book

Security on IBM z/VSE

by Ingo Franzki Helmut Hellner Antoinette Kaschner, Joerg Schmidbauer, Heiko Schnell, Klaus-Dieter Wacker

June 2018

Intermediate to advanced

452 pages

11h 41m

English

IBM Redbooks

Read now

Unlock full access

Trademarks
AuthorsNow you can become a published author, too!Comments welcomeStay connected to IBM Redbooks
June 2018, Fourth EditionNovember 2011, Third EditionOctober 2009, Second Edition
1.1 Introducing the z/VSE parts1.1.1 Using z/VSE1.1.2 How z/VSE stores data1.2 z/VSE security features1.2.1 Online security1.2.2 Batch security1.2.3 Basic Security Manager1.2.4 Single sign-on and LDAP1.2.5 System z cryptographic solution1.2.6 CICS Web Support1.2.7 Connector security1.2.8 TCP/IP security1.2.9 Secure FTP1.2.10 Intrusion detection1.2.11 Compliance to policy
2.1 BSM concept2.1.1 System Authorization Facility2.1.2 Security files2.1.3 Security server partition2.1.4 BSM processing2.1.5 Common startup for BSM and ESM2.2 Installing and customizing BSM2.3 BSM administration2.3.1 Security system settings2.3.2 Defining a User2.3.3 Group definition2.3.4 Resource profile definition2.3.5 Batch resource administration2.3.6 Generating BSM cross-reference reports2.4 BSM auditing2.4.1 Enabling auditing for resources defined in the BSM control file2.4.2 Enabling auditing for resources defined in the DTSECTAB2.4.3 DMF setup2.4.4 BSM report writer (BSTRPWTR)2.5 BSM backups2.5.1 VSAM backups2.5.2 BSM backup and migration with BSTSAVER
3.1 LDAP and z/VSE3.2 Risks of the current situation3.3 LDAP terminology3.3.1 Overview and terms3.3.2 LDIF files3.4 z/VM LDAP server3.5 LDAP sign-on of z/VSE3.5.1 LDAP user mapping file3.5.2 Strict mode3.5.3 LDAP password cache3.6 Configure and activate LDAP sign-on support3.6.1 LDAP configuration example skeleton3.6.2 Sign on to z/VSE with active LDAP sign-on support3.7 Administering the LDAP user mapping file3.7.1 Using the Maintain LDAP user profiles dialog3.8 LDAP sample setup3.8.1 Modifying the LDAP configuration phase3.8.2 Mapping an intranet user ID to a z/VSE user ID3.8.3 Modifying the TCP/IP setup3.8.4 Setting up for SSL3.8.5 Observations
4.1 Cryptography introduction4.1.1 Modern cryptography4.1.2 Encryption modes4.1.3 Verifying the identity of communication partners4.1.4 Ensuring data integrity4.1.5 Secure Sockets Layer and Transport Layer Security4.1.6 Use of certificates4.1.7 Comparison of key sizes4.1.8 Password-based encryption4.1.9 Public key encryption4.2 Configuring cryptographic hardware4.2.1 Hardware overview4.2.2 Planning your crypto configuration4.2.3 Configuring LPAR activation profile4.2.4 CPC cryptographic configuration4.2.5 LPAR cryptographic configuration4.2.6 Hardware crypto device driver in z/VSE4.2.7 Disabling a crypto device4.2.8 Cryptography for guests on z/VM4.2.9 Cryptography when using an external security manager4.2.10 Changing the status of hardware-based encryption4.2.11 AP-queue Adapter Interruption Facility4.3 Hardware-based tape encryption with z/VSE4.3.1 Encrypting data4.3.2 Decrypting data4.3.3 z/VSE considerations4.3.4 Hardware and software requirements4.3.5 Writing and reading encrypted data in z/VSE4.3.6 Recognizing an encrypted tape4.3.7 More information about using hardware-based tape encryption4.4 Example of TS1120 installation4.4.1 Installing the prerequisite programs4.4.2 Setting up the TS11204.4.3 Setting up the EKM4.4.4 z/VSE considerations4.4.5 Observations4.5 Software-based encryption with Encryption Facility for z/VSE V1R14.5.1 Performance considerations4.5.2 Password-based encryption4.5.3 Public key encryption4.6 Software-based encryption with Encryption Facility for z/VSE V1R24.6.1 Prerequisites4.6.2 Differences in Encryption Facility between z/VSE V1R1 and V1R24.6.3 Downloading the prerequisite programs4.6.4 Usage hints4.6.5 Flexible support of record and stream data4.6.6 Considerations on compression4.6.7 Password-based encryption4.6.8 Public key encryption4.6.9 Advanced encryption options4.6.10 Observation4.7 z/VSE Navigator GUI for Encryption Facility
5.1 Generating the server key and certificates5.1.1 Defining the properties of the z/VSE system5.1.2 Creating the z/VSE key and certificates5.2 SSL setup for Java-based connector5.2.1 Setting up z/VSE Connector Server for SSL5.2.2 Setting up z/VSE Navigator for SSL5.2.3 Connecting to z/VSE by using SSL server authentication5.2.4 Considerations with client authentication5.2.5 Using encryption with AES-2565.3 SSL setup for web browsers5.3.1 Setting up SSL native mode with HTTPD5.3.2 Considerations on $WEB user5.3.3 Connecting to HTTPD by using a web browser5.3.4 Configuring ciphers in Internet Explorer5.4 Debugging SSL/TLS connections5.4.1 Tracing on z/VSE5.4.2 Tracing in Java
6.1 Introduction6.2 Setting up CWS6.2.1 Defining the TCP/IP service6.2.2 Connecting to CWS6.3 Setting up secure CWS6.3.1 Configuring the TCP/IP service for SSL6.3.2 Configuring the CICS system initialization parameters6.3.3 Configuring OpenSSL6.4 Client setup with Mozilla Firefox6.4.1 Importing the z/VSE certificates during session establishment6.4.2 Manually importing the z/VSE certificates into Firefox6.4.3 Configuring cipher suites in Firefox6.4.4 Starting a secure session with Firefox6.4.5 Displaying SSL properties in Mozilla Firefox6.5 Client setup with Microsoft Internet Explorer6.5.1 Importing the z/VSE certificates during session establishment6.5.2 Manually importing the z/VSE certificates into Internet Explorer6.5.3 Configuring cipher suites in Internet Explorer6.5.4 Starting a secure session with Internet Explorer6.6 Setting up for client authentication6.6.1 Using Internet Explorer6.6.2 Client authentication with user ID mapping6.7 Observations6.7.1 Abend AKEA in DFHSOSE6.7.2 Abend code x'080C' in module DFHSOSE

7.1 Java-based connector security7.1.1 Security features of the Java-based connector7.2 z/VSE script connector security7.2.1 Security features of the z/VSE script connector7.2.2 Non-SSL setup with client on workstation7.2.3 Non-SSL setup with a client on z/VSE7.2.4 General SSL setup7.2.5 SSL setup with client on z/VSE7.2.6 Observations7.2.7 Debugging hints7.3 Web service security when using SOAP7.3.1 Transport Layer Security and message layer security7.3.2 Web service security features with z/VSE as the SOAP server7.3.3 Web service security features with z/VSE as the SOAP client7.4 z/VSE Database Connector (DBCLI)7.4.1 z/VSE DBCLI security features
8.1 TCP/IP security concept8.1.1 Control the security functions with the SECURITY command8.2 Defining user IDs8.2.1 Explicitly defining user IDs8.3 Security exit points and security managers8.3.1 Flow of a security request8.3.2 Using Basic Security Manager with TCP/IP
9.1 Introduction9.2 Setting up a Telnet daemon, TELNETD9.3 z/VSE host setup for secure Telnet9.3.1 Setting up pass-through mode with a TLSD9.3.2 Setting up SSL native mode9.3.3 Setting up a Telnet listener daemon9.4 Client setup with Personal Communications9.4.1 Importing the z/VSE certificates into Personal Communications9.4.2 Starting a secure session9.4.3 Setting up for client authentication9.4.4 Taking a Personal Communications trace9.5 Client setup with Attachmate EXTRA! X-treme9.5.1 Importing certificates into the Windows certificate store9.5.2 Attachmate EXTRA! session setup9.5.3 Viewing the log9.5.4 Setting up for client authentication
10.1 Introduction10.2 z/VSE as FTP server10.2.1 Set up and start the z/VSE FTP server10.2.2 z/VM considerations10.2.3 Connect to z/VSE by using an FTP client10.2.4 Transferring the certificate to the client side10.3 z/VSE as FTP client10.3.1 Sample setup with FileZilla server10.3.2 Sample setup with vsftpd server on Linux10.4 Considerations for firewalls10.4.1 Passive versus active FTP mode10.4.2 Restricting the port range on the server side10.4.3 Restricting the port range on the client side10.4.4 Considerations on the DATAPORT parameter10.4.5 Firewall configuration10.5 Observations10.5.1 Cannot submit a VSE/POWER job with Keyman/VSE10.5.2 SSL handshaking fails
11.1 Introduction11.2 Installing WebSphere MQ11.2.1 MQ installation on z/VSE11.2.2 Maintaining security profiles11.2.3 MQ installation on Windows11.3 Configuring WebSphere MQ11.3.1 MQ configuration on z/VSE11.3.2 MQ configuration on Windows11.3.3 Testing the setup11.4 Configuring for SSL11.4.1 Creating the keys and certificates11.4.2 SSL configuration on z/VSE11.4.3 SSL configuration on Windows11.5 Implementing SSL client authentication11.5.1 Configuring for client authentication on z/VSE11.5.2 Configuring for client authentication on Windows11.6 Using SSL peer attributes11.6.1 Example 1: Specifying matching peer attributes11.6.2 Example 2: Specifying peer attributes that do not match11.7 Configuring a z/VSE queue manager remotely11.7.1 What you can do remotely11.7.2 Preparing the z/VSE side for PCF11.7.3 Defining more queues11.7.4 Defining the MQ Explorer reply model queue11.7.5 Defining a server-connection channel11.7.6 Defining a remote queue manager11.7.7 Exchanging test messages11.7.8 Defining SSL11.8 Observations11.8.1 Message sequence number error11.8.2 RC=2092 when sending a test message to Windows11.8.3 Open of file MQFADMN failed11.8.4 No space available for PUT request
A.1 Client-side Java APIsA.2 Host-side APIs
B.1 Keyman/VSEB.2 Installing the prerequisite programsB.3 Initial Keyman/VSE set-upB.4 Basic characteristics of RSA keysB.5 Relationship to TCP/IP utilitiesB.6 KeystoresB.7 Using Keyman/VSEB.8 Selected Keyman/VSE functionsB.9 Observation
IBM Redbooks publicationsIBM Knowledge CenterOnline resourcesHow to get IBM Redbooks publicationsHelp from IBM

Overview

Abstract

One of a firm’s most valuable resources is its data: client lists, accounting data, employee information, and so on. This critical data must be securely managed and controlled, and simultaneously made available to those users authorized to see it.

The IBM® z/VSE® system features extensive capabilities to simultaneously share the firm’s data among multiple users and protect them. Threats to this data come from various sources. Insider threats and malicious hackers are not only difficult to detect and prevent, they might be using resources with the business being unaware.

This IBM Redbooks® publication was written to assist z/VSE support and security personnel in providing the enterprise with a safe, secure and manageable environment.

This book provides an overview of the security that is provided by z/VSE and the processes for the implementation and configuration of z/VSE security components, Basic Security Manager (BSM), IBM CICS® security, TCP/IP security, single sign-on using LDAP, and connector security.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9780738456911Purchase book

Security on IBM z/VSE

by Ingo Franzki Helmut Hellner Antoinette Kaschner, Joerg Schmidbauer, Heiko Schnell, Klaus-Dieter Wacker

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like