Function Detail (Realization of Secure Data Transfer)
For secure use, HCP tools provides functions that ensure the confidentiality and integrity of transferred data and authenticate the communicating peers.
- PKI (Public Key Infrastructure) technologies authenticate the peers of a communication.
- AES (Advanced Encryption Standard), an international standard, protects transferred data so that confidential information is not disclosed.
- Privilege separation and the access control list function provide appropriate access control.
- Payload validation detects data errors over networks.
- Transfer resuming keeps transfers efficient even when a transfer aborts unexpectedly.
# Authentication
HCP tools supports the following standard authentication functions.
- PAM (Pluggable Authentication Modules) authentication
- Public key authentication
- Windows Logon Authentication
It also provides the following configuration items for its authentication functions.
Type | Configuration Item | Description |
---|---|---|
PAM (Pluggable Authentication Modules) (Linux) | PAMAuthentication | PAM configuration |
RSA (Rivest-Shamir-Adleman cryptosystem) | PubkeyAuthentication | RSA configuration |
LPA (Local Password Authentication) | LocalPasswordAuthentication | LPA configuration |
WLU (Windows Logon User) | WinLogonUserAuthentication | WLU configuration |
PAM authentication in HCP tools also supports LDAP (Lightweight Directory Access Protocol) authentication if the deployment environment provides it for logind, sshd or other services. In that case, HCP tools performs the LDAP authentication using the configuration file /etc/pam.d/hcpd.
On Windows servers, HCP tools can provide the Windows logon function to clients, including domain authentication by Active Directory (by inserting a domain name before the user name).
Related Options
Command | Short Name | Option Name | Description |
---|---|---|---|
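hcp/hsync/hrm/hcp-ls/hmkdir/hpwd/hmv/hln/hchmod/hchown | | wss-no-check-certificate | Ignoring server certificate validation on WebSocket SSL/TLS |
hcp/hsync/hrm/hcp-ls/hmkdir/hpwd/hmv/hln/hchmod/hchown | | user | Specify username in advance |
hcp/hsync/hrm/hcp-ls/hmkdir/hpwd/hmv/hln/hchmod/hchown | | password | Specify password in advance |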
Related Configurations
Category | Configuration Name | Description |
---|---|---|
Server Configuration | LocalPasswordAuthentication | LPA (Local Password Authentication) authentication |
Server Configuration | PAMAuthentication | PAM (Pluggable Authentication Modules) authentication |
Server Configuration | PubkeyAuthentication | RSA (Rivest-Shamir-Adleman cryptosystem) authentication |
Server Configuration | WinLogonUserAuthentication | Windows authentication |
Server Configuration | PerformSystemAuthenticationRegardlessUsers | Control applying system authentication (PAM auth, Windows logon) |
Server Configuration | AuthorizedKeysSearchDir | Specify directory for searching public keys (RSA auth) |
Server Configuration | AuthorizedKeysFile | Specify file for finding a public key (RSA auth) |
Server Configuration | AuthorizedKeysCommand | Specify command for finding a public key (RSA auth) |
Server Configuration | AuthorizedKeysCommandUser | Specify user to run the command (RSA auth) |
Server Configuration | CACertificateFile | Specify file of CA (Certificate Authorities) certificates |
Server Configuration | CACertificatePath | Specify directory including CA (Certificate Authorities) certificates (Reserved) |
Server Configuration | CARevocationFile | Specify file of CRL (Certificate Revocation List) |
Server Configuration | CARevocationPath | Specify directory including CRLs (Reserved) |
Server Configuration | OCSPRevocationEnabled | Control performing OCSP (Online Certificate Status Protocol) on client authentication |
Server Configuration | LocalUserFile | Specify file configuring users hcpd recognizes |
Server Configuration | LocalPasswordFile | Specify file holding credentials of LPA (Local Password Authentication) |
Server Configuration | AllowUsers | Specify user name pattern to allow login |
Server Configuration | AllowGroups | Specify group name pattern to allow login |
Server Configuration | DenyUsers | Specify user name pattern to deny login |
Server Configuration | DenyGroups | Specify group name pattern to deny login |
Client Configuration | LocalPasswordAuthentication | LPA (Local Password Authentication) authentication |
Client Configuration | PAMAuthentication | PAM (Pluggable Authentication Modules) authentication |
Client Configuration | PubkeyAuthentication | RSA (Rivest-Shamir-Adleman cryptosystem) authentication |
Client Configuration | WinLogonUserAuthentication | Windows authentication |
Client Configuration | PrivateKeySearchDir | Specify directory for searching private keys (RSA auth) |
Client Configuration | PrivateKeyFile | Specify file for finding a private key (RSA auth) |
Client Configuration | PubkeyAuthenticationPrior | Configure priority of RSA authentication |
# Utilization of PKI (Public Key Infrastructure)
HCP tools uses PKI functions to communicate securely with the correct peers.
The tools support the following algorithms and file formats for the private keys, public keys and certificates used in secure communication.
The algorithms for the keys are:
- RSA
The file formats for the keys and certificates are:
- PKCS1
- PKCS8
- X.509 Certificate
- OpenSSH ver.x
- PuTTY ver.2 and ver.3
# Encryption
It is important to encrypt transferred data when you transfer files over networks.
Encryption encodes data into another form that a third party cannot read. It reduces the risk of data being disclosed through wiretapping.
HCP tools provides communication security similar to SSH/TLS. Normally you do not have to configure this security. However, you can change the configuration on servers and clients to change the encryption algorithm used between them.
Communication Message Encryption
This function encrypts messages transferred between a client and a server.
In HCP tools, you can configure the encryption algorithms used to encrypt transferred messages and the digest algorithms used to validate those messages and file payloads. Negotiation between the configurations of the client and the server determines the set of algorithms used in the actual communication.
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | AcceptableCryptMethod | Encryption method for message communication |
Server Configuration | AcceptableDigestMethod | Digest method for validation of message and file data |
Server Configuration | RequireDataIntegrityChecking | Setting requirement of MAC (Message Authentication Code) |
Client Common Configuration | AcceptableCryptMethod | Encryption method for message communication |
Client Common Configuration | AcceptableDigestMethod | Digest method for validation of message and file data |
Client Common Configuration | DisableDataIntegrityChecking | Disable MAC or not |
Client Common Configuration | AcceptDataIntegrityCheckingOnRejection | Acceptance of rejection for disabling MAC |
Communication Security Negotiation
This function negotiates the security of the communication method between a client and a server.
HCP tools provides secure communication between clients and servers based on PKI technology, using a security function built on server certificates.
By default, the private key for each server certificate is loaded from the following path.
/etc/hcp/key/server.key (Linux.x86)
C:/ProgramData/Clealink/HCP Tools/key/server.key (Windows)
When a public key exists whose file name is the name of the private key with ".pub" appended, the server uses the two keys as a pair for secure communication. When the public key does not exist, the server uses the server certificate specified by the ServerCertificateFile configuration.
In HCP tools, clients validate the server certificate's Common Name, its NotBefore/NotAfter fields, its certificate chain to the root CA (Certificate Authority) and the CRL (Certificate Revocation List).
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | UseServerCertificateSecurity | Enable server certificate security or not |
Server Configuration | RequireServerCertificateSecurity | Set requirement of the security to clients |
Server Configuration | ServerKeyFile | Server key path for the server certificate security |
Server Configuration | ServerCertificateFile | Server certificate path for the server certificate security |
Server Configuration | ServerCertificateChainFile | Path of intermediate certificates for the server certificate (one or more) |
Client Common Configuration | RequireServerCertificateSecurity | Set requirement of the server certificate security to servers |
Client Common Configuration | RejectFallbackServerCertificateSecurity | Disable fallback into communication without the security or not |
Client Common Configuration | IgnoreCertificateCNInvalid | Ignore the common name of the server certificate in its validation |
Client Common Configuration | IgnoreCertificateDateInvalid | Ignore fields of NotBefore and NotAfter of the certificate in its validation |
Client Common Configuration | IgnoreUnknownCA | Ignore validation of CA certificate and intermediates of the certificate |
Client Common Configuration | IgnoreRevocation | Ignore validation of CRL for the certificate |
Client Common Configuration | WSSIgnoreCertificateCNInvalid | Same as IgnoreCertificateCNInvalid on Web Socket SSL/TLS |
Client Common Configuration | WSSIgnoreCertificateDateInvalid | Same as IgnoreCertificateDateInvalid on Web Socket SSL/TLS |
Client Common Configuration | WSSIgnoreUnknownCA | Same as IgnoreUnknownCA on Web Socket SSL/TLS |
Client Common Configuration | WSSIgnoreRevocation | Same as IgnoreRevocation on Web Socket SSL/TLS (Reserved) |
Client Common Configuration | CACertificateFile | File path where CA certificates and intermediates are saved |
Client Common Configuration | CACertificatePath | Directory path where files including CA certificates and intermediates are saved (Reserved) |
Client Common Configuration | CARevocationFile | File path where CRL are saved |
Client Common Configuration | CARevocationPath | Directory path where files including CRL are saved (Reserved) |
Client Common Configuration | WSSCACertificateFile | Same as CACertificateFile on Web Socket SSL/TLS |
Client Common Configuration | OCSPRevocationEnabled | Enable OCSP (Online Certificate Status Protocol) or not |
Client Common Configuration | StrictHostKeyChecking | Server host key's acceptance policy configuration |
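The client options above that begin with Ignore or WSSIgnore each switch off one of the server certificate checks listed earlier. The following audit script is an added example, not part of HCP tools or its documentation; it flags such settings in a client configuration. It assumes an sshd_config-style file of `Name value` lines with `#` comments and `yes` as the enabling value, which this page does not specify, and the sample configuration is constructed.

```python
# Assumption (not stated on the page): sshd_config-style "Name value" lines,
# '#' starts a comment, and the value "yes" enables an option.

# Option name -> validation step (as listed on the page) that it switches off.
WEAKENING_OPTIONS = {
    "IgnoreCertificateCNInvalid": "Common Name check",
    "IgnoreCertificateDateInvalid": "NotBefore/NotAfter check",
    "IgnoreUnknownCA": "certificate chain check",
    "IgnoreRevocation": "CRL check",
    "WSSIgnoreCertificateCNInvalid": "Common Name check (WebSocket SSL/TLS)",
    "WSSIgnoreCertificateDateInvalid": "NotBefore/NotAfter check (WebSocket SSL/TLS)",
    "WSSIgnoreUnknownCA": "certificate chain check (WebSocket SSL/TLS)",
    "WSSIgnoreRevocation": "CRL check (WebSocket SSL/TLS)",
}


def audit_client_config(text):
    """Return (line_number, option, skipped_check) for each enabling line.

    Every enabling line is reported, because the page does not say which
    entry wins when an option appears more than once.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comment and padding
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank line or option without a value
        name, value = parts[0], parts[1].strip().lower()
        if name in WEAKENING_OPTIONS and value == "yes":
            findings.append((lineno, name, WEAKENING_OPTIONS[name]))
    return findings


# Constructed sample, not a real deployment's configuration.
SAMPLE_CONFIG = """\
# client settings
RequireServerCertificateSecurity yes
IgnoreCertificateCNInvalid no
IgnoreUnknownCA yes        # left over from testing
CACertificateFile /path/to/ca-bundle.pem
WSSIgnoreCertificateDateInvalid Yes
"""

if __name__ == "__main__":
    for lineno, name, check in audit_client_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} disables the {check}")
```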
# Access Control
HCP tools provides the following functions to give appropriate access rights to authenticated users.
- Privilege Separation
- ACL (Access Control List)
- Admission Control
- Document Points
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | UserDirectoryFallbackAvailable | Fallback control from user home (for backward compatibility) |
Server Configuration | RejectOnUserHomeDirectoryNotFound | Access rejection when a directory of user home is not found |
Privilege Separation
This function separates the access rights of users from root privilege so that each user operates safely within their own rights.
HCP tools configures privilege separation on a server for its client sessions. With privilege separation in effect, the processing of each client session runs in a process separate from the server process that waits for clients, which normally holds root privilege. In the separated client process, access rights based on the UID/GID and supplemental groups determined from the authentication result are applied to each operation. To change this configuration for each user, modify /etc/hcp/users. Up to 1000 supplemental groups can be applied. When the groups exceed that limit, they are ignored (only the UID and GID are applied).
If you disable privilege separation, client sessions run with the access rights of the running Linux daemon or Windows service. On a Windows service, privilege separation is also not applied when authentication is performed by a method other than Windows logon, e.g. LPA authentication or RSA authentication.
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | UsePrivilegeSeparation | Set privilege separation |
Server Configuration | PrivilegeSeparationMinimumUID | Minimum UID applicable for privilege separated sessions |
Server Configuration | PrivilegeSeparationMinimumGID | Minimum GID applicable for privilege separated sessions |
Server Configuration | PrivilegeSeparationUser | Default user on privilege separation (applied when any user is not determined) |
Server Configuration | PrivilegeSeparationUmask | Umask on privilege separation for authenticated users |
Server Configuration | PrivilegeSeparationUmaskAnonymous | Umask on privilege separation for anonymous |
Server Configuration | ApplyUserPermission | Apply user's access rights to file permissions on destination (not on privilege separation) |
Server Configuration | NoSupplementalGroupInPrivilegeSeparation | Disable supplemental groups |
ACL (Access Control List)
This function controls access from clients based on network features, according to access control lists.
In HCP tools, the function also lets the accept rules specify the congestion control of HpFP.
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | AccessList | Define ACL (Access Control List) |
Server Configuration | Allow | Define Allow rules on ACL |
Server Configuration | Deny | Define Deny rules on ACL |
Admission Control
This function limits the number of connections working at the same time, to control and conserve the server resources used for communication, e.g. bandwidth, memory and CPU.
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | MaxTotalConnection | Limit of connections (total) |
Server Configuration | MaxTcpConnection | Limit of TCP connections |
Server Configuration | MaxUdpConnection | Limit of UDP (HpFP) connections |
Server Configuration | MaxWsConnection | Limit of Web Socket connections |
Server Configuration | MaxConnectionPerUser | Limit of connections each user |
Server Configuration | MaxConnectionPerSec | Limit of connections to accept each second |
Document Points
This function configures the areas of the server file system that clients are allowed to access. It is defined by HCP tools and is configured on its servers. The function controls reading, writing, overwriting and deleting of files and directories, allowing or denying each of those operations.
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | DocPoint | Define a document point |
Server Configuration | DocPath | Specify a path on file system on the document point |
Server Configuration | PermitAccessRead | Set reading access configuration |
Server Configuration | PermitAccessWrite | Set writing access configuration |
Server Configuration | PermitAccessOverwrite | Set overwriting access configuration |
Server Configuration | PermitAccessDelete | Set deleting access configuration |
Server Configuration | PermitAccessRandomRead | Set reading in random access configuration (Reserved) |
Server Configuration | PermitAccessRandomWrite | Set writing in random access configuration (Reserved) |
# Data Integrity Validation
This function detects unexpected problems over networks during file transfer. It validates messages with a MAC (Message Authentication Code) and detects data errors over networks or unexpected changes to the data in transit.
Please keep it enabled (performing message validation) in normal use.
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Server Configuration | RequireDataIntegrityChecking | Set requirement of data integrity checking by MAC |
Client Common Configuration | DisableDataIntegrityChecking | Disable the data integrity checking |
Client Common Configuration | AcceptDataIntegrityCheckingOnRejection | Set acceptance of rejection to disabling it |
# Transfer Resuming
This function keeps work efficient when a file transfer aborts unexpectedly due to network problems. If a transfer is aborted for some reason, you can restart it from the position where the previous transfer stopped.
The hcp command of HCP tools provides the --resume option (-r for short) to restart by user operation and the --auto-resume option to restart automatically.
With the --resume option, specify the file in which the hcp command recorded its running results (normally saved as .hcp.out) to restart the transfer.
With the --auto-resume option, the command restarts the transfer when it was aborted due to a network error. When you abort the transfer by a user operation such as Ctrl+C, no restart is initiated and the transfer simply stops. When you use a private key for authentication, it is recommended to use private keys without encryption. A passphrase required to decrypt the key is cached in the memory of the process performing the transfer, to avoid interactive operations for re-authentication after new connections are created.
You can also change the number of trials and the interval between trials for the --auto-resume option in the client configuration.
Related Option
Command | Short Name | Option Name | Description |
---|---|---|---|
hcp | r | resume | Resume the previous transfer |
hcp | | auto-resume | Run resuming automatically (when aborted due to network problems) |
Related Configuration
Category | Configuration Name | Description |
---|---|---|
Client Configuration (hcp) | AutoResumeTrials | Number of auto resuming trials |
Client Configuration (hcp) | AutoResumeTrialInterval | Interval time between trials (in seconds) |