<html xmlns:v="urn:schemas-microsoft-com:vml"
3 xmlns:o="urn:schemas-microsoft-com:office:office"
4 xmlns:w="urn:schemas-microsoft-com:office:word"
5 xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
6 xmlns="http://www.w3.org/TR/REC-html40" xmlns:o>
7
8
9 <head>
10 <meta http-equiv=Content-Type content="text/html; charset=windows-1252">
11 <meta name=ProgId content=Word.Document>
12 <meta name=Generator content="Microsoft Word 10">
13 <meta name=Originator content="Microsoft Word 10">
14 <link rel=File-List href="PegasusSSLGuidelines_files/filelist.xml">
15 <link rel=Edit-Time-Data href="PegasusSSLGuidelines_files/editdata.mso">
16 <!--[if !mso]>
17 <style>
18 v\:* {behavior:url(#default#VML);}
19 o\:* {behavior:url(#default#VML);}
20 w\:* {behavior:url(#default#VML);}
21 .shape {behavior:url(#default#VML);}
22 </style>
<![endif]-->
24 <title>OpenPegasus SSL Guidelines</title>
25 <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
26 name="date"/>
27 <!--[if gte mso 9]><xml>
28 <o:DocumentProperties>
29 <o:Author>IBM_USER</o:Author>
30 <o:LastAuthor>IBM_USER</o:LastAuthor>
31 <o:Revision>2</o:Revision>
32 <o:TotalTime>6</o:TotalTime>
33 <o:Created>2006-12-19T07:20:00Z</o:Created>
34 <o:LastSaved>2006-12-19T07:26:00Z</o:LastSaved>
35 <o:Pages>1</o:Pages>
36 <o:Words>5126</o:Words>
37 <o:Characters>29220</o:Characters>
38 <o:Company>IBM</o:Company>
39 <o:Lines>243</o:Lines>
40 <o:Paragraphs>68</o:Paragraphs>
41 <o:CharactersWithSpaces>34278</o:CharactersWithSpaces>
42 <o:Version>10.3501</o:Version>
43 </o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
45 <w:WordDocument>
46 <w:SpellingState>Clean</w:SpellingState>
47 <w:GrammarState>Clean</w:GrammarState>
48 <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
49 </w:WordDocument>
50 </xml><![endif]--><!--[if !mso]><object
51 classid="clsid:38481807-CA0E-42D2-BF39-B33AF135CC4D" id=ieooui></object>
52 <style>
53 st1\:*{behavior:url(#ieooui) }
54 </style>
55 <![endif]-->
56 <style>
57 <!--
58 /* Font Definitions */
59 @font-face
60 {font-family:Courier;
61 panose-1:2 7 4 9 2 2 5 2 4 4;
62 mso-font-charset:0;
63 mso-generic-font-family:modern;
64 mso-font-format:other;
mso-font-pitch:fixed;
66 mso-font-signature:3 0 0 0 1 0;}
67 @font-face
68 {font-family:Wingdings;
69 panose-1:5 0 0 0 0 0 0 0 0 0;
70 mso-font-charset:2;
71 mso-generic-font-family:auto;
72 mso-font-pitch:variable;
73 mso-font-signature:0 268435456 0 0 -2147483648 0;}
74 @font-face
75 {font-family:Times;
76 panose-1:2 2 6 3 5 4 5 2 3 4;
77 mso-font-charset:0;
78 mso-generic-font-family:roman;
79 mso-font-pitch:variable;
80 mso-font-signature:536902279 -2147483648 8 0 511 0;}
81 /* Style Definitions */
82 p.MsoNormal, li.MsoNormal, div.MsoNormal
83 {mso-style-parent:"";
84 margin:0in;
85 margin-bottom:.0001pt;
mso-pagination:widow-orphan;
87 font-size:12.0pt;
88 font-family:"Times New Roman";
89 mso-fareast-font-family:"Times New Roman";}
90 h2
91 {mso-margin-top-alt:auto;
92 margin-right:0in;
93 mso-margin-bottom-alt:auto;
94 margin-left:0in;
95 mso-pagination:widow-orphan;
96 mso-outline-level:2;
97 font-size:18.0pt;
98 font-family:"Times New Roman";
99 font-weight:bold;}
100 h3
101 {mso-margin-top-alt:auto;
102 margin-right:0in;
103 mso-margin-bottom-alt:auto;
104 margin-left:0in;
105 mso-pagination:widow-orphan;
106 mso-outline-level:3;
font-size:13.5pt;
108 font-family:"Times New Roman";
109 font-weight:bold;}
110 h4
111 {mso-margin-top-alt:auto;
112 margin-right:0in;
113 mso-margin-bottom-alt:auto;
114 margin-left:0in;
115 mso-pagination:widow-orphan;
116 mso-outline-level:4;
117 font-size:12.0pt;
118 font-family:"Times New Roman";
119 font-weight:bold;}
120 a:link, span.MsoHyperlink
121 {color:blue;
122 text-decoration:underline;
123 text-underline:single;}
124 a:visited, span.MsoHyperlinkFollowed
125 {color:blue;
126 text-decoration:underline;
127 text-underline:single;}
p
129 {mso-margin-top-alt:auto;
130 margin-right:0in;
131 mso-margin-bottom-alt:auto;
132 margin-left:0in;
133 mso-pagination:widow-orphan;
134 font-size:12.0pt;
135 font-family:"Times New Roman";
136 mso-fareast-font-family:"Times New Roman";}
137 span.spelle
138 {mso-style-name:spelle;}
139 span.SpellE
140 {mso-style-name:"";
141 mso-spl-e:yes;}
142 span.GramE
143 {mso-style-name:"";
144 mso-gram-e:yes;}
145 @page Section1
146 {size:8.5in 11.0in;
147 margin:1.0in 1.25in 1.0in 1.25in;
148 mso-header-margin:.5in;
mso-footer-margin:.5in;
150 mso-paper-source:0;}
151 div.Section1
152 {page:Section1;}
153 /* List Definitions */
154 @list l0
155 {mso-list-id:51972189;
156 mso-list-template-ids:81668992;}
157 @list l0:level1
158 {mso-level-number-format:bullet;
159 mso-level-text:\F0B7;
160 mso-level-tab-stop:.5in;
161 mso-level-number-position:left;
162 text-indent:-.25in;
163 mso-ansi-font-size:10.0pt;
164 font-family:Symbol;}
165 @list l1
166 {mso-list-id:257178838;
167 mso-list-template-ids:1636469146;}
168 @list l1:level1
169 {mso-level-number-format:bullet;
mso-level-text:\F0B7;
171 mso-level-tab-stop:.5in;
172 mso-level-number-position:left;
173 text-indent:-.25in;
174 mso-ansi-font-size:10.0pt;
175 font-family:Symbol;}
176 @list l2
177 {mso-list-id:335961387;
178 mso-list-template-ids:303987346;}
179 @list l2:level1
180 {mso-level-number-format:bullet;
181 mso-level-text:\F0B7;
182 mso-level-tab-stop:.5in;
183 mso-level-number-position:left;
184 text-indent:-.25in;
185 mso-ansi-font-size:10.0pt;
186 font-family:Symbol;}
187 @list l3
188 {mso-list-id:432287186;
189 mso-list-template-ids:401260786;}
190 @list l3:level1
{mso-level-number-format:bullet;
192 mso-level-text:\F0B7;
193 mso-level-tab-stop:.5in;
194 mso-level-number-position:left;
195 text-indent:-.25in;
196 mso-ansi-font-size:10.0pt;
197 font-family:Symbol;}
198 @list l4
199 {mso-list-id:448670368;
200 mso-list-template-ids:342922132;}
201 @list l4:level1
202 {mso-level-number-format:bullet;
203 mso-level-text:\F0B7;
204 mso-level-tab-stop:.5in;
205 mso-level-number-position:left;
206 text-indent:-.25in;
207 mso-ansi-font-size:10.0pt;
208 font-family:Symbol;}
209 @list l5
210 {mso-list-id:605886313;
211 mso-list-template-ids:2101529026;}
@list l5:level1
213 {mso-level-number-format:bullet;
214 mso-level-text:\F0B7;
215 mso-level-tab-stop:.5in;
216 mso-level-number-position:left;
217 text-indent:-.25in;
218 mso-ansi-font-size:10.0pt;
219 font-family:Symbol;}
220 @list l6
221 {mso-list-id:610279438;
222 mso-list-template-ids:-795200846;}
223 @list l6:level1
224 {mso-level-number-format:bullet;
225 mso-level-text:\F0B7;
226 mso-level-tab-stop:.5in;
227 mso-level-number-position:left;
228 text-indent:-.25in;
229 mso-ansi-font-size:10.0pt;
230 font-family:Symbol;}
231 @list l7
232 {mso-list-id:620840603;
mso-list-template-ids:-1801667564;}
234 @list l7:level1
235 {mso-level-number-format:bullet;
236 mso-level-text:\F0B7;
237 mso-level-tab-stop:.5in;
238 mso-level-number-position:left;
239 text-indent:-.25in;
240 mso-ansi-font-size:10.0pt;
241 font-family:Symbol;}
242 @list l8
243 {mso-list-id:633027112;
244 mso-list-template-ids:-1360881254;}
245 @list l8:level1
246 {mso-level-number-format:bullet;
247 mso-level-text:\F0B7;
248 mso-level-tab-stop:.5in;
249 mso-level-number-position:left;
250 text-indent:-.25in;
251 mso-ansi-font-size:10.0pt;
252 font-family:Symbol;}
253 @list l9
{mso-list-id:902104985;
255 mso-list-template-ids:750025012;}
256 @list l9:level1
257 {mso-level-number-format:bullet;
258 mso-level-text:\F0B7;
259 mso-level-tab-stop:.5in;
260 mso-level-number-position:left;
261 text-indent:-.25in;
262 mso-ansi-font-size:10.0pt;
263 font-family:Symbol;}
264 @list l10
265 {mso-list-id:958562085;
266 mso-list-template-ids:-55920690;}
267 @list l10:level1
268 {mso-level-number-format:bullet;
269 mso-level-text:\F0B7;
270 mso-level-tab-stop:.5in;
271 mso-level-number-position:left;
272 text-indent:-.25in;
273 mso-ansi-font-size:10.0pt;
274 font-family:Symbol;}
@list l11
276 {mso-list-id:1106390704;
277 mso-list-template-ids:-953544102;}
278 @list l11:level1
279 {mso-level-number-format:bullet;
280 mso-level-text:\F0B7;
281 mso-level-tab-stop:.5in;
282 mso-level-number-position:left;
283 text-indent:-.25in;
284 mso-ansi-font-size:10.0pt;
285 font-family:Symbol;}
286 @list l11:level2
287 {mso-level-number-format:bullet;
288 mso-level-text:o;
289 mso-level-tab-stop:1.0in;
290 mso-level-number-position:left;
291 text-indent:-.25in;
292 mso-ansi-font-size:10.0pt;
293 font-family:"Courier New";
294 mso-bidi-font-family:"Times New Roman";}
295 @list l11:level3
{mso-level-number-format:bullet;
297 mso-level-text:\F0A7;
298 mso-level-tab-stop:1.5in;
299 mso-level-number-position:left;
300 text-indent:-.25in;
301 mso-ansi-font-size:10.0pt;
302 font-family:Wingdings;}
303 @list l12
304 {mso-list-id:1409960379;
305 mso-list-template-ids:-1094543752;}
306 @list l12:level1
307 {mso-level-number-format:bullet;
308 mso-level-text:\F0B7;
309 mso-level-tab-stop:.5in;
310 mso-level-number-position:left;
311 text-indent:-.25in;
312 mso-ansi-font-size:10.0pt;
313 font-family:Symbol;}
314 @list l13
315 {mso-list-id:1721326241;
316 mso-list-template-ids:644010464;}
@list l13:level1
318 {mso-level-number-format:bullet;
319 mso-level-text:\F0B7;
320 mso-level-tab-stop:.5in;
321 mso-level-number-position:left;
322 text-indent:-.25in;
323 mso-ansi-font-size:10.0pt;
324 font-family:Symbol;}
325 @list l14
326 {mso-list-id:1731073149;
327 mso-list-template-ids:-2060307636;}
328 @list l14:level1
329 {mso-level-number-format:bullet;
330 mso-level-text:\F0B7;
331 mso-level-tab-stop:.5in;
332 mso-level-number-position:left;
333 text-indent:-.25in;
334 mso-ansi-font-size:10.0pt;
335 font-family:Symbol;}
336 @list l15
337 {mso-list-id:1950238906;
mso-list-template-ids:-1705468504;}
339 @list l15:level1
340 {mso-level-number-format:bullet;
341 mso-level-text:\F0B7;
342 mso-level-tab-stop:.5in;
343 mso-level-number-position:left;
344 text-indent:-.25in;
345 mso-ansi-font-size:10.0pt;
346 font-family:Symbol;}
347 ol
348 {margin-bottom:0in;}
349 ul
350 {margin-bottom:0in;}
351 -->
352 </style>
353 <!--[if gte mso 10]>
354 <style>
355 /* Style Definitions */
356 table.MsoNormalTable
357 {mso-style-name:"Table Normal";
358 mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
360 mso-style-noshow:yes;
361 mso-style-parent:"";
362 mso-padding-alt:0in 5.4pt 0in 5.4pt;
363 mso-para-margin:0in;
364 mso-para-margin-bottom:.0001pt;
365 mso-pagination:widow-orphan;
366 font-size:10.0pt;
367 font-family:"Times New Roman";}
368 </style>
369 <![endif]-->
370 </head>
371
372
373
374 <body lang=EN-US link=blue vlink=blue style='tab-interval:.5in'>
375
376 <div class=Section1>
377
378 <h2><span class=SpellE>OpenPegasus</span> 2.6 SSL Guidelines</h2>
379
<p><b>Version: </b>1.2<br>
381 <b>Created: </b><st1:date Year="2005" Day="20" Month="7">July 20, 2005</st1:date></p>
382
383 <p class=MsoNormal><b>Updated: </b><st1:date Year="2006" Day="19"
384 Month="12"><b>December</b> 19, 2006</st1:date> </p>
385
386 <ul type=disc>
387 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
388 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#OVERVIEW">Overview</a>
389 </li>
390 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
391 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#RELATED">Related
392 Information</a> </li>
393 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
394 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#BUILDING">Building
395 Pegasus with SSL</a> </li>
396 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
397 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CERTS">Creating SSL
398 Certificates</a> </li>
399 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
400 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CONFIGURE">Configuring
Pegasus for SSL</a> </li>
402 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
403 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#DESIGN">SSL Design
404 Question List</a> </li>
405 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
406 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#TRUSTSTORE"><span
407 class=SpellE>Truststore</span> Management</a> </li>
408 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
409 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CLI"><span
410 class=SpellE>cimtrust</span> & <span class=SpellE>cimcrl</span> CLI</a>
411 </li>
412 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
413 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#CLIENT">Configuring
414 the Pegasus CIM Client for SSL</a> </li>
415 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
416 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#AUTH">SSL
417 Authorization</a> </li>
418 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
419 mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#EXT">Critical
420 Extension Handling</a> </li>
421 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l7 level1 lfo1;tab-stops:list .5in'><a href="#RESOURCES">Resources</a>
423 </li>
424 </ul>
425
426 <h3><a name=OVERVIEW>Overview</a></h3>
427
428 <p>The following document serves as a guide on how to build and configure
429 Pegasus for SSL support. It also discusses how to utilize a certificate-based
430 infrastructure and configure the Pegasus CIM client. </p>
431
432 <p>This guide requires a basic understanding of SSL, <span class=SpellE>OpenSSL</span>,
433 and basic authentication. This guide is intended to help developers and
434 administrators make the right decisions about how to use SSL for their
435 particular application. It is not intended to be a primary source of education
436 on SSL. If you are not familiar with these <span class=GramE>technologies</span>,
437 consult the sources in the <a href="#RESOURCES">Resources</a> section at the
438 bottom. </p>
439
<p>Note: In this document, the term "trust" refers only to
authentication: a "trusted" certificate is one whose identity has been
verified, nothing more. It does not imply trust in the traditional sense,
because no authorization check is involved. It remains the responsibility of
providers and clients to perform authorization, and therefore to establish
real trust. Likewise, the term "Trust Store" can be misleading, since
the "store" is only a source of authentication credentials. Please bear
this in mind when documenting recommended deployments or building clients or
providers. </p>
448
449 <h3><a name=RELATED>Related Information</a></h3>
450
451 <p class=MsoNormal>A significant portion of the information in this document is
452 taken <span class=GramE>from various <span class=SpellE>PEP's</span></span>.
453 This document attempts to bring all of this information together in a cohesive
454 and simplified format. </p>
455
456 <ul type=disc>
457 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
458 mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#035 - Add support for
459 /dev/random in <span class=SpellE>SSLContext</span> </li>
460 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
461 mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#060 - SSL support in
462 CIM/XML indication delivery </li>
463 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#074 - <span
465 class=SpellE>SSLContext</span> and Certificate verification interface
466 enhancement </li>
467 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
468 mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#165 - SSL Client
469 Verification </li>
470 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
471 mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#187 - SSL Certificate
472 Management Enhancements </li>
473 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
474 mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#200 - Recommended <span
475 class=SpellE>OpenPegasus</span> 2.5 Build and Configuration Options for
476 Selected Platforms</li>
477 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
478 mso-list:l15 level1 lfo2;tab-stops:list .5in'>PEP#268 – SSL Client Certificate
479 Propagation</li>
480 </ul>
481
482 <h3><a name=BUILDING>Building Pegasus with SSL</a></h3>
483
484 <p>To build Pegasus with HTTPS support, you will need to build against the <a
href="http://www.openssl.org"><span class=SpellE>OpenSSL</span> package</a>. <span
486 style='color:black'>The SSL support outlined here has been tested against
487 recent releases of the major versions 0.9.7X and 0.9.8X (most notably, 0.9.7d).
488 Because some versions of 0.9.6X do not contain full support for the security
489 functions that Pegasus utilizes (for example, certificate-based authentication
490 is not fully supported by some versions of 0.9.6X), Pegasus does not officially
491 support major version 0.9.6. See <span class=SpellE>Bugzilla</span> 4048 for
492 more information. </span>Because this is an open source project, the SSL
493 support has been tested with many versions of <span class=SpellE>OpenSSL</span>,
494 but we cannot guarantee it has been tested with every version on every
495 platform. A list of recent <span class=SpellE>OpenSSL</span> releases, and
496 important-to-review security advisories and fixes, can be found on the <a
497 href="http://www.openssl.org/news"><span class=SpellE>OpenSSL</span> News page</a>.
498 </p>
499
500 <p>After grabbing the <span class=SpellE>OpenSSL</span> source <span
501 class=SpellE>tarball</span>, you need to set the following environment
502 variables before building Pegasus: </p>
503
504 <ul type=disc>
505 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l14 level1 lfo3;tab-stops:list .5in'>PEGASUS_HAS_SSL=1 </li>
507 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
508 mso-list:l14 level1 lfo3;tab-stops:list .5in'>OPENSSL_HOME=<location of
509 the SDK package> <span class=GramE>This</span> directory must contain
510 the <span class=SpellE>OpenSSL</span> include directory,
511 $(OPENSSL_HOME)/include, and the <span class=SpellE>OpenSSL</span> library
512 directory, $(OPENSSL_HOME)/lib. </li>
513 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
514 mso-list:l14 level1 lfo3;tab-stops:list .5in'>OPENSSL_BIN=<location of
515 the binary package> <span class=GramE>This</span> only needs to be set
516 if the <span class=SpellE>OpenSSL</span> binaries are not in
517 $(OPENSSL_HOME)/bin.</li>
518 </ul>
519
<p class=MsoNormal>Note that Pegasus supports SSLv3 and TLSv1 by default (of
the two, TLSv1 is the newer and preferred protocol). It does NOT support SSLv2
unless it is explicitly built with it. SSLv2 support is a build-time choice,
controlled by setting the following additional environment variable before
building Pegasus: </p>
523
524 <ul type=disc>
525 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
526 mso-list:l9 level1 lfo4;tab-stops:list .5in'>PEGASUS_ENABLE_SSLV2=1 </li>
</ul>
528
<p>Enabling SSLv2 is not recommended: the protocol has many well-known
security weaknesses. Unless you must interoperate with very outdated clients
that cannot speak SSLv3 or TLSv1, leave it disabled. </p>
532
533 <p>After setting these variables, proceed as normal with the build instructions
534 in the <span class=SpellE>readme</span> file. </p>
535
536 <h3><a name=CERTS>Creating SSL Certificates</a></h3>
537
538 <p class=MsoNormal>There are two options for creating the <span class=SpellE>CIMOM's</span>
539 certificate: </p>
540
541 <ul type=disc>
542 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
543 mso-list:l5 level1 lfo5;tab-stops:list .5in'>Self-signed certificate </li>
544 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
545 mso-list:l5 level1 lfo5;tab-stops:list .5in'>Certificate issued by a
546 third-party certificate authority</li>
547 </ul>
<p>To generate a self-signed certificate, you must create a private key, a
certificate signing request (CSR), and finally the public X.509 certificate.
For a self-signed certificate, the subject is the same as the issuer. You also
need an OpenSSL configuration file that defines the parameters of the
Distinguished Name (DN): either the <span class=SpellE>ssl.cnf</span> that
ships in the Pegasus root directory, the sample <span class=SpellE>openssl.cnf</span>
that comes with the OpenSSL package (the one used in the commands below), or
one of your own. Both PEGASUS_ROOT and PEGASUS_HOME must be set to your
Pegasus source and installation directories before executing the following
commands. </p>
561 <ul type=disc>
562 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
563 mso-list:l12 level1 lfo6;tab-stops:list .5in'>To generate a private key,
564 execute the following<span class=GramE>:</span><br>
565 <span class=SpellE><span style='font-family:Courier;color:#009900'>openssl</span></span><span
566 style='font-family:Courier;color:#009900'> <span class=SpellE>genrsa</span>
567 -out <span class=SpellE>myserver.key</span> 1024</span><br>
568 Set the "<span class=SpellE>sslKeyFilePath</span>" configuration
569 ms.aruran 1.4.4.2 property to point to this key file. </li>
570 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
571 mso-list:l12 level1 lfo6;tab-stops:list .5in'>To generate a certificate
572 signing request, execute the following:<br>
573 <span class=SpellE><span style='font-family:Courier;color:#009900'>openssl</span></span><span
574 style='font-family:Courier;color:#009900'> <span class=SpellE>req</span> -<span
575 class=SpellE>config</span> <span class=SpellE>openssl.cnf</span> -new -key
576 <span class=SpellE>myserver.key</span> -out <span class=SpellE>myserver.csr</span></span>
577 </li>
578 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
579 mso-list:l12 level1 lfo6;tab-stops:list .5in'>At this point, the
580 certificate signing request can be sent out to a third-party certificate
581 authority for signing, or a self-signed certificate can be generated. To
582 generate a self-signed certificate, execute the following<span
583 class=GramE>:</span><br>
584 <span class=SpellE><span style='font-family:Courier;color:#009900'>openssl</span></span><span
585 style='font-family:Courier;color:#009900'> x509 -in <span class=SpellE>myserver.csr</span>
586 -out <span class=SpellE>myserver.cert</span> -<span class=SpellE>req</span>
587 -<span class=SpellE>signkey</span> <span class=SpellE>myserver.key</span>
588 -days 365</span><br>
589 Set the "<span class=SpellE>sslCertificateFilePath</span>"
configuration property to point to this certificate file. The CSR file can be
discarded once the certificate has been created. </li>
592 </ul>
593
594 <p>After creating the <span class=SpellE>keypair</span>, make sure you protect
595 the information sufficiently by changing permissions on the files and/or
596 directories. The following table shows the recommended privileges: </p>
597
598 <table class=MsoNormalTable border=1 cellspacing=1 cellpadding=0 width="30%"
599 style='width:30.0%;mso-cellspacing:.7pt'>
600 <tr style='mso-yfti-irow:0'>
601 <td style='padding:.75pt .75pt .75pt .75pt'>
602 <p class=MsoNormal align=center style='text-align:center'><b>SSL file<o:p></o:p></b></p>
603 </td>
604 <td style='padding:.75pt .75pt .75pt .75pt'>
605 <p class=MsoNormal align=center style='text-align:center'><b>Pegasus <span
606 class=SpellE>Config</span> property<o:p></o:p></b></p>
607 </td>
608 <td style='padding:.75pt .75pt .75pt .75pt'>
609 <p class=MsoNormal align=center style='text-align:center'><b>Permissions<o:p></o:p></b></p>
610 </td>
</tr>
612 <tr style='mso-yfti-irow:1'>
613 <td style='padding:.75pt .75pt .75pt .75pt'>
614 <p class=MsoNormal>Private key</p>
615 </td>
616 <td style='padding:.75pt .75pt .75pt .75pt'>
617 <p class=MsoNormal><span class=SpellE>sslKeyFilePath</span></p>
618 </td>
619 <td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal>rw------- (0600; the execute bit is not needed on a key file)</p>
621 </td>
622 </tr>
623 <tr style='mso-yfti-irow:2'>
624 <td style='padding:.75pt .75pt .75pt .75pt'>
625 <p class=MsoNormal>Public certificate</p>
626 </td>
627 <td style='padding:.75pt .75pt .75pt .75pt'>
628 <p class=MsoNormal><span class=SpellE>sslCertificateFilePath</span></p>
629 </td>
630 <td style='padding:.75pt .75pt .75pt .75pt'>
631 <p class=MsoNormal><span class=SpellE>rwxr-xr-x</span></p>
</td>
633 </tr>
634 <tr style='mso-yfti-irow:3'>
635 <td style='padding:.75pt .75pt .75pt .75pt'>
636 <p class=MsoNormal><span class=SpellE>Truststore</span></p>
637 </td>
638 <td style='padding:.75pt .75pt .75pt .75pt'>
639 <p class=MsoNormal><span class=SpellE>sslTrustStore</span></p>
640 </td>
641 <td style='padding:.75pt .75pt .75pt .75pt'>
642 <p class=MsoNormal><span class=SpellE>rwxr-xr-x</span></p>
643 </td>
644 </tr>
645 <tr style='mso-yfti-irow:4;mso-yfti-lastrow:yes'>
646 <td style='padding:.75pt .75pt .75pt .75pt'>
647 <p class=MsoNormal>CRL store </p>
648 </td>
649 <td style='padding:.75pt .75pt .75pt .75pt'>
650 <p class=MsoNormal><span class=SpellE>crlStore</span></p>
651 </td>
652 <td style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span class=SpellE>rwxr-xr-x</span></p>
654 </td>
655 </tr>
656 </table>
657
<p>The administrator is responsible for ensuring that the above file
permissions are set correctly, and that no directory on the path from the base
directory down to these files is world-writable. Pegasus does not verify that
the private key is unreadable by other users; it only checks the following
conditions when starting up: </p>
662
663 <ul type=disc>
664 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
665 mso-list:l1 level1 lfo7;tab-stops:list .5in'>The <span class=SpellE>sslKeyFilePath</span>
666 and the <span class=SpellE>sslCertificateFilePath</span> are readable by
667 the CIMOM. </li>
668 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
669 mso-list:l1 level1 lfo7;tab-stops:list .5in'>The <span class=SpellE>sslTrustStore</span>
670 and <span class=SpellE>crlStore</span> are readable by the CIMOM if they
671 are a single file. </li>
672 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
673 mso-list:l1 level1 lfo7;tab-stops:list .5in'>The <span class=SpellE>sslTrustStore</span>
and <span class=SpellE>crlStore</span> are readable and writable by the
675 CIMOM if they are a directory.</li>
676 </ul>
677
678 <p>These same file permissions should be used for protecting a client's private
679 key, public key, <span class=SpellE>truststore</span>, and <span class=SpellE>crl</span>
680 store as well. </p>
681
682 <p>For more information on generating keys and certificates, consult the <a
683 href="http://www.openssl.org/docs/HOWTO/"><span class=SpellE>OpenSSL</span>
684 HOW-TO documentation</a>. </p>
685
686 <h3><a name=CONFIGURE>Configuring Pegasus for SSL</a></h3>
687
688 <p class=MsoNormal>There are many environment variable settings associated with
689 SSL. Here is a brief discussion of the subtleties of these options and how they
690 work together to create a more secure environment. More information on the
691 default and recommended settings can be found in PEP#200 Recommended <span
692 class=SpellE>OpenPegasus</span> 2.5 Build and Configuration Options for
693 Selected Platforms. Additionally, the section on <a href="#DESIGN">Design
694 Question List</a> should help determine what these settings should be for a
given application. </p>
696
<p><span class=SpellE><span class=GramE><b>enableHttpsConnection</b></span></span><br>
This is disabled by default on most platforms. It is recommended that all
remote communication be done over the HTTPS port. If you use basic
authentication this is not merely a recommendation: the password travels in
the request as <span class=SpellE>cleartext</span> (base64 is an encoding, not
encryption), so basic authentication must only ever be used on the secure
port. For added security, the HTTP port can be disabled altogether so that
clients cannot connect to it at all. The HTTPS connection is enabled by default
only on the following platforms: </p>
704
705 <ul type=disc>
706 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
707 mso-list:l6 level1 lfo8;tab-stops:list .5in'>LINUX </li>
708 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
709 mso-list:l6 level1 lfo8;tab-stops:list .5in'>OS-400 </li>
710 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
711 mso-list:l6 level1 lfo8;tab-stops:list .5in'>HP_UX (if
712 PEGASUS_USE_RELEASE_CONFIG_OPTIONS is true) </li>
713 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
714 mso-list:l6 level1 lfo8;tab-stops:list .5in'>VMS (if
715 PEGASUS_USE_RELEASE_CONFIG_OPTIONS is true)</li>
</ul>
717
718 <p><span class=SpellE><span class=GramE><b>httpsPort</b></span></span><br>
719 The default setting is 5989, the official WBEM secure port. </p>
720
721 <p><span class=SpellE><span class=GramE><b>sslCertificateFilePath</b></span></span>
722 <br>
723 This is the path to the x509 server certificate. The server certificate may be
724 a chain in which case the file should contain PEM encoded certificates
725 beginning with the server certificate and followed by each signing certificate
726 authority (CA) including the root CA. If the server certificate is a self
727 signed certificate, the file only contains the self-signed certificate in PEM
728 format. The certificate cannot be encrypted because there is currently no
729 mechanism for decrypting the certificate using a user-supplied password. This
730 property must be defined if <span class=SpellE>enableHttpsConnection</span> is
731 true. Any failure in finding this file will result in the <span class=SpellE>cimserver</span>
732 failing to start. See <a href="#CERTS">Creating SSL Certificates</a> for more
733 information. </p>
734
<p><span class=SpellE><span class=GramE><b>sslKeyFilePath</b></span></span><br>
This is the path to the server's private key. All keys should be at least 1024
bits long; 2048 bits is recommended. This property must be defined if <span
class=SpellE>enableHttpsConnection</span> is true. Any failure in finding this
file will result in the <span class=SpellE>cimserver</span> failing to start.
See <a href="#CERTS">Creating SSL Certificates</a> for more information. </p>
741
742 <p><span class=SpellE><span class=GramE><b>sslClientVerificationMode</b></span></span><br>
743 This setting controls how the <span class=SpellE>cimserver</span> (i.e. the
744 HTTPS port) is configured. There are three possible settings: disabled,
745 required, optional. There is no "right" setting for this property.
746 The default is disabled and it is fine to leave the setting as disabled if you
747 are going to use basic authentication to authenticate all client requests. In
748 many applications where a physical person is there to supply a username and
749 password, basic authentication is sufficient. Other environments may be
750 heterogeneous, in which case it makes sense to allow both basic authentication
751 and SSL certificate verification. The setting of this variable also impacts
752 what happens during the <span class=SpellE>OpenSSL</span> handshake: </p>
753
754 <ul type=disc>
755 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
756 mso-list:l4 level1 lfo9;tab-stops:list .5in'><b>"<span class=GramE>required</span>"</b>
757 -- The server requires that the client certificate be trusted in order for
758 the handshake to continue. If the client fails to send a certificate or
759 sends an <span class=SpellE>untrusted</span> certificate, the handshake is
760 immediately terminated. </li>
761 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
762 mso-list:l4 level1 lfo9;tab-stops:list .5in'><b>"<span class=GramE>optional</span>"</b>
763 -- The server will request that a client certificate be sent, but will
764 continue the handshake even if no certificate is received. If
765 authentication is enabled, the server will seek to authenticate the client
766 via an alternative method of authentication. <span style='color:black'>As
767 of 2.5.1, if a certificate is sent but it is not validated, the handshake
768 will fail. <i>Before 2.5.1, the handshake would
769 have continued and basic authentication would have proceeded.</i></span> </li>
770 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
771 mso-list:l4 level1 lfo9;tab-stops:list .5in'><b>"<span class=GramE>disabled</span>"</b>
772 -- The server will not prompt the client for a certificate. <i>This is the
773 default.</i></li>
774 </ul>
775
776 <p class=MsoNormal>Pegasus currently ties a certificate to a valid OS user.
777 Multiple certificates may be registered to the same user. When a certificate is
778 authenticated, Pegasus views it in the same way as if a user was authenticated
779 via basic authentication. The providers receive the username that the
780 certificate was mapped to. See the SSL Authorization section for more
781 information. </p>
782
783 <p><span class=SpellE><span class=GramE><b>sslTrustStore</b></span></span><br>
784 This setting controls the <span class=SpellE>truststore</span> for the <span
785 class=SpellE>cimserver's</span> HTTPS connection. It can be either a directory
786 or a single root CA file. When set to a directory, it is recommended that you
787 use the <span class=SpellE>cimtrust</span> CLI to populate the <span
788 class=SpellE>truststore</span> as there are strict naming requirements for
789 trusted certificate files. See the <a href="#CLI"><span class=SpellE>cimtrust</span>
790 & <span class=SpellE>cimcrl</span> CLI</a> section for further information.
791 </p>
792
793 <p><span class=SpellE><span class=GramE><b>sslTrustStoreUserName</b></span></span><br>
794 This setting is only utilized if the <span class=SpellE>sslTrustStore</span> is
795 a single CA file. It is not used if the <span class=SpellE>sslTrustStore</span>
796 setting is a directory, but it still must be set to a valid system user. This
797 is because the validation of the property is done independently of the <span
798 class=SpellE>sslTrustStore</span> setting. This property represents the valid
799 OS user that corresponds to the root certificate. All requests authenticated
800 with a certificate under the root CA will be associated with this user and the
801 username will be propagated to providers. If applications desire for there to
802 be a one-to-one correspondence between users and certificates, it is
803 recommended that each certificate be registered individually using the <a
804 href="#CLI"><span class=SpellE>cimtrust</span> CLI</a>. </p>
805
806 <p><span class=SpellE><span class=GramE><b>crlStore</b></span></span><br>
807 This is where the CRL (Certificate Revocation List) store resides. It is important
808 to note that certificates are checked first against the CRL (if specified) and
809 then against the server <span class=SpellE>truststore</span>. The <a href="#CLI"><span
810 class=SpellE>cimcrl</span> CLI</a> should be used for CRL management. </p>
811
812 <h4>Configuration Limitations</h4>
813
814 <p class=MsoNormal>The following are configuration limitations: </p>
815
816 <ul type=disc>
817 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
818 mso-list:l2 level1 lfo10;tab-stops:list .5in'>The x509 server certificate
819 file cannot be encrypted. The reason for this is that there is currently
820 no mechanism in Pegasus to obtain the password needed to decrypt
821 it. Therefore, the best way to secure the file is to follow the file
822 permissions settings specified in <a href="#CERTS">Creating SSL
823 Certificates.</a> </li>
824 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
825 mso-list:l2 level1 lfo10;tab-stops:list .5in'>There is no property to
826 specify supported cipher lists at this time. Pegasus uses the default <span
827 class=SpellE>OpenSSL</span> cipher list. The cipher lists can be found at <a
828 href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a>
829 and <a
830 href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a>
831 </li>
832 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
833 mso-list:l2 level1 lfo10;tab-stops:list .5in'>The verification depth
834 cannot be specified. Pegasus uses the default <span class=SpellE>OpenSSL</span>
835 depth of 9. This means the <span class=SpellE>OpenSSL</span> will only
836 accept client certificate chains up to 9 levels deep. </li>
837 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
838 mso-list:l2 level1 lfo10;tab-stops:list .5in'>No hostname checking is
839 performed to ensure that the subject field of the distinguished name (DN)
840 matches the hostname.</li>
841 </ul>
842
843 <h3><a name=DESIGN>SSL Design Question List</a></h3>
844
845 <p>The following questions may be helpful in determining how to configure
846 Pegasus CIM Server.</p>
847
848 <p class=MsoNormal><b>Should I enable the HTTPS port?</b><br>
849 Yes, especially if you are sending passwords with requests. The HTTP port can
850 be disabled for additional security if desired. <br>
851 <b>Should I configure the CIMOM to use a <span class=SpellE>truststore</span>?</b><br>
852 This depends on the infrastructure of the application. If all clients are using
853 basic authentication over the secure port (and the passwords are secured), then
854 a <span class=SpellE>truststore</span> may not be needed. If an application
855 does not want to store user/<span class=SpellE>pw</span> information, then it
856 is a good idea to use a certificate-based infrastructure. If a CIMOM
857 certificate is compromised, the <span class=SpellE>cimserver</span> and the
858 providers of the system are compromised. The severity of this scenario is
859 dependent on the resources the providers have access to. If an OS password is
860 compromised, the entire system may be compromised. If using peer verification,
861 it is important to ensure that 1) the <span class=SpellE>cimserver</span> is
862 properly configured to use a <span class=SpellE>truststore</span>, 2) the <span
863 class=SpellE>truststore</span> is loaded properly and protected, and 3)
864 authorization checks are performed after a certificate is verified. These same
865 conditions also apply to a client that is verifying a server.<br>
866 <b>Should I use a self-signed certificate or one issued by a third-party
867 certificate authority?</b><br>
868 Generally, scalability will determine whether it's appropriate to use a self-signed
869 certificate or one issued by <span class=SpellE>Verisign</span> or another
870 third-party certificate authority. If an administrator administrates their
871 self-signed certificates correctly, they are no less secure than one issued by
872 a CA. What a CA buys you is scalability. An up front cost of setting up a CA
873 relationship will be offset by the convenience of having that CA
874 "vouch" for <span class=SpellE>certs</span> it has signed, in large
875 deployments. In small deployments the incremental cost might never outweigh the
876 initial CA-setup cost. <br>
877 One important thing to remember is that you should not use the same certificate
878 for multiple <span class=SpellE>CIMOMs</span>. If using a self-signed
879 certificate, a different one should be generated for each CIMOM, using some
880 unique piece of data to make them different. That way, if one of the
881 certificates is compromised, the other ones remain secure. <br>
882 <b>Should the <span class=SpellE>truststore</span> be a single root CA file or
883 a directory?</b><br>
884 If you only anticipate connections from a narrowly defined set of clients, then
885 a single root CA certificate file should be sufficient. Alternatively, multiple
886 trusted certificates may be stored in PEM format inside of a single CA file. If
887 you anticipate getting requests from a heterogeneous set of clients, then it
888 probably makes sense to use the directory option to allow flexibility in the
889 future. In the latter scenario, the same single root CA file can still be used
890 with the additional step of using <span class=SpellE>cimtrust</span> to
891 register it. It's important to note that when registering a root CA, only one
892 user can be associated with ALL certificates under that CA. Following the
893 principle of least privilege, it is not a good idea to register a root CA to a
894 privileged user if lesser privileged users will be connecting with it. <br>
895 <b>How do I protect the <span class=SpellE>keystore</span> and the <span
896 class=SpellE>truststore</span>?</b><br>
897 The server's private key should always be protected; it is private for a
898 reason. Only the system administrator should be able to see it. The public
899 certificate can be viewed by <span class=GramE>anyone,</span> however, it
900 should be protected from alteration by system users. Similarly, any <span
901 class=SpellE>truststore</span> or CRL file or directory should also be
902 protected from alteration. See <a href="#CERTS">Creating SSL Certificates</a>
903 for the recommended file privileges. <br>
904 <b>When do I need to use a CRL?</b><br>
905 Certificate Revocation Lists are regularly issued by CAs. They contain a list
906 of certificates that have been revoked. Any application using a CA certificate
907 in its <span class=SpellE>truststore</span> should also implement <span
908 class=SpellE>CRLs</span> (if the CA supports them). Pegasus itself does not
909 check CRL validity dates during startup. Therefore, it is the responsibility of
910 the administrator to regularly download or acquire the CRL and import it into
911 the CRL store using the <a href="#CLI"><span class=SpellE>cimcrl</span> CLI</a>.
912 <span class=SpellE><span style='color:black'>CRLs</span></span><span
913 style='color:black'> are not checked for expiration during the SSL callback.
914 This means that if a CRL for a particular issuer has expired, Pegasus still
915 accepts certificates from the issuer and uses the expired CRL as the latest.
916 Again, it is the responsibility of the administrator to ensure the CRL is up to
917 date. <span class=SpellE>CRLs</span> are not checked for critical extensions
918 during CRL verification. If a CRL contains a critical extension it will be
919 ignored. </span><br>
920 If using self-signed certificates, however, a CRL is most likely not needed
921 (You can create a self-signed CRL but it is not really necessary). Because of
922 this, the certificate deletion option available via <span class=SpellE>cimtrust</span>
923 is primarily intended for self-signed certificates. Technically, <span
924 class=SpellE>CRLs</span> are the correct way to revoke compromised or invalid
925 certificates. <br>
926 <b>What is the order of operations for certificate verification?</b><br>
927 The certificate is checked against any <span class=SpellE>CRLs</span> first
928 before going through the rest of the verification process. Verification starts
929 with the root certificate and continues down to the peer certificate. If
930 verification fails at any of these points, the certificate is considered <span
931 class=SpellE>untrusted</span> and the verification process reports an error. </p>
932
933 <h3><a name=TRUSTSTORE></a><span class=SpellE><span style='mso-bookmark:TRUSTSTORE'>Truststore</span></span><span
934 style='mso-bookmark:TRUSTSTORE'> Management</span></h3>
935
936 <p class=MsoNormal>There are two directions of trust in an SSL client-server
937 handshake: The client trusts the server. The server trusts the client. Pegasus
938 provides a way to implement one or both of these relationships. Ideally, an
939 application should support both levels of trust for maximum security and this
940 is the implementation Pegasus recommends. However, in some scenarios it may
941 make sense to only implement one of these; in that case, it is possible to override
942 the client or the server to "trust all certificates." For example, if
943 all clients will be using basic authentication over HTTPS, then the server can
944 be setup to "trust all client certificates." </p>
945
946 <p>To tell the <span class=SpellE>cimserver</span> to require that all clients
947 be trusted, simply set the <span class=SpellE>sslClientVerification<span
948 style='color:black'>Mode</span></span> property to "required."<br>
949 To tell the <span class=SpellE>cimserver</span> to trust all clients, set the <span
950 class=SpellE>sslClientVerification<span style='color:black'>Mode</span></span>
951 property to "disabled" or "optional". </p>
952
953 <p>The SSL verification in Pegasus is independent of any other authentication
954 mechanism. It can still be utilized when authentication is disabled. When
955 authentication is enabled, the first line of defense is SSL client
956 verification. <span style='color:black'>In situations where a client is not
957 authenticated by SSL because the client sent no certificate and the setting is
958 "optional", the server will attempt to authenticate the client via
959 another method of authentication. In this case, the
960 authentication mechanism specified by the configuration property "<span
961 class=SpellE>httpAuthType</span>" will be used for remote connections and
962 local authentication will be used for local connections. In situations where a
963 client is not authenticated by SSL because the client certificate was invalid,
964 the handshake will be terminated. <br>
965 <i>Note: Before 2.5.1, in the latter case, authentication would have proceeded
966 in the same way as if the client had sent no certificate. To enable the legacy
967 behavior, the compile-time flag PEGASUS_OVERRIDE_SSL_CERT_VERIFICATION_RESULT
968 should be defined.</i> </span></p>
969
970 <p>See the <a href="#CLIENT">Configuring the Pegasus CIM Client for SSL</a>
971 section below on how to setup the client's <span class=SpellE>truststore</span>.
972 </p>
973
974 <h3><a name=CLI></a><span class=SpellE><span class=GramE><span
975 style='mso-bookmark:CLI'>cimtrust</span></span></span><span style='mso-bookmark:
976 CLI'> & <span class=SpellE>cimcrl</span> CLI</span></h3>
977
978 <p class=MsoNormal><span class=SpellE><span class=GramE>cimtrust</span></span>
979 CLI may be used to add, remove or list X509 certificates in a PEM format <span
980 class=SpellE>truststore</span>. <span class=SpellE><span class=GramE>cimcrl</span></span>
981 CLI may be used to add, remove or list X509 Certificate Revocation Lists in a
982 PEM format CRL store. The <span class=SpellE>CLIs</span> interface with a
983 Certificate control provider that runs as part of Pegasus's core. It operates
984 on the <span class=SpellE>PG_SSLCertificate</span> and <span class=SpellE>PG_SSLCertificateRevocationList</span>
985 classes in root/<span class=SpellE>PG_Internal</span>. It is recommended that
986 the <span class=SpellE>CLIs</span> be used in place of manual configuration for
987 several reasons: </p>
988
989 <ul type=disc>
990 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
991 mso-list:l13 level1 lfo11;tab-stops:list .5in'><span class=SpellE>OpenSSL</span>
992 places strict naming restrictions on certificates and <span class=SpellE>CRLs</span>
993 in a directory (the files are looked up via a subject hash code) </li>
994 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
995 mso-list:l13 level1 lfo11;tab-stops:list .5in'>Certificate instances are
996 stored in the repository along with the corresponding username. If the
997 certificate is not properly registered, the username mapping will fail.<span
998 style='color:fuchsia'> </span><span class=SpellE><span class=GramE><span
999 style='color:black'>cimtrust</span></span></span><span style='color:black'>
1000 CLI supports the ability to register a certificate without a username for
1001 root certificates and intermediate certificates, since these certificates
1002 represent a collection of users. In this scenario, each leaf certificate
1003 must be registered to an individual user. See the Authorization section
1004 for more information on username validation.</span> </li>
1005 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1006 mso-list:l13 level1 lfo11;tab-stops:list .5in'><span style='color:black'>The
1007 <span class=SpellE>CLIs</span>, or more correctly the provider they
1008 operate on, supports dynamic deletion of certificates by resetting the <span
1009 class=SpellE>cimserver's</span> SSL context.</span><span style='color:
1010 fuchsia'> </span>Normally, you would need to stop and start the <span
1011 class=SpellE>cimserver</span> to accomplish this. </li>
1012 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1013 mso-list:l13 level1 lfo11;tab-stops:list .5in'>The <span class=SpellE>CLIs</span>,
1014 or more correctly the provider they operate on, performs extensive error
1015 checking you would not get by manually configuring the stores. This alerts
1016 the administrator to various error conditions (e.g. the certificate
1017 expired) associated with a certificate or CRL.</li>
1018 </ul>
1019
1020 <p class=MsoNormal>The CIMOM must be up and running while executing <span
1021 class=SpellE>cimtrust/cimcrl</span> CLI. The <span class=SpellE>cimtrust</span>
1022 and <span class=SpellE>cimcrl</span> <span class=SpellE>manpages</span> provide
1023 more information on commands and syntax. </p>
1024
1025 <h3><a name=CLIENT>Configuring the Pegasus CIM Client for SSL</a></h3>
1026
1027 <p>A Pegasus CIM client can be configured to use SSL by using a constructor
1028 that takes an <span class=SpellE>SSLContext</span>. The construction of the <span
1029 class=SpellE>SSLContext</span> is really what controls the behavior of the
1030 client during the SSL handshake. Without going into minute details about what
1031 happens under the covers, here is a description of the various <span
1032 class=SpellE>SSLContext</span> constructor parameters. </p>
1033
1034 <p>Here's a code snippet that shows how to call a client constructor that
1035 connects to a server over SSL and can present its own trusted certificate if
1036 the server requests it. In this scenario, the client also checks the server
1037 certificate against its <span class=SpellE>truststore</span> and specifies an
1038 additional callback in addition to the default one (the user-specified callback
1039 is optional and can be set to null). </p>
1040
1041 <p class=MsoNormal style='margin-left:.5in'><span class=SpellE><span
1042 class=GramE><span style='font-family:Courier'>client.connect</span></span></span><span
1043 class=GramE><span style='font-family:Courier'>(</span></span><span
1044 style='font-family:Courier'> hostname, port, <span class=SpellE><b>SSLContext</b></span><b>(<span
1045 class=SpellE>trustStore</span>, <span class=SpellE>certPath</span>, <span
1046 class=SpellE>keyPath</span>, <span class=SpellE>verifyCert</span>, <span
1047 class=SpellE>randomFile</span>),</b> username, password); </span></p>
1048
1049 <p>Here's a code snippet that shows how to call a client constructor that
1050 connects to a server over SSL and does not possess its own trusted certificate.
1051 In this scenario, the client also checks the server certificate against its <span
1052 class=SpellE>truststore</span>. </p>
1053
1054 <p class=MsoNormal style='margin-left:.5in'><span class=SpellE><span
1055 class=GramE><span style='font-family:Courier'>client.connect</span></span></span><span
1056 class=GramE><span style='font-family:Courier'>(</span></span><span
1057 style='font-family:Courier'> hostname, port, <span class=SpellE><b>SSLContext</b></span><b>(<span
1058 class=SpellE>trustStore</span>, NULL, <span class=SpellE>randomFile</span>),</b>
1059 username, password); </span></p>
1060
1061 <ul type=disc>
1062 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1063 mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
1064 class=GramE><b>trustStore</b></span></span> -- This specifies the <span
1065 class=SpellE>truststore</span> that the client uses to verify server
1066 certificates. It can be <span class=SpellE>String::EMPTY</span> if no <span
1067 class=SpellE>truststore</span> exists. </li>
1068 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1069 mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
1070 class=GramE><b>certPath</b></span></span> -- This specifies the x509
1071 certificate of the client that will be sent during an SSL handshake. Note
1072 that this certificate will only be sent if the server requests it. If this
1073 option is specified, the <span class=SpellE>keyPath</span> parameter must
1074 also be specified. </li>
1075 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1076 mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
1077 class=GramE><b>keyPath</b></span></span> -- This specifies the private key
1078 of the client. If this option is specified, the <span class=SpellE>certPath</span>
1079 parameter must also be specified. </li>
1080 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1081 mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
1082 class=GramE><b>crlPath</b></span></span> -- This specifies an optional CRL
1083 store path. The client checks the CRL list first, before attempting any
1084 further authentication, including the user-specified callback. </li>
1085 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1086 mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
1087 class=GramE><b>verifyCert</b></span></span> -- This is a user-specified
1088 verification callback. If this is set to null, the default <span
1089 class=SpellE>OpenSSL</span> verification callback will be executed. You
1090 can implement this method to "trust all servers" or to perform
1091 additional authentication checks that <span class=SpellE>OpenSSL</span>
1092 does not perform by default. </li>
1093 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1094 mso-list:l3 level1 lfo14;tab-stops:list .5in'><span class=SpellE><span
1095 class=GramE><b>randomFile</b></span></span> -- A file to seed the pseudo
1096 random number generator (PRNG).</li>
1097 </ul>
1098
1099 <p>Here are some general guidelines on implementing peer verification for the
1100 client: </p>
1101
1102 <ul type=disc>
1103 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1104 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should enable
1105 peer verification by specifying a <span class=SpellE>truststore</span> and
1106 (optionally) a user-specified callback function. </li>
1107 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1108 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should employ a <span
1109 class=SpellE>truststore</span> in order to properly verify the server. The
1110 <span class=SpellE>truststore</span> should contain a file or directory of
1111 trusted CA certificates. The <span class=SpellE>cimtrust</span> CLI cannot
1112 be used to configure client <span class=SpellE>truststores</span>. The
1113 trusted certificate(s) should be placed in a protected file or directory
1114 specified by the <span class=SpellE>trustStore</span> parameter. Keep in
1115 mind that the SSL context generally has to be reloaded to pick up any <span
1116 class=SpellE>truststore</span> changes. </li>
1117 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1118 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client could also use a
1119 user-specified callback in addition to the default verification callback,
1120 if additional verifications are desired over the normal checks that <span
1121 class=SpellE>OpenSSL</span> performs. In most cases, the default
1122 verification callback is sufficient for checking server certificates. </li>
1123 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1124 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should ensure
1125 that adequate entropy is attained. </li>
1126 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1127 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should use a CRL
1128 store if the <span class=SpellE>truststore</span> contains CA certificates
1129 that support one. </li>
1130 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1131 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should only use
1132 the SSLv3 and TLSv1 protocols. By default, Pegasus is not built with SSLv2
1133 support. </li>
1134 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1135 mso-list:l11 level1 lfo15;tab-stops:list .5in'>The client should perform
1136 post-connection checks. </li>
1137 <ul type=circle>
1138 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
1139 auto;mso-list:l11 level2 lfo15;tab-stops:list 1.0in'>Ensure a certificate
1140 was received. </li>
1141 <ul type=square>
1142 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
1143 auto;mso-list:l11 level3 lfo15;tab-stops:list 1.5in'>WARNING: In
1144 some implementations of SSL a NULL server certificate is perfectly valid
1145 and authenticates against all trust stores. If the client does not
1146 ensure a certificate exists then the client is not providing server
1147 authentication and could have a security bulletin class defect.</li>
1148 </ul>
1149 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
1150 auto;mso-list:l11 level2 lfo15;tab-stops:list 1.0in'>Validate that the
1151 certificate received was issued to the host for which the client was attempting
1152 to connect. </li>
1153 <ul type=square>
1154 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
1155 auto;mso-list:l11 level3 lfo15;tab-stops:list 1.5in'>Ensure that the
1156 common name (CN) in the server’s certificate subject matches the host
1157 name of the server. For X509v3 certificates, the “<span
1158 class=SpellE><span class=spelle>SubjectAltName</span></span>” fields in
1159 the certificate's extended attributes are also valid host names for the
1160 certificate. </li>
1161 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
1162 auto;mso-list:l11 level3 lfo15;tab-stops:list 1.5in'>WARNING: If
1163 the client does not ensure the host name of the server is the same as
1164 one of the host names explicitly described in the server’s certificate,
1165 you have not authenticated the server’s identity. Any other server
1166 which was issued a certificate from the same trusted CA can masquerade
1167 as the server unless the client performs the host name check.</li>
1168 </ul>
1169 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:
1170 auto;mso-list:l11 level2 lfo15;tab-stops:list 1.0in'>Ensure that
1171 certificate verification methods/routines return no errors.</li>
1172 </ul>
1173 </ul>
1174
1175 <p>Because only the above arguments can be passed into the Pegasus <span
1176 class=SpellE>SSLContext</span>, there are some limitations in the client
1177 configuration: </p>
1178
1179 <ul type=disc>
1180 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1181 mso-list:l10 level1 lfo16;tab-stops:list .5in'>The verification depth
1182 cannot be specified. Pegasus uses the default <span class=SpellE>OpenSSL</span>
1183 depth of 9. </li>
1184 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1185 mso-list:l10 level1 lfo16;tab-stops:list .5in'>The cipher list cannot be
1186 specified. Pegasus uses the default <span class=SpellE>OpenSSL</span>
1187 cipher list. The cipher lists can be found at <a
1188 href="http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_</a>
1189 and <a
1190 href="http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_">http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_</a>
1191 </li>
1192 <li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
1193 mso-list:l10 level1 lfo16;tab-stops:list .5in'>No hostname checking is
1194 performed to ensure that the subject field of the distinguished name (DN)
1195 matches the hostname. If desired, a user-specified callback should be
1196 configured to perform this check or any additional checks relevant to the
1197 application.</li>
1198 </ul>
1199
1200 <h3><a name=AUTH>SSL Authorization</a></h3>
1201
1202 <p>The following paragraphs concern authorization of users authenticated by
1203 certificate on the <span class=SpellE>cimserver's</span> HTTPS port. </p>
1204
1205 <p>It is important to note that SSL certificates are verified during the
1206 initial handshake, BEFORE any further authentication takes place. If a
1207 certificate fails, the connection can be terminated immediately, resulting in a
1208 connection exception. This scenario will occur if the <span class=SpellE>sslClientVerificationMode</span>
1209 property is set to "required" and no certificate or an <span
1210 class=SpellE>untrusted</span> certificate is sent. </p>
1211
1212 <p>Further <b><i>authorization</i></b> checks must be performed when validating
1213 the user that is mapped to the certificate. First, the user that is registered
1214 to the certificate is checked to be a valid system user and a valid <span
1215 class=SpellE>cimuser</span> (if the <span class=SpellE>cimuser</span> function
1216 has been configured). <span style='color:black'>In the case of a certificate
1217 chain, the username authorization starts with the leaf certificate. If it
1218 successfully finds a mapping for the leaf certificate, it continues; if there
1219 is no username for the leaf certificate, the validation proceeds up the chain toward the root
1220 certificate. If the root certificate is reached and there is still no mapped
1221 username, the authorization fails.</span> Additionally,
1222 if Pegasus was configured to use PAM, the <span class=SpellE>pam_acct_mgmt</span>
1223 function will be called with the user that is mapped to the certificate. This
1224 ensures that any login conditions that would have been placed on a user
1225 authenticated via basic authentication are still applied to a user
1226 authenticated via certificate. The <span class=SpellE>pam_authenticate</span>
1227 method will NOT be called. Lastly, the providers must authorize the user. They
1228 receive the username that was mapped to the certificate in the <span
1229 class=SpellE>OperationContext</span>. </p>
1230
1231 <p>A provider may request the client's certificate chain information through
1232 its provider registration MOF. The "<span class=SpellE>RequestedOperationContextContainers</span>"
1233 property of <span class=SpellE>PG_Provider</span> should be set to include the
1234 "<span class=SpellE>SSLCertificateChain</span>" by setting the value “0”.
1235 If a client is authenticated via trusted certificate, then the container will
1236 include a certificate for each level in the client's certificate chain, up to a
1237 maximum depth of seven.</p>
1238
1239 <p><span style='font-family:Times'>The behavior of this property is dependent
1240 on the overall CIMOM settings. The "<span class=SpellE>enableHttpsConnection</span>"
1241 configuration property must be set to true for the property to have any effect.
1242 Additionally, the "<span class=SpellE>sslClientVerificationMode</span>"
1243 configuration property must be set to either "required" or
1244 "optional". If "required" is specified, then the container
1245 will always be populated. If "optional" is specified, the container
1246 will be populated only if the client is authenticated via trusted certificate,
1247 as opposed to another mechanism such as basic authentication. Because the
1248 container may not always be present in the <span class=SpellE>OperationContext</span>,
1249 providers should always check for its existence before performing operations on
1250 it. See the <span class=SpellE>SSLCertificateInfo</span> class in
1251 Pegasus/Common/<span class=SpellE>SSLContext.h</span> for a full list of
1252 certificate parameters that the <span class=SpellE>SSLCertificateChainContainer</span>
1253 supports.</span></p>
1254
1255 <h3><a name=EXT>Critical Extension Handling</a></h3>
1256
1257 <p><span style='color:black'>The extensions defined for X.509 v3 certificates
1258 provide methods for associating additional attributes with users or public keys
1259 and for managing the certification hierarchy. Each extension in a certificate
1260 may be designated as critical or non-critical. Pegasus relies on the underlying
1261 <span class=SpellE>OpenSSL</span> implementation to handle critical extensions
1262 specified in a certificate. Please refer to the <span class=SpellE>OpenSSL</span>
1263 documentation for more information on the extensions currently supported by <span
1264 class=SpellE>OpenSSL</span> and on the behavior of <span class=SpellE>OpenSSL</span>
1265 when it encounters a critical extension that it does not recognize.</span>
1266 </p>
1267
1268 <h3><a name=RESOURCES>Resources</a></h3>
1269
1270 <p>For <span class=SpellE>OpenSSL</span> information pick up a copy of
1271 O'Reilly's Network Security with <span class=SpellE>OpenSSL</span> or go to the
1272 <span class=SpellE>OpenSSL</span> Site<span class=GramE>:</span><br>
1273 <a href="http://www.openssl.org">http://www.openssl.org</a> </p>
1274
1275 <p>A really fabulous guide on certificate management and installation with <span
1276 class=SpellE>OpenSSL</span><span class=GramE>:</span><br>
1277 <a href="http://www.gagravarr.org/writing/openssl-certs/index.shtml">http://www.gagravarr.org/writing/openssl-certs/index.shtml</a>
1278 </p>
1279
1280 <p><span class=GramE>x509</span> Certificate and CRL RFC:<br>
1281 <a href="http://www.ietf.org/rfc/rfc2459.txt?number=2459">http://www.ietf.org/rfc/rfc2459.txt?number=2459</a>
1282 </p>
1284 <p>SSLv3 RFC<span class=GramE>:</span><br>
1285 <a href="http://wp.netscape.com/eng/ssl3/">http://wp.netscape.com/eng/ssl3</a> </p>
1286
1287 <p>TLSv1 RFC<span class=GramE>:</span><br>
1288 <a href="http://www.ietf.org/rfc/rfc2246.txt">http://www.ietf.org/rfc/rfc2246.txt</a>
1289 </p>
1290
1291 <p>Basic Authentication RFC<span class=GramE>:</span><br>
1292 <a href="http://www.faqs.org/rfcs/rfc2617.html">http://www.faqs.org/rfcs/rfc2617.html</a>
1293 </p>
1294
1295 <div class=MsoNormal align=center style='text-align:center'>
1296
1297 <hr size=2 width="100%" align=center>
1298
1299 </div>
1300
1301 <p><i><span style='font-size:10.0pt'>Copyright (c) 2005 EMC Corporation;
1302 Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group; VERITAS
1303 Software Corporation</span><br>
1304 <br>
1305 </i><i><span style='font-size:7.5pt'>Permission is hereby granted, free of
1306 charge, to any person obtaining a copy of this software and associated
1307 documentation files (the "Software"), to deal in the Software without
1308 restriction, including without limitation the rights to use, copy, modify,
1309 merge, publish, distribute, sublicense, and/or sell copies of the Software, and
1310 to permit persons to whom the Software is furnished to do so, subject to the
1311 following conditions:</span><br>
1312 </i><i><span style='font-size:10.0pt'><br>
1313 </span></i><i><span style='font-size:7.5pt'>THE ABOVE COPYRIGHT NOTICE AND THIS
1314 PERMISSION NOTICE SHALL BE INCLUDED IN ALL COPIES OR SUBSTANTIAL PORTIONS OF
1315 THE SOFTWARE. THE SOFTWARE IS PROVIDED<span class=GramE> "</span>AS
1316 IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
1317 LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
1318 AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
1319 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
1320 CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
1321 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</span></i></p>
1322
1323 <div class=MsoNormal align=center style='text-align:center'>
1324
1325 <hr size=2 width="100%" align=center>
1326
1327 </div>
1328
1329 </div>
1330
1331 </body>
1332