Installation
Compatibility
This authentication
plugin will work with an ICAT version of 4.6 or greater.
Summary of steps
- Please follow the
generic installation instructions
- Update the icat.properties file for icat.server to see the
authenticator and restart icat to see the change. The easiest way is
to rerun the setup script for the icat.server.
- Add users
- Check that it works.
The authn_db.setup.properties file
- container
- May be either glassfish or wildfly - though only glassfish
is working fully at the moment.
- home
- is the top level of the container installation. For
glasssfish it must contain "glassfish/domains" and for wildfly it
must contain jboss-modules.jar.
- port
- is the administration port of the container which is
typically 4848 for glassfish and 9990 for wildfly.
- secure
- must be set to true or false. If true then only https and
not http connections will be allowed.
- db.vendor
- This is the conventional name of the database: such as
oracle or mysql. Currently the only value that is significant is
"oracle" which should be used to mark such databases.
- db.driver
- is the name of the jdbc driver and must match the jar file
for your database that you stored in the previous step.
- db.url
- url to connect to your database. For example:
jdbc:mysql://localhost:3306/icat
- db.username
- username to connect to your database.
- db.password
- password to connect to your database.
The authn_db.properties file
- ip
- If access to the DB authentication should only be allowed
from certain IP addresses then provide a space separated list of
allowed values. These take the form of an IPV4 or IPV6 address
followed by the number of bits (starting from the most significant)
to consider.
- mechanism
- if specified is a label to appear before the user name as it
is made available to ICAT for authorization. For example if this is
set to 'db' then the user 'root' will be provided to ICAT as
'db/root', but of no mechanism is specified it will be provided
simply as 'root'.
Update the icat.properties file for your ICAT
This is required for icat to see the new authenticator. As any
earlier version of this authenticator will have been removed then it
is important to perform this next step promptly.
If you still have the installation directory for icat then edit the
icat.properties to refer to the new authenticator and type:
./setup install
Otherwise edit the icat.properties file in the config directory for
your domain and restart the glassfish domain.
Add users
Users should be added by
manually adding them to the database table PASSWD. This has two
columns, one for the username and one for the password. The password
may be entered as clear text without a leading "$" or a
cryptographic hash of a password may be stored. A password hash must
start with a "$" character and be in the same form as found
in the shadow(5) password file. It may be created using the
mkpasswd(1) utility on Debian systems or grub-crypt on Red Hat derived
systems or the python crypt module. The supported hash algorithms are
MD5, SHA-256, and SHA-512.
Check that authn.db works
Use testicat (which is installed with ICAT) with one of the
entries in the database PASSWD table. It should report that it logs
in but may or may not have the permission to run the rest of the
test. If it does not report that it has logged in then please check
the server.log and the authn_db.log files which can both be found in
the logs directory below your domain.