On a cluster, all elements of the user authorization data
should exist in a common database. These authorization elements
include the system user authorization files (SYSUAF.DAT and its
backup SYSUAFALT.DAT), the rights database (RIGHTSLIST.DAT), the
network authorization file (NETPROXY.DAT) and its object database
file (NETOBJECTS.DAT), which are present on all OpenVMS systems,
and optionally, the autologin file, SYSALF.DAT.
A secure cluster requires that the authorization data be synchronized
across all nodes. If your site chooses to maintain multiple versions
of these files, you must keep the data synchronized. Each user should
have the same UIC, group number, and set of identifiers defined
on every node. Coordination of privileges and access rights is also
critical. A shared disk is only as well protected as its least protected
node. If you maintain separate authorization files on each node
in the cluster, ensure that user privileges are common across all copies
of the system user authorization file (SYSUAF.DAT).
Table 4 lists the fields of SYSUAF.DAT that must
be identical on each node.
Table 4 Fields in SYSUAF.DAT Requiring Synchronization

Internal Name             $SETUAI Item Code
------------------------  ------------------------
UAF$R_DEF_CLASS           UAI$_DEF_CLASS
UAF$Q_DEF_PRIV            UAI$_DEF_PRIV
UAF$B_DIALUP_ACCESS_P     UAI$_DIALUP_ACCESS_P
UAF$B_DIALUP_ACCESS_S     UAI$_DIALUP_ACCESS_S
UAF$B_ENCRYPT             UAI$_ENCRYPT
UAF$B_ENCRYPT2            UAI$_ENCRYPT2
UAF$Q_EXPIRATION          UAI$_EXPIRATION
UAF$L_FLAGS               UAI$_FLAGS
UAF$B_LOCAL_ACCESS_P      UAI$_LOCAL_ACCESS_P
UAF$B_LOCAL_ACCESS_S      UAI$_LOCAL_ACCESS_S
UAF$B_NETWORK_ACCESS_P    UAI$_NETWORK_ACCESS_P
UAF$B_NETWORK_ACCESS_S    UAI$_NETWORK_ACCESS_S
UAF$B_PRIME_DAYS          UAI$_PRIMEDAYS
UAF$Q_PRIV                UAI$_PRIV
UAF$Q_PWD                 UAI$_PWD
UAF$Q_PWD2                UAI$_PWD2
UAF$Q_PWD_DATE            UAI$_PWD_DATE
UAF$Q_PWD2_DATE           UAI$_PWD2_DATE
UAF$B_PWD_LENGTH          UAI$_PWD_LENGTH
UAF$Q_PWD_LIFETIME        UAI$_PWD_LIFETIME
UAF$B_REMOTE_ACCESS_P     UAI$_REMOTE_ACCESS_P
UAF$B_REMOTE_ACCESS_S     UAI$_REMOTE_ACCESS_S
UAF$R_MAX_CLASS           UAI$_MAX_CLASS
UAF$R_MIN_CLASS           UAI$_MIN_CLASS
UAF$W_SALT                UAI$_SALT
UAF$L_UIC                 Not applicable

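The following Python example is added here and is not part of the original guide: it compares per-node copies of user records on the fields from Table 4 and reports users missing from a node or fields whose values differ. The input layout, the node name BIRCH, the usernames, the extra field LASTLOGIN_I and all values are assumptions constructed for illustration.

```python
# Added example: report SYSUAF.DAT fields that differ between cluster nodes.
# Input layout is an assumption: {node: {username: {field: value}}}, as a
# site-written extraction job might produce; values are opaque strings.

# Table 4 item codes without the UAI$_ prefix, plus UIC (which the table
# lists only under its internal name, UAF$L_UIC).
SYNC_FIELDS = (
    "DEF_CLASS", "DEF_PRIV", "DIALUP_ACCESS_P", "DIALUP_ACCESS_S",
    "ENCRYPT", "ENCRYPT2", "EXPIRATION", "FLAGS", "LOCAL_ACCESS_P",
    "LOCAL_ACCESS_S", "NETWORK_ACCESS_P", "NETWORK_ACCESS_S", "PRIMEDAYS",
    "PRIV", "PWD", "PWD2", "PWD_DATE", "PWD2_DATE", "PWD_LENGTH",
    "PWD_LIFETIME", "REMOTE_ACCESS_P", "REMOTE_ACCESS_S", "MAX_CLASS",
    "MIN_CLASS", "SALT", "UIC",
)

def find_drift(nodes):
    """Return (user, field_or_MISSING_ON, detail) tuples, sorted by user."""
    findings = []
    all_users = sorted({u for recs in nodes.values() for u in recs})
    for user in all_users:
        # A user defined on some nodes but not others is itself drift.
        missing = sorted(n for n, recs in nodes.items() if user not in recs)
        if missing:
            findings.append((user, "MISSING_ON", tuple(missing)))
        present = {n: recs[user] for n, recs in nodes.items() if user in recs}
        for field in SYNC_FIELDS:
            values = {n: rec.get(field) for n, rec in present.items()}
            if len(set(values.values())) > 1:
                findings.append((user, field, tuple(sorted(values.items()))))
    return findings

# Constructed sample data. WILLOW is the node name used on the page; BIRCH,
# the usernames and every value are made up. LASTLOGIN_I is not in Table 4,
# so its per-node difference is not reported.
SAMPLE = {
    "WILLOW": {
        "SMITH": {"UIC": "[200,10]", "PRIV": "NETMBX,TMPMBX",
                  "LASTLOGIN_I": "2024-01-02"},
        "JONES": {"UIC": "[200,11]", "PRIV": "NETMBX,TMPMBX"},
    },
    "BIRCH": {
        "SMITH": {"UIC": "[200,10]", "PRIV": "NETMBX,TMPMBX,SYSPRV",
                  "LASTLOGIN_I": "2024-03-09"},
    },
}

if __name__ == "__main__":
    for user, what, detail in find_drift(SAMPLE):
        print(user, what, detail)
```
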
Use SYSMAN if you choose to create an autologin file and maintain
the file in the common authorization database with your authorization
files and rights database. On clustered systems, the autologin file
must include the cluster node name as a prefix to the terminal name.
For example, the terminal TTA0 on node WILLOW would be represented
as WILLOW$TTA0. See Using the System Management Utility for
an overview of SYSMAN.