GSE Belgium June 20, 2014
Surviving an IMS Security Audit
Did you lock up?
Maida [email protected]
© Copyright IBM Corporation [current year]. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES
ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE
INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT
PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE
RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR
REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/OR
SOFTWARE.
IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms
are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may
also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.
Disclaimer
Agenda
IMS resources
Security facilities
Locking up
Some things to consider
IMS Resources
• IMS online system itself
• Commands
• Transactions
• Datasets
• Coupling Facility structures
• Databases – records, segments, fields
• Programs (PSBs)
• Terminals (logical, physical)
• IMSplex and XCF group membership
At least one form of protection is available for each resource.
In many cases multiple security facilities may be used to protect a single resource.
Coupling facility structures might contain message queues or lock structures.
Security Facilities – IMS Default Security
IMS Default Security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)
IMS commands are very powerful. Commands may be used to start the system, stop the system, and
alter critical system resources. If an installation does not implement IMS command security, IMS
automatically provides a type of command security commonly referred to as 'default' security to
limit the commands users may enter.
IMS Default Security
• What does it protect? – Only IMS Type 1 commands
• Is based on the command's source of entry
• How is it activated? – When you do not specify any command security for commands entered from that source
• How is it deactivated? – By specifying command security for commands entered from that source
Default security applies to IMS commands. Default security does not affect other IMS resources such
as transactions, databases, terminals, programs, etc.
Default security allows only a subset of the IMS commands to be entered. The subset of commands
allowed when default security is active depends on where the command is entered (the source of
entry). For example, the subset of IMS commands that may be entered from a static terminal is
different than the subset of IMS commands that may be entered from an APPC device.
When command security is not specified, IMS automatically provides default 'command' security. In
this respect, default security is not optional. It may be deactivated by specifying another form of
command security.
When the Command Authorization Exit Routine has been included in the IMS system, default security
is deactivated.
The sample exit provides the same command defaults as default security.
The default subset of commands allowed for each source is documented in the IMS Command
Reference Vol 1.
IMS Default Security
Commands can be entered from many different sources:
– Static terminals: master terminal, system console, TCO scripts, and user terminals
– ETO devices/terminals
– APPC/LU 6.2 devices
– OTMA clients
– AO transaction programs: DL/I CMD call, DL/I ICMD call
– MCS/E-MCS consoles
– Operations Manager (OM)
IMS commands may be entered from various sources.
•The master terminal or system console
•IMS terminals that have been statically defined
•Time Controlled Operations (TCO) scripts
•Extended Terminal Operations (ETO) terminals which are dynamically defined to IMS
•Advanced Program-to-Program Communications (APPC) or LU 6.2 devices
•Open Transaction Manager Access (OTMA) clients
•Automated operator (AO) programs that issue commands using either the DL/I CMD call or the DL/I
ICMD call
•Multiple Console Support/Extended Multiple Console Support (MCS/E-MCS). SDSF is an example of
an E-MCS console.
•Operations Manager (OM) Single Point of Control (SPOC) applications
When default security has been activated, the command set that may be issued from each of these
environments may be different.
IMS Default Security
You gave everyone access to the IMS DISPLAY command
RDEF CIMS DIS UACC(READ)
Why can’t some people do /DIS?
IMS Default Security
How did the user access IMS? As an OTMA client.
The OTMA “window” was not locked: OTMASE=N
Since no security was specified for OTMA, default command security was in effect, and /DIS is not in the
default command subset for OTMA clients (see the next slide). The CIMS profile is never consulted.
OTMASE is the IMS parameter used to specify whether you want OTMA security. OTMASE=N says you
don’t want any OTMA security.
IMS Default Security
Commands allowed by default when OTMA is the source of command entry:
/LOCK /LOG
/RDISPLAY
When IMS has been started without command security specified for commands entered from OTMA
clients, default security is enforced. In order for default command security to take effect for commands
entered from OTMA clients:
•RACF security checking must be inactive for the OTMA environment and
•DFSCCMD0 is omitted from the IMS system; or if included, it is the unmodified sample exit
RACF security checking is inactive in the OTMA environment when IMS has been started using the
IMS start up parameter OTMASE=N or when the /SECURE OTMA NONE command has been issued
after IMS start up.
If DFSCCMD0 has been included in the IMS system, it will be used to authorize commands entered
from OTMA clients. The unmodified DFSCCMD0 sample exit routine allows only the default
commands shown.
When neither RACF nor DFSCCMD0 is used to authorize commands, default command security is
enabled automatically by IMS for commands entered from OTMA clients and only the commands
shown may be entered.
Security Facilities – PSB
• IMS default security
Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)
Before executing an application program under IMS, you must describe that program and its use of
logical terminals and logical data structures through a program specification block (PSB)
generation. The PSB generation statements supply the identification and characteristics of the IMS
resources to be used: each program communication block (PCB) represents a message destination
or a database used by the application program. In addition, there must be a statement supplying
the characteristics of the application program itself. There must be one PSB for each message,
batch, or Fast Path program.
Security Facilities – PSB
• PSB provides database security
  – Data sensitivity (SENSEG, SENFLD) describes the application's view of the database
  – Processing options (PROCOPT) define what the application can do (e.g. read or update)
• PSB should be coded to facilitate security requirements
  – Define only the segments and fields needed
  – Use only the processing option needed
• PSB is a trusted resource
  – IMS makes no security calls for resources hard coded in a PSB
  – A user authorized to submit a transaction using the PSB is also authorized to submit a transaction to a destination hard coded in the alternate PCB
The PSBGEN process may be considered a security facility of IMS because it is a mechanism for restricting the application program's logical view of the data it is allowed to access. The PSBGEN process is used to generate a
program specification block (PSB). Once generated, the PSB provides database security. A PSB contains one or more program communication blocks (PCBs).
A database program communication block (DB PCB) defines an application program's view of the database. An
application program often needs to process only some of the segments in a database. A PCB defines which of the segments in the database the program is allowed to access (the segments to which the program is sensitive). The
data structures that are available to the program contain only segments to which the program is sensitive.
The PCB also defines how the application program is allowed to process the segments in the data structure:
whether the program can only read the segments, or whether it can update them as well. To obtain the highest
level of data security, your PCBs should request the fewest sensitive segments and the least capability needed to complete the task. RACF can control which users and regions may use a PSB, but it does not see segments or fields; what the PSB declares is the only control inside the database.
Security Facilities - Encryption
• IMS default security
• Program Specification Block (PSB)
Database encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)
When preventing access to the data is difficult or impractical, encryption can protect data that is in files
or data that is being communicated in a network. IMS offers some file encryption capability
(through IMS Segment Edit/Compression exit routines, for example) but no communication
encryption capability.
Security Facilities – Database Encryption
Database encryption may be performed by
• zSeries and S/390 Crypto Hardware features
• z/OS Cryptographic Services: the Integrated Cryptographic Service Facility (ICSF), a component of z/OS Cryptographic Services, is the software interface to the crypto hardware
• Segment Edit/Compression Exit Routine (DFSCMPX0)
  – can invoke a user-supplied encryption routine
  – can call ICSF or another product
  – can invoke the IBM Data Encryption for IMS and DB2 Databases tool (5655-P03)
  – can be different for each segment
File encryption of the physical database keeps unauthorized individuals from looking at the data when the physical disk pack containing the database is removed from its usual area. File encryption support extends to VSAM physical databases. Communications encryption supports ACF/VTAM supported terminals.
You can encrypt DL/I segments using your own encryption routine, a software product that performs encryption, or hardware encryption, invoked from the Segment Edit/Compression Exit Routine (DFSCMPX0).
Before segments are written on the database, IMS passes control to your routine, which encrypts them. Then, each time they are retrieved, they are decrypted by your routine before presentation to the application program.
You can use the DFSCMPX0 facility on segment data in full function databases and Fast Path DEDBs. You write the routine that actually manipulates the data in the segment. The IMS code gives your edit routine information about the segment's location and assists in moving the segment back and forth between the buffer pool and the application program's I/O area.
Security Facilities – Database Encryption
Data Encryption for DB2 and IMS Databases tool:
• requires the IBM optional Crypto Express2 (CEX2) hardware feature
• requires ICSF, the software interface to the crypto hardware
• requires the standard CP Assist for Cryptographic Functions (CPACF) to be enabled and active if the clear key exit is used
• is recommended over roll-your-own solutions, as extensive testing has been done to ensure the product works with all the product interfaces
The Programmed Cryptographic Facility, program number 5640-XY5, provides file and
communications encryption under MVS. File encryption of the physical hierarchical database keeps
unauthorized individuals/programs from looking at the data. The program can be called from the
Segment Edit/Compression Exit Routine to perform the encryption.
Security Facilities – Database Encryption
Sample PAYROLL database (figure: hierarchy with root segment NAME and child segments ADDRESS and PAYROLL)
SEGM …,COMPRTN=(routinename,DATA,INIT,MAX)
Requires no changes to applications! Just change the DBD to name the exit routine.
You can use the Segment Edit/Compression Exit Routine to provide data encryption. By including the IBM Programmed Cryptographic Facility within your exit routine, you can reduce your programming effort. The facility is executed via assembler macro calls. Segments are encrypted before being placed in the database buffer pool. The SEGM control statement in the IMS DBDGEN includes a keyword, COMPRTN, to specify the name of this exit routine.
You can use ICSF/CCA APIs in the IMS DB Segment Edit/Compression exit. IMS supports the Programmed Cryptographic Facility (PCF) interface transparently through the ICSF/CCA interface. Programs that are written to the PCF interface run, without modification, through the ICSF/CCA interface. If you want your PCF programs to use the ICSF/CCA APIs, however, you must modify those PCF programs.
The ICSF/CCA interface has two PCF compatibility modes.
•ICSF mode COMPAT(YES) means that programs written to the Programmed Cryptographic Facility interface run without change, as well as calls made directly to the ICSF/CCA API. There are some limitations for dynamic master key change in this mode.
•ICSF mode COMPAT(NO) means only programs coded to the CCA API run.
Security Facilities – VSAM Password Protection
• IMS default security
• Program Specification Block (PSB)
• Encryption
VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)
Security Facilities - VSAM Password Protection
VSAM password protection for IMS databases in batch environments
• prevents accidental access to IMS databases by non-IMS programs
• used in conjunction with the CONTROLPW specification on the VSAM DEFINE statement
• specify PASSWD=YES/NO on the DBD
• ignored in the IMS online (DB/DC) environment
• in IMS batch, with PASSWD=NO the operator is prompted for the password each time the data set is opened; with PASSWD=YES, IMS supplies the DBD name as the password
You can take advantage of VSAM password protection to prevent non-IMS programs from reading
VSAM data sets on which you have your IMS databases.
This method is useful in the batch environment because VSAM password checking is bypassed
entirely in IMS online systems.
In the batch environment, operator password prompting occurs if PASSWD=NO is specified and the
data set is password protected at the control level (CONTROLPW) with passwords not equal to
DBDNAME. If you specify PASSWD=NO, the default, on the DBD statement, the console operator is
prompted to provide a password to VSAM each time the data set is opened.
Security Facilities – Application-based security
• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
Application-based security
• Physical security
• Exits
• RACF (or other SAF product)
Security Facilities - Application-based security
• The application program can perform its own security checks
• Security rules could be stored in
  – An internal table in the program
  – A database
  – RACF
• The application program issues a DL/I AUTH call for a
  • Database
  • Field
  • Segment
  • Other resource
• The application program grants or denies resource access based on the user ID of the user who entered the transaction
An AUTH call verifies a user's security authorization. It determines whether a user is authorized to
access the resources specified on the AUTH call. The AUTH call gives application programs access to
the RACF database classes security profile data. Thus, application programs can obtain the security
information about a particular resource and the user requesting access to the resource.
The AUTH call returns an A4 status code if the user is not authorized.
Security Facilities – Physical Security
• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
Physical security
• Exits
• RACF (or other SAF product)
Security Facilities – Physical Security
Physical security
• Controlled access to and from the computer area
• Authorization of DP operations and non-operations personnel in certain terminal areas
• Separately controlled areas for media such as tapes, disks, cards, or files
• Control of computer forms and printed output
Security Facilities - Exits
• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
Exits
• RACF (or other SAF product)
Security Facilities - Exits
• Can be used alone or with RACF
• Can override the RACF result – called after RACF
• May provide more granularity than the RACF profile
• If an exit cannot be explicitly specified, IMS will invoke it if it exists
• If an exit is explicitly specified, IMS will abend if it does not exist
IMS will abend during initialization with U0718 if you specify the use of an exit and the exit does not
exist. The converse is the audit risk: an exit that cannot be explicitly requested is picked up simply because a
load module of that name is present in RESLIB, so an auditor should list which exit modules are actually
present, not only what the parameters say.
Security Facilities – Exits
• Sign on/off verification – DFSCSGN0, DFSSGNX0, DFSSGFX0
• Transaction authorization – DFSCTRN0, DFSCTSE0 (reverify), DFSBSEX0 (build security environment)
• Command authorization – DFSCCMD0, DSPDCAX0 (DBRC), OM user exits
• RAS (dependent region/thread) – DFSRAS00
• Other – DFSYRTUX (OTMA), DFSTCNT0 (TCO), DFSCMPX0 (encryption), DFSFLGE0 (log edit), DFSMSCE0 (MSC), HWSAUTH0 (ODBM), IMSLSECX (IMS Connect)
DFSCTRN0 is generally not invoked unless RACF return code is 0 or 4. DFSCTSE0 (reverification
entry point of DFSCTRN0) is always invoked for CHNG, AUTH calls no matter what the RACF
return code is.
When an exit cannot be explicitly requested (e.g. APPCSE), it is invoked if it exists. When an exit
is explicitly requested (e.g. AOIS=A), it must exist or IMS will fail to initialize with U0718.
DFSBSEX0 was offered to improve performance: allowing you to control if and when a security
environment is dynamically built in cases where it does not exist (for example, “back end” IMS or
user signed off)
Exits can be used to override RACF decisions. Exits can be used to do more granular or
conditional checking than the RACF resource class may offer.
As of IMS 13, DFSCSGN0, DFSCTRN0 and DFSCTSE0 are removed from the nucleus, bound
separately and loaded from STEPLIB (if present) into 31-bit storage. The new DFS1937I message
indicates which of these user exits have been loaded.
Since the DFSCTRN0, DFSCTSE0 and DFSCSGN0 user exits were removed from the nucleus in
IMS 13, consideration must be given to maintaining their ability to communicate with one another.
There are two options for this: treating the exits as standalone modules and using the new
parameter to share the storage obtained during IMS initialization (recommended), or binding the
modules together using ALIASing. In either case, the modules should be bound as re-entrant and
also as AMODE/RMODE 31 to prevent them from being loaded multiple times. As a review, a re-
entrant module can be used by multiple callers simultaneously in which concurrent activity is taking
place. It is written so that none of its code is modifiable (no values are changed) and it does not
keep track of anything. The callers keep track of their own progress (variables, flags, etc.), thus one
copy of the re-entrant routine can be shared by any number of callers.
Security Facilities – Exits
RACF rejected a command but IMS did it anyway!
Why?
Security Facilities – Exits
15:36:21.32 STC00761 00000281 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
                785 00000281   ASS CL(CIMS )
                785 00000281   INSUFFICIENT ACCESS AUTHORITY
                785 00000281   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
DFS058I 15:36:21 ASSIGN COMMAND COMPLETED
1) RACF determined the user is not authorized.
2) IMS called the Command Authorization Exit (DFSCCMD0) after RACF.
3) The exit determined the user is authorized.
4) IMS allowed the command.
There is no way to explicitly request the Command Authorization Exit for commands from static and
dynamic terminals. Therefore the exit will be invoked if it exists in RESLIB.
RACF issued the ICH408I message because IMS called RACF with LOG=ASIS.
Security Facilities – Exits
Results when the exit was removed or changed:
15:36:21.32 STC00761 00000281 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
                785 00000281   ASS CL(CIMS )
                785 00000281   INSUFFICIENT ACCESS AUTHORITY
                785 00000281   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
DFS3662W 16:23:58 COMMAND REJECTED BY RACF; USER NOT AUTH ; RC= 0008
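The two outcomes above give an auditor a log signature to hunt for. The following is an added example (not part of the presentation): detection logic that pairs a RACF ICH408I in class CIMS with the IMS message that follows it on the same job. A DFS3662W means IMS honoured RACF; a DFS058I COMMAND COMPLETED for the command the profile names means something after RACF (the Command Authorization Exit) let it through. The log lines are constructed from the messages shown on the slides; the record layout ("hh:mm:ss.cc JOBID text", RACF continuation lines as separate records) and the two-second pairing window are assumptions. As the slide notes, this only works because IMS calls RACF with LOG=ASIS, so the ICH408I actually reaches the log.

```python
"""Spot a command that RACF rejected but IMS ran anyway.

Added example, not part of the presentation. Log lines are constructed,
modelled on the ICH408I / DFS058I / DFS3662W messages shown on the slides;
the record layout and the 2-second pairing window are assumptions.
"""
import re
from typing import Dict, List, Optional

RECORD = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d\d) (\S+) (.*)$")
ICH408I = re.compile(r"ICH408I USER\((\w+)\s*\) GROUP\((\w+)\s*\)")
CL_LINE = re.compile(r"^\s*(\S+)\s+CL\((\w+)\s*\)")   # RACF continuation: resource + class
DFS058I = re.compile(r"DFS058I \d\d:\d\d:\d\d (\w+) COMMAND COMPLETED")
DFS3662W = re.compile(r"DFS3662W .*COMMAND REJECTED BY RACF")


def find_exit_overrides(lines: List[str], window: float = 2.0) -> List[Dict[str, str]]:
    """One finding per CIMS ICH408I that is followed, within `window` seconds on
    the same job, by DFS058I for the command the profile names instead of the
    DFS3662W that a RACF-honoured rejection produces.

    CIMS profile names are the first three characters of the command verb
    (the slides use DIS for /DISPLAY and ASS for /ASSIGN), hence startswith().
    """
    findings: List[Dict[str, str]] = []
    pending: Optional[dict] = None
    for raw in lines:
        m = RECORD.match(raw)
        if not m:
            continue
        h, mi, s, cs, job, text = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(cs) / 100
        ich = ICH408I.search(text)
        if ich:
            pending = {"t": t, "job": job, "user": ich.group(1), "group": ich.group(2),
                       "resource": None, "class": None}
            continue
        if pending is None or job != pending["job"]:
            continue
        if t - pending["t"] > window:
            pending = None                      # too far apart to be the same command
            continue
        if pending["class"] is None:
            cl = CL_LINE.match(text)            # the "ASS CL(CIMS )" continuation line
            if cl:
                pending["resource"], pending["class"] = cl.group(1), cl.group(2)
            continue
        if DFS3662W.search(text):
            pending = None                      # IMS honoured RACF's decision
            continue
        done = DFS058I.search(text)
        if (done and pending["class"] == "CIMS"
                and done.group(1).startswith(pending["resource"])):
            findings.append({"time": raw[:11], "job": job, "user": pending["user"],
                             "group": pending["group"], "profile": pending["resource"],
                             "command": done.group(1)})
            pending = None
    return findings


# Constructed joblog sample: first ICH408I is followed by DFS058I (exit let the
# command through); a DFS058I with no preceding ICH408I is ordinary traffic;
# the second ICH408I is followed by DFS3662W (IMS honoured RACF).
SAMPLE_LOG = """\
15:36:21.32 STC00761 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
15:36:21.32 STC00761   ASS CL(CIMS )
15:36:21.32 STC00761   INSUFFICIENT ACCESS AUTHORITY
15:36:21.32 STC00761   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
15:36:21.33 STC00761 DFS058I 15:36:21 ASSIGN COMMAND COMPLETED
15:40:02.10 STC00761 DFS058I 15:40:02 DISPLAY COMMAND COMPLETED
16:23:58.05 STC00761 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
16:23:58.05 STC00761   ASS CL(CIMS )
16:23:58.05 STC00761   INSUFFICIENT ACCESS AUTHORITY
16:23:58.05 STC00761   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
16:23:58.06 STC00761 DFS3662W 16:23:58 COMMAND REJECTED BY RACF; USER NOT AUTH ; RC= 0008
""".splitlines()

if __name__ == "__main__":
    for f in find_exit_overrides(SAMPLE_LOG):
        print(f"{f['time']} {f['job']} user {f['user']} ran /{f['command']} "
              f"after RACF denied CIMS profile {f['profile']}")
```

Run against a real joblog, every hit is either an exit deliberately overriding RACF (which should be documented) or an exit nobody knew was still in RESLIB.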
Security Facilities – RACF (or other SAF product)
• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
RACF (or other SAF product)
Think of this house as the IMS online system.
This is a picture of Kykuit, a 40-room house in Westchester County, New York, built by John D. Rockefeller in 1913.
The APPL Gate
Think of this as the gate that protects the IMS online system.
Locking the Gate
RACF APPL class
• Restrict terminal users' access to applications (TSO, IMS, CICS, etc.)
  – Define a RACF profile for sapplid in the APPL class
  – Specify sapplid in DFSDCxxx
  – sapplid defaults to imsid
• Control ATTACH requests
  – Protect conversations between partner LUs
• Control which dependent regions can connect to IMS
  – This check is only made if RAS security is active (ISIS=R|A)
  – Examples of dependent regions: BMP, CICS, DB2 stored procedure
  – Define a RACF profile for imsid in the APPL class
To restrict access to an IMS control region to just those users of the system who are authorized by the nature of their jobs to access it, you must activate the APPL class in RACF.
When the user attempts to sign on, IMS uses RACF to verify the user's identity and his authority to access the specific IMS control region. IMS passes the application identifier for IMS on the RACROUTE REQUEST=VERIFY macro using the APPL= parameter.
RACF does an authorization check to determine the user's authorization to the IMS identified by the APPL= parameter on the RACROUTE request.
You can also use the APPL resource class to protect conversations between partner LUs. This support provides
the ability to grant or deny access on the basis of the identity of both the user and the logical unit (LU) from which
the user's request originated.
When RAS security is activated (ISIS), you can use the APPL class to control access to IMS by dependent
regions such as MPP,BMP,CICS,JBP,JMP,IFP,DB2 stored procedures, etc.
IMS Windows and Doors: How IMS Messages Get In
• SNA terminal (static or ETO)
• System console (WTOR)
• IMS master terminal
• MCS or E-MCS device
• OTMA (IMS Connect, MQ, distributed environment, etc.)
• ODBA (DB2 stored procedure, distributed environment)
• Operations Manager (OM)
• APPC/LU 6.2
• MSC link
• ISC link (LU 6.1)
• TCO script
• DBRC utility
• Dependent region (BMP, CICS, DB2 stored procedure, etc.)
• AOI program
Each “Window” Has a Lock
How is the message getting in?                 What is the IMS lock?   Where is the IMS lock?
SNA terminal (static or ETO)                   RCF                     DFSPBxxx
TCO script (special case of static terminal)   TCORACF and RCF         DFSPBxxx
MCS or E-MCS console                           CMDMCS                  DFSPBxxx
Dependent region (MPP, BMP, CICS, etc.)        ISIS                    DFSPBxxx
AOI program (tran issues CMD call)             AOI1                    DFSPBxxx
AOI program (tran issues ICMD call)            AOIS                    DFSPBxxx
DBRC                                           CMDAUTH                 RECON
OTMA (e.g. IMS Connect, MQ)                    OTMASE                  DFSPBxxx
ODBA (e.g. DB2 stored procedure)               ODBASE                  DFSPBxxx
Operations Manager (OM)                        CMDSEC                  CSLOIxxx / DFSCGxxx
APPC/LU 6.2                                    APPCSE                  DFSPBxxx
MSC link                                       MSCSEC                  DFSDCxxx
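The table above is the checklist an auditor walks, and it is also easy to automate. The following is an added example (not from the presentation): a checker that reads the PROCLIB members named in the table and reports which windows are explicitly unlocked, so the OTMASE=N and ISIS=N situations from the two scenarios on these slides show up before the auditor finds them. The member text is constructed. The PROCLIB record layout (KEYWORD=VALUE pairs separated by commas or records, parenthesised sub-values, /* */ comments, sequence numbers in columns 73-80) and the treatment of N or NONE as "no checking" are assumptions stated in the code. A keyword that is not coded is reported as NOT SPECIFIED rather than guessed, because the default depends on the IMS release and must be checked against the system definition reference. DBRC's CMDAUTH lives in the RECON, not in PROCLIB, so it is not covered.

```python
"""Checklist from the 'Each Window Has a Lock' table as a PROCLIB audit.

Added example, not part of the presentation. Member text below is
constructed; the record layout and the N/NONE convention are assumptions
noted in the comments.
"""
import re
from typing import Dict, List, Tuple

# (entry point, locking keyword, PROCLIB member prefixes that may carry it).
# Taken from the slide's table. DBRC's CMDAUTH lives in the RECON, not in
# PROCLIB, so it is not covered here; TCO is additionally governed by RCF.
LOCKS: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("SNA terminal (static or ETO)",           "RCF",     ("DFSPB",)),
    ("TCO script",                             "TCORACF", ("DFSPB",)),
    ("MCS/E-MCS console",                      "CMDMCS",  ("DFSPB",)),
    ("Dependent region (MPP, BMP, CICS, ...)", "ISIS",    ("DFSPB",)),
    ("AOI program, DL/I CMD call",             "AOI1",    ("DFSPB",)),
    ("AOI program, DL/I ICMD call",            "AOIS",    ("DFSPB",)),
    ("OTMA (IMS Connect, MQ)",                 "OTMASE",  ("DFSPB",)),
    ("ODBA (DB2 stored procedure)",            "ODBASE",  ("DFSPB",)),
    ("APPC/LU 6.2",                            "APPCSE",  ("DFSPB",)),
    ("Operations Manager (OM)",                "CMDSEC",  ("CSLOI", "DFSCG")),
    ("MSC link",                               "MSCSEC",  ("DFSDC",)),
]

_PARAM = re.compile(r"([A-Z0-9]+)=(\([^)]*\)|[^,\s]*)")
_COMMENT = re.compile(r"/\*.*?\*/")


def parse_member(text: str) -> Dict[str, str]:
    """KEYWORD -> VALUE for one PROCLIB member.

    Assumed layout: KEYWORD=VALUE pairs separated by commas and/or records,
    parenthesised sub-values allowed, /* ... */ comments ignored, and columns
    73-80 (sequence numbers) dropped. A keyword coded twice keeps the last value.
    """
    params: Dict[str, str] = {}
    for record in text.splitlines():
        record = _COMMENT.sub("", record[:72].upper())
        for key, value in _PARAM.findall(record):
            params[key] = value
    return params


def is_unlocked(value: str) -> bool:
    """Assumption used here: N, or NONE as any sub-value, means no checking."""
    parts = [p.strip() for p in value.strip("()").split(",")]
    return any(p in ("N", "NONE") for p in parts)


def audit(members: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """members: member name -> content. Returns (window, keyword, status).

    A keyword that is not coded is reported as NOT SPECIFIED rather than
    guessed, because the default depends on the IMS release.
    """
    parsed = {name.upper(): parse_member(body) for name, body in members.items()}
    findings: List[Tuple[str, str, str]] = []
    for window, keyword, prefixes in LOCKS:
        value = None
        for name, params in parsed.items():
            if name.startswith(prefixes) and keyword in params:
                value = params[keyword]
        if value is None:
            status = "NOT SPECIFIED"
        elif is_unlocked(value):
            status = "UNLOCKED"
        else:
            status = "LOCKED"
        findings.append((window, keyword, status))
    return findings


def unlocked_keywords(members: Dict[str, str]) -> List[str]:
    return [kw for _, kw, status in audit(members) if status == "UNLOCKED"]


# Constructed sample: the two scenarios from the slides (ISIS=N, OTMASE=N)
# plus an unchecked MSC link; AOI1 and ODBASE are deliberately left out.
SAMPLE_MEMBERS = {
    "DFSPBIMP": """\
IMSID=IMSP,
RCF=A,            /* RACF for sign-on, transactions, commands */
ISIS=N,           /* RAS off: BMP window open                 */
OTMASE=N,         /* OTMA window open: default cmd security   */
APPCSE=F,
AOIS=A,
CMDMCS=R,
TCORACF=Y
""",
    "DFSDCIMP": "MSCSEC=(LRDIRECT,NONE),MTOUSID=IMSMTO,WTORUSID=IMSWTOR\n",
    "CSLOIIMP": "CMDSEC=A\n",
}

if __name__ == "__main__":
    for window, keyword, status in audit(SAMPLE_MEMBERS):
        print(f"{status:<14} {keyword:<8} {window}")
```

Feed it the real members for each IMS (the suffix is whatever the control region JCL points at) and treat every UNLOCKED and NOT SPECIFIED line as a question to answer before the audit, not after; a LOCKED line only says a switch is on, and the RACF profiles and any exits behind it still need to be reviewed.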
A programmer with no access to production,
accidentally updated production data!
How can this happen?
Programmer was not authorized to sign onto the production IMS online.
Programmer’s user ID was not authorized to access the production databases.
You should ask: how did the user access IMS?
The user submitted a BMP.
The dependent region “window” was not locked: ISIS=N
Programmer submitted a BMP from TSO and accidentally specified production IMS. The BMP ran with
the programmer’s user ID inherited from TSO.
Although the programmer himself could not have signed on to IMS because he was not authorized to
the production imsid in the RACF APPL class, (“user not authorized to application”), the BMP does not
go through that APPL check unless RAS security is activated.
As for the user having no access to production databases, in the online environment it is DL/I that
needs access to the databases, not the user.
Dependent Region Security Options
• RACF
  – RACF APPL check when the dependent region tries to connect
  – RACF resource check at every dependent region scheduling
    – PSB (IIMS/JIMS)
    – Transaction (TIMS/GIMS)
    – LTERM (LIMS/MIMS)
• DFSRAS00 exit
  – Can be used for security rules alone or in addition to RACF
  – Can be used to customize the type of checking
    • exempt certain dependent regions from this security check
    • connection check only
    • resource check only
    • etc.
• RACF followed by DFSRAS00
• No security
Dependent Region User ID
RAS security needs a user ID for the dependent regions.
• For started tasks (MPP, IFP, CICS, etc.)
  – Started task user ID assigned via the RACF STARTED class
• For BMPs
  – USER= coded on the JOB statement of the BMP
  – TSO user ID if submitted from TSO
  – BMPUSID= in DFSDCxxx
  – PSB name
• For DB2 stored procedures
  – User ID of the user who submitted the procedure, if available
  – User ID of the ODBA address space
If running in a non-message-driven region, the value depends on the specification of the
BMPUSID= keyword in the DFSDCxxx PROCLIB member:
If BMPUSID=USER is specified, the value from the USER= keyword on the JOB statement is used.
If USER= is not specified on the JOB statement, the program's PSB name is used.
If BMPUSID=PSBNAME is specified, or if BMPUSID= is not specified at all, the program's PSB name
is used.
Sample Implementation of RAS Security with RACF
• Protect IMS in the APPL class
and/or
• Define the resources you want to protect
  – IIMS/JIMS for PSBs
  – TIMS/GIMS for transactions
  – LIMS/MIMS for LTERMs
• Define all region user IDs to RACF as users
  – BMPs, MPPs, IFPs, DB2 stored procedures, CICS, etc.
• Permit region user IDs to access the appropriate resources
• Permit region user IDs to access IMS if imsid is protected in the APPL class
• Set ISIS=R
The checks made for RAS security are similar to the checks made for an SNA terminal user.
A check is made when the region tries to connect (sign on) to IMS that the region’s user ID is
authorized to IMS protected in the APPL class. Then every time the region does work (is
scheduled), a check is made that the region’s user ID is authorized to the resource (PSB, TRAN,
LTERM).
If IMS is protected in the RACF APPL class, when you activate RAS (ISIS=R or A) IMS will call
RACF to check that the dependent region user ID is authorized to access IMS when the dependent
region requests to connect to IMS. This “connection check” is not done unless RAS security is
activated.
To implement RAS security you want to either protect IMS in the APPL class or protect IMS
resources or both.
An IMS User Can Be………
• A person
• Transaction
• Command
• Logical terminal (LTERM)
• Jobs and started tasks
• PSB
• TCO (Time Controlled Operations) script
• IMS master terminal
• System console WTOR
IMS Jobs and Started Tasks as Users
To allow IMS and its address spaces to access resources
• When IMS resources are protected by RACF
  – IMS needs a user ID
  – DLI/SAS needs a user ID
  – DBRC needs a user ID
  – Dependent regions may need user IDs
• The user IDs are needed for
  – Access to system resources and data sets, e.g. the system dump data set
  – Access to IMS protected data sets, e.g. the RECON data set and program libraries
  – Access to IMS resources as the default user ID
• User IDs can be assigned using the RACF STARTED class
If systems resources are RACF protected, then IMS will need to be assigned a user ID that has access
to the required resources. Such resources could include system dump data sets or logs.
Similarly, the DLI/SAS region may need to be authorized to access IMS databases and DBRC will
need to be authorized to access the RECON data set.
RACF user IDs are created for IMS, DL/I, DBRC and optionally for dependent regions using the normal
process of defining users in RACF, the ADDUSER command.
If the IMS procedure is associated with a RACF user ID (with sufficient authority), the IMS control
region can open a RACF-protected data set. If an association does not exist, the IMS control region is
not allowed to open a RACF-protected data set that does not allow universal access for the requested
authority level.
If the DLI/SAS procedure is associated with a RACF user ID, it overrides the RACF user ID for the IMS
procedure. If an association does not exist, the RACF user ID associated with the IMS procedure is
used for RACF access checking.
IMS Logical Terminals as Users
If a static terminal cannot (or will not) sign on
• Define the static terminal in IMS with the AUTOSIGN option – IMS assigns the logical terminal name (LTERM) as the user ID
• Add the LTERM name as a user ID in RACF
• Add the LTERM user ID to the appropriate access lists
If a static terminal cannot or will not sign on, you can simulate a sign on and assign a user ID by specifying OPTIONS=AUTOSIGN on the TYPE or TERMINAL macro in the IMSGEN.
The first LTERM name will be assigned as the user ID.
IMS TCO Scripts as Users
To allow a TCO script to issue transactions and/or commands:
• Add a /SIGN statement to the script with a user ID and password
• Define the TCO user ID and password to RACF
• Add the TCO user ID to the appropriate access lists
IMS views commands and transactions in a TCO script as coming from a static terminal.
At this time, there is no facility to use the AUTOSIGN option for TCO.
The password will appear in the script in clear text.
Some customers decide that RACF protection on the dataset that contains the TCO scripts is sufficient security
for TCO. They protect the script dataset and specify TCORACF=N so that the TCO script does not require a
/SIGN ON statement and no TCO user ID or password is required.
IMS Master and System Console WTOR as Users
To allow the Master (MTO) or system console (WTOR) to issue transactions:
• Define user IDs in IMS DFSDCxxx: MTOUSID= and WTORUSID=
• Define the user IDs to RACF – NOPASSWORD: IMS calls RACF to VERIFY the ID with PASSCHK=NO
• Add the user IDs to the appropriate access lists
IMS does not call RACF for command authorization
• All commands are allowed from the MTO and WTOR
• If necessary, commands could be restricted by an IMS exit
You cannot use the AUTOSIGN option for the MTO and WTOR
The Master Terminal and the console used to reply to the IMS outstanding WTOR both have unrestricted
access to IMS commands, and they are not forced to sign on. However, they can issue transactions, and if the
operator has not signed on, the user ID used for transaction security is the IMS control region's user ID. The SPE for the
AUTOSIGN function also addresses this issue: the DFSDCxxx PROCLIB member can specify the user IDs to
be used for transaction security when transactions are entered at the MTO or via the outstanding WTOR and
the user has not signed on. The DFSDCxxx parameters are MTOUSID and WTORUSID.
Passwords/Passphrases
• IMS supports mixed-case RACF passwords
• RACF password phrases can now be used with
  – IMS TMRA
  – IMS Connect
  – /SIGN command
  – VTAM logon user data
• RACF password phrases
  – More robust
    • Up to 100 bytes
    • Can contain mixed-case letters, numbers and special characters
  – Easier to remember
Users of TM Resource Adapter, IMS Connect, the /SIGN command and VTAM are now able to sign/log onto IMS using RACF password phrases that are a minimum of 9 bytes and a maximum of 100 bytes. Password phrases are superior to 8-byte passwords since they are easier to remember, and are more robust. Use of a passphrase is optional, as 8-byte passwords can continue to be used.
If RACF password phrases are used, the new default DFSGMSG0 MFS panel that supports passphrases can start being used, and the DFSCSGN0 and DFSLGNX0 exits will need to be updated so they can handle passphrases being passed to them.
The IMS /SIGN command has been enhanced to support passphrases. Two new flavors of this command are now available: /SIGN ONP and /SIGN ONQ.
The use of /SIGN ONP is most appropriate with an MFS panel, since this command requires a passphrase that is 100 bytes.
The use of /SIGN ONQ is most appropriate when a user is entering signon credentials from a terminal. There is no requirement for the passphrase to be 100 bytes when this command is used; the command involves the use of single quotes.
Logon user data passed to VTAM also now supports the use of passphrases. The entire DATA( ) parameter containing the logon credentials is encapsulated in single quotes, and the passphrase itself is encapsulated in double quotes.
Use of mixed-case passwords is specified by the PSWDC parameter in the DFSDCxxx member of PROCLIB.
PSWDC=M | U | R
Specifies whether mixed-case passwords are supported.
M - IMS supports the use of mixed-case passwords. If you intend to support mixed-case passwords, be aware of this support wherever you manipulate passwords, such as in exit routines.
U - IMS forces all passwords to uppercase.
R - IMS uses whatever is defined for mixed-case passwords in RACF®. If mixed-case passwords are active in RACF (which is done through the SETROPTS command) then IMS uses it. If mixed-case passwords are not active in RACF, then IMS uses uppercase passwords. Whenever there are changes to the mixed-case password definition in RACF, IMS adjusts without requiring a restart. R is the default.
Passtickets
Provides an encrypted alternative to sending a password
• One-time-only password
• Passwords not sent across the network in clear text
• Generated/interpreted by an algorithm using:
  – user ID, application identifier (sapplid), timestamp, secured signon key for encryption
• The client environment generates the PassTicket
• IMS calls RACF to interpret/validate the PassTicket
  – RACF uses the PTKTDATA profile definition
  – Profile name matches the sapplid name
IMS Access from / to Remote Environments via IMS Connect
As IMS expands its strategic role in the world of web services, enterprise mobility, and the cloud, a
greater focus has been placed on ensuring reliability and security. This section includes an overview
of how security is handled within the context of evolving technologies.
Access from remote environments such as SOAP Gateway, Microsoft .NET, WAS, etc. uses the Open
Transaction Manager Access (OTMA) “window” for access to transactions and the Open Database
Access (ODBA/ODBM) “window” for access to data.
Security Points in an Integrated World
[Diagram: IMS Connect sits between remote clients (IMS SOAP Gateway, IMS TM Resource Adapter in JEE, e.g. WAS, the IMS Universal drivers; other servers connecting to IMS Connect provide similar capabilities) and IMS/OTMA and ODBM, all inside a SAF/RACF secure environment. Security points shown: transport-level protection between clients and IMS Connect (SSL, AT/TLS, HTTPS, i.e. http over SSL/TLS); client authentication at IMS Connect (user ID/PW authentication, PassTicket, trusted user, default user, exit routines, RACF=Y|N, OTMASE=); JCA security architecture with container-managed or component-managed EIS signon (user ID/PW/group); SOAP Gateway transport-level authentication (client, server, basic for callout) and message-level WS-Security, per web service (connection bundle) or per web message; access to IMS/OTMA (client bid, ISRT/ALT, GU/IOP), message retrieval security (user ID, Resume TPIPE security), ICAL callout (can pass user ID outbound); IMS security: user validation to access IMS resources (access to TXN, DB, PSB).]
Multiple Levels of Security
• OTMA
  – Validates whether an OTMA member (IMS Connect) can communicate with IMS
  – Implements transaction and command security
    • user ID that flows in on a message against the IMS resource
  – Supports callout to web services
• ODBM
  – Passes security information to IMS for database access
• IMS Connect
  – Supports the authentication of user IDs, groups, passwords and passes the utoken to IMS with the message
  – Additionally extends the security authentication
    • PassTicket support
    • Trusted User support
• Network – connection security and encryption
  – SSL
  – TLS
  – AT-TLS
Based on user ID access to the IMS resource (e.g. transaction, command, PSB, DB, etc.)
Control blocks that represent the secured user can be
- ACEE – Accessor Environment Element created by SAF
- User token – an 80-byte value used to build the ACEE
- RACO – RACF Environment Object, a “flattened” ACEE which can be reconstituted into an ACEE
These can be created by components, e.g., IMS Connect, where authentication takes place
IMS Connect Security (cont)
• OTMA
  – OTMA Client Bid security
    • Determines whether an OTMA client can connect to IMS
    • Client’s authorization to join XCF group
  – OTMA Message security
    • IMS setting determines level of checking for each message
      – OTMASE=
      – /SECURE OTMA
• ODBM
  – Allocate PSB (APSB) security
    • IMS setting determines checking
      – ODBASE=
      – ISIS=
Client Bid security determines whether an OTMA client, e.g., IMS Connect, MQ, etc., can connect to
OTMA.
When IMS Connect initializes, a "Client-bid" message is sent to IMS using the user ID associated with
IMS Connect.
If OTMA security is enabled (OTMASE= something other than NONE), the IMS Connect user ID must
have READ access to the RACF FACILITY class profile IMSXCF.xcfgrp.ims-connect-member-name.
OTMA Message security determines the level of checking for each message from the end user.
OTMASE=option (in the DFSPBxxx member of IMS.PROCLIB)
where option can be set to NONE, CHECK, FULL, or PROFILE.
NONE – no RACF checking, but the Transaction Authorization Exit or the Command Authorization Exit is
invoked if it exists and can enforce security.
CHECK, FULL, or PROFILE – OTMA builds a user ID hash table for OTMA clients (TMEMBERs)
and a table to hold RACF ACEEs for verified users.
Resume TPIPE security is an authorization check by IMS when a message is retrieved from the hold
queue. It checks that the user/group can access the TPIPE using RACF (RIMS class) and/or the
OTMA Resume TPIPE Security exit routine (DFSYRTUX). The DFSYRTUX exit routine runs in the
IMS control region.
IMS Connect Security
• Accessing IMS transactions from a remote client
  – Remote TCP/IP client provides user ID, password, group in the message header
  – IMS Connect verifies the user ID/password
    • Configuration values for IMS Connect (HWSCFGxx)
    • RACF = Y | N and RACFID = user ID (default)
    • Issues RACROUTE calls to verify the user if RACF=Y
  – Message exits can call a user-written routine before any SAF/RACF calls:
    • IMSLSECX – security exit routine for transactions and commands
    • HWSAUTH0 – security exit routine for DB requests
  – Default RACFID
    • If the inbound request does not carry a user ID
    • Does not provide an override for requests that carry a blank user ID from the IMS TM resource adapter (e.g., WAS environment)
You can set a default RACF user ID for IMS Connect to use when the input message either does not
contain a user ID in the header or the field is blank. When the default RACF user ID is used, IMS
Connect passes it in the OMSECUID field of the input message to OTMA. When OTMA security
checking is enabled, OTMA uses the RACF user ID for authorizing commands, transactions, and
RESUME TPIPE calls with RACF. When both a default RACF user ID is defined and the incoming
message header user ID field is not blank, IMS Connect uses the user ID value in the message
header.
Securing Access to IMS Connect
• Accessing IMS transactions from a remote client
  – Basic security
    • Security requests flow in the clear
    • No encryption
  – Alternatives
    • IMS Connect security enhancements
    • PassTickets
    • Trusted User support
    • SSL
    • AT-TLS
SSL – Secure Sockets Layer is a protocol standard developed by Netscape Communications Corp. that uses encryption to
provide confidentiality and authentication between two TCP/IP applications. It provides a private
channel between client and server that ensures privacy of data, authentication of partners, and
message integrity.
TLS – Transport Layer Security is an evolution of SSL. As SSL gained in popularity, the IETF
formally standardized SSL, made a few improvements and changed the name to Transport Layer
Security (TLS).
AT-TLS – Application Transparent TLS is a unique usage of TLS on z/OS. Instead of having
the application itself (IMS Connect) be aware of TLS, establishing the TLS connection is pushed
down the stack into the TCP layer. Remote clients cannot distinguish between "normal" TLS (where
the z/OS server application does the socket calls necessary for TLS) and AT-TLS (where the TCP
layer handles the connection).
An application on z/OS can run without even being aware that the underlying connection to the remote
client is using TLS.
AT-TLS is activated by specifying the TTLS option in the TCPCONFIG statement block in the TCP/IP
profile data.
Why choose to use AT-TLS?
• Participation in AT-TLS is transparent to IMS Connect
  – IMS Connect can rely on the z/OS TCPIP stack
    • to perform the handshaking protocol
    • to perform the required authentications and encryption
• Supports multiple ports
  – SSL support in IMS Connect is limited to a single port for the IMS Connect instance
• No additional configuration specifications in IMS Connect
Open DB Security
• IMS TM Resource Adapter is used to access IMS transaction and command resources using OTMA
• The IMS Universal DB resource adapter (driver) provides JDBC SQL access to IMS data in a JEE environment such as WebSphere Application Server (WAS) on any platform
  – Access to IMS DBs uses IMS Connect and ODBM
    • IMS Connect provides authentication of the user ID/password sent in by the IMS Universal drivers on WAS
Open DB Security
• IMS Connect to ODBM
  – RACF=Y
    • IMS Connect authenticates the user ID/password/group
    • Passes a RACF Object (RACO) to ODBM
    • ODBM uses this information for security
  – RACF=N
    • IMS Connect bypasses authentication; does not pass a RACO
    • ODBM uses the ODBM job user ID/group
• ODBM to IMS
  – RACO from IMS Connect
  – If no RACO, then the user ID/group from the ODBM jobcard
Open DB Security...
• ODBM and RRS=Y
  – ODBM uses the ODBA interface to IMS
    • Creates and passes ACEE in the thread TCB
  – In IMS, ODBASE determines security
    • ODBASE=Y invokes APSB security
      – IMS calls RACF using the AIMS or Axxxxxxx resource class
      – The ISIS parameter is not used
    • ODBASE=N invokes RAS
      – IMS uses the ISIS parameter to determine security using the IIMS or Ixxxxxxx resource class
        • ISIS=N – No RACF checking
        • ISIS=R – RACF call
        • ISIS=C – DFSRAS00 exit
        • ISIS=A – RACF call and DFSRAS00 exit
Open DB Security...
• ODBM and RRS=N
  – ODBM uses the CCTL interface to IMS (like CICS)
    • Pass user ID/group in PAPL
  – In IMS, the ISIS parameter determines RAS security using the IIMS or Ixxxxxxx resource class
    • ISIS=N – No RACF checking
    • ISIS=R – RACF call
    • ISIS=C – DFSRAS00 exit
    • ISIS=A – RACF call and DFSRAS00 exit
IIMS (or Ixxxxxxx) resource class is used for
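As an added example (not from the presentation or from IBM), the combinations on the three Open DB Security slides above as a small decision model an auditor can query: which identity IMS evaluates for the PSB and which checks run, given IMS Connect RACF=, ODBM RRS= and the IMS ODBASE= and ISIS= settings. The function names, the "remote user (RACO)" label and the finding wording are constructed here.

```python
"""Model of PSB access security on the IMS Connect -> ODBM -> IMS path.
Added example, not IBM's code; encodes the rules stated on the slides."""
from dataclasses import dataclass

# ISIS option -> checks IMS performs under resource access security (RAS)
ISIS_CHECKS = {
    "N": (),                     # no RACF checking
    "R": ("RACF",),              # RACF call
    "C": ("DFSRAS00",),          # DFSRAS00 exit
    "A": ("RACF", "DFSRAS00"),   # RACF call and DFSRAS00 exit
}


@dataclass(frozen=True)
class OpenDbSecurity:
    identity: str     # whose user ID/group IMS evaluates for the PSB
    interface: str    # ODBA (RRS=Y) or CCTL (RRS=N)
    checks: tuple     # checks IMS performs, in order
    racf_class: str   # RACF resource class consulted, "" if no RACF call


def open_db_security(racf, rrs, odbase, isis):
    """racf: IMS Connect RACF=Y|N; rrs: ODBM RRS=Y|N; odbase: IMS ODBASE=Y|N;
    isis: IMS ISIS=N|R|C|A."""
    # RACF=Y: IMS Connect authenticates and passes a RACO, so the remote user's
    # identity reaches IMS. RACF=N: no RACO, the ODBM job's user ID/group is used.
    identity = "remote user (RACO)" if racf == "Y" else "ODBM job user ID/group"
    if rrs == "Y":
        interface = "ODBA"
        if odbase == "Y":
            # APSB security: RACF call against AIMS/Axxxxxxx; ISIS is not used
            return OpenDbSecurity(identity, interface, ("RACF",), "AIMS or Axxxxxxx")
    else:
        interface = "CCTL"   # ODBASE does not apply; ISIS determines RAS security
    checks = ISIS_CHECKS[isis]
    racf_class = "IIMS or Ixxxxxxx" if "RACF" in checks else ""
    return OpenDbSecurity(identity, interface, checks, racf_class)


def audit_findings(racf, rrs, odbase, isis):
    """Findings an auditor would raise for this combination (constructed wording)."""
    sec = open_db_security(racf, rrs, odbase, isis)
    findings = []
    if racf != "Y":
        findings.append("IMS Connect RACF=N: PSB access is authorized for the ODBM job, "
                        "not for the remote user")
    if not sec.checks:
        findings.append("No PSB authorization check in effect (ISIS=N and APSB security "
                        "not in effect)")
    return findings
```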
RACF Event Notification Facility (ENF) Support
• Background
  – IMS Connect V12 provided the option to cache RACF UserIDs (UIDs) along with a command to refresh them
• IMS Connect V13: RACF ENF Support for Cached UserIDs (UID)
  – Automatically refreshes cached UIDs by listening to RACF events (ENF signals) indicating that a change has been made to a UID
    • RACF commands: CONNECT, REMOVE, and ALTUSER REVOKE
  – NOTE: This function applies only when RACF UID caching has been enabled in IMS Connect
• Benefit
  – Allows IMS Connect to listen for certain RACF events indicating that a change has been made to a specific UserID
    • Avoids manual intervention
IMS Connect V12 enabled RACF user ID caching by defining the parameter UIDCACHE=Y in the
HWS statement of the HWSCFGxx configuration member, or via the type-2 command UPDATE IMSCON
TYPE(CONFIG) SET(UIDCACHE(ON)), the WTOR command SETUIDC OFF, or the z/OS command
UPDATE MEMBER TYPE(IMSCON) SET(UIDCACHE(OFF)). Additionally, these cached user IDs could be refreshed based on an aging value or manually by issuing a WTOR (xx,REFRESH RACFUID..), a z/OS Modify (F hws,UPDATE RACFUID NAME..OPTION(REFRESH)) or a
type-2 command (UPDATE IMSCON TYPE(RACFUID)).
The RACF Event Notification Facility (ENF) Support for Cached UserIDs (UID) allows notification of
changes to UIDs affected by the following RACF commands: CONNECT, REMOVE, and ALTUSER
REVOKE. IMS Connect has been enhanced to listen for the type 71 ENF signals produced by
these RACF commands, and to act on that signal to refresh the affected UID. This new capability is
applicable only when RACF UID caching has been enabled in IMS Connect.
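Added example, not IMS Connect's code: a model of a cached user ID that is only re-verified when its aging value expires, and what the ENF-driven refresh changes for a user ID that is revoked while cached. UidCache, FakeRacf, the scenario function and the TSOUSR1 user ID are constructed for illustration.

```python
"""Model of cached RACF user IDs with an aging value (UIDCACHE=Y) and an
ENF-driven refresh. Added example; class and function names are constructed."""
import time

# RACF commands whose type 71 ENF signals IMS Connect V13 acts on (from the slide)
ENF_REFRESH_COMMANDS = {"CONNECT", "REMOVE", "ALTUSER REVOKE"}


class UidCache:
    """Caches a user ID verification result until it ages out or is refreshed."""

    def __init__(self, uid_age_seconds, clock=time.monotonic):
        self.uid_age = uid_age_seconds
        self.clock = clock
        self._entries = {}  # userid -> (verified_at, verified_ok)

    def lookup(self, userid, verify):
        """Return the cached result; call verify(userid) again only when aged out."""
        now = self.clock()
        entry = self._entries.get(userid)
        if entry is None or now - entry[0] >= self.uid_age:
            entry = (now, verify(userid))
            self._entries[userid] = entry
        return entry[1]

    def on_enf_signal(self, racf_command, userid):
        """ENF signal for a RACF command: drop the entry so the next message re-verifies."""
        if racf_command in ENF_REFRESH_COMMANDS:
            self._entries.pop(userid, None)


class FakeRacf:
    """Stand-in for RACF VERIFY processing (constructed): tracks revoked user IDs."""

    def __init__(self, user_ids):
        self.revoked = {uid: False for uid in user_ids}

    def verify(self, userid):
        return userid in self.revoked and not self.revoked[userid]

    def altuser_revoke(self, userid):
        self.revoked[userid] = True


def revoked_user_accepted(use_enf, uid_age_seconds=3600):
    """Scenario: a cached user ID is revoked. Returns (accepted one minute later,
    accepted after the aging value has expired)."""
    clock = [0.0]                                    # simulated time in seconds
    racf = FakeRacf(["TSOUSR1"])                     # constructed user ID
    cache = UidCache(uid_age_seconds, clock=lambda: clock[0])
    cache.lookup("TSOUSR1", racf.verify)             # first message: verified, cached
    racf.altuser_revoke("TSOUSR1")                   # security admin revokes the ID
    if use_enf:
        cache.on_enf_signal("ALTUSER REVOKE", "TSOUSR1")
    clock[0] += 60
    soon_after = cache.lookup("TSOUSR1", racf.verify)
    clock[0] += uid_age_seconds
    after_aging = cache.lookup("TSOUSR1", racf.verify)
    return soon_after, after_aging
```

Without the ENF signal the revoked ID keeps being accepted until the aging value expires; with it, the next message is re-verified and rejected.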
Determining the Security in Effect
The security in effect for a given input message is determined by ...
• IMS system definition (IMSGEN)
• IMS JCL overrides
• IMS PROCLIB overrides
  – DFSPBxxx
  – DFSDCxxx
  – CSLOIxxx
  – DFSCGxxx
• IMS commands and restart options
  – Example: /SECURE APPC FULL
• Source of the input message
• RACF definitions
• Exits
• Program Specification Block (PSB)
• Database Definition Block (DBD) – encryption
• IMS Connect parameters
IMS13 removed the SECURITY macro from the IMSGEN because all SECURITY macro parameters
can now be specified in PROCLIB. There are other security-related macros in the IMSGEN.
Other Things to Consider
• Who needs database dataset access?
  – Rule of thumb: “Whoever has the DD card must have the authority.”
• The user ID that needs authorization is based on data set type.
  – VSAM
    • Online environment – DLISAS or IMS control region
    • Batch – user ID that submitted the job
  – OSAM
    • Online – DLISAS
    • Batch – user ID that submitted the job
  – Fast Path DEDB
    • Online – IMS control region
    • Batch – not applicable
The following describes the access requirements for different data set types:
VSAM
• In an online environment, if a user ID is used for the DLISAS started procedure, it requires authorization. If a user ID is not used for DLISAS, the control region's user ID is utilized.
• In a batch environment, the user ID submitting the job requires authorization.
OSAM
• In an online environment, the DLISAS started task user ID requires access.
• In a batch environment, the user ID submitting the job requires access.
Fast Path DEDBs
• In an online environment, the control region's started task user ID requires access.
• DEDBs are not applicable in batch environments.
Other Things to Consider (cont)
• How much authority does IMS itself really need?
  – IMS, DLI and DBRC need access to their datasets
    • JCL defined
    • Dynamically allocated
  – IMS does not normally need to access transactions or commands
    • If a user ID is not available, RACF uses the IMS user ID for authorization
  – IMS does not need to be defined as privileged or trusted
Other Things to Consider (cont)
• Protect copies of databases
  – Image Copy datasets
• Be aware of tape exposures
  – Bypass Label option
    • Can override dataset name to a name without security
  – Access as foreign tape
  – Move tape outside production library
  – ALTER tape content
  – Shared tape pool
  – RACF profiles belong to tape management
Even with RACF dataset protection, a user can bypass dataset name verification
(LABEL=EXPDT=98000). Permission to use this option needs to be granted carefully.
The RACF profiles to protect this belong to the RMM/tape management system.
Some users might have ALTER access to tape content and could alter or destroy the data on the tape,
putting recovery at risk.
Once a tape is moved outside the production tape library, there is no guarantee of protection.
A user on a development system with foreign tape permissions could then read a production
tape. Production tapes should remain in the production tape pool.
The Bypass Label option for jobs reading tapes is protected by the facility class profile ICHBLP,
assuming the resource class TAPEVOL is active. It allows the tape to be read overriding the
dataset name, possibly to a name the user does have RACF access to.
Databases
IMS database data is readable by IMS batch jobs run outside of the online system (DL/I Batch) and
by standard system utilities such as IDCAMS. Dataset access controls on database datasets
are critical.
Image copies are copies of database data for recovery purposes. They contain the same data as
the databases. DF/DSS makes internal RACF checks against STGADMIN.ADR in class FACILITY.
Other Things to Consider (cont)
• OM audit log should be enabled
• Users should be required to sign on
• Secure log data
  – Can remove sensitive data from logs if necessary
    • DFSFLGE0 exit or various IMS tools
ETO terminals are always required to sign on (it’s not an option).
Static SNA terminals (including TCO) can be required to sign on by specifying SIGNON=ALL in the
DFSDCxxx member of PROCLIB.
If a user does not sign on, the IMS control region user ID is used for authorization. Forcing all
terminals to sign on, and not allowing the IMS control region user ID access to transactions and
commands, protects against unauthorized static terminal users. The AUTOSIGN option can take care
of static terminals that cannot or will not sign on.
Consider activating the Audit Log for Operations Manager to log command processing.
IMS log data can be accessed for statistical purposes, required by vendors for diagnostic purposes,
used to build test scripts, etc.
Log data can be encrypted and/or scrubbed with the Log Edit Exit (DFSFLGE0) when transmitting logs
to vendors.
Summary
IMS resources
Security facilities
Locking up
Some things to consider
Write to us!
If you have any IMS questions:
Maida Snapper
To ask about IMS security services, please contact
Jeff Hook [email protected]