Replacement of SMU Security KBC

1
Replacement of SMU Security _at_ KBC

• Johan Vanermen
• IMS/DB2 GSE Workgroup Meeting
• December 6, 2007

2
IMS _at_ KBC

• IMS V9
• DB/DC
• DB2 V8
• z/OS 1.7
• RACF
• No Shared Queues
• No CSL

3
Agenda

• How did KBC replace SMU ?
• Understand IMS security
• Determine which SMU security types are in use
• Work out and implement a replacement plan for
  every SMU security type
• General remarks and experiences

4
Agenda

• How did KBC replace SMU ?
• Understand IMS security
• SMU
• RACF
• IMS security parameters
• IMS security exits
• Determine which SMU security types are in use
• Work out and implement a replacement plan for
  every SMU security type
• General remarks and experiences

5
1.Understand IMS security 1. SMU

• SMU input statements describe the desired
  security
• the MATRIX tables are used by IMS

Input Statements )( CTRANS TCOMMAND )(
SIGNSTERM
IMS.MATRIX tables
SecurityMaintenanceUtility (DFSISMP0)
6
1.Understand IMS security 1. SMU

• SMU provides five security types
• LTERM security
• Defines the commands and transactions that can be
  used from a given terminal
• )( TERMINAL LTERM854
• COMMAND DISPLAY
• TRANSACT TRAN01
• Also used for
• TCO security ( TERMINAL DFSTCF(I) )
• MSC Link Receive security ( TERMINAL msname
  )
• Only for static nodes

7
1.Understand IMS security 1. SMU

• Password security
• Limits the use of a specified IMS resource to
  someone who supplies the correct password

• )( PASSWORD PSWD1
• COMMAND START
• )( PASSWORD PSWD2
• DATABASE DB1
• )( PASSWORD PSWD3
• PROGRAM PSB109
• )( PASSWORD PSWD4
• PTERM NODE871
• )( PASSWORD PSWD5
• TERMINAL LTERM001
• )( PASSWORD PSWD6
• TRANSACT PAYTRAN

8
1.Understand IMS security 1. SMU

• Resource access security (RAS)
• Limits IMS resources that can be used by
  dependent regions
• )( AGN TEST
• AGPSB DDLTBP01
• AGTRAN TRAN13
• AGLTERM DD3270L4

9
1.Understand IMS security 1. SMU

• Transaction-command security
• Limits the use of IMS commands in programs (using
  CMD call)
• )( CTRANS TRAN25
• TCOMMAND DIS
• TCOMMAND STA

10
1.Understand IMS security 1. SMU

• Signon verification security
• Requires users of nodes to first sign on before
  executing transactions or commands
• )( SIGN
• STERM NODE12
• STERM NODE14
• Only for static nodes

11
1.Understand IMS security 2. RACF

• Learn how to explore RACF
• Learn (a bit) how RACF works
• Resource classes
• Profiles and grouping profiles
• Learn how IMS uses RACF
• IMS resource classes
• No qualifying profiles resource not secured

Example transaction profiles Non-grouping
Profile (Class) Access list XTPIBH1 (TIMS) UACC
(READ) XTPIB (TIMS) user2(READ) Grouping
Profile Members (Class) Access list SYST1
XTPIB01 (GIMS) userx(READ) XTPIB02 XTPIB1
Resource Non-grouping Grouping Command
CIMS DIMS Transaction TIMS GIMS PSB
IIMS JIMS LTERM LIMS MIMS
IMS or value of RCLASS parameter
12
1.Understand IMS security 3. IMS security
parameters

• Which security types are active ?
• ? determined by resolution of IMS security
  parameters
• Security parameters can be specified (more than
  once) in
• SYSGEN macros
• IMSGEN
• COMM
• SECURITY
• PROCLIB members (DFSPBxxx, DFSDCxxx)
• EXEC parameter control region
• /NRE or /ERE COLDSYS

Example
Low
Order of precedence
NOAGN
ISIS2
ISIS1
High
13
1.Understand IMS security 3. IMS security
parameters

• Also interaction between parameters
• Example
• TERMNLYES (SECURITY macro)
• RCFN ? SMU LTERM security for commands
  and(DFSPBxxx) transactions
• RCFY ? SMU LTERM security not used for
  transactions (RACF is used)
• RCFA ? SMU LTERM security not used for
  commands and transactions (RACF is used)

Specifies that the terminal security
specifications established by the Security
Maintenance utility are in effect
14
1.Understand IMS security 4. IMS security
exits

• Some security parameters specify that an exit
  must be called
• E.g. TRANEXIT, SIGNEXIT, AGNEXIT, ISIS2,
• Interaction with IMS exits
• Example
• SMU input
• )( SIGN
• STERM ALL all nodes must sign on
• and AOI Exit
• traps IMS start completed message and resets
  signon required flag for some nodes

15
Agenda

• How did KBC replace SMU ?
• Understand IMS security
• Determine which SMU security types are in use
• Examine SMU input statements
• Interpret IMS security parameters
• Conclusion
• Work out and implement a replacement plan for
  every SMU security type
• General remarks and experiences

16
2. Which SMU security types are in use 1.
Examine SMU input statements

• Build an inventory of used SMU input statements
• Which types of statements are present ?
• including flavours of security optionse.g. TCO
  security, MSC Link Receive Security,
• Count the number of statements for each type
• Gives an idea of the replacement effort
• Can be a trigger to plan a preliminary cleanup

17
2. Which SMU security types are in use 1.
Examine SMU input statements

• Example overview of SMU input statements

18
2. Which SMU security types are in use 2.
Interpret IMS security parameters

• Example
• () if not overridden by other parameters

19
2. Which SMU security types are in use 2.
Interpret IMS security parameters

• Example after interpretation of IMS parameters

RCFA
/
RCFY
/
ISIS0
/
20
2. Which SMU security types are in use 3.
Conclusion

• SMU security types in use at KBC
• LTERM security (TERMINAL-COMMAND)
• TCO security
• Signon verification security
• Resource access security
• Transaction-command security

21
Agenda

• How did KBC replace SMU ?
• Understand IMS security
• Determine which SMU security types are in use
• Work out and implement a replacement plan for
  every SMU security type
• 0. Preliminary actions
• LTERM security
• SIGNON security
• Resource Access Security
• Transaction command security
• General remarks and experiences

22
3.Work out a replacement plan 0. Preliminary
actions

• Understand the possible methods to replace the
  different SMU security types
• Enhancements introduced in IMS V9
• Define new RACF resource classes
• IIMS, JIMS PSB
• LIMS, MIMS LTERM

23
3.Work out a replacement plan 1. LTERM security

• Terminal-command security (except TCO)
• Clean up unused static nodes
• Almost all static nodes were eliminated
• Check if the remaining LTERMs have SMU input
  statements
• There were no LTERMs left with SMU input
  statements
• ? no replacement of LTERM security needed
• Align security with dynamic nodes
• Change RCFY ? RCFA

RACF used for transaction authorisation for
static and ETO terminal command authorisation
RACF used for transaction authorisation for
ETO terminal command authorisation
24
3.Work out a replacement plan 1. LTERM security

• TCO security
• Policy
• TCO scripts reside in protected datasets.No
  further security checks are needed.
• Actions
• Specify TCORACFN (new IMS V9 parameter)
• RACF is not called for authorisation checks of
  commands in TCO scripts (requires RCFA/S/R/B)
• Note
• with TCORACFY, you need to code /SIGN ON
  tcousid tcopwd and /SIGN OFF in the script

25
3.Work out a replacement plan 1. LTERM security

• Stop loading terminal security tables from MATRIX
  dataset
• Change TERMNLYES ? TERMNL NO

26
3.Work out a replacement plan 2. SIGNON
verification security

• Actions
• Determine if all static nodes must sign on? not
  all nodes must sign on
• Specify SIGNONSPECIFIC
• new IMS V9 parameter (DFSDCxxx)
• (Note with SIGNONALL all nodes (except SLU1,
  MTO, 3284,) must sign on)
• Specify OPTIONSSIGNON in TERMINAL or TYPE macro
  of nodes that must sign on
• Ex. TYPE UNITYPE(3270,LOCAL),EDIT(),OPTIONS(
  ,SIGNON)
• Stop loading signon verification tables from
  MATRIX dataset
• Change
• RCFA ? RCFB
• SGNZ ? SGNX
• TRNY ? TRNX

Individual static terminals might be required
to sign on (terminals specified by
OPTIONSSIGNON, or by SMU )( SIGN definitions)
27
3.Work out a replacement plan 3. Resource access
security (RAS)

• Rules for RAS security
• In MPP regions
• Region userid must be authorised to use all
  transactions scheduled in the MPP region
• In BMP regions
• Region userid must be authorised to use
• PSB
• Transaction specified on IN or OUT parameter
• LTERM specified on OUT parameter

28
3.Work out a replacement plan 3. Resource access
security (RAS) A. MPP regions

• MPP regions
• RAS with SMU _at_ KBC
• ? check in RACF if region userid is allowed to
  use AGN
• ? check if transactions run in the region belong
  to AGN

MPP region Region userid STCDBMS AGNSPATP
SMU AGN TABLE )( AGN SPATP AGTRAN ALL )( AGN

?
All transactions belong to SPATP
?
RACF Class AIMS Profile SPATP Access
list STCDBMS
29
3.Work out a replacement plan 3. Resource access
security (RAS) A. MPP regions

• RAS with RACF
• Actions
• Put MPP region userids on the access list (with
  READ) of all transaction profiles in RACF

30
3.Work out a replacement plan 3. Resource access
security (RAS) B. BMP regions

• BMP regions
• RAS with SMU _at_ KBC
• ? check in RACF if region userid is allowed to
  use AGN
• ? check if resources used belong to AGN

• 2 AGN groups
• 1 for system
• 1 for business
• Automatically generated

BMP Region userid userx AGNAGNSYST
PSBPIBC3 IN XTPIBC3 OUTLTERM1
All batch PSBs with name starting with E, PI or Z
SMU AGN TABLE )( AGN AGNSYST AGPSB PIBC3
AGTRAN XTPIBC3 AGLTERM ALL )( AGN
AGNBUS AGPSB D9BBF AGTRAN JTD9BBF AGLTERM
ALL
?
?
Transactions linked to system batch PSBs
RACF Class AIMS Profile AGNSYST Access
list userx usery Profile AGNBUS Access
list userA userB
All LTERMs allowed
All other batch PSBs
Transactions linked to business batch PSBs
All LTERMs allowed
31
3.Work out a replacement plan 3. Resource access
security (RAS) B. BMP regions

• RAS with RACF
• Actions
• To secure PSBs
• Define 2 PSB profiles in resource class JIMS
• One for System PSBs (name starts with E, PI or Z)
• One for all other PSBs
• Copy access list from corresponding AGN-profiles
• Profile members (Class) Access
• --------------------------------------------------
  ------------
• SYSTEM E (JIMS) UACC(NONE) userx
• Z usery
• PI
• BUSINESS (JIMS) UACC(NONE) userA
• userB

Access list of AGNSYST
Access list of AGNBUS
32
3.Work out a replacement plan 3. Resource access
security (RAS) B. BMP regions

• To secure transactions
• Define 2 transaction profiles in resource class
  GIMS
• One for transactions linked to system batch PSBs
• One for transactions linked to business batch
  PSBs
• Copy access list from corresponding AGN-profiles
• Profile members (Class) Access
• --------------------------------------------------
  ----
• BMPSYS XTPIBC3 (GIMS) UACC(NONE) userx
• usery
• BMPBUS JTD9BBF (GIMS) UACC(NONE) userA
• userB

Access list of AGNSYST
Access list of AGNBUS
33
3.Work out a replacement plan 3. Resource access
security (RAS) B. BMP regions

• To secure LTERMs
• OUTlterm normally not used at KBC
• Define 1 LTERM profile in resource class LIMS
• With Allow all accesses WARNING Yes
• Profile (Class) Access
• --------------------------------------------------
  ----
• (LIMS) UACC(NONE)
• WARNING(YES)

34
3.Work out a replacement plan 3. Resource access
security (RAS) C. Activation

• Activation of RAS with RACF
• Change
• ISIS1 ? ISISR

resource access security checking using RACF is
to be performed
35
3.Work out a replacement plan 4.
Transaction-Command A. Rule

• Rule with RACF
• A BMP or MPP can execute a command (using
  CMD-call) if
• the corresponding TRANSACT macro contains
  AOIYES TRAN CMD
• and
• If AOIYES the userid must have READ access on
  the command
• If AOITRAN the transaction (defined as a user
  in RACF) must have READ access on the command
• If AOICMD the command (defined as a user in
  RACF) must have READ access on the transaction
• May be the program name if a Get Unique call
  has not yet happened

36
3.Work out a replacement plan 4.
Transaction-Command B. Implementation

• ImplementationPreferred choice AOITRAN
• Most intuitive
• With AOICMD too much interaction with existing
  user-transaction security
• Example
• Profile members (Class) Access
• ------------------------------------------------
  
• TRANBNK TRAN1 (GIMS) UACC(READ) TRAN2
• With AOIYES must give too much authorisation
  on commands to users

How specify that TRAN1 is not allowed to execute
all commands ?
37
3.Work out a replacement plan 4.
Transaction-Command B. Implementation

• Actions
• Build cross reference from SMU input
• which transactions may execute which commands
• Clean up unused transactions from cross reference
  
• Define remaining transactions as users in RACF
  and give access on commands
• Add AOITRAN to all TRANSACTION macros
• Activation
• AOI1 ? AOI1R (DFSPBxxx)
• TRANCMDYES ? TRANCMDNO (SECURITY macro)

38
3.Work out a replacement plan 4.
Transaction-Command B. Implementation

• More detailed

• Transactions assigned to 1 of 4 RACF groups
• TRXLO may only execute level 1 commands
• TRXML may execute level 1 and 2 commands
• TRXMH may execute level 1, 2 and 3 commands
• TRXHI may execute all commands

• Commands divided into 4 levels
• CMDLO low level commands
• CMDML
• CMDMH
• CMDHI high level commands

Command profiles in DIMS class Profile members
Access list ------------------------------------
------------- CMDLO BRO UACC(READ) CAN
CMDML ASS TRXML CLS TRXMH
TRXHI CMDMH DBR TRXMH STA TRXHI STO
CMDHI TRXHI
39
Agenda

• How did KBC replace SMU ?
• Understand IMS security
• Determine which SMU security types are in use
• Work out and implement a replacement plan for
  every SMU security type
• General remarks and experiences

40
4. General remarks and experiences

• Roll-out actions spread over several releases
• To simplify fallback
• Continue SMU generation and keep matrix datasets
  filled
• Deactivate SMU types with DFSPBxxx / EXEC
  parameters, E.g. ISIS, RCF , AOI1
• After all phases have completed stop SMU
  generation and clear matrix datasets
• SMU conversion utilities not used
• With RAS security with RACF
• When region userid has no access to APPLimsid
  DFS2854A 08C--FAILED SECURITY CHECK
• If AOI-parameter not specified in TRANSACT macro
  
• CMD-call not allowed, even if AOI1N ( no
  security checking)
• MATRIX datasets must be present in CTL region
  JCL, even if they are empty

41
Questions ?

• ?