IBM z/OS V2R2 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking

Book description

Abstract

For more than 50 years, IBM® mainframes have supported an extraordinary portion of the world's computing work, providing centralized corporate databases, and mission-critical enterprise-wide applications. IBM z® Systems, the latest generation of the IBM distinguished family of mainframe systems, has come a long way from its IBM System/360 heritage. Likewise, its IBM z/OS® operating system is far superior to its predecessors in providing, among many other capabilities, world-class and state-of-the-art support for the TCP/IP Internet protocol suite.

TCP/IP is a large and evolving collection of communication protocols managed by the Internet Engineering Task Force (IETF), an open, volunteer organization. Because of its openness, the TCP/IP protocol suite has become the foundation for the set of technologies that form the basis of the Internet. The convergence of IBM mainframe capabilities with Internet technology, connectivity, and standards (particularly TCP/IP) is dramatically changing the face of information technology and driving requirements for ever more secure, scalable, and highly available mainframe TCP/IP implementations.

The IBM z/OS Communications Server TCP/IP Implementation series provides understandable, step-by-step guidance about how to enable the most commonly used and important functions of z/OS Communications Server TCP/IP.

This IBM Redbooks® publication is for people who install and support z/OS Communications Server. It explains how to set up security for your z/OS networking environment. With the advent of TCP/IP and the Internet, network security requirements have become more stringent and complex. Because many transactions are from unknown users and untrusted networks such as the Internet, careful attention must be given to host and user authentication, data privacy, data origin authentication, and data integrity. Also, because security technologies are complex and can be confusing, we include helpful tutorial information in the appendixes of this book.

For more information about z/OS Communications Server base functions, standard applications, and high availability, see the other following volumes in the series:


  • , SG24-8360

    IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 1: Base Functions, Connectivity, and Routing

  • , SG24-8361

    IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 2: Standard Applications

  • , SG24-8362

    IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 3: High Availability, Scalability, and Performance

  • This book does not duplicate the information in these publications. Instead, it complements those publications with practical implementation scenarios that might be useful in your environment. For more information about at what level a specific function was introduced, see z/OS Communications Server: New Function Summary, GC31-8771.

    Table of contents

    1. Front cover
    2. Notices
      1. Trademarks
    3. Preface
      1. Authors
      2. Now you can become a published author, too!
      3. Comments welcome
      4. Stay connected to IBM Redbooks
    4. Chapter 1. RACF demystified
      1. 1.1 RACF basic concepts
      2. 1.2 Protecting your network resources
      3. 1.3 Protecting your programs
        1. 1.3.1 Authorized Program Facility
        2. 1.3.2 Program protection by RACF resource class PROGRAM
        3. 1.3.3 Program Access Control
        4. 1.3.4 Controlling program access by SYSID
        5. 1.3.5 The sticky bit in the z/OS UNIX environment
      4. 1.4 Associating a user ID with a started task
      5. 1.5 Setting up security for daemons in z/OS UNIX
      6. 1.6 RACF multilevel security for network resources
        1. 1.6.1 Basic MLS concepts
        2. 1.6.2 Security levels
      7. 1.7 Digital certificates in RACF
      8. 1.8 More information
    5. Chapter 2. Protecting network resources
      1. 2.1 SERVAUTH resource class
      2. 2.2 Protecting your TCP/IP stack
        1. 2.2.1 Stack access overview
        2. 2.2.2 Example setup
      3. 2.3 Protecting your network access
        1. 2.3.1 Network access control overview
        2. 2.3.2 SAF audit records
        3. 2.3.3 Server considerations
        4. 2.3.4 Using NETSTAT for network access control
        5. 2.3.5 Working example of network access control
      4. 2.4 Protecting your network ports
        1. 2.4.1 PORT/PORTRANGE SAF keyword
        2. 2.4.2 Using NETSTAT to display Port Access control
      5. 2.5 Protecting the use of socket options
        1. 2.5.1 SO_BROADCAST socket option access control
        2. 2.5.2 IPv6 advanced socket API options
      6. 2.6 Protecting sensitive network commands
        1. 2.6.1 z/OS VARY TCPIP command security
        2. 2.6.2 TSO NETSTAT and UNIX onetstat command security
        3. 2.6.3 Policy agent command security
        4. 2.6.4 IPSec command access control
        5. 2.6.5 EZACMD console command security
        6. 2.6.6 Additional information
      7. 2.7 Protecting FTP
        1. 2.7.1 Restricting certain users from logging into FTP server
        2. 2.7.2 Protecting other FTP related resources
      8. 2.8 Protecting network management resources
        1. 2.8.1 SNMP agent control
        2. 2.8.2 TCP connection information service access control
        3. 2.8.3 CIM provider access control
      9. 2.9 Protecting miscellaneous resources
        1. 2.9.1 Digital Certificate Access Server access control
        2. 2.9.2 MODDVIPA utility program control
        3. 2.9.3 DVIPA activation and movement Control
        4. 2.9.4 Fast Response Cache Accelerator access control
        5. 2.9.5 Real-time SMF information service access control
        6. 2.9.6 TCP/IP packet trace service access control
        7. 2.9.7 TCP/IP stack initialization access control
        8. 2.9.8 RPCBIND application registration control
    6. Chapter 3. Certificate management in z/OS
      1. 3.1 Digital certificates overview
        1. 3.1.1 Digital certificate overview
        2. 3.1.2 How digital certificates work
      2. 3.2 Digital certificate types
        1. 3.2.1 Certificate authority certificates
        2. 3.2.2 User (personal) certificates
        3. 3.2.3 Site certificates
        4. 3.2.4 Obtaining a digital certificate
      3. 3.3 Configuring the utilities to generate certificates in z/OS
        1. 3.3.1 Utilities in z/OS for managing certificates
        2. 3.3.2 Digital certificate field formats
        3. 3.3.3 Using the RACF RACDCERT command
        4. 3.3.4 Using the gskkyman command
      4. 3.4 Using certificates in sample IBM environments
        1. 3.4.1 Host On-Demand and certificates
        2. 3.4.2 Shared site certificate and shared key ring
        3. 3.4.3 Self-signed certificates
        4. 3.4.4 Internal (local) certificate authority
        5. 3.4.5 External (well-known) certificate authority
    7. Chapter 4. Policy agent
      1. 4.1 Policy agent description
        1. 4.1.1 Basic concepts
        2. 4.1.2 Where and how to define policies
      2. 4.2 Implementing PAGENT on z/OS
        1. 4.2.1 Starting PAGENT as started task
        2. 4.2.2 Starting PAGENT from UNIX
        3. 4.2.3 Stopping PAGENT
        4. 4.2.4 Disabling PAGENT policies for IPSec
        5. 4.2.5 Basic configuration
        6. 4.2.6 Coding policy definitions in a configuration file
        7. 4.2.7 Refreshing policies
        8. 4.2.8 Policy infrastructure management
        9. 4.2.9 Verification
        10. 4.2.10 Centralized policy server
        11. 4.2.11 More information
      3. 4.3 Setting up the Traffic Regulation Management daemon
        1. 4.3.1 Starting TRMD using PAGENT
        2. 4.3.2 Setting up the started task procedure
        3. 4.3.3 Starting TRMD from z/OS UNIX
        4. 4.3.4 Defining the security product authorization for TRMD
        5. 4.3.5 TRMDSTAT
      4. 4.4 Configuration Assistant for z/OS Communications Server
        1. 4.4.1 Using z/OSMF Configuration Assistant
        2. 4.4.2 General configuration steps using the Configuration Assistant
        3. 4.4.3 Discovery of TCP/IP profile function
        4. 4.4.4 Common configuration of multiple stacks
      5. 4.5 Connection flooding
      6. 4.6 Backup and migration considerations
        1. 4.6.1 Backing store file
        2. 4.6.2 Migrating backing store files to z/OSMF Configuration Assistant
        3. 4.6.3 Importing (merging) backing store files
        4. 4.6.4 Importing the policy file to Configuration Assistant
      7. 4.7 More information
    8. Chapter 5. Centralized policy server
      1. 5.1 Background
      2. 5.2 Basic concepts
      3. 5.3 Configuring distributed (centralized) policy services
        1. 5.3.1 Configuring base environment with SSL
        2. 5.3.2 Configuring the policy server
        3. 5.3.3 Configuring the policy client
        4. 5.3.4 Correlating the definitions at the policy server and policy client
      4. 5.4 Activating and verifying the policy services environment
      5. 5.5 Diagnosing the centralized policy services environment
      6. 5.6 Configuring the centralized policy server without SSL security
      7. 5.7 More information
    9. Chapter 6. Quality of service
      1. 6.1 Quality of service overview
        1. 6.1.1 Differentiated Services
        2. 6.1.2 QoS with z/OS Communications Server
        3. 6.1.3 PAGENT QoS policies
        4. 6.1.4 Migrating TR QoS policies to intrusion detection services policy function
      2. 6.2 Configuring QoS in the z/OS Communications Server
        1. 6.2.1 Policies
        2. 6.2.2 Differentiated Services rule
        3. 6.2.3 More information
      3. 6.3 QoS implementation
        1. 6.3.1 Using the Configuration Assistant to configure QoS
        2. 6.3.2 Including QoS in the policy agent configuration
      4. 6.4 Verifying and diagnosing the QoS implementation
        1. 6.4.1 Available management tools
        2. 6.4.2 z/OS Communications Server SNMP SLA Subagent
    10. Chapter 7. IP filtering
      1. 7.1 Define IP filtering
        1. 7.1.1 Basic concepts
        2. 7.1.2 IP filter policy types
      2. 7.2 z/OS IP filtering implementation
        1. 7.2.1 Enabling IP Filtering
        2. 7.2.2 Configuring default IP filter policy
        3. 7.2.3 Configuring IP security filter policy using PAGENT
        4. 7.2.4 QDIO acceleration coexistence with IP filtering
        5. 7.2.5 Problem determination
        6. 7.2.6 More information
    11. Chapter 8. IP Security
      1. 8.1 IPSec overview
      2. 8.2 Basic concepts
        1. 8.2.1 Key components
        2. 8.2.2 IP Authentication Header protocol
        3. 8.2.3 IP Encapsulating Security Payload protocol
        4. 8.2.4 Internet Key Exchange protocol: Pre-shared key and RSA signature mode
      3. 8.3 Current IPsec support
        1. 8.3.1 IKE version 2 (IKEv2) support
        2. 8.3.2 IPSec support for certificate trust chains
        3. 8.3.3 IPSec support for certificate revocation lists
        4. 8.3.4 IPSec support for cryptographic currency
        5. 8.3.5 IPSec support for FIPS 140 cryptographic mode
        6. 8.3.6 Improved FIPS 140 diagnostics
        7. 8.3.7 AES cryptographic support for integrated IPSec in a VPN
        8. 8.3.8 Trusted TCP connections
        9. 8.3.9 zIIP Assisted IPSec function
      4. 8.4 Working with the z/OS Communications Server Network Management Interface
      5. 8.5 How IPSec is implemented
        1. 8.5.1 Installing the PAGENT
        2. 8.5.2 Setting up the Traffic Regulation Management daemon
        3. 8.5.3 Updating the TCP/IP stack to activate IPSec
        4. 8.5.4 Restricting the use of the ipsec command
        5. 8.5.5 Installing the IBM Configuration Assistant for z/OS Communications Server
        6. 8.5.6 IPSec scenarios
        7. 8.5.7 Defining the IPSec policies to PAGENT
        8. 8.5.8 Setting up the IKED
        9. 8.5.9 RACF certificate definitions for IKED
        10. 8.5.10 Setting up the system logging daemon (SYSLOGD) to log IKED messages
        11. 8.5.11 Starting the IKED and verifying initialization
        12. 8.5.12 Commands used to administer IP security
      6. 8.6 Configuring IPSec between two z/OS systems: Pre-shared key mode using IKEv2
        1. 8.6.1 Using z/OSMF Configuration Assistant to set up the IPSec policies
        2. 8.6.2 Installing the configuration files
        3. 8.6.3 Verifying IPSec between two z/OS images
      7. 8.7 Configuring IPSec between two z/OS systems: RSA signature mode using IKEv1
        1. 8.7.1 Generating certificates for IKEv1 RSA signature mode
        2. 8.7.2 Creating the IPSec filters and policies for the IPSec tunnel
        3. 8.7.3 Modifying policies to use RSA signature mode
        4. 8.7.4 Verifying IKE with RSA signature mode
        5. 8.7.5 Diagnosing IKE with RSA signature mode
      8. 8.8 More information
    12. Chapter 9. Network Security Services for IPSec clients
      1. 9.1 Basic concepts
        1. 9.1.1 IKED overview
        2. 9.1.2 NSS solution for IKED Clients: IPSec discipline
      2. 9.2 Configuring NSS for the IPSec discipline
        1. 9.2.1 Preliminary tasks overview
        2. 9.2.2 NSS client and NSS server
        3. 9.2.3 Preparing for configuration
        4. 9.2.4 Configuring the NSS environment
        5. 9.2.5 Configuring prerequisites for NSS for an IKED Client
        6. 9.2.6 Configuring authorizations for NSS
        7. 9.2.7 Configuring the NSS server for an IKED Client
        8. 9.2.8 Enabling an IKED NSS client to use NSS
        9. 9.2.9 Creating NSS files for IKED Client using z/OSMF Configuration Assistant
      3. 9.3 Verifying the NSS environment for the IKED Client
        1. 9.3.1 Making NSS configuration and policy files available
        2. 9.3.2 Initializing NSSD and the NSS client
        3. 9.3.3 NSS and IKE displays on SC33 and SC32
      4. 9.4 Diagnosing the NSSD environment
        1. 9.4.1 Resources and guidance
        2. 9.4.2 Examples of logging information for diagnosis
      5. 9.5 Worksheet questions for NSSD implementation (IKED client)
      6. 9.6 More information
    13. Chapter 10. Network Security Services for WebSphere DataPower appliances
      1. 10.1 Basic concepts
        1. 10.1.1 NSS benefits
        2. 10.1.2 Review of DataPower
        3. 10.1.3 The NSS solution for XMLAppliance Clients: SAF service
        4. 10.1.4 NSS solution for XMLAppliance clients: Private key and certificate services
      2. 10.2 Configuring NSS
        1. 10.2.1 NSS configuration for an NSS XMLAppliance Client overview
        2. 10.2.2 Preparing for configuration
        3. 10.2.3 Configuring the NSS environment at z/OS
        4. 10.2.4 Creating NSS Server files for an NSS XMLAppliance Client with IBM Configuration Assistant
        5. 10.2.5 Configuring the NSS environment at the WebSphere DataPower SOA Appliance to support the SAF access service
        6. 10.2.6 Configuring the NSS environment at the Web Services Requester
      3. 10.3 Verifying the NSS configuration with the NSS Client (XML Appliance Discipline)
        1. 10.3.1 Operations with z/OS NSS Server
        2. 10.3.2 Operations with the DataPower appliance and Client
        3. 10.3.3 Operations with the Web Services Requester platform
      4. 10.4 More information
      5. 10.5 NSS configuration worksheet for an NSS XMLAppliance client
    14. Chapter 11. Network Address Translation traversal support
      1. 11.1 Network Address Translation
        1. 11.1.1 One-to-one NAT
        2. 11.1.2 Network Address Port Translation
      2. 11.2 IPSec and NAT incompatibilities
      3. 11.3 NAPT traversal support for integrated IPSec/VPN
        1. 11.3.1 Enabling NAPT traversal support for IPSec
        2. 11.3.2 Testing and verification
    15. Chapter 12. Application Transparent Transport Layer Security
      1. 12.1 AT-TLS overview
        1. 12.1.1 What is AT-TLS
        2. 12.1.2 How AT-TLS works
        3. 12.1.3 Applying AT-TLS
      2. 12.2 AT-TLS Implementation example: REXX socket API
        1. 12.2.1 REXX AT-TLS support
        2. 12.2.2 REXX AT-TLS support configuration
        3. 12.2.3 Activating and verifying REXX AT-TLS support
      3. 12.3 Problem determination for AT-TLS
      4. 12.4 For more information about AT-TLS
    16. Chapter 13. Intrusion detection services
      1. 13.1 Intrusion detection services overview
      2. 13.2 Basic concepts
        1. 13.2.1 Scan policies
        2. 13.2.2 Attack policies
        3. 13.2.3 IPv6 Support
        4. 13.2.4 IDS Reporting
        5. 13.2.5 Traffic regulation policies
      3. 13.3 Implementing IDS
        1. 13.3.1 Installing the policy agent
        2. 13.3.2 z/OSMF Configuration Assistant
        3. 13.3.3 Configuring IDS policy using the z/OSMF Configuration Assistant
        4. 13.3.4 Installing the IDS policy
      4. 13.4 Sample displays
        1. 13.4.1 IDS Support to detect IPv6 attacks
        2. 13.4.2 Port scan
        3. 13.4.3 More information about NetView and z/OS IDS
    17. Chapter 14. IP defensive filtering
      1. 14.1 Defensive filtering overview
      2. 14.2 Basic concepts
        1. 14.2.1 Filter types
        2. 14.2.2 Format of the ipsec command
      3. 14.3 Implementing defensive filtering
        1. 14.3.1 Enabling IPSec filtering in the TCP/IP stack
        2. 14.3.2 Defining SAF (RACF) authorizations for defensive filtering
        3. 14.3.3 Implementing the DMD procedure
        4. 14.3.4 Operations and verification with defensive filtering
        5. 14.3.5 Conclusions
      4. 14.4 More information
    18. Chapter 15. Policy-based routing
      1. 15.1 Policy-based routing concept
      2. 15.2 Routing policy
      3. 15.3 Implementing policy-based routing
        1. 15.3.1 Policy-based routing using job name, protocol, and destination IP address
        2. 15.3.2 Policy-based routing using protocol and port numbers
    19. Chapter 16. Telnet security
      1. 16.1 Conceptual overview of TN3270 security
        1. 16.1.1 What is TN3270 security
        2. 16.1.2 How TN3270 security works
        3. 16.1.3 How TN3270 security can be applied
      2. 16.2 TN3270 native TLS connection security
        1. 16.2.1 Description of TN3270 native connection security
        2. 16.2.2 Configuring TN3270 native connection security
      3. 16.3 Basic native TLS configuration example
        1. 16.3.1 Enabling native TSL/SLL support for TN3270
        2. 16.3.2 Activating and verifying the configuration
      4. 16.4 TN3270 with AT-TLS security support
        1. 16.4.1 Description of TN3270 AT-TLS support
        2. 16.4.2 Configuration of TN3270 AT-TLS support
      5. 16.5 Basic AT-TLS configuration example
        1. 16.5.1 Implementing TN3270 AT-TLS support
        2. 16.5.2 Activating and verifying TN3270 AT-TLS support
      6. 16.6 Problem determination for Telnet server security
      7. 16.7 More information sources for TN3270 AT-TLS support
    20. Chapter 17. Secure File Transfer Protocol
      1. 17.1 Conceptual overview of FTP security
        1. 17.1.1 FTP security overview
        2. 17.1.2 How FTP security works
        3. 17.1.3 How FTP security can be applied
      2. 17.2 FTP client with SOCKS proxy protocol
        1. 17.2.1 SOCKS proxy protocol overview
        2. 17.2.2 Configuration of SOCKS proxy protocol
        3. 17.2.3 Activating and verifying the SOCKS proxy FTP
      3. 17.3 FTP with native TLS support
        1. 17.3.1 FTP native TLS security overview
        2. 17.3.2 Configuring FTP native TLS security
        3. 17.3.3 Activate and verify FTP server without security
        4. 17.3.4 Activate and verify FTP server with TLS security: Internet draft protocols
        5. 17.3.5 Activate and verify FTP server with TLS security: RFC4217 protocols
        6. 17.3.6 Implicit secure TLS login
      4. 17.4 FTP with AT-TLS security support
        1. 17.4.1 FTP AT-TLS support overview
        2. 17.4.2 Configuring FTP AT-TLS support
        3. 17.4.3 Activating and verifying FTP AT-TLS support
      5. 17.5 Migrating from native FTP TLS to FTP AT-TLS
        1. 17.5.1 Migrating policies to a new release of z/OS Communications Server
        2. 17.5.2 Details on migrating from TLS to AT-TLS
      6. 17.6 FTP TLS and AT-TLS problem determination
      7. 17.7 More information
    21. Appendix A. Basic cryptography
      1. A.1 Cryptography background
      2. A.2 Potential problems with electronic message exchange
      3. A.3 Secret key cryptography
      4. A.4 Public key cryptography
      5. A.5 Performance issues of cryptosystems
      6. A.6 Message integrity
    22. Appendix B. Telnet security advanced settings
      1. B.1 Advanced native TLS configuration
      2. B.2 Advanced AT-TLS configuration using client ID groups
    23. Appendix C. Configuring IPSec between z/OS and Windows
      1. C.1 IPSec between z/OS and Windows: Pre-shared Key Mode
      2. C.2 IPSec between z/OS and Windows: RSA mode
      3. C.3 Setting up a Windows IPSec policy for RSA mode
    24. Appendix D. zIIP Assisted IPSec
      1. D.1 Overview
      2. D.2 Configuring zIIP Assisted IPSEC
      3. D.3 Example of zIIP Assisted IPSec implementation
    25. Appendix E. z/OS Communications Server IPSec RFC currency
    26. Appendix F. Implementation environment
      1. F.1 Environment used for all four books
      2. F.2 Our focus for this book
    27. Related publications
      1. IBM Redbooks publications
      2. Other publications
      3. Online resources
        1. Help from IBM
    28. Back cover

    Product information

    • Title: IBM z/OS V2R2 Communications Server TCP/IP Implementation: Volume 4 Security and Policy-Based Networking
    • Author(s): Bill White, Octavio Ferreira, Teresa Missawa, Teddy Sudewo
    • Release date: March 2017
    • Publisher(s): IBM Redbooks
    • ISBN: 9780738442242