ZOS
ZOS
Cryptography
Karan Singh
Rui Feio
Oerjan Lundgren
Bob McCormack
Rita Pleus
Paul Rogers
ibm.com/redbooks
International Technical Support Organization
August 2014
SG24-6986-01
Note: Before using this information and the product it supports, read the information in “Notices” on
page vii.
This edition applies to Version 1, Release 7 of z/OS (5694-A01), Version 1 Release 7 of z/OS.e (5655-G52),
and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2008, 2014. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Contents
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Now you can become a published author, too! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .x
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Stay connected to IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Contents v
vi ABCs of IBM z/OS System Programming Volume 6
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not grant you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any
manner serve as an endorsement of those websites. The materials at those websites are not part of the
materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring
any obligation to you.
Any performance data contained herein was determined in a controlled environment. Therefore, the results
obtained in other operating environments may vary significantly. Some measurements may have been made
on development-level systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should verify the applicable data for their
specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs.
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX® NetView® System z®
CICS® OS/390® Tivoli®
DB2® OS/400® VTAM®
Domino® Parallel Sysplex® WebSphere®
eServer™ PowerPC® z/Architecture®
GDPS® RACF® z/OS®
Geographically Dispersed Parallel Redbooks® z/VM®
Sysplex™ Redbooks (logo) ® z9®
IBM® Resource Measurement Facility™ zEnterprise®
IMS™ RMF™ zSecure™
Language Environment® S/390®
MVS™ System z9®
Intel, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other
countries, or both.
Java, and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its
affiliates.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
The ABCs of IBM® z/OS® System Programming is an 11-volume collection that provides an
introduction to the z/OS operating system and the hardware architecture. Whether you are a
beginner or an experienced system programmer, the ABCs collection provides the
information that you need to start your research into z/OS and related subjects. If you want to
become more familiar with z/OS in your current environment or if you are evaluating platforms
to consolidate your e-business applications, the ABCs collection can serve as a powerful
technical tool.
Authors
This book was produced by a team of specialists from around the world working at the IBM
International Technical Support Organization (ITSO), Poughkeepsie Center.
Rui Feio is an IT Specialist working at IBM Portugal. He has six years of experience in the
IBM MVS™, IBM OS/390®, and z/OS fields. He provides support to IBM customers in
Portugal. His areas of expertise include RACF, DFSMS, JES2, TSO, MVS, and UNIX System
Services. He holds a BSc in Computer Science.
Rita Pleus is a Senior IT Specialist in IBM Global Services in IBM Germany. She has IT
experience since 1986 in a variety of areas, including systems programming and operations
management. Before joining IBM in 2001, she worked for a German IBM S/390® customer.
Rita holds a degree in Computer Science from the University of Applied Sciences in
Dortmund. Her areas of expertise include z/OS, its subsystems, and systems management.
She was one of the authors of ABCs of z/OS System Programming Volume 3, SG24-6983.
Paul Rogers is a Consulting IT Specialist at the ITSO, Poughkeepsie Center, and has worked
for IBM for 39 1/2 years. He writes extensively and teaches IBM classes worldwide on various
aspects of z/OS, JES3, Infoprint Server, and z/OS UNIX. Before joining the ITSO 19 1/2 years
ago, Paul worked in the IBM Installation Support Center in Greenford, England, providing
OS/390 and JES support for IBM EMEA and in the Washington Systems Center in
Gaithersburg, Maryland.
Thanks to Paola Bari, ITSO, Poughkeepsie Center, for contributions to this project.
Thanks to the authors of the IBM Redbooks publication, System z Cryptographic Services
and z/OS PKI Services:
Jonathan Barney
Jean Marc Darees
Pekka Hanninen
Robert Herman
Guillaume Hoareau
Patrick Kappeler
Nikhil V Kapre
MuHyun Kim
Gerard Laumay
Joel Porterie
Vicente Ranieri Jr.
Dominique Richard
Daniel Turkenkopf
Thanks to Gregory P. Boyd, Advanced Technical Support, IBM, for his comments.
Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about this book or
other IBM Redbooks publications in one of the following ways:
Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
Send your comments in an email to:
[email protected]
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400
Preface xi
xii ABCs of IBM z/OS System Programming Volume 6
1
With estimates of over 80% of corporate data residing or originating on mainframes, security
and data integrity are on top of the list of critical business requirements. Thus, organizations
need to deliver advanced security features with an array of user identification, authentication,
auditing, and administration capabilities, combined with advancements in data encryption,
intrusion detection, and overall system integrity. These capabilities are designed to sustain
customer-facing, high-volume transaction rates at high service levels.
In this book, we explain how IBM System z is designed with built-in security capabilities to
help protect your business and what IBM software is used to achieve this purpose.
Traditionally, when we think of security, we often think of home security—keeping the doors
closed and locked, controlling access by limiting the number and distribution of keys, installing
burglar alarms to detect physical intrusion, and installing smoke and carbon monoxide alarms
to detect intrusion by other harmful substances. In many ways, IT security works in a similar
fashion. You need systems that are designed to control access to the system, to detect and
prevent intrusion into the system by unauthorized users, and to protect the system from
corruption by unauthorized programs and viruses. In other words, you need to close and lock
the doors and install a rigid and comprehensive set of fences and alarms to help protect
against various types of intrusion.
It is a very complex environment that tries to interface into the z/OS and we must also deploy
measures to protect communications to and from z/OS. IBM software on z/OS has this
capability. We cover encryption, the use of certificates, key handling, and other measures
such as auditing in this publication.
This chapter provides a brief overview of z/OS basic security and the additional security
services under z/OS. z/OS security services comprise various security-related products, which
are broadly grouped into three elements with some additional products, which we explain in
detail in the following chapters. See Figure 1-1 on page 2 for z/OS basic security facilities.
Integrity
- System authorization Facility (SAF)
- Program property table (PPT)
- Authorized program facility (APF)
- Authorized programs
Auditing
- Logs (hardcopy, system)
- Generalized trace facility
- System management facility (SMF)
Figure 1-1 z/OS basic security facilities
The z/OS operating system is designed, implemented, and maintained to protect itself
against unauthorized access, and thus security controls that are specified for that system
cannot be compromised. Thus, there is no way for any unauthorized program, using any
system interface, defined or undefined to:
Bypass store or fetch protection
Bypass the operating system password, VSAM password, or z/OS Security Server
Resource Access Control Facility (RACF) checking
Obtain control in an authorized state
Programs with the NOPASS parameter are able to bypass password protection for password
protected data sets and, thus, also bypass all RACF protection for RACF protected resources.
Therefore, it can read any data set on the system.
Important: You need to verify that only those programs that are authorized to bypass
password protection are, in fact, able to do so. Such programs are normally communication
and database control programs or other system control programs. You can also verify that
only those programs that need to run in a system key are authorized to do so.
Authorized programs
Many system functions are sensitive (for example restricted SVCs). Therefore, these sensitive
functions can be used only by authorized programs. An authorized program can virtually do
anything it wants. You could consider it an extension of the operating system. Therefore, care
is needed; such authorization must be given in a diligent manner and be monitored.
Auditing
z/OS has the following basic functions that provide information useful for auditing purposes:
Logs (hardcopy and system)
Generalized trace facility (GTF)
System management facility (SMF)
An auditor needs to look closely at the security settings on the z/OS system. Most auditors
have a good checklist to cover the areas where there is a need for vigilance and control.
Some examples of this include:
User entries in the PPT with bypass password protection (NOPASS) need to be verified
and checked if still required.
Determining whether the load libraries in the APF are all adequately protected.
z/OS Security
RESOURCE Server
ACCESS RACF
CONTROL
FACILITY
RACF helps meet your needs for security by providing the following abilities:
Identify and verify users
Authorize users to access the protected resources
Control the means of access to resources
Log and report attempts to access protected resources
Administer security to meet an installation’s security goals
RACF provides these functions when the installation defines the users and the resources to
be protected.
Integrated Security Services is supplied as a base element of the z/OS operating system. It is
not a single product but consists of the components described in the remainder of this
section.
Network Authentication Service for z/OS provides Kerberos security services without
requiring that you purchase or use a middleware product such as Distributed Computing
Environment (DCE). These services include native Kerberos application programming
interface (API) functions, as well as the Generic Security Service application programming
interface (GSS-API) functions.
Network Authentication Service for z/OS supports the following encryption types:
56-bit DES, referred to specifically as DES
56-bit DES with key derivation, referred to specifically as DESD
168-bit DES, referred to specifically as DES3
128-bit AES, referred to specifically as AES128
256-bit AES, referred to specifically as AES256
Notes:
The Distributed Computing Environment (DCE) Security Server component was
removed from the z/OS operating system with z/OS V1R13. An IBM Redbooks
publication entitled DCE Replacement Strategies SG24-6935 has been written to show
how it can be replaced.
The LDAP server component was removed from the z/OS operating system with z/OS
V1R11. It was replaced by IBM Tivoli® Directory Server for z/OS.
The Firewall Technologies component was removed from the system with z/OS V1R8.
Cryptography is the transformation of data to conceal its meaning. In z/OS, the base element
Cryptographic Services provides the following cryptographic functions:
Data secrecy
Data integrity
Personal identification
Digital signatures
The management of cryptographic keys
This base element supports keys as long as 56 bits. Keys longer than 56 bits are supported
by the optional feature z/OS Security Level 3.
The application calls ICSF for a cryptographic function and provides the data to be processed
along with the cryptographic key to be used.
ICSF drives the cryptographic operations at the coprocessors and transmits and receives the
processed data and the encrypted application key. Access to ICSF callable services and
application keys can be controlled by RACF profiles.
Thus, it provides a means for applications to directly access security services through the
ICSF security application programming interface or indirectly access security services via
layered security services and tools implemented over the OCSF API.
The other set of APIs (Certificate Management) provides the ability to use functions other
than the SSL protocols. These functions include the ability to create and manage key
database files in a similar fashion to the SSL Certificate Management utility. They also include
the ability to use certificates stored in a key database file, SAF key ring, or z/OS PKCS #11
token for purposes other than SSL and basic PKCS #7 message support. This provides
application writers with a mechanism to communicate with another application through the
PKCS #7 standard. This is a client-server protocol, with the client explicitly requesting an SSL
communication.
Server applications running on z/OS can use this function to verify certificates that other
network entities (for example, users and other servers) present. PKI Services or other
certificate authorities might have issued these certificates.
This comprises a number of unpriced z/OS features, each having their own SMP/E function
modification identifier (FMID). It permits the z/OS security services to conduct encryption with
keys greater than 56 bits. However, its export is subject to US export regulations.
Figure 1-6 shows the IBM Tivoli Directory Server for the z/OS component.
Figure 1-6 IBM Tivoli Directory Server for the z/OS component
LDAP server
The z/OS Lightweight Directory Access Protocol (LDAP) server, part of the IBM Tivoli
Directory Server for z/OS product, is based on a client/server model that provides client
access to an LDAP server. An LDAP directory provides an easy way to maintain directory
information in a central location for storage, update, retrieval, and exchange.
SAF supports the use of control points across products and across systems. Applications and
system components call these control points in order to interface with the ESM. Security on
z/OS is therefore centralized on SAF and the installed ESM. z/OS does not contain an ESM,
although there are several software products that act as an ESM. In this book, we only
discuss the ESM that is available from IBM for z/OS called Resource Access Control Facility
(RACF), which itself is part of the IBM security server.
When there is no ESM installed, SAF creates the security constructs needed by system
services. However, in reality it would be mandatory to have an ESM installed to meet today’s
exacting security requirements.
SAF provides an installation with centralized control over system security processing by using
a system service called the SAF router. The SAF router provides a focal point and a common
system interface for all products providing resource control.
SAF router: A service that provides a focal point for all resource control.
External security managers provide tables to SAF, which directs specific calls for security
functions to specific routines within the ESM. The use of these tables allows z/OS to provide
support for ESMs, thus giving the installation the flexibility to determine which ESM to use.
Figure 2-1 on page 10 highlights the major discussion points for SAF.
Note: SAF and the SAF router are present on all z/OS systems, regardless of whether an
ESM is installed or not.
What is SAF
How does it work
Auditing
Figure 2-1 SAF major points
What is SAF?
It is a z/OS component supplied within the base of z/OS and is used by resource managers
within z/OS to determine if an access is to be permitted. The System Authorization Facility
can function on its own. It does not require another product as a prerequisite. However,
overall security of z/OS is greatly enhanced when SAF works with another component to
resolve these security questions. SAF rarely works on its own.
The z/OS operating system refers to these points as control points. Examples include:
Determining the validity of identity credentials
Determining the authority of an identity to access a known resource
Determining the nature of auditing actions
Figure 2-2 shows the security flow when a user is authenticated and validated.
z/OS
User ID
Access Control
External
SAF Security
Application z/OS Manager
or z/OS Resource
component Manager
Event Logging
System Security
Management Database
Event
Facility
Logs
Control points pass control to the SAF Router using the RACROUTE service (the name of
this service shows its heritage in the early releases of RACF). SAF usually passes control to
the z/OS feature, which is IBM’s ESM and is called Resource Access Control Facility (RACF).
Alternatively, SAF can be configured to pass control to another external security manager.
There are alternate independent software vendor software offerings available that can be
used in place of RACF. RACF and each of these other offerings are known as external
security manager.
Figure 2-2 on page 10 shows the control flow when a user is authenticated and validated. It
starts with the application (or z/OS component) communicating with a z/OS resource
manager (for example, IBM IMS™), which makes a request to SAF via the RACROUTE
service to verify a user ID. SAF passes this request to its ESM, which consults its database
and passes the results back via the SAF to the application. You will see the logging of this
activity via the System Management Facility (SMF) log records, which creates an audit trail.
Auditing
We audit to record what security-related activities are occurring. A common example is when
a user is authenticated to a system (they are logging on). A requirement may exist to log all
users entering the system. In addition, as this user interacts within the system we may want to
know what resources were accessed or more importantly what accesses failed.
We must also consider tracking when commands on the system are issued to change
security information. It would be a serious flaw if you could not identify who altered security to
permit access.
A feature of z/OS is the component called System Management Facility (SMF). This feature
operates in a similar manner to the SAF resource managers. There are control points with the
z/OS operating system where SMF records are written. In some cases, it will not be possible
to bypass the controls over writing of these records.
In these examples here, we would see the z/OS operating system using what commonly is
called the SAF router, but technically we say that the z/OS system service is using the
RACROUTE REQUEST=AUDIT service to perform logging.
Note: In any z/OS operating system instance that has serious security requirements, the
SMF security records are all selected to be written and the security messages are not
suppressed.
SAF router
Resource manager
Validating identity credentials
Figure 2-3 Detailed actions using SAF
SAF router
How do these programs perform system services access SAF from their control points? They
use an authorized programming interface (API) to make this call. The actual program code
used depends on the programming language used. But typically in this interface at the lowest
level, it uses code that is created by the assembler macro called RACROUTE. Here we use
the term RACROUTE service, but its programming implementation may well use another
name as we see shortly.
SAF is accessed through the RACROUTE service. RACROUTE provides the services to
authenticate a user ID, interrogate access permissions, perform security event logging, and
obtain a security context for address spaces and tasks running on the system. Regardless of
the ESM installed, applications and system services use the RACROUTE service.
The RACROUTE service in z/OS removes the need for the application requesting security
services to understand the underlying system security infrastructure implemented by the
installation. The application does not need to know which ESM is installed, or indeed if one is
present at all.
The SAF router uses the routing table to associate the correct ESM programs with the related
RACROUTE call, as illustrated in Figure 2-4 on page 13.
Authorize
RACROUTE
SAF
Audit
Authorize
Get Information
Routing
Table
Get Status
Usually, when a user tries to access your system, whether through UNIX shell applications,
FTP, a web page, some other network application, or even through TN3270 and TSO,
authentication all uses a RACROUTE service. Understanding security on z/OS means
understanding how programs interface with the external security manager. Independent of the
ESM installed, applications need to initiate a RACROUTE service call or have one initiated on
their behalf in order to gather the information needed for subsequent authorization checks.
Audit Record events in SMF type 80 records, and issue messages to the
network security administrator.
FastAuth Verify access to resources whose protection profiles have been brought
into main storage by the RACROUTE REQUEST=LIST service.
The user requires a security context to access z/OS resources. The WebSphere Application
Server issues a pthread_security_np() to create the thread level security for the user. The
pthread_security_np() resolves, deep down in the dark recesses of z/OS as a RACROUTE
REQUEST=VERIFY, ENVIR=CREATE service call. Example 2-1 shows an authentication
check using the RACROUTE REQUEST=VERIFY service call. This example only shows
what the source code would look like in the assembler. It would be different using other
programming languages such as C++, or even Java; using the binder, the executable form of
this example would be available to the application that needs to establish a security context.
Example 2-1 Example in source code of using the RACROUTE service call to verify a user ID
label RACROUTE REQUEST=VERIFY,ENVIR=CREATE,USERID=USERDATA,PASSWRD=USRPASS,RELEASE=2.2,MF=S
This example assumes that USERDATA and USRPASS have been defined.
Resource managers
Resource managers might be independent sections of program code or they may be
embedded into other modules and routines. It is usual for resource managers to reside in
authorized code. (However, in certain situations it is possible for a resource manager to
perform satisfactorily without the code being authorized.) The role of a resource manager is to
control access to a resource. So, for example, in the case of an attempt to access a data set,
this is performed in the OPEN SVC routine in z/OS.
Each time that a data set is accessed for the purposes of reading or writing, the OPEN SVC is
used first. Only after this OPEN SVC has completed without error can a program perform
read and write operations to the data set. So this OPEN SVC is started by the program to
prepare the data set for access, and also (via its resource manager) to check that the user
running the program has the necessary access to the data set.
When the resource manager performs this check, it uses the RACROUTE REQUEST=AUTH
or RACROUTE REQUEST=FASTAUTH service. If an external security manager is present,
this results in a check being made that is based on the following types of questions:
Who is attempting the access?
What is the class of the resource?
What is the name of the resource?
What type of access is being requested (for example, READ or WRITE)?
When RACROUTE passes control back to the resource manager, the resource manager can
examine the return code and reason code values and can then decide based on those codes.
It should be emphasized here that it is the resource manager that makes decisions about
access using the information extracted from the external security manager.
Any program that performs the role of validating identity credentials should not be capable of
being subverted in any way. Therefore, for the protection of such programs they can hold data
in a storage key other than key 8. This requires that they be authorized either by running in
supervisor state, being specified to run in a non-user key (that is, not key 8), or running with
APF authorization. In practice most of these applications run with APF authorization and then
move into a system key or supervisor state as necessary.
The software performing this process of identity verification uses a system service called
RACROUTE REQUEST=VERIFY. It passes to these RACROUTE service items, such as:
Name of the user ID whose identity is being established
Associated terminal identification or port of entry
Identity verification credentials (for example, password, password phrase, PassTicket)
The application also has access to other information such as the time of day, the date, and
other environmental information. After the call to the ESM (through SAF) the authenticating
component uses the extracted data to either permit the authentication (such as permitting a
logon) or to deny the access.
RACF helps meet the needs for security by providing the following abilities:
Identify and verify users
Authorize users to access the protected resources
Control the means of access to resources
Log and report attempts to access protected resources
Administer security to meet an installation's security goals
RACF provides these functions when the installation defines the users and the resources to
be protected.
A specific RACF user, called the security administrator, has the responsibility to define users
and resources to RACF. The security administrator also specifies the rules that RACF uses to
control access to the resources.
The responsibility to implement the guidelines falls to the system programmer, who provides
technical support for RACF. The system programmer installs RACF on the system and
maintains the RACF database. This person oversees the programming aspects of system
protection and provides technical input on the feasibility of the implementation plan. In
addition, the technical support person can write and implement RACF installation exit
routines to extend the security infrastructure. RACF retains information about the users,
resources, and access authorities in profiles in the RACF database and refers to the profiles
when deciding which users are permitted access to a protected system resource. The auditor
monitors the security controls and checks that the security goals are met.
What is RACF?
RACF, Resource Access Control Facility is an ESM product to implement
and control the installation's security policies on z/OS systems.
Access to protected resources is controlled by rules.
RACF
What is RACF?
RACF is an optional external security manager (ESM) software product that provides basic
security to a z/OS system. Other security software products are also available. RACF as a
component of z/OS Security Server is included as part of the base z/OS system but requires
a separate license to be activated.
RACF provides the ability to implement the security policies that you choose on your system.
Note: Your system will not be secure by simply installing RACF. The quality of the system
protection depends on the way that you use the RACF functions.
RACF Functions
User identification
and authentication
RACF
Resource authorization
checking and system
access control
RACF
Security administration
(local or remote)
OMVS
Resource
CICS Managers
TSO
RACF protects resources by granting access only to authorized users of the protected
resources. To enforce your security policy, RACF gives you the ability to accomplish the tasks
described in this section.
RACF also has the concept of GROUPs, where users may be connected to a GROUP in
order to gain access to the resource. This greatly simplifies the matter as the security
administrator does not have to grant every individual user access to a particular resource by
defining a rule for each user, but instead a simple connection to an appropriate group (which
has access to the required resource) will suffice.
RACF will also permit identity propagation from other systems. Identity propagation is the
capability whereby a non z/OS identity, a distributed identity, is propagated into the z/OS
environment and is then used to provide credentials for authorization by being mapped to an
existing RACF user ID and is available throughout the z/OS Sysplex for auditing and
reporting.
Important: The RACF Report Writer was stabilized at the RACF 1.9.2 level. It cannot
produce reports for new SMF records available beyond that release.
Sending Messages: RACF sends messages “real time” to the security console and, if
implemented, to RACF defined TSO users as well.
Security administration
RACF can be administered either in a centralized or decentralized manner. In a centralized
approach, the RACF administrator (user attribute SPECIAL) controls the access to all users,
groups, and resources.
RACF database
RACF holds information about the users, groups, resources, and access authorities in profiles
that are stored in the RACF database and refers to the profiles when deciding if users are
permitted access to protected system resources. Applications can request RACF services.
Most of these services can only be requested by authorized applications.
RACF processing uses the information from the database each time a RACF defined user
enters a system and each time a user wants to access a RACF protected resource. Some of
this information can be cached in storage.
You maintain the RACF database through commands, assembled macros, and utilities.
RACF allows you to provide a backup database to which you can switch without a restart in
case your primary RACF database fails. A backup RACF database reflects the contents of
the primary database. After the installation has created the backup database, RACF can
maintain it automatically. In addition, the RACF database can be shared between other z/OS
and z/VM systems.
Figure 3-3 on page 22 shows the RACF primary Interactive System Productivity Facility
(ISPF) panel.
5 SYSTEM OPTIONS
The Interactive System Productivity Facility (ISPF) primary menu displays. From this menu,
choose option R for RACF.
Note: Although this method is the usual way to access RACF panels, your installation
might have this implemented through a different path.
The RACF panel interface is similar in use to all other ISPF panel options. Therefore, we do
not go into detail here on to how to use it.
You can access help information for the RACF panels. Help panels exist for each individual
panel. If you have a question about the information that you should provide on the panel,
either press PF1 or type HELP on the command line. The help panels give more information
about the terms on the panel and the information that you need to enter.
Users
Groups
Connect
Data sets (Files)
General resources:
- programs, transactions,
- databases, etc.
Group profile
When you define a group to RACF, you create a group profile in the RACF database. A group
profile consists of segments: a base segment and optionally, CSDATA, DFP, OMVS, OVM,
and TME segments. Each segment of a group profile consists of fields. When you define a
group’s profile (using the ADDGROUP command) or change a group’s profile (using the ALTGROUP
command), you can specify the information contained in each field of each segment.
Connect profile
This is created as a by-product of creating other profile entries as it establishes linkages
between RACF objects. For example, a connection profile is created when a user is
connected to a group.
Each RACF defined resource has a profile, though you can optionally use single profile to
protect multiple resources.
RACF commands or the RACF ISPF panels can be used to create and modify general
resource profiles.
RACF provides discrete, generic, and grouped resource profiles for both data sets and
general resources, as follows:
Discrete Discrete profiles have a one-for-one relationship with a resource: one profile
for each resource. Discrete profiles provide very specific levels of control.
Use them for sensitive resources. They protect only the one identified data
set that is on the specified volume or that spans specific volumes. For
example, a single data set can be defined with a discrete profile to allow
access by one user.
Generic Generic profiles have a one-for-many relationship. One profile controls
access to one or more resources whose names contain patterns or character
strings that RACF uses to associate them with each other. They contain a list
of the authorized users and the access authority of each user. A single
generic profile can protect many data sets that have a similar naming
structure. For example, all data sets that have a high-level qualifier of SMITH
and the characters DATA as a second-level qualifier can be controlled with
one generic profile.
Grouped Another type of RACF profile is the grouped profile. There might be no way to
associate the resources with a common access list based on patterns in the
resource names. In this case, the many resource names can be associated
with a single RACF profile by using a grouping profile that contains the
names of the associated resources.
Some subsystems with high performance requirements, such as IMS and
CICS, have the profiles resident in the subsystem address space. These
subsystems can save main storage by using grouped profiles.
Figure 3-5 on page 25 shows a list of RACF commands.
For administration:
RACF
GENERAL
FUNCTION USER GROUP DATASET
RESOURCE
DEFINE ADDUSER ADDGROUP ADDSD RDEFINE
ALTER ALTUSER ALTGROUP ALTDSD RALTER
LIST LISTUSER LISTGROUP LISTDSD RLIST
DELETE DELUSER DELGROUP DELDSD RDELETE
Administration
For each type of entity in RACF, a set of commands is available to define, modify, list, and
delete them.
Note: We say almost because RACF has another authority named AUDITOR, who can
uniquely display certain statistical data. A SPECIAL user can create AUDITOR authority,
so the SPECIAL user remains the ultimate controller of RACF.
You can get online help for RACF commands. To get online help for a command, type:
HELP command-name
For example, to see online help for the PERMIT command, enter:
HELP PERMIT
To limit the information displayed, use the SYNTAX operand on the HELP command:
HELP command-name SYNTAX
For example, to see only the syntax of the PERMIT command, enter:
HELP PERMIT SYNTAX
Where the following command LISTDSD (LD) lists the generic profile MARTIN and its access
list:
LD DA('MARTIN.*') AUTHUSER
And, the following command LISTUSER (LU) displays the basic RACF data for the user ID
MARTIN:
LU MARTIN
User authentication
logon Resource
logon user ID
manager
password /
password phrase
OID CARD
RACF
RACF DB
So how would a user be allowed to gain access to resources on a z/OS operating system? A
typical check to authorize a user for access to a particular resource would follow these steps:
A user is identified and verified to the RACF protected system.
A user wants to modify or access an existing RACF protected resource. This will typically
be in their interaction with a subsystem we call a resource manager. For example, they are
interacting with IBM DB2®.
The system resource manager (such as DB2) processes the request.
The resource manager issues a RACROUTE request, which travels via SAF into RACF to
ask if the user is permitted to perform their action.
Note: The resource manager is responsible for initiation of the authorization check.
RACF checks one profile to verify that the user can access the resource and to determine
whether the user has the required authorization to modify the contents.
RACF returns via SAF the results of this check to the resource manager.
The resource manager, based on what RACF indicates, makes the decision to either grant
or deny the request. So, you can see that the resource managers that make the
RACROUTE request to SAF must be deemed trusted in order to perform their functions.
RACF - Classes
New Class?
Profile
Product
XYZ
RACF stores information about users, groups, and resources in the RACF database. The
information is normally kept in storage to enhance performance. The drawback is that this
data must be refreshed when data is changed; updating the in-storage copy is done through
the SETROPTS command.
RACF: Administrator
To protect resources, the RACF Administrator needs to know in which classes a resource
manager keeps the RACF information. This information is normally documented in the z/OS
Security Server RACF reference manuals.
The RACF administrator defines user profiles in the RACF class USER, group profiles in the
class GROUP, resource profiles for data sets in the class DATASET, and resource profiles for
tapes in the class TAPEVOL.
It is possible to define additional classes. You can do this by modifying the dynamic class
descriptor table (CDT) and then activating the updated table. You can find the general
resource classes in the supplied CDT. It can be found in Appendix A of z/OS Security Server
RACF Security’s Administrator’s Guide, SA23-2289.
The administrator is a user with the SPECIAL user attribute. As a security administrator, you
are the focal point for planning security and maintaining security at your installation. You need
to:
Determine which RACF functions to use and how these functions are to be used
Identify the level of RACF protection
Identify what resources RACF is to protect
Identify administrative structures (centralized or decentralized)
Decide on naming conventions (for example for groups and user IDs)
A RACF security administrator performs the tasks that we describe in this section.
When defining a user it is mandatory to name the default group of the user. Each RACF
defined user belongs at least to his default group, but can be a member of multiple groups.
Furthermore it is necessary to have an owner of the user profile. Normally the default group is
chosen as owner.
Define groups
A user is connected to one or more groups. The information about the group is stored in the
group profile. A RACF group normally contains a number of users who share common
access requirements. It is important to consider the basic purpose of a group, for example
whether it is an administrative group, a holding group, a data control group, a functional group,
or a user group? Beyond this consideration, it is necessary to specify the owner of the group.
The SPECIAL, AUDITOR, and OPERATION attributes are also applicable at the group level.
The authority of the group-SPECIAL, group-AUDITOR, and group-OPERATIONS users is
limited to the resources that are within the scope of the group.
Important: The owner in RACF relates to the profile. The owner of a profile can update the
profile.
Note: In most cases, multiple resources are protected with a single profile, referred to as
generic profiles.
The RACF operator commands allow you to perform functions in the RACF subsystem. You
can enter these commands from an operator console. These commands allow a z/OS
operator to perform certain RACF operations in the RACF subsystem. The RACF subsystem
prefix in front of the command identifies the RACF subsystem as the processing environment.
Many RACF commands can be entered using TSO/E. RACF commands can also be issued
from security-related software products such as IBM Security zSecure Admin. This is a
powerful tool to perform small and large-scale RACF commands.
User Identification
- User ID = string of characters uniquely
identifying a user to a system
- Uniqueness allows individual accountability
- Digital Certificate
User Verification
- Via something the user knows - password
- Via something the user has - magnetic card, smart card,
biometrics
- RACF installation exits can augment
All users must be defined to RACF directly or indirectly in the case of identity propagation,
where a RACF user ID is mapped to one or more distributed user identities. Users who are
not defined to RACF may use the system virtually without verification, unless, of course, they
attempt to access data to which they are unauthorized.
User identification
RACF uses an alphanumeric user ID for its user identification. The user ID identifies the
person to the system as a RACF user. From a security point of view, the user ID is unique and
must not be shared by different users. This uniqueness provides individual accountability.
Normally, when you define a user to RACF, you assign a user ID and a temporary password.
This then requires the user to change the password upon their first use. There are exceptions
to this and RACF provides the RESTRICTED parameter, which we explain in 3.12, “RACF user
attributes” on page 36.
Furthermore, you can have RACF installation exits that expand user verification.
Note: It is the installation’s responsibility to accomplish and monitor security guidelines (for
example, unique user IDs and password rules).
security
user ID owner password attributes groups
classification
Each segment of a user profile consists of fields. When you define a user’s profile (using the
ADDUSER command) or change a user’s profile (using the ALTUSER command), you can specify
the information contained in each field of each segment of the profile.
RACF base segment
The base segment of a user profile contains basic information that is needed to define a user
to RACF. Some of the more important fields are listed here:
User ID The user ID is at the same time the name of the profile.
Name The name of the user.
Owner The owner of the profile has the authority to change the profile.
Every profile in RACF needs an owner.
Password The password entry is one-way encrypted. It is not possible to
decrypt the password. If a user forgets the password phase or
password, the administrator has to set a new temporary password
and the user must change this at the next logon.
Attributes This field contains extraordinary attributes. The attributes
SPECIAL, OPERATIONS, and AUDITOR should be given only to a
few selected user IDs. Further information is provided in 3.12,
“RACF user attributes” on page 36.
DFLTGRP A user ID belongs at least to his default group, but can be a
member of more groups. This field contains the default group that it
is assigned to.
CERTLABEL The certificate labels for the profiles in the DIGTCERT class that
are associated with this RACF user ID.
SECLEVEL User’s installation-defined security level. It is where we can use the
idea of levels to control access, that is, a user’s level must be at
least equal to or higher than the resource level it is trying to access.
Figure 3-13 on page 36 shows RACF user attributes.
AT GROUP
SYSTEM WIDE
LEVEL
User attributes
User attributes are extraordinary capabilities, limitations, or environments that can be
assigned to a user either system wide or when the user is connected to a specific group or
groups. When an attribute is to apply system wide, it is specified at the system level and is
called a user attribute. When an attribute is to apply only to a specified group or groups, it is
specified at the group level and is called a group-related user attribute.
User attributes that you specify in an ADDUSER or ALTUSER command are stored in the user’s
profile and are in effect regardless of the group to which the user is connected. However,
attributes that you specify in a CONNECT command are valid only for this group.
Note: Users with the SPECIAL attribute do not have access to all
resources, but they can use commands to give themselves access to all
resources. Because any user can access an unprotected resource, users
who have the SPECIAL attribute should take care to protect their own
data sets because they can contain sensitive information.
Note: Users with the AUDITOR attribute have the authority to specify
logging options on the ALTDSD, ALTUSER, RALTER, and SETROPTS
commands. In addition, the auditor can list auditing information using the
LISTDSD, RLIST, LISTUSER, LISTGRP, and SEARCH commands, as well as the
IRRUT100 utility.
OPERATIONS A user who has the system-wide OPERATIONS attribute has full access
authorization to all RACF protected resources in the classes DATASET,
DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD,
VMMDISK, VMNODE, and VMRDR classes. (The last five classes in this
list relate to RACF on z/VM.)
You can assign the OPERATIONS attribute at the group level. When you
do, the group-OPERATIONS user’s authority is limited to resources within
the scope of that group.
REVOKE You can prevent a RACF user from entering the system by assigning the
REVOKE attribute. This attribute is useful when you want to prevent a user
from entering the system, but you can or will not use the DELUSER
command because the user still owns RACF resource profiles.
You can also assign the REVOKE attribute on a group level by using the
CONNECT command. If the user has the REVOKE attribute for a group,
the user cannot enter the system by connecting to that particular group or
access resources as a member of that group.
Note: RACF allows you to specify a future date for a REVOKE to occur
(at both the system and the group level). You can also specify a future
date to remove the REVOKE attribute by using the RESUME parameter on
the ALTUSER command (for example, when you want to inhibit a user
from entering the system during a long absence). If no date is specified
on the RESUME parameter, the user is resumed immediately.
CLAUTH Users receive the CLAUTH attribute on a class-by-class basis. You cannot
assign the CLAUTH attribute at the user or group level.
If a user has the CLAUTH attribute in a class, RACF allows the user to
define profiles in that class.
RESTRICTED You can prevent RACF users from gaining access to protected resources
that they are not specifically authorized to access by assigning the
RESTRICTED attribute on the ADDUSER or ALTUSER command.
GRPCC A user with this GROUP ACCESS attribute can define a group data set
profile and as a consequence, other members of the group that this user
belongs to have access to this profile.
Note: The group whose name is used as the high-level qualifier of the
data set name is given UPDATE authority to the data set.
ADSP This is the automatic data set protection (ADSP) attribute. When you create
a permanent data set or a tape data set, RACF automatically creates a
discrete profile for it. It should be used sparingly because most data sets
are protected by generic profiles.
Figure 3-14 shows RACF user segments.
The base RACF segment is the part of the RACF profile that contains the fundamental
information about a user, group, or resource and is common to several applications.
The following information is kept in the RACF base segment of the user profile:
USERID User’s identification
NAME User’s name
OWNER Owner of the user’s profile
DFLTGRP User’s default group
AUTHORITY User’s authority in the default group
PASSWORD User’s password (one-way encrypted)
NOPASSWORD Gives the user the PROTECTED attribute when the user has the
NOPHRASE and NOOIDCARD attributes
PHRASE Optionally a Password Phrase (one-way encrypted)
NOPHRASE Indicates that the user cannot enter the system using a password
phrase and when the user also has the NOPASSWORD and
NOOIDCARD attributes, gives the user the PROTECTED attribute
REVOKE Date on which RACF prevents the user from having access to the
system
RESUME Date on which RACF lets the user have access to the system again
UACC Default universal access authority for resources that the user defines
WHEN Days of the week and hours of the day during which the user has
access to the system
ADDCATEGORY User’s installation-defined security category
SECLEVEL User’s installation-defined security level
Password management
- Allows user to select own password phrase and/or password
- Only user knows his password phrase and/or password
- Security administrator cannot read, but can reset password and
password phrase
Password and password phrase control
- Interval, history, syntax rules, expiration
- warning, suppression
- Last logon message
- Revoke invalid attempts
- DES one-way encryption
- EXIT - check or generate passwords
Alternates to password verification
Figure 3-15 RACF user ID and password
User identification is achieved using the user ID, which is a string of characters that uniquely
identifies a user to a system.
In RACF, users select their own password (and optionally a password phrase) and only the
user knows these values. If a password or password phrase needs to be reset, the security
administrator either resets it to the default or sets a temporary password (and optionally a
password phrase). This profile is normally in an expired state, thus forcing the user to enter a
new password or password phrase on the first logon.
You can set a variety of rules for forming valid passwords, using the SETROPTS command (for
system-wide settings) or the PASSWORD command (to affect only one user). You can change
such things as the number of days a password is valid, how long to maintain password history
to prevent the user from reusing the same password again, and so on. There is a detailed
explanation of setting up a rule in, “SETROPTS PASSWORD(RULE1(LENGTH(8)
VOWEL(1,3,5:8) NUMERIC(2,4)))” on page 79.
The password and password phrase is one-way encrypted using a Data Encryption Standard
(DES) algorithm. The key being used is the password itself. The encrypted password and
password phrase are stored in the user profile. Remember that RACF never looks at the raw
password, for checking it compares the encrypted forms. This way the only individual that
knows the raw password is the user.
To give the user feedback each time that they log on to TSO/E, they receive information when
they last logged on. The user checks to see if this is correct because it might indicate an
invalid use of their user ID. They will see this message:
ICH70001I USER001 LAST ACCESS AT 11:28:24 ON TUESDAY, JULY 23, 2013
Figure 3-16 on page 43 shows the process of adding a new user to the RACF database.
The command adds a profile for the new user to the RACF database and creates a connect
profile that connects the user to whichever default group you specify. The user profile consists
of a RACF base segment and, optionally, other segments such as a TSO segment, a DFP
segment, or an OMVS segment. You can use this command to define information in any
segment of the user’s profile.
Figure 3-16 shows sample output from the following ADDUSER command when the LISTUSER
is issued:
ADDUSER JAMES NAME('BROWN JAMES') DFLTGRP(MFG)
OWNER(ADMUSERS) PASSWORD(NEW2DAY)
This command adds a new user ID, JAMES, into default group, MFG.
U
USER=JAMES NAME=BROWN JAMES OWNER=ADMUSERS CREATED=13.205
DEFAULT-GROUP=MFG PASSDATE=00.000 PASS-INTERVAL= 90 PHRASEDATE=N/A
ATTRIBUTES=REVOKED Å this user has been revoked
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=UNKNOWN
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
O NO-MODEL-NAME
U LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
T
ANYDAY ANYTIME
P GROUP=MFG AUTH=USE CONNECT-OWNER=ADMUSERS CONNECT-DATE=13.205
U CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
T CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
A system administrator is often asked to reset a user’s password. There are two common
reasons for resetting a password:
1. The user forgot the password (or made too many errors when attempting to change it).
2. The user ID was REVOKED for some other reason, for example, revoked while on
vacation.
You can use the RACF ISPF panels to reset passwords but it is easier to use the following
commands:
PASSWORD When used to reset another user’s password, the only option is to set the
password equal to the user’s default group name. The default group name
is often SYS1. So, if the PASSWORD command is used to reset a user’s
password, the password is probably SYS1, which has obvious security
consequences.
ALTUSER You set the password phrase or the password. You can also specify
whether the user must specify the passwords again. This is indicated by
EXPIRED or NOEXPIRED.
In both cases, the password is marked automatically as expired, by default. Thus, the user is
forced to select a new password when logging on to the system the next time. With the ALU
command, you can also set an unexpired password, which is the password that the user can
use until changing it for some other reason.
You need to tell Martin the new password that you assigned. Martin needs the new password
to log on but is forced to change the password immediately to a password of his own selection
(unless you used the NOEXPIRED option). The PASSWORD NOINTERVAL command prevents this
user’s password from ever expiring and sets the password to the user ID’s default group
name, which is a possible security exposure and should be avoided. You need SPECIAL
authority to issue these commands.
When the panel that is shown in Figure 3-18 displays, carry on from this point.
Use the ALTUSER command to change the information in a user’s profile, including the user’s
system-wide attributes and authorities. The user profile consists of a RACF base segment
and, optionally, other segments such a TSO segment or a DFP segment. You can use this
command to change information in any segment of the user’s profile.
When you change a user’s level of authority in a group (using the AUTHORITY parameter),
RACF updates the appropriate group profile. When you change a user’s default universal
access authority for a group (using the UACC operand), RACF changes the appropriate
connect profile. For all other changes, RACF changes the user’s profile.
Note: If the user is currently logged on, changes to the attributes (except for OWNER and
AUTHORITY) do not take effect until the next time the user logs on, even though the
LISTUSER command shows the new values.
Figure 3-19 shows sample output from the following ALTUSER command, which adds the
attribute of AUDITOR to the user ID JAMES:
ALTUSER JAMES AUDITOR
Figure 3-20 on page 47 shows the process of changing a user password interval.
The interval indicates the number of days during which a password remains valid. The range
is from one through 254 days.
The value that you specify here cannot exceed the value, if any, that your installation has
specified using the INTERVAL operand on the SETROPTS command. The initial system default
after RACF initialization is 30 days.
If you specify INTERVAL on the PASSWORD command without a change-interval value, RACF
uses the system interval value (if any) that your installation specified or the system default.
Figure 3-20 shows sample output from the following PASSWORD command, which sets the
password expiration date for user ID James to 60 days:
PASSWORD USER(JAMES) INTERVAL(60)
To override the current system default password expiry interval, you would use the SETROPTS
command and specify a new value using the INTERVAL parameter.
Figure 3-21 on page 48 shows the process of deleting a user from the RACF database.
Use the DELUSER command to delete a user from RACF. This command removes the user’s
profile and all user-to-group connections for the user. (The connect profiles define the user’s
connections to various RACF groups.)
There are, however, other places in the RACF database where the user’s user ID might still
appear. The DELUSER command does not delete the user ID from all these places. Specifically,
the user could be the owner of a group, the owner of a user’s profile, the owner of a group
data set, or in an access list for any resource. Before issuing DELUSER, you must first issue
the REMOVE command to assign new owners for any group data sets the user owns in groups
other than his default group. You can use the RACF Remove ID utility (IRRRID00) to remove
all of the occurrences of a user ID. For information about using the RACF Remove ID utility,
see z/OS Security Server RACF Security’s Administrator’s Guide, SA23-2289.
To use the DELUSER command, at least one of the following scenarios must be true:
You must have the SPECIAL attribute.
The user profile to be deleted must be within the scope of a group in which you have the
group-SPECIAL attribute.
You must be the owner of the user’s profile.
Figure 3-21 shows sample output from the following DELUSER command, which deletes the
user ID James.
DELUSER JAMES
ADDUSER
ALTUSER
CONNECT
DELUSER
REMOVE
LISTUSER
PERMIT
PASSWORD
RACMAP
You define users to RACF by issuing RACF commands that include various user attributes, as
well as other control information that RACF uses. You might use some of the following
commands in your user-definition tasks:
ADDUSER Add a user profile to RACF.
ALTUSER Change a user’s RACF profile.
CONNECT Connect a user to a group.
DELUSER Delete a user profile from RACF and remove connection to a group.
REMOVE Remove a user from a group and assign a new owner for group data
sets owned by the removed user.
LISTUSER Display the contents of a user’s profile.
PERMIT Permit a user to access a resource (or deny access to a resource).
PASSWORD Change a user’s password.
RACMAP Create and maintain a mapping association between a RACF user ID
and one or more distributed user identities.
In addition to defining individual users, you can define groups of users. Group members can
share common access authorities to a protected resource.
RACF groups
With RACF, all defined users belong to at least one group. You can think of the groups forming
a hierarchical, or “tree” structure, where each group is owned by a superior group. Groups
can also own resources as well as users in another group.
Group administrators, to whom you give CONNECT (but not JOIN) authority, can connect the
appropriate users to the groups under their control and change the user’s default group name
as appropriate. This technique allows the installation to assign correct account numbers (in
TSO segment) and control other installation considerations while allowing flexibility in the
grouping of the user population:
Data Control You can create a group to act as a control point for the protection of
data. For example, by using the group SYS1, you can determine which
users are permitted to protect the SYS1 data sets. Only users with
CREATE authority or higher in this group can protect system data sets.
At your location, you might consider defining one such group for every
high level qualifier representing data that is to be protected.
Functional A group can represent a functional area of the installation for the
purpose of data sharing. For example, a financial analyst might need
to access various resources across many groups, such as accounting,
payroll, marketing, and others. Of course, the owners of each resource
SYS1
PROD DEVELOP
POU KGN
- TOM (with group special
attribute)
The group structure of RACF can be mapped to the organizational structure that exists at
your installation. That is, RACF conforms naturally to a tree structure of groups, where each
group (except SYS1, which is predefined as the highest group) has a superior, or owning,
group. Groups can correspond directly to business entities such as divisions, departments,
and projects. Users can be connected to one or more groups.
When you define a group, consider the basic purpose of the group. Is it an administrative
group, a holding group, a data control group, a functional group, or a user group? When
setting up RACF groups, keep in mind that the maximum number of users that you can
connect to any one group is approximately 5900.
You should map your groups to your organization’s structure and arrange them hierarchically,
with the IBM supplied SYS1 group as the highest group so that each group is a subgroup of
another group.
A user can be connected in more than one group (in Figure 3-24, SALLY is connected to MFG
and TEST groups).
In Figure 3-24, DESIGN, TEST, and MFG are all owned by group POU. Tom is connected to
group POU as SPECIAL, which gives Tom (who is the RACF administrator) control over all
POU resources DESIGN, TEST, and MFG.
Add a group:
- ADDGROUP EXPED OWNER(ADMGRPS) SUPGROUP(POU)
List the group:
- LISTGRP EXPED
Use the ADDGROUP command to define a new group to RACF. The command adds a profile for
the new group to the RACF database. It also establishes the relationship of the new group to
the superior group that you specify.
Group profiles consist of a RACF base segment and, optionally, other segments such as DFP
and OMVS. You can use this command to specify information in any segment of the profile.
To use the ADDGROUP command, you must meet at least one of the following conditions:
Have the SPECIAL attribute
Have the group-SPECIAL attribute and the superior group is within your group-SPECIAL
scope
Be the owner of the superior group
Have JOIN authority in the superior group
Figure 3-25 shows sample output from the ADDGROUP command, adds a new group named
EXPED, and is a subgroup to group POU:
ADDGROUP EXPED OWNER(ADMGRPS) SUPGROUP(POU)
Figure 3-26 on page 54 shows sample output from the ALTGROUP command.
Alter a group:
- ALTGROUP EXPED SUPGROUP(KGN)
List the group:
- LISTGRP EXPED
Use the ALTGROUP command to change various fields within the segments in the selected
profile:
The superior group of a group
The owner of a group
The terminal indicator for a group
A model profile name for a group
The installation-defined data associated with a group
The default segment information for a group (for example, DFP or OMVS)
To change the superior group of a group, you must meet at least one of the following
conditions:
You must have the SPECIAL attribute
All the following group profiles must be within the scope of a group in which you have the
group-SPECIAL attribute:
– The group whose superior group you are changing
– The current superior group
– The new superior group
You must be the owner of, or have JOIN authority in, both the current and the new superior
groups.
Note: You can have JOIN authority in one group and be the owner of, or have the
group-SPECIAL attribute in, the other group.
Figure 3-26 shows sample output from the ALTGROUP command, which moves the group
named EXPED from being a subgroup of group POU to a subgroup to group KGN:
ALTGROUP EXPED SUPGROUP(KGN)
Figure 3-27 on page 55 shows sample output from the DELGROUP command.
Delete a group:
- DELGROUP EXPED
List the group:
- LISTGRP EXPED
O
U
T
NAME NOT FOUND IN RACF DATA SET
P
U
T
Use the DELGROUP command to delete a group and its relationship to its superior group from
RACF.
There are, however, other places in the RACF database where the group name might appear,
and DELGROUP processing does not delete these other occurrences of the group name. For
example, the group name could be in the access list for any resource. You can use the RACF
Remove ID utility (IRRRID00) to remove all occurrences of a group name. For information
about using the RACF Remove ID utility, see z/OS Security Server RACF Security’s
Administrator’s Guide, SA23-2289.
Figure 3-27 shows sample output from the DELGROUP command, which deletes the EXPED
group:
DELGROUP EXPED
Figure 3-28 on page 56 shows sample output from the CONNECT command.
Use the CONNECT command to connect a user to a group, modify a user’s connection to a
group, or assign the group-related user attributes. If you are creating a connection, defaults
are available as stated for each operand. If you are modifying an existing connection, no
defaults apply.
To use the CONNECT command, one of the following conditions must be true:
The SPECIAL attribute
The group-SPECIAL attribute in the group
The ownership of the group
JOIN or CONNECT authority in the group
Figure 3-28 shows sample output from the CONNECT command, which connects user James to
group TEST:
CONNECT JAMES GROUP(TEST)
Figure 3-29 on page 57 shows sample output from the following REMOVE command.
You can use the REMOVE command to remove a user from a group, and to assign a new owner
to any group data set profiles that the user owns on behalf of that group.
To use the REMOVE command, one of the following conditions must be true:
The SPECIAL attribute
The group-SPECIAL attribute in the group
The ownership of the group
JOIN or CONNECT authority in the group
Figure 3-29 shows sample output from the following REMOVE command:
REMOVE JAMES GROUP(TEST)
RACF protected resources can be divided into two categories: Data sets and general
resources. General resources are all of the resources that are defined in the class descriptor
table. For example, general resources include DASD and tape volumes, load modules
(programs), terminals, and others.
RACF allows the installation to set its own rules for controlling the access to its resources by
defining what is controlled at what level. The installation can tailor RACF to interact with its
present operating environment and assign security responsibilities either on a system-wide or
a group-wide basis.
Your installation can add new CDT entries or modify or delete existing entries that you have
added in the installation-defined class descriptor table (ICHRRCDE). When you define a new
resource class, you can optionally designate that class as either a resource group class or a
resource member class. For a resource group class, each user or group of users that is
permitted access to that resource group is permitted access to all members of the resource
group. For each resource group class that you create, you must also create a second class
that represents the members of the group.
Types of profiles
We have seen what components and some of the fields we can find in a profile. We now look
at the profile and the general resource that it is protecting:
Generic This a profile where we use a masking character to allow one profile to
protect many resources. For example, if we had many data sets on the
system, which were called FEDERAL.ACCOUNTS.* we use that name
to make a generic profile to protect all those data sets.
Discrete This is where we want to protect a specific resource. This would be
used in special circumstances because many discrete profiles would
add to the administrative overhead.
Group A resource group profile where the resources to be protected are
added to this group profile via the ADDMEM parameter. This group profile
name does not need to match the resources that it protects but it has a
list of resources it does protect.
Figure 3-31 describes resource profiles.
Profiles contain:
- The owner of the profile
- The auditing parameters
- The Universal Access authority
- An access list with users and groups
- A "warning" indicator
- A security classification
- A real-time notification information
- An erase-on-scratch indication for data sets
- A volume & a unit (if data set)
- A security retention period (if tape data set)
Resource profiles are different from user profiles because resource profiles need to hold
characteristic information about the resources they protect. Here is a selected number of
fields from this type of profile to show its characteristics:
The profile owner This could be a user or a group name. This group could well be the
profile associated with a specific application. This enables us to
arrange data set protection on a functional basis.
Auditing parameters Here we specify what access attempts and also access level attempts
that we want records. Access levels come into use when we use
access levels to govern access.
Resource-to-Profile Matching
- Rule (if generic is active for the class):
• Discrete profile - If it does not exist
• Fully qualified generic profile - If it does not exist the most specific
generic profile
- Example : SALES.YEARLY.QUOTA data set => profile
1. Discrete profile
SALES.YEARLY.QUOTA
SALES.YEARLY.QUOTA ?
However, we need to consider the impact of global access checking. A user can create or
access a data set only if the data set is RACF protected by either a discrete or generic profile,
or the access is allowed by global access checking (if activated for that resource class that is
under scrutiny). RACF will use global access checking before other kinds of access authority
checks such as security label checking or access list checking.
See z/OS Security Server (RACF) Security Administrator’s Guide, SA23-2289, for more
details about how this process works.
Some of the generic profile naming for general resources has been enhanced with some of
the same concepts as generics for data set profiles as valid generic characters, as follows:
* You can have an asterisk (*) within a profile name, representing one qualifier of a
resource name, or specify * in the profile name to match more than one character in
the same position of the resource name.
** You can also use a double asterisk (**) to represent zero or more qualifiers within a
general resource generic profile or at the end of such a profile, or specify ** in the
profile name to match more than one character in the same position of the resource
name. Use of the double asterisk (**) in general resource generic profiles is not
controlled by the SETROPTS EGN option, which applies only to the data set profiles.
EGN means enhanced generic naming.
% Specify % for any single non-blank character (except a period) in the same position of
the resource name.
Use a RACF variable in a profile name to define one general resource profile to protect many
resources with dissimilar names when no resource grouping class is available. RACF
variables can be used for general resource profiles only. You cannot use them in data set
profile names. A profile that contains a RACF variable in its name is considered a generic
profile.
In Figure 3-32 on page 61, a resource manager issues a security check for the data set
SALES.YEARLY.QUOTA. Three different types of profiles can be defined in the RACF
database:
A discrete profile
A fully qualified generic profile
The most specific generic profile
The example shows that RACF looks for a profile in the order shown. If no discrete profile is
found, check for a fully qualified generic profile. If not found, find the most specific generic
profile, which is the second one in the example, SALES.YEARLY.%%%%%.
You can create a profile with a generic name when the following is true for the class of the
profile:
SETROPTS GENERIC(DATASET) option is in effect.
This option allows the creation of generic profiles and also causes RACF to use generic
profiles during authorization checking.
The ADDSD command adds a profile for the data set to the RACF database to control access to
the data set. It also places the user ID on the access list and gives ALTER authority to the
user ID unless SETROPTS NOADDCREATOR is in effect.
Each data set profile defined to RACF requires a RACF defined user or group as the owner of
the profile. The owner (if a user) has full control over the profile, including the access list.
Ownership of data set profiles is assigned when the profiles are defined to RACF. Note that
ownership of a data set profile does not mean that the owner can automatically access that
data set. To access a data set, the owner must still be authorized in the profile’s access list,
unless the high-level qualifier of the profile name is the owner’s user ID.
To allow users to have access to the data set, the PERMIT command shown specifies that
user ID JANE has only READ access to the data set, ACCESS(READ). User ID JANE now
exists in the access list for the data set profile using the PERMIT command.
Figure 3-34 on page 65 shows the data set profile access list.
• CONTROL
R
• ALTER
Meaning of each access level depends on the resource
type
Figure 3-34 Data set profile access list
How does a user ID or its group get on an access list for a resource? Normally we would use
the RACF PERMIT command to maintain a list of users and groups authorized to access a
particular resource. RACF provides two types of access lists:
Standard The standard access list includes the user IDs and group names
authorized to access the resource and the level of access granted to
each.
Conditional The conditional access list includes the user and group names
authorized to access the resource and the level of access granted to
each when a certain condition is met, such as the name of a program,
or the system it is running on matches an SMF ID.
A separate PERMIT command is needed to establish an entry in each list.
O AUDITING
--------
U
FAILURES(READ)
T
P
NOTIFY
U
--------
T NO USER TO BE NOTIFIED
NO INSTALLATION DATA
The descriptions of naming conventions are followed by rules for protecting and allocating
user and group data sets.
By default, RACF expects a data set name (and the data set profile name) to consist of at
least two qualifiers. RACF also expects the high-level qualifier of the data set profile name to
be either a RACF defined user or a RACF defined group name.
This command added a generic profile for data sets with a high-level qualifier of JAMES.*. The
asterisk (*) character is a valid generic character for more than one character in this position.
ADDSD 'JAMES.*'
Figure 3-36 on page 68 shows a sample output from the LISTDSD command, which shows the
auditing options as:
SUCCESS(UPDATE),FAILURE(READ)
O AUDITING
--------
U
SUCCESS(UPDATE),FAILURES(READ)
T
P Auditing options have
NOTIFY changed
U
--------
T NO USER TO BE NOTIFIED
NO INSTALLATION DATA
Figure 3-36 shows the output for the following command to alter the auditing options for the
previously created data set, JAMES.*:
ALTDSD'JAMES.*' AUDIT(S(U),F(R))
The command also specifies which new access attempts you want to log to the SMP data set:
SUCCESS S(U) Indicates that you want to log authorized accesses to UPDATE,
CONTROL, and ALTER.
FAILURES F(R) Indicates that you want to log detected unauthorized access attempts
at any level.
Figure 3-37 on page 69 shows how to list a data set profile matching a mask.
O
U JAMES.PRIVATE.RECORDS
discrete
T JAMES.PRIVATE.* (G)
P JAMES.* (G)
U generic
T
MASK specifies the strings of alphanumeric characters used to search the RACF database.
This data defines the range of profile names selected. The two-character strings together
must not exceed 44 characters for a tape or DASD data set name, or, for general resource
classes, the length specified in the class descriptor table.
The visual shows a SEARCH command with the search criteria, MASK.
SEARCH MASK(JAMES) CLASS(DATASET)
This command allows RACF to list profiles starting with the MASK, in this case JAMES.
A second example allows RACF to list all profiles containing the filter string.
SEARCH FILTER(JAM*.*) CLASS(DATASET)
The parameter DSNS specifies that you want to list the cataloged data sets protected by the
profile specified in the DATASET parameter. This is a usual command to show all the cataloged
data sets for the profile.
This command allows user ID Bill and the DESIGN group update access to the files protected
by the James.* data set profile. Mark, Laurie, and Walt part of the DESIGN group will have
UPDATE access, unless the access list contains their user ID with another level of access.
PERMIT 'JAMES.*' ID(PAT) ACCESS(READ)
User ID Pat now has read access to the files that are protected by the JAMES.* profile. In
Figure 3-39, we see the AUTHUSER parameter on the LISTDSD command. This provides
additional information including access statistics (if any) on the output.
INSTALLATION DATA
-----------------
NONE
The command RLIST (RL) in Figure 3-40 is used to display information of this resource profile.
Figure 3-41 on page 73 shows how to change universal access authority.
INSTALLATION DATA
-----------------
NONE
The universal access authority (UACC) is the default access to a resource if the user or group
is not specifically permitted access to the resource. The RALTER command has set the default
access to MYMUSIC to READ.
The command RLIST (RL) shows the resource profile for MYMUSIC where its class is
PROGRAM.
CLASS NAME
----- ----
PROGRAM MYMUSIC
Despite the UACC(READ) on the resource profile, MARVIN cannot access the resource
because NONE is specified in the access list. MARVIN identifies the user ID or group name,
who are RACF defined users or groups and whose authority to access the resource you are
removing.
SETROPTS command
RACF provides many system-wide options for controlling the way it works on your system.
You specify most of these options by issuing the SETROPTS command with the appropriate
operands. One example is to set the system-wide valid password interval:
SETROPTS PASSWORD INTERVAL(30)
The INTERVAL suboperand specifies the system default for the number of days that the
user’s password is to remain valid; this is the maximum change interval. The example
specifies that each user’s password remains valid for 30 days. This is an example how an
enterprise-wide policy on password expiry can be implemented.
CLASSACT parameter
When you install a new RACF system, initially only a few RACF classes are active (for
example USER, GROUP, and DATASET); other classes (for example TAPEVOL and
TSOPROC) are inactive. For example, if you want your tape volumes to be protected by
RACF, you have to activate the TAPEVOL class using the following command:
SETROPTS CLASSACT(TAPEVOL)
The classes that CLASSACT specifies must already be defined by entries in the class
descriptor table for which RACF protection is to be in effect. So, TAPEVOL must already be in
the CDT.
The following example updates the profile in the class TSOPROC dynamically:
SETROPTS RACLIST(TSOPROC) REFRESH
Note: For further information about the required authority, refer to z/OS Security Server
RACF Command Language Reference, SA23-2292. The description for each RACF
command contains a heading called Authorization required.
The following pages show some examples (but not all) of system-wide settings. They are
grouped to:
STATISTIC-related options
PASSWORD options
Data set related options
CLASS-related options
AUTHORIZATION Checking options
TAPE-related options
Other initial setup-related options
When a new RACF database is initialized, the default is STATISTICS off (NOSTATISTICS) for
all classes.
Tip: It is recommended that you keep STATISTICS off until your installation has had an
opportunity to evaluate the need for STATISTICS versus the potential impact on
performance.
For details, see z/OS Security Server RACF System Programmer’s Guide, SA23-2287.
INITSTATS is required if your installation wants to take advantage of the following options:
SETROPTS INACTIVE option
SETROPTS PASSWORD option with parameter REVOKE, HISTORY, and WARNING
If you issue the SETROPTS INACTIVE(30) command and if a user has not done any of the
following activities in 31 days, that user is considered revoked:
Logged on
Submitted a job
Changed the user’s password by any method
Attempted an unsuccessful logon
Received a directed command or output from RACF
The INACTIVE option applies also to new RACF defined user IDs if the new user ID is not
used within the number of days specified by SETROPTS INACTIVE.
Note: The user is not actually revoked. RACF revokes the user the next time the user
attempts to enter the system.
SETROPTS PASSWORD
- Allowing mixed-case passwords
- Establishing syntax rules
- Setting the maximum and minimum change interval
- Extending password and user ID processing
• warning in relation to change interval
• password and password phrase history
• revoking user IDs using consecutive incorrect passwords
or password phrases
Figure 3-45 3.43, “Password-related options” on page 78
The examples in this section show some of the SETROPTS PASSWORD suboperand, which
gives you the possibility to specify system-wide options regarding passwords. An optional
password phrase can be used. Most of the information for the password also applies to
password phrases.
Attention:
If you want to allow mixed-case passwords, be sure that mixed-case content is
permitted by your password syntax rules.
z/OS 1.7 is the first release that supports mixed-case passwords. If you share the
RACF database with earlier systems that do not support mixed-case RACF passwords
or if you use a mix of applications that do and do not support mixed-case passwords, do
not activate the SETROPTS PASSWORD(MIXEDCASE) option.
The command establishes syntax rule RULE1. Syntax rule RULE1 specifies that new
passwords must be eight characters in length, must contain vowels in positions 1, 3, 5, 6, 7,
and 8, and must contain numbers in positions 2 and 4. Thus, the password A2E9DEOM
follows the rule, and C3DFFER5 does not.
The syntax rules for password phrases are “hardcoded” but can be controlled by use of an
exit such as ICHPWX11.
Note: Your changes take effect for current users only when they change their passwords.
For new users, the changes take effect when the new user logs on for the first time.
Note: z/OS 1.7 is the first release that supports MINCHANGE. The installation default is
zero (0) days for minimum change interval. The value MINCHANGE(0) allows users to
change passwords more than once each day.
The HISTORY suboperand specifies the number of previous passwords (in the following
example, 10) that RACF saves and compares with an intended new password:
SETROPTS PASSWORD(HISTORY(10))
REVOKE specifies how many consecutive password verification attempts RACF permits
before it revokes a user ID on the next attempt:
SETROPTS PASSWORD(REVOKE(3))
Note: IBM strongly recommends that you do not deactivate enhanced generic naming
after data set profiles have been created while enhanced generic naming was active.
Note: Before activating this option, activate generic profile checking also for the DATASET
class as shown in the following command:
SETROPTS GENERIC(DATASET)
PROTECTALL also has a warning option that allows the request even though the data set is
not protected but sends a warning message to the user and the z/OS console. For example:
SETROPTS PROTECTALL(WARNING)
For further considerations on the PROTECTALL option, see z/OS Security Server RACF
Security’s Administrator’s Guide, SA23-2289.
Note: We recommend the NOADSP option because it reduces the number of data set
profiles in the RACF database. Using generic data set profiles is generally more efficient.
You can change the installation default using the following command:
SETROPTS NOADSP
Note: Because of the big impact this option can have on data processing, it might be
reasonable to specify CATDSNS(WARNING) before you plan to activate it in failure mode.
RACF internally modifies single-qualifier names by adding the high-level qualifier (in this case
myhlq) when it processes requests for the data set. The prefix must be an existing group
name and cannot be the name used as the high-level qualifier of any actual data sets or data
set profiles.
You can use the SECLEVEL suboperand to control this erase process further. This tells the
data management to erase all scratched data sets that have a security level equal to or
greater than the security level that you have, albeit indirectly. SECLEVEL suboperand is a
name and that name must be in the SECLEVEL profile in the SECDATA class. This is where
the actual security level number is obtained.
The ERASE option applies to DASD data sets only, not tape data sets, unless you set the
TAPEAUTHDSN option in the DEVSUPxx member of SYS1.PARMLIB. See “Erasing
Scratched or Release Data (ERASE Option)” in z/OS Security Server RACF Security’s
Administrator’s Guide, SA23-2289, for more information.
In these cases, if the TEMPDSN class is active, only users with the OPERATIONS attribute
can scratch any residual DFP-managed temporary data sets remaining on a volume.
Note: The user with the OPERATIONS attribute can access the data set only to scratch the
data set. No other access is allowed (such as would be allowed by READ or UPDATE
access authority to the data set).
Important: Plan carefully when to activate the TEMPDSN class to avoid a situation where
current users or jobs are using temporary data sets. Otherwise, you might cause users or
jobs to receive an ABEND.
When you share the RACF database with a downlevel system running z/OS V1R12 or
earlier, avoid activating the TEMPDSN class when current users or jobs are using
temporary data sets. It might cause users or jobs on the downlevel system to receive an
ABEND as their current access is removed.
This access check will be based solely on the user’s z/OS user ID, meaning that superuser
authority will not be used or influence the outcome of this access control check. This check is
intended to be coarse grained, in that if the user is not authorized to this profile, no further
checking will be performed. If the user is authorized to the z/OS UNIX zFS file system
container profile, the file permission bits and access control lists (ACLs) that are associated
with the individual z/OS UNIX file system objects will then govern the access to the file or
directory, as it is done today.
This coarse grained access check provides an easy means to prove during compliance audits
that a user does not have access to sensitive data that may reside within the z/OS UNIX zFS
file systems.
For a more detailed explanation, see z/OS Security Server RACF Security’s Administrator’s
Guide, SA23-2289.
Generic profile command processing is activated automatically for all classes for which
generic profile checking is activated. It is strange, but the SETROPTS GENERIC command
implicitly turns on GENCMD for the stated class.
NOGENERIC and NOGENCMD are in effect when a RACF database is first initialized using
IRRMIN00.
Tip: We recommend that you use generic profiles, if possible, to protect multiple resources
and, thus, to ease the administration. Consider issuing SETROPTS GENERIC(*) so that
generic profiles and generic command processing are usable in all classes.
If you want to perform maintenance on the generic profiles in the RACF database, you might
want to temporarily deactivate generic profile checking but allow RACF command processors
to update generic profiles. You can specify this environment with the NOGENERIC and
GENCMD operands of the SETROPTS command. The following example shows how to
specify this environment for the DATASET class.
SETROPTS NOGENERIC(DATASET) GENCMD(DATASET)
For more information about this topic, see z/OS Security Server RACF Security’s
Administrator’s Guide, SA23-2289.
For further consideration before activation of global access checking, see z/OS Security
Server RACF Security’s Administrator’s Guide, SA23-2289.
Activate in-storage profile processing (RACLIST and GENLIST)
In-storage profiles can help the administrator maximize performance of the RACF database.
RACF provides processing to activate in-storage profiles both generic and discrete, for the
classes specified. The SETROPTS operands are GENLIST and RACLIST.
Note: RACF does not allow you to specify SETROPTS GENLIST and SETROPTS
RACLIST for the same general resource class at the same time.
The RACLIST operand on the SETROPTS command copies the base segments of generic
and discrete profiles from the RACF database into storage. The profile copies are put in their
own data space.
Note: A general resource class must be active before you can activate SETROPTS
GENLIST or SETROPTS RACLIST processing for that class.
To activate refreshing of SETROPTS RACLIST processing for the TSOPROC and TSOAUTH
classes, use this command:
SETROPTS RACLIST(TSOPROC TSOAUTH) REFRESH
Restricting the creation of general resource profiles (GENERICOWNER)
RACF provides the possibility to restrict the creation of profiles in general resource classes. It
prevents the creation of a more specific profile than an existing profile. You must issue the
SETROPTS GENERICOWNER command and define a double asterisk (**) profile for the class with
yourself as the owner.
Note: We recommend that you use the NOADDCREATOR option. If the creating user
needs access to the profile being defined, access to the profile should be done separately,
and if possible, by specifying a group and not an individual user ID. This will not apply for
the DATASET and TAPEVOL classes created through RACROUTE REQUEST=DEFINE.
The user ID of any profile creator is placed on the new profile’s access list with ALTER
authority.
Note: If list-of-groups checking is activated and if a user is in more than one group and
tries to access a resource, RACF uses the highest authority that is allowed by the user’s list
of groups and the resource’s access list.
For example, if list-of-groups processing (SETROPTS GRPLIST option) is active, and user
JAMES is connected to groups MFG and DESIGN, and MFG group is permitted access to
FILE1.ACCOUNTS with ACCESS(NONE), DESIGN group is permitted with
ACCESS(READ), and JAMES is not explicitly permitted, then JAMES’s effective access to
FILE1.ACCOUNTS is READ.
Tip: We recommend that you use the GRPLIST option because it eases administration
and minimizes the number of times the user might have to log off and log back on to
access resources.
When program control is active, RACF provides access control to load modules, and program
access to data sets and SERVAUTH resources.
Access control to load modules allows only authorized users to load and execute specified
load modules (programs). RACF uses profiles in the PROGRAM general resource class to
control access to programs. By protecting load modules, the installation can establish controls
over who can run certain programs. A program protected by a profile in the PROGRAM class
is called a controlled program.
Program access to data sets allows an authorized user or group of users to access specified
data sets with the user’s authority to execute a certain program. That is, some users can
access specified data sets at a specified access level only while executing a certain program.
Program access to SERVAUTH class resources allows an authorized user or a group of users
to access certain IP addresses with the user’s authority to execute a certain program. That is,
some users can access specified IP addresses at a specified access level only while
executing a certain program.
Note: We recommend that you implement the general resource class PROGRAM from a
security point of view. There are many system programmer-related programs, for example
AMASPZAP or some RACF utilities, which should not be used by unauthorized users.
For details about program control, see z/OS Security Server RACF Security’s Administrator’s
Guide, SA23-2289.
The following command sets the TERMINAL class of resource in RACF to an active,
system-wide status:
SETROPTS CLASSACT(TERMINAL) TERMINAL(READ)
All subsystems that use RACF to control access to terminals now have terminal checking
active when this command is issued. The READ option of the TERMINAL operand indicates
how RACF is to view terminals that are not defined to RACF. READ indicates that if RACF
cannot find a profile for that terminal, access to the terminal is to be allowed.
Attention: Before you specify NONE, be sure that you define some terminals to RACF and
give the appropriate users and groups proper authorization to use them. Otherwise, no one
can log on to your system.
If your installation uses dynamic IP addresses instead of static VTAM defined terminal names,
it is not easy to administer profiles in the RACF class TERMINAL.
RACF allows you to establish access requirements for both tape data sets and tape volumes.
NOTAPEDSN is in effect when a RACF database is first initialized using IRRMIN00. In this
case, RACF cannot protect individual tape data sets, although it can protect tape volumes.
If both the TAPEVOL class and TAPEDSN are active, RACF maintains profiles in both the
TAPEVOL and DATASET classes. Data fields within these two profiles (data set name in the
TAPEVOL profile and volume serial in a discrete data set profile) link the two profiles to each
other. The following example shows how to activate tape volume protection:
SETROPTS CLASSACT(TAPEVOL)
Note: If your installation has a tape management system, you might consider running with
TAPEDSN active and TAPEVOL inactive. In this case, your tape management system, not
RACF, maintains tape volume security and controls access to tape volumes.
The RACF security retention period is stored in the data set profile (specified using the
RETPD operand on the ADDSD or ALTDSD command). If the data set profile does not contain a
security retention period, look at one of the following:
1. For discrete profiles, RACF uses the creation date stored in the TVTOC and the default
security retention period established by your installation using the RETPD operand on the
SETROPTS command.
2. For generic profiles, RACF uses a zero value. This results in the data set being expired.
For generic profiles, the default security retention period is not checked. Therefore, you
must ensure that all generic profiles that protect tape data sets include a retention period.
(Make sure to specify the RETPD operand on the ADDSD command for generic profiles.)
The security retention period (RETPD) for a tape data set is a number that you specify; nnnnn
must be one to five digits in the range of 0 - 65533. To indicate a data set that never expires,
specify nnnnn as 99999.
Figure 3-50 on page 90 shows RVARY and other options for initial setup.
Authorization required
Unlike the SETROPTS command, the RVARY command needs no special user attribute for the
submitting user ID. However, the operator (at the operator console or security console) must
approve the RVARY command unless it is an RVARY LIST before RACF allows the command
to complete.
If the RVARY command changes RACF or its database status (ACTIVE/INACTIVE), RACF
issues an informational message, and the operator is required to enter the password that is
defined by SETROPTS RVARYPW STATUS(status-pw) to authorize the change.
If the RVARY command switches the RACF data sets (SWITCH) or changes the RACF
operating mode (DATASHARE/NODATASHARE), RACF issues an informational message,
RACF allows you to specify separate passwords for switching the databases and for changing
RACF status. The following example specifies HAPPY as the switch password and RABBIT as
the status password:
SETROPTS RVARYPW(SWITCH(HAPPY) STATUS(RABBIT))
When RACF is first initialized, the switch password and the status password are both set to
YES. Most auditors know to test if the installation has changed these passwords.
These are important settings to impose controls on entities submitting jobs for processing on
z/OS. From forcing all incoming users to be validly present on the system to assigning a value
to those undefined users that attempt access (instead of “++++++++” you could have them
reported as “UNKNOWN” because this may be more useful).
This section describes the auditor control options that refer to security events with RACF
commands.
You deactivate logging for a class by using the NOAUDIT operand. NOAUDIT(*) is in effect
when RACF is using a newly initialized database.
Note: If you activate auditing for a class using SETROPTS AUDIT, RACF activates auditing
for all classes in the class descriptor table that have the same POSIT value as the class
you specify. For details, see z/OS Security Server RACF Command Language Reference,
SA23-2292.
If you decide to bypass logging of all violations that are detected by RACF commands (except
RVARY and SETROPTS, which are always logged) during RACF command processing, you
can specify the NOCMDVIOL operand on the SETROPTS command as shown in the following
example:
SETROPTS NOCMDVIOL
Tip: We recommend that you specify SAUDIT because of the powerful commands a
SPECIAL user can submit. You can then use the RACF report writer to produce audit
reports.
If you decide to bypass this logging (for example, if you are concerned only with how
SPECIAL users change profiles and you have AUDIT(*) in effect), you can use the following
command:
SETROPTS NOSAUDIT
Tip: OPERAUDIT might be useful if you decide to remove the OPERATIONS attribute and
give those users access through the normal access list. You can then use the RACF report
writer or other auditing tools to produce a report on this event.
In this case, auditing is done every time that a user logs on at any terminal on the system,
regardless of whether that terminal is protected by a profile and regardless of whether that
profile specifies auditing. You can specify that auditing be done for the following conditions:
ALWAYS All attempts to access resources protected by the class are audited.
NEVER No attempts to access resources protected by the class are audited. (All
auditing is suppressed.)
SUCCESSES All successful attempts to access resources protected by the class are
audited.
FAILURES All failed attempts to access resources protected by the class are audited.
DEFAULT Auditing is controlled by the profile protecting the resource, if a profile exists.
You can specify DEFAULT for all classes by specifying an asterisk (*) with
DEFAULT.
Note:
The SUCCESSES and FAILURES operands result in auditing in addition to any
auditing that is specified in profiles in the class. In contrast, the ALWAYS and NEVER
operands override any auditing specified in profiles in the class.
When RACF grants access to a resource because of an entry in the global access
checking table, RACF does not log the event even if you request logging.
If RACF is enabled for sysplex communication and the system is in read-only mode, users on
that system can issue the SETROPTS LIST command. All other operands are ignored.
You must have the RACF SPECIAL, AUDITOR, group-SPECIAL, or group-AUDITOR attribute
to enter the LIST operand.
If you have the SPECIAL or group-SPECIAL attribute, and not the AUDITOR or
group-AUDITOR, RACF displays all operands except the auditing-related operands.
RACF monitoring
Security Server RACF routes system operator messages to a system console or a security
console. The message suffix indicates if an action is required:
1. A: An action is required, the operator must perform a specific action.
2. D: A decision is required, the operator must choose an alternative.
3. E: An eventual action is needed to be done.
4. I: This is an informational message and no action is required.
5. W: It is a wait, and processing for this task stops until action is determined and performed.
The example in Figure 3-55 on page 99 shows a sample RACF message on the system
console. Because the number of violations for a large network can be high due to misspelled
passwords, transaction codes, and commands, you can specify a threshold for notification.
The master terminal is not notified until the specified number of violations occurs without a
valid input from a given terminal. You specify one to three invalid entries as the violation limit,
eliminating or reducing the number of notifications that are caused merely by operator error,
while still providing evidence of real attempts to avoid security safeguards.
Immediate
Immediate notification
notification ofof security
security events
events
Examples
Examples::
This message is issued when RACF detects an unauthorized request (a violation) made by a
user or job. The user and group indicated in the first line of the ICH408I message are the
execution user ID and group ID under which the job was to run.
The message in Figure 3-56 shows who the user ID is. If the user ID is shown as the form of
“**nnxxxx”, such as “**01XUSR”, the user ID identifies an identity context reference, not a
RACF user ID.
For the “what”, we look at the explanatory text within the message, which shows these causes:
1. User ID JAMES entered an invalid password at a terminal
2. User ID JAMES exceeded the number of times an invalid password entry is permitted and
is revoked
3. User ID JAMES tried to access a data set to read it but was not allowed to do so
Detailed information about the violation is available in the SMF type 80 record that RACF
produces at the same time as this message.
Examples:
- Invalid RACF operations:
ICH408I USER(JAMES ) GROUP(MFG ) NAME(BROWN JAMES )
FULL VIOLATION ON COMMAND ALTDSD
This message alerts a RACF user that an access violation has occurred against the indicated
resource. This message is routed to the user specified in the NOTIFY field of the resource
profile that denied the access.
Auditing Tools:
- SMF Data Unload Utility (IRRADU00)
- RACF Report Writer (RACFRW)
- Data Security Monitor (DSMON)
- RACF Data Unload Utility (IRRDBU00)
Figure 3-58 RACF auditing tools
These security log records are commonly called SMF records; some types include:
Type 80 Produced during RACF processing.
Type 81 Produced at the completion of RACF initialization and from the
SETROPTS command.
Type 83 Produced during RACF and z/OS component processing. The type 83
record is also generated under the following circumstances:
SETROPTS MLACTIVE is in effect and a RACF command (ADDSD,
ALTDSD, DELDSD) has been issued that changed the security label of a
data set profile. Also, from security events detected by non RACF
components.
You can list the contents of these records to help you to detect possible security exposures or
threats and verify the security of the system.
You can process complex inquiries and generate custom-tailored reports from the output of
the SMF data unload utility. These reports can be useful in identifying suspicious patterns of
access by authorized users that another program might miss. Because data is more often
misused by authorized users than stolen by unauthorized users, reports such as this are
essential to security.
If the OUTDD format is not suitable, see the z/OS Security Server RACF Auditor’s Guide,
SA23-2290, about how to set up XMLFORM DD (output data in XML format) or XMLOUT
(output data in compressed XML format), and other information about this data unload utility.
MAN2 is the active SMF data set. The output file in this example is
KEWITT.RACF.IRRADU00.
Note: Due to restrictions of the SMF dump utilities, IRRADU00 and IRRADU86 must
reside in an APF-authorized library.
Note: The report writer is no longer the recommended utility for processing RACF audit
records. The RACF SMF data unload utility is the preferred reporting utility. The report
writer does not support all of the audit records introduced after RACF 1.9.2.
.../...
The RACF report writer can also be run from the TSO command line using the RACFRW
command. In the example shown in Figure 3-63, the SMF data is to be found in the RSMFIN
DD statement.
Figure 3-64 on page 106 shows the RACF data security monitor (DSMON).
RACF auditors can use the DSMON reports to evaluate the level of security at the installation
and to compare the actual level of security at an installation with the planned level of security.
If the installation has not defined ICHDSM00 (DSMON) as a controlled program, you must
have the AUDITOR attribute to run DSMON.
DSMON reports
DSMON produces the reports that are shown in Figure 3-65 on page 107.
The job control to produce these reports is straightforward. You can specify DSMON control
statements to produce the reports that you want and control the number of lines per page for
each report. The output from DSMON consists of a message data set and an output data set
for the reports. This is shown in the JCL in Figure 3-67 on page 108, which produced a
system report. Refer to z/OS Security Server RACF Auditor’s Guide, SA23-2290, for the full
description.
1 SYS1 (IBMUSER )
|
2 | AOPADMIN (ROGERS )
|
2 | AOPOPER (ROGERS )
|
2 | ARADMIN (ARUN )
Figure 3-68 Small portion of the FUNCTION RACGRP report
You can use the program properties table report to verify that only those programs that the
installation has authorized to bypass password protection are, in fact able to do so. Such
programs are normally communication and database control programs and other system
control programs. These are what are called trusted resource managers.
You can also verify that only those programs that the installation has authorized are able to
run in a system key. So if we use a FUNCTION SYSPPT control statement, we obtain the
report as shown in Figure 3-69 on page 109.
You can use this report to verify that only those programs that are supposed to be authorized
to modify an ACEE (accessor environment element) are able to issue a REQUEST=VERIFY.
This verification is a particularly important security requirement because the ACEE contains a
description of the current user. This description includes the user ID, the current connect
group, the user attributes, and the group authorities. A program that is authorized to issue
REQUEST=VERIFY could alter the ACEE to simulate any user.
You can also use this report to verify that only those programs that are supposed to be
authorized to access profiles are able to issue REQUEST=LIST. Because profiles contain
complete descriptions of the characteristics that are associated with RACF defined entities,
you must carefully control access to them.
Note: IBM does not recommend using the RACF authorized caller table.
You can use the class descriptor table report to determine which classes (in addition to
DATASET) are defined to RACF and active and, therefore, can contain resources that RACF
protects. So if we use a FUNCTION RACCDT control statement, we obtain the report as
shown in Figure 3-70 on page 110.
It should be noted in this report that none of the active classes are being audited. Normally it
would be expected that auditing is active for these classes.
You can use the RACF exits report to verify that the only active exit routines are those that
your installation has defined. The existence of any other exit routines might indicate a system
security exposure because RACF exit routines can be used to bypass RACF security
checking. Similarly, if the length of an exit routine module differs from the length of the module
when it was defined by your installation, the module might have unauthorized modifications.
Because global access checking allows anyone to access the resource at the associated
access authority, you should verify that each entry has an appropriate level of access
authority.
For started procedures, RACF generates two reports about the started procedures table.
If the STARTED class is active, the report uses the STARTED class profiles and contains the
TRACE attribute. The trace uses module ICHDSM00.
The reports list the procedure name, the user ID, and group name to be associated with the
procedure, and whether the procedure is privileged or trusted.
You can use the report to determine which started procedures are defined to RACF, and
which have the privileged attribute. If a started procedure is privileged or trusted, it bypasses
all REQUEST=AUTH processing (unless the CSA or PRIVATE operand was specified on
REQUEST=AUTH), including checks for security classification of users and data.
You can use this report to verify that only those users who need to be authorized to perform
certain functions have been assigned the corresponding attribute.
So if we use a FUNCTION RACUSR control statement the following report is also produced
as shown in Figure 3-75.
You can use the selected data sets report to determine which of these data sets are protected
by RACF and, which are not. You can also check whether the UACC associated with each of
the data sets is compatible with your installation's resource access control requirements.
The available Selected Data Sets Reports reports are listed here:
SYSLNK All LNKLSTxx data set members of the SYS1.PARMLIB library.
SYSAPF Current Link List Data Set Report showing authorized program facility
(APF) libraries.
SYSCAT Selected Data Sets listing the Report Master catalog and all user
catalogs.
RACDST Report showing primary and backup RACF databases.
SYSSDS Selected system data sets.
USRDSN Selected user data sets report (used with USEROPTS control
statement).
Figure 3-76 on page 114 shows the RACF database unload utility.
The output file from the database unload utility can be:
Viewed directly
Used as input to your own programs
Manipulated with sort and merge utilities
Used as input to a database management system
You can use the DB2 load utility or its equivalent to process the records that are produced by
the database unload utility. The definition and control statements for loading the database
unload utility output into a DB2 table space is shipped with z/OS in the
SYS1.SAMPLIB(RACDBUTB) member.
When the utility runs, it writes a log of its activities to SYSPRINT, as shown in Figure 3-77 on
page 115.
The data written to the sequential file can be viewed directly as shown in Figure 3-79.
JAMES MFG
JAMES MFG 2013-07-24 ADMUSERS NONE 00000 NO NO
JAMES 2013-07-24 ADMUSERS NO NO NO YES NO 090 BROWN JAMES
Figure 3-79 Small extract from database unload sequential data set
RACF authorization checking processes the dynamic CDT as a logical extension of the static
CDT. The following tasks are used for adding and changing dynamic classes:
Use the RDEFINE and RALTER commands to define and modify attributes of CDT class
profiles.
You use the SETROPTS RACLIST(CDT) and SETROPTS RACLIST(CDT) REFRESH
commands to build entries in the dynamic CDT.
These commands effectively transform CDT profiles into RACF classes. The names of RACF
classes created in this way (dynamic classes) can be used in RACF commands and the
RACROUTE macro, just as you would use any other RACF class name.
When adding entries, the choice is to share a position ID with an existing entry or creating a
unique position ID. When a POSIT value is shared between two or more classes, certain
RACF processing options are controlled in the same manner (simultaneously) for all classes
with the shared POSIT value.
For example in Figure 3-81, either one of the following commands to refresh RACLISTed
profiles in both the HORSES8 and PONIES8 classes will perform both actions as they both
have the same POSIT value.
@GILL
MYCLASS
MYCLAS8
NEWCLASS
WBEM
Figure 3-82 CDT profiles listed
A clean environment is one in which only programs defined in the PROGRAM class have run.
For the functions listed above, except for simple controls, RACF requires a clean
environment.
You can specify the mode through the IRR.PGMSECURITY profile in the FACILITY class.
Define the profile and specify the APPLDATA operand as:
“BASIC” for RACF to operate in BASIC program security mode.
“ENHANCED” for RACF to operate in ENHANCED program security mode.
Empty, or any value other than “BASIC” or “ENHANCED”, for RACF to operate in
ENHANCED-WARNING program security mode.
If you do not define this profile, RACF operates in BASIC program security mode.
To restrict a user’s ability to run programs, you might need to protect the program library so
the user cannot read from it. In some cases, you do not need to provide special protection for
the program library, other than ensuring that general users cannot update it.
To restrict a user or a group from executing a particular program, you can define a profile for
that program in the PROGRAM class and issue the PERMIT command to specify an access
level of NONE for the program. You can then grant access to those users who actually need to
execute the program READ access to the profile protecting the program.
To restrict a user or group from reading or copying a program but allow execution of a
program, you can grant the user or group EXECUTE authority in the access list for the
program library.
Let us look at authorization checking for access control to data sets. The normal authorization
checks apply in RACF:
Is the UACC sufficiently high?
Is this user’s ID on the access list for the data set profile with sufficient authority?
If a user is not granted access via normal authorization checks and program control is
active, further checks are made. RACF authorizes the user to open the program-accessed
data set with the currently executing program if all of the following conditions are met:
– The conditional access list contains the name of the currently running program, the
name of the first program currently running in the current task (TCB), or the name of
the first program currently running in a parent task, with the requested level of access
or higher.
First we consider the open case. Typically this would be at the start of an application. Some
programs may well expect the data set to be open already and rely on earlier processes to
have done so. When the request to open an execute-controlled library is made if EXECUTE is
the highest access authority given to the dataset, RACF deems the request a failure. But the
system will not fail it and allows the open to proceed. Then it sets a flag in the data set’s
control block that the user only had EXECUTE access authority.
Now the user can attempt to execute the program (or the program is fetched) from the
execute-controlled data set:
RACF checks if it is a controlled environment. If not, RACF does not allow a program to be
fetched into such an environment.
If ENHANCED mode is in use, further checks are undertaken such as ensuring the
initiating program in this address space has the correct attributes and thus is not an
interloper.
Note: EXECUTE access authority has meaning only for a partitioned data set that is used
as a program library. If you specify EXECUTE for any other type of data set (such as a
CLIST or EXEC), effectively the user will have an access authority of NONE.
Program signing
RACF provides the capability to check if a program has undergone any unauthorized
changes. It does require the program to be built in a special way and for a number of setup
steps for RACF for this capability to be operational.
Note: RACF supports program signing and verification only for program objects, which are
modules stored as members of a partitioned data set extended (PDSE) library.
The developers of an application might want to protect against any chance of their load
modules (programs) being altered. By using the process of signing their programs, they can
ensure only valid, unchanged versions of the programs are being executed.
It is a reasonably complex process from the supply of the certificate, setting up specific RACF
profiles and then creating the program object. It many cases this may well be done by
independent software vendors (ISVs).
Again, the process is non-trivial and does require use of certificates and addition of profiles.
We see that for signed programs, the PROGRAM profile will have a SIGVER segment
containing signature verification options. We need to consider what actions are to flow if a
signed program is not able to be verified. If it is a critical business application, it would be
prudent to have a tested recovery procedure to minimize the impact.
To understand this program signing process in a detailed manner, see z/OS Security Server
RACF Security’s Administrator’s Guide, SA23-2289.
In a multisystem RRSF, one of the z/OS systems is called the main system as this will receive
the bulk of the RRSF traffic; the others are called nonmain systems. This is depicted in
Figure 3-86 on page 122.
Within RRSF, a local node is a node in relation to how the description of the activity is stated.
A security administrator on system MVSX will refer to NODEX as their local RRSF node and
other nodes are deemed remote nodes. This is also shown in Figure 3-86.
User ID associations
User ID associations can be established to other RRSF nodes across the RRSF network.
They can perform the following functions:
Link or associate two user profiles on the same RRSF node or different RRSF nodes.
Enable password association between user IDs on local and remote RRSF nodes that
have the same owner and user.
Direct commands (most but not all RACF commands) to run on other user IDs for which
directing user IDs has an appropriate association.
Various types of user ID associations can exist between user IDs, such as:
Peer The peer user ID association is between two user IDs on the RRSF
network. Either can issue RACF commands under the authority of the
other. Password synchronization is allowed in peer associations and
either user ID can delete the association.
Managed The managed user ID association is where one user ID is the
manager. The manager user ID can direct RACF commands to
managed user IDs. It is a one-way communication. However, these
user IDs run these commands under their authority not of the
managing user ID. Password synchronization is not permitted and any
of the user IDs can delete the association.
A peer user ID association is shown in Figure 3-87.
Command direction
Command direction allows you to maintain remote RACF databases by using the AT keyword
on specific RACF TSO commands. After a user ID association is established, RACF users
can use the AT keyword to direct specific RACF TSO commands. These commands run in the
RACF subsystem address space of the specified target node under the authority of the
specified target user ID. Output produced by the command is captured by RRSF and written
to the RRSFLIST user data set of the user ID that issued the command.
Tip: The naming convention for RRSFLIST data set is USERID.RRSFLIST. If ADMINA is
the user ID, the RRSF data set name is ADMINA.RRSFLIST. For each user ID, RACF
creates such a data set or uses a pre-allocated data set, if it exists.
Before RRSF sends the command to the target node, RACF checks whether the command
issuer is authorized to run command direction for the specified target node. This process uses
the RRSFDATA RACF class.
Figure 3-88 shows how the command issued by a user ID from RRSF node (Node A) to
remote RRSF node (Node B) is sent. It also shows how the output is returned to the user ID
that issued the command. There is no point issuing a remote command if the output is not
returned showing the output from the command invocation.
1 z/OS UNIX System Services: RRSF makes UNIX System Services socket API calls to
TCP/IP.
2 TCP/IP: The communication vehicle for exchanging data between the RRSF nodes.
4 Secure Sockets Layer (SSL): AT-TLS uses SSL to authenticate the RRSF nodes.
5 RACF: The resources used for RRSF are protected by RACF profiles.
7 RRSF itself.
Setting up RRSF over TCP/IP consists of the following steps:
1. Enable the RACF component of the z/OS Security Server.
2. Activate the RACF subsystem address space.
3. Requires the use of sockets, which requires UNIX System Services, to use TCP protocol.
Add the following objects:
a. OMVS segment and UID to RACF subsystem user ID
b. OMVS segment and GID to the default group of RACF subsystem user ID
The details mentioned here are explained in great detail in z/OS Security Server RACF
Security’s Administrator’s Guide, SA23-2289.
The first point would be to ensure that all batch jobs have RACF identification. So, any batch
job will require an explicit user ID and password on the JOB statement or it is supplied
through a propagated user ID (for example, the user ID who submitted the job). This RACF
command will ensure that this checking will occur. See Figure 3-91.
SETROPTS JES(BATCHALLRACF)
Figure 3-91 RACF command to ensure a check RACF identification
RACF groups would be used to assign personnel to functional groups that would cover:
Who can issue JES commands.
Assign users to specific terminals, so a shift operator could use the MCS console.
Who can update system data sets owned by JES.
In Figure 3-92, there is no explicit JOB, PASSWORD, and GROUP parameter, so the RACF
user ID who submitted this job will be a propagated user ID for the purposes of checking
access authorization.
In the example shown in Figure 3-93, we have an explicit user ID and password. This pair will
be used to authenticate and authorize access.
Note: This does not cover SMS data classes; they do not require RACF protection.
1. Initially, we would activate these specific SMS general resources in RACF. See
Figure 3-94.
2. Use the RDEFINE command to define the required RACF SMS classes to create the
protective profiles. In our example, SMS has an SMS storage class called STORE1, so we
define and ensure no ordinary user can access with a UACC(NONE). See Figure 3-95.
3. Now we can permit access. In this case, we allow GROUP KGN read access. See
Figure 3-96.
An alternative approach would be to define the STORE1 profile with a UACC(READ) and the
use the PERMIT command to exclude access.
Performance issues are now considered. We have choices based on the likely number of
requests to RACF for access for the SMS classes. So for SMS resource classes that you want
access to by all users, create an entry in the global access checking table as depicted in
Figure 3-97.
You can, of course reduce I/O to the RACF database by using the SETROPTS RACLIST
command to keep this information in storage. This is demonstrated in Figure 3-98.
Let us see how we can explain this interaction. The DFP segment in the data set profile holds:
An SMS data class value with attributes about the data set allocation.
An SMS management class with attributes about migration and backup of the data set.
An SMS storage class with attributes related to space, device, and volume.
So how can we map that to user and group profiles? In each DFP segment for these types of
profiles, we have:
DATAAPPL This is an identifier for a DFP data application identifier
DATACLAS Default data class
MGMTCLAS Default management class
STORCLAS Default storage class
Note: RACF does not control access for DATAAPPL or DATACLAS. However, the values
you specify in these fields should be defined for use on your system.
This is shown in this group list (Figure 3-100) using the LISTGRP with the DFP parameter.
DFP INFORMATION
---------------
MGMTCLASS= SECURE
STORCLASS= PRIME
DATACLAS= ACCOUNTS
DATAAPPL= FINANCE
Figure 3-100 DFP segment listed
The ability to add DFP segment data is covered in the RACF commands that deal with users
and groups. They are ADDUSER, ALTERUSER, ADDGROUP, and ALTGROUP. When adding
MGMTCLAS and STORCLAS values into a DFP segment, remember they must already be
defined as profiles in their matching general resource classes. There we must have profiles
for SECURE and PRIME defined.
This is shown here with this command in Figure 3-101. We created a data set profile with a
RESOWNER value.
A display of the group and the DFP segment shows the value of ENGINE1 in Figure 3-102.
Do not confuse the owner of the profile DESIGN with the RESOWNER, which indicates the
entity who represents the data set owner for data set allocation purposes.
AUDITING
--------
FAILURES(READ)
NOTIFY
--------
NO USER TO BE NOTIFIED
NO INSTALLATION DATA
DFP INFORMATION
---------------
RESOWNER= ENGINE1
Figure 3-102 List of group and its DFP segment
SMS needs to be told to use RACF to acquire DFP segment data and this is performed by
settings in SYS1.PARMLIB. Refer to z/OS DFSMSdfp Storage Administration, SC23-6860 for
information about how to accomplish this.
SMS calls RACF to determine the owner of an SMS-managed data set and acquire the DFP
attributes and uses them as input to the automatic class selection (ACS) routines if
performing an allocation of the data set. It will also check that the owner (RESOWNER) has
read access to (that is, allowed to read) the MGMTCLAS and STORCLAS RACF classes.
RACF can be set up also to control access at the field level and this can be applied to fields in
the DFP segment. Figure 3-103 on page 131 shows an example for the RESOWNER field in
the DFP segment.
Additionally RACF can be used to protect SMS resources, as the operation of SMS does
require only authorized users to perform its functions. Refer to z/OS DFSMSdfp Storage
Administration, SC23-6860, and z/OS DFSMSdfp Storage Administration, SC23-6870.
TSO/E
For a TSO user, they need to have a user ID in the RACF database and in addition a TSO
segment defined as well. We use the term TSO in this text rather than TSO/E.
Note: Without RACF, TSO users normally required an entry in the SYS1.UADS data set.
RACF replaces that requirement. However, some user IDs (for example, IBMUSER) should
be retained in SYS1.UADS for those times when RACF is inactive.
We have several areas within TSO to protect using RACF. Now that we have a TSO segment
with the USER profile, we must consider protecting the general resource CLASS that they
refer to:
TSOPROC To protect from users modifying the defined logon procedures
ACCTNUM No change allowed to the account number unless authorized to do so
PERFGRP Control over the assigned performance group
TSOAUTH Exercise some control over what TSO authority can be exercised
To bring this to an active state, we would issue the command shown in Figure 3-104.
As an example, let us assume we want user ID JAMES to be able to use a specific TSO logon
procedure and no one else is allowed. This is a logon procedure created for one specific user
ID. We add a profile LOGJAMES to the TSOPROC CLASS and ensure no other access
permitted by ordinary users by having a UACC(NONE), shown here in Figure 3-105 with a
refresh of the TSOPROC class in-storage.
This should map to the TSOPROC field in the TSO segment for the user ID JAMES, as shown
in Figure 3-106 on page 132, which was produced by the command LISTUSER JAMES TSO.
Using the command in Figure 3-108, we are shown how the OMVS segment has been
updated to hold the UID value along with the initial directory path name and the program
path name.
And in Figure 3-110, we see the contents of the OMVS segment using the LISTGRP
command.
Note: It is recommended that the same GID value not be assigned to more than one
group. This is important because within z/OS UNIX security checks all groups with the
same GID are treated the same and therefore any security difference between the groups
is lost.
RACF can be deployed to prevent the occurrence of shared UIDs and GIDs as they result
in the loss of user accountability and decreased security. In order to do this RACF is used
to establish a checking process, a list capability, and an automatic assignment of unique
IDs:
– Define a SHARED.IDS profile in the UNIXPRIV class and ensure it has RACLIST
issued against it, as in Figure 3-111.
– As an exception, you can create a shared ID (for example, for UID 0) but you must use
the SHARED parameter when adding to altering a user or group. An example for user
– Use the RACF command to search for specific UID or GIDs, as the example in
Figure 3-113 shows.
– RACF will automatically generate and assign a unique UID for each user and a unique
GID for a group. This can be done in several ways:
• An explicit action to assign a unique UNIX identifier is performed by the use of
OMVS(AUTOUID) and OMVS(AUTOGUID) parameters in RACF commands for
users and groups respectively as illustrated in Figure 3-114 along with the
subsequent message showing the new UID value being assigned.
• In the case where users are requesting z/OS UNIX services and do not have an
OMVS segment, when their user security environment is being built, RACF can
assign a unique UNIX identity. This does require a reasonable amount of setup;
references to this are in z/OS Security Server RACF Security’s Administrator’s
Guide, SA23-2289.
– Resource names within the UNIXPRIV class are associated with z/OS UNIX privileges.
By defining profiles in the UNIXPRIV class, you can protect these resources by
requiring a RACF authorization to allow the grant of such z/OS privileges. In addition,
this gives flexibility to the security administrator, who may allocate such z/OS UNIX
privileges as needed without having to resort to assign superuser authority.
• Essentially you create these resource profiles within the UNIXPRIV class and then
map groups and users to them so they only have required privileges. As an
example, consider how we can give certain users or group the ability to change the
owner ID or group ID associated with a file in z/OS UNIX. The example shown in
Figure 3-115 authorizes users associated with group MFG to transfer ownership of
any file.
Authentication
Authentication is one of the primary requirements to establish trust in e-business
transactions. The industry is looking for strong authentication and for standardization of the
authentication mechanisms. Strong authentication uses cryptography. Two prevalently
mechanisms exist today for strong authentication in a distributed environment. They differ by
the kind of cryptographic algorithms that they use, which is also their domain of application.
Cryptography
Security in communications over a non-secure network requires the use of cryptographic
procedures. If you send data in the clear over a network that is not completely under your
control from the receiver to the sender, you cannot assure the following security functions:
Privacy: Anyone who is able to intercept your data might be able to read it.
Integrity: An intermediary might be able to alter your data.
Accountability or non-repudiation: It might be impossible to determine the originator of a
message with confidence, and the person who sent the message can disclaim being the
originator.
Security functions such as identification and authentication are also impacted because if
authentication data such as passwords is sent without integrity and privacy, they can be
intercepted in transit between sender and receiver, making the authentication compromised
and worthless.
With these ciphers, it can be assumed that a brute-force attack is the only means of breaking
the cipher. Therefore, the work factor depends on the length of the key. If the key length is n
bits, the work factor is proportional to 2**(n-1).
Asymmetric encryption algorithms, commonly called Public Key Cryptosystems, are based on
mathematical algorithms. The basic idea is to find a mathematical problem that is very hard to
solve.
Note: Diffie-Hellman keys cannot be stored RACF but can be retrieved from a PKCS #11
token. PKCS means Public Key Cryptographic Standard.
Digital signatures
Digital signatures are an extension to data integrity. While data integrity only ensures that the
data received is identical to the data sent, digital signatures go a step further. Digital
signatures provide non-repudiation, which means that the sender of a message (or the signer
of a document) cannot deny authorship, similar to signatures on paper.
Digital certificates
The application of public-key technology requires the user of a public key to be confident that
the public key belongs to the correct remote person or system with which an encryption or
digital signature mechanism is used. This confidence is obtained by using public-key
certificates. A digital certificate is analogous to a passport: the passport certifies the bearer’s
identity, address, and citizenship. The concepts behind passports and other identification
documents, such as drivers licenses, are very similar to those that are used for digital
certificates.
Identification documents are issued by a trusted authority, such as the government passport
office or Department of Motor Vehicles. A passport is not issued unless the person who
requests it can prove identity and citizenship to the authority. Specialized equipment is used
in the creation of passports to make it very difficult to alter the information in it or to forge a
passport altogether. Other authorities, for example the border police in other countries, can
verify a passport’s authenticity. If they trust the authority that issued the document, the
information contained in it is accepted as true.
The digital signature of the certificate authority serves the same purpose as the special
measures taken for the security of passports, such as laminating pages with plastic material,
which allows others to verify the authenticity of the certificate. Using the public key of the
certificate authority, the MIC can be decrypted. The message digest can be re-created. If it is
identical to the decrypted MIC, the certificate is authentic.
Trust is a very important concept in passports as well as in digital certificates. In the same
way as, for example, a passport that is issued by some governments, even if recognized to be
authentic, might not be trusted by US authorities. Therefore, each organization or user must
determine which certificate authorities can be accepted as trustworthy.
Authorize -
Request fulfillment of
request
Fulfillment
Revoke Used by
or owner
Renew
Figure 3-118 Overview of digital certificate
When compared to other known means of strong authentication, digital certificates (and the
underlying public key cryptography algorithm) appear to be probably the best solution to the
However, the use of digital certificates, over the Internet or in an intranet environment,
requires a supporting public key infrastructure (PKI), which is the set of services, tools, and
policies that enable the use of public key cryptography and management of keys and
certificates in a PKI domain. The certificates and the associated key pairs are expected to
have a lifecycle as described in Figure 3-118 on page 138.
During its normal lifecycle, a certificate is set to expire after a certain validity period that is
indicated in the certificate at its creation. The supporting PKI must then provide a way to
renew the certificate, keeping the same certificate but with a new validity period and a new
certificate serial number. This is the renewal phase.
But how does a certificate on z/OS in a client/server application on z/OS, where z/OS can be
either client or server, provide for a secure connection?
Each end of the application has their own certificate with a matching private key and a list
of trusted CA certificates.
The client needs to authenticate itself to the server and the server might also want to
authenticate itself to the client.
An exchange of certificates takes place.
Client and server separately validate the other’s certificate:
– Checks if signature is valid
– Subject name in the certificate is correct
– And the certificate was signed by a trusted certificate authority
Key sizes
Key sizes are a rather complex mix of issues as we deal with different key lengths depending
on the algorithm used to create the private keys. Also, United States government export
regulations impose a maximum key size. This can be controlled by RACF and non-RACF
code in z/OS.
Normally the key length is an indicator of strength of a key, strength being the ability to deny
anyone from using cryptanalysis to decode any encrypted data without using the private key.
With newer algorithms, a shorter key length of the elliptical curve cryptography (ECC) is
possible.
As an example, an RSA 1024 bit key size is comparable to an ECC 192-bit key size.
When RACF signs a certificate, it needs to use a secure hashing algorithm. This is done to
produce a shorter piece of text, which is a unique identifier for the certificate. This provides us
with the ability to see if the certificate has been tampered with.
RACDCERT command
This is a very powerful command and has many parameters to perform a large number of
functions. We try to show by example many of them here:
LIST RACDCERT can list the contents of certificates from your user ID, other
user IDs or a site certificate, or a certificate authority certificate. The
certificate to be displayed can be selected by user ID, its type (for SITE
or CERTAUTH), its label, its serial number, or issuer’s distinguished
name. The example in Figure 3-121 shows the command to be issued
looking for the certificate with a specific label, which is a SITE
certificate.
Label: serverecc
Certificate ID: 2QiJmZmiiaOFg6KFmaWFmYWDg0BA
Status: TRUST
Start Date: 2011/04/22 00:00:00
End Date: 2012/04/22 23:59:59
Serial Number:
>02<
Issuer's Name:
>CN=ca.O=itso.C=us<
Subject's Name:
>CN=server.O=itso.C=us<
Signing Algorithm: sha512ECDSA
Key Usage: HANDSHAKE, KEYAGREE
Key Type: NIST ECC
Key Size: 521
Private Key: YES
PKDS Label: SRVITSOECC
Ring Associations:
Ring Owner: RODOLFI
Ring:
>serverecc<
Figure 3-121 List of a SITE Certificate along with RACDCERT command
Finding Finding a certificate requires several approaches. If you know the user
ID the certificate belongs to or if it is a CA or SITE certificate, use the
RACDCERT LIST command. Alternatively, you can examine profiles that
contain certificates or list the key rings for certificates. In the example
shown in Figure 3-123, we list the profiles to obtain a list of certificates.
SEARCH CLASS(DIGTCERT)
...
0D8B4FEEAAD2185BF4756A9D29E17FFB.OU=Class¢1¢Public¢Primary¢Certification¢Author
ity.O=VeriSign,¢Inc..C=US
[email protected]=Thawte¢Personal¢Basic¢CA.OU=Certification¢Servi
ces¢Division.O=Thawte¢Consulting.L=Cape¢Town.SP=Western¢Cape.C=ZA
Figure 3-123 Extract of a list of profiles with certificates using the SEARCH command
ALTER Use the RACDCERT ALTER command to change the status or the label of
a digital certificate for the specified user ID, certificate authority
certificate or site certificate, or its trust status. The rest of data fields
are fixed due to the nature of how the certificate is sued. To make this
change, if the user has more than one certificate, we need to use its
label in the command. If the user has only one certificate, using the
user ID is sufficient. The TRUST status in a certificate indicates if a
certificate is valid and its private key has not been compromised. In
the example shown in Figure 3-124 on page 145, the RACDCERT ALTER
command alters the TRUST status to TRUST. We also list a small
portion of the certificate displaying the TRUST status. The user that
executes this command needs to have authority to issue it. They
require UPDATE access to the resource IRR.DIGTCERT.ALTER in the
FACILITY class.
Label: clientecc
Certificate ID: 2QfZ1sTW08bJg5OJhZWjhYOD
Status: TRUST
Start Date: 2011/04/22 00:00:00
End Date: 2012/04/22 23:59:59
DELETE The RACDCERT command can be used to delete user, site, and CA
certificates. The user to issue the RACDCERT DELETE command requires
UPDATE access to the IRR.DIGTCERT.ALTER profile in the FACILITY
class for user certificates. For site and CA certificates, the access
required will have to be CONTROL. If the certificate belongs to a key
ring, it will be removed from that key ring during the delete process.
The only artifact that will remain is when a certificate is in a PKCS #11
token it will not be deleted from the token because ICSF manages
these tokens. The criteria to select the certificate uniquely is its label
or serial number and issuer’s distinguishing name. In the example
shown in Figure 3-125, we use the certificate label to remove a
certificate.
RACDCERT DELETE(LABEL('CLIENTECC'))
Figure 3-125 Delete a user certificate
CHECKCERT RACDCERT can examine a file and if one or more certificates are
present, it displays the certificate information. If the user is not
authorized or the certificate is not in RACF, no RACF information is
displayed. The command is shown in Figure 3-126 on page 146 to see
what certificates are present in the data set ‘RRSF.SC75.OK.CERT’.
In this figure you are told that the file has two certificates and they are
not in RACF. It also states the chain is complete because we have both
the user and its CA certificate.
Certificate 2:
Ring:
>ACCOUNT<
*** No certificates connected ***
Figure 3-128 List a key ring belonging to a specific user ID.
By using RACDCERT CONNECT, we can add a certificate to the key ring. In our example in
Figure 3-130, we place a certificate owned by user ID SMITHRL into a key ring owned by
user ID JAMES.
RACDCERT LIST enables us to list the certificates present in a key ring. The command
format is displayed in Figure 3-131.
Ring:
>ACCOUNT<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
clientecc ID(SMITHRL) PERSONAL NO
RACDCERT DELRING allows the removal of a key ring. It does not remove certificates; it just
removes their membership in a key ring as shown in Figure 3-132.
Create CERTIFICATE In our example, we create a certificate and then raise a certificate
request. The latter entity can then be sent to be signed by a CA,
returned and imported back into RACF. RACF can also perform the
same CA function as well should it be required.
Label: FREIGHTOUT
Certificate ID: 2QbC1sLUw8PG2cXJx8jj1uTj
Status: TRUST
Start Date: 2013/08/05 00:00:00
End Date: 2014/08/05 23:59:59
Serial Number:
>00<
Issuer's Name:
>CN=acme.test.com.O=ACME TEST Corp.L=BEACON.SP=NEW YORK.C=US<
Subject's Name:
>CN=acme.test.com.O=ACME TEST Corp.L=BEACON.SP=NEW YORK.C=US<
Signing Algorithm: sha1RSA
Key Type: RSA
Key Size: 1024
Private Key: YES
Ring Associations:
*** No rings associated ***
Figure 3-135 List a certificate built using the RACDCERT GENCERT command
REQUEST Having the certificate, we now want to create a certificate request from
it as the next step. This is indicated in Figure 3-136 on page 150.
IRRZSGG0 : Entering
IRRZSGG0 : Import key: Keylen=635
IRRZSGG0 : Set Digest alg: keyType=1 keySize=1024
IRRZSGG0 : Generate Signature: signMode=7 txtLen=319 sigLen=2048
IRRZSGG0 : Signature status=0x80
Figure 3-137 Example of using the DEBUG parameter showing output
DIGTCERT
Authority to use the prime administrative tool for digital certificates (RACDCERT) is controlled
through resources in the FACILITY class:
DIGTCERT Profiles in this class contain information about a certificate, the
certificate itself, and the private key (if applicable).
DIGTRING Profiles in this class contain information about key rings and the
certificates in the key ring.
DIGTNMAP In this class, we hold information about certificate name filters.
USER In this class, we hold what information on digital certificates is
associated with this user ID.
The preceding overview is a very bare outline but was listed to give a general picture of where
the parts are before going deeper:
DIGTCERT Normally in RACF we are used to seeing short and reasonably
intelligent names. However, with the name of a DIGTCERT profile we
find a combination of the certificate’s serial number and the issuer’s
distinguished name. It is rather lengthy and is shown in Figure 3-138
Note: Do not enable generic profile checking for DIGTCERT directly by SETROPTS
GENERIC(DIGTCERT) or indirectly by STROPTS GENERIC(*). This is because the profile
names due to their construction might have generic characters.
SEARCH CLASS(DIGTCERT)
...
0D8B4FEEAAD2185BF4756A9D29E17FFB.OU=Class¢1¢Public¢Primary¢Certification¢Author
ity.O=VeriSign,¢Inc..C=US
Figure 3-138 Show a profile name in the DIGTCERT class
A field in this profile is the APPLDATA which holds the RACF user ID
associated with this certificate. The UACC field is used to hold the
TRUST status.
The DIGTCERT class should be placed in storage to assist such
applications as WebSphere Application Server as a performance
measure, as listed in Figure 3-139. If you change a certificate, do not
forget to issue the SETROPTS command with the REFRESH parameter.
Restriction: Profiles within the DIGTCERT, DIGTRING, and DIGTNMAP are maintained
automatically from the RACDCERT commands. The normal RACF commands that impact
on profiles such as RDEFINE, RALTER, and RDELETE cannot be used to administer
them. SEARCH FILTER and RLIST might not work as these profile names contain
lowercase characters.
RACF comes with three user IDs defined in the user profiles. These are fixed and cannot be
defined. They are used to anchor specific profiles in the DIGTCERT and DIGTRING class:
User ID irrcerta When you add a user certificate with RACDCERT ADD command and use
the CERTAUTH option, they are automatically associated with this
user ID irrcerta.
User ID irrsitec This user ID would be associated with those user certificates added
using the RACDCERT ADD with the SITE option.
User ID irrmulti This user ID gets associated with the certificate name filters added
with the RACDCERT MAP command
Note: These special user IDs are mostly immune to RACF commands. Even if you delete
them, they are added automatically at RACF initialization. Being all lowercase using the
SEARCH command to find them is problematical.
This will permit more than one user to share the same RACF user ID. For example, this RACF
user ID could be a functional user ID, such as ACCOUNT or TELLER. We can use the
RACDCERT MAP command to associate a user ID to each filter we define. Why? When the
certificate arrives from a client, we can match the certificate to a certificate name filter and if
we match an operational user ID is now known.
We will need to have the DIGTNMAP class active as it stores the certificate name filter
(mapping) profiles and the associated user ID. Following are the name filters in use:
Issuer’s name filter Contains a full or partial issuer's distinguished name.
Subject’s name filter Contains a full or partial subject's distinguished name.
If a certificate should match both filters, the filter chosen will have the most specific details. It
should be noted that certificate processing will first search the DIGTCERT class for an exact
match using the certificate’s serial number and issuer’s distinguished name. If no match
occurs, the DIGTNMAP class is searched for a match on a certificate name filter.
Key rings
A key ring is a logical way to connect together a number of certificates. The key ring has one
owner and the certificates connected to the key ring do not necessarily have to belong to the
key ring owner.
Now a virtual key ring is the set of all certificates owned by one user ID. The most typical use
of this would be a client/server application, where this application validates the certificate of
others and has no need for its own certificate and private key.
DIGTRING
This is a general resource class. This class holds profiles for key rings. These profiles will
have references to those certificates that are part of the key ring. A profile name is made up
of:
userid.key-ring-name
This class will need to be active before key rings are used. This class can be processed by
the STEROPTS RACLIST command for performance reasons.
The same restriction for generic profile checking for DIGTCERT also applies to the
DIGTRING class.
So, how is this used? If we look at the RACDCERT ADDRING command, we need to specify a
ring-name up to 237 characters (we exclude ampersand, asterisk and percent sign
characters), and a user ID to be the ring-owner.
RACDCERT ADDRING(FInanceMonthlyDataRing) ID(ACCOUNT)
User ID ACCOUNT wants to add a key ring. The certificates that will be connected to this new
ring will be shared by multiple users and this ring will represent the installation’s trust policy
for access and use of the FinanceMonthlyData application.
TOKENS
A container holding a certificate and keys is called a token. z/OS supports PKSC #11 tokens
but the tokens are managed by ICSF. However, RACF can be used to maintain specific
certificate objects such as certificates, public keys, and private keys.
Because other applications can use functions provided by ICSF, changes could be made to
tokens without RACF becoming aware of them. Similarly, if RACF made changes to a
certificate that is bound to a token, this may well not be communicated to ICSF to maintain its
token information.
ICSF considerations
How does ICSF interact with RACF? ICSF does several things:
It provides APIs to the cryptographic hardware (this is the hardware cryptographic
coprocessor). Using hardware to perform encryption and decryption is a far more efficient
and timely process than performing the same function in software.
It provides the best solution for storage of private keys with hardware protection.
It makes sure that private keys are stored in an encrypted form using its master key and
stored in the ICSF PKA key data set (PKDS).
RACF plays a role by providing general resources in the CSFKEYS and CSFSERV class.
Also, moving non-ICSF private keys to ICSF can be accomplished by using the RACDCERT ADD
command with certain functions.
Note: Because private keys stored in ICSF can be recovered in clear form, use of
RACDCERT EXPORT of a certificate into a PKSC #12 form is not possible. An exception
would be if the destination is z/OS and it has the same ICSF PKA master key.
Introduction to Kerberos
Kerberos is a network authentication protocol that was developed in the 1980s by
Massachusetts Institute of Technology (MIT), in cooperation with IBM and Digital Equipment
Corporation. Data Encryption Standard (DES) cryptography and Advanced Encryption
Standard (AES) are used to provide data privacy, especially for the sensitive data, such as a
password to log in to a server.
The Kerberos authentication is based heavily on shared secrets, which are passwords stored
on the Kerberos server. Those passwords are encrypted with a symmetrical cryptographic
algorithm, which is DES and AES in this case, and decrypted when needed. This fact implies
that a decrypted password is accessed by the Kerberos server, which is not usually required
in an authentication system that uses public key cryptography. Therefore, the servers must be
placed in secure locations with physical security to prevent an attacker from stealing a
password.
For a complete description of the supported Request for Comments (RFCs), see the following
site:
http://www.ietf.org
For a list of supported RFCs, see z/OS V2R1.0 Integrated Security Services Network
Authentication Service Administration, SC23-6786.
R_kerbinfo
(AS)
Authenticates
Authentication Users
R_ticketserv Server Grants TGTs
R_usermap Ticket
(TGS)
Granting Generates Session Keys
Server Grants service tickets based on TGT
SKRBKDC
kerberos
enabled ticket from client
application
Hardware
Cryptography
Kerberos terminology
Kerberos terminology includes:
Realm: The Kerberos domain that is the set of entities, which authenticate using that
Kerberos key distribution center (KDC).
Principal: A client or an application server in a Kerberos domain.
Instance: Additional distinction between principals names.
Kerberos name: principal_name.instance@realm.
Kerberos ticket: The ticket is encrypted under a key that is only known to the Kerberos
KDC and the end server. The ticket includes the following components:
– Client’s identity
– A dynamically created session key
– A time stamp
– A lifetime for the ticket
– A service name
A ticket can be reused during its lifetime.
Authenticator: Client’s name and IP address as well as a time stamp. Issued with each
client’s request. The authenticator must be different for each request and is used for replay
protection.
Log Me In
Ticket Granting
Client Server
Application Ticket to server B
Ticket to server B
KDC interacts with both a client and server to accept the client’s request to authenticate its
identity, and to issue tickets to it.
The domain served by a single KDC is referred to as a realm. A principal identifier is used to
identify each client and server in a realm. The principal name is uniquely assigned for all
clients and servers by the Kerberos administrator. All principals must be known to the KDC.
Kerberos realms can interoperate by establishing trust relationships, sharing secret keys,
between them.
All entities in the network, clients, and servers, have their own secret symmetric key. A copy of
all the keys is kept in the Kerberos Key Distribution Center. Clients’ keys are derived from their
password.
Kerberos is intended for corporate networks or intranets because the scalability of the
protocol is directly related to the number of secret keys that can be managed in a KDC.
Although the Kerberos protocol consists of several subprotocols, three exchanges are
particularly interesting to most readers. The first-phase exchange takes place between a
Upon receiving the ticket-granting ticket, the client sends a request that contains the
ticket-granting ticket, for a service ticket to the ticket-granting server, and waits for a service
ticket to be returned. Having the session ticket (service ticket) ready, the client is allowed to
communicate with the server that is providing a service that he wants to use. Optionally, the
application server can perform further authentication processing against the client.
Message encoding defined in Kerberos Version 5 is described using the Abstract Syntax
Notation 1 (ASN.1) syntax, in accordance with ISO standards 8824 and 8825.
In the remainder of this chapter, we describe the interactions in more detail. We use the
following notations:
Kx: X’s symmetric encryption key
Kx,y: Encryption key shared by X and Y (for example, a session key)
Kx{data}: A message that contains data encrypted with X’s key
Kerberos Server
Log Me In 2
Authentication
Server Kerberos The user's password does
Database not flow over the network!
Client Authentication
Ticket 3 Ticket Granting
Server
login Authorize Me
to target server
Ticket to server
Ticket to server
Application Application
Client Targer Server
User
1
1. Log
1.Log in toinapplication
to application username,password
username,password
2.Request: Kuser{timestamp},"username","ticket_granting_server"
2. Request: Kuser{timestamp},"username","ticket_granting_server"
3.Response: Kuser{Ksession1},TGT
3. Response: Kuser{Ksession1},TGT
where TGT = KTGS{"username",Ksession1}
where TGT = KTGS{"username",Ksession1}
Kuser is derived from user's password, which is known from the Kerberos
KDC
KuserKsession1 is created
is derived from user'sdynamically by Kerberos
password, which is known from the Kerberos KDC
KTGS is known
Ksession1 onlydynamically
is created from the Kerberos Server
by Kerberos
KTGS is known only from the Kerberos Server
Figure 4-4 Get a ticket-granting ticket
The authentication service exchange is initiated by a client when it wants to get authentication
credentials for an application server but currently holds no credentials. Two messages are
exchanged between the client and the Kerberos authentication server, then credentials for a
ticket-granting server are given to the client. These credentials are the so-called
ticket-granting ticket, which is used subsequently to obtain credentials for other services.
This exchange is used for other services, such as the password-changing service, as well.
When you log in to a client system and enter your password, a client sends the Kerberos
authentication server a message that includes a user name in plain text (“Alice”), the current
time encrypted with her secret key, and the identity of the server for which the client is
requesting credentials.
Upon receiving the request from the client, the authentication server looks up the client name
and the service name (the ticket-granting service in this case) in the Kerberos database, and
obtains an encryption key for each of them, KAlice and KKDC.
The authentication server then generates a response back to the client, which contains the
ticket-granting ticket and a session key KAlice,KDC, which is used in the subsequent secure
communication between the client and KDC. The ticket-granting ticket includes the session
key KAlice,KDC, the identities of the server and the client, lifetime, and some other information.
The authentication server then encrypts the ticket using its own key KKDC. This produces a
sealed ticket. The session key KAlice,KDC is also encrypted using the client’s key KAlice with
some other information, such as nonce.
The encrypted current time is also known as the authenticator because the receiver can
assure that the sender knows the correct shared secret KAlice, which is the client’s encryption
key derived from her password (this key is also referred to as Alice’s long-term key), by
decrypting it and validating what is inside. Because the authentication server knows Alice’s
secret key, it can evaluate the time decrypted from the received authenticator.
Tip: You might have noticed that the clocks on the client system and the KDC must be
reasonably synchronized with each other. You can use a network time service to
synchronize the clocks.
Nonce is information used to identify a pair of the Kerberos request and response. You can use
a time stamp or a random number generated by a client.
Tgs is the server’s identification, which is the Kerberos ticket-granting server in this case.
Because KAlice is known exclusively by Alice and the KDC, no one but Alice can extract the
critical information from the response message, such as the session key KAlice,KDC used in
the next phase.
When the client receives the authentication server’s response, it decrypts it using its secret
key KAlice and checks to see if the nonce matches the specific request. If the nonce matches,
Kerberos Server
Log Me In
Authentication
Server Kerberos
Database
Client Authentication
Ticket
4 Ticket Granting
Server
login Authorize Me
to target server
5
Ticket to server
User
4. Request: Ksession1{timestamp},TGT,"target_server"
4. Request: Ksession1{Ksession2,"target_server"},ticket
5. Response: Ksession1{timestamp},TGT,"target_server"
to server where ticket
5. Response:
to server Ksession1{Ksession2,"target_server"},ticket to server
= Kserver{"username",Ksession2}
where ticket to server = Kserver{"username",Ksession2}
Conversation is encrypted with Ksession1
TGS gets Ksession1 from TGT, that it can read
Conversation
Client is getting is encrypted
Ksession2 value with Ksession1
Kserver isTGS
knowngets Ksession1
only fromserver
from target TGT,and
thatKerberos
it can read
KDC
Client is getting K
Figure 4-5 Request a service ticket
i 2 value
When the ticket-granting server receives the message from the client, it first deciphers the
sealed ticket using its encryption key KKDC. From the deciphered ticket, the ticket-granting
server obtains the session-key KAlice,KDC. It uses this session key to decipher the
authenticator.
The validity checks that performed by the ticket-granting server include verifying the following
components:
The client name and its realm in the ticket match the same fields in the authenticator.
The address from which this message originates is found in the address field in the ticket,
which specifies addresses from which the ticket can be used.
The user-supplied checksum in the authenticator matches the contents of the request.
This procedure guarantees the integrity of the message.
Finally, it checks the current time in the authenticator to make certain the message is recent.
Again, this requires that all the clients and servers maintain their clocks within some
prescribed tolerance.
The ticket-granting server now looks up the server name from the message in the Kerberos
database, and obtains the encryption key KBob for the specified service.
The ticket-granting server forms a new random session key KAlice,Bob for the benefit of the
client (Alice) and the server (Bob), and then creates a new ticket tkt_to_Bob that includes:
The session key KAlice,Bob
Identities of the service and the client
Lifetime
Note: The format of the ticket for a particular service is identical to one of the
ticket-granting tickets.
The ticket-granting server then assembles and sends a message to the client.
Kerberos Server
Log Me In Authentication
Server Kerberos
Database
Client Authentication
Ticket Ticket Granting
Server
login Authorize Me
to target server
Ticket to server
User 7
The client/server authentication exchange is performed by the client and the server to
authenticate each other. The client has been issued credentials for the server using the
authentication service or ticket-granting service exchange before the client/server exchange
is initiated.
After receiving the ticket-granting server exchange response from the ticket-granting server,
the client deciphers it using the ticket-granting server session key KAlice,KDC that is exclusively
known by the client and the ticket-granting server. From this message it extracts a new
session key KAlice,Bob that is shared with the server (Bob) and the client (Alice). The sealed
ticket included in the response from the ticket-granting server cannot be deciphered by the
client, because it is enciphered using the server/s secret key KBob.
Then the client builds an authenticator and seals it using the new session key KAlice,Bob.
Finally, it sends a message containing the sealed ticket and the authenticator to the server
(Bob) to request its service.
When the server (Bob) receives this message, it first deciphers the sealed ticket using its
encryption key KBob, which is kept in secret between Bob and the KDC. It then uses the new
session key KAlice,Bob contained in the ticket to validate the authenticator in the same way as
the ticket-granting server does in the ticket-granting server exchange.
After the server has authenticated a client, an option exists for the client to validate the server
(this procedure is called mutual authentication). This prevents an intruder from impersonating
the server.
If mutual authentication is required by the client, the server has to send a response message
back to the client. The message must contain the same time stamp value as one in the client’s
request message. This message is enciphered using the session key KAlice,Bob that was
passed from the client to the server.
If the response is returned, the client decrypts it using the session key KAlice,Bob and verifies
that the time stamp value matches one in the authenticator that was sent by the client in the
preceding client/server exchange. If it matches, then the client is assured that the server is
genuine.
When the client/server exchange has completed successfully, an encryption key is shared by
the client and server and can be used for the on-going application protocol to provide data
confidentiality.
z/OS Realm
z/OS
9-MVS userid
DB2
Server
Ticket Granting
Server
DB2
Client 3- I'd rather go to the OS/390 realm
KDC
2- I recognize you, here is a TGT Authentication
Server
login
1- This is me
By establishing inter-realm keys, the administrators of two realms can allow a client
authenticated in one realm to use its credentials in the other realm. The exchange of
inter-realm keys registers the ticket-granting service of each realm as a principal in the other
realm. A client is then able to obtain a ticket-granting ticket for the remote realm’s
ticket-granting service from its local ticket-granting service. Tickets issued to a service in the
remote realm indicate that the client was authenticated from another realm.
Realms are typically organized hierarchically. Each realm shares a key with its parent and a
different key with each child. If an inter-realm key is not directly shared by two realms, the
hierarchical organization allows an authentication path to be easily constructed. If a
hierarchical organization is not used, it might be necessary to consult some database to
construct an authentication path between realms.
Authentication
Server
TCP/IP
Ticket
Granting
Server
R_kerbinfo
(AS)
Authenticates
Authentication Users
R_ticketserv Server Grants TGTs
R_usermap
Ticket
(TGS)
Granting Generates Session Keys
Server Grants service tickets based on
TGT
SKRBKDC
kerberos
enabled ticket from client
application
Hardware
Cryptography
This section details the setup of this UNIX daemon and the required configuration files. It
assumes that RACF is the incumbent ESM.
2. Define a group for the started task user ID, with an OMVS segment with a GID value:
ADDGROUP SKRBGRP OWNER(STCGROUP) SUPGROUP(STCGROUP) +
DATA('GROUP FOR KERBEROS SKRBKDC User ID') OMVS(GID(20))
The owner that we specify in our examples is for our installation only. You might want to
change this owner according to your installation standards.
To verify that the group is defined correctly, display the group with all the attributes as
follows:
LISTGRP SKRBGRP OMVS
OMVS INFORMATION
----------------
GID= 0000000020
Figure 4-11 Display of Group SKRBGRP and its OMVS segment
3. Define a started task user ID with an OMVS segment with the following values:
– UID value: 0
– HOME (directory) value: /etc/skrb/home/kdc
– PROGRAM value: /bin/sh
Setting up the Kerberos environment variable files is shown in Figure 4-12 on page 170.
Authentication
Server
TCP/IP
Ticket
Granting
/etc/skrb/krb5.conf
Server
libdefaults¨
default_realm =KRB390.IBM.COM
realms¨
/etc/skrb/home/kdc/skrbkdc.envar KRB390.IBM.COM = {
kdc = wtsc57.krb390.ibm.com:88
kpasswd_server = wtsc57.krb390.ibm.comc:464
SKDC_DATABASE=SAF
SKDC_PORT=88
SKDC_KPASSWD_PORT=464
KERBERW2K.MOPWIN.IBM.COM = {
SKDC_NETWORK_THREADS=15
kdc =kerbsrv.kerberwin2k.mopwin.ibm.com:88
SKDC_LOCAL_THREADS=15
kpasswd_server =
SKDC_LOGIN_AUDIT=FAILURE
kerbsrv.kerberwin2k.mopwin.ibm.com:464
The next step is to configure the environment variable file /etc/skrb/home/kdc/envar with the
required changes for your environment.
The defaults in this file are usually fine, except perhaps the time zone and the required
logging that you want to perform for the Kerberos server (SKRBKDC). The
SKDC_DATABASE value of SAF implies that RACF (and possibly any other ESM) is to
provide a registry function. This is what IBM recommends unless it is necessary to share the
Kerberos registry with other KDC instances on other operating systems.
The environment variable SKDC_TKT_ENCTYPES processes the list of encryption types from left
to right until requirements are met. KDC attempts to use the same encryption algorithm for
the service ticket as was used for the ticket granting ticket.
Example 4-2 shows an example of the environment variable definitions for the Kerberos
server.
#
# Message/debug options
#
_EUV_SVC_MSG_LOGGING=STDOUT_LOGGING
_EUV_SVC_MSG_IDENTITY=SKRBKDC
_EUV_SVC_MSG_FACILITY=AUTH
_EUV_SVC_DBG_MSG_LOGGING=1
_EUV_SVC_DBG=KRB_KDC.8,KRB_KDB.8
_EUV_EXC_ABEND_DUMP=0
This completes the setup for the Kerberos server, but before you start the Kerberos server,
some additional RACF definitions are required.
Setting up hierarchical file system (HFS) for Kerberos cache files is shown in Figure 4-13 on
page 173.
Authentication
Server
TCP/IP
Ticket
Granting
Server
The /var/skrb/creds directory permission bits should be set to 777 using the chmod command:
chmod 777 /var/skrb/creds
If SAF is selected, RACF provides the functions to customize and access data for use with
Kerberos. Then, the z/OS Network Authentication Service server maintains registry of
principal and global information, which is stored using RACF through User and General
Resource Profiles.
You can administer the Network Authentication Service server through the RACF panels and
commands and obtain this information through an SAF callable service. Kerberos application
servers can use SAF callable services to parse Kerberos tickets to obtain principal names,
and to map from principal to RACF user and vice versa.
Local Kerberos principals are defined as RACF users with a KERB segment. The information
about the local and foreign realms are defined in the RACF class REALM in specific profiles.
The profiles contain:
Local realm information, the name, key, and ticket lifetime (MIN, MAX, and DEFAULT in
seconds).
Foreign realm trust relationships. These are defined in pairs, which also include a key.
RACF maps foreign Kerberos principals using the KERBLINK class profiles.
The Kerberos principal’s password and the RACF user password are integrated. The
Kerberos password is subject to RACF SETROPTS rules and installation-defined rules.
Principals must keep their secret keys secret. If an intruder steals a principal’s key, it can then
masquerade as that principal or impersonate any server to the legitimate principal.
RACF Remote Sharing Facility (RRSF) must be defined in local mode to generate the
corresponding Kerberos secret key whenever the user changes their password. Kerberos
uses RRSF services to make sure this happens.
Some RRSF RACF functions require a previously established user ID association. A user ID
association is an association between two or more user IDs on the same or different RRSF
nodes.
To use the password synchronization and command direction functions, you need to activate
and define profiles in to the RRSFDATA class.
3. Modify the RACF procedure in SYS1.PROCLIB to process the updated RACF parameter
library by adding PARM=’OPT=01’ to the EXEC statement. Add the RACFPARM ddname to
point to SYS1.PARMLIB to identify the library that contains the RRSF parameters.
Example 4-4 shows the RACF procedure in SYS1.PROCLIB.
4. For these changes to take effect, refresh by taking the following steps:
a. Refresh the RACF subsystem by stopping and restarting the RACF started task using
the locally defined RACF subsystem prefix. This would be used only when considering
configuring a new main system in a multisystem node due to its complex nature.
Issue the MVS START command, specifying RACF as the procedure name:
S RACF,SUB=MSTR
b. Normally you would issue the command on the affected z/OS system:
SET INCLUDE(xx) where XX is the suffix of the IRROPTxx member
3. A user must have access to the SKRBKDC application in order to use the kpasswd
command to change their password. By using the RACF RDEFINE command, you can define
the SKRBKDC application to the RACF APPL class:
RDEFINE APPL SKRBKDC OWNER(SYS1) UACC(READ) +
DATA(‘KERBEROS APPLID’)
Tip: Alternately, you can set the universal access to NONE and explicitly authorize
individual groups or users to the SKRBKDC application.
4. Define your local realm to the REALM class, using the RACF RDEFINE command to define
the KERBDFLT profile reflecting the default REALM and policy:
RDEFINE REALM KERBDFLT KERB(KERBNAME(KRB390.IBM.COM) PASSWORD(password) +
MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400)
Use the RACF RLIST command to display the KERBDFLT profile in the REALM class:
RLIST REALM KERBDFLT KERB
CLASS NAME
----- ----
REALM KERBDFLT
KERB INFORMATION
----------------
KERBNAME= KRB390.IBM.COM
MINTKTLFE= 0000000015
Attention: You need the password that is defined here later when you define the same
trust relationship on the Windows 2000 domain. This password is not associated with
any user ID and is not constrained to any SETROPTS rules for passwords.
6. Define Kerberos port 88 for the KDC and port 464 for the password server to your TCP/IP
profile to reflect the use of these ports, as shown in Example 4-5.
Example 4-5 Define Kerberos post 88 for the KDC and port 464 for the password server
88 TCP OMVS SAF KERB88 ; Kerberos Server
464 TCP OMVS SAF KERB464 ; Kerberos Server
7. Depending on your installation, you might or might not have started with the protection of
TCP/IP ports using the RACF SERVAUTH class. Accordingly, you should authorize the
SKRBKDC Started Task User ID to port 88 and 464, using the following commands:
PERMIT EZB.PORTACCESS.SC57.ITCPIP.KERB88 CLASS(SERVUATH) +
ID(SKRBKDC) ACCESS(READ)
PERMIT EZB.PORTACCESS.SC57.ITCPIP.KERB464 CLASS(SERVUATH) +
ID(SKRBKDC) ACCESS(READ)
The SKRBKDC started task also requires access to the TCP/IP stack itself, using a new
profile in the RACF SERVAUTH class:
PERMIT EZB.STACKACCESS.SC57.ITCPIP CLASS(SERVAUTH) ID(SKRBKDC) + ACCESS(READ)
As an alternative if SERVAUTH is not used to protect TCP/IP ports, it should be
considered that the Communications Server profile member be updated to reserve the
ports for KDC (usually 88), KPASSWD (usually 464), and KADMIN (usually 749). While
the profile is used to reserve ports, entries in the Communications Server /etc/services
Important: Upper and lowercase letters are accepted and maintained in the case in which
they are entered.
Restriction: You can define the local principal name that you specify only once. If you try
to define it to two RACF user IDs, you receive the following error message:
IRR52165I The value for the KERB segment KERBNAME operand must be unique.
Command processing ends.
A local principal’s key is revoked whenever the user’s RACF user ID is revoked or the RACF
password is considered expired. If the user’s key is revoked, the server rejects ticket requests
from this user.
You can change a user’s password so that a key can be generated using the ALTUSER
command with the NOEXPIRED option, for example:
ALTUSER GRAAFF PASSWORD(new1pw) NOEXPIRED
Attention:
Do not use the NOPASSWORD option on the ALTUSER command.
You must specify a password value so that a key can be generated. All characters of the
password are folded to uppercase.
Important: The RACF address space must be started for the password change to
complete and the key to be generated.
Password change requests from applications that encrypt the password before calling
RACF do not result in usable keys.
The KERBLINK profile maps the local principal name to the user’s RACF user ID. The name
of the KERBLINK profile for a local principal is the principal name specified as the
KERBNAME value with the ADDUSER or ALTUSER command. We show the KERBLINK profile for
user ID graaff in Example 4-8 as it was defined in Example 4-7 on page 179.
You can see in the profile Paul¢de¢Graaff that blanks are indeed replaced by the ¢ character.
If you list the profile, you notice a little quirk in the RACF command processing where it does
not accept mixed-case profile names, as shown in Example 4-9.
Blanks are not permitted as a part of a RACF profile name. Therefore, when building the
KERBLINK profile name, as a result of specifying KERBNAME with the ADDUSER or ALTUSER
command, RACF command processing replaces each blank with the X'4A' character (which
often resolves to the ¢ symbol), as shown in the output from the RLIST KERBLINK *
command shown in Example 4-8 on page 180, and in the output from the RACF database
unload utility (IRRDBU00).
Restriction: RACF command processing also prevents the X'4A' character from being
specified as part of the actual local principal name.
RDEFINE
Define KERBLINK
foreign /.../foreign_realm/foreign_principal APPLDATA('racf_user')
principals
maps single principal to a RACF user
- RDEFINE KERBLINK /.../foreign_realm/foreign_principal APPLDATA('racf_user')
RDEFINE KERBLINK /.../foreign_realm/ APPLDATA('racf_user')
• maps single principal to a RACF user
Maps all principals for a single realm to a RACF userid
- RDEFINE KERBLINK /.../foreign_realm/ APPLDATA('racf_user')
• Maps all principals for a single realm to a RACF userid
RACF will map the Windows DB2 user Kerberos principal name LAMBDA to
RACF userid CLIENT1
Figure 4-16 Kerberos principals: Foreign principals
RACF user IDs that map to foreign principals do not need KERB segments. These user IDs
are intended to be used only to provide local z/OS identities to associate with access
privileges for local resources that are under the control of an z/OS application server, such as
DB2.
Each mapping profile in the KERBLINK class is defined and modified using the RDEFINE and
RALTER commands. The name of the KERBLINK profile for a foreign principal contains the
principal name, fully qualified with the name of the foreign realm.
If you want to map a unique RACF user ID to each foreign principal, you must specify the
foreign realm name and the foreign principal name. If you want to map the same RACF user
ID to every foreign principal in the foreign realm, you need only specify the foreign realm
name. In each case, you specify the local user ID using the APPLDATA keyword of the
RDEFINE or RALTER command.
Attention: All characters of the foreign realm name and the foreign principal name are
folded to uppercase.
kinit
klist
kdestroy
keytab
ksetup
kpasswd
kvno
kadmin
Figure 4-17 Kerberos user commands
To use these commands, you must update your PATH statement in your .profile with the full
path name of the directory (/usr/lpp/skrb/bin) containing the Kerberos commands. It also
requires updates to the NLSPATH statement to reflect the Kerberos message catalog.
Example 4-11 displays the required changes to your .profile.
kinit -s example
To obtain a ticket-granting ticket for a Kerberos principal, you can either use RACF services to
obtain the principal associated or use a so-called key table. The kinit -s command obtains a
ticket-granting ticket for the current signed-on RACF user ID, as shown in Example 4-12 on
page 184.
When we issue the kinit -s command for the current signed-on RACF user ID GRAAFF, we
receive an error that the service key is not available. When we define the local principal for
user ID GRAAFF, a key is not generated for the local principal. When we issue the LU
GRAAFF KERB command, no key is generated, as shown in Example 4-13.
Keys get generated only when a RACF password change occurs. So after we change the
password for the RACF user ID GRAAFF, we receive a key generated, as shown in
Example 4-14.
We can now try again to get a ticket-granting ticket issued, using the kinit -s command, as
shown in Example 4-15.
Example 4-17 Using the kinit command when a credential cache does exist
GRAAFF @ SC57:/u/graaff>kinit
EUVF06017R Enter password:
GRAAFF @ SC57:/u/graaff>
Important: You must enter the password here in uppercase letters. RACF accepts only
uppercase passwords.
kinit -k example
We then tested the use of a key table with the kinit command rather than using RACF. For
this example, we assume a principal is defined called [email protected]. Example 4-18
shows using a key table with the kinit command, by using the -k keyword.
When using the -k keyword, you do not need to specify the name and location of the key table
if you want to use the default key table. The default key table name is obtained from the
default_keytab_name configuration file (krb5.conf) entry. The default name is
/etc/skrb/krb5.keytab.
Tip: You can also change the default key table name using the environment variable
KRB5_KTNAME.
klist example
When you issue the klist command without any keywords, it is as though you had issued a
klist -c command. Example 4-19 on page 186 shows the output of a klist command after
a ticket-granting ticket is obtained.
klist -e example
The klist -e command displays the encryption type for the session key and the ticket, as
shown in Example 4-20.
klist -f example
The klist -f command displays the ticket flags, as shown in Example 4-21.
klist -k example
The klist -k command lists the entries in a key table, as shown in Example 4-22.
klist -k -K example
The klist -k -K command lists the entries in a key table and displays the encryption key
value for each key table entry, as shown in Example 4-23 on page 187.
The -e option causes the kdestroy command to check all of the credentials cache files in the
default cache directory (/etc/skrb/var/creds). Any file that contains only expired tickets that
have expired for the time delta value are deleted. The time delta is expressed as nwndnhnmns,
where:
n Represents a number
w Indicates weeks
d Is days
h Is hours
m Is minutes
s Indicates seconds
The components must be specified in this order, but any component can be omitted (for
example, 4h5m represents 4 hours and 5 minutes, and 1w2h represents 1 week and 2 hours). If
only a number is specified, the default is hours.
Important: To delete a credentials cache, the user must be the owner of the file or must be
a root user (uid 0).
Example 4-24 shows an example of the kdestroy command that deletes the credentials
cache of principal Paul de Graaff.
To define the local principal graaff to the default key table, issue the keytab command, as
shown in Example 4-25 on page 188.
You can now obtain a ticket-granting ticket using the key table instead of RACF. Next, issue
the kinit command to obtain a ticket-granting ticket using the key table, as shown in
Example 4-26.
Example 4-26 Using the kinit command to obtain a ticket-granting ticket using the key table
GRAAFF @ SC57:/u/graaff>kinit -k paul
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a06 - Client principal is not found in security registry.
After you run this command, an error indicates that the client principal is not found in the
security registry. So, what really happened here? When you look at the trace of the kinit
command, the issue becomes clear, as shown in Example 4-27.
As shown in the trace output, it states no RACF user was found for paul. Local Kerberos
principals are always defined in RACF, and foreign principals in their respective REALM
(KDC). The messages here indicate that the Kerberos server tried to map the local principal
to a RACF user ID and could not find a local principal named paul.
The next step is to define a RACF user ID with a KERB segment and a KERBNAME of paul.
We change the RACF user ID GRAAFF to reflect the local Kerberos principal paul, as shown
in Example 4-28.
The password that we use to add the principal must match the RACF password for the RACF
user ID to which it is mapped. So, we must redefine the local principal in the key table using
the correct (RACF) password. To redefine the local principal, delete and add the principal as
shown in Example 4-30 on page 189.
We can now issue the kinit -k paul command again. Example 4-31 shows that we still
receive a password error because we added the principal with the correct password, but
using lowercase letters.
Again we need to redefine the principal, as shown in Example 4-30, but we now add the
(RACF) password in uppercase. We obtain a ticket-granting ticket successfully, as shown in
Example 4-32.
Server: krbtgt/[email protected]
Valid 2001/06/15-14:22:42 to 2001/06/16-00:22:42
Where:
-r realm Specifies the Kerberos administration realm. If this option is not specified, the
realm is obtained from the principal name. This option is meaningful only if the
administration server supports multiple realms.
-p principal Specifies the administrator principal. If this option is not specified, the string
/admin is appended to the principal name obtained from the default credentials
cache. If there is no credentials cache, the string /admin is appended to the
name obtained from the USER environment variable, or if the USER
environment variable is not defined, it is appended to the name obtained from
the getpwuid() function. The local realm is used if an explicit realm is not part
of the principal name.
-k keytab Specifies the key table that contains the password for the administrator
principal. The user is prompted to enter the password if neither the -k or the -w
option is specified. The principal name is host or host name unless the -p
Note: Subcommand options start with a minus (-) character and principal attributes start
with a plus (+) character or a minus (-) character.
The kadmin command imposes no other restrictions on the characters used in names or
passwords, although it is recommended that you do not use any of the EBCDIC variant
characters. The Kerberos administration server can impose additional restrictions.
Time units
You can use time units such as dates that are displayed as day-of-week, month,
day-of-month, hour:minute:second, time zone, or year using the local time zone, as specified
by the TZ environment variable. Durations are displayed as days-hours:minutes:seconds.
The kadmin command supports a number of date and duration formats and some examples
are as follows:
"15 minutes" - "7 days" - "1 month" - "2 hours" - "400000 seconds" - "next year" -
"this Monday"
Subcommands
The following subcommand descriptions assume that the administration server is using the
standard MIT Kerberos database for the registry. Other database implementations might not
support all of the subcommand options and attributes.
Principal-related commands
Note: In the subcommands that we describe in this section, name specifies a Kerberos
principal.
There is a long list of options that you can use in defining a principal, such as the types of
tickets that it can use, what services it can provide, what encryption types are supported
for this principal, and what pre-authentication steps might be required.
Policy-related commands
list_policies [expression]
The list_policies (also known as listpols) subcommand lists all of the policies in the
Kerberos database that match the specified search expression. All policies are listed if no
search expression is provided. You must have LIST authority.
get_policy name
The get_policy (also known as getpol) subcommand displays information for a single
policy entry. You must have GET authority or the policy must be associated with your own
principal entry.
add_policy [options] name
The add_policy (also known as addpol) subcommand adds a new policy to the Kerberos
database. The options can be specified before or after the policy name and can be
specified in any order. You must have ADD authority.
The principal option specifies the principal whose password is to be changed. The principal is
obtained from the default credentials cache if the principal is not specified on the command
line.
Note: You cannot change the password for a ticket-granting service principal (krbtgt/realm)
using the kpasswd command.
The principal option specifies the principal whose current key version number is to be
displayed. The principal is obtained from the default credentials cache if the principal is not
specified on the command line.
Figure 4-18 on page 193 shows success and failure events for auditing.
Auditing
SMF Type 80 records are created for login requests (Kerberos initial ticket requests). Both
success and failure events can be logged as determined by the SKDC_LOGIN_AUDIT
environment variable. The event code is 68 and the record includes relocate sections 333
(Kerberos principal name), 334 (request source), and 335 (KDC error code).
Figure 4-18 shows the smf records (truncated) generated for the kinit commands issued in
Example 4-31 on page 189 and Example 4-32 on page 189. The first record shown in
Figure 4-18 indicates an error code of 24, which means that the reauthentication (password)
failed.
Windows 2000/NT
NetServer
iSeries
WebSphere NDS
LINUX
Overview of EIM
Today’s network environments are made up of a complex group of systems and applications,
resulting in the need to manage multiple user registries. Dealing with multiple user registries
quickly grows into a large administrative problem that affects users, administrators, and
application developers. Consequently, many companies are struggling to securely manage
authentication and authorization for systems and applications. Enterprise Identity Mapping
(EIM) is an IBM eServer™ infrastructure technology that allows administrators and
application developers to address this problem more easily and inexpensively than previously
possible.
EIM offers a new approach to enable inexpensive solutions to easily manage multiple user
registries and user identities in an enterprise. EIM is an architecture for describing the
relationships between individuals or entities (such as file servers and print servers) in the
enterprise and the many identities that represent them within an enterprise. In addition, EIM
provides a set of APIs that allow applications to ask questions about these relationships.
For example, given a person’s user identity in one user registry, you can determine which user
identity in another user registry represents that same person. If the user has authenticated
with one user identity and you can map that user identity to the appropriate identity in another
user registry, the user does not need to provide credentials for authentication again. You know
who the user is and only need to know which user identity represents that user in another
user registry. Therefore, EIM provides a generalized identity mapping function for the
enterprise.
EIM allows one-to-many mappings (that is, a single user with more than one user identity in a
single user registry). However, the administrator does not need to have specific individual
mappings for all user identities in a user registry. EIM also allows many-to-one mappings (that
is, multiple users mapped to a single user identity in a single user registry).
The ability to map between a user’s identities in different user registries provides many
benefits. Primarily, it means that applications may have the flexibility of using one user
The use of identity mapping requires that administrators do the following tasks:
1. Create EIM identifiers that represent people or entities in their enterprise.
2. Create EIM registry definitions that describe the existing user registries in their enterprise.
3. Define the relationship between the user identities in those registries to the EIM identifiers
that they created.
4. Create policy associations.
No code changes are required to existing user registries. The administrator does not need to
have mappings for all identities in a user registry. EIM allows one-to-many mappings (that is,
a single user with more than one user identity in a single user registry). EIM also allows
many-to-one mappings (that is, multiple users sharing a single user identity in a single user
registry, which although supported, is not advised). An administrator can represent any user
registry of any type in EIM.
EIM is an open architecture that administrators can use to represent identity mapping
relationships for any registry. It does not require copying existing data to a new repository and
trying to keep both copies synchronized. The only new data that EIM introduces is the
relationship information. Administrators manage this data in an LDAP directory, which
provides the flexibility of managing the data in one place and having replicas wherever the
information is used. On z/OS, an LDAP directory is provided by the product Tivoli Directory
Server for z/OS. Ultimately, EIM gives enterprises and application developers the flexibility to
easily work in a wider range of environments with less cost than would be possible without
this support.
EIM concepts
A conceptual understanding of how EIM works is necessary to fully understand how you can
use EIM in your enterprise. Although the configuration and implementation of EIM APIs can
differ among server platforms, EIM concepts are common across IBM eServer servers.
Figure 4-20 provides an EIM implementation example in an enterprise. Three servers act as
EIM clients and contain EIM-enabled applications that request EIM data using lookup
operations. The domain controller stores information about the EIM domain, which includes
an EIM identifier, associations between these EIM identifiers and user identities, and EIM
registry definitions.
Currently, you can configure a number of IBM platforms to act as an EIM domain controller.
Any system that supports the EIM APIs can participate as a client in the domain. These client
systems use EIM APIs to contact an EIM domain controller to perform EIM lookup operations.
The location of the EIM client determines whether the EIM domain controller is a local or
remote system. The domain controller is local if the EIM client is running on the same system
EIM domain
An EIM domain is a directory within an LDAP server that contains EIM data for an enterprise.
An EIM domain is the collection of all the EIM identifiers, EIM associations, and user
registries that are defined in that domain. Systems (EIM clients) participate in the domain by
using the domain data for EIM lookup operations.
An EIM domain is different from a user registry. A user registry defines a set of user identities
that are known to and trusted by a particular instance of an operating system or application. A
user registry also contains the information needed to authenticate the user of the identity.
Additionally, a user registry often contains other attributes such as user preferences, system
privileges, or personal information for that identity.
In contrast, an EIM domain refers to user identities that are defined in user registries. An EIM
domain contains information about the relationship between identities in various user
registries (user name, registry type, and registry instance) and the actual people or entities
that these identities represent. Because EIM tracks relationship information only, there is
nothing to synchronize between user registries and EIM.
The right side of Figure 4-20 on page 196 shows the data that is stored within an EIM
domain. This data includes EIM identifiers, EIM registry definitions, and EIM associations.
EIM data defines the relationship between user identities and the people or entities that these
identities represent in an enterprise.
After you create your EIM identifiers, registry definitions, and associations, you can begin
using EIM to more easily organize and work with user identities within your enterprise.
EIM identifier
An EIM identifier represents a person or entity in an enterprise. A typical network consists of
various hardware platforms and applications and their associated user registries. Most
platforms and many applications use platform-specific or application-specific user registries.
These user registries contain all of the user identification information for users who work with
those servers or applications.
When you create an EIM identifier and associate it with the various user identities for a
person or entity, it becomes easier to build heterogeneous, multitier applications (for example,
a single sign-on environment). When you create an EIM identifier and associations, it also
becomes easier to build and use tools that simplify the administration involved with managing
every user identity that a person or entity has within the enterprise.
For example, an LDAP directory contains bind distinguished names, passwords, and access
controls to data that is stored in LDAP. Other examples of common user registries are a
Kerberos key distribution center (KDC) and the IBM i user profiles registry.
You can also define user registries that exist within other user registries. Some applications
use a subset of user identities within a single instance of a user registry. For example, the
z/OS Security Server database can contain specific user registries that are a subset of users
within the overall RACF user registry. To model this behavior, EIM allows administrators to
create two kinds of EIM registry definitions:
System registry definitions
Application registry definitions
EIM registry definitions provide information regarding those user registries in an enterprise.
The administrator defines these registries to EIM by providing the following information:
A unique, arbitrary EIM registry name
The type of user registry
Each registry definition represents a specific instance of a user registry. Consequently, you
need to choose an EIM registry definition name that helps you to identify the particular
instance of the user registry. For example, you could choose the TCP/IP host name for a
system user registry, or the host name combined with the name of the application for an
application user registry. You can use any combination of alphanumeric characters, mixed
case, and spaces to create unique EIM registry definition names.
Note: Although the predefined registry definition types cover most operating system user
registries, you might need to create a registry definition for which EIM does not include a
predefined registry type. You have two options in this situation. You can either use an
existing registry definition that matches the characteristics of your user registry, or you can
define a private user registry type.
For example, in Figure 4-21 on page 200, the administrator followed the process required
and defined the type of registry as WebSphere Third-Party Authentication (LTPA) for the
System_A_WAS application registry definition.
In Figure 4-21 on page 200, the administrator creates EIM registry definitions for user
registries representing System A, System B, and System C and a Windows Active Directory
that contains users’ Kerberos principals with which users log in to their desk top workstations.
In addition, the administrator created an application registry definition for WebSphere
Lightweight Third Party Authentication (LTPA), which runs on System A.
The registry definition name that the administrator uses helps to identify the specific
occurrence of the type of user registry. For example, an IP address or host name is often
sufficient for many types of user registries. In this example, the administrator identifies the
specific user registry instance by using System_A_WAS as the registry definition name to
identify this specific instance of the WebSphere LTPA application. In addition to the name, the
administrator also provides the type of registry as System_A.
You can also define user registries that exist within other user registries. For example, the
z/OS Security Server (RACF) registry can contain specific user registries that are a subset of
users within the overall RACF user registry. A RACF user profile can contain an EIM segment,
which points to a profile in the LDAPBIND class, this latter profile contains the name of the
EIM Domain and bind information needed to establish a connection with the EIM Domain.
EIM associations
An EIM association is an entry that you create in an EIM domain to define a relationship
between user identities in different user registries. The type of association that you create
determines whether the defined relationship is direct or indirect. You can create one of two
types of associations in EIM: identifier associations and policy associations. You can use
policy associations instead of, or in combination with, identifier associations. How you use
associations depends on your overall EIM implementation plan.
When an application or operating system uses this API, the application or operating system
must supply these pieces of information:
A user identity as the source or starting point of the operation.
The EIM registry definition name for the source user identity.
The EIM registry definition name that is the target of the EIM lookup operation. This
registry definition describes the user registry that contains the user identity that the
application is seeking.
Within z/OS, the calling application that is using the eimGetTargetFromIdentifier API can be
running in system key or supervisor state, or:
The RACF user ID of the caller's address space has READ authority to the BPX.SERVER
profile in the FACILITY class.
The current RACF user ID has READ authority to the IRR.RGETINFO.EIM profile in the
FACILITY class.
And the FACILITY class must be active and RACLISTed before unauthorized (problem
program state and keys) will be granted the authority to use this SAF service.
For a user identity to be returned as the target of either type of EIM lookup operation, the user
identity must have a target association defined for it. This target association can be in the
form of an identifier association or a policy association.
The supplied information is passed to EIM and the lookup operation searches for and returns
any target user identities, by searching EIM data in the following order:
1. Identifier target association for an EIM identifier. The EIM identifier is identified in one of
two ways: It is supplied by the eimGetTargetFromIdentifier API. Alternatively, the EIM
identifier is determined from information supplied by the eimGetTargetFromSource API.
2. Certificate filter policy association.
3. Default registry policy association.
4. Default domain policy association.
The lookup operation, illustrated in Figure 4-22, searches flows in this manner:
1. The lookup operation checks whether mapping lookups are enabled. The lookup operation
determines whether mapping lookups are enabled for the specified source registry, the
specified target registry, or both specified registries. If mapping lookups are not enabled
for one or both of the registries, the lookup operation ends without returning a target user
identity.
2. The lookup operation checks whether there are identifier associations that match the
lookup criteria. If an EIM identifier was provided, the lookup operation uses the specified
EIM identifier name. Otherwise, the lookup operation checks whether there is a specific
identifier source association that matches the supplied source user identity and source
registry. If there is one, the lookup operation uses it to determine the appropriate EIM
identifier name. The lookup operation then uses the EIM identifier name to search for an
identifier target association for the EIM identifier that matches the specified target EIM
registry definition name. If there is an identifier target association that matches, the lookup
operation returns the target user identity defined in the target association.
3. The lookup operation checks whether the use of policy associations are enabled. The
lookup operation checks whether the domain is enabled to allow mapping lookups using
policy associations. The lookup operation also checks whether the target registry is
enabled to use policy associations. If the domain is not enabled for policy associations or
the registry is not enabled for policy associations, the lookup operation ends without
returning a target user identity.
4. The lookup operation checks for certificate filter policy associations. The lookup operation
checks whether the source registry is an X.509 registry type. If it is an X.509 registry type,
the lookup operation checks whether there is a certificate filter policy association that
When an application supplies a user identity as the source, the application also must supply
the EIM registry definition name for the source user identity and the EIM registry definition
name that is the target of the EIM lookup operation. To be used as the source in a EIM lookup
operation, a user identity must have a source association defined for it.
When an application supplies an EIM identifier as the source of the EIM lookup operation, the
application must also supply the EIM registry definition name that is the target of the EIM
lookup operation. For a user identity to be returned as the target of either type of EIM lookup
operation, the user identity must have a target association defined for it.
The supplied information is passed to the EIM domain controller, where all EIM information is
stored and the EIM lookup operation searches for the source association that matches the
supplied information. Based on the EIM identifier (supplied to the API or determined from the
source association information), the EIM lookup operation then searches for a target
association for that identifier that matches the target EIM registry definition name.
This source information is passed to the EIM domain controller and the EIM lookup operation
finds a source association that matches the information. Using the EIM identifier name, the
EIM lookup operation searches for a target association for the johnday identifier that matches
the target EIM registry definition name for System_B. When the matching target association
is found, the EIM lookup operation returns the jsd1 user identity to the application.
EIM mapping policy support provides a means of enabling and disabling the use of policy
associations for the entire domain, as well as for each specific target user registry. EIM also
allows you to set whether a specific registry can participate in mapping lookup operations in
general. Consequently, you can use mapping policy support to more precisely control how
mapping lookup operations return results.
The default setting for each individual registry is that mapping lookup participation is enabled
and the use of policy associations is disabled. When you enable the use of policy
associations for an individual target registry, you must also ensure that this setting is enabled
for the domain.
You can configure mapping lookup participation and the use of policy associations for each
registry in one of the following ways:
Mapping lookup operations cannot be used for the specified registry at all. In other words,
an application that performs a mapping lookup operation involving that registry will fail to
return results.
Mapping lookup operations can use specific identifier associations between user identities
and EIM identifiers only. Mapping lookups are enabled for the registry, but the use of policy
associations is disabled for the registry.
Mapping lookup operations can use specific identifier associations when they exist and
policy associations when specific identifier associations do not exist (all settings are
enabled).
EIM access controls allow a user to perform specific administrative tasks or EIM lookup
operations. Only users with EIM administrator access are allowed to grant or revoke
authorities for other users. EIM access controls are granted only to user identities that are
known to the EIM domain controller.
The following sections provide brief descriptions of the functions that each EIM access control
group can perform.
LDAP administrator
This access control allows the user to configure a new EIM domain. A user with this access
control can perform the following functions:
Create and delete a domain
Create and remove EIM identifiers
Create and remove EIM registry definitions
Create and remove source, target, and administrative associations
Perform EIM lookup operations
Retrieve associations, EIM identifiers, and EIM registry definitions
Add, remove, and list EIM authority information
EIM administrator
This access control allows the user to manage all of the EIM data within this EIM domain. A
user with this access control can perform the following functions:
Delete a domain
Figure 4-24 on page 207 shows setting up an EIM configuration that involves z/OS.
Steps for installing and configuring the EIM domain controller on z/OS
Note: For the Tivoli Directory Server for z/OS, the following requirements must be met:
Tivoli Directory Server must be configured to use the TDBM back end. A TDBM is a
general purpose back end that can store any type of directory information. It uses a
DB2 database to do this. If a TDBM is not used, an LDBM must be used, which is a
z/OS UNIX System Services file system. This is a file-based back end to store directory
information.
An optional back end called the SDBM, which is the RACF database.
Attention:
An EIM domain must be updated using the EIM APIs or administrative
applications that use the EIM APIs. We do not recommend using the LDAP
utilities and LDAP client APIs to update information in an EIM domain.
Do not alter the EIM schema definitions unless directed to do so by your IBM
service representative during problem diagnosing.
2. Consider the options that you have for setting up an EIM domain that includes z/OS:
a. Use Tivoli Directory Server on z/OS as the domain controller. (z/OS and non-z/OS
applications could access the data.) The Tivoli Directory Server on z/OS must be
configured with the TDBM back end. If you plan to use RACF user IDs and passwords
for the bind credentials, configure the server with the SDBM and the TDBM back ends.
b. Set up the Tivoli Directory Server on z/OS in multi-server mode. This configuration has
multiple LDAP servers sharing the TDBM back end store, which is useful if you want to
balance the work load between your LDAP servers.
c. The z/OS EIM application can access a domain controller that is on another platform.
Figure 4-25 lists important directories for EIM installation. Your system programmer should
review the rightmost column of this table, crossing out any defaults that have changed and
recording the correct directory names.
Tip: An EIM administrator who uses the eimadmin utility might want that the directory for
the eimadmin utility be placed in the PATH environment variable. This enables the ability to
run the utility without having to specify the path when issuing the command (or changing to
the /usr/lpp/eim/bin directory before issuing the command). The PATH environment
variable can be modified to include the EIM programs directory by issuing the following
command from a shell prompt:
export PATH=$PATH:/usr/lpp/eim/bin
This adds the EIM program’s directory to the end of the list of directories to search for
programs. Add the export command to a user’s .profile file so that each time the user
enters a shell, the PATH is updated.
Note: This assumes that the o=IBM,c=US objects are defined in the LDAP Directory.
2. Give an EIM administrator authority to the domain by entering a command such as the
following command from the z/OS shell:
eimadmin
-aC
-d domainDN
-c ADMIN
-q accessUser
-f accessUserType
-h ldapHost
-b bindDN
-w bindPassword
The parameter following -c is the accessType parameter. In this situation, the value must
be ADMIN. The bindDN must be the distinguished name for the LDAP administrator.
The following command can be issued by the LDAP administrator to give the EIM
administrator, cn=eim administrator,ou=dept20,o=IBM,c=US, authority to administer the
EIM domain:
eimadmin
-aC
-d ’ibm-eimDomainName=My Domain,o=IBM,c=US’
-c ADMIN
-q ’cn=eim administrator,ou=dept20,o=IBM,c=US’
-f DN
-h ldap://some.ldap.host
-b ’cn=ldap administrator’
-w secret
3. Add registries to the EIM domain by entering a command such as the following command
from the z/OS shell:
eimadmin
-aR
-d domainDN
-r registryName
-y registryType
-n description
-h ldapHost
-b bindDN
-w bindPassword
The following command adds a RACF registry to the EIM domain named My Domain:
eimadmin
-aR
-d ’ibm-eimDomainName=My Domain,o=IBM,c=US’
-r ’RACF Pok1’
-y RACF
-n ’the RACF Registry on Pok System 1’
-h ldap://some.ldap.host
-b ’cn=eim administrator,ou=dept20,o=IBM,c=US’
-w secret
The following command adds an IBM i registry to the EIM domain named My Domain:
eimadmin
-aR
-d ’ibm-eimDomainName=My Domain,o=IBM,c=US’
-r ’OS400 RCH1’
-y OS400
-n ’the OS400 Registry on Rochester System 1’
-h ldap://some.ldap.host
Note: You can create associations only after registries and identifiers are in place.
The command creates only two associations. Conversely, you can create multiple
associations by specifying a file name as standard input to the eimadmin command.
Specifying a file name indicates using a file of associations as input for batch
processing of multiple associations.
Your LDAP server configuration and security requirements determine which method you
choose. The examples in this section illustrate how you can use these methods with the
eimadmin utility.
This information explains how the bind credentials specified correspond to the distinguished
name that LDAP uses for access checking. Your access to EIM data is determined by the
authority groups of which the distinguished name is a member. The exception is the
distinguished name for the LDAP administrator that has unrestricted access.
Note: Unless an SSL session has been established, the password is sent over the network
in plain text, making this method the least secure. The distinguished name that you specify
is the one LDAP uses for access checking.
Note: LDAP uses the client certificate’s subject distinguished name for access checking.
Using Kerberos
To bind using a Kerberos identity, specify connect type GSSAPI on the eimadmin command.
No other credential information is required, but the default Kerberos credential must be
established through a service such as kinit before entering the command, as follows:
kinit [email protected]
eimadmin
-lD
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-S GSSAPI
For access checking, LDAP considers a distinguished name formed by prefixing the Kerberos
principal name with ibm-kgn= or distinguished names located through special mapping or
searches.
The strength of SSL is that data transferred over the connection is encrypted, including the
password for a SIMPLE bind. The eimadmin utility recognizes the need for an SSL connection
Managing registries
A domain typically contains multiple registries. User identities for a particular system are
associated with a system registry, while a subset of identities might be associated with an
application registry.
Note: After you define an application registry, you can refer to it by name in EIM APIs and
eimadmin commands without having to identify it as an application-type registry.
Listing a registry
You can list any registry using a command similar to the following:
eimadmin
-lR
-r ’App1’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Removing a registry
To remove a registry, issue the following command:
eimadmin
-pR
-r ’App1’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Attention: EIM refuses to remove a system registry if any application registries depend on
it.
You can find the dependents that you must remove by searching for all occurrences of the
system registry name in the output from the following command, which lists all registries:
eimadmin
-lR
-r ’*’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Rule: When defining or referencing a registry alias, you must specify an associated
registry type.
Assigning an alias
Enter the following command to assign an alias name to an existing registry:
eimadmin
-mR
-r ’RACF Test Pok1’
-x ’z/OS’
-z ’RACF’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
This example defines the alias z/OS (of type RACF) for registry RACF Test Pok1.
Listing an alias
You can list the registry and its aliases using the following command:
eimadmin
-lR
-r ’RACF Test Pok1’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Removing an alias
You can delete an alias for a registry using the following command:
eimadmin
-eR
-r ’RACF Test Pok1’
-x ’z/OS’
-z ’RACF’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Enter the following two commands to reassign alias z/OS from registry RACF Test Pok1 to
registry RACF Pok1:
eimadmin
-mR
-r ’RACF Pok1’
-x ’z/OS’
-z ’RACF’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
eimadmin
-eR
-r ’RACF Test Pok1’
-x ’z/OS’
-z ’RACF’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Adding an identifier
When you create a new EIM identifier, it is assigned a name that is unique within the domain.
The eimadmin utility requires that you specify a unique name (unlike the eimAddIdentifier
API option that generates a unique name for you).
You can assign an alternate name, or alias, to multiple identifiers. This non-unique name can
be used to further describe the represented individual or to serve as an alternative identifier
for lookup operations.
Enter the following command to add a new identifier John S. Day with two aliases:
eimadmin
-aI
-i ’John S. Day’
-j ’654321’
-j ’Contractor’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
You can list the new identifier using the unique name.
You can also list the new identifier using an alias name.
The utility returns all entries having Contractor defined as an alternative name, as follows:
eimadmin
-lI
-j ’Contractor’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Adding associations
You can register the system and application user IDs assigned to the individual by defining
EIM associations between the identifier and the corresponding registries.
Enter the following command to create source and target associations for user ID JD in
registry RACF Pok1:
eimadmin
-aA
-i ’John S. Day’
-r ’RACF Pok1’
-u ’JD’
-t source
-t target
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Listing associations
Enter the following command to list all associations for John S. Day:
eimadmin
-lA
-i ’John S. Day’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
If you only need to reflect the deletion of a user ID from a registry, simply remove the
corresponding EIM associations.
Removing associations
Enter the following command to remove the source and target associations for user ID JD in
registry RACF Pok1:
eimadmin
-pA
-i ’John S. Day’
-r ’RACF Pok1’
-u ’JD’
-t source
-t target
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Removing an identifier
Enter the following command to remove an identifier and its associations, including identifier
aliases:
eimadmin
-pI
-i ’John S. Day’
-d ’ibm-eimDomainName=MyDomain,o=IBM,c=US’
-h ldap://some.ldap.host
-b ’cn=eimadministrator,ou=dept20,o=IBM,c=US’
-w secret
Suppose that a user has registry administrator authority over a specific registry, and your task
is to switch the user’s authority to a different registry. You can accomplish this task in two
steps:
1. Add the user to the new registry administrator group.
2. Remove the user from the prior group.
Tip: Issuing these commands is optional. However, setting up your system this way can
eliminate the need for individual applications to handle EIM domain and bind information.
The default domain and bind information can be specified in one of three places:
1. The user ID that the application runs under has the name of an LDAPBIND class profile in
its USER profile
2. The IRR.EIM.DEFAULTS profile in the LDAPBIND class
3. The IRR.PROXY.DEFAULTS profile in the FACILITY class
These RACF profiles can be set up in such a way as to control the access that the application
has to the EIM domain:
New connections with an EIM domain can be enabled or disabled by using keywords on
the RDEFINE or RALTER commands.
Bind credentials can be specific to the server or administrator who uses them.
The EIM APIs try to retrieve the information from a profile if the application does not explicitly
supply the information to the EIM APIs using parameters. Applications or other services that
use EIM can instruct their callers to define a profile in the LDAPBIND class profile.
Storing LDAP bind information in a profile is shown in Figure 4-29 on page 224.
Before you begin, use the decision table shown in Figure 4-29 to determine which profile to
use.
Setting up a registry name for your local RACF registry is shown in Figure 4-30 on page 225.
Figure 4-30 Setting up a registry name for your local RACF registry
Many of the EIM APIs require the name of a registry. For example, if you are adding a registry
to an EIM domain, know the name of the new registry. However, you can use the lookup APIs
(such as eimGetTargetFromSource, eimGetIdentifierFromSource, and
eimGetAssociatedIdentifiers) to convert:
1. A user ID to its equivalent RACF user ID
2. A local RACF user ID to an enterprise identifier
For such applications, you can eliminate the requirement for providing the RACF registry
name or its alias on the local system. You do this by giving a name to the local RACF registry.
To set up EIM so that you do not need a registry name on every lookup, follow the instructions
in this section. To define the local registry, enter the following RACF command in which
registryName is the name of the local registry:
RDEFINE FACILITY IRR.PROXY.DEFAULTS EIM(LOCALREGISTRY(registryName))
Note: EIM does not look for the registry name in an LDAPBIND class profile.
You can also configure the system with a Kerberos registry name and an X.509 registry
name. Issue the following commands to define default Kerberos and X.509 registries for the
configured EIM domain:
RALTER FACILITY IRR.PROXY.DEFAULTS EIM(KERBREGISTRY(registry name) +
X509REGISTRY(registry name))
Note: You need to define these registry names in the configured EIM domain.
If you want to disable a server (rather than a system) from using a configured EIM domain,
enter the following command:
RALTER LDAPBIND ldapbind_profile EIM(OPTIONS(DISABLE))
This command applies only to a server that has an ldapbind class profile specified for its user
ID.
Tip: To disable a system-wide default EIM domain (rather than a server) that default
profiles use, enter one of the following commands:
RALTER FACILITY IRR.PROXY.DEFAULTS EIM(OPTIONS(DISABLE))
RALTER LDAPBIND IRR.EIM.DEFAULTS EIM(OPTIONS(DISABLE))
Using output from the RACF database unload utility and eimadmin
to prime your EIM domain with information
You can start to put EIM information (identifiers, RACF user IDs, and associations) into your
EIM domain by using output from DBUNLOAD and eimadmin.
For large installations, priming the EIM domain with identifiers and associations can involve a
lot of work. To make the task of getting started with EIM easier, the eimadmin utility accepts as
input a file containing a list of identifiers and associations.
The section explores the steps for setting up an EIM domain based on user information
contained in a RACF database. The initial assumptions are that the EIM domain, World Wide
Domain, has been created and an SAF system registry, SAF user IDs, is defined in the
domain. The LDAP host name for the domain is ldap://some.big.host. The EIM
administrator uses the bind distinguished name of cn=EIM Admin,o=My Company,c=US and the
password is secret. The EIM administrator bind distinguished name has been given EIM
administrator authority and can perform all of the steps that we list here.
A user with other types of EIM authority, such as the following types of authority, can perform
a subset of the following steps:
EIM identifier administrator authority only works with identifiers and source and target
associations.
EIM registries administrator authority only works with target associations.
EIM registry-specific administrator authority for the SAF registry only works with target
associations in the SAF registry.
To set up an EIM domain based on user information contained in a RACF database, follow
these steps:
1. Request from your RACF security administrator a file containing a copy of the user profiles
in the RACF database. The RACF security administrator can:
a. Run the database unload utility (IRRDBU00) to create the sequential file.
b. Run the file through a sort program, such as DFSORT or DFSORT ICETOOL to extract
just the user profiles and wanted fields. The User Basic Data Record (0200) contains
the user ID and the programmer name. In this example, the programmer name is used
for the EIM identifier.
Tip: At a minimum, a user who is looking for a mapping in the EIM domain needs to have
EIM mapping operations authority. In most cases, the application has one set of
credentials for connect to an EIM domain, and those credentials are shared by all users.
However, if individual access is needed, a bind distinguished name needs to be defined for
each of the users and given EIM mapping operations authority.
Open Cryptographic Enhanced Plug-ins are shown in Figure 4-31 on page 229.
What a plug-in is
The supplied modules are called plug-ins because they are logically slotted into specific
locations in the OCSF framework. OCEP supplies two service provider modules, which are
called plug-ins. They are used within the OCSF Framework. In other words, they are actual
implementations using the OCSF Framework.
Within this framework, these service provider modules are used within these two areas:
Trust Policy (TP module) is deployed to verify trust in a certificate, so the most crucial action
by a TP module would be “Is this certificate trusted for this action”.
Data Storage Library (DL module) is a data storage library module (DL) that is involved in
handling certificates and CRLs. It covers:
Secure storage
Persistent storage
Retrieval: recovery of certificates and CRLs
An OCSF framework showing the location of OCEP plug-ins is shown in Figure 4-32 on
page 230.
In general terms, the presence of these modules allows an application to use the z/OS
Security Server (RACF) to provide security functions for digital certificates. Within this
framework, these two service provider modules will also work with Certificate Library (CL
modules) and Cryptographic Service Provider (CSP modules).
Remember that the OCSF Framework will handle interactions between the modules and the
applications that use them. This is best described in Figure 4-32, where the two supplied
modules are the OCEP Service Provider modules.
n t i a l
n f i de
Co
Figure 5-1 Introduction to cryptography
Introduction to cryptography
The word cryptography literally means secret writing. Throughout history, information has
been an asset that provides the owner a competitive advantage.
Failure to adequately protect information has had significant consequences for countries.
Today, If an enterprise does not exercise due care in protecting sensitive information about
others, it risks losing its competitive advantage and market share through industrial
espionage or losses due to lawsuits.
Cryptography is the only known practical method of protecting information that is transmitted
electronically through communication networks. It can also be an economical way to protect
stored information. As computing systems become increasingly exposed through increased
computer literacy and reliance on distributed computing, the pervasiveness of cryptography
will increase as industry seeks ways to protect their information assets.
Cryptographic capabilities:
- Data confidentiality
- Data integrity
- Authentication and
- Identification
- Electronic signature
Cryptographic capabilities
The use of cryptography provides many data-handling capabilities, such as data
confidentiality, data integrity, authentication, and electronic signatures.
Data confidentiality
Traditionally, cryptography is a data scrambling method used to conceal the information
content of a message. When a message is encrypted, the input plain text (unencrypted text)
is transformed by an algorithm into enciphered text that hides the meaning of the message.
This process involves a secret key that is used to encrypt and (later) decrypt the data. Without
this secret key, the encrypted data is meaningless. To conceal a message without using
cryptography, a secure physical communication line is required. With cryptography, only the
secret data encryption key has to be transmitted by a secure method. The encrypted text can
be sent using any public mechanism.
Data integrity
Although cryptography is best known for its ability to protect the confidentiality of data, it is
also used to protect the integrity of data. For example, a cryptographic checksum, such as a
message authentication code (MAC), can be calculated on arbitrary user-supplied text. The
text and MAC are then sent to the receiver. The receiver of the message can verify the MAC
appended to a message by recalculating the MAC for the message using the appropriate
secret key and verifying that it matches the received MAC exactly.
Electronic signature
In normal business, a legal transaction is completed by a verifiable authorized signature (just
sign on the dotted line). An analogous process is required by new electronic applications,
such as Electronic Data Interchange (EDI). A digital signature is a means of achieving this by
using cryptographic mechanisms. It assures the recipient that the message is authentic and
Their fundamental difference is in how keys are used with these encryption methods.
We discuss these algorithms in the next sections (5.4, “Symmetric encryption algorithms” on
page 235, and 5.5, “Asymmetric encryption algorithms” on page 236).
Encryption Decryption
message algorithm Internet algorithm message
Key
Most symmetric ciphers are block ciphers. They operate on a fixed number of characters at a
time, usually 8 bytes. Following are some frequently used algorithms:
Data Encryption Standard (DES): Developed in the 1970s by IBM scientists, DES uses
an 8-byte key; however, one bit in each byte is used as a parity bit; so, the key length is
56 bits. Stronger versions called Triple DES, which uses three operations in sequence,
have been developed:
– 2-key Triple DES encrypts with key 1, decrypts with key 2, and encrypts again with key
1. The effective key length is 112 bits.
– 3-key Triple DES encrypts with key 1, decrypts with key 2, and encrypts again with key
3. The effective key length is 168 bits.
Advanced Encryption Standard (AES): Sometimes known as Rijndael, AES is a block
cipher adopted as an encryption standard by the US government. It is considered the
successor to DES and TDES and is expected to be used worldwide. AES uses a larger
block size than DES and TDES do. While DES uses a block size of 8 bytes (64 bits), AES
uses a block size of 16 bytes (128 bits) along with the capability of using longer keys than
DES or TDES. This block size should be acceptable for messages of up to 256 exabytes of
data, and the bigger length of the keys delays for quite a few years the possibility of finding
the key value using brute force.
Commercial Data Masking Facility (CDMF): A version of the DES algorithm that is used
for export from the US and uses 56-bit keys; however, 16 bits of the key are known. So, the
effective key length is 40 bits.
RC2: Developed by Ron Rivest for RSA Data Security, Inc., RC2 is a block cipher with
variable key length operating on 8-byte blocks. Key lengths of 40 bits, 64 bits, and 128 bits
are used.
RC4: Developed by Ron Rivest for RSA Data Security, Inc., RC4 is a stream cipher with
variable key length. Stream ciphers operate on each byte, not on blocks of data. Key
lengths of 40 bits, 64 bits, and 128 bits are used.
With these ciphers, it can be assumed that a brute-force attack is the only means of breaking
the cipher; therefore, the work factor depends on the length of the key. If the key length is n
bits, the work factor is proportional to 2**(n-1).
Encryption Decryption
message algorithm Internet algorithm message
Asymmetric encryption algorithms, commonly called Public Key Cryptosystems (PKCS), are
based on mathematical algorithms. The basic idea is to find a mathematical problem that is
very hard to solve. Only one algorithm, RSA, is in widespread use today. However, some
companies have begun to implement public-key cryptosystems based on so-called elliptic
curve algorithms. The following list provides a brief overview of asymmetric algorithms:
RSA: RAS was invented in 1977 by Rivest, Shamir, and Adleman (who formed RSA Data
Security, Inc.). The idea behind RSA is that integer factorization of very large numbers is
extremely hard to do. Key lengths of public and private keys are typically 512 bits, 1024
bits, or 2048 bits.
Elliptic Curve: Public-key cryptosystems based on elliptic curves use a variation of the
mathematical problem to find discrete logarithms. It has been stated that an elliptic curve
cryptosystem implemented over a 160-bit field has roughly the same resistance to attack
as RSA with a 1024-bit key length.
Elliptic curve cryptosystems are said to have performance advantages over RSA in
decryption and signing.
Uses of cryptosystems
Cryptosystems, both symmetric and asymmetric, are used for data privacy, data integrity, and
digital signatures.
Different solutions exist in different environments, and we list a few of these solutions in the
following sections.
If tamper-resistant hardware is used, this solution can fulfill the highest security requirements
and can also be made secure against insider attacks. The amount of administrative effort and
cost, however, would be prohibitive for many environments.
Users (principals) are authenticated by a central authentication server (the DCE Security
Server) using the Kerberos V.5 third-party authentication method. All client and server
During authentication, the security server can send information to the client encrypted under
the client's Master Key (password). A client who wants to communicate with an application
server needs a ticket for this application server from the security server. A ticket is a collection
of information about the client, encrypted by the security server with the Master Key of the
application server. The client cannot read or modify the ticket, which can be compared to a
sealed envelope that the client can forward to the server as a method for identify but which
the user cannot open, read, or modify.
The security server creates a random session key that the client and the application server
can use to encrypt the data that they send to each other. This session key is included in the
ticket and is also sent to the client encrypted under the client’s Master Key.
The authentication and key management method used by DCE can create a highly secure
client/server environment. If all security features provided by DCE are used, a network can be
made impenetrable even to sophisticated intruders. A hacker would need a computer that is
defined in the registry with a valid Master Key to even be able to attempt to log in and make a
guess at a principal’s password.
The use of symmetric encryption causes the overhead for the security functions, although too
large to be neglected to be tolerable.
The downside is that all clients need to be defined and administered in the registry. This is
adequate for client/server computing within an enterprise but does not scale well into a user
population made up of large numbers of suppliers and customers on the Internet.
The recipient uses the private key to decrypt the DES, RC2, or RC4 key and uses this key to
decrypt the data and recover the plain text. This method works very well and has reasonable
performance because RSA is used to encrypt or decrypt only small amounts of data. The
length of symmetric keys is typically 8 - 32 bytes.
The problem with this method arises from the question: How can someone publish a public
key in a secure manner? If I send you my public key, pretending it is the public key of
someone else (for example, Jack Jones), and trick you into believing me, you will then send
encrypted data to the person who you believe is Jack Jones, and I can decrypt that data. This
situation is one where digital certificates and a public key infrastructure (PKI), a hierarchy of
authorities that issue certificates and attest to their authenticity, can help.
MACs rely on the same secret key that is used by both the sender (to create the MAC) and
the receiver (to verify the MAC). Since the MAC is derived from a secret key known only to the
sender and receiver the MAC can be sent in the clear. An adversary sitting between the
sender and the receiver (a so-called “person-in-the-middle” attack) can alter the message but
cannot forge the MAC because the key to create the MAC is unknown. The mathematical
principle behind using the MAC is that finding a message that fits a certain MAC is as difficult
as breaking DES encryption.
The sender of a message (block of data) uses an algorithm (for example SHA-1) to create a
message digest from the message. The message digest is sent together with the message.
The receiver runs the same algorithm over the message and compares the resulting
message digest to the one sent with the message. If both match, the message is unchanged.
The message digest cannot be sent in the clear. Because the algorithm is well known and no
key is involved, a person-in-the-middle can forge the message and can also replace the
message digest with that of the forged message, making it impossible for the receiver to
detect the forgery. Depending on the application and the key management used, either
symmetric cryptosystems or public-key cryptosystems can be used to encrypt the message
digest.
Because a message digest is a relatively small amount of data, it is especially well-suited for
public-key encryption.
Digital signatures
Figure 5-8 Digital signatures
Digital signatures
Digital signatures are an extension of data integrity. While data integrity only ensures that the
data received is identical to the data that is sent, digital signatures go a step further. They
provide non-repudiation, which means that the sender of a message (or the signer of a
document) cannot deny authorship (similar to signatures on paper).
The receiver uses the sender’s public key to decrypt the message digest and sender’s
identification. The receiver then uses the message digesting algorithm to compute the
message digest from the data. If this message digest is identical to the one recovered after
With digital signatures, only public-key encryption can be used. If symmetric cryptosystems
are used to encrypt the signature, it is very difficult to make sure that the receiver (having the
key to decrypt the signature) could not misuse this key to forge a signature of the sender. The
private key of the sender is not known to anyone else. So, nobody can forge the sender’s
signature.
The difference between encryption using public key cryptosystems and digital signatures
includes:
With encryption, the sender uses the receiver’s public key to encrypt the data, and the
receiver decrypts the data with a private key. Thus, everybody can send encrypted data to
the receiver that only the receiver can decrypt.
With digital signatures, the sender uses the private key to encrypt the signature, and the
receiver decrypts the signature with the sender’s public key. Thus, only the sender can
encrypt the signature, but anyone who receives the signature can decrypt and verify it.
The tricky thing with digital signatures is the trustworthy distribution of public keys.
CCA was introduced in October 1989 with the IBM Transaction Security System and the IBM
Integrated Cryptographic Facility (IBM ICSF) with its supporting Integrated Cryptographic
Services Facility/MVS (ICSF/MVS).
These products and their follow-ons conform to the IBM CCA application programming
interface.
CCA API
The IBM CCA cryptographic API definition uses a common key management approach and
contains a set of consistent callable services. (A callable service is a routine that receives
control when an application program issues a CALL statement.)
Common key management ensures that all products that conform to the architecture allow
users to share cryptographic keys in a consistent manner. The definition of key management
provides methods for initializing keys on systems and networks, and also supports methods
for the generation, distribution, exchange, and storage of keys.
Table 5-1 shows most of the categories of CCA callable services and some of the services in
each category. The service pseudonym is the descriptive name for a service, while the service
name is the formal name for the service and the name by which the service is called from a
program.
Figure 5-10 on page 245 shows a cryptographic overview of IBM System zEC12.
TKE Workstation
ISPF panels (optional)
System zEC12
Other systems
Clear/Encrypted Data
? ? ? ? z /OS
Master Key RACF
CPACF Crypto
instructions ICSF
Crypto Encryption/
Decryption IBM Exploiters
Express 4s Callable
Key to use Services
APIs
Home Grown
Applications
or MSA instructions
Application-managed
in the application key
OPTIONS
CKDS PKDS TKDS DATA
SET
Applications' symmetric Applications' RSA PKCS#11 objects
keys in clear text or secure ICSF run-time
keys in clear text or
key form secure key form. options
The CPACF features are usable only when explicitly enabled through Feature Code 3863,
except for the CPACF SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 functions, which
are always enabled.
To fully use the zEC12 cryptographic features requires the Integrated Cryptographic Service
Facility (ICSF), which is the support program for the cryptographic features CPACF, CEX4C,
CEX4P, CEX4A, CEX3C, and CEX3A. ICSF is integrated into z/OS.
Additionally, the optional TKE workstation feature is part of a customized solution for using the
Integrated Cryptographic Service Facility for z/OS licensed program to manage cryptographic
keys of a System zEC12 that has CEX4C, CEX4P, or CEX3C features installed and intended
for the use of DES and PKA with secure cryptographic keys.
Figure 5-10 on page 245 describes the overall hardware and software layout of the hardware
cryptography in a System zEC12 and z/OS, as follows:
The exploiters of the cryptographic services call the ICSF API. Some functions are
performed by the ICSF software without invoking the cryptographic coprocessor; other
functions result in ICSF going into routines containing the cryptographic instructions. The
cryptographic instructions to drive CEX4C and CEX3C are IBM proprietary and are not
disclosed; the cryptographic instructions to interface with CPACF are published in
z/Architecture Principles of Operation, SA22-7832.
These instructions are executed by a CPU engine and, if not addressing the CPACF
functions, result in a work request being generated for a cryptographic coprocessor.
Note: The encryption or decryption keys are themselves encrypted and, therefore,
unusable when residing outside of the cryptographic coprocessor.
Physically, these keys can be stored in ICSF-managed VSAM data sets and pointed to by
the application using the label they are stored under. The Cryptographic Key Data Set
(CKDS) is used to store the symmetric keys in their encrypted form, and the Public Key
Data Set (PKDS) is used to store the asymmetric keys. The application also has the
capability of providing an encrypted encryption key or a clear encryption key directly in
memory (that is to use as is) to the coprocessor.
For high-speed access to symmetric cryptographic keys, the keys in the CKDS are
duplicated into an ICSF-owned data space.
Figure 5-11 on page 247 shows hardware implementation of CP Assist for Cryptographic
Functions.
CP CP CP ... CEX3
CEX4
CPACF CPACF CPACF ... I/O Cage or
I/O Drawer
CPACF operates with a specific set of machine instructions, the Message-Security Assist
(MSA) instructions, which are problem state instructions and therefore available to all
applications. Alternatively, these functions can also be called through the Integrated
Cryptographic Service Facility (ICSF) component of z/OS by an ICSF-aware application. The
MSA instructions are described in z/Architecture Principles of Operation, SA22-7832.
The MSA instructions are all executed synchronously regarding the CP instruction stream,
contrary to the operations executed on the Crypto Express cards, which execute
asynchronously. The CPACF operations are therefore quite fast and can be used to support a
high volume of cryptographic requests. Because the CPACF instructions are available on
every PU within a System zEC12 and because the CPACF operates with clear keys only,
there is no notion of logical partition sharing or cryptographic domains with CPACF.
The CPACF provides the MSA instruction set on every CP of a zEC12 and zBC12 server.
Each of these instructions can perform several functions. Therefore, the MSA basic facility
supplies a query function with each instruction so that the programmer can determine
whether a given function is available on a given processor. If a programmer attempts to use a
On the zEC12 and zBC12, the MSA instruction set always includes the following functions:
KIMD-SHA-1, KIMD-SHA-256, KIMD-SHA-512 and KIMD-GHASH
KLMD-SHA-1, KLMD-SHA-256 and KLMD-SHA-512
Because the CPACF cryptographic functions are implemented in each CP, the potential
throughput scales with the number of CPs in the server.
The hardware of the CPACF that performs encryption operations and SHA functions operates
synchronous to the CP operations. The CP cannot perform any other instruction execution
while a CPACF cryptographic operation is being executed. The CP internal code performs
data fetches and stores resultant data while cryptographic operations are executed in the
CPACF hardware on a unit basis as defined by the hardware.
These modes can be configured by using the Support Element, and the PCIe adapter must
be configured offline to change the mode.
The Crypto Express4S uses the IBM 4765 PCIe Coprocessor. The Crypto Express4S feature
does not have external ports and does not use fiber optic or other cables. It does not use
channel-path identifiers (CHPIDs), but requires one slot in the PCIe I/O drawer and one
physical channel ID (PCHID) for each PCIe cryptographic adapter. Removal of the feature or
card zeroizes its content. The zEC12 supports a maximum of 16 Crypto Express4S features.
Access to the PCIe cryptographic adapter is controlled through the setup in the image profiles
on the SE.
Integrated/Duplicate Processors
2 boards
Reliably runs Common Crypto Arch (CCA)
CPU
CPU
FLASH
FLASH
Tamper
Tamper
SP
SP Detection
Detection
Separate CPUCPU
CPU
Service
DRAM
DRAM
Processor-
CPU +AES
Concurrent CPU
DRAM Core Functions
Core Functions +RSA
user code DRAM
update
RTC
RTC
BBRAM
BBRAM
I/F Logic
Logic Secure
Secure
Boundary
Boundary
Core
+SHA
New Interface USB
USB PCI express
express
PCI
PCI x I/F
Serial
Serial
x4 Interface change to PCI-e
Each Crypto Express3 PCI Express adapter can have one of these configurations:
Secure coprocessor (CEX3C) for Federal Information Processing Standard (FIPS) 140-2
Level 4 certification. This configuration includes secure key functions, and is optionally
programmable to deploy more functions and algorithms by using UDX.
Accelerator (CEX3A) for acceleration of public key and private key cryptographic
operations that are used with SSL/TLS processing.
These modes can be configured by using the Support Element. The PCIe adapter must be
configured offline to change the mode.
The Crypto Express3 feature is designed to complement the functions of CPACF. This feature
is tamper-sensing and tamper-responding. Unauthorized removal of the adapter or feature
zeroizes its content. It provides dual processors that operate in parallel, supporting
cryptographic operations with high reliability.
The CEX3 uses the 4765 PCIe Coprocessor. It holds a secured subsystem module, batteries
for backup power, and a full-speed USB 2.0 host port available through a mini-A connector.
On System z, these USB ports are not used. The securely encapsulated subsystem contains
two 32-bit IBM PowerPC® 405D5 RISC processors that run in lockstep with cross-checking to
The Crypto Express3 feature does not have external ports, and does not use fiber optic or
other cables. It does not use CHPIDs, but requires one slot in the I/O cage and one PCHID for
each PCIe cryptographic adapter. Removal of the feature or card zeroizes the content.
The zEC12 supports a maximum of eight Crypto Express3 features on a carry-forward basis,
offering a combination of up to 16 coprocessors and accelerators. Access to the PCIe
cryptographic adapter is controlled through the setup in the image profiles on the Support
Element (SE).
Each zEC12 supports up to eight Crypto Express3 features, which means a maximum of 16
PCIe cryptographic adapters.
Master key
All other keys that are encrypted under a master key are stored outside the protected area of
the cryptographic hardware; they cannot be attacked because the master key used to encrypt
them is itself secure inside the tamper-protected cryptographic hardware and is zeroized if
there is any attempted attack. This is an effective way to protect many keys while needing to
provide physical security for only a master key.
When the cryptographic hardware is a CEX3C/CEX4C, the master key is called the
Symmetric-keys Master Key (SYM-MK). In a z/OS environment, the SYM-MK is 128 bits
(16 bytes) long.
Table 5-2 shows some of the key types supported by the CCA.
CIPHER A 64-bit or 128-bit key used in the Encipher or Decipher callable service.
DATA A 64-bit, 128-bit, or 192-bit key used in the Encipher, Decipher, MAC generate, or
MAC verify callable service.
DATAC A 128-bit key used in the Encipher or Decipher callable service, but not in the MAC
generate or MAC verify callable service.
DATAM 128-bit key used in the MAC generate or MAC verify callable service.
DECIPHER A 64-bit or 128-bit key used only to decrypt data. DECIPHER keys cannot be used
in the Encipher callable service.
ENCIPHER A 64-bit or 128-bit key used only to encrypt data. ENCIPHER keys cannot be used
in the Decipher callable service.
EXPORTER A 128-bit key-encrypting key used to convert a key from the operational form into
exportable form.
IMPORTER A 128-bit key-encrypting key used to convert a key from the importable form into
operational form.
MAC A 64-bit or 128-bit key used in the MAC generate or MAC verify callable service.
MACVER A 64-bit or 128-bit key used in the MAC verify callable service but not in the MAC
generate callable service.
Each type of key (except the master key) has a unique control vector associated with it. The
bits in a control vector specify the possible uses of the key in great detail. For example, there
are bits that specify the key type, the key subtype, whether the key can be exported, and
Whenever the master key is used to encrypt a key, the cryptographic hardware produces a
variation of the master key according to the type of key that is being enciphered. These
variations are called master key variants. The cryptographic hardware creates a master key
variant by exclusive ORing a control vector with the master key. For example, when the
master key is used to encipher a DATA key, the cryptographic hardware produces the master
key DATA variant by XORing the master key with the control vector for DATA keys. After
creating the master key DATA variant, the cryptographic hardware encrypts the DATA key by
using the master key DATA variant as the key for the encryption algorithm. See Figure 5-15.
Encryption request 1
"DATA
key"
Control Encrypted
vector C key K
plaintext ciphertext
Control vector
2 checking
DES 5
Master key
encryption
3
4
Master key variant: DES
DATA keys decryption
Unencrypted
DATA key
CEX4C secure boundary
DES encryption
In Figure 5-15, we formulate a request to encrypt some plaintext using a DATA key K that has
already been encrypted under the SYM-MK master key of the CEX4C (1). K has an
associated control vector C. C is examined to see if it has attributes that qualify it to be used
in the called service in the requested way (2). If it does not, the service invocation fails. If C is
valid, execution of the requested service continues. The CEX4C XORs the master key with
the DATA Control Vector to produce a master key variant (3). Next, it uses the master key
variant to decrypt our DATA key K (4). Finally, it performs the requested encryption using the
decrypted DATA key (5).
Notice that each key K is encrypted in such a way that the value of the master key and the
control vector C (associated with K) must be specified to recover the key.
The conversion from one key form to another key form is considered to be a one-way flow:
importable operational exportable. An operational key form cannot be turned back into
an importable key form, and an exportable key form cannot be turned back into an operational
or importable key form.
Operational keys are accessed either directly by value in an internal key token or indirectly by
a key label.
Internal key token
The key_identifier parameter, which is found in most of the cryptographic API callable
services, allows the programmer to pass keys to the service either directly by value or
indirectly through a key label.
A key in importable or exportable form is kept in an external key token. The external key token
contains the encrypted key and its associated control vector; see Figure 5-16 on page 254.
Alice's system
Key Export
CEX4C
Master DES
key A encryption
DES DES
decryption decryption
DATA
control
vector
Unencrypted Unencrypted
DATA key EXPORTER key
After the manual installation of these initial key-encrypting keys, all subsequent key
distribution can be done electronically. For example, Alice can execute the key export service
to convert the information for K found in its internal key token to an exportable key in an
external key token. The external key token contains K encrypted under the exporter key
(instead of the master key) and Ks that are associated control vector. The key is encrypted
under the key-encrypting key that exists on Alice’s sending system as an exporter key and on
Bob’s receiving system as an importer key. See where Alice sends a DATA key to Bob.
Note: Because the key-export service is performed in the CEX4C, the clear value of the
key to be exported is not revealed. Also, note that if the content of the control vector is
changed either accidentally or intentionally, the correct key value will not be recovered
because the value of the encrypted key is cryptographically coupled to the control vector.
Bob's system
Key Import
CEX4C
Master DES
key B encryption
DES DES
decryption decryption
DATA
control
vector
Unencrypted Unencrypted
DATA key IMPORTER key
Almost all private keys that are encrypted under a master key are stored outside the protected
area of the cryptographic hardware; they cannot be attacked because the master key used to
encrypt them is itself secure inside the tamper-protected cryptographic hardware and will be
zeroized if there is any attempted attack.
There is one exception to the rule that private keys are stored outside the cryptographic
hardware. CCA supports retained RSA keys, in which the RSA key pair is generated inside the
secure cryptographic hardware, and only the public key is ever allowed to leave the secure
environment. The private key remains inside the secure hardware and is never allowed to
leave in any form. This key is designed to meet the strict demands of some standards, which
require assurance that the private key can exist only in a single cryptographic module. This
rule greatly strengthens non-repudiation. If a private key can exist only in one cryptographic
device, it provides assurance that any digital signature computed using that private key can
have originated only at the system in which that device is installed. In the PCIXCC, retained
RSA private keys are stored in the flash memory inside the secure module. Similar to all CCA
data stored in that memory, they are securely encrypted under a TDES key that is destroyed if
there is any attempt to tamper with the device.
Conceptually, the master key used to protect DES keys could have also been used to protect
PKA private keys. However, the CCA designers chose to use a different master key as
follows:
When the cryptographic hardware is a PCICC or PCIXCC/CEX2C/CEX3C/CEX4C, the
192-bit master key is called the Asymmetric-keys Master Key (ASYM-MK).
When the cryptographic hardware is a CCF, there are two PKA master keys:
– The Key Management Master Key (KMMK) is a 192-bit key that is used to protect
private keys that are used in both digital signature generation and decryption of secret
(symmetric) keys.
– The Signature Master Key (SMK) is a 192-bit key that is used to protect private keys
that are used only in digital signature generation.
Operational keys are accessed either directly by value in an internal key token or indirectly by
a key label:
Internal key token
The format of an RSA private internal key token differs from the format of a DSS private
internal key token; we only discuss the former. As shown in Figure 5-19, an RSA private
internal key token contains several sections:
– R indicates that the section is required
– O indicates that the section is optional
In Figure 5-19 and succeeding figures:
– d represents the RSA private exponent
– e represents the public exponent
– n represents the modulus
An access control system can use the private key name to verify that the calling
application is entitled to use the key.
Random number r
Random number r-1 Blinding information sub-section
X'00' padding to get a multiple of 8 bytes
Figure 5-20 1024-bit modulus exponent form for CEX2C
Key label
A key label indirectly identifies an internal key token stored in key storage. (An example of
key storage in the z/OS environment is the ICSF Public Key Data Set, a VSAM data set
often called the PKDS).
The key_identifier parameter found in most of the cryptographic API callable services
allows the programmer to pass keys to the service either directly by value or indirectly through
a key label.
A private key in importable or exportable form is kept in an external key token. The format of
an RSA private external key token differs from the format of a DSS private external key token;
we only discuss the former. As shown in Figure 5-21, an RSA private external key token
contains several sections. Again, R indicates that the section is required and O indicates that
the section is optional.
You can use the PKA Key Import callable service to do either of the following tasks:
Get a private key deciphered from an importer key and enciphered by the ASYM-MK.
Get a clear, unenciphered private key enciphered by the ASYM-MK.
So far we have only discussed tokens for RSA private keys. The CCA also defines a token for
RSA public keys. Because public keys are meant to be shared, the format of an RSA public
key token is rather simple:
Header containing a token identifier of X’1E’ (indicating an external token)
RSA public key section containing the public exponent e and the modulus n in cleartext.
CCA callable services can use PKA public key tokens directly in the external form.
Figure 5-23 on page 262 provides a schematic view of the hardware cryptography
implementation in the System z environment.
Hardware Crypto
CEX4C z/OS
Symmetric-keys
Master Key RACF
Plaintext Appl
Asymmetric-keys ICSF
Master Key Ciphertext
Segment 3
Crypto instruction Callable
Segment 2 services CALL
CSNxxxx
Segment 1 APIs
Segment 0
Key to use
or instructions
in the application
Options
ICSF also provides key repositories in the form of two VSAM data sets, where keys can be
kept in key tokens in clear value or encrypted under a KEK or under the coprocessors master
keys. The VSAM data sets are the CKDS and the PKDS. The key tokens in the CKDS and the
PKDS are given a user-defined or system-defined label that is used for their retrieval and
maintenance.
Note: The hardware cryptography technology that we discuss here is available on the IBM
System z9 and eServer zSeries 990 and 890 platforms. The zSeries 800 and 900 host
other, although functionally compatible, types of cryptographic coprocessors.
If ICSF decides to use cryptographic hardware, it gives control to its routines that contain the
crypto instructions. (The cryptographic instructions that drive the CPACF are listed in 5.11,
“CP Assist for Cryptographic Functions” on page 247.) ICSF routes the request to the CEX4C
and if the request is, say, a request to encrypt data, the ICSF started task provides the
CEX4C with the data to be encrypted and the key to be used by the encryption algorithm.
Recall that the key is encrypted, in this case under a variant of the SYM-MK stored in the
CEX4C. The request proceeds as shown previously in Figure 5-15 on page 253.
The interactions between the functional blocks shown in Figure 5-23 on page 262 are as
follows:
ICSF is a z/OS started task that offers cryptographic APIs to applications and drives the
requests to the Crypto Express4S Coprocessor (CEX4C).
The CEX4C is a “secure” coprocessor in that it contains a master key used to encrypt keys
to be kept in storage or in the PKDS data set. The master key resides in the coprocessor
hardware only and is used to decrypt internally to the coprocessor the secure keys that
are provided so that they can be used to encrypt or decrypt data.
ICSF needs other data sets to operate. The CKDS for the use of cryptographic hardware,
and an options data set that contains the ICSF started task startup parameters. ICSF
requires a PKDS as well. The PKDS does not need to contain any records, or even be
initialized, but it does need to be allocated by ICSF.
Installing and maintaining the secret master key is a task that security officers can perform
from TSO/E terminals or from an optional TKE workstation, the latter for a very high
security level of the interactions between the security officers and the CEX4C.
If there is more than one secure coprocessor to which ICSF has access, all coprocessors
must have been set with the same master key value.
The CPACF operates only with clear keys.
The keys can be stored in ICSF-managed VSAM data sets and pointed to by the application
program by using the label under which they are stored. The CKDS is used to store the
symmetric keys in their encrypted form, and the PKDS is used to store the asymmetric keys.
If the level of ICSF that you are using is HCR7720 or higher, you can also store keys in the
CKDS in clear (unencrypted) form.
We consider the publications that we list in this section particularly suitable for a more
detailed discussion of the topics that we cover in this book.
Other publications
These publications are also relevant as further information sources:
z/OS Integrated Security Services Network Authentication Service Administration,
SC23-6786
z/OS Integrated Security Services Network Authentication Service Programming,
SC23-6787
z/OS Cryptographic Services PKI Services Guide and Reference, SA23-2286
z/OS Security Server RACF Auditor’s Guide, SA23-2290
z/OS Security Server RACF Callable Services, SA23-2293
z/OS Security Server RACF Command Language Reference, SA23-2292
z/OS Security Server RACF Data Areas, GA32-0885
z/OS Security Server RACF Diagnosis Guide, GA32-0886
z/OS Security Server RACF General User’s Guide, SA23-2298
z/OS Security Server RACF Macros and Interfaces, SA23-2288
z/OS Security Server RACF Messages and Codes, SA23-2291
z/OS Security Server RACF Security Administrator’s Guide, SA23-2289
z/OS Security Server RACF System Programmer’s Guide, SA23-2287
z/OS Security Server RACROUTE Macro Reference, SA23-2294
z/OS Integrated Security Services Enterprise Identity Mapping (EIM) Guide and
Reference, SA23-2297
z/OS OCSF Service Provider Module Developer’s Guide and Reference, SC14-7514
z/OS Open Cryptographic Services Facility (OCSF) Application Programming, SC14-7513
z/OS Cryptographic Services ICSF Administrator’s Guide, SA22-7521
z/OS Cryptographic Services ICSF Application Programmer’s Guide, SA22-7522
z/OS Cryptographic Services ICSF Messages, SA22-7523
z/OS Cryptographic Services ICSF Overview, SA22-7519
z/OS Cryptographic Services ICSF System Programmer’s Guide, SA22-7520
z/OS Cryptographic Services ICSF TKE PCIX Workstation User’s Guide, SC14-7511
z/OS Cryptographic Services System SSL Programming, SC14-7495
Security on z/OS The ABCs of IBM z/OS System Programming is an 11-volume collection that
provides an introduction to the z/OS operating system and the hardware INTERNATIONAL
RACF and SAF architecture. Whether you are a beginner or an experienced system
programmer, the ABCs collection provides the information that you need to
TECHNICAL
start your research into z/OS and related subjects. SUPPORT
Cryptography ORGANIZATION
Following are the contents of the volumes:
Volume 1: Introduction to z/OS and storage concepts, TSO/E, ISPF, JCL,
SDSF, and z/OS delivery and installation
Volume 2: z/OS implementation and daily maintenance, defining
subsystems, JES2 and JES3, LPA, LNKLST, authorized libraries, IBM BUILDING TECHNICAL
Language Environment, and SMP/E INFORMATION BASED ON
Volume 3: Introduction to DFSMS, data set basics, storage management PRACTICAL EXPERIENCE
hardware and software, VSAM, System-managed storage, catalogs, and
DFSMStvs IBM Redbooks are developed
Volume 4: Communication Server, TCP/IP, and IBM VTAM by the IBM International
Volume 5: Base and IBM Parallel Sysplex, System Logger, Resource Technical Support
Recovery Services (RRS), global resource serialization (GRS), z/OS system Organization. Experts from
operations, automatic restart management (ARM), and IBM Geographically IBM, Customers and Partners
Dispersed Parallel Sysplex (IBM GDPS) from around the world create
timely technical information
Volume 6: Introduction to security, IBM RACF, digital certificates and PKI,
based on realistic scenarios.
Kerberos, cryptography and IBM z9 integrated cryptography, LDAP, and EIM Specific recommendations
Volume 7: Printing in a z/OS environment, Infoprint Server, and Infoprint are provided to help you
Central implement IT solutions more
Volume 8: An introduction to z/OS problem diagnosis effectively in your
Volume 9: z/OS UNIX System Services environment.
Volume 10: Introduction to IBM z/Architecture, IBM System z processor
design, System z connectivity, LPAR concepts, HCD, and HMC
Volume 11: Capacity planning, performance management, WLM, IBM RMF,
and SMF For more information:
ibm.com/redbooks