Introduction to z/OS Security Lesson 4: There’s more to it than RACF

Objectives At the completion of this topic the student should be able to provide a brief overview of the security related elements of the z/OS operating system

Key terms SAF RACF PKI Services ITDS for z/OS ICSF OCSF OCEP EIM

Introduction This lesson briefly discusses the key elements of z/OS that address different security needs. Technologies such as Secure Sockets Layer (SSL), Kerberos V5, Public Key Infrastructure, multilevel security and exploitation of IBM mainframe cryptographic features are available in z/OS. Integrated Cryptographic Service Facility (ICSF) is a part of z/OS which provides cryptographic functions for data security, data integrity, personal identification, digital signatures and the management of cryptographic keys. Together with cryptography features of System z9 and zSeries servers, z/OS provides high-performance SSL.

Introduction z/OS provides support for digital certificates, including the ability to provide full life-cycle management. With Public Key Infrastructure Services in z/OS, customers can create and manage digital certificates, leveraging their existing z/OS mainframe investments. z/OS, together with DB2 Universal Database™ for z/OS Version 8, provides a solution for multilevel security on the System z mainframe. This support provides row-level security labeling in DB2 and protection in z/OS designed to meet the stringent security requirements of multi-agency access to data. This solution leverages System z leadership to enable highly secure single database hosting.

SAF SAF is the System Authorization Facility element of z/OS. Its purpose is to provide the interface between the products that request security services and the external security manager (ESM) installed on the z/OS system.
SAF is NOT part of RACF.
SAF is a component of MVS (the z/OS BCP).
SAF gives an installation centralized control over system security processing by means of a system service called the SAF router. The SAF router is the focal point and the common system interface for all products that provide resource control. An ESM supplies SAF with tables that direct specific calls for security functions to specific routines within the ESM. Because the routing is table driven, z/OS can support pluggable ESMs, and the installation chooses which ESM to use. SAF and the SAF router are present on every z/OS system, whether or not an ESM is installed; when no ESM is active, a request comes back with a return code that says no decision was made, and the calling product must decide how to proceed.

The SAF Router For each request type presented to SAF, a different routine is invoked. The locations of these routines are held in the SAF routing table, which the ESM supplies when it is installed.
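The two slides above describe a dispatcher: a caller issues a request, the SAF router looks the request type up in a table the ESM supplied, the ESM routine answers with a return code, and the caller (not SAF, not the ESM) acts on it. The model below is an added illustration written for this lesson, not IBM code: the request names (AUTH, VERIFY) and return codes (0 allowed, 4 no decision, 8 denied) follow the SAF convention, but ToyEsm is a made-up stand-in for RACF or another ESM with a deliberately simplified profile model, and resource_manager_allows stands in for whatever product called SAF.

```python
"""Model of the SAF router: callers issue requests, the router dispatches them
through a table the installed ESM supplied, and the caller acts on the return code.

Added illustration, not IBM code. Request names and return codes follow the SAF
convention; ToyEsm and its profile model are hypothetical simplifications.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

ALLOWED, NO_DECISION, DENIED = 0, 4, 8


@dataclass
class SafRequest:
    request: str            # SAF request type, e.g. "AUTH" or "VERIFY"
    user: str
    resource: str = ""
    cls: str = "DATASET"    # resource class the resource belongs to
    access: str = "READ"    # access level being requested


class ToyEsm:
    """Hypothetical external security manager: a user list plus resource profiles."""
    ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

    def __init__(self) -> None:
        self.users: Set[str] = set()
        # (class, resource) -> {user: highest access granted}
        self.profiles: Dict[Tuple[str, str], Dict[str, str]] = {}

    def add_user(self, user: str) -> None:
        self.users.add(user)

    def permit(self, cls: str, resource: str, user: str, access: str) -> None:
        self.profiles.setdefault((cls, resource), {})[user] = access

    def auth(self, req: SafRequest) -> int:
        profile = self.profiles.get((req.cls, req.resource))
        if profile is None:
            return NO_DECISION          # no profile covers this resource
        granted = profile.get(req.user, "NONE")
        if self.ACCESS_ORDER.index(granted) >= self.ACCESS_ORDER.index(req.access):
            return ALLOWED
        return DENIED

    def verify(self, req: SafRequest) -> int:
        return ALLOWED if req.user in self.users else DENIED

    def routing_table(self) -> Dict[str, Callable[[SafRequest], int]]:
        """The table an ESM hands to SAF: request type -> ESM routine."""
        return {"AUTH": self.auth, "VERIFY": self.verify}


class SafRouter:
    def __init__(self) -> None:
        # Empty table: SAF is present, but no ESM has been installed yet.
        self.table: Dict[str, Callable[[SafRequest], int]] = {}

    def install_esm(self, esm: ToyEsm) -> None:
        self.table = esm.routing_table()

    def route(self, req: SafRequest) -> int:
        routine = self.table.get(req.request)
        if routine is None:
            return NO_DECISION          # no ESM, or the ESM does not handle this request
        return routine(req)


def resource_manager_allows(saf: SafRouter, req: SafRequest, fail_closed: bool = False) -> bool:
    """The caller (say, a data set open routine) decides, using SAF's return code.

    Neither SAF nor the ESM grants or blocks anything itself. Return code 4 means
    "no decision"; whether that allows or denies is the caller's own policy.
    """
    rc = saf.route(req)
    if rc == ALLOWED:
        return True
    if rc == NO_DECISION:
        return not fail_closed
    return False


if __name__ == "__main__":
    saf = SafRouter()
    print(saf.route(SafRequest("AUTH", "IBMUSER", "SYS1.PARMLIB")))    # 4: no ESM yet
    esm = ToyEsm()
    esm.add_user("IBMUSER")
    esm.permit("DATASET", "SYS1.PARMLIB", "IBMUSER", "READ")
    saf.install_esm(esm)
    print(saf.route(SafRequest("AUTH", "IBMUSER", "SYS1.PARMLIB")))    # 0: allowed
    print(saf.route(SafRequest("AUTH", "IBMUSER", "SYS1.PARMLIB", access="UPDATE")))  # 8
```

The interesting branch is the unprotected resource: the ESM has no profile, so it answers "no decision", and the caller's fail_closed flag, not the ESM, determines the outcome. That is the behaviour the RACF slide means when it says the system, not RACF, makes the final decision.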

RACF RACF is the Resource Access Control Facility. It is NOT an entitlement of the z/OS operating system; it is delivered as part of the z/OS Security Server, a separately priced feature, so customers pay extra for RACF. RACF provides the capability to uniquely describe resources, users, and the relationships between them. When a user attempts to access a resource, the system calls RACF (through SAF) and RACF indicates whether or not that user has the requested access permission. It is then the decision of the calling system component, not of RACF, to allow or deny the access request, based on the return code RACF handed back.

PKI Services z/OS PKI Services is a complete Certification Authority package; it is always enabled, independently of which security manager is installed. The Certification Authority keys are located in a secure file or within the ESM (for example, RACF). The z/OS PKI can act as a root CA or as an intermediate CA. It provides these functions to implement and perform full certificate life cycle management:
User request driven via customizable Web pages
Automatic or administrator approval process
End user / administrator revocation process
With PKI Services, z/OS installations can establish a PKI infrastructure and serve as a certificate authority for internal and external users.

ITDS for z/OS (LDAP) LDAP defines a standard method for accessing and updating information in a directory. LDAP has gained wide acceptance as the directory access method of the Internet and is therefore also becoming strategic within corporate intranets. It is supported by a growing number of software vendors and is being incorporated into a growing number of applications. Browsers such as Netscape and Microsoft Internet Explorer, as well as application middleware such as the IBM WebSphere Application Server or the IBM HTTP Server, support LDAP as a base feature. ITDS = IBM Tivoli Directory Server, the LDAP server shipped with z/OS.

ICSF The Integrated Cryptographic Service Facility acts as the device interface for the cryptographic hardware on IBM Z systems. ICSF provides support for the following:
The Commercial Data Masking Facility (CDMF), an exportable version of DES cryptography with a reduced (40-bit effective) key strength
DES and Triple DES encryption for privacy
The transport of data keys through the use of the RSA public key algorithm
The generation and verification of digital signatures through the use of both the RSA and the Digital Signature Standard (DSS) algorithms
The generation of RSA and DSS keys
The SET Secure Electronic Transaction standard, which was created by Visa International and MasterCard
The PKA Encrypt and PKA Decrypt callable services, which can be used to enhance the security and performance of Secure Sockets Layer (SSL) security protocol applications
Note that CDMF and single DES are obsolete as protection mechanisms today; current ICSF releases also provide AES, SHA-2 and elliptic-curve services.

System SSL Secure Sockets Layer (SSL) is a communications protocol that provides secure communications over an open communications network (for example, the Internet). SSL is a layered protocol that is intended to be used on top of a reliable transport such as TCP. SSL provides data privacy and integrity as well as server and client authentication based on public key certificates. Once an SSL connection is established between a client and server, the encryption and integrity protection added by the SSL protocol are transparent to the application: it reads and writes data as it would on a plain connection. System SSL supports the SSL V2.0, SSL V3.0 and TLS (Transport Layer Security) V1.0 protocols. TLS V1.0 was the latest version of the protocol when this lesson was written; SSL V2.0 and V3.0 have since been formally deprecated, and TLS 1.2 or later should be required for new configurations.
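The version policy is the part of the slide above that a practitioner has to get right on any platform, so here is the same idea expressed with Python's ssl module. This is an added example for this lesson, not System SSL code: the hardened context refuses everything below TLS 1.2 and insists on server certificate verification, the legacy context shows the "talk to anything" configuration beside it, and policy_findings is a small audit helper (a name chosen here, not a library function) that reports what a given context would accept.

```python
"""Protocol-version and verification policy for a TLS client, weak beside hardened.

Added illustration using Python's ssl module, not System SSL. No network is
used; the functions only build and inspect contexts.
"""
import ssl
from typing import List, Optional


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses SSLv2/v3 and TLS 1.0/1.1 and verifies the server."""
    # create_default_context already sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The 'works with everything' configuration; shown only to be checked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever OpenSSL still has
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy problems with a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the hostname against the certificate")
    return findings


if __name__ == "__main__":
    print("hardened:", policy_findings(hardened_client_context()))
    print("legacy:  ", policy_findings(legacy_client_context()))
```

The transparency the slide describes holds for both contexts: once wrapped, the socket is read and written the same way. Which one was used only shows up in an audit like policy_findings or in the negotiated parameters on the wire, which is why the policy has to be set deliberately rather than left to defaults.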

OCSF Open Cryptographic Services Facility (OCSF) is the z/OS implementation of the Common Data Security Architecture (CDSA). Its components work together to provide software-based cryptography to z/OS applications. The OCSF architecture consists of a set of layered security services and associated programming interfaces designed to furnish an integrated set of information and communication security capabilities. The security services available in OCSF are defined by the categories of service provider module that the architecture accommodates. These service providers are:
Cryptographic Services
Trust Policy Libraries
Certificate Libraries
Data Storage Libraries

OCEP OCEP (Open Cryptographic Enhanced Plug-ins) consists of two service provider modules (also called "plug-ins") that are intended to be used with the Open Cryptographic Services Facility (OCSF) Framework:
Trust Policy
Data Storage Library
These service provider modules enable applications to use z/OS Security Server (RACF), or an equivalent product, to provide security functions for digital certificates and key rings. The OCEP service provider modules implement a subset of the application programming interfaces (APIs) defined by OCSF. Applications can use the OCEP service provider modules, and their supported APIs, to retrieve and use digital certificates and private keys that are stored in the RACF database on a z/OS system. In addition to the OCSF Framework, the OCEP service provider modules are intended to work with the OCSF Certificate Library and Cryptographic Service Provider modules.

EIM The problem: too many identities. Today's network environments are made up of a complex group of systems and applications, resulting in the need to manage multiple user registries. Dealing with multiple user registries quickly grows into a large administrative problem that affects users, administrators, and application developers. The solution: Enterprise Identity Mapping. EIM allows administrators and application developers to address this problem more easily and inexpensively than was previously possible. EIM allows one-to-many mappings (in other words, a single person with more than one user identity in a single user registry). EIM also allows many-to-one mappings (in other words, multiple people mapped to a single user identity in a single user registry).
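The two mapping shapes in the slide above are easiest to see with data. The toy domain below is an added example for this lesson, not IBM's EIM API or data model: an EIM identifier stands for one person, a source association says "this registry user is that person", a target association says "on that registry, use this user ID for that person", and lookup is the identity-mapping query an application would issue. The registry names (CORP.AD, KERB.REALM, ZOS1.RACF) and user IDs are made up.

```python
"""Toy Enterprise Identity Mapping domain showing one-to-many and many-to-one mappings.

Added illustration, not IBM's EIM API. Registries, people and user IDs are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class EimDomain:
    def __init__(self) -> None:
        self.identifiers: Set[str] = set()
        # (registry, user) -> EIM identifier; one registry user belongs to one person
        self.source: Dict[Tuple[str, str], str] = {}
        # identifier -> registry -> user IDs that person may use on that registry
        self.target: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def add_identifier(self, ident: str) -> None:
        self.identifiers.add(ident)

    def add_source_association(self, ident: str, registry: str, user: str) -> None:
        if ident not in self.identifiers:
            raise KeyError(f"unknown EIM identifier {ident!r}")
        key = (registry, user)
        if key in self.source and self.source[key] != ident:
            # Refuse to let one registry identity be claimed by two people.
            raise ValueError(f"{user}@{registry} already belongs to {self.source[key]!r}")
        self.source[key] = ident

    def add_target_association(self, ident: str, registry: str, user: str) -> None:
        if ident not in self.identifiers:
            raise KeyError(f"unknown EIM identifier {ident!r}")
        self.target[ident][registry].add(user)

    def lookup(self, src_registry: str, src_user: str, target_registry: str) -> List[str]:
        """Who is src_user@src_registry on target_registry?

        Returns [] for an unknown source identity or no target on that registry,
        one name in the normal case, and several names when the person holds more
        than one identity there (one-to-many); the caller must then disambiguate.
        """
        ident = self.source.get((src_registry, src_user))
        if ident is None:
            return []
        return sorted(self.target[ident].get(target_registry, ()))

    def who_maps_to(self, target_registry: str, target_user: str) -> List[str]:
        """Reverse view: every source identity that resolves to target_user@target_registry."""
        idents = {i for i, regs in self.target.items()
                  if target_user in regs.get(target_registry, ())}
        return sorted(f"{u}@{r}" for (r, u), i in self.source.items() if i in idents)


def sample_domain() -> EimDomain:
    """Constructed sample: an AD forest and a Kerberos realm mapped onto one RACF database."""
    d = EimDomain()
    for person in ("Alice Smith", "Bob Jones", "Carol Lee"):
        d.add_identifier(person)
    d.add_source_association("Alice Smith", "CORP.AD", "asmith")
    d.add_source_association("Alice Smith", "KERB.REALM", "alice@EXAMPLE.COM")
    d.add_source_association("Bob Jones", "CORP.AD", "bjones")
    d.add_source_association("Carol Lee", "CORP.AD", "clee")
    # One-to-many: Alice has an ordinary and an administrative RACF user ID.
    d.add_target_association("Alice Smith", "ZOS1.RACF", "ALICE")
    d.add_target_association("Alice Smith", "ZOS1.RACF", "ALICEADM")
    # Many-to-one: two people share a single low-privilege RACF user ID.
    d.add_target_association("Bob Jones", "ZOS1.RACF", "GUEST")
    d.add_target_association("Carol Lee", "ZOS1.RACF", "GUEST")
    return d


if __name__ == "__main__":
    d = sample_domain()
    print(d.lookup("KERB.REALM", "alice@EXAMPLE.COM", "ZOS1.RACF"))   # ['ALICE', 'ALICEADM']
    print(d.lookup("CORP.AD", "clee", "ZOS1.RACF"))                   # ['GUEST']
    print(d.who_maps_to("ZOS1.RACF", "GUEST"))                        # ['bjones@CORP.AD', 'clee@CORP.AD']
```

The many-to-one case is where the audit question lives: who_maps_to shows which people can end up as GUEST on the mainframe, which is what an auditor asks when a shared RACF ID appears in SMF records. The one-to-many case shows why an application must be ready for an ambiguous answer rather than taking the first element.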

Summary z/OS provides many different elements that address different security needs. Installations can use user IDs and passwords, UIDs, and digital certificates as mechanisms to authenticate an identity. z/OS can be a Certificate Authority, dispensing digital certificates and the accompanying public and private keys for large-scale secure infrastructures. Hardware and software work together to provide encryption facilities through ICSF and OCSF, independent of the underlying cryptographic facilities. Communications can be secured, whether inbound or outbound, through secure sockets from or to any other platform. The problem of multiple identities for a single user can be addressed by mapping the identities together in a single application that can be queried from anywhere in the enterprise.