Solaris WBEM Services Administrator's Guide

Sun WBEM Security Features

The CIM Object Manager validates a user's login information for the machine on which the CIM Object Manager is running. A validated user is granted some form of controlled access to the entire Common Information Model (CIM) Schema. The CIM Object Manager does not provide security for system resources such as individual classes and instances. However, the CIM Object Manager does allow control of global permissions on namespaces and access control on a per-user basis.

The following security features protect access to CIM objects on a WBEM-enabled system:

Note that no digital signing of messages is performed.

Authentication

When a user logs in and enters a user name and password, the client uses the password to generate an encrypted digest, which the server verifies. When the user is authenticated, the CIM Object Manager sets up a client session. All subsequent operations occur within that secure client session and carry a MAC token that uses the session key negotiated during authentication.
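The login and session flow described above, modelled as an added example; this is not Sun WBEM code, and the digest construction, the session-key derivation, the HMAC-SHA256 token and the per-request counter are assumptions, since the guide does not specify the wire format. The user account and request strings are constructed sample data.

```python
import hashlib
import hmac
import os
def password_digest(password: bytes, challenge: bytes) -> bytes:
    """Client side: the password is never sent, only a digest bound to the challenge."""
    return hashlib.sha256(b"login" + challenge + password).digest()
def session_key(password: bytes, challenge: bytes) -> bytes:
    """Both sides derive the session key from the login material (assumed derivation)."""
    return hashlib.sha256(b"session" + challenge + password).digest()

def mac_token(key: bytes, counter: int, request: bytes) -> bytes:
    """MAC token carried by every request after login; the counter is an assumed anti-replay field."""
    return hmac.new(key, counter.to_bytes(8, "big") + request, hashlib.sha256).digest()

class CimomServer:
    def __init__(self, users: dict):
        self.users = users      # user name -> password, constructed sample accounts
        self.challenge = os.urandom(16)
        self.key = None
        self.seen = set()       # counters already accepted in this session

    def authenticate(self, user: str, digest: bytes) -> bool:
        pw = self.users.get(user)
        if pw is None or not hmac.compare_digest(password_digest(pw, self.challenge), digest):
            return False
        self.key = session_key(pw, self.challenge)   # session established
        return True

    def handle(self, counter: int, request: bytes, token: bytes) -> bool:
        """Accept a request only if it carries a fresh, valid MAC for this session."""
        if self.key is None or counter in self.seen:
            return False
        if not hmac.compare_digest(mac_token(self.key, counter, request), token):
            return False
        self.seen.add(counter)
        return True
def run_flow() -> dict:
    """Walk the exchange once and report which requests the server accepted."""
    pw = b"correct horse"
    server = CimomServer({"admin": pw})
    results = {"bad_password": server.authenticate("admin", password_digest(b"wrong", server.challenge))}
    results["login"] = server.authenticate("admin", password_digest(pw, server.challenge))
    key = session_key(pw, server.challenge)        # client-side copy of the session key
    req = b"GetInstance root/cimv2:Example_Class"   # constructed request, not a real CIM class
    token = mac_token(key, 1, req)
    results["valid"] = server.handle(1, req, token)
    results["tampered"] = server.handle(2, b"DeleteInstance root/cimv2:Example_Class", token)
    results["replay"] = server.handle(1, req, token)
    return results
```

Because the token is a MAC rather than a signature, the server can verify it but a third party cannot, which is the practical meaning of the note that no digital signing of messages is performed.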

Authorization

Once the CIM Object Manager has authenticated the user's identity, that identity can be used to verify whether the user should be allowed to execute the application or any of its tasks. The CIM Object Manager supports capability-based authorization, which allows a privileged user to assign read and write access to specific users. These authorizations are added to existing Solaris user accounts.