HP WBEM Services for HP-UX System Administrator Guide HP Part Number: 5900-1624 Published: April 2011
© Copyright 2010, 2011 Hewlett-Packard Company. All rights reserved Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents
1 Introduction to HP WBEM Services (page 5)
HP WBEM Services and common standards (page 5)
Common Information Model (page 5)
CIM in Extensible Markup Language (page 6)
CIM operations over HTTP
Verifying certificates (page 39)
User group authorization (page 40)
Namespace authorization (page 40)
5 Troubleshooting HP WBEM Services
1 Introduction to HP WBEM Services This chapter describes HP WBEM Services, the architecture, and how it functions with other products. HP WBEM Services is an implementation of the DMTF-WBEM standard on HP-UX systems. HP WBEM Services enables management solutions to deliver increased control of enterprise resources at reduced cost.
http://www.dmtf.org/standards/cim. For an overview of the data representation, see Appendix A (page 52). CIM in Extensible Markup Language The markup language for describing data on the web is Extensible Markup Language (XML). DMTF defines a standard for representing the CIM elements and messages in XML, referred to as CIM-XML. Since CIM-XML provides a standard way of describing data, any WBEM client can access CIM data on any WBEM-enabled system.
The CIM repository is modified using CIM operations, which can be supplied in an XML file. Information can be entered into the repository either as MOF files using the cimmof command or as CIM-XML files using the wbemexec command. The wbemexec command executes the CIM operations contained in the XML file, such as CreateClass or CreateInstance. For more information on maintaining the repository, see “Maintaining the repository” (page 31).
How HP WBEM Services works
This section describes how HP WBEM Services processes requests received from management clients, collaborates with the respective providers, and returns information to those clients. In general, HP WBEM Services can receive requests from clients running on different kinds of systems and platforms, as long as the requests conform to the DMTF CIM-XML standard. HP WBEM Services processes these client requests and passes them to the appropriate providers.
• “Software Distributor Provider”
• “IOTree Provider”
For more information on these providers, see “Providers available with HP WBEM Services” (page 22). Several other HP providers that support the WBEM standard are available. For more information on HP providers that support WBEM, see the Provider Data sheets available at: http://www.docs.hp.com —> Network and Systems Management —> HP WBEM Providers.
Figure 2 HP WBEM Services Processing Requests Any client request that is sent as an HTTP request to HP WBEM Services is a CIM operation. The request is encoded in CIM-XML. The HTTP server of HP WBEM Services listens for the CIM messages on the wbem-http or wbem-https port.
1. The client connects to the HTTP server. A remote client sends, along with its request, a valid system login name and password for the system on which HP WBEM Services and the appropriate provider are installed. For information about login permissions, see Chapter 3 (page 33).
2. The CIM Server in HP WBEM Services uses its XML decoder to parse the XML data in the request. If an error occurs, the CIM Server returns an error message and stops processing the request.
CIM_ERR_NOT_SUPPORTED
For a list of standard CIM errors and other error messages, see Chapter 5 (page 42).
HP WBEM indications
In a network where several clients and resources are managed, certain events might occur. These events, irrespective of nature or criticality, must be reported so that appropriate action is taken. In this network, you can receive a notification from HP WBEM Services when an event occurs.
A CIM message is a well-defined request or response data packet used to exchange information between CIM applications. Following are the types of CIM messages:
• CIM Operation Messages: A CIM Operation Message is used to invoke an operation on the target CIM namespace.
• CIM Export Messages: A CIM Export Message is used to communicate information about a CIM namespace or element that is foreign to the target.
Table 1 Commands, Executable Scripts, and Daemon Processes in HP WBEM Services
Name: cimauth
Type: Command
Version: A.02.07
Required Permission: root
To Perform: Authorizes users for a specified namespace. Use this command to add, modify, or remove authorization per user, per namespace. You can also assign Read or Write permissions. Note that assigning Write permission does not automatically include Read permission. Use this command to list all authorizations that are configured on the CIM Server.

Name: cimprovagt
Type: Command
Version: A.02.07
Required Permission: No user interface
To Perform: A wrapper process used by the cimserver to load the shared libraries of individual providers as separate processes, distinct from the CIM Server and from other providers. This isolates the cimserver from a provider failure, because only that specific provider is affected.

Name: init_repository
Type: Script
Version: A.02.07
Required Permission: root
To Perform: Initializes the repository. If the repository is moved or corrupted, first attempt to restore it from backup. If you cannot restore the repository from backup, use the init_repository script to return the repository to the state it was in when HP WBEM Services was installed.
2 Installing and setting up HP WBEM Services This chapter describes the procedures for installing and setting up HP WBEM Services. Compatibility information HP WBEM Services is available on HP-UX 11i v1, v2, and v3. The provider versions that are compatible with HP WBEM Services will vary based on the version of HP WBEM Services that you want to install and the operating system version on which you install it.
Verifying WBEM files and directories................[PASS]
Total number of checks performed: 10
Total number of Errors: 0
To check the compatibility versions for HP WBEM Services, run the following command:
fsweb2# wbemassist -c -ov 11.23 -pn utilProvider -pv A.01.08.02.01
The following output is displayed:
Compatible WBEMServices Versions
A.02.09
NOTE: The wbemassist utility checks and recommends solutions for problems encountered while using HP WBEM Services only.
Create the archive file using the cimreparchive tool. To restore the repository from the archive file, you must first stop the CIM Server and move the active repository files to a different location. Then use the tar command to extract the archived repository files and restart the CIM Server. For more information on the cimreparchive tool, see cimreparchive(1M).
1. Download the product from http://software.hp.com.
2. Copy the downloaded depot file to a local directory on the system.
3. Log in to the HP-UX system as root and go to the directory where the depot is downloaded.
4. Start the installation:
swinstall -s WBEMServices
The following files are installed:
/etc/opt/hp/sslshare Shared SSL certificate files and trust store files.
+openssl.OPENSSL-INC,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.OPENSSL-LIB,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.OPENSSL-MAN,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.OPENSSL-MIS,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.OPENSSL-PRNG,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.OPENSSL-PVT,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.OPENSSL-RUN,1=/opt/openssl,r=A.00.09.08n.003,a=HP-UX B.11.A
+openssl.
NOTE: This command automatically aborts all current client connections and stops the CIM Server. After the version is upgraded, HP WBEM Services automatically restarts the CIM Server and any installed indication providers. Note that providers you had disabled are enabled again by the upgrade; review the provider set afterwards if you had disabled any deliberately.
IMPORTANT: After upgrading HP WBEM Services in your environment, you must also upgrade your providers to versions that are compatible with the HP WBEM Services version you upgraded to.
NOTE: This provider does not support the reboot and shutdown methods of the CIM_OperatingSystem class. The PG_OperatingSystem subclass adds the SystemUpTime and OperatingSystemCapability properties. Computer System Provider The Computer System Provider makes available basic computer system information, such as computer name, status, and administrator contact information.
Client applications can use this provider to determine all the IP addresses for a platform, determine which LAN interface is associated with a given IP address, and to determine which IP routes are supported by the platform. For platforms that have the LAN provider installed, you can relate a given IP address to its LAN interface, MAC address, logical port, and network interface card (NIC). NOTE: The current implementation is for HP-UX only.
The following software objects are supported by this provider:
• Bundles: Collections of filesets from several different products, encapsulated for a specific purpose. Bundles can consist of groups of filesets or products.
• Products: Collections of filesets, or (optionally) subproducts, and control scripts. Different versions of a product can be defined for different platforms and operating systems, as well as different revisions (releases) of the product.
If a configuration problem occurs with HP WBEM Services, an error message is displayed. For more information on wbemexec, see wbemexec(1).
NOTE: If you already have HP WBEM Services installed, check your release notes before removing or re-installing it. You can remove all the files associated with HP WBEM Services and make all your providers unavailable. IMPORTANT: Do not move or change HP WBEM Services files. Their locations are predetermined.
For information on the options that you can set, see “CIM Server properties” (page 30). You can also view the manpage for the cimconfig command. If you attempt to start the CIM Server when it is already running, the following message appears:
/opt/wbem/lbin/cimserver: cimserver is already running (the PID found in the file "/etc/opt/wbem/cimserver_start.conf" corresponds to an existing process named "cimservermain").
NOTE: This message is displayed with HP WBEM Services version A.02.05 and later.
NOTE: The cimserverd daemon automatically restarts the CIM Server when it fails on a system, but not in cases where the CIM Server is manually halted. Using the cimconfig command The cimconfig command manages properties that are used to configure the CIM Server. The configuration operations are executed on the CIM Server running on the local host. Use the cimconfig command to view, set, or clear the CIM Server property values.
CIM Server properties
After HP WBEM Services is installed, you can configure the properties listed in this section using the cimconfig command. You must have privileged user (root) permissions to modify the values of these properties. Back up the following property configuration files regularly. For HP-UX:
• /var/opt/wbem/cimserver_current.conf contains the current values that are not defaulted.
• /var/opt/wbem/cimserver_planned.conf contains planned values, not yet in effect and not defaulted.
Describes the required level of support for certificate-based authentication. This property is only used when enableHttpsConnection is set to true.
• idleConnectionTimeout: If set to a positive integer, this value specifies a minimum timeout value for idle client connections. If set to zero, idle client connections do not time out. A client connection is considered idle when it is not in the process of sending a request and the CIM Server is not processing a request from that connection.
Four namespaces are installed with HP WBEM Services. Others can be added by clients and providers. The four namespaces that are automatically installed are:
• root: The root namespace exists to conform to the DMTF specifications.
• root/cimv2: The standard CIM schemas go here, as do the schemas for the bundled providers.
• root/PG_Interop: This is for provider registration. This space is reserved exclusively for providers, and all providers must register here.
3 Security considerations This chapter describes the security aspects of working with HP WBEM Services. In any network, security is always of prime importance. For HP WBEM Services, security is first checked at the communication channels.
To disable the Export HTTPS port, use the cimconfig command to set the planned value of the configuration property enableSSLExportClientVerification to false and restart the CIM Server.
HP WBEM Services configuration options security disclaimer
As a security best practice, HP recommends that you disable any network daemon that you do not use in your environment. Any daemon that is in use must be configured securely according to the threat environment in which it is located. This is a functionality vs.
4 Authentication methods in HP WBEM Services This chapter elaborates on the authentication methods in HP WBEM Services. HP WBEM Services supports the following authentication methods: • Local authentication: This method is used to authenticate requests from local users. In this scenario, if the user is on the same system as HP WBEM Services, then the authentication already performed by the system is used by HP WBEM Services. For more information, see “Local user authentication” (page 35).
Remote user authentication
The CIM Server can authenticate remote users with one of the following methods:
• HTTP Basic Authentication
• Certificate Based Authentication
Table 3 describes these authentication methods.
Table 3 Remote User Authentication Methods
Certificate Based Authentication (CBA), Description: The CIM Server requests the client certificate while the HTTPS connection is being established.
HTTP Basic Authentication, Description:
wbem auth required libpam_ldap.so.1 try_first_pass
# Account management
wbem account required libpam_hpsec.so.1
wbem account sufficient libpam_unix.so.1
wbem account required libpam_ldap.so.1
# Session management
wbem session required libpam_hpsec.so.1
wbem session sufficient libpam_unix.so.1
wbem session required libpam_ldap.so.1
# Password management
wbem password required libpam_hpsec.so.1
wbem password required libpam_ldap.so.1 try_first_pass
wbem password required libpam_ldap.so.
NOTE: Basic Authentication requires the client to pass both the user name and password in Base64 encoding. Base64 is an encoding, not encryption: anyone who can observe the connection recovers the password. SSL (enableHttpsConnection) must therefore be disabled only in a highly secure environment where transferring clear text passwords does not pose a security threat. HP WBEM Services uses OpenSSL to support HTTPS connections. OpenSSL is a cryptography toolkit that implements the network protocols and related cryptography standards of SSL v2/v3 and TLS (Transport Layer Security).
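The properties discussed under “CIM Server properties” and in the security disclaimer decide how exposed the CIM Server is: whether a cleartext wbem-http listener is open, whether HTTPS is on, whether namespace and user group authorization are enforced, whether idle connections ever time out, and whether the export HTTPS port is enabled. The following audit script is an added example written for this guide, not HP code. It assumes that cimserver_current.conf and cimserver_planned.conf hold one name=value pair per line (with # comments), that an absent property means the default is in effect (no default is assumed; such properties are reported for manual confirmation with cimconfig -g <property> -c, the OpenPegasus-style syntax), that an empty authorizedUserGroups means no group restriction, and that enableRemotePrivilegedUserAccess permits remote root logins, which the guide names but does not describe. The two configuration files below are constructed samples.

```python
import re

_PROP = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Parse name=value lines (format assumed); '#' starts a comment."""
    props = {}
    for raw in text.splitlines():
        m = _PROP.match(raw.split("#", 1)[0])
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _true(value):
    # cimconfig stores booleans as the strings true/false
    return value.strip().lower() == "true"


# One rule per property the guide discusses: (value is risky?, severity, message).
RULES = {
    "enableHttpConnection": (_true, "HIGH",
        "cleartext wbem-http listener: HTTP Basic credentials cross the network "
        "Base64-encoded, not encrypted"),
    "enableHttpsConnection": (lambda v: not _true(v), "HIGH",
        "HTTPS disabled: the guide allows this only where clear text passwords "
        "pose no threat"),
    "enableNamespaceAuthorization": (lambda v: not _true(v), "MEDIUM",
        "per-namespace authorization set up with cimauth is not enforced"),
    "enableRemotePrivilegedUserAccess": (_true, "MEDIUM",
        "privileged (root) users may authenticate remotely "
        "(meaning assumed from the property name)"),
    "authorizedUserGroups": (lambda v: v.strip() == "", "MEDIUM",
        "no group restriction: every authenticated user passes user group "
        "authorization (assumption: empty means unrestricted)"),
    "idleConnectionTimeout": (lambda v: v.strip() == "0", "LOW",
        "idle client connections never time out"),
    "enableSSLExportClientVerification": (_true, "LOW",
        "export HTTPS port enabled; set false if indications are not exported"),
}


def audit(props):
    """Return (property, severity, message) for risky explicit values and an
    INFO entry for each discussed property the file does not set."""
    findings = []
    for prop, (risky, severity, message) in RULES.items():
        if prop not in props:
            findings.append((prop, "INFO",
                "not set here; confirm the effective value with "
                f"cimconfig -g {prop} -c"))
        elif risky(props[prop]):
            findings.append((prop, severity, message))
    return findings


def pending_changes(current, planned):
    """Planned values that differ from current ones; planned values take
    effect only after the CIM Server is restarted."""
    return {p: (current.get(p), v) for p, v in planned.items()
            if current.get(p) != v}


def effective_after_restart(current, planned):
    """The configuration the CIM Server will run with after a restart."""
    return {**current, **planned}


# Constructed samples, not copied from a real HP-UX system.
CURRENT_CONF = """# constructed sample of /var/opt/wbem/cimserver_current.conf
enableHttpConnection=true
enableHttpsConnection=true
enableNamespaceAuthorization=false
enableRemotePrivilegedUserAccess=true
authorizedUserGroups=
idleConnectionTimeout=0
enableSSLExportClientVerification=true
"""
PLANNED_CONF = """# constructed sample of /var/opt/wbem/cimserver_planned.conf
enableHttpConnection=false
enableNamespaceAuthorization=true
authorizedUserGroups=wbemadm,sysadm
idleConnectionTimeout=300
"""

if __name__ == "__main__":
    current, planned = parse_conf(CURRENT_CONF), parse_conf(PLANNED_CONF)
    for finding in audit(current):
        print("current:", *finding)
    for prop, (old, new) in pending_changes(current, planned).items():
        print(f"pending restart: {prop} {old!r} -> {new!r}")
    for finding in audit(effective_after_restart(current, planned)):
        print("after restart:", *finding)
```

Run against the constructed files, the current configuration yields six findings (cleartext HTTP, no namespace authorization, remote privileged access, no group restriction, no idle timeout, export port on) and the planned file clears four of them once the CIM Server is restarted; remote privileged access and the export port remain to be decided on.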
If your CA certificates use 2048-bit keys, HP recommends that you keep them. If the CA certificates use shorter keys, HP recommends that you obtain new CA certificates with 2048-bit keys.
Importing server certificates to the Trust Store
CIM client applications must maintain a trust store in a .pem file. The CIM client applications must import the certificates stored in /etc/opt/hp/sslshare/cert.
User group authorization
User group authorization consists of verifying that the already authenticated user is a member of one of the groups configured in the authorizedUserGroups configuration property. If the user is not authorized, the client request is rejected without being processed and an authorization failure message is sent back.
EnumerateClasses
EnumerateClassNames
EnumerateInstances
EnumerateInstanceNames
EnumerateQualifiers
GetClass
GetInstance
GetProperty
GetQualifier
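The two authorization layers above, user group authorization and per-namespace authorization as configured with cimauth, can be modelled in a few lines to make the rules concrete, in particular the point from Table 1 that Write permission does not imply Read. The following is an added example written for this guide, not HP code. It assumes that the operations listed above are the ones that need Read authorization and that every other CIM operation needs Write, and it uses constructed group membership and authorization tables instead of consulting the system's group database or the CIM Server.

```python
# Operations listed under "Namespace authorization"; treated here as the Read
# operations, with every other CIM operation needing Write (an assumption).
READ_OPERATIONS = frozenset({
    "EnumerateClasses", "EnumerateClassNames", "EnumerateInstances",
    "EnumerateInstanceNames", "EnumerateQualifiers", "GetClass",
    "GetInstance", "GetProperty", "GetQualifier",
})


class CimAuthorizer:
    """Decide whether an already authenticated user may run an operation."""

    def __init__(self, authorized_user_groups, group_members, namespace_auths,
                 enable_namespace_authorization=True):
        # value of the authorizedUserGroups property (empty: no group check)
        self.authorized_user_groups = set(authorized_user_groups)
        # group -> members, standing in for the system group database
        self.group_members = {g: set(m) for g, m in group_members.items()}
        # (user, namespace) -> set of "R"/"W", as cimauth -a would record them
        self.namespace_auths = {k: set(v.upper())
                                for k, v in namespace_auths.items()}
        # value of the enableNamespaceAuthorization property
        self.enable_namespace_authorization = enable_namespace_authorization

    def check(self, user, operation, namespace):
        """Return (allowed, reason)."""
        if self.authorized_user_groups:
            in_group = any(user in self.group_members.get(g, set())
                           for g in self.authorized_user_groups)
            if not in_group:
                return False, (f"user group authorization failed: {user} is in "
                               f"none of {sorted(self.authorized_user_groups)}")
        if self.enable_namespace_authorization:
            needed = "R" if operation in READ_OPERATIONS else "W"
            granted = self.namespace_auths.get((user, namespace), set())
            # A "W"-only entry does not satisfy a Read operation, exactly as
            # Table 1 warns for cimauth.
            if needed not in granted:
                return False, (f"namespace authorization failed: {operation} on "
                               f"{namespace} needs {needed}, {user} has "
                               f"{''.join(sorted(granted)) or 'none'}")
        return True, "authorized"


# Constructed tables for the example.
AUTHORIZED_USER_GROUPS = ["wbemadm"]
GROUP_MEMBERS = {"wbemadm": ["alice", "bob"], "users": ["carol"]}
NAMESPACE_AUTHS = {("alice", "root/cimv2"): "RW", ("bob", "root/cimv2"): "W"}

if __name__ == "__main__":
    authz = CimAuthorizer(AUTHORIZED_USER_GROUPS, GROUP_MEMBERS, NAMESPACE_AUTHS)
    for who, op, ns in [("alice", "EnumerateInstances", "root/cimv2"),
                        ("bob", "GetInstance", "root/cimv2"),
                        ("bob", "CreateInstance", "root/cimv2"),
                        ("carol", "GetClass", "root/cimv2"),
                        ("alice", "GetClass", "root/PG_Interop")]:
        print(who, op, ns, "->", authz.check(who, op, ns))
```

Bob's W-only entry lets him create instances in root/cimv2 but not read them, Carol fails at the group check before any namespace rule is consulted, and Alice's rights in root/cimv2 say nothing about root/PG_Interop, where she has no entry.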
5 Troubleshooting HP WBEM Services
This chapter explains how to troubleshoot HP WBEM Services in your environment. It is for people who are having trouble while trying to use HP WBEM Services.
Checklist for troubleshooting HP WBEM Services
Before contacting support, read the checklist for troubleshooting HP WBEM Services.
• Is the CIM Server running? Enter the command ps -ef|grep cimserver. If it is not running, you must start it. For HP-UX: enter cimserver (no options).
General Syslog messages
HP WBEM Services puts the following messages in Syslog:
• When the CIM Server starts up, it logs a message, for example:
fsweb2 cimserver[1593]: PGS10026: The CIM Server is listening on HTTPS port 5989.
fsweb2 cimserver[1593]: PGS10028: The CIM server is listening on the local connection socket.
fsweb2 cimserver[1593]: PGS10030: Started HP-UX WBEM Services version A.02.09.08.
The substitution data $0 identifies the subscription, and contains the values of the subscription Filter and Handler Name properties in the form "FilterName, HandlerName". This message might indicate that one or more indication providers has been removed or disabled, and you might have to re-install, re-register, and re-enable one or more indication providers to avoid missing indications.
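The startup messages above are worth watching rather than just reading: they tell you which listeners the CIM Server opened (a plain wbem-http listener means Basic Authentication credentials cross the network merely Base64-encoded) and, because cimserverd restarts a failed CIM Server, a burst of start messages under new PIDs points at a crash loop. The scanner below is an added example written for this guide, not HP code. The message shapes for the HTTPS listener, the local socket and the version line are taken from the Syslog examples above; the plain-HTTP line and the second start are constructed, and the message number on the plain-HTTP line is assumed rather than quoted from the guide.

```python
import re

# Shapes from the guide's Syslog examples: "cimserver[pid]: PGSnnnnn: text".
_ENTRY = re.compile(r"cimserver\[(?P<pid>\d+)\]: (?P<code>PGS\d+): (?P<text>.*)")
_LISTEN = re.compile(r"listening on (?P<proto>HTTPS|HTTP) port (?P<port>\d+)")
_LOCAL = re.compile(r"listening on the local connection socket")
_STARTED = re.compile(
    r"Started HP-UX WBEM Services version (?P<version>[A-Za-z0-9.]+?)\.?$")


def scan_cimserver_syslog(lines):
    """Summarise CIM Server start-up entries and flag a cleartext HTTP
    listener, a start without any network listener, and repeated starts."""
    listeners = {}        # proto -> port
    starts = []           # (pid, version), one per PGS10030-style line
    local_socket = False
    for line in lines:
        entry = _ENTRY.search(line)
        if not entry:
            continue            # not a cimserver line (sshd, cron, ...)
        text = entry.group("text")
        if (m := _LISTEN.search(text)):
            listeners[m.group("proto")] = int(m.group("port"))
        elif _LOCAL.search(text):
            local_socket = True
        elif (m := _STARTED.search(text)):
            starts.append((int(entry.group("pid")), m.group("version")))
    findings = []
    if "HTTP" in listeners:
        findings.append(
            f"cleartext HTTP listener on port {listeners['HTTP']}: Basic "
            "Authentication credentials are only Base64-encoded on this port")
    if starts and not listeners:
        findings.append("CIM Server started but logged no HTTP/HTTPS listener")
    if len({pid for pid, _ in starts}) > 1:
        findings.append(f"{len(starts)} start messages from different PIDs: "
                        "check whether cimserverd is restarting a failing server")
    return {"listeners": listeners, "local_socket": local_socket,
            "starts": starts, "findings": findings}


# Constructed sample; the first three lines follow the guide's examples.
SAMPLE_SYSLOG = [
    "Apr 11 09:12:01 fsweb2 cimserver[1593]: PGS10026: The CIM Server is "
    "listening on HTTPS port 5989.",
    "Apr 11 09:12:01 fsweb2 cimserver[1593]: PGS10028: The CIM server is "
    "listening on the local connection socket.",
    "Apr 11 09:12:01 fsweb2 cimserver[1593]: PGS10030: Started HP-UX WBEM "
    "Services version A.02.09.08.",
    # constructed: a plain wbem-http listener; message number assumed
    "Apr 11 09:12:01 fsweb2 cimserver[1593]: PGS10025: The CIM Server is "
    "listening on HTTP port 5988.",
    # constructed: a later restart under a new PID
    "Apr 11 09:40:17 fsweb2 cimserver[2210]: PGS10026: The CIM Server is "
    "listening on HTTPS port 5989.",
    "Apr 11 09:40:17 fsweb2 cimserver[2210]: PGS10030: Started HP-UX WBEM "
    "Services version A.02.09.08.",
    "Apr 11 09:41:00 fsweb2 sshd[2300]: Accepted publickey for root from 10.0.0.5",
]

if __name__ == "__main__":
    result = scan_cimserver_syslog(SAMPLE_SYSLOG)
    print(result["listeners"], result["starts"])
    for finding in result["findings"]:
        print("finding:", finding)
```

On a real system, feed it the cimserver lines from the syslog file (for example the output of grep cimserver over the log); the three lines that match the guide's examples produce no findings, while the constructed HTTP listener and second start each produce one.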
• 5 = CIM_ERR_INVALID_CLASS: The specified class does not exist.
• 6 = CIM_ERR_NOT_FOUND: The requested object could not be found.
• 7 = CIM_ERR_NOT_SUPPORTED: The requested operation is not supported.
• 8 = CIM_ERR_CLASS_HAS_CHILDREN: The operation cannot be carried out on this class because it has subclasses.
• 9 = CIM_ERR_CLASS_HAS_INSTANCES: The operation cannot be carried out on this class because it has instances.
• CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code.
• CIM_ERR_INVALID_CLASS: The specified class does not exist.
• CIM_ERR_INVALID_NAMESPACE: The target namespace does not exist.
• CIM_ERR_INVALID_PARAMETER: One or more parameter values passed to the method were invalid.
• CIM_ERR_METHOD_NOT_AVAILABLE: The extrinsic method could not be executed.
• CIM_ERR_METHOD_NOT_FOUND: The specified extrinsic method does not exist.
1. The CIM error code, 7
2. Its translation, CIM_ERR_NOT_SUPPORTED
3. The expanded text message, “The requested operation is not supported”
4. The non-standard additional message, “OperatingSystem Provider does not support createInstance”
As a second example, consider a client that mistakenly provides too few or too many keys to a GetInstance operation on the PG_OperatingSystem class. The following response is sent:
• Message: Failed to remove authorizations. Specified user authorizations were not found.
Enter cimauth -l to list all the authorizations. Locate the one you want to remove and verify that you have spelled it correctly. If it is not in the list, you need to add it with the -a option, then re-issue the command.
• Message: CIM Server might not be running.
To see if cimserver is running, enter: ps -ef|grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it.
• Message: Current value cannot be determined because the CIM Server is not running.
To see if cimserver is running, enter: ps -ef|grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, do the following:
HP-UX: cimserver
• Message: Planned value cannot be determined because the CIM Server is not running.
To see if cimserver is running, enter: ps -ef|grep cimserver
Perhaps an operator stopped it by command, but did not restart it.
6 Support and other resources About this document This document explains the architecture of HP WBEM Services for HP-UX. It also contains information on installing and administering HP WBEM Services in your environment. This document is intended for system administrators who are responsible for installing and administering HP WBEM Services.
These documents are available at www.hp.com/go/hpux-networking-docs and select HP-UX 11i WBEM Software collection.
A Representation of resources The HP WBEM Services repository stores information about the managed resources. To register with HP WBEM Services, a provider must define its resource by the classes and subclasses that define it. Then the provider must describe the properties that it will expose, and the methods that it will support. The properties describe what a class is, the methods describe what it can do. Properties are attributes or characteristics of the resource.
these keys is its own identification. It is the only instance in its namespace that is allowed to have that “name.” More than one key property makes a compound key. Consider how to uniquely identify a user account on a UNIX system. You can use two key properties: the value of the user account's Name property and the value of the system's Name property. In the same way, the pair used to route your email to you, user-name@domain-name, identifies you. Classes are either concrete or abstract.
B Sample client request
This appendix provides a sample of a client request and the response. The request is for the EnumerateInstances operation on the PG_OperatingSystem class. Requests and responses are encoded in XML. For more information about XML, see http://www.dmtf.org/standards/WBEM. The information is represented in a table format. The first column has line numbers for the actual request and response. The middle column can group several related lines.
• Lines 6 - 9: Two criteria must be met to continue:
◦ This namespace must be valid.
◦ If the enableNamespaceAuthorization property is enabled, this user must be authorized to access this namespace.
• Lines 10 - 12: The class name must exist, and it must have a provider registered. The provider must respond to the request. Here, the OS Provider is registered for the PG_OperatingSystem class. Checking the provider documentation, you can see that it supports the EnumerateInstances method.
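The request walked through in this appendix, and the error response anatomy in chapter 5 (numeric code, symbolic name, standard text, provider message), are easier to work with when the CIM-XML is built and decoded in code rather than read off a table. The following is an added example written for this guide, not HP code. It builds the EnumerateInstances request for PG_OperatingSystem in the DMTF CIM-XML encoding, the same kind of XML file wbemexec sends, and decodes a response. The two responses are constructed for the example: the error response reuses the provider message quoted in chapter 5, and the hostname and property values in the success response are invented. The status-code table lists the codes chapter 5 spells out together with the remaining DMTF codes. Element and namespace names are checked against the CIM identifier syntax before being placed in the XML, so a caller cannot inject extra elements into the request.

```python
import re
import xml.etree.ElementTree as ET

# DMTF CIM status codes; 5 to 9 are spelled out in chapter 5, the rest follow
# the DMTF numbering of the CIM Operations over HTTP specification.
CIM_ERRORS = {
    1: "CIM_ERR_FAILED", 2: "CIM_ERR_ACCESS_DENIED",
    3: "CIM_ERR_INVALID_NAMESPACE", 4: "CIM_ERR_INVALID_PARAMETER",
    5: "CIM_ERR_INVALID_CLASS", 6: "CIM_ERR_NOT_FOUND",
    7: "CIM_ERR_NOT_SUPPORTED", 8: "CIM_ERR_CLASS_HAS_CHILDREN",
    9: "CIM_ERR_CLASS_HAS_INSTANCES", 10: "CIM_ERR_INVALID_SUPERCLASS",
    11: "CIM_ERR_ALREADY_EXISTS", 12: "CIM_ERR_NO_SUCH_PROPERTY",
    13: "CIM_ERR_TYPE_MISMATCH", 14: "CIM_ERR_QUERY_LANGUAGE_NOT_SUPPORTED",
    15: "CIM_ERR_INVALID_QUERY", 16: "CIM_ERR_METHOD_NOT_AVAILABLE",
    17: "CIM_ERR_METHOD_NOT_FOUND",
}

# CIM names are identifiers; anything else is refused instead of interpolated.
_CIM_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _check_name(value, what):
    if not _CIM_NAME.fullmatch(value):
        raise ValueError(f"invalid CIM {what}: {value!r}")
    return value


def build_enumerate_instances(namespace, classname, message_id=1001):
    """CIM-XML for an EnumerateInstances call in a namespace such as root/cimv2."""
    ns_path = "".join(
        f'<NAMESPACE NAME="{_check_name(p, "namespace component")}"/>'
        for p in namespace.split("/"))
    cls = _check_name(classname, "class name")
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
            f'<MESSAGE ID="{int(message_id)}" PROTOCOLVERSION="1.0"><SIMPLEREQ>'
            '<IMETHODCALL NAME="EnumerateInstances">'
            f'<LOCALNAMESPACEPATH>{ns_path}</LOCALNAMESPACEPATH>'
            f'<IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="{cls}"/></IPARAMVALUE>'
            '</IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>')


def describe_request(xml_text):
    """Return (method, namespace, classname) from a simple CIM-XML request."""
    call = ET.fromstring(xml_text).find("./MESSAGE/SIMPLEREQ/IMETHODCALL")
    namespace = "/".join(n.get("NAME") for n in call.iter("NAMESPACE"))
    cls = call.find("./IPARAMVALUE[@NAME='ClassName']/CLASSNAME").get("NAME")
    return call.get("NAME"), namespace, cls


def parse_response(xml_text):
    """Decode a CIM-XML response into either an error (code, symbolic name,
    description) or the enumerated instances as {property: value} dicts."""
    rsp = ET.fromstring(xml_text).find("./MESSAGE/SIMPLERSP/IMETHODRESPONSE")
    if rsp is None:
        raise ValueError("not a simple CIM-XML method response")
    err = rsp.find("ERROR")
    if err is not None:
        code = int(err.get("CODE"))
        return {"ok": False, "code": code,
                "name": CIM_ERRORS.get(code, "UNKNOWN"),
                "description": err.get("DESCRIPTION", "")}
    instances = []
    for inst in rsp.iter("INSTANCE"):
        props = {p.get("NAME"): p.findtext("VALUE")
                 for p in inst.findall("PROPERTY")}
        instances.append({"class": inst.get("CLASSNAME"), "properties": props})
    return {"ok": True, "instances": instances}


# Constructed responses, not captured from a real CIM Server.
SAMPLE_OK = (
    '<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0">'
    '<SIMPLERSP><IMETHODRESPONSE NAME="EnumerateInstances"><IRETURNVALUE>'
    '<VALUE.NAMEDINSTANCE><INSTANCENAME CLASSNAME="PG_OperatingSystem">'
    '<KEYBINDING NAME="CSName"><KEYVALUE VALUETYPE="string">'
    'mycomputer.example.com</KEYVALUE></KEYBINDING></INSTANCENAME>'
    '<INSTANCE CLASSNAME="PG_OperatingSystem">'
    '<PROPERTY NAME="CSName" TYPE="string"><VALUE>mycomputer.example.com</VALUE></PROPERTY>'
    '<PROPERTY NAME="Name" TYPE="string"><VALUE>HP-UX</VALUE></PROPERTY>'
    '</INSTANCE></VALUE.NAMEDINSTANCE></IRETURNVALUE></IMETHODRESPONSE>'
    '</SIMPLERSP></MESSAGE></CIM>')
# The CreateInstance refusal chapter 5 walks through: code 7, its symbolic
# name, the standard text, then the provider's own message.
SAMPLE_ERROR = (
    '<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1002" PROTOCOLVERSION="1.0">'
    '<SIMPLERSP><IMETHODRESPONSE NAME="CreateInstance"><ERROR CODE="7" '
    'DESCRIPTION="CIM_ERR_NOT_SUPPORTED: The requested operation is not '
    'supported: OperatingSystem Provider does not support createInstance"/>'
    '</IMETHODRESPONSE></SIMPLERSP></MESSAGE></CIM>')

if __name__ == "__main__":
    print(build_enumerate_instances("root/cimv2", "PG_OperatingSystem"))
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_ERROR))
```

Writing the output of build_enumerate_instances to a file gives you something to hand to wbemexec; parse_response is what a client should apply to whatever comes back, since a well-formed CIM-XML document can still carry an ERROR element in place of the expected instances.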
Table 6 EnumerateInstances Response for PG_OperatingSystem Class (continued)
[Most rows of this table were lost in extraction. The surviving fragments are:]
Lines 55 - 58, next property: This instance reflects the Operating System on which the CIMOM is executing (as distinguished from instances of other installed operating systems that could be run).
Line 171: End message
Line 172: End CIM XML message
Index
authorization for CIM operations, 40
authorization namespace, 40
backing up files, 32
checklist for troubleshooting, 42
CIM messages, 44
CIM operations authorizations, 40
enableHttpConnection, 30
enableHttpsConnection, 30
enableNamespaceAuthorization, 30
enableRemotePrivilegedUserAccess, 30
error messages, 42
HTTP connection enabling, 3
Secure Socket Layer, 38, 40
shutdownTimeout, 30
SSL, 38, 40
troubleshooting, 42
troubleshooting WBEM Services, 42
WBEM Services messages, 42
Glossary
CIM (Common Information Model): A hierarchical object-based model developed by the DMTF that defines a large number of concepts common to most computer systems.
CIM Client: A client application that issues CIM operation requests over HTTP and processes the responses.
CIM Object Manager (CIMOM): Manages CIM objects in an HP WBEM-enabled system. The CIMOM receives and processes CIM operation requests and issues responses.
extensible markup language (XML): A simplified subset of SGML that offers powerful and extensible data modeling capabilities. An XML Document is a collection of data represented in XML. An XML Schema is a grammar that describes the structure of an XML Document.
extension schema: The third layer of the CIM schema, which includes platform-specific extensions of the CIM schema such as Microsoft Windows NT, UNIX, and Microsoft Exchange Server. Also see common model and core model.
light-weight HTTP server: A small footprint server that processes HTTP requests and returns standard HTTP responses. The server is not intended as a replacement for a web server. The server does not serve up HTML web pages and does not run CGI applications.
local property: A non-system property defined for a class but not inherited from a superclass.
managed object: A hardware or software system component that is represented as an instance of a CIM class.
Open Database Connectivity (ODBC): A specification for an API that defines a standard set of routines with which an application can access data in a data source.
operational semantics: The formalization of real objects by putting them into a common language.
override: Indicates that the property, method, or reference in the derived class overrides the similar construct in the parent class in the inheritance tree or in the specified parent class.
web server: Full-service web servers act as HTTP servers. In addition, they have many other capabilities, like running CGI scripts. Understanding the distinction between a limited-service HTTP server and a full-service web server is critical to understanding security on HP WBEM Services for HP-UX: HP WBEM Services uses its own embedded HTTP server (a light-weight server), not a web server, so it exposes no HTML pages or CGI programs, only the CIM-XML interface.
Acknowledgement: This information was gathered from http://dmtf.org/education/cimtutorial.