Pre-Con Ed: CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls

World®’16

CAACF2andCATopSecret– Part2:AdvancedSecurityControls

JohnPinkowski- ProductOwner

MFX39EB

MAINFRAMEANDWORKLOADAUTOMATION

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

ForInformationalPurposesOnlyTermsofthisPresentation

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.Thepresentationprovided atCAWorld2016isintendedforinformationpurposesonlyanddoesnotformanytypeofwarranty.Someofthespecificslideswith customerreferencesrelatetocustomer'sspecificuseandexperienceofCAproductsandsolutionssoactualresultsmayvary.

CertaininformationinthispresentationmayoutlineCA’sgeneralproductdirection.Thispresentationshallnotserveto(i) affecttherightsand/orobligationsofCAoritslicenseesunderanyexistingorfuturelicenseagreementorservicesagreementrelatingtoanyCAsoftwareproduct;or(ii)amendanyproductdocumentationorspecificationsforanyCAsoftwareproduct.Thispresentationisbasedon currentinformationandresourceallocationsasofNovember1,2016,andissubjecttochangeorwithdrawalbyCAatanytimewithout notice.Thedevelopment,releaseandtimingofanyfeaturesorfunctionalitydescribedinthispresentationremainatCA’ssolediscretion.

Notwithstandinganythinginthispresentationtothecontrary,uponthegeneralavailabilityofanyfutureCAproductrelease referencedinthispresentation,CAmaymakesuchreleaseavailabletonewlicenseesintheformofaregularlyscheduledmajorproductrelease.SuchreleasemaybemadeavailabletolicenseesoftheproductwhoareactivesubscriberstoCAmaintenanceandsupport,onawhen andif-availablebasis.Theinformationinthispresentationisnotdeemedtobeincorporatedintoanycontract.


Abstract

Morethan70percentofcorporatemission-essentialdataresidesonthemainframe.Doyouhaveenoughsecuritycontrolsinplacetoprotectit?ThissessionwilldoadeepdiveintothemostgranularconfigurationandsecuritycontrolsofCATopSecret®andCAACF2™,andprovideawalk-throughofwhyit'sabsolutelynecessarytoimplementgranularsecurityinmainframeenvironments.

JohnPinkowski

CATechnologies


Agenda

CASECAUTRESOURCECLASS

NEWGENCERTGRANULARITYCONTROLS

1

2


WhatIsCASECAUT?


TheCASECAUTResource

§ CAACF2r15introducedthenewpre=definedresorruce clas ofCASECAUT.TheinternalCLASSMAPrecordwithTYPE=AUT.

§ CATopSecretr15introducedthenewresourcedefinitiontable(RDT)classofCASECAUT.


TheCASECAUTResource

§ Supplementsexistingadministrativeauthoritiesbyprovidingtheabilitytoauthorizeuserstoperformadministrativefunctionsoverpasswords,passwordfields,andcertificateswithoutaddinganyhigh-levelprivilegestotheuser.

§ Togranularlycontroladministrativefunctionsinordertopreventusersfromperformingadministrationtasksthattheyshouldnotbeauthorizedtodo.Forinstance,modifyingthepasswordsforuserID’soutsideoftheirscope,likeahigh-levelsecurityadmin.Conversely,CASECAUTcanbeusedtoallowcertainadministrativefunctionsforusebyanIDwhileblockingothers.Forinstance,allowingaHelp-Deskadministratortomodifyanotheruser’spassword,butnotchangeanyofthepasswordrequirements,likenumberofspecialcharactersrequired.


WhatCanIControl?


ChangingPasswordFields(CATopSecret)Thefollowingshowstheauthorizationsneededtochangepassword-relatedfields:

FieldName CASECAUTEntityName ApplicableCommandsforcmd Qualifier

ASUSPEND TSSCMD.USER.cmd.ASUSPEND REMOVE

KERBVIO TSSCMD.USER.cmd.KERBVIO REMOVE

NOPW TSSCMD.USER.cmd.NOPW CREATE,ADDTO,orREMOVE

NOPWCHG TSSCMD.USER.cmd.NOPWCHG CREATE,ADDTO,orREMOVE

PASSWORD TSSCMD.USER.cmd.PASSWORD CREATE,ADDTO,orREPLACE

PHRASE TSSCMD.USER.cmd.PHRASE CREATE,ADDTO,orREPLACE

PSUSPEND TSSCMD.USER.cmd.PSUSPEND ADDTOorREMOVE

SUSPEND TSSCMD.USER.cmd.SUSPEND CREATE,ADDTO,orREMOVE

VSUSPEND TSSCMD.USER.cmd.VSUSPEND ADDTOorREMOVE

XSUSPEND TSSCMD.USER.cmd.XSUSPEND ADDTOorREMOVE


NEWPWRestrictions(CATopSecret)ThefollowingshowstheauthorizationsneededtobypassPWADMINNEWPWrestrictions:

FieldName CASECAUTEntityName ApplicableCommandsforcmd Qualifier

PASSWORD(newpw) TSSCMD.USER.cmd.PWADMIN.NO CREATE,ADDTO,orREPLACE

PASSWORD(newpw) TSSCMD.USER.cmd.PWADMIN.EXP CREATE,ADDTO,orREPLACE

PASSWORD(newpw) TSSCMD.USER.cmd.PWADMIN.INT CREATE,ADDTO,orREPLACE

PASSWORD(newpw) TSSCMD.USER.cmd.PWADMIN.ZEROINT CREATE,ADDTO,orREPLACE

PASSWORD(newpw) TSSCMD.USER.cmd.PWADMIN.HISTBYP ADDTOorREPLACE


DigitalCertificateandKeyringCommands(CATopSecret)Thefollowingshowstheauthorizationsneededtoissuedigitalcertificateandkeyring-relatedcommands:

Command CASECAUTEntityName

ADD TSSCMD.CERTUSER.ADDTO

CHKCERT TSSCMD.CERTUSER.CHKCERT

EXPORT TSSCMD.CERTUSER.EXPORT

GENCERT TSSCMD.CERTUSER.GENCERT

GENREQ TSSCMD.CERTUSER.GENREQ

P11TOKEN TSSCMD.DIGTCRT.P11TOKEN.tokencmd

REKEY TSSCMD.CERTUSER.REKEY

REMOVE TSSCMD.CERTUSER.REMOVE

ROLLOVER TSSCMD.CERTUSER.ROLLOVER


RunningUtilities(CATopSecret)ThefollowingshowstheauthorizationsneededtoexecuteTSSbatchutilities:

Utility CASECAUTEntityName

TSSXTEND CASECAUT(TSSUTILITY.TSSXTEND)

TSSFAR CASECAUT(TSSUTILITY.TSSFAR)

TSSAUDIT CASECAUT(TSSUTILITY.TSSAUDIT)

TSSCHART CASECAUT(TSSUTILITY.TSSCHART)

TSSUTIL CASECAUT(TSSUTILITY.TSSUTIL)

TSSSIM CASECAUT(TSSUTILITY.TSSSIM)

TSSCFILE CASECAUT(TSSUTILITY.TSSCFILE)

TSSTRACK CASECAUT(TSSUTILITY.TSSTRACK)


ControllingPassword/PasswordFieldAdministration(CAACF2)FieldName CASECAUTResource Name

PASSWORD ACFCMD.USER.PASSWORD

PWPHRASE ACFCMD.USER.PWPHRASE

PWP-VIO ACFCMD.USER.PWP-VIO

PSWD-VIO ACFCMD.USER.PSWD-VIO

PSEDCVIO ACFCMD.USER.PSWDCVIO

KERB-VIO ACFCMD.USER.KERB-VIO

CANCEL ACFCMD.USER.CANCEL

SUSPEND ACFCMD.USER.SUSPEND


ControllingCertificateAdministration(CAACF2)Certificate Command Resource Names

CHKCERT ACFCMD.DIGTCERT.CHKCERT

CHANGE ACFCMD.DIGTCERT.ALTER

CONNECT ACFCMD.DIGTCERT.CONNECT

DELETE ACFCMD.DIGTCERT.DELETE

EXPORT ACFCMD.DIGTCERT.EXPORT

EXPORT (KEYRING) ACFCMD.DIGTCERT.EXPORTKEY

GENCERT ACFCMD.DIGTCERT.GENCERT

GENREQ ACFCMD.DIGTCERT.GENREQ



INSERT ACFCMD.DIGTCERT.ADD

INSERT (CERTMAP) ACFCMD.DIGTCERT.ADDMAP

INSERT (KEYRING) ACFCMD.DIGTCERT.ADDRING

LIST ACFCMD.DIGTCERT.LIST

P11TOKEN BIND ACFCMD.DIGTCERT.P11TOKEN.BIND

P11TOKEN IMPORT ACFCMD.DIGTCERT.P11TOKEN.IMPORT

P11TOKEN UNBIND No CASECAUT auth’s required.

REKEY ACFCMD.DIGTCERT.REKEY



REMOVE ACFCMD.DIGTCERT.REMOVE

RENEW ACFCMD.DIGTCERT.RENEW

ROLLOVER ACFCMD.DIGTCERT.ROLLOVER


NewGENCERTGranularitycontrols


GranularCertificateAdministrationToTurnOn/OffGranularAdministration


GranularCertificateAdministration

§ NewCertificate/KeyringAdministration– UseRDATALIBclass– Accessisgiventospecificcertificate/keyring– Rulescanbemasked– Scopingcanbeusedtorestrictaccessfurther– SimilarrulesusedbyR_datalibcallableservice(DataPut,DataRemove)


Questions?


RecommendedSessionsSESSION# TITLE DATE/TIME/ROOM

MFX119S EncryptionandHashingandKeys– Oh,my! 11/16/2016at1:45pmJasmineE

MFX118S HowisBuyingaHomeLikeJustifyingDataSecurityInvestments?DevelopingReturnonSecurityInvestment(ROSI)Analysis 11/16/2016at3:00pmJasmineE

MFX173S TheImportanceofMainframeSecurityEducation 11/16/20163:45pmJasmineE

MFX172S TheKeytoComplyingWithNewRegulationsandStandards:ComprehensiveMainframeSecurity 11/16/2016at4:30pmJasmineE

MFT174S MainframeSecurityStrategyandRoadmap:BestPracticesforProtectingMissionEssentialData 11/17/201612:45pmMainframeTheater

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/20163:00pmMainframeTheater


MustSeeTechTalksandDemos– ExpoFloor

MFT53THowCanMainframeSecuritybeMadeEasier?

11/16/2016@12:45pmMainframeTheater

MainframeSecurityandEnterpriseSecurityDemos

SCT38T SCX05EPAMThreatAnalytics

11/17/2016@4:00pmSecurityTheater

GoverningYourPrivilegedUsers

11/16/2016@3:45pmSecurityTheater


Thankyou.

Stayconnectedatcommunities.ca.com

Pre-Con Ed: CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls

Technology