
SECURITY & COMPLIANCE CONFERENCE 2016

Proper Configuration and Setup of DB2 Security for RACF

Jim McNeill
Vanguard Professional Services
BTB6


VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

©2016 Vanguard Integrity Professionals, Inc. 2

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.


Topics

• Started Task protection

• Dataset protection

• Subsystem protection

• DB2® Secondary Authorization IDs

• Using RACF® external security for DB2


Started Task protection

(Diagram: the RACF database holds a USER profile and a GROUP profile; the question the slide poses is which user and group each DB2P address space should run under. The started tasks to cover are DB2PDIST, DB2PIRLM, DB2PSPAS, DB2PDBM1, DB2PMSTR, DB2PWLMx and DB2PADMT.)

Started Task protection

DB2P (PRODUCTION): DB2PDBM1 DB2PMSTR DB2PIRLM DB2PDIST DB2PSPAS DB2PWLMx DB2PADMT

DB2T (TEST): DB2TDBM1 DB2TMSTR DB2TIRLM DB2TDIST DB2TSPAS DB2TWLMx DB2TADMT

Started Task protection

RDEF STARTED DB2PMSTR.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PDBM1.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PIRLM.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PDIST.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PWLM*.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PSPAS.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2PADMT.* STDATA(USER(DBPUSER) GROUP(DB2SYS))
RDEF STARTED DB2TMSTR.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TDBM1.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TIRLM.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TDIST.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TWLM*.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TSPAS.* STDATA(USER(DBTUSER) GROUP(DB2SYS))
RDEF STARTED DB2TADMT.* STDATA(USER(DBTUSER) GROUP(DB2SYS))

- OR -

RDEF STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP))

Dataset Protection

Dataset group, sample dataset names, and the started-task access each group needs:

ACTIVE LOGS - MSTR (ALTER)
  DSNB10.DBBG.LOGCOPY1.DS01
  DSNB10.DBBG.LOGCOPY1.DS02

ARCHIVE LOGS - MSTR (ALTER)
  DSNB10.DBBG.ARCLOG1.D14299.T0302409.A0000040
  DSNB10.DBBG.ARCLOG1.D14299.T0302409.B0000040

BOOTSTRAP DATASETS - MSTR (UPDATE)
  DSNB10.DBBG.BSDS01
  DSNB10.DBBG.BSDS02

TABLESPACES & INDEXSPACES - DBM1 (ALTER)
  DSNB10.DSNDBC.ADBDCH.ADBCHKX1.I0001.A001
  DSNB10.DSNDBC.ADBDCH.ADBCKPTX.I0001.A001
  DSNB10.DSNDBD.DSN8D11P.XDSPTXT1.J0001.A001
  DSNB10.DSNDBD.DSN8D11P.XMAPRTBL.I0001.A001

INSTALL LIBRARIES - ALL (READ)
  DSNB10.DBBG.SDSNEXIT
  DSNB10.SDSNLOAD

OTHER GENERAL DATASETS - ADMT (UPDATE)
  DSNB10.DBBG.TASKLIST

Dataset Protection

Notes:

If CEE.SCEERUN or an equivalent is not in the LINKLIST, all started tasks will need READ access to it.

DB2PIRLM will probably need READ access to DSNB10.SDXRRESL.

DB2 System programmers may need access to all datasets for backup/restore and maintenance tasks.

DB2PWLMx tasks may need access to other datasets:

CBC.SCCNCMP (C compiler)
DSNB10.DBBG.DBRMLIB.DATA
DSNB10.SDSNCLST

Check with the DB2 System programmer for others.

Subsystem protection

DSNR Class Profiles:

Name        UACC   Access List
DB2P.SASS   NONE   CICSPRD(READ)
DB2P.BATCH  NONE   PRODID(READ)
DB2T.BATCH  NONE   PGMRGRP(READ)
DB2T.SASS   NONE   CICSTST(READ)

(Diagram: CICSPRD and CICSTST reach their own DB2 subsystems through these DSNR profiles; PGMRGRP is kept out of DB2P.)

Subsystem protection

RDEF DSNR (DB2P.SASS, DB2P.BATCH) OW(DBADMIN) UA(NONE)
RDEF DSNR (DB2T.SASS, DB2T.BATCH) OW(DBADMIN) UA(NONE)
PE DB2P.SASS CL(DSNR) ID(CICSPRD) AC(READ)
PE DB2P.BATCH CL(DSNR) ID(PRODID) AC(READ)
PE DB2T.SASS CL(DSNR) ID(CICSTST) AC(READ)
PE DB2T.BATCH CL(DSNR) ID(PGMRGRP) AC(READ)

Subsystem protection

Profile syntax is subsystem.environment. If the subsystem were DB2P, the profiles would be:

DB2P.MASS - for IMS™ (including MPP, BMP, Fast Path & DL/1 Batch)
DB2P.SASS - for CICS® (connection processing only)
DB2P.DIST - for Distributed Data Facility
DB2P.RRSAF - for Recoverable Resource Manager Services Attachment Facility
DB2P.BATCH - for all others, including TSO, batch, all utility jobs, and requests via the Call-Attach facility

RECOMMENDATIONS

Only the subsystem user ID (the CICS or IMS region user ID) needs access to the MASS and SASS profiles.

Restrict access to test subsystems to keep unauthorized users from experimenting.

If there are separate test and production subsystems, restrict the test CICS and IMS regions from the production DB2 subsystems.

Access to the BATCH profile may need to be given to personal user IDs as well as to special user IDs (e.g. the scheduler ID, other subsystems, etc.).

Determine the easiest way to give users access (e.g. consider a RACF group for DB2 subsystem enrollment).

Subsystem protection

(Diagram: connection processing for every connection type - DL/1 batch, CICS start-up, JES-initiated batch, TSO, started tasks, DB2 utilities and the IMS control region - goes through the same three steps.)

STEP 1: OBTAIN PRIMARY ID
STEP 2: VERIFY BY RACF ID ACCESS TO SUB-SYSTEM (the DSNR profile); NOT AUTHORIZED: REJECT REQUEST
STEP 3: RUN CONNECTION EXIT ROUTINE

DB2 Secondary Authorization IDs

(Diagram: the default exits are shipped in DSNB10.SDSNLOAD; the sample exits, once assembled, replace them from DSNB10.DBBG.SDSNEXIT.)

DSN3@ATH - Default Exit (connection)
DSN3SATH - Sample Exit (connection)
DSN3@SGN - Default Exit (sign-on)
DSN3SSGN - Sample Exit (sign-on)

DB2 Secondary Authorization IDs

Job DSNTIJEX assembles and link-edits the sample exits DSN3SATH and DSN3SSGN from DSNB10.SDSNSAMP into DSNB10.DBBG.SDSNEXIT under the names DSN3@ATH and DSN3@SGN.

DB2 Secondary Authorization IDs

(Diagram: user USER01 connects with primary ID USER01. The DSN3@ATH exit reads the RACF groups in the ACEE - TEST, PROD, DB2AP, DB2PY - and makes them the DB2 secondary authorization IDs. Result: SQL ID USER01, primary ID USER01, secondary IDs TEST, PROD, DB2AP and DB2PY. The limit is 1012 secondary IDs.)

DB2 Secondary Authorization IDs

(Diagram: the CICS region CICSPRD signs on with primary ID CICSPRD. The DSN3@SGN exit reads the RACF groups in the ACEE - GRP1, GRP2, GRP3, GRP4 - and makes them the DB2 secondary authorization IDs. Result: SQL ID CICSPRD, primary ID CICSPRD, secondary IDs GRP1, GRP2, GRP3 and GRP4. The limit is 1012 secondary IDs.)

• Everything up to now has been available and recommended for a very long time.

• And now for something NEW (relatively)

Using RACF external security for DB2

(Diagram: the DB2 Subsystem Authorization Exit DSNX@XAC is driven by DB2 at three points: Initialization at DB2 start-up, Authorization Checking on access to DB2 objects, and Termination at DB2 shutdown. At initialization the RACF profiles for the DB2 classes are loaded from the RACF database into a data space, and the authorization checks are answered from that data space.)

Steps To Implement DSNX@XAC Exit

1. Obtain the RACF Access Control Module
   – From DSNB10.SDSNSAMP(DSNXRXAC) – starting with DB2 V8
2. Copy to a private library with the name DSNX@XAC
3. Specify the exit options (optional)
   – &CLASSOPT
   – &CLASSNMT
   – &CHAROPT
   – &ERROROPT
4. Define DB2 classes in the CDT (if the exit is modified)
5. Define RACF profiles - RDEFINE, RALTER, PERMIT
6. Activate the DB2 classes
7. Assemble and link-edit the sample exit
   – Modify the JEX0003 step of the DB2 install job
   – Run the JEX0003 job
8. Start DB2


Single or Multi-subsystem Scope?

• Multi-Subsystem Scope Classes – Default

– First qualifier is DB2 subsystem name

– No changes to CDT

• Single Subsystem Scope Classes – Optional

– DB2 subsystem name not in profile

– Add classes to CDT


Customizing the DSNX@XAC Exit

(Diagram: the Security Administrator and the System Programmer have to agree on the exit options &CLASSOPT, &CLASSNMT, &CHAROPT and &ERROROPT before the exit is built. Before profiles can be defined, the administrator needs to know: the class scope, the pattern of the DB2 class names, and the format of the RACF profile names.)

Customization Options for DSNX@XAC

&CLASSOPT - Class Scope
  1 = Single-subsystem scope
  2 = Multi-subsystem scope

&CLASSNMT - Class Name Root
  1 to 4 characters; ‘DSN’ is the default
  Only for &CLASSOPT=2
  Example: MDB2PTB#

&CHAROPT - Class Name Suffix
  Last character of the class name: 0 - 9, #, @, $
  Default is ‘1’
  Example: MDB2PTB#

Customization Options for DSNX@XAC

&ERROROPT
  1 = Defer to DB2 when an unexpected error occurs
  2 = Instruct DB2 to terminate when an unexpected error occurs

An unexpected error is:
• DSNX@XAC abends
• DSNX@XAC returns an unexpected return code
• DSNX@XAC instructs DB2 to not call it again

Multi-Subsystem Scope Options

Example of using the default settings:

Exit options: &CLASSOPT = 2, &CLASSNMT = DSN

Class for DB2 Authorities: DSNADM

Classes for DB2 Objects: MDSNTB GDSNTB, MDSNPN GDSNPN, etc.

Profile names must be prefixed with the DB2 subsystem name.

Multi-Subsystem Scope (Default)

(Diagram: the RACF CDT is unchanged and already contains MDSNTB, GDSNTB and the other IBM-supplied classes. A SELECT request on table U01.TAB123 in DB2P is checked against profile DB2P.U01.TAB123.SELECT in the MDSNTB class; an ALTER request on table U49.TABXYZ in DB2T is checked against DB2T.U49.TABXYZ.ALTER in the same MDSNTB class. Both subsystems share one class, and the subsystem name is the first qualifier of the profile.)

Single-Subsystem Scope Options

Example of installation-defined classes:

Exit options: &CLASSOPT = 1, &CLASSNMT = Not Applicable, &CHAROPT = #

Class for DB2 Authorities: DB2PADM# (DB2P), DB2TADM# (DB2T)

Classes for DB2 Objects:
  DB2P: MDB2PTB# GDB2PTB#, MDB2PPN# GDB2PPN#, etc.
  DB2T: MDB2TTB# GDB2TTB#, MDB2TPN# GDB2TPN#, etc.

Profile names are not prefixed with the DB2 subsystem name; the class names must contain the DB2 subsystem name.

Dynamic CDT

RDEFINE CDT MDB2PTB# CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) MAXLNTH(100) MAXLENX(246) GROUP(GDB2PTB#) OPER(NO) DEFAULTRC(4) POSIT(526) SIGNAL(YES) RACLIST(DISALLOWED))

RDEFINE CDT GDB2PTB# CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) MAXLNTH(100) MAXLENX(246) MEMBER(MDB2PTB#) OPER(NO) DEFAULTRC(4) POSIT(526) SIGNAL(YES) RACLIST(DISALLOWED))

Single-Subsystem Scope

(Diagram: the RACF CDT (ICHRRCDE or the dynamic CDT) now contains the installation-defined classes MDB2PTB#, GDB2PTB#, MDB2TTB# and GDB2TTB#. A SELECT request on table U01.TAB123 in DB2P is checked against profile U01.TAB123.SELECT in the MDB2PTB# class; an ALTER request on table U49.TABXYZ in DB2T is checked against U49.TABXYZ.ALTER in the MDB2TTB# class. The subsystem is identified by the class, not by the profile name.)
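A worked example, added here and not part of the Vanguard deck, that derives the class and profile names shown on slides 25 to 29 from the three exit options. It assumes the two-letter object-type codes from slide 30 and, where the slides are silent, that the IBM-supplied root DSN takes no &CHAROPT suffix (which is what yields MDSNTB rather than MDSNTB1); U01.TAB123 and U49.TABXYZ are the slides' own sample tables.

```python
import re

# &CHAROPT must be a single character from 0-9, #, @ or $ (slide 23).
VALID_SUFFIX = re.compile(r"^[0-9#@$]$")


def object_class(classopt, subsys, obj_code, classnmt="DSN", charopt="1",
                 grouping=False):
    """Member (M...) or grouping (G...) class for one DB2 object type.

    obj_code is the two-letter type code from slide 30 (TB, PN, DB, ...).
    """
    if classopt not in (1, 2):
        raise ValueError("&CLASSOPT must be 1 or 2")
    if not 1 <= len(subsys) <= 4:
        raise ValueError("DB2 subsystem name is 1-4 characters")
    if not VALID_SUFFIX.match(charopt):
        raise ValueError("&CHAROPT must be one of 0-9 # @ $")
    prefix = "G" if grouping else "M"
    if classopt == 1:
        # Single-subsystem scope: the subsystem name is the class root, so
        # each subsystem needs its own installation-defined classes (slide 27).
        root, suffix = subsys, charopt
    else:
        # Multi-subsystem scope: one shared root for every subsystem (slide 25).
        if not 1 <= len(classnmt) <= 4:
            raise ValueError("&CLASSNMT must be 1-4 characters")
        root = classnmt
        # Assumption: the IBM-supplied root DSN keeps the shipped names
        # (MDSNTB, GDSNTB), so no suffix; any other root gets &CHAROPT.
        suffix = "" if classnmt == "DSN" else charopt
    name = f"{prefix}{root}{obj_code}{suffix}"
    if len(name) > 8:
        raise ValueError(f"class name {name} exceeds 8 characters")
    return name


def admin_class(classopt, subsys, classnmt="DSN", charopt="1"):
    """Class for DB2 authorities (SYSADM, DBADM, ...): DSNADM by default,
    subsystem-specific names such as DB2PADM# in single-subsystem scope."""
    if classopt == 1:
        return f"{subsys}ADM{charopt}"
    return f"{classnmt}ADM" + ("" if classnmt == "DSN" else charopt)


def object_profile(classopt, subsys, owner, obj_name, privilege):
    """Profile name for one privilege on one object.  The subsystem is the
    first qualifier only in multi-subsystem scope, where the class is
    shared; in single-subsystem scope the class name already carries it."""
    qualifiers = [owner, obj_name, privilege]
    if classopt == 2:
        qualifiers.insert(0, subsys)
    return ".".join(qualifiers)


def resolve(classopt, subsys, obj_code, owner, obj_name, privilege,
            classnmt="DSN", charopt="1"):
    """(class, profile) the exit would check for this request."""
    return (object_class(classopt, subsys, obj_code, classnmt, charopt),
            object_profile(classopt, subsys, owner, obj_name, privilege))


if __name__ == "__main__":
    # Slide 26, defaults -> ('MDSNTB', 'DB2P.U01.TAB123.SELECT')
    print(resolve(2, "DB2P", "TB", "U01", "TAB123", "SELECT"))
    # Slide 29, &CLASSOPT=1 and &CHAROPT=# -> ('MDB2TTB#', 'U49.TABXYZ.ALTER')
    print(resolve(1, "DB2T", "TB", "U49", "TABXYZ", "ALTER", charopt="#"))
```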

RACF Classes For DB2 Objects

DB2 Object Type              Member   Grouping
Bufferpool                   MDSNBP   GDSNBP
Collection                   MDSNCL   GDSNCL
Database                     MDSNDB   GDSNDB
Global Variables             MDSNGV   GDSNGV
JAR - Java Archive File      MDSNJR   GDSNJR
Package                      MDSNPK   GDSNPK
Plan                         MDSNPN   GDSNPN
Schema                       MDSNSC   GDSNSC
Sequence                     MDSNSQ   GDSNSQ
Storage Group                MDSNSG   GDSNSG
Stored Procedure             MDSNSP   GDSNSP
System                       MDSNSM   GDSNSM
Table / Index / View         MDSNTB   GDSNTB
Table Space                  MDSNTS   GDSNTS
User Defined Distinct Type   MDSNUT   GDSNUT
User Defined Function        MDSNUF   GDSNUF

Authorization Exit Example

DB2P Subsystem: does the user ARTH have the INSERT privilege on the table PAYID.EMPL in the PAYDB database?

(Diagram: the Access Control Module walks the checks below; each is a RACF check against a profile held in the RACF data space, every profile with UA(NONE). RC=0 from any check means Allow. When every check fails the module sets RC 8, Deny. RC=4 means the module has no answer and DB2 Security decides.)

1. Check Privilege: MDSNTB class, DB2P.PAYID.EMPL.INSERT, UA(NONE) PHILE(READ) -> RC 8 (ARTH is not permitted)
2. Owner? ARTH = PAYID -> No
3. DBADM Authority? DSNADM class, DB2P.PAYDB.DBADM, UA(NONE) JOHNH(READ) -> RC 8
4. DATAACCESS Authority? DSNADM class, DB2P.DATAACCESS, UA(NONE) FRED(READ) -> RC 8
5. SYSDBADM Authority? DSNADM class, DB2P.SYSDBADM, UA(NONE) BOBS(READ) -> RC 8
6. SYSADM Authority? DSNADM class, DB2P.SYSADM, UA(NONE) JULIE(READ) -> RC 8

Set RC 8 -> Deny
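The slide's walk-through as a small simulation, added here and not part of the deck. RACF is stood in for by an in-memory table of the five profiles drawn on the slide (all UACC NONE), and the return codes follow the slide: 0 allow, 4 defer to DB2, 8 deny; the rule that the module defers only when no profile at all covers the request is a modelling assumption, not something the slide states.

```python
RC_ALLOW, RC_DEFER, RC_DENY = 0, 4, 8

# Constructed RACF profiles mirroring slide 31: (class, profile) -> user IDs
# permitted READ.  Multi-subsystem scope, so every profile starts with DB2P.
RACF_PROFILES = {
    ("MDSNTB", "DB2P.PAYID.EMPL.INSERT"): {"PHILE"},
    ("DSNADM", "DB2P.PAYDB.DBADM"): {"JOHNH"},
    ("DSNADM", "DB2P.DATAACCESS"): {"FRED"},
    ("DSNADM", "DB2P.SYSDBADM"): {"BOBS"},
    ("DSNADM", "DB2P.SYSADM"): {"JULIE"},
}


def racf_auth(profiles, cls, profile, user):
    """Stand-in for the READ check the module makes against the profiles
    in its data space: 0 permitted, 8 denied, 4 when no profile exists."""
    acl = profiles.get((cls, profile))
    if acl is None:
        return RC_DEFER
    return RC_ALLOW if user in acl else RC_DENY


def check_table_privilege(profiles, subsys, user, owner, table, database,
                          privilege):
    """Walk the slide-31 decision flow and return (rc, reason)."""
    # 1. Explicit privilege on the table (MDSNTB class).
    rc = racf_auth(profiles, "MDSNTB",
                   f"{subsys}.{owner}.{table}.{privilege}", user)
    if rc == RC_ALLOW:
        return RC_ALLOW, f"{privilege} privilege on table"
    any_defined = rc == RC_DENY
    # 2. The owner of a table implicitly holds every privilege on it.
    if user == owner:
        return RC_ALLOW, "owner of the table"
    # 3-6. Administrative authorities in the DSNADM class, least to most
    #      powerful, each a separate profile as on the slide.
    for reason, profile in (
        ("DBADM authority on database", f"{subsys}.{database}.DBADM"),
        ("DATAACCESS authority", f"{subsys}.DATAACCESS"),
        ("SYSDBADM authority", f"{subsys}.SYSDBADM"),
        ("SYSADM authority", f"{subsys}.SYSADM"),
    ):
        rc = racf_auth(profiles, "DSNADM", profile, user)
        if rc == RC_ALLOW:
            return RC_ALLOW, reason
        any_defined = any_defined or rc == RC_DENY
    if any_defined:
        return RC_DENY, "no profile permits the request"
    # Nothing in RACF covers this request: leave the decision to DB2.
    return RC_DEFER, "no RACF profile covers the request; DB2 decides"


if __name__ == "__main__":
    # ARTH is denied (RC=8); PHILE, PAYID and JULIE are allowed for
    # different reasons, showing which check answered.
    for user in ("ARTH", "PHILE", "PAYID", "JULIE"):
        rc, why = check_table_privilege(RACF_PROFILES, "DB2P", user,
                                        "PAYID", "EMPL", "PAYDB", "INSERT")
        print(f"{user:6} RC={rc}  {why}")
```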

DB2 to RACF Migration Tool

(Diagram: the RACFDB2 utility, supplied as JCL, an EXEC and documentation, reads the DB2 authorization tables of a subsystem and writes its output to RCF.RACFDB2.CONVCLST: the RDEF, RALT and PERMIT commands that define the equivalent profiles in the DSNADM, MDSNTB, MDSNPN and other classes in the RACF database.)

DB2 Authorization Tables read:

SYSIBM.SYSCOLAUTH
SYSIBM.SYSDBAUTH
SYSIBM.SYSPACKAUTH
SYSIBM.SYSPLANAUTH
SYSIBM.SYSRESAUTH
SYSIBM.SYSROUTINEAUTH
SYSIBM.SYSSEQUENCEAUTH
SYSIBM.SYSSCHEMAAUTH
SYSIBM.SYSTABAUTH
SYSIBM.SYSUSERAUTH
SYSIBM.SYSVARIABLEAUTH


DB2 Release Considerations

• On August 3, 2010, IBM® announced the End of Service (EOS) for DB2 8 for IBM z/OS®. The effective EOS date is April 30, 2012.

• On February 7, 2012, IBM announced the End of Service (EOS) for DB2 9 for z/OS. The effective EOS date is June 27, 2014.

• On October 19, 2010, IBM announced General Availability for DB2 10 for z/OS as of October 22, 2010.

• On October 1, 2013, IBM announced DB2 11 for z/OS with planned availability on October 25, 2013.


Questions