manualshive.com logo in svg

Sony Trinitron WEGA KV-DZ29M91, Service Manual, Page: 102 / 170

Share
Download
Sony Trinitron WEGA KV-DZ29M91 Service Manual Download Page 102

XYGATE

®

 Data Protection

 Reference Manual       

Appendix B: The DPACL File 

XYPRO Technology Corporation 

82

 

Proprietary and Confidential 

B3: 

Limits on DPACL Entries 

The DPACL file has limits on the amount of data that can be specified in the file. These 
limits are shown in the following output using the STATS command. 

$SYSTEM XYGATEDP 303> r

un xygatedp stats

 

XYGATEDP XYPRO Technology Corporation \N1       20991231 
DPCONF CHECKSUM 1747268874 ($SYSTEM.XYGATEDP.DPCONF) 
DPACL CHECKSUM 925902685 ($SYSTEM.XYGATEDP.dpacl) 
No syntax errors found 
No syntax warnings found 
 
Table         Current    Limit  Entry-size  Space-used 
ACL Groups          1      200          38          38 
ACL IDs             3    32766          54         162 
Access Vectors      3    32766           2           6 
Masks               6    10000         138         828 
Requestors          6     1000         170        1020 
DP Groups           1     1000         198         198 
Audits              3        9         288         864 
Segment           3MB    100MB                 3860880 

B4: 

ACL 

To establish access rules, you must define the users who will have access to the 
objects defined by the selection criteria for the DPGroup and grant them the necessary 
access authorities. 

Syntax:  

ACL <user specification> <operation permission> 

Example 1 below gives ENCRYPT,DECYPT privileges to everyone. 

Example 1: 

ACL $EVERYONE  ENCRYPT,DECRYPT 

To DENY an operation, specify it within parenthesis. 

Example 2 below denies DECRYPT privilege to user QA.TEST. 

Example 2: 

ACL QA.TEST (DENY DECRYPT) 

PROCESS_AS_ACL 

Use PROCESS_AS_ACL when the access rule you have created in a particular 
DPGroup is the final word. Users will be granted or denied access based on the ACL 
of the first DPGroup to match the selection criteria of the request. XDP will not 
continue searching for other matches. 

Important!

  PROCESS_AS_RULE and PROCESS_AS_ACL are mutually exclusive. 

They cannot be used in the same DPGroup. 

Summary of Contents for Trinitron WEGA KV-DZ29M91

Page 1: ...DP optimizes HPE SecureData for NonStop environments It supports implementation within applications that cannot be changed via its Intercept Library It also greatly simplifies the two SecureData APIs and provides support for all NonStop applications and OS environments including native and non native executables and both Guardian and OSS XYGATE Data Protection Reference Manual ...

Page 2: ......

Page 3: ...ts and services Nothing herein should be construed as constituting an additional warranty Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein Copyright 2016 XYPRO Technology Corporation All rights reserved This document as well as the software described in it is furnished under a License Agreement or Non disclosure Agreement The software m...

Page 4: ...items R through U for sort order CUSTOM in 6 2 14 added 6 3 XDP Audit Record Format show additional values for specifying sort order of CUSTOM and for operation option to indicate ENCRYPT DECRYPT in App C2 XDP_AUDIT_REPORT added App C5 XDP_CREATE_ENFORM and App C6 XDP_CREATE_SQLCI updated App C13 XDP_LIB_INSTALL added App C17 XDP_LIST_SEGMENT added App C21 XDP_MODIFY_SEGMENT updated App D1 Table o...

Page 5: ...nstall XDP 3 1 2 2 Creating the OSS Voltage Server 4 1 2 3 Completing the XDP Installation 5 1 3 Installing the XDP Voltage Library 5 1 4 Uninstalling XDP Using the Host UNINSTALL Macro 6 1 5 Managing the XYGATE License 6 1 5 1 Checking the Status of the Current License 6 1 5 2 Using the Host INSTALL Macro for License Maintenance 7 Chapter 2 Configuring XDP 9 2 1 The DPCONF File 9 2 2 The DPCONFAP...

Page 6: ...ue 22 5 1 1 XDP I O Architecture 23 5 2 Deciding on the Calling Order of the Intercept Libraries 23 5 2 1 If you want XDP s procedures to be called first 23 5 2 2 If you want your Application s Procedures to be Called First 24 5 3 Attaching XDP Library Code to Existing Object Code 800 Run Time Libraries or Programs 24 5 4 Manually Combining Application Libraries with XDP Libraries when Procedure N...

Page 7: ...ser specified title 43 6 2 17 V Display OSS PATHNAME 43 6 2 18 X Exit the report macro 44 6 2 19 Z Run the audit report 44 6 2 20 ZP Run the audit report and go into PERUSE 44 6 3 XDP Audit Record Format 45 Chapter 7 What if Testing 49 7 1 Testing Access Rules in Warning Mode 49 7 2 Auditing in Warning Mode 51 7 3 Generating Reports in Warning Mode 52 7 4 Operation 52 7 5 Object Type 52 7 6 Object...

Page 8: ...NONPROT_FILE_ACCESS 71 A9 AUDIT_NORECORD 71 A10 AUDIT_WARNING_FAIL 71 A11 AUDIT_WARNING_PASS 72 A12 BACKUPCPU 72 A13 COLLECTOR 73 A14 COMPANY_NAME 73 A15 DO_TRANSACTION_TIMING 73 A16 ENCRAUTHPARAMS 74 A17 ENCRMETHOD 74 A18 ENCRSERVICE 75 A19 ENCRYPT_SEND_TIMEOUT 76 A20 EXPLAIN_LOG 76 A21 HOMETERM 77 A22 MACRO_NAME 77 A23 PERUSE_OBJECT 77 A24 PRIORITY 78 A25 TRANSLATE_ERROR_CODES_TO_100 78 A26 VOLT...

Page 9: ... MASK 88 B16 MIXED_RECORD_IDENTIFIER 89 B17 OPERATION 89 B18 REQUESTOR 90 B19 RESULT_NORECORD 90 B20 TRACE 90 B21 WRITETHRUXDPERROR 91 Appendix C XDP Host Macros 93 C1 XDPHELP 93 C2 XDP_AUDIT_REPORT 96 C3 XDP_BOUNCE 99 C4 XDP_COMPILE 99 C5 XDP_CREATE_ENFORM 100 C6 XDP_CREATE_SQLCI 100 C7 XDP_DATETIME_MAKE 101 C8 XDP_EDIT_ACL 102 C9 XDP_EXPLAIN 103 C10 XDP_EXPLAIN_ON OFF 104 C11 XDP_FINISH_INSTALL ...

Page 10: ..._AUDIT 113 C28 XDP_SHUTDOWN 113 C29 XDP_START 114 C30 XDP_STATUS 114 C31 XDP_STOP 114 C32 XDP_SYNTAX_CHECK 115 C33 XDP_TEST_CONNECT 116 C34 XDP_UNINSTALL 118 C35 XDP_UPDATE_ACL 119 C36 XDP_VERSION 119 C37 XDP_VOLUME 120 Appendix D XDP Error Codes 121 D1 Table of XDP Error Codes 121 Appendix E XDP API Procedures 129 E1 __XYPRO_ENCR_MEMBLK_SIZE 129 E2 __XYPRO_ENCR_SEND_BUF_SIZE 129 E3 __XYPRO_ENCR_I...

Page 11: ...chnology Corporation xi Proprietary and Confidential E9 __XYPRO_ENCR_SEND_TO_ENCR_SRV 139 E10 __XYPRO_ENCR_IO_COMPLETED 141 E11 __XYPRO_ENCR_GET_ENCRYPT_DATA 143 E12 __XYPRO_ENCR_GET_LAST_RQ_TIME 144 E13 __XYPRO_ENCR_IS_EXT_PROVIDER 145 Glossary 147 Index 149 ...

Page 12: ...XYGATE Data Protection Reference Manual Contents XYPRO Technology Corporation xii Proprietary and Confidential ...

Page 13: ... Maintain As with all members of the XYGATE security family XDP supports user profiles that is ACLGroups This permits users and aliases to be grouped by function making the manipulation of a user in the XDP system a single operation rather than the modification of multiple records Easy Definition of Files and Groups of Files Encryption definitions for files are defined by creating FILEDEFs in the ...

Page 14: ...ts that have different options in the parameter files and it is also possible to define custom encryption methods on the Voltage key server All encryption methods must be registered in the DPCONF file and then they can be referenced in your FILEDEFs XDP currently supports up to 25 encryption methods COBOL85 Support Non CRE COBOL85 programs are fully supported without having to bind in the full COB...

Page 15: ... along with any output parameters XYGATE Data Protection XDP Architecture The following diagram shows the major components of XYGATEDP and its relationship with the Voltage Key Server Starting in the top left corner there is an application that has the XDP Run Time Library RTL attached All of the Guardian I O calls that the application makes are intercepted by the XDP RTL The XDP RTL accesses the ...

Page 16: ...ponents DPACL File This is an edit file that contains security and encryption settings for the application files that are being protected by XDP There are three different types of groups in the DPACL file ACLGroups DPGroups and ENCRYPTION_Groups DPCONF File This is an edit file that configures global values and is kept in the same volume and subvolume as the XYGATEDP object file The DPCONF file co...

Page 17: ... and DPCONF files These are edit files that are similar in concept and purpose to the xxACL and xxCONF files found in other XYGATE products Refer to Chapter 2 Configuring XDP for more information about the configuration procedures What s New in this Manual The following is a summary of documentation revisions or updates and new features where applicable Refer to the softdoc for detailed informatio...

Page 18: ...tax of a function is stated as RUN vol subvol XMA INSTALL and vol subvol on your system is equal to SYSTEM XYGATEMA then the actual command will be as follows RUN SYSTEM XYGATEMA XMA INSTALL Brackets Brackets enclose optional syntax items For example TERM system name terminal name INT ERRUPTS A group of items enclosed in brackets is a list from which you can choose one item or none The items in th...

Page 19: ...be entered as shown For example error NEXTFILENAME file name LISTOPENS SU process name su name Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must enter as shown For example repetition constant list Item Spacing Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma Fo...

Page 20: ...XYGATE Data Protection Reference Manual Introduction XYPRO Technology Corporation xx Proprietary and Confidential ...

Page 21: ...tage SST then that requires additional setup steps For instructions on how to set up Voltage SST refer to Chapter 4 Setting up Tokenization in XDP SSL certificates are required for the HPE NonStop system to communicate with the Voltage SecureData Management console Refer to the section SSL Certificates Overview in the Voltage SecureData Administrator Guide for more information about SSL certificat...

Page 22: ...prise Clients HPE SecureData SimpleAPI HPE Nonstop API v4 3 API HP Nonstop Download voltage simple api c 4 3 0 NonStop OSS NSX D 32b r185596 sh gz for X86 based systems or voltage simple api c 4 3 0 NonStop OSS NSE A 32b r185596 sh gz for Itanium based systems This API installs in the OSS environment We suggest installing the API to the usr local voltage directory Please note your install volume a...

Page 23: ... of the license file named IP64F001 into the WORK ZXYPRODP subvolume before beginning the installation WORK ZXYPRODP FUP DUP license loc P99F001 IP64F001 SOURCEDATE To begin installing XDP login with a Security Administrator userid and enter the following at the TACL prompt DATA SECURITY 1 VOLUME WORK ZXYPRODP When you run the INSTALL macro for the initial installation or a subsequent upgrade you ...

Page 24: ...stem That is where the VOLTAGE library is usually located Existing VOLTAGE Library location vol subvol SYSTEM VOLTSDK What do you want to call the XYGATE audit file AUDIT Do you want XYGATEDP to audit to EMS N Spool Collector S Company Name XYPRO Technology Corporation What is the name of the TCP IP process ZTC2 VOLTAGE library location SYSTEM VOLTLIB XYGATEDP volume SYSTEM 1 2 2 Creating the OSS ...

Page 25: ...alls the XDP_FINISH_INSTALL macro will also bounce the XYGATEDP monitor process if it is running during the installation 1 3 Installing the XDP Voltage Library The XDP Voltage library is named XDPVTnnn where nnn is the XDP version number During the XDP installation the INSTALL macro asks for the Volume Subvolume location of the Voltage library file LIBVPHOS You will need to know the location of yo...

Page 26: ...me the macro leaves XDPVTnnn alone If LIBVPHOS is older the macro leaves XDPVTnnn alone If you wish to replace XDPVTnnn even if LIBVPHOS is older you will have to do this manually To do this purge or rename XDPVTnnn and then run the XDP_FINISH_INSTALL macro as described above starting with step 1 Once XDPVTnnn is installed the first time run the XDP_FINISH_INSTALL macro again only when a new Volta...

Page 27: ...opment Company L P 1 5 2 Using the Host INSTALL Macro for License Maintenance XYGATE modules are licensed for a specific amount of time To check your current license expiration date use the XDP_VERSION macro described above at the beginning of this section SYSTEM XYGATEDP 4 XDP_VERSION To install a new license you must first install the updated license file IP64F001 in your main installation subvo...

Page 28: ...XYGATE Data Protection Reference Manual Chapter 1 Installing XDP XYPRO Technology Corporation 8 Proprietary and Confidential ...

Page 29: ...DP Furthermore it prevents applications and XDP macros from inadvertently accessing other XDP instances that can exist on a system The macro name in the DPAPCONF file matches the process name of the XYGATEDP process and the XDP Pathway process that were chosen during the install process If different XDP installations exist on a system it is possible that data encrypted by one XDP installation cann...

Page 30: ... the installation of an XDP library from another XDP installation location EXAMPLE of the DPCONFAP file Do not modify this file DP_INSTALLATION VNEO2 XYGATEDP MACRO_NAME LDP 2 3 The DPACL File The default DPACL file is empty There is a DPACLSAM file that contains many sample rules You can copy any or all of these rules into your DPACL file Use them as models to build your own rules or rename the s...

Page 31: ...unctionality and because of this XYPRO suggests that locally defined encryption formats not be created or used Many of the settings in the meth file exist only to support locally defined encryption formats Support for the meth files will be removed in a future release of XYGATEDP because of the deprecation of these formats by Voltage 2 5 Configure for Non PAN Data Encryption This section explains ...

Page 32: ...mpile the CONF Files The DPCONF and DPACL files have to be compiled after updating The macro XDP_COMPILE performs this task There are two binary files produced by a successful compile and load that are named DPCNF ver and DPCNB ver You can also see a transient DPCNS ver file and a transient DPSTG ver file that will exist after the configuration is compiled but before it is loaded into XYGATEDP Ref...

Page 33: ...it file doesn t match the value in the template application Init file Note the following about the two above messages The application Init file is application loc DPCONFAP The template application Init file is xygatedp loc DPCONFAP The macro is the value to the right of the keyword macro_name in each of these files The install location refers to the XYGATEDP installation location The XDP library c...

Page 34: ... messages and you know that the XDP library is currently installed in that location then a Uninstall the XDP library from each application b Purge application loc DPCONFAP c Install the XDP library into the application 3 1 1 Application Init File The DPCONFAP file prevents multiple applications in the same location from referencing different XYGATEDP installations This could cause an application t...

Page 35: ... uninstalled the application loc DPCONFAP file must be manually purged to allow the installation of a XDP library from a different XYGATEDP installation location or to allow the installation of a XDP library from a XYGATDP installation with a macro name different from the value used for the prior XDP library installation The application loc DPCONFAP file must be purged manually because there is no...

Page 36: ...MODE is set to OFF XDPENCR will run in interactive mode This program will allow you to encrypt a file for XDP use or it will allow you to unencrypt a previously encrypted file Enter E to encrypt D to decrypt or press ENTER to exit e Please enter the input file name or press ENTER to quit SYSTEM xdpdata testin The input file is entry sequenced The only option is to process this file sequentially En...

Page 37: ...ata Protection Settings Overview section Once you have configured and enabled SST on the Voltage SecureData Management console and you have created the field encryption formats that you wish to use in your application you are ready to configure XDP to use the SST technology 4 2 Enabling Voltage SST in XDP Enabling tokenization on the Voltage SecureData Management console will produce a very large ...

Page 38: ...lamation point similar to the following ENCRMETHOD VOLTAGE TOKEN DISC XYGATEDP TOKMETH This line configures an encryption method called TOKEN in XDP and is provided as a sample for creating your own Voltage SST encryption formats Remove the exclamation point at the beginning of the line Next edit the TOKMETH file and make changes to the lines described in the following subsections 4 3 1 ENCRYPTION...

Page 39: ...nization encryption method then you will have to make an individual copy of the TOKMETH file for each method you have defined Be sure to edit each configuration file and change the METHODNAME line to match the associated encryption method name you used 4 3 6 ENCRMETHOD You will also have to add an ENCRMETHOD line to the DPCONF file for each encryption method you have defined For example ENCRMETHOD...

Page 40: ...the Voltage SecureData Management console perform the following procedure 1 Access the Voltage SecureData Management console and roll the Voltage SST encryption key 2 Produce the Voltage SST data file on the Voltage SecureData Management console 3 Rename the Voltage SST data file on the HPE NonStop system 4 Upload the Voltage SST data file to the HPE NonStop system using the same name as before 5 ...

Page 41: ...ndors that most likely intercept the same procedures that XDP needs to intercept The macro that is supplied with XDP to attach the XDP library code to application programs is able to combine the XDP run time library with certain other well known intercept libraries such as the Oracle GoldenGate replication library This creates a new run time library that can then be attached to the application pro...

Page 42: ...ou want to combine multiple intercept libraries you will most likely have a procedure name conflict This occurs because the intercept libraries probably try to intercept the same Guardian procedures The library attaching macro detects this condition and emits an appropriate error message To resolve this issue you must decide the order in which the application needs to call the procedures and then ...

Page 43: ...cedures are called first that means that all downstream procedure calls after XDP s procedures will receive encrypted data Depending on your data processing requirements this may or may not be desirable If the non XDP intercept library s require unencrypted data to be passed to them those procedures must be called first and the XDP procedures must be called second 5 2 Deciding on the Calling Order...

Page 44: ...dure calling order 5 3 Attaching XDP Library Code to Existing Object Code 800 Run Time Libraries or Programs Object code 100 objects can be an executable with a MAIN procedure or they can be a library without a MAIN procedure In either case the objects can be freely combined with other object code 100 files using binder Object code 800 objects can either be link files or load files Link files can ...

Page 45: ...e libraries so that the XDP procedures are called first For commercial products such as Oracle GoldenGate software and other supported intercept libraries use the supplied macros described in Appendix C that come with XDP for this purpose 5 4 1 Sample Bind Script when the XDP Library Procedures will come First Object Code 100 Programs Bind is used for object code 100 files The application s object...

Page 46: ...ncryption engine in the library directly without needing an external Pathway server Otherwise the two libraries are identical For our example we will use XDP8EXT The first set of commands renames the application s WRITEX procedure to be __XYPRO_WRITEX and then builds tmpapplb a temporary library This is an example of a TACL OBEY file for ELD eld r o tmpapplb applib rename WRITEX __XYPRO_WRITEX Not...

Page 47: ...cepts Any application procedure with a name in the left column will conflict with the XDP intercepted procedure Table 2 Guardian Procedures Intercepted by XDP XDP Intercepts these procedures And Invokes this procedure name AWAITIO __XYPRO_AWAITIO AWAITIOX __XYPRO_AWAITIOX AWAITIOXL __XYPRO_AWAITIOXL C85LIB_CLOSE_ __XYPRO_C85LIB_CLOSE_ C85LIB_DELETE_ __XYPRO_C85LIB_DELETE_ C85LIB_OPEN_ __XYPRO_C85L...

Page 48: ... __XYPRO_FILE_CONTROLBUF64_ FILE_GETINFO_ __XYPRO_FILE_GETINFO_ FILE_GETINFOLIST_ __XYPRO_FILE_GETINFOLIST_ FILE_LOCKFILE64_ __XYPRO_FILE_LOCKFILE64_ FILE_LOCKREC64_ __XYPRO_FILE_LOCKREC64_ FILE_OPEN_ __XYPRO_FILE_OPEN_ FILE_READ64_ __XYPRO_FILE_READ64_ FILE_READLOCK64_ __XYPRO_FILE_READLOCK64_ FILE_READUPDATE64_ __XYPRO_FILE_READUPD64_ FILE_READUPDATELOCK64_ __XYPRO_FILE_READUPDLOCK64_ FILE_SETKE...

Page 49: ...TELOCK READUPDATELOCKX __XYPRO_READUPDATELOCKX READUPDATEX __XYPRO_READUPDATEX READUPDATEXL __XYPRO_READUPDATEXL READX __XYPRO_READX REPLYX __XYPRO_REPLYX REPLYXL __XYPRO_REPLYXL SETMODENOWAIT __XYPRO_SETMODENOWAIT SETPARAM __XYPRO_SETPARAM UNLOCKFILE __XYPRO_UNLOCKFILE UNLOCKREC __XYPRO_UNLOCKREC WRITE __XYPRO_WRITE WRITEREADX __XYPRO_WRITEREADX WRITEUPDATE __XYPRO_WRITEUPDATE WRITEUPDATEUNLOCK _...

Page 50: ...XYGATE Data Protection Reference Manual Chapter 5 Resolving Issues that can Occur when Installing the XDP Library XYPRO Technology Corporation 30 Proprietary and Confidential ...

Page 51: ...ed in the DPCONF file If a filename is defined and does not exist XDP will create it with the following default parameters TYPE E EXT 300 300 16 REC 4000 BLOCK 4096 You can specify different EXTents in your DPCONF file as described in Appendix A3 AUDIT Filename on page 67 6 1 2 Diskfile Audit Trails If a diskfile name is specified for the AUDIT and no diskfile exists the file is created with the d...

Page 52: ...re XDP to audit to EMS and the CONSOLE AUDIT 0 EMS CONSOLEPRINT Refer to the AUDIT Process Name or Device in Appendix A4 on page 68 for more examples 6 1 4 IP Audit Trails Any one of the nine available AUDIT positions can be defined as an IP address This section deals with the IP address form of the AUDIT specification Note There is no error checking available on an IP port write In order to facil...

Page 53: ...G DP Group H Object Name I Result All S F N ALL J Production Test results None K Warning Non warning results None L Comment contains M Suppress comments No N Output file S XYGATE XDPSEC O Sort order OBJECT P Operation Q User specified title V Display OSS PATHNAME No X Exit the report macro Z Run the audit report ZP Run the audit report and go into PERUSE and return here Hit Break or Control Y to t...

Page 54: ...ing audit files to report from SYSTEM XYGATEDP CODE EOF LAST MODIFIED OWNER RWEP PExt SExt AUD00001 3333 65536 14NOV2013 11 18 232 44 NUUU 2 2 SYSTEM XYGATEDP CODE EOF LAST MODIFIED OWNER RWEP PExt SExt AUDIT O 3333 12288 14NOV2013 16 58 232 44 NUUU 2 2 Name of audit log SYSTEM XYGATEDP AUDIT 6 2 2 B Report date range You can limit the XYGATEDP report to a selected time period Enter the start from...

Page 55: ...rd a userid or login name to include in the report enter D Selection D Enter case sensitive Login Names separated by commas A leading on a Login Name will match any Login Names that contain the specified string A trailing will match any Login Names that start with the specified string The NOT keyword can be used login name list NOT login name list Login name Example 3 shows that if you put an aste...

Page 56: ...he XDP_REPORT macro You can enter a valid node name or an asterisk to include all nodes If you enter a portion of a node name all nodes containing the entry will be included in the report For example if you enter DAT any nodes containing those letters such as DATA1 EXDAT etc where users accessing the local node were authenticated will be included in the report To select the subject node s you want...

Page 57: ...up XDP will include any DP Groups containing the string you have entered in the report as in 1a below Example 1a DP GROUP FOGROUP finds all Object Groups containing FOGROUP POGROUP TEST finds all Object Groups containing POGROUP TEST If you put an asterisk at the end of a string representing a DP Group XDP will include any object groups that begin with the string you have entered in the report Exa...

Page 58: ...de any object groups containing the string you have entered in the report Example 1a OBJECT NAME DATAA QA finds all Object Names containing DATAA QA If you put an asterisk at the end of a string representing an object name XDP will include any object names that begin with the string you have entered in the report Example 1b OBJECT NAME DATAA finds all Object Names starting with DATAA If you enter ...

Page 59: ... generated by a Test What if by Production or both types of audits To select the type of audit select J Selection J Do you want to include Test results T Production results P or Both B types of results Type of results T P B Both B Valid entries are T Include audit entries generated by the What if program Test results can include WARNING messages P Include audit entries generated by the Production ...

Page 60: ... name Object SYSTEM XDPDATA TESTIN Group BASE24 2014 08 18 14 47 53 F Y Y ENCRYPT 232 44 QA TST DPGROUP BASE24 Warning mode ACCESS NORECORD SYSTEM XDPDATA TESTIN 2014 08 18 14 48 34 F N Y ENCRYPT 232 44 QA TST DPGROUP BASE24 ACCESS NO SYSTEM XDPDATA TESTIN XYPRO Technology Corporation N1 Data Protec Date produced 18 AUG 2014 14 52 Criteria 2014 08 18 00 00 to 2014 08 18 23 59 Test Y File SYSTEM XY...

Page 61: ...le The XDP_REPORT macro puts a job in the spooler called S XYGATE XDPSEC To change the spooler location select N Selection N Output file S XYGATE XDPSEC S HP1 LP 6 2 14 O Sort order You can choose the report format that best suits your needs XDP comes with the following sort options USER Audit entries are grouped by Userid LOGINNAME Audit entries are grouped by Login Name TIME Audit entries appear...

Page 62: ...election R Enter a comma separated list of columns to display on the report You may enter a to see the list of available columns Custom columns If you respond you are shown the following options Custom columns By entering after the prompt as shown you will see the available custom columns The available columns are DATE TIME SUBJECT GROUP NUMBER SUBJECT USER NUMBER SUBJECT LOGIN NAME SUBJECT SYSTEM...

Page 63: ...eration list NOT operation list A will display a list of common operations Operation ENCRYPT DECRYPT Enter operation names separated by commas The NOT keyword can be used operation list NOT operation list A will display a list of common operations Operation 6 2 16 Q User specified title You can specify a title to display in your report To enter a title select Q and enter your title at the prompt S...

Page 64: ...n the ENFORM run If an error occurs the entire ENFORM run will be displayed If D is specified the entire ENFORM run will be displayed even if there are no errors 6 2 20 ZP Run the audit report and go into PERUSE When you select ZP to create the report XDP will generate the report and put you directly into PERUSE When you have examined printed or written the report to an edit file and typed EXIT yo...

Page 65: ... Break or Control Y to terminate Selection To CLOSE the Report Selection screen type X press break to return to your TACL prompt 6 3 XDP Audit Record Format The following fields constitute the audit record format 02 date time data 03 year PIC 9 4 03 FILLER PIC X 1 03 month PIC 9 2 03 FILLER PIC X 1 03 day PIC 9 2 03 FILLER PIC X 1 03 hour PIC 9 2 03 FILLER PIC X 1 03 minute PIC 9 2 03 FILLER PIC X...

Page 66: ... and object type 0 represents some kind of startup event tagged with INTERNAL AUDIT in the object group 02 REQUEST TYPE PIC X 12 The operation requested such as ENCRYPT DECRYPT ENCRYPTDECRYPT 02 OPERATION PIC 9 3 The numeric code for the operation requested 02 MODIFIER PIC 9 3 There are 5 modifiers 0 means that no modifier is associated with the event 1 means an event associated with an encrypt de...

Page 67: ...PIC X 36 The process descriptor of the process for which the access ruling is being made 02 REQUESTOR OBJECT PIC X 36 The object file of the process performing the access request 02 REQUESTOR NAME PIC X 16 The name of the process requesting the operation 02 SEQUENCE NUMBER PIC 9 6 The sequence number of the XOS access ruling operation 02 RESULT PIC 9 2 The ruling generated by XDP based on the DPGr...

Page 68: ...XYGATE Data Protection Reference Manual Chapter 6 XDP Auditing and Audit Reports XYPRO Technology Corporation 48 Proprietary and Confidential ...

Page 69: ...s set to ON and the individual groups in the DPACL file have the keyword WARNING_MODE set to OFF then XDP will turn all the results to NORECORD because the DPCONF keyword is global If the DPCONF keyword WARNING_MODE is set to ON and the individual entries in the DPACL keyword have WARNING_MODE also set to OFF then the DPACL keyword takes precedence over DPCONF keyword When XDP is in warning mode e...

Page 70: ...is conversion can distort expected results when testing is occurring Example 1 Testing Access Rules SYSTEM XYGATEDP 177 run xygatedp explain XYGATEDP XYPRO Technology Corporation N1 20991231 DPCONF CHECKSUM 1750165851 SYSTEM XYGATEDP DPCONF DPACL CHECKSUM 1613910580 SYSTEM XYGATEDP dpacl Explain mode on Access check encrypt encryptedfile SYSTEM xdptest encrfile SYSTEM XYGATEDP wr qatstsw mgr Objec...

Page 71: ... Access result NO using DPGROUP GUARDIAN 7 2 Auditing in Warning Mode If WARNING_MODE is set to ON all access attempts are granted by XDP but accesses that would be denied if the rules were enforced are flagged with a warning message in the audit log which also indicates the rule that would have denied the access If the user has the required authority XDP allows the requested access and checks the...

Page 72: ...encryptedfile SYSTEM xdpdata testin SYSTEM XYGATEDP xdpencr Access result YES using DPGROUP BASE24 Access check Example 2 How to test the DECRYPT operation on a file Access check decrypt encryptedfile SYSTEM xdpdata infile SYSTEM XYGATEDP xdpencr Access result YES using DPGROUP BASE24 Access check Example 3 How to test the ENCRYPTDECRYPT operation on a file Access check encryptdecrypt encryptedfil...

Page 73: ...ing DPGROUP GUARDIAN Access check Example 2 Testing Requestor in what if mode SYSTEM XYGATEDP Run xygatedp access Access check encrypt encryptedfile oss xdptest cardfile users tst xdp abc Access result YES using DPGROUP OSS 7 8 User The userid or alias making the requested operation Wildcarded users are not allowed USER Syntax node node group user alias node alias The user is requesting the operat...

Page 74: ...FILE SYSTEM XDPDATA TESTIN SYSTEM XYGATEDP XDPENCR 20 XDP Error Invalid user specified 7 9 How to Predict a Result and DPGroup If the expected result or group is specified on one or more Access or What if queries then when the program terminates a message will be displayed showing how many unexpected results occurred If all are matched then XDP returns No unexpected results This allows you to run ...

Page 75: ...cess check EXIT 4 unexpected results 3 command errors 7 10 How to Run What if Using Input and Output Files In the input file the user can specify multiple queries and feed them to XDP The output can be sent to the screen an edit file or to the spooler You can include comments in the input file the comment character is a pair of equal signs The input and output files allow you to test in a batch mo...

Page 76: ...test encrfile SYSTEM XYGATEDP wr qatsts Objecttype 00098 ENCRYPTEDFILE for SYSTEM XDPTEST ENCRFILE Operation 00312 OPEN Modifier 00002 ENCRYPT Subject 183 255 QATSTSW MGR Requestor NONE SYSTEM XYGATEDP WR DPGROUP GUARDIAN Requestor 00003 matched SYSTEM XYGATEDP DPGROUP GUARDIAN Mask 00001 matched SYSTEM XDPTEST ENCRFILE DPGROUP GUARDIAN Selection criteria satisfied DPGROUP GUARDIAN User 002 access...

Page 77: ...fault AUDIT is ON Syntax AUDIT ON OFF TEST Example How to turn off auditing when doing What ifs SYSTEM XYGATEDP 73 run xygatedp explain XYGATEDP XYPRO Technology Corporation N1 20991231 DPCONF CHECKSUM 1750165851 SYSTEM XYGATEDP DPCONF DPACL CHECKSUM 1043931211 SYSTEM XYGATEDP dpacl Explain mode on Access check audit off Turning off audits Access check If you turn off AUDIT then auditing will not ...

Page 78: ...1 DPCONF CHECKSUM 1750165851 SYSTEM XYGATEDP DPCONF DPACL CHECKSUM 1043931211 SYSTEM XYGATEDP dpacl Explain mode on Access check COMMENT Testing DPGROUP BASE24 Access check 7 11 3 EXIT This command exits from XOS when running in ACCESS EXPLAIN mode Syntax EXIT Example How to exit What if testing Access check EXIT SYSTEM XYGATEDP 20 7 11 4 EXPLAIN This command puts XDP Access into EXPLAIN mode whic...

Page 79: ...RD Replying with access NORECORD Access result NORECORD using DPGROUP NO GROUP FOUND 7 11 5 FC XDP What if testing includes full FC functionality The FC command allows you to recall correct or change and re execute a previous command There are four ways to recall a command line To recall the command on the previous line enter only FC To recall a command on a specific line enter FC and the line num...

Page 80: ...red or respected REPEAT count Repeats a command count times and gives performance stats fc history command FC history processing is implemented operation objecttype objectname requestor user result group operation ENCRYPT DECRYPT ENCRYPTDECRYPT objecttype ENCRYPTEDFILE objectname Any Tandem filename non network name requestor object filename process name Default is NONE NONE NONE NONE if omitted o...

Page 81: ...warning mode Access check encrypt encryptedfile SYSTEM xdptest encrfile SYSTEM XYGATEDP wr qatstsw mgr Objecttype 00098 ENCRYPTEDFILE for SYSTEM XDPTEST ENCRFILE Operation 00312 OPEN Modifier 00002 ENCRYPT Subject 183 255 QATSTSW MGR Requestor NONE SYSTEM XYGATEDP WR DPGROUP GUARDIAN Requestor 00003 matched SYSTEM XYGATEDP DPGROUP GUARDIAN Mask 00001 matched SYSTEM XDPTEST ENCRFILE DPGROUP GUARDIA...

Page 82: ...eria satisfied DPGROUP GUARDIAN User 001 access 001 found DPGROUP GUARDIAN Access YES DPGROUP GUARDIAN Result converted to NORECORD due to warning mode DPGROUP GUARDIAN Replying with access NORECORD Objecttype 00098 ENCRYPTEDFILE for SYSTEM XDPTEST ENCRFILE Operation 00312 OPEN Modifier 00002 ENCRYPT Subject 232 044 QA TST Requestor NONE SYSTEM XYGATEDP WR DPGROUP GUARDIAN Requestor 00003 matched ...

Page 83: ...ACL file takes precedence over the DPCONF file Refer to Appendix B The DPACL File starting on page 79 A1 The DPCONF File Keywords The DPCONF file can contain one or more of the following keywords AUDIT filename EXT pri sec max NO_ROLL_MSGS AUDIT process name CONSOLEPRINT EMS AUDIT IP process name IP address port SYSLOG_PREFIX 134 normal text SYSLOG_CRITICAL_PREFIX 130 critical text AUDIT_ACCESS_FA...

Page 84: ...ine controls how many seconds XDP will wait for a send to an encryption server to complete before it times out A value of 0 disables timeouts The value is in seconds and it must be 0 no timeout or 5 Be careful not to set this value too low or the application will experience more timeout errors error 362 s on I O calls ENCRYPT_SEND_TIMEOUT 60 The next line controls whether the transaction timing lo...

Page 85: ... method that FPE uses on the Voltage mgmt console and that method uses a different value other than 6 digits for the leading unencrypted digit count then the leading unencrypted digit count here should be adjusted to match ENCRMETHOD VOLTAGE FPE CC6 SYSTEM XYGATEDP FPEMETH The TOKEN encryption value is commented out It can t be used until the SST token file has been uploaded from the Voltage serve...

Page 86: ...e refer to the Voltage documentation for additional information The next parameter is the common name ENCRAUTHPARAMS VOLTAGE host skyblue voltage com The next parameter is the host name ENCRAUTHPARAMS VOLTAGE skyblue voltage com The next parameter is the URL of the client policy file on the Voltage key server ENCRAUTHPARAMS VOLTAGE https voltage pp 0000 skyblue voltage com policy clientPolicy xml ...

Page 87: ... 1 How to configure XDP to audit to a diskfile AUDIT SECURE XDPAUDIT XDPAUDIT The size of an audit trail can be controlled using the EXT x x x options Example 2 below will set the XYGATEDP audit trail primary and secondary extents to 302 and the max extents to 17 Example 2 How to control XDP audit trail size AUDIT SYSTEM XYGATEDP AUDIT EXT 302 302 17 If any of the diskfiles specified using the AUD...

Page 88: ...ax AUDIT process name CONSOLEPRINT EMS CONSOLEPRINT The optional CONSOLEPRINT sub keyword causes the text TOKEN of messages that are logged to a collector to also print on the console Example 1 How to configure XDP to audit to the CONSOLE AUDIT 0 CONSOLEPRINT Example 1 above will send XDP audits to the console Please note that the text TOKENs are limited to 128 characters EMS The optional EMS sub ...

Page 89: ...e required normal text A free form text string that you want to prepend to the front of the message angle brackets are not required Note Both the 134 and the message string must be enclosed by double quotation marks In the example below XDP prefixed all the allowed operations with the text DP DP 2014 01 09 11 02 37 046880232044QA TST N1 2 109083XDP INTERNAL 00LOADACL 000000NN INTERNAL AUDIT VHS N1...

Page 90: ... audited If OFF denied access attempts will not be audited The default value is OFF Note This value is set in the DPCONF file during installation but can be overridden by individual DPGroup entries in the DPACL file A7 AUDIT_ACCESS_PASS This keyword determines whether or not XDP will write successful access attempts to the XDP audit logs Syntax AUDIT_ACCESS_PASS ON OFF If ON successful access atte...

Page 91: ... be audited If OFF No Record results will not be audited The default value is OFF Note This is a global setting that cannot be overridden by entries in the DPACL file there is no equivalent keyword in the DPGroups Therefore auditing of No Records is either ON or OFF for an entire system A10 AUDIT_WARNING_FAIL This keyword determines whether or not XDP will write unsuccessful access attempts to the...

Page 92: ...cified in the DPCONF file with the BACKUPCPU setting If the primary process of XYGATEDP is started in the same CPU that is specified for the backup process then a warning is issued and the system is searched for another CPU to use beginning at CPU 0 If the backup CPU is not available when XYGATEDP starts then a CPU search is done for another CPU to use beginning at CPU 0 BACKUPCPU must be present ...

Page 93: ...cro sets the COMPANY_NAME value to the name of the company specified in the XYPRO license for XDP Syntax COMPANY_NAME string Example How to include your company name in XDP report headers COMPANY_NAME Bank of Cochran Road The company name string must be enclosed by double quotation marks A15 DO_TRANSACTION_TIMING This keyword controls whether or not XDP times the encryption request If DO_TRANSACTI...

Page 94: ...LTAGE host skyblue com ENCRAUTHPARAMS VOLTAGE https voltage pp 0000 skyblue voltage com policy clientPolicy xml ENCRAUTHPARAMS VOLTAGE voltage123 ENCRAUTHPARAMS VOLTAGE SharedSecret A17 ENCRMETHOD The ENCRMETHOD keyword configures the encryption methods offered by XDP Each encryption method describes an encryption algorithm that can be specified in your DPACL file to encrypt individual fields The ...

Page 95: ...he DPCONF file service name A name to identify the service Each configured encryption service must have a unique name SERVER A keyword that indicates this service uses Pathsend to perform encryption pathway The process name of the Pathmon that is sent to by the XDP library server The server class name in the Pathway that is sent to by the XDP library Example External ENCRSERVICE voltage vsrv1 SERV...

Page 96: ...uding the DPGroup rules applied to this log The argument to this keyword is the name of the file where these explanations will be written Important The EXPLAIN_LOG must be a filename You cannot write the EXPLAIN_LOG to a SPOOLER If you write to a SPOOLER a deadlock can occur hanging the system XYPRO does not recommend the use of an Explain Log XDP will write to the LOG file you specified in the DP...

Page 97: ... installation This value is used for subsequent updates of the XDP product This entry is required and will be created during installation Syntax MACRO_NAME macro name Note You must re install XDP to change the MACRO_NAME value because this is compiled into the XDP TACLSEG as part of the installation process A23 PERUSE_OBJECT The PERUSE_OBJECT keyword is used only in the DPCONF file It designates t...

Page 98: ...o all be translated to error 100 which is normally not returned from disk activity If this option is OFF then the XDP error codes in the 300 range will be returned to the application Syntax TRANSLATE_ERROR_CODES_TO_100 ON OFF A26 VOLTAGE_INSTALLATION The VOLTAGE_INSTALLATION keyword sets the location of the VOLTAGE library It must come before the ENCRAUTHPARAMS value Syntax VOLTAGE_INSTALLATION vo...

Page 99: ...because if a match is found the search stops B1 Sample DPACL File The following is the full text of the DPACLSAM file which is a sample DPACL file DPACL Sample ACL configuration file for XYGATEDP Global file definitions Use a FILEDEF name in the DPGROUP to identify files that belong to the DPGROUP FILEDEF DATAFILE FILE DISC SUBVOL DATAFILE FIELD FPE FIELD_POSITION 0 16 This FILEDEF will allow writ...

Page 100: ...AFILE DATAFIL2 FILEDEF CAF PBF ILF TLF SQLDEF SQLDEF1 The files or sets of files that we are allowed to access MASK DISC SUBVOL MASK DISC2 SUBVOL Requestors REQUESTOR DISCA PROGOBJS REQUESTOR DISCB PROGOBJS The only operations allowed are ENCRYPT DECRYPT If a program does not have DECRYPT access it can still read an encrypted file but it will read encrypted data If a program does not have ENCRYPT ...

Page 101: ... so by XYPRO support personnel TRACE OFF B2 The DPACL File Keywords The following is a list of the keywords available in the DPACL file ACL user specification operation permission ACLGROUP Group name User list NOT user list AUDIT_ACCESS_FAIL ON OFF AUDIT_ACCESS_PASS ON OFF AUDIT_WARNING_FAIL ON OFF AUDIT_WARNING_PASS ON OFF DESCRIPTION 64 character string DPGROUP group name FIELD method FIELD_POSI...

Page 102: ...98 Audits 3 9 288 864 Segment 3MB 100MB 3860880 B4 ACL To establish access rules you must define the users who will have access to the objects defined by the selection criteria for the DPGroup and grant them the necessary access authorities Syntax ACL user specification operation permission Example 1 below gives ENCRYPT DECYPT privileges to everyone Example 1 ACL EVERYONE ENCRYPT DECRYPT To DENY a...

Page 103: ...XDPTEST REQUESTOR system app OPERATION DECRYPT ACL EVERYONE PROCESS_AS_RULE AUDIT_ACCESS_PASS ON AUDIT_ACCESS_FAIL ON The Example above shows that every ENCRYPT operation attempt will be failed XDP will search for the next DPGroup to find a match B5 ACLGROUP ACLGroups Access Control List Groups are entries that allow profiling of users by job function thus providing an efficient mechanism for orga...

Page 104: ...roup entries in the DPACL file B7 AUDIT_ACCESS_PASS This keyword determines whether or not XDP will write successful access attempts to the XDP audit logs Syntax AUDIT_ACCESS_PASS ON OFF If ON successful access attempts will be audited If OFF successful access attempts will not be audited The default value is OFF Note This value is set in the DPCONF file during installation but can be overridden b...

Page 105: ...sed B9 AUDIT_WARNING_PASS This keyword determines whether or not XOS will write successful access attempts to the XDP audit logs when WARNING_MODE is ON Syntax AUDIT_WARNING_PASS ON OFF If ON successful access attempts will be audited while in warning mode If OFF successful access attempts will not be audited while in warning mode The default value is OFF Note If present in a DPGroup entry this ke...

Page 106: ...vidual userid has access requirements different from the rest of his or her group that individual userid must be listed first In general the rules you want at the top of the file are the rules that are accessed most often Note The exclamation point can be used to start a comment anywhere in a line the comment will continue for the remainder of the line DPGroup entries can be quite complex XYPRO re...

Page 107: ...ber Where method is an associated encryption method such as FPE defined by the ENCRMETHOD keyword FIELD_POSITION number number specifies the location of data that should be encrypted in a record and is defined as a zero based offset and a length that is 0 16 The Example below shows how to define a field in a record and assign it an encryption method Example FIELD FPE FIELD_POSITION 0 16 B13 FILE T...

Page 108: ...MASK is the DPGROUP security enforcement It is the template that identifies the objects to be secured MASKs can include explicit exact filenames Guardian style wildcards or Unix compatible regular expressions XDP assumes Guardian style wildcards unless the entry is preceded by RE to indicate that the MASK is a regular expression Refer to the XYGATE Regular Expressions manual for information about ...

Page 109: ...trailer record are written to a file Syntax MIXED_RECORD_IDENTIFIER text OFFSET number Where OFFSET is a sub keyword and number is the zero based offset in the record where the text to identify the record exists Example MIXED_RECORD_IDENTIFIER abc offset 38 B17 OPERATION The operation being requested is determined from the ACCESS parameter that was passed to the FILE_OPEN_ call in the requesting p...

Page 110: ...ECORD result if none of the DPGroups in the DPACL file above the one containing the RESULT_NORECORD match the criteria If the ruling is Yes the result is converted to NORECORD If the ruling is No then NO is returned The RESULT_NORECORD keyword allows XDP to scan the DPACL file and immediately return a NORECORD result rather than reading through the entire DPACL and attempting to make a ruling B20 ...

Page 111: ...ode of 0 on the Write and unencrypted data will be written Warning messages will be sent to both the EMS collector 0 and the audit file when this happens To use this keyword turn it ON in the DPACL file The default is OFF if the keyword is omitted so that XDP errors will be reported to the application but unencrypted data will not be written to the database Note Your application can encounter unen...

Page 112: ...XYGATE Data Protection Reference Manual Appendix B The DPACL File XYPRO Technology Corporation 92 Proprietary and Confidential ...

Page 113: ... standard XYPRO help message for XDP but this file can be customized for your site using EDIT Syntax XDPHELP Example SYSTEM XYGATEDP XDPHELP XDP_AUDIT_REPORT A single line batch oriented method of generating an audit report XDP_BOUNCE Stops and restarts the XYGATEDP process XDP_COMPILE Creates a compiled file called DPCONFB which is compiled from the files DPACL and DPCONF XDP_CREATE_ENFORM Instal...

Page 114: ... encryption or decryption for various conditions XDP_EXPLAIN_ON filename Will send a request to turn EXPLAIN ON to the running server When the filename is specified indicates the name of the explain file to be used When filename is not included the name EXPLAIN will be used XDP_EXPLAIN_OFF Will send a request to turn EXPLAIN OFF to the running server XDP_FINISH_INSTALL Will progid the XYGATEDP obj...

Page 115: ...trail XDP_SHUTDOWN Stop the XYGATEDP monitor process and stop the XYGATEDP pathway environment XDP_STATUS Displays the status of the XYGATEDP process XDP_START Start the XYGATEDP process XDP_STOP Stop the XYGATEDP process XDP_SYNTAX_CHECK Reads the specified DPACL file to ensure that the entries are syntactically correct XDP_TEST_CONNECT Performs various consistency checks and validation checks of...

Page 116: ... earliest date to be included in the report Enter in YYYY MM DD format from time The earliest time on the from date to be included in the report Enter in HH MM format to date The last date included in the report Enter in YYYY MM DD format to time The last time on the to date to be included in the report Enter in HH MM format subject user The subject user is the user making the access Can be any of...

Page 117: ...mple S XYGATE XDPSEC sort order USER LOGINNAME TIME OBJECT COUNTS SESSION CUSTOM ELAPSED If CUSTOM is selected additional values are required beginning with Custom Columns Custom Sort etc as shown below in this table delete comments Enter YES if you want to suppress comments otherwise enter NO Production Test Result Type of Results Production P Test T or BOTH B warning mode Enter W to include Warn...

Page 118: ...ed All comments will be included All result type will be included The audit file to use is SYSTEM XYGATEDP AUDIT The report will be written to S XDP XDPSEC The report is sorted by USER Both test and production results will be included If desired use the TACL syntax to separate command lines for legibility Or in a TACL macro use brackets to enclose all the selection criteria and list them one per l...

Page 119: ...process XDP was opened XDP has been shut down XDP not running SYSTEM XYGATEDP XYGATEDP NAME XDP TERM VHSQ PRI 120 OUT VHSQ NOWAIT XDP running C4 XDP_COMPILE This macro will create the compiled configuration file called DPCONFB which is compiled from the DPCONF and DPACL files Syntax XDP_COMPILE Example How to compile the XDP configuration SYSTEM XYGATEDP 2 XDP_COMPILE XYGATEDP XYPRO Technology Cor...

Page 120: ...d Development Company L P DUP SYSTEM SYSTEM ENFORM SYSTEM XYGATEDP PURGE SOURCEDATE FILES DUPLICATED 1 GIVE SYSTEM XYGATEDP ENFORM 232 44 DUP SYSTEM SYSTEM QP SYSTEM XYGATEDP PURGE SOURCEDATE FILES DUPLICATED 1 GIVE SYSTEM XYGATEDP QP 232 44 DUP SYSTEM SYSTEM ENFORMMK SYSTEM XYGATEDP PURGE SOURCEDATE FILES DUPLICATED 1 GIVE SYSTEM XYGATEDP ENFORMMK 232 44 C6 XDP_CREATE_SQLCI This macro installs a ...

Page 121: ... of days in past Example How to set sliding start and end date ranges for batch reports tacl macro frame push t_from_date t_to_date compute date 7 days back XDP_datetime_make 7 put date computed and time of 00 00 into t_from_date set t_from_date XDP_dt_year4 XDP_dt_month XDP_dt_day t_to_date is empty compute date and time 1 day back XDP_datetime_make 1 put computed end date into t_to_date set t_to...

Page 122: ...re nnn is an incrementing three digit number Twenty iterations of the OLDACLnnn file will be saved in the XDP subvolume Example How to use the XDP_EDIT_ACL macro to alter the DPACL file SYSTEM XYGATEDP 3 XDP_EDIT_ACL SYSTEM XYGATEDP 716 This file edits the current XYGATE DATA PROTECTION list It will create a file named SYSTEM XYGATEDP NEWDPACL from the current SYSTEM XYGATEDP DPACL file These are ...

Page 123: ...ist of the DPGROUP that were considered Syntax XDP_EXPLAIN Example How to do What ifs in Explain Mode SYSTEM XYGATEDP 329 xdp_explain XYGATEDP XYPRO Technology Corporation N1 20991231 DPCONF CHECKSUM 693136747 SYSTEM XYGATEDP DPCONF DPACL CHECKSUM 675938595 SYSTEM XYGATEDP dpacl Explain mode on Access check encrypt encryptedfile SYSTEM xdpdata testin SYSTEM XYGATEDP xdpencr Objecttype 00098 ENCRYP...

Page 124: ...ned on N1 SYSTEM XYGATEDP EXPLOG Note The default file name is EXPLAIN when no file name specified Example 2 Turn off explain log SYSTEM XYGATEDP 10 345 xdp_explain_off XDPCOM XYPRO Data Protection Command Interpreter 28APR2014 Monitor process XDP was opened Explain_log turned off C11 XDP_FINISH_INSTALL The XDP_FINISH_INSTALL macro is designed to let the system manager finish the XYGATGEDP install...

Page 125: ... 20991231 XYPRO Technology Corporation P64 0026 20991231 N3 047 N2 100 N1 007 BEGIN XYPRO SIGNATURE PUBLIC KEY LICENSE CREATE 20130711 175307 CUSTOMER NAME XYPRO Technology Corporation CUSTOMER NUMBER 0026 PRODUCT XYGATE DP 20991231 20130711 NODE N3 0047 00 0 00 NODE N2 0100 00 0 00 NODE N1 0007 00 0 00 License good Do you want to install this license file YES FILES DUPLICATED 1 New license instal...

Page 126: ...that has XDP installed any XDP library that was previously installed must be first uninstalled then installed again after installing the library Otherwise when it comes time to upgrade either the application or the XDP library the XDP library uninstall will fail because the application library will have changed since the XDP library was installed XYPRO currently supports the installation of XDP li...

Page 127: ... from SYSTEM XYGATEDP XDP64961 Example 2 SYSTEM XYGATEDP 42 XDP_LIB_UNINSTALL PA SYSTEM XYGATEDP PA SYSTEM XYGATEDP XDP08004 ADDRTL SYSTEM XYGATEDP LB1S116 212310312042742159 SYSTEM XYGATEDP ZZ070357 Purged Restored SYSTEM XYGATEDP PA from SYSTEM XYGATEDP XDP08004 When the library is uninstalled the entry in the XDPBIND file is eliminated Note When an object has the XDP library attached it will be...

Page 128: ...XDPLIB Should all the above libraries be uninstalled No y SYSTEM XDPTEST XDPLIB1 SYSTEM XDPTEST XDP59677 ADDRTL SYSTEM XYGATEDP XDPLIB 21225 1833262055503 Restored SYSTEM XDPTEST XDPLIB1 from SYSTEM XDPTEST XDP59677 SYSTEM XDPTEST XDPLIB2 SYSTEM XDPTEST XDP57194 ADDRTL SYSTEM XYGATEDP XDPLIB 2122 51833360398650 Restored SYSTEM XDPTEST XDPLIB2 from SYSTEM XDPTEST XDP57194 SYSTEM XDPTEST XDPLIB3 SYS...

Page 129: ...TEDP XDP21980 BINDRTL XDPLIB C17 XDP_LOAD_CONFIG The XDP_LOAD_CONFIG macro displays the time taken to process the load config request Syntax XDP_LOAD_CONFIG Example 1 How to tell the XDP server s to reload the configuration SYSTEM XYGATEDP 8 XDP_LOAD_CONFIG Load Config request processed in 0 000011 seconds SYSTEM XYGATEDP 9 If the DPCONFB file has not been compiled since the last time DPCONF or DP...

Page 130: ...on When the TARGET file does not exist the TACL IN file created will include commands to create it like the SOURCE file without AUDIT BUFFERED or alternate key files When the keyword PROMPT is included the user will be prompted for partition locations for creating TARGET file Syntax XDP_MASS_DECRYPT source file target file TACL in file PROMPT Example 1 SYSTEM XYGATEDP 6 XDP_MASS_DECRYPT SOURCE TAR...

Page 131: ...n When the TARGET file does not exist the TACL IN file created will include commands to create it like the SOURCE file without AUDIT BUFFERED or alternate key files When the keyword PROMPT is included the user will be prompted for partition locations for creating the TARGET file Syntax XDP_MASS_ENCRYPT source file target file TACL in file PROMPT Example 1 SYSTEM XYGATEDP6 XDP_MASS_ENCRYPT SOURCE T...

Page 132: ...XDP_PWSTOP Freezes and stops your Serverclasses and stops the PATHMON process using the PATHCOM shutdown command It also saves your Pathway configuration information in the PWCONF file which is later used when restarting your Pathway Syntax XDP_PWSTOP Example SYSTEM XYGATEDP 647 XDP_PWSTOP Pathway settings saved in SYSTEM XYGATEDP PWCONF SYSTEM SYSTEM PATHCOM NAME XDPP shutdown2 mode im until done...

Page 133: ...LL_AUDIT This macro allows users to roll over all configured XDP audit files manually as shown in the example below Syntax XDP_ROLL_AUDIT Example SYSTEM XYGATEDP 347 xdp_roll_audit Renamed SYSTEM XYGATEDP AUDIT to SYSTEM XYGATEDP AUD00000 SYSTEM XYGATEDP 348 C28 XDP_SHUTDOWN The macro XDP_SHUTDOWN will stop the XYGATEDP process and shutdown the associated pathway environment Syntax XDP_SHUTDOWN Ex...

Page 134: ...acro is used to display the status of the XYGATEDP pathway and XYGATEDP monitor process names Example SYSTEM XYGATEDP 529 XDP_STATUS Pathway XDPP running SERVER RUNNING ERROR INFO VOLTNPD 126 3 VOLTNPD 126 00 3 VOLTNPD 126 01 3 VOLTSRV 126 3 VOLTSRV 126 00 3 VOLTSRV 126 01 3 XYGATEDP XDP running C31 XDP_STOP The XDP_STOP macro stops the XYGATEDP monitor process The SHUTDOWN message is written to t...

Page 135: ...oduction DPACL file Syntax XDP_SYNTAX_CHECK DPACL filename DPCONF filename Example 1 How to syntax check a DPACL file SYSTEM XYGATEDP 18 XDP_SYNTAX_CHECK DPACL DPCONF XYGATEDP XYPRO Technology Corporation N1 20991231 DPCONF CHECKSUM 323452687 SYSTEM XYGATEDP DPCONF XDP DPACL syntax warning at line 17 ACLGROUP EVERYONE has an invalid entry TESTGROUP DPACL CHECKSUM 726552862 SYSTEM XYGATEDP DPACL No...

Page 136: ...2 Checking if the Pathway systems defined in the DPCONF file are running INFO VSRV1 service is set up to use N1 XDPP Pathway SUCCESS N1 XDPP is running TEST 3 Checking that encryption server classes in Pathway system are accessible INFO 3 Encryption provider s found VOLTAGE serverclass VOLTSRV for encryption method FPE VOLTAGE serverclass VOLTSRV for encryption method TOKEN VOLTNPD serverclass VOL...

Page 137: ...ethod is registered with XDP SUCCESS FPE encryption method is registered with XDP SUCCESS SSN encryption method is registered with XDP TEST 6 Checking that data can be encrypted using selected encryption methods INFO Encrypting using the external Pathway encryption engine INFO Found the TOKEN encryption method defined in the DPACL and found an encryption provider for that encryption method VOLTAGE...

Page 138: ...LSEG file which was open because the segment had to be attached in order to run the XDP_UNINSTALL macro you will have to remove a file manually marked in red below in order to complete the uninstall Example 1 How to uninstall the XDP software SYSTEM XYGATEDP 5 XDP_UNINSTALL This procedure will totally remove all files in your XYGATEDP installation If you want to make copies of any of your configur...

Page 139: ...ATEDP DPACL No syntax errors found No syntax warnings found Configuration successfully compiled Load Config request processed in 0 000004 seconds C36 XDP_VERSION The XDP_VERSION macro displays information about the XDP product including the version number the nodes for which the product is licensed the license expiration date and a VPROC of the XDP server Syntax XDP_VERSION Example How to determin...

Page 140: ...PECIFIED OCA timestamp 20NOV2013 12 16 59 VPROC T9617H01 01 FEB 2009 SYSTEM N1 Date 21 NOV 2013 08 06 17 Copyright 2004 Hewlett Packard Development Company L P SYSTEM XYGATEDP XDPCOM Binder timestamp 20NOV2013 11 33 06 Version procedure T9999D30 P64 XDPCOM 100 Target CPU UNSPECIFIED OCA timestamp 20NOV2013 12 17 00 VPROC T9617H01 01 FEB 2009 SYSTEM N1 Date 21 NOV 2013 08 06 17 Copyright 2004 Hewle...

Page 141: ...f these error codes have other error codes that will be associated with them such as error 362 Error 362 is the general error and you should refer to the other suberror code to determine what is wrong Error information is usually written to the Audit file so always examine it for additional information for each error Error Code Error Description Corrective Action 0 No error 350 Cannot access inter...

Page 142: ...363 Cannot position on a file with a mixed rec spec Attempt was made to use KEYPOSITION KEYPOSITIONX or FILE_SETKEY_ on a file with multiple record formats defined 364 Operation not supported Requested conversion operation is not supported for encrypted data 365 Encryption method specified for a field is unknown The encryption method specified is unknown Ensure that the encryption method has been ...

Page 143: ...tact XYPRO 379 No data has been loaded into the encryption API __XYPRO_ENCR_ENCRYPT or __XYPRO_ENCR_DECRYPT was called prior to data being added by __XYPRO_ENCR_ADD_ENCRYPT_DATA 380 A requested SQL data conversion is not yet implemented SQL MP requires various types of data conversions that are done within XDP Each conversion requires specific coding This error indicates that a necessary conversio...

Page 144: ... XDP monitor process One or both of these are missing 392 Unable to access the configuration file for an encryption method Certain encryption methods have an associated configuration file Either the file is not found or there is a syntax error in it Check the AUDIT file for additional information 393 Encryption engine failed to initialize XDP was unable to initialize the encryption engine Check th...

Page 145: ..._PREFIX is correct in the DPCONF file 403 Unable to open a configuration file Unable to open the DPCONF file Ensure that the DPCONFAP exists on the same subvolume where the XDP library exists and that it is secured so that the application can access it 404 Beginning encryption position is before a key field and spans into the key area A field in the record is defined with a position length that ov...

Page 146: ...r the SQL table Ensure that all column names specified in the DPACL exist An attempt was made to register the metadata for a table as it is defined in the DPACL using column names that don t exist in the physical table 420 A data field that was processed by encryption won t fit in the output field s space In certain circumstances data can shrink or grow when it s encrypted This error means that th...

Page 147: ...use the data to expand 427 The encryption API is too full to accept the new field The encryption API has the capacity to hold approximately 31k of data An attempt was made to add an item that would have exceeded this data limit This error is usually only seen by users of the XDP SDK Recovery is to encrypt the data that is already held by the encryption API which will then free up space to add addi...

Page 148: ...XYGATE Data Protection Reference Manual Appendix D XDP Error Codes XYPRO Technology Corporation 128 Proprietary and Confidential ...

Page 149: ...CR_MEMBLK_SIZE long __XYPRO_ENCR_MEMBLK_SIZE void Returns the number bytes of memory needed by the Encryption API for context The value returned should be used to allocate memory for the Encryption context Example Global Storage char encr_ctx NULL Encryption context pointer Local Storage long nmem_size nmem_size __XYPRO_ENCR_MEMBLK_SIZE encr_ctx char malloc nmem_size E2 __XYPRO_ENCR_SEND_BUF_SIZE ...

Page 150: ...sly allocated Returns 0 when successful Refer to the list of error codes in the XDP manual for a description of the error code values encr_ctx A pointer to the previously allocated context area refer to __XYPRO_ENCR_MEMBLK_SIZE on page 129 Example Global Storage char encr_ctx NULL Encryption context pointer Local Storage short nerror long nmem_size Allocate memory for the Encryption context nmem_s...

Page 151: ...ant only when there is more than one encryption provider Since the only encryption provider currently defined is VOLTAGE any value returned in the nserv_index parameter from a call to __XYPRO_ENCR_ADD_ENCR_METHOD can be passed to __XYPRO_ENCR_SEND_TO_ENCR_SRV and everything will work as expected Parameters Returns 0 when successful Refer to the list of error codes in the XDP manual for a descripti...

Page 152: ...utput parameter that is returned from the procedure __XYPRO_ADD_ENCR_METHOD to indicate which encryption provider to invoke The returned value is important only when there is more than one encryption provider defined since there currently is only one encryption provider defined you can simply pass any value returned in this field to __XYPRO_ENCR_SEND_TO_ENCR_SRV binitial_call A Boolean value This ...

Page 153: ...ame char _far sencr_method short strlen sencr_method char _far sprovider_name short strlen sprovider_name short _far nserv_index1 short first_call first_call FALSE strcpy sencr_method FPE nerror __XYPRO_ENCR_ADD_ENCR_METHOD encr_init_struct _far encr_init char _far spathmon_name short strlen spathmon_name char _far sserverclass_name short strlen sserverclass_name char _far sencr_method short strle...

Page 154: ... description of the error code values encr_ctx A pointer to the previously allocated context area refer to __XYPRO_ENCR_MEMBLK_SIZE on page 129 encr_init The encryption initialization structure previously populated by __XYPRO_ENCR_ADD_ENCR_METHOD Populates the Encryption context encr_ctx with content from the encr_init structure Example Global Storage char encr_ctx NULL Encryption context pointer ...

Page 155: ... error codes in the XDP manual for a description of the error code values encr_ctx A pointer to the previously allocated context area refer to __XYPRO_ENCR_MEMBLK_SIZE on page 129 pdata A pointer to the data to be encrypted or decrypted nlen The length of the data pointed to by pdata index The index of the data item being added The value should be 0 on the first call and incremented on each subseq...

Page 156: ...the sample card data to the encryption API specifying the encryption method to be used nitemindex 0 nerror __XYPRO_ENCR_ADD_ENCRYPT_DATA long _far encr_ctx char _far splaintextpan1 short strlen splaintextpan1 short nitemindex char _far sencr_method short strlen sencr_method short _far nserv_index if nerror 0 Error handling Add the second sample card data to the encryption API specifying the encryp...

Page 157: ...ryption key it is a value that is passed to the encryption provider to reference the actual database key For the VOLTAGE encryption provider it is a string in the format YYYYMMDDHHMNSSZ This is a date time string that is expressed in UTC as indicated by the trailing Z Changing this value is one way to roll the encryption key but all data previously encrypted using a different date time value then ...

Page 158: ...ryption key it is a value that is passed to the encryption provider to reference the actual database key For the VOLTAGE encryption provider it is a string in the format YYYYMMDDHHMNSSZ This is a date time string that is expressed in UTC as indicated by the trailing Z Changing this value is one way to roll the encryption key but all data previously encrypted using a different date time value then ...

Page 159: ...K_SIZE on page 129 serv_index An index value returned from the __XYPRO_ENCR_ADD_ENCR_DATA procedure If there is only one encryption provider defined then any of the values returned from __XYPRO_ENCR_ADD_ENCR_DATA can be used process_time The microseconds needed by the encryption server to encrypt the data This parameter is an optional parameter and is only returned by this procedure if a waited se...

Page 160: ...nscsend_op_num The operation number returned by the initiation of this send function This value or 1 can be used in the file number parameter for a subsequent AWAITIOX call in order to complete the I O operation and it can be used for calling FILE_GETINFO_ to get error information This parameter can be omitted if a waited send operation is performed Example include xdpdecth declarations Global Sto...

Page 161: ...first completion will be lost This function is not needed if the program uses the WAITed functions __XYPRO_ENCR_ENCRYPT or __XYPRO_ENCR_DECRYPT Parameters Returns 0 when successful Refer to the list of error codes in the XDP manual for a description of the error code values encr_ctx A pointer to the previously allocated context area refer to __XYPRO_ENCR_MEMBLK_SIZE on page 129 nscsend_op_num The ...

Page 162: ...ives error codes nencr_error Encryption API detailed error code nfilenum 1 File number for AWAITIOX char _far pbufaddrret NULL Buf ptr from AWAITIOX _cc_status cc CC for AWAITIOX Wait for a completion An application would specify an I O tag when it initiated the send operation that could later be identified and associated with this send In this sample program we use 1234 cc AWAITIOX nfilenum __int...

Page 163: ... successful Refer to the list of error codes in the XDP manual for a description of the error code values encr_ctx A pointer to the previously allocated context area refer to __XYPRO_ENCR_MEMBLK_SIZE on page 129 sencryptedpan The string of data retrieved by this call and containing the encrypted or decrypted data depending on the operation that had been performed nencryptedpanlenret The length of ...

Page 164: ... _far encr_ctx char _far sencryptedpan short _far nencryptedpanlenret short nitemindex nencr_error E12 __XYPRO_ENCR_GET_LAST_RQ_TIME long long __XYPRO_ENCR_GET_LAST_RQ_TIME long _far encr_ctx input Returns the amount of time taken in microseconds one millionth of a second for the most recent encryption activity Parameters Returns 0 when successful Refer to the list of error codes in the XDP manual...

Page 165: ...RO_ENCR_IS_EXT_PROVIDER bool __XYPRO_ENCR_IS_EXT_PROVIDER void Indicates whether the encryption provider is accessed externally or not Parameters Returns false if the internal encryption provider is being used Returns true if the external encryption provider is being used Example include xdpdecth declarations If __XYPRO_ENCR_IS_EXT_PROVIDER ...

Page 166: ...XYGATE Data Protection Reference Manual Appendix E XDP API Procedures XYPRO Technology Corporation 146 Proprietary and Confidential ...

Page 167: ...of the same format For example using FPE you can encrypt a 16 digit plaintext credit card number into a 16 digit ciphertext number The ciphertext will have exactly the same format as the plaintext being encrypted without sacrificing encryption strength No database schema changes and minimal application changes are required Voltage Voltage Security Inc is the developer of the encryption technology ...

Page 168: ...he XDP Run Time Library Refer to the architectural diagram shown on page xv in the Introduction for more information XDPCOM This is a utility that is used to query and make changes to the XDP environment by the XDP macros XDPENCR This is the standalone encryption program It is used when installing XDP to encrypt the application s data for XDP XDPERROR This program is used for the descriptions of X...

Page 169: ... 79 Voltage Tokenization Configuration 19 DPCONF File xvi 3 9 Keywords 63 Location 63 Sample File 64 DPCONFAP File 3 9 Manually Purging 14 15 DPGroups 86 E ENFORM Reports 33 96 Error 100 Codes 78 Error Codes 121 G GoldenGate See Oracle GoldenGate Guardian I O Procedures 22 Intercepted by XDP 27 H Host INSTALL Macro License Maintenance 7 Running the macro 3 I Installing the Voltage Library 5 Instal...

Page 170: ... Keywords 57 Reports in Warning Mode 52 Testing Access Rules in Warning Mode 49 Using Input and Output Files 55 X XDP Auditing and Audit Reports 31 XDP Error Codes 121 Translated to Error 100 78 XDP I O Architecture 23 XDP Init File 9 XDP Library xvi and subsequent installations 15 Installation Issues 21 Installing 13 Procedure Name Conflicts 22 Resolving Installation Issues 22 Uninstallation 15 X...

Reviews:

No comments