Secure Pegasus

Use this topic to find out about the options that are available for ensuring that the CIM server is secure.

One of the most significant concerns for a Pegasus administrator is how to configure security. This is particularly true for i5/OS™ because of i5/OS platform security requirements, significant functions were added to the open source implementation. In Pegasus, there are two types of security checks, authentication and authorization.

Create an SSL key and certificate for Pegasus
For Pegasus to run in Secure Sockets Layer (SSL) mode, a private key and certificate are required. Pegasus checks for its private key and certificate during startup. If those files do not exist, Pegasus creates its private key and a self-signed 365-day certificate. You can also create a private key and certificate with this information.
Configure the CIM server to verify client certificates
You can configure the CIM server to use secure sockets layer (SSL) to verify client certificate's and to check certificate revocation lists (CRLs) on the main SSL port and the export SSL port.
Authentication
Pegasus uses an authentication process to determine which users can log into the CIMOM. Unless the enableAuthentication property of cimconfig command is set to false, authentication is performed for every connection, before users can access the CIM data.
Enable Kerberos
Pegasus on iSeries™ supports both Kerberos and Enterprise Identity Mapping (EIM). To enable Kerberos, use the cimconfig commands to set the httpAuthType configuration option to Kerberos (this is the default value).
Authorize Pegasus
A type of security check that is required for Pegasus on i5/OS is verifying that users have access to the objects they are trying to change. This process is called authorization.

Parent topic: Common Information Model

Related concepts

Enterprise Identity Mapping (EIM) topic

cimconfig usage information

Network Authentication Service topic

Hostname resolutions considerations topic