Designing for Solution-Based Security on z/OS

Front cover

Designing for Solution-Based Security on z/OS

A comprehensive overview of z/OS-provided security services
A discussion of z/OS security, Tivoli products, and On Demand Expert considerations on implementation and use

Authors: Patrick Kappeler, Rama Ayyar, Christian Chateauvieux, Arnauld Desprets, Gillian Gainsford, Pedro Siena Neto, Alain Roessle, Mohinze Tidjani, Mark Womack

ibm.com/redbooks
International Technical Support Organization

Designing for Solution-Based Security on z/OS
October 2008
SG24-7344-00

Note: Before using this information and the product it supports, read the information in "Notices" on page ix.

First Edition (October 2008)
This edition applies to Version 1, Release 9 of z/OS (product number 5694-A01).

© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices  ix
Trademarks  x
Preface  xi
    The team that wrote this book  xi
    Become a published author  xiii
    Comments welcome  xiii

Chapter 1. Some security basics - today's challenges  1
    1.1 Heterogeneity everywhere  2
    1.2 Security challenges in today's installations  2
        1.2.1 More on installation security policies  3
        1.2.2 A word about security architecture  4
    1.3 The end-to-end security challenges in the on-demand world  4
        1.3.1 The concepts of SOA  5
        1.3.2 What it means to go to SOA from the security standpoint  5
    1.4 Some technical assets for implementing end-to-end security  5
        1.4.1 A high-level definition of what the required security services are  6
        1.4.2 An important set of universally adopted standards  7
    1.5 Today's obstacles to the implementation of end-to-end security  9
        1.5.1 Islands of non-standardization  9
        1.5.2 The end-to-end accountability problem  10
        1.5.3 Approaches for possible solutions  10
    1.6 The role of the mainframe in a security architecture  11

Chapter 2. System z platform security and certifications  13
    2.1 The heritage  14
        2.1.1 Synergy between hardware and software  14
    2.2 Virtualized environments and security  15
        2.2.1 Security and virtualization  15
        2.2.2 Certification of virtualized environment security  16
        2.2.3 z/VM certification  17
        2.2.4 PR/SM certification  18
    2.3 The System z operating system security  18
        2.3.1 z/OS  18
        2.3.2 z/VM  19
        2.3.3 z/VSE  22
        2.3.4 Linux for System z  23

Chapter 3. z/OS security services  25
    3.1 The overall views  25
    3.2 z/OS security services and APIs  27
        3.2.1 z/OS Cryptographic Services  27
        3.2.2 z/OS Integrated Security Services  29
        3.2.3 IBM Tivoli Directory Server for z/OS  31
        3.2.4 z/OS Security Level 3 optional feature  35
        3.2.5 Security functions in the z/OS Communications Server  36
        3.2.6 Communications Server Security Level 3 optional feature  37
        3.2.7 Additional product - OpenSSH for z/OS  37
    3.3 A word on authorized programs and the z/OS APF facility  37
    3.4 A word about auditing  38
        3.4.1 RACF auditing data  38
        3.4.2 Syslog daemon (syslogd)  39

Chapter 4. Focusing on the z/OS Security Server (RACF)  41
    4.1 What is RACF  41
        4.1.1 The RACF infrastructure for identification, authentication, and authorization  42
        4.1.2 Sharing or synchronization of the RACF data base  44
    4.2 RACF security functions  44
        4.2.1 Identification and authentication  45
        4.2.2 User identity mapping for digital certificates  46
        4.2.3 User identity mapping for Kerberos tickets  47
        4.2.4 Resource access control  47
        4.2.5 X.509 digital certificate management  49
        4.2.6 RACF as a Kerberos user registry  49
        4.2.7 Remote security services via the z/OS LDAP server  49
        4.2.8 Support of the J2EE security model  50
    4.3 RACF auditing  51
        4.3.1 The RACF auditing infrastructure  51
        4.3.2 RACF auditing controls  53
        4.3.3 Exploitation of RACF auditing SMF records  56
    4.4 Accessing RACF from Java applications  58
        4.4.1 Java API for RACF services in the IBM JDK  58
        4.4.2 Java APIs in z/OS for RACF services  58
    4.5 Accessing RACF using the LDAP protocol  59
        4.5.1 Administering the RACF users and groups through LDAP  60
        4.5.2 LDAP Change Log for changes in RACF USER and GROUP profiles and users-to-groups connections  61
        4.5.3 RACF Password Enveloping  63
        4.5.4 RACF remote services at z/OS V1R8  64
    4.6 Complementing z/OS RACF  69
        4.6.1 IBM Tivoli zSecure administration products  70
        4.6.2 IBM Tivoli zSecure CICS Toolkit  72
        4.6.3 Risk and compliance products  73

Chapter 5. A brief reminder about System z integrated hardware cryptography  79
