Security Center enables the security administrator to configure and manage several MCP security modules through a single graphical user interface (GUI). These actions are accomplished through the concept of policies, both for the system security settings and for user accounts. For system security, policies define the default settings for all system security options. For user accounts, policies define which attributes are assigned to users, along with any default values for those attributes.
Security Center supports role-based access control by defining permissions that can be grouped into specific roles. You can define different roles and place all Security Center operations into one or more roles. For more details, see Role-Based Access Control.
Security Center includes the following features:
- MCP Security Policy Management enables an administrator to establish and organize system-wide security settings and user account policies, and to maintain a history of changes made to the system policy settings. These policies can be derived from the preconfigured sample policies distributed with Security Center or built from scratch.
Sample policies are provided with predefined standard logging options that correspond to different security levels (S0, S1, S2, and U). In addition, the security administrator can establish a set of options appropriate to the site.
The logging options specify which of four result types recorded in a log record (success, failure, security relevant, security violation) result in a given major and minor type being logged. The logging options also determine whether records of that subtype are written to a system log, to the job log for the job, or to both logs.
For example, if the “security relevant” bit of subtype 2/3 (Beginning of Task) is set for SUMLOG and is not set for the job log, then, when a type 2/3 record is generated and its result type is “security relevant,” it is written to the system log (in this case, to the security log) and not to the job log.
The Security Policy snap-in provides two capabilities for administering the logging options:
- The Analyzer function enables the user to compare the currently active logging options to those in the policies.
- The Modify function enables the user to modify current settings and policies.
The TCP/IP Filtering Rules feature is a component of the MCP Security Policy Management snap-in. Security Policy Management can be used to create, update, test, and maintain the rules applied by the TCP/IP network provider to all incoming and outgoing packets. By using these rules, the security administrator can restrict access to the MCP environment. This feature provides a wizard designed to help the security administrator create and edit rules files. See TCP/IP Filtering for more information on TCP/IP filtering.
The IPsec policy feature of the MCP Security Policy Management module enables an administrator to create, test, modify, reorder, and delete the IPsec policies applied by the TCP/IP network provider to IP packets (if enabled). This feature provides a wizard designed to help the security administrator implement IPsec policies.
Refer to Network Security and Cryptography Services for more details on configuring, testing, and deploying IPsec policies.
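The logging-option semantics described above (four result-type bits per major/minor record type, set independently for SUMLOG and for the job log) and the Analyzer function's comparison of active options against a policy can be made concrete with a small model. The following is an added example written for this page, not Security Center's own code; the `LoggingOption` class, the `destinations` and `analyze` functions, and the policy contents are all constructed for illustration, and the second subtype number (9/9) is invented rather than a real MCP record type. The model generalizes the single 2/3 example in the text to any set of subtypes and reports, per log, which result types the active settings drop relative to the policy.

```python
"""Added example: model of MCP logging options (system log vs. job log, four
result types per major/minor record type) plus an Analyzer-style comparison of
active options against a policy. Illustrative only; not Security Center code."""
from dataclasses import dataclass

# The four result types a log record can carry (from the page).
RESULT_TYPES = ("success", "failure", "security_relevant", "security_violation")
SYSTEM_LOG = "system_log"   # SUMLOG / security log
JOB_LOG = "job_log"         # the job's own log


@dataclass(frozen=True)
class LoggingOption:
    """Options for one major/minor type: which result types go to each log."""
    system_log: frozenset = frozenset()
    job_log: frozenset = frozenset()


def destinations(options, major, minor, result_type):
    """Return the set of logs a (major, minor) record with this result type is written to.

    A subtype whose options were never set logs nothing at all, which is exactly
    the gap an analyzer has to surface.
    """
    if result_type not in RESULT_TYPES:
        raise ValueError(f"unknown result type: {result_type!r}")
    opt = options.get((major, minor), LoggingOption())
    dests = set()
    if result_type in opt.system_log:
        dests.add(SYSTEM_LOG)
    if result_type in opt.job_log:
        dests.add(JOB_LOG)
    return dests


def analyze(active, policy):
    """Compare active logging options with a policy, Analyzer-style.

    Returns {(major, minor): {log: {"missing": [...], "extra": [...]}}} for every
    subtype whose active settings differ from the policy. "missing" lists result
    types the policy logs but the active settings do not (a coverage gap);
    "extra" lists result types logged beyond what the policy asks for.
    """
    diffs = {}
    for key in sorted(set(active) | set(policy)):
        a = active.get(key, LoggingOption())
        p = policy.get(key, LoggingOption())
        if a == p:
            continue
        diffs[key] = {}
        for log in (SYSTEM_LOG, JOB_LOG):
            want, have = getattr(p, log), getattr(a, log)
            diffs[key][log] = {"missing": sorted(want - have), "extra": sorted(have - want)}
    return diffs


# Constructed site policy: hypothetical values, not a shipped S0/S1/S2/U sample.
POLICY = {
    (2, 3): LoggingOption(  # 2/3 is Beginning of Task, as in the text
        system_log=frozenset({"failure", "security_relevant", "security_violation"}),
        job_log=frozenset({"failure", "security_violation"}),
    ),
    (9, 9): LoggingOption(  # invented subtype number, used only for illustration
        system_log=frozenset({"security_violation"}),
        job_log=frozenset({"security_violation"}),
    ),
}

# Constructed active options reproducing the page's example: the security-relevant
# bit for 2/3 is set for SUMLOG but not for the job log; 9/9 was never configured.
ACTIVE = {
    (2, 3): LoggingOption(system_log=frozenset({"security_relevant"}), job_log=frozenset()),
}


if __name__ == "__main__":
    print(destinations(ACTIVE, 2, 3, "security_relevant"))  # {'system_log'}
    for key, per_log in analyze(ACTIVE, POLICY).items():
        for log, delta in per_log.items():
            if delta["missing"]:
                print(f"type {key[0]}/{key[1]} {log}: not logging {delta['missing']}")
```

Run as a script it prints the destination set for the page's 2/3 example and then lists, per subtype and per log, the result types the active settings fail to record. Treating "missing" separately from "extra" matters in review: a missing failure or security-violation bit is a detection gap to close, whereas an extra bit is only a volume question.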
- MCP File Access Management enables an administrator to create and apply guard files through a wizard and to manage MCP file security attributes.
- MCP User Account Management enables an administrator to manage MCP user accounts, configure remote user access, and configure Transaction Server usercode entries. It also enables management of Java Realms (for MCP-enabled user realms for J2EE) and Application Realms (for application role-based access control). For more information about realms, see Support for Role-Based Access Control in the Application Environment.
For usercode attributes and Transaction Server usercode attributes, Security Center uses the concept of an active policy that defines the attributes shown. This active policy can be selected from the user account policies and Transaction Server usercode policies that are available on the security administrator's workstation. User Account Management also allows the security administrator to use the Query Browser feature to obtain a list of all usercodes qualified by user attributes, and to receive alerts when certain USERDATAFILE actions occur.
- MCP Cryptographic Services Manager enables the security administrator to generate and manage keys, certificates, and certificate stores for use with the Secure Transport, tape encryption, and McpCryptoApi for User Applications products. MCP Cryptographic Services Manager also controls keys associated with database encryption.
- MCP Kerberos Management enables the security administrator to configure the MCP Kerberos product on an MCP server. The Kerberos Configuration Manager is designed to make it easier for the security administrator to install, configure, and manage Kerberos security and principal identifiers. Security administrators of Kerberos must have security-administrator privileges in the MCP environment and administrator privileges on the Windows 2000 server acting as the Key Distribution Center (KDC) for the Kerberos system. MCP Kerberos Management also provides wizards to help the security administrator enable the Kerberos product on the MCP environment.
- The Security Center database holds the MCP environment key and certificate information in the Cryptographic Services logical database and holds user realm information in the realms logical database. Access to the database is controlled by the SECURITYCENTERGF guard file. The database must be at the same level as the Security Center server.
- MCP Neighborhood Explorer extension enables you to interact with your MCP file system. It uses Windows Explorer to present data as a structured hierarchy of folders and files. MCP servers are presented under the “MCP Neighborhood” icon, similar to the way that Windows Explorer presents your other network computers and resources. This connection to MCP servers enables programs such as Security Center, Workload Manager, and License Center to have full access to the complete MCP file system, as though they were logged onto a CANDE session.

