The WBEM Java Client SDK is a set of APIs that contain the components necessary to write management applications that communicate with WBEM-enabled management devices using XML and HTTP communication standards.
WBEM applications request information or services from the Common Information Model (CIM) Object Manager through the WBEM APIs. These APIs represent CIM objects as Java classes. These APIs can be used to describe managed objects and retrieve information about managed objects on a system.
WBEM client applications use the org.snia.wbem.client APIs to manipulate CIM objects. A client application uses the CIM API to construct an object (for example, a class, instance, or namespace) and then initializes, or instantiates that object. The application uses the client APIs to pass the object to the CIM Object Manager (CIMOM) and request an operation, such as creating a CIM class, instance, or deleting an instance.
CIM Listener (org.snia.wbem.listener) provides interfaces to process CIM/XML Indications.
The javadoc documentation includes the following packages that the client applications require to make CIM operation requests to a CIM Object Manager.
org.snia.wbem.client
org.snia.wbem.cim
org.snia.wbemcfg
org.snia.wbem.listener
You must use Xerces 1.4.4 version. It can be
downloaded from
http://xml.apache.org/dist/xerces-j/
Java 1.4 version is used because it includes JSSE
(for SSL), JAAS (Java authentication), JCE (Crypto). Note that all these
packages (JSEE, JAAS, JCE) are not part of earlier versions of Java. You may
download Java 1.4 from http://www.hp.com/go/java/.
The
Java CLASSPATH must include the following:
CLASSPATH=$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/jre/lib/jsse.jar:$XERCES_HOME/xerces-1_4_4/xerces.jar:$CIMCLIENT_HOME/cimclient.jar:.
This version supports both SSL and non-SSL based CIM/XML indications. Two-way SSL authentication is always enabled with CIM/XML Indications. Client SDK now includes the CIM Listener interfaces for writing CIM/XML indication consumers. Please refer to Java documentation of org.snia.wbem.listener package. You can also refer to the “CIM-XML Listener” section in this document on how to write consumers.
Note: SSL is fully supported with
Alpha 2 release and onwards.
WBEM client applications use the org.snia.wbem.client APIs to manipulate CIM
objects on the CIM Object Manager. A client application uses classes in org.snia.wbem.cim package to construct an object (for
example, a class, instance, or namespace) and initializes that object. Then
uses the client APIs to pass the object to the CIMOM and request a CIM
operation, such as creating a CIM class, instance, or namespace.
Client applications typically follow this sequence:
1. Connect to the CIMOM using CIMClient. A client application connects to the CIMOM before performing a CIM operation, such as creating a CIM class or updating a CIM instance.
2. Use the client APIs to request CIM operations. Most of the client programs perform tasks such as creating, deleting and modifying classes and instances; enumerating instances; invoking provider methods; and handling errors and exceptions.
3. Close the client connection to the CIM Object Manager using CIMClient, to free the server resources used by the client session.
Client applications typically import the required CIM classes and create CIM objects and then open client connection. Some of the common imports and CIM object creations are show below.
import org.snia.wbem.client.CIMClient;
import org.snia.wbem.cim.CIMNameSpace;
import org.snia.wbem.cim.CIMObjectPath;
import org.snia.wbem.cim.CIMClass;
import org.snia.wbem.cim.CIMProperty;
import org.snia.wbem.cim.CIMInstance;
import org.snia.wbem.cim.CIMValue;
import org.snia.wbem.cim.CIMQualifierType;
import org.snia.wbem.cim.CIMException;
CIMNameSpace clientNameSpace = null;
CIMClient cc = null;
int portNo = CIMNameSpace.DEFAULT_PORT;
String nameSpace =
"root/cimv2"; //
namespace
To open a client connection, you use the CIMClient class to connect to the CIM
Object Manager. You must specify the required type of connection (HTTP or
HTTPS) in the CIMNameSpace constructor. If connection type is not specified the
HTTP is used as the default. You must also specify the user name and password
for the connection to the specified CIM server.
Example HTTP connection:
String hostURL = "http://" +
hostname + ":" + portNo;
try
{
clientNameSpace = new CIMNameSpace(hostURL, nameSpace);
cc = new CIMClient(clientNameSpace, "guest",
"guest", CIMClient.HTTP);
}
catch (CIMException e)
{
System.err.println("Failed to access CIMOM: " + e);
}
Example
HTTPS connection:
String hostURL = "https://" +
hostname + ":" + portNo;
try
{
clientNameSpace = new CIMNameSpace(hostURL, nameSpace);
cc = new CIMClient(clientNameSpace, "guest",
"guest", CIMClient.HTTP);
}
catch (CIMException e)
{
System.err.println("Failed to access CIMOM: " + e);
}
The
following examples show how to do CIM operations using org.snia.wbem.client
APIs.
The
following example shows how to do enumerateClasses of CIM_ComputerSystem
try
{
System.out.println("\n*** Enumerate classes - No DEEP");
CIMObjectPath path = new CIMObjectPath("CIM_ComputerSystem");
Boolean deepInheritance = false;
Boolean localOnly = true;
Boolean includeQualifiers = true;
Boolean includeClassOrigin = true;
Enumeration en = cc.enumerateClasses(path, deepInheritance,
localOnly, includeQualifiers,
includeClassOrigin);
if (en != null)
{
while ( en.hasMoreElements() )
{
CIMClass cimclass = (CIMClass)
en.nextElement();
System.out.println("Class name: " +
cimclass.getName());
}
}
}
catch (CIMException ce)
{
System.err.println("Failed to enumerate classes: " + ce);
}
The
following example shows how to do invokeMethod on a Sample_MethodProvider.
// NOTE: The following test requires the Sample_MethodProviderClass
// and a sample method provider for Sample_MethodProviderClass.
//
System.out.println("\n*** Invoke Method.");
String testNameSpace = "root/SampleProvider";
String testClassName = "Sample_MethodProviderClass";
String methodName = "SayHello";
String inParamValue = "Yoda";
String goodReply = "Hello, " + inParamValue + "!";
String goodParam = "From Neverland";
CIMObjectPath currentPath;
Vector inParams = new Vector();
Vector outParams = new Vector();
CIMValue retValue;
try
{
// construct CIMObjectPath
//
currentPath = new CIMObjectPath(testClassName);
// set the namespace
//
currentPath.setNameSpace(testNameSpace);
// create parameter vectors
//
inParams.addElement( new CIMProperty("dummy",
new
CIMValue(inParamValue, CIMDataType.getPredefinedType(
CIMDataType.STRING))));
// call invokeMethod
//
retValue=cc.invokeMethod(currentPath, methodName, inParams,
outParams);
System.out.println("InvokeMethod response = " +
retValue.toString());
}
catch (CIMException ce)
{
System.err.println("invokeMethod Failed: " + ce);
}
Clients
may close the connection by calling the CIMClient.close() method. Client
connection will also be closed when the CIMClient object goes out of scope.
try
{
if( cc != null )
{
cc.close();
}
}
catch (CIMException ce)
{
System.err.println("Failed to close connection: " + ce);
}
Importing Certificates into
Java Trust Store
1. Export the server certificate from the .pem file.
Use openssl command to export Pegasus
CIMServer certificate file.
#
/opt/wbem/sbin/openssl x509 -in /var/opt/wbem/server.pem -out server.cer
2. Import the server certificate in
to the client trust store.
- Copy the server certificate on to the client system.
- Use Java keytool to import the certificate into the client
trust store.
# keytool
-import -alias sequoia1 -file server.cer -keystore mytruststore
You will be asked to enter a
password. The password is required only for modifying mytruststore in the
future. The keytool creates the trust store if it is not already exists and
then import the specified certificate. (For example we entered the password as
“wbem01”)
3. Specify the truststore in the
command line of the client application using “-Djavax.net.ssl.trustStore”.
For Example,
java -Djavax.net.ssl.trustStore=mytruststore
<MyClient> <system> root/cimv2 5989 ssl
4. If your client application is
written to update the truststore file programmatically then you must also
specify the password that was used to create the truststore using “-Djavax.net.ssl.trustStorePassword”.
For Example,
java
-Djavax.net.ssl.trustStore=mytruststore
-Djavax.net.ssl.trustStorePassword=wbem01 <MyClient> <system> root/cimv2 5989 ssl
Viewing Certificates and
Trust Store files
1.You view certificates in a certificate file using keytool
command.
keytool
-printcert -file server.cer
1.
You
can view all the certificates in a truststore using the keytool command.
keytool
-list -v -keystore mytruststore
The primary responsibility of the TrustManager is to determine whether the presented authentication credentials should be trusted or not. If the credentials are not trusted, the connection will be terminated. If no trust manager is specified by the client application then JSSE will use its own trust manager that supports authentication based on X.509 public key certificates.
If the default X509TrustManager behavior isn't suitable for your situation, you can implement your own X509TrustManager. JSSE interface allows you to override certification validation and continue the SSL handshake. You can also use the interface to discontinue an SSL handshake by performing additional validation on a server's digital certificate chain.
When an SSL client connects to an SSL server, the SSL server presents its digital certificate chain to the client for authentication. This certificate chain can contain invalid digital certificates. As per the SSL specification, the client should drop the SSL connection once it discovers an invalid certificate. However, some applications such as Web Browsers ask the user whether to accept the invalid certificate. The Trust Manager eliminates this inconsistent practice by enabling you to control when to continue or discontinue an SSL connection. Using a Trust Manager you can perform custom checks before continuing an SSL connection. For example, you can use the Trust Manager to specify that only users from specific localities, such as towns, states, or countries, or users with other special attributes, to gain access via the SSL connection.
Here is an example of a Trust
Manager that basically ignores the server certificates chain by not validating
the certificate chain. It accepts any certificates from any server and goes
ahead with SSL handshake.
import java.security.cert.*;
import java.security.KeyStore;
import javax.net.*;
import javax.net.ssl.*;
/**
This class implements the X509TrustManager
interface. It does not validate the
certificate chain sent by the server, it basically ignores the certificate
chain and goes ahead with the SSL hand shake.
*/
public class DontValidateCertificate
implements X509TrustManager
{
X509TrustManager
myX509TrustManager;
/**
* checkClientTrusted checks to see if the chain is in the
* keyStore object.
*/
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws
CertificateException
{
}
/**
* checkServerTrusted verifies to see if the chain is in the
* keyStore object.
*/
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws
CertificateException
{
}
/**
* This method retrieves all of the certificates in the keyStore
* and returns them in an X509Certificate array. We return null
* as we are accepting any certificates. We should only return null if we
are using this trust manager
* with CIMClient applications. However, we must return an empty
X509Certificate[] is used with
* CIM Listener (which is SSL Server) interface.
*/
public X509Certificate[] getAcceptedIssuers()
{
return null;
}
}
The Client SDK includes the following two simple trust managers.
org.snia.wbemcmd.xml.CertificateManager
org.snia.wbemcmd.xml.DontValidateCertificate
org.snia.wbem.listener.DoNotValidateClientCert ( Note: Use this with CIM Listener interface)
Client API uses JSSE trust manager by default. If you want the API to use your own trust manager then you need to explicitly specify.
Refer to JSSE reference guide http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html for more information about writing trust managers.
The Client SDK allows the client applications to specify the following configuration properties in a property file. If no property file is specified then the SDK will use default values for all the properties. If the property file is specified but one or more properties are not set in the property file, then SDK will use the default values for those properties.
Property Name |
Default Value |
DEBUG_XML DEBUG_XMLDECODE clientLogFilePath TrustManager |
False False "/logs/clientout.txt" Do not define this in properties file unless you have your own Trust Manager. Do not set it to NULL either. JSSE uses its default Trust Manager only if this property is not defined. |
The DEBUG_XML, DEBUG_XMLDECODE, and clientLogFilePath properties are only for developmental debug purposes and they should not be set in the release product and should not be exposed to the client application users.
Note: The debug trace or logging in the client API is not thread safe, it is recommended that clients do not use debug logging in a multi-threaded application.
The client applications can only use the set methods in “GlobalConfig” class to set the following configuration properties if needed. The above four properties can also be set using the set methods.
Property Name |
Default Value |
httpSocketProvider httpsSocketProvider |
org.snia.wbemcmd.xml.PlainSocketProvider org.snia.wbemcmd.xml.JSSESocketProvider |
The client applications can specify the properties file in the following ways:
1. Specify the property file on the command line by setting “–D org.snia.wbem.cimom.properties”
For example,
# java -Dorg.snia.wbem.cimom.properties=./cim.properties <myAapp>
2. Specify the property file programmatically using the System.setProperty() before creating the CIMClient object.
For example,
System.setProperty("org.snia.wbem.cimom.properties", “./cim.properties”);
A CIM-xml Listener is an HTTP server that receives and processes CIM Export Requests and issues CIM Export Responses. An CIM Export Message is used to transfer data from a CIM entity into a non-CIM entity.
What
are the components of a CIM-xml Listener?
CIM-XML consumer applications use the org.snia.wbem.listner APIs to handle CIM-XML
indications that are delivered by the client Applications. Please follow some of examples that are
provided with the SDK.
CIM-XML Listener Consumers typically follow this sequence:
1. Identify the port number they want to listen for indications.
2. Use the CIM Listener APIs to start listening on a particular port.
3. Write it’s own ‘indicationOccurred()’ method to process indication when received.
4. Start running as a process.
Import
CIMHTTP Listener
import
org.snia.wbem.listener.CIMHTTPListener;
Initialize and
extend CIMHTTPListener
CIMHTTPListener myCIML=null;
try
{
CIMHTTPListener ccl = new
CIMHTTPListener(listenerPortNo, isSSL)
{
public void
indicationOccured(CIMIndication e, String indURL)
{
handleIndication(e.getIndication(),
indURL);
}
};
ccl.startCIMHTTPListener();
}
catch (Exception e) {
System.out.println(e);
e.printStackTrace();
}
Indication
Processor method
Once the indication is received you can have your own handleIndication method that can process the CIMInstance which is passed by the CIMListener. Here is an example:
void handleIndication(CIMInstance ind,
String indURL)
{
System.out.println("----------
Begin of event data ----------");
System.out.println("--- Indication
URL : "+indURL);
System.out.println("--- Indication
: "+ind.toString());
try
{
Object o=null;
if
(ind.getClassName().startsWith("CIM_Class"))
o=(Object)ind.getProperty("classdefinition").getValue().getValue();
if
(ind.getClassName().startsWith("CIM_Inst"))
o=(Object)
ind.getProperty("sourceinstance").getValue().getValue();
if (o instanceof CIMInstance)
{
CIMInstance eo=(CIMInstance)o;
System.out.println("---
Embedded Instance: "+eo);
}
else if (o instanceof CIMClass) {
CIMClass eo=(CIMClass)o;
System.out.println("---
Embedded Class: "+eo);
}
System.out.println("-----------
End of event data -----------\n");
}
catch (Exception ee)
{
ee.printStackTrace();
}
}
SSL Support with CIM
Listener
The CIM Listener interface supports SSL for secure communication. The CIM Listener (a Server) can accept either http or https connections from the system delivering indications (an Indication Client). The Listener applications (Indication Consumers) using the CIM Listener API would require to have a server certificate and private key in order to support SSL enabled communication with the Indication clients. The Listener applications can write their own X509 Trust Manager where they can do additional validations like host name verification. However the CIM Listener API provides a default X509 Trust Manager that does not do any additional validations.
The CIM Listener running as server, does client authentication by requesting the Indication Client to send its certificate for authentication. Hence the Indication Client (e.g., CIM Server) trying to connect to the CIM Listener using https connection must have its own certificate.
In addition to the standard CIM Exceptions sent by the CIM Server to the client, the CIM Client library generates the following exceptions. The exception generated by the client library along with the reason and solution is explained below:
Exception: CIMCLIENT_ERR_SSL_HANDSHAKE_FAILED (Unable to Initialize
Specified TrustManager: org.snia.wbemcmd.xml.HTTPOutputSimple@ed0338)
Problem:
This exception indicates that the specified TrustManager may not exist, may contain invalid path, or it may not have required permission to load.
Solution:
Make sure that the TrustManager you have specified exist and has correct path and right permissions. Also make sure that the TrustManager is not set to “null”.
Exception: CIMCLIENT_ERR_SSL_HANDSHAKE_FAILED(SSL Factory Initialization
failed: org.snia.wbemcmd.xml.HTTPOutputSimple@ed0338)
Problem:
This exception may happen in number different scenarios. Such as, unable to find JSSE providers, unable to generate random seed, unable to connect to correct server, server had problem with SSL handshake, or policy permissions are incorrect.
Solution:
Follow JSSE specification and make sure the system java configurations are setup correctly.
Exception: CIMCLIENT_ERR_HTTP_ERROR(Couldn't
find trusted certificate, response=500)
Problem:
This exception may happen because of SSL handshake failure. SSL handshake may fail because the certificate sent by the server was an invalid certificate or the certificate is not in clients Trust store.
Solution:
Either add this certificate to client Trust store or handle the certificate appropriately in the Certificate Manager.
Exception: CIMCLIENT_ERR_TIMED_OUT (Request
Timeout)
Problem:
This exception indicates that a timeout has occurred on a socket read. This could mean the server or provider may be slow in responding to client request, or the client time out is small.
Solution:
Consider trying this operation at some other time or might want to set client timeout or increase the client timeout. Refer to CIMClient API java documentation for how to set client timeout.
Exception:
CIMCLIENT_ERR_CONNECTION_FAILED(Connection refused)
Problem:
This exception indicates that an error occurred while attempting to connect to CIMServer on a port. The CIMServer may not be running on the specified address or it may not be listening on the specified port.
Solution:
Check to make sure that the server address is correct and the port number specified is the correct port number for an SSL or non-SSL communication. (e.g., This exception may be thrown if the CIMServer is SSL enabled and listening on port 5989, the client trying to connect to non-SSL port 5988.)
Exception:
CIMCLIENT_ERR_CONNECTION_FAILED(sequoia Unknown host)
Problem: This exception indicates that the CIMServer address specified may contain an invalid system name or the system is not reachable.
Solution: Make sure the specified CIMServer address is correct and the remote system is reachable.
The cimclient library performs the SSL handshaking and receives the certificate/key
What environment settings must be in place for
certificates to be passed?
Clients must create a trust store, import certificates from the server they trust in to the trust store, provide the trust store path to the JSSE either on the command line ( java -Djavax.net.ssl.trustStore=mytruststore <MyClient> ) or through
System.setProperty("javax.net.trustStore", "mytruststore");
Does the cimclient library accept the
certificate and place it in the trust store?
How would the application specify to the cimclient library where the
trust store is
Client library using JSSE will only validate the server certificate using the trust store. It accepts only trusted certificates from the server. In case of non-trusted certificate the client library will call the trust manager if there is one specified. It is the job of trust manager to either accept the server certificate (possibly add that to the trust store) or reject the certificate.
How is the client application notified that the
certificate or key was placed in the trust store? Is this assumed?
Same as above
Can the client application set the environment
so that certificates or keys are required from some target systems but other
target systems are not validated or authenticated?
Yes, trust manager can do this.
Where can I find more information on Trust
Manager and Trust Stores?
More information can be found at J2SE web site. - ----
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html
http://java.sun.com/j2se/1.4/docs/api/javax/net/ssl/X509TrustManager.html
I am unable use/initialize SSL connection,
what do I do?
Some applications have their own version of Java included in it and they use the included Java, not the one you installed on the systems (such as the one from /opt/java). In such cases make sure that java security configuration files are not modified.
How can I find out cimclient.jar version ?
1. Extract MANIFEST file
jar xf cimclient.jar META-INF/MANIFEST.MF
2. You can then look at MANIFEST file to fin
a] type META-INF/MANIFEST.MF
or
b] grep "Name:" META-INF/MANIFEST.MF
My GUI application doesn’t work properly on HP-UX?
There is a bug in Java 1.4 HP-UX version (and 1.3) AWT libraries. For this you will need to install PHSS_24303 patch. I also found that Patch PHSS_24303 replaced by PHSS_26262. So we will need PHSS_26262.
//
// Example
cim.properties
//
DEBUG_XML=false
DEBUG_XMLDECODE=false
clientLogFilePath=cimclient.txt
// CIM Clients may
specify their own Trust Manager to use
// instead of the
default JSSE TrustManager.
TrustManager=org.mycompany.myapp.MyCertificateManager