HP OpenVMS Security
HP OpenVMS provides a full range of security products and services from HP and our partners designed to protect a company's vital assets.
- Security services from HP [ PDF | HTML ]
- New product SNORT® for OpenVMS released
- Security features in OpenVMS Version 8.4
- ACME LDAP Changes
- Global and Local Mapping of LDAP Users
- ACME Documentation Updates
- ACME Login Restored During Upgrade
- HP Code Signing Service (HPCSS)
- HP SSL Version 1.4 for OpenVMS
- Security features in OpenVMS Version 8.3
- ACME Agents and SYS$ACM-Enabled LOGINOUT.EXE and SETP0.EXE
- New LDAP Authentication Patch Kits (February 2007)
- Secure Delivery
- Encryption for OpenVMS including AES Encryption
- SSL
- CDSA
- Kerberos
- Open Source tools for OpenVMS
- IPsec
- SSH
- Ericom Software
- PointSecure
- Process Software
- Security course curriculum
Security Features in OpenVMS Version 8.4
ACME LDAP Changes
Global and Local Mapping of LDAP Users
The ACME LDAP agent on OpenVMS Version 8.3 and Version 8.3-1H1 supports only one-to-one mapping for users.
In one-to-one mapping, a user logging in to an OpenVMS system against an LDAP server must have a matching username in the SYSUAF.DAT file. Hence, the user must log in with the exact username entry stored in the SYSUAF.DAT file. With OpenVMS Version 8.4 or later, the LDAP ACME agent uses the concept of global and local mapping.
Using the global and local mapping:
- The user can enter the user name that is common across the domain at the login prompt.
- The user name is mapped to a different name in the SYSUAF.DAT file during login.
- The OpenVMS session after login uses the name and the privileges from the SYSUAF.DAT file for all purposes.
- The SET PASSWORD command recognizes that this is a mapped user and synchronizes any password change to the directory server.
Check the “Global and local mapping” section in the new ACME LDAP documentation provided with OpenVMS V8.4 for details on using the mapping feature.
ACME Documentation Updates
A new document is provided for the setup and configuration of ACME LDAP on OpenVMS V8.4. After installing OpenVMS V8.4, the documentation is available at the following location:
- SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.PDF (with images)
The “Enabling External Authentication” and “Authentication and Credentials Management Extensions (ACME) Subsystem” sections of the “HP OpenVMS Guide to System Security” [ PDF | HTML ] have been revised to provide more details on the ACME environment and agents and on the difference between SYS$ACM-enabled and non-SYS$ACM-enabled logins.
ACME Login Restored During Upgrade
The SYS$ACM-enabled logins and the ACME environment are restored automatically when a system is upgraded to OpenVMS V8.4. Manual reconfiguration is not required.
HP Code Signing Service (HPCSS)
HP products deliver on the "trustworthy and reliable" brand promise. The electronic cryptographic "signature" created for HP code (software, firmware, drivers, applications, patches, solutions, and so forth) provides you an industry-standard method to verify the integrity and authenticity of the code you have received from HP before deployment.
Digitally signed code helps you manage the security risk of using non-HP versions of our products' software and firmware, which may fail to meet expectations and, worse, may harbor malicious code (such as a virus or a worm).
Further, to comply with other markets, such as mobile code and firmware in FIPS-compliant devices, and to address the increased threats posed by standard firmware interfaces, HP products are delivered with this digital signature.
Earlier, OpenVMS followed its own signing mechanism based on the Common Data Security Architecture (CDSA). During the installation of kits, PCSI used the CDSA validator to verify the signature. Kits created in either sequential (*.PCSI) or compressed (*.PCSI$COMPRESSED) format were signed. Kits that used VMSINSTAL for installation were not signed.
All new OpenVMS kits that are updated for Version 8.4, including PCSI- and VMSINSTAL-based kits, are signed using the HP Code Signing Service (HPCSS). A new companion file, <full kit name>_HPC, is created and provided along with the kit. The kit is then verified using the companion file.
Note: OpenVMS Alpha Version 8.4 CDs are not signed with this mechanism.
From OpenVMS Version 8.4, a new product, HPBinaryChecker, is installed on OpenVMS systems to validate kits signed using HPCSS. VMSINSTAL and PCSI are enhanced to use the validator. HP-supplied layered products that use VMSINSTAL are signed in the same way as PCSI kits.
To validate a signed kit with its _HPC companion file, use the HPBinaryChecker executable. If HPBinaryChecker is not available, PCSI reports that HPBinaryChecker is not loaded and prompts you to install the product. If the _ESW manifest file is present and no _HPC file is present, PCSI uses CDSA to validate the kit. CDSA validation will not be retired.
CDSA signing of kits for OpenVMS Version 8.4 and beyond will be discontinued. For more information on installing signed kits, see the HP OpenVMS Version 8.4 Upgrade and Installation Manual.
HP SSL Version 1.4 for OpenVMS
Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. HP SSL Version 1.4 is based on OpenSSL 0.9.8h and also includes the latest security updates from OpenSSL.org.
Please check the HP SSL V1.4 “Installation Guide and Release Notes” or the “HP OpenVMS Version 8.4 New Features and Documentation Overview” for more information on the new features and the vulnerabilities fixed in HP SSL V1.4.
Note: HP SSL V1.4 is not backward compatible with earlier versions of HP SSL. Please check the “Advisory for HP VMS SSL users on OpenVMS V8.4 for Integrity servers and Alpha platform” or visit the “HP SSL for OpenVMS web page” for
Security Features in OpenVMS Version 8.3
New Optional SYS$ACM-Enabled LOGINOUT.EXE and SETP0.EXE Images and Two New Authentication and Credentials Management Extension (ACME) Agents
OpenVMS Version 8.3 includes optional SYS$ACM-enabled LOGINOUT.EXE and SETP0.EXE images that use the SYS$ACM system service for user authentication and password changes. When these images are used, login and password change requests are sent to the SYS$ACM service and handled by the ACME_SERVER process's authentication agents. A VMS authentication agent is configured by default to service standard VMS login and password-change requests.
- ACME subsystem
- ACME agents
- VMS (standard OpenVMS policy) ACME agent
- MSV1_0 (Microsoft LAN Manager authentication) ACME agent
- LDAP ACME agent
- Kerberos ACME agent
New in Version 8.3, the Kerberos ACME agent provides functionality similar to the pam_krb5 module on UNIX systems. In previous versions of OpenVMS, Kerberos for OpenVMS users were required to perform multiple login steps: once to log in to OpenVMS itself, and once to obtain Kerberos credentials. This ACME agent automatically acquires all credentials for you.
The ACME subsystem provides authentication and persona-based credential services. Applications use these services to enforce authentication policies defined by ACME agents running in the context of the ACME_SERVER process.
In addition, customers can create additional ACME agents for custom authentication policies.
Secure Delivery
OpenVMS Version 8.3 includes Secure Delivery, which uses public key and digital signature technology to implement a system that provides OpenVMS users with the ability to authenticate and validate files from OpenVMS and third-party OpenVMS vendors.
Secure Delivery allows for digital signatures to authenticate the originator and validate the contents of software kits installed on OpenVMS systems. If the kit or manifest has been tampered with in any way, the validation process fails. If the certificates used to sign the file have been revoked, the validation process fails.
Secure Delivery has been integrated into PCSI, which automatically ensures that software installed on OpenVMS was not tampered with prior to installation.
For an overview of Secure Delivery on OpenVMS, and how to invoke its components using CDSA, see the Secure Delivery for OpenVMS documentation in HP Open Source Security for OpenVMS, Volume 1: CDSA.
Encryption for OpenVMS
OpenVMS Version 8.3 integrates the former Encryption for OpenVMS software product into the operating system. This eliminates the requirement for a separate product installation and product license. In addition, OpenVMS Version 8.3 now includes support for the Advanced Encryption Standard (AES) algorithm, which allows OpenVMS users, system managers, security managers, or programmers to secure their files, save sets, or application data with AES encryption.
Encryption converts sensitive or otherwise private data into an unintelligible form called ciphertext, for the purpose of data confidentiality. Decryption reverses this process, converting the ciphertext back into its original form, called plaintext. Encryption and decryption are also known as enciphering and deciphering.
For more information, see:
- Encryption for OpenVMS
- The “Encryption” and “Using Encryption” sections in the HP OpenVMS Guide to System Security provided with OpenVMS V8.4 [ PDF | HTML ].
- HP OpenVMS Utility Routines Manual [ PDF | HTML ].
HP SSL for OpenVMS
Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. SSL provides three things: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function.
Protecting communication links to OpenVMS applications over a TCP/IP connection can be accomplished through the use of SSL. The OpenSSL APIs establish private, authenticated and reliable communications links between applications.
HP SSL Version 1.4 for OpenVMS is based on OpenSSL 0.9.8h and includes all of the latest security updates from OpenSSL.org.
For more information about HP SSL for OpenVMS, see the HP SSL Version 1.4 for OpenVMS Installation Guide and Release Notes. The SSL source code is an open-source project from
OpenSSL derived this software from the industry standard Secure Sockets Layer (SSL) V2.0/V3.0 specifications originally from Netscape, and the Transport Layer Security (TLS) V1.0 specification from the IETF.
The OpenSSL 0.9.8h baselevel supports the following components:
Note: The OpenVMS port of the cryptography library does not contain the RC5 and IDEA symmetric ciphers, because HP does not have a commercial distribution agreement for these algorithms.
Download HP SSL for OpenVMS
CDSA (Common Data Security Architecture) for OpenVMS
The Common Data Security Architecture (CDSA) is a multiplatform, industry-standard security infrastructure. Starting with Version 7.3-1, CDSA is part of the OpenVMS Alpha base operating system. CDSA is compatible with OpenVMS Alpha Version 7.2-2 and higher.
CDSA provides a stable, standards-based programming interface that enables applications to access operating system security services. With CDSA, developers can create cross-platform, security-enabled applications. Security services, such as cryptography and other public key operations, are available through a dynamically extensible interface to a set of plug-in application programming interface modules (API functions). These modules can be supplemented or changed as business needs and technologies evolve.
For general information about CDSA, see:
CDSA Source Code
For a binary compilation of the CDSA sources that have been ported to the OpenVMS operating system, see:
Kerberos for OpenVMS
Kerberos for OpenVMS, based on MIT Kerberos V5, is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.
Kerberos Version 3.1 for HP OpenVMS is based on MIT Kerberos V5 Release 1.4.1. Starting with OpenVMS Version 7.3-2, Kerberos is included with the OpenVMS base operating system. Kerberos Version 3.1 runs on OpenVMS Alpha and Integrity servers Version 8.3 and higher and supports authentication over IPv6. Kerberos Version 3.0 and 2.0 are also available for download.
Open Source tools for OpenVMS
Many other Open Source tools have been ported to OpenVMS. Click here to find more information on the Open Source tools.
Some of the security tools provided that are not listed on this page are:
- SNORT for OpenVMS
IPsec for OpenVMS
HP TCP/IP Services for OpenVMS IPsec provides an infrastructure for secure communications (authentication, integrity, confidentiality) over IP-based networks between systems and devices that implement the IPsec protocol suite.
OpenVMS IPsec offers protection against replay attacks, packet tampering, and spoofing, and it keeps others from viewing critical data such as passwords and financial information sent over the Internet.
For more information about OpenVMS IPsec, see Configuring and Using TCP/IP Services for OpenVMS IPsec [ PDF ].
SSH for OpenVMS
Secure Shell (SSH) is a combination of client and server software that transparently encrypts and decrypts data flow between hosts on a network. OpenVMS SSH software is based on SSH2 software from SSH Communications Security.
SSH functionality is available as part of TCP/IP Services Version 5.4 and higher.
Ericom Software and OpenVMS
Ericom Software provides SSH, SSL, Single Sign On, and Kerberos secure terminal emulation solutions.
Ericom® Software and HP have enjoyed a long-standing business and technology relationship since 1996, when Ericom's PowerTerm® terminal emulation solution was included in Pathworks 32.
The number of OpenVMS users who use or are planning to use the SSH and SSL support in their operating system continues to grow. Many of these users also require a secure terminal emulator with secure file transfer.
Ericom Software is proud to provide a range of secure solutions for these users. For a complete breakdown of Ericom's PowerTerm host access and Web-to-Host solutions that support the SSL, SSH, Single Sign On, and Kerberos security protocols, see:
- PowerTerm and OpenVMS: A Natural Partnership
- Host Access Solutions with SSH Protocols
- Host Access Solutions with SSL Protocols
PointSecure and OpenVMS
PointSecure provides security products for OpenVMS VAX and OpenVMS Alpha with System Detective AO and IS.
Security SnapShot
The Security SnapShot provides OpenVMS customers with a fast and easy way to perform a high-level assessment of potential security exposures. This non-intrusive tool focuses on user profiles, file security, and system/network security.
The Security SnapShot performs sixteen security checks on your system and provides you with a pass/fail assessment for each, helping you determine the strengths and weaknesses of your system.
Your business processes depend on the applications and data that support them, so you need to be sure that your data and systems are secure. This is not always easy, because rapid changes in business and technology increase your organization's control and security challenges. The Security SnapShot allows you to quickly and easily see potential exposures that may affect your strategic business objectives. For a 16-point checkup for OpenVMS systems, see:
System Detective AO
System Detective AO is a rules-based security and compliance tool designed to enforce user accountability. By monitoring and recording user sessions and providing proactive responses to triggered events, System Detective AO helps maintain the security and integrity of OpenVMS systems.
System Detective IS
System Detective IS is an interactive session monitoring tool that gives administrators the ability to monitor user sessions interactively. This product allows administrators to take action to help users or to stop unwarranted user activity, all in real time.
PointSecure also provides a PC-based auditing tool called PointAudit, which analyzes the SYSUAF.LIS file and provides a breakdown of user profiles, allowing for quick and easy account review. For additional product information, see:
- PointSecure customer letter (from OpenVMS VP Mark Gorham, February 2003)
- http://www.pointsecure.com (PointSecure web site)
- Email: firstname.lastname@example.org (for sales information)
Migration Advisor
Planning your migration requires a good understanding of what your current environment looks like. Determining which HP layered products and which commercial (third-party / ISV) or Open Source products are present is a critical initial step in the planning.
PointSecure, working with HP OpenVMS, has created a tool called Migration Advisor that aids in collecting information about your current OpenVMS system environment. For the Migration Advisor FAQ, click here, or for a quick overview, click here. Migration Advisor can be downloaded from PointSecure at http://www.pointsecure.com/products/MigrationAdvisor.aspx.
Process Software Provides SSH for OpenVMS
The SSH server and client provide secure encrypted communications over the Internet and are the de facto standard. In addition, SSH for OpenVMS offers the following advantages:
- Multi-protocol support: SSH protocol v1 and v2 server and client (SSH)
- Provides secure file transfer with Secure Copy Protocol (SCP)
- Secures numerous applications with port forwarding
- Provides many authentication and encryption options
- The SSH server operates with most third-party SSH clients
- Data compression support saves time and connection fees
- Supports HP TCP/IP Services for OpenVMS 4.2 or higher
For more information, see
Security is more important now than ever
Companies taking advantage of the tremendous market potential of the information superhighway face daily security risks that may hurt, or even kill, their business.
Today, when business increasingly depends on secure data, a vulnerable company will not last. Potential hazards, from the inside as well as the outside, must be addressed effectively.