z/OS 1.6 security services update / Patrick Kappeler et al.

Format:

Book

Author/Creator:

Kappeler, Patrick.

Contributor:

International Business Machines Corporation. International Technical Support Organization.

Briggs, Jonathan.

Hänninen, Pekka.

Kritchever, Yury.

LaBelle, Peggy.

Series:

IBM redbooks.

IBM redbooks

Language:

English

Subjects (All):

Computer networks--Security measures.

Computer networks.

Operating systems (Computers).

Physical Description:

1 online resource (332 p.)

Place of Publication:

San Jose, CA : IBM, International Support Organization, c2005.

Language Note:

English

Contents:

Front cover

Contents

Figures

Notices

Trademarks

Preface

The team that wrote this redbook

Become a published author

Comments welcome

Chapter 1. Overview of z/OS Security Services

1.1 Packaging of the imbedded Security functions at z/OS 1.6

1.1.1 z/OS Cryptographic Services

1.1.2 z/OS Security Server

1.1.3 z/OS Integrated Security Services

1.1.4 Additional products

Chapter 2. RACF Security Server enhancements

2.1 z/OS UNIX System Services Security and RACF

2.2 HFS ACLs

2.2.1 Managing ACLs

2.2.2 ACLs and RACF

2.2.3 Auditing and reporting

2.2.4 Migration considerations

2.2.5 Examples of ACLs use

2.3 UNIX identity management

2.3.1 Enhancements to the OMVS RACF segment

2.4 RACF enhancements

2.4.1 PADS enhancement

2.4.2 Dynamic CDT

2.4.3 RACROUTE traces

2.5 RACF digital certificates handling enhancements

2.5.1 The PKIX standards

2.5.2 Handling of the X.509 V3 extensions

2.5.3 The RACDCERT GENCERT function

2.5.4 Hardware assistance to certificate generation

2.5.5 Certificate and key export formats

2.5.6 New default CA certificates in the RACF database

2.5.7 RACF certificate management enhancements at z/OS 1.6

2.5.8 The RACDCERT REKEY function

2.5.9 The RACDCERT ROLLOVER function

Chapter 3. Multilevel Security and RACF

3.1 An introduction to MLS

3.1.1 What is Multilevel Security

3.1.2 Why Multilevel Security

3.1.3 Access controls

3.1.4 Introduction to Mandatory Access Control

3.2 Multilevel Security in z/OS with RACF

3.2.1 SECLABELs

3.2.2 Multilevel Security in action

3.2.3 DB2 and Multilevel Security

3.2.4 Before turning on Multilevel Security

3.3 Multilevel Security vocabulary

3.4 Common criteria

3.5 More on security labels

3.5.1 Security labels and data classification policies.

3.5.2 Mandatory Access Control

3.5.3 Discretionary Access Control

3.5.4 Security levels and security categories

3.5.5 Defining security labels

3.5.6 Authorizing users to access security labels

3.5.7 Using security labels

3.5.8 Dominance

3.5.9 Security label authorization checking

3.5.10 Using system-specific security labels in a sysplex

Chapter 4. MLS as applied to TCP/IP communications

4.1 z/OS TCP/IP and the SERVAUTH class

4.1.1 Stack access control

4.1.2 Network access control

4.1.3 The notion of port of entry (POE)

4.2 The MLS networking environment

4.2.1 Some MLS basics (again)

4.3 Setting up MLS for z/OS TCP/IP communications

4.3.1 Our test configuration

4.3.2 Our test

4.4 The big theoretical picture - TCP

4.4.1 Sequence of events

Chapter 5. z/OS Integrated Security Services LDAP

5.1 Some historical data on z/OS LDAP

5.2 z/OS LDAP enhancements

5.2.1 Logging support

5.2.2 z/OS LDAP BIND support

5.2.3 LDAP access control lists

5.2.4 Enhanced groups support

5.3 Changes to LDAP operations

5.3.1 Entry UUID

5.3.2 Modify DN

5.3.3 Alias support

5.3.4 LDAP search performance improvement

5.3.5 LDAP persistent search

5.3.6 Peer-to-peer replication

5.4 Miscellaneous improvements since z/OS 1.4

5.4.1 Incorrect bind DN

5.4.2 RDBM and JNDI removal

5.4.3 SDBM backend

5.4.4 TDBM backend DB2 restart and recovery

5.5 LDAP Client - Miscellaneous improvements

5.5.1 SOCKS V5 support

5.5.2 Enhanced security functions

5.5.3 Extended processing for distinguished names

5.5.4 Extended rebind processing

Chapter 6. RACF Password Enveloping and z/OS LDAP Change Log

6.1 The overall view

6.2 Enablement of Password Enveloping in RACF

6.2.1 What this new RACF function does

6.2.2 Our setup and test

6.3 LDAP Change Notification.

6.3.1 Testing RACF Event Notification

6.3.2 Retrieving the enveloped password

Chapter 7. z/OS Enterprise Identity Mapping (EIM) in a nutshell

7.1 What Enterprise Identity Mapping is

7.1.1 The problem that is addressed

7.1.2 The benefits of the EIM approach

7.1.3 The EIM implementation concepts

7.1.4 EIM components

7.2 The EIM Domain Controller

7.2.1 Overview of EIM interactions

7.2.2 Content of the EIM Domain Controller

7.2.3 Access controls to the EIM Domain Controller and its contents

7.2.4 Setting up the LDAP directory to act as an EIM Domain controller

7.3 The EIM client

7.3.1 Using RACF profiles to keep EIM default parameters

7.4 A simple demonstration of EIM

7.4.1 The eimdemo application

7.4.2 Sample code

7.4.3 Setup of the demo environment

7.5 New EIM features at z/OS 1.6

7.5.1 Registry and domain mapping policies

7.5.2 Digital certificate registries

Chapter 8. z/OS Network Authentication Service (Kerberos)

8.1 A brief reminder on z/OS Network Authentication Service

8.2 z/OS Network Authentication Service enhancements

8.2.1 z/OS 1.2

8.2.2 Network Authentication Service enhancement at z/OS 1.4

8.2.3 Network Authentication Service enhancements in z/OS 1.6

8.3 GSS-API and krb5_ API test programs

8.3.1 Setup

8.3.2 The RACF KDC

8.3.3 The client

8.3.4 The intermediate server

8.3.5 The end-server

8.3.6 Running the test

Chapter 9. z/OS System SSL

9.1 SSL and TLS reminder

9.1.1 The SSL protocol interactions sequence

9.1.2 The sessionID re-use

9.1.3 SSL and TLS

9.1.4 SSL client authentication

9.2 z/OS System SSL

9.2.1 Packaging at z/OS 1.6

9.2.2 Exploiters of System SSL

9.2.3 System SSL history

9.3 System SSL principles of operations

9.4 z/OS System SSL and cryptography

9.4.1 Supported CipherSpecs.

9.4.2 Invocation of the hardware cryptographic coprocessors

9.5 Managing keys and certificates with gskkyman

9.5.1 A reminder

9.5.2 gskkyman enhancements at z/OS 1.4

9.5.3 gskkyman enhancements at z/OS 1.6

9.6 Managing keys and certificates with RACDCERT command

9.7 System SSL Certificate Management Services

9.7.1 Certificate database manipulation API

9.7.2 Certificate database exploitation API

9.7.3 PKCS #7 message API

9.8 System SSL diagnostics facilities

9.8.1 High-level trace

9.8.2 System SSL Component Trace

Chapter 10. z/OS OpenSSH

10.1 SSH and OpenSSH

10.2 OpenSSH

10.2.1 OpenSSH principles of operation

10.2.2 Other OpenSSH features

10.2.3 Positioning OpenSSH vs. SSL/TLS

10.3 z/OS OpenSSH implementation

10.3.1 Functions provided

10.4 z/OS OpenSSH principles of operation

10.4.1 OpenSSH configuration files

10.4.2 Server authentication

10.4.3 Client authentication

10.4.4 z/OS OpenSSH and the syslogd daemon

10.4.5 z/OS OpenSSH restrictions

10.4.6 Supported cryptographic algorithms

10.5 Installing OpenSSH on z/OS

10.5.1 Steps for migrating from downloaded versions

10.5.2 Ordering and install

10.5.3 Setting up and starting the sshd daemon

10.6 Using OpenSSH on z/OS

10.6.1 Using PuTTY with password authentication

10.6.2 Using PuTTY with public key authentication

Appendix A. EIM API demo sample code

List of the EIM APIs as of the writing of this book

Sample code to set up and run the EIM demo

Main program: eimdemo.c

eimdemo2.c

eimdemo3.c

Appendix B. Sample test programs for PADS enhancements and RACF Password Enveloping

PADS enhancement sample code

RACF Password Envelopping sample test

Related publications

IBM Redbooks

Online resources

Help from IBM

Index

Back cover.

Notes:

"July 2005."

"SG24-6448-00."

Includes index.

OCLC:

614894678