Security on the IBM Mainframe


Front cover

Security on the IBM Mainframe
Operating system and application security
IBM Security Blueprint and Framework
IBM mainframe security concepts

Karan Singh, Lennie Dymoke-Bradshaw, Thomas Castiglion, Pekka Hanninen, Vincente Ranieri Junior, Patrick Kappeler

ibm.com/redbooks
International Technical Support Organization

Security on the IBM Mainframe
April 2010
SG24-7803-00

Note: Before using this information and the product it supports, read the information in "Notices" on page ix.

First Edition (April 2010)

This edition applies to the IBM System z10 Enterprise Class server, the IBM System z10 Business Class server, and Version 1, Release 11, Modification 0 of z/OS (product number 5694-A01).

© Copyright International Business Machines Corporation 2010. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices ... ix
Trademarks ... x
Preface ... xi
  The team who wrote this book ... xi
  Now you can become a published author, too! ... xii
  Comments welcome ... xii
  Stay connected to IBM Redbooks ... xiii

Part 1. Introduction ... 1

Chapter 1. Introduction ... 3
  1.1 IBM Security Framework ... 4
    1.1.1 People and identity ... 5
    1.1.2 Data and information ... 5
    1.1.3 Application and process ... 5
    1.1.4 Network, server, and endpoint ... 5
    1.1.5 Physical Infrastructure ... 6
  1.2 Framework and Blueprint ... 7
  1.3 IBM Security Blueprint ... 7

Chapter 2. Security of the IBM Mainframe: yesterday and today ... 13
  2.1 Operating systems ... 14
    2.1.1 z/OS operating system family ... 14
    2.1.2 z/VM Hypervisor family ... 15
    2.1.3 z/VSE family ... 15
    2.1.4 z/TPF family ... 15
    2.1.5 Linux ... 15
  2.2 History of the mainframe ... 16
    2.2.1 Late 1960s ... 16
    2.2.2 Early 1970s ... 17
    2.2.3 Late 1970s ... 17
    2.2.4 Early 1980s ... 18
    2.2.5 Late 1980s ... 18
    2.2.6 Early 1990s ... 19
    2.2.7 Late 1990s ... 19
    2.2.8 Early 2000s ... 20
    2.2.9 Late 2000s ... 20
  2.3 The mainframe today ... 21
    2.3.1 Personnel and roles ... 21
    2.3.2 Role of mainframe ... 22
    2.3.3 Maintenance and history ... 22
    2.3.4 Change control and continuous availability ... 23
  2.4 Statements of integrity ... 24
  2.5 Certification ... 26
    2.5.1 Some history ... 26
    2.5.2 Practical purpose for a Common Criteria evaluation ... 27
    2.5.3 The Common Criteria evaluation model ... 27
    2.5.4 The evaluation process ... 28
  2.6 Trusted programs ... 29
  2.7 Interoperability ... 30
    2.7.1 An important set of universally adopted standards ... 30
    2.7.2 The role of the mainframe in a security architecture ... 32

Part 2. Technical view ... 33

Chapter 3. z/Architecture: hardware and z/OS concepts ... 35
  3.1 System components ... 36
    3.1.1 Server components ... 36
    3.1.2 System assist processor (SAP) ... 36
    3.1.3 Channels ... 37
    3.1.4 Channel paths ... 37
    3.1.5 Expanded storage ... 37
    3.1.6 Crypto ... 37
    3.1.7 ETR ... 37
  3.2 z/OS storage concepts ... 38
    3.2.1 Processor storage overview ... 38
    3.2.2 The address space concept ... 39
    3.2.3 System initialization ... 51
    3.2.4 Hardware registers ... 53
    3.2.5 Interrupt events ... 60

Chapter 4. Virtualization ...