HP WBEM Services for HP-UX and Linux System Administrator's Guide
6 Security Considerations
This chapter describes HP WBEM Services security.
Security is checked first at the communication path. HP WBEM Services
has three pathways:
• Local users with requests: If the user is on the same system as
HP WBEM Services, HP WBEM Services accepts the authentication
already done by the system itself. See Local Authentication, below.
• Remote users with requests: If the user is coming from a remote
system, the request enters through the HP WBEM Services HTTP Server.
The embedded HTTP server accepts only valid CIM requests; all other
requests are rejected. User information is included in the
XML-encoded HTTP message header. The CIM Server checks the
user-password information. See Remote Authentication, below.
• Providers: HP WBEM Services interacts with its registered providers
through shared libraries.
NOTE CIM providers run as privileged users. Be very careful when
installing a provider that does not come from a trusted source.
After HP WBEM Services passes on a request to a provider, the provider
is responsible for checking its own security. The provider sets the rules
about which requests it considers, and the conditions for granting or
refusing them. If a provider requires authorization beyond that checked
by HP WBEM Services, the provider supplier is responsible for
documenting its own rules.
HP WBEM Services uses dedicated ports for CIM-XML traffic. Two ports
are specified by DMTF and registered with IANA for CIM-XML
communications between remote clients and the CIM Server:
• HTTP TCP/IP communication on port 5988 (wbem_http)
• HTTPS TCP/IP communication on port 5989 (wbem_https)
Hewlett-Packard supports only these two port configurations.
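
The following listener audit for the two CIM-XML ports is an added example, not part of the HP guide. It reports where 5988 and 5989 are bound and flags a plain-HTTP listener reachable from other systems. The function name, the sample lines, and the assumption that the local address is the fourth field (as in `ss -ltn` and `netstat -an` output) are illustrative.

```shell
#!/bin/sh
# Added example: classify listeners on the CIM-XML ports named in this chapter.
WBEM_HTTP_PORT=5988    # wbem_http  (HTTP)
WBEM_HTTPS_PORT=5989   # wbem_https (HTTPS)

# Constructed sample input; on a real host pipe in `ss -ltn` or `netstat -an`.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:5988 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5989 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp 0 0 *.22 *.* LISTEN'

# Reads listener lines on stdin and prints one line per CIM-XML listener.
# Returns 1 if port 5988 (unencrypted) is bound to a non-loopback address,
# 0 otherwise. Assumes field 4 is the local address.
classify_wbem_listeners() {
    awk -v http="$WBEM_HTTP_PORT" -v https="$WBEM_HTTPS_PORT" '
    /LISTEN/ {
        local = $4
        port = local
        sub(/.*[:.]/, "", port)      # text after the last ":" or "." is the port
        if (port != http && port != https) next
        addr = substr(local, 1, length(local) - length(port) - 1)
        # Loopback binds are reachable only by local users.
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
            scope = "local"
        else
            scope = "remote"
        proto = (port == http) ? "wbem_http cleartext" : "wbem_https tls"
        printf "%s %s addr=%s scope=%s\n", port, proto, addr, scope
        if (port == http && scope == "remote") exposed = 1
    }
    END { exit exposed + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTENERS" | classify_wbem_listeners \
    || echo "finding: CIM-XML over plain HTTP (5988) is reachable from remote systems"
```

A non-zero return means user-password information sent by remote clients to 5988 crosses the network unencrypted; 5989 carries the same CIM-XML traffic over HTTPS.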