RSC/MP Programming Manual
Access Control Server
Mapping of RSC/MP sessions to ACS objects can be done in either of two ways:
- In the TDP (recommended), by setting the TERM object's ACSERVER attribute to the name of the ACS object. This approach provides stronger security because it does not rely on the RSC/MP application to supply the name of a properly configured ACS object; a misconfigured or hostile workstation application cannot choose its own ACS.
- In the RSC/MP application, by setting the HOST_ACS_NAME option to the name of the ACS object that should control access. This option must be set before the RscBeginSession call.
How ACS Works
The ACS facility works as follows:
1. At the start of an RSC/MP session (when the application calls RscBeginSession), the TDP determines whether an ACS is configured for that workstation.
2. If an ACS is configured, the TDP sends the USER_ID and PASSWORD from the header of its RscBeginSession message to the ACS. The user ID and password come from the workstation options.
3. If the ACS accepts the USER_ID and PASSWORD, the TDP starts the session; otherwise the session is not started.
Note. The ACS mechanism provides application-defined security. The USER_ID and
PASSWORD options are passed to an ACS only. They are not related to Guardian
security, unless you choose to make use of Guardian security functions in your ACS
implementation.
An ACS object has two additional levels of access control. These controls are determined by the ACS program and by the RECVWRITEREADS attribute of the ACS object:
- The USER_ID and PASSWORD can be validated on each RscWriteRead. This is enabled by setting the RECVWRITEREADS attribute of the ACS object to YES, so that credentials revoked after session start take effect on the next call rather than only at the next RscBeginSession.
- When the TDP receives an RscBeginSession message, the user-written ACS can reply with a list of authorized servers. This list, maintained for each session, contains the names of stand-alone servers and Pathway server classes. The TDP checks the list to allow or block access (depending on the settings used by the ACS) to the servers named in each subsequent RscWriteRead or RscWrite function call.
The TDP can be configured to report successful and/or rejected ACS attempts on each
RscWrite or RscWriteRead. The logging of ACS status on an RscWrite/RscWriteRead
basis is configured in a TERM object using the option TERM LOGEVENTS
ACSALLOW to log successful attempts and the option TERM LOGEVENTS
ACSREJECT for rejected attempts. Refer to the HP NonStop Remote Server Call
(RSC/MP) Installation and Configuration Guide for information on setting up TERM
LOGEVENTS as part of TDP Logging.
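The following is an added model of the exchange described above (session-start validation, per-RscWriteRead re-validation under RECVWRITEREADS, the per-session authorized-server list, and ACSALLOW/ACSREJECT logging). It is illustrative code written for this page, not RSC/MP, TDP or ACS code from HP; the class and method names (AccessControlServer, Tdp, begin_session, rsc_write_read, revoke), the PBKDF2 credential store, the treatment of the server list as an allow-list, and the log line format are all assumptions. The real ACS interface and message layouts are defined by the RSC/MP product and are not shown on this page.

```python
"""Simulation of the RSC/MP TDP <-> ACS access-control flow.

Added example, not HP's RSC/MP or ACS code. Names, the credential store and
the log format are assumptions; the sample users below are constructed data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Hypothetical credential storage for the model. The manual leaves this
    # to the ACS; a real ACS might call Guardian security functions instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControlServer:
    """Application-defined ACS: validates USER_ID/PASSWORD and, at session
    start, returns the servers the session may call (assumed allow-list)."""

    def __init__(self, users: Dict[str, Tuple[str, FrozenSet[str]]],
                 recv_write_reads: bool):
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._servers: Dict[str, FrozenSet[str]] = {}
        for user_id, (password, servers) in users.items():
            salt = os.urandom(16)
            self._creds[user_id] = (salt, _hash_password(password, salt))
            self._servers[user_id] = servers
        # Mirrors the RECVWRITEREADS attribute of the ACS object.
        self.recv_write_reads = recv_write_reads

    def validate(self, user_id: str, password: str) -> bool:
        entry = self._creds.get(user_id)
        if entry is None:
            _hash_password(password, b"\x00" * 16)  # keep timing similar
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def begin_session(self, user_id: str, password: str) -> Tuple[bool, FrozenSet[str]]:
        """Reply to the TDP's relayed RscBeginSession credentials."""
        if not self.validate(user_id, password):
            return False, frozenset()
        return True, self._servers[user_id]

    def revoke(self, user_id: str) -> None:
        """Remove a user; with RECVWRITEREADS the next RscWriteRead fails."""
        self._creds.pop(user_id, None)
        self._servers.pop(user_id, None)


@dataclass
class Session:
    user_id: str
    password: str                        # header credentials the TDP re-sends
    allowed_servers: Optional[FrozenSet[str]]  # None: no ACS list for this session


@dataclass
class Tdp:
    acs: Optional[AccessControlServer]   # None models a TERM with no ACS configured
    log_acsallow: bool = False           # TERM LOGEVENTS ACSALLOW
    log_acsreject: bool = False          # TERM LOGEVENTS ACSREJECT
    events: List[str] = field(default_factory=list)

    def rsc_begin_session(self, user_id: str, password: str) -> Optional[Session]:
        if self.acs is None:
            return Session(user_id, password, None)
        accepted, servers = self.acs.begin_session(user_id, password)
        if not accepted:
            return None                  # TDP does not start the session
        return Session(user_id, password, servers)

    def rsc_write_read(self, session: Session, server_name: str) -> bool:
        allowed = True
        if self.acs is not None:
            if self.acs.recv_write_reads and not self.acs.validate(
                    session.user_id, session.password):
                allowed = False          # per-call credential check failed
            if (session.allowed_servers is not None
                    and server_name not in session.allowed_servers):
                allowed = False          # server not on the session's list
        if allowed and self.log_acsallow:
            self.events.append(f"ACSALLOW user={session.user_id} server={server_name}")
        elif not allowed and self.log_acsreject:
            self.events.append(f"ACSREJECT user={session.user_id} server={server_name}")
        return allowed


def demo() -> List[str]:
    """Constructed scenario: one user, one allowed server, then revocation."""
    acs = AccessControlServer({"OPS": ("s3cret", frozenset({"$SRV1", "PAY-CLASS"}))},
                              recv_write_reads=True)
    tdp = Tdp(acs, log_acsallow=True, log_acsreject=True)
    assert tdp.rsc_begin_session("OPS", "wrong") is None
    session = tdp.rsc_begin_session("OPS", "s3cret")
    tdp.rsc_write_read(session, "$SRV1")      # allowed
    tdp.rsc_write_read(session, "$OTHER")     # not on the list
    acs.revoke("OPS")
    tdp.rsc_write_read(session, "$SRV1")      # RECVWRITEREADS catches the revocation
    return tdp.events
```

The model makes the practical point of the two extra levels visible: without RECVWRITEREADS, a session that was valid at RscBeginSession keeps working after the ACS revokes the user, because the TDP only consulted the ACS once; with it, the revocation is enforced on the very next RscWriteRead. The allow-list interpretation of the server list is an assumption, since the manual says the ACS settings decide whether the list allows or blocks.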
HP NonStop Remote Server Call (RSC/MP) Programming Manual — 522360-006