2/26/021 Pegasus Security Architecture Author: Nag Boranna Hewlett-Packard Company.

Slides:

Advertisements

Similar presentations

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

Advertisements

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

The Elbert HTTP Server HTTP Authentication, providing security in tough times By: Shawn M. Jones.

Remote Procedure Call sockets TCP, UDP Internet Protocol (IP) Remote Procedure Call: hides communication details behind a procedure call and helps bridge.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Getting a Web Page (And what to do once you’ve got it)

Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.

Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

The Pros and Cons of Collecting Performance Data using Agentless Technology Dima Seliverstov John Tavares Tianxiang Zhang BMC Software, Inc.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.

Web Proxy Server. Proxy Server Introduction Returns status and error messages. Handles http CGI requests. –For more information about CGI please refer.

CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

 2000 Deitel & Associates, Inc. All rights reserved. Chapter 24 – Web Servers (PWS, IIS, Apache, Jigsaw) Outline 24.1Introduction 24.2Microsoft Personal.

Hyrax Architecture Two cooperating processes: –Front-end provides DAP interface –Back-end reads data Both parts can be customized –Front-end: different.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Securing Microsoft® Exchange Server 2010

CIMOM Implementation. What is Pegasus? Pegasus is an open-source reference implementation of the DMTF WBEM specifications Pegasus is a work project of.

W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.

Assemblies & Namespaces1. 2 Assemblies (1).NET applications are represented by an assembly An assembly is a collection of all software of which the application.

.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.

TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,

1 Electronic Messaging Module - Electronic Messaging ♦ Overview Electronic messaging helps you exchange messages with other computer users anywhere in.

Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.

10/25/20151 Single Sign-On Web Service Supervisors: Viktor Kulikov Alexander Sherman Liana Lipstov Pavel Bilenko.

Author - Title- Date - n° 1 Partner Logo EU DataGrid, Work Package 5 The Storage Element.

1 - Charlie Wiseman - 05/11/07 Design Review: XScale Charlie Wiseman ONL NP Router.

Module 6: Managing Client Access. Overview Implementing Client Access Servers Implementing Client Access Features Implementing Outlook Web Access Introduction.

G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 Customization Using Interceptors Using an interceptor-based framework for providing customized client-side.

Getting Started with OPC.NET OPC.NET Software Client Interface Client Base Server Base OPC Wrapper OPC COM Server Server Interface WCF Alternate.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

WWW: an Internet application Bill Chu. © Bei-Tseng Chu Aug 2000 WWW Web and HTTP WWW web is an interconnected information servers each server maintains.

IS 4506 Establishing Microsoft SMTP Service.  Overview Introduction to Microsoft SMTP Service SMTP Service features SMTP administration interface SMTP.

 Registry itself is easy and straightforward in implementation  The objects of registry are actually complicated to store and manage  Objects of Registry.

PHP Cookies. Cookies are small files that are stored in the visitor's browser. Cookies can be used to identify return visitors, keep a user logged into.

Reliability/ Secure IOC / Outlook M. Clausen / DESY 1 CA-Put Logging BurtSave Warm Reboot Matthias Clausen DESY/ MKS.

IS-907 Java EE World Wide Web - Overview. World Wide Web - History Tim Berners-Lee, CERN, 1990 Enable researchers to share information: Remote Access.

Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.

JS (Java Servlets). Internet evolution [1] The internet Internet started of as a static content dispersal and delivery mechanism, where files residing.

Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.

ICM – API Server & Forms Gary Ratcliffe.

File Transfer And Access (FTP, TFTP, NFS). Remote File Access, Transfer and Storage Networks For different goals variety of approaches to remote file.

(ITI310) By Eng. BASSEM ALSAID SESSIONS 9: Dynamic Host Configuration Protocol (DHCP)

Chapter 4 Request and Response. Servlets are controlled by the container.

Overview of OpenPegasus Debugging Hints and Tips Karl Schopmeyer Project Coordinator, Pegasus Open Source Project October 2013.

Overview of OpenPegasus Provider Registration Karl Schopmeyer Project Coordinator, Pegasus Open Source Project October 2013.

Device Management vOLTHA

Alain Bethuyne Web Security Architect BNPParibas Fortis

Ask the Experts – Building Login-Based Sites in AEM

Agenda Introduction Security flow for a request Authentication

Lecture 22 – April 9, 2002 Subprotocols – static and dynamic.

Implementing Network Access Protection

Notes on WSMAN Client for OpenPegasus

Writing a Custom DispatchHandler

Creating Novell Portal Services Gadgets: An Architectural Overview

PHP / MySQL Introduction

Chapter 3: Windows7 Part 4.

Iteration 1 Presentation

HACKIN G CITRIX.

Message Passing Systems

Presentation transcript:

2/26/021 Pegasus Security Architecture Author: Nag Boranna Hewlett-Packard Company

2/26/022 Security Architecture Monitor HTTP Acceptor HTTP Connection HTTP Connection HTTP Connection Network creates HTTP Authenticator Delegator CIM Operation Request Decoder CIM Export Request Decoder CIM Operation Response Encoder CIM Operation Request Dispatcher #2. Socket Message #3. HTTP Request Message #5.HTTP Challenge Response Msg #6. HTTP Request Messages #8. CIM Request Messages #9. CIM Response Messages #10.HTTP Response Message Repository and Providers #1. Socket Ready for read #11. Socket Write Authentication Manager #4. HTTP Challenge Message CIM Operation Request Authorizer #7. CIM Request Messages

2/26/023 Authentication Authenticator (Interface) Authentication Manager Local Authentication Handler Basic Authentication Handler Digest Authentication Handler Basic Authenticator (Interface) PAM Secure Basic Authenticator Simple Basic Authenticator Local Authenticator (Interface) File System Based Authentication Digest Authenticator (Interface) Plug-in Authentication Modules Plug-in Authentication Module HTTP Specific Handles HTTP Specific Information, but does not deal with the protocol

2/26/024 Authorization User Manager CIM Operation Request Authorizer Authorization Handler Instance Repository Load Authorizations Verify Authorization

2/26/025 Authentication Implementation Startup: - CIMSever creates the HTTPAuthenticatorDelegator queue. - HTTPAuthenticatorDelegator creates AuthenticationManager - AuthenticationManager loads the AuthenticationHandlers (Currently it is creating instances of Authentication Handlers, but it should be changed to dynamically load those handlers) On Client Request: - HTTPConnection queue gets created when there is connection request from a client - HTTPConnection creates AuthenticationInfo object to keep track of the authentication information for this connection. HTTPConnection and AuthenticationInfo object gets created for each new connection. - HTTPConnection gets CIM requests, adds AuthenticationInfo object reference & passes to Delegator - Delegator parse the request and looks for ‘Authorization’ or ‘PegasusAuthorization’ header tags - If the ‘Authorization’ and ‘PegasusAuthorization’ tags are not found: * Calls getAuthResponseHeader() of the AuthenticationManger * Sends challenge to the HTTPConnection queue, and eventually to the client - If the ‘Authorization’ tag is found: * Calls performHttpAuthentication() method of AuthenticationManager * If authentication is successful, then it passes the request to Decoders. Else calls getAuthResponseHeader() of the AuthenticationManger and sends challenge back. - If the ‘PegasusAuthorization’ tag is found: * Calls performPegasusAuthentication() method of AuthenticationManager * If authentication is successful, then it passes the request to Decoders. Else calls getAuthResponseHeader() of the AuthenticationManger and sends challenge back. - In all these cases the AuthenticationInfo object is updated with the authentication status for that connection session.

2/26/026 Authentication Components Authentication Manager - AuthenticationManager loads the Authentication Handlers - When perforHttpAuthentication() or performPegasusAuthentication() methods are called * it parses the HTTP headers to get the auth type, user name & password information * calls authenticate() method of the Authentication Handler module * On successful authentication, updates AuthenticationInfo object and returns true else false - When getAuthResoponseHeader() method is called, it gets the header from Authentication Handlers Authentication Handlers (LocalAuthenticationHandler) - Implements the Authenticator interface - Creates response header when getAuthResoponseHeader() method is called (may get the header information from the authenticator module). - Extracts user name and password (or digest string) from the header info passed with the authenticate() and calls the authenticate() method of the loaded authenticator module. Authenticators (SecureLocalAuthenticator) - Implements specific authenticator interface (e.g, BasicAuthenticator) - The getAuthResponseHeader() method will return the authentication challenge header info. - The authenticate() method will verify the user name and password or the digest string and return true on successful authentication, false otherwise.

2/26/027 Authorization Implementation Startup: - CIMSever creates the CIMOperationRequestAuthorizer queue if requireAuthorization config property is set to true. - CIMOperationRequestAuthorizer gets an instance of UserManager - UserManager creates AuthirizationHandler - AuthenticationHandler loads authorizations from the Repository. On Client Request: - CIMOperationRequestAuthorizer queue receives a request message from Decoder - CIMOperationRequestAuthorizer calls verifyAuthorization( ) method of UserManager. - UserManager calls verifyAuthorization( ) method of AuthorizationHandler. - AuthorizationHandler verifies the authorizations and return true if authorization were found else false

2/26/028 Authorization Components CIMOperationRequestAuthorizer - Gets the user name, namespace, authentication type and CIM method names from the CIM request - Calls UserManager’s verifyAuthorization( ) method User Manager - Creates AuthirizationHandler and calls its verifyAuthorization( ) method Authorization Handler - Loads authorizations from the repository - Verifies user authorizations when verifyAuthorization( ) method is called

2/26/029 Security Configurations Configuration Properties required for Authentication Module requireAuthentication = true | false httpAuthType = Basic | Digest passwordFilePath = cimserver.passwd (use the file in PEGASUS_HOME directory) Configuration Properties required for Authorization Module requireAuthorization = true | false enableRemotePrivilegedUserAccess = true | false (enable or disable remote root access to the cimom)

2/26/0210 Enabling Authentication 1. Set the following configuration properties in the cimserver_planned.conf file requireAuthentication = true httpAuthType = Basic (to enable HTTP Basic Authentication) passwordFilePath = cimserver.passwd (to create/use the password file in PEGASUS_HOME directory) 3. Start cimserver 4. Add new users to cimom (Refer to pegasus/src/Clients/cimuser/doc/cimuser.htm) To add user ‘nag’ with password ‘nag’ (user ‘nag’ must be valid system user on that system) cimuser -a -u nag -w nag 5. Run any CIM clients to do CIM operations with the cimom. Note: (1) On Unix systems, the cimuser CLI can only be run locally as ‘root’. (2) Basic/Digest authentication are not fully implemented on the CIMServer and the CIMClient API.

2/26/0211 Enabling Authorization 1. Set the following configuration properties in the cimserver_planned.conf file requireAuthorization = true enableRemotePrivilegedUserAccess = false (to disable remote root user access to the cimom) 2. Start cimserver 3. Add authorizations to the CIM users (Refer to pegasus/src/Clients/cimuser/doc/cimauth.html) To add both read and right authorizations to user ‘nag’ on namespace ‘root/cimv2’ cimauth -a -u nag -n root/cimv2 -R -W 4. Run any CIM clients to do CIM operations with the cimom. Note: (1) On Unix systems, user ‘root’ by default will have all the authorizations for local clients (the clients that use ConnectLocal() of CIMClient API. (2) The cimauth CLI can only be run locally as ‘root’ on Unix systems.