
Remote Administration Daemon Developer's Guide


Updated: May 2019

RAD Authenticating Remote Clients

The default REST configuration accepts connections only from the local system over a UNIX domain socket. However, you can open a public port and provide secure transport over TLS for remote RAD clients. This section describes the three general steps required:

  1. Create a service instance to handle requests from remote clients.

  2. Test the remote connection.

  3. Set up a RAD connection.

How to Create a Service Instance to Handle Requests from Remote Clients

  1. Create a SMF service manifest by copying the /lib/svc/manifest/system/rad.xml manifest and modifying it.

    The following example shows a sample SMF manifest after modification.

    # cat rad-remote-http.xml
    <?xml version="1.0" ?>
    <!DOCTYPE service_bundle
     SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
    
    <service_bundle type="manifest" name="site/rad">
       <service version="1" type="service" name="site/rad">
           <dependency restart_on="none" type="service"
               name="multi_user_dependency" grouping="require_all">
               <service_fmri value="svc:/milestone/multi-user"/>
           </dependency>
           <exec_method name='start' type='method' exec='/usr/lib/rad/rad -sp' timeout_seconds='0'/>
           <exec_method name='stop' type='method' exec=':kill' timeout_seconds='0'/>
           <instance name='remote-http' enabled='false' complete='true'>
             <property_group name='ssl_port' type='xport_tls'>
               <propval name='certificate' type='astring' value='/etc/rad/cert.pem'/>
               <propval name='generate' type='boolean' value='true'/>
               <propval name='localonly' type='boolean' value='false'/>
               <propval name='pam_service' type='astring' value='rad-tls'/>
               <propval name='port' type='integer' value='12303'/>
               <propval name='privatekey' type='astring' value='/etc/rad/key.pem'/>
               <propval name='proto' type='astring' value='rad_http'/>
               <propval name='value_authorization' type='astring' value='solaris.smf.value.rad'/>
             </property_group>
             <property_group name='config' type='application'>
               <property name='moduledir' type='astring'>
                 <astring_list>
                   <value_node value='/usr/lib/rad/transport'/>
                   <value_node value='/usr/lib/rad/protocol'/>
                   <value_node value='/usr/lib/rad/module'/>
                   <value_node value='/usr/lib/rad/site-modules'/>
                 </astring_list>
               </property>
             </property_group>
           </instance>
           <template>
               <common_name>
                     <loctext xml:lang="C">Remote RAD HTTP</loctext>
               </common_name>
               <description>
                   <loctext xml:lang="C">RAD connections over REST (HTTP)</loctext>
               </description>
           </template>
       </service>
    </service_bundle>
    

    Note the following items in the example manifest:

    • The port property defines the port number on which RAD accepts remote connections; in this example it is set to 12303.

    • The proto property defines the protocol to use. In this example it is set to HTTP, as indicated by the value rad_http.

  2. Copy the manifest to the site-wide SMF manifest location at /lib/svc/manifest/site.
    # cp rad-remote-http.xml /lib/svc/manifest/site
  3. Restart the svc:/system/manifest-import:default service instance.
    # svcadm restart manifest-import
  4. Enable the newly created rad:remote-http service instance.
    # svcadm enable rad:remote-http
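    Before importing a modified manifest it is worth confirming that the transport settings of the remote-http instance are the ones you intend to expose, since localonly=false opens the port to the network. The following script is an added example, not part of the guide or of RAD itself: it parses the ssl_port property group with the Python standard library and lists the settings a reviewer would look at. The sample manifest embedded in it is the one from this section, reduced to the instance and its property group; the reading of generate=true as "certificate generated on the server rather than CA-issued" is an assumption based on the property names and the self-signed-certificate procedure later in this section.

```python
"""Review the network-facing transport settings of a RAD SMF manifest.

Added example; uses only the Python standard library. Pass a manifest path as
the first argument, or run without arguments to check the embedded sample.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the remote-http manifest from this section, reduced to the
# instance and its ssl_port property group (DOCTYPE omitted so the parser does
# not look for the DTD).
SAMPLE_MANIFEST = """<?xml version="1.0" ?>
<service_bundle type="manifest" name="site/rad">
  <service version="1" type="service" name="site/rad">
    <instance name='remote-http' enabled='false' complete='true'>
      <property_group name='ssl_port' type='xport_tls'>
        <propval name='certificate' type='astring' value='/etc/rad/cert.pem'/>
        <propval name='generate' type='boolean' value='true'/>
        <propval name='localonly' type='boolean' value='false'/>
        <propval name='pam_service' type='astring' value='rad-tls'/>
        <propval name='port' type='integer' value='12303'/>
        <propval name='privatekey' type='astring' value='/etc/rad/key.pem'/>
        <propval name='proto' type='astring' value='rad_http'/>
      </property_group>
    </instance>
  </service>
</service_bundle>
"""


def _coerce(ptype, value):
    """Convert an SMF propval string to a Python value by its declared type."""
    if ptype == "boolean":
        return value == "true"
    if ptype in ("integer", "count"):
        return int(value)
    return value


def transport_settings(manifest_xml, instance="remote-http"):
    """Return {group_name: {prop: value}} for every xport_* property group
    of the named instance.  An instance without transports yields {}."""
    root = ET.fromstring(manifest_xml)
    settings = {}
    for inst in root.iter("instance"):
        if inst.get("name") != instance:
            continue
        for pg in inst.findall("property_group"):
            if not pg.get("type", "").startswith("xport_"):
                continue
            settings[pg.get("name")] = {
                pv.get("name"): _coerce(pv.get("type"), pv.get("value"))
                for pv in pg.findall("propval")
            }
    return settings


def review(settings):
    """Return human-readable findings for transports that are not local-only."""
    findings = []
    for group, props in settings.items():
        if props.get("localonly", True):
            continue  # not reachable from the network, nothing to review
        port = props.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"{group}: invalid port {port!r}")
        if props.get("generate"):
            # Assumption: generate=true means the server creates its own
            # certificate, so every client must import it (see the
            # self-signed procedure in this section).
            findings.append(f"{group}: generate=true, certificate is generated "
                            "on the server; copy it to /etc/certs/CA on each client")
        if not props.get("pam_service"):
            findings.append(f"{group}: no pam_service set")
        for key in ("certificate", "privatekey"):
            if not props.get(key):
                findings.append(f"{group}: missing {key}")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    found = transport_settings(text)
    for group, props in found.items():
        print(group, props)
    for line in review(found):
        print("finding:", line)
```

For the sample manifest the script reports one finding, the generated certificate; a manifest whose remote-http instance still had localonly=true would produce none, because that transport is not exposed.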

How to Test the Remote Connection in RAD

  • Make the following request in a browser on a remote client.

    https://hostname:12303

    The request returns a response similar to the following example:

    {
            "status": "illegal access",
            "payload": {
                    "Message": "Response content type 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' requested yet only 'application/json' is supported by the origin server.",
                    "HTTP Method": "GET",
                    "URI": "/",
                    "RAD Operation": null
            }
    }

How to Set Up a RAD Connection

After you have created a service instance to handle remote requests, the next step is to authenticate and establish a RAD connection from a client. To authenticate:

  1. Save the user credentials in a JSON file to use for authentication.

    For example:

    # cat body.json
    {
          "username": "testuser",
          "password": "testpassword",
          "scheme": "pam",
          "preserve": true,
          "timeout": -1
    }
  2. Ensure that the RAD server's certificate will be trusted.

    Perform this procedure once per client. Choose the steps for your certificate source.

    • RAD server is using a self-signed certificate.
      1. Copy only the certificate, not the private key, from the server to the client.
        RADserver # cp /etc/rad/RADserver.pem  /net/RADclient/etc/certs/CA

        Use a unique name, such as the RAD server name, as in RADserver.pem.

      2. Restart the ca-certificates service on the client.
        RADclient # svcadm restart ca-certificates
    • RAD server is using a CA certificate.
      1. Ensure that the certificate for the issuing CA is in the /etc/certs/CA directory on the client.
        RADclient # ls /etc/certs/CA
        ...
        Example-Security_EV_RootCA1.pem
        Example-Security_RootCA2.pem
        Example-Security_Root_CA.pem
        ...
      2. If necessary, restart the ca-certificates service.
        RADclient # svcadm restart ca-certificates

    You can now use the curl command on the client to authenticate to the RAD server over TLS, posting the saved credentials and storing the session cookie for later requests.

    RADclient # curl -H "Content-type: application/json" -X POST \
     --data-binary @body.json \
     -v -c cookie.txt -b cookie.txt \
     https://RADserver.example.com:12303/api/com.oracle.rad.authentication/1.0/Session
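    The same exchange in a scriptable form, as an added example that is not part of the guide or of the RAD client libraries: it builds the body.json fields, opens the Session request over TLS verified against the server certificate or CA certificate installed in the previous step, keeps the session cookie, and parses the JSON document RAD returns. The error document embedded as sample input is the one shown in the remote-connection test earlier in this section; the host name, port and certificate path are placeholders, and the shape of a successful Session response is not shown on this page, so the code only distinguishes the documented "illegal access" status from everything else.

```python
"""Authenticate to a RAD REST endpoint over verified TLS (standard library only)."""
import json
import ssl
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample: the error document RAD returned for a browser GET in the
# remote-connection test of this section (Message shortened).
SAMPLE_ERROR = """{
    "status": "illegal access",
    "payload": {
        "Message": "Response content type 'text/html,...' requested yet only 'application/json' is supported by the origin server.",
        "HTTP Method": "GET",
        "URI": "/",
        "RAD Operation": null
    }
}"""

SESSION_PATH = "/api/com.oracle.rad.authentication/1.0/Session"


def build_login_body(username, password, timeout=-1, preserve=True):
    """Return the dictionary equivalent of body.json from the procedure."""
    return {"username": username, "password": password, "scheme": "pam",
            "preserve": preserve, "timeout": timeout}


def parse_rad_response(text):
    """Return (status, payload) from a RAD JSON document.  'illegal access'
    is the error status documented in this section; anything else is
    returned unchanged for the caller to inspect."""
    doc = json.loads(text)
    return doc.get("status"), doc.get("payload")


def open_session(host, port, body, cafile, cookies=None):
    """POST the credentials to the Session endpoint.

    cafile is the PEM copied to /etc/certs/CA in the previous step (the
    server's own certificate, or the issuing CA's).  The default context
    verifies the chain and the host name, so a server presenting any other
    certificate is rejected before the credentials are sent.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    cookies = cookies if cookies is not None else CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(cookies))  # same role as -c/-b cookie.txt
    req = urllib.request.Request(
        f"https://{host}:{port}{SESSION_PATH}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},  # RAD only serves JSON
        method="POST")
    try:
        with opener.open(req, timeout=30) as resp:
            raw = resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8")  # RAD still sends a JSON document
    status, payload = parse_rad_response(raw)
    return status, payload, cookies


if __name__ == "__main__":
    import getpass
    # Placeholders: substitute the RAD server and the certificate copied to the client.
    HOST, PORT, CAFILE = "RADserver.example.com", 12303, "/etc/certs/CA/RADserver.pem"
    body = build_login_body("testuser", getpass.getpass("password: "))
    status, payload, jar = open_session(HOST, PORT, body, CAFILE)
    print("status:", status)
    print("payload:", json.dumps(payload, indent=2))
    print("cookies:", [c.name for c in jar])
```

Reading the password with getpass rather than from body.json keeps it out of the file system; if you do keep a body.json as in the procedure, restrict its permissions to the user who runs the client. The cookie jar returned by open_session is what subsequent API requests need to present, exactly as curl reuses cookie.txt.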