HP WBEM Services for HP-UX System Administrator Guide (5900-1624, April 2011)

4 Authentication methods in HP WBEM Services
This chapter elaborates on the authentication methods in HP WBEM Services.
HP WBEM Services supports the following authentication methods:
Local authentication:
This method is used to authenticate requests from local users. In this scenario, if the user is on
the same system as HP WBEM Services, then the authentication already performed by the
system is used by HP WBEM Services. For more information, see “Local user authentication”
(page 35).
Remote authentication:
This method is used to authenticate remote users that send requests. If the user request is from
a remote system, then it is first directed to the HTTP server of HP WBEM Services. The HTTP
server accepts only valid CIM requests; all other requests are rejected. User information
is included in the XML-encoded HTTP message header, and the CIM Server checks the
user password and SSL certificate information. For more information, see “Remote user
authentication” (page 36).
Providers: HP WBEM Services interacts with its registered providers through shared libraries.
NOTE: CIM providers can run as privileged users. Be cautious while installing a provider that
does not come from a trusted source.
After HP WBEM Services passes on a request to a provider, the provider is responsible for checking
its own security. The provider sets the rules about which requests it considers, and the conditions
for granting or refusing them. If a provider requires authorization beyond that checked by HP
WBEM Services, the provider supplier is responsible for documenting its own rules.
HP WBEM Services uses dedicated ports for CIM-XML traffic. Two ports are specified by DMTF
and registered with IANA for CIM-XML communication between the remote clients and the CIM
Server:
HTTP TCP/IP communication on port 5988 (wbem_http)
HTTPS TCP/IP communication on port 5989 (wbem_https)
HP supports only these two port configurations.
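The following added example, which is not part of the HP guide, reads `netstat -an` output and reports listeners on the two CIM-XML ports named above. The function names, the sample lines, and the policy that plain HTTP on port 5988 should not be bound to a non-loopback address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide): audit listeners on the CIM-XML ports.
# Reads `netstat -an` text on stdin; accepts "addr.port" and "addr:port" forms.

sample_netstat() {   # constructed sample input, not captured from a real host
    cat <<'EOF'
tcp        0      0  *.5988                 *.*                     LISTEN
tcp        0      0  *.5989                 *.*                     LISTEN
tcp        0      0  *.22                   *.*                     LISTEN
tcp        0      0  10.0.0.5.5989          10.0.0.9.51544          ESTABLISHED
EOF
}

wbem_listeners() {
    # Prints one line per listener: port service bind-address scope finding
    awk '
    $NF == "LISTEN" {
        laddr = $4                              # local address column
        n = split(laddr, parts, /[.:]/)
        port = parts[n]                         # last component is the port
        if (port != "5988" && port != "5989") next
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        name = (port == "5988") ? "wbem_http" : "wbem_https"
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "network"
        # Assumed policy: remote CIM-XML must use HTTPS, so plain HTTP
        # reachable from the network is reported.
        finding = (port == "5988" && scope == "network") ? "plain-http-exposed" : "ok"
        print port, name, addr, scope, finding
    }'
}

wbem_audit() {
    # Returns 1 if plain HTTP is network-reachable, 0 otherwise.
    findings=$(wbem_listeners)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    fi
    case "$findings" in
        *plain-http-exposed*) return 1 ;;
    esac
    return 0
}

# On a live system: netstat -an | wbem_audit
sample_netstat | wbem_audit || echo "policy violation: wbem_http (5988) is network-reachable"
```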
User authentication
When a user request comes through the HTTP or HTTPS port, the CIM Server determines whether the
user is a legitimate user on the system. If the request does not pass authentication, it is
rejected without any further processing.
Local user authentication
For local users, the CIM Server uses a local authentication mechanism. The CIM Server uses the
existing file system security to authenticate the user. HP WBEM Services accepts the authentication
already done by the system. As a result, local requests include only the login name of the user.
The password information is not required.
The CIM Server automatically authenticates local connections. Local connections are those
connections that are established using the connectLocal method in the CIMClient interface.
This authentication method eliminates the need for specifying the user name or password when
issuing management commands on the local system.
The UNIX domain socket connection point is used for local connections, so this traffic is not visible
on the network interconnect.