ZCONN1: WebSphere Application Server Liberty Profile z/OS: z/OS Connect Security
© 2014 IBM Corporation, IBM Advanced Technical Skills
Sep 25, 2018

Page 1: z/OS Connect Security (title slide: ZCONN1, WebSphere Application Server Liberty Profile z/OS, IBM Advanced Technical Skills, © 2014 IBM Corporation)

Page 2: Agenda

● Overview of z/OS Connect Security: security features for designers and architects.

● Securing our Lab Implementation: details for the security administrator.

© 2014 IBM Corporation, IBM Americas Advanced Technical Skills, Gaithersburg, MD

Page 3: Big Picture View of Mobile Environment and z/OS

z/OS Connect provides the mobile environment with a secure interface to z/OS applications and data. We anticipate the following to be a common architectural model:

[Diagram: access clients on the Internet; firewall; DMZ with proxy servers; firewall; corporate intranet with Systems of Engagement (e.g. IBM MobileFirst Platform, WebSphere, etc.) running on Linux on System z, z/OS or other; z/OS Connect and Systems of Record (e.g. CICS, IMS, Batch) on z/OS.]

Page 4: z/OS Connect Security Features

z/OS Connect and the Liberty Profile utilize z/OS to provide mainframe quality security.

[Diagram: remote clients connect to z/OS Connect in the Liberty Profile on z/OS; the Liberty Profile uses SAF, and z/OS Connect reaches CICS, IMS and Batch.]

Remote clients include Systems of Engagement like IBM MobileFirst Platform, other mid-tier devices, or even other mainframe programs.

Page 5: z/OS Connect Security Features: Confidentiality

“Protecting the conversation between client and server.”

Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS):

● SAF keyrings and certificates: under security admin control.

● Java-based keyfiles and certificates: quick and easy.

Page 6: z/OS Connect Security Features: Authentication

“Making the client prove its identity.”

● Basic Authentication: userid/password in the HTTP header.

● Client Certificate Authentication: mapping the client's certificate to a local userid.

● LTPA Token: WebSphere credentials in a cookie.

● Trust Association Interceptor (TAI): for customized authentication solutions.

Page 7: z/OS Connect Security Features: Registries

“Where the clients are defined.”

● SAF: RACF, CA-ACF2, CA-Top Secret.

● basicRegistry: define users and groups in server.xml.

● LDAP: local or remote.

Page 8: z/OS Connect Security Features: Authorization

“Controlling what the authenticated client can do.”

● EJBROLE: to use z/OS Connect.

● APPL: to use z/OS Connect.

● Authorization Interceptor: using groups for finer grained authority.

Page 9: z/OS Connect Security Features: Authorization

“Controlling what z/OS Connect and CICS can do.”

● SERVER: for the Liberty Profile to use z/OS authorized services, e.g. SAF authorization, WOLA, etc.

● CBIND: for CICS to register with z/OS Connect's WOLA.

Page 10: z/OS Connect Security Features: Propagation

“What identity is passed to CICS?”

● The CICS Link Server task.

● The remote client.

● An identity asserted by the remote client.

Page 11: z/OS Connect Security Features: Audit

“What record is there of security events?”

● Liberty log files.

● SMF type 80: authentication and authorization (EJBROLE, CBIND, APPL, TCICSTRN, SURROGAT).

Page 12: A Sample Security Scenario

Security requirements vary based upon the nature of the application. This diagram might serve as a starting point for further discussion.

[Diagram: the page 3 architecture with SSL on every hop. The DMZ auth/proxy servers are IBM® Security Access Manager for Web and IBM® Security Access Manager for Mobile; the legend distinguishes the hops that use a client certificate, an ID/password and an LTPA token.]

Page 13: Securing our Lab Implementation (section title)

Page 14: The RACF Commands from Unit 2 Lab

● In Unit 2 Lab you defined the Server and Angel userids and a guest userid, and groups to own them.

● USER1.WAS.CNTL(ZCRACF1):

ADDGROUP LIBGRP OMVS(AUTOGID) OWNER(SYS1)
ADDGROUP WSGUESTG OMVS(AUTOGID) OWNER(SYS1)
ADDUSER LIBANGE DFLTGRP(LIBGRP) OMVS(AUTOUID HOME(/u/libange/) -
    PROGRAM(/bin/sh)) NAME('LIBERTY ANGEL') NOPASSWORD NOOIDCARD
ADDUSER LIBSERV DFLTGRP(LIBGRP) OMVS(AUTOUID HOME(/u/libserv/) -
    PROGRAM(/bin/sh)) NAME('LIBERTY SERVER')
ALTUSER LIBSERV PASSWORD(LIBSERV) NOEXPIRED
ADDUSER FRED DFLTGRP(LIBGRP) OMVS(AUTOUID HOME(/u/fred/) -
    PROGRAM(/bin/sh)) NAME('USER FRED')
ADDUSER WSGUEST RESTRICTED DFLTGRP(WSGUESTG) OMVS(AUTOUID -
    HOME(/u/wsguest) PROGRAM(/bin/sh)) NAME('UNAUTHENTICATED USER') -
    NOPASSWORD NOOIDCARD

Page 15: Liberty Profile Started Tasks

The Liberty Profile consists of one or more servers and optionally one Angel.

Angel: The Angel Process runs in an authorized key and provides facilities to Liberty Server Processes to load and access z/OS system services in a way that protects the integrity of the operating system. The Angel provides SAF controlled access to z/OS services.

Server: The Liberty Server is where z/OS Connect runs. Applications like z/OS Connect may need access to z/OS system services like SAF, WLM, dump, and WOLA. Access is not the default.

Page 16: The RACF Commands from Unit 2 Lab (continued)

● You also assigned the Server and Angel userids to the started procedures.

RDEFINE STARTED BBGZSRV.* UACC(NONE) -
    STDATA(USER(LIBSERV) GROUP(LIBGRP) -
    PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE STARTED BBGZANGL.* UACC(NONE) -
    STDATA(USER(LIBANGE) GROUP(LIBGRP) -
    PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
SETROPTS RACLIST(STARTED) REFRESH

● After you built the server, you made LIBSERV a PROTECTED userid.

ALTUSER LIBSERV NOPASSWORD NOOIDCARD

Page 17: The RACF Commands from Unit 3 Lab

● In Unit 3 Lab you permitted the Liberty Server to use several z/OS authorized services protected by SERVER class profiles.

● USER1.WAS.CNTL(ZCRACF2):

RDEFINE SERVER BBG.ANGEL UACC(NONE) OWNER(SYS1)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSAFM -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)

Page 18: The RACF Commands from Unit 3 Lab (continued)

● SERVER class profiles control the use of the Angel, SAF, WLM, RRS, SVC dump, the security prefix and WOLA.

RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.SECPFX.BBGZDFLT UACC(NONE)
PERMIT BBG.SECPFX.BBGZDFLT -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)

Page 19: The RACF Commands from Unit 3 Lab (continued)

● An EJBROLE protects z/OS Connect.

RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSCFM -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSCFM.WOLA UACC(NONE) OWNER(SYS1)
PERMIT BBG.AUTHMOD.BBGZSCFM.WOLA -
    CLASS(SERVER) ACCESS(READ) ID(LIBSERV)
SETROPTS RACLIST(SERVER) REFRESH
RDEFINE EJBROLE ** OWNER(SYS1) UACC(NONE)
PERMIT ** CLASS(EJBROLE) RESET
SETROPTS RACLIST(EJBROLE) REFRESH

Page 20: The RACF Commands from Unit 3 Lab (continued)

● A CBIND profile controls which CICS Listener Tasks can register with WOLA. An APPL profile protects z/OS Connect.

RDEFINE CBIND BBG.WOLA.GROUP.NAME2.NAME3 UACC(NONE) OWNER(SYS1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(USER1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(CICSX)
SETROPTS RACLIST(CBIND) REFRESH
RDEFINE APPL BBGZDFLT UACC(NONE) OWNER(SYS1)
PERMIT BBGZDFLT CLASS(APPL) RESET
PERMIT BBGZDFLT CLASS(APPL) ACCESS(READ) ID(WSGUEST)
RALT APPL BBGZDFLT UACC(READ)
SETROPTS RACLIST(APPL) REFRESH

Page 21: WebSphere Optimized Local Adapter (WOLA) Security

server.xml:

...
<zosLocalAdapters wolaGroup="GROUP" wolaName2="NAME2" wolaName3="NAME3" />
...

The Liberty Profile defines the WOLA adapter in the server.xml. The WOLA adapter is protected by a CBIND profile in RACF, and the CBIND profile name is based on the WOLA definition. The Link Server task ID of the CICS partners must be permitted to use the adapter; the Link Server task ID is the userid which starts the Link Server task.

RACF commands:

RDEFINE CBIND BBG.WOLA.GROUP.NAME2.NAME3 UACC(NONE) OWNER(SYS1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(USER1)
PERMIT BBG.WOLA.GROUP.NAME2.NAME3 CLASS(CBIND) ACCESS(READ) ID(CICSX)
SETROPTS RACLIST(CBIND) REFRESH

[Diagram: z/OS Connect in the Liberty Profile connected to CICS over WOLA.]

Page 22: Hardening z/OS Connect with SAF security

● A SAF keyring/cert for SSL/TLS.

● SAF as the User Registry.

● Enabling Basic or Client Certificate Authentication.

● An EJBROLE to protect z/OS Connect.

● The Authorization Interceptor.

● Passing an Identity to CICS.

Page 23: Using a SAF keyring/cert for SSL/TLS

SAF keyrings are under the control of the SAF administrator.

server.xml:

<featureManager>
  ...
  <feature>ssl-1.0</feature>
</featureManager>
...
<keyStore id="defaultKeyStore" password="Liberty"/>
...
<sslDefault sslRef="DefaultSSLSettings" />
<ssl id="DefaultSSLSettings" keyStoreRef="CellDefaultKeyStore" trustStoreRef="CellDefaultTrustStore"
     clientAuthenticationSupported="false" clientAuthentication="false"/>
<keyStore id="CellDefaultKeyStore" location="safkeyring:///Keyring.LIBERTY" password="password"
     type="JCERACFKS" fileBased="false" readOnly="true" />
<keyStore id="CellDefaultTrustStore" location="safkeyring:///Keyring.LIBERTY" password="password"
     type="JCERACFKS" fileBased="false" readOnly="true" />

Keyring listing (RACDCERT LISTRING output):

Digital ring information for user LIBSERV:
  Ring:
       >Keyring.LIBERTY<
  Certificate Label Name             Cert Owner     USAGE
  --------------------------------   ------------   --------
  DefaultCert.LIBERTY                ID(LIBSERV)    PERSONAL
  LibertyCA.LIBERTY                  CERTAUTH       CERTAUTH

The Server (LIBSERV) owns the keyring.

Page 24: Using SAF as the User Registry

server.xml:

<featureManager>
  ...
  <feature>zosSecurity-1.0</feature>
</featureManager>
...
<basicRegistry id="basic1" realm="zosConnect">
  <user name="Fred" password="fredpwd" />
</basicRegistry>
<authorization-roles id="zos.connect.access.roles">
  <security-role name="zosConnectAccess"><user name="Fred"/></security-role>
</authorization-roles>
...
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT" />

safRegistry uses the SAF database to authenticate clients.

safAuthorization uses the SAF database for role checking using the EJBROLE class.

unauthenticatedUser="WSGUEST" uses the SAF userid WSGUEST for unauthenticated requests.

profilePrefix="BBGZDFLT" prefixes EJBROLE profile checks with BBGZDFLT.

The profilePrefix value will also be used as the APPL name for the server. The unauthenticatedUser userid must have READ access to the APPL name.

Page 25: Enabling Basic or Client Certificate Authentication

server.xml:

...
<webAppSecurity allowFailOverToBasicAuth="true" />
...
<sslDefault sslRef="DefaultSSLSettings" />
<ssl id="DefaultSSLSettings" keyStoreRef="CellDefaultKeyStore" trustStoreRef="CellDefaultTrustStore"
     clientAuthenticationSupported="false" clientAuthentication="false"/>
<keyStore id="CellDefaultKeyStore" location="safkeyring:///Keyring.LIBERTY" password="password"
     type="JCERACFKS" fileBased="false" readOnly="true" />
<keyStore id="CellDefaultTrustStore" location="safkeyring:///Keyring.LIBERTY" password="password"
     type="JCERACFKS" fileBased="false" readOnly="true" />

clientAuthenticationSupported="true": the server prompts for a client cert in the SSL handshake.

clientAuthentication="true": requires that the client have a client cert, or the SSL handshake will fail and the conversation ends.

allowFailOverToBasicAuth="true": the server reverts to the userid/password prompt if clientAuthentication="false" or the client has no certificate.

[Diagram: z/OS Connect asks the client “Client cert, please.”; a client without a certificate answers “Huh?”]

Page 26: An EJBROLE to protect z/OS Connect

server.xml:

<featureManager>
  ...
  <feature>zosSecurity-1.0</feature>
</featureManager>
...
<authorization-roles id="zos.connect.access.roles">
  <security-role name="zosConnectAccess"><user name="Fred"/></security-role>
</authorization-roles>
...
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT" />

The z/OS Connect application requires that the user have the role zosConnectAccess.

The default profilePrefix="BBGZDFLT".

The default profile pattern is: %profilePrefix%.%resource%.%role%.

This makes the EJBROLE name: BBGZDFLT.zos.connect.access.roles.zosConnectAccess

To change the profile pattern, see the next slide.

RACF commands:

RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess -
    OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) -
    ID(FRED) ACCESS(READ)

Page 27: Controlling the EJBROLE profile pattern

server.xml:

<featureManager>
  ...
  <feature>zosSecurity-1.0</feature>
</featureManager>
...
<safRegistry id="saf" />
<safAuthorization id="saf" />
<safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT" />
<safRoleMapper profilePattern="%profilePrefix%.%role%" toUpperCase="false" />

The safRoleMapper statement specifies the EJBROLE profile pattern.

The default profile pattern: %profilePrefix%.%resource%.%role%.

The default EJBROLE profile: BBGZDFLT.zos.connect.access.roles.zosConnectAccess

You can control the profile pattern, for example:

RACF commands:

RDEFINE EJBROLE BBGZDFLT.zosConnectAccess OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.zosConnectAccess CLASS(EJBROLE) ID(xxxx) ACCESS(READ)

Page 28: The EJBROLE as front door

● The zosConnectAccess EJBROLE protects the “front door” to z/OS Connect.

● But more access granularity is needed.

RACF commands:

RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess -
    OWNER(SYS1) UACC(NONE)
PE BBGZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) -
    ID(FRED) ACCESS(READ)

[Diagram: a client's request is checked against zosConnectAccess. NO: no authority. YES: authority to LIST, START, STOP, INVOKE and get STATISTICS for all RESTful Services. “All” or “Nothing”.]

Page 29: Authorization Interceptor

● Provides three levels of authority for users of your z/OS Connect services:

  ● Administrator: the authority to query services, perform operational tasks on them, and invoke them.

  ● Operations: the authority to perform tasks on services such as stop, start, etc., but no authority to invoke services.

  ● Invoke: the authority to invoke services, but no other authority.

● Represented by membership in groups named in the server.xml.

● Defined at the z/OS Connect global level or for individual services.

Page 30: Implementing the Authorization Interceptor

At the global level:

server.xml:

...
<zosConnectManager globalAdminGroup="GADMIN" globalOperationsGroup="GOPERS"
                   globalInvokeGroup="GINVOKE" globalInterceptorsRef="interceptorList_g" />
<authorizationInterceptor id="auth" />
<zosConnectInterceptors id="interceptorList_g" interceptorRef="auth,audit"/>

Users in RACF group GADMIN have Administrator authority at the global level.

Users in RACF group GOPERS have Operations authority at the global level.

Users in RACF group GINVOKE have Invoke authority at the global level.

RACF commands:

ADDGROUP GADMIN OMVS(AUTOGID)
ADDGROUP GOPERS OMVS(AUTOGID)
ADDGROUP GINVOKE OMVS(AUTOGID)
CONNECT USER1 GROUP(GADMIN)
CONNECT FRED GROUP(GINVOKE)

Page 31: Implementing the Authorization Interceptor

At the service level:

server.xml:

...
<zosConnectService id="CICS" invokeURI="/myCICSBackend" serviceName="CICS-backend"
                   dataXformRef="xformJSON2Byte" serviceRef="wolaCICS"
                   adminGroup="SADMIN" operationsGroup="SOPERS" invokeGroup="SINVOKE" />

Users in RACF group SADMIN have Administrator authority at the service level.

Users in RACF group SOPERS have Operations authority at the service level.

Users in RACF group SINVOKE have Invoke authority at the service level.

RACF commands:

ADDGROUP SADMIN OMVS(AUTOGID)
ADDGROUP SOPERS OMVS(AUTOGID)
ADDGROUP SINVOKE OMVS(AUTOGID)
CONNECT USER1 GROUP(SADMIN)
CONNECT FRED GROUP(SINVOKE)

Service level takes precedence over Global.
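As an added illustration (my own code, not IBM's and not part of the deck), the following Python models the two authorization gates described on pages 28 to 31: the all-or-nothing zosConnectAccess EJBROLE front door, then the three interceptor levels with service-level groups taking precedence over the global ones. The group names and the USER1/FRED connections are the lab's; ALICE, BOB, the IMS-backend service and the per-attribute fallback to the global groups are my assumptions.

```python
from typing import Dict, Optional, Set

# Operations each interceptor level grants.  Page 29 gives the levels; page 28
# lists the operations the front door covers (LIST, START, STOP, INVOKE, STATISTICS).
LEVEL_OPERATIONS = {
    "admin": {"LIST", "STATISTICS", "START", "STOP", "INVOKE"},
    "operations": {"START", "STOP"},
    "invoke": {"INVOKE"},
}

# (level, zosConnectService attribute, zosConnectManager attribute), most
# privileged first; the first level whose group the user is connected to wins.
LEVEL_ATTRIBUTES = (
    ("admin", "adminGroup", "globalAdminGroup"),
    ("operations", "operationsGroup", "globalOperationsGroup"),
    ("invoke", "invokeGroup", "globalInvokeGroup"),
)

def effective_groups(manager: Dict[str, str],
                     service: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Resolve which RACF group grants each level for one service.

    Page 31: service level takes precedence over global.  Assumption made
    here: precedence is per attribute, so a service naming only invokeGroup
    still inherits the global admin and operations groups.
    """
    resolved: Dict[str, str] = {}
    for level, service_attr, global_attr in LEVEL_ATTRIBUTES:
        group = service.get(service_attr) if service is not None else None
        if group is None:
            group = manager.get(global_attr)
        if group is not None:
            resolved[level] = group
    return resolved

def authority_level(user_groups: Set[str],
                    groups_by_level: Dict[str, str]) -> Optional[str]:
    """Highest interceptor level the user's RACF group connections grant."""
    for level, _, _ in LEVEL_ATTRIBUTES:
        if groups_by_level.get(level) in user_groups:
            return level
    return None

def is_authorized(user: str, operation: str, service_name: str, config: dict,
                  membership: Dict[str, Set[str]], front_door: Set[str]) -> bool:
    """Two gates in the order the deck describes them: first the all-or-nothing
    zosConnectAccess EJBROLE (page 28), then the interceptor's group check at
    the service level with fallback to the global level (pages 29 to 31)."""
    if user not in front_door:
        return False
    groups = effective_groups(config["manager"], config["services"].get(service_name))
    level = authority_level(membership.get(user, set()), groups)
    return level is not None and operation in LEVEL_OPERATIONS[level]

# Constructed from the lab's server.xml on pages 30 and 31; IMS-backend is a
# made-up service that names only an invoke group.
LAB_CONFIG = {
    "manager": {"globalAdminGroup": "GADMIN", "globalOperationsGroup": "GOPERS",
                "globalInvokeGroup": "GINVOKE"},
    "services": {
        "CICS-backend": {"adminGroup": "SADMIN", "operationsGroup": "SOPERS",
                         "invokeGroup": "SINVOKE"},
        "IMS-backend": {"invokeGroup": "SINVOKE"},
    },
}
# Constructed group connections: USER1 and FRED follow the lab's CONNECT
# commands; ALICE and BOB are invented to exercise the precedence rule.
LAB_MEMBERSHIP = {
    "USER1": {"GADMIN", "SADMIN"},
    "FRED": {"GINVOKE", "SINVOKE"},
    "ALICE": {"GOPERS"},
    "BOB": {"GINVOKE"},
}
# Userids with READ to BBGZDFLT.zos.connect.access.roles.zosConnectAccess;
# BOB is deliberately left out, so his group connection never matters.
LAB_FRONT_DOOR = {"USER1", "FRED", "ALICE"}

def lab_decision(user: str, operation: str, service_name: str = "CICS-backend") -> bool:
    """Decide one request against the constructed lab configuration."""
    return is_authorized(user, operation, service_name, LAB_CONFIG,
                         LAB_MEMBERSHIP, LAB_FRONT_DOOR)
```

ALICE shows the precedence rule: her global GOPERS connection lets her START the IMS-backend service, which names no operations group, but not CICS-backend, whose SOPERS group overrides GOPERS.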

Page 32: Passing the Client's Identity to CICS

server.xml:

...
<zosLocalAdapters useCicsTaskUserId="true" wolaGroup="GROUP" wolaName2="NAME2" wolaName3="NAME3" />
...

CICS SIP (system initialization parameters):

...
SEC=Y
XTRAN=YES
XUSER=YES
...

Starting the Link Server task (BBOC):

BBOC START_TRUE
BBOC START_SRVR RGN=CICSREG DGN=GROUP NDN=NAME2 SVN=NAME3 SVC=* MNC=1 MXC=10 TXN=N SEC=Y REU=N TRC=1

Annotations on the slide:

● Passes the SAF identity of the z/OS Connect client to CICS.

● CICS security enabled.

● Transactions protected.

● Link Server's userid checked for surrogate authority to the passed userid.

● CICS uses the passed userid instead of the Link Server task userid.

[Diagram: z/OS Connect in the Liberty Profile connected to CICS over WOLA.]

Page 33: RACF Checklist for Passing an Identity to CICS

● The Link Server ID needs:

  ● READ access to the CBIND profile: BBG.WOLA.GROUP.NAME2.NAME3

  ● READ access to TCICSTRN profiles BBOC and BBO$ (Link server task)

  ● READ access to SURROGAT profile <passedid>.DFHSTART

● The identity being flowed/asserted needs:

  ● READ access to TCICSTRN profile BBO# (Link invocation task)

  ● READ access to EJBROLE profile: BBGZDFLT.zos.connect.access.roles.zosConnectAccess

Time for Unit 4 Lab…
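The following added Python (my own code, not IBM's and not from the deck) derives the SAF profile names a server.xml implies and turns them into the checklist above: the CBIND name from page 21, the safRoleMapper pattern expansion from pages 26 and 27, the APPL rule from page 24 and the link server and flowed identity entries from page 33. The embedded server.xml is a constructed fragment using the lab's values; the link server userid CICSX and the passed identity FRED are the lab's; the helper names and the expansion of %resource% to the authorization-roles id are my assumptions.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

DEFAULT_PATTERN = "%profilePrefix%.%resource%.%role%"
FRONT_DOOR_ROLE = "zosConnectAccess"

# Constructed server.xml fragment using the lab's values from pages 21, 24 and 26.
SERVER_XML = """<server>
  <authorization-roles id="zos.connect.access.roles">
    <security-role name="zosConnectAccess"><user name="Fred"/></security-role>
  </authorization-roles>
  <safRegistry id="saf"/>
  <safAuthorization id="saf"/>
  <safCredentials unauthenticatedUser="WSGUEST" profilePrefix="BBGZDFLT"/>
  <zosLocalAdapters wolaGroup="GROUP" wolaName2="NAME2" wolaName3="NAME3"/>
</server>"""

def ejbrole_profile(prefix: str, resource: str, role: str,
                    pattern: str = DEFAULT_PATTERN, to_upper: bool = False) -> str:
    """Expand the safRoleMapper profilePattern placeholders (pages 26 and 27)."""
    name = (pattern.replace("%profilePrefix%", prefix)
                   .replace("%resource%", resource).replace("%role%", role))
    return name.upper() if to_upper else name

def cbind_profile(group: str, name2: str, name3: str) -> str:
    """CBIND profile name derived from the zosLocalAdapters definition (page 21)."""
    return f"BBG.WOLA.{group}.{name2}.{name3}"

def derive_checklist(server_xml: str, link_server_id: str,
                     passed_id: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (SAF class, profile, userid needing READ) triples, without duplicates."""
    root = ET.fromstring(server_xml)
    creds = root.find("safCredentials")
    prefix = creds.get("profilePrefix", "BBGZDFLT")
    guest = creds.get("unauthenticatedUser", "WSGUEST")
    mapper = root.find("safRoleMapper")  # absent: default pattern, no upper-casing
    pattern = DEFAULT_PATTERN if mapper is None else mapper.get("profilePattern", DEFAULT_PATTERN)
    to_upper = mapper is not None and mapper.get("toUpperCase", "false").lower() == "true"
    checklist: List[Tuple[str, str, str]] = []

    def need(saf_class: str, profile: str, userid: str) -> None:
        if (saf_class, profile, userid) not in checklist:
            checklist.append((saf_class, profile, userid))

    # Page 24: profilePrefix is also the APPL name, and the unauthenticated userid needs READ to it.
    need("APPL", prefix, guest)
    front_door: Optional[str] = None
    for roles in root.findall("authorization-roles"):
        for role in roles.findall("security-role"):
            # Assumption: %resource% is the authorization-roles id; this reproduces
            # the default EJBROLE name shown on page 26.
            profile = ejbrole_profile(prefix, roles.get("id"), role.get("name"), pattern, to_upper)
            if role.get("name") == FRONT_DOOR_ROLE:
                front_door = profile
            for user in role.findall("user"):
                # RACF userids are upper case: the lab permits ID(FRED) for <user name="Fred"/>.
                need("EJBROLE", profile, user.get("name").upper())
    wola = root.find("zosLocalAdapters")
    if wola is not None:
        # Pages 21 and 33: the link server task's userid needs the CBIND profile and
        # the BBOC/BBO$ transactions; a flowed identity adds SURROGAT, BBO# and the front door.
        need("CBIND", cbind_profile(wola.get("wolaGroup"), wola.get("wolaName2"),
                                    wola.get("wolaName3")), link_server_id)
        need("TCICSTRN", "BBOC", link_server_id)
        need("TCICSTRN", "BBO$", link_server_id)
        if passed_id:
            need("SURROGAT", f"{passed_id}.DFHSTART", link_server_id)
            need("TCICSTRN", "BBO#", passed_id)
            if front_door:
                need("EJBROLE", front_door, passed_id)
    return checklist

def racf_commands(checklist: List[Tuple[str, str, str]]) -> List[str]:
    """Render the checklist as RDEFINE/PERMIT commands in the lab's style."""
    commands, defined = [], set()
    for saf_class, profile, userid in checklist:
        if (saf_class, profile) not in defined:
            defined.add((saf_class, profile))
            commands.append(f"RDEFINE {saf_class} {profile} UACC(NONE) OWNER(SYS1)")
        commands.append(f"PERMIT {profile} CLASS({saf_class}) ACCESS(READ) ID({userid})")
    return commands
```

Comparing the rendered commands with what was actually issued in the lab (pages 20, 21 and 26) is a quick way to spot a profile that the server.xml needs but RACF does not yet define.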