Security on IBM z/VSE

Book description

Abstract

One of a firm’s most valuable resources is its data: client lists, accounting data, employee information, and so on. This critical data must be securely managed and controlled, and simultaneously made available to those users authorized to see it.

The IBM® z/VSE® system features extensive capabilities to share the firm’s data among multiple users while simultaneously protecting it. Threats to this data come from various sources. Insider threats and malicious hackers are not only difficult to detect and prevent; they might also be using resources without the business being aware of it.

This IBM Redbooks® publication was written to assist z/VSE support and security personnel in providing the enterprise with a safe, secure and manageable environment.

This book provides an overview of the security that is provided by z/VSE and the processes for the implementation and configuration of z/VSE security components, Basic Security Manager (BSM), IBM CICS® security, TCP/IP security, single sign-on using LDAP, and connector security.

Table of contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. Authors
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. June 2018, Fourth Edition
    2. November 2011, Third Edition
    3. October 2009, Second Edition
  5. Chapter 1. z/VSE and security
    1. 1.1 Introducing the z/VSE parts
      1. 1.1.1 Using z/VSE
      2. 1.1.2 How z/VSE stores data
    2. 1.2 z/VSE security features
      1. 1.2.1 Online security
      2. 1.2.2 Batch security
      3. 1.2.3 Basic Security Manager
      4. 1.2.4 Single sign-on and LDAP
      5. 1.2.5 System z cryptographic solution
      6. 1.2.6 CICS Web Support
      7. 1.2.7 Connector security
      8. 1.2.8 TCP/IP security
      9. 1.2.9 Secure FTP
      10. 1.2.10 Intrusion detection
      11. 1.2.11 Compliance to policy
  6. Chapter 2. z/VSE Basic Security Manager
    1. 2.1 BSM concept
      1. 2.1.1 System Authorization Facility
      2. 2.1.2 Security files
      3. 2.1.3 Security server partition
      4. 2.1.4 BSM processing
      5. 2.1.5 Common startup for BSM and ESM
    2. 2.2 Installing and customizing BSM
    3. 2.3 BSM administration
      1. 2.3.1 Security system settings
      2. 2.3.2 Defining a User
      3. 2.3.3 Group definition
      4. 2.3.4 Resource profile definition
      5. 2.3.5 Batch resource administration
      6. 2.3.6 Generating BSM cross-reference reports
    4. 2.4 BSM auditing
      1. 2.4.1 Enabling auditing for resources defined in the BSM control file
      2. 2.4.2 Enabling auditing for resources defined in the DTSECTAB
      3. 2.4.3 DMF setup
      4. 2.4.4 BSM report writer (BSTRPWTR)
    5. 2.5 BSM backups
      1. 2.5.1 VSAM backups
      2. 2.5.2 BSM backup and migration with BSTSAVER
  7. Chapter 3. LDAP sign-on support
    1. 3.1 LDAP and z/VSE
    2. 3.2 Risks of the current situation
    3. 3.3 LDAP terminology
      1. 3.3.1 Overview and terms
      2. 3.3.2 LDIF files
    4. 3.4 z/VM LDAP server
    5. 3.5 LDAP sign-on of z/VSE
      1. 3.5.1 LDAP user mapping file
      2. 3.5.2 Strict mode
      3. 3.5.3 LDAP password cache
    6. 3.6 Configure and activate LDAP sign-on support
      1. 3.6.1 LDAP configuration example skeleton
      2. 3.6.2 Sign on to z/VSE with active LDAP sign-on support
    7. 3.7 Administering the LDAP user mapping file
      1. 3.7.1 Using the Maintain LDAP user profiles dialog
    8. 3.8 LDAP sample setup
      1. 3.8.1 Modifying the LDAP configuration phase
      2. 3.8.2 Mapping an intranet user ID to a z/VSE user ID
      3. 3.8.3 Modifying the TCP/IP setup
      4. 3.8.4 Setting up for SSL
      5. 3.8.5 Observations
  8. Chapter 4. Cryptography on z/VSE
    1. 4.1 Cryptography introduction
      1. 4.1.1 Modern cryptography
      2. 4.1.2 Encryption modes
      3. 4.1.3 Verifying the identity of communication partners
      4. 4.1.4 Ensuring data integrity
      5. 4.1.5 Secure Sockets Layer and Transport Layer Security
      6. 4.1.6 Use of certificates
      7. 4.1.7 Comparison of key sizes
      8. 4.1.8 Password-based encryption
      9. 4.1.9 Public key encryption
    2. 4.2 Configuring cryptographic hardware
      1. 4.2.1 Hardware overview
      2. 4.2.2 Planning your crypto configuration
      3. 4.2.3 Configuring LPAR activation profile
      4. 4.2.4 CPC cryptographic configuration
      5. 4.2.5 LPAR cryptographic configuration
      6. 4.2.6 Hardware crypto device driver in z/VSE
      7. 4.2.7 Disabling a crypto device
      8. 4.2.8 Cryptography for guests on z/VM
      9. 4.2.9 Cryptography when using an external security manager
      10. 4.2.10 Changing the status of hardware-based encryption
      11. 4.2.11 AP-queue Adapter Interruption Facility
    3. 4.3 Hardware-based tape encryption with z/VSE
      1. 4.3.1 Encrypting data
      2. 4.3.2 Decrypting data
      3. 4.3.3 z/VSE considerations
      4. 4.3.4 Hardware and software requirements
      5. 4.3.5 Writing and reading encrypted data in z/VSE
      6. 4.3.6 Recognizing an encrypted tape
      7. 4.3.7 More information about using hardware-based tape encryption
    4. 4.4 Example of TS1120 installation
      1. 4.4.1 Installing the prerequisite programs
      2. 4.4.2 Setting up the TS1120
      3. 4.4.3 Setting up the EKM
      4. 4.4.4 z/VSE considerations
      5. 4.4.5 Observations
    5. 4.5 Software-based encryption with Encryption Facility for z/VSE V1R1
      1. 4.5.1 Performance considerations
      2. 4.5.2 Password-based encryption
      3. 4.5.3 Public key encryption
    6. 4.6 Software-based encryption with Encryption Facility for z/VSE V1R2
      1. 4.6.1 Prerequisites
      2. 4.6.2 Differences in Encryption Facility between z/VSE V1R1 and V1R2
      3. 4.6.3 Downloading the prerequisite programs
      4. 4.6.4 Usage hints
      5. 4.6.5 Flexible support of record and stream data
      6. 4.6.6 Considerations on compression
      7. 4.6.7 Password-based encryption
      8. 4.6.8 Public key encryption
      9. 4.6.9 Advanced encryption options
      10. 4.6.10 Observation
    7. 4.7 z/VSE Navigator GUI for Encryption Facility
  9. Chapter 5. Secure Sockets Layer with z/VSE
    1. 5.1 Generating the server key and certificates
      1. 5.1.1 Defining the properties of the z/VSE system
      2. 5.1.2 Creating the z/VSE key and certificates
    2. 5.2 SSL setup for Java-based connector
      1. 5.2.1 Setting up z/VSE Connector Server for SSL
      2. 5.2.2 Setting up z/VSE Navigator for SSL
      3. 5.2.3 Connecting to z/VSE by using SSL server authentication
      4. 5.2.4 Considerations with client authentication
      5. 5.2.5 Using encryption with AES-256
    3. 5.3 SSL setup for web browsers
      1. 5.3.1 Setting up SSL native mode with HTTPD
      2. 5.3.2 Considerations on $WEB user
      3. 5.3.3 Connecting to HTTPD by using a web browser
      4. 5.3.4 Configuring ciphers in Internet Explorer
    4. 5.4 Debugging SSL/TLS connections
      1. 5.4.1 Tracing on z/VSE
      2. 5.4.2 Tracing in Java
  10. Chapter 6. CICS Web Support security
    1. 6.1 Introduction
    2. 6.2 Setting up CWS
      1. 6.2.1 Defining the TCP/IP service
      2. 6.2.2 Connecting to CWS
    3. 6.3 Setting up secure CWS
      1. 6.3.1 Configuring the TCP/IP service for SSL
      2. 6.3.2 Configuring the CICS system initialization parameters
      3. 6.3.3 Configuring OpenSSL
    4. 6.4 Client setup with Mozilla Firefox
      1. 6.4.1 Importing the z/VSE certificates during session establishment
      2. 6.4.2 Manually importing the z/VSE certificates into Firefox
      3. 6.4.3 Configuring cipher suites in Firefox
      4. 6.4.4 Starting a secure session with Firefox
      5. 6.4.5 Displaying SSL properties in Mozilla Firefox
    5. 6.5 Client setup with Microsoft Internet Explorer
      1. 6.5.1 Importing the z/VSE certificates during session establishment
      2. 6.5.2 Manually importing the z/VSE certificates into Internet Explorer
      3. 6.5.3 Configuring cipher suites in Internet Explorer
      4. 6.5.4 Starting a secure session with Internet Explorer
    6. 6.6 Setting up for client authentication
      1. 6.6.1 Using Internet Explorer
      2. 6.6.2 Client authentication with user ID mapping
    7. 6.7 Observations
      1. 6.7.1 Abend AKEA in DFHSOSE
      2. 6.7.2 Abend code x'080C' in module DFHSOSE
  11. Chapter 7. Connector security
    1. 7.1 Java-based connector security
      1. 7.1.1 Security features of the Java-based connector
    2. 7.2 z/VSE script connector security
      1. 7.2.1 Security features of the z/VSE script connector
      2. 7.2.2 Non-SSL setup with client on workstation
      3. 7.2.3 Non-SSL setup with a client on z/VSE
      4. 7.2.4 General SSL setup
      5. 7.2.5 SSL setup with client on z/VSE
      6. 7.2.6 Observations
      7. 7.2.7 Debugging hints
    3. 7.3 Web service security when using SOAP
      1. 7.3.1 Transport Layer Security and message layer security
      2. 7.3.2 Web service security features with z/VSE as the SOAP server
      3. 7.3.3 Web service security features with z/VSE as the SOAP client
    4. 7.4 z/VSE Database Connector (DBCLI)
      1. 7.4.1 z/VSE DBCLI security features
  12. Chapter 8. TCP/IP security
    1. 8.1 TCP/IP security concept
      1. 8.1.1 Control the security functions with the SECURITY command
    2. 8.2 Defining user IDs
      1. 8.2.1 Explicitly defining user IDs
    3. 8.3 Security exit points and security managers
      1. 8.3.1 Flow of a security request
      2. 8.3.2 Using Basic Security Manager with TCP/IP
  13. Chapter 9. Secure Telnet
    1. 9.1 Introduction
    2. 9.2 Setting up a Telnet daemon, TELNETD
    3. 9.3 z/VSE host setup for secure Telnet
      1. 9.3.1 Setting up pass-through mode with a TLSD
      2. 9.3.2 Setting up SSL native mode
      3. 9.3.3 Setting up a Telnet listener daemon
    4. 9.4 Client setup with Personal Communications
      1. 9.4.1 Importing the z/VSE certificates into Personal Communications
      2. 9.4.2 Starting a secure session
      3. 9.4.3 Setting up for client authentication
      4. 9.4.4 Taking a Personal Communications trace
    5. 9.5 Client setup with Attachmate EXTRA! X-treme
      1. 9.5.1 Importing certificates into the Windows certificate store
      2. 9.5.2 Attachmate EXTRA! session setup
      3. 9.5.3 Viewing the log
      4. 9.5.4 Setting up for client authentication
  14. Chapter 10. Secure File Transfer Protocol
    1. 10.1 Introduction
    2. 10.2 z/VSE as FTP server
      1. 10.2.1 Set up and start the z/VSE FTP server
      2. 10.2.2 z/VM considerations
      3. 10.2.3 Connect to z/VSE by using an FTP client
      4. 10.2.4 Transferring the certificate to the client side
    3. 10.3 z/VSE as FTP client
      1. 10.3.1 Sample setup with FileZilla server
      2. 10.3.2 Sample setup with vsftpd server on Linux
    4. 10.4 Considerations for firewalls
      1. 10.4.1 Passive versus active FTP mode
      2. 10.4.2 Restricting the port range on the server side
      3. 10.4.3 Restricting the port range on the client side
      4. 10.4.4 Considerations on the DATAPORT parameter
      5. 10.4.5 Firewall configuration
    5. 10.5 Observations
      1. 10.5.1 Cannot submit a VSE/POWER job with Keyman/VSE
      2. 10.5.2 SSL handshaking fails
  15. Chapter 11. WebSphere MQ with SSL
    1. 11.1 Introduction
    2. 11.2 Installing WebSphere MQ
      1. 11.2.1 MQ installation on z/VSE
      2. 11.2.2 Maintaining security profiles
      3. 11.2.3 MQ installation on Windows
    3. 11.3 Configuring WebSphere MQ
      1. 11.3.1 MQ configuration on z/VSE
      2. 11.3.2 MQ configuration on Windows
      3. 11.3.3 Testing the setup
    4. 11.4 Configuring for SSL
      1. 11.4.1 Creating the keys and certificates
      2. 11.4.2 SSL configuration on z/VSE
      3. 11.4.3 SSL configuration on Windows
    5. 11.5 Implementing SSL client authentication
      1. 11.5.1 Configuring for client authentication on z/VSE
      2. 11.5.2 Configuring for client authentication on Windows
    6. 11.6 Using SSL peer attributes
      1. 11.6.1 Example 1: Specifying matching peer attributes
      2. 11.6.2 Example 2: Specifying peer attributes that do not match
    7. 11.7 Configuring a z/VSE queue manager remotely
      1. 11.7.1 What you can do remotely
      2. 11.7.2 Preparing the z/VSE side for PCF
      3. 11.7.3 Defining more queues
      4. 11.7.4 Defining the MQ Explorer reply model queue
      5. 11.7.5 Defining a server-connection channel
      6. 11.7.6 Defining a remote queue manager
      7. 11.7.7 Exchanging test messages
      8. 11.7.8 Defining SSL
    8. 11.8 Observations
      1. 11.8.1 Message sequence number error
      2. 11.8.2 RC=2092 when sending a test message to Windows
      3. 11.8.3 Open of file MQFADMN failed
      4. 11.8.4 No space available for PUT request
  16. Appendix A. Security APIs
    1. A.1 Client-side Java APIs
    2. A.2 Host-side APIs
  17. Appendix B. Setting up and using Keyman/VSE
    1. B.1 Keyman/VSE
    2. B.2 Installing the prerequisite programs
    3. B.3 Initial Keyman/VSE set-up
    4. B.4 Basic characteristics of RSA keys
    5. B.5 Relationship to TCP/IP utilities
    6. B.6 Keystores
    7. B.7 Using Keyman/VSE
    8. B.8 Selected Keyman/VSE functions
    9. B.9 Observation
  18. Related publications
    1. IBM Redbooks publications
    2. IBM Knowledge Center
    3. Online resources
    4. How to get IBM Redbooks publications
    5. Help from IBM
  19. Back cover

Product information

  • Title: Security on IBM z/VSE
  • Author(s): Ingo Franzki, Helmut Hellner, Antoinette Kaschner, Joerg Schmidbauer, Heiko Schnell, Klaus-Dieter Wacker
  • Release date: June 2018
  • Publisher(s): IBM Redbooks
  • ISBN: 9780738456911