Introduction to z/OS security
In today’s on demand environment, downtime is both unwelcome and costly. If your applications are not consistently available, your business can suffer. IBM System z, along with IBM software and the IBM TotalStorage® Resiliency family of offerings, provides a comprehensive set of products and solutions to help address specific business resiliency needs and to help protect your data, transactions, and the reputation of your business.
With estimates of over 80% of corporate data residing or originating on mainframes, security and data integrity are on top of the list of critical business requirements. Thus, organizations need to deliver advanced security features with an array of user identification, authentication, auditing, and administration capabilities, combined with advancements in data encryption, intrusion detection, and overall system integrity. These capabilities are designed to sustain customer-facing, high-volume transaction rates at high service levels.
In this book, we explain how IBM System z is designed with built-in security capabilities to help protect your business.
Traditionally, when we think of security, we often think of home security—keeping the doors closed and locked, controlling access by limiting the number and distribution of keys, installing burglar alarms to detect physical intrusion, and installing smoke and carbon monoxide alarms to detect intrusion by other harmful substances. In many ways, IT security works in a similar fashion. You need systems that are designed to control access to the system, to detect and prevent intrusion into the system by unauthorized users, and to protect the system from corruption by unauthorized programs and viruses. In other words, you need to close and lock the doors and install a rigid and comprehensive set of fences and alarms to help protect against various types of intrusion.
This chapter provides a brief overview of z/OS basic security and the additional Security Services under z/OS. z/OS security services comprise a variety of security-related products, grouped into three elements that we explain in detail in the following chapters:
Integrated security services:
1.1 z/OS basic security facilities
Figure 1-1 z/OS basic security facilities
z/OS operating system
The operating system z/OS is designed, implemented, and maintained to protect itself against unauthorized access, so that the security controls specified for the system cannot be compromised. Thus, there is no way for any unauthorized program, using any system interface, defined or undefined, to:
Bypass store or fetch protection
Bypass the operating system password, VSAM password, or z/OS Security Server Resource Access Control Facility (RACF) checking
Obtain control in an authorized state
Program properties table
The program properties table (PPT) contains a list of programs that require special attributes. Among other things, the special attributes specify whether the programs can or cannot bypass security protection (password protection and RACF) and whether they run in a system key.
Programs with the NOPASS parameter are able to bypass password protection for password-protected data sets and, thus, also bypass all RACF protection for RACF-protected resources.
The system key parameter indicates whether the program is authorized to run in a system key (keys 0 through 7) and is thus able to bypass system security controls.
 
Important: You need to verify that only those programs that are authorized to bypass password protection are, in fact, able to do so. Such programs are normally communication and database control programs or other system control programs. You can also verify that only those programs that need to run in a system key are authorized to do so.
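The check that the note above asks for can be scripted. The following is an added example, not code from the Redbook or from IBM: it parses a constructed sample of PPT statements written in the style of SYS1.PARMLIB(SCHEDxx), then flags every program that has NOPASS or a system key (0-7) without appearing on an installation-maintained allow list. The sample entries, the allow lists, and the exact keyword syntax and default key value are assumptions made for this example.

```python
import re

# Constructed sample in the style of SCHEDxx PPT statements (assumed syntax;
# the program names and attributes are invented for this example).
SAMPLE_SCHEDXX = """\
/* constructed example, not a real installation's parmlib member */
PPT PGMNAME(IEFIIC)  KEY(0) NOSWAP PRIV SYST NOPASS
PPT PGMNAME(DFHSIP)  KEY(8) NOSWAP NOPASS         /* CICS region */
PPT PGMNAME(MYAPP01) KEY(8) PASS
PPT PGMNAME(VENDORX) KEY(2) NOPASS
"""

# Programs the installation has reviewed and approved for each privilege
# (constructed allow lists; a real review would maintain these elsewhere).
APPROVED_NOPASS = {"IEFIIC", "DFHSIP"}
APPROVED_SYSKEY = {"IEFIIC"}

DEFAULT_KEY = 8  # assumed default when KEY() is omitted

STMT_RE = re.compile(r"^\s*PPT\s+(?P<body>.*)$")
KEYWORD_RE = re.compile(r"(?P<kw>[A-Z]+)(?:\((?P<val>[^)]*)\))?")


def strip_comments(text):
    """Remove /* ... */ comments, which may span lines."""
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.S)


def parse_ppt(text):
    """Return one dict per PPT statement with name, key and NOPASS flag."""
    entries = []
    for line in strip_comments(text).splitlines():
        m = STMT_RE.match(line)
        if not m:
            continue
        attrs = {}
        for kw, val in KEYWORD_RE.findall(m.group("body")):
            attrs[kw] = val if val else True
        name = attrs.pop("PGMNAME", None)
        if name is None:
            continue
        key = int(attrs["KEY"]) if "KEY" in attrs else DEFAULT_KEY
        entries.append({"name": name, "key": key,
                        "nopass": "NOPASS" in attrs, "attrs": attrs})
    return entries


def audit_ppt(entries, approved_nopass, approved_syskey):
    """Flag privileges that are granted but not on the approved lists."""
    findings = []
    for e in entries:
        if e["nopass"] and e["name"] not in approved_nopass:
            findings.append((e["name"], "NOPASS not approved"))
        if 0 <= e["key"] <= 7 and e["name"] not in approved_syskey:
            findings.append((e["name"], "system key %d not approved" % e["key"]))
    return findings


if __name__ == "__main__":
    for name, reason in audit_ppt(parse_ppt(SAMPLE_SCHEDXX),
                                  APPROVED_NOPASS, APPROVED_SYSKEY):
        print("%-8s %s" % (name, reason))
```

Run against the sample, only VENDORX is reported, once for NOPASS and once for KEY(2); the approved system programs and the key-8, PASS application produce no findings.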
Authorized program facility
Authorized program facility (APF) is a feature that allows system and user programs to use sensitive system functions. To authorize a program, the following steps are required:
1. The program load module must be marked as authorized by the binder or have the APF indicator if the program resides in a UNIX System Services file system.
2. If loaded from a load module library, the load library must be flagged as authorized.
3. When the program is fetched, no non-authorized library can be part of the JOBLIB or STEPLIB concatenation.
Authorized programs
Many system functions are sensitive (for example, restricted SVCs). Therefore, these sensitive functions can be used only by authorized programs. A program is authorized if one of the following conditions is true:
The program runs in supervisor state (bit 15 in the PSW is 0).
The program runs in a system protection key (bits 8-11 in the PSW contain key 0-7).
The program runs as part of an authorized job step task (JSCBAUTH=1). This bit is set if the initial program is marked AC=1 and is loaded from an APF-authorized library or from the LPA.
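The three conditions above, together with the APF rules in the preceding section, can be written down as a small decision model. The following is an added example, not code from the Redbook or from IBM, and it only models the rules as the text states them: it decodes the PSW state bit and key using IBM's left-to-right bit numbering (bit 0 is the most significant bit of the 64-bit value assumed here), derives JSCBAUTH from the AC attribute, the load source and the STEPLIB/JOBLIB concatenation, and combines them. The APF list and library names are constructed for the example.

```python
# IBM numbers PSW bits from the left: bit 0 is the most significant bit.
# The functions below take the first 64 bits of the PSW as a Python int
# (assumption made for this example).
PSW_WIDTH = 64

# Constructed APF list; real installations define it in PROGxx/IEAAPFxx.
APF_LIST = {"SYS1.LINKLIB", "SYS1.MIGLIB", "PROD.AUTH.LOADLIB"}


def psw_bit(psw, n):
    """Value of PSW bit n in IBM numbering (0 = leftmost)."""
    return (psw >> (PSW_WIDTH - 1 - n)) & 1


def psw_key(psw):
    """PSW key from bits 8-11."""
    return (psw >> (PSW_WIDTH - 12)) & 0xF


def in_supervisor_state(psw):
    # Bit 15 is the problem-state bit: 0 means supervisor state.
    return psw_bit(psw, 15) == 0


def in_system_key(psw):
    # Keys 0-7 are system keys.
    return psw_key(psw) <= 7


def job_step_authorized(ac, source, concatenation, apf_list):
    """Model JSCBAUTH for the initial program of a job step.

    ac: the module's AC attribute (1 = marked authorized by the binder).
    source: "LPA" or "LIBRARY" (loaded from a JOBLIB/STEPLIB concatenation).
    concatenation: data set names in the JOBLIB/STEPLIB concatenation.
    """
    if ac != 1:
        return False
    if source == "LPA":
        return True
    # Every library in the concatenation must be APF-authorized; one
    # unauthorized library makes the whole concatenation unauthorized.
    return len(concatenation) > 0 and all(lib in apf_list for lib in concatenation)


def is_authorized(psw, jscbauth):
    """A program is authorized if any one of the three conditions holds."""
    return in_supervisor_state(psw) or in_system_key(psw) or bool(jscbauth)


def describe(psw, jscbauth):
    """Return the individual conditions and the overall decision."""
    return {
        "supervisor_state": in_supervisor_state(psw),
        "key": psw_key(psw),
        "system_key": in_system_key(psw),
        "jscbauth": bool(jscbauth),
        "authorized": is_authorized(psw, jscbauth),
    }


if __name__ == "__main__":
    problem_state_key8 = (8 << 52) | (1 << 48)   # key 8, bit 15 = 1
    steplib = ["SYS1.LINKLIB", "USER.LOADLIB"]   # second library not in APF list
    auth = job_step_authorized(1, "LIBRARY", steplib, APF_LIST)
    print(describe(problem_state_key8, auth))
```

The last lines show the usual case in which checks fail: an AC=1 module in a STEPLIB that mixes an APF-authorized library with an unauthorized one gives JSCBAUTH=0, and in problem state with key 8 the program is therefore not authorized.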
System authorization facility
The system authorization facility (SAF) is part of the operating system and is available whether or not an additional security product such as RACF is installed. The various resource managers call SAF. If a security product is installed, the SAF router passes the request to that product and returns its answer to the resource manager. SAF thus forms the interface between the resource managers and the security product. The final decision on whether access is granted is made by the resource manager, not by SAF or the security product. See also “System Authorization Facility (SAF)” on page 21.
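The division of labour described above, between resource manager, SAF router and security product, is easiest to see in a small simulation. The following is an added example, not code from the Redbook or from IBM: a stand-in security product answers with SAF-style return codes (0 accept, 4 no decision, 8 reject; the values and the profile format are assumptions for this example), the router forwards the request only when a product is installed, and the resource manager alone decides what to do when it receives "no decision". The profiles, users and data set names are constructed.

```python
# SAF-style return codes as assumed for this example: 0 = accept,
# 4 = no decision (no product active or no profile covers the resource),
# 8 = reject.
SAF_ACCEPT, SAF_NO_DECISION, SAF_REJECT = 0, 4, 8

# Access levels in increasing order (RACF-style names).
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed profiles: resource name -> access list; "UACC" is the
# universal access used for users not listed explicitly.
PROFILES = {
    "PAYROLL.MASTER": {"ALICE": "UPDATE", "UACC": "NONE"},
    "PUBLIC.DOCS": {"UACC": "READ"},
}


def rank(level):
    return ACCESS_LEVELS.index(level)


class SecurityProduct:
    """Stand-in for RACF: answers the question, and logs every attempt."""

    def __init__(self, profiles):
        self.profiles = profiles
        self.log = []  # (user, resource, access, return code)

    def auth(self, user, resource, access):
        profile = self.profiles.get(resource)
        if profile is None:
            return SAF_NO_DECISION  # resource is not protected
        granted = profile.get(user, profile.get("UACC", "NONE"))
        rc = SAF_ACCEPT if rank(granted) >= rank(access) else SAF_REJECT
        self.log.append((user, resource, access, rc))
        return rc


class SAF:
    """The router: forwards to the product if one is installed."""

    def __init__(self, product=None):
        self.product = product

    def racroute_auth(self, user, resource, access):
        if self.product is None:
            return SAF_NO_DECISION
        return self.product.auth(user, resource, access)


class DataSetManager:
    """A resource manager: it asks SAF, but it makes the final decision."""

    def __init__(self, saf, allow_unprotected):
        self.saf = saf
        # Installation policy for resources with no profile (RC 4).
        self.allow_unprotected = allow_unprotected

    def open(self, user, dsn, access):
        rc = self.saf.racroute_auth(user, dsn, access)
        if rc == SAF_ACCEPT:
            return True
        if rc == SAF_REJECT:
            return False
        return self.allow_unprotected  # "no decision" is decided here


if __name__ == "__main__":
    racf = SecurityProduct(PROFILES)
    dsm = DataSetManager(SAF(racf), allow_unprotected=False)
    for user, dsn, access in [("ALICE", "PAYROLL.MASTER", "READ"),
                              ("BOB", "PAYROLL.MASTER", "READ"),
                              ("BOB", "TEMP.SCRATCH", "UPDATE")]:
        print(user, dsn, access, "->", dsm.open(user, dsn, access))
```

With the product installed, ALICE reads PAYROLL.MASTER and BOB is rejected; TEMP.SCRATCH has no profile, so the product returns "no decision" and the resource manager's own policy settles it. With no product installed at all, every request comes back as "no decision", which is why the resource manager's default for that case matters.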
Auditing
z/OS has the following basic functions that provide information useful for auditing purposes:
Logs (hardcopy and system)
Generalized trace facility (GTF)
System management facility (SMF)
1.2 z/OS Security Server Components
Figure 1-2 z/OS Security Server components
z/OS Security Server RACF
Prior to z/OS V1R5, the z/OS Security Server consisted of several components. Now, RACF is the only component.
The z/OS Security Server RACF is an optionally priced feature that allows an installation to control access to protected resources.
RACF helps meet your needs for security by providing the ability to:
Identify and verify users
Authorize users to access the protected resources
Control the means of access to resources
Log and report attempts to access protected resources
Administer security to meet an installation’s security goals
RACF provides these functions when the installation defines the users and the resources to be protected.
1.3 Integrated Security Services components
Figure 1-3 Integrated Security Services components
Integrated Security Services
The basic security functions are shipped as two separate parts:
The Security Server (that is RACF)
The Integrated Security Services
The Integrated Security Services consists of the components described in the remainder of this section.
LDAP Server
The LDAP function was shipped originally as the base function of the z/OS Directory Server. A new base element, IBM Tivoli® Directory Server for z/OS, was introduced in z/OS V1R8. It contains a rewritten LDAP server, an LDAP client, and LDAP client utilities. The LDAP server in Integrated Security Services continues to exist in V1R8 and later. However, the LDAP client and LDAP client utilities do not. In V1R8 and later, they are only in IBM Tivoli Directory Server for z/OS.
The LDAP server is required to maintain information about Public Key Infrastructure (PKI) Services certificates in a centralized location. The z/OS LDAP server is preferred, but you can use a non-z/OS LDAP server if it can support the object classes and attributes that PKI Services requires. Typical PKI Services usage requires an LDAP directory server that supports the LDAP (Version 2) protocol (and the PKIX schema), such as the z/OS LDAP server. If you intend to use the z/OS LDAP server, you must configure it to use the TDBM back end. We explain LDAP in more detail in Chapter 6, “LDAP” on page 283.
Network Authentication Service
Network Authentication Service for z/OS provides Kerberos security services without requiring that you purchase or use a middleware product such as Distributed Computing Environment (DCE). These services include native Kerberos application programming interface (API) functions, as well as the Generic Security Service Application Programming Interface (GSS-API) functions. Network Authentication Service uses the DES algorithm for encryption. Before z/OS V1R2, this component was named Network Authentication and Privacy Service.
Enterprise Identity Mapping (EIM)
This component allows you to map a user’s identity on one system to the user’s identity on another system. Chapter 7, “EIM” on page 357 provides more information about this topic.
Open Cryptographic Enhanced Plug-ins (OCEP)
OCEP provides an application interface for managing server certificates and also helps protect server private keys in a uniform and secure way. Applications that comply with the Common Data Security Architecture (CDSA) standard interfaces can use OCEP. Open Cryptographic Services Facility (OCSF), a base z/OS element, provides these interfaces. Application developers and independent software vendors using OCEP can find it easier to develop and port applications to the System z platform. It helps customers apply consistent security rules to e-business applications that use digital certificates and helps protect server private keys.
DCE Security Server
DCE Base Services is an exclusive base element that provides services for developing and running client/server applications, including remote procedure call, directory, security, and distributed time services. DCE Base Services uses the limited DES algorithm for encryption. This element is at the Open Group Open Software Foundation (OSF) DCE 1.2.2 level.
 
Note: The Firewall Technologies component was removed from the system with z/OS V1R8.
1.4 Cryptographic Services
Cryptographic Services
Cryptography is the transformation of data to conceal its meaning. In z/OS, the base element Cryptographic Services provides the following cryptographic functions:
Data secrecy
Data integrity
Personal identification
Digital signatures
The management of cryptographic keys
This base element supports keys as long as 56 bits. Keys longer than 56 bits are supported by the optional feature z/OS Security Level 3.
Chapter 5, “Cryptographic Services” on page 237 provides more information about cryptography.
Integrated Cryptographic Service Facility
Integrated Cryptographic Service Facility (ICSF) provides application programs with callable service interfaces to support the encryption and decryption of data using the cryptographic hardware in the IBM System z servers. ICSF adds support for callers running in 64-bit addressing mode.
The application calls ICSF for a cryptographic function and provides the data to be processed along with the cryptographic key to be used.
ICSF drives the cryptographic operations at the coprocessors and transmits and receives the processed data and the encrypted application key. Access to ICSF callable services and application keys can be controlled by RACF profiles.
Open Cryptographic Services Facility
Open Cryptographic Services Facility (OCSF) is the z/OS implementation of Common Data Security Architecture (CDSA) API from Intel®. OCSF actually uses ICSF to get access to the cryptographic hardware coprocessor.
Public Key Infrastructure services
Digital certificates, in widespread use today, are becoming increasingly important as a means of helping to secure transactions on the Internet. As such, digital certificates add capabilities far superior to mere password protection. PKI provides a trusted infrastructure that can manage and support the use of digital certificates. PKI services are provided as part of z/OS, so you can act as your own Certificate Authority (CA). As a CA, you have the power to create, approve or reject, and manage the life cycle of digital certificates. Using PKI can represent significant savings to businesses currently purchasing digital certificates from third-party vendors.
System Secure Sockets Layer
Secure Sockets Layer (SSL) is a client-server protocol, with the client explicitly requesting an SSL communication. The client initiates the “handshake” piece of the SSL communication.
System SSL invokes the hardware cryptographic coprocessor, if present on the system, to assist in performing the asymmetric and symmetric cryptographic algorithms.