Front cover Security on z/VM z/VM in the enterprise security solution - Sample scenarios z/VM security features, LDAP, RACF Cryptography with Linux guests on z/VM Paola Bari Helio Almeida Gary Detro David Druker Marian Gasparovic Manfred Gnirss Jean Francois Jiguet Michel Raicher ibm.com/redbooks International Technical Support Organization Security on z/VM November 2007 SG24-7471-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (November 2007) This edition (SG24-7471-00) applies to the z/VM V5R3. © Copyright International Business Machines Corporation 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix The team that wrote this book . ix Become a published author . xi Comments welcome. xi Chapter 1. z/VM and security . 1 1.1 Introduction to z/VM virtualization . 2 1.2 z/VM security features. 4 1.2.1 The SIE instruction . 5 1.2.2 System z cryptographic solution . 5 1.2.3 Intrusion detection. 7 1.2.4 Accountability . 7 1.2.5 Certification . 7 1.2.6 Debugging in a virtual environment. 9 1.2.7 Virtual networking . 9 1.2.8 Compliance to policy. 10 1.3 Additional features . 16 1.3.1 The Resource Access Control Facility . 16 1.3.2 LDAP. 17 1.3.3 z/VM VSWITCH networking . 18 Chapter 2. RACF feature of z/VM . 21 2.1 RACF z/VM concepts . 22 2.2 Installing and configuring RACF . 22 2.2.1 Post-installation tasks . 23 2.2.2 Build the RACF enabled CPLOAD MODULE . 33 2.2.3 Update the RACF database and options . 36 2.2.4 Place RACF into production . 40 2.2.5 Using HCPRWAC . 41 2.3 RACF management processes . 44 2.3.1 DirMaint changes to work with RACF . 44 2.3.2 RACF authorization concepts . 48 2.3.3 RACF passwords and password phrases. 48 2.3.4 Adding virtual machines and resources to the system and the RACF database . 54 2.3.5 Implementing LOGONBY with RACF . 61 2.3.6 Managing VSWITCH and Guest LANS. 64 2.3.7 Managing RSCS nodes . 67 2.4 RACF security labels. 72 2.4.1 Security labels overview . 72 2.4.2 Creating a security label . 73 2.4.3 Security label naming restrictions . 73 2.4.4 Security label NONE . 74 2.5 RACF auditing. 74 2.5.1 Enabling auditing . 74 2.5.2 RACF Data Security Monitor Utility (RACDSMON). 76 2.5.3 RACF SMF Data Unload Utility (RACFADU) . 84 © Copyright IBM Corp. 2007. All rights reserved. iii 2.5.4 RACF report writer utility (RACFRW) . 90 2.6 RACF database backup . 96 2.6.1 RACF database verification utility program (IRRUT200) . 96 2.6.2 RACF database Split/Merge/Extend utility program (IRRUT400) . 97 2.6.3 The RACF database unload utility (IRRDBU00) . 104 Chapter 3. z/VM LDAP server . 111 3.1 LDAP terminology . 112 3.1.1 LDIF files. 114 3.2 z/VM LDAP . 115 3.2.1 LDAP client . 115 3.2.2 z/VM LDAP back end services . 116 3.2.3 Native authentication . 117 3.2.4 Multiple back end services . 118 3.2.5 Multiple servers. 118 3.3 Installing z/VM LDAP server . 119 3.3.1 Implementing a new TCP/IP stack . 120 3.3.2 Creating the LDAP server . 123 3.3.3 Creating a BFS file pool VMSERVL . 126 3.3.4 Configuring the LDAP server . 129 Chapter 4. Implementing Pluggable Authentication Modules LDAP for Linux servers. 137 4.1 PAM and Name Service Switch . 138 4.1.1 PAM configuration files . 138 4.1.2 Linux Name Service Switch . 138 4.2 Configuring PAM LDAP and NSS . 138 4.2.1 SUSE Linux. 138 4.2.2 Red Hat Linux . ..
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages348 Page
-
File Size-