Table of Contents

• Background
• Download
• Steps to compile and install
• Compiling as Dynamic Shared Object
• Compiling with apache (possible)
• Apache with SSL (required)
• Read Apache INSTALL file
• Read mod_ssl INSTALL file
• Prepare httpd.conf
• Makefile Usage
• Start Apache
• Explanation of the directives
• Passing control to other modules
• Supporting access controlled and non-access controlled resources

Background

Akenti is a security model and architecture that is intended to provide scalable security services in highly distributed network environments. The project goals are:

• to achieve the same level of expressiveness of access control that would be accomplished through a local human controller in the decision loop
• to accurately reflect the existing policy: authority, delegation, and responsibility present in these environments.

• digitally signed certificates capable of carrying:
• user identity authentication
• resource usage requirements ("use-conditions")
• user attribute authorizations ("attribute certificates")
• set of user rights ("capability certificates")
• delegated authorization ("delegation certificates")
• authorization decisions split among on-line and off-line entities

If you are on Linux/Unix, you must download the source.

• mod_akenti.tar.gz

• Akenti shared object libraries.  Click here to download akenti source
• OpenSSL shared object libraries (required). Download openssl from http://www.openssl.org
• OpenLDAP shared object libraries (required). Download openldap from http://www.openldap.org

• Compiling with Apache (possible)

I have not tried this option as it involves a whole bunch of things to be compiled and linked for even small changes in the akenti module. But you can always use a C++ compiler and statically link both the Akenti and the Apache libraries in order to make the Apache executable.
• Compiling as Dynamic Shared Object

To use this method, you must have apache compiled and installed with DSO support.
RedHat Linux comes with Apache compiled with DSO support.

 Extract Akenti module
 $ gunzip < mod_akenti.tar.gz | tar xvf -

Find out where the program apxs is installed. I assume it is in /usr/local/apache/bin.
Change the following lines inside the Makefile

APXS=/usr/local/apache/bin/apxs
APACHECTL=/usr/local/apache/bin/apachectl

to where it is installed.

• Read Apache INSTALL file

Read the INSTALL file comes with apache to configure and start apache.
• Read mod_ssl INSTALL file

Read the INSTALL file that comes with mod_ssl package.
To download mod_ssl go to http://www.mod_ssl.org


• Prepare httpd.conf
• Getting Apache to Link the stdc++ Library (Ref. Zachary C. Miller)

There are a number of global symbols used by C++ programs which are found in the C++ Standard Library which is not normally needed by the Apache library. Normally the C++ compiler/linkder takes care of linking the appropriate libraries to C++ programs but in the case of a C driver (e.g. apache) dynamically loading a C++ shared object the linker is not involved.

You can dynamically load arbitrary shared objects (and their global symbols) into apache using the Loadfile directive in the httpd.conf file. This directive must be specified before any LoadModule directive which loads a C++ module.

The file you need to load will be a different file based on your operating system, compiler version and the c++ standard library version. You can compile a dummy C++ program and then use the ldd command to determine which file holds the correct version and location of the standard C++ library.

Do not forget to update your httpd.conf file everytime you upgrade your standard C++ library

• Getting Apache to Link Akenti .so libraries

You can use the above mentioned Loadfile option to load akenti engine's shared object libraries. In order to do that you need to load openssl shared object libraries and openldap shared object libraries before loading akenti .so libraries. Please note that the ordering is very important.
• AkentiConf directive

Akenti policy engine requires Akenti configuration file. The AkentiConf directive is used to input the configuration file to Akenti via Apache. You need to give absolute path name for the configuration file.


• Makefile Usage
  If you are outside Akenti Environment (i.e. if you have already downloaded akenti source and built akenti shared object libraries), then you are required to set the following environment variables before using the Makefile. Otherwise, you can expect some warnings and errors. The env variables are
  • APACHE_HOME - The Apache web server home directory
  • AKENTI_HOME - The Akenti home directory
  • OPENSSL_HOME - The openssl library home directory
  • OPENLDAP_HOME - The openldap library home directory
  • LOGGER_HOME - The NetLogger library home directory

  If you are within Akenti Environment (mod_akenti is included in Akenti 1.1 source also), then you are required to modify two variables inside the Makefile.in

  • APACHECTL= {APACHE_HOME}/bin/apachectl
  • APXS= {APACHE_HOME}/bin/apxs
    

• Start Apache

Apache can be started, restarted and stopped through the Makefile.
• make install(loads the most recently compiled version of mod_akenti.so to the directory where Apache searches for dynamic objects.)
• make restart (restarts the Apache server)
• make startssl (starts the secure Apache server)
• make stop (stops the Apache server)
• make reload (loads the most recently compiled version of mod_akenti.so to the directory where Apache searches for dynamic objects, then stops and starts the secure Apache server)

Please refer to "prepare http.conf" section of this document.

Passing Control to other modules

The current version of mod_akenti does not address this. But it is possible to hand over the control to other Apache modules if the http resource requested is not controlled by Akenti. The provision will be provided in the next version. This will require additional directives in the httpd.conf file.

Supporting access controlled and non-access controlled resources

The current version of mod_akenti does not address this feature. By handing over the control to other modules Akenti can be a part of the existing non-access controlled server with minor configuration changes. The SSL is still required. This feature will require additional directives in the httpd.conf file and some changes in the akenti module.