Pegasus Enhancement Proposal (PEP)
PEP #: 200
Title: Recommended OpenPegasus 2.5 Build and Configuration Options for Selected Platforms
Version: 1.8
Created: 16 October 2004
Authors: Warren Otsuka, Denise Eckstein
Status: Approved (Ballot 100)
Abstract: This PEP defines a set of recommended options for building,
testing and running OpenPegasus 2.5 on a selected set of platforms. In this
version of the PEP, platform-specific configuration options have been documented
for the following platforms: Linux, HP-UX and OpenVMS.
Note 1: The recommendations defined in this PEP
are not intended to document the feature set included in any vendor's
OpenPegasus-based product. Rather, the purpose of this PEP is to provide
input to vendors when making product decisions.
Definition of the Problem
OpenPegasus supports a large number of build and runtime options. Determining
which options to use can be challenging. The purpose of this PEP is to simplify
the build, testing and administration of OpenPegasus 2.5 by providing
a recommended, tested set of options.
Proposed Solution
Security Considerations
- To avoid introducing security vulnerabilities, vendors must never ship
providers incompatible with the security assumptions used in their deployment.
For example, providers designed for a single-user deployment that don't perform
authorization must not be shipped with a CIM Server that expects the
providers to perform authorization. In addition, vendors should ensure they
configure the CIM Server consistently with the security requirements of their
deployment.
Environment Variable Settings for Building OpenPegasus 2.5
Definitions
ICU_INSTALL
Description: When set, points to the directory
containing the
ICU (International Components for Unicode) libraries.
Note that the 'lib' sub-directory is appended to this
variable. This is used during build to link to ICU.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: This environment variable is
only used if PEGASUS_HAS_MESSAGES is set. Refer to
PEGASUS_HAS_MESSAGES for additional details.
ICU_ROOT
Description: When set, points to the root directory
of the
ICU (International Components for Unicode) source tree (i.e.,
the directory before the source directory in the ICU distribution).
This is used during build
to compile against the ICU header files.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: This environment variable is
only used if PEGASUS_HAS_MESSAGES is set. Refer to
PEGASUS_HAS_MESSAGES for additional details.
OPENSSL_BIN
Description: Specifies the location of the OpenSSL binary
directory.
Default Value: Not Set
Recommended Value (Development Build): No Specific Recommendation
Recommended Value (Release Build): No Specific Recommendation
Required: No. If PEGASUS_HAS_SSL is set and OPENSSL_BIN is
not defined, OPENSSL_BIN will be set to $(OPENSSL_HOME)/bin.
OPENSSL_HOME
Description: Specifies the location of the OpenSSL
SDK directory. This directory must contain the OpenSSL include
directory, $(OPENSSL_HOME)/include, and the OpenSSL library directory,
$(OPENSSL_HOME)/lib.
Default Value: Not Set
Recommended Value (Development Build): No Specific Recommendation
Recommended Value (Release Build): No Specific Recommendation
Required: Yes, if PEGASUS_HAS_SSL is set.
PEGASUS_CIM_SCHEMA
Description: This variable is used internally by the OpenPegasus
development team when upgrading the OpenPegasus build environment to a new
version of the CIM Schema.
Default Value: CIM29
Recommended Value (Development Build): CIM29
Recommended Value (Release Build): CIM29
Required: No
Considerations: Additional code changes may be required when
upgrading or downgrading the CIM Schema version from CIM29.
PEGASUS_DEBUG
Description: Builds a debug version of OpenPegasus.
Concurrently, this flag controls
a) enabling compiler specific debug flags and b) the inclusion of
debug-specific functionality.
Default Value: Not Set
Recommended Value (Development Build): Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_DISABLE_CQL
Description: When
this variable is set, support for Indication Subscription filters that have CQL as the language
is disabled. It does not remove CQL from the build.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Set
Required: No
PEGASUS_DISABLE_DEPRECATED_INTERFACES
Description: Removes deprecated symbol
definitions from Pegasus runtime libraries.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: If this option is set, the
resulting Pegasus libraries will not be binary compatible
with clients and providers built using interface definitions
from prior releases. This option may be used to slightly
reduce binary footprint in an environment where compatibility
is not required.
PEGASUS_DISABLE_LOCAL_DOMAIN_SOCKET
Description: Disables support for local (same-system)
connections over a Unix domain socket. If this option is NOT set, the CIM
Server is built to allow connections to be established using a
domain socket rather than a TCP port.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: (1) In high-threat environments, a customer
may want to disable all ports or reduce the number of exposed network ports.
Supporting a local connection mechanism using Unix domain socket allows the CIM Server to continue to receive and process requests from local
CIM Clients. (2) Enabling this option may
result in loss of functionality when sslClientVerificationMode = required.
(3) The "LOCAL_DOMAIN_SOCKET" functionality has not been
implemented for Windows. Therefore, by default, this option is
"Set" for Windows.
PEGASUS_DISABLE_PERFINST
Description: Builds a version of OpenPegasus that disables support for gathering performance data.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: The CIM_ObjectManager.GatherStatisticalData
property is used to control statistic gathering. Once enabled,
statistical data can be viewed by retrieving instances of the
CIM_StatisticalData class.
PEGASUS_DISABLE_PROV_USERCTXT
Description: Builds a version of OpenPegasus that disables
support for the Provider User Context feature. This feature allows a
Provider to choose the user context in
which it is invoked, including the ability to run in the context of the user
requesting an operation.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: The Provider User Context feature may be
disabled by compiling with the PEGASUS_DISABLE_PROV_USERCTXT flag defined.
In this case, the Provider Registration Manager rejects provider
registration requests that specify a UserContext property value. The user
context in which providers run is then unchanged by this enhancement. Some
platforms, such as OS/400 and z/OS may define the
PEGASUS_DISABLE_PROV_USERCTXT as part of the platform configuration, since
these platforms already set the provider user context on a per-thread basis.
When the Provider User Context feature is enabled, support for each of the
User Context types may be disabled individually. Provider registration fails
when an unsupported UserContext value is specified. Individual user context
models are disabled with these compile flags:
- PEGASUS_DISABLE_PROV_USERCTXT_REQUESTOR
- PEGASUS_DISABLE_PROV_USERCTXT_DESIGNATED
- PEGASUS_DISABLE_PROV_USERCTXT_PRIVILEGED
- PEGASUS_DISABLE_PROV_USERCTXT_CIMSERVER
Please refer to SecurityGuidelinesForDevelopers.html / PEP223 for a discussion
of the rationale/advantages of user context providers to many platforms.
PEGASUS_DISABLE_PROV_USERCTXT_CIMSERVER
Description: Builds a version of OpenPegasus that disables
support for the Provider User Context "CIM Server" option.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: Support for the "CIM Server" option allows a
Provider to be invoked with the same
user context as the CIM Server. This model supports providers that are
released together with the CIM Server and for which the CIM Server's user
context is known to be acceptable. The provider retains full responsibility
for authorizing requesting users.
PEGASUS_DISABLE_PROV_USERCTXT_DESIGNATED
Description: Builds a version of OpenPegasus that disables
support for the Provider User Context "Designated" option.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: Support for the "Designated" option allows
a Provider to be
invoked in the context of a single, designated user. This option allows a
provider to run in a consistent user context with an appropriate level of
privilege. The provider retains full responsibility for authorizing
requesting users.
PEGASUS_DISABLE_PROV_USERCTXT_PRIVILEGED
Description: Builds a version of OpenPegasus that disables
support for the Provider User Context "Privileged" option.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: Support for the "Privileged" option allows
a Provider to be invoked in the context of a
privileged user, potentially escalating the privilege of the requesting
user. The provider retains full responsibility for authorizing requesting
users. The Privileged User model is much like the Designated User model,
except that it clearly declares a privilege requirement and it allows such a
provider to be written in a way that is portable across platforms for which
the privileged user name differs.
PEGASUS_DISABLE_PROV_USERCTXT_REQUESTOR
Description: Builds a version of OpenPegasus that will not allow
a Provider to run as the "Requestor".
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: Support for the "Requestor" option allows a
Provider to be invoked in the context of the user requesting an operation.
This option reduces the complexity of writing a provider, because
authorization checks that the provider previously had to perform can instead
be performed by the underlying platform or managed resource. This reduction
in complexity is accompanied by an increase in the security of the solution,
because the redundant authorization checks in the provider are likely to
miss cases or get out of sync with the authorization model of the managed
resource or underlying platform.
PEGASUS_DISABLE_SLP
Description: The PEGASUS_DISABLE_SLP environment variable can
be used to disable support for SLP on platforms that, by default, include
SLP. Refer to the definition of
PEGASUS_ENABLE_SLP for additional information.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: The
PEGASUS_DISABLE_SLP variable should never be used in conjunction with the
PEGASUS_ENABLE_SLP variable. A build error will occur if both
variables are explicitly set.
PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER
Description: If set, a version of OpenPegasus that supports
CMPI providers and their dependent components is built.
Default Value: Not Set
Recommended Value (Development Build): Set (Linux Platform Only)
Recommended Value (Release Build): Set (Linux Platform Only)
Required: No
PEGASUS_ENABLE_COMPRESSED_REPOSITORY
PEGASUS_ENABLE_EXECQUERY
Description: When
this environment variable is set, processing of ExecQuery operations is
enabled. When not set, ExecQuery operation requests get a NotSupported
response. (Note: The PEGASUS_ENABLE_EXECQUERY environment variable controls
the definition of the PEGASUS_DISABLE_EXECQUERY compile macro.)
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_ENABLE_EMAIL_HANDLER
Description: When this environment variable is set, an E-Mail
Indication Handler is built as part of the OpenPegasus build. The
E-Mail Indication Handler can be used to deliver CIM Indications to a designated e-mail
address.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: If PEGASUS_ENABLE_EMAIL_HANDLER is not set when
OpenPegasus is built,
a request to create an Email Indication Handler instance will be rejected
with the error CIM_ERR_NOT_SUPPORTED.
PEGASUS_ENABLE_JMPI_PROVIDER_MANAGER
Description: If set, a version of OpenPegasus that supports
JMPI providers and their dependent
components
is built.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_ENABLE_OBJECT_NORMALIZER
Description: If set, builds in support so that objects
returned from provider instance operations can be validated.
The enableNormalization configuration property must also be set to 'yes' (the default).
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_ENABLE_REMOTE_CMPI
Description: If set, a version of OpenPegasus that supports
Remote CMPI providers and their dependent
components
is built.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_ENABLE_SLP
Description: This
variable controls the inclusion of SLP functionality in the OpenPegasus
build.
Default Value: Set for Windows; Not Set for all other Platforms
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: The PEGASUS_DISABLE_SLP environment variable can
be used to disable support for SLP on platforms that, by default, include
SLP.
PEGASUS_ENABLE_SORTED_DIFF
Description: This controls whether the DIFFSORT function
is used rather than a simple DIFF when comparing the test results files
to the static results files. Setting it to 'true' enables sorted
diffs of results against the static results files. Otherwise, regular
diffs of results against the static results files are used.
See Pegasus bug 2283 for background information concerning
this config variable.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_ENABLE_SYSTEM_LOG_HANDLER
Description: When this environment variable is set, a SysLog Indication Handler is built as part of the OpenPegasus build. The
SysLog Indication Handler can be used to deliver CIM Indications to the
system log file.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: If PEGASUS_ENABLE_SYSTEM_LOG_HANDLER is not set
when OpenPegasus is built, a request to create a SysLog Indication Handler instance
will be rejected with the error CIM_ERR_NOT_SUPPORTED.
PEGASUS_ENABLE_SSLV2
Description: By default, support for the SSLV2 protocol is
disabled in OpenPegasus 2.5. The option can be used to build a version of
OpenPegasus that supports SSLV2. This variable affects how SSL contexts are constructed for both the CIM Server and CIM
Clients.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: This is a tradeoff between interoperability and
security. Unless SSLV2 is required for backward compatibility,
enabling this protocol is not recommended.
PEGASUS_ENABLE_USERGROUP_AUTHORIZATION
Description: Builds a version of OpenPegasus that allows an
administrator to restrict access to CIM operations to members of a designated
set of groups. Refer to the
authorizedUserGroups configuration option for additional details.
Default Value: Set
Recommended Value (Development Build): Set
Recommended Value (Release Build): Set
Required: No
PEGASUS_EXTRA_C_FLAGS
Description: This environment variable allows a developer to
specify an additional set of flags to be included on the C compile
command line.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_EXTRA_CXX_FLAGS
Description: This environment variable allows a developer to
specify an additional set of flags to be included on the C++ compile command
line.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_EXTRA_LINK_FLAGS
Description: This environment variable allows a developer to
specify an additional set of flags to be included on the link command line.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
PEGASUS_HAS_MESSAGES
Description: When set (to anything) during the build,
OpenPegasus compiles with localization support. The
ICU (International Components for Unicode) variables,
ICU_ROOT and ICU_INSTALL, indicate that the
localization support is based on ICU. Only ICU is supported
at this time.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: If the PEGASUS_HAS_MESSAGES is not
set, OpenPegasus is built without localization support. This means that
all messages sent by the CIM Server and the CLIs are in English.
ICU is an open source project at
http://oss.software.ibm.com/icu.
Only English translations are included with the OpenPegasus distribution.
The OpenPegasus distribution does not provide translated messages. But,
enabling for ICU would allow a vendor to provide the translations. Refer
to the OpenPegasus Release README for additional information regarding
the use of ICU.
Although, in OpenPegasus 2.3.2, experience with localization support
has been limited to a select set of platforms, wider platform adoption
of this technology is planned for 2.5.
PEGASUS_HAS_SSL
Description: If set, a version of OpenPegasus that supports
SSL (i.e., https) is built.
Default Value: Not Set
Recommended Value (Development Build): Set
Recommended Value (Release Build): Set
Required: No
Considerations: Support for SSL in OpenPegasus is dependent on
the OpenSSL software developed by the
OpenSSL Project (http://www.openssl.org/).
If the PEGASUS_HAS_SSL variable is set, the variable OPENSSL_HOME must also be defined.
The OPENSSL_HOME variable is used, by the OpenPegasus build, to determine the
location of the OpenSSL include files, libraries and binaries.
PEGASUS_HOME
Description: Specifies the location of the
OpenPegasus working directory. The OpenPegasus
build will use this directory as the default location
for files generated during the build (e.g., binaries,
libraries, objects).
Default Value: None
Recommended Value (Development Build): No Specific Recommendation
Recommended Value (Release Build): No Specific Recommendation
Required: Yes
Considerations: The error "PEGASUS_HOME environment variable
undefined" is returned if the PEGASUS_HOME environment variable is not set.
This variable is also used during runtime. Refer to the section titled
"Environment Variable Settings for Running OpenPegasus 2.3.2 on Linux" for
additional details.
PEGASUS_INDICATIONS_Q_THRESHOLD
Description: Controls whether indications providers are stalled when the indications
service queue is too large. It can be set to any positive value. If not set, providers
are never stalled. This implies that the indications service queue may become as
large as necessary to hold all the indications generated. If set to any value,
providers are stalled by forcing them to sleep when they try to deliver an indication
and the indications service queue exceeds this value. They are resumed when the queue
count falls 10 percent below this value. Stall and resume log entries are made to
inform the administrator that the condition has occurred.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: Use of this setting may have unintended
side-effects when using Out-of-Process Providers including delayed
processing of CIM Operation Requests.
PEGASUS_MAX_THREADS_PER_SVC_QUEUE
Description: Controls the maximum number of threads allowed
per message service queue. It is allowed to range between 1 and
MAX_THREADS_PER_SVC_QUEUE_LIMIT (currently 5000) as set in
pegasus/src/Pegasus/Common/MessageQueueService.cpp. If set to 0 (zero)
the max threads per service queue is then set to
MAX_THREADS_PER_SVC_QUEUE_LIMIT. If set larger than the
MAX_THREADS_PER_SVC_QUEUE_LIMIT it is set equal to
MAX_THREADS_PER_SVC_QUEUE_LIMIT. There are no other limits on the total number
of threads that can exist within the system at this time. When the server starts,
there are on the order of 10 to 20 message service queues created, dependent upon
build options.
Default Value: 5
Recommended Value (Development Build): 5
Recommended Value (Release Build): 5
Required: No
Considerations: This flag affects consumption of system resources.
Not setting, or inappropriately setting this value, may cause the cimserver
to hang or crash.
PEGASUS_ROOT
Description: Specifies the location of the directory
that corresponds to "pegasus" source directory defined in the
OpenPegasus CVS source tree. This environment variable is
used by the OpenPegasus build to locate the required build
and source files (e.g., $(PEGASUS_ROOT)/mak and
$(PEGASUS_ROOT)/src).
Default Value: None
Recommended Value (Development Build): No Specific Recommendation
Recommended Value (Release Build): No Specific Recommendation
Required: Yes
Considerations: The error "PEGASUS_ROOT environment
variable undefined" is returned if the PEGASUS_ROOT
environment variable is not set.
PEGASUS_NOASSERTS
Description: Defines the NDEBUG compilation macro, which
causes the preprocessor to remove PEGASUS_ASSERT() statements.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Set
Required: No
PEGASUS_PAM_AUTHENTICATION
Description: Enables support for PAM (Pluggable Authentication Modules)
based authentication.
Default Value: Not Set
Recommended Value (Development Build): Set
Recommended Value (Release Build): Set
Required: No
Considerations: Support for PAM in OpenPegasus is dependent on
platform support for PAM.
PEGASUS_PLATFORM
Description: Describes the target platform for the
build. The list of supported values for this variable
is defined in pegasus/mak/config.mak.
Default Value: None
Platform | Recommended Value (Development Build) | Recommended Value (Release Build)
Linux IA32 | LINUX_IX86_GNU | LINUX_IX86_GNU
Linux IA64 | LINUX_IA64_GNU | LINUX_IA64_GNU
Linux X86_64 | LINUX_X86_64_GNU | LINUX_X86_64_GNU
HP-UX PA-RISC | HPUX_PARISC_ACC | HPUX_PARISC_ACC
HP-UX IPF | HPUX_IA64_ACC | HPUX_IA64_ACC
OpenVMS Alpha | VMS_ALPHA_DECCXX | VMS_ALPHA_DECCXX
OpenVMS IA64 | VMS_IA64_DECCXX | VMS_IA64_DECCXX
Required: Yes
Considerations: The error "PEGASUS_PLATFORM
environment variable undefined." is returned if the PEGASUS_PLATFORM
environment variable is not set.
PEGASUS_REPOSITORY_MODE
Description: This variable defines the default mode used to
create repositories that are constructed as part of the automated build
tests. It does not affect the runtime environment. Valid values include: XML (causes
the repository to be built in XML mode); BIN (causes
the repository to be built in binary mode). Use cimconfig to
modify the runtime environment.
Default Value: XML
Recommended Value (Development Build): XML
Recommended Value (Release Build): XML
Required: No
PEGASUS_SNIA_EXTENSIONS
Description: This
variable is used to enable a set of workarounds that support the use of OpenPegasus
in the SNIA Test Environment.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Considerations: The functionality enabled with this
variable is experimental and subject to change.
PEGASUS_USE_PAM_STANDALONE_PROC
Description: Moves the processing of PAM requests from
the CIM Server process to a separate process managed by the
CIM Server.
Default Value: Not Set
Recommended Value (Development Build): Set
Recommended Value (Release Build): Set
Required: No
Considerations: If PAM Authentication is enabled, the PAM
API is used, during the processing of each request, to authenticate
the client. This level of use makes the CIM Server extremely
sensitive to memory leaks in the PAM library. In addition,
certain PAM modules are not thread-safe. If your platform
is experiencing problems with PAM Authentication, use of this option
may provide a work-around. PEGASUS_USE_PAM_STANDALONE_PROC requires
PEGASUS_PAM_AUTHENTICATION to be set.
PEGASUS_USE_RELEASE_CONFIG_OPTIONS
Description:
If set, OpenPegasus is built using the "Release Build"
configuration options. By default, OpenPegasus is built using the
"Development Build" configuration options.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Set
Required: No
Considerations: (1) The PEGASUS_USE_RELEASE_CONFIG_OPTIONS variable allows a platform
vendor to easily toggle between two sets of configuration options, a set of
options tuned for the development/debug ("Development Build") environment and a set
of options tuned for the production environment
("Release Build"). Refer to the section titled "Configuration
Properties" for additional detail. (2) For each configuration variable,
the "Recommended Value (Release Build)" value defines the recommended
settings to use for a "Release Build". Please refer to the
description of each variable for additional information.
PEGASUS_USE_RELEASE_DIRS
Description: If set, OpenPegasus is built using
the "Release Build" directory definitions. By default,
OpenPegasus is built using the "Development Build" directory
definitions.
Default Value: Not Set
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Set
Required: No
Considerations:
The PEGASUS_USE_RELEASE_DIRS variable allows a platform vendor to easily
toggle between two sets of directory definitions, a set tuned for the
development/debug ("Development Build") environment and a set
tuned for the production environment
("Release Build"). Refer to the section titled "Configuration
Properties" for additional detail.
PEGASUS_USE_SYSLOGS
Description: If set, OpenPegasus will be built
to send log messages to the system logger (syslog).
Otherwise, log messages will be sent to OpenPegasus
specific log files.
Recommended Value (Development Build): Set
Recommended Value (Release Build): Set
Required: No
Considerations: This variable is currently
not implemented as an environment variable. To use
the option -DPEGASUS_USE_SYSLOGS must
be explicitly included in the appropriate platform
makefile (pegasus/mak/platform_*.mak).
PEGASUS_WINDOWS_SDK_HOME
Description: This variable should be set to point
to the Microsoft Platform SDK on Windows if using a compiler
version < 1300 (i.e., VC6). If using VC7 or VC8, this flag does
not need to be set, as the necessary libraries are already
included.
Recommended Value (Development Build): Not Set
Recommended Value (Release Build): Not Set
Required: No
Examples
Building a Linux IA32 (#IA64) Development/Debug Version
export PEGASUS_ROOT=/home/pegasusbld/pegasus
export PEGASUS_HOME=/home/pegasusbld/pegasus/build
export PEGASUS_PLATFORM=LINUX_IX86_GNU
#export PEGASUS_PLATFORM=LINUX_IA64_GNU
export PEGASUS_PAM_AUTHENTICATION=true
export PEGASUS_USE_PAM_STANDALONE_PROC=true
export PEGASUS_HAS_SSL=yes
export OPENSSL_HOME=/usr/include/openssl
export PEGASUS_DEBUG=TRUE
export ENABLE_CMPI_PROVIDER_MANAGER=true
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
export PEGASUS_USE_SYSLOGS=true
export PATH=/home/pegasusbld:/home/pegasusbld/pegasus/build/bin:/usr/local/bin:$PATH
Building a Linux IA32 (#IA64) Production Release Version
export PEGASUS_ROOT=/home/pegasusbld/pegasus
export PEGASUS_HOME=/home/pegasusbld/pegasus/build
export PEGASUS_PLATFORM=LINUX_IX86_GNU
#export PEGASUS_PLATFORM=LINUX_IA64_GNU
export PEGASUS_DISABLE_CQL=true
export PEGASUS_DISABLE_DEPRECATED_INTERFACES=true
export PEGASUS_PAM_AUTHENTICATION=true
export PEGASUS_USE_PAM_STANDALONE_PROC=true
export PEGASUS_HAS_SSL=yes
export OPENSSL_HOME=/usr/include/openssl
export PEGASUS_USE_RELEASE_CONFIG_OPTIONS=true
export PEGASUS_USE_RELEASE_DIRS=true
export PEGASUS_NOASSERTS=true
export ENABLE_CMPI_PROVIDER_MANAGER=true
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
export PEGASUS_USE_SYSLOGS=true
export PATH=/home/pegasusbld:/home/pegasusbld/pegasus/build/bin:/usr/local/bin:$PATH
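The dependency rules and release recommendations from the definitions above can be collected into a pre-build check. This is an added example, not part of the PEP or of the OpenPegasus build; check_pegasus_env and is_set are hypothetical names, and "set" is assumed to mean a non-empty value.

```shell
#!/bin/sh
# Added example (not OpenPegasus code): checks the current shell environment
# against the dependency rules and release recommendations in this PEP.

# True when the named variable has a non-empty value (assumption: this is
# what "set" means to the build). Names come only from the fixed lists
# below, never from user input, so the eval cannot be steered.
is_set() { eval "[ -n \"\${$1-}\" ]"; }

# Usage: check_pegasus_env release|development
# Prints one finding per line; returns 1 if any ERROR was found, else 0.
check_pegasus_env() {
    cpe_mode=${1:-development}
    cpe_errors=0

    # Variables the PEP marks "Required: Yes".
    for cpe_v in PEGASUS_ROOT PEGASUS_HOME PEGASUS_PLATFORM; do
        if ! is_set "$cpe_v"; then
            echo "ERROR: $cpe_v is required but not set"
            cpe_errors=1
        fi
    done

    # PEGASUS_HAS_SSL needs OPENSSL_HOME, which must contain include/ and lib/.
    if is_set PEGASUS_HAS_SSL; then
        if ! is_set OPENSSL_HOME; then
            echo "ERROR: PEGASUS_HAS_SSL is set but OPENSSL_HOME is not"
            cpe_errors=1
        else
            for cpe_d in include lib; do
                if [ ! -d "$OPENSSL_HOME/$cpe_d" ]; then
                    echo "ERROR: OPENSSL_HOME/$cpe_d missing ($OPENSSL_HOME/$cpe_d)"
                    cpe_errors=1
                fi
            done
        fi
    fi

    # The standalone PAM process requires PAM authentication to be enabled.
    if is_set PEGASUS_USE_PAM_STANDALONE_PROC && ! is_set PEGASUS_PAM_AUTHENTICATION; then
        echo "ERROR: PEGASUS_USE_PAM_STANDALONE_PROC requires PEGASUS_PAM_AUTHENTICATION"
        cpe_errors=1
    fi

    # Explicitly setting both SLP switches is a build error.
    if is_set PEGASUS_DISABLE_SLP && is_set PEGASUS_ENABLE_SLP; then
        echo "ERROR: PEGASUS_DISABLE_SLP and PEGASUS_ENABLE_SLP are both set"
        cpe_errors=1
    fi

    # ICU paths are only used when PEGASUS_HAS_MESSAGES is set.
    if ! is_set PEGASUS_HAS_MESSAGES; then
        for cpe_v in ICU_ROOT ICU_INSTALL; do
            if is_set "$cpe_v"; then
                echo "WARN: $cpe_v is ignored because PEGASUS_HAS_MESSAGES is not set"
            fi
        done
    fi

    # SSLv2 trades security for interoperability; flag it for every build type.
    if is_set PEGASUS_ENABLE_SSLV2; then
        echo "WARN: PEGASUS_ENABLE_SSLV2 is set; SSLv2 support will be built in"
    fi

    if [ "$cpe_mode" = release ]; then
        # Recommended Value (Release Build): Set
        for cpe_v in PEGASUS_HAS_SSL PEGASUS_PAM_AUTHENTICATION \
                     PEGASUS_USE_PAM_STANDALONE_PROC \
                     PEGASUS_ENABLE_USERGROUP_AUTHORIZATION \
                     PEGASUS_USE_RELEASE_CONFIG_OPTIONS PEGASUS_USE_RELEASE_DIRS \
                     PEGASUS_NOASSERTS PEGASUS_DISABLE_CQL; do
            if ! is_set "$cpe_v"; then
                echo "WARN: $cpe_v is recommended for release builds but not set"
            fi
        done
        # Recommended Value (Release Build): Not Set
        if is_set PEGASUS_DEBUG; then
            echo "WARN: PEGASUS_DEBUG is set; release builds should not be debug builds"
        fi
    fi

    return "$cpe_errors"
}
```

Source the file and call `check_pegasus_env release` after the export lines and before starting the build. With the example value OPENSSL_HOME=/usr/include/openssl it reports whether include/ and lib/ actually exist below that path.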
Environment Variable Settings for Running OpenPegasus 2.5
Definitions
PEGASUS_HOME
Description: There are multiple options for
configuring the location of OpenPegasus runtime
files (e.g., configuration files, libraries,
repository, executables). If no other option is
specified, OpenPegasus will attempt to use the value of
PEGASUS_HOME.
Default Value: "."
Recommended Value (Development Build): The same value defined at build time.
Recommended Value (Release Build): Not Set
Required: No
Considerations: Although this variable can be useful in a
development environment, use of this environment variable is not
recommended in a production environment. Instead, the use of
configuration properties to explicitly set the location of
runtime files and directories is recommended.
PEGASUS_MSG_HOME
Description: This value is not used by the CIM Server.
The CIM Server uses the messageDir configuration parameter to locate the directory
where the ICU resource bundles are located. However, CIM Client applications must rely on
an alternative mechanism to locate this directory.
Default Value: if $PEGASUS_HOME is set then "$PEGASUS_HOME/msg"
else "."
Recommended Value (Development Build): $PEGASUS_HOME/msg
Recommended Value (Release Build): Not Set
Required: No
Considerations: Use of the PEGASUS_MSG_HOME environment variable is not
recommended in a production environment. CIM Client application developers
are encouraged to use MessageLoader::setPegasusMsgHome(String home) to
explicitly set the directory where the ICU resource bundles are located.
Configuration Properties
Notation
This section describes the notation used to define the
configuration properties.
Default Value
The value of Default Value is the OpenPegasus
default setting for this configuration option. This
value is used if a platform-specific setting is not
defined.
Recommended Default Value
The PEGASUS_USE_RELEASE_CONFIG_OPTIONS variable allows a platform vendor
to easily toggle between two sets of configurations options, a set of options
tuned for the development/debug ("Development Build") environment and a set
of options tuned for the production environment
("Release Build"). The value of
Recommended Value (Development Build)
is the recommended default value for use in a development/
debug environment. The value of
Recommended Value (Release Build) is the recommended
default value for use in a production environment.
Recommend To Be Fixed/Hidden
Configuration options can be defined as fixed or
hidden. A "fixed" configuration option is set at build time
and cannot be changed without rebuilding. "Fixed" configuration
options are not displayed using the cimconfig command. This
feature can be used by vendors to limit OpenPegasus
functionality and configurability.
A "hidden" configuration option is an option that is
configurable (i.e., "not fixed"), but not externally
advertised using the cimconfig command. The "hidden"
feature can be used to define "internal use only"
configuration options.
Dynamic?
If yes, the value of the configuration option can be
changed without stopping and restarting the CIM Server.
Directory Specifications
Note that the variables included in the following table
(e.g., $LOGDIR) are for documentation purposes only and have been defined to
simplify the description of the configuration options. In particular,
these variables DO NOT correspond to environment variables implemented in the
OpenPegasus code.
Platform | Variable | Value |
Linux | $LOGDIR | /var/opt/tog-pegasus/log |
Linux | $PROVIDERDIRS | /opt/tog-pegasus/providers/lib:/usr/lib/cmpi |
Linux | $REPOSITORYDIR | /var/opt/tog-pegasus/repository |
Linux | $CERTIFICATEDIR | /etc/opt/tog-pegasus |
Linux | $LOCALAUTHDIR | /var/opt/tog-pegasus/cache/localauth |
Linux | $TRACEDIR | /var/opt/tog-pegasus/cache/trace |
Linux | $CONFIGDIR | /var/opt/tog-pegasus |
Linux | $PIDFILE | /var/run/cimserver.pid |
Linux | $RANDOMDIR | /etc/opt/tog-pegasus |
Linux | $SOCKETDIR | /var/run/tog-pegasus/socket |
Linux | $MESSAGEDIR | /opt/tog-pegasus/share/locale/ICU_Messages |
HP-UX | $LOGDIR | /var/opt/wbem |
HP-UX | $PROVIDERDIRS | /opt/wbem/providers/lib |
HP-UX | $REPOSITORYDIR | /var/opt/wbem/repository |
HP-UX | $CERTIFICATEDIR | /etc/opt/hp/sslshare/ |
HP-UX | $LOCALAUTHDIR | /var/opt/wbem |
HP-UX | $TRACEDIR | /var/opt/wbem/trace |
HP-UX | $CONFIGDIR | /etc/opt/wbem/ |
HP-UX | $PIDFILE | /etc/opt/wbem/cimserver_start.conf |
HP-UX | $RANDOMDIR | /var/opt/wbem |
HP-UX | $SOCKETDIR | /var/opt/wbem/socket |
HP-UX | $MESSAGEDIR | /opt/wbem/share/locale/ICU_Messages |
OpenVMS | $LOGDIR | /var/opt/wbem/logs |
OpenVMS | $PROVIDERDIRS | /var/opt/wbem/providers/lib |
OpenVMS | $REPOSITORYDIR | /var/opt/wbem/repository |
OpenVMS | $CERTIFICATEDIR | /etc/opt/hp/sslshare |
OpenVMS | $LOCALAUTHDIR | /var/opt/wbem |
OpenVMS | $TRACEDIR | /var/opt/wbem |
OpenVMS | $CONFIGDIR | /var/opt/wbem |
OpenVMS | $PIDFILE | /var/opt/wbem |
OpenVMS | $RANDOMDIR | /var/opt/wbem |
OpenVMS | $SOCKETDIR | |
OpenVMS | $MESSAGEDIR | |
Definitions
authorizedUserGroups
Description: If
the authorizedUserGroups property is set, the value is interpreted as
a list of comma-separated user groups whose members may issue CIM requests.
A user who is not a member of any of these groups is restricted from issuing
CIM requests, with the exception of privileged users (root user). If the
authorizedUserGroups property is not set, any user may issue CIM
requests.
Default Value: blank
Recommended Default Value(Development Build): blank
Recommended Default Value(Release Build): blank
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Example: # cimconfig -s authorizedUserGroups=users,systemusers
Considerations: This feature is available only when the
OpenPegasus source is compiled with the flag
PEGASUS_ENABLE_USERGROUP_AUTHORIZATION set.
daemon
Description: This option enables/disables forking of the
code to create a background daemon process.
Default Value: true
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): true
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/Yes
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
enableAssociationTraversal
Description: If true, the CIM Server will support
the four association traversal operators: Associators,
AssociatorNames, References, and ReferenceNames.
Default Value: true
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): true
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations: There is still an outstanding
Provider Registration issue that restricts the degree to
which separate Providers can register for Associations.
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
enableAuthentication
Description: If true, a Client must be authenticated
to access the CIM Server.
Recommended Default Value(Development Build): false
Recommended Default Value(Release Build): true
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
enableBinaryRepository
enableHttpConnection
Description: If true, allows connections to
the CIM Server using the HTTP protocol
Default Value: true
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations:
Enabling HTTP allows clients to connect with security
properties different from those associated with encrypted SSL traffic and
its configured SSL authentication or other security behavior.
This option should only be enabled in environments where sending the HTTP
Request and HTTP Response as clear text messages does not introduce a
security risk. Note that if authentication is enabled (enableAuthentication),
user names and passwords will be included in the text of the HTTP
message.
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
enableHttpsConnection
Description: If true, allows connections to
the CIM Server using the HTTPS protocol (HTTP using
Secure Socket Layer encryption)
Default Value: false
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): true
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations: For this option to work,
the environment variable PEGASUS_HAS_SSL must have
been set when CIM Server was built.
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
enableIndicationService
Description: If true, the CIM Server will support
CIM Indications.
Default Value: true
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): true
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
enableNamespaceAuthorization
Description: If true, the CIM Server restricts
access to namespaces based on configured user authorizations
[user authorizations may be configured using the cimauth command]
Default Value: false
Recommended Default Value(Development Build): false
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations:
This option offers limited functionality and, in most environments,
is expensive to administer. Its use is not recommended.
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
enableRemotePrivilegedUserAccess
Description: If true, the CIM Server allows
access by a privileged user from a remote system
Default Value: true
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): true
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations: Many management operations require
privileged user access. Disabling remote access by
privileged user could significantly affect functionality.
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
enableSSLExportClientVerification
Description: If true, the CIM Server allows HTTPS connection for CIMExport requests on the port specified by the service name "wbem-exp-https".
Default Value: false
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
enableSubscriptionsForNonprivilegedUsers
Description: If
true, operations (create instance, modify instance, delete instance, get
instance, enumerate instances, enumerate instance names) on indication
filter, listener destination, and subscription instances may be performed by
non-privileged users. Otherwise, these operations may only be performed on
these instances by privileged users.
Default Value: true
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations: This option has meaning only if
enableIndicationService=true.
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
exportSSLTrustStore
Description: Specifies the location of the OpenSSL truststore
for Indications. Consistent with the OpenSSL implementation, a truststore
can be either a file or directory. If the truststore is a directory, all the
certificates within the directory are considered trusted.
Default Value: indication_trust.pem
Recommended Default Value(Development Build): indication_trust.pem
Recommended Default Value(Release Build): $CERTIFICATEDIR/indication_trust.pem
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
forceProviderProcesses
Description: If true, the CIM Server runs Providers in separate
processes rather than loading and calling Provider libraries directly within
the CIM Server process.
Default Value: false
Recommended Default Value(Development Build): false
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
home
Description: If set, this configuration option defines
the runtime default value for PEGASUS_HOME.
Default Value: "./"
Recommended Default Value(Development Build): "./"
Recommended Default Value(Release Build): ""
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
httpPort
Description: OpenPegasus first attempts to look up the
port number for HTTP using getservbyname for the 'wbem-http' service.
The httpPort configuration setting is used only when the
getservbyname lookup fails.
Default Value: blank
Recommended Default Value(Development Build): blank
Recommended Default Value(Release Build): blank
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations: (1) The use of 5988 for WBEM HTTP is
recommended by the DMTF. This port has been registered with
IANA. In a production environment, the recommendation is to use
/etc/services to configure the value of this port. (2)
With the release of OpenPegasus 2.5, the default value for httpPort was
changed from 5988 to "". This change was made to allow OpenPegasus to
differentiate between a default setting of 5988 and a customer-defined
setting of 5988. With this change, if the port number is explicitly set,
the configured port will be used regardless
of the settings in /etc/services. If no port number is specified, the server
will continue to use the value in /etc/services.
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
httpsPort
Description:
OpenPegasus first attempts to look up the port number for HTTPS using
getservbyname for the 'wbem-https' service. The httpsPort configuration
setting is used only when the getservbyname lookup fails.
Default Value: blank
Recommended Default Value(Development Build): blank
Recommended Default Value(Release Build): blank
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations: (1) The use of 5989 for WBEM HTTPS is
recommended by the DMTF. This port has been registered with
IANA. In a production environment, the recommendation is to use
/etc/services to configure the value of this port. (2)
With the release of OpenPegasus 2.5, the default value for httpsPort was
changed from 5989 to "". This change was made to allow OpenPegasus to
differentiate between a default setting of 5989 and a customer-defined
setting of 5989. With this change, if the port number is explicitly set,
the configured port will be used regardless
of the settings in /etc/services. If no port number is specified, the server
will continue to use the value in /etc/services.
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
logdir
Description: Specifies the name of the directory
to be used for the OpenPegasus specific log files.
Recommended Default Value(Development Build): logs
Recommended Default Value(Release Build): $LOGDIR
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: Yes
Considerations:
Source Configuration File: Pegasus/Config/LogPropertyOwner.cpp
logLevel
Description: Defines the desired level of logging.
Valid values include: TRACE, INFORMATION, WARNING, SEVERE,
FATAL.
Default Value: "INFORMATION"
Recommended Default Value(Development Build): "INFORMATION"
Recommended Default Value(Release Build): "SEVERE"
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: Yes
Considerations:
Source Configuration File: Pegasus/Config/LogPropertyOwner.cpp
maxProviderProcesses
Description: Limits
the number of provider processes (see 'forceProviderProcesses') that may run
concurrently. A 'maxProviderProcesses' value of '0' indicates that the
number of Provider Agent processes is unlimited.
Default Value: 0
Recommended Default Value(Development Build): 0
Recommended Default Value(Release Build): 0
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/Yes
Dynamic?: No
Considerations:
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
messageDir
Description: Specifies the name of the directory to be used for
the OpenPegasus translated messages.
Default Value: msg
Recommended Default Value(Development Build): msg
Recommended Default Value(Release Build): $MESSAGEDIR/msg
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations: Only used when message localization is enabled.
See PEGASUS_HAS_MESSAGES for details.
Source Configuration File: FileSystemPropertyOwner.cpp
providerDir
Description: Specifies the names of the directories
that contain Provider executables.
Recommended Default Value(Development Build): lib
Recommended Default Value(Release Build): $PROVIDERDIRS
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations: The CIM Server runs as a privileged user.
Since Providers run in the same process space as the CIM
Server, Providers also have privileged access to the system.
Allowing a registered Provider’s executable to be replaced with
malicious code would result in a critical security defect,
giving a malicious user privileged access to the system.
Administrators are responsible for ensuring that only trusted Providers
are loaded into providerDir. In order to simplify the management
task associated with securing Provider executables, the value
of providerDir can be fixed at build time (i.e., set to one or more
fixed, well-known locations).
Source Configuration File: Pegasus/Config/FileSystemPropertyOwner.cpp
repositoryDir
Description: Specifies the name of the directory
to be used for the OpenPegasus repository.
Recommended Default Value(Development Build): repository
Recommended Default Value(Release Build): $REPOSITORYDIR/repository
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations:
Source Configuration File: Pegasus/Config/FileSystemPropertyOwner.cpp
repositoryIsDefaultInstanceProvider
Description: If true, the Repository functions
as the Instance Provider for all classes for which there
is not an explicitly registered Provider. This flag is
also used to control the behavior of the repository when
processing association operators.
Recommended Default Value(Development Build): true
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/Yes
Dynamic?: No
Considerations: This flag can be used to configure the CIM Server to allow
the Repository to be used by CIM Clients and CIM Providers as
a dynamic data store. The setting of this flag will
significantly affect CIM Server behavior as viewed
by the CIM Client.
The following issues should be considered when setting
repositoryIsDefaultInstanceProvider=true:
- Authorization. The repository has no concept of which users
(or components) are authorized to perform which operations.
- Appearance of instrumentation. A client application cannot
determine whether instrumentation exists for a given CIM class. For example,
imagine a client issues a CreateInstance operation on a Disk class for
which no provider is registered. The instance will be stored in the repository, and the client gets a "success" response. Does that mean a
disk device has been created on the server? Even worse, when another
client issues an EnumerateInstances operation, the spurious Disk instance
is returned. With repositoryIsDefaultInstanceProvider=false, the
CreateInstance operation above would have returned a NOT_SUPPORTED
error.
- Potential for inconsistent data. Using the repository as
a data cache increases the probability that a client will see stale
or incorrect data. A provider can better control the correlation
between the data returned and the current state of the underlying
managed resource (whether or not the provider caches the data).
The following issues should be considered when setting
repositoryIsDefaultInstanceProvider=false:
- Provider Availability. Certain Providers have been developed
to use the Repository as a dynamic data store. These Providers are
currently not supported on systems where this flag is disabled. E.g., the Common
Diagnostics Model (CDM) Provider (http://developer.intel.com/design/servers/cdm/)
relies on use of the Repository to store instances
of CIM_DiagnosticSetting. If this flag is set to false, this Provider
will not function correctly. Note that this feature is supported by other
WBEM implementations.
Therefore, disabling this feature can increase the cost of migrating
existing Providers to OpenPegasus.
Source Configuration File: Pegasus/Config/RepositoryPropertyOwner.cpp
shutdownTimeout
Description: When a cimserver -s shutdown command is issued,
specifies the maximum time in seconds for the CIM Server to
complete outstanding CIM operation requests before shutting down;
if the specified timeout period expires, the CIM Server will shut
down, even if there are still CIM operations in progress.
Minimum value is 2 seconds.
Recommended Default Value(Development Build): 10
Recommended Default Value(Release Build): 10
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: Yes
Considerations:
Source Configuration File: Pegasus/Config/ShutdownPropertyOwner.cpp
slp
Description: When set to true, OpenPegasus activates an SLP SA
and issues DMTF defined SLP advertisements to this SA on startup.
Default Value: false
Recommended Default Value(Development Build): false
Recommended Default Value(Release Build): false
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/DefaultPropertyTableLinux.h |
HP-UX | Pegasus/Config/DefaultPropertyTableHpux.h |
OpenVMS | Pegasus/Config/DefaultPropertyTableVms.h |
sslCertificateFilePath
Description: Contains the CIM Server SSL Certificate.
Recommended Default Value(Development Build): server.pem
Recommended Default Value(Release Build): $CERTIFICATEDIR/server.pem
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations: For a more detailed look at SSL options and their
ramifications, please see the SSL guidelines.
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
sslClientVerificationMode
Description: Describes the desired level of support for
certificate-based authentication.
- “required” –
The server requires certificate-based client authentication. A client
MUST present a trusted certificate in order to access the CIM Server. If the client fails to send a certificate or
sends an untrusted certificate, the connection will be rejected.
- “optional” –
The server supports, but does not require, certificate-based client
authentication. The server will request and attempt to validate a client certificate,
however the connection will be accepted even if no certificate is sent or an untrusted
certificate is sent. The server will then seek to authenticate the client
via an authentication header.
- “disabled” – The server does not support certificate-based
client authentication.
Recommended Default Value(Development Build): optional
Recommended Default Value(Release Build): disabled
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations: (1)
This property is only used if enableHttpsConnection is
"true". (2) If the platform does not support
PEGASUS_LOCAL_DOMAIN_SOCKET, OpenPegasus attempts to use either HTTPS or
HTTP to establish a local connection (connectLocal). For platforms
that do not support PEGASUS_LOCAL_DOMAIN_SOCKET, Clients which use
connectLocal, such as cimconfig -l -c, cimprovider -l -s and cimserver -s,
will not work if the "sslClientVerificationMode" variable is set to
"required" and HTTP is disabled. For these platforms, the recommended
course of action is to change the property value to "optional."
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
sslKeyFilePath
Description: Contains the private key for the CIM Server SSL Certificate.
Recommended Default Value(Development Build): file.pem
Recommended Default Value(Release Build): $CERTIFICATEDIR/file.pem
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations: File should be readable only by the user the cimserver is
running as and/or privileged users. The file should be writeable only by a
privileged user.
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
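The providerDir and sslKeyFilePath considerations above can be verified with file-permission checks. The following Python script is an added example, not part of OpenPegasus or this PEP; the function names are hypothetical, and treating "trusted" as "owned by a trusted uid and not writable by group or other" is an assumption of the example.

```python
# Added example (not OpenPegasus code): permission checks for the provider
# directories and the SSL private key described in this PEP.
import os
import stat

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def check_entry(path, trusted_uids):
    """Findings for one provider directory or one file inside it."""
    try:
        st = os.stat(path)  # follows symlinks: the target is what gets loaded
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    mode = stat.S_IMODE(st.st_mode)
    out = []
    if st.st_uid not in trusted_uids:
        out.append(f"{path}: owner uid {st.st_uid} is not trusted")
    if mode & GROUP_OTHER_WRITE:
        out.append(f"{path}: writable by group or other (mode {mode:04o})")
    return out


def provider_dir_findings(provider_dirs, trusted_uids=(0,)):
    """Audit a colon-separated providerDir value such as the PEP's
    $PROVIDERDIRS for Linux. A replaced provider runs with the CIM Server's
    privileges, so nothing here may be writable by untrusted users."""
    findings = []
    for directory in filter(None, provider_dirs.split(":")):
        if not os.path.isdir(directory):
            findings.append(f"{directory}: missing or not a directory")
            continue
        findings.extend(check_entry(directory, trusted_uids))
        for name in sorted(os.listdir(directory)):
            findings.extend(check_entry(os.path.join(directory, name), trusted_uids))
    return findings


def key_file_findings(path, server_uid=0, privileged_uids=(0,)):
    """sslKeyFilePath rule from the PEP: readable only by the cimserver user
    and/or privileged users, writable only by a privileged user. Group access
    is reported because group membership cannot be judged from the mode."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    out = []
    if st.st_uid != server_uid and st.st_uid not in privileged_uids:
        out.append(f"{path}: owner uid {st.st_uid} is neither the cimserver "
                   "user nor privileged")
    if mode & GROUP_OTHER_READ:
        out.append(f"{path}: readable by group or other (mode {mode:04o})")
    if mode & GROUP_OTHER_WRITE:
        out.append(f"{path}: writable by group or other (mode {mode:04o})")
    if mode & stat.S_IWUSR and st.st_uid not in privileged_uids:
        out.append(f"{path}: writable by non-privileged owner uid {st.st_uid}")
    return out


if __name__ == "__main__":
    # Linux Release Build values from the Directory Specifications table.
    for line in provider_dir_findings("/opt/tog-pegasus/providers/lib:/usr/lib/cmpi"):
        print(line)
    key = "/etc/opt/tog-pegasus/file.pem"
    if os.path.exists(key):
        for line in key_file_findings(key):
            print(line)
```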
sslTrustStore
Description: Specifies the location of the OpenSSL truststore.
Consistent with the OpenSSL implementation, a truststore can be either a
file or directory.
If the truststore is a directory, all the certificates
within the directory are considered trusted.
Recommended Default Value(Development Build): client.pem
Recommended Default Value(Release Build): $CERTIFICATEDIR/client.pem
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: No
Considerations:
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
sslTrustStoreUserName
Description: Specifies the system user name to be associated
with all certificate-based authenticated requests.
Recommended Default Value(Development Build): NONE
Recommended Default Value(Release Build): NONE
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/No
Dynamic?: No
Considerations: This
property has no default; for security reasons, the system administrator must
explicitly specify this value. This feature allows a single user name to
be specified. This user will be associated with all certificates in the
truststore. In the future, OpenPegasus will allow a system administrator
to associate a distinct user name with each certificate.
Source Configuration File: Pegasus/Config/SecurityPropertyOwner.cpp
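The following Python script is an added example (not OpenPegasus code) that checks a set of configuration properties against the Release Build recommendations and the property interactions described in the Considerations sections above. The name=value input format, the has_local_domain_socket parameter and the sample values are assumptions made for the example.

```python
# Added example (not OpenPegasus code): audit cimserver properties against the
# Release Build recommendations in this PEP.

# Release Build recommendations for boolean properties, copied from this PEP.
RELEASE_RECOMMENDED = {
    "enableAuthentication": True,
    "enableHttpConnection": False,
    "enableHttpsConnection": True,
    "enableSubscriptionsForNonprivilegedUsers": False,
    "repositoryIsDefaultInstanceProvider": False,
}

# "Default Value" entries the PEP states, applied when a property is absent.
PEP_DEFAULTS = {
    "enableHttpConnection": "true",
    "enableHttpsConnection": "false",
    "enableIndicationService": "true",
    "enableSubscriptionsForNonprivilegedUsers": "true",
}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
enableAuthentication=true
enableHttpConnection=true
enableHttpsConnection=true
sslClientVerificationMode=required
"""


def parse_config(text):
    """Parse name=value lines (assumed file format); skip blanks and # lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip().strip('"')
    return props


def flag(props, name):
    """Boolean value of a property, or None when neither the configuration
    nor the PEP's stated defaults supply one."""
    value = props.get(name, PEP_DEFAULTS.get(name))
    return None if value is None else value.lower() == "true"


def audit(props, has_local_domain_socket=True):
    """Return (property, message) findings for one parsed configuration."""
    findings = []
    for name, want in RELEASE_RECOMMENDED.items():
        got = flag(props, name)
        want_text = str(want).lower()
        if got is None:
            findings.append((name, f"not set, no default listed; recommended {want_text}"))
        elif got != want:
            findings.append((name, f"effective value differs; recommended {want_text}"))

    http = flag(props, "enableHttpConnection")
    https = flag(props, "enableHttpsConnection")
    mode = props.get("sslClientVerificationMode", "").lower()
    cert_auth = mode in ("required", "optional")

    if http and flag(props, "enableAuthentication"):
        findings.append(("enableHttpConnection",
                         "user names and passwords are sent in clear-text HTTP"))
    if cert_auth and not https:
        findings.append(("sslClientVerificationMode",
                         "only used when enableHttpsConnection is true"))
    if mode == "required" and not http and not has_local_domain_socket:
        findings.append(("sslClientVerificationMode",
                         "connectLocal clients such as cimserver -s will not "
                         "work; the PEP recommends optional on this platform"))
    if cert_auth and https and not props.get("sslTrustStoreUserName"):
        findings.append(("sslTrustStoreUserName",
                         "has no default and must be set explicitly"))
    if ("enableSubscriptionsForNonprivilegedUsers" in props
            and not flag(props, "enableIndicationService")):
        findings.append(("enableSubscriptionsForNonprivilegedUsers",
                         "has meaning only if enableIndicationService=true"))
    return findings


if __name__ == "__main__":
    for name, message in audit(parse_config(SAMPLE)):
        print(f"{name}: {message}")
```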
traceComponents
Description: Defines the components to be traced.
Default Value: ""
Recommended Default Value(Development Build): ""
Recommended Default Value(Release Build): ""
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/Yes
Dynamic?: Yes
Considerations:
Source Configuration File: Pegasus/Config/TracePropertyOwner.cpp
traceFilePath
Description: Specifies the location of the OpenPegasus trace
file.
Default Value: cimserver.trc
Recommended Default Value(Development Build): cimserver.trc
Recommended Default Value(Release Build): $TRACEDIR/cimserver.trc
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): Yes
Dynamic?: Yes
Considerations:
Source Configuration File: Pegasus/Config/TracePropertyOwner.cpp
traceLevel
Description: Defines the desired level of tracing.
Valid values include: 1, 2, 3, 4, 5.
Default Value: 1
Recommended Default Value(Development Build): 1
Recommended Default Value(Release Build): 1
Recommend To Be Fixed/Hidden(Development Build): No/No
Recommend To Be Fixed/Hidden(Release Build): No/Yes
Dynamic?: Yes
Considerations:
Source Configuration File: Pegasus/Config/TracePropertyOwner.cpp
Configuration Constants
Definitions
static char CURRENT_CONFIG_FILE [] =
Description: Default file name for the current configuration file.
Recommended Default Value(Development Build): cimserver_current.conf
Recommended Default Value(Release Build): $CONFIGDIR/cimserver_current.conf
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/ConfigFileDirLinux.h |
HP-UX | ConfigFileDirHpux.h |
OpenVMS | Pegasus/Config/ConfigFileDirVms.h |
static char PLANNED_CONFIG_FILE [] =
Description: Default file name for the planned configuration file.
Recommended Default Value(Development Build): cimserver_planned.conf
Recommended Default Value(Release Build): $CONFIGDIR/cimserver_planned.conf
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/ConfigFileDirLinux.h |
HP-UX | Pegasus/Config/ConfigFileDirHpux.h |
OpenVMS | Pegasus/Config/ConfigFileDirVms.h |
static char CIMSERVER_START_FILE [] =
Description: This is for the default file name for the cimserver startup
file containing the PID.
Default Value: /tmp/cimserver_start.conf
Recommended Default Value(Development Build): /tmp/cimserver_start.conf
Recommended Default Value(Release Build): $PIDFILE
Dynamic?: No
Platform | Source Configuration File |
Linux | Pegasus/Config/ConfigFileDirLinux.h |
HP-UX | Pegasus/Config/ConfigFileDirHpux.h |
OpenVMS | Pegasus/Config/ConfigFileDirVms.h |
Configuration Macros
Definitions
PEGASUS_SSLCLIENT_CERTIFICATEFILE
Description:
Recommended Default Value(Development Build): client.pem
Recommended Default Value(Release Build): $CERTIFICATEDIR/client.pem
Dynamic?: No
Considerations:
Source Configuration File: Pegasus/Common/Constants.h
PEGASUS_SSLCLIENT_RANDOMFILE
Description: On platforms that do not support /dev/random or
/dev/urandom, OpenSSL will use this file to seed the PRNG (Pseudo-Random
Number Generator). This PEGASUS_SSLCLIENT_RANDOMFILE defines the default CIM
Client random file.
Recommended Default Value(Development Build): ssl.rnd
Recommended Default Value(Release Build): $RANDOMDIR/ssl.rnd
Dynamic?: No
Considerations: Use of this variable requires
PEGASUS_HAS_SSL to be set. CIM Client use of a shared random file is
not recommended. On systems where /dev/random or /dev/urandom are not
available, CIM Clients are encouraged to generate a unique random file which
contains sufficient entropy.
Source Configuration File: Pegasus/Common/Constants.h
PEGASUS_SSLSERVER_RANDOMFILE
Description: On platforms that do not support /dev/random or
/dev/urandom, OpenSSL will use this file to seed the PRNG (Pseudo-Random
Number Generator). This PEGASUS_SSLSERVER_RANDOMFILE defines the CIM Server
random file.
Recommended Default Value(Development Build): cimserver.rnd
Recommended Default Value(Release Build): $RANDOMDIR/cimserver.rnd
Dynamic?: No
Considerations:
(1) Use of this variable requires PEGASUS_HAS_SSL to be set.
(2) On systems where /dev/random or /dev/urandom are not
available, CIM Server vendors need to be sure that the cimserver.rnd file
contains sufficient entropy and is uniquely generated for each system.
Source Configuration File: Pegasus/Common/Constants.h
PEGASUS_LOCAL_AUTH_DIR
Description: For local connections (i.e., connectLocal), OpenPegasus
uses a file-based authentication mechanism.
Recommended Default Value(Development Build): /tmp
Recommended Default Value(Release Build): $LOCALAUTHDIR/localauth
Dynamic?: No
Considerations:
Source Configuration File: Pegasus/Common/Constants.h
PEGASUS_LOCAL_DOMAIN_SOCKET_PATH
Description:
Recommended Default Value(Development Build): /tmp/cimxml.socket
Recommended Default Value(Release Build): $SOCKETDIR/cimxml.socket
Dynamic?: No
Considerations:
Source Configuration File: Pegasus/Common/Constants.h
Version History
Version | Date | Author | Change Description |
1.0 | 16 Oct 2004 | Denise Eckstein | Initial Submission |
1.1 | 25 Mar 2005 | Denise Eckstein |
- Replaced description of PEGASUS_HAS_PERFINST with PEGASUS_DISABLE_PERFINST.
- Removed "export PEGASUS_HAS_PERFINST=true" from examples.
- Added description for PEGASUS_ENABLE_SSLV2 variable.
- Changed "Default Value" for PEGASUS_LOCAL_DOMAIN_SOCKET to "Set" for all platforms except Windows. Updated description in Considerations section.
- Removed definition of variables PEGASUS_USE_23PROVIDER_MANAGER and PEGASUS_USE_AUTOMATIC_TRUSTSTORE_UPDATE.
- Updated PEGASUS_USE_RELEASE_CONFIG_OPTIONS Consideration section to clarify purpose of variable.
- Fixed default values for authorizedUserGroups.
- Added security sentence to enableHttpConnection Consideration section.
- Renamed "enableProviderProcesses" to "forceProviderProcesses".
- Updated description for "enableSubscriptionsForNonprivilegedUsers".
- Remove definition of enableSSLTruststoreAutoUpdate.
- Updated descriptions of httpPort and httpsPort.
- Updated sslClientVerificationMode Consideration section.
- Added description for maxProviderProcesses variable.
- Renamed "Test Build" to "Development Build".
- Updated PEGASUS_SSLSERVER_RANDOMFILE Consideration section.
- Updated description of PEGASUS_LOCAL_AUTH_DIR.
- Added environment variables PEGASUS_DISABLE_CQL, PEGASUS_ENABLE_EXECQUERY, PEGASUS_EXTRA_CXX_FLAGS, PEGASUS_EXTRA_C_FLAGS, PEGASUS_EXTRAS_LINK_FLAGS, PEGASUS_DISABLE_PROV_USERCTXT, PEGASUS_DISABLE_PROV_USERCTXT_REQUESTOR, PEGASUS_DISABLE_PROV_USERCTXT_DESIGNATED, PEGASUS_DISABLE_PROV_USERCTXT_PRIVILEGED and PEGASUS_DISABLE_PROV_USERCTXT_CIMSERVER.
1.2 | 25 Mar 2005 | Denise Eckstein |
- Added environment variable OPENSSL_BIN.
- Changed defaults for httpPort and httpsPort to "blank".
1.3 | 12 Apr 2005 | Denise Eckstein |
- Removed reference to pam-devel version.
- Removed references to PEGASUS_USE_23PROVIDER_MANAGER.
- Changed PEGASUS_LOCAL_DOMAIN_SOCKET to PEGASUS_DISABLE_LOCAL_DOMAIN_SOCKET.
- Removed PEGASUS_LOCAL_DOMAIN_SOCKET from example.
- Added OpenVMS IA64 platform option.
1.4 | 29 June 2005 | Denise Eckstein |
- Removed definition of CVSROOT in the example.
- Removed Build Prerequisite section. Not appropriate for this document.
- Added environment variables PEGASUS_ENABLE_OBJECT_NORMALIZER, PEGASUS_WINDOWS_SDK_HOME, PEGASUS_DISABLE_DEPRECATED_INTERFACES, PEGASUS_ENABLE_SORTED_DIFF, PEGASUS_ENABLE_COMPRESSED_REPOSITORY, PEGASUS_REPOSITORY_MODE, PEGASUS_MAX_THREADS_PER_SVC_QUEUE.
1.5 | 18 Aug 2005 | Denise Eckstein |
- Added Security Consideration Section.
- Added environment variables PEGASUS_ENABLE_EMAIL_HANDLER, PEGASUS_ENABLE_SYSTEM_LOG_HANDLER, PEGASUS_ENABLE_SLP, PEGASUS_DISABLE_SLP, PEGASUS_SNIA_EXTENSIONS, PEGASUS_INDICATIONS_Q_THRESHOLD.
- Updated definition of PEGASUS_DEBUG.
- Updated definition of PEGASUS_DISABLE_PERFINST.
- Updated definition of PEGASUS_MAX_THREADS_PER_SVC_QUEUE.
- Added LINUX_X86_64_GNU to PEGASUS_PLATFORM table.
- Changed PROVIDERDIRS value for Linux to /opt/tog-pegasus/providers/lib:/usr/lib/cmpi.
- Updated value of TRACEDIR for Linux and HP-UX.
- Added "slp" description.
- Changed "Recommended Value (Release Build)" for PEGASUS_DISABLE_DEPRECATED_INTERFACES to NOT SET.
1.6 | 29 Aug 2005 | Denise Eckstein |
- Fixed alphabetical ordering.
- Added definition for PEGASUS_CIM_SCHEMA.
1.7 | 30 Aug 2005 | Denise Eckstein |
- Added reference to PEP 223 to the description of PEGASUS_DISABLE_PROV_USERCTXT.
- Added references to Security Guideline documents.
- Added clarification to PEGASUS_ENABLE_SSLV2 "Considerations".
1.8 | 01 Sept 2005 | Denise Eckstein |
- The tempLocalAuthDir config property was removed in 2.5. The PEGASUS_LOCAL_AUTH_DIR constant is used instead.
- More alphabetical ordering fixes.
- Approved - Ballot 100
Copyright (c) 2004 EMC Corporation; Hewlett-Packard Development Company, L.P.; IBM Corp.; The Open Group; VERITAS Software Corporation
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without
limitation the rights to use, copy, modify, merge, publish, distribute,
sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN ALL
COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
"AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Template last modified: January 20th 2004 by Martin Kirk
Template version: 1.6