= Mike Taylor Diary =

== Monday 1st Aug ==

Meeting with Ray Miller at OUCS:

 * Need to run a Kerberos client on the machine that will run sasl-ca. Was told that the client was available from http://web.mit.edu/kerberos/www/dist
 * Created a service principal for sasl-ca/statler.conted.ox.ac.uk@OX.AC.UK
 * Created a user to control the sasl-ca principal – cont0129/itss

== Thursday 4th Aug ==

 1. Downloaded MIT Kerberos client file MITKerberosForWindows-2.6.5.exe[[BR]]
 2. Installed the above onto Statler.
   * Set up the Oxford realm and associated KDC servers
   * Using cont0129/itss, collected tickets from Kerberos
   * Set kinit running.
 3. Edited jaas_server.conf to our settings – note here that some confusion is occurring at this point with sasl-ca & SASL-CA: it is unclear whether this is for a reason or whether they are interchangeable (in a Linux environment they are not the same, but the notes don't carry this explanation).[[BR]]
 4. Created a keystore entry as per the instructions using the keytool utility found in the Java environment. Details set as: CN=Mike Taylor, OU=TALL, O=University of Oxford, L=Oxford, ST=Oxon, C=UK[[BR]]
 5. Hit a problem with the "saslca.saslMechanisms" property at point 4 in the server setup of the SASL-CA Deployment Guide. Ended up sending an email to Derek Morr.

== Friday 5th Aug ==

No email from Derek, so I reread the Deployment Guide and found that the "saslca.saslMechanisms" property should be added as a line in the sasl-ca.properties file; however, I don't have a copy of said file.

== Friday 12th Aug ==

Derek Morr has responded via email; however, his email:

  Sorry for the delay in getting back to you. The README was out of sync with the source. The property should have been called saslca.SaslMechanisms. That's the property that tells the SASL-CA which SASL mechanisms to support for client authentication.

Seems to have missed the point, as it reiterates what I have already found out.

I have therefore requested a generic copy of sasl_ca.properties and where it should be located within the file structure.

Email 2 from Derek:

  The file needs to be called sasl-ca.properties, and it should be in apps/server/

Sample of sasl-ca.properties:

{{{
saslca.ServerName = clarknova.et-test.psu.edu
saslca.ServerPort = 61455
saslca.OpaqueCertLifetime = 28800
saslca.IdentityCertLifetime = 31536000
saslca.CertSkewSeconds = 300
saslca.SaslMechanisms = GSSAPI
saslca.SaslMechanisms.GSSAPI = auth-only mutual-auth
saslca.PrincipalMapper.GSSAPI = edu.psu.sasl_ca.util.KerberosPrincipalMapper
saslca.authz.GSSAPI = edu.psu.sasl_ca.authz.BannedUsers
saslca.authz.GSSAPI.BannedUsers.File = /export/home/dvm105/sasl-ca/apps/server/banned.users
saslca.MaxConnections = 20
saslca.ThreadPoolTimeOut = 60
saslca.SerialNumberGenerator = edu.psu.sasl_ca.serial.HashedTimeSerialNumberGenerator
saslca.SerialNumberGenerator.HashedTimeSNM.Algorithm = SHA1
saslca.KeyStore.File = /export/home/dvm105/sasl-ca/apps/server/sasl-ca.keystore
saslca.KeyStore.Alias = SASL-CA
saslca.KeyStore.Password = XXXXX
saslca.KeyStore.PrivateKeyPassword = XXXXX
saslca.KeyStore.EncryptionKeyAlias = encryptionKey
saslca.KeyStore.EncryptionKeyPassword = XXXXX
saslca.KeyStore.MACKeyAlias = macKey
saslca.KeyStore.MACKeyPassword = XXXXX
saslca.CertSigningAlgorithm = SHA1withRSA
saslca.ResolverFile = /export/home/dvm105/sasl-ca/apps/server/resolver.xml
saslca.ResolverSchemaFile = /export/home/dvm105/sasl-ca/apps/server/schemas/shibboleth-resolver-1.0.xsd
saslca.MaxPKIOps = 10
saslca.CryptoHandleAlg = DESede/CBC/PKCS5Padding
saslca.CryptoHandleMAC = HmacSHA1
saslca.PRNGAlgorithm = SHA1PRNG
saslca.PRNGProvider = SUN
saslca.C = string
saslca.ST = string
saslca.L = attribute
saslca.O = string
saslca.OU = attribute
saslca.CN = attribute
saslca.mail = attribute
saslca.URL = attribute
saslca.Principal = attribute
saslca.C.value = US
saslca.ST.value = Pennsylvania
saslca.L.value = urn:mace:dir:attribute-def:psCampus
saslca.O.value = Pennsylvania State University
saslca.OU.value = urn:mace:dir:attribute-def:psDepartment
saslca.CN.value = urn:mace:dir:attribute-def:displayName
saslca.mail.value = urn:mace:dir:attribute-def:mail
saslca.URL.value = urn:mace:dir:attribute-def:labeledURI
saslca.Principal.value = urn:mace:dir:attribute-def:eduPersonPrincipalName
}}}
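The property-name mix-up above (saslca.saslMechanisms versus saslca.SaslMechanisms) is the kind of error a Java properties file accepts silently, since keys are case-sensitive and an unknown key is simply ignored. As an added example that is not part of the diary or the SASL-CA distribution, here is a small Python checker for a sasl-ca.properties file; it assumes Java-style `key = value` lines, and both EXPECTED_KEYS (a subset of the keys in the sample file) and the sample input are constructed here.

```python
# Added example: offline sanity check of a sasl-ca.properties file.
# Flags keys that differ from the documented spelling only by case,
# reports documented keys that are absent, and checks that every
# mechanism in saslca.SaslMechanisms has its per-mechanism options
# and PrincipalMapper entries. EXPECTED_KEYS is a constructed subset.
EXPECTED_KEYS = {
    "saslca.ServerName", "saslca.ServerPort", "saslca.SaslMechanisms",
    "saslca.KeyStore.File", "saslca.KeyStore.Alias",
    "saslca.CertSigningAlgorithm",
}

# Constructed sample reproducing the misspelt key from the diary.
SAMPLE = """
saslca.ServerName = statler.conted.ox.ac.uk
saslca.ServerPort = 61455
saslca.saslMechanisms = GSSAPI
saslca.SaslMechanisms.GSSAPI = auth-only mutual-auth
saslca.PrincipalMapper.GSSAPI = edu.psu.sasl_ca.util.KerberosPrincipalMapper
saslca.KeyStore.File = /path/to/sasl-ca.keystore
saslca.KeyStore.Alias = SASL-CA
saslca.CertSigningAlgorithm = SHA1withRSA
"""

def parse_properties(text):
    """Parse 'key = value' lines; '#'/'!' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:  # a line without '=' carries no value; ignore it
            props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Return a sorted list of problems found in the parsed properties."""
    problems = []
    by_lower = {k.lower(): k for k in EXPECTED_KEYS}
    for key in props:
        if key not in EXPECTED_KEYS and key.lower() in by_lower:
            problems.append(f"{key}: wrong case, use {by_lower[key.lower()]}")
    problems += [f"{k}: missing" for k in EXPECTED_KEYS if k not in props]
    for mech in props.get("saslca.SaslMechanisms", "").split():
        for sub in (f"saslca.SaslMechanisms.{mech}", f"saslca.PrincipalMapper.{mech}"):
            if sub not in props:
                problems.append(f"{sub}: missing for mechanism {mech}")
    return sorted(problems)

def check_file(text):
    """Parse and check a properties file given as text."""
    return check_properties(parse_properties(text))
```

Running `check_file(SAMPLE)` reports the misspelt key and the consequently missing saslca.SaslMechanisms; correcting the key's case yields an empty list.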