Upload: rafe-mccoy

Post on 04-Jan-2016


Page 1: Z/OS & zSeries Security Security Home Page  RACF Home Page

z/OS & zSeries Security

Security Home Page

http://www.ibm.com/servers/eserver/zseries/zos/security

RACF Home Page

http://www.ibm.com/servers/eserver/zseries/zos/racf/

Page 2: Trademarks

zCPO zClass Introduction to z/OS

The following are trademarks of International Business Machines Corporation:

ACF/VTAM, AD/Cycle, ADSM, Advanced Function Printing, AFP, AIX*, AIX/ESA, AOEXPERT/MVS, Automated Operations Expert/MVS, CICS/ESA, DataHub, DATABASE 2, DataTrade, DB2*, DFDSM, DFSMS, DFSMS/MVS, DFSMSdfp, DFSMSdss, DFSMShsm, DFSMSrmm, Distributed Relational Database Architecture, DRDA, Enterprise Systems Architecture/370, Enterprise Systems Architecture/390, Enterprise System/3090, Enterprise System/4381, Enterprise System/9000, Enterprise Systems Connection Architecture, ES/3090, ES/4381, ES/9000, ESA/370, ESA/390, ESCON, FASTService*, FlowMark, Hardware Configuration Definition, Hiperbatch, Hipersorting*, Hiperspace, IBM*, IBM S/390 Parallel Enterprise Server, IBM S/390 Parallel Enterprise Server - Generation 3, IMS/ESA, LANRES, Micro Channel*, MQ Series, MVS/DFP, MVS/ESA, NetView*, NQS/MVS, OPC, Open Blueprint, OpenEdition*, OSA, OSA 1, OSA 2, OS/2*, OS/390, OS/400*, Parallel Sysplex, Power Prestige, PR/SM, PS/2*, Processor Resource/Systems Manager, RISC System/6000, S/360, S/370, S/390, SAA, SAP R3, Sysplex Timer, System/370, System/390, Systems Application Architecture*, SystemView, VM/ESA, VSE/ESA, VTAM, 3090

Note: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.

Actual performance and environmental costs will vary depending on individual customer configurations and conditions.

Note: IBM hardware products are manufactured from new parts, or new and used parts. Regardless, our warranty terms apply.

Page 3: Objectives

In this chapter you will learn to:
− Explain security and integrity concepts
− Explain RACF and its interface with the operating system
− Authorize a program
− Discuss integrity concepts
− Explain the importance of change control
− Explain the concept of risk assessment

Page 4: Alphabet Soup

Definitions (industry standard names):

RACF: Resource Access Control Facility
LDAP: Lightweight Directory Access Protocol
DCE: Distributed Computing Environment
OCEP: Open Cryptographic Enhanced Plug-ins => extensions to the Open Cryptographic Services Facility of the z/OS base
CDSA: Common Data Security Architecture => standard API definition for crypto functions, certificate management and storage. Cross-industry, cross-platform; Intel and many vendors.

Page 5: z/OS security architecture

Authenticate users and other accessors:
− UserID and password
− Digital certificate
− PassTicket
− Kerberos token

Protect resources from unauthorized usage:
− Access checking and authorization points embedded within z/OS
− All accesses to all resources are checked for the user's authority
− The Link Pack Area (LPA) is write protected even from privileged programs
− Address spaces are isolated from each other

Resources: business data, databases, transaction systems, programs, batch jobs, operator functions, user commands, networks, print facilities, UNIX…

Page 6: Introduction

An installation's data and programs are among its most valuable assets and must be protected.
At one time data was secure because no one knew how to access it.
As more people become computer literate and able to use simple tools, unprotected data is becoming more accessible.
Data security is now more important than ever and includes the prevention of inadvertent destruction.

Page 7: Why security

Any system security must allow authorized users the access they need and prevent unauthorized access.
Many companies' critical data is now on computer and is easily stolen if not protected.
The SecureWay Security Server provides a framework of services to protect data.

Page 8: RACF

RACF (part of the Security Server) and the other available packages are add-on products which provide the basic security framework on a z/OS mainframe. They:
− Identify and authenticate users
− Authorize users to access protected resources
− Log and report attempted unauthorized access
− Control means of access to resources

Page 9: RACF functions overview

[Diagram: RACF and the RACF database at the centre, surrounded by its four function areas]
− Security administration
− Resource authorization checking and system control
− User identification and authorization
− Audit and integrity reports, violation alerts

Page 10: Identification and verification of users

RACF uses a user ID and a system-encrypted password to perform its user identification and verification.
The user ID identifies the person to the system.
The password verifies the user's identity.
Passwords should not be trivial, and exits can be used to enforce policies.

Page 11: Protection Levels

RACF works on a hierarchical structure:
− ALLOC allows data set creation and destruction
− CONTROL allows VSAM repro
− WRITE allows update of data
− READ allows read of data
− NONE: no access

A higher permission implies all those below.

Page 12: Protecting a dataset

A data set profile is built and stored in the database.
It will give users or groups an access level.
A universal access level will also be set.
The profile can be specific or generic, with or without wildcards.

Page 13: RACF typical display

INFORMATION FOR DATASET SYS1.*.** (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1      READ              NO       NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS   CREATION GROUP   DATASET TYPE
-----------   --------------   ------------
ALTER         SYS1             NON-VSAM

Page 14: RACF access list for SYS1.*.**

ID        ACCESS
--------  -------
SYS1      ALTER
KARRAS    ALTER
WANDRER   ALTER
SCHUBER   ALTER
KURTKR    UPDATE
KURTKR2   UPDATE
KURTKR3   NONE
CICSRS1   ALTER
CICSRS2   ALTER
HEISIG    UPDATE
JUSTO     UPDATE
GERALD    READ
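The slides on pages 11 to 14 describe the pieces of a data set authorization check (access hierarchy, generic profile, universal access, access list, auditing) without showing how they combine. The following model puts them together; it is an added example, not IBM code or output from RACF. The SYS1.*.** profile data (UACC READ, AUDIT FAILURES(READ), the access list) is taken from the display above; the SYS1.PARMLIB discrete profile and its AUDIT(ALL(UPDATE)) setting, which the logging slide later in the deck mentions, are constructed. The generic-matching rules and the "most specific profile" ranking are my simplifications of RACF's enhanced generic naming and are labelled as assumptions in the code.

```python
"""Model of a RACF data set authorization check.

Added example, not IBM code. Assumptions, labelled here: enhanced generic
naming rules ('**' matches zero or more qualifiers, '*' as a whole qualifier
matches exactly one, '*' inside a qualifier matches any characters within it,
'%' matches one character); a discrete profile beats any generic, and among
generics the one with the most literal leading qualifiers is "most specific".
The SYS1.*.** data is the display and access list from the slides; the
SYS1.PARMLIB profile is constructed for the example.
"""
import re

# RACF access hierarchy; the slide's ALLOC/WRITE appear as ALTER/UPDATE in real displays.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Profile from the slides (SYS1.*.**) plus one constructed discrete profile.
SYS1_PROFILE = {
    "name": "SYS1.*.**", "uacc": "READ", "warning": False, "audit": ("FAILURES", "READ"),
    "acl": {"SYS1": "ALTER", "KARRAS": "ALTER", "WANDRER": "ALTER", "SCHUBER": "ALTER",
            "KURTKR": "UPDATE", "KURTKR2": "UPDATE", "KURTKR3": "NONE",
            "CICSRS1": "ALTER", "CICSRS2": "ALTER", "HEISIG": "UPDATE", "JUSTO": "UPDATE",
            "GERALD": "READ"},
}
PARMLIB_PROFILE = {  # constructed: a discrete profile that AUDITs every update
    "name": "SYS1.PARMLIB", "uacc": "NONE", "warning": False, "audit": ("ALL", "UPDATE"),
    "acl": {"SYS1": "ALTER", "KURTKR": "READ"},
}
PROFILES = {p["name"]: p for p in (SYS1_PROFILE, PARMLIB_PROFILE)}


def dominates(held, needed):
    """True when `held` is at or above `needed` in the hierarchy."""
    return LEVELS.index(held) >= LEVELS.index(needed)


def match_qual(pat, qual):
    """One qualifier: '*' matches any characters, '%' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pat)
    return re.fullmatch(regex, qual) is not None


def match_quals(pattern, name):
    """Recursively match profile qualifiers against data set qualifiers."""
    if not pattern:
        return not name
    head, rest = pattern[0], pattern[1:]
    if head == "**":  # zero or more whole qualifiers
        return any(match_quals(rest, name[i:]) for i in range(len(name) + 1))
    return bool(name) and match_qual(head, name[0]) and match_quals(rest, name[1:])


def best_profile(dataset, profiles):
    """Discrete match first, else the matching generic with the longest literal prefix."""
    name = dataset.split(".")
    matches = [p for p in profiles if match_quals(p.split("."), name)]
    if not matches:
        return None

    def rank(p):
        quals = p.split(".")
        literal = next((i for i, q in enumerate(quals) if "*" in q or "%" in q), len(quals))
        return (literal == len(quals), literal)  # (is discrete, literal leading qualifiers)

    return max(matches, key=rank)


def decide(profile, user, groups, needed):
    """Return (decision, logged). An explicit user entry always wins over groups and UACC."""
    acl = profile["acl"]
    if user in acl:
        held = acl[user]
    else:
        via_groups = [acl[g] for g in groups if g in acl]
        held = max(via_groups, key=LEVELS.index) if via_groups else profile["uacc"]
    allowed = dominates(held, needed)
    decision = "ALLOW" if allowed else ("WARN" if profile["warning"] else "DENY")
    # AUDIT(FAILURES(lvl)) logs failed attempts at lvl or above; ALL(lvl) logs every attempt.
    kind, threshold = profile["audit"]
    in_scope = dominates(needed, threshold)
    logged = in_scope and (kind == "ALL" or (kind == "FAILURES" and not allowed)
                           or (kind == "SUCCESS" and allowed))
    return decision, logged


def authorize(dataset, user, groups, needed, profiles=None):
    """Pick the profile covering `dataset`, then decide and say whether RACF would log it."""
    profiles = PROFILES if profiles is None else profiles
    pname = best_profile(dataset, profiles)
    if pname is None:
        return "NO PROFILE", None, False
    decision, logged = decide(profiles[pname], user, groups, needed)
    return decision, pname, logged


if __name__ == "__main__":
    for ds, u, g, lvl in [("SYS1.LINKLIB", "GERALD", ["SYS1"], "UPDATE"),
                          ("SYS1.LINKLIB", "KURTKR3", [], "READ"),
                          ("SYS1.PARMLIB", "KURTKR", [], "READ")]:
        print(ds, u, lvl, "->", authorize(ds, u, g, lvl))
```

Two points the model makes visible: GERALD's explicit READ entry denies him UPDATE even though his group SYS1 holds ALTER, and KURTKR3's explicit NONE is a deny that the UACC of READ does not override; both failures are written to the log because the profile audits FAILURES(READ).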

Page 15: Protecting general resources

Many system resources can be protected:
− DASD volumes
− Tapes
− CICS or IMS transactions
− JES spool datasets
− System commands
− Application resources and many more

RACF is flexible and more can be added.

Page 16: System Authorization Facility

SAF is part of z/OS.
It uses RACF if it is present, and can also use an optional exit routine.
SAF is a system service and is a common focal point for all products providing resource control.
SAF is invoked at control points within the code of the resource manager.

Page 17: RACF Structure

Userid and group:
− Every userid belongs to at least one group
− Group structures are often used for access to resources

Resource:
− Resource classes
− Class descriptor table – used to customize

Page 18: RACF Functions (same diagram as Page 9)

Page 19: User Identification

RACF identifies you when you log on.
Userid and password are required.
Each RACF userid has a unique password.
The password is one-way encrypted, so no one else can get your password, not even the administrator.
The userid is revoked after a preset number of invalid password attempts.

Page 20: Logging and reporting

RACF maintains statistical information.
RACF writes a security log when it detects:
− Unauthorized attempts to enter the system
− Access to resources
  − This depends on the settings for the resource
  − For example, AUDIT(ALL(UPDATE)) will record all updates to a resource
− Issuing of commands

Page 21: Security Administration

Interpret the security policy to:
− Determine which RACF functions to use
− Identify the level of RACF protection
− Identify which data to protect
− Identify administrative structures and users

Page 22: RACF sysplex data sharing and RRSF

If many systems share a RACF database there can be contention problems.
RACF will propagate commands throughout a sysplex.
RACF can use a coupling facility in a parallel sysplex to improve performance.
RRSF can be used to keep distributed RACF databases in line.

Page 23: Authorized programs

Authorized tasks running authorized programs are allowed to access sensitive system functions.
Unauthorized programs may only use standard functions, to avoid integrity problems.

Page 24: Authorized Program Facility

[Diagram: SYS1.LINKLIB, SYS1.LPALIB and SYS1.SVCLIB + the list of installation-defined libraries = the APF authorized libraries]

Page 25: Authorized Libraries

A task is authorized when the executing program has the following characteristics:
− It runs in supervisor state
− It runs in PSW key 0 to 7
− All previous programs in the same task were APF programs
− The module was loaded from an APF library

Page 26: Problem Programs

Normal programs are known as problem programs, as they run in problem state (as opposed to supervisor state).
They run in the problem key, 8.
They may or may not be in an APF library.

Page 27: APF Libraries

Authorized libraries are defined by the APF list in SYS1.PARMLIB.
SYS1.LINKLIB, SYS1.SVCLIB and SYS1.LPALIB are automatically authorized.
Installation libraries are defined in PROGxx.
By default all libraries in the linklist are authorized, but many installations set LNKAUTH=APFTAB, often prompted by auditors, so that this is no longer the case and only those in the list are authorized.

Page 28: Authorizing a program

The first, and only the first, load module of the program must be linked with the authorization code AC=1.
It and all subsequent modules must be loaded from an authorized library.
APF libraries must be protected so that only authorized users can store programs there.
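Pages 23 to 28 give the APF rules one at a time. The following model, an added example that is not IBM code, applies them together: which libraries count as authorized under LNKAUTH=LNKLST versus LNKAUTH=APFTAB, whether a sequence of load modules leaves a task authorized, and the defender's check that follows from the last bullet above, namely listing APF libraries whose data set profile would let anyone store a program into them. The PROGxx entry, linklist, library and module names are constructed; the UACC table is a stand-in for what LISTDSD would show.

```python
"""Model of the APF rules on slides 23 to 28.

Added example, not IBM code. It encodes the rules as the slides state them:
SYS1.LINKLIB, SYS1.SVCLIB and SYS1.LPALIB are always authorized and PROGxx adds
installation libraries; with LNKAUTH=LNKLST every linklist library also counts,
with LNKAUTH=APFTAB only the APF list does; a task is authorized only if its
first load module was link-edited with AC=1 and fetched from an authorized
library, and every later module must also come from an authorized library.
Library and module names are constructed for the example.
"""
from dataclasses import dataclass

ALWAYS_AUTHORIZED = {"SYS1.LINKLIB", "SYS1.SVCLIB", "SYS1.LPALIB"}
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass(frozen=True)
class LoadModule:
    name: str
    library: str  # data set the module was fetched from
    ac: int       # authorization code set at link-edit time (AC=1 or AC=0)


def authorized_libraries(progxx_apf, linklist, lnkauth="APFTAB"):
    """Libraries z/OS treats as APF authorized under the given LNKAUTH setting."""
    if lnkauth not in ("LNKLST", "APFTAB"):
        raise ValueError("LNKAUTH must be LNKLST or APFTAB")
    libs = ALWAYS_AUTHORIZED | set(progxx_apf)
    if lnkauth == "LNKLST":  # the default the slide says auditors push installations away from
        libs |= set(linklist)
    return libs


def task_is_authorized(modules, apf_libs):
    """Walk the task's load sequence; return (authorized, reason)."""
    if not modules:
        return False, "nothing loaded"
    first = modules[0]
    if first.ac != 1:
        return False, f"{first.name} is not linked AC=1"
    if first.library not in apf_libs:
        return False, f"{first.name} fetched from unauthorized {first.library}"
    for mod in modules[1:]:
        # AC on later modules is ignored; only where they come from matters.
        if mod.library not in apf_libs:
            return False, f"{mod.name} fetched from unauthorized {mod.library}"
    return True, "first module AC=1 and every module from an authorized library"


def exposed_apf_libraries(apf_libs, uacc_by_library):
    """Defender check for slide 28: APF libraries anyone could store a program into.

    Flags a library whose data set profile grants UACC UPDATE or higher, or that
    has no profile at all in the supplied table.
    """
    exposed = []
    for lib in sorted(apf_libs):
        uacc = uacc_by_library.get(lib)
        if uacc is None or LEVELS.index(uacc) >= LEVELS.index("UPDATE"):
            exposed.append(lib)
    return exposed


# Constructed installation: one PROGxx APF entry and a linklist with two non-APF libraries.
PROGXX_APF = ["SYS1.SECURE.APFLIB"]
LINKLIST = ["SYS1.LINKLIB", "USER.LINKLIB", "APP.LOADLIB"]
TRUSTED = [LoadModule("MAINPGM", "SYS1.SECURE.APFLIB", 1), LoadModule("SUBPGM", "SYS1.LINKLIB", 0)]
FROM_LINKLIST = [LoadModule("MAINPGM", "APP.LOADLIB", 1)]

if __name__ == "__main__":
    for setting in ("APFTAB", "LNKLST"):
        libs = authorized_libraries(PROGXX_APF, LINKLIST, setting)
        print(setting, task_is_authorized(FROM_LINKLIST, libs))
```

The FROM_LINKLIST case is the one the auditors on page 27 care about: the same AC=1 module is authorized under LNKAUTH=LNKLST and refused under LNKAUTH=APFTAB, so every linklist library is effectively an APF library unless APFTAB is set.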

Page 29: Authorizing libraries

[Diagram: APF authorized programs come from the authorized libraries (SYS1.LINKLIB, SYS1.LPALIB, SYS1.SVCLIB and the list of installation-defined libraries); non-authorized programs come from unauthorized libraries]

System programs usually:
− reside in APF-authorized libraries
− execute in supervisor state
− use storage keys 0 through 7

Application programs usually:
− reside in non-authorized libraries
− execute in problem state
− use storage key 8

Page 30: Operator Console Security

Consoles are assigned authority levels in the CONSOLxx parmlib member.
Commands are grouped:
− INFO: informational commands
− SYS: system control commands
− IO: I/O commands
− CONS: console control commands
− MASTER: master console commands

Each console may have one or more levels.

Page 31: Consoles

At least one console must have master authority.
In a sysplex, consoles are shared.
It is possible to require logon to consoles using RACF.
All extended MCS consoles should require a logon.

Page 32: Security Roles

The systems programmer sets up RACF.
The systems administrator implements the policies.
The Security Manager sets the policies.
Separation of duties is required to prevent uncontrolled access.

Page 33: Alphabet Soup (same definitions as Page 4)

Page 34: z/OS security architecture

Authenticate users and other accessors:
− UserID and password
− Digital certificate
− PassTicket
− Kerberos token

Protect resources from unauthorized usage:
− Access checking and authorization points embedded within z/OS
− All accesses to all resources are checked for the user's authority
− The Link Pack Area (LPA) is write protected even from privileged programs
− Address spaces are isolated from each other

Resources: business data, databases, transaction systems, programs, batch jobs, operator functions, user commands, networks, print facilities, UNIX, consoles

Page 35: zSeries "Security" Architecture

Hardware storage isolation helps protect programs from each other:
− Storage protect keys
− Address spaces
− Data spaces

Program execution states help protect the operating system from unauthorized program actions.

Hardware Logical Partitions (LPAR) allow multiple operating system images within one processor box, each a complete, isolated operating system image space.

Page 36: Basics of z/OS Security

[Diagram: the RACF database holds profiles for users (userid segments and the SPECIAL, AUDITOR and OPERATIONS attributes), groups, datasets and general resources (with wildcards); a z/OS resource manager issues an SAF request on behalf of an MVS task or application, whose RACF userid and group and STC, TRUSTED and SPECIAL status are checked; z/OS system integrity underpins it all]

Page 37: z/OS Security

z/OS provides more security features than most people realize:
− You can run a firewall on z/OS (if you wanted to)
− PKI services are fully supported (you can create a digital certificate if you wanted to)
− Kerberos can be used as an authentication server
− LDAP server and client are supported
− There is a security server called RACF (Resource Access Control Facility)
− There is thread-level access support, and more…

Page 38: z/OS …and more

SSL is supported…
IBM has a communication server, a.k.a. TCP/IP, that is honestly probably the best overall TCP implementation in the industry.
From a security standpoint, Dynamic VPN, IPSec and VIPA are supported.
Supports cross-platform identity mapping, called EIM – Enterprise Identity Mapping.
MLS – Multi-Level Security.
RACF controls UNIX superuser functions.

Page 39: RACF the Security Server

RACF is used for the basic identification, authentication, access and audit control functions. It is more than that, but hold on for a bit…

With RACF you can do at least the following:
− Local or remote security administration
− User identification and authentication
− Resource authorization checking and system access control
− Audit reports and integrity reports
− Violation reporting

Page 40: RACF has changed brand names

It confuses me what is what…
It started out as RACF.
Went to OS/390 Security Server.
Then morphed to SecureWay Security Server for OS/390.
Now it might be SecureWay Security Server for z/OS (RACF).
To me it is RACF…

Page 41: RACF User Identification & Authentication for USS

z/OS UNIX user identification:
− RACF user profile with OMVS segment
− RACF group profile with OMVS segment
− no /etc/passwd file

User authentication:
− RACF password
− RACF PassTicket

z/OS UNIX logon: TSO, rlogin, telnet

[Diagram: the OMVS segment of the user profile carries UID, HOME and PROGRAM]

Page 42: From Resource Managers to RACF and back for USS

[Diagram: shell commands, z/OS UNIX applications and z/OS UNIX utilities call the kernel; the kernel calls RACF through SAF and the RACF callable services; RACF returns the UID/GID/userid, the type of access and the security packet, and writes SMF records]

Page 43: RACF Control of Superuser Functions

Better security through RACF control instead of superuser authority: BPX.FILEATTR.*
Less need for superuser authority through RACF control: class UNIXPRIV
Improved accountability by switching into superuser mode only when needed
BPX.SUPERUSER is also used by SMP/E

Page 44: RACF Control of User Identity Changes

BPX.DAEMON
− Ability to validate and assume RACF identities
− Dæmon programs can only change identity if authorized

BPX.SERVER
− Surrogate assignment for POSIX threads
− Daemons can create threads with surrogate userids if authorized:
  − UPDATE: the client needs access authority to MVS resources
  − READ: client and server both need access authority

Page 45: Protection of Daemons Against Modification and Misuse

Dæmon programs typically run with UID 0 (superuser); they:
− Switch userids (UIDs) or authenticate user identities
− Open TCP/IP ports below 1024
− Invoke system commands or functions

If code can be modified or modules can be replaced, daemons can be misused.
Modules are loaded from the MVS search order (STEPLIB, LPA, LNKLSTxx, ...) if the sticky bit is set in the HFS executable.
Critical functions can only be performed if the program environment is controlled:
− Modules loaded from a library defined with RACF Program Control
− Modules loaded from HFS files with the PROGCTL attribute set

Page 46: More Secure than UNIX - USS

BPX.DAEMON - restricts the use of sensitive services
BPX.DEBUG - allows debugging of authorized programs
BPX.FILEATTR.APF - controls marking files authorized
BPX.FILEATTR.PROGCTL - controls marking files program controlled
BPX.SERVER - restricts the use of sensitive services
BPX.SMF - allows the writing of SMF records
BPX.STOR.SWAP - controls making address spaces non-swappable
BPX.WLMSERVER - controls access to the WLM interface
BPX.SAFFASTPATH - improves performance but prevents auditing of successful events

Page 47: UNIXPRIV Resource Names

Resource Name        Privilege                                                   Access Req'd
SUPERUSER.FILESYS    Read any HFS file; read and search any HFS directory        READ
SUPERUSER.FILESYS    Write any HFS file; also privileges of READ access          UPDATE
SUPERUSER.FILESYS    Write any HFS directory; also privileges of UPDATE access   CONTROL

Page 48: UNIXPRIV for Mount and Quiesce

Mount and quiesce file systems:

SUPERUSER.FILESYS.MOUNT
− READ: mount or unmount a file system with the nosetuid attribute
− UPDATE: mount or unmount a file system with the setuid attribute

SUPERUSER.FILESYS.QUIESCE
− READ: quiesce or unquiesce a file system mounted with nosetuid
− UPDATE: quiesce or unquiesce a file system mounted with setuid

Page 49: UNIXPRIV for other file actions

SUPERUSER.FILESYS.CHOWN
− READ: use chown to change the owner of any file

SUPERUSER.FILESYS.PFSCTL
− READ: allows use of the pfsctl() service

SUPERUSER.FILESYS.VREGISTER
− READ: allows use of the vreg() service to register as a VFS file server

Page 50: Program Controlled Environment

[Diagram: the web server dæmon in the web server address space is loaded from a RACF program-controlled (execute-controlled) library; the question mark marks an uncontrolled program loaded under the same TCB]

Page 51: Process & Thread Security

Platforms such as UNIX and Windows NT can assign different user identities to processes:
− Threads within a process all run under the same user identity
− To change the identity, a child process must be forked
− Process creation and deletion requires considerable overhead

z/OS can assign different user identities (userids) to processes and threads:
− Processes are address spaces
− Medium- and heavyweight threads run with their own TCB (Task Control Block)
− Overhead for thread creation is much lower than for a process
− User identities can be assigned at the task (thread) level
− Access control is performed against the thread-level userid

Page 52: Web Serving Security

On other platforms, the web server runs under a userid, e.g. "Nobody":
− This user needs access to all files served to users
− User authentication against a password file
− Access control against a mask (userid, IP address)
− Access control through the web server configuration file

On z/OS, the web server uses surrogate userids:
− User authentication in RACF
− Access control against the surrogate or client userid
− Access control rules can be much more fine-grained
− Errors in the web server configuration file can be caught if the file system is properly set up

Use z/OS if user-based access control is needed.
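Pages 44, 51 and 52 together describe how a z/OS daemon serves a request on a thread that carries the client's (or a surrogate's) identity, and how the daemon's own BPX.SERVER access level decides which identities are checked. The model below is an added example, not IBM code: a constructed table of access lists stands in for RACF profiles, the BPX.SERVER rule is the one stated on page 44 (UPDATE: client alone; READ: client and server both), and the single-userid "Nobody" model from page 52 is included for contrast. All userids, resources and access lists are constructed.

```python
"""Thread-level identity checks described on slides 44, 51 and 52.

Added example, not IBM code. A constructed table of access lists stands in
for RACF profiles, and the rule modelled is the one the slides give for
BPX.SERVER: with UPDATE access the daemon's thread is checked under the
client (or surrogate) userid alone; with READ access both that userid and
the server's own userid must have access. Userids, resources and access
lists are all constructed.
"""
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed RACF-style profiles: resource -> UACC plus explicit access list.
PROFILES = {
    "/itsodata/public.html":   {"uacc": "READ", "acl": {}},
    "/itsodata/intranet.html": {"uacc": "NONE", "acl": {"WEBGUEST": "READ", "HEISIG": "READ"}},
    "/itsodata/payroll.html":  {"uacc": "NONE", "acl": {"HEISIG": "READ"}},
}
# Constructed FACILITY-class grants on BPX.SERVER per daemon userid.
BPX_SERVER = {"WEBSRV": "UPDATE", "LEGACYSRV": "READ"}


def permitted(userid, resource, needed="READ"):
    """One identity against one resource: explicit entry, else UACC; no profile means no access."""
    prof = PROFILES.get(resource)
    if prof is None:
        return False
    held = prof["acl"].get(userid, prof["uacc"])
    return LEVELS.index(held) >= LEVELS.index(needed)


def thread_access(server, thread_user, resource, needed="READ"):
    """Decide a request made on a thread that daemon `server` runs under `thread_user`.

    `thread_user` is the authenticated client (Protect ... %%CLIENT%%) or a surrogate
    userid the server switched the thread to. Returns (allowed, identities checked).
    """
    level = BPX_SERVER.get(server, "NONE")
    if level == "NONE":
        # Without BPX.SERVER the daemon may not create a thread under another identity at all.
        return False, []
    checked = [thread_user] if level == "UPDATE" else [thread_user, server]
    return all(permitted(u, resource, needed) for u in checked), checked


def single_userid_model(server, resources, needed="READ"):
    """The other-platform model on slide 52: one server userid (e.g. "Nobody") is checked
    for everything served, so per-user control has to live in the server's own
    configuration instead of in the security manager."""
    return {r: permitted(server, r, needed) for r in resources}


if __name__ == "__main__":
    print(thread_access("WEBSRV", "HEISIG", "/itsodata/payroll.html"))
    print(thread_access("WEBSRV", "WEBGUEST", "/itsodata/payroll.html"))
    print(single_userid_model("WEBSRV", list(PROFILES)))
```

WEBGUEST plays the surrogate with limited access from page 55: requests served under it reach the intranet page but not payroll, while a client-authenticated thread for HEISIG reaches both, and neither decision depends on what WEBSRV itself may read once it holds UPDATE on BPX.SERVER.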

Page 53: z/OS Web Server Protection Directives

Protection itso_only {
    Authtype Basic
    ServerID ITSO_SERVER
    PasswdFile %%SAF%%
    Mask All
}

Protect /itsodata/* itso_only %%CLIENT%%

ServerID: unique identifier for the server.
Authtype Basic is the only valid value; it indicates to encode (but not encrypt) passwords.
PasswdFile: name of the password file for authentication of the client. %%SAF%% indicates to use RACF.
Mask All: the server accepts only valid, authenticated UserIDs defined in the password file (RACF).
%%CLIENT%%: the server does SetUID to the client's ID before serving the request.

Page 54: RACF Certificate Support

Protection directive using certificate verification:

SSLClientAuth On
......
Protection confidential {
    Authtype Basic
    ServerID Conf_Server
    PasswdFile %%SAF%%
    UserID %%CERTIF%%
    Mask Anybody
}

SSLClientAuth On: enables client authentication for all SSL sessions.
PasswdFile: name of the password file for authentication of the client. %%SAF%% indicates to use RACF.
UserID %%CERTIF%%: tells the web server to ask RACF for the UserID associated with the client certificate.
If "Mask All" is used, the user is additionally prompted for UserID/password.

Page 55: Web Server Extensions for RACF

The web server for z/OS allows the use of SAF authentication in place of the password file:
− Specify %%SAF%% as the password file
− Access to files (HFS and MVS) under normal RACF control
− Subsequent functions under control also (CGI, ICAPI, GWAPI)

Authority can be based on the client userid, or a surrogate userid can be specified:
− Surrogate IDs can have limited access
− Can mean less administrative overhead for large numbers of users

All userids (surrogate or client) need a valid UID: an individual OMVS segment or the default UID/GID.

More effective access control within an enterprise.

Page 56: z/OS Security – Some basics

− Superior hardware and system integrity
− User identification and authentication through RACF
− RACF control of superuser functions
− RACF control of user identity changes
− Daemon protection against modification and misuse
− Thread-level security environment

Page 57: Hardware and System Integrity

The zArchitecture LPAR function provides B2-level (ITSEC-E4) isolation between system images.
zArchitecture supervisor/program states and storage keys isolate the Trusted Computing Base from applications.
Tight control of the Authorized Program Facility (APF).
The Link Pack Area (LPA) is write protected even from privileged programs.
Address spaces are isolated from each other.
Fetch-protected storage can only be read by programs with the same storage key.
Formal commitment to system integrity since 1973, "Statement of System Integrity" since 1981.

Page 58: Workload Isolation

[Diagram: one IBM z990 server running two LPARs. LPAR A is the production partition (CICS, DB2, IMS, RACF) on the corporate network (intranet); LPAR B is an isolated, secure partition (IBM HTTP Server for z/OS, RACF) facing the Internet. Capacity can be increased or decreased dynamically between the partitions.]

Page 59: RACF Interface

Page 60: First Security Basics

Identification: the user identifies themselves to the system; usually done with a userid.
Authentication: authenticating that you are who you say you are, usually done with a password associated with the userid.
Authorization: after being identified and authenticated, you are authorized access, or entry, or…
Authorization is usually associated with resources, some real, some abstract (the abstraction relates to a resource):
− A file is real.
− The user may be part of a group, and the system/application developers can include an authorization check in their code to see if execution can continue.

Page 61: PKI Services on z/OS

What are PKI Services?
− New component of the z/OS Security Server
− Always enabled, but closely tied to RACF
− Complete Certificate Authority (CA) package
− Full certificate life-cycle management
− User request driven via customizable web pages
  − Browser or server certificates
− Automatic or administrator approval process
− Administered using the same web interface
  − End user / administrator revocation process
− Certificate validation service for z/OS applications
− Manual: "z/OS Security Server PKI Services Guide and Reference"
− Available with z/OS 1.3

Page 62: Kerberos on z/OS

The Kerberos registry is integrated into the RACF registry.
Kerberos is integrated using SAF.
The Kerberos KDC (Key Distribution Center) executes within a z/OS address space:
− The authentication server (AS)
  − Authenticates users
  − Grants TGTs
− The Ticket Granting Server (TGS)
  − Generates session keys
  − Grants service tickets based on the TGT

The OS/390 KDC behaves like any other Kerberos "realm".
Kerberos realm-to-realm function is supported.
Kerberos is efficient for a relatively small number of users, individually defined to the security manager, e.g. enterprise employees via an intranet.
Digital certificates support very large numbers of users who are not individually defined to the security manager, e.g. web e-business customers via the Internet.

Page 63: Enterprise Identity Problems

[Diagram: the same person is "Arragon" on the client, "Swordman" on Linux and "Warrior" on z/OS]

Users can have different identities at each tier and even within a tier.

Page 64: The problem is…

Many userids may represent one enterprise user:
− Operating systems with different registries
− Application-specific user identification schemes
  − USERID/password vs digital certificate
− Distributed technologies for user identification
  − Different registries
    • RACF vs LDAP vs Kerberos
− System/application-specific authorization mechanisms

Managing the enterprise user: creating / changing / deleting.

Page 65: New EIM Support

New eServer cross-platform initiative:
− Infrastructure component
− New services and API (C/C++)
− LDAP extensions
− Allows development of servers and administrative applications to transform user IDs as work flows across systems, and to administer multi-system, cross-platform ID mappings

EIM provides a foundation to solve the enterprise user problems.

RACF support in z/OS R4: new EIM segment,

Page 66: Restricted Utilities

Restricted utilities are programs that have the capability of bypassing normal security controls, like:
− Backup/recovery tools: ADRDSSU, FDR
− Zappers: AMASPZAP, IMASPZAP, IRRUT300
− Initialization routines: IEHINITT, tape INIT utilities

Page 67: z/OS Access Control - Concept

[Diagram: in the user address space, the ACEE built by RACF carries the userid, group ID and defaults; a program's access to data goes through z/OS and SAF to RACF, which consults the RACF database]

Page 68: Same Idea for USS

[Diagram: in the user address space, the shell runs a shell script or utility, command or application; USS kernel calls in the kernel address space go to RACF, which consults the user and group profiles in the RACF database and builds the ACEE and USP]

Page 69

z/OS Unix System Services

• UNIX environment is integrated into z/OS
• Hybrid security mechanisms
  − UNIX UIDs and GIDs used as well as file permissions
  − Users and groups defined in RACF, not in /etc/security/passwd
  − UNIX API calls like getpwnam() or __passwd() are implemented
• Security services are performed by RACF
• UNIX security strengthened by RACF functions
  − SMF used for logging
  − Control of superuser functionality
  − Control of security context switching
• Applications can use UNIX and MVS functions

Page 70

USS HFS FSP

• Files in the Hierarchical File System are not protected with RACF profiles
• RACF classes for UNIX System Services resources exist, but are only used for global auditing options
• File Security Packet (FSP) contains permission bits
  − FSP for each file exists in directory (as in other UNIX systems, where FSP is in the inode)
• Access to file is not sufficient; user also needs access to directories from root down
• When a file is created, FSP is created; UMASK determines permission bits in new FSP
• FSP concept lacks flexibility; Access Control Lists (ACLs) will be implemented in the future

Page 71

Superusers

• In UNIX systems, superuser can access any file and switch to any other user's identity
• In z/OS USS, superuser can access any USS file, but:
  − Superuser cannot switch into other user's identity without knowing user's password or SURROGAT authorization
  − Functions such as setting extended attributes require access to FACILITY class profile, not superuser
• Users with access to BPX.SUPERUSER can switch into superuser mode
  − Administrators and system programmers do not use UID=0 unless needed
  − Improved accountability
  − Supported by SMP/E since OS/390 V2R7

Page 72

USS Security >> Unix Security

• No /passwd file
  − RACF is used for user authentication
  − Benefit: /passwd file-based hacker attacks won't work
• Superuser
  − UNIX superusers (uid=0) have complete authority over UNIX systems; in z/OS their use is minimized and controlled
  − RACF controls users' ability to enter superuser state
  − A user can be given a subset of superuser privileges
  − Superuser privileges apply only to USS resources
  − Superuser privileges do not bypass access checks for non-USS resources (e.g., z/OS datasets)
  − Benefit:
    • No need to distribute root userid and password to multiple people
    • Finer granularity in granting of user capabilities
    • Superuser cannot bypass security for "traditional" z/OS resources

Page 73

More USS Security Advantages

• Associates a user identity with all processes and activities
• Requires user authentication for all commands, including TCP/IP commands
  − No trusted hosts (hosts.equiv) or trusted remote hosts (.rhosts) support
    • No rlogin without authentication
  − No remote execution /etc/rexecd file
    • No command execution without authentication
  − Benefit: provides superior auditing/logging/accountability
• RACF provides extensive controls on what is audited
  − Benefit: better intrusion detection
• Control of server code authenticity
  − Servers can be required to load only protected programs from HFS or from program-controlled MVS load libraries
  − Benefit: reduced ability to create trojan-horse servers

Page 74

USS and RACF

• 'Protected' userids for started procedures and daemons
  − No logon, no SU, no revoked userid from password guessing
• 'Restricted' userids for 'guest' users
  − Access authorities must be explicitly granted to user or group
  − No 'default' access authority surprises
• A userid can be both restricted and protected

Page 75

zSeries "Security" Architecture

• Hardware storage isolation: helps protect programs from each other
  − Storage protect keys
  − Address spaces
  − Data spaces
• Program execution states: helps protect operating system from unauthorized program actions
• Hardware Logical Partitions (LPAR): allows multiple operating system images within one processor box
  − A complete, isolated operating system image space

Page 76

RACF the Security Server

RACF is used for the basic identification, authentication, access and audit control functions. It is more than that, but hold on for a bit…

With RACF you can do at least the following:
• Local or remote security administration
• User identification and authentication
• Resource authorization checking and system access control
• Audit reports and integrity reports
• Violation reporting

Page 77

RACF has changed brand names

It confuses me what is what…
• It started out as RACF
• Went to OS/390 Security Server
• Then morphed to SecureWay Security Server for OS/390
• Now it might be SecureWay Security Server for z/OS (RACF)
• To me it is RACF…

Page 78

RACF User Identification & Authentication for USS

• z/OS UNIX user identification
  − RACF user profile with OMVS segment
  − RACF group profile with OMVS segment
  − No /etc/passwd file
• User authentication
  − RACF password
  − RACF PassTicket
• z/OS UNIX logon
  − TSO
  − rlogin, telnet

[Diagram: RACF user profile with its OMVS segment holding UID, HOME and PROGRAM]

Page 79

From Resource Managers to RACF and back for USS

[Diagram: shell commands, z/OS UNIX applications and z/OS UNIX utilities call the kernel; the kernel calls RACF through SAF and the RACF callable services, passing UID/GID/userid, type of access and the security packet; RACF returns the decision and writes SMF records]

Page 80

RACF Control of Superuser Functions

• Better security through RACF control instead of superuser authority
  − BPX.FILEATTR.*
• Less need for superuser authority through RACF control
  − Class UNIXPRIV
• Improved accountability by switching into superuser mode only when needed
  − BPX.SUPERUSER, also used by SMP/E

Page 81

RACF Control of User Identity Changes

• BPX.DAEMON
  − Ability to validate and assume RACF identities
  − Daemon programs can only change identity if authorized
• BPX.SERVER
  − Surrogate assignment for POSIX threads
  − Daemons can create threads with surrogate userids if authorized:
    • UPDATE: client needs access authority to MVS resources
    • READ: client and server both need access authority

Page 82

Protection of Daemons Against Modification and Misuse

• Daemon programs typically run with UID 0 (superuser)
  − Switch userids (UIDs) or authenticate user identities
  − Open TCP/IP ports below 1024
  − Invoke system commands or functions
• If code can be modified or modules can be replaced, daemons can be misused
• Modules are loaded from MVS search order (STEPLIB, LPA, LNKLSTxx, ...) if sticky bit is set in HFS executable
• Critical functions can only be performed if program environment is controlled:
  − Modules loaded from library defined with RACF Program Control
  − Modules loaded from HFS files with PROGCTL attribute set

Page 83

More Secure than UNIX - USS

• BPX.DAEMON - restricts the use of sensitive services
• BPX.DEBUG - allows debugging of authorized programs
• BPX.FILEATTR.APF - controls marking files authorized
• BPX.FILEATTR.PROGCTL - controls marking files program controlled
• BPX.SERVER - restricts the use of sensitive services
• BPX.SMF - allows the writing of SMF records
• BPX.STOR.SWAP - controls making address spaces non-swappable
• BPX.WLMSERVER - controls access to WLM interface
• BPX.SAFFASTPATH - improves performance but prevents auditing of successful events

Page 84

UNIXPRIV Resource Names

Resource Name        Privilege                                                   Access Req'd
SUPERUSER.FILESYS    Read any HFS file; read and search any HFS directory        READ
SUPERUSER.FILESYS    Write any HFS file; also privileges of READ access          UPDATE
SUPERUSER.FILESYS    Write any HFS directory; also privileges of UPDATE access   CONTROL
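The FSP rules from the USS HFS FSP slide (permission bits checked on every directory from root down, UMASK applied to new files) and the SUPERUSER.FILESYS table above combine into one access decision. The following Python model is an added example, not IBM or RACF code; the sample tree, the users, the profile contents and the assumption that each path component is checked against the FSP bits or the user's SUPERUSER.FILESYS access level are constructed for illustration.

```python
"""Simplified model of the z/OS UNIX file access decision from these slides.

Added example, not IBM or RACF code.  Two sources of authority are modelled:
  * the File Security Packet (FSP) permission bits of the file and of every
    directory on the path from root down (search access is needed on each), and
  * the UNIXPRIV profile SUPERUSER.FILESYS, whose access levels nest:
    READ (read files, read/search directories) < UPDATE (also write files)
    < CONTROL (also write directories).
The sample tree, users and profile contents below are constructed.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1                  # POSIX permission bits: read, write, execute/search
FILESYS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}


@dataclass(frozen=True)
class FSP:
    """File Security Packet: owning UID and GID plus the mode bits."""
    uid: int
    gid: int
    mode: int                      # e.g. 0o750
    is_dir: bool = False


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset
    filesys_access: str = "NONE"   # access held on UNIXPRIV SUPERUSER.FILESYS (assumed)


def fsp_permits(fsp: FSP, user: User, want: int) -> bool:
    """Ordinary permission-bit check.  UID 0 is superuser for USS files."""
    if user.uid == 0:
        return True
    if user.uid == fsp.uid:
        bits = (fsp.mode >> 6) & 7
    elif fsp.gid in user.gids:
        bits = (fsp.mode >> 3) & 7
    else:
        bits = fsp.mode & 7
    return bits & want == want


def unixpriv_permits(fsp: FSP, user: User, want: int) -> bool:
    """SUPERUSER.FILESYS check following the slide's table."""
    if want & W:
        needed = "CONTROL" if fsp.is_dir else "UPDATE"
    elif fsp.is_dir or not want & X:
        needed = "READ"            # read a file, or read/search a directory
    else:
        return False               # executing a file is not covered by the table
    return FILESYS_LEVELS[user.filesys_access] >= FILESYS_LEVELS[needed]


def access_allowed(tree: dict, user: User, path: str, want: int) -> bool:
    """Decide access to `path`.  Search (X) access is required on every
    directory from root down, then `want` on the final object; each step
    passes if either the FSP bits or the UNIXPRIV privilege allows it."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts) - 1)]
    for d in dirs:
        if not (fsp_permits(tree[d], user, X) or unixpriv_permits(tree[d], user, X)):
            return False
    target = tree[path if parts else "/"]
    return fsp_permits(target, user, want) or unixpriv_permits(target, user, want)


def new_fsp_mode(umask: int, requested: int = 0o666) -> int:
    """Mode bits placed in the FSP of a newly created file: the mode the
    creating program asks for, with the UMASK bits cleared."""
    return requested & ~umask & 0o777


# Constructed sample tree: /u/payroll is searchable only by its owner and group 20.
SAMPLE_TREE = {
    "/": FSP(uid=0, gid=0, mode=0o755, is_dir=True),
    "/u": FSP(uid=0, gid=0, mode=0o755, is_dir=True),
    "/u/payroll": FSP(uid=100, gid=20, mode=0o750, is_dir=True),
    "/u/payroll/rates.txt": FSP(uid=100, gid=20, mode=0o640),
}
OWNER = User(uid=100, gids=frozenset({20}))
COWORKER = User(uid=101, gids=frozenset({20}))
OUTSIDER = User(uid=102, gids=frozenset({30}))
AUDITOR = User(uid=103, gids=frozenset({30}), filesys_access="READ")

if __name__ == "__main__":
    for who, user in [("owner", OWNER), ("coworker", COWORKER),
                      ("outsider", OUTSIDER), ("auditor", AUDITOR)]:
        r = access_allowed(SAMPLE_TREE, user, "/u/payroll/rates.txt", R)
        w = access_allowed(SAMPLE_TREE, user, "/u/payroll/rates.txt", W)
        print(f"{who:9s} read={r} write={w}")
    print(f"umask 022 -> new file mode {new_fsp_mode(0o022):o}")
```

The auditor case is the point of the UNIXPRIV table: READ on SUPERUSER.FILESYS lets an identity read a file it has no bits for, and search a directory that blocks it, but still does not grant write.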

Page 85

UNIXPRIV for Mount and Quiesce

• Mount and quiesce file systems
  − SUPERUSER.FILESYS.MOUNT
    • READ: mount or unmount file system with nosetuid attribute
    • UPDATE: mount or unmount file system with setuid attribute
  − SUPERUSER.FILESYS.QUIESCE
    • READ: quiesce or unquiesce a file system mounted with nosetuid
    • UPDATE: quiesce or unquiesce a file system mounted with setuid

Page 86

UNIXPRIV for other file actions

• SUPERUSER.FILESYS.CHOWN
  − READ: use chown to change owner of any file
• SUPERUSER.FILESYS.PFSCTL
  − READ: allows use of the pfsctl() service
• SUPERUSER.FILESYS.VREGISTER
  − READ: allows use of vreg() service to register as a VFS file server

Page 87

Program Controlled Environment

[Diagram: a web server address space whose TCB runs the web server daemon loaded from a RACF program-controlled (execute-controlled) library; an uncontrolled program loaded into the same environment is marked with "?"]

Page 88

Process & Thread Security

• Platforms such as UNIX and Windows NT can assign different user identities to processes
  − Threads within a process all run under the same user identity
  − To change the identity, a child process must be forked
  − Process creation and deletion requires considerable overhead
• z/OS can assign different user identities (userids) to processes and threads
  − Processes are address spaces
  − Medium- and heavyweight threads run with their own TCB (Task Control Block)
  − Overhead for thread creation is much lower than for process creation
  − User identities can be assigned at the task (thread) level
  − Access control is performed against the thread-level userid

Page 89

Web Serving Security

• On other platforms, web server runs under a userid, e.g. "Nobody"
  − This user needs access to all files served to users
  − User authentication against password file
  − Access control against mask (userid, IP address)
  − Access control through web server configuration file
• On z/OS, web server uses surrogate userids
  − User authentication in RACF
  − Access control against surrogate or client userid
  − Access control rules can be much more fine-grained
  − Errors in web server configuration file can be caught if file system is properly set up
• Use z/OS if user-based access control is needed

Page 90

z/OS Web Server Protection Directives

    Protection itso_only {
      Authtype    Basic
      ServerID    ITSO_SERVER
      PasswdFile  %%SAF%%
      Mask        All
    }
    Protect /itsodata/* itso_only %%CLIENT%%

• ServerID: unique identifier for the server
• Authtype Basic is the only valid value; indicates to encode (but not encrypt) passwords
• PasswdFile: name of password file for authentication of client; %%SAF%% indicates to use RACF
• Mask All: server accepts only valid, authenticated userids defined in the password file (RACF)
• %%CLIENT%% on the Protect directive: server does SetUID to the client's ID before serving the request
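To make the directive semantics described on this slide and on the following certificate slide concrete, here is an added Python evaluator (not IBM HTTP Server code) that parses a Protection/Protect fragment and reports, for one request, whether the server would challenge for RACF credentials, serve under the client's own userid (%%CLIENT%%) or serve under a surrogate. First-match-wins rule ordering, the surrogate name WEBSURR and the request parameters are assumptions made for the example.

```python
"""Evaluator for the web server Protection / Protect directives on these slides.

Added example, not IBM HTTP Server code.  It parses a directive fragment,
finds the first Protect rule whose template matches a request path and
reports the outcome:
  ("open", None)        no rule covers the path
  ("challenge", None)   authentication still required (Mask All against RACF,
                        or UserID %%CERTIF%% with no certificate mapped by RACF)
  ("serve", userid)     serve under the client's RACF userid (%%CLIENT%%) or
                        under the surrogate userid named in the Protect rule
First-match-wins ordering and the request parameters are assumptions.
"""
import fnmatch
import re


def parse_directives(text):
    """Return (setups, rules): setups maps a Protection name to its keyword
    values; rules is a list of (template, setup name, server userid)."""
    setups, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is not None:                     # inside a Protection block
            body, closed = (line[:-1].strip(), True) if line.endswith("}") else (line, False)
            if body:
                key, _, value = body.partition(" ")
                setups[current][key] = value.strip()
            if closed:
                current = None
            continue
        m = re.match(r"Protection\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            setups[current] = {}
            continue
        m = re.match(r"Protect\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            rules.append(m.groups())
    return setups, rules


def decide(text, path, client_userid=None, authenticated=False, cert_userid=None):
    """Apply the directives to one request.  `authenticated` means the client
    presented a userid/password that RACF accepted; `cert_userid` is the
    userid RACF associated with the client certificate, if any."""
    setups, rules = parse_directives(text)
    for template, setup_name, server_id in rules:
        if not fnmatch.fnmatchcase(path, template):
            continue
        setup = setups[setup_name]
        if setup.get("PasswdFile") != "%%SAF%%":
            raise ValueError(f"{setup_name}: only %%SAF%% (RACF) authentication is modelled")
        client = client_userid
        if setup.get("UserID") == "%%CERTIF%%":
            if cert_userid is None:
                return ("challenge", None)          # RACF has no userid for this certificate
            client = cert_userid
        if setup.get("Mask") == "All" and not authenticated:
            return ("challenge", None)              # Mask All: only authenticated RACF users
        if server_id == "%%CLIENT%%" and client is None:
            return ("challenge", None)              # no client identity to SetUID to
        return ("serve", client if server_id == "%%CLIENT%%" else server_id)
    return ("open", None)


# Constructed sample: the two protection setups shown on the slides plus one
# Protect rule each; WEBSURR is a hypothetical surrogate userid.
SAMPLE_CONFIG = """
Protection itso_only {
  Authtype   Basic
  ServerID   ITSO_SERVER
  PasswdFile %%SAF%%
  Mask       All
}
Protection confidential {
  Authtype   Basic
  ServerID   Conf_Server
  PasswdFile %%SAF%%
  UserID     %%CERTIF%%
  Mask       Anybody
}
Protect /itsodata/*      itso_only     %%CLIENT%%
Protect /confidential/*  confidential  WEBSURR
"""

if __name__ == "__main__":
    print(decide(SAMPLE_CONFIG, "/itsodata/q1.txt", "USER01"))                      # challenge
    print(decide(SAMPLE_CONFIG, "/itsodata/q1.txt", "USER01", authenticated=True))  # serve as USER01
    print(decide(SAMPLE_CONFIG, "/confidential/plan", cert_userid="CERTUSR"))      # serve as WEBSURR
    print(decide(SAMPLE_CONFIG, "/public/index.html"))                              # open
```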

Page 91

RACF Certificate Support

Protection directive using certificate verification:

    SSLClientAuth On
    ......
    Protection confidential {
      Authtype    Basic
      ServerID    Conf_Server
      PasswdFile  %%SAF%%
      UserID      %%CERTIF%%
      Mask        Anybody
    }

• SSLClientAuth On: enables client authentication for all SSL sessions
• PasswdFile: name of password file for authentication of client; %%SAF%% indicates to use RACF
• UserID %%CERTIF%%: tells the web server to ask RACF for the userid associated with the client certificate
• If "Mask All" is used, the user is prompted for userid/password additionally

Page 92

Web Server Extensions for RACF

• Web server for z/OS allows the use of SAF authentication in place of the password file
  − Specify %%SAF%% as password file
  − Access to files (HFS and MVS) under normal RACF control
  − Subsequent functions under control also (CGI, ICAPI, GWAPI)
• Authority can be based on client userid
  − Can specify a surrogate userid
  − Surrogate IDs can have limited access
  − Can be less administrative overhead for large numbers of users
• All userids (surrogate or client) need a valid UID
  − Individual OMVS segment or default UID/GID
• More effective access control within an enterprise

Page 93

z/OS Security – Some basics

• Superior hardware and system integrity
• User identification and authentication through RACF
• RACF control of superuser functions
• RACF control of user identity changes
• Daemon protection against modification and misuse
• Thread-level security environment

Page 94

Hardware and System Integrity

• zArchitecture LPAR function provides B2-level (ITSEC-E4) isolation between system images
• zArchitecture supervisor/program states and storage keys isolate the Trusted Computing Base from applications
• Tight control of Authorized Program Facility (APF)
• Link Pack Area (LPA) is write protected even from privileged programs
• Address spaces are isolated from each other
• Fetch-protected storage can only be read by programs with the same storage key
• Formal commitment to system integrity since 1973, "Statement of System Integrity" since 1981

Page 95

Workload Isolation

[Diagram: an IBM z990 server with two LPARs; LPAR A (production) runs CICS, DB2, IMS and RACF and is attached to the corporate network (intranet?); LPAR B (isolated, secure) runs IBM HTTP Server for z/OS and RACF and faces the Internet; capacity is increased or decreased dynamically between them]

Page 96

RACF Interface

Page 97

First Security Basics

• Identification: the user identifies themselves to the system; usually done with a userid.
• Authentication: authenticating that you are who you say you are; usually done with a password associated with the userid.
• Authorization: after being identified and authenticated, you are authorized access, or entry, or…
  − Authorization is usually associated with resources, some real, some abstract (the abstraction relates to a resource)
    • A file is real.
    • The user may be part of a group, and the system/application developers can include an authorization check in their code to see if execution can continue.

Page 98

PKI Services on z/OS

What are PKI Services?
• New component of the z/OS Security Server
  − Always enabled but closely tied to RACF
• Complete Certificate Authority (CA) package
  − Full certificate life cycle management
  − User request driven via customizable web pages
    • Browser or server certificates
  − Automatic or administrator approval process
  − Administered using same web interface
    • End user / administrator revocation process
  − Certificate validation service for z/OS applications
• Manual: "z/OS Security Server PKI Services Guide and Reference"
• Available with z/OS 1.3

Page 99

Kerberos on z/OS

• Kerberos registry integrated into the RACF registry
• Kerberos integrated using SAF
• Kerberos KDC (Key Distribution Center) executes within a z/OS address space
  − The authentication server (AS)
    • Authenticates users
    • Grants TGTs
  − The Ticket Granting Server (TGS)
    • Generates session keys
    • Grants service tickets based on TGT
• OS/390 KDC behaves like any other Kerberos "realm"
• Kerberos realm-to-realm function is supported
• Kerberos: efficient for relatively small number of users, individually defined to the security manager, e.g. enterprise employees via intranet
• Digital certificates: support very large numbers of users who are not individually defined to the security manager, e.g. web e-business customers via Internet


Page 112

Enterprise Security Has Become a Key Business Requirement

• 2006 Deloitte Security Survey
• More than 1,100 Department of Commerce laptop computers were lost, stolen or missing in the last 5 years with personal data - CNET 09-22-2006
• ChoicePoint will pay $10M in civil penalties and $5M in consumer redress to settle FTC privacy charges - FTC release 1/26/06
• During the past 12 months companies reported 331 attempted and 39 successful breaches per company - InfoWorld survey 10/20/2006

Page 113

Questions Auditors Might Ask

[Diagram: auditor questions grouped under Platform Infrastructure, Compliance and Audit, Data Privacy and Extended Enterprise, each paired with the product that answers it: RACF, Communications Server, Tivoli Federated Identity Manager, Tivoli Identity Manager, Consul InSight, Consul System z Tools, DB2 Audit Management Expert and tape encryption]

• Do you know if anyone attempted an attack on the mainframe?
• How do you prevent unauthorized access?
• Can your DB2 auditors get at the information they need?
• Are you reporting consistently across the enterprise?
• Do you know if administrators are abusing privileges?
• How do you know that only authorized users are given user accounts?
• How did you protect your Web services applications?
• How do you know your archival customer data is protected?

Page 114

Enterprise Security Needs Many Elements

[Diagram: four quadrants, Platform Infrastructure, Compliance and Audit, Data Privacy and Extended Enterprise, populated with RACF (provides audit, authorization, authentication and access), Communications Server (network intrusion detection, supports VPNs etc.), Common Criteria ratings, support for standards, PKI services, multilevel security, key management, TS1120 tape encryption, crypto cards, System z SMF, Consul InSight, Consul System z Tools, DB2 Audit Management Expert, Tivoli Identity Manager and Tivoli Federated Identity Manager]

Page 115

Common Criteria Certifications Show System z Platform Security Leads the Industry

• z/OS 1.8 is in evaluation at EAL4+
• z/VM 5.1 + RACF at EAL3+

What is Common Criteria?
• Common Criteria is an accepted standard for evaluating the inherent security of a computing system
• Common Criteria is based on a set of functional and assurance requirements
• A higher EAL rating is more secure
• The security requirements in Common Criteria have gained support as "best practices"
• IBM System z holds the highest EAL grades in Common Criteria!

[Diagram: System z with logical partitions (System z LPARs EAL 5) connected by HiperSockets, labelled z/OS 1.8 (under evaluation for EAL 4), z/OS 1.7, System z EAL 4+, z/VM 5.1 EAL3+ hosting Linux guest VMs, Red Hat EL3 EAL 4+ and SUSE LES9 EAL 4+]

Page 116

System z is a hacker's nightmare!

• Allows customers to run multiple workloads on a single image
• Stops viruses and worms from disrupting operations

Security Begins with System z Secure Processing
• Workload isolation
  − Isolation of users in a separate address space
  − Processing integrity with LPAR separation
  − System programs separated from user programs
• Not harmed by malware
  − Viruses cannot be readily introduced
• Communications
  − Internal HiperSocket communications not easily intercepted
• Authorized Program Facility (APF)
  − Executable code can be invoked only by authorized users
  − Cross memory services prevent unauthorized access
• System Integrity Statement
  − IBM accepts responsibility for integrity exposures found by customers

Page 117

RACF* – At the Heart of System z Security

• RACF controls authorization and authentication
  − Identifies and authorizes users
  − Controls access to resources
  − Authenticates users through passwords or (PKI) digital certificates
  − Provides auditing and logging
  − Enables central administration of several systems
• RACF structure is enforced automatically
  − System blocks unauthorized attempts
  − You cannot bypass RACF
• RACF is integrated with System z middleware
  − Transaction monitors, DB2, CICS, IMS, WebSphere

* Resource Access Control Facility

These resources are protected by RACF: DB2, VSAM, IMS, CICS, TSO, disk, tape, print, JES 2 & 3, console, VTAM, SDSF, WebSphere MQ, programs, keys

Integrated security across the platform

Page 118

Authenticate at Low Cost with Digital Certificate Services

Banco do Brasil saves an estimated $16M a year in digital certificate costs by using the digital certificate services offered free with System z

• A digital certificate is an electronic identifier that establishes your credentials on the Web
• Recently digital certificate use has grown to help meet compliance requirements
• z/OS automatically provides support for digital certificate services (PKI)
  − Uses System z cryptographic processor
  − No need for extra infrastructure
  − Processes thousands of certificates at low cost
• The mainframe can serve as a certificate authority - an authority that manages provisioning of digital certificates. This eliminates fees to third parties ($5 - $7 per certificate) for issuing certificates

Page 119

Built-in Security to Defend Against Network Attacks

Intrusion Detection from Communications Server enables detection of network traffic attacks
• Automatic application of defensive mechanisms
  − Evaluates inbound encrypted data for suspect activity
  − Policy controls connection limits, packet discard
  − Detects anomalies in real time
  − Avoids overhead of per-packet evaluation against known attacks
• Scan detection and reporting
  − Can map the target of an attempted attack
• Integrates with Tivoli Security Operations Manager
• Protects against network attacks even for encrypted data

[Diagram: Communications Server stack with application layer, IP layer and data link layer; a traffic filter permits or denies traffic, so network traffic is filtered for extra protection]

Page 120

Securing Applications with AT-TLS

Provide Cryptographic Protection without Changing Application Code
• Application Transparent Transport Layer Security (AT-TLS*) provides cryptographic protection between clients and servers
• Configure encryption via the Communications Server
• Application can also issue AT-TLS calls to receive user identity information based on client certificate
• AT-TLS uses an optimized infrastructure that outperforms native SSL/TLS

* Transport Layer Security (TLS) is based on Secure Socket Layer

[Diagram: applications above sockets, TCP, the IP networking layer and network interfaces; the Policy Agent supplies the policy and System SSL calls are issued so that encryption is performed at the TCP layer]

Page 121

Enterprise Security Needs Many Elements

[Diagram: the same four quadrants, Platform Infrastructure, Compliance and Audit, Data Privacy and Extended Enterprise, now annotated with secured database access (DB2 Audit Management Expert), archive data on TS1120 tape encryption, a tamper-proof process for offline storage (crypto cards), multilevel security, key management, Common Criteria ratings, PKI services, RACF, Communications Server, Consul InSight, Consul System z Tools, System z SMF, Tivoli Identity Manager and Tivoli Federated Identity Manager]

Page 122

The Foundation of Data Privacy is Encryption

• Free - CP Assist for Cryptographic Function (CPACF)
  − Each system processor has hardware assist on the chip for cryptography
  − CPACF provides cryptographic functions for encryption and decryption of data
  − Used for SSL, VPN, and data storing applications
  − Includes DES, T-DES, AES, SHA-1 and SHA-256 hashing
• Priced feature - Crypto Hardware Processor Card, Crypto Express 2
  − High performance, tamper-proof environment for secure key cryptography
  − 6000 Secure Socket Layer handshakes per second
  − Key is encrypted in hardware and never exposed
• Integrated Cryptographic Service Facility (ICSF)
  − Provides APIs for encryption via CPACF or Crypto Express2
  − Routes work to the appropriate crypto processing resource
  − Included in z/OS
  − Used to administer the cryptographic hardware and keys

[Diagram: ICSF routing encrypt/decrypt requests to CPACF or Crypto Express 2]

Page 123

Encryption Protects Data Privacy on the Network

[Diagram: z/OS, router, router, z/OS; traffic encrypted "end to end" with IPSec by the Communications Server on each z/OS system]

End to end network encryption is needed to meet Payment Card Industry requirements

System z Communications Server encrypts network data end-to-end

Supports the IPSec protocol for virtual private networks across the internet

Announced support for use of the zIIP specialty engine for IPSec traffic

New support for encrypting data on the mainframe before sending it to printers

IPSec support installed in new printers

LAN printers can now print confidential material on secured printers

Router based encryption is not enough; it may expose data in the clear

Page 124

[Diagram: data is in the clear only inside the application, where it is encrypted by column or row; data in the channel, in DB2 buffer pools on z/OS, and on disk, dump or archived files is encrypted]

DB2 Encryption Protects Data Privacy in the Database

Encrypted by DB2:

Table and index encryption

Image copies encrypted

Logs/archives encrypted

Data encrypted in buffers

Data sent by DRDA encrypted

Data not exposed!

DB2 uses encryption to protect the data:

Column level encryption

− Enabled by the application

Row level encryption

− IBM Encryption Tool for DB2

− Optional feature

Page 125

High performance tape encryption

Standard feature on all new TS1120 Tape Drives

Cost effectively encrypt all tape data

Offload host processing encryption overhead

Minimize impact to existing processes and applications

Leverages System z Key management so you won't lose the key

1. Load tape cartridge, provide Key Labels

2. Tape drive requests key

3. Encryption Key Manager generates a key and encrypts it

4. Encrypted keys transmitted to tape drive

5. Tape drive writes encrypted data. Stores encrypted key on cartridge

Storage Based

Optional Ability to Automatically Encrypt All Data on Tape
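The five-step key flow above, as an added simulation that is not IBM code: the key manager holds key-encrypting keys addressed by key label, the drive receives a clear data key to encrypt with, and only the wrapped data key is stored on the cartridge, so a cartridge read by a drive whose key manager lacks the label (or holds a different key under it) cannot be decrypted. The label name and payload are constructed, and an HMAC-SHA256 counter construction stands in for the drive's AES.

```python
"""Tape encryption key flow (steps 1-5), simulated. Added example, not IBM code."""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; stand-in for the AES the real drive uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key is reported, not silently garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptionKeyManager:
    """Steps 3 and 4: generate a data key and hand it back wrapped under the labelled KEK."""

    def __init__(self):
        self._keks = {}  # label -> key-encrypting key (in practice held in ICSF / a crypto card)

    def create_label(self, label: str) -> None:
        self._keks[label] = secrets.token_bytes(32)

    def serve_key(self, label: str):
        kek = self._keks[label]  # KeyError: this key manager does not hold the label
        data_key = secrets.token_bytes(32)
        return data_key, seal(kek, data_key)

    def unwrap(self, label: str, wrapped: bytes) -> bytes:
        return unseal(self._keks[label], wrapped)


class TapeDrive:
    def __init__(self, ekm: EncryptionKeyManager):
        self.ekm = ekm

    def write(self, label: str, data: bytes) -> dict:
        """Steps 1, 2 and 5: the cartridge carries only the label, the wrapped key and ciphertext."""
        data_key, wrapped = self.ekm.serve_key(label)
        return {"label": label, "wrapped_key": wrapped, "data": seal(data_key, data)}

    def read(self, cartridge: dict) -> bytes:
        data_key = self.ekm.unwrap(cartridge["label"], cartridge["wrapped_key"])
        return unseal(data_key, cartridge["data"])


def demo() -> dict:
    """Round trip, then the two failure modes a reader without the right KEK hits."""
    ekm = EncryptionKeyManager()
    ekm.create_label("PAYROLL.TAPE.KEY")  # constructed key label
    drive = TapeDrive(ekm)
    plaintext = b"constructed confidential payroll extract"
    cartridge = drive.write("PAYROLL.TAPE.KEY", plaintext)

    foreign = EncryptionKeyManager()  # does not know the label at all
    try:
        TapeDrive(foreign).read(cartridge)
        foreign_result = "read succeeded"
    except KeyError:
        foreign_result = "no KEK for label"

    foreign.create_label("PAYROLL.TAPE.KEY")  # same label name, different KEK
    try:
        TapeDrive(foreign).read(cartridge)
        wrong_kek_result = "read succeeded"
    except ValueError:
        wrong_kek_result = "unwrap failed"

    return {
        "roundtrip_ok": drive.read(cartridge) == plaintext,
        "plaintext_on_cartridge": plaintext in cartridge["data"],
        "foreign_ekm": foreign_result,
        "wrong_kek": wrong_kek_result,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is that the cartridge is useless without the key manager: the wrapped key on the cartridge is the only copy travelling with the data, which is also why the slides stress key management ("so you won't lose the key").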

Page 126

Encryption Facility Makes Encryption Accessible to Business Partners

DFSMSdss Encryption (feature):

Encryption and compression of dump data sets

Offers decryption and decompression during restore

Leverages System z key management, cryptography and compression

Encryption Services (feature):

For encryption and decryption of files

Uses public/private key pairs or passwords

Leverages System z key management, cryptography and compression

Now enhanced to support the OpenPGP standard

Encryption Facility Client (web download):

Use Encryption Facility for z/OS, or on non-z/OS platforms use the Encryption Facility Client (Java code)

[Diagram: IBM Encryption Facility for z/OS comprises Encryption Services, DFSMSdss Encryption and the Encryption Facility Client]

Page 127

Keep Your Key Safe with System z Key Management

Encryption Key Manager (EKM): Java program that transparently generates, serves, stores, and maintains encryption keys

Helps protect and manage keys

Generates and serves keys to tape drives

Utilizes tamper-resistant crypto cards to store "secure keys"

Obtains the required keys from key stores including Integrated Cryptographic Service Facility (ICSF)

Provides a single point of control

Simplified recovery of keys

Auditable through RACF

Over a decade of proven production use

Available at no additional charge

Enables you to share tapes with business partners

Page 128

With DB2 Multi Level Security, data can be consolidated onto a single database, restricting access to only authorized users. A single image of data is sharable by multiple enterprise departments with different levels of "need to know".

Security Classification   Revenue   Area       Loss
Executive                     234   USA          3%
Finance Secret                198   Ohio        13%
Executive                       2   Maine       29%
Finance Confidential          234   USA         11%
Finance Secured                87   Texas       14%
Finance Secured                23   New York    20%
Audit Confidential            223   USA         10%
Finance Secured                45   Canada      29%

Users shown accessing the table: Executive Risk Analyst, Bank analyst, Internal auditor

DB2 Multi Level Security

Goals of Compartmentalized Data:

Same database used by organizations with a different need to know

Prevent unauthorized individuals from accessing information at a higher classification than authorized

Prevent unauthorized declassification of information

DB2 Multi Level Security restricts row level access to those with appropriate security clearance

Mix low and high security data in the same database
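The row-level filtering described on this slide, as an added example (not DB2 code and not from the deck): each row carries a security label made of a hierarchical level plus a set of compartments, a subject may read a row only if its clearance dominates the row's label (no read up), and a subject may relabel a row only to a label that still dominates its own clearance (no write down), which is what blocks unauthorized declassification. The level ordering, compartments, clearances and rows are constructed, loosely following the slide's table and its three personas.

```python
"""Row-level multilevel security filter. Added example, not IBM or DB2 code."""
from dataclasses import dataclass

# Hierarchical levels, low to high (constructed ordering for this example).
LEVELS = {"UNCLASSIFIED": 0, "SECURED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class SecLabel:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "SecLabel") -> bool:
        """Level at least as high AND every compartment of `other` is held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def label(level: str, *compartments: str) -> SecLabel:
    return SecLabel(level, frozenset(compartments))


@dataclass(frozen=True)
class Row:
    label: SecLabel
    revenue: int
    area: str
    loss: str


# Constructed rows, loosely following the slide's example table.
ROWS = [
    Row(label("SECRET", "FINANCE"), 198, "Ohio", "13%"),
    Row(label("CONFIDENTIAL", "FINANCE"), 234, "USA", "11%"),
    Row(label("SECURED", "FINANCE"), 87, "Texas", "14%"),
    Row(label("SECURED", "FINANCE"), 23, "New York", "20%"),
    Row(label("CONFIDENTIAL", "AUDIT"), 223, "USA", "10%"),
    Row(label("SECURED", "FINANCE"), 45, "Canada", "29%"),
]

# Constructed clearances for the three personas on the slide.
SUBJECTS = {
    "Bank analyst": label("SECURED", "FINANCE"),
    "Internal auditor": label("CONFIDENTIAL", "AUDIT", "FINANCE"),
    "Executive Risk Analyst": label("SECRET", "FINANCE", "AUDIT"),
}


def readable_rows(clearance: SecLabel, rows=ROWS):
    """One shared table, filtered per subject: only rows the clearance dominates (no read up)."""
    return [r for r in rows if clearance.dominates(r.label)]


def can_relabel(clearance: SecLabel, current: SecLabel, target: SecLabel) -> bool:
    """Relabel only rows the subject can read, and only to a label that dominates the
    subject's clearance (no write down), so data never drops below the subject's level."""
    return clearance.dominates(current) and target.dominates(clearance)


def access_report(rows=ROWS) -> dict:
    """Total revenue visible to each persona; handy for checking the filter against expectations."""
    return {name: sum(r.revenue for r in readable_rows(clr, rows))
            for name, clr in SUBJECTS.items()}


if __name__ == "__main__":
    for name, total in access_report().items():
        visible = readable_rows(SUBJECTS[name])
        print(f"{name:24} sees {len(visible)} rows, revenue {total}")
```

The internal auditor sees both compartments at CONFIDENTIAL and below but not the SECRET finance row; the executive, whose label dominates every row, still cannot relabel that row down to SECURED, which is the declassification the slide says MLS prevents.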

Page 129

Enterprise Security Needs Many Elements

[Diagram repeated, with the Compliance and Audit elements highlighted: compliance reporting, audit monitoring and reporting, comprehensive logging, eliminate the manual auditing process; elements shown: Multilevel security, Key management, TS1120, Tape encryption, Common Criteria Ratings, PKI services, RACF, Communications Server, DB2 Audit Management Expert, Tivoli Identity Manager, Tivoli Federated Identity Mgr, Crypto Cards, Consul InSight, Consul System z Tools, System z SMF; groups: Compliance and Audit, Data Privacy, Extended Enterprise, Platform Infrastructure]

Page 130

Evolving Regulations Point to the Need for More Automated Compliance Reporting

Basel II HIPAA Sarbanes-Oxley Gramm Leach-Bliley AML - Patriot Act

[Chart: Regulatory Impact, rating the need for Secured Data, Secured Storage Management, Encrypted Data, Workflow, Risk Assessment and Reporting; source: IBM Service Management Market Needs Study, March 2006]

Page 131

System z SMF provides comprehensive logging across the sysplex

Consistent record formats help simplify compliance needs

Audit records report access to protected resources

New log continuity checking from Consul validates that logs have been maintained

Consul uses system event log records from multiple sources, including System z

Can examine activities of a specific user

With distributed systems, customers typically have to manually piece together logs

The Foundation of Audit and Compliance is Comprehensive Logging

Page 132

Consul InSight Strengthens the Compliance Process

Detects security violations

Captures security audit data from multiple systems

Correlates data to identify audit risks: who, what, on what, where, when, from where, to where

Analysis engine for deep analysis of collected data

Determine who was the last person to touch a particular file

Flexible reporting related to specific compliance issues

Checks for log continuity ensure that log collection is carried out
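The three operations described on this slide and the previous one (correlating events by who, what, on what, where, when, from where and to where; finding who last touched a resource across systems; and checking log continuity) as an added example, not IBM or Consul code. The record layout is constructed (pipe-separated fields, not a real SMF record type), as are the sample records from two systems.

```python
"""Audit records normalized to the seven W's, with last-toucher and continuity checks.
Added example, not IBM or Consul code; record format and samples are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records from two systems, SYSA and SYSB.
# Fields: seq|time|source|user|action|resource|from|to|outcome
SAMPLE_LOG = """\
1|2006-03-01T08:00:00|SYSA|ALICE|READ|PAYROLL.DATA|10.1.1.5|SYSA|SUCCESS
2|2006-03-01T08:05:00|SYSA|BOB|UPDATE|PAYROLL.DATA|10.1.1.7|SYSA|SUCCESS
3|2006-03-01T08:06:00|SYSA|EVE|READ|PAYROLL.DATA|10.9.9.9|SYSA|FAIL
5|2006-03-01T08:10:00|SYSA|ALICE|READ|HR.MASTER|10.1.1.5|SYSA|SUCCESS
1|2006-03-01T08:02:00|SYSB|CAROL|UPDATE|PAYROLL.DATA|10.1.2.3|SYSB|SUCCESS
2|2006-03-01T08:07:00|SYSB|EVE|DELETE|HR.MASTER|10.9.9.9|SYSB|FAIL
"""

# The seven W's; "where" is the system that produced the record.
FIELDS = ("seq", "when", "where", "who", "what", "on_what", "from_where", "to_where", "outcome")


def parse(text: str) -> list:
    """Turn each line into a dict keyed by the W7 field names; malformed lines are an error."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["seq"] = int(rec["seq"])
        rec["when"] = datetime.fromisoformat(rec["when"])
        records.append(rec)
    return records


def last_touched(records, resource: str):
    """Who most recently accessed `resource` successfully, merging all sources by time."""
    hits = [r for r in records if r["on_what"] == resource and r["outcome"] == "SUCCESS"]
    if not hits:
        return None
    latest = max(hits, key=lambda r: r["when"])
    return latest["who"], latest["what"], latest["where"]


def violations(records) -> dict:
    """Failed accesses grouped by user: what they tried, on what, and from where."""
    by_user = defaultdict(list)
    for r in records:
        if r["outcome"] != "SUCCESS":
            by_user[r["who"]].append((r["what"], r["on_what"], r["from_where"]))
    return dict(by_user)


def continuity_gaps(records) -> list:
    """Missing sequence numbers per source; a gap means records were lost or withheld."""
    seqs = defaultdict(set)
    for r in records:
        seqs[r["where"]].add(r["seq"])
    gaps = []
    for source, seen in seqs.items():
        for n in range(min(seen), max(seen) + 1):
            if n not in seen:
                gaps.append((source, n))
    return gaps


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("last touched PAYROLL.DATA:", last_touched(recs, "PAYROLL.DATA"))
    print("violations:", violations(recs))
    print("continuity gaps:", continuity_gaps(recs))
```

Merging both systems before taking the maximum timestamp is the point of the last-toucher query: looking at SYSB alone would name CAROL, but BOB's later update on SYSA is the answer, and the gap at SYSA sequence 4 is exactly what a continuity check has to surface before the audit trail is trusted.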

Page 133

Consul’s InSight Suite Helps Address Regulatory Challenges

demo

Helps accelerate clients’ policy and regulatory compliance initiatives

Supports RACF records and other input sources

Provides customized reports to assist with regulatory compliance

Uses patent pending “W7” methodology for detailed analysis

Page 134

Enterprise Security Needs Many Elements

[Diagram repeated, with the Extended Enterprise elements highlighted: provisioning of users & workflow (Tivoli Identity Manager), authentication (Tivoli Federated Identity Mgr); elements shown: Multilevel security, Key management, TS1120, Tape encryption, Common Criteria Ratings, PKI services, RACF, Communications Server, DB2 Audit Management Expert, Crypto Cards, Consul InSight, Consul System z Tools, System z SMF; groups: Compliance and Audit, Data Privacy, Extended Enterprise, Platform Infrastructure]

Page 135

Provision Users with Tivoli Identity Manager for z/OS

75-80% of help desk calls are for password reset or other trivial items

Tivoli Identity Manager can eliminate this problem

Provides self service password management

Can provision user accounts for your entire enterprise

Provides workflow for automating approval processes

Searches for out-of-policy changes

Provides email notification of changes

Page 136

Propagates the identity of the original requester in a web services environment

Provides single sign-on for web services

Maintains the identity of the original user

Credentials can be propagated from the portal to RACF for end-to-end security

− Uses PassTickets issued by RACF

Enables trusted transactions between business partners

Supports industry standards

− SAML, Liberty, WS-Federation SSO

[Diagram: Portal Server (Portal, Portlet) invoking Web Services on CICS Customer Management, IMS Billing System and SAP Financial Management, with RACF and LDAP; TFIM can provide single sign-on for the Service Oriented Finance Car Loan Solution]

Single Sign-on: Tivoli Federated Identity Manager

Page 137

Authenticating End to End

Transaction is passed through a reverse proxy to authenticate the user

Proxy authenticates to WAS on behalf of the user, passing his/her credentials

In WebSphere, Java invokes a login module that in turn invokes TFIM trust services to obtain a userid and PassTicket

The mainframe userid and password is supplied through CICS TG in this example

Security credentials of one partner are transformed and exchanged with the identity infrastructure of another partner

Also maps distributed user IDs to z/OS RACF user IDs and associated PassTickets

The RACF ID can connect to z/OS resources using individual user identities

[Diagram: Authentication Pattern: Reverse Proxy in the DMZ; WebSphere Application Server (TAI, JAAS, JCA, JMS) as the app server, with TFIM STS; CICS TG; CICS application, DB2 database and RACF on the z/OS enterprise server]

Page 138

Tivoli Directory Integrator Enables Consistent Identity Management

Maintain data consistency across multiple identity repositories to synchronize user information quickly and efficiently

Most customers have multiple directory structures in place – no single version of the truth

Cost-effective synchronization of identity data sources

Links data residing across IBM and non-IBM directories, databases, password stores, and applications

Uses data flows called Assembly Lines to coordinate changes

Automatically detects directory changes and pushes modifications out. Triggers:

− e-mails, database/directory updates, SOAP messages

Uses a browser based administrative interface

Page 139

Summary

System z Security provides:

A secure platform infrastructure

Data privacy

Compliance and audit

Security across the extended enterprise

Page 140

Thanks!

The End