Presentation is loading. Please wait.

Presentation is loading. Please wait.

DB2 9 for z/OS DB2 9 Security Update Best Practices in DB2 Security Jim Pickel, STSM

Published byMaria Bennett Modified over 9 years ago

Similar presentations

Presentation on theme: "DB2 9 for z/OS DB2 9 Security Update Best Practices in DB2 Security Jim Pickel, STSM"— Presentation transcript:

1 DB2 9 for z/OS DB2 9 Security Update Best Practices in DB2 Security Jim Pickel, STSM pickel@us.ibm.com

2 2 Session Agenda  Security Challenges  New Security Features  Best Practices

3 3 DB2 Security Challenges  Need to control administrative tasks –Little control of privileged IDs –Little or no individual accountability –Difficult to manage or audit database changes –Little control of implicit privileges

4 4 DB2 Security Challenges  Need to control application servers –Interactions using common IDs –Diminished user accountability –Over granting of privileges –Managing user credentials

5 5 DB2 Security Challenges An example of current application server security model  In a typical application server model, the middle layer: authenticates users running client applications manages all interactions with DB2  The middle layer use a common user ID and password to authenticate connections with DB2  The common user ID is then used for authorization on behalf of all end-users The Database LayerThe Client LayerThe Middleware Layer Application Server DB2 End-user Authentication Session Management Middle Tier’s User ID and Password Authorization Checking

6 6 Introducing new DB2 security objects  DB2 TRUSTED CONTEXT –A new object used to control users and applications access to DB2  DB2 ROLE –A new object that can be granted privileges or own objects

7 7  Application attributes are verified before associating it with a trusted context such as the system user id and where the request originated  Allows a unique set of privileges to be associated with an application preventing the misuse of privileges when not accessing through the trusted context  Controls what end users can be associated with an application eliminating the need to manage RACF user credential from trusted servers Associating an application with a trusted context

8 8 Using the new ROLE object  A role is a object that can be granted any authority or privilege  A role is only associated with a DB2 process when the application is associated with a trusted context  A role can be the owner of a database object such as a table  A role is not a group!

9 9 Other Security Enhancements  RACF ID propagation –Allows auditing of non-RACF users in both DB2 and RACF logs –Minimal CPU impact –SAF Enterprise Identity Mapping  FIPS compliant network encryption  Auditing Filtering Improvements Satisfies your compliance needs

10 10 How to Create a Trusted Context and a Role SQL CREATE/ALTER/DROP TRUSTED CONEXT SQL CREATE/DROP ROLE

11 11 CREATE TRUSTED CONTEXT  Provide a system ID and connection attributes necessary to associate a trusted context to a connection IP Address or host name of remote application JOBNAME of local application Encryption requirements Enabled or disabled by administrator  Provide optional list of users can be associated with the trusted connection  Provide authentication requirements for users in list of users  Provide optional ROLE to control application privileges  Provide optional RACF SERVAUTH profile to control access by network zones  Provide optional SECURITY LABEL can be associated with the connection

12 12 Trusted Context Example CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID WASADMIN WITH USE FOR SAM, JOE, PETE, MARY WITHOUT AUTHENTICATION ATTRIBUTES (ADDRESS '9.67.40.219') ENCRYPTION HIGH SECURITY LABEL SAFEZONE ENABLE;

13 13 Establishing a Trusted Connection  An application can be associated with a trusted context using: ► DDF ► RRS Attach ► DSN ASUSER ► BATCH Once established, you can securely switch the user associated with connection without requiring credentials DB2 DB2 Connect DSN RRSAF UserID Cache Switch Users Cached! Switch Users Cached!

14 14 Client Exploitation  New CLI and JDBC Client Driver APIs ► JDBC example: Cookie=getDB2TrustedPooledConnection(authid, pwd, …); getDB2Connection(Cookie, newUser, newPassword, …);  Websphere Application Server ► Database property: propagateClientIdentityUsingTrustedContext

15 15 Special Trusted Context Privileges  Once an application is associated with a trusted context, it can: ► Acquire additional privileges through a ROLE ► Acquire a RACF security label ► Efficiently switch user associated with connection on transaction boundary ► Allow objects created to be owned by the ROLE

16 16 CREATE ROLE  Creates a DB2 database entity that can have one or more privileges granted to it  Role associated with a DB2 process when a connection is associated with a trusted context  Means to acquire context specific privileges  Can own DB2 objects when trusted context is defined with “Role as Object Owner”

17 17 Role Example CREATE ROLE CTXROLE; CREATE TRUSTED CONTEXT CTX1 BASED UPON CONNECTION USING SYSTEM AUTHID ADMIN1 DEFAULT ROLE CTXROLE WITH ROLE AS OBJECT OWNER ATTRIBUTES(ADDRESS'9.67.40.219') ENABLE; GRANT DBADM TO CTXROLE;

18 18 Best Practices using new features  Secure an existing Application Server  Secure DBA Activities  Allow DBA to run as another USER  Allow remote IDs to be included in z/OS audit logs

19 19 Application Server Connect using System Authid Client host IP address 9.10.20.30 Access using APP_ROLE Secure an existing Application Server  Create TRUSTED CONTEXT, ROLE and associate it with an Application Server –Remove privileges associated with the application server ID –Grant needed privileges to a role used by the application –Change object ownership to ROLE using V9 Catmaint utility –Restrict access to connections from the Application Server IP address  No changes needed on the Application Server –Default Current SCHEMA and Current SQL ID set to ROLE Trusted Connections DB2 Server CREATE TRUSTED CONTEXT SYSTEM AUTHID (APP1) ATTRIBUTES (ADDR 9.10.20.30) DEFAULT ROLE APP_ROLE; CREATE ROLE APP_ROLE; GRANT … TO ROLE APP_ROLE; STOP ROGUE APPS

20 20  Security administrator controls the use of DBADM a.Revoking DBA privileges from individual IDs b.Granting special privileges to a DBA role c.Creating trusted context and assign the DBA role to the DBA IDs  When a DBA needs to perform a database change, the security administrator then 1.Start DB2 audit trace 2.Enable trusted context to allow access to sensitive objects 3.DBA can now connect and performs the database change 4.Disable trusted context to protect sensitive objects 5.Stop DB2 audit trace  An auditor can review the audit trace to ensure compliance “ Takes the hassle out of managing changes to our production database ” Secure DBA Activities

21 21 Allow DBA to run as another USER  For example, a DBADM who created view for other IDs can DROP or ALTER a VIEW owned by the another ID //DBAJOBA JOB USER=‘PRODDBA1’ //IKJEFT1B EXEC PGM=IKJEFT1B //SYSTSPRT DD SYSOUT=* //SYSPRINT DD SYSOUT=* //SYSTSIN DD * DSN SYSTEM(DB1P) ASUSER(PRODOWNR) END //SYSIN DD * ALTER VIEW PRODVIEW REGENERATE; COMMIT ; // CREATE TRUSTED CONTEXT CTXLOCAL BASED UPON CONNECTION USING SYSTEM AUTHID PRODDBA1 ATTRIBUTES (JOBNAME ‘DBAJOB*’) WITH USE FOR PRODOWNR ENABLE; DBA can apply emergency changes on behalf of the owner

22 22 Identity Propagation using Trusted Context  Needed when Non-RACF users access DB2  Non-RACF User IDs included in both DB2 and RACF audit records  Exploits z/OS Security Server user mapping SAF plug- in service –RACF Enterprise Identity Mapping feature (LDAP based) –Retrieves RACF Auth ID for remote Non-RACF user ID –RACF ID is used primary Auth ID –Provides many to one mapping End-to-End Auditing!

23 23 Propagate WAS Identities to DB2 and RACF 1.Configure DB2 to associate a trusted context with WAS 2.Set up EIM WAS user registry (WASUSR1->RACFUSR1) 3.Configure WAS to use a new Trusted Connection API →Database property ‘propagateClientIdentityUsingTrustedContext’ set to ‘true’ →Application parameter ‘TargetRealmName’ is set to the EIM registry name 4.WAS creates a trusted connection pool using DB2PoolConnection API 5.WAS associates WAS end user with SQL requests using getDB2PoolConnection API 6.DB2 maps the WAS end user ID to obtain RACF auth ID using EIM (results cached) 7.DB2 checks if the DB2 RACF ID is allowed to use the trusted connection 8.WAS user ID are recorded in DB2 and RACF audit logs The Database Layer The Client Layer The Middleware Layer WebSphere Application Server DB2 End-user WASUSR1 DB2 Auth ID RACFUSR1 CREATE TRUSTED CONTEXT SYSTEM AUTHID WASAPP1 WITH USE FOR RACFUSR1; EIM: WASUSR1-> RACFUSRS 1 2 4 5 6 7 WAS-system user WASAPP1 3

24 24 Industry standard network security  256bit AES userid and password encryption –Encryption and Decryption runs under DBAT and is zIIP enabled  Secure Socket Layer (SSL) connections –In all client drivers by end of year –z/OS Communication Server AT-TLS feature Configurable using Communication Server Configuration Assistant –Enforced using Trusted Context by setting connection attribute ENCRYPTION to ‘HIGH’ –DDF can be configured to listen on a new secure port –Can have high CPU impact depending on message size  IPSEC is an alternative (e xploits zIIP)

25 25 Filter events when using DB2 Audit Trace  New -START TRACE filtering capabilities that INCLUDE or EXCLUDE audit records based on the following keywords:  USERID – client user ID  WRKSTN – client workstation name  APPNAME– client application name  PKGLOC – package LOCATION name  PKGCOL – package COLLECTION name  PKGPROG – PACKAGE name  CONNID – connection ID  CORRID – correlation ID  ROLE – user’s database ROLE -START TRACE … ROLE(DBA1ROLE, USR1ROLE) -START TRACE … XROLE(DBA2ROLE, USR2ROLE) Less evasive audits by allowing auditor to target what records to write

26 26 Trusted Context and Roles Usage  Better control of application servers  Better control of the use of administrative authorities  Removes the need for a user to own objects  Manage objects owned by other users  Improved auditing of remote users

27 27 DB2 Security Redbook SG24-6480 Updated to include Trusted Context Roles Identity Propagation

28 28 Jim Pickel IBM pickel@us.ibm.com Session Number 1057 Best Practices in DB2 security Things to consider when reviewing your DB2 security processes: 1.Incorporate separation of duties in all security processes. 2.Grant only the authority or privileges necessary to do the job (do not over grant) 3.Control the use of implicit privileges by having roles own objects 4.Enable auditing to tables with sensitive data 5.Limit view of data through the views or security labels 6.Control access to DB2 using RACF DSNR and SERVAUTH classes 7.Control applications access through trusted contexts 8.Limit the use of privileged IDs (administrators) through trusted context 9.Prevent the use common IDs by managing users through trusted context 10.Encrypt sensitive data on the disk and on the network 11.Enable identity propagation to allow auditing of end users 12.Perform periodic audits to verify security plan is working 13.Mask test data Thank You,

Download ppt "DB2 9 for z/OS DB2 9 Security Update Best Practices in DB2 Security Jim Pickel, STSM"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Introduction to z/OS Security Lesson 4: There’s more to it than RACF

Introduction to z/OS Security Lesson 4: There’s more to it than RACF
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Security Pertemuan 7 Matakuliah: T0413 Tahun: 2009.

Security Pertemuan 7 Matakuliah: T0413 Tahun: 2009.
Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.

Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.
Database Vault Marco Alamanni

Database Vault Marco Alamanni
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.
Database Management System

Database Management System
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Introduction to the new mainframe: Large-Scale Commercial Computing © Copyright IBM Corp., 2006. All rights reserved. Chapter 4: Integrity and security.

Introduction to the new mainframe: Large-Scale Commercial Computing © Copyright IBM Corp., All rights reserved. Chapter 4: Integrity and security.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.

Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Similar presentations

Ads by Google