Fast Track Your NonStop Integration with XYGATE and Active Directory
Over the last 15 years, I’ve worked in a variety of environments – from dining room startups with a handful of systems, to multinational corporations with tens of thousands of systems. One thing I could almost always be sure of is Microsoft Active Directory (AD) is somewhere in the mix.
For most organizations, Microsoft Active Directory is the main corporate directory service for managing access to information systems across the enterprise. Active Directory serves as the central authority for network security, distributed resources, systems, users and services. When a user logs into a Windows workstation, their credentials are submitted to and evaluated by AD to determine if they are authorized for access, to which groups they belong, to which resources they have access, which policies are enforced, along with other controls. This process enables a user to have a single set of credentials controlling their access to the system and its resources.
What makes Active Directory even more powerful and a staple in nearly 90% of Fortune 1000 organizations is its extensibility, scalability and integration capabilities. AD can communicate over Lightweight Directory Access Protocol (LDAP) and Kerberos, two standard application protocols. These standards extend AD’s capabilities by integrating non-Windows platforms and enterprise applications. This centralizes user information in a single repository, making it available to multiple platforms and applications.
This central management not only comes with a remarkable reduction in administration costs, but facilitates compliance with security frameworks and enhances overall security right out of the gate. Security is at the forefront of everyone’s mind, therefore centralized user management is one of the necessary steps towards proper risk management.
For years, the HPE Integrity NonStop server has been the box in the corner humming along, reliably and effectively handling its mission critical workload. Identity and access was managed by an administrator who would manually add users to each NonStop system, assign individual user ids and passwords, and manage user updates on a case by case basis. This not only created operational overhead but potentially exposed organizational risk to users, administrators and the enterprise. Users had to remember (or store in an unsecured excel file on their desktop) yet another set of credentials. Administrators were burdened with managing user accounts separate from the rest of their enterprise, and corporate policies had to be enforced on multiple platforms.
The challenge doesn’t stop there. When an employee leaves a company, organizational workflows disable a user’s Active Directory credentials. This in turn disables access to any system or application integrated with AD. In most cases, the NonStop is often still handled via a separate, most often, manual process. Unless the NonStop administrator was notified of the departure and manually acted on the request in a timely fashion, the risk of a valid and active user ID remaining on the system long after the user has been removed from the main corporate directory exists. I don’t think I need to explain why this is a major security concern.
NonStop in the Modern Enterprise
HPE recognized the need for integration of the NonStop server with the rest of the enterprise. To address this evolving requirement, XYPRO and HPE partnered to offer XYGATE User Authentication (XUA) on all HPE Integrity NonStop servers shipped since 2013. XUA enables enterprises to efficiently integrate their NonStop user environment with their Active Directory infrastructure. Other platforms such as Linux, Unix and Windows were already capable of integration with the corporate directory. XUA integration with AD strengthens user authentication on the NonStop and supports enforcement of corporate password policies while reducing the costs of user provisioning and management.
XUA features include:
- Enterprise SSO participation through LDAP and Active Directory client interfaces
- Log-on controls based on ancestor program, requester program, port or IP address, time of day or day of week, or current logged-on user
- User impersonation support to reduce the need for sharing sensitive user passwords, for example—ability to log on as SUPER.SUPER but provide the individual user’s password
- Authentication controls customized at the user or group level
- Enhanced log-on event audit collection and reporting capabilities
- Integration with SIEM solutions through XYGATE Merged Audit
In most environments, the corporate password policy is typically defined through the Active Directory Group Policy Object (GPO) and pushed out to users, systems and applications. Any application integrated with Active Directory will have their password policy governed through this central authority.
With XUA, NonStop userIDs take advantage of the same password policies set in a single location. Active Directory is the system of record for all password policy management.
Active Directory – Getting Started
Preparing Active Directory for NonStop integration requires very little setup on the Active Directory side. There is no client or agent to install. You will only need the following 4 items.
- Domain Controller and LDAPS Connectivity
- LDAPS Certificate
- NonStop Users Container
- LDAP Bind User and Password
Domain Controller and LDAPS Connectivity – Don’t be Lazy!
As tempting and easy as it may seem to use traditional unencrypted LDAP for connectivity – DON’T! Integration as critical as this should always be done using LDAP over SSL (LDAPS). This ensures no credentials are sent from the NonStop to Active Directory in clear text. The default port for unencrypted LDAP is 389, while encrypted LDAPS uses 636. In most cases, LDAPS will already be enabled, but in case it is not, a server with the Certification Authority role is required within your AD environment. LDAPS connectivity can be verified by using an LDAP browser like Softerra or JXplorer.
Once connectivity is verified, you will need an export of the entire certificate chain used for LDAPS. This is typically provided by the Active Directory administrator. This important step enables LDAPS and generates the certificate chain that will be required by the NonStop.
NonStop Users Container
User IDs within Active Directory are organized within Organizational Units (OU) and Containers (CN). This allows for separate GPOs to be assigned to different OUs. The Active Directory administrator will need to identify which CN or OU the NonStop User IDs are located within the directory. For example, to locate the OU for user John Pierce (jpierce), the AD administrator would run the following command in a Windows command prompt
dsquery user -name jpierce
“CN= jpierce,OU=NonStop Users,DC=DOMAIN,DC=COM”
This shows us that our NonStop users are located in the “NonStop Users” OU in the MYDOMAIN.COM Active Directory domain.
LDAP Bind User and Password
The last requirement is to have access to an Active Directory user that will be used for directory lookups. This is typically known as an LDAP BIND user. It is recommended that the bind user be given just enough privileges to perform the required lookups within the directory and nothing more. This should NOT be an administrator account.
HPE NonStop Integration with Active Directory
The installation of XYGATE User Authentication (XUA) on the NonStop is not a difficult task, but one that should be undertaken with the knowledge and understanding of what is being accomplished. XUA is installed as the Safeguard Event Exit Process (SEEP) for authentication events. If an existing authentication SEEP is installed, it must be removed prior to installing XUA.
The following information is required to complete the installation of XUA/Active Directory integration on the NonStop for secure communications:
- The IP address or name of the Domain Controller running the LDAPS service
- The LDAPS service version (must be 3 or later)
- The LDAPS service type (Windows for Active Directory)
- The name of the TCP/IP process on the NonStop to be used for Active Directory communications
- BIND information (outlined above) for fully qualifying user names (i.e. email@example.com)
- The SSL certificate chain
- The port number of the LDAPS service (if different from the default)
- Access to SUPER.SUPER (or an alias) to complete the installation
Once you have this information, run the XUA installation process to capture this information and configure the NonStop configuration.
Additional entries needed if ldap lookup is being used:
LDAP_SEARCH_USER “cn=ldap,cn=Utility Accounts,dc=domain,dc=com”
Once the install process is complete, users can be added to the configuration for optional or required Active Directory authentication.
Confirming and controlling the identity of users accessing your system is crucial to protect your systems and data. The native HPE Integrity NonStop operating system and its Safeguard security infrastructure provide unique identification for users through Guardian user IDs and aliases, both with 64-character—strong password and passphrase support. Until now, they have not offered direct integration into SSO environments.
XYGATE User Authentication (XUA), included with all new HPE Integrity NonStop servers, allows for integration into an enterprise’s Active Directory and SSO environment, simplifying provisioning and management of NonStop users. Users can access all of their authorized systems, including NonStop servers, using a single user ID and password. The user benefits from the simplicity of authentication while the administrator benefits from a reduced user ID and password maintenance burden. Overall, security is improved and costs are reduced for the enterprise with XUA and Active Directory.
Steve Tcherchian, CISSP
Chief Information Security Officer
Steve Tcherchian, CISSP, PCI-ISA, PCI-P is the CISO and SecurityOne Product Manager for XYPRO Technology. Steve is on the ISSA CISO Advisory Board and a member of the ANSI X9 Security Standards Committee. With almost 20 years in the cybersecurity field, Steve is responsible for XYPRO’s new security intelligence product line as well as overseeing XYPRO’s risk, compliance, infrastructure and product security to ensure the best security experience to customers in the Mission-Critical computing marketplace.