Pathway Subsystem
This section describes securing the components of the Pathway Subsystem itself. Please refer to the chapters on Application Security for a discussion on securing Pathway Applications.
Pathway is an application platform, under which many NonStop server applications run. It is often the pivotal production platform, therefore requiring a wide range of access throughout a company's enterprise.
The Pathway application is the gateway to many production applications, which:
Provides the interface to the company's database
Is the foundation for the availability of the company's enterprise applications
Determines the security methodology for the enterprise databases
Provides multi-threading and configurable components based upon the application
Pathway is a client-server application model. The Pathway monitor provides the interface for the communication layer and the management layer between the client and server. A Pathway application has two major components:
Requestors A screen program or GUI client component that interacts directly with the terminal. The screen part of the application is written in SCOBOLX or in a GUI language.
Servers The user program running on the host system that interacts with the databases and performs user calculations, etc. The server part of the application can be written in any available language that functions on the HP NonStop server.
The Pathway subsystem components are:
PATHCOM
PATHMON
PATHTCP2
PATHCTL
PATHTCPL
LINKMON
Components of each Pathway Application:
PATHCTL
POBJDIR/POBJCOD
Server Programs
Assigned files and Databases
PATHCOM
PATHCOM is the interactive interface into a Pathway environment for starting, stopping, and modifying the environment. The designated Pathway owner and security controls the ability to perform commands, via PATHCOM or programmatically to affect the environment.
The owner can perform management commands; start and stop the Pathway objects, alter configuration settings, freeze and thaw terminals, etc.
The designated security attribute specifies the users, relative to the Pathway owner, who can perform management commands. Set the SECURITY parameter using the Guardian security values A, G, O, -, N, C, and U. The internal security attribute does not control the security at which the requestor or server programs run. For instance:
Setting the value to "C", allows anyone in the owner's network group to alter the Pathway or start and stop servers.
Setting the value to "O", allows only the local owner to alter the Pathway or start and stop servers.
Non-dedicated terminals are started via the PATHCOM interface, therefore users responsible for stopping and starting Pathway terminals need EXECUTE access to the PATHCOM object file.
AP-FILE-PATHCOM-01 Starting a terminal through the PATHCOM interface is the method used for non-dedicated terminals, therefore users need EXECUTE access to the PATHCOM object file.
RISK The PROGRAM security of "N" allows anyone in the network to start the program. Likewise, the security of "A" allows any local user these privileges.
BP-PATHWAY-CONFIG-01 Pathway security should not allow general access or "N" or "A".
3P-ACCESS-PATHWAY-01 Access to PATHCOM commands can be controlled via a third party product that can secure at the command level.
PATHMON
A Pathway monitor program process pair is started for each Pathway system. A Pathway application is started and then configured with the PATHCOM program. PATHCOM commands are used to configure the Pathway application. Each Pathway Monitor has a unique process name , which has been defined during the start of the PATHMON process.
RISK The Pathway owner is set to the user who starts the Pathway, unless otherwise explicitly set during configuration. Allowing the internal Pathway owner to be defaulted upon startup can configure a Pathway environment to the wrong user.
All TCPs and server processes started by a PATHMON process are run using the PAID of the PATHMON process.
Since the server processes run as the Pathway owner, all databases must be secured to allow appropriate access.
The owner can perform management commands; start and stop the Pathway objects, alter configuration settings, freeze and thaw terminals, etc.
RISK The default for Pathway security is 'N" unless explicitly set after the START Pathway command is issued, which allows network access by default.
AP-FILE-PATHWAY-02 Ensure that application Pathways have adequate internal security. Internal Pathway security should be set to "O" or "U".
RISK Pathway reconfiguration may not be successful if the Pathway owner is not also the userid that restarts the Pathway.
RISK Because PATHCOM defaults to a Pathway named $PM when no other Pathway name is specified, never name a Pathway $PM. Commands from a PATHCOM accidentally started with no name could be applied to the wrong Pathway.
RISK Running application Pathway systems under SUPER.SUPER is not recommended. It allows access to the system as SUPER.SUPER without the need for a password.
RISK Pathway does not interact with CMON when starting server processes for authorization, priority, CPU, etc. CPU selection and priority can be set on the Server configuration within Pathway.
RISK CPU selection and priority can be configured for servers within Pathway. Inappropriate values can harm system performance.
AP-FILE-PATHWAY-03 The Pathway owner should be the same user that started the Pathway environment. PATHMON should not be running as SUPER.SUPER.
AP-FILE-PATHWAY-04 The Pathway owner should always be explicitly set and not defaulted. This does not prevent another user from trying to start the Pathway, but prevents that user from configuring the Pathway after the PATHMON is started. Set the Pathway owner to the user who is designated to start and own the Pathway.
LINKMON
For Pathway applications running via GUI client applications that are remote to the Pathway, Pathway performs the communication via a process called LINKMON. LINKMON establishes communications from the client to the server class. Several methods are in use to perform the communication layer for this function:
Remote Server Call (RSC) software enables personal computers (PCs) and workstations to communicate with Pathway servers and other processes on an HP NonStop server. The security of the access link is not covered in this chapter.
TCP/IP communication channels allow personal computers (PCs) and workstations to communicate with Pathway servers and other processes on an HP NonStop server. The security of the access link is not covered in this chapter.
A typical LINKMON request to Pathway is initiated from a GUI client or Web application via a communication methodology to a PATHMON. Configuration parameters in the PATHMON setup determine accessibility of Pathway to remote clients .
The operating system starts the LINKMON processes (the ROUT program) and names them automatically in each CPU conforming to the name $ZLnn, where nn is the number of the CPU; i.e. $ZL05 is the Linkmon for CPU 5.
LINKMON extended memory is supported by a disk swap file named $SYSTEM.ZLINKMON.ZZLMnn, where nn is the CPU number of the LINKMON process. For example, the LINKMON process $ZL01 in CPU 1 uses the swap file $SYSTEM. ZLINKMON.ZZLM01.
AP-FILE-PATHWAY-05 It is the responsibility of the GUI application and the Pathway server program to successfully handle authorization of the incoming request, both from a security standpoint and a format standpoint.
PATHTCP2
The PATHTCP2 is the terminal control component of the Pathway. This program interprets the POBJCOD and POBJDIR files to run the screen interface. PATHTCP2 is the program for the TCP entity of the Pathway application.
The PATHTCP2 component is often referred to as the TCP. A GUI interface to Pathway does not utilize this component of Pathway. The screen interaction is performed by the GUI application.
The PATHTCPL library is attached to the PATHTCP2 process when it is started. If the PATHTCPL library will be modified for the application, the PATHTCP2 and PATHTCPL files are usually duplicated to an application-specific location so that any other Pathways on the system that use the PATHTCP2 and PATHTCPL code do not get the application-specific code.
AP-FILE-PATHWAY-06 If an application makes extensive use of custom code in the PATHTCPL library, a duplication of PATHTCP2 and PATHTCPL should be made and permit custom changes only to the duplicate, which will then be used solely for the application.
RISK Because duplicated PATHTCP2 and PATHTCPL programs are not stored on the $SYSTEM.SYSnn subvolume, they will not automatically be updated when the sysgen process loads new HP NonStop server software.
PATHCTL
PATHCTL stores the configuration information for the Pathway environment. The Pathway can be shutdown and restarted in a WARM state to return the environment to the previous state. A COLD start initializes the PATHCTL files and it is reconfigured from the PATHCOM commands used.
RISK The Guardian user that starts the Pathway environment must have PURGE access to the PATHCTL and log files that are created during a cold start.
AP-FILE-PATHWAY-07 PATHCTL file should have the same owner and security as the userid running the Pathway.
PATHTCPL
PATHTCPL is a run-time library that is attached to the PATHTCP2 to which user- customized code can be added that will be invoked by SCOBOL routines.
RISK Code entered into the PATHTCPL library will be invoked by the Pathway requestor. If this file is not secured, unauthorized code modifications can occur.
AP-FILE-PATHWAY-08 PATHTCPL file should have the same owner and security as the userid running the Pathway.
POBJDIR / POBJCOD
For Pathway applications running TCP terminal programs, program object files are stored in Pathway managed component files, by default called POBJCOD and POBJDIR.
SCOBOL is an interpretive language. The POBJCOD and POBJDIR contain the interpretive code. Collectively, these files are called the requestor program. The reques-tor object configuration is defined to Pathway as a TCLPROG parameter of the TCP entity.
| Caution | The prefix for the Pathway terminal programs can be user-defined, but the suffix is always 'COD' and 'DIR'. |
The naming convention is <prefix>COD and <prefix>DIR as a matched pair. The name used for the Pathway is defined in the TCP configuration as:
 |
TCLPROG \<node>.$vol.subvolume.POBJT
| |
In the example above, the prefix is POBJT, so the files would be created as the POBJTCOD and POBJTDIR files.
The requestor program is accessed by the PROGRAM entity. The PROGRAM entity maintains an OWNER and SECURITY attribute. The SECURITY attribute determines whether a user running the Pathway can run the program.
AP-FILE-PATHWAY-09 The program owner should be the same as the Pathway owner.
AP-FILE-PATHWAY-10 The program security should be set as required by the application.
Server Programs
The Pathway configuration will point to user-written application server programs. Generally these programs need to be secured in relationship to the overall application security. Additional information is discussed about application in Securing Applications.
Securing Pathway Components
BP-FILE-PATHWAY-01 PATHMON should be secured "UUNU".
BP-OPSYS-OWNER-02 PATHMON should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 PATHMON must reside in $SYSTEM.SYSTEM.
BP-FILE-PATHWAY-02 PATHCOM should be secured "UUNU".
BP-OPSYS-OWNER-02 PATHCOM should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 PATHCOM must reside in $SYSTEM.SYSTEM.
BP-FILE-PATHWAY-03 PATHTCP2 should be secured "UUNU".
BP-OPSYS-OWNER-02 PATHTCP2 should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-02 PATHTCP2 must reside in $SYSTEM.SYSTEM.
BP-FILE-PATHWAY-04 PATHCTL should be secured "NUUU".
BP-OPSYS-OWNER-02 PATHCTL should be owned by the Pathway owner.
BP-OPSYS-FILELOC-02 PATHCTL should reside in $SYSTEM.SYSTEM.
BP-FILE-PATHWAY-09 PATHTCPL should be secured "UUNU".
BP-OPSYS-OWNER-02 PATHTCPL should be owned by SUPER.SUPER.
BP-PROCESS-ROUT-01 $ZLnn processes should be running.
BP-FILE-PATHWAY-05 ROUT should be secured "UUNU".
BP-OPSYS-OWNER-01 ROUT should be owned by SUPER.SUPER.
BP-OPSYS-FILELOC-01 ROUT must reside in $SYSTEM.SYSnn
If available, use Safeguard software or a third party object security product to grant access to Pathway object files to necessary personnel, and deny access to all other users.
BP-SAFE-PATHCOM-01 Add a Safeguard Protection Record to grant appropriate access to the PATHMON object file.
BP-SAFE-PATHCOM-02 Add a Safeguard Protection Record to grant appropriate access to the PATHCOM object file.
BP-SAFE-PATHCOM-03 Add a Safeguard Protection Record to grant appropriate access to the PATHTCP2 object file.
BP-SAFE-PATHCOM-04 Add a Safeguard Protection Record to grant appropriate access to the PATHCTL object file.
BP-SAFE-PATHCOM-05 Add a Safeguard Protection Record to grant appropriate access to the PATHTCPL object file.
BP-SAFE-PATHCOM-06 Update the sysgen process to duplicate PATHTCP2 and PATHTCPL to application specific locations as needed.
| Discovery Questions | Look Here: | |
|---|---|---|
| FILE-POLICY | Is Pathway used for application interfaces? | Policy |
| FILE-POLICY | Are GUI Pathways requiring LINKMON run on this system? | Policy |
| PROCESS-ROUT-01 | Are $ZLnn processes running? | Status |
| OPSYS-OWNER-01 | Who owns the ROUT object file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the PATHMON object file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the PATHCOM object file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the PATHTCP2 object file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the PATHCTL file? | Fileinfo |
| OPSYS-OWNER-02 | Who owns the PATHTCPL object file? | Fileinfo |
| FILE-POLICY | Who is allowed to execute PATHMON on secure systems to start a Pathway system? | Policy |
| FILE-PATHWAY-01 SAFE-PATHWAY-01 | Is the PATHMON object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-PATHWAY-02 SAFE-PATHWAY-02 | Is the PATHCOM object file correctly secured with the Guardian or Safeguard system? | Fileinfo Safecom |
| FILE-PATHWAY-03 | Is the PATHTCP2 object file secured correctly? | Fileinfo |
| FILE-PATHWAY-04 | Is the PATHTCP2 object file duplicated to an application-specific location? | Fileinfo |
| FILE-PATHWAY-05 | Is the PATHCTL object file secured correctly? | Fileinfo |
| FILE-PATHWAY-06 | Is the PATHTCPL object file secured correctly? | Fileinfo |
| FILE-PATHWAY-07 | Is the PATHTCPL object file duplicated to an application-specific location? | Fileinfo |
| FILE-PATHWAY-08 | Is the ROUT object file secured correctly? | Fileinfo |
Related Topics
User Administration
Securing Applications
