ANSI INCITS 539-2016 Information Technology C Management of Security Credentials.pdf

1、American National StandardDeveloped byfor Information Technology Management of Security CredentialsINCITS 539-2016INCITS 539-2016INCITS 539-2016American National Standardfor Information Technology Management of Security CredentialsSecretariatInformation Technology Industry CouncilApproved July 1, 20

2、16American National Standards Institute, Inc.Approval of an American National Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is established when, in the judgement of the ANSI Board of

3、Standards Review, substantial agreement has been reached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be considered, and that a concerted effort be madetowards

4、 their resolution.The use of American National Standards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, processes, or procedures not conforming to the standards

5、.The American National Standards Institute does not develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American National Standard in the name of the AmericanNatio

6、nal Standards Institute. Requests for interpretations should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The procedures of the American National StandardsInstitu

7、te require that action be taken periodically to reaffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.American National StandardPublished byAmerican National

8、 Standards Institute, Inc.25 West 43rd Street, New York, NY 10036Copyright 2016 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherwise,without prior written permission of ITI, 1101 K

9、 Street NW, Suite 610, Washington, DC 20005. Printed in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may berequired for the implementation of the standard disclose such patents to the publisher. However,neither the developers nor th

10、e publisher have undertaken a patent search in order to identifywhich, if any, patents may apply to this standard. As of the date of publication of this standardand following calls for the identification of patents that may be required for the implementation ofthe standard, no such claims have been

11、made. No further patent search is conducted by the de-veloper or publisher in respect to any standard it processes. No representation is made or impliedthat licenses are not required to avoid infringement in the use of this standard.i CONTENTS Forewordxi Introductionxii 1 Scope 1 1.1 Simple Identity

12、 Management Profile . 1 1.2 Role Based Authorization Profile 1 1.3 Credential Management Profile 1 1.4 Certificate Management Profile 1 2 Normative references 1 DMTF component documents . 2 3 Terms and definitions 3 4 Symbols and abbreviated terms 5 5 Simple Identity Management . 6 5.1 Synopsis . 6

13、5.2 Description 6 5.2.1 Authenticated entities 7 5.2.2 Account 8 5.2.3 Account states . 8 5.2.4 Local account security policies 8 5.2.5 Access ingress point 9 5.2.6 Identity context . 9 5.3 Implementation . 9 5.3.1 Base requirements . 9 5.3.2 Account creation 11 5.3.3 Account management 12 5.3.4 Rep

14、resenting a third-party authenticated principal 16 5.3.5 Managing account identity groups . 17 5.3.6 Representing access ingress point 17 5.3.7 Identity context . 18 5.4 Methods 18 5.4.1 CIM_AccountManagementService.CreateAccount( ) 18 5.4.2 CIM_Account.RequestStateChange( ) 20 5.4.3 Profile convent

15、ions for operations . 21 5.4.4 CIM_Account . 22 5.4.5 CIM_EnabledLogicalElementCapabilities 23 5.4.6 CIM_AccountOnSystem 23 5.4.7 CIM_AccountManagementCapabilities . 23 5.4.8 CIM_AccountManagementService 23 5.4.9 CIM_AccountSettingData 24 5.4.10 CIM_AssignedIdentity 24 5.4.11 CIM_Dependency 25 5.4.1

16、2 CIM_ElementCapabilities 25 5.4.13 CIM_ElementSettingData 25 5.4.14 CIM_Group 26 5.4.15 CIM_HostedService . 26 5.4.16 CIM_Identity . 27 5.4.17 CIM_IdentityContext 27 5.4.18 CIM_MemberOfCollection . 27 5.4.19 CIM_OwningCollectionElement . 28 5.4.20 CIM_ServiceAffectsElement 28 5.4.21 CIM_SettingsDef

17、ineCapabilities 28 5.4.22 CIM_UserContact 29 5.5 Use cases . 29 Error! Unknown document property name. ii 5.5.1 Profile registration 29 5.5.2 Determine whether CIM_Account.ElementName can be modified . 38 5.5.3 Determine whether account state management is supported . 38 5.5.4 Determine whether acco

18、unt management is supported 38 5.5.5 Create an account 38 5.5.6 Determine account defaults . 39 5.5.7 Delete an account 39 5.5.8 Modify the password for an account 39 5.5.9 Clear an account 40 5.5.10 Change state to enabled offline . 40 5.5.11 Add an account identity to a group 40 5.5.12 Remove an a

19、ccount identity from a group . 40 5.5.13 Determine the context of a security principal . 40 5.6 CIM elements 41 5.6.1 CIM_Account . 42 5.6.2 CIM_AccountManagementCapabilities . 42 5.6.3 CIM_AccountManagementService 43 5.6.4 CIM_AccountOnSystem 43 5.6.5 CIM_AccountSettingData 43 5.6.6 CIM_AssignedIde

20、ntity (CIM_Account) . 44 5.6.7 CIM_AssignedIdentity (Group) 44 5.6.8 CIM_AssignedIdentity (UserContact) 44 5.6.9 CIM_Dependency (access ingress) . 44 5.6.10 CIM_ElementCapabilities (CIM_AccountManagementService) 45 5.6.11 CIM_ElementCapabilities (CIM_Account) . 45 5.6.12 CIM_ElementSettingData 45 5.

21、6.13 CIM_EnabledLogicalElementCapabilities 46 5.6.14 CIM_Group 46 5.6.15 CIM_HostedService . 46 5.6.16 CIM_Identity . 46 5.6.17 CIM_IdentityContext 47 5.6.18 CIM_MemberOfCollection (group membership) 47 5.6.19 CIM_OwningCollectionElement . 47 5.6.20 CIM_ServiceAffectsElement 48 5.6.21 CIM_SettingsDe

22、fineCapabilities (CIM_AccountManagementCapabilities) . 48 5.6.22 CIM_SettingsDefineCapabilities (CIM_EnabledLogicalElementCapabilities) . 48 5.6.23 CIM_UserContact 49 5.6.24 CIM_RegisteredProfile . 49 6 Role Based Authorization 50 6.1 Synopsis . 50 6.2 Description 50 6.2.1 Role authorization service

23、: CIM_RoleBasedAuthorizationService 51 6.2.2 Authorized roles and privileges: CIM_Role and CIM_Privilege . 51 6.2.3 Security principal: CIM_Identity . 52 6.2.4 Privilege management . 52 6.3 Implementation . 53 6.3.1 Modeling the authorized role . 53 6.3.2 Authorized role management . 56 6.3.3 Author

24、ized role membership of security principal 56 6.3.4 Privilege management capability . 57 6.4 Methods 58 6.4.1 CIM_RoleBasedAuthorizationService.ModifyRole( ) . 58 6.4.2 CIM_RoleBasedAuthorizationService.AssignRoles( ) . 59 6.4.3 CIM_RoleBasedAuthorizationService.ShowAccess( ) 60 6.4.4 CIM_RoleBasedA

25、uthorizationService.ShowRoles( ) . 61 6.4.5 Profile conventions for operations . 63 iii 6.4.6 CIM_ConcreteDependency . 63 6.4.7 CIM_ElementCapabilities 65 6.4.8 CIM_HostedService . 65 6.4.9 CIM_MemberOfCollection . 65 6.4.10 CIM_OwningCollectionElement . 66 6.4.11 CIM_Privilege . 66 6.4.12 CIM_RoleB

26、asedManagementCapabilities . 66 6.4.13 CIM_Role . 66 6.4.14 CIM_RoleBasedAuthorizationService . 66 6.4.15 CIM_RoleLimitedToTarget . 67 6.4.16 CIM_ServiceAffectsElement 67 6.4.17 CIM_ServiceServiceDependency 67 6.5 Use cases . 67 6.5.1 Profile registration 68 6.5.2 Minimal instantiation of the profil

27、e . 68 6.5.3 Evaluating scope and privileges 69 6.5.4 Scope of the role and privileges for a managed element 72 6.5.5 Service processor roles use cases 74 6.5.6 Determine the roles managed by a service . 75 6.5.7 Determine candidate roles for a security principal . 76 6.5.8 Determine the roles to wh

28、ich a security principal is currently assigned 76 6.5.9 Determine the roles that scope a managed element . 77 6.5.10 Determine the current privileges of a security principal for a managed element 77 6.5.11 Modify a single privilege of an existing role . 77 6.5.12 Determine whether privilege manageme

29、nt is supported for a principal 78 6.5.13 Determine whether one-to-one privilege management is supported for an account 78 6.5.14 Assign custom privileges to an identity 78 6.6 CIM elements 79 6.6.1 CIM_ConcreteDependency (privilege). 79 6.6.2 CIM_ConcreteDependency (role) 80 6.6.3 CIM_ElementCapabi

30、lities 80 6.6.4 CIM_HostedService . 80 6.6.5 CIM_MemberOfCollection (privilege). 81 6.6.6 CIM_MemberOfCollection (identity). 81 6.6.7 CIM_OwningCollectionElement . 81 6.6.8 CIM_Privilege . 82 6.6.9 CIM_RoleBasedManagementCapabilities . 82 6.6.10 CIM_RegisteredProfile . 82 6.6.11 CIM_Role . 83 6.6.12

31、 CIM_RoleBasedAuthorizationService . 83 6.6.13 CIM_RoleLimitedToTarget . 83 6.6.14 CIM_ServiceAffectsElement CIM_Role 84 6.6.15 CIM_ServiceAffectsElement CIM_Privilege . 84 6.6.16 CIM_ServiceServiceDependency 85 7 Credential Management 86 7.1 Synopsis . 86 7.2 Description 86 7.2.1 Credential store 8

32、7 7.2.2 Credentials . 88 7.2.3 Authorization 88 7.3 Implementation . 88 7.3.1 Credentials . 88 7.3.2 Credential store 89 7.3.3 Utilizing credentials 89 7.3.4 Credential access authorization . 89 Error! Unknown document property name. iv 7.4 Methods 90 7.4.1 Profile conventions for operations . 91 7.

33、4.2 CIM_CredentialManagementService . 91 7.4.3 CIM_CredentialContext . 91 7.4.4 CIM_ConcreteDependency (CIM_CredentialStore) 91 7.4.5 CIM_HostedService . 92 7.4.6 CIM_CredentialStore . 92 7.4.7 CIM_MemberOfCollection (CIM_Credential) . 92 7.4.8 CIM_MemberOfCollection (CIM_CredentialStore) 93 7.4.9 C

34、IM_OwningCollectionElement . 93 7.4.10 CIM_ServiceAffectsElement (CIM_CredentialStore) . 93 7.4.11 CIM_ServiceAffectsElement (CIM_Credential) . 94 7.4.12 CIM_Credential 94 7.4.13 CIM_Identity . 94 7.4.14 CIM_AssociatedPrivilege . 94 7.5 Use cases . 94 7.5.1 Profile registration 95 7.5.2 Determining

35、the credential management service for a credential . 95 7.6 CIM elements 96 7.6.1 CIM_Credential 96 7.6.2 CIM_CredentialManagementService . 97 7.6.3 CIM_CredentialContext . 97 7.6.4 CIM_ConcreteDependency . 97 7.6.5 CIM_HostedService . 98 7.6.6 CIM_CredentialStore . 98 7.6.7 CIM_MemberOfCollection (

36、CIM_Credential) . 98 7.6.8 CIM_MemberOfCollection (CIM_CredentialStore) 99 7.6.9 CIM_OwningCollectionElement . 99 7.6.10 CIM_ServiceAffectsElement (CIM_CredentialStore) . 99 7.6.11 CIM_ServiceAffectsElement (CIM_Credential) . 100 7.6.12 CIM_CredentialManagementCapabilities 100 7.6.13 CIM_Identity .

37、100 7.6.14 CIM_AssociatedPrivilege . 101 8 Certificate Management 102 8.1 Synopsis . 102 8.2 Description 102 8.2.1 Key store 103 8.2.2 Public key infrastructure 104 8.2.3 Authorization 104 8.3 Implementation . 105 8.3.1 Key store 105 8.3.2 Certificate management service 105 8.3.3 Certificate chain .

38、 106 8.3.4 Authorization 106 8.4 Methods 107 8.4.1 CIM_CertificateManagementService.ImportPublicPrivateKeyPair( ) 107 8.4.2 CIM_CertificateManagementService.CreateKeystore( ) . 108 8.4.3 CIM_CertificateManagementService.CreateCertificateSigningRequest( ) 109 8.4.4 CIM_CertificateManagementService.Cr

39、eateSelfSignedCertificate( ) 112 8.4.5 CIM_CertificateManagementService.ImportEncodedCertificates( ) 114 8.4.6 CIM_CertificateManagementService.ImportCertificates( ) 115 8.4.7 CIM_CertificateManagementService.ExportEncodedCertificates( ) 116 8.4.8 CIM_CertificateManagementService.ApplyCRL( ) 118 8.4

40、.9 CIM_CertificateManagementService.ApplyDecodedCRL( ) 119 8.4.10 Profile conventions for operations . 120 8.4.11 CIM_CertificateManagementCapabilities 120 v 8.4.12 CIM_CertificateManagementService . 120 8.4.13 CIM_CredentialContext . 121 8.4.14 CIM_ConcreteDependency (CIM_Keystore) . 121 8.4.15 CIM

41、_ConcreteDependency (CIM_X509Certificate) . 121 8.4.16 CIM_ElementCapabilities 122 8.4.17 CIM_HostedService . 122 8.4.18 CIM_Keystore 122 8.4.19 CIM_MemberOfCollection . 122 8.4.20 CIM_OwningCollectionElement . 123 8.4.21 CIM_RegisteredProfile . 123 8.4.22 CIM_ServiceAffectsElement 123 8.4.23 CIM_Un

42、signedCredential . 124 8.4.24 CIM_X509Certificate 124 8.4.25 CIM_X509CRL . 124 8.4.26 CIM_Identity . 124 8.4.27 CIM_AssociatedPrivilege . 125 8.4.28 CIM_ConcreteDependency . 125 8.5 Use cases . 125 8.5.1 Profile registration 125 8.5.2 Simple certificate management . 126 8.5.3 Keystore . 127 8.5.4 Im

43、port asymmetric key . 128 8.5.5 CSR and self-signed certificate . 129 8.5.6 Import and export of certificates 130 8.5.7 CRL 131 8.6 CIM elements 134 8.6.1 CIM_CertificateManagementCapabilities 135 8.6.2 CIM_CertificateManagementService . 135 8.6.3 CIM_CredentialContext . 136 8.6.4 CIM_ConcreteDepend

44、ency (CIM_Keystore) . 136 8.6.5 CIM_ConcreteDependency (CIM_X509Certificate) . 136 8.6.6 CIM_ConcreteDependency . 137 8.6.7 CIM_ElementCapabilities 137 8.6.8 CIM_HostedService . 137 8.6.9 CIM_Keystore 138 8.6.10 CIM_ServiceAffectsElement (CIM_Credential) . 138 8.6.11 CIM_MemberOfCollection . 138 8.6

45、.12 CIM_OwningCollectionElement . 139 8.6.13 CIM_RegisteredProfile . 139 8.6.14 CIM_ServiceAffectsElement (CIM_Keystore) 139 8.6.15 CIM_UnsignedCredential . 140 8.6.16 CIM_X509Certificate 140 8.6.17 CIM_X509CRL . 141 8.6.18 CIM_AssociatedPrivilege . 141 Error! Unknown document property name. vi Figu

46、res Figure 1 Simple Identity Management profile: Class diagram . 7 Figure 2 Profile registration (Simple Identity Management implementation) . 29 Figure 3 Basic system accounts 30 Figure 4 Full account capabilities . 31 Figure 5 Account capabilities with ranges 32 Figure 6 Third-party authenticated

47、user . 33 Figure 7 Accounts with group membership 34 Figure 8 Role-oriented groups . 36 Figure 9 Access ingress point and identity context 37 Figure 10 Role Based Authorization Profile: Class diagram 51 Figure 11 Profile registration (Role Based Authorization implementation) 68 Figure 12 Minimal ins

48、tantiation 68 Figure 13 Cumulative Role Privilege example . 69 Figure 14 Scope of the roles 72 Figure 15 Fixed accounts with role membership privilege management . 73 Figure 16 Fixed accounts with individual account privilege management . 74 Figure 17 IPMI service processor with role management 75 F

49、igure 18 Credential Management Profile: Class diagram 87 Figure 19 Profile registration (Specialized profile for Certificate Management profile) Figure 20 Certificate Management profile: Class diagram . 103 Figure 21 Profile registration (Certificate Management profile implementation) 126 Figure 22 Simple certificate management . 127 Figure 23 Key store 128 Figure 24 Importing public/private key pair 129 Figure 25 Creating CSR and self-signed certificate . 130 Figure 26