When changing the Authentication configuration, there are several things that you can control:

- Who can access the CIMOM
- What authentication module is used

See the following settings:
Directs the http_server to allow local authentication without supplying a password, relying on local system file permissions.
You can use this setting with the Basic or Digest settings.
http_server.allow_local_authentication = option
| Option | Use |
|---|---|
| false | Disables local authentication. |
| true | Enables local authentication. This is the default setting for Linux. |
http_server.allow_local_authentication = true
Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled.
http_server.digest_password_file = path_filename
The default path and filename for the digest password file is /etc/openwbem/digest_auth.passwd.
http_server.digest_password_file = /etc/openwbem/digest_auth.passwd
Determines whether the server should attempt to authenticate clients with SSL Client Certificate verification.
This setting is disabled by default.
http_server.ssl_client_verification = option
| Option | Use |
|---|---|
| autoupdate | Specifies the same functionality as the optional option; however, previously unknown client certificates that pass HTTP authentication are added to a trust store so that subsequent client connections with the same certificate do not require HTTP authentication. |
| disabled | Disables client certificate checking. This is the default setting. |
| optional | Allows a trusted certificate to be authenticated (no HTTP authentication is necessary). Also allows an untrusted certificate to pass the SSL handshake if the client passes the HTTP authentication. |
| required | Requires a trusted certificate for the SSL handshake to succeed. |
http_server.ssl_client_verification = disabled
Specifies a directory containing the OpenSSL trust store.
http_server.ssl_trust_store = path
The default path for the trust store file is /etc/openwbem/truststore.
http_server.ssl_trust_store = /etc/openwbem/truststore
Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication mechanism. To use Digest, you must set up the digest password file using owdigestgenpass.
Digest doesn’t use the authentication module specified by the OWCIMOMD.authentication_module configuration setting.
http_server.use_digest = option
| Option | Use |
|---|---|
| false | Enables the Basic authentication mechanism. This is the default for OES 2 Linux. |
| true | Disables the Basic authentication mechanism. This is the default OpenWBEM setting. |
http_server.use_digest = false
Specifies the user name of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by the OWCIMOMD. This user can be used to administer the /root/security namespace, which is where all ACL user rights are stored.
ACL processing is not enabled until the OpenWBEM_Acl1.0.mof file has been imported.
owcimomd.ACL_superuser = username
owcimomd.ACL_superuser = root
Enables or disables anonymous logins to owmgmt_openwebem_lx_nwd.
owcimomd.allowed_anonymous = option
| Option | Use |
|---|---|
| false | Requires login with a user name and password to access OWCIMOMD data. This is the default and recommended setting. |
| true | Allows anonymous logins to OWCIMOMD. This disables authentication. No user name or password is required to access OWCIMOMD data. |
owcimomd.allowed_anonymous = false
Specifies a list of users who are allowed to access OWCIMOMD data.
owcimomd.allowed_users = option
| Option | Use |
|---|---|
| username | Specifies one or more users who are allowed to access the OWCIMOMD data. Separate each user name with a space. |
| * | Allows all users to authenticate (for example, if you choose to control access with ACLs instead). This option is enforced for all authentication methods unless owcimomd.allow_anonymous is set to true. This is the default setting. |
owcimomd.allowed_users = bcwhitely jkcarey jlanderson
Specifies the authentication module that is used by OWCIMOMD. This setting should be an absolute path to the shared library containing the authentication module.
owcimomd.authentication_module = path_filename
The following are the default path and filename for the authentication modules:
| Platform | File Location |
|---|---|
| Linux x86 | /usr/lib/openwbem/authentication/libnovellauthentication.so |
| Linux 64 | /usr/lib64/openwbem/authentication/libnovellauthentication.so |
owcimomd.authentication_module = /usr/lib/openwbem/authentication/libnovellauthentication.so
Specifies the path to the password file when the simple authentication module is used.
This setting is disabled by default.
simple_auth.password_file = path_filename
simple_auth.password_file = /etc/openwbem/simple_auth.passwd
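As an added example (not part of the OpenWBEM documentation), the following POSIX sh script reads the authentication settings described above from a configuration file, falls back to the documented defaults when a key is absent, and reports the combinations that weaken authentication. The configuration file path and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example: audit owcimomd authentication settings. The config path passed
# in, and the sample file written by write_sample_conf, are assumptions.

# conf_get FILE KEY DEFAULT
# Prints the effective value of KEY ("key = value", last occurrence wins),
# ignoring comment lines, or DEFAULT when the key is not set.
conf_get() {
    _k=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the key
    _v=$(grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*$_k[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${_v:-$3}"
}

# audit_auth_conf FILE
# Prints one line per finding. Returns 1 if authentication is disabled
# outright (anonymous logins), 0 otherwise.
audit_auth_conf() {
    _f=$1
    _rc=0
    if [ "$(conf_get "$_f" owcimomd.allowed_anonymous false)" = "true" ]; then
        echo "RISK: owcimomd.allowed_anonymous = true (no user name or password required)"
        _rc=1
    fi
    if [ "$(conf_get "$_f" owcimomd.allowed_users '*')" = "*" ]; then
        echo "INFO: owcimomd.allowed_users = * (access must be restricted with ACLs)"
    fi
    if [ "$(conf_get "$_f" http_server.ssl_client_verification disabled)" = "disabled" ]; then
        echo "INFO: http_server.ssl_client_verification = disabled (client certificates not checked)"
    fi
    if [ "$(conf_get "$_f" http_server.use_digest false)" = "false" ]; then
        echo "INFO: http_server.use_digest = false (Basic authentication in use)"
    fi
    return $_rc
}

# write_sample_conf FILE: constructed sample configuration for demonstration.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
owcimomd.allowed_anonymous = true
owcimomd.allowed_users = bcwhitely jkcarey
http_server.ssl_client_verification = required
EOF
}

# Usage: sh audit.sh /path/to/owcimomd-config   (path is an assumption)
if [ $# -gt 0 ]; then audit_auth_conf "$1"; fi
```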