
GSE Belgium June 20, 2014

Surviving an IMS Security Audit

Did you lock up?

Maida Snapper [email protected]


© Copyright IBM Corporation [current year]. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES

ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE

INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT

PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE

RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, NOR SHALL HAVE THE EFFECT OF, CREATING ANY WARRANTIES OR

REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCTS AND/OR

SOFTWARE.

IBM, the IBM logo, ibm.com, DB2, CICS, RACF and IMS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms

are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may

also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Other company, product, or service names may be trademarks or service marks of others.

Disclaimer


Agenda

IMS resources

Security facilities

Locking up

Some things to consider

4

4GSE Belgium June 20, 2014

IMS Resources

• IMS online system itself
• Commands
• Transactions
• Datasets
• Coupling Facility Structures
• Databases – records, segments, fields
• Programs (PSBs)
• Terminals (Logical, Physical)
• IMSPlex and XCF group membership

At least one form of protection is available for each resource.

In many cases multiple security facilities may be used to protect a single resource.

Coupling facility structures might contain message queues or lock structures.


What security facilities are available?


Security Facilities – IMS Default Security

IMS Default Security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)

IMS commands are very powerful. Commands may be used to start the system, stop the system, and alter critical system resources. If an installation does not implement IMS command security, IMS automatically provides a type of command security commonly referred to as 'default' security to limit the commands users may enter.


IMS Default Security

• What does it protect? – Protects only IMS Type 1 commands
• Is based on command source of entry
• How is it activated? – When you do not specify any command security for commands entered from that source
• How is it deactivated? – By specifying command security for commands entered from that source

Default security applies to IMS commands. Default security does not affect other IMS resources such as transactions, databases, terminals, programs, etc.

Default security allows only a subset of the IMS commands to be entered. The subset of commands allowed when default security is active depends on where the command is entered (the source of entry). For example, the subset of IMS commands that may be entered from a static terminal is different than the subset of IMS commands that may be entered from an APPC device.

When command security is not specified, IMS automatically provides default 'command' security. In this respect, default security is not optional. It may be deactivated by specifying another form of command security.

When the Command Authorization Exit Routine has been included in the IMS system, default security is deactivated.

The sample exit provides the same command defaults as default security.

The default subset of commands allowed for each source is documented in the IMS Command Reference Vol 1.


IMS Default Security

Commands can be entered from many different sources
– Static terminals: master terminal, system console, TCO scripts, and user terminal
– ETO devices/terminals
– APPC/LU 6.2 devices
– OTMA clients
– AO transaction program: DL/I CMD call, DL/I ICMD call
– MCS/E-MCS consoles
– Operations Manager (OM)

IMS commands may be entered from various sources.

• The master terminal or system console
• IMS terminals that have been statically defined
• Time Controlled Operations (TCO) scripts
• Extended Terminal Operations (ETO) terminals, which are dynamically defined to IMS
• Advanced Program-to-Program Communications (APPC) or LU 6.2 devices
• Open Transaction Manager Access (OTMA) clients
• Automated operator (AO) programs that issue commands using either the DL/I CMD call or the DL/I ICMD call
• Multiple Console Support/Extended Multiple Console Support (MCS/E-MCS). SDSF is an example of an E-MCS console.
• Operations Manager (OM) Single Point of Control (SPOC) applications

When default security has been activated, the command set that may be issued from each of these environments may be different.


IMS Default Security

You gave everyone access to the IMS DISPLAY command

RDEF CIMS DIS UACC(READ)

Why can’t some people do /DIS?


IMS Default Security

How did the user access IMS? OTMA client

The OTMA “window” was not locked: OTMASE=N

Since no security was specified for OTMA, default command security was in effect.

OTMASE is the IMS parameter used to specify whether you want OTMA security. OTMASE=N says you don’t want any OTMA security.


IMS Default Security

Commands allowed by default when OTMA is the source of command entry:

/LOCK, /LOG, /RDISPLAY

When IMS has been started without command security specified for commands entered from OTMA clients, default security is enforced. In order for default command security to take effect for commands entered from OTMA clients:

• RACF security checking must be inactive for the OTMA environment, and
• DFSCCMD0 is omitted from the IMS system; or, if included, it is the unmodified sample exit

RACF security checking is inactive in the OTMA environment when IMS has been started using the IMS startup parameter OTMASE=N or when the /SECURE OTMA NONE command has been issued after IMS startup.

If DFSCCMD0 has been included in the IMS system, it will be used to authorize commands entered from OTMA clients. The unmodified DFSCCMD0 sample exit routine allows only the default commands shown.

When neither RACF nor DFSCCMD0 is used to authorize commands, default command security is enabled automatically by IMS for commands entered from OTMA clients and only the commands shown may be entered.


Security Facilities – PSB

• IMS default security
Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)

Before executing an application program under IMS, you must describe that program and its use of logical terminals and logical data structures through a program specification block (PSB) generation. The PSB generation statements supply the identification and characteristics of the IMS resources to be used. These program communication blocks (PCBs) represent message destinations and databases used by the application program. In addition, there must be a statement supplying characteristics of the application program itself. There must be one PSB for each message, batch, or Fast Path program.


Security Facilities – PSB

• PSB provides database security
  – Data sensitivity (SENSEG, SENFLD) describes the application's view of the database
  – Processing options (PROCOPT) define what the application can do (e.g. read or update)

• PSB should be coded to facilitate security requirements
  – Define only the segments and fields needed
  – Use only the processing option needed

• PSB is a trusted resource
  – IMS makes no security calls for hard-coded resources in a PSB
  – A user authorized to submit a transaction using the PSB is also authorized to submit a transaction to a destination hard-coded in the alternate PCB.

The PSBGEN process may be considered a security facility of IMS because it is a mechanism for restricting the application program's logical view of the data it is allowed to access. The PSBGEN process is used to generate a program specification block (PSB). Once generated, the PSB provides database security. A PSB contains one or more program communication blocks (PCBs).

A database program communication block (DB PCB) defines an application program's view of the database. An application program often needs to process only some of the segments in a database. A PCB defines which of the segments in the database the program is allowed to access (the segments which the program is sensitive to). The data structures that are available to the program contain only segments to which the program is sensitive.

The PCB also defines how the application program is allowed to process the segments in the data structure: whether the program can only read the segments, or whether it can update them as well. To obtain the highest level of data security, your PCBs should request the fewest number of sensitive segments and the least capability needed to complete the task.
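The least-privilege advice above (fewest sensitive segments, least capable PROCOPT) and the trusted alternate-PCB destinations noted on the previous slide can be checked mechanically from the PSBGEN source. The script below is an added example, not code from the presentation or from IBM: it assumes one PSBGEN statement per line (no column-72 continuation cards) and runs over a constructed PSB for the sample PAYROLL database, listing which segments the program may change, how many segments each DB PCB is sensitive to, and which TP PCB destinations are hard-coded.

```python
"""Review a PSBGEN source for least privilege (added example, not from the
presentation). Assumptions: one statement per line, constructed PSB below."""
import re
from typing import Dict, List

# Constructed PSB source (not from the presentation): an update PCB on the
# PAYROLL database, a read-only PCB on EMPLOYEE, and an alternate (TP) PCB
# with a hard-coded destination.
SAMPLE_PSB = """\
PAYPCB   PCB   TYPE=DB,DBDNAME=PAYROLL,PROCOPT=A,KEYLEN=20
         SENSEG NAME=NAME,PARENT=0
         SENSEG NAME=ADDRESS,PARENT=NAME,PROCOPT=G
         SENSEG NAME=PAYROLL,PARENT=NAME
         PCB   TYPE=DB,DBDNAME=EMPLOYEE,PROCOPT=G,KEYLEN=10
         SENSEG NAME=EMP,PARENT=0
         PCB   TYPE=TP,NAME=OUTLTERM
         PSBGEN LANG=COBOL,PSBNAME=PAYUPD
         END
"""

STMT_RE = re.compile(r"^(\S*)\s+(PCB|SENSEG|SENFLD|PSBGEN)\s+(\S.*?)\s*$")
OPERAND_RE = re.compile(r"([A-Z]+)=(\([^)]*\)|[^,\s]+)")
# PROCOPT letters that let the program change data: Insert, Replace, Delete,
# All (G+I+R+D) and Load. G (get), K, O, P, E alone do not.
UPDATE_OPS = set("IRDAL")


def parse_operands(text: str) -> Dict[str, str]:
    return {key: value for key, value in OPERAND_RE.findall(text)}


def parse_psb(source: str) -> List[dict]:
    """Return one dict per PCB with its SENSEGs and their effective PROCOPT."""
    pcbs: List[dict] = []
    for line in source.splitlines():
        if line.startswith("*"):            # assembler comment line
            continue
        match = STMT_RE.match(line)
        if not match:
            continue
        label, operation, operands = match.groups()
        ops = parse_operands(operands)
        if operation == "PCB":
            pcbs.append({
                "label": label,
                "type": ops.get("TYPE", "DB"),
                "dbdname": ops.get("DBDNAME"),
                "procopt": ops.get("PROCOPT", ""),
                "dest": ops.get("NAME"),        # TP PCB: hard-coded destination
                "segments": [],
            })
        elif operation == "SENSEG" and pcbs:
            pcb = pcbs[-1]
            # A SENSEG without its own PROCOPT inherits the PCB's PROCOPT.
            pcb["segments"].append({
                "name": ops["NAME"],
                "procopt": ops.get("PROCOPT", pcb["procopt"]),
            })
    return pcbs


def update_capable(procopt: str) -> bool:
    return bool(set(procopt.upper()) & UPDATE_OPS)


def review(pcbs: List[dict]) -> dict:
    """Summarise what an auditor would ask about this PSB."""
    db_pcbs = [p for p in pcbs if p["type"] == "DB"]
    return {
        # Segments the program may insert/replace/delete: compare against
        # what the program actually needs to do.
        "update_segments": [(p["dbdname"], s["name"])
                            for p in db_pcbs for s in p["segments"]
                            if update_capable(s["procopt"])],
        # Fewer sensitive segments means a narrower view of the database.
        "sensitive_count": {p["dbdname"]: len(p["segments"]) for p in db_pcbs},
        # Destinations IMS makes no security call for (trusted by the PSB).
        "trusted_destinations": [p["dest"] for p in pcbs
                                 if p["type"] == "TP" and p["dest"]],
    }


if __name__ == "__main__":
    for key, value in review(parse_psb(SAMPLE_PSB)).items():
        print(f"{key}: {value}")
```

On the constructed PSB the NAME segment inherits PROCOPT=A from its PCB, so it shows up as update-capable alongside PAYROLL even though only the PAYROLL segment is the one a payroll update program would plausibly need to change; that is the kind of gap a PSB review is meant to surface.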


Security Facilities - Encryption

• IMS default security
• Program Specification Block (PSB)
Database encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)

When preventing access to the data is difficult or impractical, encryption can protect data that is in files or data that is being communicated in a network. IMS offers some file encryption capability (through IMS Segment Edit/Compression exit routines, for example) but no communication encryption capability.


Security Facilities – Database Encryption

Database encryption may be performed by

• zSeries and S/390 Crypto Hardware features

• z/OS Cryptographic Services: Integrated Cryptographic Service Facility (ICSF), a component of z/OS Cryptographic Services, is the software interface to the crypto hardware

• Segment Edit/Compression Exit Routine (DFSCMPX0)
  – can invoke a user-supplied encryption routine
  – can call ICSF or another product
  – can invoke the IBM Data Encryption for IMS and DB2 Databases tool (5655-P03)
  – can be different for each segment

File encryption of the physical database keeps unauthorized individuals from looking at the data when the physical disk pack containing the database is removed from its usual area. File encryption support extends to VSAM physical databases. Communications encryption supports ACF/VTAM supported terminals.

You can encrypt DL/I segments using your own encryption routine, a software product that performs encryption, or hardware encryption; entered at the Segment Edit/Compression Exit Routine (DFSCMPX0).

Before segments are written on the database, IMS passes control to your routine, which encrypts them. Then, each time they are retrieved, they are decrypted by your routine before presentation to the application program.

You can use the DFSCMPX0 facility on segment data in full function databases and Fast Path DEDBs. You write the routine that actually manipulates the data in the segment. The IMS code gives your edit routine information about the segment's location and assists in moving the segment back and forth between the buffer pool and the application program's I/O area.


Security Facilities – Database Encryption

Data Encryption for DB2 and IMS Databases tool:

• requires the IBM optional Crypto Express2 (CEX2) hardware feature
• requires ICSF, the software interface to the crypto hardware
• requires the standard CP Assist for Crypto Function (CPACF) be enabled and active if the clear key exit is used
• is recommended over roll-your-own solutions, as extensive testing has been done to ensure the product works with all the product interfaces

The Programmed Cryptographic Facility, program number 5640-XY5, provides file and communications encryption under MVS. File encryption of the physical hierarchical database keeps unauthorized individuals/programs from looking at the data. The program can be called from the Segment Edit/Compression Exit Routine to perform the encryption.


Security Facilities – Database Encryption

[Figure: sample PAYROLL database with segments NAME, ADDRESS and PAYROLL]

SEGM …,COMPRTN=(routinename,DATA,INIT,MAX)

Requires no changes to applications! Just change the DBD to name the exit routine.

You can use the Segment Edit/Compression Exit Routine to provide data encryption. By including the IBM Programmed Cryptographic Facility within your exit routine, you can reduce your programming effort. The facility is executed via assembler macro calls. Segments are encrypted before being placed in the database buffer pool. The SEGM control statement in the IMS DBDGEN includes a keyword, COMPRTN, to specify the name of this exit routine.

You can use ICSF/CCA APIs in the IMS DB Segment Edit/Compression exit. IMS supports the Programmed Cryptographic Facility (PCF) interface transparently through the ICSF/CCA interface. Programs that are written to the PCF interface run, without modification, through the ICSF/CCA interface. If you want your PCF programs to use the ICSF/CCA APIs, however, you must modify those PCF programs.

The ICSF/CCA interface has two PCF compatibility modes.

•ICSF mode COMPAT(YES) means that programs written to the Programmed Cryptographic Facility interface run without change, as well as calls made directly to the ICSF/CCA API. There are some limitations for dynamic master key change in this mode.

•ICSF mode COMPAT(NO) means only programs coded to the CCA API run.


Security Facilities – VSAM Password Protection

• IMS default security
• Program Specification Block (PSB)
• Encryption
VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)


Security Facilities - VSAM Password Protection

VSAM password protection for IMS databases in batch environments

• prevents accidental access of IMS databases by non-IMS programs
• used in conjunction with the VSAM CONTROLPW specification on VSAM DEFINE statements
• specify PASSWD=YES/NO on the DBD
• ignored in the IMS Online (DB/DC) environment
• in IMS Batch, causes the operator to be prompted for a password each time the data set is opened

You can take advantage of VSAM password protection to prevent non-IMS programs from reading VSAM data sets on which you have your IMS databases.

This method is useful in the batch environment because VSAM password checking is bypassed entirely in IMS online systems.

In the batch environment, operator password prompting occurs if PASSWD=NO is specified and the data set is password protected at the control level (CONTROLPW) with passwords not equal to DBDNAME. If you specify PASSWD=NO, the default, on the DBD statement, the console operator is prompted to provide a password to VSAM each time the data set is opened.


Security Facilities – Application-based security

• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
Application-based security
• Physical security
• Exits
• RACF (or other SAF product)


Security Facilities - Application-based security

• Application program can perform its own security checks

• Security rules could be stored in
  – Internal table in program
  – Database
  – RACF

• Application program issues DL/I AUTH call
  • Database
  • Field
  • Segment
  • Other

• Application program grants or denies resource access based on user ID of the user who entered the transaction

An AUTH call verifies a user's security authorization. It determines whether a user is authorized to access the resources specified on the AUTH call. The AUTH call gives application programs access to the RACF database classes security profile data. Thus, application programs can obtain the security information about a particular resource and the user requesting access to the resource.

An A4 status code is returned if the user is not authorized.


Security Facilities – Physical Security

• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
Physical security
• Exits
• RACF (or other SAF product)


Security Facilities – Physical Security

Physical security

Controlled access to and from the computer area

Authorization of DP operations and non-operations personnel in certain terminal areas

Separately controlled areas for media such as tapes, disks, cards, or files

Control of computer forms and printed output


Security Facilities - Exits

• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)


Security Facilities - Exits

• Can be used alone or with RACF
• Can override the RACF result – Called after RACF
• May provide more granularity than the RACF profile
• If an exit cannot be explicitly specified, IMS will invoke it if it exists
• If an exit is explicitly specified, IMS will abend if it does not exist

IMS will abend during initialization with U718 if you specify the use of an exit and the exit does not exist.


Security Facilities – Exits

• Sign on/off verification
  – DFSCSGN0
  – DFSSGNX0
  – DFSSGFX0

• Transaction authorization
  – DFSCTRN0
  – DFSCTSE0 (reverify)
  – DFSBSEX0 (build security environment)

• Command authorization
  – DFSCCMD0
  – DSPDCAX0 (DBRC)
  – OM user exits

• RAS (dependent region/thread)
  – DFSRAS00

• Other
  – DFSYRTUX (OTMA)
  – DFSTCNT0 (TCO)
  – DFSCMPX0 (encryption)
  – DFSFLGE0 (log edit)
  – DFSMSCE0 (MSC)
  – HWSAUTH0 (ODBM)
  – IMSLSECX (IMS Connect)

DFSCTRN0 is generally not invoked unless the RACF return code is 0 or 4. DFSCTSE0 (the reverification entry point of DFSCTRN0) is always invoked for CHNG and AUTH calls no matter what the RACF return code is.

When an exit cannot be explicitly requested (e.g. APPCSE), it is invoked if it exists. When an exit is explicitly requested (e.g. AOIS=A), it must exist or IMS will fail to initialize with U0718.

DFSBSEX0 was offered to improve performance: allowing you to control if and when a security environment is dynamically built in cases where it does not exist (for example, “back end” IMS or user signed off).

Exits can be used to override RACF decisions. Exits can be used to do more granular or conditional checking than the RACF resource class may offer.

As of IMS 13, DFSCSGN0, DFSCTRN0 and DFSCTSE0 are removed from the nucleus, bound separately and loaded from STEPLIB (if present) into 31-bit storage. The new DFS1937I message indicates which of these user exits have been loaded.

Since the DFSCTRN0, DFSCTSE0 and DFSCSGN0 user exits were removed from the nucleus in IMS 13, consideration must be given to maintaining their ability to communicate with one another. There are two options for this: treating the exits as standalone modules and using the new parameter to share the storage obtained during IMS initialization (recommended), or binding the modules together using ALIASing. In either case, the modules should be bound as re-entrant and also as AMODE/RMODE 31 to prevent them from being loaded multiple times. As a review, a re-entrant module can be used by multiple callers simultaneously while concurrent activity is taking place. It is written so that none of its code is modifiable (no values are changed) and it does not keep track of anything. The callers keep track of their own progress (variables, flags, etc.), thus one copy of the re-entrant routine can be shared by any number of callers.


Security Facilities – Exits

RACF rejected a command but IMS did it anyway!

Why?


Security Facilities – Exits

15:36:21.32 STC00761 00000281 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
        785 00000281  ASS CL(CIMS )
        785 00000281  INSUFFICIENT ACCESS AUTHORITY
        785 00000281  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

DFS058I 15:36:21 ASSIGN COMMAND COMPLETED

1) RACF determined the user is not authorized.
2) IMS called the Command Authorization Exit (DFSCCMD0) after RACF.
3) The exit determined the user is authorized.
4) IMS allowed the command.

There is no way to explicitly request the Command Authorization Exit for commands from static and dynamic terminals. Therefore the exit will be invoked if it exists in RESLIB.

RACF issued the ICH408I message because IMS called RACF with LOG=ASIS.
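The sequence above (RACF denies, the exit allows, IMS completes the command) can be found in the log by correlating each ICH408I for the CIMS class with the IMS message that follows it: a DFS058I "COMMAND COMPLETED" means the exit overrode RACF, a DFS3662W means the RACF decision stood. The script below is an added example, not from the presentation: it uses the message texts shown on the slides, but the syslog prefixes, the second denial for a constructed user IMSUSRB and its DFS3662W are constructed sample input, and the five-second correlation window is an assumption.

```python
"""Flag commands RACF denied but IMS completed anyway (added example, not from
the presentation). The log below is constructed sample input."""
import re
from typing import Dict, List

SAMPLE_SYSLOG = """\
15:36:21.32 STC00761 00000281 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
785 00000281   ASS CL(CIMS )
785 00000281   INSUFFICIENT ACCESS AUTHORITY
785 00000281   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
15:36:21.35 STC00761 00000281 DFS058I 15:36:21 ASSIGN COMMAND COMPLETED
16:23:58.10 STC00761 00000281 ICH408I USER(IMSUSRB ) GROUP(IMSOPRL ) NAME(#####
790 00000281   ASS CL(CIMS )
790 00000281   INSUFFICIENT ACCESS AUTHORITY
790 00000281   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
16:23:58.12 STC00761 00000281 DFS3662W 16:23:58 COMMAND REJECTED BY RACF; USER NOT AUTH ; RC= 0008
"""

TS = r"(\d\d:\d\d:\d\d\.\d\d)"
# First line of an ICH408I: timestamp, job, flags, then USER(...).
DENIAL_RE = re.compile(TS + r"\s+\S+\s+\S+\s+ICH408I USER\((\S+)\s*\)")
# Continuation line carrying the resource and class, e.g. "ASS CL(CIMS )".
RESOURCE_RE = re.compile(r"^\d+\s+\S+\s+(\S+)\s+CL\((\S+)\s*\)")
# IMS verdict lines: DFSnnnnX followed by the IMS time and the message text.
VERDICT_RE = re.compile(TS + r"\s+\S+\s+\S+\s+(DFS\d+[A-Z])\s+\d\d:\d\d:\d\d\s+(.*)$")


def _seconds(ts: str) -> float:
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def detect_overrides(log_text: str, window_seconds: float = 5.0) -> Dict[str, List[dict]]:
    """Pair each RACF denial in the CIMS (command) class with the IMS verdict
    issued within window_seconds; classify as override or rejection."""
    pending: List[dict] = []                  # denials awaiting an IMS verdict
    result: Dict[str, List[dict]] = {"overrides": [], "rejections": []}
    for line in log_text.splitlines():
        m = DENIAL_RE.match(line)
        if m:
            pending.append({"denied_at": m.group(1), "user": m.group(2),
                            "resource": None, "class": None})
            continue
        m = RESOURCE_RE.match(line)
        if m and pending and pending[-1]["resource"] is None:
            pending[-1]["resource"], pending[-1]["class"] = m.group(1), m.group(2)
            continue
        m = VERDICT_RE.match(line)
        if not m:
            continue
        verdict_at, msgid, text = m.groups()
        denial = next((d for d in reversed(pending)
                       if d["class"] == "CIMS"
                       and 0 <= _seconds(verdict_at) - _seconds(d["denied_at"]) <= window_seconds),
                      None)
        if denial is None:
            continue
        pending.remove(denial)
        record = dict(denial, verdict_at=verdict_at, message=f"{msgid} {text}")
        if msgid == "DFS3662W":
            result["rejections"].append(record)   # RACF decision stood
        elif "COMMAND COMPLETED" in text:
            result["overrides"].append(record)    # an exit let the command through
    return result


if __name__ == "__main__":
    for kind, records in detect_overrides(SAMPLE_SYSLOG).items():
        for rec in records:
            print(f"{kind}: {rec['user']} {rec['resource']} -> {rec['message']}")
```

In a real syslog the ICH408I continuation lines carry the same message sequence number as the first line; the script relies only on the continuation line that contains CL(...), so extra lines between them do not matter. An override hit is the cue to ask which DFSCCMD0 is in RESLIB and whether it was intended.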


Security Facilities – Exits

Results when the exit was removed or changed:

15:36:21.32 STC00761 00000281 ICH408I USER(IMSUSRA ) GROUP(IMSOPRL ) NAME(#####
        785 00000281  ASS CL(CIMS )
        785 00000281  INSUFFICIENT ACCESS AUTHORITY
        785 00000281  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

DFS3662W 16:23:58 COMMAND REJECTED BY RACF; USER NOT AUTH ; RC= 0008


Security Facilities - Exits

• IMS default security
• Program Specification Block (PSB)
• Encryption
• VSAM password protection
• Application-based security
• Physical security
• Exits
• RACF (or other SAF product)


Think of this house as the IMS online system.

This is a picture of Kykuit, a 40-room house in Westchester County, New York, built by John D. Rockefeller in 1913.


The APPL Gate

Think of this as the gate that protects the IMS online system.


Locking the Gate

RACF APPL class

• Restrict terminal users' access to applications (TSO, IMS, CICS, etc.)
  – Define a RACF profile for sapplid in the APPL class
  – Specify sapplid in DFSDCxxx
  – sapplid defaults to imsid

• Control ATTACH requests
  – Protect conversations between partner LUs

• Control which dependent regions can connect to IMS
  – This check is only made if RAS security is active (ISIS=R|A)
  – Examples of dependent regions: BMP, CICS, DB2 stored procedure
  – Define a RACF profile for imsid in the APPL class

To restrict access to an IMS control region to just those users of the system who are authorized by the nature of their jobs to access it, you must activate the APPL class in RACF.

When the user attempts to sign on, IMS uses RACF to verify the user's identity and his authority to access the specific IMS control region. IMS passes the application identifier for IMS on the RACROUTE REQUEST=VERIFY macro using the APPL= parameter.

RACF does an authorization check to determine the user's authorization to the IMS identified by the APPL= parameter on the RACROUTE request.

You can also use the APPL resource class to protect conversations between partner LUs. This support provides the ability to grant or deny access on the basis of the identity of both the user and the logical unit (LU) from which the user's request originated.

When RAS security is activated (ISIS), you can use the APPL class to control access to IMS by dependent regions such as MPP, BMP, CICS, JBP, JMP, IFP, DB2 stored procedures, etc.


Locking IMS Doors and Windows


How are they trying to get in?

There’s an IMS lock for that.


IMS Windows and Doors: How IMS Messages Get In

• SNA terminal (static or ETO)
• System console (WTOR)
• IMS master terminal
• MCS or E-MCS device
• OTMA (IMS Connect, MQ, distributed environment, etc.)
• ODBA (DB2 stored procedure, distributed environment)
• Operations Manager (OM)
• APPC/LU 6.2
• MSC link
• ISC link (LU 6.1)
• TCO script
• DBRC utility
• Dependent region (BMP, CICS, DB2 stored procedure, etc.)
• AOI program


Each “Window” Has a Lock

How is the message getting in?                 What is the IMS lock?   Where is the IMS lock?
SNA terminal (static or ETO)                   RCF                     DFSPBxxx
TCO script (special case of static terminal)   TCORACF and RCF         DFSPBxxx
MCS or E-MCS console                           CMDMCS                  DFSPBxxx
Dependent region (MPP, BMP, CICS, etc.)        ISIS                    DFSPBxxx
AOI program (tran issues CMD call)             AOI1                    DFSPBxxx
AOI program (tran issues ICMD call)            AOIS                    DFSPBxxx
DBRC                                           CMDAUTH                 RECON
OTMA (ex. IMS Connect, MQ)                     OTMASE                  DFSPBxxx
ODBA (ex. DB2 stored procedure)                ODBASE                  DFSPBxxx
Operations Manager (OM)                        CMDSEC                  CSLOIxxx, DFSCGxxx
APPC/LU 6.2                                    APPCSE                  DFSPBxxx
MSC link                                       MSCSEC                  DFSDCxxx
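The table above maps each entry point to the parameter that locks it, and two earlier slides add cross-parameter consequences: OTMASE=N with DFSCCMD0 absent (or the unmodified sample) means OTMA clients fall back to default command security, and ISIS=N means dependent regions skip the APPL connection check. The script below is an added example, not from the presentation: it reads constructed DFSPBxxx, DFSDCxxx and CSLOIxxx members, reports each window's setting and applies those two inferences. The member names and contents are constructed, the non-N parameter values are sample settings to be checked against the installation's IMS release syntax, the DBRC CMDAUTH row lives in the RECON rather than a PROCLIB member and is not covered, and "unspecified" only means the product default applies, which the script does not try to guess.

```python
"""Audit which IMS message 'windows' are locked (added example, not from the
presentation). Members below are constructed; values are sample settings."""
import re
from typing import Dict, List

# (window, security parameter, PROCLIB member) taken from the slide's table.
WINDOWS = [
    ("SNA terminal (static or ETO)", "RCF", "DFSPBxxx"),
    ("TCO script", "TCORACF", "DFSPBxxx"),
    ("MCS or E-MCS console", "CMDMCS", "DFSPBxxx"),
    ("Dependent region (MPP, BMP, CICS, etc.)", "ISIS", "DFSPBxxx"),
    ("AOI program (CMD call)", "AOI1", "DFSPBxxx"),
    ("AOI program (ICMD call)", "AOIS", "DFSPBxxx"),
    ("OTMA (IMS Connect, MQ)", "OTMASE", "DFSPBxxx"),
    ("ODBA (DB2 stored procedure)", "ODBASE", "DFSPBxxx"),
    ("Operations Manager (OM)", "CMDSEC", "CSLOIxxx"),
    ("APPC/LU 6.2", "APPCSE", "DFSPBxxx"),
    ("MSC link", "MSCSEC", "DFSDCxxx"),
]

# Constructed members (not from the presentation): OTMA and dependent
# regions are left open, MSCSEC is not specified at all.
SAMPLE_MEMBERS = {
    "DFSPBIMS": ("* IMS control region parameters (constructed sample)\n"
                 "RCF=A,\nISIS=N,\nOTMASE=N,\nAOIS=A,\nAOI1=A,\n"
                 "CMDMCS=B,\nAPPCSE=F,\nODBASE=Y,\nTCORACF=Y,\n"),
    "DFSDCIMS": "BMPUSID=USERID,\n",
    "CSLOIIMS": "CMDSEC=R,\n",
}

PARAM_RE = re.compile(r"([A-Z][A-Z0-9]*)=(\([^)]*\)|[^,\s]+)")


def parse_member(text: str) -> Dict[str, str]:
    """Simplified KEY=VALUE parser: comment lines start with '*', values may
    be parenthesised lists; continuation rules are not modelled."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("*"):
            continue
        for key, value in PARAM_RE.findall(line):
            params[key] = value.upper()
    return params


def member_prefix(name: str) -> str:
    return name[:5].upper()            # DFSPBIMS -> DFSPB, CSLOIIMS -> CSLOI


def audit(members: Dict[str, str], command_exit: str = "absent") -> List[dict]:
    """command_exit: 'absent', 'sample' (unmodified DFSCCMD0) or 'custom'."""
    parsed = {member_prefix(n): parse_member(t) for n, t in members.items()}
    findings: List[dict] = []
    for window, keyword, member in WINDOWS:
        value = parsed.get(member_prefix(member), {}).get(keyword)
        if value is None:
            status = "unspecified"      # product default applies; confirm it
        elif value == "N":
            status = "unlocked"
        else:
            status = "locked"
        findings.append({"window": window, "keyword": keyword,
                         "member": member, "value": value, "status": status})
    pb = parsed.get("DFSPB", {})
    # Slide inference 1: no OTMA security and no (or sample) command exit
    # means IMS applies default command security to OTMA clients.
    if pb.get("OTMASE") == "N" and command_exit in ("absent", "sample"):
        findings.append({"window": "OTMA (IMS Connect, MQ)", "keyword": "OTMASE",
                         "member": "DFSPBxxx", "value": "N",
                         "status": "default-security",
                         "note": "only /LOCK, /LOG and /RDISPLAY accepted from OTMA"})
    # Slide inference 2: RAS inactive, so a BMP is never checked against the
    # APPL profile for the imsid when it connects.
    if pb.get("ISIS") == "N":
        findings.append({"window": "Dependent region (MPP, BMP, CICS, etc.)",
                         "keyword": "ISIS", "member": "DFSPBxxx", "value": "N",
                         "status": "appl-check-skipped",
                         "note": "dependent regions connect without the RACF APPL check"})
    return findings


def windows_with_status(findings: List[dict], status: str) -> List[str]:
    return sorted(f["keyword"] for f in findings if f["status"] == status)


if __name__ == "__main__":
    for f in audit(SAMPLE_MEMBERS):
        print(f"{f['status']:<20} {f['keyword']:<8} {f['window']} {f.get('note', '')}")
```

The point of the two inference rules is that a parameter list read row by row can look acceptable while the combination is not: OTMASE=N on its own reads as "no OTMA security", but together with the absence of DFSCCMD0 it is exactly the situation on the "Why can't some people do /DIS?" slide.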


A programmer with no access to production accidentally updated production data!

How can this happen?

Programmer was not authorized to sign onto the production IMS online.

Programmer’s user ID was not authorized to access the production databases.


You should ask:

How did the user access IMS?

User submitted a BMP

Dependent region “window” was not locked. ISIS=N

Programmer submitted a BMP from TSO and accidentally specified production IMS. The BMP ran with the programmer’s user ID inherited from TSO.

Although the programmer himself could not have signed on to IMS because he was not authorized to the production imsid in the RACF APPL class (“user not authorized to application”), the BMP does not go through that APPL check unless RAS security is activated.

As for the user having no access to production databases, in the online environment it is DL/I that needs access to the databases, not the user.


Dependent Region Security Options

• RACF
  – RACF APPL check when dependent region tries to connect
  – RACF resource check at every dependent region scheduling
    • PSB (IIMS/JIMS)
    • Transaction (TIMS/GIMS)
    • LTERM (LIMS/MIMS)

• DFSRAS00 exit
  – Can be used for security rules alone or in addition to RACF
  – Can be used to customize the type of checking
    • exempt certain dependent regions from this security check
    • connection check only
    • resource check only
    • etc.

• RACF followed by DFSRAS00

• No security


Dependent Region User ID

RAS security needs a user ID for the dependent regions.

• For started tasks (MPP, IFP, CICS, etc.)
  – Started task user ID assigned via the RACF STARTED class

• For BMP
  – USER= coded on the JOB statement of the BMP
  – TSO user ID if submitted from TSO
  – BMPUSID= in DFSDCxxx
  – PSB

• For DB2 stored procedures
  – User ID of the user who submitted the procedure, if available
  – User ID of the ODBA address space

If running in a non-message-driven region, the value is dependent on the specification of the BMPUSID= keyword in the DFSDCxxx PROCLIB member:

If BMPUSID=USERID is specified, the value from the USER= keyword on the JOB statement is used. If USER= is not specified on the JOB statement, the program's PSB name is used.

If BMPUSID=PSBNAME is specified, or if BMPUSID= is not specified at all, the program's PSB name is used.


Sample Implementation of RAS Security with RACF

• Protect IMS in the APPL class

and/or

• Define resources you want to protect
  – IIMS/JIMS for PSB
  – TIMS/GIMS for transaction
  – LIMS/MIMS for LTERM

• Define all region user IDs to RACF as users
  – BMPs, MPPs, IFPs, DB2 stored procedures, CICS, etc.

• Permit region user IDs to access appropriate resources

• Permit region user IDs to access IMS if imsid is protected in the APPL class

• Set ISIS=R

The checks made for RAS security are similar to the checks made for an SNA terminal user. A check is made when the region tries to connect (sign on) to IMS that the region’s user ID is authorized to IMS protected in the APPL class. Then every time the region does work (is scheduled), a check is made that the region’s user ID is authorized to the resource (PSB, TRAN, LTERM).

If IMS is protected in the RACF APPL class, when you activate RAS (ISIS=R or A) IMS will call RACF to check that the dependent region user ID is authorized to access IMS when the dependent region requests to connect to IMS. This “connection check” is not done unless RAS security is activated.

To implement RAS security you want to either protect IMS in the APPL class or protect IMS resources or both.
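The BMP incident two slides back, the BMPUSID rules on the previous slide and the sample RAS implementation above fit together as one decision model: which user ID the region runs under, whether the APPL connection check applies, and whether the PSB scheduling check applies. The script below is an added example, not from the presentation: the RACF profiles, user IDs, the imsid IMSP and the PSB PAYUPD are constructed; the DFSDCxxx keyword value is written BMPUSID=USERID; the DFSRAS00 exit is not modelled, so ISIS=R and ISIS=A are both treated simply as "RAS active", and only the PSB (IIMS) resource check is shown.

```python
"""RAS connection and scheduling checks for a BMP (added example, not from the
presentation). RACF state and user IDs below are constructed."""
from typing import Dict, Optional, Set

# RACF state: class -> profile name -> user IDs permitted to it (constructed).
Profiles = Dict[str, Dict[str, Set[str]]]

# Production IMS 'IMSP' is protected in the APPL class and the PAYUPD PSB in
# the IIMS class; only the region IDs IMSPROD and PAYUPD are permitted.
SAMPLE_PROFILES: Profiles = {
    "APPL": {"IMSP": {"IMSPROD", "PAYUPD"}},
    "IIMS": {"PAYUPD": {"IMSPROD", "PAYUPD"}},
}


def resolve_bmp_userid(bmpusid: Optional[str], job_user: Optional[str], psb_name: str) -> str:
    """BMPUSID=USERID: USER= from the JOB statement (for a TSO submit, the
    submitter's ID propagated to the job) or, failing that, the PSB name.
    BMPUSID=PSBNAME or unspecified: always the PSB name."""
    if bmpusid == "USERID" and job_user:
        return job_user
    return psb_name


def racf_check(profiles: Profiles, cls: str, resource: str, userid: str) -> Optional[bool]:
    """None when no profile protects the resource, else whether userid is permitted."""
    acl = profiles.get(cls, {}).get(resource)
    return None if acl is None else userid in acl


def ras_decision(isis: str, imsid: str, psb_name: str, region_user: str,
                 profiles: Profiles) -> dict:
    """Connection check (APPL) then scheduling check (IIMS), both only when RAS
    is active. ISIS=N skips both; an unprotected resource passes."""
    if isis == "N":
        return {"connect": True, "schedule": True,
                "reason": "ISIS=N: RAS inactive, no APPL connection check and no PSB check"}
    if racf_check(profiles, "APPL", imsid, region_user) is False:
        return {"connect": False, "schedule": False,
                "reason": f"{region_user} not permitted to {imsid} in the APPL class"}
    if racf_check(profiles, "IIMS", psb_name, region_user) is False:
        return {"connect": True, "schedule": False,
                "reason": f"{region_user} not permitted to PSB {psb_name} in the IIMS class"}
    return {"connect": True, "schedule": True, "reason": "RAS checks passed"}


def incident(isis: str, bmpusid: str = "USERID") -> dict:
    """The slide's scenario: programmer PGMR01 (constructed) submits a BMP
    from TSO against production by mistake."""
    user = resolve_bmp_userid(bmpusid, "PGMR01", "PAYUPD")
    return dict(ras_decision(isis, "IMSP", "PAYUPD", user, SAMPLE_PROFILES),
                region_user=user)


if __name__ == "__main__":
    for isis in ("N", "R"):
        print(f"ISIS={isis}: {incident(isis)}")
    print(f"ISIS=R, BMPUSID=PSBNAME: {incident('R', bmpusid='PSBNAME')}")
```

With ISIS=N the programmer's BMP connects and is scheduled even though PGMR01 is on no access list, which is the incident; with ISIS=R the same job is stopped at the connection check. With BMPUSID=PSBNAME the region runs as PAYUPD, so the access lists have to be written for PSB names rather than people, which is why the sample implementation says to define all region user IDs to RACF.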


User IDs and Passwords


An IMS User Can Be…

• A person
• Transaction
• Command
• Logical terminal (LTERM)
• Jobs and Started Tasks
• PSB
• TCO (Time Controlled Operations) script
• IMS Master terminal
• System Console WTOR


IMS Jobs and Started Tasks as Users

To allow IMS and its address spaces to access resources

• When IMS resources are protected by RACF
  – IMS needs a user ID
  – DLI/SAS needs a user ID
  – DBRC needs a user ID
  – Dependent regions may need user IDs

• The user IDs are needed for
  – Access to system resources and data sets, e.g. system dump data set
  – Access to IMS protected data sets, e.g. RECON data set and program libraries
  – Access to IMS resources as the default user ID

• User IDs can be created using the RACF STARTED class

If system resources are RACF protected, then IMS will need to be assigned a user ID that has access to the required resources. Such resources could include system dump data sets or logs.

Similarly, the DLI/SAS region may need to be authorized to access IMS databases and DBRC will need to be authorized to access the RECON data set.

RACF user IDs are created for IMS, DL/I, DBRC and optionally for dependent regions using the normal process of defining users in RACF, the ADDUSER command.

If the IMS procedure is associated with a RACF user ID (with sufficient authority), the IMS control region can open a RACF-protected data set. If an association does not exist, the IMS control region is not allowed to open a RACF-protected data set that does not allow universal access for the requested authority level.

If the DLI/SAS procedure is associated with a RACF user ID, it overrides the RACF user ID for the IMS procedure. If an association does not exist, the RACF user ID associated with the IMS procedure is used for RACF access checking.


IMS Logical Terminals as Users

If a static terminal cannot (or will not) sign on

• Define the static terminal in IMS with the AUTOSIGN option
  – IMS assigns the logical terminal name (LTERM) as the user ID

• Add the LTERM name as a user ID in RACF

• Add the LTERM user ID to the appropriate access lists

If a static terminal cannot or will not sign on, you can simulate a sign on and assign a user ID by specifying OPTIONS=AUTOSIGN on the TYPE or TERMINAL macro in the IMSGEN.

The first LTERM name will be assigned as the user ID.


IMS TCO Scripts as Users

To allow a TCO script to issue transactions and/or commands:

• Add a /SIGN statement to the script with a user ID and password
• Define the TCO user ID and password to RACF
• Add the TCO user ID to the appropriate access lists

IMS views commands and transactions in a TCO script as coming from a static terminal. At this time, there is no facility to use the AUTOSIGN option for TCO.

The password will appear in the script in clear text, so the script data set must be protected at least as tightly as the resources the TCO user ID can reach.

Some customers decide that RACF protection on the data set that contains the TCO scripts is sufficient security for TCO. They protect the script data set and specify TCORACF=N so that the TCO script does not require a /SIGN ON statement and no TCO user ID or password is required.


IMS Master and System Console WTOR as Users

To allow the Master Terminal (MTO) or the system console (WTOR) to issue transactions:

• Define user IDs in IMS DFSDCxxx
  – MTOUSID=
  – WTORUSID=
• Define the user IDs to RACF
  – NOPASSWORD: IMS calls RACF to VERIFY the ID with PASSCHK=NO
• Add the user IDs to the appropriate access lists

IMS does not call RACF for command authorization from these sources:
• All commands are allowed from the MTO and the WTOR
• If necessary, commands can be restricted by an IMS exit

You cannot use the AUTOSIGN option for the MTO and WTOR.

The Master Terminal and the console used to reply to the IMS outstanding WTOR both have unrestricted access to IMS commands, and they are not forced to sign on. However, they can issue transactions, and if not signed on, the user ID used for transaction security is the IMS control region's user ID. The SPE for the AUTOSIGN function also addresses this issue: the DFSDCxxx PROCLIB member can specify the user IDs to be used for transaction security when transactions are entered at the MTO or via the outstanding WTOR and the user has not signed on. The DFSDCxxx parameters are MTOUSID and WTORUSID.


Passwords/Passphrases

• IMS supports mixed-case RACF passwords
• RACF password phrases can now be used with
  – IMS TMRA
  – IMS Connect
  – /SIGN command
  – VTAM logon user data
• RACF password phrases
  – More robust
    • Up to 100 bytes
    • Can contain mixed-case letters, numbers and special characters
  – Easier to remember

Users of the TM Resource Adapter, IMS Connect, the /SIGN command and VTAM can now sign/log on to IMS using RACF password phrases of a minimum of 9 bytes and a maximum of 100 bytes (RACF itself requires at least 14 characters unless the new-password-phrase exit ICHPWX11 is installed to permit 9 to 13). Password phrases are superior to 8-byte passwords: they are easier to remember and more robust. Use of a passphrase is optional; 8-byte passwords can continue to be used.

If RACF password phrases are used, the new default DFSGMSG0 MFS panel that supports passphrases can be put into use, and the DFSCSGN0 and DFSLGNX0 exits need to be updated so they can handle passphrases being passed to them.

The IMS /SIGN command has been enhanced to support passphrases. Two new forms of the command are available: /SIGN ONP and /SIGN ONQ.

/SIGN ONP is most appropriate with an MFS panel, since this form expects a 100-byte passphrase field.

/SIGN ONQ is most appropriate when a user enters sign-on credentials from a terminal: the passphrase is enclosed in single quotes and does not need to be 100 bytes.

Logon user data passed to VTAM also supports passphrases. The entire DATA( ) parameter containing the logon credentials is enclosed in single quotes, and the passphrase itself is enclosed in double quotes.

Use of mixed-case passwords is specified by the PSWDC parameter in the DFSDCxxx member of PROCLIB.

PSWDC=M | U | R

Specifies whether mixed-case passwords are supported.

M - IMS supports the use of mixed-case passwords. If you intend to support mixed-case passwords, be aware of this support wherever you manipulate passwords, such as in exit routines.

U - IMS folds all passwords to uppercase.

R - IMS uses whatever is defined for mixed-case passwords in RACF. If mixed-case passwords are active in RACF (set through the SETROPTS command), IMS uses them. If mixed-case passwords are not active in RACF, IMS uses uppercase passwords. Whenever the mixed-case password definition in RACF changes, IMS adjusts without requiring a restart. R is the default.


Passtickets

Provide an encrypted alternative to sending a password

• One-time-only password
• Passwords are not sent across the network in clear text
• Generated/interpreted by an algorithm using:
  – the user ID, the application identifier (sapplid), a timestamp, and the secured signon key for encryption
• The client environment generates the PassTicket
• IMS calls RACF to interpret/validate the PassTicket
• RACF uses the PTKTDATA profile definition
  – The profile name matches the sapplid name

The secured signon key is shared between the generating client and RACF, so anyone holding the key for an applid can mint tickets for any user of that applid; protect the PTKTDATA profiles and the client-side key store accordingly.
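The generate/interpret exchange above, as an added example that is not part of the original deck or of IBM's code: a Python model in which the client side builds a ticket from the user ID, the sapplid, a timestamp and the key found in a PTKTDATA-style table, and the RACF side recomputes the ticket for every second inside an acceptance window and refuses reuse. The keyed step is an HMAC-SHA256 stand-in for RACF's DES-based PassTicket algorithm, and the 8-hex-character ticket format is the model's, so nothing produced here is a real RACF PassTicket; the key, profile names, user IDs and timestamps are constructed, and the window length models RACF's roughly ten-minute acceptance period.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 10 * 60  # models RACF's roughly ten-minute acceptance window


def _ticket_input(user_id: str, applid: str, generated_at: int) -> bytes:
    # RACF folds the user ID, the secured-signon application ID (both padded to
    # 8 characters) and the generation time into the ticket computation.
    return (user_id.upper().ljust(8).encode("cp037")
            + applid.upper().ljust(8).encode("cp037")
            + struct.pack(">I", generated_at))


def generate_passticket(user_id: str, applid: str, key: bytes, generated_at: int) -> str:
    # Stand-in: HMAC-SHA256 truncated to 8 hex characters. RACF uses a DES-based
    # algorithm over the same inputs; only the keyed step is replaced, the
    # protocol properties (bound to user, applid and time; one-time use) are kept.
    mac = hmac.new(key, _ticket_input(user_id, applid, generated_at), hashlib.sha256).digest()
    return mac[:4].hex().upper()


class PassTicketEvaluator:
    """The interpret/validate side that IMS delegates to RACF.

    The PTKTDATA profile whose name matches the sapplid supplies the key; the
    ticket is recomputed for each second inside the window; a ticket that has
    already succeeded for the same user and applid is refused as a replay."""

    def __init__(self, ptktdata: dict[str, bytes]) -> None:
        self.ptktdata = ptktdata                        # profile name -> secured signon key
        self.used: set[tuple[str, str, str]] = set()   # (user, applid, ticket) already accepted

    def evaluate(self, user_id: str, applid: str, ticket: str, now: int) -> str:
        key = self.ptktdata.get(applid.upper())
        if key is None:
            return "NOPROFILE"   # no PTKTDATA profile for this sapplid: cannot interpret
        window = range(now - WINDOW_SECONDS, now + WINDOW_SECONDS + 1)
        if not any(generate_passticket(user_id, applid, key, t) == ticket for t in window):
            return "INVALID"     # wrong key, wrong user/applid, or generated outside the window
        mark = (user_id.upper(), applid.upper(), ticket)
        if mark in self.used:
            return "REPLAY"      # one-time only: the same ticket cannot be presented twice
        self.used.add(mark)
        return "OK"


# Constructed demonstration data: a fake key in a PTKTDATA-style profile named after the sapplid.
DEMO_KEY = bytes.fromhex("0123456789ABCDEF")
DEMO_PROFILES = {"IMSPRD": DEMO_KEY}


def demo() -> list[str]:
    t0 = 1_400_000_000
    ticket = generate_passticket("auditor1", "IMSPRD", DEMO_KEY, t0)
    racf = PassTicketEvaluator(DEMO_PROFILES)
    return [
        racf.evaluate("auditor1", "IMSPRD", ticket, t0 + 30),   # fresh ticket inside the window
        racf.evaluate("auditor1", "IMSPRD", ticket, t0 + 60),   # same ticket again: replay
        racf.evaluate("auditor2", "IMSPRD", ticket, t0 + 30),   # ticket is bound to the user ID
        racf.evaluate("auditor1", "IMSTST", ticket, t0 + 30),   # no PTKTDATA profile for this applid
        PassTicketEvaluator(DEMO_PROFILES).evaluate(            # stale: outside the window
            "auditor1", "IMSPRD", ticket, t0 + 2 * WINDOW_SECONDS),
    ]


if __name__ == "__main__":
    print(demo())
```

The evaluator checks validity before replay, so an expired ticket reports INVALID rather than REPLAY; the replay set is what makes the ticket one-time, and it has to be shared across every evaluator instance that serves the same applid, which in the real system RACF does for you.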


IMS Access from / to Remote Environments via IMS Connect

As IMS expands its strategic role in the world of web services, enterprise mobility and the cloud, a greater focus has been placed on ensuring reliability and security. This section gives an overview of how security is handled within the context of these evolving technologies.

Access from remote environments such as SOAP Gateway, Microsoft .NET and WAS uses the Open Transaction Manager Access (OTMA) "window" for access to transactions and the Open Database Access (ODBA/ODBM) "window" for access to data.


Security Points in an Integrated World

[Diagram: the security points on the path from remote clients through IMS Connect into IMS; the panel text is summarized below]

• JEE client (e.g. WAS) using the IMS TM Resource Adapter or the IMS Universal drivers: JCA security architecture; EIS sign-on (user ID/password/group) can be container-managed or component-managed; a user ID can be passed outbound
• IMS SOAP Gateway: transport-level authentication (client, server, basic for callout); credentials per web service (connection bundle) or per web message (WS-Security); HTTPS (HTTP over SSL/TLS)
• Network path to IMS Connect: SSL, AT-TLS
• IMS Connect: user ID/password authentication, PassTicket, trusted user, default user; exit routines; RACF=Y|N
• OTMA into IMS: client bid; OTMASE=; message retrieval security (user ID); Resume TPIPE security
• ODBM into IMS: access to the PSB and access to the DB
• IMS itself: the SAF/RACF secure environment; user validation for access to IMS resources (transactions, commands, PSBs, databases); callout via ICAL, and via ISRT to an alternate PCB with GU from the I/O PCB
• Other servers connecting to IMS Connect provide similar capabilities


Multiple Levels of Security

• OTMA
  – Validates whether an OTMA member (IMS Connect) can communicate with IMS
  – Implements transaction and command security
    • The user ID that flows in on a message is checked against the IMS resource
  – Supports callout to web services
• ODBM
  – Passes security information to IMS for database access
• IMS Connect
  – Supports the authentication of user IDs, groups and passwords, and passes the user token (UTOKEN) to IMS with the message
  – Additionally extends the security authentication
    • PassTicket support
    • Trusted User support
• Network: connection security and encryption
  – SSL
  – TLS
  – AT-TLS

Authorization is based on the user ID's access to the IMS resource (e.g. transaction, command, PSB, DB, etc.).

Control blocks that represent the secured user can be:

- ACEE: Accessor Environment Element, created by SAF
- User token (UTOKEN): an 80-byte value used to build an ACEE
- RACO: RACF Environment Object, a "flattened" ACEE which can be reconstituted into an ACEE

These can be created by the components, e.g. IMS Connect, where authentication takes place.


IMS Connect Security (cont)

• OTMA
  – OTMA Client Bid security
    • Determines whether an OTMA client can connect to IMS
    • Client's authorization to join the XCF group
  – OTMA Message security
    • An IMS setting determines the level of checking for each message
    • OTMASE=
    • /SECURE OTMA
• ODBM
  – Allocate PSB (APSB) security
    • IMS settings determine the checking
      – ODBASE=
      – ISIS=

Client Bid security determines whether an OTMA client, e.g. IMS Connect, MQ, etc., can connect to OTMA. When IMS Connect initializes, a "client-bid" message is sent to IMS using the user ID associated with IMS Connect. If OTMA security is enabled (OTMASE is something other than NONE), the IMS Connect user ID must have READ access to the FACILITY class profile IMSXCF.xcf-group-name.ims-connect-member-name.

OTMA Message security determines the level of checking for each message from the end user:

OTMASE=option (in the DFSPBxxx member of IMS.PROCLIB), where option can be NONE, CHECK, FULL or PROFILE.

NONE means no RACF checking, but the Transaction Authorization Exit or the Command Authorization Exit is invoked if it exists and can enforce security.

CHECK, FULL or PROFILE: OTMA builds a user ID hash table for OTMA clients (TMEMBERs) and a table to hold RACF ACEEs for verified users.

Resume TPIPE security is an authorization check by IMS when a message is retrieved from the hold queue. It checks that the user/group can access the TPIPE using RACF (the RIMS class) and/or the OTMA Resume TPIPE Security exit routine (DFSYRTUX). The DFSYRTUX exit routine runs in the IMS control region.


IMS Connect Security

• Accessing IMS transactions from a remote client
  – The remote TCP/IP client provides user ID, password and group in the message header
  – IMS Connect verifies the user ID/password
    • Configuration values for IMS Connect (HWSCFGxx)
    • RACF=Y | N and RACFID=user ID (default)
    • Issues RACROUTE calls to verify the user if RACF=Y
  – Message exits can call a user-written routine before any SAF/RACF calls:
    • IMSLSECX: security exit routine for transactions and commands
    • HWSAUTH0: security exit routine for DB requests
  – Default RACFID
    • Used if the inbound request does not carry a user ID
    • Does not provide an override for requests that carry a blank user ID from the IMS TM resource adapter (e.g. a WAS environment)

You can set a default RACF user ID for IMS Connect to use when the input message either does not contain a user ID in the header or the field is blank. When the default RACF user ID is used, IMS Connect passes it in the OMSECUID field of the input message to OTMA. When OTMA security checking is enabled, OTMA uses that RACF user ID for authorizing commands, transactions and RESUME TPIPE calls with RACF. When both a default RACF user ID is defined and the incoming message header user ID field is not blank, IMS Connect uses the user ID value in the message header.
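The precedence rules above, as an added example that is not part of the original deck or of IMS Connect's code: a Python model of the decision IMS Connect makes for one inbound message, with a RACF=Y/N switch, a RACFID default, and a user ID/group/password header in fixed-width EBCDIC. The 24-byte header layout is a constructed simplification of the real IRM prefix (only the blank-is-all-X'40' and header-beats-default rules come from the deck), the credential table stands in for RACF, and whether IMS Connect password-checks the RACFID default is not stated on this page, so the model records that case as unverified.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ConnectConfig:
    racf: bool          # HWSCFGxx RACF=Y (RACROUTE verify) or RACF=N (no authentication)
    racfid: str = ""    # HWSCFGxx RACFID= default user ID; blank when none is configured


@dataclass(frozen=True)
class Decision:
    user_id: Optional[str]   # what IMS Connect would place in OMSECUID for OTMA
    authenticated: bool      # True only when a password was actually verified
    origin: str              # where the user ID came from, for the audit trail


def ebcdic_field(raw: bytes) -> str:
    # Header fields are fixed-width EBCDIC; an unused field is all X'40' (EBCDIC blanks).
    return raw.decode("cp037").rstrip(" ")


def make_header(user: str, group: str, password: str) -> bytes:
    # Constructed 24-byte layout (user ID 8, group 8, password 8), not the real IRM prefix.
    return (user.ljust(8) + group.ljust(8) + password.ljust(8)).encode("cp037")


Verifier = Callable[[str, str, str], bool]   # stand-in for RACROUTE REQUEST=VERIFY


def resolve(cfg: ConnectConfig, header: bytes, verify: Verifier) -> Decision:
    """Decide which user ID IMS Connect forwards to OTMA and whether it was verified."""
    user = ebcdic_field(header[0:8])
    group = ebcdic_field(header[8:16])
    password = ebcdic_field(header[16:24])

    if user:
        origin = "message header"         # a non-blank header user ID always wins
    elif cfg.racfid:
        # Blank or absent header user ID: the RACFID default is forwarded. The deck does not
        # say whether IMS Connect password-checks it, so the model records it as unverified.
        return Decision(cfg.racfid, False, "RACFID default (no password in message)")
    else:
        # Nothing identifies the caller: OTMA gets a blank OMSECUID and any later
        # check falls back to the IMS control region's own user ID.
        return Decision(None, False, "no user id")

    if not cfg.racf:
        # RACF=N: IMS Connect bypasses authentication and forwards the header value as-is.
        return Decision(user, False, origin + ", unverified (RACF=N)")
    if not verify(user, password, group):
        return Decision(None, False, "rejected by RACF")
    return Decision(user, True, origin)


# Constructed credential table standing in for the RACF database.
DEMO_CREDENTIALS = {"WEBUSR1": "S3cret!"}


def demo_verify(user: str, password: str, group: str) -> bool:
    return DEMO_CREDENTIALS.get(user) == password


def demo() -> list[Decision]:
    checked = ConnectConfig(racf=True, racfid="HWSDFLT")
    unchecked = ConnectConfig(racf=False, racfid="HWSDFLT")
    no_default = ConnectConfig(racf=True)
    return [
        resolve(checked, make_header("WEBUSR1", "WEBGRP", "S3cret!"), demo_verify),  # verified
        resolve(checked, make_header("WEBUSR1", "WEBGRP", "wrong"), demo_verify),    # rejected
        resolve(checked, make_header("", "", ""), demo_verify),                      # default applies
        resolve(unchecked, make_header("OPERATOR", "", ""), demo_verify),            # RACF=N: trusted as sent
        resolve(no_default, make_header("", "", ""), demo_verify),                   # nobody
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The fourth case is the one an audit should look for: with RACF=N any client that can reach the IMS Connect port chooses its own user ID, and whatever OTMASE then authorizes is authorized for that self-declared identity.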


Securing Access to IMS Connect

• Accessing IMS transactions from a remote client
  – Basic security
    • Security requests flow in the clear
    • No encryption
  – Alternatives
    • IMS Connect security enhancements
    • PassTickets
    • Trusted User support
    • SSL
    • AT-TLS

SSL is a protocol originally developed by Netscape Communications Corp. that uses encryption to provide confidentiality and authentication between two TCP/IP applications. It provides a private channel between client and server that ensures privacy of data, authentication of partners, and message integrity.

TLS (Transport Layer Security) is the evolution of SSL. As SSL gained in popularity, the IETF formally standardized it, made a few improvements and changed the name to Transport Layer Security. The SSL protocol versions themselves are now deprecated, so whichever name the product option carries, the TLS versions should be the ones actually negotiated.

AT-TLS (Application Transparent TLS) is a z/OS-specific use of TLS. Instead of the application itself (IMS Connect) being aware of TLS, establishing the TLS connection is pushed down the stack into the TCP layer. Remote clients cannot distinguish between "normal" TLS (where the z/OS server application does the socket calls necessary for TLS) and AT-TLS (where the TCP layer handles the connection). An application on z/OS can run without even being aware that the underlying connection to the remote client is using TLS.

AT-TLS is activated by specifying the TTLS option in the TCPCONFIG statement block in the TCP/IP profile data set; the policy that says which ports and partners get TLS is supplied through the z/OS Policy Agent.


Why choose to use AT-TLS?

• Participation in AT-TLS is transparent to IMS Connect
  – IMS Connect can rely on the z/OS TCP/IP stack
    • to perform the handshake protocol
    • to perform the required authentication and encryption
• Supports multiple ports
  – SSL support in IMS Connect itself is limited to a single port per IMS Connect instance
• No additional configuration specifications in IMS Connect


Open DB Security

• The IMS TM Resource Adapter is used to access IMS transaction and command resources using OTMA
• The IMS Universal DB resource adapter (driver) provides JDBC SQL access to IMS data in a JEE environment such as WebSphere Application Server (WAS) on any platform
  – Access to IMS DBs uses IMS Connect and ODBM
    • IMS Connect provides authentication of the user ID/password sent in by the IMS Universal drivers on WAS


Open DB Security

• IMS Connect to ODBM
  – RACF=Y
    • IMS Connect authenticates the user ID/password/group
    • Passes a RACF Object (RACO) to ODBM
    • ODBM uses this information for security
  – RACF=N
    • IMS Connect bypasses authentication and does not pass a RACO
    • ODBM uses the ODBM job's user ID/group
• ODBM to IMS
  – RACO from IMS Connect
  – If there is no RACO, then the user ID/group from the ODBM job card

With RACF=N every remote database request therefore runs under the ODBM job's identity, so that identity's PSB and database access becomes the effective access of every client that can reach IMS Connect.


Open DB Security...

• ODBM and RRS=Y
  – ODBM uses the ODBA interface to IMS
    • Creates and passes an ACEE in the thread TCB
  – In IMS, ODBASE determines the security
    • ODBASE=Y invokes APSB security
      – IMS calls RACF using the AIMS or Axxxxxxx resource class
      – The ISIS parameter is not used
    • ODBASE=N invokes RAS (resource access security)
      – IMS uses the ISIS parameter to determine security using the IIMS or Ixxxxxxx resource class
      – ISIS=N: no RACF checking
      – ISIS=R: RACF call
      – ISIS=C: DFSRAS00 exit
      – ISIS=A: RACF call and DFSRAS00 exit


Open DB Security...

• ODBM and RRS=N
  – ODBM uses the CCTL interface to IMS (like CICS)
    • Passes user ID/group in the PAPL
  – In IMS, the ISIS parameter determines RAS security using the IIMS or Ixxxxxxx resource class
    • ISIS=N: no RACF checking
    • ISIS=R: RACF call
    • ISIS=C: DFSRAS00 exit
    • ISIS=A: RACF call and DFSRAS00 exit

IIMS (or Ixxxxxxx) resource class is used for
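The two decision trees above (RRS=Y and RRS=N), as an added example that is not part of the original deck or of IMS's code: a Python function that returns the interface, the RACF resource class and the checks in effect for a given RRS/ODBASE/ISIS combination, plus an enumeration of the combinations under which IMS makes no RACF call at all, which is what an auditor most wants to know. The class-name rule (A or I followed by the RCLASS value) follows the AIMS/IIMS and Axxxxxxx/Ixxxxxxx naming on the slides; the RCLASS default of IMS is an assumption stated in the code.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class DbSecurityPath:
    interface: str               # "ODBA" when RRS=Y, "CCTL" when RRS=N
    check: str                   # "APSB" or "RAS"
    resource_class: str          # RACF class IMS would consult (prefix + RCLASS value)
    racf_call: bool              # does IMS issue a RACF authorization call?
    exit_routine: Optional[str]  # user exit that can decide instead of, or as well as, RACF


def odbm_security_path(rrs: bool, odbase: str, isis: str, rclass: str = "IMS") -> DbSecurityPath:
    """Apply the ODBASE/ISIS rules from the slides.

    rclass defaults to IMS (assumption: no RCLASS= override in the IMS parameters), which
    gives the AIMS and IIMS class names; another RCLASS value gives Axxxxxxx and Ixxxxxxx."""
    odbase, isis = odbase.upper(), isis.upper()
    if odbase not in ("Y", "N") or isis not in ("N", "R", "C", "A"):
        raise ValueError("ODBASE must be Y|N and ISIS must be N|R|C|A")
    interface = "ODBA" if rrs else "CCTL"
    if rrs and odbase == "Y":
        # APSB security: RACF is called for the PSB; ISIS is not consulted at all.
        return DbSecurityPath(interface, "APSB", "A" + rclass, True, None)
    # RAS applies whenever ODBM comes through CCTL, or through ODBA with ODBASE=N.
    return DbSecurityPath(
        interface, "RAS", "I" + rclass,
        racf_call=isis in ("R", "A"),
        exit_routine="DFSRAS00" if isis in ("C", "A") else None,
    )


def unchecked_combinations(rclass: str = "IMS") -> list[tuple[str, str, str]]:
    """Every (RRS, ODBASE, ISIS) setting under which no RACF call protects PSB allocation."""
    found = []
    for rrs, odbase, isis in product((True, False), "YN", "NRCA"):
        path = odbm_security_path(rrs, odbase, isis, rclass)
        if not path.racf_call:
            found.append(("RRS=Y" if rrs else "RRS=N", "ODBASE=" + odbase, "ISIS=" + isis))
    return found


if __name__ == "__main__":
    print(odbm_security_path(True, "Y", "N"))     # APSB via AIMS, ISIS ignored
    for combo in unchecked_combinations():
        print("no RACF call:", combo)
```

Half of the unchecked combinations still run DFSRAS00 (ISIS=C), so for those the exit's source is the control to review; the other half (ISIS=N) leave PSB allocation entirely open, and note that ODBASE=Y makes no difference on the CCTL path.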


RACF Event Notification Facility (ENF) Support

• Background
  – IMS Connect V12 provided the option to cache RACF user IDs (UIDs) along with a command to refresh them
• IMS Connect V13: RACF ENF support for cached user IDs (UIDs)
  – Automatically refreshes cached UIDs by listening to RACF events (ENF signals) indicating that a change has been made to a UID
    • RACF commands: CONNECT, REMOVE and ALTUSER REVOKE
  – NOTE: this function applies only when RACF UID caching has been enabled in IMS Connect
• Benefit
  – Allows IMS Connect to listen for certain RACF events indicating that a change has been made to a specific user ID
    • Avoids manual intervention

IMS Connect V12 enabled RACF user ID caching by defining the parameter UIDCACHE=Y in the HWS statement of the HWSCFGxx configuration member, or via the type-2 command UPDATE IMSCON TYPE(CONFIG) SET(UIDCACHE(ON)); the WTOR command SETUIDC OFF; or the z/OS command UPDATE MEMBER TYPE(IMSCON) SET(UIDCACHE(OFF)). Additionally, these cached user IDs could be refreshed based on an aging value or manually by issuing a WTOR (xx,REFRESH RACFUID..), a z/OS Modify (F hws,UPDATE RACFUID NAME..OPTION(REFRESH)) or a type-2 command (UPDATE IMSCON TYPE(RACFUID)).

The RACF ENF support for cached user IDs allows notification of changes to UIDs affected by the following RACF commands: CONNECT, REMOVE and ALTUSER REVOKE. IMS Connect has been enhanced to listen for the type 71 ENF signals produced by these RACF commands and to act on the signal by refreshing the affected UID. This capability is applicable only when RACF UID caching has been enabled in IMS Connect. Until a refresh happens, a cached UID keeps the group connections and revoke status from its last verification, so without ENF support the aging value bounds how long a revoked or disconnected user can still be accepted.
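The stale-cache window described above, as an added example that is not part of the original deck or of IMS Connect's code: a Python model with a constructed RACF stand-in that raises a type 71 signal on CONNECT, REMOVE and ALTUSER REVOKE, and a user ID cache with an aging value that either ignores the signal (a cache without ENF support) or purges the affected entry (the V13 behaviour). Running the same revoke scenario both ways shows the window in which a revoked user ID is still accepted. User IDs, group names, the aging value and what the cache stores per entry are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable

ENF_TYPE_71 = 71   # RACF raises type 71 ENF signals for CONNECT, REMOVE and ALTUSER REVOKE


@dataclass(frozen=True)
class Verification:
    groups: frozenset          # group connections as of the last RACROUTE VERIFY
    revoked: bool              # revoke status as of the last RACROUTE VERIFY
    verified_at: int           # seconds, for the aging check


class RacfStandIn:
    """Constructed stand-in for the RACF database plus the ENF signal path."""

    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}
        self.revoked: set[str] = set()
        self.listeners: list[Callable[[int, str], None]] = []

    def _signal(self, user: str) -> None:
        for listener in self.listeners:
            listener(ENF_TYPE_71, user)

    def adduser(self, user: str, default_group: str) -> None:
        self.groups[user] = {default_group}

    def connect(self, user: str, group: str) -> None:       # CONNECT user GROUP(group)
        self.groups[user].add(group)
        self._signal(user)

    def remove(self, user: str, group: str) -> None:        # REMOVE user GROUP(group)
        self.groups[user].discard(group)
        self._signal(user)

    def altuser_revoke(self, user: str) -> None:            # ALTUSER user REVOKE
        self.revoked.add(user)
        self._signal(user)

    def verify(self, user: str, now: int) -> Verification:  # RACROUTE REQUEST=VERIFY
        return Verification(frozenset(self.groups[user]), user in self.revoked, now)


class UidCache:
    """Model of IMS Connect user ID caching (UIDCACHE=Y) with an aging value.

    enf=True models the V13 listener that purges the entry named by a type 71
    signal; enf=False models a cache that only re-verifies when the entry ages out."""

    def __init__(self, racf: RacfStandIn, aging: int, enf: bool) -> None:
        self.racf, self.aging = racf, aging
        self.entries: dict[str, Verification] = {}
        if enf:
            racf.listeners.append(self.on_enf)

    def on_enf(self, event_type: int, user: str) -> None:
        if event_type == ENF_TYPE_71:
            self.entries.pop(user, None)       # force a fresh RACF verification next time

    def lookup(self, user: str, now: int) -> Verification:
        entry = self.entries.get(user)
        if entry is None or now - entry.verified_at >= self.aging:
            entry = self.racf.verify(user, now)
            self.entries[user] = entry
        return entry


def revoke_scenario(enf: bool, aging: int = 300) -> list[bool]:
    """The 'revoked' status IMS Connect would see at t=20 and t=400 after a
    revoke at t=10 that follows a successful verification at t=0."""
    racf = RacfStandIn()
    racf.adduser("WEBUSR1", "WEBGRP")
    cache = UidCache(racf, aging, enf)
    cache.lookup("WEBUSR1", 0)                 # first message: verified and cached
    racf.altuser_revoke("WEBUSR1")             # security admin revokes the user at t=10
    return [cache.lookup("WEBUSR1", 20).revoked,   # inside the aging window
            cache.lookup("WEBUSR1", 400).revoked]  # after the entry aged out


if __name__ == "__main__":
    print("without ENF:", revoke_scenario(enf=False))
    print("with ENF:   ", revoke_scenario(enf=True))
```

Without the listener the revoked user is still accepted at t=20 and only rejected once the entry ages out; with it the purge lands before the next message. The same purge covers CONNECT and REMOVE, which matter when group-based PERMITs are what grant the access.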


How can you tell if you locked up?


Determining the Security in Effect

The security in effect for a given input message is determined by ...

• IMS system definition (IMSGEN)
• IMS JCL overrides
• IMS PROCLIB overrides
  – DFSPBxxx
  – DFSDCxxx
  – CSLOIxxx
  – DFSCGxxx
• IMS commands and restart options
  – Example: /SECURE APPC FULL
• Source of the input message
• RACF definitions
• Exits
• Program Specification Block (PSB)
• Database Definition Block (DBD), including encryption
• IMS Connect parameters

IMS 13 removed the SECURITY macro from the IMSGEN because all SECURITY macro parameters can now be specified in PROCLIB. There are other security-related macros in the IMSGEN. Because later layers override earlier ones, the value in a PROCLIB member or JCL override, not the IMSGEN, is what an audit has to read, and a restart option or /SECURE command can change it again without touching either.
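A way to read those layers mechanically, as an added example that is not part of the original deck or of any IBM tool: a Python checker that pulls KEYWORD=VALUE pairs out of PROCLIB-style member text and reports the settings this deck calls out as weak (OTMASE=NONE or unspecified, IMS Connect RACF=N, a missing RACFID default, SIGNON not ALL, PSWDC=U, TCORACF=N, missing MTOUSID/WTORUSID, and UIDCACHE=Y without a confirmed refresh path). The parser's treatment of '*' comment lines, parenthesised values and duplicate keywords is an assumption, the member texts are constructed samples, and it reads static members only, so a value changed later by JCL, a restart option or /SECURE is not seen.

```python
import re
from dataclasses import dataclass

PARAM = re.compile(r"\b([A-Z][A-Z0-9]*)=([A-Z0-9#@$]+)")


@dataclass(frozen=True)
class Finding:
    member: str
    severity: str   # HIGH, MEDIUM or INFO
    text: str


def parse_member(text: str) -> dict[str, str]:
    """Collect KEYWORD=VALUE pairs from DFSPBxxx/DFSDCxxx/HWSCFGxx-style text.

    Assumptions: a line whose first non-blank character is '*' is a comment, values
    are single tokens (parenthesised lists such as PORTID=(9999) are skipped), and
    the last occurrence of a keyword wins."""
    params: dict[str, str] = {}
    for line in text.upper().splitlines():
        if line.lstrip().startswith("*"):
            continue
        for key, value in PARAM.findall(line):
            params[key] = value
    return params


def audit_member(name: str, text: str) -> list[Finding]:
    p = parse_member(text)
    findings: list[Finding] = []

    def add(severity: str, msg: str) -> None:
        findings.append(Finding(name, severity, msg))

    if name.startswith("DFSPB"):
        otmase = p.get("OTMASE")
        if otmase is None:
            add("INFO", "OTMASE not specified; check the level in effect with /DISPLAY OTMA")
        elif otmase == "NONE":
            add("HIGH", "OTMASE=NONE: no RACF check on OTMA messages; only the "
                        "transaction/command authorization exits can enforce security")
    elif name.startswith("DFSDC"):
        if p.get("SIGNON") != "ALL":
            add("HIGH", "SIGNON is not ALL: static terminals need not sign on, so their "
                        "transactions run under the IMS control region user ID")
        if p.get("PSWDC") == "U":
            add("MEDIUM", "PSWDC=U folds passwords to uppercase, defeating mixed-case RACF passwords")
        for key in ("MTOUSID", "WTORUSID"):
            if key not in p:
                add("MEDIUM", f"{key} not set: transactions entered there without a sign-on "
                              "are authorized under the control region user ID")
        if p.get("TCORACF") == "N":
            add("MEDIUM", "TCORACF=N: TCO scripts run without /SIGN ON; the script data "
                          "set's RACF profile is the only control")
    elif name.startswith("HWSCFG"):
        if p.get("RACF") != "Y":
            add("HIGH", "RACF=N: IMS Connect forwards header user IDs to OTMA without "
                        "verifying the password")
        if "RACFID" not in p:
            add("INFO", "no RACFID default: messages with a blank user ID carry no identity")
        if p.get("UIDCACHE") == "Y":
            add("INFO", "UIDCACHE=Y: confirm ENF support or an aging/refresh procedure, or "
                        "revoked user IDs stay valid in the cache until refreshed")
    return findings


# Constructed sample members (not taken from any real system).
SAMPLE_MEMBERS = {
    "DFSPB001": "* constructed DFSPBxxx\nOTMASE=NONE,\nRCLASS=IMS,\nODBASE=N\n",
    "DFSDC001": "SIGNON=SPECIFIC,\nPSWDC=U,\nMTOUSID=IMSMTO,\nTCORACF=N\n",
    "HWSCFG01": "HWS (ID=HWS1,RACF=N,UIDCACHE=Y)\n"
                "TCPIP (HOSTNAME=TCPIP,PORTID=(9999),RACFID=HWSDFLT)\n",
}


def audit_all(members: dict[str, str] = SAMPLE_MEMBERS) -> list[Finding]:
    return [f for name, text in members.items() for f in audit_member(name, text)]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.severity:6} {f.member}: {f.text}")
```

Run it against the members that the IMS and IMS Connect JCL actually point at (the PROCLIB concatenation and the suffixes in the EXEC parameters), not the copies in a source library; the whole point of the slide is that the effective value may come from a different layer.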


Other Things to Consider

• Who needs database data set access?
  – Rule of thumb: "Whoever has the DD card must have the authority."
• The user ID that needs authorization is based on the data set type
  – VSAM
    • Online environment: DLISAS or the IMS control region
    • Batch: the user ID that submitted the job
  – OSAM
    • Online: DLISAS
    • Batch: the user ID that submitted the job
  – Fast Path DEDB
    • Online: IMS control region
    • Batch: not applicable

The access requirements for the different data set types:

VSAM
• In an online environment, if a user ID is used for the DLISAS started procedure, it requires authorization. If a user ID is not used for DLISAS, the control region's user ID is used.
• In a batch environment, the user ID submitting the job requires authorization.

OSAM
• In an online environment, the DLISAS started task user ID requires access.
• In a batch environment, the user ID submitting the job requires access.

Fast Path DEDBs
• In an online environment, the control region's started task user ID requires access.
• DEDBs are not applicable in batch environments.


Other Things to Consider (cont)

• How much authority does IMS itself really need?
  – IMS, DL/I and DBRC need access to their data sets
    • JCL defined
    • Dynamically allocated
  – IMS does not normally need access to transactions or commands
    • If no user ID is available for a request, the authorization check is made under the IMS control region's user ID, so any transaction or command that user ID can reach is reachable by an unidentified requester
  – IMS does not need to be defined as privileged or trusted


Other Things to Consider (cont)

• Protect copies of databases
  – Image copy data sets
• Be aware of tape exposures
  – Bypass Label (BLP) option
    • Can override the data set name to a name without security
  – Access as a foreign tape
  – Moving a tape outside the production library
  – ALTER access to tape content
  – Shared tape pool
  – RACF profiles belong to tape management

Even with RACF data set protection, a user can bypass data set name verification (for example with the BLP label option, or with an expiration date such as EXPDT=98000 that some tape management systems treat as marking a foreign tape). Permission to use this option needs to be granted carefully. The RACF profiles that protect this belong to the RMM/tape management system.

Some users might have ALTER access to tape content and could alter or destroy the data on the tape, putting recovery at risk.

Once a tape is moved outside the production tape library, there is no guarantee of protection. A user with development system access and foreign tape permissions could then read a production tape. Production tapes should remain in the production tape pool.

The Bypass Label option for jobs reading tapes is protected by the FACILITY class profile ICHBLP, assuming the TAPEVOL resource class is active. BLP allows the tape to be read while overriding the data set name, possibly with a name the user does have RACF access to.

Databases

IMS database data is readable by IMS batch jobs run outside of the online system (DL/I batch) and by standard system utilities such as IDCAMS. Data set access controls on database data sets are critical.

Image copies are copies of database data for recovery purposes. They contain the same data as the databases, so their data sets need the same protection. DFSMSdss (DFDSS) makes internal RACF checks against the STGADMIN.ADR profiles in the FACILITY class.


Other Things to Consider (cont)

• The OM audit log should be enabled
• Users should be required to sign on
• Secure log data
  – Sensitive data can be removed from logs if necessary
    • DFSFLGE0 exit or various IMS tools

ETO terminals are always required to sign on (it is not an option).

Static SNA terminals (including TCO) can be required to sign on by specifying SIGNON=ALL in the DFSDCxxx member of PROCLIB.

If a user does not sign on, the IMS control region user ID is used for authorization. Forcing all terminals to sign on, and not allowing the IMS control region user ID access to transactions and commands, protects against unauthorized static terminal users. The AUTOSIGN option can take care of static terminals that cannot or will not sign on.

Consider activating the audit log for Operations Manager to log command processing.

IMS log data can be accessed for statistical purposes, required by vendors for diagnostic purposes, used to build test scripts, etc.

Log data can be encrypted and/or scrubbed with the Log Edit exit (DFSFLGE0) when transmitting logs to vendors.


Summary

IMS resources

Security facilities

Locking up

Some things to consider


Write to us!

If you have any IMS questions:

Maida Snapper

[email protected]

To ask about IMS security services, please contact

Jeff Hook [email protected]