File Access Restrictions for Reflection X Advantage Files that Contain Sensitive Information
Technical Note 2597
Last Reviewed 20-Feb-2014
Applies To
Reflection X Advantage
Summary

Reflection X Advantage uses files that may contain sensitive information. These files are created with access restrictions that help ensure the protection of this information. This technical note provides a summary of these files and their recommended access restrictions.

Overview

Some files used by Reflection X Advantage contain information that might pose a security risk if acquired or modified by a malicious user. When files with sensitive data are created, they are given file permissions that minimize this risk. You should not change these default permissions, as doing so creates an increased security risk. Depending on how you install and configure Reflection X Advantage, you may have files that contain the following sensitive information:

  • Private keys used to authenticate a user to a remote X client host. Depending on your configuration, these files may be on your file system or stored within the Reflection X Advantage database.
  • Saved passwords. Passwords are saved to the Reflection X Advantage database. Passwords in the database are not encrypted. The security of this information is maintained by the access restrictions on the database files.
  • Reflection X Service settings identifying the nodes in a distributed Reflection X Advantage configuration, and the ports used by those nodes.
  • Private keys used by Reflection X Advantage to authenticate programs and users during session sharing and use of remote session services.

Log File Warnings

When a Reflection X Advantage program or service uses a file that should be configured for restricted access and the file permissions have been modified in a way that presents a potential security risk, the program or service continues to use that file, but also logs a warning to the appropriate log file. (See "logging" in the Reflection X Advantage Help for information about where to locate log files.)

For example, the following xmanager.log entry shows that the private key demokey, which was used to authenticate to an X client host, has insufficient access restrictions:

[ WARN]: Permissions incorrect for C:\Users\Joe\Documents\demokey. The permissions should be set to only allow Joe access.

Files with Access Restrictions

The files in the table below are created using the recommended access restrictions shown in the table. These permission settings should not be modified.

Note: Beginning in version 5.0, Mac OS is no longer supported.

Files: Secure Shell user keys
Location: User-defined.
  Note: It is recommended that you put user keys in a directory that is owned by the user; however, placing keys in a shared location does not generate a warning as long as the keys themselves use the default access restrictions.
Access Restrictions: Readable and writable only by the user.

Files: Stand-alone X Manager database (on the computer running X Manager)
Location:
  Windows: C:\ProgramData\.attachmate\rx\db -or- C:\Documents and Settings\All Users\.attachmate\rx\db
  UNIX: $HOME/.attachmate/rx/db
  Mac (Reflection X Advantage 4.2 or earlier): /Users/<user>/.attachmate/rx/db
Access Restrictions: Readable and writable only by the user

Files: Domain database (on the computer running the Domain Controller)
Location:
  Windows: C:\ProgramData\.attachmate\rx\db -or- C:\Documents and Settings\All Users\.attachmate\rx\db
  UNIX: $HOME/.attachmate/rx/db
  Mac (Reflection X Advantage 4.2 or earlier): /Users/<user>/.attachmate/rx/db
Access Restrictions: Readable and writable only by administrator

Files: Reflection X Service configuration files: domains.xml, domain-nodes.xml, host-nodes.xml
Location:
  Windows: C:\ProgramData\.attachmate\rx\conf -or- C:\Documents and Settings\All Users\.attachmate\rx\conf
  UNIX: <rxa_installation_directory>/conf
  Mac (Reflection X Advantage 4.2 or earlier): <rxa_installation_directory>/conf
Access Restrictions: Writable only by administrator

Files: Reflection X Service identity files: service.address, root-<port>, domain-<port>, node-<port>
Location:
  Windows: C:\ProgramData\.attachmate\rx\conf -or- C:\Documents and Settings\All Users\.attachmate\rx\conf
  UNIX: <rxa_installation_directory>/conf
  Mac (Reflection X Advantage 4.2 or earlier): <rxa_installation_directory>/conf
Access Restrictions: Readable and writable only by administrator

Files: X Manager application and user private keys (not user-generated; these are used by X Manager for session sharing): root, domain, RSA-2048
Location:
  Windows: C:\ProgramData\.attachmate\rx\identity -or- C:\Documents and Settings\All Users\.attachmate\rx\identity
  UNIX: $HOME/.attachmate/rx/identity
  Mac (Reflection X Advantage 4.2 or earlier): /Users/<user>/.attachmate/rx/identity
Access Restrictions: Readable and writable only by the user
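
The following is an added example, not part of this technical note or of Reflection X Advantage: a Python audit of the UNIX locations listed above that reports any entry whose mode bits or owner break the stated restriction. It assumes POSIX permissions and that "administrator" on UNIX means root (uid 0); the names `audit`, `USER_ONLY` and `OWNER_WRITE_ONLY` are hypothetical.

```python
import os
import stat
import sys

# Permission bits that must be clear for each restriction named in the table.
USER_ONLY = 0o077         # "readable and writable only by the user"
OWNER_WRITE_ONLY = 0o022  # "writable only by administrator"

def audit(root, forbidden_bits, owner_uid):
    """Return (path, problem) pairs for entries under root that break the restriction."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        try:
            st = os.lstat(path)
        except OSError as exc:
            findings.append((path, f"cannot stat: {exc.strerror}"))
            continue
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits carry no meaning
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & forbidden_bits
        if extra:
            findings.append((path, f"mode {mode:04o} grants {extra:03o} to group/other"))
        if st.st_uid != owner_uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected {owner_uid}"))
    return findings

if __name__ == "__main__":
    base = os.path.expanduser("~/.attachmate/rx")
    problems = []
    for sub in ("db", "identity"):
        problems += audit(os.path.join(base, sub), USER_ONLY, os.getuid())
    # Optional arguments: conf directories under the installation directory.
    for conf in sys.argv[1:]:
        problems += audit(conf, OWNER_WRITE_ONLY, 0)  # assumption: administrator == root
    for path, problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one entry needs its default permissions restored; a missing directory is reported as "cannot stat".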

Related Technical Notes
2234 Reflection X Advantage Technical Notes
