Security Center

Product Overview

Security Center enables security administrators to define, document, and apply a corporate security policy to an MCP ClearPath server. The following system security features are included in Security Center:

  • Create and apply user account policies for user accounts.

  • Manage role-based access control for Application and JAVA Realms.

  • Create and apply system-wide security policies.

  • Create and apply guard files.

  • Use MCP File Explorer to navigate a tree structure of the MCP file system to

    • Display file properties.

    • View and modify the file attributes SECURITYTYPE, SECURITYUSE, and SECURITYMODE.

    • View and modify file permissions.

  • Provide for the maintenance and creation of Remote Users, Kerberos users, Transaction Server users, and user accounts.

  • Manage network policies (TCP/IP filtering and IPsec).

  • Manage the cryptography environments and the keys and certificates for use by applications using the MCP Cryptographic Services. For more information, refer to Operating Environment Encryption Option.

  • Configure and manage the Kerberos configuration information.

The Unisys Locum RealTime Monitor, Unisys Locum SafeSurvey, and Unisys Locum SecureAudit products are integrated with Security Center.

General Features

Notes:
  • If role-based access control is enabled for the Security Center product, then the role of the usercode determines what operations the usercode can perform. If role-based access control is disabled, then the attributes of the usercode determine whether or not the usercode can connect to Security Center.

  • Users of systems with the SECADMIN feature turned off need PU (privileged user) privileges to access Security Center. Users of systems with the SECADMIN feature turned on must have SECADMIN privileges to access Security Center.

Security Center provides an environment for running management applications, structured as components and referred to as modules.

The server applications run on ClearPath servers. The client applications run on Windows platforms.

The following modules are available in Security Center.

Security Policy Management Module

The Security Policy Management module enables you to

  • Create and maintain user account policies to be used for maintaining MCP user accounts.

  • Create, maintain, and apply system-wide security policies across multiple ClearPath servers. These security policies contain the logging options of the MCP server for the system SUMLOG and job log.

  • Maintain a history of system-wide policy changes.

  • Use a default Transaction Server template to create Transaction Server users.

  • Use the TCP/IP filter rules feature to create, update, and maintain the rules applied by the TCP/IP network provider to all incoming and outgoing packets. By using these rules, security administrators can restrict access to the MCP Environment. This feature provides a wizard to help security administrators to create and edit rule files.

    This feature also includes a testing wizard to test the rules file before deploying it to the Unisys ClearPath MCP Environment.

  • Create, maintain, test, and apply IPsec policies to the ClearPath MCP Environment.

File Access Management Module

The File Access Management module provides the ability to

  • Create, maintain, and apply MCP GUARDFILES to restrict access to files and databases.

  • Use MCP File Explorer to navigate a tree structure of the MCP file system to

    • Display file properties.

    • View and modify the file attributes SECURITYTYPE, SECURITYUSE, and SECURITYMODE.

    • View and modify file permissions.

MCP User Account Management Module

The MCP User Account Management module provides the ability to

  • Maintain MCP user accounts, remote users, Kerberos user identities, and Transaction Server account information.

  • Apply user account policies created in the MCP Security Policy Management module.

  • Clone an existing usercode. All attributes other than username are prefilled with the values of the existing usercode. Administrators can also clone a remote user or a Transaction Server user.

  • Query the system using various criteria and save the results into the MMC framework for later use. Modify and delete usercodes based on the result of a query.

  • Create, modify, and deploy user realms for the Java EE authentication and role-based authorization in the JBoss® Enterprise Application Platform (JBoss EAP). Realms associate usercodes with their assigned roles, specifically for use by the JBoss EAP. Role-based access control assigns roles to usercodes rather than assigning them to groups, thus minimizing management overhead.

  • Create, modify, and deploy role-based access control for applications running on an MCP server. Role-based access control assigns roles to usercodes rather than assigning them to groups. Applications can define realms (either applications or application subsystems), permissions, roles, and populate these sets with usercodes.

MCP Cryptographic Services Management (CSM) Module

The MCP Cryptographic Services Management (CSM) module enables security administrators to configure and manage keys, certificates, and certificate stores for use with the ClearPath Secure Transport, McpCryptoApi for User Applications, and Library Maintenance Tape Encryption products and with the IPsec feature.

Security Center replicates the information between cryptographic environments—Cryptographic CoProcessors or Windows environments. The key, certificate, and certificate store information are kept in a secure Enterprise Database Server database in the MCP Environment.

The CSM module enables the security administrator to generate asymmetric keys and certificates for applications to use ClearPath Secure Transport, Web Transaction Server, FTP services, Secure Sockets Layer, or MCPCryptoApi for User Applications. CSM generates the machine keys for Tape Encryption as well as the symmetric keys for use by IPsec.

The CSM module also enables the security administrator to back up and restore keys and certificates. This capability is useful for sharing keys with disaster recovery sites (for Tape Encryption) and for sharing keys between systems using the IPsec feature. The configuration of the MCP cryptographic environment used for encryption can also be maintained with this module.

MCP Kerberos Configuration Management Module

The MCP Kerberos Configuration Management module enables security administrators to configure the MCP Kerberos product on an MCP server. The Kerberos Configuration Manager makes it easier for security administrators to install, configure, and manage Kerberos security and principal identifiers. Security administrators of Kerberos must have security administrator privileges in the MCP Environment and administrator privileges on the Windows server acting as the key distribution center (KDC) for the Kerberos system.

Unisys Locum RealTime Monitor

Unisys Locum RealTime Monitor provides total monitoring control over ClearPath MCP systems, with tools that keep the administrator updated on critical events even when away from a PC. It also offers a selection of options to display or process the data.

For additional details and ordering information, see Unisys Locum RealTime Monitor.

Unisys Locum SafeSurvey

Unisys Locum SafeSurvey provides the tools to supply the security administrator with detailed reports and perform a security assessment of the system to highlight areas where the system might be at risk.

Unisys Locum SafeSurvey provides a series of reports that enables security administrators to review and analyze security status on MCP systems. Some of the reports provide information on allocation of usercode privileges, security-related attributes, and remote user definitions. This product analyzes the USERDATAFILE, password strength, system configuration, disk file privileges, and networking configuration.

The summary mode version of SafeSurvey, which provides a summary view of the security configuration, is packaged with Security Center. The full version is available through a separately priced feature.

For additional details and ordering information, see Unisys Locum SafeSurvey.

Unisys Locum SecureAudit

Unisys Locum SecureAudit produces consolidated reports for MCP systems, thus providing a security reporting solution for your enterprise. Security reporting is essential to many jobs and departments, such as security administration and external auditing. Authorized users can use SecureAudit to produce specific reports.

For additional details and ordering information, see Unisys Locum SecureAudit.

New Features/Enhancements

The following new features and enhancements were added for this release:

  • Security Center now notifies the user when a key has expired.

  • New security options for managing new security capabilities are included in Security Center.

  • SAFEANDSECURE now supports Unisys Keys, and all SAFE components work when SAFEANDSECURE KEY is installed in MCP.

  • Propagations of attributes can be done from one MCP host to another using CHAIN. Now this propagation can happen over an encrypted channel using SSL.

Ordering Information

Security Center is included as part of the operating environment. Source code is not available for this product.

Product Information

Refer to the following documents for more information:

  • Security Center Help

  • MCP Security Overview and Implementation Guide

  • Security Operations Guide

  • Unisys Locum SafeSurvey Help

  • Unisys Locum SecureAudit Help

  • Unisys Locum RealTime Monitor Help

  • Unisys Locum AdminDesk Help

For more information on Locum product documentation, refer to the Unisys Product Support website at https://www.support.unisys.com/common/welcome.aspx?pla=MCP&nav=LSS.