
Re: Cookbook for transition to secure protocols?

 
Mike R Smith
Frequent Advisor

Cookbook for transition to secure protocols?

My apologies if this has already been documented and I did not come across it in my search.

 

I am working to put together a plan for transitioning an 8.4 cluster running on Integrity Blades from using protocols like ftp, rsh, telnet, etc... to sftp, ssh, etc...

 

I need to address everything in the plan but from a high level

- Reflections telnet and ftp access

- Batch and interactive ftp, rsh, etc...

- Authentication from Active directory over SSH (not here yet)

- Key files setup

- and the list goes on and on (this includes what I have captured and the stuff I am sure I missed)...

 

I believe some of you out there have been through similar exercises. I would appreciate any pointers to a cookbook, best practice, or even "Hey, be sure to look out for this gotcha".

 

Thanks to all for any help you can provide.

4 REPLIES
Mike R Smith
Frequent Advisor

Re: Cookbook for transition to secure protocols?

TCPIP 5.7 Eco 4
Steven Schweda
Honored Contributor

Re: Cookbook for transition to secure protocols?

 
Mike R Smith
Frequent Advisor

Re: Cookbook for transition to secure protocols?

Thanks for the tips, Steven.

 

In answer to the question you put forth:

<Communicating with other cluster members, other VMS systems, other
non-VMS systems, ...?>

The answer is yes to all of the above. Our user base is just shy of 10,000 on a typical day, so every scenario you mentioned is happening.

Hoff
Honored Contributor

Re: Cookbook for transition to secure protocols?

VMS has no support for secure transports for LAN clustering; SMH, DECnet and any related traffic (if present) is usually firewalled to maintain security and privacy. SCS is a wide-open LAN protocol, so you really don't want that mixed with any untrusted LAN devices. I usually recommend a firewall with VMS here. (While most folks think of Windows clients in this context, these days even network printers aren't all that trustworthy, either.)

 

Various of the higher-level IP networking packages have SSL/TLS and ssh options available (setting up ssh and sftp), and PuTTY has ssh certificate-based login capabilities - above the level of VMS itself, this is more of a generic IP network security question, too.  Put another way, documents on how to secure IP traffic will — more or less — apply to VMS.

 

ssh can accept a command for execution on a remote host, so that can be one way to trigger remote activity. (Some details) Triggering via a web server and a CGI script is another. (Apache on VMS can invoke DCL procedures as CGI scripts, for instance, and these resources can be accessed via SSL/TLS.) There are (were?) also some distributed process schedulers and job managers around for VMS, too, if you're looking to automate these sorts of activities.

 

I've posted some general notes on OpenVMS LDAP external authentication, but I didn't test the certificate-based access path. Would have to dig into the details of getting that to work — configuring and troubleshooting the Open Directory LDAP connection was more complex than I'd expected.
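A migration plan like the one asked about above needs an inventory of which cluster nodes still listen on the cleartext services being retired (ftp, telnet, rsh and friends) and which already offer ssh/sftp as the replacement. The following is an added example, not code from this thread or from HPE; it assumes the well-known TCP ports for those services, uses placeholder hostnames, and takes an injectable probe so the classification logic can be exercised without a network.

```python
"""Inventory check for a cleartext-to-secure-protocol migration (constructed example)."""
import socket
from typing import Callable, Dict, List

# Legacy services the migration retires, keyed by well-known TCP port.
LEGACY = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}
# Replacement service: ssh carries both interactive login and sftp.
SECURE = {22: "ssh/sftp"}

Probe = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_node(host: str, probe: Probe = tcp_open) -> Dict[str, object]:
    """Classify one node: which legacy listeners remain and whether ssh is up."""
    legacy_up = [name for port, name in LEGACY.items() if probe(host, port)]
    ssh_up = any(probe(host, port) for port in SECURE)
    if legacy_up and not ssh_up:
        status = "blocked"       # cleartext in use and nothing secure to move onto yet
    elif legacy_up:
        status = "in-progress"   # ssh available, but cleartext listeners still open
    else:
        status = "done"          # no cleartext listeners left on this node
    return {"host": host, "legacy": legacy_up, "ssh": ssh_up, "status": status}


def migration_report(hosts: List[str], probe: Probe = tcp_open) -> List[Dict[str, object]]:
    """Assess every node in the list; the result drives the migration checklist."""
    return [assess_node(h, probe) for h in hosts]


if __name__ == "__main__":
    # Placeholder node names; replace with the cluster's own hostnames.
    for row in migration_report(["node1.example", "node2.example"]):
        print(f"{row['host']:20} {row['status']:12} legacy={row['legacy']} ssh={row['ssh']}")
```

Run it from a host inside the firewall that already has a path to every cluster member; a "blocked" node needs ssh enabled before any batch rsh or ftp job on it can be converted.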