z/OS & zSeries Security

Security Home Page
http://www.ibm.com/servers/eserver/zseries/zos/security
RACF Home Page
http://www.ibm.com/servers/eserver/zseries/zos/racf/
zCPO zClass Introduction to z/OS
Objectives

In this chapter you will learn to:
- Explain security and integrity concepts
- Explain RACF and its interface with the operating system
- Authorize a program
- Discuss integrity concepts
- Explain the importance of change control
- Explain the concept of risk assessment
Alphabet Soup

Definitions (industry standard names):
- RACF: Resource Access Control Facility
- LDAP: Lightweight Directory Access Protocol
- DCE: Distributed Computing Environment
- OCEP: Open Cryptographic Enhanced Plug-ins, extensions to the Open Cryptographic Services Facility of the z/OS base
- CDSA: Common Data Security Architecture, a standard API definition for crypto functions, certificate management and storage; cross-industry, cross-platform, backed by Intel and many vendors
z/OS security architecture

Authenticate users and other accessors:
- UserID and password
- Digital certificate
- PassTicket
- Kerberos token

Protect resources from unauthorized usage:
- Access checking and authorization points embedded within z/OS
- All accesses to all resources are checked for the user's authority
- The Link Pack Area (LPA) is write protected, even from privileged programs
- Address spaces are isolated from each other

Resources: business data, databases, transaction systems, programs, batch jobs, operator functions, user commands, networks, print facilities, UNIX...
Introduction

- An installation's data and programs are among its most valuable assets and must be protected
- At one time data was secure because no one knew how to access it
- As more people become computer literate and able to use simple tools, unprotected data is becoming more accessible
- Data security is now more important than ever and includes the prevention of inadvertent destruction
Why security

- Any system security must allow authorized users the access they need and prevent unauthorized access
- Many companies' critical data is now on computer and is easily stolen if not protected
- The SecureWay Security Server provides a framework of services to protect data
RACF

RACF (part of the Security Server) and the other available packages are add-on products which provide the basic security framework on a z/OS mainframe. They:
- Identify and authenticate users
- Authorize users to access protected resources
- Log and report attempted unauthorized access
- Control the means of access to resources
RACF functions overview

(Diagram: RACF, backed by the RACF database, provides security administration; resource authorization checking and system control; user identification and authorization; and audit and integrity reports with violation alerts.)
Identification and verification of users

- RACF uses a user ID and a system-encrypted password to perform its user identification and verification
- The user ID identifies the person to the system
- The password verifies the user's identity
- Passwords should not be trivial, and exits can be used to enforce policies
Protection Levels

RACF works on a hierarchical structure:
- ALLOC allows data set creation and destruction
- CONTROL allows VSAM REPRO
- WRITE allows update of data
- READ allows read of data
- NONE: no access

A higher permission implies all those below it.
Protecting a dataset

- A data set profile is built and stored in the RACF database
- It gives users or groups an access level
- A universal access level (UACC) is also set
- The profile can be specific or generic, with or without wildcards
RACF typical display

INFORMATION FOR DATASET SYS1.*.** (G)

LEVEL  OWNER     UNIVERSAL ACCESS   WARNING   ERASE
-----  --------  ----------------   -------   -----
 00    SYS1      READ               NO        NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS   CREATION GROUP   DATASET TYPE
-----------   --------------   ------------
ALTER         SYS1             NON-VSAM
RACF access list for SYS1.*.**

ID        ACCESS
--------  ------
SYS1      ALTER
KARRAS    ALTER
WANDRER   ALTER
SCHUBER   ALTER
KURTKR    UPDATE
KURTKR2   UPDATE
KURTKR3   NONE
CICSRS1   ALTER
CICSRS2   ALTER
HEISIG    UPDATE
JUSTO     UPDATE
GERALD    READ
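The slides on protection levels, profiles, the SYS1.*.** display and its access list describe one decision procedure. The following Python is an added example, not code from the slides or from IBM, that models that procedure on the access list shown above plus a constructed SYS1.PARMLIB profile; the wildcard semantics, list-of-groups checking and the PROTECTALL-style handling of unprotected data sets are stated assumptions, and the access level names follow the display (ALTER/UPDATE for the slide's ALLOC/WRITE).

```python
"""
Simplified model of a RACF data set access decision (added example):
  * generic profiles with wildcards (SYS1.*.**); the most specific match wins
  * access list entry for the user, then the user's groups, then UACC
  * access hierarchy NONE < READ < UPDATE < CONTROL < ALTER
  * WARNING mode and the AUDIT(FAILURES(READ)) setting from the display
Assumptions: enhanced generic naming ('**' = zero or more qualifiers, a whole
qualifier '*' = exactly one qualifier, '*' inside a qualifier = any characters,
'%' = one character); list-of-groups checking (highest group access applies);
an unprotected data set is denied (PROTECTALL behaviour).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Match one qualifier against a pattern containing '*' and '%'."""
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, qualifier) is not None


def profile_matches(profile_name: str, dsname: str) -> bool:
    """Does a (possibly generic) profile name cover this data set name?"""
    pq, dq = profile_name.split("."), dsname.split(".")

    def match(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(dq)
        if pq[i] == "**":  # zero or more qualifiers
            return any(match(i + 1, k) for k in range(j, len(dq) + 1))
        if j == len(dq):
            return False
        return qualifier_matches(pq[i], dq[j]) and match(i + 1, j + 1)

    return match(0, 0)


def specificity(profile_name: str) -> Tuple[int, int]:
    """More literal characters and fewer '**' = more specific (approximation of
    RACF's ordering; a discrete profile always outranks a generic one)."""
    return (sum(c not in "*%" for c in profile_name), -profile_name.count("**"))


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: Dict[str, str] = field(default_factory=dict)  # ID -> level
    warning: bool = False
    audit_failures: Optional[str] = "READ"  # log failed attempts at this level or above
    audit_success: Optional[str] = None     # AUDIT(ALL(UPDATE)) sets both to UPDATE


def best_profile(profiles: List[Profile], dsname: str) -> Optional[Profile]:
    hits = [p for p in profiles if profile_matches(p.name, dsname)]
    return max(hits, key=lambda p: specificity(p.name), default=None)


def effective_access(profile: Profile, userid: str, groups: List[str]) -> str:
    """User entry beats group entries (an explicit NONE overrides UACC); else UACC."""
    if userid in profile.access_list:
        return profile.access_list[userid]
    group_levels = [profile.access_list[g] for g in groups if g in profile.access_list]
    if group_levels:
        return max(group_levels, key=RANK.__getitem__)
    return profile.uacc


def check_access(profiles: List[Profile], dsname: str, userid: str,
                 groups: List[str], requested: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, audit record or None). A higher level implies all below it."""
    profile = best_profile(profiles, dsname)
    if profile is None:
        return False, f"NO PROFILE for {dsname}"
    have = effective_access(profile, userid, groups)
    if RANK[have] >= RANK[requested]:
        if profile.audit_success and RANK[requested] >= RANK[profile.audit_success]:
            return True, f"SUCCESS {userid} {requested} {dsname} via {profile.name}"
        return True, None
    if profile.warning:  # WARNING YES: access granted, but the violation is logged
        return True, f"WARNING {userid} {requested} {dsname} via {profile.name}"
    if profile.audit_failures and RANK[requested] >= RANK[profile.audit_failures]:
        return False, f"VIOLATION {userid} {requested} {dsname} via {profile.name}"
    return False, None


# Constructed sample database: the SYS1.*.** profile and access list from the
# slides, plus a discrete SYS1.PARMLIB profile constructed for this example.
PROFILES = [
    Profile("SYS1.*.**", uacc="READ", access_list={
        "SYS1": "ALTER", "KARRAS": "ALTER", "WANDRER": "ALTER", "SCHUBER": "ALTER",
        "KURTKR": "UPDATE", "KURTKR2": "UPDATE", "KURTKR3": "NONE",
        "CICSRS1": "ALTER", "CICSRS2": "ALTER", "HEISIG": "UPDATE",
        "JUSTO": "UPDATE", "GERALD": "READ"}),
    Profile("SYS1.PARMLIB", uacc="NONE", access_list={"SYS1": "ALTER"},
            audit_failures="READ", audit_success="UPDATE"),
]

if __name__ == "__main__":
    for who, grp, what, lvl in [("GERALD", [], "SYS1.PROCLIB", "READ"),
                                ("KURTKR3", [], "SYS1.PROCLIB", "READ"),
                                ("GERALD", ["SYS1"], "SYS1.PARMLIB", "UPDATE")]:
        print(who, what, lvl, check_access(PROFILES, what, who, grp, lvl))
```

Note that KURTKR3 is denied READ although UACC is READ: an explicit NONE in the access list overrides the universal access, which is how a specific user is excluded from an otherwise readable profile.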
Protecting general resources

Many system resources can be protected:
- DASD volumes
- Tapes
- CICS or IMS transactions
- JES spool datasets
- System commands
- Application resources
- and many more

RACF is flexible and more can be added.
System Authorization Facility

- SAF is part of z/OS
- It uses RACF if it is present
- It can also use an optional exit routine
- SAF is a system service and is a common focal point for all products providing resource control
- SAF is invoked at control points within the code of the resource manager
RACF Structure

- Userid and Group: every userid belongs to at least one group; group structures are often used for access to resources
- Resource and resource classes: the class descriptor table is used to customize them
User Identification

- RACF identifies you when you log on
- Userid and password are required
- Each RACF userid has a unique password
- The password is one-way encrypted, so no one else can get your password, not even the administrator
- The userid is revoked after a preset number of invalid password attempts
Logging and reporting

RACF maintains statistical information. RACF writes a security log when it detects:
- Unauthorized attempts to enter the system
- Access to resources
  - This depends on the settings for the resource
  - For example, AUDIT(ALL(UPDATE)) will record all updates to a resource
- Issuing of commands
Security Administration

Interpret the security policy to:
- Determine which RACF functions to use
- Identify the level of RACF protection
- Identify which data to protect
- Identify administrative structures and users
RACF sysplex data sharing and RRSF

- If many systems share a RACF database there can be contention problems
- RACF will propagate commands throughout a sysplex
- RACF can use a coupling facility in a Parallel Sysplex to improve performance
- RRSF (RACF Remote Sharing Facility) can be used to keep distributed RACF databases in line
Authorized programs

- Authorized tasks running authorized programs are allowed to access sensitive system functions
- Unauthorized programs may only use standard functions, to avoid integrity problems
Authorized Program Facility

(Diagram: the APF-authorized libraries are SYS1.LINKLIB, SYS1.LPALIB and SYS1.SVCLIB plus the list of installation-defined libraries.)
Authorized Libraries

A task is authorized when the executing program has the following characteristics:
- It runs in supervisor state
- It runs in PSW key 0 to 7
- All previous programs in the same task were APF programs
- The module was loaded from an APF library
Problem Programs

- Normal programs are known as problem programs as they run in problem state (as opposed to supervisor state)
- They run in the problem key, key 8
- They may or may not be in an APF library
APF Libraries

- Authorized libraries are defined by the APF list in SYS1.PARMLIB
- SYS1.LINKLIB, SYS1.SVCLIB and SYS1.LPALIB are automatically authorized
- Installation libraries are defined in PROGxx
- By default all libraries in the linklist are authorized, but many installations set LNKAUTH=APFTAB, often prompted by auditors, so that this is no longer the case and only those in the list are authorized
Authorizing a program

- The first, and only the first, load module of the program must be linked with the authorization code AC=1
- It and all subsequent modules must be loaded from an authorized library
- APF libraries must be protected so that only authorized users can store programs there
Authorizing libraries

(Diagram: APF-authorized programs come from the authorized libraries SYS1.LINKLIB, SYS1.LPALIB, SYS1.SVCLIB and the list of installation-defined libraries; non-authorized programs come from unauthorized libraries.)

System programs usually:
- reside in APF-authorized libraries
- execute in supervisor state
- use storage keys 0 through 7

Application programs usually:
- reside in non-authorized libraries
- execute in problem state
- use storage key 8
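The APF slides above (which libraries are authorized, the LNKAUTH=APFTAB choice, the AC=1 rule for the first module and the requirement that APF libraries be protected) fit together as one check. The Python below is an added example, not code from the slides or from IBM, that models those rules on constructed library names and UACC values; the S306 abend mentioned in the comments is how z/OS rejects such a load and is not stated on the slides.

```python
"""
Simplified model of the APF rules from the slides (added example).
A library is APF-authorized if it is SYS1.LINKLIB, SYS1.SVCLIB or SYS1.LPALIB,
if it is in the installation APF list (PROGxx), or, with LNKAUTH=LNKLST, if it
is in the linklist. A job step becomes authorized only if its first load module
was link-edited with AC=1 and came from an authorized library; an authorized
step may then load only from authorized libraries (real z/OS rejects such a
load with an S306 abend, modelled here as a failed load).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SYSTEM_APF_LIBRARIES = {"SYS1.LINKLIB", "SYS1.SVCLIB", "SYS1.LPALIB"}


@dataclass(frozen=True)
class LoadModule:
    name: str
    library: str   # data set the module was fetched from
    ac: int = 0    # link-edit authorization code; 1 means AC=1


def authorized_libraries(installation_apf: Iterable[str], linklist: Iterable[str],
                         lnkauth: str = "APFTAB") -> Set[str]:
    """Effective APF set: system libraries, PROGxx entries and, only when
    LNKAUTH=LNKLST, everything in the linklist."""
    libs = SYSTEM_APF_LIBRARIES | set(installation_apf)
    if lnkauth == "LNKLST":
        libs |= set(linklist)
    elif lnkauth != "APFTAB":
        raise ValueError(f"unknown LNKAUTH value {lnkauth!r}")
    return libs


def step_authorization(load_sequence: List[LoadModule],
                       apf_libs: Set[str]) -> Tuple[bool, List[str]]:
    """Walk the modules a job step loads, in order. Returns (authorized, log)."""
    log: List[str] = []
    if not load_sequence:
        return False, ["empty job step"]
    first = load_sequence[0]
    if first.ac != 1:
        log.append(f"{first.name}: AC={first.ac}, step runs as a problem program")
        return False, log
    if first.library not in apf_libs:
        log.append(f"{first.name}: AC=1 ignored, {first.library} is not APF-authorized")
        return False, log
    log.append(f"{first.name}: AC=1 from {first.library}, step is APF-authorized")
    for mod in load_sequence[1:]:
        if mod.library not in apf_libs:
            log.append(f"{mod.name}: load from {mod.library} rejected, "
                       "an authorized step may only load from APF libraries")
            return False, log  # z/OS: S306 abend
        log.append(f"{mod.name}: loaded from {mod.library}")
    return True, log


def weakly_protected(apf_libs: Set[str],
                     uacc_by_library: Dict[str, str]) -> List[Tuple[str, str]]:
    """APF libraries anyone could write to: no RACF profile, or a UACC of UPDATE
    or higher (the slide: only authorized users may store programs there)."""
    rank = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
    findings = []
    for lib in sorted(apf_libs):
        uacc = uacc_by_library.get(lib)
        if uacc is None:
            findings.append((lib, "no profile"))
        elif rank[uacc] >= rank["UPDATE"]:
            findings.append((lib, f"UACC {uacc}"))
    return findings


# Constructed configuration for the example (library names and UACCs invented).
INSTALLATION_APF = {"PROD.APF.LOADLIB"}
LINKLIST = ["SYS1.LINKLIB", "USER.LINKLIB"]
UACC = {"SYS1.LINKLIB": "READ", "PROD.APF.LOADLIB": "UPDATE"}  # no profile for SVCLIB/LPALIB

if __name__ == "__main__":
    apf = authorized_libraries(INSTALLATION_APF, LINKLIST)
    ok, log = step_authorization([LoadModule("PGMA", "SYS1.LINKLIB", ac=1),
                                  LoadModule("SUBA", "USER.LINKLIB")], apf)
    print(ok, *log, sep="\n  ")
    print(weakly_protected(apf, UACC))
```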
Operator Console Security

Consoles are assigned authority levels in the CONSOLxx parmlib member. Commands are grouped:
- INFO: informational commands
- SYS: system control commands
- IO: I/O commands
- CONS: console control commands
- MASTER: master console commands

Each console may have one or more levels.
Consoles

- At least one console must have master authority
- In a sysplex, consoles are shared
- It is possible to require logon to consoles using RACF
- All extended MCS consoles should require a logon
Security Roles

- The systems programmer sets up RACF
- The systems administrator implements the policies
- The Security Manager sets the policies
- Separation of duties is required to prevent uncontrolled access
zSeries "Security" Architecture

- Hardware storage isolation helps protect programs from each other: storage protect keys, address spaces, data spaces
- Program execution states help protect the operating system from unauthorized program actions
- Hardware Logical Partitions (LPAR) allow multiple operating system images within one processor box, each a complete, isolated operating system image space
Basics of z/OS Security

(Diagram: the RACF database holds profiles for users (with the Special, Auditor and Operations attributes), groups, datasets and general resources, with wildcards, resting on z/OS system integrity. A z/OS resource manager issues a SAF request on behalf of an MVS task or application, which runs under a RACF userid with its segments and RACF group and may be a started task (STC), trusted, or Special.)
z/OS Security

z/OS provides more security features than most people realize:
- You can run a firewall on z/OS (if you wanted to)
- PKI services are fully supported (you can create a digital certificate if you wanted to)
- Kerberos can be used as an authentication server
- LDAP server and client are supported
- There is a security server called RACF (Resource Access Control Facility)
- There is thread-level access support, and more...
z/OS ...and more

- SSL is supported
- IBM has a Communications Server, a.k.a. TCP/IP, that is honestly probably the best overall TCP implementation in the industry
- From a security standpoint, dynamic VPN, IPSec and VIPA are supported
- Cross-platform identity mapping is supported, called EIM (Enterprise Identity Mapping)
- MLS (Multi-Level Security)
- RACF controls UNIX superuser functions
RACF, the Security Server

RACF is used for the basic identification, authentication, access and audit control functions. It is more than that, but hold on for a bit...

With RACF you can do at least the following:
- Local or remote security administration
- User identification and authentication
- Resource authorization checking and system access control
- Audit reports and integrity reports
- Violation reporting
RACF has changed brand names

It confuses me what is what...
- It started out as RACF
- Went to OS/390 Security Server
- Then morphed to SecureWay Security Server for OS/390
- Now it might be SecureWay Security Server for z/OS (RACF)
- To me it is RACF...
RACF User Identification & Authentication for USS

z/OS UNIX user identification:
- RACF user profile with OMVS segment
- RACF group profile with OMVS segment
- No /etc/passwd file

User authentication:
- RACF password
- RACF PassTicket

z/OS UNIX logon: TSO, rlogin, telnet

(Diagram: the user profile's OMVS segment holds UID, HOME and PROGRAM.)
From Resource Managers to RACF and back for USS

(Diagram: shell commands, z/OS UNIX applications and z/OS UNIX utilities call the kernel; the kernel calls RACF through SAF and the RACF callable services, passing the UID/GID/userid, the type of access and the security packet; RACF returns the decision and writes SMF records.)
RACF Control of Superuser Functions

- Better security through RACF control instead of superuser authority: BPX.FILEATTR.*
- Less need for superuser authority through RACF control: class UNIXPRIV
- Improved accountability by switching into superuser mode only when needed: BPX.SUPERUSER, also used by SMP/E
RACF Control of User Identity Changes

- BPX.DAEMON: ability to validate and assume RACF identities; daemon programs can only change identity if authorized
- BPX.SERVER: surrogate assignment for POSIX threads; daemons can create threads with surrogate userids if authorized:
  - UPDATE: the client needs access authority to MVS resources
  - READ: client and server both need access authority
Protection of Daemons Against Modification and Misuse

Daemon programs typically run with UID 0 (superuser). They:
- Switch userids (UIDs) or authenticate user identities
- Open TCP/IP ports below 1024
- Invoke system commands or functions

If code can be modified or modules can be replaced, daemons can be misused. Modules are loaded from the MVS search order (STEPLIB, LPA, LNKLSTxx, ...) if the sticky bit is set on the HFS executable.

Critical functions can only be performed if the program environment is controlled:
- Modules loaded from a library defined with RACF Program Control
- Modules loaded from HFS files with the PROGCTL attribute set
More Secure than UNIX - USS

- BPX.DAEMON restricts the use of sensitive services
- BPX.DEBUG allows debugging of authorized programs
- BPX.FILEATTR.APF controls marking files authorized
- BPX.FILEATTR.PROGCTL controls marking files program controlled
- BPX.SERVER restricts the use of sensitive services
- BPX.SMF allows the writing of SMF records
- BPX.STOR.SWAP controls making address spaces non-swappable
- BPX.WLMSERVER controls access to the WLM interface
- BPX.SAFFASTPATH improves performance but prevents auditing of successful events
UNIXPRIV Resource Names

Resource Name      Privilege                                                      Access Req'd
-----------------  -------------------------------------------------------------  ------------
SUPERUSER.FILESYS  Read any HFS file; read and search any HFS directory           READ
SUPERUSER.FILESYS  Write any HFS file; also the privileges of READ access         UPDATE
SUPERUSER.FILESYS  Write any HFS directory; also the privileges of UPDATE access  CONTROL
UNIXPRIV for Mount and Quiesce

Mount and quiesce file systems:
- SUPERUSER.FILESYS.MOUNT
  - READ: mount or unmount a file system with the nosetuid attribute
  - UPDATE: mount or unmount a file system with the setuid attribute
- SUPERUSER.FILESYS.QUIESCE
  - READ: quiesce or unquiesce a file system mounted with nosetuid
  - UPDATE: quiesce or unquiesce a file system mounted with setuid
UNIXPRIV for other file actions

- SUPERUSER.FILESYS.CHOWN, READ: use chown to change the owner of any file
- SUPERUSER.FILESYS.PFSCTL, READ: allows use of the pfsctl() service
- SUPERUSER.FILESYS.VREGISTER, READ: allows use of the vreg() service to register as a VFS file server
Program Controlled Environment

(Diagram: the web server daemon in the web server address space is loaded from a RACF program-controlled, execute-controlled library; an uncontrolled program loaded under the same TCB is flagged, and the environment is no longer controlled.)
Process & Thread Security

Platforms such as UNIX and Windows NT:
- Can assign different user identities to processes
- Threads within a process all run under the same user identity
- To change the identity, a child process must be forked
- Process creation and deletion requires considerable overhead

z/OS:
- Can assign different user identities (userids) to processes and threads
- Processes are address spaces
- Medium- and heavyweight threads run with their own TCB (Task Control Block)
- Overhead for thread creation is much lower than for a process
- User identities can be assigned at the task (thread) level
- Access control is performed against the thread-level userid
Web Serving Security

On other platforms, the web server runs under a userid, e.g. "Nobody":
- This user needs access to all files served to users
- User authentication against a password file
- Access control against a mask (userid, IP address)
- Access control through the web server configuration file

On z/OS, the web server uses surrogate userids:
- User authentication in RACF
- Access control against the surrogate or client userid
- Access control rules can be much more fine-grained
- Errors in the web server configuration file can be caught if the file system is properly set up
- Use z/OS if user-based access control is needed
z/OS Web Server Protection Directives

Protection itso_only {
   Authtype Basic
   ServerID ITSO_SERVER
   PasswdFile %%SAF%%
   Mask All
}
Protect /itsodata/* itso-only %%CLIENT%%

- ServerID: unique identifier for the server
- Authtype Basic is the only valid value; it indicates that passwords are encoded (but not encrypted)
- PasswdFile: name of the password file for authentication of the client; %%SAF%% indicates that RACF is used
- Mask All: the server accepts only valid, authenticated userids defined in the password file (RACF)
- %%CLIENT%%: the server does a setuid to the client's ID before serving the request
RACF Certificate Support

Protection directive using certificate verification:

SSLClientAuth On
......
Protection confidential {
   Authtype Basic
   ServerID Conf_Server
   PasswdFile %%SAF%%
   UserID %%CERTIF%%
   Mask Anybody
}

- SSLClientAuth On enables client authentication for all SSL sessions
- PasswdFile: name of the password file for authentication of the client; %%SAF%% indicates that RACF is used
- UserID %%CERTIF%% tells the web server to ask RACF for the userid associated with the client certificate
- If "Mask All" is used, the user is additionally prompted for userid/password
Web Server Extensions for RACF

- The web server for z/OS allows the use of SAF authentication in place of the password file
  - Specify %%SAF%% as the password file
  - Access to files (HFS and MVS) is under normal RACF control
  - Subsequent functions are under control also (CGI, ICAPI, GWAPI)
- Authority can be based on the client userid
- A surrogate userid can be specified
  - Surrogate IDs can have limited access
  - Can mean less administrative overhead for large numbers of users
- All userids (surrogate or client) need a valid UID: an individual OMVS segment or a default UID/GID
- More effective access control within an enterprise
z/OS Security - Some basics

- Superior hardware and system integrity
- User identification and authentication through RACF
- RACF control of superuser functions
- RACF control of user identity changes
- Daemon protection against modification and misuse
- Thread-level security environment
Hardware and System Integrity

- The zArchitecture LPAR function provides B2-level (ITSEC E4) isolation between system images
- zArchitecture supervisor/problem program states and storage keys isolate the Trusted Computing Base from applications
- Tight control of the Authorized Program Facility (APF)
- The Link Pack Area (LPA) is write protected, even from privileged programs
- Address spaces are isolated from each other
- Fetch-protected storage can only be read by programs with the same storage key
- Formal commitment to system integrity since 1973, "Statement of System Integrity" since 1981
Workload Isolation

(Diagram: an IBM z990 server with two LPARs, each running its own RACF. LPAR A is the production partition, running CICS, DB2 and IMS on the corporate network (intranet); LPAR B is an isolated, secure partition running the IBM HTTP Server for z/OS and facing the Internet. Capacity can be increased or decreased dynamically between the partitions.)
RACF Interface

(Diagram)
First Security Basics

- Identification: the user identifies themselves to the system; usually done with a userid
- Authentication: authenticating that you are who you say you are; usually done with a password associated with the userid
- Authorization: after being identified and authenticated, you are authorized access, or entry, or...
  - Authorization is usually associated with resources, some real, some abstract (the abstraction relates to a resource)
  - A file is real
  - The user may be part of a group, and the system/application developers can include an authorization check in their code to see if execution can continue
PKI Services on z/OS

What are PKI Services?
- New component of the z/OS Security Server; always enabled but closely tied to RACF
- Complete Certificate Authority (CA) package with full certificate life cycle management
- User request driven via customizable web pages (browser or server certificates)
- Automatic or administrator approval process, administered using the same web interface
  - End user / administrator revocation process
- Certificate validation service for z/OS applications
- Manual: "z/OS Security Server PKI Services Guide and Reference"
- Available with z/OS 1.3
Kerberos on z/OS

- The Kerberos registry is integrated into the RACF registry; Kerberos is integrated using SAF
- The Kerberos KDC (Key Distribution Center) executes within a z/OS address space
  - The authentication server (AS) authenticates users and grants TGTs
  - The Ticket Granting Server (TGS) generates session keys and grants service tickets based on the TGT
- The OS/390 KDC behaves like any other Kerberos realm; Kerberos realm-to-realm function is supported
- Kerberos is efficient for a relatively small number of users individually defined to the security manager, e.g. enterprise employees via the intranet
- Digital certificates support very large numbers of users who are not individually defined to the security manager, e.g. web e-business customers via the Internet
Enterprise Identity Problems

(Diagram: the same person is "Arragon" on the client, "Swordman" on Linux and "Warrior" on z/OS.)

A user can have different identities at each tier, and even within a tier.
The problem is...

Many userids may represent an enterprise user:
- Operating systems with different registries
- Application-specific user identification schemes (userid/password vs digital certificate)
- Distributed technologies for user identification, with different registries: RACF vs LDAP vs Kerberos
- System/application-specific authorization mechanisms
- Managing the enterprise user: creating / changing / deleting
New EIM Support

- New eServer cross-platform initiative
- Infrastructure component: new services and API (C/C++), LDAP extensions
- Allows development of servers and administrative applications to:
  - Transform user IDs as work flows across systems
  - Administer multi-system, cross-platform ID mappings
- EIM provides a foundation to solve the enterprise user problems
- RACF support in z/OS R4: new EIM segment,
Restricted Utilities

Restricted utilities are programs that have the capability of bypassing normal security controls, like:
- Backup/recovery tools: ADRDSSU, FDR
- Zappers: AMASPZAP, IMASPZAP, IRRUT300
- Initialization routines: IEHINITT, tape INIT utilities
z/OS Access Control - Concept

(Diagram: a program in the user address space requests access to data; z/OS passes the request through SAF to RACF, which checks the user's ACEE (userid, group ID, defaults) against the RACF database and returns the decision.)
Same Idea for USS

(Diagram: a shell script, utility, command or application running in the user address space calls the USS kernel in the kernel address space; the kernel calls RACF, which uses the user and group profiles in the RACF database and the user's ACEE and USP.)
z/OS UNIX System Services

The UNIX environment is integrated into z/OS:
- Hybrid security mechanisms: UNIX UIDs and GIDs are used, as well as file permissions
- Users and groups are defined in RACF, not in /etc/security/passwd
- UNIX API calls like getpwnam() or __passwd() are implemented
- Security services are performed by RACF; UNIX security is strengthened by RACF functions
- SMF is used for logging
- Control of superuser functionality
- Control of security context switching
- Applications can use UNIX and MVS functions
USS HFS FSP

- Files in the Hierarchical File System are not protected with RACF profiles
- RACF classes for UNIX System Services resources exist, but are only used for global auditing options
- The File Security Packet (FSP) contains the permission bits
- The FSP for each file exists in the directory (as in other UNIX systems, where the FSP is in the inode)
- Access to the file is not sufficient; the user also needs access to the directories from the root down
- When a file is created, an FSP is created; UMASK determines the permission bits in the new FSP
- The FSP concept lacks flexibility; Access Control Lists (ACLs) will be implemented in the future
Superusers

- In UNIX systems, the superuser can access any file and switch to any other user's identity
- In z/OS USS, the superuser can access any USS file, but:
  - The superuser cannot switch into another user's identity without knowing the user's password or having SURROGAT authorization
  - Functions such as setting extended attributes require access to a FACILITY class profile, not superuser
- Users with access to BPX.SUPERUSER can switch into superuser mode
  - Administrators and system programmers do not use UID=0 unless needed
  - Improved accountability
  - Supported by SMP/E since OS/390 V2R7
USS Security >> UNIX Security

No /passwd file:
- RACF is used for user authentication
- Benefit: /passwd file-based hacker attacks won't work

Superuser:
- UNIX superusers (uid=0) have complete authority over UNIX systems; in z/OS their use is minimized and controlled
- RACF controls users' ability to enter superuser state
- A user can be given a subset of superuser privileges
- Superuser privileges apply only to USS resources; they do not bypass access checks for non-USS resources (e.g. z/OS datasets)
- Benefit: no need to distribute the root userid and password to multiple people; finer granularity in granting user capabilities; the superuser cannot bypass security for "traditional" z/OS resources
More USS Security Advantages

- Associates a user identity with all processes and activities
- Requires user authentication for all commands, including TCP/IP commands
  - No trusted hosts (hosts.equiv) or trusted remote hosts (.rhosts) support: no rlogin without authentication
  - No remote execution /etc/rexecd file: no command execution without authentication
  - Benefit: provides superior auditing/logging/accountability
- RACF provides extensive controls on what is audited
  - Benefit: better intrusion detection
- Control of server code authenticity: servers can be required to load only protected programs from HFS or from program-controlled MVS load libraries
  - Benefit: reduced ability to create trojan-horse servers
USS and RACF

- 'Protected' userids for started procedures and daemons: no logon, no su, no revoked userid from password guessing
- 'Restricted' userids for 'guest' users: access authorities must be explicitly granted to the user or group; no 'default' access authority surprises
- A userid can be both restricted and protected
75zCPO zClass Introduction to z/OS
zSeries “Security” Architecture
Hardware storage isolation: helps protect programs from each other Storage protect keys Address spaces Data Spaces
Program execution states: helps protect operating system from unauthorized program actions
Hardware Logical Partitions (LPAR): allows multiple operating system images within one processor box A complete, isolated, operating system image space
76zCPO zClass Introduction to z/OS
RACF the Security Server RACF is used for the basic identification, authentication, access
and audit control functions. It is more than that, but hold on for a bit…
With RACF you can do at least the following: Local or remote security administration User identification and authentication Resource authorization checking and system access control Audit reports and integrity reports Violation reporting
77zCPO zClass Introduction to z/OS
RACF has changed brand names
It confuses me what is what… It started out as RACF Went to OS/390 Security Server Then morphed to SecureWay Security Server for OS/390 Now it might SecureWay Security Server for z/OS (RACF) To me it is RACF…
78zCPO zClass Introduction to z/OS
RACF User Identification & Authentication for USS
z/OS UNIX user identification RACF user profile with OMVS segment RACF group profile with OMVS segment no /etc/passwd file
User authentication RACF password RACF PassTicket
z/OS UNIX logon TSO r_login, telnet
OMVS
User profile
UID
HOME
PROGRAM
79zCPO zClass Introduction to z/OS
From Resource Managers to RACF and back for USS

[Diagram: shell commands, z/OS UNIX applications and z/OS UNIX utilities call the kernel; the kernel calls RACF through SAF and the RACF callable services, passing the UID/GID/userid and the type of access; RACF returns the decision in the security packet and writes SMF records]
RACF Control of Superuser Functions

- Better security through RACF control instead of superuser authority (BPX.FILEATTR.*)
- Less need for superuser authority through RACF control (class UNIXPRIV)
- Improved accountability by switching into superuser mode only when needed (BPX.SUPERUSER, also used by SMP/E)
RACF Control of User Identity Changes

BPX.DAEMON
- Ability to validate and assume RACF identities
- Daemon programs can only change identity if authorized
BPX.SERVER
- Surrogate assignment for POSIX threads
- Daemons can create threads with surrogate userids if authorized:
  − UPDATE: the client needs access authority to the MVS resources
  − READ: client and server both need access authority
Protection of Daemons Against Modification and Misuse

Daemon programs typically run with UID 0 (superuser); they
- switch userids (UIDs) or authenticate user identities
- open TCP/IP ports below 1024
- invoke system commands or functions
If code can be modified or modules can be replaced, daemons can be misused
Modules are loaded from the MVS search order (STEPLIB, LPA, LNKLSTxx, ...) if the sticky bit is set on the HFS executable
Critical functions can only be performed if the program environment is controlled:
- Modules loaded from a library defined with RACF Program Control
- Modules loaded from HFS files with the PROGCTL attribute set
More Secure than UNIX - USS

- BPX.DAEMON - restricts the use of sensitive services
- BPX.DEBUG - allows debugging of authorized programs
- BPX.FILEATTR.APF - controls marking files APF-authorized
- BPX.FILEATTR.PROGCTL - controls marking files program controlled
- BPX.SERVER - restricts the use of sensitive services
- BPX.SMF - allows the writing of SMF records
- BPX.STOR.SWAP - controls making address spaces non-swappable
- BPX.WLMSERVER - controls access to the WLM interface
- BPX.SAFFASTPATH - improves performance but prevents auditing of successful events
UNIXPRIV Resource Names

Resource Name       Privilege                                                   Access Req'd
SUPERUSER.FILESYS   Read any HFS file; read and search any HFS directory        READ
SUPERUSER.FILESYS   Write any HFS file; also the privileges of READ access      UPDATE
SUPERUSER.FILESYS   Write any HFS directory; also the privileges of UPDATE      CONTROL
UNIXPRIV for Mount and Quiesce

Mount and quiesce file systems
SUPERUSER.FILESYS.MOUNT
  − READ: mount or unmount a file system with the nosetuid attribute
  − UPDATE: mount or unmount a file system with the setuid attribute
SUPERUSER.FILESYS.QUIESCE
  − READ: quiesce or unquiesce a file system mounted with nosetuid
  − UPDATE: quiesce or unquiesce a file system mounted with setuid
UNIXPRIV for other file actions

SUPERUSER.FILESYS.CHOWN
  − READ: use chown to change the owner of any file
SUPERUSER.FILESYS.PFSCTL
  − READ: allows use of the pfsctl() service
SUPERUSER.FILESYS.VREGISTER
  − READ: allows use of the vreg() service to register as a VFS file server
Program Controlled Environment

[Diagram: the web server daemon runs in its own address space and loads its modules from a RACF program controlled (execute-controlled) library; an uncontrolled program loaded under a TCB in the same address space is marked with a question mark, because once it is present the environment is no longer considered program controlled]
Process & Thread Security

Platforms such as UNIX and Windows NT can assign different user identities to processes
- Threads within a process all run under the same user identity
- To change the identity, a child process must be forked
- Process creation and deletion requires considerable overhead
z/OS can assign different user identities (userids) to processes and threads
- Processes are address spaces
- Medium- and heavyweight threads run with their own TCB (Task Control Block)
- Overhead for thread creation is much lower than for a process
- User identities can be assigned at the task (thread) level
- Access control is performed against the thread-level userid
Web Serving Security

On other platforms, the web server runs under a userid, e.g. "nobody"
- This user needs access to all files served to users
- User authentication against a password file
- Access control against a mask (userid, IP address)
- Access control through the web server configuration file
On z/OS, the web server uses surrogate userids
- User authentication in RACF
- Access control against the surrogate or client userid
- Access control rules can be much more fine-grained
- Errors in the web server configuration file can be caught if the file system is properly set up
Use z/OS if user-based access control is needed
z/OS Web Server Protection Directives

Protection itso_only {
   Authtype   Basic
   ServerID   ITSO_SERVER
   PasswdFile %%SAF%%
   Mask       All
}
Protect /itsodata/* itso_only %%CLIENT%%

- ServerID: unique identifier for the server (the Protect directive must name the same setup, itso_only, as the Protection directive)
- Authtype Basic is the only valid value; it indicates that passwords are base64-encoded, not encrypted, on the wire
- PasswdFile: name of the password file for authentication of the client; %%SAF%% indicates to use RACF
- Mask All: the server accepts only valid, authenticated userids defined in the password file (RACF)
- %%CLIENT%% on the Protect directive: the server does setuid to the client's ID before serving the request
RACF Certificate Support

Protection directive using certificate verification:

SSLClientAuth On
......
Protection confidential {
   Authtype   Basic
   ServerID   Conf_Server
   PasswdFile %%SAF%%
   UserID     %%CERTIF%%
   Mask       Anybody
}

- SSLClientAuth On enables client authentication for all SSL sessions
- PasswdFile: name of the password file for authentication of the client; %%SAF%% indicates to use RACF
- UserID %%CERTIF%% tells the web server to ask RACF for the userid associated with the client certificate
- Mask Anybody: the certificate alone identifies the client; if "Mask All" is used instead, the user is prompted for a userid/password additionally
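The two preceding slides describe the directives by prose only; the following is an added example that is not part of the slides and not the IBM HTTP Server's own code. It parses a constructed configuration containing both Protection setups and two Protect rules, then decides, for a given request, whether the client is authenticated and under which identity the request is served (the client's own userid for %%CLIENT%%, otherwise the surrogate named on the Protect directive). The SAF registry is a stand-in dictionary, the certificate subject to userid mapping imitates what %%CERTIF%% asks RACF for, and the surrogate userid WEBSRV1 and all userids and passwords are assumptions made for the example.

```python
import base64
import fnmatch
import re

# Constructed stand-in for the SAF/RACF registry: userid -> password, and
# client certificate subject -> userid (the lookup %%CERTIF%% asks RACF to do)
SAF_PASSWORDS = {"ITSOU1": "secret1", "ITSOU2": "secret2"}
SAF_CERT_MAP = {"CN=ITSO User Two,O=ITSO": "ITSOU2"}

CONFIG = """\
SSLClientAuth On
Protection itso_only {
   Authtype   Basic
   ServerID   ITSO_SERVER
   PasswdFile %%SAF%%
   Mask       All
}
Protection confidential {
   Authtype   Basic
   ServerID   Conf_Server
   PasswdFile %%SAF%%
   UserID     %%CERTIF%%
   Mask       Anybody
}
Protect /itsodata/*     itso_only    %%CLIENT%%
Protect /confidential/* confidential WEBSRV1
"""

def parse_config(text):
    """Collect Protection setups and Protect rules (simplified directive grammar)."""
    setups, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is not None:                      # inside a Protection { } block
            if line == "}":
                current = None
            else:
                key, _, value = line.partition(" ")
                setups[current][key] = value.strip()
            continue
        m = re.match(r"Protection\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            setups[current] = {}
            continue
        parts = line.split()
        if parts[0] == "Protect":                    # Protect <template> <setup> <serve-as id>
            rules.append((parts[1], parts[2], parts[3]))
    return setups, rules

def basic_header(userid, password):
    """The Authorization header a browser sends for Authtype Basic (base64, not encryption)."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode()).decode()

def authenticate(setup, auth_header, cert_subject):
    """Return the authenticated userid or None, following the UserID and Mask settings."""
    if setup.get("PasswdFile") != "%%SAF%%":
        raise ValueError("this model only supports %%SAF%% authentication")
    if setup.get("UserID") == "%%CERTIF%%" and cert_subject:
        userid = SAF_CERT_MAP.get(cert_subject)
        if userid and setup.get("Mask") == "Anybody":
            return userid                            # certificate alone identifies the client
    # Mask All (or no usable certificate): a valid userid/password is required
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        userid, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    userid = userid.upper()
    return userid if SAF_PASSWORDS.get(userid) == password else None

def serve(setups, rules, path, auth_header=None, cert_subject=None):
    """Return (status, identity the request is served under, authenticated client)."""
    for template, setup_name, serve_as in rules:
        if fnmatch.fnmatchcase(path, template):
            client = authenticate(setups[setup_name], auth_header, cert_subject)
            if client is None:
                return 401, None, None               # challenge with the setup's ServerID
            return 200, (client if serve_as == "%%CLIENT%%" else serve_as), client
    return 200, "SERVER", None                       # no Protect rule: served under the server's own ID
```

A request for /itsodata/ without credentials gets a 401, and with a valid RACF password it is served as that client; a request for /confidential/ with a mapped client certificate is served under the surrogate WEBSRV1 while the audit trail still records ITSOU2 as the authenticated client. Note that the model enforces the slide's rule that Mask All always demands a password even when a certificate is present.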
Web Server Extensions for RACF

The web server for z/OS allows the use of SAF authentication in place of the password file
- Specify %%SAF%% as the password file
- Access to files (HFS and MVS) is under normal RACF control
- Subsequent functions are under control also (CGI, ICAPI, GWAPI)
Authority can be based on the client userid
- A surrogate userid can be specified instead
- Surrogate IDs can have limited access
- Can mean less administrative overhead for large numbers of users
All userids (surrogate or client) need a valid UID
- Individual OMVS segment or default UID/GID
More effective access control within an enterprise
z/OS Security – Some basics

- Superior hardware and system integrity
- User identification and authentication through RACF
- RACF control of superuser functions
- RACF control of user identity changes
- Daemon protection against modification and misuse
- Thread-level security environment
Hardware and System Integrity

- The zArchitecture LPAR function provides B2-level (ITSEC E4) isolation between system images
- zArchitecture supervisor and problem program states and storage keys isolate the Trusted Computing Base from applications
- Tight control of the Authorized Program Facility (APF)
- The Link Pack Area (LPA) is write protected even from privileged programs
- Address spaces are isolated from each other
- Fetch-protected storage can only be read by programs running with the same storage key (or with key 0)
- Formal commitment to system integrity since 1973, "Statement of System Integrity" since 1981
Workload Isolation

[Diagram: one IBM z990 server running two LPARs. LPAR A (production) runs CICS, DB2, IMS and RACF on the corporate network (intranet); LPAR B (isolated, secure) runs IBM HTTP Server for z/OS with its own RACF and faces the Internet. Capacity can be increased or decreased dynamically between the LPARs.]
RACF Interface
First Security Basics

Identification: the user identifies themselves to the system; usually done with a userid.
Authentication: proving you are who you say you are; usually done with a password associated with the userid.
Authorization: after being identified and authenticated, you are authorized access, or entry, or...
- Authorization is usually associated with resources, some real, some abstract (the abstraction relates to a resource)
  − A file is real.
  − The user may be part of a group, and the system/application developers can include an authorization check in their code to see if execution can continue.
PKI Services on z/OS

What are PKI Services?
- New component of the z/OS Security Server
- Always enabled but closely tied to RACF
- Complete Certificate Authority (CA) package
- Full certificate life cycle management
  − User request driven via customizable web pages (browser or server certificates)
  − Automatic or administrator approval process, administered using the same web interface
  − End user / administrator revocation process
- Certificate validation service for z/OS applications
- Manual: "z/OS Security Server PKI Services Guide and Reference"
- Available with z/OS 1.3
Kerberos on z/OS

- Kerberos registry integrated into the RACF registry
- Kerberos integrated using SAF
- The Kerberos KDC (Key Distribution Center) executes within a z/OS address space
  − The authentication server (AS) authenticates users and grants TGTs
  − The ticket granting server (TGS) generates session keys and grants service tickets based on the TGT
- The OS/390 KDC behaves like any other Kerberos realm; Kerberos realm-to-realm function is supported
- Kerberos: efficient for a relatively small number of users, individually defined to the security manager, e.g. enterprise employees via an intranet
- Digital certificates: support very large numbers of users who are not individually defined to the security manager, e.g. web e-business customers via the Internet
Enterprise Identity Problems

[Diagram: the same person is known as "Arragon" on the client, "Swordman" on Linux and "Warrior" on z/OS]
Can have different identities at each tier and even within a tier
The problem is...

Many userids may represent an enterprise user
- Operating systems with different registries
- Application-specific user identification schemes
  − USERID/password vs digital certificate
- Distributed technologies for user identification
  − Different registries: RACF vs LDAP vs Kerberos
- System/application-specific authorization mechanisms
Managing the enterprise user
- Creating / changing / deleting
New EIM Support

- New eServer cross-platform initiative
- Infrastructure component
  − New services and API (C/C++)
  − LDAP extensions
- Allows development of servers and administrative applications to
  − Transform user IDs as work flows across systems
  − Administer multi-system, cross-platform ID mappings
- EIM provides a foundation to solve the enterprise user problems
- RACF support in z/OS R4: new EIM segment
Restricted Utilities

Restricted utilities are programs that have the capability of bypassing normal security controls, such as:
- Backup/recovery tools: ADRDSSU, FDR
- Zappers: AMASPZAP, IMASPZAP, IRRUT300
- Initialization routines: IEHINITT, tape INIT utilities
z/OS Access Control - Concept

[Diagram: a program in the user address space requests access to data; z/OS calls RACF through SAF; RACF consults the RACF database and the user's ACEE (userid, group ID, defaults) and returns the decision]
Same Idea for USS

[Diagram: a shell, shell script or utility, command or application in the user address space calls the USS kernel (in the kernel address space), which calls RACF; RACF uses the user and group profiles in the RACF database together with the user's ACEE and USP]
z/OS UNIX System Services

The UNIX environment is integrated into z/OS
Hybrid security mechanisms
- UNIX UIDs and GIDs are used, as well as file permissions
- Users and groups are defined in RACF, not in /etc/security/passwd
- UNIX API calls like getpwnam() or __passwd() are implemented
Security services are performed by RACF
- UNIX security is strengthened by RACF functions
- SMF is used for logging
- Control of superuser functionality
- Control of security context switching
Applications can use UNIX and MVS functions
USS HFS FSP

- Files in the Hierarchical File System are not protected with RACF profiles
- RACF classes for UNIX System Services resources exist, but are only used for global auditing options
- The File Security Packet (FSP) contains the permission bits
- An FSP for each file exists in the directory (in other UNIX systems the equivalent information is in the inode)
- Access to a file is not sufficient; the user also needs search access to the directories from the root down
- When a file is created, its FSP is created; the UMASK determines the permission bits in the new FSP
- The FSP concept lacks flexibility; Access Control Lists (ACLs) will be implemented in the future
Superusers

In UNIX systems, the superuser can access any file and switch to any other user's identity
In z/OS USS, the superuser can access any USS file, but:
- With BPX.DAEMON active, the superuser cannot switch into another user's identity without knowing the user's password or having SURROGAT authorization
- Functions such as setting extended attributes require access to a FACILITY class profile, not superuser
- Users with access to BPX.SUPERUSER can switch into superuser mode
  − Administrators and system programmers do not use UID=0 unless needed
  − Improved accountability
  − Supported by SMP/E since OS/390 V2R7
USS Security >> UNIX Security

No /etc/passwd file: RACF is used for user authentication
- Benefit: /etc/passwd file-based hacker attacks won't work
Superuser
- UNIX superusers (uid=0) have complete authority over UNIX systems; in z/OS their use is minimized and controlled
- RACF controls users' ability to enter the superuser state
- A user can be given a subset of superuser privileges
- Superuser privileges apply only to USS resources
- Superuser privileges do not bypass access checks for non-USS resources (e.g., z/OS data sets)
Benefit:
- No need to distribute the root userid and password to multiple people
- Finer granularity in the granting of user capabilities
- The superuser cannot bypass security for "traditional" z/OS resources
More USS Security Advantages

Associates a user identity with all processes and activities
Requires user authentication for all commands, including TCP/IP commands
- No trusted hosts (hosts.equiv) or trusted remote hosts (.rhosts) support
  − No rlogin without authentication
- No remote execution via an /etc/rexecd file
  − No command execution without authentication
Benefit: provides superior auditing/logging/accountability
- RACF provides extensive controls on what is audited
Benefit: better intrusion detection
Control of server code authenticity
- Servers can be required to load only protected programs from the HFS or from program controlled MVS load libraries
Benefit: reduced ability to create trojan-horse servers
Enterprise Security Has Become a Key Business Requirement

- 2006 Deloitte Security Survey
- More than 1,100 Department of Commerce laptop computers with personal data were lost, stolen or missing in the last 5 years - CNET 09-22-2006
- ChoicePoint will pay $10M in civil penalties and $5M in consumer redress to settle FTC privacy charges - FTC release 1/26/06
- During the past 12 months companies reported 331 attempted and 39 successful breaches per company - InfoWorld survey 10/20/2006
Questions Auditors Might Ask

[Diagram: the products RACF, Communications Server, Tivoli Federated Identity Manager, Tivoli Identity Manager, Consul InSight, Consul System z Tools, DB2 Audit Management Expert and Tape Encryption placed over the four areas Platform Infrastructure, Compliance and Audit, Data Privacy and Extended Enterprise, with these questions:]
- Do you know if anyone attempted an attack on the mainframe?
- How do you prevent unauthorized access?
- Can your DB2 auditors get at the information they need?
- Are you reporting consistently across the enterprise?
- Do you know if administrators are abusing privileges?
- How do you know that only authorized users are given user accounts?
- How did you protect your Web services applications?
- How do you know your archival customer data is protected?
Enterprise Security Needs Many Elements

[Diagram: the four areas Platform Infrastructure, Compliance and Audit, Data Privacy and Extended Enterprise, populated with these elements: multilevel security, key management, TS1120 tape encryption, Common Criteria ratings, support for standards (VPNs etc.), PKI services, RACF (provides audit, authorization, authentication and access), Communications Server (network intrusion detection), Consul InSight, Consul System z Tools, DB2 Audit Management Expert, Tivoli Identity Manager, Tivoli Federated Identity Manager, crypto cards, System z SMF]
Common Criteria Certifications Show System z Platform Security Leads the Industry

What is Common Criteria?
- Common Criteria is an accepted standard for evaluating the inherent security of a computing system
- Common Criteria is based on a set of functional and assurance requirements
- A higher EAL rating means the product was evaluated to a deeper level of assurance; by itself it does not mean the product is more secure
- The security requirements in Common Criteria have gained support as "best practices"
- IBM System z holds the highest EAL grades in Common Criteria!
[Diagram: System z LPARs (EAL 5) connected by HiperSockets, with logical partitions running z/OS 1.7 (EAL 4+), z/OS 1.8 (in evaluation at EAL 4+) and z/VM 5.1 + RACF (EAL 3+) hosting Linux guest VMs with Red Hat EL3 (EAL 4+) and SUSE LES9 (EAL 4+)]
System z is a hacker's nightmare!

Security begins with System z secure processing
- Allows customers to run multiple workloads on a single image
- Stops viruses and worms from disrupting operations
Workload isolation
  − Isolation of users in separate address spaces
  − Processing integrity with LPAR separation
  − System programs separated from user programs
Not harmed by malware
  − Viruses cannot be readily introduced
Communications
  − Internal HiperSocket communications are not easily intercepted
Authorized Program Facility (APF)
  − Only programs from APF-authorized libraries can use restricted system services
  − Cross memory services prevent unauthorized access
System Integrity Statement
  − IBM accepts responsibility for integrity exposures found by customers
RACF* – At the Heart of System z Security

RACF controls authorization and authentication
- Identifies and authorizes users
- Controls access to resources
- Authenticates users through passwords or (PKI) digital certificates
- Provides auditing and logging
- Enables central administration of several systems
The RACF structure is enforced automatically
- The system blocks unauthorized attempts
- Unauthorized programs cannot bypass RACF
RACF is integrated with System z middleware
- Transaction monitors, DB2, CICS, IMS, WebSphere
These resources are protected by RACF: DB2, VSAM, IMS, CICS, TSO, disk, tape, print, JES2 & JES3, console, VTAM, SDSF, WebSphere MQ, programs, keys
Integrated security across the platform
* Resource Access Control Facility
Authenticate at Low Cost with Digital Certificate Services

Banco do Brasil saves an estimated $16M a year in digital certificate costs by using the digital certificate services offered free with System z
- A digital certificate is an electronic identifier that establishes your credentials on the Web
- Recently digital certificate use has grown to help meet compliance requirements
- z/OS automatically provides support for digital certificate services (PKI)
  − Uses the System z cryptographic processor
  − No need for extra infrastructure
  − Processes thousands of certificates at low cost
- The mainframe can serve as a certificate authority - an authority that manages provisioning of digital certificates. This eliminates fees to third parties ($5 - $7 per certificate) for issuing certificates
Built in Security to Defend Against Network Attacks

Intrusion Detection from Communications Server enables detection of network traffic attacks
- Automatic application of defensive mechanisms
- Evaluates inbound encrypted data for suspect activity
- Policy controls connection limits and packet discard
- Detects anomalies in real time
- Avoids the overhead of per-packet evaluation against known attacks
- Scan detection and reporting
- Can map the target of an attempted attack
- Integrates with Tivoli Security Operations Manager
- Protects against network attacks even for encrypted data
[Diagram: the Communications Server stack (application layer, IP layer, data link layer) with a traffic filter that permits or denies traffic; network traffic is filtered for extra protection]
Securing Applications with AT-TLS

Provide cryptographic protection without changing application code
- Application Transparent Transport Layer Security (AT-TLS)* provides cryptographic protection between clients and servers
- Configure encryption via the Communications Server policy agent
- An application can also issue AT-TLS calls to receive user identity information based on the client certificate
- AT-TLS uses an optimized infrastructure that outperforms native SSL/TLS
* Transport Layer Security (TLS) is based on Secure Socket Layer (SSL)
[Diagram: applications, sockets, TCP, IP networking layer, network interfaces; the policy agent installs the policy and the System SSL calls are made at the TCP layer, so encryption is performed at the TCP layer, below the application]
Enterprise Security Needs Many Elements (Data Privacy)

[Diagram repeated, now highlighting the Data Privacy area: secured database access, multilevel security, key management, archive data on TS1120 tape encryption, crypto cards (tamper-proof process for offline storage)]
The Foundation of Data Privacy is Encryption

Free - CP Assist for Cryptographic Function (CPACF)
- Each system processor has a hardware assist on the chip for cryptography
- CPACF provides cryptographic functions for encryption and decryption of data
- Used for SSL, VPN, and data storing applications
- Includes DES, T-DES and AES encryption and SHA-1 and SHA-256 hashing
Priced Feature - Crypto Hardware Processor Card, Crypto Express2
- High performance, tamper-resistant environment for secure key cryptography
- 6000 Secure Socket Layer handshakes per second
- The key is encrypted in hardware and never exposed
Integrated Cryptographic Service Facility (ICSF)
- Provides APIs for encryption via CPACF or Crypto Express2
- Routes work to the appropriate crypto processing resource
- Included in z/OS
- Used to administer the cryptographic hardware and keys
[Diagram: applications call ICSF, which routes encrypt/decrypt requests to CPACF or Crypto Express2]
Encryption Protects Data Privacy on the Network

[Diagram: z/OS to z/OS traffic passes through two routers; with IPSec in the Communications Server on both ends it is encrypted "end to end"]
- End-to-end network encryption is needed to meet Payment Card Industry requirements
- The System z Communications Server encrypts network data end-to-end
  − Supports the IPSec protocol for virtual private networks across the Internet
  − Announced support for use of the zIIP specialty engine for IPSec traffic
- New support for encrypting data on the mainframe before sending it to printers
  − IPSec support installed in new printers
  − LAN printers can now print confidential material on secured printers
- Router-based encryption is not enough: it may expose data in the clear between the host and the router
DB2 Encryption Protects Data Privacy in the Database

[Diagram: data is in the clear only in the application; encrypted by column or row, it stays encrypted in the DB2 buffer pools, in the channel, and on disk, in dumps and in archived files]
Encrypted by DB2
- Table and index encryption
- Image copies encrypted
- Logs/archives encrypted
- Data encrypted in buffers
- Data sent by DRDA
- Data not exposed!
DB2 uses encryption to protect the data:
- Column level encryption
  − Enabled by the application
- Row level encryption
  − IBM Encryption Tool for DB2
  − Optional feature
Optional Ability to Automatically Encrypt All Data on Tape

Storage based
- High performance tape encryption
- Standard feature on all new TS1120 tape drives
- Cost effectively encrypt all tape data
- Offloads the host processing encryption overhead
- Minimizes impact to existing processes and applications
- Leverages System z key management, so you won't lose the key
Key flow:
1. Load the tape cartridge and provide the key labels
2. The tape drive requests a key
3. The Encryption Key Manager generates a data key and encrypts it with the key identified by the label
4. The encrypted keys are transmitted to the tape drive
5. The tape drive writes the encrypted data and stores the encrypted key on the cartridge
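The five-step key flow above is an envelope-encryption design: the cartridge never carries a clear data key, only the data key wrapped under a key-encrypting key (KEK) that lives in the key manager and is addressed by label. The following is an added example, not IBM's EKM or TS1120 code and not from the slides, that walks the same five steps and then shows the two failure modes a practitioner cares about: a cartridge whose KEK label no longer exists in the key manager is unrecoverable, and a tampered wrapped key is rejected before any data is decrypted. The EncryptionKeyManager class, the label PAYROLL_KEK and the HMAC-SHA256 counter-mode keystream (a PRF used here as a stand-in for the AES the real drive uses, so the example runs with the Python standard library only) are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

def keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 in counter mode (a PRF; stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_crypt(key, nonce, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

class EncryptionKeyManager:
    """Holds key-encrypting keys by label and hands out fresh, wrapped data keys."""

    def __init__(self):
        self._keks = {}
        self.audit = []                      # what an auditor would see, per request

    def define_kek(self, label):
        self._keks[label] = os.urandom(32)   # step 1: the label names this key

    def request_key(self, label):
        """Steps 2-4: drive asks by label; EKM generates a data key and returns
        it together with the same key wrapped (and integrity-tagged) under the KEK."""
        kek = self._keks[label]
        data_key, nonce = os.urandom(32), os.urandom(16)
        wrapped = xor_crypt(kek, nonce, data_key)
        tag = hmac.new(kek, label.encode() + nonce + wrapped, hashlib.sha256).digest()
        self.audit.append(("GENERATE", label))
        return data_key, {"label": label, "nonce": nonce, "wrapped": wrapped, "tag": tag}

    def unwrap(self, wrapped_key):
        """Restore path: the drive hands back what is stored on the cartridge;
        the EKM unwraps it only if the KEK still exists and the tag verifies."""
        kek = self._keks.get(wrapped_key["label"])
        if kek is None:
            raise KeyError(f"no KEK for label {wrapped_key['label']}: cartridge unrecoverable")
        expect = hmac.new(kek, wrapped_key["label"].encode() + wrapped_key["nonce"]
                          + wrapped_key["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, wrapped_key["tag"]):
            raise ValueError("wrapped key fails integrity check")
        self.audit.append(("UNWRAP", wrapped_key["label"]))
        return xor_crypt(kek, wrapped_key["nonce"], wrapped_key["wrapped"])

def write_cartridge(ekm, label, plaintext):
    """Step 5: the cartridge carries ciphertext plus the wrapped key, never the clear key."""
    data_key, wrapped_key = ekm.request_key(label)
    nonce = os.urandom(16)
    return {"wrapped_key": wrapped_key, "nonce": nonce,
            "ciphertext": xor_crypt(data_key, nonce, plaintext)}

def read_cartridge(ekm, cartridge):
    data_key = ekm.unwrap(cartridge["wrapped_key"])
    return xor_crypt(data_key, cartridge["nonce"], cartridge["ciphertext"])

def recoverable(ekm, cartridge):
    """True if this key manager can still bring the cartridge back."""
    try:
        read_cartridge(ekm, cartridge)
        return True
    except (KeyError, ValueError):
        return False
```

The "so you won't lose the key" promise on the slide therefore rests on the KEKs: back them up (in the real product they sit in ICSF or a keystore on crypto cards), because every cartridge written under a label is only as recoverable as that label's KEK. Sharing a tape with a business partner is the same flow with a KEK the partner holds.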
Encryption Facility Makes Encryption Accessible to Business Partners

IBM Encryption Facility for z/OS
- Encryption Services (feature)
  − For encryption and decryption of files
  − Uses public/private keys or passwords
  − Leverages System z key management, cryptography and compression
  − Now enhanced to support the OpenPGP standard
- DFSMSdss Encryption (feature)
  − Encryption and compression of dump data sets
  − Offers decryption and decompression during restore
  − Leverages System z key management, cryptography and compression
- Encryption Facility Client (web download)
  − Use Encryption Facility for z/OS, or on non-z/OS systems use the Encryption Client (Java code)
Keep Your Key Safe with System z Key Management

Encryption Key Manager (EKM)
- Java program that transparently generates, serves, stores, and maintains encryption keys
- Helps protect and manage keys
  − Generates and serves keys to tape drives
  − Utilizes tamper-resistant crypto cards to store "secure keys"
  − Obtains the required keys from key stores including the Integrated Cryptographic Service Facility (ICSF)
- Provides a single point of control
  − Simplified recovery of keys
  − Auditable through RACF
  − Over a decade of proven production use
  − Available at no additional charge
- Enables you to share tapes with business partners
DB2 Multi Level Security

With DB2 multilevel security, data can be consolidated onto a single database, restricting access to only authorized users
- A single image of data is sharable by multiple enterprise departments with different levels of "need to know"

[Example table from the slide: every row carries a security label; the viewers shown are an executive risk analyst, a bank analyst and an internal auditor]
SECURITY label         Revenue   Area       Loss
Executive              234       USA        3%
Finance Secret         198       Ohio       13%
Executive              2         Maine      29%
Finance Confidential   234       USA        11%
Finance Secured        87        Texas      14%
Finance Secured        23        New York   20%
Audit Confidential     223       USA        10%
Finance Secured        45        Canada     29%

Goals of compartmentalized data
- Same database used by organizations with a different need to know
- Prevent unauthorized individuals from accessing information at a higher classification than authorized
- Prevent unauthorized declassification of information
DB2 multilevel security
- Restricts row level access to those with the appropriate security clearance
- Mix low and high security data in the same database
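The two goals on this slide are the classic mandatory access control rules: a reader's label must dominate the row's label (no read-up), and a writer may not re-label data downwards (no write-down). The following is an added example, not DB2's or RACF's implementation and not from the slides: it models a security label as a hierarchical level plus a set of non-hierarchical categories, filters the slide's table for three viewers, and checks the write rule. The level names, the mapping of the slide's label names onto level/category pairs, the three viewers' labels, and the strict "write only at your own label" rule (real installations can grant a write-down privilege to selected users) are assumptions made for the example.

```python
from dataclasses import dataclass

# Hierarchical security levels, low to high (constructed)
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class SecLabel:
    level: str
    categories: frozenset      # non-hierarchical compartments, e.g. {"FINANCE"}

    def dominates(self, other):
        """A dominates B when A's level is at least B's and A's categories
        include all of B's categories (the read-down rule)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def label(level, *categories):
    return SecLabel(level, frozenset(categories))

# The slide's table with a label on each row (constructed mapping of the
# slide's label names onto level/category pairs)
ROWS = [
    (label("SECRET", "EXEC"),          234, "USA",      "3%"),
    (label("SECRET", "FINANCE"),       198, "Ohio",     "13%"),
    (label("SECRET", "EXEC"),          2,   "Maine",    "29%"),
    (label("CONFIDENTIAL", "FINANCE"), 234, "USA",      "11%"),
    (label("PUBLIC", "FINANCE"),       87,  "Texas",    "14%"),
    (label("PUBLIC", "FINANCE"),       23,  "New York", "20%"),
    (label("CONFIDENTIAL", "AUDIT"),   223, "USA",      "10%"),
    (label("PUBLIC", "FINANCE"),       45,  "Canada",   "29%"),
]

def select_visible(user_label, rows=ROWS):
    """Row-level read filter: only rows whose label the user's label dominates.
    The other rows are not 'denied', they simply do not exist for this user."""
    return [row for row in rows if user_label.dominates(row[0])]

def can_write(user_label, row_label):
    """No write-down: a user may only write rows carrying the user's own label,
    so data can never be re-labelled to a lower classification by an ordinary user."""
    return user_label == row_label

# The three viewers from the slide (constructed labels)
EXEC_RISK_ANALYST = label("SECRET", "EXEC", "FINANCE")
BANK_ANALYST = label("PUBLIC", "FINANCE")
INTERNAL_AUDITOR = label("CONFIDENTIAL", "AUDIT", "FINANCE")
```

Run against the table, the executive risk analyst sees everything except the audit row, the bank analyst sees only the three PUBLIC/FINANCE rows, and the internal auditor sees the audit row and the finance rows up to CONFIDENTIAL but none of the SECRET rows. The write check is what turns "prevent unauthorized declassification" into code: the executive risk analyst, who can read a PUBLIC row, is still not allowed to write one.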
Enterprise Security Needs Many Elements (Compliance and Audit)

[Diagram repeated, now highlighting the Compliance and Audit area: compliance reporting; audit monitoring and reporting with DB2 Audit Management Expert; comprehensive logging with System z SMF; eliminating the manual auditing process with Consul InSight and Consul System z Tools]
Evolving Regulations Point to the Need for More Automated Compliance Reporting

Basel II, HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, AML - Patriot Act
[Chart: regulatory impact on secured data, secured storage management, encrypted data, workflow, risk assessment and reporting; source: IBM Service Management Market Needs Study, March 2006]
The Foundation of Audit and Compliance is Comprehensive Logging

- System z SMF provides comprehensive logging across the sysplex
- Consistent record formats help simplify compliance needs
- Audit records report access to protected resources
- New log continuity checking from Consul validates that logs have been maintained
- Consul uses the system event log records from multiple sources including System z
- Can examine the activities of a specific user
- With distributed systems, customers typically have to manually piece together logs
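The slides above say the RACF audit trail in SMF is what answers the auditors' questions ("Do you know if anyone attempted an attack on the mainframe?", "Do you know if administrators are abusing privileges?", "Can examine the activities of a specific user"), without showing what such an analysis looks like. The following is an added example, not Consul's or IBM's code and not from the slides: it runs three detections over a handful of constructed records. The record layout (date time, event, userid, class, resource, result) is invented for the example and only loosely resembles the output of the RACF SMF data unload utility; the userids, resources and timestamps are constructed too.

```python
import collections
from datetime import datetime

# Constructed sample; the pipe-delimited layout is invented for this example:
# date time|event|userid|class|resource|result
SAMPLE = """\
2006-10-20 08:01:12|RACINIT|ALICE|-|-|SUCCESS
2006-10-20 08:02:40|ACCESS|ALICE|DATASET|PAYROLL.MASTER|SUCCESS
2006-10-20 08:05:03|RACINIT|BOB|-|-|INVALID PASSWORD
2006-10-20 08:05:11|RACINIT|BOB|-|-|INVALID PASSWORD
2006-10-20 08:05:19|RACINIT|BOB|-|-|INVALID PASSWORD
2006-10-20 08:05:27|RACINIT|BOB|-|-|REVOKED
2006-10-20 08:10:00|ACCESS|GUEST|DATASET|PAYROLL.MASTER|INSUFFICIENT ACCESS
2006-10-20 08:10:05|ACCESS|GUEST|DATASET|SYS1.PARMLIB|INSUFFICIENT ACCESS
2006-10-20 08:10:09|ACCESS|GUEST|FACILITY|BPX.SUPERUSER|INSUFFICIENT ACCESS
2006-10-20 08:11:30|ACCESS|ALICE|FACILITY|BPX.SUPERUSER|SUCCESS
"""

def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, userid, cls, resource, result = line.split("|")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event": event, "userid": userid, "class": cls,
                        "resource": resource, "result": result})
    return records

def password_guessing(records, threshold=3, window_seconds=600):
    """Userids with at least `threshold` INVALID PASSWORD logon failures inside
    a `window_seconds` span (the pattern that trips SETROPTS PASSWORD(REVOKE)).
    Returns {userid: total failures}."""
    failures = collections.defaultdict(list)
    for r in records:
        if r["event"] == "RACINIT" and r["result"] == "INVALID PASSWORD":
            failures[r["userid"]].append(r["time"])
    hits = {}
    for userid, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):        # sliding window
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits[userid] = len(times)
                break
    return hits

def access_violations(records):
    """INSUFFICIENT ACCESS events per userid: who is probing resources."""
    return collections.Counter(r["userid"] for r in records
                               if r["event"] == "ACCESS"
                               and r["result"] == "INSUFFICIENT ACCESS")

def privileged_use(records):
    """Userids that successfully used BPX.SUPERUSER, i.e. switched to UID 0;
    each of these should match a change ticket or an on-call roster."""
    return sorted({r["userid"] for r in records
                   if r["class"] == "FACILITY" and r["resource"] == "BPX.SUPERUSER"
                   and r["result"] == "SUCCESS"})

def user_trail(records, userid):
    """Chronological activity of one user, the 'examine a specific user' view."""
    return [f'{r["time"]:%H:%M:%S} {r["event"]} {r["class"]} {r["resource"]} {r["result"]}'
            for r in sorted(records, key=lambda r: r["time"]) if r["userid"] == userid]
```

On the sample, BOB's three bad passwords in sixteen seconds are flagged as guessing (and the next record shows RACF revoking the userid), GUEST collects three violations across a data set, a system library and a FACILITY profile, and ALICE's trail shows a successful switch to superuser that someone should be able to justify. On a real system the records come from the SMF dump and the unload utility rather than a string, and the thresholds belong in the installation's policy.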
Consul InSight Strengthens the Compliance Process

- Detects security violations
- Captures security audit data from multiple systems
- Correlates data to identify audit risks: who, what, on what, where, when, from where, to where
- Analysis engine for deep analysis of collected data, e.g. to determine who was the last person to touch a particular file
- Flexible reporting related to specific compliance issues
- Checks for log continuity ensure that log collection is carried out
Consul's InSight Suite Helps Address Regulatory Challenges

- Helps accelerate clients' policy and regulatory compliance initiatives
- Supports RACF records and other input sources
- Provides customized reports to assist with regulatory compliance
- Uses the patent pending "W7" methodology for detailed analysis
Enterprise Security Needs Many Elements (Extended Enterprise)

[Diagram repeated, now highlighting the Extended Enterprise area: provisioning of users & workflow with Tivoli Identity Manager; authentication with Tivoli Federated Identity Manager]
Provision Users with Tivoli Identity Manager for z/OS

- 75-80% of help desk calls are for password resets or other trivial items
- Tivoli Identity Manager can eliminate this problem
  − Provides self-service password management
- Can provision user accounts for your entire enterprise
- Provides workflow for automating approval processes
- Searches for out-of-policy changes
- Provides email notification of changes
Single Sign-on: Tivoli Federated Identity Manager

- Propagates the identity of the original requester in a web services environment
- Provides single sign-on for web services
- Maintains the identity of the original user
- Credentials can be propagated from the portal to RACF for end-to-end security
  − Uses PassTickets issued by RACF
- Enables trusted transactions between business partners
- Supports industry standards
  − SAML, Liberty, WS-Federation SSO
[Diagram: TFIM provides single sign-on for the Service Oriented Finance car loan solution: a portal server with portlets calls web services on CICS (customer management), IMS (billing system) and SAP (financial management), with RACF and LDAP as the registries]
Authenticating End to End

- The transaction is passed through a reverse proxy to authenticate the user
- The proxy authenticates to WAS on behalf of the user, passing his/her credentials
- In WebSphere, Java invokes a login module that in turn invokes TFIM trust services to obtain a userid and PassTicket
- The mainframe userid and password (here the PassTicket) are supplied through CICS TG in this example
- Security credentials of one partner are transformed and exchanged with the identity infrastructure of another partner
- Also maps distributed user IDs to z/OS RACF user IDs and associated PassTickets
- The RACF ID can connect to z/OS resources using individual user identities
[Diagram of the authentication pattern: a reverse proxy in the DMZ; WebSphere Application Server (TAI, JAAS, JCA, JMS) on the application server together with the TFIM STS; on z/OS the CICS application reached through CICS TG, with RACF and a DB2 database]
Tivoli Directory Integrator Enables Consistent Identity Management

- Maintains data consistency across multiple identity repositories to synchronize user information quickly and efficiently
- Most customers have multiple directory structures in place – no single version of the truth
- Cost-effective synchronization of identity data sources
- Links data residing across IBM and non-IBM directories, databases, password stores, and applications
- Uses data flows called Assembly Lines to coordinate changes
- Automatically detects directory changes and pushes modifications out
  − Triggers: e-mails, database/directory updates, SOAP messages
- Uses a browser-based administrative interface
Summary

System z Security provides
- A secure platform infrastructure
- Data privacy
- Compliance and audit
- Security across the extended enterprise

Thanks!
The End