PCI-DSS Compliance for an HP-UX Host

8.2 In addition to assigning a unique ID, employ one of the following methods to authenticate all users:
Something you know, such as a password or passphrase
Something you have, such as a token device or smart card
Something you are, such as a biometric
Requirements 8.1 and 8.2 deal with ensuring that every person accessing cardholder data is uniquely identified
and authenticated.
Unique user IDs can be assigned to users with the basic HP-UX command useradd or through HP-UX Directory
Server (HPDS).
A global directory service, HPDS provides an industry-standard, centralized directory service on which to build your
intranet or extranet. Your HP-UX servers and other directory-enabled applications use the directory server as a
common, network accessible location for storing shared data such as user and group identification, server
identification, and access control information. In addition, you can extend the HPDS to support your entire
enterprise with a global directory service that enables centralized management of all enterprise resource
information.
HPDS includes enterprise-class features such as multi-master replication, encryption, authentication and access
control, remote administration, and on-line backup.
The LDAP-UX client can be used as the client for the HP-UX Directory Server. LDAP-UX Integration enables the LDAP
directory to be used as a central service for HP-UX authentication and authorization and as a central repository for
service configuration, including integrated account and group management.
For more information about HP-UX DS and LDAP-UX, see Appendix A.
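A practitioner applying 8.1 and 8.2 wants to confirm that the accounts on a host really carry unique login names and unique UIDs, whichever tool created them. The following is an added example and not code from the HP whitepaper or from HP-UX: it parses passwd-format lines (name:passwd:uid:gid:gecos:home:shell, the layout of /etc/passwd) and reports UIDs shared by several names and names that occur more than once. The sample lines are constructed for the example.

```python
"""Added example (not from the HP whitepaper or HP-UX): audit passwd-format
account data for non-unique login names and UIDs, as required by PCI DSS
8.1/8.2. SAMPLE_PASSWD is constructed sample data, not a real host's file."""
from collections import defaultdict

# Constructed sample in the standard name:passwd:uid:gid:gecos:home:shell layout.
# Deliberately contains a second UID-0 account, two accounts sharing UID 102,
# and the login name "alice" defined twice.
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:*:101:20:Alice Ops:/home/alice:/usr/bin/sh
bob:*:102:20:Bob DBA:/home/bob:/usr/bin/sh
carol:*:102:20:Carol DBA:/home/carol:/usr/bin/sh
toor:*:0:3:second root:/:/sbin/sh
alice:*:105:20:duplicate name:/home/alice2:/usr/bin/sh
"""


def parse_passwd(text):
    """Yield (login_name, uid) for every well-formed passwd line.

    Blank lines and '#' comments are skipped; a line with the wrong number of
    fields or a non-numeric UID raises, because an audit must not silently
    drop records it cannot read."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        try:
            uid = int(fields[2])
        except ValueError:
            raise ValueError(f"line {lineno}: UID {fields[2]!r} is not numeric") from None
        yield fields[0], uid


def find_shared_ids(text):
    """Group accounts by UID and by login name and return the collisions.

    Returns {"shared_uid": [(uid, [names...]), ...],
             "duplicate_name": [(name, [uids...]), ...]}, each list sorted,
    so an empty list under both keys means every ID on the host is unique."""
    by_uid = defaultdict(list)
    by_name = defaultdict(list)
    for name, uid in parse_passwd(text):
        by_uid[uid].append(name)
        by_name[name].append(uid)
    return {
        "shared_uid": sorted((u, names) for u, names in by_uid.items() if len(names) > 1),
        "duplicate_name": sorted((n, uids) for n, uids in by_name.items() if len(uids) > 1),
    }


def audit_passwd_file(path="/etc/passwd"):
    """Run the same check against a real file on the host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_shared_ids(fh.read())


if __name__ == "__main__":
    findings = find_shared_ids(SAMPLE_PASSWD)
    for uid, names in findings["shared_uid"]:
        print(f"UID {uid} is shared by: {', '.join(names)}")
    for name, uids in findings["duplicate_name"]:
        print(f"login name {name!r} is defined with UIDs: {uids}")
```

On the constructed sample the check reports UID 0 shared by root and toor, UID 102 shared by bob and carol, and the name alice defined twice. A shared UID defeats the traceability that unique IDs are meant to give, since the audit trail records the UID of the acting process, not the name typed at login.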
8.3 Incorporate two-factor authentication for remote access (network-
level access originating from outside the network) to the network by
employees, administrators, and third parties. (For example, remote
authentication and dial-in service (RADIUS) with tokens; terminal access
controller access control system)
Two-factor authentication is a strong authentication mechanism in which a user provides two independent means of
identification drawn from the three factors: something known, something possessed, and something unique to the
person.
The HP-UX AAA server provides two-factor authentication through one-time passwords (OTP). An OTP can be used in
addition to a password to authenticate a user for access to a network, and OTP is generally used for two-factor
authentication. For example, in large organizations, VPN access often requires a user name, a password, and an
OTP for remote-user two-factor authentication. Added security is provided when an OTP is used for authentication,
because a user must enter a different OTP on each authentication to the validation server.
The HP-UX AAA Server utilizes the industry standard Remote Authentication Dial-In User Service (RADIUS) protocol
and Extensible Authentication Protocol (EAP) to provide standards-based user authentication, authorization, and
accounting services to network devices and software applications and can be utilized for securing wired and
wireless LAN access.
The HP-UX AAA Server supports the Open Authentication (OATH) standards-based, sequence-based OTP authentication.
The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
PEAP (EAP-GTC and EAP-MS-CHAPv2)
TTLS (PAP, MS-CHAPv2, and EAP-MS-CHAPv2)
For more information on configuring users for two-factor authentication, configuring OTP actions, and configuring
the EAP method, see the “OATH Standards-Based OTP Authentication” chapter in the HP-UX AAA Server
Administrator Guide.
For more information about HP-UX AAA Server, see Appendix A.
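The sequence-based OATH OTP that the AAA Server supports is the counter-based HOTP algorithm of RFC 4226, and the reason a different OTP is required on every authentication is that the validation server only ever moves the user's counter forward. The following is an added example, not the whitepaper's or HP-UX AAA Server's own code: a minimal validation server that combines the "something you know" factor (a salted password hash) with the "something you have" factor (a HOTP token secret and counter), accepts an OTP only within a small look-ahead window, and commits the counter only when both factors pass. The user record, password and look-ahead size are constructed; the token secret is the RFC 4226 test-vector secret so the values can be checked against the RFC.

```python
"""Added example (not from the HP whitepaper or the HP-UX AAA Server):
a minimal two-factor validation server using OATH sequence-based OTP,
i.e. HOTP as specified in RFC 4226. User records below are constructed."""
import hashlib
import hmac
import os
import struct

# Secret from the RFC 4226 test vectors, used here so results are checkable.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit value, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


class UserRecord:
    """Per-user state held by the validation server: a salted password hash
    (factor 1, something known) and the token secret plus the next counter
    the server expects (factor 2, something possessed)."""

    PBKDF2_ROUNDS = 100_000  # constructed choice for the example

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self.derive(password, self.salt)
        self.token_secret = token_secret
        self.next_counter = 0

    @classmethod
    def derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)


class TwoFactorValidator:
    # Tokens pressed without a login attempt advance the token's counter but
    # not the server's; a small window lets the two resynchronise.
    LOOK_AHEAD = 10  # constructed value

    def __init__(self):
        self.users = {}  # login name -> UserRecord

    def enroll(self, name: str, password: str, token_secret: bytes) -> None:
        self.users[name] = UserRecord(password, token_secret)

    @staticmethod
    def password_matches(rec: UserRecord, password: str) -> bool:
        return hmac.compare_digest(UserRecord.derive(password, rec.salt), rec.pw_hash)

    def match_otp(self, rec: UserRecord, otp: str):
        """Return the counter within the look-ahead window that produced
        `otp`, or None. Counters below next_counter are never tried, which is
        what makes a captured OTP useless once it has been accepted."""
        for c in range(rec.next_counter, rec.next_counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec.token_secret, c), otp):
                return c
        return None

    def authenticate(self, name: str, password: str, otp: str) -> bool:
        rec = self.users.get(name)
        if rec is None:
            return False
        # Evaluate both factors before deciding, and consume the OTP counter
        # only on a full success, so a wrong password does not burn an OTP.
        pw_ok = self.password_matches(rec, password)
        matched = self.match_otp(rec, otp)
        if not (pw_ok and matched is not None):
            return False
        rec.next_counter = matched + 1
        return True


if __name__ == "__main__":
    srv = TwoFactorValidator()
    srv.enroll("alice", "correct horse", RFC4226_TEST_SECRET)  # constructed user
    print("first login:", srv.authenticate("alice", "correct horse", hotp(RFC4226_TEST_SECRET, 0)))
    print("replayed OTP:", srv.authenticate("alice", "correct horse", hotp(RFC4226_TEST_SECRET, 0)))
```

With the RFC 4226 secret, counters 0, 1, 2 and 3 yield 755224, 287082, 359152 and 969429. The first login with 755224 succeeds, presenting 755224 again fails, and an OTP from a counter the server has already passed is refused even though the password is right; that is the property the text describes when it says each authentication needs a different OTP.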