NIMSH authentication process
Service requests from the communicating host (the NIM master) are built as packets that carry the following data for authentication:
- Hostname of NIM client
- CPUID of NIM client
- CPUID of NIM master
- Return port for secondary (stderr) connection
- Query flag (used to obtain registration information)
When a connection to the primary port is received, the service handler obtains peer information from the connecting socket. The source port must be in the privileged port space (only the root user can bind to privileged ports); using the privileged port space ensures that the originating user has the root UID. The return port number is then retrieved from the request, and the client connects back to it from the secondary port, which is the reserved port in /etc/services.
The following sections describe the phases of the authentication process:
- Query flag set: When the query flag is set to 1, the service handler treats the incoming request as a client discovery for information. The client service handler obtains all relevant information necessary for defining itself as a NIM client, returns the information to the requesting NIM master, and then terminates the connection. The following data is returned when the query flag is set:
  - Default hostname (value obtained from inet0)
  - Default route (value obtained from inet0)
  - Network address (value obtained from hostname)
  - Subnet mask (value obtained from hostname)
  - Network interface (value obtained from hostname)
- Method request: If the query flag is not set, then a request for service (a NIM operation) is pushed by the NIM master. The service handler validates the method request as follows:
  - Verify that the hostname of the NIM master is the client's recognized master hostname.
  - Check the client CPUID passed; it should match the client's machine ID.
  - Check the master CPUID passed; it should match the master's machine ID stored in memory.
  - Verify that the operation passed is a method in the path /usr/lpp/bos.sysmgt/nim/methods.
  - Check for the cryptographic authentication setting.
For additional security, NIMSH supports push disablement. Push disablement disables method requests unless the request is a response to an active NIM client call being processed by the client's NIM master. When push disablement is set, NIMSH does not process any NIM operations controlled by the NIM master. Client control (nimclient commands) is the only way to perform NIM operations on the client when push disablement is set.
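The validation sequence above (privileged source port, query-flag branch, hostname and CPUID checks, method-path check, cryptographic setting, push disablement) is easy to get subtly wrong in a daemon, so the following Python model walks through it in order. This is an added example written for this page, not IBM's nimsh source: the `NimshRequest` and `ClientState` field names, the `crypto_token` stand-in for the cryptographic authentication check, and the `methods_available` set (a constructed substitute for listing /usr/lpp/bos.sysmgt/nim/methods on disk) are all assumptions made for illustration.

```python
"""Model of the NIMSH method-request validation described on this page.
Added example: not IBM's nimsh code. Field names, the crypto_token
stand-in and the methods_available allowlist are constructed assumptions."""
import os
from dataclasses import dataclass
from typing import Optional, Tuple

PRIVILEGED_PORT_MAX = 1023  # only root can bind a source port below 1024
METHODS_DIR = "/usr/lpp/bos.sysmgt/nim/methods"  # method path named on the page


@dataclass
class NimshRequest:
    hostname: str                      # NIM master hostname as sent
    client_cpuid: str                  # CPUID the master claims for this client
    master_cpuid: str                  # CPUID the master claims for itself
    return_port: int                   # port the client connects back to (stderr)
    query: bool                        # query flag: True = discovery request
    method: Optional[str] = None       # NIM method name (method requests only)
    crypto_token: Optional[str] = None  # assumed stand-in for the crypto check


@dataclass
class ClientState:
    master_hostname: str               # the client's recognized NIM master
    client_cpuid: str                  # this machine's ID
    master_cpuid: str                  # master's machine ID held in memory
    methods_available: frozenset       # constructed stand-in for METHODS_DIR listing
    crypto_required: bool = False      # cryptographic authentication setting
    push_disabled: bool = False        # push disablement setting
    active_client_call: bool = False   # a nimclient-initiated operation is in flight


def validate(req: NimshRequest, state: ClientState, peer_port: int) -> Tuple[bool, str]:
    """Return (accepted, reason); checks run in the order the page lists them."""
    # Peer source port must be privileged: proves the sender ran as root.
    if peer_port < 1 or peer_port > PRIVILEGED_PORT_MAX:
        return False, "source port not in privileged range"
    # Query flag: discovery only, answer with registration data and close.
    if req.query:
        return True, "query: return registration information and close"
    # Method request: every identity check must pass before anything runs.
    if req.hostname != state.master_hostname:
        return False, "master hostname is not the recognized master"
    if req.client_cpuid != state.client_cpuid:
        return False, "client CPUID does not match this machine"
    if req.master_cpuid != state.master_cpuid:
        return False, "master CPUID does not match stored master ID"
    # The operation must be a bare method name resolving inside METHODS_DIR;
    # any path separator or dot-directory would escape that directory.
    if (not req.method or os.path.basename(req.method) != req.method
            or req.method in (".", "..")):
        return False, "method is not a bare filename"
    if req.method not in state.methods_available:
        return False, f"method not present in {METHODS_DIR}"
    # Cryptographic authentication setting (modelled as a required token).
    if state.crypto_required and not req.crypto_token:
        return False, "cryptographic authentication required"
    # Push disablement: only operations answering a nimclient call proceed.
    if state.push_disabled and not state.active_client_call:
        return False, "push disabled and no active nimclient call"
    return True, f"run {METHODS_DIR}/{req.method}"


# Constructed sample state for a stand-alone run.
EXAMPLE_STATE = ClientState(
    master_hostname="nimmaster.example.invalid",
    client_cpuid="CLIENT-CPUID-0001",
    master_cpuid="MASTER-CPUID-0001",
    methods_available=frozenset({"m_cust", "m_bos_inst", "m_showres"}),
)

if __name__ == "__main__":
    good = NimshRequest("nimmaster.example.invalid", "CLIENT-CPUID-0001",
                        "MASTER-CPUID-0001", 1023, False, "m_showres")
    print(validate(good, EXAMPLE_STATE, 1022))
    print(validate(good, EXAMPLE_STATE, 40000))
```

Each check returns early with a distinct reason so the rejection can be logged; in practice the reason string is what a defender would watch for, since a burst of "master CPUID does not match" or "method is not a bare filename" rejections on a client is a clear signal of a host impersonating the NIM master.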