 |
 |
||||||||
|
 |
||||||||
|
|
 |
New Features and Updates for APPX Router
Last Update: 11/17/01
Appendix A - Router Encryption Database "EX1" Format ==================================================== - Overview - [global] Section - [user] Section - [profile] Section - Sample Database File Overview ======== The database file for the local "EX1" encryption/security database on the APPX Router is a flat text file, containing sections delimited by "[...]" section headers. There is one [global] section defining global settings, one [user] section for each user ID defined, and as many different [profile] sections as needed to define the different security policies for the various users. The basic layout of the file is as follows. Blank lines are ignored, and comments may be added, prefixed with a semicolon. The section headers and keywords are not case sensitive. Of the character/text parameters, the [global].sharedsecret and [user].password parameters *are* case sensitive, the remainder are not. Optional entries are shown in braces. Parameter values may be specified as quoted strings if they contain spaces. Quoted strings may contain "escape" sequences initiated with a backslash ("\") character. Valid escapes are '\\' (a single backslash) and '\"' (a single quotation mark). All other escape sequences are reserved and will be flagged as errors. Sections with names starting with two underscores ("__") as well as keywords starting with two underscores ("__") are ignored by the APPX Router. These sections and keywords are reserved for applications that build EX1 database files, and need to store private data in the file. [global] format=EX1 {description=xxxx} {preflimit=preftag} {sharedsecret=xxxx} [user] id=xxxx ;A comment password=xxxx {profile=xxxx} {classes=a,b,c...} {overrides=...} [profile] profile=xxxx {classes=a,b,c...} {overrides=...} {addr=fromip,toip,ctl} {addr=fromip,toip,ctl} ... {allotheraddr=ctl} When the APPX Router loads a local database, it will create a log file with the same name as the database file, plus a ".log" extension. Syntax and other errors in the source database will be written to the .log file, in addition to basic statistics about what was loaded. Note: the APPX Router Manager program provides the ability to reload the database without stopping the Router. [global] Section ================ format=EX1 ---------- Specifies the format of the encryption database file. EX1 is the only value currently supported. description=xxxx ---------------- An optional description of the database. This text is included in several database related messages in the APPX Router log. preflimit=preftag ----------------- Associated with the list of allowed encryption modes (configured in the Router), are "preference tags." These are arbitrary assignments from "0" to "9". In the context of an "EX1" database, the preference tags are used to divide the allowed encryption modes into two groups - "preferred" and "alternate." The preflimit= parameter sets the boundary between preferred and alternate values by specifying the highest value in the "preferred" group. For example, if "preflimit=3" were specified, encryption modes with associated preference tags "0" through "3" would be classified as preferred, and "4" through "9" as alternate. If the preflimit= parameter is omitted, preflimit=5 is defaulted. sharedsecret=xxxx ----------------- In addition to the Diffie-Hellman key and the user ID password, an additional fixed encryption key can be factored into the final negotiated key. That key is specified with the sharedsecret= parameter. If omitted, or if specified as "sharedsecret=", a shared secret of all nulls will be used. Up to 32 characters may be specified. [user] Section ============== id=xxxx ------- Specifies the user ID. This parameter is required. Up to 32 characters (for PCMF/CICS compatibility, up to four characters). Two special user IDs are defined. The user ID "<nil>" is used when an all null user ID is specified by the client. The user ID "<unknown>" is used for any incoming connection type that does not include user ID information. Note: the "<unknown>" user ID is used to validate sessions only when encryption is set to one of the "Allowed" options in the APPX Router configuration. If encryption is set to "None", the database is not used at all, and connection requests without user ID information are accepted, subject only to the address range checking specified in the Router configuration. If set to "Required", connection requests not including user ID information are always rejected, unless mode 000 is specifically listed as an acceptable "encryption" mode. "<nil>", on the other hand, is a completely valid user ID, and is treated as such in all respects. In general, user IDs of the form "<...>" are reserved, and should not be used. password=xxxx ------------- Specifies the password (aka "ID Shared Secret") associated with the user ID. The password is factored into the final encryption session key. The parameter is required, but may be specified as "password=", which results in a password of all nulls. Up to 32 characters (for PCMF compatibility, up to eight characters, uppercase only). profile=xxxx ------------ Specifies the name of the [profile] section associated with this user ID. If the specified profile does not exist, or the profile= parameter is omitted, the profile section "<DEFAULT>" will be used. classes=a,b,c... ---------------- Additional security classes associated with this user ID. These security classes, plus any specified in the associated [profile], are added to the APPX Router security classes specified in the TCP/IP Listener "General" and "Addresses" tabs, when this user ID is used. The syntax requirements for the class names follow the same requirements as for the APPX Router (in v1.40, class names "A" through "Z" are allowed). This parameter is optional. overrides=... ------------- Optional overrides of host connection parameters ("Host Connection Overrides") may be added at the user and profile level. These are overrides as described in Appendix D of the "APPX Router Implementation Guide and Reference." In addition to the overrides which may be specified at the client, additional overrides may be specified in the [user] and [profile] records. These overrides are added to the mix when the particular user and profile records are selected for an incoming connection. Overrides are applied in the following order: 1. Base definitions (lowest priority) 2. Overrides from [profile] 3. Overrides from [user] 4. Overrides from client (Fmt-3) (highest priority) Thus if an LU6.2 user ID ("userid=jennifer") is specified in the [user] record, and also in the client Fmt-3 connect data ("userid=sally"), the latter value ("sally") is used when the LU6.2 session is established with the host. Note: clients can only include override data if they use Fmt-3 connections. The overrides from the [profile] and [user] records are available in all cases (although if the client does not use a Fmt-3 connect, the user ID will, by definition, be "<unknown>"). Most overrides must be explicitly enabled in the Host Connection definition. One use of override data in the database is to establish the LU6.2 signon data at the APPX Router, rather than having it come from the client, or be hard coded in the Host Connection definition. [profile] Section ================= profile=xxxx ------------ Specifies the name of the security profile. Required. Up to 32 characters. A special security profile named "<DEFAULT>" will be used if the profile specified by the user ID entry does not exist, or if the user ID entry does not specify a profile. If no "<DEFAULT>" security profile is defined, an implicit security profile, with the following contents, will be used: [profile] profile=<DEFAULT> allotheraddr=3 It is strongly recommended that the <DEFAULT> profile be explicitly defined, even if its contents are identical to the implicit one. Note: to force the use of a specific, non-<DEFAULT> profile in all cases, define the <DEFAULT> profile to reject all sessions: [profile] profile=<DEFAULT> allotheraddr=0 ;Reject everything classes=a,b,c... ---------------- Additional security classes associated with this profile. See the description of the classes= parameter in the [user] section for additional information. overrides=... ------------- Optional overrides of host connection parameters. See the description of the overrides= parameter in the [user] section for additional information. addr=fromip,toip,ctl -------------------- Specifies an IP address range for which a particular access rule applies. Zero or more addr= entries may be specified (up to 32). Each defines a range of IP addresses it matches, and an encryption rule to use ("ctl"). If an incoming IP address matches more than one addr= entry, the most specific addr= entry will be used (eg. the one defining the smallest range of IP addresses), or if more than one matching addr= entry has the same highest degree of specificity, the first entry will be used. To specify a single IP address, code the same address in the "fromip" and "toip" fields. The "ctl" field specifies the encryption requirements for the IP addresses matching this addr= record. The following values are valid: 0 - IP address not allowed 1 - Encryption not allowed 2 - Encryption not allowed, ID required 3 - Encryption optional 4 - Encryption optional, ID required 5 - Encryption required (either preferred or alternate modes) 6 - Encryption required (preferred only) allotheraddr=ctl ---------------- If an incoming IP address does not match any addr= entry, the ctl value specified in the allotheraddr= parameter will be used. This parameter is optional, and if omitted, "allotheraddr=0" will be defaulted. Sample Database File ==================== [global] preflimit=2 ;Preference tags "0"-"2" are preferred sharedsecret=foobar [user] id=fred password=secret profile=general overrides="userid=fsmith,password=kipling" ;LU6.2 signon data [user] id=anna password=tennis profile=general classes=c,d,e ;Anna can access additional transactions [user] id=sally password=blitzen profile=accounting [profile] profile=general addr=10.0.0.0,10.255.255.255,3 ;Encryption optional for internal users addr=0.0.0.0,255.255.255.255,5 ;Encryption required for all other users overrides="userdata=gen" ;Passed to MF app for "general" users [profile] profile=accounting addr=10.0.0.0,10.255.255.255,3 ;Encryption optional for internal users addr=196.9.12.0,196.9.15.255,6 ;Encryption req'd for extranet #1 users addr=200.1.2.0,200.1.2.255,6 ;Encryption req'd for extranet #2 users allotheraddr=0 ;Other IP addresses not allowed classes=b ;"Accounting" users may also access ; class "B" transactions. overrides="userdata=acct" ;Passed to MF app for "accounting" users [profile] profile=<default> allotheraddr=0 ;No access allowed via default profile
| << Previous Page | Next Page >> |
