book

Security on IBM z/VSE

by Helmut Hellner, Ingo Franzki, Antoinette Kaschner, Joerg Schmidbauer, Heiko Schnell

November 2011

Intermediate to advanced

460 pages

11h 26m

English

IBM Redbooks

Read now

Unlock full access

Trademarks
The team who wrote this bookNow you can become a published author, too!Comments welcomeStay connected to IBM Redbooks
November 2011, Third EditionOctober 2009, Second Edition
1.1 Introducing the z/VSE parts1.1.1 Using z/VSE1.1.2 How z/VSE stores data1.2 z/VSE security features1.2.1 Online security1.2.2 Batch security1.2.3 Basic Security Manager1.2.4 Single sign-on and LDAP1.2.5 System z cryptographic solution1.2.6 CICS Web Support1.2.7 Connector security1.2.8 TCP/IP security1.2.9 Secure FTP1.2.10 Intrusion detection1.2.11 Compliance to policy
2.1 BSM concept2.1.1 System Authorization Facility2.1.2 Security files2.1.3 Security server partition2.1.4 BSM processing2.1.5 Common startup for BSM and ESM2.2 Installing and customizing BSM2.3 BSM administration2.3.1 Security system settings2.3.2 User definition2.3.3 Group definition2.3.4 Resource profile definition2.3.5 Generating BSM cross reference reports2.4 BSM auditing2.4.1 Enabling auditing for resources defined in the BSM control file2.4.2 Enabling auditing for resources defined in the DTSECTAB2.4.3 DMF setup2.4.4 BSM report writer (BSTRPWTR)2.5 BSM backups2.5.1 VSAM backups2.5.2 BSM backup and migration with BSTSAVER
3.1 LDAP and z/VSE3.2 Risks of the current situation3.3 LDAP terminology3.3.1 Overview and terms3.3.2 LDIF files3.4 The z/VM LDAP server3.5 LDAP sign-on of z/VSE3.5.1 LDAP user mapping file3.5.2 Strict mode3.5.3 LDAP password cache3.6 Configure and activate LDAP sign-on support3.6.1 LDAP configuration example skeleton3.6.2 Sign on to z/VSE with active LDAP sign-on support3.7 Administering the LDAP user mapping file3.8 LDAP sample setup3.8.1 Modifying the LDAP configuration phase3.8.2 Mapping an intranet user ID to a z/VSE user ID3.8.3 Modifying the TCP/IP setup3.8.4 Setting up for SSL3.8.5 Observations
4.1 Cryptography introduction4.1.1 Modern cryptography4.1.2 Cipher block chaining4.1.3 Verifying the identity of communication partners4.1.4 Ensuring data integrity4.1.5 Combining the advantages of these algorithms4.1.6 Using certificates4.1.7 Comparison of key sizes4.1.8 Password-based encryption4.1.9 Public key encryption4.2 Hardware-based encryption with z/VSE4.2.1 Hardware overview4.2.2 Planning your crypto configuration4.2.3 LPAR cryptographic configuration4.2.4 Operator commands4.2.5 Cryptography for guests on z/VM4.2.6 Available algorithms and key lengths4.2.7 Changing the status of hardware-based encryption4.2.8 Updates with z10 BC and EC4.2.9 Updates with z/VSE V4R24.2.10 Updates with z/VSE V4R34.3 Hardware-based tape encryption with z/VSE4.3.1 Encrypting data4.3.2 Decrypting data4.3.3 z/VSE considerations4.3.4 Hardware and software requirements4.3.5 Writing and reading encrypted data in z/VSE4.3.6 Recognizing an encrypted tape4.3.7 Additional hints to use hardware-based tape encryption4.4 Example of TS1120 installation4.4.1 Installing the prerequisite programs4.4.2 Setting up the TS11204.4.3 Setting up the EKM4.4.4 z/VSE considerations4.4.5 Observations4.5 Software-based encryption with Encryption Facility for z/VSE V1R14.5.1 Performance considerations4.5.2 Password-based encryption4.5.3 Public key encryption4.6 Software-based encryption with Encryption Facility for z/VSE V1R24.6.1 Prerequisites4.6.2 Differences of Encryption Facility between z/VSE V1R1 and V1R24.6.3 Downloading the prerequisite programs4.6.4 Usage hints4.6.5 Flexible support of record and stream data4.6.6 Considerations on compression4.6.7 Password-based encryption4.6.8 Public key encryption4.6.9 Advanced encryption options4.6.10 Observations4.7 z/VSE Navigator GUI for Encryption Facility
5.1 Generating the server key and certificates5.1.1 Defining the properties of the z/VSE system5.1.2 Creating the z/VSE key and certificates5.2 SSL setup for Java-based connector5.2.1 Setting up z/VSE Connector Server for SSL5.2.2 Setting up z/VSE Navigator for SSL5.2.3 Connecting to z/VSE using SSL server authentication5.2.4 Considerations with client authentication5.2.5 Using encryption with AES-2565.3 SSL setup for web browsers5.3.1 Setting up SSL native mode with HTTPD5.3.2 Considerations on $WEB user5.3.3 Connecting to HTTPD using a web browser5.3.4 Configuring ciphers in Internet Explorer5.4 Debugging SSL/TLS connections5.4.1 Tracing on z/VSE5.4.2 Tracing in Java
6.1 Introduction6.2 Setting up CWS6.2.1 Defining the TCP/IP service6.2.2 Connecting to CWS6.3 Setting up secure CWS6.3.1 Configuring the TCP/IP service for SSL6.3.2 Configuring the CICS system initialization parameters6.4 Client setup with Mozilla Firefox6.4.1 Importing the z/VSE certificates during session establishment6.4.2 Manually importing the z/VSE certificates into Firefox6.4.3 Configuring cipher suites in Firefox6.4.4 Starting a secure session with Firefox6.4.5 Displaying SSL properties in Mozilla Firefox6.5 Client setup with Microsoft Internet Explorer6.5.1 Importing the z/VSE certificates during session establishment6.5.2 Manually importing the z/VSE certificates into Internet Explorer6.5.3 Configuring cipher suites in Internet Explorer6.5.4 Starting a secure session with Internet Explorer6.6 Setting up for client authentication6.6.1 Using Internet Explorer6.6.2 Client authentication with user ID mapping6.7 Observations6.7.1 Abend AKEA in DFHSOSE6.7.2 Abend code x'080C' in module DFHSOSE

7.1 Java-based connector security7.1.1 Security features of the Java-based connector7.2 z/VSE script connector security7.2.1 Security features of the z/VSE script connector7.2.2 Non-SSL setup with client on workstation7.2.3 Non-SSL setup with a client on z/VSE7.2.4 General SSL setup7.2.5 SSL setup with client on z/VSE7.2.6 Observations7.2.7 Debugging hints7.3 Web service security when using SOAP7.3.1 Transport Layer Security and message layer security7.3.2 Web service security features with z/VSE as the SOAP server7.3.3 Web service security features with z/VSE as the SOAP client
8.1 TCP/IP security concept8.1.1 Control the security functions with the SECURITY command8.2 Defining user IDs8.2.1 Explicitly defining user IDs8.3 Security exit points and security managers8.3.1 Flow of a security request8.3.2 Using Basic Security Manager (BSM) with TCP/IP
9.1 Introduction9.2 Setting up a Telnet daemon, TELNETD9.3 z/VSE host setup for secure Telnet9.3.1 Setting up pass-through mode with a TLSD9.3.2 Setting up SSL native mode9.3.3 Setting up a Telnet listener daemon9.4 Client setup with IBM Personal Communications9.4.1 Importing the z/VSE certificates into PCOMM9.4.2 Starting a secure session9.4.3 Setting up for client authentication9.4.4 Taking a PCOMM trace9.5 Client setup with Attachmate EXTRA! X-treme9.5.1 Import certificates into the Windows certificate store9.5.2 Attachmate EXTRA! session setup9.5.3 Viewing the log9.5.4 Setting up for client authentication
10.1 Introduction10.2 z/VSE as FTP server10.2.1 Set up and start the z/VSE FTP server10.2.2 z/VM considerations10.2.3 Connect to z/VSE using an FTP client10.2.4 Transfer the certificate to the client side10.3 z/VSE as FTP client10.3.1 Sample setup with FileZilla server10.3.2 Sample setup with vsftpd server on Linux10.4 Considerations on firewalls10.4.1 Passive versus active FTP mode10.4.2 Restricting the port range on the server side10.4.3 Restricting the port range on the client side10.4.4 Considerations on the DATAPORT parameter10.4.5 Firewall configuration10.5 Observations10.5.1 Cannot submit a VSE/POWER job with Keyman/VSE10.5.2 SSL handshaking fails
11.1 Introduction11.2 Installing WebSphere MQ11.2.1 MQ installation on z/VSE11.2.2 Maintaining security profiles11.2.3 MQ installation on Windows11.3 Configuring WebSphere MQ11.3.1 MQ configuration on z/VSE11.3.2 MQ configuration on Windows11.3.3 Testing the setup11.4 Configuring for SSL11.4.1 Creating the keys and certificates11.4.2 SSL configuration on z/VSE11.4.3 SSL configuration on Windows11.5 Implementing SSL client authentication11.5.1 Configuring for client authentication on z/VSE11.5.2 Configuring for client authentication on Windows11.6 Using SSL peer attributes11.6.1 Example 1: Specifying matching peer attributes11.6.2 Example 2: Specifying peer attributes which do not match11.7 Configuring a z/VSE queue manager remotely11.7.1 What you can do remotely11.7.2 Preparing the z/VSE side for PCF11.7.3 Defining additional queues11.7.4 Defining the MQ Explorer reply model queue11.7.5 Defining a server-connection channel11.7.6 Defining a remote queue manager11.7.7 Exchanging test messages11.7.8 Defining SSL11.8 Observations11.8.1 Message sequence number error11.8.2 RC=2092 when sending a test message to Windows11.8.3 Open of file MQFADMN failed11.8.4 No space available for PUT request
A.1 Client-side Java APIsA.2 Host-side APIs
B.1 Keyman/VSEB.2 Installing the prerequisite programsB.3 Initial Keyman/VSE setupB.4 Some basic characteristics of RSA keysB.5 Relationship to TCP/IP utilitiesB.6 KeystoresB.7 Using Keyman/VSEB.8 Some selected Keyman/VSE functionsB.9 Observations
IBM Redbooks publicationsOther publicationsOnline resourcesHow to get IBM Redbooks publicationsHelp from IBM

Content preview from Security on IBM z/VSE

Preface

One of a firm's most valuable resources is its data: client lists, accounting data, employee information, and so on. This critical data has to be securely managed and controlled, and simultaneously made available to those users authorized to see it. The IBM® z/VSE® system has extensive capabilities to simultaneously share the firm's data among multiple users and protect them. Threats to this data come from a variety of sources. Insider threats, as well as malicious hackers, are not only difficult to detect and prevent—they could have been using resources without the business even being aware that they are there.

This IBM Redbooks® publication was written to assist z/VSE support and security personnel in providing the enterprise with a ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 0738436100Purchase book

Security on IBM z/VSE

by Helmut Hellner, Ingo Franzki, Antoinette Kaschner, Joerg Schmidbauer, Heiko Schnell

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like