© 2014 Rocket Software, Inc. All Rights Reserved.
Two-Factor Authentication on z/OS with Rocket Strong Authentication Expert
Joris Cornette
t: +49 (0) 2159 69 97 14 • m: +49 (0) 160 96 46 93 27 • e: [email protected]
www.rocketsoftware.com
Agenda
Rocket Software
Management Questions
Rocket Strong Authentication Expert Overview
• How does SAE work?
• How do you get SAE operational?
• Authentication
Some considerations
Questions and Answers
Who are we?
Questions from the Management
7
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Questions from your Chief Security Officer
“Are our system administrators still logging in to the mainframe with passwords that change only once per month?”
• Stolen administrator passwords in particular open the front door
“Are there production scripts that use hard-coded, never-changing passwords to access the mainframe?”
• FTP is a good (bad) example
“Are you ready for an audit for regulatory compliance?”
• Or maybe you just had one and must take action now …
8
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Strong Authentication Expert
How does it work?
9
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
How does SAE work?
Requirement:
• Critical mainframe access (logon) should use two-factor authentication (a token, card or key fob in addition to a PIN) instead of a single static password
SAE is a solution based on 2 architectural components:
• The z/OS authentication requestor
The SAE started tasks
• One of these external two-factor authentication managers
RSA ACE/Server
RADIUS
o e.g. SafeNet Authentication Manager
10
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Architecture (diagram, reduced to text)
z/OS platform: the SAE RUNAGENT and SAE RUNRAZA / RUNRAZR started tasks, the SAE VTAM Application, the SAE External Security Manager Interface (TSO, FTP etc.), the SAE CICS API, the SAE ASM API and the RACF* database
Distributed platform: the Authentication Manager
* RACF or ACF2 or TopSecret
11
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Operation Modes
ESM mode (External Security Manager)
• SAE activates RACF exit points
• SAE thus sees every authentication attempt to the mainframe environment
Regardless of access method (as long as it passes through RACF)
VTAM mode
• SAE allows administrators to insert a two-factor authentication screen into the VTAM logon process using the SAE VTAM application
When logon is successful, the site-dependent post-authentication menu appears (e.g. a Session Manager panel)
Any RACF logon (e.g. for TSO and FTP) is left unaffected
ESM mode and VTAM mode cannot be combined on one LPAR
12
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Process Flow for ESM Mode (diagram: the flow runs through the RACF exits ICHRIX01 and ICHRIX02)
13
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Process Flow for VTAM Mode
14
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE ESM Mode Components
Uses the RACF-specific exit programs (ICHRIX01 and ICHRIX02)
Agent main started task
• Checks user provisioning
When the STC is not running, or the user is not provisioned in SAE, authentication proceeds as before (native RACF). Note that this is fail-open: while the agent is down, provisioned users are protected by their RACF password only, so monitor the task and alert when it stops
• Communicates with the RACF exit programs and the Protocol Handler
Protocol Handler started task
• Communicates with the external authentication manager (ACE/Server or RADIUS)
2 versions, depending on whether ACE/Server or RADIUS is used
• Ensure that this Protocol Handler starts first after IPL
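To make the Protocol Handler's job concrete, here is an added example (constructed for this page, not Rocket's RUNRAZR code) of the RADIUS Access-Request / Access-Accept exchange as RFC 2865 defines it: the handler hides the credential in the User-Password attribute using the shared secret and the Request Authenticator, the server decodes it and answers, and the handler verifies the Response Authenticator before it trusts the verdict. That SAE carries PIN+tokencode in User-Password is an assumption about the product; the shared secret, the user SYSADM1, PIN 1234 and tokencode 567890 are constructed sample values, and the server is an in-process mock rather than a real authentication manager.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), constructed example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (assumptions, not values from the slides): the shared
# secret of the RADIUS client/server pair and one user whose credential is
# PIN "1234" followed by the tokencode "567890" currently shown on the device.
SHARED_SECRET = b"sae-shared-secret"
SERVER_USERS = {b"SYSADM1": b"1234567890"}


def _attr(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, request_auth):
    """Server side: inverse of encode_user_password, padding stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    """Code, Identifier, Length, 16-byte Request Authenticator, then attributes."""
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    """Walk the Type/Length/Value list into a dict keyed by attribute type."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def mock_radius_server(packet, secret, users):
    """In-process stand-in for the authentication manager: decode the credential,
    answer Accept or Reject, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    presented = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[ATTR_USER_NAME], b"")
    code = ACCESS_ACCEPT if hmac.compare_digest(presented, expected) else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # reply carries no attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, ident, request_auth, secret):
    """Client side: accept the verdict only if the reply answers this request (same
    Identifier) and its Response Authenticator was computed with the shared secret.
    Returns the reply code, or None when the reply must be discarded."""
    code, resp_ident, _length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if resp_ident != ident or not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def authenticate(username, pin, tokencode, secret=SHARED_SECRET, users=SERVER_USERS):
    """One logon as the protocol handler would drive it: userid plus PIN||tokencode out,
    verified verdict back. Returns "ACCEPT", "REJECT" or "INVALID_RESPONSE"."""
    ident, request_auth = 0x2A, os.urandom(16)
    packet = build_access_request(ident, username, pin + tokencode, secret, request_auth)
    code = verify_response(mock_radius_server(packet, secret, users), ident, request_auth, secret)
    if code is None:
        return "INVALID_RESPONSE"
    return "ACCEPT" if code == ACCESS_ACCEPT else "REJECT"
```

Two things are worth noticing. The reply is accepted only if its Identifier and Response Authenticator match the outstanding request, so an Access-Accept forged by someone who does not hold the shared secret is discarded rather than granting a logon. And the User-Password hiding is only MD5-keyed XOR with no integrity protection on the request itself, so the hop between the started task and the RADIUS server still belongs on a network you control.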
15
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Recap
SAE allows two-factor authentication on z/OS using:
• Something you know (PIN)
• Something you have (the token that generates a temporary tokencode)
2 points of integration on z/OS
• External Security Manager (ESM) exits to extend RACF
• VTAM application for online applications
16
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Strong Authentication Expert
How to get it operational?
17
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Installation
Install SAE using SMP/E
• Base install followed by RECEIVE – APPLY – ACCEPT
Integrate SAE in RACF and z/OS
Run the Setup option of the RAZMAIN REXX exec to
• Create the runtime environment for SAE
Several VSAM settings files
• Configure SAE
• Set up SAE preferences
Perform additional steps depending on ESM mode or VTAM mode
• Integrate with ACE/Server, or
• Integrate with RADIUS
SAE requires 2 z/OS started tasks
• RUNAGENT (core agent)
• One of these:
RUNRAZA (ACE/Server Protocol Handler)
RUNRAZR (RADIUS Protocol Handler)
18
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE RACF and z/OS Integration (1)
Copy members RAZLIX01 and RAZLIX02 from SRAZLOAD into a z/OS LPALIB
• Rename these members to ICHRIX01 and ICHRIX02
ICHRIX01 (RACINIT preprocessing exit routine) runs before user identification, user verification and terminal authorization checking
ICHRIX02 (RACINIT postprocessing exit routine) runs after user identification, user verification and terminal authorization checking
• If your site already has its own ICHRIX01/ICHRIX02 exits in use, glue code is required to chain them; Rocket Support will help
• Concatenate this LPALIB with the exits to the LPA list
Use SRAZPARM member RAZIEALP as a guide to updating the existing LPALSTxx member
Practice?
19
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE RACF and z/OS Integration (2)
Add RAZLALU to the Authorized Command List
• Use SRAZPARM member RAZIKJTS as a guide for updating the existing IKJTSOxx PARMLIB member
Add the SRAZLOAD PDS to the active LINKLIST and APF-authorize this PDS
• Use SRAZPARM member RAZPRG13 as a guide to updating your existing PROGxx PARMLIB member
• Remember that an APF-authorized library must be write-protected: anyone with UPDATE access to SRAZLOAD could replace the modules that now run authorized
20
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Configuration and Administration Tool
21
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE authentication system SETUP
22
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE authentication system SETUP (screenshot)
This is where the z/OS installer wants help
23
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE RACF User Provisioning Process
Users are provisioned through the Provisioning option of the RAZMAIN REXX exec
• A provisioned user is a user who will be processed by SAE
A non-provisioned user follows the normal traditional logon process
• Only an SAE admin can provision users
• The first user of RAZMAIN to do the SAE Setup becomes the first SAE admin and can define other SAE admins
• JCL is provided for batch provisioning of users
Provisioning is only needed for ESM mode
• Provisioning is not used for VTAM mode: seeing the SAE VTAM screen is a clear sign that you will go to the authentication server
24
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE RACF User Provisioning
25
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE RACF User Provisioning Details
Associate the mainframe RACF ID with
• the RADIUS logon name, or
• the ACE/Server logon name
Set PIN value and length
• The PIN value may be left blank and is then set at first logon (even preferred)
Set up a fallback preference
• Specifies whether the user can fall back to regular RACF authentication if there is a problem with the authentication by the authentication server
• At least one admin user should be allowed fallback (?), so that an unreachable authentication server cannot lock every administrator out; the trade-off is that a fallback-enabled user is again protected by a static password alone, so keep that set small
This information is kept in the RACF user segment in the RACF database, so it deserves the same protection as password data
26
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Provisioned users must also be known in RSA
Define the user on ACE/Server as having a user-defined PIN, but do not set it to anything: when the user logs in for the first time, they will be prompted to set their PIN. In ESM mode, the default TSO new-password field is used for this.
27
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Strong Authentication Expert
Authentication
28
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE RACF Authentication
SAE exit code sees every logon attempt
• User logs in as usual via TSO, FTP etc.
For provisioned users (e.g. with RSA/RADIUS tokens or key fobs)
• User enters the first 2 characters of the PIN followed by the temporary tokencode generated by the device
SAE automatically fills in the rest of their PIN as long as the first 2 characters are correct
Together this is the password
• Exit code puts the user credentials through the SAE alternative processing
Exit code ICHRIX01 decides, with help of the ACE/Server or RADIUS server, whether the user is allowed to log on
• You can only retry a logon when a new tokencode is displayed (a tokencode is not accepted twice)
For non-provisioned users
• Exit code passes control back to the ESM for the normal RACF processing flow
• User uses the regular RACF password
29
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE Process Flow (ESM and ACE/Server)
Decision points in the exit, as drawn in the flowchart (diagram reduced to text):
• User is provisioned? N: Return to RACF, regular processing
• PIN matched? (the first two characters the user typed, against the stored PIN)
• RACF fallback enabled in SAE for this user? Y: Return to RACF, regular processing (the RACF password decides); N: Return NO to RACF, no further processing
• SAE sends request to ACE/Server (user ID, full PIN and tokencode)
• ACE says OK? Y: Return YES to RACF, no further processing; N: Return NO to RACF, no further processing
The fallback decision is reached when SAE cannot complete the two-factor check for a provisioned user; the chart's three outcomes are "Return YES to RACF, no further processing", "Return NO to RACF, no further processing" and "Return to RACF, regular processing".
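The chart as executable logic, an added example rather than Rocket's exit code: it models the ICHRIX01 decision for one logon in ESM mode, including the two-character PIN prefix, the tokencode that is accepted only once (the reason you can only retry when the device shows a new code), the fallback path and the agent-down path. The edge wiring is my reading of the flowchart and is an assumption, as is the agent-down rule taken from the "SAE ESM Mode Components" slide; the ACE/Server stand-in (MockAceServer), the user segments, PINs and tokencodes are constructed sample data, and password_only_exposure is a helper of my own.

```python
"""Model of the SAE ESM-mode logon decision (ICHRIX01 side), constructed example."""
from dataclasses import dataclass
from enum import Enum

PIN_PREFIX_LEN = 2  # the user types only the first two PIN characters


class Decision(Enum):
    YES_NO_FURTHER = "Return YES to RACF, no further processing"
    NO_NO_FURTHER = "Return NO to RACF, no further processing"
    RACF_REGULAR = "Return to RACF regular processing"


class AceVerdict(Enum):
    OK = "ok"
    REJECTED = "rejected"
    UNREACHABLE = "unreachable"


@dataclass(frozen=True)
class SaeUserSegment:
    """Constructed stand-in for the provisioning data SAE keeps in the RACF user segment."""
    ace_logon_name: str
    pin: str                # full PIN; SAE completes it from the two typed characters
    fallback_allowed: bool


class MockAceServer:
    """Constructed stand-in for ACE/Server (hypothetical, not the real protocol): checks
    PIN + tokencode and refuses a tokencode that was already consumed, which is why a
    logon can only be retried once the device shows a new code."""

    def __init__(self, users, reachable=True):
        self.users = users          # logon name -> (pin, tokencode currently displayed)
        self.reachable = reachable
        self.consumed = set()

    def __call__(self, logon_name, pin, tokencode):
        if not self.reachable:
            return AceVerdict.UNREACHABLE
        if self.users.get(logon_name) != (pin, tokencode) or (logon_name, tokencode) in self.consumed:
            return AceVerdict.REJECTED
        self.consumed.add((logon_name, tokencode))
        return AceVerdict.OK


# Constructed sample data: two provisioned RACF userids and their ACE/Server side.
SAMPLE_SEGMENTS = {
    "SYSADM1": SaeUserSegment("sysadm1", "1234", fallback_allowed=True),
    "OPER2": SaeUserSegment("oper2", "9876", fallback_allowed=False),
}
SAMPLE_ACE_USERS = {"sysadm1": ("1234", "567890"), "oper2": ("9876", "111222")}


def split_password_field(typed, stored_pin):
    """ESM mode: the RACF password field holds PIN[:2] + tokencode. Returns (full PIN,
    tokencode) when the prefix matches the stored PIN, else None."""
    prefix, tokencode = typed[:PIN_PREFIX_LEN], typed[PIN_PREFIX_LEN:]
    if prefix != stored_pin[:PIN_PREFIX_LEN] or not tokencode:
        return None
    return stored_pin, tokencode


def ichrix01_decision(userid, typed_password, segments, agent_up, ask_ace):
    """Model of the RACINIT preprocessing decision. Edge wiring is my reading of the
    flowchart (assumption); the agent-down rule comes from the ESM components slide."""
    seg = segments.get(userid)
    if seg is None or not agent_up:
        # Non-provisioned user, or SAE agent STC not running: native RACF decides.
        # This is fail-open for provisioned users while the agent is down.
        return Decision.RACF_REGULAR
    creds = split_password_field(typed_password, seg.pin)
    if creds is None:
        # PIN prefix not matched: with fallback, RACF judges what was typed as a password.
        return Decision.RACF_REGULAR if seg.fallback_allowed else Decision.NO_NO_FURTHER
    full_pin, tokencode = creds
    verdict = ask_ace(seg.ace_logon_name, full_pin, tokencode)
    if verdict is AceVerdict.OK:
        return Decision.YES_NO_FURTHER
    if verdict is AceVerdict.UNREACHABLE and seg.fallback_allowed:
        return Decision.RACF_REGULAR
    return Decision.NO_NO_FURTHER


def password_only_exposure(segments, agent_up):
    """Practitioner check: which provisioned userids the RACF password alone would
    get in right now (agent down: all of them; otherwise the fallback-enabled ones)."""
    return sorted(u for u, s in segments.items() if not agent_up or s.fallback_allowed)
```

password_only_exposure() is the check to run after provisioning: it lists every provisioned userid that a static password will still log on, which is all of them while the agent task is down and the fallback-enabled users at any time; keep that list short. Note also what the two-character prefix implies: the knowledge factor the user supplies at logon is two characters, and the rest of the PIN lives in the RACF user segment. Two characters plus a six-digit tokencode fit the classic eight-character RACF password field, which I take to be the reason for the design.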
30
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE VTAM Authentication
Preparatory actions
• Create a new VTAM application ID for SAE, e.g. RAZNET
• Register this VTAM application ID during the REXX processing at installation time, e.g. RAZNET
2 possibilities:
• Simple: use a LOGON APPLID(RAZNET) command
• More complex: use VTAMLST and TCPIP PARMS to have the SAE APPLID opened automatically on specific 3270 connections
The SAE logon screen is presented
• User enters userid and PIN+Token
• Once authenticated, the next step is configurable (samples are provided)
Forward to menu
Directly open a specific application such as TSO
31
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
SAE VTAM Integration
Enforcing the SAE VTAM application on 3270 connections (also known as assigning terminal ownership to the Rocket SAE in VTAM)
• Specify LUNAME
• Specify IP address/hostname
• Specify port
• Contact Technical Support for the details
32
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Process Flow for VTAM logon
33
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
The SAE ASM API
34
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Strong Authentication Expert
Considerations
35
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Considerations (1)
FTP user ids
• Should userids used for FTP be subject to two-factor authentication?
Possibly but …
o By the time a scheduled FTP process starts, the tokencode available when the job was prepared has usually expired, and a tokencode cannot be reused anyway
Better:
o Set up special non-provisioned userids for FTP that are only capable of FTP processing and are restricted to the data sets they transfer
Experiences?
Best practices?
36
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Considerations (2)
Session Managers
• Session Managers normally provide transparent logon to the sessions
SAE ESM mode interrupts that transparency for provisioned users and expects PIN+Token for each session logon
o Note: only for provisioned users
Alternative:
o Implement VTAM mode and request the PIN+Token for the VTAM application
o However, because you cannot have VTAM mode and ESM mode simultaneously, this protects the front door but leaves the windows open: the other RACF logon paths (TSO, FTP etc.) stay password-only
But the userid used for VTAM mode can be enforced on the next panel
We feel it is better to use ESM mode for the sessions
o Toggling between sessions remains transparent
Experiences?
Best practices?
37
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Considerations (2)
38
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Considerations (3)
Strong authentication in the DR case
• If you opt for two-factor authentication, make sure that the ACE/Server or RADIUS environment is reachable from the DR center; otherwise every provisioned user ends up in fallback (or, without fallback, locked out)
Experiences?
Best practices?
Users must be trained …
• To avoid their userids being revoked by repeated failed attempts
Especially when the same RSA device is used for mainframe and distributed logon
• In setting/obtaining a new PIN with SAE in ESM or VTAM mode
39
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Strong Authentication Expert
Questions and Answers
40
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.
Questions?
41
© 2014 Rocket Software, Inc. All Rights Reserved.
© 2014 Rocket Software Inc. All Rights Reserved.