Security on IBM z/VSE

Book Description

One of a firm's most valuable resources is its data: client lists, accounting data, employee information, and so on. This critical data has to be securely managed and controlled, and at the same time made available to those users who are authorized to see it. The IBM® z/VSE™ system has extensive capabilities to share the firm's data among multiple users while protecting it. Threats to this data come from a variety of sources. Insider threats, as well as malicious hackers, are not only difficult to detect and prevent; they may have been using resources for some time without the business even being aware that they are there.

This IBM Redbooks® publication was written to assist z/VSE support and security personnel in providing the enterprise with a safe, secure and manageable environment.

This book provides an overview of the security provided by z/VSE and the processes for the implementation and configuration of z/VSE security components, Basic Security Manager (BSM), IBM CICS® security, TCP/IP security, single sign-on using LDAP, and connector security.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. November 2011, Third Edition
    2. October 2009, Second Edition
  5. Chapter 1. z/VSE and security
    1. 1.1 Introducing the z/VSE parts
      1. 1.1.1 Using z/VSE
      2. 1.1.2 How z/VSE stores data
    2. 1.2 z/VSE security features
      1. 1.2.1 Online security
      2. 1.2.2 Batch security
      3. 1.2.3 Basic Security Manager
      4. 1.2.4 Single sign-on and LDAP
      5. 1.2.5 System z cryptographic solution
      6. 1.2.6 CICS Web Support
      7. 1.2.7 Connector security
      8. 1.2.8 TCP/IP security
      9. 1.2.9 Secure FTP
      10. 1.2.10 Intrusion detection
      11. 1.2.11 Compliance to policy
  6. Chapter 2. z/VSE Basic Security Manager
    1. 2.1 BSM concept
      1. 2.1.1 System Authorization Facility
      2. 2.1.2 Security files
      3. 2.1.3 Security server partition
      4. 2.1.4 BSM processing
      5. 2.1.5 Common startup for BSM and ESM
    2. 2.2 Installing and customizing BSM
    3. 2.3 BSM administration
      1. 2.3.1 Security system settings
      2. 2.3.2 User definition
      3. 2.3.3 Group definition
      4. 2.3.4 Resource profile definition
      5. 2.3.5 Generating BSM cross reference reports
    4. 2.4 BSM auditing
      1. 2.4.1 Enabling auditing for resources defined in the BSM control file
      2. 2.4.2 Enabling auditing for resources defined in the DTSECTAB
      3. 2.4.3 DMF setup
      4. 2.4.4 BSM report writer (BSTRPWTR)
    5. 2.5 BSM backups
      1. 2.5.1 VSAM backups
      2. 2.5.2 BSM backup and migration with BSTSAVER
  7. Chapter 3. LDAP sign-on support
    1. 3.1 LDAP and z/VSE
    2. 3.2 Risks of the current situation
    3. 3.3 LDAP terminology
      1. 3.3.1 Overview and terms
      2. 3.3.2 LDIF files
    4. 3.4 The z/VM LDAP server
    5. 3.5 LDAP sign-on of z/VSE
      1. 3.5.1 LDAP user mapping file
      2. 3.5.2 Strict mode
      3. 3.5.3 LDAP password cache
    6. 3.6 Configure and activate LDAP sign-on support
      1. 3.6.1 LDAP configuration example skeleton
      2. 3.6.2 Sign on to z/VSE with active LDAP sign-on support
    7. 3.7 Administering the LDAP user mapping file
    8. 3.8 LDAP sample setup
      1. 3.8.1 Modifying the LDAP configuration phase
      2. 3.8.2 Mapping an intranet user ID to a z/VSE user ID
      3. 3.8.3 Modifying the TCP/IP setup
      4. 3.8.4 Setting up for SSL
      5. 3.8.5 Observations
  8. Chapter 4. Cryptography on z/VSE
    1. 4.1 Cryptography introduction
      1. 4.1.1 Modern cryptography
      2. 4.1.2 Cipher block chaining
      3. 4.1.3 Verifying the identity of communication partners
      4. 4.1.4 Ensuring data integrity
      5. 4.1.5 Combining the advantages of these algorithms
      6. 4.1.6 Using certificates
      7. 4.1.7 Comparison of key sizes
      8. 4.1.8 Password-based encryption
      9. 4.1.9 Public key encryption
    2. 4.2 Hardware-based encryption with z/VSE
      1. 4.2.1 Hardware overview
      2. 4.2.2 Planning your crypto configuration
      3. 4.2.3 LPAR cryptographic configuration
      4. 4.2.4 Operator commands
      5. 4.2.5 Cryptography for guests on z/VM
      6. 4.2.6 Available algorithms and key lengths
      7. 4.2.7 Changing the status of hardware-based encryption
      8. 4.2.8 Updates with z10 BC and EC
      9. 4.2.9 Updates with z/VSE V4R2
      10. 4.2.10 Updates with z/VSE V4R3
    3. 4.3 Hardware-based tape encryption with z/VSE
      1. 4.3.1 Encrypting data
      2. 4.3.2 Decrypting data
      3. 4.3.3 z/VSE considerations
      4. 4.3.4 Hardware and software requirements
      5. 4.3.5 Writing and reading encrypted data in z/VSE
      6. 4.3.6 Recognizing an encrypted tape
      7. 4.3.7 Additional hints to use hardware-based tape encryption
    4. 4.4 Example of TS1120 installation
      1. 4.4.1 Installing the prerequisite programs
      2. 4.4.2 Setting up the TS1120
      3. 4.4.3 Setting up the EKM
      4. 4.4.4 z/VSE considerations
      5. 4.4.5 Observations
    5. 4.5 Software-based encryption with Encryption Facility for z/VSE V1R1
      1. 4.5.1 Performance considerations
      2. 4.5.2 Password-based encryption
      3. 4.5.3 Public key encryption
    6. 4.6 Software-based encryption with Encryption Facility for z/VSE V1R2
      1. 4.6.1 Prerequisites
      2. 4.6.2 Differences of Encryption Facility between z/VSE V1R1 and V1R2
      3. 4.6.3 Downloading the prerequisite programs
      4. 4.6.4 Usage hints
      5. 4.6.5 Flexible support of record and stream data
      6. 4.6.6 Considerations on compression
      7. 4.6.7 Password-based encryption
      8. 4.6.8 Public key encryption
      9. 4.6.9 Advanced encryption options
      10. 4.6.10 Observations
    7. 4.7 z/VSE Navigator GUI for Encryption Facility
  9. Chapter 5. Secure Sockets Layer with z/VSE
    1. 5.1 Generating the server key and certificates
      1. 5.1.1 Defining the properties of the z/VSE system
      2. 5.1.2 Creating the z/VSE key and certificates
    2. 5.2 SSL setup for Java-based connector
      1. 5.2.1 Setting up z/VSE Connector Server for SSL
      2. 5.2.2 Setting up z/VSE Navigator for SSL
      3. 5.2.3 Connecting to z/VSE using SSL server authentication
      4. 5.2.4 Considerations with client authentication
      5. 5.2.5 Using encryption with AES-256
    3. 5.3 SSL setup for web browsers
      1. 5.3.1 Setting up SSL native mode with HTTPD
      2. 5.3.2 Considerations on $WEB user
      3. 5.3.3 Connecting to HTTPD using a web browser
      4. 5.3.4 Configuring ciphers in Internet Explorer
    4. 5.4 Debugging SSL/TLS connections
      1. 5.4.1 Tracing on z/VSE
      2. 5.4.2 Tracing in Java
  10. Chapter 6. CICS Web Support security
    1. 6.1 Introduction
    2. 6.2 Setting up CWS
      1. 6.2.1 Defining the TCP/IP service
      2. 6.2.2 Connecting to CWS
    3. 6.3 Setting up secure CWS
      1. 6.3.1 Configuring the TCP/IP service for SSL
      2. 6.3.2 Configuring the CICS system initialization parameters
    4. 6.4 Client setup with Mozilla Firefox
      1. 6.4.1 Importing the z/VSE certificates during session establishment
      2. 6.4.2 Manually importing the z/VSE certificates into Firefox
      3. 6.4.3 Configuring cipher suites in Firefox
      4. 6.4.4 Starting a secure session with Firefox
      5. 6.4.5 Displaying SSL properties in Mozilla Firefox
    5. 6.5 Client setup with Microsoft Internet Explorer
      1. 6.5.1 Importing the z/VSE certificates during session establishment
      2. 6.5.2 Manually importing the z/VSE certificates into Internet Explorer
      3. 6.5.3 Configuring cipher suites in Internet Explorer
      4. 6.5.4 Starting a secure session with Internet Explorer
    6. 6.6 Setting up for client authentication
      1. 6.6.1 Using Internet Explorer
      2. 6.6.2 Client authentication with user ID mapping
    7. 6.7 Observations
      1. 6.7.1 Abend AKEA in DFHSOSE
      2. 6.7.2 Abend code x'080C' in module DFHSOSE
  11. Chapter 7. Connector security
    1. 7.1 Java-based connector security
      1. 7.1.1 Security features of the Java-based connector
    2. 7.2 z/VSE script connector security
      1. 7.2.1 Security features of the z/VSE script connector
      2. 7.2.2 Non-SSL setup with client on workstation
      3. 7.2.3 Non-SSL setup with a client on z/VSE
      4. 7.2.4 General SSL setup
      5. 7.2.5 SSL setup with client on z/VSE
      6. 7.2.6 Observations
      7. 7.2.7 Debugging hints
    3. 7.3 Web service security when using SOAP
      1. 7.3.1 Transport Layer Security and message layer security
      2. 7.3.2 Web service security features with z/VSE as the SOAP server
      3. 7.3.3 Web service security features with z/VSE as the SOAP client
  12. Chapter 8. TCP/IP security
    1. 8.1 TCP/IP security concept
      1. 8.1.1 Control the security functions with the SECURITY command
    2. 8.2 Defining user IDs
      1. 8.2.1 Explicitly defining user IDs
    3. 8.3 Security exit points and security managers
      1. 8.3.1 Flow of a security request
      2. 8.3.2 Using Basic Security Manager (BSM) with TCP/IP
  13. Chapter 9. Secure Telnet
    1. 9.1 Introduction
    2. 9.2 Setting up a Telnet daemon, TELNETD
    3. 9.3 z/VSE host setup for secure Telnet
      1. 9.3.1 Setting up pass-through mode with a TLSD
      2. 9.3.2 Setting up SSL native mode
      3. 9.3.3 Setting up a Telnet listener daemon
    4. 9.4 Client setup with IBM Personal Communications
      1. 9.4.1 Importing the z/VSE certificates into PCOMM
      2. 9.4.2 Starting a secure session
      3. 9.4.3 Setting up for client authentication
      4. 9.4.4 Taking a PCOMM trace
    5. 9.5 Client setup with Attachmate EXTRA! X-treme
      1. 9.5.1 Import certificates into the Windows certificate store
      2. 9.5.2 Attachmate EXTRA! session setup
      3. 9.5.3 Viewing the log
      4. 9.5.4 Setting up for client authentication
  14. Chapter 10. Secure FTP
    1. 10.1 Introduction
    2. 10.2 z/VSE as FTP server
      1. 10.2.1 Set up and start the z/VSE FTP server
      2. 10.2.2 z/VM considerations
      3. 10.2.3 Connect to z/VSE using an FTP client
      4. 10.2.4 Transfer the certificate to the client side
    3. 10.3 z/VSE as FTP client
      1. 10.3.1 Sample setup with FileZilla server
      2. 10.3.2 Sample setup with vsftpd server on Linux
    4. 10.4 Considerations on firewalls
      1. 10.4.1 Passive versus active FTP mode
      2. 10.4.2 Restricting the port range on the server side
      3. 10.4.3 Restricting the port range on the client side
      4. 10.4.4 Considerations on the DATAPORT parameter
      5. 10.4.5 Firewall configuration
    5. 10.5 Observations
      1. 10.5.1 Cannot submit a VSE/POWER job with Keyman/VSE
      2. 10.5.2 SSL handshaking fails
  15. Chapter 11. WebSphere MQ with SSL
    1. 11.1 Introduction
    2. 11.2 Installing WebSphere MQ
      1. 11.2.1 MQ installation on z/VSE
      2. 11.2.2 Maintaining security profiles
      3. 11.2.3 MQ installation on Windows
    3. 11.3 Configuring WebSphere MQ
      1. 11.3.1 MQ configuration on z/VSE
      2. 11.3.2 MQ configuration on Windows
      3. 11.3.3 Testing the setup
    4. 11.4 Configuring for SSL
      1. 11.4.1 Creating the keys and certificates
      2. 11.4.2 SSL configuration on z/VSE
      3. 11.4.3 SSL configuration on Windows
    5. 11.5 Implementing SSL client authentication
      1. 11.5.1 Configuring for client authentication on z/VSE
      2. 11.5.2 Configuring for client authentication on Windows
    6. 11.6 Using SSL peer attributes
      1. 11.6.1 Example 1: Specifying matching peer attributes
      2. 11.6.2 Example 2: Specifying peer attributes which do not match
    7. 11.7 Configuring a z/VSE queue manager remotely
      1. 11.7.1 What you can do remotely
      2. 11.7.2 Preparing the z/VSE side for PCF
      3. 11.7.3 Defining additional queues
      4. 11.7.4 Defining the MQ Explorer reply model queue
      5. 11.7.5 Defining a server-connection channel
      6. 11.7.6 Defining a remote queue manager
      7. 11.7.7 Exchanging test messages
      8. 11.7.8 Defining SSL
    8. 11.8 Observations
      1. 11.8.1 Message sequence number error
      2. 11.8.2 RC=2092 when sending a test message to Windows
      3. 11.8.3 Open of file MQFADMN failed
      4. 11.8.4 No space available for PUT request
  16. Appendix A. Security APIs
    1. A.1 Client-side Java APIs
    2. A.2 Host-side APIs
  17. Appendix B. Setting up and using Keyman/VSE
    1. B.1 Keyman/VSE
    2. B.2 Installing the prerequisite programs
    3. B.3 Initial Keyman/VSE setup
    4. B.4 Some basic characteristics of RSA keys
    5. B.5 Relationship to TCP/IP utilities
    6. B.6 Keystores
    7. B.7 Using Keyman/VSE
    8. B.8 Some selected Keyman/VSE functions
    9. B.9 Observations
  18. Related publications
    1. IBM Redbooks publications
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks publications
    5. Help from IBM
  19. Back cover