5.4 Ensuring Secure Access

The default setup of OpenWBEM is relatively secure. However, you might want to review the following to ensure access to OpenWBEM components is as secure as desired for your organization.

5.4.1 Certificates

The Secure Sockets Layer (SSL) transport requires a certificate before secure communication can occur. When OES is installed, a self-signed certificate is generated for OpenWBEM.

If desired, you can point OpenWBEM at a different certificate, such as a commercial certificate you have purchased or another certificate you have generated yourself, by replacing the default certificate path in the http_server.SSL_cert = path_filename setting in the openwbem.conf file.

The default generated certificate is in the following location:

/etc/openwbem/servercert.pem

If you want to generate a new certificate, use the following command. Running this command replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one.

  1. As root in a console shell, enter sh /etc/openwbem/owgencert.

If you want to change the certificate that OpenWBEM uses, see Changing the Certificate Configuration.

5.4.2 Ports

OpenWBEM is configured by default to accept all communications through a secure port, 5989. The following table explains the port communication setup and the recommended configuration.

Table 5-2 Port Communication Setup and Recommended Configurations

Port 5989 (Type: Secure)

Notes and Recommendations:

  • The secure port that OpenWBEM communications use via HTTPS services. This is the default configuration.

  • With this setting, all communications between the CIMOM and client applications are encrypted when sent over the Internet between servers and workstations. Users must authenticate through the client application to view this information.

  • Novell recommends that you keep this setting in the configuration file.

  • For the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in any routers and firewalls between the client application (iManager plug-in) and the nodes being monitored.

Port 5988 (Type: Non-secure)

Notes and Recommendations:

  • The non-secure port that OpenWBEM communications use via HTTP services. This setting is disabled by default.

  • With this setting, all communications between the CIMOM and client applications sent over the Internet between servers and workstations can be read by anyone, without any authentication.

  • Novell recommends that you use this setting only when debugging a problem with the CIMOM. As soon as the problem is resolved, switch back to the secure port, 5989.

  • For the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in any routers and firewalls between the client application (iManager plug-in) and the nodes being monitored.

If you want to change the default port assignments, see Changing the Port Configuration.

5.4.3 Authentication

The following authentication settings are set and enabled by default on each platform for OpenWBEM in OES.

You can change any of the default settings. See Changing the Authentication Configuration.

On Linux, the following settings are default:

  • http_server.allow_local_authentication = true

  • http_server.ssl_client_verification = disabled

  • http_server.use_digest = false

  • owcimomd.allow_anonymous = false

  • owcimomd.allowed_users = *

  • owcimomd.authentication_module = /opt/novell/lib/openwbem/authentication/libnovellauthentication.so

On Linux, the OpenWBEM CIMOM is PAM-enabled; therefore the following applies:

  • Local users can authenticate to the OpenWBEM CIMOM with local user credentials.

  • If LUM is installed on the server where the OpenWBEM CIMOM is running, then the LUM-enabled user can authenticate to the OpenWBEM CIMOM.

  • If a LUM-enabled user has the Supervisor right for the Entry Rights property for the UNIX Workstation object that represents the Linux server, the OpenWBEM CIMOM grants that user Root privileges to that Linux server.
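The checks below are an added example, not part of the OES documentation or of OpenWBEM itself: a small shell audit that reads an openwbem.conf and flags deviations from the certificate, port and authentication recommendations in this section. The port keys http_server.http_port and http_server.https_port, and -1 as the "disabled" value, are assumptions about the configuration file; the other keys are the ones named on this page.

```shell
#!/bin/sh
# Added example: audit an openwbem.conf against the recommendations above.
# Assumed keys: http_server.http_port / http_server.https_port (-1 = disabled).

# Print the value of "key = value" for key $2 in conf file $1. The last
# occurrence wins; lines commented out with '#' never match the anchor.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one line per finding and return the number of findings (0 = clean).
audit_openwbem_conf() {
    conf=$1; findings=0
    # The non-secure HTTP port (5988) must stay disabled outside of debugging.
    http_port=$(conf_get "$conf" http_server.http_port)
    if [ "${http_port:-unset}" != "-1" ]; then
        echo "FAIL: http_server.http_port is '${http_port:-unset}', expected -1 (disabled)"
        findings=$((findings + 1))
    fi
    # Secure traffic is expected on 5989, the documented default.
    https_port=$(conf_get "$conf" http_server.https_port)
    if [ "$https_port" != "5989" ]; then
        echo "FAIL: http_server.https_port is '${https_port:-unset}', expected 5989"
        findings=$((findings + 1))
    fi
    # Anonymous access to the CIMOM must remain off.
    if [ "$(conf_get "$conf" owcimomd.allow_anonymous)" != "false" ]; then
        echo "FAIL: owcimomd.allow_anonymous must be false"
        findings=$((findings + 1))
    fi
    # The certificate the SSL transport uses must exist and be readable.
    cert=$(conf_get "$conf" http_server.SSL_cert)
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "FAIL: http_server.SSL_cert '${cert:-unset}' is missing or unreadable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed demo input: a deliberately weakened configuration (sample data only).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<EOF
http_server.http_port = 5988
http_server.https_port = 5989
http_server.SSL_cert = $demo_dir/missing.pem
owcimomd.allow_anonymous = true
EOF
audit_openwbem_conf "$demo_dir/weak.conf" || echo "findings: $?"
```

Run it against /etc/openwbem/openwbem.conf after any edit; the exit status is the number of findings, so it can gate a change script.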