1. Overview
Security has always been a central concern on the mainframe, and most mainframe customers have very high security requirements. z/OS CIM is based on the open-source project OpenPegasus, but it builds on the mainframe's strengths in security: the security system that OpenPegasus ships with has been extended so that CIM can meet users' needs in this area.
SAF/RACF is the main security management interface and software component on z/OS. This article uses SAF/RACF to explain how z/OS CIM implements secure access to each module and how to configure it.
2. Overview of security mechanisms
On z/OS, the CIM server requires every client that sends a request to have a user ID on z/OS. The CIM server and RACF authenticate and authorize the request based on the user ID presented by the client; only authorized users can access the CIM server and the resources on the mainframe.
To achieve this, some additional settings are needed for the user ID under which the CIM server runs (for z/OS CIM we recommend CFZSRV, which is also the default). With these settings, when the CIM server receives a user request it can switch the thread that processes the request to the requesting user's ID, and the authorization check is then performed against that user ID. SAF provides the SURROGAT class for this: define a BPX.SRV.<userid> profile and give CFZSRV READ access to it. We recommend defining a generic profile that allows CFZSRV to switch to any user ID, which avoids the trouble of defining a large number of individual BPX.SRV profiles. The following commands define this profile and grant CFZSRV READ access to it:
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT) GENERIC(SURROGAT)
RDEFINE SURROGAT BPX.SRV.** UACC(NONE)
PERMIT BPX.SRV.** CLASS(SURROGAT) ACCESS(READ) ID(CFZSRV)
SETROPTS RACLIST(SURROGAT) REFRESH
3. CIM server access control
For access control of the CIM server itself, a dedicated class, WBEM, and a profile within it, CIMSERV, are defined in SAF. The CIM server determines what a user may do by checking that user's access to the CIMSERV profile. The commands that define the class and the profile are as follows:
SETROPTS CLASSACT(CDT) RACLIST(CDT)
RDEFINE +
  CDT WBEM +
  UACC(NONE) +
  CDTINFO(CASE(UPPER) +
    MAXLENGTH(246) +
    FIRST(ALPHA) +
    OTHER(ALPHA,NUMERIC) +
    MAXLENX(246) +
    KEYQUALIFIERS(0) +
    PROFILESALLOWED(YES) +
    POSIT(200) +
    DEFAULTRC(8) +
    DEFAULTUACC(NONE) +
    RACLIST(REQUIRED))
SETROPTS RACLIST(CDT) REFRESH
SETROPTS CLASSACT(WBEM) RACLIST(WBEM)
RDEFINE WBEM CIMSERV UACC(NONE)
SETROPTS RACLIST(WBEM) REFRESH
When the CIM server receives a user request, it first checks whether the user is permitted to connect to the CIM server at all: connecting requires at least READ access to CIMSERV. Beyond that, each CMPI interface implemented by the various providers requires its own level of access to CIMSERV, as shown in the following table:
Operation               | Interface                                                                                                                                              | CIMSERV access right
------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------
Basic read              | GetClass, EnumerateClasses, EnumerateClassNames, GetInstance, EnumerateInstances, EnumerateInstanceNames, GetProperty, GetQualifier, EnumerateQualifiers | READ
Basic write             | SetProperty                                                                                                                                            | UPDATE
Method                  | ExecuteMethod                                                                                                                                          | UPDATE
Schema manipulation     | CreateClass, ModifyClass, DeleteClass                                                                                                                  | CONTROL
Instance manipulation   | CreateInstance, ModifyInstance, DeleteInstance                                                                                                         | UPDATE
Indication subscription | CreateInstance, ModifyInstance, DeleteInstance                                                                                                         | UPDATE
Association traversal   | Associators, AssociatorNames, References, ReferenceNames                                                                                               | READ
Query                   | ExecQuery                                                                                                                                              | READ
Qualifier declaration   | SetQualifier, DeleteQualifier                                                                                                                          | CONTROL
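The following Python model is an added example, not part of the original article and not z/OS CIM or OpenPegasus code. It shows the two-stage check the text describes (connect requires at least READ on CIMSERV; each operation then requires the access level from the table) together with the RACF rule that access levels are ordered, so a user holding UPDATE also satisfies READ. The profile, its UACC and the user permits are constructed sample data; the helper names (Profile, authorize, REQUIRED_ACCESS) are this example's own.

```python
"""Model of the z/OS CIM server's CIMSERV authorization check (added example).

Assumptions (not from the article): the WBEM class profile, its UACC and the
per-user permits are plain Python data, and RACF's access-level ordering
NONE < READ < UPDATE < CONTROL < ALTER decides whether a held level satisfies
a required one. An explicit access-list entry takes precedence over UACC,
as it does in RACF.
"""
from dataclasses import dataclass, field

# RACF access levels are ordered: holding a higher level satisfies a lower one.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Required CIMSERV access per CIM operation, taken from the table above.
REQUIRED_ACCESS = {
    # Basic read
    "GetClass": "READ", "EnumerateClasses": "READ", "EnumerateClassNames": "READ",
    "GetInstance": "READ", "EnumerateInstances": "READ",
    "EnumerateInstanceNames": "READ", "GetProperty": "READ",
    "GetQualifier": "READ", "EnumerateQualifiers": "READ",
    # Basic write, method, instance manipulation, indication subscription
    "SetProperty": "UPDATE", "ExecuteMethod": "UPDATE",
    "CreateInstance": "UPDATE", "ModifyInstance": "UPDATE", "DeleteInstance": "UPDATE",
    # Schema manipulation, qualifier declaration
    "CreateClass": "CONTROL", "ModifyClass": "CONTROL", "DeleteClass": "CONTROL",
    "SetQualifier": "CONTROL", "DeleteQualifier": "CONTROL",
    # Association traversal, query
    "Associators": "READ", "AssociatorNames": "READ",
    "References": "READ", "ReferenceNames": "READ", "ExecQuery": "READ",
}


@dataclass
class Profile:
    """A RACF profile in the WBEM class, e.g. CIMSERV defined with UACC(NONE)."""
    name: str
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # user ID -> access level

    def effective_access(self, user: str) -> str:
        """Access a user holds: the explicit permit if present, otherwise UACC."""
        return self.permits.get(user.upper(), self.uacc)


def satisfies(held: str, required: str) -> bool:
    """True if the held RACF access level is at least the required one."""
    return ACCESS_ORDER[held] >= ACCESS_ORDER[required]


def authorize(profile: Profile, user: str, operation: str) -> tuple:
    """Two-stage check: connect needs at least READ on the profile, then the
    requested operation needs its mapped access level. Returns (allowed, reason)."""
    held = profile.effective_access(user)
    if not satisfies(held, "READ"):
        return False, f"{user} denied: no READ access to {profile.name}, cannot connect"
    required = REQUIRED_ACCESS.get(operation)
    if required is None:
        return False, f"{user} denied: unknown operation {operation}"
    if not satisfies(held, required):
        return False, f"{user} denied: {operation} needs {required}, holds {held}"
    return True, f"{user} allowed: {operation} ({required} satisfied by {held})"


# Constructed sample: CIMSERV with UACC(NONE) and three permitted user IDs.
CIMSERV = Profile("CIMSERV", uacc="NONE",
                  permits={"OPER1": "READ", "ADMIN1": "UPDATE", "SCHEMA1": "CONTROL"})

if __name__ == "__main__":
    for user, op in [("OPER1", "EnumerateInstances"), ("OPER1", "SetProperty"),
                     ("ADMIN1", "CreateInstance"), ("ADMIN1", "CreateClass"),
                     ("SCHEMA1", "DeleteClass"), ("GUEST", "GetClass")]:
        print(authorize(CIMSERV, user, op)[1])
```

The sample run shows the practical consequence of the table: a user ID with only READ can enumerate but not modify, UPDATE covers instance and method operations but not schema changes, and a user ID with no permit falls back to UACC(NONE) and is refused before any operation is considered.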