Ten Things You Should Not Forget in Mainframe Security
TRANSCRIPT
Pete Garza
Senior Information Security Architect, Zions Bank
Mainframe
MFX47S
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Terms of this Presentation
© 2015 All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
For Informational Purposes Only
Abstract
Given the current state of security and breaches in the news every day, you won’t want to miss this session. We will cover the top 10 areas that you should be reviewing as a security practitioner that most organizations overlook. With the knowledge taken from this session, you will be able to better educate your staff and auditors about how to take security to the next level for your business and protect z/OS®.
Pete Garza - Sr. Information Security Architect
Agenda
1. Are you secure? Where do you start?
2. Enterprise Security Manager (ESM)
3. Static IDs / PassTickets / z/OSMF / CICS
4. Should I be concerned when an external MF security audit is done?
5. Configuration best practices
6. DRP things to worry about
How Secure is Your Mainframe? VM: a secure platform for virtual environments and workloads
Security is built into every level of the System z structure:
– Processor – Hypervisor – Operating system – Communications – Storage – Applications
Security features designed specifically to help users:
– Comply with security-related regulatory requirements
– Identity and access management
– Hardware and software encryption
– Communication security capabilities
– Extensive logging and reporting of security events
– Security certifications based on Common Criteria and FIPS 140
How Secure is Your Mainframe? Mainframes are extremely secure, but there is still a variety of attack vectors that can result in a breach.
There can be too much trust in mainframe security
– Historically, risk may seem low, but the recent increase in mainframe connectivity means mainframes need the same attention to security as any other device on the network
– However, between the above trust and the scarcity of qualified mainframe security resources, there is typically an underinvestment in mainframe security
There needs to be a common, enterprise-wide approach to security
– Security groups and z/OS teams need to work together in pursuing this common approach
How Secure is Your MF? Most reported attacks point to exploits of misconfigurations, and a large percentage are initiated by insiders
– The security policy may be sound, but the implementation does not match the policy
– Distributed decision-making, with each group following its own policy, can result in contradictory access policies (e.g. open access to resources)
– Inadequate policy (e.g. legacy practices and standards on the mainframe)
– Misconfiguration can be predictable
– Unix System Services often is not secured
Where do I start?

Take a Look at Process Definition
Benefits of Documenting Processes
– Teachability
– Repeatability
– Measurability
– Manageability
– Fire-prevention versus fire-fighting
– Ending dependency on superstars
– Achieving CMM Level 3
– High rate of return
Definition of Guidelines
Guidelines - Managerial parameters concerning either processes (intended objectives) or products (desired attributes).
Definition of a Process
Process - The work effort that produces a product. This includes:
• Efforts of people
• Equipment guided by guidelines
• Standards
• Procedures
Process Life Cycle: Define the Process
Process Acceptance Checklist (Yes or No)
– Does the process satisfy its stated requirements/goals?
– Are the entry points of the process understandable and reasonable?
– Are the deliverables of the process clearly stated?
– Does the process point to or include a description of each deliverable’s purpose, form and content?
– Is the flow complete, logical and consistent with the task descriptions?
– Are the task descriptions complete, logical, and consistent with the flow for the process?
– Does the process clearly indicate potential exceptions, and does it provide guidance for how to handle them?
– Do the recommendations clearly indicate the methods of performing each task?
– Is the RACI expressed in the process consistent with the process flow and task descriptions?
– Are the exit criteria for the process properly defined and understandable?
Next Steps
– List your security processes and identify missing processes
– Set up meetings to discuss current and missing processes; by setting up meetings you should be able to identify gaps
– Define process owners and scope
– Prioritize
– Create a security central repository
MF Security Project Process Flow: example of how MF security should be involved in supporting projects
Where do I start? At the beginning…
CA ACF2 (or CA Top Secret or IBM RACF)
– CA ACF2 daily reports
– CA ACF2 Cleanup weekly report
– Weekly SHOW command reports
– Follow-ups
Nightly security
– Nightly problems: production control/scheduling
– Nightly problems: test/development
Enterprise Security Manager (ESM)
CA ACF2 Reporting - Know what they are saying
Daily reports:
– System entry – ACFRPTPW
– Restricted ID – ACFRPTJL
– Dataset rules – ACFRPTDS
– Resource rules – ACFRPTRV
– Logonid modification – ACFRPTLL
– Rule change log – ACFRPTRL
– Resource change log – ACFRPTEL
Enterprise Security Manager (ESM)
CA ACF2 Reporting
Daily reports process – audit the daily report process:
– Document the process
– Demonstrate the process
– Log the process (auditors review this most often)
User cleanup upon termination process
Justification for rule and resource modification
– DATA field in rules points to the ticket
Enterprise Security Manager (ESM)
Why do we do this? A Journey in Information Security
– Many of today’s system hacks are internal
– Denial of service starts at system entry
CA ACF2 Control Databases
Three VSAM key-sequenced datasets:
– Logonid – 1024 bytes
– Access rules – 4K records
– InfoStorage – 4K records
SMF recording – record number 230
Backup controls
Recovery ability
System Entry
(Diagram: LPAR, Application, CICS Region; validation points "Validation 1" and "Validation ?")
Behind the Scenes
(Diagram: z/OS operating system with CA-ACF2 intercepts; Logonid and InfoStorage databases; UADS)
Where is System Entry Processing Done?
– TSO
– Batch – one ID versus many
– Started tasks (STC) – know what they do
– CICS – how many regions; MRO
– FTP
System Entry Validation Process
Supplied by user: Logonid, Password, Source, Date and time
(Diagram elements: Access Privileges, Logonid DB, z/OS Security Controls)
Controlled Sharing of Resources
CA-ACF2 Access Rules:
Option ===> TSO ACF--------------------ACFSET NORULES
The Auditors are coming – Should I be concerned?
Should I Be Concerned When an MF Audit is Done?
Be prepared. Common requests:
– Security policy
– Security standards
– Display of current options selected (Show ACF2)
– ACFFDR
– Change control policy
– APF list
– Various CA ACF2 reports
Should I Be Concerned? You should constantly audit your mainframe z/OS system
– CA Auditor will lessen the concern
– CA Auditor is a good tool with more than just auditing
– Create procedures to audit your physical IT environment
– External review every two years
– Helps maintain z/OS integrity through timely identification of z/OS customization and modifications
– Helps verify internal compliance with change control procedures
– Helps users learn z/OS
CA Auditor Design Philosophy
Functionality was a critical issue in designing
Addresses the needs of a wide range of data processing personnel with varied technical backgrounds
Provides uncompromised accuracy of information
Sets new levels of ease of use
Is virtually self-installing and easy to maintain
Does not impact system performance
CA Auditor Audience
Auditors
Programming managers
Data security managers
Quality assurance personnel
Data center managers
Technical support and systems personnel
CA Auditor Management Information Menu
-------------- CA-Examine Auditing - MANAGEMENT INFORMATION -----------
OPTION ===>
1 OVERVIEW - Display z/OS or OS/390 version, level, IPL date, etc.
2 HARDWARE - See and scan hardware configuration
3 ERRORS - Show hardware error rate for disk and tape
4 CONSOLE - Display information about operator consoles
5 SMF - Analyze and search the System Management Facility
z/OS and OS/390 System Installation Choices Menu: screens that you can use to examine z/OS and OS/390 installation options
-- CA-Examine Auditing - z/OS and OS/390 SYSTEM INSTALLATION CHOICES ---
OPTION ===>
1 PARMLIB - Analyze z/OS and OS/390 parameter library
2 APF - Analyze Authorized Program Facility
3 SMP - Analyze z/OS and OS/390 libraries using SMP/E
4 KEY - Show key z/OS and OS/390 libraries
5 TSO - Analyze TSO user attribute file (UADS)
6 CATALOGS - List z/OS and OS/390 system catalogs
z/OS and OS/390 Technical Information Menu
------ CA-Examine Auditing - z/OS AND OS/390 TECHNICAL INFORMATION -----
OPTION ===>
1 SUBSYSTEMS - Display information about z/OS and OS/390 subsystems
2 APPENDAGES - User Input/output appendage display and status review
3 EXITS - z/OS and OS/390 system exit display and status review
4 LPA - Link Pack Area display and library search
5 FLPA/MLPA - Detailed FLPA, MLPA, and selected PLPA Analysis
6 PPT - Program Properties Table analysis and library search
7 SVC - Supervisor call analysis display
Configuration Best Practices
ACF Field Definition Record (ACFFDR)
– Supervisor Call (SVC) numbers
– Definition of VSAM files (ACF2 DBs)
– SMF recording number
– Product and site-defined fields (CFDE macros)
– Logonid DSECT
Configuration Best Practices: ACFFDR Database Specification
A configured ACFFDR module should have multiple instances of the @DDSN macro, with each instance defining a different group of security files.
Specifying two @DDSN groups:
– One named PRIMARY
– A second named ALT
SWITCH command – aids in applying maintenance to your primary group:
– F ACF2,SWITCH
– OPTS GSO record: SWTCHKEY(key), an eight-byte upper-case character field
Configuration Best Practices: Logical CA ACF2 Database Sharing with CPF
Command Propagation Facility (CPF) and password synchronization
– Mirror CA ACF2 commands
Business value:
– CPF and password synchronization simplifies administrative processing by keeping security record contents synchronized across multiple systems.
Additional considerations:
– Use the CPF password synchronization feature to share updates to passwords and password suspensions among two or more distributed CA ACF2 systems.
Configuration Best Practices: CA Cleanup for ACF2
Security System Interface – loaded and activated via the CA Cleanup main task.
The interface:
– Represents a small extension to the normal security check process and executes as each security check completes
– Is passive and performs monitoring only
– Contains abend protection that immediately ends CA Cleanup monitoring in the event of any problem
– Produces no measurable overhead
– Is loaded in common memory so all users can execute it
Configuration Best Practices: CA Cleanup for ACF2
Report and Command Generator Authority
A batch utility program:
– Produces reports showing unreferenced (or referenced) security file entries
– Creates the command files to perform security file cleanup
– Optionally creates a file of cleanup commands
– Optionally creates a file to back out the changes if executed
– Produces a report summary for an UNREF report
DRP’s
DRP’s
– Check for CA ACF2 error messages when the system is coming up
– Verify access to the CA ACF2 system in the DR environment
– Compare CA ACF2 active status with the active status of the DR CA ACF2 system: Mode(ABORT)
– List the release level of the DR CA ACF2 system and ensure that it is equal to the current production CA ACF2 release
– Ensure that the security configuration parameters for all LPARs are equal: create a list on each LPAR to ensure that the configuration settings are correct
– Test options by comparing them to the previous day/month setting
– Ensure availability of CA ACF2 reporting
– Ensure that you can create / delete / modify CA ACF2 records
DRP’s: Check for CA ACF2 error messages when the system is coming up (ACF79 main task message)
ACF79001 ACFFDR COULD NOT BE FOUND - ACF2 TERMINATING
Reason: The CA ACF2 Field Definition Record (ACFFDR) is required for CA ACF2 processing. You must define the ACFFDR field definition module in a linklist data set. An error occurred in the CA ACF2 installation process.
Action: Notify your CA ACF2 maintenance personnel of this error.
DRP’s: Check for CA ACF2 error messages when the system is coming up (ACF79 main task message)
ACF79002 ACFINT COULD NOT BE FOUND - ACF2 TERMINATING
Reason: The CA ACF2 initialization routine cannot find the CA ACF2 rule interpreter. The CA ACF2 rule interpreter is required for CA ACF2 processing. An error occurred in the CA ACF2 installation process.
Action: Notify your CA ACF2 maintenance personnel of this error.
DRP’s: Check for CA ACF2 error messages when the system is coming up (ACF79 main task message)
ACF79018 UNABLE TO LOCATE ACF2 CVT POINTER IN SSVT
Reason: The CA ACF2 initialization task cannot locate the anchor word for the CA ACF2 CVT. An error occurred while installing the CA ACF2 CVT locator routine ACF$GCVT (CSECT $ACFGCVT).
Action: Contact CA ACF2 Technical Support.
DRP’s
Verify access to the CA ACF2 system in the DR environment
– Just try and log on
Not running in the same mode as production will bring the system up, but puts your company at risk
– Compare CA ACF2 active status with the active status of the DR CA ACF2 system: Mode(ABORT)
– SHOW ALL or SHOW ACF
Proper DR testing will:
– Include things like loss of a database
– Recover a CICS region
Review use of Static ID’s
Static IDs: The Concerns
All mainframe address spaces require logonids:
– Users – user password managed by the user
– Applications – static ID and static password
– Production jobs – static ID and no password
Accountability for workloads on the MF is lost when they are not associated with an end user; this makes resolving problems difficult
The user has already been authenticated on the system making the request – duplicated authentication
Create the ID as part of network access (automate)
– Make all requests with a single ID
Pass the ID and use PassTickets
– PassTickets with application ID with passwords
Static ID Flow
(Diagram: user logon with a user logonid or an application ID; Java generates a PassTicket; the application ID and PassTicket are passed to CICS web services)
How to Review a New Static ID Request
Passtickets, XREF, Resource Rules
Passtickets
Passtickets: Building Records – PTKTDATA
Building records: you can build via batch (ACFBATCH) or in TSO using the ACF2 command
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT cicswebservice.appid sskey(1234567812345678) mult-use
INSERT cicswebservice.appid.userlid sskey(8765432187654321) mult-use
F ACF2,REBUILD(PTK),CLASS(P)
Passtickets: Building Records – Resource Group
Building records: you can build via batch (ACFBATCH) or in TSO using the ACF2 command
SET XREF(RGP) SYSID(****)
INSERT APPIDRGP INCLUDE(CCCC CCCC CCCC CCCC) RESOURCE TYPE(CKC)
F ACF2,NEWXREF,TYPE(RGP)
Passtickets: Building Records – Resource Rule
Building records: you can build via batch (ACFBATCH) or in TSO using the ACF2 command
SET RESOURCE(CKC)
COMPILE *
$KEY(APPIDRGP) TYPE(CKC) ROLESETUSER(APPID) ALLOW
STORE
z/OSMF: How do I put in the security?
Convert into CA ACF2 Commands
/* Create the z/OSMF Administrators group */
Call RacfCmd "ADDGROUP IZUADMIN OMVS(GID(9003))"
/* Create the z/OSMF Users group */
Call RacfCmd "ADDGROUP IZUUSER OMVS(GID(9004))"
/* Create the z/OSMF Administrator UserID */
/* The home directory is created in the -prime step. If automount managed, pre-create it before the -prime step */
Call RacfCmd "ADDUSER ZOSMFAD DFLTGRP(IZUADMIN) OMVS(UID(9001) HOME(/u/zosmfad) PROGRAM(/bin/sh)) NOPASSWORD NOOIDCARD "
Call RacfCmd "ALU ZOSMFAD TSO(PROC(IKJTDA) ACCTNUM(TSO) SIZE(2096128)) OMVS(ASSIZEMAX(2147483647) MEMLIMIT(2G))"
/* Assign a password to the Administrator UserID before using it */
/* This is an example only - it is not recommended to insert passwords in this file */
/* Call RacfCmd "ALU ZOSMFAD PASSWORD(InsertAValidPassword) NOEXPIRED" */
/* Connect the z/OSMF Administrator UserID to the WebSphere Application Server Administrators Group */
Call RacfCmd "CONNECT ZOSMFAD GROUP(WSCFG1)"
What is the ACF2 setup for z/OSMF?
Products: CA ACF2 for z/OS & CA ACF2 Option for DB2
Releases: CA ACF2 for z/OS Release 15+
Components: CA ACF2 for z/OS
Description: There is an IBM-supplied REXX EXEC, izudflt.cfg.rexx, that generates RACF commands for z/OSMF configuration. This is the ACF2 conversion of that REXX EXEC.
Solution: This is the z/OSMF IZUCONFIG.CFG.REXX conversion to ACF2 commands.
Document ID: TEC614236
Step 1: Create the z/OSMF Administrator default group IZUADMIN and z/OSMF User group IZUUSER
ACF
SET PROFILE(GROUP) DIV(OMVS)
INSERT IZUADMIN GID(9003)
INSERT IZUUSER GID(9004)
F ACF2,REBUILD(GRP),CLASS(P)
Step 2. Create the z/OSMF Administrator UserID ZOSMFAD:
SET LID
INSERT ZOSMFAD NAME(Z/OSMF ADMINISTRATOR) MAXDAYS(0) LIDZMAX GROUP(IZUADMIN) UID(9001) HOME(/u/zosmfad) PROGRAM(/bin/sh) PASSWORD(xxxxxxxx)
Step 3. Connect the z/OSMF Administrator UserID and z/OSMF Users to Core:
SET RESOURCE(APL)
RECKEY BBNBASE ADD(- UID(uid string for ZOSMFAD) SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(- UID(uid string for IZUUSERs) SERVICE(READ) ALLOW)
F ACF2,REBUILD(APL)
Step 5. SyncToOSThread permits:
SET RESOURCE(FAC)
RECKEY BBO ADD(SYNC.BBNBASE.BBNC001 UID(uid string for WSCRU1) ALLOW)
F ACF2,REBUILD(FAC)
Step 5.1 Define resource class ZMFAPLA:
SET C(GSO) SYSID(appropriate sysid)
INSERT CLASMAP.ZMFAPLA RESOURCE(ZMFAPLA) RSRCTYPE(ZMF)
F ACF2,REFRESH(CLASMAP)
Step 5.2 Add resource type ZMF to INFODIR:
CHA INFODIR TYPES(R-RZMF) ADD
F ACF2,REFRESH(INFODIR)
Step 5.3 Set up Core rules:
SET RESOURCE(ZMF)
RECKEY BBNBASE ADD(ZOSMF.- UID(uid string for ZOSMFAD) SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.- UID(uid string for IZUUSERs) SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.ADMINTASKS.- UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.SETTINGS.-.MODIFY UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA. UID(uid string for ZOSMFAD) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA. UID(uid string for IZUUSERs) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE-.PRODUCT_INFO_FILE. UID(uid string for IZUUSERs))
F ACF2,REBUILD(ZMF)
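The RACF-to-ACF2 conversion of the z/OSMF groups and administrator ID is done by hand on the slides above. As an added example (not CA's or IBM's code), the following Python script mechanises the ADDGROUP/ADDUSER part of that mapping for the RacfCmd lines shown earlier and leaves the verbs the slides do not map (ALU, CONNECT) for manual conversion. The sample input is constructed from the slide's RacfCmd calls and the function names are my own.

```python
"""Convert the RACF 'Call RacfCmd' lines of an izudflt.cfg.rexx-style script
into the CA ACF2 commands the slides show for the z/OSMF groups and user.
Added example, not CA's or IBM's code; SAMPLE_REXX is a constructed input."""
import re
from typing import Dict, List, Tuple

SAMPLE_REXX = """
Call RacfCmd "ADDGROUP IZUADMIN OMVS(GID(9003))"
Call RacfCmd "ADDGROUP IZUUSER OMVS(GID(9004))"
Call RacfCmd "ADDUSER ZOSMFAD DFLTGRP(IZUADMIN) OMVS(UID(9001) HOME(/u/zosmfad) PROGRAM(/bin/sh)) NOPASSWORD NOOIDCARD "
/* Call RacfCmd "ALU ZOSMFAD PASSWORD(InsertAValidPassword) NOEXPIRED" */
Call RacfCmd "CONNECT ZOSMFAD GROUP(WSCFG1)"
"""

def extract_racf_commands(rexx: str) -> List[str]:
    """Quoted RACF command of every live RacfCmd call. REXX comments are removed
    first, so the slide's commented-out PASSWORD call is never converted."""
    live = re.sub(r"/\*.*?\*/", "", rexx, flags=re.S)
    return [m.group(1).strip()
            for m in re.finditer(r'Call\s+RacfCmd\s+"([^"]*)"', live, flags=re.I)]

def parse_operands(text: str) -> Dict[str, str]:
    """RACF KEYWORD(value) operands -> dict. Nested parentheses stay inside the
    value (OMVS(UID(1) HOME(/u)) -> {'OMVS': 'UID(1) HOME(/u)'}); bare keywords -> ''."""
    out: Dict[str, str] = {}
    i, n = 0, len(text)
    while True:
        m = re.match(r"\s*([A-Z0-9@#$]+)", text[i:])
        if not m:
            return out
        key, i = m.group(1), i + m.end()
        if i < n and text[i] == "(":
            depth, start = 0, i
            while i < n:
                depth += (text[i] == "(") - (text[i] == ")")
                i += 1
                if depth == 0:
                    break
            if depth:
                raise ValueError(f"unbalanced parentheses in {text!r}")
            out[key] = text[start + 1:i - 1]
        else:
            out[key] = ""

def convert_command(cmd: str) -> List[str]:
    """One RACF command -> [SET line, INSERT line] as on the slides. Unmapped verbs
    (ALU, CONNECT, ...) give []; NAME/MAXDAYS/LIDZMAX/PASSWORD are left to the admin."""
    verb, _, rest = cmd.partition(" ")
    name, _, operand_text = rest.strip().partition(" ")
    ops = parse_operands(operand_text)
    omvs = parse_operands(ops.get("OMVS", ""))
    if verb == "ADDGROUP" and "GID" in omvs:
        return ["SET PROFILE(GROUP) DIV(OMVS)", f"INSERT {name} GID({omvs['GID']})"]
    if verb == "ADDUSER":
        parts = [f"INSERT {name}"]
        if "DFLTGRP" in ops:
            parts.append(f"GROUP({ops['DFLTGRP']})")
        parts += [f"{k}({omvs[k]})" for k in ("UID", "HOME", "PROGRAM") if k in omvs]
        return ["SET LID", " ".join(parts)]
    return []

def convert_script(rexx: str) -> Tuple[List[str], List[str]]:
    """Whole script -> (ACF2 lines, unconverted RACF commands). Group profiles come
    first, closed by the slide's REBUILD(GRP), so the user's GROUP() already exists."""
    group_inserts, lid_inserts, skipped = [], [], []
    for cmd in extract_racf_commands(rexx):
        lines = convert_command(cmd)
        if not lines:
            skipped.append(cmd)
        elif lines[0] == "SET LID":
            lid_inserts.append(lines[1])
        else:
            group_inserts.append(lines[1])
    acf2 = []
    if group_inserts:
        acf2 += ["SET PROFILE(GROUP) DIV(OMVS)", *group_inserts, "F ACF2,REBUILD(GRP),CLASS(P)"]
    if lid_inserts:
        acf2 += ["SET LID", *lid_inserts]
    return acf2, skipped
```

The generated INSERT for the user deliberately omits PASSWORD; assign it interactively, as the slide's own comment advises.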
CICS Security
CICS Security: CICS Initialization
FHPA1101 MYREGION DFHSIT42 IS BEING LOADED.
ACFAE040 Phase 0 Initialization Started
ACFAE300 Setting DFHSIT value SEC=YES
ACFAE000 ACF2 PARAMETERIZATION IN PROGRESS
ACFAE309 Setting DFHSIT value XFCT=YES
ACFAE303 Setting DFHSIT value XPCT=YES
ACFAE304 Setting DFHSIT value XTRAN=YES
ACFAE301 Setting DFHSIT value RESSEC=ALWAYS
ACFAE301 Setting DFHSIT value RESSEC=ALWAYS
ACFAE302 Setting DFHSIT value CMDSEC=ALWAYS
ACFAE311 Setting DFHSIT value DFLTUSER=CICSDFT
ACFAE350 Setting DFHSIT value XAPPC=NO
ACFAE351 Setting DFHSIT value XUSER=YES
ACFAE320 Setting DFHSIT value XEJB=YES
ACFAE321 Setting DFHSIT value EJBROLEPRFX=
ACFAE322 Setting DFHSIT value SNSCOPE=NONE
ACFAE353 Setting DFHSIT value XHFS=YES
ACFAE041 Phase 0 Initialization Ended
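The Phase 0 messages above are what an operator sees once per region start. As an added example (not CA's code), this Python check parses those ACFAE3xx lines and compares the DFHSIT values against an assumed site baseline, reporting mismatches, baseline keys the region never reported, and values the baseline does not cover. The log text is the slide's output reproduced as a constructed sample, and BASELINE and the function names are my own assumptions.

```python
"""Check the DFHSIT security values that CA ACF2 reports during CICS Phase 0
initialization (ACFAE3xx 'Setting DFHSIT value KEY=VALUE') against a site
baseline. Added example, not CA's code; BASELINE is an assumed site standard
and SAMPLE_LOG is the slide's Phase 0 output reproduced as a constructed sample."""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
FHPA1101 MYREGION DFHSIT42 IS BEING LOADED.
ACFAE040 Phase 0 Initialization Started
ACFAE300 Setting DFHSIT value SEC=YES
ACFAE000 ACF2 PARAMETERIZATION IN PROGRESS
ACFAE309 Setting DFHSIT value XFCT=YES
ACFAE303 Setting DFHSIT value XPCT=YES
ACFAE304 Setting DFHSIT value XTRAN=YES
ACFAE301 Setting DFHSIT value RESSEC=ALWAYS
ACFAE301 Setting DFHSIT value RESSEC=ALWAYS
ACFAE302 Setting DFHSIT value CMDSEC=ALWAYS
ACFAE311 Setting DFHSIT value DFLTUSER=CICSDFT
ACFAE350 Setting DFHSIT value XAPPC=NO
ACFAE351 Setting DFHSIT value XUSER=YES
ACFAE320 Setting DFHSIT value XEJB=YES
ACFAE321 Setting DFHSIT value EJBROLEPRFX=
ACFAE322 Setting DFHSIT value SNSCOPE=NONE
ACFAE353 Setting DFHSIT value XHFS=YES
ACFAE041 Phase 0 Initialization Ended
"""

# Assumed baseline: the values the slide's region reports as set. Anything the
# region reports that is not listed here is surfaced for review, not judged.
BASELINE = {"SEC": "YES", "XTRAN": "YES", "XPCT": "YES", "XFCT": "YES",
            "RESSEC": "ALWAYS", "CMDSEC": "ALWAYS", "XUSER": "YES", "XHFS": "YES"}

SETTING = re.compile(r"^ACFAE3\d\d\s+Setting DFHSIT value\s+([A-Z0-9]+)=(\S*)")

def parse_phase0(log: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Return (region, {key: value}, problems). Only messages between ACFAE040
    and ACFAE041 count; a key repeated with the same value (RESSEC on the slide)
    is ignored, repeated with a different value it is recorded as a problem."""
    region, settings, problems, inside = "", {}, [], False
    for line in log.splitlines():
        line = line.strip()
        loaded = re.match(r"^FHPA1101\s+(\S+)\s+\S+\s+IS BEING LOADED", line)
        if loaded:
            region = loaded.group(1)
        elif line.startswith("ACFAE040"):
            inside = True
        elif line.startswith("ACFAE041"):
            inside = False
        elif inside and (m := SETTING.match(line)):
            key, value = m.group(1), m.group(2)
            if key in settings and settings[key] != value:
                problems.append(f"{key} set twice: {settings[key]} then {value}")
            settings[key] = value
    if inside:
        problems.append("ACFAE041 never seen: Phase 0 did not complete")
    return region, settings, problems

def check_region(log: str, baseline: Dict[str, str] = BASELINE) -> Dict[str, list]:
    """Classify what the region reported: 'ok' equals the baseline, 'mismatch'
    differs, 'missing' is a baseline key never reported, 'review' is everything
    the baseline does not cover plus parse problems."""
    region, settings, problems = parse_phase0(log)
    result: Dict[str, list] = {"region": [region], "ok": [], "mismatch": [],
                               "missing": [], "review": problems}
    for key, want in baseline.items():
        if key not in settings:
            result["missing"].append(key)
        elif settings[key] == want:
            result["ok"].append(key)
        else:
            result["mismatch"].append(f"{key}={settings[key]} (baseline {want})")
    result["review"] += [f"{k}={v}" for k, v in settings.items() if k not in baseline]
    return result
```

Run it against the job log of every region after an IPL or a DR bring-up; the 'review' list is where a site decides whether values such as DFLTUSER or SNSCOPE belong in its own baseline.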
CICS Security: CICS Initialization (continued)
ACFAE044 Phase 2 Initialization Started
ACFAE075 Storage manager subtask has been attached
ACFAE050 Signon Manager Subtask is active
ACFAE051 Attaching 005 Signon Server Subtasks
ACFAE076 Program manager subtask has been attached
ACF04057 GLOBAL DIRECTORY RMTP ALREADY EXISTS
ACF04057 GLOBAL DIRECTORY RMTP ALREADY EXISTS
ACFAE123 Global directory.. Ensure console reload was performed
ACF04057 GLOBAL DIRECTORY RCFC ALREADY EXISTS
ACFAE123 Global directory.. Ensure console reload was performed
ACF04057 GLOBAL DIRECTORY RCKC ALREADY EXISTS
ACFAE123 Global directory.. Ensure console reload was performed
+ACFF9003 CICSSSUB PROCESS INITIALIZATION STARTED
+ACFF9014 CICSSSUB PROCESS INITIALIZATION COMPLETED
+ACFF9003 CICSLSUB PROCESS INITIALIZATION STARTED
+ACFF9014 CICSLSUB PROCESS INITIALIZATION COMPLETED
ACFAE045 Phase 2 Initialization Ended
ACFAE047 Security Initialization Complete
CICS Security: CICS Initialization
You can load CA ACF2 parms one of two ways:
– Startup JCL
– CA ACF2 Information Storage records (C-CIC records)
CICS Security – ACFM Function Summary
• AM – Access Rule Maintenance: inspects, modifies, and stores access rule sets under the CICS interface.
• CP – CA ACF2 Command Processor: executes the ACF command and supports most of the standard ACF command facilities.
• EN, ES, and EV – End of Session: terminates ACFM sessions.
• HM – Help General Menu Display: displays a list of all functions that are available in ACFM.
• OD/OM – System Option Display and Modification: displays (OD) and modifies (OM) the CICS interface security subsystem options currently in effect.
• RC – Resource Control: adds USERKEYs, reloads directories for CICSKEYs and USERKEYs, and resets CA ACF2 validations for session caches.
• RM – Resource Rule Maintenance: inspects, modifies, and stores resource rule sets under the CICS interface.
CICS Security – ACFM Function Summary (continued)
• SD – CICS Interface System Status Display: contains secondary functions that display the status of the CICS interface system: CACHE, DIRECT, ENVIRON, GENERAL, LOOK, SUBTASK, WINDOW
• MRO – MRO, ISC, IRC
  • IRC: inter-region communications
  • ISC: intersystem communications
  • MRO: Multiple Region Option
CICS Security – ACFE: Who is on the Region?
ACFE=WHOSON
<<< List of USERS in Region: CICSSEC >>>
Userid  Netname  Applid  Signon Mode  Signon Type  Signon Time  Date
<<------------------------------------------------------------------------------------->>
Summary: A Few Words to Review
Don’t:
– Be convinced that you are secure because your infrastructure has advanced monitoring and protection
– Cripple the business with cumbersome processes; they will find a way to circumvent them
Remember:
– You are only as secure as your least secure vendor (none are too small to consider)
Do:
– Be aware of recent breaches and ensure you raise the bar for attackers
– Consider all paths into the mainframe
Q & A
Follow Conversations in the Mainframe Content Center
CA Data Content Discovery
CA ACF2 ™ for z/OS
CA Top Secret® for z/OS
CA Cleanup
CA Auditor
Identify and Control Security Risk
Discover regulated data on z Systems™ and maintain a secure infrastructure
Advanced Authentication –Nov 18th @ 4:30pm
The Known Unknown -
Nov 19th @ 12:15pm
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15