Specifications

HP OpenVMS Version 8.4 for Integrity and Alpha servers SPD 82.35.19
Every security-relevant system object is labeled with the UIC of its
owner along with a simple protection mask. The owner UIC consists of
two fields: the user field and a group field. System objects also have
a protection mask that allows read, write, execute, and delete access
to the object’s owner, group, privileged system users, and to all other
users. The system manager can protect system objects with access
control lists (ACLs) that allow access to be granted or denied to a
list of individual users, groups, or identifiers. ACLs can also be used
to audit access attempts to critical system objects.
OpenVMS applies full protection to the following system
objects:
- Common event flag clusters
- Devices
- Files
- Group global sections
- Logical name tables
- Batch/print queues
- Resource domains
- Security classes
- System global sections
- ODS-2 volumes
- ODS-5 volumes
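The owner UIC, protection mask and ACL checks described above can be modelled as follows; this is an added Python example, not OpenVMS code and not part of the original document. It assumes that the first ACL entry naming an identifier the accessor holds decides, that an ACL denial leaves only the system and owner mask fields able to grant access, and that system-user status is supplied as a flag (`is_system`); privilege overrides are ignored, and the identifier names are hypothetical.

```python
# Simplified model of UIC, protection-mask and ACL checks; not OpenVMS source.
import re

CATEGORIES = {"S": "system", "O": "owner", "G": "group", "W": "world"}

def parse_uic(text):
    """Parse '[group,member]' (octal fields) into a (group, member) tuple."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", text.strip())
    if not m:
        raise ValueError(f"bad UIC: {text!r}")
    return int(m.group(1), 8), int(m.group(2), 8)

def parse_mask(text):
    """Parse 'S:RWED,O:RWED,G:RE,W' into {category: set of access letters}."""
    mask = {name: set() for name in CATEGORIES.values()}
    for field in text.upper().split(","):
        cat, _, rights = field.strip().partition(":")
        if cat not in CATEGORIES or not set(rights) <= set("RWED"):
            raise ValueError(f"bad protection field: {field!r}")
        mask[CATEGORIES[cat]] = set(rights)
    return mask

def check_access(want, accessor, held_ids, owner, mask, acl=(), is_system=False):
    """Return (granted, reason). `acl` is a list of (identifier, rights) entries."""
    cats = {"world"}
    if accessor[0] == owner[0]:
        cats.add("group")
    if accessor == owner:
        cats.add("owner")
    if is_system:  # assumption: the caller decides who is a system user
        cats.add("system")
    # Assumed rule: the first entry naming an identifier the accessor holds decides.
    for ident, rights in acl:
        if ident in held_ids:
            if want in rights:
                return True, f"ACL entry for {ident}"
            # Denied by the ACL: only the system and owner fields may still grant.
            cats &= {"system", "owner"}
            break
    for cat in ("system", "owner", "group", "world"):
        if cat in cats and want in mask[cat]:
            return True, f"{cat} field of protection mask"
    return False, "no ACL entry or mask field grants access"

if __name__ == "__main__":
    # Constructed sample: owner [200,5], ACL with hypothetical identifiers.
    mask = parse_mask("S:RWED,O:RWED,G:RE,W")
    acl = [("PAYROLL", {"R", "W"}), ("CONTRACTOR", set())]
    print(check_access("R", parse_uic("[200,6]"), {"CONTRACTOR"}, parse_uic("[200,5]"), mask, acl))
```

In the constructed sample, the accessor shares the owner's group and the mask would allow group read, but the empty-rights entry for `CONTRACTOR` matches first and the request is refused.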
OpenVMS provides optional security solutions to protect
your information and communications:
- OpenVMS includes encryption for data confidentiality that ships as
  part of the operating system, thereby removing the requirement to
  license and install Encrypt separately. The ENCRYPT and DECRYPT
  commands, now part of OpenVMS, support AES file encryption with 128,
  192, or 256 bit keys. AES encryption is also supported by
  BACKUP/ENCRYPT, allowing for the creation of encrypted tapes and
  save-sets. The built-in encryption functionality is
  backward-compatible with file and backup tapes created by the former
  layered product Encryption for OpenVMS. This layered product featured
  56-bit Data Encryption Standard (DES), which continues to function
  today, allowing for the decryption of archived DES encrypted data.
  The AES encryption functionality supports Electronic Code Book (ECB)
  and Cipher Block Chaining (CBC) block modes of encryption. The Cipher
  Feedback (CFB) and Output Feedback (OFB) 8-bit character stream modes
  are also supported from the command line as well as by the
  programmatic APIs.
- Secure Sockets Layer (SSL) for OpenVMS Alpha and Integrity server
  systems provides secure transfer of sensitive information over the
  Internet.
- Common Data Security Architecture (CDSA) is configured and
  initialized automatically during installation and upgrades and is
  required for Secure Delivery purposes and other security features.
  If you install a newer version of CDSA without upgrading the base
  operating system, you must initialize the CDSA software using the
  following command. Enter the command from an account that has both
  SYSPRV and CMKRNL privileges (for example, the SYSTEM account).
    $ @SYS$STARTUP:CDSA$UPGRADE
- Kerberos for OpenVMS
- Per-Thread Security Profiles
- External Authentication
- Global and Local Mapping of LDAP users
- HP Code Signing for OpenVMS: OpenVMS kits will be signed using HP
  Code Signing Service (HPCSS)
Note: Users who are externally authenticated by their LAN Manager need
only remember a single user name/password combination to gain access to
their OpenVMS and LAN Manager accounts.
Note: Because no system can provide complete security, HP cannot
guarantee complete system security. However, HP continues to enhance
the security capabilities of its products. Customers are strongly
advised to follow all industry-recognized security practices. OpenVMS
recommended procedures are included in the HP OpenVMS Guide to System
Security.
HP UTILITY PRICING ON OpenVMS FOR INTEGRITY SERVERS
HP Utility Pricing on OpenVMS for Integrity servers enables customers
to pay for CPU resources when they need them, thereby allowing them to
respond to planned or unplanned permanent load increases and temporary
spikes.
Instant Capacity or iCAP is relevant for systems that
are purchased through capital expenditure.
Instant Capacity
Instant Capacity (iCAP) provides reserve capacity that the customer can
put into production quickly without disrupting operations.
Benefits:
- Provides a highly available preconfigured "ready-to-run" solution.
- Allows activation of reserve capacity when needed.
- Encompasses cell boards and individual cores.
- Allows you to defer or avoid purchase of capacity until used.