
HP WBEM Services for HP-UX System Administrator's Guide

Manufacturing Part Number: B8465-90001 E0902

U.S.A. Copyright 2002 Hewlett-Packard Company. All rights reserved.

Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

HEWLETT-PACKARD COMPANY 3000 Hanover Street Palo Alto, California 94304 U.S.A.

Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs in their present form or with alterations, is expressly prohibited.

Copyright Notices. copyright 2002 Hewlett-Packard Company, all rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

copyright 1979, 1980, 1983, 1985-93 Regents of the University of California. This software is based in part on the Fourth Berkeley Software Distribution under license from the Regents of the University of California.

copyright 1980, 1984, 1986 Novell, Inc. copyright 1986-1992 Sun Microsystems, Inc. copyright 1985-86, 1988 Massachusetts Institute of Technology. copyright 1989-93 The Open Software Foundation, Inc. copyright 1986 Digital Equipment Corporation. copyright 1990 Motorola, Inc. copyright 1990, 1991, 1992 Cornell University copyright 1989-1991 The University of Maryland copyright 1988 Carnegie Mellon University

This product includes software developed by The Open Group Pegasus Project (http://www.opengroup.org/pegasus). The Open Group Pegasus Project Copyright (c) 2000, 2001, 2002 BMC Software, Hewlett-Packard Company, IBM, The Open Group, Tivoli Systems.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). OpenSSL Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This package is an SSL implementation written by Eric Young (eay@cryptsoft.com), written so as to conform with Netscape's SSL. Original SSLeay License: Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

Contents

1. Overview of WBEM Services
  WBEM Services Standards
  WBEM Services Architecture

2. How Does WBEM Services Work?
  Who Uses WBEM Services?
  WBEM Services Providers
  Client Requests
  How WBEM Services Processes Requests
  WBEM Services Executables

3. Example of a Client Request
  Example Request
  Example Response

4. Installing and Setting up WBEM Services
  Before Starting WBEM Services
  Providers Included with WBEM Services
  Clients Included with WBEM Services
  Starting and Stopping WBEM Services
  The cimserver Command
  cimserverd
  Maintaining the Repository
  CIM Server Properties
  The cimconfig Command

5. Security Considerations
  User Authentication
  Local User Authentication
  Remote User Authentication
  HTTPS and HTTP
  Namespace Authorization

6. Troubleshooting
  Checklist for Troubleshooting WBEM Services
  WBEM Services Messages
  Syslog Messages
  Standard CIM Messages
  WBEM Services Command Messages

A. How Resources are Represented (CIM Schema)

B. WBEM Services CIM Operations
  The InvokeMethod Operation
  Operations Implemented by Providers
  Operations on Properties
  Class Manipulation Operations
  Qualifier Operations

Glossary

Index


Preface
This guide describes how a system administrator uses HP WBEM Services for HP-UX on HP 9000 servers running the HP-UX operating system. The contents are as follows:

Chapter 1, Overview of WBEM Services, introduces WBEM Services: what it is, where it comes from, and how you can learn more about it.

Chapter 2, How Does WBEM Services Work?, gives you an idea of how providers and clients work. The WBEM Services commands are summarized in Chapter 2.

Chapter 3, Example of a Client Request, shows a client request and the response received, both encoded in XML.

Chapter 4, Installing and Setting up WBEM Services, describes what system administrators should do before they actually use WBEM Services for HP-UX. It tells how to prepare the system for installation, and how to start WBEM Services. It lists the WBEM Services configuration properties that can be set.

Chapter 5, Security Considerations, describes WBEM Services security, and describes WBEM Services authentication, authorization, and encryption.

Chapter 6, Troubleshooting, lists some suggestions to try if you have trouble. It also lists the messages generated by WBEM Services.

Appendix A gives you some background into CIM terms used by clients and providers to represent resources in the repository.

Appendix B lists the operations implemented in WBEM Services.

Table 1

The Glossary defines terms you may encounter when using WBEM Services.

Printing History

Printing Date: September, 2002
Part Number: B8463-90001
Edition: First Edition

The last printing date and part number indicate the current edition, which applies to the 1.0 version of HP WBEM Services for HP-UX. The printing date changes when a new edition is printed. (Minor corrections and updates which are incorporated at reprint do not cause the date to change.) The part number is revised when extensive technical changes are incorporated. New editions of this manual will incorporate all material updated since the previous edition. HP Printing Division:
Infrastructure Solutions Division Hewlett-Packard Co. 19111 Pruneridge Ave. Cupertino, CA 95014


Overview of WBEM Services


This chapter introduces HP WBEM Services for HP-UX: what it is, where it comes from, and how you can learn more about it.

WBEM Services acts as an information broker; it is a way that providers and clients can communicate. A provider is developed to offer access to a resource. The provider defines the resource and tells WBEM Services what information it will provide to clients, and what actions it will perform for clients. Clients send requests to WBEM to get information about, and access to, the registered resources.

HP WBEM Services for HP-UX runs on HP-UX computers. However, communication is not limited to HP-UX. The information is stored and exchanged using widely accepted WBEM standards developed by the Distributed Management Task Force, Inc. (see http://www.dmtf.org). WBEM Services is based on The Open Group's Pegasus Open Source Software (OSS) Project (see http://www.opengroup.org/pegasus). Because information is formatted for the web, the exchange is not platform-dependent. WBEM-standard products can provide information about resources on several operating systems and platforms.

To understand more about WBEM standards and design, go to http://www.dmtf.org/education/index.php and begin the tutorial for CIM (Common Information Model). The CIM operations that WBEM Services supports are listed in Appendix B.


WBEM Services Standards


WBEM Services implements DMTF WBEM standards. The three core standards used by WBEM Services are:

A data model, CIM, the Common Information Model standard

The CIM specification is the language and methodology for describing management data. CIM is a conceptual information model for describing resources. It is not bound to a particular implementation, so WBEM Services can accept requests from other platforms. WBEM Services keeps information about its managed resources in the WBEM Services repository, following the Common Information Model. For an overview of data representation, see Appendix A. For more information, see Common Information Model (CIM) Specification, Version 2.0 (from http://www.dmtf.org/standards/cim_spec_v20/index.php).

An encoding specification, CIM-XML

xmlCIM is the specification for representing CIM in XML. Requests come from clients to WBEM Services as CIM operations encoded in XML. WBEM Services sends the responses to the clients in XML. For an overview of XML, see http://www.w3.org/XML for the W3C Architecture domain's Extensible Markup Language (XML). For more information about XML, see DMTF's Representation of CIM in XML (from http://www.dmtf.org/standards/published_documents.php). Chapter 3 has an example of an XML-encoded request and response.

A transport mechanism, CIM Operations over HTTP

CIM Operations over HTTP Specification (from http://www.dmtf.org/standards/published_documents.php) specifies the way HTTP (HyperText Transfer Protocol) is used to transport the CIM information. This document defines a mapping of CIM operations onto HTTP that allows implementations of CIM to interoperate in an open, standardized manner.

For more information about the WBEM Services HTTP Server, the ports reserved for WBEM Services, and other transport issues, see Chapter 5 Security Considerations. For more information about DMTF's WBEM standards, see http://www.dmtf.org.


WBEM Services Architecture


The four main components of WBEM Services are:

CIM server, the Common Information Model server

CIM server interacts with providers. CIM server receives requests from management clients. It contacts the provider of that information, and waits for the provider's response. It sends that response back to the client.

CIM repository

The repository keeps definitions of the data about all the managed objects and their providers. When a valid request is received, WBEM Services will go to the repository and look up the managed resource. The resource owners register their provider with WBEM Services, telling what information or methods they will provide and how WBEM Services can invoke the appropriate action. WBEM Services defines several operations to query or manipulate the repository. Information can be entered as MOF files, using the cimmof command. Information can be entered as XML files, using the wbemexec command. For information about maintaining and restoring the repository, see the Maintaining the Repository section of Chapter 4, and the checklist in Chapter 6, Troubleshooting.

MOF Compiler (Managed Object Format)

The compiler reads MOF files and loads their information into the repository. A MOF file is a text representation of CIM classes. MOF standards are defined by the DMTF, and are explained in their tutorial section Specifying Schema at http://www.dmtf.org/education/cimtutorial. For more information, see the cimmof man page.

HTTP Server (HyperText Transfer Protocol)

The server handles communication between WBEM Services and clients. The WBEM Services product includes an embedded HTTP server. This is not a web server. It will receive only valid CIM messages, and reject any other HTTP request.

For more information, see Chapter 5, Security Considerations.


How Does WBEM Services Work?


This chapter gives you an idea of how WBEM Services for HP-UX provides a management infrastructure so clients and providers can communicate. It outlines how providers register their resources' properties (attributes or characteristics) and methods (capabilities, operations, or actions) with WBEM Services. It gives an overview of how clients use WBEM to make a request about a resource and receive a response. Chapter 3 has an example of an actual request sent by a client, and the response it received.

WBEM Services can receive requests from clients on many different kinds of systems and platforms, as long as the requests conform to the DMTF CIM-XML standard. WBEM Services processes the client's requests and passes them to the appropriate providers. When providers receive requests, they pass information back to WBEM Services. Then WBEM Services sends a response back to the client.


Who Uses WBEM Services?


Providers use WBEM Services to help their users manage particular things about their resource. Clients use WBEM Services to manage resources. Following information in provider documentation, developers write a software client to send requests to WBEM Services. WBEM Services conveys the request to the appropriate registered provider. The providers send information back to WBEM Services. WBEM Services sends that information back to the client in a response. One response is sent for each request, even when the information comes from several providers. See Appendix A for some of the common terms and concepts used by providers to represent resources.

WBEM Services Providers


To manage a resource, a developer writes software called a CIM provider. When you install a provider on your system, it registers itself with WBEM Services.

When a Provider Installs

When a provider registers with WBEM Services, it supplies this information:

The definition of the resource. See Appendix A, How Resources are Represented. Resources are defined largely by characteristics inherited from the most general classes and passed to the more specific subclasses. For example, there could be a schema, Creature, that contained a class Human. Human could, in turn, have a subclass Female. Class Female could, in turn, have several more subclasses until we get to the specific instance of MyMother. Resources can also be grouped in namespaces. WBEM Services installs with four namespaces, listed in Appendix A.

What information the resource provider will expose (make available) about the resource. These are the properties and methods. For example, one property of MyMother would be her unique Name and SocialSecurityNumber. Other properties might include Birthdate and PhoneNumber.

A shared library to invoke the actions that are offered to manage the resource. For example, it would be handy if the method callMother would remind me of her PhoneNumber when her Birthdate approaches.

Information about the provider itself: its version, its type, a description of itself, how to invoke it, and the name of its shared libraries.

Providers are enabled automatically when they are registered. After that, you can disable them with the cimprovider command. Once disabled, they can only be re-enabled with the cimprovider command.

Provider Responsibilities

Developers of a WBEM resource provider are responsible for informing their users (clients) about their provider: how to specify the provider's resources in CIM schema, and what properties and methods it offers. After a resource has been registered, the provider's developers can replace it with a newer version to add, remove, and modify information about the resource, including new classes, properties, and methods.

Client Requests
Management clients make requests to WBEM Services. A client request must include:

A properly formed HTTP header. A remote request must be addressed to the WBEM Services HTTP server on wbem-http port or wbem-https port.

Requests must be written in XML. For information about XML coding for CIM, see Specification for the Representation of CIM in XML, Version 2.0 July 20th, 1999 at http://www.dmtf.org/download/spec/xmls/CIM_XML_Mapping20.php

The operation desired and its required parameters. For example, the GetClass operation requires a class name. The osinfo request in Chapter 3 uses the EnumerateInstances operation; its only requirement is the class name.

The namespace. For example, the osinfo request in Chapter 3 specifies the PG_OperatingSystem class in the root/cimv2 namespace.

It is the responsibility of the resource's provider to document the name of the resource and its properties and methods. Client developers can use the documentation to write client software. System Administrators use the documentation to decide whether to install the provider. A client can use CIM operations, such as the EnumerateInstances operation used in the example in Chapter 3. The client developer uses standard CIM operations like GetClass and GetProperty to gather resource information. The CIM operations supported by WBEM Services are listed in Appendix B.


How WBEM Services Processes Requests


The client request is a CIM operation sent by HTTP to WBEM Services. The request is encoded in XML (eXtensible Markup Language). The WBEM Services HTTP server listens for CIM messages on the wbem-http or the wbem-https port.

1. First, the client connects to the WBEM Services HTTP server. A remote client sends a valid system login (name and password) to a system with WBEM Services that has the appropriate provider installed. For information about login permissions, see Chapter 5, Security Considerations.

2. The WBEM Services CIM Server uses its XML decoder to parse the XML in the request. If there is an error, it returns an error message and stops processing the request. Only a valid CIM operation is accepted. A request could be rejected by the HTTP Server if it had badly formed HTTP headers or badly formed XML. For information about XML coding for CIM, see Specification for the Representation of CIM in XML, Version 2.0 July 20th, 1999 at http://dmtf.org/download/spec/xmls/CIM_XML_Mapping20.php

3. If the request is valid, the CIM Server consults the CIM repository and checks the following things:

Does this namespace exist? If not, an error is returned and WBEM Services stops processing the request. For example, the osinfo request used in Chapter 3 has this namespace information:

    <LOCALNAMESPACEPATH>
    <NAMESPACE NAME="root"/>
    <NAMESPACE NAME="cimv2"/>
    </LOCALNAMESPACEPATH>

Does this user have permission in this namespace? If the WBEM Services property enableNamespaceAuthorization is set to true, WBEM Services will also check to be sure the user is allowed access to this namespace. (See Chapter 5, Security Considerations, for more about authorization.)

Does this class exist? WBEM Services looks up the classname given in the request. For example, the osinfo request used in Chapter 3 has this class information:

    <IPARAMVALUE NAME="ClassName">
    <CLASSNAME NAME="PG_OperatingSystem"/>
    </IPARAMVALUE>

Does this resource have a registered provider? If there is no provider registered for this resource, WBEM Services returns an error to the client. For example, the provider for the osinfo client request is the Operating System Provider.

4. When WBEM Services finds the registered provider, it also finds the provider's instructions about how to reach its appropriate shared library. WBEM Services uses this to invoke the appropriate method and tell the provider which user is making the request. After receiving the request, the provider's developers are responsible for any additional user authorization it requires, for performing the action, and for returning a response to WBEM Services.

5. The WBEM Services CIM Server waits for a response from the provider, and conveys the response back to the client. Each request gets one response, even if it contains information from more than one provider. For example, a client may ask WBEM Services for a list of all the printers available to a system. Several providers may respond, one for each type of printer. WBEM Services waits till all the providers respond and combines the information in one response to the client. If no provider can be reached, or none respond, WBEM Services returns an error (CIM_ERR_NOT_SUPPORTED) to the client. For a list of the standard CIM errors and other messages, see Chapter 6, Troubleshooting.
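The checks in steps 2 and 3, sketched as an added Python example that is not part of the HP guide or of WBEM Services: it parses the Chapter 3 osinfo request and applies the namespace, authorization, class and provider checks in the order listed, including the cimauth rule that Write does not include Read. The repository contents, the users, the mapping of operations to Read, and the status names other than CIM_ERR_NOT_SUPPORTED (DMTF CIM status code names, chosen here) are assumptions of the sketch.

```python
import xml.etree.ElementTree as ET

# The Chapter 3 osinfo request, with attribute quotes written out.
OSINFO_REQUEST = """<?xml version="1.0" ?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
 <MESSAGE ID="51000" PROTOCOLVERSION="1.0">
  <SIMPLEREQ>
   <IMETHODCALL NAME="EnumerateInstances">
    <LOCALNAMESPACEPATH>
     <NAMESPACE NAME="root"/>
     <NAMESPACE NAME="cimv2"/>
    </LOCALNAMESPACEPATH>
    <IPARAMVALUE NAME="ClassName">
     <CLASSNAME NAME="PG_OperatingSystem"/>
    </IPARAMVALUE>
   </IMETHODCALL>
  </SIMPLEREQ>
 </MESSAGE>
</CIM>"""

# Constructed stand-in for the CIM repository (hypothetical contents).
REPOSITORY = {
    "root/cimv2": {
        "classes": {"PG_OperatingSystem", "EX_NoProvider"},
        "providers": {"PG_OperatingSystem": "Operating System Provider"},
    },
}

# Constructed cimauth-style table: (user, namespace) -> granted permissions.
AUTHORIZATIONS = {
    ("alice", "root/cimv2"): {"read"},
    ("bob", "root/cimv2"): {"write"},  # Write alone does not grant Read
}

# Assumption: both operations only read data, so they need Read.
REQUIRED_PERMISSION = {"EnumerateInstances": "read", "GetClass": "read"}


def parse_request(xml_text):
    """Step 2: decode the XML; return (operation, namespace, classname)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"badly formed XML: {exc}") from exc
    call = root.find("./MESSAGE/SIMPLEREQ/IMETHODCALL")
    if root.tag != "CIM" or call is None:
        raise ValueError("not a CIM intrinsic method call")
    parts = [ns.get("NAME")
             for ns in call.findall("./LOCALNAMESPACEPATH/NAMESPACE")]
    cls = call.find("./IPARAMVALUE[@NAME='ClassName']/CLASSNAME")
    if not parts or None in parts or cls is None or not cls.get("NAME"):
        raise ValueError("missing namespace or ClassName")
    return call.get("NAME"), "/".join(parts), cls.get("NAME")


def process_request(user, xml_text, enable_namespace_authorization=False):
    """Step 3: run the repository checks; return (status, detail)."""
    try:
        operation, namespace, classname = parse_request(xml_text)
    except ValueError as exc:
        return ("REJECTED", str(exc))
    if operation not in REQUIRED_PERMISSION:
        return ("CIM_ERR_NOT_SUPPORTED", operation)
    # Does this namespace exist?
    ns = REPOSITORY.get(namespace)
    if ns is None:
        return ("CIM_ERR_INVALID_NAMESPACE", namespace)
    # Does this user have permission in this namespace? Only checked when
    # enableNamespaceAuthorization is true, which is not the default.
    if enable_namespace_authorization:
        granted = AUTHORIZATIONS.get((user, namespace), set())
        if REQUIRED_PERMISSION[operation] not in granted:
            return ("CIM_ERR_ACCESS_DENIED", user)
    # Does this class exist?
    if classname not in ns["classes"]:
        return ("CIM_ERR_INVALID_CLASS", classname)
    # Does this resource have a registered provider?
    provider = ns["providers"].get(classname)
    if provider is None:
        return ("CIM_ERR_NOT_SUPPORTED", classname)
    return ("OK", provider)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, process_request(user, OSINFO_REQUEST, True))
```

With namespace authorization left at its default (off), any authenticated user passes the second check, so bob's request succeeds until the property is set to true.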


WBEM Services Executables


This section lists WBEM Services' eight commands, one executable script, and one daemon process. The eight commands have man pages with more information. The daemon also has a man page. The eight commands are:

cimauth - authorize users for a specified namespace

You can add, modify, or remove authorization per user, per namespace. Assign Read or Write permissions. (Write does not automatically include Read.) This command is only relevant if the property enableNamespaceAuthorization is set to true, which is not the default. (Set the enableNamespaceAuthorization property with the cimconfig command.) You can also list all the authorizations configured on the CIM Server.

You must have root permission to use cimauth. You can use cimauth only when CIM Server is running.

cimconfig - set, unset, or get CIM Server properties.

An operation using the current option changes the value immediately; an operation using the planned option takes effect the next time the CIM Server is started with the cimserver command. WBEM Services properties are listed in Chapter 4.

You must have root permission to use cimconfig. For current values, CIM Server must be running. For planned values, CIM Server can be running or not.

cimmof - used by WBEM Services to compile .mof (Managed Object Format) files and put the information into the repository.

MOF formatted files can be used for resource and/or provider information. MOF files must follow the DMTF standard format. The cimmof man page has rules for specifying locations where the files are loaded. Use the -h option for help with cimmof syntax.

You must have root permission to use cimmof. Schema can only be loaded as local root, regardless of any authorizations done through cimauth. If namespace authorization is enabled, the user must also have Write authorization in the namespace. You can use cimmof only when CIM Server is running.

cimprovider - disable, enable, or remove registered CIM providers or CIM provider modules.

An option lists the providers, modules, and module status. The list option can be executed by any user. You must have local root permission to use the other options. You can use cimprovider only when CIM Server is running.

cimserver - start or gracefully stop WBEM Services.

After installation, you must start CIM Server with this command the first time. If the system is rebooted after that, CIM Server is intended to automatically restart. However, there are three times that the CIM Server can only be started by an operator command:

  The first time after WBEM Services installs
  If the server was stopped by an operator's command
  If an operator disables both the HTTPS and HTTP connections in the planned configuration. For a planned configuration to take effect, an operator stops and restarts CIM Server. However, it cannot restart with both ports disabled. Therefore, when you enter the command to restart, it must include an option to enable one (and only one) of the connections.

Use the -v option to see the version number of the CIM Server. Use the -h option for help with command syntax.

At shutdown, you can specify a value for the shutdown property on the cimserver command line. This value will be used only for this shutdown. For example, if the system is stressed, you may want to allow this shutdown an unusually long time.

At startup, you can specify several property and value pairs on the cimserver command line. These values will be used for the current process.

After a restart, the values will return to their previous settings. See Chapter 5 for the cimconfig command and a list of settable properties. For example, if the system is stressed, you can stop the CIM Server and specify a temporary shutdown timeout, longer than the usual.

If you try to start CIM Server when it is already running, no action is taken. You will see this message:

    Error: Bind failed. Failed to bind to socket.

You must have root permissions to use cimserver to stop or start. You can stop or get a version number with cimserver only when CIM Server is running. You can start it only when CIM Server is not running.

openssl - generate and manage x509 certificates.

Use openssl to manage various cryptography functions of OpenSSL's crypto library from the shell. WBEM Services includes a limited version of the full OpenSSL toolkit. OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. For more about OpenSSL, go to http://www.openssl.org/docs.

The openssl man page on your system may have a description of all the OpenSSL options. However, WBEM Services only supports the following options:

  ca - a minimal CA application
  ciphers - SSL cipher display and cipher list tool
  gendsa - generates a DSA private key from a set of parameters
  rsautl - RSA utility to sign, verify, encrypt and decrypt data using the RSA algorithm
  dsa - processes DSA keys
  genrsa - generates an RSA private key
  req - PKCS#10 certificate and certificate generating utility
  verify - utility to verify certificates
  x509 - certificate display and signing utility
  dsaparam - DSA parameter manipulation and generation

  rsa - processes RSA keys
  version - prints OpenSSL version information

You must have root permission to use openssl. You can use openssl whether CIM Server is running or not.

osinfo - run a WBEM Services client that gathers information about the operating system where the command is issued.

The command uses the Operating System Provider, which is bundled with WBEM Services for HP-UX. The response lists some properties of the class, including the hostname, operating system type, version, user license, OS capability (32- or 64-bit), last boot time, local date time, and system uptime. By default, the information is formatted for display in English with uptime displayed in days, hours, minutes, and seconds. You can choose to get the information in CIM format. You can use the command for troubleshooting, to see if WBEM Services can return a simple request about its own system.

Any user can execute the osinfo command; root permission is not required. You can use it only when CIM Server is running.

wbemexec - submit a CIM Operation Request to a CIM Server.

The request must be encoded in XML. The CIM response is also encoded in XML. You will get a message if the request does not pass the syntax checks of the CIM Server's HTTP server or the XML decoder. If you do not specify an input file, wbemexec will assume all information is coming from stdin.

By default, the operation is executed on the local host, but the command allows specifying a different hostname. If no port number is specified, wbemexec first attempts to connect to the CIM Server on the default port for wbem-http service; if that fails, it tries the default port for wbem-https.

By default, the request is sent as an HTTP/1.1 request, using the HTTP M-POST method. You can choose to specify a method (either POST or M-POST) and the HTTP version (1.0 or 1.1).

You can specify that SSL (Secured Socket Layer) protocol be used between wbemexec and the CIM Server. Be sure to use this option if you specify a host name and port number that expects clients to connect using HTTPS.

If you have specified a host name or a port number, you can specify the username and password to be used for the connection to the CIM Server. By default, wbemexec has a 20 second timeout. You can specify a different timeout.

You do not need root permission to use wbemexec. You can use wbemexec only when CIM Server is running.

The cimserverd daemon has a man page, with instructions on changing its polling interval.

cimserverd - WBEM Services' way to automatically restart itself in case of failure.

cimserverd is not intended to be used by operators. It is designed for WBEM Services itself. Users can, however, set the interval for cimserverd. To see how to do that, read the cimserverd man page. Users start (and halt) CIM Server with the cimserver command. If the CIM Server was halted by an operator with the cimserver command, cimserverd cannot automatically restart it.

The WBEM Services script is:

init_repository - used by WBEM Services and providers, this script initializes the repository.

If the repository is moved or corrupted, you should first try to restore it from backup. If that does not work, you use the init_repository script to restore it to the state it was in at installation. You will lose everything that was entered after install, so you will need to re-install any providers you added.

You do not need root permission to use init_repository. You can use it only when CIM Server is running.


Example of a Client Request


This chapter gives an example of a client request and the response. The request is for the EnumerateInstances operation on the PG_OperatingSystem class. Requests and responses are encoded in XML. For more information about XML, see Specification for the Representation of CIM in XML, Version 2.0 July 20th, 1999, at: http://www.dmtf.org/download/spec/xmls/CIM_XML_Mapping20.php

The following information is in a table format. The first column has line numbers for the actual request and response. The middle column may group several related lines. The right-hand column is a comment on the corresponding middle column. The request is first; it is 16 lines long. Next is the response; it is actually 172 lines long, but lines 81 to 170 were cut for brevity.


Example Request
Table 3-1 EnumerateInstances Request for PG_OperatingSystem Class

| Line | Request | Comment |
|------|---------|---------|
| 1 | <?xml version="1.0" ?> | Begin specifying that this is an XML-encoded CIM message. (See end at line 15 and 16) |
| 2 | <CIM CIMVERSION="2.0" DTDVERSION="2.0"> | |
| 3 | <MESSAGE ID="51000" PROTOCOLVERSION="1.0"> | |
| 4 | <SIMPLEREQ> | This is a simple request for the operation: method EnumerateInstances |
| 5 | <IMETHODCALL NAME="EnumerateInstances"> | |
| 6 | <LOCALNAMESPACEPATH> | Line 6 begins (and 9 ends) specifying the /root/cimv2 namespace for the CIM operation |
| 7 | <NAMESPACE NAME="root"/> | |
| 8 | <NAMESPACE NAME="cimv2"/> | |
| 9 | </LOCALNAMESPACEPATH> | |
| 10 | <IPARAMVALUE NAME="ClassName"> | Line 10 begins (and 12 ends) specifying the class name (required) for EnumerateInstances: PG_OperatingSystem |
| 11 | <CLASSNAME NAME="PG_OperatingSystem"/> | |
| 12 | </IPARAMVALUE> | |
| 13 | </IMETHODCALL> | Ending of the method call and simple request. |
| 14 | </SIMPLEREQ> | |
| 15 | </MESSAGE> | Ending of the CIM operation request message. |
| 16 | </CIM> | |

Lines 1-3: This is checked when the request comes to the HTTP Server. At this point, several things have to happen to continue:
- The client must be able to connect to the system on the authorized port.
- CIM Server must be running.
- The user/password pair must pass authorization.
- The request must have a properly formed header.
- When the request is parsed, it must not contain XML errors.

Lines 4 and 5: At this point, WBEM Services considers the operation that is requested. If it is a supported operation, the process continues.

Lines 6 - 9: Two criteria must be met to continue:
- This namespace must be valid.
- If enableNamespaceAuthorization property is enabled, this user must be authorized to access this namespace.

Lines 10 - 12: The classname must exist, and it must have a provider registered. The provider must respond to the request. Here, the OS Provider is registered for the PG_OperatingSystem class. Checking the provider documentation, you can see that it supports the EnumerateInstances method.

Now it is up to the provider to process the request and send a response. If the resource does not respond, WBEM Services will send a message to the client. If the resource sends its own error, WBEM Services will pass this on to the client in its response. Often, these messages will be appended to a standard CIM error.


Example Response
The table shows the response to the request to EnumerateInstances for PG_OperatingSystem. The return value is a named instance. Named instances include both INSTANCENAME (the instance with its key properties) and INSTANCE (all the properties). Because this instance has so many properties, some of them have been cut from the example text.

Table 3-2 EnumerateInstances Response for PG_OperatingSystem Class

| Line | Response | Comment |
|------|----------|---------|
| 1 | <?xml version="1.0" encoding="utf-8"?> | Lines 1 - 3 indicate this is an XML-encoded message. (See end at lines 171 and 172.) |
| 2 | <CIM CIMVERSION="2.0" DTDVERSION="2.0"> | |
| 3 | <MESSAGE ID="51000" PROTOCOLVERSION="1.0"> | |
| 4 | <SIMPLERSP> | This is simple response to Enumerate Instances method |
| 5 | <IMETHODRESPONSE NAME="EnumerateInstances"> | |
| 6 | <IRETURNVALUE> | Return value is named instance (all properties) |
| 7 | <VALUE.NAMEDINSTANCE> | |
| 8 | <INSTANCENAME CLASSNAME="PG_OperatingSystem"> | Begin keys of class name |
| 9 | <KEYBINDING NAME="CreationClassName"> | One key for this instance. It is CreationClassName, a string, and its value is CIM_OperatingSystem |
| 10 | <KEYVALUE VALUETYPE="string"> | |
| 11 | CIM_OperatingSystem | |
| 12 | </KEYVALUE> | |
| 13 | </KEYBINDING> | |
| 14 | <KEYBINDING NAME="CSCreationClassName"> | Next key is CSCreationClassName, a string, with value CIM_UnitaryComputerSystem |
| 15 | <KEYVALUE VALUETYPE="string"> | |
| 16 | CIM_UnitaryComputerSystem | |
| 17 | </KEYVALUE> | |
| 18 | </KEYBINDING> | |
| 19 | <KEYBINDING NAME="CSName"> | The next key is CSName, also a string, with value mycomputer.hp.com |
| 20 | <KEYVALUE VALUETYPE="string"> | |
| 21 | mycomputer.hp.com | |
| 22 | </KEYVALUE> | |
| 23 | </KEYBINDING> | |
| 24 | <KEYBINDING NAME="Name"> | The next key is Name, also a string, with the value of HP-UX |
| 25 | <KEYVALUE VALUETYPE="string"> | |
| 26 | HP-UX | |
| 27 | </KEYVALUE> | |
| 28 | </KEYBINDING> | |
| 29 | </INSTANCENAME> | End of keys for instance |
| 30 | <INSTANCE CLASSNAME="PG_OperatingSystem"> | Begin all properties of instance |
| 31 | <PROPERTY NAME="CSCreationClassName" TYPE="string"> | First key property is CSCreationClassName, a string, with value = CIM_UnitaryComputerSystem |
| 32 | <VALUE> | |
| 33 | CIM_UnitaryComputerSystem | |
| 34 | </VALUE> | |
| 35 | </PROPERTY> | |
| 36 | <PROPERTY NAME="CSName" TYPE="string"> | Next key property |
| 37 | <VALUE> | |
| 38 | mycomputer.hp.com | |
| 39 | </VALUE> | |
| 40 | </PROPERTY> | |
| 41 | <PROPERTY NAME="CreationClassName" TYPE="string"> | Next key property |
| 42 | <VALUE> | |
| 43 | CIM_OperatingSystem | |
| 44 | </VALUE> | |
| 45 | </PROPERTY> | |
| 46 | <PROPERTY NAME="Name" TYPE="string"> | Next key property |
| 47 | <VALUE> | |
| 48 | HP-UX | |
| 49 | </VALUE> | |
| 50 | </PROPERTY> | |
| 51 | <PROPERTY NAME="Caption" TYPE="string"> | Next property |
| 52 | <VALUE> | |
| 53 | The current Operating System | |
| 54 | </VALUE> | |
| 55 | </PROPERTY> | |
| 56 | <PROPERTY NAME="Description" TYPE="string"> | Next property |
| 57 | <VALUE> | |
| 58 | This instance reflects the Operating System on which the CIMOM is executing (as distinguished from instances of other installed operating systems that could be run). | |
| 59 | </VALUE> | |
| 60 | </PROPERTY> | |
| 61 | <PROPERTY NAME="Status" TYPE="string"> | Next property |
| 62 | <VALUE> | |
| 63 | Unknown | |
| 64 | </VALUE> | |
| 65 | </PROPERTY> | |
| 66 | <PROPERTY NAME="OSType" TYPE="uint16"> | Next property (unsigned integer, 16 bit) (DMTF specifies that 8 = HP-UX) |
| 67 | <VALUE> | |
| 68 | 8 | |
| 69 | </VALUE> | |
| 70 | </PROPERTY> | |
| 71 | <PROPERTY NAME="LastBootUpTime" TYPE="datetime"> | Next property (datetime data type) |
| 72 | <VALUE> | |
| 73 | 2010924091618.000000-420 | |
| 74 | </VALUE> | |
| 75 | </PROPERTY> | |
| 76 | <PROPERTY NAME="CurrentTimeZone" TYPE="sint16"> | Next property (signed integer, 16 bit) |
| 77 | <VALUE> | |
| 78 | -420 | |
| 79 | </VALUE> | |
| 80 | </PROPERTY> | |
| ... | ... Several properties of the instance were removed from this example. ... | |
| 171 | </INSTANCE> | End of this instance's properties |
| 172 | </VALUE.NAMEDINSTANCE> | End of named instance |
| 173 | </IRETURNVALUE> | End return value |
| 174 | </IMETHODRESPONSE> | End method response |
| 175 | </SIMPLERSP> | End simple response |
| 171 | </MESSAGE> | End message |
| 172 | </CIM> | End CIM XML message |
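The request of Table 3-1 and the response of Table 3-2 can be produced and read programmatically. The following is an added example, not code from HP or from WBEM Services: it builds the EnumerateInstances request for any namespace and class, and extracts keys and typed properties from a response. The sample response is constructed and abridged from Table 3-2, and the ERROR element it checks for comes from the DMTF CIM-XML mapping rather than from the tables above.

```python
import xml.etree.ElementTree as ET


class CIMError(Exception):
    """Raised when the response carries an ERROR element instead of a value."""

    def __init__(self, code, description):
        super().__init__(f"CIM error {code}: {description}")
        self.code = code
        self.description = description


def build_enumerate_instances(namespace, class_name, message_id="51000"):
    """Return the request of Table 3-1 for the given namespace and class."""
    cim = ET.Element("CIM", CIMVERSION="2.0", DTDVERSION="2.0")
    msg = ET.SubElement(cim, "MESSAGE", ID=message_id, PROTOCOLVERSION="1.0")
    req = ET.SubElement(msg, "SIMPLEREQ")
    call = ET.SubElement(req, "IMETHODCALL", NAME="EnumerateInstances")
    path = ET.SubElement(call, "LOCALNAMESPACEPATH")
    # "root/cimv2" becomes one NAMESPACE element per path component.
    for part in namespace.strip("/").split("/"):
        ET.SubElement(path, "NAMESPACE", NAME=part)
    param = ET.SubElement(call, "IPARAMVALUE", NAME="ClassName")
    ET.SubElement(param, "CLASSNAME", NAME=class_name)
    return '<?xml version="1.0" ?>\n' + ET.tostring(cim, encoding="unicode")


def _typed(prop):
    """Convert a PROPERTY's VALUE text according to its CIM TYPE attribute."""
    raw = prop.findtext("VALUE")
    if raw is None:
        return None
    raw = raw.strip()
    ctype = prop.get("TYPE", "string")
    if ctype[:4] in ("uint", "sint"):
        return int(raw)
    if ctype == "boolean":
        return raw.lower() == "true"
    return raw  # string, datetime and anything else stay as text


def parse_named_instances(xml_text):
    """Return [(keys, properties)] from an EnumerateInstances response."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # Added precaution: the messages shown here carry no inline DTD, and
        # refusing one avoids entity-expansion input from a remote server.
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(xml_text.encode("utf-8"))
    rsp = root.find("./MESSAGE/SIMPLERSP/IMETHODRESPONSE")
    if rsp is None:
        raise ValueError("not a simple intrinsic-method response")
    err = rsp.find("ERROR")
    if err is not None:
        # CODE is one of the CIM status codes (for example 5 = invalid class).
        raise CIMError(int(err.get("CODE")), err.get("DESCRIPTION", ""))
    result = []
    for rv in rsp.iterfind("IRETURNVALUE"):
        for named in rv:
            if named.tag != "VALUE.NAMEDINSTANCE":
                continue
            keys = {kb.get("NAME"): (kb.findtext("KEYVALUE") or "").strip()
                    for kb in named.iterfind("./INSTANCENAME/KEYBINDING")}
            props = {p.get("NAME"): _typed(p)
                     for p in named.iterfind("./INSTANCE/PROPERTY")}
            result.append((keys, props))
    return result


# Constructed sample: Table 3-2 reduced to two keys and three properties.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
<MESSAGE ID="51000" PROTOCOLVERSION="1.0">
<SIMPLERSP>
<IMETHODRESPONSE NAME="EnumerateInstances">
<IRETURNVALUE>
<VALUE.NAMEDINSTANCE>
<INSTANCENAME CLASSNAME="PG_OperatingSystem">
<KEYBINDING NAME="CSName"><KEYVALUE VALUETYPE="string">
mycomputer.hp.com
</KEYVALUE></KEYBINDING>
<KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">HP-UX</KEYVALUE></KEYBINDING>
</INSTANCENAME>
<INSTANCE CLASSNAME="PG_OperatingSystem">
<PROPERTY NAME="Name" TYPE="string"><VALUE>HP-UX</VALUE></PROPERTY>
<PROPERTY NAME="OSType" TYPE="uint16"><VALUE> 8 </VALUE></PROPERTY>
<PROPERTY NAME="CurrentTimeZone" TYPE="sint16"><VALUE>-420</VALUE></PROPERTY>
</INSTANCE>
</VALUE.NAMEDINSTANCE>
</IRETURNVALUE></IMETHODRESPONSE></SIMPLERSP>
</MESSAGE></CIM>
"""
```

The string returned by build_enumerate_instances can be saved to a file and submitted with wbemexec.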


Installing and Setting up WBEM Services


This chapter describes what system administrators should do before they actually use WBEM Services for HP-UX.

NOTE

Do not move or change any WBEM Services file locations! All directories are pre-determined. Provider and client developers need a stable file system. The files need to stay where they expect to see them.

This chapter lists the prerequisites you need before you can use WBEM Services. Full instructions for installing are in the WBEM Services for HP-UX Release Notes. (You can view, print, and download a copy of the Release Notes from http://www.docs.hp.com.) Installation is mostly automatic; you do not have configuration options. Be sure you enter swverify B8465BA at the end of install.

After install, you must start WBEM Services for the first time, with the cimserver command. Enter: cimserver (no options).

After installing, you can set some options, the properties of WBEM Services itself. Once WBEM Services is running with the properties you want, back up the files listed below. The first two files are the SSL certificates files. The next four are the directories for the repository files.

/var/opt/wbem/server.pem
/var/opt/wbem/client.pem
/var/opt/wbem/repository/root/
/var/opt/wbem/repository/root#PG_InterOp/
/var/opt/wbem/repository/root#PG_Internal/
/var/opt/wbem/repository/root#cimv2/


Continue to back up these files regularly. If these files are deleted, moved, or corrupted, you need to back up the /var/opt/wbem/repository directory.

If you don't have a backup file for the SSL certificates files, you will need to re-install WBEM Services or re-create certificates using the OpenSSL toolkit. See http://www.openssl.org/docs/ for information on adding back the certificates you used since the last time you installed.

If you do not have backup files for the repository, you can only return to the state of the last install. You will lose everything that was added since the last time you installed. You will have to reinstall any providers you added. Any data will be lost.


Before Starting WBEM Services


For WBEM Services to work, these things must be present:

Configured ports: WBEM Services for HP-UX supports only ports 5988 (wbem_http) and 5989 (wbem_https). These two ports are specified by the Distributed Management Task Force and are registered with IANA (Internet Assigned Numbers Authority at http://www.iana.org).

NOTE

Hewlett-Packard supports only these two port configurations: HTTP on port 5988, and HTTPS on port 5989.

By default, WBEM Services HTTP server listens for SSL (Secure Sockets Layer) encrypted communications on the HTTPS (secure) port, 5989. If you are sure your environment is secure, you could set the configuration so the server will listen at the HTTP (not SSL) port, 5988. See Chapter 5, Security Considerations. When WBEM Services receives an HTTP request over the configured port, it checks user authentication, parses the request, looks up the resource, and contacts the registered provider if applicable. The provider sends a response to WBEM Services, and WBEM Services sends it back to the client through this port.

WBEM Services infrastructure: Install (swinstall) and verify (swverify) the software product bundle B8465BA. See the Release Notes for specific information about installing your version of WBEM Services for HP-UX. The release notes can be viewed or printed from http://www.docs.hp.com -> network and system management.


NOTE

If you already have WBEM Services installed, check your release notes before uninstalling it or re-installing it. You could remove all the files associated with WBEM Services and make all your providers unavailable.

NOTE

Do not move or change WBEM Services files. Their locations are predetermined.

Providers Included with WBEM Services


Three providers are shipped with WBEM Services for HP-UX. These providers are installed automatically with WBEM Services. They are:

The Computer System Provider
ComputerSystem provider gives basic computer system information, like the computer name and status.

The Operating System Provider
OperatingSystem provider gives basic identity information about the managed system where it is running. It is a generic operating system provider.

The Process Provider
The Process Provider supplies basic UNIX process information, such as the name of the executable image, process ID, priority, execution state, and various process resource utilization statistics.

To see a list of provider modules on your system, use the cimprovider -l command. To see a provider in a particular module, use cimprovider -l -m <modulename>.

Clients Included with WBEM Services


The WBEM Services product includes a simple client you can use to exercise the infrastructure. After installing the infrastructure and the bundled providers, you can run it to check that things are running smoothly.

The osinfo command invokes a client request to the included Operating System Provider. If all is well, you will receive a formatted text reply that looks something like the following:

OperatingSystem Information
  Host: MySystem.com
  Name: HP-UX
  Version: B.11.00
  UserLicense: Unlimited user license
  OSCapability: 32 bit
  LastBootTime: Jul 17, 2002 16:18:35 (-0700)
  LocalDateTime: Aug 9, 2002 15:57:47 (-0700)
  SystemUpTime: 1985952 seconds = 22 days, 23 hrs, 39 mins, 12 secs

See Chapter 3 of this book for the request sent by osinfo, and the unformatted response.


Starting and Stopping WBEM Services


You must start CIM Server with the cimserver command when it first installs. After that, it is designed to be always running and ready to serve CIM requests, unless a user command stops it. To see if the CIM Server is running, enter

ps -ef|grep -v cimserverd |grep cimserver

cimserver is a WBEM Services daemon process; it is designed to restart automatically when the operating system reboots, and stay running as long as the operating system is running. If cimserver should fail, another daemon (cimserverd) automatically restarts it. However, cimserver will not be automatically restarted in two cases. In both cases, you need to start it with the cimserver command:

- If a user deliberately stopped the CIM Server with the cimserver -s command, and then never restarted it
- If a user disabled both the HTTP and the HTTPS connections. This is done with the cimconfig command, setting both enableHttpConnection and enableHttpsConnection to false. When you restart CIM Server, you can specify the type of connection on the cimserver command line to get started. Once the CIM Server is running, use cimconfig to enable one connection type in the properties file.

The cimserver Command


Use the cimserver command to start WBEM Services after you first install it. If you stop the CIM Server, restart it with the cimserver command. If CIM Server was stopped by a user command, the cimserverd daemon cannot automatically restart it, and CIM Server will not be automatically started on reboot.

Entering cimserver with no options starts the CIM Server on the system where the command is issued. Use the -s option to stop the CIM Server, the -v option to see the version number of the CIM Server, and the -h option for help on the command's syntax.

On startup, you have the option of including parameters to specify configuration property values, but these settings will last only as long as the current process. Use the format <propertyName>=<value>. For a more lasting value, change the shutdown timeout property value with cimconfig. For a list of properties and their default value, see the man page for the cimconfig command.

One configuration value, shutdownTimeout, is only valid with cimserver -s, the shutdown form. (And it is the only property that the stop form can use.) That timeout value is only used for that particular shutdown. Specify the amount of time for a graceful shutdown; after timeout passes, CIM Server will kill all processes, finished or not.

You must be a privileged user (have root permissions on the local system) to use the cimserver command.

cimserverd
The cimserverd daemon automatically restarts the cimserver process if it fails. However, it will not restart cimserver if it was stopped by a user command. cimserverd is intended for WBEM Services, not for users. Users start the CIM Server with the cimserver command. Privileged users can reset the timing, however.

By default, cimserverd checks the status of the cimserver process every 30 seconds. To adjust the time between checks, edit the value in the /etc/opt/wbem/cimserver_retry.conf file. After editing the file, you must kill the process to force cimserverd to read the file:

1. Find the cimserverd PID (process identification number), using ps -ef |grep cimserverd
2. Kill the process, using kill -9 <pid_number>
3. cimserverd will automatically respawn, because it has an entry in /etc/inittab


Maintaining the Repository


WBEM Services keeps definitions of the data about managed objects and their providers in its repository. The repository files (in /var/opt/wbem/repository/) are created as a by-product of the WBEM Services installation. They should never be deleted or moved. Four namespaces install with WBEM Services. Others may be added by clients and providers. The four that are automatically installed are:

- root: The root namespace exists to conform to the DMTF specifications.
- root/cimv2: The standard CIM schemas go here. Also, the schemas for the bundled providers.
- root/PG_Interop: This is for provider registration. This space is reserved exclusively for providers, and all providers must register here. (See cimprovider man page.)
- root/PG_Internal: This space is reserved for use by WBEM Services only.

It is important to schedule frequent backups of the repository directories and files. If the repository is moved or lost or it becomes corrupted, restore the files you backed up. If you cannot restore the files, the init_repository script will restore the files to the way they were when you first installed WBEM Services. The three providers that installed with WBEM Services will be intact. However, any managed objects, providers, or namespaces that you added since you first installed WBEM Services will be gone. You will need to re-register (perhaps reinstall) all the added providers. To run the script, enter the following commands:

1. cimserver -s
   (Shut down the CIM Server.)
2. mv /var/opt/wbem/repository /var/opt/wbem/repository.bak
   (Move the /var/opt/wbem/repository directory.)
3. cimserver
   (Start the CIM Server.)
4. /opt/wbem/sbin/init_repository
   (Run the init_repository script.)


CIM Server Properties


After WBEM Services for HP-UX is installed, you can configure these properties, using the cimconfig command. You must have privileged user (root) capabilities to modify properties. It is good practice to regularly back up the two property configuration files:

/var/opt/wbem/cimserver_current.conf contains the current values
/var/opt/wbem/cimserver_planned.conf contains planned values, not yet in effect

NOTE

Do not edit configuration files directly! Use the cimconfig command to change the property values in the files.

At startup, you can temporarily modify property values by entering a propertyname=value pair on the cimserver command line. However, these modifications last only as long as that execution of the CIM Server. At shutdown, you can temporarily modify just one property value, shutdownTimeout, by entering a value on the cimserver shutdown command line.

The timeout value can be changed dynamically. The others cannot. For all the other properties, you must use the -p parameter to indicate your change, then you must stop and restart CIM Server. The -p parameter is explained in the cimconfig command summary below.

enableHttpConnection - Set to true or false. The default is false, which means that WBEM Services will listen on port 5989 for HTTPS connections. Setting it to true allows user access through port 5988, using HTTP TCP/IP communication. Use HTTP connections only if you are certain your environment is secure. For more information, see Chapter 5, Security Considerations.

There are two ways to connect: HTTPS and HTTP. WBEM Services cannot listen on both ports simultaneously. If both properties are set to true, only HTTPS connections will be allowed. If both are set to false, neither method will be allowed, and the CIM Server will be shut down and disabled from automatically re-starting.

enableHttpsConnection - Set to true or false. The default, true, allows user access through port 5989, using HTTPS TCP/IP communication. HTTPS connection has better security than HTTP. For more information, see Chapter 5, Security Considerations.

There are two ways to connect: HTTPS and HTTP. WBEM Services cannot listen on both ports simultaneously. If both properties are set to true, only HTTPS connections will be allowed. If both are set to false, neither method will be allowed, and the CIM Server will be shut down and disabled from automatically re-starting.

enableNamespaceAuthorization - Set to true or false. The default, false, means that users are authorized across all namespaces. If enableNamespaceAuthorization is set to true, you must authorize each user, namespace by namespace, with the cimauth command. You can use namespace authorization if you need the extra security of restricting access to certain namespaces. Users with root permission on the local system are always privileged users. A privileged user can grant namespace authorizations to others. For more information, see Chapter 5, Security Considerations.

enableRemotePrivilegedUserAccess - Set to true or false. The default, false, means that no remote privileged users can access the CIM Server. A remote privileged user is a user from another system who has been authorized as root on this system (see the cimauth command). If privileged access is set to true, a remote privileged user can access the CIM Server. For more information about user authorization, see Chapter 5, Security Considerations.

shutdownTimeout - Set to a number of seconds. When a cimserver -s shutdown command is issued, the timeout is the maximum number of seconds allowed for the CIM Server to complete outstanding CIM operation requests before shutting down. If the specified timeout period expires, the CIM Server will shut down, even if there are still CIM operations in progress. Minimum value is 2 seconds. Default value is 10 seconds.


The cimconfig Command


The cimconfig command manages CIM Server configuration properties. The operations are executed on the CIM Server running on the local host. Use the cimconfig command to get, set, or unset CIM Server property values. Use the -l (list) option to see all properties and their values.

An operation on a current property (cimconfig with -c option) takes effect immediately. An operation on a planned property (cimconfig with a -p option) takes effect the next time the CIM Server is started with the cimserver command. Dynamic properties can be set with either current or planned. Non-dynamic properties must be set using the planned option. Modifications made by cimconfig remain in effect until they are changed by another cimconfig command.

WBEM Services must be up and running to issue the cimconfig command. You can temporarily modify property values when WBEM Services is down, by entering options at startup in the cimserver command line. However, these modifications last only as long as that execution of the CIM Server.


Security Considerations
This chapter describes WBEM Services security. Security is checked first at the communication path. WBEM Services has three pathways:

- Local users with requests: If the user is on the same system as the WBEM Services, WBEM accepts the authentication already done by the system itself. See Local Authentication, below.
- Remote users with requests: If the user is coming from a remote system, he enters through the WBEM Services HTTP Server. The embedded HTTP server receives only valid CIM Messages; all other requests are rejected. User information is included in the XML-encoded HTTP message header. The CIM Server checks the user-password information. See Remote Authentication, below.
- Providers: WBEM interacts with its registered providers through shared libraries.

NOTE

CIM providers run as privileged users. Be very careful installing a provider that does not come from a trusted source.

After WBEM passes on a request to a provider, the provider is responsible for checking its own security. The provider sets the rules about which requests it considers, and the conditions for granting or refusing them. If a provider requires authorization beyond that checked by WBEM Services, the provider supplier is responsible for documenting its own rules.

WBEM Services uses dedicated ports for CIM-XML traffic. Two ports are specified by DMTF and registered with IANA for CIM-XML communications between remote clients and the CIM Server:

- HTTP TCP/IP communication on port 5988 (wbem_http)
- HTTPS TCP/IP communication on port 5989 (wbem_https)

Hewlett-Packard supports only these two port configurations.


User Authentication
When a user request comes through HTTP (HyperText Transport Protocol) or HTTPS (HTTP Secure), the CIM Server determines whether this is a legitimate user on the system. If the request does not pass authentication, the request is rejected without processing. Local users are users on a system sending requests to WBEM Services on the same system. Remote users are users on a system sending requests to WBEM Services on another system.

Local User Authentication


For local users, the CIM Server uses a local authentication mechanism. The CIM Server uses the existing file system security to authenticate the user. WBEM accepts the authentication already done by the system itself, so local requests include only the users' login names, not their passwords.

Remote User Authentication


Remote users accessing CIM Server are authenticated with a request/challenge mechanism using HTTP Basic authentication. A request is received from a management client. The CIM Server challenges the client to send a Base64 encoded username and password in the HTTP Authorization header. To verify that the encoded user-password pair are authorized on the system, WBEM Services calls PAM (Pluggable Authentication Module). For information about PAM, see the PAM man page and go to http://docs.hp.com. Click on your operating system (for example HP-UX 11.0). Next, click System Administration. View, download, or print the manual Managing Systems and Workgroups: A Guide for HP-UX System Administrators.

When WBEM Services installs, the CIM Server will be configured with a randomly-generated, self-signed certificate. If a self-signed server certificate does not give a sufficient level of trust, the system administrator can use a central Certificate Authority to issue certificates.

HTTPS and HTTP


WBEM Services listens on one port at a time, either the HTTPS or the HTTP port. By default, enableHttpsConnection is set to true, and WBEM Services listens on port 5989. You can set the HTTPS connection to false, and set the property enableHttpConnection to true. Use the cimconfig command to reset the property file. To change properties temporarily, for just one session, start CIM Server with the cimserver command and use the command-line properties option.

If you try to set both HTTPS and HTTP to true (enabled), WBEM Services will listen only at the HTTPS port. If you set both to false (disabled), WBEM Services cannot function. When you restart to make the change effective, the CIM Server will not be able to restart. You will have to use the cimserver command with only one of the options, either enableHttpsConnection=true or enableHttpConnection=true. This sets the property temporarily and starts WBEM Services. Once CIM server is running, use cimconfig to set a connection in the properties file.

By default, WBEM Services uses SSL (Secured Socket Layer) for all communications, with server-side certificates that are trusted by the management application. This gives both spoof protection and confidentiality. There is an option to disable SSL, but change it with caution.

NOTE

Basic Authentication requires the client to pass both the user name and password, both in Base64 encoding. This encoding is not secure. SSL should only be disabled in a highly secure environment, where passing clear text passwords is not an issue.

WBEM Services uses OpenSSL to support HTTPS connections. OpenSSL is a cryptography toolkit that implements the network protocols and related cryptography standards of SSL v2/v3 and TLS (Transport Layer Security). For more about OpenSSL, go to http://www.openssl.org/docs. On the HTTPS port, CIM clients are required to use SSL (Secure Socket Layer) to establish connections with the CIM Server and to send or receive CIM requests.
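The connection rules from the CIM Server Properties section and the HTTPS and HTTP section, together with the Basic Authentication note, can be checked mechanically. This is an added example, not part of WBEM Services: it assumes the property values are available as name=value lines (the layout used on the cimserver command line; how you export them is up to you), and the finding codes and the sample header are constructed for illustration.

```python
import base64

# Defaults as stated in the property descriptions in Chapter 4.
DEFAULTS = {
    "enableHttpConnection": "false",
    "enableHttpsConnection": "true",
    "enableNamespaceAuthorization": "false",
    "enableRemotePrivilegedUserAccess": "false",
    "shutdownTimeout": "10",
}


def parse_properties(text):
    """Parse name=value lines (assumed layout) on top of the defaults."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def _on(props, name):
    return props[name].lower() == "true"


def effective_listener(props):
    """Apply the rule that only one of the two ports is served at a time."""
    if _on(props, "enableHttpsConnection"):
        return ("https", 5989)      # wins even if HTTP is also enabled
    if _on(props, "enableHttpConnection"):
        return ("http", 5988)
    return (None, None)             # CIM Server will not start


def audit(text):
    """Return (scheme, port, findings); findings are (code, message) pairs."""
    props = parse_properties(text)
    scheme, port = effective_listener(props)
    findings = []
    if scheme is None:
        findings.append(("NO_LISTENER",
                         "both connections disabled: CIM Server will not start"))
    elif scheme == "http":
        findings.append(("CLEARTEXT_HTTP",
                         "port 5988 carries Basic credentials without SSL"))
    elif _on(props, "enableHttpConnection"):
        findings.append(("BOTH_ENABLED",
                         "both set to true: only HTTPS on 5989 is served"))
    if _on(props, "enableRemotePrivilegedUserAccess"):
        findings.append(("REMOTE_PRIVILEGED",
                         "remote privileged users can access the CIM Server"))
    if not _on(props, "enableNamespaceAuthorization"):
        findings.append(("NO_NAMESPACE_AUTHZ",
                         "users are authorized across all namespaces"))
    try:
        timeout_ok = int(props["shutdownTimeout"]) >= 2
    except ValueError:
        timeout_ok = False
    if not timeout_ok:
        findings.append(("BAD_TIMEOUT", "shutdownTimeout minimum is 2 seconds"))
    return scheme, port, findings


def basic_credentials(authorization_header):
    """Show that a Basic Authorization value is encoded, not encrypted."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed header value, as a client would send it on either port.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"operator:example-password").decode("ascii")
```

Anyone who can read the traffic on port 5988 can run the same decoding step, which is why the CLEARTEXT_HTTP finding matters.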


Namespace Authorization
CIM Services gives authenticated users controlled access to the entire CIM schema. It does not check security for specific resources, like individual classes and instances. However, you can choose to control each user's access by requiring authorization for each user on each namespace. A user with root permission (uid 0) on the local system can use the cimconfig command to set the WBEM Services enableNamespaceAuthorization property to true, then use the cimauth command to set each user's access authorization on each namespace.

NOTE

A user with root permission on the local system (uid 0) always has all permissions on all namespaces.

When namespace authorization is set to true, and a user submits a request for a namespace that he isn't authorized on, this user error is displayed:

Not authorized to run <requesting operation> in the namespace <requesting namespace>.

For more information about authorization, see the man pages for the cimauth and cimconfig commands. Authorizations are: Read, Write, or Read and Write. (Notice that Write does not automatically include Read.)

The following CIM operations require Write authorization:

- CreateClass
- CreateInstance
- DeleteClass
- DeleteInstance
- DeleteQualifier
- InvokeMethod
- ModifyClass
- ModifyInstance
- SetProperty
- SetQualifier

The following CIM operations require Read authorization:

- EnumerateClasses
- EnumerateClassNames
- EnumerateInstances
- EnumerateInstanceNames
- EnumerateQualifiers
- GetClass
- GetInstance
- GetProperty
- GetQualifier

A summary of the operations is in Appendix B.
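The authorization rules above, including the point that Write does not include Read, are easy to get wrong when reviewing grants. The following added example (not WBEM Services code) models the decision; the grants dictionary keyed by (user, namespace) with values "r", "w" or "rw" is a hypothetical representation, not the format cimauth stores.

```python
WRITE_OPS = frozenset({
    "CreateClass", "CreateInstance", "DeleteClass", "DeleteInstance",
    "DeleteQualifier", "InvokeMethod", "ModifyClass", "ModifyInstance",
    "SetProperty", "SetQualifier",
})
READ_OPS = frozenset({
    "EnumerateClasses", "EnumerateClassNames", "EnumerateInstances",
    "EnumerateInstanceNames", "EnumerateQualifiers", "GetClass",
    "GetInstance", "GetProperty", "GetQualifier",
})


def required_permission(operation):
    """Map an operation from the two lists above to 'r' or 'w'."""
    if operation in WRITE_OPS:
        return "w"
    if operation in READ_OPS:
        return "r"
    raise ValueError(f"operation not covered by this chapter: {operation}")


def check_access(user, uid, namespace, operation, grants,
                 namespace_authorization=True):
    """Return (allowed, message) for one request.

    grants is a hypothetical {(user, namespace): "r" | "w" | "rw"} mapping.
    """
    needed = required_permission(operation)
    if not namespace_authorization:
        return True, ""          # default: authorized across all namespaces
    if uid == 0:
        return True, ""          # local root always has all permissions
    held = grants.get((user, namespace), "")
    if needed in held:
        return True, ""
    return False, (f"Not authorized to run {operation} "
                   f"in the namespace {namespace}.")


def allowed_operations(user, namespace, grants):
    """List what a non-root user's grant on one namespace actually permits."""
    held = grants.get((user, namespace), "")
    ops = set()
    if "r" in held:
        ops |= READ_OPS
    if "w" in held:
        ops |= WRITE_OPS
    return sorted(ops)


# Constructed grants for illustration.
SAMPLE_GRANTS = {
    ("alice", "root/cimv2"): "w",    # Write only: cannot enumerate or get
    ("bob", "root/cimv2"): "rw",
}
```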


Troubleshooting
This chapter is for people who are having trouble while trying to use WBEM Services. There is a short checklist of things to check before calling support. The WBEM Services messages are listed here.


Checklist for Troubleshooting WBEM Services


If you are having trouble with WBEM Services, try this checklist before calling Support:

- Is CIM Server running? Enter ps -ef|grep -v cimserverd |grep cimserver. If it isn't running, enter cimserver (no options).
- Is WBEM Services installed correctly? Enter: swverify B8465BA
- Do you have the essential files? These directories and files are created as a by-product of the WBEM Services installation. They should never be moved. The first two files are the SSL certificates files. The next four are the directories for the repository files.

  /var/opt/wbem/server.pem
  /var/opt/wbem/client.pem
  /var/opt/wbem/repository/root
  /var/opt/wbem/repository/root#PG_InterOp
  /var/opt/wbem/repository/root#PG_Internal
  /var/opt/wbem/repository/root#cimv2

  If any of these files are missing, restore all the repository directories and files from your backup. If you cannot restore the repository directories, you will have to re-initialize the repository. This will return it to the state it was in when you installed WBEM Services, and you will lose any changes made since then. See Maintaining the Repository in Chapter 4.
- Are you trying to process a request when the provider is not registered? Enter cimprovider -l -s to list the name and status of the registered provider modules and cimprovider -l -m <modulename> to see the individual providers in that module.
- Exercise the path that requests follow: enter osinfo. This invokes a simple request. It should process and display a response to show you it completed.
- Check the syslog files. WBEM Services messages are listed below.


WBEM Services Messages


The WBEM Services messages are listed in four groups: syslog messages, standard CIM messages, command messages, and SSL errors.

Syslog Messages
WBEM Services puts the following messages in syslog:

When CIM Server starts up, it logs a message, for example:

    Jun 17 11:47:31 mysystem cimserver[5863]: Started HP WBEM Services for HP-UX B8465BA version A.01.00 on port 5989.

When CIM Server shuts down, it logs a message, for example:

    Jun 17 11:47:50 mysystem cimserver[5863]: CIM Server stopped.

If CIM Server gets a request to enable both HTTP and HTTPS connections, it logs a message, for example:

    Jun 17 13:58:11 mysystem cimserver[9618]: Enabling both HTTP and HTTPS connections is unsupported. Only the HTTPS connection is enabled.

When CIM Server gets a request to disable both HTTP and HTTPS connections, it logs a message, for example:

    Jun 17 13:58:42 mysystem cimserver[9624]: Neither HTTP nor HTTPS connection is enabled. CIMServer will not be started.

It is possible to disable both connections in the planned configuration, using cimconfig. However, WBEM Services cannot function without a connection. Enable one of the connections now; default is HTTPS. You need to restart the CIM Server for the planned configuration to take effect. If you leave both ports disabled, the CIM Server will not restart unless you specify a connection type on the command line of the cimserver command. (For example, enter: cimserver enableHttpsConnection=TRUE.) Once started, use cimconfig to set a port type in a more lasting way.


When cimserverd detects that cimserver is not running (but it was not shut down by the cimserver -s command) it logs a message, for example:

    Jun 17 20:55:18 mysystem cimserverd[6991]: cimserver not running, attempting restart
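The syslog messages above can drive a small triage pass. The following is an added example, not part of the HP guide or of WBEM Services: it reads lines in the format shown above and reports unexpected exits, restart attempts never confirmed by a start message, starts on a port other than the default HTTPS port 5989, and connection-setting problems. The sample log is constructed from the examples above, and the finding names are this example's own.

```python
import re

HTTPS_PORT = 5989  # default HTTPS port named in this guide (HTTP uses 5988)

# Constructed sample, modelled on the syslog examples in this chapter.
SAMPLE_LOG = """\
Jun 17 11:47:31 mysystem cimserver[5863]: Started HP WBEM Services for HP-UX B8465BA version A.01.00 on port 5989.
Jun 17 11:47:50 mysystem cimserver[5863]: CIM Server stopped.
Jun 17 13:58:11 mysystem cimserver[9618]: Enabling both HTTP and HTTPS connections is unsupported. Only the HTTPS connection is enabled.
Jun 17 13:58:12 mysystem cimserver[9618]: Started HP WBEM Services for HP-UX B8465BA version A.01.00 on port 5989.
Jun 17 20:55:18 mysystem cimserverd[6991]: cimserver not running, attempting restart
Jun 17 20:55:20 mysystem cimserver[7002]: Started HP WBEM Services for HP-UX B8465BA version A.01.00 on port 5988.
Jun 17 21:10:02 mysystem cimserverd[6991]: cimserver not running, attempting restart
Jun 17 21:10:40 mysystem cimserver[7101]: Neither HTTP nor HTTPS connection is enabled. CIMServer will not be started.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>cimserverd?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STARTED_RE = re.compile(r"^Started HP WBEM Services .* on port (\d+)\.?$")


def parse(log_text):
    """Yield (timestamp, program, message) for cimserver/cimserverd lines only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("prog"), m.group("msg")


def triage(log_text):
    """Return a list of (timestamp, finding) tuples in the order they are detected."""
    findings = []
    pending_restart = None  # timestamp of a restart attempt not yet confirmed
    for ts, prog, msg in parse(log_text):
        started = STARTED_RE.match(msg)
        if prog == "cimserverd" and "attempting restart" in msg:
            # cimserverd logs this only when cimserver went away without
            # "cimserver -s", so every occurrence is an unplanned exit.
            if pending_restart is not None:
                findings.append((pending_restart, "RESTART_NOT_CONFIRMED"))
            findings.append((ts, "UNEXPECTED_EXIT"))
            pending_restart = ts
        elif started:
            pending_restart = None
            if int(started.group(1)) != HTTPS_PORT:
                # A prompt to review the connection settings, not proof of
                # plaintext HTTP: the port number alone does not say which.
                findings.append((ts, "NOT_DEFAULT_HTTPS_PORT"))
        elif msg.startswith("Neither HTTP nor HTTPS connection is enabled"):
            findings.append((ts, "NO_CONNECTION_ENABLED"))
        elif msg.startswith("Enabling both HTTP and HTTPS connections"):
            findings.append((ts, "HTTP_AND_HTTPS_REQUESTED"))
    if pending_restart is not None:
        findings.append((pending_restart, "RESTART_NOT_CONFIRMED"))
    return findings


if __name__ == "__main__":
    for ts, finding in triage(SAMPLE_LOG):
        print(ts, finding)
```
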

Standard CIM Messages


Each CIM exception has a message string. There can be (and often is) additional message content after this standard code and format, but that varies. CIM Status Codes are defined by DMTF. In addition to these error codes, a text description of the error is returned.

Two lists of error messages follow. This first list is ordered by error number. The second list has the same messages, but they are ordered alphabetically. Following the lists, there are two examples of a return with a CIM error.

0 = CIM_ERR_SUCCESS: The operation completed without error.
1 = CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code.
2 = CIM_ERR_ACCESS_DENIED: Access to a CIM resource was not available to the client.
3 = CIM_ERR_INVALID_NAMESPACE: The target namespace does not exist.
4 = CIM_ERR_INVALID_PARAMETER: One or more parameter values passed to the method were invalid.
5 = CIM_ERR_INVALID_CLASS: The specified class does not exist.
6 = CIM_ERR_NOT_FOUND: The requested object could not be found.
7 = CIM_ERR_NOT_SUPPORTED: The requested operation is not supported.
8 = CIM_ERR_CLASS_HAS_CHILDREN: Operation cannot be carried out on this class because it has subclasses.
9 = CIM_ERR_CLASS_HAS_INSTANCES: Operation cannot be carried out on this class because it has instances.
10 = CIM_ERR_INVALID_SUPERCLASS: Operation cannot be carried out because the specified superclass does not exist.
11 = CIM_ERR_ALREADY_EXISTS: Operation cannot be carried out because an object already exists.
12 = CIM_ERR_NO_SUCH_PROPERTY: The specified property does not exist.
13 = CIM_ERR_TYPE_MISMATCH: The value supplied is not compatible with the type.
14 = CIM_ERR_QUERY_LANGUAGE_NOT_SUPPORTED: The query language is not recognized or supported.
15 = CIM_ERR_INVALID_QUERY: The query is not valid for the specified query language.
16 = CIM_ERR_METHOD_NOT_AVAILABLE: The extrinsic method could not be executed.
17 = CIM_ERR_METHOD_NOT_FOUND: The specified extrinsic method does not exist.

This list has the same messages as above; however, it is ordered alphabetically, and without the error number:

CIM_ERR_ACCESS_DENIED: Access to a CIM resource was not available to the client.

CIM_ERR_ALREADY_EXISTS: Operation cannot be carried out because an object already exists.
CIM_ERR_CLASS_HAS_CHILDREN: Operation cannot be carried out on this class because it has subclasses.
CIM_ERR_CLASS_HAS_INSTANCES: Operation cannot be carried out on this class because it has instances.
CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code.
CIM_ERR_INVALID_CLASS: The specified class does not exist.
CIM_ERR_INVALID_NAMESPACE: The target namespace does not exist.
CIM_ERR_INVALID_PARAMETER: One or more parameter values passed to the method were invalid.
CIM_ERR_METHOD_NOT_AVAILABLE: The extrinsic method could not be executed.
CIM_ERR_METHOD_NOT_FOUND: The specified extrinsic method does not exist.
CIM_ERR_INVALID_QUERY: The query is not valid for the specified query language.
CIM_ERR_INVALID_SUPERCLASS: Operation cannot be carried out because the specified superclass does not exist.
CIM_ERR_NO_SUCH_PROPERTY: The specified property does not exist.
CIM_ERR_TYPE_MISMATCH: The value supplied is incompatible with the type.

CIM_ERR_NOT_FOUND: The requested object could not be found.
CIM_ERR_NOT_SUPPORTED: The requested operation is not supported.

Examples of CIM Responses

For example, consider a client requesting a createInstance operation on the PG_OperatingSystem class, when this operation is not supported by the Operating System provider. The requestor will receive the following response (shown below encoded in XML):

    <?xml version="1.0" encoding="utf-8"?>
    <CIM CIMVERSION="2.0" DTDVERSION="2.0">
      <MESSAGE ID="53000" PROTOCOLVERSION="1.0">
        <SIMPLERSP>
          <IMETHODRESPONSE NAME="CreateInstance">
            <ERROR CODE="7" DESCRIPTION="CIM_ERR_NOT_SUPPORTED: The requested operation is not supported: OperatingSystemProvider does not support createInstance"/>
          </IMETHODRESPONSE>
        </SIMPLERSP>
      </MESSAGE>
    </CIM>

In the above example, you see these four components of the response:

1. CIM error code of 7
2. Translation to CIM_ERR_NOT_SUPPORTED
3. Expanded text message: The requested operation is not supported
4. The non-standard additional message: OperatingSystemProvider does not support createInstance

As a second example, consider a client that mistakenly provides too few or too many keys to a GetInstance operation on the PG_OperatingSystem class. The following response is sent (shown below encoded in XML):

    <?xml version="1.0" encoding="utf-8"?>
    <CIM CIMVERSION="2.0" DTDVERSION="2.0">
      <MESSAGE ID="35002" PROTOCOLVERSION="1.0">
        <SIMPLERSP>
          <IMETHODRESPONSE NAME="GetInstance">
            <ERROR CODE="4" DESCRIPTION="CIM_ERR_INVALID_PARAMETER: One or more parameter values passed to the method were invalid: Wrong number of keys"/>
          </IMETHODRESPONSE>
        </SIMPLERSP>
      </MESSAGE>
    </CIM>

In the above example, you see these four components of the response:

1. CIM error code of 4
2. Translation to CIM_ERR_INVALID_PARAMETER
3. Expanded text message: One or more parameter values passed to the method were invalid
4. The non-standard additional message: Wrong number of keys
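The four components described above can be extracted from a response programmatically. The following is an added example, not part of the HP guide or of WBEM Services: it parses a CIM-XML response, splits the ERROR element into code, symbolic name, standard text and additional message, and checks that the name in DESCRIPTION agrees with CODE. The function name, the result fields, the refusal of DTDs and the mismatch sample are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Symbolic names indexed by CIM status code, as listed in this chapter.
CIM_STATUS_NAMES = [
    "CIM_ERR_SUCCESS", "CIM_ERR_FAILED", "CIM_ERR_ACCESS_DENIED",
    "CIM_ERR_INVALID_NAMESPACE", "CIM_ERR_INVALID_PARAMETER",
    "CIM_ERR_INVALID_CLASS", "CIM_ERR_NOT_FOUND", "CIM_ERR_NOT_SUPPORTED",
    "CIM_ERR_CLASS_HAS_CHILDREN", "CIM_ERR_CLASS_HAS_INSTANCES",
    "CIM_ERR_INVALID_SUPERCLASS", "CIM_ERR_ALREADY_EXISTS",
    "CIM_ERR_NO_SUCH_PROPERTY", "CIM_ERR_TYPE_MISMATCH",
    "CIM_ERR_QUERY_LANGUAGE_NOT_SUPPORTED", "CIM_ERR_INVALID_QUERY",
    "CIM_ERR_METHOD_NOT_AVAILABLE", "CIM_ERR_METHOD_NOT_FOUND",
]

# First response shown in this chapter, with attribute quotes restored.
NOT_SUPPORTED_RSP = """<?xml version="1.0" encoding="utf-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
 <MESSAGE ID="53000" PROTOCOLVERSION="1.0">
  <SIMPLERSP>
   <IMETHODRESPONSE NAME="CreateInstance">
    <ERROR CODE="7" DESCRIPTION="CIM_ERR_NOT_SUPPORTED: The requested operation is not supported: OperatingSystemProvider does not support createInstance"/>
   </IMETHODRESPONSE>
  </SIMPLERSP>
 </MESSAGE>
</CIM>"""

# Constructed sample: CODE and the symbolic name in DESCRIPTION disagree.
MISMATCH_RSP = NOT_SUPPORTED_RSP.replace('CODE="7"', 'CODE="2"')


def parse_cim_response(xml_text):
    """Return the components of a simple CIM-XML response as a dict."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    # Hardening choice of this example: a response needs no DTD, so refuse one
    # rather than let the parser process entity declarations from the network.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in CIM-XML response")
    root = ET.fromstring(data)
    message = root.find("MESSAGE")
    # The child of SIMPLERSP is IMETHODRESPONSE or METHODRESPONSE.
    response = root.find("MESSAGE/SIMPLERSP/*")
    if root.tag != "CIM" or message is None or response is None:
        raise ValueError("not a simple CIM-XML response")
    result = {
        "message_id": message.get("ID"),
        "operation": response.get("NAME"),
        "code": 0,
        "name": CIM_STATUS_NAMES[0],
        "standard_text": None,
        "additional": None,
        "consistent": True,
    }
    error = response.find("ERROR")
    if error is None:  # no ERROR element: the operation succeeded
        return result
    try:
        code = int(error.get("CODE", ""))
    except ValueError:
        raise ValueError("ERROR element without a numeric CODE") from None
    known = 0 <= code < len(CIM_STATUS_NAMES)
    name = CIM_STATUS_NAMES[code] if known else "UNKNOWN"
    description = error.get("DESCRIPTION", "")
    head, _, rest = description.partition(": ")
    if head.startswith("CIM_ERR_"):
        # "<name>: <standard text>: <additional message>"
        standard, _, additional = rest.partition(": ")
        consistent = head == name
    else:
        # No symbolic prefix: treat the whole description as free text.
        standard, additional, consistent = "", description, True
    result.update(code=code, name=name, standard_text=standard or None,
                  additional=additional or None, consistent=consistent)
    return result


if __name__ == "__main__":
    for sample in (NOT_SUPPORTED_RSP, MISMATCH_RSP):
        print(parse_cim_response(sample))
```
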

WBEM Services Command Messages


These messages come from the WBEM Services commands. They are written to stdout.

cimauth Command Messages

Message: You must have superuser privilege to run this command.
If you do not have root permissions (uid=0) on the local system, get a logon that does, or have such a privileged user give you permission. (See Chapter 5; see the cimauth man page.)

Message: Failed to add authorizations. Please make sure that the authorization schema is loaded on the CIMOM.
Essential information is missing from the repository. See "Maintaining the Repository" in Chapter 4.

Message: Failed to add authorizations. Specified user authorization already exists.
If you want the authorization added, you do not need to do anything; it is there. To modify, use the -m option. To remove, use the -r option.

Message: Failed to modify authorizations. Specified user authorizations were not found.
Enter cimauth -l to list all the authorizations. See if the one you want to modify is in the list, and if you are spelling it right. If it's not in the list, you need to add it with the -a option. Then re-issue the command.

Message: Failed to remove authorizations. Specified user authorizations were not found.
Enter cimauth -l to list all the authorizations. See if the one you want to remove is in the list, and if you are spelling it right. If it's not in the list, you need to add it with the -a option. Then re-issue the command.

Message: CIM Server may not be running.
To see if cimserver is running, enter:
    ps -ef|grep -v cimserverd |grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, enter:
    cimserver

cimconfig Command Messages

Message: Current value of properties can not be listed because the CIM Server is not running
Check for cimserver using ps -ef|grep -v cimserverd |grep cimserver. Perhaps it was never started at install, or someone may have stopped it with cimserver -s. To start it again, enter cimserver.

Message: Failed to get property. Please make sure that the config schema is loaded in the CIM Server.
Essential information is missing from the repository. See "Maintaining the Repository" in Chapter 4.


Message: Failed to set the config property. Please make sure that the config schema is loaded in the CIM Server.
Essential information is missing from the repository. See "Maintaining the Repository" in Chapter 4.

Message: Failed to unset the config property. Please make sure that the config schema is loaded in the CIM Server.
Essential information is missing from the repository. See "Maintaining the Repository" in Chapter 4.

Message: Failed to list the config properties. Please make sure that the config schema is loaded in the CIM Server.
Essential information is missing from the repository. See "Maintaining the Repository" in Chapter 4.

Message: Specified property name was not found.
Check the spelling of the property name. Re-issue the command specifying a valid config property. For a list of properties, enter: cimconfig -l

Message: Specified property value is not valid.
See the cimconfig man page for the range of allowed values for the property, and reissue the command with a valid value.

Message: Specified property cannot be modified.
You are trying to modify a property that is not dynamic. Dynamic properties can be changed immediately, while CIM Server is running. To modify a non-dynamic property you must modify the planned value, then stop and start CIM Server (with the cimserver command). For more information, see the cimconfig man page.

Message: Current value can not be determined because the CIM Server is not running.
To see if cimserver is running, enter:
    ps -ef|grep -v cimserverd |grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, enter:
    cimserver

Message: Planned value can not be determined because the CIM Server is not running.
To see if cimserver is running, enter:
    ps -ef|grep -v cimserverd |grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, enter:
    cimserver

Message: CIM Server may not be running.
To see if cimserver is running, enter:
    ps -ef|grep -v cimserverd |grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, enter:
    cimserver

cimmof Command Messages

Message: Warning: class already in repository (OK to ignore)
The same class is already loaded, so you do not need to do it again. If you really want to replace this class, first delete it, then load your new MOF file.

Message: Cannot connect to: mysystem: 5989. Command failed.
CIM Server is not running. You tried to send a request to system mysystem, through port number 5989. An operator may have stopped the CIM Server. To restart it, enter cimserver. Then re-issue the cimmof command.

Message: Can't open file <filename>.
Check the MOF file that you specified. It could not be opened; it may not exist, the pathname may be incomplete, or there may be a typing error. Re-issue the command specifying a valid MOF file.

Message: Could not open include file <filename>.
Check the MOF include file that you specified. It could not be opened; it may not exist, the pathname may be incomplete, or there may be a typing error. Re-issue the command specifying a valid MOF file.

Message: <filename>:<lineNumber>: parse error before string
There is a parsing error before string. If it is your own file, edit it to correct the invalid syntax, and then reissue the command. If you got the file from a provider, contact the provider's support team.


Message: Error adding class <classname> to the repository: CIM_ERR_INVALID_SUPERCLASS: Operation cannot be carried out since the specified superclass does not exist.
The file you specified contains a schema definition for a class with a superclass, but its superclass is not in the CIM Repository now. You must load the superclass before you load its subclasses. If it is your own MOF file, edit it to check the spelling of the class and superclass, and the path and spelling of the MOF file in your command. If you got the MOF file from a provider, contact the provider's support team.

Message: Could not find declaration for Qualifier named <qualifier_name>
WBEM Services cannot find the qualifier name in the MOF file in the CIM repository. If it is your own MOF file, check the qualifier name in the MOF file you specified. If it is misspelled, correct it. To see all qualifiers, go to /var/opt/wbem/repository/<namespace>/qualifiers. If the qualifier does not exist in the CIM Repository, add it, and then re-issue the command. If you got the MOF file from a provider, contact the provider's Support team.

cimprovider Command Messages

Message: Required arguments missing.
Change the syntax of your command; perhaps check spelling. cimprovider does not recognize the options you entered. Enter cimprovider, with no options, to see correct usage. Also see the cimprovider man page.

Message: Missing required value for flag
Check your syntax for a flag that is missing its value. Enter cimprovider, with no options, to see correct usage. Also see the cimprovider man page.

Message: The CIM Server may not be running
To see if cimserver is running, enter:
    ps -ef|grep -v cimserverd |grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, enter:
    cimserver

Message: Provider module already disabled
You cannot disable a provider that is already disabled. Use cimprovider -l -m <modulename> to see the status of all the providers in the specified module.

Message: You must have superuser privilege to unregister providers.
If you do not have root permissions (uid=0) on the local system, get a logon that does, or have such a privileged user give you permission. (See Chapter 5; see the cimauth man page.)

Message: You must have superuser privilege to disable or enable providers
If you do not have root permissions (uid=0) on the local system, get a logon that does, or have such a privileged user give you permission. (See Chapter 5; see the cimauth man page.)

Message: Provider module can not be enabled since it is disabling
You cannot enable a provider while another client is disabling the module. Enable it later.

Message: Specified provider was not registered
You are trying to manage an unregistered provider. (To confirm, use the cimprovider -l command.) Register the provider.

cimserver Command Messages

Message: Error: Bind failed. Failed to bind to socket.
You tried to start CIM Server, but it is already running.

Message: Unrecognized command line option
Re-issue the command specifying a valid option. For help with options, type cimserver -h or see the man page.

Message: Duplicate shutdown option specified
The -s option was specified more than once. Re-issue the command with a valid option. For help with options, enter cimserver -h or see the man page.

Message: Unrecognized config property: <configProperty>
Check the spelling of the property. Re-issue the command specifying a valid config property. For a list of properties, enter cimconfig -l.

Message: Invalid property value: shutdownTimeout=<value>
Specify a shutdownTimeout value that is a valid integer, 2 or greater.

Message: Unable to connect to CIM Server. CIM Server may not be running
To see if cimserver is running, enter:
    ps -ef|grep -v cimserverd |grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it in that case, enter:
    cimserver
Perhaps someone has disabled both types of connection (HTTPS and HTTP). To start it in that case, enter either:
    cimserver enableHttpsConnection=true (default)
    cimserver enableHttpConnection=true

Message: Failed to shut down server: CIM_ERR_INVALID_NAMESPACE: The target namespace does not exist root/PG_Internal
The cimserver command cannot stop the CIM Server. The only way to stop the CIM Server is to kill the CIM Server process:

1) Find the process ID (PID) of cimserver. Enter ps -ef|grep -v cimserverd |grep cimserver
2) Kill the process: kill -9 <PID>

The most likely cause is that the CIM repository was moved or deleted, or that it is empty or corrupted. Try replacing all the directories and files in /var/opt/wbem/repository/ with your backup copy. If you cannot replace the repository directories, you can use the init_repository script to restore your repository to what it was when you first installed WBEM Services. You will need to re-install any providers you added since you installed WBEM Services. (You do not need to re-install the three providers that are bundled with WBEM Services.)


openssl and SSL-Related Messages

Server-side SSL (Secure Socket Layer) Errors

Could not get certificate and/or private key
The present file is missing, empty, or not readable. Restore the certificate file (/var/opt/wbem/server.pem) from backup, then stop and restart the CIM Server.

Client-side SSL (Secure Socket Layer) Errors

RAND_load_file - failed
Check the random seed file (ll /var/opt/wbem/ssl.rnd). If it exists, set permissions so it has read permission for all. If the file does not exist, or its size is zero, restore it from backup.

RAND_seed - Not enough seed data
Check the random seed file (ll /var/opt/wbem/ssl.rnd). If it does not exist, or if its size is zero, restore it from backup. If it exists and has some content, try doubling the size of the file: copy the existing content and paste it onto the end of the file.

Could not get certificate and/or private key
The present file is missing, empty, or not readable. Restore the certificate file (/var/opt/wbem/client.pem) from backup, then reissue the client request.

Random seed file required
Clients must pass a random seed file in the OperationContext, and this one did not.

osinfo Command Messages

Message: Cannot get info from OS provider
Verify that the provider in your request is listed. Enter cimprovider -l -m OperatingSystemModule.

Message: Cannot connect to CIM Server
See if the cimserver process is running. Enter ps -ef|grep -v cimserverd |grep cimserver. Start the process with the cimserver command (no options).


wbemexec Command Messages

Message: Invalid input: expected XML request.
Check the coding of the request. The input must be a valid CIM request encoded in XML according to the DMTF Specification for the Representation of CIM in XML.

Message: Invalid XML request
Correct the XML request, and re-issue the command. Refer to the text following the message for more specific information about the invalid XML request. For more information about XML, see the DMTF Specification for the Representation of CIM in XML V. 1.0. (http://www.dmtf.org/download/spec/xmls/CIM_HTTP_Mapping10.php)

Message: Timed out waiting for response
You can change the timeout value with a wbemexec command option. The request may require more processing time than allowed by the specified or default timeout period. Specify a timeout value longer than the value previously specified or longer than the default. Check syslog for possible errors or problems with the CIM Server or providers. An error may have occurred in the CIM Server, preventing the CIM Server from responding to requests. (A list of syslog messages is in this chapter.) If necessary, stop and re-start the CIM Server. Re-issue the wbemexec command.

Message: wbemexec: Failed to connect to CIM Server
First, read the text that follows this message, for more information about the problem.
Enter ps -ef|grep -v cimserverd |grep cimserver. If the cimserver process is not running, enter cimserver (no options) to start it. After this, the log file should record an attempt to start cimserver and a confirmation that cimserver started.
On the CIM Server host, enter uname -a to be sure you have specified the appropriate host name.
Enter cimconfig -l -c to list current values of properties. See whether the enabled connection is HTTP or HTTPS. Now see if your request specified the corresponding port. By default, HTTPS (default type) enters port 5989; HTTP enters port 5988.
You may not be authorized to connect to the CIM Server. See Chapter 5.

Message: wbemexec: M-POST method invalid with HTTP version 1.0
Modify the command line. Either specify HTTP version 1.1 with the M-POST or POST method, or specify HTTP version 1.0 with the POST method. The M-POST method is only valid for HTTP versions 1.1 and later.

Message: wbemexec: No input
Be sure that you did not specify an empty file, or redirect input from an empty file.

Message: wbemexec: Unable to use requested input file: file cannot be opened.
Check to be sure there is sufficient memory to open a file, and that you have not reached the open-file limit. wbemexec can find the file, and the permissions allow the file to be read, but the file cannot be opened for some other reason.

Message: wbemexec: Unable to use requested input file: file does not exist.
Check the pathname and spelling of the input file you specified.

Message: wbemexec: Unable to use requested input file: file is not readable.
Check the permission settings on the specified input file and its directories, modify if necessary, and re-issue the command.


How Resources are Represented (CIM Schema)


The WBEM Services repository stores information about the managed resources. To register with WBEM Services, a provider must define its resource by the classes and subclasses that define it. Then the provider must describe the properties that it will expose, and the methods that it will support. The properties describe what a class is; the methods describe what it can do. Properties are attributes or characteristics of the resource. Methods are its actions, capabilities, or behaviors. To make a request, the client must first identify, by its classes and subclasses, the resource it wants to manage.

The resource descriptions are done using object-oriented modeling. Object-oriented modeling represents real things in an abstract schema. Objects are arranged from most general to most specific. Many attributes of the more general parent are inherited by their more specific children. Like object-oriented programming languages, the subclasses inherit the definitions of properties and methods from the parent class. Unlike some object-oriented programming, they do not inherit the implementations.

This section briefly defines basic concepts about object representation. As system administrator, you do not need to understand this to install WBEM Services or maintain it. However, it is the language that is used to explain resources. These are the terms that are used to describe what providers and clients do, and how resources can be managed. For more information about object representation, visit the tutorial at: http://www.dmtf.org/education/cimtutorial.php

The schema is the most general abstraction that represents real things in the WBEM standard. A schema is a collection of classes. Each class in a schema can only belong to that schema. Each class name must be unique within a schema; a schema cannot have two classes with the same name.

Appendix A


The class is the basic modeling unit. It is a collection or set of objects that have similar properties and purposes. Each class defines a certain type of managed object, for example operating systems or system memory. Objects in the class contain properties (describing what it is) and methods (what it can do). A class can contain other classes (its subclasses). It can also contain instances.

Subclasses are grouped by similarities. Subclasses inherit properties and methods from their parent (their superclass), and can also add their own local properties and methods. Subclasses are themselves classes, and they can have their own subclasses. CIM_SoftwareElement, for example, is a class. It has several subclasses, like HPUX_SoftwareElement, Win32_SoftwareElement, Linux_RPM_SoftwareElement, and Linux_Debian_SoftwareElement.

An instance can be a discrete occurrence of any object, like your computer's hard drive or the printer on your desk. It is the most specific member of the hierarchy. An instance cannot have any subclasses. All instances in a class share the same properties and methods. Each has a unique name (see key properties, below).

Methods are the behaviors of the class; for example, the OperatingSystem class has a Reboot method and a printer has an EnableDevice method to put it online. Not all classes have methods.

An intrinsic method models a CIM operation. Standard intrinsic methods (such as enumerateInstances, getInstance, modifyInstance) are relevant to all classes.

An extrinsic method is defined on a CIM Class in some Schema that is unique to that class.

Properties are the attributes of a class. For example, there is a ParticipatingCS association between a CIM_ComputerSystem and a CIM_Cluster. This association has two properties, RoleOfNode and StateOfNode, to describe attributes of the ComputerSystem as a node within the Cluster.

Key properties (one or more properties defined with a key qualifier) are identifiers. Keys in classes and subclasses provide a way to uniquely identify the instance that inherits them. All instances inherit a key, or a set of keys, from their superclass. The value that the instance gives these keys is its own identification. It is the only instance in its namespace that is allowed to have that name. More than one key property is a compound key.


Consider how to uniquely identify a user account on a Unix system. You could use two key properties: the value of the user account's Name property and the value of the system's Name property. Consider also the identifying pair used to route your email to you: user-name@domain-name.

Classes are either concrete or abstract. A concrete class (like CIM_OperatingSystem) has real instances, particular computer systems. A concrete class must have at least one key property. An abstract class like CIM_ManagedElement cannot have any instances, and it is not required to have key properties. Its subclasses can have keys as they get more specific.

Associations can be defined between classes. For example, there is a ParticipatingCS association between CIM_ComputerSystem (the entire computer system) and CIM_OperatingSystem (the OS software that exists on that system). The association itself is a class, so it can have properties and methods. For example, two properties of ParticipatingCS are RoleOfNode and StateOfNode.

Namespaces can give you a logical way to group things, in order to control their scope and visibility. A namespace is not a physical location; it is more like a logical database containing specific classes and instances. Namespace grouping can be used to separate instances and make sure there are no collisions with others of the same name. Namespaces also can be used to limit access.

HP WBEM Services for HP-UX installs with four pre-defined namespaces.

root (in /root directory): The root namespace exists to conform to the DMTF specifications.

root#cimv2 (in /root/cimv2): The standard CIM schemas go here. Also, the schemas for the bundled providers.

root#PG_Interop (in /root/PG_Interop): This is for provider registration. This space is reserved exclusively for providers, and all providers must register here. (See the cimprovider man page.)

root#PG_Internal (in /root/PG_Internal): This is a private space, for use by WBEM Services only.


WBEM Services CIM Operations


HP WBEM Services for HP-UX supports a subset of the DMTF-defined CIM operations. If you are installing a client or provider, be sure these operations are sufficient.

Appendix B


The InvokeMethod Operation


The following operation is a way of invoking the class of methods called extrinsic methods. (This is the way WBEM Services supports extrinsic methods.) If a provider has registered with WBEM Services as a method provider, it will support the use of InvokeMethod.

InvokeMethod (Write)
Takes a method name with input and output parameters, and an instance. The instance is specified by its namespace, classname, and key properties and values. Invokes the specified method on the specified instance.


Operations Implemented by Providers


The following CIM operations are implemented by instance providers for the classes they support. The methods are intrinsic. If the provider does not support a particular method, the implementation returns CIM_ERR_NOT_SUPPORTED.

GetInstance (Read)
Takes a namespace, classname, and key properties and values. Returns the instance with all its properties.

EnumerateInstances (Read)
Takes a namespace and a classname. Returns all instances of the specified class, including all properties. When invoked on a class with subclasses, WBEM Services will pass the EnumerateInstances CIM operation to providers for all of the subclasses, and combine all the results into a single response.

EnumerateInstanceNames (Read)
Takes a namespace and a classname. Returns all instances of the specified class. It returns all key properties, but it does not return non-key properties. When invoked on a class with subclasses, WBEM Services will pass the EnumerateInstanceNames CIM operation to providers for all of the subclasses, and combine all the results into a single response.

CreateInstance (Write)
Takes a namespace, classname, and key properties and values. Can accept other properties and values. Creates an instance that meets those criteria.

DeleteInstance (Write)
Takes a namespace, classname, and key properties and values. Can accept other properties and values. Deletes the instance that meets those criteria.

ModifyInstance (Write)
Takes a namespace, classname, and key properties and values. Can accept other properties and values. Modifies the instance that meets those criteria.


Operations on Properties
Operations on properties are listed below.

GetProperty (Read)
Takes a namespace, classname, and key properties and values to specify an instance. Also takes the property desired. Returns the value of the property for the specified instance.

SetProperty (Write)
Takes a namespace, classname, and key properties and values, to specify a class. Also takes the desired property and value. Sets the desired property of that instance to the specified value.


Class Manipulation Operations


The class manipulation operations can be used by CIM clients to explicitly manipulate schema. Schema manipulation can be done implicitly through a MOF file. When the MOF compiler loads a MOF file, the compiler will use a series of CreateClass operations to create the classes contained in the file. Class manipulation operations are listed below:

GetClass (Read)
Takes a namespace and classname. Returns the class definition with all properties and methods.

EnumerateClasses (Read)
Takes a namespace and, optionally, a classname. Returns a list of all the classes and subclasses of that namespace (and classname if you specified it), including the definitions of all properties and methods.

EnumerateClassNames (Read)
Takes a namespace and classname. Returns a list of all subclasses of that namespace and class, including definitions of all key properties. Does not return non-key properties or methods.

CreateClass (Write)
Takes a namespace and class definition. Creates the specified class.

ModifyClass (Write)
Takes a namespace and a new class specification. Replaces the existing class specification with the new (modified) one.

DeleteClass (Write)
Takes a namespace and classname. Removes the class from the namespace. If the class has subclasses, you must remove the subclasses first.


Qualifier Operations
Qualifier declaration operations are listed below:

GetQualifier (Read)
Takes a namespace and a qualifier name. Returns the information on that qualifier, such as scope, flavor, and default value. (A qualifier is a modifier containing information that describes a class, an instance, a property, or a method.)

EnumerateQualifiers (Read)
Takes a namespace. Returns all qualifiers defined in the specified namespace. (A qualifier is a modifier containing information that describes a class, an instance, a property, or a method.)

SetQualifier (Write)
Takes a namespace and qualifier name. Also takes a qualifier declaration. Replaces the existing qualifier declaration with the specified declaration. (A qualifier is a modifier containing information that describes a class, an instance, a property, or a method.)

DeleteQualifier (Write)
Takes a namespace and a qualifier name. Deletes the specified qualifier from the specified namespace.
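The Read/Write labels in this appendix can be used to audit what a client is asking the CIM server to do. The following is an added example, not code from HP WBEM Services: it parses a CIM operation request body and reports the operation, target namespace, and access type. The element names (IMETHODCALL, METHODCALL, LOCALNAMESPACEPATH) are taken from the DMTF XML encoding of CIM rather than from this appendix, and the sample requests, the namespace root/cimv2, and the class names are constructed.

```python
import xml.etree.ElementTree as ET

# Read/Write labels as Appendix B gives them for each intrinsic operation.
READ_OPS = {"GetInstance", "EnumerateInstances", "EnumerateInstanceNames",
            "GetProperty", "GetClass", "EnumerateClasses",
            "EnumerateClassNames", "GetQualifier", "EnumerateQualifiers"}
WRITE_OPS = {"CreateInstance", "DeleteInstance", "ModifyInstance",
             "SetProperty", "CreateClass", "ModifyClass", "DeleteClass",
             "SetQualifier", "DeleteQualifier"}

# Constructed sample request bodies (assumed xmlCIM layout).
SAMPLE_READ = """<CIM CIMVERSION="2.0" DTDVERSION="2.0">
 <MESSAGE ID="1001" PROTOCOLVERSION="1.0"><SIMPLEREQ>
  <IMETHODCALL NAME="EnumerateInstanceNames">
   <LOCALNAMESPACEPATH>
    <NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/>
   </LOCALNAMESPACEPATH>
   <IPARAMVALUE NAME="ClassName">
    <CLASSNAME NAME="CIM_OperatingSystem"/>
   </IPARAMVALUE>
  </IMETHODCALL>
 </SIMPLEREQ></MESSAGE>
</CIM>"""
SAMPLE_WRITE = SAMPLE_READ.replace("EnumerateInstanceNames", "DeleteClass")


def _namespace(call, path):
    """Join the NAMESPACE components found at `path` into 'a/b' form."""
    parts = [n.get("NAME", "") for n in call.findall(path)]
    return "/".join(parts) or None


def classify_request(xml_text):
    """Return [(operation, namespace, access)] for one request body.

    access is 'read' or 'write' for the intrinsic operations listed in
    Appendix B, 'unknown' for any other intrinsic name, 'extrinsic' for
    class-specific method calls, and 'reject' for bodies that should not
    be processed at all.
    """
    # An audit tool has no reason to expand entity declarations.
    if "<!ENTITY" in xml_text:
        return [("<entity declaration>", None, "reject")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [("<unparseable>", None, "reject")]
    found = []
    # Intrinsic calls carry the namespace as a direct child element.
    for call in root.iter("IMETHODCALL"):
        op = call.get("NAME", "")
        access = ("read" if op in READ_OPS
                  else "write" if op in WRITE_OPS else "unknown")
        found.append((op, _namespace(call, "LOCALNAMESPACEPATH/NAMESPACE"), access))
    # Extrinsic calls nest it inside a class or instance path.
    for call in root.iter("METHODCALL"):
        ns = _namespace(call, "*/LOCALNAMESPACEPATH/NAMESPACE")
        found.append((call.get("NAME", ""), ns, "extrinsic"))
    return found or [("<no operation>", None, "reject")]


if __name__ == "__main__":
    for body in (SAMPLE_READ, SAMPLE_WRITE):
        print(classify_request(body))
```

Write and extrinsic results are the ones worth logging or alerting on; an 'unknown' result means the request names an intrinsic operation this appendix does not list.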


Glossary
CIM (Common Information Model)
A hierarchical object-based model developed by the DMTF that defines a large number of concepts common to most computer systems. See Common Information Model.

CIM client
A client application that issues CIM operation requests over HTTP and processes the responses.

CIM Object Manager (CIMOM)
Manages CIM objects in a WBEM-enabled system. CIMOM receives and processes CIM operation requests and issues responses.

CIM Object Manager repository
A central storage area managed by the Common Information Model Object Manager (CIM Object Manager). This repository contains the definitions of classes and instances that represent managed objects and the relationships among them. Also see repository.

CIM schema
A collection of class definitions used to represent managed objects that occur in every management environment. Also see core model, common model, and extension schema.

cipher
A key-selected transformation between plain text and cipher text. With a good cipher, the secret information inside the cipher remains hidden, even when the cipher text is stored or transmitted.

class
A collection of instances, all of which support a common type; that is, a set of properties and methods. The common properties and methods are defined as features of the class. For example, the class called Modem represents all the modems present in a system.

Common Information Model (CIM)
A common data model of an implementation-neutral schema for describing overall management information in a network/enterprise environment. CIM is comprised of a Specification and a Schema. The Specification defines the details for integration with other management models defined by the DMTF, such as SNMP's MIBs or the DMI's MIFs. The Schema provides the actual model descriptions.

Common Information Model Object Manager (CIM Object Manager)
A component in the CIM management infrastructure that handles the interaction between management applications and clients.

common model
The second layer of the CIM schema, which includes a series of domain-specific but platform-independent classes. The domains are systems, networks, applications, and other management-related data. The common model is derived from the core model. Also see extension schema.

core model
The first layer of the CIM schema, which includes the top-level classes and their properties and associations. The core model sets the conceptual framework for the schema of the rest of the managed environment. Systems, applications, networks and related information are modeled as extensions to the core model. The core model is both domain- and platform-independent. Also see common model and extension schema.

Desktop Management Interface (DMI)
An initiative by the DMTF. The DMI allows desktop computers, hardware and software products, and peripherals, whether they are standalone systems or linked into networks, to be manageable and intelligent. It allows them to communicate their system resource requirements and to coexist in a manageable PC system. The DMI is independent of operating system and processor, enabling the development of manageable PC products and applications across platforms.

Desktop Management Task Force (DMTF)
An industry-wide consortium committed to making computing devices easier to use, understand, configure and manage. (www.dmtf.org)

domain
The class to which a property or method belongs. For example, if status is a property of Logical Device, it is said to belong to the Logical Device domain.

extensible markup language (XML)
A simplified subset of SGML that offers powerful and extensible data modeling capabilities. An XML Document is a collection of data represented in XML. An XML Schema is a grammar that describes the structure of an XML Document.

extension schema
The third layer of the CIM schema, which includes platform-specific extensions of the CIM schema such as Microsoft Windows NT, UNIX, and Microsoft Exchange Server. Also see common model and core model.

extrinsic method
A method defined on a CIM Class in some Schema that is unique to that class (versus intrinsic methods which apply across all classes). Also see intrinsic method.

HTTP (Hypertext Transfer Protocol)
An application-level protocol for distributed, collaborative, hypermedia information systems. It is a generic stateless protocol that can be used for many tasks through extensions of its request methods, error codes and headers.

HTTP Server
WBEM Services uses a small-footprint special-services light-weight server that processes HTTP requests and returns standard HTTP responses. The server is not intended as a replacement for a web server. The server does not serve up HTML web pages and does not run CGI applications.

indication
An operation executed as a result of some action such as the creation, modification, or deletion of an instance, access to an instance, or modification or access to a property. Indications can also result from the passage of a specified period of time. An indication typically results in an event.

inheritance
The relationship that describes how classes and instances are derived from parent classes, or superclasses. A class can spawn a new subclass, also called a child class. A subclass contains all the methods and properties of its parent class. Inheritance is one of the features that allows the CIM classes to function as templates for actual managed objects in the CIM environment.

instance
A representation of a real-world managed object that belongs to a particular class, or a particular occurrence of an event. Instances contain actual data.

instance provider
A type of provider that supports instances of system- and property-specific classes. Instance providers can support data retrieval, modification, deletion, enumeration, or query processing. Instance providers can also invoke methods. Also see class provider and property provider.

intrinsic method
A method defined for the purpose of modeling a CIM operation. Standard intrinsic methods (such as enumerateInstances, getInstance, modifyInstance) are relevant to all classes. Also see extrinsic method.

Kerberos
A security mechanism that provides authentication, data integrity, data privacy, and mutual authentication. (Available through PAM in HP-UX)

key
A property that is used to provide a unique identifier for an instance of a class. Key properties are marked with the Key qualifier. A compound key has more than one property with a Key qualifier.

key qualifier
A qualifier that must be attached to every property in a class that serves as part of the key for that class.

light-weight HTTP server
A small-footprint server that processes HTTP requests and returns standard HTTP responses. The server is not intended as a replacement for a web server. The server does not serve up HTML web pages and does not run CGI applications.

local property
A non-system property defined for a class but not inherited from a superclass.

managed object
A hardware or software system component that is represented as an instance of the CIM class. Information about managed objects is supplied by data and event providers, as well as by the CIM Object Manager.

managed object format (MOF)
A compiled language for defining classes and instances. A MOF compiler takes information from a .mof formatted text file and adds the data to the CIM Object Manager repository. MOF eliminates the need to write code, thus providing a simple and fast technique for modifying the CIM Object Manager repository. DMTF makes their schemas available as MOF files.

management application
An application or service that uses information originating from one or more managed objects in a managed environment. Management applications retrieve this information and perform operations through calls to the CIM Object Manager from the CIM Object Manager.

management information base (MIB)
A database of managed objects, written in text.

management information format (MIF) database
Part of DMI that stores and manages information and passes it to management applications on request. MIFs define the standard manageable attributes of PC products in categories including PC systems, servers, printers, LAN adapters, modems, and software applications.

Management Interface (MI)
The MI allows DMI-enabled applications to access, manage and control desktop systems, components and peripherals.

metamodel
A CIM component that describes the entities and relationships representing managed objects. For example, classes, instances, and associations are included in the metamodel.

metaschema
The metaschema is a formal definition of the model. It defines the terms used to express the model and its usage and semantics.

method
1. A function describing the behavior of a class. Including a method in a class does not guarantee an implementation of the method. The Implemented qualifier is attached to the method to indicate that an implementation is available for the class.
2. A function included in a CIM Object Manager API interface.

MOF file
A text file that contains definitions of classes and instances, using Managed Object Format (MOF) formatting.

multiple inheritance
The ability of a subclass to derive from more than one superclass.

named element
An entity that can be expressed as an object in the meta schema.

namespace
A unit for grouping classes and instances to control their scope and visibility. Namespaces are not physical locations; they are more like logical databases containing specific classes and instances. Objects located within a namespace must have unique names (specified by one or more key values) within that namespace. Objects in different namespaces can be unique even if they have the same keys, because the two objects reside in separate namespaces.

object path
A formatted string used to access namespaces, classes, and instances. Each object on the system has a unique path which identifies it locally or over the network. Object paths are conceptually similar to Universal Resource Locators (URL).

Open Database Connectivity (ODBC)
A specification for an API that defines a standard set of routines with which an application can access data in a data source.

operational semantics
The formalization of real objects by putting them into a common language.

override
Indicates that the property, method, or reference in the derived class overrides the similar construct in the parent class in the inheritance tree or in the specified parent class.

PAM (Pluggable Authentication Model)
A Hewlett-Packard product that coordinates user authentication tools for system security.

property
A name/value pair that describes a unit of data for a class. Property names cannot begin with a digit and cannot contain white space. Property values must have a valid Managed Object Format (MOF) data type.

property provider
A type of provider that supports the retrieval and modification of the CIM properties.

provider
An executable that can return and/or set information, execute methods, generate indications, or respond to other requests regarding a given managed object.

provider data sheet (PDS)
Provides basic provider information to software professionals who will design, implement, enhance, and/or support client applications that will use this provider. It contains information about what this provider does, what interfaces it uses, how to install it and what platforms and operating systems are supported.

provider registration
A provider needs to register with the CIMOM so that the CIMOM will know what properties and methods are supported. A special object is created during registration to relate the information about the provider to the classes in the CIM schema that it supports.

qualifier
A modifier containing information that describes a class, an instance, a property, a method, or a parameter.

reference
A special string property type that is marked with the reference qualifier, indicating that it is a pointer to other instances.

repository
This repository contains the definitions of classes and instances that represent managed objects and the relationships among them. The WBEM Services repository is not available for use by clients or providers for static or persistent data storage. Also see CIM Object Manager repository.

required property
A property that must have a value.

schema
A collection of class definitions that describe managed objects in a particular environment.

Simple Network Management Protocol (SNMP)
A protocol of the Internet reference model used for network management.

standard schema
A common conceptual framework for organizing and relating the various classes representing the current operational state of a system, network, or application. The standard schema is defined by the Desktop Management Task Force (DMTF) in the Common Information Model (CIM).

subclass
A class that is derived from a superclass. The subclass inherits all features of its superclass, but can add new features or redefine existing ones.

subschema
A part of a schema owned by a particular organization. The Win32 schema is an example of a subschema.

superclass
The class from which a subclass inherits

WBEM (Web-Based Enterprise Management)
An initiative based on a set of management and Internet standard technologies developed to unify the management of enterprise computing environments. WBEM provides the ability for the industry to deliver a well-integrated set of standard-based management tools leveraging the emerging technologies such as CIM and XML.

WBEM Services (HP WBEM Services for HP-UX)
A Hewlett-Packard product that uses WBEM and DMTF standards to manage HP-UX system resources.

web server
Full-service web servers act as HTTP servers. In addition, they have many other capabilities, like running CGI scripts. Understanding the distinction between a limited-service HTTP server and a full-service Web server is critical to understanding security on HP WBEM Services for HP-UX. WBEM Services uses its own embedded HTTP server (a light-weight server), not a web server.

Acknowledgement: Much of this information was gathered from: http://dmtf.org/education/cimtutorial.php, and much more information is available there.
