Front cover
Securing Your Cloud: IBM Security for LinuxONE
Edi Lopes Alves, Klaus Egeler, Karen Medhat Fahmy, Felipe Cardeneti Mendes, Maciej Olejniczak
Redbooks
International Technical Support Organization
Securing Your Cloud: IBM Security for LinuxONE
July 2019
SG24-8447-00
Note: Before using this information and the product it supports, read the information in “Notices” on page vii.
First Edition (July 2019)
This edition applies to Version 7, Release 1 of z/VM and the IBM Resource Access Control Facility Security Server for z/VM.
© Copyright International Business Machines Corporation 2019. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Notices ...... vii
  Trademarks ...... viii
Preface ...... ix
  Authors ...... ix
  Now you can become a published author, too! ...... x
  Comments welcome ...... x
  Stay connected to IBM Redbooks ...... xi
Chapter 1. IBM LinuxONE essentials ...... 1
  1.1 LinuxONE architecture and hardware ...... 2
  1.2 LinuxONE architecture ...... 2
  1.3 IBM LinuxONE servers ...... 3
    1.3.1 IBM LinuxONE Emperor II ...... 3
    1.3.2 IBM LinuxONE Rockhopper II ...... 6
  1.4 LinuxONE as a secure platform ...... 9
    1.4.1 The need for a secure platform ...... 9
    1.4.2 Security with LinuxONE ...... 9
    1.4.3 Using LinuxONE Security to create a secure cloud ...... 11
    1.4.4 IBM Hyper Protect Services overview ...... 12
Chapter 2. Introduction to security on IBM LinuxONE ...... 15
  2.1 Why security matters ...... 16
  2.2 Hardware security features overview ...... 16
  2.3 Pervasive encryption ...... 17
  2.4 IBM LinuxONE cryptographic hardware features ...... 18
    2.4.1 CP Assist for Cryptographic Function ...... 18
    2.4.2 Crypto-Express6S ...... 19
  2.5 Benefits of hardware crypto ...... 19
  2.6 Using RACF to secure your cloud infrastructure ...... 20
    2.6.1 Principle of best matching profile ...... 21
  2.7 RACF DB organization and structure ...... 22
    2.7.1 Database definition to the system ...... 22
    2.7.2 Internal organization of RACF database specifying class options ...... 22
Chapter 3. IBM z/VM hypervisor ...... 25
  3.1 Virtualization ...... 26
    3.1.1 Virtualization benefits ...... 26
    3.1.2 Hardware virtualization ...... 27
  3.2 z/VM hypervisor and LinuxONE servers ...... 27
    3.2.1 z/VM 7.1 overview ...... 28
    3.2.2 Single System Image overview ...... 29
    3.2.3 Security settings in an SSI cluster ...... 31
    3.2.4 Controlling the System Operator ...... 32
    3.2.5 System Configuration file ...... 32
    3.2.6 Addressing password security ...... 35
    3.2.7 Implementing CP LOGONBY ...... 35
    3.2.8 Role-based access controls and CP privilege classes ...... 37
  3.3 Device management ...... 38
  3.4 Securing the data ...... 38
    3.4.1 Securing your minidisks ...... 39
    3.4.2 Encrypting z/VM page volumes ...... 39
    3.4.3 Securing GUEST LANS and virtual switches ...... 41
  3.5 Securing your communication ...... 42
    3.5.1 Encrypting your communication ...... 42
    3.5.2 z/VM Cryptographic definitions ...... 44
    3.5.3 Checking the cryptographic card definitions in z/VM ...... 48
  3.6 z/VM connectivity ...... 50
    3.6.1 DEVICE and LINK statements ...... 50
    3.6.2 HiperSockets VSWITCH Bridge ...... 51
    3.6.3 Security considerations ...... 52
  3.7 Remote Spooling Communications Subsystem ...... 52
Chapter 4. IBM Resource Access Control Facility Security Server for IBM z/VM ...... 55
  4.1 RACF z/VM concepts ...... 57
    4.1.1 External security manager ...... 57
    4.1.2 Security policy ...... 57
  4.2 Activating and configuring RACF ...... 59
    4.2.1 Post-activation tasks ...... 59
    4.2.2 Building the RACF enabled CPLOAD MODULE ...... 77
    4.2.3 Updating the RACF database and options ...... 80
    4.2.4 Placing RACF into production ...... 84
    4.2.5 Using HCPRWAC ...... 85
  4.3 RACF management processes ...... 88
    4.3.1 DirMaint changes to work with RACF ...... 88
    4.3.2 RACF authorization concepts ...... 90
    4.3.3 Adding virtual machines and resources to the system and RACF database ...... 90
    4.3.4 Securing your minidisks with RACF ...... 97
    4.3.5 Securing guest LANs and virtual switches with RACF ...... 99
    4.3.6 Labeled security and mandatory access control ...... 101
    4.3.7 Backing up the RACF database ...... 103
    4.3.8 RACF recovery options ...... 105
Chapter 5. Security policy management on IBM z/VM ...... 107
  5.1 User ID management ...... 108
    5.1.1 Least privilege principle ...... 108
    5.1.2 RACF passwords and password phrases ...... 114
    5.1.3 Implementing RACF LOGONBY ...... 123
  5.2 Communication encryption ...... 127
  5.3 Single System Image Security ...... 128
    5.3.1 Overview ...... 128
    5.3.2 Equivalency identifiers ...... 129
    5.3.3 Relocation domains ...... 129
    5.3.4 RACF in an SSI cluster ...... 130
  5.4 Auditing ...... 130
    5.4.1 Auditing with journaling ...... 131
    5.4.2 Auditing with RACF ...... 135
Chapter 6. Securing a cloud in an IBM z/VM environment ...... 157
  6.1 Cloud on z/VM components ...... 158
  6.2 DirMaint ...... 159
    6.2.1 DirMaint controls ...... 159
    6.2.2 Delegating DirMaint authority ...... 162
  6.3 Systems Management API ...... 167
    6.3.1 SFS ...... 167
    6.3.2 Other SMAPI user IDs ...... 168
    6.3.3 VSMGUARD ...... 169
    6.3.4 SMAPI controls ...... 170
    6.3.5 Security aspects of SMAPI ...... 170
  6.4 z/VM Cloud Manager Appliance ...... 174
    6.4.1 Basic requirements and configuration options ...... 175
    6.4.2 OpenStack and xCAT Service Deployment Patterns ...... 176
    6.4.3 z/VM System Management Architecture ...... 176
  6.5 CMA Controller node ...... 178
    6.5.1 DMSSICNF COPY for the controller node ...... 179
    6.5.2 DMSSICMO COPY file for the controller node ...... 180
  6.6 CMA compute node ...... 182
    6.6.1 DMSSICNF COPY file for the compute node ...... 182
    6.6.2 DMSSICMO COPY file for the compute node ...... 183
  6.7 CMA installation ...... 184
    6.7.1 Initial set-up ...... 186
    6.7.2 Installing SMAPI 6.4 on your 7.1 system ...... 186
    6.7.3 Installing the CMA files on your z/VM 7.1 system ...... 187
    6.7.4 Restoring the CMA files ...... 188
    6.7.5 Configuring to use CMA 6.4 (Newton) ...... 189
  6.8 Securing your cloud components ...... 190
    6.8.1 Security considerations inherent in a cloud environment ...... 191
    6.8.2 Security tips for the cloud ...... 193
Chapter 7. Securing IBM Cloud Private and Microservices on LinuxONE ...... 195
  7.1 Security in DevOps ...... 196
  7.2 Introduction to microservices ...... 196
    7.2.1 Microservice architecture ...... 197
    7.2.2 Service discovery ...... 199
    7.2.3 Securing your microservices application ...... 200
  7.3 Managing containers by using Kubernetes ...... 202
    7.3.1 Introduction to containers ...... 202
    7.3.2 Containers versus virtual machines ...... 203
    7.3.3 Container key points ...... 204
    7.3.4 Container orchestration ...... 204
    7.3.5 Kubernetes ...... 206
    7.3.6 Security in Kubernetes ...... 208
  7.4 Containers management at scale ...... 213
    7.4.1 IBM LinuxONE as the container platform ...... 213
    7.4.2 Deployment strategies ...... 214
  7.5 IBM Cloud Private overview ...... 216
    7.5.1 Key aspects ...... 217
    7.5.2 IBM Cloud Private architecture ...... 217
    7.5.3 IBM Cloud Private Security ...... 218
    7.5.4 IBM Cloud Private features ...... 220
  7.6 IBM Cloud Private on LinuxONE ...... 223
    7.6.1 Security levels for containerized applications on LinuxONE ...... 223
    7.6.2 IBM Secure Service Container ...... 228
    7.6.3 Deploying IBM Cloud Private on LinuxONE ...... 230
    7.6.4 IBM Cloud Private hands-on ...... 233
    7.6.5 Deploying a Node.js service on top of ICP and LinuxONE ...... 234
  7.7 IBM Cloud Automation Manager ...... 239
    7.7.1 Terraform ...... 240
    7.7.2 IBM Cloud Automation Manager on IBM Cloud Private ...... 240
    7.7.3 Security in IBM Cloud Automation Manager ...... 242
Chapter 8. IBM z/VM and enterprise security ...... 245
  8.1 z/Secure ...... 246
  8.2 Lightweight Directory Access Protocol ...... 246
    8.2.1 LDAP on z/VM ...... 247
    8.2.2 Integration of z/VM LDAP into an enterprise directory ...... 248
  8.3 Linux on IBM LinuxONE security ...... 249
    8.3.1 Authentication ...... 249
    8.3.2 Access control ...... 250
    8.3.3 User management ...... 251
    8.3.4 Update management ...... 251
    8.3.5 Data ...... 252
    8.3.6 Audit ...... 252
    8.3.7 Cryptographic hardware ...... 253
    8.3.8 Firewall ...... 254
Related publications ...... 255
  Other publications ...... 255
  Help from IBM ...... 255
Notices
This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, MD-NC119, Armonk, NY 10504-1785, US
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided “AS IS”, without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks or registered trademarks of International Business Machines Corporation, and might also be trademarks or registered trademarks in other countries.
BigFix®, DB2®, Db2®, DirMaint™, ECKD™, FICON®, GDPS®, Geographically Dispersed Parallel Sysplex™, Guardium®, HiperSockets™, IBM®, IBM API Connect®, IBM Blue®, IBM Cloud™, IBM LinuxONE™, IBM LinuxONE Emperor™, IBM LinuxONE Emperor II™, IBM LinuxONE Rockhopper™, IBM Spectrum™, IBM Z®, IBM z Systems®, Interconnect®, Parallel Sysplex®, PR/SM™, QRadar®, RACF®, Redbooks®, Redpaper™, Redbooks (logo)®, Storwize®, System z®, Terraform®, Tivoli®, WebSphere®, z Systems®, z/Architecture®, z/OS®, z/VM®, z/VSE®, zSecure™
The following terms are trademarks of other companies:
Intel, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java, and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, or service names may be trademarks or service marks of others.
Preface
As workloads are being offloaded to IBM® LinuxONE based cloud environments, it is important to ensure that these workloads and environments are secure.
This IBM Redbooks® publication describes the necessary steps to secure your environment from the hardware level through all of the components that are involved in a LinuxONE cloud infrastructure that use Linux and IBM z/VM®.
The audience for this book is IT architects, IT Specialists, and those users who plan to use LinuxONE for their cloud environments.
Authors
This book was produced by a team of specialists from around the world working at the International Technical Support Organization, Poughkeepsie Center.
Edi Lopes Alves is a Senior IT Specialist in Brazil working with IBM Z® and LinuxONE for the Global Technical Service team. She has more than 25 years of experience working as a z/VM and Linux on IBM Z specialist. Edi has IBM L2 IT Specialist certification, holds a Mathematics degree and a master’s degree in e-Business from ESPM Sao Paulo. She currently supports z/VM and Linux on Z for the American Express and AIG accounts. She has supported the z/VM environment and cloud initiatives for Banco do Brasil and IBM Global Accounts (IGA) for several years by supporting IBM Green, IBM Blue® Harmony projects, and z/VM Field Test at Endicott Lab LPARs, working across international and diverse teams. Edi has co-authored several IBM Redbooks publications. She has acquired several professional certifications, and has mentored several professionals at different levels of seniority to progress in their careers.
Klaus Egeler is a Senior IT Specialist in IBM’s Research & Development Lab in Boeblingen, Germany. His areas of expertise are IBM z/VSE®, z/VM, and Linux on z and LinuxONE. Klaus has contributed to several z/VM-related and Linux-related IBM Redbooks and IBM Redpaper™ publications. He also presents and instructs at workshops and customer events on a regular basis.
Karen Medhat Fahmy is IBM L2 Certified and works in IBM Egypt. She received her bachelor’s degree with honors in Computer Engineering in 2012 and her MSc degree in 2016 in the field of wireless sensor networks, security, and AI from the Faculty of Engineering, Cairo University. She joined IBM in 2013 and is currently technical team leader in the cloud application innovation team, where she has been developing and leading large-scale enterprise applications in several sectors. She has delivered different technical training sessions and courses as part of IBM Skills Academy for university students across MEA. She has written several publications in the field of AI and IoT. She has also received several technical and non-technical awards in IBM. Karen has acquired several professional certifications, and contributed to developing and authoring IBM Cloud™ and IoT Certification Exams.
Felipe Cardeneti Mendes is an IT specialist with years of experience on distributed platforms and systems integration. His areas of expertise include Cloud, Docker containers, and virtualization across various platforms, including Intel x86, Power, LinuxONE, and IBM Z. Throughout his career, he worked on several integration projects and developed several successful solutions. He also frequently speaks at events and colleges to educate people about the latest Linux, Docker, and LinuxONE technology trends.
Maciej Olejniczak is an IBM Certified IT Expert. He has over 10 years of experience at IBM and 20 years in IT. He is a cross-functional consultant in a collaborative environment, and is skilled in the design and delivery of integrated systems in various industries. He also works across international, diverse teams and is an IBM Redbooks Platinum Author. He excels at support delivery, problem solving, and managing critical situations. He is a member of the IBM Academy of Technology and serves as a mentor to IBM employees and new hires. He also works within the IBM Security Team.
Thanks to the following people for their contributions to this project:
Lydia Parziale, Robert Haimowitz IBM Redbooks, Poughkeepsie Center
Thomas Ambrosio, Bill Lamastro IBM Competitive Project Office, Poughkeepsie, NY
William Romney, Scott Coyle, Steve Schultz IBM Endicott Lab
Robert (Jay) Brenneman and Dulce Smith, POK
Guilherme da Silva Nogueira, Felipe Cardeneti Mendes, Sao Paulo IBM Brazil
Now you can become a published author, too!
Here’s an opportunity to spotlight your skills, grow your career, and become a published author—all at the same time! Join an ITSO residency project and help write a book in your area of expertise, while honing your experience using leading-edge technologies. Your efforts will help to increase product acceptance and customer satisfaction, as you expand your network of technical contacts and relationships. Residencies run from two to six weeks in length, and you can participate either in person or as a remote resident working from your home base.
Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about this book or other IBM Redbooks publications in one of the following ways:
- Use the online Contact us review Redbooks form found at: ibm.com/redbooks
- Send your comments in an email to: [email protected]
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400
Stay connected to IBM Redbooks