


          Digital Equipment Corporation - Draft






                                  SPX Installation


                                  Kannan Alagappan


                            Digital Equipment Corporation

                              sphinx-request@crl.dec.com

                                        DRAFT




                                      May, 1991



          1  Introduction

          SPX is an authentication service that enhances security in
          open networks by using public key technology.  The purpose of
          this document is to describe the SPX installation procedure.
          Administrators should read the document SPX Guide before
          installing the SPX kit.  In the next section, we discuss how to
          get the SPX kit distribution.  Section 3 presents the export
          restrictions placed on the SPX crypto algorithm sources.  In
          Section 4, we briefly give an overview of the subdirectories in
          the SPX kit.  Section 5 explains how to build and verify the
          kit.  Section 6 presents the steps for selecting an X.500
          domain prefix and installing SPX.  In Section 7, we describe the
          procedure for creating the CA hierarchy, creating the CDC
          database, and starting the CDC server.


          2  SPX Distribution

          The SPX kit comes in two components:  (1) the kit without the
          sources for the DES and RSA crypto algorithms (publicly available),
          and (2) the sources for the DES and RSA crypto algorithms (export
          controlled).  The crypto sources will be distributed only to
          individuals who declare themselves to be US citizens working in the
          US.  Note that the publicly available source kit is essentially
          useless without the crypto algorithms in either source or binary
          form.

          Digital's SPX authentication service is also known as Sphinx.
          The SPX kit is available from the Internet host crl.dec.com
          (address 192.58.206.2) via anonymous FTP in the /pub/DEC/SPX
          directory.  Users can obtain the following files:

           SPX.v2.*-beta.tar.Z  - SPX sources (without the crypto algorithms)

           SPX.v2.*-doc.tar.Z   -  SPX documentation

           SPX-README -  README distribution notes

           kit-verifier.tar.Z  - sources for kit verifier program

           SPX-FORMS  - forms to request crypto algorithms

          An SPX mailing list has been created for discussions related to
          the deployment of the SPX public key based authentication service.
          The mailing list is intended to cover a wide range of issues
          including:

           Issues related to deployment of SPX, including technical
            issues, deployment status, availability, etc.
           Issues related to protocol extensions, API issues,
            clarification of details, unpublished changes, etc.

          Please send contributions to the list at "sphinx@crl.dec.com".
          Administrative requests, e.g., additions to or deletions from
          the list, should be sent to "sphinx-request@crl.dec.com".


          3  SPX Restrictions

          SPX contains cryptographic code for performing RSA and DES
          operations.  The crypto algorithm source code is subject to U.S.
          export restrictions under the U.S. Department of State's
          International Traffic in Arms Regulations (22 CFR Subchapter M).
          Access to the SPX crypto algorithm source code will be granted
          on the condition that the recipient agrees not to disclose
          information found in the crypto sources to people who are not
          authorized to access the information.

          SPX uses the patented RSA algorithm, and the RSA implementation
          in the source distribution is copyrighted.  Access to the SPX
          sources will be granted on the condition that the recipient
          agrees not to tamper with either the RSA algorithm or the
          certification authority functions.  The recipient is not
          authorized to use the RSA algorithm from SPX beyond its intended
          use in the SPX software.








          4  Contents of SPX kit

          The SPX kit contains the following:

                  ./doc           -  documentation

                  ./kit-verifier  - kit verifier source code

                  ./link-kit      - script for creating a linked build tree

                  ./src           - SPX source code

                  ./src/admin     - administrative utilities
                                    (createkey, createcertif, etc.)

                  ./src/appl/bsd  - Berkeley r-tools with SPX authentication
                                    (flogin, fcp, fsh)

                  ./src/include   - include files

                  ./src/lib       - SPX libraries

                  ./src/lib/api   - SPX library routines

                  ./src/lib/auth  - ASN.1 and certificate format

                  ./src/lib/cdb_gdbm - CDC database (server side)

                  ./src/lib/cdc  - CDC client stubs

                  ./src/lib/crypto  - crypto support routines

                  ./src/lib/crypto/algorithm - crypto algorithm sources

                  ./src/lib/crypto/bignum   - INRIA BigNum package

                  ./src/lib/gdbm  - gdbm database

                  ./src/lib/gssapi - GSSAPI library routines

                  ./src/lib/isode - isode library

                  ./src/man       - man pages

                  ./src/server    - CDC utilities and server
                                    (cdb_init, cdc_server, etc.)

                  ./src/user      - utilities for credential management
                                    (spxinit, spxlist, install_server, etc.)





          5  Verifying and Building the SPX kit

          Users can verify their SPX kit by checking that the MD2 checksum
          computed over the compressed and tarred kit matches the
          checksum in the SPX-README file located on crl.dec.com in the
          /pub/DEC/SPX directory.  Users should uncompress and untar the
          kit verifier program.  If they don't trust the MD2 source code
          provided, they can obtain the source code from RFC 1115.  After
          making the kit verifier program, users can run the md2-file
          program with the kit file as input.  If the checksum matches the
          checksum in the SPX-README file for this particular version,
          then the kit was not corrupted or altered in transit.  Note that
          the checksum is fetched from the same host as the kit, so it does
          not protect against an attacker who can modify both the kit and
          SPX-README; where possible, confirm the published checksum over
          a second channel (for example, the mailing list).

          sejour> md2-file SPX.v2.1-beta.tar.Z
          1000000 bytes processed.
          computed digest: 1234567890abcdef1234567890abcdef

          SPX is intended to be portable software for UNIX(**), TCP/IP
          platforms.  Currently, we have ported SPX to the Ultrix VAX and
          MIPS platforms.  If changes are needed for porting SPX to other
          systems, we would like to incorporate these changes in future
          SPX releases.  Users can send diffs of files to
          sphinx-info@crl.dec.com.

          Uncompress and untar the SPX kit.  Before building SPX, users
          need the crypto algorithm sources.  These can be obtained by
          following the instructions in SPX-FORMS.  The crypto algorithm
          sources, a compressed tar archive of the algorithm directory in
          uuencoded form, will be mailed back to users.  Users need to
          install this directory in their SPX kit.

          sejour> uncompress SPX.v2.2-beta.tar.Z ; tar xf SPX.v2.2-beta.tar

          sejour> ls
          SPX.v2.2-beta

          The top level SPX directory, SPX.v2.2-beta, will be referred to
          as [SPX_TOP] in this document.

          sejour> cd [SPX_TOP]/src/lib/crypto
          sejour> uudecode spxalgorithm.tar.Z.uu ; uncompress spxalgorithm.tar.Z
          sejour> tar xf spxalgorithm.tar
          sejour> mv spxalgorithm algorithm



		** UNIX is a trademark of AT&T






          If you want to set up a build directory, edit the link-kit shell
          script so that SPXDIR points to the SPX kit.  Issue the link-kit
          command with the name of the build directory, referred to as
          BUILDDIR (e.g., spx.v2.2-mips).  Now, edit the top level
          Makefile in the build directory, set the processor type, and
          issue the make command to build the sources.

          After the sources are built, install the executables in a
          directory that is in everyone's path.


          6  SPX Installation

          Before installing the SPX kit, the administrator should select
          the most suitable X.500 name prefix for the local domain.  One
          procedure to minimize the risk of a name conflict is for the
          administrator to have their Organization name registered with
          RSADSI.  This involves requesting a cross certificate issued by
          RSADSI for the domain prefix.  If two domains select the same
          domain prefix, RSADSI will inform the second requester that this
          name has already been used and that a new domain prefix should be
          selected.  Since RSADSI is acting as the "central" Internet-wide
          Certification Authority, it is capable of detecting name conflicts
          among multiple Organizations.  If the domain prefix name needs to
          be changed in the future, the administrator for the domain would
          need to reissue the subordinate certificates for all principals.

          Once the administrator has selected a domain prefix, the X.500
          name should be maintained in the /etc/cdc.conf configuration file.
          Each host that is part of the local domain needs to have a
          configuration file with its domain prefix.

          sejour> cat /etc/cdc.conf
          /C=US/O=Digital/OU=LKG

          Next, administrators should select the host for the CDC database;
          by default the CDC server runs on this host.  Since the
          database can be NFS mounted on other hosts, multiple CDC servers
          can exist for a domain.  *[ Warning: gdbm is architecture
          dependent, therefore machines which NFS mount the CDC database
          must be of the same type.  NFS mounting the CDC database to SUNs
          and VAXs will not work. ]*  Thus, the CDC database is not
          replicated, but the CDC servers are replicated.







          Each host needs to know where its CDC servers are located and
          where the CDC servers for remote domains are located.  This
          information is maintained in a configuration file known as
          /etc/cdc.servers.  Given a domain prefix name, this file lists
          the servers for that CDC domain.  Note that servers are
          contacted in the order specified by the list.

          sejour> cat /etc/cdc.servers
          /C=US/O=Digital/OU=LKG filesv.lkg.dec.com sejour.lkg.dec.com
          /C=US/O=Digital/OU=LTN adlman.ssg.ltn.dec.com
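          The following added example (not part of the SPX kit) parses
          the two files shown above and resolves which CDC servers to
          contact, in order, for a given principal.  The sample file
          contents are constructed to match the cat output.  The text says
          only that each cdc.servers line is a domain prefix followed by
          its servers; the rule used here, that a principal belongs to the
          longest configured prefix whose RDNs lead its own name, is an
          assumption of the example.

```python
# Added example: checks for /etc/cdc.conf and /etc/cdc.servers; not SPX kit code.

# Constructed sample file contents, matching the cat output in the text.
CDC_CONF = "/C=US/O=Digital/OU=LKG\n"
CDC_SERVERS = (
    "/C=US/O=Digital/OU=LKG filesv.lkg.dec.com sejour.lkg.dec.com\n"
    "/C=US/O=Digital/OU=LTN adlman.ssg.ltn.dec.com\n"
)


def _rdns(name: str) -> list:
    """Split an X.500 name such as /C=US/O=Digital/OU=LKG into its RDNs."""
    parts = [p for p in name.strip().split("/") if p]
    if not name.startswith("/") or not parts or not all("=" in p for p in parts):
        raise ValueError(f"malformed X.500 name: {name!r}")
    return parts


def parse_cdc_conf(text: str) -> str:
    """Return the local domain prefix; cdc.conf holds exactly one name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("cdc.conf must contain exactly one domain prefix")
    _rdns(lines[0])
    return lines[0]


def parse_cdc_servers(text: str) -> dict:
    """Map each domain prefix to its CDC servers, preserving contact order."""
    table = {}
    for ln in text.splitlines():
        fields = ln.split()
        if not fields:
            continue
        prefix, servers = fields[0], fields[1:]
        _rdns(prefix)
        if not servers:
            raise ValueError(f"no servers listed for {prefix}")
        if prefix in table:
            raise ValueError(f"duplicate cdc.servers entry for {prefix}")
        table[prefix] = servers
    return table


def servers_for_principal(name: str, table: dict) -> list:
    """CDC servers to try, in order, for a principal's full X.500 name.

    Assumption of this example: the principal belongs to the longest
    configured prefix whose RDNs lead its name, compared RDN by RDN so
    that OU=LKG does not match OU=LKG2.
    """
    rdns = _rdns(name)
    best, best_len = None, -1
    for prefix, servers in table.items():
        p = _rdns(prefix)
        if rdns[:len(p)] == p and len(p) > best_len:
            best, best_len = servers, len(p)
    if best is None:
        raise LookupError(f"no CDC domain configured for {name}")
    return list(best)


def check_local_domain(conf_text: str, servers_text: str) -> list:
    """Fail fast if the host's own domain has no cdc.servers entry."""
    local = parse_cdc_conf(conf_text)
    table = parse_cdc_servers(servers_text)
    if local not in table:
        raise LookupError(f"local domain {local} is missing from cdc.servers")
    return list(table[local])


if __name__ == "__main__":
    table = parse_cdc_servers(CDC_SERVERS)
    print("local servers:", check_local_domain(CDC_CONF, CDC_SERVERS))
    print("for Kannan:", servers_for_principal(
        "/C=US/O=Digital/OU=LKG/OU=Users/CN=Kannan Alagappan", table))
```

          check_local_domain is the check worth running on every host in
          the domain: a host whose cdc.conf prefix has no cdc.servers
          line cannot reach its own CDC at all.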

          The application and CDC server ports should be entered in the
          /etc/services file, and the service names should be entered in
          the /etc/inetd.conf file.  Users are referred to the
          [SPX_TOP]/src/install directory for the additions to both files.
          For example, add the following to the /etc/services file (check
          first that ports 221, 222 and 223 are not already assigned to
          other services on the host).

                  flogin          221/tcp
                  fshell          222/tcp
                  cdc             223/tcp         cdc
                  cdc             223/udp         cdc

          Add the following to the /etc/inetd.conf file.

                  flogin stream  tcp  nowait  /usr/etc/flogind  flogind
                  fshell stream  tcp  nowait  /usr/etc/fshd     fshd

          Each system in the SPX domain needs these two files modified.
          After making the changes, restart the inetd process.  Next, the
          modified Berkeley r-tool applications need to be installed on
          each workstation.  The r-tool programs, called flogind,
          login.sphinx, fshd, fcp and flogin, should be added to the
          /usr/etc directory.


          7  Creating a new SPX domain and CDC database

          The cdb_setup utility will create a new Certification Authority
          hierarchy and an enrollment file.  The cdb_init utility, which
          should be executed by root, will create a new CDC database.
          Follow the instructions for cdb_setup and cdb_init below.











          The administrator should create a new directory, referred to as
          [SPX_KEYS], to keep SPX keys and certificates.  Note that
          cdb_setup is not a privileged utility.  Note also that this
          release generates 512-bit RSA keys, a size that is no longer
          considered secure against factoring.

          sejour> cd [SPX_KEYS]
          sejour> cdb_setup
          Welcome to the SPX CDC Setup program

          This utility will create a new domain Certification Authority
          hierarchy.
          Enter your domain prefix : /C=US/O=Digital/OU=LKG

          Your domain prefix entered is '/C=US/O=Digital/OU=LKG'.
          correct? [y] y
          Would you like to create new keys [n] ? y

          We will create 512-bit RSA keys and X.509 certificates for the
          domain level CA, Users CA, Servers CA, Administrator principal,
          and CDC server principal.  
          Note that you will need to remember at most 5 passwords (1 for
          each principal).  However, if you choose to use the same
          password for all your CAs, you will need to remember and
          type fewer passwords during setup.  This isn't a security
          threat as long as the passwords you enter are not 'easily
          guessable'.

          Would you like to use the convenient mode (i.e., same password
          for all your CAs) ? [y] y
          Enter your CA password: CApassword
          Verifying, please re-enter: CApassword

          Creating the domain level CA key ...
          Enter the local file name to store domain's key : LKG
          Some 'uncertainty' is needed to initialize the random
          number generator to generate your long term key.  Please
          enter up to 224 characters of text.  The quality of your key
          depends upon how 'uncertain' this input is.  When you
          think you have entered enough text, enter two successive
          carriage returns.

          sdfO*&^jhksdagfjklsatyvd978fahjfh_)(=jsdfjahwc
          gkraetkjhtakucjSDFJH`~43b
          KJDAOI  &*(%^&^T$RCZ 7896treFGuiy^&(#$%@78QUX JpioPUOLMVJr
          i}\H   [                                        H'?3KJYI
          _KGO:UTVSsd6-+UIOF8gtuyvt6UYiou76tu754vc9







          Thank you very much.

          name : OU=LKG

          Reminder : select password carefully (no dictionary words,
          names, places, etc.)
          Writing ... LKG_privkey, LKG_pubkey

          Creating the Users CA key ... in Users_privkey, Users_pubkey
          Some 'uncertainty' is needed to initialize the random
          number generator to generate your long term key.  Please
          enter up to 224 characters of text.  The quality of your key
          depends upon how 'uncertain' this input is.  When you
          think you have entered enough text, enter two successive
          carriage returns.

          *()&(*Y KLIYUBOIyskfhg_)(=jsdfjahwc
          gkraetkjhtakucjSDFJHasdf8adjhf
          KJ*&(67Jhgjkdsf7896987HJKL)&*Z 7896treFGuy^&(#PUO=MJradsf&*^
          i}\H   [        H'?3KJYI        &^GJGUYT*%^u754vc9dsfasdf

          Thank you very much.

          name : OU=Users

          Reminder : select password carefully (no dictionary words,
          names, places, etc.)
          Writing ... Users_privkey, Users_pubkey
          Creating the Servers CA key ... in Servers_privkey, Servers_pubkey

          Some 'uncertainty' is needed to initialize the random
          number generator to generate your long term key.  Please
          enter up to 224 characters of text.  The quality of your key
          depends upon how 'uncertain' this input is.  When you
          think you have entered enough text, enter two successive
          carriage returns.

          sdf ksdyfoiasy dio oiy yoiu6876b 89790^*&^DUYT(v8 ofyoh
          jkasdf8adjh34
          }{J*&(6!~q23wJKL)&sdfdsf HKJH  jhkjh kjhkZ;lksdj:"LK'lafjh
          jklajP
          i}\*(&^*&^%&^467/,.MN,.?.547654&^%$RDFHG241--7897790df

          Thank you very much.

          name : OU=Servers
          Reminder : select password carefully (no dictionary words,
          names, places, etc.)
          Writing ... Servers_privkey, Servers_pubkey





          Creating the administrator's key ... (select a new password)
          Enter your administrator's password: Adminpassword
          Verifying, please re-enter: Adminpassword
          Enter the local file name to store administrator's key : admin

          Some 'uncertainty' is needed to initialize the random
          number generator to generate your long term key.  Please
          enter up to 224 characters of text.  The quality of your key
          depends upon how 'uncertain' this input is.  When you
          think you have entered enough text, enter two successive
          carriage returns.

          piouufO*&^jhksdUIOYBIODFYSB(*& 6v98yhoiyUYNycy80d74d591H`~43b
          I^U*B*C7 6987c6qv5867831`2`01`0s;dljfkj HIUY oi y  hkjasdhiyb
          oiyb698OLMVJr
          io78990KL:J
          OPIUOU&(*W&BE9086wbgt9gvvw85cvg7c592-`==c-)*jcwesd||fdsf\zxc

          Thank you very much.

          Enter real name (default is 'admin') : Network Administrator

          name : CN=Network Administrator

          Reminder : select password carefully (no dictionary words,
          names, places, etc.)
          Writing ... admin_privkey, admin_pubkey
          Creating the cdc's key ... (select a new password)

          Enter your cdc's password: CDCpassword
          Verifying, please re-enter: CDCpassword
          Some 'uncertainty' is needed to initialize the random
          number generator to generate your long term key.  Please
          enter up to 224 characters of text.  The quality of your key
          depends upon how 'uncertain' this input is.  When you
          think you have entered enough text, enter two successive
          carriage returns.

          `1278965$&^%#ouufO*&^jhksdUIOYBSB(*& 6v98yhoiyUYNycyd591H`~4
          rtew
          [}U*B*C7 6987c6qv5867831`2`01`0s;dljfkj HIUY oi y  hkjasdhiyb
          oiyb698OLMVJr
          %76qwuiTo7 OPIUOU&(*Wbgt&^TYGygfuyf&^%&D%$@#4-0[ wiempooi

          Thank you very much.


          name : CN=cdc

          Reminder : select password carefully (no dictionary words,
          names, places, etc.)
          Writing ... cdc_privkey, cdc_pubkey






          Now we will create X.509 certificates

          Creating principal certificates for Users CA ... (enter domain
          CA's password)
          Writing ... LKG_certif_Users

          Creating principal certificates for Servers CA ... (enter domain
          CA's password)
          Writing ... LKG_certif_Servers

          Creating TA certificates for Users CA ... (enter User CA's
          password)
          Writing ... Users_certif_LKG
          Creating TA certificates for Servers CA ... (enter Server CA's
          password)
          Writing ... Servers_certif_LKG


          Creating cross certificate from Users CA to Servers CA... (enter
          Users CA's password)
          Making a cross certificate
          Writing ... Users_certif_Servers
          Creating cross certificate from Servers CA to Users CA... (enter
          Servers CA's password)
          Making a cross certificate
          Writing ... Servers_certif_Users

          Creating principal certificate for administrator ... (enter Users
          CA's password)
          Writing ... Users_certif_admin
          Creating principal certificate for CDC server ... (enter Servers
          CA's password)
          Writing ... Servers_certif_cdc

          Creating TA certificate for administrator ... (enter
          administrator's password)
          Writing ... admin_certif_Users
          Creating TA certificate for CDC server ... (enter CDC server's
          password)
          Writing ... cdc_certif_Servers


          Now we will create the enrollment file
          Enter the local enrollment file name : enrollfile
          Setup complete.









          sejour> cat enrollfile
          Users admin PRINCIPAL
          Servers cdc PRINCIPAL
          . Users CA
          . Servers CA
          Servers Users TACERTIF
          Users Servers TACERTIF
          sejour>

          Now, if the directory /var/sphinx/dbase doesn't exist, create
          it.  If you do not already have root privileges, become
          superuser and issue the cdb_init command.  The first two
          principals listed in the enroll file have administrative
          privileges for adding new principals to the database.  Each line
          also determines which files are read from the local directory,
          based on the two names it specifies.  The enroll file captures
          the CA hierarchy for the domain and should be understood prior
          to initializing the database as follows.

          sejour# cd [SPX_KEYS]
          sejour# cdb_init -f enrollfile
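          The certificate files written by cdb_setup form a small trust
          graph, and the enroll file records the same structure.  The
          following added example (not code from the SPX kit) reads the
          file names from the cdb_setup transcript as "X vouches for Y"
          edges (displaycertif LKG Users, shown later, reports that
          LKG_certif_Users has issuer OU=LKG and subject OU=Users) and
          finds the chain of certificates a principal would have to check
          to reach another principal, starting from its own TA certificate.
          That a verifier walks exactly these edges, and that the shortest
          chain is preferred, are assumptions of the example; it also shows
          what the two cross certificates buy by removing them.

```python
# Added example: certification paths over the files cdb_setup writes; not SPX kit code.
from collections import deque

# File names from the cdb_setup transcript.  X_certif_Y is signed by X about Y.
CERT_FILES = [
    "LKG_certif_Users", "LKG_certif_Servers",        # CA certificates from the domain CA
    "Users_certif_LKG", "Servers_certif_LKG",        # TA certificates of the two CAs
    "Users_certif_Servers", "Servers_certif_Users",  # cross certificates
    "Users_certif_admin", "Servers_certif_cdc",      # principal certificates
    "admin_certif_Users", "cdc_certif_Servers",      # TA certificates of the principals
]
CROSS_CERTS = {"Users_certif_Servers", "Servers_certif_Users"}


def parse_cert_name(filename: str) -> tuple:
    """Split X_certif_Y into (signer, subject); reject anything else."""
    signer, sep, subject = filename.partition("_certif_")
    if not sep or not signer or not subject or "_certif_" in subject:
        raise ValueError(f"not a certificate file name: {filename!r}")
    return signer, subject


def build_graph(files) -> dict:
    """graph[signer][subject] = name of the certificate signer issued for subject."""
    graph = {}
    for f in files:
        signer, subject = parse_cert_name(f)
        graph.setdefault(signer, {})[subject] = f
    return graph


def certification_path(verifier: str, target: str, graph: dict):
    """Shortest chain of certificate files from verifier's own TA to target.

    The first file is the verifier's TA certificate (its own statement of
    which CA it trusts); every later file is a certificate signed by a name
    reached earlier in the chain.  Returns None when no chain exists, e.g.
    for a principal that has not yet created a TA certificate.
    """
    if verifier not in graph:
        return None
    prev = {verifier: None}
    todo = deque([verifier])
    while todo:
        node = todo.popleft()
        if node == target:
            break
        for nxt, f in graph.get(node, {}).items():
            if nxt not in prev:
                prev[nxt] = (node, f)
                todo.append(nxt)
    if target not in prev:
        return None
    chain, node = [], target
    while prev[node] is not None:
        node, f = prev[node]
        chain.append(f)
    chain.reverse()
    return chain


if __name__ == "__main__":
    full = build_graph(CERT_FILES)
    print("admin -> cdc :", certification_path("admin", "cdc", full))
    print("cdc -> admin :", certification_path("cdc", "admin", full))
    # Without the cross certificates the chain has to climb to the domain CA.
    no_cross = build_graph([f for f in CERT_FILES if f not in CROSS_CERTS])
    print("admin -> cdc, no cross certs:", certification_path("admin", "cdc", no_cross))
    print("tardo (no TA yet) -> cdc :", certification_path("tardo", "cdc", full))
```

          With the cross certificates present, the administrator reaches
          the CDC server in two certificates beyond its own TA; without
          them the chain must pass through the domain CA, which is the
          case the TACERTIF lines of the enroll file avoid.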

          It should be noted that the public key and private key files
          contain the principal's RDN name and UUID.  The public key file
          is followed by the BER encoded key in ASCII hex, while the private
          key file has a hash of the principal's password and the BER
          encoded key encrypted under a hash of the principal's password.
          Since both files are ASCII, they can be easily passed around the
          network (via mail).  Because the private key file carries both a
          hash of the password and the key encrypted under it, anyone who
          obtains the file can test password guesses offline; treat private
          key files as sensitive and choose their passwords accordingly.
          Now, the administrator should start the cdc_server daemon on the
          master CDC host.  An example certificate created during
          cdb_setup is displayed as follows:

















          sejour> displaycertif LKG Users
          Display certificate contents on Fri Jan 4 16:00:10 1991
          Version:        v1992 (1)
          Serial Number: 1
          Signature Algorithm: 1.3.14.7.2.3.1 (OSI Implementors Workshop:
          RSA with MD2)
              NULL parameter type
          Issuer:   /C=US/O=Digital/OU=LKG
          Subject:  /C=US/O=Digital/OU=LKG/OU=Users
              Valid       from:   Fri Jan 4 15:56:56 1991
                  to:      Sat Jan 4 15:56:56 1992
          Subject Key Algorithm Identifier: 2.5.8.1.1  (ISO 9594-8: RSA)
              INTEGER parameter type (value = 512)
          Subject Public Key:
          e:  (1 BigNumDigit)
              10001
          n:  (17 BigNumDigits, 512 bits)
          D70F5A022A2570DFF4574CA373895FE264A0F8387F692EBCC6F86881853F73C
          CEF87D8FFC330227598A364BBEDDD264C96FB7776DE4A8765348AAEF465C5
          Issuer UID:     0d 57 41 27 a1 56 d3 01 41 52 50 41 10 14 20 6f
          Subject UID:    a0 e4 84 27 dd 48 8b 01 41 52 50 41 10 14 20 6f
          Signature Algorithm Identifier: 1.3.14.7.2.3.1  (OSI
          Implementors Workshop: RSA with MD2)
              NULL parameter type
          Signature:
          D675658ABCDD8764232A585BC785685576DFFF755781975EACC87893E33433
          65B653229EEAD6976775469876408768796B0a007687546BCE54343653652897
          EA6754B99CADE000

          A few other useful utilities are cdb_dump and cdb_load.
          These utilities are used to convert the gdbm database into an
          ASCII file and vice versa.  This allows efficient editing and
          merging of the database as necessary.  The utility cdb_list may
          be used to quickly list the keys and contents of principals who
          have been enrolled in the CDC database.  Once the CDC database
          has been created, the CDC daemon cdc_server should be started by
          the superuser.

          SPX allows principals to do autonomous distributed management
          during the enrollment process.  That is, a principal who would
          like to be added to the CDC database first creates its RSA keys
          wherever it would like (e.g., on a PC or on a private workstation,
          possibly in a different domain).  The principal then needs to
          create a trusted authority (TA) certificate for a CA that it is
          willing to trust.  In a network environment, the CA may mail its
          public key file to new principals so that they can create a TA
          certificate.  It is the principal's responsibility to ensure
          that the CA's public key is valid (for example, by confirming it
          with the administrator over a channel other than the mail that
          delivered it).  Similarly, the principal may mail its public key
          file to the CA so that the CA can create a user certificate.  The
          administrator for the SPX domain may use either the cdb_edit or
          the cdb_init utility to add the new user to the database.

          To support user enrollment, SPX provides an spx_enroll shell
          script in the [SPX_TOP]/src/install directory.  The
          administrator should modify the SPX_KEY_DIR and
          SPX_ADMINISTRATOR variables in the spx_enroll file.  Also, the
          spx_enroll file can be tailored to either mail the user's keys
          and certificate to the administrator, or copy the user's keys
          and certificate to a well-known directory.  Administrators can
          decide their own enrollment policy based on security requirements.
          Note that servers also need to be enrolled.  If the servers are
          under the control of individual users, then the users should
          also spx_enroll the server principals.  Otherwise, administrators
          should spx_enroll the servers.

          sejour> spx_enroll tardo Users
          sejour> spx_enroll sejour Servers

          The spx_enroll script creates the principal's keys and TA
          certificate.  Next, the administrator needs to create a
          principal certificate for each enrolled user or server.

          sejour> createcertif Users tardo

          sejour> createcertif Servers sejour

          Next, the principal's keys and certificates need to be added to
          the database either with the cdb_init utility using the "-a"
          option and a new enrollment file, or with the cdb_edit utility.
          Using the cdb_init utility is probably preferred if the
          administrator would like to register multiple principals at
          once.

          Users can change their password in the system by using the
          cdb_edit utility on the host with the master database.
          Modifying a password prompts for the principal's name relative
          to the domain (i.e., "ou=users/cn=kannan alagappan").  This
          routine gets the user's encrypted private key from the CDC and
          prompts for the old password and the new password.  If the old
          password is correct, it encrypts the private key using a hash of
          the new password and re-enters the key in the CDC database.

          7.1 Establishing SPX Credentials (network login)







          Servers establish their verifier credentials by using the
          install_server utility.

          sejour# install_server -h
          Usage: install_server [-lv] [-c ca_name] [servername]
                  -l    use local key and certificate files to establish
          credentials
                  -c   alternate CA for principal (default is
          'OU=Servers')
                          (default CA may be specified by SPX_LOCAL_CA
          variable)
                  -v    verbose mode

          sejour# install_server
          SPX install server
          server's name : sejour
          SPX install server for
                  '/C=US/O=Digital/OU=LKG/OU=Servers/CN=sejour'
          Password : password
          Users establish their claimant credentials by using the
          spxinit utility.

          sejour# spxinit -h
          Usage: spxinit [-lv] [-k key_size] [-t hours] [-c ca_name] [-n
          fullname]
                  -k    session key size (default 384)
                  -t    time interval for session (default 12 hours)
                  -l    use local key and certificate files to establish
          credentials
                  -c   alternate CA for principal (default is 'OU=Users')
                          (default CA may be specified by SPX_LOCAL_CA
          variable)
                  -n   real name for principal (default prompts for
          fullname)
                          (default fullname may be specified by
          SPX_LOCAL_NAME)
                  -v    verbose mode

          sejour# spxinit
          Enter full name with quotes (ie. John Doe) : Kannan Alagappan
          SPX Initialization for
                  '/C=US/O=Digital/OU=Users/CN=Kannan Alagappan'
          password : password








          sejour# spxlist
          Claimant Credentials for kannan
          fullname is '/C=US/O=Digital/OU=LKG/OU=Users/CN=Kannan Alagappan'
          uuid is 25 7d 51 26 97 00 2c 01 41 52 50 41 10 14 20 6f
          session keySize is 384 ; deleg_flag is ON
          credentials created locally : /tmp/claimant_kannan

                  not valid before   Wed Jan 9     9:15:46  1990
                  not valid after    Wed Jan 9    21:15:46  1990

          /C=US/O=Digital/OU=LKG/OU=Users/CN=Kannan Alagappan
                  has 3 Trusted Authorities
          TA #1 '/C=US/O=Digital/OU=LKG/OU=Users'

          TA #2 '/C=US/O=Digital/OU=LKG/OU=Servers'
          TA #3 '/C=US/O=Digital/OU=LKG'


          7.2 SPX authenticated application

          SPX supports the concept of global identity and network login.
          A user is assigned a global name based on his domain and simple
          name.  Access control decisions are based on global identities
          in a ".sphinx" ACL file in the local home directory.














