Security on Z/VM

Front cover

Security on z/VM
z/VM in the enterprise security solution - sample scenarios
z/VM security features, LDAP, RACF
Cryptography with Linux guests on z/VM

Authors: Paola Bari, Helio Almeida, Gary Detro, David Druker, Marian Gasparovic, Manfred Gnirss, Jean Francois Jiguet, Michel Raicher

ibm.com/redbooks
International Technical Support Organization
Security on z/VM
November 2007
SG24-7471-00

Note: Before using this information and the product it supports, read the information in “Notices” on page vii.

First Edition (November 2007). This edition (SG24-7471-00) applies to z/VM V5R3.

© Copyright International Business Machines Corporation 2007. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
  Trademarks
Preface
  The team that wrote this book
  Become a published author
  Comments welcome
Chapter 1. z/VM and security
  1.1 Introduction to z/VM virtualization
  1.2 z/VM security features
    1.2.1 The SIE instruction
    1.2.2 System z cryptographic solution
    1.2.3 Intrusion detection
    1.2.4 Accountability
    1.2.5 Certification
    1.2.6 Debugging in a virtual environment
    1.2.7 Virtual networking
    1.2.8 Compliance to policy
  1.3 Additional features
    1.3.1 The Resource Access Control Facility
    1.3.2 LDAP
    1.3.3 z/VM VSWITCH networking
Chapter 2. RACF feature of z/VM
  2.1 RACF z/VM concepts
  2.2 Installing and configuring RACF
    2.2.1 Post-installation tasks
    2.2.2 Build the RACF enabled CPLOAD MODULE
    2.2.3 Update the RACF database and options
    2.2.4 Place RACF into production
    2.2.5 Using HCPRWAC
  2.3 RACF management processes
    2.3.1 DirMaint changes to work with RACF
    2.3.2 RACF authorization concepts
    2.3.3 RACF passwords and password phrases
    2.3.4 Adding virtual machines and resources to the system and the RACF database
    2.3.5 Implementing LOGONBY with RACF
    2.3.6 Managing VSWITCH and Guest LANs
    2.3.7 Managing RSCS nodes
  2.4 RACF security labels
    2.4.1 Security labels overview
    2.4.2 Creating a security label
    2.4.3 Security label naming restrictions
    2.4.4 Security label NONE
  2.5 RACF auditing
    2.5.1 Enabling auditing
    2.5.2 RACF Data Security Monitor Utility (RACDSMON)
    2.5.3 RACF SMF Data Unload Utility (RACFADU)
    2.5.4 RACF report writer utility (RACFRW)
  2.6 RACF database backup
    2.6.1 RACF database verification utility program (IRRUT200)
    2.6.2 RACF database Split/Merge/Extend utility program (IRRUT400)
    2.6.3 The RACF database unload utility (IRRDBU00)
Chapter 3. z/VM LDAP server
  3.1 LDAP terminology
    3.1.1 LDIF files
  3.2 z/VM LDAP
    3.2.1 LDAP client
    3.2.2 z/VM LDAP back end services
    3.2.3 Native authentication
    3.2.4 Multiple back end services
    3.2.5 Multiple servers
  3.3 Installing z/VM LDAP server
    3.3.1 Implementing a new TCP/IP stack
    3.3.2 Creating the LDAP server
    3.3.3 Creating a BFS file pool VMSERVL
    3.3.4 Configuring the LDAP server
Chapter 4. Implementing Pluggable Authentication Modules LDAP for Linux servers
  4.1 PAM and Name Service Switch
    4.1.1 PAM configuration files
    4.1.2 Linux Name Service Switch
  4.2 Configuring PAM LDAP and NSS
    4.2.1 SUSE Linux
    4.2.2 Red Hat Linux ...

Details

  • File Type
    pdf
  • File Pages
    348 Page