
Create a Digest User

The general flow for creating a user is described in the DASH Simple Identity Management profile DSP1034, chapter 9.5. The following steps show how to do this specifically for Intel AMT Digest users.

1.  Verify that Create (value 2) is supported in the system, and if so find the CIM_AccountManagementService instance, and the relevant CIM_ComputerSystem instance (see DASH SIM profile DSP1034 chapter 9.5 and also the Discovery flow).

2.  Two parameters are required to create a Digest user: an EPR for the relevant CIM_ComputerSystem and an AccountTemplate.

a.   Extract an EPR from the relevant CIM_ComputerSystem instance.

b.   Create an AccountTemplate in the following format:

<tns:AccountTemplate xmlns:d="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_Account">
  <d:CreationClassName>CIM_Account</d:CreationClassName>
  <d:ElementName>Intel(r) AMT digest account</d:ElementName>
  <d:EnabledState>2</d:EnabledState>
  <d:Name>UserName</d:Name>
  <d:OrganizationName>None</d:OrganizationName>
  <d:RequestedState>2</d:RequestedState>
  <d:SystemCreationClassName>CIM_ComputerSystem</d:SystemCreationClassName>
  <d:SystemName>ManagedSystem</d:SystemName>
  <d:UserID>UserName</d:UserID>
  <d:UserPassword>C1D3BC40894D439D5F563BAEE79A2136</d:UserPassword>
  <d:UserPasswordEncryptionAlgorithm>2</d:UserPasswordEncryptionAlgorithm>
</tns:AccountTemplate>

The UserID will be the name of the digest user.

The UserPassword field is the HTTP Digest MD5 A1 hash of the user name, the digest realm and the password, represented in hexadecimal format. RFC 2617 defines A1 as the concatenation username-value ":" realm-value ":" passwd, where username-value is the value the client supplies in the UserID property, realm-value is the HTTP digest realm retrieved in the Get Digest Realm use case, and passwd is the underlying user password. UserPassword is the MD5 of this string.

 Note:

The following fields can be omitted: ElementName, OrganizationName, EnabledState, RequestedState.

Intel AMT uses the UserID, UserPassword and OrganizationName fields to define user-name, password and organization-name for an account.

Although the Name field should be the actual user name, Intel AMT ignores this value and uses the UserID value instead. Therefore, when computing the UserPassword digest, base it on the same value as the UserID field.

The XML namespace prefixes in the example may differ depending on the implementation of the WS-Management client.

3.  Invoke CIM_AccountManagementService.CreateAccount, supplying the CIM_ComputerSystem EPR and the filled-in AccountTemplate.

Additional Information

The following example shows all of the relevant steps.

Assume the following parameters:

   User-Name = “SimpleUser!”

   Password = “Admin!09”

   Organization-Name = <empty>

1.  Get the EPR for the ManagedSystem instance of CIM_ComputerSystem.

<wsa:Address>default</wsa:Address>
<wsa:ReferenceParameters>
  <wsman:ResourceURI>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ComputerSystem</wsman:ResourceURI>
  <wsman:SelectorSet>
    <wsman:Selector Name="Name">ManagedSystem</wsman:Selector>
    <wsman:Selector Name="CreationClassName">CIM_ComputerSystem</wsman:Selector>
  </wsman:SelectorSet>
</wsa:ReferenceParameters>

2.  Get the digest realm string from the platform's CIM_AccountManagementCapabilities.UserPasswordEncryptionSalt property (as defined in the Get Digest Realm flow).
For example: “Digest:BE492E942F6260A739E2E5298A96B85E”.

3.  Create the UserPassword in digest hexadecimal format, i.e. the MD5 of “SimpleUser!:Digest:BE492E942F6260A739E2E5298A96B85E:Admin!09”.
The result for the above values is: “BF39B9CB3AA12094410D7E7CD8629728”.

4.  Create the AccountTemplate.

<tns:AccountTemplate xmlns:d="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_Account">
  <d:CreationClassName>CIM_Account</d:CreationClassName>
  <d:ElementName>Intel(r) AMT digest account</d:ElementName>
  <d:EnabledState>2</d:EnabledState>
  <d:Name>SimpleUser!</d:Name>
  <d:OrganizationName></d:OrganizationName>
  <d:RequestedState>2</d:RequestedState>
  <d:SystemCreationClassName>CIM_ComputerSystem</d:SystemCreationClassName>
  <d:SystemName>ManagedSystem</d:SystemName>
  <d:UserID>SimpleUser!</d:UserID>
  <d:UserPassword>BF39B9CB3AA12094410D7E7CD8629728</d:UserPassword>
  <d:UserPasswordEncryptionAlgorithm>2</d:UserPasswordEncryptionAlgorithm>
</tns:AccountTemplate>

5.  Invoke CIM_AccountManagementService.CreateAccount() with the two parameters defined above (the EPR and the AccountTemplate).

 Note:

   In Release 3.2 you cannot create a user with user-name: “Administrator”.

   In 4.0 and later releases you cannot create a user with user-name: “Admin”.

   You cannot create a user with a user-name that has the prefix: “$$...”.

   Notice the length limitation in the "Detailed Description" section.

   See also the “Detailed Description” for other limitations on the user-name format, the maximum number of Digest users, and other limitations.

   This method creates five objects and all the relevant associations, as shown in the Digest diagram: CIM_Account, CIM_EnabledLogicalElementCapabilities, CIM_Identity, CIM_Role and CIM_Privilege.

   These objects exist for each user – there are no many-to-one relationships, although the DASH profiles support such an implementation.

   A user at this point has access to all of the realms listed as defaults in the table Realm Names and Realm Shortcuts. To change the privileges of a selected user, change the permitted realms by using the CIM_Privilege Get and Put methods (described in Get User (Digest/Kerberos) Privileges and Update User (Digest/Kerberos) Privileges).
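The following is an added example, not Intel SDK code: it computes the UserPassword value as the RFC 2617 A1 hash from the UserID, the digest realm and the clear-text password, builds the CIM_ComputerSystem EPR of step 1 and the AccountTemplate of step 2b, and rejects the user names the note above says cannot be created. The function names and the `amt_release` tuple are this example's own; the WS-Management CreateAccount invocation itself is left to whichever WS-Man client is in use.

```python
# Added example, not Intel SDK code: Digest UserPassword (RFC 2617 A1) plus the
# CIM_ComputerSystem EPR and CIM_Account AccountTemplate used by CreateAccount.
# Function names and the amt_release tuple are this example's own conventions.
import hashlib
from xml.sax.saxutils import escape

CIM_ACCOUNT_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_Account"
CIM_COMPUTER_SYSTEM_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ComputerSystem"


def md5_hex(text: str) -> str:
    """The H() function of RFC 2617: MD5 over the UTF-8 bytes, lower-case hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_a1(user_id: str, password: str, realm: str) -> str:
    """UserPassword value: MD5(username ":" realm ":" passwd), upper-case hex.

    user_id must be exactly the string placed in UserID: Intel AMT ignores the
    Name field and authenticates against UserID, so hashing any other spelling
    produces an account whose password never matches. realm is the value of
    CIM_AccountManagementCapabilities.UserPasswordEncryptionSalt.
    """
    return md5_hex(f"{user_id}:{realm}:{password}").upper()


def user_name_problems(user_id: str, amt_release: tuple = (4, 0)) -> list:
    """Return the reasons (empty list if none) a name is rejected per the note above.

    Only the restrictions stated on this page are encoded; the length and
    format limits live in the 'Detailed Description' and are not reproduced.
    """
    problems = []
    if not user_id:
        problems.append("user name is empty")
    if user_id.startswith("$$"):
        problems.append("prefix '$$' is reserved")
    if amt_release == (3, 2) and user_id == "Administrator":
        problems.append("'Administrator' cannot be created in Release 3.2")
    if amt_release >= (4, 0) and user_id == "Admin":
        problems.append("'Admin' cannot be created in 4.0 and later releases")
    return problems


def computer_system_epr(system_name: str = "ManagedSystem") -> str:
    """EPR of the CIM_ComputerSystem instance (step 1), as Address + ReferenceParameters."""
    return (
        "<wsa:Address>default</wsa:Address>\n"
        "<wsa:ReferenceParameters>\n"
        f"  <wsman:ResourceURI>{CIM_COMPUTER_SYSTEM_NS}</wsman:ResourceURI>\n"
        "  <wsman:SelectorSet>\n"
        f'    <wsman:Selector Name="Name">{escape(system_name)}</wsman:Selector>\n'
        '    <wsman:Selector Name="CreationClassName">CIM_ComputerSystem</wsman:Selector>\n'
        "  </wsman:SelectorSet>\n"
        "</wsa:ReferenceParameters>"
    )


def account_template(user_id: str, password: str, realm: str, organization: str = "",
                     system_name: str = "ManagedSystem", amt_release: tuple = (4, 0)) -> str:
    """AccountTemplate (step 2b). Raises ValueError for names the page says are rejected."""
    problems = user_name_problems(user_id, amt_release)
    if problems:
        raise ValueError("; ".join(problems))
    fields = [
        ("CreationClassName", "CIM_Account"),
        ("ElementName", "Intel(r) AMT digest account"),   # may be omitted
        ("EnabledState", "2"),                             # may be omitted
        ("Name", user_id),                 # ignored by Intel AMT; kept equal to UserID
        ("OrganizationName", organization),                # may be omitted
        ("RequestedState", "2"),                           # may be omitted
        ("SystemCreationClassName", "CIM_ComputerSystem"),
        ("SystemName", system_name),
        ("UserID", user_id),
        ("UserPassword", digest_a1(user_id, password, realm)),
        ("UserPasswordEncryptionAlgorithm", "2"),          # 2 = HTTP Digest MD5(A1)
    ]
    body = "\n".join(f"  <d:{name}>{escape(value)}</d:{name}>" for name, value in fields)
    # The tns: prefix is bound by the enclosing CreateAccount_INPUT element that the
    # WS-Man client emits; prefixes may differ between client implementations.
    return f'<tns:AccountTemplate xmlns:d="{CIM_ACCOUNT_NS}">\n{body}\n</tns:AccountTemplate>'


if __name__ == "__main__":
    # Values from the worked example above; the page states that the resulting
    # UserPassword for these inputs is BF39B9CB3AA12094410D7E7CD8629728.
    realm = "Digest:BE492E942F6260A739E2E5298A96B85E"
    print(computer_system_epr())
    print(account_template("SimpleUser!", "Admin!09", realm))
```

Because the hash is computed client-side, the clear-text password never leaves the management console; only the A1 value is placed in the template, and it is bound to the realm string of this particular platform, so the same password yields a different UserPassword on every Intel AMT system.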


Instance Diagram

Classes Used in This Flow

SDK Sample

Not applicable


See Also:

   Creating a Digest User

Copyright © 2006-2022, Intel Corporation. All rights reserved.