Specifications
OpenVMS Operating System for Alpha and VAX (Versions 7.1, 7.1–1H1, 7.1–1H2, and 7.1–2) SPD 41.87.06
Operations
OpenVMS allows for varying levels of privilege to be assigned to different operators. Operators can use the OpenVMS Help Message utility to receive online descriptions of error messages. In addition, system-generated messages can be routed to different terminals based on their interest to the console operators, tape librarians, security administrators, and system managers.
Security
External Authentication
External authentication is an optional feature introduced in OpenVMS Version 7.1 that enables OpenVMS systems to authenticate designated users within a LAN Manager domain using their LAN Manager user name and password.
Users who are externally authenticated by their LAN Manager need only remember a single user name/password combination to gain access to their OpenVMS and LAN Manager accounts. In addition, the OpenVMS DCL command SET PASSWORD has been enhanced to update the user's password in the LAN Manager domain database (as well as optionally synchronize the SYSUAF password).
For externally authenticated users, the normal system authorization database (SYSUAF.DAT) is used to construct the OpenVMS process profile (UIC, privileges, quotas, and so on) and to apply specific login restrictions. However, there are two key differences between externally authenticated users and normal OpenVMS users. For externally authenticated users:
• The password stored in the SYSUAF is not the password used to verify the user at login time.
• The SYSUAF user name selected for OpenVMS process identification is not necessarily the same as the LAN Manager user name that was used to authenticate the user at login. The system manager specifies the LAN Manager to OpenVMS user name mapping for each user.
Minimum requirements:
• PATHWORKS Version 5.0E for OpenVMS, operating as a LAN Manager domain member, backup domain controller, or primary domain controller
• DECwindows Version 1.2-4
Security APIs
With OpenVMS Version 6.2, security APIs for intrusion detection, proxy access, and impersonation services were added on both the Alpha and VAX platforms to provide better security in client/server applications.
Government Security Ratings
As the following table illustrates, OpenVMS is committed to consistently delivering rated security in our base products.
Version              Rating   Evaluation Date
OpenVMS Alpha 6.1    C2       1996
SEVMS Alpha 6.1      B1       1996
OpenVMS VAX 6.1      C2       1995
SEVMS VAX 6.1        B1       1995
OpenVMS VAX 6.0      C2       1993
SEVMS VAX 6.0        B1       1993
VAX/VMS 4.3          C2       1988
These ratings represent the National Computer Security Center validation of the design of the OpenVMS and SEVMS operating systems against DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria. To obtain an evaluation summary, please visit the US NCSC Trusted Product Evaluation Program (TPEP) home page at http://www.radium.ncsc.mil/tpep/.
OpenVMS provides a rich set of tools to control user access to system-controlled data structures and devices that store information. OpenVMS employs a reference monitor concept that mediates all access attempts between subjects (such as user processes) and security-relevant system objects (such as files). OpenVMS also provides a system security audit log file that records the results of all object access attempts. The audit log can also be used to capture information regarding a wide variety of other security-relevant events.
The system manager maintains user account information in the system user authorization file (SYSUAF). When creating user accounts with the Authorize utility, the system manager assigns the privileges and quotas associated with each user account. The system manager also assigns a user name, password, and unique user identification code (UIC) to each account. Additional identifiers can be assigned to each account, allowing users to belong to multiple overlapping groups or projects. The system manager can limit account use by the time of day, day of week, and type of access, such as local, remote, network, or batch.
To log in and gain access to the system, the user must supply a valid user name and password. The password is encoded and does not appear on terminal displays. Users can change their password voluntarily, or the system manager can specify how frequently passwords must change, a minimum password length, and whether randomly generated passwords are required.
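The account-management steps described above and the external-authentication setting described earlier, as an added AUTHORIZE session that is not part of this SPD: it creates a least-privilege account, sets its password policy, grants a project identifier, restricts when and how the account can be used, and marks it for external authentication. The user name JSMITH, UIC [200,10], the device and directory, and the identifier PAYROLL are constructed values; the LAN Manager to OpenVMS user name mapping is configured on the PATHWORKS side and is not shown.

```dcl
$! Constructed example: JSMITH, [200,10], DISK$USER and PAYROLL are
$! hypothetical values, not taken from the SPD.
$ RUN SYS$SYSTEM:AUTHORIZE
$!
$! Create the account with only the two privileges an ordinary
$! interactive user needs, as both the authorized and the default set.
$! The initial password is pre-expired (/PWDEXPIRED) so it must be
$! changed at first login; GENPWD then forces generated passwords,
$! PWDMINIMUM sets the minimum length and PWDLIFETIME the change interval.
UAF> ADD JSMITH /PASSWORD=CHANGE_ME_NOW /PWDEXPIRED /OWNER="J. Smith" -
_UAF> /UIC=[200,10] /DEVICE=DISK$USER /DIRECTORY=[JSMITH] -
_UAF> /PRIVILEGES=(TMPMBX,NETMBX) /DEFPRIVILEGES=(TMPMBX,NETMBX) -
_UAF> /MAXJOBS=4 /PWDMINIMUM=8 /PWDLIFETIME=90-00:00:00 /FLAGS=GENPWD
$!
$! Project membership through an identifier rather than a shared UIC
$! group, so the user can belong to several overlapping projects.
UAF> ADD/IDENTIFIER PAYROLL
UAF> GRANT/IDENTIFIER PAYROLL JSMITH
$!
$! Limit use by day of week, time of day and access type:
$! weekdays are primary days, weekends secondary.
UAF> MODIFY JSMITH /PRIMEDAYS=(MON,TUE,WED,THU,FRI,NOSAT,NOSUN)
UAF> MODIFY JSMITH /ACCESS=(PRIMARY, 7-18)
UAF> MODIFY JSMITH /NOACCESS=SECONDARY
UAF> MODIFY JSMITH /NODIALUP /NOBATCH
$!
$! Mark the account as externally authenticated: from now on the SYSUAF
$! password is not the one checked at login; the LAN Manager domain
$! verifies the user and SYSUAF only supplies the process profile.
UAF> MODIFY JSMITH /FLAGS=EXTAUTH
UAF> SHOW JSMITH
UAF> EXIT
$!
$! External authentication must also be enabled system-wide
$! (bit 0 of SYS$SINGLE_SIGNON), normally from SYLOGICALS.COM.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$SINGLE_SIGNON 1
```

The SHOW output is the place to confirm that the privilege, access-restriction and flag fields match what was intended before the account is handed over.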