Novell Doc: OES 1 - Ensuring Secure Access

3.2 Ensuring Secure Access

The default setup of OpenWBEM is relatively secure. However, you might want to review the following to ensure access to OpenWBEM components is as secure as desired for your organization.

3.2.1 Certificates

Secure Socket Layers (SSL) transports require a certificate for secure communications to occur. When OES is installed, OpenWBEM has a self-signed certificate generated for it.

If desired, you can replace the path for the default certificate with a path to a commercial certificate that you have purchased or with a different certificate that you have generated in the http_server.SSL_cert = path_filename setting in the openwbem.conf file.

The default generated certificate is in the following locations:

Table 3-2 Default Locations for Generated Certificates

Platform	File Location
Linux	/etc/openwbem/hostkey+cert.pem
NetWare	sys:/system/cimom/etc/openwbem/hostkey+cert.pem

If you want to generate a new certificate, use the following commands. Running these commands replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one.

Table 3-3 Commands for Generating Certificates

Platform	Command
Linux	As root in a console shell, enter `sh /etc/openwbem/owgencert`.
NetWare	As user Admin or with equivalent rights in a Bash console shell, enter `/system/cimom/etc/openwbem/owgencert`. To get a bash prompt, enter `bash` at the System Console prompt. To exit the bash console shell, enter `exit`. For more information about using bash commands on NetWare, see BASH in the Utilities Reference for OES.

Platform

Command

Linux

As root in a console shell, enter sh /etc/openwbem/owgencert.

NetWare

As user Admin or with equivalent rights in a Bash console shell, enter /system/cimom/etc/openwbem/owgencert.

To get a bash prompt, enter bash at the System Console prompt. To exit the bash console shell, enter exit. For more information about using bash commands on NetWare, see BASH in the Utilities Reference for OES.

If you want to change the certificate that OpenWBEM uses, see Changing the Certificate Configuration.

3.2.2 Ports

OpenWBEM is configured by default to accept all communications through a secure port, 5989. The following table explains the port communication setup and recommended configuration.

Table 3-4 Port Communication Setup and Rcommended Configurations

Port	Type	Notes and Recommendations
5989	Secure	The secure port that OpenWBEM communications use via HTTPS services. This is the default configuration. With this setting, all communications between the CIMOM and client applications are encrypted when sent over the Internet between servers and workstations. Users must authenticate through the client application to view this information. Novell recommends that you maintain this setting in the configuration file. In order for the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in routers and firewalls if they are present between the client application (iManager plug-in) and the nodes being monitored.
5988	Unsecure	The unsecure port that OpenWBEM communications use via HTTP services. This setting is disabled by default. With this setting, all communications between the CIMOM and client applications are open for review when sent over the Internet between servers and workstations by anyone without any authentication. Novell recommends that you use this setting only when attempting to debug a problem with the CIMOM. As soon as the problem is resolved, set this back to the secure port, 5989. In order for the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in routers and firewalls if they are present between the client application (iManager plug-in) and the nodes being monitored.

Port

Type

Notes and Recommendations

5989

Secure

The secure port that OpenWBEM communications use via HTTPS services.

This is the default configuration.

With this setting, all communications between the CIMOM and client applications are encrypted when sent over the Internet between servers and workstations. Users must authenticate through the client application to view this information.

Novell recommends that you maintain this setting in the configuration file.

In order for the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in routers and firewalls if they are present between the client application (iManager plug-in) and the nodes being monitored.

5988

Unsecure

The unsecure port that OpenWBEM communications use via HTTP services.

This setting is disabled by default.

With this setting, all communications between the CIMOM and client applications are open for review when sent over the Internet between servers and workstations by anyone without any authentication.

Novell recommends that you use this setting only when attempting to debug a problem with the CIMOM. As soon as the problem is resolved, set this back to the secure port, 5989.

If you want to change the default port assignments, see Changing the Port Configuration.

3.2.3 Authentication

The following authentication settings are set and enabled as the default for each platform for OpenWBEM in OES.

You can change any of the default settings. See Changing the Authentication Configuration.

Linux

On Linux, the following settings are default:

http_server.allow_local_authentication = true
http_server.ssl_client_verification = disabled
http_server.use_digest = false
owcimomd.allow_anonymous = false
owcimomd.allowed_users = *
owcimomd.authentication_module = /opt/novell/lib/openwbem/authentication/libnovellauthentication.so

On Linux, the OpenWBEM CIMOM is PAM enabled; therefore the following can occur:

Local users can authenticate to the OpenWBEM CIMOM with local user credentials.
If LUM is installed on the server where the OpenWBEM CIMOM is running, then the Linux/LUM-enabled user can authenticate to the OpenWBEM CIMOM.
If a Linux/LUM-enabled user has the Supervisor right for the Entry Rights property for the UNIX Workstation object that represents the Linux server, the OpenWBEM CIMOM grants that user Root privileges to that Linux server.

NetWare

On NetWare, the following settings are default:

http_server.allow_local_authentication = false
http_server.ssl_client_verification = disabled
http_server.use_digest = false
owcimomd.allow_anonymous = false
owcimomd.allowed_users = *

owcimomd.authentication_module = /system/cimom/lib/openwbem/authentication/libnetwareauthentication.nlm ldap_auth.ldap_host = 127.0.0.1 ldap_auth.cert_file = /public/RootCert.der

You need to reconfigure the LDAP settings as shown in the following table. To change these settings, see owcimomd.authentication_module.

Table 3-5 Recommended Changes for LDAP Settings

Setting	Recommended Change
ldap_auth.ldap_host	Change from a local IP address to the IP address or DNS name of the LDAP server for your network.
ldap_auth.cert_file	Change from the public/RootCert.der file on the local server to the RootCert.der file for the LDAP server in your network.
ldap_auth.searchbase	Set the LDAP search base to a container where the set of users that are using OpenWBEM is in the tree; otherwise, the search starts at the root of the tree.

The following additional LDAP settings are recognized by owcimom.nlm:

ldap_auth.ldap_port = 636
ldap_auth.bind_timelimit = 3
ldap_auth.binddn = anonymous
ldap_auth.bindpw = N/A
ldap_auth.search_timelimit = 10 seconds
ldap_auth.searchscope = sub
ldap_auth.user_cachesize = 10 entries

If you want to override these setting, you need to add them to the openwbem.conf file and make the changes as desired. To change these settings, see Configuring Additional LDAP Settings for NetWare.