Introduction to z/OS Security

Lesson 4: There’s more to it than RACF
© 2006 IBM Corporation
Objectives
• At the completion of this topic the student should be able to provide a brief overview of the security-related elements of the z/OS operating system.
Key terms
• SAF
• ICSF
• RACF
• OCSF
• PKI Services
• OCEP
• ITDS for z/OS
• EIM
Introduction
• This lesson briefly discusses the key elements of z/OS that address different security needs.
• Technologies such as Secure Sockets Layer (SSL), Kerberos V5, Public Key Infrastructure, multilevel security and exploitation of IBM mainframe cryptographic features are available in z/OS.
• Integrated Cryptographic Service Facility (ICSF) is a part of z/OS which provides cryptographic functions for data security, data integrity, personal identification, digital signatures and the management of cryptographic keys. Together with the cryptography features of System z9 and zSeries servers, z/OS provides high-performance SSL.
Introduction
• z/OS provides support for digital certificates, including the ability to provide full life-cycle management. With Public Key Infrastructure Services in z/OS, customers can create and manage digital certificates, leveraging their existing z/OS mainframe investments.
• z/OS, together with DB2 Universal Database™ for z/OS Version 8, provides a solution for multilevel security on the System z mainframe. This support provides row-level security labeling in DB2 and protection in z/OS designed to meet the stringent security requirements of multi-agency access to data. This solution leverages System z leadership to enable highly secure single database hosting.
SAF
• SAF is the System Access Facility element of z/OS. Its purpose is to provide the interface between those products requesting security services and the external security manager installed on the z/OS system.
• SAF is NOT part of RACF.
• SAF is a component of MVS (z/OS BCP).
• SAF provides an installation with centralized control over system security processing by using a system service called the SAF router. The SAF router provides a focal point and a common system interface for all products providing resource control.
• External security managers (ESMs) provide tables to SAF which direct specific calls for security functions to specific routines within the ESM. The use of these tables allows z/OS to provide support for pluggable ESMs, giving the installation the flexibility to determine which ESM to use.
• SAF and the SAF router are present on all z/OS systems regardless of whether an ESM is installed.
The SAF Router
• For each request type presented to SAF, a different routine is accessed.
• The location of these routines is recorded in the SAF Routing Table.
RACF
• RACF is the Resource Access Control Facility. It is NOT an entitlement of the z/OS operating system, but is a priced feature. Customers pay extra for RACF.
• RACF provides the capability to uniquely describe resources, users, and the relationships between them.
• When users attempt to access a resource, the system calls RACF to indicate whether or not that user has the requested access permissions.
• It is then the system's decision, not RACF's, to allow or deny the access request.
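The SAF, SAF Router and RACF slides describe one pipeline: a resource manager issues a request, the SAF router looks the request type up in the routing table the ESM supplied, the ESM routine answers, and the resource manager, not the ESM, makes the final allow/deny decision. The following Python model is an added teaching example, not IBM code and not the real RACROUTE interface: the `SafRouter`, `esm_auth` and `resource_manager_decide` names, the sample profiles and the `fail_closed` policy switch are all constructed for illustration. The three return codes follow the RACROUTE convention (0 authorized, 4 no decision, 8 denied), which the slides do not state and is assumed here.

```python
"""Model of the SAF router / ESM / resource-manager split from the slides.
Added teaching example, not IBM code: routing table, ESM routine, profiles
and the resource manager are simplified stand-ins."""

from dataclasses import dataclass
from typing import Callable, Dict

# Assumed to mirror the RACROUTE return-code convention (not stated on the slides).
RC_AUTHORIZED, RC_NO_DECISION, RC_DENIED = 0, 4, 8


@dataclass(frozen=True)
class SafRequest:
    request_type: str    # e.g. "AUTH" or "VERIFY"; one routine per request type
    user: str
    resource_class: str  # e.g. "DATASET", "FACILITY"
    resource: str
    access: str          # requested access: READ / UPDATE / ALTER


# ---- A toy external security manager (stand-in for RACF) --------------------
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]  # ordered weakest to strongest

# Constructed sample profiles: (class, resource) -> {user: highest permitted access}
SAMPLE_PROFILES = {
    ("DATASET", "PAYROLL.MASTER"): {"HRADMIN": "ALTER", "AUDITOR": "READ"},
    ("FACILITY", "BPX.SUPERUSER"): {"SYSPROG": "READ"},
}


def esm_auth(req: SafRequest) -> int:
    """ESM authorization routine. It only decides about resources it has a
    profile for; an unprotected resource yields 'no decision' (RC 4)."""
    profile = SAMPLE_PROFILES.get((req.resource_class, req.resource))
    if profile is None:
        return RC_NO_DECISION
    granted = profile.get(req.user, "NONE")  # users not on the profile get NONE
    if ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(req.access):
        return RC_AUTHORIZED
    return RC_DENIED


# ---- The SAF router ---------------------------------------------------------
class SafRouter:
    """Routes each request type to the routine the ESM registered in its
    routing table. The router is always present; the table may be empty
    when no ESM is installed, exactly as the slides describe."""

    def __init__(self) -> None:
        self.routing_table: Dict[str, Callable[[SafRequest], int]] = {}

    def install_esm(self, table: Dict[str, Callable[[SafRequest], int]]) -> None:
        """The ESM hands SAF its table of request type -> routine."""
        self.routing_table = dict(table)

    def racroute(self, req: SafRequest) -> int:
        routine = self.routing_table.get(req.request_type)
        if routine is None:
            return RC_NO_DECISION  # no ESM installed, or type not handled by the ESM
        return routine(req)


# ---- The resource manager: where the allow/deny decision actually happens ----
def resource_manager_decide(router: SafRouter, req: SafRequest, fail_closed: bool = True) -> bool:
    """RC 0 and RC 8 are unambiguous. RC 4 (no decision) is the case that
    matters for defenders: a fail-closed manager denies, a fail-open one
    allows. That choice belongs to the resource manager, not to the ESM."""
    rc = router.racroute(req)
    if rc == RC_AUTHORIZED:
        return True
    if rc == RC_DENIED:
        return False
    return not fail_closed


if __name__ == "__main__":
    router = SafRouter()
    req = SafRequest("AUTH", "HRADMIN", "DATASET", "PAYROLL.MASTER", "UPDATE")
    print("no ESM installed ->", router.racroute(req))
    router.install_esm({"AUTH": esm_auth})
    print("with ESM         ->", router.racroute(req))
```

The instructive path is the unprotected resource: the ESM returns RC 4, and whether that ends in an allow or a deny depends entirely on the calling component's policy. When auditing a resource manager on z/OS, that RC 4 handling is the branch to read first.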
PKI Services
• The z/OS PKI Server is a complete Certification Authority package, always enabled independently of the installed security manager. The Certification Authority keys are located in a secure file or within the ESM (like RACF).
• The z/OS PKI can be a root CA or an intermediate CA. It provides these functions to implement and perform full certificate life cycle management:
–User request driven via customizable Web pages
–Automatic or administrator approval process
–End user / administrator revocation process
• With PKI Services, z/OS installations have the capability to establish a PKI infrastructure and serve as a certificate authority for internal and external users.
ITDS for z/OS (LDAP)
• LDAP defines a standard method for accessing and updating information in a directory.
• LDAP has gained wide acceptance as the directory access method of the Internet and is therefore also becoming strategic within corporate intranets.
• It is being supported by a growing number of software vendors and is being incorporated into a growing number of applications.
• Netscape and Microsoft Internet Explorer, as well as application middleware, such as the IBM WebSphere Application Server or the IBM HTTP server, support LDAP functionality as a base feature.
ITDS = IBM Tivoli Directory Services
ICSF
• The Integrated Cryptographic Services Facility acts as the device interface for the cryptographic hardware on z systems.
• ICSF provides support for the following:
–The Commercial Data Masking Facility (CDMF), an exportable version of DES cryptography
–DES and Triple DES encryption for privacy
–The transport of data keys through the use of the RSA public key algorithm
–The generation and verification of digital signatures through the use of both the RSA and the Digital Signature Standard (DSS) algorithms
–The generation of RSA and DSS keys
–The SET Secure Electronic Transaction standard, which was created by Visa International and MasterCard
–The PKA Encrypt and PKA Decrypt callable services that can be used to enhance the security and performance of Secure Sockets Layer (SSL) security protocol applications
System SSL
• Secure Sockets Layer (SSL) is a communications protocol that provides secure communications over an open communications network (for example, the Internet).
• The SSL protocol is a layered protocol that is intended to be used on top of a reliable transport, such as Transmission Control Protocol (TCP/IP). SSL provides data privacy and integrity as well as server and client authentication based on public key certificates.
• Once an SSL connection is established between a client and server, data communications between client and server are transparent to the encryption and integrity added by the SSL protocol.
• System SSL supports the SSL V2.0, SSL V3.0 and TLS (Transport Layer Security) V1.0 protocols. TLS V1.0 is the latest version of the secure sockets layer protocol.
OCSF
• Open Cryptographic Service Facility (OCSF)
• The OCSF components work together to provide software-based encryption to z/OS.
• The OCSF Architecture consists of a set of layered security services and associated programming interfaces designed to furnish an integrated set of information and communication security capabilities.
• The security services available in the OCSF are defined by the categories of service provider modules that the architecture accommodates. These service providers are:
–Cryptographic Services
–Trust Policy Libraries
–Certificate Libraries
–Data Storage Libraries
OCEP
• OCEP consists of two service provider modules (which are also called "plug-ins") that are intended to be used with the Open Cryptographic Services Facility (OCSF) Framework:
–Trust Policy
–Data Storage Library
• These service provider modules enable applications to use z/OS Security Server (RACF), or an equivalent product, to provide security functions for digital certificates and key rings.
• The OCEP service provider modules implement a subset of the application programming interfaces (APIs) that are defined by OCSF. Applications can use these OCEP service provider modules, and their supported APIs, to retrieve and use digital certificates and private keys that are stored in the RACF database on a z/OS system.
• In addition to the OCSF Framework, the OCEP service provider modules are intended to work with the OCSF Certificate Library and Cryptographic Service Provider modules.
EIM
• The problem: too many identities
–Today's network environments are made up of a complex group of systems and applications, resulting in the need to manage multiple user registries. Dealing with multiple user registries quickly grows into a large administrative problem that affects users, administrators, and application developers.
• The solution: Enterprise Identity Mapping
–EIM allows administrators and application developers to address this problem more easily and inexpensively than previously possible.
–EIM allows one-to-many mappings (in other words, a single user with more than one user identity in a single user registry).
–EIM also allows many-to-one mappings (in other words, multiple users mapped to a single user identity in a single user registry).
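The two mapping shapes on this slide, one-to-many and many-to-one, decide how an application must treat a lookup result. The Python model below is an added teaching example, not IBM's EIM implementation or its directory schema: the `EimDomain` class, its `lookup` and `lookup_unique` methods, the registry names and the sample associations are all constructed for illustration. It shows the lookup an application performs (source registry plus source user id, resolved to user ids in a target registry) and the case a one-to-many mapping creates, where the lookup legitimately returns several candidates and an application that needs exactly one identity must refuse rather than pick.

```python
"""Model of Enterprise Identity Mapping lookups. Added teaching example,
not IBM EIM code: an EIM identifier names a person, and associations tie
that identifier to (registry, user id) pairs. Data below is constructed."""

from collections import defaultdict
from typing import Dict, List, Set, Tuple

RegistryUser = Tuple[str, str]  # (registry name, user identity in that registry)

# Constructed sample associations: EIM identifier -> identities in various registries.
# "Jane Doe" is a one-to-many case (two ids in RACF.SYSA);
# "SHARED" on OS400.BOX1 is a many-to-one case (two people share one id).
SAMPLE_ASSOCIATIONS: Dict[str, Set[RegistryUser]] = {
    "Jane Doe": {("RACF.SYSA", "JDOE"), ("RACF.SYSA", "JDOEADM"),
                 ("AD.CORP", "jane.doe"), ("OS400.BOX1", "JANED")},
    "John Roe": {("AD.CORP", "john.roe"), ("OS400.BOX1", "SHARED")},
    "Ann Poe":  {("AD.CORP", "ann.poe"),  ("OS400.BOX1", "SHARED")},
}


class EimDomain:
    """In-memory stand-in for an EIM domain (hypothetical API)."""

    def __init__(self, associations: Dict[str, Set[RegistryUser]]) -> None:
        self.identifiers: Dict[str, Set[RegistryUser]] = {k: set(v) for k, v in associations.items()}
        # Reverse index so a registry identity can be resolved back to the person(s).
        self.reverse: Dict[RegistryUser, Set[str]] = defaultdict(set)
        for ident, pairs in self.identifiers.items():
            for pair in pairs:
                self.reverse[pair].add(ident)

    def identifiers_for(self, registry: str, user: str) -> Set[str]:
        """Which EIM identifiers (people) does this registry identity belong to?"""
        return set(self.reverse.get((registry, user), ()))

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> List[str]:
        """All user ids in target_registry for the person(s) known as
        source_user in source_registry. Sorted so results are deterministic."""
        targets: Set[str] = set()
        for ident in self.identifiers_for(source_registry, source_user):
            for registry, uid in self.identifiers[ident]:
                if registry == target_registry:
                    targets.add(uid)
        return sorted(targets)

    def lookup_unique(self, source_registry: str, source_user: str, target_registry: str) -> str:
        """Strict variant for applications that need exactly one target
        identity (for example, to run work under it). Zero or several
        candidates is an error to surface, never a guess to make."""
        targets = self.lookup(source_registry, source_user, target_registry)
        if len(targets) != 1:
            raise LookupError(
                f"{source_registry}/{source_user} -> {target_registry}: "
                f"expected one target identity, found {targets}")
        return targets[0]


if __name__ == "__main__":
    domain = EimDomain(SAMPLE_ASSOCIATIONS)
    print("one-to-many:", domain.lookup("AD.CORP", "jane.doe", "RACF.SYSA"))
    print("many-to-one:", domain.lookup("OS400.BOX1", "SHARED", "AD.CORP"))
```

The many-to-one direction is worth noting from an audit standpoint: resolving the shared OS400.BOX1 identity back to AD.CORP returns two people, so a log entry recorded under the shared id cannot be attributed to one person by EIM alone.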
Summary
• z/OS provides many different elements that address different security needs.
• Installations can use user IDs and passwords, UIDs, and digital certificates to provide mechanisms to authenticate an identity.
• z/OS can be a Certificate Authority, dispensing digital certificates and the accompanying public and private keys for large-scale secure infrastructures.
• Hardware and software work together to provide encryption facilities through ICSF and OCSF, independent of the underlying cryptographic facilities.
• Communications can be secured, whether inbound or outbound, through secure sockets from or to any other platform.
• The problem of multiple identities for a single user can be addressed by mapping the constructs together in a single application that can be queried from anywhere in the enterprise.