Remote Policy Decision Point service. It accepts a formatted policy
decision request and returns a positive/negative response.
Since the request and response information is critical, TLS should be
switched on to secure the communication.

Installation Howto
==================

The output of ./configure should be as follows.
[...]
Included components:
[...]
Charon service:        yes
[...]

After 'make' and 'make install', you can run the pdp service (named charon).

The approach to running the pdp service is the same as for other services,
such as the arex service.
You need to do two steps:
1. Write a configuration file which specifies the common configuration and
   the pdp service specific configuration.
2. Use the "arched" command line to run the pdp service.

For step 1, there is an example configuration file called charon_service.xml.example
in $ARC_LOCATION/share/doc/arc/. Besides the common configuration, you need to specify
some service-specific configuration as follows:
        <Service name="charon" id="charon_service">
            <!--The elements <Evaluator/>, <Policy/> and <Request/> are used to
            load the corresponding objects; the element <PolicyStore/> is used
            to get the location of the policy-->
            <charon:PolicyStore>
               <charon:Location Type="file">Policy_Example.xml</charon:Location>
               <!-- other policy location-->
            </charon:PolicyStore>
            <charon:Evaluator name="arc.evaluator" />
            <charon:Policy name="arc.policy" />
            <charon:Request name="arc.request" />
        </Service>
And you can also get the configuration schema from charon.xsd in the same directory.

Normally you don't need to change <charon:Evaluator/>, <charon:Policy/> and <charon:Request/>,
since they only need to be changed when you want to use some other kind of policy evaluation
engine.
What you normally need to change is <charon:PolicyStore/>. You can specify one or more policies
here by using one or more <charon:Location/> elements. The currently supported type is "file";
other types such as database will probably be supported in the future.

For step 2, use the "arched" daemon command line to run the pdp service:
./arched -c charon_service.xml -f

Usage Howto
============

The Charon service can be invoked in two ways:
1. by the client "arcdecision";
2. by the pdpinvoker plugin, which can be plugged into a SecHandler,
   which in turn can be plugged into a service (the plugging is based
   on the configuration file). For how to configure pdpinvoker into
   a service, see the configuration file for the echo service.

More detailed explanation:
Since the Charon service is a normal service, the client "arcdecision" is a
prototype client which sends a policy decision request to the Charon
service and gets back the policy decision result.
On the client side, you can run the arcdecision command as follows:
./arcdecision -c pdp_client.xml -d DEBUG https://127.0.0.1:60000/Charon pdp_request.xml

On the other hand, the Charon service will more commonly serve policy
enforcement points which are in fact services as well. So there is
a security plugin called "pdpinvoker" which can be configured and used
by any service. The configuration of pdpinvoker is as follows, and
you can get the configuration schema from src/hed/pdc/pdpserviceinvoker/ArcPDPServiceInvoker.xsd.
From the following piece of configuration for "echo", you can see how to
configure pdpserviceinvoker: <PDP name="pdpservice.invoker"/>
Notice that since the pdpserviceinvoker is actually a client to the charon service,
it should have its own credential configuration. But you can of course use the
same credential as the host service (the "echo" service).
        <Service name="echo" id="echo">
            <SecHandler name="arc.authz" id="authz" event="incoming">
              <PDP name="simplelist.pdp" location="simplelist"/>
              <PDP name="arc.pdp">
                <PolicyStore>
                  <Location type="file">Policy_Example.xml</Location>
                  <!-- other policy location-->
                </PolicyStore>
              </PDP>
              <!--Remote pdp service (charon) invoking-->
              <PDP name="pdpservice.invoker">
                <ServiceEndpoint>https://127.0.0.1:60000/Charon</ServiceEndpoint>
                <KeyPath>./key.pem</KeyPath>
                <CertificatePath>./cert.pem</CertificatePath>
                <CACertificatePath>./ca.pem</CACertificatePath>
              </PDP>
              <PDP name="delegation.pdp"/>
            </SecHandler>
            <next id="echo"/>
            <echo:prefix>[ </echo:prefix>
            <echo:suffix> ]</echo:suffix>
        </Service>

In charon_service.xml.example there are two services: the charon service and the echo service.
You can run both of them (or more services) in the same container. But notice that if you
switch on the pdpserviceinvoker under the echo service, you cannot point the <ServiceEndpoint>
of this pdpserviceinvoker at the pdp service in the same container. Instead you should point
the <ServiceEndpoint> at another container or node.
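Because the three requirements above (TLS on the decision channel, an own credential for the invoker, and no <ServiceEndpoint> pointing at a charon instance in the same container) are easy to get wrong in a hand-edited container configuration, here is a small pre-start check. It is an added example and not part of the ARC/Charon code. It assumes the configuration is plain XML with <Service>, <SecHandler> and <PDP> elements laid out as in the snippets above; the xmlns URIs and the wrapping <ArcConfig> root in the sample are constructed for the example, and treating a loopback endpoint as "the charon in this container" is a heuristic, not something the README defines.

```python
"""Pre-start sanity checks for pdpservice.invoker entries in a container config.

Added example, not part of the ARC/Charon distribution. Assumes the layout of
<Service>/<SecHandler>/<PDP> shown in the README; namespace URIs are invented
placeholders so that the charon:/echo: prefixes parse.
"""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

# Constructed sample: the README's charon and echo snippets wrapped in an
# assumed <ArcConfig> root with placeholder namespace declarations.
SAMPLE_CONFIG = """<ArcConfig xmlns:charon="urn:example:charon" xmlns:echo="urn:example:echo">
  <Service name="charon" id="charon_service">
    <charon:PolicyStore>
      <charon:Location Type="file">Policy_Example.xml</charon:Location>
    </charon:PolicyStore>
    <charon:Evaluator name="arc.evaluator" />
    <charon:Policy name="arc.policy" />
    <charon:Request name="arc.request" />
  </Service>
  <Service name="echo" id="echo">
    <SecHandler name="arc.authz" id="authz" event="incoming">
      <PDP name="pdpservice.invoker">
        <ServiceEndpoint>https://127.0.0.1:60000/Charon</ServiceEndpoint>
        <KeyPath>./key.pem</KeyPath>
        <CertificatePath>./cert.pem</CertificatePath>
        <CACertificatePath>./ca.pem</CACertificatePath>
      </PDP>
    </SecHandler>
    <next id="echo"/>
  </Service>
</ArcConfig>
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
CREDENTIAL_ELEMENTS = ("KeyPath", "CertificatePath", "CACertificatePath")


def check_invokers(config_xml: str) -> List[str]:
    """Return a list of findings for every pdpservice.invoker in the config.

    An empty list means no problem was found.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # Is a charon service hosted by this very container?
    local_charon = any(svc.get("name") == "charon" for svc in root.iter("Service"))

    for svc in root.iter("Service"):
        for pdp in svc.iter("PDP"):
            if pdp.get("name") != "pdpservice.invoker":
                continue
            where = "service '%s'" % svc.get("name")
            endpoint = pdp.findtext("ServiceEndpoint", default="").strip()
            if not endpoint:
                findings.append("%s: pdpservice.invoker has no <ServiceEndpoint>" % where)
                continue
            url = urlparse(endpoint)
            # Decision requests and responses are critical: require TLS.
            if url.scheme != "https":
                findings.append("%s: endpoint %s is not https; decision traffic "
                                "would be unprotected" % (where, endpoint))
            # The invoker is a client to charon and needs its own credential.
            for cred in CREDENTIAL_ELEMENTS:
                if not pdp.findtext(cred, default="").strip():
                    findings.append("%s: missing <%s> for the invoker's own credential"
                                    % (where, cred))
            # Heuristic (assumption): a loopback endpoint while charon runs in
            # this container almost certainly targets that local instance.
            if local_charon and url.hostname in LOOPBACK_HOSTS:
                findings.append("%s: endpoint %s targets the charon service in the same "
                                "container; use another container or node" % (where, endpoint))
    return findings


if __name__ == "__main__":
    for finding in check_invokers(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run it against the real container file by reading it into a string and passing it to check_invokers; on the README's own sample it reports exactly one finding, the loopback endpoint next to a co-hosted charon service.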
