Compare revisions

b08e2629 · b08e2629 · b08e2629 · b08e2629 · b08e2629 · b08e2629
--- a/warden_ra/README.openssl
+++ b/warden_ra/README.openssl
+OpenSSL local backed for Warden 3.# Registration Authority
+==========================================================
+
+Introduction
+------------
+
+This backend allows using basic `openssl ca`_ facility for certificate
+emission. Client information is kept as plain config files within "clients"
+subdirectory. Also, received CSRs and issued certificates are saved in "csr"
+and "newcerts" subdirectories, respectively. File "lock" is used to conduct
+concurrent access to running openssl binary.
+
+.. _openssl ca: https://www.openssl.org/docs/manmaster/man1/openssl-ca.html
+
+
+Installation
+------------
+
+Choose directory where OpenSSL CA structure will reside (for example
+"ca").
+
+    # mkdir ca
+    # cd ca/
+    /ca# mkdir certs crl newcerts private clients csr
+    /ca# chmod 700 private
+    /ca# touch index.txt
+    /ca# echo 1024 > serial
+
+Adjust permissions.
+
+   # s-bit, so newly created files receive permissions of parent
+   # directory, not of creator
+   ca# find . -type d | xargs chmod g+s
+   # owner - apache group (this is for Debian, adjust accordingly for
+   # different distribution)
+   ca# chgrp -R www-data .
+
+Generate CA root certificate.
+
+    ca# openssl genrsa -out private/ca.key.pem 4096
+    ca# openssl req -config openssl.cnf \
+                -key private/ca.key.pem \
+                -new -x509 -days 7300 -sha256 -extensions v3_ca \
+                -out certs/ca.cert.pem
+    ca# chmod 444 private/ca.key.pem certs/ca.cert.pem
+
+Create "openssl.cnf" in base directory. You can use "openssl.cnf.example" as
+a basis.
+
+
+Configuration
+-------------
+
+    Options for "Registry: OpenSSLRegistry" section.
+
+    base_dir: Base directory where OpenSSL CA environment is managed
+    subject_dn_template: Template for DN of issued certs, defaults to "DC=cz,DC=example-ca,DC=warden,CN=%s"
+    openssl_sign: OpenSSL command and arguments to run for signing, defaults to "openssl ca -config %(cnf)s -batch -extensions server_cert -days 375 -notext -md sha256 -in %(csr)s -subj '%(dn)s'"
+
+
+
+------------------------------------------------------------------------------
+
+Copyright (C) 2017 Cesnet z.s.p.o
--- a/warden_ra/apache22.conf
+++ b/warden_ra/apache22.conf
+SSLEngine on
+
+SSLVerifyClient optional
+SSLOptions +StdEnvVars +ExportCertData
+
+SSLCertificateFile      /opt/warden_server/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/key.pem
+SSLCACertificateFile    /opt/warden_server/chain_TERENA_SSL_CA_3.pem
+
+WSGIScriptAlias /warden_ra /opt/warden-ra/warden_ra.wsgi
+
+<Directory /opt/warden-ra/warden_ra.wsgi>
+    Order allow,deny
+    Allow from all
+</Directory>
--- a/warden_ra/apache24.conf
+++ b/warden_ra/apache24.conf
+SSLEngine on
+
+SSLVerifyClient optional
+SSLOptions +StdEnvVars +ExportCertData
+
+SSLCertificateFile      /opt/warden_server/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/key.pem
+SSLCACertificateFile    /opt/warden_server/chain_TERENA_SSL_CA_3.pem
+
+WSGIScriptAlias /warden_ra /opt/warden-ra/warden_ra.wsgi
+
+<Directory /opt/warden-ra/warden_ra.wsgi>
+    Require all granted
+</Directory>
--- a/warden_ra/ejbcaws.py
+++ b/warden_ra/ejbcaws.py
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2016, CESNET, z. s. p. o.
+# Use of this source is governed by an ISC license, see LICENSE file.
+
+import sys
+import socket
+import base64
+import suds.transport.http
+import suds.client
+import M2Crypto
+
+
+if sys.version_info[0] >= 3:
+    import urllib.request, urllib.error, urllib.parse
+    import http.client
+
+    def get_https_handler():
+        return urllib.request.HTTPSHandler
+else:
+    import urllib2
+    import httplib
+
+    def get_https_handler():
+        return urllib2.HTTPSHandler
+
+
+STATUS_FAILED = 11
+STATUS_GENERATED = 40
+STATUS_HISTORICAL = 60
+STATUS_INITIALIZED = 20
+STATUS_INPROCESS = 30
+STATUS_KEYRECOVERY = 70
+STATUS_NEW = 10
+STATUS_REVOKED = 50
+
+MATCH_TYPE_BEGINSWITH = 1
+MATCH_TYPE_CONTAINS = 2
+MATCH_TYPE_EQUALS = 0
+MATCH_WITH_CA = 5
+MATCH_WITH_CERTIFICATEPROFILE = 4
+MATCH_WITH_COMMONNAME = 101
+MATCH_WITH_COUNTRY = 112
+MATCH_WITH_DIRECTORYNAME = 204
+MATCH_WITH_DN = 7
+MATCH_WITH_DNSERIALNUMBER = 102
+MATCH_WITH_DNSNAME = 201
+MATCH_WITH_DOMAINCOMPONENT = 111
+MATCH_WITH_EDIPARTNAME = 205
+MATCH_WITH_EMAIL = 1
+MATCH_WITH_ENDENTITYPROFILE = 3
+MATCH_WITH_GIVENNAME = 103
+MATCH_WITH_GUID = 209
+MATCH_WITH_INITIALS = 104
+MATCH_WITH_IPADDRESS = 202
+MATCH_WITH_LOCALE = 109
+MATCH_WITH_ORGANIZATION = 108
+MATCH_WITH_ORGANIZATIONUNIT = 107
+MATCH_WITH_REGISTEREDID = 207
+MATCH_WITH_RFC822NAME = 200
+MATCH_WITH_STATE = 110
+MATCH_WITH_STATUS = 2
+MATCH_WITH_SURNAME = 105
+MATCH_WITH_TITLE = 106
+MATCH_WITH_TOKEN = 6
+MATCH_WITH_UID = 100
+MATCH_WITH_UPN = 208
+MATCH_WITH_URI = 206
+MATCH_WITH_USERNAME = 0
+MATCH_WITH_X400ADDRESS = 203
+
+TOKEN_TYPE_JKS = "JKS"
+TOKEN_TYPE_P12 = "P12"
+TOKEN_TYPE_PEM = "PEM"
+TOKEN_TYPE_USERGENERATED = "USERGENERATED"
+
+VIEW_RIGHTS = "/view_end_entity"
+EDIT_RIGHTS = "/edit_end_entity"
+CREATE_RIGHTS = "/create_end_entity"
+DELETE_RIGHTS = "/delete_end_entity"
+REVOKE_RIGHTS = "/revoke_end_entity"
+HISTORY_RIGHTS = "/view_end_entity_history"
+APPROVAL_RIGHTS = "/approve_end_entity"
+HARDTOKEN_RIGHTS = "/view_hardtoken"
+HARDTOKEN_PUKDATA_RIGHTS = "/view_hardtoken/puk_data"
+KEYRECOVERY_RIGHTS = "/keyrecovery"
+
+ENDENTITYPROFILEBASE = "/endentityprofilesrules"
+ENDENTITYPROFILEPREFIX = "/endentityprofilesrules/"
+USERDATASOURCEBASE = "/userdatasourcesrules"
+USERDATASOURCEPREFIX = "/userdatasourcesrules/"
+UDS_FETCH_RIGHTS = "/fetch_userdata"
+UDS_REMOVE_RIGHTS = "/remove_userdata"
+
+CABASE = "/ca"
+CAPREFIX = "/ca/"
+ROLE_PUBLICWEBUSER = "/public_web_user"
+ROLE_ADMINISTRATOR = "/administrator"
+ROLE_SUPERADMINISTRATOR = "/super_administrator"
+REGULAR_CAFUNCTIONALTY = "/ca_functionality"
+REGULAR_CABASICFUNCTIONS = "/ca_functionality/basic_functions"
+REGULAR_ACTIVATECA = "/ca_functionality/basic_functions/activate_ca"
+REGULAR_RENEWCA = "/ca_functionality/renew_ca"
+REGULAR_VIEWCERTIFICATE = "/ca_functionality/view_certificate"
+REGULAR_APPROVECAACTION = "/ca_functionality/approve_caaction"
+REGULAR_CREATECRL = "/ca_functionality/create_crl"
+REGULAR_EDITCERTIFICATEPROFILES = "/ca_functionality/edit_certificate_profiles"
+REGULAR_CREATECERTIFICATE = "/ca_functionality/create_certificate"
+REGULAR_STORECERTIFICATE = "/ca_functionality/store_certificate"
+REGULAR_RAFUNCTIONALITY = "/ra_functionality"
+REGULAR_EDITENDENTITYPROFILES = "/ra_functionality/edit_end_entity_profiles"
+REGULAR_EDITUSERDATASOURCES = "/ra_functionality/edit_user_data_sources"
+REGULAR_VIEWENDENTITY = "/ra_functionality/view_end_entity"
+REGULAR_CREATEENDENTITY = "/ra_functionality/create_end_entity"
+REGULAR_EDITENDENTITY = "/ra_functionality/edit_end_entity"
+REGULAR_DELETEENDENTITY = "/ra_functionality/delete_end_entity"
+REGULAR_REVOKEENDENTITY = "/ra_functionality/revoke_end_entity"
+REGULAR_VIEWENDENTITYHISTORY = "/ra_functionality/view_end_entity_history"
+REGULAR_APPROVEENDENTITY = "/ra_functionality/approve_end_entity"
+REGULAR_LOGFUNCTIONALITY = "/log_functionality"
+REGULAR_VIEWLOG = "/log_functionality/view_log"
+REGULAR_LOGCONFIGURATION = "/log_functionality/edit_log_configuration"
+REGULAR_LOG_CUSTOM_EVENTS = "/log_functionality/log_custom_events"
+REGULAR_SYSTEMFUNCTIONALITY = "/system_functionality"
+REGULAR_EDITADMINISTRATORPRIVILEDGES = "/system_functionality/edit_administrator_privileges"
+REGULAR_EDITSYSTEMCONFIGURATION = "/system_functionality/edit_systemconfiguration"
+REGULAR_VIEWHARDTOKENS = "/ra_functionality/view_hardtoken"
+REGULAR_VIEWPUKS = "/ra_functionality/view_hardtoken/puk_data"
+REGULAR_KEYRECOVERY = "/ra_functionality/keyrecovery"
+
+HARDTOKEN_HARDTOKENFUNCTIONALITY = "/hardtoken_functionality"
+HARDTOKEN_EDITHARDTOKENISSUERS = "/hardtoken_functionality/edit_hardtoken_issuers"
+HARDTOKEN_EDITHARDTOKENPROFILES = "/hardtoken_functionality/edit_hardtoken_profiles"
+HARDTOKEN_ISSUEHARDTOKENS = "/hardtoken_functionality/issue_hardtokens"
+HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS = "/hardtoken_functionality/issue_hardtoken_administrators"
+
+RESPONSETYPE_CERTIFICATE = "CERTIFICATE"
+RESPONSETYPE_PKCS7 = "PKCS7"
+RESPONSETYPE_PKCS7WITHCHAIN = "PKCS7WITHCHAIN"
+
+NOT_REVOKED = -1
+REVOKATION_REASON_UNSPECIFIED = 0
+REVOKATION_REASON_KEYCOMPROMISE = 1
+REVOKATION_REASON_CACOMPROMISE = 2
+REVOKATION_REASON_AFFILIATIONCHANGED = 3
+REVOKATION_REASON_SUPERSEDED = 4
+REVOKATION_REASON_CESSATIONOFOPERATION = 5
+REVOKATION_REASON_CERTIFICATEHOLD = 6
+REVOKATION_REASON_REMOVEFROMCRL = 8
+REVOKATION_REASON_PRIVILEGESWITHDRAWN = 9
+REVOKATION_REASON_AACOMPROMISE = 10
+
+
+class HTTPSClientAuthHandler(get_https_handler()):
+
+    def __init__(self, key, cert):
+        get_https_handler().__init__(self)
+        self.key = key
+        self.cert = cert
+
+    def https_open(self, req):
+        return self.do_open(self.get_connection, req)
+
+    def get_connection(self, host, timeout=5):
+        if sys.version_info[0] >= 3:
+            return http.client.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, timeout=timeout)
+        else:
+            return httplib.HTTPSConnection(host, key_file=self.key, cert_file=self.cert, timeout=timeout)
+
+
+class HTTPSClientCertTransport(suds.transport.http.HttpTransport):
+
+    def __init__(self, key, cert, *args, **kwargs):
+        suds.transport.http.HttpTransport.__init__(self, *args, **kwargs)
+        self.key = key
+        self.cert = cert
+
+    def u2open(self, u2request, timeout=None):
+        tm = timeout or self.options.timeout
+        if sys.version_info[0] >= 3:
+            url = urllib.request.build_opener(HTTPSClientAuthHandler(self.key, self.cert))
+        else:
+            url = urllib2.build_opener(HTTPSClientAuthHandler(self.key, self.cert))
+        if self.u2ver() < 2.6:
+            socket.setdefaulttimeout(tm)
+            return url.open(u2request)
+        else:
+            return url.open(u2request, timeout=tm)
+
+
+class Ejbca(object):
+
+    def __init__(self, url, cert=None, key=None):
+        self.url = url
+        self.cert = cert
+        self.key = key
+        self.transport = HTTPSClientCertTransport(self.key, self.cert) if self.cert else None
+        self.wsclient = suds.client.Client(self.url, transport=self.transport)
+
+
+    def get_version(self):
+        return self.wsclient.service.getEjbcaVersion()
+
+
+    def get_users(self):
+        return self.find_user(MATCH_WITH_DN, MATCH_TYPE_CONTAINS, "=")
+
+
+    def find_user(self, matchwith, matchtype, matchvalue):
+        usermatch = self.wsclient.factory.create('userMatch')
+        usermatch.matchwith = matchwith
+        usermatch.matchtype = matchtype
+        usermatch.matchvalue = matchvalue
+        return self.wsclient.service.findUser(usermatch)
+
+
+    def edit_user(self, user):
+        return self.wsclient.service.editUser(user)
+
+
+    def _decode_ejbca_cert(self, double_mess):
+        single_mess = base64.b64decode(double_mess)
+        cert_data = base64.b64decode(single_mess)
+        cert = M2Crypto.X509.load_cert_string(cert_data, M2Crypto.X509.FORMAT_DER)
+        return cert
+
+
+    def pkcs10_request(self, username, password, pkcs10, hardTokenSN, responseType):
+        res = self.wsclient.service.pkcs10Request(
+            arg0=username,
+            arg1=password,
+            arg2=pkcs10,
+            arg3=hardTokenSN,
+            arg4=responseType)
+        return self._decode_ejbca_cert(res["data"])
+
+
+    def find_certs(self, loginName, validOnly=False):
+        reslist = self.wsclient.service.findCerts(
+            arg0=loginName,
+            arg1=validOnly)
+        certs = []
+        for res in reslist:
+            double_mess = res["certificateData"]
+            if double_mess is not None:
+                cert = self._decode_ejbca_cert(double_mess)
+                cert.ejbca_status = res["type"]
+                certs.append(cert)
+        return certs
--- a/warden_ra/openssl.cnf.example
+++ b/warden_ra/openssl.cnf.example
+# OpenSSL root CA configuration file.
+# Copy to `/root/ca/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /var/spool/example-ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+unique_subject    = no
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = CZ
+stateOrProvinceName_default     = Czech Republic
+localityName_default            =
+0.organizationName_default      = Example
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "OpenSSL Generate Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+
--- a/warden_ra/warden_apply.sh
+++ b/warden_ra/warden_apply.sh
+#!/bin/bash
+
+key=key.pem
+csr=csr.pem
+cert=cert.pem
+result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
+config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
+if [ "$1" == "--cacert" ]; then
+  cacert="--cacert $2"
+  shift
+  shift
+fi
+url="$1"
+client="$2"
+password="$3"
+incert="$3"
+inkey="$4"
+
+trap 'rm -f "$config $result"' INT TERM HUP EXIT
+
+function flee { echo -e "$1"; exit $2; }
+
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} [--cacert CERT] url client.name password\n       ${0%.*} [--cacert CERT] url client.name cert_file key_file" 255
+
+url="${url%/}/getCert"
+
+for n in openssl curl; do
+    command -v "$n" 2>&1 >/dev/null || flee "Haven't found $n binary." 251
+done
+for n in "$csr" "$key" "$cert"; do
+    [ -e "$n" ] && flee "$n already exists, I won't overwrite, move them away first, please." 254
+done
+for n in "$result" "$config"; do
+    touch "$n" || flee "Error creating temporary file ($n)." 253
+done
+
+echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName=dummy" > "$config"
+
+openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" || flee "Error generating key/certificate request." 252
+
+if [ -z "$inkey" ]; then
+    curl --progress-bar $cacert --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
+else
+    # local cert file name may be interpreted as a "nickname", add "./" to force interpretation as a file
+    if [[ ! "$incert" =~ "/" ]]; then
+        incert="./$incert"
+    fi
+    curl --progress-bar $cacert --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
+fi
+
+case $(<$result) in '-----BEGIN CERTIFICATE-----'*)
+    mv "$result" "$cert"
+    flee "Succesfully generated key ($key) and obtained certificate ($cert)." 0
+esac
+
+flee "$(<$result)\n\nCertificate request failed. Please save all error messages for communication with registration authority representative." 252
--- a/warden_ra/warden_ra.cfg.dist
+++ b/warden_ra/warden_ra.cfg.dist
+{
+    "Log": {
+        "filename": "/var/log/warden_ra.log",
+        "level": "info"
+    },
+    "Registry": {
+
+// Example configuration for OpenSSL CA backend
+//        "type": "OpenSSLRegistry",
+//        "base_dir": "/var/spool/example-ca",
+//        "subject_dn_template": "DC=cz,DC=example-ca,DC=warden,CN=%s"
+
+// Example configuration for EJBCA backend
+//        "type": "EjbcaRegistry",
+//        "url": "https://ejbca.example.org/ejbca/ejbcaws/ejbcaws?wsdl",
+//        "cert": "warden_ra.cert.pem",
+//        "key": "warden_ra.key.pem",
+//        "ca_name": "Example CA",
+//        "certificate_profile_name": "Example",
+//        "end_entity_profile_name": "Example EE",
+//        "subject_dn_template": "DC=cz,DC=example-ca,DC=warden,CN=%s",
+//        "username_suffix": "@warden"
+
+    }
+}
--- a/warden_ra/warden_ra.py
+++ b/warden_ra/warden_ra.py
--- a/warden_ra/warden_ra.wsgi
+++ b/warden_ra/warden_ra.wsgi
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+from sys import path
+from os.path import dirname, join
+
+path.append(dirname(__file__))
+from warden_ra import build_server
+
+## JSON configuration with line comments (trailing #)
+from warden_ra import read_cfg
+application = build_server(read_cfg(join(dirname(__file__), "warden_ra.cfg")))
--- a/warden3/warden_server/LICENSE
+++ b/warden3/warden_server/LICENSE
--- a/warden3/warden_server/README
+++ b/warden3/warden_server/README
 +-------------------------+
-| Warden Server 3.0-beta2 |
+| Warden Server 3.0-beta3 |
 +-------------------------+

 Content
@@ -13,8 +13,8 @@ Content
 ------------------------------------------------------------------------------
 A. Introduction

-   Warden is a system for efficient sharing information about detected events
-(threats). Warden Server is server-side part of the software, the
+   Warden is a system for efficient sharing of information about detected
+events (threats). Warden Server is server-side part of the software, the
 communication hub, allowing to publish detected events and download yet
 unprocessed ones.

@@ -28,7 +28,7 @@ of Warden Server administration.
   Warden Server is Python/WSGI based, written primarily with Apache mod_wsgi
 in mind. Other WSGI servers/frameworks are not yet tested, so your mileage
 may vary. Authentication is X509 certificate (for machine or client
-identification) + shared secret (for client icentification, where
+identification) + shared secret (for client identification, where
 certificate does not suffice).

 ------------------------------------------------------------------------------
@@ -37,7 +37,7 @@ B. Dependencies
 1. Platform

    Python 2.7+
-	Apache 2.2
+	Apache 2.2/2.4
 	mod_wsgi 3.3+

 2. Python modules
@@ -46,6 +46,10 @@ B. Dependencies
    python-m2crypto 0.20+
    jsonschema 2.4+

+ 3. Database
+
+    MySQL | MariaDB >= 5.5
+
 ------------------------------------------------------------------------------
 C. Installation

@@ -54,32 +58,37 @@ C. Installation

   # cd /opt
   # tar xjf warden_server_3.0.tar.bz2
-   # ls
-   warden_server_3.0
+   # mv warden_server_3.0 warden_server

 * Create database and desired database users
   (We're using db "warden3" and user "warden@localhost" as an example.)

   # mysql -p

-   mysql> CREATE DATABASE warden3;
-   mysql> GRANT ALL ON warden3.* TO `warden`@`localhost`;
-   mysql> SET PASSWORD FOR 'warden'@'localhost' = PASSWORD('example');
-   mysql> FLUSH PRIVILEDGES;
+   > CREATE DATABASE warden3;
+   > CREATE USER 'warden'@'localhost' IDENTIFIED BY 'example';
+   > GRANT ALL ON warden3.* TO `warden`@`localhost`;
+   > FLUSH PRIVILEGES;

 * Create necessary table structure

-   mysql -p -u warden warden3 < warden3.0.sql
+   mysql -p -u warden warden3 < warden_3.0.sql
+
+ * Get up to date Idea schema
+
+   wget -O warden_server/idea.schema https://idea.cesnet.cz/_media/en/idea0.schema

 * Enable mod_wsgi, mod_ssl, include Warden configuration

   This depends heavily on your distribution and Apache configuration.
   Basically you need to create and include apache.conf:

-      Include /opt/warden_server_3.0/apache.conf
+      Include /opt/warden_server/apache.conf

   or paste the contents into whichever Directory, Location or VirtualHost
-   you dedicate for Warden. You can use apache.conf.dist as an example.
+   you dedicate for Warden.  You can use apache22.conf.dist or
+   apache24.conf.dist (for Apache version 2.2 or 2.4, respectively) as an
+   example.

   You may need to change paths to certificate/key/ca material, path to
   warden_server.wsgi and web path alias.
@@ -121,8 +130,9 @@ particular implementation object of the aspect, for example type of logger

 		Log: FileLogger, SysLogger
 		DB: MySQL
-		Auth: X509Authenticator, NoAuthenticator
-		Validator: JSONSchemaValidator, "NoValidator
+		Auth: X509Authenticator, X509NameAuthenticator,
+              X509MixMatchAuthenticator,PlainAuthenticator
+		Validator: JSONSchemaValidator, NoValidator
 		Handler: WardenHandler

 	"type" keyword is not mandatory, if not specified, first implementation
@@ -140,17 +150,31 @@ object from particular section list is used ("FileLogger" for example).
      facility: syslog facility, defaults to "daemon"
      level: least log level (CRITICAL, ERROR, WARNING, INFO, DEBUG)

-   NoAuthenticator: forego authentication, for debug purposes
-
   X509Authenticator: authenticate based on certificate chain validation,
       hostname corresponding with certificate CN or SubjectAltName and
-       optionally shared secret
+       optionally shared secret (note that more clients on one machine
+       will have to have the certificate with the same hostname, clients
+       than can be differentiated by separate secrets).
+       This method is OBSOLETE.
+
+    X509NameAuthenticator: authenticate based on certificate chain validation,
+        certificate CN must correspond with client _name_, NOT hostname.
+
+    X509MixMatchAuthenticator: automatically choose X509Authenticator or
+        X509NameAuthenticator based on existence of 'secret' in query. Allows
+        for seamless transition of clients between two authentication methods.
+
+   PlainAuthenticator: authenticate based on client name or shared secret, usable
+      over plain HTTP connection or HTTPS without client certificate - note that
+      this pretty much spoils security, and is meant only for testing and
+      debugging purposes, NOT for production servers

   NoValidator: forego event JSON validation, for debug purposes

   JSONSchemaValidator: validate incoming events based on JSON schema file
      filename: path to schema file, defaults to "idea.schema" at
-                installation directory
+                installation directory, for information on obtaining current
+                IDEA schema file, refer to https://idea.cesnet.cz/en/schema

   MySQL: database storage backend
      host: database server host, default "localhost"
@@ -208,7 +232,8 @@ warden_server.py register [--help] -n NAME -h HOSTNAME -r REQUESTOR
     -r REQUESTOR, --requestor REQUESTOR
                           requestor email
     -s SECRET, --secret SECRET
-                           authentication token
+                           authentication token (use explicit empty string to
+                           disable)
     --note NOTE           client freetext description
     --valid               valid client (default)
     --novalid

--- a/warden_server/README.test
+++ b/warden_server/README.test
--- a/warden3/warden_server/apache.conf.dist
+++ b/warden3/warden_server/apache.conf.dist
 SSLEngine on

-SSLVerifyClient require
+SSLVerifyClient optional
 SSLVerifyDepth 4
 SSLOptions +StdEnvVars +ExportCertData

 #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

-SSLCertificateFile      /opt/warden_server_3/etc/cert.pem
-SSLCertificateKeyFile   /opt/warden_server_3/etc/key.pem
-SSLCACertificateFile    /opt/warden_server_3/etc/tcs-ca-bundle.pem
+SSLCertificateFile      /opt/warden_server/etc/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/etc/key.pem
+SSLCACertificateFile    /opt/warden_server/etc/tcs-ca-bundle.pem

-WSGIScriptAlias /warden3 /opt/warden_server_3/warden_server.wsgi
+WSGIScriptAlias /warden3 /opt/warden_server/warden_server.wsgi

-<Directory /opt/warden_server_3/warden_server.wsgi>
+<Directory /opt/warden_server/warden_server.wsgi>
    Order allow,deny
    Allow from all
 </Directory>
--- a/warden_server/apache24.conf.dist
+++ b/warden_server/apache24.conf.dist
+SSLEngine on
+
+SSLVerifyClient optional
+SSLVerifyDepth 4
+SSLOptions +StdEnvVars +ExportCertData
+
+#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+SSLCertificateFile      /opt/warden_server/etc/cert.pem
+SSLCertificateKeyFile   /opt/warden_server/etc/key.pem
+SSLCACertificateFile    /opt/warden_server/etc/tcs-ca-bundle.pem
+
+WSGIScriptAlias /warden3 /opt/warden_server/warden_server.wsgi
+
+<DirectoryMatch /opt/warden_server/warden_server.wsgi>
+	Require all granted
+</DirectoryMatch>
--- a/warden3/warden_server/catmap_mysql.json
+++ b/warden3/warden_server/catmap_mysql.json
--- a/warden3/warden_server/tagmap_mysql.json
+++ b/warden3/warden_server/tagmap_mysql.json
--- a/warden_server/test_warden_server.py
+++ b/warden_server/test_warden_server.py
--- a/warden3/warden_server/warden_3.0.sql
+++ b/warden3/warden_server/warden_3.0.sql
--- a/warden3/warden_server/warden_server.cfg.dist
+++ b/warden3/warden_server/warden_server.cfg.dist
--- a/warden3/warden_server/warden_server.py
+++ b/warden3/warden_server/warden_server.py
No results found