New Optional SYS$ACM-Enabled LOGINOUT.EXE and SETP0.EXE Images and Two New
Authentication and Credentials Management Extension (ACME) Agents
OpenVMS Version 8.3 includes optional SYS$ACM-enabled LOGINOUT.EXE and SETP0.EXE
images that use the SYS$ACM system service for user authentication and password changes.
When these images are used, login and password change requests are sent to the
SYS$ACM service and handled by the ACME_SERVER process's authentication agents.
A VMS authentication agent is configured by default to service standard VMS
login and password-change requests.
ACME Components:
- ACME subsystem
Provides authentication and persona-based credential services. Applications
use these services to enforce authentication policies defined by ACME agents
running in the context of the ACME_SERVER process.
- ACME agents
  - VMS (standard OpenVMS policy) ACME agent
  - MSV1_0 (Microsoft LAN Manager authentication) ACME agent
  - LDAP ACME agent
New in Version 8.3, the LDAP ACME agent allows users to log into an OpenVMS system using
authentication information held in an LDAP directory,
thus allowing common authentication across many platforms.
LDAP Authentication patch kits (February 2007)
New production quality LDAP Authentication patch kits are now available from the
IT Resource Center.
Search for VMS83A_ACMELDAP-V0100 for OpenVMS Alpha and VMS83I_ACMELDAP-V0100 for OpenVMS for Integrity servers.
These kits provide optional login and set-password functionality that uses the SYS$ACM
system service for user authentication and password changes. When this optional functionality
is enabled, login and password change requests are sent to the SYS$ACM service and handled
by the ACME_SERVER process's authentication agents. The kits contain an LDAP authentication
agent that directs login and password-change requests to any LDAP v3-compliant directory server.
These patch kits have been rigorously tested and are qualified for use in production environments.
Important: If you plan to use the LDAP ACME kit to authenticate to a Microsoft Active Directory Domain,
you must initiate all password changes from a Microsoft platform.
OpenVMS Engineering is working on an updated LDAP ACME patch kit that will remove this restriction.
After the kit is installed, see the LDAP ACME Agent Readme file for
detailed information on how to configure the system.
This readme file is also located at
SYS$HELP:ACME_DEV_README.TXT.
Release notes can be found at SYS$HELP:VMS83x_ACMELDAP-V0100.RELEASE_NOTES.
  - Kerberos ACME agent
New in Version 8.3, the Kerberos ACME agent provides functionality similar to the
pam_krb5 module on UNIX systems. In previous versions of OpenVMS, users of Kerberos
for OpenVMS had to log in twice: once to OpenVMS itself, and once more to obtain
Kerberos credentials. The Kerberos ACME agent acquires the Kerberos credentials as
part of the OpenVMS login.
In addition, customers can create additional ACME agents to implement custom
authentication policies.
Secure Delivery for OpenVMS
OpenVMS Version 8.3 includes Secure Delivery, which uses
public key and digital signature technology to implement a
system that provides OpenVMS users with the ability to authenticate and validate
files from OpenVMS and third-party OpenVMS vendors.
Secure Delivery allows for digital signatures to
authenticate the originator and validate the contents of software kits
installed on OpenVMS systems. If the kit or manifest has been tampered with in any way,
the validation process fails. If the certificates used to sign the file have been
revoked, the validation process fails.
Secure Delivery has been integrated into PCSI, which automatically ensures that
software installed on OpenVMS was not tampered with prior to installation.
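The validation sequence described above (signature over a manifest, digest of the kit contents, and a revocation check) can be demonstrated end to end. The following is an added example written for this page in Go; it is not HP's Secure Delivery code and does not reproduce the PCSI or CDSA kit formats. The manifest layout, the kit name VMS83A_EXAMPLE-V0100, the certificate label, the Ed25519 key (HP's implementation uses X.509 certificates through CDSA) and the kit bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a simplified stand-in for a signed kit manifest (illustrative
// layout, not HP's on-disk format): the kit name and the SHA-256 of the kit.
type Manifest struct {
	Kit    string
	Digest string // hex-encoded SHA-256 of the kit contents
}

// Bytes is the canonical encoding that the vendor's signature covers.
func (m Manifest) Bytes() []byte { return []byte(m.Kit + "\n" + m.Digest + "\n") }

// Vendor holds a signing key. CertID stands in for the identity of the
// signing certificate, which a relying party may later find on a revocation list.
type Vendor struct {
	CertID string
	Public ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewVendor(certID string) (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{CertID: certID, Public: pub, priv: priv}, nil
}

// SignKit produces the manifest for kit and the vendor's signature over it.
func (v *Vendor) SignKit(name string, kit []byte) (Manifest, []byte) {
	sum := sha256.Sum256(kit)
	m := Manifest{Kit: name, Digest: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(v.priv, m.Bytes())
}

var (
	ErrRevoked   = errors.New("signing certificate has been revoked")
	ErrSignature = errors.New("manifest signature does not verify")
	ErrContents  = errors.New("kit contents do not match the manifest digest")
)

// Validate performs the checks the text describes, in order: a revoked signer
// fails before any cryptography runs, a manifest whose signature does not verify
// fails, and a kit whose bytes no longer hash to the signed digest fails.
func Validate(certID string, pub ed25519.PublicKey, revoked map[string]bool, m Manifest, sig, kit []byte) error {
	if revoked[certID] {
		return ErrRevoked
	}
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrSignature
	}
	sum := sha256.Sum256(kit)
	if hex.EncodeToString(sum[:]) != m.Digest {
		return ErrContents
	}
	return nil
}

// Scenarios runs the four cases an installer must distinguish and returns the
// validation result of each, keyed by case name.
func Scenarios() (map[string]error, error) {
	vendor, err := NewVendor("example-signing-cert") // hypothetical certificate label
	if err != nil {
		return nil, err
	}
	kit := []byte("constructed sample kit payload for VMS83A_EXAMPLE-V0100") // constructed, not a real kit
	m, sig := vendor.SignKit("VMS83A_EXAMPLE-V0100", kit)

	tamperedKit := append([]byte(nil), kit...)
	tamperedKit[0] ^= 0x01 // flip one bit of the kit after signing

	tamperedManifest := m
	tamperedManifest.Kit = "VMS83A_EXAMPLE-V0200" // edit the manifest after signing

	none := map[string]bool{}
	revoked := map[string]bool{vendor.CertID: true}
	return map[string]error{
		"genuine":           Validate(vendor.CertID, vendor.Public, none, m, sig, kit),
		"tampered kit":      Validate(vendor.CertID, vendor.Public, none, m, sig, tamperedKit),
		"tampered manifest": Validate(vendor.CertID, vendor.Public, none, tamperedManifest, sig, kit),
		"revoked signer":    Validate(vendor.CertID, vendor.Public, revoked, m, sig, kit),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, res := range results {
		fmt.Printf("%-18s -> %v\n", name, res)
	}
}
```

The order of the checks matters in practice: the revocation check comes first so that a kit signed by a compromised key is rejected even though its signature is mathematically valid, and the digest is compared only after the manifest itself has been authenticated, so an attacker cannot substitute a manifest that matches a modified kit.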
For an overview of Secure Delivery on OpenVMS, and how to invoke its components using CDSA,
see the Secure Delivery for OpenVMS documentation in
HP Open Source Security for OpenVMS, Volume 1: CDSA [ PDF | HTML ].
Encryption for OpenVMS
OpenVMS Version 8.3 integrates the former Encryption for OpenVMS software product
into the operating system. This eliminates the requirement for a separate product
installation and product license. In addition, OpenVMS Version 8.3 now includes
support for the Advanced Encryption Standard (AES) algorithm, which allows OpenVMS
users, system managers, security managers, or programmers to secure their files,
save sets, or application data with AES encryption.
Encryption is used to convert sensitive or otherwise private data to an unintelligible
form called cipher text. This is done for the purpose of data confidentiality.
Decryption reverses this process, taking the unintelligible cipher text and
converting the data back into its original form, called plain text. Encryption
and decryption are also known as encipher and decipher.
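The plaintext-to-ciphertext round trip just described, with AES as the algorithm, is shown below as an added Go example written for this page; it is not the ENCRYPT/DECRYPT utility or any HP code, and it does not reproduce that utility's key-name storage or file format. It goes one step beyond the paragraph: it uses AES in GCM mode, an authenticated mode, so that a modified ciphertext or a wrong key is detected rather than silently decrypted to garbage. The key is generated randomly in memory and the sample record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrCiphertext = errors.New("ciphertext is too short or has been modified")

// NewKey returns a fresh random 256-bit AES key. A real tool would keep it
// under a key name in protected storage; here it lives only in memory.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt turns plaintext into ciphertext with AES-256-GCM. The blob returned
// is nonce || ciphertext || tag, so the caller stores a single value.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a fresh nonce per message is mandatory for GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and refuses any blob whose tag does not verify.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, ErrCiphertext
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, ErrCiphertext
	}
	return pt, nil
}

// Outcome collects what Demo observed: whether decryption restored the
// plaintext, and the errors produced by a tampered blob and by a wrong key.
type Outcome struct {
	RoundTripOK bool
	TamperErr   error
	WrongKeyErr error
}

// Demo encrypts a constructed record, decrypts it, then shows the two failure
// modes an authenticated cipher must catch.
func Demo() (Outcome, error) {
	key, err := NewKey()
	if err != nil {
		return Outcome{}, err
	}
	plain := []byte("ACCOUNT=PAYROLL SECRET=constructed-sample-value") // constructed sample data
	blob, err := Encrypt(key, plain)
	if err != nil {
		return Outcome{}, err
	}
	back, err := Decrypt(key, blob)
	if err != nil {
		return Outcome{}, err
	}

	flipped := append([]byte(nil), blob...)
	flipped[len(flipped)/2] ^= 0x80 // flip one bit in the stored ciphertext
	_, tamperErr := Decrypt(key, flipped)

	otherKey, err := NewKey()
	if err != nil {
		return Outcome{}, err
	}
	_, keyErr := Decrypt(otherKey, blob)

	return Outcome{RoundTripOK: bytes.Equal(plain, back), TamperErr: tamperErr, WrongKeyErr: keyErr}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\ntampered blob: %v\nwrong key: %v\n", o.RoundTripOK, o.TamperErr, o.WrongKeyErr)
}
```

Encryption by itself gives confidentiality only; an unauthenticated mode such as CBC would decrypt a modified ciphertext to altered plaintext without complaint, which is why the example pairs AES with GCM and treats a tag failure as a hard error.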
For more information, see the Encryption for OpenVMS documentation in the
Version 8.3 New Features and Documentation Overview [ PDF | HTML ].
Many other important security features are included in the base operating system.
For more information, see the HP OpenVMS Guide to System Security [ PDF | HTML ].
Secure Sockets Layer (SSL) is the open standard security protocol for
the secure transfer of sensitive information over the Internet.
SSL provides three things: privacy through encryption, server
authentication, and message integrity. Client authentication is
available as an optional function.
Protecting communication links to OpenVMS applications over a
TCP/IP connection can be accomplished through the use of SSL.
The OpenSSL APIs establish private, authenticated and reliable
communications links between applications.
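The three properties listed above (privacy, server authentication, message integrity) rest on the client checking the server's certificate before any application data flows. The following is an added example written for this page in Go, using Go's crypto/tls rather than the OpenSSL API on OpenVMS, to show that check in action: a client that trusts the server certificate completes the handshake and reads a message over the encrypted channel, while a client with an empty trust store is refused before anything is sent. The host name openvms.example, the self-signed certificate and the message are all constructed for the example; the server listens on a loopback port chosen by the operating system.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical host name the client expects to find in the server certificate.
const serverName = "openvms.example"

// selfSignedServerCert builds a throw-away certificate for serverName. Because it
// is self-signed, the certificate itself is what a trusting client installs as a root.
func selfSignedServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Scenario starts a TLS server on a loopback port, connects a client that either
// trusts the server certificate or trusts nothing, and returns the message the
// client read over the encrypted channel, or the client's handshake error.
func Scenario(trustServer bool, msg string) (string, error) {
	cert, leaf, err := selfSignedServerCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		s := tls.Server(raw, serverCfg)
		defer s.Close()
		if err := s.Handshake(); err != nil {
			return // an untrusting client aborts the handshake with a bad_certificate alert
		}
		s.Write([]byte(msg)) // only reachable once the client has authenticated the server
	}()

	roots := x509.NewCertPool() // empty pool: the client trusts no one
	if trustServer {
		roots.AddCert(leaf)
	}
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	c := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	defer c.Close()
	if err := c.Handshake(); err != nil {
		return "", err // server authentication failed; no application data was exchanged
	}
	buf := make([]byte, 256)
	n, err := c.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	got, err := Scenario(true, "hello from the server")
	fmt.Printf("trusted client:   %q err=%v\n", got, err)
	_, err = Scenario(false, "hello from the server")
	fmt.Printf("untrusted client: err=%v\n", err)
}
```

Client authentication, the optional fourth property, is the mirror image: the server would set ClientAuth to require and verify a client certificate against its own pool, and a client without one would be refused at the same point in the handshake.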
HP SSL Version 1.3 for OpenVMS is based on OpenSSL 0.9.7e and includes the
OpenSSL.org security updates current at the time of its release.
For more information about HP SSL for OpenVMS, see
HP Open Source Security for OpenVMS, Volume 2: HP SSL [ PDF | HTML ].
OpenSSL is an open-source project maintained by the OpenSSL Project team (openssl.org).
It implements the Secure Sockets Layer (SSL) V2.0/V3.0 specifications from Netscape
and the Transport Layer Security (TLS) V1.0 specification from the IETF.
The OpenSSL 0.9.7e baselevel supports the following components:
» Cryptography library
» SSL/TLS library
» OpenSSL command line tool
Note: The OpenVMS port of the Cryptography library does not
contain the RC5 and IDEA symmetric ciphers. HP does
not have a commercial distribution agreement for these algorithms.
» Download HP SSL for OpenVMS
The Common Data Security Architecture (CDSA) is a multiplatform,
industry-standard security infrastructure. Starting with Version 7.3-1,
CDSA is part of the OpenVMS Alpha base operating system.
CDSA is compatible with OpenVMS Alpha Version 7.2-2 and higher.
CDSA provides a stable, standards-based programming interface through which
applications access operating system security services, so developers can write
cross-platform, security-enabled applications. Security services such as cryptography
and other public key operations are reached through a dynamically extensible interface
to a set of plug-in service provider modules, which can be supplemented or replaced
as business needs and technologies evolve.
For general information about CDSA, see:
» SourceForge.net
» Intel Labs
For more information about CDSA on OpenVMS, see
HP Open Source Security for OpenVMS, Volume 1: CDSA [ PDF | HTML ].
CDSA Source Code
For the CDSA sources as ported to the OpenVMS operating system, see:
» Download CDSA source code
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications by using secret-key cryptography.
Kerberos Version 3.0 for HP OpenVMS is based on MIT Kerberos V5 Release 1.4.1.
Starting with Version 7.3-2, Kerberos is included with the OpenVMS base operating
system. Kerberos Version 3.0 runs on OpenVMS I64 Version 8.2 and higher and on
OpenVMS Alpha Version 7.3-2 and higher; Kerberos Version 2.0 runs on OpenVMS VAX
Version 7.3.
For more information about Kerberos on OpenVMS, see
HP Open Source Security for OpenVMS, Volume 3: Kerberos [ PDF | HTML ].
» Download Kerberos for OpenVMS
HP TCP/IP Services for OpenVMS IPsec provides an infrastructure to allow secure
communications (authentication, integrity, confidentiality) over
IP-based networks between systems and devices that implement the IPsec protocol suite.
OpenVMS IPsec
offers protection against replay attacks, packet tampering, and spoofing -- and it keeps others from
viewing critical data such as passwords and financial information sent over the Internet.
For more information about OpenVMS IPsec, see
Configuring and Using TCP/IP Services for OpenVMS IPsec [ PDF ].
» Download HP TCP/IP Services for OpenVMS featuring IPsec
Secure Shell (SSH) is client and server software that encrypts the data flowing
between hosts on a network, transparently to the applications that use it. OpenVMS SSH
is based on SSH2 software from SSH Communications Security and is available as part of
TCP/IP Services Version 5.4 and higher.
See Ericom Software and Process Software for SSH solutions from OpenVMS partners.
Ericom Software provides SSH, SSL, Single Sign On, and Kerberos secure
terminal emulation solutions
Ericom® Software and HP have enjoyed a long-standing business and technology
relationship since 1996, when Ericom's PowerTerm® terminal emulation solution was
included in Pathworks 32.
The number of OpenVMS users who use or are planning to use the SSH and SSL
support in their operating system continues to grow. Many of these users also
require a secure terminal emulator with secure file transfer, and Ericom Software
provides a range of secure solutions for them. For a complete breakdown of Ericom's
PowerTerm host access and Web-to-Host solutions that support the SSL, SSH, Single
Sign On, and Kerberos security protocols, see:
» PowerTerm and OpenVMS: A Natural Partnership
» Host Access Solutions with SSH Protocols
» Host Access Solutions with SSL Protocols
PointSecure Provides Security Products for OpenVMS VAX
and OpenVMS Alpha with System Detective AO and IS
Security SnapShot
The Security SnapShot provides OpenVMS customers with a fast and easy
way to perform a high level assessment of potential security exposures.
This non-intrusive tool focuses on user profiles, file security and
system/network security.
The Security Snapshot performs sixteen security checks on your system and
will provide you with a pass/fail assessment. This will help you
determine the strengths and weaknesses of your system.
Your business processes depend on the applications and data that support
them - so you need to be sure that your data and systems are secure.
This is not always possible because of the rapid changes in business and
technology that increase your organization's control and security
challenges. The Security Snapshot will allow you to quickly and easily
see potential exposures that may affect your strategic business
objectives. For a 16-point checkup for OpenVMS systems, see:
» Download free PointAudit OpenVMS security snapshot
System Detective AO
System Detective AO is a rules based security and compliance tool
designed to enforce user accountability. By monitoring and
recording user sessions as well as providing proactive responses to
triggered events, System Detective AO helps to maintain the
security and integrity of OpenVMS systems.
System Detective IS is an interactive session monitoring tool designed
to give administrators the ability to interactively monitor
user sessions. This product allows administrators to take action to
help users or eliminate unwarranted user activity all in
real-time.
PointSecure also provides a PC-based auditing tool called PointAudit, which
analyzes a SYSUAF listing (SYSUAF.LIS) and provides a breakdown of user profiles
for quick and easy account review.
For additional product information, see:
Migration Advisor
Planning a migration requires a good understanding of your current environment.
Determining which HP layered products and which commercial (third-party/ISV) or open source
products are present is a critical first step in the planning.
PointSecure, working with HP OpenVMS, has created Migration Advisor, a tool that collects
information about your current OpenVMS system environment. A Migration Advisor FAQ and a quick
overview are available from PointSecure, and Migration Advisor can be downloaded from
http://www.pointsecure.com/products/MigrationAdvisor.aspx.
Tell us what you think!
OpenVMS Engineering is considering the following security projects for future
versions of OpenVMS:
- IPSEC support
- Better random number generator
- SMIME support for VMS Mail
- Web services security
- Access control policy management
- PKI Toolkit (APIs/certificate management utilities/development tools)
- Certificate authority on OpenVMS
» Send Feedback and tell us which of these products and projects you would like to see
in future versions of OpenVMS.