Operating Environment Encryption Option

Product Overview

The Operating Environment Encryption Option provides cryptography services for the MCP Environment. These cryptographic services are offloaded to co-resident hardware on the ClearPath MCP Environment: Cryptographic CoProcessors or Windows partitions. The software for the offloaded cryptographic services is provided on the MCP Cryptographic Services CD-ROM.

The Operating Environment Encryption Option also enables the following MCP services, which use these cryptographic services:

  • MCP Cryptographic Services

  • ClearPath Secure Transport (SSL/TLS)

  • ClearPath Kerberos Security

  • Remote Web Enabler ODT Communications Using Secure Sockets Layer (MCPvm systems only)

  • Disk Encryption (Supported on all Libra systems and all ClearPath MCP Software Series systems that run CSS Firmware level 4.0 or later.)

  • McpCryptoApi for User Applications

  • Internet Protocol Security (IPsec)

  • Secure Shell (Secure File Transfer Protocol)

  • XML Encryption

The Operating Environment Encryption Option and the MCP Cryptographic Services are required by the Internet protocol security (IPsec) feature of the TCP/IP Interprocess Communications Services product.

General Features

MCP Cryptographic Services

MCP Cryptographic Services is composed of the following services:

  • Unisys ClearPath Crypto-Proxy

    This service uses the Microsoft Windows cryptographic services to provide cryptography to the MCP Environment. Within a ClearPath system, the MCP Environment can use multiple cryptographic environments to provide cryptographic services simultaneously, thus offering increased reliability and redundancy.

  • Unisys ClearPath SecurityCenter Agent

    Security Center uses this service to assist the security administrator in creating and managing the keys used to encrypt and decrypt the data. You can localize the Security Center interface as part of the localization and internationalization kit.

    This service also enables the security administrator to request and install the certificates that bind an application or Web site to its public key.

ClearPath Secure Transport

ClearPath Secure Transport implements the Secure Sockets Layer (SSL) protocol and the Internet standard Transport Layer Security (TLS) protocol version 1.0—documented in RFC 2246—and TLS 1.2—documented in RFC 5246— in the ClearPath MCP Environment. The primary purpose of the SSL and TLS protocols is to ensure secure transmission of confidential information over the Internet.

You can use the ClearPath Secure Transport to encrypt sensitive data such as credit card numbers and other financial information that is transmitted between consumers and product Web sites.

Web Transaction Server for ClearPath MCP uses the ClearPath Secure Transport to protect objects marked as secure by the Web administrator. The secure objects are protected by the SSL protocol.

The FTP products, client and server, can enable ClearPath Secure Transport in both implicit and explicit modes to secure file transfers across the network.

Programs using the MCP Sockets Interface and TCPIPNATIVESERVICE port files through the Port File API can secure their protocols by enabling SSL and TLS.

ClearPath Secure Transport includes

  • Common Security Layer

    SSL and TLS provides a common security layer for all TCP applications. Security is handled just above the transport layer to relieve the burden of securing the data from each application.

  • Client-Side Secure Sockets Layer (SSL)

    This feature enables an application running in the MCP Environment to function as an SSL client. The application initiates an SSL session (FTP, for instance) as a client. MCP system software is responsible for sending all client protocol messages and responding to all server protocol messages.

  • Peer Authentication

    Peer authentication allows the MCP server to authenticate a client. The client sends the MCP server a certificate and a signed message. The server authenticates the client. Peer authentication is for situations in which the server wants to restrict access to the server or a resource to authorized clients

  • TLS Support for Advanced Encryption Standard (AES)

    AES cipher suites are supported in the secure sockets layer. AES is the cryptography algorithm approved by the US Government as a replacement to data encryption standard (DES). This feature enables MCP software to keep pace with current encryption technology.

ClearPath Kerberos Security

ClearPath Kerberos Security can provide a secure log-on to the MCP Environment; it also provides a programmatic interface that enables MCP client-server applications to add core security services.

Kerberos Security enables the MCP to identify and authenticate users and automatically log them on to MARC without prompting the users for a password. Kerberos Security never sends a password in the clear across the network. Once users are connected to the MCP host, they can initiate Kerberos-authenticated Telnet connections to other systems.

MCP applications can be enhanced to authenticate clients by using the Generic Security Services Application Program Interface (GSS-API). This API is an extended version of the standard Generic Security Services API published by the Internet Engineering Taskforce (IETF) Request for Comments (RFC) 2078. Applications can also encrypt individual messages and apply data-integrity checking by means of the GSS-API. Client applications can also use the GSS-API to authenticate server applications.

Users who access a Kerberos-enabled system need only to log on once to the Kerberos server. They are then automatically logged on when connecting to any other Kerberos-enabled system.

The components of Kerberos Security on the MCP system are

  • The *SYSTEM/KERBEROS/SUPPORT library

  • Enhancements to system software, including the MCP, MARC, Transaction Server, TELNET, Station Transfer, MAKEUSER, and LOGANALYZER

  • GSS-API, which is available to ALGOL and NEWP programs

    An include file is provided that defines the interface. Applications import the GSS-API interface into their programs by including this file at compile time.

    Kerberos Security supports AES128, DES, AES256, and RC4 data encryption.

  • DES encryption, which is available natively on ClearPath systems.

  • RC4 encryption, which is most commonly used by the Windows platform, is available on ClearPath systems either natively in the MCP Environment or in the Windows environment by using the MCP Crypto Application Program Interface (MCAPI).

  • AES Encryption, which is only available in the Windows environment by using the MCP Crypto Application Program Interface (MCPAPI) (Web Enabler).

Kerberos Security requires a Kerberos workstation client and a Kerberos server. The Windows Kerberos workstation client can be a Kerberized version of the INFOConnect terminal emulator.

Internet Protocol Security (IPsec)

IPsec secures network data at the IP layer and uses policies to define the security protection that is not to be applied at the MCP-to-network boundary. Traffic can be forbidden from being transmitted unencrypted (DISCARD), allowed to be transmitted unencrypted (BYPASS), or encrypted prior to transmission (PROTECT).

Refer to the MCP Security Overview for more IPsec details.

Remote Web Enabler ODT Communication Using Secure Sockets Layer (SSL)

This feature provides 128-bit encryption capabilities for network communication with a remote Web Enabler operator display terminal (ODT). This capability enables the Virtual Machine for ClearPath MCP software to hide the protocol details from network sniffers, packet filters, and other spy software.

McpCryptoApi for User Applications

The McpCryptoApi programmatic interface enables applications to call a variety of encryption services from the MCP Environment.

The McpCryptoApi security service includes the MCAPISUPPORT library in the MCP Environment.

The McpCryptoApi programmatic interface enables applications to

  • Encrypt or decrypt data (using RC4, 3DES, RSA, and AES (128, 192, 256 bit modes).

  • Generate a digest, also known as a hash or fingerprint (using SHA1, HMAC, and SHA-256).

  • Use RSA to generate and verify digital signatures.

  • Generate encryption keys.

  • Generate pseudorandom byte patterns.

  • Manage digital certificates by using a partial Public Key Infrastructure (PKI) capability.

The McpCryptoApi programmatic interface includes support the Advanced Encryption Standard (AES) algorithm. The AES algorithm is recommended for new applications and replaces the DES algorithm in existing applications that require the use of a symmetric key-block cipher. The AES algorithm enables the use of 128-bit, 192-bit, or 256-bit keys and provides stronger security than the DES algorithm. Use of ECB and CBC modes is supported.

The McpCryptoApi interface supplies cryptographic functions to ClearPath MCP applications and system software. This interface is available to ALGOL, NEWP, and COBOL85 programs.

Secure Shell (SSH) for ClearPath MCP

The Secure Shell (SSH) for ClearPath MCP product provides an implementation of the industry-standard Secure Shell (SSH) protocols, which enable secure data communications. See “Secure Shell (SSH) for ClearPath MCP” later in this section.

XML Encryption

XML Encryption allows COBOL or ALGOL applications to easily encrypt or decrypt data in XML documents. You require MCP Cryptography to enable this feature. For more information, see the WEBAPPSUPPORT Application and Programming Guide.

New Features/Enhancements

The following new features and enhancements are available in this release:

  • ClearPath Secure Transport

    ClearPath Secure Transport now supports stronger algorithms that satisfy the requirements set forth by the National Institute of Standards and Technology (NIST), in its CNSA Suite. This enables your MCP system to interoperate with other systems that support TLS 1.2 using today’s most commonly used encryption algorithms.

  • Internet Protocol Security (IPsec)

    • IPsec encryption is now available for IPv4 traffic.

    • All encryption now uses the latest, most secure algorithms that IPsec supports.

    • A streamlined data path to improve throughput, which enables a link protected by IPsec to perform similarly to an unencrypted link.

Configuration Requirements

Hardware

  • An Intel-based server or Cryptography CoProcessor attached to one of the following Libra servers: 880 or 890.

System Software

  • MARC

  • Transaction Server

  • GSS-API

  • DIGEST library

  • TELNET

  • DSS

  • Resolver

Third-Party Products

  • Kerberos Key Distribution Center server: Windows server

  • Clients

    • Kerberized INFOConnect terminal emulator for Windows

    • Any other Kerberized Telnet VT100 emulator

Ordering Information

The cryptographic services are subject to U.S. Government export regulations.

Platform

Style

United States only

The ordering style for the Operating Environment Encryption Option-US is CS 10-END.

Other countries

The ordering style for the Operating Environment Encryption Option-International is CS 10-ENI.

Source Code is not available for this product.

Product Information

Refer to the following documents for more information:

  • ClearPath Enterprise Servers Security Software Developers Kit (2621 1060)

  • ClearPath Kerberos Security Configuration and Administration Guide (8807 8878)

  • ClearPath Enterprise Servers MCP Implementation Guide (6871 4260)

  • MCP Security Overview and Implementation Guide (8205 7498)

  • MCP Sockets Service Programming Guide (4310 3530)

  • Security Center Help (4310 9263)

  • Virtual Machine for the Java Platform on ClearPath MCP Programming Guide (8212 6095)

Prev  Up  Next
Multi-Factor Authentication  Home  Secure Access Control Module