Installation

To deploy an Authn SIMPLE Plugin you need:

  1. a suitable container to support EJBs,
  2. to install a copy of authn_simple.properties in the correct place,
  3. to deploy the .ear file,
  4. and see if it works.

EJB Container

In principle you can use any EJB container. Testing has been performed with glassfish 3.1.2 and these notes refer to that version.

You must already have Java SE installed (i.e. the command "java" is known). You can then get Java EE 6 SDK Update 4 with JDK 6 Update 31 or later from http://www.oracle.com/technetwork/java/javaee/downloads/index.html and execute the script.

Request custom installation, install and configure, and enter proxy details if your site requires them. Request a server domain, set the domain name and set the admin password. For a secure deployment of glassfish you should obtain a trusted certificate rather than using the self-signed one in the distribution.

authn_simple.properties

Obtain authn_simple.ear-1.0.0-config.zip and unzip it.

In the unpacked authn_simple.ear-1.0.0-config.zip file you will find a property file, authn_simple.properties, which should be copied to the config directory for your chosen glassfish domain. You will find your domain directory at $GLASSFISH_HOME/glassfish/domains. The authn_simple.properties file may need changing:

user.list
    Space separated list of user names that this plugin authenticates.
user.<user>.password
    For each user given in user.list, this sets the password for this user. This may either be a clear text password or a cryptographic hash of a password.
    A password hash must start with a "$" character and be in the same form as found in the shadow(5) password file. It may be created using the mkpasswd(1) utility on Debian systems or grub-crypt on Red Hat derived systems or the python crypt module. The supported hash algorithms are MD5, SHA-256, and SHA-512.
    A clear text password must not start with a "$" character.
ip
    If access to the SIMPLE authentication should only be allowed from certain IP addresses then provide a space separated list of allowed values. These take the form of an IPv4 or IPv6 address followed by the number of bits (starting from the most significant) to consider.
mechanism
    If specified, this is a label to appear before the user name as it is made available to ICAT for authorization. For example if this is set to 'simple' then the user 'root' will be provided to ICAT as 'simple/root', but if no mechanism is specified it will be provided simply as 'root'.
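
One way to audit the user.list and user.<user>.password entries described above before copying the file into the domain's config directory; this is an added example, not part of the ICAT distribution. The simplified properties reader, the function names and every sample value are assumptions constructed for illustration.

```python
# Added example, not ICAT project code. All sample values are constructed.
SUPPORTED = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # crypt ids of the listed algorithms

SAMPLE = """\
# constructed authn_simple.properties content
user.list = root alice bob carol dave
user.root.password = $6$CONSTRUCTEDSALT$CONSTRUCTEDHASH
user.alice.password = correct-horse
user.bob.password = $1$CONSTRUCTEDSALT$CONSTRUCTEDHASH
user.carol.password = $y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH
"""

def parse_properties(text):
    """Minimal key=value reader (assumption: no continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def classify(password):
    """Return (kind, finding); finding is None when nothing needs attention."""
    if not password.startswith("$"):
        return "cleartext", "stored in clear text; replace with a SHA-512 hash"
    parts = password.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    algo = SUPPORTED.get(parts[1]) if len(parts) >= 4 else None
    if algo is None:
        return "unsupported", "hash id is not MD5, SHA-256 or SHA-512"
    if algo == "MD5":
        return "MD5", "MD5 crypt is weak; re-hash with SHA-512"
    return algo, None

def audit(text):
    """Map every user in user.list to its (kind, finding) pair."""
    props = parse_properties(text)
    results = {}
    for user in props.get("user.list", "").split():
        password = props.get("user.%s.password" % user)
        if not password:
            results[user] = ("missing", "no user.%s.password property" % user)
        else:
            results[user] = classify(password)
    return results

if __name__ == "__main__":
    for user, (kind, finding) in audit(SAMPLE).items():
        print("%-6s %-11s %s" % (user, kind, finding or "ok"))
```

The "unsupported" case matters when the hashing tool's default algorithm is not one of the three listed above, so check the prefix of the hash it produces.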

Installing the .ear file

If you already have an authn_simple installed then you should first remove it with

    asadmin --port 4848 undeploy <ear>

where the value of "ear" can be found by:

    asadmin --port 4848 list-applications

Obtain authn_simple.ear-1.0.0.ear and install it with the command:

    asadmin --port 4848 deploy authn_simple.ear-1.0.0.ear

If you have only one domain you may not need to specify the port and if the admin port is not 4848 then specify the correct value.

Check that authn_simple works

There is currently no standalone mechanism to check that authn_simple is working properly. Please use the test.py script that comes with the ICAT installation if one of your root users can be authorized with this plugin.

In case of problems look at the log files: server.log and authn_simple.log which can both be found in the logs directory below your domain.