
Advanced startup options for the cimconfig command

You can change the advanced startup options for the CIM server with the cimconfig command.

The following list describes the advanced startup options for the cimconfig command, their default values, and whether they can be changed dynamically.

Note: The shutdownTimeout, logLevel, traceLevel, traceComponents and traceFilePath settings can be changed dynamically. The others cannot. For all the other properties, you must use the -p parameter to indicate your change. You must then stop and restart the CIM Server for the change to take effect.
Important: These options are intended to be used only by advanced users.
messageDir
The default directory to search for the message bundles. The default value points to the shipped message bundles.
Default value
/QIBM/ProdData/OS400/CIM/msg
Dynamic
No
logLevel
Sets the level of data logged. Set to TRACE, INFORMATION, SEVERE, FATAL. The log data is saved in the QYCMCIMOM job log.
Default value
INFORMATION
Dynamic
Yes
enableNormalization
If set to true, ensures objects delivered from providers are complete and accurate. The default is false. Do not normalize objects from trusted entities. Objects from the repository, control providers, IBM® shipped providers and certain vendor providers known to reliably produce valid objects should not be normalized. Only objects from 3rd party providers added to a distribution should be normalized. The values are true or false.
Default value
false
Dynamic
No
excludeModulesFromNormalization
Disables normalization for objects from specific provider modules. If enableNormalization is set to true, all provider objects will be normalized except for those on this exclusion list.
Default value
""
Dynamic
No
repositoryIsDefaultInstanceProvider

Enables the repository component of the CIM server to provide CIM object instances by default. Default means that if there is no provider to service the client request for the CIM instance, then the CIM server repository is used. This includes both creating and retrieving instances. If the value of the repositoryIsDefaultInstanceProvider option is changed to false, the i5/OS™ providers that implement CIM metric classes will no longer function properly. The values are true or false.

Default value
true
Dynamic
No
enableAuthentication

If set to true, performs authentication before any request is allowed into the CIM server for processing. The default is true. Setting this property to false will allow unauthenticated access to the CIM server.

Set enableAuthentication to false only if you are certain your environment is secure and if you have a very good reason.

The values are true or false.

Default value
true
Dynamic
No
sslCertificateFilePath

Path to the CIM server’s certificate file.

This property must be set to a valid certificate if enableHttpsConnection or enableSSLExportClientVerification is set to true. Note that an expired certificate is considered valid when it is loaded by the CIM server.

If sslKeyFilePath is not specified then the CIM server will attempt to load the private key from the certificate file.

Default value
ssl/keystore/servercert.pem
Dynamic
No
sslKeyFilePath

Path to the CIM server’s private key file. This property is not required to be set if the certificate specified in sslCertificateFilePath contains the private key.

This file is not protected by a pass phrase and must be kept in a protected directory. The value that is specified in the default value is a protected directory.

Default value
ssl/keystore/serverkey.pem
Dynamic
No
sslTrustStore

Path to the directory or file containing the trusted certificates for CIM Operation requests. The truststore can include CA certificates.

This property must be set if sslClientVerificationMode is set to required.

If sslClientVerificationMode is set to optional, then this property may be set to empty. In this case no certificates are trusted.

If this property is set to an empty directory, or an empty file, then no certificates are trusted.

If sslClientVerificationMode is set to disabled, this property is not used.

Default value
ssl/truststore/
Dynamic
No
exportSSLTrustStore

Path to the directory or file containing the trusted certificates for CIM Export requests. The truststore can include CA certificates.

This property must be set if enableSSLExportClientVerification is set to true.

If this property is set to an empty directory, or an empty file, then no export certificates are trusted.

This property only takes effect if enableSSLExportClientVerification is set to true.

Default value
ssl/exporttruststore/
Dynamic
No
crlStore

Path to the directory or file containing the certificate revocation lists.

If this property is not set, set to an empty directory, or set to an empty file, then no CRLs are loaded.

This property only takes effect if sslClientVerificationMode is set to required or optional, or enableSSLExportClientVerification is set to true.

Default value
ssl/crlstore/
Dynamic
No
sslClientVerificationMode

Sets the mode of SSL client certificate verification.

Set to required, optional, or disabled.

If set to required, the CIM server always requires verification of a client certificate on the HTTPS port and rejects the request if the client certificate is not trusted. The httpAuthType property is not used.

Optional means the CIM server will verify a client certificate if available, otherwise the CIM server will use the httpAuthType setting for client verification.

Disabled means the CIM server will always use the httpAuthType setting for client verification.

This property is only effective if enableHttpsConnection is set to true.

Default value
optional
Dynamic
No
sslTrustStoreUserName

Identifies the username that is to be user context for the CIM Operation request when certificate authentication is used, and a username cannot be associated with a specific certificate file. The user context is the i5/OS user profile under which the provider is invoked to perform the CIM request. This property must be set to a valid user profile on i5/OS.

If sslClientVerificationMode is set to disabled, this property has no effect.

If sslTrustStore is set to a directory, then this property has no effect. The username associated with the certificate file in the directory is the user context for the CIM operation request. The default setting for sslTrustStore is a directory.

If sslTrustStore is set to a single file, then this property must be set to a username, otherwise the CIM server will log an error and not start. In this case, ALL certificates included in the file are assigned to the username specified by sslTrustStoreUserName. This user name becomes the user context for the CIM Operation request.

Default value
""
Dynamic
No
enableSubscriptionsForNonprivilegedUsers
Set to true or false. The default is false. False means that only a user with *IOSYSCFG and *ALLOBJ authorities will be allowed to create Indication Subscriptions.
Default value
false
Dynamic
No
enableSSLExportClientVerification
Set to true or false. If true, allows export clients to connect using HTTPS on the port specified by the service name wbem-exp-https. Only CIM Export requests are allowed on this port.
Note: If the wbem-exp-https port is not defined in the system’s TCP/IP services table, then the CIM server will log an error and not start. Since wbem-exp-https is an IANA standard service, it will be in the i5/OS services table by default.

If false, then no requests are allowed on the wbem-exp-https port.

Default value
true
Dynamic
No
shutdownTimeout

Set to a number of seconds. When an ENDTCPSVR *CIMOM command is issued, the timeout is the maximum number of seconds allowed for the CIM server to complete outstanding CIM operation requests before shutting down. If the specified timeout period expires, the CIM server will shut down, even if there are still CIM operations in progress. Minimum value is 2 seconds. Default value is 10 seconds.

Default value
10
Dynamic
Yes
traceLevel

Level of debug trace. Range is 1 to 4. A traceLevel of 1 only traces function exits, the minimum trace. A trace level of 4 is the maximum trace.

Default value
1
Dynamic
Yes
traceFilePath
Path to the trace file.
Default value
/qibm/userdata/os400/cim/cimserver.trc
Dynamic
Yes
traceComponents
Components of Pegasus to trace. The valid settings are listed in Settings for the traceComponents option.
Default value
empty
Dynamic
Yes
enableAssociationTraversal
Set to true or false. The default is true. True means association traversal is enabled. False will disable association traversal.
Default value
true
Dynamic
No
enableIndicationService
Set to true or false. The default is true. True means the indication service is enabled. False will disable the indication service.
Default value
true
Dynamic
No
tempLocalAuthDir
The directory where the Pegasus server writes temporary files that it uses during local authentication.
Default value
/tmp
Dynamic
No
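
The authentication and SSL properties above depend on one another (sslClientVerificationMode, sslTrustStore, sslTrustStoreUserName, crlStore), so a planned configuration is worth checking before the CIM server is restarted. The following Python audit is an added example, not IBM or Pegasus code; it applies only the rules stated on this page to the CIM Operation properties. Assumptions: the input is a name=value listing, the severity labels are this example's own, the is_file hook stands in for a check of the real truststore path, and the sample path is a placeholder.

```python
import os

# Defaults as listed on this page for the properties checked below.
DEFAULTS = {"enableAuthentication": "true", "sslClientVerificationMode": "optional",
            "sslTrustStore": "ssl/truststore/", "sslTrustStoreUserName": "",
            "crlStore": "ssl/crlstore/",
            "enableSubscriptionsForNonprivilegedUsers": "false"}

def parse_properties(text):
    """Overlay name=value lines (assumed listing format) on the page defaults."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            props[name.strip()] = value.strip().strip('"')
    return props

def audit(props, is_file=os.path.isfile):
    """Return (severity, property, message) tuples; severities are this example's own."""
    out = []
    mode, store = props["sslClientVerificationMode"].lower(), props["sslTrustStore"]
    if props["enableAuthentication"].lower() == "false":
        out.append(("HIGH", "enableAuthentication", "unauthenticated access is allowed"))
    if props["enableSubscriptionsForNonprivilegedUsers"].lower() == "true":
        out.append(("MEDIUM", "enableSubscriptionsForNonprivilegedUsers",
                    "users without *IOSYSCFG and *ALLOBJ can create subscriptions"))
    if mode == "disabled":  # truststore and user name are unused in this mode
        out.append(("INFO", "sslClientVerificationMode", "httpAuthType is always used"))
        return out
    if not store and mode == "required":
        out.append(("HIGH", "sslTrustStore", "must be set when mode is required"))
    elif not store:
        out.append(("INFO", "sslTrustStore", "no certificates are trusted"))
    elif is_file(store) and not props["sslTrustStoreUserName"]:
        out.append(("HIGH", "sslTrustStoreUserName",
                    "single-file truststore needs a user name or the server will not start"))
    elif is_file(store):
        out.append(("MEDIUM", "sslTrustStoreUserName",
                    "all certificates in the file run under this one user profile"))
    if not props["crlStore"]:
        out.append(("MEDIUM", "crlStore", "no CRLs are loaded"))
    return out

# Constructed sample (not captured from a real system); the path is a placeholder.
SAMPLE = ("enableAuthentication=false\nsslClientVerificationMode=required\n"
          "sslTrustStore=/constructed/example/trusted.pem\n"
          "sslTrustStoreUserName=\ncrlStore=\n")
if __name__ == "__main__":
    print(*audit(parse_properties(SAMPLE), is_file=lambda p: True), sep="\n")
```

With the page defaults the audit returns no findings. The export-client properties (exportSSLTrustStore, enableSSLExportClientVerification) are not covered by these checks.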
Related concepts
ssltrustmgr usage information
Related tasks
Create an SSL key and certificate for Pegasus