service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
>
>
-name, -ServiceName=SERVICENAME
The ServiceName uniquely identifies an APPX connection service. When creating (installing) a connection service, the SERVICENAME value may be any string value that conforms to the rules for valid filenames on your server. If this option is omitted when a connection service is being created, the connection service will be created with a default ServiceName based on the following template: "appxd-" followed by the specified TCP/IP port number, e.g "appxd-8060".
  -DisplayName=DISPLAYNAME
The DisplayName is a "user-friendly" descriptive name for a connection service. The DISPLAYNAME value will appear in your system's Services control panel and will be displayed by the ps command. If you don't specify a DISPLAYNAME when a connection service is being created, the connection service will be created with a DISPLAYNAME based on the SERVICENAME.
Changed:
<
<
-engine, -AppxExecutable={../appx, PATHNAME}
>
>
-engine, -AppxExecutable={../appx, PATHNAME}
 
This option identifies the PATHNAME of the APPX engine that is to be run when initiating an APPX session. The specified PATHNAME may be alsolute or it may be relative to directory in which the service configuration file (ini) for the connection service is located. If this option is not specified, the default PATHNAME of "../appx" is used to initiate an APPX session.
Changed:
<
<
-LogDirectory={/tmp, LOGDIR}
>
>
-LogDirectory={/tmp, LOGDIR}
 
When the service is started, two log files are created in the LOGDIR directory - a connection service log file (.log) and a status file (.stat). Both log files have the same name as the ServiceName but one has a file extension of .log and the other has a file extension of .stat. If the LogDirectory option is not specified, the log files are created in the /tmp directory.
Changed:
<
<
-AM, -AuthenticationMethod={OS-User, Appx-User, HT-User(HTFILENAME)}
This option identifies the method by which the user ID and the password are to be validated when a connection request is received. If 'OS-User' authentication is specified, the user ID and the password are validated by the connection service using the operating system's authentication service. If 'Appx-User' authentication is specified, the user ID and the password are validated by APPX using the user file which is maintained in APPX System Administration. If 'HT-User(HTFILENAME)' authentication is specified, the user ID and the password are validated by the connection service using the HTFILENAME file is maintained with the htpasswd utility. If you specify 'Appx-User' authentication or HT-User authentication, the user being validated does not need an OS user account. If no authentication method is specified, the default authentication method is OS-User.
>
>
-AM, -AuthenticationMethod={OS-User, Appx-User, HT-User(HTFILENAME)}
This option identifies the method by which the user ID and the password are to be validated when a connection request is received. If 'OS-User' authentication is specified, the user ID and the password are validated by the connection service using the operating system's authentication service. If 'Appx-User' authentication is specified, the user ID and the password are validated by APPX using the user file which is maintained in APPX System Administration. If 'HT-User(HTFILENAME)' authentication is specified, the user ID and the password are validated by the connection service using the HTFILENAME file is maintained with the htpasswd utility. If you specify 'Appx-User' authentication or HT-User authentication, the user being validated does not need an OS user account. If no authentication method is specified, the default authentication method is OS-User.
  -ServiceType=Login
Changed:
<
<
The only valid value when configuring a Connection Service is "Login". If this option is not specified, the default value is Login.
>
>
The only valid value when configuring a Connection Service is "Login". If this option is not specified, the default value is Login.
 
Changed:
<
<
-ServiceDisable={true, false}
>
>
-ServiceDisable={true, false}
 
This option can be used to temporarily disable or "turn off" the connection service. If set to true, the connection service will still run but it will not accept login requests.
Changed:
<
<
-ServiceDisableLogin={true, false}
>
>
-ServiceDisableLogin={true, false}
 
This option can be used to disable or "turn off" processing of login requests from interactive clients. If set to true, login requests from interactive clients will not be processed.
Changed:
<
<
-ServiceDisableFMS={true, false}
>
>
-ServiceDisableFMS={true, false}
 
This option can be used to disable or "turn off" processing of connection requests from APPX/Net connections including the Windows APPX/ODBC driver. If set to true, connection requests from APPX/Net clients will not be processed.
Changed:
<
<
-ServiceDisableAppxKeys={true, false}
>
>
-ServiceDisableAppxKeys={true, false}
 
This option can be used to disable the ability to define an APPX keymap. If set to true, those interactive clients which support the ability to define an APPX keymap will not be allowed to do so.

-initScript={lsb, RedHat}
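
Review bot: the -LogDirectory entry documents /tmp as the default location for the .log and .stat files and gives no guidance, although the page states that appxLoginMgr runs with root permissions and /tmp is writable by every local user; add a sentence recommending a dedicated LOGDIR that only the service owner can write to. Also in this hunk, "alsolute" in the -engine description should be "absolute", and the HT-User sentence is missing a word: "using the HTFILENAME file, which is maintained with the htpasswd utility".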

Line: 186 to 186
  -initScript={lsb, RedHat}
Used with -install option to specify the type of operating system that the service script is to be created for. If this option is not specified, appxLoginMgr will determine which type of service script to install.
Added:
>
>
 
Options - Session Identity/Permissions
Changed:
<
<
-ImpersonateUID={true, false}
If this value is set to false, an APPX session which is initiated by the connection service will run as the user of the connection ServiceOwner. Set this value to true if you want the APPX session to run with the permissions of a user (impersonate) other than the user of the connection service. If this value is set to true, then the ImpersonateUser option determines which user the APPX session should impersonate.
>
>
-ImpersonateUID={true, false}
If this value is set to false, an APPX session which is initiated by the connection service will run as the user of the connection ServiceOwner. Set this value to true if you want the APPX session to run with the permissions of a user (impersonate) other than the user of the connection service. If this value is set to true, then the ImpersonateUser option determines which user the APPX session should impersonate.
 
Changed:
<
<
-ImpersonateUser={LogonUser, NamedUser(USERID), ServiceOwner}
>
>
-ImpersonateUser={LogonUser, NamedUser(USERID), ServiceOwner}
 
This option determines which O/S user the APPX session should impersonate (run as).

If LogonUser is specified, the user ID of the APPX session will be set to the user ID that was provided by the client login. This user ID must be a valid O/S user. The connection service must be running with the permissions of the root user if the LogonUser option is specified.

If NamedUser is specified, the user ID of the APPX session will be set to the specified USERID. This USERID must be a valid O/S user. The connection service must be running with the permissions of the root user if the NamedUser option is specified.

Changed:
<
<
If ServiceOwner is specified, the user ID of the APPX session will be the user ID that the connection service is running as.
>
>
If ServiceOwner is specified, the user ID of the APPX session will be the user ID that the connection service is running as.
 
Changed:
<
<
-ImpersonateGID={true, false}
>
>
-ImpersonateGID={true, false}
 
If this value is set to false, an APPX session which is initiated by the connection service will run with the group permissions of the connection ServiceOwner. Set this value to true if you want the APPX session to have group permissions based on the ImpersonateGroup option.
Changed:
<
<
-ImpersonateGroup={User, LogonUser, LogonGroup, NamedGroup(GROUPNAME), ServiceOwner, ServiceGroup}
>
>
-ImpersonateGroup={User, LogonUser, LogonGroup, NamedGroup(GROUPNAME), ServiceOwner, ServiceGroup}
 
This option determines which group permissions the APPX session should run with.

If User is specified, the APPX session will run with the group permissions of the user that the session is running as (impersonating).
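
Review bot: none of -ImpersonateUID, -ImpersonateUser, -ImpersonateGID or -ImpersonateGroup states its default in this hunk, unlike -AuthenticationMethod and -ServiceType earlier on the page; because these options decide which account and group a session runs as, each entry should say what applies when the option is omitted. The LogonUser and NamedUser paragraphs require "a valid O/S user" but do not say what happens to a login whose user ID is not one, which matters when Appx-User or HT-User authentication is selected.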

Line: 211 to 212
  If NamedGroup is specified, the group permissions of the APPX session will be set to the specified GROUPNAME. This GROUPNAME must be a valid O/S group.
Changed:
<
<
If ServiceOwner or ServiceGroup is specified.
>
>
If ServiceOwner or ServiceGroup is specified.
  -Umask=FILECREATIONMASK
When a file is created, the default permissions set by Unix/Linux are 666 (-rw-rw-rw-). When a directory is created, the default permissions set by Unix/Linux are 777 (drwxrwxrwx). If the umask option is specified, the FILECREATIONMASK value will modify the default permissions of files or directories that are created by the APPX session. The value of FILECREATIONMASK must be a decimal, hex, or octal number whose bits will be used to mask or turn off the corresonding bits of the default file creation permissions. For example, if you want files to be created with permissions of 644, the appropriate FILECREATIONMASK value would be 022 (octal). If you want files to be created with the default permissions of 666, the appropriate FILECREATIONMASK value would be 000 (octal). For more information on umask values, please refer to your Unix/Linux system documentation.
Changed:
<
<
If the umask option is not set, files and directories that are created by the APPX session will be given the default permissions of the Service Owner. -IncludeSystemEnv={true, false}
Set this option to true if you want the APPX sessions which are initiated by the connection service to inherit the environment of the connection service.
>
>
If the umask option is not set, files and directories that are created by the APPX session will be given the default permissions of the Service Owner. -IncludeSystemEnv={true, false}
Set this option to true if you want the APPX sessions which are initiated by the connection service to inherit the environment of the connection service.
 
Options - Startup Process
Changed:
<
<
-ServiceEnableCmds={true, false}
Set this option to true if you want to allow the client to specify a startup process. Set this option to false if you do not want to allow the client to specify a startup process. If set to true, then any APPX startup process that may have been specified by the client will be invoked when the connection with the APPX session is established. If set to true, then any startup process that is specified by the client will take precedence over any startup process that may have been specified in the connection service configuration. If the option is not specified, the default value is true.
>
>
-ServiceEnableCmds={true, false}
Set this option to true if you want to allow the client to specify a startup process. Set this option to false if you do not want to allow the client to specify a startup process. If set to true, then any APPX startup process that may have been specified by the client will be invoked when the connection with the APPX session is established. If set to true, then any startup process that is specified by the client will take precedence over any startup process that may have been specified in the connection service configuration. If the option is not specified, the default value is true.
  -AppxDatabase=DATABASEID
This option must be specified if the connection service is being configured to invoke a specific startup process when a client session is initiated. If specified, the DATABASEID must be valid, i.e. it must be defined in the Databases file in APPX System Administration.
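
Review bot: "If ServiceOwner or ServiceGroup is specified." is an unfinished sentence on both sides of this change and never says which group permissions the session receives; complete it. In the same hunk the "-IncludeSystemEnv={true, false}" option name is run onto the end of the umask paragraph and should start its own line, "corresonding" should be "corresponding", and the -ServiceEnableCmds entry would benefit from a sentence on when to set it to false, since its documented default of true lets a client-supplied startup process take precedence over the configured one.
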
Line: 233 to 235
  -AppxProcessName=PROCESSNAME
This option must be specified if the connection service is being configured to invoke a specific startup process when a client session is initiated. This option identifies the name of the process that is to be invoked when a client session is initiated. The PROCESSNAME must be of the type specified and must be defined in the specified APPX Application.
Added:
>
>
 
Options - TCP/IP
Changed:
<
<
-port, -SockPort={8060, PORT}
Configure the service to listen for connection requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
>
>
-port, -SockPort={8060, PORT}
Configure the service to listen for connection requests on the specified TCP/IP PORT number. This option is required with the -install option. You may choose any TCP/IP PORT number that is not reserved or already being used on your system.
 
Changed:
<
<
-TCPNoDelay={true, false}
>
>
-TCPNoDelay={true, false}
 
This option is used to tune the network performance of the APPX session. When set to true, TCP will send partially filled packets of data rather than wait for a packet to fill before sending it. This can result in improved interactive response time for the APPX session but will likely increase the number of data packets being transmitted over the network.
Changed:
<
<
-TCPEnableKeepAlive={true, false}
>
>
-TCPEnableKeepAlive={true, false}
 
Set this option to true if you want an APPX session to be able to detect that the connection between an APPX session and an APPX client has been lost. If this option is set to true and an APPX session has been waiting for a response from an APPX client for the length of time specified by TCPKeepIdle, then the APPX session will attempt to contact the APPX client to see if it can still be reached. If the APPX client cannot be contacted, then the APPX session will attempt to contact the APPX client every TCPKeepInterval seconds up to TCPKeepCount times. After TCPKeepCount attempts, if the APPX client is unable to be contacted, then the APPX session terminates.
Changed:
<
<
-TCPKeepIdle={300, SECONDS}
>
>
-TCPKeepIdle={300, SECONDS}
 
This option is used to set the number of seconds that an APPX session is to wait for a response from an APPX client before checking to see if the client can still be contacted.
Changed:
<
<
-TCPKeepCount={8, COUNT}
>
>
-TCPKeepCount={8, COUNT}
 
This option is used to set the number of times that an APPX session is to attempt to contact a non-responsive APPX client before the APPX session should terminate.
Changed:
<
<
-TCPKeepInterval={60, SECONDS}
>
>
-TCPKeepInterval={60, SECONDS}
 
This option is used to set the number of seconds that an APPX session is to wait between attemps to contact a non-responsive APPX client.
Added:
>
>
 
Options - SSL
Changed:
<
<
-SSLMode={optional, required, disabled}
This option is used to control whether or not APPX clients must use SSL connections.
optional - APPX clients may request either an SSL connection or a plain text connection
>
>
-SSLMode={optional, required, disabled}
This option is used to control whether or not APPX clients must use SSL connections.
optional - APPX clients may request either an SSL connection or a plain text connection
  required - APPX clients must request an SSL connection
Changed:
<
<
disabled - APPX clients may only request a plain text connection
>
>
disabled - APPX clients may only request a plain text connection
  -TrustedCAFile=CAFILENAME
This option identifies the pathname of the file that identifies which client certificates to trust (leave blank if client certificates are not required).
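
Review bot: the -SSLMode entry lists optional, required and disabled but does not say which one applies when the option is omitted; state the default, since it determines whether plain text connections are accepted. "attemps" in the -TCPKeepInterval description should be "attempts".
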
Line: 270 to 273
 -ServerPrivateKeyFile=KEYFILENAME
This option idenfies the pathname of server's private key file (unlocks the ServerCertificateFile).
Changed:
<
<
-RequireSSL={true, false}
>
>
-RequireSSL={true, false}
 
This option is not needed and has not been implemented.
Changed:
<
<
-RequireSSLClientCertificates={true, false}
>
>
-RequireSSLClientCertificates={true, false}
 
This option is not needed and has not been implemented.

-ServerPrivateKeyPassphrase=PASSPHRASE
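
Review bot: "idenfies" in the -ServerPrivateKeyFile description should be "identifies", and "the pathname of server's private key file" needs "the" before "server's". -RequireSSL and -RequireSSLClientCertificates are described only as "not needed and has not been implemented"; either say which options cover the same need (-SSLMode and -TrustedCAFile, if that is the intent) or remove the entries so readers do not try to set them.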

Line: 278 to 281
  -ServerPrivateKeyPassphrase=PASSPHRASE
This option is not needed and has not been implemented.
Added:
>
>
 

Configuration - Environment Variables

Changed:
<
<
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created and will be given to the environment of the appx sessions that are started by the Login Manager. Note that when specifying variables on the command line, you do not prefix them with a dash if you are referring to environment variables.
>
>
VARIABLE=VALUE
You can include a space-separated list of environment variables at the end of the command line when you use the -install option. These environment variables will be saved in the env file that is created and will be given to the environment of the appx sessions that are started by the Login Manager. Note that when specifying variables on the command line, you do not prefix them with a dash if you are referring to environment variables.
 

Synopsis - Service Management

appxLoginMgr [-start | -stop | -restart | -status] {SERVICENAME | -serviceName=SERVICENAME}

MANAGEMENT OPTIONS

Changed:
<
<
-start | < blank >
Start an instance of the Login Manager service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
>
>
-start | < blank >
Start an instance of the Login Manager service using the configuration information in the SERVICENAME.ini and the SERVICENAME.env files.
  -stop
Changed:
<
<
Stop the instance of the Login Manager service that was started with the SERVICENAME.ini file.
>
>
Stop the instance of the Login Manager service that was started with the SERVICENAME.ini file.
  -restart
Changed:
<
<
Restart (stop and then start) the instance of the Login Manager that was started with the SERVICENAME.ini file.
>
>
Restart (stop and then start) the instance of the Login Manager that was started with the SERVICENAME.ini file.
  -status
Changed:
<
<
Report the status of the instance of the Login Manager that was started with the SERVICENAME.ini file.
>
>
Report the status of the instance of the Login Manager that was started with the SERVICENAME.ini file.
  EXAMPLES

Example 1: Configure and start a new instance of the Connection Service that will listen for connection requests on port 8060:

appxLoginMgr -install -port=8060

Changed:
<
<
Warning - the engine that you named has the setuid bit enabled

>
>
Warning - the engine that you named has the setuid bit enabled

 you may not want that bit set for the authentication method that you have chosen (OS-User) To turn off the setuid bit, chmod u-s ../appx Configuration written to: appxd-8060.ini
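
Review bot: the sample output for Example 1 has collapsed onto one line: the second line of the setuid warning, the "chmod u-s ../appx" hint and "Configuration written to: appxd-8060.ini" run together. Restore one output line per line in a verbatim block so the warning and the hint can be read as printed.
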
Line: 340 to 342
 The configuration file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the configuration file to reside. For example, if you want the configuration file to be created in the APPX tools directory, you should change to the tools directory before you run the appxLoginMgr command.

The name of the configuration file and the location of the configuration file should not be changed. The service that is created will not work correctly if the name or the location of the configuration file is changed.

Changed:
<
<
# Appx connection manager configuration file

>
>
# Appx connection manager configuration file

 # # You can change this file by hand, or # use the uappxd program for better results
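
Review bot: the configuration-file paragraph in this hunk still gives "the APPX tools directory" as its example location, while this revision changes the stated install location of appxLoginMgr to the "services" subdirectory; confirm which directory is intended and update the example to match. The sample file's comment lines are also run together ("# # You can change this file by hand, or # use the uappxd program ...") and should be shown one comment per line.
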
Line: 392 to 392
 # TCPNoDelay = true #disable TCP packet filling delay? # TrustedCAFile = #determines which client certificates to trust # Umask = #umask (file creation mask) given to spawned engines
Changed:
<
<
>
>
 

The Environment File (env)

Added:
>
>
 Each instance of an APPX Connection Service has an environment file that is used to store the environment variables relating to that specific instance of the connection service. The environment variables in the environment file are inherited by each APPX session that is started by the APPX Connection Service.

The -install option of the appxLoginMgr command creates the environment file when the service is created.

Line: 404 to 405
 The environment file is created in whichever directory is your current directory at the time that the appxLoginMgr command is run to create the service. Therefore, before you run the appxLoginMgr command to create a service, you must first change to the directory where you want the environment file to reside. For example, if you want the environment file to be created in the APPX tools directory, you should change to the tools directory before you run the appxLoginMgr command.

The name of the environment file and the location of the environment file should not be changed. The service that is created will not work correctly if the name or the location of the environment file is changed.

Changed:
<
<
# Appx connection manager environment variables

>
>
# Appx connection manager environment variables

 # # The entries in this file will become # environment variables in the engines
Line: 419 to 418
 # letter case IS important in this file # -------------------------------------------------- APPX_KEYMAP=WINDOWS
Changed:
<
<
>
>
 

The Status File (stat)

Added:
>
>
 When an APPX Connection Service is started, a status file is created in the specified LogDirectory. If a LogDirectory was not specified, then the status file is created in the /tmp directory.

The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxd-8430", the name of the status file will be "appxd-8430.stat".
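Review bot: The status-file paragraph in this hunk documents /tmp as the fallback when LogDirectory is not set, and the file name is predictable from the service name ("appxd-8430.stat"). The sample status output shows the service running with effective user ID 0, and the file lists configuration values and environment variables, so the text should recommend setting LogDirectory to a directory that only the service account can write to instead of presenting the shared /tmp default without comment. The same applies to the log file section, which uses the same fallback.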

Line: 427 to 427
 The name of the status file is the concatenation of the service name and ".stat". For example, if the service name is "appxd-8430", the name of the status file will be "appxd-8430.stat".

The status file can be viewed to see the actual context within which the service is running.

Changed:
<
<
appxd-8430 running as process 28192

>
>
appxd-8430 running as process 28192

 Effective User ID 0 Real User ID 0 Configuration values follow
Line: 477 to 475
 Umask = Environment variables follow APPX_KEYMAP = WINDOWS
Changed:
<
<
>
>
 

The Log File (log)

Added:
>
>
 When an APPX Connection Service is started, a log file is created in the specified LogDirectory. If a LogDirectory was not specified, then the log file is created in the /tmp directory.

The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxd-8430", the name of the log file will be "appxd-8430.log".

Line: 485 to 484
 The name of the log file is the concatenation of the service name and ".log". For example, if the service name is "appxd-8430", the name of the log file will be "appxd-8430.log".

When the connection service is started, the log file is initialized with the configuration of the connection service. The configuration information is followed by a dialog of messages relating to actions performed by the connection service. Each time the connection service processes a connection request, messages relating to the connection request are appended to the log file.

Changed:
<
<
*Daemonize = true

>
>
*Daemonize = true

 *DontForkEngine = false *InitScriptStyle = *SleepAfterFork =
Line: 533 to 530
 CAppxD::Run starting handleClients - starting handleClients - waiting
Changed:
<
<
>
>
 

Red Hat service command.

Line: 543 to 539
 

Synopsis - service Command

Changed:
<
<
service [serviceName] [start|stop|restart|status]
>
>
service [serviceName] [start|stop|restart|status]
 

Examples:

How to create private/public-keys without passphrase for server

Line: 547 to 544
 

Examples:

How to create private/public-keys without passphrase for server

Added:
>
>
 Example of appxLoginMgr parameter to identify private key:
Changed:
<
<
ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key

>
>
ServerPrivateKeyFile =/usr/local/appx/tools/tubes.internal.appx.com.private.key

 

Example of openssl command to create private key:

Changed:
<
<
openssl genrsa -out tubes.internal.appx.com.private.key 1024

>
>
openssl genrsa -out tubes.internal.appx.com.private.key 1024

 
Changed:
<
<

How to create public SSL certificate for server

>
>

How to create public SSL certificate for server

 Example of appxLoginMgr parameter to identify SSL certificate:
Changed:
<
<
ServerCertificateFile =/usr/local/appx/tools/tubes.internal.appx.com.crt

>
>
ServerCertificateFile =/usr/local/appx/tools/tubes.internal.appx.com.crt

 

Example of openssl command to create SSL certificate:

Changed:
<
<
openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt

>
>
openssl req -new -days 365 -key tubes.internal.appx.com.private.key -x509 -out tubes.internal.appx.com.crt

 
Added:
>
>
 

Warnings:

"the engine that you named has the setuid bit enabled"

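Review bot: The key-generation example in this hunk (openssl genrsa ... 1024) produces a 1024-bit RSA key, which is too short for a server key; the example should use at least 2048 bits. The section heading says the key is created without a passphrase and the ServerPrivateKeyFile example places it in /usr/local/appx/tools, so the text should also tell the reader to restrict the file's permissions to the account that runs the service (for example chmod 600 on the .private.key file). The certificate example uses -x509 with -days 365, which yields a self-signed certificate that expires after a year; one sentence saying so would help readers plan for client trust and renewal.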
Line: 569 to 566
 

Warnings:

"the engine that you named has the setuid bit enabled"

Changed:
<
<
This warning message is displayed when you start a service and the engine specified for AppxExecutable has the setuid bit set.
>
>
This warning message is displayed when you start a service and the engine specified for AppxExecutable has the setuid bit set.
 
Changed:
<
<
When launching an APPX session, the APPX Login Manager sets the real user ID and the effective user ID of the APPX session based on the value specified for the ImpersonateUser parameter.  If the engine has the setuid bit set, then the effective user of the APPX session will be changed by the operating system to be the owner of the APPX engine and the APPX session will run with the permissions of that user.
>
>
When launching an APPX session, the APPX Login Manager sets the real user ID and the effective user ID of the APPX session based on the value specified for the ImpersonateUser parameter. If the engine has the setuid bit set, then the effective user of the APPX session will be changed by the operating system to be the owner of the APPX engine and the APPX session will run with the permissions of that user.
 
Changed:
<
<
Warning - the engine that you named has the setuid bit enabled, 

>
>
Warning - the engine that you named has the setuid bit enabled, 

 you may not want that bit set for the authentication method that you have chosen (OS-User) To turn off the setuid bit, chmod u-s ../appx
Changed:
<
<
>
>
 

Issues:

Changed:
<
<
  1. The stop option of the Red Hat service command has a problem. It does seem to remove the running process; however, it produces errors.  Further, it fails to remove the PID from the (/var/run/appxd-8060.pid)
    /etc/init.d/appxd-8060: line 39: success: command not found
    /etc/init.d/appxd-8060: line 39: failure: command not found
    /etc/init.d/appxd-8060: line 43: failure: command not found
  2. The setuid warning message is display every time a configuration is loaded or saved.  This results in the message being displayed up to three times depending on the command being executed. Perhaps it should only be displayed when a configuration is saved.
>
>
  1. The stop option of the Red Hat service command has a problem. It does seem to remove the running process; however, it produces errors. Further, it fails to remove the PID from the (/var/run/appxd-8060.pid)
    /etc/init.d/appxd-8060: line 39: success: command not found
    /etc/init.d/appxd-8060: line 39: failure: command not found
    /etc/init.d/appxd-8060: line 43: failure: command not found
  2. The setuid warning message is display every time a configuration is loaded or saved. This results in the message being displayed up to three times depending on the command being executed. Perhaps it should only be displayed when a configuration is saved.
 
  1. The setuid warning indicates that it is triggered by the OSUser AuthenticationMethod. AuthenticationMethod is not influenced by the setuid bit being turned on. However, ImpersonateUser is impacted.

Enhancement Suggestons:

  1. To match the Windows platform, he following should be valid syntax: "appxLoginMgr -install". It should default to port 8060, or the Windows platform should not default to port 8060.
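Review bot: The explanatory paragraph and the quoted warning text in this hunk disagree about what the setuid bit affects. The paragraph ties it to ImpersonateUser, while the warning cites "the authentication method that you have chosen (OS-User)", and the third Issues item already notes that ImpersonateUser is the affected setting. The paragraph should state the consequence directly: with the setuid bit set, sessions run with the engine owner's permissions instead of those of the user named in ImpersonateUser. The remedy that appears only inside the warning output (chmod u-s ../appx) belongs in the prose as well. Minor: the Issues list restarts its numbering at 1 for the third item, and "is display", "Suggestons" and "he following" are typos.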
Line: 593 to 587
 
  1. appxLoginMgr should create .ini and .env files in the tools subdirectory, and not in the current working directory.
  2. The appxLoginMgr -replace argument should require the -ServiceName option, and not assume ServiceName =appxd-8060.
  3. The requirements for use of -name argument seem inconsistant. Below are examples where + works, and - does not.
Changed:
<
<
    1. (-) ./appxLoginMgr -modify appxd-8060 -TCPNodelay=false

>
>
    1. (-) ./appxLoginMgr -modify appxd-8060 -TCPNodelay=false

 
    1. (+) ./appxLoginMgr -modify -name=appxd-8060 -TCPNodelay=false
    2. (-)./appxLoginMgr -status
    3. (+)./appxLoginMgr -status -name=appxd-8060
Line: 606 to 600
 
    1. (-) ./appxLoginMgr -status
    2. (+) ./appxLoginMgr -status appxd-8060
    3. (+) ./appxLoginMgr -status -name=8060
Changed:
<
<
  1. Warn users not to move configuration files. A service script is created in the /etc/init.d system directory for each service installed by running the appxLoginMgr command.  These scripts reference the corresponding service configuration files using a fully qualified absolute pathname.  If you move the configuration files to another directory or rename them, the service scripts will no longer work. We should probably warn via screen notice on service creation, and document inside the .ini and .env files that if the .ini, .env and appxLoginMgr/appxAuditLogger are move or renamed, then the /etc/init.d system startup script will fail to work. The service scripts also reference the appxLoginMgr command using a fully qualified absolute pathname.

  2. RequireSSL is not a valid parameter and should be removed from the configuration file.

  3. RequireSSLClientCertificates is not a valid parameter and should be removed from the configuratoin file.

  4. ServerPrivateKeyPassphrase is not a valid parameter and should be removed from the configuration file.

>
>
  1. Warn users not to move configuration files. A service script is created in the /etc/init.d system directory for each service installed by running the appxLoginMgr command. These scripts reference the corresponding service configuration files using a fully qualified absolute pathname. If you move the configuration files to another directory or rename them, the service scripts will no longer work. We should probably warn via screen notice on service creation, and document inside the .ini and .env files that if the .ini, .env and appxLoginMgr/appxAuditLogger are move or renamed, then the /etc/init.d system startup script will fail to work. The service scripts also reference the appxLoginMgr command using a fully qualified absolute pathname.

  2. RequireSSL is not a valid parameter and should be removed from the configuration file.

  3. RequireSSLClientCertificates is not a valid parameter and should be removed from the configuratoin file.

  4. ServerPrivateKeyPassphrase is not a valid parameter and should be removed from the configuration file.

 

Comments:

Added:
>
>
 Read what other users have said about this page or add your own comments.
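Review bot: The last three enhancement items in this hunk say RequireSSL, RequireSSLClientCertificates and ServerPrivateKeyPassphrase are "not a valid parameter" yet still appear in the configuration file, and the page does not say what the service does when one of them is set. Until they are removed, the text should state that explicitly so that nobody sets RequireSSL expecting it to enforce SSL. The private-key example should also say why the key is created without a passphrase, given that ServerPrivateKeyPassphrase is not available. Minor: "configuratoin" and "are move or renamed" are typos.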


 