Security - PowerPoint PPT Presentation

1 / 40

About This Presentation

Title:

Security

Description:

Impersonation must be set in the security profile of the Natural RPC Server. ... Validation with Impersonation. Natural RPC server must run under Z/OS in batch mode. ... – PowerPoint PPT presentation

Number of Views:210

Avg rating:3.0/5.0

Slides: 41

Provided by: sagg1

Category:

more less

Transcript and Presenter's Notes

Title: Security

1
Security
Tom Philpott IT Architect Software AG
2
Natural Security

Controls and checks access to the Natural
Environment
Four types of objects
Users
Libraries
DDMs/files
Utilities

3
Types of Users
4
Linking a User to a Library
5
Concept of Environment Protection

A Natural environment is a combination of FNAT,
FUSER, FSEC, and FDIC.
A logon to an environment occurs when a user logs
onto an library in another FUSER.
Both access to the library and authorization to
the environment is checked.

6
Protecting DDMs On Mainframes
7
RPC Service Requests

Protect RPC Services as well as the requests are
handled.
User authentication are possible in two modes
Validation with Impersonation
Validation without Impersonation
Impersonation must be set in the security profile
of the Natural RPC Server.

8
RPC Service Requests

Validation without Impersonation
Logon performed using Natural RPC user ID.
Validation is performed by Natural Security, and
depends on the Logon Option.
N or E, both user ID and password verified
A or S, only user ID is verified, (like
Autoon)
E or S, Natural RPC user ID must be the same
as the EntireX user ID.

9
RPC Service Requests

Validation with Impersonation
Natural RPC server must run under Z/OS in batch
mode.
Natural server front-end passes Natural RPC user
ID to SAF-compliant external security system.
A successful authentication is followed by a
logon according to the Natural Security rules for
that user.
Again, if the Logon Option is set to E or S,
the EntireX user ID must be the same as the
Natural RPC user ID.

10
Natural SAF Security

SAF System Authorization Facility
OS/390, z/OS and compatible operating systems
Integrates ADABAS with SAF compliant security
packages
RACF
CA-ACF2
CA-TopSecret
All your security definitions are in a single
repository
Only need to define User in external SAF system
Group definitions done in both NSC and NSF.
Security mappings done in Natural Security.

11
NDV Requests

User authentication are possible in four modes
Validation with Impersonation Locally
Validation with Impersonation Remotely
Validation with Impersonation
No Validation
The SECURITY_MODE parameter is used to define the
types of authentication

12
NDV Requests

Security_Mode Impersonate_Local
The client credentials are checked against the
Security system of the NDV server
Natural Security treats client as if Autoon is
used.
Security_Mode Impersonate_Remote
The NATUXRFE user exit obtains credentials from
the NDV server
Authenticates using CICS VERIFY PASSWORD

13
Adabas Security
Tom Philpott IT Architect Software AG
14
Adabas Security

Data Encryption
Access/Update Security
Security by Value

15
Adabas Security- Data Encryption

Utilizes pre-specified key to encode Adabas Data
Storage
Encryption is by file, with data compressed and
then encrypted
Data access requires cipher code, usually
inserted through an Adabas User Exit
If you lose the key, you lose the data.

16
Adabas Security- Access/Update Level

Adabas password is really an access/update
profile.
Defined at a file level, as well as fields within
a file.
Threshold protection levels are set for either
the file and/or the field.
Permission levels are attached to a password.

17
File Level Protection
18
Field Level Protection
19
File Level Protection Results
20
Adabas Security- Value Level

Defined for one or more fields on a file.
Different settings for access vs. update.
Can include as many as 99 fields.
Comprise multiple values and/or value ranges per
field.
Can either accept or deny values.

21
Adabas SAF SecurityIntroduction

SAF System Authorization Facility
OS/390, z/OS and compatible operating systems
Integrates ADABAS with SAF compliant security
packages
RACF
CA-ACF2
CA-TopSecret
All your security definitions are in a single
repository
Tamper-proof
components in router and nucleus

22
Adabas SAF SecurityIntroduction

One of a suite of SAF security options
Natural SAF
secure applications
Network SAF
secure remote usage
EntireX Security
secure Broker services

23
Adabas SAF SecurityIntroduction

Two different Adabas SAF licenses
ADAESI compatability
No license charge/no maintenance charge
ADASAF full functionality
No license charge until March 31, 2003
Maintenance charges will apply

24
Adabas SAF SecurityIntroduction

ADASAF limited license
Secure database nucleus, files and commands
Utilities
Operator Commands

25
Adabas SAF SecurityIntroduction

ADASAF full functionality
All of ESI functionality, plus
Cross-level checking
Protection of Transaction Data
Adabas Passwords and Cipher Codes
Protection of AOS
On-line Administration via AOS
Remote User Protection
Adabas SQL Server Protection
Adabas Cluster Services
Adabas Parallel Services

26
Adabas SAF SecurityArchitecture
User
Administrator
ADABAS 1
ADABAS 2
ADASAF
Router (ADASVC) with ADASAF
ADASAF
SAF RACF, CA-ACF2 CA-Top Secret

3 main components
Router/SVC
SAF module
AOS subsystem

Tamperproof runtime code in the router and
database
27
AdaSAF Security Operation
28
AdaSAF Security Operation
29
ADABAS SAF SecurityWhere from
CICS
ADABAS ADASAF
Job ACEE
Router Obtain userids
User 2 ACEE
User 1 ACEE
Check CICS
Check User
ADATRUE
RACF
30
ADABAS SAF SecurityCaching Checks

First call from user
create security environment for user
RACROUTE VERIFY,ENVIRCREATE
File-specific call
check cache if file not found perform SAF check
cache successful checks
CL command or user timeout
delete users security environment and release
cache

31
ADABAS SAF SecuritySecure ADABAS Resources

ADABAS data
commands require read or update access
some commands are ignored
with RACF you only need define sensitive files
option to allow access to any undefined resource
security based on where from as well as who
access allowed from production CICS but not from
test
successful checks cached
optionally across user sessions
ET Data (optional)

32
ADABAS SAF SecuritySecure ADABAS Resources

ADABAS jobs
check that user who submitted nucleus is allowed
to
check also used to establish fail/warn mode
check that user who submitted a utility is
allowed to run that utility against this database
Steve may run ADAREP but not ADASAV
Operator commands
check that this operator command is permitted for
this nucleus
DUQ is allowed, but not STOPU

33
ADABAS SAF SecurityCipher Codes and Passwords

ADASAF
extracts them from RACF file profiles at nucleus
initialization
inserts them into any ADABAS call for the
relevant files
as long as security checks are ok
Advantages
sensitive data now stored in RACF repository
application doesnt have to manage them
no longer transmitted with call, so more secure

34
ADABAS SAF SecurityRACF Definitions

Define and activate the class(es)
ADASEC ICHERCDE CLASSADASEC,
X
ID149,
X
MAXLNTH80,
X
FIRSTANY,
X
OTHERANY,
X
RACLISTALLOWED,
X
GENLISTALLOWED,
X
POSIT35,
X
OPERNO,
X
DFTUACCNONE
SETROPTS CLASSACT(ADASEC)
SETROPTS GENCMD(ADASEC)
SETROPTS GENERIC(ADASEC)

35
ADABAS SAF SecurityRACF Definitions

Make security definitions
define and protect resources
RDEFINE ADASEC CMD00001.FIL01234 UACC(NONE)
PERMIT CMD00001.FIL01234 CLASS(ADASEC)
ACCESS(READ) ID(uid)
RACLIST the profiles for better performance
Ensure that userids under which ADASAF runs are
allowed to issue RACROUTE AUTH/EXTRACT/VERIFY

36
ADABAS SAF SecurityFlexible Customization