The security mechanism and configuration of z/OS CIM

Source: Internet
Author: User

1. Overview

Security has always been a central concern on the mainframe, and most mainframe customers have very high security requirements. z/OS CIM is based on the open-source OpenPegasus project, but it extends the security model that OpenPegasus ships with by drawing on the strengths of the host platform, so that CIM can meet those requirements.

SAF/RACF is the main security management interface and software component on z/OS. This article explains, in terms of SAF/RACF, how z/OS CIM implements secure access to each of its components and how that access is configured.

2. Overview of security mechanisms

On z/OS, the CIM server requires every client that sends a request to have a user ID defined on z/OS. The CIM server and RACF authenticate the request and make all authorization decisions on the basis of that user ID, so only authorized users can reach the CIM server and the host resources it exposes.

To achieve this, the user ID under which the CIM server runs needs some additional authority (z/OS CIM recommends, and uses by default, the user ID CFZSRV). When the CIM server receives a request, it switches the thread that processes that request to the requesting user's identity, and every later authorization check is made against that user ID rather than against CFZSRV. The SAF class SURROGAT controls such identity switches: to switch to user <userid>, the server's own ID needs READ access to the profile BPX.SRV.<userid>. Rather than defining a BPX.SRV profile for every client user, a generic profile BPX.SRV.** can be defined that lets CFZSRV switch to any user ID. Be aware of what this grants: CFZSRV can then run work under any identity on the system, so the CFZSRV user ID itself must be protected at least as carefully as the most privileged ID it can assume. The following commands define the generic profile and give CFZSRV READ access to it:

SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT) GENERIC(SURROGAT)
RDEFINE SURROGAT BPX.SRV.** UACC(NONE)
PERMIT BPX.SRV.** CLASS(SURROGAT) ACCESS(READ) ID(CFZSRV)
SETROPTS RACLIST(SURROGAT) REFRESH

3. CIM server access control

Access to the CIM server itself is controlled through a dedicated SAF class, WBEM, and a profile in that class, CIMSERV. The CIM server decides what a user may do by checking the user's access level to this profile. The WBEM class is added to the dynamic class descriptor table (CDT) and the CIMSERV profile is then created with the following commands:

SETROPTS CLASSACT(CDT) RACLIST(CDT)

RDEFINE CDT WBEM UACC(NONE) +
   CDTINFO(CASE(UPPER) +
           MAXLENGTH(246) +
           FIRST(ALPHA) +
           OTHER(ALPHA,NUMERIC) +
           MAXLENX(246) +
           KEYQUALIFIERS(0) +
           PROFILESALLOWED(YES) +
           POSIT(200) +
           DEFAULTRC(8) +
           DEFAULTUACC(NONE) +
           RACLIST(REQUIRED))

SETROPTS RACLIST(CDT) REFRESH

SETROPTS CLASSACT(WBEM) RACLIST(WBEM)

RDEFINE WBEM CIMSERV UACC(NONE)

SETROPTS RACLIST(WBEM) REFRESH

When the CIM server receives a request, it first checks that the user is allowed to connect to the CIM server at all: the user ID needs at least READ access to CIMSERV. Beyond that, each CIM operation a client can issue (the operations that providers serve through their CMPI interfaces) requires a particular access level to CIMSERV, as shown in the following table:

Operation group           CIM operations                                              CIMSERV access
Basic read                GetClass, EnumerateClasses, EnumerateClassNames,            READ
                          GetInstance, EnumerateInstances, EnumerateInstanceNames,
                          GetProperty, GetQualifier, EnumerateQualifiers
Basic write               SetProperty                                                 UPDATE
Method invocation         InvokeMethod                                                UPDATE
Schema manipulation       CreateClass, ModifyClass, DeleteClass                       CONTROL
Instance manipulation     CreateInstance, ModifyInstance, DeleteInstance              UPDATE
Indication subscription   CreateInstance, ModifyInstance, DeleteInstance              UPDATE
Association traversal     Associators, AssociatorNames, References, ReferenceNames    READ
Query                     ExecQuery                                                   READ
Qualifier declaration     SetQualifier, DeleteQualifier                               CONTROL
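As an added example (not code from this page, from IBM or from OpenPegasus), the following Python model walks one request through the two RACF checks described in sections 2 and 3: the SURROGAT check that lets CFZSRV switch to the requester's identity, and the CIMSERV access check against the table above. The RACF semantics it implements are the simplification stated in its docstring, not RACF's full algorithm. The user IDs OPER1, ADMIN1, SYSPROG1 and GUEST1 and the extra discrete profile BPX.SRV.SYSPROG1 are constructed for the example; the method-execution operation is named InvokeMethod, its CIM-XML name. The model also shows how a discrete profile carves a single user out of the generic BPX.SRV.**, and computes the least CIMSERV access a client's set of operations needs.

```python
"""Two RACF checks behind a z/OS CIM request (added example, not IBM/OpenPegasus code).

Simplified RACF semantics, assumed here: a discrete (exact) profile beats a generic
one; among generics the longest literal prefix wins; only a trailing '**' qualifier
is modelled; access levels order NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER;
a user on the access list gets that entry, everyone else gets UACC.  Groups,
SPECIAL/OPERATIONS attributes and conditional access are ignored.
"""
from dataclasses import dataclass, field

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def access_rank(level):
    return ACCESS_ORDER.index(level.upper())


@dataclass
class Profile:
    name: str                                    # "BPX.SRV.**", "CIMSERV", ...
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # PERMIT ... ID(user) ACCESS(level)

    def matches(self, resource):
        if self.name.endswith(".**"):            # '**' matches zero or more qualifiers
            prefix = self.name[:-3]
            return resource == prefix or resource.startswith(prefix + ".")
        return resource == self.name

    def specificity(self):
        generic = 1 if "*" in self.name else 0   # discrete profiles sort first
        return (generic, -len(self.name.rstrip("*.")))


def best_profile(profiles, resource):
    hits = [p for p in profiles if p.matches(resource)]
    return min(hits, key=Profile.specificity) if hits else None


def check_access(profiles, resource, user, required):
    """Return (allowed, reason) for one RACF authorization check."""
    prof = best_profile(profiles, resource)
    if prof is None:
        # No profile: RACF answers with the class's DEFAULTRC; the WBEM class
        # above is defined with DEFAULTRC(8), so an unprotected resource is denied.
        return False, f"no profile covers {resource}"
    granted = prof.permits.get(user, prof.uacc)
    allowed = access_rank(granted) >= access_rank(required)
    return allowed, f"{prof.name}: {user} holds {granted}, needs {required}"


# CIMSERV access each CIM operation needs (the table above; the method
# operation is given its CIM-XML name, InvokeMethod).
CIMSERV_REQUIRED = {
    **dict.fromkeys(["GetClass", "EnumerateClasses", "EnumerateClassNames",
                     "GetInstance", "EnumerateInstances", "EnumerateInstanceNames",
                     "GetProperty", "GetQualifier", "EnumerateQualifiers",
                     "Associators", "AssociatorNames", "References",
                     "ReferenceNames", "ExecQuery"], "READ"),
    **dict.fromkeys(["SetProperty", "InvokeMethod", "CreateInstance",
                     "ModifyInstance", "DeleteInstance"], "UPDATE"),
    **dict.fromkeys(["CreateClass", "ModifyClass", "DeleteClass",
                     "SetQualifier", "DeleteQualifier"], "CONTROL"),
}


def authorize_request(surrogat, wbem, server_id, user, operation):
    """Step 1: may the server identity switch to the requester (READ on
    BPX.SRV.<user> in SURROGAT)?  Step 2: does the requester hold the CIMSERV
    access the operation needs?  Connecting at all needs READ, the minimum."""
    ok, why = check_access(surrogat, f"BPX.SRV.{user}", server_id, "READ")
    if not ok:
        return False, "identity switch denied, " + why
    required = CIMSERV_REQUIRED.get(operation)
    if required is None:
        return False, f"unknown operation {operation}"
    ok, why = check_access(wbem, "CIMSERV", user, required)
    return ok, ("allowed, " if ok else "denied, ") + why


def minimum_cimserv_access(operations):
    """Least privilege: the smallest CIMSERV access covering a client's operations."""
    return max((CIMSERV_REQUIRED[op] for op in operations), key=access_rank)


# Constructed sample policy: the article's commands plus one discrete profile
# for the hypothetical ID SYSPROG1 (carved out of BPX.SRV.**) and two
# hypothetical client IDs permitted to CIMSERV at different levels.
SURROGAT = [
    Profile("BPX.SRV.**", permits={"CFZSRV": "READ"}),
    Profile("BPX.SRV.SYSPROG1"),                 # UACC(NONE), no PERMIT for CFZSRV
]
WBEM = [Profile("CIMSERV", permits={"OPER1": "READ", "ADMIN1": "UPDATE"})]

if __name__ == "__main__":
    for user, op in [("OPER1", "EnumerateInstances"), ("OPER1", "InvokeMethod"),
                     ("ADMIN1", "InvokeMethod"), ("ADMIN1", "CreateClass"),
                     ("SYSPROG1", "GetClass"), ("GUEST1", "GetClass")]:
        print(user, op, *authorize_request(SURROGAT, WBEM, "CFZSRV", user, op))
    print("GetClass+SetProperty needs:", minimum_cimserv_access(["GetClass", "SetProperty"]))
```

Running the block prints one decision per sample request. The SYSPROG1 case is the point of the extra discrete profile: RACF uses the most specific matching profile, so BPX.SRV.SYSPROG1 with UACC(NONE) and no PERMIT stops CFZSRV from assuming that identity even though BPX.SRV.** alone would allow it. GUEST1 passes the identity switch but is refused at CIMSERV because it is not on the access list and UACC is NONE.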
