WBEM for Solaris on Sun Developer's Guide

Overview

The CIM Object Manager validates a user's login information for the machine on which the CIM Object Manager is running. A validated user is granted some form of controlled access to the entire Common Information Model (CIM) Schema. The CIM Object Manager does not provide security for system resources such as individual classes and instances. However, the CIM Object Manager does allow control of global permissions on a namespace and access control on a per-user basis.

All security-related information is represented by instances of security classes located in the root\Security namespace and must remain there permanently.

The following security features protect access to CIM objects on a WBEM-enabled system:

Authentication

When a user logs in and enters a user name and password, the client encrypts the password and sends the encrypted password to the CIM Object Manager. When the user is authenticated, the CIM Object Manager sets up a client session. All subsequent operations occur within that secure client session.

Authorization

The CIM Object Manager creates two user accounts:

Once the CIM Object Manager has authenticated the user's identity, that identity can be used to verify whether the user should be allowed to execute the application or any of its tasks. The CIM Object Manager supports capability-based authorization, which allows an administrator to assign read and write access to specific users. These authorizations are added to existing Solaris user accounts.


Note - We do not recommend logging in as root because successful login to the root account depends on how name services (for example, DNS, NIS, or NIS+) are set up on your system.