Managing systems with OpenLMI requires authentication at two levels: First, all communications between managed systems and client systems must go over a secure connection. Second, valid account login information must be presented to the managed system to perform operations using OpenLMI.
OpenLMI uses the OpenPegasus CIMOM to talk to client applications and tools.
The protocol used by OpenLMI is called WBEM (Web-Based Enterprise Management) and functions over an HTTP transport layer. In order to authenticate this connection, standard HTTP “Basic” authentication is performed, which means that the username and password are transmitted alongside the requests. Because of the high-level of access that OpenLMI is granted on the managed system, it is very important to ensure that these credentials are not exposed. In order to do this, we configure the OpenPegasus CIMOM to use HTTPS for communication, thereby wrapping the requests in an encrypted channel and preserving the secrecy of the username and password. This approach requires provisioning an SSL certificate on the managed system to establish this trusted tunnel.
Instructions for doing this have been published at http://www.openlmi.org/PegasusSSL. The guide covers using both self-signed certificates as well as certificates signed by a Certificate Authority. Wherever possible we recommend managing certificates with a domain controller like FreeIPA.
Management level access to a system has to be carefully controlled, so make sure your SSL/TLS certificates are properly configured and managed!