Sony KV-DZ29M30 Service Manual

Trinitron color tv
XYGATE® Data Protection Reference Manual
Abstract
XDP optimizes HPE SecureData for NonStop environments. It supports implementation within applications that cannot be
changed, via its Intercept Library. It also greatly simplifies the two SecureData APIs, and provides support for all NonStop
applications and OS environments, including native and non-native executables, and both Guardian and OSS.
Part number: 849088-003.
Published: December 2016.
Edition: L15.02 and subsequent L-series RVUs. J06.03 and subsequent J-series RVUs. H06.03 and subsequent J-series RVUs. G06.


Summary of Contents for Sony KV-DZ29M30

  • Page 3 Legal and notice information © Copyright 2016 Hewlett Packard Enterprise Development LP Acknowledgments No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett Packard Enterprise. The information contained herein is subject to change without notice. Warranties HEWLETT PACKARD ENTERPRISE MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF...
  • Page 4 Publication History Software Ver. Description Date 1.01 First publication. Jun. 2014 1.10 Chapter 2, Chapter 3 and Chapter 5 updated significantly; new Chapter 7, “What-if Nov. 2014 Testing”; new App. A: DPCONF keywords: AUDIT_WARNING_FAIL, AUDIT_WARNING_PASS and BACKUPCPU; new App. B: DPACL keywords: AUDIT_WARNING_FAIL and AUDIT_WARNING_PASS;...
  • Page 5: Table Of Contents

    Contents
    Introduction (p. xiii)
    Feature Highlights (p. xiii)
    XYGATE Data Protection (XDP) Architecture (p. xv)
    XDP Module Components (p. xvi)
    XDP Configuration (p. xvii)
    What’s New in this Manual (p. xvii)
    General Syntax Notation (p. xviii)
    Chapter 1. Installing XDP (p. 1)
    Before You Begin (p. 1)
    1.1.1 Voltage SecureData Management ...
  • Page 6 Contents
    3.1.1 Application Init File (p. 14)
    3.1.2 XYGATEDP Installation Location (p. 15)
    Run Your Application (p. 15)
    Chapter 4. Setting up Tokenization in XDP (p. 17)
    Configuring and Enabling SST on the Voltage Console (p. 17)
    Enabling Voltage SST in XDP ...
  • Page 7 Contents
    6.2.3 C: -or- D: Subject userid and/or Subject Login name (p. 35)
    6.2.4 E: Subject System (p. 36)
    6.2.5 F: Subject Terminal (p. 36)
    6.2.6 G: DP Group (p. 37)
    6.2.7 H: Object Name (p. 38)
    6.2.8 I: Result (All,S,F,N) ...
  • Page 8 Contents
    7.11.9 REPEAT (p. 62)
    Appendix A: The DPCONF File (p. 63)
    The DPCONF File Keywords (p. 63)
    Sample DPCONF File (p. 64)
    AUDIT (Filename) (p. 67)
    AUDIT (Process Name or Device) (p. 68)
    AUDIT (IP Process Name) ...
  • Page 9 Contents
    ACL (p. 82)
    ACLGROUP (p. 83)
    AUDIT_ACCESS_FAIL (p. 84)
    AUDIT_ACCESS_PASS (p. 84)
    AUDIT_WARNING_FAIL (p. 85)
    AUDIT_WARNING_PASS (p. 85)
    B10: DESCRIPTION (p. 85)
    B11: DPGROUP (p. 86)
    B12: FIELD (p. 87)
    B13: FILE (p. 87)
    B14: FILEDEF ...
  • Page 10 Contents
    C16: XDP_LIBS_INSTALLED (p. 109)
    C17: XDP_LOAD_CONFIG (p. 109)
    C18: XDP_MASS_DECRYPT (p. 110)
    C19: XDP_MASS_ENCRYPT (p. 111)
    C20: XDP_PWCOLD (p. 112)
    C21: XDP_PWSAVE (p. 112)
    C22: XDP_PWSTOP (p. 112)
    C23: XDP_PWWARM (p. 112)
    C24: XDP_REFRESH_ENCRCONFIG (p. 112)
    C25: XDP_REFRESH_VOLTCONFIG (p. 113)
    C26: XDP_REPORT (p. 113)
    C27: XDP_ROLL_AUDIT (p. 113)
    C28: XDP_SHUTDOWN (p. 113)
    C29: XDP_START (p. 114)...
  • Page 11 Contents
    __XYPRO_ENCR_SEND_TO_ENCR_SRV (p. 139)
    E10: __XYPRO_ENCR_IO_COMPLETED (p. 141)
    E11: __XYPRO_ENCR_GET_ENCRYPT_DATA (p. 143)
    E12: __XYPRO_ENCR_GET_LAST_RQ_TIME (p. 144)
    E13: __XYPRO_ENCR_IS_EXT_PROVIDER (p. 145)
    Glossary (p. 147)
    Index (p. 149)
  • Page 13: Introduction

    Introduction Welcome to the XYGATE® Data Protection™ product software from XYPRO Technology Corporation for the HPE NonStop server. XDP was developed to allow legacy applications to be made Payment Card Industry (PCI) compliant with no source-code changes required. XDP incorporates world class multi-platform encryption technology from Voltage Security®...
  • Page 14 Flexible Auditing of Activities XDP provides an audit mechanism of activities occurring within an XDP system. The auditing is flexible. You can audit all activity or selected activity to audit files, EMS or to a TCP/IP address to an external event sink.
  • Page 15: XYGATE Data Protection (XDP) Architecture

    XDP Provides a Detailed Trace Used only under the direction of XYPRO Support for testing/troubleshooting purposes, XDP provides a detailed “trace” feature. This function captures each intercepted Guardian call made by an application program, with each input parameter listed, and the final result of the call (condition code or error code) listed along with any output parameters.
  • Page 16: XDP Module Components

    Guardian I/O routines before doing decryption (reading data) or after data has been encrypted (writing data). XYGATEDP is the monitor process; that is, it oversees and coordinates the activity of the other XDP components. XYGATEDP audits system activity into the various audit files shown.
  • Page 17: XDP Configuration

    XDPCOM - This is an interactive utility that is used for various purposes by the macros provided with XDP. Do not run this utility unless instructed to do so by XYPRO Support. XDPCPU - A copy of XDPCPU runs in each CPU in the system.
  • Page 18: General Syntax Notation

    • Documentation – revised Appendix D: XDP Error Codes for number 394 and deleted codes number 354 and 389 starting on page 121. • Deleted – API procedures for __XYPRO_ENCR_SAVE_KEY and __XYPRO_ENCR_GET_KEY in Appendix E:. General Syntax Notation The following list summarizes the notation conventions for syntax presentation in this manual.
  • Page 19 | Vertical Line. A vertical line separates alternatives in a horizontal list that is enclosed in brackets or braces. For example: INSPECT { OFF | ON | SAVEABEND } … Ellipsis. An ellipsis immediately following a pair of brackets or braces indicates that you can repeat the enclosed sequence of syntax items any number of times.
  • Page 21: Chapter 1. Installing XDP

    Chapter 1. Installing XDP This chapter describes the methods of installing or upgrading the XYGATEDP files, updating the XYGATE licenses and then guides you through the process of securing your installation. Before You Begin Ensure that you have reviewed and completed the following procedures before you begin installing the XDP software.
  • Page 22: Installing XDP Using The Host Install Macro

    Downloading Software Components There are two software components of SecureData that you will need to complete the XDP installation. First get a userID from Voltage and then go to their downloads website at https://downloads.voltage.com for the two SecureData components:...
  • Page 23: Running The Host Install Macro To Install XDP

    Note: If you received a license file from HPE named P99Fnnn (where nnn is either 001 or your customer number), place a copy of the license file P99F001 in the distribution location (DSV) whose default value is $SYSTEM.ZXYPRODP.
  • Page 24: Creating The OSS Voltage Server

    ++ Anytime you update the DPACL and DPCONF files you must do the following to load your new configuration:
    XDP_COMPILE
    XDP_LOAD_CONFIG
    **** PLEASE READ THE SOFTDOC AS PART OF THE INSTALLATION PROCESS ****
    **** PLEASE READ ALL OF THE ABOVE CAREFULLY TO MAKE SURE YOU HAVE ****
    **** NO PROBLEMS INSTALLING THIS NEW RELEASE...
  • Page 25: Completing The XDP Installation

    Example: A Sample LINKNPD run
    $SYSTEM XDP120 555> RUN LINKNPD
    Where is XYGATEDP installed ($SYSTEM.XDP120)?
    What OSS directory contains the Voltage libraries? /usr/local/voltage/lib
    VOLTNPD successfully built
    $SYSTEM.XDP120
    CODE LAST MODIFIED OWNER RWEP PExt...
  • Page 26: Uninstalling XDP Using The Host Uninstall Macro

    Run the XDP_FINISH_INSTALL macro. The XDP_FINISH_INSTALL macro checks for the existence of XDPVTnnn in $SYSTEM.ZDLL (on H and J machines) or $SYSTEM.XDLL (on L machines) and does the following: ...
  • Page 27: Using The Host Install Macro For License Maintenance

    --BEGIN XYPRO SIGNATURE PUBLIC-KEY: LICENSE-CREATE: 19991217-140450 CUSTOMER-NAME: XYPRO CUSTOMER-NUMBER: 0026 PRODUCT: XYGATE-DP 20991231 NODE: \ALL 0999 * NODE: \ENCRYPT 0003 * License good VPROC - T9617H01 - (01 FEB 2009) SYSTEM \N1 Date 24 AUG 2013, 22:01:25 Copyright 2004 Hewlett-Packard Development Company, L.P.
  • Page 29: Chapter 2. Configuring XDP

    Chapter 2. Configuring XDP Configuring XDP involves the following steps: • Review and configure the DPCONF file. • Build your access rules in the DPACL. • Compile CONF files and start XDP. The DPCONF File The DPCONF file is initially configured during installation as described in Chapter 1. This file configures global values; you can modify them or add additional keywords.
  • Page 30: The DPACL File

    When all the applications in a subvolume have had their libraries uninstalled, the DPCONFAP file in the application location can be purged to allow the installation of a library from a different installation location or from an installation with a different macro name.
  • Page 31: Configure For Non-Pan Data Encryption

    The TOKEMETH File:
    METHODNAME=TOKEN
    DATAFORMAT=1
    ENCRYPTIONTYPE=2
    CUSTOMFPENAME=
    LUHNCHECKSUMOPTION=1
    LEADINGUNENCRYPTEDDIGITCOUNT=6
    TRAILINGUNENCRYPTEDDIGITCOUNT=4
    MINIMUMDIGITCOUNT=3
    LENGTHSPECIFICFORMATSETTINGSCOUNT=4
    PANLENGTH1=12
    LEADINGDIGITS1=6
    TRAILINGDIGITS1=0
    PANLENGTH2=13
    LEADINGDIGITS2=6
    TRAILINGDIGITS2=0
    PANLENGTH3=14
    LEADINGDIGITS3=6
    TRAILINGDIGITS3=0
    PANLENGTH4=15
    LEADINGDIGITS4=6
    TRAILINGDIGITS4=0
    Voltage previously allowed the creation of encryption formats that were defined “locally”;...
  • Page 32: Compile The CONF Files

    Example: FILEDEF SSNENCR FILE $WORK1.TEST.FILE1 FIELD SSNFORMT FIELD_POSITION 0:20 For SQL: Follow the SQLCOL keyword (part of the SQLDEF keyword) with the encryption method and column name. Example: SQLDEF TABLE1 TABLE $WORK.TEST.TBL1 SQLCOL TOKEN...
  • Page 33: Chapter 3. Running Your XDP Application

    Chapter 3. Running Your XDP Application After configuring the DPCONF and DPACL files and starting XDP as described in Chapter 2, you have to install the XDP library to your object program. When you have completed this step, you can then run your application as described below. Install the XDP Library Before running your application, you have to install the XDP library into your object program.
  • Page 34: Application Init File

    • The XYGATEDP installation macro name is different from the value used when the XDP library was previously installed into an application residing in this same application location. Note that the following options below can cause applications to no longer decrypt data that were previously encrypted.
  • Page 35: XYGATEDP Installation Location

    3.1.2 XYGATEDP Installation Location When the XDP library has been installed for the first time into an application location, a DPCONFAP file is also created in the same location. It is a copy of the <xygatedp-loc>.DPCONFAP file ("template application Init file").
  • Page 36 In the DPGROUP entity, grant access to the input file and the object file. DPGROUP GUARDIAN The FILEDEFS that are referenced by this DPGROUP. FILEDEF XDPENCR Error code handling that applies to this DPGROUP. TRANSLATE_ERROR_CODES_TO_100 ! The files or sets of files that we are allowed to access.
  • Page 37: Chapter 4. Setting Up Tokenization In XDP

    Chapter 4. Setting up Tokenization in XDP XYGATE Data Protection supports Voltage Secure Stateless Tokenization (SST) technology as an encryption method. Several configuration steps must be performed prior to using Voltage SST technology in XDP. Users performing the tasks described in this chapter must have a valid login to the Voltage SecureData Management console to be able to access the Voltage configuration application, and also have a valid login ID to the NonStop system to allow them access to the edit files mentioned below.
  • Page 38: Configuring Voltage SST In XDP

    To view tokenization status, enter: /view_feature_status.sh tokenization The script will prompt you to confirm the action when you are enabling tokenization. This change is immediate, and there is no need to restart the Management Console Process.
  • Page 39: SSTDATAFILE

    4.3.3 SSTDATAFILE= The next item to modify is the SSTDATAFILE= line. This line contains the filename of the Voltage SST data file that you previously uploaded from the Voltage SecureData Management console.
  • Page 40 Add FILEDEF MYFILE to a DPGROUP in order for XDP to use it: DPGROUP MYACL DESCRIPTION "My ACL" FILEDEF MYFILE <other security settings> Multiple FILEDEFs can be added to a FILEDEF line in a DPGROUP if the FILEDEF names are separated by commas.
  • Page 41: Chapter 5. Resolving Issues That Can Occur When Installing The XDP Library

    Chapter 5. Resolving Issues that can Occur when Installing the XDP Library The client interface to XDP is implemented as a run time library that can be attached to an application’s programs or can be bound directly into an application’s programs by a supplied macro.
  • Page 42: The Library Procedure Call Order Issue

    If you encounter an error message that is emitted by the library attaching macro, read section 5.1 first to gain an understanding of the possible issues that can occur when combining XDP libraries with other libraries or programs.
  • Page 43: XDP I/O Architecture

    5.1.1 XDP I/O Architecture [Diagram: Application, XDP WRITEX, __XYPRO_WRITEX, Guardian WRITEX] In the above example, reading from left to right: •...
  • Page 44: If You Want Your Application's Procedures To Be Called First

    5.2.2 If you want your Application’s Procedures to be Called First Example scenario: [Diagram: Application, Application WRITEX, XDP WRITEX, Guardian WRITEX] The steps to implement this scenario are to rename the WRITEX procedure in the XDP intercept library to something else (such as WRITEXZ), and then the WRITEX...
  • Page 45: Manually Combining Application Libraries With XDP Libraries When Procedure Names Collide

    If the error you received from the macro sent you to this section, then you cannot combine the XDP library with your native-mode code 800 library or object. You must rebuild that object using the original link files and combine those link files with one of the link files provided with XDP.
  • Page 46: Sample ELD Script When The XDP Library Will Come First, Object Code 800 Programs

    5.4.2 Sample ELD Script when the XDP Library will Come First, Object Code 800 Programs ELD is used for code 800 files. ELD operates in a totally different way than binder does, so the commands are different between the two utilities.
  • Page 47 & -L $system.system & tmpapplb & $disc.xygatedp.xdp8ext & -allow_duplicate_procs & -export_all & -shared & -verbose & -set interpose_user_library on & -set floattype neutral &...
  • Page 48
    XDP Intercepts these procedures | And Invokes this procedure name
    C8LIB^REWRITE | __XYPRO_C8LIB_REWRITE
    C8LIB^START | __XYPRO_C8LIB_START
    C8LIB^WRITERELINX | __XYPRO_C8LIB_WRITERELINX
    C8LIB^WRITESEQ | __XYPRO_C8LIB_WRITESEQ
    CANCEL | __XYPRO_CANCEL
    CANCELREQL | __XYPRO_CANCELREQL
    CLOSE | __XYPRO_CLOSE
    CONTROL...
  • Page 49
    XDP Intercepts these procedures | And Invokes this procedure name
    OPEN | __XYPRO_OPEN
    READ | __XYPRO_READ
    READLOCK | __XYPRO_READLOCK
    READLOCKX | __XYPRO_READLOCKX
    READUPDATE | __XYPRO_READUPDATE
    READUPDATELOCK | __XYPRO_READUPDATELOCK
    READUPDATELOCKX | __XYPRO_READUPDATELOCKX
    READUPDATEX...
  • Page 51: Chapter 6. XDP Auditing And Audit Reports

    Chapter 6. XDP Auditing and Audit Reports This chapter describes the AUDIT file (keyword) considerations and the interactive XDP_REPORT macro. AUDIT File Considerations This section explains audit file creation and rollover behavior in XDP. The AUDIT keyword determines the type and location of the XDP audit trails. You can have multiple AUDIT entries for each type of audit trail.
  • Page 52: Process Audit Trails

    Syntax: Auditing to a diskfile AUDIT <filename> [EXT(pri,sec,max)] [NO_ROLL_MSGS] The following example will send XDP audits to the file called XDPAUDIT in the subvolume $SECURE.XDPAUDIT. Example 1: How to configure XDP to audit to a diskfile AUDIT $SECURE.XDPAUDIT.XDPAUDIT Refer to the AUDIT (Filename)
  • Page 53: Running XDP_REPORT Interactively

    Running XDP_REPORT Interactively To generate XDP audit reports, use the XDP_REPORT macro. The macro will display a screen with all the criteria that you can modify in order to limit the audit records to be included in a report.
  • Page 54: A: Audit File

    Note: Prompts will show a default value inside a pair of angle brackets <>. Press Enter without any input to accept the default value shown. 6.2.1 A: Audit file Enter the name of the audit file you want to use to generate the report.
  • Page 55: C: -Or- D: Subject Userid And/Or Subject Login Name

    6.2.3 C: -or- D: Subject userid and/or Subject Login name The subject userid/Login Name is the ID of the person performing the actions and accesses contained in the report. You can enter either the userid or the Login name of the user(s) you want to include in the report but do not enter both.
  • Page 56: E: Subject System

    Example 5 below shows that if you enter a string without either a leading or trailing asterisk ( * ), then XDP will only include login names that exactly match the string you have entered.
  • Page 57: G: DP Group

    6.2.6 G: DP Group You can choose to limit the report to transactions involving selected DPGroups as defined in the DPACL file. If you enter a portion of a DPGroup name, all groups containing the entry will be included in the report.
  • Page 58: H: Object Name

    6.2.7 H: Object Name You can limit a report to a single object or group of objects. Enter a valid object name or an asterisk ( * ) to include all objects. Note that unnamed processes are recorded as $----- in the audit report.
  • Page 59: I: Result (All,S,F,N)

    6.2.8 I: Result (All,S,F,N) You can limit your report to only certain XDP results where “Result type” is the ruling on an access request by XDP. The valid entries are: All types of ruling results will be included in the report.
  • Page 60 In the Example below there are two records in the report output. The first record is generated in WARNING mode; therefore, the value of column four is Y. The second record, IGNOREWARNING is ON during testing;...
  • Page 61: L: Comment Contains

    6.2.11 L: Comment contains You can limit the report to only those audit entries with COMMENTs that contain the string in a summary results field. To select the COMMENTs you want included in the report, select L: Selection? L Enter a portion of the Data Protection comment...
  • Page 62 If you select CUSTOM, then the following menu items will appear: See below. Custom Columns : Custom Sort :TIME Custom Width :130 Custom Lines Use menu items R through U to set the custom report fields and layout that you want.
  • Page 63: P: Operation

    6.2.15 P: Operation You can choose to limit the report to transactions involving selected Operations. A comma-separated list of Operations can be specified. If a particular operation has to be eliminated, then the keyword NOT can be used.
  • Page 64: X: Exit The Report Macro

    6.2.18 X: Exit the report macro To CLOSE the Report Selection Screen without executing a report, select X, or press Break or Ctrl-Y to return to your TACL prompt. 6.2.19 Z: Run the audit report When you are satisfied with your selections, press Z to create the report only.
  • Page 65: XDP Audit Record Format

    Subject System Subject Terminal DP Group Object Name Result (All,S,F,N) :ALL Production/Test results :None Warning/Non-warning results:None Comment contains Suppress comments Output file :$S.#XYGATE.OBJSEC Sort order :OBJECT Operation User specified title Display OSS-PATHNAME...
  • Page 66 02 SUBJECT-LOGIN-NAME PIC X(32). The login name of user performing the action. It can be a Safeguard user name or alias name. 02 SUBJECT-SYSTEM PIC X(8). The node where the subject user was authenticated (logged on).
  • Page 67 02 OBJECT-GROUP PIC X(32). The full name of the DPGroup which determines the access for the target object in question or “~ NO-GROUP-FOUND”. 02 HOME-TERMINAL PIC X(34). The terminal where the requestor program is executing.
  • Page 69: Chapter 7. What-If Testing

    Chapter 7. What-if Testing This chapter describes how XDP can be tested before putting it into production. As with Safeguard, XDP can run in WARNING-MODE. The system can be placed in global WARNING_MODE initially to test the new access rules. If the DPCONF keyword WARNING_MODE is set to ON, all access attempts are granted by XDP;...
  • Page 70 FILEDEF XDPENCR2,TYPEU,TYPEKPA,FORT2DEC,miketest DESCRIPTION "Test ACL for XDP" TRANSLATE_ERROR_CODES_TO_100 ! The files or sets of files that we are allowed to access. MASK $SYSTEM.XDPTEST.ENCRFILE ! Requestors REQUESTOR $SYSTEM.XYGATEDP.* OPERATION ENCRYPT,DECRYPT ! Access type granted.
  • Page 71: Auditing In Warning Mode

    WARNING_MODE in the DPACL and DPCONF files, setting WARNING_MODE to OFF for access checks during the XDP What-if session. In Example 2 below, IGNOREWARNING is set to ON, and the evaluation yields the expected result.
  • Page 72: Generating Reports In Warning Mode

    Generating Reports in Warning Mode To generate a report only for WARNING MODE, choose option K: Warning/Non-warning results in the XDP_REPORT macro described on page 39. Operation Operation is the action attempted on the target file. The XDP operations are: ENCRYPT, DECRYPT and ENCRYPTDECRYPT Example 1: How to test the ENCRYPT operation on a file $SYSTEM XYGATEDP 326>...
  • Page 73: User

    Note: Guardian format requestors must be fully qualified, without the node. Example 1: How to test Requestor in EXPLAIN mode with process name $SYSTEM.XYGATEDP > Run xygatedp explain Access check:encrypt encryptedfile $SYSTEM.xdpdata.testin $SYSTEM.XYGATEDP.xdpencr:$xyz Objecttype = 00098 (ENCRYPTEDFILE) for $SYSTEM.XDPDATA.TESTIN Operation = 00312 (OPEN) Modifier = 00002 (ENCRYPT)
  • Page 74: How To Predict A Result And DPGROUP

    Access check: ENCRYPT ENCRYPTEDFILE $SYSTEM.XDPDATA.TESTIN $SYSTEM.XYGATEDP.XDPENCR \node1.QAT1.MGR
    Access result - YES using DPGROUP GUARDIAN
    Access check: ENCRYPT ENCRYPTEDFILE $SYSTEM.XDPDATA.TESTIN $SYSTEM.XYGATEDP.XDPENCR ALIAS:"QAT1-MGR"
    Access result - YES using DPGROUP GUARDIAN
    Access check: ENCRYPT ENCRYPTEDFILE $SYSTEM.XDPDATA.TESTIN $SYSTEM.XYGATEDP.XDPENCR ALIAS:"\NODE1.QAT1-MGR"...
  • Page 75: How To Run What-If Using Input And Output Files

    DPGROUP GUARDIAN Requestor 00003 matched ^\$SYSTEM\.XYGATEDP\..*$
    DPGROUP GUARDIAN Mask 00003 matched ^\$SYSTEM\.XDPDATA\.TESTIN$
    DPGROUP GUARDIAN Selection criteria satisfied
    DPGROUP GUARDIAN User(001)/access(001) found
    DPGROUP GUARDIAN Access YES
    DPGROUP GUARDIAN Result converted to NORECORD due to warning mode
    DPGROUP GUARDIAN Replying with access NORECORD
    Access result - YES (unexpected, NO predicted) using DPGROUP GUARDIAN (unexpected DPGROUP, OSS predicted)
  • Page 76 Sample Out File: $SYSTEM XYGATEDP 49> fup copy tstout XYGATEDP XYPRO Technology Corporation \N1 20991231 DPCONF CHECKSUM 1750165851 ($SYSTEM.XYGATEDP.DPCONF) DPACL CHECKSUM 1043931211 ($SYSTEM.XYGATEDP.dpacl) Explain mode on Access check:==This is to test what-if feature - file operations Access check:==Allow encrypt Access check:encrypt encryptedfile $SYSTEM.xdpdata.testin $SYSTEM.XYGATEDP.xdpencr qa.tst...
  • Page 77: Interactive Keywords

    7.11 Interactive Keywords When run in access mode, XDP issues one of the three results: YES, NO, NORECORD. If EXPLAIN_MODE is ON, a list of the DPGroups that were considered is displayed, too.
  • Page 78: Comment

    YYYY-MM-DD HH:MM:SS R W T Request System Usr Login name Terminal ---------- -------- - - - ----------- ------- ---- --- ---------- ------------ 2014-06-09 10:38:30 S N Y TEST QA.TST $VHS Column 6 shows that the Request was a TEST.
  • Page 79 Example 1: In access mode or explain off $SYSTEM XYGATEDP 327> run xygatedp access XYGATEDP XYPRO Technology Corporation \N3 20991231 DPCONF CHECKSUM 1895842882 ($SYSTEM.XYGATEDP.DPCONF) DPACL CHECKSUM 2099448385 ($SYSTEM.XYGATEDP.dpacl) Access check:encrypt encryptedfile $SYSTEM.XYGATEDP.testin $SYSTEM.XYGATEDP.xdpencr Access result - NORECORD using DPGROUP ~NO-GROUP-FOUND Example 2:...
  • Page 80: Help

    7.11.6 HELP This command causes a HELP message to be displayed. Syntax: HELP Example: How to view the What-if HELP text Access check:HELP Valid commands are one of: AUDIT {on|off|test} Toggles auditing or does an audit test COMMENT Can be used to insert comments...
  • Page 81: H -Or- History

    7.11.7 H -or- HISTORY This command is used to display your previous commands. To display a specific number of commands, enter a number in the command following HISTORY. Example: How to view the command history of your current What-if session Access check:H 1 EXPLAIN OFF 2 ENCRYPT ENCRYPTEDFILE $SYSTEM.XDPTEST.ENCRFILE $SYSTEM.XYGATEDP.WR...
  • Page 82: Repeat

    7.11.9 REPEAT This command is used for benchmarking operations. It causes the subsequent operations specified to be performed the specified number of times. Statistics showing elapsed time and messages per second are displayed. Syntax: REPEAT <repeat count>...
  • Page 83: Appendix A: The Dpconf File

    Appendix A: The DPCONF File An edit file named DPCONF, which configures global values, is kept in the same volume and subvolume as the XYGATEDP object file. The DPCONF file contains the keywords that define the external (global) functionality of the XDP process, such as where and what records are audited.
  • Page 84: A2: Sample Dpconf File

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File ENCRSERVICE <provider> <service-name> INTERNAL ENCRYPT_SEND_TIMEOUT <value> EXPLAIN_LOG <filename> HOMETERM <terminal-name> MACRO_NAME <macro-name> PERUSE_OBJECT <object filename> PRIORITY <priority-value> TRANSLATE_ERROR_CODES_TO_100 { ON | OFF } VOLTAGE_INSTALLATION $<vol>.<subvol> XDP_TRACEFILEMASK $<vol>.<subvol>.<three-character_prefix> Sample DPCONF File The DPCONF file configures global values.
  • Page 85 ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File ! The remaining 5 characters following <macro name> will ! be 5 random hex digits when the file is created. !XDP_TRACEFILEMASK $SYSTEM.XPMONIT.XDP ! The next line is the process name prefix of the XDPCPU ! (XDPCP126) processes.
  • Page 86 ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File ENCRMETHOD VOLTNPD DATEYTO4 CONFIG_FORMAT "XYDATE" ENCRMETHOD VOLTNPD DATEYTO5 CONFIG_FORMAT "XYDATE" ENCRMETHOD VOLTNPD DATEYTO6 CONFIG_FORMAT "XYDATE" Integer date formats. ENCRMETHOD VOLTNPD XYINT16U CONFIG_FORMAT "XYINT16U" ENCRMETHOD VOLTNPD XYINT16S CONFIG_FORMAT "XYINT16S" ENCRMETHOD VOLTNPD XYINT32U CONFIG_FORMAT "XYINT32U"...
  • Page 87: A3: Audit (Filename)

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File AUDIT (Filename) This keyword determines the audit file specifications when a filename is defined. Auditing is discussed in more detail in section 6.1, “AUDIT File Considerations” starting on page 31. Syntax: AUDIT <filename>...
  • Page 88: A4: Audit (Process Name Or Device)

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File AUDIT (Process Name or Device) Any one of the nine available AUDIT positions can be defined as a process audit trail. The most common process audits are EMS and printing to the CONSOLE. Note: XYPRO does not recommend that XYGATEDP be configured to audit its activity to EMS.
  • Page 89: A5: Audit (Ip Process Name)

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File AUDIT (IP Process Name) Any one of the available AUDIT positions can be defined as an IP address. This section deals with the IP address form of the AUDIT specification. Syntax: AUDIT <IP-process-name>...
  • Page 90: A6: Audit_Access_Fail

    In the example below, user QATSTSW.MGR was denied access to the file $SYSTEM.xdptest.encrfile. Hence, the message was prefixed with the text DP_CR. DP_CR 2014-01-09 11:02:43.848864183255QATSTSW.MGR 0.139577$SYSTEM.XDPTEST.ENCRFILE 98ENCRYPTDECRYPT312001NNGUARDIAN \N1.$Y3QP.#IN \N1.$:0:154:499282116 $SYSTEM.XYGATEDP.WR \N1.$:0:154:4992800000203DPGROUP GUARDIAN...
  • Page 91: A8: Audit_Nonprot_File_Access

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File AUDIT_NONPROT_FILE_ACCESS This keyword controls whether or not XDP audits access to files that are not defined to be protected in the DPACL. Syntax: AUDIT_NONPROT_FILE_ACCESS {ON | OFF} Example: AUDIT_NONPROT_FILE_ACCESS ON AUDIT_NORECORD This keyword determines whether or not XDP will write audits for access requests that...
  • Page 92: A11: Audit_Warning_Pass

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File A11: AUDIT_WARNING_PASS This keyword determines whether or not XDP will write successful access attempts to the XDP audit logs when WARNING_MODE is ON. Syntax: AUDIT_WARNING_PASS { ON | OFF } If ON, successful access attempts will be audited while in warning mode.
  • Page 93: A13: Collector

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File A13: COLLECTOR The argument to the COLLECTOR keyword is the name of the spool collector you wish XDP to use for audit reports. Syntax: COLLECTOR <spool collector> The default value is $S. A14: COMPANY_NAME This keyword sets the name of the installation.
  • Page 94: A16: Encrauthparams

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File A16: ENCRAUTHPARAMS The ENCRAUTHPARAMS keyword configures authorization parameters needed by the encryption server. The number and order of these parameters is critically important. The supplied parameters are for testing purposes only; you will have to supply the actual parameters to the encryption engine that has been installed in your environment.
  • Page 95: A18: Encrservice

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File A18: ENCRSERVICE The ENCRSERVICE keyword configures the way that XDP communicates with the encryption engine. There are two methods supported: External and Internal. • External uses a server in a Pathway system. •...
  • Page 96: A19: Encrypt_Send_Timeout

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File A19: ENCRYPT_SEND_TIMEOUT This keyword controls how long XDP will wait for an encryption server to finish an encryption operation before it times out. A value of 0 disables the timeout; values from 5 to 32767 are the number of seconds that XDP will wait before a timeout occurs.
  • Page 97: A21: Hometerm

    ® ™ XYGATE Data Protection Reference Manual Appendix A: The DPCONF File A21: HOMETERM This keyword defines the XYGATEDP home terminal. The HOMETERM keyword is not required but if it is not specified, XYGATEDP will have the same home terminal as that of the $ZSMP(SAFEGUARD) process.
  • Page 98: A24: Priority

    A24: PRIORITY The PRIORITY keyword specifies the priority at which the XYGATEDP object file is to execute. This entry is required and will be specified by the user during installation. Syntax: PRIORITY <priority-value>...
  • Page 99: Appendix B: The Dpacl File

    Appendix B: The DPACL File The DPACL file is an edit file located in the same volume and subvolume as the XYGATEDP object file. The DPACL file contains security and encryption settings for the application files that are being protected by XDP. There are three different types of groups in the DPACL file: ACLGroups, DPGroups and ENCRYPTION_Groups.
  • Page 100 ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File FILEDEF PBF FILE $DISC.SUBVOL.PBF FIELD FIELD_POSITION 10:16 FILEDEF TLF FILE $DISC.SUBVOL.TLF FIELD FIELD_POSITION 46:16 FILEDEF ILF FILE $DISC.SUBVOL.ILF FIELD FIELD_POSITION 370:16 ACL groups. ACLGROUP $EVERYONE \*.*.* DPGROUPS. DPGROUP BASE24 DESCRIPTION "Sample DPACL for XDP"...
  • Page 101: B2: The Dpacl File Keywords

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File TRACE controls the built in function trace facility for members of this DPGROUP. You must also have an XDP_TRACEFILEMASK in the DPCONF file for tracing to work. Tracing can generate a huge amount of data and it can expose sensitive information so it should only be enabled when requested to do so by XYPRO support personnel.
  • Page 102: B3: Limits On Dpacl Entries

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File Limits on DPACL Entries The DPACL file has limits on the amount of data that can be specified in the file. These limits are shown in the following output using the STATS command. $SYSTEM XYGATEDP 303>...
  • Page 103: Aclgroup

    Example: DPGROUP OSS MASK $OSS.XDPTEST.* REQUESTOR $system.app.* OPERATION DECRYPT ACL $EVERYONE * PROCESS_AS_ACL AUDIT_ACCESS_PASS ON AUDIT_ACCESS_FAIL ON The example above shows that every ENCRYPT operation attempt will fail. XDP will not continue searching for other matches.
  • Page 104: Audit_Access_Fail

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File AUDIT_ACCESS_FAIL This keyword determines whether or not XDP will write denied access attempts to the XDP audit logs. Syntax: AUDIT_ACCESS_FAIL { ON | OFF } If ON, denied access attempts will be audited. If OFF, denied access attempts will not be audited.
  • Page 105: B8: Audit_Warning_Fail

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File AUDIT_WARNING_FAIL This keyword determines whether or not XDP will write unsuccessful access attempts to the XDP audit logs when WARNING_MODE is ON. Syntax: AUDIT_WARNING_FAIL { ON | OFF } If ON, unsuccessful access attempts will be audited while in warning mode.
  • Page 106: B11: Dpgroup

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File B11: DPGROUP DPGroups are where you create the access rules you want to enforce in the DPACL file. XDP processes the DPACL file starting from the top. The DPGroup entries are processed in the order in which they are encountered.
  • Page 107: B12: Field

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File B12: FIELD The FIELD keyword specifies a data field in a record to encrypt. Each FIELD keyword is required to have three components: an encryption method (ENCRMETHOD), the sub-keyword FIELD_OFFSET, and a byte:length specification.
  • Page 108: B14: Filedef

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File B14: FILEDEF The FILEDEF object provides one place to define the structure of a file. Syntax: FILEDEF <text name> Example: FILEDEF ENCRFILE FILE $oss.xdptest.encrfile MIXED_RECORD_IDENTIFIER offset 38 FIELD FIELD_POSITION 0:16 FIELD FIELD_POSITION 19:16...
  • Page 109: B16: Mixed_Record_Identifier

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File B16: MIXED_RECORD_IDENTIFIER This keyword identifies a character string that can match characters at a specified offset in a record. If the string matches characters in the record at the specified offset, then that selects the FIELD(s) immediately below the MIXED_RECORD_IDENTIFIER.
  • Page 110: B18: Requestor

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File B18: REQUESTOR This keyword specifies the object filename of an application program that is making encrypted file requests, in the form $volume.subvol.filename. You can use an asterisk ( * ) to wildcard parts of the filename, or just use * when any requestor is valid. Otherwise, enter a valid requestor object filename and an optional process name.
  • Page 111: B21: Writethruxdperror

    ® ™ XYGATE Data Protection Reference Manual Appendix B: The DPACL File B21: WRITETHRUXDPERROR Certain applications abend when an XDP error code (350-499) is returned from an encryption operation. The WRITETHRUXDPERROR keyword has been added for Writes (only) so that if an encryption error occurs, the process will receive an error code of 0 on the Write, and unencrypted data will be written.
  • Page 113: Appendix C: Xdp Host Macros

    Appendix C: XDP Host Macros Several macros are supplied with the XDP software. These macros provide extra functionality or convenient methods of performing common tasks. Note: Throughout this manual, it is assumed that XDP is the name assigned to XDP at installation.
  • Page 114 ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros XDP_EDIT_ACL Provides version control and non real-time editing of the DPACL file. It first creates a copy of the file called NEWDPACL, which you can edit as usual. When you finish, you will choose whether or not to put the new changes into effect by loading the new file.
  • Page 115 ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros XDP_MASS_ENCRYPT Creates a TACL input file to execute the encryption program. XDP_PWCOLD Coldstart your XYGATEDP PATHWAY. XDP_PWSAVE Save your XYGATEDP pathway configuration file. XDP_PWSTOP SHUTDOWN your XYGATEDP PATHWAY. XDP_PWWARM Warmstart your XYGATEDP PATHWAY.
  • Page 116: C2: Xdp_Audit_Report

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros XDP_VERSION Displays information about the XYGATEDP installation. XDP_VOLUME Takes user to the local subvolume where XYGATEDP is installed. XDP_AUDIT_REPORT The XDP_AUDIT_REPORT macro is invoked by the XDP_REPORT macro. It generates the ENFORM report using the criteria selected with the Report Selection screen.
  • Page 117 ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros DPGROUP A valid DPGROUP name or for all or a wild carded, comma-separated list. A leading on a DP Group name will match any DP Group names that contain the specified string. A trailing will match any DP Group names that start with the specified string.
  • Page 118 ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros These parameters can be strung together on one line as in the following example: Example: Using XDP_AUDIT_REPORT selection criteria for a batch report $SYSTEM XYGATEDP 1> xdp_audit_report 2013-12-5 00:00 2013-12-5 23:59 232,* * * \N1 * * * all $system.xygatedp.audit $s.#xdp.xdpsec user Yes both both 0 * The above command will generate a report for the time period beginning on 05/DEC/2013 at midnight and ending at 05/DEC/2013 at 1 minute to midnight.
  • Page 119: C3: Xdp_Bounce

    XDP_BOUNCE This macro will stop and restart the XYGATEDP process. Syntax: XDP_BOUNCE Example: How to bounce the XYGATEDP process $SYSTEM XYGATEDP 547> XDP_BOUNCE XDPCOM - XYPRO Data Protection Command Interpreter - (22NOV2013) Use the HELP command for a list of commands.
  • Page 120: C5: Xdp_Create_Enform

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros XDP_CREATE_ENFORM This macro installs a copy of the ENFORM program and its components in the XYGATEDP installation subvolume and attaches the XDP library to it. Syntax: XDP_CREATE_ENFORM Example: $SYSTEM XYGATEDP 144>...
  • Page 121: C7: Xdp_Datetime_Make

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros XDP_DATETIME_MAKE This macro will calculate dates to establish a range of dates in the past equal to the number of days into the past you wish to include in the report. That is, 7 would be 7 days into the past.
  • Page 122: C8: Xdp_Edit_Acl

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros XDP_EDIT_ACL This macro allows you to edit the DPACL file. It first creates a copy of the file called NEWDPACL which you can change using EDIT as usual. When you finish and exit EDIT, you will choose whether or not to put the new changes into effect by loading the new file.
  • Page 123: C9: Xdp_Explain

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros Last generation is $SYSTEM.XYGATEDP.oldacl01 DPACL file is updated to NEWDPACL contents XYGATEDP XYPRO Technology Corporation \N1 20991231 DPCONF CHECKSUM 1265830165 ($SYSTEM.XYGATEDP.DPCONF) DPACL CHECKSUM 1213811999 ($SYSTEM.XYGATEDP.DPACL) No syntax errors found No syntax warnings found Configuration successfully compiled Load Config request processed in 0.000374 seconds...
  • Page 124: C10: Xdp_Explain_On|Off

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C10: XDP_EXPLAIN_ON|OFF The XDP_EXPLAIN_ON|OFF macro will send a request to turn EXPLAIN ON or OFF to the running server. Syntax: XDP_EXPLAIN_ON|OFF <filename> Example 1: Turn on explain log $SYSTEM XYGATEDP 346>...
  • Page 125: C12: Xdp_Install_License

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C12: XDP_INSTALL_LICENSE This macro is supplied to allow the XDP security administrator to check on a newly received license file and optionally load it. If you choose to load the new license, XDP renames the current license file out of the way and moves the new license in.
  • Page 126: C13: Xdp_Lib_Install

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C13: XDP_LIB_INSTALL The XDP_LIB_INSTALL macro installs XDP as a library of an object program, so that encryption and/or decryption occurs as configured. Additional questions can be asked following the execution of this macro, in order to select the proper XDP library. Syntax: XDP_LIB_INSTALL <object-file>...
  • Page 127: C14: Xdp_Lib_Uninstall

    C14: XDP_LIB_UNINSTALL XDP_LIB_UNINSTALL removes the XDP module from the specified object file when it is no longer needed. Syntax: XDP_LIB_UNINSTALL [!]<filename> Where: ! (optional) executes the macro without prompts. <filename> is the name of the file that was previously built using XDP_LIB_INSTALL.
  • Page 128: C15: Xdp_Lib_Uninstall_All

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C15: XDP_LIB_UNINSTALL_ALL XDP_LIB_UNINSTALL_ALL removes the XDP libraries from all of the programs in which they have been installed. It uses the XDPBIND file to determine which programs have had a library bound into it. Example: 6>...
  • Page 129: C16: Xdp_Libs_Installed

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C16: XDP_LIBS_INSTALLED XDP_LIBS_INSTALLED displays all libraries which have been added to programs. This macro depends on the existence of the XDPBIND file. Without XDPBIND, this macro will not display any information. Example: 4>...
  • Page 130: C18: Xdp_Mass_Decrypt

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C18: XDP_MASS_DECRYPT Creates a TACL “IN” file to run the decryption program as follows: • Nowaited. • One instance of the program per partition. • Multiple instances space the CPU usage evenly across available CPUs. •...
  • Page 131: C19: Xdp_Mass_Encrypt

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C19: XDP_MASS_ENCRYPT Creates a TACL “IN” file to run the encryption program as follows: • Nowaited. • One instance of the program per partition. • Multiple instances space the CPU usage evenly across available CPUs. •...
  • Page 132: C20: Xdp_Pwcold

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C20: XDP_PWCOLD Initializes and Starts your XDP Pathway utilizing the Pathway configuration information contained in the PWIN file in your XYGATEDP subvolume. C21: XDP_PWSAVE The macro will save the latest pathway configuration to the PWCONF file. Syntax: XDP_PWSAVE Example:...
  • Page 133: C25: Xdp_Refresh_Voltconfig

    C25: XDP_REFRESH_VOLTCONFIG Use this macro to refresh the Voltage configuration information and the connection to the Voltage key server held by encryption servers. Syntax: XDP_REFRESH_VOLTCONFIG Example: $SYSTEM XYGATEDP 647> XDP_REFRESH_VOLTCONFIG C26: XDP_REPORT Refer to section 6.2,...
  • Page 134: C29: Xdp_Start

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C29: XDP_START The XDP_START macro is used to start the XYGATEDP monitor process. The STARTUP message is written to the audit logs. Example: $SYSTEM XYGATEDP 8> XDP_START $SYSTEM.XYGATEDP.XYGATEDP/NAME $XDP,TERM $VHSQ,PRI 120,OUT $VHSQ,NOWAIT/ $XDP running.
  • Page 135: C32: Xdp_Syntax_Check

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C32: XDP_SYNTAX_CHECK The XDP_SYNTAX_CHECK macro processes the contents of the DPACL and the DPCONF files. Each file is checked for compliance with the expected XDP syntax. If errors are found, the error and the line on which the error is found are displayed. You can enter the name of any file where you are creating DP rules before putting them into the production DPACL file.
  • Page 136: C33: Xdp_Test_Connect

    C33: XDP_TEST_CONNECT The XDP_TEST_CONNECT macro will perform various consistency checks and validation checks of the XDP environment. It should be used to help troubleshoot configuration or connectivity issues with XDP. Syntax: XDP_TEST_CONNECT Example: How to run the XDP_TEST_CONNECT macro...
  • Page 137 ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros INFO: \N1.$SYSTEM XYGATEDP.FPEMETH file found. Checking access... SUCCESS: \N1.$SYSTEM XYGATEDP.FPEMETH file was successfully opened. INFO: \N1.$SYSTEM XYGATEDP.TOKMETH file found. Checking access... SUCCESS: \N1.$SYSTEM XYGATEDP.TOKMETH file was successfully opened. ------------------------------------------------------------------------------ |TEST 5: |Checking if encryption methods in configuration are registered with XDP.
  • Page 138: C34: Xdp_Uninstall

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C34: XDP_UNINSTALL The XDP_UNINSTALL macro completely removes the XDP software from the NonStop server. The macro must be run as the XDP owner ID. You must detach any libraries using the XDP_LIB_UNINSTALL_ALL macro before running the uninstall macro.
  • Page 139: C35: Xdp_Update_Acl

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros C35: XDP_UPDATE_ACL This macro will load a NEWDPACL file that was created earlier but not put into use. This macro does not give you an opportunity to view or change the contents of the file. If you want to make further changes before loading the file, you must use the XDP_EDIT_ACL macro instead.
  • Page 140: C37: Xdp_Volume

    ® ™ XYGATE Data Protection Reference Manual Appendix C: XDP Host Macros $SYSTEM.XYGATEDP.XYGATEDP Binder timestamp: 20NOV2013 12:00:14 Version procedure: T9999D30^P64^XDPMON^100 Target CPU: UNSPECIFIED OCA timestamp: 20NOV2013 12:17:00 VPROC - T9617H01 - (01 FEB 2009) SYSTEM \N1 Date 21 NOV 2013, 08:06:17 Copyright 2004 Hewlett-Packard Development Company, L.P.
  • Page 141: Appendix D: Xdp Error Codes

    Appendix D: XDP Error Codes The XDPERROR program is provided for descriptions of XDP error codes. Run XDPERROR without arguments to display the program syntax. $SYSTEM.XYGATEDP > xdperror XDPERROR - Usage: XDPERROR [ <XDP error number> | -1 ] A value of -1 will list error descriptions of all XDP error codes. XDP error numbers begin at 350 and run through 433.
  • Page 142 ® ™ XYGATE Data Protection Reference Manual Appendix D: XDP Error Codes Error Error Description Corrective Action Code Cannot use a memory segment Internal error. Contact XYPRO. Encrypted field position is after The field position + length in the DPACL record length exceed the data record's length.
  • Page 143 ® ™ XYGATE Data Protection Reference Manual Appendix D: XDP Error Codes Error Error Description Corrective Action Code No wait file operation table is full Attempted to initiate more than 15 no wait I/O operations against a file. Unable to locate a completed Internal error.
  • Page 144 ® ™ XYGATE Data Protection Reference Manual Appendix D: XDP Error Codes Error Error Description Corrective Action Code The file name specified is invalid An invalid file name was specified. Correct the file name. Cannot communicate with the The XDPCPU process in the CPU cannot XDPCPU process be accessed.
  • Page 145 ® ™ XYGATE Data Protection Reference Manual Appendix D: XDP Error Codes Error Error Description Corrective Action Code The requested feature is not A requested feature of XDP is not currently implemented implemented. Recovery depends on what operation was being attempted. Missing argument If you are using the XDP SDK and you receive this error ensure that you are...
  • Page 146 ® ™ XYGATE Data Protection Reference Manual Appendix D: XDP Error Codes Error Error Description Corrective Action Code The process pointed to by the The TCP/IP process pointed to by the =TCPIP^PROCESS^NAME define =TCPIP^PROCESS^NAME is not define is not running. running.
  • Page 147 ® ™ XYGATE Data Protection Reference Manual Appendix D: XDP Error Codes Error Error Description Corrective Action Code The item index number passed The procedure is not the next item number __XYPRO_ENCR_ADD_ENCRYPT_DATA accepts an index value to uniquely identify expected - out of sequence each piece of data that is to be encrypted or decrypted.
  • Page 149: Appendix E: Xdp Api Procedures

    Appendix E: XDP API Procedures A sample ‘C’ program is included in the XDP XYGATEDP installation subvolume named SDKSAMPC. Please refer to that sample program for a complete example on how to use this SDK. The following #include statements are required somewhere near the top of your program: #include "xdpdecth (declarations)"...
  • Page 150: E3: __Xypro_Encr_Initialize

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_INITIALIZE short __XYPRO_ENCR_INITIALIZE ((long _far *) encr_ctx); /* input Initializes the encryption API context memory. Use this procedure to initialize the encryption API context for which memory was previously allocated. Returns 0 when successful.
  • Page 151: E4: __Xypro_Encr_Add_Encr_Method

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_ADD_ENCR_METHOD short __XYPRO_ENCR_ADD_ENCR_METHOD ( encr_init_struct _far *encr_init /* input , char _far *spathmon_name /* input , short npathmon_name_len /* input , char _far *sserverclass_name /* input , short nserverclass_name_len /* input , char _far *sencr_method /* input...
  • Page 152 ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures sencr_method The name of the encryption method to be used for encryption. These values are defined in the DPCONF file in the ENCRMETHOD lines; the encryption method name is the third word of those lines. For example: ENCRMETHOD VOLTAGE FPE FPEMETH...
  • Page 153 ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures nerror = __XYPRO_ENCR_ADD_ENCR_METHOD ((encr_init_struct _far *) encr_init ,(char _far *) spathmon_name ,(short) strlen(spathmon_name) ,(char _far *) sserverclass_name ,(short) strlen(sserverclass_name) ,(char _far *) sencr_method ,(short) strlen(sencr_method) ,(char _far *) sprovider_name ,(short) strlen(sprovider_name) ,(short _far *) &nserv_index1 ,(short) first_call...
  • Page 154: E5: __Xypro_Encr_Set_Encr_Provider

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_SET_ENCR_PROVIDER short __XYPRO_ENCR_SET_ENCR_PROVIDER (long _far *encr_ctx /* input , encr_init_struct _far *encr_init /* input Parameters Returns 0 when successful. Refer to the list of error codes in the XDP manual for a description of the error code values.
  • Page 155: E6: __Xypro_Encr_Add_Encrypt_Data

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_ADD_ENCRYPT_DATA short __XYPRO_ENCR_ADD_ENCRYPT_DATA (long _far *encr_ctx /* input , char _far *pdata /* input , short nlen /* input , short index /* input , char _far *encr_method /* input , short encr_method_len /* input...
  • Page 156 ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures Example: /* Global Storage */ char *encr_ctx; Encryption context pointer short nserv_index; Pathway server index /* Local Storage */ short nerror; short nitemindex; Index of data to be encrypted. char splaintextpan1[20] = { "0123456789012345"...
  • Page 157: E7: __Xypro_Encr_Encrypt

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_ENCRYPT short __XYPRO_ENCR_ENCRYPT (long _far *encr_ctx /* input*/ , short n_encr_key_len /* input , char _far *encr_key /* input , short _far *nencr_error /* output , long unused); Triggers the actual encryption of data previously added using .
  • Page 158: E8: __Xypro_Encr_Decrypt

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_DECRYPT short __XYPRO_ENCR_DECRYPT (long _far *encr_ctx /* input*/ , short n_encr_key_len /* input , char _far *encr_key /* input , short _far *nencr_error /* output , long unused); Triggers the actual decryption of data previously added using .
  • Page 159: E9: __Xypro_Encr_Send_To_Encr_Srv

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures __XYPRO_ENCR_SEND_TO_ENCR_SRV short __XYPRO_ENCR_SEND_TO_ENCR_SRV ( long _far *encr_ctx /* input , short serv_index /* input , char _far *op /* input ,[long long _far *process_time] /* output , short n_encr_key_len /* input , char _far *encr_key /* input...
  • Page 160 ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures was preserved. Encryption key rolling can also be done on the Voltage key server, and that method is the preferred way to roll the encryption key. nencr_error Returns 0 when successful. Some XDP error codes are generic so a sub error code is also returned describing the error in more detail.
  • Page 161: E10

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures E10: __XYPRO_ENCR_IO_COMPLETED short __XYPRO_ENCR_IO_COMPLETED (long _far *encr_ctx /* input short nscsend_op_num /* input short serv_index /* input short ncount_read /* input ,[long long _far *process_time] /* I/O short _far *nencr_error /* output char _far *pbuffer /* input...
  • Page 162 ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures pbuffer The buffer address returned from AWAITIOX. Example: /* Global Storage */ short nserv_index1; Pathway server index, method 1 char *encr_ctx; Encryption context pointer char *pbuffer; I/O buffer /* Local Storage */ long long process_time = 0ll;...
  • Page 163: E11

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures E11: __XYPRO_ENCR_GET_ENCRYPT_DATA short __XYPRO_ENCR_GET_ENCRYPT_DATA ((long _far *) encr_ctx /* input ,(char _far *) sencryptedpan /* output ,(short _far *) &nencryptedpanlenret /* output ,(short) nitemindex /* input ,(short _far *) &nencr_error /* output Retrieves the data string that was encrypted or decrypted from the encryption context buffer.
  • Page 164: E12

    Example: /* Global Storage */ char *encr_ctx = NULL; Encryption context pointer /* Local Storage */ long long process_time = 0ll; Encr process time in microseconds long niotag; I/O tag for send unsigned short ncountret;...
  • Page 165: E13

    ® ™ XYGATE Data Protection Reference Manual Appendix E: XDP API Procedures E13: __XYPRO_ENCR_IS_EXT_PROVIDER bool __XYPRO_ENCR_IS_EXT_PROVIDER (void); Indicates whether the encryption provider is accessed externally or not. Parameters Returns false if the internal encryption provider is being used. Returns true if the external encryption provider is being used.
  • Page 167: Glossary

    Glossary DPACL File This is an edit file that contains security and encryption settings for the application files that are being protected by XDP. There are three different types of groups in the DPACL file: ACLGroups, DPGroups and ENCRYPTION_Groups. DPCONF File This is an edit file that configures global values and is kept in the same volume and subvolume as the XYGATEDP object file.
  • Page 168 ® ™ XYGATE Data Protection Reference Manual Glossary VPINGC This program is run by the xdp_test_connect macro to perform various consistency checks and validation checks of the XDP environment. XDP Init XDP Init is the DPCONFAP file. Refer to DPCONFAP File above and section 2.2, “The DPCONFAP (XDP Init) File”...