O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Securing Your Cloud: IBM z/VM Security for IBM z Systems and LinuxONE

Book Description

As workloads are being offloaded to IBM® z Systems™ based cloud environments, it is important to ensure that these workloads and environments are secure.

This IBM Redbooks® publication describes the necessary steps to secure your environment for all of the components that are involved in a z Systems cloud infrastructure that uses IBM z/VM® and Linux on z Systems.

The audience for this book is IT architects and those planning to use z Systems for their cloud environments.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. IBM Redbooks promotions
  4. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  5. Chapter 1. Introduction to security on IBM z Systems
    1. 1.1 Why security matters
    2. 1.2 A brief overview of hardware security features
    3. 1.3 Principles of RACF operations
      1. 1.3.1 Principle of best matching profile
    4. 1.4 Why you should use RACF to secure your cloud infrastructure
    5. 1.5 RACF DB organization and structure
      1. 1.5.1 Database definition to the system
      2. 1.5.2 Internal organization of RACF database specifying class options
  6. Chapter 2. IBM z/VM hypervisor
    1. 2.1 z/VM hypervisor
      1. 2.1.1 Single System Image overview
      2. 2.1.2 Security settings in an SSI cluster
      3. 2.1.3 Controlling the System Operator
      4. 2.1.4 The System Configuration file
      5. 2.1.5 Addressing password security
      6. 2.1.6 Implementing CP LOGONBY
      7. 2.1.7 Role-based access controls and CP privilege classes
    2. 2.2 Device management
    3. 2.3 Securing the data
      1. 2.3.1 Securing your minidisks
      2. 2.3.2 Securing GUEST LANS and virtual switches
    4. 2.4 Securing your communication
      1. 2.4.1 Encrypting your communication
      2. 2.4.2 z/VM Cryptographic definitions
      3. 2.4.3 Checking the cryptographic card definitions in z/VM
    5. 2.5 z/VM connectivity
      1. 2.5.1 DEVICE and LINK statements
      2. 2.5.2 HiperSockets VSWITCH Bridge
      3. 2.5.3 Security considerations
    6. 2.6 Remote Spooling Communications Subsystem
  7. Chapter 3. IBM Resource Access Control Facility Security Server for IBM z/VM
    1. 3.1 RACF z/VM concepts
      1. 3.1.1 External security manager
      2. 3.1.2 Security policy
    2. 3.2 Activating and configuring RACF
      1. 3.2.1 Post-activation tasks
      2. 3.2.2 Building the RACF enabled CPLOAD MODULE
      3. 3.2.3 Updating the RACF database and options
      4. 3.2.4 Placing RACF into production
      5. 3.2.5 Using HCPRWAC
    3. 3.3 RACF management processes
      1. 3.3.1 DirMaint changes to work with RACF
      2. 3.3.2 RACF authorization concepts
      3. 3.3.3 Adding virtual machines and resources to the system and the RACF database
      4. 3.3.4 Securing your minidisks with RACF
      5. 3.3.5 Securing guest LANs and virtual switches with RACF
      6. 3.3.6 Labeled security and mandatory access control
      7. 3.3.7 Backing up the RACF database
      8. 3.3.8 RACF recovery options
  8. Chapter 4. Security Policy Management on IBM z/VM
    1. 4.1 User ID management
      1. 4.1.1 Least privilege principle
      2. 4.1.2 RACF passwords and password phrases
      3. 4.1.3 Implementing RACF LOGONBY
    2. 4.2 Communication encryption
    3. 4.3 Single System Image Security
      1. 4.3.1 Overview
      2. 4.3.2 Background information
      3. 4.3.3 Relocation domains
      4. 4.3.4 RACF in an SSI cluster
    4. 4.4 Auditing
      1. 4.4.1 Auditing with journaling
      2. 4.4.2 Auditing with RACF
  9. Chapter 5. Securing a Cloud on IBM z/VM environment
    1. 5.1 Cloud on z/VM components
    2. 5.2 DirMaint
      1. 5.2.1 DirMaint controls
      2. 5.2.2 Delegating DirMaint authority
    3. 5.3 Systems Management API
      1. 5.3.1 SFS
      2. 5.3.2 Looking at other SMAPI user IDs
      3. 5.3.3 VSMGUARD
      4. 5.3.4 SMAPI controls
      5. 5.3.5 Security aspects involving SMAPI
    4. 5.4 z/VM Cloud Manager Appliance
      1. 5.4.1 Basic requirements and configuration options
    5. 5.5 Controller node
      1. 5.5.1 DMSSICNF COPY for the controller node
      2. 5.5.2 DMSSICMO COPY file for the controller node
    6. 5.6 Compute node
      1. 5.6.1 DMSSICNF COPY file for the compute node
      2. 5.6.2 DMSSICMO COPY file for the compute node
    7. 5.7 Securing your cloud components
  10. Chapter 6. IBM z/VM and enterprise security
    1. 6.1 z/Secure
    2. 6.2 LDAP
      1. 6.2.1 LDAP on z/VM
      2. 6.2.2 Integration of z/VM LDAP into an enterprise directory
    3. 6.3 Linux on z Systems security
      1. 6.3.1 Authentication
      2. 6.3.2 Access control
      3. 6.3.3 User management
      4. 6.3.4 Update management
      5. 6.3.5 Data
      6. 6.3.6 Audit
      7. 6.3.7 Cryptographic hardware
      8. 6.3.8 Firewall
  11. Related publications
    1. Other publications
    2. Help from IBM
  12. Back cover