Rational Apex and Trusted Mode HP 11.00

Larry Snider
Occasional Contributor

Does anyone have experience running Rational Apex on an HP-UX 11.00 in trusted mode?

We may have to convert a few systems to trusted mode that have Apex installed and we are worried that our development environment might break because of this paragraph in the HP-UX Security White Paper:

"Because Trusted Mode has some HP proprietary extensions to the relatively unsecure industry-standard definition of UNIX, occasionally applications that interact directly with the standard UNIX security APIs or data structures will not work with Trusted Mode HP-UX. Applications or development tools which use the available Trusted Mode APIs are interoperable with no modifications. Applications that do not access user accounts, passwords, etc. are interoperable with no modifications."

Rational Apex appears to make extensive use of user and group permissions as well as ACLs.
Jeff Schussele
Honored Contributor
Solution

Re: Rational Apex and Trusted Mode HP 11.00

Hi Larry,

If all it uses is perms & ACLs, I don't believe you'll have trouble. What that excerpt is telling you is that IF the app makes use of any PAM (Pluggable Authentication Modules - see /usr/lib/security) APIs or calls, that converting to Trusted may cause a problem. PAM APIs are used to authenticate a user upon access or for specific applications or utilities such as CIFS, DCE, Kerberos, etc.

But what you do have to watch out for when you convert to Trusted is PWs. When the system converts ONLY the first 8 chars of a PW are converted & placed in the TCB (Trusted Computing Base) entry for the user. So when a user types in their 10 char PW it will be rejected even though the first 8 chars were correct. The system will evaluate all 10 chars. Now if the user types ONLY the first 8 chars, then it will be accepted. So users should be told ahead of time to make sure their PWs are <=8 chars prior to conversion. Or users should be forced to change PWs post-conversion.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Colin Topliss
Esteemed Contributor

Re: Rational Apex and Trusted Mode HP 11.00

If you have anything which utilises a client/server authenticated connection, then you will see problems. The API changes with trusted (C2) mode. If the client side of your application is not C2 aware, then it will be unable to authenticate.

The call to get the password entry (getpwent) changes to getprpwent. Some vendors don't take this into account.

As for passwords, ensure that they are compliant BEFORE converting to C2. Once you've converted, if the original password was not compliant it refuses to allow you to change it (not sure if that has been patched since I last did this).

Tried it, caused no end of problems, took it out.... :-)

Col.
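
An added example, not part of the thread and not code from Rational or HP: a lookup that reads the password field through the standard `getpwnam()` call and, when it finds only a placeholder, falls back to the Trusted Mode `getprpwnam()` call from the same family as the `getprpwent` mentioned above. The helper names are hypothetical, and the `__hpux` branch assumes the HP-UX headers `<hpsecurity.h>` and `<prot.h>` with the `ufld.fd_encrypt` field; elsewhere only the portable part is compiled.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __hpux
#include <hpsecurity.h>
#include <prot.h>   /* struct pr_passwd, getprpwnam(), iscomsec() */
#endif

/* A classic crypt(3) DES hash is 13 characters. Anything shorter ("*",
 * "x", "") is a placeholder: the real hash is stored elsewhere, which on
 * a Trusted Mode system means the protected password database. */
int hash_is_placeholder(const char *field)
{
    return field == NULL || strlen(field) < 13;
}

/* Return the stored hash for `user`, or NULL when this process cannot
 * see it. The result points to static storage owned by libc. */
const char *stored_hash(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return NULL;                      /* unknown account */
    if (!hash_is_placeholder(pw->pw_passwd))
        return pw->pw_passwd;             /* standard mode: hash in passwd */
#ifdef __hpux
    if (iscomsec()) {                     /* system is in Trusted Mode */
        struct pr_passwd *pr = getprpwnam((char *)user);
        if (pr != NULL && pr->ufld.fd_encrypt[0] != '\0')
            return pr->ufld.fd_encrypt;   /* hash from the TCB entry */
    }
#endif
    return NULL;  /* a getpwnam-only application stops here and fails */
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    printf("%s: hash %s\n", user,
           stored_hash(user) ? "available" : "not visible to this process");
    return 0;
}
```

On HP-UX the Trusted Mode calls live in libsec, so link with `-lsec`; the protected database is readable only with appropriate privilege.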
Larry Snider
Occasional Contributor

Re: Rational Apex and Trusted Mode HP 11.00

Thank you, gentlemen. Your input has helped a lot.