Connectivity to z/OS using DB2 Connect with Kerberos Authentication
Davy Goethals
GSE CICS and IMS/DB2 working group
11/10/2007 Zemst
Agenda
• Introduction
• Use of DB2 Connect at Sidmar
• What is Kerberos authentication?
• Practical implementation
• Current status & future
Introduction
• Kerberos is an authentication protocol developed in the late 1980s to secure a distributed client-server environment:
  – The user wants to be sure to connect to the right server
  – The server wants to be sure that the user is who he claims to be
  – Part of DCE (promoted by OSF), initially in the Unix world
• Based on encryption:
  – Insecure client machines
  – Insecure networks
  – Locally secured servers can exchange reliable information
Introduction
• Kerberos can be used in a DB2 Connect environment to create a single logon environment
• No need anymore to provide a mainframe user/password to DB2 on z/OS
Use of DB2 Connect at Sidmar
[Diagram: Windows clients running DB2 Connect PE (SAP, VB, ODBC, OLE DB and .NET applications) and UNIX and Windows servers running DB2 Connect EE connect over TCP/IP to DB2 for z/OS on the mainframe for SQL and stored procedures.]
Use of DB2 Connect at Sidmar
• User has to provide mainframe userid/password
• Or the application uses a hardcoded generic userid with a non-expiring password
  – To avoid declaration of RACF users
  – To avoid password problems
  – To allow/restrict authorities
• Problems:
  – Management of passwords (helpdesk)
  – Super users with known passwords
  – Accountability
• Use of trusted clients?
What is Kerberos?
Kerberos (Cerberus) was the mythological three-headed dog that guarded the entrance to the underworld. Unless you could get past Kerberos, you could not leave the underworld.
What is Kerberos?
• Securely authenticate a user in an unsecured network environment
• Three-tier architecture:
  – Client
  – Kerberos Key Distribution Center (KDC): trusted third party
  – Application server
• Use of encrypted tickets (credentials) instead of userid/password over the network
  – Provided by the KDC
  – Limited lifetime
  – Only understood by client and server
What is Kerberos?
• The KDC is a central repository:
  – Knows all clients (with principal identifier)
  – Knows all application servers (with principal identifier)
  – REALM: the set of clients and servers served by a single KDC (domain)
• The KDC and the clients/servers use a private encryption key to encrypt data over the network
• A principal needs to verify its identity only once in the REALM
• Kerberos allows the client to validate the identity of the server (mutual authentication)
What is Kerberos?
• Phase 1: authentication service exchange
  – The client authenticates itself by providing its username and gets a ticket-granting ticket
• Phase 2: ticket-granting service exchange
  – The client asks for a service ticket to use in communication with the server
• Phase 3: client/server authentication exchange
  – Client and server authenticate each other
  – They share an encryption key to exchange encrypted messages
What is Kerberos?
• Inter-REALM operation
  – A client from one REALM can communicate with a server from another REALM
  – REALMs have TRUST relationships and share secret inter-realm keys
  – Ex: Windows domain and z/OS domain
  – Multiple, hierarchical realms are possible
• The client has to authenticate only once to his local REALM
What is Kerberos?
• Windows Kerberos is integrated in the Windows OS
  – KDC is part of the Directory Server
  – Definitions in Domain Controller & DNS
• z/OS Kerberos is integrated with RACF
  – KDC is part of the RACF database
  – All administration is done by RACF commands
  – Special Kerberos started task to communicate with the client
DB2 Connect and Kerberos
• DB2 uses SAF services:
  – Ticket validation
  – Maps the Kerberos principal in the ticket to a RACF userid
[Diagram: a Windows client running DB2 Connect PE authenticates with its Windows userid against the Windows Domain Controller (DNS, KDC); DB2 Connect asks DB2 for z/OS "Do you support Kerb?" over the GSS protocol and presents a ticket; DB2 for z/OS hands the ticket to the RACF KDC on the mainframe through SAF.]
Practical implementation
• Workstation:
  – DB2 Connect database directory
  – KSETUP command
• Windows domain:
  – Define trust with host realm
  – Add entries in DNS
• z/OS:
  – Create host realm
  – Define trust with Windows realm
  – Define DB2 as Kerberos application
  – Start Kerberos started task
  – Map Windows users to RACF userids
Practical implementation on workstation
• DB2 Connect database directory:
  – Add database entries with
    • Authentication = KERBEROS
    • Principal name = db2service/host@hostREALM
  – Command:
    db2 catalog database dbname at node nodename authentication kerberos target principal db2service/hostname@hostREALM
Practical implementation on workstation
Database 4 entry:

 Database alias                       = DB2PD
 Database name                        = DB2P
 Node name                            = DB2P
 Database release level               = a.00
 Comment                              = DB2 productie d
 Directory entry type                 = Remote
 Authentication                       = KERBEROS
 Principal name                       = db2/[email protected]
 Catalog database partition number    = -1
 Alternate server hostname            =
 Alternate server port number         =

Database 11 entry:

 Database alias                       = DB2P
 Database name                        = DB2P
 Node name                            = DB2P
 Database release level               = a.00
 Comment                              = DB2 productie
 Directory entry type                 = Remote
 Authentication                       = SERVER
 Catalog database partition number    = -1
 Alternate server hostname            =
 Alternate server port number         =
• Applications use DB2PD instead of DB2P in the connection string and no longer provide a user/password
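A check a workstation administrator can run against such a directory, added here as an example and not part of the presentation: it parses `db2 list database directory` output and flags every alias that still authenticates with SERVER (userid/password over the network) rather than KERBEROS, and verifies that Kerberos entries carry a service/host@REALM principal. The listing embedded below is a constructed sample built from the slide's values; the principal db2/omvsdb2p@ES1.SIDMAR.AGN is assumed from the slides' principal format and the kerbname db2/omvsdb2p.

```python
import re

# Constructed sample of `db2 list database directory` output, modelled on the slides
SAMPLE_DIRECTORY = """\
 Database 4 entry:

 Database alias                       = DB2PD
 Database name                        = DB2P
 Node name                            = DB2P
 Authentication                       = KERBEROS
 Principal name                       = db2/omvsdb2p@ES1.SIDMAR.AGN
 Catalog database partition number    = -1

 Database 11 entry:

 Database alias                       = DB2P
 Database name                        = DB2P
 Node name                            = DB2P
 Authentication                       = SERVER
 Catalog database partition number    = -1
"""

# service/host@REALM, as in db2service/hostname@hostREALM on the slides
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")

def parse_directory(text: str) -> list[dict]:
    """Split the CLP listing into one {field: value} dict per database entry."""
    entries, current = [], None
    for line in text.splitlines():
        if re.match(r"\s*Database \d+ entry:", line):
            current = {}
            entries.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return entries

def audit(entries: list[dict]) -> dict[str, str]:
    """Return {alias: finding}; only KERBEROS entries keep the password off the wire."""
    findings = {}
    for e in entries:
        alias, auth = e.get("Database alias", "?"), e.get("Authentication", "")
        if auth != "KERBEROS":
            findings[alias] = f"sends userid/password ({auth or 'unset'})"
        elif not PRINCIPAL_RE.match(e.get("Principal name", "")):
            findings[alias] = "KERBEROS but principal is not service/host@REALM"
        else:
            findings[alias] = "ok: Kerberos ticket, no password on the wire"
    return findings
```

Run it against the real output of `db2 list database directory` to find catalog entries that applications can still use to send passwords after the Kerberos rollout.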
Practical implementation on workstation
db2 => connect to DB2P user siddago
Enter current password for siddago:

   Database Connection Information

 Database server        = DB2 OS/390 8.1.5
 SQL authorization ID   = SIDDAGO
 Local database alias   = DB2P

db2 => connect to DB2P
SQL30082N  Attempt to establish connection failed with security reason "3"
("PASSWORD MISSING").  SQLSTATE=08001

db2 => connect to DB2PD

   Database Connection Information

 Database server        = DB2 OS/390 8.1.5
 SQL authorization ID   = SIDDAGO
 Local database alias   = DB2PD

db2 => connect to DB2PD user siddago
Enter current password for siddago:
SQL30082N  Attempt to establish connection failed with security reason "36"
("CLIENT SECURITY PLUGIN ERROR").  SQLSTATE=08001
db2 =>
Practical implementation on workstation
• KSETUP command to define the host realm on each workstation:
  • KSETUP /addkdc hostREALM KDCname
  – Ex: KSETUP /addkdc ES1.SIDMAR.AGN kerberos.es1.sidmar.agn
• Ksetup.exe can be downloaded from Microsoft support websites
Practical implementation on Windows domain
• Define the host realm as a trusted domain (TRUST) in the Windows domain controller
• Add entries in DNS for the host realm, including password
Practical implementation on z/OS
• Create host REALM
  – RDEFINE REALM KERBDFLT KERB(KERBNAME(host realm name) PASSWORD(…) ticket lifetime parameters)
  • Ex: rdefine realm kerbdflt kerb(kerbname(es1.sidmar.agn) password(…) mintktlfe(15) deftktlfe(36000) maxtktlfe(86400))
  – Add the KERBDFLT profile in the REALM RACF class for the local realm
Practical implementation on z/OS
• Add Kerberos trust definitions (in pairs)
  – RDEFINE REALM /.../host realm/krbtgt/windows realm KERB(PASSWORD(……))
  • Ex: rdefine realm /.../es1.sidmar.agn/krbtgt/sidmar.be kerb(password(…))
  – RDEFINE REALM /.../windows realm/krbtgt/host realm KERB(PASSWORD(……))
  • Ex: rdefine realm /.../sidmar.be/krbtgt/es1.sidmar.agn kerb(password(…))
Practical implementation on z/OS
• Define each DB2 as a local Kerberos principal
  – ALTUSER db2stc userid PASSWORD(…) NOEXPIRED KERB(KERBNAME(db2/db2stc userid))
  • Ex: altuser omvsdb2p password(..) noexpired kerb(kerbname(db2/omvsdb2p))
  – KERBNAME = local principal name
  – The principal is defined as a RACF user with a KERBEROS segment
Practical implementation on z/OS
• Start Kerberos started task SKRBKDC:
//*********************************************************************
//*                                                                   *
//* Procedure for starting the Kerberos Security Server               *
//*                                                                   *
//*********************************************************************
//SKRBKDC  PROC REGSIZE=256M,OUTCLASS='R'
//*-------------------------------------------------------------------
//GO       EXEC PGM=EUVFSKDC,REGION=&REGSIZE,TIME=1440,
//   PARM=('ENVAR("LANG=En_US.IBM-1047"),TERM(DUMP)
//         / 1>DD:STDOUT 2>DD:STDERR')
//**STEPLIB DD DISP=SHR,DSN=EUV.SEUVFLNK
//STDOUT   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//            FREE=END,SPIN=UNALLOC
//STDERR   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//            FREE=END,SPIN=UNALLOC
//SYSOUT   DD SYSOUT=&OUTCLASS,
//            FREE=END,SPIN=UNALLOC
//CEEDUMP  DD SYSOUT=&OUTCLASS,
//            FREE=END,SPIN=UNALLOC
Practical implementation on z/OS
• Start Kerberos started task SKRBKDC (startup messages):
EUVF04001I Security server version 3.16, Service level 0000000.
EUVF04002I Security runtime version 3.16, Service level 0000000.
EUVF04158I Kerberos KDC services are enabled.
EUVF04069I Listening for requests on network interface 176.132.15.8.
EUVF04069I Listening for requests on network interface 176.132.15.20.
EUVF04069I Listening for requests on network interface 176.132.15.25.
EUVF04069I Listening for requests on network interface 176.132.15.7.
EUVF04069I Listening for requests on network interface 176.132.15.23.
EUVF04069I Listening for requests on network interface 176.132.15.16.
EUVF04069I Listening for requests on network interface 176.132.15.24.
EUVF04069I Listening for requests on network interface 176.132.15.6.
EUVF04069I Listening for requests on network interface 176.132.38.8.
EUVF04069I Listening for requests on network interface 176.132.35.1.
EUVF04069I Listening for requests on network interface 176.133.8.24.
EUVF04069I Listening for requests on network interface 176.132.8.1.
EUVF04058I System SYSM has joined the Kerberos security server group.
EUVF04058I System SYSE has joined the Kerberos security server group.
Practical implementation on z/OS
• Map Windows users to RACF userids used as primary authorization ID in DB2
  – RDEFINE KERBLINK /.../foreign realm name/foreign principal name APPLDATA('racf userid')
  • Ex: rdefine kerblink /.../sidmar.be/siddago appldata('siddago')
  – KERBLINK = foreign principal
  – The local principal is defined as a RACF user with a KERBEROS segment
Practical implementation on z/OS
• Map Windows users to RACF userids
  – Each time the RACF password changes, a new key is generated to be used in the encrypted ticket
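The server-side checks that DB2 for z/OS delegates to SAF (ticket validation, then mapping of the principal to a RACF userid through KERBLINK, using the REALM trust and lifetime definitions from the earlier slides, and the key change on a RACF password change from this slide), as an added toy model in Python; this is example code, not IBM's or Sidmar's implementation, and it substitutes an HMAC under a hash of the RACF password for the real Kerberos encryption. The realm and principal values are taken from the slides; the passwords, timestamps and the "OTHER.REALM" case are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# REALM and KERBLINK definitions, modelled on the RACF commands in the slides
LOCAL_REALM = "ES1.SIDMAR.AGN"                    # kerb(kerbname(es1.sidmar.agn) ...)
TRUSTED_REALMS = {"SIDMAR.BE"}                    # /.../es1.sidmar.agn/krbtgt/sidmar.be pair
MAXTKTLFE = 86400                                 # maxtktlfe(86400), in seconds
KERBLINK = {("SIDMAR.BE", "siddago"): "SIDDAGO"}  # rdefine kerblink ... appldata('siddago')
LOCAL_PRINCIPALS = {"db2/omvsdb2p": "OMVSDB2P"}   # altuser omvsdb2p kerb(kerbname(db2/omvsdb2p))

def service_key(racf_password: str) -> bytes:
    """Toy stand-in for the ticket key RACF derives from the DB2 principal's password."""
    return hashlib.sha256(racf_password.encode()).digest()

@dataclass
class Ticket:
    principal: str  # client principal, e.g. "siddago"
    realm: str      # realm that vouches for the client, e.g. "SIDMAR.BE"
    issued: int     # epoch seconds
    lifetime: int   # seconds

def seal(ticket: Ticket, key: bytes) -> tuple[dict, str]:
    """KDC side: bind the ticket to the service key (an HMAC tag stands in for encryption)."""
    body = json.dumps(asdict(ticket), sort_keys=True).encode()
    return asdict(ticket), hmac.new(key, body, "sha256").hexdigest()

def validate(fields: dict, tag: str, key: bytes, now: int) -> str:
    """Server side: return the RACF userid, or raise ValueError with the rejection reason."""
    body = json.dumps(fields, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        raise ValueError("ticket is not sealed under the current service key")
    t = Ticket(**fields)
    if not 0 < t.lifetime <= MAXTKTLFE:
        raise ValueError("ticket lifetime outside the REALM limits")
    if not t.issued <= now < t.issued + t.lifetime:
        raise ValueError("ticket expired or not yet valid")
    realm = t.realm.upper()  # realm names are compared case-insensitively in this toy
    if realm == LOCAL_REALM:
        userid = LOCAL_PRINCIPALS.get(t.principal)   # local principal with KERB segment
    elif realm in TRUSTED_REALMS:
        userid = KERBLINK.get((realm, t.principal))  # foreign principal via KERBLINK
    else:
        raise ValueError(f"no trust relationship with realm {realm}")
    if userid is None:
        raise ValueError(f"no RACF mapping for {t.principal}@{realm}")
    return userid
```

A ticket sealed before the DB2 principal's RACF password changed fails the first check, which is why the started task's key material must be refreshed together with the password.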
Status today
• Workstations:
  – New DB2 Connect package distributed with additional database entries
  – KSETUP.exe executed at login
• Windows domain:
  – Host REALM defined as trusted realm
  – DNS entries added
• z/OS:
  – Host realm created
  – Trusted pair with Windows realm
  – The different DB2 subsystems defined as local Kerberos principals
  – Kerberos started task running
  – Windows users mapped to RACF userids
Next
• Inform developers and end users about the new DB2 data sources
• Convert applications with hardcoded userid/password:
  – Change connection string
  – Add DB2 authorizations to tables
  – Define new RACF userids with Kerberos segment
  – Revoke DB2 Connect application users
• Use Kerberos also for FTP
More info…
• RACF documentation
• DB2 Connect documentation
• SHARE presentation by Paul de Graaff: OS/390 Security Server (RACF) Interoperability with Windows 2000 Case Studies
• IBM Redbook SG24-6540-00: Putting the Latest z/OS Security Features to Work
Questions?
• Email: [email protected]