Mike Conway edited this page Jul 22, 2014 · 7 revisions

iRODS supports PAM authentication, and so does Jargon. Before PAM can be used, the server must be configured; this includes setting up a server SSL public/private key pair. The certificate can come from a certificate authority, such as Verisign, or it can be a self-signed certificate.

Note that the iRODS manual has a good section on PAM setup; it can be obtained from RENCI's iRODS Consortium site.

If you are using a self-signed certificate, or a certificate from an authority that is not included in the default Java certificate store, you will need to obtain the server certificate (its public key) from iRODS and import it into the trust store (cacerts) of your Java VM.

You use the Java keytool for this, documented here. Following the steps from the iRODS documentation, as you would when testing against a localhost iRODS configured for unit testing, it might look like this:

sudo keytool -import -keystore cacerts -file /var/lib/irods/iRODS/server/config/certs/server.crt

This would be run in the security directory of your Java VM, usually under the JVM install in a directory like:

jre/lib/security

Mac tip: I found that for jdk1.7 on Mac you can find Java in something like:

/Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home

where you should see a cacerts file. The import should go something like this (the keystore password is usually changeit by default):

[root@eirods security]# sudo keytool -import -keystore cacerts -file /var/lib/irods/iRODS/server/config/certs/server.crt
Enter keystore password:
Owner: CN=localhost, OU=DICE, O=DICE, L=CH, ST=North Carolina, C=US
Issuer: CN=localhost, OU=DICE, O=DICE, L=CH, ST=North Carolina, C=US
Serial number: c584501847c209bb
Valid from: Mon Mar 10 12:24:19 GMT-05:00 2014 until: Tue Mar 10 12:24:19 GMT-05:00 2015
Certificate fingerprints:
     MD5:  F8:82:D7:1B:F2:2F:21:CE:53:4A:C9:5B:76:BA:9E:08
     SHA1: 29:F3:95:36:4C:69:76:FD:8B:CF:C4:5C:15:79:AE:83:1F:27:57:B6
     SHA256: 88:8C:95:49:41:27:60:01:A1:75:A2:AB:CD:6A:85:01:E8:9F:61:B6:27:43:3D:E2:5C:C5:57:71:90:A6:E8:19
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 8D 02 6D 2E 54 1A 80 BB 0C 7E 6A CE E2 82 0A B8  ..m.T.....j.....
0010: 70 35 C1 9F                                      p5..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8D 02 6D 2E 54 1A 80 BB 0C 7E 6A CE E2 82 0A B8  ..m.T.....j.....
0010: 70 35 C1 9F                                      p5..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
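The "Trust this certificate? [no]:" prompt is the only point at which a bad certificate can be rejected, so the check worth doing before typing "yes" is to compare the SHA256 fingerprint keytool prints against the one computed on the iRODS host itself (for example with openssl x509 -noout -fingerprint -sha256 -in server.crt) and to confirm the subject CN is the host you will actually connect to. The following is an added example, not code from the Jargon project or the iRODS documentation: it parses the certificate summary keytool prints (the sample below is the transcript above, embedded as constructed input) and returns a trust decision. The function names, the expected-fingerprint value in the usage block, and the treatment of alphabetic time-zone names as UTC are assumptions of this example.

```python
"""Check a keytool -import certificate summary before answering "yes".

Added example, not part of the Jargon wiki. Reads the text keytool prints
before "Trust this certificate?" and accepts the certificate only if its
SHA256 fingerprint matches one obtained out-of-band from the iRODS server,
its subject CN is the expected host, and it is within its validity period.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the summary from the transcript on this page.
SAMPLE_KEYTOOL_OUTPUT = """\
Owner: CN=localhost, OU=DICE, O=DICE, L=CH, ST=North Carolina, C=US
Issuer: CN=localhost, OU=DICE, O=DICE, L=CH, ST=North Carolina, C=US
Serial number: c584501847c209bb
Valid from: Mon Mar 10 12:24:19 GMT-05:00 2014 until: Tue Mar 10 12:24:19 GMT-05:00 2015
Certificate fingerprints:
\t MD5:  F8:82:D7:1B:F2:2F:21:CE:53:4A:C9:5B:76:BA:9E:08
\t SHA1: 29:F3:95:36:4C:69:76:FD:8B:CF:C4:5C:15:79:AE:83:1F:27:57:B6
\t SHA256: 88:8C:95:49:41:27:60:01:A1:75:A2:AB:CD:6A:85:01:E8:9F:61:B6:27:43:3D:E2:5C:C5:57:71:90:A6:E8:19
Signature algorithm name: SHA1withRSA
Version: 3
"""

_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
# keytool date form: "Mon Mar 10 12:24:19 GMT-05:00 2014"
_DATE_RE = re.compile(
    r"\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"(?P<tz>\S+) (?P<year>\d{4})")


def parse_keytool_date(text):
    """Turn a keytool date string into an aware datetime."""
    m = _DATE_RE.search(text)
    if not m:
        raise ValueError("unrecognized keytool date: %r" % text)
    offset = timedelta(0)
    zone = re.fullmatch(r"GMT([+-])(\d{2}):(\d{2})", m.group("tz"))
    if zone:
        sign = 1 if zone.group(1) == "+" else -1
        offset = sign * timedelta(hours=int(zone.group(2)), minutes=int(zone.group(3)))
    # Assumption: a named zone such as "EST" or "UTC" is treated as UTC; a few
    # hours of skew does not matter for an expiry check measured in days.
    return datetime(int(m.group("year")), _MONTHS[m.group("mon")], int(m.group("day")),
                    int(m.group("h")), int(m.group("m")), int(m.group("s")),
                    tzinfo=timezone(offset))


def normalize_fingerprint(fp):
    """Strip colons and spaces so fingerprints from different tools compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def common_name(dn):
    """Extract the CN attribute from a keytool-style distinguished name."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def parse_certificate_summary(output):
    """Pull owner, issuer, validity and fingerprints out of keytool's summary text."""
    info = {"fingerprints": {}}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Owner:"):
            info["owner"] = line[len("Owner:"):].strip()
        elif line.startswith("Issuer:"):
            info["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Valid from:"):
            start, _, end = line[len("Valid from:"):].partition("until:")
            info["not_before"] = parse_keytool_date(start)
            info["not_after"] = parse_keytool_date(end)
        else:
            fp = re.match(r"(MD5|SHA1|SHA256):\s*([0-9A-Fa-f:]+)$", line)
            if fp:
                info["fingerprints"][fp.group(1)] = normalize_fingerprint(fp.group(2))
    missing = [k for k in ("owner", "issuer", "not_before", "not_after") if k not in info]
    if "SHA256" not in info["fingerprints"]:
        missing.append("SHA256 fingerprint")
    if missing:
        raise ValueError("incomplete keytool output, missing: %s" % ", ".join(missing))
    return info


def trust_decision(output, expected_sha256, expected_host, now=None):
    """Return a dict with 'trust' (bool), the list of 'failures', and 'self_signed'."""
    now = now or datetime.now(timezone.utc)
    info = parse_certificate_summary(output)
    failures = []
    if info["fingerprints"]["SHA256"] != normalize_fingerprint(expected_sha256):
        failures.append("SHA256 fingerprint does not match the value taken from the iRODS server")
    cn = common_name(info["owner"])
    if cn != expected_host:
        failures.append("subject CN %r is not the host you connect to (%r)" % (cn, expected_host))
    if not (info["not_before"] <= now <= info["not_after"]):
        failures.append("certificate is not valid at %s" % now.isoformat())
    return {"trust": not failures, "failures": failures,
            "self_signed": info["owner"] == info["issuer"], "subject": info["owner"]}


if __name__ == "__main__":
    # Assumed value: the fingerprint you read off the server with openssl.
    pinned = "88:8C:95:49:41:27:60:01:A1:75:A2:AB:CD:6A:85:01:E8:9F:61:B6:27:43:3D:E2:5C:C5:57:71:90:A6:E8:19"
    print(trust_decision(SAMPLE_KEYTOOL_OUTPUT, pinned, "localhost"))
```

A self-signed certificate is reported through the self_signed flag rather than as a failure, because that is exactly the case the page describes; for such a certificate the fingerprint match is the only thing standing in for a CA, which is why the pinned value must come from the server host and not from the same prompt you are about to answer. Run against the page's transcript today the decision is "do not trust" purely on validity, since that certificate expired in March 2015.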

Setting up and running PAM tests

Per the docs on Setting up unit tests, you can edit settings.xml to configure PAM testing. This includes setting:

<test.option.pam>true</test.option.pam>
<jargon.test.pam.user>pam</jargon.test.pam.user>
<jargon.test.pam.password>pam</jargon.test.pam.password>

Tips and Gotchas

Try to run PamAuthCheck, which is in the server/bin directory. Of course you need a Unix user set up, and you need to use iadmin to add the user (with no password) in iRODS.

It should look like this...

-bash-4.1$ pwd

/var/lib/irods/iRODS/server/bin

-bash-4.1$ ./PamAuthCheck pam

pam

Authenticated

If PamAuthCheck doesn't work, it won't work through Jargon either!

One thing I ran into was not having irods in the pam.d files (on CentOS 6). See these docs on adding an irods entry in pam.d.
