Client Access Services is a ClearPath MCP feature that enables Windows workstations to interoperate with the MCP environment of a ClearPath MCP server in much the same way as they interoperate with the Windows server. This feature supports both file access and client/server programs that make use of named pipes.
Client Access Services provides a variant of X/Open SMB USER level security. (Refer to X/Open CAE Specification (1992), Protocols for X/Open PC Interworking: SMB, Version 2.) With USER level security, access to a server is available only after the server validates the username and password.
Using the Password GUEST
Client Access Services makes special use of the password GUEST. Specifying this password causes Client Access Services to provide guest access using a specially defined guest usercode. This feature is enabled by the presence of an RU specification of the form *ANYUSER OF NXSERVICES LOCALALIAS=<guest code> for a valid usercode <guest code> in the userdatafile.
Using a Mapped Usercode
Client Access Services supports a user aliasing feature that allows a user to establish a session with a usercode that is different from his workstation username. This aliasing is enabled by the presence of an RU specification of the form USERNAME OF NXSERVICES LOCALALIAS=<usercode> in the userdatafile where USERNAME is the user's username at his workstation.
Encrypted Password
Client Access Services supports encrypted passwords from Windows workstations connected to the MCP environment over a LAN, using an authentication protocol often referred to as the NTLM protocol.
Microsoft networking has a number of different algorithms for password authentication. The newer algorithms are more secure than the older ones.
NTLMv2 Encryption
Besides NTLM, there is a more secure authentication protocol called NTLMv2. This protocol makes attacks on servers by malicious clients much more difficult to accomplish.
You can configure newer Windows clients such that they refuse to use the pre-NTLMv2 algorithms for password encryption. Windows clients configured in this way cannot be authenticated by MCP systems that are not configured for either Kerberos authentication (for example, Active Directory Domain authentication) or NTLMv2 authentication.
The NOLMHASH security option determines whether the LM password is stored in the USERDATAFILE and whether the LM protocol can be used for authentication.
You can change the setting of the NOLMHASH option to enable the LM protocol with the following system command:
SECOPT - NOLMHASH
Case Sensitivity in Passwords
Some Windows authentication protocols are case-sensitive. Passwords are not uppercased before being processed through the one-way functions. As a result, when a Windows client and an MCP system negotiate use of these protocols, the capitalization of the MCP system password entered by the user of the Windows client must match the capitalization of the password stored on the MCP system.
If quotation marks were used or if the CASESENSITIVEPW security option is set when establishing the MCP system password, then the capitalization of the password stored on the MCP system is exactly as entered. If quotation marks were not used and the CASESENSITIVEPW security option is reset when establishing the MCP system password (or if the password was changed from a Windows client), the password stored on the MCP system is in uppercase letters.
SMB Signing
Server Message Block (SMB) signing is a security mechanism in the SMB protocol that reduces the likelihood that an SMB session can be compromised. SMB signing adds an authenticating signature to each message that allows both the client and the server to verify that each message is from the entity they originally started the session with; for example, that a rogue system is not trying to take over the session and impersonate either the client or server.
The MCP system must have a Cryptography Engine enabled in order to use this feature.
SMB signing for Client Access Services is enabled with the SERVERSIGNING security option. By default, this option is set to DISABLED. To enable SMB signing, set this option to either ALLOWED or REQUIRED.
Enabling SMB signing makes Client Access Services compatible with Windows systems that have enabled the local security policy option Microsoft Network Client: Digitally sign communications (always).
The redirector also supports SMB signing. SMB signing for the redirector is enabled with the CLIENTSIGNING security option. Enabling CLIENTSIGNING makes the redirector compatible with Windows systems that have enabled the local security policy option Microsoft Network Server: Digitally sign communications (always).
Refer to the Client Access Services Administration Guide for additional information about the SMB signing feature.
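An added illustration of the per-message signature described above, not code from Client Access Services: it uses the SMB 2.x scheme (HMAC-SHA256 over the whole packet with the signature field zeroed, truncated to 16 bytes), while SMB 3 dialects use a different MAC. The session key, packet fields and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 48, 16           # Signature field of the 64-byte SMB2 header
FLAGS_OFF, FLAG_SIGNED = 16, 0x08   # Flags field and the SMB2_FLAGS_SIGNED bit

def build_packet(message_id: int, session_id: int, body: bytes) -> bytes:
    """Constructed SMB2 packet: 64-byte header (signature zeroed) plus body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         b"\xfeSMB", 64, 0, 0,   # ProtocolId, StructureSize, CreditCharge, Status
                         0x0009, 1, 0, 0,        # Command (WRITE), Credits, Flags, NextCommand
                         message_id, 0, 1,       # MessageId, Reserved, TreeId
                         session_id, b"\x00" * SIG_LEN)
    return header + body

def _mac(key: bytes, packet: bytearray) -> bytes:
    # The MAC always covers the packet with the signature field set to zero.
    packet[SIG_OFF:SIG_OFF + SIG_LEN] = b"\x00" * SIG_LEN
    return hmac.new(key, bytes(packet), hashlib.sha256).digest()[:SIG_LEN]

def sign_packet(key: bytes, packet: bytes) -> bytes:
    buf = bytearray(packet)
    flags = struct.unpack_from("<I", buf, FLAGS_OFF)[0] | FLAG_SIGNED
    struct.pack_into("<I", buf, FLAGS_OFF, flags)   # the flag is covered by the MAC too
    sig = _mac(key, buf)
    buf[SIG_OFF:SIG_OFF + SIG_LEN] = sig
    return bytes(buf)

def verify_packet(key: bytes, packet: bytes) -> bool:
    # Reject short or unsigned packets, then compare in constant time.
    if len(packet) < 64:
        return False
    if not struct.unpack_from("<I", packet, FLAGS_OFF)[0] & FLAG_SIGNED:
        return False
    received = packet[SIG_OFF:SIG_OFF + SIG_LEN]
    return hmac.compare_digest(received, _mac(key, bytearray(packet)))

# Constructed sample values: the key stands in for the negotiated session key.
SESSION_KEY = bytes(range(16))
SIGNED = sign_packet(SESSION_KEY, build_packet(7, 0x1122, b"constructed payload"))
TAMPERED = SIGNED[:-1] + b"X"                       # one payload byte altered in transit
OTHER_KEY = sign_packet(b"\x01" * 16, build_packet(7, 0x1122, b"constructed payload"))
```

A peer that does not hold the session key cannot produce a signature the other side accepts, which is what prevents a rogue system from taking over an established session.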
SMB Encryption
Server Message Block (SMB) encryption is a security mechanism in the SMB 3 protocol that ensures a secure connection for an SMB session. SMB encryption is available when security for data sent over the Internet is important. Encryption supersedes SMB message signing.
The MCP system must have a Cryptography Engine enabled in order to use this feature.
SMB encryption for Client Access Services is enabled with the SERVERENCRYPTION security option. By default, this option is set to DISABLED. To enable SMB server encryption, set this option to either ALLOWED or REQUIRED.
The redirector also supports SMB encryption. SMB encryption for the redirector is enabled with the CLIENTENCRYPTION security option. Enabling CLIENTENCRYPTION makes the redirector compatible with Windows systems that require signing at the session or share level. Refer to the Client Access Services Administration Guide for additional information about the SMB server encryption feature.
Refer to the System Software Utilities Operations Reference for additional information concerning SMB encryption when using the redirector feature.
Logging Capabilities
Client Access Services writes entries into the system log for various events, including session log on and log off and share access. Share access logging is controlled with a combination of the SHARELOGGING security option, the Client Access Services general server attribute SHARELOGGING, and the Client Access Services share attribute LOGGING. These options and attributes allow the system administrator to control the level of logging for different shares.

