ASAP 3.0 Client Manual
HP NonStop ASAP Client Manual Page 39 of 161
TACL 3> SCF
1-> ASSUME PROCESS $TLSV
2-> ADD SERVICE ssgcom, PROGRAM $system.system.ssgcom, ACCESS ALL, SUBTYPE DYNAMIC, TYPE CONVERSATION, DISPLAY OFF, DEFAULT ON
There is no requirement that the service name be “SSGCOM”; you can call the
service whatever you like. Also, as mentioned above, by specifying “DEFAULT ON”,
any user who connects to the port will be presented with an SSGCOM prompt. Since
SSGCOM will be configured to allow access only to ASAP data, this configuration does
not pose any security issues. However, if you would prefer to force the user to “guess”
the correct service name, you can set DEFAULT to OFF. In this case, a user
connecting interactively from a Telnet client will be presented with the standard
TelServ “Enter Choice>” prompt and nothing more. At that point they would have to enter
“SSGCOM” to even get the SSGCOM prompt, and even then there is nothing they can
do in terms of compromising system security.
3. Set SSG Security Parameters
The last step on the NonStop system is to define SSG security settings. This is done
by editing the $SYSTEM.SYSTEM.SSGCONF file and adding the following lines:
SET SECURE DEFAULT USER
SET SECURE TACL NONE
SET SECURE ASAP ANY
SET SECURE MEASCOM ANY
SET VERIFYUSER OFF
The various “SET SECURE” statements limit which server resources SSGCOM can
access. Specifically, only access to ASAP and MEASCOM is permitted (the latter is
used by the ASAP Client’s “Show Related Measurement” capability), so the SSG
subsystem itself can supply ASAP data and nothing else.
The “SET VERIFYUSER OFF” statement configures SSGCOM to bypass its internal
user ID/password verification step, which means that anyone can use SSG services,
as no user ID and password are required or transmitted. But since the other
security settings have limited the SSG to supplying only ASAP data, this access does
not pose a threat. Furthermore, in many ways this type of configuration is actually
more secure than one requiring a logon, because users who need ASAP data do not
all have to be given a valid logon on the NonStop server. They only need network
access to the SSGCOM service in order to obtain ASAP data; they do not need any
logon information for the NonStop itself.
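A small audit script for the SSGCONF settings just described, added here as an example and not part of the manual or the product. It assumes the file consists of the SET SECURE / SET VERIFYUSER statement forms shown above, and it treats DEFAULT as the level applied to resources not listed explicitly (an assumption the manual does not state); the permissive second configuration is constructed for comparison.

```python
import re

# Statement forms shown on this page; the full SSGCONF grammar is assumed to be richer.
SET_SECURE = re.compile(r"^\s*SET\s+SECURE\s+(\S+)\s+(\S+)\s*$", re.I)
SET_VERIFY = re.compile(r"^\s*SET\s+VERIFYUSER\s+(ON|OFF)\s*$", re.I)
# Resources the manual deliberately exposes to SSGCOM without a logon.
ALLOWED_ANY = {"ASAP", "MEASCOM"}

def parse_ssgconf(text):
    """Map each SET SECURE resource to its level; report whether VERIFYUSER is OFF."""
    levels, verify_off = {}, False
    for line in text.splitlines():
        m = SET_SECURE.match(line)
        if m:
            levels[m.group(1).upper()] = m.group(2).upper()
            continue
        m = SET_VERIFY.match(line)
        if m:
            verify_off = m.group(1).upper() == "OFF"
    return levels, verify_off

def audit_ssgconf(text):
    """Return findings; an empty list means the file matches the page's restrictive model."""
    levels, verify_off = parse_ssgconf(text)
    findings = []
    if levels.get("TACL") != "NONE":
        findings.append("TACL: expected an explicit SET SECURE TACL NONE")
    for resource, level in levels.items():
        if level == "ANY" and resource not in ALLOWED_ANY | {"DEFAULT", "TACL"}:
            findings.append(f"{resource}: ANY opens a resource beyond ASAP/MEASCOM")
    # Assumption: DEFAULT is the level for resources not listed explicitly.
    if verify_off and levels.get("DEFAULT") == "ANY":
        findings.append("DEFAULT: ANY with VERIFYUSER OFF needs no logon for unlisted resources")
    return findings

# The SSGCONF lines recommended on this page.
PAGE_CONF = """SET SECURE DEFAULT USER
SET SECURE TACL NONE
SET SECURE ASAP ANY
SET SECURE MEASCOM ANY
SET VERIFYUSER OFF
"""
# Constructed permissive variant (not from the manual) that the audit should flag.
LOOSE_CONF = """SET SECURE DEFAULT ANY
SET SECURE TACL ANY
SET SECURE ASAP ANY
SET VERIFYUSER OFF
"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("loose", LOOSE_CONF)):
        print(name, audit_ssgconf(conf) or ["ok"])
```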