IBM System z

An Overview of Mainframe Security for Non-Mainframe Personnel
June 2013

Mike Smith (smithlmi@us.ibm.com)
With thanks to Greg Boyd

© 2013 IBM Corporation

Trademarks

The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: IBM*, IBM (logo)*, ibm.com*, AIX*, BladeCenter*, DataPower*, CICS*, DB2*, DS4000*, FICON*, IMS, Lotus*, POWER7, ProtecTIER*, RACF*, Rational*, System Storage, System x*, System z*, System z10, Tivoli*, WebSphere*, XIV*, zEnterprise, z/OS*, z/VM*, z/VSE.

* Registered trademarks of IBM Corporation

The following are trademarks or registered trademarks of other companies.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
InfiniBand is a trademark and service mark of the InfiniBand Trade Association.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.

* All other products may be trademarks or registered trademarks of their respective companies.

Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.

Agenda

• System z, z/OS, and z/VM Security Strategy
  – Most Securable System
  – Protecting the Borders of System z and its Data
  – Extending System z's Quality of Service (Security) to the Enterprise

• Some of the Current Security Features
  – RACF for z/OS and z/VM
  – z/OS Communications Server and its Tools for Cybersecurity
  – System z Hardware Encryption Features
  – Providing Protection for Data in Transit
  – Encrypting Data at Rest and Backups
  – Managing Digital Certificates with z/OS PKI Services
  – Extending Identity Management and Auditing with LDAP (z/OS and z/VM)

zEnterprise servers preserve and enhance the industry-renowned strengths of the IBM Security Framework without requiring changes to the current core business applications.

IBM continues to leverage and enhance the leading security capabilities provided by the z/OS and z/VM operating systems to build the tightest IT security hub, and further enhances enterprise security through new technology in authentication, authorization, encryption, auditing, and administration (grouped on the slide as the common best security practices, "the 5 A's").

The IBM Security Framework, as drawn on the slide:
• Security Governance, Risk Management and Compliance, spanning every layer below
• People and Identity
• Data and Information
• Application and Process
• Network, Server, and End-point
• Physical Infrastructure
• Common Policy, Event Handling and Reporting, underpinning all layers

The framework is delivered through professional services, managed services, and hardware and software, and is mapped against compliance and legal requirements such as PCI-DSS and HIPAA.

System z Integrity Statements

Designed to help protect your system, data, transactions, and applications from accidental or malicious modification.

• System integrity is the inability to bypass the security on system resources: no program that is not authorized by a mechanism under the installation's control should be able to circumvent or disable store or fetch protection, access a RACF-protected resource, or obtain control in an authorized state.
• IBM will always take action to resolve a case where the above can be circumvented.
• System z integrity statements and the Common Criteria certifications can be helpful proof points in addressing compliance requirements.

z/OS: ibm.com/servers/eserver/zseries/zos/racf/zos_integrity_statement.html
z/VM: http://www.vm.ibm.com/security/zvminteg.html

First issued in 1973, more than three decades ago. For System z, security has been a state of mind from design to delivery. IBM's commitment to z/OS system integrity was reaffirmed in September 2007.

Note what the statement does and does not cover: it is a commitment about the code IBM ships. Programs the installation itself authorizes (APF-authorized libraries, user SVCs, exits) are the "mechanism under the installation's control" and remain the installation's responsibility to review and protect.

What do you think of the Mainframe (System z)?

Forrester survey question: "Please rank which operating system category you feel is inherently more secure?"

Source: "Operating System Vendors: Do More To Help Users With Server Security", by Jennifer Albornoz Mulligan, Forrester Research, Inc., April 10, 2007 (document 41887), Figure 3, "Security Decision-Makers' Opinions On OSes' Security". Base: 75 decision-makers responsible for server security.

[Figure 3: respondents ranked five operating system categories from most secure (1) to least secure (5): Mainframe, Unix, Linux, Macintosh and Windows, with the mainframe ranked most secure.]

System z Evaluations & Certifications

The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT products and protection profiles.

z/VM
• Common Criteria: z/VM 5.3 and 6.1 at EAL 4+ for CAPP and LSPP
• System Integrity Statement

z/OS
• Common Criteria EAL4+ with CAPP and LSPP: z/OS 1.7 through 1.10 + RACF
• Common Criteria EAL4+ (OSPP): z/OS 1.11 + RACF, z/OS 1.12 + RACF, z/OS 1.13 + RACF
• Common Criteria EAL5: z/OS RACF 1.12 (OSPP)
• z/OS 1.10 IPv6 certification by JITC
• IdenTrust certification for z/OS PKI Services
• FIPS 140-2: System SSL (z/OS 1.10, 1.12 and 1.13); ICSF PKCS#11 services (z/OS 1.11, 1.12, 1.13)
• Statement of Integrity

Linux on System z
• Common Criteria: SUSE SLES10 certified at EAL4+ with CAPP; Red Hat EL5 at EAL4+ with CAPP and LSPP
• OpenSSL: FIPS 140-2 Level 1 validated
• CP Assist: SHA-1 validated for FIPS 180-1; DES and TDES validated for FIPS 46-3

Virtualization with partitions, and cryptography
• zEnterprise zEC12, z196 and z114: Common Criteria EAL5+ with a specific Target of Evaluation, LPAR (logical partitions)
• Crypto Express2, Crypto Express3 and Crypto Express4S coprocessors: FIPS 140-2 Level 4 hardware evaluation; approved by the German ZKA
• CP Assist: FIPS 197 (AES), FIPS 46-3 (TDES), FIPS 180-3 (Secure Hash)

A certification applies to the specific release and evaluated configuration named in its Security Target. A system running a later release, or configured differently from the evaluated configuration, is not automatically in the certified state, so an auditor relying on these proof points should check both.

How does System z fulfill its security strategy?

• ENHANCE its own host protection: a continuous process with advancements in digital certificates, RACF in both z/OS and z/VM, and tighter integration between Linux for System z, z/OS, and z/VM, strengthening its compliance, auditing, and monitoring capabilities.
• PROTECT the host interfaces and boundaries (this includes identities and data passing across these borders): additions of technologies such as the security features of the z/OS Communications Server, Tivoli Directory Server (LDAP) on both z/OS and z/VM, Kerberos enhancements, and PKI Services for z/OS.
• EXTEND the security quality of service into the enterprise: Encryption Facility for z/OS (to secure data if it has to leave the vault), Network Security Services and Policy Agent (for managing network security policies), z/VM guest LANs and virtual switches, the Linux audit plug-in as well as PAM with LDAP, TKLM and Tivoli Insight (IBM's SOA security is WebSphere, Tivoli, and vendor products, most of which can run on System z).
• SIMPLIFY the design, implementation, administration, and monitoring: the z/OS Management Facility (z/OSMF) and IBM Security zSecure, for example.

What's running inside the server

• Various logical partitions (LPARs) are defined to run multiple instances of an operating system.
• Internal resources like processors and channels can be shared among LPARs. Memory is NOT shared.
• Each LPAR is a separate system, with its own system files, APF libraries, RACF database, master catalog, applications and programs, and data and databases.
• There is no leakage of information from one LPAR to another. The EAL5+ evaluation of LPAR listed on the certifications slide is the formal evidence behind this separation claim.

What's running inside an LPAR?

z/OS tasks run in address spaces. A separate address space is created for each active user, batch job, or started task. Each address space is assigned an Accessor Environment Element (ACEE), the control block that describes the user ID (with its group, authorities and attributes) under which that address space runs; every later security check for work in that address space is made against this ACEE.

How are address spaces created?

• System address spaces are created at start-up time or as needed while the system is up.
• Started tasks can be started by Operations to perform pre-defined tasks.
• Batch jobs are submitted by users, a job scheduling system, or other tasks. When the address space is created, the job's authority is validated by RACF.
• Users log on after being authenticated.
• Transactions and requests from other systems.

One key to z/OS security is SAF

• SAF is a component of MVS (the z/OS BCP), NOT part of RACF.
• SAF is the System Authorization Facility element of z/OS. Its purpose is to provide the interface between the products requesting security services and the external security manager (RACF or similar) installed on the z/OS system.
• SAF provides an installation with centralized control over system security processing by using a system service called the SAF router. The SAF router provides a focal point and a common system interface for all products providing resource control.
• External security managers (ESMs) provide tables to SAF, which directs specific calls for security functions to specific routines within the ESM. The use of these tables allows z/OS to support pluggable ESMs, giving the installation the flexibility to determine which ESM to use.
• SAF and the SAF router are present on all z/OS systems regardless of whether an ESM is installed. Without an ESM, SAF tells its callers that no security decision could be made; it never grants or denies access itself.

RACF

• RACF is the Resource Access Control Facility. It is NOT an entitlement of the z/OS operating system but a priced feature: customers pay extra for RACF.
• RACF provides the capability to uniquely describe resources, users, and the relationships between them.
• When a user attempts to access a resource, the system (through SAF) calls RACF, which indicates whether or not that user has the requested access: permitted, denied, or, when the class is inactive or no profile covers the resource, no decision.
• It is then the system's decision, not RACF's, to allow or deny the access request. This matters most in the "no decision" case: a resource manager that treats an unprotected resource as accessible lets the request through, which is why protecting everything by default (SETROPTS PROTECTALL for data sets, for example) is a standard hardening step.

Basic Security Features and Functions

Resource, user, and group profiles

• A resource is any item on the system that may be used by a user, including address spaces, application and database systems (CICS, DB2) and their transactions, data (volumes, data sets), programs, the IP stack, and so on.
• A user is a consumer (an "exploiter", in mainframe usage) of resources.
• A protection profile describes the resource and who may do what with it.
• A user profile uniquely describes a user to the system.
• Users can be grouped together.
• Resource protection profiles are grouped together by class (DATASET, SERVAUTH, CSFSERV, and so on).
• Access to resources can be granted to a group rather than to each user individually.

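The contract described on the SAF, RACF and profile slides, modelled in Python as an added example (this is not IBM code, and real RACF applies many more rules): a resource manager asks for an authorization check, the SAF router hands it to whichever external security manager is installed, the ESM answers with a return code, and the resource manager, not the ESM, turns that code into allow or deny. Generic-profile matching, the most-specific-profile rule and list-of-groups checking are simplified and marked as assumptions in the comments. The sample profiles are constructed; they borrow the SERVAUTH, CSFSERV and CSFKEYS class names that appear later on this page and the EZB.STACKACCESS.sysname.tcpname form of SERVAUTH stack-access resource names.

```python
"""SAF -> ESM -> resource-manager authorization path (added example, not IBM code).
RACF generic naming, profile selection and group checking are simplified; rules in comments are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # lowest to highest
SAF_ALLOWED, SAF_NO_DECISION, SAF_DENIED = 0, 4, 8  # return codes seen by the caller


def qualifier_matches(pattern: str, text: str) -> bool:
    """One dot-separated qualifier: '%' matches exactly one character, '*' matches
    zero or more characters but never crosses a dot (simplified RACF generic naming)."""
    if not pattern:
        return not text
    if pattern[0] == "*":
        return any(qualifier_matches(pattern[1:], text[i:]) for i in range(len(text) + 1))
    return bool(text) and pattern[0] in ("%", text[0]) and qualifier_matches(pattern[1:], text[1:])


def profile_matches(profile: str, resource: str) -> bool:
    """Generic profile match over qualifiers; a '**' qualifier spans zero or more qualifiers."""
    def go(pq: List[str], rq: List[str]) -> bool:
        if not pq:
            return not rq
        if pq[0] == "**":
            return any(go(pq[1:], rq[i:]) for i in range(len(rq) + 1))
        return bool(rq) and qualifier_matches(pq[0], rq[0]) and go(pq[1:], rq[1:])
    return go(profile.split("."), resource.split("."))


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"                                     # universal access
    permits: Dict[str, str] = field(default_factory=dict)  # user ID or group -> access

    def specificity(self) -> int:
        return sum(c not in "*%" for c in self.name)  # stand-in for RACF's most-specific-profile rule


@dataclass
class User:
    userid: str
    groups: List[str] = field(default_factory=list)


class RacfLikeEsm:
    """Stand-in for an external security manager such as RACF."""

    def __init__(self) -> None:
        self.active_classes: set = set()
        self.profiles: Dict[str, List[Profile]] = {}

    def rdefine(self, klass: str, profile: Profile) -> None:
        self.active_classes.add(klass)
        self.profiles.setdefault(klass, []).append(profile)

    def auth(self, user: User, klass: str, resource: str, requested: str) -> int:
        if klass not in self.active_classes:
            return SAF_NO_DECISION  # class inactive: RACF makes no decision
        matches = [p for p in self.profiles.get(klass, []) if profile_matches(p.name, resource)]
        profile = max(matches, key=Profile.specificity, default=None)
        if profile is None:
            return SAF_NO_DECISION  # no covering profile
        if user.userid in profile.permits:
            granted = profile.permits[user.userid]  # an explicit user entry wins, even NONE
        else:
            via_groups = [profile.permits[g] for g in user.groups if g in profile.permits]
            # Assumption: list-of-groups checking is active, so the highest group access applies.
            granted = max(via_groups, key=ACCESS.index) if via_groups else profile.uacc
        return SAF_ALLOWED if ACCESS.index(granted) >= ACCESS.index(requested) else SAF_DENIED


def saf_racroute_auth(esm: Optional[RacfLikeEsm], user: User, klass: str, resource: str, requested: str) -> int:
    """The SAF router: always present, the ESM behind it pluggable or absent."""
    if esm is None:
        return SAF_NO_DECISION  # no ESM installed: SAF neither grants nor denies
    return esm.auth(user, klass, resource, requested)


def resource_manager_decision(saf_rc: int, fail_closed: bool) -> bool:
    """The caller, not the ESM, turns the return code into allow or deny. RC 4 is the
    case that matters: a fail-open resource manager admits any unprotected resource."""
    if saf_rc == SAF_ALLOWED:
        return True
    if saf_rc == SAF_DENIED:
        return False
    return not fail_closed


def build_demo_esm() -> RacfLikeEsm:
    """Constructed sample profiles (SERVAUTH names follow the EZB.* convention)."""
    esm = RacfLikeEsm()
    esm.rdefine("SERVAUTH", Profile("EZB.STACKACCESS.SYS1.TCPIP", permits={"APPGRP": "READ"}))
    esm.rdefine("SERVAUTH", Profile("EZB.PORTACCESS.SYS1.TCPIP.*", permits={"WEBSRV": "READ"}))
    esm.rdefine("CSFSERV", Profile("CSFENC", permits={"APPGRP": "READ"}))
    esm.rdefine("CSFKEYS", Profile("PAYROLL.**", permits={"PAYGRP": "READ", "TEMP01": "NONE"}))
    esm.rdefine("DATASET", Profile("SYS1.**", uacc="READ", permits={"SYSPROG": "ALTER"}))
    return esm
```

The instructive cases are the non-zero ones: TEMP01 is in PAYGRP yet gets return code 8 because an explicit user entry of NONE beats the group's READ, and a data set with no covering profile yields return code 4, which a fail-open resource manager admits and a fail-closed one rejects.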
Security features of z/OS TCP/IP: a view of the protocol stack

The z/OS Communications Server places protection at each layer of the stack.

Application layer: SAF protection and application-specific security. z/OS CS TCP/IP applications use SAF to authenticate users and prevent unauthorized access to data sets, files, and SERVAUTH-protected resources. Examples of application protocols with built-in security extensions are SNMPv3 and OSPF.

API layer (sockets plus extensions): SSL/TLS and Kerberos. Both are located as extensions to the sockets APIs, so applications have to be modified to make use of these security functions. Both are connection-based and only applicable to TCP (stream socket) applications, not UDP.

TCP/UDP transport layer: SAF protection, AT-TLS, and intrusion detection services. The SAF SERVAUTH class is used to prevent unauthorized user access to TCP/IP resources (stack, ports, networks). AT-TLS is a TCP/IP stack service that provides SSL/TLS services at the TCP transport layer and is transparent to upper-layer protocols; it is available to TCP applications in all programming languages except Pascal.

IP networking layer: IP filtering, IPSec, and intrusion detection services. IP packet filtering blocks all IP traffic that this system doesn't specifically permit; filters can be configured in policy or applied dynamically as "defensive filters". IP packet filters also specify the traffic that requires IPSec. IPSec resides at the networking layer and is transparent to upper-layer protocols, including both the transport layer protocol and the application protocol.

Intrusion detection services protect against attacks of various types on the system's legitimate (open) services. IDS protection is provided at both the IP and transport layers.

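The filtering behaviour described for the IP networking layer, written out as an added Python model (not IBM code, and not z/OS policy syntax): a default-deny filter with ordered permit/deny/ipsec rules, plus time-limited defensive filters that are consulted before the static policy so that a live one overrides any permit. The rule fields, the evaluation order and the constructed sample policy (documentation address ranges only) are assumptions chosen to show the mechanism.

```python
"""z/OS-style IP filtering (added example, not IBM code or policy syntax): default deny,
ordered filter rules with permit / deny / ipsec actions, and time-limited defensive filters
that are evaluated ahead of the policy. Field names and the ordering are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, tcp/udp only


@dataclass(frozen=True)
class FilterRule:
    action: str                  # "permit", "deny", or "ipsec" (traffic that must be protected by IPSec)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class DefensiveFilter:
    """A deny installed on the fly (an operator or automation reacting to an IDS event)
    with a lifetime, so it disappears without anyone having to remember to remove it."""
    name: str
    rule: FilterRule
    expires_at: float            # seconds since the epoch


class IpFilterEngine:
    def __init__(self, policy: List[FilterRule]) -> None:
        self.policy = policy                       # ordered rules from the IP security policy
        self.defensive: List[DefensiveFilter] = []

    def add_defensive_filter(self, name: str, src: str, lifetime_s: int, now: float) -> None:
        self.defensive.append(DefensiveFilter(name, FilterRule("deny", src=src), now + lifetime_s))

    def active_defensive_filters(self, now: float) -> List[str]:
        """Drop expired defensive filters and return the names of those still in force."""
        self.defensive = [d for d in self.defensive if d.expires_at > now]
        return [d.name for d in self.defensive]

    def evaluate(self, p: Packet, now: float) -> str:
        # 1. Defensive filters first: a live one overrides any static permit.
        self.active_defensive_filters(now)
        if any(d.rule.matches(p) for d in self.defensive):
            return "deny"
        # 2. First matching policy rule wins, so rule order is part of the policy.
        for rule in self.policy:
            if rule.matches(p):
                return rule.action
        # 3. Nothing matched: implicit default deny.
        return "deny"


def build_demo_engine() -> IpFilterEngine:
    """Constructed policy for a z/OS host at 192.0.2.10 (documentation address ranges)."""
    return IpFilterEngine([
        FilterRule("deny", src="192.0.2.10/32"),                            # packets spoofing our own address
        FilterRule("ipsec", src="10.0.0.0/8", dst="192.0.2.10/32"),         # corporate range must use IPSec...
        FilterRule("permit", dst="192.0.2.10/32", proto="tcp", dport=443),  # ...before HTTPS is opened to all
        FilterRule("permit", src="192.0.2.53/32", dst="192.0.2.10/32", proto="udp"),  # site resolver
    ])
```

Two details carry the lesson: the ipsec rule must precede the general HTTPS permit or corporate traffic would match the permit first and travel in the clear, and a defensive filter added against a scanning subnet wins over that permit only until its lifetime runs out.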
And, of course, you need to audit the z/OS TCP/IP configuration definitions as well

• The z/OS network security policy is implemented via the Configuration Assistant (now part of z/OSMF).
• The network security features that are implemented (IPSec, AT-TLS, IDS, etc.) can be viewed with this tool, and the rules for each of these features can be reviewed or printed.

The slide's diagram shows how the policies take effect. Policy administration produces three policy files, the AT-TLS policy, the IP security policy and the IDS policy, which the Policy Agent reads and installs into the TCP/IP stack. Application data passes from the sockets layer into TCP, where AT-TLS encrypts it through System SSL calls; at the IP networking layer IPSec encrypts the traffic selected by the IP security filters before it reaches the network interfaces, and IDS watches both layers. Auditing the network security configuration therefore means reviewing those policy files and the Policy Agent configuration that loads them, not only the RACF profiles.

Overview: hardware crypto support in System zEC12

• CPACF (CP Assist for Cryptographic Functions) on the processor chips of the multi-chip module (MCM) in the processor books.
• Crypto Express4S adapters in the PCIe I/O drawers.
• Trusted Key Entry (TKE) workstation with smart card readers and smart cards for secure master key entry.

zEnterprise: calling the hardware crypto

The slide diagram shows the path from an application to the hardware on zEC12, z196 and z114:

• Callers: IBM exploiters and home-grown applications on z/OS (and TSO users) call the ICSF callable services (APIs), or issue the CPACF crypto instructions directly in the application.
• ICSF (Integrated Cryptographic Service Facility; release HCR7790 on the slide) takes the clear or encrypted data plus the key to use and routes the request either to CPACF via the crypto instructions or to the Crypto Express 2/3/4S coprocessors.
• Key storage: the CKDS holds DES keys encrypted under the crypto master key; the PKDS holds asymmetric keys encrypted under the PKA master key; the TKDS holds PKCS#11 objects encrypted under the token master key. The master keys exist only inside the coprocessor. A clear application key, by contrast, sits in storage.
• The ICSF options data set holds the ICSF run-time options.
• The TKE workstation (optional) is used to load master keys into the coprocessors.
• Access to the cryptographic services and keys can be controlled by RACF with the CSFSERV (services) and CSFKEYS (key labels) classes.

Linux on System z crypto stack (chart from Reinhard Buendgen)

Application layer: openssh (ssh, scp, sftp), Apache (mod_ssl and mod_nss), WebSphere Application Server, Java (JCA/JCE with the PKCS11 implementation provider), and customer software.

Standard crypto interfaces: openssl (with the ibmca engine), NSS, GSKit, and opencryptoki (PKCS#11) with its ica token and cca token.

System z hardware crypto libraries: ICA and CCA.

Kernel: IPsec, dm-crypt, the kernel crypto framework with its System z backend, and the zcrypt device driver.

Hardware: CPACF in the CPU (DES/TDES, AES, SHA, PRNG) and the crypto adapters, as accelerator (RSA) or coprocessor (RSA, RNG, DES/TDES, AES, ECC).

Three kinds of key flow through this stack: clear keys, which exist in plaintext in application or kernel memory; protected keys, wrapped under a wrapping key held in firmware so that CPACF can use them while the plaintext key never appears in memory; and secure keys, wrapped under the coprocessor's master key so that the plaintext key never leaves the tamper-responding adapter.

z/OS Public Key Infrastructure: PKI Services structure

The slide diagram shows the components and how they connect:

• End users reach the HTTP Server for z/OS (or a WebSphere Application Server JSP/servlet front end) over HTTP/HTTPS; static web pages and CGI scripts (or the servlet, via JNI) drive certificate requests.
• The web tier calls the RACF R_PKIServ callable service, which passes the request through RACF to the z/OS PKI Services daemon by a program call and the RACF linkage-assist routine.
• The PKI Services daemon is a combined RA/CA process. It keeps requests in an object store (VSAM) and issued certificates in the issued certificate list (VSAM), publishes certificates and CRLs to an LDAP directory, and can invoke a PKI exit for installation-specific processing. The RACF database and HFS files hold its key material and configuration.
• OCSP, CMP and SCEP requesters are served through the corresponding CGI interfaces, and a PKI administrator approves or rejects requests through the same web front end.
• All activity is written as SMF audit records, extracted with the SMF extract tool.

Other options for identity translation/propagation/synchronization

The slide shows several Windows domains, each with a domain controller and directory server; their .NET applications authenticate users to Active Directory and then access System z. Users may also access System z directly via TN3270, FTP, etc.

z/OS resources (IMS, CICS, DB2, WebSphere, MQ) are all protected with RACF, meaning that every request has to run with a RACF user ID in its ACEE. To keep a "complete" audit trail, the AD identity has to be translated, propagated, or synchronized into that RACF user ID rather than funneled through a shared technical user. The building blocks on the z/OS side are z/OS LDAP, the z/OS Communications Server security features, and z/OS PKI Services.

Identity and Access Management

• Embedded with the z/OS features:
  – Tivoli Directory Server (TDS, commonly called LDAP), extending System z security as well as allowing for propagation of RACF information
  – Digital certificates and z/OS PKI Services
  – Kerberos (within the RACF domain, and building trust across separate KDCs: WAS and SPNEGO)
  – PassTickets
  – Identity propagation
• zSecure for administration and audit (plus Command Verifier)
• Federating identities with Tivoli Federated Identity Manager (TFIM) for web services
• Tivoli Access Manager for e-business (TAMeb) for web security, and TAM for business integration (TAMbi)
• Managing identities on System z or across the enterprise with Tivoli Identity Manager (TIM)

IBM Tivoli Directory Server (LDAP) overview

The slide diagram shows the z/OS LDAP server (the slapd daemon) running in UNIX System Services (USS) over the TCP/IP stack, speaking LDAP V3 to any LDAP client (including JNDI clients) and to the z/OS LDAP API for C/C++, with optional SSL whose certificates come from a key database or a RACF key ring. Its configuration comes from ds.conf and ds.envvars. The backends:

• SDBM: the Security Server directory, i.e. the RACF database, accessed through RACF; this is what lets an LDAP client read and administer RACF users and groups
• LDBM: a general-purpose directory stored in a USS file
• TDBM: a general-purpose directory stored in DB2
• GDBM: the change log directory (DB2 or USS)
• CDBM: the configuration directory (USS file)
• Schema

Identity & Access Management with z/OS Identity Propagation

A WebSphere Application Server, running remotely or on System z, authenticates the user and carries the user's distributed identity (DN and realm) with the request into CICS on z/OS. The DN and realm are "propagated" into the z/OS run-time security context, and RACF, under the installation's control, selects the RACF user ID the request will run under. The resulting security context holds both identities:

• User's identity at the distributed end: DN and realm
• User's identity on z/OS: RACF user ID, plus DN and realm

New data areas support this: the IDID (the distributed identity) and the ICRX (the extended security context passed with the request). The SMF audit record contains both the RACF user ID and the DN and realm, so the audit trail leads back to the real end user rather than to a shared server ID.

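The flow on this slide, as an added Python model (not IBM code): the distributed identity arrives as DN plus realm, RACF, not the middle tier, decides which RACF user ID it maps to, and the audit record keeps both identities. The matching rule used here (same realm required; an exact DN beats a filter that names only the trailing RDNs shared by a group of users) is a simplification of RACF's distributed identity filters and is an assumption, as are the constructed filters and realm names.

```python
"""z/OS identity propagation, modelled (added example, not IBM code): a distributed
identity (DN + realm) is mapped to a RACF user ID under RACF's control and the audit
record carries both identities. The filter-matching rule is a simplifying assumption."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split an LDAP DN into RDNs, ignoring case and whitespace around the commas."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


@dataclass(frozen=True)
class IdentityFilter:
    realm: str          # registry that authenticated the user, e.g. an LDAP server
    dn_filter: str      # a full DN, or only the trailing RDNs shared by a set of users
    racf_userid: str    # the z/OS identity such requests run under


@dataclass
class AuditRecord:
    """What the SMF record on the slide carries: RACF user ID plus DN and realm."""
    racf_userid: Optional[str]
    dn: str
    realm: str
    outcome: str


@dataclass
class IdentityPropagation:
    filters: List[IdentityFilter]
    audit: List[AuditRecord] = field(default_factory=list)

    def select_racf_userid(self, dn: str, realm: str) -> Optional[str]:
        """RACF's side of the slide: pick the RACF user ID from the installation's
        filters, never from a user ID asserted by the middle tier."""
        rdns = normalize_dn(dn)
        best: Optional[IdentityFilter] = None
        best_len = -1
        for f in self.filters:
            if f.realm.lower() != realm.lower():
                continue                          # same DN in another realm is a different user
            frdns = normalize_dn(f.dn_filter)
            is_suffix = len(frdns) <= len(rdns) and rdns[len(rdns) - len(frdns):] == frdns
            if is_suffix and len(frdns) > best_len:
                best, best_len = f, len(frdns)    # most specific (longest) matching filter wins
        return best.racf_userid if best else None

    def run_request(self, dn: str, realm: str) -> Optional[str]:
        """Propagate the identity into the z/OS security context and write the audit record."""
        userid = self.select_racf_userid(dn, realm)
        self.audit.append(AuditRecord(userid, dn, realm, "MAPPED" if userid else "REJECTED"))
        return userid


def build_demo() -> IdentityPropagation:
    """Constructed filters: one named administrator, one catch-all per realm for the sales OU."""
    return IdentityPropagation([
        IdentityFilter("ldap://corp.example", "ou=Sales,o=Example", "SALESRW"),
        IdentityFilter("ldap://corp.example", "cn=Ann Admin,ou=Sales,o=Example", "ANNADM"),
        IdentityFilter("ldap://partner.example", "ou=Sales,o=Example", "PARTNRO"),
    ])
```

Note that the same DN presented from the partner realm lands on a different, read-only RACF user ID, and that a rejected request still produces an audit record naming the DN and realm that were refused.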
Host firewalls

The slide shows the traffic path from the Internet to the protected application, with a control at each hop:

• External network, through the Internet firewall, into the DMZ
• DMZ: Linux guests in a z/VM LPAR running ISS Proventia Server for Linux as firewall and IDS/IPS
• Application network, leading to the protected z/OS, which carries its own firewall (IP filtering) and IDS
• Physically secure networking between the tiers

Virtual network management: multiple security zones

Use the z/VM RACF Security Server to control and audit Linux and other virtual server access to networks. The slide shows one z/VM system whose web, app and db guests are spread over two virtual switches: VSWITCH 1 towards the Internet and VSWITCH 2 towards the outboard databases.

• Control access to a Virtual Switch (VSWITCH)
• Control access to specific VLANs on a VSWITCH
• Control and audit guest sniffing of virtual networks (promiscuous mode)
• Better control of multi-tenant environments

Customer example of utilizing RACF and LDAP on z/VM

z/VM 5.4 with the RACF for z/VM security server hosts SLES 10 Linux guests ("FAST AR" guests in the diagram) that share a read-only Linux root and each own their config and data disks. Four virtual switches separate the tiers: management, presentation, application, and database, with LDAP servers on the database tier. Linux guest access to the various virtual switches and VLANs is controlled by RACF.

Architecture overview for identity management

The slide divides the estate into three zones:

• DMZ: WebSEAL reverse proxies front the e-business users.
• TRUSTED zone: z/OS with RACF (and its RACF database), CICS, WebSphere Application Server and other z/OS services; an LDAP server; the application data stores (App 1 ... App n DATA) behind a Tivoli Access Manager replica ACL.
• Mgmt/Dev zone: the IBM Tivoli Identity Manager (ITIM) server with its RACF, RACF/VM and TAM agents, the Tivoli Access Manager policy server holding the master ACL, a Linux directory used through PAM, the developers, and other user registries.

ITIM provisions identities into RACF on z/OS, RACF on z/VM and TAM through the agents, so one identity lifecycle covers both the mainframe and the distributed registries.

Elements of enterprise security

Platform infrastructure
• RACF/SAF: audit, authorization, authentication, and access control
• ICSF: cryptographic services and key storage for key material
• Directory Server (LDAP): scalable, enterprise, standards-compliant directory
• Network Authentication Service: Kerberos V5
• Secured communications: SSL/TLS, IPSec, IDS
• Common Criteria ratings

Enterprise
• Tape encryption (TS1120) and disk encryption (DS8000)
• Secured key storage and management (Crypto Express3)
• Event logging (SMF)
• Multilevel security
• Enterprise fraud solutions
• Data privacy

Compliance and audit
• IBM Tivoli Security Compliance Insight Manager
• IBM Tivoli zSecure Suite
• DB2 Audit Management Expert

Extended enterprise
• Certificate Authority: PKI Services
• Enterprise Encryption Services
• Tivoli Identity Manager
• Tivoli Federated Identity Manager

www.ibm.com/security
What's New with Linux on System z
 
MQ Support for z/OS Connect
MQ Support for z/OS ConnectMQ Support for z/OS Connect
MQ Support for z/OS Connect
 
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
 
Cics Integration Approaches
Cics Integration ApproachesCics Integration Approaches
Cics Integration Approaches
 
Xdc command-to-print-job-output-and-syslog-from-sdsf
Xdc command-to-print-job-output-and-syslog-from-sdsfXdc command-to-print-job-output-and-syslog-from-sdsf
Xdc command-to-print-job-output-and-syslog-from-sdsf
 
SAS Mainframe -Program-Tips
SAS Mainframe -Program-TipsSAS Mainframe -Program-Tips
SAS Mainframe -Program-Tips
 
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
System z Mainframe Data with Amazon S3 and Amazon Glacier (ENT107) | AWS re:I...
 
linux security: interact with linux
linux security: interact with linuxlinux security: interact with linux
linux security: interact with linux
 
Cics Connectivity
Cics ConnectivityCics Connectivity
Cics Connectivity
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
CICS TS V5 Technical Overview
CICS TS V5 Technical OverviewCICS TS V5 Technical Overview
CICS TS V5 Technical Overview
 
File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 

Similar a Systemz Security Overview (for non-Mainframe folks)

Title News on z/VSE Security, Crypto Support and OpenSSL
Title	News on z/VSE Security, Crypto Support and OpenSSLTitle	News on z/VSE Security, Crypto Support and OpenSSL
Title News on z/VSE Security, Crypto Support and OpenSSLIBM
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...IBM Security
 
z/OS small enhancements, episode 2018A
z/OS small enhancements, episode 2018Az/OS small enhancements, episode 2018A
z/OS small enhancements, episode 2018AMarna Walle
 
z/OS Small Enhancements - Episode 2013A
z/OS Small Enhancements - Episode 2013Az/OS Small Enhancements - Episode 2013A
z/OS Small Enhancements - Episode 2013AMarna Walle
 
z/VSE - News - Announcements -Trends
z/VSE - News - Announcements -Trendsz/VSE - News - Announcements -Trends
z/VSE - News - Announcements -TrendsIBM
 
z/OS V2R3 Communications Server Content Preview
z/OS V2R3 Communications Server Content Previewz/OS V2R3 Communications Server Content Preview
z/OS V2R3 Communications Server Content PreviewzOSCommserver
 
z/VSE Connectors Introduction, Use Cases, and News
z/VSE Connectors Introduction, Use Cases, and Newsz/VSE Connectors Introduction, Use Cases, and News
z/VSE Connectors Introduction, Use Cases, and NewsIBM
 
z/VSE Networking Options and News
z/VSE Networking Options and Newsz/VSE Networking Options and News
z/VSE Networking Options and NewsIBM
 
2016 02-16-announce-overview-zsp04505 usen
2016 02-16-announce-overview-zsp04505 usen2016 02-16-announce-overview-zsp04505 usen
2016 02-16-announce-overview-zsp04505 usenDavid Morlitz
 
z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT) z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT) zOSCommserver
 
Ims13 ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...
Ims13   ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...Ims13   ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...
Ims13 ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...Robert Hain
 
IBM i and digital transformation
IBM i and digital transformationIBM i and digital transformation
IBM i and digital transformationGerard Suren
 
z/VSE Base Installation - Step by Step
z/VSE Base Installation - Step by Stepz/VSE Base Installation - Step by Step
z/VSE Base Installation - Step by StepIBM
 
What is different about the ibm mainframe
What is different about the ibm mainframeWhat is different about the ibm mainframe
What is different about the ibm mainframeJim Porell
 
Relatório Anual IBM 2013 v1
Relatório Anual IBM 2013 v1Relatório Anual IBM 2013 v1
Relatório Anual IBM 2013 v1Anderson Bassani
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server zOSCommserver
 
Unisanta - Visão Geral de hardware Servidor IBM System z
Unisanta - Visão Geral de hardware Servidor IBM System zUnisanta - Visão Geral de hardware Servidor IBM System z
Unisanta - Visão Geral de hardware Servidor IBM System zAnderson Bassani
 
z/OS Small Enhancements - Episode 2015A
z/OS Small Enhancements - Episode 2015Az/OS Small Enhancements - Episode 2015A
z/OS Small Enhancements - Episode 2015AMarna Walle
 

Similar a Systemz Security Overview (for non-Mainframe folks) (20)

Title News on z/VSE Security, Crypto Support and OpenSSL
Title	News on z/VSE Security, Crypto Support and OpenSSLTitle	News on z/VSE Security, Crypto Support and OpenSSL
Title News on z/VSE Security, Crypto Support and OpenSSL
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
 
z/OS small enhancements, episode 2018A
z/OS small enhancements, episode 2018Az/OS small enhancements, episode 2018A
z/OS small enhancements, episode 2018A
 
z/OS Small Enhancements - Episode 2013A
z/OS Small Enhancements - Episode 2013Az/OS Small Enhancements - Episode 2013A
z/OS Small Enhancements - Episode 2013A
 
z/VSE - News - Announcements -Trends
z/VSE - News - Announcements -Trendsz/VSE - News - Announcements -Trends
z/VSE - News - Announcements -Trends
 
z/OS V2R3 Communications Server Content Preview
z/OS V2R3 Communications Server Content Previewz/OS V2R3 Communications Server Content Preview
z/OS V2R3 Communications Server Content Preview
 
Maximize o valor do z/OS
Maximize o valor do z/OSMaximize o valor do z/OS
Maximize o valor do z/OS
 
z/VSE Connectors Introduction, Use Cases, and News
z/VSE Connectors Introduction, Use Cases, and Newsz/VSE Connectors Introduction, Use Cases, and News
z/VSE Connectors Introduction, Use Cases, and News
 
z/VSE Networking Options and News
z/VSE Networking Options and Newsz/VSE Networking Options and News
z/VSE Networking Options and News
 
IBM zAware
IBM zAwareIBM zAware
IBM zAware
 
2016 02-16-announce-overview-zsp04505 usen
2016 02-16-announce-overview-zsp04505 usen2016 02-16-announce-overview-zsp04505 usen
2016 02-16-announce-overview-zsp04505 usen
 
z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT) z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT)
 
Ims13 ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...
Ims13   ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...Ims13   ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...
Ims13 ims tools ims v13 migration workshop - IMS UG May 2014 Sydney & Melbo...
 
IBM i and digital transformation
IBM i and digital transformationIBM i and digital transformation
IBM i and digital transformation
 
z/VSE Base Installation - Step by Step
z/VSE Base Installation - Step by Stepz/VSE Base Installation - Step by Step
z/VSE Base Installation - Step by Step
 
What is different about the ibm mainframe
What is different about the ibm mainframeWhat is different about the ibm mainframe
What is different about the ibm mainframe
 
Relatório Anual IBM 2013 v1
Relatório Anual IBM 2013 v1Relatório Anual IBM 2013 v1
Relatório Anual IBM 2013 v1
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server
 
Unisanta - Visão Geral de hardware Servidor IBM System z
Unisanta - Visão Geral de hardware Servidor IBM System zUnisanta - Visão Geral de hardware Servidor IBM System z
Unisanta - Visão Geral de hardware Servidor IBM System z
 
z/OS Small Enhancements - Episode 2015A
z/OS Small Enhancements - Episode 2015Az/OS Small Enhancements - Episode 2015A
z/OS Small Enhancements - Episode 2015A
 

Último

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Systemz Security Overview (for non-Mainframe folks)

  • 1. IBM System z An Overview of Mainframe Security for Non-Mainframe Personnel June 2013 Mike Smith (smithlmi@us.ibm.com) With thanks to Greg Boyd © 2013 IBM Corporation
  • 2. Trademarks
    The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: IBM*, IBM (logo)*, ibm.com*, AIX*, BladeCenter*, DataPower*, CICS*, DB2*, DS4000*, FICON*, IMS, Lotus*, POWER7, ProtecTIER*, RACF*, Rational*, System Storage, System x*, System z*, System z10, Tivoli*, WebSphere*, XIV*, zEnterprise, z/OS*, z/VM*, z/VSE. (* Registered trademarks of IBM Corporation)
    The following are trademarks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license there from. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. InfiniBand is a trademark and service mark of the InfiniBand Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
    * All other products may be trademarks or registered trademarks of their respective companies.
    Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
    Page 2 Mainframe Security Overview June 2013 © 2013 IBM Corporation
  • 3. Agenda
    – System z, z/OS, and z/VM Security Strategy
      – Most Securable System
      – Protecting the Borders of System z and its Data
      – Extending System z’s Quality of Service (Security) to the Enterprise
    – Some of the Current Security Features
      – RACF for z/OS and z/VM
      – z/OS Communication Server and its Tools for Cybersecurity
      – System z Hardware Encryption Features
      – Providing Protection for Data in Transit
      – Encrypting Data at Rest and Backups
      – Managing Digital Certificates with z/OS PKI Services
      – Extending Identity Management and Auditing with LDAP (z/OS and z/VM)
  • 4. The IBM Security Framework
    zEnterprise servers preserve and enhance the industry-renowned strengths of the IBM Security Framework without requiring changes to the current core business applications. IBM continues to leverage and enhance the leading security capabilities provided by the z/OS and z/VM operating systems to build the tightest IT Security Hub, and to further enhance enterprise security through new technology in Authentication, Authorization, Encryption, Auditing, and Administration.
    [Diagram: The IBM Security Framework. Layers: Security Governance, Risk Management and Compliance; People and Identity; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure; Common Policy, Event Handling and Reporting; Common Best Security Practices (the 5 A’s). Also shown: Professional Services, Managed Services, Hardware & Software; PCI-DSS Compliance and Legal Requirements; HIPAA.]
  • 5. System z Integrity Statements
    Designed to help protect your system, data, transactions, and applications from accidental or malicious modification.
    – System integrity is the inability to bypass the security on system resources.
    – IBM will always take action to resolve the issue if a case is found where the above can be circumvented.
    System z integrity statements and the Common Criteria certifications can be helpful proof points in addressing compliance requirements.
    ibm.com/servers/eserver/zseries/zos/racf/zos_integrity_statement.html
    http://www.vm.ibm.com/security/zvminteg.html
    First issued in 1973 – over 3 decades! For System z, security has been a state of mind from design to delivery. IBM’s commitment to z/OS System Integrity was reaffirmed in September 2007.
  • 6. What do you think of the Mainframe (System z)?
    Forrester Survey – “Please rank which operating system category you feel is inherently more secure?” From “Operating System Vendors: Do More To Help Users With Server Security” by Jennifer Albornoz Mulligan, April 10, 2007.
    [Figure 3 – Security Decision-Makers’ Opinions On OSes’ Security: ranking of Mainframe, Unix, Macintosh, Linux and Windows from 1 (most secure) to 5 (least secure). Source: Forrester Research, Inc. 41887. Base: 75 decision-makers responsible for server security.]
  • 7. System z Evaluations & Certifications
    The Common Criteria program establishes an organizational and technical framework to evaluate the trustworthiness of IT Products and protection profiles.
    z/VM
    – Common Criteria: z/VM 5.3, 6.1 – EAL 4+ for CAPP and LSPP
    – System Integrity Statement
    z/OS
    – Common Criteria EAL4+ with CAPP and LSPP: z/OS 1.7 through 1.10 + RACF
    – z/OS 1.11 + RACF (OSPP); z/OS 1.12 + RACF (OSPP); z/OS 1.13 + RACF (OSPP)
    – Common Criteria EAL5: z/OS RACF 1.12 (OSPP)
    – z/OS 1.10 IPv6 Certification by JITC
    – IdenTrust™ certification for z/OS PKI Services
    – FIPS 140-2: System SSL z/OS 1.10, 1.12 & 1.13; z/OS ICSF PKCS#11 Services – z/OS 1.11, 1.12, 1.13
    – Statement of Integrity
    Linux on System z
    – Common Criteria: SUSE SLES10 certified at EAL4+ with CAPP; Red Hat EL5 EAL4+ with CAPP and LSPP
    – OpenSSL – FIPS 140-2 Level 1 Validated
    – CP Assist – SHA-1 validated for FIPS 180-1; DES & TDES validated for FIPS 46-3
    Virtualization with partitions
    – zEnterprise zEC12, z196 & z114: Common Criteria EAL5+ with specific target of evaluation – LPAR: Logical partitions
    Cryptography
    – Crypto Express2, Crypto Express3 & Crypto Express4S Coprocessors – FIPS 140-2 level 4 hardware evaluation; approved by German ZKA
    – CP Assist – FIPS 197 (AES); FIPS 46-3 (TDES); FIPS 180-3 (Secure Hash)
  • 8. How does System z fulfill its security strategy?
    – ENHANCE its own host protection: a continuous process with advancements in digital certificates, RACF in both z/OS and z/VM, and tighter integration between Linux for System z, z/OS, and z/VM, strengthening its compliance, auditing, and monitoring capabilities.
    – PROTECT the host interfaces and boundaries (this includes identities and data passing across these borders): additions of technologies such as the security features of the z/OS Communication Server, Tivoli Directory Server (LDAP) on both z/OS and z/VM, Kerberos enhancements, and PKI Services for z/OS.
    – EXTEND the security Quality of Service into the enterprise: Encryption Facility for z/OS (to secure data if it has to leave the vault), Network Security Services and Policy Agent (for managing network security policies), z/VM Guest LANs & Virtual Switches, the Linux audit plug-in as well as PAM with LDAP, TKLM and Tivoli Insight (IBM’s SOA security is WebSphere, Tivoli, and vendor products, most of which can run on System z).
    – SIMPLIFY the design, implementation, administration, and monitoring: z/OS Management Facility (z/OSMF) and IBM Security zSecure, for example.
  • 9. What’s running inside the server
    – Various Logical Partitions (LPARs) are defined to run multiple instances of an OS.
    – Internal resources like processors and channels can be shared among LPARs. Memory is NOT shared.
    – Each LPAR is a separate system. There is no leakage of information from one LPAR to another.
    [Diagram labels: System Files (APF Libraries, RACF Database, Master Catalog); Application Programs; Data and Databases.]
  • 10. What's running inside an LPAR?
z/OS Tasks run in Address Spaces. A separate Address Space is created for each active User, Batch Job, or Started Task. Each Address Space is assigned an Access Control Environment Element (ACEE) that describes the User ID assigned to the Address Space.
  • 11. How are Address Spaces created?
– System Address Spaces are created at start-up time or as needed while the system is up.
– Started Tasks can be started by Operations to perform pre-defined tasks.
– Batch jobs are submitted by users, a job scheduling system, or other tasks. When the Address Space is created, the job's authority is validated by RACF.
– Users log on after being authenticated.
– Transactions and requests from other systems.
  • 12. One Key to z/OS Security is SAF
 SAF is a component of MVS (z/OS BCP) – NOT part of RACF.
 SAF is the System Access Facility element of z/OS. Its purpose is to provide the interface between those products requesting security services and the external security manager (RACF or similar) installed on the z/OS system.
 SAF provides an installation with centralized control over system security processing by using a system service called the SAF router. The SAF router provides a focal point and a common system interface for all products providing resource control.
 External security managers (ESMs) provide tables to SAF, which directs specific calls for security functions to specific routines within the ESM. The use of these tables allows z/OS to provide support for pluggable ESMs, giving the installation the flexibility to determine which ESM to use.
 SAF and the SAF router are present on all z/OS systems regardless of whether an ESM is installed.
  • 13. RACF
 RACF is the Resource Access Control Facility. It is NOT an entitlement of the z/OS operating system, but is a priced feature. Customers pay extra for RACF.
 RACF provides the capability to uniquely describe resources, users, and the relationships between them.
 When users attempt to access a resource, the system calls RACF to indicate whether or not that user has the requested access permissions.
 It is then the system's decision, not RACF's, to allow or deny the access request.
  • 14. Basic Security Features and Functions
  • 15. Resource, user, and group profiles
 A resource is any item on the system that may be exploited by a user, including address spaces, application and DB systems (CICS, DB2) and their transactions, data (volumes, data sets), programs, the IP stack, etc.
 A user is an exploiter of resources.
 A protection profile describes the resource.
 A user profile uniquely describes a user to the system.
 Users can be grouped together.
 Resource protection profiles are grouped together by Class.
 Access to resources can be provided to the group.
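Slides 12 to 15 describe the division of labour between SAF, the external security manager and the calling component, and the profile/class/user/group model that RACF applies. The Python model below is an added illustration written for this page, not IBM code and not RACF's algorithm: it routes a check through a SAF-style router to a pluggable RACF-like ESM, picks the most specific matching profile in a class, and applies RACF's access-list precedence (an explicit user entry first, then group entries, then UACC). All user IDs, groups, data set names and access lists are constructed sample data; shell-style wildcards stand in for RACF generic profiles, which is a simplification, and the CSFSERV profile name used is only a sample label.

```python
"""Model of the SAF router handing a resource check to a pluggable external
security manager (ESM), and of RACF-style class/profile/group authorization.
Added illustration for this page, not IBM code: all users, groups, profile
names and access lists are constructed sample data."""
from fnmatch import fnmatchcase

# RACF access authorities from weakest to strongest.
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def satisfies(granted, requested):
    """True when the granted authority covers the requested one."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(requested)


class Profile:
    """A resource protection profile: a (possibly generic) name, the
    universal access UACC, and an access list keyed by user ID or group."""

    def __init__(self, name, uacc="NONE", access_list=None):
        self.name = name
        self.uacc = uacc
        self.access_list = dict(access_list or {})

    def matches(self, resource):
        # Simplification: shell-style wildcards stand in for RACF generics.
        return fnmatchcase(resource, self.name)

    def specificity(self):
        # More literal characters means a more specific profile; used to
        # choose the best match when several generics cover one resource.
        return sum(c not in "*%?" for c in self.name)


class RacfLikeEsm:
    """Users with group connections, profiles grouped by class, and the
    access decision itself (the 'routine within the ESM' of slide 12)."""

    def __init__(self):
        self.users = {}      # user ID -> set of connected group names
        self.classes = {}    # class name -> list of Profile

    def add_user(self, userid, *groups):
        self.users[userid] = set(groups)

    def rdefine(self, cls, profile):
        self.classes.setdefault(cls, []).append(profile)

    def best_profile(self, cls, resource):
        hits = [p for p in self.classes.get(cls, []) if p.matches(resource)]
        return max(hits, key=Profile.specificity, default=None)

    def auth(self, userid, cls, resource, requested):
        """Return 'ALLOWED', 'DENIED', or 'UNPROTECTED' when no profile
        in the class covers the resource."""
        profile = self.best_profile(cls, resource)
        if profile is None:
            return "UNPROTECTED"
        acl = profile.access_list
        # RACF precedence: an explicit user entry wins over group entries,
        # and both win over UACC, so an explicit NONE overrides everything.
        if userid in acl:
            granted = acl[userid]
        else:
            via_groups = [acl[g] for g in self.users.get(userid, ()) if g in acl]
            granted = max(via_groups, key=ACCESS_LEVELS.index, default=profile.uacc)
        return "ALLOWED" if satisfies(granted, requested) else "DENIED"


class SafRouter:
    """Present on every system; dispatches to the installed ESM's routine
    or reports that no ESM handled the request."""

    def __init__(self, esm=None):
        self.esm = esm    # the ESM's routing-table entry, if one is installed

    def request_auth(self, userid, cls, resource, requested):
        if self.esm is None:
            return "NO_ESM"
        return self.esm.auth(userid, cls, resource, requested)


def build_sample_esm():
    """Constructed sample data: a payroll group, an auditor, a contractor."""
    esm = RacfLikeEsm()
    esm.add_user("PAYUSR1", "PAYROLL")
    esm.add_user("AUDIT01", "AUDITORS")
    esm.add_user("CONTRACT", "PAYROLL")
    # DATASET class: a generic profile for the PAYROLL high-level qualifier.
    esm.rdefine("DATASET", Profile("PAYROLL.**", uacc="NONE", access_list={
        "PAYROLL": "UPDATE", "AUDITORS": "READ", "CONTRACT": "NONE"}))
    # A more specific profile for one sensitive data set takes precedence.
    esm.rdefine("DATASET", Profile("PAYROLL.MASTER.KEYS", uacc="NONE",
                                   access_list={"PAYUSR1": "READ"}))
    # CSFSERV class: who may invoke an ICSF service (sample resource name).
    esm.rdefine("CSFSERV", Profile("CSFENC", uacc="NONE",
                                   access_list={"PAYROLL": "READ"}))
    return esm


INTENT_TO_AUTHORITY = {"input": "READ", "output": "UPDATE"}


def open_dataset(router, userid, dsn, intent):
    """The resource manager asks SAF for a verdict and enforces it itself."""
    verdict = router.request_auth(userid, "DATASET", dsn, INTENT_TO_AUTHORITY[intent])
    return "OPENED" if verdict == "ALLOWED" else "FAILED:" + verdict
```

The router only returns a verdict; the sample open routine is what actually allows or refuses the open, which is the point slide 13 makes. The contractor case shows why auditing access lists matters: membership in a group that holds UPDATE is overridden by the explicit NONE entry on the user.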
  • 16. Security Features with the z/OS TCP/IP – a view of the protocol stack
Protect the system:
– z/OS CS TCP/IP applications use SAF to authenticate users and prevent unauthorized access to datasets, files, and SERVAUTH-protected resources. The SAF SERVAUTH class is used to prevent unauthorized user access to TCP/IP resources (stack, ports, networks).
– Intrusion detection services protect against attacks of various types on the system's legitimate (open) services. IDS protection is provided at both the IP and transport layers.
– IP packet filtering blocks out all IP traffic that this system doesn't specifically permit. These filters can be configured or can be applied dynamically as "defensive filters."
Protect data in the network:
– Examples of application protocols with built-in security extensions are SNMPv3 and OSPF.
– Both Kerberos and SSL/TLS are located as extensions to the sockets APIs, and applications have to be modified to make use of these security functions. Both SSL/TLS and Kerberos are connection-based and only applicable to TCP (stream sockets) applications, not UDP.
– AT-TLS is a TCP/IP stack service that provides SSL/TLS services at the TCP transport layer and is transparent to upper-layer protocols. It is available to TCP applications in all programming languages except PASCAL.
– IP packet filters specify traffic that requires IPSec. IPSec resides at the networking layer and is transparent to upper-layer protocols, including both the transport layer protocol and the application protocol.
(Diagram of the stack: Application layer – SAF protection; API layer (sockets plus extensions) – SSL/TLS, Kerberos; TCP/UDP transport layer – SAF protection, AT-TLS, Intrusion Detection Services; IP networking layer – Intrusion Detection Services, IP Filtering, IPSec.)
  • 17. And, of course, you need to audit the z/OS TCP/IP configuration definitions as well …
 The z/OS network security policy is implemented via the Configuration Assistance Utility (now part of z/OSMF).
 The network security features that are implemented (IPSec, AT-TLS, etc.) can be viewed via this tool, and the rules for each of these features can be reviewed or printed.
(Diagram: Policy Administration feeds the Application Transparent TLS policy, the IP security policy and the IDS policy to the Policy Agent; applications use sockets over TCP, where AT-TLS makes System SSL calls to produce TLS-encrypted traffic; IDS and IPSec encryption operate at the IP networking layer above the network interfaces.)
  • 18. Overview – HW Crypto support in System zEC12
(Diagram: Processor Books with the MCM and CPACF; PCIe I/O drawers with Crypto Express4S; Trusted Key Entry (TKE) workstation with smart card readers and smart cards.)
  • 19. zEnterprise – Calling the Hardware Crypto
(Diagram of the hardware crypto on zEC12, z196 and z114 and how z/OS reaches it:)
– CPACF, driven by crypto instructions, and the Crypto Express 2/3/4S coprocessors, which hold the Master Key.
– ICSF (HCR7790) exposes callable services APIs used by IBM exploiters and home-grown applications; alternatively the crypto instructions are used directly in the application. The caller supplies clear/encrypted data and the key to use for encryption/decryption.
– Key data sets: CKDS – DES keys encrypted under the crypto Master Key; PKDS – asymmetric keys encrypted under the PKA Master Key; TKDS – PKCS#11 objects under the token Master Key. A clear application key may also be held in storage.
– OPTIONS data set – ICSF run-time options. TKE Workstation (optional). Callers include a TSO terminal and other systems.
– Access to the cryptographic services and keys can be controlled by RACF with the CSFSERV and CSFKEYS classes.
  • 20. Linux on System z Crypto Stack
Application layer: openssh (ssh, scp, sftp), Apache (mod_ssl), Apache (mod_nss), GSKIT, WAS, customer SW, Java JCA/JCE (PKCS11ImplProv).
Standard crypto interfaces: openssl (ibmca engine), NSS, opencryptoki (PKCS#11) with the ica token and the cca token.
System z HW crypto libraries: ICA, CCA.
Operating system: kernel crypto framework with the System z backend, IPSEC, dm-crypt, zcrypt device driver.
Hardware: CPU with CPACF (DES/TDES, AES, SHA, PRNG); crypto adapters – Accelerator (RSA) and Coprocessor (RSA, RNG, DES/TDES, AES, ECC).
The chart distinguishes clear key, protected key and secure key paths.
*Chart from Reinhard Buendgen
  • 21. z/OS Public Key Infrastructure – PKI Services Structure
(Diagram: an End User or an OCSP/SCEP requester reaches the HTTP Server for z/OS over HTTP/HTTPS (HTTP daemon, static web pages, CGI scripts, OCSP/CMP/SCEP CGI) or a WebSphere Application Server JSP/Servlet front end via JNI; certificate and CRL requests go through the R_PKIServ callable service and a RACF linkage-assist routine (program call) to the z/OS PKI Services daemon, which runs the combined RA/CA process with a PKI exit. It keeps the object store, issued certificate list and CRL in VSAM, publishes to an LDAP directory, uses HFS and the RACF DB, and writes SMF audit records read by the SMF extract tool. The PKI administrator works through the same web front end.)
  • 22. Other Options for Identity Translation/Propagation/Synchronization
(Diagram: users authenticated to AD through a Windows Domain Controller and Windows Directory Server access .Net applications, and may also access System z directly via TN3270, FTP, etc.)
z/OS resources include IMS, CICS, DB2, WebSphere, MQ, all protected with RACF, meaning that the users have to have a RACF userid in their ACEE – you need a 'complete' audit trail.
On z/OS: z/OS LDAP installed, z/OS CommServer security features, z/OS PKI Services.
  • 23. Identity and Access Management
 Embedded with the z/OS features:
– Tivoli Directory Services (TDS – commonly called LDAP), extending System z security as well as allowing for propagation of RACF information
– Digital Certificates and z/OS PKI Services
– Kerberos (within the RACF domain and building trust across separate KDCs – WAS & SPNEGO)
– PassTickets
– ID Propagation
 zSecure for Admin and Audit (plus Command Verifier)
 Federating identities with Tivoli Federated Identity Manager (TFIM) for web services
 Tivoli Access Manager (eb, for e-business, for web security; bi for business integration)
 Managing identities on System z or across the enterprise with Tivoli Identity Manager (TIM)
  • 24. IBM Tivoli Directory Services (LDAP) Overview
(Diagram: any LDAP client (including JNDI) or the z/OS LDAP API for C/C++ connects, with optional SSL, through the TCP/IP stack to the slapd daemon running in USS and speaking LDAP V3. Backends: SDBM – the Security Server directory (RACF DB) via z/OS RACF; LDBM – general purpose directory in a USS file; TDBM – general purpose directory in DB2; GDBM – change log directory (DB2 or USS); CDBM – configuration in a USS file; plus the schema. Configuration comes from ds.conf and ds.envvars; certificates come from an SSL key DB or a RACF keyring.)
  • 25. Identity & Access Management with z/OS Identity Propagation
(Diagram: a WebSphere Application Server, running remotely or on System z, authenticates the user, whose identity is a DN & Realm. The DN & Realm is 'propagated' into the z/OS run-time security context (for example CICS) on System z. RACF holds the user's identity as both a RACF user-ID and the DN & Realm; the option to select the RACF user-ID is exercised here, under RACF control. New data areas:  IDID,  ICRX. The SMF audit record carries both the RACF user-ID and the DN & Realm.)
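Slide 25 shows a distributed identity (DN and realm) arriving from WebSphere, a RACF user ID being selected for it under RACF control, and an audit record that keeps both identities. The model below is an added illustration for this page, not IBM code and not RACF's mapping algorithm: filters pair a root-anchored partial DN with a registry name and map to a RACF user ID, the most specific matching filter wins, and the audit record records both identities. Every DN, realm and user ID is constructed sample data, and the matching rule is a simplification.

```python
"""Model of z/OS identity propagation as slide 25 draws it: a distributed
identity (DN and realm) is mapped, under RACF control, to a RACF user ID,
and the audit record keeps both identities.  Added illustration, not IBM
code; the mapping rule is simplified and all names are constructed."""
from dataclasses import dataclass


def rdns(dn):
    """Split 'CN=Ann,OU=Audit,O=Example' into normalised RDNs, root last."""
    return [part.strip().upper() for part in dn.split(",")]


@dataclass(frozen=True)
class MappingFilter:
    dn_filter: str     # full DN, or a partial DN anchored at the root (right end)
    registry: str      # realm / registry name; must match exactly
    racf_userid: str   # the RACF identity the distributed identity runs under

    def matches(self, dn, realm):
        if realm.upper() != self.registry.upper():
            return False
        want, have = rdns(self.dn_filter), rdns(dn)
        # Root-anchored: the filter's RDNs must equal the tail of the DN's RDNs.
        return len(want) <= len(have) and have[-len(want):] == want

    def specificity(self):
        return len(rdns(self.dn_filter))


@dataclass(frozen=True)
class SecurityContext:
    """The z/OS run-time security context: RACF user-ID plus DN & Realm."""
    racf_userid: str
    dn: str
    realm: str


def propagate(filters, dn, realm):
    """Map a distributed identity into a z/OS security context, or return
    None when no filter covers it (there is then no RACF user ID to run as)."""
    hits = [f for f in filters if f.matches(dn, realm)]
    if not hits:
        return None
    best = max(hits, key=MappingFilter.specificity)
    return SecurityContext(best.racf_userid, dn, realm)


def audit_record(ctx, resource, result):
    """SMF-style audit record: the RACF user ID alone would lose who the
    distributed user was (many users may share one), so DN and realm are kept."""
    return {"racf_userid": ctx.racf_userid, "dn": ctx.dn, "realm": ctx.realm,
            "resource": resource, "result": result}


# Constructed sample filters, most general first; a shared ID for the
# organisation, one for the payroll OU, and a personal one for an auditor.
SAMPLE_FILTERS = [
    MappingFilter("O=Example Corp,C=US", "ldap://corp.example.com", "EXTGUEST"),
    MappingFilter("OU=Payroll,O=Example Corp,C=US", "ldap://corp.example.com", "PAYWEB"),
    MappingFilter("CN=Ann Auditor,OU=Audit,O=Example Corp,C=US",
                  "ldap://corp.example.com", "AUDIT01"),
]
```

A DN from a registry that no filter names gets no context at all, which is the safe failure: the request cannot proceed without a RACF user ID in its ACEE. The audit record is where the 'complete' audit trail of slide 22 comes from, since several distributed users can map to the same shared RACF ID.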
  • 26. Host Firewalls
 Physically secure networking
 z/OS Firewall & IDS
 ISS Proventia Server for Linux Firewall / IDS
 Network IDS/IPS & Firewall
 Linux Protected Application (in a z/VM LPAR)
(Diagram zones: Internet, Firewall, External Network, DMZ, Perimeter, Application Network; z/OS with ISS Proventia, and Linux guests in a z/VM LPAR.)
  • 27. Virtual Network Management – Multiple Security Zones
 Control access to a Virtual Switch (VSWITCH)
 Control access to specific VLANs on a VSWITCH
 Control and audit guest sniffing of virtual networks
 Better control of multi-tenant environments
Use the z/VM RACF Security Server to control and audit Linux and other virtual server access to networks.
(Diagram: web, app and db guests under z/VM attached to VSWITCH 1 (to internet) and VSWITCH 2 (to outboard databases).)
  • 28. Customer Example of Utilizing RACF z/VM and LDAP
(Diagram: z/VM 5.4 with RACF VM and a shared R/O Linux root; SLES 10 Linux guests, each with its own Config & Data, attached to a Management Virtual Switch, a Presentation Virtual Switch, an Application Virtual Switch, a Database Virtual Switch (LDAP) and FAST AR guests.)
Linux guest access to a variety of different virtual switches and VLANs is controlled by RACF controls.
  • 29. Architecture overview for Identity Management
(Diagram: IBM Tivoli Identity Manager (ITIM Server with an LDAP server) in the z/OS Mgmt/Dev Zone manages identities through agents – ITIM RACF Agent to the RACF Database, ITIM RACF/VM Agent, ITIM TAM Agent to Tivoli Access Manager – and through PAM/Linux Directory and other user registries; developers administer RACF. e-Business users enter through WebSeal instances in the DMZ, governed by the Tivoli Access Manager Policy Server (master ACL, replica ACL at WebSeal) and LDAP, before reaching the WebSphere App Server, CICS, z/OS Services and App 1 to App n DATA in the TRUSTED Zone.)
  • 30. Elements of Enterprise Security
Platform Infrastructure: RACF/SAF – support for audit, authorization, authentication, and access control; ICSF – services and key storage for key material; Directory Server (LDAP) – scalable enterprise standards-compliant directory; Network Authentication Service – Kerberos V5; Common Criteria ratings; Secured Communications – SSL/TLS, IPSec, IDS.
Data Privacy: Tape encryption (TS1120), Disk encryption (DS8000), Secured Key Storage & Management (Crypto Express 3), Multilevel security, Enterprise Encryption Services.
Compliance and Audit: Event Logging (SMF), IBM Tivoli Security Compliance Insight Manager, IBM Tivoli zSecure Suite, DB2 Audit Management Expert, Enterprise Fraud Solutions.
Extended Enterprise: Certificate Authority (PKI Services), Tivoli Identity Manager, Tivoli Federated Identity Mgr.
  • 31. www.ibm.com/security

Editor's notes

  1. To give you an idea of all the pieces around crypto and where they fit