Function Detail (Realization of Secure Data Transfer)
For secure usage, HCP tools provides functions that ensure confidentiality and integrity of transferred data and authenticate it to identify correct peers of communication.
- Use PKI (Public Key Infrastructure) technologies and authenticate peers of communication by them.
- The international standard of AES (Advanced Encryption Standard) protects transferred data to prevent confidential information from being disclosed.
- Privilege separation and access control list function realizes an appropriate access control.
- Payload validation detects data errors over networks.
- Transfer resuming makes efficient transfer even if unexpected transfer aborting happens.
Authentication#
HCP tools supports the following standard authentication functions.
- PAM (Pluggable Authentication Modules) authentication
- Public key authentication
- Windows Logon Authentication
And it provides the following configurations about its authentcation functions.
| Type | Confdiguration Item | Description |
|---|---|---|
| PAM (Pluggable Authenticaton Module) (Linux) | PAMAuthentication | PAM configuration |
| RSA (Rivest-Shamir-Adleman cryptosystem) | PubkeyAuthentication | RSA configuration |
| LPA (Local Password Authentication) | LocalPasswordAuthentication | LPA configuration |
| WLU (Windows Logon User) | WinLogonUserAuthentication | WLU configuration |
PAM authentication of HCP tools also supports LDAP (Lightweight Directory Access Protocol) authentication if the deployment environment can provide it for logind, sshd or other services. In that case, the HCP tools performs the LDAP authentication using the configuration file of /etc/pam.d/hcpd.
On Windows servers, HCP tools can provide Windows Logon function for clients including the domain authentication by Active Directory (just inserting a domain name before a user name).
Related Options
| Command | Short Name | Option Name | Description |
|---|---|---|---|
| hcp/hsync/hrm/hcp-ls/hmkdir/hpwd/hmv/hln/hchmod/hchown | user | Specify username in advance | |
| password | Specify password in advance |
Related Configurations
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | LocalPasswordAuthentication | LPA (Local Password Authentication) authentication |
| PAMAuthentication | PAM (Pluggable Authenticaton Module) authentication | |
| PubkeyAuthentication | RSA (Rivest-Shamir-Adleman cryptosystem) authentication | |
| WinLogonUserAuthentication | Windows authentication | |
| PerformSystemAuthenticationRegardlessUsers | Control applying system authentication (PAM auth, Windows logon) | |
| AuthorizedKeysSearchDir | Specify directory for searching public keys (RSA auth) | |
| AuthorizedKeysFile | Specify file for finding a public key (RSA auth) | |
| AuthorizedKeysCommand | Specify command for finding a public key (RSA auth) | |
| AuthorizedKeysCommandUser | Specify user to run the command (RSA auth) | |
| CACertificateFile | Specify file of CA (Certificate Authorities) certificates | |
| CACertificatePath | Specify directory including CA (Certificate Authorities) certificates (Reserved) | |
| CARevocationFile | Specify file of CRL (Certificate Revocation List) | |
| CARevocationPath | Specify directory including CRLs (Reserved) | |
| OCSPRevocationEnabled | Control performing OCSP (Online Certificate Status Protocol) on client authentication | |
| LocalUserFile | Specify file configuring users hcpd recognizes | |
| LocalPasswordFile | Specify file holding credentials of LPA (Local Password Authentication) | |
| AllowUsers | Specify user name pattern to allow login | |
| AllowGroups | Specify group name pattern to allow login | |
| DenyUsers | Specify user name pattern to deny login | |
| DenyGroups | Specify group name pattern to deny login | |
| Client Configuration | LocalPasswordAuthentication | LPA (Local Password Authentication) authentication |
| PAMAuthentication | PAM (Pluggable Authenticaton Module) authentication | |
| PubkeyAuthentication | RSA (Rivest-Shamir-Adleman cryptosystem) authentication | |
| WinLogonUserAuthentication | Windows authentication | |
| PrivateKeySearchDir | Specify directory for searching private keys (RSA auth) | |
| PrivateKeyFile | Specify file for finding a private key (RSA auth) | |
| PubkeyAuthenticationPrior | Configure priority of RSA authentication |
Utilization of PKI (Public Key Infrastructure)#
HCP tools use PKI function to make secure communication with correct peers.
The tools support the following algorithms and file formats of private keys, public keys and certificates for the secure communicaiton.
The algorithms for the keys are,
- RSA
And the file formats for the keys and certificates are,
- PKCS1
- PKCS8
- X.509 Certificate
- OpenSSH ver.x
- PuTTY ver.2
Encryption#
It is important to encrypt transferred data when you make transfer of files over networks.
Encryption is to encode data to another form which any third person cannot read. It reduces risks that data is disclosed by their wiretaping.
HCP tools provides communication security like SSH/TLS. You don't have to make any configuration for that security as usual. However, you can change that configuration on servers and clients to change an encryption algorithm that will be used between them.
Communication Message Encryption
This is a function to encrypt messages transferred between a client and a server.
In HCP tools, you can make configuration of encryption algorithms for encrypting transferred messages and digest algorithms for validating that messages and file payloads. Negotiation of configurations on a client and a server determines a set of algorithms that will be used on actual communication.
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | AcceptableCryptMethod | Encryption method for message communication |
| AcceptableDigestMethod | Digest method for validation of message and file data | |
| RequireDataIntegrityChecking | Setting requirement of MAC (Message Authentication Code) | |
| Client Common Configuration | AcceptableCryptMethod | Encryption method for message communication |
| AcceptableDigestMethod | Digest method for validation of message and file data | |
| DisableDataIntegrityChecking | Disable MAC or not | |
| AcceptDataIntegrityCheckingOnRejection | Acceptance of rejection for disabling MAC |
Communication Security Negotiation
This is a function to negotiate a security of communication method between a client and a server.
HCP tools provides the secure communication between clients and servers based on PKI technology under a security function by server certificates.
A private key for each server certificate will be loaded from the following path in default.
/etc/hcp/key/server.key (Linux.x86)
C:/ProgramData/Clealink/HCP Tools/key/server.key (Windows)
When a public key exits and the file name adds ".pub" to the name of the private key, the server use the keys as a pair for the secure communication. When the public key dose not exist, the server will use a server certificate specified at the configuration of ServerCertificateFile.
In HCP tools, clients will perform validation of the server certificate about the Common Name, the NotBefore/NotAfter, the certificate chain to the root CA (Certificate Authority) and the CRL (Certificate Revocation List).
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | UseServerCertificateSecurity | Enable server certificate security or not |
| RequireServerCertificateSecurity | Set requirement of the security to clients | |
| ServerKeyFile | Server key path for the server certificate security | |
| ServerCertificateFile | Server certificate path for the server certificate security | |
| ServerCertificateChainFile | Path of intermediate certificates for the server certificate (one or more) | |
| Client Common Configuration | RequireServerCertificateSecurity | Set requirement of the server certificate security to servers |
| RejectFallbackServerCertificateSecurity | Disable fallback into communication without the security or not | |
| IgnoreCertificateCNInvalid | Ignore the common name of the server certificate in its validation | |
| IgnoreCertificateDateInvalid | Ignore fields of NotBefore and NotAfter of the certificate in its validation | |
| IgnoreUnknownCA | Ignore validation of CA certificate and intermediates of the certificate | |
| IgnoreRevocation | Ignore validation of CRL for the certificate | |
| CACertificateFile | File path where CA certificates and intermediates are saved | |
| CACertificatePath | Directory path where files including CA certificates and intermediates are saved (Reserved) | |
| CARevocationFile | File path where CRL are saved | |
| CARevocationPath | Directory path where files including CRL are saved (Reserved) | |
| OCSPRevocationEnabled | Enable OCSP (Online Certificate Status Protocol) or not | |
| StrictHostKeyChecking | Server host key's acceptance policy configuration |
Access Control#
HCP tools provides the following functions to give appropriate access rights authenticated users.
- Privilege Separation
- ACL (Access Control List)
- Admission Control
- Document Points
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | UserDirectoryFallbackAvailable | Fallback control from user home (for backward compatibility) |
| RejectOnUserHomeDirectoryNotFound | Access rejection when a directory of user home is not found |
Privilege Separation
This is a function to separate access rights of users from the privilege of root to make safe usage on the users subject its rights.
HCP tools configures privilege separation on a server for its client sessions. Under the privilege separation working, processing in each client session on the server works on a process separated from another process of the server waiting for clients and having the root privilege as usual. On the client process separated from the waiting one, some access rights subject to UID/GID and supplemental groups determined from authentication results will be applied to each processing. If you change that configuration each user, please modify /etc/hcp/users. Applicable supplemental groups are up to 1000. When that groups are over that limitation, they will be ignored (only UID and GUI applied).
If you disable the privilege separation, the client sessions works under the access rights of Linux daemon and Windows service running. And on Windows service, the privilege separation will be not applied when authentication is performed rather than Windows logon, e.g. LPA authentication and RSA authentication.
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | UsePrivilegeSeparation | Set privilege separation |
| PrivilegeSeparationMinimumUID | Minimum UID applicable for privilege separated sessions | |
| PrivilegeSeparationMinimumGID | Minimum GID applicable for privilege separated sessions | |
| PrivilegeSeparationUser | Default user on privilege separation (applied when any user is not determined) | |
| PrivilegeSeparationUmask | Umask on privilege separation for authenticated users | |
| PrivilegeSeparationUmaskAnonymous | Umask on privilege separation for anonymous | |
| ApplyUserPermission | Apply user's access rights to file permissions on destination (not on privilege separation) | |
| NoSupplementalGroupInPrivilegeSeparation | Disable supplemental groups |
ACL (Access Control List)
This is a function to control accesses from clients based on network features subject to access control lists.
On HCP tools, the function also provides specification of congestion control of HpFP for the accept rules.
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | AccessList | Define ACL (Access Control List) |
| Allow | Define Allow rules on ACL | |
| Deny | Define Deny rules on ACL |
Admission Control
This is a function to limit number of connections working at the same time to control and save server resources, e.g. bandwidth, memory and CPU, for communication.
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | MaxTotalConnection | Limit of connections (total) |
| MaxTcpConnection | Limit of TCP connections | |
| MaxUdpConnection | Limit of UDP (HpFP) connections | |
| MaxConnectionPerUser | Limit of connections each user | |
| MaxConnectionPerSec | Limit of connections to accept each second |
Document Points
This is a function to configure areas on the server file system to which clients are available to access. This function is defined by HCP tools and is configured on its servers. The function provides controls of reading, writing, overwriting and deleting around files and directories to allow or deny that operations.
Related Configuration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | DocPoint | Define a document point |
| DocPath | Specify a path on file system on the document point | |
| PermitAccessRead | Set reading access configuration | |
| PermitAccessWrite | Set writing access configuration | |
| PermitAccessOverwrite | Set overwriting access configuration | |
| PermitAccessDelete | Set deleting access configuration | |
| PermitAccessRandomRead | Set reading in random access configuration (Reserved) | |
| PermitAccessRandomWrite | Set writing in random access configuration (Reserved) |
Data Integrity Validation#
This is a function to detect unexpected problem over networks during file transfer. The function perform message validation by MAC (Message Authentication Code) and detect data errors over networks or unexpected changes of data across them.
Please use it on being enabled (performing message validation) as usual.
Related Configration
| Category | Configuration Name | Description |
|---|---|---|
| Server Configuration | RequireDataIntegrityChecking | Set requirement of data integrity checking by MAC |
| Client Common Configuration | DisableDataIntegrityChecking | Disable the data integrity checking |
| AcceptDataIntegrityCheckingOnRejection | Set acceptance of rejection to disabling it |
Transfer Resuming#
This is a function to make efficient works when unexpected abortion happens on file transfer due to network problems. You can restart the transfer from the position where the previous transfer stopped if it will be aborted due to some reasons.
The hcp command of HCP tools provides an option of --resume (-r in short) to restart by the user operation.
In the --resume option, you should specify a file to which the hcp command records its running results (saved as .hcp.out as usual) to restart it.
Related Option
| Command | Short Name | Option Name | Description |
|---|---|---|---|
| hcp | r | resume | Resume the previous transfer |