Akenti Release Notes

Changes between AK1.4 and AK1.5 (June 25, 2004)

Changes to release bundles

The release tar files are now structured to separate the Java, C++ and 3rd party code. We provide binaries for Linux RedHat 9 and Solaris 2.7 built with the g++ 3.2.2 compiler and Java 1.4.2. Each Akenti bundle includes an example resource tree with instructions on how to install it, so that you can experiment with our tools before creating your own resource tree. We depend on openldap 2.1.21, cppunit 1.9.11, xerces-c 2.5.0 and openssl 0.9.7. You can get these from their distributors, or you can download the libraries that we build against for Linux RedHat 9 or Solaris 2.7 from us.

Changes to build process

We have reordered the build process to build the C++ and Java parts separately. The C++ code provides the basic Akenti decision engine, command-line tools for generating Akenti certificates from XML templates, displaying and checking policy, checking access for a user, and other utility tools. It also includes an Akenti server and libraries for sending and receiving messages. We now only support building with g++ 3.2.2 and later.

The Java bundle has several variations of GUI tools to generate, display and check policy. It also contains an experimental version of a Java Akenti server.

Changes to certificate and protocol schemas

We have updated the namespaces in the AkentiCertificate and AkentiProtocol schemas and they are now both located at http://dsd.lbl.gov/Akenti/2004/05/AkentiCertificate.xsd,AkentiProtocol.xsd. They are also included in the release bundles in the xml/schema directory. The code now has the xerces schema validation enabled both in the certificate generators and the policy engine. The code will expect the schemas to be found at $AKENTI_HOME/xml/schema.

Certificates may now contain both xml and pem components (as in Akenti 1.4) or just the xml components. The variable AK_CERT_ENC in the akenti configuration file controls how the policy engine reads the certificate. If this is not set or is set to blank, it will read whatever sort of certificate it gets: if the certificate includes a pem section it will use that, otherwise it will use the xml. If it is set to XML, it will only expect there to be an xml section and will use that.

The ConvertAkentiCert tool
    akenti CO -a <cert> -i PEM -o XML

can be used to convert the old style format to the new XML only one.


Akenti command line tools

The set of command line tools has been consolidated into one tool called akenti, which takes a command as its first argument.
There is a standard set of switches across all the commands, starting with -h, which prints a help message. The command supports both a local and a remote interface for most of the functions, so that it will either call the linked-in Akenti policy engine or make calls to a remote Akenti server.

Akenti Server

The server has been expanded beyond just simple check access calls to provide support for the new Java certificate generators, thus eliminating the need for the Java ResDefServer. The messages to the Akenti server are all in SOAP and are defined in AkentiProtocol.xsd. The client library interfaces to these calls use the same parameters as the local library interfaces.


Changes between AK1.3 and AK1.4 (July 22, 2003)

Updated our code to use more recent versions of openldap, Xerces-c and cppunit. We now compile against The Makefiles have been changed to link dynamically against most libraries. The code now compiles with either gcc 2.96 or 3.2 on Redhat Linux and Solaris 5.7.

Changes between AK1.2a and AK1.3 (Apr 23, 2003)

This release contains only bug fixes. The real changes were in AK1.2a, which should have been numbered 1.3.

Small fixes to the code to get it to compile and link with g++ 3.2. Note: the policyEngine does not yet work correctly when compiled with g++ 3.2, but we are working on that.

Fixed the makefiles to work for jdk1.4.1 and tested that the Java sources would build with jdk1.4.1. Note: if you are using 1.4, you do not need to explicitly load the jce, jsse or cryptix jar files.

Updated binaries to openssl 0.9.7a. No changes were necessary in the source code.

Changes between AK1.2 and AK1.2a (Jan 6, 2003)

New Client API
Deprecated libsrc/server/protocol/AkentiInsecurtClient interfaces
C_checkAccessInit, C_checkAccessLocal, checkAccessLocal, getCapability

Added libsrc/akCInf directory
AkClientInf - C compatible client side interface
AkEngInf - C compatible interface to AkentiEngine.
cap.cpp - routines to extract sections of the capability certificate

Added more support for XML certificates in C++
Added toXML and fromXML methods to the libsrc/certs/elements and
libsrc/certs classes

Tools
Added a command line certificate generator in C++ called certGen which can be
used instead of the Java one (certGen.sh, CertGen.java)

Redid the callClient.C program to use the new akCInf interfaces.

PolicyGenerator code
Improved instructions and help messages

ResDefinition server code
Modified the secure connection code in ResDefinitionServer and the sample
Client.java to do the random number initialization explicitly. It will
look for a .rand file to use for the seed.

The server reads the ResDefSSL value from akentiConf. If it is off, it creates
an http socket; if on, it creates an https socket. It defaults to off. If the
connection is SSL, it needs to read ResDefServerKey and ResDefServerCert
file names from akentiConf.

Testcases
akentiServer
Added a sample Client program to call the server over https in the
akentiServer directory. It reads "clientKey.pem" and "clientCert.pem"
from a clientConf file.
libsrc/dirServices
Added retrieval from ldap.doesciencegrid.org to test the referral code.
Note: this may hang if the ldap server is down.
Added unit tests for the new C interfaces
testcase/libsrc/policyEngine/TestAkCEngInf.c
testcase/akentiServer/ClientInfTest.c

Changes between AK1.1 and AK1.2