Pegasus Security Implementation
Author: Nag Boranna, Hewlett-Packard Company
Slide footer: Pegasus CIMOM, 2/26/02

Outline:
- Security Block Diagram
- Authentication Block Diagram
- Authorization Block Diagram
- Authentication Implementation
- Authentication Components
- Authorization Implementation
- Authorization Components
- Security Configurations
- Enabling Authentication
- Enabling Authorization

Security Block Diagram

(Diagram; only its labels survive.) Boxes on the diagram:
- Monitor
- HTTP Acceptor
- HTTP Connection (several instances; one arrow is labelled "creates")
- Network (drawn as a cloud)
- HTTP Authenticator Delegator
- Authentication Manager
- CIM Operation Request Decoder
- CIM Export Request Decoder
- CIM Operation Response Encoder
- CIM Operation Request Authorizer
- CIM Operation Request Dispatcher
- Repository and Providers

Numbered message flow on the diagram:
1. Socket Ready for read
2. Socket Message
3. HTTP Request Message
4. HTTP Challenge Message
5. HTTP Challenge Response Msg
6. HTTP Request Messages
7. CIM Request Messages
8. CIM Request Messages
9. CIM Response Messages
10. HTTP Response Message
11. Socket Write

Authentication Block Diagram

(Diagram; only its labels survive.) Boxes on the diagram:
- Authenticator (Interface)
- Authentication Manager
- Local Authentication Handler
- Basic Authentication Handler
- Digest Authentication Handler
- Local Authenticator (Interface)
- Basic Authenticator (Interface)
- Digest Authenticator (Interface)
- File System Based Authentication
- PAM
- Secure Basic Authenticator
- Simple Basic Authenticator
Other labels: "HTTP Specific: Handles HTTP Specific Information, but does not deal with the protocol"; "Plug-in Authentication Modules"; "Plug-in Authentication Module".
Authorization Block Diagram

(Diagram; only its labels survive.) Boxes on the diagram:
- User Manager
- CIM Operation Request Authorizer
- Authorization Handler
- Instance Repository
Arrow labels: Load Authorizations; Verify Authorization (twice).

Authentication Implementation

Startup:
- CIMServer creates the HTTPAuthenticatorDelegator queue.
- HTTPAuthenticatorDelegator creates AuthenticationManager.
- AuthenticationManager loads the AuthenticationHandlers. (Currently it creates instances of the Authentication Handlers directly; this should be changed to load those handlers dynamically.)

On Client Request:
- An HTTPConnection queue is created when a connection request arrives from a client.
- HTTPConnection creates an AuthenticationInfo object to keep track of the authentication information for this connection. An HTTPConnection and an AuthenticationInfo object are created for each new connection.
- HTTPConnection receives CIM requests, adds a reference to the AuthenticationInfo object, and passes them to the Delegator.
- The Delegator parses the request and looks for the "Authorization" or "PegasusAuthorization" header tags.
- If neither the "Authorization" nor the "PegasusAuthorization" tag is found:
  * Calls getAuthResponseHeader() of the AuthenticationManager.
  * Sends the challenge to the HTTPConnection queue, and eventually to the client.
- If the "Authorization" tag is found:
  * Calls the performHttpAuthentication() method of AuthenticationManager.
  * If authentication is successful, passes the request to the Decoders. Otherwise calls getAuthResponseHeader() of the AuthenticationManager and sends the challenge back.
- If the "PegasusAuthorization" tag is found:
  * Calls the performPegasusAuthentication() method of AuthenticationManager.
  * If authentication is successful, passes the request to the Decoders. Otherwise calls getAuthResponseHeader() of the AuthenticationManager and sends the challenge back.
- In all these cases the AuthenticationInfo object is updated with the authentication status for that connection session.

Authentication Components

Authentication Manager
- AuthenticationManager loads the Authentication Handlers.
- When performHttpAuthentication() or performPegasusAuthentication() is called:
  * it parses the HTTP headers to get the auth type, user name and password information;
  * calls the authenticate() method of the Authentication Handler module;
  * on successful authentication, updates the AuthenticationInfo object and returns true, else false.
- When getAuthResponseHeader() is called, it gets the header from the Authentication Handlers.

Authentication Handlers (LocalAuthenticationHandler)
- Implements the Authenticator interface.
- Creates the response header when getAuthResponseHeader() is called (may get the header information from the authenticator module).
- Extracts the user name and password (or digest string) from the header info passed with authenticate() and calls the authenticate() method of the loaded authenticator module.

Authenticators (SecureLocalAuthenticator)
- Implements a specific authenticator interface (e.g. BasicAuthenticator).
- The getAuthResponseHeader() method returns the authentication challenge header info.
- The authenticate() method verifies the user name and password (or the digest string) and returns true on successful authentication, false otherwise.

Authorization Implementation

Startup:
- CIMServer creates the CIMOperationRequestAuthorizer queue if the requireAuthorization config property is set to true.
- CIMOperationRequestAuthorizer gets an instance of UserManager.
- UserManager creates AuthorizationHandler.
- AuthorizationHandler loads authorizations from the Repository.

On Client Request:
- The CIMOperationRequestAuthorizer queue receives a request message from the Decoder.
- CIMOperationRequestAuthorizer calls the verifyAuthorization() method of UserManager.
- UserManager calls the verifyAuthorization() method of AuthorizationHandler.
- AuthorizationHandler verifies the authorizations and returns true if the authorization was found, else false.

Authorization Components

CIMOperationRequestAuthorizer
- Gets the user name, namespace, authentication type and CIM method names from the CIM request.
- Calls UserManager's verifyAuthorization() method.

User Manager
- Creates AuthorizationHandler and calls its verifyAuthorization() method.

Authorization Handler
- Loads authorizations from the repository.
- Verifies user authorizations when verifyAuthorization() is called.

Security Configurations

Configuration properties required for the Authentication Module:
  requireAuthentication = true | false
  httpAuthType = Basic | Digest
  passwordFilePath = cimserver.passwd (use the file in the PEGASUS_HOME directory)

Configuration properties required for the Authorization Module:
  requireAuthorization = true | false
  enableRemotePrivilegedUserAccess = true | false (enable or disable remote root access to the cimom)

Enabling Authentication

1. Set the following configuration properties in the cimserver_planned.conf file:
     requireAuthentication = true
     httpAuthType = Basic (to enable HTTP Basic Authentication)
     passwordFilePath = cimserver.passwd (to create/use the password file in the PEGASUS_HOME directory)
3. Start cimserver.
4. Add new users to the cimom (refer to pegasus/src/Clients/cimuser/doc/cimuser.htm). To add user "nag" with password "nag" (user "nag" must be a valid system user on that system):
     cimuser -a -u nag -w nag
5. Run any CIM clients to do CIM operations with the cimom.

Note:
(1) On Unix systems, the cimuser CLI can only be run locally as "root".
(2) Basic/Digest authentication are not fully implemented on the CIMServer and the CIMClient API.
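The request path that the Authentication Implementation, Authentication Components, Authorization Implementation and Authorization Components slides describe, modelled end to end as an added example. This is not Pegasus code: the structs and functions are hypothetical stand-ins for HTTPAuthenticatorDelegator, AuthenticationManager, AuthenticationInfo and AuthorizationHandler, only HTTP Basic is modelled (PegasusAuthorization and Digest are treated as a failed authentication), the realm string and the 401/403 status mapping are assumptions, and the user table and authorizations are constructed sample data that mirror the "nag" user and the root/cimv2 R/W grant from the Enabling slides.

```cpp
// Added example (not Pegasus code): model of the delegator -> authentication
// manager -> authorization handler path. All names are hypothetical stand-ins.
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>

struct AuthInfo {              // stands in for AuthenticationInfo (one per connection)
    bool authenticated = false;
    std::string user;
};

enum class Outcome { Challenge, Rejected, Authenticated };

// Value of the header with this (case-insensitive) name, "" if absent. Matching
// only at a line start keeps "Authorization" from matching inside "PegasusAuthorization".
std::string findHeader(const std::string& req, const std::string& name) {
    std::string lreq = req, lname = name + ":";
    for (char& c : lreq) c = (char)std::tolower((unsigned char)c);
    for (char& c : lname) c = (char)std::tolower((unsigned char)c);
    for (size_t pos = lreq.find(lname); pos != std::string::npos; pos = lreq.find(lname, pos + 1)) {
        if (pos != 0 && lreq[pos - 1] != '\n') continue;
        size_t start = pos + lname.size(), end = req.find("\r\n", start);
        std::string v = req.substr(start, end == std::string::npos ? std::string::npos : end - start);
        size_t b = v.find_first_not_of(" \t");
        return b == std::string::npos ? "" : v.substr(b);
    }
    return "";
}

// Plain base64 decoder: Basic credentials are base64("user:password").
std::string base64Decode(const std::string& in) {
    static const std::string tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out; unsigned val = 0; int bits = -8;
    for (char c : in) {
        if (c == '=') break;
        size_t idx = tbl.find(c);
        if (idx == std::string::npos) continue;           // skip anything outside the alphabet
        val = (val << 6) | (unsigned)idx; bits += 6;
        if (bits >= 0) { out.push_back((char)((val >> bits) & 0xFF)); bits -= 8; }
    }
    return out;
}

// Stand-in for AuthenticationManager with one Basic handler behind it.
struct AuthManager {
    std::map<std::string, std::string> users;             // constructed user -> password table
    std::string getAuthResponseHeader() const { return "WWW-Authenticate: Basic realm=\"cimserver\""; }
    bool performHttpAuthentication(const std::string& hdr, AuthInfo& info) const {
        if (hdr.compare(0, 6, "Basic ") != 0) return false;   // only Basic is modelled
        std::string cred = base64Decode(hdr.substr(6));
        size_t colon = cred.find(':');
        if (colon == std::string::npos) return false;
        auto it = users.find(cred.substr(0, colon));
        if (it == users.end() || it->second != cred.substr(colon + 1)) return false;
        info.authenticated = true; info.user = it->first;  // update the per-connection state
        return true;
    }
};

// Stand-in for HTTPAuthenticatorDelegator: the dispatch rule from the
// Authentication Implementation slide. No usable credentials -> challenge;
// bad credentials -> the same challenge is sent back.
Outcome delegate(const AuthManager& mgr, const std::string& req, AuthInfo& info, std::string& reply) {
    std::string auth = findHeader(req, "Authorization");
    std::string local = findHeader(req, "PegasusAuthorization");
    if (!auth.empty() && mgr.performHttpAuthentication(auth, info)) {
        reply = "HTTP/1.1 200 OK";
        return Outcome::Authenticated;
    }
    reply = "HTTP/1.1 401 Unauthorized\r\n" + mgr.getAuthResponseHeader();
    return (auth.empty() && local.empty()) ? Outcome::Challenge : Outcome::Rejected;
}

// Stand-in for AuthorizationHandler: authorizations loaded once at startup.
struct AuthzHandler {
    std::map<std::string, std::set<char>> rights;         // "user@namespace" -> {'R','W'}
    bool verifyAuthorization(const std::string& user, const std::string& ns, bool write) const {
        auto it = rights.find(user + "@" + ns);
        return it != rights.end() && it->second.count(write ? 'W' : 'R') > 0;
    }
};

// Constructed sample data: "nag"/"nag" with R+W on root/cimv2, "guest" read-only.
AuthManager sampleManager() { AuthManager m; m.users = {{"nag", "nag"}, {"guest", "guest"}}; return m; }
AuthzHandler sampleAuthz() {
    AuthzHandler a;
    a.rights["nag@root/cimv2"] = {'R', 'W'};
    a.rights["guest@root/cimv2"] = {'R'};
    return a;
}

// Whole path for one request: authenticate, then authorize the CIM operation.
// 401 for any authentication failure and 403 for a failed authorization is
// this model's assumption; the slides only say the handler returns true/false.
int statusFor(const std::string& req, const std::string& ns, bool write) {
    AuthInfo info; std::string reply;
    if (delegate(sampleManager(), req, info, reply) != Outcome::Authenticated) return 401;
    return sampleAuthz().verifyAuthorization(info.user, ns, write) ? 200 : 403;
}

int main() {
    const std::string anon = "POST /cimom HTTP/1.1\r\nHost: h\r\n\r\n";
    const std::string nag = "POST /cimom HTTP/1.1\r\nAuthorization: Basic bmFnOm5hZw==\r\n\r\n";
    const std::string guest = "POST /cimom HTTP/1.1\r\nAuthorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n\r\n";
    std::cout << statusFor(anon, "root/cimv2", false) << " " << statusFor(nag, "root/cimv2", true)
              << " " << statusFor(guest, "root/cimv2", true) << "\n";   // 401 200 403
}
```

The base64 strings in main() are the constructed credentials "nag:nag" and "guest:guest"; a request with a wrong password takes the Rejected branch and gets the same challenge as an anonymous request, which is the behaviour the slide describes for a failed performHttpAuthentication().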
Enabling Authorization

1. Set the following configuration properties in the cimserver_planned.conf file:
     requireAuthorization = true
     enableRemotePrivilegedUserAccess = false (to disable remote root user access to the cimom)
2. Start cimserver.
3. Add authorizations to the CIM users (refer to pegasus/src/Clients/cimuser/doc/cimauth.html). To add both read and write authorizations to user "nag" on namespace "root/cimv2":
     cimauth -a -u nag -n root/cimv2 -R -W
4. Run any CIM clients to do CIM operations with the cimom.

Note:
(1) On Unix systems, user "root" by default has all the authorizations for local clients (the clients that use ConnectLocal() of the CIMClient API).
(2) The cimauth CLI can only be run locally as "root" on Unix systems.
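The Security Configurations, Enabling Authentication and Enabling Authorization slides together define five properties, their allowed values and what each one switches on or off. The added example below (not Pegasus code) parses those properties from cimserver_planned.conf-style text, flags values outside the slides' allowed sets, and flags the settings that leave the cimom unprotected, with the hardened values from the Enabling slides beside a constructed weak counterpart. The "key = value" line syntax with "#" comments, joining a relative passwordFilePath onto PEGASUS_HOME, and the function names are assumptions of this example.

```cpp
// Added example (not Pegasus code): check the security properties of a
// cimserver_planned.conf-style file against the values the slides allow.
#include <initializer_list>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Config = std::map<std::string, std::string>;

std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r"), e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// "key = value" per line; '#' comment lines and blank lines are ignored (assumed syntax).
Config parseConfig(const std::string& text) {
    Config cfg; std::istringstream in(text); std::string line;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == '#') continue;
        size_t eq = line.find('=');
        if (eq == std::string::npos) continue;            // not a property line
        cfg[trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return cfg;
}

// Problems found: values outside the Security Configurations slide's allowed
// sets, plus settings that disable a protection. Empty result = sound config.
std::vector<std::string> checkSecurityConfig(const Config& cfg) {
    std::vector<std::string> problems;
    auto get = [&](const std::string& k) { auto it = cfg.find(k); return it == cfg.end() ? std::string() : it->second; };
    auto isBool = [](const std::string& v) { return v == "true" || v == "false"; };
    for (const char* k : {"requireAuthentication", "requireAuthorization", "enableRemotePrivilegedUserAccess"})
        if (!isBool(get(k))) problems.push_back(std::string(k) + " must be true | false");
    std::string t = get("httpAuthType");
    if (t != "Basic" && t != "Digest") problems.push_back("httpAuthType must be Basic | Digest");
    if (get("passwordFilePath").empty()) problems.push_back("passwordFilePath is not set");
    if (get("requireAuthentication") != "true") problems.push_back("authentication is disabled");
    if (get("requireAuthorization") != "true")
        problems.push_back("authorization is disabled: no CIMOperationRequestAuthorizer queue is created at startup");
    if (get("enableRemotePrivilegedUserAccess") == "true") problems.push_back("remote root access to the cimom is enabled");
    return problems;
}

// A relative passwordFilePath is taken from the PEGASUS_HOME directory (assumed resolution rule).
std::string resolvePasswordFile(const Config& cfg, const std::string& pegasusHome) {
    auto it = cfg.find("passwordFilePath");
    if (it == cfg.end() || it->second.empty()) return "";
    return it->second[0] == '/' ? it->second : pegasusHome + "/" + it->second;
}

// Root rule from the Enabling Authorization slide: local root clients (ConnectLocal)
// have all authorizations by default; remote root needs enableRemotePrivilegedUserAccess.
bool rootAccessAllowed(const Config& cfg, bool localClient) {
    if (localClient) return true;
    auto it = cfg.find("enableRemotePrivilegedUserAccess");
    return it != cfg.end() && it->second == "true";
}

// Values from the Enabling Authentication / Enabling Authorization slides.
const char* const HARDENED_CONF =
    "requireAuthentication = true\n"
    "httpAuthType = Basic\n"
    "passwordFilePath = cimserver.passwd\n"
    "requireAuthorization = true\n"
    "enableRemotePrivilegedUserAccess = false\n";

// Constructed weak counterpart: bad auth type, authorization off, remote root on.
const char* const WEAK_CONF =
    "# constructed sample, not a real configuration\n"
    "requireAuthentication = true\n"
    "httpAuthType = none\n"
    "passwordFilePath = cimserver.passwd\n"
    "requireAuthorization = false\n"
    "enableRemotePrivilegedUserAccess = true\n";

int main() {
    for (const std::string& p : checkSecurityConfig(parseConfig(WEAK_CONF))) std::cout << "weak: " << p << "\n";
    std::cout << "hardened problems: " << checkSecurityConfig(parseConfig(HARDENED_CONF)).size() << "\n";
    std::cout << resolvePasswordFile(parseConfig(HARDENED_CONF), "/opt/pegasus") << "\n";
}
```

Run against the weak text, checkSecurityConfig() reports the invalid httpAuthType, the missing authorizer queue and the remote root access; against the hardened text it reports nothing. An empty or absent property is reported twice on purpose (once as an out-of-set value, once as the protection it fails to enable), since the slides say both modules require their properties to be set.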
Document metadata (from the PowerPoint file properties): title "Pegasus Security Architecture"; author Nag Boranna, Hewlett Packard; summary "Gives an overview of Pegasus Authentication and Authorization Implementation and usage."; on-screen show created with Microsoft PowerPoint, dated 2/26/02.