Security for Linux on System Z

Front cover

Security for Linux on System z

Learn about the new cryptography functions in the CEX3C
Deploy security-related technologies in Linux on System z
Understand protected key cryptography

Lydia Parziale, Jonathan Barney, Vic Cross, William Johnston, Eduardo Kienetz, Eric Marins, Nilesh Patel, Sri Venkatesen

ibm.com/redbooks

International Technical Support Organization
Security for Linux on System z
January 2013
SG24-7728-01

Note: Before using this information and the product it supports, read the information in "Notices" on page ix.

Second Edition (January 2013)

This edition applies to Version 6, Release 2, RSU 1101 of z/VM, SUSE Linux Enterprise Server version 11 Service Pack 2 and Red Hat Enterprise Linux version 6.2.

© Copyright International Business Machines Corporation 2010, 2013. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices . . . . . . . . . . ix
Trademarks . . . . . . . . . x

Preface . . . . . . . . . . xi
The team who wrote this book . . . . . . xii
Now you can become a published author, too! . . . . xiii
Comments welcome . . . . . . . . xiii
Stay connected to IBM Redbooks . . . . . xiv

Chapter 1. Introduction . . . . . . . 1
1.1 Hardware configuration . . . . . . 2
1.2 z/VM configuration . . . . . . . 2
1.3 Other software used . . . . . . . 2
1.4 Disk storage configurations . . . . . 2

Chapter 2. The z/VM security management support utilities . . . 3
2.1 The need for security management in z/VM . . . 4
2.1.1 Scaling up the proof-of-concept . . . . 4
2.2 External security management . . . . . 4
2.2.1 z/VM internal security . . . . . . 4
2.2.2 Reasons to use an ESM . . . . . . 5
2.2.3 Selective enablement of an ESM . . . . 7
2.3 User directory management . . . . . 7
2.3.1 User management . . . . . . . 7
2.3.2 Disk management . . . . . . . 8
2.4 Securing console access to z/VM virtual machines . . 9
2.4.1 The role of console management in securing your environment . 9
2.4.2 The z/VM LOGONBY function . . . . . 9
2.4.3 Using a console management utility . . . . 11
2.5 Securing network access to z/VM . . . . 14
2.5.1 X.509v3 digital certificates and trust hierarchies . . 15
2.5.2 z/VM Telnet server . . . . . . 16
2.5.3 z/VM FTP server . . . . . . . 25
2.6 Securing z/VM resources . . . . . . 27
2.6.1 Built-in security features . . . . . 27
2.6.2 Securing z/VM resources with RACF . . . . 30
2.6.3 Securing TCP/IP service machines with RACF . . 32
2.6.4 Centralized authentication . . . . . 32
2.6.5 Centralized audit . . . . . . . 33
2.7 z/VM Directory Maintenance Facility (DirMaint) . . . 41
2.7.1 DirMaint features . . . . . . . 41
2.7.2 Customizing DirMaint . . . . . . 42
2.7.3 Using DirMaint . . . . . . . 48
2.8 Other ESM and directory manager security observations in this book . 50

Chapter 3. Configuring and using the System z LDAP servers . . 51
3.1 The z/VM and z/OS LDAP servers . . . . 52
3.1.1 z/VM LDAP server backends . . . . . 52
3.1.2 The relationship between the LDAP servers and RACF . . 53
3.2 Setting up the z/OS LDAP server . . . . 53
3.2.1 Using dsconfig . . . . . . . 53
3.3 Setting up the z/VM LDAP server . . . . 55
3.3.1 Activating the z/VM LDAP server . . . . 55
3.3.2 Adding schema supplied by IBM to LDBM . . . 59
3.4 Extending the LDBM schema . . . . . 59
3.4.1 LDAP schema dependencies for Linux . . . . 60
3.4.2 Extending the schema of the z/VM LDAP server . . 61
3.5 LDBM and native authentication . . . . . 66
3.5.1 LDBM record with the userPassword attribute . . . 66
3.5.2 Creating a RACF account for an LDAP user . . . 67
3.5.3 Identifying the RACF account corresponding to the LDAP object . 67
3.6 Access control lists . . . . . . . 67
3.6.1 ACL permissions . . . . . . . 68
3.6.2 ACL format . . . . . . . . 68
3.6.3 Propagating ACLs . . . . . . . 69
3.6.4 Updating ACLs . . . . . . . 70
3.7 Linux authentication using the z/VM LDAP server . . . 71
3.7.1 Using YaST to enable LDAP on SLES 11 SP2 . . . 71
3.7.2 Enabling LDAP authentication on RHEL 6 . . . 74
3.7.3 Mapping the LDAP account to RACF . . . . 76
3.7.4 Password management with Linux and the z/VM LDAP server . 81
3.8 Using an OpenLDAP server with the z/VM LDAP server . . 86
3.8.1 The OpenLDAP rewrite-remap overlay . . . . 86
3.8.2 Configuring OpenLDAP to authenticate using z/VM LDBM . 86
3.8.3 Configuring OpenLDAP to authenticate using z/VM SDBM . 88
3.8.4 RACF password management with OpenLDAP slapo_rwm . 92
3.9 Centralizing Linux audit information with z/VM RACF . . 92
3.9.1 Enabling extended operations support in z/VM LDAP server . 93
3.9.2 RACF configuration . . . . . . . 94
3.9.3 Adding the @LINUX class to RACF . . . . 95
3.9.4 Linux configuration . . . . . . . ...

File type: PDF, 348 pages. Language: English.
