WBEM employs several mechanisms to ensure secure access to its data:
Authentication – The process of specifying a client's user identity to the WBEM server, and then using the client's credentials to verify the client.
Role assumption – Process that assumes that a Solaris OS role-based access control (RBAC) role identity is to be used by the WBEM server to check authorization.
Secure messaging – The process of adding a secure message authenticator to each client request message. This authenticator enables the WBEM server to check the origin of the message and to determine whether that message was modified during delivery.
Authorization – The process of verifying that an authenticated user or a role identity has been granted access to the data that is managed by WBEM. You use the Solaris Management Console User tool and Sun WBEM User Manager for authorization management.
Auditing – The process of writing an audit record of a specific operation that was performed by the WBEM server. These records track the changes that an authenticated user makes to the management data on the WBEM server system.
Logging – The writing of particular security-related events in the WBEM log. You can view the WBEM log by using the Solaris Management Console Log Viewer.
Each mechanism is described in more detail in the sections that follow.
When a client application connects to a CIMOM server, the client's user identity must be authenticated by the CIMOM on the WBEM server. The user's WBEM client must provide a Solaris OS user identity and its associated login password. The identity and credential are used in a security authentication exchange between the client and WBEM server. This exchange is to verify that the client is a valid Solaris OS user who is allowed to log in to the WBEM server system.
If the WBEM server cannot verify the user identity and credential and the user's identity is invalid, the WBEM server returns a CIM security exception. This exception includes the NO_SUCH_PRINCIPAL error.
If the WBEM server cannot verify the user's identity and credential and the user's password is invalid, the server returns a CIM security exception. This exception includes the INVALID_CREDENTIAL error.
A role identity can be assumed only when a WBEM user selects the Remote Method Invocation (RMI) protocol. Role assumption is not supported by the XML over HTTP protocol.
The Solaris platform implementation of WBEM supports the ability of a client to assume the identity of a Solaris OS role. When a client assumes the identity of a Solaris OS role, the client is authenticated by the CIMOM on the WBEM server. To check RBAC authorizations, the WBEM server uses the permission that is granted to the assumed role rather than the permission that is granted to the underlying user identity.
RBAC roles are described in more detail in Role-Based Access Control (Overview) in System Administration Guide: Security Services.
The client must provide the Solaris OS role identity and password in addition to a Solaris OS user identity and password when the client attempts to connect.
If the WBEM server cannot verify the Solaris OS role identity, the WBEM server returns a CIM security exception that includes the NO_SUCH_ROLE error.
If the role password is invalid for the specified role identity, the WBEM server returns the INVALID_CREDENTIAL error in the CIM security exception.
If both the role identity and role password are valid, but the user is not allowed to assume the role, the WBEM server returns an exception. The CANNOT_ASSUME_ROLE error is returned in the CIM security exception.
In the CIM RMI protocol, each request from the client to the WBEM server contains a message authenticator that is constructed from the message data. A one-way digest is also created with a session key that is established during the authentication exchange.
The WBEM server verifies this message authenticator. This verification guarantees two things: The request came from the same client that was authenticated The message was not modified or replayed on its way to the server
If the message was modified, replayed, or created by a source that was not the original client, the WBEM server returns a CIM security exception. This exception contains the CHECKSUM_ERROR error. The WBEM server also writes a log message to the WBEM log.
After connecting, the server uses the authenticated user or the role identity for all authorization checks on subsequent operations with the CIM client.
WBEM supports two types of authorization checking, using the following mechanisms:
Access control lists (ACLs) that are maintained by the WBEM server for specific name spaces
RBAC authorizations that are configured as part of the Solaris OS
The particular authorization checking mechanism that WBEM uses depends on how the MOF class provider is implemented. The particular authorization checking mechanism that WBEM uses for a specific MOF class operation depends on the following factors:
The particular operation that WBEM executes
How the MOF class provider is implemented
The classes defined in Solaris_Acl.mof implement WBEM ACL-based security. WBEM ACL-based security provides a default authorization scheme for Solaris WBEM Services. Under specific circumstances, WBEM-based security applies to a particular set of CIM operations. ACL-based security is uniquely provided by Solaris WBEM Services.
You use Sun WBEM User Manager (wbemadmin) to establish an ACL for a specific name space on the WBEM server. Sun WBEM User Manager enables you to add user, or role, names to the ACL for the name space. In addition, you can assign each user read or write permission. Sun WBEM User Manager is described in Using Sun WBEM User Manager to Set Access Control and in wbemadmin(1M).
Write permission allows a user to modify the class metadata, modify instances of MOF classes in that name space, and issue an invoke method on instances. The local WBEM server root user identity is always granted write permission to all name spaces on the server. All authenticated users without an explicit ACL entry are granted read permission by default.
Operations that include the accessing of MOF class metadata, such as getClass, use the WBEM ACLs. These operations check the permissions that are granted to the authenticated user by the ACL for the name space that contains the MOF class. You can set an RBAC role in an ACL entry. However, the ACL entry is always checked against the user identity rather than the role identity. In other words, you can set a role name in an ACL, but the CIMOM does not check the role name at runtime.
Operations that involve MOF class instances might include the checking of either WBEM ACLs or RBAC authorizations.
You can also grant permissions to a user, or role identity, which allow that user to access and modify the instances of MOF classes, whose providers use RBAC authorizations. You grant these permissions by using the Rights tool in the Solaris Management Console User tool. The granting of permissions to a user is described in Creating or Changing a Rights Profile in System Administration Guide: Security Services.
If the instances for a MOF class are stored in the WBEM persistent datastore, the CIMOM checks the WBEM ACL for the name space that contains the MOF class. Under the following conditions, the implementation of the MOF class provider almost always uses RBAC authorization checking:
The provider implementation for the MOF class accesses the provider's datastore
The provider implementation for the MOF class accesses system data in the Solaris OS
In general, if a MOF class definition contains a Provider qualifier, the provider implementation usually makes RBAC authorization checks. If the MOF class definition does not contain a Provider qualifier, the CIMOM takes the following actions:
Stores the instances of that class in the WBEM persistent datastore
Checks the ACL that controls access to the name space for the class to ensure that access is granted
The WBEM server writes audit records for certain events during processing. For example, the WBEM server writes audit records whenever client authentication succeeds or fails, and whenever an operation that modifies user information is executed.
The WBEM server uses the underlying Solaris Basic Security Module (BSM) to write its audit records. You must enable the BSM auditing mechanism (bsmconv) in the Solaris OS on the WBEM server to ensure that audit information is recorded. This command is described in bsmconv(1M).
Note - If you are using the Trusted Solaris software, you do not need to enable the BSM auditing mechanism.
The WBEM server writes log records to the WBEM log for particular security events. Two examples are when an authenticated session for a client is established and when an authorization fails. You can review the WBEM log in the Solaris Management Console Log Viewer, which is described in Chapter 9, Troubleshooting.
You can identify security-related log events by the category Security log, which is listed in the Category column. You can view only security log messages by selecting the category Security in the Log Viewer filter dialog box. Most security log messages include the user identity of the client and the name of the client host.