Safeguard Reference Manual (G06.24+, H06.03+)

Event-Exit-Process Commands
Safeguard Reference Manual 520618-013, page 15-29

Processing of Authentication Requests
authentication request to the event-exit process. $CMON has the option of denying the
logon attempt prior to authentication by the event-exit process. Similarly, if Safeguard
is configured to do so, it sends a logon message to $CMON after authentication
occurs. $CMON again has the option of denying the logon attempt even after the user
has been authenticated.

Processing of Interactive Authentication
For interactive logon attempts, a process such as TACL provides the logon input and
authentication request in a call to USER_AUTHENTICATE_. This input is forwarded by
USER_AUTHENTICATE_ to the Safeguard $ZSMP process, which in turn routes it to
the event-exit process for evaluation. If the interactive logon attempt occurs at a
Safeguard terminal, the Safeguard software captures the input directly, and $ZSMP
routes it to the event-exit process. USER_AUTHENTICATE_ is not involved when the
logon attempt occurs at a Safeguard terminal.

The event-exit process can approve or deny the logon request, or it can engage in a
challenge/response dialog before approving or denying the request. Additionally, the
event-exit process can return a generated password as part of a password change
dialog. The Safeguard software does not check passwords or otherwise participate in
the authentication. It only routes messages between the event-exit process and
USER_AUTHENTICATE_. When the authentication is complete, the Safeguard
software updates the last logon time and logon failure count in the user's record in the
Safeguard database. It also files the new password if a password change occurred and
the event-exit process requested filing of the password.

The password-quality exit is separate from the authentication exit, and it is not invoked
by the Safeguard software during an authentication event. For more information, see
Processing of Password-Quality Requests on page 15-30.

The event-exit process is responsible for prompting the user for verification of a new
password and for storing passwords in its own database. If a new password is
collected by the event-exit process, it can inform the Safeguard subsystem of this
change after authentication is complete. For more information, see User Database
Synchronization on page 15-31.

Processing of Programmatic Authentication
In programmatic logon attempts, a process provides the logon input and authentication
request in a call to VERIFYUSER or USER_AUTHENTICATE_. This input is forwarded
to the Safeguard $ZSMP process, which in turn routes it to the event-exit process for
evaluation.

Programmatic logon attempts handled by VERIFYUSER do not support an
authentication dialog or password generation. When the Safeguard software passes
this request to the event-exit process, it includes an indicator noting that this attempt is
incapable of engaging in a dialog. The event-exit process can only grant or deny the
authentication request.
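
The reply choices described in the two sections above, as an added example that is not code from this manual or from the Safeguard software: a C model of an event-exit decision routine that honors the dialog-incapable indicator. The struct layouts, all names, the sample users, and the policy of denying a VERIFYUSER request for a user who needs a challenge are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model only: not the Safeguard message layout. */
typedef enum { REPLY_GRANT, REPLY_DENY, REPLY_CHALLENGE } reply_t;
typedef struct {
    const char *user;
    const char *secret;    /* logon input routed by $ZSMP */
    const char *response;  /* answer to a prior challenge, NULL if none yet */
    bool dialog_capable;   /* false when the request came through VERIFYUSER */
} auth_request_t;
typedef struct {
    const char *user;
    const char *secret;    /* constructed; a real exit would compare salted hashes */
    const char *challenge_answer; /* NULL when no challenge is required */
} exit_user_t;

static const exit_user_t USERS[] = { /* constructed database owned by the exit */
    { "OPS.ALICE", "constructed-pw-1", NULL },
    { "OPS.BOB",   "constructed-pw-2", "constructed-otp" },
};

/* Compare without returning early on the first differing byte. */
static bool same(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

reply_t decide(const auth_request_t *req) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++) {
        const exit_user_t *u = &USERS[i];
        if (strcmp(u->user, req->user) != 0) continue;
        if (!same(u->secret, req->secret)) return REPLY_DENY;
        if (u->challenge_answer == NULL) return REPLY_GRANT;
        /* No dialog is possible (VERIFYUSER), so this policy fails closed. */
        if (!req->dialog_capable) return REPLY_DENY;
        if (req->response == NULL) return REPLY_CHALLENGE;
        return same(u->challenge_answer, req->response) ? REPLY_GRANT : REPLY_DENY;
    }
    return REPLY_DENY; /* unknown user */
}

int main(void) { /* VERIFYUSER-style request for a user who needs a challenge */
    auth_request_t r = { "OPS.BOB", "constructed-pw-2", NULL, false };
    return decide(&r) == REPLY_DENY ? 0 : 1; /* exit status 0: denied as expected */
}
```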