Securing Your Cloud: IBM Security for Linuxone
Front cover

Securing Your Cloud: IBM Security for LinuxONE

Edi Lopes Alves, Klaus Egeler, Karen Medhat Fahmy, Felipe Cardeneti Mendes, Maciej Olejniczak

IBM Redbooks, International Technical Support Organization
July 2019
SG24-8447-00

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (July 2019)
This edition applies to Version 7, Release 1 of z/VM and the IBM Resource Access Control Facility Security Server for z/VM.

© Copyright International Business Machines Corporation 2019. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices . . . . . vii
    Trademarks . . . . . viii

Preface . . . . . ix
    Authors . . . . . ix
    Now you can become a published author, too! . . . . . x
    Comments welcome . . . . . x
    Stay connected to IBM Redbooks . . . . . xi

Chapter 1. IBM LinuxONE essentials . . . . . 1
    1.1 LinuxONE architecture and hardware . . . . . 2
    1.2 LinuxONE architecture . . . . . 2
    1.3 IBM LinuxONE servers . . . . . 3
        1.3.1 IBM LinuxONE Emperor II . . . . . 3
        1.3.2 IBM LinuxONE Rockhopper II . . . . . 6
    1.4 LinuxONE as a secure platform . . . . . 9
        1.4.1 The need for a secure platform . . . . . 9
        1.4.2 Security with LinuxONE . . . . . 9
        1.4.3 Using LinuxONE Security to create a secure cloud . . . . . 11
        1.4.4 IBM Hyper Protect Services overview . . . . . 12

Chapter 2. Introduction to security on IBM LinuxONE . . . . . 15
    2.1 Why security matters . . . . . 16
    2.2 Hardware security features overview . . . . . 16
    2.3 Pervasive encryption . . . . . 17
    2.4 IBM LinuxONE cryptographic hardware features . . . . . 18
        2.4.1 CP Assist for Cryptographic Function . . . . . 18
        2.4.2 Crypto-Express6S . . . . . 19
    2.5 Benefits of hardware crypto . . . . . 19
    2.6 Using RACF to secure your cloud infrastructure . . . . . 20
        2.6.1 Principle of best matching profile . . . . . 21
    2.7 RACF DB organization and structure . . . . . 22
        2.7.1 Database definition to the system . . . . . 22
        2.7.2 Internal organization of RACF database specifying class options . . . . . 22

Chapter 3. IBM z/VM hypervisor . . . . . 25
    3.1 Virtualization . . . . . 26
        3.1.1 Virtualization benefits . . . . . 26
        3.1.2 Hardware virtualization . . . . . 27
    3.2 z/VM hypervisor and LinuxONE servers . . . . . 27
        3.2.1 z/VM 7.1 overview . . . . . 28
        3.2.2 Single System Image overview . . . . . 29
        3.2.3 Security settings in an SSI cluster . . . . . 31
        3.2.4 Controlling the System Operator . . . . . 32
        3.2.5 System Configuration file . . . . . 32
        3.2.6 Addressing password security . . . . . 35
        3.2.7 Implementing CP LOGONBY . . . . . 35
        3.2.8 Role-based access controls and CP privilege classes . . . . . 37
    3.3 Device management . . . . . 38
    3.4 Securing the data . . . . . 38
        3.4.1 Securing your minidisks . . . . . 39
        3.4.2 Encrypting z/VM page volumes . . . . . 39
        3.4.3 Securing GUEST LANS and virtual switches . . . . . 41
    3.5 Securing your communication . . . . . 42
        3.5.1 Encrypting your communication . . . . . 42
        3.5.2 z/VM Cryptographic definitions . . . . . 44
        3.5.3 Checking the cryptographic card definitions in z/VM . . . . . 48
    3.6 z/VM connectivity . . . . . 50
        3.6.1 DEVICE and LINK statements . . . . . 50
        3.6.2 HiperSockets VSWITCH Bridge . . . . . 51
        3.6.3 Security considerations . . . . . 52
    3.7 Remote Spooling Communications Subsystem . . . . . 52

Chapter 4. IBM Resource Access Control Facility Security Server for IBM z/VM . . . . . 55
    4.1 RACF z/VM concepts . . . . . 57
        4.1.1 External security manager . . . . . 57
        4.1.2 Security policy . . . . . 57
    4.2 Activating and configuring RACF . . . . . 59
        4.2.1 Post-activation tasks . . . . . 59
        4.2.2 Building the RACF enabled CPLOAD MODULE . . . . . 77
        4.2.3 Updating the RACF database and options . . . . . 80
        4.2.4 Placing RACF into production . . . . . 84
        4.2.5 Using HCPRWAC . . . . . 85
    4.3 RACF management processes . . . . . 88
        4.3.1 DirMaint changes to work with RACF . . . . . 88
        4.3.2 RACF authorization concepts . . . . . 90
        4.3.3 Adding virtual machines and resources to the system and RACF database . . . . . 90
        4.3.4 Securing your minidisks with RACF . . . . . 97
        4.3.5 Securing guest LANs and virtual switches with RACF . . . . . 99
        4.3.6 Labeled security and mandatory access control . . . . . 101
        4.3.7 Backing up the RACF database . . . . . 103
        4.3.8 RACF recovery options . . . . . ..