HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 12 Securing a Cluster

Synchronizing Authorization Data

On a cluster, all elements of the user authorization data should exist in a common database. These authorization elements include the system user authorization files (SYSUAF.DAT and its backup SYSUAFALT.DAT), the rights database (RIGHTSLIST.DAT), the network authorization file (NETPROXY.DAT) and its object database file (NETOBJECTS.DAT), which are present on all OpenVMS systems, and optionally, the autologin file, SYSALF.DAT.

A secure cluster requires that the authorization data be synchronized across all nodes. If a site chooses to maintain multiple versions of these files, then you must synchronize the data. Each user should have the same UIC, group number, and set of identifiers defined on every node. Coordination of privileges and access rights is also critical. A shared disk is protected only as much as its least protected node. If you maintain separate authorization files on each node in the cluster, ensure that user privileges are common across all copies of the system user authorization file (SYSUAF.DAT). “Fields in SYSUAF.DAT Requiring Synchronization” lists the fields of SYSUAF.DAT that must be identical on each node.

Table 12-4 Fields in SYSUAF.DAT Requiring Synchronization

Internal Name $SETUAI Item Code

UAF$R_DEF_CLASS

UAI$_DEF_CLASS

UAF$Q_DEF_PRIV

UAI$_DEF_PRIV

UAF$B_DIALUP_ACCESS_P

UAI$_DIALUP_ACCESS_P

UAF$B_DIALUP_ACCESS_S

UAI$_DIALUP_ACCESS_S

UAF$B_ENCRYPT

UAI$_ENCRYPT

UAF$B_ENCRYPT2

UAI$_ENCRYPT2

UAF$Q_EXPIRATION

UAI$_EXPIRATION

UAF$L_FLAGS

UAI$_FLAGS

UAF$B_LOCAL_ACCESS_P

UAI$_LOCAL_ACCESS_P

UAF$B_LOCAL_ACCESS_S

UAI$_LOCAL_ACCESS_S

UAF$B_NETWORK_ACCESS_P

UAI$_NETWORK_ACCESS_P

UAF$B_NETWORK_ACCESS_S

UAI$_NETWORK_ACCESS_S

UAF$B_PRIME_DAYS

UAI$_PRIMEDAYS

UAF$Q_PRIV

UAI$_PRIV

UAF$Q_PWD

UAI$_PWD

UAF$Q_PWD2

UAI$_PWD2

UAF$Q_PWD_DATE

UAI$_PWD_DATE

UAF$Q_PWD2_DATE

UAI$_PWD2_DATE

UAF$B_PWD_LENGTH

UAI$_PWD_LENGTH

UAF$Q_PWD_LIFETIME

UAI$_PWD_LIFETIME

UAF$B_REMOTE_ACCESS_P

UAI$_REMOTE_ACCESS_P

UAF$B_REMOTE_ACCESS_S

UAI$_REMOTE_ACCESS_S

UAF$R_MAX_CLASS

UAI$_MAX_CLASS

UAF$R_MIN_CLASS

UAI$_MIN_CLASS

UAF$W_SALT

UAI$_SALT

UAF$L_UIC

Not applicable

 

Use SYSMAN if you choose to create an autologin file and maintain the file in the common authorization database with your authorization files and rights database. On clustered systems, the autologin file must include the cluster node name as a prefix to the terminal name. For example, the terminal TTA0 on node WILLOW would be represented as WILLOW$TTA0. See “Using the System Management Utility” for an overview of SYSMAN.