Akenti Authority File
Regular authority files can be placed anywhere in the resource hierarchy where a stakeholder wishes to set access policy for that resource or its subtree. If an authority file exists for a resource, it must specify at least one Use Condition, and that Use Condition must exist and be accessible to Akenti. If an authority file exists for a resource and no matching Use Condition can be found, all access to that resource will be denied.
If no authority file exists for a resource, the access policy will be inherited from the parent resource.
Root Authority File
The CA certificates are placed in this file by the administrator of the resource tree. They are obtained in a trusted manner from the respective CAs.
file assumes the Akenti server has direct file read access to the directory; web assumes an MSQL server is running on the specified host; ldap assumes there is an LDAP server running on the default port on the specified host.
If more than one UseConditionCAandIssuer is combined with "OR", Akenti need only find one UseCondition issued by any one of them. If a UseConditionCAandIssuer appears on its own line, Akenti must find a UseCondition issued by it.
The order of the elements is not significant, except that the list of UseConditionCAandIssuers and the list of UseConditionRequired directories are paired. At least one UseCondition must be found for each UseConditionCAandIssuer that appears on a line by itself, or else access will be denied. A stakeholder should thus put all of his UseConditions in one directory, so that if at least one is found then all can be found. Stakeholder responsibilities can be shared by putting more than one UseConditionCAandIssuer on a single line, separated by "OR"s. That line must be followed by a line containing a list of the same number of UseConditionRequired directories, also separated by "OR"s. Then, if at least one UseCondition signed by one of the UseConditionCAandIssuers is found in one of the directories, access checking will proceed.
Naming Web-accessible directories with a terminal "/" keeps the server from having to make two requests to get the contents of the directory. UseConditions are stored by the UseCondition generator under hash names as well as the given name. The hash names are used by Akenti to find the relevant UseConditions for a resource.
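The lookup rules above, modelled as an added Python example (not Akenti code and not its file syntax). The policy structures, issuer names and directory names are constructed; it assumes any issuer on an "OR" line may be matched in any directory on the paired line, and that a resource with no authority file anywhere above it is denied.

```python
from pathlib import PurePosixPath

# Constructed sample policy. Each authority file is a list of requirement
# lines; a line pairs OR-ed issuers with the same number of OR-ed directories.
AUTHORITY_FILES = {
    "/": [(["CN=Alice"], ["dirA/"])],
    "/data/shared": [
        (["CN=Alice", "CN=Bob"], ["dirA/", "dirB/"]),  # shared responsibility
        (["CN=Carol"], ["dirC/"]),                     # issuer on its own line
    ],
}
# Constructed directory contents: directory -> set of (issuer, resource).
USE_CONDITIONS = {
    "dirA/": {("CN=Alice", "/")},
    "dirB/": {("CN=Bob", "/data/shared")},
    "dirC/": set(),
}

def governing_resource(resource, files):
    """Nearest resource at or above `resource` that has an authority file."""
    path = PurePosixPath(resource)
    for candidate in (path, *path.parents):
        if str(candidate) in files:
            return str(candidate)
    return None

def precheck(resource, files=AUTHORITY_FILES, conditions=USE_CONDITIONS):
    """Return (proceed, reason) for the UseCondition lookup step only."""
    owner = governing_resource(resource, files)
    if owner is None:
        # Assumption: with no authority file anywhere up the tree, deny.
        return False, "no authority file found"
    if not files[owner]:
        return False, f"{owner}: authority file names no UseCondition"
    for issuers, directories in files[owner]:
        if len(issuers) != len(directories):
            return False, f"{owner}: issuer/directory lists are not paired"
        found = any((issuer, owner) in conditions.get(d, set())
                    for issuer in issuers for d in directories)
        if not found:
            return False, f"{owner}: no UseCondition from {' OR '.join(issuers)}"
    return True, f"policy taken from {owner}"

if __name__ == "__main__":
    for r in ("/data/raw", "/data/shared"):
        print(r, precheck(r))
```

In the sample data, /data/raw inherits the root policy and proceeds, while /data/shared is denied because the issuer on its own line has no UseCondition in its directory, even though the "OR" line is satisfied.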
CertificateDirectory public ldap www-collab.ca.sandia.gov
CertificateDirectory public ldap idcg-ds.lbl.gov