As discussed in the section on provider security,
the HP WBEM Services for HP-UX CIM Server performs authentication
(test for valid user and, if remote, password) and authorization
(test for permission to perform an operation on an object in a namespace, if enabled) on all requests. Also, the CIM Server can
be configured to accept encrypted or unencrypted communication.
Clients may need to consider all of these security-related features.
Local vs. Remote Requests and Username/Password Authentication
A local connection mechanism exists for clients to communicate with the CIM Server on the same system. The connectLocal() function is used for this purpose and takes no arguments. The user ID passed to the provider is that of the process in which the client program is running; the CIM Server verifies that the user ID of the request is indeed that of the requesting process. Namespace authorization, if enabled, is still performed.
When the client must be able to connect to a CIM Server on
a remote system, or when it must be able to specify a different
user than that of the process, it must use the connect() function. This function allows a hostname and port number
to be specified, as well as a username and password.
SSL (Secure Sockets Layer) for Encrypted Communication
When a client connects to a remote CIM server, it can specify
the port number to which it wishes to connect. As normally configured,
HP WBEM Services for HP-UX supports encrypted communication on port 5989
or unencrypted on port 5988. If the client specifies the address
of an encrypted port, then it should use the form of connect() that takes an SSLContext argument. The SSLContext supplies
the information needed by the client to perform a certificate-based
authentication transaction with the target host, and causes all
communication to be encrypted.
More information on the authentication and encryption algorithms
used may be found in the HP WBEM Services for HP-UX System Administrator's
Guide on docs.hp.com/hpux/netsys.
Since the client may not know in advance which port the target
system has been configured to use, it can attempt to connect to
one first, then the other. The preferred order would be to try encrypted
port 5989 first when connecting to HP-UX systems.
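The remote connect() forms and the "try 5989, then 5988" fallback described above, as an added C++ illustration that is not HP or OpenPegasus code. It models only the remote form of connect() (hostname, port, username, password, and for the encrypted port the trust material an SSLContext would carry); the connectLocal() form needs no arguments and is not modelled. The ConnectParams, DialResult and fakeDialer names, the trust-store path and the host names are assumptions made for the example. The one point it adds to the text is the fallback rule: drop to the unencrypted port only when nothing answers on 5989, never when 5989 answers with a certificate the client cannot verify, because that would silently downgrade the session and send the username/password in the clear.

```cpp
// Added illustration (not HP/OpenPegasus code): a small model of the two
// remote connect() forms and a fallback policy that prefers the encrypted port.
#include <cstdint>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

// Outcome of one connection attempt, as a transport layer would report it.
enum class DialResult {
    Connected,       // TCP (and, for SSL, the TLS handshake) succeeded
    Refused,         // nothing listening on that port
    TlsCertFailure   // port answered but the server certificate was not trusted
};

// Hypothetical connection parameters, modelled on what Pegasus'
// CIMClient::connect() takes: host, port, credentials and, for the
// encrypted form, the trust material an SSLContext is built from.
struct ConnectParams {
    std::string host;
    std::uint16_t port;
    bool useSsl;
    std::string trustStore;   // CA certificate file; only used with SSL
    std::string user;
    std::string password;
};

// Result of the policy: whether a session was established and with what.
struct ConnectOutcome {
    bool connected;
    ConnectParams params;
};

// Hypothetical transport hook so the policy can be exercised without a CIM Server.
using Dialer = std::function<DialResult(const ConnectParams&)>;

const std::uint16_t kSslPort = 5989;    // HP WBEM encrypted port
const std::uint16_t kPlainPort = 5988;  // HP WBEM unencrypted port

// Try the encrypted port first; fall back to the unencrypted port ONLY when
// nothing is listening on 5989. A certificate failure means an encrypted
// server is present but cannot be authenticated, so falling back would
// downgrade the session and expose the username/password; refuse instead.
ConnectOutcome connectPreferEncrypted(const Dialer& dial,
                                      const std::string& host,
                                      const std::string& trustStore,
                                      const std::string& user,
                                      const std::string& password) {
    ConnectParams ssl = {host, kSslPort, true, trustStore, user, password};
    switch (dial(ssl)) {
    case DialResult::Connected:
        return ConnectOutcome{true, ssl};
    case DialResult::TlsCertFailure:
        throw std::runtime_error("server certificate not trusted on 5989; not downgrading");
    case DialResult::Refused:
        break;
    }
    ConnectParams plain = {host, kPlainPort, false, "", user, password};
    if (dial(plain) == DialResult::Connected) {
        return ConnectOutcome{true, plain};
    }
    return ConnectOutcome{false, plain};
}

// Constructed fake dialer for demonstration: host "encrypted-only" listens on
// 5989 with a trusted certificate, "plain-only" only on 5988, and "bad-cert"
// presents an untrusted certificate on 5989 while also listening on 5988.
DialResult fakeDialer(const ConnectParams& p) {
    if (p.host == "encrypted-only") return p.port == kSslPort ? DialResult::Connected : DialResult::Refused;
    if (p.host == "plain-only")     return p.port == kPlainPort ? DialResult::Connected : DialResult::Refused;
    if (p.host == "bad-cert")       return p.port == kSslPort ? DialResult::TlsCertFailure : DialResult::Connected;
    return DialResult::Refused;
}

int main() {
    const char* hosts[] = {"encrypted-only", "plain-only", "bad-cert", "unreachable"};
    for (const char* h : hosts) {
        try {
            ConnectOutcome o = connectPreferEncrypted(fakeDialer, h, "trust.pem", "user", "secret");
            std::cout << h << ": " << (o.connected ? "connected" : "no server")
                      << " port=" << o.params.port << " ssl=" << o.params.useSsl << "\n";
        } catch (const std::runtime_error& e) {
            std::cout << h << ": refused (" << e.what() << ")\n";
        }
    }
    return 0;
}
```

The fakeDialer stands in for the real transport so the policy can be run anywhere; against a real CIM Server the same policy would wrap the SSLContext form of connect() for the 5989 attempt and the plain form for 5988.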