IBM z/OS V1R12 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking

Book description

For more than 40 years, IBM® mainframes have supported an extraordinary portion of the world’s computing work, providing centralized corporate databases and mission-critical enterprise-wide applications. The IBM System z® provides world-class, state-of-the-art support for the TCP/IP Internet protocol suite.

TCP/IP is a large and evolving collection of communication protocols managed by the Internet Engineering Task Force (IETF), an open, volunteer organization. Because of its openness, the TCP/IP protocol suite has become the foundation for the set of technologies that form the basis of the Internet. The convergence of IBM mainframe capabilities with Internet technology, connectivity, and standards (particularly TCP/IP) is dramatically changing the face of information technology and driving requirements for ever more secure, scalable, and highly available mainframe TCP/IP implementations.

The IBM z/OS® Communications Server TCP/IP Implementation series provides understandable, step-by-step guidance about how to enable the most commonly used and important functions of z/OS Communications Server TCP/IP. This IBM Redbooks® publication explains how to set up security for the z/OS networking environment. Network security requirements have become more stringent and complex. Because many transactions come from unknown users and untrusted networks, careful attention must be given to host and user authentication, data privacy, data origin authentication, and data integrity. Because security technologies can be quite complex, we also include helpful tutorial information in the appendixes of this book.

For more specific information about z/OS Communications Server base functions, standard applications, and high availability, refer to the other volumes in the series.

Table of contents

  1. Figures (1/2)
  2. Figures (2/2)
  3. Tables
  4. Examples (1/2)
  5. Examples (2/2)
  6. Notices
    1. Trademarks
  7. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  8. Part 1: SAF-based security
  9. Chapter 1: RACF demystified
    1. RACF basic concepts
    2. Protecting your network resources
    3. Protecting your programs
      1. Authorized Program Facility
      2. Program protection by RACF resource class PROGRAM
      3. Program Access Control
      4. Controlling program access by SYSID
      5. The sticky bit in the z/OS UNIX environment
    4. Associating a user ID with a started task
    5. Setting up security for daemons in z/OS UNIX
    6. RACF multilevel security for network resources
      1. Basic MLS concepts
    7. Digital certificates in RACF
    8. Additional information
  10. Chapter 2: Protecting network resources
    1. The SERVAUTH resource class
    2. Protecting your TCP/IP stack
      1. Stack access overview
      2. Example setup
    3. Protecting your network access
      1. Network access control overview
      2. Server considerations
      3. Using NETSTAT for network access control
      4. Working example of network access control
    4. Protecting your network ports
      1. The PORT/PORTRANGE SAF keyword
      2. Using NETSTAT to display Port Access control
    5. Protecting the use of socket options
      1. SO_BROADCAST socket option access control
      2. IPv6 advanced socket API options
    6. Protecting sensitive network commands
      1. z/OS VARY TCPIP command security
      2. TSO NETSTAT and UNIX onetstat command security
      3. Policy agent command security
      4. IPSec command access control
      5. Additional information
    7. Protecting FTP
      1. Restrict certain users from logging into FTP server
      2. Protect other FTP related resources
    8. Protecting network management resources
      1. SNMP agent control
      2. TCP connection information service access control
      3. CIM provider access control
    9. Protecting miscellaneous resources
      1. Digital Certificate Access Server access control
      2. MODDVIPA utility program control
      3. Fast Response Cache Accelerator access control
      4. Real-time SMF information service access control
      5. TCP/IP packet trace service access control
      6. TCP/IP stack initialization access control
      7. RPCBIND application registration control
  11. Part 2: Managing security
  12. Chapter 3: Certificate management in z/OS
    1. Digital certificates overview
      1. What is a digital certificate
      2. How digital certificates work
    2. Digital certificate types
      1. Certificate Authority certificates
      2. User (personal) certificates
      3. Site certificates
      4. How a digital certificate can be obtained
    3. Configuring the utilities to generate certificates in z/OS
      1. Utilities in z/OS for managing certificates
      2. Digital certificate field formats
      3. Using the RACF RACDCERT command
      4. Using the gskkyman command
    4. Using certificates in sample IBM environments
      1. Host On-Demand and certificates
      2. Shared site certificate and shared key ring
      3. Self-signed certificates (1/3)
      4. Self-signed certificates (2/3)
      5. Self-signed certificates (3/3)
      6. Internal (local) Certificate Authority
      7. External (well-known) Certificate Authority (1/3)
      8. External (well-known) Certificate Authority (2/3)
      9. External (well-known) Certificate Authority (3/3)
  13. Part 3: Policy-based networking
    1. Centralizing security services
  14. Chapter 4: Policy agent
    1. Policy agent description
      1. Basic concepts
      2. The policy model
    2. Implementing PAGENT on z/OS
      1. Starting PAGENT as started task
      2. Starting PAGENT from UNIX
      3. Stopping PAGENT
      4. Disabling PAGENT policies for IPSec
      5. Basic configuration
      6. Coding policy definitions in a configuration file
      7. Refreshing policies
      8. Policy infrastructure management
      9. Verification
      10. For additional information
    3. The IBM Configuration Assistant for z/OS Communication Server
      1. Downloading and installing the IBM Configuration Assistant
      2. Using IBM Configuration Assistant for z/OS Communication Server
      3. Configuring a specific technology using the IBM Configuration Assistant
      4. Preparing PAGENT for configuration file import requests
      5. Configuration file import services
    4. Backup and migration considerations
      1. The backing store file
      2. Role of the Centralized Policy Server
      3. Merging (importing) backing store files
      4. Migration considerations
    5. Setting up the Traffic Regulation Management Daemon
      1. Setting up the started task procedure
      2. Starting TRMD from z/OS UNIX
      3. Defining the security product authorization for TRMD
      4. TRMDSTAT
    6. Additional information
  15. Chapter 5: Central Policy Server
    1. Background
    2. Basic concepts
    3. Configuring distributed (centralized) policy services
      1. Configuring the base environment with SSL (1/2)
      2. Configuring the base environment with SSL (2/2)
      3. Configuring the policy server (1/2)
      4. Configuring the policy server (2/2)
      5. Configuring the policy client
      6. Correlating the definitions at the policy server and policy client
    4. Activating and verifying the policy services environment
    5. Diagnosing the centralized policy services environment
    6. Configuring the Central Policy Server without SSL Security
    7. Additional information
  16. Chapter 6: Quality of Service
    1. Quality of Service definition
      1. Differentiated Services
      2. QoS with z/OS Communications Server
      3. PAGENT QoS policies
      4. Migrating Traffic Regulation QoS policies to intrusion detection services policy function
    2. Configuring QoS in the z/OS Communications Server
      1. Policies
      2. Differentiated Services rule
      3. For additional information
    3. Including QOS in the policy agent configuration
      1. Using IBM Configuration Assistant to configure QoS
    4. Verifying and diagnosing the QoS implementation
      1. Available management tools
      2. z/OS Communications Server SNMP SLA Subagent
  17. Chapter 7: IP filtering
    1. Define IP filtering
      1. Basic concepts
      2. For additional information
    2. z/OS IP filtering implementation
      1. Configuring IPSec statements in the TCP/IP stack profile
      2. Configuring IP Filtering from IPSec and Pagent
      3. FTP and Telnet IP filtering scenario (1/2)
      4. FTP and Telnet IP filtering scenario (2/2)
      5. Implementation steps for the FTP connectivity rule (1/2)
      6. Implementation steps for the FTP connectivity rule (2/2)
      7. Verify the new policies
  18. Chapter 8: IP Security
    1. IPSec description
    2. Basic concepts
      1. Key components
      2. IP Authentication Header protocol
      3. IP Encapsulating Security Payload protocol
      4. Internet Key Exchange protocol: Pre-shared key and RSA signature mode
    3. IPsec support currency
      1. IKE version 2 support
      2. IPSec support for certificate trust chains
      3. IPSec support for certificate revocation lists
      4. IPSec support for cryptographic currency
      5. IPSec support for FIPS 140 cryptographic mode
      6. zIIP Assisted IPSec function
    4. Working with the z/OS Communications Server Network Management Interface
    5. How IPSec is implemented
      1. Installing the PAGENT
      2. Setting up the Traffic Regulation Management Daemon
      3. Updating the TCP/IP stack to activate IPSec
      4. Restricting the use of the ipsec command
      5. Installing the IBM Configuration Assistant for z/OS Communications Server
      6. Description of the IPSec scenarios
      7. Defining the IPSec policies to PAGENT
      8. Setting up the IKE daemon (1/2)
      9. Setting up the IKE daemon (2/2)
      10. Setting up the system logging daemon (SYSLOGD) to log IKED messages
      11. Starting the IKE daemon and verifying initialization
      12. Commands used to administer IP security
    6. Configuring IPSec between two z/OS systems: Pre-shared Key Mode
      1. Using IBM Configuration Assistant for z/OS to set up the IPSec policies (1/2)
      2. Using IBM Configuration Assistant for z/OS to set up the IPSec policies (2/2)
      3. Installing the configuration files
      4. Verifying IPSec between two z/OS images (1/2)
      5. Verifying IPSec between two z/OS images (2/2)
    7. Configuring IPSec between two z/OS systems: RSA signature mode for IKEv1
      1. Generating certificates for IKEv1 RSA signature mode
      2. Configuring the IKE daemon
      3. Creating the IPSec filters and policies for the IPSec tunnel
      4. Modifying existing policies to use RSA signature mode
      5. Verifying IKE with RSA signature mode
      6. Diagnosing IKE with RSA signature mode
    8. Additional information
  19. Chapter 9: Network Security Services for IPSec clients
    1. Basic concepts
      1. Review of IKED
      2. The NSS solution for IKED Clients: IPSec discipline (1/2)
      3. The NSS solution for IKED Clients: IPSec discipline (2/2)
    2. Configuring NSS for the IPSec discipline
      1. Overview of preliminary tasks
      2. NSS client and NSS server
      3. Preparing for configuration
      4. Configuring the NSS environment
      5. Configuring prerequisites for NSS for an IKED Client (1/2)
      6. Configuring prerequisites for NSS for an IKED Client (2/2)
      7. Configuring authorizations for NSS (1/2)
      8. Configuring authorizations for NSS (2/2)
      9. Configuring the NSS server for an IKED Client (1/2)
      10. Configuring the NSS server for an IKED Client (2/2)
      11. Enabling an IKED NSS client to use NSS
      12. Creating NSS files for an IKED Client with IBM Configuration Assistant (1/7)
      13. Creating NSS files for an IKED Client with IBM Configuration Assistant (2/7)
      14. Creating NSS files for an IKED Client with IBM Configuration Assistant (3/7)
      15. Creating NSS files for an IKED Client with IBM Configuration Assistant (4/7)
      16. Creating NSS files for an IKED Client with IBM Configuration Assistant (5/7)
      17. Creating NSS files for an IKED Client with IBM Configuration Assistant (6/7)
      18. Creating NSS files for an IKED Client with IBM Configuration Assistant (7/7)
    3. Verifying the NSS environment for the IKED Client
      1. Make available NSS configuration and policy files
      2. Initialize NSSD and the NSS client
      3. NSS and IKE displays on SC33 and SC32 (1/4)
      4. NSS and IKE displays on SC33 and SC32 (2/4)
      5. NSS and IKE displays on SC33 and SC32 (3/4)
      6. NSS and IKE displays on SC33 and SC32 (4/4)
    4. Diagnosing the NSSD environment
      1. Examples of logging information for diagnosis
    5. Worksheet questions for NSSD implementation (IKED Client)
    6. Additional information
  20. Chapter 10: Network Security Services for WebSphere DataPower appliances
    1. Basic concepts
      1. NSS benefits
      2. Review of DataPower
      3. The NSS solution for XMLAppliance Clients: SAF service
      4. The NSS solution for XMLAppliance clients: Private Key and Certificate services
    2. Configuring NSS
      1. Overview of NSS configuration for an NSS XMLAppliance Client
      2. Preparing for configuration
      3. Configuring the NSS environment at z/OS (1/5)
      4. Configuring the NSS environment at z/OS (2/5)
      5. Configuring the NSS environment at z/OS (3/5)
      6. Configuring the NSS environment at z/OS (4/5)
      7. Configuring the NSS environment at z/OS (5/5)
      8. Creating NSS Server files for an NSS XMLAppliance Client with IBM Configuration Assistant (1/3)
      9. Creating NSS Server files for an NSS XMLAppliance Client with IBM Configuration Assistant (2/3)
      10. Creating NSS Server files for an NSS XMLAppliance Client with IBM Configuration Assistant (3/3)
      11. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (1/7)
      12. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (2/7)
      13. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (3/7)
      14. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (4/7)
      15. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (5/7)
      16. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (6/7)
      17. Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service (7/7)
      18. Configuring the NSS environment at the Web Services Requester
    3. Verifying the NSS configuration with the NSS Client (XML Appliance Discipline)
      1. Operations with z/OS NSS Server
      2. Operations with the DataPower appliance and Client
      3. Operations with the Web Services Requester platform
    4. Additional information
    5. NSS configuration worksheet for an NSS XMLAppliance client
  21. Chapter 11: Network Address Translation traversal support
    1. Network Address Translation
      1. One-to-one NAT
      2. Network Address Port Translation
    2. IPSec and NAT incompatibilities
    3. NAPT traversal support for integrated IPSec/VPN
      1. Enabling NAPT traversal support for IPSec
      2. Testing and verification
  22. Chapter 12: Application Transparent Transport Layer Security
    1. Conceptual overview of AT-TLS
      1. What is AT-TLS
      2. How AT-TLS works
      3. How AT-TLS can be applied
    2. AT-TLS Implementation Example: REXX socket API
      1. Description of REXX AT-TLS support (1/4)
      2. Description of REXX AT-TLS support (2/4)
      3. Description of REXX AT-TLS support (3/4)
      4. Description of REXX AT-TLS support (4/4)
      5. Activation and verification of REXX AT-TLS support
    3. Problem determination for AT-TLS
    4. Additional information sources for AT-TLS
  23. Chapter 13: Intrusion detection services
    1. What is intrusion detection services
    2. Basic concepts
      1. Scan policies
      2. Attack policies
      3. Attack policy tracing
      4. Traffic Regulation policies
    3. How IDS is implemented
      1. Installing the policy agent
      2. The IBM Configuration Assistant for z/OS Communication Server
      3. Requirements and download instructions
      4. Configuring IDS policy using the GUI
      5. Installing the IDS policy
      6. Checking that things are working
      7. Additional information
  24. Chapter 14: IP defensive filtering
    1. Overview of defensive filtering
    2. Basic concepts
      1. Filter types
      2. Format of the ipsec command
    3. Implementing defensive filtering
      1. Enabling IPSec filtering in the TCP/IP stack
      2. Defining SAF (RACF) authorizations for defensive filtering
      3. Implementing the DMD procedure
      4. Operations and verification with defensive filtering (1/2)
      5. Operations and verification with defensive filtering (2/2)
      6. Conclusions
    4. Additional information
  25. Chapter 15: Policy-based routing
    1. Policy-based routing concept
    2. Routing policy
    3. Implementing policy-based routing
      1. Policy-based routing using jobname, protocol, and destination IP address
      2. Policy-based routing using protocol and port numbers (1/3)
      3. Policy-based routing using protocol and port numbers (2/3)
      4. Policy-based routing using protocol and port numbers (3/3)
  26. Part 4: Application-based security
  27. Chapter 16: Telnet security
    1. Conceptual overview of TN3270 security
      1. What is TN3270 security
      2. How TN3270 security works
      3. How TN3270 security can be applied
    2. TN3270 native TLS connection security
      1. Description of TN3270 native connection security
      2. Configuring TN3270 native connection security
    3. Basic native TLS configuration example
      1. Enabling native TLS/SSL support for TN3270
      2. Activating and verifying the configuration
    4. TN3270 with AT-TLS security support
      1. Description of TN3270 AT-TLS support
      2. Configuration of TN3270 AT-TLS support
    5. Basic AT-TLS configuration example
      1. Implementing TN3270 AT-TLS support (1/3)
      2. Implementing TN3270 AT-TLS support (2/3)
      3. Implementing TN3270 AT-TLS support (3/3)
      4. Activating and verifying TN3270 AT-TLS support (1/2)
      5. Activating and verifying TN3270 AT-TLS support (2/2)
    6. Problem determination for Telnet server security
    7. Additional information sources for TN3270 AT-TLS support
  28. Chapter 17: Secure File Transfer Protocol
    1. Conceptual overview of FTP security
      1. What is FTP security
      2. How FTP security works
      3. How FTP security can be applied
    2. FTP client with SOCKS proxy protocol
      1. Description of the SOCKS proxy protocol
      2. Configuration of SOCKS proxy protocol
      3. Activation and verification of the SOCKS proxy FTP
    3. FTP with native TLS security support
      1. Description of FTP native TLS security
      2. Configuration of FTP native TLS security (1/2)
      3. Configuration of FTP native TLS security (2/2)
      4. Activation and verification of FTP server without security (1/2)
      5. Activation and verification of FTP server without security (2/2)
      6. Activation and verification of the FTP server with TLS security: Internet draft protocols (1/3)
      7. Activation and verification of the FTP server with TLS security: Internet draft protocols (2/3)
      8. Activation and verification of the FTP server with TLS security: Internet draft protocols (3/3)
      9. Activation and verification of FTP server with TLS security: RFC4217 protocols (1/2)
      10. Activation and verification of FTP server with TLS security: RFC4217 protocols (2/2)
      11. Implicit secure TLS login (1/2)
      12. Implicit secure TLS login (2/2)
    4. FTP with AT-TLS security support
      1. Description of FTP AT-TLS support
      2. Configuration of FTP AT-TLS support (1/5)
      3. Configuration of FTP AT-TLS support (2/5)
      4. Configuration of FTP AT-TLS support (3/5)
      5. Configuration of FTP AT-TLS support (4/5)
      6. Configuration of FTP AT-TLS support (5/5)
      7. Activation and verification of FTP AT-TLS support (1/2)
      8. Activation and verification of FTP AT-TLS support (2/2)
    5. Backing up the backing store file and policies
    6. Migrating from native FTP TLS to FTP AT-TLS
      1. Migrating policies to a new release of z/OS Communications Server
      2. Details on migrating from TLS to AT-TLS
    7. FTP TLS and AT-TLS problem determination
    8. Additional information
  29. Part 5: Appendixes
  30. Appendix A: Basic cryptography
    1. Cryptography background
    2. Potential problems with electronic message exchange
      1. The request is not really from your client
      2. The order could have been intercepted and read
      3. The order could have been intercepted and altered
      4. An order is received from your client, but he denies sending it
    3. Secret key cryptography
    4. Public key cryptography
      1. Encryption
      2. Authentication
      3. Public key algorithms
      4. Digital certificates
    5. Performance issues of cryptosystems
    6. Message integrity
      1. Message digest (or hash)
      2. Message authentication codes
      3. Digital signatures
  31. Appendix B: Telnet security advanced settings
    1. Advanced native TLS configuration
      1. Implementation tasks
      2. Activation and verification (1/2)
      3. Activation and verification (2/2)
    2. Advanced AT-TLS configuration using client ID groups
      1. Implementation tasks (1/3)
      2. Implementation tasks (2/3)
      3. Implementation tasks (3/3)
      4. Activation and verification (1/2)
      5. Activation and verification (2/2)
  32. Appendix C: Configuring IPSec between z/OS and Windows
    1. IPSec between z/OS and Windows: Pre-shared Key Mode
      1. Set up the IKE daemon
      2. Set up the z/OS IPSec policy
      3. Set up a Windows IPSec policy for pre-shared key mode (1/3)
      4. Set up a Windows IPSec policy for pre-shared key mode (2/3)
      5. Set up a Windows IPSec policy for pre-shared key mode (3/3)
      6. Verify that things are working
    2. IPSec between z/OS and Windows: RSA mode
      1. Set up the IKE daemon
      2. Set up the X.509 certificates for RSA mode
      3. Export the Certificates from RACF Database
      4. Set up the z/OS IPSec policy for RSA
    3. Set up a Windows IPSec policy for RSA mode
      1. Import the z/OS certificates into Windows XP
      2. Create the IP security policy
      3. Verify that things are working
  33. Appendix D: zIIP Assisted IPSec
    1. Background
    2. Configuring zIIP Assisted IPSEC
    3. Example of zIIP Assisted IPSec implementation (1/2)
    4. Example of zIIP Assisted IPSec implementation (2/2)
      1. zIIP performance projection (1/2)
      2. zIIP performance projection (2/2)
  34. Appendix E: AES-256 and trusted TCP connections
    1. AES cryptographic support for integrated IPSec/VPN
    2. Trusted TCP connections
  35. Appendix F: z/OS Communications Server IPSec RFC currency
  36. Appendix G: Our implementation environment
    1. The environment used for all four books
      1. Our focus for this book
  37. Related publications
    1. IBM Redbooks publications
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks publications
    5. Help from IBM
  38. Index (1/3)
  39. Index (2/3)
  40. Index (3/3)
  41. Back cover

Product information

  • Title: IBM z/OS V1R12 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking
  • Author(s): Mike Ebbers, Rama Ayyar, Octavio L. Ferreira, Gazi Karakus, Yukihiko Miyamoto, Joel Porterie, Andi Wijaya
  • Release date: July 2011
  • Publisher(s): IBM Redbooks
  • ISBN: None