STAP-AUTHORIZE-SERVER-CERT(8)  System Manager's Manual  STAP-AUTHORIZE-SERVER-CERT(8)

NAME

       stap-authorize-server-cert - systemtap server authorization utility

SYNOPSIS

       stap-authorize-server-cert CERTFILE [ DIRNAME ]

DESCRIPTION

       A systemtap compile server listens for connections from clients
       (stap-client) on a secure SSL network port and accepts requests to
       run the stap front end. Each server advertises its presence and
       configuration on the local network using mDNS (avahi), allowing for
       automatic detection by clients.

       The security of the SSL network connection between the client and
       server depends on the proper management of server certificates.

       The trustworthiness of a given systemtap server cannot be determined
       automatically without a trusted certificate authority issuing
       systemtap server certificates. This is not practical in everyday
       use, so clients must authenticate servers against their own database
       of trusted server certificates. In this context, establishing a given
       server as trusted by a given client means adding that server's
       certificate to the client's database of trusted servers.

       The stap-authorize-server-cert program adds the given server
       certificate to the given client-side certificate database, making
       that server a trusted server for clients using that database.

ARGUMENTS

       The stap-authorize-server-cert program accepts two arguments:

       CERTFILE
              This is the name of the file containing the certificate of
              the new trusted server. This is the file named stap.cert,
              which can be found in the server's certificate database. On
              the server host, for servers started by the stap-server
              service, this database can be found in
              /var/lib/stap-server/.systemtap/ssl/server/. For servers run
              by other non-root users, this database can be found in
              $HOME/.systemtap/ssl/server/. For root users (EUID=0), the
              location is listed in the stappaths(7) manual page.

       DIRNAME
              This optional argument is the name of the directory
              containing the client-side certificate database to which the
              certificate is to be added. If not specified, the default,
              for non-root users, is $HOME/.systemtap/ssl/client. For root
              users (EUID=0), the default is listed in the stappaths(7)
              manual page. With the defaults, all users on the client host
              will trust this server when stap-authorize-server-cert is run
              by root; otherwise, only the user running
              stap-authorize-server-cert will trust the server.

SAFETY AND SECURITY

       Systemtap is an administrative tool. It exposes kernel internal data
       structures and potentially private user information. See the stap(1)
       manual page for additional information on safety and security.

       The systemtap server and its related utilities use the Secure Sockets
       Layer (SSL) as implemented by Network Security Services (NSS) for
       network security. The NSS tool certutil is used for the generation of
       certificates. The related certificate databases must be protected in
       order to maintain the security of the system. Use of the utilities
       provided will help to ensure that the proper protection is
       maintained. The systemtap client will check for proper access
       permissions before making use of any certificate database.
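       The following shell helpers are an added example, not part of the
       systemtap distribution: they audit a client-side certificate database
       before and after running stap-authorize-server-cert. The function
       names are hypothetical, and the reading of "proper access
       permissions" (owned by the caller, not group- or world-writable) is
       an assumption, since this page does not list the client's checks.

```shell
# Added example (not part of the systemtap distribution).
# Assumption: "proper access permissions" means every entry in the database
# directory is owned by the invoking user and is not group- or world-writable.
# The manual page does not list the exact checks the client performs.

# Print entries under DIR that break the assumption; return 0 only if none do.
cert_db_is_private() {
    db_dir=$1
    if [ ! -d "$db_dir" ]; then
        echo "not a directory: $db_dir" >&2
        return 2
    fi
    # -perm -020 and -perm -002 match the group-write and other-write bits.
    # Symbolic links are reported as well, because their mode is always 0777.
    offenders=$(find "$db_dir" \( ! -user "$(id -u)" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$offenders" ]; then
        printf 'unsafe entries in %s:\n%s\n' "$db_dir" "$offenders" >&2
        return 1
    fi
    return 0
}

# Hypothetical wrapper: add CERTFILE to DIRNAME, refusing to touch a database
# that is already unsafe and re-checking it once the certificate is added.
# DIRNAME defaults to the non-root default from this page; root should pass
# the directory listed in stappaths(7) explicitly.
authorize_server_cert() {
    cert_file=$1
    db_dir=${2:-$HOME/.systemtap/ssl/client}
    [ -r "$cert_file" ] || { echo "cannot read $cert_file" >&2; return 2; }
    if [ -d "$db_dir" ]; then
        cert_db_is_private "$db_dir" || return 1
    fi
    stap-authorize-server-cert "$cert_file" "$db_dir" || return 3
    cert_db_is_private "$db_dir"
}
```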

FILES

       ~/.systemtap/ssl/client/
              User's private client-side certificate database.

       /var/lib/stap-server/.systemtap/ssl/server/stap.cert
              Server certificate for servers started by the stap-server
              service.

SEE ALSO

       stap(1), stappaths(7), stap-server(8), stap-client(8), NSS, certutil

BUGS

       Use the Bugzilla link of the project web page or our mailing list.
       http://sources.redhat.com/systemtap/, <systemtap@sources.redhat.com>.