Patrick Kappeler (pkappeler@wanadoo.fr) is a former IBM - GSE Belux

Patrick Kappeler (pkappeler@wanadoo.fr) is a former IBM technical expert in the domain of IBM System z 

eBusiness Security. 

He practiced for the last decade both as an IBM Certified Consulting I/T Specialist in the Montpellier (France) 

European Products and Solutions Support Center (PSSC) and as an IBM Redbooks® co-author and 

project leader for the International Technical Support Organization (ITSO) in the IBM Poughkeepsie (USA) 

Laboratory. 

Patrick is now providing worldwide independent consultancy and education on IBM mainframes Security, 

covering areas such as System z integrated hardware cryptography, RACF, Public Key Infrastructure, 

secure protocols, IP Security, LDAP, etc … 

Trademarks 

See url http://www.ibm.com/legal/copytrade.shtml for a current list of IBM-owned trademarks. 

Redbooks® is registered trademark of International Business Machines Corporation 

Java and all Java-based trademarks are trademarks of Sun Microsystems Inc. 

All other products may be trademarks or registered trademarks of their respective 

companies 

Layouts and artworks in the slides herein are property of Patrick Kappeler Consulting 

Patrick Kappeler Consulting – Dec 2011 

2

Agenda 

● z/OS Security Services and APIs 

● z/OS Cryptographic Services 

● z/OS Security Server 

● z/OS Integrated Security Services 

● z/OS LDAP Status 

● IBM Health Checker for z/OS 

● z/OS Communications Server Security services 

● OpenSSH for z/OS 


3

Implementing 

Security 


4

Implementing Security 

Confidentiality* 

Identification 

Authentication 

Integrity 

checking 

Access 

Control 

Real or virtual 

computing environment 

Accept 

request 

The foundation: 

Hardware and OS built-in 

Security 

Transaction Level Security 

Network Level Security 

Platform Level Security 

Auditing 

* aka « Privacy » 


5

z/OS V1R13 Security Services and APIs 

Network 

level 

Security 

IP Filtering 

IPSec VPNs 

Intrusion 

Detection Services 

AT-TLS 

FTP, TN3270, 

HTTP Server 

WAS for z/OS 

CICS/TS 

WebSphere 

MQ 

... 

Middleware 

Security 

JAVA 

J2EE 

WSS 

SAML 

OpenSSH…. 

z/OS 

LDAP 

Directory 

Server 

and 

client 

z/OS 

PKI 

Services 

z/OS 

Kerberos 

Key 

Distribution 

Center 

z/OS 

System SSL 

Network Authentication 

Service 

Transaction 

Level 

Security 

Enterprise Identity 

Mapping (EIM) 

ICSF 

OCSF/OCEP 

Platform 

level 

Security 

z/OS Security Server (RACF) 

DCE Security Server 

RACF 


6

z/OS V1R13 Security Services and APIs 

As per the July 2010 IBM Statement of Direction, z/OS V1.12 was the last release to 

include z/OS Distributed Computing Environment (DCE) and Distributed Computing 

Environment Security Server (DCE Security Server). 

IBM recommends the IBM WebSphere Application Server, the IBM Network 

Authentication Service, and the IBM Directory Server as replacements. See the DCE 

Replacement Strategies Redbook for more details 

http://www.redbooks.ibm.com/redbooks/pdfs/sg246935.pdf 

DCE FMIDs HMB3190 and JMB319J have been removed at z/OS V1R13 


7

z/OS V1R13 Security Services and APIs – Supported Standards

z/OS Security Services and APIs – Packaging 

z/OS Cryptographic Services 

ICSF (Integrated Cryptographic Service Facility) 

OCSF (Open Cryptographic Services Facility) 

System SSL (Secure Socket Layer) 

PKI Services (Public Key Infrastructure Services) 

pkitp (PKI Trust Policy) 

z/OS Security Server 

z/OS Integrated Security Services 

RACF (* license required) (Resource Access Control facility) 

OCEP (Open Cryptography Enhanced Plug-in) 

Network Authentication Service 

Enterprise Identity Mapping (EIM) 

Remote Services - Identity Cache 

IBM Tivoli Directory Server 

for z/OS (ITDS) 

LDAP server and client (Lightweight Directory Access Protocol) 

Communications Server 

IP Security: IPSec, IP Filtering 

Intrusion Detection Services 

AT-TLS (Application Transparent TLS) 

IBM Health Checker For z/OS 

z/OS automated configuration and setup 

checks 

IBM Ported Tools For z/OS 

OpenSSH For z/OS 

unpriced feature – z/OS Implementation 

of the OpenSSH protocol and services 

for Unix System Services users 


9

z/OS Security Services and APIs – Cryptography Export Control 

Security Level 3 FMIDs 

Unpriced features, worldwide exportable subject to U.S. export regulations 

Required for the z/OS security services to perform encryption with > 56-bit keys 

z/OS V1R13 Security Level 3 

• Tivoli Directory Server for z/OS Security Level 3 

• OCSF Security Level 3 

• Network Authentication Service Level 3 

• System SSL Security Level 3 

z/OS V1R13 Communications Server Security Level 3 

See details in “z/OS Planning for Installations “, GA22-7504. 

Java cryptography requires to download the « unrestricted policy files » from 

http://www.ibm.com/developerworks/java/jdk/security/index.html. 


10

z/OS 

Cryptographic Services 

ICSF (Integrated Cryptographic Service Facility) 

OCSF (Open Cryptographic Services Facility) 

System SSL (Secure Socket Layer) 

PKI Services (Public Key Infrastructure Services) 


11

z/OS Cryptographic Services - ICSF 

ASM 

PL/I 

C/C++ 

COBOL 

FORTRAN 

Applications 

C/C++ 

C/C++ 

System SSL 

OCSF (CDSA) 

z/OS 

IBM CCA and PKCS#11 API 

Integrated Cryptographic Services Facility 

Note ; no coprocessor required 

for PKCS#11 services with ICSF 

HCR7770 and later 

Crypto 

Express 3 

CPACF 

Hardware 


12

z/OS Cryptographic Services – ICSF Releases 

ICSF FMID 

Web deliverable Name 

z/OS V1R10 HCR7750 Included in base 

HCR7751 Cryptographic Support for z/OS V1R8-R10 

HCR 7770 Cryptographic Support for z/OS V1R9-R11 

HCR 7780 Cryptographic Support for z/OS V1R10-R12 





Z/OS V1R12 HCR7770 Included in base 





As of September 2011: HCR7790 is available for download at 

http://www-03.ibm.com/systems/z/os/zos/downloads/ 

« Cryptographic Support for z/OS V1R11-V1R13 » (ICSF web deliverable #11) 


13


The full story about what is new in HCR7790 

Refer to http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10760 

Some functional trends and directions …. 

Finer access control to keys in and out of cryptographic key data sets – HCR7751 (2008) 

Enforcement of FIPS 140-2 level 1 standard (optional – PKCS#11 only) – HCR7770 (2009) 

Catching up with « new » standards 

● 

Elliptic Curve Cryptography (ECC) 

● 

Introduced as a PKCS#11 service – Clear keys - Hardware is optional – HCR7770 (2009) 

● 

Secure ECC keys (in PKDS) for CCA services (zEnterprise only, with CEX3C) – HCR7780 (2010) 

● 

Advanced Encryption Standard (AES) 

● 

Secure AES introduced in HCR7751 (2008) - For data encryption/decryption only 

● 

Secure AES for key export/import (zEnterprise only, with CEX3C)– HCR7790 (2011) 

● 

Hash-based Message Authentication Code (HMAC) 

● 

Secure HMAC introduced in HCR7780 (2010) 

● 

ANSI TR-31 key block (zEnterprise only, with CEX3C) 

● 

Introduced in HCR7790 (2011) - CCA tokens conversion for key exchange 

Usability 

● Coordinated KDS Master Key Change and Refresh in HCR7790 (2011) 


14


Some enhancements at HCR7790 >>>>Available on zEnterprise only - require CEX3C


Some enhancements at HCR7790 >>>> without hardware dependencies

z/OS Cryptographic Services - OCSF 

z/OS Open Cryptographic Service Facility 

OS/390 implementation of Common Data Security Architecture 

(CDSA) Intel/IBM Security framework 

Application 

OCSF Security API 

CSP 

Manager 

TP 

Manager 

CL 

Manager 

DL 

Manager 

OCSF Framework 

CSP = Cryptographic Services Provider 

TP = Trust Policy 

CL = Certificate Library 

DL = Data Library 

SPI = Service Provider Interface 

OCEP = Open Cryptographic Enhanced Plug-in 

pkitp = PKI Trust Policy 

SP 

I 

CSP 

Providers 

ICSF 

TP 

I 

TP 

Providers 

OCEP 

Trust 

Policy 

CL 

I 

CL 

Providers 

OCEP 

Data 

Library 

DL 

I 

DL 

Providers 

LDAP 

Services 

Providers APIs 

Service Providers 

pkitp 

RACF 

z/OS OCSF Framework stabilized since z/OS V1R3 


17

z/OS Cryptographic Services – z/OS System SSL 

•A set of C/C++ functions for 

establishing and using SSL/TLS 

socket connections as an SSL/TLS 

server or client 

TCP/IP 

Certificate 

Revocation 

List 

System SSL DLLs 

Application 

•A set of C/C++ functions for applications to 

•manipulate keys and certificates 

databases and PKCS#11 tokens 

•exploit keys and certificates 

stored in databases and PKCS#11 tokens 

•build and process PKCS#7 messages 

•A key and certificates management 

shell-based facility (gskkyman) 

recv() 

send() 

LDAP client 

Handshake 

Certificate validation 

Encrypt/decrypt 

data 

Hardware crypto 

calls 

ICSF 

CPACF 

API 

API 

SSL/TLS 

API 

Certificate 

Management 

Services 

API 

SSL/TLS-protected 

communications 

Keys and certficates in 

HFS key database 

OR 

SSL=Secure Socket Layer 

TLS= Transport Layer Security 

Keys and certficates in 

RACF keyring 

ICSF PKCS11 Tokens 

ICSF PKDS 


18


Some functional trends and directions … 


● 

TLS V1.1 and TLS extensions (RFC 4366) – z/OS V1R11 

● 

Support of certificates as defined by RFC3280 (vs.RFC 2459) – z/OS V1R11 

● 

Staged ECC support (*) 

● 

Support ECC-based digital signature and certificates with the CMS API – clear keys only -z/OS V1R12 

● 

Full support of ECC keys and certificates, EC Diffie Hellman supported for handshake – Can 

use secure ECC keys – z/OS V1R13 

Enforcement of FIPS 140-2 level 1 standard (optional) – z/OS V1R11 

● 

See restrictions when in FIPS Mode in « System Secure Sockets Layer Programming » SC24-5901 

* System SSL always calls ICSF for ECC cryptography 


19


Enhancements at z/OS V1R13 

Extension of the ECC support provided in V1R12 with 

● 

ECC Certificate Creation with gskkyman and the CMS API 

● 

Can specify NIST or BP (Brainpool) curves – 160-521 bit key 

● 

Certificates can be signed using ECC 

● 

Key usage can be : 

● 

Digital signature (with certficate and CRL sign for CA certificates) 

● 

Key agreement 

● 

Both 

● 

Update to the TLS handshake cipherspecs for ECC with ECDH key agreement 

● 

Fixed or ephemeral ECC keys 

● 

ECDSA or RSA for partner's authentication 

● 

Can use ECDSA with private keys stored in the PKDS (zEnterprise only) 

● 

The SSL started task « Display Crypto » command is enhanced to show ECC availability 

Toleration APAR OA34156 is needed on

z/OS Cryptographic Services – z/OS PKI Services 

•User requests and receives 

certificate via browser interface or 

CMP (Certificate Management Protocol) 

•User can generate key pair 

or z/OS PKI Services can generate and 

archive key pairs 

•Client can get a certificate via 

SCEP (Simple Certificate 

Enrolment Protocol) 

•Certificate Revocation List 

published in LDAP directory 

and HTTP files 

•Support for OCSP (Online 

Certificate Status Protocol) 


21


Some functional trends and directions ... 

Expanding z/OS PKI Services fonctionalities 

● 

User options for key generation and archival at z/OS PKI Services (z/OS V1R11) * 

● 

Full support for Mozilla based browsers (z/OS V1R13) 


● 

SHA 2 for certificate hash (z/OS V1R11 - V1R12) 

● 

CMP (RFC 4210) support (z/OS V1R12) – subset of CMP messages only 

● 

ECC certificates and keys support (z/OS V1R12 - V1R13) * 

Technology updates 

● 

JSP front end alternative to REXX CGI (z/OS V1R11) 

● 

ActiveX alternative to Microsoft CAPICOM API (z/OS V1R13) 

Usability 

● 

Multi-byte character support (z/OS V1R11) 

● 

Long distinguished name (z/OS V1R12) 

● 

Enhancements to supported certificate extensions (z/OS V1R12) 

● 

Alternate store (DB2) for requests and issued certificates (z/OS V1R13) 

● 

Longer CRLs support (z/OS V1R13) 

● 

Optional Issuing Distribution Point extension in CRL (z/OS V1R13) 

* Key generation or use of ECC require ICSF to be active 


22


Enhancements at z/OS V1R13 (1/2) 

Exploitation of Hardware secure ECC CA key (zEnterprise only, with CEX3C and ICSF HCR7780)) 

● 

● 

Was previously a clear ECC key support via the ICSF PKCS#11 API 

Can use ICSF secure ECC key support at z/OS V1R13 

Optional exploitation of local DB2 to backup requests, issued certificates and CRLs 

● 

● 

By default use dedicated VSAM data sets 

Can migrate to use a local DB2 instead (DB2 V9 or above) 

● 

● 

Via PKI Services re-configuration - DB2 and VSAM uses are exclusive 

vsam2db2 utility - Cannot migrate backward 

Improved support for smart card use with for IE and Mozilla browsers 

● 

● 

PKI services support Microsoft IE or Mozilla-based browsers 

Smart card is used at the browser's to generate keys and certificate request 

● 

● 

Smart card support was only available for IE, using a deprecated API (CAPICOM) 

At z/OS V1R13 PKI Services supports smart card use in 

● 

● 

Mozilla based browsers (in Windows or Linux) 

IE using CAPICOM or the PKI Services-provided alternate ActiveX program 


23



Miscellaneous improvements 

● 

Larger CRL support 

● 

● 

Intermediate staging of CRLs to be posted to LDAP used a VSAM data set with a record limit of 32KB 

Staging can now optionally be configured to happen in HFS/zFS – No record length limit 

● 

Optional Issuing Distribution Point extension in CRL 

● 

● 

As per the standards the extension should be critical but exploiters are not required to support it 

● 

● 

Was always present in z/OS PKI Services-generated CRLs 

Potentially leads non-conforming applications to ignore certificates in the CRL 

At z/OS V1R13 the presence of the extension in CRLs created by PKI Services is optional 


24

z/OS 

Security Server 

(RACF) 


25

z/OS Security Server - The Many Faces of RACF

z/OS Security Server - RACF 


Enhancing RACF functions 

● 

ID Propagation - « End-to-end security identity consistency and auditing » (z/OS V1R11 – z/OS V1R13) 

● 

Program signature generation and verification (z/OS V1R11) 

● 

RACDCERT enhancements (z/OS V1R11 – V1R12 - V1R13) 


● 

Support for ECC keys and certificates (z/OS V1R12 – V1R13) 

Technology update 

● 

TCP/IP support by RRSF (z/OS V1R13) 

Usability 

● 

Automatic UID/GID assignment (BPX.UNIQUE.USER) (z/OS V1R11) 

● 

LDAP interface for general resources administration and SETROPTS (z/OS V1R11) 

● 

ICSF segment in general resource classes for finer access control to cryptographic keys (z/OS 

V1R11 - V1R12) 


27


Enhancements at z/OS V1R13 

Enhancements to Identity Propagation (ID Propagation 2) 

● 

Extension to services R_usermap (new QUERY service) and R_cacheserv (allow re-usable ICRX) 

● 

Extension to the RACMAP command (new query function) 

● 

Normalization of the Distributed Identity Filter Name if it is in X.500 format 

● 

May require to re-create pre-R13 IDIDMAP class profiles 

● 

Installable via APARs OA34258 and OA34259 on R11 and R12 systems 

RRSF support of TCP/IP communications (see next slides) 

● 

In addition to the original VTAM and APPC support 

● 

Exploits TLS security via z/OS Communications Server AT-TLS (stronger encryption) 

Enhancements to the RACDCERT command 

● 

Support for hardware ECC keys (zEnterprise only, with CEX3C and ICSF HCR7780) 

● 

R_datalib enhanced accordingly (key type X'00000009') 

● 

Re-structuration of key types designations 

● 

NISTECC / NISTECC(PKDS) 

● 

BPECC / BPECC(PKDS) 

● 

RSA / RSA(PKDS) 

● 

DSA 

Z/OS V1R13 is the last release to support the FACILITY class profile BPX.DEFAULT.USER 

Use BPX.UNIQUE.USER instead – See the dedicated session today 


28


Enhancements at z/OS V1R13 – RRSF TCP/IP Support 

RACF Remote Sharing Facility initially designed to use VTAM APPC for communications between involved RACF 

subsystems for 

● 

User IDs association with password synchronization 

● 

Remote administration 

● 

Mirroring of databases (automatic command direction/password synchronization) 

Data are encrypted with an IBM weak algorithm (CDMF) 

Can also alternatively use TCP/IP beginning with z/OS V1R13 

● 

IPv4 only 

● 

Use SSL/TLS-secured communications 

● 

The RACF subsystem is both an SSL/TLS server and client (with client authentication) 

● 

SSL/TLS cipherspecs are user selectable 

● 

Messages still protected with CDMF when residing 

in queue data sets 

● 

New TARGET operator command parameter/option 

● 

Dynamic protocol conversion process (both directions) 

VTAM APPC 

● 

Can be mixed protocol peer systems in MSN 

Single-system or mulri-system nodes (MSN) 

TCP/IP 

TCP/IP 

VTAM APPC 

New SET TRACE(RRSF) operator command 

e.g. Pre-R13 system 


29


RRSF TCP/IP Setup Overview (RACF Security Administrator's Guide and Programmer's Guide) 

RACF Address Space exploits the z/OS Communications Server AT-TLS function (ApplicationTransparent TLS) 

● 

RACF subsystem user ID setup as a UNIX user (OMVS segment to USER and GROUP)) 

● 

Build and connect digital certificates and keys to the RACFsubsystem keyring 

● 

Dedicated internal CA is simpler 

● 

Can also use external CA – Additional controls available 

« AT-TLS aware » 

● 

● 

● 

Build and enable the AT-TLS policy required for RRSF 

connections (sample provided in SAMPLIB) 

● 

The RACF subsystem TCP port number (default is 18136) 

● 

The cipherspecs algorithms to use with SSL/TLS 

● 

Client authentication is required 

+ setup RACF profiles to control use of involved resources 

● 

Eventhough the RACf subsystem runs TRUSTED or PRIVILEGED 

Use the RACF TARGET command to 

● 

Start a TCP listener on the local node 

● 

To reach a remote node by specififying an IP address 

and the communication protocol (TCP) 

AT-TLS API 

System 

SSL 

Keys 

And 

certificate 

RACF subsystem 

Communications 

Server 

AT-TLS 

Clear data 

(port 18136) 

AT-TLS 

Policy 

SSL/TLS-protected 

communications 


30


RRSF TCP/IP Operations – The TARGET command 

Two enhancements to the TARGET command 

● 

● 

Value TCP (with sub-parameters) for the PROTOCOL parameter 

LISTPROTOCOL option 

New messages for TCP/IP – No one-to-one correspondence with APPC messages – More detailed information 

Examples 

TARGET NODE(LOCNODE) PROTOCOL(APPC(LUNAME(MF1AP001))) PREFIX(LOCNODE.WORK) - 

WORKSPACE(VOLUME(TEMP01) FILESIZE(500)) LOCAL 

TARGET NODE(LOCNODE) PROTOCOL(TCP) OPERATIVE 

IRRC054I (

z/OS 

Integrated 

Security Services 

(a.k.a. ISS) 

Network Authentication Service (NAS) 

Enterprise Identity Mapping (EIM) 

Remote Services - Identity Cache 


32

z/OS ISS - Network Authentication Service (NAS) 

Kerberos support for z/OS KDC or applications 

•DB2 V7 and above (authentication) 

•WebSphere Application Server (authentication) 

•FTP client and server (authentication, optional encryption) 

•Telnet server (authentication, optional encryption) 

•LDAP client and server (authentication) 

•rshd server (authentication, optional encryption ) 

•NFS server (authentication) 

Using tickets issued 

by 

the z/OS KDC 

z/OS 

RACF 

KDC 

Kerberos 

enabled 

service 

Using tickets issued by 

the Active Directory KDC 

interrealm 

key 

z/OS - RACF KDC 

Active 

Directory 

Kerberos 

enabled 

service 

inter-realm 

key 

Windows 

2000/XP 

SPKM-3 and LIPKEY Support (z/OS V1R9) 

Simple Public-Key Mechanism 

Low Infrastructure Public Key Mechanism 

Windows 

2000/XP 

All mechanisms supported by the z/OS implementation of GSS-API 


33

z/OS ISS - Network Authentication Service (NAS) 



● 

Compliance with RFC 4120 (obsoletes RFC 1510) – (z/OS V1R12) 

● 

Compliance with RFC 4120 - server optional address validation in ticket prior to use (new field in 

RACF KERB segment for the local realm) (z/OS V1R13) 

● 

RFC 4537 support for client-server encryption type negotiation (z/OS V1R13) 


● 

Kerberos keys can be generated from RACF password phrase instead of password (z/OS V1R10) 

● 

Sysplex distributed VIPA specific support for an application server to accept AP-REQs for another 

instance of the same application server – Under RACF control (z/OS V1R12) 

● 

Usability 

● 

keytab merge option for importation of other platforms-originated keys (z/OS V1R11) 

● 

Keytab check option for checking keytab entries validity (z/OS V1R11) 

z/OS V1R13 items : see the specific session from the Poughkeepsie lab today 


34

z/OS ISS - Enterprise Identity Mapping (EIM) 

An LDAP-based facility for mapping installation identities to local OS (Windows, AIX, z/OS, etc …) Identities 

LDAP 

EIM Domain Controller 

Identifier: John N. Smith 

Registry: User: Type Association 

DomServer John Smith Kerberos Source 

ServerB JSMITH RACF Target 

IntraNet JohnS AIX Target 

SysA JS50852 OS/400 Target 

Server B (z/OS) 

Key Distribution 

Center 

(KDC) 

AS 

TGS 

SysA? 

4 

5 

IntraNet Server (AIX) 

EIM 

Client API 

C/C++ 

Java 

I know, that's JS50852 

Can I have a ticket 

for SysA? I am John Smith. 

Sure. 

1 

2 

Domain Authenticated Server A on as OS/400 « John N. Smith » 

Requesting TGT steps not shown 

John 

Hey, who is this Kerberos user 

John Smith in DomServer on 

Here's my ticket. 

Can you let me in? 

3 

Oh. Welcome JS50852 

6 

System A (OS/400) 

A set of LDAP-based RACF remote services provided by z/OS : 

● 

Remote Authorization 

● 

Remote Auditing 

● 

Identity Cache 

No changes since z/OS V1R10 


35

z/OS 

LDAP Status 


36

IBM Tivoli Directory Server for z/OS (ITDS) 

z/OS 

Basic auth 

SSL/TLS 

Kerberos 

CRAM-MD5 

Digest-MD5 

z/OS 

UNIX 

LDAP 

Server 

backend 

backend 

backend 

LDAP client 

ldapsearch 

ldapmodify 

ldapdelete 

ldapmodrdn 

ldapcompare 

TCP/IP 

stack 

LDAP client 

config 

S 

L 

A 

P 

I 

Plug-in 

Plug-in 

Applications 

OMVS shell 

TSO 

ldapsearch 

ldapmodify 

ldapdelete 

ldapmodrdn 

ldapcompare 

Available in z/OS V1R8 and above – The original z/OS LDAP Server is removed at z/OS V1R11 


37

ITDS for z/OS – z/OS-provided backends and plug-ins 

Backends 

TDBM: General purpose directory data stored in DB2 database - 

User-provided schemas 

LDBM: General purpose directory data stored in HFS/zFS files - 

User-provided schemas 

SDBM: LDAP externalization of RACF users, groups, usergroup 

connections, and general resources profiles - Fixed 

schema provided by IBM 

GDBM: change log - log data stored in DB2 database or 

HFS/zFS - Fixed schema provided by IBM 

EXOP: extended operations – Server-specific services 

Any use of an LDAP directory 

(e.g. user registry) 

Support RACF Native Authentication 

RACF remote administration 

and LDAP users/groups/ 

general resources 

Changes logging for SDBM 

TDBM, LDBM, CDBM and 

Schema 

Directories synchronization 

CDBM (at z/OS V1R11) 

Used to store configuration and policies information tion 

Data stored in HFS/zFS files 

Fixed schema provided by IBM 

Advanced replication 

configuration information 

Password policy 

IBM Plug-ins 

ICTX plug-in 

● 

RACF remote authorization 

● 

RACF remote auditing 

● 

RACF identity cache 

HCD plug-in 

To process update requests against existing IODF configuration data 

Cannot be used to build an IODF or to perform dynamic activation 


38

IBM Tivoli Directory Server for z/OS 


Expanding LDAP use on z/OS 

● 

Remote administration of RACF general ressource profiles – with change log entry - (z/OS V1R11) 

● 

Remote access to some SETROPTS options (z/OS V1R11) 

Catching up with other platforms' ITDS functionalities 

● 

Advanced replication options (z/OS V1R11) 

● 

Configurable password policy (z/OS V1R12) 

● 

Compatibility updates to schemas (z/OS V1R12) 

● 

Paged and sorted search results (RFCs 2696 and 2891) (z/OS V1R13) 


● 

SHA-2 support (z/OS V1R13) 


● 

WLM classification and health services for sysplex distribution to LDAP servers (z/OS V1R11) 

● 

Dynamically filtered access control (z/OS V1R12) 

● 

64-bit addressing mode for DB2-based backends (z/OS V1R13) 

● 

z/OS LDAP client to operate with Active Directory with Kerberos (z/OS V1R13) 

Usability 

● 

New configuration backend (CDBM) (z/OS V1R11) 

● 

Definition of an administrative group – Members with predefined roles (z/OS V1R13) 

● 

Group search limit (z/OS V1R13) 


39



Server compatibility level is « 7 » 

Optional 64-bit addressing mode for DB2-based backends 

− New DLLs : GLDBTD64 (TDBM), GLDBGD64 (GDBM) – require the 64-bit server (GLDSRV64) to be operating 

− TDBM unload and bulkload utilities updated (ds2ldif – ldif2ds) 

− DB2 V9 with PTF UK50918 and UK55577, and above 

− 

Paged and sorted search results can be optionnally provided on LDAP Search (RFCs 2696 and 2891) 

− Server-based paging capabilities for receiving a subset of search results at a time 

● Requested by client (LDAP control extension) – Page size and page time 

● New attributes in server's configuration 

Paged search requests enabled (ibm-slapdPagedResLmt) 

Allowed to non-administrators (ibm-slapdPagedResAllowNonAdmin) 

− Search results sent by server based on client-provided sort keys 

● Requested by client (LDAP control extension) – Sort key 

● New attributes in server's configuration 

Sorted search results enabled (ibm-slapdSortKeyLimit) 

Allowed to non-administrators (ibm-slapdSortSrchAllowNonAdmin) 

− The z/OS LDAP client API and ldapsearch utility support paged and sorted search results 


40



Can define an Administrative Group and add members (i.e. Administrators) with pre-defined roles/authorities 

− Server Configuration 

− Directory Data administrator 

− No administrator 

− Operational administrator 

− Password administrator 

− Replication administrator 

− Root administrator 

− Schema administrator 

− 

The administrative group is available when the ibm-slapdAdminGroupEnabled configuration attribute is set to TRUE 

cn=AdminGroup,cn=Configuration 

The role can be assigned to the administrative group member 

By using the ibm-slapdAdminRole attribute in the ibm-slapdAdminGroupMember objects 

Or using RACF profiles in the LDAP class 

The administrator DN should resolve to a RACF userID 

The RACF userID has READ access to profiles in the LDAP class with name 

.ADMINROLE. 

must match the ibm-slapdSAFSecurityDomain attribute value in the server 

configuration 


41



The administrator can restrict search data volume on an LDAP group basis (LDBM and TDBM) 

− Already a sizeLimit and timeLimit in server's configuration 

− New attrbutes in the group entry to override the server's limits 

● Maximum number of entries to return from search requests (ibm-searchSizeLimit) 

● Maximum number of seconds to spend on search requests (ibm-searchTimeLimit) 

Limits do not apply to administrator(s) 

SHA-2 and salted SHA-2 support for one-way password encryption (TDBM, LDBM , CDBM) 

− New values for pwEncryption configuration option 

● SHA224, SSHA224, SHA256, SSHA256, SHA384, SSHA384, SHA512, SSHA512 

● Requires ICSF to operate (no crypto hardware needed) 

● All servers sharing the backend should be at compatibility level 7 

New explicit listen options for the server to listen on all configured interfaces 

− INADDR_ANY and in6addr_any – Finding available interfaces is left to Communications Server 

− 

Kerberos client internal updates 

− Fix z/OS LDAP client bind to Active Directory Server – Internal fix only 


42

z/OS 

Health Checker 


43

Health Checker for z/OS 

A continuously running task that periodically executes checks programs developed by IBM, independent software vendors 

or users - Intended to detect common z/OS configuration and setup error 

New IBM checks and updates coming with new z/OS releases 

IBM health checks for ICSF AND RACF at z/OS V1R13 

ICSF checks 

● 

● 

● 

● 

Presence of retained keys in the CEX2C/CEX3C coprocessors 

PKDS record size should fit the 4096-bit RSA tokens length 

Degradation in the state of a coprocessor or accelerator (check installed with HCR7790) 

Use of services that will not be supported in subsequent releases (check installed with HCR7790) 

RACF checks 

● 

● 

● 

● 

● 

● 

RACF’s serialization requests should not be altered by global resource serialization resource name lists (RNLs) 

No non-LPA entries in the RACF Authorized Caller Table (ICHAUTAB) 

Key system resources have a proper baseline set of protections (UACC, WARNING, ID(*),User) 

Check is performed for FACILITY, OPERCMDS, TAPEVOL, TEMPDSN, TSOAUTH, UNIXPRIV classes being 

active 

IBMUSER should be revoked 

Migration check – BPX.DEFAULT.USER (check installed with OA37164) 

IBM Health Checker for z/OS User’s Guide - SA22-7994 


44

A Very Brief 

Overview of the z/OS 

Communications Server 

Security 


45

z/OS Communications Server At z/OS V1R13 

Application Layer 

SAF/RACF 

Application Specific Security 

API Layer 

System SSL NAS Kerberos 

No change at z/OS V1R13 

Application Transparent – TLS (AT-TLS) 

● 

SSL/TLS performed by the TCP/IP stack on behalf 

of the application 

● 

Strategic direction for SSL/TLS support by TCP/IP 

applications 

TCP/UDP Transport 

SAF protection 

AT-TLS 

IDS 

Change at R13 

Change at R13 

IP filtering 

● 

Static filtering 

● 

Short term defensive filters with z/OS V1R10 

IP Network 

IDS 

IP Filtering 

IPSec 

Change at R13 

Change at R13 


IDS = Intrusion Detection Services 

46

z/OS Communications Server – IPSec VPNs 

Key negotiation (Phase 1) 

IKEv1 

● 

Initial implementation in OS/390 V2R8 

● 

Pre-shared key – RSA 

● 

SWSA (Sysplex-Wide Security Association) at z/OS V1R4 

● 

NAT traversal (z/OS V1R7 and R8) 

● 

Optional FIPS 140-2 mode (z/OS V1R11) 

IKEv2 

● 

Implemented at z/OS V1R12 – Co-exists with IKEv1 

● 

Pre-shared key – RSA – ECDSA 

● 

Optional FIPS 140-2 mode 

● 

NAT traversal (RFC5996) (z/OS V1R13) 

● 

IKEv2 SWSA (z/OS V1R13) 

Data encryption and authentication (phase2) 

IPSec payload encryption 

DES 

3DES 

AES_CBC 128 

AES_CBC 256 

AES_GCM_16 128 

AES_GCM_16 256 

IPSec packet authentication 

Hardware cryptography assisted 

Optional offload to zIIp at z/OS V1R9 

HMAC_MD5 

HMAC_SHA1 

AES128_XCBC_96 

HMAC_SHA2_256_128 

HMAC_SHA2_384_192 

HMAC_SHA2_512_256 

AES_GMAC_128 

AES_GMAC_256 


47

z/OS Communications Server – Intrusion Detection Services 

● 

● 

● 

● 

Host based network IDS 

● 

Installed in network and transport layers of the stack 

● 

Not signature driven - Built-in pre-defined detection 

Initially implemented at z/OS V1R2 – IPv4 only 

Detection of 

● 

Ports scan 

● 

Attacks (pre-defined) 

Traffic Regulation 

● 

Denial of Service protection 

● Malformed packet 

● ICMP redirect restrictions 

● UDP perpetual echo 

● Flood (both interface flood and TCP SYN flood) 

● IP fragment restrictions 

● IP protocol restrictions 

● IP option restrictions 

● Outbound RAW restrictions 

Z/OS V1R13 

● 

● 

IPv6 support 

● 

Except for IP fragment restriction 

Additional attacks detected 

● TCP queue size 

● Hiden data 

● Global TCP stall 

● Enterprise Extender (EE) attacks 

● 

EE malformed packet 

● 

EE XID flood 

● 

EE LDLC check 

● 

EE port check 


48

z/OS Communications Server Security At z/OS V1R13 – SAF 

Password phrase support for FTP and TN3270E 

● 

● 

● 

● 

FTP and TN3270E users are prompted for password or password phrase 

FTCHKPWD FTP user exit is changed for password phrase support 

FTP implicit password phrase supported for anonymous user 

TN3270E support is for solicitor screen only 

New SERVAUTH profiles to control access to application specific DVIPAs 

● 

● 

Allow an application to create/remove its own DVIPAs but prevent it from interfering with other 

applications’ DVIPAs ranges 

Prevent an application from inadvertently removing another application’s DVIPA 

EZB.BINDDVIPARANGE.sysname.tcpname.resname 

EZB.MODDVIPA.sysname.tcpname.resname 


49

Additional Unpriced 

Product 

OpenSSH for z/OS 


50


OpenSSH – suite of network connectivity tools that provide secure encrypted communications between two 

untrusted hosts over an insecure network. 

Program product: IBM Ported Tools for z/OS (5655-M23) - unpriced, runs on z/OS V1R4 or higher. 

Use the SSH protocol for 

Secure remote login (ssh) 

Secure copy program (scp) 

Secure FTP (sftp) 

With a « TCP Port Forwarding » capability 

e.g. z/OS, Putty, ... 

end user 

ssh = secure rlogin 

ssh scp = secure rcp 

SSH 

SSH client 

client 

port 22 

SSH 

server 

secure remote login 

secure rsh 

sftp 

sftp = secure ftp 

TCP protocol port forwarding 

TCP Port 

forwarding 

Encrypted tunnel, with data integrity 

and mutual authentication 


51


V1R2 release 

Supported on z/OS V1R10 and later (V1R1 was supported on z/OS V1R4 and later) 

Contains contains updated levels of OpenSSH, OpenSSL, and zlib: 

● 

OpenSSH 5.0p1 

● 

OpenSSL 0.9.8k 

● 

Zlib 1.2.3 

● 

Provides RACF key ring support for RSA and DSA keys 

IBM Ported Tools for z/OS: OpenSSH User's Guide - SA23-2246 


52


53

Appendix 


54

Bibliography - Resources 

www.ibm.com/security 

IBM Redbooks: 

• Stay Coll on OS/390 : Installing Firewall Technologies - SG24-2046 

• S/390 Cryptography - SG24-5455 

• S/390 PCI Crypto Coprocessor SG24-5942 

• zSeries Crypto Update SG24-6870 

• z990 Crypto SG24-7070 

• Ready for ebusiness: OS/390 Security Server Enhancements SG24-5158 

• OS/390 Security Server 1999 Update SG24-5629, SG24-5627 

• Putting the Latest z/OS Security Features to work SG24-6540 

• Implementing VPNs in a z/OS Environment SG24-6530 

• z/OS TCPIP Security SG24-5383 

• z/OS 1.6 Security Update SG24-6448 

•z9 Crypto and TKE V5.0 Update SG24-7123 

• z/OS R7 Sysplex Security SG24-7150 

• Encryption Facility for z/OS SG24-7318 

• Encryption Facility for z/OS – OpenPGP Support SG24-7434 

•System z Cryptographic Services and z/OS PKI Services SG24-7470 

•Java Security on z/OS - The Complete View SG24-7610 

•Security on the IBM Mainframe SG24-7610 

•Designing for Solution-Based Security on z/OS SG24-7344 


55


•UNIX System Services 

–GA22-7800 : UNIX System Services Planning 

•MLS 

–GA22-7509 : Planning for MultiLevel Security and Common Criteria 

•EIM 

–SA22-7875 : Integrated Security Services EIM Reference 

•z/OS Open Cryptographic Services Facility 

–SC24-5899 : OCSF Developer's Guide and Reference 

•z/OS System SSL 

–SC24-5901 : System SSL Programming Guide and Reference 

•z/OS Network Authentication Services 

–z/OS Security Server Network Authentication Service Administration - SC24-5926 


56


•z/OS PKI Services 

–SA22-7693 : Cryptographic Services PKI Services Guide and Reference 

–z/OS Communications Server 

–z/OS Communications Server IP Configuration Guide , SC31-8775 

–z/OS Communications Server IP Configuration Reference, SC31-8776 

–IBM Tivoli Directory Server for z/OS 

–IBM Tivoli Directory Server Administration and Use for z/OS(SC23-5191) 

–IBM Tivoli Directory Server Messages and Codes for z/OS (SA23-2262) 

–IBM Tivoli Directory Server Plug-in Reference for z/OS (SA76-0148) 

–IBM Tivoli Directory Server Client Programming for z/OS (SA23-2214) 

– 


57


ICSF 

z/OS Cryptographic Services ICSF Overview, SA22-7519 

z/OS Cryptographic Services ICSF Administrator's Guide, SA22-7521 

z/OS Cryptographic Services ICSF System Programmer's Guide, SA22-7520 

z/OS Cryptographic Services ICSF Application Programmer's Guide, SA22-7522 

z/OS Cryptographic Services ICSF Messages, SA22-7523 

z/OS Cryptographic Services ICSF TKE Workstation User's Guide, SA23-2211 

z/OS ICSF Overview; SA22-7519 

z/OS ICSF Writing PKCS#11 Applications,SA23-2231 


58

Patrick Kappeler (pkappeler@wanadoo.fr) is a former IBM - GSE Belux

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?