proper configuration and setup of db2 security for racf · proper configuration and setup of db2...
Post on 10-Apr-2018
SECURITY & COMPLIANCE CONFERENCE 2016
Proper Configuration and
Setup of DB2 Security for
RACF
Jim McNeill
Vanguard Professional Services
BTB6
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
©2016 Vanguard Integrity Professionals, Inc. 2
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.
Topics
• Started Task protection
• Dataset protection
• Subsystem protection
• DB2® Secondary Authorization IDs
• Using RACF® external security for DB2
Started Task protection
Figure: the RACF database with the USER profile and GROUP profile (marked with a question mark) under which the DB2 started tasks DB2PDIST, DB2PIRLM, DB2PSPAS, DB2PDBM1, DB2PMSTR, DB2PWLMx and DB2PADMT run.
Started Task protection
Subsystem   Environment   Started tasks
DB2P        PRODUCTION    DB2PDBM1 DB2PMSTR DB2PIRLM DB2PDIST DB2PSPAS DB2PWLMx DB2PADMT
DB2T        TEST          DB2TDBM1 DB2TMSTR DB2TIRLM DB2TDIST DB2TSPAS DB2TWLMx DB2TADMT
Started Task protection
RDEF STARTED DB2PMSTR.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PDBM1.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PIRLM.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PDIST.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PWLM*.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PSPAS.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PADMT.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2TMSTR.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TDBM1.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TIRLM.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TDIST.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TWLM*.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TSPAS.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TADMT.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
- OR -
RDEF STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP))
Dataset Protection
Figure: DB2 datasets by group, with the access each started task needs (the pairing of access labels to groups is reconstructed from the slide layout):
Active logs - DSNB10.DBBG.LOGCOPY1.DS01, DSNB10.DBBG.LOGCOPY1.DS02 - MSTR (ALTER)
Archive logs - DSNB10.DBBG.ARCLOG1.D14299.T0302409.A0000040, DSNB10.DBBG.ARCLOG1.D14299.T0302409.B0000040 - MSTR (ALTER)
Bootstrap datasets - DSNB10.DBBG.BSDS01, DSNB10.DBBG.BSDS02 - MSTR (UPDATE)
Tablespaces and indexspaces - DSNB10.DSNDBC.ADBDCH.ADBCHKX1.I0001.A001, DSNB10.DSNDBC.ADBDCH.ADBCKPTX.I0001.A001, DSNB10.DSNDBD.DSN8D11P.XDSPTXT1.J0001.A001, DSNB10.DSNDBD.DSN8D11P.XMAPRTBL.I0001.A001 - DBM1 (ALTER)
Install libraries - DSNB10.DBBG.SDSNEXIT, DSNB10.SDSNLOAD - ALL (READ)
Other general datasets - DSNB10.DBBG.TASKLIST - ADMT (UPDATE)
Dataset Protection
Notes:
If CEE.SCEERUN or an equivalent library is not in LINKLIST, all started tasks will need READ access to it.
DB2PIRLM will probably need READ access to DSNB10.SDXRRESL.
DB2 system programmers may need access to all datasets for backup/restore and maintenance tasks.
DB2PWLMx tasks may need access to other datasets:
CBC.SCCNCMP (C compiler)
DSNB10.DBBG.DBRMLIB.DATA
DSNB10.SDSNCLST
Check with the DB2 system programmer for others.
Subsystem protection
Name        UACC   Access List
DB2P.SASS   NONE   CICSPRD(READ)
DB2P.BATCH  NONE   PRODID(READ)
DB2T.BATCH  NONE   PGMRGRP(READ)
DB2T.SASS   NONE   CICSTST(READ)
Figure: with these DSNR class profiles, CICSPRD connects to DB2P and CICSTST to DB2T, while PGMRGRP is kept out of DB2P.
Subsystem protection
RDEF DSNR (DB2P.SASS, DB2P.BATCH) OW(DBADMIN) UA(NONE)
RDEF DSNR (DB2T.SASS, DB2T.BATCH) OW(DBADMIN) UA(NONE)
PE DB2P.SASS CL(DSNR) ID(CICSPRD) AC(READ)
PE DB2P.BATCH CL(DSNR) ID(PRODID) AC(READ)
PE DB2T.SASS CL(DSNR) ID(CICSTST) AC(READ)
PE DB2T.BATCH CL(DSNR) ID(PGMRGRP) AC(READ)
Subsystem protection
Profile syntax is subsystem.environment. If the subsystem were DB2P, the profiles would be:
DB2P.MASS - for IMS™ (including MPP, BMP, Fast Path and DL/1 Batch)
DB2P.SASS - for CICS® (connection processing only)
DB2P.DIST - for the Distributed Data Facility
DB2P.RRSAF - for the Recoverable Resource Manager Services Attachment Facility
DB2P.BATCH - for all others, including TSO, batch, all utility jobs, and requests via the Call-Attach facility.
RECOMMENDATIONS
Only the subsystem user ID needs access to the MASS and SASS profiles.
Restrict access to test subsystems to keep unauthorized users from experimenting.
If there are separate test and production subsystems, keep test CICS and IMS out of the production DB2 subsystems.
Access to the BATCH profile may need to be given to personal user IDs as well as to special user IDs (e.g. scheduler IDs, other subsystems).
Determine the easiest way to give users access (e.g. consider a RACF group for DB2 subsystem enrollment).
Subsystem protection
Figure: connection requests from DL/1 batch, CICS start-up, JES-initiated batch, TSO, started tasks, DB2 utilities and the IMS control region all pass through three steps:
Step 1 - obtain the primary ID
Step 2 - verify by RACF the ID's access to the subsystem (the DSNR profiles above); if not authorized, reject the request
Step 3 - run the connection exit routine
DB2 Secondary Authorization IDs
Figure: the default exits DSN3@ATH and DSN3@SGN ship in DSNB10.SDSNLOAD; the installation's own copies, built from the sample exits DSN3SATH and DSN3SSGN, go into DSNB10.DBBG.SDSNEXIT.
DB2 Secondary Authorization IDs
Figure: job DSNTIJEX assembles and link-edits the sample exits DSN3SATH and DSN3SSGN from DSNB10.SDSNSAMP into DSNB10.DBBG.SDSNEXIT as DSN3@ATH and DSN3@SGN.
DB2 Secondary Authorization IDs
Figure: USER01 signs on with the RACF groups TEST, PROD, DB2AP and DB2PY. The DSN3@ATH exit reads the group list from the ACEE (1012 limit) and returns it as the DB2 secondary IDs:
Primary ID:     USER01
SQL ID:         USER01
Secondary IDs:  TEST, PROD, DB2AP, DB2PY
DB2 Secondary Authorization IDs
Figure: CICSPRD signs on with the RACF groups GRP1, GRP2, GRP3 and GRP4. The DSN3@SGN exit reads the group list from the ACEE (1012 limit) and returns it as the DB2 secondary IDs:
Primary ID:     CICSPRD
SQL ID:         CICSPRD
Secondary IDs:  GRP1, GRP2, GRP3, GRP4
• Everything up to now has been available and
recommended for a very long time.
• And now for something NEW (relatively)
Using RACF external security for DB2
Figure: the DB2 subsystem authorization exit DSNX@XAC is driven at three points: initialization (DB2 start up), authorization checking (access to DB2 objects) and termination (DB2 shutdown). It answers from RACF profiles that are loaded from the RACF database into a data space.
Steps To Implement DSNX@XAC Exit
1. Obtain the RACF Access Control Module – from DSNB10.SDSNSAMP(DSNXRXAC) – starting with DB2 V8
2. Copy it to a private library with the name DSNX@XAC
3. Specify the exit options (optional)
– &CLASSOPT
– &CLASSNMT
– &CHAROPT
– &ERROROPT
4. Define the DB2 classes in the CDT (if the exit is modified)
5. Define RACF profiles - RDEFINE, RALTER, PERMIT
6. Activate the DB2 classes
7. Assemble and link-edit the sample exit
– Modify the JEX0003 step of the DB2 install job
– Run the JEX0003 job
8. Start DB2
Single or Multi-subsystem Scope?
• Multi-Subsystem Scope Classes – Default
– First qualifier is DB2 subsystem name
– No changes to CDT
• Single Subsystem Scope Classes – Optional
– DB2 subsystem name not in profile
– Add classes to CDT
Customizing the DSNX@XAC Exit
Figure: the security administrator and the system programmer settle the exit options &CLASSOPT, &CLASSNMT, &CHAROPT and &ERROROPT together. The security administrator needs to know: the class scope, the pattern of the DB2 class names, and the format of the RACF profile names.
Customization Options for DSNX@XAC
&CLASSOPT - Class Scope: 1 = Single-subsystem scope, 2 = Multi-subsystem scope
&CLASSNMT - Class Name Root: 1 to 4 characters, 'DSN' is the default; only for &CLASSOPT=2. Example: MDB2PTB#
&CHAROPT - Class Name Suffix: last character of the class name, 0 - 9, #, @, $; default is '1'. Example: MDB2PTB#
Customization Options for DSNX@XAC
&ERROROPT - 1 = Defer to DB2 when an unexpected error occurs; 2 = Instruct DB2 to terminate when an unexpected error occurs.
An unexpected error is:
• DSNX@XAC abends
• DSNX@XAC returns an unexpected return code
• DSNX@XAC instructs DB2 to not call it again
Multi-Subsystem Scope Options
Example of using the default settings:
Exit options: &CLASSOPT = 2, &CLASSNMT = DSN
Class for DB2 authorities: DSNADM
Classes for DB2 objects: MDSNTB, GDSNTB, MDSNPN, GDSNPN, etc.
Profile names must be prefixed with the DB2 subsystem name.
Multi-Subsystem Scope (Default)
Figure: with multi-subsystem scope the RACF CDT is unchanged (MDSNTB, GDSNTB, ...) and the subsystem name is the first qualifier of the profile. A SELECT on table U01.TAB123 in DB2P is checked against the MDSNTB profile DB2P.U01.TAB123.SELECT; an ALTER on table U49.TABXYZ in DB2T is checked against the MDSNTB profile DB2T.U49.TABXYZ.ALTER. Both profiles live in the same RACF database.
Single-Subsystem Scope Options
Example of installation-defined classes:
Exit options: &CLASSOPT = 1, &CLASSNMT = Not Applicable, &CHAROPT = #
Classes for DB2 authorities: DB2PADM#, DB2TADM#
Classes for DB2 objects: MDB2PTB#, GDB2PTB#, MDB2PPN#, GDB2PPN#, etc. for DB2P; MDB2TTB#, GDB2TTB#, MDB2TPN#, GDB2TPN#, etc. for DB2T
Profile names are not prefixed with the DB2 subsystem name; the class names must contain the DB2 subsystem name.
Dynamic CDT
RDEFINE CDT MDB2PTB# CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) MAXLNTH(100) MAXLENX(246) GROUP(GDB2PTB#) OPER(NO) DEFAULTRC(4) POSIT(526) SIGNAL(YES) RACLIST(DISALLOWED))
RDEFINE CDT GDB2PTB# CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) MAXLNTH(100) MAXLENX(246) MEMBER(MDB2PTB#) OPER(NO) DEFAULTRC(4) POSIT(526) SIGNAL(YES) RACLIST(DISALLOWED))
Single-Subsystem Scope
Figure: with single-subsystem scope the RACF CDT (ICHRRCDE, or the dynamic CDT above) carries one pair of classes per subsystem (MDB2PTB#, GDB2PTB#, MDB2TTB#, GDB2TTB#, ...) and the profile name carries no subsystem prefix. A SELECT on table U01.TAB123 in DB2P is checked against the MDB2PTB# profile U01.TAB123.SELECT; an ALTER on table U49.TABXYZ in DB2T is checked against the MDB2TTB# profile U49.TABXYZ.ALTER.
RACF Classes For DB2 Objects
DB2 Object Type               Member   Grouping
Bufferpool                    MDSNBP   GDSNBP
Collection                    MDSNCL   GDSNCL
Database                      MDSNDB   GDSNDB
Global Variables              MDSNGV   GDSNGV
JAR - Java Archive File       MDSNJR   GDSNJR
Package                       MDSNPK   GDSNPK
Plan                          MDSNPN   GDSNPN
Schema                        MDSNSC   GDSNSC
Sequence                      MDSNSQ   GDSNSQ
Storage Group                 MDSNSG   GDSNSG
Stored Procedure              MDSNSP   GDSNSP
System                        MDSNSM   GDSNSM
Table / Index / View          MDSNTB   GDSNTB
Table Space                   MDSNTS   GDSNTS
User Defined Distinct Type    MDSNUT   GDSNUT
User Defined Function         MDSNUF   GDSNUF
Authorization Exit Example
Figure: worked flow for the DB2P subsystem. Question: does the user ARTH have the INSERT privilege on the table PAYID.EMPL in the PAYDB database? The access control module answers each step with a RACF call against the profiles in the RACF data space:
Owner? ARTH = PAYID - No
Check privilege: MDSNTB class, DB2P.PAYID.EMPL.INSERT UA(NONE) PHILE(READ) - RC 8
DBADM authority? DSNADM class, DB2P.PAYDB.DBADM UA(NONE) JOHNH(READ) - RC 8
DATAACCESS authority? DSNADM class, DB2P.DATAACCESS UA(NONE) FRED(READ) - RC 8
SYSDBADM authority? DSNADM class, DB2P.SYSDBADM UA(NONE) BOBS(READ) - RC 8
SYSADM authority? DSNADM class, DB2P.SYSADM UA(NONE) JULIE(READ) - RC 8
Result: the access control module sets RC 8. DB2 acts on the return code it gets back: RC=0 allow, RC=8 deny, RC=4 fall back to DB2 security.
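As an added example (not from the deck, and not IBM's DSNXRXAC module), the following Python models the decision on the slide: the class and profile naming for both scope options, and the check sequence run against the slide's five profiles. The rule that READ access satisfies a check, and the way mixed found/not-found results combine, are assumptions of this model.

```python
# Added example (not from the Vanguard deck): a Python model of the decision the
# "Authorization Exit Example" slide walks through, using the deck's profile names.
# Return codes follow the slide: 0 = allow, 4 = defer to DB2 security, 8 = deny.
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # ID (user or group) -> access level

def class_name(obj: str, ssid: str, classopt: int, charopt: str = "#") -> str:
    """Class for an object suffix (TB = table, ADM = DB2 authorities); only the two
    cases on the deck: multi-subsystem with root DSN, or single-subsystem (MDB2PTB#)."""
    if classopt == 2:
        return "DSNADM" if obj == "ADM" else f"MDSN{obj}"
    return f"{ssid}ADM{charopt}" if obj == "ADM" else f"M{ssid}{obj}{charopt}"

def profile_name(resource: str, ssid: str, classopt: int) -> str:
    """Multi-subsystem scope prefixes every profile with the subsystem name."""
    return f"{ssid}.{resource}" if classopt == 2 else resource

def racf_check(db: dict, cls: str, profile: str, user: str, groups: set) -> int:
    """Simplified RACROUTE: 4 when no profile exists, else 0 or 8 (READ is enough)."""
    p = db.get(cls, {}).get(profile)
    if p is None:
        return 4
    ids = {user, *groups}
    best = max([ACCESS_RANK[p.uacc]] + [ACCESS_RANK[a] for i, a in p.acl.items() if i in ids])
    return 0 if best >= ACCESS_RANK["READ"] else 8

def check_table_privilege(db, ssid, user, groups, owner, table, database, priv, classopt=2):
    """Check order from the slide: owner, explicit privilege, DBADM on the database,
    DATAACCESS, SYSDBADM, SYSADM. Any RC 0 allows; otherwise RC 8 if some profile
    denied, RC 4 if no profile was found at all (the mixed case is an assumption)."""
    if user == owner:
        return 0
    tb, adm = class_name("TB", ssid, classopt), class_name("ADM", ssid, classopt)
    checks = [(tb, f"{owner}.{table}.{priv}"), (adm, f"{database}.DBADM"),
              (adm, "DATAACCESS"), (adm, "SYSDBADM"), (adm, "SYSADM")]
    results = [racf_check(db, c, profile_name(r, ssid, classopt), user, groups) for c, r in checks]
    return 0 if 0 in results else (8 if 8 in results else 4)

def slide_profiles() -> dict:
    """Constructed RACF store holding exactly the profiles on the slide (multi-subsystem scope)."""
    adm = {"DB2P.PAYDB.DBADM": Profile(acl={"JOHNH": "READ"}), "DB2P.DATAACCESS": Profile(acl={"FRED": "READ"}),
           "DB2P.SYSDBADM": Profile(acl={"BOBS": "READ"}), "DB2P.SYSADM": Profile(acl={"JULIE": "READ"})}
    return {"MDSNTB": {"DB2P.PAYID.EMPL.INSERT": Profile(acl={"PHILE": "READ"})}, "DSNADM": adm}
```

Running the slide's question through it (ARTH, INSERT on PAYID.EMPL in PAYDB on DB2P) yields 8, while the same request on DB2T, where none of these profiles exist, yields 4 and is left to DB2's own security.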
DB2 to RACF Migration Tool
Figure: the RACFDB2 utility (JCL, EXEC and documentation) reads the DB2 authorization tables of a subsystem - SYSIBM.SYSCOLAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSPACKAUTH, SYSIBM.SYSPLANAUTH, SYSIBM.SYSRESAUTH, SYSIBM.SYSROUTINEAUTH, SYSIBM.SYSSEQUENCEAUTH, SYSIBM.SYSSCHEMAAUTH, SYSIBM.SYSTABAUTH, SYSIBM.SYSUSERAUTH and SYSIBM.SYSVARIABLEAUTH - and writes the equivalent RDEF, RALT and PERMIT commands to the output dataset RCF.RACFDB2.CONVCLST, which populate the DSNADM, MDSNTB and MDSNPN classes in the RACF database.
DB2 Release Considerations
• On August 3, 2010, IBM® announced the End of Service (EOS) for DB2 8 for IBM z/OS®. The effective EOS date is April 30, 2012.
• On February 7, 2012, IBM announced the End of Service (EOS) for DB2 9 for z/OS. The effective EOS date is June 27, 2014.
• On October 19, 2010, IBM announced General Availability for DB2 10 for z/OS as of October 22, 2010.
• On October 1, 2013, IBM announced DB2 11 for z/OS with planned availability on October 25, 2013.
Questions