Pre-Con Ed: CA ACF2 and CA Top Secret – Part 1: What’s New in the Enterprise Security Managers

World®’16

CAACF2andCATopSecret– Part1:What’sNewintheEnterpriseSecurityManagers

JohnPinkowski- ProductOwner

MFX39EA

MAINFRAMEANDWORKLOADAUTOMATION

ForInformationalPurposesOnlyTermsofthisPresentation

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.Thepresentationprovided atCAWorld2016isintendedforinformationpurposesonlyanddoesnotformanytypeofwarranty.Someofthespecificslideswith customerreferencesrelatetocustomer'sspecificuseandexperienceofCAproductsandsolutionssoactualresultsmayvary.

CertaininformationinthispresentationmayoutlineCA’sgeneralproductdirection.Thispresentationshallnotserveto(i) affecttherightsand/orobligationsofCAoritslicenseesunderanyexistingorfuturelicenseagreementorservicesagreementrelatingtoanyCAsoftwareproduct;or(ii)amendanyproductdocumentationorspecificationsforanyCAsoftwareproduct.Thispresentationisbasedon currentinformationandresourceallocationsasofNovember1,2016,andissubjecttochangeorwithdrawalbyCAatanytimewithout notice.Thedevelopment,releaseandtimingofanyfeaturesorfunctionalitydescribedinthispresentationremainatCA’ssolediscretion.

Notwithstandinganythinginthispresentationtothecontrary,uponthegeneralavailabilityofanyfutureCAproductrelease referencedinthispresentation,CAmaymakesuchreleaseavailabletonewlicenseesintheformofaregularlyscheduledmajorproductrelease.SuchreleasemaybemadeavailabletolicenseesoftheproductwhoareactivesubscriberstoCAmaintenanceandsupport,onawhen andif-availablebasis.Theinformationinthispresentationisnotdeemedtobeincorporatedintoanycontract.

Abstract

Businesssuccessintheapplicationeconomydependsonareliableandcost-effectivesecurityinfrastructure.ThissessionwillcoverthelatestenhancementsintheExternalSecurityManagers(ESMs)CATopSecret®andCAACF2™—rangingfromrole-basedaccesscontroltouser-orientedarchitecture—tohelpeaseyourmainframesecurityadministrationandsimplifyyourcomplianceandaudittasks.

JohnPinkowski

CATechnologies

Agenda

EOSDATES

THEOLD

THENEW

SecurityandComplianceManagingSecurity,DataAccessandCompliance

CADataProtection

3rd partyDLPSolution

SIEMCAComplianceEventManager

IBMRACF

CATopSecret

CAACF2

CACleanup

CAAdvancedAuthenticationMainframe

CADataContentDiscovery

CAAuditor

SecuremainframeassetsCaptureeventsaffectingcomplianceandpolicyDiscoversensitivedata

ExtendcomplianceeventdatatoanalyticssolutionsEnablesecuredatainmotionacrosstheenterprise

SecurityAdministrator

BigDataAnalystAuditor

Planned

Available

Non-CAProduct

EOSDates

CATopSecretandCAACF2EOS!

§ …notificationthatwearediscontinuingsupportforCATopSecretVersion14.0,

includingServicePacksbeginningDecember31,2016andVersion15.0beginning

December31,2017.ThiswillallowourDevelopmentorganizationtomore

effectivelyfocusitsresourcesandaddvaluetothenextreleaseofCATopSecret

forz/OS.

CATopSecretandCAACF2EOS!HelpfulLinks

§ http://www.ca.com/us/services-support/ca-support/ca-support-online/product-

content/status/support-life-cycle/indexes/ca-top-secret-product-family-release-

and-support-lifecycle-dates.html

§ http://www.ca.com/us/services-support/ca-support/ca-support-online/product-

content/status/support-life-cycle/indexes/ca-acf2-product-family-release-and-

support-lifecycle-dates.html

CATopSecretandCAACF2EOS!

TheOld

CAACF2r16Enhancement

Need:Ineedtohaveastatusforauserthatremovestheabilitytoaccessasystem,yetnotallowthatusersIDtobereused

Solution:AnuserthenewRETIREstatusforauser.Theuserwilllosetheabilitytologon/accessasystem.Furtherelevatedprivilegesarerequiredtoun-RETIREanuser.

Benefit:- CentralRepositorytoNotAllowingtheRe-UseofID- CompliancewithIRSPub1075

CATopSecretr16Enhancement

Need:Aspartofourauditreview,movingthefacilityinformationtothesecurityfilewouldbeagreatbenefit.

Solution:ActiveFACTOR(YES|NO)tostorethefacilitymatrixinformationonthesecurityfile.

Benefit:- Facilitydefinitionsprotectedfromview- EasiertoadministerandmaintainmultipleLPARcomplexes- SizeoftheTSSPARMSFILEgreatlyreduced

Need:IhaveimplementedarolebasesecurityarchitectureandneedtheabilitytoprovideaLogonIDaccessreportby role

Solution:RolesupportfortheLogonIDAccessreport.AbilitytocontrolthecreationofthereportusingthenewROLEinputparameter.Providingareportsectionforeachroleshowingwhichrulelinesgrantorpreventaccess

Benefit:- Improvedcompliancereportingbyroles- Improvedperformancebenefits

Need:ThereisaneedtogivemoregranularityoveradminscanassignaUID(0)

Solution:FornonMSCAadminsanadditionalauthorizationchecktoCASECAUT(TSSCMD.ADMIN.UID0)isissued.TheadminmusthaveACID(MAINTAIN)authorityandcheckisonlyissuedwhenUID(0)ispresentwithinaTSSADDorREPLACEcommandstring

Benefit:- FurtherrestrictswhocanassignauthorizationforUID(0)- Satisfiescompliancerequirements

CAACF2/CATopSecretr16Enhancement

Need:WehaveanewPCIrequirementtoensurewelimitthedatabeingmadevisibleduringmessageprocessing.Thisdetailedsysteminformationmaybeusedtocreatedenialofserviceinterruptions,orcausesecuritytofailwhenusedbyhackers

Solution:TheACF2MSGOPTSrecordallowstheadministratortocontrolwhichsignonmessageswillbeconvertedtoasinglegenericmessageACF01125LogonCredentialsInvalid.TheTopSecretcontroloptionGENSMSGallowstheadministratortocontroltheissuingofthegenericmessageTSS7099ESignonCredentialsInvalid

Benefit:- PCI6.5.5compliance- Limitedsecurityinformationshared

Need:IwasaskedbyourauditorwhatistheencryptionstrengthsofthepasswordsontheCAACF2andareweatthestrongest

Solution:ActivateAES256-bitencryptionforCAACF2passwordsandpasswordhistory

Benefit:Makesbruteforcepassworddecryptionofpasswordshardertoattain

Need:MystorageteamisaskingifthereareanystorageimprovementsinCAACF2.Moreworkloadsaremovingtothemainframeandwewanttobeinpositiontoscale.

Solution:UpgradetoCAACF2r16.Outoftheboxrulesetswillbemovedtointo64-bitCSA.

Benefit:Potentiallya70-90%savingsinCSAutilizationbelowthebar(ResultsMayVary)

Need:OurauditorswouldlikeustostopusingtheCICSBypassprocessinginourCTSregions

Solution:ExploitthenewCICSfacilitysubfunctionBYPLIST.YoucanstarttoworkwithyourauditorsimplementingBYPLIST(AUDIT)totracktheusageofbypasswithintheregion.OncetheseaccessesareadministrateditisasimpleswitchtoBYPLIST(NO)tonotallowtheuseofbypassinthefuture.

Benefit:- CompletecontrolofCTSresourcesfromCATopSecretpermissions- Improvedauditabilityoftheseresources

TheNew

Need:Iwasaskedbyourauditorifwecanuseourtokenstosignontothemainframe!

Solution:EnterpriseWideAdvancedAuthentication:IntroducingAdvancedAuthenticationMainframeSession:MFX42E

Benefit:Education!

Need:WearelookingtoexploitPasswordPhraseinourenvironmentandwouldliketoensureupperandlowercasecharactersarefollowingcompliancerequirements.

Solution:NewoptionswereintroducedviaPTFRO92400toenablethecontrolofforcingatleaseoneupperorlowercasecharacterinCAACF2.EquivalentsupportisbeingbuiltinCATopSecretifyouareinterestedpleasecontactus!

Benefit:- Greatercontroloverphraseedits- Additionalcomplianceregulationadherence

Need:WeareexploitingtheCAACF2andCATopSecretinformationinwaysthatthetraditionalprintercarriagecontrolcharactersareahindrance.

Solution:TheteamshavedevelopedsolutionsforreportsACFRPTRV,ACFRPTSLandTSSUTILfortherespectiveproducts.Ifyouareinterestedinanyofthesereports,pleaseletusknow.

Benefit:Improvedsortingofdatafromreports

Need:CurrentlyweareusingtheCASECAUTresourcetocontroladministratorsaccesstothecertificateprocess.Weareinterestedinhavingmoregranularcontroloverthisprocess.

Solution:CAACF2nowhassupportforadditionalGranularCertificateAdministration.YoumaynowuseRDATALIBclassrulestocontrolaccesstothespecificcertificateandkeyringcommands.TheexistingCASECAUTrulessimplyallowedaccesstousethecertificatecommandsbutgaveaccesstoallcertificatesownedbyanotheruserorbySITECERTorCERTAUTH.PTF:RO89501

Benefits:Thegranularadministrationallowsyoutocreaterulestoprovideaccesstoaspecificuserscertificateorasub-setofthem

Need:WehaveexploitedtheuseofexitsinCATopSecret.Aspartofserviceabilitywewouldlikethedatasetthattheexitisbeingloadedfromdisplayed.

Solution:JoinoursprintreviewsforCATopSecret.ThisideahasbeenincludedinourcurrentPI(ProgramIncrement).Aninitializationmessagewillbeaddedtoprovideexitinformation.

Benefits:Easeofsupportability

Need:WeareusingtheACFESAGEoutputtohelpconvertinstallationstoaRBACimplementation.Wearelookingtoexploitmoreoftheruntimeinformationinthisprocessandwouldlikeadditionaldatatobeavailableintheunload.

Solution:CAACF2ACFESAGEreportnowincludesadditionalactivesysteminformation:Rundate/time,databasenames,exitinformation,classmapdefinitions,andsomeoptioninformation.PTF:RO92424.

Benefits:AdditionaldatapointsforRBACconversions

Need:ForauditpurposeswewouldliketoseemoreenvironmentalinformationavailableintheTSSCFILErun.

Solution:JoinoursprintreviewsforCATopSecret.ThisideahasbeenincludedinourcurrentPI(ProgramIncrement).AdditionalinformationisscheduledtobeaddedtoTSSCFILE:CreationDate,LPARofTSSCFILErun,andSecurityfilenames.

Benefits:Additionaldatapointsforaudittrail

Need:WewouldlikeCATopSecrettohaveadditionadministrativeeditsaroundDFLTGRPprocessing.

Solution:JoinoursprintreviewsforCATopSecret.ThisideahasbeenincludedinourcurrentPI(ProgramIncrement).AdditionaleditstovalidatetheGROUP,andthatitisassignedtothetargetACID’sGROUPlistandthataGIDisassignedtoit.

Benefits:- Easeofadministration- EnsuresvalidusableUnixSystemServicescredentialareassigned

Questions?

RecommendedSessions

SESSION# TITLE DATE/TIME

MFX39EBPre-ConEd:CAACF2andCATopSecret– Part2:AdvancedSecurityControls 11/14/2016at10:00am

MFX42EEnterpriseWideAdvancedAuthentication:IntroducingAdvancedAuthenticationMainframe 11/14/2016at3:00pm

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm

MustSeeDemos

Real-TimeDataSecurity&Compliance

CADataContentDiscoveryMainframeTheatre

MainframeSecuritySmartBar

CATopSecretMainframeTheatre

Real-TimeDataSecurity&Compliance

CAComplianceEventManagerMainframeTheatre

MainframeSecuritySmartBar

CAACF2MainframeTheatre

Thankyou.

Stayconnectedatcommunities.ca.com

MainframeandWorkloadAutomation

FormoreinformationonMainframeandWorkloadAutomation,pleasevisit:http://cainc.to/9GQ2JI

Pre-Con Ed: CA ACF2 and CA Top Secret – Part 1: What’s New in the Enterprise Security Managers

Technology

Transcript of Pre-Con Ed: CA ACF2 and CA Top Secret – Part 1: What’s New in the Enterprise Security Managers

A AF™, IM® RAF®, A Top Secret® · CA ACF2 “Access ontrol Facility ” aka “AF” –Developed by SKK (Schrager, Klemens and Krueger) in 1978 and marketed by Cambridge –Cambridge

CA Top Secret® for z/OS Top Secret...Using CA Top Secret as a Repository.....169 DCE Security Server Firewall Technologies.....171 LDAP Server.....173 Integrated Cryptographic Contents

CA ACF2 for z/OS Adapter Installation and Configuration GuideFILE/ispim_acf2_book_1.… · IBM Security Privileged Identity Manager CA ACF2 for z/OS Adapter Installation and Conﬁguration

Filling the Holes: Common Configuration Vulnerabilities in · PDF fileFilling the Holes: Common Configuration Vulnerabilities in z/OS ACF2, RACF and Top Secret Phil Emrich Vanguard

CA ACF2™ for z/VM ACF2 for z VM...The subfunction field of a CA ACF2 for z/VM control block is invalid. Check that all CA ACF2 for z/VM control blocks are built correctly and are

ADVANCED ADAPTER for RACF - Cloud Access€¦ · Our Advanced Adapter for RACF acts as a trusted administrator ... • Record & Report Issue Command ... • Echosign • CA-ACF2 •

SEC06: What's New with CA ACF2 and CA Top Secret?

CA ACF2™ and CA Top Secret® Part 1: The Road Leading to r16 and Capabilities added since r15

eTrust CA-ACF2 Security for z/OS Administrator Guide

CA ACF2 15.0 CA RS 1306 Service List · PDF fileCA RS 1306 Service List ... CAS2260E CIARTLGR S0C4 at xxxxxxxx LMOD CIARTLGM CSECT N/A ... which causes ACF2/IMS to pick up 8 bytes

So how do I actually apply DISA STIGs to ACF2, RACF and/or ... · CA ACF2 •Where Now? CA Top Secret . Who are DISA? •Defense Information Systems Agency •Note the eagle... –US

MQ Security with CA ACF2...ACF2 resource rule. The resource type is any user-defined token. You only need to define the resource classes that you want the queue manager to check security

CA Top Secret and CA ACF2 101 - Mainframe Analytics ACF2 101.pdf · CA Top Secret and CA ACF2 101 Reg Harbeck CA Wednesday, August 15, 2007 Session 1784

Release Notes - IBMFILE/ReleaseNotes-ACF2-6.0.24.… · Release Notes CA ACF2 Adapter Contents of this Release Adapter Version Component Version Build Date June 13, 2018 Adapter Version

Oracle Identity Manager Connector Guide for CA ACF2 Advanced · Oracle Identity Manager Connector Guide for CA ACF2 Advanced provides information about integrating Oracle Identity

Oracle Identity Manager Connector Guide for CA ACF2 Advanced

MQ Security with CA ACF2 - MQ Technical Conference · ACF2 resource rule. The resource type is any user-defined token. You only need to define the resource classes that you want the

CA Top Secret Option for DB2 Product Guide - CA Support Top Secret Security Option for... · Step 4: Customize the CA Top Secret Option for DB2 Commands Output File ... CA Top Secret

Pre-Con Ed: CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls

CA Top Secret® for z/OS - ftpdocs.broadcom.com Top Secret Security for … · Troubleshooting Guide r15 CA Top Secret® for z/OS Fourth Edition . This Documentation, which includes