Transcript of Protect Your IBM Eserver iSeries V5R3 Security Enhancements

Page 1

IBM Confidential until Announcement© Copyright IBM Corp. 2004. All rights reserved.

IBM Eserver iSeries Technical Conference

Kuala Lumpur

ibm.com

International Technical Support Organization

Protect Your IBM Eserver iSeries V5R3 Security Enhancements

Thomas Barlen, Certified Consulting IT Specialist

IBM Germany, [email protected]

EP02

IBM Confidential © 2003/2004 IBM Corporation

ibm.com/redbooks

IBM Confidential until Announcement © Copyright IBM Corp. 2004. All rights reserved.

Notices

This information was developed for products and services offered in the U.S.A.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Page 2

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

Eserver®, ibm.com®, IBM®, iSeries™, Notes®, OS/400®, pSeries®, Redbooks (logo)™, xSeries®, zSeries®

The following terms are trademarks of other companies:

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.


Acknowledgements

This presentation was developed by Thomas Barlen, IBM Germany for the ITSO Forum 2004. The support and help of IBM Rochester development, especially Pat Botz, Tom McBride, Beth Hagemeister, Judy Trousdell as well as Rochester’s User Technologies team is very much appreciated.

Page 3

Agenda

Network security enhancements
- New features and functions to protect iSeries network traffic

i5/OS (OS/400) security enhancements
- V5R3 enhancements in the areas of authentication, authorization, integrity, confidentiality, and auditing

Application security enhancements
- Enhance operating system and application security


Layered implementation of security

To achieve the highest level of protection, security should be implemented in layers.

[Figure: concentric security layers, from the outermost to the innermost]

- Corporate Security: security policies, user education
- Physical Security: locks, access control, UPS, backup comms lines
- Network Security: firewall, VPN gateway, intrusion detection, LAN interface
- System Security: object access, user profile
- Application Security: SSL, exit programs

Each layer should meet the security goals: Authentication, Authorization, Integrity, Confidentiality, Audit/Logging

Page 4

Notes: Layered implementation of security

Simply implementing a firewall is not enough to prevent unwanted access to confidential data on your systems. Implementing security in your e-business environment must begin with your corporate security plan. After you determine what the security plan entails, you must tailor it to secure your environment at all layers identified.

The implementation of security in various layers should always meet one or more of the following common security goals:

• Authentication: Determine that the users are who they claim to be. The most common technique to authenticate is by user ID and password.

• Authorization: Permit a user to access resources and perform actions on them. An example of authorization is the permissions on OS/400 objects.

• Confidentiality: Only authorized users can view the data. For data that is transmitted through a network, there are two ways to achieve this goal:
  – Make sure that only authorized persons can access the network
  – Encrypt the data

• Integrity: Only authorized users can modify the data, and they can only modify it in approved ways. The data is not changed either by accident or maliciously. For data that is transmitted over a network, there are two ways to achieve this goal:
  – Make sure that only authorized persons can access the network (not easy to achieve in public networks such as the Internet)
  – Digitally sign the data


iSeries security

iSeries brand efforts in security certifications
- Common Criteria EAL 3+ certification for SUSE Linux Enterprise Server 8 with Service Pack 3 on IBM Eserver iSeries, pSeries, zSeries, and xSeries platforms
  • First time that the EAL 3+ evaluation level was issued for an open source operating system
  • Issued January 2004
- IBM 4758 PCI Cryptographic Coprocessor
  • World's first product to be certified at National Institute of Standards and Technology (NIST) Federal Information Processing Standards 140-1 Level 4; the 4758-023 feature offered on iSeries is certified at Level 3
- OS/400 is currently being evaluated for EAL 4 certification

Page 5

Notes: iSeries security

The iSeries server and its predecessors have always been a platform where the operating system and features are developed with a focus on security. In the past, OS/400 received several security certifications, such as the C2 level in 1995, 1997, and 1998. With new security certification standards being introduced, all IBM Eserver platforms and their operating systems and hardware components are evaluated against these new standards. For certain industry segments, a security certification is just as important as an ISO 9000 certification.

Some of the achievements and current undertakings are listed on the previous chart:

- SUSE Linux Enterprise Server V8 with Service Pack 3, RC4 with certification-sles-eal3-package, on IBM Eserver iSeries, pSeries, zSeries, and xSeries received Evaluation Assurance Level (EAL) 3 augmented by ALC_FLR.2 (flaw reporting procedures) on 13 January 2004. The certificate was presented to SUSE and IBM at LinuxWorld in New York on 21 January 2004. You can find the certificate report on the Web at: http://www.bsi.bund.de/zertifiz/zert/reporte/0234a.pdf.

- The IBM 4758 PCI Cryptographic Coprocessor that is available on iSeries, pSeries, xSeries, and older zSeries models was the first product in the market that received certification for the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-1 Level 4. The 4758-023 on iSeries is certified for FIPS 140-1 Level 3.

- Currently, OS/400 is being evaluated by the Common Criteria Evaluation and Validation Scheme (CCEVS) for EAL 4 Augmented ALC_FLR.2; Controlled Access Protection Profile.

You can find more information about the Common Criteria for Information Technology Security Evaluation on the Web at: http://csrc.nist.gov/cc/index.html.


Table of contents

Network security enhancements

OS/400 security enhancements

Application security enhancements

Additional information

Page 6

Virtual private networking (VPN)

New identifier types are added to address dynamic environments

My local IP address
- Represents all local IP addresses on an initiator system
- No policy filters need to be created
- Solves the local key server and data endpoint problem on multi-homed systems

IPv4 host name: Can be specified in the following places:
- The remote key server identifier type in an Internet Key Exchange Policy
- The remote address identifier in the connection's properties
- The policy filter definition for a connection group's properties

Security goals addressed: Confidentiality, Integrity

[Figure: a corporate intranet connected over the Internet by VPN tunnels to a business partner intranet, two branch office intranets, and a remote work force]

Initiator: Remote Key Server = IPv4 host name; Local Key Server = My local IP address
Responder: Remote Key Server = IPv4 address; Local Key Server = IPv4 address


Notes: Virtual private networking

Enhancements to the Version 5 Release 3 (V5R3) VPN function include two new identifier types. You select the two new identifier types when you define the VPN key exchange policies and connection data endpoints. The identifier types are My local IP address and IPv4 host name. For additional information, see the online help within iSeries Navigator.

My local IP address: You can select the identifier type My Local IP Address to define the local key server type for an Internet Key Exchange Policy or the local data endpoint in a connection definition. When you select it, VPN uses an available IPv4 address. The selection is done by resolving the IPv4 address from the TCP/IP stack based on the IPv4 address of the remote system to which the VPN connection is going. In a multi-homed situation, it gives the system a way to resolve a specific IPv4 address if the one that the system initially used is no longer available. VPN connections that use this identifier type must not use a policy filter. In addition, the local system must be the initiator of the connection.

IPv4 host name: The identifier IPv4 host name can be selected to define a few different parameters:

- The remote key server identifier type in an Internet Key Exchange Policy

- The remote address identifier in the connection's properties

- The policy filter definition for a connection group's properties

The IPv4 host name resolves to the IP address of the host name specified as the identifier. It is primarily used on the initiator side of the connection. After the host name is resolved into an IP address, the IP address is used during Internet Key Exchange (IKE). This means that you have to define an IKE policy on the responder side that contains an IP address as the remote key server identifier. Otherwise, VPN is not able to look up the proper policy information along with the authentication data (for example, the pre-shared key).
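The following is an added example, not code from the presentation or from the i5/OS VPN implementation. It models the two identifier types described above: "My local IP address" is resolved the way the notes describe, from the TCP/IP stack based on the remote address, which the example approximates as a longest-prefix lookup over a constructed routing table (the actual stack mechanism is assumed, not documented here); "IPv4 host name" is resolved before IKE starts, so the identity that reaches the responder is an IPv4 address, and only a responder policy keyed on that address can match. The routing table, DNS entries, addresses, policies and pre-shared key strings are all constructed for the example.

```python
import ipaddress

# Constructed data (not from the page): a multi-homed initiator's routing table as
# (destination prefix, local interface address), a tiny DNS table, and the
# responder's IKE policies keyed by remote key server identifier.
ROUTES = [
    ("10.1.0.0/16", "10.1.0.5"),         # internal LAN interface
    ("192.168.7.0/24", "192.168.7.20"),  # management interface
    ("0.0.0.0/0", "203.0.113.10"),       # default route towards the Internet
]
DNS = {"vpn-gw.example.com": "198.51.100.9"}
RESPONDER_IKE_POLICIES = [
    # Correct: the remote key server is identified by IPv4 address.
    {"remote_id": ("IPv4 address", "203.0.113.10"), "psk": "constructed-psk-1"},
    # Wrong: a host name identifier on the responder never matches what arrives on the wire.
    {"remote_id": ("IPv4 host name", "initiator.example.com"), "psk": "constructed-psk-2"},
]


def my_local_ip_address(remote_ip: str, routes=ROUTES) -> str:
    """Pick the local address the stack would source traffic from to reach remote_ip.
    Assumed mechanism: longest-prefix match over the routing table, so the answer
    changes automatically when a different interface becomes the way out."""
    remote = ipaddress.ip_address(remote_ip)
    best = None
    for prefix, local in routes:
        net = ipaddress.ip_network(prefix)
        if remote in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, local)
    if best is None:
        raise LookupError(f"no route to {remote_ip}")
    return best[1]


def resolve_ipv4_host_name(name: str, dns=DNS) -> str:
    """Initiator side: the IPv4 host name identifier is resolved before IKE begins."""
    try:
        return dns[name]
    except KeyError:
        raise LookupError(f"cannot resolve {name}") from None


def initiator_ike_identity(remote_key_server_name: str) -> dict:
    """What the initiator actually puts on the wire in IKE: the resolved peer address
    and its own identity, both as IPv4 addresses (the host name never leaves the box)."""
    peer_ip = resolve_ipv4_host_name(remote_key_server_name)
    local_ip = my_local_ip_address(peer_ip)
    return {"peer_ip": peer_ip, "id_type": "IPv4 address", "id": local_ip}


def responder_lookup_policy(wire_id_type: str, wire_id: str, policies=RESPONDER_IKE_POLICIES):
    """Responder side: the policy (and with it the pre-shared key) is found by matching
    the identifier exactly as received. Because the initiator sends an IPv4 address,
    only a policy whose remote key server identifier is an IPv4 address can match."""
    for policy in policies:
        if policy["remote_id"] == (wire_id_type, wire_id):
            return policy
    return None


if __name__ == "__main__":
    ident = initiator_ike_identity("vpn-gw.example.com")
    print("initiator sends:", ident)
    print("responder matched:", responder_lookup_policy(ident["id_type"], ident["id"]))
```

Running it shows the initiator sourcing from the default-route interface (203.0.113.10) and the responder matching the first policy; the second policy, keyed on a host name, is unreachable for any initiator, which is the configuration mistake the notes warn about.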

Page 7

Secure Sockets Layer (SSL)

Default cipher list for Transport Layer Security (TLS) in V5R3 contains two new cipher suites supporting the Advanced Encryption Standard
- TLS_RSA_WITH_AES_128_CBC_SHA
  • Already supported in V5R1, but needed manual configuration
- TLS_RSA_WITH_AES_256_CBC_SHA

The new cipher suite list used for all SSL-enabled applications is (in the preferred order of cipher suites selected during an SSL handshake):
- TLS_RSA_WITH_RC4_128_MD5
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_RSA_EXPORT_WITH_RC4_40_MD5
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

Applications that use the default cipher list now support both new cipher suites without any code change
- You need to change applications that use a configured cipher suite list to use the new cipher suites.

Global Secure ToolKit (GSKit) API version 6B available

Security goals addressed: Confidentiality, Integrity


Notes: Secure Sockets Layer

The System SSL default cipher specification list in V5R3 now includes two Transport Layer Security (TLS) Version 1 Advanced Encryption Standard (AES) ciphers:

- TLS_RSA_WITH_AES_128_CBC_SHA

- TLS_RSA_WITH_AES_256_CBC_SHA

The TLS_RSA_WITH_AES_128_CBC_SHA cipher has been supported by system SSL on the iSeries since the V5R1M0 release. In previous releases, in order for this supported cipher to be used, an application was required to alter code to specifically allow the use of TLS_RSA_WITH_AES_128_CBC_SHA. Applications designed and coded to use the system SSL default cipher specification list rather than their own configured list did not use cipher TLS_RSA_WITH_AES_128_CBC_SHA in these previous releases. In V5R3, those same applications using the system SSL default cipher specification list now support both cipher TLS_RSA_WITH_AES_128_CBC_SHA and cipher TLS_RSA_WITH_AES_256_CBC_SHA with no code change. V5R3 applications that do not use the system SSL default cipher specification list, but instead configure the list, are required to make a code or configuration change to allow the application to support either TLS_RSA_WITH_AES_128_CBC_SHA or TLS_RSA_WITH_AES_256_CBC_SHA. The AES ciphers are valid only with the TLS Version 1 protocol and when the Cryptographic Access Provider (5722-AC3) product is installed.

The new system SSL default cipher specification list for this combination (TLS Version 1 with 5722-AC3 installed) is:

- TLS_RSA_WITH_RC4_128_MD5

- TLS_RSA_WITH_RC4_128_SHA

- TLS_RSA_WITH_AES_128_CBC_SHA

- TLS_RSA_WITH_AES_256_CBC_SHA

- TLS_RSA_WITH_3DES_EDE_CBC_SHA

- TLS_RSA_WITH_DES_CBC_SHA

- TLS_RSA_EXPORT_WITH_RC4_40_MD5

- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

Page 8

Notes: Secure Sockets Layer

The previous system SSL default cipher specification list for this combination was:

- TLS_RSA_WITH_RC4_128_MD5

- TLS_RSA_WITH_RC4_128_SHA

- TLS_RSA_WITH_3DES_EDE_CBC_SHA

- TLS_RSA_WITH_DES_CBC_SHA

- TLS_RSA_EXPORT_WITH_RC4_40_MD5

- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

The order of the ciphers in the list has meaning when the iSeries acts as the server side of the SSL handshake. The server prefers to negotiate the highest listed cipher in its list that is also supported in the peer's client hello. When the iSeries is the client side of the SSL handshake, this default list is sent in the client hello and the peer server determines the cipher used for the negotiation based on the cipher specification list it is using. The AES ciphers are not positioned first in the system SSL default cipher specification list. To guarantee that only an AES cipher is negotiated, you should code or configure a cipher specification list in the application that contains only the AES ciphers. To increase the likelihood that an AES cipher is negotiated for a server side application, without removing support for the other ciphers, configure a cipher specification list that positions the AES ciphers at the top of the list.

The Global Secure ToolKit (GSKit) is a set of programmable interfaces that allow an application to be SSL enabled. It is part of OS/400 V5R3. Just like the SSL_ APIs, the GSKit APIs allow you to access SSL and TLS functions from your socket application program (they are easier to program in than the previous SSL_ APIs). In the previous release, they were based on the GSKit 4D version; starting with V5R3, they are based on the GSKit 6B version. A description of these APIs can be found in the V5R3 Information Center in the Socket Programming topic under Programming -> Communications.
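The following is an added example, not code from the presentation or from IBM System SSL, covering both the slide and the notes above. The two cipher lists are copied from the page; the server-side negotiation rule implements the behaviour the notes describe (highest-listed suite in the server's own list that the client also offered), and the AES availability rule follows the note that the AES suites are valid only with TLS Version 1 and with 5722-AC3 installed. The client hello is constructed. The `drop_export_and_des` helper is a practitioner hardening step that the page does not itself suggest: the 40-bit export suites and single DES in the default list are weak and a server should not offer them.

```python
# Cipher suite lists copied from the page (V5R3 default, and the pre-V5R3 default).
V5R3_DEFAULT_CIPHER_LIST = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]
AES_SUITES = ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA")
PRE_V5R3_DEFAULT_CIPHER_LIST = [c for c in V5R3_DEFAULT_CIPHER_LIST if c not in AES_SUITES]


def effective_list(cipher_list, protocol="TLSv1", ac3_installed=True):
    """The AES suites are only usable with TLS Version 1 and with the Cryptographic
    Access Provider (5722-AC3) installed; under any other combination they drop out."""
    if protocol == "TLSv1" and ac3_installed:
        return list(cipher_list)
    return [c for c in cipher_list if c not in AES_SUITES]


def aes_first(cipher_list):
    """Server-side reordering from the notes: keep every suite but move the AES
    suites to the top so they win whenever the client offers them."""
    aes = [c for c in cipher_list if c in AES_SUITES]
    rest = [c for c in cipher_list if c not in AES_SUITES]
    return aes + rest


def aes_only(cipher_list):
    """Configured list from the notes that guarantees only AES is ever negotiated."""
    return [c for c in cipher_list if c in AES_SUITES]


def drop_export_and_des(cipher_list):
    """Hardening step not on the page: remove the 40-bit export suites and single DES."""
    return [c for c in cipher_list
            if "EXPORT" not in c and c != "TLS_RSA_WITH_DES_CBC_SHA"]


def server_negotiate(server_list, client_hello):
    """Rule from the notes for the server side: take the highest-listed suite in the
    server's own list that also appears in the client hello. No overlap means the
    handshake fails, returned here as None."""
    offered = set(client_hello)
    for suite in server_list:
        if suite in offered:
            return suite
    return None


# Constructed client hello: a client offering AES-128, 3DES and RC4/SHA (no AES-256).
CLIENT_HELLO = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    default = V5R3_DEFAULT_CIPHER_LIST
    print("default list      ->", server_negotiate(default, CLIENT_HELLO))
    print("AES first         ->", server_negotiate(aes_first(default), CLIENT_HELLO))
    print("AES only          ->", server_negotiate(aes_only(default), CLIENT_HELLO))
    print("AES only on SSLv3 ->", server_negotiate(effective_list(aes_only(default), "SSLv3"), CLIENT_HELLO))
```

The last line is the check a practitioner wants before shipping an AES-only list: if the application can still fall back to SSL Version 3, or runs on a system without 5722-AC3, the effective list is empty and every handshake fails rather than silently downgrading.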


Universal Connection Wizard

Enhanced Universal Connection environment
- Now requires you to have installed DCM (5722-SS1 option 34) and the Cryptographic Access Provider (5722-AC3).
- All connectivity options are now protected by a VPN.
- iSeries servers or partitions can now access eCare services through another server's modem or Internet connectivity.

Filters to open in a firewall
- Allow UDP inbound or outbound for port 500 for the VPN gateway address (IKE)
- Allow UDP inbound or outbound for port 4500 for the VPN gateway address (IKE NAT traversal)
- Allow ESP protocol (Protocol 50) for the VPN gateway IP address
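The following is an added example, not IBM's code or a firewall product's configuration. It evaluates the three filter rules from the slide against constructed packets, to show the two details that are easy to get wrong: each rule is restricted to the VPN gateway address in both directions, and ESP is an IP protocol (50) with no port numbers, so it cannot be expressed as a port rule. The addresses are assumptions for the example (192.0.2.10 for the iSeries, 198.51.100.1 for IBM's VPN gateway; use the gateway address IBM documents for your connection).

```python
# Assumed addresses for the example (not from the page).
ISERIES = "192.0.2.10"
VPN_GATEWAY = "198.51.100.1"


def universal_connection_rules(gateway=VPN_GATEWAY):
    """The three rules from the slide: IKE (UDP 500), IKE/ESP NAT traversal (UDP 4500)
    and ESP (IP protocol 50, no ports), each restricted to the VPN gateway address."""
    return [
        {"proto": "udp", "port": 500, "peer": gateway},
        {"proto": "udp", "port": 4500, "peer": gateway},
        {"proto": "esp", "port": None, "peer": gateway},
    ]


def permitted(pkt, rules):
    """True if some rule matches in either direction: the protocol must match and one
    end of the packet must be the VPN gateway. For UDP the rule port must be the source
    or destination port (IKE runs 500->500, NAT-T 4500->4500); ESP has no ports."""
    for rule in rules:
        if pkt["proto"] != rule["proto"]:
            continue
        if rule["peer"] not in (pkt["src"], pkt["dst"]):
            continue
        if rule["port"] is None or rule["port"] in (pkt.get("sport"), pkt.get("dport")):
            return True
    return False


# Constructed traffic: what the Universal Connection needs, plus two packets the same
# rules must still block (HTTPS to the gateway, and IKE to some other host).
PACKETS = {
    "ike_out":   {"proto": "udp", "src": ISERIES, "dst": VPN_GATEWAY, "sport": 500, "dport": 500},
    "ike_in":    {"proto": "udp", "src": VPN_GATEWAY, "dst": ISERIES, "sport": 500, "dport": 500},
    "natt_out":  {"proto": "udp", "src": ISERIES, "dst": VPN_GATEWAY, "sport": 4500, "dport": 4500},
    "esp_in":    {"proto": "esp", "src": VPN_GATEWAY, "dst": ISERIES},
    "https_out": {"proto": "tcp", "src": ISERIES, "dst": VPN_GATEWAY, "sport": 40001, "dport": 443},
    "ike_other": {"proto": "udp", "src": ISERIES, "dst": "203.0.113.7", "sport": 500, "dport": 500},
}


def evaluate(packets=PACKETS, rules=None):
    """Apply the rule set to every constructed packet; returns name -> permitted."""
    rules = universal_connection_rules() if rules is None else rules
    return {name: permitted(pkt, rules) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:10s} {'permit' if ok else 'deny'}")
```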

Page 9

Notes: Universal Connection Wizard

If you previously configured OS/400 service functions to use the AT&T or Multihop connectivity options of the IBM Universal Connection, in V5R3 you need i5/OS option 34 (Digital Certificate Manager) and the Cryptographic Access Provider product (5722-AC3) installed to continue to use those service functions. In previous releases, these were only required when the IBM Universal Connection configuration options established a direct VPN through a customer-provided Internet Service Provider (ISP). Starting with V5R3, all connectivity options are protected by a VPN.

In V5R3, it is now possible for an iSeries server or partition to access IBM electronic customer support services through another server's modem or Internet connectivity.


New Linux-based firewall

StoneGate Security Solution (planned availability 2Q/04)

[Figure: StoneGate product placement across IBM platforms]
- FW, VPN & IPS software on Intel-based hardware (IBM xSeries), IP-based licensing
- FW & VPN software on IBM zSeries mainframe
- FW & VPN software on IBM iSeries servers
- FW, VPN & IPS appliances with throughput-based licensing

Page 10

Notes: New Linux-based firewall

StoneGate's new iSeries support helps customers consolidate servers while reducing IT complexity and cost. Server consolidation provides organizations with the ability to run virtual networks and multiple servers located inside one physical machine – enabling a significant return on investment – as well as easing the day-to-day management of their network environment. StoneGate Firewall and VPN provides a consolidated iSeries server with the necessary granular security and VPN termination next to the applications between the virtual networks.


StoneGate Firewall & VPN for iSeries

When:
- New workloads, new technologies
- New iSeries installations
- Legacy firewall replacement

What:
- Linux powered, advanced security inside iSeries
- Secure server consolidation
- Secure network virtualization

Benefits:
- Best security and availability over the Internet
- Next-to-application firewall and VPN security
- Easier to manage and maintain
- Infrastructure simplification

Page 11

Notes: New Linux-based firewall

Need for Cost Efficiency
Server consolidation, having multiple servers with virtual networks inside one physical machine, creates significant savings for the customer. In regular server environments, companies have to maintain and support multiple types of hardware, software, and networking components, which costs not only money but also time and effort. Furthermore, having to make sure different components are compatible with different pieces of hardware can become a severe problem for any IT department. With the iSeries server consolidation approach there is only one physical machine, so the user has only one machine to maintain and support. Moreover, compatibility issues are reduced to a minimum.

Need for Security
A perimeter firewall protecting a machine that can house up to 16 networks inside cannot provide granular and detailed security for the consolidated network. An external firewall can only control access from external networks to the iSeries server's network segment. In the same way that the regular internal networks of an organization need internal firewalls for server segments, the internal virtual networks of an iSeries server need a firewall inside to keep them secure. This raises the need for network and data security for the consolidated data.

Need for Protected Connectivity to Business Critical Applications
Terminating the VPN close to the applications is a requirement written into many corporate security policies. The closer the encryption is done to the application, the less chance there is that someone can tap into the decrypted information. Many companies today require encryption to be done next to the application in order to prevent leakage of confidential data and in order not to risk the security of the communication. StoneGate runs inside the iSeries server, bringing the VPN termination as close to the application as possible and providing a better security level than an external firewall.


Notes: New Linux-based firewall

Need for Reliability: iSeries customers are used to very robust and reliable hardware, and they expect the same from the applications they install on their iSeries servers. StoneGate High Availability Firewall and VPN is a mature product with a proven, high-quality track record on other IBM platforms. iSeries customers will experience the same StoneGate reliability that they are used to from the iSeries servers.

Need for Performance: Because the server can share processors and memory, the iSeries administrator has the flexibility to move resources to the partitions that need them most. This benefits a firewall running inside the iSeries server, since it can scale with the environment. The StoneGate firewall is positioned to meet the demands of growing network environments with good performance and throughput.

Need for Manageability: With an existing internal firewall solution, managing multiple systems can be a challenge. Every location must be configured and maintained separately, which increases the risk of configuration mistakes and thereby endangers the security of the system. Solutions without centralized management also need more administrator resources. StoneGate for iSeries servers is well suited to a distributed environment: with centralized management even upgrades can be done remotely, and configuration changes are rolled out simultaneously across your networks, which improves security further.


New Linux-based firewall

Provides:
- Multi-Layer Inspection
  • packet filtering
  • stateful inspection
  • application layer inspection
- Standards compliant VPN
  • IPSec compliant
- Multi-Link Technology
- Manageability
- Application layer security with Protocol Agents
- Remote upgradeable
- Operating system hardened for firewall and VPN use
  • includes only the modules needed by StoneGate; e.g. sshd is included in the standard installation, telnetd is not
  • read-only filesystem (romfs)


Notes: IBM Universal Connection

If you previously configured OS/400 service functions to use the AT&T or Multihop connectivity options of the IBM Universal Connection, in V5R3 you need i5/OS option 34 (Digital Certificate Manager) and the Cryptographic Access Provider product (5722-AC3) installed to continue to use those service functions. In previous releases these were only required when the IBM Universal Connection configuration established a direct VPN through a customer-provided Internet Service Provider (ISP). Starting with V5R3, all connectivity options are protected by a VPN. In V5R3 it is also possible for an iSeries server or partition to access IBM electronic customer support services through another server's modem or Internet connection.


Table of contents

Network security enhancements

OS/400 security enhancements

Application security enhancements

Additional information


Digital Certificate Manager (DCM): Expiration Check

Function added to DCM to check for certificates that are about to expire
- New option under Manage Certificates
- Expiration check also available from Fast Path


Digital Certificate Manager: Expiration check

- Select the type of certificate
- Specify the range of days in which to check certificate expiration


Digital Certificate Manager: Expiration check

Initiate renewal before actual expiration

Page 15: Protect Your IBM Eserver iSeries V5R3 Security …€¦ · materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own

15


Notes: Digital Certificate Manager - Expiration check

A new function is added to DCM that allows you to quickly and easily view and manage certificates based on certificate expiration date. You can check certificate expiration for server or client certificates and object signing certificates on the local system. You can also check user certificate expiration. You can do this for a specific user profile, for all user certificates on the system, or for all user certificates in an enterprise when you configure Enterprise Identity Mapping (EIM) on the system.


DCM: LDAP location

With V5R3, an administrator can choose where to store user certificates.
- Prior to V5R3, user certificates that were created or associated via DCM were always stored with the OS/400 user profile that signed on to DCM.
- A new Lightweight Directory Access Protocol (LDAP) location option is available in DCM. When defined, user certificates are stored in an LDAP directory.
- You must configure EIM and associate a target for the user that signed on to DCM.
- DCM can add the certificate to the LDAP directory and create the EIM association.

Setup flow: Configure EIM -> Set up X.509 registry -> Add X.509 registry to EIM properties -> Set up EIM identifier and add target associations -> Set up LDAP location and create user certificates


DCM: LDAP location (screenshots: Configure EIM; Set up X.509 registry; Add X.509 registry to EIM properties)


DCM: LDAP location (screenshots: Set up EIM identifier and add target associations; Set up LDAP location and create user certificates)


DCM: LDAP location (screenshot: EIM identifier with its target association and user certificate)


Notes: DCM: LDAP location

By default, DCM stores the user certificates that the local Certificate Authority (CA) issues with OS/400 user profiles. However, if you want to use EIM to manage user certificates as a type of user identity in the enterprise, DCM must store the user certificates in an LDAP directory. To do so, you must define an LDAP location for DCM. Note that DCM cannot store certificates in the LDAP location you define unless the system is configured to participate in EIM.

The following steps summarize the tasks that you need to perform to store user certificates in an LDAP directory:

1. Use the Enterprise Identity Mapping wizard to set up EIM.

2. Within iSeries Navigator EIM domain management, create a new X.509 system registry. Note that after the registry is created, there is still no relationship between the new registry and OS/400.

3. Register the new X.509 registry with the EIM domain. Under Enterprise Identity Mapping, right-click Configuration and then specify the X.509 registry name in the EIM configuration properties.

4. For all users who want to create new, or associate existing, user certificates via DCM, add an EIM identifier and a target association for the user profile on the iSeries server.

5. Set up and enable the LDAP location in DCM.

6. Have the users sign on to DCM and create or associate user certificates. The certificates are stored in the LDAP directory specified in the LDAP location. When creating the user certificate, DCM looks up the EIM identifier for the user profile that signed on to DCM. It then creates in the LDAP directory an entry with a common name of the EIM identifier and stores the certificate in the usercertificate attribute. In addition, a source association for the certificate is created for the EIM identifier.

Applications can then use the EIM certificate to user profile mapping for authentication purposes. For example, when using the File Transfer Protocol (FTP) server with certificate-based client authentication, the FTP server looks up the target user profile based on the presented user certificate.
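The two-hop lookup described in steps 4 to 6 and in the FTP example above, as an added example that models it in Python (this is not IBM's DCM or EIM code). The EIM identifier, X.509 registry, target and source associations and the usercertificate attribute are the concepts from the notes; the EimDomain record, the sample registry names, profiles and certificate byte strings are constructed here, and keying the X.509 registry by the SHA-1 fingerprint of the DER certificate is an assumption standing in for DCM's own certificate key. The interesting cases are a certificate that was never associated and a user who has a target association on one system but not on another: both return no profile, so sign-on is refused.

```python
"""Model of the EIM lookup that turns a presented X.509 user certificate into an
OS/400 user profile, following the DCM LDAP-location steps above.  Added example,
not IBM code: the EIM domain, the LDAP directory and the certificates are all
constructed stand-ins.  Assumption: the X.509 registry identifies a certificate
by the SHA-1 fingerprint of its DER encoding (DCM derives its own key)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EimDomain:
    # target associations: identifier -> {registry: user name in that registry}
    targets: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # source associations: (registry, user-in-registry) -> identifier
    sources: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # LDAP stand-in: cn=<identifier> -> values of the usercertificate attribute
    ldap: Dict[str, List[bytes]] = field(default_factory=dict)


def cert_key(der: bytes) -> str:
    """User name of a certificate in the X.509 registry (assumption: SHA-1 fingerprint)."""
    return hashlib.sha1(der).hexdigest()


def add_target_association(dom: EimDomain, identifier: str, registry: str, user: str) -> None:
    dom.targets.setdefault(identifier, {})[registry] = user


def store_user_certificate(dom: EimDomain, x509_registry: str, local_registry: str,
                           signed_on_profile: str, der: bytes) -> str:
    """Step 6: DCM finds the EIM identifier whose target association names the
    profile that signed on, stores the certificate under cn=<identifier> and adds
    a source association for the certificate.  Fails when step 4 was skipped."""
    for identifier, regs in dom.targets.items():
        if regs.get(local_registry) == signed_on_profile:
            dom.ldap.setdefault(identifier, []).append(der)
            dom.sources[(x509_registry, cert_key(der))] = identifier
            return identifier
    raise LookupError(f"no EIM target association for {signed_on_profile} in {local_registry}")


def map_certificate_to_profile(dom: EimDomain, x509_registry: str, local_registry: str,
                               der: bytes) -> Optional[str]:
    """What an application such as the FTP server does for certificate-based client
    authentication: certificate -> identifier (source association) -> profile in
    this system's OS/400 registry (target association).  None means no mapping."""
    identifier = dom.sources.get((x509_registry, cert_key(der)))
    if identifier is None:
        return None
    return dom.targets.get(identifier, {}).get(local_registry)


# Constructed sample data: two systems sharing one EIM domain, two users.
X509_REG, SYSA_REG, SYSB_REG = "X509-REG", "SYSA.OS400", "SYSB.OS400"
CERT_ALICE = b"constructed DER stand-in for Alice's certificate"
CERT_BOB = b"constructed DER stand-in for Bob's certificate"
CERT_STRANGER = b"constructed DER stand-in for a certificate never associated"


def build_demo_domain() -> EimDomain:
    dom = EimDomain()
    add_target_association(dom, "Alice Example", SYSA_REG, "ALICE")
    add_target_association(dom, "Alice Example", SYSB_REG, "AEXAMPLE")  # different profile on SYSB
    add_target_association(dom, "Bob Example", SYSA_REG, "BOB")          # Bob has no profile on SYSB
    # Users sign on to DCM on SYSA and create their certificates.
    store_user_certificate(dom, X509_REG, SYSA_REG, "ALICE", CERT_ALICE)
    store_user_certificate(dom, X509_REG, SYSA_REG, "BOB", CERT_BOB)
    return dom


if __name__ == "__main__":
    dom = build_demo_domain()
    for system in (SYSA_REG, SYSB_REG):
        for who, der in (("Alice", CERT_ALICE), ("Bob", CERT_BOB), ("stranger", CERT_STRANGER)):
            print(f"{system}: {who} -> {map_certificate_to_profile(dom, X509_REG, system, der)}")
```

Because the certificate is stored under the EIM identifier rather than under a profile, the same certificate maps to ALICE on SYSA and to AEXAMPLE on SYSB without any per-system certificate administration; the mapping is only as trustworthy as the target associations, so who may add them deserves the same care as who may change user profiles.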


DCM: Creating user certificates

- New selection list for the cryptographic service provider available when creating user certificates
- Only available in Internet Explorer browsers
- Allows you to select the private and public key pair strength
- Can use SmartCards and other software providers
- The list depends on the cryptographic service providers installed in Windows


Notes: DCM – Creating user certificates

V5R3 includes a new option list that allows a user to select a cryptographic service provider (CSP) when creating a user certificate. A cryptographic service provider specifies the encryption and hashing algorithms, as well as the supported key lengths, that are available for cryptographic operations. When creating a user certificate, the service provider determines the key length of the public and private key pair that is generated for the certificate signing request (CSR). The list of cryptographic service providers is available only in Internet Explorer browsers, and the items in the list depend on the cryptographic service providers installed in Windows.

Examples of commonly found cryptographic service providers are:

- The Microsoft Base Cryptographic Provider, which supports the following algorithms and key lengths:

  Name              Purpose                     Hash or key size
  RSA signature     Public key signature        384 - 16384 bits, default 512 bits
  RSA key exchange  Public key exchange         384 - 512 bits, default 512 bits
  RC2               Symmetric encryption        40 bits
  RC4               Symmetric encryption        40 bits
  DES               Symmetric encryption        56 bits (DES always uses a 56-bit key)
  SSL_SHAMD5        SSL client authentication   Not applicable
  HMAC              Message authentication      Depends on the hash algorithm used (MDx/SHA)
  MAC               Message authentication      Depends on the hash algorithm used (MDx/SHA)
  SHA / SHA1        Hash                        160 bits
  MD5               Hash                        128 bits
  MD2               Hash                        128 bits


Notes: DCM – Creating user certificates (cont'd)

- The Microsoft Enhanced Cryptographic Provider, which supports the following algorithms and key lengths:

  Name              Purpose                     Hash or key size
  RSA signature     Public key signature        384 - 16384 bits, default 1024 bits
  RSA key exchange  Public key exchange         384 - 16384 bits, default 1024 bits
  RC2               Symmetric encryption        128 bits
  RC4               Symmetric encryption        128 bits
  DES               Symmetric encryption        56 bits
  3DES 112          Symmetric encryption        112 bits
  3DES              Symmetric encryption        168 bits
  SSL_SHAMD5        SSL client authentication   Not applicable
  HMAC              Message authentication      Depends on the hash algorithm used (MDx/SHA)
  MAC               Message authentication      Depends on the hash algorithm used (MDx/SHA)
  SHA / SHA1        Hash                        160 bits
  MD5               Hash                        128 bits
  MD2               Hash                        128 bits

Always select the strongest provider that is available. The longer the RSA key, the better the protection; however, RSA key lengths longer than 2048 bits are rarely supported.


Antivirus scanning (Integrity)

- Infrastructure support added for enhanced virus scanning of the Integrated File System (IFS)
- Allows third-party vendors to develop antivirus scanning software that plugs into i5/OS (OS/400)
- The scanning support can also be used for any other purpose when an object is opened or closed

Viruses cause significant damage to businesses every year.

Figure: PC viruses (for example W32/Cidu-A, W32/BabyBearA, Phantom 1) spread through the IFS via NetServer, FTP and NFS.


Antivirus scanning (Integrity)

OS/400 keeps track of all changes and only calls the scanning software when files or virus definition files change.
- When independent auxiliary storage pools (IASPs) are used and virus definitions are kept in sync between systems, moving an IASP does not cause a rescan.
- Scanning behavior can be controlled via IFS object attributes and system values.
- Only objects in *TYPE2 directories of the root (/), QOpenSys and user-defined file systems are scanned.
- When several open instances exist on an object, scanning is only performed when the close request for the last descriptor is received.
- No scanning occurs when objects are opened for write.


Antivirus scanning (Integrity)

Virus scanning products can register to the following exit points:
- QIBM_QP0L_SCAN_OPEN: Integrated File System Scan on Open Exit Program
- QIBM_QP0L_SCAN_CLOSE: Integrated File System Scan on Close Exit Program

System-wide behavior is controlled via two new system values: QSCANFS and QSCANFSCTL.


Antivirus scanning (Integrity)

Which files are scanned can be further controlled via IFS object attributes. The following two new attributes were added and can be set via the Change Attribute (CHGATR) command:
- *CRTOBJSCAN: Specifies whether to scan objects created in a directory
- *SCAN: Specifies whether to scan a specific object

Example: CHGATR OBJ('/home/quser/envar') ATR(*SCAN) VALUE(*NO)

(Screenshot: File properties)


Notes: Antivirus scanning

With PC workstations storing PC data on the iSeries, there is the danger of viruses being stored on and distributed by the iSeries server. Even though PC viruses cannot harm OS/400 and its objects, viruses can spread into the network via services such as NetServer, the Network File System (NFS) or FTP. With V5R3, support was added to OS/400 that allows a third-party vendor to write virus scanning software and plug it into OS/400. For virus scanning to work, the product registers itself at the new exit points QIBM_QP0L_SCAN_OPEN and QIBM_QP0L_SCAN_CLOSE.

To limit the performance impact of virus scanning, OS/400 keeps track of scanning activity and file changes. Only when a file changes or the virus definition file is updated does OS/400 call the exit program (the scanning software) to scan the file, which avoids the repeated full rescans typical of Windows-based scanning. Even in an IASP environment, where disk subsystems can be moved between systems, scan status is maintained across system boundaries so that no rescan is needed; this requires that the virus definition files are kept in sync on the systems.

The new system value QSCANFS controls whether virus scanning is performed at all. You can set it to scan the root (/), QOpenSys and user-defined file systems, or to perform no scanning. The second new system value, QSCANFSCTL, controls scanning behavior and properties. Valid QSCANFSCTL values include:

- Default (*NONE specified): The system uses the following scanning options when calling the registered exit programs:
  • Perform write access upgrades
  • Fail close request if scan fails during close
  • Scan on next access after object has been restored

- Scan accesses through file servers only (*FSVRONLY specified): Only accesses from a file server to the iSeries server are scanned. Accesses through the Network File System (NFS) are scanned, as are other file server methods; native or direct accesses to the iSeries server are not. If this option is not selected, all accesses are scanned, whether you connect directly to the iSeries or through a file server.

  Note: do not scan the IFS from a PC through iSeries NetServer. Mapping a drive with all object authority exposes the system to attack by a PC virus, and such scans:
  • use up network resources
  • move data across the network in the clear
  • can send the scanner into an infinite loop

- Fail request if exit program fails (*ERRFAIL specified): Fail the request or operation that triggered the call to the exit program if errors occur when the exit program is called. Possible errors are that the program is not found or is not coded to handle the exit program request correctly. In that case the requested operation receives an indication that the object failed a scan. If this option is not selected, the system skips the failing exit program and treats the object as if it had not been scanned by that exit program.


Notes: Antivirus scanning (cont'd)

QSCANFSCTL parameter (continued):

- Perform write access upgrades (*NOWRTUPG not specified): Allows the system to upgrade the access for the scan descriptor passed to the exit program to include write access, if possible. Use this option if you want the exit program to be able to fix or modify objects even though they were originally opened read-only. If *NOWRTUPG is specified, the system does not upgrade the access to include write access.

- Use “only when objects have changed” attribute to control scan (*USEOCOATR specified): By selecting this option, the system will use the specification of the 'object change only' attribute to only scan the object if it has been modified (not also because scan software has indicated an update). If this is not specified, this 'object change only' attribute will not be used, and the object will be scanned after it is modified and when scan software indicates an update.

- Fail close request if scan fails during close (*NOFAILCLO not specified): When this option is selected (*NOFAILCLO not specified), the system will fail the close request if an object failed a scan during close processing. This option only applies to close requests.

If this option is not selected (*NOFAILCLO specified), the system will not fail the close request if an object failed a scan even if the “Fail request if exit program fails option” is selected. For example, if the Fail request if exit program fails option is selected and this option is not selected, the system will not send a failure indication even though an object failed a scan during close processing. However, the object will be marked as failing a scan.

- Scan on next access after object has been restored (*NOPOSTRST not specified): By selecting this option (*NOPOSTRST not specified), objects will be scanned at least once after being restored no matter what its object scan attribute is. If the object scan attribute is that 'the object will not be scanned,' the object will be scanned once after being restored. If the object scan attribute is that 'the object will only be scanned if it has been modified since the last time it was scanned,' the object will be scanned after being restored because the restore will be treated as a modification to the object.

If this option is not selected (*NOPOSTRST specified), objects are not scanned just because they were restored; scanning depends on the object's scanning attribute. In general, it is good practice to scan restored objects at least once. You might choose to skip the post-restore scan only if you know that the objects being restored were scanned before they were saved or came from a trusted source.


Notes: Antivirus scanning (cont'd)

The following IFS object attributes control, on a per-object basis, whether individual objects are scanned at all and under which circumstances:

- *CRTOBJSCAN: Specifies whether objects created in a directory are scanned when exit programs are registered with any of the integrated file system scan-related exit points. This attribute can only be specified for directories in the root (/), QOpenSys and user-defined file systems. Even though it can be set for *TYPE1 and *TYPE2 directories, only objects in *TYPE2 directories are actually scanned, regardless of the value of this attribute.

- *SCAN: Specifies whether the object is scanned when exit programs are registered with any of the integrated file system scan-related exit points.

There are several circumstances when scanning is not performed. For a complete description of the new scanning support, visit the Information Center.
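The scan rules spread over the preceding notes (QSCANFS, the QSCANFSCTL options, the *SCAN attribute, restore handling, last-descriptor close, and how a failed scan or a broken exit program affects the request) interact in ways that are easy to get wrong when reviewing a configuration. The following added example is a decision model of those documented rules in Python; it is not IBM's implementation and not code from this presentation. QSCANFS taking *NONE or *ROOTOPNUD is the real system value; the Obj record, its field names and the sample objects are constructed here. Where the page says "no scanning occurs when objects are opened for write", the model skips the scan on an open-for-write request and leaves the scan to the object's last close; that reading is an assumption.

```python
"""Decision model of the V5R3 integrated file system scan rules in these notes.
Added example, not IBM code: it restates the documented rules so they can be
exercised, it is not the OS/400 implementation.  QSCANFS takes *NONE or
*ROOTOPNUD; the Obj record and the sample objects are constructed here."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

SCANNED_FILE_SYSTEMS = {"root", "QOpenSys", "UDFS"}
DEFAULT_QSCANFSCTL: FrozenSet[str] = frozenset()   # *NONE: write upgrade, fail close, scan after restore


@dataclass
class Obj:
    file_system: str            # "root", "QOpenSys", "UDFS" or another file system
    dir_type: str               # type of the containing directory: "*TYPE1" or "*TYPE2"
    scan_attr: str              # *SCAN attribute: "*YES", "*NO" or "*CHGONLY"
    modified_since_scan: bool   # OS/400 change tracking since the last scan
    defs_updated: bool          # scan software signalled a definition update since the last scan
    restored_since_scan: bool   # object restored since it was last scanned


def scan_required(obj: Obj, qscanfs: str, qscanfsctl: FrozenSet[str], via_file_server: bool,
                  event: str, open_for_write: bool = False, last_close: bool = True) -> bool:
    """True if OS/400 would call the registered scan-on-open / scan-on-close exit program."""
    if qscanfs == "*NONE":
        return False
    if obj.file_system not in SCANNED_FILE_SYSTEMS or obj.dir_type != "*TYPE2":
        return False                       # only *TYPE2 directories in root, QOpenSys, UDFS
    if "*FSVRONLY" in qscanfsctl and not via_file_server:
        return False                       # native / direct accesses are not scanned
    if event == "open" and open_for_write:
        return False                       # assumption: open-for-write is scanned at its last close
    if event == "close" and not last_close:
        return False                       # only the close of the last descriptor scans
    if obj.restored_since_scan and "*NOPOSTRST" not in qscanfsctl:
        return True                        # restored objects are scanned at least once, whatever *SCAN says
    if obj.scan_attr == "*NO":
        return False
    if obj.scan_attr == "*CHGONLY" and "*USEOCOATR" in qscanfsctl:
        return obj.modified_since_scan     # honour 'object change only': ignore definition updates
    # *YES, or *CHGONLY without *USEOCOATR: scan after a change or a definition update
    return obj.modified_since_scan or obj.defs_updated


def request_outcome(event: str, scan_result: str, qscanfsctl: FrozenSet[str]) -> Tuple[bool, bool]:
    """scan_result is 'clean', 'infected' (scan failed) or 'error' (exit program
    missing or broken).  Returns (request_fails, object_marked_failed)."""
    if scan_result == "clean":
        return (False, False)
    if scan_result == "error" and "*ERRFAIL" not in qscanfsctl:
        return (False, False)              # skip the failing exit program, treat object as not scanned
    # infected, or an exit program error with *ERRFAIL: the operation sees a failed scan
    if event == "close" and "*NOFAILCLO" in qscanfsctl:
        return (False, True)               # close succeeds but the object is marked as failing a scan
    return (True, True)                    # open is refused / close fails, object is marked


if __name__ == "__main__":
    changed = Obj("root", "*TYPE2", "*YES", True, False, False)
    print("changed file, direct open, default controls:",
          scan_required(changed, "*ROOTOPNUD", DEFAULT_QSCANFSCTL, False, "open"))
    print("same file with *FSVRONLY:",
          scan_required(changed, "*ROOTOPNUD", frozenset({"*FSVRONLY"}), False, "open"))
    print("infected on close with *NOFAILCLO:",
          request_outcome("close", "infected", frozenset({"*NOFAILCLO"})))
```

Two results worth noting when reviewing a system: with *FSVRONLY set, a file written by a native job (a batch FTP put processed by a local program, for example) is never scanned, and with *NOFAILCLO the infected file is written successfully and only the scan status flag records the failure, so CHKOBJITG SCANFS(*STATUS) becomes the place to look.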


Antivirus scanning (Integrity)

A vendor product for virus scanning has been available since V5R1; it does not leverage any of the new V5R3 support:
- StandGuard AntiVirus from Bytware runs on OS/400 V5R1 and higher
- Powered by the McAfee iSeries native scanning engine
- Automatic download of virus definitions direct from McAfee
- Scans the IFS for viruses and e-mail processed via the mail server framework
  • Real-time mail scanning
  • Scheduled full scan of the IFS
- Seamlessly integrates with the iSeries look and feel
  • 5250 commands and menus for configuration
  • iSeries Navigator plug-in to set up the product

The new V5R3 version takes advantage of the new OS/400 V5R3 scan exit points:
- Provides "on-access" scanning (open, change, save)
- Uses the QIBM_QP0L_SCAN_OPEN and QIBM_QP0L_SCAN_CLOSE exit points
- Called by OS/400 only "as needed" (on demand)
- Updates the file's scan status flag to indicate whether the file is clean or infected
- OS/400 prevents infected files from being opened

NEW: StandGuard AntiVirus is shipped with every i5/OS. Use it on a try-and-buy basis; get full activation from Bytware.


Notes: Antivirus scanning

As mentioned previously, the antivirus scanning capabilities in V5R3 require a third-party vendor product. Currently no such product is available. There is, however, a native OS/400 virus scanning product from Bytware Inc. The product, StandGuard AntiVirus, runs natively in OS/400 and provides scanning services for the IFS. IFS scanning can be scheduled and scans the entire IFS. It can also be configured to plug into the OS/400 mail server framework to scan e-mail for viruses. For more information about the StandGuard AntiVirus product, refer to the Bytware Web site at http://www.bytware.com

StandGuard Anti-Virus for iSeries has been available since V5R1 and, in V5R3 as before, can be scheduled to run automatically using the OS/400 job scheduler, the Advanced Job Scheduler (5722-JS1), or any other third-party job scheduling product. A new version will be made available for V5R3 that contains the following enhancements:

- Uses the same virus definitions as the McAfee PC versions, so there is no lag time for OS/400 support when the product is enhanced.

- Can also be configured to get the definition files from a network path, in case the customer already has McAfee .DAT files somewhere on the network.

- Can be called by the OS/400 exit points (listed on the slide) when a file is opened and closed, as specified via the V5R3 system values and the iSeries Navigator file interfaces.

- In addition to being scheduled via the OS/400 job scheduler, the scan can be performed when an IFS file is opened or changed ("on access").

- Files can optionally be scanned as they are saved. Which accesses trigger a scan follows the V5R3 system values: for example, if QSCANFSCTL includes *FSVRONLY, only files accessed through the OS/400 file servers invoke the exit program.

StandGuard Anti-Virus for V5R3 will be available for OS/400 V5R3 upon IBM's announcement of general availability. Customers with V5R3 systems can request full-featured trials by contacting Bytware directly at http://www.bytware.com or by calling 775-851-2900.

Note: If you are using a PC to scan the IFS, most companies do their scans once a week or only as needed, because a full scan takes so long and interferes with normal operations. Under a heavy network load, we strongly recommend restricting access to NetServer while scans are running.


Notes: Antivirus scanning

With the most recent announcement, StandGuard Anti-Virus for iSeries V5R3 will be shipped with all iSeries servers with i5/OS V5R3, and upgrades to V5R3, and will be available as a try-and-buy offering. Customers can request full-featured trial activation by contacting Bytware at http://www.bytware.com/enableav.html or calling 775.851.2900. Bytware also has expanded its US-based operations to include 18 new partners in 10 time zones worldwide.


Object integrity enhancements (Integrity)

With V5R3, all IBM-shipped code can be checked for integrity. A function was added to verify the code checker function that itself verifies the system code.
- The Check System (QydoCheckSystem) application programming interface (API) provides OS/400 system integrity verification. It checks *PGM and *SRVPGM objects, selected *CMD objects, the RSTOBJ and RSTLIB commands, the CHKOBJITG command, and the Verify Object API.

If the QAUDLVL system value includes *AUTFAIL, the Check System API generates audit records to report any failures and errors that these commands detect:
- Restore Object (RSTOBJ)
- Restore Library (RSTLIB)
- Check Object Integrity (CHKOBJITG)

The CHKOBJITG command is enhanced with the scan file systems (SCANFS) parameter. Parameter values can be:
• *STATUS: Objects are not scanned, but recent scan failures are logged.
• *YES: Objects are scanned according to the rules described in the scan-related exit programs. Failures are logged.
• *NO: Objects are not scanned and no log entries are generated.


Notes: Object integrity enhancements

Beginning in V5R2, OS/400 shipped with a code checking function that you use to verify the integrity of signed objects on your system, including all operating system code that IBM ships and signs for your iSeries system. Now in V5R3, you can use a new API to verify the integrity of the code checking function itself and of key operating system objects.

To use the new code checker integrity verification function to verify the integrity of your iSeries system, you must have *AUDIT special authority. To verify the code checker function, run the Check System (QydoCheckSystem) API to determine whether any key operating system object changed since it was signed. When you run the API, it checks key system objects, including the programs and service programs and selected command (*CMD) objects in the QSYS library:

- Checks all program (*PGM) objects to which the system entry point table points.

- Checks all service program (*SRVPGM) objects in the QSYS library and verifies integrity of the Verify Object API.

- Runs the Verify Object (QydoVerifyObject) API to verify the integrity of Restore Object (RSTOBJ) command, the Restore Library (RSTLIB) command, and the Check Object Integrity (CHKOBJITG) command.

- Uses the RSTOBJ and RSTLIB commands on a special save file to make sure that errors are reported correctly. A lack of error messages, or the wrong error messages, indicates a potential problem.

- Creates a command (*CMD) object that is designed to fail to verify correctly.

- Runs the CHKOBJITG command and the Verify Object API on this special command object to ensure that the CHKOBJITG command and the Verify Object API are reporting errors correctly. A lack of error messages or the wrong error messages indicate a potential problem.

The Check Object Integrity (CHKOBJITG) command checks the objects owned by the specified user profile, the objects that match the specified path name, or all objects on the system to determine if any objects have integrity violations. With V5R3, the new SCANFS parameter was added to the command. It specifies whether to scan objects in the IFS identified by the QSCANFS system value or to return existing scan status. When checking only for the scan status, objects are not scanned. If an object's status indicates it failed the most recent scan operation, a SCANFSFAIL integrity violation is logged.
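The two SCANFS modes described above, as an added CL example that is not part of the presentation. The output file QGPL/OBJITGLOG and the /home path are placeholders, and the OBJ, USRPRF and OUTMBR keywords are assumed from the V5R3 command syntax rather than taken from the slide.

```cl
/* Added example (not from the presentation): report stored IFS scan      */
/* failures first, then run a full integrity check with a fresh scan.      */
/* QGPL/OBJITGLOG and /home/* are constructed placeholders.                */
PGM
  /* Step 1: SCANFS(*STATUS) runs no scan. Objects whose stored status    */
  /* says the last exit-program scan failed are written to the output    */
  /* file as SCANFSFAIL integrity violations.                            */
  CHKOBJITG OBJ('/home/*') SCANFS(*STATUS) OUTFILE(QGPL/OBJITGLOG)

  /* Step 2: SCANFS(*YES) scans according to the exit programs           */
  /* registered through the QSCANFS system value, for all objects.       */
  /* OUTMBR(*FIRST *ADD) appends to the records written in step 1.       */
  CHKOBJITG USRPRF(*ALL) SCANFS(*YES) OUTFILE(QGPL/OBJITGLOG) +
            OUTMBR(*FIRST *ADD)

  /* Review the violation records (object name plus violation type:     */
  /* signature, domain, program modification or SCANFSFAIL).            */
  DSPPFM FILE(QGPL/OBJITGLOG)
ENDPGM
```

Running step 1 on a schedule is cheap because nothing is rescanned; it only surfaces objects the scanning exit programs already rejected, which is what an operator wants to see in a daily check.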


Enhanced control for audit data

New auditing values provide better control over the amount of data being logged. They can be specified in the system values QAUDLVL and QAUDLVL2.

- The new system value QAUDLVL2 extends the number of auditing values that can be specified
- QAUDLVL2 is needed only when more than 16 auditing values need to be specified

Audit/Logging

Using QAUDLVL2:
- Set *AUDLVL in QAUDCTL
- Set *AUDLVL2 in QAUDLVL


Enhanced control for audit data

Network communication (*NETCMN) and security (*SECURITY) auditing values divided into smaller units

Audit/Logging

*NETCMN
- *NETBAS: Network base functions
- *NETCLU: Cluster and cluster resource groups
- *NETFAIL: Network failures
- *NETSCK: Sockets tasks

*NETCMN can still be specified. If specified, it contains all *NETxxx values.

*SECURITY
- *SECCFG: Security configuration
- *SECDIRSRV: Directory services
- *SECIPC: Interprocess communications
- *SECNAS: Network authentication service
- *SECRUN: Security run time functions
- *SECSCKD: Socket descriptor
- *SECVFY: Verification function
- *SECVLDL: Changes to validation list objects

*SECURITY can still be specified. If specified, it contains all *SECxxx values.


Notes: Enhanced control for audit data

Auditing plays an important role in a security implementation. Without logging information, one can’t tell what happened on a system. You need to have measurements and logging mechanisms in place that allow you to check who performed what activities at which time. The actual data that needs to be collected heavily depends on the individual business needs and security policies that are in place. OS/400 has always provided audit logging capabilities through the use of the audit journal (QAUDJRN). System values (QAUDCTL and QAUDLVL) control the categories for which audit journal entries are created.

With many new functions and services that were introduced over the course of previous OS/400 releases, the amount of data that is journaled has increased significantly. Especially in the areas of networking and security, there are many functions that create journal entries. For better control over the amount of data that is being logged, IBM has introduced a new system value and new auditing values.

Prior to V5R3, the system value QAUDLVL could only store 16 auditing values, which was enough at that time. With the introduction of new auditing values, V5R3 adds the system value QAUDLVL2. You use it in conjunction with QAUDLVL to store all available auditing values (if necessary).

The networking and security auditing values are divided into smaller categories. However, if you still need to log all information about a networking or security event, you can still specify the existing *NETCMN and *SECURITY values.
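The QAUDCTL / QAUDLVL / QAUDLVL2 setup described on this and the previous chart, as an added CL example that is not part of the presentation. The particular mix of values is illustrative; the point is that the granular *SECxxx and *NETxxx values replace the broad *SECURITY and *NETCMN, and that *AUDLVL2 in QAUDLVL is what makes QAUDLVL2 effective.

```cl
/* Added example (not from the presentation): configure granular V5R3    */
/* audit values and spill over into QAUDLVL2 once QAUDLVL is full.       */
PGM
  /* *AUDLVL turns action auditing on; *OBJAUD enables per-object        */
  /* auditing; *NOQTEMP suppresses entries for objects in QTEMP.         */
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

  /* Narrow categories instead of *SECURITY and *NETCMN. QAUDLVL holds  */
  /* at most 16 values; the last one, *AUDLVL2, tells OS/400 to also    */
  /* read QAUDLVL2 (15 values used here).                               */
  CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *CREATE *DELETE *OBJMGT +
            *PGMFAIL *SAVRST *SERVICE *SYSMGT *SECCFG *SECRUN *SECVFY +
            *SECVLDL *NETFAIL *NETSCK *AUDLVL2')

  /* Remaining categories go into the new system value.                  */
  CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*SECDIRSRV *SECIPC *SECNAS +
            *NETBAS *NETCLU')

  /* Confirm the effective configuration.                                */
  DSPSYSVAL SYSVAL(QAUDCTL)
  DSPSYSVAL SYSVAL(QAUDLVL)
  DSPSYSVAL SYSVAL(QAUDLVL2)
ENDPGM
```

Without *AUDLVL2 in QAUDLVL, whatever is stored in QAUDLVL2 is silently ignored, so the DSPSYSVAL at the end is worth keeping in any change procedure: it is the quickest way to see that both halves of the list are active.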


Changed command authorities

With V5R3, users with *AUDIT special authority (and users with *ALLOBJ) can perform the following commands:

- DSPSECAUD (Display Security Auditing)
- PRTADPOBJ (Print Adopting Objects)
- DSPAUDJRNE (Display Audit Journal Entries)
- PRTPVTAUT (Print Private Authorities)
- PRTPUBAUT (Print Publicly Auth Objects)
- PRTCMNSEC (Print Communications Security)
- PRTJOBDAUT (Print JOBD Authority)
- PRTQAUT (Print Queue Authority)
- PRTSBSDAUT (Print Subsystem Description)
- PRTSYSSECA (Print System Security Attribute)
- PRTTRGPGM (Print Trigger Programs)
- PRTUSROBJ (Print User Objects)
- PRTUSRPRF (Print User Profile)

Prior to V5R3, a user needed *ALLOBJ authority to perform these commands.

Audit/Logging


Notes: Changed command authorities

Prior to V5R3, the following commands required *ALLOBJ special authority and were shipped with a public authority of *EXCLUDE. Starting in V5R3, the commands are shipped with a PUBLIC authority of *USE. A user who has only *AUDIT special authority, and users who have *ALLOBJ and any other required special authorities, can run the commands:

- DSPSECAUD (Display Security Auditing)

- PRTADPOBJ (Print Adopting Objects)

- DSPAUDJRNE (Display Audit Journal Entries)

- PRTPVTAUT (Print Private Authorities)

- PRTPUBAUT (Print Publicly Auth Objects)

- PRTCMNSEC (Print Communications Security)

- PRTJOBDAUT (Print JOBD Authority)

- PRTQAUT (Print Queue Authority)

- PRTSBSDAUT (Print Subsystem Description)

- PRTSYSSECA (Print System Security Attr)

- PRTTRGPGM (Print Trigger Programs)

- PRTUSROBJ (Print User Objects)

- PRTUSRPRF (Print User Profile)


OS/400 message handling changes

- Active (current) user is now logged in messages in addition to the qualified job name
- The From user can be different from the qualified job name when the thread is swapped to run under a different profile

Audit/Logging

Display Message Details

Message ID . . . . . . :              Severity . . . . . : 80
Date sent  . . . . . . : 03/09/04     Time sent  . . . . : 13:50:55
Message type . . . . . : Information
From . . . . . . . . . : SWAPTEST     CCSID  . . . . . . : 65535    <-- Active (current) user

From job . . . . . . . . . . . : QPADEV0007
  User  . . . . . . . . . . . :   BARLEN                           <-- Qualified job user
  Number  . . . . . . . . . . :   009340

From program . . . . . . . . . : QCMDEXC
To message queue . . . . . . . : QSYSOPR
  Library  . . . . . . . . . . :   QSYS

Time sent  . . . . . . . . . . : 13:50:55.410288
                                                                 Bottom
Press Enter to continue.


Notes: OS/400 message handling

In V5R3, the active user profile is stored with each message. The active user profile is the user profile for which the job is doing work. This can be different from the user name in the qualified job name if the job swapped to run under another user profile. Another name for active user is current user.

For job logs, this can mean that the job log wraps or fills up with fewer messages. For standard message queues, this means that a message queue may hold fewer messages before it is full. Many messages do not increase in size. This is because, for standard message queues, the active user name is saved only if it is different from the name in the qualified job name. The From user shown on the Display Message (DSPMSG) command, the Work with Message (WRKMSG) command, and additional message information screens is now the actual sending user, rather than the user name from the qualified job name of the sending job.


User profile management

Authentication

Two new parameters added to user profiles:
- Local password management (LCLPWDMGT)
- EIM association (EIMASSOC)

Local password management (LCLPWDMGT): two values possible, *YES and *NO

*YES
- Password can be changed in OS/400
- Same behavior as in V5R2

*NO
- Password for user profile set to *NONE
- Password for user profile cannot be changed
- If implemented, password changes are still synchronized with other user registries
  • Example: Windows integration with xSeries (Integrated xSeries Server and Integrated xSeries Adapter)
- Users can only sign on without a password
  • Single signon with Kerberos and EIM

EIM association (EIMASSOC):
- A new parameter allows an administrator to create or change an EIM identifier and association when creating or changing a user profile
- By default, no EIM action is performed
- If Windows integration is used, a source association for the Windows user can be set up automatically

EIM association:
  EIM identifier . . . . .   *NOCHG
  Association type . . . .   ________
  Association action . . .   ________
  Create EIM identifier  .   ________


Notes: User profile management

Two new user profile parameter fields were added in V5R3.

Local password management (LCLPWDMGT) parameter: This parameter specifies whether to manage the user profile password locally. If you do not want to manage the password locally, the password value is still sent to other IBM products that do password synchronization. If you do not manage passwords locally, then the local password is set to *NONE.

EIM association (EIMASSOC) parameter: This parameter allows you to define EIM identifier associations for the specified user profile for the local registry. To use this parameter, you specify the EIM identifier, an action option for the association, the type of identifier association, and whether to create the specified EIM identifier if it does not already exist.

When you use this parameter, you can specify the following information:

- EIM identifier name, which can be a new name or an existing identifier name

- An action option for the association, which can be to add (*ADD), to replace (*REPLACE), or to remove (*REMOVE), the association that you specify

Note: Use *ADD to set up new associations. Use the *REPLACE option, for example, if you previously defined associations to the wrong identifier. The *REPLACE option removes any existing associations of the specified type for the local registry to any other identifiers, and then adds the one that is specified for the parameter. Use the *REMOVE option to remove any specified associations from the specified identifier.

- The type of identifier association, which can be target, source, both a target and a source, or an administrative association

- Whether to create the specified EIM identifier if it does not already exist

You typically create a target association for an OS/400 profile, especially in a single signon (SSO) environment. After you use the command to create the needed target association for the user profile (and the EIM identifier, if necessary), you may need to create a corresponding source association. You can use iSeries Navigator to create a source association for another user identity, such as the Kerberos principal with which the user signs on to the network.
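The LCLPWDMGT and EIMASSOC parameters together, as an added CL example that is not part of the presentation. The profile JSMITH and the EIM identifier 'John Smith' are constructed placeholders, and the element values *TARGET and *CRTEIMID are assumed from the V5R3 command syntax (the chart names the elements but not their values).

```cl
/* Added example (not from the presentation): move a user to SSO-only    */
/* sign-on and register the profile in EIM in one step.                  */
/* JSMITH and 'John Smith' are constructed placeholders.                 */
PGM
  /* LCLPWDMGT(*NO): the OS/400 password becomes *NONE and cannot be     */
  /* changed locally; the user can only sign on through Kerberos/EIM.    */
  /* EIMASSOC elements, in chart order: EIM identifier, association      */
  /* type, association action, create identifier. *TARGET maps the      */
  /* identifier to this local profile; *ADD keeps any existing           */
  /* associations; *CRTEIMID creates the identifier if it is new.        */
  CHGUSRPRF USRPRF(JSMITH) LCLPWDMGT(*NO) +
            EIMASSOC('John Smith' *TARGET *ADD *CRTEIMID)

  /* Verify: the password field should now show *NONE and the local     */
  /* password management flag *NO.                                      */
  DSPUSRPRF USRPRF(JSMITH)
ENDPGM
```

Only apply LCLPWDMGT(*NO) after the source association (for example the user's Kerberos principal) exists and network authentication has been tested for that user; with the local password set to *NONE there is no fallback sign-on if the SSO path is broken.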


OS/400 authorization changes

- The default for the Authority (AUT) parameter changed for many create commands for configuration objects (for example, DEV, CTL, LIN).
- The value changed from *LIBCRTAUT to *CHANGE.
- This solves the problem with the public authority of automatically created configuration objects prior to V5R3.

Authorization

Prior to V5R3
- Changing system value QCRTAUT to *USE or *EXCLUDE caused problems for automatically created objects, such as device descriptions.
- No signon is possible with *USE authority for a device:
  CPF1110 Not authorized to work station.

V5R3
- A system value can be set more easily to a restrictive value without impacting configuration objects.
- Automatically created device descriptions have the public authority *CHANGE.


Notes: OS/400 authorization changes

The QCRTAUT system value provides the default authority granted to the public when new objects are created that refer to this system value in their command’s authority parameter or via the library default create authority. The default value for the QCRTAUT system value is *CHANGE. This may introduce a higher authority to new objects than what is actually needed. However, prior to V5R3, changing this system value to *USE or *EXCLUDE caused problems for some objects, such as automatically created device descriptions.

In V5R3, the Authority (AUT) parameter for the following commands has changed from *LIBCRTAUT to *CHANGE:

- CRTCOSD (Create Class-of-Service Description)
- CRTCTLAPPC (Create Controller Description (APPC))
- CRTCTLASC (Create Controller Description (Async))
- CRTCTLBSC (Create Controller Description (BSC))
- CRTCTLFNC (Create Controller Description (Finance))
- CRTCTLHOST (Create Controller Description (SNA Host))
- CRTCTLLWS (Create Controller Description (Local WS))
- CRTCTLNET (Create Controller Description (Network))
- CRTCTLRTL (Create Controller Description (Retail))
- CRTCTLRWS (Create Controller Description (Remote WS))
- CRTCTLTAP (Create Controller Description (Tape))
- CRTCTLVWS (Create Controller Description (Virtual WS))
- CRTDEVAPPC (Create Device Description (APPC))
- CRTDEVASC (Create Device Description (Async))
- CRTDEVASP (Create Device Description (ASP))
- CRTDEVBSC (Create Device Description (BSC))
- CRTDEVCRP (Create Device Description (Crypto))
- CRTDEVDKT (Create Device Description (Diskette))
- CRTDEVDSP (Create Device Description (Display))
- CRTDEVFNC (Create Device Description (Finance))
- CRTDEVHOST (Create Device Description (SNA Host))
- CRTDEVINTR (Create Device Description (Intra))
- CRTDEVMLB (Create Device Description (Media Lib))
- CRTDEVNET (Create Device Description (Network))
- CRTDEVOPT (Create Device Description (Optical))
- CRTDEVPRT (Create Device Description (Printer))
- CRTDEVRTL (Create Device Description (Retail))
- CRTDEVSNPT (Create Device Description (SNPT))
- CRTDEVSNUF (Create Device Description (SNUF))
- CRTDEVTAP (Create Device Description (Tape))
- CRTLINASC (Create Line Description (Async))
- CRTLINBSC (Create Line Description (BSC))
- CRTLINDDI (Create Line Description (DDI))
- CRTLINETH (Create Line Description (Ethernet))
- CRTLINFAX (Create Line Description (Fax))
- CRTLINFR (Create Line Description (Frame Relay))
- CRTLINPPP (Create Line Description (PPP))
- CRTLINSDLC (Create Line Description (SDLC))
- CRTLINTDLC (Create Line Description (TDLC))
- CRTLINTRN (Create Line Description (Token-Ring))
- CRTLINWLS (Create Line Description (Wireless))
- CRTLINX25 (Create Line Description (X.25))
- CRTMODD (Create Mode Description)
- CRTNTBD (Create NetBIOS Description)
- CRTNWIFR (Create Network Interface (FR))
- CRTNWSD (Create Network Server Description)

This V5R3 change allows a security administrator to tighten security by changing the QCRTAUT system value without impacting configuration object public authorities.


Application administration

New CL command support for iSeries Navigator’s Application Administration functions

- Administrators can set up iSeries Access, iSeries Navigator, and OS/400 application security using CL programs -> Write once -> Run anywhere
- New commands:
  - Work with Function Usage (WRKFCNUSG)
  - Change Function Usage (CHGFCNUSG)
  - Display Function Usage (DSPFCNUSG)

Authorization

                         Work with Function Usage

Type options, press Enter.
  2=Change usage   5=Display usage

     Function ID                    Function Name
     QIBM_QINAV_WEB_INTERFACE       Use of iSeries Navigator Web Interface
     QIBM_QSY_SYSTEM_CERT_STORE     *SYSTEM certificate store
  5  QIBM_QTMF_CLIENT_REQ_0         Initiate Session
     QIBM_QTMF_CLIENT_REQ_3         Change Directory
     QIBM_QTMF_CLIENT_REQ_6         Send Files


Application administration

Authorization

                         Display Function Usage

Function ID . . . . . . :   QIBM_QTMF_CLIENT_REQ_0
Function name . . . . . :   Initiate Session
Description . . . . . . :   Start an FTP Client session. Must be allowed to do other client operations.
Product . . . . . . . . :   QIBM_QTM_TCPIP
Group . . . . . . . . . :   QIBM_QTMF_FTP_CLIENT
Default authority . . . . . . . . . . . . :   *ALLOWED
*ALLOBJ special authority . . . . . . . . :   *USED

User          Type      Usage
BARLEN        User      *ALLOWED


Notes: Application administration

The Application Administration interface in iSeries Navigator has been enhanced several times with previous OS/400 releases. It provides an administrator with an interface to manage access to iSeries Access for Windows, iSeries Navigator, and OS/400 and TCP/IP applications. Prior to V5R3, the only way to define access to these applications was through the graphical Application Administration interface.

With V5R3, new CL commands manage access through the 5250 command line interface. They allow the administrator to write CL programs to manage access. Using this approach, an administrator can write a CL program on one system that contains all access policies and restrictions and then distribute the program to other systems in the network. This approach lowers the administration effort when setting up access on multiple systems.
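The "write once, run anywhere" idea above as an added CL example that is not part of the presentation: a program that restricts the FTP client functions shown on the chart and can be compiled once and run on every system. The group profile APPOPS is a constructed placeholder; the function IDs are the ones on the slide, and the keyword names USER, USAGE, DFTUSG and ALLOBJAUT are assumed from the V5R3 command syntax.

```cl
/* Added example (not from the presentation): distributable FTP client   */
/* lockdown. APPOPS is a constructed group profile name.                 */
PGM
  /* QIBM_QTMF_CLIENT_REQ_0 gates every other client operation (see the */
  /* function description on the chart). Only APPOPS members may start  */
  /* a session; the default for everyone else becomes *DENIED, and      */
  /* ALLOBJAUT(*NOTUSED) stops *ALLOBJ special authority from           */
  /* overriding the policy (the chart shows *USED as the default).      */
  CHGFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_0) USER(APPOPS) USAGE(*ALLOWED) +
            DFTUSG(*DENIED) ALLOBJAUT(*NOTUSED)

  /* Operators may browse (REQ_3, Change Directory) but not upload      */
  /* (REQ_6, Send Files) from this system.                              */
  CHGFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_3) USER(APPOPS) USAGE(*ALLOWED) +
            DFTUSG(*DENIED) ALLOBJAUT(*NOTUSED)
  CHGFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_6) USER(APPOPS) USAGE(*DENIED) +
            DFTUSG(*DENIED) ALLOBJAUT(*NOTUSED)

  /* Print the effective policy so the rollout can be audited per box.  */
  DSPFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_0) OUTPUT(*PRINT)
  DSPFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_3) OUTPUT(*PRINT)
  DSPFCNUSG FCNID(QIBM_QTMF_CLIENT_REQ_6) OUTPUT(*PRINT)
ENDPGM
```

Keeping the policy in source form also gives you a diffable record of what access was granted, which the graphical interface alone does not provide.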


Table of contents

Network security enhancements

OS/400 security enhancements

Application security enhancements

Additional information


New cryptographic APIs

OS/400 Cryptographic Services APIs allow you to ensure:
- Privacy of data
- Integrity of data
- Authentication of communicating parties
- Non-repudiation of messages

Several V5R3 APIs are also available for V5R2
- Requires V5R2 PTFs SI10060, SI10105, and MF31101 (available since December 2003)

Authentication

Confidentiality

Integrity

APIs:
- Create Algorithm Context
- Destroy Algorithm Context
- Create Key Context
- Destroy Key Context
- Encrypt Data
- Decrypt Data
- Translate Data
- Calculate Signature
- Verify Signature
- Calculate MAC
- Calculate Hash
- Calculate HMAC
- Generate Symmetric Key
- Generate PKA Key Pair
- Generate Diffie-Hellman Parameters
- Generate Diffie-Hellman Key Pair
- Calculate Diffie-Hellman Secret Key
- Generate Pseudorandom Numbers
- Add Seed for Pseudorandom Number Generator


Notes: New cryptographic APIs

A set of new OS/400 Cryptographic Services APIs, introduced with V5R3, helps you to ensure:

- Privacy of data
- Integrity of data
- Authentication of communicating parties
- Non-repudiation of messages

Because cryptographic functions are export controlled, the iSeries server is shipped with most cryptographic functions disabled. To enable full cryptographic capabilities, install Cryptographic Access Provider 128-bit for iSeries (5722 AC3).

The APIs perform cryptographic functions within the OS/400 or on the 2058 Cryptographic Accelerator for iSeries, as specified by the user.

The Cryptographic Services APIs include:

- Encryption and Decryption APIs
  • Decrypt Data (QC3DECDT, Qc3DecryptData) restores encrypted data to a clear (intelligible) form.
  • Encrypt Data (QC3ENCDT, Qc3EncryptData) protects data privacy by scrambling clear data into an unintelligible form.
  • Translate Data (QC3TRNDT, Qc3TranslateData) translates data from encryption under one key to encryption under another key.

- Pseudorandom Number Generation APIs
  • Add Seed for Pseudorandom Number Generator (QC3ADDSD, Qc3AddPRNGSeed) allows the user to add seed into the server's pseudorandom number generator system seed digest.
  • Generate Pseudorandom Numbers (QC3ADDSD, Qc3GenPRNs) generates a pseudorandom binary stream.

- Cryptographic Context APIs
  • Create Algorithm Context (QC3CRTAX, Qc3CreateAlgorithmContext) creates a temporary area for holding the algorithm parameters and the state of the cryptographic operation.
  • Create Key Context (QC3CRTKX, Qc3CreateKeyContext) creates a temporary area for holding a cryptographic key.
  • Destroy Algorithm Context (QC3DESAX, Qc3DestroyAlgorithmContext) destroys the algorithm context created with the Create Algorithm Context (OPM: QC3CRTAX; ILE: Qc3CreateAlgorithmContext) API.
  • Destroy Key Context (QC3DESKX, Qc3DestroyKeyContext) destroys the key context created with the Create Key Context (OPM: QC3CRTKX; ILE: Qc3CreateKeyContext) API.


Notes: New cryptographic APIs …

- Authentication APIs
  • Calculate Hash (QC3CALHA, Qc3CalculateHash) uses a one-way hash function to produce a fixed-length output string from a variable-length input string.
  • Calculate HMAC (QC3CALHM, Qc3CalculateHMAC) uses a one-way hash function and a secret shared key to produce an authentication value.
  • Calculate MAC (QC3CALMA, Qc3CalculateMAC) produces a message authentication code.
  • Calculate Signature (QC3CALSG, Qc3CalculateSignature) produces a digital signature by hashing the input data and encrypting the hash value using a public key algorithm (PKA).
  • Verify Signature (QC3VFYSG, Qc3VerifySignature) verifies that a digital signature is correctly related to the input data.

- Key Generation APIs
  • Calculate Diffie-Hellman Secret Key (QC3CALDS, Qc3CalculateDHSecretKey) calculates a Diffie-Hellman shared secret key.
  • Generate Diffie-Hellman Key Pair (QC3GENDK, Qc3GenDHKeyPair) generates a Diffie-Hellman (D-H) private/public key pair needed for calculating a Diffie-Hellman shared secret key.
  • Generate Diffie-Hellman Parameters (QC3GENDP, Qc3GenDHParms) generates the parameters needed for generating a Diffie-Hellman key pair.
  • Generate PKA Key Pair (QC3GENPK, Qc3GenPKAKeyPair) generates a random PKA key pair.
  • Generate Symmetric Key (QC3GENSK, Qc3GenSymmetricKey) generates a random key value that can be used with a symmetric cipher algorithm.

Several of the new cryptographic APIs have been made available for V5R2. To use these APIs in V5R2, you need to install PTFs SI10060, SI10105, and MF31101. For more information on the available V5R2 APIs, visit the V5R2 Information Center.


Notes: New cryptographic APIs

The following tables list the algorithms that are supported by software encryption (OS/400) and the 2058 Cryptographic Accelerator.

Cryptographic algorithms for the Qc3EncryptData, Qc3DecryptData and Qc3TranslateData APIs

  Algorithm          OS/400   2058
  DES ECB            Yes      Yes
  DES CBC            Yes      Yes
  DES OFB            Yes      No
  DES CFB-1bit       Yes      No
  DES CFB-8bit       Yes      No
  DES CFB-64bit      Yes      No
  TDES ECB           Yes      Yes
  TDES CBC           Yes      Yes
  TDES OFB           Yes      No
  TDES CFB-1bit      Yes      No
  TDES CFB-8bit      Yes      No
  TDES CFB-64bit     Yes      No
  AES ECB            Yes      No
  AES CBC            Yes      No
  RC4                Yes      No
  RSA                Yes      Yes (1)

Qc3CalculateMAC API

  Algorithm          OS/400   2058
  DES                Yes      No
  TDES               Yes      No
  AES                Yes      No

Qc3CalculateHash API

  Algorithm          OS/400   2058
  MD5                Yes      No
  SHA-1              Yes      No
  SHA-256            Yes      No
  SHA-384            Yes      No
  SHA-512            Yes      No

Qc3CalculateHMAC API

  Algorithm          OS/400   2058
  MD5                Yes      No
  SHA-1              Yes      No

Other APIs

  API                                           OS/400   2058
  Qc3CalculateSignature, Qc3VerifySignature     Yes      Yes (2)
  Qc3GenPRNs                                    Yes      Yes (3)
  Qc3GenSymmetricKey                            Yes      Yes
  Qc3GenPKAKeyPair                              Yes      No
  Qc3GenDHParms                                 Yes      No
  Qc3GenDHKeyPair                               Yes      No
  Qc3CalculateDHSecretKey                       Yes      Yes

(1) Block formatting is done in software.

(2) Only encryption is done on the 2058. The block formatting and hash functions are done in the software.

(3) If a hardware cryptographic card is available, the OS/400 PRNG automatically uses it to seed the generator.


Further API changes

- APIs changed that affect swapping user profiles
- Applications may have to be changed
- Affected APIs:
  - Get Profile Handle (QSYGETPH), Get Profile Handle (QsyGetProfileHandle)
  - Generate Profile Token (QSYGENPT), Generate Profile Token Extended (QsyGenPrfTknE)

When is a program code change required?

You can temporarily deactivate the new parameter requirement in V5R3
- Should only be done when receiving message CPF3C3C
- PTF SI14206 can be used up to 180 days

API: QsyGetProfileHandle / QsyGenPrfTknE
- Function: Special values (*NOPWD, *NOPWDCHK, *NOPWDSTS) specified for password
  Change required: Yes
  Required action: Use the Get Profile Handle No Password (QsyGetProfileHandleNoPwd) / Generate Profile Token (QsyGenPrfTkn) API
- Function: Password is specified for the API’s password parameter
  Change required: Yes
  Required action: Change the API parameter structure to include the password length and password CCSID parameters

API: QSYGETPH / QSYGENPT
- Function: Special values (*NOPWD, *NOPWDCHK, *NOPWDSTS) specified for password
  Change required: No
  Required action: None. Note: The password length and password CCSID parameters are not allowed
- Function: Password is specified for the API’s password parameter
  Change required: Yes
  Required action: Change the API parameter structure to include the password length and password CCSID parameters


Notes: Further API changes

A method to perform tasks in a program under a different user than the one that started the job is to swap to a different user profile while running a program. You do this by obtaining a profile handle of the user profile to be swapped to. Then you use that handle with the set profile API to perform the swap for the running thread. This approach is used in many applications.

With V5R3, it was necessary to change the parameter structure of the APIs that obtain or get the profile handle. These APIs are:

- Get Profile Handle (QSYGETPH)
- Get Profile Handle (QsyGetProfileHandle)
- Generate Profile Token (QSYGENPT)
- Generate Profile Token Extended (QsyGenPrfTknE)

The changes pertain to the password parameter of the APIs. Whether a program has to change depends on the values specified for the password parameter. The table on the previous chart lists the situations where a change is required.

You can find more information about the API changes and parameter structures in the iSeries Information Center under Programming-> APIs-> APIs by category-> Security-> Security-related APIs.
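The profile swap described in these notes, written against the V5R3 parameter structure of the OPM QSYGETPH API, as an added CL example that is not part of the presentation. It covers both rows of the chart for QSYGETPH: the *NOPWD call (no length/CCSID allowed) used to obtain a handle for the current user, and the password call that now needs the two extra parameters. &USER and &PWD are supplied by the caller; CCSID 37 is an assumed sample value and must be replaced by the CCSID the password data is actually encoded in.

```cl
/* Added example (not from the presentation): run part of a job under   */
/* another profile with the V5R3 QSYGETPH parameter structure.          */
/* CCSID 37 below is an assumed sample value.                           */
PGM PARM(&USER &PWD)
  DCL VAR(&USER)     TYPE(*CHAR) LEN(10)
  DCL VAR(&PWD)      TYPE(*CHAR) LEN(10)
  DCL VAR(&CURUSER)  TYPE(*CHAR) LEN(10)
  DCL VAR(&NOPWD)    TYPE(*CHAR) LEN(10) VALUE('*NOPWD')
  DCL VAR(&ORIGHDL)  TYPE(*CHAR) LEN(12)
  DCL VAR(&NEWHDL)   TYPE(*CHAR) LEN(12)
  /* Bytes provided = 0: the API reports problems as escape messages,   */
  /* so a missing length/CCSID shows up as CPF3C3C instead of silently  */
  /* returning.                                                         */
  DCL VAR(&ERRCODE)  TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')
  /* The two parameters that are new when a password is supplied, both  */
  /* Binary(4).                                                         */
  DCL VAR(&PWDLEN)   TYPE(*CHAR) LEN(4)
  DCL VAR(&PWDCCSID) TYPE(*CHAR) LEN(4) VALUE(X'00000025')  /* 37 */
  DCL VAR(&I)        TYPE(*DEC)  LEN(3 0) VALUE(10)

  /* Actual password length = position of the last non-blank byte.      */
  LOOP:  IF COND(%SST(&PWD &I 1) *EQ ' ') THEN(DO)
           CHGVAR VAR(&I) VALUE(&I - 1)
           IF COND(&I *GT 0) THEN(GOTO CMDLBL(LOOP))
         ENDDO
  IF COND(&I *EQ 0) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
           MSGDTA('Password parameter is blank') MSGTYPE(*ESCAPE))
  CHGVAR VAR(%BIN(&PWDLEN)) VALUE(&I)

  /* Handle for the current user so the thread can swap back later.     */
  /* With the *NOPWD special value the length and CCSID parameters must */
  /* be omitted (chart: QSYGETPH, special values, change required: No). */
  RTVJOBA CURUSER(&CURUSER)
  CALL PGM(QSYGETPH) PARM(&CURUSER &NOPWD &ORIGHDL &ERRCODE)

  /* Handle for the target user. Pre-V5R3 programs stopped after        */
  /* &ERRCODE; V5R3 requires length and CCSID when a password is given. */
  CALL PGM(QSYGETPH) PARM(&USER &PWD &NEWHDL &ERRCODE &PWDLEN &PWDCCSID)

  CALL PGM(QWTSETP) PARM(&NEWHDL)      /* thread now runs as &USER      */
  /* ... work that needs &USER's authority goes here ...                */
  CALL PGM(QWTSETP) PARM(&ORIGHDL)     /* swap back to the job user     */

  /* Release both handles so they cannot be reused later in the job.    */
  CALL PGM(QSYRLSPH) PARM(&NEWHDL)
  CALL PGM(QSYRLSPH) PARM(&ORIGHDL)
ENDPGM
```

Programs that still pass only four parameters fail with CPF3C3C on V5R3; the chart notes that PTF SI14206 can suspend the new requirement for up to 180 days, which is a migration window, not a fix. Releasing the handles at the end is worth keeping in every swap routine: a handle that stays valid for the life of the job is an unnecessary credential lying around.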


Table of contents

Network security enhancements

OS/400 security enhancements

Application security enhancements

Additional information


Additional information

iSeries Information Center http://publib.boulder.ibm.com/pubs/html/as400/infocenter.htm

V5R3 iSeries Security Reference, SC41-5302-07