Front cover Security on the IBM Mainframe Operating system and application security IBM Security Blueprint and Framework IBM mainframe security concepts Karan Singh Lennie Dymoke-Bradshaw Thomas Castiglion Pekka Hanninen Vincente Ranieri Junior Patrick Kappeler ibm.com/redbooks International Technical Support Organization Security on the IBM Mainframe April 2010 SG24-7803-00 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. First Edition (April 2010) This edition applies to the IBM System z10 Enterprise Class server, the IBM System z10 Business Class server, and Version 1, Release 11, Modification 0 of z/OS (product number 5694-A01). © Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . .x Preface . xi The team who wrote this book . xi Now you can become a published author, too! . xii Comments welcome. xii Stay connected to IBM Redbooks . xiii Part 1. Introduction . 1 Chapter 1. Introduction. 3 1.1 IBM Security Framework. 4 1.1.1 People and identity . 5 1.1.2 Data and information. 5 1.1.3 Application and process . 5 1.1.4 Network, server, and endpoint . 5 1.1.5 Physical Infrastructure . 6 1.2 Framework and Blueprint . 7 1.3 IBM Security Blueprint. 7 Chapter 2. Security of the IBM Mainframe: yesterday and today . 13 2.1 Operating systems . 14 2.1.1 z/OS operating system family . 14 2.1.2 z/VM Hypervisor family . 15 2.1.3 z/VSE family . 15 2.1.4 z/TPF family . 15 2.1.5 Linux . 15 2.2 History of the mainframe . 16 2.2.1 Late 1960s . 16 2.2.2 Early 1970s . 17 2.2.3 Late 1970s . 17 2.2.4 Early 1980s . 18 2.2.5 Late 1980s . 18 2.2.6 Early 1990s . 19 2.2.7 Late 1990s . 19 2.2.8 Early 2000s . 20 2.2.9 Late 2000s . 20 2.3 The mainframe today . 21 2.3.1 Personnel and roles . 21 2.3.2 Role of mainframe. 22 2.3.3 Maintenance and history. 22 2.3.4 Change control and continuous availability. 23 2.4 Statements of integrity . 24 2.5 Certification . 26 2.5.1 Some history . 26 2.5.2 Practical purpose for a Common Criteria evaluation. 27 2.5.3 The Common Criteria evaluation model . 27 2.5.4 The evaluation process. 28 © Copyright IBM Corp. 2010. All rights reserved. iii 2.6 Trusted programs . 29 2.7 Interoperability. 30 2.7.1 An important set of universally adopted standards . 30 2.7.2 The role of the mainframe in a security architecture. 32 Part 2. Technical view. 33 Chapter 3. z/Architecture: hardware and z/OS concepts. 35 3.1 System components . 36 3.1.1 Server components. 36 3.1.2 System assist processor (SAP). 36 3.1.3 Channels. 37 3.1.4 Channel paths. 37 3.1.5 Expanded storage. 37 3.1.6 Crypto . 37 3.1.7 ETR. 37 3.2 z/OS storage concepts . 38 3.2.1 Processor storage overview . 38 3.2.2 The address space concept . 39 3.2.3 System initialization . 51 3.2.4 Hardware registers . 53 3.2.5 Interrupt events . 60 Chapter 4. Virtualization . ..