Solaris WBEM Services Administrator's Guide

Overview

There are two separate mechanisms for administering security within the Solaris operating environment: WBEM ACL (access control list) based security and Solaris RBAC (role-based access control).

The classes defined in the Solaris_Acl1.0.mof file are used to implement ACL-based security. This provides a default authorization scheme for the Solaris WBEM Services, and applies to all CIM operations. This feature is specific to the Solaris WBEM Services.

Instances of the Solaris_Acl1.0.mof classes determine the default authorizations assigned to a WBEM user and/or namespace. Provider programs, however, are allowed to override this scheme for CIM operations relating to instance manipulation; the Sun Solaris providers use the RBAC scheme to do this.

You can use the Sun WBEM User Manager (/usr/sadm/bin/wbemadmin) to add users to existing ACLs with either read or write permissions. See "Using the Sun WBEM User Manager to Set Access Control". You can also write WBEM applications using the Solaris_Acl1.0.mof classes to set access control. See "Using the APIs to Set Access Control".
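As an added illustration of the API route just mentioned (not code from the guide), the following Java client grants one user read-only access to a namespace by creating an ACL instance through the CIM Object Manager. The class name Solaris_UserAcl, its properties (username, nspace, capability), the root/security namespace and the capability value "r" are assumptions taken from the Solaris WBEM SDK as recalled here and should be checked against the installed Solaris_Acl1.0.mof; host, account and target user are placeholders.

```java
import javax.wbem.cim.CIMClass;
import javax.wbem.cim.CIMException;
import javax.wbem.cim.CIMInstance;
import javax.wbem.cim.CIMNameSpace;
import javax.wbem.cim.CIMObjectPath;
import javax.wbem.cim.CIMValue;
import javax.wbem.client.CIMClient;
import javax.wbem.client.PasswordCredential;
import javax.wbem.client.UserPrincipal;

public class GrantReadOnlyAcl {
    public static void main(String[] args) throws CIMException {
        // Connect to the CIM Object Manager as a privileged account.
        // "localhost", "root" and the root/security namespace are placeholders
        // for this example; the password is taken from the first argument so
        // that it is not embedded in source.
        CIMNameSpace ns = new CIMNameSpace("localhost", "root/security");
        UserPrincipal admin = new UserPrincipal("root");
        PasswordCredential pw = new PasswordCredential(args[0]);
        CIMClient cc = new CIMClient(ns, admin, pw, CIMClient.CIM_RMI);
        try {
            // Fetch the ACL class definition (assumed name) and derive a
            // fresh, unpopulated instance from it.
            CIMObjectPath op = new CIMObjectPath("Solaris_UserAcl");
            CIMClass aclClass = cc.getClass(op, false, true, true, null);
            CIMInstance acl = aclClass.newInstance();

            // Least privilege: the placeholder account "wbemuser" receives
            // read capability only ("r", assumed value) on root/cimv2.
            acl.setProperty("username", new CIMValue("wbemuser"));
            acl.setProperty("nspace", new CIMValue("root/cimv2"));
            acl.setProperty("capability", new CIMValue("r"));

            // Persist the new ACL entry; the CIM Object Manager enforces it
            // for subsequent operations in that namespace.
            cc.createInstance(op, acl);
        } finally {
            cc.close();
        }
    }
}
```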

The classes defined in the Solaris_Users1.0.mof file are used to implement Solaris RBAC security for defining user roles and privileges, via the Users tool of the Solaris Management Console (SMC). The SMC tool lets you add users to existing roles and grant RBAC rights to existing users. (An RBAC right is managed in the portion of the SMC tool.) See "Solaris Management Console Tool".

Sun WBEM Security Features

The CIM Object Manager validates a user's login information for the machine on which the CIM Object Manager is running. A validated user is granted some form of controlled access to the entire Common Information Model (CIM) Schema. The CIM Object Manager does not provide security for system resources such as individual classes and instances. However, the CIM Object Manager does allow control of global permissions on namespace and access control on a per-user basis.

The following security features protect access to CIM objects on a WBEM-enabled system:

Note that no digital signing of messages is performed.

Authentication

When a user logs in and enters a user name and password, the client uses the password to generate an encrypted digest which the server verifies. When the user is authenticated, the CIM Object Manager sets up a client session. All subsequent operations occur within that secure client session and contain a MAC token which uses the session key negotiated during authentication.

Authorization

Once the CIM Object Manager has authenticated the user's identity, that identity can be used to verify whether the user should be allowed to execute the application or any of its tasks. The CIM Object Manager supports capability-based authorization, which allows a privileged user to assign read and write access to specific users. These authorizations are added to existing Solaris user accounts.

Solaris Management Console Tool

The SMC tool lets you add users to existing roles and grant RBAC rights to existing users. (An RBAC right is managed in the portion of the SMC tool.)

To Start SMC and the Users Tool
  1. Change to the location of the SMC invocation command by typing the following:

    # cd /usr/sbin

  2. Start SMC by typing the following command:

    # smc

  3. Double-click on "This Computer" (or single-click the expand/compress icon next to it) in the left-hand Navigation panel to expand the tree beneath it. Do the same for "System Configuration", and you will see the Users icon underneath.

  4. Click on the Users icon to start the application.

Figure 3-1 Solaris Management Console, with Users Tool Selected


For more information on the SMC tool, see the man page smc(1M).