MCP Security Overview and Implementation Guide

ClearPath MCP 21.0

June 2023

8205 7498-003

Copyright © 2023 Unisys Corporation.

Warranty Disclaimer

NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages.

You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used.

The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions.

Notice to U.S. Government End Users: This software and any accompanying documentation are commercial items which have been developed entirely at private expense. They are delivered and licensed as commercial computer software and commercial computer software documentation within the meaning of the applicable acquisition regulations. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys’ standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses.

Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation.
All other trademarks referenced herein are the property of their respective owners.

Table of Contents

Introduction
Documentation Updates
What’s New?
Secure MCP Environment
MCP Security Overview
Access Control
Restricting System Access
Security Policy Management
Status and Privileges
Security Administrator Status
Privileged User Status
Granulated Privileges
Defining Access Rights Using Security Center
Role-Based Access Control
Role-Based Access Control for Security Center and Workload Management
Role-Based Access Control for the Java Environment
Guard Files
Tape Security
Authentication
Authentication Methods
SECURITYSUPPORT Library
Kerberos and GSS-API
Windows Network Authentication Protocols (NTLM/NTLMv2)
Password Aging
Password Generation
Cryptography
Data Encryption
Ciphers and Message Digests
Key Exchange
Digital Signatures
Digital Certificates
Public Key Infrastructure
Key Generation and Support
Tape, CD, and DVD Encryption
Application, File, and Database Encryption
FIPS 140-2 Validation
Network Security
SSL/TLS
FTP Over SSL/TLS
SSL/TLS APIs
Secure File Transfer Protocol (SFTP)
SSH Client
Secure Terminal Sessions
Internet Protocol Security (IPsec)
Filtering
TCP/IP Packet Filtering
Dynamic Port Filtering
Client Access Services
Web Transaction Server
Audit and Assessment
SYSTEM/SUMLOG File
SYSTEM/SECURITYLOG File
Logging of Security-Related Events
Web Transaction Server Log
Locum SafeSurvey Utility
Locum SafeSurvey Utility Reports
Report Highlights
Locum SecureAudit Utility
Locum SecureAudit Utility Reports
Report Highlights
Locum RealTime Monitor Utility
PCI Compliance
Logging of Activities Associated with a Mix Number
Codefile Verification
Generating a Codefile Checksum
Verifying a Codefile Checksum
Maintaining Codefile Verification Data
Reporting Codefile Verification Data
Reporting Codefile Verification Failures
Installation Best Practices
Controlling System Security
Security Options: General Considerations
Security Option Values Set Automatically by Other Options
Security Option Values Set Explicitly
Setting the System SECADMIN Option (??SECAD Command)
Security-Administrator Status
Controlling Access to the Physical System
Controlling Access to the Computer Room
Recommendations for Computer Room Contents
Policies for Operators
Controlling Access to Devices Outside the Computer Room
Restricted-Access Devices Outside the Computer Room
Configuring Security Center to Use SSL/TLS
Secure Use of Remote Support
Hazardous Files
Securing Databases and ADDS Dictionaries
Database Elements
Using Guard Files
Protecting the Database Control File
Protecting the Database Data Files
Protecting the Database Audit Files
Logical Database Security
Securing the ADDS Dictionary
Securing an Enterprise Database Server Database That Uses ADDS
Initial Security Configuration Best Practices
Controlling System Access
Log-On Policy
Security Value of the Log-On Procedure
Maximum Log-On Attempts
Exceptions to the Log-On Procedure
Multi-Factor Authentication
Configuring Multi-Factor Authentication with a Third-Party Security Platform
Security Support Library
Types of Access Rights
Access Rights Designated in the SYSTEM/USERDATAFILE
Examples of Appropriate USERDATAFILE Attributes
Access Rights Designated in the COMS Utility
Examples of Appropriate Transaction Server Access Rights
Access Rights Associated with CANDE
Role-based Access for Applications
Controlling File Access
Mechanisms for Protecting Files
Basis of File-Access Checking
Security File Attributes
Scrubbing Data on Disk Files
Controlling Group Access to Files
GROUPCODE Grouping Mechanisms
Accesscode Grouping Mechanisms
Controlling Printer File Access
Protecting Remote Files
MCP File Access Management Feature in Security Center
Controlling Printing
Controlling Printing in the Print System
Controlling Remote-File Printing Through CANDE and Transaction Server
Security Uses of the FILEDATA Utility
Controlling Tape File Access
Implementing Tape Volume Security
Operating Tape Volume Security
Encrypting Library Maintenance Tapes, CDs and DVDs
Preparing for Use
Precautions for Safeguarding Data
Best Practices
Enabling Tape Encryption
Enabling Tape Decryption
Key or Keyset Compromise
Encrypting Disks
Preparing for Use
Precautions for Safeguarding Data
Best Practices
Enabling Disk Encryption
Key Compromise or Rekeying
Protecting Potentially Hazardous Files
System Commands for Potentially Hazardous Files
Files to Protect
Using Permanent Directories
Securing Wrapped and Container Files
Controlling Host Access
General Network Security Features
Access Control Features
Users from Remote Hosts
Restriction of Remote Hosts
TCP/IP Network Security Features
TCP/IP Access Control
Identification in a TCP/IP Network
Access to TCP/IP Network Commands
TCP/IP Filtering
Port Filtering
Dynamic Port Filtering
Broadcast Filtering
Enabling Port and Broadcast Filtering
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Secure Shell (SSH)
Web Transaction Server for ClearPath MCP
Telnet
Internet Protocol Security (IPsec)
Client Access Services Network Security Features
Kerberos Security Features
Authentication Support Features
Connectivity Services Security Features
BNA Network Security Features
BNA Access Control Features
Identification in a BNA Network
Access to BNA Network Commands
TCP/IP Filtering
Understanding TCP/IP Security Rules
Evaluating TCP/IP Security Rules
Deny and Allow Rules
Comparing Rules to Determine TCP/IP Request Action
Determining Open Ports on an MCP Server
Building a Rules File with the Security Policy Management Snap-in
Rules File Creation, Test, and Deployment Scenario
Comprehensive Example
Security with Web Transaction Server and WEBPCM
Web Transaction Server
Identifying Users and Allocating Access Rights
Tracking User Access
Restricting and Limiting User Access
Delaying Authentication Responses
Web Transaction Server Administration Security
Detecting User Break-In Attempts
Localizing Security Rules
Data Transparency
TCP/IP Filtering
Digest Authentication Is Unsupported
Using Web Transaction Server Site Manager to Configure Secure Transport
Requesting Client Certificates and Restricting Access
Hiding Server Identity
Use of Web Transaction Server with NTLM and Kerberos
WEBPCM
Identifying Users and Allocating Access Rights
Tracking User Access
Restricting and Limiting User Access
WEBPCM Administration Security
Detecting User Break-In Attempts
Localizing Security Rules
Data Transparency
Digest Authentication Is Unsupported
Use of WEBPCM with NTLM and Kerberos
NXSERVICES CREDENTIALS Files
Extension Kit for MCP Security Overview
Security in the MCP Environment
Extension Kit Security Considerations
Security in the Windows Environment
Security in the Container
Security Configuration
Maintaining System Security
Reinitializing the System
Making the SYSTEM/INFOGUARDSUPPORT Library Available
Tape Volume Security
Support and Maintenance
General Security Considerations
Adding Potentially Hazardous Files
Reinitializing the System
Support and Maintenance
Introduction to Security Center
Overview of Security Center
Locum SafeSurvey Client
Locum SecureAudit Client
Locum RealTime Config
Role-Based Access Control
Operation of Security Center
Security Center Guard File
Troubleshooting Connection and Access Problems
System Configuration
Client Access Services Pipe Definition
Client Displays “No process on the other end of the pipe”
Security Center Error Codes and Meanings
WINS and DNS Problems
Networking Problems (Ports Blocked)
Unable to Open Cryptography or User Realms Database
Installing Security Center
Preparing for Installation
Database Installation Process
System Library Requirements
Secure Erasure of Database Files
Troubleshooting
Migrating and Upgrading Security Center
Migrating the Security Center Database
Upgrading the Security Center Database
Key Manager Library
Operator Commands for the Key Manager Library
Troubleshooting the Key Manager Library
Support for Role-Based Access Control in the Application Environment
Java Realms
Realm Descriptor Attributes
Application Role-Based Access Control
Defining a User with Standard Usercode Attributes
Making a New Usercode
Standard Usercode Attributes
System-Maintained Usercode Attributes
Modifying Nonprivileged Usercode Attributes
Identifying Users from Remote Hosts
Using Local-Alias Usercodes
Automatic Log-On Service
Managing Usercodes for Remote Users
REMOTEUSER Statement
Functional Considerations
Identifying Kerberos Users
Protecting the USERDATAFILE
Protection from Unwarranted Change and Removal
Backing Up the USERDATAFILE
Security Configuration Best Practices
Network Security and Cryptography Services
Network Security Services
Kerberos Security
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Setting Up a Trusted Store
IP Security (IPsec)
Secure Shell (SSH)
MCP Cryptographic Services
Cryptography Overview
MCAPISUPPORT Library
CryptoProxy Service
Configuring the MCAPISUPPORT Library
MCP Cryptographic Services Manager
McpCryptoApi for User Applications
Database Encryption
Client Access Services Dependency on MCP Cryptographic Services
Installing Security Components
Installing SSL/TLS to the MCP Environment
Installing the MCP Components of MCP Cryptographic Services
Installing Kerberos Security to the MCP Environment
Installing Security Center to the MCP Environment
Installing the Windows Components of MCP Cryptographic Services
On-Premise Installation of Cryptography
Remote Installation of Cryptographic Services
Customizing Cryptography
Configuration
Diagnostics Logging and Troubleshooting
Activity Logging
Filtering Reports
Troubleshooting the Security System Layers
Audit and Compliance
Logging
Accountability
Auditing Tools
SUMLOG and Security Log
Controlling Access to the SUMLOG
MCP Security Policy Management
Selective Auditing Capability
Selective SUMLOG Access
Suggested Events and Actions to Log
LOGANALYZER
LOGGER
MCPSUPPORT Library Procedures
Making Audits
Defining Auditing Policy
Auditing with LOGANALYZER
LOGANALYZER Examples
Reading LOGANALYZER Reports
Counting Security Violations
Counting Logon Violations
Security-Violation Records and Suggested Responses
Violations That Do Not Increment Violation Counts
Logging of Security-Related Events
Logging of Network Security-Related Events
References and Related Documents

List of Figures

1. Guard File Protecting a File
2. Security Protocol Layers for ClearPath MCP Server
3. Cryptography Services Used with the MCP Environment

List of Tables

1. CLASS Security Option Values
2. CLASS Security Option Results (Value U)
3. CLASS Security Option Results (Values S0 – S2)
4. S1RESTRICTIONS and S2RESTRICTIONS Security Option Results
5. SECOPT Command Examples
6. SECOPT Option Purposes
7. SECOPT Command CANDE Option Values
8. SECOPT MECHANISMS Command Options
9. SECOPT MECHANISMS Command Option Attribute Values
10. SECOPT MECHANISMS Command Examples
11. Station Transaction Server Access Rights in a High-Security System
12. Log-On Identification Items
13. Types of Nonusercoded System Access
14. Required Secure Access Control Module Software
15. Usercode Restriction Options
16. Password Attributes
17. USERDATAFILE Attribute Settings for No System Security
18. USERDATAFILE Attribute Settings for Medium System Security
19. USERDATAFILE Attribute Settings for High System Security
20. Transaction Server Control-Capable Options
21. Security Specification Interaction
22. Methods for Assigning Transaction Server Control Capability
23. MONITOR Command Examples
24. Transaction Server Access Rights for Systems with Minimal Security
25. Transaction Server Access Rights for Systems with Medium Security
26. Transaction Server Access Rights for Systems with High Security
27. CANDE ?OP Command Options
28. Operations Affecting Tape Volume Attributes
29. Tape Volume Attributes Affected by Operations
30. LISTVOLUME Report for the Volume Directory
31. SL Command Options
32. Network Service Function Levels
33. BNA Node Access Control Levels
34. Network Prefix (NW) BNA Commands
35. Component Field Syntax
36. Codes Reported at the Security Center Workstation Client
37. Codes Reported at the ODT
38. Realm Descriptor Attributes for USERDATA
39. Usercode Attributes
40. LOGSELECT Values 0–7
41. LOGSELECT Values 8–15
42. USEDEFAULTCHARGE Summary
43. System-Maintained Usercode Attributes
44. Changing Nonprivileged Usercode Example
45. Log Entry Classes
46. Security Violation Codes
47. Violations That Do Not Increment Violation Counts
48. Networking Commands by Code
49. Networking Reports by Code
50. Networking Log-Only Reports by Code
     Next
     Introduction