Chapter 11. OpenWBEM

Contents

11.1. Setting Up OpenWBEM
11.2. Changing the OpenWBEM CIMOM Configuration
11.3. For More Information

Novell® has embraced the open standard strategies of Web-Based Enterprise Management (WBEM) proposed by the Distributed Management Task Force (DMTF). Implementing these strategies can substantially reduce the level of complexity associated with managing disparate systems in your network.

The following information describes a few of the components proposed by the DMTF standards. Understanding what these are and how they relate to each other can help you understand what OpenWBEM is and how you most effectively use it in your network.

SUSE® Linux Enterprise Server contains the open source CIMOM from the OpenWBEM project.

The Web-Based Enterprise Management software selection includes a set of packages that contain basic Novell providers, including some sample providers, and a base set of accompanying Novell schemas.

As Novell moves forward with OpenWBEM and development of specific providers, it will provide tools that offer the following important features:

Understanding how the OpenWBEM CIMOM is set up and how to configure it can help you monitor and manage disparate systems in your network with more confidence and ease.

11.1. Setting Up OpenWBEM

To set up OpenWBEM, select the Web-Based Enterprise Management software selection or pattern in YaST when you install SUSE Linux Enterprise Server or select it as a component to install on a server that is already running SUSE Linux Enterprise Server. This software selection includes the following packages:

cim-schema, Common Information Model (CIM) Schema:

This package contains the Common Information Model (CIM). CIM is a model for describing overall management information in a network or enterprise environment. CIM consists of a specification and a schema. The specification defines the details for integration with other management models. The schema provides the actual model descriptions.

openwbem, Web Based Enterprise Management (WBEM) Implementation:

This package contains OpenWBEM itself, a set of software components that help facilitate the deployment of the Distributed Management Task Force (DMTF) CIM and WBEM technologies. If you are not familiar with the DMTF and its technologies, you can visit the DMTF Web site.

openwbem-base-providers:

This package contains a Novell Linux instrumentation of base operating system components such as computer, system, operating system, and processes for the OpenWBEM CIMOM.

openwbem-smash-providers:

This package contains a Novell Linux instrumentation of the Systems Management Architecture for Server Hardware (SMASH) providers for the OpenWBEM CIMOM.

yast2-cim, YaST2 - CIM Bindings:

This package adds CIM bindings to YaST2 (YaST2 is the Graphical User Interface of the SUSE System Tools Manager). These bindings provide a client interface to the Common Information Model Object Manager (CIMOM).

This section includes the following information:

11.1.1. Starting, Stopping, or Checking Status for owcimomd

When Web-Based Enterprise Management software is installed, the daemon, owcimomd, is started by default. The following table explains how to start, stop, and check status for owcimomd.

Table 11.1. Commands for Managing owcimomd

  Task                     Linux Command (as root in a console shell)
  -----------------------  ------------------------------------------
  Start owcimomd           rcowcimomd start
  Stop owcimomd            rcowcimomd stop
  Check owcimomd status    rcowcimomd status


11.1.2. Ensuring Secure Access

The default setup of OpenWBEM is relatively secure. However, you might want to review the following to ensure access to OpenWBEM components is as secure as desired for your organization.

11.1.2.1. Certificates

Secure Sockets Layer (SSL) transports require a certificate for secure communications to occur. When the Web-Based Enterprise Management software selection is installed, a self-signed certificate is generated for OpenWBEM.

If desired, you can point OpenWBEM at a commercial certificate that you have purchased, or at a different certificate that you have generated, by changing the http_server.SSL_cert = path_filename setting in the /etc/openwbem/openwbem.conf file. Note that a self-signed certificate encrypts the connection but does not let a client verify which server it is talking to unless the client has been configured to trust that specific certificate.

The default generated certificate is in the following location:

/etc/openwbem/servercert.pem

If you want to generate a new certificate, use the following command. Running this command replaces the current certificate, so Novell recommends making a copy of the old certificate before generating a new one. Restart owcimomd afterward (rcowcimomd stop, then rcowcimomd start) so that the new certificate is in use.

As root in a console shell, enter

sh /etc/openwbem/owgencert

If you want to change the certificate that OpenWBEM uses, see Section 11.2.2, “Changing the Certificate Configuration”.

11.1.2.2. Ports

OpenWBEM is configured by default to accept all communications through a secure port, 5989. The following table explains the port communication setup and recommended configuration.

Table 11.2. Port Communication Setup and Recommended Configurations

  Port 5989 (Secure)

    The secure port that OpenWBEM communications use via HTTPS services. This is the default configuration.

    With this setting, all communications between the CIMOM and client applications are encrypted on the wire between servers and workstations. Users must authenticate through the client application to view this information.

    Novell recommends that you maintain this setting in the configuration file.

    For the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in any routers and firewalls between the client application and the nodes being monitored.

  Port 5988 (Unsecure)

    The unsecure port that OpenWBEM communications use via HTTP services. This setting is disabled by default.

    With this setting, all communications between the CIMOM and client applications travel in plaintext between servers and workstations. Anyone able to observe that traffic can read it without authenticating to the CIMOM, including the credentials that a client using the default Basic authentication sends with its requests.

    Novell recommends that you use this setting only when attempting to debug a problem with the CIMOM. As soon as the problem is resolved, set the non-secure port option back to Disabled.

    For the OpenWBEM CIMOM to communicate with the necessary applications that require non-secure access, this port must be open in any routers and firewalls between the client application and the nodes being monitored.


If you want to change the default port assignments, see Section 11.2.3, “Changing the Port Configuration”.

11.1.2.3. Authentication

The following authentication settings are set and enabled as the default for OpenWBEM in SUSE Linux Enterprise Server.

You can change any of the default settings. See Section 11.2.1, “Changing the Authentication Configuration”.

  • http_server.allow_local_authentication = true

  • http_server.ssl_client_verification = disabled

  • http_server.use_digest = false

  • owcimomd.allow_anonymous = false

  • owcimomd.allowed_users = root

  • owcimomd.authentication_module = /usr/lib/openwbem/authentication/libpamauthentication.so

The OpenWBEM CIMOM is PAM enabled by default; therefore the local root user can authenticate to the OpenWBEM CIMOM with local root user credentials. Because http_server.use_digest is false by default, those credentials travel in a Basic authentication header and are protected only by the HTTPS transport, which is one more reason to leave the unsecure port 5988 disabled.
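
The following Python script is an added example, not part of OpenWBEM or of this manual: it reads an openwbem.conf, applies the rule from Section 11.2 that a line commented out with ; or # keeps its default, and reports every departure from the port and authentication recommendations above (HTTPS only, no anonymous access, a restricted owcimomd.allowed_users, a password file when Digest is on). The severity labels, the DEFAULTS table (taken from the values this chapter states) and the two sample configurations are this example's own constructions.

```python
"""Audit an openwbem.conf for the port and authentication settings of Section 11.1.2.

Added example, not OpenWBEM code. It applies the parsing rule from Section 11.2
(a setting commented out with ';' or '#' keeps its default) and flags values that
depart from the defaults and recommendations given in this chapter.
"""
from typing import Dict, List

# Defaults as stated in Sections 11.1.2.3 and 11.2; used when a line is commented out.
DEFAULTS = {
    "http_server.http_port": "5988",
    "http_server.https_port": "5989",
    "http_server.allow_local_authentication": "true",
    "http_server.ssl_client_verification": "disabled",
    "http_server.use_digest": "false",
    "owcimomd.allow_anonymous": "false",
    "owcimomd.allowed_users": "root",
}


def parse_openwbem_conf(text: str) -> Dict[str, str]:
    """Return the active key/value pairs; ';' and '#' lines are comments, and a
    repeated key takes its last value, as a sequential reader would see it."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings: Dict[str, str], key: str) -> str:
    """Value from the file, or the chapter's stated default when the line is absent."""
    return settings.get(key, DEFAULTS.get(key, ""))


def audit(text: str) -> List[str]:
    """Return findings, most severe first. An empty list means the file matches the
    recommendations in Section 11.1.2 (HTTPS only, PAM, no anonymous access)."""
    s = parse_openwbem_conf(text)
    findings: List[str] = []

    if effective(s, "owcimomd.allow_anonymous").lower() == "true":
        findings.append("HIGH: owcimomd.allow_anonymous = true disables authentication "
                        "entirely; set it to false")

    http_port = effective(s, "http_server.http_port")
    if http_port != "-1":
        origin = "set to" if "http_server.http_port" in s else "defaulting to"
        findings.append(f"HIGH: plaintext HTTP listener {origin} port {http_port}; set "
                        "http_server.http_port = -1 except while debugging the CIMOM")

    if effective(s, "http_server.https_port") == "-1":
        findings.append("HIGH: http_server.https_port = -1 disables the HTTPS listener, "
                        "leaving only the plaintext HTTP port (if enabled) for clients")

    if "*" in effective(s, "owcimomd.allowed_users").split():
        findings.append("MEDIUM: owcimomd.allowed_users = * admits every user that PAM "
                        "accepts; only acceptable together with ACLs (owcimomd.ACL_superuser "
                        "and the imported OpenWBEM_Acl1.0.mof)")

    if (effective(s, "http_server.use_digest").lower() == "true"
            and "http_server.digest_password_file" not in s):
        findings.append("MEDIUM: Digest authentication is enabled but "
                        "http_server.digest_password_file is not set; the password file "
                        "(default /etc/openwbem/digest_auth.passwd) must be created with "
                        "owdigestgenpass or logins will fail")

    if effective(s, "http_server.ssl_client_verification") == "autoupdate":
        findings.append("LOW: ssl_client_verification = autoupdate trusts any client "
                        "certificate after one successful password login; review "
                        "http_server.ssl_trust_store regularly")

    return findings


# Constructed samples (not copied from a real system).
HARDENED = """\
; mirrors the defaults listed in Section 11.1.2.3, with the HTTP port disabled
http_server.http_port = -1
http_server.https_port = 5989
http_server.allow_local_authentication = true
http_server.ssl_client_verification = disabled
http_server.use_digest = false
owcimomd.allow_anonymous = false
owcimomd.allowed_users = root
owcimomd.authentication_module = /usr/lib/openwbem/authentication/libpamauthentication.so
"""

LEFT_IN_DEBUG = """\
# debugging changes that were never reverted
http_server.http_port = 5988
; http_server.https_port = 5989
owcimomd.allow_anonymous = true
owcimomd.allowed_users = *
http_server.use_digest = true
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("left-in-debug", LEFT_IN_DEBUG)):
        print(name, audit(conf) or ["no findings"])
```

Run it against /etc/openwbem/openwbem.conf by passing the file's contents to audit(); a commented-out http_server.http_port line is reported as well, because the chapter gives 5988 as the built-in HTTP default and only an explicit -1 disables the listener.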

11.1.3. Setting Up Logging

You can change any of the default settings. For more information, see Section 11.2.4, “Changing the Default Logging Configuration”.

By default, logging for OpenWBEM is set up as follows.

  • log.main.components = *

  • log.main.level = ERROR

  • log.main.type = syslog

This means that owcimomd logging goes to the /var/log/messages file, or to other files depending on the configuration of syslogd, and that messages at level ERROR and above (ERROR and FATAL) are logged for all components.

11.2. Changing the OpenWBEM CIMOM Configuration

When the OpenWBEM CIMOM (owcimomd) starts, it reads its run-time configuration from the openwbem.conf file. The openwbem.conf file is located in the /etc/openwbem directory.

Any setting that has the options commented out with a semicolon (;) or pound sign (#) uses the default setting.

When making changes to this file, you can use any text editor that saves the file in a format that is native to the platform you are using.

You can change any of the settings in the openwbem.conf file. This section discusses the following configuration settings:

11.2.1. Changing the Authentication Configuration

When changing the Authentication configuration, there are several things that you can control:

  • Who can access the CIMOM

  • What authentication module is used

See the following settings:

11.2.1.1. http_server.allow_local_authentication

Purpose

Directs the http_server to allow local authentication without supplying a password, relying on local system file permissions.

You can use this setting with the Basic or Digest settings.

Syntax

http_server.allow_local_authentication = option

Option

Description

true

Enables local authentication.

This is the default setting.

false

Disables local authentication.

Example

http_server.allow_local_authentication = true

11.2.1.2. http_server.digest_password_file

Purpose

Specifies a location for the password file. This is required if the http_server.use_digest setting is enabled.

Syntax

http_server.digest_password_file = path_filename

The following is the default path and filename for the digest password file:

/etc/openwbem/digest_auth.passwd

Example

http_server.digest_password_file = /etc/openwbem/digest_auth.passwd

11.2.1.3. http_server.ssl_client_verification

Purpose

Determines whether the server should attempt to authenticate clients with SSL Client Certificate verification.

This setting is disabled by default.

Syntax:

http_server.ssl_client_verification = option

Option

Description

autoupdate

Specifies the same functionality as the optional option; in addition, a previously unknown client certificate that passes HTTP authentication is added to the trust store, so that subsequent connections with the same certificate do not require HTTP authentication. Because a single successful password login is enough to enroll a certificate, anyone who obtains a valid password while this option is active can also register a certificate of their own; review the trust store (see http_server.ssl_trust_store) if you use this option.

disabled

Disables client certificate checking.

This is the default setting.

optional

Allows a trusted certificate to be authenticated (no HTTP authentication is necessary).

Also allows an untrusted certificate to pass the SSL handshake if the client passes the HTTP authentication.

required

Requires a trusted certificate for the SSL handshake to succeed.

Example

http_server.ssl_client_verification = disabled

11.2.1.4. http_server.ssl_trust_store

Purpose

Specifies a directory containing the OpenSSL trust store.

Syntax

http_server.ssl_trust_store = path

The following is the default path for the trust store file.

/etc/openwbem/truststore

Example

http_server.ssl_trust_store = /etc/openwbem/truststore

11.2.1.5. http_server.use_digest

Purpose

Directs the HTTP server to use Digest authentication, which bypasses the Basic authentication mechanism. To use digest, you must set up the digest password file using owdigestgenpass.

Digest doesn’t use the authentication module specified by the owcimomd.authentication_module configuration setting.

Syntax

http_server.use_digest = option

Option

Description

false

Uses the Basic authentication mechanism, which passes the credentials to the module named by owcimomd.authentication_module.

This is the default setting.

true

Uses Digest authentication instead of the Basic authentication mechanism.

Example

http_server.use_digest = false

11.2.1.6. owcimomd.ACL_superuser

Purpose

Specifies the username of the user that has access to all Common Information Model (CIM) data in all namespaces maintained by owcimomd. This user can be used to administer the /root/security namespace, which is where all ACL user rights are stored.

ACL processing is not enabled until the OpenWBEM_Acl1.0.mof file has been imported.

Syntax

owcimomd.ACL_superuser = username

Example

owcimomd.ACL_superuser = root

11.2.1.7. owcimomd.allow_anonymous

Purpose

Enables or disables anonymous logins to owcimomd.

Syntax

owcimomd.allow_anonymous = option

Option

Description

false

Requires login with a username and password to access owcimomd data.

This is the default and recommended setting.

true

Allows anonymous logins to owcimomd.

This disables authentication. No username or password is required to access owcimomd data.

Example

owcimomd.allow_anonymous = false

11.2.1.8. owcimomd.allowed_users

Purpose

Specifies a list of users who are allowed to access owcimomd data.

Syntax

owcimomd.allowed_users = option

Option

Description

username

Specifies one or more users who are allowed to access the owcimomd data.

Separate each username with a space.

The root user is the default setting.

*

Allows all users to authenticate (for example, if you choose to control access with ACLs instead).

This option is enforced for all authentication methods unless owcimomd.allow_anonymous is set to true.

Example

owcimomd.allowed_users = bcwhitely jkcarey jlanderson

11.2.1.9. owcimomd.authentication_module

Purpose

Specifies the authentication module that is used by owcimomd. This setting should be an absolute path to the shared library containing the authentication module.

Syntax

owcimomd.authentication_module = path_filename

The following is the default path and filename for the authentication modules:

/usr/lib/openwbem/authentication/libpamauthentication.so

Example

owcimomd.authentication_module = /usr/lib/openwbem/authentication/libpamauthentication.so

11.2.1.10. simple_auth.password_file

Purpose

Specifies the path to the password file when the simple authentication module is used.

This setting is disabled by default.

Syntax

simple_auth.password_file = path_filename

Example

simple_auth.password_file = /etc/openwbem/simple_auth.passwd

11.2.2. Changing the Certificate Configuration

The http_server.SSL_cert and http_server.SSL_key settings specify the location of the file or files that contain the host's private key and the certificate that OpenSSL uses for HTTPS communications.

The .pem files are located in the following default location:

/etc/openwbem/servercert.pem

/etc/openwbem/serverkey.pem

Syntax

http_server.SSL_cert = path_filename

or

http_server.SSL_key = path_filename

[Note]

Both the key and certificate can be in the same file. In this case, the values of http_server.SSL_cert and http_server.SSL_key would be the same.

Examples

http_server.SSL_cert = /etc/openwbem/servercert.pem

http_server.SSL_key = /etc/openwbem/servercert.pem

http_server.SSL_key = /etc/openwbem/serverkey.pem

11.2.3. Changing the Port Configuration

The http_server.http_port and http_server.https_port settings specify the port numbers that owcimomd listens on for HTTP and HTTPS communications respectively.

Syntax

http_server.http_port = option

or

http_server.https_port = option

Option

Description

Specific_port_number

Specifies the port for HTTP or HTTPS communications.

For HTTP, the default port is 5988.

For HTTPS, the default port is 5989.

-1

Disables HTTP or HTTPS connections (for example, if you only want to support HTTPS connections).

0

Dynamically assigns a port number at runtime.

Example

These settings disable the HTTP port and enable port 5989 for HTTPS communications:

http_server.http_port = -1

http_server.https_port = 5989

11.2.4. Changing the Default Logging Configuration

The following log settings in the openwbem.conf file let you specify where and how much logging occurs, the type of errors logged, and the log size, filename, and format:

If you want to set up debug logging, see Section 11.2.5, “Configuring Debug Logging”.

If you want to set up additional logs, see Section 11.2.6, “Configuring Additional Logs”.

11.2.4.1. log.main.categories

Purpose

Specifies the categories the log outputs.

Syntax

log.main.categories = option

Option

Description

category_name

Specifies the categories to be logged using a space delimited list.

The categories used in owcimomd are:

  • DEBUG

  • ERROR

  • FATAL

  • INFO

For more information about these options, see Section 11.2.4.4, “log.main.level”.

If this setting is specified, the predefined categories are treated as independent categories rather than as levels. If it is not set, no categories are selected here and the log.main.level setting determines what is logged.

*

All categories are logged.

This is the default setting.

Example

log.main.categories = FATAL ERROR INFO

11.2.4.2. log.main.components

Purpose

Specifies the components that the log outputs.

Syntax

log.main.components = option

Option

Description

component_name

Specifies the components to be logged (such as owcimomd) using a space-delimited list.

Providers can use their own components.

*

Specifies that all components are logged.

This is the default setting.

Example

log.main.components = owcimomd nssd

11.2.4.3. log.main.format

Purpose

Specifies the format (text mixed with printf() style conversion specifiers) of the log messages.

Syntax

log.main.format = conversion_specifier

  Option         Specifies
  -------------  ---------------------------------------------------------------
  %%             A literal percent sign (%)
  %c             Component (such as owcimomd)
  %d             Date. Can be followed by a date format specifier enclosed in braces, for example %d{%H:%M:%S} or %d{%d %b %Y %H:%M:%S}. If no date format specifier is given, ISO 8601 format is assumed. The only addition is %Q, which is the number of milliseconds. For the date format specifiers, see the documentation for the strftime() function found in the <ctime> header.
  %e             Message as XML CDATA. This includes the leading "<![CDATA[" and the ending "]]>".
  %F             Filename
  %l             Filename and line number, for example file.cpp(100)
  %L             Line number
  %M             Method name where the logging request was issued (only works on C++ compilers which support __PRETTY_FUNCTION__ or C99's __func__).
  %m             Message
  %n             Platform-dependent line separator character (\n) or characters (\r\n).
  %p             Category, also known as level or priority.
  %r             Number of milliseconds elapsed between the start of the application and the creation of the logging event.
  %t             Thread ID
  \n             New line
  \t             Tab
  \r             Carriage return
  \\             A literal backslash (\)
  \x<hexDigits>  The character with the given hexadecimal code

It is possible to change the minimum field width, the maximum field width, and justification. The optional format modifier is placed between the percent sign (%) and the conversion character. The first optional format modifier is the left justification flag, which is the minus (-) character. The optional minimum field width modifier follows, which is an integer that represents the minimum number of characters to output. If the data item requires fewer characters, it is padded with spaces on either the left or the right, according to the justification flag. If the data item is larger than the minimum field width, the field is expanded to accommodate the data.

The maximum field width modifier is designated by a period (.) followed by a decimal constant. If the data item is longer than the maximum field, then the extra characters are removed from the beginning of the data item (by default) or from the end (if the left justification flag was specified).

Examples

Log4j TTCC layout:

"%r [%t] %-5p %c - %m"

Similar to TTCC but with some fixed-size fields:

"%-6r [%15.15t] %-5p %30.30c - %m"

XML output conforming to log4j.dtd 1.2, which can be processed by Chainsaw (if used, this must be on one line; it is split up here for readability):

"<log4j:event logger="%c" timestamp="%d{%s%Q}" level="%p" thread="%t"> <log4j:message>%e</log4j:message> <log4j:locationInfo class="" method="" file="%F" line="%L"/></log4j:event>"

The following is the default:

log.main.format = [%t]%m
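
The following Python is an added example, not OpenWBEM's own code: a rendering of the conversion specifiers, escapes and field modifiers described in this section, so that a format line can be previewed against a sample event before it goes into openwbem.conf. The LogEvent field names, the function names and the exact ISO 8601 form used for a bare %d (Python's datetime.isoformat with a space separator and millisecond precision) are this example's assumptions. It also handles the \x escapes that the color debug format in Section 11.2.5.1 relies on, and splits a "]]>" that appears inside a message so that %e cannot be used to break out of the CDATA section when the XML layout above is fed to a log viewer.

```python
"""Render owcimomd log events with the log.main.format conversion specifiers.

Added example, not OpenWBEM code: a reference rendering of the specifier
table in Section 11.2.4.3 (%c %d %e %F %l %L %M %m %n %p %r %t, the \\n \\t
\\r \\\\ \\x<hex> escapes and the -/min/.max field modifiers), useful for
previewing a format line before putting it into openwbem.conf.
"""
import os
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class LogEvent:
    """One logging event; the field names are this example's own, not OpenWBEM's."""
    component: str
    category: str
    message: str
    thread_id: int
    timestamp: datetime
    elapsed_ms: int = 0
    filename: str = ""
    line: int = 0
    method: str = ""


SPEC = re.compile(r"%(-?)(\d*)(?:\.(\d+))?([A-Za-z%])")   # %[-][min][.max]conv
HEX = re.compile(r"[0-9A-Fa-f]+")
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\"}


def cdata(text: str) -> str:
    """Wrap a message as CDATA for %e. A ']]>' inside the message would end the
    section early and let logged input inject markup into an XML log consumer,
    so it is split across two CDATA sections."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def format_date(ts: datetime, spec: Optional[str]) -> str:
    if spec is None:          # bare %d: ISO 8601 (assumed: Python isoformat, ms precision)
        return ts.isoformat(sep=" ", timespec="milliseconds")
    # %Q (milliseconds) is the one addition to strftime(); substitute it before calling.
    return ts.strftime(spec.replace("%Q", "%03d" % (ts.microsecond // 1000)))


def convert(conv: str, ev: LogEvent, datespec: Optional[str]) -> str:
    table = {
        "%": "%", "c": ev.component, "e": cdata(ev.message), "F": ev.filename,
        "l": f"{ev.filename}({ev.line})", "L": str(ev.line), "M": ev.method,
        "m": ev.message, "n": os.linesep, "p": ev.category,
        "r": str(ev.elapsed_ms), "t": str(ev.thread_id),
    }
    if conv == "d":
        return format_date(ev.timestamp, datespec)
    if conv not in table:
        raise ValueError(f"unknown conversion specifier %{conv}")
    return table[conv]


def fit(text: str, left: bool, min_w: str, max_w: Optional[str]) -> str:
    """Field modifiers: over-long data is cut at the beginning (at the end when
    left-justified); short data is padded on the right when left-justified."""
    if max_w and len(text) > int(max_w):
        text = text[: int(max_w)] if left else text[-int(max_w):]
    if min_w and len(text) < int(min_w):
        text = text.ljust(int(min_w)) if left else text.rjust(int(min_w))
    return text


def render(fmt: str, ev: LogEvent) -> str:
    """Expand one log.main.format value for the given event."""
    out, i = [], 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == "\\" and i + 1 < len(fmt):
            m = HEX.match(fmt, i + 2) if fmt[i + 1] == "x" else None
            if m:                                   # \x1b etc.; the hex run is greedy
                out.append(chr(int(m.group(), 16)))
                i = m.end()
            else:
                out.append(ESCAPES.get(fmt[i + 1], fmt[i + 1]))
                i += 2
            continue
        m = SPEC.match(fmt, i) if ch == "%" else None
        if not m:                                   # ordinary character, or a lone %
            out.append(ch)
            i += 1
            continue
        left, min_w, max_w, conv = m.groups()
        i, datespec = m.end(), None
        if conv == "d" and i < len(fmt) and fmt[i] == "{":
            end = fmt.index("}", i)
            datespec, i = fmt[i + 1:end], end + 1
        out.append(fit(convert(conv, ev, datespec), left == "-", min_w, max_w))
    return "".join(out)


# Constructed sample event; not taken from a real owcimomd log.
SAMPLE = LogEvent("owcimomd", "ERROR", "authentication failed for user bob",
                  thread_id=140123456, timestamp=datetime(2009, 4, 2, 13, 5, 7, 42000),
                  elapsed_ms=1500, filename="HTTPServer.cpp", line=100,
                  method="HTTPServer::accept")

if __name__ == "__main__":
    for fmt in ("[%t]%m", "%r [%t] %-5p %c - %m", "%-6r [%15.15t] %-5p %30.30c - %m"):
        print(repr(render(fmt, SAMPLE)))
```

Running the block prints the three layouts from the examples above for the sample event; %30.30c pads the component on the left to 30 characters, while %-.6t cuts the thread ID to its first six characters because the left-justification flag moves truncation to the end.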

11.2.4.4. log.main.level

Purpose

Specifies the level the log outputs. If set, the log outputs all predefined categories at and above the specified level.

Syntax

log.main.level = option

Option

Description

DEBUG

Logs all Debug, Info, Error, and Fatal error messages.

ERROR

Logs all Error and Fatal error messages.

This is the default setting.

FATAL

Logs only Fatal error messages.

INFO

Logs all Info, Error, and Fatal error messages.

Example

log.main.level = ERROR

11.2.4.5. log.main.location

Purpose

Specifies the location of the log file owcimomd uses when the log.main.type setting option specifies that logging is sent to a file.

Syntax

log.main.location = path_filename

Example

log.main.location = /system/cimom/var/owcimomd.log

11.2.4.6. log.main.max_backup_index

Purpose

Specifies the number of backup logs that are kept before the oldest is erased.

Syntax

log.main.max_backup_index = option

Option

Description

unsigned_integer_above_0

Specifies the number of backup logs kept.

The default setting is 1 log file.

0

No backup logs are made and the log is truncated when it reaches the maximum file size.

Example

log.main.max_backup_index = 1

11.2.4.7. log.main.max_file_size

Purpose

Specifies the maximum size (in KB) that the owcimomd log can grow to.

Syntax

log.main.max_file_size = option

Option

Description

unsigned_integer_in_KB

Limits the log to a certain size in KB.

0

Lets the log grow to an unlimited size.

This is the default setting.

Example

log.main.max_file_size = 0

11.2.4.8. log.main.type

Purpose

Specifies the type of main log owcimomd uses.

Syntax

log.main.type = option

Option

Description

file

Sends all messages to a file that is identified in the log.main.location configuration setting.

null

Disables logging.

syslog

Sends all messages to the syslog interface.

This is the default setting.

Example

log.main.type = syslog

11.2.5. Configuring Debug Logging

If owcimomd is run in debug mode, then the debug log is active with the following settings:

  • log.debug.categories = *

  • log.debug.components = *

  • log.debug.format = [%t] %m

  • log.debug.level = *

  • log.debug.type = stderr

11.2.5.1. Debug Log with Color

If you want a color version of the debug log, use ANSI escape sequences (each introduced by the ASCII escape character, written as \x1b) in the format, for example:

log.debug.format = \x1b[1;37;40m[\x1b[1;31;40m%-.6t\x1b[1;37;40m]\x1b[1;32;40m %m\x1b[0;37;40m

If you want to use additional colors, use the following codes with the log.debug.format command:

Table 11.3. Additional Color Codes for the log.debug.format Command

  Color          Code
  -------------  --------------
  red            \x1b[1;31;40m
  dark red       \x1b[0;31;40m
  green          \x1b[1;32;40m
  dark green     \x1b[0;32;40m
  yellow         \x1b[1;33;40m
  dark yellow    \x1b[0;33;40m
  blue           \x1b[1;34;40m
  dark blue      \x1b[0;34;40m
  purple         \x1b[1;35;40m
  dark purple    \x1b[0;35;40m
  cyan           \x1b[1;36;40m
  dark cyan      \x1b[0;36;40m
  white          \x1b[1;37;40m
  dark white     \x1b[0;37;40m
  gray           \x1b[0;37;40m
  reset color    \x1b[0;37;40m


11.2.6. Configuring Additional Logs

If you want to create additional logs, list their names in the owcimomd.additional_logs setting, separated by spaces.

Syntax

owcimomd.additional_logs = logname

For each log, the following settings apply:

  • log.log_name.categories

  • log.log_name.components

  • log.log_name.format

  • log.log_name.level

  • log.log_name.location

  • log.log_name.max_backup_index

  • log.log_name.max_file_size

Example

owcimomd.additional_logs = errorlog1 errorlog2 errorlog3

11.3. For More Information

For more information about OpenWBEM, see the following information: