
4.9. ASISUT Processor

A Unisys-supplied administrative utility processor named ASISUT provides a command-line interface to some of the administrative functions previously described. The processor object module is installed by SOLAR in SYS$LIB$*ASIS-UTIL.ASISUT and can be called by entering @ASISUT. It allows batch or demand access to a subset of the ASIS administration functions without sites having to provide their own utility.

Normally, ASISUT users are expected to have the SERVER$CTRL call interface capability and SSAUTHNTICAT privileges. This enables ASISUT to determine the Exec's current view of ASIS before proceeding with command processing. The N option requests ASISUT command processing without issuing SERVER$CTRL, so the caller does not need the SERVER$CTRL call privilege. Processing of the STATUS ASISUT command without the SERVER$CTRL capability produces a slightly different report (see 4.9.3).

The ASISUT commands SHUTDOWN and PURGE cannot be used without SERVER$CTRL capability (see msg-id 01113 in Table 4–5). The N option should not be used if the caller intends to issue those commands. If the user does not have SERVER$CTRL capability when it is required, ASISUT aborts with a "Security Err Abort." With the N option, SSAUTHNTICAT is required only if the particular administrative function requires it, for example BRKPT or DUMP. If a user does not have SSAUTHNTICAT privileges when they are required, an error message is displayed (see msg-id 01112 in Table 4–5) and the ASISUT program aborts.

The Test Modes function cannot be used unless the user has SSAUTHNTICAT privileges. For more information about this function, see the API portion of Section 6.

The administration functions that ASISUT does not provide are those related to reading or writing the ADA. See the API portion of Section 6 for information on how ASISUT uses the following administrative API functions:

• Dump ASIS

• Shutdown ASIS

• Warning Screen Update

• Get Status and Statistics

• Authentication Type Information

• Breakpoint Print

• Test Modes

ASISUT supports a simple command-line interface and does not provide a full-screen interface to demand users. The ASISUT processor call syntax is the same for batch or demand. For batch or demand break-pointed callers, ASISUT echoes all input commands back to the print file.

4.9.1. ASISUT Processor Call Syntax

@ASISUT[,options]

where options is:

N    No SERVER$CTRL calls are issued while processing ASISUT commands, so no SERVER$CTRL call privilege is required of the caller. The SHUTDOWN and PURGE commands are not allowed if this option is used.

X    Error-terminate the batch run if an error is encountered.

The ASISUT processor displays the following information before reading any input commands:

• ASISUT processor-id line

• Reminder of how to get HELP

• Current Status and Statistics report on ASIS (see 4.9.3)

Following are the legal input commands:

EXIT
BRKPT
DUMP
HELP or ?
PURGE
REFRESH
SHUTDOWN [DRAIN] [DUMP] [PURGE] [QUIET] [<errorcode>]
STATUS
TESTMODES [[+|-]DEBUG] [[+|-]SINGLE] [<trace level>]
TYPES
WARNSCREEN [PURGE]

Any numeric operand on the SHUTDOWN command is interpreted as an octal error code. Using error codes is optional and the values are defined by the site.

If the optional plus ( + ) or minus ( - ) prefix is omitted from the TESTMODES command operands, + is the default. The + prefix means enable the mode, and the - prefix means disable it. The trace level on the TESTMODES command is a numeric field ranging from 0 to 15. Zero disables nearly all ASIS tracing. The higher the trace level value, the more detail appears in the trace file.

Note: If the trace level is set to 14 or higher, security sensitive information like passwords may appear in the ASIS*ASIS$TRACE$ file.
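The rules in 4.9.1 are easy to get wrong in a batch deck that is only discovered to be bad after the run has error-terminated. The following Python pre-check is an added example, not Unisys code and not part of this guide: it parses the @ASISUT call line and each input command offline, refuses SHUTDOWN and PURGE under the N option, stops at the first error when X is set, reads the SHUTDOWN numeric operand as octal as the text states, applies the default + prefix on TESTMODES, and warns when the trace level reaches 14. The trace level is assumed to be decimal (the text gives the range 0 to 15 without calling it octal), and all function names are illustrative.

```python
"""
Pre-check for ASISUT batch input against the call syntax in 4.9.1.
Added example, not Unisys code: it validates the @ASISUT call line and the
input commands offline and never talks to ASIS. Function names are
illustrative. SHUTDOWN error codes are octal, as the text states; the
TESTMODES trace level is assumed decimal (0 to 15).
"""
import re

COMMANDS = {"EXIT", "BRKPT", "DUMP", "HELP", "PURGE", "REFRESH",
            "SHUTDOWN", "STATUS", "TESTMODES", "TYPES", "WARNSCREEN"}
NEEDS_SERVER_CTRL = {"SHUTDOWN", "PURGE"}   # refused under the N option (msg-id 01113)
SHUTDOWN_KEYWORDS = {"DRAIN", "DUMP", "PURGE", "QUIET"}
SENSITIVE_TRACE_LEVEL = 14                  # passwords may reach ASIS*ASIS$TRACE$ from here up


def parse_call(call):
    """Parse '@ASISUT[,options]' and return the set of option letters (N, X)."""
    m = re.fullmatch(r"@ASISUT(?:,([NX]*))?", call.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not an ASISUT call: {call!r}")
    return set((m.group(1) or "").upper())


def validate(command, options=frozenset()):
    """Describe one input command as a dict (with a 'warnings' list); ValueError if not allowed."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    verb, args = words[0].upper(), [w.upper() for w in words[1:]]
    verb = "HELP" if verb == "?" else verb
    if verb not in COMMANDS:
        raise ValueError(f"unknown ASISUT command {verb!r}")
    if "N" in options and verb in NEEDS_SERVER_CTRL:
        raise ValueError(f"{verb} needs SERVER$CTRL and is not allowed under the N option")
    parsed = {"verb": verb, "warnings": []}
    if verb == "SHUTDOWN":
        keywords, code = set(), None
        for a in args:
            if a in SHUTDOWN_KEYWORDS:
                keywords.add(a)
            elif a.isdigit():
                if code is not None:
                    raise ValueError("SHUTDOWN takes at most one error code")
                if not re.fullmatch(r"[0-7]+", a):
                    raise ValueError(f"SHUTDOWN error code {a} is not octal")
                code = int(a, 8)                        # numeric operand is octal
            else:
                raise ValueError(f"bad SHUTDOWN operand {a!r}")
        parsed.update(keywords=keywords, errorcode=code)
    elif verb == "TESTMODES":
        modes, level = {"DEBUG": None, "SINGLE": None}, None
        for a in args:
            if m := re.fullmatch(r"([+-]?)(DEBUG|SINGLE)", a):
                modes[m.group(2)] = m.group(1) != "-"   # omitted prefix means +
            elif a.isdigit():
                level = int(a)                          # assumed decimal
                if not 0 <= level <= 15:
                    raise ValueError(f"trace level {level} is outside 0-15")
            else:
                raise ValueError(f"bad TESTMODES operand {a!r}")
        if level is not None and level >= SENSITIVE_TRACE_LEVEL:
            parsed["warnings"].append(
                f"trace level {level}: passwords may be written to ASIS*ASIS$TRACE$")
        parsed.update(debug=modes["DEBUG"], single=modes["SINGLE"], trace_level=level)
    elif verb == "WARNSCREEN":
        if args not in ([], ["PURGE"]):
            raise ValueError("WARNSCREEN takes only the optional PURGE operand")
        parsed["purge"] = args == ["PURGE"]
    elif args:
        raise ValueError(f"{verb} takes no operands")
    return parsed


def rejects(command, options=frozenset()):
    """True if validate() refuses the command."""
    try:
        validate(command, options)
    except ValueError:
        return True
    return False


def check_batch(call, commands):
    """Validate a call line plus its input commands; returns (parsed commands, errors).

    With the X option, checking stops at the first error, mirroring the
    error-terminate behaviour of the batch run.
    """
    options = parse_call(call)
    results, errors = [], []
    for line in commands:
        try:
            results.append(validate(line, options))
        except ValueError as err:
            errors.append((line, str(err)))
            if "X" in options:
                break
    return results, errors


if __name__ == "__main__":
    ok, bad = check_batch("@ASISUT,N", ["STATUS", "TESTMODES DEBUG 14", "SHUTDOWN DRAIN", "EXIT"])
    for cmd in ok:
        print(cmd)
    for line, why in bad:
        print(f"rejected {line!r}: {why}")
```

Run it over the command images of a deck before submitting the run; the only checks it performs are the ones stated in 4.9.1, so a command it accepts can still be refused by ASISUT for privilege reasons (msg-ids 01112 and 01113).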

4.9.2. ASISUT Commands

The commands listed previously correspond to a subset of the administrative API functions described in detail in the API portion of Section 6. Table 4–4 briefly explains each command, identifies the corresponding function, and refers to this guide for further details.

Table 4–4. ASISUT Commands

Command     Purpose                                            API Function                     Reference
EXIT        Exit the ASISUT processor.                         N/A                              4.9.1
BRKPT       Command ASIS to @BRKPT PRINT$.                     Breakpoint Print                 6.1.11
DUMP        Command ASIS to                                    Dump ASIS
HELP        Display ASISUT processor and
PURGE       Purge ASIS awareness from the Exec.
REFRESH     Trigger the ASIS subsystem to reexamine the        Refresh Config                   6.1.13
            system configuration.
SHUTDOWN    Shut down ASIS.                                    Shutdown ASIS                    6.1.3
STATUS      Report status and statistics on ASIS.              Get Status and Statistics        6.1.9, 4.9.3
TESTMODES   Enable or disable ASIS internal debug modes.       Test Modes                       6.1.12
TYPES       Report on authentication types ASIS is handling.   Authentication Type Information  6.1.10, 4.9.3
WARNSCREEN  Command ASIS to scan an updated warning screen     Warning Screen Update            6.1.8
            file or purge an existing warning screen.

4.9.3. ASISUT Reports Status and Statistics

Following is a sample report:

Current Exec View of ASIS State: <ACTIVE | DRAINING | UNAVAILABLE | NOT PRESENT>
Current ASIS version: ASIS 3R1 (date/time ASIS created)
Current ASIS State: <INACTIVE | INITIALIZING | ACTIVE | DRAINING | TERMINATING>
Test Modes: DEBUG <on|off> SINGLE-THREAD <on|off> TRACE LEVEL ##
Authentication Server Activities: <nn>
Totals accumulated since ASIS initialization on <mm/dd/yy> at <hh:mm:ss>:
Total authentication attempts: <n> Exec: <n> API: <n>
AUTH_USER: <n>
AUTH_CONTEXT: <n>
Exec Successful: <n> Rejected: <n> Declined: <n> Aborted: <n>
API Successful: <n> Rejected: <n> Declined: <n> Aborted: <n>
Continued: <n>
Total Successful: <n> Rejected: <n> Declined: <n> Aborted: <n>
API calls currently waiting in hacker frustration: <n>
API hacker frustration records: <n>
RUNID   USERID       TRIES  DELAY  STATUS    EXPIRATION
<rrrr>  <uuuuuuuuu>  <n>    <n>    <ssssss>  yyyy-mm-dd hhmm:ss
Authentications queued in Exec: <n>

Note: If the Exec state displayed on the first line of this report is UNAVAILABLE or NOT PRESENT, the remaining lines are not displayed except for Authentications queued in the Exec.

If the N option was used to call the ASISUT processor, the first line of the report (Current Exec View of ASIS State) and the last line (Authentications queued in Exec) are not displayed. If the N option was used and ASIS was unavailable for retrieving the statistics, the message (No status available) is displayed.

If hacker frustration records are shown:

RUNID       is the generated run-id of the run that called AUTH_USER.

USERID      is the last user-id that failed authentication for this run.

DELAY       is the current delay in seconds.

STATUS      WAITING indicates an activity is currently being held in the ASIS subsystem due to the hacker delay. INACTIVE indicates a hacker record exists, and the run may experience a delay in the future, but there is currently no activity of this run in the ASIS subsystem.

EXPIRATION  is when this delay expires.

Note: The values on the output line "Exec Successful: <n> Rejected: <n> Declined: <n> Aborted: <n>" have the following meaning:

When the Authentication Type (AT) field in the 2200 user-id record has a value of binary zero and the signon credentials are the traditional typed-in userid/password, that authentication is counted as "Declined" even if the Exec's authentication is successful. This means that the ASIS subsystem declined to process the authentication and the authentication was forwarded to the Exec for traditional userid/password processing.

When the Authentication Type field in the 2200 user-id record has a non-zero value and there are no Authentication Modules (AMs) installed to handle that type, that authentication fails and is also added to the "Declined" count. Otherwise, if an AM successfully passes the authentication, it is reported as "Successful".

If for some reason an authentication was aborted before completion, that authentication is added to the "Aborted" count; for example, a $$OPEN or $$CLOSE was entered before the authentication completed.

If an authentication fails, it is added to the "Rejected" count.
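Because ASISUT echoes its output to the print file, the Status and Statistics report of 4.9.3 is easy to collect from a batch run and check mechanically. The following Python parser is an added example, not Unisys code and not part of this guide: it reads the report text, reconciles the Exec, API and Total counters, computes the "Declined" share (the fraction of attempts ASIS handed back to the Exec, per the note above), flags a trace level of 14 or above, and flags a hacker frustration record still WAITING past its EXPIRATION. The sample report is constructed, with invented values; the assumption that the Exec and API lines sum to the Total line for each outcome (and Exec + API attempts to the total) is drawn from the layout of the report and is not stated by the guide; all function names are illustrative.

```python
"""
Parser and checks for the ASISUT Status and Statistics report (4.9.3).
Added example, not Unisys code: it reads the report text (for instance from
the print file of a batch run) and applies the checks a practitioner would
want before trusting the numbers. Assumed from the sample layout: Exec and
API lines sum to the Total line per outcome, Exec + API attempts equal the
total, and EXPIRATION is 'yyyy-mm-dd hhmm:ss'. Function names are illustrative.
"""
import re
from datetime import datetime

SENSITIVE_TRACE_LEVEL = 14   # passwords may appear in ASIS*ASIS$TRACE$ at this level or above
OUTCOMES = ("successful", "rejected", "declined", "aborted")

# Constructed sample in the 4.9.3 layout; every value is invented.
SAMPLE_REPORT = """\
Current Exec View of ASIS State: ACTIVE
Current ASIS version: ASIS 3R1 (01/15/24 10:22:03)
Current ASIS State: ACTIVE
Test Modes: DEBUG off SINGLE-THREAD off TRACE LEVEL 14
Authentication Server Activities: 4
Totals accumulated since ASIS initialization on 01/15/24 at 10:22:03:
Total authentication attempts: 1200 Exec: 900 API: 300
AUTH_USER: 250
AUTH_CONTEXT: 50
Exec Successful: 700 Rejected: 40 Declined: 150 Aborted: 10
API Successful: 240 Rejected: 30 Declined: 20 Aborted: 10
Continued: 5
Total Successful: 940 Rejected: 70 Declined: 170 Aborted: 20
API calls currently waiting in hacker frustration: 1
API hacker frustration records: 2
RUNID    USERID     TRIES DELAY STATUS   EXPIRATION
RUN001   ALICE      3     8     WAITING  2024-01-15 1130:00
RUN002   BOB        5     32    INACTIVE 2024-01-15 1135:00
Authentications queued in Exec: 2
"""

FIELD_PATTERNS = {   # one-line fields; numeric groups become int
    "exec_view": r"Current Exec View of ASIS State: (.+)",
    "asis_state": r"Current ASIS State: (.+)",
    "trace_level": r"Test Modes: DEBUG \S+ SINGLE-THREAD \S+ TRACE LEVEL (\d+)",
    "attempts": r"Total authentication attempts: (\d+) Exec: (\d+) API: (\d+)",
    "waiting": r"API calls currently waiting in hacker frustration: (\d+)",
    "hf_records": r"API hacker frustration records: (\d+)",
    "queued": r"Authentications queued in Exec: (\d+)",
}
COUNTER_LINE = re.compile(r"(Exec|API|Total) Successful: (\d+) Rejected: (\d+) Declined: (\d+) Aborted: (\d+)")
RECORD_LINE = re.compile(r"(\S+) (\S+) (\d+) (\d+) (WAITING|INACTIVE) (\d{4}-\d{2}-\d{2} \d{4}:\d{2})")


def parse_status_report(text):
    """Turn the report text into a dict of fields, per-source counters and hacker records."""
    report = {"counters": {}, "records": []}
    for raw in text.splitlines():
        line = " ".join(raw.split())      # collapse column padding
        for key, pattern in FIELD_PATTERNS.items():
            if m := re.fullmatch(pattern, line):
                vals = [int(v) if v.isdigit() else v for v in m.groups()]
                report[key] = vals[0] if len(vals) == 1 else tuple(vals)
        if m := COUNTER_LINE.fullmatch(line):
            report["counters"][m.group(1)] = dict(zip(OUTCOMES, map(int, m.groups()[1:])))
        elif m := RECORD_LINE.fullmatch(line):
            runid, userid, tries, delay, status, expiration = m.groups()
            # expiration stays text: the fixed-width format compares correctly as a string
            report["records"].append(dict(runid=runid, userid=userid, tries=int(tries),
                                          delay=int(delay), status=status, expiration=expiration))
    return report


def declined_share(report):
    """Fraction of attempts ASIS declined (AT field zero, or no AM for the type; see 4.9.3)."""
    total = report["attempts"][0]
    return report["counters"]["Total"]["declined"] / total if total else 0.0


def check_report(report, now):
    """Consistency and security checks; returns findings (empty means clean). 'now' is in EXPIRATION format."""
    if report.get("exec_view") in ("UNAVAILABLE", "NOT PRESENT"):
        # per 4.9.3 only the queued count follows in this case, so nothing else can be checked
        return [f"Exec view is {report['exec_view']}; "
                f"{report.get('queued', 0)} authentications queued in Exec"]
    findings = []
    c, (total, exec_n, api_n) = report["counters"], report["attempts"]
    if exec_n + api_n != total:
        findings.append(f"attempts do not reconcile: Exec {exec_n} + API {api_n} != {total}")
    for k in OUTCOMES:
        if c["Exec"][k] + c["API"][k] != c["Total"][k]:
            findings.append(f"{k} counters do not reconcile across Exec, API and Total")
    if report["trace_level"] >= SENSITIVE_TRACE_LEVEL:
        findings.append(f"trace level {report['trace_level']}: passwords may appear in ASIS*ASIS$TRACE$")
    waiting = [r for r in report["records"] if r["status"] == "WAITING"]
    if len(report["records"]) != report["hf_records"] or len(waiting) != report["waiting"]:
        findings.append("hacker frustration record lines do not match the reported counts")
    for r in waiting:
        if r["expiration"] < now:     # the delay should have ended; the activity may be stuck
            findings.append(f"run {r['runid']} ({r['userid']}) still WAITING past {r['expiration']}")
    return findings


if __name__ == "__main__":
    rep = parse_status_report(SAMPLE_REPORT)
    print(f"declined share: {declined_share(rep):.1%}")
    for finding in check_report(rep, datetime.now().strftime("%Y-%m-%d %H%M:%S")):
        print("FINDING:", finding)
```

A high declined share is worth watching on its own: it means most signons are still traditional userid/password handled by the Exec, or that user-id records name an authentication type for which no AM is installed, both of which the TYPES command can help pin down. When the report was produced under the N option, the first and last lines are absent, so the queued count and the Exec view will simply be missing from the parsed result rather than wrong.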