z/VM Security Update - z/VM - IBM
z/VM Security Update - z/VM - IBM
z/VM Security Update - z/VM - IBM
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Brian W. Hugenbruch, CISSP<br />
z/<strong>VM</strong> <strong>Security</strong> Design and Development<br />
bwhugen@us.ibm.com<br />
z/<strong>VM</strong> <strong>Security</strong> <strong>Update</strong><br />
with a focus on exploring RACF for z/<strong>VM</strong> Single System Images<br />
© 2013 <strong>IBM</strong> Corporation
Trademarks<br />
The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both.<br />
Not all common law marks used by <strong>IBM</strong> are listed on this page. Failure of a mark to appear does not mean that <strong>IBM</strong> does not use the mark nor does it mean that the product is not<br />
actively marketed or is not significant within its relevant market.<br />
Those trademarks followed by ® are registered trademarks of <strong>IBM</strong> in the United States; all others are trademarks or common law marks of <strong>IBM</strong> in the United States.<br />
For a complete list of <strong>IBM</strong> Trademarks, see www.ibm.com/legal/copytrade.shtml:<br />
*, <strong>IBM</strong> Systems, <strong>IBM</strong> System z10®, <strong>IBM</strong> System Storage® , <strong>IBM</strong> System Storage DS®, <strong>IBM</strong> BladeCenter®, <strong>IBM</strong> System z®, <strong>IBM</strong> System p®, <strong>IBM</strong> System i®,<br />
<strong>IBM</strong> System x®, <strong>IBM</strong> IntelliStation®, <strong>IBM</strong> Power Architecture®, <strong>IBM</strong> SureOne®, <strong>IBM</strong> Power Systems, POWER®, POWER6®, POWER7®, POWER8®, Power ®,<br />
<strong>IBM</strong> z/OS®, <strong>IBM</strong> AIX®, <strong>IBM</strong> i, <strong>IBM</strong> z/VSE®, <strong>IBM</strong> z/<strong>VM</strong> ®, <strong>IBM</strong> i5/OS®, <strong>IBM</strong> zEnterprise®, Smarter Planet ,Storwize®, XIV® , PureSystems, PureFlex,<br />
PureApplication , <strong>IBM</strong> Flex System , Smarter Storage<br />
The following are trademarks or registered trademarks of other companies.<br />
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.<br />
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.<br />
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.<br />
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.<br />
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel<br />
Corporation or its subsidiaries in the United States and other countries.<br />
UNIX is a registered trademark of The Open Group in the United States and other countries.<br />
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.<br />
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.<br />
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.<br />
* All other products may be trademarks or registered trademarks of their respective companies.<br />
Notes:<br />
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard <strong>IBM</strong> benchmarks in a controlled environment. The actual throughput that any user will<br />
experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed.<br />
Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.<br />
<strong>IBM</strong> hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.<br />
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used <strong>IBM</strong> products and the results they may have achieved. Actual<br />
environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.<br />
This publication was produced in the United States. <strong>IBM</strong> may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without<br />
notice. Consult your local <strong>IBM</strong> business contact for information on the product or services available in your area.<br />
All statements regarding <strong>IBM</strong>'s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.<br />
Information about non-<strong>IBM</strong> products is obtained from the manufacturers of those products or their published announcements. <strong>IBM</strong> has not tested those products and cannot confirm the performance,<br />
compatibility, or any other claims related to non-<strong>IBM</strong> products. Questions on the capabilities of non-<strong>IBM</strong> products should be addressed to the suppliers of those products.<br />
Prices subject to change without notice. Contact your <strong>IBM</strong> representative or Business Partner for the most current pricing in your geography.<br />
22<br />
© 2013 <strong>IBM</strong> Corporation
Disclaimer<br />
The information contained in this document has not been submitted to any formal <strong>IBM</strong> test and is<br />
distributed on an "AS IS" basis without any warranty either express or implied. The use of this information<br />
or the implementation of any of these techniques is a customer responsibility and depends on the<br />
customer's ability to evaluate and integrate them into the operational environment. While each item may<br />
have been reviewed by <strong>IBM</strong> for accuracy in a specific situation, there is no guarantee that the same or<br />
similar results will be obtained elsewhere. Customers attempting to adapt these techniques to their own<br />
environments do so at their own risk.<br />
In this document, any references made to an <strong>IBM</strong> licensed program are not intended to state or imply that<br />
only <strong>IBM</strong>'s licensed program may be used; any functionally equivalent program may be used instead.<br />
Any performance data contained in this document was determined in a controlled environment and,<br />
therefore, the results which may be obtained in other operating environments may vary significantly.<br />
Users of this document should verify the applicable data for their specific environments.<br />
It is possible that this material may contain reference to, or information about, <strong>IBM</strong> products (machines<br />
and programs), programming, or services that are not announced in your country. Such references or<br />
information must not be construed to mean that <strong>IBM</strong> intends to announce such <strong>IBM</strong> products,<br />
programming or services in your country.<br />
3<br />
© 2013 <strong>IBM</strong> Corporation
Agenda<br />
z/<strong>VM</strong> <strong>Security</strong> Certifications<br />
<strong>Security</strong> <strong>Update</strong>s for z/<strong>VM</strong> 6.2 and beyond<br />
RACF In a Single System Image (SSI) Cluster<br />
4<br />
© 2013 <strong>IBM</strong> Corporation
z/<strong>VM</strong> <strong>Security</strong> Certifications<br />
5<br />
© 2013 <strong>IBM</strong> Corporation
z/<strong>VM</strong> <strong>Security</strong> Certification Discussion<br />
Common Criteria certification:<br />
– z/<strong>VM</strong> 6.1 certified (BSI-DSZ-CC-0752)<br />
– Target: OSPP-LS at EAL 4+<br />
Federal Information Protection Standards (FIPS)<br />
– z/<strong>VM</strong> 6.1 System SSL is FIPS 140-2 Validated:<br />
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2012.htm#1735<br />
• Requires PM43382<br />
z/<strong>VM</strong> 6.2 is “designed to conform to” the Common Criteria and to FIPS 140-2<br />
– Refer to z/<strong>VM</strong> 6.2 Secure Configuration Guide<br />
Help us understand your certification needs<br />
– Comments now, or contact offline.<br />
6<br />
TM: A Certification Mark of NIST, which does not imply product endorsement by NIST,<br />
the U.S. or Canadian Governments.<br />
© 2013 <strong>IBM</strong> Corporation
z/<strong>VM</strong> <strong>Security</strong> Certification Discussion<br />
The Common Criteria evaluated configuration of z/<strong>VM</strong> 6.1 includes:<br />
– z/<strong>VM</strong> Control Program, TCPIP, Telnet, RACF<strong>VM</strong> (included in previous evaluations)<br />
– z/<strong>VM</strong> SSL Server *new*<br />
Evaluated to the Operating System Protection Profile (OSPP)<br />
– Extensions for Labeled <strong>Security</strong> (-LS) and Virtualization (-VIRT)<br />
– Replaces the expired CAPP and LSPP profiles.<br />
A particular configuration of these parts is required<br />
– See the z/<strong>VM</strong> 6.1 Secure Configuration Guide<br />
– Lists associated service to apply<br />
<strong>Security</strong>-related service can be applied without invalidating the configuration<br />
– EAL4 “+” – “Flaw Remediation”<br />
7<br />
© 2013 <strong>IBM</strong> Corporation
FIPS 140-2 Support for z/<strong>VM</strong> 6.1<br />
- PM08418: Upgrade System SSL to z/OS R11<br />
- <strong>VM</strong>64805: Add needed functions to LE<br />
- <strong>VM</strong>64751: Upgrade Binder to z/OS R11<br />
- PM10616: System SSL enablement of FIPS<br />
- PM43382: System SSL Self-Defense<br />
Enablement of support: z/<strong>VM</strong> 6.1 can be configured to comply<br />
to Federal Information Protection Standard (FIPS) 140-2<br />
– Requisite cipher suites assure a level of cryptographic strength<br />
– Creation and validation of certificate database assures trust<br />
Changes to TCPIP, System SSL, the Binder, and the SSL Server are available for<br />
z/<strong>VM</strong> 6.1<br />
Pertains both to the certificate database and the SSL server virtual machine<br />
These changes are bundled in z/<strong>VM</strong> 6.2<br />
8<br />
TM: A Certification Mark of NIST, which does not imply product endorsement by NIST,<br />
the U.S. or Canadian Governments.<br />
© 2013 <strong>IBM</strong> Corporation
<strong>Security</strong> <strong>Update</strong>s<br />
to z/<strong>VM</strong><br />
9<br />
© 2013 <strong>IBM</strong> Corporation
SSL Server Reliability and Scalability<br />
- PK97437: SSLADMIN, TCPRUN and Related Packaging Changes<br />
- PK97438: SSLSERV Module <strong>Update</strong>s<br />
- PK75662: TCPIP Module <strong>Update</strong>s<br />
Internet! Internet!<br />
SSLSERV,<br />
SSLSERV,<br />
a trusted<br />
SSLSERV,<br />
server a trusted<br />
SSLSERV,<br />
server<br />
SSL00001,<br />
a trusted<br />
server a trusted<br />
a pool of commonly<br />
server<br />
configured SSL<br />
virtual machines<br />
TCPIP,<br />
a trusted<br />
server<br />
LINUX01,<br />
a virtual<br />
machine<br />
TCPMAINT,<br />
where you do<br />
your TCPIP and SSL<br />
configuration.<br />
Highly privileged.<br />
GSKADMIN,<br />
where you do<br />
your certificate<br />
management.<br />
LOGONBY ONLY.<br />
System SSL<br />
v1.x*<br />
/etc/gskadm/Database.kdb<br />
z/<strong>VM</strong><br />
CPACF<br />
• Allows for greater scalability and availability<br />
• Shipped as service for z/<strong>VM</strong> 5.4 and 6.1<br />
• http://www.vm.ibm.com/related/tcpip/tcsslspe.html<br />
10<br />
© 2013 <strong>IBM</strong> Corporation
z/<strong>VM</strong> SSL Client Certificate Support<br />
- PM52716: Enable Client Certificate Authentication in z/<strong>VM</strong> SSL<br />
Expansion of SSL/TLS handshaking processes to include checking for a clientpresented<br />
certificate<br />
– Dynamic TN3270 Support only<br />
– Certificate presented by client must match against data in the z/<strong>VM</strong> certificate database<br />
– New INTERNALCLIENTPARMS parameter: CLIENTCERTCHECK<br />
– Required for the z/<strong>VM</strong> 6.1 Common Criteria configuration<br />
APAR available for z/<strong>VM</strong> 6.1 and z/<strong>VM</strong> 6.2<br />
– Will be included in the base of the next z/<strong>VM</strong> release<br />
11<br />
© 2013 <strong>IBM</strong> Corporation
LDAP Support <strong>Update</strong>s<br />
Country==US<br />
Upgrade to z/OS 1.11 ITDS in z/<strong>VM</strong> 6.1<br />
– Support for password change logging<br />
• z/OS uses RACF certificate services<br />
• z/<strong>VM</strong> uses System SSL services<br />
– Password phrases can now be used in an ldap bind<br />
Organization==<strong>IBM</strong><br />
City==Endicott<br />
Upgrade to z/OS 1.12 ITDS in z/<strong>VM</strong> 6.2<br />
– RACF resource change-logging through LDAP<br />
• user, group, and general resource profiles<br />
• an open, remote method of change notification using only LDAP interfaces<br />
• an LDAP client can read the LDAP change log, detect updates to RACF users,<br />
groups, group membership, and general resources, and then retrieve RACF entries.<br />
• LDAP server must be configured to enable the SDBM backend.<br />
– Expanded password management<br />
• Expiry warnings<br />
• Interactively set new passwords<br />
Subject==Brian W. Hugenbruch<br />
12<br />
© 2013 <strong>IBM</strong> Corporation
Crypto Support <strong>Update</strong>s<br />
APAR <strong>VM</strong>64656: z/<strong>VM</strong> support for Crypto Express3 cards<br />
– On the z10: z/<strong>VM</strong> 5.3, z/<strong>VM</strong> 5.4 and z/<strong>VM</strong> 6.1<br />
– On the z196: z/<strong>VM</strong> 5.4 and z/<strong>VM</strong> 6.1<br />
– Accelerator mode (CEX3A) and Coprocessor mode (CEX3C)<br />
APAR <strong>VM</strong>64793: Protected Key CPACF for z/<strong>VM</strong> 5.4 and z/<strong>VM</strong> 6.1<br />
– On both z10 and z196<br />
– Protection of key material when using CPACF, instead of Clear Key operations<br />
• Key does not exist outside of physical hardware<br />
– Not to be confused with Secure Key (for the Crypto Express cards)<br />
– Designed to increase throughput<br />
z/<strong>VM</strong> 6.2:<br />
– QUERY CRYPTO output changes<br />
APAR <strong>VM</strong>65007: zEnterprise EC12 compatibility Support<br />
– Required support in z/<strong>VM</strong> for zEC12<br />
– Includes Crypto Express4S (CEX4S) support<br />
– For z/<strong>VM</strong> 5.4, z/<strong>VM</strong> 6.1 and z/<strong>VM</strong> 6.2<br />
13<br />
© 2013 <strong>IBM</strong> Corporation
RACF <strong>Update</strong>s for z/<strong>VM</strong> 6.2<br />
Multiple Access Ports per Guest<br />
– Can now enable a guest with multiple unique<br />
access ports to the same VSWITCH<br />
– Associates NICs and VSWITCH ports<br />
(Switch not available on NICDEF)<br />
– Ports are associated with VLANs<br />
– Requires explicit CP enablement<br />
•CP SET VSWITCH PORTNUMBER<br />
•CP SET VSWITCH VLANID<br />
LINUX1 4F8<br />
access<br />
1<br />
VLAN<br />
140<br />
LINUX1 4FC<br />
access<br />
2<br />
VLAN<br />
197<br />
RACF Enablement is business-as-usual,<br />
authorizing by VLAN IDs instead of port numbers:<br />
3 OSA<br />
LINUX2 4F8<br />
trunk<br />
– RDEFINE <strong>VM</strong>LAN SYSTEM.SWITCH05 UACC(NONE)<br />
– PERMIT SYSTEM.SWITCH05 CLASS(<strong>VM</strong>LAN) ID(LINUX1 LINUX2) ACCESS(UPDATE)<br />
– RDEFINE <strong>VM</strong>LAN SYSTEM.SWITCH05.0140 UACC(NONE)<br />
– PERMIT SYSTEM.SWITCH05.0140 CLASS(<strong>VM</strong>LAN) ID(LINUX1 LINUX2) ACCESS(UPDATE)<br />
– RDEFINE <strong>VM</strong>LAN SYSTEM.SWITCH05.0197 UACC(NONE)<br />
– PERMIT SYSTEM.SWITCH05.0197 CLASS(<strong>VM</strong>LAN) ID(LINUX1 LINUX2) ACCESS(UPDATE)<br />
– ...<br />
14<br />
© 2013 <strong>IBM</strong> Corporation
RACF <strong>Update</strong>s for z/<strong>VM</strong> 6.2<br />
User Attribute: PROTECTED<br />
– Shields user access from being revoked due to logon failures, inactivity or unsuccessful<br />
access attempts … via any method that uses a supplied password (logon, FTP …)<br />
– Service machines are a good candidate for this attribute<br />
– Any machine without a password or passphrase is Protected by default<br />
– Specify “NOPASSWORD” and “NOPHRASE” on ADDUSER or ALTUSER:<br />
ALTUSER TCPIP10 NOPASSWORD NOPHRASE<br />
– To remove the Protected attribute from a user, add a password or passphrase:<br />
ALTUSER BWHUGEN PHRASE(‘Three measures of Gordons, one of<br />
vodka, half a measure of Kina Lillet’)<br />
– Protected users can still be revoked through REVOKE<br />
15<br />
© 2013 <strong>IBM</strong> Corporation
RACF <strong>Update</strong>s for z/<strong>VM</strong> 6.2<br />
Protecting Real Devices<br />
– Authorization checking based on the <strong>VM</strong>DEV class<br />
• Usual access levels (NONE READ UPDATE CONTROL) apply<br />
– Triggers when Connecting a real device to a virtual machine for exclusive use, or connecting a tape<br />
device to a virtual machine for shared use<br />
• DEDICATE statements in the User Directory<br />
• ATTACH command<br />
• GIVE command<br />
– Device “SYSASCII” used for HMC integrated ASCII console<br />
Define RDEV.(rdevno).sysname to <strong>VM</strong>DEV<br />
– PERMIT RDEV.0456.* CLASS(<strong>VM</strong>DEV) ID(BWHUGEN) ACCESS(UPDATE)<br />
– SETROPTS CLASSACT(<strong>VM</strong>DEV)<br />
Enable an appropriate event:<br />
– RALTER <strong>VM</strong>XEVENT EVENTS1 ADDMEM(RDEVCTRL/CTL)<br />
– SETEVENT REFRESH EVENTS1<br />
16<br />
© 2013 <strong>IBM</strong> Corporation
RACF <strong>Update</strong>s for z/<strong>VM</strong> 6.2<br />
General <strong>Update</strong>s:<br />
High Level Assembler no longer required for most common customizations<br />
– HCPRWAC, for example<br />
ALTER (MW) access for <strong>VM</strong>MDISK no longer conveys the ability to change the access list<br />
for the minidisk<br />
DBUnload requirement for T-Disk removed<br />
– Can use existing minidisk instead<br />
17<br />
© 2013 <strong>IBM</strong> Corporation
RACF <strong>Update</strong>s for z/<strong>VM</strong> 6.2<br />
RPIDIRCT updates:<br />
Create <strong>VM</strong>LAN profiles from NICDEF statements<br />
– Doesn’t cover Multiple Access Ports (no NICDEF support)<br />
Create <strong>VM</strong>DEV profiles from DEDICATE statements<br />
Recognize IDENTITY and SUBCONFIG definitions<br />
Passwords AUTOONLY, LBYONLY, and NOPASS cause user to be Protected<br />
Password NOLOG causes user to be revoked unless required for POSIX<br />
– POSIX users will be Protected<br />
18<br />
© 2013 <strong>IBM</strong> Corporation
RACF <strong>Update</strong>s for z/<strong>VM</strong> 6.2<br />
Enablement and Control of SECUSER and OBSERVER when Mandatory<br />
Access Controls (SECLABELs) are active<br />
– CONSOLE OBSERVER (read-only)<br />
– SET OBSERVER (read-only)<br />
– CONSOLE SECUSER (read-write)<br />
– SET SECUSER (read-write)<br />
– CP SEND.G (read-write)<br />
– CP SEND.C (write-only)<br />
SECLABEL rules for read- and write-access apply:<br />
– “No read up, no write down.”<br />
19<br />
© 2013 <strong>IBM</strong> Corporation
<strong>Security</strong> Label Math<br />
Top Secret<br />
LABEL3<br />
Confidential<br />
LABEL1<br />
Public<br />
LABEL2<br />
LABEL4<br />
Web Application Database Testing<br />
Read-only: Subject must “dominate” object (equal or greater sensitivity, contains all<br />
pertinent categories)<br />
Write-only: Object’s security label must “dominate” the subject<br />
– There are no resources with W/O access<br />
– Only applies to user-to-user (CP MSG)<br />
Read-write: The user’s and the resource’s assigned categories and levels must be<br />
identical<br />
20<br />
© 2013 <strong>IBM</strong> Corporation
RACF In A<br />
Single System Image Cluster<br />
21<br />
© 2013 <strong>IBM</strong> Corporation
z/<strong>VM</strong> SSI Cluster<br />
Member 1<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
Member 2<br />
Shared volumes<br />
Member 3<br />
Member 4<br />
Non-shared volumes<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
22<br />
© 2013 <strong>IBM</strong> Corporation
<strong>Security</strong> Settings in an SSI Cluster<br />
A userid has the same password on all systems (Single- or Multi-Configuration)<br />
A Single Configuration Virtual Machine can only log onto one member of the cluster<br />
– Error message just like logging onto a userid on the same system<br />
A Multi-Configuration Virtual Machine is a distinct construct on each system<br />
A userid’s privilege classes are the same on every system<br />
– A common source directory definition<br />
The cluster maintains a single security context for the entire system<br />
– And an ESM, as with stand-alone systems, extends these capabilities<br />
23<br />
© 2013 <strong>IBM</strong> Corporation
RACF in a Single System Image Cluster<br />
When installed in an SSI, RACF creates a single security context for the cluster<br />
– Shared database and definitions<br />
– Handshaking of RACF<strong>VM</strong> instances<br />
– Cluster-aware auditing<br />
RACF for SSI is for the entire cluster, it’s not something you can enable one step at a time.<br />
RPIDIRCT has been updated to handle both single-configuration and multi-configuration<br />
virtual machines<br />
The virtual machines have been modified to operate both in and out of an SSI …<br />
24<br />
© 2013 <strong>IBM</strong> Corporation
RACF Virtual Machines in an SSI cluster<br />
<strong>IBM</strong>USER<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
Member 1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Member 2<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Shared volumes<br />
Non-shared volumes<br />
Member 3<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
Member 4<br />
25<br />
© 2013 <strong>IBM</strong> Corporation
RACF Virtual Machines in an SSI cluster<br />
Handshaking and Command Propagation<br />
Each RACF server in the SSI must provide the same consistent security context.<br />
Commands that create broader changes need to be propagated across the cluster<br />
– SETROPTS<br />
– RVARY<br />
– SETEVENT<br />
RACF will suppress “extra” messages and marshal output when executing “remotely.”<br />
Locking done to ensure RVARY submissions are handled sequentially<br />
RACF command sessions don't support command propagation so in an SSI the commands<br />
SETROPTS, RVARY, and SETEVENT will be rejected with message:<br />
–RPITMP0021E 'command-name' RACF COMMAND MUST BE ISSUED WITH RAC<br />
IN A SSI<br />
RAC command, ISPF panels, and R_Admin API (used by LDAP) are interfaces which<br />
support command propagation<br />
26<br />
© 2013 <strong>IBM</strong> Corporation
RACF Virtual Machines in an SSI cluster<br />
Handshaking and Command propagation<br />
The propagated commands output from each RACF server on each system is bracketed by<br />
the lines:<br />
–OUTPUT FROM ON SYSTEM <br />
–END OF OUTPUT<br />
SETROPTS and RVARY commands will be propagated in non-SSI multi-server<br />
environments.<br />
Propagation of MAC cache purge<br />
Purge initiated by specific operands instead of any SETROPTS command:<br />
– RACLIST REFRESH of SECLABEL class<br />
– Activating or inactivating <strong>VM</strong>MAC class<br />
– LOGOPTIONS auditing of <strong>VM</strong>MAC class<br />
– Any MLS change<br />
– MLQUIET<br />
– MLACTIVE(WARNING)<br />
– SECLABELAUDIT<br />
27<br />
© 2013 <strong>IBM</strong> Corporation
The RACF Database in an SSI<br />
<strong>IBM</strong>USER<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
Member 1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Member 2<br />
RACdb<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Shared volumes<br />
Non-shared volumes<br />
Member 3<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
Member 4<br />
28<br />
© 2013 <strong>IBM</strong> Corporation
The RACF Database in an SSI<br />
All RACF servers in SSI must share the same RACF database<br />
– Databases are shareable today<br />
– Maintain a single security context; no confusion in security policy<br />
RACF database in SSI must be fullpack minidisk, must support reserve/release<br />
and can't be an FBA device<br />
– Full-pack 3390s for both the primary (200) and backup (300)<br />
– RDEVICE statements for each in the System Configuration file<br />
– Minidisk caching is automatically turned off<br />
RDEVICE 200 TYPE DASD SHARED YES /* Default RACF<strong>VM</strong> db */<br />
RDEVICE 300 TYPE DASD SHARED YES /* Backup RACF<strong>VM</strong> db */<br />
Database synchronization<br />
– When a member joins, CP+RACF will ensure that the joining server has identical<br />
database datasets to those being used and active in the SSI<br />
– Automatic propagation of RVARY commands<br />
29<br />
© 2013 <strong>IBM</strong> Corporation
Auditing RACF<strong>VM</strong> (The Basics)<br />
<strong>IBM</strong>USER<br />
SEND RACF<strong>VM</strong> SMF SWITCH<br />
RACF Database and backup 300<br />
200<br />
RACF<strong>VM</strong><br />
XAUTOLOG RACFSMF<br />
RACFSMF<br />
• RACF<strong>VM</strong>-owned SMF logs<br />
• Controlled by SMF CONTROL<br />
• When disk is full, RACF<strong>VM</strong> XAUTOLOGs<br />
RACFSMF for record storage<br />
• Process can also be triggered manually<br />
• Alternate disk (302) is then used as the<br />
security log<br />
• RACFSMF-owned private disks<br />
• When XAUTOLOGged, will copy data<br />
from the 301/302 disks<br />
•SMFPROF EXEC (profile)<br />
• Data is then erased from the 301 or 302<br />
301<br />
191<br />
302<br />
192<br />
Z<strong>VM</strong>540BH<br />
30<br />
© 2013 <strong>IBM</strong> Corporation
Auditing RACF in a Single System Image cluster<br />
<strong>IBM</strong>USER<br />
IDENT RACFSMF Multiple CTCs for ISFC-based IDENT RACFSMF<br />
SSI communications<br />
Member 1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Member 2<br />
200<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACFSMF<br />
IDENT RACF<strong>VM</strong><br />
Shared volumes<br />
IDENT RACFSMF<br />
SYSADMIN<br />
Non-shared volumes<br />
Member 3<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
Member 4<br />
31<br />
© 2013 <strong>IBM</strong> Corporation
Auditing RACF in a Single System Image cluster<br />
RACF<strong>VM</strong> is a multiconfiguration virtual machine<br />
– Shared RACF database<br />
– All other disks are local – including 301 and 302 for auditing<br />
– Separate SMF CONTROL files operating against a single security context<br />
RACFSMF is also multiconfiguration virtual machine<br />
– Separate 191 and 192 disks<br />
– Separate SMFPROF EXEC files<br />
Auditing automation should account for this disparity to gather all pertinent audit<br />
records<br />
– Make sure all SMF CONTROL files are modified as appropriate<br />
– Make sure auditing policy and SMF records are managed accordingly<br />
32<br />
© 2013 <strong>IBM</strong> Corporation
Auditing RACF in a Single System Image cluster<br />
In the case of some commands – the AT command in particular – auditing records<br />
will appear on the destination system<br />
–AT_LOGON<br />
–AT_FROM<br />
–AT_LOGOFF<br />
Auditing distinguishes between local and remote nodes in a cluster, even when<br />
sharing the same security context<br />
– Controlled commands are the same<br />
– Auditing requisites are the same<br />
– Events are the same<br />
…. But the systems are distinct, from the point of view of a virtual machine “in<br />
the know”<br />
33<br />
© 2013 <strong>IBM</strong> Corporation
RACF and Live Guest Relocation<br />
<strong>IBM</strong>USER<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
Member 1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Member 2<br />
200<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Shared volumes<br />
SYSADMIN<br />
Non-shared volumes<br />
Member 3<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
Member 4<br />
34<br />
© 2013 <strong>IBM</strong> Corporation
RACF and Live Guest Relocation<br />
Live Guest Relocation<br />
<strong>VM</strong>RELOCATE MOVE USER userid TO sysid<br />
– Class A command<br />
RACF cleans up a user’s presence on the source system, and prepares for the target<br />
system for the relocate-logon of the user<br />
Generate LOGOFF/LOGON auditing events on source/target system, to note the transition<br />
RACF perspective of relocate events:<br />
– User data is created for userid on sysid with all the above<br />
– User resources are allocated on sysid<br />
– Associated authorization calls are approved without a RACF check<br />
– Relocate-logon is requested for userid on sysid when the inbound relocation is complete<br />
35<br />
© 2013 <strong>IBM</strong> Corporation
SSI and Virtual <strong>Security</strong> Zones<br />
<strong>IBM</strong>USER<br />
Multiple CTCs for ISFC-based<br />
IDENT RACF<strong>VM</strong> SSI communications IDENT RACF<strong>VM</strong><br />
Member 1:<br />
Domains Yellow, Green<br />
Member 2:<br />
Domain Green<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Shared volumes<br />
Non-shared volumes<br />
Member 3:<br />
Domain Yellow<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
Member 4:<br />
Domain Blue<br />
36<br />
© 2013 <strong>IBM</strong> Corporation
SSI and Virtual <strong>Security</strong> Zones<br />
LINUX01<br />
MVSUSR1<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
MVSUSR2<br />
LINUX05<br />
Member 1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Member 2<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
Shared volumes<br />
LINUX02<br />
LINUX03<br />
LINUX04<br />
Non-shared volumes<br />
Member 3<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
Member 4<br />
37<br />
© 2013 <strong>IBM</strong> Corporation
Migrating to RACF in an SSI<br />
You can have an ESM and still migrate to SSI!<br />
– Step 1: If you don’t have an ESM, get one.<br />
– Line up the shared DASD required for the database; remember that this needs to be a<br />
fullpack minidisk!<br />
– If you’re converting one or more ESM-controlled systems into an SSI:<br />
38<br />
© 2013 <strong>IBM</strong> Corporation
Migrating to SSI: RACF Considerations<br />
<strong>IBM</strong>USER<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
SYSTEM1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
SYSTEM2<br />
RACdb<br />
Shared volumes<br />
Non-shared volumes<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
39<br />
© 2013 <strong>IBM</strong> Corporation
Migrating to RACF in an SSI<br />
You can have an ESM and still migrate to SSI!<br />
– Step 1: If you don’t have an ESM, get one.<br />
– Line up the shared DASD required for the database; remember that this needs to be a<br />
fullpack minidisk!<br />
– If you’re converting one ESM-controlled systems into an SSI:<br />
• Migrate to 6.2 in a non-SSI format<br />
• Convert associated resource profiles to 6.2 format, using RPIDIRCT as necessary<br />
• Take the steps to enable SSI; turn on RACF<strong>VM</strong> as part of the outlined process<br />
– If you’re converting two (or more) distinct ESM-controlled systems to an SSI<br />
40<br />
© 2013 <strong>IBM</strong> Corporation
Migrating to SSI: RACF Considerations<br />
<strong>IBM</strong>USER<br />
Multiple CTCs for ISFC-based<br />
SSI communications<br />
SYSTEM1<br />
IDENT RACF<strong>VM</strong><br />
IDENT RACF<strong>VM</strong><br />
SYSTEM2<br />
RACdb<br />
Shared volumes<br />
RACdb<br />
Non-shared volumes<br />
Common LAN for guest IP communications<br />
(optionally, with shared SAN for guest FCP<br />
connections)<br />
RACdb<br />
41<br />
© 2013 <strong>IBM</strong> Corporation
Migrating to RACF in an SSI<br />
You can have an ESM and still migrate to SSI!<br />
– Step 1: If you don’t have an ESM, get one.<br />
– Line up the shared DASD required for the database; remember that this needs to be a<br />
fullpack minidisk!<br />
– If you’re converting one or more ESM-controlled systems into an SSI:<br />
• Migrate to 6.2 in a non-SSI format<br />
• Convert associated resource profiles to 6.2 format, using RPIDIRCT as necessary<br />
• Take the steps to enable SSI; turn on RACF<strong>VM</strong> as part of the outlined process<br />
– If you’re converting two (or more) distinct ESM-controlled systems to an SSI<br />
• You will need to merge the databases<br />
• You may want to consider which of your 2+ systems has the most complex security<br />
context before choosing which one is the “master” system<br />
• After one system is enabled, make directory and RACF database updates for the<br />
secondary system<br />
42<br />
© 2013 <strong>IBM</strong> Corporation
Summary<br />
Certifications validate the high standard of z/<strong>VM</strong> security<br />
z/<strong>VM</strong> continues to deliver functional updates to keep pace with modern security<br />
requirements<br />
RACF has been adapted to handle the Single System Image clustering technology<br />
z/<strong>VM</strong> continues to secure the road to Smarter Computing<br />
43<br />
© 2013 <strong>IBM</strong> Corporation
For more information …<br />
On the web:<br />
z/<strong>VM</strong> <strong>Security</strong> resources: http://www.<strong>VM</strong>.ibm.com/security<br />
z/<strong>VM</strong> Secure Configuration Guide: http://publibz.boulder.ibm.com/epubs/pdf/hcss0b30.pdf<br />
System z <strong>Security</strong>: http://www.ibm.com/systems/z/advantages/security/<br />
Redbook: z/<strong>VM</strong> <strong>Security</strong>, SG24-7471<br />
• http://www.vm.ibm.com/related/tcpip/vmsslinf.html -- SSL Information and Walk-through<br />
Contact Information:<br />
Brian W. Hugenbruch, CISSP<br />
z/<strong>VM</strong> <strong>Security</strong> Design and Development<br />
bwhugen at us dot ibm dot com<br />
+1 607.429.3660<br />
44<br />
© 2013 <strong>IBM</strong> Corporation
Dank u<br />
Dutch<br />
Merci<br />
French<br />
Спаcибо<br />
Russian<br />
Gracias<br />
Spanish<br />
شكراً<br />
Arabic<br />
Obrigado<br />
Brazilian<br />
Portuguese<br />
Grazie<br />
Italian<br />
धयवाद<br />
Hindi<br />
Dankon<br />
Esperanto<br />
ありがとうございます<br />
Japanese<br />
go raibh maith agat<br />
Gaelic<br />
<br />
Tamil<br />
감사합니다<br />
Korean<br />
תודה רבה<br />
Hebrew<br />
Thank You<br />
Trugarez<br />
Breton<br />
děkuji<br />
Czech<br />
Danke<br />
German<br />
Tack så mycket<br />
Swedish<br />
Tak<br />
Danish<br />
<br />
Thai<br />
谢 谢<br />
Chinese<br />
45<br />
© 2013 <strong>IBM</strong> Corporation