Solaris WBEM Services Administration Guide

Chapter 4 Administering Security (Tasks)

This chapter describes WBEM security mechanisms and the features that the CIM Object Manager enforces.

Here is a list of the information in this chapter.

WBEM Security Mechanisms

WBEM employs several mechanisms to ensure secure access to its data, including:

Each mechanism is described in more detail in the sections that follow.

Authentication

When a client application connects to a CIM Object Manager server, the client's user identity must be authenticated by the CIM Object Manager on the WBEM server. The WBEM client must provide a Solaris user identity and its accompanying login password. The identity and credential are used in a security authentication exchange between the client and the WBEM server to verify that the client is a valid Solaris user who is allowed to log in to the WBEM server system.

If the WBEM server cannot verify the user identity and credential because the user identity is invalid, the WBEM server returns a CIM security exception that includes the NO_SUCH_PRINCIPAL error.

If the WBEM server cannot verify the user identity and credential because the password is invalid for that user identity, the WBEM server returns a CIM security exception that includes the INVALID_CREDENTIAL error.

Role Assumption

A role identity can be assumed only when a WBEM user selects the Remote Method Invocation (RMI) protocol. Role assumption is not supported by the XML/HTTP protocol.

The Solaris implementation of WBEM supports the ability of a client to assume the identity of a Solaris role when that client is authenticated by the CIM Object Manager on the WBEM server. When the WBEM server uses RBAC authorizations to check authorization permission, the WBEM server checks the permission that is granted to the assumed role rather than the permission that is granted to the underlying user identity.

RBAC roles are described in more detail in “Role-Based Access Control (Overview)” in System Administration Guide: Security Services.

When the client attempts to connect, it must provide the Solaris role identity and password in addition to a Solaris user identity and password.

If the WBEM server cannot verify the Solaris role identity, the WBEM server returns a CIM security exception that includes the NO_SUCH_ROLE error.

If the role password is invalid for the specified role identity, the WBEM server returns the INVALID_CREDENTIAL error in the CIM security exception.

If both the role identity and role password are valid, but the user is not allowed to assume the role, the WBEM server returns the CANNOT_ASSUME_ROLE error in the CIM security exception.

Secure Messaging

In the CIM RMI protocol, each request from the client to the WBEM server contains a message authenticator that is constructed from the data parameters in the message. A one-way digest is also created with a session key established during the authentication exchange.

The WBEM server verifies this message authenticator, which guarantees that the request came from the same client that was authenticated and that the message was not modified or replayed during its communications to the server.

If the message was modified, replayed, or created by a source that was not the original client, the WBEM server returns a CIM security exception that contains the CHECKSUM_ERROR error. The WBEM server also writes a log message to the WBEM log.

Authorization

After a client connects, the WBEM server uses the authenticated user identity, or the assumed role identity, for all authorization checks on subsequent operations from that CIM client.

WBEM supports two types of authorization checking, based on:

The particular authorization checking mechanism that WBEM uses depends on how the MOF class provider is implemented. The particular authorization checking mechanism that WBEM uses for a specific MOF class operation depends on:

The classes defined in Solaris_Acl1.0.mof implement WBEM ACL-based security. WBEM ACL-based security provides a default authorization scheme for Solaris WBEM Services, and, under specific circumstances, applies to a particular set of CIM operations. ACL-based security is uniquely provided by Solaris WBEM Services.

You use Sun WBEM User Manager (wbemadmin) to establish an ACL for a specific namespace on the WBEM server. Sun WBEM User Manager enables you to add user names, or role names, to the ACL for the namespace, and to assign each user “read” or “write” permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control and in wbemadmin(1M).

Write permission allows a user to modify the class metadata, modify instances of MOF classes in that namespace, and issue an invoke method on instances. The local WBEM server root user identity is always granted write permission to all namespaces on the server. All authenticated users without an explicit ACL entry are granted read permission by default.

Operations that include the accessing of MOF class metadata, such as getClass, use the WBEM ACLs. These operations include the checking of permissions that are granted to the authenticated user by the ACL for the namespace that contains the MOF class. You can set an RBAC role in an ACL entry, but the ACL entry is always checked against the user identity rather than the role identity. In other words, you can set a role name in an ACL, but the CIM Object Manager does not check the role name at runtime.
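As an added illustration, not code from this guide or from Solaris WBEM Services, the following POSIX shell script models the namespace-ACL rules just described: the local root identity always has write access, an authenticated user with no entry gets read by default, and a role name placed in an ACL entry is never consulted because the check is made against the user identity. The ACL table, its namespace|principal|rights layout, the * principal standing for a namespace-level setting, and the precedence of a per-user entry over the namespace-level entry are assumptions of this example, not the format of the root\security namespace.

```shell
#!/bin/sh
# Added example, not code from the guide or from Solaris WBEM Services.
# SAMPLE_ACL is constructed data standing in for the ACL entries that wbemadmin
# stores in the root\security namespace; the "namespace|principal|rights"
# layout and the '*' principal for a namespace-level entry are conventions of
# this example only. Rights are a comma-separated list: read, write, or none.
SAMPLE_ACL='root\cimv2|alice|read,write
root\cimv2|operators|read,write
root\security|*|none
root\security|bob|read'

# acl_rights NAMESPACE USER
# Prints the rights that apply to USER in NAMESPACE: the user's own entry if one
# exists, otherwise the namespace-level entry, otherwise the documented default
# of read for any authenticated user. (A user entry overriding the namespace
# entry is this example's assumption about how the two settings combine.)
acl_rights() {
    ns=$1; user=$2
    user_rights=''; ns_rights=''
    while IFS='|' read -r e_ns e_principal e_rights; do
        [ "$e_ns" = "$ns" ] || continue
        if [ "$e_principal" = "$user" ]; then
            user_rights=$e_rights
        elif [ "$e_principal" = '*' ]; then
            ns_rights=$e_rights
        fi
    done <<EOF
$SAMPLE_ACL
EOF
    if [ -n "$user_rights" ]; then printf '%s\n' "$user_rights"
    elif [ -n "$ns_rights" ]; then printf '%s\n' "$ns_rights"
    else printf '%s\n' read
    fi
}

# acl_decision USER ROLE NAMESPACE OP  (OP is read or write) -> allow | deny
# ROLE is accepted because a client may have assumed one, but it is never
# consulted: the guide states that ACL entries are checked against the user
# identity, so a role name placed in an ACL has no effect at runtime.
acl_decision() {
    user=$1; role=$2; ns=$3; op=$4
    # The local root identity is always granted write on every namespace; this
    # example also lets root read (an assumption of the example).
    if [ "$user" = root ]; then printf 'allow\n'; return 0; fi
    rights=$(acl_rights "$ns" "$user")
    case ",$rights," in
        *",$op,"*) printf 'allow\n' ;;
        *)         printf 'deny\n' ;;
    esac
}

# Demonstration: carol has assumed the 'operators' role, which has a write
# entry, yet her own identity has none, so the write is denied.
acl_decision carol operators 'root\cimv2' write
```

The last call prints deny: the operators role does appear in the ACL with write rights, but the decision is made on carol's user identity, which is exactly the behaviour the text warns about when a role name is placed in an ACL.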

Operations that involve MOF class instances might include the checking of either WBEM ACLs or RBAC authorizations.

You can also grant permissions to a user, or role identity, that allow that user to access and modify the instances of MOF classes whose providers use the RBAC authorizations. You grant these permissions by using the Rights tool in the Solaris Management Console User tool. The granting of permissions to a user is described in “Creating or Changing a Rights Profile” in System Administration Guide: Security Services.

If the instances for a MOF class are stored in the WBEM persistent datastore, the CIM Object Manager checks the WBEM ACL for the namespace that contains the MOF class. If the MOF class provider implementation accesses the provider's datastore, or accesses system data in the Solaris operating environment, the MOF class provider implementation almost always uses RBAC authorization checking.

In general, if a MOF class definition contains a Provider qualifier, the provider implementation usually makes RBAC authorization checks. If the MOF class definition does not contain a Provider qualifier, the CIM Object Manager:

Auditing

The WBEM server writes audit records for certain events during processing. For example, the WBEM server writes audit records whenever the authentication of a client succeeds or fails, and whenever an operation that modifies user information is executed.

The WBEM server uses the underlying Solaris Basic Security Module (BSM) to write its audit records. You must enable the BSM auditing mechanism (bsmconv) in the Solaris operating environment on the WBEM server to ensure that audit information is recorded. This command is described in bsmconv(1M).


Note –

If you are using Trusted Solaris™, you do not need to enable the BSM auditing mechanism.


Logging

The WBEM server writes log records to the WBEM log for particular security events, for example, when an authenticated session for a client is established or when authorization checking fails. You can review the WBEM log in the Solaris Management Console Log Viewer, which is described in Chapter 5, Viewing System Log Data (Tasks).

You can identify security-related log events by the category Security log, which is listed in the Category column. You can view only security log messages by selecting the category Security in the Log Viewer filter dialog box. Most security log messages include the user identity of the client and the name of the client host.

Using Sun WBEM User Manager to Set Access Control

Sun WBEM User Manager (wbemadmin) enables you and other privileged users to:


Note –

The user for whom you specify access control must have a Solaris user account.


What You Can and Cannot Do With Sun WBEM User Manager

You can set access privileges for individual namespaces or for a combination of a user and a namespace. When you add a user and select a namespace, the user is granted read access to CIM objects in the selected namespace by default.


Note –

An effective way to combine user and namespace access rights is to first restrict access to a namespace, and then grant individual users read, read and write, or write access to that namespace.


You cannot set access rights on individual managed objects. However, you can set access rights for all managed objects in a namespace, as well as on a per-user basis.

If you log in as root, you can set the following types of access to CIM objects:

Using Sun WBEM User Manager (Task Map)

The following table identifies the procedures that you need to follow to start and use Sun WBEM User Manager.

Task: Start the Sun WBEM User Manager.
Description: Start the Sun WBEM User Manager by using the wbemadmin command.
For Instructions: How to Start Sun WBEM User Manager

Task: Grant default access rights to a user.
Description: Grant default access rights to a user by using the Users Access tool of the Sun WBEM User Manager.
For Instructions: How to Grant Default Access Rights to a User

Task: Change access rights for a user.
Description: Change access rights for a user by using the Read and Write check boxes in the Sun WBEM User Manager.
For Instructions: How to Change Access Rights for a User

Task: Remove access rights for a user.
Description: Remove access rights for a user by using the Users Access tool of the Sun WBEM User Manager.
For Instructions: How to Remove Access Rights for a User

Task: Set access rights for a namespace.
Description: Set access rights for a namespace by using the Namespace Access tool of the Sun WBEM User Manager.
For Instructions: How to Set Access Rights for a Namespace

Task: Remove access rights for a namespace.
Description: Remove access rights for a namespace by using the Namespace Access tool of the Sun WBEM User Manager.
For Instructions: How to Remove Access Rights for a Namespace

Using Sun WBEM User Manager

This section describes how to start and use Sun WBEM User Manager.

How to Start Sun WBEM User Manager
  1. Become superuser.

  2. In a command window, type:


    # /usr/sadm/bin/wbemadmin
    

    Sun WBEM User Manager starts, and a Login dialog box opens.


    Note –

    Context-help information is available in the Context Help panel when you click on the fields in the Login dialog box.


  3. Fill in the fields on the Login dialog box.

    1. In the User Name field, type the user name.


      Note –

      You must have read access to the root\security namespace to log in. By default, Solaris users have guest privileges, which grant them read access to the default namespaces. Users with read access can view, but not change, user privileges.

      You must log in as root or a user with write access to the root\security namespace to grant access rights to users.


    2. In the Password field, type the password for the user account.

  4. Click OK.

    The User Manager dialog box opens. The dialog box contains a list of users and their access rights to WBEM objects within the namespaces on the current host.

How to Grant Default Access Rights to a User
  1. Start Sun WBEM User Manager.

  2. In the Users Access portion of the dialog box, click Add.

    A dialog box opens that lists the available namespaces.

  3. Type the name of a Solaris user account in the User Name field.

  4. Select a namespace from the listed namespaces.

  5. Click OK.

    The user name is added to the User Manager dialog box.

  6. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

    The user that you specified is granted read access to CIM objects in the namespace that you selected.

How to Change Access Rights for a User
  1. Start Sun WBEM User Manager.

  2. Select the user whose access rights you want to change.

  3. To grant the user read-only access, click the Read check box. To grant the user write access, click the Write check box.

  4. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

How to Remove Access Rights for a User
  1. Start Sun WBEM User Manager.

  2. In the Users Access portion of the dialog box, select the user name for which you want to remove access rights.

  3. Click Delete to delete the user's access rights to the namespace.

    A confirmation dialog box opens. This dialog box prompts you to confirm your decision to delete the user's access rights.

  4. To confirm, click OK.

  5. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

How to Set Access Rights for a Namespace
  1. Start Sun WBEM User Manager.

  2. In the Namespace Access portion of the dialog box, click Add.

    A dialog box opens. The dialog box lists the available namespaces.

  3. Select the namespace for which you want to set access rights:


    Note –

    By default, users have read-only access to a namespace.


    • To allow no access to the namespace, make sure that the Read and Write check boxes are not selected.

    • To allow write access, click the Write check box.

    • To allow read access, click the Read check box.

  4. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

How to Remove Access Rights for a Namespace
  1. Start Sun WBEM User Manager.

  2. In the Namespace Access portion of the dialog box, select the namespace for which you want to remove access control, and then click Delete.

    Access control is removed from the namespace, and the namespace is removed from the list of namespaces on the Sun WBEM User Manager dialog box.

  3. To save changes and close the User Manager dialog box, click OK. To save changes and keep the dialog box open, click Apply.

Troubleshooting Problems With WBEM Security

This section describes what to do when:

If a Client (User) Cannot Be Authenticated by the CIM Object Manager on the WBEM Server

If a client cannot be successfully authenticated by the CIM Object Manager on the WBEM server, the WBEM server returns a CIM security exception when it attempts to establish the CIM client handle in the client application. The exception contains an error code that indicates why the authentication attempt failed.

Error: NO_SUCH_PRINCIPAL
Probable Cause: Specified user identity was not valid in the Solaris operating environment on the WBEM server, or the user account for that user identity either has no password or is locked.
Solution: Check that the user has a valid user identity, that is, the user can log in to the Solaris operating environment on the WBEM server machine. The Solaris system that is set up as the WBEM server might be using user identities from a name service configured on the server, so you might need to check the name service tables.

Error: INVALID_CREDENTIAL
Probable Cause: Password for the specified user (or role, if assuming a role identity) is not valid for that user in the Solaris operating environment on the WBEM server.
Solution: Check that the user's password is correct.

Error: NO_SUCH_ROLE
Probable Cause: Role identity that is assumed in the authentication to the WBEM server is not a valid RBAC role in the Solaris operating environment on the WBEM server.
Solution: The role identity might be a valid entry in the passwd table on the server, but you will not be able to log in to the server under that identity (Solaris does not allow you to log in directly to role identities). So, you must check the passwd table for the role identity, and check the user_attr table to ensure that the role is defined as a role type of user. Role identities in the user_attr table each contain an attribute in the syntax type=role.
You can also check for a valid user or valid role identity by using the Solaris Management Console User tool. You can use User Management to check for a user, and you can use Role Management to check for a role. However, when using the User tool, you must know the correct source of the tables on the CIM Object Manager server. In other words, if the CIM Object Manager server is using a name service such as NIS, you must access the master server for that name service.

Error: CANNOT_ASSUME_ROLE
Probable Cause: Role identity is valid, but the specified user identity in the authentication exchange is not configured to assume that role.
Solution: Explicitly assign users to roles by using the Administrative Role tool in the Solaris Management Console User tool collection, which is described in “Changing Role Properties” in System Administration Guide: Security Services.
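The NO_SUCH_ROLE and CANNOT_ASSUME_ROLE entries above, together with the Role Assumption section earlier in this chapter, reduce to three checks on the passwd and user_attr tables: the role has a passwd entry, that entry is typed type=role in user_attr, and the user's own user_attr entry lists the role in its roles= attribute. The following POSIX shell script, added here as an example and not part of Solaris WBEM Services, runs those checks against constructed sample tables embedded in the script. The user and role names are invented, and reporting a passwd entry that lacks type=role as NO_SUCH_ROLE is this example's reading of the table above, not observed server behaviour.

```shell
#!/bin/sh
# Added example, not part of Solaris WBEM Services. Both tables below are
# constructed samples in the real passwd and user_attr layouts:
#   passwd:    name:password:uid:gid:gecos:home:shell
#   user_attr: name:qualifier:res1:res2:key=value;key=value
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/usr/bin/sh
alice:x:1001:10:Alice:/home/alice:/usr/bin/sh
wbemrole:x:2001:10:WBEM role:/home/wbemrole:/usr/bin/pfsh
oper:x:2002:10:Not a role:/home/oper:/usr/bin/sh'

SAMPLE_USER_ATTR='root::::type=normal;auths=solaris.*;profiles=All
alice::::type=normal;roles=wbemrole
wbemrole::::type=role;profiles=All'

# in_passwd NAME -> exit 0 if NAME has a passwd entry
in_passwd() {
    while IFS=: read -r name _rest; do
        [ "$name" = "$1" ] && return 0
    done <<EOF
$SAMPLE_PASSWD
EOF
    return 1
}

# user_attr_of NAME -> prints NAME's attribute field from user_attr (or nothing)
user_attr_of() {
    while IFS=: read -r name _qual _res1 _res2 attrs; do
        [ "$name" = "$1" ] && { printf '%s\n' "$attrs"; return 0; }
    done <<EOF
$SAMPLE_USER_ATTR
EOF
    return 0
}

# attr_value ATTRS KEY -> the value of KEY inside "k=v;k=v;..." (or nothing)
attr_value() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# role_check USER ROLE -> OK | NO_SUCH_ROLE | CANNOT_ASSUME_ROLE
# Mirrors the error the WBEM server returns for each failed step.
role_check() {
    user=$1; role=$2
    # 1. The role must exist as an account at all.
    in_passwd "$role" || { printf 'NO_SUCH_ROLE\n'; return 0; }
    # 2. That account must be typed as a role in user_attr (type=role).
    role_type=$(attr_value "$(user_attr_of "$role")" type)
    [ "$role_type" = role ] || { printf 'NO_SUCH_ROLE\n'; return 0; }
    # 3. The user must be explicitly assigned the role (roles=a,b,c).
    case ",$(attr_value "$(user_attr_of "$user")" roles)," in
        *",$role,"*) printf 'OK\n' ;;
        *)           printf 'CANNOT_ASSUME_ROLE\n' ;;
    esac
}

# Demonstration with the constructed tables.
role_check alice wbemrole   # OK
role_check alice oper       # NO_SUCH_ROLE: passwd entry, but no type=role
role_check root wbemrole    # CANNOT_ASSUME_ROLE: root is not assigned the role
```

On a real WBEM server, replace the embedded samples with the tables the server's name service actually consults (for example the output of getent passwd and the user_attr source named in the Solution column above); the roles(1) command prints the roles a given user is permitted to assume, which is the third check in one step.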

If Other CIM Security Exception Errors Appear

The WBEM server can return other error indications in the CIM security exception. However, these indications typically identify a system failure in the authentication exchange. The WBEM client configuration might not be compatible with the WBEM server configuration for the security options in the authentication exchange.

If these error indications occur, check that the WBEM installation on the client machine contains the appropriate configuration property values for security in WbemClient.properties. This file is usually located in the vendor extension subdirectory in the WBEM installation directory /usr/sadm/lib/wbem/extension.

Also, check the client application CLASSPATH setting to ensure that sunwbem.jar and the extension directory path name are on the class path.

If an Authorization Check Fails

If a client is not authorized to access or modify the data associated with a request to the WBEM server, the WBEM server returns a CIM security exception for that request that includes the ACCESS_DENIED error.

The ACCESS_DENIED error indicates that a WBEM request could not be completed because the authenticated user or the role has not been granted the appropriate access to the data being managed by that request.

Check the security messages in the WBEM log for the failed request (viewing log data is described in Viewing Log Data Through Log Viewer). Authorization failure log messages specify Access denied in the Summary column. The User column lists the name of the authenticated user or the role name that was used in the check. The Source column lists the name of the provider that is making the check. Note that the name of the provider that is listed in this column is a user-friendly provider name, not the provider implementation class name.

The detailed message contains the name of the permission that was being checked, and that has not been granted to the user or role.

If the permission appears as namespace:right, the authorization check was using a namespace ACL. The authenticated user has not been granted that permission (read or write) for that namespace.

Use Sun WBEM User Manager (wbemadmin) to grant the user the appropriate permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control.

If the permission appears as solaris.application.right, the authorization check was using an RBAC authorization.

Use the Administrative Role tool in the Solaris Management Console User tool collection to grant the rights that you want to the user or role. This procedure is described in “Changing Role Properties” in System Administration Guide: Security Services.
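The procedure above branches on the form of the permission name in the detailed message: namespace:right means a namespace ACL check, which wbemadmin fixes, while solaris.application.right means an RBAC authorization, which the Administrative Role tool fixes. The following POSIX shell script, added as an example and not part of Solaris WBEM Services, applies that rule to a small set of constructed records. The records are a stand-in for the Log Viewer columns the text names (Summary, User, Source, and the permission from the detailed message); the real WBEM log is not a '|'-separated file, and the provider names and user names are invented.

```shell
#!/bin/sh
# Added example, not part of Solaris WBEM Services. The records below are a
# constructed stand-in for the Log Viewer columns described in the text
# (Summary | User | Source | permission named in the detailed message).
SAMPLE_SECURITY_LOG='Access denied|alice|CIM Object Manager|root\cimv2:write
Access denied|bob|User Manager provider|solaris.admin.usermgr.write
Session established|alice|CIM Object Manager|-'

# classify_permission PERM
#   namespace:right           -> "acl NAMESPACE RIGHT"  (namespace ACL check)
#   solaris.application.right -> "rbac AUTHORIZATION"   (RBAC authorization)
classify_permission() {
    perm=$1
    case "$perm" in
        solaris.*) printf 'rbac %s\n' "$perm" ;;
        *:*)       printf 'acl %s %s\n' "${perm%:*}" "${perm##*:}" ;;
        *)         printf 'unknown %s\n' "$perm" ;;
    esac
}

# triage_access_denied: for every "Access denied" record, name the tool that
# grants the missing permission, following the rule in the text.
triage_access_denied() {
    while IFS='|' read -r summary user source perm; do
        [ "$summary" = 'Access denied' ] || continue
        kind=$(classify_permission "$perm")
        case "$kind" in
            acl*)  printf '%s (checked by %s): grant with wbemadmin, namespace ACL %s\n' \
                       "$user" "$source" "${kind#"acl "}" ;;
            rbac*) printf '%s (checked by %s): grant with the SMC Administrative Role tool, RBAC authorization %s\n' \
                       "$user" "$source" "${kind#"rbac "}" ;;
            *)     printf '%s (checked by %s): unrecognised permission name %s\n' \
                       "$user" "$source" "$perm" ;;
        esac
    done <<EOF
$SAMPLE_SECURITY_LOG
EOF
}

# count_access_denied -> number of authorization failures in the sample
count_access_denied() {
    triage_access_denied | grep -c .
}

triage_access_denied
```

Only the two Access denied records are reported; the session-established record is a security log entry but not an authorization failure, so it is skipped, matching the filtering the text describes for the Summary column.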