unisys ClearPath Enterprise Servers TCP/IP for MCP v3 Networks Implementation and Operations Guide ClearPath MCP 18.0 April

Transcription

1 unisys ClearPath Enterprise Servers TCP/IP for MCP v3 Networks Implementation and Operations Guide ClearPath MCP 18.0 April

2 NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages. You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used. The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions. Notice to U.S. Government End Users: This software and any accompanying documentation are commercial items which have been developed entirely at private expense. They are delivered and licensed as commercial computer software and commercial computer software documentation within the meaning of the applicable acquisition regulations. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses. Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. All other trademarks referenced herein are the property of their respective owners.

3 Contents Section 1. Overview Documentation Updates Section 2. Setting Up and Configuring MCP v3 Networking Designating and Naming Network Processors for MCP Networking Establishing an MCP Host Name Using DHCP and Dynamic DNS Running the Configuration Program Updating a Simple Configuration Adding TCPIP Option Settings to a Simple Configuration Section 3. Using Advanced Configuration Techniques Managing Networking Using Operations Interface (OI) Commands Advanced Management and the Configuration Program Managing with Program Agents Section 4. Working with BNA and MCP v3 Networking BNA Over IP (BIP) BNA Over TCP/IP (BOT) Native BNA Section 5. Understanding Security Protocols Using Secure Sockets Layer (SSL) SSL Certificates Enabling SSL on an MCP system Using Secure Shell (SSH) Public Keys and User Accounts for SSH Enabling SSH on the MCP Environment Using Internet Protocol Security (or IPsec) IPsec Keys and IPsec Policies Enabling IPsec on an MCP system iii

4 Contents Appendix A. Migrating from Traditional TCP/IP iv

5 Figures 4 1. MCP Host Acting as a BNA Router v

6 Figures vi

7 Section 1 Overview This guide describes the required software and hardware components of a TCP/IP network and provides procedures for configuring, operating, and troubleshooting TCP/IP software on ClearPath MCP servers. Audience This guide is intended for network administrators and system operators. Prerequisites This guide assumes that you are familiar with the following: System operations Networking concepts and operations BNA operations Security protocols What is MCP v3 Networking? MCP v3 Networking is an implementation of TCP/IP for use on I/O Architecture (IOA) systems. The following list emphasizes key features and attributes of MCP v3 Networking, and highlights the advantages of MCP v3 Networking over traditional TCP/IP: Network interface card (NIC) ports are represented as I/O units. The data path from the TCPIPSUPPORT library to the MCP, I/O processor, and NIC is substantially simplified and optimized. TCP checksum, IP checksum, segmentation on output, and segment aggregation on input are offloaded to the I/O processor (IOP). When these features are supported by the NIC, they are offloaded by the IOP to the NIC. BNA over IP (BIP) between systems that both use MCP v3 Networking uses TCP/IP (rather than IP without TCP). This is referred to as BNA over TCP/IP (BOT). Compared to traditional TCP/IP, performance is greatly improved. Compared to traditional TCP/IP, MCP central processing module (CPM) overhead is greatly reduced

8 Overview Compared to BIP, BOT is much faster and is much more resilient to LAN congestion. Compared to native BNA, BOT is significantly faster in nearly every instance. Latency might be slightly reduced on a BNA message which fits in a single LAN packet. Representation of NIC ports as I/O units allows existing, unit-based management mechanisms to interrogate and manipulate them. For example, the OL and SC ODT commands. Representation of NIC ports as I/O units allows existing, unit-based performance measurement tools to report network I/O performance in the same way that disk and tape I/O performance is reported. Management of MCP v3 Networking is substantially simplified. Documentation Updates This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) To obtain a copy of the PLE, contact your Unisys representative or access the current PLE from the Unisys Product Support website: Note: If you are not logged into the Product Support site, you will be asked to do so

9 Section 2 Setting Up and Configuring MCP v3 Networking You can configure a new system, or a newly reinstalled system, to run MCP v3 Networking. If you are migrating from traditional TCP/IP to MCP v3 Networking, refer to Appendix A, Migrating from Traditional TCP/IP, for more information. The following topics will help you configure your system to run MCP v3 Networking: Designating and Naming Network Processors for MCP Networking Establishing an MCP Host Name Running the Configuration Program Designating and Naming Network Processors for MCP Networking Note: Designating and naming network processors can be done either before or after establishing the MCP Quick Install derived halt/load unit. System Editor a part of the MCP Console can be used to designate and name network processors (NPs) for MCP networking. The I/O configuration of the system, which is managed by System Editor, is stored in a Peripheral Configuration Diagram (PCD). Network interface cards (NICs) that are available for MCP use as NP units are presented by System Editor. Each NP unit is presented with its own channel. NICs that are reserved for other functions are not presented by the System Editor. Note: Ensure that the NICs and their respective channels are selected for use in System Editor. You can change the automatically assigned Device Numbers in System Editor if they do not match your preferences. See the MCP Console Help for more information on using System Editor to designate NPs. Establishing an MCP Host Name For both new and newly reinstalled systems, the default MCP host name must be specified. It is recommend that you use CPMCP1 as the default host name for your system, however, you can modify it to a name that is appropriate for the intended use of the MCP system within your organization

10 Setting Up and Configuring MCP v3 Networking With the MCP system running, do the following to change the MCP host name: 1. Open an ODT window and enter the command: HN=<desired host name> 2. Then, enter the following command to halt/load the system:??phl The host name is changed. Using DHCP and Dynamic DNS You can use Dynamic Host Control Protocol (DHCP) to automatically obtain IP addresses for NPs for your entire system, or for a specific set of NPs. If you use DHCP and have identified the system by a host name, you should also enable Dynamic DNS (DDNS). For more information on DHCP and DDNS support, see the TCP/IP Implementation and Operations Guide. To obtain IP addresses from a DHCP server and enable DDNS for your entire system, do the following: 1. Open an ODT window and enter the NW TCPIP OPTION DHCP + command. 2. Enter the NW TCPIP OPTION DNS + command. To enable DHCP and DDNS for a new NP, or a new set of NPs, do the following: 1. Open an ODT window. 2. Enter NW TCPIP ID ADD NP <np number> LINE <line number> DHCP+ DNS+. To modify an existing NP, or an existing set of NPs, to use DHCP and DDNS for a new or new set of NPs, do the following: 1. Open an ODT window. 2. Enter NW TCPIP ID MODIFY NP <np number> LINE <line number> DHCP+ DNS+. For more information on DHCP and DDNS, see the TCP/IP Implementation and Operations Guide and the Networking Commands and Inquires Help. Running the Configuration Program MCP v3 Networking can be configured by using the program SYSTEM/CONFIGURE/TCPIP. This program enables a user to establish, maintain, and update a simple configuration. Once a configuration is established, it is saved to a configuration file, which is a script that runs at a system startup or MCP Networking initialization

11 Setting Up and Configuring MCP v3 Networking Notes: Before you begin, ensure that you have selected all NPs that you want the MCP to use by adding them to the PCD in System Editor. For many users, a simple configuration is sufficient. However, if a more complex configuration is needed, the SYSTEM/CONFIGURE/TCPIP program can be used to create an initial, simple configuration and that can then be edited through the traditional TCP/IP configuration process. 1. With the MCP system running, open an ODT window and enter the command??marc. The LOGON Menu-Assisted Resource Control Welcome screen is displayed. 2. Perform the following actions: a. Enter Administrator in the Please enter your usercode field. b. Enter Administrator in the password field. Note: This privileged account is pre-installed on both new systems and newly reinstalled systems. If you have modified this privileged account or have established other privileged accounts, log on to any account that has administrator privileges. 3. Press Enter. The MARC MENU-ASSISTED RESOURCE CONTROL screen is displayed. 4. Enter RUN SYSTEM/CONFIGURE/TCPIP in the Choice field and press Enter. The RUN EXECUTION OF A TASK screen is displayed. 5. Press Enter. An initial greeting screen is displayed with an overview of the program. 6. Press Enter to transmit the CONTINUE response. If a default configuration exists for your system type, the next screen offers to automatically apply it. The default configuration includes IPv4 addresses for NP units for system use. 7. Press Enter to automatically apply the default configuration. A screen is displayed identifying the NPs that use default IPv4 addresses, NPs that use existing IPv4 addresses, and NPs that do not have IPv4 addresses. 8. Optionally, to manually configure an NP, type the number of the NP you wish to configure and press Enter. Perform one of the following actions, as desired: To specify an IPv4 address for the NP, type one of the following and press Enter: <address> <address>/<mask length> <address>/<mask> To make the IPv4 address unspecified, type IPv4- and press Enter. To automatically assign an IPv6 address, type IPv6+ and press Enter. To return to the display of NP numbers, press Enter. Repeat this process to configure all desired NP IP addresses

12 Setting Up and Configuring MCP v3 Networking 9. Optionally, type SHOW and press Enter to view details of the current configuration. Continue to press Enter to page through the configuration details. 10. Type NEXT and press Enter. 11. Specify at least one router also called gateways to enable communication beyond local subnets. Note: When multiple routers are specified, their use is determined by their level of priority. For example, a router with a priority of 1 is used before a router with a priority of 2, and so on. To add a router with a priority of 1, type the IPv4 address and press Enter. To add a router with a priority other than 1, type the IPv4 address followed by an number between 1 and 255. To remove a router, type a minus sign ( ) followed by the IPv4 address of the router. For example, Type NEXT and press Enter. 13. Specify a Domain Name Service (DNS) name for your system by entering the suffix that you want to follow your MCP host name. The suffix you enter must begin with a period (.). Notes: It is recommended that the first node of the DNS name be your MCP host name. To enable domain name resolution, you must configure MCP Resolver. For more information, see the TCP/IP Distributed Systems Services Operations Guide. 14. Type NEXT and press Enter. 15. Specify the administrative privileges to be used to manage MCP networking. Note: The default privileges presented should be adequate for systems with simple configurations. To add or modify an administrative privilege, type <usercode> = <option> and then press Enter. (For example, ADMIN = INQUIRY.) The usercode is the individual to whom you are assigning administrative privilege. You can specify any of the following options: INQUIRY SYSTEMCONTROL NETWORKCONTROL SECURITY For more information on administrative privileges, refer to the Networking Commands and Inquires Help. Note: The SECURITY option has full administrative privileges. The other options have fewer privileges. To delete an administrative privilege, type <usercode> and then press Enter. (For example, ADMIN). 16. Type NEXT and press Enter. A message is displayed indicating that all of the configuration steps are complete

13 Setting Up and Configuring MCP v3 Networking 17. Optionally, type SHOW and press Enter to review your configuration. 18. Type DONE and press Enter to write configuration files. A message is displayed identifying your host name and the network configuration file names. 19. Press Enter to transmit the CONTINUE response. A message is displayed enabling you to set your new configuration as the system configuration. 20. Perform one of the following actions: Type YES and press Enter. If you select YES, the configuration becomes active the next time the system restarts or networking restarts. Press Enter to transmit the CONTINUE response until the MARC RUN screen is displayed. Type NO and press Enter. The MARC RUN screen is displayed. 21. In the Action field, type??odt and then press Enter. The ODT screen is displayed. Your configuration is complete. 22. If networking is running, you must restart it. For example, use the??phl command to halt/load the MCP. Updating a Simple Configuration To update a simple configuration, ensure that networking is running and use the following guidelines: Type the SYSTEM/CONFIGURE/TCPIP command to run the configuration program. As you proceed through the SYSTEM/CONFIGURE/TCPIP program, settings from the current, running configuration are pre-loaded. You can modify them as desired. Save your data to configuration files and designate those files for use. If you save your data to configuration files and designate those files for use, you are provided with instructions that outline how to restart networking. Changes to a configuration do not take effect until networking is restarted. Adding TCPIP Option Settings to a Simple Configuration The TCPIP OPTION (OPT) command enables you to configure TCP/IP options to control various network features. These option settings can be added to the stored networking configuration so that they will run at a networking startup

14 Setting Up and Configuring MCP v3 Networking To add a TCPIP option setting to the stored networking configuration, do the following: 1. Ensure that networking is running. 2. Open an ODT window and enter the NW TCPIP OPTION command to establish the desired option settings in the running configuration. At this point, the changes made to the option settings will be lost if networking is restarted. 3. Type the SYSTEM/CONFIGURE/TCPIP command to run the configuration program. Complete the program without modifying the running configuration. 4. Save the changed data to configuration files and designate those files for use. Networking does not need to be restarted for the changes to take effect. At this point, the changed option settings are preserved if networking restarts. See the Networking Commands and Inquiries Help and the TCP/IP Implementation and Operations Guide for more information on using the TCPIP OPTION command

15 Section 3 Using Advanced Configuration Techniques The following additional methods can be used to manage your MCP v3 Networking configuration: Managing Networking Using Operations Interface (OI) Commands Advanced Management and the Configuration Program Managing with Program Agents Managing Networking Using Operations Interface (OI) Commands Most Operations Interface (OI) commands and their associated settings function identically on traditional TCP/IP and MCP v3 Networking. The following exceptions apply to MCP v3 Networking NP units. The NW TCPIP OPTION USERFCMTU setting default value is disabled. This is the recommended setting. The NW TCPIP OPTION TCPWINDOWSCALEFACTOR setting default value is 5. This is the recommended setting. The NW TCPIP LANRESILTIMER setting is ignored. The IOA I/O processor (IOP) unconditionally checks the physical connection status of MCP v3 Networking NP units every three seconds. The NW TCPIP ALLOWPINGFLOOD setting default value is disabled. An NP unit does not have an associated CONNECTION or CONNECTIONGROUP. OI commands that add, modify, or delete CONNECTION or CONNECTIONGROUP are not supported for MCP v3 Networking NP units and result in exception responses. For each NP unit, an associated CONNECTION name and CONNECTIONGROUP name are automatically generated. These names can be used to enter query OI commands which specify a CONNECTION or CONNECTIONGROUP. The names are: - CONNECTION name: CC_TCPV3_<NP Device Number> - CONNECTIONGROUP name: CG_ICPV3_<NP Device Number> To make changes to the stored configuration, which is used after a system or networking restart, you can edit the TCP/IP configuration file directly

16 Using Advanced Configuration Techniques The Network Administrative Utility (NAU) can be used to generate a stored configuration. However, this is approach is not recommended. For each system that is to use MCP v3 Networking, on the NAU APPLICATION HOST ATTRIBUTES (145) screen, set the Use TCPv3 option. See the TCP/IP Implementation and Operations Guide and the Networking Commands and Inquiries Help for more information. Advanced Management and the Configuration Program To better understand the functionality of the configuration program, it is helpful to consider the system as containing two separate networking configurations. These two configurations are: The stored configuration, which is used after a system or networking restart. This configuration is represented by NW commands that are stored in configuration files, which are scripts of commands to be run at a networking startup. The running configuration, which is represented by data structures within the networking support libraries. While networking is running and as NW commands commands that alter settings are entered, the running configuration diverges from the stored configuration. Note: Program Agents also can alter settings. When the configuration program SYSTEM/CONFIGURE/TCPIP is run, it collects configuration information from GETSTATUS invocations that correspond to the OL NP ODT command. The SYSTEM/CONFIGURE/TCPIP program also collects configuration information from interfaces to networking support libraries. In this way, the program is able to propagate some of the running configuration settings to the new stored configuration being generated. For networking settings propagated by the configuration program, you can modify the settings in the permanent configuration using the following steps: 1. Use ODT NW commands to establish the desired settings in the running configuration. 2. Run the SYSTEM/CONFIGURE/TCPIP program and complete the steps of the program by accepting the defaults. 3. Save your data to configuration files and designate those files for use. Networking does not need to be restarted for the changes to take effect

17 Using Advanced Configuration Techniques Networking Settings Propagated by the Configuration Program The following networking settings are propagated by the SYSTEM/CONFIGURE/TCPIP program: NW TCPIP OPTION NW TCPIP MULTICASTDEFAULTADDRESS NW TCPIP BROADCASTFILTER Networking Settings Not Propagated by the Configuration Program The following networking settings are not propagated by the SYSTEM/CONFIGURE/TCPIP program: NW TCPIP ADDRESSSELECTIONPOLICY NW TCPIP ARP NW TCPIP DEBUG NW TCPIP DISPLAY NW TCPIP DYNAMICINIT NW TCPIP FILTERFRAMES NW TCPIP LANRESILTIMER NW TCPIP MAPPING NW TCPIP MONITOREVENTS NW TCPIP NEIGHBOR NW TCPIP RIP RIPAUTHENTICATION NW TCPIP ROUTE (when DEFAULT is not specified) VLAN specifications for NPs NW SNMP Networking Settings That Conflict with the Configuration Program If any of the following network setting specifications are present in the running configuration, the SYSTEM/CONFIGURE/TCPIP program displays the respective error message and terminates. Multiple IPv4 addresses for a single NP unit Static IPv6 addresses RAA (RIPv2 authentication) specifications ROUTE for IPv

18 Using Advanced Configuration Techniques Managing with Program Agents Program agents can be used to automate operational and administrative tasks by issuing Networking OI commands. Most program agent features function identically on traditional TCP/IP and MCP v3 Networking, though the following exceptions apply to MCP v3 Networking NP units. The NW TCPIP OPTION USERFCMTU setting default value is disabled. This is the recommended setting. The NW TCPIP OPTION TCPWINDOWSCALEFACTOR setting default value is 5. This is the recommended setting. The NW TCPIP LANRESILTIMER setting is ignored. The IOA I/O processor (IOP) unconditionally checks the physical connection status of MCP v3 Networking NP units every three seconds. An NP unit does not have an associated CONNECTION or CONNECTIONGROUP. OI commands that add, modify, or delete CONNECTION or CONNECTIONGROUP are not supported for MCP v3 Networking NP units and result in exception responses. An associated CONNECTION name and CONNECTIONGROUP name are automatically generated. These names can be used to enter query OI commands which specify a CONNECTION or CONNECTIONGROUP. The names are: - CONNECTION name: CC_TCPV3_<NP Device Number> - CONNECTIONGROUP name: CG_ICPV3_<NP Device Number> See the Networking User Program Agent Programming Guide and the Networking Encoded Messages Programming Reference Manual for more information on managing with Program Agents

19 Section 4 Working with BNA and MCP v3 Networking BNA is a Unisys networking architecture that allows certain MCP features such as the WFL COPY [NFT] statement to function across MCP systems that are connected by networking. There are three modes of BNA connectivity between MCP systems that are supported by MCP v3 Networking: BNA Over IP (BIP) BNA Over TCP/IP (BOT) Native BNA MCP systems must use the same mode of BNA connectivity to communicate directly. MCP systems that do not use the same mode of BNA connectivity can still communicate if the intermediate MCP systems to which they are connected are configured to use both BNA modes that are attempting to communicate. The intermediate MCP systems act as BNA routers. When an MCP system, acting as a BNA router, forwards BNA traffic, the types of BNA modes involved do not need to match. For example, in Figure 4 1, Host1 (using BIP) can communicate with Host3 (using Native BNA) because intermediate HOST2 (using both BIP and Native BNA) acts as a BNA router. The following figure illustrates an MCP host acting as a BNA router. Figure 4 1. MCP Host Acting as a BNA Router

20 Working with BNA and MCP v3 Networking BNA Over IP (BIP) BNA over IP works over MCP v3 Networking NP units without requiring configuration changes or affecting the functionality of the NP. If the same IP addresses are used when migrating from BIP over traditional TCP/IP to BIP over MCP v3 Networking, the BNA configuration file can remain as-is. BIP has the following characteristics: IP datagrams with IP Protocol 49 are used. The TCP protocol and the UDP protocol are not used. Paired MCP systems do not need to be on the same subnet. The IP datagrams used are properly routed by standard network routers. Response to network congestion is poor relative to BOT. Performance is reduced relative to BOT. BNA Over TCP/IP (BOT) BNA over TCP/IP (BOT) is used when an explicitly configured BIP connection exists between two MCP systems that have MCP v3 Networking NP units. BOT has the following characteristics: BOT uses TCP port IP datagrams with IP Protocol 49 are used during the initial BNA greeting handshake. A TCP/IP circuit is opened, and all further data transfers use TCP/IP. If the connection is lost, recovery is through a greeting handshake over IP Protocol 49. Paired MCP systems do not need to be on the same subnet. The IP datagrams used are properly routed by standard network routers. Use of BOT is negotiated through the greeting handshake. BOT uses a single TCP/IP circuit to exchange data between two neighbors, minimizing MCP Environment overhead and maximizing the effectiveness of the offload functionality of TCP/IP for MCP v3 Networking. If multiple pairs of IP addresses are declared between two neighbors, all attempt a greeting handshake. The first pair that succeeds is used to open a TCP/IP circuit; the rest suspend the greeting handshake Note: The NW NEI command can be used to deduce which NP units are in use. If an in-use BOT TCP/IP circuit fails or times out, the greeting handshake is restarted on all declared pairs of IP addresses. When large message sizes are being used, BOT throughput is more efficient than BIP or native BNA. BOT latency is slightly less than BIP latency and slightly greater than native BNA latency, with messages that fit in a single network packet. Response to network congestion is comparable to other TCP/IP traffic

21 Working with BNA and MCP v3 Networking Native BNA Native BNA is a legacy protocol which does not use IP. Characteristics of native BNA include: Reduced throughput when compared to BOT. Paired MCP systems must be on the same subnet. The BNA datagrams used by native BNA are not understood by standard network routers. Native BNA and MCP v3 Networking cannot share NIC ports. Use of native BNA and MCP v3 Networking on the same MCP system is supported, but discouraged. Configuring Native BNA If you use Native BNA in your environment, you must install Network Services and configure BNA connections. Refer to the following documents for detailed information on configuring Native BNA on your system: Network Services Implementation Guide BNA/CNS Network Implementation Guide, Volume 1: Planning BNA/CNS Network Implementation Guide, Volume 2: Configuration In general, to configure Native BNA, you must: 1. Obtain the latest Network Services emim Update package for your system from the Product Support site. 2. Install the software as described in the documentation provided with the installation package. 3. From the MCP Console, halt the MCP. 4. Open System Editor and add the resources presented by Network Services to the PCD. Note: When Network Services and TCP/IP for MCP v3 Networking are both installed, System Editor displays duplicate NP entries. Network Services presents NPs using the formula: NP instance number = (<IOP number>) + <slot number> 5. Select the Network Services NPs that you want to use for Native BNA connections. Note: Ensure that the NPs you select are not already in use by TCP/IP for MCP v3 Networking. For example, ensure that you do not select the EVLAN NP, 210/0. 6. Create a new connection group for BNA connections. 7. Create a BNA initialization file. 8. From the MCP Console, load the MCP

22 Working with BNA and MCP v3 Networking

23 Section 5 Understanding Security Protocols The following security protocols can be used with MCP v3 Networking: Using Secure Sockets Layer (SSL) Using Secure Shell (SSH) Using Internet Protocol Security (or IPsec) See the Security Overview and Best Practices Guide for your system and the MCP Security Overview and Implementation Guide for detailed information. Using Secure Sockets Layer (SSL) Secure Sockets Layer (also known as Transport Layer Security or TLS) is an applicationlevel security protocol that converts a standard TCP connection to a secure TCP connection. TLS servers are authenticated as part of the handshake process through the use of X.509 certificates. TLS clients can also be authenticated through certificates, if desired. Data sent across TLS connections is encrypted and message integrity is verified. For more information on available features and for details on the current functionality of TLS in the ClearPath MCP environment, refer to the MCP Security Overview and Implementation Guide. In order to use SSL/TLS for the ClearPath MCP environment, there must be at least one cryptography engine available on the MCP environment. For detailed installation instructions and for more information on hardware requirements, refer to the MCP Security Overview and Implementation Guide. Certificates are managed through the MCP Cryptographic Services Manager module of Security Center. Refer to the Security Center Help for details on how to manage certificates in the ClearPath MCP environment

24 Understanding Security Protocols Many distributed system services can use TLS to provide secure connections to remote clients in the ClearPath MCP environment. WebTS for ClearPath MCP is the web server for the ClearPath MCP environment. For detailed instructions on how to enable TLS, refer to the following documents: - The topic, Security with Web Transaction Server and WEBPCM of the MCP Security Overview and Implementation Guide. - The topic ClearPath Secure Transport (SSL) Support of the Web Transaction Server for ClearPath MCP Administration and Programming Guide. - The topic SSL (ClearPath Secure Transport) Tasks in the section Running Site Manager of the Web Transaction Server for ClearPath MCP Site Manager Help. FTPSUPPORT is the file transfer service library for the ClearPath MCP environment. For instructions on how to enable TLS for both server and client refer to the topic Managing Secure File Transfer in the section File Transfer Protocol (FTP) Administration of the TCP/IP Distributed System Services Operations Guide. TELNETSUPPORT is the service library that provides incoming TELNET connections. Instructions on how to enable TLS called Secure Telnet can be found in the section Telnet Server of the TCP/IP Distributed System Services Operations Guide. ClearPath MCP programs that use the TCPIPNATIVESERVICE port file or BSD Sockets Service interfaces can also use TLS for client and server functionality. For more information on how to enable TLS in ClearPath MCP programs and to view working examples, refer to the section Secure Sockets Layer in the Security Software Development Kit (SDK). SSL Certificates The ClearPath MCP environment does not trust any certificate by default. Programs using TLS must ensure that the certificates being used are trusted by the system. Refer to the topic How SSL Establishes Trust in the MCP Security Overview and Implementation Guide for guidance on how to establish trusted certificates in the ClearPath MCP environment. Also, the topic Basic Concept of Keys and Certificates in the Security Center Help provides additional information on certificates and trust. Certificates stored on the ClearPath MCP system are managed through the MCP Cryptographic Services Manager module of Security Center. Refer to the topic MCP Trusted Stores in the section MCP Cryptographic Services Manager of the Security Center Help for details on how to manage certificates in the ClearPath MCP environment. Enabling SSL on an MCP system To use SSL/TLS for the ClearPath MCP environment, there must be at least one cryptography engine available on the MCP environment

25 Understanding Security Protocols In order to store X.509 certificates in the ClearPath MCP environment, Security Center must be installed and configured for use. Refer to the topic Installing Security Center in the section Introduction to Security Center of the MCP Security Overview and Implementation Guide for more information on installing and configuring the Security Center. For additional information, see the Security Center Help. Perform the following actions to enable SSL on an MCP system: Install the MCP cryptographic services and the corresponding run-time key. Refer to the topic Installation in the section Network Security and Cryptography Services of the MCP Security Overview and Implementation Guide for more information. Install the SSL run-time key. Set the TCPIP SSL option by adding NW TCPIP OPTION + SSL to the TCPIP initialization file. Also, see the Adding TCPIP Option Settings to a Simple Configuration found earlier in this guide, for more information. Using Secure Shell (SSH) Secure Shell (SSH) is a network protocol architecture, which provides secure communication channels over TCP connections. For example, file transfers and terminals are offered as secure services through the SSH protocol suite. SSH services are authenticated through public keys, while SSH clients are authenticated through user names and passwords, or public keys. Whether an SSH client is authenticated through a user name or public keys and passwords is an attribute that can be configured. Data sent across SSH connections is encrypted and message integrity is verified. For more information on available features and for details on the current functionality of SSH in the ClearPath MCP environment, refer to: the topic Secure File Transfer Protocol (SFTP) in the section Network Security of the MCP Security Overview and Implementation Guide. the subtopic Secure Shell (SSH) of the MCP Security Overview and Implementation Guide. the subtopic How SSH Establishes Trust of the MCP Security Overview and Implementation Guide. MCP systems also include two SSH applications: FTPSUPPORT and SSHCLIENT. FTPSUPPORT is the file transfer service library for the ClearPath MCP environment. For instructions on how to enable SFTP the SSH file transfer protocol for both client and server refer to the following sections of the TCP/IP Distributed System Services Operations Guide. File Transfer Protocol (FTP) Batch Client Interface File Transfer Protocol (FTP) Interactive FTP Client The topic Secure File Transfer in the section File Transfer Protocol (FTP) Server The subtopic Managing Secure Shell (SSH) in the section File Transfer Protocol (FTP) Administration

26 Understanding Security Protocols SSHCLIENT is a utility that can be used to establish SSH sessions on remote systems and then send commands to the established sessions. More details can be found in the topic SSH Utility of the System Software Services Utilities Operations Reference Manual. Public Keys and User Accounts for SSH Public keys are managed through the MCP Cryptographic Services Manager module of Security Center. Refer to the topic Trusted Keys in the section MCP Cryptographic Services Manager of the Security Center Help for more details how to manage public keys in the ClearPath MCP environment. User names and passwords are managed through the MCP User Account Management module of Security Center. Refer to the topic Usercode Account in the section MCP Account Management of the Security Center Help for more details how to manage user names and passwords in the ClearPath MCP environment. Enabling SSH on the MCP Environment In order to use SSH for the ClearPath MCP environment, there must be at least one cryptography engine available in the MCP environment. For detailed installation instructions and for more information on hardware requirements, refer to the topic Installation in the section Network Security and Cryptography Services of the MCP Security Overview and Implementation Guide. In order to store public keys in the ClearPath MCP environment, Security Center must be installed and configured. Refer to the topic Installing Security Center in the MCP Security Overview and Implementation Guide. Additional information can be found in the topic Initializing MCP Cryptographic Services in the Security Center Help. In general, the following guidelines must be followed to enable SSH in the MCP environment. The SSH run-time key must be installed. The TCPIP option SSH must be set. You can do this by adding the command NW TCPIP OPTION + SSH to the TCPIP initialization file. See the topic Adding TCPIP OPTION Settings to a Simple Configuration, found earlier in this guide, for more information. Using Internet Protocol Security (or IPsec) Internet Protocol Security (IPsec) is a network-layer protocol that can both authenticate and encrypt network traffic based on policies that are defined to the ClearPath MCP system. Applications using IP or TCP/IP do not require any changes to work over IPsec, regardless of the IP or TCP/IP protocol used. Currently, IPsec is only supported across IPv6 networks. For more information on available features and for details on the current functionality of IPsec on ClearPath MCP systems, refer to the topic Internet Protocol Security (IPsec) in Network Security of the MCP Security Overview and Implementation Guide

27 Understanding Security Protocols IPsec Keys and IPsec Policies On the ClearPath MCP environment, there are no IPsec policies by default. Therefore, if IPsec is enabled but not configured, no IPv6 traffic reaches the ClearPath MCP environment. Refer to the MCP Security Overview and Implementation Guide for instructions on how to configure IPsec. IPsec keys are configured through the MCP Cryptographic Services Manager of Security Center. Refer to the Security Center Help for more information regarding the configuration of IPsec keys. IPsec policies are configured through the MCP Security Policy Manager of Security Center. Refer to the Security Center Help for more information regarding the configuration of IPsec keys. Enabling IPsec on an MCP system Use the following guidelines to enable IPsec on an MCP system: To use IPsec for the ClearPath MCP environment, there must be at least one cryptography engine available on the MCP environment. For detailed installation instructions and for more information on hardware requirements, refer to the MCP Security Overview and Implementation Guide. To create IPsec keys and IPsec policies in the ClearPath MCP environment, Security Center must be installed and set up. Refer to the MCP Security Overview and Implementation Guide. Also, refer to the Security Center Help for additional information. Install the IPsec run-time key. Install the IPv6 run-time key. Set the TCPIP option IPSEC by adding the command NW TCPIP OPTION + IPSEC to the TCPIP initialization file. See the topic Adding TCPIP OPTION Settings to a Simple Configuration earlier in this guide for more information

28 Understanding Security Protocols

29 Appendix A Migrating from Traditional TCP/IP Libra 6400/8400, MCP Gold, and newer systems use TCP/IP for MCP v3 Networks by default. Most systems running on MCP Release 17.0 use traditional TCP/IP by default; however, a firmware update might be available for your system to support TCP/IP for MCP v3 Networks. If a firmware update is available for your system, use one of the following procedures depending on your network configuration. The method used to migrate from traditional TCP/IP to MCP v3 Networks is dependent on the type of BNA already in use on your system. If you use native BNA, some additional steps are required to migrate to TCP/IP for MCP v3 Networks. Migrating Without Native BNA If you do not use native BNA, or you only use BNA over IP, perform the following steps to migrate to MCP v3 Networking: 1. Install the latest firmware package. The IOP and console firmware must be up-todate. 2. Install the latest update of MCP and networking Interim Corrections (ICs). 3. In the MCP Console, edit the Peripheral Configuration Program (PCD) using System Editor and perform the following actions. a. Clear all traditional NP/Line combinations. For example, the following table illustrates the correspondence between traditional NP/Line combinations and default MCP v3 Networking NP numbers for a Libra 6300 System. ISM Traditional NP/ Line MCP v3 Networking NP Use ISM-0 210/0 150 EVLAN 210/1 151 eportal 210/2 152 JProcessor1 210/3 153 JProcessor3 ISM-1 220/0 160 EVLAN 220/1 161 eportal 220/2 162 JProcessor2 220/3 163 JProcessor A 1

30 Migrating from Traditional TCP/IP Note: If you uninstall Unisys Network Firmware from the IOPs, the traditional NP/Line combinations do not appear in the System Editor. b. Select the desired channel/np unit combinations. c. Save the PCD and make it active. 4. Load the MCP, and ACQUIRE the NP units. At this point, the presence of NP units automatically causes TCPIPSUPPORT to run in MCP v3 Networking mode. 5. Refer to the topic Running the Configuration Program found earlier in this guide to create and activate an appropriate TCP/IP configuration. If your desired configuration is too complex for a simple configuration, refer to the topic Advanced Management Techniques and the Configuration Program also found earlier in this guide. Alternately, you can modify your existing TCP/IP configuration file by editing the NP and LINE entries in the NW TCPIP ID commands. Note: You must delete CONNECTION with NetworkLayerEntity assigned to IP as they cause exception responses. You can also manually delete corresponding CONNECTIONGROUP specifications, but they are automatically ignored if you do not. Migrating With Native BNA If you currently use native BNA, perform the following actions to migrate to MCP v3 Networking: Modify the Migrating Without Native BNA procedure by leaving the NP/Line combinations that you want to use for Native BNA selected. Do not uninstall Unisys Network Firmware from the IOP. If Unisys Network Firmware is uninstalled, the traditional NP/Line combinations that are needed for use by native BNA will not appear. Configure and manage native BNA using the traditional tools. 1. Install the latest firmware package. The IOP and console firmware must be up-todate. 2. Install the latest update of MCP and networking Interim Corrections (ICs). 3. In the MCP Console, edit the Peripheral Configuration Diagram (PCD) using System Editor and perform the following actions. a. Clear all traditional NP/Line combinations to be used for MCP v3 Networking. b. Select the channel/np unit combinations to be used for MCP v3 Networking. c. Save the PCD and make it active. A

31 Migrating from Traditional TCP/IP 4. Load the MCP, and ACQUIRE the NP units and their channels. At this point, presence of NP units automatically causes TCPIPSUPPORT to run in MCP v3 Networking mode. 5. Refer to the topic Running the Configuration Program, found earlier in this guide, to create and activate an appropriate TCP/IP configuration. If your desired configuration is too complex for a simple configuration, refer to the topic Advanced Management Techniques and the Configuration Program also found earlier in this guide. Alternately, you can modify your existing TCP/IP configuration file by editing the NP and LINE entries in the NW TCPIP ID commands. Note: You must delete CONNECTION with NetworkLayerEntity assigned to IP as they cause exception responses. You can also manually delete corresponding CONNECTIONGROUP specifications, but they are automatically ignored if you do not A 3

32 Migrating from Traditional TCP/IP A

33 .

34 Copyright 2017 Unisys Corporation. All rights reserved. * *