Securing Your Cloud: IBM Security for Linuxone

Total pages: 16

File type: PDF, size: 1020 KB

Front cover: Securing Your Cloud: IBM Security for LinuxONE
Authors: Edi Lopes Alves, Klaus Egeler, Karen Medhat Fahmy, Felipe Cardeneti Mendes, Maciej Olejniczak
IBM Redbooks, International Technical Support Organization
July 2019, SG24-8447-00

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (July 2019). This edition applies to Version 7, Release 1 of z/VM and the IBM Resource Access Control Facility Security Server for z/VM.

© Copyright International Business Machines Corporation 2019. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
Trademarks
Preface
  Authors
  Now you can become a published author, too!
  Comments welcome
  Stay connected to IBM Redbooks

Chapter 1. IBM LinuxONE essentials
  1.1 LinuxONE architecture and hardware
  1.2 LinuxONE architecture
  1.3 IBM LinuxONE servers
    1.3.1 IBM LinuxONE Emperor II
    1.3.2 IBM LinuxONE Rockhopper II
  1.4 LinuxONE as a secure platform
    1.4.1 The need for a secure platform
    1.4.2 Security with LinuxONE
    1.4.3 Using LinuxONE Security to create a secure cloud
    1.4.4 IBM Hyper Protect Services overview

Chapter 2. Introduction to security on IBM LinuxONE
  2.1 Why security matters
  2.2 Hardware security features overview
  2.3 Pervasive encryption
  2.4 IBM LinuxONE cryptographic hardware features
    2.4.1 CP Assist for Cryptographic Function
    2.4.2 Crypto-Express6S
  2.5 Benefits of hardware crypto
  2.6 Using RACF to secure your cloud infrastructure
    2.6.1 Principle of best matching profile
  2.7 RACF DB organization and structure
    2.7.1 Database definition to the system
    2.7.2 Internal organization of RACF database specifying class options

Chapter 3. IBM z/VM hypervisor
  3.1 Virtualization
    3.1.1 Virtualization benefits
    3.1.2 Hardware virtualization
  3.2 z/VM hypervisor and LinuxONE servers
    3.2.1 z/VM 7.1 overview
    3.2.2 Single System Image overview
    3.2.3 Security settings in an SSI cluster
    3.2.4 Controlling the System Operator
    3.2.5 System Configuration file
    3.2.6 Addressing password security
    3.2.7 Implementing CP LOGONBY
    3.2.8 Role-based access controls and CP privilege classes
  3.3 Device management
  3.4 Securing the data
    3.4.1 Securing your minidisks
    3.4.2 Encrypting z/VM page volumes
    3.4.3 Securing GUEST LANs and virtual switches
  3.5 Securing your communication
    3.5.1 Encrypting your communication
    3.5.2 z/VM Cryptographic definitions
    3.5.3 Checking the cryptographic card definitions in z/VM
  3.6 z/VM connectivity
    3.6.1 DEVICE and LINK statements
    3.6.2 HiperSockets VSWITCH Bridge
    3.6.3 Security considerations
  3.7 Remote Spooling Communications Subsystem

Chapter 4. IBM Resource Access Control Facility Security Server for IBM z/VM
  4.1 RACF z/VM concepts
    4.1.1 External security manager
    4.1.2 Security policy
  4.2 Activating and configuring RACF
    4.2.1 Post-activation tasks
    4.2.2 Building the RACF enabled CPLOAD MODULE
    4.2.3 Updating the RACF database and options
    4.2.4 Placing RACF into production
    4.2.5 Using HCPRWAC
  4.3 RACF management processes
    4.3.1 DirMaint changes to work with RACF
    4.3.2 RACF authorization concepts
    4.3.3 Adding virtual machines and resources to the system and RACF database
    4.3.4 Securing your minidisks with RACF
    4.3.5 Securing guest LANs and virtual switches with RACF
    4.3.6 Labeled security and mandatory access control
    4.3.7 Backing up the RACF database
    4.3.8 RACF recovery options ...
Recommended publications
  • Security on the IBM Mainframe
    Front cover: Security on the IBM Mainframe. Operating system and application security; IBM Security Blueprint and Framework; IBM mainframe security concepts.
    Authors: Karan Singh, Lennie Dymoke-Bradshaw, Thomas Castiglion, Pekka Hanninen, Vincente Ranieri Junior, Patrick Kappeler
    ibm.com/redbooks, International Technical Support Organization, April 2010, SG24-7803-00

    Note: Before using this information and the product it supports, read the information in "Notices" on page ix.

    First Edition (April 2010). This edition applies to the IBM System z10 Enterprise Class server, the IBM System z10 Business Class server, and Version 1, Release 11, Modification 0 of z/OS (product number 5694-A01).

    © Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Contents
    Notices
    Trademarks
    Preface
      The team who wrote this book
      Now you can become a published author, too!
      Comments welcome
      Stay connected to IBM Redbooks
    Part 1. Introduction
    Chapter 1. Introduction
      1.1 IBM Security Framework
        1.1.1 People and identity
        1.1.2 Data and information
        1.1.3 Application and process
        1.1.4 Network, server, and endpoint
        1.1.5 Physical Infrastructure
      1.2 Framework and Blueprint
      1.3 IBM Security Blueprint
    Chapter 2. Security of the IBM Mainframe: yesterday and today
      2.1 Operating systems
        2.1.1 z/OS operating system family
        2.1.2 z/VM Hypervisor family ...
  • IBM Cloud Unit 2016: IBM Cloud Unit Leadership Organization
    IBM Cloud Technical Academy. IBM Cloud Unit 2016, IBM Cloud Unit Leadership Organization.

    Leadership chart (extracted in reading order; the column alignment of the original chart is not preserved): SVP IBM Cloud Robert LeBlanc. Line executives: GM Cloud Platform, GM Cloud Integration, GM Cloud Managed Services, GM Cloud Video, GM Cloud Object Storage Offering; Bill Karpovich, Mike Valente, Braxton Jarratt, Marie Wieck, John Morris. GM Strategy and Business Dev Don Rippert; GM Client Technical Engagement Steve Robinson; VP Development Harish Grama; VP Service Delivery Janice Fischer; J. Comfort (GM & CTO); J. Considine (Innovation Lab). Function leadership: VP Marketing Quincy Allen; GM WW Sales & Channels Steve Cowley; VP Finance Steve Lasher; VP Human Resources Sam Ladah; S. Carter (GM EcoD); GM Design Phil Gilbert; VP Enterprise Mobile Phil Buckellew; GM Digital Kevin Eagan. Missions: Enterprise. IBM Confidential.

    IBM Hybrid Cloud Guiding Principles:
    - Choice with Consistency: the right workload in the right place and speed
    - Hybrid Integration: unlock existing IT investments and Intellectual Property
    - DevOps Productivity: automation, tooling and composable services to increase speed
    - Cognitive Solutions: applications and systems that have the ability to learn
    - Powerful, Accessible Data and Analytics: connect and extract insight from all types of data

    Three entry points: 1. Create new cloud apps; 2. Connect existing apps and data; 3. Optimize any app.

    2016 IBM Cloud Offerings aligned to the Enterprise's hybrid cloud needs: IBM Cloud Platform Offerings, IBM Cloud Integration Offerings, IBM Cloud Managed Services Offerings. Mission: Build true cloud platform ...
  • 8. IBM Z and Hybrid Cloud
    The Centers for Medicare and Medicaid Services: The Role of IBM Z® in Hybrid Cloud Architecture. White Paper, December 2020. Paul Giangarra, IBM Distinguished Engineer. © IBM Corporation 2020.

    Contents
    1. Foreword
    2. Executive Summary
    3. Introduction
    4. IBM Z and NIST's Five Essential Elements of Cloud Computing
    5. IBM Z as a Cloud Computing Platform: Core Elements
      5.1. The IBM Z for Cloud starts with Hardware
      5.2. Cross IBM Z Foundation Enables Enterprise Cloud Computing
      5.3. Capacity Provisioning and Capacity on Demand for Usage Metering and Chargeback (Infrastructure-as-a-Service)
      5.4. Multi-Tenancy and Security (Infrastructure-as-a-Service) ...
  • Tree-Like Distributed Computation Environment with Shapp Library
    Information, Article. Tree-Like Distributed Computation Environment with Shapp Library. Tomasz Gałecki and Wiktor Bohdan Daszczuk *, Institute of Computer Science, Warsaw University of Technology, 00-665 Warsaw, Poland; [email protected]. * Correspondence: [email protected]; Tel.: +48-22-234-78-12. Received: 30 January 2020; Accepted: 1 March 2020; Published: 3 March 2020.

    Abstract: Despite the rapidly growing computing power of computers, it is often insufficient to perform mass calculations in a short time, for example, simulation of systems for various sets of parameters, the searching of huge state spaces, optimization using ant or genetic algorithms, machine learning, etc. One can solve the problem of a lack of computing power through workload management systems used in local networks in order to use the free computing power of servers and workstations. This article proposes raising such a system to a higher level of abstraction: the use in the .NET environment of a new Shapp library that allows remote task execution using fork-like operations from Portable Operating System Interface for UNIX (POSIX) systems. The library distributes the task code, sending static data on which the task force is working, and individualizing tasks. In addition, a convenient way of communicating distributed tasks running hierarchically in the Shapp library was proposed to better manage the execution of these tasks. Many different task group architectures are possible; we focus on tree-like calculations that are suitable for many problems where the range of possible parallelism increases as the calculations progress.

    Keywords: workload management; remote fork; distributed computations; task group communication
  • Model to Implement Virtual Computing Labs via Cloud Computing Services
    Symmetry, Article. Model to Implement Virtual Computing Labs via Cloud Computing Services. Washington Luna Encalada 1,2,* and José Luis Castillo Sequera 3. 1 Department of Informatics and Electronics, Polytechnic School of Chimborazo, Riobamba 060155, EC, Ecuador. 2 Department of Doctorate in Systems Engineering and Computer Science, National University of San Marcos, Lima 15081, Peru; [email protected]. 3 Department of Computer Sciences, Higher Polytechnic School, University of Alcala, 28871 Alcala de Henares, Spain; [email protected]. * Correspondence: [email protected]; Tel.: +593-032-969-472. Academic Editor: Yunsick Sung. Received: 1 May 2017; Accepted: 3 July 2017; Published: 13 July 2017.

    Abstract: In recent years, we have seen a significant number of new technological ideas appearing in literature discussing the future of education. For example, E-learning, cloud computing, social networking, virtual laboratories, virtual realities, virtual worlds, massive open online courses (MOOCs), and bring your own device (BYOD) are all new concepts of immersive and global education that have emerged in educational literature. One of the greatest challenges presented to e-learning solutions is the reproduction of the benefits of an educational institution's physical laboratory. For a university without a computing lab, to obtain hands-on IT training with software, operating systems, networks, servers, storage, and cloud computing similar to that which could be received on a university campus computing lab, it is necessary to use a combination of technological tools. Such teaching tools must promote the transmission of knowledge, encourage interaction and collaboration, and ensure students obtain valuable hands-on experience.
  • Administration Guide: SUSE Linux Enterprise High Availability Extension 15 SP1, by Tanja Roth and Thomas Schraitle
    SUSE Linux Enterprise High Availability Extension 15 SP1 Administration Guide, by Tanja Roth and Thomas Schraitle.

    This guide is intended for administrators who need to set up, configure, and maintain clusters with SUSE® Linux Enterprise High Availability Extension. For quick and efficient configuration and administration, the product includes both a graphical user interface and a command line interface (CLI). For performing key tasks, both approaches are covered in this guide. Thus, you can choose the appropriate tool that matches your needs.

    Publication Date: September 24, 2021. SUSE LLC, 1800 South Novell Place, Provo, UT 84606, USA. https://documentation.suse.com

    Copyright © 2006–2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled "GNU Free Documentation License". For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE ...
  • Cloud Computing Bible Is a Wide-Ranging and Complete Reference
    Cloud Computing Bible, by Barrie Sosinsky. A thorough, down-to-earth look at cloud computing.

    The chance to lower IT costs makes cloud computing a hot topic, and it's getting hotter all the time. If you want a terra firma take on everything you should know about the cloud, this book is it. Starting with a clear definition of what cloud computing is, why it is, and its pros and cons, Cloud Computing Bible is a wide-ranging and complete reference. You'll get thoroughly up to speed on cloud platforms, infrastructure, services and applications, security, and much more.

    - Learn what cloud computing is and what it is not
    - Assess the value of cloud computing, including licensing models, ROI, and more
    - Understand abstraction, partitioning, virtualization, capacity planning, and various programming solutions
    - See how to use Google®, Amazon®, and Microsoft® Web services effectively
    - Explore cloud communication methods — IM, Twitter®, Google Buzz™, Facebook®, and others
    - Discover how cloud services are changing mobile phones — and vice versa

    About the author: Barrie Sosinsky is a veteran computer book writer specializing in network systems, databases, design, development, and testing. Among his 35 technical books have been Wiley's Networking Bible and many others on operating systems, Web topics, storage, and application software. He has written nearly 500 articles for computer magazines and Web sites.

    Explore the cloud with this complete guide. Understand all platforms and technologies. Use Google, Amazon, or ... www.wiley.com/compbooks. Shelving Category: ...
  • Understanding the Cloud Computing Landscape
    Chapter 1. Understanding the Cloud Computing Landscape. Lamia Youseff, Dilma M. Da Silva, Maria Butrico, and Jonathan Appavoo.

    Contents
    1.1 Introduction
    1.2 Cloud Systems Classifications
    1.3 SPI Cloud Classification
      1.3.1 Cloud Software Systems
      1.3.2 Cloud Platform Systems
      1.3.3 Cloud Infrastructure Systems
    1.4 UCSB-IBM Cloud Ontology
      1.4.1 Applications (SaaS)
      1.4.2 Cloud Software Environment (PaaS)
      1.4.3 Cloud Software Infrastructure
      1.4.4 Software Kernel Layer
      1.4.5 Cloud Hardware/Firmware
    1.5 Jackson's Expansion on the UCSB-IBM Ontology
    1.6 Hoff's Cloud Model
    1.7 Discussion
  • BDES-222 IBM Reference Architecture OpenShift 200206
    IBM Cloud Solution Brief: Cloud Security for Hybrid Cloud Implementations with OpenShift. Web layer security across all cloud environments with IBM CIS.

    Highlights:
    - The Web Application Firewall provides seamless integration with security and performance products including DDoS, Bot Management, CDN
    - DDoS protection ensures cloud and on-premise applications are always available
    - Standardize security SLAs across on-premise and multi-cloud environments
    - Global load balancing and performance optimizations can reduce visitor latency by over 2x
    - Simplified DNS management across cloud environments

    OpenShift Flexibility. The public cloud continues to grow and, according to Gartner, it is estimated that "cloud shift" across key enterprise IT markets will increase to 28% by 2022, up from 19% in 2018. IT organizations are increasingly challenged by a variety of management tools that will only increase in complexity in the coming years. CIOs are stretched thin to maintain the SLAs of the past while supporting the latest usage models that employees and customers are demanding. As a result, enterprises need the right combination of security and flexibility. Many enterprise data centers depend on Red Hat OpenShift to manage a variety of business-critical workloads while providing DevOps the flexibility of deploying containers on any cloud environment.

    The benefits of hybrid cloud management with IBM Cloud. IBM Cloud was designed to support a variety of application workloads and environments, including hybrid cloud models. With IBM, you benefit from an open platform that supports Kubernetes container infrastructure, integrated solutions, and DevOps support. IBM helps with cloud migration, modernization, and cloud-native applications. You get all of this with a resilient networking tier that protects your data from DDoS attacks and handles load balancing to avoid network downtime.
  • Introduction to Linux Virtual Server and High Availability
    Introduction to Linux Virtual Server and High Availability. Chen Kaiwang ([email protected]), December 5, 2011. Slide deck: LVS-DR and Keepalived.

    "If you don't know the theory, you don't have a way to be rigorous." Robert J. Shiller, http://www.econ.yale.edu/~shiller/

    Misery stories:
    - Jul 2011: Too many connections at zongheng.com
    - Aug 2011: Realserver maintenance at 173.com (quiescent persistent connections)
    - Nov 2011: Health check at 173.com
    - Nov 2011: Virtual service configuration at 173.com (persistent session data)

    Outline of Part I, Introduction to Linux Virtual Server: Configuration Overview; Netfilter Architecture; Job Scheduling (Scheduling Basics, Scheduling Algorithms); Connection Affinity (Persistence Template, Persistence Granularity); Quirks.

    Outline of Part II, HA Basics: LVS High Availability (Realserver Failover, Director Failover); Solutions (Heartbeat, Keepalived).

    Part I. Introduction to Linux Virtual Server. A Linux Virtual Server (LVS) is a group of servers that appear to the client as one large, fast, reliable (highly available) server.
  • Keepalived User Guide Release 1.4.3
    Keepalived User Guide, Release 1.4.3. Alexandre Cassen and Contributors, March 06, 2021.

    Contents
    1 Introduction
    2 Software Design
    3 Load Balancing Techniques
    4 Installing Keepalived
    5 Keepalived configuration synopsis
    6 Keepalived programs synopsis
    7 IPVS Scheduling Algorithms
    8 IPVS Protocol Support
    9 Configuring SNMP Support
    10 Case Study: Healthcheck
    11 Case Study: Failover using VRRP
    12 Case Study: Mixing Healthcheck & Failover
    13 Terminology
    14 License
    15 About These Documents
    16 TODO List
    Index

    Chapter 1. Introduction. Load balancing is a method of distributing IP traffic across a cluster of real servers, providing one or more highly available virtual services. When designing load-balanced topologies, it is important to account for the availability of the load balancer itself as well as the real servers behind it. Keepalived provides frameworks for both load balancing and high availability. The load balancing framework relies on the well-known and widely used Linux Virtual Server (IPVS) kernel module, which provides Layer 4 load balancing. Keepalived implements a set of health checkers to dynamically and adaptively maintain and manage load balanced server pools according to their health. High availability is achieved by the Virtual Router Redundancy Protocol (VRRP). VRRP is a fundamental brick for router failover. In addition, keepalived implements a set of hooks to the VRRP finite state machine providing low-level and high-speed protocol interactions. Each Keepalived framework can be used independently or together to provide resilient infrastructures. In this context, the load balancer may also be referred to as a director or an LVS router.
  • Ubuntu Server Guide
    Ubuntu Server Guide. Welcome to the Ubuntu Server Guide! This site includes information on using Ubuntu Server for the latest LTS release, Ubuntu 20.04 LTS (Focal Fossa). For an offline version as well as versions for previous releases see below.

    Improving the Documentation. If you find any errors or have suggestions for improvements to pages, please use the link at the bottom of each topic titled: "Help improve this document in the forum." This link will take you to the Server Discourse forum for the specific page you are viewing. There you can share your comments or let us know about bugs with any page.

    PDFs and Previous Releases. Below are links to the previous Ubuntu Server release server guides as well as an offline copy of the current version of this site: Ubuntu 20.04 LTS (Focal Fossa): PDF; Ubuntu 18.04 LTS (Bionic Beaver): Web and PDF; Ubuntu 16.04 LTS (Xenial Xerus): Web and PDF.

    Support. There are a couple of different ways that the Ubuntu Server edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably-priced support contracts on a per desktop or per-server basis. For more information see the Ubuntu Advantage page. Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions.
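The LVS-DR slides and the Keepalived User Guide entries above describe the two frameworks in the abstract: IPVS for Layer 4 load balancing with health checkers, and VRRP for failover of the director itself. The configuration below is an added example written for this page; it is not taken from either document and is not Keepalived's or the slide author's own configuration. It shows one director that runs both frameworks at once, using the real keepalived.conf keywords (vrrp_instance, virtual_server, real_server, TCP_CHECK, HTTP_GET, sorry_server). All addresses are from the RFC 5737 documentation range and the interface name, router id, weights and health-check path are assumptions.

```conf
# Added example, not from the Keepalived User Guide or the LVS slides.
# Addresses (192.0.2.0/24) are documentation addresses and are assumed.

global_defs {
    router_id lvs-director-1
}

# --- High availability: VRRP instance protecting the director itself ---
vrrp_instance VI_LVS {
    state BACKUP            # both directors start as BACKUP; priority elects the master
    interface eth0
    virtual_router_id 51
    priority 100            # the peer director is configured with a lower value, e.g. 90
    advert_int 1
    nopreempt               # a recovered director does not take the VIP back immediately,
                            # so the service does not flap a second time while it warms up
    # Send advertisements to the named peer instead of multicast 224.0.0.18.
    # Pair this with a host firewall rule that accepts IP protocol 112 (VRRP)
    # only from the peer: any host on the segment that can deliver a
    # higher-priority advertisement can otherwise claim the VIP.
    unicast_src_ip 192.0.2.11
    unicast_peer {
        192.0.2.12
    }
    authentication {
        auth_type PASS      # PASS travels in cleartext; it guards against a
        auth_pass s3cr3t01  # misconfigured peer, not against an attacker (max 8 chars)
    }
    virtual_ipaddress {
        192.0.2.100/24 dev eth0
    }
}

# --- Load balancing: IPVS virtual service in direct-routing (DR) mode ---
virtual_server 192.0.2.100 80 {
    delay_loop 6            # seconds between health-check rounds
    lb_algo wrr             # weighted round robin
    lb_kind DR              # real servers reply to clients directly; each must hold
                            # the VIP on a non-ARPing interface (for example lo)
    persistence_timeout 50  # seconds a client address stays pinned to one real server
    protocol TCP

    # Used only when every real server has failed its health check.
    sorry_server 192.0.2.20 80

    real_server 192.0.2.21 80 {
        weight 2
        HTTP_GET {
            url {
                path /healthz
                status_code 200
            }
            connect_timeout 3
            delay_before_retry 2
        }
    }
    real_server 192.0.2.22 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 80
        }
    }
}
```

Two operational points this example makes visible. First, the "quiescent persistent connections" story in the LVS slides is exactly what `persistence_timeout` produces: when a real server is quiesced for maintenance (weight set to 0), IPVS keeps routing returning clients to it through their persistence templates unless the kernel is told to expire those templates (`sysctl net.ipv4.vs.expire_quiescent_template=1`). Second, the VRRP part is the part an attacker on the same segment cares about; unicast peers plus a protocol-112 firewall rule are what actually narrow who can take over the VIP, since `auth_type PASS` offers no cryptographic protection.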