
U2 Extensible Administration Tool

Version JAN2015

January 2015
DBT-JAN2015-XA-AM-02


Notices

Edition

Publication date: January 2015
Book number: DBT-JAN2015-XA-AM-02
Product version: Version JAN2015

Copyright

© Rocket Software, Inc. or its affiliates 2005-2015. All Rights Reserved.

Trademarks

Rocket is a registered trademark of Rocket Software, Inc. For a list of Rocket registered trademarks go to: www.rocketsoftware.com/about/legal. All other products or services mentioned in this document may be covered by the trademarks, service marks, or product names of their respective owners.

Examples

This information might contain examples of data and reports. The examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

License agreement

This software and the associated documentation are proprietary and confidential to Rocket Software, Inc. or its affiliates, are furnished under license, and may be used and copied only in accordance with the terms of such license.

Note: This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when exporting this product.


Corporate information

Rocket Software, Inc. develops enterprise infrastructure products in four key areas: storage, networks, and compliance; database servers and tools; business information and analytics; and application development, integration, and modernization.

Website: www.rocketsoftware.com

Rocket Global Headquarters
77 4th Avenue, Suite 100
Waltham, MA 02451-1468
USA

To contact Rocket Software by telephone for any reason, including obtaining pre-sales information and technical support, use one of the following telephone numbers.

Country          Toll-free telephone number
United States    1-855-577-4323
Australia        1-800-823-405
Belgium          0800-266-65
Canada           1-855-577-4323
China            800-720-1170
France           0800-180-0882
Germany          08-05-08-05-62
Italy            800-878-295
Japan            0800-170-5464
Netherlands      0-800-022-2961
New Zealand      0800-003210
South Africa     0-800-980-818
United Kingdom   0800-520-0439

Contacting Technical Support

The Rocket Customer Portal is the primary method of obtaining support. If you have current support and maintenance agreements with Rocket Software, you can access the Rocket Customer Portal and report a problem, download an update, or find answers in the U2 Knowledgebase. To log in to the Rocket Customer Portal or to request a Rocket Customer Portal account, go to www.rocketsoftware.com/support.

In addition to using the Rocket Customer Portal to obtain support, you can send an email to [email protected] or use one of the following telephone numbers.

Country                  Telephone number
North America            +1 800 729 3553
United Kingdom/France    +44 (0) 800 773 771 or +44 (0) 20 8867 3691
Europe/Africa            +44 (0) 20 8867 3692
Australia                +1 800 707 703 or +61 (0) 29412 5450
New Zealand              +0800 505 515


Contents

Notices
Corporate information
Chapter 1: Getting started
  Welcome to XAdmin help
  Installing and updating the DBTools using the Eclipse Update Manager
  XTOOLSUB
    Installing XTOOLSUB for UniData on Windows
    Installing XTOOLSUB for UniVerse on Windows
    Installing XTOOLSUB for UNIX/Linux for UniData
    Installing XTOOLSUB for UNIX/Linux on UniVerse
    Installing XTOOLSUB on Windows
Chapter 2: XAdmin overview
  Starting XAdmin
  XAdmin workspace
  Establishing server connections
    U2 server definitions
    Creating U2 server definitions
  Viewing or editing advanced settings of a U2 server definition
    Specifying a command to run on connection
  Editing U2 server definitions
  Connecting to U2 servers
  Disconnecting from U2 servers
  Deleting U2 server definitions
Chapter 3: Administering U2 accounts
  U2 accounts overview
  Initiating Accounts tasks
  Adding or viewing U2 accounts
  Creating a U2 account
Chapter 4: Managing disk space
  Disk space usage
  Initiating disk space tasks
  Viewing disk space usage
Chapter 5: Managing Secure Sockets Layer (SSL)
  Secure Sockets Layer (SSL) technology
  Initiating SSL tasks
  Setting up and managing SSL
  Generating certificate signing requests
    Starting the Generate Certificate Signing Request wizard
    Specifying a file and algorithm for the CSR
    Defining properties of the CSR
    Selecting a key pair option
    Supplying key pair parameters
    Entering a password for the private key file
    Verifying the status of generating the certificate
  Generating SSL certificates
    Starting the Generate SSL Certificate wizard
    Specifying a certificate file name
    Setting the validity period for a new certificate
    Selecting a certificate type
    Optional: Defining certificate extensions
  Selecting required files to generate a certificate
    Selecting the private key file of the CSR
    Selecting the signing certificate file and private key file
    Entering the password for the private key file
  Creating security context records
    Starting the Security Context Record wizard
    Specifying the record ID and protocol
    Selecting server or client usage
    Setting authentication properties
      Setting server authentication properties
      Setting client authentication properties
      Adding trusted peer names
    Selecting the certificate path rule
    Associating certificates to the security context
      Associating server/client certificates to a security context
      Associating a server certificate to a security context
      Optional: Associating a client certificate to a security context
      Selecting the private key file for the server or client certificate
      Optional: Associating CA certificates to a security context record
    Selecting or generating a random file
      Optional: Generating a random file
      Adding seed source files
    Optional: Specifying ciphers
    Optional: Specifying a certificate revocation list
    Setting a password for the SCR
    Verifying the status of generating the SCR
  Configuring SSL for U2 servers
Chapter 6: Managing data encryption
  Automatic data encryption (ADE) operations
  Initiating data encryption tasks
  Administering data encryption
  Managing encryption keys
    Opening the Keys tool
    Creating encryption keys
    Viewing encryption key details
    Deleting encryption keys


Chapter 1: Getting started

Welcome to XAdmin help

The help provides conceptual, task-based, and reference information about XAdmin.

You can search for a word or phrase in these help topics by selecting the Search tab and entering your search topic. To narrow the search results to an exact phrase, enclose the phrase within quotation marks, for example, “dictionary files.”

Additional resources

For additional information about U2 products, training, and technical resources go to http://www.rocketsoftware.com/brand/rocket-u2.

Installing and updating the DBTools using the Eclipse Update Manager

You can update and install any of the U2 DBTools using the Update Manager in Eclipse.

Find the latest information about updates for U2 DBTools at http://updates.rocketsoftware.com/u2.

Procedure

1. Launch any U2 DBTools or base Eclipse installations (beginning with Galileo) on your computer.

2. From the Eclipse Help menu, select Help → Install New Software.

3. Click Add, enter a name for the site, such as U2 Update Site, and in the Work with field enter http://updates.rocketsoftware.com/u2. Click OK.

4. Allow the repository to load and then expand the tree for U2 DBTools. Select the updates that you want to apply. You can also choose to install any other U2 DBTools into your existing workspace.

5. Click Next and follow the installation wizard to complete the installation of updates.

6. Updates will take effect the next time an updated tool is launched.

Note: Only tools that are installed through separate InstallShield installations will appear on the Start menu. Tools installed using the Eclipse Update Manager are installed as individual perspectives in a single Eclipse instance. You can access the different perspectives by selecting Window → Open Perspective and then selecting the appropriate tool.

Note: You can check for updates to the DBTools by selecting Help → Check for Updates. To use this option, you must have previously defined the http://updates.rocketsoftware.com/u2 location in the Install New Software dialog, as described in step 3.

XTOOLSUB

This topic describes the XTOOLSUB program and how to upgrade to the latest version of XTOOLSUB on various operating systems.


Updating the XTOOLSUB Program

The XTOOLSUB program is a U2 database server-side BASIC program used by various U2 Client Tools. This includes U2 DataVu, U2 Web DE, Basic Developer's Toolkit (BDT), Extensible Administration Tool (XAdmin), Web Services Developer, and more. It also includes any tool that uses the U2 Resource View.

XTOOLSUB updates itself automatically. However, if something happens to the XTOOLSUB program you can download the latest version from the public Tech Note site at:

https://u2tc.rocketsoftware.com/documentation/1410028.asp

The XTOOLSUB program contains several zip and tar files, and includes three or four files, depending on the environment. The XTOOLSUB program is used by all the tools, but the other files included are only used for the Basic Developer's Toolkit (BDT).

The XTOOLSUB_EXECPRE/XTOOLSUB_XPRE programs are for pre-execution functionality and XTOOLSUB_EXECPOST/XTOOLSUB_XPST are for post-execution functionality. These programs are discussed further in the related public Tech Note, BDT Extensibility Details. If you have added your own code to the pre- and post-functionality, copy those modified programs to the older database versions rather than the pre- and post- files located here.

The files included for UniData are:

▪ XTOOLSUB
▪ XTOOLSUB_EXECPRE
▪ XTOOLSUB_EXECPOST
▪ EDAMAPSUB (UniData 6.1 and lower)

The files included for UniVerse are:

▪ XTOOLSUB
▪ XTOOLSUB_XPRE
▪ XTOOLSUB_XPST
▪ EDAMAPSUB (UniVerse 10.3 and lower)

Do not catalog the EDAMAPSUB subroutine when using UDT 7.1 or UV 11.1 and higher. This program already exists on those versions.

There is a difference between the databases because UniVerse's catalog environment is a type 1 file and has a 14-character file name limit.

Only extract the file that is needed for the database server/version and OS type you are using. The ...UX.tar (Unix) files come from AIX. You will need to run fnuxi/convcode if you use other UNIX/Linux operating systems. Files are not included for all operating systems in order to avoid unnecessary confusion. The files in the zip/tar files are the object code for the given programs; do not open them in a text editor.

Note: Log in as a root or administrator user when doing these steps to avoid any permissions errors. If an overwrite message occurs, select "yes" to overwrite the file in question.

Installing XTOOLSUB for UniData on Windows

The XTOOLSUB program is installed and updated automatically through the U2 DBTools updates. However, if your version of XTOOLSUB somehow becomes unusable, you can install a new version.


Procedure

1. Download the latest version of XTOOLSUB from the public Tech Note site at https://u2tc.rocketsoftware.com/documentation/1410028.asp.

2. Copy the XTOOLSUB_UDT_NT.zip or XTOOLSUB_UDT_61_NT.zip file to a temporary directory on your server (for example, c:\temp).

3. Extract the file to the c:\u2\ud##\sys\SYS_BP (where ## refers to the UniData major version. For example, 61, 71, 72, etc.) directory using your preferred unzipping utility. If UniData is installed in another location, change the path accordingly.

4. Log in to the sys account using telnet or execute a udt shell command in the sys directory on the server.

5. Catalog the three XTOOLSUB programs, as follows:

▪ CATALOG SYS_BP XTOOLSUB FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPRE FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPOST FORCE

Note: If you are using UniData 6.1 or lower, also run the CATALOG SYS_BP EDAMAPSUB FORCE command.

6. Connect with your U2 client tool to the U2 database server.

Installing XTOOLSUB for UniVerse on Windows

The XTOOLSUB program is installed and updated automatically through the U2 DBTools updates. However, if your version of XTOOLSUB somehow becomes unusable, you can install a new version.

Procedure

1. Download the latest version of XTOOLSUB from the public Tech Note site at https://u2tc.rocketsoftware.com/documentation/1410028.asp

2. Copy the XTOOLSUB_UV_NT.zip or XTOOLSUB_UV_103_NT.zip file to a temporary directory on your server. For example, c:\temp.

3. Extract the file to the c:\u2\uv\BP.O directory using your preferred unzipping utility. If UniVerse is installed in another location, change the path accordingly.

4. Log in to the UV home account via Telnet. The account name is UV or uv in the UV.ACCOUNT file.

5. Catalog the three XTOOLSUB programs, as follows:

▪ CATALOG SYS_BP XTOOLSUB FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPRE FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPOST FORCE

Note: You will receive a catalog error if you try to catalog all three programs on the same command line.

6. If you are using UniVerse 10.3 or later, also run the CATALOG BP *EDAMAPSUB FORCE command.

7. Connect with your U2 client tool to the U2 database server.


Installing XTOOLSUB for UNIX/Linux for UniData

The XTOOLSUB program is installed and updated automatically through the U2 DBTools updates. However, if your version of XTOOLSUB somehow becomes unusable, you can install a new version.

The $UDTBIN referenced below is an environment variable pointing to your UniData bin directory, for example, /usr/ud##/bin (where ## is 61, 71, 72, etc.). If this variable is not set, then reference the full path to the UniData bin directory in the commands.

Procedure

1. Download the latest version of XTOOLSUB from the public Tech Note site at https://u2tc.rocketsoftware.com/documentation/1410028.asp.

2. Copy the XTOOLSUB_UDT_UX.tar or XTOOLSUB_UDT_61_UX.tar file to a temporary directory on your server (for example, /tmp). If transferring using ftp, remember to use binary format.

3. Extract the file to the $UDTHOME/sys/SYS_BP directory.

a. To install using UniData 6.1 or earlier, the commands will be:
   cd $UDTHOME/sys/SYS_BP
   tar -xvf /tmp/XTOOLSUB_UDT_61_UX.tar

b. To install UniData 7.1 or later, the commands will be:
   cd $UDTHOME/sys/SYS_BP
   tar -xvf /tmp/XTOOLSUB_UDT_UX.tar

4. If you are using a non-AIX operating system, run the convcode command, as shown:
   $UDTHOME/sys/SYS_BP: $UDTBIN/convcode .

Note: The convcode command includes a period at the end of the line. This will convert everything in the SYS_BP file to the current format. All files report that they were converted, but this is the default answer for convcode. The existing files should already be in the correct format.

5. Change directories to the $UDTHOME/sys directory and then execute the UDT command, as shown:

a. cd $UDTHOME/sys
b. $UDTBIN/udt

6. Catalog the three XTOOLSUB programs, as follows:

▪ CATALOG SYS_BP XTOOLSUB FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPRE FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPOST FORCE

Note: If you are using UniData 6.1 or lower, also run the CATALOG SYS_BP EDAMAPSUB FORCE command.

7. Connect with your U2 client tool to the U2 database server.

Installing XTOOLSUB for UNIX/Linux on UniVerse

The XTOOLSUB program is installed and updated automatically through the U2 DBTools updates. However, if your version of XTOOLSUB somehow becomes unusable, you can install a new version.


Procedure

1. Download the latest version of XTOOLSUB from the public Tech Note site at https://u2tc.rocketsoftware.com/documentation/1410028.asp

2. Copy the XTOOLSUB_UV_UX.tar or XTOOLSUB_UDT_UV_103_UX.tar file to a temporary directory on your server (for example, /tmp). If transferring files using FTP, remember to use binary file format.

3. Extract the file to the /usr/uv/BP.O directory. If UniVerse is installed in another location, change the path accordingly. Use 'cat /.uvhome' to find the path if needed.

Note: `cat /.uvhome` references include single backward quotation marks. This command retrieves the current value for the UniVerse home directory before running the command.

a. To install using UniVerse 10.3 or earlier, the commands to use are:
   cd `cat /.uvhome`/BP.O
   tar -xvf /tmp/XTOOLSUB_UV_103_UX.tar

b. To install using UniVerse 11.1 or later, the commands to use are:
   cd `cat /.uvhome`/BP.O
   tar -xvf /tmp/XTOOLSUB_UV_UX.tar

4. If you are using a non-AIX operating system, run the convcode command, as shown:
   `cat /.uvhome`/bin/fnuxi XTOOLSUB*

5. Change directories to the UniVerse home directory and then run the UV command, as shown:

a. cd `cat /.uvhome`
b. bin/uv

6. Click Escape to exit the menu.

7. Catalog the three XTOOLSUB programs, as follows:

▪ CATALOG SYS_BP XTOOLSUB FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPRE FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPOST FORCE

Note: You will see a catalog error if you try to catalog all three programs on the same command line.

8. If you are using UniVerse 10.3 or earlier, also run the CATALOG BP *EDAMAPSUB FORCE command.

9. Connect with your U2 client tool to the U2 database server.
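
Added example (not part of the Rocket documentation and not Rocket code): a pre-extraction check for the two UNIX/Linux procedures above. Because the tar file is unpacked as root straight into SYS_BP or BP.O, the script lists the archive first and accepts it only if it holds exactly the file names this guide gives for the product. It assumes the archive members are named exactly as in those lists; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Rocket Software code. Assumption: the archive members are
# named exactly as the file lists in this guide; adjust xtoolsub_expected if
# the listing of a genuine archive differs.

# Print the expected member names, one per line.
#   $1 product: udt (UniData) or uv (UniVerse)
#   $2 legacy:  yes for UniData 6.1 / UniVerse 10.3 and lower (adds EDAMAPSUB)
xtoolsub_expected() {
    case $1 in
        udt) printf '%s\n' XTOOLSUB XTOOLSUB_EXECPRE XTOOLSUB_EXECPOST ;;
        uv)  printf '%s\n' XTOOLSUB XTOOLSUB_XPRE XTOOLSUB_XPST ;;
        *)   return 2 ;;
    esac
    if [ "$2" = yes ]; then printf '%s\n' EDAMAPSUB; fi
}

# Return 0 only when the archive holds exactly the expected files and nothing
# else: no absolute paths, no "..", no subdirectories, no extra or missing names.
#   $1 archive path, $2 product, $3 legacy
xtoolsub_check_archive() {
    xt_expected=$(xtoolsub_expected "$2" "$3") || {
        echo "unknown product: $2" >&2; return 2; }
    xt_members=$(tar -tf "$1" 2>/dev/null) || {
        echo "cannot list archive: $1" >&2; return 2; }
    xt_bad=0
    # Here-document instead of a pipe, so xt_bad is set in this shell.
    while IFS= read -r xt_m; do
        xt_name=${xt_m#./}            # tolerate a leading "./" on file names
        case $xt_name in
            ""|.|..|*/*)
                echo "rejected path: $xt_m" >&2; xt_bad=1 ;;
            *)
                if ! printf '%s\n' "$xt_expected" | grep -Fqx -e "$xt_name"; then
                    echo "unexpected member: $xt_m" >&2; xt_bad=1
                fi ;;
        esac
    done <<EOF
$xt_members
EOF
    # Every expected file must be present as well.
    for xt_want in $xt_expected; do
        if ! printf '%s\n' "$xt_members" | sed 's|^\./||' | grep -Fqx -e "$xt_want"; then
            echo "missing member: $xt_want" >&2; xt_bad=1
        fi
    done
    return $xt_bad
}

# Self-check on constructed archives (dummy contents, not real object code).
xtoolsub_selftest() {
    xt_tmp=$(mktemp -d) || return 2
    ( cd "$xt_tmp" || exit 2
      for f in XTOOLSUB XTOOLSUB_EXECPRE XTOOLSUB_EXECPOST extra.sh; do
          echo dummy > "$f"
      done
      tar -cf good.tar XTOOLSUB XTOOLSUB_EXECPRE XTOOLSUB_EXECPOST
      tar -cf bad.tar  XTOOLSUB XTOOLSUB_EXECPRE XTOOLSUB_EXECPOST extra.sh )
    xt_rc=0
    xtoolsub_check_archive "$xt_tmp/good.tar" udt no || xt_rc=1
    xtoolsub_check_archive "$xt_tmp/bad.tar" udt no 2>/dev/null && xt_rc=1
    rm -rf "$xt_tmp"
    return $xt_rc
}

# Usage: sh xtoolsub_check.sh /tmp/XTOOLSUB_UDT_UX.tar udt no
# With no arguments the script only defines the functions.
if [ "$#" -eq 3 ]; then
    xtoolsub_check_archive "$1" "$2" "$3" && echo "OK: member list matches the guide"
fi
```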

Installing XTOOLSUB on Windows

The XTOOLSUB program is installed and updated automatically through the U2 DBTools updates. However, if your version of XTOOLSUB somehow becomes unusable, you can install a new version.

Procedure

1. Download the latest version of XTOOLSUB from the public Tech Note site at https://u2tc.rocketsoftware.com/documentation/1410028.asp

2. Copy the XTOOLSUB_UDT_NT.zip or XTOOLSUB_UDT_61_NT.zip file to a temporary directory on your server (for example, c:\temp).


3. Extract the file to the c:\u2\ud##\sys\SYS_BP (where ## refers to the UDT major version, i.e. 61, 71, 72, etc.) directory using your preferred unzipping utility. If UniData is installed in another location, change the path accordingly.

4. Log into the sys account using telnet or execute a udt shell command in the sys directory on the server.

5. Catalog the three XTOOLSUB programs, as follows:

▪ CATALOG SYS_BP XTOOLSUB FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPRE FORCE
▪ CATALOG SYS_BP XTOOLSUB_EXECPOST FORCE

Note: If you are using UniData 6.1 or lower, also run the CATALOG SYS_BP EDAMAPSUB FORCE command.

6. Connect with your U2 client tool to the U2 database server.


Chapter 2: XAdmin overview

The U2 Extensible Administration Tool (XAdmin) is an Eclipse-based interface for administering the UniData or UniVerse (U2) database server. It is the successor to the UniAdmin tool.

The XAdmin workspace contains multiple panes, or views. From these views, you can perform administration tasks, view reports, and monitor the performance of U2 processes in real time.

What makes XAdmin “extensible”? After gaining expertise with the standard interface, you can customize the tool by adding your own tasks. You can also contribute menus to call your own UniBasic or UniVerse BASIC programs.

To begin, you can start XAdmin and become familiar with the workspace in the standard interface. After that, you can create a U2 server definition, connect to the U2 server, and select an administration task to perform.

A screen resolution of 1280x1024 or higher and a text setting of 100% is recommended for all U2 Eclipse-based applications.

Starting XAdmin

Before you can perform UniData or UniVerse administration tasks, you must start the U2 Extensible Administration Tool (XAdmin).

Prerequisite

▪ XAdmin must be running on a Microsoft Windows computer that is on the same network as the server computer running UniData or UniVerse.
▪ Make sure that UniData or UniVerse services are currently running on the server computer.

Procedure

▪ On the taskbar of the Windows computer on which XAdmin is installed, select Start > All Programs > Rocket U2 > Extensible Administration Tool.

Next step

Creating U2 server definitions, on page 13

XAdmin workspace

The XAdmin workspace contains multiple panes, called views. Views structure the workspace and serve as a device to organize similar items inside a defined work area.

▪ U2 Resource view
▪ Admin Tasks view
▪ Performance Monitor views

By default, the workspace is arranged in a standard layout, but you can move or resize views. Each view contains its own controls for minimizing and maximizing the space consumed within the XAdmin workspace. Alternatively, you can drag the border of a view to increase or decrease its size.

A view may contain just one item or tabs for multiple items. Each view or tab within the view has a Close (X) button to close the entire pane or to close a tab within the pane.


You can do no damage in experimenting with the workspace. If you close a view and want to show it again later, you can select it from the Window menu. Otherwise, if you want to reset the main window to show all views in their default locations, you can select Window > Reset.

Establishing server connections

U2 server definitions

The U2 tool interface does not detect the presence of UniData or UniVerse (U2) database servers on the network or let you connect to them by default. To work with UniData or UniVerse accounts and data, you must enable the computer to connect to the server on which the accounts and data reside. The client computer requires a U2 server definition to make a connection with the server.

A U2 server definition is stored on the client computer on which it was created, and is not shared across a network. One or several users can create multiple U2 server definitions on the same client computer.

U2 server is the term for a defined connection to a server computer on which U2 accounts and data are stored. All existing U2 servers on the client computer are listed in the U2 Resource view. You can connect to any U2 server in the U2 Resource list.

Creating U2 server definitions

To administer UniData or UniVerse accounts and data, you must create a U2 server definition that enables the client computer to connect to the U2 database server on which the accounts and data are stored.

Prerequisite

Starting XAdmin, on page 12

Procedure

1. To start the Create a New U2 Server wizard, right-click the U2 Servers node in the U2 Resource view, and click New U2 Server.

2. In the Name field, enter a unique name to identify the U2 server definition. The name cannot contain a slash (/) or backslash (\) character.

3. In the Host field, enter the name or IP address of the computer on which UniData or UniVerse is running.

4. From the U2 database server options, select UniData or UniVerse.

5. Optional: To view or edit the protocol, port number, and other advanced settings defining the connection, click Advanced.

Go to Viewing or editing advanced settings of a U2 server definition, on page 14.

Tip: The default values for advanced settings work best in most situations. Alter these settings only if necessary.

6. To save the U2 server definition, click Finish. XAdmin creates a directory for the U2 server, registering the server definition so the tool can find it in future sessions. The name of the new U2 server is added to the list in the U2 Resource view.


Next step

Connecting to U2 servers, on page 15

Viewing or editing advanced settings of a U2 server definition

On the advanced settings page of the server definition, you can view or edit the protocol, port number, and other advanced settings that define the connection. You can also specify commands to run when you connect to the U2 server. The default values for advanced settings work best in most situations. Alter these settings only if necessary.

Prerequisite

Creating U2 server definitions, on page 13 or Editing U2 server definitions, on page 15

Procedure

1. The Protocol Type field displays TCP/IP as the communications protocol used by UniData or UniVerse to access the internet. At this time, the only supported protocol is TCP/IP, and this setting cannot be changed.

2. In the RPC Port # field, enter the port number of the UniRPC server running on the host. The default port number is 31438.

3. In the RPC Service Name field, enter the name of the remote procedure call (RPC) service on the system. For UniData, the name is normally udcs; for UniVerse, the name is normally uvcs.

4. In the Login Account field, enter the full path to the account folder on the server running UniData or UniVerse. You can enter just the account name if the account is defined in the UD.ACCOUNT or UV.ACCOUNT hash file.

5. If you run a RetrieVe command, a saved paragraph, or a globally cataloged program every time you connect to the U2 server, you can save time by entering the command in the U2 server definition. To enter a command to run on connection, click Add in the Commands to Execute group box. See Specifying a command to run on connection, on page 15.

6. In the Specify the session to run/debug your BASIC program on server side group box, enter details for connecting to the server in a debug session.

a. From the Protocol options, select the network protocol to use when you connect to the U2 server in a debug session: Telnet or SSH (Secure Shell).

b. In the Port Number field, enter the port number on which the Telnet or SSH service runs on the server computer. The default Telnet port number is 23; the default SSH port number is 22.

c. If device licensing is supported on the server, select the Use Device License check box to conserve license usage in the debug session.

While running or debugging BASIC programs, you may use multiple server connections to browse files, check data, update records, or perform other tasks. If device licensing is disabled, the debug session consumes one U2 license for each connection. With device licensing enabled, the session consumes one U2 license and one device license for up to 10 connections from a single device.


Tip: If you are unable to establish a Telnet or SSH connection with the Use Device License check box selected, clear the check box and try again.

7. To save changes to advanced settings and return to the main page, click Finish.

Specifying a command to run on connection

You can run a RetrieVe command, a saved paragraph, or a globally cataloged program every time you connect to the U2 server. Rather than type the same command each time you connect, you can increase efficiency and save time by entering the command in the U2 server definition.

1. In the Specify a command field, enter a RetrieVe command, the name of a saved paragraph, or the name of a globally cataloged program to run when you connect to the U2 server.

2. To save the changes and return to the details page, click OK.

Editing U2 server definitions

You can modify the details of an existing U2 server definition, with one exception. It is not possible to change the name of the U2 server. However, you can create the U2 server again with a new name.

Prerequisite

Creating U2 server definitions, on page 13

Procedure

1. To start the Edit U2 Server Definition wizard, right-click the name of the U2 server definition in the U2 Resource view, and click Properties.

2. In the Host field, enter the name or IP address of the computer on which UniData or UniVerse is running.

3. From the U2 database server options, select UniData or UniVerse.

4. Optional: To view or edit the protocol, port number, and other advanced settings defining the connection, click Advanced.

Go to Viewing or editing advanced settings of a U2 server definition, on page 14.

Tip: The default values for advanced settings work best in most situations. Alter these settings only if necessary.

5. To save the U2 server definition, click Finish. XAdmin creates a directory for the U2 server, registering the server definition so the tool can find it in future sessions. The name of the new U2 server is added to the list in the U2 Resource view.

Connecting to U2 servers

You must open a U2 server connection to work with the accounts stored on the associated UniData or UniVerse (U2) database server computer. You can connect to any U2 server that is listed in the U2 Resource view.


Prerequisite

Creating U2 server definitions, on page 13

Procedure

1. To start the Connect to a U2 Server wizard, double-click the name of the U2 server in the U2 Resource view.

2. In the User ID field, enter the administrator user name or the user name of a valid user on the server computer running UniData or UniVerse.

3. In the Password field, enter the password for the administrator or user on the server computer.

4. To store the password for future connections, select the Remember me check box.

With this check box selected, Microsoft Windows stores the encrypted password on the client computer.

5. If you are using a proxy server, select the Use Proxy Server check box.

a. In the Proxy Host field, enter the name or IP address of the computer on which the proxy server is running.

b. In the Proxy Port field, enter the number of the port on which the proxy server listens for communication from UniData or UniVerse.

6. To connect to the U2 server, click Connect. When the connection is established, the U2 Resource view displays a tree view of the U2 accounts and catalog programs on the U2 database server to which you are connected.

Disconnecting from U2 servers

After completing tasks for a U2 account, you can disconnect from the U2 server. Disconnecting only closes the connection to the U2 server. It does not delete the U2 server definition or remove the U2 server from the list in the U2 Resource view.

▪ In the U2 Resource view, right-click the name of the U2 server from which you want to disconnect, and click Disconnect.

Deleting U2 server definitions

If you no longer require access to the U2 accounts and catalog programs on a U2 database server, you can delete the associated U2 server definition. It is not possible to change the name of an existing U2 server. However, you can delete the U2 server definition and create it again using a new name.

▪ In the U2 Resource view, right-click the name of the U2 server you want to delete, and click Delete. The name of the U2 server and folders for its U2 accounts and catalog programs are removed from the list in the U2 Resource view.


Chapter 3: Administering U2 accounts

U2 accounts overview

A UniData or UniVerse (U2) account is a virtual container used to organize a collection of related files and data for a specific business purpose or activity. For example, a business organization may create a U2 account for use in tracking and managing data on the Sales function of the business.

More technically, a U2 account is a UNIX or Windows directory in hashed format that contains a vocabulary (VOC) file and other U2 system files that provide the environment in which to run U2 tools and applications. An account can be configured to meet the needs of one user, a job function, a department, or an entire company.

A U2 account is associated to a specific U2 server definition. The U2 account name must be unique to the U2 server.

Initiating Accounts tasks

Accounts administration tasks are performed in the editor view, which you can open from the Admin Tasks view in XAdmin.

Prerequisite

Starting XAdmin, on page 12

Procedure

▪ To open the Accounts editor, in the Admin Tasks list, double-click Accounts.

Adding or viewing U2 accounts

A UniData or UniVerse (U2) account serves as a container for a collection of files and data for a related business purpose or activity. In this task, you can create a U2 account or view the list of existing U2 accounts.

1. To create a U2 account, click Add. See Creating a U2 account, on page 17.

2. To view a list of U2 accounts, check information in the grid:

Account Name lists the unique name of each U2 account.

Path displays the full path of the U2 account.

3. Optional: To sort the data for all U2 accounts in the list, click any column heading to sort on that column.

4. Optional: To filter the results, enter a string in the Filters field above any column.

Creating a U2 account

In this task, you can define a new U2 account as the container for a collection of related files for a business purpose or activity.


1. From the Select U2 server list, select the name of the U2 server to be associated to the new U2 account.

2. In the Account Name field, enter a name for the new U2 account. This name must be unique to the U2 server.

3. In the Account Path field, enter the full path for the U2 account, or click Browse to search for the location in which to create the account. To create the account in a path that does not already exist, select the Create the account path if it does not exist check box.

4. To create the U2 account, click Finish. The Create New U2 Account wizard closes. The new U2 account is listed in the grid in the Accounts editor. The U2 account is stored on the U2 database server.


Chapter 4: Managing disk space

Disk space usage

The Disk Space tool enables you to view statistics on a U2 file system's current disk space usage, helping you gauge whether the file system is working optimally, is overloaded, or is allocated too much space.

The total amount of disk space available, the amount of free space, and the percentage of disk space currently in use are all factors that help you determine whether to make adjustments.

Initiating disk space tasks

Disk Space administration tasks are performed in the editor view, which you can open from the Admin Tasks view in XAdmin.

Prerequisite

Starting XAdmin, on page 12

Procedure

▪ To open the Disk Space tool, in the Admin Tasks list, double-click Disk Space.

Viewing disk space usage

The Disk Space tool enables you to view current data on the disk space usage of U2 file systems, helping you determine whether a file system needs space adjustments. In this task, you can view statistics on disk space usage, sort or filter the data, and refresh the display.

Prerequisite

Initiating disk space tasks, on page 19

Procedure

1. From the Block Size options, select a block size for expressing units of disk space: 512 bytes or 1024 bytes.

2. To view statistics on disk space usage for U2 file systems, check information in the grid:

File System lists the full path of each U2 file system.

Total Size displays the total amount of disk space allocated to the file system.

Free Space displays the remaining amount of disk space available for use by the file system.

% in Use displays the percentage of total disk space currently in use by the file system.


3. Optional: To sort the data for all U2 file systems in the list, click any column heading to sort on that column.

4. Optional: To filter the results, in the Filters field above any column, select an operator (=, >, or <) from the drop-down list and enter a string in the associated field.

5. Optional: To refresh the results with current disk space usage data, click Refresh.


Chapter 5: Managing Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) technology

SSL is a transport layer protocol that provides a secure channel between two communicating programs over which arbitrary application data can be sent safely. It is by far the most widely deployed security protocol on the World Wide Web.

SSL provides server authentication, encryption, and message integrity. It can also support client authentication.

UniData and UniVerse currently support CallHTTP and the Sockets API. SSL is important to both of these internet APIs, providing the means to deploy commercial applications and securely process sensitive data, such as credit card transactions.

Although the term “SSL” is used exclusively in this help system, U2 also supports the more recent Transport Layer Security (TLS) protocol. TLS is an expanded version of SSL published by the Internet Engineering Task Force (IETF) standards body. TLS provides support for more public key algorithms and cipher suites.

If you need a more detailed overview of public key cryptography and SSL, see information on these subjects on the World Wide Web.

Initiating SSL tasks

All SSL setup and configuration tasks are performed in the editor view, which you can open from the Admin Tasks view in XAdmin.

Prerequisite

Starting XAdmin, on page 12

Procedure

▪ To open the Configure SSL for Servers editor, in the Admin Tasks list, double-click SSL Configuration.

Setting up and managing SSL

To use the Secure Sockets Layer (SSL) protocol, you must perform some initial setup to create certificates and configure SSL for the U2 server. You can set up and manage SSL certificates and configuration details on an ongoing basis using the editor tool inside XAdmin.

Complete the following tasks:

▪ Generating certificate signing requests, on page 22
▪ Generating SSL certificates, on page 25
▪ Creating security context records, on page 28
▪ Configuring SSL for U2 servers, on page 38


Generating certificate signing requests

Before you can obtain or create an SSL certificate, you must generate an X.509-compliant certificate signing request (CSR) containing a digital signature. You can send the CSR to a third-party certificate authority (CA) to obtain a certificate, or use the CSR as input to generate a certificate with the wizard in XAdmin.

Starting the Generate Certificate Signing Request wizard

The Generate Certificate Signing Request wizard leads you through the process of generating a CSR. You can start the wizard from the editor view.

1. In the Configure SSL for Servers editor, click the Certificate Signing Request tab.

2. To start the Generate Certificate Signing Request wizard, click Generate a Certificate Request. The Generate Certificate Signing Request dialog box contains an introduction to this task.

3. To continue, click Next.

Specifying a file and algorithm for the CSR

In this child task of generating a certificate signing request, you can specify the file to contain the CSR and select the algorithm to use in generating the digital signature for the CSR.

1. In the Certificate Signing Request File field, enter the full path of the operating system-level file to contain the certificate signing request, or click Browse to search for the file location.

2. From the Digest Algorithm options, select the algorithm to use in generating the digital signature for the certificate signing request:

▪ SHA1 – SHA1 cryptographical hash function
▪ SHA224 – SHA2 cryptographical hash function (available for UniData 8.1 or later or UniVerse 11.2.4 or later)
▪ SHA256 – SHA2 cryptographical hash function (available for UniData 8.1 or later or UniVerse 11.2.4 or later)
▪ SHA384 – SHA2 cryptographical hash function (available for UniData 8.1 or later or UniVerse 11.2.4 or later)
▪ SHA512 – SHA2 cryptographical hash function (available for UniData 8.1 or later or UniVerse 11.2.4 or later)
▪ MD5 – MD5 cryptographical hash function

3. To continue, click Next.

Defining properties of the CSR

In this child task of generating a certificate signing request, you can enter required and optional properties to define the CSR.

1. In the Request Properties dialog box, from the C (Country Code) list, select the two-letter code for the country in which the requesting organization is located.

2. Optional: In the ST (Province) field, enter the full name of the state or province of the organization requesting the SSL certificate. Example: Massachusetts.


3. Optional: In the L (Locality) field, enter the full name of the city or locality of the requesting organization. Example: Newton.

4. In the O (Organization) field, enter the full legal name of the company or person requesting the certificate, as legally registered in the locality. Example: Rocket Software, Inc.

5. Optional: In the OU (Organization Unit) field, enter the name of the requesting business unit or branch within the organization. Example: Information Technologies

6. In the CN (Common Name) field, enter the fully qualified domain name (FQDN) for which you are requesting the certificate.

7. Optional: In the Email field, enter the e-mail address of the primary contact requesting the certificate.

8. To continue, click Next.

Selecting a key pair option

In this child task of generating a certificate signing request, you can choose to use an existing key pair or generate a new key pair for the CSR.

1. In the Key Pair Selection dialog box, select one of the following key pair options:

▪ Use existing key pair
▪ Generate new key pair

2. To continue, click Next.

Supplying key pair parameters

The tool needs several pieces of information to generate a new key pair or find an existing key pair.

In this child task of generating a certificate signing request, you will either:

▪ Select the format and private key file of an existing key pair, or
▪ Select the parameters required to generate a new key pair.

1. In the Key Pair Info dialog box, from the Key Algorithm options, select the algorithm to use in generating a new key pair or the algorithm that was used to generate an existing key pair:

▪ RSA – RSA key algorithm
▪ DSA – Digital signature algorithm

2. The Key Length list is enabled only if you selected the Generate new key pair option in the previous task. From this list, select the length of the key in bits. This is the primary measure of the cryptographic strength of the key. Valid values are multiples of 64, ranging from 512 to 16384.

Note: The stronger the key, the longer it takes to create the key. For example, a key strength of 16384 can take up to ten minutes to create. We recommend that keys have a minimum length of 2048.

3. From the Key File Format options, select the format for private and public key files:


▪ PEM – Privacy Enhanced Mail format
▪ DER – Distinguished Encoding Rules format

4. The Parameter File field is enabled only if you selected DSA as the Key Algorithm option.

▪ For a new key pair, enter the full path of an existing parameter file, or click Browse to search for the file location. The UniData or UniVerse (U2) data server uses the selected parameter file to generate the key pair. If you leave this field blank, the U2 database server uses its default parameters table to generate the key pair.

▪ For an existing key pair, enter the full path or browse for the parameter file that was used to generate the key pair.

5. In the Private Key File field, enter the name of the file to contain the private key, or click Browse to search for an existing private key file.

6. The Public Key File field is enabled only if you selected the Generate new key pair option in the previous task. In this field, enter the name of the file to contain the public key, or click Browse to search for an existing public key file.

7. To continue, click Next.

Entering a password for the private key file

The private key file must be password-protected to maintain its security.

In this child task of generating a certificate signing request, you will:

▪ Enter the password previously established for an existing private key file, or
▪ Create a password for a new private key file.

1. In the Password for Private Key field, enter the password for the private key file. XAdmin does not enforce password length or strength rules on this password; however, as a best practice, create a strong password to protect the private key.

2. In the Confirm Password field, enter the password again for verification. The wizard now has all the information required to generate the certificate signing request file.

3. To generate the CSR file, click Next. Otherwise, to review selections or make changes, click Back.
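To check a request produced by the steps above before it goes to a CA, the following added example (not part of the Rocket documentation or of XAdmin) reads a CSR and reports the digest named in its signature algorithm and the RSA key length, flagging keys below the 2048-bit minimum recommended above. It assumes the request is a PKCS #10 structure in PEM or DER, handles RSA keys only, treats MD5 and SHA1 as weak as this example's own policy, and builds its sample requests from filler bytes.

```python
import base64

# DER bytes of OID 1.2.840.113549.1.1 (PKCS #1); the final arc selects the algorithm.
RSA_PREFIX = bytes.fromhex("2a864886f70d0101")
RSA_ENCRYPTION = RSA_PREFIX + b"\x01"
SIG_DIGESTS = {  # <digest>WithRSAEncryption OID -> digest name as listed in the wizard
    RSA_PREFIX + b"\x04": "MD5", RSA_PREFIX + b"\x05": "SHA1",
    RSA_PREFIX + b"\x0e": "SHA224", RSA_PREFIX + b"\x0b": "SHA256",
    RSA_PREFIX + b"\x0c": "SHA384", RSA_PREFIX + b"\x0d": "SHA512",
}
WEAK_DIGESTS = {"MD5", "SHA1"}  # this example's policy (assumption), not the manual's
MIN_KEY_BITS = 2048             # minimum key length the manual recommends


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: length in one byte
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def to_der(data):
    """Accept a PEM-armoured or raw DER request (bytes) and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [ln.strip() for ln in data.splitlines()]
        return base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"-----")))
    return data


def inspect_csr(data):
    """Return the digest, RSA key size and policy findings for a PKCS #10 CSR."""
    tag, top, _ = read_tlv(to_der(data), 0)
    if tag != 0x30:
        raise ValueError("CSR must start with a DER SEQUENCE")
    (_, info), (_, sig_alg) = children(top)[:2]
    (_, spki) = children(info)[2]            # version, subject, subjectPKInfo
    (_, key_alg), (_, key_bitstring) = children(spki)[:2]
    digest = SIG_DIGESTS.get(children(sig_alg)[0][1], "unknown")
    key_bits = None
    if children(key_alg)[0][1] == RSA_ENCRYPTION:
        # BIT STRING = unused-bit count byte, then RSAPublicKey SEQUENCE.
        _, rsa_key, _ = read_tlv(key_bitstring, 1)
        modulus = children(rsa_key)[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    findings = []
    if digest in WEAK_DIGESTS:
        findings.append(f"weak digest {digest}")
    elif digest == "unknown":
        findings.append("signature algorithm not recognised")
    if key_bits is not None and key_bits < MIN_KEY_BITS:
        findings.append(f"RSA key is {key_bits} bits, below {MIN_KEY_BITS}")
    return {"digest": digest, "key_bits": key_bits, "findings": findings}


def tlv(tag, content):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def sample_csr(sig_arc, modulus_bits):
    """Constructed CSR-shaped DER with filler key and signature bytes (not a usable request)."""
    filler = modulus_bits // 8
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * filler) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_ENCRYPTION) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + rsa_key))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"u2.example.test"))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, tlv(0x06, RSA_PREFIX + bytes([sig_arc])) + tlv(0x05, b""))
    return tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" + b"\x5a" * filler))


if __name__ == "__main__":
    print(inspect_csr(sample_csr(0x0B, 2048)))   # SHA256, 2048-bit RSA
    print(inspect_csr(sample_csr(0x05, 1024)))   # SHA1, 1024-bit RSA
```

The check reads only the algorithm identifier and the modulus; it does not verify the request's signature. A DSA request returns no key size and is reported as an unrecognised signature algorithm.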

Verifying the status of generating the certificate

In this child task of generating an SSL certificate, you can check the status message to see whether the certificate was generated successfully. If it was not, you can go back to make corrections.

1. In the Review Status and Finish dialog box, check the message indicating the status of generating the certificate. If the certificate was created successfully, the dialog box contains the message “Certificate was generated successfully.” If the process did not generate a certificate, the dialog box contains the message “Failed to create certificate.” To return to previous dialog boxes and correct the error, click Back.

2. To close the Generate SSL Certificate wizard and return to the Configure SSL for Servers editor, click Finish.


Generating SSL certificates

Using a wizard, you can create three types of X.509 SSL certificate:

▪ Self-signed root certificate
▪ Intermediate CA certificate
▪ Server or client certificate

A certificate is used to bind the name of an entity with its public key. It is used as a means of distributing a public key. A certificate always contains three pieces of information:

▪ Name
▪ Public key
▪ Digital signature signed by a trusted third party, called a certificate authority (CA), with its private key

If you have the public key of the CA (contained in the CA certificate), you can verify that the certificate is authentic.

The SSL protocol specifies that when two parties start a handshake, the server must send its certificate to the client for authentication. It may also require the client to send its certificate to the server for authentication. U2 servers that act as HTTP clients are not required to maintain a client certificate. U2 applications that act as SSL socket servers must install a server certificate. UniObjects for Java servers and Telnet servers also require a server certificate.

There can be only one server/client certificate per security context record. Adding a new certificate automatically replaces an existing certificate. However, for issuer certificates, the U2 data server chains a new one with existing certificates so U2 applications can perform chained authentication.

If the issuer certificate is in PEM format, it can contain multiple certificates by concatenating certificates together.

All certificates that form an issuer chain must be of the same type.

You can also use the wizard to view the details of existing SSL certificates stored on the computer.

Starting the Generate SSL Certificate wizard

The Generate SSL Certificate wizard leads you through the process of generating or viewing an SSL certificate. You can start the wizard from the editor view.

Procedure

1. In the Configure SSL for Servers editor, click the Certificate tab.

2. To start the Generate SSL Certificate wizard, click Generate a Certificate. The Generate SSL Certificate dialog box contains an introduction to this task.

3. To continue, click Next.

Specifying a certificate file name

In this child task of generating an SSL certificate, you can specify the name for a new certificate file. Alternatively, you can use the wizard to select the name of an existing certificate file and view its details.


1. In the Certificate File field, enter a unique name or full path for a new certificate file, or click Browse to search for the location of an existing certificate file.

2. The appropriate action in this step depends on whether you entered a new file name or selected an existing file name.

▪ To continue with creating a new certificate, click Next.
▪ To view the details of an existing certificate, click Show. When you finish viewing the certificate details, you can close the wizard and perform another task.

Setting the validity period for a new certificate

An SSL certificate is valid only for a specified time period. In this child task of generating an SSL certificate, you will set the number of days for which the new certificate is valid.

1. From the Validity Period list, select the number of days for which the new SSL certificate is to be valid. The certificate is valid starting from the current date until the specified number of days elapses. The default value is 365 days.

2. To continue, click Next.

Selecting a certificate type

An X.509 SSL certificate can be one of three types, depending on the purpose it serves. In this child task of generating an SSL certificate, you can select the type of certificate to create.

1. From the Certificate Type options, select the type of SSL certificate to create:

▪ Self-signed root certificate
▪ Intermediate CA certificate
▪ Server/Client certificate

2. From the Signing Algorithm options, select a signing algorithm. The default selection is SHA1.

3. To continue, click Next.

Next step

The next step depends on the certificate type you selected:

▪ Self-signed root certificate: Selecting the private key file of the CSR, on page 27
▪ Intermediate CA certificate or Server/Client certificate: Optional: Defining certificate extensions, on page 26

Optional: Defining certificate extensions

Extensions can be used to further define the purpose or provide identifiers for an intermediate CA certificate or server/client certificate. In this child task of creating a certificate of either type, you have the option of defining relevant certificate extensions.

Procedure

1. In the X.509 v3 Certificate Extensions dialog box, select the check box for each certificate extension that you want to define for the new certificate:

▪ Subject Alt Name – The subject alternative name extension allows additional identities to be bound to the subject of the certificate.

▪ Key Usage – This extension defines the purpose of the key contained in the certificate and can be used to put certain restrictions on key usage.

▪ Basic Constraints – This extension indicates whether the subject of the certificate is a certificate authority (CA).

▪ Subject Key Identifier – This extension provides a means of identifying certificates that contain a particular public key.

▪ Authority Key Identifier – This extension identifies the public key corresponding to the private key used to sign the certificate.

When you select an extension, help text for that extension is displayed in the lower half of the dialog box, along with the relevant options for defining the extension.

If no extensions are relevant, leave all check boxes cleared.

2. To continue, click Next.

Selecting required files to generate a certificate

Selecting the private key file of the CSR

A private key was used to generate the certificate signing request (CSR) you selected in a previous step. In this child task of creating a self-signed root certificate, you will select the private key file of the CSR associated with the new certificate.

Prerequisite

Selecting a certificate type, on page 26

Procedure

1. In the Private Key File field, enter the full path of the private key file used to generate the certificate signing request associated with the new certificate, or click Browse to search for the file location.

2. To continue, click Next.

Next step

Entering the password for the private key file, on page 28

Selecting the signing certificate file and private key file

In this child task of creating an SSL certificate, you will select the signing certificate file to use in signing the new certificate and the private key file of the signing certificate.

Two files are required as input to generate an intermediate CA certificate or server/client certificate:

▪ A signing certificate file to use in signing the new SSL certificate.
▪ A private key file that was used to generate the signing certificate file.

Prerequisite

Optional: Defining certificate extensions, on page 26

1. In the Signing Certificate File field, enter the full path of the certificate file to use in signing the new certificate, or click Browse to search for the file location.

2. In the Private Key File field, enter the full path of the private key file that was used to generate the signing certificate file, or click Browse to search for the file location.

3. To continue, click Next.

Entering the password for the private key file, on page 28

Entering the password for the private key file

A private key file is password-protected. In this child task of generating an SSL certificate, you will enter the password for the private key file you selected in the previous step.

Prerequisite

The prerequisite task depends on the type of certificate you are creating:

▪ Self-signed root certificate: Selecting the private key file of the CSR, on page 27
▪ Intermediate CA certificate or Server/Client certificate: Selecting the signing certificate file and private key file, on page 27

Procedure

1. In the Password for Private Key field, enter the password for the private key file selected in the previous step, as follows:

▪ For a Self-signed root certificate, enter the password for the private key file used to generate the certificate signing request file.

▪ For an Intermediate CA certificate or Server/Client certificate, enter the password for the private key file used to generate the signing certificate file.

2. In the Confirm Password field, reenter the password for verification. The wizard now has all the information required to generate the certificate.

3. To generate the new certificate, click Next. Otherwise, to review selections or make changes, click Back.

Next step

Verifying the status of generating the certificate, on page 24

Creating security context records

A security context record (SCR) is a data structure that holds the security properties that the application associates with a secured connection. The Security Context Record wizard leads you through the steps of creating or modifying an SCR, which the application requires for secured communication through SSL.

Starting the Security Context Record wizard

The Security Context Record wizard leads you through the procedure of creating a new security context record (SCR). You can start the wizard from the editor view.

Prerequisite

Generating SSL certificates, on page 25

Procedure

1. In the Configure SSL for Servers editor, select the Security Context Record tab.

2. From the SCR Database list, select the database account in which to create or view the security context record. The full path of the selected database account is populated in the Path field.

Note: If the database account you want to use is not shown in the list, you can add it using the XAdmin Accounts option, as described in Adding or viewing U2 accounts, on page 17.

3. To start the Security Context Record wizard, click Add. The Security Context Record (SCR) dialog box contains an introduction to the task of creating an SCR. Make sure you have generated the necessary keys and certificates before proceeding.

4. To continue, click Next.

Specifying the record ID and protocol

A unique record ID is used to identify each security context record (SCR), and one of several transport layer protocols can be used to generate the SCR. In this child task of creating a security context record, you will assign a record ID to the SCR and select the protocol to use in generating the new SCR.

1. In the Security Context Record ID field, enter a unique ID for the security context record.

2. From the SSL/TLS Version list, select the appropriate transport layer protocol version to use in generating the security context record. Valid versions are:

▪ SSLv2
▪ SSLv3
▪ TLSv1
▪ TLSv1.2 (available for UniData 8.1 or later or UniVerse 11.2.4 or later)

Tip: For increased security, select TLSv1.2 or TLSv1. Use of either protocol is recommended as a best practice.

3. To continue, click Next.

Selecting server or client usage

Either a server or a client accesses the security context record (SCR) to get the properties to associate with a secured connection. In this child task of creating a security context record, you will select an option indicating whether the new SCR is to be used by a server or a client.

1. From the SCR Usage Type options, select an option indicating how the security context record is to be used:

▪ SCR for server – The security context record is to be used by a server
▪ SCR for client – The security context record is to be used by a client

2. To continue, click Next.

Setting authentication properties

The server or the client must authenticate the validity of certificates during handshake negotiations. In this child task of creating a security context record, you will set the parameters that the server or the client uses to authenticate certificates.

▪ For an SCR for server, go to Setting server authentication properties, on page 30.
▪ For an SCR for client, go to Setting client authentication properties, on page 31.

Setting server authentication properties

With an SCR for server, the server must verify the validity of incoming certificates during handshake negotiations. In this child task of creating a security context record, you will set the parameters that the server uses to authenticate certificates.

Prerequisite

Selecting server or client usage, on page 29

Procedure

1. In the Server Authentication Properties dialog box, from the Authentication Depth list, select a value to indicate the level of verification the UniData or UniVerse (U2) database server is to perform before determining that a certificate is not valid. Depth is the maximum number of intermediate issuer certificates, or CA certificates, the U2 database server must examine while verifying an incoming certificate. A depth of 0 indicates that the certificate must be self-signed. A depth of 1 means that the incoming certificate can be either self-signed or signed by a CA known to the security context record. The default value is 3.

2. Optional: In the Trusted Peer Names field, you can add one or more trusted peer names, as explained here.

The U2 database server uses this list of peer names to determine whether to trust a peer in handshake negotiations. Trusted server/client names are stored in the security context record.

If no trusted peer name is set, any peer is considered legitimate.

To add trusted peer names, click Add. For steps, go to Adding trusted peer names, on page 32.

3. From the Authentication Strength options, select the level of security to be used in the authentication process:

▪ Generous – The certificate need only contain the subject name (common name) that matches one specified by “PeerName” to be considered valid.

▪ Strict – The incoming certificate must pass a number of checks, including signature check, expiry check, purpose check, and issuer check.

Tip: Use the Generous option for development or testing purposes only, and the Strict option for any other purpose.

4. If the server is to use client authentication during the handshake, select the Client Authentication check box. With this check box selected, the server sends a client authentication request to the client during the initial handshake. The server also receives the client certificate and performs authentication according to the issuer’s certificate (or certificate chain) set in the security context record.

5. To continue, click Next.

Next step

Selecting the certificate path rule, on page 32

Setting client authentication properties

With an SCR for client, the client must verify the validity of certificates during handshake negotiations. In this child task of creating a security context record, you will set the parameters that the client uses to authenticate certificates.

Prerequisite

Selecting server or client usage, on page 29

1. In the Client Authentication Properties dialog box, from the Authentication Depth list, select a value to indicate the level of verification the client is to perform before determining that a certificate is not valid. Depth is the maximum number of intermediate issuer certificates, or CA certificates, the client must examine while verifying an incoming certificate. A depth of 0 indicates that the certificate must be self-signed. A depth of 1 means that the incoming certificate can be either self-signed or signed by a CA known to the security context record. The default value is 3.

2. Optional: In the Trusted Peer Names field, you can add one or more trusted peer names, as explained here.

The client uses this list of peer names to determine whether to trust a peer in handshake negotiations. Trusted server/client names are stored in the security context record.

If no trusted peer name is set, any peer is considered legitimate.

To add trusted peer names, click Add. For steps, go to Adding trusted peer names, on page 32.

3. From the Authentication Strength options, select the level of security to be used in the authentication process:

Note: Use the Generous option for development or testing purposes only, and the Strict option for any other purpose.

The Client Authentication check box is not applicable to an SCR for client, so it is unavailable in this client dialog box.

4. To continue, click Next.

Next step

Selecting the certificate path rule, on page 32

Adding trusted peer names

The U2 database server client uses a list of peer names to determine whether to trust a peer in handshake negotiations. Trusted server/client names are stored in the security context record. In this child task of setting authentication properties, you can add the names of trusted peers.

Prerequisite

The prerequisite task depends on the authentication method you selected:

▪ Server authentication: Setting server authentication properties, on page 30
▪ Client authentication: Setting client authentication properties, on page 31

Procedure

1. In the Peer Name field, enter one or more trusted peer names in a comma-separated list.

Note: The trust names can be either fully specified names like [email protected], or wildcard names. There are two wildcard characters: ‘%’ can be used to match ANY character strings, while ‘_’ (underscore) can be used to match a single character. For example, %@us.xyz.com matches both [email protected] and [email protected].

2. To save the changes and return to the parent task, click OK.
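The wildcard rules in the note above can be modelled and audited before a list is entered in the Peer Name field. This is an added example, not Rocket's code: the function names are hypothetical, the peer names are constructed, and it assumes the whole name must match and that matching is case-sensitive, which the page does not state.

```python
import re

def parse_peer_names(field):
    """Split the comma-separated Peer Name field into trimmed, non-empty patterns."""
    return [p.strip() for p in field.split(",") if p.strip()]

def pattern_to_regex(pattern):
    """Translate a trust name: '%' = any character string, '_' = exactly one character."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))      # '.', '@' and so on stay literal
    return re.compile("".join(parts))

def is_trusted(peer_name, patterns):
    """Apply the documented rule: with no trusted peer name set, any peer is legitimate."""
    if not patterns:
        return True
    # fullmatch anchors both ends (assumption: the whole name must match)
    return any(pattern_to_regex(p).fullmatch(peer_name) for p in patterns)

def audit_patterns(patterns):
    """Return (pattern, finding) pairs for lists that trust more peers than intended."""
    findings = []
    if not patterns:
        findings.append(("", "EMPTY_LIST"))          # every peer is trusted
    for p in patterns:
        if set(p) <= {"%", "_"}:
            findings.append((p, "WILDCARD_ONLY"))    # no literal part at all
        elif re.search(r"%[A-Za-z0-9]", p):
            # '%' runs straight into a name with no separator such as '@' or '.',
            # so '%us.xyz.com' also matches names ending in 'notus.xyz.com'
            findings.append((p, "NO_BOUNDARY"))
    return findings

if __name__ == "__main__":
    # Constructed sample input for the Peer Name field
    trusted = parse_peer_names("%@us.xyz.com, svc_@hq.example")
    for name in ["alice@us.xyz.com", "alice@eu.xyz.com", "svc1@hq.example", "svc12@hq.example"]:
        print(name, is_trusted(name, trusted))
    print(audit_patterns(parse_peer_names("%, %us.xyz.com")))
```

Because ‘_’ is always a wildcard, a trust name that contains a literal underscore, such as the constructed `db_admin@us.xyz.com`, also matches `db-admin@us.xyz.com`.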

Selecting the certificate path rule

When loading a certificate to establish an SSL connection, the UniData or UniVerse (U2) database server retrieves the certificate from its registered full path by default. In this child task of creating a security context record, you can select a certificate path rule to specify the default path or an alternative location in which to search for certificates.

Prerequisite

Setting authentication properties, on page 30

Procedure

1. From the Certificate Path Rule options, select a certificate path rule to specify the search path:

▪ Default – When you add a certificate to a security context record, the full path for that certificate is registered in the security context record. This path is derived from the current directory in which U2 is running. When the certificate is loaded into memory to establish the SSL connection, the U2 database server by default uses the registered full path to retrieve the certificate.

▪ Relative – With this option, the U2 database server looks for the certificate in the current directory in which U2 is running. Be aware that some processes, such as the Telnet server, run from the system directory.

▪ Path – With this option, the U2 database server uses the path you specify here to load the certificate. You can enter either an absolute path or a relative path, or click Browse to search for the path.

▪ Env – If you select this option, enter an environment variable name in the Env field. With this option, the U2 process first obtains the value of the environment variable you specify, and then uses that value as the path to load the certificate.

The U2 database server evaluates the environment variable only when the first SSL connection is made. The value is cached for later reference.

2. To continue, click Next.

Associating certificates to the security context

A certificate is used to bind the name of an entity with its public key.

It is used as a means of distributing a public key. A certificate always contains three pieces of information:

▪ Name
▪ Public key
▪ Digital signature signed by a trusted third party, called a certificate authority (CA), with its private key

If you have the public key of the CA (contained in the CA certificate), you can verify that the certificate is authentic.

SSL protocol specifies that when two parties start a handshake, the server must send its certificate to the client for authentication. It may also require the client to send its certificate to the server for authentication. U2 servers that act as HTTP clients are not required to maintain a client certificate. U2 applications that act as SSL socket servers must install a server certificate. UniObjects for Java servers and Telnet servers also require a server certificate.

There can be only one server/client certificate per security context record. Adding a new certificate automatically replaces an existing certificate. However, for issuer certificates, the U2 data server chains a new one with existing certificates so U2 applications can perform chained authentication.

If the issuer certificate is in PEM format, it can contain multiple certificates by concatenating certificates together.

All certificates that form an issuer chain must be of the same type.

Associating server/client certificates to a security context

You can select an existing certificate to associate to the security context. This certificate is used as either the server certificate or the client certificate in handshake negotiations.

▪ For an SCR for servers, go to Associating a server certificate to a security context, on page 33.
▪ For an SCR for clients, go to Optional: Associating a client certificate to a security context, on page 34.

Associating a server certificate to a security context

When you use an SCR for server, the server sends its certificate to the client in handshake negotiations. In this child task of creating a security context record, you can load a server certificate to the security context. Only one server certificate can be associated with a security context. If you add a new certificate, it automatically replaces an existing certificate.

Prerequisite

Selecting the certificate path rule, on page 32

Procedure

1. In the Server Certificate File field, enter the full path of the file containing the server certificate, or click Browse to search for the file location.

2. From the Certificate File Format options, select the file format for the server certificate:

▪ PEM – Base64 encoded format
▪ DER – ASN.1 binary format
▪ PKCS #12 – Public-Key Cryptography Standards format

3. To continue, click Next.

Next step

Selecting the private key file for the server or client certificate, on page 34

Optional: Associating a client certificate to a security context

When you use an SCR for client, the client may be requested to send its certificate to the server in handshake negotiations. In this child task of creating a security context record, you can associate a client certificate to the security context. Only one client certificate can be associated with a security context. If you add a new certificate, it automatically replaces an existing certificate.

Prerequisite

Selecting the certificate path rule, on page 32

Procedure

1. In the Client Certificate File field, enter the full path of the file containing the client certificate, or click Browse to search for the file location.

2. From the Certificate File Format options, select the file format for the client certificate:

▪ PEM – Base64 encoded format
▪ DER – ASN.1 binary format
▪ PKCS #12 – Public-Key Cryptography Standards format

3. To continue, click Next.

Next step

Selecting the private key file for the server or client certificate, on page 34

Selecting the private key file for the server or client certificate

A private key file protects the security of the server or client certificate. In this child task of associating a server or client certificate to a security context record, you can select the private key file of the selected server or client certificate.

Prerequisite

Associating a server certificate to a security context, on page 33 or Optional: Associating a client certificate to a security context, on page 34

1. In the Private Key File field, enter the full path of the file that contains the private key associated with the server or client certificate, or click Browse to search for the file location.

2. In the Password for Private Key field, enter the password for the private key file.

3. In the Confirm Password field, reenter the password for verification.

4. From the Private Key Format options, select the format of the private key file:

▪ PEM – Base64 encoded format
▪ DER – ASN.1 binary format
▪ PKCS #12 – Public-Key Cryptography Standards format

5. To continue, click Next.

Optional: Associating CA certificates to a security context record

A certificate authority (CA) certificate is used to sign other certificates. If a CA certificate is associated to a security context, it can be used to verify incoming certificates. In this optional child task of creating a security context record, you can associate one or more CA certificates to the security context.

1. In the CA Certificates dialog box, click Add.

2. The Add CA Certificate dialog box allows you to associate CA certificates to the security context, one at a time. In the Certificate File field, enter the full path of the CA certificate file, or click Browse to search for the file location.

3. From the Format options, select the format of the CA certificate:

▪ PEM – Base64 encoded format
▪ DER – ASN.1 binary format
▪ PKCS #12 – Public-Key Cryptography Standards format

4. To add the CA certificate to the security context, click OK. The full path of the selected CA certificate is populated in the CA Certificates dialog box.

5. Repeat steps 1-4 for each CA certificate to be added to the security context.

6. To continue, click Next.
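The three format options offered in the preceding procedures (PEM, DER, PKCS #12) can be told apart from the bytes of a file, which helps in choosing the right option and in counting the certificates concatenated in a PEM issuer file. This is an added example, not part of the Rocket documentation or of U2: the function names are hypothetical, and the sample byte strings are constructed stand-ins that carry only the outer ASN.1 shape, not real certificates or key stores.

```python
import base64
import re

# One PEM block: a BEGIN/END pair with the same label around a Base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def read_der_header(data, offset=0):
    """Return (tag, content_start, content_length) of the DER element at offset."""
    if len(data) < offset + 2:
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                                # short-form length
        return tag, offset + 2, first
    n = first & 0x7F                                # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < offset + 2 + n:
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return tag, offset + 2 + n, length

def classify_der(data):
    """Classify binary data by its outer ASN.1 shape: 'DER', 'PKCS #12' or 'unknown'."""
    try:
        tag, start, length = read_der_header(data)
        if tag != 0x30 or start + length > len(data):   # need a complete SEQUENCE
            return "unknown"
        inner_tag, inner_start, inner_len = read_der_header(data, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }. Other DER objects
        # share this shape, so this identifies the encoding, not the content.
        return "DER"
    if inner_tag == 0x02 and data[inner_start:inner_start + inner_len] == b"\x03":
        return "PKCS #12"                           # PFX ::= SEQUENCE { version INTEGER (3) ... }
    return "unknown"

def sniff_format(data):
    """Return (format_option, count): certificates found for PEM, 1 for one binary object."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        count = 0
        for label, body in blocks:
            if label != b"CERTIFICATE":             # keys and other objects are not counted
                continue
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:                      # binascii.Error is a ValueError
                return "unknown", 0
            if classify_der(der) != "DER":
                return "unknown", 0
            count += 1
        return "PEM", count
    kind = classify_der(data)
    return (kind, 1) if kind != "unknown" else ("unknown", 0)

def to_pem(der, label=b"CERTIFICATE"):
    """Wrap DER bytes in a PEM block (used here only to build the sample bundle)."""
    body = base64.encodebytes(der)                  # Base64 with a trailing newline
    return b"-----BEGIN " + label + b"-----\n" + body + b"-----END " + label + b"-----\n"

# Constructed samples: minimal byte strings with the right outer structure only.
SAMPLE_CERT_DER = bytes.fromhex("30053003020102")   # SEQUENCE { SEQUENCE { INTEGER 2 } }
SAMPLE_PFX_DER = bytes.fromhex("3003020103")        # SEQUENCE { INTEGER 3 }
SAMPLE_CHAIN_PEM = to_pem(SAMPLE_CERT_DER) + to_pem(SAMPLE_CERT_DER)

if __name__ == "__main__":
    for name, blob in [("chain.pem", SAMPLE_CHAIN_PEM), ("cert.der", SAMPLE_CERT_DER),
                       ("store.p12", SAMPLE_PFX_DER), ("notes.txt", b"hello")]:
        print(name, sniff_format(blob))
```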

Selecting or generating a random file

The UniData or UniVerse (U2) database server uses a random (.rnd) file to perform every secured operation, from generating keys to creating certificates and certificate signing requests. In this child task of creating a security context record, you can select a random file or generate a new random file to associate to the security context.

Procedure

1. In the Random File dialog box, use one of the following three methods to select or generate a random file for use in the security context:

▪ By default, the U2 database server uses the random (.rnd) file in the current account. To use the default random file, leave the Random File field blank.

Tip: The strength of cryptographic functions depends on the true randomness of keys. As a rule, the default random file in the current account is the best means to achieve a secure environment.

▪ To use an alternative random file, in the Random File field enter the full path of an existing random file, or click Browse to search for the file location.

▪ Otherwise, to generate a new random file from seed source files, click New Random File. Go to Optional: Generating a random file, on page 36.

2. To continue, click Next.

Next step

Optional: Specifying ciphers, on page 36

Optional: Generating a random file

In some cases, you can choose not to associate the default random file or an existing random file to the security context. Alternatively, you can build a new random file from scratch. In this optional child task of creating a security context record, you can generate a new random file from seed source files.

Remember: The strength of cryptographic functions depends on the true randomness of keys. As a rule, the default .rnd file in the current account is the best means to achieve a secure environment.

1. In the File Name field, enter a name for the new random file, or click Browse to select the file location.

2. From the File Length list, select a file length for the new random file.

3. In the Random Seed Source Files box, populate a list of one or more seed source files to use in generating the new random file. To select a file, click Add. Go to Adding seed source files, on page 36.

4. Repeat step 3 for each seed source file to be added.

5. When you have finished adding seed source files, click OK.

The Random File dialog box is redisplayed. The name of the newly generated random file is populated in the Random File field.

Adding seed source files

A seed source file contains the data used to generate random keys. In this child task of generating a random file, you can select one or more seed source files.

1. In the File Name field, enter the full path of a file to be used as a seed source file in generating the new random file, or click Browse to search for the seed source file location.

2. To continue, click OK. The New Random File dialog box is redisplayed. The selected random seed source file is populated in the Random Seed Source Files list.

Optional: Specifying ciphers

The cipher parameters determine which cipher suites and public key algorithms are supported during the handshake and subsequent data exchanges in the security context. In this child task of creating a security context record, you can specify the ciphers to associate to the security context.

Prerequisite

Selecting or generating a random file, on page 35

Procedure

1. In the Ciphers field, enter the CipherSpecs parameter for the cipher suite to use in the security context.

The CipherSpecs parameter is a string containing cipher-spec separated by colons. An SSL cipher specification in cipher-spec is composed of four major attributes and several less significant attributes. For detailed information about cipher specifications, see UniData or UniVerse Security Features.

Note: The security context's cipher suites are set automatically to SSLv3 suites supported by the SSL version you selected.

2. To continue, click Next.

Optional: Specifying a certificate revocation list

A certificate revocation list (CRL) is a list of the serial numbers of certificates that have been revoked. In this child task of creating a security context record, you can select one or more files containing a certificate revocation list to use in the security context.

1. In the Certificate Revocation List dialog box, populate the list with one or more certificate revocation files to use in the security context. To select a file, click Add. Go to Optional: Specifying a certificate revocation list, on page 37.

2. Repeat step 1 for each certificate revocation file to be added.

3. To continue, click Next.

Setting a password for the SCR

A security context record (SCR) must be password-protected to safeguard its security. In this child task of creating a security context record, you can set a password for the SCR.

1. In the Password for SCR field, enter a password for the security context record.

2. In the Confirm Password field, enter the password again for verification.

3. To create the security context record, click Next.

Verifying the status of generating the SCR

In this child task of generating a security context record, you can check the status message to see whether the SCR was generated successfully. If it was not, you can go back to make corrections.

1. In the Review Status and Finish dialog box, check the message indicating the status of generating the security context record. If the security context record was created successfully, the dialog box contains the message, “SCR record was added/updated successfully.” If the process did not generate an SCR, the message “Failed to save SCR” is displayed. To return to previous dialog boxes and correct the error, click Back.

2. To close the Security Context Record wizard and return to the Configure SSL for Servers editor, click Finish.

Configuring SSL for U2 servers

A security context record contains all SSL-related properties necessary for the UniData or UniVerse (U2) server to establish a secured connection with an SSL client. After creating a security context record, you can configure SSL for a U2 server to process requests by various U2 clients, including UniObjects (UO), UniObjects for Java (UOJ), ODBC, OLEDB, wIntegrate, and others. In this child task of configuring SSL for U2 servers, you can configure a UniData or UniVerse (U2) database server for a selected security context record (SCR).

Prerequisite

Creating security context records, on page 28

Procedure

1. From the Service Name list, select the name of the U2 service for the U2 database server.

2. From the SCR Database list, select the database account in which the security context record to be configured is stored.

3. In the Path field, the full path of the selected database account is displayed. Verify that this is the correct path for the security context record.

4. From the SCR Record list, select the security context record for this SSL configuration entry.

5. In the Password Seed field, enter the password for this SSL configuration record.

6. In the Confirm Password field, enter the password again for verification.

7. To add the SSL configuration entry, click OK.

The new configuration record is listed in the Server Configuration tab of the Configure SSL for Servers editor.

Chapter 6: Managing data encryption

Automatic data encryption (ADE) operations

The UniData and UniVerse (U2) database servers offer automatic data encryption (ADE) as an optional feature for securing data-at-rest. ADE is an integrated solution built into the U2 database architecture, providing comprehensive data security with no extra licensing required.

The ADE model hinges on a password-protected master key, which it employs in all encryption operations. It uses the master key to derive encryption keys, which are used to encrypt and decrypt the content of U2 data files and index files. When encrypting a file, you must associate an encryption key and an encryption algorithm for each object to encrypt. ADE gives you the ability to encrypt an entire record or just specified fields in the record.

The U2 database server automatically encrypts data when it writes records to a U2 file. It automatically decrypts data when it reads records from a U2 file. The data read and write operations may be initiated directly by the U2 database server or through UniBasic or UniVerse BASIC commands.

The U2 automatic data encryption feature supports Federal Information Processing Standards (FIPS) encryption algorithms, including Data Encryption Standard (DES) and Advanced Encryption Standard (AES) algorithms. ADE uses these industry-standard algorithms to produce strong encryption keys that protect the content of U2 data stores.

ADE has many advantages, but be aware that it adds to system overhead. When using automatic data encryption, system performance might decrease somewhat due to encryption operations, and more disk space might be required. However, the benefits of securing data-at-rest in most cases outweigh the disadvantages.

Initiating data encryption tasks

All tasks related to automatic data encryption (ADE) are performed in the editor view, which you can open from the Admin Tasks view in XAdmin.

Prerequisite

Starting XAdmin, on page 12

Procedure

▪ To open the Data Encryption editor, in the Admin Tasks list double-click Data Encryption.

Administering data encryption

The Data Encryption tools inside XAdmin assist you with creating keys, encrypting and decrypting files, managing the key store, setting password policies, and performing associated tasks to administer day-to-day data encryption activities.

Before administering data encryption, see Initiating data encryption tasks, on page 39, then complete the tasks in Managing data encryption, on page 39.


Managing encryption keys

The U2 automatic data encryption (ADE) feature uses encryption keys to encrypt, decrypt, and re-encrypt individual U2 files. Encryption keys are derived from the master key, so their security depends largely on password protection of the master key and safe storage of the master key file. Using the Keys tool inside the Data Encryption editor, you can create and delete encryption keys, view details of encryption keys, grant or revoke user and group access to keys, and change passwords for keys.

Opening the Keys tool

All tasks associated with managing encryption keys are performed in the Keys tool of the Data Encryption editor. Opening the Keys tool is the starting point of all encryption key tasks.

▪ In the Data Encryption editor, click the Keys tab.

The Keys tool opens. All existing encryption keys are listed in the left pane. Details of the selected encryption key are shown in the right pane.

Creating encryption keys

The automatic data encryption (ADE) feature uses an encryption key to encrypt, decrypt, and re-encrypt individual files. In this task, you can create an encryption key and optionally set a password for the key.

1. In the Keys tool, click Add.
2. In the New Encryption Key dialog box Key Name field, enter a unique name for the new encryption key.
3. Optional: In the Password field, enter a password for the encryption key.

   If you set a password for the encryption key, the current password is required later to change the password for the key or to delete the key.

4. If you set a password for the encryption key, in the Confirm Password field, enter the password again for verification.
5. To create the encryption key, click Finish.

Viewing encryption key details

All existing encryption keys that have been created for use in encrypting U2 files are listed in the left pane of the Keys tool. In this task, you can select a key and view its details.

1. In the left pane of the Keys tool, select the name of the encryption key for which you want to view details.
2. In the New Encryption Key dialog box Key Name field, enter a unique name for the new encryption key. Check the details for the selected encryption key in the right pane, as follows:

▪ Key Name displays the unique name of the selected encryption key.
▪ Creator contains the user ID of the person who created the encryption key.
▪ Date Created displays the month, day, and year (MM/DD/YYYY) on which the encryption key was created.
▪ Time Created displays the time (HH:MM am|pm) at which the encryption key was created.
▪ Date Password Changed displays the month, day, and year (MM/DD/YYYY) on which the password for the encryption key was last updated. If the key is not password-protected, this field contains the date on which the encryption key was created.
▪ Time Password Changed displays the time (HH:MM am|pm) at which the password for the encryption key was last updated. If the key is not password-protected, this field contains the time at which the encryption key was created.
▪ Grantees lists the names of users and groups who are granted access to the encryption key.
▪ References lists the U2 files and fields that reference the selected encryption key.
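The key details listed above can support a periodic key review. The following is an added example, not part of the Rocket documentation or of XAdmin: it assumes the details have been transcribed by hand into Python dictionaries keyed by the field labels, and the sample keys, users, file names, and the 365-day threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: details copied by hand from the right pane of the Keys
# tool. Key names, user IDs, groups and file names are invented.
SAMPLE_KEYS = [
    {"Key Name": "payroll_key", "Creator": "admin",
     "Date Created": "03/14/2013", "Time Created": "09:15 am",
     "Date Password Changed": "03/14/2013", "Time Password Changed": "09:15 am",
     "Grantees": ["hr_group"], "References": ["PAYROLL"]},
    {"Key Name": "orders_key", "Creator": "admin",
     "Date Created": "06/01/2012", "Time Created": "02:30 pm",
     "Date Password Changed": "11/02/2014", "Time Password Changed": "10:05 am",
     "Grantees": ["sales_group", "jsmith"], "References": ["ORDERS"]},
    {"Key Name": "archive_key", "Creator": "dbadmin",
     "Date Created": "01/20/2011", "Time Created": "11:00 am",
     "Date Password Changed": "02/01/2012", "Time Password Changed": "04:45 pm",
     "Grantees": [], "References": []},
]

NEVER_CHANGED = "no password set, or password never changed since creation"
STALE = "password older than the assumed rotation policy"
UNREFERENCED = "no file or field references it: candidate for deletion"

def _stamp(rec, what):
    """Parse the MM/DD/YYYY date and HH:MM am|pm time shown for `what`."""
    text = f"{rec['Date ' + what]} {rec['Time ' + what]}"
    return datetime.strptime(text, "%m/%d/%Y %I:%M %p")

def review_keys(keys, today, max_age_days=365):
    """Return (key name, finding) pairs; max_age_days is an assumed policy."""
    findings = []
    for rec in keys:
        created = _stamp(rec, "Created")
        changed = _stamp(rec, "Password Changed")
        if changed == created:
            # The tool shows the creation date and time here for keys without
            # a password, so equality means no password or (assumed) a
            # password that was never changed.
            findings.append((rec["Key Name"], NEVER_CHANGED))
        elif today - changed > timedelta(days=max_age_days):
            findings.append((rec["Key Name"], STALE))
        if not rec["References"]:
            findings.append((rec["Key Name"], UNREFERENCED))
    return findings

if __name__ == "__main__":
    for name, finding in review_keys(SAMPLE_KEYS, datetime(2015, 1, 31)):
        print(f"{name}: {finding}")
```

A key flagged as never changed still needs a manual check, because the displayed fields alone do not distinguish an unprotected key from one whose password was never updated.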

Deleting encryption keys

If an encryption key is no longer used or is not needed, you can delete it from the key store.

1. In the Keys tool, select the name of the encryption key to be deleted and click Delete.
2. If the selected encryption key is password-protected, in the Password field, enter the current password for the encryption key.
3. If you set a password for the encryption key, in the Confirm Password field, enter the password again for verification.
4. To delete the encryption key, click Finish.

In the Keys page, the name of the encryption key is removed from the list. In the UniData or UniVerse database, the associated key file is deleted from the key store.

