UniData 8.2.1 Upgrade Essentials: Compliance and Security
Rocket UniData 8.2.1: Part 1 of 5
I wanted to share some important insight on the recent UniData 8.2.1 release. They say a picture is worth a thousand words so let me start with these pictures and follow with more technical detail.
As you can see, we focused a lot of effort on our ‘technical debt’ in the UniData 8.2.1 release: about 85% of the resolved issues addressed bugs reported by over 200 of our UniData customers, and together with the included enhancements, the release satisfied the requests of 300+ UniData customers.
On the enhancements side of the house, we focused our efforts on listening to what customers in the field requested through our Lab Services and Customer Experience teams, and brought over enhanced technology from our UniVerse platform to share with our UniData customers. UniData 8.2.1 offers brand new Audit Logging capabilities to support compliance requirements, and enhancements to Replication to meet the continued High Availability and Disaster Recovery needs of our UniData customers. Finally, UniData 8.2.1 delivers Python integration, so you can extend your existing applications to call any of the over 123,000 open source Python packages and attract new developers who are conversant in Python to write new application logic to complement your existing Basic code.
So let me take you deeper into the release and talk specifically about some of the new features we did for the wider UniData customer community.
We introduced Audit Logging into UniData 8.2.1 from UniVerse 11.3.1 and made several improvements based on our customer experience with UniVerse and direct interaction with our UniData partners. Audit Logging allows you to comply with regulatory requirements and provides more granular auditing information, giving you the ability to identify all data access and change events without any change to your existing applications.
The recording of events by Audit Logging is fully configurable, and provides auditing capability at the system, data and user levels, along with audit policies which are defined at global, group or individual event levels. There are also application hooks which allow auditing of user-definable events within a client application.
The Audit Logs are securely encrypted, and multiple output file options are available. Some of the benefits of Audit Logging are:
- Accountability – Provides indisputable evidence that someone accessed or modified certain system objects or performed certain actions on the system.
- Flexible – Flexible policies cover any event. Policy changes can be activated in real-time without any system down-time.
- Performant – Audit Logging supports multiple output files including sequential file logs, significantly improving the performance of Audit Logging.
- Reconstruction – Because the log data is generated chronologically, it can be used as an audit trail, both during and after the incidents that triggered the security audit.
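The accountability and reconstruction benefits above come down to one property: a chronological trail of access and change events can be replayed to answer "what did this record look like at time T?" and "who changed this field, and from what to what?". The following is an added illustration of that replay, not UniData's Audit Logging format or tooling: the event layout (timestamp|user|event|file|record|field|old|new), the READ/WRITE event names and the sample events are all constructed for this example.

```python
"""Reconstructing who did what to a record from a chronological audit trail.

Added illustration only: the pipe-separated event layout, the READ/WRITE event
names and the sample log are constructed, not UniData's actual audit format.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Union

# Constructed sample in a sequential-file style: one event per line, fields
# separated by '|', written in the order the events occurred.
SAMPLE_LOG = """\
2024-01-15T09:00:01|alice|READ|CUSTOMERS|C1001|||
2024-01-15T09:02:10|bob|WRITE|CUSTOMERS|C1001|CREDIT_LIMIT|5000|25000
2024-01-15T09:02:11|bob|WRITE|CUSTOMERS|C1001|STATUS|ACTIVE|VIP
2024-01-15T17:45:00|carol|WRITE|CUSTOMERS|C1001|CREDIT_LIMIT|25000|5000
2024-01-16T08:00:00|alice|READ|CUSTOMERS|C1001|||
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    event: str      # READ or WRITE in this constructed format
    file: str
    record: str
    field: str      # empty for READ events
    old: str        # value before a WRITE, empty for READ
    new: str        # value after a WRITE, empty for READ


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the trail, refusing malformed lines and out-of-order timestamps."""
    events: List[AuditEvent] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 8:
            raise ValueError(f"line {lineno}: expected 8 fields, got {len(parts)}")
        ev = AuditEvent(datetime.fromisoformat(parts[0]), *parts[1:])
        # A trail that is not chronological cannot be replayed reliably and is
        # a sign of corruption or tampering, so treat it as fatal.
        if events and ev.ts < events[-1].ts:
            raise ValueError(f"line {lineno}: timestamp earlier than previous event")
        events.append(ev)
    return events


def state_at(events: List[AuditEvent], file: str, record: str,
             as_of: Union[str, datetime]) -> Dict[str, str]:
    """Replay WRITE events up to and including `as_of` to rebuild the record's fields."""
    cutoff = datetime.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    state: Dict[str, str] = {}
    for ev in events:
        if ev.ts > cutoff:
            break  # the trail is chronological, so nothing later can matter
        if ev.event == "WRITE" and ev.file == file and ev.record == record:
            state[ev.field] = ev.new
    return state


def who_changed(events: List[AuditEvent], file: str, record: str,
                field: str) -> List[AuditEvent]:
    """Every change to one field, oldest first: the accountability view."""
    return [ev for ev in events
            if ev.event == "WRITE" and ev.file == file
            and ev.record == record and ev.field == field]


def touched_by(events: List[AuditEvent], user: str) -> List[AuditEvent]:
    """All access and change events attributed to one user."""
    return [ev for ev in events if ev.user == user]


if __name__ == "__main__":
    trail = parse_log(SAMPLE_LOG)
    print("C1001 at noon on the 15th:", state_at(trail, "CUSTOMERS", "C1001", "2024-01-15T12:00:00"))
    for ev in who_changed(trail, "CUSTOMERS", "C1001", "CREDIT_LIMIT"):
        print(f"{ev.ts.isoformat()} {ev.user}: CREDIT_LIMIT {ev.old} -> {ev.new}")
```

Replaying in timestamp order is what makes the trail reconstructive; that is also why the parser rejects an out-of-order line instead of sorting it, since a log that has been reordered is no longer evidence of the sequence in which things happened.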
OpenSSL Upgrades and Agility
UniData 8.2.1 has been enhanced to easily accommodate future OpenSSL updates without having to update UniData itself. Customers only need one executable from Rocket when a new version of OpenSSL becomes available. OpenSSL libraries are released often and our customers need to be able to easily protect their business from the latest security threats, without the need to upgrade all of UniData, which is not an option in the 24-7-365 world our customers operate in today.
UniData 8.2.1 ships with the OpenSSL 1.0.2h.fips library, which includes the latest security protocols and algorithms, including SHA-2 support.
Federal Information Processing Standards (FIPS 140-2)
UniData 8.2.1 now gives your business the means to meet FIPS 140-2 security and compliance requirements when certifying your application. FIPS 140-2 allows you to demonstrate that you are providing a higher standard of security for your customers, which is becoming a required standard in the government, financial and healthcare industries.
UniData 8.2.1 uses an embedded FIPS 140-2-validated cryptographic module from OpenSSL under certificate #1747, per FIPS 140-2 Implementation Guidance, section G.5. When properly configured, UniData performs all crypto-operations securely through the OpenSSL FIPS module.
In FIPS mode, only a subset of crypto-related algorithms is available, specifically Triple-DES and AES for ciphers, and the SHA1 and SHA2 series for digests. FIPS mode impacts UniData crypto-operations in the following areas:
- UniBasic programs that call security APIs (i.e. ENCRYPT, ENCODE, DIGEST, SIGNATURE)
- Automatic Data Encryption (ADE) operations
- Connecting to websites or sockets using SSL/TLS, including operations related to SCRs
- External Database Access (EDA) or UniData Data Replication operations that involve connection credentials
- UniData Audit Logging
- Credential ID Wallet operations
- Management of secured configuration files (including the u2audit.config, .unisecurity, and UCI.config files).
- XAdmin performing UniData-specific encryption operations (to secure ADE passwords)
- U2 clients connecting to UniData servers in secure mode
It should be noted that UniData 8.2.1 is FIPS 140-2 capable (i.e. all the tools are provided to ensure FIPS 140-2 compliance) but is not itself FIPS 140-2 certified. For more detail on FIPS and security please refer to a previous blog called ‘Making Your Application More Secure with UniVerse 11.3.1 and UniData 8.2’ which covers the subject in depth.
Token Based Authentication
As customers move to a cloud-based Identity Management (IdM) system for user authentication in their application, the current user ID and password method of connecting to UniData servers is becoming less appropriate or in some cases not even possible. Token-based authentication is available to provide security and future extensibility for IdM systems.
The traditional method requires a user name and password, which are then used to validate the connection through operating system calls. Token-based connections require only username@TOKEN-ID (no password), and if the username and TOKEN-ID are known to the U2 credential manager, the connection is allowed.
The credential mapping record is a text record that maps a token ID to an O/S user ID.
- The allowed services specify which interfaces can use the mapping record:
  - UDCS or UVCS (for InterCall servers that support UO, UOJ and UO.NET)
  - UDSERVER or UVSERVER (UCI servers supporting ODBC, OLE DB, and JDBC)
- Telnet and XAdmin connections are not currently supported
The credential wallet is a collection of credential mapping records stored as an O/S-level opaque file that is automatically encrypted and access-controlled.
Access to this wallet is only allowed via the Credential Wallet Manager as described in the Credential Manager (credman) utility and through (reserved) internal calls by UniData Servers.
The credman utility performs additions, deletions, and other necessary management tasks.
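To make the mechanism described above concrete, here is an added model of a token-based connection check: a wallet of mapping records, each tying a username and token ID to an O/S user ID and to the services allowed to use it, consulted when a client presents username@TOKEN-ID. This is illustrative code written for this post, not Rocket's credential manager or the credman utility: the in-memory wallet, the hashed-token storage and the field names are assumptions, and the real wallet is an encrypted, access-controlled file that is only managed through credman. The service names UDCS, UVCS, UDSERVER and UVSERVER are the ones listed above; Telnet and XAdmin are deliberately not accepted.

```python
"""Model of a token-based connection check with a credential mapping wallet.

Added illustration only: the wallet layout, the decision to store a hash of
the token ID rather than the token, and the API are assumptions made for this
example, not Rocket's credential manager.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Interfaces that may use a mapping record (from the post). Telnet and XAdmin
# are not supported for token connections, so they are absent from this set.
SUPPORTED_SERVICES: FrozenSet[str] = frozenset({"UDCS", "UVCS", "UDSERVER", "UVSERVER"})


def _hash_token(token_id: str) -> bytes:
    # Assumption for the example: keep only a digest of the token so the wallet
    # contents never reveal a usable token even if they are read.
    return hashlib.sha256(token_id.encode("utf-8")).digest()


@dataclass(frozen=True)
class MappingRecord:
    """One credential mapping record: (username, token) -> O/S user + allowed services."""
    username: str
    os_user: str
    token_hash: bytes
    allowed_services: FrozenSet[str]


class CredentialWallet:
    """In-memory stand-in for the encrypted, access-controlled wallet file."""

    def __init__(self) -> None:
        self._records: Dict[str, MappingRecord] = {}

    def add(self, username: str, os_user: str, token_id: str,
            services: Iterable[str]) -> None:
        """Add a mapping record; services outside the supported set are rejected."""
        allowed = frozenset(services)
        unsupported = allowed - SUPPORTED_SERVICES
        if unsupported:
            raise ValueError(f"not valid for token auth: {sorted(unsupported)}")
        self._records[username] = MappingRecord(username, os_user, _hash_token(token_id), allowed)

    def resolve(self, login: str, service: str) -> Optional[str]:
        """Return the O/S user for 'username@TOKEN-ID' on `service`, or None to refuse."""
        if login.count("@") != 1:
            return None  # no token present, or a malformed login string
        username, token_id = login.split("@", 1)
        presented = _hash_token(token_id)
        rec = self._records.get(username)
        if rec is None:
            # Still do a comparison so timing does not reveal which usernames exist.
            hmac.compare_digest(presented, _hash_token(""))
            return None
        if not hmac.compare_digest(presented, rec.token_hash):
            return None
        if service not in rec.allowed_services:
            return None  # valid credentials, but not for this interface
        return rec.os_user


if __name__ == "__main__":
    wallet = CredentialWallet()
    wallet.add("reporting", "udrpt", "TOKEN-EXAMPLE-1", {"UDSERVER"})
    print(wallet.resolve("reporting@TOKEN-EXAMPLE-1", "UDSERVER"))  # O/S user for the JDBC/ODBC path
    print(wallet.resolve("reporting@TOKEN-EXAMPLE-1", "UDCS"))      # refused: service not allowed
```

The point the model makes is that the token replaces the password but the decision is still two-part: the username and token must both be known to the wallet, and the mapping record itself says which server interfaces may rely on it, so a token issued for UCI (ODBC/JDBC) access cannot be reused for an InterCall connection.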
In the next segment, I’ll cover UniData 8.2.1 and Python.