Poster of Linux kernelThe best gift for a Linux geek
STAP-AUTHORIZE-SERVER-CERT

STAP-AUTHORIZE-SERVER-CERT

Section: Maintenance Commands (8)
Local index Up
 

NAME

stap-authorize-server-cert - systemtap server authorization utility

 

SYNOPSIS


stap-authorize-server-cert CERTFILE [ DIRNAME ]

 

DESCRIPTION

A systemtap compile server listens for connections from clients (stap-client) on a secure SSL network port and accepts requests to run the stap front end. Each server advertises its presence and configuration on the local network using mDNS (avahi) allowing for automatic detection by clients.

The security of the SSL network connection between the client and server depends on the proper management of server certificates.

The trustworthiness of a given systemtap server can not be determined automatically without a trusted certificate authority issuing systemtap server certificates. This is not practical in everyday use and so, clients must authenticate servers against their own database of trusted server certificates. In this context, establishing a given server as trusted by a given client means adding that server's certificate to the client's database of trusted servers.

The stap-authorize-server-cert program adds the given server certificate to the given client-side certificate database, making that server a trusted server for clients using that database.

 

ARGUMENTS

The stap-authorize-server-cert program accepts two arguments:

CERTFILE
This is the name of the file containing the certificate of the new trusted server. This is the file named stap.cert which can be found in the server's certificate database. On the server host, for servers started by the stap-server service, this database can be found in /var/lib/stap-server/.systemtap/ssl/server/. For servers run by other non-root users, this database can be found in $HOME/.systemtap/ssl/server/. For root users (EUID=0), it can be found in the stappaths (7) manual page.
DIRNAME
This optional argument is the name of the directory containing the client-side certificate database to which the certificate is to be added. If not specified, the default, for non-root users, is $HOME/.systemtap/ssl/client. For root users (EUID=0), the default is listed in the stappaths (7) manual page. The default result is that all users on the client host will trust this server when stap-authorize-server-cert is run by root and that only the user running stap-authorize-server-cert will trust the server otherwise.

 

SAFETY AND SECURITY

Systemtap is an administrative tool. It exposes kernel internal data structures and potentially private user information. See the stap(1) manual page for additional information on safety and security.

The systemtap server and its related utilities use the Secure Socket Layer (SSL) as implemented by Network Security Services (NSS) for network security. The NSS tool certutil is used for the generation of certificates. The related certificate databases must be protected in order to maintain the security of the system. Use of the utilities provided will help to ensure that the proper protection is maintained. The systemtap client will check for proper access permissions before making use of any certificate database.

 

FILES

~/.systemtap/ssl/client/
User's private client side certificate database.

/var/lib/stap-server/.systemtap/ssl/server/stap.cert
Server certificate for servers started by the stap-server service.

 

SEE ALSO

stap(1), stappaths(7), stap-server(8), stap-client(8), NSS, certutil

 

BUGS

Use the Bugzilla link of the project web page or our mailing list. http://sources.redhat.com/systemtap/, <systemtap@sources.redhat.com>.


 

Index

NAME
SYNOPSIS
DESCRIPTION
ARGUMENTS
SAFETY AND SECURITY
FILES
SEE ALSO
BUGS

This document was created by man2html, using the manual pages.
Time: 22:02:26 GMT, April 16, 2011