Securing the z/OS FTP Client & Server – Joel Tilton, May 2016 (slide transcript)
Joel Tilton RACF Engineer
Mainframe Evangelist May 2016
Joel Tilton is a former employee of IBM, where he got his start with mainframes, who continues to champion mainframe security issues and solutions.
Over 20 years of technical IT experience, the majority of it gained in hands-on technical roles, performing a variety of duties in diverse and complex environments.
The majority of Joel's experience is focused on IBM mainframe systems, where he performs as a Technician and Project Manager. Joel's specialist subject is IT Security, in particular z/OS and associated subsystems (CICS, DB2, MQ, zSecure, etc.) security with RACF.
Joel is also an active member of the Tampa Bay RUG (RACF User Group) which meets jointly with the NY RUG. Joel has a true passion for security and the mainframe. Long live the mainframe!
https://www.linkedin.com/in/joeltilton
702-483-RACF (Google Voice)
© 2016, Joel M. Tilton – Securing the z/OS FTP Client & Server – May 2016
All products, trademarks, and information mentioned are the property of the respective vendors.
Mention of a product does not imply a recommendation. Always test new profiles on a non-production system. Only you can prevent IPLs… The views expressed are his own personal views, and are not endorsed or supported by, and do not necessarily express or reflect, the views, positions or strategies of his employer.
How do you know who is moving your data around? Or stealing it?
Are you 100% certain EVERY dataset profile is securing your data? For example: UACC(NONE) AUDIT(SUCCESS(UPDATE) FAILURES(READ))
PCI and other standards require an audit trail (PCI DSS Requirement 10 and Appendix A.1.3)
• Take your systems programmer out to lunch
• Find the FTP.DATA dataset or member
  ▪ Depends on where your sysprog decided to put it (ask them! See previous bullet)
  ▪ Often stored in a parmlib under TCP/IP or SYS1 qualifiers
  ▪ Or search the STARTED class for entries that have FTP in them and go digging through all your parmlibs to find it: SR CLASS(STARTED) FILTER(*FTP*.**)
  ▪ Yes, I assume or hope the proc name will at least have FTP in it somewhere
• Now search all proc libs for that proc name (TSO ISRDDN)
• Then look for the SYSFTPD DD card and note the dataset name
• While here, make note of the dataset specified by the SYSTCPD DD card as well
SMF type 119 records rock (yes they really do!)
• Was the control connection encrypted? Was the data connection encrypted? Which version of TLS was used?
  ▪ SSL is no longer recommended. See the POODLE attack on SSL 3.0.
  ▪ Type 119 subtype 2 carries this TLS information if, and only if, AT-TLS policies are in use
• IP addresses are recorded in IPv6 format only
• SMF type 118 records do not record any of the above information
• SMF type 118 records have been "functionally stabilized"
Search for all occurrences of "SMF" in the FTP.DATA dataset specified by the SYSFTPD DD card we found earlier.
There are three statements that should be set for SMF recording to occur:
• SMF TYPE119
• SMFJES TYPE119
• SMFSQL TYPE119
PCI and other standards require an audit trail (PCI DSS Requirement 10 and Appendix A.1.3)
Wouldn't you want to log who's moving your data around using FTP? Would you care if someone tried to FTP the RACF DB?
Be extremely careful not to record both type 118 and type 119 records. Doing so will create a performance problem!
"Records of type 118 and type 119 can both be requested; however, do not do this due to performance implications of writing both record types."
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.halz001%2Fcsmfsta.htm
SMF TYPE119
• Cuts one FTP type 119 subtype 70 record for every MVS and z/OS UNIX dataset transferred
• For a PDS, cuts one SMF record per member of the PDS
SMFSQL TYPE119
• SQL commands can be sent directly to your DB2 subsystem via FTP!
• If the "DB2 subsystem_id" statement is not specified, then the z/OS FTP server assumes a DB2 ssid of simply "DB2"
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.halz001%2Fcsmfsql.htm&path=8_6_20_137
Some people read the manuals and see "SAF" next to JESINTERFACELEVEL 2
They think "SAF" = external security = we're safe; yes we want this setting
"Sorry, wrong answer. Would you like to go for Double Jeopardy, where the scores can really change?"
When you set JESINTERFACELEVEL 2 you need to be absolutely sure of the security implications: level 2 lets FTP users see and retrieve any spool output that the JESSPOOL and SDSF profiles permit, not just their own jobs
DO NOT set JESINTERFACELEVEL 2 unless:
• The JESSPOOL class is configured to secure ALL spool datasets
  ▪ Reminder: JESSPOOL is a default RC of 8 class!
• The SDSF class is active with the following SAF resources secured appropriately:
  ▪ ISFCMD.DSP.ACTIVE.jesx
  ▪ ISFCMD.DSP.INPUT.jesx
  ▪ ISFCMD.DSP.OUTPUT.jesx
  ▪ ISFCMD.FILTER.OWNER
  ▪ ISFCMD.FILTER.PREFIX
  ▪ Reminder: SDSF is a default RC of 4 class!
Ingenious application developers punch jobs straight to JES via FTP!
They can also transfer sensitive job output (PCI, HIPAA, payroll, etc.) to their workstations
If the JESSPOOL and SDSF classes are not configured appropriately, then JESINTERFACELEVEL should never be set to 2
JESINTERFACELEVEL 1 is the default!
The FTP server logon failure record (type 119 subtype 72) captures why the FTP logon failed, but also…
• Was it encrypted? With what version of TLS? With what type of algorithm?
• Helpful for tracking end users still attempting to use unencrypted FTP
• Validate that someone is not repeatedly trying to log in via FTP to breach accounts
• Many standards require complete audit trails
The FTP client SMF type 119 subtype 3 records are configured in the TCP/IP stack
• Find the running TCP/IP started task using SDSF, Sysview, etc.
• Browse it and do a find for 'profile'. You should see a message similar to: EZZ0300I OPENED PROFILE FILE DD:PROFILE
• Read through the output until you find the PROFILE DD card
• Browse that dataset or member
• Other option: just use zSecure's RE.I menu to validate the entire configuration of TCP/IP, including which SMF records are enabled
Bring up the TCP/IP PROFILE dataset in browse or view mode and do a search for ‘SMFCONFIG’
If nothing is found then TCP/IP is NOT configured to cut ANY SMF records!
PCI and other standards require a complete audit trail
In order to cut type 119 subtype 3 SMF records for all FTPs where z/OS is the client (i.e. all OUTBOUND FTPs), the following needs to be added to the TCPIP profile parms:
• SMFCONFIG TYPE119 FTPCLIENT
• This is a change that of course requires assistance from systems programming!
• Did I mention taking your systems programmer to lunch?
• Can be changed dynamically (VARY TCPIP,,OBEYFILE) or by recycling the TCP/IP stack (or at the next IPL)
SMFCONFIG TYPE119
• TN3270CLIENT: logs outbound telnet connections to other systems
• PROFILE: logs changes to the configuration of the TCP/IP stack
• TCPSTACK: logs useful information every time a TCP/IP stack is started or stopped
SMFCONFIG TYPE119 TCPTERM
▪ Cuts a record every time a TCP connection closes
▪ Logs the version of TLS used
▪ Logs the level of security the server required
And more…
• Virtual IP Addresses (subtypes 32 – 37)
• z/OS CS SMTP server (subtypes 48 – 52)
  ▪ New as of z/OS V1R11
• Subtypes 73 – 80 for IPSec
• UDP socket close (subtype 10)
• Others for statistics
• ICETOOL
• SYS1.TCPIP.AEZASMP1(EZASMF): IBM sample C code to report on type 119 SMF records
• Assembler: SYS1.MACLIB – EZASMF77
• IBM Security zSecure Audit: via the EV.I menu it automatically processes FTP records, creating reports that tell you whether the FTP was encrypted and, if so, which version of SSL/TLS and which algorithm was used
Note: This list might not be all inclusive
Table 257, z/OS Communications Server IP Programmer's Guide and Reference (security section of the FTP server record):

Offset  Name                    Description
1       SMF119FT_FSCProtect     Security of the control connection
2       SMF119FT_FSDProtect     Security of the data connection
3       SMF119FT_FSLoginMech    Was login via password or certificate?
4       SMF119FT_FSProtoLevel   Version of TLS used
12      SMF119FT_FSCipherSpec   Encryption algorithm used
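The fields in that table are what an audit report has to key on. As an added example (not from the deck or from IBM), the Python below decodes a simplified, constructed record layout carrying only those five fields plus user ID and remote address, then builds the remediation list the deck asks for before SECURE_FTP REQUIRED can be set: who is still transferring in the clear, on SSLv3, or with one of the weak CIPHERSUITE values. The fixed layout, the one-character protection/login/protocol codes and the sample records are assumptions for illustration; real subtype 70 records carry an SMF header and self-defining triplets and must be located with the IBM mapping (EZASMF77). The cipher numbers are the real suite identifiers from the deck's CIPHERSUITE list, and the address handling follows the deck's note that type 119 stores addresses in IPv6 form.

```python
"""Classify FTP server transfer-completion (SMF 119 subtype 70) security data.

Added example, not from the deck or IBM. The record layout below is a constructed
simplification: only the security-section fields named in the deck's table, plus
user ID and remote address. Field codes are assumed, not IBM's.
"""
import ipaddress
import struct
from collections import defaultdict

# Assumed fixed layout (constructed for this example, 30 bytes):
#   8s  user ID, EBCDIC (cp037), blank padded
#  16s  remote address as 16 bytes; type 119 stores IPv4 peers as IPv4-mapped IPv6
#   c   SMF119FT_FSCProtect   control connection: b'C' clear, b'P' private
#   c   SMF119FT_FSDProtect   data connection:    b'C' clear, b'P' private
#   c   SMF119FT_FSLoginMech  b'P' password, b'C' certificate
#   c   SMF119FT_FSProtoLevel assumed codes: b'0' none, b'3' SSLv3, b'A'/b'B'/b'C' TLS 1.0/1.1/1.2
#   H   SMF119FT_FSCipherSpec TLS cipher suite number (the hex values in the deck's CIPHERSUITE list)
RECORD = struct.Struct(">8s16sccccH")

PROTO = {b"0": "none", b"3": "SSLv3", b"A": "TLSv1.0", b"B": "TLSv1.1", b"C": "TLSv1.2"}

# Suites the deck calls out as providing no or weak protection, by suite number.
WEAK_SUITES = {0x0001: "SSL_NULL_MD5", 0x0002: "SSL_NULL_SHA", 0x0003: "SSL_RC4_MD5_EX",
               0x0004: "SSL_RC4_MD5", 0x0006: "SSL_RC2_MD5_EX", 0x0009: "SSL_DES_SHA"}


def decode(rec):
    """Unpack one constructed record into a dict of readable fields."""
    user, ip, cprot, dprot, login, proto, cipher = RECORD.unpack(rec)
    addr = ipaddress.IPv6Address(ip)
    return {
        "user": user.decode("cp037").rstrip(),
        # Show IPv4 peers as IPv4 even though the record stores them as ::ffff:a.b.c.d
        "remote": str(addr.ipv4_mapped or addr),
        "ctrl_private": cprot == b"P",
        "data_private": dprot == b"P",
        "login": "certificate" if login == b"C" else "password",
        "proto": PROTO.get(proto, "unknown"),
        "cipher": cipher,
    }


def assess(fields):
    """Return the reasons this transfer would fail once SECURE_* PRIVATE/REQUIRED is set."""
    issues = []
    if not fields["ctrl_private"]:
        issues.append("control connection in the clear (user ID and password exposed)")
    if not fields["data_private"]:
        issues.append("data connection in the clear")
    if fields["proto"] == "SSLv3":
        issues.append("SSLv3 negotiated (see POODLE)")
    if fields["cipher"] in WEAK_SUITES:
        issues.append(f"weak cipher suite {WEAK_SUITES[fields['cipher']]}")
    return issues


def remediation_report(records):
    """Group issues by (user, remote host): the list to work before flipping to REQUIRED."""
    report = defaultdict(list)
    for rec in records:
        f = decode(rec)
        for issue in assess(f):
            report[(f["user"], f["remote"])].append(issue)
    return dict(report)


def make_record(user, remote, ctrl, data, login, proto, cipher):
    """Build a constructed sample record (real ones come from an SMF dump)."""
    addr = ipaddress.ip_address(remote)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{remote}")
    return RECORD.pack(user.ljust(8).encode("cp037"), addr.packed, ctrl, data, login, proto, cipher)


# Constructed sample records; user IDs and addresses are made up.
SAMPLE = [
    make_record("PAYROLL1", "10.1.2.3", b"C", b"C", b"P", b"0", 0x0000),      # plain FTP
    make_record("BATCHA", "10.1.2.9", b"P", b"C", b"P", b"C", 0x0035),        # TLS on control only
    make_record("VENDORX", "2001:db8::10", b"P", b"P", b"C", b"3", 0x0004),   # SSLv3, RC4/MD5
    make_record("SECUREU", "10.1.5.5", b"P", b"P", b"P", b"C", 0x003D),       # TLS 1.2, AES-256-SHA256
]

if __name__ == "__main__":
    for (user, remote), issues in remediation_report(SAMPLE).items():
        print(f"{user:8} {remote:15} {'; '.join(issues)}")
```

Only the three non-compliant transfers appear in the report; the TLS 1.2 session with a SHA-256 suite produces no entry, which is the state every user and partner host should reach before SECURE_FTP REQUIRED and SECURE_CTRLCONN/SECURE_DATACONN PRIVATE are switched on.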
To protect the user ID and password of RACF accounts from a person-in-the-middle attack.
It's the 21st century, so why are we still sending passwords around any network (even our internal one) in the clear? Do you really trust that your LAN/WAN is bulletproof? Would you take that risk?
PCI requires encryption of cardholder data
CPACF (Central Processor Assist for Cryptographic Functions)
• Enhances encryption/decryption of clear-key operations, random number generation, one-way hashing, etc.
• Must be enabled using a no-charge feature (#3863). Check the HMC (Hardware Management Console)
• Check the output in the ICSF address space: CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
REMINDER: ICSF must come up before PAGENT (AT-TLS) or hardware acceleration will not be used
CPACF and ICSF are independent of each other
• CPACF is a hardware feature enabled at the HMC
• ICSF (Integrated Cryptographic Services Facility) accelerates encrypt/decrypt operations via Crypto Express cards
• You do not have to run the ICSF address space to make CPACF available
Saves 1-2% of overhead on average: 75+ million SAF calls per SFTP user ID
XFACILIT profiles with UACC(NONE) AUDIT(NONE); they simply need to exist:
• CSF.CSFSERV.AUTH.CSFOWH.DISABLE: bypass the SAF call for the CSFSERV CSFOWH profile (one-way hash)
• CSF.CSFSERV.AUTH.CSFRNG.DISABLE: bypass the SAF call for the CSFSERV CSFRNG profile (random number generation)
Example: SFTP calls CSFOWH for every packet sent and received! Uffda…
Requires the HCR77A1 release of ICSF at a minimum
ICSF confirms the bypass with:
CSFM650I CSFSERV AUTHORIZATION CHECK FOR RANDOM NUMBER GENERATE SERVICES IS DISABLED
CSFM650I CSFSERV AUTHORIZATION CHECK FOR ONE-WAY HASH SERVICES IS DISABLED
In these examples we use the z/OS FTP server's own TLS implementation
EXTENSIONS AUTH_TLS
• Enables the use of TLS by the FTP server or client. Default is off
SECURE_FTP ALLOWED
• Encrypted FTPs are "ok". Client and server setting
SECURE_FTP REQUIRED
• Changing to this setting DENIES any inbound FTP that is unable to establish an encrypted session
• The goal after mining the type 119 subtype 3 and 70 SMF records and remediating all unencrypted FTPs is to be able to change to REQUIRED with no impact
SECURE_CTRLCONN CLEAR
• CLEAR is the default: the control connection is unencrypted by default (and TLS is not even possible unless EXTENSIONS AUTH_TLS is specified)
SECURE_CTRLCONN PRIVATE
• The goal after unencrypted FTP remediation is to be able to change this setting to PRIVATE
  ▪ Then the z/OS FTP server rejects any FTP session that can't establish an encrypted control connection
SECURE_DATACONN CLEAR
• CLEAR is the default: data sent to the z/OS FTP server is not encrypted!
SECURE_DATACONN PRIVATE
• The goal after unencrypted FTP remediation is to be able to change this setting to PRIVATE
  ▪ Then the z/OS FTP server rejects any FTP session that can't establish an encrypted data connection
SECURE_LOGIN NO_CLIENT_AUTH
• Means we're not requiring a certificate for authentication
• Some auditors get confused by this setting (I did too at first)
• NO_CLIENT_AUTH is the default
SECURE_PASSWORD REQUIRED
• While this may seem to imply encryption, all it means is: we must enter a password to log in via FTP
• REQUIRED is the default
The default z/OS FTP server cipher is a null cipher. That means it's a cipher that doesn't actually encrypt anything!!!! Why? Well, that's how RFC 4346 is written…
Search your FTP parms for statements that start with: CIPHERSUITE
Note that by using the cryptography parms provided by the z/OS FTP server we're using crypto at the application layer
AT-TLS offers stronger cryptography (more on that later)
▪ Application Transparent Transport Layer Security
▪ TCP/IP provides the encryption and the application does not need to know
CIPHERSUITE SSL_NULL_MD5    ; 01  No encryption, MD5 message authentication, RSA key exchange
CIPHERSUITE SSL_NULL_SHA    ; 02  No encryption, SHA-1 message authentication, RSA key exchange
CIPHERSUITE SSL_RC4_MD5_EX  ; 03  40-bit RC4 encryption, MD5 message authentication, RSA key exchange
CIPHERSUITE SSL_RC2_MD5_EX  ; 06  40-bit RC2 encryption, MD5 message authentication, RSA key exchange
CIPHERSUITE SSL_DES_SHA     ; 09  56-bit DES encryption, SHA-1 message authentication, RSA key exchange
None of these provide adequate confidentiality: two encrypt nothing at all, and the rest use export-grade 40-bit or 56-bit keys.
CIPHERSUITE SSL_RC4_MD5 ; 04  128-bit RC4 encryption with MD5 message authentication and RSA key exchange
MD5 is now deprecated and won't pass PCI standards
From Wikipedia: "…a group of researchers used this technique to fake SSL certificate validity,[7][8] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions.[10]"
http://en.wikipedia.org/wiki/MD5
NIST Special Publication 800-131A
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf
"SHA-1: Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance."
http://csrc.nist.gov/groups/ST/hash/policy.html
NIST comments on cryptanalytic attacks on SHA-1: http://csrc.nist.gov/groups/ST/hash/statement.html
By the end of the year SHA-1 will be removed from the certificates in most browsers
http://www.zdnet.com/article/as-attacks-near-microsoft-mulls-banning-sha1-certificates/
What happens if you don't migrate to SHA-2 certificates?
AT-TLS: Application Transparent Transport Layer Security
• Encrypts the communication without the application needing to know
• Several advantages: centralized configuration management; a single refresh command (F PAGENT,REFRESH)
• "Let Communications Server Manage TLS", Lin Overby, STSM, IBM Communications Server: http://www.ibmsystemsmag.com/mainframe/administrator/systemsmanagement/Lighten-your-Administrator-Load-with-AT-TLS-and--C/
With AT-TLS: 256-bit AES with SHA-256 & SHA-384
• Required for converting RRSF from SNA to TCP/IP
The best available cipher built into the z/OS FTP server provides AES-256 with SHA-1:
CIPHERSUITE SSL_AES_256_SHA ; 35  256-bit AES encryption with SHA-1 message authentication and RSA key exchange
The Advanced Encryption Standard is established by the National Institute of Standards and Technology (NIST).
TLSMECHANISM ATTLS
• Both a client and server statement
• TLSMECHANISM FTP is the default
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz001/ftpcastlsmechanism.htm
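Everything the deck has walked through so far (the three SMF TYPE119 statements, JESINTERFACELEVEL, EXTENSIONS AUTH_TLS, the SECURE_* statements, CIPHERSUITE and TLSMECHANISM in FTP.DATA, and SMFCONFIG TYPE119 in PROFILE.TCPIP) can be checked mechanically once the members have been pulled down from the system. The Python below is an added example, not from the deck or from IBM: it parses the statements with the syntax the slides show (keyword first, ';' to end of line is a comment) and reports the settings that fall short of the deck's target state. It assumes that keywords are case-insensitive, that the last occurrence of a single-valued statement wins, that SECURE_FTP, SECURE_CTRLCONN, SECURE_DATACONN and TLSMECHANISM default to ALLOWED, CLEAR, CLEAR and FTP as the deck states, and that CIPHERSUITE only matters when TLSMECHANISM is FTP. The sample members are constructed.

```python
"""Audit FTP.DATA and PROFILE.TCPIP text for the settings this deck walks through.

Added example, not from the deck or IBM. Assumed syntax: one statement per line,
keyword first, ';' starts a comment, case-insensitive, last occurrence wins.
"""

# CIPHERSUITE values from the deck's list that give no or weak protection.
WEAK_CIPHERS = {"SSL_NULL_MD5", "SSL_NULL_SHA", "SSL_RC4_MD5_EX",
                "SSL_RC2_MD5_EX", "SSL_DES_SHA", "SSL_RC4_MD5"}

# SMFCONFIG TYPE119 options the deck asks for in PROFILE.TCPIP.
REQUIRED_119 = {"FTPCLIENT", "TN3270CLIENT", "PROFILE", "TCPSTACK", "TCPTERM"}


def parse_statements(text):
    """Return [(KEYWORD, [OPERAND, ...])] with comments and blank lines dropped."""
    stmts = []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if tokens:
            stmts.append((tokens[0].upper(), [t.upper() for t in tokens[1:]]))
    return stmts


def audit_ftp_data(text):
    """Return [(code, message)] findings for an FTP.DATA member; [] means it meets the target."""
    by_kw = {}
    for kw, ops in parse_statements(text):
        by_kw.setdefault(kw, []).append(ops)

    def value(kw, default):
        ops = by_kw.get(kw)
        return ops[-1][0] if ops and ops[-1] else default

    findings = []
    smf_types = set()
    for kw in ("SMF", "SMFJES", "SMFSQL"):        # server, JES and SQL paths are logged separately
        ops = by_kw.get(kw, [[]])[-1]
        smf_types.update(ops)
        if "TYPE119" not in ops:
            findings.append(("SMF-NO-119", f"{kw} TYPE119 not set: no type 119 audit trail for that path"))
    if {"TYPE118", "TYPE119"} <= smf_types:
        findings.append(("SMF-BOTH", "type 118 and type 119 both requested: IBM warns of the performance cost"))
    if value("JESINTERFACELEVEL", "1") == "2":
        findings.append(("JES-LEVEL2", "JESINTERFACELEVEL 2: confirm JESSPOOL and SDSF class profiles first"))
    if not any("AUTH_TLS" in ops for ops in by_kw.get("EXTENSIONS", [])):
        findings.append(("TLS-OFF", "EXTENSIONS AUTH_TLS absent: the server cannot negotiate TLS at all"))
    if value("SECURE_FTP", "ALLOWED") != "REQUIRED":
        findings.append(("SECURE_FTP", "SECURE_FTP not REQUIRED: unencrypted sessions are still accepted"))
    if value("SECURE_CTRLCONN", "CLEAR") != "PRIVATE":
        findings.append(("CTRLCONN", "SECURE_CTRLCONN not PRIVATE: user ID and password may cross the wire in clear"))
    if value("SECURE_DATACONN", "CLEAR") != "PRIVATE":
        findings.append(("DATACONN", "SECURE_DATACONN not PRIVATE: data sets may be transferred in clear"))
    if value("TLSMECHANISM", "FTP") != "ATTLS":
        findings.append(("APP-TLS", "TLSMECHANISM FTP: application-layer TLS, SHA-1 MAC at best; consider AT-TLS"))
        for ops in by_kw.get("CIPHERSUITE", []):   # only consulted when FTP does its own TLS
            for suite in ops:
                if suite in WEAK_CIPHERS:
                    findings.append(("WEAK-CIPHER", f"CIPHERSUITE {suite} gives no or weak protection"))
    return findings


def audit_tcpip_profile(text):
    """Return the REQUIRED_119 options that no SMFCONFIG TYPE119 statement enables."""
    enabled = set()
    for kw, ops in parse_statements(text):
        if kw != "SMFCONFIG":
            continue
        mode = "TYPE118"        # operands before a TYPE119 keyword request type 118 records
        for op in ops:
            if op in ("TYPE118", "TYPE119"):
                mode = op
            elif mode == "TYPE119":
                enabled.add(op)
    return sorted(REQUIRED_119 - enabled)


# Constructed sample members, not from any real system.
WEAK_FTP_DATA = """\
SMF TYPE118                  ; legacy records only
JESINTERFACELEVEL 2
EXTENSIONS AUTH_TLS
SECURE_FTP ALLOWED
SECURE_CTRLCONN CLEAR
CIPHERSUITE SSL_NULL_MD5     ; 01
CIPHERSUITE SSL_RC4_MD5      ; 04
CIPHERSUITE SSL_AES_256_SHA  ; 35
"""
HARDENED_FTP_DATA = """\
SMF TYPE119
SMFJES TYPE119
SMFSQL TYPE119
JESINTERFACELEVEL 1
EXTENSIONS AUTH_TLS
TLSMECHANISM ATTLS
SECURE_FTP REQUIRED
SECURE_CTRLCONN PRIVATE
SECURE_DATACONN PRIVATE
"""
WEAK_PROFILE = "SMFCONFIG FTPCLIENT TN3270CLIENT   ; type 118 records only\n"
```

Running audit_ftp_data(WEAK_FTP_DATA) yields ten findings (three missing TYPE119 statements, the JESINTERFACELEVEL 2 warning, the three SECURE_* gaps, the application-layer TLS note and the two weak suites), the hardened member yields none, and audit_tcpip_profile(WEAK_PROFILE) reports all five TYPE119 options missing because that SMFCONFIG statement only requests type 118 records. The script does not check JESSPOOL or SDSF profiles themselves; that still has to be done in RACF.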
Many of the previous settings also apply to the z/OS FTP client
• z/OS FTP clients use a search order for their settings. The order also depends upon whether the TSO or z/OS UNIX FTP client is used
• If not overridden by the client, then it defaults to the TCPIP.DATA dataset specified in the FTP proc's SYSTCPD DD card
  http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.halz001%2Fcjesint.htm
• A z/OS FTP client can choose to override the encryption settings by invoking FTP with: -a never, which means "give me an unencrypted outbound FTP session"
• Enhancement 25972: http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=25972
  "z/OS V2R1 Communications Server provides a command exit for the FTP client. The capability in this requirement can be achieved by using the exit to modify the FTP parameter list to prevent the specification of the "-a never" parameter."
Necessary to allow the FTP client to automagically use any CERTAUTH certificate that is in TRUST status
• Alternative: keyring maintenance hell! Otherwise you will have a fun time with keyring maintenance for all of your FTP users. You'll be in RACDCERT CONNECT hell, constantly connecting in certificate authority certificates depending upon where someone needs to FTP.
• Activate the RDATALIB class and define to it: CERTIFAUTH.IRR_VIRTUAL_KEYRING.LST
• This groups all certificate authority certificates with TRUST status into a "virtual" ring
Keyring isolation is required for virtual keyrings
• FACILITY IRR.DIGTCERT.LISTRING: READ = see your own keyring; UPDATE = see all keyrings
• RDATALIB: only the users in that profile's access list can access the keyring or its private key
• Documented in the RACF Callable Services manual
Scenario                                    Access required   Logged when denied
User A extracts User A's own private key    READ              ICH408I
User A extracts User B's private key        UPDATE            NO ICH408I or type 80
User A extracts SITE's private key          CONTROL           NO ICH408I or type 80
User A extracts CERTAUTH's private key      CONTROL           NO ICH408I or type 80
Just because you SETR RACLIST(RDATALIB) REFRESH *does not mean* the RDATALIB profile is installed properly
For CERTAUTH and SITE certificates: an application can extract the private key from a CERTAUTH or SITE certificate if the following conditions are met:
• The certificate is connected to its key ring with the PERSONAL usage option, and
• One of the following three conditions is true:
  ▪ The caller's user ID is RACF SPECIAL, regardless of access checking method, or
  ▪ The caller's user ID has CONTROL authority to the IRR.DIGTCERT.GENCERT resource in the FACILITY class, if access to the key ring is checked through IRR.DIGTCERT.LISTRING in the FACILITY class, or
  ▪ The caller's user ID has CONTROL authority to the <ringOwner>.<ringName>.LST resource in the RDATALIB class
© 2016, Joel M. Tilton Securing the z/OS FTP Client & Server – May 2016 – April 2016 41
![Page 42: Joel Tilton May 2016 - · PDF filesecurity with RACF. Joel is also an active member of the Tampa Bay RUG ... per member. of the PDS ... To protect the user ID and password of RACF](https://reader030.vdocuments.net/reader030/viewer/2022012313/5a8492017f8b9a882e8b9f20/html5/thumbnails/42.jpg)
Scenario: NDM actually needs CONTROL to its RDATALIB profile
The R_datalib service has DataGetFirst and DataGetNext functions. It was designed to do all the data pulls up front, loading everything into the work area so that the DataGetNext calls are much faster. At that point, RACF does not know which of the available private keys are going to be requested.
When access to the certificate keyring is requested, RACF does not know the intended use of the certificate.
In the case of Connect:Direct (NDM), it is up to the product to handle the exception: message CSPA202E is received. http://www-01.ibm.com/support/docview.wss?uid=swg21554980
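The access levels in the table above, the CERTAUTH/SITE rules and the NDM scenario, as an added model that is not the presentation's or IBM's code: it covers the RDATALIB checking method only (not the FACILITY IRR.DIGTCERT.LISTRING path), and the Cert and Caller classes, the access-level ordering and the sample ring are constructed for the illustration.

```python
# Added example, not the slides' or IBM's code: a model of the RDATALIB
# private-key rules quoted above (READ own key, UPDATE another user's key,
# CONTROL for SITE/CERTAUTH, SPECIAL bypasses the check; SITE/CERTAUTH keys
# also need the PERSONAL usage). Cert, Caller and the ring are constructed.
from dataclasses import dataclass

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Cert:
    label: str
    owner: str               # user ID, "SITE" or "CERTAUTH"
    usage: str = "PERSONAL"  # usage option of the ring connection

@dataclass
class Caller:
    userid: str
    special: bool = False
    lst_access: str = "NONE"  # access to <ringOwner>.<ringName>.LST

def required_level(caller, cert):
    """RDATALIB access needed to extract this certificate's private key."""
    if cert.owner in ("SITE", "CERTAUTH"):
        return "CONTROL"
    return "READ" if cert.owner == caller.userid else "UPDATE"

def can_extract_private_key(caller, cert):
    # SITE/CERTAUTH keys are returned only when connected with PERSONAL usage
    if cert.owner in ("SITE", "CERTAUTH") and cert.usage != "PERSONAL":
        return False
    if caller.special:  # slides state this for SITE/CERTAUTH; assumed for all
        return True
    return LEVELS[caller.lst_access] >= LEVELS[required_level(caller, cert)]

def data_get_all(caller, ring):
    """Model of DataGetFirst/DataGetNext over a ring: without READ on the
    LST profile the call fails with ICH408I; otherwise every certificate
    is returned, but a private key the caller lacks authority for is
    silently omitted (no ICH408I, no SMF type 80), as on the slides."""
    if not caller.special and LEVELS[caller.lst_access] < LEVELS["READ"]:
        raise PermissionError("ICH408I: no READ to the RDATALIB LST profile")
    with_key = [c.label for c in ring if can_extract_private_key(caller, c)]
    return with_key, [c.label for c in ring if c.label not in with_key]

# Constructed ring: NDM's own certificate, the CA, and another user's cert
NDM_RING = [Cert("NDMCERT", "NDM"), Cert("CORPCA", "CERTAUTH"),
            Cert("USERBCERT", "USERB")]
```

In the model, `data_get_all(Caller("NDM", lst_access="READ"), NDM_RING)` returns NDM's own key but omits the CERTAUTH key with nothing logged; that silent gap is the exception the slide says the product has to handle, and CONTROL is what closes it.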
Page 43
Monitoring all started task access is noisy.
Recommendation:
▪ Monitor <10 violations per STC user ID
▪ Monitor all RACF commands against the RDATALIB class
▪ Run an SMF report nightly, or monitor live in real time with SIEM and ISV software
Page 44
SERVAUTH EZB.FTP.sysname.ftpdaemonname.PORTxxxx: controls the ability to access the FTP server based on the SAF user ID used to log in. The APPL class still works for this purpose too.
SERVAUTH EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS: provides the ability to generally restrict FTP user access to the z/OS UNIX file system.
https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.halz002/racf.htm%23racf

Page 45
Activate the SERVAUTH class (IBM Class Descriptor Table (CDT))
SETR classact(SERVAUTH) audit(SERVAUTH) raclist(SERVAUTH) generic(SERVAUTH)
▪ RC of 4 class, but be mindful of SYS1.TCPIP.PROFILE
▪ SERVAUTH profiles for DVIPA (Dynamic Virtual IP Address)
▪ EZD1313I - REQUIRED SAF SERVAUTH PROFILE NOT FOUND RACF profile name
RACGLIST: IPL will not refresh in-storage RACF profiles; ensures sysplex consistency for RACF by product; performance improvement
RDEFINE RACGLIST SERVAUTH OWNER()
SETR classact(RACGLIST) audit(RACGLIST)
SETR RACLIST(…) REFRESH builds the RACGLIST profiles
© 2015, Joel M. Tilton SERVAUTH Port Access – November 2015 45
Page 46
Protected by profiles with UACC(NONE) AUDIT(ALL(READ))?
Could someone FTP the RACF database? Would you know if this happened? SMF is great, but real-time notifications are key.
▪ SIEM (Security Information & Event Management) tools
Is there really any reason for anyone to have even permanent READ to RACF anymore?
Recommend a special access group with a revoked group connection.
Page 47
"Try not. Do... or do not. There is no try!" (Master Yoda)
How do you tackle any project? One small step at a time...
z/OS FTP security: Engage!
▪ Get SMF type 119 records cutting
▪ Evaluate FTP parameters
▪ Safely migrate to encryption and away from SHA-1
▪ Use AT-TLS for stronger cryptography
▪ Use virtual keyrings
▪ Use the SERVAUTH class
Page 48
Adam Klinger Amy Miu
John Reale Hayim Sokolsky William Vender
© 2016, Joel M. Tilton KDFAES – April 2016 48
And the Adventure Continues to Boldly Go Where No Encryption Algorithm Has Gone Before …
Page 50
Appendix E of the z/OS Communications Server IP Programmer’s Guide and Reference
http://publibfp.dhe.ibm.com/cgibin/bookmgr/BOOKS/F1A1D3B1/E.0?DT=20120118013946
Page 51
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=%2Fcom.ibm.zos.r13.halz001%2Fcjesint.htm
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.ibm.zos.r13.halu001/jesintdiff.htm
Page 52
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.ibm.zos.r13.halz001/smfcfg.htm
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.ibm.zos.r13.halz002/accounting.htm

Page 53
https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_s02cpacf.html
Page 54
http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichd100/usgntrdata.htm%23usgntrdata?lang=en
http://publibz.boulder.ibm.com/epubs/pdf/ich2d100.pdf
http://www-01.ibm.com/support/docview.wss?uid=swg21554980
Page 55
Security for the FTP server: https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.halz002/racf.htm%23racf
Local user access control to TCP/IP resources using SAF: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.halz002/security_tcpip_resrcs_saf.htm