Hot Topics - Messmer The Brain House

More documents

Recommendations

Info

certified digital certificate hosting services (z/OS V1R5 with RACF). Centralized key management on z/OS, with its management, access controls, and auditability, has been used in production for over a decade. Watch this space In the future, IBM intends to offer outboard encryption for devices in the TotalStorage family, and continue leveraging the key management functions provided by ICSF. Of course, we intend to keep extending our key management facilities, too. After all, why would we start over? A little-LDAP’ll-do-ya BY TOM SIRC AND ASHWIN VENKATRAMAN Consider this scenario: A test environment has three WebSphere Application Server for z/OS cells (a logical grouping of servers and nodes); lets call them T1, T2, and T3. All three cells use a Local operating system (OS) user registry, and each has its own user and group structure because different application development teams are testing their own Java 2 Enterprise Edition (J2EE) application security. An issue comes up — we need to figure out how to share a cell between different application development teams without sacrificing security. The security limitation we describe above is that every application running in a cell must share the user registry. Each user that needs access to an application running on the cell needs to be added to the authorization list for the entire WebSphere Application Server space. This creates the burden of managing user security and violates a security practice because users who should not have access to an application are still given the access to connect to WebSpere Application Server because of another application’s needs. Having multiple WebSphere Application Server cells to provide security isolation is usually the way to deal with this problem. 22 February 2006 z/OS HOT TOPICS Newsletter, Issue 14 For more information See the statement of direction in “IBM System z9— the server built to protect and grow with your on demand enterprise,” IBM United States Hardware Announcement 105-241, dated July 27, 2005. We face other problems when developing an application that exploits form-based authentication on the T2 cell. At one point the T2 cell needs to be down but our development deadline can’t slip. And development and testing of our application has to be completed on the T3 cell even though we have a different set of users for that cell. Our first thought is to give the developers of the application access to the T3 cell. This requires multiple user IDs and Enterprise Java Beans authorization role (EJBROLE) access changes in RACF. We also need to remember to undo these changes after the T2 cell back online. To solve this user management issue, we realized that a little-LDAP’ll-doya! We pointed our T3 cell’s user registry to a Lightweight Directory Access Protocol (LDAP) server that already had the user and group structure for the application. We are able to change this setting in a short amount of time because the environment already exists, and the change won’t leave negative side-effects after the cell is switched back to the Local OS user registry. Using an LDAP authentication scheme in a WebSphere Application Server environment is a simpler, more secure way of allowing multiple development teams to use the same WebSphere Application Server cell without having to provide unnecessary privileges in RACF. For this to happen, J2EE application developers need to add the user-to-role mappings to the enterprise archive (EAR) deployment descriptor because the RACF EJBROLE class no longer handles that function. To add the mappings, first understand the user and group structure in the LDAP directory. Only one application development team can use the WebSpere Application Server cell at any one time. If security is a concern in your environment and you can’t run multiple WebSphere Application Server cells, an LDAP user registry is the alternative to consider!
Questions, please… Unlocking the answers to Encryption Facility for z/OS BY PEGGY ENICHEN, RON EDICK, AND MIKE KELLY Have some questions about Encryption Facility for z/OS? Here are some answers. 1 What kinds of encryption keys can I use to encrypt and decrypt data? You can use the following kinds of keys with Encryption Facility for z/OS: • Clear triple-length TDES key (CLRTDES) • Clear 128-bit AES key (CLRAES128) • Secure TDES triple-length key (ENCTDES). The keywords in parentheses are options that you specify in the job control language (JCL) for Encryption Services encrypt/ decrypt programs. Encryption key and key protection options 2 What kind of performance can I expect with the Encryption Facility? It depends. A number of factors determines the performance of Encryption Facility, including the type of processor and cryptographic coprocessor you have, the types of keys you use to encrypt the data, and your installation security policy. 3 Why should I use CLRTDES instead of ENCTDES—or vice versa? Generally, if your installation security policy requires that the data encryption key never appear in the clear in host storage, using the ENCTDES key provides the best security, but it does have a considerable impact on performance. CLRTDES key used with PASSWORD z800 and z900 z890 and z990 z9 109 CLRTDES key used with RSA key pairs z800 and z900 Processor type CCF Cryptographic hardware z890 and z990 z9 109 CLRAES128 key used with PASSWORD z800 and z900 z890 and z990 z9 109 CLRAES128 key used with RSA key pairs z800 and z900 z890 and z990 z9 109 ENCTDES key with RSA key pairs z800 and z900 z890 and z990 z9 109 1. For RSA modulus-exponent form keys with modulus length less than or equal to 1024 bits 2. For RSA Chinese Remainder Theorem keys with modulus length less than or equal to 1024 bits 3. For RSA keys with up to 2048 bit modulus Figure 1 – Cryptographic keys and hardware requirements CCF CPACF CPACF CCF1 PCICC2 In contrast, if you use the CLRTDES or CLRAES128 keys, Encryption Services generates the keys dynamically. Unlike the ENCTDES key, the CLRTDES and CLRAES128 key values can appear in application storage. However, if Encryption Facility is running on a z890, z990, or IBM System z9 109 server, CSDFILEN encrypts the data using the clear TDES key or clear AES key on the CPACF. This method can give you better performance than using the ENCTDES key option. 4 What hardware supports CLRTDES, CLRAES128, or ENCTDES keys for encryption? Figure 1 provides summary information CCF and PCICC with LIC January 2005 or later and z990 and z890 Enhancements to Cryptographic Support web deliverable (ICSF HCR770B) or later 3 PCIXCC or CEX2C CEX2C CCF CPACF CPACF CCF 1 PCICC 2 CCF and PCICC with LIC January 2005 or later and z990 and z890 Enhancements to Cryptographic Support web deliverable (ICSF HCR770B) or later 3 CCF1 PCICC2 CCF and PCICC with LIC January 2005 or later and z990 and z890 Enhancements to Cryptographic Support web deliverable (ICSF HCR770B) or later 3 PCIXCC or CEX2C CEX2C February 2006 z/OS HOT TOPICS Newsletter, Issue 14 23
Page 1 and 2: February 2006 - Issue 14 HOT TOPICS
Page 3 and 4: Contents FEATURED ARTICLES 4 Missio
Page 5 and 6: DFSMSdss . This enables tapes to b
Page 7 and 8: Tivoli Identity Manager IVS DB2 MQ
Page 9 and 10: can determine why a user or group I
Page 11 and 12: e required because some network job
Page 13 and 14: Figure 1- Baby Oz displays page dat
Page 15 and 16: Figure 1- The create subsystem pane
Page 17 and 18: Seeing the system for the trees The
Page 19 and 20: Figure 3 - Sorting and filtering ev
Page 21: of PDS and PDSE data sets, and data
Page 25 and 26: Security alert: Do you want to proc
Page 27 and 28: Wanted: Your feedback The IBM z/OS
Page 29 and 30: are poking around trying to discove
Page 31 and 32: Dear Short Memory and Exhausted Sto
Page 33 and 34: The show must go on Work to remove
Page 35 and 36: Figure 2 - Connectivity rules for e
Page 37 and 38: = Direct delivery to MAC1 DXCF: 172
Page 39 and 40: HATS fantastic! Integrating host ap
Page 41 and 42: Head to head with benchmarks Consid
Page 43 and 44: Software prerequisite Hardware prob
Page 45 and 46: SystemPac is now on the menu Are yo
Page 47 and 48: Figure 2 - Relationship between the
Page 49 and 50: Storage made easy Answers that won
Page 51 and 52: volume in the connected set meets t
Page 53 and 54: In their own words… Here’s some
Page 55 and 56: Ed Mekeel has been with IBM for 36

Hot Topics - Messmer The Brain House

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?