Use of the Default Encrypted Password.
Each iRODS server has a server configuration file (iRODS/server/config/server.config)
which stores information (location, login, etc.) about the iCAT
database server (PostgreSQL) and rules sets, etc. used. This file
stores the iCAT database password in an encrypted form and allows the
server access to the iCAT database whether it is local to that server
or if it is located on another server (resource) in the system (zone).
Note: RCAT is sometimes mentioned in the comments in the server.config file and also in some places within the ICAT database – RCAT is a deprecated name for iCAT. An iRODS system (a zone) stores iRODS user names and passwords (in an encrypted form) in the iCAT database.
Also on the client machine the .irods/.irodsA file contains the encrypted password for the account described in .irods/.irodsEnv. The .irods/.irodsEnv file may be created or copied by hand but the .irods/.irodsA file is created using the 'iinit' which asks for the password and stores it in the .irods/.irodsA file.
When running rules the iRODS server ‘remembers’ that you authenticated and then recreates that context in the irodsReServer (for delayed rules). For immediate rules (in the irodsAgent), the client context is your irods user.
Use of the Grid Security Infrastructure (GSI).
iRODS supports GSI (Grid Security Infrastructure) as an authentication method. Both clients and servers need to be built with the GSI option when using the irodssetup script and you also you need to provide details of the globus location, etc.
iRODS servers run as a non-root user, (they don't have access to the private key and can't use the host certificate) so use whatever key is specified in the GSI environment. The GSI environment must be set up prior to starting a GSI-enabled iRODS server (using irodsctl start). The environment can be setup either by:
iRODS users can authenticate with GSI and can also now set the environment variable SERVER_DN to authenticate the server via the GSI system (perform mutual authentication). Even when GSI is set up users can still use the iRODS password system if desired.
Use of Kerberos.
Kerberos is now available for iRODS, it handles the authentication of users and the particular iRODS system (zone) is regarded as a service in Kerberos parlance. The following notes are additional to the description provided in the iRODS link above.
Clearly a Kerberos realm with which to interact, must be available.
About the iRODS system:
This will not work with the iRODS web browser.
Future Use of Shibboleth
The Shibboleth SP is currently only implemented in C++ as a module for Apache, IIS, and NSAPI.Shibboleth could be used with / within iRODS in a few ways, including:
Please refer to the legal disclaimer covering content on this site.