Last modified 18/08/05 14:27:18

Mike Taylor Diary

Monday 1st Aug

Meeting with Ray Miller at OUCS:

Thursday 4th Aug

  1. Downloaded MIT Kerberos client file MITKerberosForWindows-2.6.5.exe
  2. Installed the above onto Statler.
    • Setup the Oxford realm and associated kdc servers
    • Using cont0129/itss collected tickets from Kerberos
    • Set Kinit running.
  3. Edited jaas_server.conf to our settings – note here that an amount of confusion is occurring at this point with sasl-ca & SASL-CA; it is unclear whether this is for a reason or whether they are interchangeable (in a Linux environment they are not the same, but the notes don’t carry this explanation).
  4. Created a keystore entry as per the instructions using the keytool utility found in the Java environment. Details set as: CN=Mike Taylor, OU=TALL, O=University of Oxford, L=Oxford, ST=Oxon, C=UK
  5. Hit a problem with "saslca.saslMechanisms" property at point 4 in the server setup of the SASL-CA Deployment Guide. Ended up sending email to Derek Morr.

Friday 5th Aug

No email from Derek, so I reread the Deployment Guide and found that the “sasla.saslMechanisms” property should be added as a line into the sasl-ca.properties file; however, I don’t have a copy of said file.

Friday 12th Aug

Derek Morr has responded via email; however, his email:

Sorry for the delay in getting back to you. The README was out of sync with the source. The property should have been called saslca.SaslMechanisms. That's the property that tells the SASL-CA which SASL mechanisms to support for client authentication.

Seems to have missed the point, as it reiterates what I have already found out. I have therefore requested a generic copy of sasl_ca.properties and where it should be located within the file structure.

Email 2 from Derek

The file needs to be called sasl-ca.properties, and it should be in apps/server/

Sample of sasl-ca.properties:

saslca.ServerName = clarknova.et-test.psu.edu
saslca.ServerPort = 61455
saslca.OpaqueCertLifetime = 28800
saslca.IdentityCertLifetime = 31536000
saslca.CertSkewSeconds = 300
saslca.SaslMechanisms = GSSAPI
saslca.SaslMechanisms.GSSAPI = auth-only mutual-auth
saslca.PrincipalMapper.GSSAPI = edu.psu.sasl_ca.util.KerberosPrincipalMapper
saslca.authz.GSSAPI = edu.psu.sasl_ca.authz.BannedUsers
saslca.authz.GSSAPI.BannedUsers.File = /export/home/dvm105/sasl-ca/apps/server/banned.users
saslca.MaxConnections = 20
saslca.ThreadPoolTimeOut = 60
saslca.SerialNumberGenerator = edu.psu.sasl_ca.serial.HashedTimeSerialNumberGenerator
saslca.SerialNumberGenerator.HashedTimeSNM.Algorithm = SHA1
saslca.KeyStore.File = /export/home/dvm105/sasl-ca/apps/server/sasl-ca.keystore
saslca.KeyStore.Alias = SASL-CA
saslca.KeyStore.Password = XXXXX
saslca.KeyStore.PrivateKeyPassword = XXXXX
saslca.KeyStore.EncryptionKeyAlias = encryptionKey
saslca.KeyStore.EncryptionKeyPassword = XXXXX
saslca.KeyStore.MACKeyAlias = macKey
saslca.KeyStore.MACKeyPassword = XXXXX
saslca.CertSigningAlgorithm = SHA1withRSA
saslca.ResolverFile = /export/home/dvm105/sasl-ca/apps/server/resolver.xml
saslca.ResolverSchemaFile = /export/home/dvm105/sasl-ca/apps/server/schemas/shibboleth-resolver-1.0.xsd
saslca.MaxPKIOps = 10
saslca.CryptoHandleAlg = DESede/CBC/PKCS5Padding
saslca.CryptoHandleMAC = HmacSHA1
saslca.PRNGAlgorithm = SHA1PRNG
saslca.PRNGProvider = SUN
saslca.C = string
saslca.ST = string
saslca.L = attribute
saslca.O = string
saslca.OU = attribute
saslca.CN = attribute
saslca.mail = attribute
saslca.URL = attribute
saslca.Principal = attribute
saslca.C.value = US
saslca.ST.value = Pennsylvania
saslca.L.value = urn:mace:dir:attribute-def:psCampus
saslca.O.value = Pennsylvania State University
saslca.OU.value = urn:mace:dir:attribute-def:psDepartment
saslca.CN.value = urn:mace:dir:attribute-def:displayName
saslca.mail.value = urn:mace:dir:attribute-def:mail
saslca.URL.value = urn:mace:dir:attribute-def:labeledURI
saslca.Principal.value = urn:mace:dir:attribute-def:eduPersonPrincipalName
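As an added example (not the SASL-CA project's own code), a small Python reader for this properties layout: it derives the subject-DN template from the saslca.<RDN> / saslca.<RDN>.value pairs and checks that every mechanism named in saslca.SaslMechanisms has its own per-mechanism line, the mismatch that cost the days above. It assumes that "string" entries are constants and "attribute" entries name resolver attributes substituted per user at issuance; the sample text is a constructed excerpt of the file shown on this page.

```python
"""Reader for the sasl-ca.properties layout (added example, not project code)."""

# Constructed excerpt modelled on the sample above; secrets stay masked.
SAMPLE = """
# subject-DN mapping: 'string' = constant, 'attribute' = resolver attribute
saslca.SaslMechanisms = GSSAPI
saslca.SaslMechanisms.GSSAPI = auth-only mutual-auth
saslca.KeyStore.Password = XXXXX
saslca.C = string
saslca.ST = string
saslca.L = attribute
saslca.O = string
saslca.CN = attribute
saslca.C.value = US
saslca.ST.value = Pennsylvania
saslca.L.value = urn:mace:dir:attribute-def:psCampus
saslca.O.value = Pennsylvania State University
saslca.CN.value = urn:mace:dir:attribute-def:displayName
"""

# RDN keys the sample file uses, in the order they appear there.
RDN_ORDER = ("C", "ST", "L", "O", "OU", "CN", "mail", "URL", "Principal")


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value', '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def dn_template(props):
    """Return [(rdn, kind, value)] for each saslca.<RDN> entry; kind is validated."""
    template = []
    for rdn in RDN_ORDER:
        kind = props.get("saslca." + rdn)
        if kind is None:
            continue
        if kind not in ("string", "attribute"):
            raise ValueError(f"saslca.{rdn}: unknown kind {kind!r}")
        value = props.get(f"saslca.{rdn}.value")
        if value is None:
            raise ValueError(f"saslca.{rdn}.value is missing")
        template.append((rdn, kind, value))
    return template


def render_dn(template, attrs):
    """Build one user's subject DN; attrs maps attribute URN -> resolved value."""
    return ", ".join(f"{rdn}={value if kind == 'string' else attrs[value]}"
                     for rdn, kind, value in template)


def missing_mechanism_lines(props):
    """Mechanisms listed in saslca.SaslMechanisms that lack a saslca.SaslMechanisms.<MECH> line."""
    mechs = props.get("saslca.SaslMechanisms", "").split()
    return [m for m in mechs if f"saslca.SaslMechanisms.{m}" not in props]
```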