Building, Installing, and Configuring the SDG

This page describes the procedures for getting the SDG ready to run. This page assumes that you have first obtained and successfully built the DCE-Web WanD server (see Building DCE-Web). Building the SDG requires obtaining external software that is not supplied with the DCE-Web release.

------------------------------------------------------------------------
Getting external software

The SDG requires an implementation of the SSL protocol, which in turn requires an implementation of the RSA public key cryptosystem. The SDG currently uses the following packages:

* The SSLeay SSL Source
* The RSAREF Source

At startup the SDG prints copyright notices for these two packages.

The SDG could be built with different SSL and RSA packages although we have not attempted this. Some other implementations are:

* Netscape SSLRef
* RSAREF with commercial distribution rights from Consensus Development.
* BSAFE from RSA Data Security

You should read the SSLeay and SSLapps FAQ to learn more about the SSLeay package. A slightly dated but very useful document is The Neverending Saga of Deploying a Free SSL Compliant Web Server. It gives lots of background about SSL, certificate authorities, and licensing.

Regardless of how you satisfy these external software requirements, it is your responsibility to follow all licensing requirements for these packages. In shipping the SDG to you, the Open Group is in no way conveying any license or rights to these external packages.

During the handshake phase, the SSL protocol negotiates a symmetrical cipher algorithm that both ends support, possibly including the IDEA and RC4 ciphers. IDEA and RC4 implementations are contained within SSLeay, but because of possible licensing issues, we have turned off these cryptosystems in the SSLeay top level Makefile. Note that disabling RC4 means the SDG will not operate with Netscape's Browser.
RC4 is part of the BSAFE package (see above), and for more information on IDEA, send email or contact:

    Ascom Systec AG
    IDEA Licensing
    Gewerbepark
    CH-5506 Maegenwil
    Switzerland
    Phone : +41 62 889 59 54
    Fax   : +41 62 889 59 54

------------------------------------------------------------------------
Browser Requirements

The SDG requires that browser clients support the SSL protocol, including client certificates. Client certificates are required to securely map the user's identity to a DCE identity.

In the past, a version of Mosaic with SSLeay support was used for testing the SDG. This modified Mosaic accepts RSA key and certificate files on the command line. You can start it with the following arguments:

    Mosaic -ssl cert=sdgclicert.pem -ssl key=sdgclikey.pem

The browser client and SDG SSL key-exchange and encryption algorithms must also overlap for the two to communicate. SSLeay version 0.6.6 as compiled for the SDG (that is, without IDEA and RC4) supports the cipher modes:

* DES_64_CBC_WITH_MD5
* DES_64_CBC_WITH_SHA
* DES_192_EDE3_CBC_WITH_MD5
* DES_192_EDE3_CBC_WITH_SHA

We are currently using Netscape to test the SDG. Authentication without a client certificate can be tested by setting the "VerifyClients" parameter to "Never" in the sdg.conf file. If you want assistance testing the SDG using Netscape or another SSL-capable browser, please contact dce-web-users-request@opengroup.org.

------------------------------------------------------------------------
Setting up the source tree

Construct a directory tree containing

    wand/sdg/*opengroup-supplied-sources-from-the-tar-file*
    wand/sdg/SSLeay-0.6.6
    wand/sdg/rsaref

------------------------------------------------------------------------
Building RSAREF

Before you run make, be sure to edit the makefile as needed for your platform.

    $ mkdir wand/sdg/rsaref/lib
    $ cd wand/sdg/rsaref/lib
    $ cp ../install/unix/makefile .
    $ make

------------------------------------------------------------------------
Building SSLeay

First apply our SSLeay patchkit, which fixes Makefiles, adds DCE threads support, enables use of RSAREF, disables IDEA and RC4 encryption, and fixes several small bugs. It also incorporates SSLeay-0.6.6.patch1. This patch file is wand/sdg/OSF_SSLeay-0.6.6.diffs.

    $ cd wand/sdg
    $ patch < OSF_SSLeay-0.6.6.diffs
    $ cd SSLeay-0.6.6

Make SSLeay and run tests as described in wand/sdg/SSLeay-0.6.6/INSTALL.

The SSLeay-0.6.6 build process self-modifies some files, which causes minor problems if the directories are stored in ClearCase. The quickest workaround is to check out the following files before building:

    cleartool co -unr -nc SSLeay-0.6.6/crypto/objects/obj_dat.h
    cleartool co -unr -nc SSLeay-0.6.6/crypto/pem/pem.h

A similar problem also occurs when executing the test suite (make test). You can do the same checkout trick as above, or just clone the subtree and run the tests from a normal file system directory.

If you have difficulties building RSAREF and SSLeay with your standard C compiler, try using gcc:

    make CC=gcc

You should not, however, try to build WanD and the SDG with gcc.

------------------------------------------------------------------------
Building SDG

    $ cd wand
    $ ./configure
    $ cd wand/sdg
    $ make

------------------------------------------------------------------------
Installing SDG

To install SDG to run as a non-privileged user, execute the following commands (note that you must execute these steps from the mgmt directory in your build tree):

    $ cd wand/mgmt
    $ ./sdgexec -uid 1637 -gid 1000 sdginst.dcp
    SDGDIR is '/opt/www'
    {Installing DCE-Web files in /opt/www for host outpost}
    {make install returned 0}

Note that if you are installing the SDG in a non-default directory with sdgexec, you need to reset the installDir variable in the sdginst.dcp script from /opt/www to your new installation directory path.
Otherwise, use the following command sequence to install the SDG:

    $ su root
    $ cd sdg
    $ make install DESTDIR=dir

where dir is a target install directory (for example, /opt/www).

------------------------------------------------------------------------
Configuring the SDG

You can use the GUI-based tool sdgcp to configure the SDG. You should first read about wandcp, which is nearly identical to sdgcp. The text below assumes you have installed the SDG in /opt/www.

    su root
    start DCE if not already running
    cd /opt/www/bin
    sdgcp
    ... gui starts up ...
    select Parameters/Edit and make any changes necessary.
    select Configuration/configure server to add SDG entries to the DCE registry and namespace.
    select Configuration/start server to run the SDG.

Please note that if you change the Server Installation Directory from /opt/www/ to something else via sdgcp, you need to edit the ServerRoot: parameter in the SDG configuration file (by default, lib/sdg.conf) to reflect this change.

Also note that if you change the Server Installation Directory value, the new value is not reflected in the directory for the New SDGCP Configuration File or Save SDGCP Configuration File dialogs, which instead revert to the default values of /opt/www. These dialogs need to update the directory path so that the tcl configuration scripts get saved in the same location as the rest of the commands and configuration scripts. To work around this problem, edit the value for the string in the first field of the dialogs.

You must configure ACLs within your WanD server to permit the SDG's impersonation to a junction server. See the documentation regarding the wand-mgmt object and the i and I impersonation bits. The following example enables the SDG running as principal sdg to use WanD impersonation to a junction server.

    # dcecp
    dcecp> acl modify /.:/subsys/WWW/wand-mgmt -add {user sdg -i-}

You can now go on to read about starting and running the SDG.
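
A post-install check for the two sdg.conf settings discussed on this page, VerifyClients (under Browser Requirements) and ServerRoot (under Configuring the SDG). This is an added example, not part of the DCE-Web distribution. The "Name: value" line format, the function names, and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: post-install audit of an SDG configuration file.
# ASSUMPTION: sdg.conf holds one "Name: value" (or "Name value") setting per
# line with '#' comments; only ServerRoot and VerifyClients come from the page.
# conf_get FILE KEY: print the last value assigned to KEY (case-insensitive).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[: \t]/)    # the name ends at ":" or whitespace
            if (n == 0) next
            name = substr(line, 1, n - 1)
            val = substr(line, n)
            sub(/^[: \t]+/, "", val)
            sub(/[ \t\r]+$/, "", val)
            sub(/^"/, "", val); sub(/"$/, "", val)   # tolerate quoted values
            if (tolower(name) == tolower(key)) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# audit_sdg_conf FILE INSTALL_DIR: returns 0 clean, 1 findings, 2 unreadable.
audit_sdg_conf() {
    conf=$1; want=${2%/}; findings=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    verify=$(conf_get "$conf" VerifyClients | tr '[:upper:]' '[:lower:]')
    if [ "$verify" = "never" ]; then
        echo "WARN: VerifyClients is Never; client certificates are not required"
        findings=1
    fi
    root=$(conf_get "$conf" ServerRoot); root=${root%/}
    if [ -z "$root" ]; then
        echo "WARN: ServerRoot is not set; expected $want"
        findings=1
    elif [ "$root" != "$want" ]; then
        echo "WARN: ServerRoot is $root but the SDG is installed in $want"
        findings=1
    fi
    return $findings
}

# Constructed sample: a test configuration kept after moving to /srv/www.
sample=$(mktemp)
printf '%s\n' 'ServerRoot: /opt/www/' 'VerifyClients: Never' > "$sample"
audit_sdg_conf "$sample" /srv/www || echo "audit status: $?"
rm -f "$sample"
```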