XYGATE® User Authentication™ Reference Manual
HP Part Number: 657929-005
Published: December 2013
Edition: J06.03 and subsequent J-series RVUs. H06.03 and subsequent H-series RVUs. G06.10 and subsequent G-series RVUs.
© Copyright 2013 Hewlett-Packard Development Company, L.P.
Legal Notice
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Publication History
Software Ver. 1.70 (Jun. 2011): Reformatted for new template, re-arranged chapters and appendices.
Software Ver. 1.76 (Mar. 2012): Updated Chapter 11 Impersonation; updated §12.2 LDAP_HOST and LDAP_PROXY_CACERT keywords; updated Chapter 16 What-if Testing “Syntax For Access Check”; consolidated appendix B48 UAGROUP into B5: “Configuring UAGroups”; re-arranged AUDIT File keywords in Appendix A:.
Software Ver. 1.80: Updated “System/SEEP Issues Affecting XUA” in the “Introduction”; added §1.
CONTENTS
Introduction ..... xvii
  Feature Highlights ..... xvii
  XYGATE User Authentication (XUA) Architecture ..... xix
  XUA Module Components ..... xx
  System/SEEP Issues Affecting XUA ..... xxii
  What’s New in this Release .....
XYGATE® User Authentication™ Reference Manual Contents
Chapter 2. Node-Conditional Processing in the UAACL File ..... 33
  2.1 Conditional Operators ..... 33
  2.2 Node Names or Patterns ..... 35
  2.3 Conditional Text ..... 36
  2.4 Configuring Logon Controls .....
Chapter 3.
12.2 LDAP-Related UACONF Keywords ..... 60
12.3 Prepare the NonStop System for LDAP Authentication ..... 61
  12.3.1 Checking for Network-Related Configuration ..... 61
  12.3.2 Network Configuration Files that Need Checking ..... 62
  12.3.3 Local CA Certificate File ..... 64
  12.3.4 Telserv Process Configuration Checking .....
  12.3.5 .....
  12.3.6 .....
14.2 RADIUS-Related UACONF Keywords ..... 111
14.3 Prepare the NonStop System for RADIUS Authentication ..... 112
  14.3.1 Checking for Network-Related Configuration ..... 112
  14.3.2 Network Configuration Files That Need Checking ..... 113
  14.3.3 Telserv Process Configuration Checking ..... 115
  14.3.4 Testing Network-Related System Configuration .....
16.12 Testing the XUA Server ..... 154
16.13 Interactive Keywords ..... 155
  16.13.1 AUDIT ..... 155
  16.13.2 COMMENT ..... 156
  16.13.3 ENV ..... 156
  16.13.4 EXIT .....
  19.5.1 Audit File ..... 183
  19.5.2 Report date range ..... 184
  19.5.3 Subject Userid and/or Subject Login name ..... 184
  19.5.4 System ..... 185
  19.5.5 Terminal .....
  19.5.6 to 19.5.19 .....
A12: AUTHENTICATE_FREEZE_PERIOD ..... 212
A13: AUTHENTICATE_MAXIMUM_ATTEMPTS ..... 213
A14: COLLECTOR ..... 213
A15: COMPANY_NAME ..... 213
A16: EMS_CRITICAL_IF_DENIED ..... 214
A17: EXPLAIN_LOG .....
A47: MONITOR ..... 232
A48: MONITOR_ACCESS_CHECK ..... 233
A49: MONITOR_AUDIT_SERVER ..... 233
A50: MONITORAUDIT ..... 234
A51: PASSWORD_EXPIRES_MESSAGE ..... 234
A52: PASSWORD_MAY_CHANGE .....
B7: ANCESTOR ..... 257
B8: AUDIT_ACCESS_FAIL ..... 258
B9: AUDIT_ACCESS_PASS ..... 258
B10: AUTHENTICATE_FAIL_FREEZE ..... 259
B11: AUTHENTICATE_FAIL_FREEZE_MSG .....
B42: RESULT_DENIED ..... 282
B43: RESULT_GRANTED ..... 282
B44: RSA_AUTHENTICATE ..... 283
B45: RSA_REQUIRE_PASSWORD ..... 284
B46: SAFEGUARD_PRIVLOGON ..... 285
B47: SUPERSUPEROK .....
C26: XUA_VOLUME ..... 311
C27: XUAHELP ..... 312
C28: Specialty Configuration Macros .....
XYPRO Technology Corporation xvi Proprietary and Confidential
Introduction Welcome to the XYGATE® User Authentication™ product software from XYPRO Technology Corporation for the HP NonStop™ server. XYGATE User Authentication (XUA) was developed to fill the need for a user authentication tool to enhance Safeguard. XUA expands upon security functions native to NonStop systems, providing enhancements such as multi-factor authentication, sophisticated error management options and logon-specific audit reporting.
Time-Based Logon Control
XYGATEUA can restrict logons based on the time of day. Time-based logon control can be configured either with the TIME keyword within a UAGROUP or for a TIMEGROUP. This is described in Chapter 6 and Appendix B:
Impersonation Feature
The impersonation feature removes the need for users to share sensitive IDs, such as that of SUPER.SUPER, to log on. This is described in Chapter 11.
XYGATE User Authentication (XUA) Architecture
XUA is a SEEP process that works closely with the Safeguard process $ZSMP. As shown in the diagram, when logon requests come from programs such as TACL or XAC, Safeguard forwards the request to the Authentication SEEP, which is XUA. XUA makes its ruling based on the rules configured in the UACONF and UAACL files.
XUA Module Components
XUA is a TACL macro used to attach the XUA TACL segment. This macro has a default name of XUA but may be changed during installation.
Note: If you specified a different name for this macro during your installation, be sure to use that name instead of XUA.
The XUA module contains the following components:
LICCHK: The LICCHK program is used by the XUA_VERSION macro to display information about the XUA license.
RADSRV: The XUA_RADIUS_INSTALL macro creates the RADSRV file. It is the executable for the proxy server that mediates communication between XUA and the RADIUS server.
RADIUSSS: The RADIUSSS file is an edit file created by the XUA_RADIUS_INSTALL macro. During the execution of the XUA_RADIUS_INSTALL macro, the user is prompted to enter a shared secret.
System/SEEP Issues Affecting XUA
This section discusses the SEEP issues that affect XUA.
PHANDLE
There is a field called a phandle in the Safeguard-to-XUA message that identifies the process doing the logon. In the first message to XUA for a particular logon dialog, it is correct. In subsequent messages for the same dialog it might be incorrect.
the correct remote node (if EXPLICIT_NODES=ON); otherwise, the node will be \UNKNOWN.
PASSWORD-MAY-CHANGE setting in Safeguard
If the PASSWORD-MAY-CHANGE feature is used in Safeguard and the XUA SEEP is enabled, changing an expired password within the grace period during logon results in an unexpected “password change too soon” message from Safeguard.
What’s New in this Release
The following is a summary of documentation revisions or updates, and new features where applicable. Refer to the softdoc for detailed information about “System/SEEP Issues Affecting XUA”, “ENHANCEMENTS” and “ISSUES RESOLVED.”
• Documentation – descriptions revised for “Managing the XYGATE License” in section 1.7 starting on page 28.
• New – added the XYCERTM macro as described in section 12.3.
General Syntax Notation
The following list summarizes the notation conventions for syntax presentation in this manual.
UPPERCASE LETTERS. Uppercase letters indicate keywords and reserved words; enter these items exactly as shown. Items not enclosed in brackets are required. For example: MAXATTACH
< > Angle Brackets. A pair of matching angle brackets indicates variable items that you supply, but without the brackets.
… Ellipsis. An ellipsis immediately following a pair of brackets or braces indicates that you can repeat the enclosed sequence of syntax items any number of times. For example: M [ , ]... [ - ] {0|1|2|3|4|5|6|7|8|9}...
An ellipsis immediately following a single syntax item indicates that you can repeat that syntax item any number of times. For example: "s-char..."
Punctuation.
Additional XYPRO Reference Manuals
A number of XYGATE Microsoft Windows clients can be used to report from the XUA database, to monitor alerts from NonStop systems and to modify the configuration of host XYGATE modules. The reference manuals for the client components are part of the XYGATE Online Help (XOH) package.
Chapter 1. Installing XUA
This chapter describes the installation procedure for the XYGATE XUA files using the AutoInstall script. Running the AutoInstall script is a guided installation with minimal SUPER command line input except where noted.
1.1 Before You Begin
Ensure that you have the following information ready before you begin the installation procedures:
• Administrator privileges for your PC.
• The name of the TACL service.
• SUPER.SUPER ID or an alias to SUPER.SUPER.
XYGATE® User Authentication™ (XUA) 1.85 Reference Manual Chapter 1. Installing XUA
User-Defined Configuration Values Required for AutoInstall
You have the option of specifying the user-defined values shown in Table 1 when using the AutoInstall script. If you do not specify a value, AutoInstall will use the default values given in Table 2. If necessary, contact your system manager for input to these questions.
Table 3 defines default configuration values and file locations that will be generated automatically by the AutoInstall script.
Table 3: AutoInstall-Assigned Default Values or Locations
Config File | Configuration Settings | Default Values Assigned by AutoInstall Script or Locations
 | | A staging subvolume for installation only. May be removed after installation has been completed.
Config File | Configuration Settings | Default Values Assigned by AutoInstall Script or Locations
TRCONF | XTR option TR_MASTER_SUBVOL | $VOL.XYGATETR
TRCONF | XTR encryption options | OFF
TRCONF | XTR SSL options | OFF
TRCONF | XTR monitor/debug options | OFF
TRACL | XTR/XUA $OWNER Authorized users | OWNER running the script + SUPER.SUPER
TRACL | XTR option TR_INSTALLATION | IP address and Port Number
1.2.
In the example below, $DAT90 is accepted as the default XTR volume.
Example:
Enter XTR volume <$DAT90>?
Script prompts will return an error to the screen if the entered value is not valid. You can then change your response to a valid entry as shown below.
Example:
Enter XTR volume <$DAT90>? Zmywrk
Invalid volume entry, try again
(Invalid response)
You can end the script by pressing Ctrl+Y at any prompt.
3. You can now run the AutoInstall script described in the next section. You may want to review that script with your system manager before you begin.
4. Obey the file IXYBIN to unpack program files and prepare them for the automated install script.
If these commands cannot be issued by SUPER.SUPER (or an alias to SUPER.SUPER) at the time of the initial installation, the user has the option to stop the installation. The next time the user runs the IWIZARD, the installation process will continue from the point where it was stopped.
Now enter a subvolume name at the prompt below. It would be helpful to identify this as the XTR subvolume; for example, XYGATETR or XTRPROD.
Enter XTR subvol ?
Discovering XUA ($*.*) ...
Discovery complete.
SEL  LOCATION           VERSION  OWNER              AVAILABILITY
---  -----------------  -------  -----------------  ------------
1)   $VOL.JIM                    XYPRO.
XYGATE GUI programs. You can optionally authorize additional users and aliases by entering them at the next two prompts. Pressing without providing additional users or aliases means no additional users or aliases will be authorized. If this is a new install, you will be asked for any additional users/aliases (90 characters max.) that you may want to have access to this environment.
Start a separate TACL session using a SUPER.SUPER logon, and perform the necessary licensing tasks as shown in the example below.
Example:
TACL> RUN \N1.$VOL.ZXYPROUA.LICENSE
Licensing $VOL.XYGATEUA.XYGATEUA
Licensing $VOL.XYGATEUA.VULIB
Licensing $VOL.XYGATEUA.XOADLL
Licensing $VOL.XYGATEUA.USERINFO
Licensing $VOL.XYGATETR.ADOPT
Licensing $VOL.XYGATETR.USERINFO
TACL>
Logoff as the SUPER.SUPER or SUPER alias.
WARNING: The start listner macro is intended for testing your XYGATE/TR configuration. For production usage, you must use the HP Listner by making entries in your PORTCONF.
XYLISTEN has bound to port : 1121
Listner process $Y4LA started.
Taking inventory ...
Taking inventory complete.
Validating the installation ...
A final status screen will display the current XUA environment.
1.3.2 Securing the XYGATEUA Files with XYGATEOS
This section describes how to secure the XYGATEUA files with XYGATEOS.
FOGROUP SECURE-XYGATEUA-FILES
  DESCRIPTION "Secure XYGATE User Authenticate Module"
  ! (Everyone must be able to Read and Execute these Object Files)
  ! *** Selection Criteria ***
  MASK $SYSTEM.XYGATEUA.P++F001
  $SYSTEM.XYGATEUA.XYGATEUA
  $SYSTEM.XYGATEUA.UACONF
  $SYSTEM.XYGATEUA.UAACL
  $SYSTEM.XYGATEUA.
Syntax: TACL> VOLUME <$NEWVOL>.ZXYPROUA
Example: TACL> VOLUME $MYVOL.ZXYPROUA
2. Purge the old installation staging subvolume. If you know the location of the initial installation staging subvolume, PURGE all files to remove the old installation staging files. If you have selected a new location, you may skip this step.
Syntax: $MYVOL ZXYPROUA 3> FUP PURGE <$VOL>..* !
Example: $MYVOL ZXYPROUA 3> FUP PURGE $MYVOL.
1.4.2 Running AutoInstall to Upgrade XTR Only
Access to SUPER.SUPER (or an alias to SUPER.SUPER) will be required during the upgrade to perform necessary licensing tasks in a separate TACL session. This requirement will be indicated by the AutoInstall script and is also documented in this procedure.
SEL  LOCATION          VERSION  OWNER         AVAILABILITY
---  ----------------  -------  ------------  ------------
1)   $VOL.XYGATETR     1.55     XYPRO.JAMES   Available
2)   $VOL.XTR150       1.50     XYPRO.JAMES   Available
P)   Prompt for new location                  Available
Press BREAK or -Y to exit.
Enter available selection:
To upgrade an existing installation, choose the number (under the SEL heading above) of the existing environment to be upgraded.
The AutoInstall script now checks the installed XTR version number against the available version as shown below.
Verifying the system catalog can be written to ...
Verified the system catalog can be written to.
Verifications complete.
Unpaking products:
Unpaking XTRBIN ...
Unpak of XTRBIN complete.
Unpaking products complete.
If the installed software is older than the current version, the script will notify you and perform the upgrade. Upgrading the XTR software requires licensing of one of the installation programs to perform this function.
Comparing installed version of XTR to available version ...
A higher version of XTR was found. XTR will be upgraded.
Installing XTR from \N1.$VOL.P46DSDST ...
Install of XTR complete.
Install of products complete.
Performing products syntax check ...
Products syntax check complete.
Verifying XUA is listed in XTR TRACL file ...
Done verifying XUA is listed in XTR TRACL file.
Taking inventory ...
Taking inventory complete.
Validating the installation ...
Product   Distribution Version   Installed Version
--------  ---------------------  -----------------
XUA       1.70                   1.70
XTR       1.56                   1.
The AutoInstall script will attempt to locate any already installed XTR environments and display these located environments as shown below.
Establishing product locations ...
------------------------------------------------------------------------------
The XYGATE Transaction Router (XTR) is used to provide communication between XYGATE GUI products and their HP NonStop server counterparts.
Updating config ...
Config updated.
Product locations established.
Available version of XTR is not higher than the installed version. XTR installation skipped.
Performing verifications ...
If the installed XUA software product version is the same as or newer than the version being installed by the script, the upgrade will be skipped as shown above.
Licensing requirements are to be performed by a SUPER.SUPER logon for XUA only:
Example:
TACL> RUN $VOL.XYGATEUA.XUA INSTALL
TACL> XUA_FINISH_INSTALL
Licensing $VOL.XYGATEUA.XYGATEUA
Licensing $VOL.XYGATEUA.VULIB
Licensing $VOL.XYGATEUA.XOADLL
Licensing $VOL.XYGATEUA.USERINFO
TACL>
Logoff as the SUPER.SUPER or SUPER alias.
When you complete the licensing tasks, answer Y to the prompt below to continue.
Note: The AutoInstall script waits on a prompt while the user starts a separate TACL session when requested to perform specific actions. The user continues the script after the action by responding to this prompt. However, if the user stops the AutoInstall script for any reason, it must be restarted with the RUN command as shown below. This will continue the upgrade from the point of exit.
Start the IWIZARD script.
To upgrade an existing installation, choose the number (under the SEL heading) of the existing environment to be upgraded. Only environments that are owned by your userid are available to be upgraded. Other environments are shown for information only.
Enter available selection: 1
Updating config ...
Config updated.
Comparing installed version of XUA to available version ...
A higher version of XUA was found. XUA will be upgraded.
Installing XUA from \N1.$VOL.ZXYPROUA ...
Install of XUA complete.
If the installed software is older than the current version, the script will notify you and perform the upgrade. Upgrading the XTR software requires licensing of one of the installation programs to perform this function.
Please go to another TACL session, logon as SUPER.SUPER or an alias of SUPER.SUPER, and RUN \N1.$VOL.ZXYPROUA.LICENSE
You may continue when this has been done. If you decide not to continue, the next time the wizard is run, it will continue here, where you last stopped.
Are you ready to continue ?
Do not answer the above prompt yet. Start another TACL session using a SUPER.
A final status screen will display the current XUA environment.
Product   Distribution Version   Installed Version
--------  ---------------------  -----------------
XUA       1.70                   1.70
XTR       1.56                   1.56
Listner is running and listening on port 1121.
----------------------------------------------------------------
Validation finished.
If no errors were reported, and the information shown was as expected, the installation was validated.
1. Locate the installation subvolume where the XUA product AutoInstall script was executed.
Syntax: TACL> VOLUME <$NEWVOL>.ZXYPROUA
Example: TACL> VOLUME $MYVOL.ZXYPROUA
2. If the UNIWIZ script does not exist, use the following command to unpack the software and make the script accessible:
TACL> OBEY IXYBIN
3. Start the UNIWIZ script with the parameter Y.
1.7 Managing the XYGATE License
XYGATE modules are “licensed” for a specific amount of time. This section describes the steps for checking the XYGATE license file.
1.7.1 Checking the Status of the Current License
To check your current license expiration date, use the XUA_VERSION macro. Refer to Appendix C25: on page 309 for a description of this macro.
1.8 Configuring XUA Userids and Aliases
All XYGATE modules use standard Guardian userids and Safeguard aliases. No XYGATE module requires that you create a new user database. XUA allows you to enter userids as either user names or user numbers, but the two are treated somewhat differently:
• If a user number is entered, XUA will not check for the presence of the userid on that node.
1.8.1 Userids
Users are specified as follows:
Syntax: [\Node.]. –or– [\Node.],
You can enter userids as user names or user numbers. Remember that if you enter a user name, XUA will check for the userid’s existence on the node where it is running. You can use an asterisk ( * ) in either the GROUP position or the MEMBER position.
1.8.2 Aliases
Aliases are specified as follows:
Syntax: ALIAS:"[\NODE.]"
The ALIAS:" " syntax tells XYGATE (and the HP NonStop server) that the string is an alias. The quotation marks are necessary to prevent the string from being upshifted and to stop TACL from interpreting any special characters. You can use wildcarding to specify both nodes and alias names when appropriate. ALIAS:"*" represents all local aliases.
1.8.3 ACLGroups
ACLGroup entries allow profiling of users by job function. For example, you may wish to allow certain operators to perform some of the tasks of SUPER Group members. For this situation, create an ACLGROUP named, for example, $PRIVILEGED, which would include both the SUPER Group and the privileged operators. ACLGroups must be defined at the beginning of the UAACL file, before any rules.
Chapter 2. Node-Conditional Processing in the UAACL File
All XYGATE products have a file that defines the security rules supported by the product. There is one UAACL file per product per node; refer to Appendix B: “The UAACL File.” In many HP NonStop server networks, the UAACL file for any given product will be the same for every, or almost every, NonStop server in the network.
<>  An exact match between the individual node specified and the name of the node on which the UAACL file is being loaded. You can only specify an individual, non-wildcarded node name. If the names match, the conditional text will be ignored for that product and node. NODE <> "\DEV" would match any node except \DEV.
LIKE  Use LIKE when you wish to wildcard the names of nodes to include.
Example 3: Node-Conditional to include a specific wildcarded node set
#IF @NODE LIKE "\\NY.*"
...conditional text to include...
#ENDIF
In Example 4 below, if the name of the node on which the UAACL file is being loaded begins with \MARS, the text will not be included. If the name begins with any other value, the text will be included.
Example 3: Node Name Specified With a Regular Expression
#IF #NODE LIKE "\\MEL[0-9]{1,4}"
...conditional text to include...
#ENDIF
2.3 Conditional Text
The conditional text that is included in or excluded from the UAACL file based on the node name must be text that is valid in the XYGATE module’s UAACL file.
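As an added illustration of the #IF/#ENDIF node-conditional processing described in 2.1 and 2.2 (example code written for this page, not part of the manual or the XYGATE product), the Python below keeps or drops conditional text for a given node name. It assumes the directive forms shown above, that <> compares the literal node name case-insensitively, and that a LIKE value is a regular expression that must match the whole node name; the UAACL rule lines in the sample are constructed placeholders.

```python
import re

# Constructed sample UAACL fragment (not from the manual). The rule lines are
# placeholders; only the #IF/#ENDIF node-conditional directives matter here.
SAMPLE_UAACL = r'''
ACLGROUP $DBA DBA.*
#IF @NODE <> "\DEV"
UAGROUP PRODONLY
#ENDIF
#IF @NODE LIKE "\\NY.*"
UAGROUP NYOFFICE
#ENDIF
#IF @NODE LIKE "\\MEL[0-9]{1,4}"
UAGROUP MELBOURNE
#ENDIF
UAGROUP EVERYONE
'''

# Directive shapes as shown in the chapter: #IF @NODE <op> "<value>" ... #ENDIF.
IF_RE = re.compile(r'^#IF\s+@NODE\s+(<>|LIKE)\s+"([^"]*)"\s*$', re.IGNORECASE)
ENDIF_RE = re.compile(r'^#END\s*IF\s*$', re.IGNORECASE)


def node_condition_holds(op, value, node):
    """Decide whether a block's conditional text applies to this node.

    <>   : exact, non-wildcarded comparison; the text is *excluded* when the
           names match (so "\DEV" selects every node except \DEV).
    LIKE : the value is a regular expression that must match the whole node
           name. Case-insensitive full-match is an assumption of this example.
    """
    if op == "<>":
        return node.upper() != value.upper()
    return re.fullmatch(value, node, re.IGNORECASE) is not None


def filter_uaacl(text, node):
    """Return the UAACL lines that remain after node-conditional processing.

    Raises ValueError on a nested #IF, a stray #ENDIF or an unterminated
    block, so a malformed file is rejected rather than silently mis-scoped.
    """
    kept = []
    including = None            # None outside a block, True/False inside one
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = IF_RE.match(line)
        if m:
            if including is not None:
                raise ValueError(f"line {lineno}: nested #IF is not supported")
            op, value = m.group(1).upper(), m.group(2)
            including = node_condition_holds(op, value, node)
            continue
        if ENDIF_RE.match(line):
            if including is None:
                raise ValueError(f"line {lineno}: #ENDIF without #IF")
            including = None
            continue
        if including is None or including:
            kept.append(line)
    if including is not None:
        raise ValueError("unterminated #IF block at end of file")
    return kept


if __name__ == "__main__":
    for node in (r"\DEV", r"\NY1", r"\MEL12", r"\MELB"):
        print(node, "->", filter_uaacl(SAMPLE_UAACL, node))
```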
ACL $SUPER
  FC? FCPROMPT "> "
  OPENSBYOBJECTS $*.*.SCF* $*.ZTCP*.*
  ALLOWCMD "EXIT"
  ALLOWCMD "HELP"
  ALLOWCMD "Y"
  ALLOWCMD "STOP $ATMTST"
  ALLOWCMD "START $ATMTST"
  ALLOWCMD "ABORT $ATMTST"
  ALLOWCMD "ALTER $ATMTST"
  ALLOWCMD "STATUS $ATMTST"
  DENYCMD *
#ENDIF
In Example 4 below, members of the $DBA ACLGROUP can manage the databases on both the development and production nodes.
• If a member of the TECH SUPPORT staff tries to log on to a logged-off dial access terminal, permit it.
• If a member of the OPERATIONS staff tries to log on to a logged-off dial access terminal, deny it.
• If a member of the OPERATIONS staff tries to log on off-hours, permit it.
Chapter 3. Configuring Control Logons Based on the Ancestor Program
ANCESTOR is an optional criterion. There is an originating process for every program that runs on the NonStop server.
3.1 Procedure
When creating XUA rules, the ANCESTOR specification is used to make a rule that applies to every process started by an ancestor, such as all TCP/IP sessions or all NetBatch program runs.
Syntax: ANCESTOR
Chapter 4. Configuring Control Logons Based on Port
PORT is an optional criterion. Every user performing an interactive logon is using a NonStop server port to perform the logon. The PORT may be a physical address such as $DIAL, a logical TCP/IP address such as 207.215.52.43, an IPv6 address such as fd1a:cb1d:4c31:f8e3:3:1:1:18, or another process that serves as the input and output for the user performing the logon, such as $SYSTEM.XYGATEAC.XYGATEAC.
4.
Chapter 5. Configuring Control Logons Based on Requestor Program
REQUESTOR is an optional criterion. Every logon request comes from a process executing the USER_AUTHENTICATE_ or VERIFYUSER procedure. The process executing one of these two system calls is called the REQUESTOR. XUA rules based on the requestor restrict logons according to exactly which program the user is logging on to.
5.1 Procedure
The following syntax and example show how to restrict logons based on the requestor program.
Chapter 6. Configuring Control Logons Based on Time
TIME is an optional criterion. XYGATEUA can be used to restrict logons based on the time of day.
6.1 Procedure
The following syntax and example show how to restrict logons based on the time of day.
Syntax: TIME { | [- }
The UAGROUP below only allows security administrators to log on on Wednesday and Friday between 6:00 and 7:30 a.m.
Chapter 7. Considering Additional Logon Authorization Controls
After the criteria are developed, there are additional keywords that can modify the decision to permit or deny the logon attempt. For example, certain users may be permitted to log on as other users, even when the destination userid is frozen. In another example, certain users may be allowed to log on as another user without knowing that user’s password.
Chapter 8. Deciding on Failed-Logon Consequences
After the criteria are developed and the behavior of permitted logons determined, the behavior of failed logons can be controlled. The first step in determining the behavior of failed logons is to determine how many bad logons constitute a bad logon event. Many users mistype their passwords now and again, so one or two failed logons before a good logon could be considered a minor error.
Chapter 9. Deciding on the Amount of Logon-Specific Auditing
After the criteria are developed and the behavior determined for both successful and failed logons, the auditing can be modified. In general, auditing is determined by the values defined by the keywords described in Appendix A: “The UACONF File.” These keywords will override specific XUA logon rules.
9.1 Keywords
The NOAUDIT keyword causes the logon event to be omitted from the audit tables.
Chapter 10. Configuring Control Logons via Alternative Authentication Databases

XUA supports authentication via Windows Active Directory or OpenLDAP, RSA SecurID® and RADIUS. XUA can be configured to divert user authentication on the NonStop server to an LDAP database, which brings the NonStop server into the single sign-on scheme and eliminates the need to maintain passwords on the NonStop. XUA may be configured to require RSA SecurID authentication with or without a Guardian password.

10.
Configuring the RADIUS Interface

XYGATEUA, with its newly introduced Remote Authentication Dial-In User Service (RADIUS) interface, enables authentication for logging on to TACL on the HP NonStop server. XUA and the RADIUS proxy communicate over a TCP/IP connection, with the proxy functioning as the server and XUA functioning as a client.
Chapter 11. Configuring the Impersonation Feature

Impersonation is a feature that removes the need for users to share sensitive logon IDs such as that of SUPER.SUPER. The Impersonation feature allows authentication using third-party credentials. For example, security.user can log on as security.manager by supplying security.user's username and password together with the IMPERSONATION_CHARACTERS defined in the UACONF file.
• IMPERSONATION (Allow or disallow impersonation)
If OPTIONAL, allow either the target user's password or impersonation. If ALWAYS, disallow "un-impersonated" logon. If OFF, disallow impersonation.
• IMPERSONATION_FROM_USER (List of users whose password can be supplied with impersonation)
This keyword specifies which userids can be used to impersonate the target user IDs.
11.2 Examples of Impersonation Logons

Setting up and using the impersonation feature is described in the previous section. This section provides examples of impersonation logons only.

• In Example 1 below, sec.admin is the impersonator and is logging on in TACL as the alias super1, which is defined in the UAGROUP example in the previous section. In the Password field, sec.
• In Example 5 below, the password of alias super1 has expired.

Example 5: Password expired TO_USER
TACL 1> logon super1
Password://OPER.TOM//mypass
*ERROR* Impersonation not allowed since user's password has expired.
Chapter 12. Configuring the LDAP Interface

XYGATEUA interfaces to Windows Active Directory and OpenLDAP to enable a single sign-on scheme for the HP NonStop platform. This chapter describes the steps required to configure the LDAP interface. Single sign-on in general provides an employee with a single userid that is valid on multiple platforms. This allows the userid to match defined corporate standards, such as an employee number.
12.2 LDAP-Related UACONF Keywords

This section lists the keywords in the UACONF file required to configure password verification via Windows Active Directory or OpenLDAP. The keywords are described in Appendix A: starting on page 220 and are created in the UACONF file only by the XUA_LDAP_INSTALL macro described in section 12.5 starting on page 70.
LDAP_PROXY_IP_PROC <$process name>
LDAP_PROXY_LOG
LDAP_PROXY_OPTIONS ""
LDAP_PROXY_TIMEOUT

12.3 Prepare the NonStop System for LDAP Authentication

This section describes how to prepare the NonStop system for authentication via the LDAP interface.

12.3.
12.3.2 Network Configuration Files that Need Checking

Make sure that the files exist in Guardian, that they are properly configured, and that a symbolic link (or a copy of each file) exists in the /etc directory in the OSS space.

$SYSTEM.ZTCPIP.RESOLVH
Check that the RESOLVH file exists.
> FILEINFO $SYSTEM.ZTCPIP.RESOLVH
RESOLVH 101 3592 28JUL2005 21:07 255,255 AAAA 14 28

$SYSTEM.ZTCPIP.
$SYSTEM.ZTCPIP.HOSTS
Check that the HOSTS file exists.
> fileinfo $SYSTEM.ZTCPIP.HOSTS
HOSTS 101 2380 28JUL2006 13:05 255,255 AAAA 14 4

Check the content of the HOSTS file.
>FUP COPY $SYSTEM.ZTCPIP.HOSTS
192.168.5.52 L1002J #G4SA portname
192.168.6.2 L1002K #G4SA portname
192.168.6.52 L1002L #G4SA portname
192.168.19.52 L1003S #G4SA portname
192.168.20.2 L1003T #G4SA portname
192.168.20.
Note: The -> in the display indicates that this is a symbolic link. If the symbolic link does not exist, create one using the following command:
ln -s /G/system/ztcpip/services services

$SYSTEM.ZTCPIP.NETWORKS
Check that the NETWORKS file exists.
$SYSTEM ZTCPIP 25> fileinfo $SYSTEM.ZTCPIP.NETWORKS

In OSS check that a symbolic link to $SYSTEM.ZTCPIP.
Individual certificate files should be in PEM format: BASE64 encoded, delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
Telserv process name determined in step 1.
1-> INFO PROCESS $ZTN0, DETAIL
TELSERV Detailed Info PROCESS \NODE.$ZTN0
PCPU................... 0        BCPU................... 1
PPIN................... 376      BPIN................... 373
TACL................... ON       Transport Process..... $ZTC0
*Menu.................. ON       Transport Type......... TCP/IP
*Timeout Value......... N/A      Port...........
The Transport Process shown ($ZTC0) is the TCP/IP process that is used.
The process name ($ztc0) is determined in step 2.
1-> info process $ztc0, detail
TCPIP Detailed Info PROCESS \NODE.$ZTC0
*TCP Send Space......... 61440D   *TCP Receive Space...... 61440D
*UDP Send Space......... 9216D    *UDP Receive Space...... 42080D
*Delay Ack Time......... 20       *Delay Ack..............
*Keep Alive Idle........
*Keep Alive Interval....
*Host ID ...............
*Host Name .............
ls -al
total 27
drwxrwxrwx 1 SUPER.SUPER SUPER 4096 Sep 16 15:27 .
drwxrwxrwx 1 SUPER.SUPER SUPER 4096 Sep 17 07:32 ..
-rwxrwxr-- 1 XYPRO.JAMES XYPRO  571 Sep 16 15:27 prngd.conf

d. Random numbers are needed when making an SSL connection. If the prngd.conf file is missing, the random number generator program PRNGD will run as though an empty prngd.conf file exists.
Reply from 10.1.1.96: bytes=32 time=10ms TTL=255
Reply from 10.1.1.96: bytes=32 time=10ms TTL=255
Reply from 10.1.1.96: bytes=32 time=10ms TTL=255
Reply from 10.1.1.96: bytes=32 time=10ms TTL=255

The DNS name was successfully resolved to the correct IP address.
Ping statistics for 10.1.1.
Item 12.
You will be asked a series of questions about configuring XYGATEUA to interface to one or more LDAP servers. You may abort the process at any prompt by hitting the BREAK key or pressing CTRL-Y in response to a prompt. Prompts that end with a value within angle brackets mean that hitting the return key with no other input will default to that value.
(Item 4): What is the LDAP server type (Windows or OpenLDAP)?
Obtain this information from your LDAP administrator. One of the following inputs determines which type of LDAP is being used:
• WINDOWS – for Windows Active Directory
• OpenLDAP – for OpenLDAP
The corresponding UACONF keyword is LDAP_TYPE.
(Item 8): If you would like to encrypt communications between XUA and the LDAP server, specify the unqualified name of the certificate file.
Enter unqualified certificate file name ?mycert
Enter the unqualified certificate filename if you will be using SSL encryption to communicate with the LDAP server.
users will enter as part of the prefix to the password response in order to indicate which LDAP authentication point is to be used. When more than one LDAP authentication point is to be configured, each set of configuration values will be identified by a user-specified name.
enter as part of a prefix added to the password response when authenticating via LDAP in order to indicate which LDAP authentication point to use.
LDAP_GROUP LD2
What is the DNS name or IP Address of the LDAP server? ldap2.example.
For example, if the string is "++" and the desired LDAP group is LD1, then users would enter ++LD1++ as a prefix to their password when authenticating. The corresponding UACONF keyword is LDAP_GROUP_CHARACTERS.

(Item 14): Indicate whether all users should be authenticated via LDAP. Valid values are ON (all users), OFF (no users), or OPTIONAL (all users except when the LDAP server cannot be reached).
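Both the IMPERSONATION_CHARACTERS prefix of Chapter 11 (Password://OPER.TOM//mypass) and the LDAP_GROUP_CHARACTERS prefix described here (++LD1++ before the password) are parsed out of the same password response. The following is an added example, not XUA's code, that decomposes such a response and then applies the IMPERSONATION / IMPERSONATION_FROM_USER decision as the manual describes it; the "//" and "++" defaults, the ordering of the two prefixes when both are present, and the treatment of an empty IMPERSONATION_FROM_USER list as "nobody" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PasswordResponse:
    """What a password response decomposes into after prefix handling."""
    impersonator: Optional[str]   # from-user named between IMPERSONATION_CHARACTERS
    ldap_group: Optional[str]     # LDAP_GROUP named between LDAP_GROUP_CHARACTERS
    secret: str                   # the password left after the prefixes are removed


def _strip_prefix(response: str, chars: str) -> Tuple[Optional[str], str]:
    """Split '<chars>NAME<chars>rest' into (NAME, rest); (None, response) if no prefix."""
    if not chars or not response.startswith(chars):
        return None, response
    rest = response[len(chars):]
    end = rest.find(chars)
    if end <= 0:
        # Opening delimiter without a name or a closing delimiter: treat the whole
        # response as the secret instead of guessing (assumption, not manual text).
        return None, response
    return rest[:end], rest[end + len(chars):]


def parse_password_response(response: str,
                            impersonation_chars: str = "//",
                            ldap_group_chars: str = "++") -> PasswordResponse:
    """Decompose a response such as //OPER.TOM//++LD1++mypass.

    Assumption: when both prefixes are present the impersonation prefix comes
    first; the manual only shows each prefix on its own.
    """
    impersonator, rest = _strip_prefix(response, impersonation_chars)
    ldap_group, secret = _strip_prefix(rest, ldap_group_chars)
    if impersonator is not None:
        impersonator = impersonator.upper()   # Guardian names are matched in uppercase
    return PasswordResponse(impersonator, ldap_group, secret)


@dataclass
class ImpersonationPolicy:
    """IMPERSONATION and IMPERSONATION_FROM_USER as the manual describes them."""
    mode: str = "OPTIONAL"                 # OPTIONAL | ALWAYS | OFF
    from_users: Tuple[str, ...] = ()       # userids allowed to impersonate (empty: none)


def decide_impersonation(policy: ImpersonationPolicy, parsed: PasswordResponse,
                         target_password_expired: bool = False) -> Tuple[bool, str]:
    """Return (may_proceed, reason) for the impersonation part of a logon.

    'may_proceed' only means the request goes on to password verification;
    the credential check itself is outside this example.
    """
    mode = policy.mode.upper()
    if parsed.impersonator is None:
        if mode == "ALWAYS":
            return False, "IMPERSONATION ALWAYS: un-impersonated logon not allowed"
        return True, "no impersonation prefix: target user's own password is verified"
    if mode == "OFF":
        return False, "IMPERSONATION OFF: impersonation not allowed"
    if parsed.impersonator not in policy.from_users:
        return False, f"{parsed.impersonator} is not listed in IMPERSONATION_FROM_USER"
    if target_password_expired:
        # Mirrors Example 5 in Chapter 11.
        return False, "Impersonation not allowed since user's password has expired."
    return True, f"verify {parsed.impersonator}'s password, then log on as the target user"
```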
NonStop server, even if the network is down. The users’ NonStop passwords must be maintained and remembered for such cases.
(Item 15): Do you want to configure the LDAP interface now
Checking syntax ...
XYGATEUA 1.80 (c) 1999-2012 XYPRO Technology Corporation
XYPRO Technology \N1 20991231
LDAPPASS CHECKSUM 459520 (\N1.$QA2.XUA.LDAPPASS)
XUA - LDAPPASS warning: LDAP GROUP LD3 not defined in UACONF file, value ignored
UACONF CHECKSUM 541467491 (\N1.$QA2.XUA.ZZTEMP)
UAACL CHECKSUM 740365426 (\N1.$QA2.XUA.
TESTLDAP
The TESTLDAP file is the script that invokes the LDAPSRV in interactive mode. Refer to section 12.11, “Troubleshooting the XUA and LDAP Servers’ Communication” starting on page 85 for more information.

LDAPPASS
The LDAPPASS file is an edit file created by the install program. If LDAP is configured to do LOOKUP, then this file should contain the password for the search user.
12.7 LDAP-Related UAGroup (UAACL) Keywords

This section describes the LDAP-related keywords that are used to divert authentication to Windows Active Directory or an OpenLDAP server.
Chapter 15, “Mapping NonStop IDs to Alternative Authentication Databases” starting on page 129 for complete information on mapping.

Important! When a Guardian user name is used for mapping, it should be specified in uppercase. For example, specify TECH.OPER1 instead of tech.oper1.

Example 1: Sample UAGROUP with mapping, if LDAP_BIND_NAME in UACONF
ACLGROUP ACLGROUP ACLGROUP ACLGROUP $TECH-IDS TECH.
MAP re:"^control-" delete
MAP re:"^*.$" APPEND "@MYCOMPANY.
User Expires          : * None *
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : Every 90 days
Password Expiry Grace : 21 days
Last Logon            : 2006-09-13 13:42:13.162144
Last Unsuccessful Lgn : 2007-01-16 10:46:22.574923
Fail count            : 13
Static fail count     : 121
Frozen/Thawed         : Thawed
Last Modification Time: 2007-01-16 10:46:22.
12.11 Troubleshooting the XUA and LDAP Servers’ Communication

If XUA controls logons and the logon or test outcome produces unexpected results, you can use the TESTLDAP script to test LDAP server availability outside of XUA. The TESTLDAP program can be invoked from the Guardian space by running the XUA_EXECUTE_LDAP_PROXY macro. Using the trace option will produce trace data.
ldap_send_server_request
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: xyservb.xypro-23.
Example 5: Sample session record in zzldlog file
$SYSTEM XYGATEUA 36> ..fup copy zzldlog,,share ,fold
-----------------------------------------------------
MAIN(): Begin LDAP Proxy on 12/19/08 @ 13:47:32
Ldap host name:xxx@xyxxx-32.
Chapter 13. Configuring the RSA SecurID Interface

XYGATEUA interfaces to RSA SecurID® to enable secure authentication for logging on to TACL on the HP NonStop server. This chapter describes the steps required to configure the RSA SecurID interface. XUA may be configured to require both the PASSCODE and the NonStop password, or just the PASSCODE. XUA can be configured to force RSA SecurID authentication for all userids on the system or to limit the requirement to groups of users. As of version 1.
13.2 RSA-Related UACONF Keywords

This section lists the keywords in the UACONF file required to configure password verification via RSA SecurID technology. The keywords are described in Appendix A: starting on page 242 and are created in the UACONF file only by the XUA_RSA_INSTALL macro described in section 13.6 starting on page 102.
13.3 Prepare the NonStop System for RSA SecurID Authentication

This section describes how to prepare the NonStop system for authentication via the RSA SecurID interface.

13.3.1 Checking for Network-Related Configuration

Authentication via RSA SecurID requires communication between the HP NonStop system and another system in the network that hosts the RSA SecurID authentication server.
13.3.2 RSA Authentication Server Files that Need Checking

This section describes the RSA Authentication server configuration changes and the files that must be checked to enable the NonStop server to communicate with it.

RSA authentication server configuration changes
The RSA server administrator must alter the RSA server configuration as follows:
1.
securid and sdstatus.12 files
If this is your first attempt to configure the NonStop server’s communication with the RSA authentication server, you will not have securid or sdstatus.12 files. However, if such an attempt was made previously, remove those files, which may be found in the /rsa directory.
/rsa: ls -al
...
-rw-rw-rw- 1 XYPRO.SCOTT
-rw-rw-rw- 1 XYPRO.SCOTT
...
Check that the content of the RESCONF file is identical to the one in the $SYSTEM.ZTCPIP subvolume.
/etc: cat resolv.conf
#
# Configuration for the resolver part. (used by gethostbyname ())
# This domain entry must exist.
domain mycompany.com
nameserver 10.1.1.92
nameserver 10.1.1.102

If the symbolic link does not exist, create one using the following command:
ln -s /G/system/ztcpip/resconf resolv.
$SYSTEM.ZTCPIP.SERVICES
Check that the SERVICES file exists.
$SYSTEM ZTCPIP 23> fileinfo $SYSTEM.ZTCPIP.SERVICES
SERVICES 101 4196 18DEC2007 9:02 255,255 AAAA 14 28

In OSS check that a symbolic link to $SYSTEM.ZTCPIP.SERVICES or a duplicate of this file exists in the /etc directory.
/etc: ls -al
...
lrwxrwxrwx 1 SUPER.SUPER /G/system/ztcpip/services
...
13.3.4 Telserv Process Configuration Checking

To make sure your Telserv process is using the TCPIP stack intended for communication between the NonStop host and the SecurID authentication server, perform the checks suggested in this section.

1. Determine the Telserv process used by your session. The Telserv process name in this example is $ZTN0.
$DATA WORK> who
Home terminal: $ZTN0.
4. Check if a DEFINE for a process other than the TCP/IP process from step 2 is loaded in your OSS session.
/etc: info_define all
DEFINE NAME = =PTCPIP^FILTER^KEY
CLASS = MAP
FILE = \NODE.$SYSTEM.CONFPTCP.FILTER

DEFINE NAME = =TCPIP^PROCESS^NAME
CLASS = MAP
FILE = \NODE.$ZTC0
The DEFINE must either match the value from step 2, or not exist.

5.
6. Check the configuration of the TCP/IP process for the subnet settings. The process name ($ztc0) is determined in step 2.
$DATA WORK 4> SCF
1-> info subnet $ztc0.#*
TCPIP Info SUBNET \N1.$ZTC0.#*
Name    Devicename      *IPADDRESS   TYPE
#SN1    \NODE.L10023C   10.1.1.74
#LOOP0                  127.0.0.
The IP address must match the Host ID in step 5.

13.3.5
4. PING the RSA authentication server host system by the DNS Name from the NonStop System.
$DATA WORK 14> ping
PING rsahost-server: 56 data bytes
64 bytes from 10.1.101.16: icmp_seq=0. time=22.
64 bytes from 10.1.101.16: icmp_seq=1. time=10.
64 bytes from 10.1.101.16: icmp_seq=2. time=10.
64 bytes from 10.1.101.16: icmp_seq=3. time=10.
13.4 Considerations for RSA SecurID Configuration

Table 5 below lists the prompts you will be required to answer when you run the XUA_RSA_INSTALL macro. You should determine these configuration values in advance to have them ready before you run the macro.
Question 4: Do you want to use RSA authentication for all NonStop users?
Decide if all users who logon to the NonStop server will be authenticated using RSA. This question is one of the prompts that appear during the XUA_RSA_INSTALL macro run in section 13.6 below and configures the RSA_AUTHENTICATE keyword.
13.5 Preparing RSA Server for Communication with NonStop Server

The administrator for the RSA Authentication Manager must alter the server configuration as follows in order to enable the NonStop server to communicate with it:
1. Add the NonStop server to the RSA Authentication Manager’s configuration as an agent host of the "net os agent" type.
2. Enable all the userids to use that agent host.
3.
What is the TCP/IP process name <$ZTCP2>?
Refer to your answer to Question 2 in Table 5. Specify the name of the current TCP/IP process through which XUA will communicate with the proxy. The name you specify here will be entered in the UACONF as the value for RSA_PROXY_IP_PROC.
13.7 RSA-Related UAGroup (UAACL) Keywords

This section describes the RSA-related keywords that are used to divert authentication to an RSA Authentication Manager (formerly the ACE/Server). The XYGATEUA UAACL file can contain the following RSA-related keywords:
MAP RE:""
RSA_AUTHENTICATE { ON | OFF | OPTIONAL }
RSA_REQUIRE_PASSWORD { ON | OFF }

13.
13.9 Testing the RSA Interface and User Mapping

Before you run XUA, you should test your configurations.

Important! XUA does not run in warning mode. The initial configuration must be tested before the software is enabled as the authentication SEEP in Safeguard. Once configuration is done, you may run XYGATEUA in ACCESS, EXPLAIN, or SERVER modes.
alias account was checked with Safeguard. In this case, the mapping was used, but RSA authentication failed due to an invalid PASSCODE.

Important! The following is a known issue with Safeguard. If the Safeguard authentication event is enabled and RSA_REQUIRE_PASSWORD is set to ON in the UACONF or UAACL file, then RSA authentication will not work correctly in What-if mode.

13.
13.11 Troubleshooting the XUA and RSA Authentication Manager

If XUA controls logons and the logon or test outcome produces unexpected results, you can use the testrsa script to test RSA Authentication Manager availability outside of XUA. The testrsa program can be invoked from the Guardian space by running the XUA_EXECUTE_RSA_PROXY macro.
p_rsa->resp = 1234
p_rsa->resp len = 4
07:50 just returned from AceContinueAuth()PASSCODE accepted.
07:50 authenticate(): case rsa_state_terminatePASSCODE accepted.
07:50 authenticate(): case rsa_state_closePASSCODE accepted.
Access allowed.
07:50 main(): program exiting at point 2
Trace output is in $SYSTEM.XYGATEUA.ZZRSATR

Example 2 above shows an interactive proxy session.
Chapter 14. Configuring the RADIUS Interface

XYGATEUA interfaces to the Remote Authentication Dial-In User Service (RADIUS) protocol for logging on to TACL on the HP NonStop server. This chapter describes the steps required to configure the RADIUS interface.

14.1 Configuration Steps

To configure the RADIUS interface, there are five basic steps:
1. Prepare the NonStop system for authentication via RADIUS (section 14.3).
2. Review the considerations for RADIUS configuration (section 14.4).
3.

14.2
The following RADIUS-related keywords can be changed by editing the UACONF file directly, but only after the Install macro run is completed.
RADIUS_AUTHENTICATE { ON | OFF | OPTIONAL }
RADIUS_HOST
RADIUS_PORT
RADIUS_PROXY_ENV ""
RADIUS_PROXY_IP_PROC <$process name>
RADIUS_PROXY_LOG
RADIUS_PROXY_TIMEOUT
RADIUS_REQUIRE_PASSWORD { ON | OFF }

14.
14.3.2 Network Configuration Files That Need Checking

Make sure that the files exist in Guardian, are properly configured, and that symbolic links (or copies of the files) exist in the /etc directory in the OSS space.

$SYSTEM.ZTCPIP.RESOLVH
Check that the RESOLVH file exists.
> FILEINFO $SYSTEM.ZTCPIP.RESOLVH
RESOLVH 101 3592 28JUL2005 21:07 255,255 AAAA 14 28

$SYSTEM.ZTCPIP.RESCONF
Check that the RESCONF file exists.
$SYSTEM.ZTCPIP.HOSTS
Check that the HOSTS file exists.
> fileinfo $SYSTEM.ZTCPIP.HOSTS
HOSTS 101 2380 28JUL2006 13:05 255,255 AAAA 14 4

Check the content of the file.
>FUP COPY $SYSTEM.ZTCPIP.HOSTS
192.168.5.52 L1002J #G4SA portname = L1002J
192.168.6.2 L1002K #G4SA portname = L1002K
192.168.6.52 L1002L #G4SA portname = L1002L
192.168.19.52 L1003S #G4SA portname = L1003S
192.168.20.2 L1003T #G4SA portname = L1003T
192.
If the symbolic link does not exist, create one using the following command:
ln -s /G/system/ztcpip/services services

$SYSTEM.ZTCPIP.NETWORKS
Check that the NETWORKS file exists.
$SYSTEM ZTCPIP 25> fileinfo $SYSTEM.ZTCPIP.NETWORKS

In OSS check that a symbolic link to $SYSTEM.ZTCPIP.NETWORKS or a duplicate of this file exists in the /etc directory.
/etc: ls -al
...
lrwxrwxrwx 1 SUPER.SUPER /G/system/ztcpip/networks
...
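Sections 12.3.2, 13.3.x and 14.3.2 all make the same check: each $SYSTEM.ZTCPIP network file must be reachable from OSS /etc either as a symbolic link to /G/system/ztcpip/<file> or as a faithful copy. The following added example (not part of the manual or the product) automates that check and classifies each entry; the resconf-to-resolv.conf name mapping is taken from the ln -s command in 13.3.x, and build_demo_tree() constructs a throwaway stand-in for /G/system/ztcpip and /etc so the check can be exercised off a NonStop system.

```python
import filecmp
import os
import tempfile
from typing import Dict

# OSS view of the Guardian $SYSTEM.ZTCPIP subvolume (target of the manual's ln -s commands).
ZTCPIP_OSS_DIR = "/G/system/ztcpip"

# Guardian file name -> name expected in /etc, from the manual's checklist.
EXPECTED_ETC_FILES = {
    "resconf": "resolv.conf",
    "hosts": "hosts",
    "services": "services",
    "networks": "networks",
}


def check_etc_entry(etc_dir: str, ztcpip_dir: str, guardian_name: str, etc_name: str) -> str:
    """Classify one /etc entry against its Guardian source file.

    Returns 'guardian-missing', 'missing', 'link', 'link-wrong-target',
    'copy' or 'copy-differs'.  Only 'link' and 'copy' satisfy the manual's check.
    """
    src = os.path.normpath(os.path.join(ztcpip_dir, guardian_name))
    dst = os.path.join(etc_dir, etc_name)
    if not os.path.isfile(src):
        return "guardian-missing"
    if not os.path.lexists(dst):
        return "missing"
    if os.path.islink(dst):
        target = os.readlink(dst)
        if not os.path.isabs(target):            # relative link: resolve against /etc
            target = os.path.join(etc_dir, target)
        return "link" if os.path.normpath(target) == src else "link-wrong-target"
    # A plain file is acceptable only if it is byte-for-byte the Guardian file.
    return "copy" if filecmp.cmp(src, dst, shallow=False) else "copy-differs"


def check_all(etc_dir: str = "/etc", ztcpip_dir: str = ZTCPIP_OSS_DIR) -> Dict[str, str]:
    """Run the check for every file in the manual's list; keyed by /etc name."""
    return {etc_name: check_etc_entry(etc_dir, ztcpip_dir, g, etc_name)
            for g, etc_name in EXPECTED_ETC_FILES.items()}


def build_demo_tree() -> Dict[str, str]:
    """Constructed fixture: one correct link, one faithful copy, one drifted copy,
    one missing entry.  Returns check_all() over the fixture."""
    root = tempfile.mkdtemp(prefix="xua-etc-demo-")
    ztcpip = os.path.join(root, "ztcpip")
    etc = os.path.join(root, "etc")
    os.makedirs(ztcpip)
    os.makedirs(etc)
    contents = {                                     # all values are constructed
        "resconf": "domain mycompany.example\nnameserver 10.1.1.92\n",
        "hosts": "192.168.5.52 L1002J\n",
        "services": "telnet 23/tcp\n",
        "networks": "loopback 127\n",
    }
    for name, text in contents.items():
        with open(os.path.join(ztcpip, name), "w") as fh:
            fh.write(text)
    os.symlink(os.path.join(ztcpip, "services"), os.path.join(etc, "services"))
    with open(os.path.join(etc, "hosts"), "w") as fh:
        fh.write(contents["hosts"])                  # faithful copy
    with open(os.path.join(etc, "resolv.conf"), "w") as fh:
        fh.write("domain old.example\n")             # copy that has drifted
    # networks is deliberately left absent
    return check_all(etc, ztcpip)


if __name__ == "__main__":
    for name, status in build_demo_tree().items():
        print(f"/etc/{name}: {status}")
```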
Saved volume: $DATA.WORK
Userid: 255,255
Username: SUPER.SUPER
Logon name: SUPE.SUPER
Security: "OOOO"

2. Determine what TCP/IP process is configured for use by the Telserv process.
$DATA WORK 13> SCF
SCF - T9082H01 - (04DEC06) (15NOV06) - 04/09/2008 15:20:29 System \NODE
(C) 1986 Tandem (C) 2006 Hewlett Packard Development Company, L.P.
(Invoking \NODE. $DATA.WORK.
DEFINE NAME = =_SRL_01
CLASS = MAP
FILE = \node.$SYSTEM.SYS12.ZTCP6SRL

5. Check the configuration of the TCP/IP process for the Host ID and Host Name values. The process name ($ztc0) is determined in step 2.
$DATA WORK 4> SCF
SCF - T9082H01 - (04DEC06) (15NOV06) - 04/10/2008 15:25:07 System \NODE
(C) 1986 Tandem (C) 2006 Hewlett Packard Development Company, L.P.
(Invoking \NODE.$DATA.WORK.SCFCSTM)
14.3.4 Testing Network-Related System Configuration

This section describes a simple test that can determine if the NonStop system is properly set up for network communication.

1. Open an FTP connection to the NonStop host by its DNS name (from Guardian).
$DATA WORK 13> FTP
FTP Client - T9552H02 - (15OCT2007) - COPYRIGHT TANDEM COMPUTERS INCORPORATED 2007
ftp> open node.mycompany.
An “Established” connection
14.4 Considerations for RADIUS Configuration

Table 6 below lists the prompts you will be required to answer when you run the XUA_RADIUS_INSTALL macro. You should determine these configuration values in advance to have them ready before you run the macro.
Question 5: Do you want to use RADIUS authentication for all NonStop users?
Decide if all users who logon to the NonStop server will be authenticated using RADIUS. This question is one of the prompts that appear during the XUA_RADIUS_INSTALL macro run in the next section and configures the RADIUS_AUTHENTICATE keyword.
The following entries are valid for the RADIUS_REQUIRE_PASSWORD keyword: { OFF | ON | }
OFF – The users are only presented with the RADIUS PASSWORD prompt when logging on.
ON – Users will be prompted for the NonStop password and then, if the password is correct, the RADIUS prompt(s) will be presented. Both must be valid for a successful logon.
What is the TCPIP process name <$ZTCP2>?
Refer to your answer to Question 3 in Table 6. Specify the name of the current TCP/IP process through which XUA will communicate with the proxy and then to the RADIUS server. The name you specify here will be entered in the UACONF file as the value for RADIUS_PROXY_IP_PROC.
Do you want to configure the RADIUS interface now ?
The last prompt allows you to review the summary of your decisions. If you answered Y, the UACONF file will be modified. If you answered N, the macro quits without making the modifications, so you will need to run it again later.

14.
14.8 Testing the RADIUS Interface and User Mapping

Before you run XUA, you should test your configurations.

Important! XUA does not run in warning mode. The initial configuration must be tested before the software is enabled as the authentication SEEP in Safeguard. Once configuration is done, you may run XYGATEUA in ACCESS, EXPLAIN, or SERVER modes.
Frozen/Thawed         : Thawed
Last Modification Time: 2011-03-16 17:07:34.485872
UAGROUP RADIUS_AUTHENTICATE Replying with access YES
UAGROUP RADIUS_AUTHENTICATE Outcome is LOGON
SEEP return 00000,00000,00000
Access result - YES using GROUP RADIUS_AUTHENTICATE

In the example above, user XYPRO.QA was mapped to alias qa based on the mapping configuration of the RADIUS_AUTHENTICATE UAGROUP.
--------------------------------------------------------------
Flags Optional
--------------------------------------------------------------
-e    Password echo (display password when entering it).
-mon  Monitor mode.

TESTRAD FORMAT: - Runs RADIUS proxy server in INTERACTIVE mode.
TESTRAD { HELP | [TRACE] [] }
TRACE   Include -mon flags.
        Optional flags.
11:40 License file is: /G/SYSTEM/XYGATEUA/p25f001
11:40 days=32420, 'XYPRO Technology \XYS7000 20991231'
11:40 getting shared secret...
11:40 entering interactive loop
Enter User :tina
Password :
Challenged: RADIUS Challenge:
Response :
Accepted
Enter User :EOF!

Example 2 above shows an interactive session.
Chapter 15. Mapping NonStop IDs to Alternative Authentication Databases

XUA provides the capability to map the NonStop user database to an alternative authentication database such as LDAP, RSA SecurID or RADIUS. One or more mapping rules can be specified in the UAACL file at the UAGroup level. These mapping rules only apply to the UAGroup for which they are configured.
Users not included in the TO_USER list of the UAGROUP RSA-AUTHENTICATE will be evaluated based on the EVERYONE-ELSE UAGROUP and authenticated via Safeguard.

15.1 Using Regular Expressions to Match the Userids

XUA uses the standard XYGATE regular expression library. Refer to the XYGATE Regular Expressions manual for more information about syntax and usage.
15.2.1 APPEND Operator

The APPEND operator causes the supplied string to be appended to the part of the name matched by the regular expression pattern.
Syntax: MAP RE:"" APPEND <"string">
Example 1 below adds the string "-SecureID" immediately after any userid provided at logon, resulting in OPER1-SecureID, which is OPER1’s ID in the RSA database.
In Example 4 below, the first line DELETEs the Group.Name, and then APPENDs the string "-SecureID", which would map HELPDESK.OPER1 to the RSA user account OPER1-SecureID.
Example 4: Combining the DELETE and the APPEND operators
MAP RE:"^.*\." DELETE
MAP RE:"^.*$" APPEND "-SecureID"
15.2.
15.2.5 EXIT Operator
If different mapping schemas are desired for userids belonging to the same UAGroup, the EXIT operator can be used.
Syntax: MAP RE:"" { INSERT | APPEND | DELETE | REPLACE } ["string"] EXIT
In Example 7 below, users OPER1.RSA123 and OPER2-RSASEC are being authenticated through the same OPERATORS UAGROUP. The RSA userid for OPER.
15.2.7 REPLACE Operator
Syntax: MAP RE:"" REPLACE <"string">
The REPLACE operator deletes the part of the string that matches the regular expression and inserts the specified quoted string in its place. The rule in Example 9 below will cause user HELPDESK.
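The following Python program is an added illustration and is not part of XUA or of this manual. It models the MAP operators described in this chapter (APPEND, INSERT, DELETE, REPLACE and the EXIT modifier) so that a rule set can be checked against sample userids before it is placed in the UAACL file. Assumptions made here: rules are applied top to bottom, a rule whose pattern does not match is skipped, EXIT stops processing after the rule that carries it, and INSERT places the string immediately before the matched part (this page does not show the INSERT definition). Python's re module stands in for the XYGATE regular expression library, so pattern syntax may differ at the edges. The Example 4 rules are taken from the page; the EXIT rule set is constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MapRule:
    """One MAP line: MAP RE:"pattern" OPERATOR ["string"] [EXIT]."""
    pattern: str                 # the RE:"..." regular expression
    operator: str                # INSERT | APPEND | DELETE | REPLACE
    text: str = ""               # the quoted string (DELETE takes none)
    exit_after: bool = False     # EXIT present (assumed: stop after this rule matches)


def apply_rule(userid: str, rule: MapRule) -> Optional[str]:
    """Apply a single rule; return the rewritten id, or None if the pattern does not match."""
    m = re.search(rule.pattern, userid)   # Python re stands in for the XYGATE regex library
    if m is None:
        return None
    before, matched, after = userid[:m.start()], m.group(0), userid[m.end():]
    op = rule.operator.upper()
    if op == "APPEND":            # string goes immediately after the matched part
        return before + matched + rule.text + after
    if op == "INSERT":            # assumed: string goes immediately before the matched part
        return before + rule.text + matched + after
    if op == "DELETE":            # matched part is removed
        return before + after
    if op == "REPLACE":           # matched part is replaced by the string
        return before + rule.text + after
    raise ValueError(f"unknown MAP operator: {rule.operator}")


def map_userid(userid: str, rules: List[MapRule]) -> str:
    """Run the rules in order (assumed top-to-bottom, non-matching rules skipped)."""
    current = userid
    for rule in rules:
        result = apply_rule(current, rule)
        if result is None:
            continue
        current = result
        if rule.exit_after:
            break
    return current


# Example 4 from the page: DELETE the group name, then APPEND "-SecureID".
EXAMPLE_4_RULES = [
    MapRule(r"^.*\.", "DELETE"),
    MapRule(r"^.*$", "APPEND", "-SecureID"),
]

# Constructed rule set (not from the page) showing EXIT: ids that carry ".RSA"
# are rewritten and processing stops; every other id falls through to APPEND.
EXIT_RULES = [
    MapRule(r"\.RSA", "REPLACE", "-RSASEC", exit_after=True),
    MapRule(r"^.*$", "APPEND", "-SecureID"),
]


def main() -> None:
    for uid in ("HELPDESK.OPER1", "OPS.OPER2"):
        print(f"{uid:16} -> {map_userid(uid, EXAMPLE_4_RULES)}")
    for uid in ("OPER1.RSA123", "OPER2-RSASEC"):
        print(f"{uid:16} -> {map_userid(uid, EXIT_RULES)}")


if __name__ == "__main__":
    main()
```

Running the script prints the mapped RSA-side ids for each sample userid; a rule set that leaves an id unchanged, or that maps two NonStop ids to the same alternative-database id, shows up immediately in that listing.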
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : Every 90 days
Password Expiry Grace : 21 days
Last Logon            : 2006-09-13 13:42:13.162144
Last Unsuccessful Lgn : 2007-01-16 10:46:22.574923
Fail count            : 13
Static fail count     : 121
Frozen/Thawed         : Thawed
Last Modification Time: 2007-01-16 10:46:22.
Chapter 16. What-if Testing
The What-if mode can be used to test UAGroup rules before putting the rules into production. The testing can be done based on any logon control configuration settings. The What-if mode can also be used to test that userids and aliases are correctly mapped to the corresponding IDs in the LDAP, RSA or RADIUS databases, and to research logon questions, such as why a particular logon failed.
Syntax: RUN $SYSTEM.XYGATEUA.
Operation   LOGON/CHECK
Permission
ancestor    The requestor's ancestor; that is, a fully qualified object file name, such as $SYSTEM.SYSnn.TACL or $SYSTEMZTPIP.FTPSERV. You can also append a process name, as in the following example: $SYSTEM.SYSnn.TACL:$XYZ
port        PORTs specified as or :. Entries can be wildcarded, as in the following example: $ZTN0.#*:$SYSTEM.*.
16.2 Testing Logon Outcome Based on Subject Userid
The user requesting the logon. This defaults to the current user if omitted or if * is used. Wildcards are not allowed.
Syntax: [{ | *} [ [{ | *} [{ | *} [{ | *} [ []]]]]]]
Where: can be: ###,### group.
16.4 Testing Logon Outcome Based on Ancestor Program
Syntax: [{ | *} [ [{ | *} [{ | *} [{ | *} [ []]]]]]]
Where: can be:
16.6 Testing the Impersonation Logon
Syntax: [{ | *} [ [{ | *} [{ | *} [{ | *} [ []]]]]]]
Where: can be:
The What-if mode can be used to test UAGroup rules with impersonation before putting the rules into production.
16.7 How to Predict a Result and UAGROUP
Syntax: [{ | *} [ [{ | *} [{ | *} [{ | *} [ []]]]]]]
Where: can be: Y or YES, N or NO
can be the exact name of the UAGROUP that is expected to be used to make the ruling.
16.8 Testing Logon Outcome Based on Time
The TIME command allows the user to set a future date and time in the What-if mode and check the logon access for that period.
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : * None *
Password Expiry Grace : 15 days
Last Logon            : 2010-03-23 11:43:40.731171
Last Unsuccessful Lgn : 2010-03-22 16:08:44.554585
Fail count            : * None *
Static fail count     : 148
Frozen/Thawed         : Thawed
Last Modification Time: 2010-03-23 11:43:40.722247
From User             : 000,000 NULL.NULL
Requestor             : $NONE $NONE.NONE.NONE
Ancestor              : $NONE $NONE.NONE.
Impersonation chars not in password field
Bypassing impersonation since current acl does not require it
Process state 02 state_needfirstpassword: Begin Proc
Begin check_frozen_expired_flags
Calling user_authenticate_priv with: GRP80.TST001,change80
Password verification returned 00000,00000
timegroup_check using TIMEGROUP values.
Found target ID 080,001 (GRP80.
SEEP return 00000,00070,00004
SEEP dialog ID 2 (dialog will continue)
ECHO would be turned off
Response? change79
User                  : GRP79.TST001 (079,001) on 2010-05-08 00:49:24.806581
User Expires          : * None *
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : * None *
Password Expiry Grace : 15 days
Last Logon            : 2010-04-28 09:31:29.649208
Last Unsuccessful Lgn : 2010-04-20 14:08:50.
16.9 Testing the LDAP Interface
This section provides an example of how to test the LDAP logon.
Example: Testing the LDAP Logon
1> RUN XYGATEUA EXPLAIN
Access check:logon "qa-LDAP8jxj" * 0,0
Alias                 : qa-LDAP8jxj
User                  : QA.NEXT8JXJ (222,212) on 2007-01-16 10:48:13.
User Expires          : * None *
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : Every 90 days
Password Expiry Grace : 21 days
Last Logon            : 2006-09-13 13:42:13.162144
Last Unsuccessful Lgn : 2007-01-16 10:46:22.574923
Fail count            : 13
Static fail count     : 121
Frozen/Thawed         : Thawed
Last Modification Time: 2007-01-16 10:46:22.574923
From User             : 000,000 NULL.NULL
Requestor             : $NONE $NONE.NONE.
16.10 Testing the RSA Interface
This section provides an example of how to test the RSA logon.
Example: Testing the RSA Logon
1> RUN XYGATEUA EXPLAIN
Access check:logon "qa-rsa8jxj" * 0,0
Alias                 : qa-rsa8jxj
User                  : QA.NEXT8JXJ (222,212) on 2007-01-16 10:48:13.
User Expires          : * None *
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : Every 90 days
Password Expiry Grace : 21 days
Last Logon            : 2006-09-13 13:42:13.162144
Last Unsuccessful Lgn : 2007-01-16 10:46:22.574923
Fail count            : 13
Static fail count     : 121
Frozen/Thawed         : Thawed
Last Modification Time: 2007-01-16 10:46:22.574923
From User             : 000,000 NULL.NULL
Requestor             : $NONE $NONE.NONE.
16.11 Testing the RADIUS Interface
This section provides an example of how to test the RADIUS logon.
Example: Testing the RADIUS Logon
1> RUN XYGATEUA EXPLAIN
Access check:logon xypro.qa
User                  : XYPRO.QA (222,031) on 2011-03-28 16:57:58.656636
User Expires          : * None *
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : * None *
Password Expiry Grace : 15 days
Last Logon            : 2011-03-16 17:07:34.
Response? qa123
User                  : XYPRO.QA (222,031) on 2011-03-28 16:58:03.992948
User Expires          : * None *
Password Expires      : * None *
Password May Change   : * None *
Password Must Change  : * None *
Password Expiry Grace : 15 days
Last Logon            : 2011-03-16 17:07:34.522623
Last Unsuccessful Lgn : 2011-03-16 17:07:25.992429
Fail count            : * None *
Static fail count     : 124
Frozen/Thawed         : Thawed
Last Modification Time: 2011-03-16 17:07:34.
16.12 Testing the XUA Server
The command SERVER can be used to send requests to a named server in the EXPLAIN mode. This can be used to test a server without having to put it in production. The first step is to start the server.
Example 1: How to start a XUA server for testing
$SYSTEM.XYGATEUA 1> RUN XYGATEUA/name $XUA,NOWAIT/SERVER KEEPOPEN $SYSTEM.
16.13 Interactive Keywords
When run in access mode, XUA issues one of two results: YES or NO. If EXPLAIN_MODE is ON, a list of the UAGroups that were considered is displayed as well. There are 21 interactive keywords in ACCESS MODE:
AUDIT
COMMENT (or ==)
ENV
EXIT
EXPLAIN {ON | OFF}
FC
!
HELP
H or HISTORY
IGNOREPASSWORD {ON | OFF}
INFO
16.13.
16.13.2 COMMENT
This command, when used at the beginning of a line, allows you to enter text that is not processed in What-if mode.
Syntax: COMMENT  or  ==
Example 3: How to enter a comment during What-if testing
$SYSTEM XYGATEUA 18> RUN XYGATEUA ACCESS
XYGATEUA 1.70 (c) 1999-2010 XYPRO Technology Corporation XYPRO \XYS7000 20031231
UACONF CHECKSUM 252062552 ($SYSTEM.XYGATEUA.
16.13.5 EXPLAIN
This command puts XUA Access into EXPLAIN mode, which generates information about its rulings on logon requests, including a list of the UAGroups that were considered.
Syntax: EXPLAIN { ON | OFF }
Example 6: How to turn on Explain mode
Access check:explain on
Explain mode on
Access check:LOGON UATST.TEST003 * 0,0 * * 123.456.78.90 NO DEFAULT
User                  : UATST.TEST003 (080,003) on 2004-03-03 10:37:42.
Last Unsuccessful Lgn : 2004-03-03 09:58:36.510184
Fail count            : * None *
Static fail count     : 38
Frozen/Thawed         : Thawed
Last Modification Time: 2004-03-03 10:37:31.670974
From User             : 000,000 0,0
Requestor             : $NONE $NONE.NONE.NONE
Ancestor              : $NONE $NONE.NONE.NONE
To User               : 080,003 UATST.TEST003
Port                  : 123.456.78.90 \SIMI.$SYSTEM.SYS04.
16.13.6 FC
The FC command allows you to recall, correct or change, and re-execute a previous command.
INFO      Displays information about user
          If is alias specify as alias:""
[ LOGON | CHECK ] { | * } { | *} { | *} { | * | #MYTERM } [ []]
REPEAT    Repeats a command
TIME      Time entered will be simulated.
          Example: TIME 01012010,09:00 (January 1, 2010)
TIME      Returns to actual time.
USERAUTH  Toggles the program between using a call to user_authenticate_ and the internal program logic for EXPLAIN testing.
Access check:
16.13.9 H or HISTORY
This command is used to display your previous commands.
UAACL CHECKSUM 1796613931 ($SYSTEM.XYGATEUA.UAACL)
Access check: MONITOR $S.#XUA.MON
Monitor mode on
16.13.12 PASSWORDPROMPT
This command controls whether the program prompts for passwords. If set to OFF, the program does not prompt for passwords. If set to ON, the default, you must enter the TO_USER's password to complete the logon test.
16.13.15 QUEUEPROCESS
The QUEUEPROCESS command reads the queue and processes any entries whose time has passed. This command can be used to process the entries in the queue when the XUA process is not installed or is disabled in SEEP.
Syntax: QUEUEPROCESS
Example 12:
Access check:queueprocess
Time                        User          Action
2010-02-02 14:21:10.454084  GRP80.TST001  THAW
00001 record processed
16.13.
16.13.17 SERVER
The SERVER command followed by the process name initiates server mode. When server mode is on, the What-if program sends the logon access requests to the specified server.
Syntax: SERVER
Example:
Access check:SERVER $TUA
Server mode on
Access check (Server $TUA):
16.13.18 TIME
This command is used for time group testing.
Welcome to the XYPRO Technology Corporation Computing Facility \T.
Chapter 17. Completing the XUA Implementation
After the software is installed, configured, and the configuration is tested, you can configure Safeguard to call the XUA server when processing logon requests. If the SECURITY-ADMINISTRATOR group is defined in your environment, you must be a member of it; otherwise, your userid must be a member of the super group for the following steps:
• Installing the Safeguard Authentication SEEP (Step 2)
• Enabling the Safeguard Authentication SEEP (Step 3)
Step 2 - Install the Safeguard Authentication SEEP
In order to have XUA mediate all user authentications on your system, you must configure and enable the Safeguard Authentication SEEP. To install the SEEP, use the XUA_SAFECOM_INSTALL macro.
Chapter 18. Managing the XUA Seep
This section describes how to maintain the Safeguard Authentication SEEP.
18.1 Examining the XUA Seep
To see whether or not the XUA SEEP is installed and/or enabled, start SAFECOM and enter the following command:
$SYSTEM XYGATEUA 1> SAFECOM INFO EVENT-EXIT-PROCESS XUA
EVENT-EXIT-PROCESS XUA
  ENABLED = ON
  RESPONSE-TIMEOUT = 60 SECONDS
  ENABLE-AUTHENTICATION-EVENT = ON
  ENABLE-AUTHORIZATION-EVENT = OFF
  ENABLE-PASSWORD-EVENT = OFF
  PROG = $SYSTEM.XYGATEUA.
RESPONSE-TIMEOUT
The RESPONSE-TIMEOUT parameter determines the time in seconds that Safeguard will wait for the SEEP to respond to an event. Safeguard's response to a TIMEOUT depends on the type of SEEP, as follows:
• If a Password-Quality or Authorization SEEP times out and the user attempting the access is a local member of the SUPER group, Safeguard makes the ruling based on its own rules, and the event proceeds.
ENABLE-PASSWORD-EVENT
The ENABLE-PASSWORD-EVENT parameter determines whether or not password events will be sent to the SEEP. The XYPRO Password SEEP is called XPQ. The PASSWORD SEEP behaves differently, depending on whether or not the AUTHENTICATION SEEP is also enabled, as follows:
• If both the PASSWORD and AUTHENTICATION SEEPs are enabled, password changes that occur at logon are not sent to the Password SEEP.
SWAP
The SWAP parameter determines the location of the SEEP's swap space. The value must be a valid volume name. If no volume name is entered, the same volume that contains the PROG object file will be used. On S-Series systems, the swap space is actually controlled by the NSKCOM program.
PRI
The PRI parameter determines the priority at which the SEEP runs.
The XUA_SAFECOM_BOUNCE macro can be used to stop and restart the server.
Chapter 19. XUA Auditing and Audit Reports Up to nine audit locations can be defined for XUA. The audit information can be written to diskfiles, processes and IP addresses. Refer to the AUDIT keywords described in Appendices A3:, A4: and A5: respectively. The XUA software also includes two macros (XUA_AUDIT_REPORT and XUA_REPORT) that will generate reports from audit information that is written to an ENSCRIBE file. 19.
19.1.2 Audit File Rollover
If any of the disk files specified using the AUDIT keyword in the UACONF file becomes unavailable, which can occur if the audit file fills up or is renamed, the XUA server will close the current file and then attempt to recreate and re-open the original filename. If the audit file named in the UACONF entry is still unavailable, XUA will wait and retry the open operation.
Example:
$SYSTEM XYGATEUA 5> FI $VIK.XYGAUDIT.ACL*
fi XYGAUDIT.ACL*
$VIK.XYGAUDIT
          CODE   EOF     LAST MODIFIED     OWNER   RWEP  PExt  Sext
ACL00015  3333   266240  30JUL2013 16:48   232,52  NNNC  300   300
ACL00016  3333   266240  25AUG2013 16:23   232,52  NNNC  300   300
$SYSTEM XYGATEUA 6> VOLUME $VIK.XYGATEUA
$VIK XYGATEUA 7> RUN XUA INSTALL
$VIK XYGATEUA 8> #OUTPUT [XUA_NEXTGEN XYGAUDIT.ACL]
XYGAUDIT.
19.2 Checksums
XUA performs CHECKSUMs on the UACONF and UAACL files for added security. The CHECKSUMs are written to the audit files each time the XUA SEEP is started, whenever these configuration files are reloaded, and whenever syntax checks are done on these files. The CHECKSUMs are unique for any given configuration of the files CHECKSUM'd, which permits the detection of changes to the files.
19.
02 SUBJECT-LOGIN-NAME PIC X(32).
   The login name, which may be the userid or alias, depending on which was actually making the logon request.
02 target-group-number PIC 9(3).
   The target group number of the user which attempted to logon from the subject user.
02 target-user-number PIC 9(3).
   The target user number of the user which attempted to logon from the subject user.
02 target-login-name PIC X(32).
02 OUTCOME PIC X(24).
   The outcome generated by XUA, based on the UAGROUP in the UAACL File. This can be one of:
   01 = YES
   02 = NO
02 COMMENT PIC X(128).
   Any error text or additional information generated by XUA.
Date produced: 04-MAR-2004                                    Page: 1
Criteria:2004-01-01 00:00 to 2004-03-04 23:59   File:TAAUTH
04-MAR-2004: The date on which the report was created
Page: 1: Page number
2004-01-01 00:00 to 2004-03-04 23:59: Criteria selected when the report was created
File:TAAUTH: Audit file name.
19.4.
19.5 Interactive XUA_REPORTs
Ad-hoc reports can be obtained from the audit files by using the XUA-supplied report macro. To generate XUA audit reports, use the macro XUA_REPORT. The macro will display a screen with all the criteria that you may choose to modify in order to limit the audit records to be included in a report.
Syntax: XUA_REPORT [-D]
The optional -D switch causes the entire ENFORM run to be displayed.
When you are satisfied with all your selection criteria, press Z to create the report and exit from the macro. If you press ZP, the macro will generate the report and put you into the PERUSE program specified by the PERUSE_OBJECT keyword (page 236) in the UACONF file.
19.5.2 Report date range
Enter the start date in YYYY-MM-DD format. Enter the start time in HH:MM (24-hour) format. If the leading portion of a date is omitted, it will default to today's date. For example, if today is 1999-01-13 and a date of 12 is entered, a date of 1999-01-12 will be used. To choose a date range, select B.
If you put an asterisk ( * ) in front of a string representing a login name, XUA will include in the report any login names containing the string you have entered.
19.5.5 Terminal
You may limit your report to processing done from a selected terminal or group of terminals. You may enter a valid terminal name or an asterisk ( * ) to include all terminals. If you enter a portion of a terminal name, all terminals containing the entry will be included in the report. For example, if you enter "ZTNP", any TCP/IP terminals identified by those letters will be included in the report.
If you put an asterisk ( * ) at the end of a string representing a UA Group, XUA will include in the report any UA Groups that begin with the string you have entered.
UA GROUP: PASSWORD*   finds all UA GROUPs starting with PASSWORD.
UA GROUP: FROZEN_OK*  finds all UA GROUPs starting with the text FROZEN_OK.
To select the type of audit, select J.
Example:
Selection? J
Do you want to include Test results (T), Production results (P) or Both (B) types of results:
Type of results (T,P,B) ? B
19.5.10 Comment
You may limit the report to only those audit entries with COMMENTs that contain the string you enter here. To select the COMMENTs you want included in the report, select K.
19.5.13 Sort Order
You may choose the report format that best suits your needs. XUA comes with the following sort options:
Sort Order  Description
SUBJECT     Audit entries are grouped by the From User.
TARGET      Audit entries are grouped by the Target User.
TIME        Audit entries appear in strict chronological order.
SESSION     Audit entries are grouped by process descriptor.
If you put an asterisk ( * ) in front of a string representing a Target Login name, XUA will include in the report any login names containing the string you have entered.
If you put an asterisk ( * ) in front of an IP address, XUA will include in the report all IP addresses containing the entry.
IP Address: *207  finds all IP addresses containing 207 (for example, 207.456.78.01 and 123.207.78.01).
IP Address: *52   finds all IP addresses containing 52 (for example, 12.456.78.52 and 123.456.52.78).
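The following Python program is an added example and is not part of XUA or of this manual. It reads fixed-width audit records laid out from the field definitions quoted earlier in this chapter (SUBJECT-LOGIN-NAME through COMMENT) and then applies the selection rules of the XUA_REPORT criteria above: a leading asterisk on a login name selects names containing the string, a trailing asterisk on a UA Group selects groups beginning with the string. The real XUA record carries more fields than this page lists, so the layout here is a constructed partial one. Further assumptions: a criterion without an asterisk must match exactly, comparisons are made as typed, and OUTCOME is stored as the text YES or NO. The sample records are constructed, with values modelled on the What-if output shown in Chapter 16.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed partial layout from the PIC clauses quoted on the page; the real
# XUA audit record carries more fields than the ones listed here.
LAYOUT = [
    ("subject_login_name", 32),   # 02 SUBJECT-LOGIN-NAME  PIC X(32)
    ("target_group_number", 3),   # 02 target-group-number PIC 9(3)
    ("target_user_number", 3),    # 02 target-user-number  PIC 9(3)
    ("target_login_name", 32),    # 02 target-login-name   PIC X(32)
    ("outcome", 24),              # 02 OUTCOME             PIC X(24)
    ("comment", 128),             # 02 COMMENT             PIC X(128)
]
RECORD_LEN = sum(width for _, width in LAYOUT)   # 222 characters


@dataclass
class AuditRecord:
    subject_login_name: str
    target_group_number: int
    target_user_number: int
    target_login_name: str
    outcome: str
    comment: str


def parse_record(raw: str) -> AuditRecord:
    """Slice one fixed-width record; PIC 9 fields become ints, PIC X fields lose trailing blanks."""
    if len(raw) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} characters, got {len(raw)}")
    fields, pos = {}, 0
    for name, width in LAYOUT:
        chunk = raw[pos:pos + width]
        pos += width
        fields[name] = int(chunk) if name.endswith("_number") else chunk.rstrip()
    return AuditRecord(**fields)


def build_record(subject: str, group: int, user: int, target: str,
                 outcome: str, comment: str) -> str:
    """Constructed writer, used only to make sample records for the demo."""
    return (subject.ljust(32) + f"{group:03d}" + f"{user:03d}" +
            target.ljust(32) + outcome.ljust(24) + comment.ljust(128))


def login_matches(criterion: str, value: str) -> bool:
    """Login-name criterion: '*' alone selects all, a leading '*' selects names
    containing the rest of the string, anything else must match exactly (assumed)."""
    if criterion == "*":
        return True
    if criterion.startswith("*"):
        return criterion[1:] in value
    return criterion == value


def uagroup_matches(criterion: str, value: str) -> bool:
    """UA Group criterion: a trailing '*' selects groups beginning with the string."""
    if criterion.endswith("*"):
        return value.startswith(criterion[:-1])
    return criterion == value


def select_records(records: List[AuditRecord], subject: str = "*", target: str = "*",
                   outcome: Optional[str] = None) -> List[AuditRecord]:
    """Keep the records that satisfy every criterion, as the report macro would."""
    return [r for r in records
            if login_matches(subject, r.subject_login_name)
            and login_matches(target, r.target_login_name)
            and (outcome is None or r.outcome == outcome)]


# Constructed sample records (values modelled on the page's What-if output).
SAMPLE_RECORDS = [parse_record(build_record(*row)) for row in (
    ("GRP80.TST001", 80, 1, "GRP80.TST001", "YES", "Logon via Safeguard"),
    ("OPS.OPER1", 222, 31, "XYPRO.QA", "NO", "Password verification failed"),
    ("qa-LDAP8jxj", 222, 212, "QA.NEXT8JXJ", "YES", "LDAP password verified"),
)]


def main() -> None:
    for r in select_records(SAMPLE_RECORDS, subject="*OPER"):
        print(r.subject_login_name, "->", r.target_login_name, r.outcome)
    for r in select_records(SAMPLE_RECORDS, outcome="NO"):
        print("denied:", r.subject_login_name, r.comment)


if __name__ == "__main__":
    main()
```

Because the selection functions are separate from the parser, the same criteria can be run over records exported from an ENSCRIBE audit file once the remaining fields are added to LAYOUT in their documented order.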
Note: Without the -D option, only the summary of the ENFORM report will be shown unless errors occur in the ENFORM run. If an error occurs, the entire ENFORM run will be displayed. If -D is specified, the entire ENFORM run will be displayed even if there are no errors.
19.5.
19.6 XUA Report Formats
XUA comes with the six report formats described below. Much of the information is the same on all the reports, but it is arranged differently to emphasize different information.
19.6.1 The Subject Report Format
The Subject report format groups audit entries by NSK Userid. Refer below for a sample Subject audit report. Each Userid that fits the other selection criteria will start a new page.
19.6.2 The Target Report Format
The Target report format groups audit entries by NSK Userid. Refer below for a sample Target audit report. Each Userid that fits the other selection criteria will start a new page.
Sample Audit Report Sorted by Target
XYPRO Technology Corp \SIMI   XYGATE User Authentication Usage by Target User ( 80,003) SINI80.
19.6.3 The Time Report Format
The TIME report format lists each audit transaction in chronological order. The transactions included on the report will depend on the other selections made when running XUA_REPORT. Following is a sample TIME audit report.
XYPRO Technology \N1          SUA-Report-Sorted-by-Time          2012-06-05
Date produced: 05-JUN-2012                                    Page: 3
Criteria:2012-06-05 00:00 to 2012-06-05 23:59  Comment:*  File:audit
Criteria Summary
--------------------------------------------------------------
Report date range........: 2012-06-05 00:00 to 2012-06-05 23:59
Comment contains.........: *
Production/Test results..: Both
Result (All,S,F).........: All
Subject Terminal.........
19.6.4 The Session Report Format
The SESSION report format displays audit data sorted by process descriptor.
19.6.5 The COUNTS Report Format
The COUNTS report format displays how many access requests were made, sorted by the UAGROUP that was used to evaluate the request. Two numbers are reported: (1) the number of successful accesses and (2) the number of failures. The following is a sample COUNTS audit report.
19.6.6 The IP Report Format
The IP report format displays audit data sorted by IP address.
Appendix A: The UACONF File An edit file named UACONF, which configures global values, is kept in the same volume and subvolume as the XYGATEUA object file. The UACONF file contains the keywords that define the external functionality of the XUA process, such as where and what records are audited, what home terminal the SEEP should have and whether privileged logons are permitted.
UACONF Global Password and Logon Control Keywords
This section describes keywords that are related to password and logon control.
AUTHENTICATE_FAIL_FREEZE { ON | OFF }
AUTHENTICATE_FAIL_STOP { ON | OFF }
AUTHENTICATE_FAIL_TIMEOUT
AUTHENTICATE_FREEZE_PERIOD
AUTHENTICATE_MAXIMUM_ATTEMPTS
FROZEN_OK { ON | OFF }
GROUPMANAGER_OK { ON | OFF }
IPMAP <$vol.
UACONF IMPERSONATION Keyword
This UACONF keyword allows logon by impersonation (refer to Chapter 11).
IMPERSONATION_CHARACTERS "<2 special characters>"
UACONF LDAP Authentication Keywords
This section describes the UACONF keywords required to configure password verification via Windows Active Directory or OpenLDAP.
UACONF RADIUS Authentication Keywords
This section describes the UACONF keywords required to configure password verification via a RADIUS server.
A2: Sample UACONF File
The UACONF file configures global values.
A3: AUDIT (Filename)
This keyword determines the audit file specifications when a filename is defined. Auditing is discussed in more detail at the beginning of Chapter 9, "Deciding on the Amount of Logon-Specific Auditing."
Syntax: AUDIT [CRITICAL] [EXT(pri,sec,max)] [NO_ROLL_MSGS]
CRITICAL   Critical is an audit attribute that is set on for authentication denials when the EMS_CRITICAL_IF_DENIED ON entry exists.
A4: AUDIT (Process Name or Device)
Any one of the nine available AUDIT keyword entries can be defined as a process audit trail. The most common process audits are EMS and printing to the CONSOLE.
Note: XYPRO does not recommend that XYGATEUA be configured to audit its activity to EMS.
A5: AUDIT (IP Process Name)
Any one of the nine available AUDIT keyword entries can be defined as an IP address. This section deals with the IP address form of the AUDIT specification.
Syntax: AUDIT IP [SYSLOG_PREFIX "<134>"] [SYSLOG_CRITICAL_PREFIX "<130>"] [CRITICAL]
Example 1: How to configure XUA to audit to an IP address
AUDIT $ZTC0 IP 208.202.151.
SYSLOG_CRITICAL_PREFIX "<130> "
The optional SYSLOG_CRITICAL_PREFIX sub-keyword is used to specify text that will be prepended to any audit message being written to the IP address whose audit attribute is critical.
<130>   The standard message tag indicating a critical message (angle brackets are required).
A6: AUDIT_ACCESS_FAIL
This keyword is used to specify whether or not you want to write failed-logon attempts to the XUA audit logs. This value is determined during installation but can be changed at any time. It is a GLOBAL setting and can be overridden by individual UAGroup entries in the UAACL file.
Syntax: AUDIT_ACCESS_FAIL { ON | OFF }
Example: AUDIT_ACCESS_FAIL OFF
The default value is ON.
A9: AUTHENTICATE_FAIL_FREEZE
The AUTHENTICATE_FAIL_FREEZE keyword is used to force userids to be frozen when the number of failed logons without a good logon reaches the value of AUTHENTICATE_MAXIMUM_ATTEMPTS (page 213).
Syntax: AUTHENTICATE_FAIL_FREEZE { ON | OFF }
According to the following example, when the number of failed logons becomes 3 (that is, equal to 3), the userid will be frozen.
A11: AUTHENTICATE_FAIL_TIMEOUT
The AUTHENTICATE_FAIL_TIMEOUT keyword defines the amount of time that the authenticating process will suspend when the number of failed logons without a good logon exceeds the value of AUTHENTICATE_MAXIMUM_ATTEMPTS (page 213).
A13: AUTHENTICATE_MAXIMUM_ATTEMPTS
The AUTHENTICATE_MAXIMUM_ATTEMPTS keyword defines the number of failed logons that will trigger the AUTHENTICATE_FAIL_FREEZE, AUTHENTICATE_FAIL_TIMEOUT or AUTHENTICATE_FAIL_STOP options.
A16: EMS_CRITICAL_IF_DENIED
The EMS_CRITICAL_IF_DENIED keyword causes failed-authentication audit messages to be marked as critical, an internal audit attribute. When the AUDIT keyword (App. A3:, A4: or A5: starting on page 206) includes the CRITICAL sub-keyword, only messages marked as critical are included in the audit.
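The following Python program is an added example and is not part of XUA or of this manual. It parses the file and IP forms of the AUDIT keyword described in A3 and A5 and then shows how AUDIT_ACCESS_FAIL (A6), the CRITICAL sub-keyword, EMS_CRITICAL_IF_DENIED (A16) and the two syslog prefixes combine to decide which destinations receive a given audit message and with what tag. The constructed UACONF fragment uses the page's audit file name from Chapter 19, the default prefixes shown in A5, a constructed EXT() value and a documentation IP address; the message texts and the rule that a NO outcome is a failed authentication are assumptions of the demo.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AuditDestination:
    name: str                              # disk file name, or "<process> IP <address>"
    kind: str                              # "FILE" or "IP"
    critical_only: bool = False            # CRITICAL sub-keyword present
    syslog_prefix: str = "<134>"           # SYSLOG_PREFIX default shown in A5
    syslog_critical_prefix: str = "<130>"  # SYSLOG_CRITICAL_PREFIX default shown in A5


@dataclass
class AuditConfig:
    destinations: List[AuditDestination]
    ems_critical_if_denied: bool = False   # EMS_CRITICAL_IF_DENIED { ON | OFF }
    audit_access_fail: bool = True         # AUDIT_ACCESS_FAIL { ON | OFF }, default ON


def parse_audit_line(line: str) -> AuditDestination:
    """Parse one AUDIT keyword line of the file or IP form (the two forms on this page)."""
    toks = shlex.split(line)               # shlex handles the quoted "<134>" prefixes
    if not toks or toks[0].upper() != "AUDIT":
        raise ValueError(f"not an AUDIT line: {line!r}")
    rest = toks[1:]
    if len(rest) >= 3 and rest[1].upper() == "IP":      # AUDIT <tcpip process> IP <address> ...
        dest = AuditDestination(name=f"{rest[0]} IP {rest[2]}", kind="IP")
        opts = rest[3:]
    else:                                                # AUDIT <filename> ...
        dest = AuditDestination(name=rest[0], kind="FILE")
        opts = rest[1:]
    i = 0
    while i < len(opts):
        key = opts[i].upper()
        if key == "CRITICAL":
            dest.critical_only = True
        elif key == "SYSLOG_PREFIX":
            dest.syslog_prefix = opts[i + 1]
            i += 1
        elif key == "SYSLOG_CRITICAL_PREFIX":
            dest.syslog_critical_prefix = opts[i + 1]
            i += 1
        # EXT(pri,sec,max) and NO_ROLL_MSGS affect file allocation, not routing; skipped here.
        i += 1
    return dest


def route_audit(config: AuditConfig, outcome: str, message: str) -> Dict[str, str]:
    """Return {destination name: text written} for one audit event with outcome YES or NO."""
    denied = outcome.upper() == "NO"
    if denied and not config.audit_access_fail:   # AUDIT_ACCESS_FAIL OFF: denials are not written
        return {}
    critical = denied and config.ems_critical_if_denied   # the "critical" audit attribute
    written: Dict[str, str] = {}
    for dest in config.destinations:
        if dest.critical_only and not critical:   # CRITICAL destinations see only critical messages
            continue
        text = message
        if dest.kind == "IP":                     # syslog tag depends on the critical attribute
            text = (dest.syslog_critical_prefix if critical else dest.syslog_prefix) + message
        written[dest.name] = text
    return written


# Constructed UACONF fragment: a plain audit file plus an IP destination that only
# receives critical (denied-logon) messages.  203.0.113.10 is a documentation address.
SAMPLE_UACONF = """
AUDIT $VIK.XYGAUDIT.ACL EXT(300,300,100)
AUDIT $ZTC0 IP 203.0.113.10 SYSLOG_PREFIX "<134>" SYSLOG_CRITICAL_PREFIX "<130>" CRITICAL
""".strip().splitlines()

SAMPLE_CONFIG = AuditConfig(
    destinations=[parse_audit_line(ln) for ln in SAMPLE_UACONF],
    ems_critical_if_denied=True,
)


def main() -> None:
    for outcome, msg in (("YES", "logon GRP80.TST001 accepted"),
                         ("NO", "logon OPS.OPER1 denied")):
        for dest, text in route_audit(SAMPLE_CONFIG, outcome, msg).items():
            print(f"{outcome:3} {dest:28} {text}")


if __name__ == "__main__":
    main()
```

With EMS_CRITICAL_IF_DENIED OFF the IP destination in this fragment never receives anything, because nothing is ever marked critical; that is the combination to check when a syslog collector is expected to see denied logons and does not.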
A17: EXPLAIN_LOG
XUA can produce a log which contains information about its rulings on logon requests. If the keyword EXPLAIN_LOG is used and a valid disk file name is entered, XUA will write logon-attempt outcomes and their explanations, including the UAGroup rules applied, to this log. The argument to this keyword is the name of the file where these explanations will be written.
A18: EXPLICIT_NODES
This keyword tells XUA whether or not to determine if the process attempting the logon on behalf of a user is local or remote and, if remote, to determine the remote node name.
Syntax: EXPLICIT_NODES { ON | OFF }
If EXPLICIT_NODES checking is ON, you can specify wildcarded node name(s), as well as specifying all remote access with the \* syntax, when entering users in ACLGROUPs or UAGROUPs.
XYGATE® User Authentication™ (XUA) 1.85 Reference Manual Appendix A: The UACONF File A19: FROZEN_OK The FROZEN_OK keyword allows a userid to logon to a frozen userid, such as when too many failed logons have occurred and AUTHENTICATE_FAIL_FREEZE is set. When FROZEN_OK is set to ON, the target userid can be logged on to, even when it is frozen. When FROZEN_OK is set to OFF, the target userid cannot be logged on to, when it is frozen.
A21: HOMETERM
The HOMETERM keyword defines the XUA server’s home terminal. The HOMETERM keyword is not required, but if it is not specified, XUA will have the same home terminal as that of the $ZSMP (Safeguard) process.
Syntax: HOMETERM $
Example: HOMETERM $VHS
A22: IGNORE_LEADING_SPACES
This keyword can be used to control the removal of leading spaces from passwords.
A23: IPMAP
In order for XUA to be able to capture the IP address in a session encrypted via XHE, XUA must query the IPMAP file in XYGATEHE’s subvolume. The IPMAP keyword specifies the XYGATEHE subvolume. The IPMAP file is maintained by XYGATEHE.
Syntax: IPMAP <$vol.subvol location of XYGATEHE>
Example: IPMAP $SYSTEM.XYGATEHE
Note: When used in a network configuration, the IPMAP subvolume must be the same on all nodes.
A25: LDAP_AUTHENTICATE
The LDAP_AUTHENTICATE keyword value determines whether the authentication request will be sent to the LDAP server, and in what manner.
Syntax: LDAP_AUTHENTICATE {ON | OFF | OPTIONAL}
ON – Users’ passwords and network IDs will be verified by LDAP.
Note: The userid’s status on the NonStop server will be evaluated by Safeguard in addition to the LDAP password verification.
A26: LDAP_BIND_NAME
The Bind Name will be used by the XUA server to create a fully qualified username in the LDAP directory.
Syntax: LDAP_BIND_NAME ""
The syntax of the Bind Name differs depending on the type of LDAP.
A27: LDAP_DN_ATTRIBUTE
The value for this keyword is the attribute containing the name against which the simple bind must be done.
Syntax: LDAP_DN_ATTRIBUTE ""
Example: LDAP_DN_ATTRIBUTE "entrydn"
A28: LDAP_GROUP
The LDAP_GROUP keyword is used to group a set of LDAP-specific configuration values when configuring multiple-LDAP authentication points.
A29: LDAP_GROUP_CHARACTERS
When multiple-LDAP authentication points are configured and a user is authenticating via LDAP, the user can specify which authentication point to use by prefixing the password response with: Entered as a whole password prefix, this allows the user to specify which authentication point to use.
In the LOGON Example below, USER1 is authenticating using the host X2.Y2.Z2.LOCAL. Hence, the user prefixes the password with the ++ symbols (specified by the LDAP_GROUP_CHARACTERS keyword in the UACONF file above), and also prefixes the LDAP Group name corresponding to that host name, which is LD2. Refer also to the LDAP_GROUP keyword in the previous section.
A30: LDAP_GROUP_DEFAULT
If the value is ON, the LDAP_GROUP under which it appears will be used when multiple LDAP Groups are configured and none is specified via a password prefix composed of the LDAP_GROUP value surrounded by the LDAP_GROUP_CHARACTERS string.
Syntax: LDAP_GROUP_DEFAULT {ON | OFF}
Example: LDAP_GROUP_DEFAULT ON
When this keyword is not present, the default behavior is OFF.
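The prefix handling described under A29 and A30, as an added Python illustration (not XYPRO’s code; XUA itself runs on the NonStop server and is not implemented this way). It assumes the prefix takes the form <LDAP_GROUP_CHARACTERS><LDAP_GROUP><LDAP_GROUP_CHARACTERS> followed by the password, as the ++LD2++ LOGON example suggests, that group names compare case-insensitively, and that a prefix naming an unknown group is rejected rather than forwarded to LDAP as part of the password. The group names LD1 and LD2 and their hosts are constructed values.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LdapGroup:
    name: str              # the LDAP_GROUP value, e.g. LD2
    host: str              # the LDAP_HOST configured under that group
    default: bool = False  # LDAP_GROUP_DEFAULT ON for this group


@dataclass
class LdapConfig:
    group_chars: str       # LDAP_GROUP_CHARACTERS, e.g. "++"
    groups: List[LdapGroup]


def resolve_group(cfg: LdapConfig, response: str) -> Tuple[LdapGroup, str]:
    """Split a password response into (LDAP group to use, password to verify).

    A response of the form <chars><group><chars><password> selects <group>.
    Anything else is a bare password for the LDAP_GROUP_DEFAULT group, so a
    password that merely starts with the delimiter string is left untouched.
    """
    chars = cfg.group_chars
    if chars and response.startswith(chars):
        body = response[len(chars):]
        end = body.find(chars)
        if end > 0:                       # non-empty group name and a closing delimiter
            wanted, password = body[:end], body[end + len(chars):]
            for group in cfg.groups:
                if group.name.upper() == wanted.upper():   # assumption: case-insensitive names
                    return group, password
            # Assumption: an unknown group name is a configuration error, not a password.
            raise ValueError(f"unknown LDAP_GROUP '{wanted}' in password prefix")
    defaults = [g for g in cfg.groups if g.default]
    if len(defaults) == 1:
        return defaults[0], response
    if not defaults and len(cfg.groups) == 1:
        return cfg.groups[0], response    # a single authentication point needs no prefix
    raise ValueError("no prefix given and no single LDAP_GROUP with LDAP_GROUP_DEFAULT ON")


def resolve(cfg: LdapConfig, response: str) -> Tuple[str, str, str]:
    """Convenience wrapper returning (group name, host, password)."""
    group, password = resolve_group(cfg, response)
    return group.name, group.host, password


# Constructed configuration mirroring the manual's two-host LOGON example.
CONFIG = LdapConfig("++", [
    LdapGroup("LD1", "X1.Y1.Z1.LOCAL", default=True),
    LdapGroup("LD2", "X2.Y2.Z2.LOCAL"),
])

if __name__ == "__main__":
    for resp in ("++LD2++s3cret", "s3cret", "++s3cret"):
        print(resp, "->", resolve(CONFIG, resp))
```

The split is done before anything is sent to the LDAP server, which is what makes the unknown-group branch worth raising on: silently binding with a prefix still attached would turn a typo in the group name into a failed logon that is hard to diagnose from the LDAP side.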
A31: LDAP_HOST
The LDAP_HOST keyword specifies the path to the LDAP server. This can be either the DNS name or the IP address, which can be specified in IPv4 or IPv6 format.
Syntax: LDAP_HOST { | [:ptr] }
Example 1: How to configure LDAP using a DNS Name
LDAP_HOST MYCOMPANY.LOCAL-NET
Example 2: How to configure LDAP using an IPv4 Address
LDAP_HOST 172.16.254.
Example:
DNS for host xyz.xypro.com resolved to IP 192.168.1.1
DNS elapsed time = 0.007698 seconds
RDNS elapsed time = 0.000846 seconds
Total DNS elapsed time = 0.008544 seconds
…
58:15 Ldap host name passed:xyz.xypro.com:ptr
58:15 Actual Ldap host name:abc.xypro.com
In the above example the host name xyz.xypro.com was translated to abc.xypro.com.
A34: LDAP_PORT
The value of the LDAP_PORT keyword tells XUA which port is assigned to the LDAP server in the network. The most commonly used is port 389, which is therefore the default value.
Syntax: LDAP_PORT
Example: LDAP_PORT 389
The value of this keyword created by the XUA_LDAP_INSTALL macro (page 70) can be changed by editing the UACONF file after the macro run is completed.
A36: LDAP_PROXY_ENV
The value of this keyword specifies parameters to be passed to the proxy program for troubleshooting. This value will be supplied by XYPRO Support personnel should the need arise for troubleshooting.
A39: LDAP_PROXY_LOG
The value of this keyword specifies which OSS directory will host the proxy program’s activity logs.
A42: LDAP_SEARCH_USER
The value of this keyword is the user that logs on to the LDAP server. Refer to LDAPPASS in section 12.6, “LDAP-Related Components”, to configure the LDAPPASS file.
A45: LDAP_VERSION
The current release of XUA only interfaces to the latest version of both Windows Active Directory and OpenLDAP. The latest version for each of these utilities is version 3. This option is reserved for future LDAP releases/versions.
A48: MONITOR_ACCESS_CHECK
The MONITOR_ACCESS_CHECK keyword enables monitoring only for What-if queries, and not for queries coming from Safeguard.
Note: If you have two MONITOR keywords defining two different output files, then monitor output will be sent only to the last file defined.
Syntax: MONITOR_ACCESS_CHECK
Example: MONITOR_ACCESS_CHECK $S.#XUA.
A50: MONITORAUDIT
If this keyword is ON, XUA will write messages such as "Audit write 01 $SYSTEM.XYGATEUA.AUDIT" to the monitor dump file, which indicates that a particular ruling was audited to the audit file. If the result was not audited because of AUDIT_ACCESS_PASS OFF or AUDIT_ACCESS_FAIL OFF, then XUA will not write this message.
A52: PASSWORD_MAY_CHANGE
The keyword PASSWORD_MAY_CHANGE represents the number of days before the password expiration date in which the user may change his or her own password. If this keyword is omitted, XUA will check the value of the expiration date from Safeguard. If the password expiration date is not in effect in Safeguard either, then the user may change his or her own password at any time.
A54: PERUSE_OBJECT
The argument to the PERUSE_OBJECT keyword is the full program name of the Peruse program you wish to have XUA “drop” you into when running reports. Sites that use XYPRO’s combined SPOOLCOM and PERUSE program (XSP) will want to put that object name here. Otherwise, put the NonStop server standard PERUSE here.
A56: PQ_SEEP_OBJECT
This keyword is required as a workaround for an anomaly in Safeguard’s SEEP interface. When a user changes his or her password during logon, Safeguard sends the request to the AUTHENTICATION SEEP instead of to the PASSWORD SEEP, as it should. This keyword tells XUA to forward the request to the password SEEP (XPQ).
A58: RADIUS_AUTHENTICATE
The RADIUS_AUTHENTICATE keyword value determines whether the authentication request will be sent to the RADIUS server, and in what manner.
Syntax: RADIUS_AUTHENTICATE {ON | OFF | OPTIONAL}
ON – Users will be authenticated via the RADIUS server. If the RADIUS server is not available for communication with XUA for any reason, the logon request will be denied.
A59: RADIUS_HOST
The RADIUS_HOST keyword specifies the path to the RADIUS server. This can be either the DNS name or the IP address.
Syntax: RADIUS_HOST
Example: RADIUS_HOST MYCOMPANY.LOCAL-NET
The value of this keyword created by the XUA_RADIUS_INSTALL macro can be changed by editing the UACONF file after the macro run is completed.
A62: RADIUS_PROXY_IP_PROC
This keyword is used to specify the name of the current TCP/IP process through which XUA will communicate with the proxy.
Syntax: RADIUS_PROXY_IP_PROC <$process name>
Example: RADIUS_PROXY_IP_PROC $ZTC0
The value of this keyword created by the XUA_RADIUS_INSTALL macro can be changed by editing the UACONF file after the macro run is completed.
A65: RADIUS_REQUIRE_PASSWORD
The RADIUS_REQUIRE_PASSWORD keyword value determines whether all users, some users, or no users will be required to enter a Guardian PASSWORD in addition to the RADIUS password. This keyword can be present in the UACONF file, the UAACL file, or both.
A66: RSA_AUTHENTICATE
The RSA_AUTHENTICATE keyword value determines whether the authentication request will be sent to the RSA server, and in what manner.
Syntax: RSA_AUTHENTICATE {ON | OFF | OPTIONAL}
ON – Users will be authenticated via RSA SecurID technology. If the RSA server is not available for communication with XUA for any reason, the logon request will be denied.
A67: RSA_PROXY_ENV
The value of this keyword specifies parameters to be passed to the proxy programs for troubleshooting. This value will be supplied by XYPRO Support personnel should the need for such troubleshooting arise.
A70: RSA_PROXY_TIMEOUT
The value of this keyword determines how many seconds XUA will wait for the RSA server’s response before deciding that the server is not available. Once the timeout is reached, XUA will process the logon request according to the RSA_AUTHENTICATE value.
A72: SUBJECT_LOOKUP
This keyword is required as a workaround for two Safeguard software anomalies:
1. The first anomaly causes Safeguard to send the underlying id rather than an alias to the SEEP. If the keyword SUBJECT_LOOKUP is set to ON, then XYGATEUA will retrieve the real subject login name via a process info lookup of the process that is logging in. If this keyword is omitted, SUBJECT_LOOKUP will be set to OFF.
A73: SUPERSUPEROK
This keyword defines how SUPER.SUPER (255,255) will be treated.
Syntax: SUPERSUPEROK { ON | OFF }
If SUPERSUPEROK is set to ON, then SUPER.SUPER is capable of logging on to any userid or Safeguard alias in the group. If SUPERSUPEROK is OFF, SUPER.SUPER will be evaluated as any other userid. SUPER.SUPER can be explicitly denied access in any UAGroup for a particular set of users if desired.
Appendix B: The UAACL File
XYGATEUA can be configured in the UAACL file to restrict user group logon times and rules. This file specifies user groups and what logon rules will be applied to those differing groups of users. There are three primary entities defined in the UAACL File:
ACLGroups    Classifies profiles of groups.
TIMEGroups   Configures which users can logon what day and time of the week.
UAGroups     Configure a group of userids that will share the same authentication rules.
B1: Sample UAACL File
This sample UAACL file shows how the three entities mentioned above and the keywords which are described in the following subsections are used in a production environment.
Example 1: A Sample UAACL File
ACLGROUP $EVERYONE
ACLGROUP $OK2FTP
ACLGROUP $OK2SUPER
ACLGROUP $OK2PRIV
ACLGROUP $SU-OK-OSS
ACLGROUP $DONT-FREEZE
ACLGROUP $PRIV-IDS
ACLGROUP $WEEKDAYS
ACLGROUP $WEEKENDS *.
UAGROUP ALLOW-CONSOLE-LOGON
  PORT 10.1.1.17 $*.#*          ! SPECIFY THE RIGHT CONSOLE
                                ! look for the TELSERV process dedicated to the console
  PASSWORD_REQUIRED ON
  RESULT_GRANTED
  ! Selection Criteria:
  FROM_USER $EVERYONE
  TO_USER XYPRO.TERRI
UAGROUP ALLOW-FTP-LOGON
  DESCRIPTION "These users can logon to FTP"
  PASSWORD_REQUIRED ON
  RESULT_GRANTED
  ! Selection Criteria:
  FROM_USER $EVERYONE
  TO_USER $OK2FTP
  REQUESTOR $SYSTEM.ZTCPIP.
! ------------------------------------------------------------------
! The following groups enforce stepped-logons to PrivIDs in OSS & NSK
! And if any users can log directly on as a PrivID
! And control su to PrivIDs in OSS
UAGROUP ALLOW-USERS-TO-PRIVIDS-OSS
  DESCRIPTION "must logon to own id before privid"
  RESULT_GRANTED
  ! Selection Criteria:
  FROM_USER $OK2PRIV
  TO_USER $PRIV-IDS
  REQUESTOR $SYSTEM.SYSnn.
B2: Limits on UAACL Entries
The UAACL File has limits on the amount of data specified in the file. The limits are as shown in the following table:
Field        Limit    Description
ACLGroups    100      ACLGROUPs that can be defined to group users by function into profiles.
ACL IDs      20,000   The number of distinct userid references found in the entire file.
B3: Classifying the ACLGroups
The ACLGroup entity classifies users into logical profiles in order to simplify the maintenance of userids in the UAGroup entries that make up the rest of the file.
Syntax: ACLGROUP $ [NOT ]
ACLGROUP keyword names may be up to 31 characters in length and include dashes ( - ). The first character must be a dollar sign ( $ ).
TIMEGROUP Keyword
The TIMEGroup entity is an optional criterion which must start with the TIMEGROUP keyword, and must also contain the MEMBERS and TIME keywords. TIMEGROUP can be positioned anywhere but must be before the UAGROUP that has the TIMEGroup reference.
Syntax: TIMEGROUP $
Example: Refer to Example 1 above and also the Sample UAACL File in Appendix B1:.
B5: Configuring UAGroups
The User Authentication Group (UAGroup) entity defines the logon rules to be applied to various sets of users. UAGroups are where you enter all the criteria necessary to create the logon rules you want to enforce. The keyword UAGROUP is required, and the UAACL file can have a maximum of 1,000 UAGroup entities.
UAGROUP EVERYONE-ELSE in Example 1 above will allow any user to logon as any other user if he or she knows the password. Only logons that have not been “caught” by prior UAGroups will be ruled using this UAGROUP EVERYONE-ELSE. You can use the exclamation point ( ! ) to start a comment anywhere on a line; the comment will continue for the remainder of the line. UAGroup entries can be quite complex.
UAGroup Logon Control Keywords
AUTHENTICATE_FAIL_FREEZE { ON | OFF }
AUTHENTICATE_FAIL_FREEZE_MSG { ON | OFF }
AUTHENTICATE_FAIL_STOP { ON | OFF }
AUTHENTICATE_FAIL_TIMEOUT
AUTHENTICATE_MAXIMUM_ATTEMPTS
FROZEN_OK { ON | OFF }
GROUPMANAGER_OK { ON | OFF }
RESULT_DENIED
SUPERSUPEROK { ON | OFF }
TIME { | [- }
UAGroup RSA-Related Keywords
RSA_AUTHENTICATE { ON | OFF | OPTIONAL }
RSA_REQUIRE_PASSWORD { ON | OFF }
UAGroup Userid-Mapping Keywords
MAP RE:""
B7: ANCESTOR
The ANCESTOR keyword allows selection of userids to which these rules apply based on the ancestor of the requestor to which the user is logging on. The ancestor can be specified using a wildcarded object file name.
B8: AUDIT_ACCESS_FAIL
The AUDIT_ACCESS_FAIL keyword defines the writing of audit records after a failed logon. If AUDIT_ACCESS_FAIL is set to ON, audit records will be written. If AUDIT_ACCESS_FAIL is set to OFF, audit records will not be written. If present in a UAGroup, the value of this keyword overrides that in the UACONF file. If the keyword is omitted, the value in the UACONF file is used.
B10: AUTHENTICATE_FAIL_FREEZE
The AUTHENTICATE_FAIL_FREEZE keyword is used to force userids to be frozen when the number of failed logons without a good logon reaches the value of AUTHENTICATE_MAXIMUM_ATTEMPTS. If present in a UAGroup, the value of this keyword overrides that in the UACONF file. If the keyword is omitted, the value in the UACONF file is used.
B11: AUTHENTICATE_FAIL_FREEZE_MSG
The AUTHENTICATE_FAIL_FREEZE_MSG keyword controls whether or not a user is notified that his or her userid or alias has been frozen on the authentication attempt that caused freezing to occur.
B12: AUTHENTICATE_FAIL_STOP
The AUTHENTICATE_FAIL_STOP keyword is used to stop the process when the number of failed logons without a good logon for a user exceeds the limit set by AUTHENTICATE_MAXIMUM_ATTEMPTS. If present in a UAGroup, the value of this keyword overrides that in the UACONF file. If the keyword is omitted, the value in the UACONF file is used.
B14: AUTHENTICATE_FREEZE_PERIOD
The AUTHENTICATE_FREEZE_PERIOD option allows you to freeze a user temporarily. The XUA install program creates a database named UAQUEUE.
B15: AUTHENTICATE_MAXIMUM_ATTEMPTS
The AUTHENTICATE_MAXIMUM_ATTEMPTS keyword defines the number of failed logons that will trigger the AUTHENTICATE_FAIL_FREEZE, AUTHENTICATE_FAIL_TIMEOUT, or AUTHENTICATE_FAIL_STOP features. If present in a UAGroup, this keyword’s value overrides the one in the UACONF file. If this keyword is omitted, the value in the UACONF file is used. Refer to the Example in Appendix B12: on page 261.
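How the failed-logon controls of A11, A13 and A19 combine with the UAGroup overrides of B10, B12 and B15, as an added Python model (not XYPRO’s code; it only illustrates the rules the text states). Assumptions: a keyword omitted at the UAGroup level falls through to the UACONF value keyword by keyword; the controls fire when the run of failures since the last good logon reaches AUTHENTICATE_MAXIMUM_ATTEMPTS, which is the B10/B15 wording; AUTHENTICATE_FAIL_TIMEOUT is treated as a number of seconds; and FROZEN_OK omitted at both levels behaves as OFF. The userid APP1.OWNER is a constructed sample target.

```python
from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Tuple


@dataclass
class FailPolicy:
    """One level of keywords; None means 'keyword omitted at this level'."""
    max_attempts: Optional[int] = None   # AUTHENTICATE_MAXIMUM_ATTEMPTS
    fail_freeze: Optional[bool] = None   # AUTHENTICATE_FAIL_FREEZE
    fail_timeout: Optional[int] = None   # AUTHENTICATE_FAIL_TIMEOUT (assumed to be seconds)
    fail_stop: Optional[bool] = None     # AUTHENTICATE_FAIL_STOP
    frozen_ok: Optional[bool] = None     # FROZEN_OK


def effective(uaconf: FailPolicy, uagroup: FailPolicy) -> FailPolicy:
    """Keyword by keyword: a value present in the UAGroup overrides UACONF, otherwise UACONF applies."""
    merged = FailPolicy()
    for f in fields(FailPolicy):
        group_value = getattr(uagroup, f.name)
        setattr(merged, f.name, group_value if group_value is not None else getattr(uaconf, f.name))
    return merged


@dataclass
class TargetState:
    failures: int = 0      # failed logons since the last good logon
    frozen: bool = False


class Authenticator:
    """Tracks failures per target userid and applies the effective policy to each attempt."""

    def __init__(self, policy: FailPolicy):
        self.policy = policy
        self.state: Dict[str, TargetState] = {}

    def attempt(self, target: str, password_ok: bool) -> Tuple[str, List[str]]:
        st = self.state.setdefault(target, TargetState())
        p = self.policy
        if st.frozen and not p.frozen_ok:
            return "DENIED", ["target frozen"]     # FROZEN_OK OFF or omitted
        if password_ok:
            st.failures = 0                        # a good logon ends the run of failures
            return "GRANTED", []
        st.failures += 1
        actions: List[str] = []
        # The controls fire when the run of failures reaches the maximum.
        if p.max_attempts is not None and st.failures >= p.max_attempts:
            if p.fail_freeze:
                st.frozen = True
                actions.append("freeze userid")
            if p.fail_timeout:
                actions.append(f"suspend {p.fail_timeout}s")
            if p.fail_stop:
                actions.append("stop process")
        return "DENIED", actions

    def is_frozen(self, target: str) -> bool:
        return self.state.get(target, TargetState()).frozen


if __name__ == "__main__":
    # UACONF freezes after 3 failures; this UAGroup swaps the freeze for a 60 s suspension.
    conf = FailPolicy(max_attempts=3, fail_freeze=True, frozen_ok=False)
    group = FailPolicy(fail_freeze=False, fail_timeout=60)
    auth = Authenticator(effective(conf, group))
    for _ in range(3):
        print(auth.attempt("APP1.OWNER", password_ok=False))
```

The override is per keyword, not per block: a UAGroup that sets only AUTHENTICATE_FAIL_FREEZE OFF still inherits the UACONF maximum and, if UACONF has AUTHENTICATE_FAIL_STOP ON, still stops the process. Reading the merged policy back before deploying a UAGroup change is the quickest way to see which control will actually fire.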
B18: EMS_CRITICAL_IF_DENIED
The EMS_CRITICAL_IF_DENIED keyword causes failed-authentication audit messages to be marked as critical, an internal audit attribute. When the AUDIT keyword (App. A3:, A4: or A5: starting on page 206) includes the CRITICAL sub-keyword, only messages marked as critical are included in the audit.
B19: FROM_USER
This is a space-separated list of subject users; that is, the users who are trying to do the logon operation. You can enter userids and aliases on separate lines for clarity if you wish. A logged-off TACL will be user 0,0.
Syntax: FROM_USER
In the Example below, SUPER.SUPER and SECURITY.ADMIN can logon to themselves and each other even if their userids are frozen.
B21: GROUPMANAGER_OK
The GROUPMANAGER_OK keyword defines how a group manager (user = 255) will be treated. When GROUPMANAGER_OK is set to ON, the group manager for the group (group,255) is capable of logging on to any user id or Safeguard alias in the group. When GROUPMANAGER_OK is set to OFF, the group manager will be evaluated as any other user id.
B22: IGNORE_PASSWORD_REQUIRED
The IGNORE_PASSWORD_REQUIRED keyword allows XUA to bypass the internal "password required" settings of some other-than-TACL programs; for example, NDMCOM. This setting works only when the program is calling USER_AUTHENTICATE_ with option bit 7 set, which can be set using the “OPT 7” command when testing in What-if mode.
B23: IMPERSONATION
Syntax: IMPERSONATION {ALWAYS | OFF | OPTIONAL}
Authorizes a group of users to logon to certain utilities as a specified user, such as super.super, with the user’s own password. If OPTIONAL, either the target user’s password or impersonation may be used. If ALWAYS, "un-impersonated" logon is disallowed. If OFF, impersonation is disallowed.
B25: LDAP_AUTHENTICATE
The LDAP_AUTHENTICATE keyword value determines whether the authentication request will be sent to the LDAP server, and in what manner.
Syntax: LDAP_AUTHENTICATE {ON | OFF | OPTIONAL}
ON – users’ passwords and network IDs will be verified by LDAP.
B26: LDAP_BIND_NAME
The Bind Name will be used by the XUA server to create a fully qualified username in the LDAP directory.
Syntax: LDAP_BIND_NAME ""
The syntax of the Bind Name differs depending on the type of LDAP.
B27: LDAP_DN_ATTRIBUTE
The value for this keyword is the attribute containing the name against which the simple bind must be done.
Syntax: LDAP_DN_ATTRIBUTE ""
Example: LDAP_DN_ATTRIBUTE "entrydn"
If present in a UAGroup, this keyword’s value overrides the one in the UACONF file.
B29: LDAP_LOOKUP
If the value is ON, XUA will make an inquiry to the LDAP server to look up the userid information, including the domain, in the LDAP database without mapping.
Syntax: LDAP_LOOKUP {ON | OFF}
Example: LDAP_LOOKUP ON
If present in a UAGroup, this keyword’s value overrides the one in the UACONF file. The default behavior is OFF.
B33: MAP
XUA provides the capability to map the NonStop user database to an alternative authentication database such as LDAP, RSA or RADIUS. One or more mapping rules can be specified in the UAACL file at the UAGroup level. These mapping rules will only apply to the UAGROUP for which they are configured.
B35: OMIT_PASSWORD_USERS
The keyword OMIT_PASSWORD_USERS represents a subset of users in the FROM_USER list who do not have to supply a password while logging on to the users in the TO_USER list.
Syntax: OMIT_PASSWORD_USERS
The Example below allows all the members of $SECURITY to logon as SUPER.SUPER. In addition, it allows SECURITY.ADMIN and SECURITY.OPER to logon as SUPER.SUPER without supplying a password.
B37: PASSWORD_REQUIRED
The PASSWORD_REQUIRED keyword controls the need for a Guardian password on the userid. When PASSWORD_REQUIRED is set to ON, a password is needed to logon to the target userid. When PASSWORD_REQUIRED is set to OFF, the users in the FROM_USER list can logon to users in the TO_USER list without supplying the target user’s password. If present in a UAGroup, this keyword’s value overrides the one in the UACONF file.
B38: PORT
The PORT keyword limits which port these rules apply to. PORT is specified by terminal and incoming IP address. Both must be included. The hometerm of the authenticating process must match one of the terminals listed. The IP address derived from the hometerm of the authenticating process must match one of the IP addresses listed. A PORT of $* represents all terminals.
Example 3 below will deny members of the group TECH logon on the terminal $ZTN0.#PTRUD24.
Example 3: How to control logon based on the user’s Home Terminal
UAGROUP Restricted-hometerminal
  DESCRIPTION "Restricted users hometerminal"
  FROM_USER $EVERYONE
  TO_USER TECH.*
  PORT $ZTN0.
Example: How to specify the SERVICE program in PORTCONF for XYGATETR Logon
21 $SYSTEM.XYGATEUA.SERVICE -xuaobject:$SYSTEM.XYGATETE.XYGATETR
When the above entry is present in the PORTCONF file, XUA uses the program named SERVICE to retrieve the IP address of the XYGATETR logon.
B40: RADIUS_REQUIRE_PASSWORD
The RADIUS_REQUIRE_PASSWORD keyword value determines whether all users, some users, or no users will be required to enter a Guardian PASSWORD in addition to the RADIUS password. This keyword can be present in the UACONF file, the UAACL file, or both. The UACONF value will be enforced globally unless overridden by values set in individual UAGroups in the UAACL file.
B41: REQUESTOR
The REQUESTOR keyword allows the selection of userids to which these rules apply based on the wildcarded object file of the process requesting the logon. A REQUESTOR of * (asterisk) represents all requestors.
Note: To prevent unexpected syntax errors, always put the REQUESTOR keyword last in any UAGroup where it is used.
Example 4 below will prevent anyone from using su to become SUPER.SUPER, SEC.ADMIN, or APP1.OWNER.nm The combination of Examples 3 and 4 allows you to completely control who can use su to become a privileged ID. Note that the UAGROUP shown in Example 3 must precede the UAGROUP shown in Example 4.
B42: RESULT_DENIED
If the keyword RESULT_DENIED is present in a UAGroup, then the userids in the TO_USER list cannot be logged on even with the correct password. This provides another way to accomplish the same thing as freezing a Safeguard user.
Syntax: RESULT_DENIED
In the Example below, no userids or aliases on the system will be allowed to logon to the system using the LOGIN program.
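The first-match evaluation that B5 describes (a logon is ruled by the first UAGroup that “catches” it, and UAGROUP EVERYONE-ELSE only sees what earlier groups let through), together with the FROM_USER (B19), OMIT_PASSWORD_USERS (B35), PASSWORD_REQUIRED (B37), REQUESTOR (B41) and RESULT_DENIED (B42) keywords, as an added Python model. This is not XYPRO’s code and not a UAACL syntax checker; it parses only the keywords named here. Assumptions: ACLGROUP members follow the group name on the same line and NOT introduces exclusions, as the B3 syntax line suggests; userids are GROUP.USER with * wildcards or a $ACLGROUP reference; a logon that no UAGroup catches is denied; and the UAACL text, including the requestor object names $SYSTEM.SYSTEM.LOGIN and $SYSTEM.SYSTEM.TACL, is constructed for the example.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample UAACL text, modelled on the manual's Example 1 but not taken from it.
SAMPLE_UAACL = """\
ACLGROUP $EVERYONE  *.*
ACLGROUP $SECURITY  SECURITY.* NOT SECURITY.GUEST

UAGROUP DENY-LOGIN-PROGRAM         ! like the RESULT_DENIED example in B42
  DESCRIPTION "nobody may logon through the LOGIN program"
  RESULT_DENIED
  FROM_USER $EVERYONE
  TO_USER   $EVERYONE
  REQUESTOR $SYSTEM.SYSTEM.LOGIN

UAGROUP SECURITY-TO-SUPER          ! like the OMIT_PASSWORD_USERS example in B35
  OMIT_PASSWORD_USERS SECURITY.ADMIN SECURITY.OPER
  RESULT_GRANTED
  FROM_USER $SECURITY
  TO_USER   SUPER.SUPER
  REQUESTOR *

UAGROUP EVERYONE-ELSE              ! anything not caught above: password required
  PASSWORD_REQUIRED ON
  RESULT_GRANTED
  FROM_USER $EVERYONE
  TO_USER   $EVERYONE
  REQUESTOR *
"""


def strip_comment(line: str) -> str:
    """Drop a '!' comment, unless the '!' sits inside a quoted DESCRIPTION."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "!" and not in_quote:
            return line[:i]
    return line


def parse_uaacl(text: str) -> Tuple[Dict[str, dict], List[dict]]:
    """Parse ACLGROUP and UAGROUP entries; UAGroups keep file order because order decides the ruling."""
    aclgroups: Dict[str, dict] = {}
    uagroups: List[dict] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        tokens = strip_comment(raw).split()
        if not tokens:
            continue
        kw, args = tokens[0].upper(), tokens[1:]
        if kw == "ACLGROUP":
            members = [a.upper() for a in args[1:]]
            cut = members.index("NOT") if "NOT" in members else len(members)
            aclgroups[args[0].upper()] = {"include": members[:cut], "exclude": members[cut + 1:]}
        elif kw == "UAGROUP":
            current = {"name": args[0], "FROM_USER": [], "TO_USER": [], "REQUESTOR": [],
                       "OMIT_PASSWORD_USERS": [], "PASSWORD_REQUIRED": True, "RESULT": "GRANTED"}
            uagroups.append(current)
        elif current is None:
            raise ValueError(f"{kw} appears before any UAGROUP")
        elif kw in ("FROM_USER", "TO_USER", "REQUESTOR", "OMIT_PASSWORD_USERS"):
            current[kw].extend(a.upper() for a in args)
        elif kw == "PASSWORD_REQUIRED":
            current[kw] = args[0].upper() == "ON"
        elif kw in ("RESULT_GRANTED", "RESULT_DENIED"):
            current["RESULT"] = kw.split("_")[1]
        elif kw != "DESCRIPTION":          # DESCRIPTION is informational only
            raise ValueError(f"unsupported keyword {kw} in UAGROUP {current['name']}")
    return aclgroups, uagroups


def user_matches(user: str, patterns: List[str], aclgroups: Dict[str, dict]) -> bool:
    """True if the userid matches any pattern; a $NAME pattern expands an ACLGROUP."""
    for pat in patterns:
        if pat.startswith("$"):
            grp = aclgroups[pat]
            if (user_matches(user, grp["include"], aclgroups)
                    and not user_matches(user, grp["exclude"], aclgroups)):
                return True
        elif fnmatchcase(user, pat):
            return True
    return False


def evaluate(acl, from_user: str, to_user: str, requestor: str,
             password_ok: bool) -> Tuple[str, Optional[str]]:
    """Rule on a logon using the first UAGroup whose selection criteria all match."""
    aclgroups, uagroups = acl
    from_user, to_user, requestor = from_user.upper(), to_user.upper(), requestor.upper()
    for g in uagroups:
        caught = (user_matches(from_user, g["FROM_USER"], aclgroups)
                  and user_matches(to_user, g["TO_USER"], aclgroups)
                  and any(fnmatchcase(requestor, p) for p in g["REQUESTOR"]))
        if not caught:
            continue                        # later UAGroups get their chance
        if g["RESULT"] == "DENIED":
            return "DENIED", g["name"]      # RESULT_DENIED: a correct password does not help
        needs_password = (g["PASSWORD_REQUIRED"]
                          and not user_matches(from_user, g["OMIT_PASSWORD_USERS"], aclgroups))
        if needs_password and not password_ok:
            return "DENIED", g["name"]
        return "GRANTED", g["name"]
    return "DENIED", None                   # assumption: nothing caught the logon, so deny
```

Because the first catching UAGroup is final, the order of entries is itself a security control: moving DENY-LOGIN-PROGRAM below EVERYONE-ELSE in the sample would silently reinstate LOGIN for everyone, which is the same ordering dependency the manual calls out between Examples 3 and 4. Running a handful of logon scenarios through a model like this before installing a NEWUAACL complements the syntax check that XUA_EDIT_ACL performs.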
B44: RSA_AUTHENTICATE
The RSA_AUTHENTICATE keyword value determines whether the authentication request will be sent to the RSA server, and in what manner.
Syntax: RSA_AUTHENTICATE {ON | OFF | OPTIONAL}
ON – Users will be authenticated via RSA SecurID technology. If the RSA server is not available for communication with XUA for any reason, the logon request will be denied.
B45: RSA_REQUIRE_PASSWORD
The RSA_REQUIRE_PASSWORD keyword value determines whether all users, some users, or no users will be required to enter a Guardian PASSWORD in addition to the PASSCODE. This keyword can be present in the UACONF file, the UAACL file, or both. The UACONF value will be enforced globally unless overridden by values set in individual UAGroups in the UAACL file.
B46: SAFEGUARD_PRIVLOGON
The SAFEGUARD_PRIVLOGON feature allows a program to set a special flag when calling USER_AUTHENTICATE_, and if the program also has a Safeguard diskfile ACL that has the PRIV-LOGON flag set, then logons are allowed without a password regardless of the Safeguard PASSWORD-REQUIRED setting.
B47: SUPERSUPEROK
This keyword defines how SUPER.SUPER (255,255) will be treated. If SUPERSUPEROK is set to ON, then SUPER.SUPER is capable of logging on to any user id or Safeguard alias in the group. If SUPERSUPEROK is OFF, SUPER.SUPER will be evaluated as any other userid and must adhere to the access rules as defined in the UAACL.
B48: TIME
The TIME keyword defines the day and time range when logons are allowed. XUA will search for the user in both UAGroups and TIMEGroups (see page 252) and combine the restrictions to rule on the logon request.
Appendix C: XUA Macros Several macros are supplied with the XUA software. These macros provide extra functionality or convenient methods of performing common tasks. Note: Throughout this manual, it is assumed that XUA is the name assigned to XUA at installation. If your installation uses another name, the macro names will change to match the name at your installation. The XUA macros are stored in the XUA_SEG TACL segment that is attached when the user executes XUA INSTALL.
XYGATE® User Authentication™ Reference Manual Appendix C: XUA Macros C2: XUA_AUDIT_REPORT The XUA_AUDIT_REPORT is invoked by the XUA_REPORT macro described on page 304. It generates the ENFORM report using the criteria selected with the Report Selection Screen. The XUA_AUDIT_REPORT macro is available for batch purposes. Refer to Chapter 19, “XUA Auditing and Audit Reports” starting on page 175 for descriptions of all the selection criteria available for customizing reports.
XYGATE® User Authentication™ Reference Manual Appendix C: XUA Macros result Explanation of audit event; specify * for all. audit-file The name of the audit file from which to pull report data; for example, $SYSTEM.XYGATEUA.AUDIT. output-location Spooler location and report name; for example, $S.#XUA.REPORT. sort-type Specify SUBJECT, TARGET, TIME, SESSION, COUNTS, or . delete-comments Specify YES if you want to suppress comments; otherwise, specify NO.
XYGATE® User Authentication™ Reference Manual Appendix C: XUA Macros results will be included. All target login names and target users will be included. All outcomes will be selected. Final outcome ONLY will not be selected. Note: The arguments to the macro cannot have spaces in them, as spaces are used to determine which token is which. For the subject login name and other multiple value options, use the backslash ( \ ). For example to exclude a user security.admin from the security group, use SECURITY.
XYGATE® User Authentication™ Reference Manual Appendix C: XUA Macros C3: XUA_DATETIME_MAKE The XUA_DATETIME_MAKE macro will calculate a date in the past equal to the entered. For example, if you enter 7, the macro will calculate the date seven days prior to the current date. An entry of 30 or 31 would be one month into the past. You can enter up to 3000 days in the past. The macro can be run on the command line or used in a TACL macro.
C4: XUA_DISPLAY_RADLOG The XUA_DISPLAY_RADLOG macro displays the contents of the RADIUS proxy log. Example 1: $SYSTEM.XYGATEUA 5> XUA_DISPLAY_RADLOG RADIUS Log $system.xygateua.zzradlog contains: -----------------------------------------------------MAIN(): Begin RADIUS Proxy on 05/16/12 @ 09:53:44 53:44 53:44 53:44 53:44 53:44 53:44 RADIUS host name:LINUX.XYPRO.
C5: XUA_DISPLAY_RSALOG The XUA_DISPLAY_RSALOG macro displays the contents of the RSA proxy log. Example 1: $SYSTEM.XYGATEUA 5> XUA_DISPLAY_RSALOG RSA Log $system.xygateua.
C6: XUA_DISPLAY_LDAPLOG The XUA_DISPLAY_LDAPLOG macro displays the contents of the selected LDAP proxy log. Syntax: XUA_DISPLAY_LDAPLOG Example 1: $SYSTEM.XYGATEUA 5> XUA_DISPLAY_LDAPLOG LDAP Log $system.xygateua.zzldlg1 contains: ********** BEGIN CLIENT TRANSACTION #0032 57:37 57:37 on 09/14/12 at 10:57:37 ********** Received Client request msg: 0054YN1N00000038abc.USER002@xypro-cf.
C7: XUA_EDIT_ACL The XUA_EDIT_ACL macro automates the recommended method of changing the UAACL file. First, the macro makes a duplicate of the current UAACL file and names it NEWUAACL. Then it presents the duplicate, NEWUAACL, for editing. After all editing changes are done, NEWUAACL is checked for syntax errors. If no errors are found, XUA_EDIT_ACL asks whether you want to install the new ACL.
XYGATE/UA 1.80 (c) 2003-2012 XYPRO Technology Corporation XYPRO Technology \SIMI 20121231 UACONF CHECKSUM 336940895 ($SYSTEM.XYGATEUA.UACONF) UAACL CHECKSUM 1451102739 ($SYSTEM.XYGATEUA.NEWUAACL) No syntax errors found Do you want to install the new ACL (Y/N) ?Y FILES DUPLICATED: 1 Last generation is $SYSTEM.XYGATEUA.
At this point, you can enter N to save the erroneous file so that you can fix the error, or enter Y to discard your changes. Either way, the existing UAACL file has not been changed and is still in use. Example – New UAACL file already exists If a NEWUAACL file already exists when you call XUA_EDIT_ACL, you need to decide what to do with that NEWUAACL file. Example 3: $SYSTEM.
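The safety property behind XUA_EDIT_ACL is that the live policy file is never edited in place: a copy is staged, checked, and only a clean copy is swapped in, while an erroneous copy is either kept for repair (N) or discarded (Y). The following Python module is an added illustration of that stage-validate-install pattern; it is not XYPRO's macro. Because the page does not give the UAACL grammar, the syntax check uses a constructed stand-in (blank lines and `==` comments are ignored, every other line must be `KEYWORD value` with KEYWORD from a hypothetical ALLOWED_KEYWORDS set), and the `.prev` backup name stands in for the macro's "Last generation" file.

```python
"""Stage, validate, then install a policy file without touching the live copy.

Added illustration of the XUA_EDIT_ACL workflow; this is not XYPRO's macro.
The ACL syntax checked here is a constructed stand-in, because the real UAACL
grammar is not given on this page: blank lines and '==' comment lines are
ignored, and every other line must be 'KEYWORD value...' with KEYWORD drawn
from ALLOWED_KEYWORDS (a hypothetical set).
"""
import os
import shutil
from typing import Dict, List

ALLOWED_KEYWORDS = {"UAGROUP", "ALLOW", "DENY"}  # hypothetical keyword set


def check_syntax(text: str) -> List[str]:
    """Return one message per offending line; an empty list means no errors."""
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("=="):
            continue                      # blank or comment line
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        if keyword not in ALLOWED_KEYWORDS:
            errors.append(f"line {lineno}: unknown keyword {parts[0]!r}")
        elif len(parts) == 1:
            errors.append(f"line {lineno}: {keyword} requires a value")
    return errors


def review_staged(current: str, staged: str, keep_on_error: bool = True) -> Dict[str, object]:
    """Pure decision step: which text stays active, and what happens to the staged copy.

    Mirrors the macro's prompts: a clean staged copy is installed; an erroneous
    one is kept for repair (the 'N' answer) or discarded (the 'Y' answer), and
    the live text is left unchanged in both error cases.
    """
    errors = check_syntax(staged)
    if errors:
        return {"installed": False, "active": current,
                "staged": staged if keep_on_error else None, "errors": errors}
    return {"installed": True, "active": staged, "staged": None, "errors": []}


def stage_copy(current_path: str, staged_path: str) -> None:
    """Duplicate the live file for editing, refusing to clobber an earlier staged copy."""
    if os.path.exists(staged_path):
        raise FileExistsError(f"{staged_path} already exists; decide what to do with it first")
    shutil.copyfile(current_path, staged_path)


def install_if_clean(current_path: str, staged_path: str, keep_on_error: bool = True) -> List[str]:
    """File-level wrapper around review_staged. Returns the error list (empty on install)."""
    with open(current_path, encoding="utf-8") as fh:
        current = fh.read()
    with open(staged_path, encoding="utf-8") as fh:
        staged = fh.read()
    verdict = review_staged(current, staged, keep_on_error)
    if verdict["installed"]:
        shutil.copyfile(current_path, current_path + ".prev")  # keep the previous generation
        os.replace(staged_path, current_path)                  # single rename, never half-written
    elif verdict["staged"] is None:
        os.remove(staged_path)                                 # the 'Y' answer: discard edits
    return verdict["errors"]


# Constructed sample policy texts used by the demo below.
CLEAN_ACL = "== sample policy\nUAGROUP admins\nALLOW admins\n"
BROKEN_ACL = "UAGROUP admins\nALOW admins\nDENY\n"

if __name__ == "__main__":
    print(review_staged(CLEAN_ACL, BROKEN_ACL)["errors"])
```

The decision logic is kept in `review_staged` so it can be exercised without a filesystem; `install_if_clean` adds the only two side effects that matter, a backup of the previous generation and a single rename, so the live file is either the old clean copy or the new clean copy and never a partially written one.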
C8: XUA_EXPLAIN Macro The XUA_EXPLAIN macro starts the XYGATEUA process in EXPLAIN mode, which generates information about its rulings on logon requests, including a list of the UAGroups that were considered. It is the equivalent of typing RUN XYGATEUA EXPLAIN. Refer to Chapter 16, “What-if Testing” starting on page 137 for instructions on testing XUA in this mode. Example: $SYSTEM.XYGATEUA 4> XUA_EXPLAIN XYGATEUA 1.
C9: XUA_EXPLAIN_ON|OFF The XUA_EXPLAIN_ON and XUA_EXPLAIN_OFF macros send a request to the running server to turn EXPLAIN on or off. Syntax: XUA_EXPLAIN_ON|OFF Example: How to put the XUA server into Explain Mode \NODE1 $SYSTEM.XYGATEUA 6> STATUS $XUA System \NODE1 Process $XUA Pri PFR %WT userid Program file Hometerm 199 011 222,80 $$SYSTEM.XYGATEUA.XYGATEUA $VHS Swap File Name: $AUDIT.#0 Current Extended Swap File Name: $AUDIT.
C11: XUA_INSTALL_LICENSE This macro allows the XUA security administrator to check a newly received license file and optionally load it. If you choose to load the new license, XUA renames the current license file (at the red arrow below) out of the way and moves the new license into place.
C12: XUA_NETWORK_CHECK The XUA_NETWORK_CHECK macro checks whether the HP NonStop system configuration is ready for LDAP, RSA or RADIUS authentication. When invoked, the macro prompts for the DNS name of the LDAP, RSA or RADIUS server. If a DNS name is provided, the macro performs a PING test; if no DNS name is provided, it skips the PING test and proceeds to the system check.
C13: XUA_NEXTGEN The XUA_NEXTGEN macro lets users check what the name of the next audit file will be when the current audit file reaches its maximum size and is rolled over. Syntax: XUA_NEXTGEN [] Where: is an audit filename that must be provided as input to this macro.
C15: XUA_SAFECOM_BOUNCE The XUA_SAFECOM_BOUNCE macro disables and then re-enables the XUA process. Example: $SYSTEM XYGATEUA 13> XUA_SAFECOM_BOUNCE XYGATEUA disabled XYGATEUA enabled C16: XUA_SAFECOM_DISABLE XUA_SAFECOM_DISABLE 'turns off' authentication event exit processing. It does not uninstall the XUA software; the XUA_SAFECOM_UNINSTALL macro must be used to uninstall the software.
C18: XUA_SAFECOM_INSTALL The XUA_SAFECOM_INSTALL macro modifies Safeguard to use XUA for the authentication event. This does not actually 'turn on' XUA (the XUA_SAFECOM_ENABLE macro does that); it only configures Safeguard to use the software. The macro checks Safeguard’s HOMETERM. If the $ZSMP process is running on a Telserv (dynamic terminal) or a non-existent terminal, XUA will not permit the user to install the SEEP.
C20: XUA_START This macro causes Safeguard to begin using the XUA server as the Authentication SEEP. Use this macro after the SEEP has been disabled with the XUA_STOP or XUA_SAFECOM_DISABLE macro. Example: $SYSTEM XYGATEUA 15> XUA_START XYGATEUA enabled C21: XUA_STATUS This macro displays the status of the XUA server.
C22: XUA_STOP This macro causes Safeguard to stop using the XUA server as the Authentication SEEP. The XUA server is not removed (uninstalled) from Safeguard, merely disabled. Use the XUA_START macro to make Safeguard resume using the XUA server.
C24: XUA_UPDATE_ACL This macro loads a NEWUAACL file that was created earlier but not put into use. It does not give you an opportunity to view or change the contents of the file. If you want to make further changes before loading the file, use the XUA_EDIT_ACL macro instead. Syntax: XUA_UPDATE_ACL Example: $SYSTEM XYGATEUA 10> XUA_UPDATE_ACL FILES DUPLICATED: 1 Last generation is $DISCB.P25SNTST.
VPROC - T9617G03 - (30 JAN 2009) SYSTEM \XYS7000 Date 21 SEP 2012, 14:59:01 Copyright 2004 Hewlett-Packard Development Company, L.P. SYSTEM.XYGATEUA.
PARAM-TEXT = cpus:1,8,9,0 min:4 max:8 object:$SYSTEM.XYGATEOS.XYGATEOS swap:$work1 param:SERVER EVENT-EXIT-PROCESS XPQ ENABLED = ON RESPONSE-TIMEOUT = 60 SECONDS ENABLE-AUTHENTICATION-EVENT = OFF ENABLE-AUTHORIZATION-EVENT = OFF ENABLE-PASSWORD-EVENT = ON PROG = $SYSTEM.XYGATEPQ.
C27: XUAHELP The XUAHELP macro displays the contents of the UAHELP file. Example: $SYSTEM.SECURITY 14> XUAHELP XUA_AUDIT_REPORT Allows user to generate report in single line which can reduce the size of a batch file XUA_DATETIME_MAKE This macro will calculate a date in the past equal to the days entered. This macro can be used to calculate dates and establish date ranges to include in a customized XUA report.
XUA_SAFECOM_BOUNCE Disables and then enables XUA in Safeguard. You must be logged on as a member of the SECURITY-ADMINISTRATION group or if not using the SECURITY-ADMINISTRATION group as a member of the SUPER group to run this macro. XUA_SAFECOM_DISABLE Disables, but does not remove, XUA in Safeguard.
C28: Specialty Configuration Macros The following macros are intended to assist in configuring XUA for special cases, such as the LDAP, RSA or RADIUS interface. The list of these macros is provided here for your information; the detailed descriptions can be found in the corresponding sections of this manual referred to below. XUA_LDAP_INSTALL assists in configuring an interface to an LDAP server (refer to section 12.5 on page 70).
XYPRO Technology Corporation 315 Proprietary and Confidential