MICO SL3
--------
MICO SL3 is an implementation of the SecurityLevel3 (SL3) API of Adiron
LLC, in the modified form produced by ObjectSecurity Ltd. during its
work on the IST project COACH. For more information about
SecurityLevel3, see http://coach.objectweb.org/ and
http://www.adiron.com/ORBAsec3.html
What is this for?
-----------------
In short, the SL3 API is the API for dealing with CSIv2 security. That
is not the whole truth, since the API can also accommodate Kerberos,
SESAME and other security architectures, but its main use is as the
programming interface to a CSIv2-based security service. The same holds
for MICO: the MICO SL3 project was written solely to work together with
the MICO CSIv2 implementation.
Installation
------------
MICO has to be configured with the '--enable-sl3' configure option
before the MICO SL3 implementation can be used.
Command-line options
--------------------
Only one command-line option is needed to tell the application to use
SL3: -ORBSL3. It is nearly always combined with -ORBCSIv2. The one
exception is an application that uses SL3 directly for transport layer
security only; in that case -ORBCSIv2 is not given. This applies to SL3
security-aware applications only, i.e. applications that set up all
needed credentials themselves in their own code. To set up SL3
credentials for an SL3 security-unaware application, enable the SL3
extended command-line options (-ORBSL3CmdExt) and add the appropriate
credentials creation options. Note that a user name and password given
with the GSSUP options below appear on the command line and are
therefore readable by other users of the host through the process
table. All SL3 options are listed in the table below.
----------------------------------------------------------------------
option name                    | description
----------------------------------------------------------------------
-ORBSL3                        | enables SL3
----------------------------------------------------------------------
-ORBCSIv2                      | enables CSIv2; combined with -ORBSL3
                               | it enables the CSIv2 part of SL3
----------------------------------------------------------------------
-ORBSL3CmdExt                  | enables recognition of the extended
                               | command-line options (all options
                               | below in this table)
----------------------------------------------------------------------
-ORBSL3TCPIPInitiator          | enables TCPIP initiator credentials
                               | with a system-selected binding socket
----------------------------------------------------------------------
-ORBSL3TCPIPInitiator2         | enables TCPIP initiator credentials;
                               | the parameter <host>:<port> is used
                               | for initiator socket binding
----------------------------------------------------------------------
-ORBSL3TCPIPAcceptor           | enables TCPIP acceptor credentials
                               | with a system-selected binding socket
----------------------------------------------------------------------
-ORBSL3TCPIPAcceptor2          | enables TCPIP acceptor credentials;
                               | the parameter <host>:<port> specifies
                               | the acceptor listening host and port
----------------------------------------------------------------------
-ORBSL3TLSInitiator            | enables a TLS initiator with a
                               | system-selected binding port
----------------------------------------------------------------------
-ORBSL3TLSInitiator2           | enables a TLS initiator; the parameter
                               | <host>:<port> specifies the binding
                               | host and port
----------------------------------------------------------------------
-ORBSL3TLSInitiatorOptions     | provides the required TLS initiator
                               | options <CA>,<C cert>,<C key>, where
                               | <CA> is the certificate authority's
                               | certificate file, <C cert> the
                               | client's certificate file and <C key>
                               | the client's private key file
----------------------------------------------------------------------
-ORBSL3TLSAcceptor             | enables a TLS acceptor with a
                               | system-selected binding port
----------------------------------------------------------------------
-ORBSL3TLSAcceptor2            | enables a TLS acceptor; the parameter
                               | <host>:<port> specifies the binding
                               | host and port
----------------------------------------------------------------------
-ORBSL3TLSAcceptorOptions      | provides the required TLS acceptor
                               | options <CA>,<S cert>,<S key>, where
                               | <CA> is the certificate authority's
                               | certificate file, <S cert> the
                               | server's certificate file and <S key>
                               | the server's private key file
----------------------------------------------------------------------
-ORBSL3TLSInitiatorVerifyDepth | sets the TLS initiator certificate
                               | verify depth to <number>
----------------------------------------------------------------------
-ORBSL3TLSAcceptorVerifyDepth  | sets the TLS acceptor certificate
                               | verify depth to <number>
----------------------------------------------------------------------
-ORBSL3IPCInitiator            | enables initiator credentials for
                               | colocated calls
----------------------------------------------------------------------
-ORBSL3IPCAcceptor             | enables acceptor credentials for
                               | colocated calls
----------------------------------------------------------------------
-ORBSL3CSIClientUser           | adds a GSSUP client user/password for
                               | the specified realm; the parameter has
                               | the form
                               | <realm>,<user name>,<user password>
----------------------------------------------------------------------
-ORBSL3CSIServerUser           | adds a GSSUP server user/password; the
                               | parameter has the form
                               | <user name>,<user password>
----------------------------------------------------------------------
-ORBSL3CSIServerRealm          | provides the server realm; the
                               | parameter is <realm>
----------------------------------------------------------------------
Demos
-----
MICO SL3 demos are provided in the mico/demo/sl3 directory. Please
read the README file in that directory for more information about the
various demos provided.
Exception table
---------------
MICO SL3 code generally throws either CORBA::NO_PERMISSION or
CORBA::BAD_PARAM. The table below lists every minor id returned with
these exceptions, together with the reason the exception was thrown,
to ease debugging of SL3-enabled applications.
____________________________________________________________________
exception     | minor id | reason
--------------------------------------------------------------------
NO_PERMISSION | 10001    | No own credentials are set on the client
              |          | (initiator) side while the application
              |          | tries to open a GIOP connection to the
              |          | target object
--------------------------------------------------------------------
BAD_PARAM     | 20001    | No credentials with the given creds id are
              |          | registered on the transport security
              |          | CredentialsCurator which the user tries to
              |          | remove, i.e. thrown by
              |          | TransportSecurity::CredentialsCurator::remove_credentials
--------------------------------------------------------------------
BAD_PARAM     | 20002    | No credentials with the given creds id are
              |          | registered on the transport security
              |          | CredentialsCurator which the user tries to
              |          | release, i.e. thrown by
              |          | TransportSecurity::CredentialsCurator::release_credentials
--------------------------------------------------------------------
BAD_PARAM     | 30001    | No credentials with the given creds id are
              |          | registered on the security level3
              |          | CredentialsCurator which the user tries to
              |          | release, i.e. thrown by
              |          | SecurityLevel3::CredentialsCurator::release_own_credentials
--------------------------------------------------------------------
BAD_PARAM     | 40001    | Thrown from
              |          | TCPIPArgBuilder::add_tcpip_initiator_options
              |          | because the builder is intended to create
              |          | accept-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 40002    | Thrown from
              |          | TCPIPArgBuilder::add_tcpip_acceptor_options
              |          | because the builder is intended to create
              |          | initiate-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 40003    | Thrown from
              |          | TCPIPArgBuilder::add_accepting_context_observer
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | observer reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 40004    | Thrown from
              |          | TCPIPArgBuilder::add_initiating_context_observer
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | observer reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 40005    | Thrown from
              |          | TCPIPArgBuilder::add_credentials_observer
              |          | because the supplied observer reference is
              |          | nil
--------------------------------------------------------------------
BAD_PARAM     | 50001    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_tls_acceptor_options
              |          | because the builder is intended to create
              |          | initiate-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 50002    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_tls_acceptor_options_with_passphrase
              |          | because the builder is intended to create
              |          | initiate-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 50003    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_tls_initiator_options
              |          | because the builder is intended to create
              |          | accept-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 50004    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_tls_initiator_options_with_passphrase
              |          | because the builder is intended to create
              |          | accept-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 50005    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_tls_anonymous_initiator_options
              |          | because the builder is intended to create
              |          | accept-only credentials
--------------------------------------------------------------------
BAD_PARAM     | 50006    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_initiator_verify_depth
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | depth value is smaller than zero
--------------------------------------------------------------------
BAD_PARAM     | 50007    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_acceptor_verify_depth
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | depth value is smaller than zero
--------------------------------------------------------------------
BAD_PARAM     | 50008    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_initiator_identity_verifier
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | verifier reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 50009    | Thrown from
              |          | OpenSSLConfigArgBuilder::add_acceptor_identity_verifier
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | verifier reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60001    | Thrown from
              |          | CSIArgBuilder::add_password_generator
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | generator reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60002    | Thrown from
              |          | CSIArgBuilder::add_password_processor
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | processor reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60003    | Thrown from
              |          | CSIArgBuilder::add_trust_in_server_decider
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | decider reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60004    | Thrown from
              |          | CSIArgBuilder::add_transport_credentials
              |          | because the supplied credentials reference
              |          | is nil
--------------------------------------------------------------------
BAD_PARAM     | 60005    | Thrown from
              | 60006    | CSIArgBuilder::add_transport_credentials
              | 60007    | because the usage of the supplied
              | 60008    | credentials does not exactly match the
              |          | usage of the credentials being created
--------------------------------------------------------------------
BAD_PARAM     | 60009    | Thrown from
              |          | CSIArgBuilder::add_credentials_observer
              |          | because the supplied observer reference is
              |          | nil
--------------------------------------------------------------------
BAD_PARAM     | 60010    | Thrown from
              |          | CSIArgBuilder::add_client_credentials_observer
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | observer reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60011    | Thrown from
              |          | CSIArgBuilder::add_target_credentials_observer
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | observer reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60012    | Thrown from
              |          | CSIArgBuilder::add_ATLAS_object
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | token dispenser or token processor
              |          | reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60013    | Thrown from
              |          | CSIArgBuilder::add_token_processor
              |          | because the builder is intended to create
              |          | accept-only credentials or the supplied
              |          | token processor reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60014    | Thrown from
              |          | CSIArgBuilder::add_identity_processor
              |          | because the builder is intended to create
              |          | initiate-only credentials or the supplied
              |          | identity processor reference is nil
--------------------------------------------------------------------
BAD_PARAM     | 60015    | Thrown from the CSI CredentialsAcquirer
              | 60016    | as a result of trying to create
              | 60017    | credentials from a probably corrupted
              |          | argument list
--------------------------------------------------------------------
NO_PERMISSION | 70001    | Thrown by the security service when the
              |          | configured trust decider does not trust
              |          | the target
--------------------------------------------------------------------
NO_PERMISSION | 70002    | Thrown by the security service when it is
              |          | not able to establish a context based on
              |          | the transport credentials
--------------------------------------------------------------------
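The checker below is an added example for the command-line options
section and for the exception table above; it is not part of MICO or of
the SL3 API. It takes the option names and the minor ids from this
README, derives the dependency rules from the option descriptions (the
extended options need -ORBSL3CmdExt, the <CA>,<cert>,<key> triple is
required once a TLS initiator or acceptor is enabled, the GSSUP options
belong to the CSIv2 part that only -ORBCSIv2 enables) and runs them over
constructed command lines before the ORB is started, so that a negative
verify depth or a missing TLS options triple is reported as a message
instead of surfacing later as BAD_PARAM 50006/50007 or NO_PERMISSION
10001. The certificate file names, users, realm and passwords in the
sample command lines are placeholders.

```python
"""Pre-flight check of MICO SL3 command lines (added example, not MICO code).

Option names and minor ids are taken from README.SL3; the dependency rules
are derived from the option descriptions there; the sample command lines
are constructed and their file names, users and passwords are placeholders.
"""
import re

# Extended options (need -ORBSL3CmdExt) and the value each one takes:
# None = plain flag, "hostport" = <host>:<port>, "depth" = non-negative
# integer, an int = that many comma-separated fields.
EXTENDED = {
    "-ORBSL3TCPIPInitiator": None, "-ORBSL3TCPIPInitiator2": "hostport",
    "-ORBSL3TCPIPAcceptor": None, "-ORBSL3TCPIPAcceptor2": "hostport",
    "-ORBSL3TLSInitiator": None, "-ORBSL3TLSInitiator2": "hostport",
    "-ORBSL3TLSInitiatorOptions": 3,        # <CA>,<C cert>,<C key>
    "-ORBSL3TLSAcceptor": None, "-ORBSL3TLSAcceptor2": "hostport",
    "-ORBSL3TLSAcceptorOptions": 3,         # <CA>,<S cert>,<S key>
    "-ORBSL3TLSInitiatorVerifyDepth": "depth",
    "-ORBSL3TLSAcceptorVerifyDepth": "depth",
    "-ORBSL3IPCInitiator": None, "-ORBSL3IPCAcceptor": None,
    "-ORBSL3CSIClientUser": 3,              # <realm>,<user name>,<user password>
    "-ORBSL3CSIServerUser": 2,              # <user name>,<user password>
    "-ORBSL3CSIServerRealm": 1,             # <realm>
}
# Options that make the ORB create transport credentials from the command line.
TRANSPORT = ("-ORBSL3TCPIPInitiator", "-ORBSL3TCPIPInitiator2",
             "-ORBSL3TCPIPAcceptor", "-ORBSL3TCPIPAcceptor2",
             "-ORBSL3TLSInitiator", "-ORBSL3TLSInitiator2",
             "-ORBSL3TLSAcceptor", "-ORBSL3TLSAcceptor2",
             "-ORBSL3IPCInitiator", "-ORBSL3IPCAcceptor")
HOSTPORT = re.compile(r"^[^:\s]+:\d{1,5}$")


def parse(argv):
    """Collect -ORB* options into a dict and check the shape of each value."""
    opts, findings = {}, []
    i = 0
    while i < len(argv):
        a, i = argv[i], i + 1
        if not a.startswith("-ORB"):
            continue                      # program name, IORs, application args
        kind = EXTENDED.get(a)
        if kind is None:                  # -ORBSL3, -ORBCSIv2, -ORBSL3CmdExt, flags
            opts[a] = None
            continue
        if i >= len(argv) or argv[i].startswith("-ORB"):
            findings.append(("error", f"{a} requires a value"))
            continue
        v, i = argv[i], i + 1
        opts[a] = v
        if kind == "hostport" and not HOSTPORT.match(v):
            findings.append(("error", f"{a}: expected <host>:<port>, got {v!r}"))
        elif kind == "depth" and not v.isdigit():
            findings.append(("error", f"{a}: verify depth must be a non-negative "
                                      f"integer, got {v!r} (the builder raises "
                                      "BAD_PARAM 50006/50007 for that)"))
        elif isinstance(kind, int) and len(v.split(",")) != kind:
            findings.append(("error", f"{a}: expected {kind} comma-separated "
                                      f"fields, got {v!r}"))
    return opts, findings


def check(argv):
    """Return [(severity, message)] for a MICO command line; [] means clean."""
    opts, findings = parse(argv)
    if "-ORBSL3" not in opts and any(o.startswith("-ORBSL3") for o in opts):
        findings.append(("error", "SL3 options given without -ORBSL3"))
    if "-ORBSL3CmdExt" not in opts:
        findings += [("error", f"{o} is only recognised with -ORBSL3CmdExt")
                     for o in opts if o in EXTENDED]
    for side, enablers, options in (
            ("initiator", ("-ORBSL3TLSInitiator", "-ORBSL3TLSInitiator2"),
             "-ORBSL3TLSInitiatorOptions"),
            ("acceptor", ("-ORBSL3TLSAcceptor", "-ORBSL3TLSAcceptor2"),
             "-ORBSL3TLSAcceptorOptions")):
        enabled = any(e in opts for e in enablers)
        if enabled and options not in opts:
            findings.append(("error", f"TLS {side} enabled but {options} "
                                      "(<CA>,<cert>,<key>) is missing"))
        if options in opts and not enabled:
            findings.append(("error", f"{options} given but no TLS {side} is enabled"))
    if any(o.startswith("-ORBSL3CSI") for o in opts) and "-ORBCSIv2" not in opts:
        findings.append(("error", "GSSUP options given but -ORBCSIv2 is missing, "
                                  "so the CSIv2 part of SL3 is not enabled"))
    for o in ("-ORBSL3CSIClientUser", "-ORBSL3CSIServerUser"):
        if o in opts:
            findings.append(("warning", f"{o} passes a password on the command "
                                        "line; other local users can read it "
                                        "from the process table"))
    if "-ORBSL3CmdExt" in opts and not any(o in opts for o in TRANSPORT):
        findings.append(("warning", "no transport credentials requested; a client "
                                    "opening a GIOP connection without own "
                                    "credentials gets NO_PERMISSION 10001"))
    return findings


def errors(argv):
    """Only the error messages of check(), in order."""
    return [m for s, m in check(argv) if s == "error"]


# Constructed sample command lines (not taken from the MICO demos).
SERVER = ["server", "-ORBSL3", "-ORBCSIv2", "-ORBSL3CmdExt",
          "-ORBSL3TLSAcceptor2", "0.0.0.0:5000",
          "-ORBSL3TLSAcceptorOptions", "ca.pem,server.pem,server.key",
          "-ORBSL3TLSAcceptorVerifyDepth", "2",
          "-ORBSL3CSIServerUser", "svc,s3cret", "-ORBSL3CSIServerRealm", "example.org"]
CLIENT_OK = ["client", "-ORBSL3", "-ORBCSIv2", "-ORBSL3CmdExt", "-ORBSL3TLSInitiator",
             "-ORBSL3TLSInitiatorOptions", "ca.pem,client.pem,client.key",
             "-ORBSL3CSIClientUser", "example.org,alice,wonderland", "IOR:0123"]
CLIENT_BAD = ["client", "-ORBSL3", "-ORBCSIv2", "-ORBSL3TLSInitiator",
              "-ORBSL3TLSInitiatorVerifyDepth", "-1",
              "-ORBSL3CSIClientUser", "example.org,alice"]

if __name__ == "__main__":
    for name, argv in (("server", SERVER), ("client", CLIENT_OK), ("bad client", CLIENT_BAD)):
        print(name)
        for sev, msg in check(argv) or [("ok", "no findings")]:
            print(f"  {sev}: {msg}")
```

Running the file as a script prints the findings for the three
constructed command lines: the server and the good client only get the
password warning, while the bad client (no -ORBSL3CmdExt, a negative
verify depth, no TLS initiator options, a two-field GSSUP parameter) is
rejected before the ORB would have turned each of those into a minor id
from the table above. A plain "-ORBSL3" with nothing else is accepted,
since a security-aware application creates its credentials in code.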