HP WBEM Services for HP-UX System Administrator Guide
HP Part Number: 766166-001
Published: March 2014
Edition: 1

© Copyright 2002, 2014 Hewlett-Packard Company. All rights reserved. The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 Introduction to HP WBEM Services This chapter describes HP WBEM Services, the architecture, and how it functions with other products. HP WBEM Services is an implementation of the DMTF-WBEM standard on HP-UX systems. HP WBEM Services enables management solutions to deliver increased control of enterprise resources at reduced cost.
http://www.dmtf.org/standards/cim. For an overview of the data representation, see Appendix A (page 53). CIM in Extensible Markup Language The markup language for describing data on the web is Extensible Markup Language (XML). DMTF defines a standard for representing the CIM elements and messages in XML, referred to as CIM-XML. Since CIM-XML provides a standard way of describing data, any WBEM client can access CIM data on any WBEM-enabled system.
The CIM repository can be modified, using CIM operations, which are provided through an XML file. Information can be entered in the repository either as MOF files using the cimmof command or as XML files using the wbemexec command. You can use the wbemexec command to execute CIM operations, such as create class or create instance, in the XML file. For more information on maintaining the repository, see “Maintaining the repository” (page 32).
How HP WBEM Services works
This section describes how HP WBEM Services processes requests received from management clients and collaborates with the respective providers to send information back to those clients. In general, HP WBEM Services can receive requests from clients running on different kinds of systems and platforms, as long as the requests conform to the DMTF CIM-XML standard. HP WBEM Services processes these client requests and passes them to the appropriate providers.
• “Software Distributor Provider” • “IOTree Provider” For more information on these providers, see “Providers available with HP WBEM Services” (page 22). When a provider is installed in the network, it automatically registers with HP WBEM Services, using the MOF compiler. Information on the provider is stored in the CIM repository.
Figure 2 HP WBEM Services Processing Requests Any client request that is sent as an HTTP request to HP WBEM Services is a CIM operation. The request is encoded in CIM-XML. The HTTP server of HP WBEM Services listens for the CIM messages on the wbem-http or wbem-https port.
1. The client connects with the HTTP server. Any remote client, when sending a request, also sends a valid system login name and password information to a system with HP WBEM Services that has the appropriate provider installed. For information about login permissions, see Chapter 3 (page 34).
2. The CIM server in HP WBEM Services uses its XML decoder to parse the XML data in the request. If an error occurs, the CIM server returns an error message and stops processing the request.
CIM_ERR_NOT_SUPPORTED For a list of standard CIM errors and other error messages, see Chapter 5 (page 43). HP WBEM indications In a network where several clients and resources are managed, certain events might occur. These events, irrespective of nature or criticality, must be reported so that appropriate action is taken. In this network, you can receive a notification from HP WBEM Services when an event occurs.
A CIM message is a well-defined request or response data packet used to exchange information between the CIM applications. Following are the types of CIM messages:
• CIM Operation Messages: A CIM Operation Message is used to invoke an operation on the target CIM namespace.
• CIM Export Messages: A CIM Export Message is used to communicate information about a CIM namespace or element that is foreign to the target.
Table 1 Commands, Executable Scripts, and Daemon Processes in HP WBEM Services (continued)
Name | Type | Version | Required Permission | To Perform
option takes effect the next time the CIM server is started. When using the current values, the CIM server must be running. When using planned values, the CIM server can be running or not. For more information, see cimconfig(1M).
cimmof | Command | A.02.07 | root | Used by HP WBEM Services to compile .mof files and to load the information in the repository.
Table 1 Commands, Executable Scripts, and Daemon Processes in HP WBEM Services (continued)
Name | Type | Version | Required Permission | To Perform
However, you can set the interval for this daemon. Normally, the CIM server is started and halted using the cimserver command. If you halt the CIM server using the cimserver command, the daemon does not automatically restart it in the event of a failure. For more information on using this command, see cimserverd(1M).
cimservermain | Process | A.02.
Table 1 Commands, Executable Scripts, and Daemon Processes in HP WBEM Services (continued)
Name | Type | Version | Required Permission | To Perform
By default, the information is formatted for display in English with uptime displayed in days, hours, minutes, and seconds. You can choose to receive the information in the CIM format. You can use this command only when the CIM server is running. For more information on using this command, see osinfo(1M).
ssltrustmgr | Command | A.02.
2 Installing and setting up HP WBEM Services This chapter describes the procedures for installing and setting up HP WBEM Services. Compatibility information HP WBEM Services is available on HP-UX 11i v1, v2, and v3. The provider versions that are compatible with HP WBEM Services will vary based on the version of HP WBEM Services that you want to install and the operating system version on which you install it.
Verifying WBEM SSL certificate permissions..........[PASS]
Verifying WBEM files and directories................[PASS]
Total number of checks performed: 10
Total number of Errors: 0

To check the compatibility versions for HP WBEM Services, run the following command:
fsweb2# wbemassist -c -ov 11.23 -pn utilProvider -pv A.01.08.02.01.

NOTE: The "-c" option from wbemassist command will be removed from the next release of WBEMServices due to the introduction of WBEM Management bundle (WBEMMgmtBundle).
For taking backups of files and repositories, HP recommends that you use the cimreparchive tool that is available with HP WBEM Services. The cimreparchive tool creates an archive copy of the CIM server repository in a specified archive file. The archive copy contains a consistent repository state even if it is created while the CIM server is running. Create the archive file using the cimreparchive tool.
IMPORTANT: Before installing the software, ensure that your system meets the requirements described in the section “Prerequisites” (page 20).

Complete the following procedure to install HP WBEM Services:
1. Download the product from http://software.hp.com –> Security and manageability.
2. Copy the downloaded depot file to a local directory on the system.
3. Log in to the HP-UX system as root and go to the directory where the depot is downloaded.
4. Start the installation.
To ensure that the files installed by HP WBEM Services have not been tampered with, run the following command:
swverify WBEMServices
If the files have not been tampered with and are functioning as expected, the following message is displayed:
Verification succeeded

Upgrading HP WBEM Services
HP WBEM Services can be upgraded to a more recent version without having to stop the OE. All information on the previous version of HP WBEM Services will still be available.
Operating System Provider The Operating System Provider gives operating system information, such as OS type, version, last boot up time, local date and time, number of users, swap space size, and free physical memory. This provider is used by clients to determine the basic understanding of the identity of the managed system on which it is running. This provider uses the CIM_OperatingSystem class and the PG_OperatingSystem subclass. • SystemUpTime is a convenience property.
Process Provider The Process Provider makes available the basic UNIX process information, such as name of the executable image, process ID, priority, execution state, and various process resource utilization statistics. Client applications can use this provider to give clients an understanding of the processes running on the managed system within the context of its operating system.
The Network Information Service provider instruments the PG_NISServerService subclass of the CIM_Service class by adding the properties ServerType and ServerWaitFlag:
• The ServerType property specifies if the instance is a master or slave server.
• The ServerWaitFlag property specifies the NIS server wait state (wait/no wait).

NOTE: Currently, the provider does not support all properties of the CIM_Service class or its superclasses. This provider extends the CIM_Service class that describes a NIS.
LocalDateTime: Aug 9, 2002 15:57:47 (-0700)
SystemUpTime: 1985952 seconds = 22 days, 23 hrs, 39 mins, 12 secs

• The wbemexec command
This command is available with A.02.05 and later versions of HP WBEM Services. The wbemexec command accepts a CIM-XML formatted file as input and sends it to the CIM server as a CIM Request. The following is a sample CIM-XML input file:

NOTE: If you already have HP WBEM Services installed, check your release notes before removing or re-installing it. You can remove all the files associated with HP WBEM Services and make all your providers unavailable.

IMPORTANT: Do not move or change HP WBEM Services files. Their locations are predetermined.
For information on the options that you can set, see “CIM server properties” (page 30). You can also view the manpage for the cimconfig command. If you attempt to start the CIM server when it is already running, the following message appears: /opt/wbem/lbin/cimserver: cimserver is already running (the PID found in the file "/etc/opt/wbem/cimserver_start.conf" corresponds to an existing process named "cimservermain"). NOTE: This message is displayed with HP WBEM Services version A.02.05 and later.
1. Find the Process Identification Number (PID) of the cimserverd daemon.
ps -ef | grep cimserverd
2. Terminate the processes.
kill -9 <PID>
The cimserverd daemon is automatically re-spawned by init(1M) because it has an entry in the /etc/inittab file.

NOTE: The cimserverd daemon automatically restarts the CIM server when it fails on a system, but not in cases where the CIM server is manually halted.
If an error occurs when you are adding or removing x509 certificates, then an error message is written to the standard output. For more information on using this command, see cimtrust(1M). CIM server properties After HP WBEM Services is installed, you can configure the properties listed in this section using the cimconfig command. You must have privileged user (root) permissions to modify the values of these properties.
• enableSubscriptionsForNonprivilegedUsers - Set to true or false. The default, false, means that only a privileged user (superuser) will be allowed to create Indication Subscriptions.
• sslClientVerificationMode - Describes the required level of support for certificate-based authentication. This property is only used when enableHttpsConnection is set to true.
• idleConnectionTimeout - If set to a positive integer, this value specifies a minimum timeout value for idle client connections.
As a result, the client is permitted to negotiate with the server during the SSL handshake phase. The default value of this property is DEFAULT. The other configurable values are HIGH and LOW. For more information, see the cimconfig command manpages. This is not a dynamic property. Hence, it requires a cimserver restart. Configuring Insight Remote Support (IRS) for WBEM Services HP WBEM Services version A.02.09.
If you cannot restore the files, the init_repository script will restore the files to the way they were when you first installed HP WBEM Services. The default providers that installed with HP WBEM Services will be intact. However, any managed objects, providers, or namespaces that you added since you first installed HP WBEM Services will be removed. You will need to re-register (or re-install) all the added providers. To run the init_repository script, enter the following commands: 1.
3 Security considerations This chapter describes the security aspects of working with HP WBEM Services. In any network, security is always of prime importance. For HP WBEM Services, security is first checked at the communication channels.
To disable the Export HTTPS port, use the cimconfig command to set the planned value of the configuration property enableSSLExportClientVerification to false and restart the CIM server.

HP WBEM Services configuration options security disclaimer
As a security best practice, HP recommends that you disable any network daemon that you do not use in your environment. Any daemon that is in use must be configured securely according to the threat environment in which it is located. This is a functionality vs.
4 Authentication methods in HP WBEM Services This chapter elaborates on the authentication methods in HP WBEM Services. HP WBEM Services supports the following authentication methods: • Local authentication: This method is used to authenticate requests from local users. In this scenario, if the user is on the same system as HP WBEM Services, then the authentication already performed by the system is used by HP WBEM Services. For more information, see “Local user authentication” (page 36).
Remote user authentication The CIM server can authenticate remote users with one of the following methods: • HTTP Basic Authentication • Certificate Based Authentication Table 3 describes these authentication methods. Table 3 Remote User Authentication Methods Certificate Based Authentication (CBA) HTTP Basic Authentication Description The CIM server requests the client certificate while HTTPS connection is in progress.
wbem auth required libpam_ldap.so.1 try_first_pass
# Account management
wbem account required libpam_hpsec.so.1
wbem account sufficient libpam_unix.so.1
wbem account required libpam_ldap.so.1
# Session management
wbem session required libpam_hpsec.so.1
wbem session sufficient libpam_unix.so.1
wbem session required libpam_ldap.so.1
# Password management
wbem password required libpam_hpsec.so.1
wbem password required libpam_ldap.so.1 try_first_pass
wbem password required libpam_ldap.so.
NOTE: Basic Authentication requires the client to pass both the user name and password, in Base64 encoding. Base64 is a reversible encoding, not encryption, so it is not secure. SSL (enableHttpsConnection) must be disabled only in a highly secure environment where transferring clear text passwords does not pose a security threat.

HP WBEM Services uses OpenSSL to support HTTPS connections. OpenSSL is a cryptography toolkit that implements the network protocols and related cryptography standards of SSL v2/v3 and TLS (Transport Layer Security).
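
The following script is an added example, not part of the HP guide: it checks a set of CIM server properties against the points made in "CIM server properties" and in the Basic Authentication note above. It assumes the input is one name=value pair per line (the assumed form of `cimconfig -l -c` output); the function names, the sample values, and the sslClientVerificationMode values `required` and `optional` are not taken from this page.

```shell
#!/bin/sh
# Added example: flag CIM server properties that weaken transport security
# or authorization. Input: "name=value" lines on stdin (assumed format of
# `cimconfig -l -c` output; check it on your release).

# Constructed sample input, not captured from a real system.
sample_config() {
    cat <<'EOF'
enableHttpConnection=true
enableHttpsConnection=false
sslClientVerificationMode=required
enableSubscriptionsForNonprivilegedUsers=true
enableNamespaceAuthorization=false
authorizedUserGroups=
idleConnectionTimeout=0
EOF
}

# prop NAME: print the value of NAME from $CFG (empty if absent or unset).
prop() {
    printf '%s\n' "$CFG" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# listed NAME: succeed if NAME appears in $CFG at all.
listed() {
    printf '%s\n' "$CFG" | grep -q "^[[:space:]]*$1[[:space:]]*="
}

# audit_cimconfig: print one WARN/INFO finding per line.
# Returns 0 when no WARN finding was raised, 1 otherwise.
audit_cimconfig() {
    CFG=$(cat)
    warn=0
    https=$(prop enableHttpsConnection)
    cba=$(prop sslClientVerificationMode)

    if [ "$(prop enableHttpConnection)" = "true" ]; then
        echo "WARN enableHttpConnection=true: Basic Authentication passwords are only Base64-encoded on this port"
        warn=1
    fi
    if [ "$https" = "false" ]; then
        echo "WARN enableHttpsConnection=false: remote clients have no SSL-protected port"
        warn=1
        # The guide states this property is only used when HTTPS is enabled.
        case "$cba" in
            required|optional)
                echo "WARN sslClientVerificationMode=$cba has no effect while enableHttpsConnection=false"
                ;;
        esac
    fi
    if [ "$(prop enableSubscriptionsForNonprivilegedUsers)" = "true" ]; then
        echo "WARN enableSubscriptionsForNonprivilegedUsers=true: non-privileged users can create Indication Subscriptions (default is false)"
        warn=1
    fi
    if [ "$(prop enableNamespaceAuthorization)" = "false" ]; then
        echo "INFO enableNamespaceAuthorization=false: per-namespace authorization is not enforced"
    fi
    if listed authorizedUserGroups && [ -z "$(prop authorizedUserGroups)" ]; then
        echo "INFO authorizedUserGroups is empty: no user group restriction is applied"
    fi
    return "$warn"
}

# Demonstration on the constructed sample (findings go to stdout).
sample_config | audit_cimconfig || true
```

On a live system, replace the sample with the server's current values piped into audit_cimconfig, and use the exit status to fail a configuration check when a WARN finding is present.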
If using CA certificates that are using 2048-bit encryption, HP recommends that you keep them. If the CA certificates are not using 2048-bit encryption, HP recommends that you get new CA certificates with 2048-bit encryption. Importing server certificates to the Trust Store CIM client applications must maintain a trust store in a .pem file. The CIM client applications must import the certificates stored in the /etc/opt/hp/sslshare/ cert.
User group authorization
User group authorization consists of establishing that the already authenticated user is a member of one of the configured groups in the authorizedUserGroups configuration property. If the user is not authorized, the client request is rejected without being processed and an authorization failure message is sent back.
EnumerateClasses EnumerateClassNames EnumerateInstances EnumerateInstanceNames EnumerateQualifiers GetClass GetInstance GetProperty GetQualifier
5 Troubleshooting HP WBEM Services
This chapter describes how to troubleshoot HP WBEM Services in your environment. It is intended for people who are having trouble using HP WBEM Services.

Checklist for troubleshooting HP WBEM Services
Before contacting support, read the checklist for troubleshooting HP WBEM Services.
• Is CIM server running? Enter the command ps -ef|grep cimserver. If it is not running, then you must start it. For HP-UX: enter cimserver (no options).
General Syslog messages
HP WBEM Services puts the following messages in Syslog:
• When CIM server starts up, it logs a message, for example:
fsweb2 cimserver[1593]: PGS10026: The CIM server is listening on HTTPS port 5989.
fsweb2 cimserver[1593]: PGS10028: The CIM server is listening on the local connection socket.
fsweb2 cimserver[1593]: PGS10030: Started HP-UX WBEM Services version A.02.09.10.
The substitution data $0 identifies the subscription, and contains the values of the subscription Filter and Handler Name properties in the form "FilterName, HandlerName". This message might indicate that one or more indication providers has been removed or disabled, and you might have to re-install, re-register, and re-enable one or more indication providers to avoid missing indications.
• 5 = CIM_ERR_INVALID_CLASS: The specified class does not exist.
• 6 = CIM_ERR_NOT_FOUND: The requested object was not found.
• 7 = CIM_ERR_NOT_SUPPORTED: The requested operation is not supported.
• 8 = CIM_ERR_CLASS_HAS_CHILDREN: Operation cannot be carried out on this class because it has subclasses.
• 9 = CIM_ERR_CLASS_HAS_INSTANCES: Operation cannot be carried out on this class because it has instances.
• CIM_ERR_INVALID_CLASS: The specified class does not exist.
• CIM_ERR_INVALID_NAMESPACE: The target namespace does not exist.
• CIM_ERR_INVALID_PARAMETER: One or more parameter values passed to the method were invalid.
• CIM_ERR_METHOD_NOT_AVAILABLE: The extrinsic method could not be executed.
• CIM_ERR_METHOD_NOT_FOUND: The specified extrinsic method does not exist.
• CIM_ERR_INVALID_QUERY: The query is not valid for the specified query language.
3. Expanded text message: The requested operation is not supported
4. The non-standard additional message: OperatingSystem Provider does not support createInstance

As a second example, consider a client that mistakenly provides too few or too many keys to a GetInstance operation on the PG_OperatingSystem class. The following response is sent:
• Message: Failed to remove authorizations. Specified user authorizations were not found.
Enter cimauth -l to list all the authorizations. Locate the one you want to remove and verify that you have spelled it correctly. If it is not in the list, you need to add it with the -a option, then re-issue the command.
• Message: CIM server might not be running.
To see if cimserver is running, enter:
ps -ef|grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it.
• Message: Current value cannot be determined because the CIM server is not running.
To see if cimserver is running, enter:
ps -ef|grep cimserver
Perhaps an operator stopped it by command, but did not restart it. To start it, do the following:
HP-UX: cimserver
• Message: Planned value cannot be determined because the CIM server is not running.
To see if cimserver is running, enter:
ps -ef|grep cimserver
Perhaps an operator stopped it by command, but did not restart it.
6 Support and other resources About this document This document explains the architecture of HP WBEM Services for HP-UX. It also contains information on installing and administering HP WBEM Services in your environment. This document is intended for system administrators who are responsible for installing and administering HP WBEM Services.
7 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A Representation of resources The HP WBEM Services repository stores information about the managed resources. To register with HP WBEM Services, a provider must define its resource by the classes and subclasses that define it. Then the provider must describe the properties that it will expose, and the methods that it will support. The properties describe what a class is, the methods describe what it can do. Properties are attributes or characteristics of the resource.
these keys is its own identification. It is the only instance in its namespace that is allowed to have that “name.” More than one key property is a compound key. Consider how to uniquely identify a user account on a UNIX system. You can use two key properties: the value of the user account’s Name property and the value of the system’s Name property. Also, you can identify with the pair used to route your email to you: user-name@domain-name. Classes are either concrete or abstract.
B Sample client request
This appendix provides a sample of a client request and the response. The request is for the EnumerateInstances operation on the PG_OperatingSystem class. Requests and responses are encoded in XML. For more information about XML, see http://www.dmtf.org/standards/WBEM. The information is represented in a table format. The first column has line numbers for the actual request and response. The middle column can group several related lines.
• Lines 6 - 9: Two criteria must be met to continue:
◦ This namespace must be valid.
◦ If the enableNamespaceAuthorization property is enabled, this user must be authorized to access this namespace.
• Lines 10 - 12: The classname must exist, and it must have a provider registered. The provider must respond to the request. Here, the OS Provider is registered for the PG_OperatingSystem class. Checking the provider documentation, you can see that it supports the EnumerateInstances method.
Table 6 EnumerateInstances Response for PG_OperatingSystem Class (continued) 22 23 24 25 28 29 End of keys for instance 30 Begin all properties of instance 31 32 33 CIM_UnitaryComputerSystem 34 35 36
Table 6 EnumerateInstances Response for PG_OperatingSystem Class (continued)
Line 58 (Next property): This instance reflects the Operating System on which the CIMOM is executing (as distinguished from instances of other installed operating systems that could be run).
Glossary

C
CIM (Common Information Model)
A hierarchical object-based model developed by the DMTF that defines a large number of concepts common to most computer systems.
CIM Client
A client application that issues CIM operation requests over HTTP and processes the responses.
CIM Object Manager (CIMOM)
Manages CIM objects in an HP WBEM-enabled system. CIMOM receives and processes CIM operation requests and issues responses.
E
extensible markup language (XML)
A simplified subset of SGML that offers powerful and extensible data modeling capabilities. An XML Document is a collection of data represented in XML. An XML Schema is a grammar that describes the structure of an XML Document.
extension schema
The third layer of the CIM schema, which includes platform-specific extensions of the CIM schema such as Microsoft Windows NT, UNIX, and Microsoft Exchange Server. Also see common model and core model.
key qualifier
A qualifier that must be attached to every property in a class that serves as part of the key for that class.

L
light-weight HTTP server
A small footprint server that processes HTTP requests and returns standard HTTP responses. The server is not intended as a replacement for a web server. The server does not serve up HTML web pages and does not run CGI applications.
local property
A non-system property defined for a class but not inherited from a superclass.
O
object path
A formatted string used to access namespaces, classes, and instances. Each object on the system has a unique path which identifies it locally or over the network. Object paths are conceptually similar to Universal Resource Locators (URL).
Open Database Connectivity (ODBC)
A specification for an API that defines a standard set of routines with which an application can access data in a data source.
subclass
A class that is derived from a superclass. The subclass inherits all features of its superclass, but can add new features or redefine existing ones.
subschema
A part of a schema owned by a particular organization. The Win32 schema is an example of a subschema.
superclass
The class from which a subclass inherits.

W
web server
Full-service web servers act as HTTP servers. In addition, they have many other capabilities, like running CGI scripts.