XYGATE Access Control Reference Manual
Appendix A: The ACCONF File 
XYPRO Technology Corporation  118  Proprietary and Confidential 
In order to use the SAFEGUARD_PRIVLOGON option, create a Safeguard DISKFILE 
Protection Record for the XYGATEAC object file and set attribute PRIV-LOGON to ON 
as shown below. 
Example 5: The DISKFILE Protection Record for the XAC Object File 
                     LAST-MODIFIED  OWNER     STATUS  WARNING-MODE
$SYSTEM.XYGATEAC
 XYGATEAC            10AUG08, 1:01  \*.253,1  THAWED  OFF
   \*.253,1          R,W,E,P,C,O
   \*.*,*            R,E
 AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = ALL 
 AUDIT-ACCESS-FAIL = ALL   AUDIT-MANAGE-FAIL = ALL 
 AUDIT-PRIV-LOGON = ON 
 LICENSE = ON PROGID = ON  CLEARONPURGE = OFF  PERSISTENT = ON 
 TRUST = OFF     PRIV-LOGON  = ON 
The XYGATEAC object file must be PROGID’d and LICENSED. Setting PERSISTENT 
to ON will preserve the Protection Record when an XAC software upgrade is 
performed. Security best practice requires that AUDIT-PRIV-LOGON be set to ON. 
Note: The Safeguard PRIV-LOGON feature allows a program to set a special flag
when calling USER_AUTHENTICATE_. If the program also has a Safeguard diskfile
ACL with the PRIV-LOGON attribute set to ON (valid values are ON and OFF),
logons are allowed without specifying a password, regardless of the Safeguard
PASSWORD-REQUIRED setting. In addition, successive logon authentication
failures are not subject to timeouts.
When an XAC command is configured with:
  USER_SWITCH SAFEGUARD_PRIVLOGON
and XYGATEUA is in use, the XUA UAGROUP used to authorize the logon
operation must have a setting of SAFEGUARD_PRIVLOGON ON. If this setting
is not present, XAC’s attempt to switch users will fail and the XAC
command will not run. The SAFEGUARD_PRIVLOGON keyword is described in
“The UAACL File” appendix of the XYGATE User Authentication (XUA)
Reference Manual (refer to “Additional XYPRO Reference Manuals” in the
“Introduction” for instructions on how to get this and other XYPRO manuals).
XYGATEUA will only respect the Safeguard PRIV-LOGON flag set to ON if the
SAFEGUARD_PRIVLOGON keyword is set to ON for a UAGROUP in the
UAACL file. The default value is OFF.
UAGROUP Example: 
UAGROUP SAFEGUARD-PRIVLOGON 
 DESCRIPTION "Safeguard Privlogon feature" 
 FROM_USER $EVERYONE-NET 
 TO_USER $EVERYONE 
 REQUESTOR $SYSTEM.XYGATEAC.XYGATEAC 
 SAFEGUARD_PRIVLOGON ON 
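The following is an added example, not part of the XYPRO manual or of XYGATE's own tooling: a Python check, run offline over captured text, that cross-checks the DISKFILE Protection Record against the UAGROUP and reports where they depart from the settings this page calls for. The function names, the simplified one-keyword-per-line UAACL parsing and the embedded sample text (constructed from the two examples above) are assumptions of the example.

```python
import re

# Constructed sample input: the two examples shown on this manual page.
DISKFILE = r"""$SYSTEM.XYGATEAC
 XYGATEAC  10AUG08, 1:01 \*.253,1 THAWED  OFF
   \*.253,1   R,W,E,P,C,O
   \*.*,*    R,E
 AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = ALL
 AUDIT-ACCESS-FAIL = ALL   AUDIT-MANAGE-FAIL = ALL
 AUDIT-PRIV-LOGON = ON
 LICENSE = ON PROGID = ON  CLEARONPURGE = OFF  PERSISTENT = ON
 TRUST = OFF     PRIV-LOGON  = ON"""
UAACL = """UAGROUP SAFEGUARD-PRIVLOGON
 DESCRIPTION "Safeguard Privlogon feature"
 FROM_USER $EVERYONE-NET
 TO_USER $EVERYONE
 REQUESTOR $SYSTEM.XYGATEAC.XYGATEAC
 SAFEGUARD_PRIVLOGON ON"""
REQUIRED_ON = {"PRIV-LOGON": "needed by USER_SWITCH SAFEGUARD_PRIVLOGON",
               "LICENSE": "object file must be LICENSED",
               "PROGID": "object file must be PROGID'd",
               "AUDIT-PRIV-LOGON": "best practice per the manual",
               "PERSISTENT": "keeps the record across XAC upgrades"}

def parse_uagroups(text):
    """{group: {keyword: value}}; assumes one space-separated keyword per line."""
    groups, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key == "UAGROUP":
            cur = groups.setdefault(val.strip(), {})
        elif key and cur is not None:
            cur[key] = val.strip()
    return groups

def audit(diskfile, uaacl):
    """Return a list of deviations from the settings described on this page."""
    obj = ".".join(re.search(r"^\s*(\$\S+)\s*\n\s*(\S+)", diskfile, re.M).groups())
    attrs = dict(re.findall(r"([A-Z][A-Z-]*[A-Z])\s*=\s*(\S+)", diskfile))
    out = [f"{obj}: {k} is not ON ({why})"
           for k, why in REQUIRED_ON.items() if attrs.get(k) != "ON"]
    # SAFEGUARD_PRIVLOGON defaults to OFF when a UAGROUP omits it.
    if not any(g.get("REQUESTOR") == obj and g.get("SAFEGUARD_PRIVLOGON") == "ON"
               for g in parse_uagroups(uaacl).values()):
        out.append(f"no UAGROUP for REQUESTOR {obj} sets SAFEGUARD_PRIVLOGON ON")
    return out

if __name__ == "__main__":
    print(audit(DISKFILE, UAACL) or "configuration matches the manual")
```

An empty list means both files agree with the page; each finding names the object file and the attribute or keyword to correct.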










