Akenti Release Notes
Changes between AK1.4 and AK1.5 (June 25, 2004)
Changes to release bundles
The release tar files are now structured to separate the Java, c++ and
3rd party code. We provide binaries for Linux RedHat 9 and
Solaris 2.7 built with the g++ 3.2.2 compiler and java 1.4.2.
Each Akenti bundle includes an example resource tree with instructions
on how to install it, so that you can experiment with our tools before
creating your own resource tree. We depend on openldap 2.1.21, cppunit
1.9.11, xerces-c 2.5.0 and openssl 0.9.7. You can get these from their
distributors, or you can download the libraries that we build against
for Linux RedHat 9 or Solaris 2.7 from us.
Changes to build process
We have reordered the build process to build the c++ and Java parts
separately. The c++ code provides the basic Akenti decision engine,
command-line tools for generating Akenti certificates from XML
templates, displaying and checking policy, checking access for a user
and other utility tools. It also includes an Akenti server and
libraries for sending and receiving messages. We now only support
building with g++ 3.2.2 and later.
The Java bundle has several variations of GUI tools to generate,
display and check policy. It also contains an experimental version of a
Java Akenti server.
Changes to certificate and protocol schemas
We have updated the namespaces in the AkentiCertificate and
AkentiProtocol schemas and they are now both located at
http://dsd.lbl.gov/Akenti/2004/05/AkentiCertificate.xsd,AkentiProtocol.xsd.
They are also included in the release bundles in the xml/schema
directory. The code now has the xerces schema validation enabled both
in the certificate generators and the policy engine. The code will
expect the schemas to be found at $AKENTI_HOME/xml/schema.
Certificates may now contain both xml and pem components (like in
Akenti 1.4) or just the xml components. The variable AK_CERT_ENC in the
akenti configuration file controls how the policy engine reads the
certificate. If this is not set or set to blank, it will read whatever
sort of certificate it gets. If the certificate includes a pem section
it will use that. Otherwise it will use the xml.
If it is set to XML, it will only expect there to be an xml section and
will use that.
The ConvertAkentiCert tool
akenti CO -a <cert> -i PEM -o XML
can be used to convert the old style format to the new XML only
one.
Akenti command line tools
The set of command line tools has been consolidated into one tool
called akenti which takes a command as its first argument.
There is a standard set of switches across all the commands starting
with -h which prints a help message. The command supports both a
local and a remote interface for most of the functions, so that it will
either call the linked-in Akenti policy engine or make calls to a
remote Akenti server.
Akenti Server
The server has been expanded beyond just simple check access
calls to provide support for the new Java certificate generators, thus
eliminating the need for the Java ResDefServer. The messages to the
Akenti server are all in SOAP and are defined in
AkentiProtocol.xsd. The client library interfaces to these calls
use the same parameters as the local library interfaces.
Changes between AK1.3 and AK1.4 (July 22, 2003)
Updated our code to use more recent versions of openldap, Xerces-c and
cppunit
We now compile against
- openldap 2.1.21 (no code changes were necessary)
- cppunit 1.8.0 - minor changes were made to use the new CPPUNITASSERT
- xerces-c 2.3.0 - changed our use of the 1.x deprecated API to the
new one
- openssl 0.9.7c - no code changes
The Makefiles have been changed to link dynamically against most
libraries.
The code now compiles with either gcc 2.96 or 3.2 on Redhat Linux and
Solaris 5.7
Changes between AK1.2a and AK1.3 (Apr 23, 2003)
This release contains only bug fixes. The real changes were in AK1.2a,
which should have been numbered 1.3.
Small fixes to the code to get it to compile and link with g++ 3.2.
Note: the policyEngine does not yet work correctly when compiled with
g++ 3.2, but we are working on that.
Fixed the makefiles to work for jdk1.4.1 and tested that the java sources
would build with jdk1.4.1. Note: if you are using 1.4, you do not need
to explicitly load the jce, jsse or cryptix jar files.
Updated binaries to openssl 0.9.7a. No changes were necessary in the
source code.
Changes between AK1.2 and AK1.2a (Jan 6, 2003)
New Client API
Deprecated libsrc/server/protocol/AkentiInsecurtClient interfaces
C_checkAccessInit, C_checkAccessLocal, checkAccessLocal, getCapability
Added libsrc/akCInf directory
AkClientInf - C compatible client side interface
AkEngInf - C compatible interface to AkentiEngine.
cap.cpp - routines to extract sections of the capability certificate
Added more support for XML certificates in C++
Added toXML and fromXML methods to the libsrc/certs/elements and
libsrc/certs classes
Tools
Added a command line certificate generator in C++ called certGen which can be
used instead of the Java one (certGen.sh, CertGen.java)
Redid the callClient.C program to use the new akCInf interfaces.
PolicyGenerator code
Improved instructions and help messages
ResDefinition server code
Modified the secure connection code in ResDefinitionServer and the sample
Client.java to do the random number initialization explicitly. It will
look for a .rand file to use for the seed.
The server reads the ResDefSSL value from akentiConf. If it is off, it creates
an http socket; if on, it creates an https socket. It defaults to off. If the
connection is SSL, it needs to read ResDefServerKey and ResDefServerCert
file names from akentiConf.
Testcases
akentiServer
Added a sample Client program to call the server over https in the
akentiServer directory. It reads "clientKey.pem" and "clientCert.pem"
from a clientConf file.
libsrc/dirServices
Added retrieval from ldap.doesciencegrid.org to test the referral code.
Note: this may hang if the ldap server is down.
Added unit tests for the new C interfaces
testcase/libsrc/policyEngine/TestAkCEngInf.c
testcase/akentiServer/ClientInfTest.c
Changes between AK1.1 and AK1.2