
ITSO System z SOA Forum 2006

ZS05 - Security Overview on z/OS 1

© 2005 IBM Corporation

ITSO System z SOA Forum 2006: Powering SOA with IBM Software on System z

ZS05 - Security overview on z/OS

Egide Van Aerschot
ITSO – zSeries and z9 center
E-mail: [email protected]


Notices

This information was developed for products and services offered in the U.S.A.

Note to U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

Redbooks (logo)™, IBM eServer™, ibm.com®, z/OS®, zSeries®, AIX®, ClearCase®, Cloudscape™, CICS®, CICSPlex®, DB2 Connect™, DB2®, DFS™, DRDA®, Informix®, IBM®, IMS™, MQSeries®, MVS™, Perform™, Rational®, RACF®, S/390®, SAA®, TME®, VTAM®, WebSphere®

The following terms are trademarks of other companies:

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.


Agenda

Introduction

z/OS security features overview

Security for z/OS front-end integration

Back-end integration


What is security?

IT security objectives specified in ISO Standard 7498-2:

– Identification
  • This is the ability to assign an identity to the entity accessing the system.
  • "user ID", UID, or "principal" in the J2EE security model
– Authentication
  • This is the process of validating the identity claimed by the accessing entity.
  • Authentication information is generally called "credentials": the accessor's name and password, or a "token" provided by a trusted party, such as a Kerberos ticket, an X.509 certificate, or an LTPA token.
– Authorization
  • This is the process of checking whether an asserted (already authenticated) identity has access to a requested resource.
– Integrity
  • Integrity ensures that transmitted or stored information has not been altered in an unauthorized or accidental manner.
– Confidentiality
  • This refers to the concept that an unauthorized party cannot obtain the meaning of the transferred or stored data.
– Auditing
  • With auditing, you capture and record security-related events, so that they can be exposed and analyzed after the fact.
– Non-repudiation
  • This is a legal term that demands legal evidence that a party performed some action, so that it cannot reasonably be denied.


Security challenges

Applications span more and more tiers, and more (cross-platform) communication takes place.

Applications become more and more multi-channel, with the user device usually in a (very) insecure environment.

Security artifacts need to be accessible from multiple places, and in many cases from multiple servers/platforms. This calls for security registry solutions that are standardized and accessible both locally and remotely.

Government and corporate rules have been tightened significantly over the past few years, resulting in:
– more and better auditability requirements
– strict access management to a company's assets and information

More and more applications become "self-service" type applications.
– "Untrusted" end-users become the operators of those apps, whereas before those apps were only operated by an employee of the company.
  • Internet banking!


Agenda

Introduction

z/OS security features overview
– RACF
– LDAP
– UNIX

Security for z/OS front-end integration

Back-end integration


RACF Security Server

RACF – Resource Access Control Facility

The RACF element of the z/OS Security Server is a software tool for use by:
– Security administrators
– Auditors

RACF is used to implement, and to monitor the implementation of, an installation's security policies.

End-user interaction with RACF is minimized by design.

z/OS resource managers invoke security services through a set of architected interfaces on z/OS known as the System Authorization Facility, or SAF.


RACF objectives


RACF protected resources


z/OS security server

Digital certificates

– Introduced in OS/390 R2.4

– Base for a complete certificate authority (CA) on z/OS

Kerberos registry is RACF

UNIX System Services security integrated with RACF with better security than other UNIX systems

Auditing of security events

z/OS V1R5

– Dynamic Templates

– Multi-level security

– Password Synchronization Solution


Using RACF

RACF segments


LDAP


LDAP server

The LDAP server on z/OS is based on a client/server model. The LDAP server on z/OS has two commonly used back ends:
– TDBM back end (based on DB2)
– SDBM back end (based on Resource Access Control Facility (RACF)): can be configured to provide read/write access to RACF user, group, and connection profiles using the LDAP protocol.

LDAP servers act as a repository for user and group information.


LDAP Directory Structure


LDAP Server on z/OS...


Unix Access Permissions on HFS


Agenda

Introduction

WebSphere for z/OS security features overview

Security for z/OS front-end integration
– WebSphere

Back-end integration


Security interaction points

[Figure: the request path Browser, HTTP server, J2EE App server, WMQ/WMB, J2C connector, DB2 and TM, with the security interaction points numbered 1 to 9 along the path.]


[Figure: a user's browser reaches the HTTP server on z/OS over HTTPS; the HTTP server performs authentication against RACF and forwards the request over HTTP to WAS, where the J2EE application is authorized (RACF) and accesses the DB.]

HTTP access with HTTP server and WAS on z/OS

Authentication is done by the HTTP server on z/OS; all authentication mechanisms available in the HTTP server can be used: user ID/password, certificates, etc.

RACF or LDAP can be used as the security registry.

Security credentials can be passed from the HTTP server to WAS.


[Figure: the user's browser talks over HTTPS to an authentication server outside z/OS; that server authenticates through LDAP on z/OS, which uses RACF native authentication. The HTTP server and WAS (J2EE application, DB) on z/OS receive the request over HTTP with the authenticated user ID and perform authorization.]

External authentication server and LDAP native authentication on z/OS

The authentication server runs outside z/OS, but uses LDAP on z/OS for authentication. LDAP in turn accesses RACF using "native authentication". The HTTP server and WAS always receive an already authenticated user ID. The user ID is forwarded using LTPA, or using headers in combination with a trust association.


Security Layers

[Figure: layered view, from the platform up to the application resources]
– Platform Security: Operating System Security
– Java Security: JVM 1.4 Security, Java 2 Security
– WebSphere Security: CORBA Security / CSIv2, J2EE Security API, WebSphere Security
– WebSphere/Application Resources: HTML, Servlet/JSPs, EJBs, Naming, Admin
– Access Control


TCP/IP security

Higher importance on:
– partner authentication
– message authentication
– combating denial-of-service attacks
– basic concepts of cryptography and digital certificates
  • Privacy: anyone who can intercept your data might be able to read it.
  • Integrity: an intermediary might be able to alter your data.
  • Accountability or non-repudiation


What is crypto

Traditionally: to hide the meaning of transferred or stored data, but also used to establish:
– data integrity
– authentication
– non-repudiation

That is "Security", as described in the ISO 7498-2 Security Framework, and as required by e-business transactions.

Cryptographic algorithms are:
– symmetric = shared secret key, e.g. DES, Triple-DES, AES, ...
– asymmetric = public key cryptography, e.g. RSA
– one way = cryptographic "checksum", e.g. MD5, SHA-1, ...

They all consume machine cycles!


Cryptography with WAS

– Handshake: asymmetric (public/private) – RSA, DSS, DH
– Data integrity: MD5, SHA-1, SHA-256 (z9-109)
– Symmetric: DES, T-DES, AES-128 (z9-109), RC2, RC4

(On the original slide, the algorithms shown in red have crypto hardware support.)


Authentication

Authentication is the process of establishing whether a client is valid in a particular context

– Client can be either an end user, a machine, or an application

An authentication mechanism defines rules about security information and the format of how security information is stored in both credentials and tokens

– Whether a credential is forwardable to another process

Authentication Mechanism uses User (Authentication) Registry (where user ID/password, and other attributes are stored) to check the client authentication

– WebSphere supports several User Registries - Local OS, LDAP and Custom Registry


Certificate-based Authentication

[Figure: SSL handshake with a client certificate]

HANDSHAKE PROTOCOL
– client to server: client-hello (encryption supported, sessionId, random)
– server to client: server-hello; X.509 certificate or session (resume); certificate request; server-key exchange; server hello done
– client to server: client certificate; client-key exchange; certificate verify; change cipher spec; finished
– server to client: change cipher spec; finished

RECORD PROTOCOL: (mac, actual, padding)
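The message order above is what a server enforcing certificate-based authentication must see before it treats the peer as authenticated; in particular, a client that sends its certificate but no certificate verify has never proven it holds the matching private key. The following Python script is an added illustration, not code from the presentation or from IBM: it encodes the full-handshake order (RFC 5246 ordering, no session resume) and checks constructed traces against it.

```python
# Full SSL/TLS handshake message order (RFC 5246 order, no session resume),
# including the client-certificate messages when the server asks for them.
def expected_messages(client_auth, server_key_exchange):
    seq = [("client", "client_hello"),
           ("server", "server_hello"),
           ("server", "certificate")]                     # server's X.509 certificate
    if server_key_exchange:
        seq.append(("server", "server_key_exchange"))     # only for some cipher suites
    if client_auth:
        seq.append(("server", "certificate_request"))
    seq.append(("server", "server_hello_done"))
    if client_auth:
        seq.append(("client", "certificate"))
    seq.append(("client", "client_key_exchange"))
    if client_auth:
        # proof of possession: a signature over the handshake with the client key
        seq.append(("client", "certificate_verify"))
    seq += [("client", "change_cipher_spec"), ("client", "finished"),
            ("server", "change_cipher_spec"), ("server", "finished")]
    return seq


def validate_handshake(trace, client_auth):
    """trace: list of (sender, message) in wire order.
    client_auth: the server's policy, True when a client certificate is required.
    Returns (True, 'ok') or (False, reason) at the first deviation."""
    uses_ske = ("server", "server_key_exchange") in trace
    expected = expected_messages(client_auth, uses_ske)
    for i, exp in enumerate(expected):
        if i >= len(trace):
            return False, f"handshake truncated before {exp[0]} {exp[1]}"
        if trace[i] != exp:
            return False, (f"message {i}: expected {exp[0]} {exp[1]}, "
                           f"got {trace[i][0]} {trace[i][1]}")
    if len(trace) > len(expected):
        extra = trace[len(expected)]
        return False, f"unexpected trailing message {extra[0]} {extra[1]}"
    return True, "ok"


# Constructed traces (not captured from a real system).
MUTUAL_AUTH_TRACE = [
    ("client", "client_hello"),
    ("server", "server_hello"), ("server", "certificate"),
    ("server", "certificate_request"), ("server", "server_hello_done"),
    ("client", "certificate"), ("client", "client_key_exchange"),
    ("client", "certificate_verify"),
    ("client", "change_cipher_spec"), ("client", "finished"),
    ("server", "change_cipher_spec"), ("server", "finished"),
]

# Same exchange with the server-authentication-only flight.
SERVER_AUTH_TRACE = [m for m in MUTUAL_AUTH_TRACE
                     if m[1] not in ("certificate_request", "certificate_verify")
                     and m != ("client", "certificate")]

# A client that presents a certificate but skips certificate_verify has not
# proven possession of the private key: the server must abort.
NO_PROOF_TRACE = [m for m in MUTUAL_AUTH_TRACE if m != ("client", "certificate_verify")]

if __name__ == "__main__":
    print(validate_handshake(MUTUAL_AUTH_TRACE, client_auth=True))
    print(validate_handshake(NO_PROOF_TRACE, client_auth=True))
    print(validate_handshake(SERVER_AUTH_TRACE, client_auth=True))
```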


Session security

[Figure: a WebSphere cell spanning two MVS systems or LPARs, SYSA (node 1) and SYSB (node 2), each running Server C and Server D; every server consists of a control region (CR) and several servants. The servers form a cluster, SSL is shown between the nodes, and LTPA is shown at the cluster level.]

Lightweight Third Party Authentication (LTPA)
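Both the user-ID forwarding described under "External authentication server and LDAP native authentication" (LTPA or headers with a trust association) and the cluster-wide LTPA shown in this figure rest on one rule: a downstream tier accepts an identity only when it arrives in a token that verifies under a key shared inside the cell. The following Python script is an added illustration, not IBM code and not the real LTPA token format: it models the issue/verify split with an HMAC over the user ID and expiry under a constructed key, and shows why a bare user-ID header carries no trust.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed placeholder for the key every server in the cell shares. Real LTPA
# keys are generated by the cell and exported to each member; this token layout
# (base64(json claims) "." base64(hmac)) is a model, not the LTPA wire format.
CELL_LTPA_KEY = b"constructed-demo-key-not-for-real-use"
TOKEN_LIFETIME_SECONDS = 7200


def issue_token(user_id, key, now):
    """Issued by the tier that actually authenticated the user (e.g. the external
    authentication server after LDAP/RACF native authentication). The MAC binds
    the user ID and the expiry time to the cell key."""
    claims = {"uid": user_id, "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(mac).decode()


def verify_token(token, key, now):
    """Run by a receiving tier (HTTP server, WAS, or another cluster member).
    Returns the user ID only if the MAC verifies and the token is unexpired;
    the user ID inside the token is never trusted before the MAC check."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        mac = base64.b64decode(mac_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged, tampered, or minted under another cell's key
    claims = json.loads(payload)
    if claims["exp"] <= int(now):
        return None  # expired: the user has to authenticate again
    return claims["uid"]


def authenticated_user(headers, key, now):
    """Trust-association rule for the receiving tier: the identity comes only
    from a token that verifies under the cell key. A bare user-ID header, which
    any client could set, is ignored. Header names are constructed."""
    token = headers.get("LtpaToken")
    if token is None:
        return None
    return verify_token(token, key, now)


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("RACFID1", CELL_LTPA_KEY, now)
    print(authenticated_user({"LtpaToken": token}, CELL_LTPA_KEY, now + 60))
    print(authenticated_user({"X-Asserted-User": "RACFID1"}, CELL_LTPA_KEY, now))
```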


Java Cryptography Extension - IBMJCE4758

IBM implementation of JCE cryptography using z/OS Common Cryptographic Architecture (CCA) hardware cryptographic devices. Allows a JCE application to take advantage of hardware cryptography without extensive knowledge of hardware cryptography.
– Digital Signatures via RSA and DSA (z900/z800 only)
– Hashing - SHA1, MD2, MD5
– Keystore - Symmetric and Asymmetric keys protected by 3DES
– Symmetric Algorithms - DES, 3DES, PBE
– Asymmetric Algorithms - RSA
– HMAC - MD5, SHA1

Adds the capability to use SAF-based keys/certificates (RACF):
– keystore for SAF Digital Certificate (key ring) Support


WebServices security

Transport Security

End to end Security


WS1 security


Getting an authenticated userID

[Figure: flow from authentication to the thread identity. Authentication (LDAP? RACF? TAI) produces an authenticated user ID; a plugin transforms it (LDAP?) to a RACF user ID; the user ID's roles are checked against the "user ID authorized for resource role" rule (authorize by role); RunAs selection (caller, server, or role) follows; the resulting identity is synced to the thread as both a Java context and an ACEE.]


J2EE 1.4 Security Features

Java 2 Security: Access to System Resources
– Enforces access control based on the location of the code and who signed it; not based on the principal
– Defined in a set of policy files
– Enforced at runtime

JAAS Security: Authentication and Authorization
– Enforces access control based on the current Principal or Subject
– Defined in application code
– Enforced programmatically
– Used for any type of Java code: stand-alone Java application, applet, EJB, servlet, and so on

J2EE Security Roles: Authorization of J2EE application artifacts
– Role-based security; roles defined in the J2EE EAR file
– Defined in application configuration settings (deployment descriptors)
– Enforced by runtime, programmatically, or both

CSIv2: Used for authenticating EJBs


Securing J2EE Application Artifacts (Roles)

[Figure: actual users/groups (Jack, Bob, Mary) are bound to J2EE security roles (Manager, Teller, Customer) by the Security Binding, usually done by the Deployer. The roles are granted Security Permissions on the application artifacts (EJB methods of an Enterprise Java Bean; Web components such as Servlet, JSP, HTML, GIFs, etc.), usually by the Assembler or Developer. Clients reach the artifacts through their roles.]
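The figure separates two decisions: the assembler or developer decides which roles may use which artifacts, and the deployer decides which real users and groups hold those roles, with RunAs selecting the identity a component uses for its own downstream calls. The following Python script is an added illustration of that two-step rule, not WebSphere code; the users, groups, EJB methods, RunAs mapping and the special subjects Everyone/AllAuthenticated (modelled on WebSphere's) are constructed sample data.

```python
# Registry side ("actual users/groups"): constructed sample data from the slide.
USER_GROUPS = {
    "jack": {"managers", "tellers"},
    "bob": {"tellers"},
    "mary": {"customers"},
}

# Security permissions, set by the assembler/developer in the deployment
# descriptor: artifact -> roles allowed. No entry = "unchecked" (anyone may use
# it); an empty set = excluded for everybody.
SECURITY_PERMISSIONS = {
    "AccountBean.approveLoan": {"Manager"},
    "AccountBean.deposit": {"Manager", "Teller"},
    "AccountBean.getBalance": {"Manager", "Teller", "Customer"},
    "AccountBean.debugDump": set(),
    "/statements/view.jsp": {"Customer"},
}

# Security binding, set by the deployer: role -> users, groups, special subjects.
SECURITY_BINDINGS = {
    "Manager": {"group:managers"},
    "Teller": {"group:tellers"},
    "Customer": {"group:customers"},
    "Visitor": {"Everyone"},
}

# RunAs configuration (caller / server / role). Hypothetical mapping: the deployer
# chose registry user "bob" as the RunAs user for role Teller.
RUN_AS_USERS = {"Teller": "bob"}
SERVER_IDENTITY = "wasserver"


def subjects_for(user_id):
    """Everything the binding can match for this caller (None = unauthenticated)."""
    subjects = {"Everyone"}
    if user_id is not None:
        subjects |= {"AllAuthenticated", f"user:{user_id}"}
        subjects |= {f"group:{g}" for g in USER_GROUPS.get(user_id, set())}
    return subjects


def roles_for(user_id):
    """Deployer's binding: the roles whose bound subjects include the caller."""
    subjects = subjects_for(user_id)
    return {role for role, bound in SECURITY_BINDINGS.items() if bound & subjects}


def is_authorized(user_id, artifact):
    """Role rule: the caller holds at least one role permitted on the artifact."""
    allowed = SECURITY_PERMISSIONS.get(artifact)
    if allowed is None:
        return True     # unchecked artifact
    if not allowed:
        return False    # excluded artifact
    return bool(roles_for(user_id) & allowed)


def run_as_identity(caller, mode, role=None):
    """Identity a component presents on its downstream EJB calls. RunAs-role lets
    a component act with more privilege than its caller, so the role's mapped
    user deserves the same scrutiny as a shared service account."""
    if mode == "caller":
        return caller
    if mode == "server":
        return SERVER_IDENTITY
    if mode == "role":
        return RUN_AS_USERS[role]
    raise ValueError(f"unknown RunAs mode {mode!r}")
```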


Java 2 Security

Provides an access control mechanism to manage the application's access to system-level resources: file I/O, network connections (sockets), property files, etc.
– Policy-based: policies define a set of permissions available from various signers and/or code locations
– Stored in policy files

All Java code runs under a security policy, which grants access to certain resources.

Java code needs access to certain system resources, and must obtain the permission from Java 2 access control. Access control looks at the Java 2 policy file(s) to determine whether the requesting Java code has the appropriate permission.

[Figure: inside the JVM, a Java class belongs to a Protection Domain; the Security Manager / Access Controller checks the Java 2 security permissions from the Java 2 policy files before the class reaches the system resource.]
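To make the "code location and signer, not principal" point concrete, the following Python script is an added model of how a Java 2 policy resolves a permission check; it is not the JVM's code. The grants, paths, host and the signer alias "vendorKey" are constructed, and the policy-file matching rules are reduced to the codeBase forms "dir/-" and "dir/*" plus FilePermission and SocketPermission targets.

```python
# Constructed policy modelled on Java 2 policy-file semantics: a grant applies to
# code whose location matches codeBase ("/-" = that directory and below, "/*" =
# files directly in it) and that carries every signer listed in signedBy.
# Permissions are (type, target, actions).
POLICY = [
    {"codeBase": "file:/opt/app/lib/-", "signedBy": set(),
     "permissions": [("FilePermission", "/opt/app/data/*", {"read"})]},
    {"codeBase": "file:/opt/app/lib/-", "signedBy": {"vendorKey"},
     "permissions": [("SocketPermission", "db.example.internal:50000",
                      {"connect", "resolve"})]},
]


def location_matches(pattern, location):
    """Shared by codeBase matching and FilePermission targets."""
    if pattern.endswith("/-"):
        return location.startswith(pattern[:-1])
    if pattern.endswith("/*"):
        directory = pattern[:-1]
        return location.startswith(directory) and "/" not in location[len(directory):]
    return pattern == location


def permission_implies(granted, requested):
    """Does one granted permission cover the requested one (type, target, actions)?"""
    g_type, g_target, g_actions = granted
    r_type, r_target, r_actions = requested
    if g_type != r_type or not r_actions <= g_actions:
        return False
    if g_type == "FilePermission":
        return location_matches(g_target, r_target)
    if g_type == "SocketPermission":
        g_host, g_port = g_target.split(":")
        r_host, r_port = r_target.split(":")
        host_ok = r_host == g_host or (g_host.startswith("*.") and r_host.endswith(g_host[1:]))
        return host_ok and g_port in ("*", r_port)
    return g_target == r_target


def domain_implies(domain, requested):
    """A class's protection domain (code location + signers) holds a permission
    when a grant matching that domain lists a permission implying the request.
    Note what is absent: the user principal plays no part in the decision."""
    for grant in POLICY:
        if (location_matches(grant["codeBase"], domain["codeBase"])
                and grant["signedBy"] <= domain["signers"]):
            if any(permission_implies(p, requested) for p in grant["permissions"]):
                return True
    return False


def check_permission(call_stack, requested):
    """AccessController.checkPermission semantics: every protection domain on the
    call stack must hold the permission, so trusted library code cannot be used
    as a proxy by less-trusted code that called it."""
    return all(domain_implies(d, requested) for d in call_stack)
```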


Agenda

Introduction

z/OS security features overview

Security for z/OS front-end integration

Back-end integration


[Figure: the same scenario with back-end access. The user's browser goes through a reverse proxy server (authentication, LDAP native authentication against RACF) to the HTTP server and WAS on z/OS, where the J2EE application is authorized; the application then accesses back-end systems (CICS/IMS transactions, DB, an authorization server) with the same RACF user ID (RACFID1) carried end to end.]

Same, including back-end system access

This scenario is the same as the previous one, but with back-end system access. Up-front authentication and authorization can be done as explained before. Back-end system access takes place with a valid RACF user ID and, where needed, credentials (based on the requirements of the back-end system).


J2EE Connector Architecture


Conclusion

z/OS RACF allows for high security

LDAP – access can be extended to RACF
– On z/OS, can be accessible by other platforms

z/OS support for cryptography
– Export hardware assist


Thank You (Merci, Grazie, Gracias, Obrigado, Danke)