Fine-Tune Friday: One 3000 and Two Factors
March 2, 2018
People are sometimes surprised where HP 3000s continue to serve. Even in 2018, mission-critical systems are performing in some Fortune 500 companies. When the death knell sounds for their applications, the axe gets swung sometimes because of security. Two-Factor security authentication is a standard now, serving things like Google accounts, iCloud data, and corporate server access.
Eighteen years ago, one HP 3000 shop was doing two-factor. The work was being coded before smartphones existed. Two-factor was delivered using a security fob in most places. Andreas Schmidt worked for Computer Sciences Corporation, which served the needs of DuPont in Bad Homburg, Germany. CSC worked with RSA Security Dynamics to create an RSA Agent that connected a 3000 to an RSA Server.
Back in that day, authentication was done with fobs like the one above. Now it's a smart device sharing the key. Schmidt summarized the work done for what he calls "the chemical company" which CSC was serving.
Two-Factor Token Authentication is a state-of-the-art process to avoid static passwords. RSA Security Dynamics provides an MPE Agent for this purpose which worked perfectly for us with Security/3000, but also with basic MPE security. The technical approach is not simple, but manageable. The main problems may arise during the rollout because of human behavior in keeping known procedures and avoiding changes, especially for security. But to stay on HP 3000 into the future, the effort is worth it, especially for better security.
The project worked better when it relied on the Security/3000 software installed on the server hosting Order Fulfillment. Two-factor security was just gaining widespread traction when this 3000 utilized it. Schmidt acknowledged that the tech work was not simple, but was manageable. When a 3000 site is faced with the alternative of developing a replacement application away from MPE/iX, or selecting an app off the shelf like SAP, creating two-factor is within the limits of possibility. Plus, it may not be as expensive as scrapping an MPE application.
Schmidt's article covers an Agent Solution created by CSC. Even 18 years ago, remaining on the 3000 was an issue worth exploring. When many outside firms access a 3000, two factor can be key.
NT and MPE were selected as pilots: NT because of the large number of servers running that environment; and MPE because of the thinking that this platform might be different from all others and more difficult to implement. However, the company also recognized the importance of running its 3000-based Order Fulfillment Process with a lot of different outside partners.
RSA’s first attempt to develop an agent for MPE was very simple: A token had to become configured for a combination of MPE-USER-ID.MPE ACCOUNT. This combination could not be reused on another token. It was not possible to use wildcards or to add SESSION-IDs or MPE-GROUP to have a complete logon string. Because of the MPE characteristic to share logons (on all levels of capabilities) this version of the agent was not what we were looking for. (More drastically: This agent could not function for the MPE platform).
The second attempt was much better: everything was changed to the chemical company’s already-existing Security/3000 setup. Now Security/3000 invokes the RSA Agent to contact the RSA Server. It transmits either the SESSION-ID or the MPE-USER-ID as the name of the token. If the token is known and allowed to access the HP 3000, the agent asks the user for the current tokencode plus PIN.
This agent also functions without Security/3000 by adding some lines to the System’s Logon UDC. This drops some additional functions in combination with Security/3000, like verifying a user profile in any case (SESSION-ID,MPE-USER-ID.MPE-ACCOUNT is defined as allowed logon in Security/3000, all others will be refused before starting anything), but it will work.
The project report details show this could be installed even before two-factor took a wide foothold in IT. Schmidt doesn't share the code in his article because it was custom work for a dedicated customer. But the process is worth a look, even if only to prove that custom code brings a 3000 into security compliance.
"One thing is essential," Schmidt wrote. "The RSA Agent for MPE does not replace the MPE password process like it does for Unix or NT. It is activated first when the HELLO string has been entered and the MPE password hurdle has been passed (Account, User, and/or Group Password) and (as an option) the basic check within Security/3000 for profile existence is passed. Now any other logon UDC functions are invoked, and this activates the RSA Agent.
Having Security/3000 in place is a good idea to replace the session passwords (if any) by supplying the tokencode.
Not having session names in place, the RSA Agent will add an additional password. I do not recommend eliminating the MPE password — it’s still a fence around your system and is needed for batch security (depending on the streaming security you have in place).
Complete details are in the NewsWire website's archived Technical Articles. Go forth and secure, if preserving an application is a better choice than locating an app replacement.