
ClearPath Mainframe Servers - Secure Connectivity Identification and Authentication

The first and most basic steps needed to help secure your corporate data assets are identification and authentication. Identification determines who the user is, while authentication provides assurance that the user is who he or she claims to be. These are prerequisites to controlling access to your data and system resources and to maintaining an accurate audit trail of your MCP system’s activity.

 

We support a full range of user authentication choices:

  • User-ids and passwords, managed exclusively by the MCP operating system
  • NTLM and NTLMv2 authentication protocols
  • Kerberos authentication. Kerberos enables a single sign-on to multiple, heterogeneous systems including MCP systems, Windows servers, Linux servers and UNIX servers.
  • Web Transaction Server for ClearPath MCP
  • Java and JBoss based applications can use role-based authentication

No matter how your users are authenticated, MCP gives you worry-free protection for your system’s resources, permitting only authorized access that’s based on a user’s authenticated identity and assigned privileges.


Kerberos

Kerberos based open security interfaces let you leverage your investment in open, standards-based network authentication into your MCP environment. Kerberos lets you trust the authentication done by other computers by giving you secure transmission of authentication information. Unisys single sign-on solutions provide full support for Kerberos.


The Kerberos network authentication protocol enables users to securely prove their identity to one another over an unsecured network. This authentication of each other’s identity ensures that messages are being sent to the intended user. In the MCP environment, client and server applications can exchange credentials securely using Kerberos.


Once client and server application credentials and a security context have been established and authenticated, the client and server applications can exchange encrypted messages securely. In the MCP environment, these credentials and encrypted messages are exchanged through GSS-API and Security Support Provider Interface (SSPI) function calls.


Role-based Authentication

ClearPath MCP servers provide role-based authentication for Java, J2EE (Java 2 Enterprise Edition) and JBoss Application Server based environments. This capability makes it easier to manage these types of environments.


MCP provides role-based authentication through the use of:

  • Realms. A user realm is a secure place to store identities, credentials and roles.
  • Roles. A role is task-oriented and represents what a user can do. A member of a role has permission to perform a function, regardless of his or her group affiliation. Roles are also like groups in that both represent a collection of users.
  • User-ids. A user-id is a unique name that identifies the user to the MCP server and also to the Java environment.

User realms and their login modules provide functionality that can be thought of in terms of:

  • Authenticating an identity
  • Checking whether an authenticated identity is in the user realm
  • Determining the roles for an authenticated identity

Authenticating an Identity 

When a user realm is required to authenticate a client identity, the client usually presents a user-id and a password credential. Given that user-id and password, the user realm is asked to authenticate the client identity, thereby establishing that the client is who it claims to be.

 

Checking Whether an Authenticated Identity Is in the User Realm 

The MCP security manager presents a subject identity or a credential identity to the login modules and asks whether the identity is in the user realm. The J2EE application specifies its authentication requirement when deployed using JBoss Application Server.


Determining the Roles for an Authenticated Identity 

Roles can be stored and associated with an identity (subject or credential) directly in the user realm. Using MCP Security Center software, an administrator would populate the user realm with identities, credentials and roles. Then at runtime, the user realm retrieves the roles when asked to present them for an authenticated identity. 
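The three login-module functions just described (authenticate an identity, check that an identity is in the realm, and determine its roles) map naturally onto a small Java class. The following is an added example written for this page, not MCP Security Center or JBoss code: it models a hypothetical in-memory user realm whose entries an administrator populates ahead of time, stores each credential as a salted PBKDF2 hash rather than in clear, and answers the three questions at runtime. The class name, the PBKDF2 work factor and the sample user and roles are assumptions constructed for the example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical in-memory user realm that models the three login-module functions
 * described above. This is illustrative code, not MCP or JBoss code; the names
 * and policy values (iteration count, key size) are assumptions.
 */
public final class InMemoryRealm {
    private static final int ITERATIONS = 120_000;   // assumed PBKDF2 work factor
    private static final int KEY_BITS = 256;         // assumed derived-key length
    private static final SecureRandom RNG = new SecureRandom();

    /** One stored identity: per-user salt, credential hash and assigned roles. */
    private static final class Entry {
        final byte[] salt;
        final byte[] hash;
        final Set<String> roles;
        Entry(byte[] salt, byte[] hash, Set<String> roles) {
            this.salt = salt;
            this.hash = hash;
            this.roles = roles;
        }
    }

    private final Map<String, Entry> users = new HashMap<>();
    // Salt used when the user-id is unknown, so that lookup failures cost the same time as real checks.
    private final byte[] dummySalt = new byte[16];

    /** Administrator side: populate the realm with an identity, its credential and its roles. */
    public void addUser(String userId, char[] password, Set<String> roles) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        users.put(userId, new Entry(salt, derive(password, salt), new HashSet<>(roles)));
    }

    /** 1. Authenticating an identity: returns the authenticated user-id, or empty when the check fails. */
    public Optional<String> authenticate(String userId, char[] password) throws GeneralSecurityException {
        Entry e = users.get(userId);
        // Always run the key derivation so an unknown user-id is not revealed by a faster response.
        byte[] salt = (e == null) ? dummySalt : e.salt;
        byte[] candidate = derive(password, salt);
        // MessageDigest.isEqual compares in constant time, avoiding a timing leak on the hash bytes.
        if (e == null || !MessageDigest.isEqual(candidate, e.hash)) {
            return Optional.empty();
        }
        return Optional.of(userId);
    }

    /** 2. Checking whether an already authenticated identity is in the user realm. */
    public boolean contains(String userId) {
        return users.containsKey(userId);
    }

    /** 3. Determining the roles for an authenticated identity; an unknown identity gets no roles. */
    public Set<String> rolesFor(String userId) {
        Entry e = users.get(userId);
        return (e == null) ? Collections.emptySet() : Collections.unmodifiableSet(e.roles);
    }

    /** Salted PBKDF2-HMAC-SHA256 derivation; the password buffer is cleared after use. */
    private static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        InMemoryRealm realm = new InMemoryRealm();
        // Constructed sample data for the demonstration, not real accounts.
        realm.addUser("alice", "correct horse".toCharArray(), Set.of("operator", "auditor"));

        System.out.println("alice, right password : " + realm.authenticate("alice", "correct horse".toCharArray()).isPresent());
        System.out.println("alice, wrong password : " + realm.authenticate("alice", "wrong".toCharArray()).isPresent());
        System.out.println("unknown user          : " + realm.authenticate("mallory", "anything".toCharArray()).isPresent());
        System.out.println("alice in realm        : " + realm.contains("alice"));
        System.out.println("roles for alice       : " + realm.rolesFor("alice"));
        System.out.println("roles for unknown user: " + realm.rolesFor("mallory"));
    }
}
```

Two design points carry over to any real realm or login module: the realm never stores or compares the clear-text password, and failure paths (unknown user-id, wrong password) are made indistinguishable to the caller in both result and timing, so the authentication step cannot be used to enumerate which identities exist.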


Single Sign-on

Unisys single sign-on solutions can save your end users both time and aggravation – and reduce your security administration and helpdesk costs too. These solutions eliminate the need for multiple user-id and password combinations that end users must typically use – and remember!


Multi-factor Authentication

Unisys single sign-on solutions provide full support for NTLM, NTLMv2, Kerberos and the requirement for strong passwords. They are also compatible with these hardware and software identification technologies:

  • Smart cards
  • Biometrics

Add them all up and get these beneficial results:

  • Reduced costs
  • Greater security
  • Happier users