A Practical Approach to WBEM/CIM Management

On any client/server interface, questions of authentication arise: the server wants to authenticate the client to ensure that it is authorised to do the operations it requests and the client wants to authenticate the server so that it feels comfortable in passing confidential information such as passwords to it and so that it can trust the answers to its queries.

The DMTF's common models contain an infrastructure for managing authentication information for any user (see page 117). This section deals more with the practical details of authenticating clients accessing the WBEM server.

The basic WBEM architecture, as illustrated in Figure 4.4 on page 39, contains a position for a security plug-in and this provides the focus for client authentication: it is really no more than an exit point to external authentication tools such as an LDAP or Radius server.

The normal mechanism for a WBEM client to request an operation from a WBEM server is, of course, through CIM-XML over HTTP. HTTP, as defined in RFC2068, uses a challenge/response authentication protocol: the client makes a request, the server offers the client a number of mechanisms by which it can authenticate itself, the client selects the most secure one that it supports and authenticates itself. The server then checks the authentication and, if satisfied, answers the request. This process is repeated for each operation carried out over HTTP, as illustrated in Figure 7.12.

Figure 7.12: HTTP Authentication Exchange

The DMTF's "CIM Operations over HTTP" specification (DSP0200) specifies two types of authentication:

  1. Basic Authentication, as described in RFC2068. This is recognised as being insecure, as passwords and user names are passed from the client to the server in plain text and are therefore subject to interception by a so-called "man in the middle" (MITM) attack. Because of this vulnerability, DSP0200 forbids the use of Basic Authentication in other than a secure environment unless it is combined with encryption of the type employed by the Secure Sockets Layer (SSL).

  2. Digest Authentication, as described in RFC1945 and refined in RFC2617.

There are therefore three ways of authenticating a WBEM client: Basic Authentication over SSL, Digest Authentication, or some other protocol applicable to your application.

Different CIM server implementations support different authentication mechanisms: openPegasus, for example, supports only Basic Authentication over SSL whereas openWBEM supports both Basic and Digest Authentication.
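As an added illustration, not taken from the book or from any CIM server's code, the following Python shows what the two HTTP schemes above actually put on the wire: a Basic header that any observer can decode back to the password, and an RFC 2617 Digest response in which the password only enters through a hash that the server recomputes from its own copy of the credential. The realm, nonce, opaque value and credentials are constructed sample values, and /cimom is an assumed CIM-XML endpoint path.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample challenge such as a WBEM server might return in a 401
# response to a CIM-XML POST; realm, nonce and opaque are made-up values.
CHALLENGE = ('Digest realm="cimom", qop="auth", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def parse_challenge(header):
    """Split a WWW-Authenticate header into its scheme and quoted parameters."""
    scheme, _, params = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', params))


def basic_header(user, password):
    """Basic: user:password is merely base64-encoded, not protected at all."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header):
    """What an eavesdropper on an unencrypted link gets: the plaintext pair."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, fields,
                    nc="00000001", cnonce="0a4f113b"):
    """Client side of RFC 2617 with qop=auth; the password is never sent."""
    ha1 = _md5(f"{user}:{fields['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{fields['nonce']}:{nc}:{cnonce}:{fields['qop']}:{ha2}")


def verify_digest(stored_password, user, method, uri, fields, response,
                  nc="00000001", cnonce="0a4f113b"):
    """Server side: recompute from the stored credential and compare safely."""
    expected = digest_response(user, stored_password, method, uri, fields, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Because the Digest response is bound to the server's nonce and the request method and URI, a captured header cannot simply be replayed against a fresh challenge, which is the property Basic over plain HTTP lacks.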
