
NAME

       stap-authorize-server-cert - systemtap server authorization utility

SYNOPSIS

       stap-authorize-server-cert CERTFILE [ DIRNAME ]

DESCRIPTION

       A  systemtap  compile  server  listens  for  connections  from  clients
       (stap-client) on a secure SSL network port and accepts requests to  run
       the   stap   front   end.  Each  server  advertises  its  presence  and
       configuration on the local network  using  mDNS  (avahi)  allowing  for
       automatic detection by clients.

       The  security  of  the  SSL  network  connection between the client and
       server depends on the proper management of server certificates.

       The trustworthiness of a given systemtap server cannot be determined
       automatically without a trusted certificate authority issuing systemtap
       server certificates. That is not practical in everyday use, so clients
       must authenticate servers against their own database of trusted
       server certificates. In this context, establishing a given server as
       trusted by a given client means adding that server's certificate to the
       client's database of trusted servers.

       The  stap-authorize-server-cert   program   adds   the   given   server
       certificate  to the given client-side certificate database, making that
       server a trusted server for clients using that database.

ARGUMENTS

       The stap-authorize-server-cert program accepts two arguments:

       CERTFILE
              This is the name of the file containing the certificate of the
              new trusted server. This is the file named stap.cert which can
              be found in the server's certificate database. On the server
              host, for servers started by the stap-server service, this
              database can be found in
              /var/lib/stap-server/.systemtap/ssl/server/. For servers run by
              other non-root users, this database can be found in
              $HOME/.systemtap/ssl/server/. For root users (EUID=0), it can
              be found in /etc/systemtap/ssl/server.

       DIRNAME
              This optional argument is the name of the  directory  containing
              the client-side certificate database to which the certificate is
              to be added. If not specified, the default, for non-root  users,
              is  $HOME/.systemtap/ssl/client.   For  root users (EUID=0), the
              default  is  /etc/systemtap/ssl/client,  which  is  the   global
              client-side  certificate  database.  That is, the default result
              is that all users on the client host will trust this server when
              stap-authorize-server-cert is run by root and that only the user
              running  stap-authorize-server-cert  will   trust   the   server
              otherwise.
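
       The DIRNAME default and its trust scope, as an added example that is
       not part of systemtap: a wrapper that compares the SHA-256 of CERTFILE
       with a digest computed on the server host and refuses host-wide trust
       unless asked. The function names and the ALLOW_GLOBAL and
       STAP_AUTHORIZE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of systemtap: guard around stap-authorize-server-cert.

# Default DIRNAME as documented above. $1 = effective UID, $2 = home directory.
default_client_db() {
    if [ "$1" -eq 0 ]; then
        echo /etc/systemtap/ssl/client      # global database (root)
    else
        echo "$2/.systemtap/ssl/client"     # per-user database
    fi
}

# Who trusts the server once its certificate is in database $1.
trust_scope() {
    case "${1%/}" in
        /etc/systemtap/ssl/client) echo all-users ;;
        *) echo single-user ;;
    esac
}

# SHA-256 of the certificate file, to compare with the digest of stap.cert
# computed on the server host and obtained out of band (assumed workflow).
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# authorize CERTFILE EXPECTED_SHA256 [DIRNAME]
authorize() {
    cert=$1 expected=$2
    db=${3:-$(default_client_db "$(id -u)" "$HOME")}
    [ -f "$cert" ] && [ ! -L "$cert" ] || { echo "not a regular file: $cert" >&2; return 2; }
    actual=$(cert_digest "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 3
    fi
    # Policy assumption of this example: host-wide trust must be explicit.
    if [ "$(trust_scope "$db")" = all-users ] && [ "${ALLOW_GLOBAL:-0}" != 1 ]; then
        echo "refusing host-wide trust without ALLOW_GLOBAL=1" >&2
        return 4
    fi
    # STAP_AUTHORIZE (hypothetical) lets a dry run substitute another command.
    "${STAP_AUTHORIZE:-stap-authorize-server-cert}" "$cert" "$db"
}

# Run only when arguments are given, so the file can also be sourced.
[ "$#" -eq 0 ] || authorize "$@"
```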

SAFETY AND SECURITY

       Systemtap  is  an administrative tool.  It exposes kernel internal data
       structures and potentially private user information.  See  the  stap(1)
       manual page for additional information on safety and security.

       The systemtap server and its related utilities use the Secure Sockets
       Layer (SSL) as implemented by Network Security Services (NSS) for
       network security. The NSS tool certutil is used for the generation of
       certificates. The related certificate databases must  be  protected  in
       order  to  maintain  the  security of the system.  Use of the utilities
       provided will help to ensure that the proper protection is  maintained.
       The  systemtap  client  will check for proper access permissions before
       making use of any certificate database.

FILES

       /etc/systemtap/ssl/client/
              Public (root's) client-side certificate database.

       ~/.systemtap/ssl/client/
              User's private client-side certificate database.

       /var/lib/stap-server/.systemtap/ssl/server/stap.cert
              Server  certificate  for  servers  started  by  the  stap-server
              service.

SEE ALSO

       stap(1), stap-server(8), stap-client(8), NSS, certutil

BUGS

       Use  the  Bugzilla  link  of  the project web page or our mailing list.
       http://sources.redhat.com/systemtap/, <systemtap@sources.redhat.com>.