Patrick Kappeler (pkappeler@wanadoo.fr) is a former IBM technical expert in the domain of IBM System z eBusiness Security.
He practiced for the last decade both as an IBM Certified Consulting I/T Specialist in the Montpellier (France) European Products and Solutions Support Center (PSSC) and as an IBM Redbooks® co-author and project leader for the International Technical Support Organization (ITSO) in the IBM Poughkeepsie (USA) Laboratory.
Patrick is now providing worldwide independent consultancy and education on IBM mainframe security, covering areas such as System z integrated hardware cryptography, RACF, Public Key Infrastructure, secure protocols, IP Security, LDAP, etc.

Trademarks
See http://www.ibm.com/legal/copytrade.shtml for a current list of IBM-owned trademarks.
Redbooks® is a registered trademark of International Business Machines Corporation.
Java and all Java-based trademarks are trademarks of Sun Microsystems Inc.
All other products may be trademarks or registered trademarks of their respective companies.
Layouts and artworks in the slides herein are property of Patrick Kappeler Consulting.
Patrick Kappeler Consulting – Dec 2011
Agenda
● z/OS Security Services and APIs
● z/OS Cryptographic Services
● z/OS Security Server
● z/OS Integrated Security Services
● z/OS LDAP Status
● IBM Health Checker for z/OS
● z/OS Communications Server Security services
● OpenSSH for z/OS
Implementing Security
Implementing Security

Security functions applied to a request against a real or virtual computing environment, before the request is accepted: Identification, Authentication, Integrity checking, Access Control, Confidentiality (aka "Privacy"), and Auditing.
They are applied at three levels: Transaction Level Security, Network Level Security, Platform Level Security.
The foundation: hardware and OS built-in security.
z/OS V1R13 Security Services and APIs

Network level security: IP Filtering, IPSec VPNs, Intrusion Detection Services, AT-TLS.
Middleware security: FTP, TN3270, HTTP Server, WAS for z/OS, CICS/TS, WebSphere MQ, ...; Java, J2EE, WSS, SAML, OpenSSH, ...
Transaction level security: z/OS LDAP Directory Server and client, z/OS PKI Services, z/OS Kerberos Key Distribution Center (Network Authentication Service), z/OS System SSL, Enterprise Identity Mapping (EIM), ICSF, OCSF/OCEP.
Platform level security: z/OS Security Server (RACF), DCE Security Server.
z/OS V1R13 Security Services and APIs

As per the July 2010 IBM Statement of Direction, z/OS V1.12 was the last release to include z/OS Distributed Computing Environment (DCE) and Distributed Computing Environment Security Server (DCE Security Server).
IBM recommends the IBM WebSphere Application Server, the IBM Network Authentication Service, and the IBM Directory Server as replacements. See the DCE Replacement Strategies Redbook for more details: http://www.redbooks.ibm.com/redbooks/pdfs/sg246935.pdf
DCE FMIDs HMB3190 and JMB319J have been removed at z/OS V1R13.
z/OS V1R13 Security Services and APIs – Supported Standards
z/OS Security Services and APIs – Packaging

z/OS Cryptographic Services
  ICSF (Integrated Cryptographic Service Facility)
  OCSF (Open Cryptographic Services Facility)
  System SSL (Secure Socket Layer)
  PKI Services (Public Key Infrastructure Services)
  pkitp (PKI Trust Policy)
z/OS Security Server
  RACF (Resource Access Control Facility) (* license required)
z/OS Integrated Security Services
  OCEP (Open Cryptographic Enhanced Plug-in)
  Network Authentication Service
  Enterprise Identity Mapping (EIM)
  Remote Services - Identity Cache
IBM Tivoli Directory Server for z/OS (ITDS)
  LDAP server and client (Lightweight Directory Access Protocol)
Communications Server
  IP Security: IPSec, IP Filtering
  Intrusion Detection Services
  AT-TLS (Application Transparent TLS)
IBM Health Checker For z/OS
  z/OS automated configuration and setup checks
IBM Ported Tools For z/OS
  OpenSSH For z/OS: unpriced feature – z/OS implementation of the OpenSSH protocol and services for UNIX System Services users
z/OS Security Services and APIs – Cryptography Export Control

Security Level 3 FMIDs
  Unpriced features, worldwide exportable subject to U.S. export regulations
  Required for the z/OS security services to perform encryption with keys longer than 56 bits
z/OS V1R13 Security Level 3
  • Tivoli Directory Server for z/OS Security Level 3
  • OCSF Security Level 3
  • Network Authentication Service Level 3
  • System SSL Security Level 3
z/OS V1R13 Communications Server Security Level 3
See details in "z/OS Planning for Installation", GA22-7504.
Java cryptography requires downloading the "unrestricted policy files" from http://www.ibm.com/developerworks/java/jdk/security/index.html.
z/OS Cryptographic Services
  ICSF (Integrated Cryptographic Service Facility)
  OCSF (Open Cryptographic Services Facility)
  System SSL (Secure Socket Layer)
  PKI Services (Public Key Infrastructure Services)
z/OS Cryptographic Services - ICSF

Applications written in ASM, PL/I, C/C++, COBOL and FORTRAN call the Integrated Cryptographic Service Facility through the IBM CCA and PKCS#11 APIs; System SSL and OCSF (CDSA), both C/C++, call ICSF the same way. Underneath z/OS, ICSF drives the hardware: Crypto Express3 coprocessors and CPACF.
Note: no coprocessor is required for PKCS#11 services with ICSF HCR7770 and later.
z/OS Cryptographic Services – ICSF Releases

z/OS release   ICSF FMID   Web deliverable name
z/OS V1R10     HCR7750     Included in base
               HCR7751     Cryptographic Support for z/OS V1R8-R10
               HCR7770     Cryptographic Support for z/OS V1R9-R11
               HCR7780     Cryptographic Support for z/OS V1R10-R12
z/OS V1R11     HCR7751     Included in base
               HCR7770     Cryptographic Support for z/OS V1R9-R11
               HCR7780     Cryptographic Support for z/OS V1R10-R12
               HCR7790     Cryptographic Support for z/OS V1R11-R13
z/OS V1R12     HCR7770     Included in base
               HCR7780     Cryptographic Support for z/OS V1R10-R12
               HCR7790     Cryptographic Support for z/OS V1R11-R13
z/OS V1R13     HCR7780     Included in base
               HCR7790     Cryptographic Support for z/OS V1R11-R13

As of September 2011, HCR7790 is available for download at http://www-03.ibm.com/systems/z/os/zos/downloads/ as "Cryptographic Support for z/OS V1R11-V1R13" (ICSF web deliverable #11).
z/OS Cryptographic Services – ICSF Releases

The full story about what is new in HCR7790: refer to http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10760

Some functional trends and directions ...
Finer access control to keys in and out of cryptographic key data sets – HCR7751 (2008)
Enforcement of the FIPS 140-2 Level 1 standard (optional – PKCS#11 only) – HCR7770 (2009)
Catching up with "new" standards
  ● Elliptic Curve Cryptography (ECC)
    ● Introduced as a PKCS#11 service – clear keys – hardware is optional – HCR7770 (2009)
    ● Secure ECC keys (in PKDS) for CCA services (zEnterprise only, with CEX3C) – HCR7780 (2010)
  ● Advanced Encryption Standard (AES)
    ● Secure AES introduced in HCR7751 (2008) – for data encryption/decryption only
    ● Secure AES for key export/import (zEnterprise only, with CEX3C) – HCR7790 (2011)
  ● Hash-based Message Authentication Code (HMAC)
    ● Secure HMAC introduced in HCR7780 (2010)
  ● ANSI TR-31 key block (zEnterprise only, with CEX3C)
    ● Introduced in HCR7790 (2011) – CCA token conversion for key exchange
Usability
  ● Coordinated KDS Master Key Change and Refresh in HCR7790 (2011)
z/OS Cryptographic Services – ICSF Releases
Some enhancements at HCR7790 >>>> Available on zEnterprise only - require CEX3C

z/OS Cryptographic Services – ICSF Releases
Some enhancements at HCR7790 >>>> without hardware dependencies
z/OS Cryptographic Services - OCSF

z/OS Open Cryptographic Service Facility: the OS/390 implementation of the Common Data Security Architecture (CDSA) Intel/IBM security framework.

Layering, from top to bottom:
  Application
  OCSF Security API
  OCSF Framework: CSP Manager, TP Manager, CL Manager, DL Manager
  Service provider interfaces (SPI, TPI, CLI, DLI) to the service providers
  Service Providers: CSP providers (ICSF); TP providers (OCEP Trust Policy, pkitp); CL providers; DL providers (OCEP Data Library, LDAP Services). The OCEP providers are backed by RACF.

CSP = Cryptographic Services Provider
TP = Trust Policy
CL = Certificate Library
DL = Data Library
SPI = Service Provider Interface
OCEP = Open Cryptographic Enhanced Plug-in
pkitp = PKI Trust Policy

The z/OS OCSF Framework has been stabilized since z/OS V1R3.
z/OS Cryptographic Services – z/OS System SSL

• A set of C/C++ functions (the SSL/TLS API) for establishing and using SSL/TLS socket connections as an SSL/TLS server or client
• A set of C/C++ functions (the Certificate Management Services API) for applications to
  • manipulate key and certificate databases and PKCS#11 tokens
  • exploit keys and certificates stored in databases and PKCS#11 tokens
  • build and process PKCS#7 messages
• A key and certificate management shell-based facility (gskkyman)

The System SSL DLLs sit between the application and TCP/IP (send()/recv()): they run the handshake, validate certificates (using an LDAP client to retrieve Certificate Revocation Lists), encrypt and decrypt data, and make hardware crypto calls to ICSF and CPACF. The result is SSL/TLS-protected communications.
Keys and certificates are kept in an HFS key database, or in a RACF keyring, or in ICSF PKCS#11 tokens, or in the ICSF PKDS.
SSL = Secure Socket Layer; TLS = Transport Layer Security
z/OS Cryptographic Services – z/OS System SSL

Some functional trends and directions ...
Catching up with "new" standards
  ● TLS V1.1 and TLS extensions (RFC 4366) – z/OS V1R11
  ● Support of certificates as defined by RFC 3280 (vs. RFC 2459) – z/OS V1R11
  ● Staged ECC support (*)
    ● Support of ECC-based digital signatures and certificates with the CMS API – clear keys only – z/OS V1R12
    ● Full support of ECC keys and certificates, EC Diffie-Hellman supported for the handshake – can use secure ECC keys – z/OS V1R13
Enforcement of the FIPS 140-2 Level 1 standard (optional) – z/OS V1R11
  ● See the restrictions that apply in FIPS mode in "System Secure Sockets Layer Programming", SC24-5901
* System SSL always calls ICSF for ECC cryptography
z/OS Cryptographic Services – z/OS System SSL

Enhancements at z/OS V1R13
Extension of the ECC support provided in V1R12 with
  ● ECC certificate creation with gskkyman and the CMS API
    ● Can specify NIST or BP (Brainpool) curves – 160 to 521-bit keys
    ● Certificates can be signed using ECC
    ● Key usage can be: digital signature (with certificate and CRL signing for CA certificates), key agreement, or both
  ● Update to the TLS handshake cipher specs for ECC with ECDH key agreement
    ● Fixed or ephemeral ECC keys
    ● ECDSA or RSA for partner authentication
    ● Can use ECDSA with private keys stored in the PKDS (zEnterprise only)
  ● The SSL started task "Display Crypto" command is enhanced to show ECC availability
Toleration APAR OA34156 is needed on
z/OS Cryptographic Services – z/OS PKI Services

• The user requests and receives certificates via a browser interface or CMP (Certificate Management Protocol)
• The user can generate the key pair, or z/OS PKI Services can generate and archive key pairs
• A client can get a certificate via SCEP (Simple Certificate Enrollment Protocol)
• Certificate Revocation Lists are published in the LDAP directory and as HTTP files
• Support for OCSP (Online Certificate Status Protocol)
z/OS Cryptographic Services – z/OS PKI Services

Some functional trends and directions ...
Expanding z/OS PKI Services functionalities
  ● User options for key generation and archival at z/OS PKI Services (z/OS V1R11) *
  ● Full support for Mozilla-based browsers (z/OS V1R13)
Catching up with "new" standards
  ● SHA-2 for the certificate hash (z/OS V1R11 - V1R12)
  ● CMP (RFC 4210) support (z/OS V1R12) – subset of CMP messages only
  ● ECC certificates and keys support (z/OS V1R12 - V1R13) *
Technology updates
  ● JSP front end alternative to the REXX CGI (z/OS V1R11)
  ● ActiveX alternative to the Microsoft CAPICOM API (z/OS V1R13)
Usability
  ● Multi-byte character support (z/OS V1R11)
  ● Long distinguished names (z/OS V1R12)
  ● Enhancements to supported certificate extensions (z/OS V1R12)
  ● Alternate store (DB2) for requests and issued certificates (z/OS V1R13)
  ● Longer CRL support (z/OS V1R13)
  ● Optional Issuing Distribution Point extension in CRLs (z/OS V1R13)
* Key generation or use of ECC requires ICSF to be active
z/OS Cryptographic Services – z/OS PKI Services

Enhancements at z/OS V1R13 (1/2)
Exploitation of a hardware-protected secure ECC CA key (zEnterprise only, with CEX3C and ICSF HCR7780)
  ● Was previously clear ECC key support via the ICSF PKCS#11 API
  ● Can use the ICSF secure ECC key support at z/OS V1R13
Optional exploitation of a local DB2 as the store for requests, issued certificates and CRLs
  ● By default dedicated VSAM data sets are used
  ● Can migrate to a local DB2 instead (DB2 V9 or above)
    ● Via PKI Services re-configuration – DB2 and VSAM use are mutually exclusive
    ● vsam2db2 utility – cannot migrate backward
Improved support for smart card use with IE and Mozilla browsers
  ● PKI Services supports Microsoft IE or Mozilla-based browsers
  ● The smart card is used at the browser to generate the keys and the certificate request
    ● Smart card support was only available for IE, using a deprecated API (CAPICOM)
    ● At z/OS V1R13 PKI Services supports smart card use in
      ● Mozilla-based browsers (in Windows or Linux)
      ● IE using CAPICOM or the PKI Services-provided alternate ActiveX program
z/OS Cryptographic Services – z/OS PKI Services

Enhancements at z/OS V1R13 (2/2)
Miscellaneous improvements
  ● Larger CRL support
    ● Intermediate staging of CRLs to be posted to LDAP used a VSAM data set with a record limit of 32KB
    ● Staging can now optionally be configured to happen in HFS/zFS – no record length limit
  ● Optional Issuing Distribution Point extension in CRLs
    ● As per the standards the extension should be marked critical, but relying applications are not required to support it
    ● It was always present in z/OS PKI Services-generated CRLs
    ● Since an application that cannot process a critical extension must not use the CRL, non-conforming applications could end up ignoring the CRL altogether and accepting the certificates it revokes
    ● At z/OS V1R13 the presence of the extension in CRLs created by PKI Services is optional
z/OS Security Server (RACF)
z/OS Security Server - The Many Faces of RACF
z/OS Security Server - RACF

Some functional trends and directions ...
Enhancing RACF functions
  ● ID Propagation – "end-to-end security identity consistency and auditing" (z/OS V1R11 – z/OS V1R13)
  ● Program signature generation and verification (z/OS V1R11)
  ● RACDCERT enhancements (z/OS V1R11 – V1R12 – V1R13)
Catching up with "new" standards
  ● Support for ECC keys and certificates (z/OS V1R12 – V1R13)
Technology update
  ● TCP/IP support by RRSF (z/OS V1R13)
Usability
  ● Automatic UID/GID assignment (BPX.UNIQUE.USER) (z/OS V1R11)
  ● LDAP interface for general resource administration and SETROPTS (z/OS V1R11)
  ● ICSF segment in general resource classes for finer access control to cryptographic keys (z/OS V1R11 - V1R12)
z/OS Security Server - RACF

Enhancements at z/OS V1R13
Enhancements to Identity Propagation (ID Propagation 2)
  ● Extension to the R_usermap (new QUERY service) and R_cacheserv (re-usable ICRX allowed) services
  ● Extension to the RACMAP command (new query function)
  ● Normalization of the Distributed Identity Filter Name if it is in X.500 format
    ● May require re-creating pre-R13 IDIDMAP class profiles
  ● Installable via APARs OA34258 and OA34259 on R11 and R12 systems
RRSF support of TCP/IP communications (see next slides)
  ● In addition to the original VTAM and APPC support
  ● Exploits TLS security via z/OS Communications Server AT-TLS (stronger encryption)
Enhancements to the RACDCERT command
  ● Support for hardware ECC keys (zEnterprise only, with CEX3C and ICSF HCR7780)
    ● R_datalib enhanced accordingly (key type X'00000009')
  ● Restructuring of the key type designations
    ● NISTECC / NISTECC(PKDS)
    ● BPECC / BPECC(PKDS)
    ● RSA / RSA(PKDS)
    ● DSA
z/OS V1R13 is the last release to support the FACILITY class profile BPX.DEFAULT.USER
Use BPX.UNIQUE.USER instead – see the dedicated session today
z/OS Security Server - RACF

Enhancements at z/OS V1R13 – RRSF TCP/IP Support
The RACF Remote Sharing Facility was initially designed to use VTAM APPC for communications between the involved RACF subsystems, for
  ● User ID associations with password synchronization
  ● Remote administration
  ● Mirroring of databases (automatic command direction/password synchronization)
Data are encrypted with a weak IBM algorithm (CDMF, a DES variant with a 40-bit effective key)
Can alternatively use TCP/IP beginning with z/OS V1R13
  ● IPv4 only
  ● Uses SSL/TLS-secured communications
    ● The RACF subsystem is both an SSL/TLS server and client (with client authentication)
    ● The SSL/TLS cipher specs are user selectable
  ● Messages are still protected with CDMF while residing in the queue data sets
  ● New TARGET operator command parameter/option
  ● Dynamic protocol conversion process (both directions)
    ● Peer systems in an MSN can use mixed protocols
  ● New SET TRACE(RRSF) operator command
Single-system or multi-system nodes (MSN): for example, a pre-R13 system still connects over VTAM APPC while the R13 nodes talk to each other over TCP/IP.
z/OS Security Server - RACF

RRSF TCP/IP Setup Overview (RACF Security Administrator's Guide and System Programmer's Guide)
The RACF address space exploits the z/OS Communications Server AT-TLS function (Application Transparent TLS) and is "AT-TLS aware"
  ● RACF subsystem user ID set up as a UNIX user (OMVS segment on the USER and its GROUP)
  ● Build and connect digital certificates and keys to the RACF subsystem keyring
    ● A dedicated internal CA is simpler
    ● Can also use an external CA – additional controls available
  ● Build and enable the AT-TLS policy required for RRSF connections (sample provided in SAMPLIB), specifying
    ● The RACF subsystem TCP port number (default is 18136)
    ● The cipher spec algorithms to use with SSL/TLS
    ● Client authentication is required
  ● Set up RACF profiles to control the use of the involved resources, even though the RACF subsystem runs TRUSTED or PRIVILEGED
  ● Use the RACF TARGET command to
    ● Start a TCP listener on the local node
    ● Reach a remote node by specifying an IP address and the communication protocol (TCP)

Data flow: the RACF subsystem exchanges clear data with the Communications Server on port 18136; AT-TLS, driven by the AT-TLS policy, calls System SSL with the keys and certificates from the keyring to turn that into SSL/TLS-protected communications with the remote node.
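The setup steps above, worked as one batch job. This is an added example, not taken from the slides or from IBM's SAMPLIB: the RACF subsystem user ID RACF and group SYS1, the UID/GID values, the keyring name IRR.RRSF.KEYRING, the job name used in the AT-TLS rules, the certificate labels and dates, the policy file path and the cipher list are all assumptions; take the keyring name, the sample policy and the port from the RACF Security Administrator's Guide and the SAMPLIB member of your release. Step 1 writes the AT-TLS policy fragment to a z/OS UNIX file for Policy Agent to include; step 2 runs, as batch TSO, the RACF commands that give the subsystem an OMVS segment, build the internal CA and this node's certificate, populate the keyring and permit the subsystem to read it.

```jcl
//RRSFTLS  JOB (ACCT),'RRSF TCP/IP SETUP',CLASS=A,MSGCLASS=X
//* Added example, not IBM SAMPLIB: every name, path, UID/GID, label,
//* date and address below is an assumption made for illustration.
//*
//* Step 1: write the AT-TLS policy fragment for RRSF to a UNIX file
//* that Policy Agent (pagent) includes. 18136 is the RRSF default port.
//POLICY   EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT2   DD PATH='/etc/pagent/rrsf.ttls',FILEDATA=TEXT,
//            PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
//            PATHMODE=(SIRUSR,SIWUSR,SIRGRP)
//SYSUT1   DD *
# Inbound: remote RRSF nodes connect to our listener on 18136.
# The RACF subsystem is the TLS server and must authenticate the client.
TTLSRule RRSF_Inbound
{
  LocalPortRange           18136
  Direction                Inbound
  Jobname                  RACF
  TTLSGroupActionRef       RRSF_Group
  TTLSEnvironmentActionRef RRSF_ServerEnv
}
# Outbound: our subsystem connects to a remote node's listener on 18136.
TTLSRule RRSF_Outbound
{
  RemotePortRange          18136
  Direction                Outbound
  Jobname                  RACF
  TTLSGroupActionRef       RRSF_Group
  TTLSEnvironmentActionRef RRSF_ClientEnv
}
TTLSGroupAction RRSF_Group
{
  TTLSEnabled              On
}
# Server side: client certificate is mandatory, not merely requested.
TTLSEnvironmentAction RRSF_ServerEnv
{
  HandshakeRole            ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring                IRR.RRSF.KEYRING
  }
  TTLSEnvironmentAdvancedParms
  {
    ClientAuthType         Required
  }
  TTLSCipherParmsRef       RRSF_Ciphers
}
# Client side: same keyring, the node certificate is sent when asked.
TTLSEnvironmentAction RRSF_ClientEnv
{
  HandshakeRole            Client
  TTLSKeyringParms
  {
    Keyring                IRR.RRSF.KEYRING
  }
  TTLSCipherParmsRef       RRSF_Ciphers
}
# The "user selectable" cipher specs: AES only, no export or DES suites.
TTLSCipherParms RRSF_Ciphers
{
  V3CipherSuites           TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites           TLS_RSA_WITH_AES_128_CBC_SHA
}
/*
//* Step 2: RACF definitions, run as batch TSO (no comments are
//* possible inside SYSTSIN, so they are given here):
//*  - OMVS segments so the subsystem can open sockets as a UNIX user
//*    (a non-zero UID is enough: 18136 is not a privileged port)
//*  - a dedicated internal CA, then this node's certificate signed by
//*    it; HANDSHAKE key usage covers both the server and client role
//*  - the keyring named in the policy, with the CA and the node cert
//*  - FACILITY profile so that only the subsystem can list its ring,
//*    even though it runs TRUSTED (classes assumed already RACLISTed)
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ALTGROUP SYS1 OMVS(GID(7))
 ALTUSER  RACF OMVS(UID(7) HOME('/') PROGRAM('/bin/sh'))
 RACDCERT CERTAUTH GENCERT +
   SUBJECTSDN(CN('RRSF Internal CA') O('EXAMPLE')) +
   WITHLABEL('RRSF CA') KEYUSAGE(CERTSIGN) NOTAFTER(DATE(2021-12-31))
 RACDCERT ID(RACF) GENCERT +
   SUBJECTSDN(CN('RRSF NODE1') O('EXAMPLE')) +
   WITHLABEL('RRSF NODE1') SIGNWITH(CERTAUTH LABEL('RRSF CA')) +
   KEYUSAGE(HANDSHAKE) NOTAFTER(DATE(2016-12-31))
 RACDCERT ID(RACF) ADDRING(IRR.RRSF.KEYRING)
 RACDCERT ID(RACF) CONNECT(CERTAUTH LABEL('RRSF CA') +
   RING(IRR.RRSF.KEYRING) USAGE(CERTAUTH))
 RACDCERT ID(RACF) CONNECT(ID(RACF) LABEL('RRSF NODE1') +
   RING(IRR.RRSF.KEYRING) USAGE(PERSONAL) DEFAULT)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RACF) ACCESS(READ)
 SETROPTS RACLIST(FACILITY DIGTCERT DIGTRING) REFRESH
/*
```

After the job runs, have Policy Agent pick up the new file (F PAGENT,REFRESH), then issue the TARGET commands from the console: one defining the local node with PROTOCOL(TCP) and OPERATIVE to start the listener, and one per remote node giving its IP address inside the TCP sub-parameters, as on the next slide. Each remote node needs the same keyring work done with a certificate chained to a CA that this node trusts; with the internal-CA approach, that means connecting the same CA certificate into every node's ring. TARGET with the LISTPROTOCOL option shows which protocol each node is actually using.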
z/OS Security Server - RACF

RRSF TCP/IP Operations – The TARGET command
Two enhancements to the TARGET command
  ● Value TCP (with sub-parameters) for the PROTOCOL parameter
  ● LISTPROTOCOL option
New messages for TCP/IP – no one-to-one correspondence with the APPC messages – more detailed information
Examples
TARGET NODE(LOCNODE) PROTOCOL(APPC(LUNAME(MF1AP001))) PREFIX(LOCNODE.WORK) -
WORKSPACE(VOLUME(TEMP01) FILESIZE(500)) LOCAL
TARGET NODE(LOCNODE) PROTOCOL(TCP) OPERATIVE
IRRC054I (
z/OS Integrated Security Services (a.k.a. ISS)
  Network Authentication Service (NAS)
  Enterprise Identity Mapping (EIM)
  Remote Services - Identity Cache
z/OS ISS - Network Authentication Service (NAS)

Kerberos support for the z/OS KDC or applications
• DB2 V7 and above (authentication)
• WebSphere Application Server (authentication)
• FTP client and server (authentication, optional encryption)
• Telnet server (authentication, optional encryption)
• LDAP client and server (authentication)
• rshd server (authentication, optional encryption)
• NFS server (authentication)

A Kerberos-enabled service on z/OS accepts tickets issued by the z/OS (RACF) KDC, or tickets issued by an Active Directory KDC to Windows 2000/XP clients when an inter-realm key is shared between the z/OS RACF KDC and Active Directory.
SPKM-3 and LIPKEY support (z/OS V1R9): Simple Public-Key Mechanism and Low Infrastructure Public Key Mechanism
All mechanisms are supported by the z/OS implementation of GSS-API
z/OS ISS - Network Authentication Service (NAS)

Some functional trends and directions ...
Catching up with "new" standards
  ● Compliance with RFC 4120 (obsoletes RFC 1510) (z/OS V1R12)
  ● Compliance with RFC 4120 – optional server-side validation of the addresses in a ticket prior to use (new field in the RACF KERB segment for the local realm) (z/OS V1R13)
  ● RFC 4537 support for client-server encryption type negotiation (z/OS V1R13)
Technology update
  ● Kerberos keys can be generated from the RACF password phrase instead of the password (z/OS V1R10)
  ● Sysplex distributed VIPA specific support for an application server to accept AP-REQs for another instance of the same application server – under RACF control (z/OS V1R12)
Usability
  ● keytab merge option for importing keys originated on other platforms (z/OS V1R11)
  ● keytab check option for checking the validity of keytab entries (z/OS V1R11)
z/OS V1R13 items: see the specific session from the Poughkeepsie lab today
z/OS ISS - Enterprise Identity Mapping (EIM)

An LDAP-based facility for mapping installation identities to local OS (Windows, AIX, z/OS, etc.) identities.

The EIM Domain Controller (LDAP) holds, for the identifier "John N. Smith":
Registry    User        Type       Association
DomServer   John Smith  Kerberos   Source
ServerB     JSMITH      RACF       Target
IntraNet    JohnS       AIX        Target
SysA        JS50852     OS/400     Target

Scenario (the steps requesting the TGT are not shown):
1. John, authenticated in the Windows domain as "John N. Smith", asks the Key Distribution Center (AS/TGS) on Server B (z/OS): "Can I have a ticket for SysA? I am John Smith."
2. The KDC answers "Sure." and issues the ticket.
3. John presents the ticket to System A (OS/400): "Here's my ticket. Can you let me in?"
4. System A, through the EIM client API (C/C++ or Java), asks the EIM domain controller: "Hey, who is this Kerberos user John Smith in DomServer on SysA?"
5. The domain controller answers: "I know, that's JS50852."
6. System A: "Oh. Welcome JS50852."

A set of LDAP-based RACF remote services provided by z/OS:
  ● Remote Authorization
  ● Remote Auditing
  ● Identity Cache
No changes since z/OS V1R10
z/OS LDAP Status
IBM Tivoli Directory Server for z/OS (ITDS)

The z/OS UNIX LDAP server accepts basic authentication, SSL/TLS, Kerberos, CRAM-MD5 and Digest-MD5 binds over the TCP/IP stack, serves one or more backends, and loads plug-ins through the SLAPI plug-in interface. On the client side are the LDAP client library (driven by the LDAP client config) used by applications, and the command-line utilities ldapsearch, ldapmodify, ldapdelete, ldapmodrdn and ldapcompare, available from the OMVS shell and from TSO.
Available in z/OS V1R8 and above – the original z/OS LDAP Server is removed at z/OS V1R11
ITDS for z/OS – z/OS-provided backends and plug-ins

Backends
TDBM: general purpose directory data stored in a DB2 database – user-provided schemas. Use: any use of an LDAP directory (e.g. user registry); supports RACF Native Authentication.
LDBM: general purpose directory data stored in HFS/zFS files – user-provided schemas. Same uses as TDBM.
SDBM: LDAP externalization of RACF users, groups, user-group connections and general resource profiles – fixed schema provided by IBM. Use: RACF remote administration of users, groups and general resources.
GDBM: change log – log data stored in a DB2 database or in HFS/zFS – fixed schema provided by IBM. Use: logging of changes for SDBM, TDBM, LDBM, CDBM and the schema; directory synchronization.
CDBM (at z/OS V1R11): used to store configuration and policy information – data stored in HFS/zFS files – fixed schema provided by IBM. Use: advanced replication configuration information, password policy.
EXOP: extended operations – server-specific services.

IBM plug-ins
ICTX plug-in
  ● RACF remote authorization
  ● RACF remote auditing
  ● RACF identity cache
HCD plug-in
  ● To process update requests against existing IODF configuration data
  ● Cannot be used to build an IODF or to perform dynamic activation
IBM Tivoli Directory Server for z/OS
Some functional trends and directions ...
Expanding LDAP use on z/OS
● Remote administration of RACF general resource profiles, with a change log entry (z/OS V1R11)
● Remote access to some SETROPTS options (z/OS V1R11)
Catching up with other platforms' ITDS functionalities
● Advanced replication options (z/OS V1R11)
● Configurable password policy (z/OS V1R12)
● Compatibility updates to schemas (z/OS V1R12)
● Paged and sorted search results (RFCs 2696 and 2891) (z/OS V1R13)
Catching up with "new" standards
● SHA-2 support (z/OS V1R13)
Technology update
● WLM classification and health services for sysplex distribution to LDAP servers (z/OS V1R11)
● Dynamically filtered access control (z/OS V1R12)
● 64-bit addressing mode for DB2-based backends (z/OS V1R13)
● z/OS LDAP client able to operate with Active Directory using Kerberos (z/OS V1R13)
Usability
● New configuration backend (CDBM) (z/OS V1R11)
● Definition of an administrative group, whose members hold predefined roles (z/OS V1R13)
● Group search limits (z/OS V1R13)
IBM Tivoli Directory Server for z/OS
Enhancements at z/OS V1R13 (1/3)
Server compatibility level is "7"
Optional 64-bit addressing mode for DB2-based backends
− New DLLs: GLDBTD64 (TDBM), GLDBGD64 (GDBM) – require the 64-bit server (GLDSRV64) to be operating
− TDBM unload and bulkload utilities updated (ds2ldif – ldif2ds)
− DB2 V9 with PTFs UK50918 and UK55577, and above
Paged and sorted search results can optionally be provided on an LDAP search (RFCs 2696 and 2891)
− Server-based paging capability for receiving a subset of the search results at a time
● Requested by the client (LDAP control extension) – page size and page time
● New attributes in the server's configuration
  Paged search requests enabled (ibm-slapdPagedResLmt)
  Allowed to non-administrators (ibm-slapdPagedResAllowNonAdmin)
− Search results sent by the server sorted according to client-provided sort keys
● Requested by the client (LDAP control extension) – sort keys
● New attributes in the server's configuration
  Sorted search results enabled (ibm-slapdSortKeyLimit)
  Allowed to non-administrators (ibm-slapdSortSrchAllowNonAdmin)
− The z/OS LDAP client API and the ldapsearch utility support paged and sorted search results
Both controls make the server hold state or order the whole result set before answering, which is why they are limited and can be withheld from non-administrators: left open to anonymous or ordinary binds, they are a resource-exhaustion vector.
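The two request controls named above, encoded by hand from RFC 2696 (paged results) and RFC 2891 (server-side sort) and exercised against a constructed in-memory "server". This is an added example, not code from the slides, from IBM's LDAP client or from the z/OS server: it shows the wire encoding and the cookie round trip, in which the client never interprets the cookie and stops only when the server returns an empty one. The offset-as-cookie scheme, the 23-entry directory and the page sizes are assumptions of the example; a real server's cookie is opaque and need not be an offset.

```python
"""RFC 2696 paged results and RFC 2891 server-side sort controls, encoded in
BER without an LDAP library, plus a client paging loop.  Added example; the
in-memory 'server' and its cookie format are constructed for the demo."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # RFC 2696
SORT_REQUEST_OID = "1.2.840.113556.1.4.473"    # RFC 2891


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    # minimal two's-complement INTEGER; callers only pass non-negative sizes
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_octets(data: bytes) -> bytes:
    return ber(0x04, data)


def ber_seq(*items: bytes) -> bytes:
    return ber(0x30, b"".join(items))


def paged_value(size: int, cookie: bytes) -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    return ber_seq(ber_int(size), ber_octets(cookie))


def sort_key_list(keys) -> bytes:
    """SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType, [0] orderingRule OPTIONAL,
    [1] reverseOrder BOOLEAN DEFAULT FALSE }; keys = [(attr, rule_or_None, reverse)]"""
    items = []
    for attr, rule, reverse in keys:
        parts = [ber_octets(attr.encode())]
        if rule:
            parts.append(ber(0x80, rule.encode()))   # [0] IMPLICIT MatchingRuleId
        if reverse:
            parts.append(ber(0x81, b"\xff"))         # [1] IMPLICIT BOOLEAN TRUE
        items.append(ber_seq(*parts))
    return ber_seq(*items)


def control(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN, controlValue OCTET STRING }
    (criticality is always encoded here; DER would omit it when FALSE)."""
    return ber_seq(ber_octets(oid.encode()),
                   ber(0x01, b"\xff" if critical else b"\x00"),
                   ber_octets(value))


def _ber_read(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_paged_value(value: bytes):
    """Parse a paged results control value into (size, cookie)."""
    tag, body, _ = _ber_read(value, 0)
    if tag != 0x30:
        raise ValueError("paged results value must be a SEQUENCE")
    t_size, size, pos = _ber_read(body, 0)
    t_cookie, cookie, _ = _ber_read(body, pos)
    if (t_size, t_cookie) != (0x02, 0x04):
        raise ValueError("bad paged results value")
    return int.from_bytes(size, "big", signed=True), cookie


# ---- constructed 'server' and the client loop -----------------------------
ENTRIES = [f"uid=user{i:03d},ou=people,o=example" for i in range(23)]  # constructed data


def server_search_page(request_value: bytes):
    """Serve one page.  The cookie is an opaque offset here; an empty cookie
    in the response means the last page was sent (RFC 2696 section 3)."""
    size, cookie = decode_paged_value(request_value)
    offset = int.from_bytes(cookie, "big") if cookie else 0
    if size == 0:                            # client abandons the paged search
        return [], paged_value(0, b"")
    page = ENTRIES[offset:offset + size]
    nxt = offset + len(page)
    new_cookie = nxt.to_bytes(2, "big") if nxt < len(ENTRIES) else b""
    return page, paged_value(len(ENTRIES), new_cookie)   # size = estimate of total


def fetch_all(page_size: int):
    """Client side: re-send whatever cookie the server returned until it is empty."""
    results, cookie, round_trips = [], b"", 0
    while True:
        page, response_value = server_search_page(paged_value(page_size, cookie))
        results.extend(page)
        round_trips += 1
        _estimate, cookie = decode_paged_value(response_value)
        if not cookie:
            return results, round_trips
```

The `control()` wrapper is what goes into the `controls` field of the SearchRequest; sending `paged_value(0, cookie)` mid-search tells the server to discard the saved state, which is the polite way for a client to give up rather than leaving an outstanding paged request counted against the server's limit.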
IBM Tivoli Directory Server for z/OS
Enhancements at z/OS V1R13 (2/3)
An administrative group can be defined, and members (i.e. administrators) added to it with pre-defined roles/authorities:
− Server configuration administrator
− Directory data administrator
− No administrator
− Operational administrator
− Password administrator
− Replication administrator
− Root administrator
− Schema administrator
The administrative group is available when the ibm-slapdAdminGroupEnabled configuration attribute is set to TRUE; the group is held under cn=AdminGroup,cn=Configuration
A role can be assigned to an administrative group member
− By using the ibm-slapdAdminRole attribute in the ibm-slapdAdminGroupMember objects
− Or by using RACF profiles in the LDAP class:
  The administrator DN should resolve to a RACF user ID
  The RACF user ID has READ access to profiles in the LDAP class with a name of the form <security domain>.ADMINROLE.<role>, where the first qualifier must match the ibm-slapdSAFSecurityDomain attribute value in the server configuration
The RACF route keeps the role grants where the other z/OS authorizations are, so they are listed, audited and revoked with the usual RACF tools rather than by editing the configuration backend.
IBM Tivoli Directory Server for z/OS
Enhancements at z/OS V1R13 (3/3)
The administrator can restrict the search data volume on an LDAP group basis (LDBM and TDBM)
− There is already a sizeLimit and a timeLimit in the server's configuration
− New attributes in the group entry override the server's limits
● Maximum number of entries to return from search requests (ibm-searchSizeLimit)
● Maximum number of seconds to spend on search requests (ibm-searchTimeLimit)
− The limits do not apply to the administrator(s)
SHA-2 and salted SHA-2 support for one-way password encryption (TDBM, LDBM, CDBM)
− New values for the pwEncryption configuration option
● SHA224, SSHA224, SHA256, SSHA256, SHA384, SSHA384, SHA512, SSHA512
● Requires ICSF to operate (no crypto hardware needed)
● All servers sharing the backend should be at compatibility level 7
− Prefer the salted (SSHA*) values: an unsalted hash of a given password is identical in every directory, so it can be matched against precomputed tables and reveals which users share a password; the salt defeats both
New explicit listen options for the server to listen on all configured interfaces
− INADDR_ANY and in6addr_any – finding the available interfaces is left to the Communications Server
Kerberos client internal updates
− Fix for the z/OS LDAP client bind to an Active Directory server – internal fix only
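How the salted and unsalted SHA-2 schemes listed above differ in practice, as an added example that is not code from the slides or from ITDS: the stored value is {SCHEME} followed by base64 of digest || salt, the storage convention common to LDAP servers (OpenLDAP's {SSHA} uses the same layout). That layout, the 16-byte salt and the scheme names being exactly the pwEncryption values are assumptions; the slide does not state the on-disk encoding used by ITDS for z/OS.

```python
"""One-way password hashing with the SHA-2 and salted SHA-2 pwEncryption
schemes, in the {SCHEME}base64(digest || salt) convention.  Added example;
the exact encoding used by ITDS for z/OS is assumed, not taken from the slides."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGESTS = {"SHA224": hashlib.sha224, "SHA256": hashlib.sha256,
           "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def _resolve(scheme: str):
    """'SSHA256' -> (sha256, salted=True); 'SHA256' -> (sha256, salted=False)."""
    salted = scheme.startswith("SS")
    base = scheme[1:] if salted else scheme
    if base not in DIGESTS:
        raise ValueError(f"unsupported pwEncryption scheme {scheme}")
    return DIGESTS[base], salted


def hash_password(password: str, scheme: str = "SSHA256",
                  salt: Optional[bytes] = None) -> str:
    """Store digest(password || salt) followed by the salt, so verification
    can recover the salt without a separate field."""
    algo, salted = _resolve(scheme)
    if salted:
        salt = os.urandom(16) if salt is None else salt   # fresh random salt per password
    else:
        salt = b""                                        # unsalted: deterministic output
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_stored(stored: str) -> Tuple[str, bytes, bytes]:
    """Return (scheme, digest, salt) from a stored value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}-prefixed value")
    scheme, encoded = stored[1:].split("}", 1)
    algo, _ = _resolve(scheme)
    raw = base64.b64decode(encoded)
    size = algo().digest_size
    if len(raw) < size:
        raise ValueError("stored value shorter than the digest")
    return scheme, raw[:size], raw[size:]


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, digest, salt = split_stored(stored)
    algo, _ = _resolve(scheme)
    candidate = algo(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Hashing the same password twice with SSHA256 gives two different stored values, while SHA256 gives the same one every time; that difference is the whole argument for the salted variants when a directory is replicated or its backend copied.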
z/OS Health Checker
Health Checker for z/OS
A continuously running task that periodically executes check programs developed by IBM, independent software vendors or users - intended to detect common z/OS configuration and setup errors
New IBM checks and updates come with new z/OS releases
IBM health checks for ICSF and RACF at z/OS V1R13
ICSF checks
● Presence of retained keys in the CEX2C/CEX3C coprocessors
● PKDS record size should fit the 4096-bit RSA token length
● Degradation in the state of a coprocessor or accelerator (check installed with HCR7790)
● Use of services that will not be supported in subsequent releases (check installed with HCR7790)
RACF checks
● RACF's serialization requests should not be altered by global resource serialization resource name lists (RNLs)
● No non-LPA entries in the RACF Authorized Caller Table (ICHAUTAB)
● Key system resources have a proper baseline set of protections (UACC, WARNING, ID(*), user)
  The check is performed for the FACILITY, OPERCMDS, TAPEVOL, TEMPDSN, TSOAUTH and UNIXPRIV classes when they are active
● IBMUSER should be revoked
● Migration check – BPX.DEFAULT.USER (check installed with OA37164)
IBM Health Checker for z/OS User's Guide - SA22-7994
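What the RACF baseline checks above actually test, as an added example that is not IBM's Health Checker code: a small script that parses RLIST and LISTUSER output and flags a UACC above NONE, WARNING(YES), an ID(*) entry in the access list, and an IBMUSER that is not revoked. The command output it reads is constructed for the example and only approximates the real RLIST/LISTUSER layout; the RNL and ICHAUTAB checks are not modelled.

```python
"""Baseline checks in the spirit of the RACF health checks: UACC/WARNING on
key profiles, ID(*) in an access list, IBMUSER revoked.  Added example, not
IBM's code; the sample RLIST and LISTUSER output is constructed and only
approximates the real command layout."""
import re
from typing import Dict, List

RLIST_OUTPUT = """\
CLASS      NAME
-----      ----
FACILITY   BPX.SUPERUSER

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            NONE              ALTER     NO

                USER      ACCESS   ACCESS COUNT
                ----      ------   ------ -----
                SYSADM    READ     000000
                *         READ     000000

CLASS      NAME
-----      ----
OPERCMDS   MVS.**

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            UPDATE            ALTER     YES
"""

LISTUSER_OUTPUT = """\
USER=IBMUSER  NAME=IBM DEFAULT USER    OWNER=IBMUSER   CREATED=85.001
 DEFAULT-GROUP=SYS1     PASSDATE=00.000 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
"""


def parse_rlist(text: str) -> List[Dict]:
    """One dict per profile: class, name, uacc, warning and the access list."""
    profiles, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        head = lines[i].split()[:2]
        if head == ["CLASS", "NAME"]:                 # header, dashes, then values
            cls, name = lines[i + 2].split()[:2]
            profiles.append({"class": cls, "name": name, "uacc": None,
                             "warning": None, "acl": {}})
            i += 3
        elif head == ["LEVEL", "OWNER"]:
            _level, _owner, uacc, _yours, warning = lines[i + 2].split()
            profiles[-1].update(uacc=uacc, warning=warning)
            i += 3
        elif head == ["USER", "ACCESS"]:              # AUTHUSER access list
            i += 2
            while i < len(lines) and lines[i].strip():
                user, access = lines[i].split()[:2]
                profiles[-1]["acl"][user] = access
                i += 1
        else:
            i += 1
    return profiles


def check_baseline(profiles: List[Dict], uacc_allowed=("NONE",)) -> List[str]:
    findings = []
    for p in profiles:
        where = f"{p['class']} {p['name']}"
        if p["uacc"] not in uacc_allowed:
            findings.append(f"{where}: UACC({p['uacc']}) exceeds the baseline")
        if p["warning"] == "YES":
            findings.append(f"{where}: WARNING(YES) turns denials into log-only events")
        if p["acl"].get("*") not in (None, "NONE"):
            findings.append(f"{where}: ID(*) is granted {p['acl']['*']}")
    return findings


def ibmuser_revoked(listuser_text: str) -> bool:
    m = re.search(r"^\s*ATTRIBUTES=(.*)$", listuser_text, re.MULTILINE)
    return bool(m) and "REVOKED" in m.group(1).split()


def run_checks(rlist_text: str = RLIST_OUTPUT,
               listuser_text: str = LISTUSER_OUTPUT) -> List[str]:
    findings = check_baseline(parse_rlist(rlist_text))
    if not ibmuser_revoked(listuser_text):
        findings.append("IBMUSER is not revoked")
    return findings
```

WARNING(YES) is the finding most often missed: the profile looks protected in RLIST output, yet every access that would have failed is allowed and merely logged.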
A Very Brief Overview of the z/OS Communications Server Security
z/OS Communications Server at z/OS V1R13
Diagram: security functions by layer, with the changes at z/OS V1R13 flagged in the TCP/UDP transport and IP network layers
Application layer: SAF/RACF, application-specific security
API layer: System SSL, NAS Kerberos – no change at z/OS V1R13
TCP/UDP transport: SAF protection, AT-TLS, IDS – changes at R13
IP network: IDS, IP filtering, IPSec – changes at R13
Application Transparent TLS (AT-TLS)
● SSL/TLS performed by the TCP/IP stack on behalf of the application
● Strategic direction for SSL/TLS support by TCP/IP applications
IP filtering
● Static filtering
● Short-term defensive filters with z/OS V1R10
IDS = Intrusion Detection Services
z/OS Communications Server – IPSec VPNs
Key negotiation (Phase 1)
IKEv1
● Initial implementation in OS/390 V2R8
● Pre-shared key – RSA
● SWSA (Sysplex-Wide Security Association) at z/OS V1R4
● NAT traversal (z/OS V1R7 and R8)
● Optional FIPS 140-2 mode (z/OS V1R11)
IKEv2
● Implemented at z/OS V1R12 – co-exists with IKEv1
● Pre-shared key – RSA – ECDSA
● Optional FIPS 140-2 mode
● NAT traversal (RFC 5996) (z/OS V1R13)
● IKEv2 SWSA (z/OS V1R13)
Data encryption and authentication (Phase 2)
Hardware cryptography assisted; optional offload to zIIP at z/OS V1R9
IPSec payload encryption: DES, 3DES, AES_CBC 128, AES_CBC 256, AES_GCM_16 128, AES_GCM_16 256
IPSec packet authentication: HMAC_MD5, HMAC_SHA1, AES128_XCBC_96, HMAC_SHA2_256_128, HMAC_SHA2_384_192, HMAC_SHA2_512_256, AES_GMAC_128, AES_GMAC_256
DES and HMAC_MD5 stay in the list for interoperability only. AES_GCM provides encryption and authentication in one pass, so an ESP proposal using it carries no separate HMAC; AES_GMAC is the authentication-only counterpart.
z/OS Communications Server – Intrusion Detection Services
● Host-based network IDS
● Installed in the network and transport layers of the stack
● Not signature driven - built-in pre-defined detection
● Initially implemented at z/OS V1R2 – IPv4 only
Detection of
● Port scans
● Attacks (pre-defined)
● Traffic regulation
Denial of service protection
● Malformed packets
● ICMP redirect restrictions
● UDP perpetual echo
● Floods (both interface flood and TCP SYN flood)
● IP fragment restrictions
● IP protocol restrictions
● IP option restrictions
● Outbound RAW restrictions
z/OS V1R13
● IPv6 support, except for the IP fragment restriction
● Additional attacks detected
  ● TCP queue size
  ● Hidden data
  ● Global TCP stall
  ● Enterprise Extender (EE) attacks: EE malformed packet, EE XID flood, EE LDLC check, EE port check
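Two of the pre-defined checks above (port scan, TCP SYN flood) reduced to their detection logic and run over a constructed capture, as an added example that is not z/OS IDS code: a scan is a source whose SYNs touch many distinct ports inside a sliding time window, and a SYN flood is a burst of handshakes that never complete. The packet record, the thresholds and the traffic are all assumptions constructed for the demonstration; the z/OS policy's own parameters are not reproduced.

```python
"""Stack-level detection of a TCP port scan and a SYN flood over constructed
packet records.  Added example, not z/OS IDS code; record format, thresholds
and the sample traffic are assumptions made for the demonstration."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float     # seconds since capture start
    src: str      # source IP
    dport: int    # destination TCP port on this host
    flags: str    # "S" = SYN from the client, "A" = ACK completing the handshake


def detect_port_scans(packets: Iterable[Packet], window: float = 10.0,
                      distinct_ports: int = 20) -> Dict[str, int]:
    """Flag each source whose SYNs touch >= distinct_ports different ports
    within any window-second span; returns {src: worst distinct-port count}."""
    syns = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            syns[p.src].append((p.ts, p.dport))
    hits: Dict[str, int] = {}
    for src, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over this source's SYNs
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = len({port for _, port in events[start:end + 1]})
            if seen >= distinct_ports:
                hits[src] = max(hits.get(src, 0), seen)
    return hits


def detect_syn_flood(packets: Iterable[Packet], window: float = 1.0,
                     half_open_threshold: int = 100) -> Tuple[bool, int]:
    """A SYN flood shows up as handshakes that never complete: count SYNs with
    no ACK from the same (src, dport) inside any window-second span."""
    packets = list(packets)
    completed = {(p.src, p.dport) for p in packets if p.flags == "A"}
    half_open = sorted(p.ts for p in packets
                       if p.flags == "S" and (p.src, p.dport) not in completed)
    worst, start = 0, 0
    for end in range(len(half_open)):
        while half_open[end] - half_open[start] > window:
            start += 1
        worst = max(worst, end - start + 1)
    return worst >= half_open_threshold, worst


def sample_traffic() -> List[Packet]:
    """Constructed capture: legitimate sessions, one scanner, one spoofed flood."""
    pkts: List[Packet] = []
    for i in range(5):                                   # normal clients to port 443
        pkts.append(Packet(1.0 + i, f"192.0.2.{i + 1}", 443, "S"))
        pkts.append(Packet(1.1 + i, f"192.0.2.{i + 1}", 443, "A"))
    for port in range(1, 41):                            # scanner sweeps 40 ports in 2 s
        pkts.append(Packet(50.0 + port * 0.05, "198.51.100.9", port, "S"))
    for i in range(300):                                 # spoofed SYNs to telnet, never ACKed
        pkts.append(Packet(100.0 + i * 0.001, f"203.0.113.{i % 250}", 23, "S"))
    return pkts


def run_ids(packets: List[Packet]) -> Dict[str, object]:
    flood, worst = detect_syn_flood(packets)
    return {"port_scans": detect_port_scans(packets),
            "syn_flood": flood, "half_open_peak": worst}
```

The scanner and the flood are distinguished by different dimensions of the same SYN stream: port spread per source for the scan, completion rate per interface for the flood. Spoofed flood sources each touch one port, so they never trip the scan check, and the scanner's 40 half-open SYNs stay well under the flood threshold.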
z/OS Communications Server security at z/OS V1R13 – SAF
Password phrase support for FTP and TN3270E
● FTP and TN3270E users are prompted for a password or a password phrase
● The FTCHKPWD FTP user exit is changed for password phrase support
● FTP implicit password phrase supported for the anonymous user
● TN3270E support is for the solicitor screen only
New SERVAUTH profiles to control access to application-specific DVIPAs
● Allow an application to create/remove its own DVIPAs but prevent it from interfering with other applications' DVIPA ranges
● Prevent an application from inadvertently removing another application's DVIPA
EZB.BINDDVIPARANGE.sysname.tcpname.resname
EZB.MODDVIPA.sysname.tcpname.resname
Additional Unpriced Product: OpenSSH for z/OS
OpenSSH for z/OS
OpenSSH – a suite of network connectivity tools that provide secure encrypted communications between two untrusted hosts over an insecure network.
Program product: IBM Ported Tools for z/OS (5655-M23) - unpriced, runs on z/OS V1R4 or higher.
Uses the SSH protocol for
Secure remote login (ssh)
Secure copy program (scp)
Secure FTP (sftp)
with a "TCP port forwarding" capability
Diagram: an end user's SSH client (e.g. z/OS, PuTTY, ...) connects to the SSH server on TCP port 22 through an encrypted tunnel with data integrity and mutual authentication; ssh = secure rlogin/rsh, scp = secure rcp, sftp = secure ftp, plus TCP port forwarding.
OpenSSH for z/OS
V1R2 release
Supported on z/OS V1R10 and later (V1R1 was supported on z/OS V1R4 and later)
Contains updated levels of OpenSSH, OpenSSL and zlib:
● OpenSSH 5.0p1
● OpenSSL 0.9.8k
● zlib 1.2.3
● Provides RACF key ring support for RSA and DSA keys
IBM Ported Tools for z/OS: OpenSSH User's Guide - SA23-2246
Appendix
Bibliography - Resources
www.ibm.com/security
IBM Redbooks:
• Stay Cool on OS/390: Installing Firewall Technologies - SG24-2046
• S/390 Cryptography - SG24-5455
• S/390 PCI Crypto Coprocessor - SG24-5942
• zSeries Crypto Update - SG24-6870
• z990 Crypto - SG24-7070
• Ready for e-business: OS/390 Security Server Enhancements - SG24-5158
• OS/390 Security Server 1999 Update - SG24-5629, SG24-5627
• Putting the Latest z/OS Security Features to Work - SG24-6540
• Implementing VPNs in a z/OS Environment - SG24-6530
• z/OS TCP/IP Security - SG24-5383
• z/OS 1.6 Security Update - SG24-6448
• z9 Crypto and TKE V5.0 Update - SG24-7123
• z/OS R7 Sysplex Security - SG24-7150
• Encryption Facility for z/OS - SG24-7318
• Encryption Facility for z/OS – OpenPGP Support - SG24-7434
• System z Cryptographic Services and z/OS PKI Services - SG24-7470
• Java Security on z/OS - The Complete View - SG24-7610
• Security on the IBM Mainframe - SG24-7610
• Designing for Solution-Based Security on z/OS - SG24-7344
Bibliography - Resources
• UNIX System Services
– GA22-7800: UNIX System Services Planning
• MLS
– GA22-7509: Planning for Multilevel Security and the Common Criteria
• EIM
– SA22-7875: Integrated Security Services EIM Reference
• z/OS Open Cryptographic Services Facility
– SC24-5899: OCSF Developer's Guide and Reference
• z/OS System SSL
– SC24-5901: System SSL Programming Guide and Reference
• z/OS Network Authentication Services
– SC24-5926: z/OS Security Server Network Authentication Service Administration
Bibliography - Resources
• z/OS PKI Services
– SA22-7693: Cryptographic Services PKI Services Guide and Reference
• z/OS Communications Server
– SC31-8775: z/OS Communications Server IP Configuration Guide
– SC31-8776: z/OS Communications Server IP Configuration Reference
• IBM Tivoli Directory Server for z/OS
– SC23-5191: IBM Tivoli Directory Server Administration and Use for z/OS
– SA23-2262: IBM Tivoli Directory Server Messages and Codes for z/OS
– SA76-0148: IBM Tivoli Directory Server Plug-in Reference for z/OS
– SA23-2214: IBM Tivoli Directory Server Client Programming for z/OS
Bibliography - Resources
• ICSF
– SA22-7519: z/OS Cryptographic Services ICSF Overview
– SA22-7521: z/OS Cryptographic Services ICSF Administrator's Guide
– SA22-7520: z/OS Cryptographic Services ICSF System Programmer's Guide
– SA22-7522: z/OS Cryptographic Services ICSF Application Programmer's Guide
– SA22-7523: z/OS Cryptographic Services ICSF Messages
– SA23-2211: z/OS Cryptographic Services ICSF TKE Workstation User's Guide
– SA23-2231: z/OS ICSF Writing PKCS#11 Applications