HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 7 Managing System AccessEnabling External AuthenticationExternal authentication allows users to log in (or sign on) at the OpenVMS login prompt using their external user IDs and passwords. The LDAP external authentication agent, Kerberos external authentication agent, PATHWORKS, and Advanced Server for OpenVMS authentication modules (providing NT-compatible authentication) are supported as external authenticators of OpenVMS users. When successfully authenticated, the external user ID is mapped to the appropriate OpenVMS user name and the correct user profile is obtained. Before users can log in, the system administrator must enable external authentication by performing the following tasks:
These tasks are discussed in the following sections. Install and configure the ACME login and ACME authentication agentsIn order to authenticate users using external authentication for OpenVMS Version 8.3 and later, the system must have SYS$ACM-enabled external authentication. That is, the LOGINOUT.EXE and SETP0.EXE (SET PASSWORD) images must use the SYS$ACM system service for authentication. The new LOGINOUT.EXE and SETP0.EXE (SET PASSWORD) images are provided with the ACMELOGIN PCSI kit. This ACMELOGIN PCSI kit has to be extracted from SYS$UPDATE:ACME_DEV_KITS.BCK and installed. See the SYS$HELP:ACME_DEV_README.TXT for more details on installing the new LOGINOUT.EXE and SETP0.EXE (SET PASSWORD) images. Also, see the “Authentication and Credentials Management Extensions (ACME) Subsystem” for more details on how external authentication works when SYS$ACM system service is used with DCL commands to operate on the ACME subsystem. The default LOGINOUT.EXE and SETP0.EXE images provided with the operating system are the non-SYS$ACM versions, as provided with the previous versions of OpenVMS. After installing the ACMELOGIN kit, install and configure the authentication agent, based on the type of authentication requirement. To install and configure the authentication agent, follow the below steps. For a list of generic commands and configuration steps that you can use during the configuration process, see the "ACME Subsystem Controls" section.
Define external authentication logical names for non-SYS$ACM- enabled external authenticationFor the non-SYS$ACME enabled authentication (OpenVMS Version 8.2–1 and earlier) external authentication is enabled at the system level by defining the SYS$SINGLE_SIGNON systemwide executive-mode logical name. For more information, see the Differences between SYS$ACM and non-SYS$ACM external authentication section. By default, external authentication is disabled at both the system and user levels. However, when you invoke PATHWORKS or Advanced Server for OpenVMS, external authentication is automatically enabled, if the system administrator has defined logical names in SYSTARTUP_VMS.COM and marked user accounts in the SYSUAF, as described in the following paragraphs. No additional configuration is necessary for cluster members running the Advanced Server to enable the Advanced Server to participate in the external authentication process.
Mark user accounts in the SYSUAFEach externally authenticated user must have an entry in the SYSUAF file from which account information such as account restrictions and quotas are fetched during login. The user name in the SYSUAF record can be the same or different from the user name entered at the user name prompt. It depends on user name mapping support provided by the authentication agent, which validates the user. For example, Kerberos external authentication supports one to one mapping where the user name entered and the user name in the SYSUAF file must be same. At the user level, external authentication is enabled by a flag, EXTAUTH, in the SYSUAF record for the user. When set, the EXTAUTH flag denotes that the user is to be externally authenticated. For example, in the Authorize utility, you can enter commands similar to the following:
(See the HP OpenVMS System Management Utilities Reference Manual: A-L for more information on the Authorize utility EXTAUTH flag. Also, see the HP OpenVMS System Services Reference Manual: GETUTC-Z for more information on the UAI$V_EXTAUTH bit in the SYS$GETUAI and SYS$SETUAI system services UAI$_FLAGS item code.) Differences between SYS$ACM and non-SYS$ACM external authenticationThe LOGINOUT.EXE and SETP0.EXE (SET PASSWORD) images, provided with the ACMELOGIN kit (upon extracting SYS$UPDATE:ACME_DEV_KITS.BCK), utilize the SYS$ACM system service for user authentication and password changes. With these images installed, login and password change requests are sent to the SYS$ACM service and handled by the ACME_SERVER process’s authentication agents. The effect must be transparent to users, layered products and applications. If your site uses external authentication provided by Advanced Server and you are using the SYS$ACM-enabled LOGINOUT.EXE and SETP0.EXE images, you must be aware of how SYS$ACM-enabled external authentication operates compared with releases prior to Version 8.2–1.
Users can enter the /LOCAL_PASSWORD qualifier after their OpenVMS user name at the login prompt to inform OpenVMS to perform local authentication instead of external authentication. Users should specify their OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier. For SYS$ACM-enabled external authentication (OpenVMS Version 8.3 and later): The SYSUAF flag /VMSAUTH denotes that the account can use standard (SYSUAF) authentication when the EXTAUTH flag requires external authentication. An application specifies the OpenVMS domain of interpretation when calling SYS$ACM to request standard OpenVMS authentication for a user account that normally uses external authentication. For non-SYS$ACM-enabled external authentication (OpenVMS Version 8.2–1 and earlier): As the use of the /LOCAL_PASSWORD qualifier is effectively overriding the security policy established by the system manager, it is only allowed under the following conditions:
See the HP OpenVMS Utility Routines Manual for more information on the /LOCAL_PASSWORD qualifier to LOGINOUT. Certain layered products and applications that use an authentication mechanism based on the traditional SYSUAF-based user name and password (for example, software that calls $HASH_PASSWORD or $GETUAI/$SETUAI to alter, fetch, or verify OpenVMS passwords) encounter problems in either of the following cases:
In such cases, the symptom is a user authentication failure from the layered product or application. For externally authenticated users, the normal system authorization database (SYSUAF.DAT) is used to construct the OpenVMS process profile (UIC, privileges, quotas, and so on) and to apply specific login restrictions. However, there are two key differences between externally authenticated users and normal OpenVMS users. The following is true for externally authenticated users:
OpenVMS attempts to keep a user's SYSUAF and external user password synchronized to minimize these problems. An up-to-date copy of the user's external password is kept in the SYSUAF, but this is not the case if, for example, the external password contains characters that are invalid in OpenVMS, or if SYSUAF password synchronization is disabled by the system manager. (Password synchronization is enabled by default.) If you enable external authentication, HP recommends you do the following to minimize incompatibility with layered products or applications that use traditional SYSUAF-based authentication:
The $GETUAI and $SETUAI system services do not support external passwords. These services operate only in passwords stored in the SYSUAF, and updates are not sent to the external authentication service. Sites using software that makes calls to these services to check passwords or updates must not enable external authentication. HP expects to provide a new programming interface to support external passwords in a future release. If you are an externally authenticated user, the DCL command SET PASSWORD sends the password change request to the external authenticator and changes your password on your OpenVMS system. A system manager can set an externally authenticated user's password by using a utility provided by the external authenticator. For example, in the case of NT compatible authentication, PATHWORKS and Advanced Server for OpenVMS provide the ADMINISTRATOR SET PASSWORD command. Using this method, the new password is propagated to the external authenticator immediately. You can enter a case-sensitive user name at the OpenVMS username prompt if you enclose it in quotes. If you do not enclose the user name in quotes, LOGINOUT converts the user name to uppercase characters. However, all user name entries in the SYSUAF file are stored in uppercase characters. A case insensitive search is performed in the SYSUAF file to locate the user record. Valid characters for external user IDs and passwords belong to the standard IBM extended (8-bit) ASCII character set. LOGINOUT and SET PASSWORD pass these strings case preserved, although the external authentication service uppercases both strings according to this character set. External passwords can contain characters that are not valid in OpenVMS passwords. If an external password contains a character that is invalid in an OpenVMS password, password synchronization is not performed and a message is issued. OpenVMS passwords are limited to the 7-bit ASCII characters A-Z, 0-9, _, and $. To be externally authenticated, a user provides his or her external user ID and password at the OpenVMS login prompt. When performing user name mapping, OpenVMS first tries to locate a match in the SYSUAF and uses that name if it finds a match; otherwise, it queries the external authentication database for a matching user ID. When successfully authenticated, the external user ID is mapped to the appropriate OpenVMS user name to obtain the correct user profile, and the login sequence is completed. External authentication is supported for interactive logins (including DECwindows) and network logins where a proxy is used or a user ID/password is supplied. If you have external authentication enabled on your system, target user names specified in DECnet proxies or Auto-Login (ALF) databases must exist in the SYSUAF. Externally-authenticated users who want to use DECnet proxies must have the same user name in the SYSUAF file and external database. When using DECnet proxies, it is important to maintain unique user names across OpenVMS and external domains. If the same user name appears in the SYSUAF file and external database identifying two different users, the use of this user name as a proxy is ambiguous. LOGINOUT treats the name as an OpenVMS user name for login purposes, even though the same name may map to a different OpenVMS user name. This occurs because name-mapping rules specify that OpenVMS attempt to find a match in the SYSUAF first. Externally authenticated users are considered to have a single password and are not subject to normal OpenVMS password policy (password expiration, password history, minimum and maximum password length restrictions), but are instead subject to any defined external authenticator policy. All other OpenVMS account restrictions remain in effect, such as disabled accounts, modal time restrictions, quotas, and so on. Externally authenticated users are identified by having the EXTAUTH flag set in their SYSUAF record. OpenVMS users whose accounts do not have the EXTAUTH flag set are not affected by external authentication. Although passwords are verified using the external authenticator database, OpenVMS attempts to keep the external and SYSUAF password fields synchronized. Password synchronization is enabled by default. Synchronization takes place at the completion of a successful externally authenticated login. If the external password is different than the password stored in the SYSUAF file, LOGINOUT updates the SYSUAF password field with the external password. (Synchronization may not be possible due to the different sets of valid characters allowed by OpenVMS and the external authenticator.) For SYS$ACM-enabled external authentication, if required, the password synchronization can be selectively turned off. See the “System Parameter SECURITY_POLICY Bit Mask Values” for more information on the SECURITY_POLICY system parameter, which controls the enabling and disabling of password synchronization. For non-SYS$ACM-enabled external authentication, if required, password synchronization can be selectively turned off. (See the “SYS$SINGLE_SIGNON Logical Name Bits” for more information on the SYS$SINGLE_SIGNON logical name bits, which control the enabling and disabling of password synchronization.) For non-SYS$ACM-enabled external authentication (OpenVMS Version 8.2–1 and earlier), the SYS$SINGLE_SIGNON systemwide executive-mode logical name controls overall external authentication operation. The logical name is translated as a hexadecimal string and treated as a bit vector, with each bit controlling a separate component. “SYS$SINGLE_SIGNON Logical Name Bits” contains the definitions of the SYS$SINGLE_SIGNON logical name bits, which are numbered from right to left (with the least significant bit first). Table 7-5 SYS$SINGLE_SIGNON Logical Name Bits
If SYS$SINGLE_SIGNON is undefined or equates to an invalid hexadecimal string, all bits are considered OFF. The following example definition enables external authentication (bit 0). All other components take their default values.
The following example definition enables external authentication (bit 0), forces uppercase terminal input at the username prompt (bit 3), and disables password synchronization (bit 4).
HP DECnet-Plus RequirementUsers with the EXTAUTH bit set in their SYSUAF account record cannot use explicit access control strings with systems running DECnet-Plus unless their externally authenticated password is all uppercase characters. For example, if you enter the following command:
where nodename is a system running DECnet-Plus and username is an EXTAUTH account, DECnet-Plus converts the string supplied in the password to uppercase characters before it is passed to the external authentication agent (a PATHWORKS or NT domain controller).
DECnet-Plus and NET_CALLOUTS ParameterTo run DECnet-Plus for OpenVMS with external authentication enabled, set the system parameter NET_CALLOUTS to 255. This causes user verification and proxy lookups to be done in LOGINOUT rather than DECnet. Failed Connection Attempts on POP ServerThe Post Office Protocol (POP) server does not use external authentication to authenticate connection attempts on the OpenVMS system. This causes connection attempts to fail if either of the following conditions exist:
This section describes how the SYS$ACM system service provides external authentication capability to applications that have to authenticate a user on an OpenVMS system. The Authentication and Credentials Management Extensions (ACME) subsystem provides authentication and persona-based credential services. Applications can use these services to interact with the user to perform one or more of the following functions: ACME supports standard OpenVMS authentication and external authentication policies; therefore, applications utilize the same mechanisms as used by the system's LOGINOUT and SET PASSWORD components. The ACME subsystem consists of the following components:
The ACME subsystem supports multiple ACME agents that can interact with each other to complete an authentication request. These interactions must occur in a controlled manner. When a user authentication dialog is in process, one ACME agent is the controlling agent and the other agents operate in the background as secondary agents. The controlling agent directs the user name and password prompts and is ultimately responsible for validating the user. The secondary agents can display messages, request additional passwords, issue credentials, or reject the authentication request, depending on how each agent is configured to interact with other agents. Operational control of the ACME subsystem includes the following:
The ACME_SERVER process starts automatically upon system boot, with the VMS ACME agent configured. OpenVMS Version 8.3 and later uses a site specific startup procedure, SYS$MANAGER:ACME$START.COM. You can edit the SYS$MANAGER:ACME$START.COM to enable the configuration of the various ACME agents that are required and also the order in which the agents are started. The SYS$MANAGER:ACME$START.COM is run as a result of one of the following conditions:
If you enable agents other than VMS ACME agent, edit the SYSTARTUP_VMS.COM procedure also to include the following command after all the dependent ACME agents: $ SET SERVER ACME/RESTART This ensures that all the required ACME agents are started automatically upon system boot. The executive-mode logical name ACME$START is used to locate this file. The ACME_SERVER can be configured to enable the agent in a specific order. When the user enters the username, at the user name prompt, the ACME agents are called in the order in which it is enabled. The first agent to successfully map the user's principal name to a valid user name within its domain, validates the user. The ordering of the ACME agents is important if the same principal name exists in two or more ACME agent domains. The first agent to map it successfully controls the authentication request. By default, however, it is recommended that the VMS ACME agent is configured first. For example, if the Kerberos authentication agent is configured on OpenVMS and the order of startup for OpenVMS and Kerberos ACME agent is such that the Kerberos agent is started first, only those accounts belonging to Kerberos can login. If the startup order is changed, you can change it back to the default order by performing the following procedure: Edit the SYS$MANAGER:ACME$START.COM (This file is available on OpenVMS Version 8.3 and later) to search for the section (near the end of the command procedure) where you can specify the desired agent ordering. Change the last line (beginning with AGENT_LIST) so that it appears in the procedure.
To start or stop the server manually, use these commands:
On providing a manual SET SERVER ACME/START command, all the ACME agents including the VMS ACME agent have to be configured manually. To configure the VMS ACME agent, use the following command:
To configure the LDAP ACME agent, run the SYS$STARTUP:LDAPACME$STARTUP-STD.COM command procedure or use the following command:
To configure the MSV1_0 ACME agent, run the SYS$STARTUP:NTA$STARTUP_NT_ACME.COM command procedure or use the following command:
To configure the Kerberos ACME agent, run SYS$STARTUP: KRB$STARTUP_KERBEROS_ACME.COM command procedure or use the following command:
When the ACME agents are configured, enable them using the following command:
Error information is written to the ACME subsystem log file, SYS$MANAGER:ACME$SERVER.LOG. To view the state of the ACME subsystem, use the following command:
Problems can be diagnosed by turning on tracing:
For more information on the commands, see the HP OpenVMS DCL Dictionary. To configure the number of worker threads, use the following command: SET SERVER ACME/CONFIG=THREAD_MAX This command is ignored on Integrity servers because only one worker thread is active.
These flags can be manipulated by SYS$SETUAI, SYS$GETUAI, and the AUTHORIZE utility on VAX, Alpha, and Integrity systems. Only the ACME subsystem on Alpha and Integrity servers recognizes these flags.
The following security policy bits control systemwide ACME subsystem operation on Alpha:
An authentication policy is defined by a particular combination of user identification, authentication, and authorization attributes. Policy attributes include:
The following authentication policies are supported at present:
The OpenVMS policy is a rich, case-insensitive, password-based authentication policy that includes single-password or dual-password accounts, password expiration, password lock, password expiration, minimum password lengths, system-generated passwords, intrusion detection and evasion, password dictionary and history filters, modal access restrictions, account expiration, and account lock. A user's credential information consists of the user's group and member identifier code (UIC), privileges, and rights identifiers. This information is stored in the system authorization (SYSUAF.DAT) and rights identifier (RIGHTSLIST.DAT) databases. The system authorization database also contains information about how and when the user can access the system. These modal restrictions limit access based on time of day, day of week, and type of access (for example, dialup, remote, or batch). OpenVMS credentials are stored in a persona. A persona is a protected, kernel-based data structure. The LDAP authentication policy is based on the Lightweight Directory Access Protocol. It supports validation against the user name and password located on the Directory Server, mapping the user to the OpenVMS user name in the SYSUAF file. For more information on LDAP, see the SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.PDF or SYS$HELP:ACMELDAP_STD_CONFIG_INSTALL.TXT . The credentials, such as the user and group identifiers and privileges, use the standard OpenVMS policy. The Advanced Server for OpenVMS MSV1_0 authentication policy is a distributed authentication policy based on Microsoft LAN Manager domain protocols. It supports password and challenge-response (NTLM) mechanisms. The policy supports case-sensitive passwords, password expiration, minimum time before password change, and account lock. A user's credential information consists of the user's system identifiers (primary and secondary SIDs) and privileges. Advanced Server for OpenVMS credentials are stored in an NT persona extension that is attached to a standard persona containing the OpenVMS credentials of the OpenVMS user name that has been mapped to the Microsoft user name by the Advanced Server database. The Kerberos authentication policy is based on the Kerberos protocol. It supports validation against the user name and password located on the Kerberos key distribution center database. The Kerberos principal name must be the same as the OpenVMS user name in SYSUAF. The credentials, such as the user and group identifiers and privileges, use the standard OpenVMS policy. |