NAME
stap-authorize-server-cert - systemtap server authorization utility
SYNOPSIS
stap-authorize-server-cert CERTFILE [ DIRNAME ]
DESCRIPTION
A systemtap compile server listens for connections from clients
(stap-client) on a secure SSL network port and accepts requests to run
the stap front end. Each server advertises its presence and
configuration on the local network using mDNS (avahi) allowing for
automatic detection by clients.
The security of the SSL network connection between the client and
server depends on the proper management of server certificates.
The trustworthiness of a given systemtap server cannot be determined
automatically without a trusted certificate authority issuing systemtap
server certificates. This is not practical in everyday use, and so
clients must authenticate servers against their own database of trusted
server certificates. In this context, establishing a given server as
trusted by a given client means adding that server's certificate to the
client's database of trusted servers.
The stap-authorize-server-cert program adds the given server
certificate to the given client-side certificate database, making that
server a trusted server for clients using that database.
ARGUMENTS
The stap-authorize-server-cert program accepts two arguments:
CERTFILE
This is the name of the file containing the certificate of the
new trusted server. This is the file named stap.cert which can
be found in the server's certificate database. On the server
host, for servers started by the stap-server service, this
database can be found in
/var/lib/stap-server/.systemtap/ssl/server/. For servers run by
other non-root users, this database can be found in
$HOME/.systemtap/ssl/server/. For root users (EUID=0), it can
be found in /etc/systemtap/ssl/server.
DIRNAME
This optional argument is the name of the directory containing
the client-side certificate database to which the certificate is
to be added. If not specified, the default, for non-root users,
is $HOME/.systemtap/ssl/client. For root users (EUID=0), the
default is /etc/systemtap/ssl/client, which is the global
client-side certificate database. That is, the default result
is that all users on the client host will trust this server when
stap-authorize-server-cert is run by root and that only the user
running stap-authorize-server-cert will trust the server
otherwise.
SAFETY AND SECURITY
Systemtap is an administrative tool. It exposes kernel internal data
structures and potentially private user information. See the stap(1)
manual page for additional information on safety and security.
The systemtap server and its related utilities use the Secure Sockets
Layer (SSL) as implemented by Network Security Services (NSS) for
network security. The NSS tool certutil is used for the generation of
certificates. The related certificate databases must be protected in
order to maintain the security of the system. Use of the utilities
provided will help to ensure that the proper protection is maintained.
The systemtap client will check for proper access permissions before
making use of any certificate database.
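The following is an added example, not part of the systemtap distribution: a shell wrapper that compares the copied stap.cert against a SHA-256 digest obtained from the server administrator out of band, and checks the target database directory, before calling stap-authorize-server-cert. The function names and the directory policy (owned by the invoking user, not group- or world-writable) are assumptions, not the checks the stap client itself performs.

```shell
#!/bin/sh
# Added example: verify a copied stap.cert before trusting the server.

# SHA-256 of the certificate file exactly as copied (format-agnostic).
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Assumed policy (not taken from the stap client source): the database
# directory is owned by the invoking user and not group/world-writable.
dir_is_private() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -u)" ! -perm -020 ! -perm -002)" ]
}

# authorize_verified CERTFILE EXPECTED_SHA256 [DIRNAME]
# Returns 2 (unreadable file), 3 (digest mismatch), 4 (unsafe directory),
# otherwise the exit status of stap-authorize-server-cert.
authorize_verified() {
    cert=$1 expected=$2 dir=${3:-}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    actual=$(cert_digest "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $cert: got $actual" >&2
        return 3
    fi
    # An existing DIRNAME must pass the assumed policy before it is used.
    if [ -n "$dir" ] && [ -d "$dir" ] && ! dir_is_private "$dir"; then
        echo "refusing $dir: wrong owner or group/world-writable" >&2
        return 4
    fi
    # Synopsis from this page: stap-authorize-server-cert CERTFILE [ DIRNAME ]
    if [ -n "$dir" ]; then
        stap-authorize-server-cert "$cert" "$dir"
    else
        stap-authorize-server-cert "$cert"
    fi
}
```

The expected digest is produced on the server host by running sha256sum on stap.cert and is passed to the client over a channel other than the one used to copy the file.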
FILES
/etc/systemtap/ssl/client/
Public (root's) client-side certificate database.
~/.systemtap/ssl/client/
User's private client-side certificate database.
/var/lib/stap-server/.systemtap/ssl/server/stap.cert
Server certificate for servers started by the stap-server
service.
SEE ALSO
stap(1), stap-server(8), stap-client(8), NSS, certutil
BUGS
Use the Bugzilla link of the project web page or our mailing list.
http://sources.redhat.com/systemtap/, <systemtap@sources.redhat.com>.