A Detailed list of the LBL Akenti Servers
/home/itg10/http/htdocs/security/Akenti/private/lbl-servers.html
idcg-ca.lbl.gov (aka akenti) - CA servers
LBNL Netscape Certificate Authority server running on idcg-ca.lbl.gov.
Accessible as https://idcg-ca.lbl.gov.
It issues Identity Certificates on behalf of Lawrence Berkeley National
Laboratory. This machine should not be running a web server. Ideally it would be
isolated from net except for the CA.
Old Netscape CA for LBNL (currently used by Akenti)
executable /export/home/NSCA/ns-home/bin/cms/ns-httpd
ServerRoot /export/home/NSCA/ns-home/cms-idcg-ca
Config file /export/home/NSCA/ns-home/cms-idcg-ca/config/magnus.conf
Port 444 - reach it at https://idcg-ca:444.
Start script /export/home/NSCA/ns-home/cms-idcg-ca/start (as root) or /etc/rc2.d/S99nsCA start-sh
Passphrases: see /export/home/NSCA/ns-home/cms-idcg-ca/passphrase, which holds the passphrases for the:
- Certificate Signing Key File
- Certificate Server DataBase
- Directory Server
- Key File Password
Ordinary users can perform unprivileged operations. To perform privileged
operations, a current administrator user must first add you as a privileged user.
Server to administer the CA server
executable /export/home/NSCA/ns-home/admserv/ns-admin
NetsiteRoot /export/home/NSCA/ns-home
Port 28772.
Start script /export/home/NSCA/ns-home/start-admin (as root)
Accessible from akenti, rocky or griffy
You need to authenticate as user admin, password i*.
From here you have full control over the idcg-ca.
Informix backend for the Netscape CA
executable /export/home/NSCA/informix/bin/oinit
Start script /etc/rc2.d/S99ifmx (as root)
Runs as user cmsdbuse, which needs an entry and password in YP.
DOEGrid CA and internal ldap servers
executable: /local/dsd-grid/server-root/bin/cert/bin/jssjava
root: /local/dsd-grid/server-root
Config file: /local/dsd-grid/server-root/cert-dsd-ca/config/CMS.cfg
Port: 443
Trouble-shooting
When starting the CA, it rejects the password for the DataBase Server.
- Check that the user cmsdbuse exists and has the password that you are trying to use.
- Check that the Informix data base is up: there should be some processes called oninit.
- Run: cd /export/home/NSCA/informix/; source ifmx.csh; bin/dbaccess
  dbaccess is an interactive program that lets you attempt to connect to the data base as user cmsdbuse. If this fails you may get some informative error messages.
- The one thing that has caught us several times is the hostname in NSCA/informix/etc/sqlhosts not matching the name you get from typing "hostname".
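As an added example that is not part of the original page, a POSIX sh pre-flight script that automates the non-interactive checks above (the dbaccess step stays interactive). It assumes the Informix root given on this page and the standard four-column sqlhosts layout (dbservername, nettype, hostname, servicename); the IFMX_ROOT override and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original LBL page: pre-flight checks for the
# "CA rejects the DataBase Server password" symptom. Assumes the Informix
# root given on the page and the four-column sqlhosts format
# (dbservername nettype hostname servicename). IFMX_ROOT is an assumed
# override variable so the checks can be pointed at a test tree.

# 0 if the account exists in the local passwd map or in YP, else 1.
db_user_exists() {
    getent passwd "$1" >/dev/null 2>&1 && return 0
    ypmatch "$1" passwd >/dev/null 2>&1 && return 0
    return 1
}

# 0 if at least one Informix engine process (oninit) is running.
informix_is_up() {
    ps -e 2>/dev/null | grep oninit >/dev/null
}

# Print every sqlhosts entry whose hostname column (3rd field) differs from
# the expected hostname; comment lines and short/blank lines are skipped.
# Exit 0 when every entry matches, 1 when any differ.
sqlhosts_mismatches() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 != want { print; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Run the non-interactive checks and report; returns 0 only if all pass.
ca_db_preflight() {
    ifmx="${IFMX_ROOT:-/export/home/NSCA/informix}"
    host=$(hostname)
    rc=0
    db_user_exists cmsdbuse || { echo "cmsdbuse has no passwd/YP entry"; rc=1; }
    informix_is_up || { echo "no oninit processes: informix is not up"; rc=1; }
    sqlhosts_mismatches "$ifmx/etc/sqlhosts" "$host" ||
        { echo "sqlhosts hostname(s) above do not match '$host'"; rc=1; }
    return $rc
}
```

Run ca_db_preflight as root on idcg-ca before starting the CA; any line it prints names the check that failed.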
idcg-ds.lbl.gov (aka akenti) - LDAP servers version 1.03
LBNL LDAP on idcg-ds.lbl.gov (really idcg-ca). The web gateway server is accessible remotely via http://idcg-ds.lbl.gov/. Anyone can do lookups and searches.
Privileged users (e.g. Directory Manager) can enter new users.
The Netscape CA on idcg-ca stores Identity Certificates in the data base on
idcg-ds. The LDAP server also runs on this machine on port 389. Akenti looks
up User Certificates via the LDAP protocol, both to verify UserCertificates that
have been presented by web clients and to get public keys to verify signers of
Attribute Certificates.
executable /export/home/ns-ds-home/bin/slapd/server/ns-slapd
Root directory /export/home/ns-ds-home/slapd-idcg-ds
Logs /export/home/ns-ds-home/slapd-idcg-ds/logs
ports 389 and secure port 636
Start script /export/home/ns-ds-home/slapd-idcg-ds/start
Passphrase f* ?
LDAP web gateway
executable /export/home/http/httpsd
DocumentRoot /export/home/http/htdocs
Port 80
Start script /export/home/http/start or /etc/rc2.d/S99httpd
Alias /dshtml /export/home/ns-ds-home/slapd-idcg-ds/dsgw/html provides
the LDAP server's homepage
Open access for read, compare and search; you must be a privileged user
(cn, password) for write.
Directory Manager works with password p*
Server to administer the LDAP server
executable /export/home/ns-ds-home/admserv/ns-admin
NetsiteRoot /export/home/ns-ds-home
Port 3582
Start script /export/home/ns-ds-home/start-admin
user admin, password t*.
Accessible from akenti, rocky or griffy.
idcg-ds.lbl.gov (aka akenti) - LDAP servers version 4.0b
LBNL LDAP server on idcg-ds.lbl.gov (really idcg-ca).
This is available for testing. The old data base was migrated on 1/25/99.
executable /export/home/ns-ds-home-4.0/server4/bin/slapd/server/ns-slapd
Root directory /export/home/ns-ds-home-4.0/server4/slapd-idcg-ds
Logs /export/home/ns-ds-home-4.0/server4/slapd-idcg-ds/logs
port 4445
Start script /export/home/ns-ds-home-4.0/server4/slapd-idcg-ds/start-slapd
Passphrase t* ?
LDAP web gateway (aka administration server)
HTTP interface to add and modify entries. It is also called the administration
server when accessed via the Netscape Console program.
executable /export/home/ns-ds-home-4.0/server4/bin/admin/ns-admin
RootDirectory /export/home/ns-ds-home-4.0/server4/admin-serv
Port 9084
Start script /export/home/ns-ds-home-4.0/server4/start-admin
Open access for read, compare and search; you must be a privileged user
(cn, password) for write.
Directory Manager works with password p*
Netscape Console used to administer the LDAP server
Graphical interface to administer and configure the LDAP server and gateway.
This no longer runs as a server. It is run by root from the command line.
Note the files named ns-admin now are part of
what used to be called the web gateway. Be sure that you have your DISPLAY
var set and that you have xhost'ed idcg-ca.
executable /export/home/ns-ds-home-4.0/server4/startconsole
NetsiteRoot /export/home/ns-ds-home-4.0/server4
login admin, t*
george: MSQL server (sometimes used by Akenti)
It stores attribute certificates. It is contacted
by the java application that generates attribute certificates,
AttributeCertificateMain.java. The user of this application must have write
permission in the MSQL data base, granted by the /usr/local/Hughes/msql.acl
file. It may be contacted by Akenti when looking for Attribute Certificates.
Start script /etc/rc2.d/S99msqld
imglib.lbl.gov - Akenti servers
Akenti web server on imglib.lbl.gov, https://imglib.lbl.gov
Accessing ImgLib via this server gets you an encrypted
connection and presents your Identity Certificate to the server. You must have an
Identity Certificate issued by IDCG-CA or DieselCert.ca.sandia.gov to access this server.
ServerRoot /home/imglib3/http.imglib
Executable /home/imglib3/http.imglib/httpd-akenti
DocumentRoot /home/imglib3/http.imglib/akenti-docs
port 443
conf /home/imglib3/http.imglib/conf/httpd-akenti.conf, Akenti.conf
Start script /home/imglib3/http.imglib/start-akenti
passphrase i*a*
Akenti Monitor server
executable /home/imglib3/http.imglib/StartMonitor.sh
Port 9999 - specified in Akenti.conf
Port to talk to applet 12000 - specified in Akenti.conf
conf /home/imglib3/http.imglib/conf/Akenti.conf
passphrase none
Akenti cache server
executable /home/imglib3/http.imglib/StartCacheManager.sh
Caching directory /home/imglib3/http.imglib/cache - specified in Akenti.conf
Port 6789 - specified in Akenti.conf
conf /home/imglib3/http.imglib/conf/Akenti.conf
passphrase none
Akenti resource definition server - provides the Akenti resource templates to
the UseCondition Create application
Executable /home/imglib3/http.imglib/StartResServer.sh
DocumentRoot /home/imglib3/http.imglib/akenti-docs
port 8008
conf /home/imglib3/http.imglib/conf/Akenti.conf
passphrase none
rocky.lbl.gov - Akenti servers
Akenti development secure apache server
ServerRoot /home/imglib3/http.rocky
Executable /home/imglib3/http.rocky/httpd-akenti
DocumentRoot /home/imglib3/http.rocky/akenti-docs
port 443
conf /home/imglib3/http.rocky/conf/httpd-akenti.conf, Akenti.conf
Start script /home/imglib3/http.rocky/start_http
passphrase r*a*
Akenti Monitor server
executable /home/imglib3/http.rocky/StartMonitor.sh
Port 9999 - specified in Akenti.conf
Port to talk to applet 12000 - specified in Akenti.conf
conf /home/imglib3/http.rocky/conf/Akenti.conf
passphrase none
Akenti cache server
executable /home/imglib3/http.rocky/StartCacheManager.sh
Caching directory /home/imglib3/http.rocky/cache - specified in Akenti.conf
Port 6789 - specified in Akenti.conf
conf /home/imglib3/http.rocky/conf/Akenti.conf
passphrase none
Akenti resource definition server - provides the Akenti resource templates to
the UseCondition Create application
Executable /home/imglib3/http.rocky/StartResServer.sh
DocumentRoot /home/imglib3/http.rocky/akenti-docs
port 8008
conf /home/imglib3/http.rocky/conf/Akenti.conf
passphrase none
Notes on the Akenti servers:
The Akenti servers on imglib and rocky share files and directories where
possible. The real files live under the production server in http.imglib
and the development server links to them. The imglib stuff is updated
from rocky at appropriate intervals.
The scripts directory is aliased to akenti-docs/cgi-bin in the conf file. This
places the scripts under the root .htauthority file in akenti-docs, but means
the files in this directory are executed rather than displayed.