ClearPath OS 2200 Release 17 continues the progression of features that you can use to secure your systems and data. Here are a few of the highlights:
Logging and Reporting ACR Actions
Access Control Record logging is a new feature of Release 17, supported by Apex and the Exec.
Access Control Records (ACRs) are available in Security Level 1 and higher to control access to files and other objects. Thus changes to an ACR can affect access to the files it’s attached to.
In this release, the Exec creates a type 831 log entry each time an ACR is created, updated, or deleted. This provides the raw data you need to monitor and audit access control changes. Note that this has no effect on the other ACR-related log entries, which are still generated.
Apex includes a new report, “Modified Access Control Records”, that lets you view any changes to ACRs, showing both the before and the after as recorded in each log entry, as well as the current value of the ACR.
Network Security Enhancements
Release 17 network security enhancements are embodied in new levels of CPComm, CPCommOS, and CryptoLib.
We’ve offered SHA2—the secure hash algorithm with several choices of large digest sizes—for a long time, but in this release we now support SHA-2-based signature creation in our utilities. This is particularly important as many browser vendors are phasing out support for SHA-1 signatures.
Release 17 includes enhanced support for PKCS private key file formats, both the older PKCS #1 format and the newer PKCS #8 format, including encrypted private key files. CryptoLib supports the new private key file formats provided by CPComm, including functions to derive an encryption key from a password.
Release 17 lets you put the password used to encrypt the private key in a separate file, rather than in the communications configuration file. That way you can give the password file stronger access protection.
Release 17 also includes Domain Name Security Extensions on Intel-based servers. The DNSSEC extensions are intended to help protect your ClearPath Forward Dorado system and its applications against Domain Name data that has been changed by malicious attackers.
Intel-based Dorado systems can also use Virtual LANs. A Virtual LAN, or VLAN, allows a local area network to be segmented through software configuration. VLAN membership can be changed through software, as opposed to physically reconfiguring your network. VLANs have the same attributes as a physical LAN but allow end hosts to be grouped together even if they are not on the same switch. Switch-based security is improved because network traffic is isolated between VLANs.
Another new feature in this release gives you single sign-on without requiring the auxiliary server required by Kerberos and NTLM, the two single sign-on methods we’ve supported for a long time. Instead it uses the identity certificate from your smart card or your workstation.
Apex Security Management and Auditing Enhancements
Apex 3.0, released as part of ClearPath OS 2200 Release 17.0, can do anything that you can do with Security Client, which is part of the Security Administration product. It not only replaces but enhances Security Client capabilities for management of file security, compartments, and quota sets, including reports on quota sets and file security.
This level also lets you select certificate-based authentication for a user-id.
Apex logon is also more flexible. In the previous release, you logged on to Apex using your default account and project-id. In this release, you can log onto Apex with a specific account and project-id.
You can learn more about these enhancements and others by watching the Unisys ClearPath OS 2200 Release 17.0 Technical Update videos on the Unisys support site or YouTube. On YouTube, see Unisys ClearPath OS 2200 Release 17.0 Technical Update. On the Unisys support site, log in with your credentials. (You will need access to ClearPath OS 2200 Software.) Select ClearPath OS 2200 software from the ClearPath OS 2200 Servers and Software menu, and then choose the Release 17.0 Technical Updates or use this link.