SECURITY & COMPLIANCE CONFERENCE 2016

Protecting JES Resources with RACF

Tony Nix
Professional Services Consultant, Vanguard Integrity Professionals

BTB-5


VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

©2016 Vanguard Integrity Professionals, Inc. 2

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization's internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada: Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/Token, Vanguard Tokenless Authenticator, Vanguard ez/PIV Card Authenticator, Vanguard ez/Integrator, Vanguard ez/SignOn, Vanguard ez/Password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University.

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both: CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF.

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.

Session Topics

• Job Control Overview
• Security Tokens
• Controlling Task Input
• Controlling Task Output
• Controlling Access to JES SPOOL Data
• Controlling NJE Security
• Working with the “node” qualifier value

RACF® Related Classes

Which RACF class applies depends on where work enters MVS/JES and where it leaves:

• Input (batch jobs, TSO SUBMIT, RJE/RJP readers, NJE): JESJOBS, JESINPUT, NODES, SURROGAT, PROPCNTL, FACILITY
• Commands: OPERCMDS, CONSOLE, JESINPUT, SDSF
• Output (SPOOL/SYSOUT going to RJE/RJP, NJE, line and PSF printers): WRITER, JESSPOOL

Scope of JES Security

• JES Input Processing
  – SETR JES(EARLYVERIFY): verify the user and password while the job is read in, rather than waiting until it is selected for execution. Current JES2 and JES3 levels verify during input processing regardless of this option, so it is mostly of historical interest; check the SETROPTS description for your level.
• JES Conversion Processing
• JES Execution Processing
• JES Output Processing
• JES Purge Processing

Input and Output Controls

• Input Controls
  – Allow control of job names (JESJOBS)
  – Allow control of who can use which job classes (JESJOBS JOBCLASS profiles, switched on by FACILITY profiles)
  – Allow control of who can enter jobs from where (JESINPUT/NODES)
  – Allow control of surrogate submission (SURROGAT)
  – Allow control of propagating a userid (PROPCNTL)
• Output Controls
  – Allow control of who can send SYSOUT where (WRITER)
  – Allow control of who can access SYSOUT on the spool (JESSPOOL)

Security Tokens

• Associated with a task during input services
  – Identifies the submitter of the task
  – Identifies the owner of the task
  – Identifies the owner of all resources associated with the task (SYSIN, SYSOUT)
• Transportable: not associated with a particular address space, so it travels with the job and its SYSOUT, including across NJE

Security Tokens

The three tokens and where JES uses them:

• STOKEN (job submitter): captured when the job arrives on the JES input queue
• UTOKEN (job owner): the identity the job runs under during processing
• RTOKEN (resource owner): carried with each SYSIN/SYSOUT data set on the JES output queue

Token Format

The token carries two identities plus flags:

• Owner: USERID, GROUP, EX-NODE (execution node), POE (port of entry)
• Submitter: USERID, GROUP, SUB-NODE (submitting node)
• Flags etc.: Surrogate, Privileged, Trusted, Internal/External, Session Type

Who is the Submitter?

• The UTOKEN of the submitting job or user (for example a TSO user issuing SUBMIT) becomes the STOKEN, the submitter token, of the job being submitted
• ???????? as the submitter means an unknown NJE user
• ++++++++ as the submitter means an unknown local user
• For NJE jobs the submitter userid may first be translated by a NODES profile

Who is the Job Owner?

The owner identity comes from one of three places: USER= on the JOB statement, a userid propagated from the submitter through the internal reader, or nothing at all (an undefined user). JES input services pass it to RACF with RACROUTE REQUEST=VERIFY (or VERIFYX), which builds the ACEE and the UTOKEN holding the owner's userid and groupid.

SETR JES(BATCHALLRACF) requires every batch job to run under a RACF-defined userid, coded or propagated; a job that would otherwise run as an undefined user fails instead.

Determining the Job's Owner

                                        Internal Reader          Local Devices     RJE/RJP Devices
USER / PASSWORD coded on Job Statement  Coded value              Coded value       Coded value
USER / PASSWORD not coded on Job        Submitting user ID is    ++++++++          ????????
Statement                               propagated               (unknown user)    (unknown user)

Preventing JES Propagation

Scenario: the CICS region runs as started task CICSPRD and submits jobs through the internal reader on behalf of CICS users (here transaction TRNA, run by user ARTM). Whether the JOB statement names the region explicitly or carries no USER= at all, the job runs as CICSPRD, because JES propagates the submitting address space's userid when none is coded:

  //TRNA JOB acctnum,USER=CICSPRD
  //TRNA JOB acctnum,

A PROPCNTL profile named for the submitting userid stops the propagation. A job submitted from CICSPRD without USER= then no longer inherits the region's identity; it must identify itself (USER=/PASSWORD=, or a SURROGAT arrangement), otherwise it is treated as an undefined user and, with SETR JES(BATCHALLRACF), fails.

  SETR CLASSACT(PROPCNTL)
  RDEF PROPCNTL CICSPRD UA(NONE)
  SETR RACLIST(PROPCNTL)

PROPCNTL profiles are used only from the RACLISTed copy, so the class must be RACLISTed and SETR RACLIST(PROPCNTL) REFRESH issued after every change.

Control of Job Submission

For every //Jobname JOB . . . statement that reaches it, JES asks three questions: which jobs (the job name), from whom (submitter and owner), and from where (port of entry and node).

Steps to Protect Job Input

1. Decide job name standards
2. Decide what jobs are to be restricted
3. Decide who is allowed to submit each job, and from where
4. Define profiles: JESJOBS, JESINPUT, FACILITY, SURROGAT
5. Activate the classes and test

Controlling Job Names – JESJOBS

Job name control based on "who" and "from where". When //VANPAY1 JOB . . . enters the system, JES checks the JESJOBS class:

  SUBMIT.node.jobname.owner   UACC / access list   (READ needed by the submitter)
  CANCEL.node.owner.jobname   UACC / access list   (ALTER needed by the user cancelling)

JESJOBS is a "nasty class" (RC=8): once the class is active, a job whose name is not covered by any profile fails, so a backstop profile must exist before activation.

Issue SETR GENERIC(JESJOBS) GENCMD(JESJOBS) before defining any profiles; otherwise the generic characters in the names above are stored literally.

Defining JESJOBS Class Profiles

• To allow only the PAYROLL group to submit any VANPAY job from node LVPROD:

  RDEF JESJOBS SUBMIT.LVPROD.VANPAY*.* UACC(NONE)
  PERMIT SUBMIT.LVPROD.VANPAY*.* CL(JESJOBS) ID(PAYROLL) AC(READ)

• To allow only KAREN to cancel any VANPAY job from LVPROD:

  RDEF JESJOBS CANCEL.LVPROD.*.VANPAY* UACC(NONE)
  PERMIT CANCEL.LVPROD.*.VANPAY* CL(JESJOBS) ID(KAREN) AC(ALTER)

• To allow anyone to submit all other jobs:

  RDEF JESJOBS ** UACC(READ)

READ satisfies SUBMIT, but CANCEL needs ALTER, so this backstop does not let users cancel other users' jobs. Cover cancellation of a user's own jobs with the GLOBAL JESJOBS entries shown later, or with a CANCEL.** profile whose access list you control.

Controlling Job Class – JESJOBS

JESJOBS profiles determine who can use a certain job class. FACILITY profiles determine who is checked: the submitter, the owner, or nobody.

When //VANPAY1 JOB . . . with // CLASS=X enters, JES checks the JESJOBS profile

  JOBCLASS.node.jobclass.jobname   UACC / access list

and whether, and for whom, that check is made depends on the existence of the FACILITY profiles

  JES.JOBCLASS.OWNER       (UACC not used; check the job owner)
  JES.JOBCLASS.SUBMITTER   (UACC not used; check the submitter)

JESJOBS is a "nasty class" (RC=8): with a switch profile present, a job class not covered by any JOBCLASS profile fails.

Defining JESJOBS JOB Class Profiles

User PETERR submits a CLASS=X job named PETERRA with USER=BOB in the JOB statement. The local node is VANLV. Because PETERR is submitting for another user without a password, the SURROGAT profile BOB.SUBMIT is checked first.

If there is a JES.JOBCLASS.OWNER profile in the FACILITY class, a check is made whether user BOB (the owner) has READ access to the JESJOBS profile. If there is a JES.JOBCLASS.SUBMITTER profile in the FACILITY class, the same check is made for user PETERR (the submitter). If both FACILITY profiles exist, PETERR and BOB must both have READ access to the JESJOBS profile:

  RDEF JESJOBS JOBCLASS.VANLV.X.PETERRA OWNER(SECADMN) UACC(NONE)
  PE JOBCLASS.VANLV.X.PETERRA CLASS(JESJOBS) ID(BOB) ACC(R)
  PE JOBCLASS.VANLV.X.PETERRA CLASS(JESJOBS) ID(PETERR) ACC(R)

Note: the FACILITY class profiles are basically ON/OFF switches; their UACC and access lists are not consulted, only their existence.

Defining JESJOBS JOB Class Profiles

• You probably want to define a backstop profile to allow all users access to all job classes.
• Then define profiles to limit certain classes.
• If JESJOBS was not previously active, be sure to define SUBMIT.** and/or CANCEL.** before activating the class. Remember JESJOBS is a “nasty” class.
• Create the FACILITY class switch profiles after the JESJOBS profiles, so the job-class check never starts before its backstop exists.

  RDEF JESJOBS JOBCLASS.** OWNER(SECADMN) UACC(READ)
  RDEF JESJOBS JOBCLASS.*.P.* OWNER(SECADMN) UACC(NONE)
  PE JOBCLASS.*.P.* CLASS(JESJOBS) ID(PRODJOBS) ACC(R)

Defining GLOBAL JESJOBS Profile

• Optional: define a GLOBAL JESJOBS profile to allow users to submit and cancel their own jobs without RACF reading a JESJOBS profile or creating specific SMF records:

  RDEF GLOBAL JESJOBS ADDMEM( +
    CANCEL.*.&RACUID.*/ALTER +
    SUBMIT.*.*.&RACUID/READ +
    SUBMIT.*.&RACUID.&RACUID/READ)

• Global access checking for the class is switched on with SETR GLOBAL(JESJOBS) and must be refreshed after every change to the table.
• A global entry is honoured before any JESJOBS profile is looked at. SUBMIT.*.*.&RACUID/READ therefore lets a user submit any job name under their own userid; a restriction such as SUBMIT.LVPROD.VANPAY*.* then only bites for jobs owned by someone else. Leave that entry out if job names must be restricted for users' own jobs as well.

Port-of-Entry Control – JESINPUT Class

JESINPUT profiles are named after the port of entry (POE) a job came in through, and the submitter needs READ to it. POE names by device type:

  DEVICE             JES2 POE NAME        JES3 POE NAME
  JES reader         RDRnn                JNAME of reader
  Disk reader        n/a                  DR member name
  RJE/RJP reader     Rnnnn.RDn            Workstation name
  NJE reader         Adjacent nodename    NJERDR
  Dump Job           n/a                  DUMPJOB
  Spool Offload      OFFn.JR              n/a
  Internal Reader    INTRDR               INTRDR
  TSO SUBMIT         INTRDR               INTRDR
  Started tasks      STCINRDR             STCINRDR
  TSO logons         TSUINRDR             TSO terminal name

To allow only the PAYROLL group to enter jobs through reader 1 of JES2 remote 124, and everyone through every other port of entry:

  RDEF JESINPUT R124.RD1 UACC(NONE)
  PE R124.RD1 CL(JESINPUT) ID(PAYROLL) AC(READ)
  RDEF JESINPUT ** UA(READ)

JESINPUT is a "nasty class" (RC=8): with the class active, a job from a POE that no profile covers fails, so define the ** backstop before activating.

Surrogate Job Submission

JACK submits //jobname JOB USER=JILL without PASSWORD=. JES looks in the SURROGAT class for the profile JILL.SUBMIT; JACK needs READ to it, otherwise the job fails:

  RDEF SURROGAT JILL.SUBMIT OWNER(SECADMN) UACC(NONE)
  PE JILL.SUBMIT CLASS(SURROGAT) ID(JACK) AC(READ)

The job then runs as JILL (the owner), while the token still records JACK as the submitter.

Steps to Protect Job Output

1. Decide which printers to protect
2. Decide who can use which printers
3. Decide who can view or purge other users' spool data
4. Define profiles: WRITER, JESSPOOL
5. Activate the classes and test

Printer Access – WRITER Class

WRITER profile names are built from the JES subsystem name and the device name JES knows the printer by (JES2: PRT(n) in the initialization parameters; JES3: DEVICE JNAME=):

  jesx.LOCAL.devn       UACC / access list   (local printers)
  jesx.RJE.devn         UACC / access list   (JES2 remote printers; JES3 uses RJP in place of RJE)

WRITER is a "nasty class" (RC=8): with the class active, output for a printer that no profile covers fails, so define a backstop before activating.

Defining WRITER Class Profiles

• To allow only the PAYROLL group to use local printer PRT45:

  RDEF WRITER JES%.LOCAL.PRT45 UACC(NONE)
  PE JES%.LOCAL.PRT45 CL(WRITER) ID(PAYROLL) AC(READ)

• To allow only the PAYROLL group to use the remote printer R5:

  RDEF WRITER JES%.RJE.R5 UACC(NONE)
  PE JES%.RJE.R5 CL(WRITER) ID(PAYROLL) AC(READ)

• To allow all users to use all other printers:

  RDEF WRITER JES%.*.** UACC(READ)

JES% matches any one-character subsystem suffix, so the same profile serves JES2 and JES3.

Access Control to SYSOUT – JESSPOOL

Every data set on the JES SPOOL is identified to RACF by a six-qualifier name:

  node.user.jobname.job#.Dsid.dsname   UACC / access list

where user is the job's owner, job# the JES job identifier and Dsid the spool data set identifier.

JESSPOOL is a "nasty class" (RC=8): with the class active, a request for spool data that no profile covers fails, so define a backstop before activating.

Access to SYSOUT

  Requirement                                                     Auth.   JESSPOOL Profile Name
  Allow viewing of CAROL's data for the ACCOUNT job on LVPROD     READ    LVPROD.CAROL.ACCOUNT.**
  Allow deletion of all spool data for the BACKUP job on LVPROD   ALTER   LVPROD.*.BACKUP.**
  Allow only FRANK to use the TSO RECEIVE command for the         ALTER   LVPROD.FRANK.BLKMAIL.*.*.MAILDATA
  BLKMAIL job, MAILDATA data set on LVPROD
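The input and spool checks on slides 17 through 29 are easier to reason about if you can replay them against a profile set before a nasty class is activated. The Python below is an added example, not code from the Vanguard deck or from IBM: it models RACF generic matching (%, *, **), a most-specific-profile rule, the GLOBAL table with &RACUID, access-list and UACC resolution and the deck's nasty-class behaviour, and then runs the JESJOBS SUBMIT/CANCEL, JOBCLASS with FACILITY switches, SURROGAT and JESSPOOL checks over the profiles from slides 18, 20 to 22, 24 and 29. Everything is placed on the single node LVPROD; the users MALLORY, AUDIT and OPER1 and the SURROGAT permit letting PETERR submit as BOB are assumptions for the demonstration, and the rules are a model of documented RACF behaviour, not RACF itself.

```python
import re
from dataclasses import dataclass, field

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
# "Nasty" classes (deck, slides 17-28): class active and no matching profile = the request fails.
NASTY_CLASSES = {"JESJOBS", "JESINPUT", "WRITER", "JESSPOOL"}

def generic_to_regex(profile):
    """% = one character, * = any characters within one qualifier, ** = any number of
    qualifiers (so "A.**" also covers plain "A"); everything else is literal."""
    sub = {".**": r"(\..*)?", "**": ".*", "*": "[^.]*", "%": "[^.]"}
    body = re.sub(r"\.\*\*|\*\*|\*|%|\.|[^*%.]+",
                  lambda m: sub.get(m.group(), re.escape(m.group())), profile)
    return re.compile("^" + body + "$")

def specificity(profile):
    """Sort key approximating RACF's most-specific-profile rule: literal < % < * < **."""
    rank = {"%": 1, "*": 2, "\x03": 3}
    return tuple(rank.get(c, 0) for c in profile.replace("**", "\x03"))

@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)      # userid or group -> access

@dataclass
class Racf:
    classes: dict = field(default_factory=dict)  # class -> {name: Profile}; key present = class active
    groups: dict = field(default_factory=dict)   # userid -> set of connected groups
    glob: dict = field(default_factory=dict)     # GLOBAL table: class -> [(entry, access)]

    def rdef(self, cls, name, uacc="NONE", **acl):
        """RDEFINE plus any PERMITs in one call (acl: userid or group -> access)."""
        self.classes.setdefault(cls, {})[name] = Profile(name, uacc, dict(acl))

    def authorized(self, cls, resource, userid, required):
        """Model of RACROUTE REQUEST=AUTH: returns (allowed, reason)."""
        if cls not in self.classes:
            return True, "class not active"
        for entry, access in self.glob.get(cls, []):      # GLOBAL table first; on a hit
            if (generic_to_regex(entry.replace("&RACUID", userid)).match(resource)   # no profile
                    and ACCESS[access] >= ACCESS[required]):                        # is read at all
                return True, "GLOBAL " + entry
        hits = [p for p in self.classes[cls].values() if generic_to_regex(p.name).match(resource)]
        if not hits:
            return cls not in NASTY_CLASSES, "no matching profile"
        best = min(hits, key=lambda p: specificity(p.name))
        if userid in best.acl:                             # a user entry outranks group entries
            granted = ACCESS[best.acl[userid]]
        else:
            via_groups = [ACCESS[a] for g, a in best.acl.items() if g in self.groups.get(userid, set())]
            granted = max(via_groups) if via_groups else ACCESS[best.uacc]
        return granted >= ACCESS[required], best.name

def submit_checks(db, node, jobname, jobclass, owner, submitter):
    """Input-time checks in the deck's order: SURROGAT when USER= names someone else,
    JESJOBS SUBMIT, then JOBCLASS for owner and/or submitter as the FACILITY switches say."""
    steps = []
    if owner != submitter:
        steps.append(("SURROGAT", *db.authorized("SURROGAT", f"{owner}.SUBMIT", submitter, "READ")))
    steps.append(("SUBMIT", *db.authorized("JESJOBS", f"SUBMIT.{node}.{jobname}.{owner}", submitter, "READ")))
    switches, res = db.classes.get("FACILITY", {}), f"JOBCLASS.{node}.{jobclass}.{jobname}"
    if "JES.JOBCLASS.OWNER" in switches:
        steps.append(("JOBCLASS/owner", *db.authorized("JESJOBS", res, owner, "READ")))
    if "JES.JOBCLASS.SUBMITTER" in switches:
        steps.append(("JOBCLASS/submitter", *db.authorized("JESJOBS", res, submitter, "READ")))
    return all(ok for _, ok, _ in steps), steps

def cancel_check(db, node, owner, jobname, who):
    """CANCEL.node.owner.jobname needs ALTER, so a UACC(READ) backstop does not cover it."""
    return db.authorized("JESJOBS", f"CANCEL.{node}.{owner}.{jobname}", who, "ALTER")

def spool_check(db, node, owner, jobname, jobid, dsid, dsname, who, required):
    """JESSPOOL resource name: node.userid.jobname.jobid.dsid.dsname (slide 28)."""
    return db.authorized("JESSPOOL", f"{node}.{owner}.{jobname}.{jobid}.{dsid}.{dsname}", who, required)

def build_sample_db(backstop=True, global_entries=True):
    """Profiles from slides 18, 20-22, 24 and 29, all placed on the one node LVPROD (assumed)."""
    db = Racf(groups={"KAREN": {"PAYROLL"}})
    db.rdef("JESJOBS", "SUBMIT.LVPROD.VANPAY*.*", PAYROLL="READ")
    db.rdef("JESJOBS", "CANCEL.LVPROD.*.VANPAY*", KAREN="ALTER")
    db.rdef("JESJOBS", "JOBCLASS.LVPROD.X.PETERRA", BOB="READ", PETERR="READ")
    db.rdef("FACILITY", "JES.JOBCLASS.OWNER")          # switch: check the job owner
    db.rdef("FACILITY", "JES.JOBCLASS.SUBMITTER")      # switch: check the submitter
    db.rdef("SURROGAT", "BOB.SUBMIT", PETERR="READ")   # assumed: PETERR may submit as BOB
    db.rdef("JESSPOOL", "LVPROD.CAROL.ACCOUNT.**", AUDIT="READ")   # slide 29; AUDIT, OPER1 assumed
    db.rdef("JESSPOOL", "LVPROD.*.BACKUP.**", OPER1="ALTER")
    if backstop:                                       # without these JESJOBS fails every unmatched job
        db.rdef("JESJOBS", "JOBCLASS.**", uacc="READ")
        db.rdef("JESJOBS", "**", uacc="READ")
    if global_entries:                                 # slide 22
        db.glob["JESJOBS"] = [("CANCEL.*.&RACUID.*", "ALTER"), ("SUBMIT.*.*.&RACUID", "READ"),
                              ("SUBMIT.*.&RACUID.&RACUID", "READ")]
    return db
```

Two results are worth noticing when you run it. With the slide 22 GLOBAL entries in place, MALLORY can submit VANPAY1 under her own userid although she is not in PAYROLL, because the global entry is honoured before the SUBMIT.LVPROD.VANPAY*.* profile is ever consulted; drop the global entries and the same submission is denied. And the ** backstop with UACC(READ) lets anyone submit other jobs but still denies a CANCEL of someone else's job, which needs ALTER, while build_sample_db(backstop=False, global_entries=False) shows the nasty-class failure for a job name no profile covers.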

Steps to Protect NJE

1. Decide whether to control jobs, SYSOUT, or both
2. Decide whether to control inbound work, outbound work, or both
3. Decide whose work is sent and received
4. Define profiles: WRITER, NODES
5. Activate the classes, RACLIST them, and test

NJE – WRITER and NODES Class

  Work     To control sending: WRITER class         To control receipt: NODES class
           (profile names the target node)          (profile names the sending node)
  JOBS     JES%.NJE.node                            node.USERJ.userid, node.GROUPJ.groupid
  SYSOUT   JES%.NJE.node                            node.USERS.userid, node.GROUPS.groupid

Controlling Outgoing Jobs and SYSOUT

NANCY submits // ..... JOB USER=NANCY at ORANGE (submitting node) for execution at VEGAS (execution node), with Nancy's output printed on PRT1 at DALLAS (output node). NANCY has a USER profile in the RACF database of each node, and every node that sends work checks its own WRITER profile:

• WRITER class profile at ORANGE: JES%.NJE.VEGAS with NANCY(READ), to send the job to VEGAS
• WRITER class profile at VEGAS: JES%.NJE.DALLAS with NANCY(READ), to send the SYSOUT to DALLAS
• WRITER class profile at DALLAS: JES%.LOCAL.PRT1 with NANCY(READ), to print Nancy's output

Controlling Entry of Jobs – NODES Class

Same job: NANCY submits // ..... JOB USER=NANCY at ORANGE (submitting node), it executes at VEGAS (execution node) and prints at DALLAS (output node). Every node that receives work checks its own NODES profile, named for the node the work arrives from, against its RACF database holding NANCY's USER profile:

• NODES class profile at VEGAS: ORANGE.USERJ.NANCY, to accept Nancy's job from ORANGE
• NODES class profile at DALLAS: VEGAS.USERS.NANCY, to accept Nancy's SYSOUT from VEGAS

NODES Class Profile – UACC

  Requirement                                              Regard for sending node/user ID   Needed UACC
  No need to re-verify password on incoming jobs           TRUSTED                           CONTROL / UPDATE
  (no password needed)
  Re-verify user ID and password on incoming jobs          SEMI-TRUSTED                      READ
  (password needed)
  No jobs accepted from node/user/group                    UNTRUSTED                         NONE

USERID Translation

RICKY submits // ..... JOB at ORANGE (submitting node); it executes at VEGAS (execution node) and prints back at ORANGE (output node). RICKY has a user profile in ORANGE's RACF database, LUCY in VEGAS's.

• Leaving ORANGE the token reads USERID=RICKY, SUSER=RICKY.
• At VEGAS the NODES profile translates the owner RICKY to LUCY, so the job runs as LUCY; the submitter field stays RICKY:

  RDEF NODES ORANGE.USERJ.RICKY UA(UPDATE) ADDMEM(LUCY)

  The SYSOUT leaves VEGAS with USERID=LUCY, SUSER=RICKY.
• Back at ORANGE the NODES profile translates the SYSOUT owner to the submitting user, &SUSER = RICKY, so Ricky's output is his again:

  RDEF NODES VEGAS.USERS.* UA(UPDATE) ADDMEM(&SUSER)

  At ORANGE the token reads USERID=&SUSER = RICKY, SUSER=RICKY.

UA(UPDATE) on both profiles marks the sending node as trusted, so no password is re-verified for the translated userid; the submitter recorded in the token is what makes the &SUSER round trip possible.
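To see how the WRITER and NODES checks on slides 31 through 35 act on the token as a job crosses nodes, here is an added Python model; it is not code from the deck, from Vanguard or from IBM. It carries the owner and submitter identities across the network, applies the sending node's WRITER profile, the receiving node's NODES profile with the slide 34 UACC meanings, and ADDMEM translation including &SUSER, then replays the RICKY/LUCY scenario from slide 35 in a two-node network. The users MALLORY and EVE, the JES2 subsystem name used in the WRITER resource names, and the choice to treat a node/user with no NODES profile as UACC(READ) are assumptions of the model; check the JES and RACF documentation for your level for the real default.

```python
import re
from dataclasses import dataclass, field

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
# NODES UACC meanings from slide 34.
TRUST = {"NONE": "REJECT", "READ": "VERIFY_PASSWORD", "UPDATE": "ACCEPT", "CONTROL": "ACCEPT"}
DEFAULT_NODES_UACC = "READ"   # assumed for this model when no NODES profile matches; the deck does not say

@dataclass
class Token:
    """The part of the security token that crosses the network."""
    userid: str    # owner; this is what NODES translation rewrites
    suser: str     # submitter; carried unchanged so &SUSER can restore it
    subnode: str   # node the work is arriving from

def qual_match(profile, resource):
    """Qualifier-by-qualifier compare: * stands for a whole qualifier, % for one character."""
    p, r = profile.split("."), resource.split(".")
    return len(p) == len(r) and all(
        pq == "*" or re.fullmatch("".join("." if c == "%" else re.escape(c) for c in pq), rq)
        for pq, rq in zip(p, r))

def best_profile(profiles, resource):
    """Most specific match = fewest wildcard qualifiers and characters."""
    hits = [n for n in profiles if qual_match(n, resource)]
    return min(hits, key=lambda n: n.count("*") + n.count("%")) if hits else None

@dataclass
class JesNode:
    name: str
    writer: dict = field(default_factory=dict)   # WRITER profile -> {userid: access, "UACC": access}
    nodes: dict = field(default_factory=dict)    # NODES profile -> (uacc, addmem or None)

    def may_send(self, token, resource):
        """WRITER check (READ) before work leaves this node or goes to a local printer.
        WRITER is a nasty class: no matching profile means the request fails."""
        prof = best_profile(self.writer, resource)
        if prof is None:
            return False
        acl = self.writer[prof]
        return ACCESS[acl.get(token.userid, acl.get("UACC", "NONE"))] >= ACCESS["READ"]

    def receive(self, token, kind):
        """NODES check for inbound work, kind 'J' (job) or 'S' (SYSOUT): (decision, translated token)."""
        prof = best_profile(self.nodes, f"{token.subnode}.USER{kind}.{token.userid}")
        uacc, addmem = self.nodes[prof] if prof else (DEFAULT_NODES_UACC, None)
        decision = TRUST[uacc]
        if decision == "ACCEPT" and addmem:      # the deck shows ADDMEM translation with UACC(UPDATE)
            token = Token(token.suser if addmem == "&SUSER" else addmem, token.suser, token.subnode)
        return decision, token

def run_job(net, submit_at, xeq_at, prt_at, userid, printer="PRT1"):
    """Push one job through submit -> execute -> print; returns (log of checks, final token)."""
    log, token = [], Token(userid, userid, submit_at)
    for src, dst, kind in ((submit_at, xeq_at, "J"), (xeq_at, prt_at, "S")):
        if src == dst:
            continue
        writer_res = f"JES2.NJE.{dst}"
        if not net[src].may_send(token, writer_res):
            log.append((src, "WRITER " + writer_res, "DENIED"))
            return log, token
        log.append((src, "WRITER " + writer_res, "OK"))
        token = Token(token.userid, token.suser, src)
        nodes_res = f"{src}.USER{kind}.{token.userid}"
        decision, token = net[dst].receive(token, kind)
        log.append((dst, "NODES " + nodes_res, decision))
        if decision == "REJECT":
            return log, token
    ok = net[prt_at].may_send(token, f"JES2.LOCAL.{printer}")
    log.append((prt_at, f"WRITER JES2.LOCAL.{printer}", "OK" if ok else "DENIED"))
    return log, token

def build_network():
    """Slide 35 as a two-node network: RICKY submits at ORANGE, runs at VEGAS as LUCY,
    prints back at ORANGE as RICKY. MALLORY and EVE are assumed extra ORANGE users."""
    orange = JesNode("ORANGE",
        writer={"JES%.NJE.VEGAS": {"UACC": "READ"}, "JES%.LOCAL.PRT1": {"RICKY": "READ"}},
        nodes={"VEGAS.USERS.*": ("UPDATE", "&SUSER")})
    vegas = JesNode("VEGAS",
        writer={"JES%.NJE.ORANGE": {"UACC": "READ"}},
        nodes={"ORANGE.USERJ.RICKY": ("UPDATE", "LUCY"),      # trusted, and run as LUCY
               "ORANGE.USERJ.MALLORY": ("NONE", None),       # untrusted: no jobs accepted
               "ORANGE.USERJ.*": ("READ", None)})             # semi-trusted: password re-verified
    return {"ORANGE": orange, "VEGAS": vegas}
```

Running run_job(build_network(), "ORANGE", "VEGAS", "ORANGE", "RICKY") logs the five checks in the order the deck draws them and ends with the output owned by RICKY again; MALLORY is stopped at VEGAS by the UACC(NONE) entry; EVE, covered only by the READ entry, gets through with a password re-verification but is then denied the local printer because only RICKY is permitted to JES%.LOCAL.PRT1.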

Identifying the node name

• Defined in the JES initialization parameters (JES2: NJEDEF OWNNODE= together with the matching NODE(n) NAME= statement; JES3: the NJERMT statement with HOME=YES)
• A node is a specific location in a network
• The JES JOB log can identify the node name: the JES2 job log header names the system and the node the job ran on

Using RACF Variables

• Used like generic characters in profile names
• Must be defined in the RACFVARS class
• Only applicable to general resource classes, not DATASET profiles
• RACFVARS profile names must be 1 to 8 characters and must start with an ampersand (&)
• See the RACF Security Administrator's Guide, Chapter 7 for complete details

Using RACF Variables

• &RACLNDE is a RACF reserved profile name
• Use the &RACLNDE profile name to represent multiple node names in the RACFVARS class
• RACFVARS is a group class, not a member class
• Allows use of a single profile to represent multiple nodes in a network where the resource protection is the same for all nodes
  – E.g. ORANGE, VEGAS, DALLAS
• Useful for NODES, JESJOBS, JESSPOOL

Using RACF Variables

  RDEF RACFVARS &RACLNDE UA(N) OW(SECADMN)
  RALT RACFVARS &RACLNDE ADDMEM(ORANGE, VEGAS, DALLAS)
  RDEF JESSPOOL &RACLNDE.*.PAY*.** UA(N) OW(SECADMN)
  PE &RACLNDE.*.PAY*.** CL(JESSPOOL) AC(A) ID(PAYGROUP)
  RDEF NODES &RACLNDE.USERJ.ARTM UA(C) OW(SECADMN)
  SETR RACLIST(RACFVARS JESSPOOL NODES) [REFRESH]

RACFVARS and NODES are only used from their RACLISTed in-storage copies: the first SETR RACLIST activates the copy, and SETR RACLIST(...) REFRESH must follow every later change to a profile or to the &RACLNDE member list, otherwise JES keeps checking against the old definitions.

That’s all for JES Folks!