HP OpenVMS Systems

OpenVMS System Software

Security Features in OpenVMS Version 8.4


Global and Local Mapping of LDAP Users

The authentication method for OpenVMS version ACME LDAP agent on Version 8.3 and Version 8.3-1H1 supports only one-to-one mapping for users.

In one-to-one mapping, the user logging in to an OpenVMS system from an LDAP server must have a matching username in the SYSUAF.DAT file. Hence, a user must login with the exact username entry stored in the SYSUAF.DAT file. With OpenVMS Version 8.4 or later, LDAP ACME agent uses the concept of global and local mapping.

Using the global and local mapping:

  • User can enter the user name that is common across the domain, at the login prompt.
  • User name is mapped to a different name in the SYSUAF.DAT file during login.
  • OpenVMS session after login uses the name and the privileges in the SYSUAF.DAT file for all purposes.
  • The SET PASSWORD command has the capability to understand that this is a mapped user and synchronize any password change to the directory server.

Check the “Global and local mapping” section in the new ACME LDAP documentation › provided on OpenVMS V8.4 for details on using the mapping feature.

ACME Documentation Updates

New document is provided for setup and configuration of ACMELDAP on OpenVMS V8.4. The documentation is available at the following location after installing OpenVMS V8.4:


The “Enabling External Authentication” and “Authentication and Credentials Management Extensions (ACME) Subsystem “sections is changed in “HP OpenVMS Guide to System Security” [ PDF › | HTML › ] to provide more details on the ACME environment/agents and the difference between the SYS$ACM and non SYS$ACM enabled logins.

ACME Login restored during Upgrade

The SYS$ACM enabled logins and the ACME environment is restored automatically when a system is upgraded to OpenVMS V8.4. Manual re-configuration is not required.

See “HP OpenVMS Guide to System Security” [ PDF › | HTML › ] for more information on SYS$ACM enabled login and ACME.

HP Code Signing Service (HPCSS)

HP products deliver on "trustworthy and reliable" brand promise. The electronic cryptographic "signature" created for HP code (software, firmware, drivers, applications, patches, solutions, and so forth) provides you an industry standard method to verify the integrity and authenticity of the code you have received from HP before deployment.

Digitally signed code helps you manage the security vulnerability risk from using non-HP versions of our product’s software and firmware, which may fail to meet expectations and, worse, may harbor malicious code (such as a virus or a worm).

Further to comply with the other markets, such as mobile code, firmware in FIPS compliant devices, and increased threats posed by standard firmware interfaces HP products are delivered with this digital sign.

Earlier, OpenVMS followed its own signing mechanism based on Common Data Security Architecture (CDSA). During the installation of the kits, PCSI used the CDSA Validator to verify the signature. Kits created in either sequential (*.PCSI) or compressed (*.PCSI$COMPRESSED) formats were signed. Kits using VMSINSTAL for installation were not signed.

All new OpenVMS kits, which are updated for Version 8.4, including PCSI and VMSINSTAL based kits are signed using HP Code Signing Service (HPCSS). A new companion file, <full kit name>_HPC is created and is provided along with the kit. The kit is then verified using the companion file.

Note: OpenVMS Alpha Version 8.4 CDs are not signed with this mechanism.

From OpenVMS Version 8.4, a new product, HPBinarychecker, will get installed on OpenVMS systems to validate the kits signed using HPCSS. VMSINSTAL and PCSI are enhanced to use the validator. HP supplied Layered Products that use VMSINSTAL will be signed the way in which the PCSI kits were signed.

To validate the signed kit with the _HPC file extension, use the HPBinaryChecker executable. If the HPBinaryChecker is not available, PCSI displays that the HPBinaryChecker is not loaded and prompts you to install the Product. If the _ESW manifest file is present and no _HPC file is present, PCSI uses CDSA to validate the kit. CDSA validation will not be retired.

CDSA signing for OpenVMS Version 8.4 and beyond will be discontinued. For more information on installing the signed kit, see HP OpenVMS Version 8.4 Upgrade and Installation Manual. ›

HP SSL Version 1.4 for OpenVMS

Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. HP SSL Version 1.4 is based on OpenSSL 0.9.8h and it also includes the latest security updates from OpenSSL.org.

Please check the HP SSL V1.4 “Installation Guide and Release Notes › ” or the “HP OpenVMS Version 8.4 New Features and Documentation Overview › ” for more information on the new features and the Vulnerabilities fixed in HP SSL V1.4.

Note: HP SSL V1.4 is not backward compatible with earlier versions of HP SSL. Please check the “Advisory for HP VMS SSL users on OpenVMS V8.4 for Integrity servers and Alpha platform › ” or visit the “HP SSL for OpenVMS web page › ” for more information.

Security Features in OpenVMS Version 8.3

New Optional SYS$ACM-Enabled LOGINOUT.EXE and SETP0.EXE Images and Two New Authentication and Credentials Management Extension (ACME) Agents

OpenVMS Version 8.3 includes optional SYS$ACM-enabled LOGINOUT.EXE and SETP0.EXE images that use the SYS$ACM system service for user authentication and password changes. When these images are used, login and password change requests are sent to the SYS$ACM service and handled by the ACME_SERVER process's authentication agents. A VMS authentication agent is configured by default to service standard VMS login and password-change requests.

ACME Components:

  • ACME subsystem
  • Provides authentication and persona-based credential services. Applications use these services to enforce authentication policies defined by ACME agents running in the context of the ACME_SERVER process.

  • ACME agents

    • VMS (Standard OpenVMS policy) ACME agent
    • MSV1_0 (Microsoft LAN Manager authentication) ACME agent
    • LDAP ACME agent

      New in Version 8.3, the LDAP ACME agent allows users to log into an OpenVMS system using authentication information held in an LDAP directory, thus allowing common authentication across many platforms.

      LDAP Authentication patch kits  (February 2007)

      New production quality LDAP Authentication patch kits are now available from the IT Resource Center › . Search for VMS83A_ACMELDAP-V0100 for OpenVMS Alpha and VMS83I_ACMELDAP-V0100 for OpenVMS for Integrity servers.

      These kits provide optional login and set password functionality that utilizes the SYS$ACM system service for user authentication and password changes. When this optional functionality is enabled, login and password change requests are sent to the SYS$ACM service and handled by the ACME_SERVER process’s authentication agents. These kits contain an LDAP authentication agent that allows for login and password-change requests to be directed to any LDAP V3 compliant directory server.

      These patch kits have been rigorously tested and are qualified for use in production environments.

      Important: If you plan to use the LDAP ACME kit to authenticate to a Microsoft Active Directory Domain, you must initiate all password changes from a Microsoft platform. OpenVMS Engineering is working on an updated LDAP ACME patch kit that will remove this restriction.

      After the kit is installed, see the LDAP ACME Agent Readme file › for detailed information on how to configure the system. This readme file is also located at SYS$HELP:ACME_DEV_README.TXT. Release notes can be found at SYS$HELP:VMS83x_ACMELDAP-V0100.RELEASE_NOTES.

    • Kerberos ACME agent

      New in Version 8.3, the Kerberos ACME agent provides functionality similar to the pam_krb5 utility on UNIX systems. In previous versions of OpenVMS, Kerberos for OpenVMS users were required to perform multiple login steps: once to log in to OpenVMS itself, and once to obtain Kerberos credentials. This ACME agent automatically acquires all credentials for you.

In addition,customers can create additional ACME agents for custom authentication policies.

Secure Delivery for OpenVMS

OpenVMS Version 8.3 includes Secure Delivery, which uses public key and digital signature technology to implement a system that provides OpenVMS users with the ability to authenticate and validate files from OpenVMS and third-party OpenVMS vendors.

Secure Delivery allows for digital signatures to authenticate the originator and validate the contents of software kits installed on OpenVMS systems. If the kit or manifest has been tampered with in any way, the validation process fails. If the certificates used to sign the file have been revoked, the validation process fails.

Secure Delivery has been integrated into PCSI, which automatically ensures that software installed on OpenVMS was not tampered with prior to installation.

For an overview of Secure Delivery on OpenVMS, and how to invoke its components using CDSA, see the Secure Delivery for OpenVMS documentation in

HP Open Source Security for OpenVMS,
Volume 1: CDSA

[ PDF › | HTML › ].

Encryption for OpenVMS

OpenVMS Version 8.3 integrates the former Encryption for OpenVMS software product into the operating system. This eliminates the requirement for a separate product installation and product license. In addition, OpenVMS Version 8.3 now includes support for the Advanced Encryption Standard (AES) algorithm, which allows OpenVMS users, system managers, security managers, or programmers to secure their files, save sets, or application data with AES encryption.

Encryption is used to convert sensitive or otherwise private data to an unintelligible form called cipher text. This is done for the purpose of data confidentiality. Decryption reverses this process, taking the unintelligible cipher text and converting the data back into its original form, called plain text. Encryption and decryption are also known as encipher and decipher.

For more information, see:

  • Encryption for OpenVMS

    documentation in the Version 8.3 New Features and Documentation Overview [ PDF › | HTML › ].

  • “Encryption” and “Using Encryption” section in the HP OpenVMS Guide to System Security provided with OpenVMS V8.4 [ PDF › | HTML › ].
  • HP OpenVMS Utility Routines Manual [ PDF › | HTML › ].

Many other important security features are included in the base operating system. For more information, see the HP OpenVMS Guide to System Security [PDF › | HTML › ].

HP SSL for OpenVMS

Secure Sockets Layer (SSL) is the open standard security protocol for the secure transfer of sensitive information over the Internet. SSL provides three things: privacy through encryption, server authentication, and message integrity. Client authentication is available as an optional function.

Protecting communication links to OpenVMS applications over a TCP/IP connection can be accomplished through the use of SSL. The OpenSSL APIs establish private, authenticated and reliable communications links between applications.

HP SSL Version 1.4 for OpenVMS › is based on OpenSSL 0.9.8h and includes all of the latest security updates from OpenSSL.org.

For more information about HP SSL for OpenVMS, see the HP SSL Version 1.4 for OpenVMS Installation Guide and Release Notes. › The SSL source code is an open-source project from

opensource.org › , maintained by the OpenSSL Group. ›

OpenSSL derived this software from the industry standard Secure Socket Layer (SSL) V2.0/V3.0 specifications orignally from Netscape, and the Transport Layer Security (TLS) V1.0 specification from IETG. ›

The OpenSSL 0.9.8h baselevel supports the following components:

Note: The OpenVMS port of the Cryptography library does not contain the RC5 and IDEA symmetric ciphers. HP does not have a commercial distribution agreement for these algorithms.

Download HP SSL for OpenVMS

CDSA (Common Data Security Architecture) for OpenVMS

The Common Data Security Architecture (CDSA) is a multiplatform, industry-standard security infrastructure. Starting with Version 7.3-1, CDSA is part of the OpenVMS Alpha base operating system. CDSA is compatible with OpenVMS Alpha Version 7.2-2 and higher.

CDSA provides a stable, standards-based programming interface that enables applications to access operating system security services. With CDSA, developers can create cross-platform, security-enabled applications. Security services, such as cryptography and other public key operations, are available through a dynamically extensible interface to a set of plug-in application programming interface modules (API functions). These modules can be supplemented or changed as business needs and technologies evolve.

For general information about CDSA, see:

For more information about CDSA on OpenVMS, see HP Open Source Security for OpenVMS, Volume 1: CDSA [ PDF › | HTML › ].

CDSA Source CodeFor a binary compilation of the CDSA sources that have been ported to the OpenVMS operating system, see:

Download CDSA source code

Kerberos for OpenVMS

Kerberos for OpenVMS, based on MIT Kerberos V5, is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

Kerberos Version 3.1 for HP OpenVMS › is based on MIT Kerberos V5 Release 1.4.1. Starting with OpenVMS Version 7.3-2, Kerberos is included with the OpenVMS base operating system. Kerberos Version 3.1 runs on OpenVMS Alpha and Integrity servers Version 8.3 and higher and supports authentication to happen over IPv6. Kerberos Version 3.0 and 2.0 are also available for download.

For more information about Kerberos on OpenVMS, see HP Open Source Security for OpenVMS, Volume 3: Kerberos [ PDF › | HTML › ].

Download Kerberos for OpenVMS

Open Source Tools for OpenVMS

There are many other Open Source tools ported on to OpenVMS. Click here › to find more information on the Open Source tools.

Some of the security tools provided and not listed in this page are:

  • SNORT for OpenVMS
  • Stunnel
  • GnuPG

OpenVMS IPsec

HP TCP/IP Services for OpenVMS IPsec provides an infrastructure to allow secure communications (authentication, integrity, confidentiality) over IP-based networks between systems and devices that implement the IPsec protocol suite.

OpenVMS IPsec › offers protection against replay attacks, packet tampering, and spoofing -- and it keeps others from viewing critical data such as passwords and financial information sent over the Internet.

For more information about OpenVMS IPsec, see

Configuring and Using TCP/IP Services for OpenVMS IPsec [ PDF › ].

Download HP TCP/IP Services for OpenVMS featuring IPsec

SSH for OpenVMS

Secure Shell (SSH) is a combination of client and server software that transparently encrypts and decrypts data flow between hosts on a network. OpenVMS SSH software is based on SSH2 Software from SSH Communications Security › .

SSH functionality is available as part of TCP/IP Services Version 5.4 and higher.

See Ericom Software › and Process Software › for our OpenVMS partners' SSH solutions.

Ericom Software and OpenVMS

Ericom Software provides SSH, SSL, Single Sign On, and Kerberos secure terminal emulation solutions

Ericom® Software and HP have enjoyed a long-standing business and technology relationship since 1996, when Ericom's PowerTerm® terminal emulation solution was included in Pathworks 32.

The number of OpenVMS users who use or are planning to use SSH and SSL support in their operating system continues to grow. Many of these users also require a secure terminal emulator with secure file transfer.

Ericom Software is proud to provide a range of secure solutions for these users. For a complete breakdown of Ericom's PowerTerm host access and Web-to-Host solutions that support SSL, SSH, Single Sign On, and Kerberos security protocols. See:

PointSecure and OpenVMS

PointSecure Provides Security Products for OpenVMS VAX and OpenVMS Alpha with System Detective AO and IS

Security SnapShot

The Security SnapShot provides OpenVMS customers with a fast and easy way to perform a high level assessment of potential security exposures. This non-intrusive tool focuses on user profiles, file security and system/network security.

The Security Snapshot performs sixteen security checks on your system and will provide you with a pass/fail assessment. This will help you determine the strengths and weaknesses of your system.

Your business processes depend on the applications and data that support them - so you need to be sure that your data and systems are secure. This is not always possible because of the rapid changes in business and technology that increase your organization's control and security challenges. The Security Snapshot will allow you to quickly and easily see potential exposures that may affect your strategic business objectives. For a 16-point checkup for OpenVMS systems, see:

Download free PointAudit OpenVMS security snapshot

System Detective AO

System Detective AO is a rules based security and compliance tool designed to enforce user accountability. By monitoring and recording user sessions as well as providing proactive responses to triggered events, System Detective AO helps to maintain the security and integrity of OpenVMS systems.

System Detective IS is an interactive session monitoring tool designed to give administrators the ability to interactively monitor user sessions. This product allows administrators to take action to help users or eliminate unwarranted user activity all in real-time.

PointSecure also provides a PC based auditing tool called PointAudit which analyzes the SYSUAF.lis file and provides a breakdown of user profiles allowing for quick and easy account review. For Additional product information, see:

Migration Advisor

Planning your migration requires a good understanding of what your current environment looks like. Determining what HP layered products and what commercial (3rd party / ISV) or Open Source products are present is a critical initial step in the planning.

PointSecure, working with HP OpenVMS, has created a tool called Migration Advisor that aids in collecting information about your current OpenVMS system environment. For the Migration Advisor FAQ, click here › or for a quick overview, click here › . Migration Advisor can be downloaded from PointSecure at http://www.pointsecure.com/products/MigrationAdvisor.aspx › .

Process Software

Process Software Provides SSH for OpenVMS

SSH server and client provide secure encrypted communications over the Internet and are the defacto standard. In addition, there are some other advantages of SSH for OpenVMS:

  • Multi-protocol support: SSH protocol v1 and v2 server and client(SSH)
  • Provides secure file transfer with Secure Copy Protocol (SCP)
  • Secures numerous applications with port forwarding
  • Provides many authentication and encryption options
  • The SSH server operates with most third-party SSH clients
  • Data compression support saves time and connection fees
  • Supports HP TCP/IP Services for OpenVMS 4.2 or higher

For more information, see

Process Software SSH for OpenVMS

Security is more important now than ever

Companies taking advantage of the tremendous market potential of the information superhighway are daily faced with security risks that may hurt, or even kill, their business.

Today, when business increasingly depends on securedata, a vulnerable company will not last. Potential hazards,from the inside as well as the outside, must be addressed effectively.