
File: [Pegasus] / pegasus / doc / PegasusSecurityArchitecture.ppt
Revision: 1.1, Wed Jun 19 20:37:55 2002 UTC (21 years, 10 months ago) by kumpf
Branch: MAIN
HP-Nag: Created a Pegasus Security Architecture slide set.

Pegasus Security Implementation
Author: Nag Boranna
Hewlett-Packard Company

Slide titles:
- Security Block Diagram
- Authentication Block Diagram
- Authorization Block Diagram
- Authentication Implementation
- Authentication Components
- Authorization Implementation
- Authorization Components
- Security Configurations
- Enabling Authentication
- Enabling Authorization


[Slide: Security Block Diagram (slide footer: Pegasus CIMOM, 2/26/02). Only the diagram text is recoverable; the drawing itself is not.]
Components shown: Monitor; HTTP Acceptor; HTTP Connection (three instances, one per client connection, with an edge labelled "creates"); HTTP Authenticator Delegator; Authentication Manager; CIM Operation Request Decoder; CIM Export Request Decoder; CIM Operation Request Authorizer; CIM Operation Request Dispatcher; CIM Operation Response Encoder; Repository and Providers; Network (cloud).
Message flow labels: 1. Socket ready for read; 2. Socket message; 3. HTTP request message; 4. HTTP challenge message; 5. HTTP challenge response message; 6. HTTP request messages; 7. CIM request messages; 8. CIM request messages; 9. CIM response messages; 10. HTTP response message; 11. Socket write.
[Slide: Authentication Block Diagram. Only the diagram text is recoverable; the drawing itself is not.]
Boxes: Authenticator (Interface); Authentication Manager; Local Authentication Handler; Basic Authentication Handler; Digest Authentication Handler; Local Authenticator (Interface); Basic Authenticator (Interface); Digest Authenticator (Interface); File System Based Authentication; PAM; Secure Basic Authenticator; Simple Basic Authenticator.
Labels: "Plug-in Authentication Modules"; "Plug-in Authentication Module"; "HTTP Specific: handles HTTP specific information, but does not deal with the protocol".
[Slide: Authorization Block Diagram. Only the diagram text is recoverable; the drawing itself is not.]
Boxes: User Manager; CIM Operation Request Authorizer; Authorization Handler; Instance Repository.
Edge labels: "Load Authorizations" (Authorization Handler from the Instance Repository); "Verify Authorization" (twice: Authorizer to User Manager, User Manager to Authorization Handler).
Authentication Implementation

Startup:
- CIMServer creates the HTTPAuthenticatorDelegator queue.
- HTTPAuthenticatorDelegator creates the AuthenticationManager.
- AuthenticationManager loads the AuthenticationHandlers. (Currently it creates instances of the Authentication Handlers directly; this should be changed to load the handlers dynamically.)

On Client Request:
- An HTTPConnection queue is created when a connection request arrives from a client.
- HTTPConnection creates an AuthenticationInfo object to keep track of the authentication information for this connection. An HTTPConnection and an AuthenticationInfo object are created for each new connection.
- HTTPConnection receives CIM requests, adds a reference to the AuthenticationInfo object and passes them to the Delegator.
- The Delegator parses the request and looks for "Authorization" or "PegasusAuthorization" header tags.
- If neither the "Authorization" nor the "PegasusAuthorization" tag is found:
	* Calls getAuthResponseHeader() of the AuthenticationManager.
	* Sends the challenge to the HTTPConnection queue, and eventually to the client.
- If the "Authorization" tag is found:
	* Calls the performHttpAuthentication() method of the AuthenticationManager.
	* If authentication is successful, passes the request to the Decoders. Otherwise calls getAuthResponseHeader() of the AuthenticationManager and sends the challenge back.
- If the "PegasusAuthorization" tag is found:
	* Calls the performPegasusAuthentication() method of the AuthenticationManager.
	* If authentication is successful, passes the request to the Decoders. Otherwise calls getAuthResponseHeader() of the AuthenticationManager and sends the challenge back.
- In all these cases the AuthenticationInfo object is updated with the authentication status for that connection session.
Authentication Components

Authentication Manager
- AuthenticationManager loads the Authentication Handlers.
- When the performHttpAuthentication() or performPegasusAuthentication() method is called:
	* it parses the HTTP headers to get the auth type, user name and password information
	* calls the authenticate() method of the Authentication Handler module
	* on successful authentication, updates the AuthenticationInfo object and returns true, else false
- When the getAuthResponseHeader() method is called, it gets the header from the Authentication Handlers.

Authentication Handlers (LocalAuthenticationHandler)
- Implements the Authenticator interface.
- Creates the response header when the getAuthResponseHeader() method is called (may get the header information from the authenticator module).
- Extracts the user name and password (or digest string) from the header information passed with authenticate() and calls the authenticate() method of the loaded authenticator module.

Authenticators (SecureLocalAuthenticator)
- Implements a specific authenticator interface (e.g. BasicAuthenticator).
- The getAuthResponseHeader() method returns the authentication challenge header information.
- The authenticate() method verifies the user name and password or the digest string and returns true on successful authentication, false otherwise.
$0޽h	? ̙33
8=(	
8r
8 S


8
0{M`@
Authorization Implementation

Startup:
- CIMServer creates the CIMOperationRequestAuthorizer queue if the requireAuthorization config property is set to true.
- CIMOperationRequestAuthorizer gets an instance of UserManager.
- UserManager creates the AuthorizationHandler.
- AuthorizationHandler loads the authorizations from the Repository.

On Client Request:
- The CIMOperationRequestAuthorizer queue receives a request message from the Decoder.
- CIMOperationRequestAuthorizer calls the verifyAuthorization() method of UserManager.
- UserManager calls the verifyAuthorization() method of AuthorizationHandler.
- AuthorizationHandler verifies the authorizations and returns true if a matching authorization was found, else false.
80޽h	? ̙33
rj<(	
<r
< SD@

P
<
0 b	
Authorization Components

CIMOperationRequestAuthorizer
- Gets the user name, namespace, authentication type and CIM method names from the CIM request.
- Calls UserManager's verifyAuthorization() method.

User Manager
- Creates the AuthorizationHandler and calls its verifyAuthorization() method.

Authorization Handler
- Loads authorizations from the repository.
- Verifies the user's authorizations when the verifyAuthorization() method is called.
Security Configurations

Configuration properties required for the Authentication module:
	requireAuthentication = true | false
	httpAuthType = Basic | Digest
	passwordFilePath = cimserver.passwd (use the file in the PEGASUS_HOME directory)

Configuration properties required for the Authorization module:
	requireAuthorization = true | false
	enableRemotePrivilegedUserAccess = true | false (enable or disable remote root access to the cimom)
Enabling Authentication

1. Set the following configuration properties in the cimserver_planned.conf file:
    requireAuthentication = true
    httpAuthType = Basic  (to enable HTTP Basic Authentication)
    passwordFilePath = cimserver.passwd  (to create/use the password file in the PEGASUS_HOME directory)
3. Start cimserver.
4. Add new users to the cimom (refer to pegasus/src/Clients/cimuser/doc/cimuser.htm).
    To add user "nag" with password "nag" (user "nag" must be a valid system user on that system):
    cimuser -a -u nag -w nag
5. Run any CIM clients to do CIM operations with the cimom.

Note:
(1) On Unix systems, the cimuser CLI can only be run locally as "root".
(2) Basic/Digest authentication are not fully implemented in the CIMServer and the CIMClient API.
Enabling Authorization

1. Set the following configuration properties in the cimserver_planned.conf file:
    requireAuthorization = true
    enableRemotePrivilegedUserAccess = false  (to disable remote root user access to the cimom)
2. Start cimserver.
3. Add authorizations to the CIM users (refer to pegasus/src/Clients/cimuser/doc/cimauth.html).
    To add both read and write authorizations to user "nag" on namespace "root/cimv2":
    cimauth -a -u nag -n root/cimv2 -R -W
4. Run any CIM clients to do CIM operations with the cimom.

Note:
(1) On Unix systems, user "root" by default has all the authorizations for local clients (the clients that use ConnectLocal() of the CIMClient API).
(2) The cimauth CLI can only be run locally as "root" on Unix systems.
Document summary (from the file properties): Gives an overview of Pegasus Authentication and Authorization Implementation and usage.