9.1 Setting Up OpenWBEM
To set up OpenWBEM, select the Web-Based Enterprise Management software
selection or pattern in YaST when you install SUSE Linux Enterprise Server or select it as a
component to install on a server that is already
running SUSE Linux Enterprise Server. This software selection includes
the following packages:
This section includes the following information:
9.1.1 Starting, Stopping, or Checking Status for owcimomd
When Web-Based Enterprise Management software is installed, the daemon,
owcimomd, is started by default. The following table explains how to
start, stop, and check status for owcimomd.
Table 9-1 Commands for Managing owcimomd
Start owcimomd | As root in a console shell, enter rcowcimomd start.
Stop owcimomd | As root in a console shell, enter rcowcimomd stop.
Check owcimomd status | As root in a console shell, enter rcowcimomd status.
9.1.2 Ensuring Secure Access
The default setup of OpenWBEM is relatively secure. However, you might
want to review the following to ensure access to OpenWBEM components is
as secure as desired for your organization.
Certificates
Secure Socket Layers (SSL) transports require a certificate for secure
communications to occur. When OES is installed, OpenWBEM has a
self-signed certificate generated for it.
If desired, you can use a commercial certificate that you have purchased
or a different certificate that you have generated. To do so, replace the
path to the default certificate in the
http_server.SSL_cert = path_filename setting in the openwbem.conf file.
The default generated certificate is in the following location:
/etc/openwbem/servercert.pem
If you want to generate a new certificate, use the following command.
Running this command replaces the current certificate, so Novell
recommends making a copy of the old certificate before generating a new
one.
As root in a console shell, enter sh /etc/openwbem/owgencert.
If you want to change the certificate that OpenWBEM uses, see
Section 9.2.2, Changing the Certificate Configuration.
Ports
OpenWBEM is configured by default to accept all communications through
a secure port, 5989. The following table explains the port
communication setup and recommended configuration.
Table 9-2 Port Communication Setup and Recommended Configurations
5989 | Secure | The secure port that OpenWBEM communications use via HTTPS services. This is the default configuration. With this setting, all communications between the CIMOM and client applications are encrypted when sent over the Internet between servers and workstations. Users must authenticate through the client application to view this information. Novell recommends that you maintain this setting in the configuration file. In order for the OpenWBEM CIMOM to communicate with the necessary applications, this port must be open in routers and firewalls if they are present between the client application and the nodes being monitored.
5988 | Unsecure | The unsecure port that OpenWBEM communications use via HTTP services. This setting is disabled by default. With this setting, all communications between the CIMOM and client applications are open for review when sent over the Internet between servers and workstations by anyone without any authentication. Novell recommends that you use this setting only when attempting to debug a problem with the CIMOM. As soon as the problem is resolved, set the non-secure port option back to Disabled. In order for the OpenWBEM CIMOM to communicate with the necessary applications that require non-secure access, this port must be open in routers and firewalls if they are present between the client application and the nodes being monitored.
If you want to change the default port assignments, see
Section 9.2.3, Changing the Port Configuration.
Authentication
The following authentication settings are set and enabled as the
default for OpenWBEM in SUSE Linux Enterprise Server.
You can change any of the default settings. See
Section 9.2.1, Changing the Authentication Configuration.
- http_server.allow_local_authentication = true
- http_server.ssl_client_verification = disabled
- http_server.use_digest = false
- owcimomd.allow_anonymous = false
- owcimomd.allowed_users = root
- owcimomd.authentication_module = /usr/lib/openwbem/authentication/libpamauthentication.so
The OpenWBEM CIMOM is PAM enabled by default; therefore the local root
user can authenticate to the OpenWBEM CIMOM with local root user
credentials.
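The following is an added example, not part of the original documentation or of OpenWBEM itself: a small check that reports where an openwbem.conf differs from the default authentication settings listed above, so each change can be reviewed. It assumes the file uses key = value lines with # or ; starting a comment, and that the last assignment of a key wins; the sample text is constructed.

```python
# Baseline: the default authentication settings listed in this section.
BASELINE = {
    "http_server.allow_local_authentication": "true",
    "http_server.ssl_client_verification": "disabled",
    "http_server.use_digest": "false",
    "owcimomd.allow_anonymous": "false",
    "owcimomd.allowed_users": "root",
    "owcimomd.authentication_module":
        "/usr/lib/openwbem/authentication/libpamauthentication.so",
}

def parse_conf(text):
    """Parse 'key = value' lines; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: lines starting with '#' or ';' are comments.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit(text, baseline=BASELINE):
    """Return (key, expected, actual) for each setting that differs; actual is None if unset."""
    actual = parse_conf(text)
    findings = []
    for key, expected in sorted(baseline.items()):
        got = actual.get(key)
        if got != expected:
            findings.append((key, expected, got))
    return findings

# Constructed sample input, not a real openwbem.conf.
SAMPLE = """\
# constructed sample
http_server.allow_local_authentication = true
http_server.ssl_client_verification = disabled
http_server.use_digest = false
owcimomd.allow_anonymous = true
owcimomd.allowed_users = root admin
; owcimomd.authentication_module = /tmp/other.so
"""

if __name__ == "__main__":
    for key, expected, got in audit(SAMPLE):
        print(f"{key}: expected {expected!r}, found {got!r}")
```

A reported difference is a prompt for review rather than a verdict: some changes tighten access and some loosen it.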
9.1.3 Setting Up Logging
You can change any of the default settings. For more information, see
Section 9.2.4, Changing the Default Logging Configuration.
By default, logging for OpenWBEM is set up as follows.
- log.main.components = *
- log.main.level = ERROR
- log.main.type = syslog
This means that owcimomd logging is set up to go to the
/var/log/messages file or to other
files depending on the configuration of syslogd. It
logs all errors for all components (owcimomd).