9.4 File Access Restrictions for Files With Sensitive Information

Some files used by Reflection X Advantage contain information that might pose a security risk if acquired or modified by a malicious user. When files with sensitive data are created, they are given file permissions that minimize this risk. You should not change these default permissions, as doing so creates an increased security risk. Depending on how you install and configure Reflection X Advantage, you may have files that contain the following sensitive information:

  • Private keys used to authenticate a user to a remote X client host. Depending on your configuration, these files may be on your file system or stored within the Reflection X Advantage database.

  • Saved passwords. Passwords are saved to the Reflection X Advantage database. Passwords in the database are not encrypted. The security of this information is maintained by the access restrictions on the database files.

  • Reflection X Service settings identifying the nodes in a distributed Reflection X Advantage configuration, and the ports used by those nodes.

  • Private keys used by Reflection X Advantage to authenticate programs and users during session sharing and use of the Remote Session Services feature.

Log File Warnings

When a Reflection X Advantage program or service uses a file that should be configured for restricted access and the file permissions have been modified in a way that presents a potential security risk, the program or service continues to use that file, but also logs a warning to the appropriate log file. See Logging for information about where to locate log files.

For example, the following xmanager.log entry shows that the private key demokey, which was used to authenticate to an X client host, has insufficient access restrictions:

[ WARN]: Permissions incorrect for C:\Users\Joe\Documents\demokey. The permissions should be set to only allow Joe access.

Files with Access Restrictions

The files in the table below are created using the recommended access restrictions shown in the table. These permission settings should not be modified.

| Files | Location | Access Restrictions |
|---|---|---|
| Secure Shell user keys | User-defined. Note: It is recommended that you put user keys in a directory that is owned by the user; however, placing keys in a shared location does not generate a warning as long as the keys themselves use the default access restrictions. | Readable and writable only by the user |
| Stand-alone X Manager database (on the computer running X Manager) | Windows: `%UserProfile%\Documents\Micro Focus\Reflection\db\`; Linux: `$HOME/.microfocus/reflection/db/` | Readable and writable only by the user |
| Domain database (on the computer running the Domain Controller) | Windows: `%AllUsersProfile%\.attachmate\rx\db`; Linux: `/opt/rxadvantage/rx/db` | Readable and writable only by administrator |
| Reflection X Service configuration files: domains.xml, domain-nodes.xml, host-nodes.xml | Windows: `%AllUsersProfile%\.attachmate\rx\conf`; Linux: `<rxa_installation_directory>/conf` | Writable only by administrator |
| Reflection X Service identity files | Windows: `%AllUsersProfile%\.attachmate\rx\identity`; Linux: `<rxa_installation_directory>/identity` | Readable and writable only by administrator |
| X Manager application and user private keys (not user-generated; these are used by X Manager for session sharing) | Windows: `%UserProfile%\Documents\Micro Focus\Reflection\identity`; Linux: `$HOME/.microfocus/reflection/identity` | Readable and writable only by the user |
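
To find loosened permissions on Linux before they show up as log warnings, the following added example (not part of Reflection X Advantage or its documentation) audits a directory tree against the two kinds of restriction in the table. It assumes that "readable and writable only by" means no group or other permission bits and that "writable only by" means no group or other write bit; the policy names and the `audit` and `demo` functions are this example's own, and POSIX ACLs are not examined.

```python
import os
import stat
import tempfile

# Policy names are this example's own labels for the table's wording.
OWNER_ONLY = "owner_only"    # "Readable and writable only by ..."
OWNER_WRITE = "owner_write"  # "Writable only by administrator"

def audit(root, policy, expected_uid):
    """Return (path, problem) pairs for root and everything beneath it."""
    # Assumption: owner-only forbids every group/other bit (077);
    # owner-write forbids only group/other write (022).
    forbidden = 0o077 if policy == OWNER_ONLY else 0o022
    targets = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        targets += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in targets:
        st = os.lstat(path)  # lstat: never follow a link out of the tree
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symbolic link, target not checked"))
            continue
        if st.st_uid != expected_uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & forbidden:
            findings.append((path, f"mode {mode:04o} grants extra bits {mode & forbidden:03o}"))
    return findings

def demo():
    """Audit a constructed tree holding one correct and one loosened key file."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o700)
        for name, mode in (("good_key", 0o600), ("demokey", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write("constructed sample, not a real key\n")
            os.chmod(path, mode)
        found = audit(tmp, OWNER_ONLY, os.getuid())
        return [(os.path.basename(p), msg) for p, msg in found]

if __name__ == "__main__":
    # Per-user Linux locations taken from the table above.
    base = os.path.expanduser("~/.microfocus/reflection")
    for sub in ("db", "identity"):
        target = os.path.join(base, sub)
        if os.path.isdir(target):
            for path, problem in audit(target, OWNER_ONLY, os.getuid()):
                print(f"WARN {path}: {problem}")
```

For the administrator-owned locations, run it as root with the expected UID set to 0 and `OWNER_WRITE` for the `conf` directory.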