ITSO System z SOA Forum 2006: Powering SOA with IBM Software on System z
ZS05 - Security Overview on z/OS
Egide Van Aerschot, ITSO – zSeries and z9 center
E-mail: [email protected]
Notices
This information was developed for products and services offered in the U.S.A.
Note to U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Redbooks (logo)™, IBM eServer™, ibm.com®, z/OS®, zSeries®, AIX®, ClearCase®, Cloudscape™, CICS®, CICSPlex®, DB2 Connect™, DB2®, DFS™, DRDA®, Informix®, IBM®, IMS™, MQSeries®, MVS™, Perform™, Rational®, RACF®, S/390®, SAA®, TME®, VTAM®, WebSphere®
The following terms are trademarks of other companies:
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.
Other company, product, and service names may be trademarks or service marks of others.
Agenda
Introduction
z/OS security features overview
Security for z/OS front-end integration
Back-end integration
What is security?
IT security objectives specified in ISO Standard 7498-2:
– Identification
  • This is the ability to assign an identity to the entity accessing the system.
  • “user ID”, UID, or “principal” in the J2EE security model
– Authentication
  • This is the process of validating the identity claimed by the accessing entity.
  • Authentication information is generally called “credentials”: the accessor’s name and password, or a “token” provided by a trusted party, such as a Kerberos ticket, an X.509 certificate, or an LTPA token.
– Authorization
  • This is the process of checking whether an asserted (already authenticated) identity has access to a requested resource.
– Integrity
  • Integrity ensures that transmitted or stored information has not been altered in an unauthorized or accidental manner.
– Confidentiality
  • This refers to the concept that an unauthorized party cannot obtain the meaning of the transferred or stored data.
– Auditing
  • With auditing, you capture and record security-related events, so that they can be exposed and analyzed after the fact.
– Non-repudiation
  • This is a legal term that demands legal evidence that a party performed some action, so that it cannot reasonably be denied.
Security challenges
Applications span more and more tiers and more (cross-platform) communication takes place.
Applications become more and more multi-channel, with the user device usually in a (very) unsecure environment.
Security artifacts need to be accessible from multiple places and in many cases from multiple servers/platforms. This calls for security registry solutions that are standardized and accessible both locally and remotely.
Government and corporate rules have been tightened significantly over the past few years, resulting in:
– more and better auditability requirements
– strict access management to a company’s assets and information
More and more applications become “self-service” type of applications.
– “Untrusted” end-users become the operators of those apps, whilst before those apps were only operated by an employee of the company.
  • Internet banking!
Agenda
Introduction
z/OS security features overview
– RACF
– LDAP
– UNIX
Security for z/OS front-end integration
Back-end integration
RACF Security Server
RACF – Resource Access Control Facility
The RACF element of the z/OS Security Server is a software tool for use by:
– Security administrators
– Auditors
RACF is used to implement and monitor the implementation of an installation’s security policies.
End-user interaction with RACF is minimized by design.
z/OS resource managers invoke or call for security services through a set of architected interfaces on z/OS known as the System Authorization Facility, or SAF.
RACF objectives
RACF protected resources
z/OS security server
Digital certificates
– Introduced in OS/390 R2.4
– Base for a complete certificate authority (CA) on z/OS
Kerberos registry is RACF
UNIX System Services security integrated with RACF with better security than other UNIX systems
Auditing of security events
z/OS V1R5
– Dynamic Templates
– Multi-level security
– Password Synchronization Solution
Using RACF
RACF segments
LDAP
LDAP server
The LDAP server on z/OS is based on a client/server model.
The LDAP server on z/OS has two commonly used back ends:
– TDBM back end (based on DB2)
– SDBM back end (based on Resource Access Control Facility (RACF)): can be configured to provide read/write access to RACF user, group, and connection profiles using the LDAP protocol.
LDAP servers act as a repository for user and group information.
LDAP Directory Structure
LDAP Server on z/OS...
Unix Access Permissions on HFS
Agenda
Introduction
WebSphere for z/OS security features overview
Security for z/OS front-end integration
– WebSphere
Back-end integration
Security interaction points
[Diagram: nine numbered security interaction points along the chain Browser, HTTP server, J2EE Appserver, WMQ/WMB, J2C connector, DB2, TM]
HTTP access with HTTP server and WAS on z/OS
[Diagram: user browser → (HTTPS) HTTP Server on z/OS → (HTTP) WAS → J2EE Application → DB; authentication and authorization against RACF at both the HTTP server and WAS]
Authentication done with HTTP server on z/OS
– All authentication mechanisms available in HTTP server can be used: user ID/password, certificates etc.
– RACF or LDAP can be used as security registry
– Security credentials can be passed from HTTP server to WAS
External authentication server and LDAP native authentication on z/OS
[Diagram: user browser → (HTTPS) external authentication server → (HTTPS) HTTP Server on z/OS → (HTTP) WAS → J2EE Application → DB; the authentication server authenticates through LDAP on z/OS, which uses RACF native authentication; authorization takes place in WAS]
– Authentication server runs outside z/OS, but uses LDAP on z/OS for authentication
– LDAP in its turn accesses RACF using “native authentication”
– HTTP server and WAS always receive an already authenticated user ID
– User ID is forwarded using LTPA or headers in combination with the trust association
Security Layers
[Diagram: layered view, bottom to top]
– Platform Security: Operating System Security
– Java Security: JVM 1.4 Security, Java 2 Security
– WebSphere Security: CORBA Security / CSIv2, J2EE Security API, WebSphere Security
– WebSphere/Application Resources: HTML, Servlet/JSPs, EJBs, Naming, Admin, Access Control
TCP/IP security
Higher importance on
– partner authentication
– message authentication
– combating denial-of-service attacks
– Basic concepts of cryptography and digital certificates
  • Privacy: Anyone who can intercept your data might be able to read it.
  • Integrity: An intermediary might be able to alter your data.
  • Accountability or non repudiation
What is crypto
Traditionally: to hide the meaning of transferred or stored data, but also used to establish:
– data integrity
– authentication
– non repudiation
That is "Security", as described in the ISO 7498-2 Security Framework, and as required by e-business transactions.
Cryptographic algorithms are
– symmetric = shared secret key - e.g. DES, Triple-DES, AES, ...
– asymmetric = Public Key Cryptography - e.g. RSA
– one way = cryptographic "checksum" - e.g. MD5, SHA-1, ...
They all consume machine cycles!
Cryptography with WAS
– Handshake: Asymmetric (Pub/Priv) RSA, DSS, DH
– Data Integrity: MD5, SHA-1, SHA-256 (z9-109)
– Symmetric: DES, T-DES, AES-128 (z9-109), RC2, RC4
(red has Crypto HW support)
Authentication
Authentication is the process of establishing whether a client is valid in a particular context
– Client can be either an end user, a machine, or an application
An authentication mechanism defines rules about security information and the format of how security information is stored in both credentials and tokens
– Whether a credential is forwardable to another process
Authentication Mechanism uses User (Authentication) Registry (where user ID/password, and other attributes are stored) to check the client authentication
– WebSphere supports several User Registries - Local OS, LDAP and Custom Registry
Certificate-based Authentication
[Diagram: SSL handshake protocol and record protocol between client and server]
HANDSHAKE PROTOCOL
– client → server: client-hello (encryption supported, sessionId, random)
– server → client: server-hello, X509 certificate or session (resume), certificate request, server-key exchange (), server hello done
– client → server: client-certificate (), client-key exchange, certificate verify, change cipher spec, finished
– server → client: change cipher spec, finished
RECORD PROTOCOL
– (mac, actual, padding)
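As an added example (not code from the deck or from IBM), a JSSE server that requires the client-certificate leg of the handshake above and takes the caller's identity from the verified certificate; the keystore paths, password and port are assumptions:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Added example, not from the ITSO deck: SSL server that requires the
 *  client-certificate leg of the handshake and identifies the caller from it. */
public class ClientCertServer {

    static final String KEYSTORE = "/u/apps/tls/server.jks";     // assumed: server key pair
    static final String TRUSTSTORE = "/u/apps/tls/clientca.jks"; // assumed: accepted client CAs
    static final char[] PASSWORD = "changeit".toCharArray();     // assumed value

    static SSLServerSocket listen(int port) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new FileInputStream(KEYSTORE), PASSWORD);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(new FileInputStream(TRUSTSTORE), PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLServerSocket ss = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(port);
        // "need", not "want": the server sends certificate request, and the
        // handshake fails before "finished" unless the client answers with a
        // certificate chaining to the trust store plus a valid certificate verify.
        ss.setNeedClientAuth(true);
        return ss;
    }

    /** Identification step: the subject DN of the verified client certificate is
     *  the caller's identity (what a registry lookup would map to a user ID). */
    static String identify(SSLSocket sock) throws SSLPeerUnverifiedException {
        Certificate[] chain = sock.getSession().getPeerCertificates(); // handshake runs here if needed
        X509Certificate leaf = (X509Certificate) chain[0];
        return leaf.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket ss = listen(8443); // assumed port
        while (true) {
            SSLSocket sock = (SSLSocket) ss.accept();
            try {
                String dn = identify(sock);
                sock.getOutputStream().write(("authenticated as " + dn + "\n").getBytes("UTF-8"));
            } catch (SSLPeerUnverifiedException e) {
                // no acceptable client certificate: treat as unauthenticated and serve nothing
            } finally {
                sock.close();
            }
        }
    }
}
```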
Session security
Lightweight Third Party Authentication (LTPA)
[Diagram: a WebSphere cell with a cluster spanning two nodes (SYSA node 1 and SYSB node 2), each an MVS system or LPAR running Server C and Server D, each server consisting of a controller region (CR) and servants; SSL into each node, LTPA across the cluster]
Java Cryptography Extension - IBMJCE4758
IBM implementation of JCE cryptography using z/OS Common Cryptographic Architecture (CCA) hardware cryptographic devices
Allows a JCE application to take advantage of hardware cryptography without extensive knowledge of hardware cryptography
– Digital Signatures via RSA and DSA (z900/z800 only)
– Hashing - SHA1, MD2, MD5
– Keystore - Symmetric and Asymmetric keys protected by 3DES
– Symmetric Algorithms - DES, 3DES, PBE
– Asymmetric Algorithms - RSA
– HMAC - MD5, SHA1
Adds the capability to use SAF based keys/certificates (RACF)
– keystore for SAF Digital Certificate (key ring) Support
WebServices security
Transport Security
End to end Security
WS1 security
Getting an authenticated userID
[Diagram: authentication (TAI, LDAP? or RACF?) → transformation plugin → RACF user ID → user ID roles → rule "user ID authorized for resource role" → RunAs selection (caller, server or role) → sync to thread → Java context and ACEE; steps: get authenticated user ID, authorize by role, RunAs selection]
J2EE 1.4 Security Features
Java 2 Security: Access to System Resources
– Enforce access control, based on the location of the code and who signed it
– Not based on the principal
– Defined in a set of Policy files
– Enforced at runtime
JAAS Security: Authentication and Authorization
– Enforce access control based on the current Principal or Subject
– Defined in Application Code
– Enforced programmatically
– Used for any type of Java code – Stand-alone Java application, Applet, EJB, Servlet, and so on
J2EE Security Roles: Authorization of J2EE application artifacts
– Role based security
– Roles defined in the J2EE EAR file
– Defined in application configuration settings (Deployment Descriptors)
– Enforced by runtime, programmatically, or both
CSIv2: Used for Authenticating EJBs
Securing J2EE Application Artifacts (Roles)
[Diagram: actual users/groups (Jack, Bob, Mary) are bound to J2EE security roles (Manager, Teller, Customer) in the security binding, usually by the deployer; the roles carry security permissions on the application artifacts (EJB methods; web components: Servlet, JSP, HTML, GIFs, etc.), usually assigned by the assembler or developer; clients reach the artifacts through the roles]
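As an added example (not code from the deck or from IBM) of the two enforcement styles listed above, a servlet protected declaratively by an auth-constraint and refining the decision programmatically by role; the servlet, URL, limit and the Manager/Teller/Customer role names from the diagram are assumptions:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

/*
 * Added example, not from the ITSO deck. Declarative part (web.xml of the
 * EAR's web module, written by the assembler/developer): only Teller and
 * Manager may POST to /transfer. The deployer later binds users/groups such
 * as Jack, Bob and Mary to these roles in the security binding.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Transfers</web-resource-name>
 *       <url-pattern>/transfer</url-pattern>
 *       <http-method>POST</http-method>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>Teller</role-name>
 *       <role-name>Manager</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <security-role><role-name>Manager</role-name></security-role>
 *   <security-role><role-name>Teller</role-name></security-role>
 *   <security-role><role-name>Customer</role-name></security-role>
 */
public class TransferServlet extends HttpServlet {

    static final double TELLER_LIMIT = 10000.00; // assumed business rule

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container authenticated the caller and enforced the auth-constraint
        // before this runs; a null user means the constraint is not in force.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        double amount;
        try {
            amount = Double.parseDouble(req.getParameter("amount"));
        } catch (RuntimeException e) { // missing or malformed parameter
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!mayTransfer(req, amount)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "role limit exceeded");
            return;
        }
        resp.getWriter().println("transfer of " + amount + " accepted for " + user);
    }

    // Programmatic part: a decision on the current principal's roles (contrast
    // with Java 2 Security, which decides on code location and signer instead).
    static boolean mayTransfer(HttpServletRequest req, double amount) {
        if (req.isUserInRole("Manager")) return true;
        return req.isUserInRole("Teller") && amount <= TELLER_LIMIT;
    }
}
```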
Java 2 Security
Provides an access control mechanism to manage the application’s access to system level resources
– File I/O, Network Connections (Sockets), Property files, etc.
– Policy-based
Policies define a set of permissions available from various signers and/or code locations
– Stored in Policy files
All Java code runs under a security policy
– Grants access to certain resources
Java code needs access to certain System Resources
Java code will need to get the permission from Java 2 Access Control
Access Control looks at the Java 2 Policy file(s) to determine if the requesting Java code has the appropriate permission
[Diagram: a Java class in its Protection Domain requests a System Resource inside the JVM; the Security Manager / Access Controller checks the Java 2 Security Permissions against the Java 2 Policy Files]
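As an added example (not code from the deck or from IBM), a policy file that grants file access by code location and signer, and a class that asks the Access Controller for that permission explicitly; the paths, signer alias and keystore are assumptions:

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;

/*
 * Added example, not from the ITSO deck. Policy file (assumed path
 * /u/apps/report/report.policy), activated with
 *   java -Djava.security.manager -Djava.security.policy=/u/apps/report/report.policy ...
 * Permissions are granted by code location and signer, not by the user running it:
 *
 *   keystore "file:/u/apps/report/signers.jks";
 *   grant codeBase "file:/u/apps/report/lib/-" signedBy "reportsigner" {
 *       permission java.io.FilePermission "/u/apps/report/data/-", "read";
 *       permission java.util.PropertyPermission "report.*", "read";
 *   };
 *
 * Everything else (writing files, opening sockets, ...) stays denied for that
 * code, and code from another location or an unsigned copy gets nothing.
 */
public class ReportReader {

    /** Ask the Access Controller explicitly: true only when every protection
     *  domain on the call stack holds the permission under the active policy. */
    static boolean canRead(String path) {
        if (System.getSecurityManager() == null) {
            return true; // no security manager: Java 2 Security is not enforced at all
        }
        try {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] probes = {
            "/u/apps/report/data/daily.csv",   // assumed: inside the granted tree, allowed
            "/u/apps/payroll/salaries.csv"     // assumed: outside it, denied by the policy
        };
        for (int i = 0; i < probes.length; i++) {
            System.out.println(probes[i] + " readable: " + canRead(probes[i]));
        }
        // The same check happens implicitly inside the JDK: new FileInputStream(path)
        // calls SecurityManager.checkRead, which throws AccessControlException.
    }
}
```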
Agenda
Introduction
z/OS security features overview
Security for z/OS front-end integration
Back-end integration
Same….including back-end system access
[Diagram: as in the previous scenario, user browser → reverse proxy server (authentication server, native authentication through LDAP to RACF) → HTTP Server → WAS J2EE Application; the application then accesses a backend system (CICS/IMS transaction, DB) with the same RACF user ID (RACFID1) carried to each hop for authorization]
– This scenario is the same as the previous, but with backend system access
– Upfront authentication and authorization can be done as explained before
– Back-end system access takes place with a valid RACF user ID and eventual credentials (based on the requirements of the back-end system)
J2EE Connector Architecture
Conclusion
z/OS RACF allows for high security
LDAP – access can be extended to RACF
– On z/OS can be accessible by other platforms
z/OS support for Cryptography
– Export hardware assist
Thank You
Merci
Grazie
Gracias
Obrigado
Danke