
Securing Your Cloud: IBM Security for LinuxONE

IBM Redbooks, International Technical Support Organization
Authors: Edi Lopes Alves, Klaus Egeler, Karen Medhat Fahmy, Felipe Cardeneti Mendes, Maciej Olejniczak
July 2019, SG24-8447-00

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (July 2019)
This edition applies to Version 7, Release 1 of z/VM and the IBM Resource Access Control Facility Security Server for z/VM.

© Copyright International Business Machines Corporation 2019. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  vii
Trademarks  viii
Preface  ix
  Authors  ix
  Now you can become a published author, too!  x
  Comments welcome  x
  Stay connected to IBM Redbooks  xi

Chapter 1. IBM LinuxONE essentials  1
  1.1 LinuxONE architecture and hardware  2
  1.2 LinuxONE architecture  2
  1.3 IBM LinuxONE servers  3
    1.3.1 IBM LinuxONE Emperor II  3
    1.3.2 IBM LinuxONE Rockhopper II  6
  1.4 LinuxONE as a secure platform  9
    1.4.1 The need for a secure platform  9
    1.4.2 Security with LinuxONE  9
    1.4.3 Using LinuxONE Security to create a secure cloud  11
    1.4.4 IBM Hyper Protect Services overview  12

Chapter 2. Introduction to security on IBM LinuxONE  15
  2.1 Why security matters  16
  2.2 Hardware security features overview  16
  2.3 Pervasive encryption  17
  2.4 IBM LinuxONE cryptographic hardware features  18
    2.4.1 CP Assist for Cryptographic Function  18
    2.4.2 Crypto-Express6S  19
  2.5 Benefits of hardware crypto  19
  2.6 Using RACF to secure your cloud infrastructure  20
    2.6.1 Principle of best matching profile  21
  2.7 RACF DB organization and structure  22
    2.7.1 Database definition to the system  22
    2.7.2 Internal organization of RACF database specifying class options  22

Chapter 3. IBM z/VM hypervisor  25
  3.1 Virtualization  26
    3.1.1 Virtualization benefits  26
    3.1.2 Hardware virtualization  27
  3.2 z/VM hypervisor and LinuxONE servers  27
    3.2.1 z/VM 7.1 overview  28
    3.2.2 Single System Image overview  29
    3.2.3 Security settings in an SSI cluster  31
    3.2.4 Controlling the System Operator  32
    3.2.5 System Configuration file  32
    3.2.6 Addressing password security  35
    3.2.7 Implementing CP LOGONBY  35
    3.2.8 Role-based access controls and CP privilege classes  37
  3.3 Device management  38
  3.4 Securing the data  38
    3.4.1 Securing your minidisks  39
    3.4.2 Encrypting z/VM page volumes  39
    3.4.3 Securing GUEST LANS and virtual switches  41
  3.5 Securing your communication  42
    3.5.1 Encrypting your communication  42
    3.5.2 z/VM Cryptographic definitions  44
    3.5.3 Checking the cryptographic card definitions in z/VM  48
  3.6 z/VM connectivity  50
    3.6.1 DEVICE and LINK statements  50
    3.6.2 HiperSockets VSWITCH Bridge  51
    3.6.3 Security considerations  52
  3.7 Remote Spooling Communications Subsystem  52

Chapter 4. IBM Resource Access Control Facility Security Server for IBM z/VM  55
  4.1 RACF z/VM concepts  57
    4.1.1 External security manager  57
    4.1.2 Security policy  57
  4.2 Activating and configuring RACF  59
    4.2.1 Post-activation tasks  59
    4.2.2 Building the RACF enabled CPLOAD MODULE  77
    4.2.3 Updating the RACF database and options  80
    4.2.4 Placing RACF into production  84
    4.2.5 Using HCPRWAC  85
  4.3 RACF management processes  88
    4.3.1 DirMaint changes to work with RACF  88
    4.3.2 RACF authorization concepts  90
    4.3.3 Adding virtual machines and resources to the system and RACF database  90
    4.3.4 Securing your minidisks with RACF  97
    4.3.5 Securing guest LANs and virtual switches with RACF  99
    4.3.6 Labeled security and mandatory access control  101
    4.3.7 Backing up the RACF database  103
    4.3.8 RACF recovery options  ...
Details: PDF, 274 pages, English.