Product Overview
Security Center enables security administrators to define, document, and apply a corporate security policy to an MCP ClearPath server. The following system security features are included in Security Center:
- Create and apply user account policies for user accounts.
- Manage role-based access control for Application and JAVA Realms.
- Create and apply system-wide security policies.
- Create and apply guard files.
- Use MCP File Explorer to navigate a tree structure of the MCP file system to
  - Display file properties.
  - View and modify the file attributes SECURITYTYPE, SECURITYUSE, and SECURITYMODE.
  - View and modify file permissions.
- Provide for the maintenance and creation of Remote Users, Kerberos users, Transaction Server users, and user accounts.
- Manage network policies (TCP/IP filtering and IPsec).
- Manage the cryptography environments and the keys and certificates for use by applications using the MCP Cryptographic Services. For more information, refer to Operating Environment Encryption Option.
- Configure and manage the Kerberos configuration information.
The Unisys Locum RealTime Monitor, Unisys Locum SafeSurvey, and Unisys Locum SafeAudit products are integrated with Security Center.
General Features
- If role-based access control is enabled for the Security Center product, then the role of the usercode determines what operations the usercode can perform. If role-based access control is disabled, then the attributes of the usercode determine whether or not the usercode can connect to Security Center.
- Users of systems with the SECADMIN feature turned off need PU (privileged user) privileges to access Security Center. Users of systems with the SECADMIN feature turned on must have SECADMIN privileges to access Security Center.
Security Center provides an environment for running management applications, structured as components and referred to as modules.
The server applications run on ClearPath servers. The client applications run on Windows platforms.
The following modules are available in Security Center.
Security Policy Management Module
The Security Policy Management module enables you to
- Create and maintain user account policies to be used for maintaining MCP user accounts.
- Create, maintain, and apply system-wide security policies across multiple ClearPath servers. These security policies contain the logging options of the MCP server for the system SUMLOG and job log.
- Maintain a history of system-wide policy changes.
- Use a default Transaction Server template to create Transaction Server users.
- Use the TCP/IP filter rules feature to create, update, and maintain the rules applied by the TCP/IP network provider to all incoming and outgoing packets. By using these rules, security administrators can restrict access to the MCP Environment. This feature provides a wizard to help security administrators to create and edit rule files.
  This feature also includes a testing wizard to test the rules file before deploying it to the Unisys ClearPath MCP Environment.
- Create, maintain, test, and apply IPsec policies to the ClearPath MCP Environment.
File Access Management Module
The File Access Management module provides the ability to
- Create, maintain, and apply MCP GUARDFILES to restrict access to files and databases.
- Use MCP File Explorer to navigate a tree structure of the MCP file system to
  - Display file properties.
  - View and modify the file attributes SECURITYTYPE, SECURITYUSE, and SECURITYMODE.
  - View and modify file permissions.
MCP User Account Management Module
The MCP User Account Management module provides the ability to
- Maintain MCP user accounts, remote users, Kerberos user identities, and Transaction Server account information.
- Apply user account policies created in the MCP Security Policy Management module.
- Clone an existing usercode. All attributes other than username are prefilled with the values of the existing usercode. Administrators can also clone a remote user or a Transaction Server user.
- Query the system using various criteria and save the results into the MMC framework for later use. Modify and delete usercodes based on the result of a query.
- Create, modify, and deploy user realms for the Java EE authentication and role-based authorization in the JBoss® Enterprise Application Platform (JBoss EAP). Realms associate usercodes with their assigned roles, specifically for use by the JBoss EAP. Role-based access control assigns roles to usercodes rather than assigning them to groups, thus minimizing management overhead.
- Create, modify, and deploy role-based access control for applications running on an MCP server. Role-based access control assigns roles to usercodes rather than assigning them to groups. Applications can define realms (either applications or application subsystems), permissions, roles, and populate these sets with usercodes.
MCP Cryptographic Services Management (CSM) Module
The MCP Cryptographic Services Management (CSM) module enables security administrators to configure and manage keys, certificates, and certificate stores for use with the ClearPath Secure Transport, McpCryptoApi for User Applications, and Library Maintenance Tape Encryption products and with the IPsec feature.
Security Center replicates the information between cryptographic environments—Cryptographic CoProcessors or Windows environments. The key, certificate, and certificate store information are kept in a secure Enterprise Database Server database in the MCP Environment.
The CSM module enables the security administrator to generate asymmetric keys and certificates for applications to use ClearPath Secure Transport, Web Transaction Server, FTP services, Secure Sockets Layer, or MCPCryptoApi for User Applications. CSM generates the machine keys for Tape Encryption as well as the symmetric keys for use by IPsec.
The CSM module also enables the security administrator to back up and restore keys and certificates. This capability is useful for sharing keys with disaster recovery sites (for Tape Encryption) and for sharing keys between systems using the IPsec feature. The configuration of the MCP cryptographic environment used for encryption can also be maintained with this module.
MCP Kerberos Configuration Management Module
The MCP Kerberos Configuration Management module enables security administrators to configure the MCP Kerberos product on an MCP server. The Kerberos Configuration Manager makes it easier for security administrators to install, configure, and manage Kerberos security and principal identifiers. Security administrators of Kerberos must have security administrator privileges in the MCP Environment and administrator privileges on the Windows server acting as the key distribution center (KDC) for the Kerberos system.
Unisys Locum Security, Alerting, Assessment, Auditing, and Administration Products
Unisys Locum security products provide comprehensive security alerting, assessment, auditing, and administration for ClearPath MCP systems. These products are available as part of Security Center.
The Unisys Locum products are summarized below:
- Unisys Locum Safe and Secure (ADMINISTER) provides administration capabilities for security administrators, auditors, and compliance officers.
- Unisys Locum RealTime Monitor (ALERT) is the MCP security dashboard that provides immediate alerts of security violations.
- Unisys Locum SafeSurvey (ASSESS) provides the ability to assess the security of the ClearPath MCP Environment and compare compliance and performance over time.
- Unisys Locum SecureAudit (AUDIT) provides comprehensive reports on system and security events and enables the security administrator to perform forensic analysis on the system sumlog to investigate security events.
Benefits of Unisys Locum Security Products
Implementing the complementary Unisys Locum security alerting, assessment, auditing, and administration products provides the following benefits:
- Because these products are tailored to meet the unique requirements of clients who have ClearPath MCP systems, the resulting security alerting, assessment, auditing, and administration solution is especially suited to the MCP Environment.
- Operation that starts “out-of-the-box” is easily reconfigurable with the purchased license keys, which saves time and money.
- These products are pre-integrated and pretested, which results in minimal costs to upgrade the existing security infrastructure.
- The graphical reports about the security of the ClearPath MCP Environment enable you to quickly review and access the security of your system.
- The monitoring and reporting capabilities quickly and easily provide information needed for internal and external audits, which reduces costly preparation time.
- The ability to identify early trends in the security of the enterprise system affords you more time to determine impacts of the trends.
- The solution provides improved risk management, thus reducing financial exposure.
- The improved risk management and reduction in time required to detect attempted security breaches saves you time and money.
- The solution centralizes and simplifies security administration.
Licensing
Each of the Unisys Locum security alerting, assessment, auditing, and administration products is licensed separately. Summary versions of Unisys Locum RealTime Monitor, Unisys Locum SafeSurvey, and Unisys Locum SecureAudit are included with each ClearPath MCP system. Evaluation license keys are available for download from www.unisys.com/locum for Unisys Locum RealTime Monitor, Unisys Locum SafeSurvey and Unisys Locum SecureAudit that enable full product functionality for a limited period of time.
Contact your Unisys representative for more information on Unisys Locum Safe and Secure evaluation licenses.
Unisys Locum Safe and Secure
Safe and Secure is the Unisys Locum security software solution for the entire range of Unisys ClearPath MCP systems for centralized security administration. In this world of increasing emphasis on security and compliance, Safe and Secure centralizes and simplifies security administration, providing an easy-to-use single point of control in single and multisystem environments. Safe and Secure offers a wide range of powerful tools that include administration, inquiry and reporting facilities. You can tailor these capabilities to comply with your policy requirements by using the extensive set of Security Policy Options available with the Safe and Secure product.
The following points summarize the key features available with this product.
- User authentication
  - Safe and Secure implements password aging, which can be applied to both usercodes and accesscodes. Accesscode aging allows full synchronization of the password across all owning usercodes.
  - Extensive password control and validation options enable the administrator to define exactly how aging works on the system. The strength of passwords that users select can be controlled. Various options are available to disallow certain passwords. For example, passwords that contain usercode names can be automatically disallowed.
  - The user verification feature is a secret mechanism, whereby a security question and answer is stored in the definition of the user.
- Access control
  - Station lockout and/or user lockout can be enforced when a user reaches the Maximum Logon Attempts setting.
  - Session limits enable extra control over active user sessions. The administrator can view all active sessions on the system and, if required, terminate unwanted sessions.
  - The controlled usercode feature allows emergency usercodes to be configured in case of the eventuality that emergency access is required.
  - Access control also provides logon investigation capabilities.
  - Control and restriction of ODT commands for security administrators.
- Authorization
  - Safe and Secure implements the ability to delegate Administrator rights, using objects and permission to create sub-administrator status. For example, specific administrators might only be designated permissions to enable them to reset passwords and reactivate users.
  - The regimes feature enables you to partition the user population such that a Regime Administrator only controls the users for a specific regime.
  - The system command authorization enables the administrator to give a unique and specific command list to individual users, instead of assigning full privileges.
- Administration
  - Through the profile feature, you can easily create new user accounts and modify existing ones.
  - Templates enable you to group users by roles.
  - The zonal update feature provides simultaneous Userdatafile and CFILE update capability across multiple ClearPath MCP servers.
Security Administration has never been easier than through the client-based AdminDesk of Safe and Secure. The simplification of user management through the implementation of profiles saves you time and effort in the creation of new user accounts and modifications for existing ones. In addition, AdminDesk supports SSL for all client-host connections.
Because of the range of password control and validation options, you can define exactly how password aging works on your system, which provides you with excellent authentication control in protecting your system. Additionally, the Controlled Usercode feature enables you to configure emergency usercodes as needed.
Unisys Locum RealTime Monitor
Unisys Locum RealTime Monitor is the MCP security dashboard. It enables the security administrator to collect data from multiple ClearPath MCP systems to one or more security workstations, and it allows specific alerts and criticality settings.
Unisys Locum RealTime Monitor provides advanced, real-time monitoring for any defined ClearPath MCP event, not only those related to security. Unisys Locum RealTime Monitor offers the power and flexibility to create the monitoring environment that you need by specifying alert filters and activity codes. Unisys Locum RealTime Monitor gives total monitoring control over ClearPath MCP systems with tools to keep the administrator updated on critical events even when away from a PC and provides a selection of options to display or process the data.
- Easy designation of events as alerts through
  - A generic method of designating events as alerts by function, such as: security policy changes, privileged actions, and user suspensions
  - The major/minor log record type, which can be further refined to include only security-relevant events
- Flexible mapping of alert type to severity
  - Default mapping so that RealTime Monitor works out of the box
  - Customer-specified mapping
- Rules file implemented to specify the actions taken for alerts. Actions include:
  - Display
  - Write-to-file
  - Forward
  - Count
  - Escalation of alerts to email, file, or SYSLOG
- RealTime Monitor provides the following features for ease of use:
  - A local display of real-time alerts through a dashboard summary, including time-line graphing of alert traffic
  - Configurable display characteristics
  - The ability to monitor multiple MCP systems simultaneously
  - A single display per system, or, optionally, a single combined display, with the combined display color-coded by originating system
  - Color-coded alert highlights to denote severity
  - Host storage of messages that the host is unable to send
- RealTime Monitor allows multiple monitor workstations to be serviced from a single MCP host
  - Each monitor workstation has its own filters, so its alerts can be configured independently
  - Event filters can be set and changed by a security administrator
- Easy configuration of RealTime Monitor through RealTime Config (a component of Security Center).
Unisys Locum SafeSurvey
Unisys Locum SafeSurvey is a security assessment tool that is integrated with Security Center. SafeSurvey allows the customer to perform quantitative analysis of security status on the MCP host.
Unisys Locum SafeSurvey provides security administrators and auditors with a series of detailed reports that analyze and highlight areas where system security might be at risk.
Unisys Locum SafeSurvey is available in two parts: SafeSurvey Host, which runs on the ClearPath MCP Environment and can be run as a stand-alone, and SafeSurvey Client, which provides a user-friendly graphical interface on Windows environments.
Running Unisys Locum SafeSurvey on a regular basis helps to keep management informed of the current status of the security environment on each system. This information, which is presented in several reports, enables management to take the necessary actions before security breaches occur. Unisys Locum SafeSurvey reports are clear, concise, and presented in a nontechnical format.
Security administrators can
- Print all the reports or a selection of reports from both the SafeSurvey Client and the SafeSurvey Host.
- Send the reports to a disk file or to a printer.
- Produce line graphs, bar charts, and pie charts for one or more reports.
- Produce differential reports. The differences between two reports are highlighted for easy comparison.
- Schedule scans to be done at the MCP system at a predetermined time/interval. The reports are processed by the SafeSurvey Host and the SafeSurvey Client can download them when it next connects.
Unisys Locum SafeSurvey includes the following key features.
- USERDATAFILE Analysis
  This test analyzes the USERDATAFILE definitions. It highlights usercodes with special privileges and investigates the use of security-related usercode attributes. The USERDATAFILE analysis reports the following information:
  - USERDATAFILE statistics
  - Usercode privileges such as PU (privileged) or SECADMIN (security administrator)
  - Use of security-related attributes such as NODEFAULTUSE or COMSONLYLOGON
  - Remote user definitions
- Password Penetration Tests
  Computer hackers try to exploit systems through usercodes that use passwords that are weak or easy to guess. Unisys Locum SafeSurvey performs a number of tests on each password to determine the ease by which an unwelcome user might gain access to the system. Unisys Locum SafeSurvey performs the following checks:
  - Usercodes or accesscodes with no passwords
  - Usercodes or accesscodes for which the password is identical to the usercode/password name
  - Usercodes or accesscodes with an easy-to-guess password
  - Usercodes with multiple passwords
  When looking for easy-to-guess passwords, Unisys Locum SafeSurvey checks the password against a list of popular words and names and repeated character strings and character sequences.
- Policy-Based Security Assessment
  This feature enables customers and auditors assessing the ClearPath MCP Environment to use SafeSurvey to compare the actual security settings (SECOPT, LOGGING, and so on) of the system with a defined system policy and to note any discrepancies. You can use a policy-based security assessment to graphically track compliance events.
- Transaction Server CFILE Analysis
  The Transaction Server CFILE analysis identifies obsolete usercode entries and hidden privileges contained in program and station definitions. The Transaction Server CFILE analysis produces the following reports:
  - Transaction Server CFILE statistics
  - USERDATAFILE and Transaction Server CFILE compatibility check
  - Transaction Server CFILE program definitions analysis
  - Transaction Server CFILE station definitions analysis
  - Default definition analysis
  - CFILE Station Usage report
- System Configuration Analysis
  The system configuration analysis interrogates and displays the settings of all relevant system options and settings including:
  - MCP run-time options
  - SECOPT options (including Secure Access Control Module options)
  - TCP/IP security settings
  - MCS status information
- Disk File Analysis
  Unisys Locum SafeSurvey analyzes the entire disk subsystem and produces a report that identifies the following characteristics:
  - Code files with special privileges
  - Code files with operational privileges
  - Public code files and data files
  The User Privileges snapshot includes role-based access control (RBAC) permissions and the CMOS CFILE privileges.
- Other System Reports
  - Distributed System Service (DSS) configuration report
  - Kerberos Principal Identifier (PID) analysis
  - Role-Based Access Control (RBAC) capabilities report
  - Report for GUARDFILES
- Secure Connections
  Unisys Locum SafeSurvey uses SSL/TLS to protect the assessment data in transit between the ClearPath MCP Environment and the security administrator's workstation. You can enable this security feature by configuring SSL/TLS for Security Center access.
Two versions of Unisys Locum SafeSurvey are available.
| Summary version | You can use the summary version to view a summary of the security configuration on a Unisys ClearPath MCP server. The summary version of Unisys Locum SafeSurvey is included with the operating environment. |
| Full version | Provides the following functionality: |
Unisys Locum SecureAudit
Unisys Locum SecureAudit produces consolidated reports for MCP systems, thus providing a security reporting solution for your enterprise. Security reporting is essential to many jobs and departments, such as security administration and external auditing. Authorized users can use SecureAudit to produce specific reports.
Security reports inform you of any activity or condition that might pose a security threat. SecureAudit allows you to perform quantitative analysis of security events on the MCP host.
SecureAudit accesses the SUMLOG file, which is used by the MCP to log system activity, and produces a comprehensive set of security reports that are
- Relevant: Each report targets a specific security issue.
- Nontechnical: Technical jargon is avoided.
- Readable: Layouts are clear and easy to use.
- Concise: Extraneous information is omitted.
- Several reporting modes
  - Batch mode
    This mode enables you to create standard reports.
  - Interactive mode
    This mode provides a menu-driven interface that enables you to generate reports from any CANDE or Transaction Server workstation using terminal emulation. You can direct reports to the workstation in paged format, to a disk file for report archiving, or to a print file. In the latter case, SecureAudit controls the routing of printed output. You can also route reports directly to a PDF file or Windows PC disk.
  - Client mode
    This mode enables you to create and view reports from a Windows interface. You can also store reports within a local database on your PC, and you can create graphical analysis of the reports.
- Multiple SUMLOG reporting
  You can create reports that cover a specified time range without complicated SUMLOG consolidation. SecureAudit identifies the required SUMLOG files to be analyzed.
- Reports
  Most reports can be filtered, enabling you to view exactly what you need. The following standard reports are available in all modes:
  - System Security Violations
  - Logon Violations
  - MCS Initializations
  - File Accesses
  - Program Executions
  - System Commands
  - Unsuccessful Password Changes
  - Session Information
  - Window Accesses
  - COMS CFILE Events
  - File Status Events
  - Userdata Changes
  - Installation Records
  - User Validations
  - Unauthorized File Accesses
  - Role Based Access Control
  - Guardfile Activity
  - Password Changes
  - Privileged Actions
  - Run-time Usercode Changes
  - DMSII Database Events
  - DMSII File Activity
  In addition, the client mode provides the following reports:
  - Statistics
  - Graphical, which offer advanced statistical reporting
- Correlation Reports
  SecureAudit provides correlation capabilities that enable the security administrator to perform forensic analysis on the system SUMLOG to investigate security events.
Two versions of Unisys Locum SecureAudit are available.
| Summary version | You can use the summary version to view a summary of the security configuration on a Unisys ClearPath MCP server. The summary version of Unisys Locum SecureAudit is included with the operating environment. |
| Full version | Provides the following functionality: |
New Features/Enhancements
The following new features and enhancements are added in this release:
- Security Center now notifies the user when a key has expired.
- New security options for managing new security capabilities are included in Security Center.
- The following new security options and code file verification options introduced in MCP are included in Locum products:
  - SECURECOMM MCPSQL
  - SECURECOMM CONNPSH
  - SECURECOMM OLEDB
  - SECURECOMM AIS
  - ALGOLCHECK
  - AISFILEACCESS
  - CLIENTENCRYPTION
  - SERVERENCRYPTION
  - PLATFORMACCESS
  - PLATFORMADMIN
  - CODEVERIFYCHECK
  - CODEVERIFYGEN
- The security policy report generated by Unisys Locum SafeSurvey reports the children of SECURECOMM instead of just SECURECOMM, to match the SECURECOMM children reported by the Security Center SPT file.
- Unisys Locum Safe and Secure, SafeSurvey, SecureAudit, and RealTime Monitor support both Custard keys and Unisys-formatted MCP keys.
- Locum products now use InstallShield MSI file packaging instead of Inno Setup file packaging.
- Codefile Verification
  A new, optional disk file header attribute is created to store checksums calculated for code files. Stored checksums will be verified when code files are opened for execution, and, if needed, (re)generated just before the file is closed. New security options are created to set how and when code files are marked and verified.
Ordering Information
Security Center is included as part of the operating environment. Source code is not available for this product.
Product Information
Refer to the following documents for more information:
- Security Center Help
- MCP Security Overview and Implementation Guide
- Security Operations Guide
- Unisys Locum SafeSurvey Getting Started Guide
- Unisys Locum SafeSurvey Help
- Unisys Locum SecureAudit Getting Started Guide
- Unisys Locum SecureAudit Help
- Unisys Locum RealTime Monitor Getting Started Guide
- Unisys Locum RealTime Monitor Help
- Unisys Locum AdminDesk Help
- Unisys Locum Safe and Secure Getting Started Guide
For more information on Locum product documentation, refer to the Unisys Product Support website at https://www.support.unisys.com/common/welcome.aspx?pla=MCP&nav=LSS.

