PCI-DSS Compliance for an HP-UX Host
21
to make any changes. The EVS mode supports all disk file systems. Data in an EVS volume is encrypted with a symmetric volume key; EVFS supports AES in CBC mode and AES in CFB mode, each with 128-bit, 192-bit, or 256-bit keys. The volume key itself is not stored in the clear: it is wrapped (encrypted) with a public/private key pair, and 1024-bit, 1536-bit, and 2048-bit RSA keys are supported for this purpose. The private key is what authenticates administrative access to a volume and what unlocks the volume at startup, so the private keys (and their passphrases) must be backed up; without them the volume cannot be unlocked. Of the supported sizes, 256-bit AES and 2048-bit RSA are the appropriate choice for new volumes; 1024-bit RSA no longer meets current key-strength guidance. Once the volumes are created and enabled, users and applications continue to work normally and need do nothing out of the ordinary to access their data. An administrator creates a new EVS volume with the following procedure.
Configure an EVS volume
Create and mount a file system on the EVS volume
Verify the configuration
Migrate existing data to the EVS volume
Back up your configuration
Detailed instructions are available in the Administrator's guide referenced below. It is also possible to convert an existing volume into an EVS volume using the inline encryption feature; for details, see the Administrator's guide.
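To make the key-wrapping scheme described above concrete, here is an added example (written for this page in Go; it is not HP code and not EVFS's own format or API). It encrypts volume data with a freshly generated 256-bit AES key in CBC mode, wraps that key to an administrator's RSA-2048 public key, and shows that only the matching private key can unlock the volume, which is why the private keys must be backed up. The WrappedVolume layout, the OAEP label, and the sample data are assumptions of the example, not the real on-disk EVFS structure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// WrappedVolume models what an encrypted volume carries: the data ciphertext plus the
// volume key wrapped to a user's RSA public key. Illustrative layout (example assumption);
// the real EVFS on-disk format is not shown here.
type WrappedVolume struct {
	WrappedKey []byte // AES-256 volume key, RSA-OAEP encrypted to the admin's public key
	IV         []byte // CBC initialisation vector
	Ciphertext []byte // AES-256-CBC ciphertext of the PKCS#7-padded data
}

// pkcs7Pad pads b to a whole number of AES blocks, which CBC requires.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed input instead of trusting it.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptVolume generates a random AES-256 volume key, encrypts data with it in CBC
// mode, then wraps the key to the administrator's RSA public key (the "create" step).
func EncryptVolume(pub *rsa.PublicKey, data []byte) (*WrappedVolume, error) {
	volKey := make([]byte, 32) // 256-bit symmetric volume key
	if _, err := io.ReadFull(rand.Reader, volKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(volKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(data)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)

	// Wrap the volume key: only the matching RSA private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, volKey, []byte("evfs-volume-key"))
	if err != nil {
		return nil, err
	}
	return &WrappedVolume{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// UnlockVolume is the enable/startup step: unwrap the volume key with the private key,
// then decrypt. A wrong private key fails at the unwrap and never touches the data.
func UnlockVolume(priv *rsa.PrivateKey, v *WrappedVolume) ([]byte, error) {
	volKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.WrappedKey, []byte("evfs-volume-key"))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap volume key: %w", err)
	}
	block, err := aes.NewCipher(volKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(v.Ciphertext))
	cipher.NewCBCDecrypter(block, v.IV).CryptBlocks(pt, v.Ciphertext)
	return pkcs7Unpad(pt)
}

func main() {
	admin, _ := rsa.GenerateKey(rand.Reader, 2048) // administrator's key pair
	vol, _ := EncryptVolume(&admin.PublicKey, []byte("constructed sample record")) // constructed data
	pt, err := UnlockVolume(admin, vol)
	fmt.Printf("admin key: %q err=%v\n", pt, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a key pair the volume was never wrapped to
	_, err = UnlockVolume(other, vol)
	fmt.Println("other key rejected:", err != nil)
}
```

The point to take from the unwrap step is operational: the volume's confidentiality rests on the RSA private key, so the "Back up your configuration" step is not optional, and the wrapping key size should be chosen with the same care as the AES key size.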
The Encrypted File System mode of EVFS allows users to enable or disable encryption at the file or directory level. An administrator creates the Encrypted File System; users then log in to an EVFS secure session with their keys and set or clear the encryption attribute on their own files and directories. EVFS encrypts regular files only.
For more information about the HP-UX EVFS, see EVFS Support Manuals.
HP-UX IPSec
HP-UX IPSec provides an infrastructure to allow secure communications (authentication, integrity, confidentiality)
over IP-based networks between systems and devices that implement the IPsec protocol suite.
Some of the benefits of HP-UX IPSec are:
Adheres to all relevant IPSec standards, including IKEv1 (Internet Key Exchange version 1) and IKEv2 (Internet Key
Exchange version 2).
Host-based authentication:
o Pre-shared keys
o Digital certificates
Focused on end-system IPSec. HP-UX IPSec can communicate with other end-systems (transport mode) or VPN
gateways (tunnel mode).
Crypto performance is optimized for HP-UX Integrity processors.
Provides a logging feature and an audit trail for accountability and intrusion alerts.
IPsec policies can be configured so that traffic is protected per individual IP address or per subnet, with different transforms and encryption algorithms for each.
HP-UX IPSec uses a set of host IPsec policies that specify the behavior for IP packets sent or received by the local system as an end host. Each host IPsec policy includes address specifications, used to select the policy that applies to a packet, and the action to take for that packet. The action is one of: pass the packet in clear text, discard the packet, or apply an IPsec transform (AH or ESP) to the packet.
Policies are configured with the ipsec_config command, which can also read a batch file of configuration commands (ipsec_config batch).
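The policy-selection model in the paragraph above, as an added example in Go (written for this page; it is not HP-UX code and not ipsec_config syntax): a small policy database whose entries carry address specifications (a single host as a /32, a subnet by prefix) and one of the three actions the page lists, plus a Select function that returns the policy applied to a given source/destination pair. The priority ordering, the clear-text default, the fail-closed handling of unparseable addresses, and the sample policies are assumptions constructed for the example; consult the HP-UX IPSec manuals for the product's actual matching rules and default policy.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Action is what a host policy does with a matching packet: the three outcomes
// the page lists (pass in clear text, discard, apply an AH or ESP transform).
type Action string

const (
	Pass    Action = "PASS"    // forward in clear text
	Discard Action = "DISCARD" // drop the packet
	AH      Action = "AH"      // authentication header: integrity only
	ESP     Action = "ESP"     // encapsulating security payload: confidentiality and integrity
)

// HostPolicy is an address specification plus an action. A /32 selects a single
// host, a shorter prefix selects a subnet. Lower Priority wins (example assumption).
type HostPolicy struct {
	Name     string
	Priority int
	Src, Dst *net.IPNet
	Action   Action
}

// PolicyDB is the ordered policy set plus the action applied when nothing matches.
type PolicyDB struct {
	policies []HostPolicy
	Default  Action
}

// NewPolicyDB sorts the policies by priority once so Select is a linear scan.
func NewPolicyDB(def Action, ps ...HostPolicy) *PolicyDB {
	db := &PolicyDB{Default: def, policies: append([]HostPolicy(nil), ps...)}
	sort.SliceStable(db.policies, func(i, j int) bool {
		return db.policies[i].Priority < db.policies[j].Priority
	})
	return db
}

// mustCIDR accepts "10.1.0.0/16" or a bare address such as "10.1.1.5" (a single host).
func mustCIDR(s string) *net.IPNet {
	if ip := net.ParseIP(s); ip != nil {
		bits := 128
		if v4 := ip.To4(); v4 != nil {
			ip, bits = v4, 32
		}
		return &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}
	}
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Select returns the name and action of the highest-priority policy whose source
// and destination specifications both cover the packet. Unparseable addresses
// fail closed (DISCARD) rather than falling through to the default.
func (db *PolicyDB) Select(src, dst string) (string, Action) {
	s, d := net.ParseIP(src), net.ParseIP(dst)
	if s == nil || d == nil {
		return "invalid", Discard
	}
	for _, p := range db.policies {
		if p.Src.Contains(s) && p.Dst.Contains(d) {
			return p.Name, p.Action
		}
	}
	return "default", db.Default
}

// SamplePolicies is a constructed policy set for this example: one host pair,
// one cardholder-data subnet, one deny rule, and a clear-text default.
func SamplePolicies() *PolicyDB {
	return NewPolicyDB(Pass,
		HostPolicy{"db-link", 10, mustCIDR("10.1.1.5"), mustCIDR("10.1.2.7"), ESP},
		HostPolicy{"cde-subnet", 20, mustCIDR("10.1.0.0/16"), mustCIDR("10.1.0.0/16"), ESP},
		HostPolicy{"corp-deny", 30, mustCIDR("0.0.0.0/0"), mustCIDR("192.168.0.0/16"), Discard},
	)
}

func main() {
	db := SamplePolicies()
	for _, pkt := range [][2]string{
		{"10.1.1.5", "10.1.2.7"},    // host pair outranks the subnet rule: db-link ESP
		{"10.1.1.9", "10.1.2.7"},    // inside the CDE subnet: cde-subnet ESP
		{"10.1.1.9", "192.168.5.1"}, // to the corporate range: corp-deny DISCARD
		{"10.1.1.9", "8.8.8.8"},     // no policy matches: default PASS
	} {
		name, act := db.Select(pkt[0], pkt[1])
		fmt.Printf("%s -> %s : %s (%s)\n", pkt[0], pkt[1], act, name)
	}
}
```

The last case is the one to check on a real host: whatever policy does not match falls through to the default, so a PASS default means unmatched cardholder traffic leaves in clear text. Verify the default action and the address ranges with the same care as the ESP transforms themselves.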
For more information about HP-UX IPSec, see HP-UX IPSec Support Manuals.
HP-UX Software Assistant
For more information about HP-UX SWA, see HP-UX SWA Support Manuals.
HP-UX RBAC
HP-UX RBAC allows creation of roles, authorizations, and user-role mapping. An access request is granted or denied
based on a set of configuration files that define user-to-role and role-to-authorization mappings.