书签分享收藏举报版权申诉 / 159

立即下载加入VIP,交流精品资源

当前位置：首页 > 标准规范 > 国际标准 > ANSI > ANSI INCITS 539-2016 Information Technology C Management of Security Credentials.pdf

ANSI INCITS 539-2016 Information Technology C Management of Security Credentials.pdf

上传人：boatfragile160

文档编号：435841

上传时间：2018-11-14

格式：PDF

页数：159

大小：1.09MB

《ANSI INCITS 539-2016 Information Technology C Management of Security Credentials.pdf》由会员分享，可在线阅读，更多相关《ANSI INCITS 539-2016 Information Technology C Management of Security Credentials.pdf（159页珍藏版）》请在麦多课文档分享上搜索。

1、American National StandardDeveloped byfor Information Technology Management of Security CredentialsINCITS 539-2016INCITS 539-2016INCITS 539-2016American National Standardfor Information Technology Management of Security CredentialsSecretariatInformation Technology Industry CouncilApproved July 1, 20

2、16American National Standards Institute, Inc.Approval of an American National Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is established when, in the judgement of the ANSI Board of

3、Standards Review, substantial agreement has been reached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be considered, and that a concerted effort be madetowards

4、 their resolution.The use of American National Standards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, processes, or procedures not conforming to the standards

5、.The American National Standards Institute does not develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American National Standard in the name of the AmericanNatio

6、nal Standards Institute. Requests for interpretations should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The procedures of the American National StandardsInstitu

7、te require that action be taken periodically to reaffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.American National StandardPublished byAmerican National

8、 Standards Institute, Inc.25 West 43rd Street, New York, NY 10036Copyright 2016 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherwise,without prior written permission of ITI, 1101 K

9、 Street NW, Suite 610, Washington, DC 20005. Printed in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may berequired for the implementation of the standard disclose such patents to the publisher. However,neither the developers nor th

10、e publisher have undertaken a patent search in order to identifywhich, if any, patents may apply to this standard. As of the date of publication of this standardand following calls for the identification of patents that may be required for the implementation ofthe standard, no such claims have been

11、made. No further patent search is conducted by the de-veloper or publisher in respect to any standard it processes. No representation is made or impliedthat licenses are not required to avoid infringement in the use of this standard.i CONTENTS Forewordxi Introductionxii 1 Scope 1 1.1 Simple Identity

12、 Management Profile . 1 1.2 Role Based Authorization Profile 1 1.3 Credential Management Profile 1 1.4 Certificate Management Profile 1 2 Normative references 1 DMTF component documents . 2 3 Terms and definitions 3 4 Symbols and abbreviated terms 5 5 Simple Identity Management . 6 5.1 Synopsis . 6

13、5.2 Description 6 5.2.1 Authenticated entities 7 5.2.2 Account 8 5.2.3 Account states . 8 5.2.4 Local account security policies 8 5.2.5 Access ingress point 9 5.2.6 Identity context . 9 5.3 Implementation . 9 5.3.1 Base requirements . 9 5.3.2 Account creation 11 5.3.3 Account management 12 5.3.4 Rep

14、resenting a third-party authenticated principal 16 5.3.5 Managing account identity groups . 17 5.3.6 Representing access ingress point 17 5.3.7 Identity context . 18 5.4 Methods 18 5.4.1 CIM_AccountManagementService.CreateAccount( ) 18 5.4.2 CIM_Account.RequestStateChange( ) 20 5.4.3 Profile convent

15、ions for operations . 21 5.4.4 CIM_Account . 22 5.4.5 CIM_EnabledLogicalElementCapabilities 23 5.4.6 CIM_AccountOnSystem 23 5.4.7 CIM_AccountManagementCapabilities . 23 5.4.8 CIM_AccountManagementService 23 5.4.9 CIM_AccountSettingData 24 5.4.10 CIM_AssignedIdentity 24 5.4.11 CIM_Dependency 25 5.4.1

16、2 CIM_ElementCapabilities 25 5.4.13 CIM_ElementSettingData 25 5.4.14 CIM_Group 26 5.4.15 CIM_HostedService . 26 5.4.16 CIM_Identity . 27 5.4.17 CIM_IdentityContext 27 5.4.18 CIM_MemberOfCollection . 27 5.4.19 CIM_OwningCollectionElement . 28 5.4.20 CIM_ServiceAffectsElement 28 5.4.21 CIM_SettingsDef

17、ineCapabilities 28 5.4.22 CIM_UserContact 29 5.5 Use cases . 29 Error! Unknown document property name. ii 5.5.1 Profile registration 29 5.5.2 Determine whether CIM_Account.ElementName can be modified . 38 5.5.3 Determine whether account state management is supported . 38 5.5.4 Determine whether acco

18、unt management is supported 38 5.5.5 Create an account 38 5.5.6 Determine account defaults . 39 5.5.7 Delete an account 39 5.5.8 Modify the password for an account 39 5.5.9 Clear an account 40 5.5.10 Change state to enabled offline . 40 5.5.11 Add an account identity to a group 40 5.5.12 Remove an a

19、ccount identity from a group . 40 5.5.13 Determine the context of a security principal . 40 5.6 CIM elements 41 5.6.1 CIM_Account . 42 5.6.2 CIM_AccountManagementCapabilities . 42 5.6.3 CIM_AccountManagementService 43 5.6.4 CIM_AccountOnSystem 43 5.6.5 CIM_AccountSettingData 43 5.6.6 CIM_AssignedIde

20、ntity (CIM_Account) . 44 5.6.7 CIM_AssignedIdentity (Group) 44 5.6.8 CIM_AssignedIdentity (UserContact) 44 5.6.9 CIM_Dependency (access ingress) . 44 5.6.10 CIM_ElementCapabilities (CIM_AccountManagementService) 45 5.6.11 CIM_ElementCapabilities (CIM_Account) . 45 5.6.12 CIM_ElementSettingData 45 5.

21、6.13 CIM_EnabledLogicalElementCapabilities 46 5.6.14 CIM_Group 46 5.6.15 CIM_HostedService . 46 5.6.16 CIM_Identity . 46 5.6.17 CIM_IdentityContext 47 5.6.18 CIM_MemberOfCollection (group membership) 47 5.6.19 CIM_OwningCollectionElement . 47 5.6.20 CIM_ServiceAffectsElement 48 5.6.21 CIM_SettingsDe

22、fineCapabilities (CIM_AccountManagementCapabilities) . 48 5.6.22 CIM_SettingsDefineCapabilities (CIM_EnabledLogicalElementCapabilities) . 48 5.6.23 CIM_UserContact 49 5.6.24 CIM_RegisteredProfile . 49 6 Role Based Authorization 50 6.1 Synopsis . 50 6.2 Description 50 6.2.1 Role authorization service

23、: CIM_RoleBasedAuthorizationService 51 6.2.2 Authorized roles and privileges: CIM_Role and CIM_Privilege . 51 6.2.3 Security principal: CIM_Identity . 52 6.2.4 Privilege management . 52 6.3 Implementation . 53 6.3.1 Modeling the authorized role . 53 6.3.2 Authorized role management . 56 6.3.3 Author

24、ized role membership of security principal 56 6.3.4 Privilege management capability . 57 6.4 Methods 58 6.4.1 CIM_RoleBasedAuthorizationService.ModifyRole( ) . 58 6.4.2 CIM_RoleBasedAuthorizationService.AssignRoles( ) . 59 6.4.3 CIM_RoleBasedAuthorizationService.ShowAccess( ) 60 6.4.4 CIM_RoleBasedA

25、uthorizationService.ShowRoles( ) . 61 6.4.5 Profile conventions for operations . 63 iii 6.4.6 CIM_ConcreteDependency . 63 6.4.7 CIM_ElementCapabilities 65 6.4.8 CIM_HostedService . 65 6.4.9 CIM_MemberOfCollection . 65 6.4.10 CIM_OwningCollectionElement . 66 6.4.11 CIM_Privilege . 66 6.4.12 CIM_RoleB

26、asedManagementCapabilities . 66 6.4.13 CIM_Role . 66 6.4.14 CIM_RoleBasedAuthorizationService . 66 6.4.15 CIM_RoleLimitedToTarget . 67 6.4.16 CIM_ServiceAffectsElement 67 6.4.17 CIM_ServiceServiceDependency 67 6.5 Use cases . 67 6.5.1 Profile registration 68 6.5.2 Minimal instantiation of the profil

27、e . 68 6.5.3 Evaluating scope and privileges 69 6.5.4 Scope of the role and privileges for a managed element 72 6.5.5 Service processor roles use cases 74 6.5.6 Determine the roles managed by a service . 75 6.5.7 Determine candidate roles for a security principal . 76 6.5.8 Determine the roles to wh

28、ich a security principal is currently assigned 76 6.5.9 Determine the roles that scope a managed element . 77 6.5.10 Determine the current privileges of a security principal for a managed element 77 6.5.11 Modify a single privilege of an existing role . 77 6.5.12 Determine whether privilege manageme

29、nt is supported for a principal 78 6.5.13 Determine whether one-to-one privilege management is supported for an account 78 6.5.14 Assign custom privileges to an identity 78 6.6 CIM elements 79 6.6.1 CIM_ConcreteDependency (privilege). 79 6.6.2 CIM_ConcreteDependency (role) 80 6.6.3 CIM_ElementCapabi

30、lities 80 6.6.4 CIM_HostedService . 80 6.6.5 CIM_MemberOfCollection (privilege). 81 6.6.6 CIM_MemberOfCollection (identity). 81 6.6.7 CIM_OwningCollectionElement . 81 6.6.8 CIM_Privilege . 82 6.6.9 CIM_RoleBasedManagementCapabilities . 82 6.6.10 CIM_RegisteredProfile . 82 6.6.11 CIM_Role . 83 6.6.12

31、 CIM_RoleBasedAuthorizationService . 83 6.6.13 CIM_RoleLimitedToTarget . 83 6.6.14 CIM_ServiceAffectsElement CIM_Role 84 6.6.15 CIM_ServiceAffectsElement CIM_Privilege . 84 6.6.16 CIM_ServiceServiceDependency 85 7 Credential Management 86 7.1 Synopsis . 86 7.2 Description 86 7.2.1 Credential store 8

32、7 7.2.2 Credentials . 88 7.2.3 Authorization 88 7.3 Implementation . 88 7.3.1 Credentials . 88 7.3.2 Credential store 89 7.3.3 Utilizing credentials 89 7.3.4 Credential access authorization . 89 Error! Unknown document property name. iv 7.4 Methods 90 7.4.1 Profile conventions for operations . 91 7.

33、4.2 CIM_CredentialManagementService . 91 7.4.3 CIM_CredentialContext . 91 7.4.4 CIM_ConcreteDependency (CIM_CredentialStore) 91 7.4.5 CIM_HostedService . 92 7.4.6 CIM_CredentialStore . 92 7.4.7 CIM_MemberOfCollection (CIM_Credential) . 92 7.4.8 CIM_MemberOfCollection (CIM_CredentialStore) 93 7.4.9 C

34、IM_OwningCollectionElement . 93 7.4.10 CIM_ServiceAffectsElement (CIM_CredentialStore) . 93 7.4.11 CIM_ServiceAffectsElement (CIM_Credential) . 94 7.4.12 CIM_Credential 94 7.4.13 CIM_Identity . 94 7.4.14 CIM_AssociatedPrivilege . 94 7.5 Use cases . 94 7.5.1 Profile registration 95 7.5.2 Determining

35、the credential management service for a credential . 95 7.6 CIM elements 96 7.6.1 CIM_Credential 96 7.6.2 CIM_CredentialManagementService . 97 7.6.3 CIM_CredentialContext . 97 7.6.4 CIM_ConcreteDependency . 97 7.6.5 CIM_HostedService . 98 7.6.6 CIM_CredentialStore . 98 7.6.7 CIM_MemberOfCollection (

36、CIM_Credential) . 98 7.6.8 CIM_MemberOfCollection (CIM_CredentialStore) 99 7.6.9 CIM_OwningCollectionElement . 99 7.6.10 CIM_ServiceAffectsElement (CIM_CredentialStore) . 99 7.6.11 CIM_ServiceAffectsElement (CIM_Credential) . 100 7.6.12 CIM_CredentialManagementCapabilities 100 7.6.13 CIM_Identity .

37、100 7.6.14 CIM_AssociatedPrivilege . 101 8 Certificate Management 102 8.1 Synopsis . 102 8.2 Description 102 8.2.1 Key store 103 8.2.2 Public key infrastructure 104 8.2.3 Authorization 104 8.3 Implementation . 105 8.3.1 Key store 105 8.3.2 Certificate management service 105 8.3.3 Certificate chain .

38、 106 8.3.4 Authorization 106 8.4 Methods 107 8.4.1 CIM_CertificateManagementService.ImportPublicPrivateKeyPair( ) 107 8.4.2 CIM_CertificateManagementService.CreateKeystore( ) . 108 8.4.3 CIM_CertificateManagementService.CreateCertificateSigningRequest( ) 109 8.4.4 CIM_CertificateManagementService.Cr

39、eateSelfSignedCertificate( ) 112 8.4.5 CIM_CertificateManagementService.ImportEncodedCertificates( ) 114 8.4.6 CIM_CertificateManagementService.ImportCertificates( ) 115 8.4.7 CIM_CertificateManagementService.ExportEncodedCertificates( ) 116 8.4.8 CIM_CertificateManagementService.ApplyCRL( ) 118 8.4

40、.9 CIM_CertificateManagementService.ApplyDecodedCRL( ) 119 8.4.10 Profile conventions for operations . 120 8.4.11 CIM_CertificateManagementCapabilities 120 v 8.4.12 CIM_CertificateManagementService . 120 8.4.13 CIM_CredentialContext . 121 8.4.14 CIM_ConcreteDependency (CIM_Keystore) . 121 8.4.15 CIM

41、_ConcreteDependency (CIM_X509Certificate) . 121 8.4.16 CIM_ElementCapabilities 122 8.4.17 CIM_HostedService . 122 8.4.18 CIM_Keystore 122 8.4.19 CIM_MemberOfCollection . 122 8.4.20 CIM_OwningCollectionElement . 123 8.4.21 CIM_RegisteredProfile . 123 8.4.22 CIM_ServiceAffectsElement 123 8.4.23 CIM_Un

42、signedCredential . 124 8.4.24 CIM_X509Certificate 124 8.4.25 CIM_X509CRL . 124 8.4.26 CIM_Identity . 124 8.4.27 CIM_AssociatedPrivilege . 125 8.4.28 CIM_ConcreteDependency . 125 8.5 Use cases . 125 8.5.1 Profile registration 125 8.5.2 Simple certificate management . 126 8.5.3 Keystore . 127 8.5.4 Im

43、port asymmetric key . 128 8.5.5 CSR and self-signed certificate . 129 8.5.6 Import and export of certificates 130 8.5.7 CRL 131 8.6 CIM elements 134 8.6.1 CIM_CertificateManagementCapabilities 135 8.6.2 CIM_CertificateManagementService . 135 8.6.3 CIM_CredentialContext . 136 8.6.4 CIM_ConcreteDepend

44、ency (CIM_Keystore) . 136 8.6.5 CIM_ConcreteDependency (CIM_X509Certificate) . 136 8.6.6 CIM_ConcreteDependency . 137 8.6.7 CIM_ElementCapabilities 137 8.6.8 CIM_HostedService . 137 8.6.9 CIM_Keystore 138 8.6.10 CIM_ServiceAffectsElement (CIM_Credential) . 138 8.6.11 CIM_MemberOfCollection . 138 8.6

45、.12 CIM_OwningCollectionElement . 139 8.6.13 CIM_RegisteredProfile . 139 8.6.14 CIM_ServiceAffectsElement (CIM_Keystore) 139 8.6.15 CIM_UnsignedCredential . 140 8.6.16 CIM_X509Certificate 140 8.6.17 CIM_X509CRL . 141 8.6.18 CIM_AssociatedPrivilege . 141 Error! Unknown document property name. vi Figu

46、res Figure 1 Simple Identity Management profile: Class diagram . 7 Figure 2 Profile registration (Simple Identity Management implementation) . 29 Figure 3 Basic system accounts 30 Figure 4 Full account capabilities . 31 Figure 5 Account capabilities with ranges 32 Figure 6 Third-party authenticated

47、user . 33 Figure 7 Accounts with group membership 34 Figure 8 Role-oriented groups . 36 Figure 9 Access ingress point and identity context 37 Figure 10 Role Based Authorization Profile: Class diagram 51 Figure 11 Profile registration (Role Based Authorization implementation) 68 Figure 12 Minimal ins

48、tantiation 68 Figure 13 Cumulative Role Privilege example . 69 Figure 14 Scope of the roles 72 Figure 15 Fixed accounts with role membership privilege management . 73 Figure 16 Fixed accounts with individual account privilege management . 74 Figure 17 IPMI service processor with role management 75 F

49、igure 18 Credential Management Profile: Class diagram 87 Figure 19 Profile registration (Specialized profile for Certificate Management profile) Figure 20 Certificate Management profile: Class diagram . 103 Figure 21 Profile registration (Certificate Management profile implementation) 126 Figure 22 Simple certificate management . 127 Figure 23 Key store 128 Figure 24 Importing public/private key pair 129 Figure 25 Creating CSR and self-signed certificate . 130 Figure 26

下载提示：本站仅提供存储空间/不修改/不编辑

1.请仔细阅读文档，确保文档完整性，对于不预览、不比对内容而直接下载带来的问题本站不予受理。
2.下载的文档，不会出现我们的网址水印。
3、该文档所得收入（下载+内容+预览）归上传者、原创作者；如果您是本文档原作者，请点此认领！既往收益都归您。

同意并开始全文预览

文档包含非法信息？点此举报后获取现金奖励！

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

10000 积分 0人已下载

下载	加入VIP,交流精品资源

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: ANSIINCITS5392016INFORMATIONTECHNOLOGYCMANAGEMENTOFSECURITYCREDENTIALSPDF

麦多课文档分享所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

关于本文

本文标题：ANSI INCITS 539-2016 Information Technology C Management of Security Credentials.pdf
链接地址：http://www.mydoc123.com/p-435841.html