The security administrator can use Operations Interface (OI) commands to configure and inquire about the MCAPISUPPORT library. The security administrator can:
- Specify the Windows environments of a ClearPath MCP server that are to be used for executing cryptography algorithms.
- Initiate and terminate the MCAPISUPPORT library.
- Inquire about the status of the MCAPISUPPORT library and CryptoProxy services.
- List the database encryption keysets.
The security administrator can use the following commands to configure the MCAPISUPPORT library:
- NA MCAPI CRYPTOALLOCATION
- NA MCAPI CRYPTOPROXY
- NA MCAPI +
- NA MCAPI –
The following status commands are available:
NA MCAPI CRYPTOALLOCATION
This command is used to define and control the Windows environments within the ClearPath MCP server that are used to execute the cryptography algorithms.
| Note: | The administrator should use the MCP Cryptographic Services Manager of Security Center to install keys and certificates to the ClearPath MCP server. MCP Cryptographic Services should be installed on each of the Windows environments that are planned for cryptography use. For more information, see MCP Cryptographic Services Manager. For more information on Security Center, see Introduction to Security Center and the Security Center Help. |
── NA ── MCAPI ── CRYPTOALLOCATION ────────────────────────────────────────►
►─┬─────────────────────────────────────────────────────────────────────┬──┤
  ├─ DISTRIBUTED ─┬─ ALL ───────────────────────────────────────────────┤
  │               │       ┌◄──────────────────┐                         │
  │               ├─ + ─┬─┴─┬─<IP address>──┬─┴─────────────────────────┤
  │               └─ ─ ─┘   └─<domain name>─┘                           │
  ├─ ACTIVE ── = ─┬─<IP address>──┬─ , ── STANDBY ── = ─┬─<IP address>──┤
  │               └─<domain name>─┘                     └─<domain name>─┤
  ├─ ONEONLY ── = ─┬─<IP address>──┬────────────────────────────────────┤
  │                └─<domain name>─┘                                    │
  └─ NONE ──────────────────────────────────────────────────────────────┘
The following options determine the allocation method to be used. If an option is not specified, then the current setting of the CRYPTOALLOCATION command is displayed.
DISTRIBUTED
New requests for cryptographic services are allocated in a successive and circular fashion to each Windows environment in the list.
- ALL indicates that every available Windows environment within the ClearPath MCP server is used.
  ALL is the default setting, which is applied when the MCAPISUPPORT library initializes and cannot locate its configuration file.
- The options + and – enable you to add or remove certain IP addresses or domain names from the list for cryptographic services.
  When a CRYPTOALLOCATION command changes the allocation from "ALL" to "+", the cryptographic services previously allocated via the "ALL" option are deleted before the "+" is done.
ACTIVE/STANDBY
All new requests for cryptographic services are made to the CryptoProxy service defined by ACTIVE. If that Windows environment is not available, then the request is routed to the CryptoProxy service defined by STANDBY. When the CryptoProxy service defined by ACTIVE becomes available again, all new requests are routed to it.
ONEONLY
Only the specified Windows environment is to be used.
NONE
No Windows environment can be used to run the cryptographic algorithms. This in effect disables the MCAPISUPPORT library.
For example:
NA MCAPI CRYPTOALLOCATION
Current Proxy Allocation Method: DISTRIBUTED ALL with these Windows Environments:
192.168.16.14 Open Contexts(0)
NA MCAPI CRYPTOALLOCATION DISTRIBUTED ALL
NA MCAPI CRYPTOALLOCATION ACTIVE=192.168.16.2, STANDBY=192.168.17.2
NA MCAPI CRYPTOALLOCATION ONEONLY=clearpathnta.prod.mycompany.com
| Note: | These IP addresses must be NNS EVLAN IP addresses. |
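The command forms in the syntax diagram can be checked mechanically before they are entered at the OI, for instance when reviewing a change script. The following is an added example, not Unisys code and not part of the original documentation; the function names, the INQUIRY label, the acceptance of commas or spaces between list items, and the hostname rule are assumptions.

```python
import ipaddress
import re

# Assumed hostname rule (RFC 1123 labels); the page only says <domain name>.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _target(token):
    """Validate one <IP address> or <domain name> operand."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        pass
    labels = token.split(".")
    if all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return token.lower()
    raise ValueError(f"not an IP address or domain name: {token!r}")

def parse_cryptoallocation(command):
    """Parse one NA MCAPI CRYPTOALLOCATION command into a dict."""
    words = command.replace("–", "-").split(None, 3)   # accept the en dash too
    if [w.upper() for w in words[:3]] != ["NA", "MCAPI", "CRYPTOALLOCATION"]:
        raise ValueError("not a CRYPTOALLOCATION command")
    rest = words[3].strip() if len(words) > 3 else ""
    if not rest:
        return {"method": "INQUIRY"}   # no option: current setting is displayed
    if rest.upper() == "NONE":
        return {"method": "NONE", "disables_library": True}
    m = re.fullmatch(r"(?i)DISTRIBUTED\s+(ALL|[+-])\s*(.*)", rest)
    if m:
        op, tail = m.group(1).upper(), m.group(2).strip()
        if op == "ALL":
            if tail:
                raise ValueError("ALL takes no address list")
            return {"method": "DISTRIBUTED", "scope": "ALL"}
        if not tail:
            raise ValueError("+ / - needs at least one address or name")
        # Assumption: list items are separated by commas and/or spaces.
        targets = [_target(t) for t in re.split(r"[,\s]+", tail)]
        return {"method": "DISTRIBUTED", "op": op, "targets": targets}
    m = re.fullmatch(r"(?i)ACTIVE\s*=\s*(\S+?)\s*,\s*STANDBY\s*=\s*(\S+)", rest)
    if m:
        return {"method": "ACTIVE/STANDBY", "active": _target(m.group(1)),
                "standby": _target(m.group(2))}
    m = re.fullmatch(r"(?i)ONEONLY\s*=\s*(\S+)", rest)
    if m:
        return {"method": "ONEONLY", "target": _target(m.group(1))}
    raise ValueError(f"unrecognized option: {rest!r}")
```

The parser checks syntax only; it cannot tell whether an address is an NNS EVLAN IP address.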
NA MCAPI CRYPTOPROXY
This command is used to interrogate which CryptoProxy services are active and have opened communications with the MCAPISUPPORT library.
NA MCAPI CRYPTOPROXY
Current Proxy Allocation Method: DISTRIBUTED ALL with these Windows
Environments:
192.168.16.14 Open Contexts(0)
For Libra 4100 and later systems, you can stop or start the CryptoProxy service. This option is useful when you want to update the CryptoProxy service to a later version while the MCP Firmware is running.
── NA ── MCAPI ── CRYPTOPROXY ─┬────────────────────────┬──────────────┤
                               ├─ STOP ──┬─<IP Address>─┘
                               └─ START ─┘
NA MCAPI CRYPTOPROXY STOP 255.255.255.9
NA MCAPI CRYPTOPROXY START 255.255.255.9
NA MCAPI + or NA MCAPI –
This command is used to manually initiate or terminate the MCAPISUPPORT library.
NA MCAPI STATUS
This command is used to interrogate and display the status of each CryptoProxy service. The interrogation can be limited to a selected set of proxies by specifying a list of IP addresses, separated by commas, following the word STATUS.
── NA ── MCAPI ── STATUS ───┬────────────────────────────────────────┬─────┤
                            │       ┌◄──────── , ───────┐            │
                            └───────┴───<IP address>────┴────────────┘
NA MCAPI DEBUG
This system command controls debug tracing for the McpCryptoApi and interrogates the current setting of the McpCryptoApi DEBUG option.
── NA ── MCAPI ── DEBUG ────┬──────────────────────────┬──────────────────┤
                            ├─ + ─ TRACE ─┬────────┬───┤
                            │             ├─ MIN ──┤   │
                            │             └─ FULL ─┘   │
                            └─ - ─ TRACE ──────────────┘
NA MCAPI DEBUG + TRACE or NA MCAPI DEBUG – TRACE
This command turns tracing on or off in the McpCryptoApi library and in the CryptoProxy in the Windows environment.
The DEBUG + TRACE MIN option sets the tracing level to minimum. When set to minimum, the MCAPI traces the entry to and exit from interfaces, including the input parameters and output values, and the context handle for each call. Tracing from I/O procedure calls is omitted, with the exception of errors, which are always traced. Additionally, proxy debug tracing is reset.
The DEBUG + TRACE FULL option resets the tracing level to the default setting, full.
Tracing produced by the McpCryptoApi library goes into the SUMLOG and can be viewed in LOGANALYZER with the following command:
LOG DIAG(MCAPI) UC.
Tracing produced by the CryptoProxy goes into a file in the Windows environment called CryptoProxyDebugFile_xx.txt, where xx is a number from 1 to 25.
Whenever the CryptoProxy is started, it creates a new file.
The debug file can be found in the directory:
C:\ProgramData\Unisys\Mcp Firmware\Cryptography\
The setting of the DEBUG option is remembered across halt/loads and restarts of the McpCryptoApi library. If the option is turned on and a halt/load is done, when the McpCryptoApi library comes back up, tracing will still be enabled.
NA MCAPI LIST DMKEYSETS
This command lists the database keys that exist on the system.
── NA ── MCAPI ── LIST ─── DMKEYSETS───────────────────────────────────────┤

