Security
Overview
UPSTREAM offers unique security features for a product of its type. Every UPSTREAM function requires that the requester pass a security check. UPSTREAM security is controlled centrally on the UPSTREAM Storage Server using the z/OS security system (for example CA ACF2, IBM RACF or CA Top Secret). For the UPSTREAM Reservoir, the security system is Active Directory or native UNIX security.
With central security there are two levels of checking. The lowest level (security level 1) is comparable to a simple logon: a valid user ID and password grants access to UPSTREAM data storage. Level 1 is recommended only for environments where minimal security checks are sufficient.
Level 2 security performs comprehensive checks: you can grant or deny individual users access to the data stored in particular backup profiles.
See the UPSTREAM Storage Server User guide for more information concerning setting and maintaining data set security.
Requests for local UPSTREAM services can also be secured; this section describes those methods.
User IDs and Passwords
The most common form of security protection for computer systems is a combined user ID and password. For UPSTREAM Client, there are user ID and password fields on all screens that communicate with the UPSTREAM Storage Server.
When you type the user ID, the text is displayed; when you type the password, the cursor moves but the characters you type are not displayed.
When you save a parameter file that contains a password, the password is stored on disk in an encrypted form. The algorithm is chosen so that none of the stored characters is a control character, which avoids problems such as stray line feeds or end-of-file markers inside the parameter file. The file itself is still readable by anyone with read access to it, so restrict its permissions as you would any other stored credential.
The unattended nature of UPSTREAM requires that passwords be stored. If you wish to not store your password, there is an UPSTREAM Advanced Configurator option Do Not Save Passwords to Parameter Files that suppresses this feature.
Passwords must always be entered once when running in attended mode. This assures maximum security in attended mode and that changed passwords are reflected in unattended mode.
If you wish, you can supply a password unencrypted through any of the parameter entry schemes: the parameter file, the command line, or the environment. UPSTREAM marks encrypted passwords with a flag, so it can tell whether a given password value is encrypted or not.
This lets you integrate UPSTREAM with a security package of your own, or type a different password when you run the UPSTREAM program. For example, to start UPSTREAM with a password different from the one stored in the default data file (say TEST1), you could type:
Personalization
The personalization facility is an UPSTREAM Configurator function that allows an administrator to limit access to specific UPSTREAM functions. See Chapter 14 “Management and Reporting” for more details.
The features include:
- Check-boxes to limit the access to virtually every UPSTREAM function.
- Restrict only for PC Initiated: If you specify this, all the personalization check boxes apply only to workstation/server initiated functions; all UPSTREAM Storage Server initiated functions are accepted.
- Load User Personalizations: If you check this box, you must have separate personalization files for each user, activated when they log in. The personalization file name is the user’s UPSTREAM Storage Server login name with .ser extension in the work path directory. This is particularly useful for enforcing security on a multi-user system when running a single copy of UPSTREAM.
- Time-out Host Security Login: If you check this box, a user’s login times out after 30 minutes of inactivity.
- No dest. Changes: If you check this box, a user cannot redirect a restore to a different drive or directory. This allows your system’s existing security system to enforce access to files. When possible, the Universal Naming Convention (UNC) name for the device is used to keep users from redirecting drives under the covers.
- Preset Backup Profile: Allows you to specify a specific backup profile, thus keeping the user from viewing or restoring data that they do not have permission to access.
- Password: Each copy of UPSTREAM can be locally password protected.
- Specific Directory: You can limit backups and restores to a specific directory (and everything below it), for example to restrict users to their own home directories.
Since the personalization facility can be a powerful way to limit access to specific functions, we highly recommend its use.
Remote access security within Personalization is discussed in Section “Remote Security”.
Remote Security
UPSTREAM typically must run as the “super-user” on your system to be able to perform backups, restores, run jobs, etc. This leaves a security hole that should be filled.
The most powerful facility in Personalization is available when you press the Remote Security button in the Personalization dialog in the non-Windows Configurator or Feature Config (and scroll down to Remote Request Security) in the Windows Configurator. The Remote Security features in UPSTREAM allow you to secure your machine against unauthorized accesses.
Feature Configurator
Also note that most of these features require that the Client be run as a super-user (root for UNIX or Administrator for Windows).
Accept Requests From Frame
The Accept Requests From frame indicates which systems remote requests can be accepted and processed from. If you do not check either of the boxes, requests are accepted from any system (subject to login considerations specified in the right hand frame). Otherwise, requests can only be:
UPSTREAM Storage Server
UPSTREAM accepts remote requests from the system defined in the UPSTREAM Configurator.
IP/DNS
Allows you to specify which systems UPSTREAM accepts remote requests from. When you select this option, the edit field and the list box below it are activated.
To add a system to the include/exclude list, enter its address (either a dotted-decimal IP address or a DNS host name) in the edit field and press the Add button. To remove a system, highlight it in the list and press the Delete button.
Remote Users
This button is activated when you select the UPSTREAM Storage Server Address or IP/DNS Address options. If you have selected IP/DNS Address the dialog affects the system highlighted in the list box. This button displays a dialog that allows you to specify/modify additional options specific to this remote system (see below).
Frames in Default Security Frame
The other two frames address the local system authorization that the user has after being granted access to UPSTREAM.
Use default security
If this button is checked, then the default security is set by the fields below. Otherwise, the security must be set in the Remote User definitions.
UPSTREAM supports impersonation for remote users. Because UPSTREAM itself generally runs as the super-user (root, supervisor, Administrator, etc.), you can require that remote users perform a login (the User must enter user ID/password option) so that their requests are processed under the restrictions of that login rather than under UPSTREAM's own privileges.
For example, if the login is required and the user attempts to restore files into a location where they have no rights, the operating system denies access to those files. This is particularly important for running jobs, because by default jobs run with the privileges of the UPSTREAM account.
These frames specify the defaults that apply when you have not defined specific attributes for particular users or systems in the Remote Users dialog (below).
The Remote Server Requests (local login) frame specifies the security that remote requests from the system configured for the UPSTREAM Storage Server work under. The Remote Client Requests (local login) frame specifies the security that remote requests from any other system work under.
In production environments we strongly recommend selecting the User must enter user ID/password option in the Remote Client Requests (local login) frame, so that requests from arbitrary clients never run with UPSTREAM's own privileges.
Remote Users
You can press the Remote Users button when you select the UPSTREAM Storage Server only or Specific LU/IP Address options. If you have selected Specific LU/IP Address the dialog affects the system highlighted in the list box. This button displays a dialog that allows you to specify/modify additional options specific to this remote system:
Remote User Settings
The user that is referred to in this dialog is the user currently logged onto the remote system:
Any user
Press this radio button if you wish to allow all users on the remote system access to UPSTREAM.
Include Only Listed Users
Press this radio button to specify the remote users you wish to allow UPSTREAM access on this system.
Exclude Only Listed Users
Press this radio button to allow all remote users access to UPSTREAM but modify the login type of specific users.
Remote Users Radio Buttons
If you check Include Only Listed Users or Exclude Only Listed Users, then the edit field, the list box and the slider become active. In the edit field, enter the name of the user on the remote system who you wish to specify access attributes and press the Add button.
The slider allows you to modify the login requirements for the highlighted user:
Default local login for remote type
The login for this user is as specified in the Remote Request Security dialog for the system type the user is connecting from (Client or z/OS).
UPSTREAM account
This user runs under the UPSTREAM account.
Enter user ID/password
This user must login.
You can remove a user from the list by highlighting the user and pressing the Delete button.
When you have completed your user changes press the Save button to save your changes in the personalization file.
- LOCALPASSWORD - The password of the remote user who wishes to login to this system. There is no default.
- LOCALUSER - The local user name of the remote user who wishes to login to this system. For Windows, you can specify domain/user. There is no default.
There are a number of differences in the way that Remote Request Security is processed within UPSTREAM for each operating system. These include:
Windows
If you enable Remote Request Security you must grant the Log on as a batch job user right to each account that UPSTREAM will log remote users in as (set in Administrative Tools/Local Security Policy/User Rights Assignment; this is the right the older User Manager calls "Logon as a batch job").
By default, the login uses the local account database. To log in to a particular domain (including the local one), specify the user as:
Domain/user
Besides the Log on as a batch job right, you may also need to open Local Security Policy and:
- Under User Rights Assignment, grant the account the Restore files and directories right.
- Under Security Options, disable Accounts: Limit local account use of blank passwords to console logon only. Note that this policy is what prevents local accounts with an empty password from being used for network and batch logons, so disabling it weakens the whole machine; if the account UPSTREAM logs in as has a blank password, give it a real password instead and leave the policy enabled.
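The following PowerShell script is an added example, not part of the UPSTREAM documentation or product, for checking the Windows settings listed above before enabling Remote Request Security. It takes the account name as a parameter (the account is yours to choose; UPSTREAM defines no default), exports the current User Rights Assignment with secedit, reports whether the account holds Log on as a batch job and Restore files and directories, optionally grants them, and reads the blank-password policy from the registry. Run it from an elevated PowerShell on the UPSTREAM Client machine.

```powershell
# Added example (not UPSTREAM code): audit, and optionally grant, the Windows
# rights that Remote Request Security depends on.
# Assumptions: elevated PowerShell; $Account is the account UPSTREAM logs
# remote users in as (a value you supply, not an UPSTREAM default).
param(
    [Parameter(Mandatory = $true)][string]$Account,  # 'CORP\upstreamsvc' or 'upstreamsvc'
    [switch]$Grant                                    # add missing rights instead of only reporting
)
$ErrorActionPreference = 'Stop'

# secedit records right holders as *SID, so translate the account name first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Internal names of the two user rights discussed in the text.
$required = [ordered]@{
    SeBatchLogonRight  = 'Log on as a batch job'
    SeRestorePrivilege = 'Restore files and directories'
}

# Export the current User Rights Assignment to an INF file and read it back.
$exportInf = Join-Path $env:TEMP 'upstream-rights-export.inf'
& secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $exportInf

# Current holders of a right, exactly as secedit wrote them (e.g. *S-1-5-32-544).
function Get-RightHolders([string]$Right) {
    $line = $lines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$missing = @()
foreach ($right in $required.Keys) {
    $has = (Get-RightHolders $right) -contains "*$sid"
    '{0,-20} {1,-32} {2}' -f $right, $required[$right], $(if ($has) { 'GRANTED' } else { 'MISSING' })
    if (-not $has) { $missing += $right }
}

if ($Grant -and $missing.Count -gt 0) {
    # secedit /configure REPLACES the holder list of every right it is given,
    # so the new list must carry the existing holders plus our SID.
    $body = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
              'Revision=1', '[Privilege Rights]')
    foreach ($right in $missing) {
        $holders = @(Get-RightHolders $right) + "*$sid"
        $body += "$right = $($holders -join ',')"
    }
    $cfg = Join-Path $env:TEMP 'upstream-rights-grant.inf'
    $db  = Join-Path $env:TEMP 'upstream-rights-grant.sdb'
    $body | Set-Content -Path $cfg -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    "Granted: $($missing -join ', ') (re-run without -Grant to confirm)"
}

# Security Options -> 'Accounts: Limit local account use of blank passwords to
# console logon only' is stored under the Lsa key as LimitBlankPasswordUse
# (1 = enabled, the documented default; treated as enabled if absent).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
$limitBlank = if ($null -eq $lsa) { 1 } else { [int]$lsa.LimitBlankPasswordUse }
if ($limitBlank -eq 1) {
    'Blank-password limit: ENABLED. A LOCAL account with an empty password cannot perform a batch logon;'
    'give the UPSTREAM account a real password rather than disabling this policy.'
} else {
    'Blank-password limit: DISABLED. Any local account with an empty password can now log on remotely;'
    're-enable the policy once the UPSTREAM account has a password.'
}
```

Save the script as, for example, Test-UpstreamRights.ps1 and run `.\Test-UpstreamRights.ps1 -Account 'CORP\upstreamsvc'` to audit, adding `-Grant` to assign the two rights. The grant step deliberately re-exports the existing holders before writing the INF, because a partial [Privilege Rights] section would otherwise strip every other principal from those rights.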
Unix
No special considerations.
The End-User Restores and Request Remote Function dialogs include fields for entering the remote login name and password.