VL7 iSeries Security 2 - Freie Universität (Security_2.pdf)
Post on 20-Apr-2020
Transcript
Architecture and Operation of Commercial Application Systems FU Berlin
SoSe 2005 1
© Copyright IBM Corporation 2005Material may not be reproduced in whole or in part without the prior written permission of IBM.
Lecture 7
iSeries Security – Part 2
Thomas Barlenbarlen@de.ibm.com
7.1 Security Implementation Overview
Layered implementation of security
To achieve the highest level of protection, security should be implemented in layers.
Layers (outermost to innermost) and the measures the slide places in each:
• Corporate Security: security policies, user education
• Physical Security: locks, access control, UPS, backup comms lines
• Network Security: firewall, VPN gateway, intrusion detection, LAN interface
• System Security: object access, user profile
• Application Security: SSL, exit programs
Every layer should meet the security goals: Authentication, Authorization, Integrity, Confidentiality, Audit/Logging
i5/OS Security Services Overview
The iSeries server offers security in various layers! The slide draws the protocol stack, top to bottom:
• Application (Telnet, FTP, etc)
• Transport (TCP, UDP)
• Network (IP)
• Data Link (Ethernet, Token Ring, PPP)
• Physical (Hardware, Network Adapter)
and places these security services alongside it: SSL/TLS, Physical Locks, L2TP, VPN, RADIUS, Journaling/Auditing, Exit Programs, IP Filtering, Digital Certificates, Kerberos, OpenSSH.
Encryption Methods
• Symmetric keys: the same key is used for encryption and decryption (e.g. DES, 3DES, AES, RC4)
• Asymmetric keys (public key cryptography, standardised for example in the PKCS series): encryption and decryption use different keys, a public key and a private key (e.g. RSA)
The slide illustrates both with the plaintext "Minnesota in winter is freezing cold, North Carolina is much warmer...." turned into ciphertext such as "7l$wP0^8a'!yUdSLjh^7GVda;0ydh." and back. With a symmetric key the same key encrypts and decrypts; with an asymmetric pair, data encrypted with the public key is decrypted with the private key, and data encrypted with the private key is decrypted with the public key.
Example: Signing an e-mail
Sender:
1. The e-mail text ("I will invite you for one glass of beer !") is run through a hash algorithm, producing the hash (message digest), e.g. w#43ldk(&edww*%d3D24fm
2. The digest is encrypted with the sender's private key using an asymmetric encryption algorithm; the result is the electronic signature, e.g. y6^54fa#30(867^mKfAq@gsd
3. The signed e-mail is the text plus the signature
Receiver:
4. The signature is decrypted with the sender's public key, recovering the digest w#43ldk(&edww*%d3D24fm
5. The received text is hashed with the same hash algorithm, giving a second digest
6. Compare: if both digests match, the text is unchanged and was signed by the holder of the private key
Signing an e-mail involves hashing and encryption
7.2 iSeries Network Layer Security
Data on a network can be stolen or manipulated at any time, whether deliberately or unintentionally
Protecting data in a network
The slide shows a corporate network connected over the Internet to two branch offices and a supplier: site-to-site traffic runs through VPN tunnels, individual connections through SSL / TLS and an SSH tunnel.
Several technologies are available that provide:
Authentication, Integrity, Confidentiality
i5/OS VPN Capabilities
• Implements the IPSec protocol framework
– Compatible with all major players in the market
• Provides host-to-host, host-to-gateway, gateway-to-gateway, and gateway-to-host connection support
• Supported protocols involved are Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE) and the sub-protocol IP Compression (IPCOMP)
• Pre-shared key or RSA authentication
• VPN set up through configuration wizard
The slide's stack figure shows Applications over TCP/UDP (Transport) over IP (Internetwork) over Data Link, with IPSec, IKE and L2TP drawn alongside the lower layers.
VPN Requirements
• Data Origin Authentication
– Verifies that each datagram was originated by the claimed sender
• Data Integrity
– Verifies that the contents of the datagram were not changed in transit, either deliberately or due to random errors
• Data Confidentiality
– Conceals the clear text of a message, typically by using encryption
• Replay Protection
– Assures that an attacker cannot intercept a datagram and play it back at some other time
• Key Management
– Assures that your VPN policy can be implemented throughout the extended network with little or no manual configuration
• Performance and Availability
– Assures that the VPN does not hinder your business operations, but rather grows as your business grows. Also assures that your VPN can accommodate future technologies as they become available
• Interoperability
– Assures that your VPN uses standards-based technologies in order to maintain interoperability with other VPN vendors
IP Security (IPSec) Protocols
• Authentication Header (AH)
– Provides data origin authentication, data integrity, and replay protection
– Uses hashed message authentication codes (HMAC) based on shared secrets
– Does not encrypt datagram content
– IANA assigned IP protocol number 51
• Encapsulating Security Payload (ESP)
– Provides data confidentiality (except for transform NULL)
– Encrypts payload of IP packet by using cryptographic keys
– Optionally provides data origin authentication, data integrity, and replay protection
– IANA assigned IP protocol number 50
• Internet Key Exchange (IKE) protocol
– Dynamically generates and refreshes cryptographic keys
– Rekeying occurs while VPN connection is running
– Two phase approach protects keys and data
Authentication Header (AH) Overview
• Provides origin authentication for the entire IP datagram (mutable IP header fields such as TTL and checksum are zeroed for the computation)
• Provides data integrity and replay protection
• IANA assigned IP protocol number 51
• IETF standard (RFC 2402)
• Uses hashed message authentication codes (HMAC) based on cryptographic keys
• Does not encrypt datagram content
• Two modes: Tunnel and Transport
AH Transforms supported in i5/OS
• Mandatory Authentication Transforms
– HMAC-MD5-96 (RFC 2403)
– HMAC-SHA-1-96 (RFC 2404)
• Optional Authentication Transforms
– DES-MAC
• Obsolete Authentication Transforms
– Keyed-MD5 (RFC 1828)
The "-96" suffix means the HMAC output is truncated to its first 96 bits (12 bytes) before being placed in the Integrity Check Value field.
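How the AH integrity check and the replay protection from the previous slides fit together, as an added example that is not i5/OS code. It computes HMAC-SHA-1-96 over a simplified set of authenticated fields (SPI, sequence number, payload) with the standard library and keeps a 64-packet anti-replay window in the style of RFC 2401; the 20-byte key, the SPI value and the datagrams are constructed for the example, and a real AH implementation also covers the immutable IP header fields.

```python
"""AH-style inbound processing: HMAC-SHA-1-96 ICV check plus anti-replay window.
Added example, not IBM code; field layout and window size are simplified."""
import hashlib
import hmac
import struct

ICV_LEN = 12  # "-96": the 20-byte SHA-1 HMAC is truncated to 96 bits


def ah_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value over the authenticated fields (simplified set)."""
    authenticated = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


class AntiReplayWindow:
    """Sliding window of already-seen sequence numbers (RFC 2401 style)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  <=>  sequence number (top - i) was received

    def is_acceptable(self, seq: int) -> bool:
        """Pre-check without updating; done before the ICV is computed."""
        if seq == 0:
            return False                         # 0 is never valid with anti-replay on
        if seq > self.top:
            return True                          # new high-water mark
        diff = self.top - seq
        if diff >= self.size:
            return False                         # too old, fell out of the window
        return not (self.bitmap & (1 << diff))   # already seen -> replay

    def mark(self, seq: int) -> None:
        """Record seq; only called after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(key: bytes, spi: int, seq: int, payload: bytes, icv: bytes,
            window: AntiReplayWindow) -> str:
    """Order matters: cheap replay pre-check, then ICV, then window update.
    Returns 'accepted', 'replay' or 'bad icv'."""
    if not window.is_acceptable(seq):
        return "replay"
    expected = ah_icv(key, spi, seq, payload)
    if not hmac.compare_digest(expected, icv):   # constant-time comparison
        return "bad icv"
    window.mark(seq)
    return "accepted"


def demo() -> list:
    """Constructed traffic: 20-byte key, SPI 0x1000, datagrams 1,2,3,5,4,
    then a replay of 3 and a datagram altered in transit."""
    key = bytes(range(20))
    spi = 0x1000
    window = AntiReplayWindow()
    results = []
    for seq in (1, 2, 3, 5, 4):                  # 4 arrives late but inside the window
        payload = b"datagram %d" % seq
        results.append(receive(key, spi, seq, payload, ah_icv(key, spi, seq, payload), window))
    replayed = b"datagram 3"
    results.append(receive(key, spi, 3, replayed, ah_icv(key, spi, 3, replayed), window))
    original, altered = b"datagram 6", b"datagram 6 tampered"
    results.append(receive(key, spi, 6, altered, ah_icv(key, spi, 6, original), window))
    return results


if __name__ == "__main__":
    print(demo())
```

The window is only advanced after the ICV has verified, so an attacker who cannot forge the HMAC cannot push the window forward and make legitimate in-flight datagrams look stale.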
Encapsulating Security Payload (ESP) Overview
• Encrypts payload of IP packet using cryptographic keys
– The Next Header field (in the ESP trailer) identifies the protocol carried in the payload
• Optional data origin authentication, data integrity, and replay protection
– Takes less cryptographic processing power to detect and reject packets whose contents have been changed than decrypting them first
– Rejection happens at the IP layer, rather than higher up in the stack
• IANA assigned IP protocol number 50
• IETF standard (RFC 2406)
ESP Transforms supported in i5/OS
Transforms Supported with ESP (the original slide prints the i5/OS-supported transforms in bold; that formatting is lost in this transcript)
• Mandatory Encryption Transforms
– DES_CBC (RFC 2405)
– NULL (RFC 2410)*
• Optional Encryption Transforms
– CAST-128 (RFC 2451)
– RC5 (RFC 2451)
– IDEA (RFC 2451)
– Blowfish (RFC 2451)
– 3DES (RFC 2451)
– RC4
– AES
• Mandatory Authentication Transforms
– HMAC-MD5-96 (RFC 2403)
– HMAC-SHA-1-96 (RFC 2404)
– NULL (RFC 2410)*
• Optional Authentication Transforms
– DES-MAC
*NULL cannot be used for encryption and authentication at the same time (ESP with NULL for both would provide no protection at all)
Internet Key Exchange (IKE) Overview
• Key generation and identity authentication
• Automatic key refresh
• Solves the "first key" problem
• Based on ISAKMP framework and Oakley key distribution protocol
• IETF standard (RFCs 2408-09, 2411-12)
• Built-in protection
– Mitigates Denial of Service attacks (cookie exchange before expensive work)
– Prevents Man-in-the-Middle attacks (through peer authentication)
– Provides Perfect Forward Secrecy (optional, via a fresh Diffie-Hellman exchange in Phase 2)
• Must support IKE over UDP, port 500 (4500 typically used with UDP encapsulation)
• Must use strong authentication
– Pre-shared keys
– Digital signatures (DSS and RSA)
– Public key encryption (RSA and revised RSA)
• Two phase approach
The Two Phases of IKE
• IKE Phase 1 (key policy)
– Host 1 and Host 2 authenticate each other, using a pre-shared 'key' or RSA signatures
– Establish master secret
– Generate IKE keys
– Protect Phase 2 negotiations
• IKE Phase 2 (data policy)
– Protected by Phase 1
– Generate cryptographic keys to protect data
• Keys are derived, never transmitted
• Uses UDP port 500 for negotiation
IKE Modes
• Two IKE Phase 1 modes are supported...
• 'Main' mode
– also known as 'identity protection' mode
– encrypts identities during Phase 1 negotiations
• 'Aggressive' mode
– faster
– doesn't encrypt identities
– Primarily used in a dynamic IP address environment (dial-up) (with pre-shared keys)
• Both modes negotiate a proposal for transforms to be used...
Figure (first 2 messages, pre-shared keys, Phase 1 main mode): the Initiator (A) sends "Offer SA Proposals": IP header, UDP header, ISAKMP header, then Proposal #1 with its Transform(s) through Proposal #n with its Transform(s). The Responder (B) replies "Accept One": IP header, UDP header, ISAKMP header and the single selected Proposal #x with its Transform.
Security Associations (SA)
• Contains important information about how to use IPSec
– Algorithms (encryption, authentication)
– Key lengths and lifetimes
– Lifetimes (how long until an SA expires)
– Participating parties
– Nesting dependencies (inner or outer SA)
– Encapsulation modes (transport or tunnel)
– This information is cleartext and stored locally
• IKE SA (ISAKMP SA)
– Protects Phase 1 and Phase 2 IKE exchanges (SA establishment messages, key exchange messages)
– Bi-directional
– Either side can be Initiator or Responder
• Protocol SA
– Protects user traffic
– Negotiated during IKE Phase 2
– Unidirectional: one Protocol SA per direction (the figure marks each ONE WAY, with NO ENTRY for the opposite direction)
– Requires separate SPI and key for Initiator and Responder
IKE RSA signature: Main mode
Message exchange (Proposal and Transform payloads are considered part of the SA payload; messages 5 and 6 are marked "Protected" in the legend, i.e. encrypted with the keys established in messages 3 and 4):
1. Initiator to responder: ISAKMP header, SA (Proposal, Transform(1), Transform(2) ...)
2. Responder to initiator: ISAKMP header, SA (Proposal, Transform)
3. Initiator to responder: ISAKMP header, Key exchange, Nonce(initiator), Certificate request (1), Certificate request (2) ...
4. Responder to initiator: ISAKMP header, Key exchange, Nonce(responder), Certificate request (1) ...
5. Initiator to responder (protected): ISAKMP header, ID(initiator), Certificate, Signature(initiator)
6. Responder to initiator (protected): ISAKMP header, ID(responder), Certificate, Signature(responder)
Both the initiator and responder send one or more Certificate Request (CERT-REQ) payloads for the CAs that they trust
• Used by receiving system to help in certificate selection
• The iSeries server sends one CERT-REQ for each CA trusted by VPN Key Manager
VPN with UDP Encapsulation
• Addresses header authentication problems when NAT is used
• UDP encapsulation, a.k.a. "NAT-friendly IPSec"
– For iSeries-initiated access through a NAT system (for example, firewall)
– Encapsulates an entire IPSec datagram into a UDP datagram, thereby allowing NAT to change the IP header of the UDP datagram rather than the hashed IP header in the original IPSec datagram
– Currently, the iSeries can only be the initiator
– The figure shows an example datagram using ESP in tunnel mode, travelling from a branch office through a NAT device and the Internet across the VPN tunnel into the intranet
i5/OS L2TP Support
• Layer 2 Tunneling Protocol provides a virtual end-to-end PPP connection
• i5/OS supports LNS, LAC, and multi-hop connectivity
• L2TP does not provide encryption support -> Use IPSec to secure L2TP connections
Figure: PPP clients and L2TP clients dial in to ISPs. For a plain PPP client the LAC (L2TP Access Concentrator) at the ISP builds a compulsory L2TP tunnel across the Internet to the LNS (L2TP Network Server) in front of the corporate network (10.10.100.0/24); an L2TP client builds a voluntary L2TP tunnel to the LNS itself. Addresses labelled in the figure: 154.22.132.17 and 66.51.73.117 on the Internet side, 10.10.101.20, 10.10.101.23 and 10.10.101.31 on the corporate side.
Multi-hop tunneling for extranets
Expanding your private network
Figure: an L2TP client in Raleigh makes a PPP connection (local call) to its ISP and builds an L2TP voluntary tunnel to a multi-hop gateway in Raleigh; the gateway chains a second L2TP tunnel across the Internet to Singapore, giving a virtual PPP connection end to end. The protocol stack drawn for each hop is IP, IPSec AH (optional), L2TP, PPP, with IPSec AH/ESP available for the carried traffic.
SSL / TLS
• Secure Sockets Layer (SSL) / Transport Layer Security (TLS) needs to be implemented at application layer
• SSL V3.0 is the de facto industry standard and today is widely used in many applications to establish secure connections
• TLS V1.0 is the official standard which was defined by the IETF first in RFC 2246
• Provides:
– Data encryption and decryption: ensures that nobody can read transmitted data while in transit
– Data integrity: ensures that nobody can manipulate data while in transit; Message Authentication Codes (MACs) are used to provide this service
– Authentication: allows each communication partner to verify the identity of the other if required. SSL V2.0 supports server authentication only; SSL V3.0 and TLS V1.0 support server and client authentication. Authentication is optional
SSL facts
• Implemented on top of the OSI Reference Model layer 4 (transport layer)
– Applications must support SSL
– Needs additional programming
– Special sockets APIs
• SSL is not a single protocol. Instead, it consists of:
– SSL record protocol: sits on top of the transport layer and is used for encapsulation of various higher level protocols
– SSL handshake protocol: operates on top of the SSL record layer; allows the client and server to authenticate each other; negotiates an encryption algorithm and cryptographic keys before the application protocol receives or transmits data
SSL Handshake
Simplified view of an SSL handshake between Client and Server (the server certificate in the figure has Owner: Smith, XYZ Corp. and Issuer: USPS):
1. Client requests a secure connection and sends its supported CipherSuite list (Client Hello), in the figure 04 05 0A 09 03 06
2. Server sends its certificate to the client and the chosen CipherSuite (Server Hello), in the figure 05, picked from the server's allowed cipher suites 05 0A; optionally requests a client certificate
3. Client checks the trust status of the certificate (issuer USPS must be a trusted CA)
4. Client optionally sends its certificate to the server
5. Server sends Server Hello Done and waits for the client's response
6. Client creates a premaster secret and encrypts it using the server's public key
7. Client sends the encrypted premaster secret to the server
8. Server decrypts the premaster secret using the server's private key
Both sides now hold the same premaster secret and derive the same symmetric secret key from it; the secure data flow (application data in both directions) is encrypted with that key.
i5/OS Supported SSL Services
Service | Confidentiality | Integrity | Authentication | Authorization | Audit/Logging
Telnet Server | SSL/TLS | SSL/TLS | SSL/TLS (DCM), Kerberos, User Profiles | Exit Programs via IP Filtering | Exit Programs
Telnet Client | N/A | N/A | N/A | Exit Programs via IP Filtering | Application log
FTP Server | SSL/TLS | SSL/TLS | SSL/TLS (DCM), User Profiles | AppAdmin, Exit Programs via IP Filtering | Exit Programs
FTP Client | SSL/TLS | SSL/TLS | SSL/TLS (CA Trust) | AppAdmin, Exit Programs via IP Filtering | (none listed)
HTTP Server | SSL/TLS | SSL/TLS | SSL/TLS (DCM), User Profiles, Validation Lists, LDAP Directory | HTTP directives via IP Filtering | Server logs
LDAP Client | SSL/TLS | SSL/TLS | SSL/TLS (DCM) | N/A via IP Filtering | Application dependent
LDAP Server | SSL/TLS | SSL/TLS | SSL/TLS (DCM), Kerberos, User Profiles | Access Control Lists (ACLs) | Audit journal, Change log
Host Servers / iSeries Access | SSL/TLS | SSL/TLS | User profiles, Kerberos | AppAdmin via IP Filtering | (none listed)
SSL vs. VPN
• SSL / TLS
– SSL-enabled server and client applications required
– Application to application
– Simple to implement
– Typically used for a few applications or when dealing with users in the Internet
• VPN
– Host or Gateway must support VPN
– Transparent to application
– Requires networking skills
– Useful for protecting entire IP traffic between locations and for applications that do not support SSL
Figure: SSL sits between individual applications (HTTP, TELNET, CA400) and TCP/UDP (Transport), while IPSec is applied at the IP (Internetwork) layer and L2TP at the Data Link layer, below all applications.
Digital Certificates
What is a digital certificate?
• An electronic form of identification, such as a passport or driver's license
• Contains a name
– SubjectDN (such as CN=MyName, OU=FTSS, O=IBM, C=DE)
– SubjectAltName (such as IP address, e-mail address, host name, ...)
• Issuer information
• Public key
• Validity period
• Optional usage
• Optional CRL location
• Issued by a Certificate Authority (CA)
• Format defined in "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 2459
X.509 certificate structure (figure):
– Version
– Serial number
– Signature (algorithm)
– Issuer (X.500 DN)
– Validity
– Subject (X.500 DN)
– Subject Public Key Info
– Issuer Unique Identifier (v2)
– Subject Unique Identifier (v2)
– Extensions (v3): Subject Alternative Name, Authority Key Identifier, Subject Key Identifier, CRL Distribution Points, ...
– Signature Algorithm
– Signature Value
Usage for digital certificates
• Secure transmitted data
– Certificates can be used when establishing secured connections using the Secure Sockets Layer (SSL) protocol
– Data traffic is encrypted (typically, traffic is not encrypted using asymmetric keys; the asymmetric key pair protects the exchange of a symmetric session key)
• Authentication
– Better than a user ID and password because possession of a private key is required
– A private key will never be transmitted
– One certificate can be used to identify an entity to many other entities
• Signing objects
– Certificates can be used for signing objects, which ensures that data transmitted over an untrusted medium comes from a trusted source and was not modified.
Certificate Authority (CA)
• A CA is a trusted authority
• Issues certificates
• Performs validation of certificate request data
• Certificates are issued based on the Certification Practice Statement (CPS)
• Distinction between well-known CAs and local (private) CAs
• Many well-known CAs offer different classes of certificates
– The class specifies which parts of the certificate request data are verified
– Different costs for certificates of different classes
Certificate Authority (cont'd)
• Can issue certificates based on the Public Key Infrastructure X.509 (PKIX)
– PKIX CA creates both the private and the public keys for the requester
– PKIX CA holds a copy of the certificate including its public key
– PKIX standards: the certificate and CRL profile is RFC 2459 (cited on the certificate slide); RFC 2560, the number given on the original slide, defines the Online Certificate Status Protocol (OCSP), the online alternative to downloading a CRL
• Can maintain a Certificate Revocation List (CRL)
– CRL contains serial numbers, time stamps, and reason codes of revoked certificates
– In most cases, the CRL can be downloaded from a CA or accessed through LDAP
Managing Digital Certificates
• i5/OS can act as a local Certificate Authority (CA)
• i5/OS can use certificates issued by local/private CAs or well-known CAs
• Certificates are managed in i5/OS with the Digital Certificate Manager (DCM)
– DCM is a facility that enables you to manage digital certificates and their use in secure applications on the iSeries server
– DCM is a browser-based application
What CA should I use?
• Distinction between private/local CAs and public/well-known CAs
• What are the advantages / disadvantages and what are reasons for using a private CA versus a public CA?
The slide contrasts the two in a two-column table:
Public CA | Private CA
Reason for choosing: liability is required | Reason for choosing: special attribute values are required that are not provided by public CAs
No additional setup required on remote client/server | CA certificate must be deployed to all connected clients/servers for signature verification
Any client or server can use the certificate (signature verification) | Additional level of protection (clients also need the CA certificate)
Clients or servers are not known in advance or are not under direct control | All clients and servers are in a controlled environment
Charges a fee depending on the requested certificate type | No external fee associated
Improving SSL Performance with Hardware Cryptography
• Secure connections on high volume Web sites or business application servers with many users put additional load on servers
– Handshake and data encryption increase load
– Symmetric data encryption is far less expensive than the asymmetric encryption (RSA with public/private keys) used for authentication and key exchange during the handshake
• Hardware cryptography can be used to improve performance for the SSL handshake (asymmetric key operations)
– offloads work from main CPU
• iSeries provides different hardware options
iSeries Cryptographic Hardware
• 2058 e-Business Cryptographic Accelerator
– Improves SSL handshake performance
– Simple configuration
– Up to four adapters per system
• vary on device to activate
• each adapter contains five IBM UltraCipher Cryptographic engines
• one adapter supports 1000 RSA operations/second
• 4764 PCI-X Cryptographic Coprocessor (IOP-less)
– Designed to meet Federal Information Processing Standard FIPS 140 level 4 certification
– Supports EMV 2000 (Europay/MasterCard/Visa) standard
– Contains tamper-responding module
– Secure key generation and storage
– Random number generator
– Clone a master key securely
– Support financial PIN-processing
– Generate and validate digital signatures
– Encrypt and decrypt data
– Improves SSL handshake performance
OpenSSH Support in i5/OS
• OpenSSH is the free version of the SSH protocol suite
– it does not use any patented components, such as the IDEA encryption algorithm
• OpenSSH also supports the following services and functions:
– X11 forwarding: allows the encryption of remote X windows traffic
– Port Forwarding: allows forwarding of TCP/IP connections to a remote system over an encrypted channel
– Data Compression: uses zlib for compression
– Kerberos and AFS Ticket Passing: passes tickets for Kerberos and AFS on to the remote machine
– Cryptographic functions: uses the OpenSSL cryptographic library
Figure (port forwarding to port 23): on the Client, the ssh client listens on local port 2200 and forwards to Server1 port 23 through the secure SSH channel to sshd (port 22) on the Server. The Telnet client on the Client connects to Dst addr: localhost, Dst port: 2200; on the Server, sshd hands the connection to the Telnet server. The Telnet session, which is cleartext by itself, is thus encrypted on the network.
7.3 System Layer Security
Security System Values
Locking down security settings
• Security-related system values reflect the implementation of security policies
• Many programmers have permissions to change system security settings, often because the risk is not understood
• The concept of split responsibilities can prevent high-authority users from changing security system settings: once the lock is set, even users with *ALLOBJ and *SECADM special authority cannot change the locked system values; unlocking requires a service tools user ID, which a different person can hold
• Security system values can be locked down in System Service Tools (SST)
Work with System Security                    System: I5OSP3
Type choices, press Enter.
Allow system value security changes . . . . . 2   1=Yes, 2=No
Allow new digital certificates . . . . . . . 1   1=Yes, 2=No
Allow a service tools user ID with a default and expired password to change
  its own password . . . . . . . . . . . . . . 2   1=Yes, 2=No
Object Signing
Object Integrity Issues
• Distributing software via mail can introduce malicious code / trojans on the recipient's side
• Object signatures enable recipients to check whether the code has been changed since it was sent
• Issues that are not addressed in most companies:
– Deployment process for new applications or application changes
– Tampering with program objects remains undetected
– Programmers can override production programs anytime
Figure (Integrity): the Headquarters / BP / ISV distributes software to customers and branch offices. Somewhere along the way a person says "I'm going to modify the program"; at the branch office the reaction is "Oh, new SW from the HQ, I have to restore it", with no way to notice the change.
i5/OS Object Signing Support
• All IBM operating system, license program, and PTF objects are shipped digitally signed
– Shipped i5/OS has the CA and Signature Verification certificates internally stored
– Therefore even if DCM is not set up and there is no object signing or verification store, IBM supplied objects can be verified on restore
• i5/OS object signing capabilities can prevent objects from being restored when signatures are missing or invalid
• DCM can be used to create and manage certificates for digitally signing objects, which ensures:
– The object's integrity
– Proof of origination
• Signature operations as well as verification errors are logged in the audit journal
Security goals covered: Integrity, Audit/Logging
Objects that can be signed
• Save files (not empty ones)
• Programs: *PGM, *SRVPGM, *SQLPKG, *JVAPGM, *MODULE, *CMD
• Stream files in the IFS
Objects have to be in a local file system
How to use object signing
The flow chart on the slide, in the order the steps are carried out:
Signer (software distributor):
1. Create object signing certificate store
2. Create object signing certificate
3. Add application and assign certificate
4. Define list of objects to sign
5. Sign objects
6. Verify and package
7. Export signing certificate as verification certificate
8. Ship to customer
Receiver:
1. Create signature verification store
2. Receive signer's signature verification certificate (and CA certificate)
3. Verify setting of system value QVFYOBJRST
4. Restore the application
5. Verify signatures
Object signing components
• Certificate Authority: issues the Object Signing Certificate; its CA Certificate is what the verifying system trusts
• *OBJECTSIGNING Certificate Store: holds the Object Signing Certificates
• Application Definitions: each application has an Object Signing Certificate assigned to it
• Signed Objects: objects are signed with the Object Signing Certificate assigned to the application
• *SIGNATUREVERIFICATION Certificate Store: holds the Signature Verification Certificates (and the CA Certificate) used to verify object signatures
Check Object Integrity (CHKOBJITG)• The CHKOBJITG command can be used to check the integrity of a single
object, several objects, or all objects on the system• It not only verifies object signatures, but also verifies the integrity based on
checksums• The command flags the verified files with the following flags
– ALTERED The object has been tampered with– BADSIG The object has a digital signature that is not valid– DMN The domain is not correct for the object type– PGMMOD The runnable object has been tampered with
• The database file also logs the following non integrity violations as:– NOSIG Objects that do not have a digital signature but can
be signed or objects that have a signature that cannot be verified due to an untrusted status. Anuntrusted status is when the signature verificationstore does not contain the object signer’s signatureverification certificate.
– NOTCHECKED Objects that could not be checked • Only if violations are found by the CHKOBJITG command, results are
written to a result file1041101183438AS4B *PGM QDFTOWN BADSIG /qsys.lib/payslip.lib/PAYMREPORT.PGM1041101183438AS4B *PGM QDFTOWN PGMMOD /qsys.lib/payslip.lib/PAYRMAIN.PGM1041101183438AS4B *FILE BARLEN NOSIG /qsys.lib/payslip.lib/PAYIFSAPP.FILE
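Checking a whole library is only useful if someone reads the result file, so here is a small triage script for it. This is an added example, not code from the lecture or from IBM: the record layout it parses is an assumption taken from the three sample records above (a 13-character CYYMMDDHHMMSS timestamp, the system name, the object type, the owner, the violation flag and the object path; field widths are unknown, so it splits on whitespace and tolerates the timestamp and system name being fused as in the slide). The sample records are constructed from the slide.

```python
"""Triage a CHKOBJITG result file: separate real integrity violations
(ALTERED, BADSIG, DMN, PGMMOD) from the informational NOSIG / NOTCHECKED
records. Added example; the record layout is an assumption based on the
sample records in the lecture slides, not IBM's documented file format."""
import re
from datetime import datetime

VIOLATIONS = {"ALTERED", "BADSIG", "DMN", "PGMMOD"}     # object itself is wrong
INFORMATIONAL = {"NOSIG", "NOTCHECKED"}                  # object could not be vouched for

# Assumed layout: timestamp, system, object type, owner, flag, path.
RECORD = re.compile(
    r"^(?P<ts>\d{13})\s*(?P<system>\S+)\s+(?P<objtype>\*\S+)\s+"
    r"(?P<owner>\S+)\s+(?P<flag>[A-Z]+)\s+(?P<path>\S+)\s*$"
)

def parse_timestamp(ts):
    """CYYMMDDHHMMSS: the century digit is 0 for 19xx and 1 for 20xx."""
    year = 1900 + 100 * int(ts[0]) + int(ts[1:3])
    return datetime(year, int(ts[3:5]), int(ts[5:7]),
                    int(ts[7:9]), int(ts[9:11]), int(ts[11:13]))

def parse_record(line):
    m = RECORD.match(line)
    if not m:
        raise ValueError(f"unrecognised CHKOBJITG record: {line!r}")
    rec = m.groupdict()
    rec["time"] = parse_timestamp(rec.pop("ts"))
    return rec

def triage(lines):
    """Return (violations, informational). Unknown flags are treated as
    violations so that a new flag is never silently ignored."""
    violations, informational = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        (informational if rec["flag"] in INFORMATIONAL else violations).append(rec)
    return violations, informational

# Constructed sample: the records shown in the slide, timestamp and system fused.
SAMPLE = """\
1041101183438AS4B *PGM QDFTOWN BADSIG /qsys.lib/payslip.lib/PAYMREPORT.PGM
1041101183438AS4B *PGM QDFTOWN PGMMOD /qsys.lib/payslip.lib/PAYRMAIN.PGM
1041101183438AS4B *FILE BARLEN NOSIG /qsys.lib/payslip.lib/PAYIFSAPP.FILE
"""

if __name__ == "__main__":
    bad, info = triage(SAMPLE.splitlines())
    for rec in bad:
        print(f"{rec['time']:%Y-%m-%d %H:%M:%S} {rec['system']} VIOLATION {rec['flag']:<10} {rec['path']}")
    for rec in info:
        print(f"{rec['time']:%Y-%m-%d %H:%M:%S} {rec['system']} info      {rec['flag']:<10} {rec['path']}")
```

The two PGMMOD/BADSIG records are the ones that warrant an incident ticket; a NOSIG on a *FILE is expected for objects that were never signed, but a NOSIG on a program that the vendor does sign means the verification store is missing the vendor's certificate.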
Verify Object on Restore system value

  - System value QVFYOBJRST defines the policy for object signature verification during restore operations; it controls how much weight signatures carry for objects being restored onto your system
  - Signatures are verified when restoring *PGM, *SRVPGM, *MODULE, *SQLPKG, *CMD and *STMF objects with attached Java programs from media or from a save file
  - Signatures are not verified when:
    - restoring a signed save file; the signatures are verified when you later restore objects out of the save file
    - restoring stream files without attached Java programs
Options available for QVFYOBJRST:

  1  Do not verify signatures on restore. Restore all objects regardless of their signature. Use this value with care: it allows system-state objects to be restored without a valid signature.
  2  Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects even if the signatures are not valid.
  3  Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid.
  4  Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects even if the signatures are not valid.
  5  Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid.
Single Signon
Typical Environment Today (figure)

One user, many platforms and registries: iSeries (i5/OS), pSeries (AIX), zSeries (z/OS with RACF), xSeries (Windows 2000/2003, Linux, Unix), reached through Telnet, DDM, NetServer, WebSphere and other services.

John Smith's user IDs and passwords:
  u: John Smith   pw: my7dog
  u: jsmith       pw: just4u
  u: smithjo      pw: wolf9pack
  u: JoSm99       pw: tar3heel
  ... many more ...

For example, back-end access is often done using a single OS user, unaware of the end user's authority.
The Problems many companies face

  - Every server platform has its own mechanism for managing users (user registries), which makes administration complex
  - It is difficult to keep track of users across all systems
  - Users have to remember a user ID and password for every system they use
  - Application developers create their own user registries and use unsafe techniques for access to back-end systems
  - Single-point-of-management tools solve the problem for administrators, but not necessarily for users or ISVs
  - Existing single sign-on solutions (distributed authentication, authentication proxy, etc.) store user and password information
  - Storing passwords, even encrypted, lowers security: an attacker who obtains the store and its key recovers every password. Passwords should be stored only as hashes

20% to 40% of all calls to a help desk involve forgotten passwords, costing a company $14 to $26 per reset. Source: Gartner Group
Single Signon characteristics

  - Sign on once to the network using, for example, a user ID and password
  - Subsequent connection requests to application services and resources are authenticated without prompting for the user ID or password
    - Network authentication protocols, such as Kerberos, are used to perform the authentication
  - It is desirable to take into account that a single entity may have different identities for different applications

(figure: Vertical SSO and Horizontal SSO)
Enterprise Identity Mapping (EIM)

EIM defined: identity associations across user registries associated with OS platforms, applications, and middleware.

  - Enterprise Identity Mapping (EIM) is a mechanism for mapping (associating) a person or entity to the appropriate user identities in the various registries throughout the enterprise
  - EIM provides an infrastructure that lowers the expense for application developers of providing single signon solutions

Example (figure): the Windows 2000 Server kdc1.itso.myco.com is the KDC for realm itso.myco.com (Kerberos principals Jsmith and Sjones); an EIM Domain Controller holds the mappings; iSeriesA.itso.myco.com, iSeriesB.itso.myco.com and zSeriesC.itso.myco.com each have their own local user registry.

  EIM identifier   Kerberos principal   iSeries A user   iSeries B user   zSeries C user
  John Smith       Jsmith               Johns            Smithjo          Smithj
  Sharon Jones     Sjones               Sharonj          Jonessh          Joness2

The IBM autonomic computing initiative
Enterprise Identity Mapping (EIM) ...cont'd

  - EIM enables single signon
  - It accepts the fact that multiple registries (IBM and non-IBM) will exist in the enterprise
  - EIM is supported on all IBM eServer platforms:
    - zSeries (z/OS, Linux)
    - iSeries (OS/400, i5/OS, Linux, Windows 2000/2003)
      - Application support for Telnet (server, PC5250 and Host On-Demand clients), host servers, DDM/DRDA, ODBC, JDBC, NetServer, QFileSvr.400, HTTP server, Management Central, Windows integration
    - pSeries (AIX, Linux): NFS
    - xSeries (Windows 2000/2003/XP, Linux)
    - Java and C API support
  - EIM uses a collection of APIs that access a Directory server to store the domain information
  - IBM freely distributes the EIM APIs and Java packages for ISVs to bundle with their applications
    - Vendor tools exist that exploit the APIs for managing EIM domains
EIM Identifier

  - An EIM identifier represents an actual person or entity in EIM
  - The identity associations (mappings) are stored in a well-known location, such as LDAP, with common services across platforms to access the mappings

Figure: the enterprise user "John Smith" is one EIM identifier; identity mappings associate it with the local user identities in the different user registries (names such as JohnSM, SMITH1, JS, J Smith, JSmith and JOHNS in registries such as z/OS, OS/400, AIX, Kerberos principals, Linux, DCE, Windows 2000/XP and application services).
EIM Domain Data

  - EIM uses a Directory (LDAP server) for storing identities along with the EIM domain data
  - The Directory server also handles access control to the EIM domain configuration
  - A basic Directory configuration is required for creating an EIM domain
  - Available LDAP server functions, such as replication, can be used to improve availability

Figure: below the directory root, the EIM domain data holds the user registries and the identity mappings.
SSO Authentication - Kerberos

  - Kerberos is a network authentication protocol
  - It is designed to establish secure authentication from client to server (and vice versa) over an untrusted network
  - On iSeries, Kerberos is referred to as Network Authentication Service (NAS)
    - NAS is built on the Kerberos Network Authentication Service as specified in RFC 1510 (since superseded by RFC 4120)
    - Kerberos V5 is required
  - NAS enables the operating system and applications to use Kerberos tickets for authentication instead of a user ID and password
  - Applications can identify users and securely pass the identity on to other services
  - Kerberos is widespread throughout the industry and allows for interoperability between platforms
  - It simplifies trust management
Kerberos Environment (figure)

Participants: John (the client), the Key Distribution Center (KDC) with its Authentication Server (AS) and Ticket-Granting Server (TGS), and Server A hosting Service "A".

  1. as_request:   "Hi, I'm John. Can I have a ticket for getting tickets?"
  2. as_reply:     "Here's a ticket-granting ticket (TGT); the session key that goes with it is encrypted with John's secret key."
  3. tgs_request:  "Here is my TGT, could I have a ticket for Service A?"
  4. tgs_reply:    "Here's a ticket for Service A."
  5. ap_request:   "Here is my ticket; let me use your service."
  6. ap_reply:     "Welcome John! By the way, here's the proof that I'm Service A."
Kerberos Tickets

  - Ticket: a record that helps a client authenticate itself to a server or service and establish a session
  - Ticket-granting ticket (TGT): a ticket used for requesting the tickets subsequently used for sessions. A TGT is received once the proper credentials are given to the Authentication Server
  - Some other tickets:
    - Proxiable/Proxy ticket: a ticket that can be used by servers to represent the client against a back-end server
    - Forwardable/Forwarded ticket: a ticket that delegates the task of obtaining service tickets on behalf of the client
The 'Ticket'

This structure is the same for all tickets (simplified; see RFC 1510 for exact details):

  - tkt-vno: Kerberos version used (v5)
  - Realm: name of the realm that issued the ticket
  - Sname: server/service name the ticket is intended for
  - Encrypted part (sealed under the service's key): flags, session key, client name, client realm, transited realms, authentication time, start time, end time, renew-till time, client address(es), authorization data
Example Session

Keys: KU = shared secret (password) of the client user; KUK = session key client-KDC; KM = KDC master key.

  1. AS_REQ (client -> KDC (AS)): client name, service name "krbtgt", and a timestamp encrypted with KU (pre-authentication)
  2. AS_REP (KDC -> client): the TGT, which contains KUK and is encrypted with KM, plus the session key KUK encrypted with KU
Example Session (cont'd)

Keys: KUK = session key client-KDC; KUS = session key client-Service_A; KS = shared secret (password) of Service_A.

  3. TGS_REQ (client -> KDC (TGS)): the TGT (encrypted with KM), the requested service name, and an authenticator encrypted with KUK
  4. TGS_REP (KDC -> client): the service ticket, which contains KUS and is encrypted with KS, plus the session key KUS encrypted with KUK
  5. AP_REQ (client -> Service_A): the service ticket (encrypted with KS) and an authenticator encrypted with KUS
  6. AP_REP (Service_A -> client): the timestamp from the authenticator, encrypted with KUS; only a service that knows KS could have extracted KUS, so this proves the service's identity to the client
EIM and Kerberos - Working together (figure)

EIM Domain Controller, identifier "John N. Smith", with its associations:

  Registry      User         Type      Role
  DomainServer  John Smith   Kerberos  source ID
  ServerA       JOHNS        OS/400    target ID
  ServerB       JSMITH       RACF      target ID
  IntraNet      JohnS        AIX       target ID
  SysA          JOSMITH      OS/400    target ID

Flow (the steps for requesting the TGT are not shown):
  1. John -> KDC (TGS): "Can I have a ticket for SysA?"
  2. KDC -> John: service ticket for SysA
  3. John -> SysA: "Sure. Here's my ticket. Can you let me in?"
  4. SysA -> EIM Domain Controller (over SSL): "Hey, who is this John Smith?"
  5. EIM Domain Controller -> SysA: "I know, that's JOSMITH"
  6. SysA -> John: "Oh. Welcome JOSMITH"
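The two "Example Session" slides and the EIM flow above can be run end to end in a simulation. The following is an added example written for this page; it is not IBM's NAS or EIM code. Its cipher is a stand-in for the Kerberos encryption types (real implementations use the RFC 3961 profiles such as AES with HMAC-SHA1) and kdf() stands in for string-to-key; only the key relationships (KU, KM, KUK, KS, KUS), the message contents and the EIM lookup follow the slides. The realm, principal, service secrets and registry names are made up, and the in-memory EIM table replaces the LDAP-backed domain controller.

```python
"""Simulated Kerberos V5 AS/TGS/AP exchange plus an EIM-style lookup at the
target service. Added example, not IBM code; the cipher and kdf() are toys
standing in for the Kerberos encryption types and string-to-key."""
import hashlib, hmac, json, os, time

def kdf(secret):                                   # toy string-to-key: KU / KS from a secret
    return hashlib.sha256(secret.encode()).digest()

def _stream(key, nonce, n):                        # SHA-256 keystream of at least n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key, obj):
    """Toy authenticated encryption: XOR keystream + HMAC-SHA256 tag (stand-in for RFC 3961)."""
    data, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(ts, skew=120):                           # Kerberos clock-skew check
    return abs(time.time() - ts) <= skew

class KDC:
    """Knows KU of every principal and KS of every service; KM seals the TGT."""
    def __init__(self, realm, principals, services, lifetime=300):
        self.realm, self.lifetime, self.km = realm, lifetime, os.urandom(32)
        self.keys = {n: kdf(s) for n, s in {**principals, **services}.items()}

    def _ticket(self, sname, cname, skey, key):    # simplified ticket of the 'Ticket' slide
        now = time.time()
        return encrypt(key, {"tkt_vno": 5, "realm": self.realm, "sname": sname, "cname": cname,
                             "session_key": skey.hex(), "authtime": now, "endtime": now + self.lifetime})

    @staticmethod
    def check_authenticator(ticket, authenticator, skey):
        """The authenticator proves possession of the ticket's session key."""
        a = decrypt(skey, authenticator)
        if a["cname"] != ticket["cname"] or not fresh(a["timestamp"]) or time.time() > ticket["endtime"]:
            raise PermissionError("authenticator rejected")
        return a

    def as_exchange(self, cname, preauth):         # steps 1-2: AS_REQ -> AS_REP
        ku = self.keys[cname]
        if not fresh(decrypt(ku, preauth)["timestamp"]):   # pre-auth timestamp under KU
            raise PermissionError("pre-authentication failed")
        kuk = os.urandom(32)
        return self._ticket("krbtgt", cname, kuk, self.km), encrypt(ku, {"session_key": kuk.hex()})

    def tgs_exchange(self, tgt, authenticator, sname):     # steps 3-4: TGS_REQ -> TGS_REP
        t = decrypt(self.km, tgt)
        kuk = bytes.fromhex(t["session_key"])
        self.check_authenticator(t, authenticator, kuk)
        kus = os.urandom(32)
        return self._ticket(sname, t["cname"], kus, self.keys[sname]), encrypt(kuk, {"session_key": kus.hex()})

class EIM:
    """Source association (registry, user) -> EIM identifier -> target association per registry."""
    def __init__(self, identifiers):
        self.identifiers = identifiers
        self.by_source = {(r, u): i for i, a in identifiers.items() for r, u in a["source"]}
    def lookup(self, src_registry, src_user, target_registry):
        ident = self.by_source.get((src_registry, src_user))
        if ident is None:
            raise PermissionError(f"no EIM identifier for {src_user} in registry {src_registry}")
        target = self.identifiers[ident]["target"].get(target_registry)
        if target is None:
            raise PermissionError(f"{ident} has no target association in registry {target_registry}")
        return target

class Service:
    """SysA: knows only its own KS and asks EIM which local user the principal maps to."""
    def __init__(self, sname, secret, eim):
        self.sname, self.ks, self.eim = sname, kdf(secret), eim
    def ap_exchange(self, ticket, authenticator):  # steps 5-6: AP_REQ -> AP_REP
        t = decrypt(self.ks, ticket)               # only a ticket sealed under KS opens
        kus = bytes.fromhex(t["session_key"])
        a = KDC.check_authenticator(t, authenticator, kus)
        local_user = self.eim.lookup("Kerberos", t["cname"], self.sname)
        return local_user, encrypt(kus, {"timestamp": a["timestamp"]})   # mutual auth

def client_login(kdc, cname, password, service):
    """Steps 1-6 from the client's side; returns the local user the service granted."""
    ku = kdf(password)
    tgt, enc = kdc.as_exchange(cname, encrypt(ku, {"timestamp": time.time()}))
    kuk = bytes.fromhex(decrypt(ku, enc)["session_key"])
    ticket, enc = kdc.tgs_exchange(tgt, encrypt(kuk, {"cname": cname, "timestamp": time.time()}), service.sname)
    kus = bytes.fromhex(decrypt(kuk, enc)["session_key"])
    ts = time.time()
    local_user, ap_rep = service.ap_exchange(ticket, encrypt(kus, {"cname": cname, "timestamp": ts}))
    if decrypt(kus, ap_rep)["timestamp"] != ts:    # the service proved it knows KUS
        raise PermissionError("mutual authentication failed")
    return local_user

def demo():
    """Made-up names: John Smith (Kerberos) maps to JOSMITH on SysA and JOHNS on ServerA."""
    eim = EIM({"John N. Smith": {"source": [("Kerberos", "John Smith")],
                                 "target": {"SysA": "JOSMITH", "ServerA": "JOHNS"}}})
    kdc = KDC("ITSO.MYCO.COM", {"John Smith": "my7dog"}, {"SysA": "sysa-service-secret"})
    return client_login(kdc, "John Smith", "my7dog", Service("SysA", "sysa-service-secret", eim))

if __name__ == "__main__":
    print("logged in as", demo())
```

Two things worth noticing when you run it: the user's password never leaves the client (it is only used to derive KU and open the AS_REP), and SysA never sees that password either; it trusts the KDC's seal under KS and the EIM mapping. A wrong password fails at the pre-authentication step, and a principal with no target association for the service is refused even though its Kerberos ticket is perfectly valid.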
Implementation Prerequisites

  - iSeries
    - Min. OS/400 V5R2 (5722-SS1) or i5/OS V5R3
    - including the Qshell interpreter (option 30) and Host Servers (option 12)
    - Cryptographic Access Provider 128-bit (5722-AC3)
    - iSeries Access for Windows (5722-XE1)
  - Client
    - Windows 2000/XP
    - iSeries Access (Version 5 Release 2 or higher)
    - iSeries Navigator including the "Network" and "Security" components (for administration)
    - other clients that support Kerberos authentication
  - KDC
    - must support Kerberos Version 5
    - iSeries KDC support added with i5/OS V5R3
    - Windows 2000 or Windows 2003 server with Active Directory
    - Linux KDC (MIT or Heimdal)
Anti-Virus Scanning
Antivirus scanning

  - i5/OS contains infrastructure support for enhanced virus scanning of the Integrated File System (IFS)
  - It allows third-party vendors to develop antivirus scanning software that plugs into i5/OS (OS/400)
  - The scanning support is available to scan for any other purpose when an object is opened or closed

Viruses cause significant damage to businesses every year (an integrity problem). Figure: infected files (examples shown: W32/Cidu-A, W32/BabyBearA) spread into the IFS via NetServer, FTP and NFS.
Antivirus scanning (cont'd)

  - i5/OS keeps track of all changes and only calls the scanning software when files or virus definition files change
    - When independent auxiliary storage pools (IASPs) are used and the virus definitions are kept in sync between systems, moving an IASP does not cause a rescan
    - Scanning behavior can be controlled via IFS object attributes and system values
  - Only objects in the /root, QOpenSys and user-defined (UDFS) file systems are scanned
  - When several open instances exist for an object, scanning is only performed when the close request for the last descriptor is received
  - By default, no scanning occurs when an object is opened for write access only
  - Virus scanning products register to the following exit points:
    - QIBM_QP0L_SCAN_OPEN: Integrated File System Scan on Open exit program
    - QIBM_QP0L_SCAN_CLOSE: Integrated File System Scan on Close exit program
Antivirus scanning (cont'd)

  - System-wide behavior is controlled via two system values:
    - QSCANFS: which file systems are scanned (*NONE switches scanning off entirely)
    - QSCANFSCTL: scan control options, for example *FSVRONLY (scan only accesses that come through a file server)
Antivirus scanning (cont'd)

  - Which files are scanned can be further controlled via IFS object attributes
  - The following two attributes were added and can be set via the Change Attribute (CHGATR) command or the object's file properties dialog:
    - *CRTOBJSCAN: specifies whether objects created in a directory are to be scanned
    - *SCAN: specifies whether a specific object is to be scanned

For command line fans:

    CHGATR OBJ('/home/quser/envar') ATR(*SCAN) VALUE(*NO)
Open Exit - Preconditions

  - The exit program is NOT called if any of the following is true:
    - no exit program exists for this exit point
    - QSCANFS is set to *NONE
    - the object is marked not to be scanned, and a scan is not required because the object was restored
    - the object is opened for write access only
    - the object is truncated as part of the open request
    - the object is the storage for an Integrated xSeries Server (IXS)
    - the object is not being accessed from a file server and QSCANFSCTL specifies *FSVRONLY
    - the object is in a *TYPE1 directory
Open Exit - additional conditions

  - If the preconditions are met, the exit program is called if one of the following conditions is met:
    - the object has never been scanned
    - the object data has been modified since the last scan
    - the CCSID of the object has been modified since the last scan
    - the "to CCSID" specified on the open request differs from the last two "to CCSIDs" that were specified and scanned
    - the object is being opened in binary and was not previously scanned in binary
    - the scanning software has been updated and the object was not marked to be scanned only if the object changed
Close Exit

  - The exit program is NOT called if any of the following is true:
    - no exit program exists for this exit point
    - QSCANFS is set to *NONE
    - the object is marked not to be scanned, and a scan is not required because the object was restored
    - the object being closed was opened for write access only
    - the object is the storage for an Integrated xSeries Server (IXS)
    - the object is not being accessed from a file server and QSCANFSCTL specifies *FSVRONLY
    - the object is in a *TYPE1 directory
Close Exit - Additional Conditions

  - If the preconditions are met, the exit program is called if one of the following conditions is met:
    - the object has never been scanned
    - the object data has been modified since the last scan
    - the CCSID of the object has been modified since the last scan
    - the "to CCSID" specified on the open request associated with this close differs from the last two "to CCSIDs" that were specified and scanned
    - the object associated with the close request was opened in binary and was not previously scanned in binary
    - the scanning software has been updated and the object was not marked to be scanned only if the object changed
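The four preceding slides are a decision procedure, and the easiest way to see where the edge cases fall (a truncating open, a write-only open, the *FSVRONLY control, the "last two CCSIDs" rule, the *CHGONLY attribute) is to write it down as one. The following is an added example, not IBM code: it models the preconditions and the additional conditions as plain Python over constructed objects. The field names on Obj and SystemValues are assumptions, as is the *CHGONLY value standing for "scan only if the object changed"; the real exit programs receive these facts in the parameter structures of QIBM_QP0L_SCAN_OPEN and QIBM_QP0L_SCAN_CLOSE, and none of this scans any file.

```python
"""Decision logic for the i5/OS IFS scan-on-open / scan-on-close exit points,
as described in the slides. Added example; field names are assumptions."""
from dataclasses import dataclass, field

@dataclass
class SystemValues:
    qscanfs: str = "*ROOTOPNUD"                    # *NONE disables scanning entirely
    qscanfsctl: set = field(default_factory=set)   # e.g. {"*FSVRONLY"}
    open_exit_registered: bool = True
    close_exit_registered: bool = True

@dataclass
class Obj:
    """Facts about one IFS object and the open/close request (assumed names)."""
    scan_attr: str = "*YES"               # *YES, *NO, or *CHGONLY (scan only if changed)
    restored_scan_required: bool = False  # restore flagged the object as needing a scan
    write_only: bool = False
    truncate_on_open: bool = False
    ixs_storage: bool = False             # storage space of an Integrated xSeries Server
    via_file_server: bool = True          # NetServer, FTP, NFS, ... as opposed to a local job
    type1_directory: bool = False
    ever_scanned: bool = False
    modified_since_scan: bool = False
    ccsid_changed_since_scan: bool = False
    to_ccsid: int = 1208
    scanned_to_ccsids: tuple = ()         # the last two "to CCSIDs" already scanned
    binary_open: bool = False
    scanned_in_binary: bool = False
    scanner_updated: bool = False         # virus definitions changed since the last scan

def _blocked_by_preconditions(obj, sv, registered, is_open):
    """Return why the exit is skipped, or None if a scan may still be needed."""
    if not registered:
        return "no exit program registered"
    if sv.qscanfs == "*NONE":
        return "QSCANFS *NONE"
    if obj.scan_attr == "*NO" and not obj.restored_scan_required:
        return "object marked *SCAN *NO"
    if obj.write_only:
        return "opened for write access only"
    if is_open and obj.truncate_on_open:          # open exit only
        return "truncated as part of the open request"
    if obj.ixs_storage:
        return "storage for an Integrated xSeries Server"
    if "*FSVRONLY" in sv.qscanfsctl and not obj.via_file_server:
        return "not accessed from a file server and QSCANFSCTL *FSVRONLY"
    if obj.type1_directory:
        return "*TYPE1 directory"
    return None

def _scan_reason(obj):
    """The 'additional condition' that invalidates the cached scan result, or None."""
    if not obj.ever_scanned:
        return "never scanned"
    if obj.modified_since_scan:
        return "data modified since last scan"
    if obj.ccsid_changed_since_scan:
        return "CCSID changed since last scan"
    if obj.to_ccsid not in obj.scanned_to_ccsids[-2:]:
        return "to-CCSID not among the last two scanned"
    if obj.binary_open and not obj.scanned_in_binary:
        return "opened in binary, not previously scanned in binary"
    if obj.scanner_updated and obj.scan_attr != "*CHGONLY":
        return "scanner updated"
    return None

def _decide(obj, sv, registered, is_open):
    blocked = _blocked_by_preconditions(obj, sv, registered, is_open)
    if blocked:
        return False, blocked
    reason = _scan_reason(obj)
    return reason is not None, reason or "cached scan result still valid"

def open_exit_decision(obj, sv):
    """(call_exit, reason) for a scan-on-open request."""
    return _decide(obj, sv, sv.open_exit_registered, is_open=True)

def close_exit_decision(obj, sv, last_descriptor=True):
    """(call_exit, reason) for a scan-on-close request; only the close of the
    last open descriptor can trigger a scan."""
    if not last_descriptor:
        return False, "other descriptors still open"
    return _decide(obj, sv, sv.close_exit_registered, is_open=False)

if __name__ == "__main__":
    sv = SystemValues()
    # Constructed cases: a brand-new file, a file with a valid cached result,
    # and a file touched only by a local job while *FSVRONLY is set.
    print(open_exit_decision(Obj(), sv))
    print(open_exit_decision(Obj(ever_scanned=True, scanned_to_ccsids=(1208,)), sv))
    print(close_exit_decision(Obj(via_file_server=False), SystemValues(qscanfsctl={"*FSVRONLY"})))
```

The last case is the one to remember when hardening a system: with *FSVRONLY, a file written by a local batch job is never presented to the scanner, which is a deliberate performance trade-off and not a bug, but it means the file-server path is the only enforced one.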
Lab Preparation and Demo

Lab Unit 7 Objectives

  - Lab 1 - Setting up digital certificates
    - Verify that the *ADMIN HTTP instance is started (required to work with DCM)
    - Learn how to set up digital certificates under i5/OS for use with SSL-enabled applications
    - You will create your own server certificate in the i5/OS *SYSTEM certificate store
(screenshot: iSeries Tasks page)

Enabling SSL for SSL-enabled Apps

  1. Create a certificate request via DCM (*SYSTEM store)
  2. Send the signing request to a CA
  3. Receive the signed certificate into the *SYSTEM store
  4. Assign the certificate to the application
  5. Modify the application settings
Lab Unit 7 Objectives (cont'd)

  - Lab 2 - Protecting Web traffic with SSL
    - You will activate SSL for one application; the application is an HTTP Web server
    - Every student creates her/his own Web server instance
    - You will use your own certificate with your server instance
    - At the end, you verify that your server works and that an SSL session can be established
(screenshots: IBM Web Administration for iSeries; Assigning a server certificate)
Lab Unit 7 Objectives (cont'd)

  - Lab 3 - Authenticating Web users with LDAP
    - You will configure your Web server instance to protect a new resource
    - Only authenticated users will be able to access the protected resource
    - Authentication is performed through an LDAP-enabled user registry
    - Students create their own organizational unit and person entries in the LDAP directory server
(screenshot: Setting up your LDAP directory entries)

Configuring LDAP authentication

Directory tree used in the lab:

  root
  +-- o=fuborg
      +-- ou=auth001
      |   +-- cn=webusera  (uid=usera, userPassword=my5pwd)
      +-- ou=authXXX