HP OpenVMS Guide to System Security > Chapter 11 Securing a Cluster

Building a Common Environment

Within a cluster, access control is mediated by individual nodes using a common set of authorization information. In the single security domain model, a process, acting on behalf of an authorized individual, requests access to a cluster-visible object, and a coordinating node determines the outcome by comparing its copy of the common authorization database with the security profile for the object being accessed. This model enforces security only when the authorization information and the object security profiles are consistent across all nodes in the cluster.

To achieve data consistency within the cluster, a site needs to:

Required Common System Files

The easiest way to ensure a single security domain is to maintain a single copy of each of the files listed in Table 11-1 “System Files That Must Be Common in a Cluster” on one or more cluster-mounted disks. As soon as any required file is created on one node, it must be created or commonly referenced on all remaining cluster members. When a cluster is configured with multiple system disks, you can use system logical names to ensure that only a single copy of each file exists.
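
The system-logical-name approach described above, shown as an added example (it is not taken from the HP guide): a fragment for SYS$MANAGER:SYLOGICALS.COM on each member that points every Table 11-1 file at one common copy and then checks that each name resolves. The disk and directory DISK$COMMON:[CLUSTER_COMMON] are hypothetical, and the disk is assumed to be mounted systemwide before this fragment runs.

```dcl
$! Added example, not HP's own procedure.
$! Assumption: DISK$COMMON:[CLUSTER_COMMON] is a hypothetical cluster-mounted
$! disk and directory that holds the single copy of each Table 11-1 file.
$ COMMON = "DISK$COMMON:[CLUSTER_COMMON]"
$!
$ DEFINE/SYSTEM/EXECUTIVE_MODE NETOBJECT    'COMMON'NETOBJECT.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE NETPROXY     'COMMON'NETPROXY.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE NET$PROXY    'COMMON'NET$PROXY.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE RIGHTSLIST   'COMMON'RIGHTSLIST.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYSALF       'COMMON'SYSALF.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYSUAF       'COMMON'SYSUAF.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYSUAFALT    'COMMON'SYSUAFALT.DAT
$ DEFINE/SYSTEM/EXECUTIVE_MODE VMS$OBJECTS  'COMMON'VMS$OBJECTS.DAT
$! QMAN$MASTER names the directory that holds QMAN$MASTER.DAT, not the file.
$ DEFINE/SYSTEM/EXECUTIVE_MODE QMAN$MASTER  'COMMON'
$!
$! Verify on this node that each file logical name is defined in executive
$! mode in the system table and translates to a file that exists.
$ NAMES = "NETOBJECT,NETPROXY,NET$PROXY,RIGHTSLIST,SYSALF,SYSUAF,SYSUAFALT,VMS$OBJECTS"
$ I = 0
$CHECK:
$ NAME = F$ELEMENT(I, ",", NAMES)
$ IF NAME .EQS. "," THEN GOTO DONE
$ TARGET = F$TRNLNM(NAME, "LNM$SYSTEM_TABLE",, "EXECUTIVE")
$ IF TARGET .EQS. "" THEN -
    WRITE SYS$OUTPUT "''NAME' is not defined; this node would use a local copy"
$ IF TARGET .NES. "" .AND. F$SEARCH(TARGET) .EQS. "" THEN -
    WRITE SYS$OUTPUT "''NAME' -> ''TARGET' not found; confirm it is absent on every node"
$ I = I + 1
$ GOTO CHECK
$DONE:
$ EXIT
```

Running the same check on each member shows quickly whether any node is still translating a name to a private copy on its own system disk.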

The files in Table 11-1 “System Files That Must Be Common in a Cluster” contain data that must be synchronized. If your site chooses to maintain multiple versions of these files, you must synchronize the data, as “Synchronizing Multiple Versions of Files” explains.

Table 11-1 System Files That Must Be Common in a Cluster

| File | Description |
|---|---|
| NETOBJECT.DAT | Contains the DECnet object database. Among the information contained in this file is the list of known DECnet server accounts and passwords. |
| NETPROXY.DAT, NET$PROXY.DAT | Contains the network proxy database. This file is maintained by the Authorize utility (AUTHORIZE). |
| QMAN$MASTER.DAT | Contains the master queue manager database. This file contains the security information for all shared batch and print queues. If two or more nodes intend to participate in a shared queuing system, a single copy of this file must be maintained on a shared disk. |
| RIGHTSLIST.DAT | Contains the rights identifier database. This file is maintained by AUTHORIZE and by various rights identifier system services. |
| SYSALF.DAT | Contains the system autologin file. This file is maintained by the System Management utility (SYSMAN). |
| SYSUAF.DAT | Contains the system user authorization file. This file is maintained by AUTHORIZE and modifiable through the Set User Authorization Information ($SETUAI) system service. |
| SYSUAFALT.DAT | Contains the system alternate user authorization file. This file serves as a backup to SYSUAF.DAT and is enabled through the SYSUAFALT system parameter. |
| VMS$OBJECTS.DAT | Contains the cluster-visible object database. Among the information contained in this file are the security profiles for all cluster-visible objects. |

Recommended Common System Files

Although HP does not require that the files listed in Table 11-2 “System Files Recommended to Be Common” be common to all cluster members, it does recommend that the data in the files be fully synchronized. Table 11-3 “Using Multiple Versions of Required Cluster Files” explains how to coordinate these files and suggests possible consequences of poor synchronization.

Some of the recommended files are created only on request and may not exist in all configurations. Note that a file may be absent on one node only if it is absent on all other nodes. As soon as any required file is created on one node, it must be created or commonly referenced on all remaining cluster members.

Table 11-2 System Files Recommended to Be Common

| File | Description |
|---|---|
| VMS$AUDIT_SERVER.DAT | Contains information related to security auditing, such as enabled security-auditing events and the destination of the system security audit log file. |
| VMS$PASSWORD_HISTORY.DATA | Contains the system password history database. This file is maintained by the SET PASSWORD utility. |
| VMSMAIL_PROFILE.DATA | Contains the system mail database. This file is maintained by the Mail utility (MAIL). It holds mail profiles for all system users as well as a list of all mail forwarding addresses in use on the system. |
| VMS$PASSWORD_DICTIONARY.DATA | Contains the system password dictionary. The system password dictionary is a list of English words and phrases that cannot be used as account passwords. |
| VMS$PASSWORD_POLICY | Contains any site-specific password filters. This file is created and installed by the security administrator or system manager. (See “Site-Specific Filters” for details on password filters.) |

Synchronizing Multiple Versions of Files

Using shared files is not the only way of achieving a single security domain. Some sites may have requirements for multiple copies of one or more of these system files on different nodes in a cluster. As long as the security information available to each node in the cluster is exactly the same, these sites operate in a single security domain.

Table 11-3 “Using Multiple Versions of Required Cluster Files” lists the files that require coordination, explains when to update these files, and suggests possible consequences of poor synchronization.

Table 11-3 Using Multiple Versions of Required Cluster Files

| File | Coordination Required | Result of Poor Synchronization |
|---|---|---|
| VMS$AUDIT_SERVER.DAT | Update after any SET AUDIT command. | Possible partitioning of auditing domains |
| NETOBJECT.DAT | Update all versions after any NCP SET OBJECT or DEFINE OBJECT command. | Unexplained network login failures and unauthorized network access |
| NETPROXY.DAT, NET$PROXY.DAT | Update all versions after any AUTHORIZE proxy command. | Unexplained network login failures and unauthorized network access |
| RIGHTSLIST.DAT | Update all versions after any change to any identifier or holder records. | Possible unauthorized system access and unauthorized access to protected objects |
| SYSALF.DAT | Update all versions after any SYSMAN ALF command. | Unexplained login failures and unauthorized system access |
| SYSUAF.DAT | Update all versions so the fields listed in Table 11-4 “Fields in SYSUAF.DAT Requiring Synchronization” are synchronized for each user record. | Possible unexplained login failures and unauthorized system access |
| SYSUAFALT.DAT | Update all versions after any change to any authorization records in this file. | Possible unexplained login failures and unauthorized system access |
| VMS$OBJECTS.DAT | Update all versions after any change to the security profile of a cluster-visible object or after new cluster-visible objects are created. (See “Protecting Objects” for details.) | Possible unauthorized access to protected objects |
| VMSMAIL_PROFILE.DATA | Update all versions after any changes to mail forwarding parameters. | Possible authorized disclosure of information |
| VMS$PASSWORD_HISTORY.DATA | Update all versions after any password change. | Possible violation of the system password policy |
| VMS$PASSWORD_DICTIONARY.DATA | Update all versions after any site-specific additions. | Possible violation of the system password policy |
| VMS$PASSWORD_POLICY | Install common version on all nodes. | Possible violation of the system password policy |