HPE vtemip Security Administration and Operations Guide. For Red Hat Enterprise Linux Server 7.x Release 8.0 Edition 1.0

Transcription

1 HPE vtemip Security Administration and Operations Guide For Red Hat Enterprise Linux Server 7.x Release 8.0 Edition 1.0

2 Notices Legal notice Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Trademarks Adobe, Acrobat and PostScript are trademarks of Adobe Systems Incorporated. Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Java is trademark of Oracle and/or its affiliates. Microsoft, Windows and Windows NT are U.S. registered trademarks of Microsoft Corporation. Oracle is a registered U.S. trademark of Oracle Corporation, Redwood City, California. UNIX is a registered trademark of The Open Group. X/Open is a registered trademark, and the X device is a trademark of X/Open Company Ltd. in the UK and other countries. EnterpriseDB software is/are the trademark(s) or registered trademark(s) of EnterpriseDB Corporation in the USA and in several other countries. Disclaimer In this document TeMIP, vtemip and TeMIP V8.0 are used interchangeably.

3 Contents iii Contents Notices... ii Disclaimer...ii List of tables...xii List of figures... xiii Preface... xv Intended Audience...xv Software Version...xv Typographical Conventions... xv Associated Documents...xvii Support...xvii Chapter 1: Introduction TeMIP bootstrap environment variables About TeMIP Security TeMIP Security Functions Access Control Access Control View Access Control API Plug-in User Profiles Logging of Commands Central Logging of Commands User Session Logging of Commands TeMIP Security User Concept TeMIP Security Users System Administrator TeMIP Operator TeMIP Security Environment Presentation Modules Security Shell Software Library Tools AC Compiler Graphical User Interfaces Access Control GUI Logging of Commands Configurator GUI TeMIP Commands Browsers Central and User Session LOC Translators Central LOC Monitor Central LOC Backup Facility Global View VE and VEA Tuples The FCL PM Access Control Logging of Commands TeMIP Security and Distribution TeMIP Security and Distribution in non centralized metadata environment TeMIP Security and Distribution in centralized metadata environment...32

4 Contents iv Chapter 2: Access Control Administration Access Control Management Graphical User Interface Getting Started AC GUI Main Window Modal Windows General Functions Main Window Panels User Profiles Panel AC Views/AC Declarations Panel Workspace Panel Using the AC GUI Workspace Panel How to Create a New AC View or a New AC Declaration How to Create an AC View from a Template How to Modify an AC View or an AC Declaration How to Delete an AC View or an AC Declaration How to Compile an AC View or an AC Declaration How to Test an AC View How to Replace an AC View or an AC Declaration AC Views/AC Declarations Panel How to Create AC Views and AC Declarations How to Modify AC Views and AC Declarations How to Delete AC Views and AC Declarations User Profiles Panel How to Create a New User Profile How to Modify a User Profile How to Delete a User Profile Customizing Session Parameters AC Views Directory Workspace Directory AC View Text Editor Initial AC View File Name General Facilities How to Use the Help Facility How to Use the Undo Facility How to Use the Accelerator Facilities How to Export a Selection...47 Chapter 3: Logging of Commands Configuration Logging of Commands Configurator Graphical User Interface Getting Started LOC Configurator GUI Main Window Modal Windows Using the LOC Configurator Graphical User Interface Setting General Logging Parameters How to Set the Central Logging Status How to Set the Logging Status for each User How to Set the Logging Directory Setting LOC Filter Parameters How to Set the LOC Filter File Location How to Log Specific MCC_Call Arguments Setting ASCII String Logging How to Set the ASCII String Logging Status How to Log Specific ASCII Strings... 54

5 Contents v Setting the Raw Data Logging Status Setting Disk Full Behavior How to Set the Disk Full Condition How to Set the Disk Full Fallback Directories How to Set the Disk Full Notification Script Location General Session Manipulation How to Exit a Session How to Quit a Session How to Save a Session How to Reset the Session Customizing the Default Editor General Facilities How to Use the Help Facility How to Use the Undo Facility How to Use the Accelerator Facilities...59 Chapter 4: Logging of Commands Browsing TeMIP Commands Browser Graphical User Interface Getting Started TeMIP Commands Browser Main Window Modal Windows Using the TeMIP Commands Browser Setting Search Criteria How to Display Warning Information How to Display Records in Mode How to Display Records Created Before How to Display Records Created After How to Display Records Created on Host How to Display Records Created by User How to Display Records with Session String How to Display Records with Process String How to Display Records of a Given Type How to Display ASCII Strings of a Given Type How to Display Records Matching a Regular Expression How to Make a Search Saving a Set of Search Criteria How to Save Search Criteria How to Load a Previously Saved Setting How to Delete a Previously Saved Setting How to Make a Search Executing Previously Saved TeMIP Commands Browser Settings TeMIP Commands Browser Results Manipulation How to View TeMIP Commands Browser Results How to Start a New TeMIP Commands Browser Search How to Expand a TeMIP Commands Browser Record General Session Manipulation How to Start a New Session How to Set the Segmented Search Value How to Save the Search Criteria Settings How to Exit a Session How to Quit a Session Setting the LOC Repository Specification How to Make your Repository Specification Changes Effective How to Add a New Directory to the Repository Specification How to Modify a Directory in the Repository Specification...75

6 Contents vi How to Delete a Directory in the Repository Specification How to Get Information about a Directory General Facilities How to Use the Help Facility How to Use the Undo Facility How to Use the Accelerator Facilities...76 Chapter 5: Managing TeMIP Security User Accounts Creating the TeMIP Security Account The Default TeMIP Security Environment The Default User Session LOC Notification Script...78 Chapter 6: Defining an AC View or LOC Filter AC View Control Rules Example - Allow Only Control Rules Example - Disallow Only Declaring Variables Declaring Function Sets Function Set Example Control Rules Example Using a Function Set Function Set Example with Verb Grouping Control Rules Example with Verb and Entity Grouping Declaring Basic Type Variables Importing Data from Other AC Views Commenting the AC View Set Manipulation Union Complement Intersection Members of Domain Compiling an AC View Examples of Compilation Restrictions Performance Considerations...84 Chapter 7: The FCL Presentation Module Displaying Information about the Current FCL PM Session Access Control Strategy Restrictions Scope of Access Control Changing the Security Environment Access Control on the FCL PM Access Control on External Directives Directive Type Non-Wildcarded Directives Wildcard Type Globally Wildcarded Directives Locally Wildcarded Directives Globally and Locally Wildcarded Directives Changing a Managing Director Using the SET command Access Control on Internal Commands Access Control on Command Completion Entity Class Prompting Attribute Prompting Argument Prompting...106

7 Contents vii Event Prompting Logging of Commands FCL PM Session Name Logging of MCC_Calls Logging of ASCII String Information Global Security Strings Denied Access Strings ASCII Strings Input by the User Logging of Prompted Commands Examine Directives Event Directives Modify Directives Action Directives Chapter 8: TeMIP Security Scenario Setting Up the TeMIP Environment AC Views for Different User Levels No Rights AC View TeMIP Observer AC View TeMIP Operator AC View TeMIP Administrator AC View All Rights AC View Compiling the AC Views Defining User Profiles Associated with the AC Views System Default User Profile User Profile for User laughlin User Profile for User satriani User Profile for User johnson User Profile for User wrangler Reloading of Modified User Profiles User Session Examples User wayne User laughlin User satriani User johnson User wrangler Chapter 9: Access Control Administration Using Script Commands Setting Up AC Environments Defining AC Views Compiling AC Views Defining User Profiles Using temip_user_profiles Editing the User Profile File Using the System Default User Profile Using the Root Default User Profile Chapter 10: Logging of Commands Administration Using Script Commands Setting Up the Central LOC Function Central LOC Configuration Central LOC Filter Central LOC Information and Files Using the Central LOC Translator Central LOC Information Displayed Central LOC Translator Command and Options...136

8 Contents viii Central LOC Translator Examples Using the Central LOC Monitor Using the Central LOC Backup Tool Using the TeMIP Security Environment Listing Command Central LOC Fallback Mechanism (Disk Full) Central LOC Fallback Example Central LOC Disk Full Condition Disk Space Calculation Disk Full Translator Records Central LOC File Deletion Translator Records Disk Full Notification Procedure Central LOC Example User Session of User wayne User Session of User martin Monitoring the Users Displaying the Logged Information Central LOC Translator: Default Mode Central LOC Translator: FCL Summary Mode Central LOC Translator: FULL Chronological Output Mode of the Start Records Central LOC Translator: FULL Correlated Output Mode of a Given Command Central LOC Translator: Filtering on the User Name Central LOC Translator: Filtering on the Date Setting Up the User Session LOC Function User Session LOC Management Script User Session LOC Management Option User Session LOC Environment Variables TEMIP_SECURITY_USER TEMIP_LT_DISPLAY_TRACE_FILE_LINE TEMIP_UP_DISPLAY_TRACE_FILE_LINE TEMIP_SESLOC_ENABLED TEMIP_SESLOC_LOGGING_DIR TEMIP_SESLOC_FILTER_FILENAME TEMIP_SESLOC_FILTER_FILE_LOCATION TEMIP_SESLOC_MASK_VALUE TEMIP_SESLOC_STRING_LOGGING_STATUS TEMIP_SESLOC_STRING_MASK_VALUE TEMIP_SESLOC_RAW_DATA_LOGGING_STATUS TEMIP_SESLOC_DISKFULL_MIN_FREE_KB TEMIP_SESLOC_DISKFULL_MIN_FREE_KB_WARN TEMIP_SESLOC_DISKFULL_NOTIF_FILENAME TEMIP_SESLOC_DISKFULL_NOTIF_FILE_LOCATION Defining a User Session LOC Filter User Session LOC Information and Files Using the User Session LOC Translator User Session LOC Information Displayed User Session LOC Translator Command and Options User Session LOC Translator Examples User Session LOC Disk Full Condition Disk Full Translator Records Disk Full Notification Procedure User Session LOC Example Enabling the User Session LOC Function Running Your Application (FCL PM) Displaying the Logged Information...163

9 Contents ix User Session LOC Translator: Default Modes User Session LOC Translator: FCL Summary Mode of ASCII Strings Only User Session LOC Translator: FCL Summary Mode of ASCII Strings that Contain the "Create" String Chapter 11: Overview of TeMIP Operator responsibilities Your User Profile User Session on UNIX Logging of Commands User Session LOC Commands Browser Graphical User Interface User Session LOC Translator Tool The TeMIP PM on UNIX and Windows Access Control Logging of Commands Chapter 12: Access Control and Logging of Commands Running TeMIP Applications Specifying a TeMIP Security Username Setting up the TeMIP Security Environment Displaying the Current TeMIP Security Environment Selecting an AC View AC View Selection Option AC View Selection Script AC View Environment Variables Setting Up the User Session LOC Function User Session LOC Management Script User Session LOC Management Option User Session LOC Environment Variables TEMIP_SECURITY_USER TEMIP_SESLOC_ENABLED TEMIP_SESLOC_LOGGING_DIR TEMIP_SESLOC_FILTER_FILENAME TEMIP_SESLOC_FILTER_FILE_LOCATION TEMIP_SESLOC_MASK_VALUE TEMIP_SESLOC_STRING_LOGGING_STATUS TEMIP_SESLOC_STRING_MASK_VALUE TEMIP_SESLOC_RAW_DATA_LOGGING_STATUS TEMIP_SESLOC_DISKFULL_MIN_FREE_KB TEMIP_SESLOC_DISKFULL_MIN_FREE_KB_WARN TEMIP_SESLOC_DISKFULL_NOTIF_FILENAME TEMIP_SESLOC_DISKFULL_NOTIF_FILE_LOCATION User Session LOC Filter Definition User Session LOC Information and Files Using the User Session LOC Translator User Session LOC Information Displayed User Session LOC Translator Command and Options User Session LOC Translator Examples User Session LOC Disk Full Condition Disk Full Translator Records Disk Full Notification Procedure User Session LOC Example Enabling the User Session LOC Function Running your application (FCL PM) Displaying the Logged Information User Session LOC Translator: Default Modes...182

10 Contents x User Session LOC Translator: FCL Summary Mode of ASCII Strings Only User Session LOC Translator: FCL Summary Mode of ASCII Strings that Contain the "Create" String Chapter 13: Logging of Commands Browsing by TeMIP Operator Chapter 14: Using the TeMIP Client on Windows Security within Real-time Alarm Handling Security within History Alarm Handling Security within Map Viewer Security within Map Editor Security within Management View Security within Entity Browser File Access How disallowed verbs impact the Client GUI Disallow SHOW on OPERATION_CONTEXT Disallow GETEVENT on OPERATION_CONTEXT Disallow SUMMARIZE on all alarms of an OPERATION_CONTEXT Disallow ACKNOWLEDGE on all alarms of an OPERATION_CONTEXT Disallow TERMINATE on all alarms of an OPERATION_CONTEXT Disallow SET OPERATOR NOTE on all alarms of an OPERATION_CONTEXT Disallow NOTIFY on state DOMAIN Disallow OPEN on MAP Disallow SAVE on MAP Disallow SHOW on entities Allow DIRECTORY on entities Chapter 15: Using the FCL PM Displaying Information about the Current FCL Session Access Control on the FCL PM Spawn Command Access to Directives Examine and Event Directives Modify and Action Directives Error Messages Related to Access Control Changes Related to Logging of Commands Chapter 16: Troubleshooting Tracing AC Compiler ACLOC Software Library LOC Tools LOC Translator Interface TeMIP Security Startup Appendix A: Access Control Language A.1 General Structure of an AC View A.2 Importation Part of the AC View A.3 Declaration Part of the AC View A.3.1 Verb Set Declaration A.3.2 Entity Set Declaration A.3.3 Members of Domain A.3.4 Function Set Declaration A.3.5 Restrictions A.4 Control Rule Definition Part of the AC View A.5 Syntax Summary...209

11 Contents xi Appendix B: Access Control Compiler Principles B.1 General Structure of a Compiled AC View B.2 AC Compilation Principles B.2.1 Import Statements B.2.2 Verb Set Declaration B.2.3 Entity Set Declaration B.2.4 Function Set Declaration B.2.5 Basic Control Rule B.2.6 Control Rule with Function Set B.3 Distribution of a Verb Set on an Entity Set B.4 Expanding the Base and Exception VEA Tuples B.4.1 For a Basic Control Rule B.4.2 For a Control Rule with Function Set B.5 Validation Against the TeMIP Dictionary B.5.1 Data Consistency B.5.2 Entity Attributes with no Show Directive B.5.3 Non-Displayable Verbs and Attributes B.6 Global Entity Synonyms B.7 The mcc 0 Entity Name Appendix C: AC Compiler Error Messages C.1 Error Message Format C.2 Multiple Error Messages for a Single Entity C.3 List of Error Messages Appendix D: TeMIP Security Software Error Messages D.1 List of Error Messages Appendix E: VEA Tuples used in the FCL Presentation Module E.1 Synonyms E.2 Alarm Objects and Similar Alarms E.3 Scoped Getevent Appendix F: Glossary...230

12 List of tables Table 1: TeMIP bootstrap environment variables...18 Table 2: General Functions...36 Table 3: User Profiles Panel...37 Table 4: AC Views/AC Declarations Panel...38 Table 5: Workspace Panel Table 6: Central LOC Configurator Window Menu Items...49 Table 7: TeMIP Commands Browser Window Menu Items...61 Table 8: Central LOC Configuration Parameters Table 9: Access Control on Synonyms Table 10: Access Control on Alarm Objects and Similar Alarms Table 11: Access Control on the Scoped Getevent Feature...229

13 List of figures xiii List of figures Figure 1: The Access Control Principle...20 Figure 2: The Access Control Principle...21 Figure 3: TeMIP Access Control Mechanisms Figure 4: The Acloc with Access Control API Plug-in Figure 5: The User Profile Principle...23 Figure 6: The Logging of Commands Principle...23 Figure 7: Presentation Modules in the TeMIP Software Environment...26 Figure 8: TeMIP Security - A Global View...29 Figure 9: VE and VEA Tuples...30 Figure 10: TeMIP Security and Distribution...32 Figure 11: TeMIP Security and Distribution in central metadata environment...33 Figure 12: Access Control Management Warning Window...35 Figure 13: Access Control Management Main Window Figure 14: New AC View Window...39 Figure 15: Compile AC View Window...41 Figure 16: Access Control Management Window with AC Compilation Messages...42 Figure 17: User Profile Definition Window...44 Figure 18: Options Window...45 Figure 19: Workspace Panel Help Window...46 Figure 20: Central LOC Configuration Main Window Figure 21: User Logging Status Window...51 Figure 22: Setting the Logging Directory...52 Figure 23: Setting the LOC Filter File Location...53 Figure 24: Mask Calculator - Logging MCC_Call Arguments of a Given Type...53 Figure 25: Mask Calculator - Logging ASCII Strings of a Given Type...54 Figure 26: Fallback Directories Window...55 Figure 27: Setting the Disk Full Notification Script Location...56 Figure 28: Disk Full Notification Edit Window... 57

14 Figure 29: Options Window...58 Figure 30: Main Window Help Function...59 Figure 31: TeMIP Commands Browser Main Window...61 Figure 32: Setting Search Criteria Window Figure 33: Mask Calculator - Displaying Records of a Given Type...65 Figure 34: Mask Calculator - Displaying ASCII Strings of a Given Type...66 Figure 35: Checking Search Criteria Results Window...67 Figure 36: Load Previously Saved Setting Window...68 Figure 37: Delete Previously Saved Setting Window...69 Figure 38: Displaying TeMIP Commands Browser Settings Figure 39: Viewing TeMIP Commands Browser Results Figure 40: Expand TeMIP Commands Browser Records Window...72 Figure 41: User Session LOC Repository Window...74 Figure 42: Delete Setting Help Window...76 Figure 43: Access Control on the FCL PM...87 Figure 44: Access Control on Examine and Event Directives...88 Figure 45: Access Control on Modify and Action Directives Figure 46: Access Control on Wildcarded Directives...93 Figure 47: Global Wildcard Resolution for an Examine Directive Figure 48: Global Wildcard Resolution for an Action Directive...95 Figure 49: Local Wildcard Resolution for an Examine Directive...99 Figure 50: Local Wildcard Resolution for an Action Directive Figure 51: Global and Local Wildcard Resolution for an Examine Directive Figure 52: The User Profile Principle Figure 53: The Logging of Commands Principle Figure 54: AC Language Wildcard Support Figure 55: Allow Only Access Control Mode Figure 56: Disallow Only Access Control Mode

15 Preface xv Preface The HPE vtemip Security Administration and Operations Guide provides the following information: Chapters 1 to 10 aim to help TeMIP system administrators to develop a security environment for TeMIP and external Presentation Modules (PMs). The information provided describes how to set up different Access Control (AC) views of the network for different operators, by restricting access to user interface facilities and network resources according to a predefined policy. Details of the Logging of Commands (LOC) function are also provided, enabling system administrators and operators to set up and monitor user activity during a given session. Chapters 11 to 15 aim to help Telecommunication Management Information Platform (TeMIP) Operators to use the TeMIP Presentation Modules (PMs) in an integrated security environment, set up using TeMIP Security. The information provided describes how to select an authorized view of the network for a user session, how to log commands and how restricted access can affect the PM displays and output. Intended Audience This guide is intended for: TeMIP Security System Administrators who are responsible for configuring and managing TeMIP Security integrated into TeMIP. TeMIP Operators to use the TeMIP Presentation Modules (PMs) in an integrated security environment set up using TeMIP Security. It is assumed that you are familiar with Telecommunications Network Management (TNM) and the TeMIP, and have a good understanding of the administration and use of the TeMIP Management Platform. Software Version The term UNIX is used as a generic reference to the operating system, unless otherwise specified. RHEL refers to Red Hat Enterprise Linux Server. The supported software referred to in this document is as follows: Product Version Supported Operating Systems HPE vtemip Framework Server 8.0 Red Hat Enterprise Linux 7.x Typographical Conventions Courier Font: Source code and examples of file contents. Commands that you enter on the screen. Pathnames Keyboard key names Italic Text: Filenames, programs and parameters.

16 Preface xvi The names of other documents referenced in this manual. Bold Text: To introduce new terms and to emphasize important words. Convention Description Ctrl/x Ctrl/x indicates that you hold down the Ctrl key while you press another key or mouse button (indicated here by x.) x A lowercase italic x indicates the generic use of a letter. For example, xxx indicates any combination of three alphabetic characters. n A lowercase italic n indicates the generic use of a number. For example, 19nn indicates a 4-digit number in which the last 2 digits are unknown. ::= In BNF syntax, means "can have the form". In BNF syntax, indicates alternatives. {} In BNF syntax, braces indicate required elements. You must choose one of the elements. [] In BNF syntax, brackets indicate optional elements. You can choose none, one, or all of the options. (Brackets are not optional in the syntax of a directory name in a VMS file specification.) () BNF syntax, parentheses delimit the parameter or argument list. italic type Italic type indicates variable information (entity class and entity names, modes, arguments, attributes, states and file names). bold type Bold type in AC language indicates a keyword. mouse The term mouse refers to any pointing device, such as a mouse, a puck, or a stylus. MB1, MB2, MB3 MB1 indicates the left mouse button. MB2 indicates the middle mouse button. MB3 indicates the right mouse button. (Users can redefine the mouse buttons.) nn nnn.nnn nn A space character separates groups of 3 digits in numerals with 5 or more digits. For example, equals ten thousand n.nn A period in numerals signals the decimal point indicator. For example, 1.75 equals one and three fourths. UPPERCASE Words in uppercase indicate a routine name or a logical name. < > In request directive syntax, this symbol indicates that you must enter one of the two possible values for the request. <> In request directive syntax, this symbol indicates that you must enter one of the possible values for the request.

17 Preface Convention Description $ The C-shell prompt, also known as the Bourne shell. Used to comment out remarks in the following: An FCL PM script An AC view A Central LOC configuration file A User Profile file. The UNIX operating system superuser default prompt or a comment in a shell script. # Associated Documents The following documents contain useful reference information: References HPE vtemip Framework Utilities Guide HPE vtemip Deployment Guide HPE vtemip Fault Management Reference Guide For a full list of TeMIP user documentation, refer to Appendix A of the HPE vtemip Solutions Overview Guide. Support Visit HPE Support Center web site at for contact information and details on HPE products, services, and support. The web site includes the following resources: xvii Downloadable Documentation Troubleshooting information Patches and updates Problem reporting Support program information

18 Introduction 18 Chapter 1 Introduction In the world of telecommunications, security considerations are of fundamental importance. Access to network control operations must be strictly controlled in order to protect the network from access violations (accidental or deliberate). Access violations could result in the unauthorized modification of data, theft or unauthorized removal of data, destruction or disclosure of information and interruption of the network services. Unauthorized or accidental access to network control functions must be eliminated or minimized. Accidental access can occur when legitimate users of the system behave in an unintended or unauthorized way. In order to ensure the integrity of a network, an integrated and flexible system of security must be implemented. Additionally, the system adopted should provide tools to monitor and control the security environment operating at a given location. 1.1 TeMIP bootstrap environment variables TeMIP bootstrap environment variables are needed to interact with any TeMIP subsystem processes, to perform TeMIP administrative activities or to invoke TeMIP utilities. These variables will be initialized once at the time of TeMIP director installation and configuration. These are non-settable throughout the life time of a TeMIP director. Shell-specific sourcing scripts are auto generated as part TeMIP installation and should be used to source these environment variables onto a user shell. <TeMIP Release Tree>/temip/boot/.environment.sh <TeMIP Release Tree>/temip/boot/.environment.csh It is highly recommended to add the relevant sourcing scripts to the user shell login scripts, such as.bashrc,.kshrc, or.cshrc for the TeMIP administrator, TeMIP users or operators. For example, If the user shell is Korn or Bourne, add./opt/appl/temip-v80l/temip/boot/.environment.sh to the.kshrc or the.bashrc file. If the user shell is csh or tcsh, add source /opt/appl/temip-v80l/temip/boot/.environment.csh to the.cshrc file. Significance of these environment variables are defined as follows. Table 1: TeMIP bootstrap environment variables Variable name Description Default value Owner TEMIP_BASE Refers to the TeMIP installation directory or TeMIP Release Tree No. To be provided by TeMIP TeMIP administrator administrator. TPP_HOME Refers to the third party product(tpp) installation directory No. To be provided by TeMIP TeMIP administrator administrator.

19 Introduction Variable name Description Default value TEMIP_ROOT_DATA Refers to the TeMIP Data Directory or TeMIP Data Tree No. To be provided by TeMIP TeMIP administrator administrator. TEMIP_TRACE_PATH Refers to the TeMIP logs and <TEMIP_ROOT_DATA>/ trace directory temip/trace TeMIP administrator TNS_ROOT_DATA Refers to the TNS Data Directory or TNS Data Tree <TEMIP_ROOT_DATA>/tns TeMIP administrator PKG_LOCATION Refers to the location where TeMIP Package Utility is installed No. To be provided by TeMIP User with sudo privilege/ administrator. System administrator 19 Owner TeMIP Administrator must have read/write permissions and own the directory, which is set against TEMIP_BASE, TPP_HOME, TEMIP_ROOT_DATA, TEMIP_TRACE_PATH and TNS_ROOT_DATA environment variables. WARNING: Any modification of TeMIP runtime environment sourcing scripts post TeMIP director installation and configuration will lead to undefined behavior. Throughout this document, <TeMIP Release Tree> refers to TEMIP_BASE <TeMIP Data Tree> refers to TEMIP_ROOT_DATA <TNS Data Tree> refers to TNS_ROOT_DATA 1.2 About TeMIP Security TeMIP Security provides integrated and sophisticated security features for TeMIP or external Presentation Modules (PMs), enabling a security environment to be tailored to suit individual client's needs. TeMIP Security has been designed to provide a flexible solution to your security requirements, enabling you to implement a policy based on criteria defined by you, and which suits your particular corporate needs. This flexibility allows for future growth and other changes to your network structure, because as network resources change or increase, you can add new Operators to the authorized list of users, each with their own particular view of network operations. In the user context, TeMIP Security consists of a system of Access Control and Operator Command Logging. 1.3 TeMIP Security Functions The TeMIP Security functions provide added value to your TeMIP environment by ensuring that access to network operations is strictly controlled by the security policy in operation. The functions that allow you to do this are: Access Control mechanisms Access Control (AC) views User Profile management Logging of Commands TeMIP Security enables System Administrators to define specific domains of activity for different users. This limits the degree of access to TeMIP management that Operators have, according to the activities assigned to them. Operators can run TeMIP using their personalized domain(s) of influence.

20 Introduction 20 These domains of activity are represented by an AC view, which is a filter that determines whether an operation is allowed or disallowed. An AC view is a predefined level of access for a given Operator. The Operator ' s overall view can be further defined by the use of User Profiles, see Section User Profiles on page 22. Central and User Session Logging of Commands (LOC) is also available. Logged commands can be viewed centrally by the Administrator and locally by both the Administrator and the Operator, using the browser and translator tools of the TeMIP Security software introduced in Section TeMIP Security Environment on page Access Control Access Control is a set of mechanisms that prevent a given user from accessing part of the management information when running a Presentation Module. Access Control can be applied to either or both of the following: An entity class instance and its associated attributes (TeMIP entity/attribute specification). A verb and its associated arguments (TeMIP directive/argument specification). For example, an Operator could be restricted to the Alarm Handling function, with a single Operation Context (managed object) active, and be denied access to the verbs Create and Delete. The Access Control mechanisms are based on tools that define a security environment consisting of AC views and User Profiles. The combination of AC views and User Profiles can be used to share one or more AC views among several users, and to enable a user to select different (allowed) AC views in concurrent sessions. The principle of Access Control is shown in Figure 1: The Access Control Principle on page 20. Operation Reject Message Access Control Allowed Disallowed Operation Rejected Figure 1: The Access Control Principle Access Control View An AC view is basically a filter that contains a set of rules with a specific syntax (AC language). These rules consist of allowed and disallowed sets of functions, verbs, entities and attributes or arguments. The example of syntax shown below restricts an Operator to the use of two verbs, Show and Directory on the bridges foo and bar: allow only show on bridge foo; directory on bridge foo; show on bridge bar; directory on bridge bar; The principle of the Access Control is shown in Figure 2: The Access Control Principle on page 21.

21 Introduction Operation 21 Allowed Access Control Disallowed Reject Message Operation Rejected Figure 2: The Access Control Principle For use at runtime, AC views must first be compiled using the TeMIP Security Compiler, see Section Compiling an AC View on page Access Control API Plug-in The Access Control Mechanism of TeMIP is one of the value added functions provided by TeMIP to restrict a given user to access a pre-defined set of management information. The TeMIP ACLOC security mechanism which exists today contains an embedded layer to check the authorization of management information (verb, entity, attribute) for a specific user profile. Operation MCC Call Reject Message Access Control Allowed Disallowed Operation Rejected Figure 3: TeMIP Access Control Mechanisms It is possible to augment the internal access control mechanism of TeMIP, or to replace it, by means of plug-in. The TeMIP Access Control API provides the means to use an external security mechanism, in addition (or replacing) that of TeMIP. It leaves the LOC mechanism untouched.

22 Introduction Plugin Present STATUS 22 AC API Plug-in Operator MCC_Call Access Control Command Rejected Message Disallowed Allowed MCC_Call Denied Access Information Information LOC Function Logged Commands Filtered, Masked Information Operator User Interface Activity Information TeMIP Security Translator (String Commands) Figure 4: The Acloc with Access Control API Plug-in The TeMIP Acloc software library groups together all the routines that provide the runtime processing and Access Control services. These routines are called by the Presentation Module applications (PM) when directives are issued at the user interface. This software library provides an API (namely the TeMIP Access Control API), which provides the entry points to the external Access Control service of the software library. At runtime, these routines perform the access checks according to the active AC view (chosen from a User Profile) and the LOC definition. If the commands is allowed it is passed to TeMIP for execution and/or logging. The API header file which is provided is used to build the plug-in. It is located at the <TeMIP Release Tree>/temip/ acloc/include/temip_acapi_plugin.hxx. The section 2.3 describes how to develop an Access Control Plugin and enable it, in addition or in replacement of TeMIP Standard Access Control User Profiles User Profiles are a set of one or more authorized AC views, predefined by the System Administrator for an individual Operator. The AC views contained in a User Profile can represent for example, various levels of access to management information granted to a particular Operator. The Operator can select an authorized AC view from the User Profile just before starting up one of the Presentation Modules. This AC view becomes the Operator's active view of the network; otherwise the default AC view assigned to this Operator is used. A User Profile represents an association between a user and one or more levels of access (AC views) assigned to that user. Figure 5: The User Profile Principle on page 23 shows the principle of User Profiles. In this example, the TeMIP Operator has a User Profile containing four AC views, each AC view granting different levels of access to the TeMIP functionality.

23 Introduction 23 User Profile Access View 1 Access View 2 TeMIP Operator (Selects AC View) Selected AC View Activated Access View 3 Access View 4 Figure 5: The User Profile Principle 1.5 Logging of Commands The LOC function is the operation by which commands entered by the user are logged into a database that can be examined later. The log provides a record of all the commands issued for each active session. Logging of filtered commands can be done on a directive and/or entity basis and the LOC function also allows logging of ASCII strings, raw data commands and denied access commands. The logging filter is defined using the same syntax as the one used to define AC views. After filtering, a mask may be applied to a command, in order to store only a subset of the whole command request/response information. Browser and translator tools are provided to convert the logged commands into a readable format so that the Administrator or Operator can inspect them. The LOC principle is shown in Figure 6: The Logging of Commands Principle on page 23. Command logging can be centralized for all the sessions running on a system, under the control of the Administrator ( Central LOC function) and/or on a per session basis, individually controlled by the Operator (User Session LOC). Both LOC functions can be simultaneously enabled when running a TeMIP or external PM. Operator Operation Access Control MCC_Call Command Rejected Message Allowed MCC_Call Denied Access Disallowed Information Information LOC Function Logged Commands Filtered, Masked Information Operator User Interface Activity Information (String Commands) Figure 6: The Logging of Commands Principle TeMIP Security Translator

24 Introduction Central Logging of Commands The Central LOC applies to all concurrent sessions running on the system. These sessions can be associated with different users. The Central LOC behavior is controlled by the System Administrator and all the generated commands are filtered using the same filter, masked using the same mask and stored in a single central repository. The System Administrator can enable or disable the Central LOC on a per user basis. A disk full detection mechanism is associated with the Central LOC function. This mechanism provides notification and automatic file switching on one or more fallback disk partitions User Session Logging of Commands The User Session LOC applies to a single session associated with a single user. Its behavior can be fully controlled by the TeMIP Operator who can enable or disable the function, and define command filters and masks. Commands are logged in a private repository associated with the session. A user session identifies a specific context of activity, limited in time, and during which a user executes a series of operations. In TeMIP Security, a session identifies one Presentation Module process invocation. 1.6 TeMIP Security User Concept The concept of user is fundamental in TeMIP Security, because it is the starting point for determining the AC and LOC behavior in a running application invocation. A user can be identified in two ways: The first method uses the UNIX system account username. The user logs into the UNIX system account and then inputs the following command to start up an application, in this example the TeMIP Command Line (FCL_PM): % mcc_fcl_pm This is the default method and if the username is for example wayne, access is granted to wayne's personal: User Profile and associated AC views User Session LOC environment TeMIP user environment. The second method uses a shared UNIX system account username (for example, the operator account). This allows different users to log into the same system user account and then use another account when using TeMIP. Users first log into the operator account and then use the -u username option to access their personal: User Profile and associated AC views User Session LOC environment TeMIP user environment. In this case, a precondition is that the users must know the name and password of their personal user environment. For the TeMIP Command Line (FCL_PM) the command sequence is as follows: % mcc_fcl_pm -u wayne % password:xxxxxx Where wayne is the username and xxxxxx is the corresponding password. NOTE: Using the -u wayne option does not mean you log into the UNIX account of user wayne. You are logging into the TeMIP Security environment of user wayne.

25 Introduction TeMIP Security Users The Presentation Modules are designed for users defined as TeMIP Security System Administrators and TeMIP Operators, who use the services of TeMIP to manage and operate the network according to their privileges. The TeMIP Security software ensures that users are only able to view or modify data for which they are authorized System Administrator The System Administrator uses the TeMIP Security software to define a security environment within the general administration of a TeMIP-based management system. The System Administrator is responsible for: Setting up the AC view configuration for each Operator, in particular the definition of which operations are allowed and disallowed for each Presentation Module application. Setting up and controlling the Central LOC function, in particular the definition of which Presentation Module application commands are to be logged. The Administrator can use the LOC tools to examine the stored Central LOC commands. Using the monitoring tool to monitor the available system information. Backing up the Central LOC files. The System Administrator can use the TeMIP Security GUIs to set up the Access Control and Logging of Commands environment for each user and to query the Central and User Session LOC databases and browse the retrieved records. Refer to Access Control Administration on page 34, Logging of Commands Configuration on page 48 and Logging of Commands Browsing on page 60 for further details. In addition, terminal-oriented tools are available that allow these tasks to be performed using script applications to create, modify and delete the AC views and User Profiles by means of interactive commands. These tools are described in TeMIP Security and Logging of Commands Administration Using Script Commands on page TeMIP Operator In the TeMIP Presentation Modules, the user is by default the TeMIP Operator. An Operator can be assigned one or more AC views by the Administrator, who defines the Operator's Access Control rights when running a Presentation Module. By default, TeMIP Operators have no control over the Central LOC function, but can set their own User Session LOC parameters. In simple terms, the TeMIP Operators interface with the Presentation Modules, but have limited access to the TeMIP services. The TeMIP Operator is responsible for: Selecting an AC view from the User Profile (if a choice is given) Configuring a User Session LOC function Using the LOC tools to examine stored User Session LOC commands. TeMIP Operators can use the User Session TeMIP Commands Browser to query the User Session LOC database and browse the retrieved records, see Logging of Commands Browsing on page 60. In addition, terminal-oriented tools are available that allow the Operator to set up the User Session LOC environment using script applications and interactive commands. These tools are described in Logging of Commands Administration Using Script Commands on page 129. Refer to the HPE vtemip Security Operator s Guide for further details. 1.8 TeMIP Security Environment The security features are provided by integration of the TeMIP Security software into the Presentation Modules. Integration consists of making the AC and LOC services available to the Presentation Modules by calling the routines of the software

26 Introduction 26 library. Figure 7: Presentation Modules in the TeMIP Software Environment on page 26 shows how the Presentation Modules fit into the TeMIP software environment Presentation Modules The Presentation Modules are built on top of the TeMIP framework and linked to the software library by means of the application-programming interface (API) Security Shell A security shell application provides the interface between any integrated Presentation Modules and the Operating System environment. This shell transparently provides the Presentation Modules with TeMIP Security features such as: Setting up the Access Control and Logging of Commands environment for a session Running the integrated Presentation Modules in a session under a username different from the operating system user account Software Library The software library groups together all the routines that provide the runtime processing and AC services. These routines are called by the Presentation Module applications when directives are issued at the user interface. TeMIP Security provides a documented API, which provides the entry points to the AC and LOC services of the software library. At runtime, these routines perform the access checks according to the active AC view (chosen from a User Profile) and the LOC definition. If the command is allowed it is passed to TeMIP for execution and/or logging. Security Shell Iconic Map PM TeMIP PM FCL PM PM/ External Application TeMIP Security Software TeMIP FM CALL INTERFACE Access Control Environment Logged Commands TeMIP FM EXECUTIVE TeMIP FM OSI AM FM FM MANAGEMENT INFORMATION REPOSITORY FM N, E, AM N, E, AM N, E, AM Integrated Presentation Modules supplied with TeMIP Security Figure 7: Presentation Modules in the TeMIP Software Environment TeMIP Security Tools

27 Introduction Tools Tools are available to compile AC views and LOC filters, and to translate stored commands into a readable format and display them on a terminal. Session monitoring and backup tools are also available to the Administrator. The tools to create and manage your security environment are as follows: AC Compiler The AC Compiler is used to compile the AC language scripts for both AC and LOC functions. The compiled scripts define the AC environment in the form of AC views Graphical User Interfaces TeMIP Security provides a set of Graphical User Interfaces (GUIs) that simplify the task of setting up the Access Control and Logging of Commands environment. The GUIs are run as stand-alone. The GUIs are as follows: Access Control GUI The Access Control GUI allows you to: Write and compile AC views Test the compiled AC views Use the AC view in a User Profile Create, modify and delete User Profiles. Refer to Access Control Administration on page 34 for details of how to start up and use the AC GUI Logging of Commands Configurator GUI The Logging of Commands Configurator GUI allows you to: Set the Central LOC Configuration File parameters Update the Logging Status for each user Edit the Central LOC Notification Script. Refer to Logging of Commands Configuration on page 48 for details of how to start up and use the LOC Configurator GUI TeMIP Commands Browsers The TeMIP Commands Browsers allow you to: Perform searches on the commands logged in the Central LOC database. Perform searches on the commands logged in the User Session LOC database. Expand one or more of the retrieved records. There is a dedicated GUI for the Central LOC function and one for the User Session LOC function. Refer to Logging of Commands Browsing on page 60 for details of how to start up and use the TeMIP Commands Browsers Central and User Session LOC Translators The Central and User Session LOC Translators are terminal-oriented, interactive tools that fulfill the same functions as the GUIs. If you choose to use the interactive method of viewing the LOC records, the Central and User Session LOC Translators examine the input to the corresponding LOC repositories, decode the logged commands and display them in a readable format.

28 Introduction The Central LOC Translator tool can be accessed only by the Administrator, but the User Session LOC Translator can be accessed by both Administrators and Operators. Arguments (for example user name, time window) can be passed to the application to define which commands to translate and how to display them Central LOC Monitor The Central LOC Monitor tool enables the Administrator to display the current state of the Central LOC, the available free space, and to monitor all the Central LOC sessions opened on the repositories of a given system Central LOC Backup Facility The Central LOC Backup facility enables the Administrator to free Central LOC disk space, without loss of data and without having to exit the attached user sessions currently running. The backup facility copies Central LOC files from one or more repositories to another specified repository. For further information refer to Section Using the Central LOC Backup Tool on page 139. TeMIP Security and Access Control Administration on page 34 describe how to use the tools to build your security environment using interactive commands. 1.9 Global View Figure 8: TeMIP Security - A Global View on page 29 provides a global view of the TeMIP Security environment, showing how Administrators and Operators can set up the security environment and interact with the system on a global basis. 28

29 Introduction System Administrator (AC/CONF GUI) TeMIP Operator TeMIP Operator uses 29 defines defines Security Shell Security Configuration for Current Session PM or External Application Session User Session LOC Configuration Central User LOC Profile Config references references Software Library authorized commands TeMIP FM TeMIP FM CALL INTERFACE FM FM Compiled Compiled User Sess. Central AC view LOC filter LOC filter generates generates EXECUTIVE Mcc FM FM Compiled AC Compiler OSI AM MANAGEMENT INFORMATION REPOSITORY N, E, AM N, E, AM N, E, AM TeMIP User Central Session LOC LOC filter filter AC view Commands to log TeMIP Operator defines defines System TeMIP Operator uses Commands in readable format User Session LOC Browser GUI or Translator User Session LOC file Central LOC Browser GUI or Translator Sorted/ merged commands in readable format Administrator Central LOC Backup uses uses System Administrator Central LOC Repository System Administrator Central LOC Backup Figure 8: TeMIP Security - A Global View 1.10 VE and VEA Tuples Commands are entered at the user interface using a specific syntax. This syntax consists of a verb, entity (VE) or verb, entity, attribute/argument (VEA) tuple. You can use VEA tuples to perform management operations by selecting entities and choosing operations. The operations available depend on the entity chosen and the Presentation Module that is currently running. In the case of the FCL PM, the commands can be typed in using the FCL command line. Figure 9: VE and VEA Tuples on page 30 shows some examples of VEA tuples.

30 Introduction Entity Name (Wildcard on Operation Context) Directive SUSPEND OPERATION CONTEXT* Directive SET 30 Entity Name for a Log OSI BOMBAY LOG 1 Attribute MAX LOG SIZE Figure 9: VE and VEA Tuples Whichever method is used, an operation is initiated at the user interface which influences the behavior of TeMIP. This behavior depends on the VEA tuple used, and by making a particular VE or VEA tuple disallowed, the System Administrator can deny an Operator access to the corresponding function. In this way, the Administrator can build the AC views that together form the User Profile of a given Operator. The AC views can represent levels of access ranging from no access at all up to full rights. The VEA tuples are used in the form of an AC syntax, which uses keywords to create control expressions, and which must be compiled using the TeMIP Security Compiler. The AC syntax is fully described in Defining an AC View or LOC Filter on page 79. VEA tuples expressed in the form of AC syntax can be used to represent a window and any of the functions, managed objects and operations that are available in the window, and to which Access Control can be applied The FCL PM The effects of TeMIP Security in the FCL PM are as follows: Access Control Access Control in the FCL PM is implemented in such a way that only allowed directives are executed and only allowed information is displayed; otherwise an error message is generated. Refer to Section Access Control Strategy on page 86 for details of how Access Control is implemented in the FCL PM Logging of Commands Any MCC_Call initiated by an FCL PM application can be logged in the User Session LOC and Central LOC (provided the corresponding filter is set). Commands input by the user that are allowed are logged as ASCII strings, and all rejected commands with the rejection Code Value Returned (CVR) displayed are logged as denied access ASCII strings, see Section Logging of ASCII String Information on page 108. During a session, all allowed MCC_Calls can be logged, and also some denied access calls. Refer tosectionlogging of Commands on page 107 for details of how the LOC function is implemented in the FCL PM.

31 Introduction TeMIP Security and Distribution TeMIP Security and Distribution in non centralized metadata environment TeMIP Security data and processing is not distributed by the TeMIP distribution mechanisms. Therefore, the scope of TeMIP Security is a director as defined in the TeMIP distribution scheme. The TeMIP Security configuration, that is, Access Control and Logging of Commands must be performed on each director of the distributed TeMIP environment: TeMIP Security users, User Profiles and Access Control views are associated with a given director. Central Logging of Command configuration applies to a given director. Commands are stored in a single central repository located on this director. This mechanism provides flexibility in defining a specific Security configuration per director. However, if the policy is to provide a centralized administration of the Security in a distributed TeMIP environment, the following options are possible: If the distributed TeMIP is running in a Local Area Network (LAN) and Network File System (NFS) environment, you can set up a subset of the TeMIP Security directories in an NFS directory, so that the vtemip directors get a single view of the security environment. Access Control configuration (User Profiles, AC Views. The default is <TeMIP Data Tree>/temip/acloc/ user_profiles Central Logging configuration. The default is <TeMIP Data Tree>/temip/acloc/user/central_logging/ admin Note that you must then ensure that all the directors have the same user accounts. If the distributed TeMIP is running in a Wide Area Network (WAN) environment, and provided all the directors have the same user accounts, you can configure TeMIP Security on a single "reference" director (for example, in the National Center) and propagate the corresponding files to the distributed directors. The default location is <TeMIP Data Tree>/temip/acloc/user_profiles and <TeMIP Data Tree>/temip/acloc/user/ central_logging/admin. This can be done using the temip_synchro_mdata utility. See the HPE vtemip Utilities Guide for further details. In both cases, it is recommended that the Central Logging repositories (by default <TeMIP Data Tree>/temip/ acloc/user/central_logging/files) remain located on each director. The Central LOC backup facility can then be used to export the logged commands from the distributed directors to a single "reference" director, and then transparently examine the logged commands using the TeMIP Commands Browser. Figure 10: TeMIP Security and Distribution on page 32 presents an example of TeMIP Security and distribution.

32 Introduction Regional Center With an independent TeMIP Security configuration AC configuration 2 Central LOC configuration 2 dir F 32 Central LOC AC configuration 1 (Reference) Central LOC configuration 1 (Reference) dir F Central LOC global archive Central LOC backup Central LOC temip_synchro_mdata AC configuration 1 Central LOC configuration 1 dir A server Central LOC local archive National Center Reference for TeMIP Security Config Central LOC global archive Regional Center TeMIP Security configuration imported from National Center and distributed via NFS to the local directors NFS Central LOC backup dir B (PMs) dir C (PMs) Central LOC repositories exported to National Center, via a local archive repository dir D (PMs) Central LOC Figure 10: TeMIP Security and Distribution TeMIP Security and Distribution in centralized metadata environment If the distributed TeMIP is running in a cloudified environment, and provided all the directors have the same user accounts, you can setup central TeMIP Security directories in Distributed File Storage (DFS) volume on cloud, so that all participating vtemip directors get a single view of the security environment. This can be done using the temip_cloudify_mdata utility. Refer to chapter Managing metadata in vtemip in HPE vtemip Director Configuration and Management Guide for more details. NOTE: Ensure that all the directors have the same user accounts. The default locations: Access Control configuration (User Profiles, AC Views) is <TeMIP Data Tree>/temip/acloc/user_profiles Central Logging configuration is <TeMIP Data Tree>/temip/acloc/user/central_logging/admin Central Logging repositories <TeMIP Data Tree>/temip/acloc/user/central_logging/files NOTE: These paths are relative to cloud location paths.

33 Introduction AC configuration, Central LOC configuration and Central LOC logging files are shared across the directors which are configured to use central metadata AC Views and Profiles Dir A Dir B temip_cloudify_mdata temip_cloudify_mdata temip_cloudify_mdata Central LOC Dir B Figure 11: TeMIP Security and Distribution in central metadata environment 33

34 Access Control Administration 34 Chapter 2 Access Control Administration As TeMIP Security System Administrator, you are in charge of administrative operations using the Access Control Management Graphical User Interface (AC GUI). In this role, you are responsible for setting up an AC environment for each TeMIP Operator. This chapter describes how to use the AC GUI to define your AC environment. Only TeMIP Administrator can perform the administrative operations. In TeMIP Security, AC views are implemented as text files written in AC language, and which can be edited using any editor. An example of how to define an AC view using the AC language is given in Defining an AC View or LOC Filter on page 79 and a definition of the AC language is given in Access Control Language on page 200. NOTE: Throughout this chapter the term AC view can also be understood as LOC filter. 2.1 Access Control Management Graphical User Interface The AC GUI is an easy to use graphical interface that allows you to: Write and compile AC views. Transparently test a compiled AC view with the TeMIP FCL PM or the TeMIP PMs. Use the compiled and tested AC views in a User Profile. Create, modify and delete User Profiles. AC views can be split into two types; the AC views that define an Access Control (that is, contain control rules) and the AC declarations that contain declarations only (and which can be imported into an AC view). AC views and AC declarations that are ready for use in a User Profile are displayed in the AC Views/AC Declarations panel. To create or update an AC view (or an AC declaration) it must be moved to the Workspace panel where it can be edited, compiled and tested. Once this has been done, it can be replaced in the AC Views/AC Declarations panel and used in a User Profile Getting Started To run the AC GUI as a stand-alone application, enter the following command at the UNIX operating system prompt: $ temip_ac_management_gui You are prompted to enter a password before you are granted access to the AC GUI. If you are TeMIP Administrator, you already have access rights and no password is required. If any inconsistencies are detected during loading of the AC environment, an Access Control Management Warning window appears showing the different types of inconsistency detected, as shown in Figure 12: Access Control Management Warning Window on page 35.

35 Access Control Administration Figure 12: Access Control Management Warning Window Three types of inconsistency can be detected:.r files in the AC view directory that are not compiled..v files in the AC view directory that have no corresponding.r files..v files that are used in User Profiles, but which do not belong to the AC view directory. Refer to Section How to Create a New AC View or a New AC Declaration on page 39 for further details of.r and.v files. You cannot start the AC GUI session until you have acknowledged the inconsistencies by clicking MB1 on the OK Button. These potentially inconsistent files are ignored during the session AC GUI Main Window When you run the AC GUI, the Access Control Management main window appears as shown in Figure 13: Access Control Management Main Window on page 36. Functions that are not available appear grayed. 35

36 Access Control Administration 36 Figure 13: Access Control Management Main Window Modal Windows Some sub-windows are modal in nature, that is, you cannot perform any operations in the main window until you have closed the sub-window; for example, by clicking MB1 on the OK or Cancel Button. To make this clear, a "No Entry" cursor is displayed if you move the cursor to the main window General Functions The general functions of the main window are shown in Table 2: General Functions on page 36: Table 2: General Functions Button Function View All Click MB1 on the View All Button to display all the available User Profiles, AC views, AC declarations, and the current contents of the Workspace. This function should be used after you have: Created a new User Profile, AC view or AC declaration by external means or Created a new AC view in the Workspace.

37 Access Control Administration Button Function View Dependencies Use the View Dependencies function to: 37 Display all the AC views present in a given User Profile. The default AC view is displayed with the characters + + in front of it. Select a User Profile and click MB1 on the (View Dependencies) Button. The Button is displayed with directional arrowheads this case, the AC Declarations panel is insignificant and remains unchanged. Display all the User Profiles that refer to a given AC view and all the AC declarations directly imported by a given AC view. Select an AC view and click MB1 on the (View Dependencies Button). The Button is displayed with directional arrowheads dependencies. Display all the AC views importing a given AC declaration. Select an AC declaration and click MB1 on the View Dependencies Button. The Button is displayed with directional arrowheads (View Dependencies) to indicate the dependencies. In this case, the User Profiles panel is insignificant and remains unchanged. Quit Quits the AC GUI session. Options... Opens the Options window for you to customize certain parameters, see Section Customizing Session Parameters on page 44 for further details. Help A Help function is available in the main window and for each panel and sub-window Main Window Panels The main window is divided into the following three panels: User Profiles Panel This panel displays a list of existing User Profiles. The panel contains the functions shown in Table 3: User Profiles Panel on page 37: Table 3: User Profiles Panel Button Function New... Allows you to create a new User Profile. Modify... Allows you to modify an existing User Profile. Delete Allows you to delete an existing User Profile. Help Displays a help window related to this panel AC Views/AC Declarations Panel This panel allows you to see which AC views are available for use in a User Profile and which AC declarations can be imported into an AC view. To create or modify an AC view or AC declaration, it must be manipulated in the Workspace. The panel contains the functions shown in Table 4: AC Views/AC Declarations Panel on page 38:

38 Access Control Administration 38 Table 4: AC Views/AC Declarations Panel Button Function Move to Workspace Allows you to move an AC view or AC declaration to the Workspace. Delete Allows you to delete an existing AC View or AC declaration. Help Displays a help window related to this panel Workspace Panel This panel allows you to manipulate AC views and AC declarations. Once you are satisfied with an AC view or an AC declaration, you can replace it in the AC Views/AC Declarations panel and then use the resulting AC view in a User Profile. The panel contains the functions shown in Table 5: Workspace Panel on page 38: Table 5: Workspace Panel Button Function New... Allows you to create a new AC view or AC declaration. Modify... Allows you to modify an existing AC view or AC declaration. Delete Allows you to delete an existing AC view or AC declaration. Compile Allows you to compile an existing AC view or AC declaration using the last defined set of compilation options. Compile... Allows you to compile an existing AC view or AC declaration. You are prompted to supply compilation options. Test... Allows you to test an existing AC view. This Button is only significant for AC views and not LOC filters. Replace Allows you to replace an existing AC view or AC declaration in the AC Views/AC Declarations panel, from where it can be used in a User Profile. Filter Allows you to refresh the Workspace panel after you have created new AC views or AC declarations. Use of this Button is recommended, because the AC GUI is not automatically informed of new files created by sub-processes. Help Displays a help window related to this panel. 2.2 Using the AC GUI This section describes how to use the functions of the AC GUI to set up an AC environment. When creating a new AC environment, the recommended procedure is as follows: Define your specific AC declarations and AC views in the Workspace, see Section How to Create a New AC View or a New AC Declaration on page 39 Compile the AC declarations and AC views in the Workspace, see Section How to Compile an AC View or an AC Declaration on page 41 Test the AC views in the Workspace, see Section How to Test an AC View on page 42 Replace the AC views and AC declarations in the AC Views/AC Declarations panel, see Section How to Replace an AC View or an AC Declaration on page 42 Define User Profiles, see Section How to Create a New User Profile on page 43

39 Access Control Administration 39 When you have completed these tasks, your AC environment is ready for use Workspace Panel This section describes how to manipulate files in the Workspace panel How to Create a New AC View or a New AC Declaration Procedure 1. Click MB1 on the New... Button of the Workspace panel. The New AC View window appears, asking you for an AC view name, see Figure 14: New AC View Window on page 39. The initial value of the File Name field can be customized in the Options window, refer to Section Customizing Session Parameters on page 44 for further details. You are prompted to create this AC view as an AC view with control rules (in this case the extension is automatically set to.r) or as a pure declarations view (in this case the extension is automatically set to.d). 2. Select the option you want, enter a file name and then click MB1 on the OK Button. The text editor defined in the Options window is started for the AC view file name you have set. You can also use this function to write and compile a new LOC filter in the Workspace. However, you cannot use a LOC filter in a User Profile, therefore the User Profile panel is insignificant and should not be used. The LOC filter you have created can be exported to the LOC Configurator GUI for testing and/or use, see Section How to Export a Selection on page 47 for further details. Figure 14: New AC View Window

40 Access Control Administration How to Create an AC View from a Template About this task To enable you to build a new TeMIP Security AC view and User Profile environment, some example AC Views are provided by the installation procedure and are contained in the directory <TeMIP Release Tree>/temip/acloc/examples. The examples are as follows: <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP <TeMIP Release Release Release Release Release Release Release Release Release Release Release Release Release Release Tree>/temip/acloc/examples/example_view_all_rights.r Tree>/temip/acloc/examples/example_view_no_config_rights.r Tree>/temip/acloc/examples/example_view_no_rights.r Tree>/temip/acloc/examples/example_view_temip_administrator.r Tree>/temip/acloc/examples/example_view_temip_observer.r Tree>/temip/acloc/examples/example_view_temip_operator.r Tree>/temip/acloc/examples/example_view_temip_operator_weur_1.r Tree>/temip/acloc/examples/example_view_temip_operator_weur_2.r Tree>/temip/acloc/examples/example_view_temip_operator_weur_3.r Tree>/temip/acloc/examples/example_view_temip_operator_weur_4.r Tree>/temip/acloc/examples/example_view_temip_supervisor.r Tree>/temip/acloc/examples/temip_central_loc_filter.r Tree>/temip/acloc/examples/temip_default_ac_view.r Tree>/temip/acloc/examples/temip_root_default_ac_view.r Procedure 1. Copy the example AC views you want to use to the Workspace directory, by default <TeMIP Data Tree>/temip/ acloc/workspace unless you have changed it. Then modify, compile and test the AC view. 2. When you have completed the new AC view, you can make it effective by clicking on the Replace button. Once in the AC view directory, this AC view can be used to build/update User Profiles How to Modify an AC View or an AC Declaration Procedure 1. Select an AC view or AC declaration in the Workspace and then click MB1 on the Modify... Button. The text editor defined in the Options window is started for the selected AC view; refer to Section Customizing Session Parameters on page 44 for further details. When importing an AC declaration into an AC view, you do not have to give the full path as the AC declaration to be imported is automatically searched for in the Workspace environment. 2. If the AC view or AC declaration you want to modify is not located in the Workspace panel, select it in the AC Views/AC Declarations panel and click MB1 on the Move to Workspace Button to transfer it. When an AC view is moved to the Workspace panel, it is given the prefix ** in the AC Views panel to indicate that it is "reserved" How to Delete an AC View or an AC Declaration Select an AC view or AC declaration in the Workspace and then click MB1 on the Delete Button. You are asked for confirmation that you want to delete the selected AC view or AC declaration. If the AC view or AC declaration you want to delete has been previously moved to the Workspace (signified by the prefix **), it is automatically "unreserved" from the AC Views/ AC Declaration panel and is only deleted from the Workspace panel.

41 Access Control Administration How to Compile an AC View or an AC Declaration Procedure 1. Select the AC view or AC declaration to be compiled in the Workspace panel and then click MB1 on the Compile... Button. The Compile AC View window appears requesting compilation options, see Figure 15: Compile AC View Window on page 41. Figure 15: Compile AC View Window 2. Select the compilation options you want and then click MB1 on the OK Button to start the compilation process. The Compiling AC View window appears as shown in Figure 15: Compile AC View Window on page Click MB1 on the Cancel Button to stop the compilation process or click MB1 on the OK Button to see the compilation messages (if any) and continue the session. The Compile Button performs the same function, but without requesting compilation options; it uses the last defined set of options or the default ones in the case of a first compilation. When the compilation process is complete, compilation messages (including any compilation errors) appear in a new panel at the bottom of the Access Control Management window, as shown in Figure 16: Access Control Management Window with AC Compilation Messages on page Navigate in the AC compilation message panel using the scrollbar. When you have finished looking at the compilation messages, click MB1 on the Close Button.

42 Access Control Administration 42 Figure 16: Access Control Management Window with AC Compilation Messages How to Test an AC View If you select an AC view in the Workspace panel that has been successfully modified and compiled, the Test... Button is allowed and you can select one of the displayed integrated PMs to test it with. Once selected, the PM is started and you can test if the Access Control you have defined in the AC view is as you intended. Test... is only significant for AC views and not for LOC filters. If you want to test a LOC filter, you must first select it using the LOC Configurator GUI and then run the PM and decode the results using the TeMIP Commands Browser, see Logging of Commands Configuration on page 48 and Logging of Commands Browsing on page How to Replace an AC View or an AC Declaration Once the AC declaration has been successfully compiled or the AC view has been successfully compiled and tested, you can move them from the Workspace panel by selecting them and clicking on the Replace Button. They are replaced in the AC Views/ AC Declarations panel. If the AC view or AC declaration has been previously moved to the Workspace panel, the ** symbol is suppressed when it is replaced; otherwise a new element is created in the AC Views/AC Declaration panel. Once a successfully compiled AC view is replaced in the AC Views panel, it can be used in a User Profile definition, see Section User Profiles Panel on page 43.

43 Access Control Administration AC Views/AC Declarations Panel This section describes how to manipulate AC views and AC declarations How to Create AC Views and AC Declarations You cannot create an AC view or an AC declaration directly in the AC Views/AC Declarations panel. You must first create it in the Workspace, compile it, test it (AC view only) and then replace it in the AC Views/AC Declarations panel. Refer to Section Workspace Panel on page 39 for further details How to Modify AC Views and AC Declarations You cannot modify an AC view or an AC declaration directly in the AC Views/AC Declarations panel. You must first move it to the Workspace; to do this, select it in the AC Views/AC Declarations panel list and then click MB1 on the Move to Workspace Button. The element is displayed with the characters ** to indicate that it is "reserved", that is, it has been moved to the Workspace. Refer to Section Workspace Panel on page 39 for further details. When carrying out modifications note the following: When modifying an AC view, all the AC declarations that it imports are automatically copied to the Workspace (if not already present) to allow correct compilation of the AC view in the Workspace environment. When modifying an AC declaration, all the AC views that import it should also be moved to the Workspace for testing. To maintain consistency, you are asked if you want to do this. If you click MB1 on the Yes Button, all the AC views that import this AC declaration are moved to the Workspace and must be recompiled after you have modified the imported AC declaration. If you click MB1 on the No Button, the AC views importing this AC declaration are not moved to the Workspace, but they may be inconsistent after you have replaced the modified AC declaration How to Delete AC Views and AC Declarations Select the AC view or AC declaration, and then click MB1 on the corresponding Delete Button. You are asked for confirmation that you want to delete the selected AC view or AC declaration. NOTE: You cannot delete an AC declaration if it is imported into an AC view; all the AC views that import it should be updated first. To get all the AC views importing an AC declaration, select the AC declaration and click MB1 on the View Dependencies Button or attempt a delete operation and all the AC views importing this AC declaration will be displayed. You cannot delete an AC view if it is used in a User Profile; all the User Profiles that use it should be updated first. To get all the User Profiles using an AC view, select the AC view and click MB1 on the View Dependencies Button or attempt a delete operation and all the User Profiles importing this AC view will be displayed User Profiles Panel This section describes how to manipulate User Profiles How to Create a New User Profile Procedure 1. Click MB1 on the New... Button of the User Profile panel. The User Profile Definition window appears as shown in Figure 17: User Profile Definition Window on page 44.

44 Access Control Administration 44 Figure 17: User Profile Definition Window The cursor is automatically placed on the Username field for you to add the name of the new user. 2. To add an Authorized View for the new user, select an AC view from the AC Views panel list and click MB1 on the left arrow icon. 3. To convert an Authorized View to a Default View, select one of the Authorized Views and click MB1 on the ++ Button. The new default AC view is displayed with the ++ symbol. 4. To suppress an Authorized View, select one of the Authorized Views and click MB1 on the dustbin icon. 5. To save the User Profile, enter a username and click MB1 on the OK Button How to Modify a User Profile Select a User Profile in the User Profiles panel list and click MB1 on the Modify... Button. The User Profile Definition window appears as shown in Figure 17: User Profile Definition Window on page 44. Make your modifications and then click MB1 on the OK Button to make them effective How to Delete a User Profile Select a User Profile in the User Profiles panel list and click MB1 on the Delete Button. You are asked for confirmation that you want to delete this User Profile Customizing Session Parameters This section describes how you can customize certain implicit AC GUI parameters. Click MB1 on the Options... Button of the Access Control Management window to open the Options window, as shown in Figure 18: Options Window on page 45. This window allows you to customize the following parameters:

45 Access Control Administration AC Views Directory This is the directory in which all the AC views and AC declarations are grouped (default value is <TeMIP Data Tree>/ temip/acloc/user_profiles ) Workspace Directory This is the working directory in which the AC views and AC declarations are manipulated prior to replacing them in the AC Views/AC Declarations panel (default value is <TeMIP Data Tree>/temip/acloc/workspace ) AC View Text Editor This is the text editor that is run each time you want to create, read or update an AC view or an AC declaration (default value is dxterm -e vi, which runs the vi editor in a terminal session) Initial AC View File Name This is the name proposed when you want to create an AC view in the Workspace panel. If all your AC views have a similar name, customizing this field can be useful. Click MB1 on the OK Button to make the customization effective for the current session. Click MB1 on the Save Button to make the customization effective for the current session and memorize it for future sessions. Figure 18: Options Window

46 Access Control Administration General Facilities This section describes how to use the general facilities of the AC GUI How to Use the Help Facility At any time during the session, click MB1 on the Help Button to open a Help window. Figure 19: Workspace Panel Help Window on page 46 shows the Workspace panel Help Window as an example. When you have read the help, click MB1 on the OK Button or press Return to continue the session How to Use the Undo Facility Click MB1 on the Cancel Button to undo an action. This closes the window and returns you to the Access Control Management window without changes How to Use the Accelerator Facilities The following operations can be speeded up using the actions described below: When a Button has a double border, it is a default Button. This means that pressing Return has the same effect as selecting it. Double click MB1 on the User Profiles panel to activate the User Profile Definition window for the selected entry. Double click MB1 on the Workspace panel to activate the Compile AC View window for the selected entry. Click MB1 three times on an entry to select the whole entry. Type Ctrl/u on an entry to empty the entry field. Use the left and right arrows to navigate in an entry field, if the entry field is larger than the displayed widget. Figure 19: Workspace Panel Help Window

47 Access Control Administration How to Export a Selection When you click MB1 on the User Profile, AC Views/AC Declarations or Workspace panel, the full path name of the selected file is written to the clipboard (with a.v extension in the case of an AC view) and you can paste the path name into another application; for example, the LOC Configurator GUI. 47

48 Logging of Commands Configuration 48 Chapter 3 Logging of Commands Configuration As TeMIP Security System Administrator, you are in charge of administrative operations using the Logging of Commands Configuration Graphical User Interface (LOC Configurator GUI). In this role, you are responsible for configuring the Central LOC in a windows environment. Only TeMIP Administrator can perform these administrative operations. 3.1 Logging of Commands Configurator Graphical User Interface The LOC Configurator GUI is an easy to use graphical interface that allows you to: Set the Central LOC Configuration file without having to deal with syntax notions, such as how to format parameters. Update the Logging Status of each platform user without having to modify the corresponding User Profiles. Edit directly the Central LOC Notification Script Getting Started To run the LOC Configurator GUI as a launched application, select: TeMIP Central LOC Configuration from the Applications pull-down menu. To run the LOC Configurator GUI as a stand-alone application, enter the following command at the UNIX operating system prompt: $ temip_loc_config_gui In both cases you are prompted to enter a password before you are granted access to the LOC Configurator GUI. If you are TeMIP Administrator, you already have access rights and no password is required LOC Configurator GUI Main Window When you run the LOC Configurator GUI, the Central LOC Configuration main window appears as shown in Figure 20: Central LOC Configuration Main Window on page 49.

49 Logging of Commands Configuration 49 Figure 20: Central LOC Configuration Main Window This window is divided into six panels, one for each set of Central LOC Configuration file parameters, and at the bottom of the window, a panel containing Buttons that provide all the functions available in a LOC Configurator GUI session. The various panel menus are described in Table 6: Central LOC Configurator Window Menu Items on page 49: Table 6: Central LOC Configurator Window Menu Items Panels Function General Logging Panel Enable Central Logging Specifies the Central LOC LOGGING_STATUS parameter Logging Status Off for User Specifies the Central LOC LOGGING_STATUS parameter of each User Profile Logging Directory Specifies the Central LOC LOGGING_DIR parameter LOC Filter Panel LOC Filter File Specifies the Central LOC FILTER_FILE parameter MCC Mask Value Specifies the Central LOC MASK_VALUE parameter String Logging Panel Enable ASCII String Logging Specifies the Central LOC STRING_LOGGING_STATUS parameter ASCII String Mask Specifies the Central LOC STRING_MASK_VALUE parameter Raw Data Logging Panel Enable Raw Data Logging Specifies the Central LOC RAW_DATA_LOGGING_STATUS parameter Disk Full Panel Disk Full Minimum Free Space Specifies the Central LOC DISKFULL_MIN_FREE_KB parameter Disk Full Fallback Directories Specifies the Central LOC DISKFULL_FALLBACK parameter

50 Logging of Commands Configuration Panels Function Disk Full Notification Script Specifies the Central LOC DISKFULL_NOTIF parameter 50 General Buttons Exit Exit and save all the current settings Quit Quit the current session Save Save all the current settings Reset Reset all the settings to the state of the last Save Options... Sets options for the session Help The Help Button activates a help panel on how use the LOC Configurator GUI Modal Windows Some sub-windows are modal in nature, that is, you cannot perform any operations in the main window until you have closed the sub-window, for example, by clicking MB1 on the OK or Cancel Button. To make this clear, a "No Entry" cursor is displayed if you move the cursor to the main window. 3.2 Using the LOC Configurator Graphical User Interface This section describes how to use the functions of the LOC Configurator GUI to set the Central LOC Configuration file Setting General Logging Parameters How to set the General Logging Parameters is described in Section How to Set the Central Logging Status on page 50 to Section How to Set the Logging Directory on page How to Set the Central Logging Status Click MB1 on the Enable Central Logging Button to activate Central Logging. If the Button is not selected, the Central LOC function is not activated How to Set the Logging Status for each User About this task When you click MB1 on the Logging Status Off for User Button, the cursor is automatically placed on the associated entry field and the Set User Status... Button is enabled. You can update this entry directly by entering the list of users, separated by commas, for which you do not want logging to be performed. You can also double click MB1 on the field, or click MB1 on the Set User Status... Button to open the User Logging Status window as shown in Figure 21: User Logging Status Window on page 51:

51 Logging of Commands Configuration 51 Figure 21: User Logging Status Window Procedure 1. Select a User in the Users Logging ON or Users Logging OFF list box and then click MB1 on the Left or Right Arrow Button to change the Logging Status for this User. 2. Click MB1 on the OK or Apply Button to reflect your changes in the main window. If you have not enabled the Central Logging (as described in Section How to Set the Central Logging Status on page 50) the warning message "Central Logging is OFF" is displayed at the top of the User Logging Status window How to Set the Logging Directory Procedure 1. Click MB1 on the Logging Directory entry field to activate it and then enter the location of the Logging Directory. This value could, for example, be copied and pasted from the file browser. 2. Activate the browser by double clicking MB1 on the Logging Directory field or by clicking MB1 on the Browser Button; the browser window opens, see Figure 22: Setting the Logging Directory on page Double click MB1 on the desired directory name or select the desired directory name and click MB1 on the Filter Button to display the directory name in the Selection field. 4. Now click MB1 on the OK Button to place the directory name directly into the Logging Directory field of the Central LOC Configuration main window.

52 Logging of Commands Configuration Figure 22: Setting the Logging Directory Setting LOC Filter Parameters How to set the LOC filter parameters is described in Section How to Set the LOC Filter File Location on page 52 and Section How to Log Specific MCC_Call Arguments on page How to Set the LOC Filter File Location Procedure 1. Click MB1 on the LOC Filter File entry field to activate it and then enter the location of the LOC Filter File. This value could, for example, be copied and pasted from an AC GUI session or by using the browser. 2. Activate the browser by double clicking MB1 on the LOC Filter File field or by clicking MB1 on the Browser Button, see Figure 23: Setting the LOC Filter File Location on page Click MB1 on the desired file to select it and display it in the Selection field. 4. Now click MB1 on the OK Button to place the file name directly into the LOC Filter File field. 52

53 Logging of Commands Configuration 53 Figure 23: Setting the LOC Filter File Location How to Log Specific MCC_Call Arguments Procedure 1. Click MB1 on the MCC Mask Value entry field to activate it, and then update the mask value. You can also double click MB1 on the field, or click MB1 on the Mask Calculator... Button to activate the associated mask calculator. The Mask Calculator window appears as shown in Figure 24: Mask Calculator - Logging MCC_Call Arguments of a Given Type on page 53: Figure 24: Mask Calculator - Logging MCC_Call Arguments of a Given Type 2. Select one or more of the proposed values and click MB1 on the OK or Apply Button to compute the corresponding type mask value.

54 Logging of Commands Configuration Setting ASCII String Logging How to set ASCII string logging is described in SectionHow to Set the ASCII String Logging Status on page 54 and Section How to Log Specific ASCII Strings on page How to Set the ASCII String Logging Status Click MB1 on the Enable ASCII String Logging Button to activate ASCII string logging. If the Button is not selected, the logging of ASCII strings is not activated How to Log Specific ASCII Strings Procedure 1. Click MB1 on the ASCII Strings Mask Value entry field to activate it, and then update the mask value. You can also double click MB1 on the field, or click MB1 on the Mask Calculator... Button to activate the associated mask calculator. The Mask Calculator window appears as shown in Figure 25: Mask Calculator - Logging ASCII Strings of a Given Type on page 54. Figure 25: Mask Calculator - Logging ASCII Strings of a Given Type 2. Click MB1 on the More Button to display the TeMIP Security reserved and other user defined values. 3. Select one or more of the proposed values and click MB1 on the OK or Apply Button to compute the corresponding type mask value Setting the Raw Data Logging Status Click MB1 on the Enable Raw Data Logging Button to activate Raw Data Logging. If the Button is not selected, the Logging of Raw Data is not activated Setting Disk Full Behavior How to set the disk full behavior is described in Section How to Set the Disk Full Condition on page 55 to Section How to Set the Disk Full Notification Script Location on page 56.

55 Logging of Commands Configuration How to Set the Disk Full Condition Click MB1 on the Disk Full Minimum Free Space entry field to activate it and then set the threshold of available space for a disk full condition. The available space in the current Logging Directory is displayed as part of the Disk Full Minimum Free Space label to give you an idea of the required threshold. The available space value is automatically updated if you change the Logging Directory How to Set the Disk Full Fallback Directories Procedure 1. Click MB1 on the Disk Full Fallback Directories entry field to activate it and then set the list of fallback directories, separated by commas. You can also double click MB1 on the field, or click MB1 on the Set Fallback Directories Button to open the Disk Full Fallback Directories window as shown in Figure 26: Fallback Directories Window on page 55. Select a directory from the list and then click MB1 on the OK or Apply Button to add the directory name to the Disk Full Fallback Directories field of the Central LOC Configuration main window. Figure 26: Fallback Directories Window 2. If you click MB1 on the Browser Button, the browser window opens up showing a list of directories, see Figure 26: Fallback Directories Window on page Double click MB1 on the desired directory name or select the desired directory name and click MB1 on the Filter Button to display the directory name in the Selection field. 4. Now click MB1 on the OK Button to transfer the name directly to the Disk Full Fallback Directories field of the Disk Full Fallback Directories window. 5. Click MB1 on the Add Button to add the directory name to the list. 6. Now select the directory and click MB1 on the OK or Apply Button of the Disk Full Fallback Directories window to add the directory name to the Disk Full Fallback Directories field of the Central LOC Configuration main window. How to Add a New Directory to the Fallback Directories List Click MB1 on the Disk Full Fallback Directories entry field to activate it, enter the directory name, and then click MB1 on the Add Button.

56 Logging of Commands Configuration 56 How to Modify a Directory in the Fallback Directories List Select the directory name in the panel list; the name appears in the Disk Full Fallback Directories field. Modify the name and then click MB1 on the Modify Button. If the modified name is correct, it replaces the old name in the panel list. How to Delete a Directory in the Fallback Directories List Select the directory name in the panel list and then click MB1 on the Delete Button. You are asked for confirmation that you want to delete this directory. How to Get Information about a Directory Select a directory in the panel list and click MB1 on the Info Button to display information about the directory. How to Make the Fallback Directories List Effective To make the changes to your Fallback Directories List effective, click MB1 on the OK or Apply Button, the Disk Full Fallback Directories entry of the main window is updated How to Set the Disk Full Notification Script Location Procedure 1. Click MB1 on the Disk Full Notification Script Location entry field to activate it and then enter the location of the Disk Full Notification Script. This value could, for example, be copied and pasted from an AC GUI session or by using the browser, see Figure 27: Setting the Disk Full Notification Script Location on page 56. Figure 27: Setting the Disk Full Notification Script Location 2. You can activate the browser by double clicking MB1 on the Disk Full Notification Script field or by clicking MB1 on the Browser Button. Select the desired notification script and click MB1 on the OK Button to place the script name directly into the Disk Full Notification Script field of the Central LOC Configuration main window. If you click MB1 on the Editor Button, an editing session is started using the default editor you set in the Options window, see Section Setting the Raw Data Logging Status on page 54. The Disk Full Notification Edit window is shown in Figure 28: Disk Full Notification Edit Window on page 57.

57 Logging of Commands Configuration Figure 28: Disk Full Notification Edit Window General Session Manipulation This section describes how to Quit, Exit, Save or Reset a session and how to set session Options How to Exit a Session Click MB1 on the Exit Button to exit the session and save the current settings. That is: If the Logging Status Off for Users Button is selected all the User Profiles are updated The Options settings are saved The Central LOC Configuration file is saved How to Quit a Session Click MB1 on the Quit Button How to Save a Session Click MB1 on the Save Button to save the current settings. That is: If the Logging Status Off for Users Button is selected all the User Profiles are updated The Options settings are saved The Central LOC Configuration file is saved How to Reset the Session Click MB1 on the Reset Button to reset the Central LOC Configuration parameters back to the state of the last Save. 57

58 Logging of Commands Configuration Customizing the Default Editor Procedure 1. Click MB1 on the Options... Button of the main window to open the Options window, as shown in Figure 29: Options Window on page 58. Figure 29: Options Window The text editor that is run each time you want to edit the Disk Full Notification Script is displayed. 2. Click MB1 on the entry field to activate it and then enter the new value. 3. Click MB1 on the OK or Apply Button to make the customization effective for the current session. You must click MB1 on the Save Button of the main window to make the customization effective for a future session General Facilities This section describes how to use the general facilities of the LOC Configurator GUI How to Use the Help Facility At any time during the session, click MB1 on the Help Button to open a Help window. Figure 30: Main Window Help Function on page 59 shows the Main Window Help function as an example.

59 Logging of Commands Configuration 59 Figure 30: Main Window Help Function When you have read the help, click MB1 on the OK Button or press Return to continue the session How to Use the Undo Facility Click MB1 on the Cancel Button to undo an action. This closes the window and returns you to the Central LOC Configurator main window without change How to Use the Accelerator Facilities The following operations can be speeded up using the actions described below: When a Button has a double border, it is a default Button. This means that pressing Return has the same effect as selecting it. Double click MB1 on an entry field with an associated Button to automatically call the Button function. Click MB1 three times on an entry to select the whole entry. Type Ctrl/u on an entry to empty the entry field. Use the left and right arrows to navigate in an entry field, if the entry field is larger than the displayed widget. Click MB2 to paste a selection into an entry.

60 Logging of Commands Browsing 60 Chapter 4 Logging of Commands Browsing As TeMIP Security System, you are in charge of administrative operations using the TeMIP Commands Browser Graphical User Interface (TeMIP Commands Browser). In this role, you are responsible for: Setting up and using the Central LOC function Setting up and using the User Session LOC function (if not done by the TeMIP Operator). TeMIP Administrator can perform these administrative operations. This chapter describes how to use the Central TeMIP Commands Browser and the User Session TeMIP Commands Browser in a windows environment. 4.1 TeMIP Commands Browser Graphical User Interface The TeMIP Commands Browser Graphical User Interface is an interface that allows you to: Query the Central LOC or User Session database using specific search criteria to retrieve commands input by the users. Expand a record retrieved from the Central LOC or User Session database. Save and reload Central or User Session TeMIP Commands Browser settings. Specify the Central LOC or User Session Repository location. Run several Central or User Session TeMIP Commands Browser sessions on the same screen. NOTE: This chapter describes only the Central TeMIP Commands Browser, but the User Session TeMIP Commands Browser is functionally identical; only the names of the windows are changed Getting Started To run the TeMIP Commands Browser as a stand-alone application, enter the following command at the UNIX operating system prompt: temip_central_loc_gui (Central LOC Browser) or temip_session_loc_gui (User Session LOC Browser) If you enter temip_central_loc_gui or temip_session_loc_gui, you are granted direct access to the TeMIP Commands Browser TeMIP Commands Browser Main Window When you run the TeMIP Commands Browser, the TeMIP Commands Browser main window appears as shown in Figure 31: TeMIP Commands Browser Main Window on page 61. Functions that are not available appear grayed:

61 Logging of Commands Browsing 61 Figure 31: TeMIP Commands Browser Main Window The main part of this window is the TeMIP Commands Browser Results panel, where the translation results are displayed. To set and execute the type of LOC translation you want, three menus and two Buttons are available as described in Table 7: TeMIP Commands Browser Window Menu Items on page 61: Table 7: TeMIP Commands Browser Window Menu Items Menu Item/Button Function File Open New... Starts another TeMIP Commands Browser session in a new window Set Logging Repository... Specifies the logging repository for a given TeMIP Commands Browser session Set Segmented Search Value Specifies the number of records displayed each time you click on the More Button. If no value is given, there is no search segmentation. Quit Quits the current session Exit Exits and saves all the current settings. Search Set Search Criteria... Sets and Saves the Search Criteria of the TeMIP Commands Browser. Saved Setting Names Executes the TeMIP Commands Browser with previously recorded settings. Maintenance Load Setting... Loads a previously saved setting

62 Logging of Commands Browsing Menu Item/Button Function Delete Setting... Deletes a previously saved setting Save/Save as... Saves the currently defined setting Save All Current Settings Saves all the current settings of the session. Expand Allows you to view all the records matching a particular expression. More Allows you to view the next set of records translated. Help The Help Button activates a help panel on how use the TeMIP Commands Browser Modal Windows Some sub-windows are modal in nature, that is, you cannot perform any operations in the main window until you have closed the sub-window; for example, by clicking MB1 on the OK or Cancel Button. To make this clear, a "No Entry" cursor is displayed if you move the cursor to the main window. 4.2 Using the TeMIP Commands Browser This section describes how to use the functions of the TeMIP Commands Browser to query the Central or User Session LOC database. You can use the TeMIP Commands Browser to: Set search criteria to display only the information you want and in the format you want, see Section Setting Search Criteria on page 62 Save search criteria and then reload them later for further use; see Section Saving a Set of Search Criteria on page 67 Execute previously saved settings see; Section Executing Previously Saved TeMIP Commands Browser Settings on page 69 Manipulate the results; see Section TeMIP Commands Browser Results Manipulation on page Setting Search Criteria Select the Set Search Criteria... entry of the Search menu to do a search based on specific criteria. The main window displays the settable search criteria in a second panel, as shown in Figure 32: Setting Search Criteria Window on page 63: This window allows you to set the search criteria of the TeMIP Commands Browser. When you click MB1 on any of the Search Criteria Buttons, the cursor is automatically placed on the associated entry field (if applicable).

63 Logging of Commands Browsing Figure 32: Setting Search Criteria Window How to Display Warning Information Click MB1 on the Warning Information Button to display Central LOC warning messages How to Display Records in Mode Procedure 1. Click MB1 on the Records Display Mode Button to activate the entry field, and then click MB1 on the field to display the pop-up menu. 2. Select one of the four mode values: FCL, FCL Summary, Full Chronological or Full Correlated by clicking MB1 on your choice How to Display Records Created Before Click MB1 on the Records Created Before Button, and then set the date in the format indicated by the default value in the associated entry field How to Display Records Created After Click MB1 on the Records Created After Button, and then set the date in the format indicated by the default value in the associated entry field. 63

64 Logging of Commands Browsing How to Display Records Created on Host Click MB1 on the Records Created on Host Button, and then enter a machine name in the associated entry field How to Display Records Created by User Procedure 1. Click MB1 on the Records Created by User Button, and then enter a username in the associated entry field. You can also click MB3 on the entry field or click MB1 on the Users Menu Button to open a pop-up menu that shows all the users that have a User Profile. 2. Select a username from the menu by clicking MB1 on your choice. 3. Click MB1 on the Cancel entry of this menu to close it How to Display Records with Session String Click MB1 on the Records with Session String Button, and then enter a string of characters in the associated entry field (not between " ") How to Display Records with Process String Click MB1 on the Records with Process String Button, and then enter a string of characters in the associated entry field (not between " ") How to Display Records of a Given Type Click MB1 on the Records Type Button, and then update the associated entry field directly. You can also double click MB1 on the field, or click MB1 on the Mask Calculator... Button to activate the associated mask calculator. The Mask Calculator window appears as shown in Figure 33: Mask Calculator - Displaying Records of a Given Type on page 65. Select one or more of the proposed values and click MB1 on the OK or Apply Button to compute the corresponding type mask value.

65 Logging of Commands Browsing 65 Figure 33: Mask Calculator - Displaying Records of a Given Type How to Display ASCII Strings of a Given Type Procedure 1. Click MB1 on the ASCII Strings Type Button, and then update the associated entry field directly. You can also double click MB1 on the field, or click MB1 on the Mask Calculator... Button to activate the associated mask calculator. The Mask Calculator window appears as shown in Figure 34: Mask Calculator - Displaying ASCII Strings of a Given Type on page Click MB1 on the More Button to display the TeMIP Security reserved and other user defined values. 3. Select one or more of the proposed values and click MB1 on the OK or Apply Button to compute the corresponding type mask value.

66 Logging of Commands Browsing 66 Figure 34: Mask Calculator - Displaying ASCII Strings of a Given Type How to Display Records Matching a Regular Expression Click MB1 on the Records Matching Regular Expression Button, and then enter a regular expression in the associated entry field ( not between " ") How to Make a Search Click MB1 on the Search Button to display the TeMIP Commands Browser results in the panel as shown in Figure 35: Checking Search Criteria Results Window on page 67. Check that the results displayed correspond to what you intended. If so, you can save the setting and reuse it later, see Section Saving a Set of Search Criteria on page 67 and Section How to Load a Previously Saved Setting on page 67.

67 Logging of Commands Browsing 67 Figure 35: Checking Search Criteria Results Window Saving a Set of Search Criteria The Maintenance menu allows you to set and save the search criteria you want to use in a search. After you have executed the search, you can check that the results are as you expected and then save the setting for use at a later date. You can also load and reuse, or load and update a previously saved setting How to Save Search Criteria Select the Save or Save as... entry of the Maintenance menu to save a given set of criteria and their associated values. Section Setting Search Criteria on page 62 explains how to set the search criteria How to Load a Previously Saved Setting Procedure 1. Select the Load Setting... entry of the Maintenance menu.

68 Logging of Commands Browsing The Load Setting window opens up as shown in Figure 36: Load Previously Saved Setting Window on page Select a setting and click MB1 on the Load Button or double click on the selection to load it. You can now run the search using the loaded setting or you can modify it, run the search and then resave the setting if required. 3. Click MB1 on the Cancel Button to dismiss the window. Figure 36: Load Previously Saved Setting Window How to Delete a Previously Saved Setting Procedure 1. Select the Delete Setting... entry of the Maintenance menu. The Delete Setting window opens up as shown in Figure 37: Delete Previously Saved Setting Window on page Select a setting and click MB1 on the Delete Button or double click on the selection to delete it. You are asked for confirmation that you want to delete the selected setting. 68

69 Logging of Commands Browsing 69 Note that the setting name is also removed from the saved setting list of the Search menu; see Section Executing Previously Saved TeMIP Commands Browser Settings on page 69 for further details. Click MB1 on the Cancel Button to dismiss the window. Figure 37: Delete Previously Saved Setting Window How to Make a Search Click MB1 on the Search Button to display the Section TeMIP Commands Browser Results Manipulation on page 70 results in the corresponding panel, refer to Section TeMIP Commands Browser Results Manipulation on page 70 for further details Executing Previously Saved TeMIP Commands Browser Settings Each time you save a TeMIP Commands Browser setting, it is added to the Search menu from where you can select it. In this case, the main window changes as shown in Figure 38: Displaying TeMIP Commands Browser Settings on page 70. Only the active criteria of the settings are displayed. You can update their values, but to add new criteria to your search criteria settings, you must select Set Search Criteria... in the Search menu and then update and resave the setting. To run the TeMIP Commands Browser with these settings, click MB1 on the Search Button.

70 Logging of Commands Browsing 70 Figure 38: Displaying TeMIP Commands Browser Settings TeMIP Commands Browser Results Manipulation This section describes how to view TeMIP Commands Browser results, start a new TeMIP Commands Browser search and expand a displayed record How to View TeMIP Commands Browser Results About this task Once a TeMIP Commands Browser search is executing (after you have clicked MB1 on the Search Button), the More Button may be enabled. If enabled, this means that there are still some records resulting from the translation to view. Procedure 1. Click MB1 on the More Button to display more records until the TeMIP Commands Browser process ends. When the process ends, the More Button is disabled (grayed), as shown in Figure 39: Viewing TeMIP Commands Browser Results on page 71. If you want to change some values, you can do so now and perform another TeMIP Commands Browser search by clicking MB1 on the Search Button. For example, in this case you may want to change the mode to FCL and redo the search. 2. Navigate in the TeMIP Commands Browser results with the scrollbar.

71 Logging of Commands Browsing 71 Figure 39: Viewing TeMIP Commands Browser Results How to Start a New TeMIP Commands Browser Search About this task You can start another TeMIP Commands Browser search without waiting for the current one to end. Procedure 1. To do this, change some values (if required) and click MB1 on the Search Button. The TeMIP Commands Browser results panel is emptied, the previous search is stopped, and the new search results are displayed. 2. Navigate in the new results using the scrollbar How to Expand a TeMIP Commands Browser Record If you click on a line in the results panel, the whole record is selected and the Expand Button is enabled. Click MB1 on this Button to open the Expand TeMIP Commands Browser Records window as shown in Figure 40: Expand TeMIP Commands Browser Records Window on page 72. This window allows you to expand the record that you selected. You can choose to view the record in FCL, FCL Summary, Full Chronological or Full Correlated mode by clicking MB1 on the Records Display Mode entry field of the Records Expand window and then selecting a mode from the pop-up menu. Click MB1 on the Cancel Button to close the expansion window.

72 Logging of Commands Browsing 72 Figure 40: Expand TeMIP Commands Browser Records Window General Session Manipulation This section describes how to start or quit a session, how to save search criteria and how to set the Central LOC repository specification How to Start a New Session Select Open New... from the File menu to open a TeMIP Commands Browser session in a new window How to Set the Segmented Search Value Select Set Segmented Search Value... from the File menu, enter the number of records you want retrieved per segment in the Segmented Search Value field, and then click MB1 on the OK Button. If you do not enter a value in the Segmented Search Value field, all the retrieved records are displayed and the More Button is disabled.

73 Logging of Commands Browsing How to Save the Search Criteria Settings If you do not save them, all the search criteria settings you have defined during a session are lost when you leave the session. Select Save All Current Settings from the Maintenance menu to save your settings and the segmented search value How to Exit a Session Select Exit from the File menu to exit the session and save all the current settings and the segmented search value How to Quit a Session Select Quit from the File menu Setting the LOC Repository Specification By default, the TeMIP Commands Browser applies to all the User Session.loc files in your $HOME directory). To apply the TeMIP Commands Browser to any User Session LOC database, select Set Logging Repository... from the File menu. This opens the User Session LOC Repository window as shown in Figure 41: User Session LOC Repository Window on page 74.

74 Logging of Commands Browsing 74 Figure 41: User Session LOC Repository Window Selecting an Existing LOC Repository Name Click MB1 on an entry in the LOC Repository list to select it and then click MB1 on the OK or Apply Button to make this entry the effective LOC Repository. Enter a new LOC Repository name directly into the Logging Repository Specification field and click MB1 on the Add Button to add the repository name to the list. Click MB1 on the OK or Apply Button to make this entry the effective LOC Repository. Selecting a LOC Repository Name Using the Browser You can also copy and paste a LOC Repository name using the browser. Click MB1 on the Browser Button to activate the browser window, see Figure 41: User Session LOC Repository Window on page 74. Double click MB1 on the desired repository name or select the desired repository name and click MB1 on the Filter Button to display the name in the Selection field. Now click MB1 on the OK Button to dismiss the browser window and place the repository name directly into the Logging Repository Specification field of the LOC Repository window.

75 Logging of Commands Browsing 75 Click MB1 on the Add Button to add the repository name to the list. Click MB1 on the OK or Apply Button to make this entry the effective LOC Repository How to Make your Repository Specification Changes Effective To make the changes to your Repository Specification effective, click MB1 on the OK or Apply Button after one of the operations described below How to Add a New Directory to the Repository Specification Enter the directory name in the Logging Repository specification field, and then click MB1 on the Add Button How to Modify a Directory in the Repository Specification Select the directory name in the panel list: the name appears in the directory field. Modify the name and then click MB1 on the Modify Button. If the modified name is correct, it replaces the old name in the panel list How to Delete a Directory in the Repository Specification Select the directory name in the panel list and then click MB1 on the Delete Button. You are asked for confirmation that you want to delete this directory How to Get Information about a Directory Select a directory in the panel list and click MB1 on the Info Button to display information about the directory General Facilities How to Use the Help Facility At any time during the session, click MB1 on the Help Button to open a Help window. Figure 42: Delete Setting Help Window on page 76 shows the Delete Setting Help Window as an example. When you have read the help, click MB1 on the OK Button or press Return to continue the session.

76 Logging of Commands Browsing 76 Figure 42: Delete Setting Help Window How to Use the Undo Facility Click MB1 on the Cancel Button to undo an action. This closes the window and returns you to the TeMIP Commands Browser window without change How to Use the Accelerator Facilities The following operations can be speeded up using the actions described below: When a Button has a double border, it is a default Button. This means that pressing Return has the same effect as selecting it. Double click MB1 on the Records Type or ASCII Strings Type entry fields to call the corresponding mask calculator. Double click MB1 on the selection in the Load Setting/Delete Setting window to Load/ Delete a selection. Click MB1 three times on an entry to select the whole entry. Click MB1 or MB2 on an entry field to automatically select the associated Search Criteria option. Type Ctrl/u on an entry to empty the entry field. Use the left and right arrows to navigate in an entry field, if the entry field is larger than the displayed widget.