--- 1/draft-ietf-ipsp-config-policy-model-03.txt 2006-02-04 23:59:50.000000000 +0100 +++ 2/draft-ietf-ipsp-config-policy-model-04.txt 2006-02-04 23:59:50.000000000 +0100 @@ -1,20 +1,20 @@ Internet Engineering Task Force Jamie Jason INTERNET DRAFT Intel Corporation - 20-July-2001 Lee Rafalow + November-2001 Lee Rafalow IBM Eric Vyncke Cisco Systems IPsec Configuration Policy Model - draft-ietf-ipsp-config-policy-model-03.txt + draft-ietf-ipsp-config-policy-model-04.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six @@ -35,61 +35,62 @@ o facilitate agreement about the content and semantics of IPsec policy o enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec- enabled endpoints The schema described in this document models the IKE phase one parameters as described in [IKE] and the IKE phase two parameters for the IPsec Domain of Interpretation as described in [COMP, ESP, AH, DOI]. It is based upon the core policy classes as defined in - the Policy Core Information Model (PCIM) [PCIM]. + the Policy Core Information Model (PCIM) [PCIM] and on the Policy + Core Information Model Extensions (PCIMe) [PCIME]. Table of Contents Status of this Memo................................................1 Abstract...........................................................1 Table of Contents..................................................2 1. Introduction....................................................7 2. UML Conventions.................................................7 3. IPsec Policy Model Inheritance Hierarchy........................8 4. Policy Classes.................................................13 4.1. The Class IPsecPolicyGroup...................................14 4.2. The Class SARule.............................................15 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and PolicyDecisionStrategy............................................15 - 4.2.2 The Property ExecutionStrategy.............................15 + 4.2.2 The Property ExecutionStrategy.............................16 4.2.3 The Property LimitNegotiation..............................17 4.3. The Class IKERule............................................18 4.3.1. The Property IdentityContexts..............................18 4.4. The Class IPsecRule..........................................19 4.6. The Association Class IPsecPolicyForEndpoint.................19 - 4.6.1. The Reference Antecedent...................................19 - 4.6.2. The Reference Dependent....................................19 + 4.6.1. The Reference Antecedent...................................20 + 4.6.2. The Reference Dependent....................................20 4.7. The Association Class IPsecPolicyForSystem...................20 4.7.1. The Reference Antecedent...................................20 4.7.2. The Reference Dependent....................................20 - 4.8. The Aggregation Class RuleForIKENegotiation..................20 - 4.8.1. The Property Priority......................................20 - 4.8.2. The Reference GroupComponent...............................20 + 4.8. The Aggregation Class RuleForIKENegotiation..................21 + 4.8.1. The Property Priority......................................21 + 4.8.2. The Reference GroupComponent...............................21 4.8.3. The Reference PartComponent................................21 4.9. The Aggregation Class RuleForIPsecNegotiation................21 4.9.1. The Property Priority......................................21 - 4.9.2. The Reference GroupComponent...............................21 - 4.9.3. The Reference PartComponent................................21 - 4.10. The Aggregation Class SAConditionInRule.....................21 + 4.9.2. The Reference GroupComponent...............................22 + 4.9.3. The Reference PartComponent................................22 + 4.10. The Aggregation Class SAConditionInRule.....................22 4.10.1. The Properties GroupNumber and ConditionNegated...........22 4.10.2. The Reference GroupComponent..............................22 4.10.3. The Reference PartComponent...............................22 4.11. The Aggregation Class PolicyActionInSARule..................22 - 4.11.1. The Reference GroupComponent..............................22 + 4.11.1. The Reference GroupComponent..............................23 4.11.2. The Reference PartComponent...............................23 4.11.3. The Property ActionOrder..................................23 5. Condition and Filter Classes...................................24 5.1. The Class SACondition........................................24 5.2. The Class IPHeaderFilter.....................................25 5.3. The Class CredentialFilterEntry..............................25 5.3.1. The Property MatchFieldName................................25 5.3.2. The Property MatchFieldValue...............................26 5.3.3. The Property CredentialType................................26 5.4. The Class IPSOFilterEntry....................................26 @@ -112,63 +113,64 @@ 6.2.1. The Property LifetimeSeconds...............................33 6.3. The Class IPsecBypassAction..................................34 6.4. The Class IPsecDiscardAction.................................34 6.5. The Class IKERejectAction....................................34 6.6. The Class PreconfiguredSAAction..............................34 6.6.1. The Property LifetimeKilobytes.............................35 6.7. The Class PreconfiguredTransportAction.......................35 6.8. The Class PreconfiguredTunnelAction..........................36 6.8.1. The Property DFHandling....................................36 6.9. The Class SANegotiationAction................................36 - 6.9.1. The Property MinLifetimeSeconds............................37 - 6.9.2. The Property MinLifetimeKilobytes..........................37 - 6.9.3. The Property RefreshThresholdSeconds.......................37 - 6.9.4. The Property RefreshThresholdKilobytes.....................38 - 6.9.5. The Property IdleDurationSeconds...........................38 - 6.10. The Class IPsecAction.......................................38 - 6.10.1. The Property UsePFS.......................................39 - 6.10.2. The Property UseIKEGroup..................................39 - 6.10.3. The Property GroupId......................................39 - 6.10.4. The Property Granularity..................................40 - 6.10.5. The Property VendorID.....................................40 - 6.11. The Class IPsecTransportAction..............................40 - 6.12. The Class IPsecTunnelAction.................................40 - 6.12.1. The Property DFHandling...................................41 - 6.13. The Class IKEAction.........................................41 - 6.13.1. The Property RefreshThresholdDerivedKeys..................41 - 6.13.2. The Property ExchangeMode.................................42 - 6.13.3. The Property UseIKEIdentityType...........................42 - 6.13.4. The Property VendorID.....................................42 - 6.13.5. The Property AggressiveModeGroupId........................42 - 6.14. The Class PeerGateway.......................................43 - 6.14.1. The Property Name.........................................43 - 6.14.2. The Property PeerIdentityType.............................43 - 6.14.3. The Property PeerIdentity.................................44 - 6.15. The Association Class PeerGatewayForTunnel..................44 - 6.15.1. The Reference Antecedent..................................44 - 6.15.2. The Reference Dependent...................................44 - 6.15.3. The Property SequenceNumber...............................45 - 6.16. The Aggregation Class ContainedProposal.....................45 - 6.16.1. The Reference GroupComponent..............................45 - 6.16.2. The Reference PartComponent...............................45 + 6.10. The Class IKENegotiationAction..............................37 + 6.10.1. The Property MinLifetimeSeconds...........................37 + 6.10.2. The Property MinLifetimeKilobytes.........................37 + 6.10.3. The Property RefreshThresholdSeconds......................38 + 6.10.4. The Property RefreshThresholdKilobytes....................38 + 6.10.5. The Property IdleDurationSeconds..........................38 + 6.11. The Class IPsecAction.......................................39 + 6.11.1. The Property UsePFS.......................................39 + 6.11.2. The Property UseIKEGroup..................................39 + 6.11.3. The Property GroupId......................................40 + 6.11.4. The Property Granularity..................................40 + 6.11.5. The Property VendorID.....................................40 + 6.12. The Class IPsecTransportAction..............................41 + 6.13. The Class IPsecTunnelAction.................................41 + 6.13.1. The Property DFHandling...................................41 + 6.14. The Class IKEAction.........................................41 + 6.14.1. The Property RefreshThresholdDerivedKeys..................42 + 6.14.2. The Property ExchangeMode.................................42 + 6.14.3. The Property UseIKEIdentityType...........................42 + 6.14.4. The Property VendorID.....................................43 + 6.14.5. The Property AggressiveModeGroupId........................43 + 6.15. The Class PeerGateway.......................................43 + 6.15.1. The Property Name.........................................43 + 6.15.2. The Property PeerIdentityType.............................44 + 6.15.3. The Property PeerIdentity.................................44 + 6.16. The Association Class PeerGatewayForTunnel..................44 + 6.16.1. The Reference Antecedent..................................45 + 6.16.2. The Reference Dependent...................................45 6.16.3. The Property SequenceNumber...............................45 - 6.17. The Association Class HostedPeerGatewayInformation..........46 - 6.17.1. The Reference Antecedent..................................46 - 6.17.2. The Reference Dependent...................................46 - 6.18. The Association Class TransformOfPreconfiguredAction........46 - 6.18.1. The Reference Antecedent..................................47 + 6.17. The Aggregation Class ContainedProposal.....................45 + 6.17.1. The Reference GroupComponent..............................46 + 6.17.2. The Reference PartComponent...............................46 + 6.17.3. The Property SequenceNumber...............................46 + 6.18. The Association Class HostedPeerGatewayInformation..........46 + 6.18.1. The Reference Antecedent..................................46 6.18.2. The Reference Dependent...................................47 - 6.18.3. The Property SPI..........................................47 - 6.18.4. The Property Direction....................................47 - 6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47 - 6.19.1. The Reference Antecedent..................................48 - 6.19.2. The Reference Dependent...................................48 + 6.19. The Association Class TransformOfPreconfiguredAction........47 + 6.19.1. The Reference Antecedent..................................47 + 6.19.2. The Reference Dependent...................................47 + 6.19.3. The Property SPI..........................................47 + 6.19.4. The Property Direction....................................48 + 6.20 The Association Class PeerGatewayForPreconfiguredTunnel......48 + 6.20.1. The Reference Antecedent..................................48 + 6.20.2. The Reference Dependent...................................48 7. Proposal and Transform Classes.................................49 7.1. The Abstract Class SAProposal................................49 7.1.1. The Property Name..........................................49 7.2. The Class IKEProposal........................................50 7.2.1. The Property LifetimeDerivedKeys...........................50 7.2.2. The Property CipherAlgorithm...............................50 7.2.3. The Property HashAlgorithm.................................51 7.2.4. The Property PRFAlgorithm..................................51 7.2.5. The Property GroupId.......................................51 7.2.6. The Property AuthenticationMethod..........................51 @@ -265,26 +267,22 @@ 8.17.2. The Reference Dependent...................................74 8.18. The Association Class IKEIdentitysCredential................75 8.18.1. The Reference Antecedent..................................75 8.18.2. The Reference Dependent...................................75 9. Implementation Requirements....................................75 10. Security Considerations.......................................79 11. Intellectual Property.........................................80 12. Acknowledgments...............................................80 13. References....................................................80 14. Disclaimer....................................................81 - 15. Authors' Addresses............................................81 + 15. Authors' Addresses............................................82 16. Full Copyright Statement......................................82 - Appendix A (DMTF Core Model MOF)..................................82 - Appendix B (DMTF User Model MOF)..................................97 - Appendix C (DMTF Network Model MOF)..............................112 - Appendix D (DMTF Policy Model MOF)...............................121 1. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in @@ -303,21 +301,21 @@ This document is organized as follows: o Section 2 provides a quick introduction to the Unified Modeling Language (UML) graphical notation conventions used in this document. o Section 3 provides the inheritance hierarchy that describes where the IPsec policy classes fit into the policy class hierarchy already defined by the Policy Core Information Model - (PCIM). + (PCIM) and Policy Core Information Model Extensions (PCIMe). o Sections 4 through 8 describes the class that make up the IPsec policy model. o Section 9 presents the implementation requirements for the classes in the model (i.e., the MUST/MAY/SHOULD status). The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. @@ -369,79 +367,80 @@ It should be noted that the UML static class diagram presented is a conceptual view of IPsec policy designed to aid in understanding. It does not necessarily get translated class for class into another representation. For example, an LDAP implementation may flatten out the representation to fewer classes (because of the inefficiency of following references). 3. IPsec Policy Model Inheritance Hierarchy - Like PCIM from which it is derived, the IPsec Configuration Policy - Model derives from and uses classes defined in the DMTF Common - Information Model (CIM). The following tree represents the - inheritance hierarchy for the IPsec policy model classes and how - they fit into PCIM and the other DMTF models (see Appendices for - descriptions of classes that are not being introduced as part of - IPsec model). CIM classes that are not used as a superclass from - which to derive new classes but are only referenced are not included - this inheritance hierarchy, but are included in the appropriate - appendix. + Like PCIM and PCIMe from which it is derived, the IPsec + Configuration Policy Model derives from and uses classes defined in + the DMTF [DMTF] Common Information Model (CIM). The following tree + represents the inheritance hierarchy for the IPsec policy model + classes and how they fit into PCIM, PCIMe and the other DMTF models + (see Appendices for descriptions of classes that are not being + introduced as part of IPsec model). CIM classes that are not used + as a superclass from which to derive new classes but are only + referenced are not included this inheritance hierarchy, but can be + found in the appropriate DMTF document [CIMCORE], [CIMUSER] or + [CIMNETWORK]. - ManagedElement (DMTF Core Model - Appendix A) + ManagedElement (DMTF Core Model - [CIMCORE]) | - +--Collection (DMTF Core Model - Appendix A) + +--Collection (DMTF Core Model - [CIMCORE]) | | | +--PeerIdentityTable | - +--ManagedSystemElement (DMTF Core Model - Appendix A) + +--ManagedSystemElement (DMTF Core Model - [CIMCORE]) | | - | +--LogicalElement (DMTF Core Model - Appendix A) + | +--LogicalElement (DMTF Core Model - [CIMCORE]) | | - | +--FilterEntryBase (DMTF Network Model - Appendix C) + | +--FilterEntryBase (DMTF Network Model - [CIMNETWORK]) | | | | | +--CredentialFilterEntry | | | - | | +--IPHeaderFilter (DMTF Network Model - Appendix C) + | | +--IPHeaderFilter (PCIMe) | | | | | +--IPSOFilterEntry | | | | | +--PeerIDPayloadFilterEntry | | | +--PeerGateway | | | +--PeerIdentityEntry | | - | +--Service (DMTF Core Model - Appendix A) - | | - | +--NetworkService (DMTF Network Model - Appendix C) + | +--Service (DMTF Core Model - [CIMCORE]) | | | +--IKEService | - +--OrganizationalEntity (DMTF User Model - Appendix B) + +--OrganizationalEntity (DMTF User Model - [CIMUSER]) | | - | +--UserEntity (DMTF User Model - Appendix B) + | +--UserEntity (DMTF User Model - [CIMUSER]) | | - | +--UsersAccess (DMTF User Model - Appendix B) + | +--UsersAccess (DMTF User Model - [CIMUSER]) | | | +--IKEIdentity | +--Policy (PCIM) | | | +--PolicyAction (PCIM) | | | - | | +--CompoundPolicyAction (DMTF Policy Model - Appendix D) + | | +--CompoundPolicyAction (PCIMe) | | | | | +--SAAction | | | | | +--SANegotiationAction | | | | + | | | +--IKENegotiationAction + | | | | | | | +--IKEAction | | | | | | | +--IPsecAction | | | | | | | +--IPsecTransportAction | | | | | | | +--IPsecTunnelAction | | | | | +--SAStaticAction | | | @@ -454,27 +453,27 @@ | | +--PreconfiguredSAAction | | | | | +--PreconfiguredTransportAction | | | | | +--PreconfiguredTunnelAction | | | +--PolicyCondition (PCIM) | | | | | +--SACondition | | - | +--PolicySet (DMTF Policy Model - Appendix D) + | +--PolicySet (PCIMe) | | | - | | +--PolicyGroup (PCIM) + | | +--PolicyGroup (PCIM & PCIMe) | | | | | | | +--IPsecPolicyGroup | | | - | | +--PolicyRule (PCIM) + | | +--PolicyRule (PCIM & PCIMe) | | | | | +--SARule | | | | | +--IKERule | | | | | +--IPsecRule | | | +--SAProposal | | | | | +--IKEProposal @@ -482,40 +481,40 @@ | | +--IPsecProposal | | | +--SATransform | | | +--AHTransform | | | +--ESPTransform | | | +--IPCOMPTransform | - +--Setting (DMTF Core Model - Appendix A) + +--Setting (DMTF Core Model - [CIMCORE]) | | - | +--SystemSetting (DMTF Core Model - Appendix A) + | +--SystemSetting (DMTF Core Model - [CIMCORE]) | | | +--AutostartIKESetting | - +--SystemConfiguration (DMTF Core Model - Appendix A) + +--SystemConfiguration (DMTF Core Model - [CIMCORE]) | +--AutostartIKEConfiguration The following tree represents the inheritance hierarchy of the IPsec policy model association classes and how they fit into PCIM and the other DMTF models (see Appendices for description of associations classes that are not being introduced as part of IPsec model). - Dependency (DMTF Core Model - Appendix A) + Dependency (DMTF Core Model - [CIMCORE]) | +--AcceptCredentialsFrom | - +--ElementAsUser (DMTF User Model - Appendix B) + +--ElementAsUser (DMTF User Model - [CIMUSER]) | | | +--EndpointHasLocalIKEIdentity | | | +--CollectionHasLocalIKEIdentity | +--FilterOfSACondition | +--HostedPeerGatewayInformation | +--HostedPeerIdentityTable @@ -539,155 +538,165 @@ +--PeerGatewayForTunnel | +--PolicyInSystem (PCIM) | | | +--SAProposalInSystem | | | +--SATransformInSystem | +--TransformOfPreconfiguredAction | - +--UsersCredential (DMTF User Model - Appendix B) + +--UsersCredential (DMTF User Model - [CIMUSER]) | +--IKEIdentitysCredential - ElementSetting (DMTF Core Model - Appendix A) + ElementSetting (DMTF Core Model - [CIMCORE]) | +--IKEAutostartSetting - MemberOfCollection (DMTF Core Model - Appendix A) + MemberOfCollection (DMTF Core Model - [CIMCORE]) | +--PeerIdentityMember PolicyComponent (PCIM) | +--ContainedProposal | +--ContainedTransform | - +--PolicyActionInPolicyRule (PCIM) + +--PolicyActionStructure (PCIMe) + | | + | +--PolicyActionInPolicyRule (PCIM & PCIMe) | | | +--PolicyActionInSARule | - +--PolicyConditionInPolicyRule (PCIM) + +--PolicyConditionStructure (PCIMe) + | | + | +--PolicyConditionInPolicyRule (PCIM & PCIMe) | | | +--SAConditionInRule | - +--PolicySetComponent (DMTF Policy Model - Appendix D) + +--PolicySetComponent (PCIMe) | +--RuleForIKENegotiation | +--RuleForIPsecNegotiation - SystemSettingContext (DMTF Core Model - Appendix A) + SystemSettingContext (DMTF Core Model - [CIMCORE]) | +--AutostartIKESettingContext 4. Policy Classes The IPsec policy classes represent the set of policies that are contained on a system. +--------------+ | PolicySet |* - | (Appendix D) |o--+ + | ([PCIMe]) |o--+ +--------------+ | ^ *| |(a) | +------+ | +--------------------+ +-------------+ | IPProtocolEndpoint | | PolicyGroup | - | (Appendix C) | | ([PCIM]) | + | ([CIMNETWORK]) | | ([PCIM]) | +--------------------+ +-------------+ |* ^ +-----------------+ | |(b) | | | |0..1 | +------------------+0..1 (c) *+------------+ | IPsecPolicyGroup |-----------| System | - +------------------+ |(Appendix A)| + +------------------+ | ([CIMCORE])| 1 o o 1 +------------+ (d) | | (e) +-----------------------+ +--------------------------+ | | | +---------------------------+ | | | PolicyTimePeriodCondition | | | | ([PCIM]) | | | +---------------------------+ | | *| | | |(f) | | *o | | +-------------+n *+--------+* n+--------------+ | | | SACondition |------o| SARule |o-------| PolicyAction | | | +-------------+ (g) +--------+ (h) | ([PCIM]) | | | ^ +--------------+ | | | *| ^ | | | |(i) | | | | *o | | | +-----------------+ +----------------------+ | | | | | CompoundPolicyAction | | - | | | | (Appendix D) | | + | | | | ([PCIMe]) | | | | | +----------------------+ | | *+---------+ +-----------+* | +-----| IKERule | | IPsecRule |---------------------------+ +---------+ +-----------+ - (a) PolicySetComponent (Appendix D) + (a) PolicySetComponent ([PCIMe]) (b) IPsecPolicyForEndpoint (c) IPsecPolicyForSystem (d) RuleForIKENegotiation (e) RuleForIPsecNegotiation (f) PolicyRuleValidityPeriod ([PCIM]) (g) SAConditionInRule (h) PolicyActionInSARule - (i) PolicyActionInPolicyAction + (i) PolicyActionInPolicyAction ([PCIMe]) An IPsecPolicyGroup represents the set of policies that are used on an interface. This IPsecPolicyGroup SHOULD be associated either directly with the IPProtocolEndpoint class instance that represents the interface (via the IPsecPolicyForEndpoint association) or indirectly (via the IPsecPolicyForSystem association) associated with the System that hosts the interface. The IKE and IPsec rules are used to build or to negotiate the IPsec - SADB. The SADB itself is not modeled by this document. + SADB. The IPsec rules represent the Security Policy Database. The + SADB itself is not modeled by this document. The rules usage can be described as (see also section 6 about actions): o an egress unprotected packet will first be checked against the - SADB. If no match is found, the IPsec rules will be checked. If - IKE negotiation is required by an IPsec rule, the corresponding - IKE rules will be used if no IKE SA already exists. The - negotiated or preconfigured SA will then be installed in the - SADB. + IPsec rules. If a match is found, the SADB will be checked. If + there is no corresponding IPsec SA in the SADB and if IKE + negotiation is required by the IPsec rule, the corresponding IKE + rules will be used. The negotiated or preconfigured SA will then + be installed in the SADB. o An ingress unprotected packet will first be checked against the - IPsec SADB. If no match is found, the IPsec rules will be - checked for a preconfigured SA. If a preconfigured SA exists, - this SA will be installed in the IPsec SADB. - o An ingress protected packet will be checked exactly as an - ingress unprotected packet. + IPsec rules. If a match is found, the SADB will be checked for a + corresponding IPsec SA. If there is no corresponding IPsec SA + and a preconfigured SA exists, this preconfigured SA will be + installed in the IPsec SADB. This behavior should only apply to + bypass and discard actions. + o An ingress protected packet will first be checked against the + IPsec rules. If a match is found, the SADB will be checked for a + corresponding IPsec SA. If there is no corresponding IPsec SA + and a preconfigured SA exists, this preconfigured SA will be + installed in the IPsec SADB. o An ingress IKE negotiation packet, which is not part of an existing IKE SA, will be checked against the IKE rules. The negotiated SA will then be installed in the SADB. 4.1. The Class IPsecPolicyGroup The class IPsecPolicyGroup serves as a container of either other IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The class definition for IPsecPolicyGroup is as follows: NAME IPsecPolicyGroup DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. - DERIVED FROM PolicyGroup (see [PCIM]) + DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe]) ABSTRACT FALSE PROPERTIES PolicyGroupName (from PolicyGroup) PolicyDescisionStrategy (from PolicySet) NOTE: for derivations of the schema that are used for policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of PolicySetComponent associations and create one policy group which is simply a set of all of the IKE rules and a set of all of the IPsec rules. See the section on the PolicySetComponent aggregation for information on merging multiple @@ -701,167 +710,152 @@ actions for both types of rules. Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association. Each valid IpsecPolicyGroup MUST contain SARules that each have a unique associated priority number in PolicySetComponent.Priority. The class definition for SARule is as follows: NAME SARule DESCRIPTION A base class for IKERule and IPsecRule. - DERIVED FROM PolicyRule (see [PCIM]) + DERIVED FROM PolicyRule (see [PCIM] & [PCIMe]) ABSTRACT FALSE PROPERTIES PolicyRuleName (from PolicyRule) Enabled (from PolicyRule) ConditionListType (from PolicyRule) RuleUsage (from PolicyRule) Mandatory (from PolicyRule) SequencedActions (from PolicyRule) ExecutionStrategy (from PolicyRule) PolicyRoles (from PolicyRule) PolicyDecisionStrategy (from PolicySet) LimitNegotiation 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and PolicyDecisionStrategy - For a description of these properties, see Appendix D. + For a description of these properties, see [PCIM] and [PCIME]. In SARule subclass instances: - if the property Mandatory exists, it MUST be set to "true" - if the property SequencedActions exists, it MUST be set to "mandatory" - the property PolicyRoles is not used in the device-level model - if the property PolicyDecisionStrategy exists, it must be set to "FirstMatching" 4.2.2 The Property ExecutionStrategy - The ExecutionStrategy properties in the PolicyRule subclasses (and in - - the CompoundPolicyAction class) determine the behavior of the + The ExecutionStrategy properties in the PolicyRule subclasses (and + in the CompoundPolicyAction class) determine the behavior of the contained actions. It defines the strategy to be used in executing - the sequenced actions aggregated by a rule or a compound action. In - the case of actions within a rule, the PolicyActionInSARule - aggregation is used to collect the actions into an ordered set; in - the case of a compound action, the PolicyActionInPolicyAction - aggregation is used to collect the actions into an ordered subset. There are three execution strategies: do until success, do all and do until failure. - ôDo Until Successö causes the execution of actions according to the + "Do Until Success" causes the execution of actions according to the ActionOrder property in the aggregation instances until a successful execution of a single action. These actions may be evaluated to determine if they are appropriate to execute rather than blindly trying each of the actions until one succeeds. For an initiator, they are tried in the ActionOrder until the list is exhausted or one completes successfully. For example, an IKE initiator may have several IKEActions for the same SACondition. The initiator will try all IKEActions in the order defined by ActionOrder. I.e. it will possibly try several phase 1 negotiations possibly with different modes (main mode then aggressive mode) and/or with possibly multiple IKE peers. For a responder, when there is more than one action in the rule with "do until success" condition clause this provides alternative actions depending on the received proposals. For example, the same IKERule may be used to handle aggressive mode and main mode negotiations with different actions. The responder uses the first appropriate action in the list of actions. - ôDo Allö causes the execution all of the actions in aggregated set - + "Do All" causes the execution all of the actions in aggregated set according to their defined order. The execution continues regardless - of failures. - ôDo Until Failureö causes the execution of all actions according to - + "Do Until Failure" causes the execution of all actions according to predefined order until the first failure in execution of an action - instance. - For example, in a nested SAs case the actions of an initiatorÆs rule - + For example, in a nested SAs case the actions of an initiator's rule might be structured as: - IPsecRule.ExecutionStrategy=ÆDo AllÆ - + IPsecRule.ExecutionStrategy='Do All' | - +---1--- IPsecTunnelAction // set up SA from host to gateway - | - - +---2--- IPsecTransportAction // set up SA from host thru tunnel - - // to remote host + +---2--- IPsecTransportAction // set up SA from host through + // tunnel to remote host Another example, showing a rule with fallback actions might be - structured as: - IPsecRule.ExecutionStrategy=ÆDo Until SuccessÆ - + IPsecRule.ExecutionStrategy='Do Until Success' | - +---6--- IPsecTransportAction // negotiate SA with peer - | + +---9--- IPsecBypassAction // but if you must, allow in the clear - +---9--- IPsecBypassAction // but if you must, allow in the - - // clear - - The CompoundPolicyAction class (See Appendix D) may be used in - + The CompoundPolicyAction class (See [PCIME]) may be used in constructing the actions of IKE and IPsec rules when those rules - specify both multiple actions and fallback actions. The - ExecutionStrategy property in CompoundPolicyAction is used in - conjunction with that in the PolicyRule. For example, in nesting SAs with a fallback security gateway, the - actions of a rule might be structured as: - IPsecRule.ExecutionStrategy=ÆDo AllÆ - + IPsecRule.ExecutionStrategy='Do All' | - - +---1--- CompoundPolicyAction.ExecutionStrategy=ÆDo Until SuccessÆ - + +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success' | | - | +---1--- IPsecTunnelAction // set up SA from host to - | | // gateway1 - | | - | +---2--- IPsecTunnelAction // or set up SA to gateway2 - | - +---2--- IPsecTransportAction // then set up SA from host + // through tunnel to remote + // host - // thru tunnel to remote host + In the case of "Do All", a couple of actions can be executed + successfully before a subsequent action fails. In this case, some + IKE or IPsec actions may have resulted in SA creation. Even if the + net effect of the aggregated actions is failure, those created SA + MAY be kept or MAY be deleted. -4.2.3 The Property LimitNegotiation + In the case of "Do All", the IPsec selectors to be used during IPsec + SA negotiation are: + + for the last IPsecAction of the aggregation (i.e. usually the + innermost IPsec SA): this is the combination of the IPHeadersFilter + class and of the Granularity property of the IpsecAction; + for all other IPsecActions of the aggregation: the selector is the + source IP address being the local IP address and the destination IP + address being the PeerGateway IP address of the following + IPsecAction of the "Do All" aggregation. NB: the granularity is IP + address to IP address. + + If the above behavior is not desirable, the alternative is to define + several SARules one for each IPsec SA to be built. This will allow + the definition of specific IPsec selectors for all IpsecActions. + +4.2.3 The Property LimitNegotiation The property LimitNegotiation is used as part of processing either an IKE or an IPsec rule. Before proceeding with a phase 1 negotiation, this property is checked to determine if the negotiation role of the rule matches that defined for the negotiation being undertaken (e.g., Initiator, Responder, or Both). If this check fails (e.g. the current role is IKE responder while the rule specifies IKE initiator), then the IKE negotiation is stopped. Note that this only applies to new IKE phase 1 negotiations and has no effect on either renegotiation or refresh @@ -877,22 +871,22 @@ negotiation is a refresh operation by checking to see if the selector information matches that of an existing SA. If LimitNegotiation does not match and the selector corresponds to a new SA, the negotiation is stopped. The property is defined as follows: NAME LimitNegotiation DESCRIPTION Limits the role to be undertaken during negotiation. SYNTAX unsigned 16-bit integer - VALUE 1 û initiator-only - 2 û responder-only + VALUE 1 - initiator-only + 2 - responder-only 3 - both 4.3. The Class IKERule The class IKERule associates Conditions and Actions for IKE phase 1 negotiations. The class definition for IKERule is as follows: NAME IKERule DESCRIPTION Associates Conditions and Actions for IKE phase 1 negotiations. @@ -956,21 +950,21 @@ The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with a specific network interface. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem associated IPsecPolicyGroup is used for that endpoint. The class definition for IPsecPolicyForEndpoint is as follows: NAME IPsecPolicyForEndpoint DESCRIPTION Associates a policy group to a network interface. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]] Dependent[ref IPsecPolicyGroup[0..1]] 4.6.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may be associated with zero or more IPProtocolEndpoint instances. @@ -986,21 +980,21 @@ The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a specific system. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem associated IPsecPolicyGroup is used for that endpoint. The class definition for IPsecPolicyForSystem is as follows: NAME IPsecPolicyForSystem DESCRIPTION Default policy group for a system. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref System[0..n]] Dependent[ref IPsecPolicyGroup[0..1]] 4.7.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may have an association to zero or more System instances. @@ -1014,31 +1008,32 @@ 4.8. The Aggregation Class RuleForIKENegotiation The class RuleForIKENegotiation associates an IKERule with the IPsecPolicyGroup that contains it. The class definition for RuleForIKENegotiation is as follows: NAME RuleForIKENegotiation DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that contains it. - DERIVED FROM PolicySetComponent (see Appendix D) + DERIVED FROM PolicySetComponent (see [PCIME]) ABSTRACT FALSE PROPERTIES Priority (from PolicySetComponent) GroupComponent [ref IPsecPolicyGroup [1..1]] PartComponent [ref IKERule [0..n]] 4.8.1. The Property Priority - For a description of this property, see Appendix D. + For a description of this property, see [PCIME]. 4.8.2. The Reference GroupComponent + The property GroupComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IKERule instance may be contained in one and only one IPsecPolicyGroup instance (i.e., IKERules are not shared across IPsecPolicyGroups). 4.8.3. The Reference PartComponent The property PartComponent is inherited from PolicyRuleInPolicyGroup @@ -1048,29 +1043,28 @@ 4.9. The Aggregation Class RuleForIPsecNegotiation The class RuleForIPsecNegotiation associates an IPsecRule with the IPsecPolicyGroup that contains it. The class definition for RuleForIPsecNegotiation is as follows: NAME RuleForIPsecNegotiation DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that contains it. - DERIVED FROM PolicySetComponent (see Appendix D) + DERIVED FROM PolicySetComponent (see [PCIME]) ABSTRACT FALSE PROPERTIES Priority (from PolicySetComponent) GroupComponent [ref IPsecPolicyGroup [1..1]] PartComponent [ref IPsecRule [0..n]] 4.9.1. The Property Priority - - For a description of this property, see Appendix D. + For a description of this property, see [PCIME]. 4.9.2. The Reference GroupComponent The property GroupComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IPsecRule instance may be contained in only one IPsecPolicyGroup instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). 4.9.3. The Reference PartComponent @@ -1074,28 +1068,29 @@ instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). 4.9.3. The Reference PartComponent The property PartComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecRule instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may contain zero or more IPsecRules instance. 4.10. The Aggregation Class SAConditionInRule + The class SAConditionInRule associates an SARule with the SACondition instance(s) that trigger(s) it. The class definition for SAConditionInRule is as follows: NAME SAConditionInRule DESCRIPTION Associates an SARule with the SACondition instance(s) that trigger(s) it. - DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) + DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe]) ABSTRACT FALSE PROPERTIES GroupNumber (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule) GroupComponent [ref SARule [0..n]] PartComponent [ref SACondition [1..n]] 4.10.1. The Properties GroupNumber and ConditionNegated For a description of these properties, see [PCIM]. @@ -1120,27 +1114,28 @@ the contained actions MUST be either subclasses of SAAction or instances of CompoundPolicyAction. For an IKERule, the contained actions MUST be related to phase 1 processing, i.e., IKEAction or IKERejectAction. Similarly, for an IPsecRule, contained actions MUST be related to phase 2 or preconfigured SA processing, e.g., IPsecTransportAction, IPsecBypassAction, etc. The class definition for PolicyActionInSARule is as follows: NAME PolicyActionInSARule DESCRIPTION Associates an SARule with its PolicyAction(s). - DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) + DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe]) ABSTRACT FALSE PROPERTIES GroupComponent [ref SARule [0..n]] PartComponent [ref PolicyAction [1..n]] ActionOrder (from PolicyActionInPolicyRule) 4.11.1. The Reference GroupComponent + The property GroupComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SAAction instance may be contained in zero or more SARule instances. 4.11.2. The Reference PartComponent The property PartComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SAAction or CompoundPolicyAction instance. The [1..n] cardinality indicates @@ -1171,50 +1166,50 @@ The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules. *+-------------+ +--------------------| SACondition | | +-------------+ | * | | |(a) | 1 | - | +--------------+ + | +---------------+ | | FilterList | - | | (Appendix C) | - | +--------------+ + | |([CIMNETWORK]) | + | +---------------+ | 1 o |(b) |(c) | * | | +-----------------+ | | FilterEntryBase | - | | (Appendix C) | + | | ([CIMNETWORK]) | | +-----------------+ | ^ | | | +----------------+ | +-----------------------+ | | IPHeaderFilter |----+----| CredentialFilterEntry | - | | (Appendix C) | | +-----------------------+ + | | ([PCIME]) | | +-----------------------+ | +----------------+ | | | | +-----------------+ | +--------------------------+ | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | +-----------------+ +--------------------------+ | | *+-----------------------------+ +------------| CredentialManagementService | - | (Appendix B) | + | ([CIMUSER]) | +-----------------------------+ (a) FilterOfSACondition (b) AcceptCredentialsFrom - (c) EntriesInFilterList (see Appendix C) + (c) EntriesInFilterList (see [CIMNETWORK]) 5.1. The Class SACondition The class SACondition defines the conditions of rules for IKE and IPsec negotiations. Conditions are associated with policy rules via the SAConditionInRule aggregation. It is used as an anchor point to associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association. @@ -1233,21 +1228,21 @@ NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsec negotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition) 5.2. The Class IPHeaderFilter - The class IPHeaderFilter is defined in appendix C with the following + The class IPHeaderFilter is defined in [PCIMe] with the following note: 1) to specify 5-tuple filters that are to apply symmetrically (i.e., matches traffic in both directions of the same flow between the two peers), the Direction property of the FilterList should be set to "Mirrored". 5.3. The Class CredentialFilterEntry The class CredentialFilterEntry defines an equivalence class that @@ -1256,21 +1251,21 @@ CredentialManagementService(s) associated with the SACondition (AcceptCredentialsFrom). These credentials can be X.509 certificates, Kerberos tickets, or other types of credentials obtained during the Phase 1 exchange. The class definition for CredentialFilterEntry is as follows: NAME CredentialFilterEntry DESCRIPTION Specifies a match filter based on the IKE credentials. - DERIVED FROM FilterEntryBase (see Appendix C) + DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchFieldName MatchFieldValue CredentialType 5.3.1. The Property MatchFieldName The property MatchFieldName specifies the sub-part of the credential to match against MatchFieldValue. The property is defined as @@ -1300,93 +1295,93 @@ 5.3.3. The Property CredentialType The property CredentialType specifies the particular type of credential that is being matched. The property is defined as follows: NAME CredentialType DESCRIPTION Defines the type of IKE credentials. SYNTAX unsigned 16-bit integer - VALUE 1 û X.509 Certificate - 2 û Kerberos Ticket + VALUE 1 - X.509 Certificate + 2 - Kerberos Ticket 5.4. The Class IPSOFilterEntry The class IPSOFilterEntry is used to match traffic based on the IP Security Options header values (ClassificationLevel and ProtectionAuthority) as defined in RFC1108. This type of filter entry is used to adjust the IPsec encryption level according to the IPSO classification of the traffic (e.g., secret, confidential, restricted, etc. The class definition for IPSOFilterEntry is as follows: NAME IPSOFilterEntry DESCRIPTION Specifies the a match filter based on IP Security Options. - DERIVED FROM FilterEntryBase (see Appendix C) + DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchConditionType MatchConditionValue 5.4.1. The Property MatchConditionType The property MatchConditionType specifies the IPSO header field that will be matched (e.g., traffic classification level or protection authority). The property is defined as follows: NAME MatchConditionType DESCRIPTION Specifies the IPSO header field to be matched. SYNTAX unsigned 16-bit integer - VALUE 1 û ClassificationLevel - 2 û ProtectionAuthority + VALUE 1 - ClassificationLevel + 2 - ProtectionAuthority 5.4.2. The Property MatchConditionValue The property MatchConditionValue specifies the value of the IPSO header field to be matched against. The property is defined as follows: NAME MatchConditionValue DESCRIPTION Specifies the value of the IPSO header field to be matched against. SYNTAX unsigned 16-bit integer VALUE For ClassificationLevel, the values are: - 61 û TopSecret - 90 û Secret - 150 û Confidential - 171 û Unclassified + 61 - TopSecret + 90 - Secret + 150 - Confidential + 171 - Unclassified For ProtectionAuthority, the values are: - 0 û GENSER + 0 - GENSER 1 - SIOP-ESI - 2 û SCI - 3 û NSA + 2 - SCI + 3 - NSA 4 - DOE 5.5. The Class PeerIDPayloadFilterEntry The class PeerIDPayloadFilterEntry defines filters used to match ID payload values from the IKE protocol exchange. PeerIDPayloadFilterEntry permits the specification of certain ID payload values such as "*@company.com" or "193.190.125.0/24". Obviously this filter applies only to IKERules when acting as a responder. Moreover, this filter can be applied immediately in the case of aggressive mode but its application is to be delayed in the case of main mode. The class definition for PeerIDPayloadFilterEntry is as follows: NAME PeerIDPayloadFilterEntry DESCRIPTION Specifies a match filter based on IKE identity. - DERIVED FROM FilterEntryBase (see Appendix C) + DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchIdentityType MatchIdentityValue 5.5.1. The Property MatchIdentityType The property MatchIdentityType specifies the type of identity provided by the peer in the ID payload." The property is defined @@ -1434,21 +1429,21 @@ 5.6. The Association Class FilterOfSACondition The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows: NAME FilterOfSACondition DESCRIPTION Associates a condition with the filter list that make up the individual condition elements. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref FilterList[1..1]] Dependent [ref SACondition[0..n]] 5.6.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a FilterList instance. The [1..1] cardinality indicates that an SACondition instance MUST be associated with one and only one FilterList instance. @@ -1477,21 +1472,21 @@ AcceptCredentialsFrom list of services but there is no CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry that matches all credentials from those services. The class definition for AcceptCredentialFrom is as follows: NAME AcceptCredentialFrom DESCRIPTION Associates a condition with the credential management services to be trusted. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref CredentialManagementService[0..n]] Dependent [ref SACondition[0..n]] 5.7.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an SACondition instance may be associated with zero or more CredentialManagementServices instance. @@ -1509,23 +1504,28 @@ device may take when the evaluation of the associated condition results in a match. +----------+ | SAAction | +----------+ ^ | +-----------+--------------+ | | - *+----------------+ +---------------------+* - | SAStaticAction | | SANegotiationAction |o-----+ - +----------------+ +---------------------+ | + | +---------------------+ + | | SaNegotiationAction | + | +---------------------+ + | ^ + | | + *+----------------+ +----------------------+* + | SAStaticAction | | IKENegotiationAction |o----+ + +----------------+ +----------------------+ | ^ ^ | | | | | +-----------+-------+ | | | | | +-------------------+ | +-------------+ +-----------+ | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | +-------------------+ | +-------------+ +-----------+ | | ^ | +--------------------+ | | +----------------------+ | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | @@ -1542,44 +1542,44 @@ +-----------------------+ | +--------------+ (b) *| ^ | | | | *+-------------+ | | +-------| PeerGateway | | | +-------------+ | | +-----------------------------+ |0..1 *w| | +--| PreconfiguredTransportAction| | |(c) | | +-----------------------------+ | 1| | | | +--------------+ | | +---------------------------+ * | | System | - | +--| PreconfiguredTunnelAction |-----+ | (Appendix A) | + | +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) | | +---------------------------+ (e) +--------------+ | | 2..6+---------------+ +-------| [SATransform] | (d) +---------------+ + (a) PeerGatewayForTunnel (b) ContainedProposal (c) HostedPeerGatewayInformation (d) TransformOfPreconfiguredAction (e) PeerGatewayForPreconfiguredTunnel 6.1. The Class SAAction - The class SAAction serves as the base class for IKE and IPsec - actions. Although the class is concrete, it MUST not be - instantiated. It is used for aggregating different types of actions - to IKE and IPsec rules. The class definition for SAAction is as - follows: + The class SAAction is abstract and serves as the base class for IKE + and IPsec actions. It is used for aggregating different types of + actions to IKE and IPsec rules. The class definition for SAAction + is as follows: NAME SAAction DESCRIPTION The base class for IKE and IPsec actions. DERIVED FROM PolicyAction (see [PCIM]) - ABSTRACT FALSE + ABSTRACT TRUE PROPERTIES PolicyActionName (from PolicyAction) DoActionLogging DoPacketLogging 6.1.1. The Property DoActionLogging The property DoActionLogging specifies whether a log message is to be generated when the action is performed. This applies for SANegotiationActions with the meaning of logging a message when the negotiation is attempted (with the success or failure result). This @@ -1614,30 +1615,29 @@ DESCRIPTION Specifies the whether to log when the resulting security association is used to process the packet. SYNTAX boolean VALUE true - a log message is to be generated when the resulting security association is used to process the packet. false - no log message is to be generated. 6.2. The Class SAStaticAction - The class SAStaticAction serves as the base class for IKE and IPsec - actions that do not require any negotiation. Although the class is - concrete, it MUST not be instantiated. The class definition for - SAStaticAction is as follows: + The class SAStaticAction is abstract and serves as the base class + for IKE and IPsec actions that do not require any negotiation. The + class definition for SAStaticAction is as follows: NAME SAStaticAction DESCRIPTION The base class for IKE and IPsec actions that do not require any negotiation. DERIVED FROM SAAction - ABSTRACT FALSE + ABSTRACT TRUE PROPERTIES LifetimeSeconds 6.2.1. The Property LifetimeSeconds The property LifetimeSeconds specifies how long the security association derived from this action should be used. The property is defined as follows: NAME LifetimeSeconds DESCRIPTION Specifies the amount of time (in seconds) that a @@ -1704,30 +1704,32 @@ 6.6. The Class PreconfiguredSAAction The class PreconfiguredSAAction is used to create a security association using preconfigured, hard-wired algorithms and keys. Notes: - the SPI for a PreconfiguredSAAction is contained in the association, TransformOfPreconfiguredAction; - - the session key (if applicable) is contained in an instance of the - class SharedSecret (see appendix B). The session key is stored in - the property secret, the property protocol contains either "ESP- - encryptö, ôESP-auth" or "AH", the property algorithm contains the - algorithm used to protect the secret (can be "PLAINTEXT" if the - IPsec entity has no secret storage), the value of property - RemoteID is the concatenation of the remote IPsec peer IP address - in dotted decimal, of the character "/", of ôINö (resp. ôOUTö) for - inbound SA (resp. outbound SA), of the character ô/ö and of the - hexadecimal representation of the SPI. + + - the session key (if applicable) is contained in an instance of + the class SharedSecret (see [CIMUSER]). The session key is + stored in the property secret, the property protocol contains + either "ESP-encrypt", "ESP-auth" or "AH", the property + algorithm contains the algorithm used to protect the secret + (can be "PLAINTEXT" if the IPsec entity has no secret storage), + the value of property RemoteID is the concatenation of the + remote IPsec peer IP address in dotted decimal, of the + character "/", of "IN" (resp. "OUT") for inbound SA (resp. + outbound SA), of the character "/" and of the hexadecimal + representation of the SPI. Although the class is concrete, it MUST not be instantiated. The class definition for PreconfiguredSAAction is as follows: NAME PreconfiguredSAAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of a security association. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES LifetimeKilobytes @@ -1788,186 +1789,203 @@ 6.8.1. The Property DFHandling The property DFHandling specifies how the Don't Fragment bit of the internal IP header is to be handled during IPsec processing. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies the processing of the DF bit. SYNTAX unsigned 16-bit integer - VALUE 1 û Copy the DF bit from the internal IP header to the + VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. - 2 û Set the DF bit of the external IP header to 1. - 3 û Clear the DF bit of the external IP header to 0. + 2 - Set the DF bit of the external IP header to 1. + 3 - Clear the DF bit of the external IP header to 0. 6.9. The Class SANegotiationAction - The class SANegotiationAction serves as the base class for IKE and - IPsec actions that result in a IKE negotiation. Although the class - is concrete, is MUST not be instantiated. The class definition for - SANegotiationAction is as follows: + The class SANegotiationAction specifies an action requesting + security policy negotiation. + + This is an abstract class. Currently, only one security policy + negotiation protocol action is subclassed from SANegotiationAction: + the IKENegotiationAction class. It is nevertheless expected that + other security policy negotiation protocols will exist and the + negotiation actions of those new protocols would be modeled as a + subclass of SANegotiationAction. NAME SANegotiationAction + DESCRIPTION Specifies a negotiation action . + DERIVED FROM SAAction + ABSTRACT TRUE + +6.10. The Class IKENegotiationAction + + The class IKENegotiationAction is abstract and serves as the base + class for IKE and IPsec actions that result in a IKE negotiation. + Although the class is concrete, is MUST not be instantiated. The + class definition for IKENegotiationAction is as follows: + + NAME IKENegotiationAction DESCRIPTION A base class for IKE and IPsec actions that specifies the parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. - DERIVED FROM SAAction - ABSTRACT FALSE + DERIVED FROM SANegotiationAction + ABSTRACT TRUE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes RefreshThresholdSeconds RefreshThresholdKilobytes IdleDurationSeconds -6.9.1. The Property MinLifetimeSeconds +6.10.1. The Property MinLifetimeSeconds The property MinLifetimeSeconds specifies the minimum seconds lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeSeconds DESCRIPTION Specifies the minimum acceptable seconds lifetime. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime. -6.9.2. The Property MinLifetimeKilobytes +6.10.2. The Property MinLifetimeKilobytes The property MinLifetimeKilobytes specifies the minimum kilobytes lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows: NAME MinLifetimeKilobytes DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum kilobytes lifetime. -6.9.3. The Property RefreshThresholdSeconds +6.10.3. The Property RefreshThresholdSeconds The property RefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt to renegotiate the security association. A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows: NAME RefreshThresholdSeconds DESCRIPTION Specifies the percentage of seconds lifetime that has expired before the security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the security association should not be renegotiated until the seconds lifetime has been reached. -6.9.4. The Property RefreshThresholdKilobytes +6.10.4. The Property RefreshThresholdKilobytes The property RefreshThresholdKilobytes specifies what percentage of the kilobyte lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A random value may be added to the calculated threshold (percentage x kilobyte lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. Note, that as with the property MinLifetimeKilobytes, this property is probably only relevant to IPsecAction sub-classes. The property is defined as follows: NAME RefreshThresholdKilobytes DESCRIPTION Specifies the percentage of kilobyte lifetime that has expired before the IPsec security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the kilobyte lifetime has been reached. -6.9.5. The Property IdleDurationSeconds +6.10.5. The Property IdleDurationSeconds The property IdleDurationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows: NAME IdleDurationSeconds DESCRIPTION Specifies how long, in seconds, a security association may remain unused before it is deleted. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that idle detection should not be used for the security association (only the seconds and kilobyte lifetimes will be used). Any non- zero value indicates the number of seconds the security association may remain unused. -6.10. The Class IPsecAction +6.11. The Class IPsecAction The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for IPsecAction is as follows: NAME IPsecAction DESCRIPTION A base class for IPsec transport and tunnel actions that specifies the parameters for IKE phase 2 IPsec DOI negotiations. - DERIVED FROM SANegotiationAction + DERIVED FROM IKENegotiationAction ABSTRACT FALSE PROPERTIES UsePFS UseIKEGroup GroupId Granularity VendorID -6.10.1. The Property UsePFS +6.11.1. The Property UsePFS The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows: NAME UsePFS DESCRIPTION Specifies the whether or not to use PFS when refreshing keys. SYNTAX boolean VALUE A value of true indicates that PFS should be used. A value of false indicates that PFS should not be used. -6.10.2. The Property UseIKEGroup +6.11.2. The Property UseIKEGroup The property UseIKEGroup specifies whether or not phase 2 should use the same key exchange group as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows: NAME UseIKEGroup DESCRIPTION Specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, then UseIKEGroup is ignored. SYNTAX boolean VALUE A value of true indicates that the phase 2 GroupId should be the same as phase 1. A value of false indicates that the property GroupId will contain the key exchange group to use for phase 2. -6.10.3. The Property GroupId +6.11.3. The Property GroupId The property GroupId specifies the key exchange group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupID number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the key exchange group to use for phase 2 @@ -1966,143 +1984,142 @@ phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupID number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the key exchange group to use for phase 2 when the property UsePFS is true and the property UseIKEGroup is false. - SYNTAX unsigned 16-bit integer VALUE Consult [IKE] for valid values. -6.10.4. The Property Granularity +6.11.4. The Property Granularity The property Granularity specifies how the selector for the security association should be derived from the traffic that triggered the negotiation. The property is defined as follows: NAME Granularity DESCRIPTION Specifies the how the proposed selector for the security association will be created. SYNTAX unsigned 16-bit integer - VALUE 1 û subnet: the source and destination subnet masks of + VALUE 1 - subnet: the source and destination subnet masks of the filter entry are used. - 2 û address: only the source and destination IP + 2 - address: only the source and destination IP addresses of the triggering packet are used. - 3 û protocol: the source and destination IP addresses + 3 - protocol: the source and destination IP addresses and the IP protocol of the triggering packet are used. - 4 û port: the source and destination IP addresses and + 4 - port: the source and destination IP addresses and the IP protocol and the source and destination layer 4 ports of the triggering packet are used. -6.10.5. The Property VendorID +6.11.5. The Property VendorID The property VendorID is used together with the property GroupID (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is true and UseIKEGroup is false and GroupID is in the vendor-specific range (32768-65535). The property is defined as follows: NAME VendorID DESCRIPTION Specifies the IKE Vendor ID. SYNTAX string -6.11. The Class IPsecTransportAction +6.12. The Class IPsecTransportAction The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport-mode security association. The class definition for IPsecTransportAction is as follows: NAME IPsecTransportAction DESCRIPTION Specifies that an IPsec transport-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE -6.12. The Class IPsecTunnelAction +6.13. The Class IPsecTunnelAction The class IPsecTunnelAction is a subclass of IPsecAction that is used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows: NAME IPsecTunnelAction DESCRIPTION Specifies that an IPsec tunnel-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES DFHandling -6.12.1. The Property DFHandling +6.13.1. The Property DFHandling The property DFHandling specifies how the tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies how to process the DF bit. SYNTAX unsigned 16-bit integer - VALUE 1 û Copy the DF bit from the internal IP header to the + VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. - 2 û Set the DF bit of the external IP header to 1. - 3 û Clear the DF bit of the external IP header to 0. + 2 - Set the DF bit of the external IP header to 1. + 3 - Clear the DF bit of the external IP header to 0. -6.13. The Class IKEAction +6.14. The Class IKEAction The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows: NAME IKEAction DESCRIPTION Specifies the IKE phase 1 negotiation parameters. - DERIVED FROM SANegotiationAction + DERIVED FROM IKENegotiationAction ABSTRACT FALSE PROPERTIES RefreshThresholdDerivedKeys ExchangeMode UseIKEIdentityType VendorID AggressiveModeGroupId -6.13.1. The Property RefreshThresholdDerivedKeys +6.14.1. The Property RefreshThresholdDerivedKeys The property RefreshThresholdDerivedKeys specifies what percentage of the derived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt to renegotiate the IKE phase 1 security association. A random value may be added to the calculated threshold (percentage x derived key limit) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows: NAME RefreshThresholdKilobytes DESCRIPTION Specifies the percentage of derived key limit that has expired before the IKE phase 1 security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the IKE phase 1 security association should not be renegotiated until the derived key limit has been reached. -6.13.2. The Property ExchangeMode +6.14.2. The Property ExchangeMode The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows: NAME ExchangeMode DESCRIPTION Specifies the IKE negotiation mode for phase 1. SYNTAX unsigned 16-bit integer VALUE 1 - base mode 2 - main mode 4 - aggressive mode -6.13.3. The Property UseIKEIdentityType +6.14.3. The Property UseIKEIdentityType The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows: NAME UseIKEIdentityType DESCRIPTION Specifies the IKE identity to use during negotiation. SYNTAX unsigned 16-bit integer @@ -2111,318 +2128,322 @@ 3 - User FQDN 4 - IPv4 Subnet 5 - IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID -6.13.4. The Property VendorID +6.14.4. The Property VendorID The property VendorID specifies the value to be used in the Vendor ID payload. The property is defined as follows: NAME VendorID DESCRIPTION Vendor ID Payload. SYNTAX string VALUE A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder). -6.13.5. The Property AggressiveModeGroupId +6.14.5. The Property AggressiveModeGroupId + The property AggressiveModeGroupId specifies which group ID is to be used in the first packets of the phase 1 negotiation. This property is ignored unless the property ExchangeMode is set to 4 (aggressive mode). If the AggressiveModeGroupID number is from the vendor- specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAME AggressiveModeGroupId DESCRIPTION Specifies the group ID to be used for aggressive mode. SYNTAX unsigned 16-bit integer -6.14. The Class PeerGateway +6.15. The Class PeerGateway The class PeerGateway specifies the security gateway with which the IKE services negotiates. The class definition for PeerGateway is as follows: NAME PeerGateway DESCRIPTION Specifies the security gateway with which to negotiate. - DERIVED FROM LogicalElement (see Appendix A) + DERIVED FROM LogicalElement (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Name PeerIdentityType PeerIdentity -6.14.1. The Property Name +6.15.1. The Property Name The property Name specifies a user-friendly name for this security gateway. The property is defined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for this security gateway. SYNTAX string -6.14.2. The Property PeerIdentityType +6.15.2. The Property PeerIdentityType The property PeerIdentityType specifies the IKE identity type of the security gateway. The property is defined as follows: NAME PeerIdentityType DESCRIPTION Specifies the IKE identity type of the security gateway. SYNTAX unsigned 16-bit integer VALUE 1 - IPv4 Address 2 - FQDN 3 - User FQDN 4 - IPv4 Subnet 5 - IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID -6.14.3. The Property PeerIdentity +6.15.3. The Property PeerIdentity The property PeerIdentity specifies the IKE identity value of the security gateway. A conversion may be needed between the PeerIdentity string representation and the real value used in the ID payload (e.g. IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows: NAME PeerIdentity DESCRIPTION Specifies the IKE identity value of the security gateway. SYNTAX string -6.15. The Association Class PeerGatewayForTunnel +6.16. The Association Class PeerGatewayForTunnel The class PeerGatewayForTunnel associates IPsecTunnelActions with an ordered list of PeerGateways. The class definition for PeerGatewayForTunnel is as follows: NAME PeerGatewayForTunnel DESCRIPTION Associates IPsecTunnelActions with an ordered list of PeerGateways. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IPsecTunnelAction[0..n]] SequenceNumber -6.15.1. The Reference Antecedent +6.16.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that there an IPsecTunnelAction instance may be associated with zero or more PeerGateway instances. Note: the cardinality 0 has a specific meaning: - - when the IKE service acts as a responder, this means that the - IKE service will accept phase 1 negotiation with any other - security gateway; + - when the IKE service acts as a responder, this means that + the IKE service will accept phase 1 negotiation with any + other security gateway; - when the IKE service acts as an initiator, this means that - the IKE service will use the destination IP address (of the - IP packets which triggered the SARule) as the IP address of - the peer IKE entity. + the IKE service will use the destination IP address (of + the IP packets which triggered the SARule) as the IP + address of the peer IKE entity. + +6.16.2. The Reference Dependent -6.15.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to an IPsecTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IPsecTunnelAction instances. -6.15.3. The Property SequenceNumber +6.16.3. The Property SequenceNumber The property SequenceNumber specifies the ordering to be used when evaluating PeerGateway instances for a given IPsecTunnelAction. . The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the order of evaluation for PeerGateways. SYNTAX unsigned 16-bit integer VALUE Lower values are evaluated first. -6.16. The Aggregation Class ContainedProposal +6.17. The Aggregation Class ContainedProposal The class ContainedProposal associates an ordered list of - SAProposals with the SANegotiationAction that aggregates it. If the - referenced SANegotiationAction object is an IKEAction, then the + SAProposals with the IKENegotiationAction that aggregates it. If + the referenced IKENegotiationAction object is an IKEAction, then the referenced SAProposal object(s) must be IKEProposal(s). If the - referenced SANegotiationAction object is an IPsecTransportAction or + referenced IKENegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecProposal(s). The class definition for ContainedProposal is as follows: NAME ContainedProposal DESCRIPTION Associates an ordered list of SAProposals with an - SANegotiationAction. + IKENegotiationAction. + DERIVED FROM PolicyComponent (see [PCIM]) ABSTRACT FALSE - PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] + PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber -6.16.1. The Reference GroupComponent +6.17.1. The Reference GroupComponent - - The property GroupComponent is inherited from PolicyComponent - and is overridden to refer to an SANegotiationAction - instance. The [0..n] cardinality indicates that an - SAProposal instance may be associated with zero or more - SANegotiationAction instances. + - The property GroupComponent is inherited from + PolicyComponent and is overridden to refer to an + IKENegotiationAction instance. The [0..n] cardinality + indicates that an SAProposal instance may be associated with + zero or more IKENegotiationAction instances. -6.16.2. The Reference PartComponent +6.17.2. The Reference PartComponent The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SAProposal instance. The [1..n] - cardinality indicates that an SANegotiationAction instance MUST be + cardinality indicates that an IKENegotiationAction instance MUST be associated with at least one SAProposal instance. -6.16.3. The Property SequenceNumber +6.17.3. The Property SequenceNumber + The property SequenceNumber specifies the order of preference for the SAProposals. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SAProposals. SYNTAX unsigned 16-bit integer VALUE Lower-valued proposals are preferred over proposals with higher values. For ContainedProposals that - reference the same SANegotiationAction, SequenceNumber + reference the same IKENegotiationAction, SequenceNumber values must be unique. -6.17. The Association Class HostedPeerGatewayInformation +6.18. The Association Class HostedPeerGatewayInformation The class HostedPeerGatewayInformation weakly associates a PeerGateway with a System. The class definition for HostedPeerGatewayInformation is as follows: NAME HostedPeerGatewayInformation DESCRIPTION Weakly associates a PeerGateway with a System. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref System[1..1]] Dependent [ref PeerGateway[0..n] [weak]] -6.17.1. The Reference Antecedent +6.18.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerGateway instance MUST be associated with one and only one System instance. -6.17.2. The Reference Dependent +6.18.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerGateway instances. -6.18. The Association Class TransformOfPreconfiguredAction +6.19. The Association Class TransformOfPreconfiguredAction The class TransformOfPreconfiguredAction associates a PreconfiguredSAAction with from two to six SATransforms that will be applied to the inbound and outbound traffic. The order of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows: NAME TransformOfPreconfiguredAction DESCRIPTION Associates a PreconfiguredSAAction with from one to three SATransforms. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref SATransform[2..6]] Dependent[ref PreconfiguredSAAction[0..n]] SPI Direction -6.18.1. The Reference Antecedent +6.19.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [2..6] - cardinality indicates that an SANegotiationAction instance may be + cardinality indicates that an PreconfiguredSAAction instance may be associated with from two to six SATransform instances. -6.18.2. The Reference Dependent +6.19.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more PreconfiguredSAAction instances. -6.18.3. The Property SPI +6.19.3. The Property SPI The property SPI specifies the SPI to be used by the pre-configured action for the associated transform. The property is defined as follows: NAME SPI DESCRIPTION Specifies the SPI to be used with the SATransform. SYNTAX unsigned 32-bit integer -6.18.4. The Property Direction +6.19.4. The Property Direction The property Direction specifies whether the SPI property is for inbound or for outbound traffic. The property is defined as follows: NAME Direction DESCRIPTION Specifies whether the SA is for inbound or outbound traffic. SYNTAX unsigned 8-bit integer - VALUE 1 û this SA is for inbound traffic - 2 û this SA is for outbound traffic + VALUE 1 - this SA is for inbound traffic + 2 - this SA is for outbound traffic -6.19 The Association Class PeerGatewayForPreconfiguredTunnel +6.20 The Association Class PeerGatewayForPreconfiguredTunnel The class PeerGatewayForPreconfiguredTunnel associates one or one PeerGateway with multiple PreconfiguredTunnelActions. The class definition for PeerGatewayForPreconfiguredTunnel is as follows: NAME PeerGatewayForPreconfiguredTunnel DESCRIPTION Associates a PeerGateway with multiple PreconfiguredTunnelAction. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref PeerGateway[0..1]] Dependent[ref PreconfiguredTunnelAction[0..n]] -6.19.1. The Reference Antecedent +6.20.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an PeerGateway instance. The [0..1] cardinality indicates that an PreconfiguredTunnelAction instance may be associated with one PeerGteway instance. -6.19.2. The Reference Dependent +6.20.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredTunnelAction instance. The [0..n] cardinality indicates that an PeerGateway instance may be associated with zero or more PreconfiguredSAAction instances. 7. Proposal and Transform Classes The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations. +--------------+*w 1+--------------+ | [SAProposal] |--------| System | - +--------------+ (a) | (Appendix A) | + +--------------+ (a) | ([CIMCORE]) | ^ +--------------+ | |1 +----------------------+ | | | | +-------------+ +---------------+ | | IKEProposal | | IPsecProposal | | +-------------+ +---------------+ | *o | |(b) |(c) n| | @@ -2546,21 +2567,21 @@ The property GroupId specifies the proposed phase 1 security association key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupID number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the proposed key exchange group for the phase 1 security association. SYNTAX unsigned 16-bit integer - VALUE 0 û Not applicable: used for aggressive mode. Consult + VALUE 0 - Not applicable: used for aggressive mode. Consult [IKE] for other valid values. 7.2.6. The Property AuthenticationMethod The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows: NAME AuthenticationMethod DESCRIPTION Specifies the proposed authentication method for the phase 1 security association. @@ -2847,21 +2868,21 @@ 7.7.1. The Property Algorithm The property Algorithm specifies the transform ID of the IPCOMP compression algorithm to propose. The property is defined as follows: NAME Algorithm DESCRIPTION Specifies the transform ID of the IPCOMP compression algorithm. SYNTAX unsigned 16-bit integer - VALUE 1 û OUI: a vendor specific algorithm is used and + VALUE 1 - OUI: a vendor specific algorithm is used and specified in the property PrivateAlgorithm. Consult [DOI] for other valid values. 7.7.2. The Property DictionarySize The property DictionarySize specifies the log2 maximum size of the dictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignored. The property is defined as follows: @@ -2984,52 +3005,52 @@ The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SATransform instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SATransform instances. 8. IKE Service and Identity Classes +--------------+ +-------------------+ | System | | PeerIdentityEntry | - | (Appendix A) | +-------------------+ + | ([CIMCORE]) | +-------------------+ +--------------+ |*w 1| (a) (b) | +---+ +------------+ | | |*w 1 o +-------------+ +-------------------+ +---------------------+ | PeerGateway | | PeerIdentityTable | | AutostartIKESetting | +-------------+ +-------------------+ +---------------------+ *| *| *| *| +----------------------+ |(d) +----------+ | (c) *| *| *| (e) | *+------------+* |(f) +-----------------| IKEService |-----+ | | (g) +------------+ |(h) | 0..1| *| *| *o +--------------------+ | +---------------------------+ | IPProtocolEndpoint | | | AutostartIKEConfiguration | - | (Appendix C) | (i)| +---------------------------+ + | ([CIMNETWORK]) | (i)| +---------------------------+ +--------------------+ | 0..1| | |(j) +----------------+ *| |* +-------------+* (k) +------------+ +-----------------------------+ | IKEIdentity |-------| Collection | | CredentialManagementService | - +-------------+ 0..1|(Appendix A)| | (Appendix B) | + +-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) | *| +------------+ +-----------------------------+ |(l) *| +--------------+ | Credential | - | (Appendix B) | + | ([CIMUSER]) | +--------------+ (a) HostedPeerIdentityTable (b) PeerIdentityMember (c) IKEServicePeerGateway (d) IKEServicePeerIdentityTable (e) IKEAutostartSetting (f) AutostartIKESettingContext (g) IKEServiceForEndpoint (h) IKEAutostartConfiguration @@ -3062,34 +3083,34 @@ The class IKEService represents the IKE negotiation function. An instance of this service may provide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may be multiple instances of IKE services on a System but only one per interface. The class definition for IKEService is as follows: NAME IKEService DESCRIPTION IKEService is used to represent the IKE negotiation function. - DERIVED FROM NetworkService (see Appendix C) + DERIVED FROM Service (see [CIMCORE]) ABSTRACT FALSE 8.2. The Class PeerIdentityTable The class PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows: NAME PeerIdentityTable DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances to provide a table of identity-address mappings. - DERIVED FROM Collection (see Appendix A) + DERIVED FROM Collection (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Name 8.3.1. The Property Name The property Name uniquely identifies the table. The property is defined as follows: NAME Name DESCRIPTION Name uniquely identifies the table. @@ -3098,21 +3119,21 @@ 8.3. The Class PeerIdentityEntry The class PeerIdentityEntry specifies the mapping between peer identity and their address. The class definition for PeerIdentityEntry is as follows: NAME PeerIdentityEntry DESCRIPTION PeerIdentityEntry provides a mapping between a peer's identity and address. - DERIVED FROM LogicalElement (see Appendix A) + DERIVED FROM LogicalElement (see [CIMCORE]) ABSTRACT FALSE PROPERTIES PeerIdentity PeerIdentityType PeerAddress PeerAddressType 8.3.1. The Property PeerIdentity The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows: @@ -3161,36 +3182,36 @@ The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows: NAME AutostartIKEConfiguration DESCRIPTION A configuration set of AutostartIKESetting instances to be automatically started by the IKE service. - DERIVED FROM SystemConfiguration (see Appendix A) + DERIVED FROM SystemConfiguration (see [CIMCORE]) ABSTRACT FALSE 8.5. The Class AutostartIKESetting The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows: NAME AutostartIKESetting DESCRIPTION AutostartIKESetting is used to automatically initiate IKE negotiations with peers or statically create an SA. - DERIVED FROM SystemSetting (see Appendix A) + DERIVED FROM SystemSetting (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Phase1Only AddressType SourceAddress SourcePort DestinationAddress DestinationPort Protocol 8.5.1. The Property Phase1Only @@ -3294,21 +3315,21 @@ appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or Collection of endpoints as appropriate. The class definition for IKEIdentity is as follows: NAME IKEIdentity DESCRIPTION IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. - DERIVED FROM UsersAccess (see Appendix B) + DERIVED FROM UsersAccess (see [CIMUSER]) ABSTRACT FALSE PROPERTIES IdentityType IdentityValue IdentityContexts 8.6.1. The Property IdentityType The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows: @@ -3330,25 +3351,25 @@ NAME IdentityValue DESCRIPTION IdentityValue contains a string encoding of the Identity payload. SYNTAX string 8.6.3. The Property IdentityContexts The IdentityContexts property is used to constrain the use of IKEIdentity instances to match that specified in the IKERule.IdentityContexts. The IdentityContexts are formatted as - policy roles and role combinations [PCIM]. Each value represents - one context or context combination. Since this is a multi-valued - property, more than one context or combination of contexts can be - associated with a single IKEIdentity. Each value is a string of the - form: [&&]* + policy roles and role combinations [PCIM] & [PCIMe]. Each value + represents one context or context combination. Since this is a + multi-valued property, more than one context or combination of + contexts can be associated with a single IKEIdentity. Each value is + a string of the form: [&&]* where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). If one or more values in the IKERule.IdentityContexts array match one or more IKEIdentity.IdentityContexts then the identity's context matches. (That is, each value of the IdentityContext array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be 1 and only 1 IKEIdentity. The property is defined as follows: NAME IdentityContexts @@ -3364,21 +3385,21 @@ 8.7. The Association Class HostedPeerIdentityTable The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows: NAME HostedPeerIdentityTable DESCRIPTION The PeerIdentityTable instances are weak (name scoped by) the owning System. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref System[1..1]] Dependent [ref PeerIdentityTable[0..n] [weak]] 8.7.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance. @@ -3392,21 +3413,21 @@ 8.8. The Aggregation Class PeerIdentityMember The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows: NAME PeerIdentityMember DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. - DERIVED FROM MemberOfCollection (see Appendix A) + DERIVED FROM MemberOfCollection (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Collection [ref PeerIdentityTable[1..1]] Member [ref PeerIdentityEntry [0..n] [weak]] 8.8.1. The Reference Collection The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance. The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., @@ -3424,21 +3445,21 @@ The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows: NAME IKEServicePeerGateway DESCRIPTION Associates an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IKEService[0..n]] 8.9.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances. @@ -3454,21 +3475,21 @@ The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required. The class definition for IKEServicePeerIdentityTable is as follows: NAME IKEServicePeerIdentityTable DESCRIPTION IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerIdentityTable[0..n]] Dependent [ref IKEService[0..n]] 8.10.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances. @@ -3482,21 +3503,21 @@ 8.11. The Association Class IKEAutostartSetting The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows: NAME IKEAutostartSetting DESCRIPTION Associates a AutostartIKESetting with an IKEService. - DERIVED FROM ElementSetting (see Appendix A) + DERIVED FROM ElementSetting (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Element [ref IKEService[0..n]] Setting [ref AutostartIKESetting[0..n]] 8.11.1. The Reference Element The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates an AutostartIKESetting instance may be associated with zero or more IKEService instances. @@ -3511,21 +3532,21 @@ 8.12. The Aggregation Class AutostartIKESettingContext The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows: NAME AutostartIKESettingContext DESCRIPTION AutostartIKESettingContext aggregates the AutostartIKESetting instances into a configuration set. - DERIVED FROM SystemSettingContext (see Appendix A) + DERIVED FROM SystemSettingContext (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Context [ref AutostartIKEConfiguration [0..n]] Setting [ref AutostartIKESetting [0..n]] SequenceNumber 8.12.1. The Reference Context The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an AutostartIKESetting instance @@ -3558,21 +3579,21 @@ 8.13. The Association Class IKEServiceForEndpoint The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows: NAME IKEServiceForEndpoint DESCRIPTION Associates an IPProtocolEndpoint with an IKEService that provides negotiation services for the endpoint. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref IKEService[0..1]] Dependent [ref IPProtocolEndpoint[0..n]] 8.13.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST by associated with at most one IKEService instance. @@ -3589,21 +3610,21 @@ The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows: NAME IKEAutostartConfiguration DESCRIPTION IKEAutostartConfiguration provides the relationship between an IKEService and an AutostartIKEConfiguration that it uses to automatically start a set of SAs. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]] Dependent [ref IKEService [0..n]] Active 8.14.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be @@ -3637,21 +3658,21 @@ The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows: NAME IKEUsesCredentialManagementService DESCRIPTION Associates the set of CredentialManagementService(s) that are trusted by the IKEService as sources of credentials used in IKE phase 1 negotiations. - DERIVED FROM Dependency (see Appendix A) + DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref CredentialManagementService [0..n]] Dependent [ref IKEService [0..n]] 8.15.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances. @@ -3669,21 +3690,21 @@ IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using this association or with a collection of IKEIdentity instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows: NAME EndpointHasLocalIKEIdentity DESCRIPTION EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances. - DERIVED FROM ElementAsUser (see Appendix B) + DERIVED FROM ElementAsUser (see [CIMUSER]) ABSTRACT FALSE PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] Dependent [ref IKEIdentity [0..n]] 8.16.1. The Reference Antecedent The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance. @@ -3702,21 +3723,21 @@ that may be used in negotiating SAs for endpoints in the collection. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a collection of IKEIdentity instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows: NAME CollectionHasLocalIKEIdentity DESCRIPTION CollectionHasLocalIKEIdentity associates a collection of IPProtocolEndpoint instances with a set of IKEIdentity instances. - DERIVED FROM ElementAsUser (see Appendix B) + DERIVED FROM ElementAsUser (see [CIMUSER]) ABSTRACT FALSE PROPERTIES Antecedent [ref Collection [0..1]] Dependent [ref IKEIdentity [0..n]] 8.17.1. The Reference Antecedent The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance. @@ -3730,21 +3751,21 @@ 8.18. The Association Class IKEIdentitysCredential The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities. The class definition for IKEIdentitysCredential is as follows: NAME IKEIdentitysCredential DESCRIPTION IKEIdentitysCredential associates a set of credentials to their corresponding local IKEIdentity. - DERIVED FROM UsersCredential (see Appendix A) + DERIVED FROM UsersCredential (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref Credential [0..n]] Dependent [ref IKEIdentity [0..n]] 8.18.1. The Reference Antecedent The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance. The [0..n] cardinality indicates that IKEIdentity instance may be associated with zero or more Credential instances. @@ -3828,63 +3849,64 @@ 6.2.1. The Property LifetimeSeconds............................MUST 6.3. The Class IPsecBypassAction.............................SHOULD 6.4. The Class IPsecDiscardAction............................SHOULD 6.5. The Class IKERejectAction..................................MAY 6.6. The Class PreconfiguredSAAction...........................MUST 6.6.1. The Property LifetimeKilobytes..........................MUST 6.7. The Class PreconfiguredTransportAction....................MUST 6.8. The Class PreconfiguredTunnelAction.......................MUST 6.8.1. The Property DFHandling.................................MUST 6.9. The Class SANegotiationAction.............................MUST - 6.9.1. The Property MinLifetimeSeconds..........................MAY - 6.9.2. The Property MinLifetimeKilobytes........................MAY - 6.9.3. The Property RefreshThresholdSeconds.....................MAY - 6.9.4. The Property RefreshThresholdKilobytes...................MAY - 6.9.5. The Property IdleDurationSeconds.........................MAY - 6.10. The Class IPsecAction....................................MUST - 6.10.1. The Property UsePFS....................................MUST - 6.10.2. The Property UseIKEGroup................................MAY - 6.10.3. The Property GroupId...................................MUST - 6.10.4. The Property Granularity.............................SHOULD - 6.10.5. The Property VendorID...................................MAY - 6.11. The Class IPsecTransportAction...........................MUST - 6.12. The Class IPsecTunnelAction..............................MUST - 6.12.1. The Property DFHandling................................MUST - 6.13. The Class IKEAction......................................MUST - 6.13.1. The Property RefreshThresholdDerivedKeys................MAY - 6.13.2. The Property ExchangeMode..............................MUST - 6.13.3. The Property UseIKEIdentityType........................MUST - 6.13.4. The Property VendorID...................................MAY - 6.13.5. The Property AggressiveModeGroupId......................MAY - 6.14. The Class PeerGateway....................................MUST - 6.14.1. The Property Name....................................SHOULD - 6.14.2. The Property PeerIdentityType..........................MUST - 6.14.3. The Property PeerIdentity..............................MUST - 6.15. The Association Class PeerGatewayForTunnel...............MUST - 6.15.1. The Reference Antecedent...............................MUST - 6.15.2. The Reference Dependent................................MUST - 6.15.3. The Property SequenceNumber..........................SHOULD - 6.16. The Aggregation Class ContainedProposal..................MUST - 6.16.1. The Reference GroupComponent...........................MUST - 6.16.2. The Reference PartComponent............................MUST - 6.16.3. The Property SequenceNumber............................MUST - 6.17. The Association Class HostedPeerGatewayInformation........MAY - 6.17.1. The Reference Antecedent...............................MUST - 6.17.2. The Reference Dependent................................MUST - 6.18. The Association Class TransformOfPreconfiguredAction.....MUST + 6.10. The Class IKENegotiationAction...........................MUST + 6.10.1. The Property MinLifetimeSeconds.........................MAY + 6.10.2. The Property MinLifetimeKilobytes.......................MAY + 6.10.3. The Property RefreshThresholdSeconds....................MAY + 6.10.4. The Property RefreshThresholdKilobytes..................MAY + 6.10.5. The Property IdleDurationSeconds........................MAY + 6.11. The Class IPsecAction....................................MUST + 6.11.1. The Property UsePFS....................................MUST + 6.11.2. The Property UseIKEGroup................................MAY + 6.11.3. The Property GroupId...................................MUST + 6.11.4. The Property Granularity.............................SHOULD + 6.11.5. The Property VendorID...................................MAY + 6.12. The Class IPsecTransportAction...........................MUST + 6.13. The Class IPsecTunnelAction..............................MUST + 6.13.1. The Property DFHandling................................MUST + 6.14. The Class IKEAction......................................MUST + 6.14.1. The Property RefreshThresholdDerivedKeys................MAY + 6.14.2. The Property ExchangeMode..............................MUST + 6.14.3. The Property UseIKEIdentityType........................MUST + 6.14.4. The Property VendorID...................................MAY + 6.14.5. The Property AggressiveModeGroupId......................MAY + 6.15. The Class PeerGateway....................................MUST + 6.15.1. The Property Name....................................SHOULD + 6.15.2. The Property PeerIdentityType..........................MUST + 6.15.3. The Property PeerIdentity..............................MUST + 6.16. The Association Class PeerGatewayForTunnel...............MUST + 6.16.1. The Reference Antecedent...............................MUST + 6.16.2. The Reference Dependent................................MUST + 6.16.3. The Property SequenceNumber..........................SHOULD + 6.17. The Aggregation Class ContainedProposal..................MUST + 6.17.1. The Reference GroupComponent...........................MUST + 6.17.2. The Reference PartComponent............................MUST + 6.17.3. The Property SequenceNumber............................MUST + 6.18. The Association Class HostedPeerGatewayInformation........MAY 6.18.1. The Reference Antecedent...............................MUST 6.18.2. The Reference Dependent................................MUST - 6.18.3. The Property SPI.......................................MUST - 6.18.4. The Property Direction.................................MUST - 6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST + 6.19. The Association Class TransformOfPreconfiguredAction.....MUST 6.19.1. The Reference Antecedent...............................MUST 6.19.2. The Reference Dependent................................MUST + 6.19.3. The Property SPI.......................................MUST + 6.19.4. The Property Direction.................................MUST + 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST + 6.20.1. The Reference Antecedent...............................MUST + 6.20.2. The Reference Dependent................................MUST 7. Proposal and Transform Classes 7.1. The Abstract Class SAProposal.............................MUST 7.1.1. The Property Name.....................................SHOULD 7.2. The Class IKEProposal.....................................MUST 7.2.1. The Property LifetimeDerivedKeys.........................MAY 7.2.2. The Property CipherAlgorithm............................MUST 7.2.3. The Property HashAlgorithm..............................MUST 7.2.4. The Property PRFAlgorithm................................MAY 7.2.5. The Property GroupId....................................MUST 7.2.6. The Property AuthenticationMethod.......................MUST @@ -4035,20 +4058,25 @@ [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998. [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001. + [PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen, + A., Chadha, R., Brunner, M., Cohen, R. and Strassner, J., "Policy + Core Information Model Extensions", draft-ietf-policy-pcim-ext- + 05.txt, October 2001 Internet Draft work in progress + [DOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. Internet-Draft work in progress. @@ -4059,20 +4087,32 @@ [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [IPSO] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991. [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998. + [DMTF] Distributed Management Task Force, http://www.dmtf.org/ + + [CIMCORE] DMTF Common Information Model - Core Model v2.5, + http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and + http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof + + [CIMUSER] DMTF Common Information Model - User-Security Model v2.5, + http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof + + [CIMNETWORK] DMTF Common Information Model - Network Model v2.5, + http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof + 14. Disclaimer The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification. 15. Authors' Addresses @@ -4080,21 +4120,21 @@ Intel Corporation MS JF3-206 2111 NE 25th Ave. Hillsboro, OR 97124 E-Mail: jamie.jason@intel.com Lee Rafalow IBM Corporation, BRQA/502 4205 So. Miami Blvd. Research Triangle Park, NC 27709 - E-mail: rafalow@raleigh.ibm.com + E-mail: rafalow@watson.ibm.com Eric Vyncke Cisco Systems Avenue Marcel Thiry, 77 B-1200 Brussels Belgium E-mail: evyncke@cisco.com 16. Full Copyright Statement @@ -4116,3553 +4156,10 @@ The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Appendix A (DMTF Core Model MOF) - -// ================================================================== -// ManagedElement -// ================================================================== - [Abstract, Description ( - "ManagedElement is an abstract class that provides a common " - "superclass (or top of the inheritance tree) for the " - "non-association classes in the CIM Schema.")] - class CIM_ManagedElement - { - [MaxLen (64), Description ( - "The Caption property is a short textual description (one-" - "line string) of the object.") ] - string Caption; - [Description ( - "The Description property provides a textual description of " - "the object.") ] - string Description; - }; - -// ================================================================== -// Collection -// ================================================================== - [Abstract, Description ( - "Collection is an abstract class that provides a common" - "superclass for data elements that represent collections of " - "ManagedElements and its subclasses.")] - class CIM_Collection : CIM_ManagedElement - { - }; - -// ================================================================== -// ManagedSystemElement -// ================================================================== - [Abstract, Description ( - "CIM_ManagedSystemElement is the base class for the System " - "Element hierarchy. Membership Criteria: Any distinguishable " - "component of a System is a candidate for inclusion in this " - "class. Examples: software components, such as files; and " - "devices, such as disk drives and controllers, and physical " - "components such as chips and cards.") ] -class CIM_ManagedSystemElement : CIM_ManagedElement -{ - [Description ( - "A datetime value indicating when the object was installed. " - "A lack of a value does not indicate that the object is not " - "installed."), - MappingStrings {"MIF.DMTF|ComponentID|001.5"} ] - datetime InstallDate; - [MaxLen (256), Description ( - "The Name property defines the label by which the object is " - "known. When subclassed, the Name property can be overridden " - "to be a Key property.") ] - string Name; - [MaxLen (10), Description ( - " A string indicating the current status of the object. " - "Various operational and non-operational statuses are " - "defined. Operational statuses are \"OK\", \"Degraded\", " - "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that " - "the Element is functioning, but needs attention. Examples " - "of \"Stressed\" states are overload, overheated, etc. The " - "condition \"Pred Fail\" (failure predicted) indicates that " - "an Element is functioning properly but predicting a failure " - "in the near future. An example is a SMART-enabled hard " - "drive. \n" - " Non-operational statuses can also be specified. These " - "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", " - "\"Stopped\", " - "\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\"" - "indicates that a non-recoverable error has occurred. " - "\"Service\" describes an Element being configured, " - "maintained," - "cleaned, or otherwise administered. This status could apply " - "during mirror-resilvering of a disk, reload of a user " - "permissions list, or other administrative task. Not all " - "such " - "work is on-line, yet the Element is neither \"OK\" nor in " - "one of the other states. \"No Contact\" indicates that the " - "current instance of the monitoring system has knowledge of " - "this Element but has never been able to establish " - "communications with it. \"Lost Comm\" indicates that " - "the ManagedSystemElement is known to exist and has been " - "contacted successfully in the past, but is currently " - "unreachable." - "\"Stopped\" indicates that the ManagedSystemElement is " - "known " - "to exist, it is not operational (i.e. it is unable to " - "provide service to users), but it has not failed. It " - "has purposely " - "been made non-operational. The Element " - "may have never been \"OK\", the Element may have initiated " - "its " - "own stop, or a management system may have initiated the " - "stop."), - ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail", - "Starting", "Stopping", "Service", "Stressed", - "NonRecover", "No Contact", "Lost Comm", "Stopped"} ] - string Status; -}; - -// ================================================================== -// LogicalElement -// ================================================================== - [Abstract, Description ( - "CIM_LogicalElement is a base class for all the components " - "of " - "a System that represent abstract system components, such " - "as Files, Processes, or system capabilities in the form " - "of Logical Devices.") ] -class CIM_LogicalElement:CIM_ManagedSystemElement -{ -}; - -// ================================================================== -// CIM_SystemConfiguration -// ================================================================== - [Description ( - "CIM_SystemConfiguration represents the general concept " - "of a CIM_Configuration which is scoped by/weak to a " - "System. This class is a peer of CIM_Configuration since " - "the key structure of Configuration is currently " - "defined and cannot be modified with additional " - "properties.")] -class CIM_SystemConfiguration : CIM_ManagedElement { - [Propagated ("CIM_System.CreationClassName"), Key, - MaxLen (256), Description ( - "The scoping System's CreationClassName.") ] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), Key, MaxLen (256), - Description ("The scoping System's Name.") ] - string SystemName; - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), Description ( - "The label by which the Configuration object is known.") ] - string Name; -}; - -// =================================================================== -// Setting -// =================================================================== - [Abstract, Description ( - "The Setting class represents configuration-related and " - "operational parameters for one or more ManagedSystem" - "Element(s). A ManagedSystemElement may have multiple " - "Setting " - "objects associated with it. The current operational values " - "for an Element's parameters are reflected by properties in " - "the Element itself or by properties in its associations. " - "These properties do not have to be the same values present " - "in the Setting object. For example, a modem may have a " - "Setting baud rate of 56Kb/sec but be operating " - "at 19.2Kb/sec.") ] -class CIM_Setting : CIM_ManagedElement -{ - [MaxLen (256), Description ( - "The identifier by which the Setting object is known.") ] - string SettingID; - [Description ( - "The VerifyOKToApplyToMSE method is used to verify that " - "this Setting can be 'applied' to the referenced Managed" - "SystemElement, at the given time or time interval. This " - "method takes three input parameters: MSE (the Managed" - "SystemElement that is being verified), TimeToApply (which, " - "being a datetime, can be either a specific time or a time " - "interval), and MustBeCompletedBy (which indicates the " - "required completion time for the method). The return " - "value should be 0 if it is OK to apply the Setting, 1 if " - "the method is not supported, 2 if the Setting can not be " - "applied within the specified times, and any other number " - "if an error occurred. In a subclass, the " - "set of possible return codes could be specified, using a " - "ValueMap qualifier on the method. The strings to which the " - "ValueMap contents are 'translated' may also be specified in " - "the subclass as a Values array qualifier.") ] - uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, - [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); - [Description ( - "The ApplyToMSE method performs the actual application of " - "the Setting to the referenced ManagedSystemElement. It " - "takes three input parameters: MSE (the ManagedSystem" - "Element to which the Setting is being applied), " - "TimeToApply (which, being a datetime, can be either a " - "specific time or a time interval), and MustBeCompletedBy " - "(which indicates the required completion time for the " - "method). Note that the semantics of this method are that " - "individual Settings are either wholly applied or not " - "applied at all to their target ManagedSystemElement. The " - "return value should be 0 if the Setting is successfully " - "applied to the referenced ManagedSystemElement, 1 if the " - "method is not supported, 2 if the Setting was not applied " - "within the specified times, and any other number if an " - "error occurred. In a subclass, the set of possible return " - "codes could be specified, using a ValueMap qualifier on " - "the method. The strings to which the ValueMap contents are " - "'translated' may also be specified in the subclass as a " - "Values array qualifier.\n" - "Note: If an error occurs in applying the Setting to a " - "ManagedSystemElement, the Element must be configured as " - "when the 'apply' attempt began. That is, the Element " - "should NOT be left in an indeterminate state.") ] - uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, - [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); - [Description ( - "The VerifyOKToApplyToCollection method is used to verify " - "that this Setting can be 'applied' to the referenced " - "Collection of ManagedSystemElements, at the given time " - "or time interval, without causing adverse effects to " - "either the Collection itself or its surrounding " - "environment. The net effect is to execute the " - "VerifyOKToApply method against each of the Elements " - "aggregated by the Collection. This method takes three " - "input parameters: Collection (the Collection of Managed" - "SystemElements that is being verified), TimeToApply (which, " - "being a datetime, can be either a specific time or a time " - "interval), and MustBeCompletedBy (which indicates the " - "required completion time for the method). The return " - "value should be 0 if it is OK to apply the Setting, 1 if " - "the method is not supported, 2 if the Setting can not be " - "applied within the specified times, and any other number if " - "an error occurred. One output parameter is defined - " - "CanNotApply - which is a string array that lists the keys " - "of " - "the ManagedSystemElements to which the Setting can NOT be " - "applied. This enables those Elements to be revisited and " - "either fixed, or other corrective action taken.\n" - "In a subclass, the set of possible return codes could be " - "specified, using a ValueMap qualifier on the method. The " - "strings to which the ValueMap contents are 'translated' may " - "also be specified in the subclass as a Values array " - "qualifier.") ] - uint32 VerifyOKToApplyToCollection ( - [IN] CIM_CollectionOfMSEs ref Collection, - [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, - [OUT] string CanNotApply[]); - [Description ( - "The ApplyToCollection method performs the application of " - "the Setting to the referenced Collection of ManagedSystem" - "Elements. The net effect is to execute the ApplyToMSE " - "method against each of the Elements aggregated by the " - "Collection. If the input value ContinueOnError is FALSE, " - "this method applies the Setting to all Elements in the " - "Collection until it encounters an error, in which case it " - "stops execution, logs the key of the Element that caused " - "the error in the CanNotApply array, and issues a return " - "code " - "of 2. If the input value ContinueOnError is TRUE, then this " - "method applies the Setting to all the ManagedSystemElements " - "in the Collection, and reports the failed Elements in the " - "array, CanNotApply. For the latter, processing will " - "continue " - "until the method is applied to all Elements in the " - "Collection, regardless of any errors encountered. The key " - "of " - "each ManagedSystemElement to which the Setting could not be " - "applied is logged into the CanNotApply array. This method " - "takes four input parameters: Collection (the Collection of " - "Elements to which the Setting is being applied), " - "TimeToApply " - "(which, being a datetime, can be either a specific time or " - "a " - "time interval), ContinueOnError (TRUE means to continue " - "processing on encountering an error), and MustBeCompletedBy " - "(which indicates the required completion time for the " - "method). The return value should be 0 if the Setting is " - "successfully applied to the referenced Collection, 1 if the " - "method is not supported, 2 if the Setting was not applied " - "within the specified times, 3 if the Setting can not be " - "applied using the input value for ContinueOnError, and any " - "other number if an error occurred. One output parameter is " - "defined, CanNotApplystring, which is an array that lists " - "the keys of the ManagedSystemElements to which the Setting " - "was NOT able to be applied. This output parameter has " - "meaning only when the ContinueOnError parameter is TRUE.\n" - "In a subclass, the set of possible return codes could be " - "specified, using a ValueMap qualifier on the method. The " - "strings to which the ValueMap contents are 'translated' may " - "also be specified in the subclass as a Values array " - "qualifier.\n" - "Note: if an error occurs in applying the Setting to a " - "ManagedSystemElement in the Collection, the Element must be " - "configured as when the 'apply' attempt began. That is, the " - "Element should NOT be left in an indeterminate state.") ] - uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection, - [IN] datetime TimeToApply, [IN] boolean ContinueOnError, - [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]); - [Description ( - "The VerifyOKToApplyIncrementalChangeToMSE method " - "is used to verify that a subset of the properties in " - "this Setting can be 'applied' to the referenced Managed" - "SystemElement, at the given time or time interval. This " - "method takes four input parameters: MSE (the Managed" - "SystemElement that is being verified), TimeToApply (which, " - "being a datetime, can be either a specific time or a time " - "interval), MustBeCompletedBy (which indicates the " - "required completion time for the method), and a " - "PropertiesToApply array (which contains a list of the " - "property names whose values will be verified. " - "If they array is null or empty or constains the string " - "\"all\" " - "as a property name then all Settings properties shall be " - "verified. If it is set to \"none\" then no Settings " - "properties " - "will be verified). The return " - "value should be 0 if it is OK to apply the Setting, 1 if " - "the method is not supported, 2 if the Setting can not be " - "applied within the specified times, and any other number " - "if an error occurred. In a subclass, the " - "set of possible return codes could be specified, using a " - "ValueMap qualifier on the method. The strings to which the " - "ValueMap contents are 'translated' may also be specified in " - "the subclass as a Values array qualifier.") ] - uint32 VerifyOKToApplyIncrementalChangeToMSE( - [IN] CIM_ManagedSystemElement ref MSE, - [IN] datetime TimeToApply, - [IN] datetime MustBeCompletedBy, - [IN] string PropertiesToApply[]); - [Description ( - "The ApplyIncrementalChangeToMSE method performs the " - "actual application of a subset of the properties in " - "the Setting to the referenced ManagedSystemElement. It " - "takes four input parameters: MSE (the ManagedSystem" - "Element to which the Setting is being applied), " - "TimeToApply (which, being a datetime, can be either a " - "specific time or a time interval), MustBeCompletedBy " - "(which indicates the required completion time for the " - "method), and a " - "PropertiesToApply array (which contains a list of the " - "property names whose values will be applied. If a " - "property is not in this list, it will be ignored by the " - "apply. " - "If they array is null or empty or constains the string " - "\"all\" " - "as a property name then all Settings properties shall be " - "applied. If it is set to \"none\" then no Settings " - "properties " - "will be applied. ). " - "Note that the semantics of this method are that " - "individual Settings are either wholly applied or not " - "applied at all to their target ManagedSystemElement. The " - "return value should be 0 if the Setting is successfully " - "applied to the referenced ManagedSystemElement, 1 if the " - "method is not supported, 2 if the Setting was not applied " - "within the specified times, and any other number if an " - "error occurred. In a subclass, the set of possible return " - "codes could be specified, using a ValueMap qualifier on " - "the method. The strings to which the ValueMap contents are " - "'translated' may also be specified in the subclass as a " - "Values array qualifier.\n" - "Note: If an error occurs in applying the Setting to a " - "ManagedSystemElement, the Element must be configured as " - "when the 'apply' attempt began. That is, the Element " - "should NOT be left in an indeterminate state.") ] - uint32 ApplyIncrementalChangeToMSE( - [IN] CIM_ManagedSystemElement ref MSE, - [IN] datetime TimeToApply, - [IN] datetime MustBeCompletedBy, - [IN] string PropertiesToApply[]); - [Description ( - "The VerifyOKToApplyIncrementalChangeToCollection method " - "is used to verify that a subset of the properties in " - "this Setting can be 'applied' to the referenced " - "Collection of ManagedSystemElements, at the given time " - "or time interval, without causing adverse effects to " - "either the Collection itself or its surrounding " - "environment. The net effect is to execute the " - "VerifyOKToApplyIncrementalChangeToMSE method " - "against each of the Elements " - "aggregated by the Collection. This method takes three " - "input parameters: Collection (the Collection of Managed" - "SystemElements that is being verified), TimeToApply (which, " - "being a datetime, can be either a specific time or a time " - "interval), MustBeCompletedBy (which indicates the " - "required completion time for the method), and a " - "PropertiesToApply array (which contains a list of the " - "property names whose values will be verified. " - "If they array is null or empty or contains the string " - "\"all\" " - "as a property name then all Settings properties shall be " - "verified. If it is set to \"none\" then no Settings " - "properties " - "will be verified). The return " - "value should be 0 if it is OK to apply the Setting, 1 if " - "the method is not supported, 2 if the Setting can not be " - "applied within the specified times, and any other number if " - "an error occurred. One output parameter is defined - " - "CanNotApply - which is a string array that lists the keys " - "of " - "the ManagedSystemElements to which the Setting can NOT be " - "applied. This enables those Elements to be revisited and " - "either fixed, or other corrective action taken.\n" - "In a subclass, the set of possible return codes could be " - "specified, using a ValueMap qualifier on the method. The " - "strings to which the ValueMap contents are 'translated' may " - "also be specified in the subclass as a Values array " - "qualifier.") ] - uint32 VerifyOKToApplyIncrementalChangeToCollection ( - [IN] CIM_CollectionOfMSEs ref Collection, - [IN] datetime TimeToApply, - [IN] datetime MustBeCompletedBy, - [IN] string PropertiesToApply[], - [OUT] string CanNotApply[]); - [Description ( - "The ApplyIncrementalChangeToCollection method performs " - "the application of a subset of the properties in this " - "Setting to the referenced Collection of ManagedSystem" - "Elements. The net effect is to execute the " - "ApplyIncrementalChangeToMSE " - "method against each of the Elements aggregated by the " - "Collection. If the input value ContinueOnError is FALSE, " - "this method applies the Setting to all Elements in the " - "Collection until it encounters an error, in which case it " - "stops execution, logs the key of the Element that caused " - "the error in the CanNotApply array, and issues a return " - "code " - "of 2. If the input value ContinueOnError is TRUE, then this " - "method applies the Setting to all the ManagedSystemElements " - "in the Collection, and reports the failed Elements in the " - "array, CanNotApply. For the latter, processing will " - "continue " - "until the method is applied to all Elements in the " - "Collection, regardless of any errors encountered. The key " - "of " - "each ManagedSystemElement to which the Setting could not be " - "applied is logged into the CanNotApply array. This method " - "takes four input parameters: Collection (the Collection of " - "Elements to which the Setting is being applied), " - "TimeToApply " - "(which, being a datetime, can be either a specific time or " - "a " - "time interval), ContinueOnError (TRUE means to continue " - "processing on encountering an error), and MustBeCompletedBy " - "(which indicates the required completion time for the " - "method), and a PropertiesToApply array (which contains a " - "list " - "of the property names whose values will be applied. If a " - "property is not in this list, it will be ignored by " - "the apply. " - "If they array is null or empty or constains the string " - "\"all\" " - "as a property name then all Settings properties shall be " - "applied. If it is set to \"none\" then no Settings " - "properties " - "will be applied. ). " - "The return value should be 0 if the Setting is " - "successfully applied to the referenced Collection, 1 if the " - "method is not supported, 2 if the Setting was not applied " - "within the specified times, 3 if the Setting can not be " - "applied using the input value for ContinueOnError, and any " - "other number if an error occurred. One output parameter is " - "defined, CanNotApplystring, which is an array that lists " - "the keys of the ManagedSystemElements to which the Setting " - "was NOT able to be applied. This output parameter has " - "meaning only when the ContinueOnError parameter is TRUE.\n" - "In a subclass, the set of possible return codes could be " - "specified, using a ValueMap qualifier on the method. The " - "strings to which the ValueMap contents are 'translated' may " - "also be specified in the subclass as a Values array " - "qualifier.\n" - "Note: if an error occurs in applying the Setting to a " - "ManagedSystemElement in the Collection, the Element must be " - "configured as when the 'apply' attempt began. That is, the " - "Element should NOT be left in an indeterminate state.") ] - uint32 ApplyIncrementalChangeToCollection( - [IN] CIM_CollectionOfMSEs ref Collection, - [IN] datetime TimeToApply, - [IN] boolean ContinueOnError, - [IN] datetime MustBeCompletedBy, - [IN] string PropertiesToApply[], - [OUT] string CanNotApply[]); - -}; - -// ================================================================== -// CIM_SystemSetting -// ================================================================== - [Abstract, Description ( - "CIM_SystemSetting represents the general concept " - "of a CIM_Setting which is scoped by/weak to a System.")] -class CIM_SystemSetting : CIM_Setting { - [Propagated ("CIM_System.CreationClassName"), Key, - MaxLen (256), Description ( - "The scoping System's CreationClassName.") ] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), Key, MaxLen (256), - Description ("The scoping System's Name.") ] - string SystemName; - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Override ("SettingID"), Key, MaxLen (256)] - string SettingID; -}; - -// ================================================================== -// System -// ================================================================== - [Abstract, Description ( - "A CIM_System is a LogicalElement that aggregates an " - "enumerable set of Managed System Elements. The aggregation " - "operates as a functional whole. Within any particular " - "subclass of System, there is a well-defined list of " - "Managed System Element classes whose instances must be " - "aggregated.") ] -class CIM_System:CIM_LogicalElement -{ - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), Override ("Name"), Description ( - "The inherited Name serves as key of a System instance in " - "an enterprise environment.") ] - string Name; - [MaxLen (64), Description ( - "The System object and its derivatives are Top Level Objects " - "of CIM. They provide the scope for numerous components. " - "Having unique System keys is required. A heuristic can be " - "defined in individual System subclasses to attempt to " - "always " - "generate the same System Name Key. The NameFormat property " - "identifies how the System name was generated, using " - "the subclass' heuristic.") ] - string NameFormat; - [MaxLen (256), Description ( - "A string that provides information on how the primary " - "system " - "owner can be reached (e.g. phone number, email address, " - "...)."), - MappingStrings {"MIF.DMTF|General Information|001.3"} ] - string PrimaryOwnerContact; - [MaxLen (64), Description ( - "The name of the primary system owner."), - MappingStrings {"MIF.DMTF|General Information|001.4"} ] - string PrimaryOwnerName; - [Description ( - "An array (bag) of strings that specify the roles this " - "System " - "plays in the IT-environment. Subclasses of System may " - "override this property to define explicit Roles values. " - "Alternately, a Working Group may describe the heuristics, " - "conventions and guidelines for specifying Roles. For " - "example, for an instance of a networking system, the Roles " - "property might contain the string, 'Switch' or 'Bridge'.") ] - string Roles[]; -}; - -// ================================================================== -// Service -// ================================================================== - [Abstract, Description ( - "A CIM_Service is a Logical Element that contains the " - "information necessary to represent and manage the " - "functionality provided by a Device and/or SoftwareFeature. " - "A Service is a general-purpose object to configure and " - "manage the implementation of functionality. It is not the " - "functionality itself.") ] -class CIM_Service:CIM_LogicalElement -{ - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this " - "property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Override ("Name"), Key, MaxLen (256), - Description ( - "The Name property uniquely identifies the Service and " - "provides an indication of the functionality that is " - "managed. This functionality is described in more detail in " - "the object's Description property. ") ] - string Name; - [MaxLen (10), Description ( - "StartMode is a string value indicating whether the Service " - "is automatically started by a System, Operating System, " - "etc. " - "or only started upon request."), - ValueMap {"Automatic", "Manual"} ] - string StartMode; - [Description ( - "Started is a boolean indicating whether the Service " - "has been started (TRUE), or stopped (FALSE).") ] - boolean Started; - [Propagated ("CIM_System.CreationClassName"), Key, - MaxLen (256), Description ( - "The scoping System's CreationClassName. ") ] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), Key, MaxLen (256), - Description ("The scoping System's Name.") ] - string SystemName; - [Description ( - "The StartService method places the Service in the started " - "state. It returns an integer value of 0 if the Service was " - "successfully started, 1 if the request is not supported and " - "any other number to indicate an error. In a subclass, the " - "set of possible return codes could be specified, using a " - "ValueMap qualifier on the method. The strings to which the " - "ValueMap contents are 'translated' may also be specified in " - "the subclass as a Values array qualifier.") ] - uint32 StartService(); - [Description ( - "The StopService method places the Service in the stopped " - "state. It returns an integer value of 0 if the Service was " - "successfully stopped, 1 if the request is not supported and " - "any other number to indicate an error. In a subclass, the " - "set of possible return codes could be specified, using a " - "ValueMap qualifier on the method. The strings to which the " - "ValueMap contents are 'translated' may also be specified in " - "the subclass as a Values array qualifier.") ] - uint32 StopService(); -}; - -// ================================================================== -// ServiceAccessPoint -// ================================================================== - [Abstract, Description ( - "CIM_ServiceAccessPoint represents the ability to utilize or " - "invoke a Service. Access points represent that a Service " - "is made available to other entities for use.") ] -class CIM_ServiceAccessPoint:CIM_LogicalElement -{ - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this " - "property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Override ("Name"), Key, MaxLen (256), - Description ( - "The Name property uniquely identifies the " - "ServiceAccessPoint " - "and provides an indication of the functionality that is " - "managed. This functionality is described in more detail in " - "the object's Description property.") ] - string Name; - [Propagated ("CIM_System.CreationClassName"), Key, - MaxLen (256), Description ( - "The scoping System's CreationClassName.") ] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), Key, MaxLen (256), - Description ("The scoping System's Name.") ] - string SystemName; -}; - -// ================================================================== -// === Association class definitions === -// ================================================================== - -// ================================================================== -// Component -// ================================================================== - [Association, Abstract, Aggregation, Description ( - "CIM_Component is a generic association used to establish " - "'part of' relationships between Managed System Elements. " - "For " - "example, the SystemComponent association defines parts of " - "a System.") ] -class CIM_Component -{ - [Aggregate, Key, Description ( - "The parent element in the association.") ] - CIM_ManagedSystemElement REF GroupComponent; - [Key, Description ("The child element in the association.") ] - CIM_ManagedSystemElement REF PartComponent; -}; - -// ================================================================== -// Dependency -// ================================================================== - [Association, Abstract, Description ( - "CIM_Dependency is a generic association used to establish " - "dependency relationships between ManagedElements.") ] -class CIM_Dependency -{ - [Key, Description ( - "Antecedent represents the independent object in this " - "association.") ] - CIM_ManagedElement REF Antecedent; - [Key, Description ( - "Dependent represents the object dependent on the " - "Antecedent.") ] - CIM_ManagedElement REF Dependent; -}; - -// =================================================================== -// ElementSetting -// =================================================================== - [Association, Description ( - "ElementSetting represents the association between Managed" - "SystemElements and the Setting class(es) defined for them.") -] -class CIM_ElementSetting -{ - [Key, Description ("The ManagedSystemElement.") ] - CIM_ManagedSystemElement REF Element; - [Key, Description ( - "The Setting object associated with the ManagedSystem" - "Element.") ] - CIM_Setting REF Setting; -}; -// ================================================================== -// MemberOfCollection -// ================================================================== - [Association, Aggregation, Description ( - "CIM_MemberOfCollection is an aggregation used to establish " - "membership of ManagedElements in a Collection." ) ] -class CIM_MemberOfCollection -{ - [Key, Aggregate, Description ( - "The Collection that aggregates members") ] - CIM_Collection REF Collection; - [Key, Description ("The aggregated member of the collection.") -] - CIM_ManagedElement REF Member; -}; - -// ================================================================== -// CIM_SystemSettingContext -// ================================================================== - [Association, Aggregation, Description ( - "This relationship associates System-specific Configuration " - "objects with System-specific Setting objects, similar to " - "the " - "SettingContext association.")] -class CIM_SystemSettingContext { - [Aggregate, Key, Description ( - "The Configuration object that aggregates the Setting.") ] - CIM_SystemConfiguration REF Context; - [Key, Description ("An aggregated Setting.")] - CIM_SystemSetting REF Setting; -}; - -Appendix B (DMTF User Model MOF) - -// ================================================================== -// OrganizationalEntity -// ================================================================== - [Abstract, Description ( - "OrganizationalEntity is an abstract class from which classes " - "that fit into an organizational structure are derived.") ] -class CIM_OrganizationalEntity : CIM_ManagedElement - { - }; - -// ================================================================== -// UserEntity -// ================================================================== - [Abstract, Description ( - "UserEntity is an abstract class that represents users.") ] -class CIM_UserEntity : CIM_OrganizationalEntity - { - }; - -// ================================================================== -// UsersAccess -// ================================================================== - [Description ( - "The UsersAccess object class is used to specify a system user " - "that permitted access to system resources. The ManagedElement " - "that has access to system resources (represented in the model in " - "the ElementAsUser association) may be a person, a service, a " - "service access point or any collection thereof. Whereas the " - "Account class represents the user's relationship to a system " - "from the perspective of the security services of the system, the " - "UserAccess class represents the relationships to the systems " - "independent of a particular system or service.") ] -class CIM_UsersAccess: CIM_UserEntity - { - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.")] - string CreationClassName; - [Key, MaxLen (256),Description ( - "The Name property defines the label by which the object is " - "known.")] - string Name; - [Key, Description ( - "The ElementID property uniquely specifies the ManagedElement " - "object instance that is the user represented by the " - "UsersAccess object instance. The ElementID is formatted " - "similarly to a model path except that the property-value " - "pairs are ordered in alphabetical order (US ASCII lexical " - "order).")] - string ElementID; - [Description ( - "Biometric information used to identify a person. The " - "property value is left null or set to 'N/A' for non-human " - "user or a user not using biometric information for " - "authentication."), - Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", - "Voice", "DNA-RNA", "EEG"} ] - uint16 Biometric[]; - }; - -// ================================================================== -// SecurityService -// ================================================================== - [ Abstract, Description ( - "CIM_SecurityService ...") ] -class CIM_SecurityService:CIM_Service -{ -}; - -// ================================================================== -// AuthenticationService -// ================================================================== - [Description ( - "CIM_AuthenticationService verifies users' identities through " - "some means. These services are decomposed into a subclass that " - "provides credentials to users and a subclass that provides for " - "the verification of the validity of a credential and, perhaps, " - "the appropriateness of its use for access to target resources. " - "The persistent state information used from one such verification " - "to another is maintained in an Account for that Users Access on " - "that AuthenticationService.") ] -class CIM_AuthenticationService:CIM_SecurityService - { - }; - -// ================================================================== -// CredentialManagementService -// ================================================================== - [Description ( - "CIM_CredentialManagementService issues credentials and manages " - "the credential lifecycle.") ] -class CIM_CredentialManagementService:CIM_AuthenticationService - { - }; - -// ================================================================== -// CertificateAuthority -// ================================================================== - [Description ("A Certificate Authority (CA) is a credential " - "management service that issues and cryptographically " - "signs certificates thus acting as an trusted third-party " - "intermediary in establishing trust relationships. The CA " - "authenicates the holder of the private key related to the " - "certificate's public key; the authenicated entity is " - "represented by the UsersAccess class.") ] -class CIM_CertificateAuthority:CIM_CredentialManagementService -{ - [Description ( - "The CAPolicyStatement describes what care is taken by the " - "CertificateAuthority when signing a new certificate. " - "The CAPolicyStatment may be a dot-delimited ASN.1 OID " - "string which identifies to the formal policy statement.") ] - string CAPolicyStatement; - [Description ( "A CRL, or CertificateRevocationList, is a " - "list of certificates which the CertificateAuthority has " - "revoked and which are not yet expired. Revocation is " - "necessary when the private key associated with the public " - "key of a certificate is lost or compromised, or when the " - "person for whom the certificate is signed no longer is " - "entitled to use the certificate."), Octetstring ] - string CRL[]; - [Description ("Certificate Revocation Lists may be " - "available from a number of distribution points. " - "CRLDistributionPoint array values provide URIs for those " - "distribution points.")] - string CRLDistributionPoint[]; - [Description ( "Certificates refer to their issuing CA by " - "its Distinguished Name (as defined in X.501)."), DN] - string CADistinguishedName; - [Description ( "The frequency, expressed in hours, at which " - "the CA will update its Certificate Revocation List. Zero " - "implies that the refresh frequency is unknown."), - Units("Hours")] - uint8 CRLRefreshFrequency; - [Description ( "The maximum number of certificates in a " - "certificate chain permitted for credentials issued by " - "this certificate authority or it's subordinate CAs.\n" - "The MaxChainLength of a superior CA in the trust " - "hierarchy should be greater than this value and the " - "MaxChainLength of a subordinate CA in the trust hierarchy " - "should be less than this value.")] - uint8 MaxChainLength; -}; - -// ================================================================== -// KerberosKeyDistributionCenter -// ================================================================== - [Description ( - "CIM_KerberosKeyDistributionCenter ...") ] -class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService -{ - [Override ("Name"), - Description ("The Realm served by this KDC.")] - string Name; - [Description ("The version of Kerberos supported by this " - "service."), - Values {"V4", "V5", "DCE", "MS"} ] - uint16 Protocol[]; -}; - -// ================================================================== -// Notary -// ================================================================== - [Description ( - "CIM_Notary is an AuthenticationService (credential " - "management service) which compares the " - "biometric characteristics of a person with the " - "known characteristics of an Users Access, and determines " - "whether the person is the UsersAccess. An example is " - "a bank teller who compares a picture ID with the person " - "trying to cash a check, or a biometric login service that " - "uses voice recognition to identify a user.") ] -class CIM_Notary:CIM_CredentialManagementService -{ - [Description ( "The types of biometric information which " - "this Notary can compare."), - Values { "N/A", "Other", "Facial", "Retina", "Mark", - "Finger", "Voice", "DNA-RNA", "EEG"} ] - uint16 Comparitors; - [Description ( - "The SealProtocol is how the decision of the Notary is " - "recorded for future use by parties who will rely on its " - "decision. For instance, a drivers licence frequently " - "includes tamper-resistent coatings and markings to protect " - "the recorded decision that a driver, having various " - "biometric characteristics of height, weight, hair and eye " - "color, using a particular name, has features represented in " - "a photograph of their face.")] - string SealProtocol; - [Description ( - "CharterIssued documents when the Notary is first " - "authorized, by whoever gave it responsibility, to perform " - "its service.")] - datetime CharterIssued; - [Description ( - "CharterExpired documents when the Notary is no longer " - "authorized, by whoever gave it responsibility, to perform " - "its service.")] - datetime CharterExpired; -}; - -// ================================================================== -// LocalCredentialManagementService -// ================================================================== - [Description ( - "CIM_LocalCredentialManagementService is a credential " - "management service that provides local system " - "management of credentials used by the local system.") ] -class -CIM_LocalCredentialManagementService:CIM_CredentialManagementService -{ -}; - -// ================================================================== -// SharedSecretService -// ================================================================== - [Description ( - "CIM_SharedSecretService is a service which ascertains " - "whether messages received are from the Principal with " - "whom a secret is shared. Examples include a login " - "service that proves identity on the basis of knowledge of " - "the shared secret, or a transport integrity service (like " - "Kerberos provides) that includes a message authenticity " - "code that proves each message in the messsage stream came " - "from someone who knows the shared secret session key.")] -class CIM_SharedSecretService:CIM_LocalCredentialManagementService -{ - [MaxLen (256), Description ( - "The Algorithm used to convey the shared secret, such as " - "HMAC-MD5,or PLAINTEXT.") ] - string Algorithm; - [Description ( - "The Protocol supported by the SharedSecretService.")] - string Protocol; -}; - -// ================================================================== -// PublicKeyManagementService -// ================================================================== - [Description ( - "CIM_PublicKeyManagementService is a credential management " - "service that provides local system management of public " - "keys used by the local system.") ] -class -CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService -{ -}; - -// ================================================================== -// Credential -// ================================================================== - [Abstract, Description ( - "Subclasses of CIM_Credential define materials, " - "information, or other data which are used to prove the " - "identity of a CIM_UsersAccess to a particular " - "CIM_SecurityService. Generally, there may be some shared " - "information, or credential material which is used to " - "identify and authenticate ones self in the process of " - "gaining access to, or permission to use, an Account. " - "Such credential material may be used to authenticate a " - "users access identity initially, as done by a " - "CIM_AuthenticationService (see later), and additionally on " - "an ongoing basis during the course of a connection or " - "other security association, as proof that each received " - "message or communication came from the owning user access " - "of " - "that credential material.") ] -class CIM_Credential:CIM_ManagedElement -{ -}; - -// ================================================================== -// PublicKeyCertificate -// ================================================================== - [Description ("A Public Key Certificate is a credential " - "that is cryptographically signed by a trusted Certificate " - "Authority (CA) and issued to an authenticated entity " - "(e.g., human user, service,etc.) called the Subject in " - "the certificate and represented by the UsersAccess class. " - "The public key in the certificate is cryptographically " - "related to a private key that is to be held and kept " - "private by the authenticated Subject. The certificate " - "and its related private key can then be used for " - "establishing trust relationships and securing " - "communications with the Subject. Refer to the ITU/CCITT " - "X.509 standard as an example of such certificates.") ] -class CIM_PublicKeyCertificate:CIM_Credential -{ - [Propagated ("CIM_System.CreationClassName"), - Key, MaxLen (256), Description ("Scoping System")] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), - Key, MaxLen (256),Description ("Scoping System")] - string SystemName; - [Propagated ("CIM_CertificateAuthority.CreationClassName"), - Key, MaxLen (256), Description ("Scoping Service")] - string ServiceCreationClassName; - [Propagated ("CIM_CertificateAuthority.Name"), - Key, MaxLen (256), Description ("Scoping Service")] - string ServiceName; - [Key, MaxLen (256), Description ( - "Certificate subject identifier")] - string Subject; - [MaxLen (256), Description ( - "Alternate subject identifier for the Certificate.")] - string AltSubject; - [Description ("The DER-encoded raw public key."), Octetstring] - uint8 PublicKey[]; -}; - -// ================================================================== -// UnsignedPublicKey -// ================================================================== - [Description ( - "A CIM_UnsignedPublicKey represents an unsigned public " - "key credential. The local UsersAccess (or subclass " - "thereof) accepts the public key as authentic because of " - "a direct trust relationship rather than via a third-party " - "Certificate Authority.") ] -class CIM_UnsignedPublicKey:CIM_Credential -{ - [Propagated ("CIM_System.CreationClassName"), - Key, MaxLen (256), Description ("Scoping System")] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), - Key, MaxLen (256),Description ("Scoping System")] - string SystemName; - [Propagated -("CIM_PublicKeyManagementService.CreationClassName"), - Key, MaxLen (256), Description ("Scoping Service")] - string ServiceCreationClassName; - [Propagated ("CIM_PublicKeyManagementService.Name"), - Key, MaxLen (256), Description ("Scoping Service")] - string ServiceName; - [Key, MaxLen (256), Description ( - "The Identity of the Peer with whom a direct trust " - "relationship exists. The public key may be used for " - "security functions with the Peer."), - ModelCorrespondence - {"CIM_PublicKeyManagementService.PeerIdentityType" } ] - string PeerIdentity; - [Description ("PeerIdentityType is used to describe the " - "type of the PeerIdentity. The currently defined values " - "are used for IKE identities."), - ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", - "9", "10", "11"}, - Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN", - "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", - "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", - "DER_ASN1_GN", "KEY_ID"}, - ModelCorrespondence - {"CIM_PublicKeyManagementService.PeerIdentity" } ] - uint16 PeerIdentityType; - [Description ("The DER-encoded raw public key."), - Octetstring] - uint8 PublicKey[]; -}; - -// ================================================================== -// KerberosTicket -// ================================================================== - [Description ( - "A CIM_KerberosTicket represents a credential issued by a " - "particular Kerberos Key Distribution Center (KDC) " - "to a particular CIM_UsersAccess as the result of a " - "successful authentication process. There are two types of " - "tickets that a KDC may issue to a Users Access - a " - "TicketGranting ticket, which is used to protect and " - "authenticate communications between the Users Access and " - "the " - "KDC, and a Session ticket, which the KDC issues to two " - "Users Access to allow them to communicate with each other. " - ) ] -class CIM_KerberosTicket:CIM_Credential -{ - [Propagated ("CIM_System.CreationClassName"), Key, - MaxLen (256), Description ("Scoping System")] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), Key, - MaxLen (256),Description ("Scoping System")] - string SystemName; - [Key, MaxLen (256), Propagated - ("CIM_KerberosKeyDistributionCenter.CreationClassName"), - Description ("Scoping Service")] - string ServiceCreationClassName; - [Propagated ("CIM_KerberosKeyDistributionCenter.Name"), - Key, MaxLen (256), - Description ("Scoping Service. The Kerberos KDC Realm of " - "CIM_KerberosTicket is used to record the security " - "authority, or Realm, name so that tickets issued by " - "different Realms can be separately managed and " - "enumerated.")] - string ServiceName; - [Key, MaxLen (256), Description ("The name of the service " - "for which this ticket is used.")] - string AccessesService; - [Key, MaxLen (256), Description ( - "RemoteID is the name by which the user is known at " - "the KDC security service.")] - string RemoteID; - datetime Issued; - datetime Expires; - [Description ( - "The Type of CIM_KerberosTicket is used to indicate whether " - "the ticket in question was issued by the Kerberos Key " - "Distribution Center (KDC) to support ongoing communication " - "between the Users Access and the KDC (\"TicketGranting\"), " - "or was issued by the KDC to support ongoing communication " - "between two Users Access entities (\"Session\")." ), - Values {"Session", "TicketGranting"}] - uint16 TicketType; -}; - -// ================================================================== -// SharedSecret -// ================================================================== - [Description ( - "CIM_SharedSecret is the secret shared between a Users " - "Access " - "and a particular SharedSecret security service. Secrets " - "may be in the form of a password used for initial " - "authentication, or as with a session key, used as part of " - "a message authentication code to verify that a message " - "originated by the pricinpal with whom the secret is shared. " - "It is important to note that SharedSecret is not just the " - "password, but rather is the password used with a particular " - "security service.")] -class CIM_SharedSecret:CIM_Credential -{ - [Propagated ("CIM_System.CreationClassName"), Key, - MaxLen (256), Description ("Scoping System")] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), Key, - MaxLen (256),Description ("Scoping System")] - string SystemName; - [Key, MaxLen (256), Propagated - ("CIM_SharedSecretService.CreationClassName"), - Description ("Scoping Service")] - string ServiceCreationClassName; - [Propagated ("CIM_SharedSecretService.Name"), - Key, MaxLen (256), - Description ("Scoping Service")] - string ServiceName; - [Key, MaxLen (256), Description ( - "RemoteID is the name by which the user is known at " - "the remote secret key authentication service.")] - string RemoteID; - [Description ( - "secret is the secret known by the Users Access.")] - string secret; - [Description ( - "algorithm names the transformation algorithm, if any, used " - "to protect passwords before use in the protocol. For " - "instance, Kerberos doesn't store passwords as the shared " - "secret, but rather, a hash of the password.")] - string algorithm; - [Description ( - "protocol names the protocol with which the SharedSecret is " - "used.")] - string protocol; -}; - -// ================================================================== -// NamedSharedIKESecret -// ================================================================== - [Description ( - "CIM_NamedSharedIKESecret indirectly represents a shared " - "secret credential. The local identity, IKEIdentity, " - "and the remote peer identity share the secret that is " - "named by the SharedSecretName. The SharedSecretName is " - "used SharedSecretService to reference the secret.") ] -class CIM_NamedSharedIKESecret:CIM_Credential - -{ - [Propagated ("CIM_System.CreationClassName"), - Key, MaxLen (256), Description ("Scoping System")] - string SystemCreationClassName; - [Propagated ("CIM_System.Name"), - Key, MaxLen (256),Description ("Scoping System")] - string SystemName; - [Propagated ("CIM_SharedSecretService.CreationClassName"), - Key, MaxLen (256), Description ("Scoping Service")] - string ServiceCreationClassName; - [Propagated ("CIM_SharedSecretService.Name"), - Key, MaxLen (256), Description ("Scoping Service")] - string ServiceName; - [Key, MaxLen (256), Description ( - "The local Identity with whom the direct trust " - "relationship exists."), - ModelCorrespondence - {"CIM_NamedSharedIKESecret.LocalIdentityType" } ] - string LocalIdentity; - [Key, Description ("LocalIdentityType is used to describe " - "the type of the LocalIdentity."), - ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", - "9", "10", "11"}, - Values {"IPV4_ADDR", "FQDN", "USER_FQDN", - "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", - "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", - "DER_ASN1_GN", "KEY_ID"}, - ModelCorrespondence - {"CIM_NamedSharedIKESecret.LocalIdentity" } ] - uint16 LocalIdentityType; - [Key, MaxLen (256), Description ( - "The peer identity with whom the direct trust " - "relationship exists."), - ModelCorrespondence - {"CIM_NamedSharedIKESecret.PeerIdentityType" } ] - string PeerIdentity; - [Key, Description ("PeerIdentityType is used to describe " - "the type of the PeerIdentity."), - ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", - "9", "10", "11"}, - Values {"IPV4_ADDR", "FQDN", "USER_FQDN", - "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", - "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", - "DER_ASN1_GN", "KEY_ID"}, - ModelCorrespondence - {"CIM_NamedSharedIKESecret.PeerIdentity" } ] - uint16 PeerIdentityType; - [Description ("SharedSecretName is an indirect reference " - "to a shared secret. The SecretService does not expose " - "the actual secret but rather provides access to the " - "secret via a name.")] - string SharedSecretName; -}; - -// ================================================================== -// === Association class definitions === -// ================================================================== - -// ================================================================== -// ElementAsUser -// ================================================================== - [Association, Description ( - "CIM_ElementAsUser is an association used to establish the " - "'ownership' of UsersAccess object instances. That is, the " - "ManagedElement may have UsersAccess to systems and, therefore, " - "be 'users' on those systems. UsersAccess instances must have an " - "'owning' ManagedElement. Typically, the ManagedElements will be " - "limited to Collection, Person, Service and ServiceAccessPoint. " - "Other non-human ManagedElements that might be thought of as " - "having UsersAccess (e.g., a device or system) have services that " - "have the UsersAccess.")] -class CIM_ElementAsUser : CIM_Dependency - { - [Min (1), Max (1), Override ("Antecedent"), - Description ("The ManagedElement that has UsersAccess") ] - CIM_ManagedElement REF Antecedent; - [Override ("Dependent"), - Description ("The 'owned' UsersAccess") ] - CIM_UsersAccess REF Dependent; - }; - -// ================================================================== -// UsersCredential -// ================================================================== - [Association, Description ( - "CIM_UsersCredential is an association used to establish the " - "credentials that may be used for a UsersAccess to a system or " - "set of systems. " )] -class CIM_UsersCredential : CIM_Dependency - { - [Override ("Antecedent"), - Description ("The issued credential that may be used.") ] - CIM_Credential REF Antecedent; - [Override ("Dependent"), - Description ("The UsersAccess that has use of a credential") ] - CIM_UsersAccess REF Dependent; - }; - -// =================================================================== -// PublicPrivateKeyPair -// =================================================================== - [Association, Description ( - "This relationship associates a PublicKeyCertificate with " - "the Principal who has the PrivateKey used with the " - "PublicKey. The PrivateKey is not modeled, since it is not " - "a data element that ever SHOULD be accessible via " - "management applications, other than key recovery services, " - "which are outside our scope.") ] -class CIM_PublicPrivateKeyPair:CIM_UsersCredential -{ - [ Override ("Antecedent") ] - CIM_PublicKeyCertificate REF Antecedent; - [ Override ("Dependent") ] - CIM_UsersAccess REF Dependent; - [Description ( "The Certificate may be used for signature " - "only " - "or for confidentiality as well as signature"), - Values { "SignOnly", "ConfidentialityOrSignature"} ] - uint16 Use; - boolean NonRepudiation; - boolean BackedUp; - [Description ("The repository in which the certificate is " - "backed up.")] - string Repository; -}; - -// =================================================================== -// CAHasPublicCertificate -// =================================================================== - [Association, Description ( - "A CertificateAuthority may have certificates issued by other CAs. " - "This association is essentially an optimization of the CA having " - "a UsersAccess instance with an association to a certificate thus " - "mapping more closely to LDAP-based certificate authority " - "implementations.") ] -class CIM_CAHasPublicCertificate:CIM_Dependency -{ - [Max (1), Override ("Antecedent"), - Description ("The Certificate used by the CA")] - CIM_PublicKeyCertificate REF Antecedent; - [Override ("Dependent"), - Description ("The CA that uses a Certificate")] - CIM_CertificateAuthority REF Dependent; -}; - -// =================================================================== -// ManagedCredential -// =================================================================== - [Association, Description ( - "This relationship associates a CredentialManagementService " - "with the Credential it manages.") ] -class CIM_ManagedCredential:CIM_Dependency -{ - [Override ("Antecedent"), Min (1), Max (1), - Description ( "The credential management service")] - CIM_CredentialManagementService REF Antecedent; - [Override ("Dependent"), - Description ( "The managed credential")] - CIM_Credential REF Dependent; -}; - -// =================================================================== -// CASignsPublicKeyCertificate -// =================================================================== - [Association, Description ( - "This relationship associates a CertificateAuthority with " - "the certificates it signs.") ] -class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential -{ - [Override ("Antecedent"), Min (1), Max (1), - Description ( "The CA which signed the certificate")] - CIM_CertificateAuthority REF Antecedent; - [Override ("Dependent"), Weak, - Description ( "The certificate issued by the CA")] - CIM_PublicKeyCertificate REF Dependent; - string SerialNumber; - [ Octetstring ] - uint8 Signature[]; - datetime Expires; - string CRLDistributionPoint[]; -}; - -// ================================================================== -// LocallyManagedPublicKey -// ================================================================== - [Association, Description ( - "CIM_LocallyManagedPublicKey association provides the " - "relationship between a PublicKeyManagementService and an " - "UnsignedPublicKey.") ] -class CIM_LocallyManagedPublicKey:CIM_ManagedCredential -{ - [Override ("Antecedent"), Min (1), Max (1), - Description ("The PublicKeyManagementService that manages " - "an unsigned public key.") ] - CIM_PublicKeyManagementService REF Antecedent; - [Override ("Dependent"), Weak, Description ( - "An unsigned public key.") ] - CIM_UnsignedPublicKey REF Dependent; -}; - -// =================================================================== -// SharedSecretIsShared -// =================================================================== - [Association, Description ( - "This relationship associates a SharedSecretService with the " - "SecretKey it verifies.") ] -class CIM_SharedSecretIsShared : CIM_ManagedCredential -{ - [Override ("Antecedent"), Min (1), Max (1), - Description ("The credential management service")] - CIM_SharedSecretService REF Antecedent; - [Override ("Dependent"), Weak, - Description ( "The managed credential")] - CIM_SharedSecret REF Dependent; -}; - -// ================================================================== -// IKESecretIsNamed -// ================================================================== - [Association, Description ( - "CIM_IKESecretIsNamed association provides the " - "relationship between a SharedSecretService and a " - "NamedSharedIKESecret.") ] -class CIM_IKESecretIsNamed:CIM_ManagedCredential -{ - [Override ("Antecedent"), Min (1), Max (1), - Description ("The SharedSecretService that manages a " - "NamedSharedIKESecret.")] - CIM_SharedSecretService REF Antecedent; - [Override ("Dependent"), Weak, Description ( - "The managed NamedSharedIKESecret.") ] - CIM_NamedSharedIKESecret REF Dependent; -}; - -// =================================================================== -// KDCIssuesKerberosTicket -// =================================================================== - [Association, Description ( - "The KDC issues and owns Kerberos tickets. This association " - "captures the relationship between the KDC and its issued tickets." - ) ] -class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential -{ - [Override ("Antecedent"), Min (1), Max (1), - Description ( "The issuing KDC") ] - CIM_KerberosKeyDistributionCenter REF Antecedent; - [Override ("Dependent"), Weak, - Description ( "The managed credential")] - CIM_KerberosTicket REF Dependent; -}; - -// =================================================================== -// NotaryVerifiesBiometric -// =================================================================== - [Association, Description ( - "This relationship associates a Notary service with the " - "Users Access whose biometric information is verified.") ] -class CIM_NotaryVerifiesBiometric : CIM_Dependency -{ - [Override ("Antecedent"), - Description ("The Notary service that verifies biometric " - "information ") ] - CIM_Notary REF Antecedent; - [Override ("Dependent"), - Description ( "The UsersAccess that represents a person using " - "biometric information for authentication.")] - CIM_UsersAccess REF Dependent; -}; - -Appendix C (DMTF Network Model MOF) - -// ================================================================== -// NetworkService -// ================================================================== - [Abstract, Description ( - "This is an abstract base class, derived from the Service " - "class. It serves as the root of the network service " - "hierarchy. Network services represent generic functions " - "that are available from the network that configure and/or " - "modify the traffic being sent. For example, FTP is not a " - "network service, as it simply passes data unchanged from " - "source to destination. On the other hand, services " - "that provide quality of service (e.g., DiffServ) and " - "security (e.g., IPSec) do affect the traffic stream. " - "Quality of service, IPSec, and other services are " - "subclasses of this class. This class hierarchy enables " - "developers to match services to users, groups, " - "and other objects in the network.") ] - -class CIM_NetworkService : CIM_Service -{ - [Description ( - "This is a free-form array of strings that provide " - "descriptive words and phrases that can be used in queries " - "to help locate and identify instances of this service.") ] - string Keywords [ ]; - [Description ( - "This is a URL that provides the protocol, network " - "location, and other service-specific information required " - "in order to access the service. This should be implemented " - "as a LabeledURI, with syntax DirectoryString and a " - "matching rule of CaseExactMatch, for directory " - "implementors.") ] - string ServiceURL; - [Description ( - "This is a free-form array of strings that specify any " - "specific pre-conditions that must be met in order for this " - "service to start correctly. It is expected that subclasses " - "will refine the inherited StartService() and StopService()" - "methods to suit their own application-specific needs. This " - "property is used to specify application-specific conditions " - "needed by the refined StartService and StopService" - "methods.") ] - string StartupConditions [ ]; - [Description ( - "This is a free-form array of strings that specify any " - "specific parameters that must be supplied to the " - "StartService() method in order for this service to start " - "correctly. It is expected that subclasses will refine the " - "inherited StartService() and StopService() methods to suit " - "their own application-specific needs. This property is used " - "to specify application-specific parameters needed by the " - "refined StartService and StopService methods.") ] - string StartupParameters [ ]; -}; - -// ================================================================== -// ProtocolEndpoint -// ================================================================== - [Description ( - "A communication point from which data may be sent or " - "received. ProtocolEndpoints link router interfaces and " - "switch ports to LogicalNetworks.") ] - -class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint -{ - [Override ("Name"), MaxLen(256), Description ( - "A string which identifies this ProtocolEndpoint with either " - "a port or an interface on a device. To ensure uniqueness, " - "the Name property should be prepended or appended with " - "information from the Type or OtherTypeDescription " - "properties. The method chosen is described in the " - "NameFormat property of this class.") ] - string Name; - [MaxLen (256), Description ( - "NameFormat contains the naming heuristic that is chosen to " - "ensure that the value of the Name property is unique. For " - "example, one might choose to prepend the name of the port " - "or interface with the Type of ProtocolEndpoint that this " - "instance is (e.g., IPv4)followed by an underscore.") ] - string NameFormat; - [MaxLen (64), Description ( - "ProtocolType is an enumeration that provides additional " - "information that can be used to help categorize and " - "classify different instances of this class."), - ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", - "10", "11", "12", "13", "14", "15", "16", "17", - "18", "19", "20", "21"}, - Values { "Unknown", "Other", "IPv4", "IPv6", "IPX", - "AppleTalk", "DECnet", "SNA", "CONP", "CLNP", - "VINES", "XNS", "ATM", "Frame Relay", - "Ethernet", "TokenRing", "FDDI", "Infiniband", - "Fibre Channel", "ISDN BRI Endpoint", - "ISDN B Channel Endpoint", "ISDN D Channel Endpoint" -}, - ModelCorrespondence { - "CIM_ProtocolEndpoint.OtherTypeDescription"} ] - string ProtocolType; - [MaxLen(64), Description ( - "A string describing the type of ProtocolEndpoint that this " - "instance is when the Type property of this class (or any of " - "its subclasses) is set to 1 (e.g., 'Other'). The format of " - "the string inserted in this property should be similar in " - "format to the values defined for the Type property. This " - "property should be set to NULL when the Type property is " - "any value other than 1."), - ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ] - string OtherTypeDescription; -}; - -// ================================================================== -// IPProtocolEndpoint -// ================================================================== - [Description ( - "A ProtocolEndpoint that is dedicated to running IP.") ] - -class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint -{ - [Description ( - "The IP address that this ProtocolEndpoint represents, " - "formatted according to the appropriate convention as " - "defined in the AddressType property of this class " - " (e.g., 171.79.6.40).") ] - string Address; - [Description ( - "The mask for the IP address of this ProtocolEndpoint, " - "formatted according to the appropriate convention as " - "defined in the AddressType property of this class " - " (e.g., 255.255.252.0).") ] - string SubnetMask; - [Description ( - "An enumeration that describes the format of the address " - "property. Whenever possible, IPv4-compatible addresses " - "should be used instead of native IPv6 addresses (see " - "RFC 2373, section 2.5.4). In order to have a consistent " - "format for IPv4 addresses in a mixed IPv4/v6 environment, " - "all IPv4 addresses and both IPv4-compatible IPv6 addresses " - "and IPv4-mapped IPv6 addresses, per RFC 2373, section " - "2.5.4, should be formatted in standard IPv4 format. " - "However, this (the 2.2) version of the Network Common " - "Model will not explicitly support mixed IPv4/IPv6 " - "environments. This will be added in a future release."), - ValueMap { "0", "1", "2" }, - Values { "Unknown", "IPv4", "IPv6" } ] - uint16 AddressType; - [Description ( - "It is not possible to tell from the address alone if a " - "given IPProtocolEndpoint can support IPv4 and IPv6, or " - "just one of these. This property explicitly defines the " - "support for different versions of IP that this " - "IPProtocolEndpoint has. " - "\n\n" - "More implementation experience is needed in order to " - "correctly model mixed IPv4/IPv6 networks; therefore, this " - "version (2.2) of the Network Common Model will not support " - "mixed IPv4/IPv6 environments. This will be looked at " - "further in a future version."), - ValueMap { "0", "1", "2" }, - Values { "Unknown", "IPv4 Only", "IPv6 Only" } ] - uint16 IPVersionSupport; -}; - -// =================================================================== -// CIM_FilterEntryBase -// =================================================================== - [Description ( - " FilterEntryBase is an abstract class to define the naming " - "of all filter entries, and to allow their common " - "aggregation into FilterLists. The FilterEntry subclass " - "represents packet filtering. Other types of Entries are " - "possible - for example, to filter security credentials. \n" - " FilterEntryBase is weak to the network device (e.g., the " - "ComputerSystem) that contains it. Hence, the ComputerSystem " - "keys are propagated to this class.") ] - -class CIM_FilterEntryBase : CIM_LogicalElement -{ - [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, - MaxLen (256), - Description ( - "The scoping ComputerSystem's CreationClassName. ") ] - string SystemCreationClassName; - [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), - Description ( - "The scoping ComputerSystem's Name.") ] - string SystemName; - [Key, MaxLen (256), - Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), - Description ( - "The Name property defines the label by which the Filter" - "Entry is known and uniquely identified.") ] - string Name; - [Description ( - "Boolean indicating that the match condition described " - "in the properties of the FilterEntryBase subclass " - "should be negated.") ] - boolean IsNegated; -}; - -// =================================================================== - -// CIM_IPHeaderFilter - -// =================================================================== - - [Description ("IPHeaderFilter contains the all of the " - "properties necessary to perform filtering on an IP header " - - "or a portion thereof.")] - -class CIM_IPHeaderFilter : CIM_FilterEntryBase - -{ - - [Description ("IpVersion identifies the version of the IP " - - "addresses for IP header filters. It is also used to " - - "determine the sizes of the OctetStrings in the four " - - "properties SrcAddress, SrcMask, DestAddress, and DestMask, " - - "as follows:\n" - - "ipv4(4): OctetString(SIZE (4))\n" - - "ipv6(6): OctetString(SIZE (16|20)), depending on whether\n" - - " a scope identifier is present"), - - ValueMap {"4", "6" }, - - Values { "IPv4", "IPv6" }, - - ModelCorrespondence { - - "CIM_IPHeaderFilter.SrcAddress", - - "CIM_IPHeaderFilter.SrcMask", - - "CIM_IPHeaderFilter.DestAddress", - - "CIM_IPHeaderFilter.DestMask" } ] - - uint8 IpVersion; - - [Description ("SrcAddress is an OctetString, of a size " - - "determined by the value of the IpVersion property, " - - "representing a source IP address. This value is compared to" - - " the source address in the IP header, subject to the mask " - - "represented in the SrcMask property."), - - OCTETSTRING, - - ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] - - uint8 SrcAddress[]; - - [Description ("SrcMask is an OctetString, of a size determined" - - " by the value of the IpVersion property, representing a mask" - - " to be used in comparing the source address in the IP header" - - " with the value represented in the SrcAddress property."), - - OCTETSTRING, - - ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] - - uint8 SrcMask[]; - - [Description ("DestAddress is an OctetString, of a size " - - "determined by the value of the IpVersion property, " - - "representing a destination IP address. This value is " - - "compared to the destination address in the IP header, " - - "subject to the mask represented in the DestMask property."), - - OCTETSTRING, - - ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] - - uint8 DestAddress[]; - [Description ("DestMask is an OctetString, of a size " - - "determined by the value of the IpVersion property, " - - "representing a mask to be used in comparing the destination " - - "address in the IP header with the value represented in the " - - "DestAddress property."), - - OCTETSTRING, - - ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] - - uint8 DestMask[]; - - [Description ("ProtocolID is an 8-bit unsigned integer, " - - "representing an IP protocol type. This value is compared to" - - " the Protocol field in the IP header.")] - - uint8 ProtocolID; - - [Description ("SrcPortStart represents the lower end of a " - - "range of UDP or TCP source ports. The upper end of the " - - "range is represented by the SrcPortEnd property. The value " - - "of SrcPortStart MUST be no greater than the value of " - - "SrcPortEnd. A single port is indicated by equal values for " - - "SrcPortStart and SrcPortEnd.\n" - - "\n" - - "A source port filter is evaluated by testing whether the " - - "source port identified in the IP header falls within the " - - "range of values between SrcPortStart and SrcPortEnd, " - - "including these two end points.")] - - uint16 SrcPortStart; - - [Description ("SrcPortEnd represents the upper end of a range " - - "of UDP or TCP source ports. The lower end of the range is " - - "represented by the SrcPortStart property. The value of " - - "SrcPortEnd MUST be no less than the value of SrcPortStart. " - - "A single port is indicated by equal values for SrcPortStart " - - "and SrcPortEnd.\n" - - "\n" - - "A source port filter is evaluated by testing whether the " - - "source port identified in the IP header falls within the " - - "range of values between SrcPortStart and SrcPortEnd, " - - "including these two end points.")] - - uint16 SrcPortEnd; - - [Description ("DestPortStart represents the lower end of " - - "a range of UDP or TCP destination ports. The upper end of " - - "the range is represented by the DestPortEnd property. The " - - "value of DestPortStart MUST be no greater than the value of " - - "DestPortEnd. A single port is indicated by equal values for" - " DestPortStart and DestPortEnd.\n" - - "\n" - - "A destination port filter is evaluated by testing whether " - - "the destination port identified in the IP header falls " - - "within the range of values between DestPortStart and " - - "DestPortEnd, including these two end points.")] - - uint16 DestPortStart; - - [Description ("DestPortEnd represents the upper end of a range" - - " of UDP or TCP destination ports. The lower end of the " - - "range is represented by the DestPortStart property. The " - - "value of DestPortEnd MUST be no less than the value of " - - "DestPortStart. A single port is indicated by equal values " - - "for DestPortStart and DestPortEnd.\n" - - "\n" - - "A destination port filter is evaluated by testing whether " - - "the destination port identified in the IP header falls " - - "within the range of values between DestPortStart and " - - "DestPortEnd, including these two end points.")] - - uint16 DestPortEnd; - - [Description ("DSCPs are defined as discrete code points, " - - "with no inherent structure, there is no semantically " - - "significant relationship between different DSCPs. " - - "Consequently, there is no provision for specifying a range " - - "of DSCPs in this property. Since, in IPv4, the DSCP field " - - "may contain bits to be interpreted as the TOS IP Precedence," - - " this property is also used to filter on IP Precedence. " - - "Similarly, the IPv6 Traffic Class field is also filtered " - - "using the value in this property."), - - MAXVALUE (63)] - - uint8 DSCP; - - [Description ("The 20-bit Flow Label field in the IPv6 header " - - "may be used by a source to label sequences of packets for " - - "which it requests special handling by the IPv6 devices, such" - - " as non-default quality of service or 'real-time' service. " - - "In the filter, this 20-bit string is encoded in a 24-bit " - - "octetstring by right-adjusting the value and padding on the " - - "left with b'0000'."), - - OCTETSTRING ] - - uint8 FlowLabel[]; - -}; - -// ================================================================== -// FilterList - -// ================================================================== - [Description ( - "A FilterList is used by network devices to identify routes " - "by aggregating a set of FilterEntries into a unit, called a " - "FilterList. FilterLists can also be used to accept or deny " - "routing updates." - "\n\n" - "A FilterList is weak to the network device (e.g., the " - "ComputerSystem) that contains it. Hence, the ComputerSystem " - "keys are propagated to this class.") ] - -class CIM_FilterList : CIM_LogicalElement -{ - [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, - MaxLen (256), Description ( - "The scoping ComputerSystem's CreationClassName. ") ] - string SystemCreationClassName; - - [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), - Description ("The scoping ComputerSystem's Name.") ] - string SystemName; - - [Key, Description ( - "The type of class that this instance is.") ] - string CreationClassName; - [Key, MaxLen(256), Description ( - "This is the name of the FilterList.") ] - string Name; - - [Description ( - "This defines whether the FilterList is used " - "for input, output, or both input and output " - "filtering. All values are used with respect to " - "the interface for which the FilterList applies. " - "\n\n" - "\"Not Applicable\" (0) is used when there is no " - "direction applicable to the FilterList.\n" - "\"Input\" (1) is used when the FilterList applies " - "to packets that are inbound on the related " - "interface.\n" - "\"Output\" (2) is used when the FilterList applies " - "to packets that are outbound on the related " - "interface.\n" - "\"Both\" (3) is used to indicate that " - "the direction is immaterial, e.g., to filter on " - "a source subnet regardless of whether the flow is " - "inbound or outbound.\n" - "\"Mirrored\" (4) is also applicable to " - "both inbound and outbound flow processing, but " - "indicates that the filter criteria are applied " - "asymmetrically to traffic in both directions " - "and, thus, specifies the reversal of source and " - "destination criteria (as opposed to the equality " - "of these criteria as indicated by \"Both\"). " - "The match conditions in the aggregated " - "FilterEntryBase subclass instances are defined " - "from the perspective of outbound flows and applied " - "to inbound flows as well by reversing the source " - "and destination criteria. So, for example, " - "consider a FilterList with 3 FilterEntries " - "indicating destination port = 80, and source and " - "destination addresses of a and b, respectively. " - "Then, for the outbound direction, the filter " - "entries match as specified and the 'mirror' (for " - "the inbound direction) matches on source " - "port = 80 and source and destination addresses " - "of b and a, respectively."), - Values {"Not Applicable", "Input", "Output", - "Both", "Mirrored" } ] - uint16 Direction; -}; - -// ================================================================== -// === Association class definitions === -// ================================================================== - -// ================================================================== -// EntriesInFilterList -// ================================================================== - [Association, Aggregation, Description ( - "This is a specialization of the CIM_Component aggregation " - "which is used to define a set of filter entries (subclasses " - "of FilterEntryBase) that are aggregated by a particular " - "FilterList.") ] -class CIM_EntriesInFilterList : CIM_Component -{ - [Aggregate, Max(1), Override ("GroupComponent"), - Description ( - "The FilterList, which aggregates the set " - "of FilterEntries.") ] - CIM_FilterList REF GroupComponent; - [Override ("PartComponent"), - Description ( - "Any subclass of FilterEntryBase which is a part of " - "the FilterList.") ] - CIM_FilterEntryBase REF PartComponent; - [Description ( - "The order of the Entry relative to all others in the " - "FilterList. A value of zero indicates that all the Entries " - "should be ANDed together. Use of the Sequence property " - "should be consistent across the List. It is not valid to " - "define some Entries as ANDed in the FilterList (Sequence" - "=0) while other Entries have a non-zero Sequence number.") ] - uint16 EntrySequence; -}; - -Appendix D (DMTF Policy Model MOF) - -// ================================================================== -// Policy -// ================================================================== - [Abstract, Description ( - "An abstract class defining the common properties of the policy " - "managed elements derived from CIM_Policy. The subclasses are " - "used to create rules and groups of rules that work together to " - "form a coherent set of policies within an administrative domain " - "or set of domains.") - ] -class CIM_Policy : CIM_ManagedElement -{ - [Description ( - "A user-friendly name of this policy-related object.") - ] - string CommonName; - [Description ( - "An array of keywords for characterizing / categorizing " - "policy objects. Keywords are of one of two types: \n" - "- Keywords defined in this and other MOFs, or in DMTF" - "white papers. These keywords provide a vendor-" - "independent, installation-independent way of " - "characterizing policy objects. \n" - "- Installation-dependent keywords for characterizing " - "policy objects. Examples include 'Engineering', " - "'Billing', and 'Review in December 2000'. \n" - "This MOF defines the following keywords: 'UNKNOWN', " - "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', " - "'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These " - "concepts are self-explanatory and are further discussed " - "in the SLA/Policy White Paper. One additional keyword " - "is defined: 'POLICY'. The role of this keyword is to " - "identify policy-related instances that may not be otherwise " - "identifiable, in some implementations. The keyword 'POLICY' " - "is NOT mutually exclusive of the other keywords " - "specified above.") - ] - string PolicyKeywords []; -}; - -// ================================================================== -// PolicySet -// ================================================================== - [Abstract, Description ("PolicySet is an abstract class that " - "represents a set of policies that form a coherent set. The " - "set of contained policies has a common decision strategy and " - "a common set of policy roles. Subclasses include " - "PolicyGroup and PolicyRule.")] -class CIM_PolicySet : CIM_Policy -{ - [Description ("PolicyDecisionStrategy defines the evaluation " - "method used for policies contained in the PolicySet. " - "FirstMatching enforces the actions of the first rule that " - "evaluates to TRUE. It is the only value currently defined."), - ValueMap { "1" }, - Values { "FirstMatching" } - ] - uint16 PolicyDecisionStrategy; - [Description ( - "The PolicyRoles property represents the roles and role " - "combinations associated with a PolicySet. All contained " - "PolicySet instances inherit the values of the PolicyRoles of " - "the aggregating PolicySet but the values are not copied. " - "A contained PolicySet instance may, however, add additional " - "PolicyRoles to those it inherits from its aggregating " - "PolicySet(s)\n" - "\n" - "Each value represents one role or role combination. Since " - "this is a multi-valued property, more than one role or " - "combination can be associated with a single PolicySet. Each " - "value is a string of the form:\n" - " [&&]*\n" - "where the individual role names appear in alphabetical order " - "(according to the collating sequence for UCS-2).") ] - string PolicyRoles []; - -}; - -// ================================================================== -// PolicyGroup -// ================================================================== - [Description ( - "An aggregation of PolicySet instances (PolicyGroups and/or " - "PolicyRules) that have the same decision strategy and inherit " - "policy roles. PolicyGroup instances are defined and named " - "relative to the CIM_System that provides their context.") - ] -class CIM_PolicyGroup : CIM_PolicySet -{ - [Propagated("CIM_System.CreationClassName"), - Key, MaxLen (256), - Description ("The scoping System's CreationClassName.") - ] - string SystemCreationClassName; - [Propagated("CIM_System.Name"), - Key, MaxLen (256), - Description ("The scoping System's Name.") - ] - string SystemName; - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), Description ( - "A user-friendly name of this PolicyGroup.") - ] - string PolicyGroupName; -}; - -// ================================================================== -// PolicyRule -// ================================================================== - [Description ( - "The central class used for representing the 'If Condition then " - "Action' semantics of a policy rule. A PolicyRule condition, in " - "the most general sense, is represented as either an ORed set of " - "ANDed conditions (Disjunctive Normal Form, or DNF) or an ANDed " - "set of ORed conditions (Conjunctive Normal Form, or CNF). " - "Individual conditions may either be negated (NOT C) or " - "unnegated (C). The actions specified by a PolicyRule are to be " - "performed if and only if the PolicyRule condition (whether it " - "is represented in DNF or CNF) evaluates to TRUE.\n" - "\n" - "The conditions and actions associated with a PolicyRule are " - "modeled, respectively, with subclasses of PolicyCondition and " - "PolicyAction. These condition and action objects are tied to " - "instances of PolicyRule by the PolicyConditionInPolicyRule and " - "PolicyActionInPolicyRule aggregations.\n" - "\n" - "A PolicyRule may also be associated with one or more policy " - "time periods, indicating the schedule according to which the " - "policy rule is active and inactive. In this case it is the " - "PolicyRuleValidityPeriod aggregation that provides this " - "linkage.\n" - "\n" - "The PolicyRule class uses the property ConditionListType, to " - "indicate whether the conditions for the rule are in DNF or " - "CNF. The PolicyConditionInPolicyRule aggregation contains " - "two additional properties to complete the representation of " - "the Rule's conditional expression. The first of these " - "properties is an integer to partition the referenced " - "PolicyConditions into one or more groups, and the second is a " - "Boolean to indicate whether a referenced Condition is " - "negated. An example shows how ConditionListType and these " - "two additional properties provide a unique representation " - "of a set of PolicyConditions in either DNF or CNF.\n" - "\n" - "Suppose we have a PolicyRule that aggregates five " - "PolicyConditions C1 through C5, with the following values " - "in the properties of the five PolicyConditionInPolicyRule " - "associations:\n" - " C1: GroupNumber = 1, ConditionNegated = FALSE\n" - " C2: GroupNumber = 1, ConditionNegated = TRUE\n" - " C3: GroupNumber = 1, ConditionNegated = FALSE\n" - " C4: GroupNumber = 2, ConditionNegated = FALSE\n" - " C5: GroupNumber = 2, ConditionNegated = FALSE\n" - "\n" - "If ConditionListType = DNF, then the overall condition for " - "the PolicyRule is:\n" - " (C1 AND (NOT C2) AND C3) OR (C4 AND C5)\n" - "\n" - "On the other hand, if ConditionListType = CNF, then the " - "overall condition for the PolicyRule is:\n" - " (C1 OR (NOT C2) OR C3) AND (C4 OR C5)\n" - "\n" - "In both cases, there is an unambiguous specification of " - "the overall condition that is tested to determine whether " - "to perform the PolicyActions associated with the PolicyRule.\n" - "\n" - "PolicyRule instances may also be used to aggregate other " - "PolicyRules and/or PolicyGroups. When used in this way to " - "implement nested rules, the conditions of the aggregating rule " - "apply to the subordinate rules as well. However, any side " - "effects of condition evaluation or the execution of actions MUST " - "NOT affect the result of the evaluation of other conditions " - "evaluated by the rule engine in the same evaluation pass. That " - "is, an implementation of a rule engine MAY evaluate all " - "conditions in any order before applying the priority and " - "determining which actions are to be executed.") - ] -class CIM_PolicyRule : CIM_PolicySet -{ - [Propagated("CIM_System.CreationClassName"), - Key, MaxLen (256), - Description ("The scoping System's CreationClassName.") - ] - string SystemCreationClassName; - [Propagated("CIM_System.Name"), - Key, MaxLen (256), - Description ("The scoping System's Name.") - ] - string SystemName; - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property " - "allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), Description ( - "A user-friendly name of this PolicyRule.") - ] - string PolicyRuleName; - [Description ( - "Indicates whether this PolicyRule is administratively " - "enabled, administratively disabled, or enabled for " - "debug. When the property has the value 3 (\"enabledFor" - "Debug\"), the entity evaluating the PolicyConditions is " - "instructed to evaluate the conditions for the Rule, but not " - "to perform the actions if the PolicyConditions evaluate to " - "TRUE. This serves as a debug vehicle when attempting to " - "determine what policies would execute in a particular " - "scenario, without taking any actions to change state " - "during the debugging. The default value is 1 " - "(\"enabled\")."), - ValueMap { "1", "2", "3" }, - Values { "enabled", "disabled", "enabledForDebug" } - ] - uint16 Enabled; - [Description ( - "Indicates whether the list of PolicyConditions " - "associated with this PolicyRule is in disjunctive " - "normal form (DNF) or conjunctive normal form (CNF)." - "The default value is 1 (\"DNF\")."), - ValueMap { "1", "2" }, - Values { "DNF", "CNF" } - ] - uint16 ConditionListType; - [Description ( - "A free-form string that can be used to provide " - "guidelines on how this PolicyRule should be used.") - ] - string RuleUsage; - [DEPRECATED {"CIM_PolicySetComponent.Priority"}, - Description ( - "PolicyRule.Priority is deprecated and replaced by " - "providing the priority for a rule (and a group) in the " - "context of the aggregating PolicySet instead of the " - "priority being used for all aggregating PolicySet " - "instances. Thus, the assignment of priority values is much " - "simpler.\n" - "\n" - "A non-negative integer for prioritizing this Policy" - "Rule relative to other Rules. A larger value " - "indicates a higher priority. The default value is 0.") - ] - uint16 Priority; - [Description ( - "A flag indicating that the evaluation of the Policy" - "Conditions and execution of PolicyActions (if the " - "Conditions evaluate to TRUE) is required. The " - "evaluation of a PolicyRule MUST be attempted if the " - "Mandatory property value is TRUE. If the Mandatory " - "property is FALSE, then the evaluation of the Rule " - "is 'best effort' and MAY be ignored.") - ] - boolean Mandatory; - [Description ( - "This property gives a policy administrator a way " - "of specifying how the ordering of the PolicyActions " - "associated with this PolicyRule is to be interpreted. " - "Three values are supported:\n" - " o mandatory(1): Do the actions in the indicated " - " order, or don't do them at all.\n" - " o recommended(2): Do the actions in the indicated " - " order if you can, but if you can't do them in this " - " order, do them in another order if you can.\n" - " o dontCare(3): Do them -- I don't care about the " - " order.\n" - "The default value is 3 (\"dontCare\")."), - ValueMap { "1", "2", "3" }, - Values { "mandatory", "recommended", "dontCare" } - ] - uint16 SequencedActions; - [Description ( - "ExecutionStrategy defines the strategy to be used in " - "executing the sequenced actions aggregated by this " - "PolicyRule. There are three execution strategies:\n" - "\n" - "Do Until Success - execute actions according to predefined\n" - " order, until successful execution of a\n" - " single action.\n" - "Do All - execute ALL actions which are part of\n" - " the modeled set, according to their\n" - " predefined order. Continue doing this,\n" - " even if one or more of the actions " - " fails.\n" - "Do Until Failure - execute actions according to predefined\n" - " order, until the first failure in\n" - " execution of an action instance."), - Values {"1", "2", "3"}, - ValueMap {"Do Until Success", "Do All", "Do Until Failure"}] - uint16 ExecutionStrategy; -}; - -// ================================================================== -// ReusablePolicyContainer -// ================================================================== - [Description ( - "A class representing an administratively defined " - "container for reusable policy-related information. " - "This class does not introduce any additional " - "properties beyond those in its superclass " - "AdminDomain. It does, however, participate in a " - "unique association for containing policy elements." - "\n\n" - "An instance of this class uses the NameFormat value" - "\"ReusablePolicyContainer\".") - ] -class CIM_ReusablePolicyContainer : CIM_AdminDomain -{ -}; - -// ================================================================== -// PolicyRepository *** deprecated -// ================================================================== - [DEPRECATED{"CIM_ReusablePolicyContainer"}, - Description ( - "The term 'PolicyRepository' has been confusing to both " - "developers and users of the model. The replacement class " - "name describes model element properly and is less likely " - "to be confused with a data repository." - "\n\n" - "A class representing an administratively defined " - "container for reusable policy-related information. " - "This class does not introduce any additional " - "properties beyond those in its superclass " - "AdminDomain. It does, however, participate in a " - "number of unique associations." - "\n\n" - "An instance of this class uses the NameFormat value" - "\"PolicyRepository\".") - ] -class CIM_PolicyRepository : CIM_AdminDomain -{ -}; - -// ================================================================== -// PolicyCondition -// ================================================================== - [Abstract, Description ( - "A class representing a rule-specific or reusable policy " - "condition to be evaluated in conjunction with a Policy" - "Rule. Since all operational details of a PolicyCondition " - "are provided in subclasses of this object, this class is " - "abstract.") - ] -class CIM_PolicyCondition : CIM_Policy -{ - [Key, MaxLen (256), Description ( - " The name of the class or the subclass used in the " - "creation of the System object in whose scope this " - "PolicyCondition is defined.\n\n" - " " - "This property helps to identify the System object in " - "whose scope this instance of PolicyCondition exists. " - "For a rule-specific PolicyCondition, this is the System " - "in whose context the PolicyRule is defined. For a " - "reusable PolicyCondition, this is the instance of " - "PolicyRepository (which is a subclass of System) that " - "holds the Condition.\n\n" - " " - "Note that this property, and the analogous property " - "SystemName, do not represent propagated keys from an " - "instance of the class System. Instead, they are " - "properties defined in the context of this class, which " - "repeat the values from the instance of System to which " - "this PolicyCondition is related, either directly via the " - "PolicyConditionInPolicyRepository association or indirectly" - " via the PolicyConditionInPolicyRule aggregation.") - ] - string SystemCreationClassName; - [Key, MaxLen (256), Description ( - " The name of the System object in whose scope this " - "PolicyCondition is defined.\n\n" - " " - "This property completes the identification of the System " - "object in whose scope this instance of PolicyCondition " - "exists. For a rule-specific PolicyCondition, this is the " - "System in whose context the PolicyRule is defined. For a " - "reusable PolicyCondition, this is the instance of " - "PolicyRepository (which is a subclass of System) that " - "holds the Condition.") - ] - string SystemName; - [Key, MaxLen (256), Description ( - "For a rule-specific PolicyCondition, the " - "CreationClassName of the PolicyRule object with which " - "this Condition is associated. For a reusable Policy" - "Condition, a special value, 'NO RULE', should be used to " - "indicate that this Condition is reusable and not " - "associated with a single PolicyRule.") - ] - string PolicyRuleCreationClassName; - [Key, MaxLen (256), Description ( - "For a rule-specific PolicyCondition, the name of " - "the PolicyRule object with which this Condition is " - "associated. For a reusable PolicyCondition, a " - "special value, 'NO RULE', should be used to indicate " - "that this Condition is reusable and not associated " - "with a single PolicyRule.") - ] - string PolicyRuleName; - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property" - " allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), Description ( - "A user-friendly name of this PolicyCondition.") - ] - string PolicyConditionName; -}; - -// ================================================================== - -// PolicyTimePeriodCondition -// ================================================================== - [Description ( - " This class provides a means of representing the time " - "periods during which a PolicyRule is valid, i.e., active. " - "At all times that fall outside these time periods, the " - "PolicyRule has no effect. A Rule is treated as valid " - "at ALL times, if it does not specify a " - "PolicyTimePeriodCondition.\n\n" - " " - "In some cases a Policy Consumer may need to perform " - "certain setup / cleanup actions when a PolicyRule becomes " - "active / inactive. For example, sessions that were " - "established while a Rule was active might need to " - "be taken down when the Rule becomes inactive. In other " - "cases, however, such sessions might be left up. In this " - "case, the effect of deactivating the PolicyRule would " - "just be to prevent the establishment of new sessions. \n\n" - " " - "Setup / cleanup behaviors on validity period " - "transitions are not currently addressed by the Policy " - "Model, and must be specified in 'guideline' documents or " - "via subclasses of CIM_PolicyRule, CIM_PolicyTimePeriod" - "Condition or other concrete subclasses of CIM_Policy. If " - "such behaviors need to be under the control of the policy " - "administrator, then a mechanism to allow this control " - "must also be specified in the subclasses.\n\n" - " " - "PolicyTimePeriodCondition is defined as a subclass of " - "PolicyCondition. This is to allow the inclusion of " - "time-based criteria in the AND/OR condition definitions " - "for a PolicyRule.\n\n" - " " - "Instances of this class may have up to five properties " - "identifying time periods at different levels. The values " - "of all the properties present in an instance are ANDed " - "together to determine the validity period(s) for the " - "instance. For example, an instance with an overall " - "validity range of January 1, 2000 through December 31, " - "2000; a month mask that selects March and April; a " - "day-of-the-week mask that selects Fridays; and a time " - "of day range of 0800 through 1600 would be represented " - "using the following time periods:\n" - " Friday, March 5, 2000, from 0800 through 1600;\n " - " Friday, March 12, 2000, from 0800 through 1600;\n " - " Friday, March 19, 2000, from 0800 through 1600;\n " - " Friday, March 26, 2000, from 0800 through 1600;\n " - " Friday, April 2, 2000, from 0800 through 1600;\n " - " Friday, April 9, 2000, from 0800 through 1600;\n " - " Friday, April 16, 2000, from 0800 through 1600;\n " - " Friday, April 23, 2000, from 0800 through 1600;\n " - " Friday, April 30, 2000, from 0800 through 1600.\n\n" - " " - "Properties not present in an instance of " - "PolicyTimePeriodCondition are implicitly treated as having " - "their value 'always enabled'. Thus, in the example above, " - "the day-of-the-month mask is not present, and so the " - "validity period for the instance implicitly includes a " - "day-of-the-month mask that selects all days of the month. " - "If this 'missing property' rule is applied to its fullest, " - "we see that there is a second way to indicate that a Policy" - "Rule is always enabled: associate with it an instance of " - "PolicyTimePeriodCondition whose only properties with " - "specific values are its key properties.") - ] -class CIM_PolicyTimePeriodCondition : CIM_PolicyCondition -{ - [Description ( - " This property identifies an overall range of calendar " - "dates and times over which a PolicyRule is valid. It is " - "formatted as a string representing a start date and time, " - "in which the character 'T' indicates the beginning of the " - "time portion, followed by the solidus character '/', " - "followed by a similar string representing an end date and " - "time. The first date indicates the beginning of the range, " - "while the second date indicates the end. Thus, the second " - "date and time must be later than the first. Date/times are " - "expressed as substrings of the form yyyymmddThhmmss. For " - "example: \n" - " 20000101T080000/20000131T120000 defines \n" - " January 1, 2000, 0800 through January 31, 2000, noon\n\n" - " " - "There are also two special cases in which one of the " - "date/time strings is replaced with a special string defined " - "in RFC 2445.\n " - " o If the first date/time is replaced with the string " - " 'THISANDPRIOR', then the property indicates that a " - " PolicyRule is valid [from now] until the date/time " - " that appears after the '/'.\n" - " o If the second date/time is replaced with the string " - " 'THISANDFUTURE', then the property indicates that a " - " PolicyRule becomes valid on the date/time that " - " appears before the '/', and remains valid from that " - " point on. "), - ModelCorrespondence { - "CIM_PolicyTimePeriodCondition.MonthOfYearMask", - "CIM_PolicyTimePeriodCondition.DayOfMonthMask", - "CIM_PolicyTimePeriodCondition.DayOfWeekMask", - "CIM_PolicyTimePeriodCondition.TimeOfDayMask", - "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} - ] - string TimePeriod; - [Octetstring, Description ( - " The purpose of this property is to refine the valid time " - "period that is defined by the TimePeriod property, by " - "explicitly specifying in which months the PolicyRule is " - "valid. These properties work together, with the " - "TimePeriod used to specify the overall time period in " - "which the PolicyRule is valid, and the MonthOfYearMask used " - "to pick out the months during which the Rule is valid.\n\n" - " " - "This property is formatted as an octet string, structured " - "as follows:\n" - " o a 4-octet length field, indicating the length of the " - " entire octet string; this field is always set to " - " 0x00000006 for this property;\n" - " o a 2-octet field consisting of 12 bits identifying the " - " 12 months of the year, beginning with January and " - " ending with December, followed by 4 bits that are " - " always set to '0'. For each month, the value '1' " - " indicates that the policy is valid for that month, " - " and the value '0' indicates that it is not valid.\n\n" - " " - "The value 0x000000060830, for example, indicates that a " - "PolicyRule is valid only in the months May, November, " - "and December.\n\n" - " " - "If a value for this property is not provided, then the " - "PolicyRule is treated as valid for all twelve months, and " - "only restricted by its TimePeriod property value and the " - "other Mask properties."), - ModelCorrespondence { - "CIM_PolicyTimePeriodCondition.TimePeriod", - "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} - ] - uint8 MonthOfYearMask[]; - [Octetstring, Description ( - " The purpose of this property is to refine the valid time " - "period that is defined by the TimePeriod property, by " - "explicitly specifying in which days of the month the Policy" - "Rule is valid. These properties work together, " - "with the TimePeriod used to specify the overall time period " - "in which the PolicyRule is valid, and the DayOfMonthMask " - "used to pick out the days of the month during which the " - "Rule is valid.\n\n " - " " - "This property is formatted as an octet string, structured " - "as follows:\n" - " o a 4-octet length field, indicating the length of the " - " entire octet string; this field is always set to " - " 0x0000000C for this property; \n" - " o an 8-octet field consisting of 31 bits identifying " - " the days of the month counting from the beginning, " - " followed by 31 more bits identifying the days of the " - " month counting from the end, followed by 2 bits that " - " are always set to '0'. For each day, the value '1' " - " indicates that the policy is valid for that day, and " - " the value '0' indicates that it is not valid. \n\n" - " " - "The value 0x0000000C8000000100000000, for example, " - "indicates that a PolicyRule is valid on the first and " - "last days of the month.\n\n " - " " - "For months with fewer than 31 days, the digits corresponding" - " to days that the months do not have (counting in both " - "directions) are ignored.\n\n" - " " - "If a value for this property is not provided, then the " - "PolicyRule is treated as valid for all days of the month, " - "and only restricted by its TimePeriod property value and the" - " other Mask properties."), - ModelCorrespondence { - "CIM_PolicyTimePeriodCondition.TimePeriod", - "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} - ] - uint8 DayOfMonthMask[]; - [Octetstring, Description ( - " The purpose of this property is to refine the valid time " - "period that is defined by the TimePeriod property, by " - "explicitly specifying in which days of the month the Policy" - "Rule is valid. These properties work together, " - "with the TimePeriod used to specify the overall time period " - "in which the PolicyRule is valid, and the DayOfWeekMask used" - " to pick out the days of the week during which the Rule " - "is valid.\n\n " - " " - "This property is formatted as an octet string, structured " - "as follows:\n " - " o a 4-octet length field, indicating the length of the " - " entire octet string; this field is always set to " - " 0x00000005 for this property;\n" - " o a 1-octet field consisting of 7 bits identifying the 7 " - " days of the week, beginning with Sunday and ending with " - " Saturday, followed by 1 bit that is always set to '0'. " - " For each day of the week, the value '1' indicates that " - " the policy is valid for that day, and the value '0' " - " indicates that it is not valid. \n\n" - " " - "The value 0x000000057C, for example, indicates that a " - "PolicyRule is valid Monday through Friday.\n\n" - " " - "If a value for this property is not provided, then the " - "PolicyRule is treated as valid for all days of the week, " - "and only restricted by its TimePeriod property value and " - "the other Mask properties."), - ModelCorrespondence { - "CIM_PolicyTimePeriodCondition.TimePeriod", - "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} - ] - uint8 DayOfWeekMask[]; - [Description ( - " The purpose of this property is to refine the valid time " - "period that is defined by the TimePeriod property, by " - "explicitly specifying a range of times in a day during which" - " the PolicyRule is valid. These properties work " - "together, with the TimePeriod used to specify the overall " - "time period in which the PolicyRule is valid, and the " - "TimeOfDayMask used to pick out the range of time periods " - "in a given day of during which the Rule is valid. \n\n" - " " - "This property is formatted in the style of RFC 2445: a " - "time string beginning with the character 'T', followed by " - "the solidus character '/', followed by a second time string." - " The first time indicates the beginning of the range, while " - "the second time indicates the end. Times are expressed as " - "substrings of the form 'Thhmmss'. \n\n" - " " - "The second substring always identifies a later time than " - "the first substring. To allow for ranges that span " - "midnight, however, the value of the second string may be " - "smaller than the value of the first substring. Thus, " - "'T080000/T210000' identifies the range from 0800 until 2100," - " while 'T210000/T080000' identifies the range from 2100 " - "until 0800 of the following day. \n\n" - " " - "When a range spans midnight, it by definition includes " - "parts of two successive days. When one of these days is " - "also selected by either the MonthOfYearMask, " - "DayOfMonthMask, and/or DayOfWeekMask, but the other day is " - "not, then the policy is active only during the portion of " - "the range that falls on the selected day. For example, if " - "the range extends from 2100 until 0800, and the day of " - "week mask selects Monday and Tuesday, then the policy is " - "active during the following three intervals:\n" - " From midnight Sunday until 0800 Monday; \n" - " From 2100 Monday until 0800 Tuesday; \n" - " From 2100 Tuesday until 23:59:59 Tuesday. \n\n" - " " - "If a value for this property is not provided, then the " - "PolicyRule is treated as valid for all hours of the day, " - "and only restricted by its TimePeriod property value and " - "the other Mask properties."), - ModelCorrespondence { - "CIM_PolicyTimePeriodCondition.TimePeriod", - "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} - ] - string TimeOfDayMask; - [Description ( - " This property indicates whether the times represented " - "in the TimePeriod property and in the various Mask " - "properties represent local times or UTC times. There is " - "no provision for mixing of local times and UTC times: the " - "value of this property applies to all of the other " - "time-related properties."), - ValueMap { "1", "2" }, - Values { "localTime", "utcTime" }, - ModelCorrespondence { - "CIM_PolicyTimePeriodCondition.TimePeriod", - "CIM_PolicyTimePeriodCondition.MonthOfYearMask", - "CIM_PolicyTimePeriodCondition.DayOfMonthMask", - "CIM_PolicyTimePeriodCondition.DayOfWeekMask", - "CIM_PolicyTimePeriodCondition.TimeOfDayMask"} - ] - uint16 LocalOrUtcTime; -}; - -// ================================================================== -// VendorPolicyCondition -// ================================================================== - [Description ( - " A class that provides a general extension mechanism for " - "representing PolicyConditions that have not been modeled " - "with specific properties. Instead, the two properties " - "Constraint and ConstraintEncoding are used to define the " - "content and format of the Condition, as explained below.\n\n" - " " - "As its name suggests, VendorPolicyCondition is intended for " - "vendor-specific extensions to the Policy Core Information " - "Model. Standardized extensions are not expected to use " - "this class.") - ] -class CIM_VendorPolicyCondition : CIM_PolicyCondition -{ - [Octetstring, Description ( - "This property provides a general extension mechanism for " - "representing PolicyConditions that have not been " - "modeled with specific properties. The format of the " - "octet strings in the array is left unspecified in " - "this definition. It is determined by the OID value " - "stored in the property ConstraintEncoding. Since " - "ConstraintEncoding is single-valued, all the values of " - "Constraint share the same format and semantics."), - ModelCorrespondence { - "CIM_VendorPolicyCondition.ConstraintEncoding"} - ] - string Constraint []; - [Description ( - "An OID encoded as a string, identifying the format " - "and semantics for this instance's Constraint property."), - ModelCorrespondence { - "CIM_VendorPolicyCondition.Constraint"} - ] - string ConstraintEncoding; -}; - -// ================================================================== -// PolicyAction -// ================================================================== - [Abstract, Description ( - "A class representing a rule-specific or reusable policy " - "action to be performed if the PolicyConditions for a Policy" - "Rule evaluate to TRUE. Since all operational details of a " - "PolicyAction are provided in subclasses of this object, " - "this class is abstract.") - ] -class CIM_PolicyAction : CIM_Policy -{ - [Key, MaxLen (256), Description ( - " The name of the class or the subclass used in the " - "creation of the System object in whose scope this " - "PolicyAction is defined. \n\n" - " " - "This property helps to identify the System object in " - "whose scope this instance of PolicyAction exists. " - "For a rule-specific PolicyAction, this is the System " - "in whose context the PolicyRule is defined. For a " - "reusable PolicyAction, this is the instance of " - "PolicyRepository (which is a subclass of System) that " - "holds the Action. \n\n" - " " - "Note that this property, and the analogous property " - "SystemName, do not represent propagated keys from an " - "instance of the class System. Instead, they are " - "properties defined in the context of this class, which " - "repeat the values from the instance of System to which " - "this PolicyAction is related, either directly via the " - "PolicyActionInPolicyRepository association or indirectly " - "via the PolicyActionInPolicyRule aggregation.") - ] - string SystemCreationClassName; - [Key, MaxLen (256), Description ( - " The name of the System object in whose scope this " - "PolicyAction is defined. \n\n" - " " - "This property completes the identification of the System " - "object in whose scope this instance of PolicyAction " - "exists. For a rule-specific PolicyAction, this is the " - "System in whose context the PolicyRule is defined. For " - "a reusable PolicyAction, this is the instance of " - "PolicyRepository (which is a subclass of System) that " - "holds the Action.") - ] - string SystemName; - [Key, MaxLen (256), Description ( - "For a rule-specific PolicyAction, the CreationClassName " - "of the PolicyRule object with which this Action is " - "associated. For a reusable PolicyAction, a " - "special value, 'NO RULE', should be used to " - "indicate that this Action is reusable and not " - "associated with a single PolicyRule.") - ] - string PolicyRuleCreationClassName; - [Key, MaxLen (256), Description ( - "For a rule-specific PolicyAction, the name of " - "the PolicyRule object with which this Action is " - "associated. For a reusable PolicyAction, a " - "special value, 'NO RULE', should be used to " - "indicate that this Action is reusable and not " - "associated with a single PolicyRule.") - ] - string PolicyRuleName; - [Key, MaxLen (256), Description ( - "CreationClassName indicates the name of the class or the " - "subclass used in the creation of an instance. When used " - "with the other key properties of this class, this property" - " allows all instances of this class and its subclasses to " - "be uniquely identified.") ] - string CreationClassName; - [Key, MaxLen (256), Description ( - "A user-friendly name of this PolicyAction.") - ] - string PolicyActionName; -}; - -// ================================================================== -// CompoundPolicyAction -// ================================================================== - [Description ("CompoundPolicyAction is used to represent an " - "expression consisting of an ordered sequence of action " - "terms. Each action term is represented as a subclass of " - "the PolicyAction class. Compound actions are constructed " - "by associating dependent action terms together using the " - "PolicyActionInPolicyAction aggregation.") ] -class CIM_CompoundPolicyAction : CIM_PolicyAction -{ - [Description ( - "This property gives a policy administrator a way " - "of specifying how the ordering of the PolicyActions " - "associated with this PolicyRule is to be interpreted. " - "Three values are supported:\n" - " o mandatory(1): Do the actions in the indicated " - " order, or don't do them at all.\n" - " o recommended(2): Do the actions in the indicated " - " order if you can, but if you can't do them in this " - " order, do them in another order if you can.\n" - " o dontCare(3): Do them -- I don't care about the " - " order.\n" - "The default value is 3 (\"dontCare\")."), - ValueMap { "1", "2", "3" }, - Values { "mandatory", "recommended", "dontCare" }] - uint16 SequencedActions; - - [Description ("ExecutionStrategy defines the strategy to be " - "used in executing the sequenced actions aggregated by this " - "CompoundPolicyAction. There are three execution strategies:" - "\n\n" - "Do Until Success - execute actions according to predefined\n" - " order, until successful execution of a\n" - " single action.\n" - "Do All - execute ALL actions which are part of\n" - " the modeled set, according to their\n" - " predefined order. Continue doing this,\n" - " even if one or more of the actions " - " fails.\n" - "Do Until Failure - execute actions according to predefined\n" - " order, until the first failure in\n" - " execution of an action instance." - "The default value is 2 (\"Do All\")."), - Values {"1", "2", "3"}, - ValueMap {"Do Until Success", "Do All", "Do Until Failure"}] - uint16 ExecutionStrategy; -}; - -// ================================================================== -// VendorPolicyAction -// ================================================================== - [Description ( - " A class that provides a general extension mechanism for " - "representing PolicyActions that have not been modeled " - "with specific properties. Instead, the two properties " - "ActionData and ActionEncoding are used to define the " - "content and format of the Action, as explained below.\n\n" - " " - "As its name suggests, VendorPolicyAction is intended for " - "vendor-specific extensions to the Policy Core Information " - "Model. Standardized extensions are not expected to use " - "this class.") ] -class CIM_VendorPolicyAction : CIM_PolicyAction -{ - [Octetstring, Description ( - "This property provides a general extension mechanism for " - "representing PolicyActions that have not been " - "modeled with specific properties. The format of the " - "octet strings in the array is left unspecified in " - "this definition. It is determined by the OID value " - "stored in the property ActionEncoding. Since " - "ActionEncoding is single-valued, all the values of " - "ActionData share the same format and semantics."), - ModelCorrespondence { - "CIM_VendorPolicyAction.ActionEncoding"} - ] - string ActionData []; - [Description ( - "An OID encoded as a string, identifying the format " - "and semantics for this instance's ActionData property."), - ModelCorrespondence { - "CIM_VendorPolicyAction.ActionData"} - ] - string ActionEncoding; -}; -// ================================================================== -// === Association classes === -// ================================================================== - -// ================================================================== -// PolicyComponent -// ================================================================== - [Association, Abstract, Aggregation, Description ( - "CIM_PolicyComponent is a generic association used to " - "establish 'part of' relationships between the subclasses of " - "CIM_Policy. For example, the PolicyConditionInPolicyRule " - "association defines that PolicyConditions are part of a " - "PolicyRule.") - ] -class CIM_PolicyComponent -{ - [Aggregate, Key, Description ( - "The parent Policy in the association.") - ] - CIM_Policy REF GroupComponent; - [Key, Description ( - "The child/part Policy in the association.") - ] - CIM_Policy REF PartComponent; -}; - -// ================================================================== -// PolicyInSystem -// ================================================================== - [Association, Abstract, Description ( - " CIM_PolicyInSystem is a generic association used to " - "establish dependency relationships between Policies and the " - "Systems that host them. These Systems may be ComputerSystems" - " where Policies are 'running' or they may be Policy" - "Repositories where Policies are stored. This relationship " - "is similar to the concept of CIM_Services being dependent " - "on CIM_Systems as defined by the HostedService " - "association. \n" - " Cardinality is Max(1) for the Antecedent/System " - "reference since Policies can only be hosted in at most one " - "System context. Some subclasses of the association will " - "further refine this definition to make the Policies Weak " - "to Systems. Other subclasses of PolicyInSystem will " - "define an optional hosting relationship. Examples of each " - "of these are the PolicyRuleInSystem and PolicyConditionIn" - "PolicyRepository associations, respectively.") - ] -class CIM_PolicyInSystem : CIM_Dependency -{ - [Override ("Antecedent"), Max (1), Description ( - "The hosting System.") - ] - CIM_System REF Antecedent; - [Override ("Dependent"), Description ( - "The hosted Policy.") - ] - CIM_Policy REF Dependent; -}; - -// ================================================================== -// PolicySetInSystem -// ================================================================== - [Association, Abstract, Description ( - "PolicySetInSystem is an abstract association class that " - "represents a relationship between a System and a PolicySet used " - "in the administrative scope of that system (e.g., AdminDomain, " - "ComputerSystem). The Priority property is used to assign a " - "relative priority to a PolicySet within the administrative " - "scope in contexts where it is not a component of another " - "PolicySet.") - ] -class CIM_PolicySetInSystem : CIM_PolicyInSystem -{ - [Override ("Antecedent"), Min (1), Max(1), Description ( - "The System in whose scope a PolicySet is defined.") - ] - CIM_System REF Antecedent; - [Override ("Dependent"), Description ( - "A PolicySet named within the scope of a System.") - ] - CIM_PolicySet REF Dependent; - [Description ( - "The Priority property is used to specify the relative " - "priority of the referenced PolicySet when there are more " - "than one PolicySet instances applied to a managed resource " - "that are not PolicySetComponents and, therefore, have no " - "other relative priority defined. The priority is a " - "non-negative integer; a larger value indicates a higher " - "priority.")] - uint16 Priority; -}; - -// ================================================================== -// PolicyGroupInSystem -// ================================================================== - [Association, Description ( - "An association that links a PolicyGroup to the System " - "in whose scope the Group is defined.") - ] -class CIM_PolicyGroupInSystem : CIM_PolicySetInSystem -{ - [Override ("Antecedent"), Min(1), Max(1), Description ( - "The System in whose scope a PolicyGroup is defined.") - ] - CIM_System REF Antecedent; - [Override ("Dependent"), Weak, Description ( - "A PolicyGroup named within the scope of a System.") - ] - CIM_PolicyGroup REF Dependent; -}; - -// ================================================================== -// PolicyRuleInSystem -// ================================================================== - [Association, Description ( - "An association that links a PolicyRule to the System " - "in whose scope the Rule is defined.") - ] -class CIM_PolicyRuleInSystem : CIM_PolicySetInSystem -{ - [Override ("Antecedent"), Min(1), Max(1), Description ( - "The System in whose scope a PolicyRule is defined.") - ] - CIM_System REF Antecedent; - [Override ("Dependent"), Weak, Description ( - "A PolicyRule named within the scope of a System.") - ] - CIM_PolicyRule REF Dependent; -}; - -// ================================================================== -// PolicySetComponent -// ================================================================== - [Association, Aggregation, Description ( - "PolicySetComponent is a concrete aggregation class that " - "collects instances of PolicySet subclasses (PolicyGroups and " - "PolicyRules) into coherent sets of policies that have the same " - "decision strategy and are prioritized within the set.") - ] -class CIM_PolicySetComponent : CIM_PolicyComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "A PolicySet that aggregates other PolicySet instances.") - ] - CIM_PolicySet REF GroupComponent; - [Override ("PartComponent"), Description ( - "A PolicySet aggregated into a PolicySet.") - ] - CIM_PolicySet REF PartComponent; - [Description ( - "A non-negative integer for prioritizing this PolicySet" - "component relative to components of the same PolicySet. A " - "larger value indicates a higher priority.") - ] - uint16 Priority; - -}; - -// ================================================================== -// PolicyGroupInPolicyGroup *** deprecated -// ================================================================== - [Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"}, - Description ( - "PolicySetComponent provides a more general mechanism for " - "aggregating both PolicyGroups and PolicyRules and doing so with " - "the priority value applying only to the aggregated set rather " - "than policy wide.\n" - "\n" - "A relationship that aggregates one or more lower-level " - "PolicyGroups into a higher-level Group. A Policy" - "Group may aggregate PolicyRules and/or other Policy" - "Groups.") - ] -class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "A PolicyGroup that aggregates other Groups.") - ] - CIM_PolicyGroup REF GroupComponent; - [Override ("PartComponent"), Description ( - "A PolicyGroup aggregated by another Group.") - ] - CIM_PolicyGroup REF PartComponent; -}; - -// ================================================================== -// PolicyRuleInPolicyGroup *** deprecated -// ================================================================== - [Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"}, - Description ( - "PolicySetComponent provides a more general mechanism for " - "aggregating both PolicyGroups and PolicyRules and doing so with " - "the priority value applying only to the aggregated set rather " - "than policy wide.\n" - "\n" - "A relationship that aggregates one or more PolicyRules " - "into a PolicyGroup. A PolicyGroup may aggregate " - "PolicyRules and/or other PolicyGroups.") - ] -class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "A PolicyGroup that aggregates one or more PolicyRules.") - ] - CIM_PolicyGroup REF GroupComponent; - [Override ("PartComponent"), Description ( - "A PolicyRule aggregated by a PolicyGroup.") - ] - CIM_PolicyRule REF PartComponent; - -}; - -// ================================================================== -// PolicyConditionInPolicyRule -// ================================================================== - [Association, Aggregation, Description ( - " A PolicyRule aggregates zero or more instances of the " - "PolicyCondition class, via the PolicyConditionInPolicyRule " - "association. A Rule that aggregates zero Conditions is not " - "valid -- it may, however, be in the process of being entered " - "into a PolicyRepository or being defined for a System. Note " - "that a PolicyRule should have no effect until it is -valid.\n\n" - " " - "The Conditions aggregated by a PolicyRule are grouped into " - "two levels of lists: either an ORed set of ANDed sets of " - "conditions (DNF, the default) or an ANDed set of ORed sets " - "of conditions (CNF). Individual PolicyConditions in these " - "lists may be negated. The property ConditionListType " - "specifies which of these two grouping schemes applies to a " - "particular PolicyRule.\n\n" - " " - "In either case, PolicyConditions are used to determine " - "whether to perform the PolicyActions associated with the " - "PolicyRule.\n\n" - " " - "One or more PolicyTimePeriodConditions may be among the " - "conditions associated with a PolicyRule via the Policy" - "ConditionInPolicyRule association. In this case, the time " - "periods are simply additional Conditions to be evaluated " - "along with any others that are specified for the Rule. ") - ] -class CIM_PolicyConditionInPolicyRule : CIM_PolicyComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "This property represents the PolicyRule that " - "contains one or more PolicyConditions.") - ] - CIM_PolicyRule REF GroupComponent; - [Override ("PartComponent"), Description ( - "This property holds the name of a PolicyCondition " - "contained by one or more PolicyRules.") - ] - CIM_PolicyCondition REF PartComponent; - [Description ( - "Unsigned integer indicating the group to which the " - "PolicyCondition identified by the ContainedCondition " - "property belongs. This integer segments the Conditions " - "into the ANDed sets (when the ConditionListType is " - "\"DNF\") or similarly the ORed sets (when the Condition" - "ListType is \"CNF\") that are then evaluated.") - ] - uint16 GroupNumber; - [Description ( - "Indication of whether the Condition identified by " - "the ContainedCondition property is negated. TRUE " - "indicates that the PolicyCondition IS negated, FALSE " - "indicates that it IS NOT negated.") - ] - boolean ConditionNegated; -}; - -// ================================================================== -// PolicyRuleValidityPeriod -// ================================================================== - [Association, Aggregation, Description ( - "The PolicyRuleValidityPeriod aggregation represents " - "scheduled activation and deactivation of a PolicyRule. " - "If a PolicyRule is associated with multiple policy time " - "periods via this association, then the Rule is active if " - "at least one of the time periods indicates that it is " - "active. (In other words, the PolicyTimePeriodConditions " - "are ORed to determine whether the Rule is active.) A Time" - "Period may be aggregated by multiple PolicyRules. A Rule " - "that does not point to a PolicyTimePeriodCondition via this " - "association is, from the point of view of scheduling, " - "always active. It may, however, be inactive for other " - "reasons. For example, the Rule's Enabled property may " - "be set to \"disabled\" (value=2).") - ] -class CIM_PolicyRuleValidityPeriod : CIM_PolicyComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "This property contains the name of a PolicyRule that " - "contains one or more PolicyTimePeriodConditions.") - ] - CIM_PolicyRule REF GroupComponent; - [Override ("PartComponent"), Description ( - "This property contains the name of a " - "PolicyTimePeriodCondition defining the valid time periods " - "for one or more PolicyRules.") - ] - CIM_PolicyTimePeriodCondition REF PartComponent; -}; - -// ================================================================== -// PolicyActionStructure -// ================================================================== - - [Association, Aggregation, Abstract, Description ( - "PolicyActions may be aggregated into rules and into " - "compound actions. PolicyActionStructure is the abstract " - "aggregation class for the structuring of policy actions.") - ] - -class CIM_PolicyActionStructure : CIM_PolicyComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "PolicyAction instances may be aggregated into either " - "PolicyRule instances or CompoundPolicyAction instances.")] - CIM_Policy REF GroupComponent; - [Override ("PartComponent"), Description ( - "A PolicyAction aggregated by a PolicyRule or " - "CompoundPolicyAction.")] - CIM_PolicyAction REF PartComponent; - [Description ( - "ActionOrder is an unsigned integer 'n' that indicates the " - "relative position of a PolicyAction in the sequence of" - "actions associated with a PolicyRule or " - "CompoundPolicyAction. When 'n' is a positive integer, it " - "indicates a place in the sequence of actions to be " - "performed, with smaller integers indicating earlier " - "positions in the sequence. The special value '0' indicates " - "'don't care'. If two or more PolicyActions have the same " - "non-zero sequence number, they may be performed in any " - "order, but they must all be performed at the appropriate " - "place in the overall action sequence.\n" - "\n" - "A series of examples will make ordering of PolicyActions " - "clearer: \n" - " o If all actions have the same sequence number,\n" - " regardless of whether it is '0' or non-zero, any\n" - " order is acceptable.\n" - " o The values: \n" - " 1:ACTION A \n" - " 2:ACTION B \n" - " 1:ACTION C \n" - " 3:ACTION D \n" - " indicate two acceptable orders: A,C,B,D or C,A,B,D,\n" - " since A and C can be performed in either order, but\n" - " only at the '1' position. \n" - " o The values: \n" - " 0:ACTION A \n" - " 2:ACTION B \n" - " 3:ACTION C \n" - " 3:ACTION D \n" - " require that B,C, and D occur either as B,C,D or as\n" - " B,D,C. Action A may appear at any point relative to\n" - " B, C, and D. Thus the complete set of acceptable\n" - " orders is: A,B,C,D; B,A,C,D; B,C,A,D; B,C,D,A; \n" - " A,B,D,C; B,A,D,C; B,D,A,C; B,D,C,A. \n" - "\n" - "Note that the non-zero sequence numbers need not start with " - "'1', and they need not be consecutive. All that matters is " - "their relative magnitude.")] - uint16 ActionOrder; -}; - -// ================================================================== -// PolicyActionInPolicyRule -// ================================================================== - [Association, Aggregation, Description ( - " A PolicyRule aggregates zero or more instances of the " - "PolicyAction class, via the PolicyActionInPolicyRule " - "association. A Rule that aggregates zero Actions is not " - "valid--it may, however, be in the process of being entered " - "into a PolicyRepository or being defined for a System. " - "Alternately, the actions of the policy may be explicit in " - "the definition of the PolicyRule. Note that a PolicyRule " - "should have no effect until it is valid.\n\n" - " " - "The Actions associated with a PolicyRule may be given a " - "required order, a recommended order, or no order at all. " - "For Actions represented as separate objects, the " - "PolicyActionInPolicyRule aggregation can be used to express " - "an order." - "\n\n" - "This aggregation does not indicate whether a specified " - "action order is required, recommended, or of no " - "significance; the property SequencedActions in the " - "aggregating instance of PolicyRule provides this " - "indication.")] -class CIM_PolicyActionInPolicyRule : CIM_PolicyActionStructure -{ - [Override ("GroupComponent"), Aggregate, Description ( - "This property represents the PolicyRule that " - "contains one or more PolicyActions.") - ] - CIM_PolicyRule REF GroupComponent; - [Override ("PartComponent"), Description ( - "This property holds the name of a PolicyAction " - "contained by one or more PolicyRules.") - ] - CIM_PolicyAction REF PartComponent; -}; - -// ================================================================== -// PolicyActionInPolicyAction -// ================================================================== - [Association, Aggregation, Description ( - "PolicyActionInPolicyAction is used to represent the " - "compounding of policy actions into a higher-level policy " - "action.")] -class CIM_PolicyActionInPolicyAction : CIM_PolicyActionStructure -{ - [Override ("GroupComponent"), Aggregate, Description ( - "This property represents the CompoundPolicyAction that " - "contains one or more PolicyActions.") - ] - CIM_CompoundPolicyAction REF GroupComponent; - [Override ("PartComponent"), Description ( - "This property holds the name of a PolicyAction " - "contained by one or more CompoundPolicyActions.") - ] - CIM_PolicyAction REF PartComponent; -}; - -// ================================================================== -// PolicyContainerInPolicyContainer -// ================================================================== - [Association, Aggregation, Description ( - "A relationship that aggregates one or more lower-level " - "ReusablePolicyContainer instances into a higher-level " - "ReusablePolicyContainer.") - ] -class CIM_PolicyContainerInPolicyContainer: CIM_SystemComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "A ReusablePolicyContainer that aggregates other " - "ReusablePolicyContainers.") - ] - CIM_ReusablePolicyContainer REF GroupComponent; - [Override ("PartComponent"), Description ( - "A ReusablePolicyContainer aggregated by another " - "ReusablePolicyContainer.") - ] - CIM_ReusablePolicyContainer REF PartComponent; -}; - -// ================================================================== -// PolicyRepositoryInPolicyRepository *** deprecated -// ================================================================== - [Association, Aggregation, - DEPRECATED {"CIM_PolicyContainerInPolicyContainer"}, - Description ( - "The term 'PolicyRepository' has been confusing to both " - "developers and users of the model. The replacement class " - "name describes model element properly and is less likely " - "to be confused with a data repository. ContainedDomain is a " - "general purpose mechanism for expressing domain hierarchy." - "\n\n" - "A relationship that aggregates one or more lower-level " - "PolicyRepositories into a higher-level Repository.") - ] -class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent -{ - [Override ("GroupComponent"), Aggregate, Description ( - "A PolicyRepository that aggregates other Repositories.") - ] - CIM_PolicyRepository REF GroupComponent; - [Override ("PartComponent"), Description ( - "A PolicyRepository aggregated by another Repository.") - ] - CIM_PolicyRepository REF PartComponent; -}; - -// ================================================================== -// ReusablePolicy -// ================================================================== - [Association, Description ( - "The ReusablePolicy association provides for the reuse of any " - "subclass of Policy in a ReusablePolicyContainer.") - ] -class CIM_ReusablePolicy : CIM_PolicyInSystem -{ - [Override ("Antecedent"), Max(1), Description ( - "This property identifies a ReusablePolicyContainer that " - "provides the administrative scope for the reuse of the " - "referenced policy element.") - ] - CIM_ReusablePolicyContainer REF Antecedent; - [Override ("Dependent"), Description ( - "A reusable policy element.") - ] - CIM_Policy REF Dependent; -}; - -// ================================================================== -// PolicyConditionInPolicyRepository *** deprecated -// ================================================================== - [Association, DEPRECATED {"CIM_ReusablePolicy"}, - Description ( - "The ReusablePolicy association is a more general relationship " - "that incorporates both Conditions and Actions as well as any " - "other policy subclass.\n" - "\n" - "A class representing the hosting of reusable " - "PolicyConditions by a PolicyRepository. A reusable Policy" - "Condition is always related to a single PolicyRepository, " - "via this association.\n\n" - " " - "Note, that an instance of PolicyCondition can be either " - "reusable or rule-specific. When the Condition is rule-" - "specific, it shall not be related to any " - "PolicyRepository via the PolicyConditionInPolicyRepository " - "association.") - ] -class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem -{ - [Override ("Antecedent"), Max(1), Description ( - "This property identifies a PolicyRepository " - "hosting one or more PolicyConditions. A reusable " - "PolicyCondition is always related to exactly one " - "PolicyRepository via the PolicyConditionInPolicyRepository " - "association. The [0..1] cardinality for this property " - "covers the two types of PolicyConditions: 0 for a " - "rule-specific PolicyCondition, 1 for a reusable one.") - ] - CIM_PolicyRepository REF Antecedent; - [Override ("Dependent"), Description ( - "This property holds the name of a PolicyCondition" - "hosted in the PolicyRepository. ") - ] - CIM_PolicyCondition REF Dependent; -}; - -// ================================================================== -// PolicyActionInPolicyRepository *** deprecated -// ================================================================== - [Association, DEPRECATED {"CIM_ReusablePolicy"}, - Description ( - "The ReusablePolicy association is a more general relationship " - "that incorporates both Conditions and Actions as well as any " - "other policy subclass.\n" - "\n" - "A class representing the hosting of reusable " - "PolicyActions by a PolicyRepository. A reusable Policy" - "Action is always related to a single PolicyRepository, " - "via this association.\n\n" - " " - "Note, that an instance of PolicyAction can be either " - "reusable or rule-specific. When the Action is rule-" - "specific, it shall not be related to any " - "PolicyRepository via the PolicyActionInPolicyRepository " - "association.") - ] -class CIM_PolicyActionInPolicyRepository : CIM_PolicyInSystem -{ - [Override ("Antecedent"), Max(1), Description ( - "This property represents a PolicyRepository " - "hosting one or more PolicyActions. A reusable " - "PolicyAction is always related to exactly one " - "PolicyRepository via the PolicyActionInPolicyRepository " - "association. The [0..1] cardinality for this property " - "covers the two types of PolicyActions: 0 for a - "rule-specific PolicyAction, 1 for a reusable one.") - ] - CIM_PolicyRepository REF Antecedent; - [Override ("Dependent"), Description ( - "This property holds the name of a PolicyAction" - "hosted in the PolicyRepository. ") - ] - CIM_PolicyAction REF Dependent; -};