Security / Adolfo Rodriguez ... [et al.].

Ebook Central Academic Complete Available online

Ebook Central College Complete Available online

Format:
Book
Contributor:
Rodriguez, Adolfo.
International Business Machines Corporation. International Technical Support Organization.
Series:
IBM redbooks.
Communications server for z/OS V1R2 TCP/IP implementation guide ; 7
Language:
English
Subjects (All):
Client/server computing.
Communications software.
TCP/IP (Computer network protocol).
z/OS.
Physical Description:
xiv, 454 p. : ill.
Edition:
4th ed.
Place of Publication:
Research Triangle Park, NC : IBM corporation, 2002.
Language Note:
English
Contents:
Front cover
Contents
Notices
Trademarks
Preface
The team that wrote this redbook
Comments welcome
Part 1 Introduction
Chapter 1. Security in a networked world
1.1 Evolution of networking
1.2 Potential problems with electronic message exchange
1.2.1 The request is not really from your customer
1.2.2 The order could have been intercepted and read
1.2.3 The order could have been intercepted and altered
1.2.4 An order is received from your customer, but he denies sending it
Chapter 2. Basic cryptography
2.1 Secret key cryptography
2.2 Public key cryptography
2.2.1 Encryption
2.2.2 Authentication
2.2.3 Public key algorithms
2.2.4 Digital certificates
2.3 Performance issues of cryptosystems
2.4 Message integrity
2.4.1 Message digest (or "hash")
2.4.2 Message authentication codes (MAC)
2.4.3 Digital signatures
Part 2 Securing z/OS with RACF
Chapter 3. UNIX System Services security
3.1 z/OS Security Server (RACF)
3.1.1 Identification and authentication
3.1.2 Alternatives to passwords
3.1.3 Checking authorization
3.1.4 Logging and reporting
3.1.5 RACF and z/OS UNIX System Services
3.2 Security in UNIX systems
3.2.1 Traditional UNIX security mechanisms
3.3 z/OS UNIX System Services security
3.3.1 UNIX level security
3.3.2 z/OS UNIX System Services level security
3.3.3 Why is z/OS UNIX System Services a more secure UNIX?
3.3.4 Access permission to HFS files and directories
3.3.5 Displaying files and directories
3.3.6 UID/GID assignment to a process
3.3.7 Defining UNIX System Services users
3.3.8 Default user
3.3.9 Superuser
3.3.10 Started task user IDs
3.3.11 FACILITY class profile BPX.SUPERUSER
3.3.12 FACILITY class profile BPX.DAEMON
3.3.13 Additional BPX.* FACILITY class profiles.
3.3.14 Programs in the Hierarchical File System
3.3.15 z/OS UNIX kernel address space
3.3.16 z/OS UNIX security considerations for TCP/IP
3.3.17 IBM-supplied daemons
3.3.18 MVS sockets server applications
3.3.19 Summary
Chapter 4. TCP/IP stack resource access
4.1 TCP/IP stack access control
4.1.1 Stack Access overview
4.1.2 Example setup
4.1.3 Transport/stack affinity
4.2 Network access control
4.2.1 Network access control overview
4.2.2 Server considerations
4.2.3 Using NETSTAT for Network Access control
4.2.4 Working example of Network Access control
4.3 Port Access control
4.3.1 The PORT/PORTRANGE SAF keyword
4.3.2 SAF keyword on FTP or any other well-known PORTs
4.3.3 Using NETSTAT to display Port Access control
4.3.4 Scenarios using port access control
Chapter 5. Operations and administration security
5.1 z/OS VARY TCPIP command security
5.1.1 RACF profile details
5.1.2 VARY TCPIP command security scenario
5.2 TSO NETSTAT and UNIX onetstat command security
5.2.1 RACF profile details
5.2.2 NETSTAT security scenario
5.2.3 Further reading
Part 3 Network security
Chapter 6. Firewall concepts
6.1 General guidelines for implementing firewalls
6.2 Firewall categories
6.2.1 Packet filtering
6.2.2 Application-level gateway
6.3 z/OS Firewall Technologies
6.4 The demilitarized zone
Chapter 7. IPSec and virtual private networks (VPN)
7.1 IPSec
7.1.1 Security Associations
7.1.2 Transmitting data with IPSec
Chapter 8. Implementing IPSec with z/OS Firewall Technologies
8.1 Introduction
8.2 Firewall enhancements
8.3 Installation planning
8.4 Installation, configuration and operation
8.5 Interoperability considerations
8.6 Sample configuration files
8.7 RACF considerations
8.7.1 Configuring TCP/IP on the firewall host.
8.8 Configuring and using the configuration server and client (GUI)
8.8.1 Simple configuration scenario
8.8.2 Configuring SSL
8.8.3 Configuring the configuration server (CFGSRV)
8.8.4 Setting up the configuration client on Windows
8.8.5 Accessing the configuration client (GUI)
8.8.6 Tunnel definition
8.8.7 FWTUNNL export file conversion from z/OS and AIX
8.8.8 On-demand dynamic tunnels scenario
Part 4 Application security
Chapter 9. Tools for application security
9.1 Secure Sockets Layer (SSL)
9.1.1 SSL protocol description
9.1.2 Certificates for SSL
9.1.3 System SSL
9.2 TLS protocol
9.3 Kerberos-based security system
9.3.1 Kerberos protocol overview
9.3.2 Inter-realm operation
9.3.3 Some assumptions
9.3.4 Kerberos implementation in z/OS
Chapter 10. Certificate management in z/OS
10.1 Digital certificates in z/OS
10.2 Digital certificate field formats
10.3 RACF RACDCERT command use
10.4 RACF keyrings
10.4.1 RACDCERT command security
10.4.2 RACDCERT command format
10.5 gskkyman command use
10.6 Client certificates
10.7 Server certificates
10.8 Self-signed certificates
10.9 Obtaining certificates
10.9.1 Self-signed certificates
10.9.2 Internal Certificate Authority (CA)
10.9.3 External Certificate Authority (CA)
10.10 Certificate locations example
10.10.1 RACF certificates
10.10.2 gskkyman HFS certificates
Chapter 11. File-related applications
11.1 z/OS FTP server
11.1.1 FTP using Transport Layer Security (TLS)
11.1.2 TLS/SSL scenarios
11.1.3 FTP using Kerberos
11.1.4 FTP and Kerberos scenario
11.2 z/OS TFTP server
11.3 z/OS NFS server
11.3.1 z/OS NFS security levels
11.3.2 Security information exchange between NFS client and server
11.3.3 Access to the HFS
11.3.4 Conclusion
Chapter 12. TN3270 security.
12.1 TN3270 SSL
12.1.1 TN3270 configuration parameters for SSL
12.1.2 Client authentication
12.1.3 TN3270 server SSL configuration scenarios
12.2 Negotiated Telnet security
12.2.1 TN3270 server parameters for negotiated security
12.2.2 TN3270 server configuration scenario
12.2.3 TN3270 client (HOD) negotiated Telnet configuration scenario
12.3 Express Logon Feature (ELF)
12.3.1 Two-tier network design
12.3.2 Three-tier network design
12.3.3 Implementing ELF in a two-tier design
12.3.4 Implementing ELF in a three-tier design
Chapter 13. UNIX remote execution applications
13.1 UNIX Telnet server security
13.1.1 Kerberized UNIX Telnet server support
13.2 UNIX System Services rlogind/rshd/rexecd
13.3 z/OS UNIX rshd Kerberos support
13.3.1 Implementing Kerberos on orshd
Chapter 14. OMPRoute security
14.1 OSPF route update messages security
14.2 OMPRoute configuration
14.2.1 The Area configuration statement
14.2.2 The OSPF_Interface configuration statement
Chapter 15. Network management applications
15.1 z/OS SNMP
15.1.1 SNMP security
15.2 z/OS Policy Agent
15.2.1 SSL with LDAP and Policy Agent
15.2.2 Considerations when opening an SSL connection
Chapter 16. HTTP Server for z/OS
16.1 HTTP Server security
16.2 Server security structure
16.3 Setting up SAF control
16.4 How to protect resources
16.4.1 Access control directives
16.4.2 Protection directives
16.5 Accessing back-end applications
16.6 SSL-related features in the IBM HTTP Server for z/OS
16.6.1 Encryption support
16.6.2 Global Server IDs
16.6.3 Crypto hardware support for SSL
16.7 SSL scenario
16.7.1 Server authentication
16.7.2 Client authentication
16.8 Associating a client certificate with a RACF user ID
16.8.1 RACF digital certificate support.
16.8.2 Install and maintain digital certificates in RACF
16.8.3 Register a certificate using RACDCERT
16.8.4 Certificate self-registration with RACF
16.8.5 Certificate name filtering
16.9 Retrieving LDAP information
16.9.1 Configuring LDAP on IBM HTTP Server
16.9.2 How to use authentication information stored in LDAP
16.9.3 Creating user entries in the z/OS LDAP server
16.10 Conclusion
Chapter 17. Utility applications
17.1 z/OS Lightweight Directory Access Protocol (LDAP)
17.1.1 Authentication with the z/OS LDAP server
17.1.2 Security of the directory
17.1.3 Using SSL communication
17.2 BIND-9 based DNS
17.2.1 TSIG
17.2.2 DNSSEC
17.2.3 Secure your DNS environment
17.3 Syslogd daemon
17.3.1 syslogd isolation
Part 5 Appendixes
Appendix A. VPN planning worksheets
Appendix B. Sample RACF definitions
B.1 RACF settings for UNIX System Services
B.2 RACF settings for TCP/IP applications
B.2.1 RACF configuration for OS/390 UNIX level security
B.2.2 RACF definitions to control the use of the TCP/IP operator commands
B.3 Required RACF definitions to get Firewall Technologies started
B.4 RACF definition to manage certificate in RACF common keyring
Appendix C. Default permissions for HFS files in z/OS UNIX
Appendix D. Digital certificate formats supported by RACDCERT
Related publications
IBM Redbooks
Other resources
Referenced Web sites
How to get IBM Redbooks
IBM Redbooks collections
Index
Back cover.
Notes:
"November 2002."
Includes bibliographical references and index.
OCLC:
842283624
