Connectivity to zOS using DB2 Connect with Kerberos Authentication Davy Goethals PowerPoint PPT Presentation


1
Connectivity to z/OS using DB2 Connect with
Kerberos Authentication Davy Goethals
  • GSE CICS and IMS/DB2 working group
    11/10/2007 Zemst

2
Agenda
  • Introduction
  • Use of DB2 connect at Sidmar
  • What is Kerberos authentication ?
  • Practical Implementation
  • Current status and future

3
Introduction
  • Kerberos is an authentication protocol developed
    in the late 1980s to secure a distributed
    client-server environment
      • User wants to be sure to connect to the right
        server
      • Server wants to be sure that the user is who he
        claims to be
  • Part of DCE (promoted by OSF), initially in the
    Unix world
  • Based on encryption
      • Insecure client machines
      • Insecure networks
      • Locally secured servers can interchange reliable
        information

4
Introduction
  • Kerberos can be used in a DB2 connect environment
    to create a single logon environment
  • No need anymore to provide a mainframe
    user/password to DB2 on z/OS

5
Use of DB2 connect at Sidmar
[Diagram: use of DB2 Connect at Sidmar. Components shown: mainframe with DB2 for z/OS; DB2 Connect EE; UNIX servers; Windows clients and Windows servers with DB2 Connect PE; SAP; VB, ODBC, OLE DB and .NET applications; SQL and stored procedures over TCP/IP]
6
Use of DB2 connect at Sidmar
  • User has to provide mainframe userid/password
  • Or application uses hardcoded generic userid with
    non-expiring passwords
      • To avoid declaration of RACF users
      • To avoid password problems
      • To allow/restrict authorities
  • Problems
      • Management of passwords (helpdesk)
      • Super users with known passwords
      • Accountability
      • Use of trusted clients ?

7
What is Kerberos ?
Kerberos (Cerberus) was the mythological
three-headed dog that guarded the entrance to the
underworld. Unless you could get past Kerberos,
you could not leave the underworld.
8
What is Kerberos ?
  • Securely authenticate a user in an unsecured
    network environment
  • Three tier architecture
      • Client
      • Kerberos Key Distribution Center (KDC), trusted
        third party
      • Application server
  • Use of encrypted tickets (credentials) instead of
    userid/password over the network
      • Provided by KDC
      • Limited lifetime
      • Only understood by client and server

9
What is Kerberos ?
  • KDC is a central repository
      • Knows all clients (with principal identifier)
      • Knows all application servers (with principal
        identifier)
  • REALM: set of clients and servers served by a
    single KDC (domain)
  • KDC and clients/servers use a private encryption
    key to encrypt data over the network
  • Principal needs to verify its identity only once
    in the REALM
  • Kerberos allows the client to validate the
    identity of the server (mutual authentication)

10
What is Kerberos ?
  • Phase 1: authentication service exchange
      • Client authenticates himself providing username
        and gets ticket granting ticket
  • Phase 2: ticket granting service exchange
      • Client asks service ticket to use in
        communication with server
  • Phase 3: client/server authentication exchange
      • Client and server authenticate each other
      • Share an encryption key to exchange encrypted
        messages
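As an added illustration (not code from the presentation), the following Python models the three exchanges of slide 10 and the ticket properties of slide 8 (provided by the KDC, limited lifetime, readable only by the KDC and the target server). It is a single-realm toy: the encryption is a stand-in built from the standard library (an HMAC-SHA256 keystream with an HMAC tag) rather than a real Kerberos enctype, the passwords are constructed, and the 36000-second lifetime is the DEFTKTLFE value the presentation uses for its host realm. The principal names siddago and db2/omvsdb2p are taken from the slides.

```python
import hashlib, hmac, json, os


def derive_key(password: str, salt: str) -> bytes:
    """String-to-key: the KDC stores this derived key, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag); stand-in for a Kerberos enctype."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + hmac.new(key, nonce + ct, "sha256").digest() + ct

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")   # a wrong password lands here too
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Trusted third party: holds every principal's long-term key and issues tickets."""
    def __init__(self, realm: str, ticket_lifetime: int = 36000):
        self.realm, self.lifetime = realm, ticket_lifetime
        self.keys = {"krbtgt/" + realm: os.urandom(32)}   # key of the ticket-granting service

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, self.realm + principal)

    def _ticket(self, client: str, service: str, session: bytes, now: int) -> bytes:
        body = {"client": client, "service": service, "session": session.hex(),
                "endtime": now + self.lifetime}
        return encrypt(self.keys[service], body)   # readable only by that service (and the KDC)

    def as_exchange(self, client: str, now: int):
        """Phase 1: return a TGT plus a session key sealed under the client's own key."""
        session = os.urandom(32)
        tgt = self._ticket(client, "krbtgt/" + self.realm, session, now)
        return tgt, encrypt(self.keys[client], {"session": session.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """Phase 2: check the TGT and authenticator, then issue a ticket for `service`."""
        t = decrypt(self.keys["krbtgt/" + self.realm], tgt)
        if now > t["endtime"]:
            raise PermissionError("TGT expired")
        if decrypt(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        session = os.urandom(32)
        ticket = self._ticket(t["client"], service, session, now)
        return ticket, encrypt(bytes.fromhex(t["session"]), {"session": session.hex()})

def client_login(kdc: KDC, principal: str, password: str, now: int):
    """Client side of phase 1: only the right password unseals the session key."""
    tgt, sealed = kdc.as_exchange(principal, now)
    return tgt, bytes.fromhex(decrypt(derive_key(password, kdc.realm + principal), sealed)["session"])

def client_service_ticket(kdc: KDC, principal: str, tgt: bytes, tgt_session: bytes, service: str, now: int):
    """Client side of phase 2: prove possession of the TGT session key, receive a service ticket."""
    authenticator = encrypt(tgt_session, {"client": principal, "time": now})
    ticket, sealed = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(decrypt(tgt_session, sealed)["session"])

def server_accept(service_key: bytes, service: str, ticket: bytes, authenticator: bytes, now: int):
    """Phase 3: the server needs only its own key; returns (client, mutual-authentication reply)."""
    t = decrypt(service_key, ticket)
    if t["service"] != service or now > t["endtime"]:
        raise PermissionError("ticket not for this service or expired")
    session = bytes.fromhex(t["session"])
    a = decrypt(session, authenticator)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    return t["client"], encrypt(session, {"time": a["time"]})   # proves the server knew the key

def run_demo() -> dict:
    """Constructed scenario: user siddago reaches DB2 principal db2/omvsdb2p, one realm."""
    kdc = KDC("SIDMAR.BE")
    kdc.register("siddago", "user-secret")          # constructed passwords
    kdc.register("db2/omvsdb2p", "stc-secret")
    db2_key = kdc.keys["db2/omvsdb2p"]               # the server holds its own key locally
    now = 1_000_000
    tgt, tgt_sess = client_login(kdc, "siddago", "user-secret", now)
    ticket, sess = client_service_ticket(kdc, "siddago", tgt, tgt_sess, "db2/omvsdb2p", now)
    auth = encrypt(sess, {"client": "siddago", "time": now})
    who, reply = server_accept(db2_key, "db2/omvsdb2p", ticket, auth, now)
    result = {"principal": who, "mutual_ok": decrypt(sess, reply)["time"] == now}
    try:                                             # same ticket presented after its lifetime
        server_accept(db2_key, "db2/omvsdb2p", ticket, auth, now + kdc.lifetime + 1)
        result["expired_rejected"] = False
    except PermissionError:
        result["expired_rejected"] = True
    try:                                             # wrong password: phase 1 reply cannot be unsealed
        client_login(kdc, "siddago", "wrong", now)
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    return result
```

Two things the slides state become visible when run_demo() is traced: the password is used only on the client to unseal the phase 1 reply and never crosses the network, and the DB2 server validates the ticket with nothing but its own key, which is why the KDC is a single point of trust but not a participant in every connection.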

11
What is Kerberos ?
  • Inter-REALM operation
      • Client from one REALM can communicate with
        server from other REALM
      • REALMs have TRUST relationships and share secret
        inter-realm keys
      • Ex: Windows domain and z/OS domain
  • Multiple, hierarchical realms are possible
  • Client has to authenticate only once to his local
    REALM

12
What is Kerberos ?
  • Windows Kerberos is integrated in the Windows OS
      • KDC is part of Directory Server
      • Definitions in Domain Controller DNS
  • z/OS Kerberos is integrated with RACF
      • KDC is part of RACF database
      • All administration is done by RACF commands
      • Special Kerberos started task to communicate with
        client

13
DB2 connect and Kerberos
[Diagram: DB2 Connect and Kerberos. Windows client: Windows userid authentication against the Windows domain controller (DNS, KDC), which issues a ticket; DB2 Connect PE passes the ticket to DB2 for z/OS over the GSS protocol ("Do you support Kerb?"); on the mainframe DB2 uses SAF services for ticket validation and for mapping the Kerberos principal in the ticket to a RACF userid (RACF KDC)]
14
Practical implementation
  • Workstation
      • DB2 Connect database directory
      • KSETUP command
  • Windows domain
      • Define trust with host realm
      • Add entries in DNS
  • z/OS
      • Create host realm
      • Define trust with Windows realm
      • Define DB2 as Kerberos application
      • Start Kerberos started task
      • Map Windows users to RACF userids

15
Practical implementation on workstation
  • DB2 Connect database directory
      • Add database entries with
          • Authentication KERBEROS
          • Principal name db2service/host@hostREALM
      • Command
          • db2 catalog database <dbname> at node <nodename>
            authentication kerberos target principal
            db2service/<hostname>@<hostREALM>

16
Practical implementation on workstation
   Database 4 entry:

    Database alias                       = DB2P
    Database name                        = DB2P
    Node name                            = DB2P
    Database release level               = a.00
    Comment                              = DB2 productie
    Directory entry type                 = Remote
    Authentication                       = SERVER
    Catalog database partition number    = -1
    Alternate server hostname            =
    Alternate server port number         =

   Database 11 entry:

    Database alias                       = DB2PD
    Database name                        = DB2P
    Node name                            = DB2P
    Database release level               = a.00
    Comment                              = DB2 productie d
    Directory entry type                 = Remote
    Authentication                       = KERBEROS
    Principal name                       = db2/omvsdb2p@ES1.SIDMAR.AGN
    Catalog database partition number    = -1
    Alternate server hostname            =
    Alternate server port number         =

Applications use DB2PD instead of DB2P in
connection string and no longer provide a
user/password
17
Practical implementation on workstation
db2 => connect to DB2P user siddago
Enter current password for siddago:

   Database Connection Information

 Database server        = DB2 OS/390 8.1.5
 SQL authorization ID   = SIDDAGO
 Local database alias   = DB2P

db2 => connect to DB2P
SQL30082N  Attempt to establish connection failed with security reason "3"
("PASSWORD MISSING").  SQLSTATE=08001

db2 => connect to DB2PD

   Database Connection Information

 Database server        = DB2 OS/390 8.1.5
 SQL authorization ID   = SIDDAGO
 Local database alias   = DB2PD

db2 => connect to DB2PD user siddago
Enter current password for siddago:
SQL30082N  Attempt to establish connection failed with security reason "36"
("CLIENT SECURITY PLUGIN ERROR").  SQLSTATE=08001

db2 =>

18
Practical implementation on workstation
  • KSETUP command to define the host realm on each
    workstation
      • KSETUP /addkdc <hostREALM> <KDCname>
      • Ex: KSETUP /addkdc ES1.SIDMAR.AGN
        kerberos.es1.sidmar.agn
  • Ksetup.exe can be downloaded from Microsoft
    support websites

19
Practical implementation on Windows domain
  • Define host realm as trusted domain (TRUST) in
    Windows domain controller
  • Add entries in DNS for host realm including
    password

20
Practical implementation on z/OS
  • Create host REALM
      • RDEFINE REALM KERBDFLT KERB(KERBNAME(<host realm
        name>) PASSWORD(...) <ticket lifetime parameters>)
      • Ex: rdefine realm kerbdflt kerb(kerbname(es1.sidmar.agn)
        password(...) mintktlfe(15) deftktlfe(36000)
        maxtktlfe(86400))
  • Add KERBDFLT profile in REALM RACF class for
    local realm

21
Practical implementation on z/OS
  • Add Kerberos trust definitions (in pairs)
      • RDEFINE REALM /.../<host realm>/krbtgt/<windows
        realm> KERB(PASSWORD(...))
      • Ex: rdefine realm /.../es1.sidmar.agn/krbtgt/sidmar.be
        kerb(password(...))
      • RDEFINE REALM /.../<windows realm>/krbtgt/<host
        realm> KERB(PASSWORD(...))
      • Ex: rdefine realm /.../sidmar.be/krbtgt/es1.sidmar.agn
        kerb(password(...))

22
Practical implementation on z/OS
  • Define each DB2 as a local Kerberos principal
      • ALTUSER <db2stc userid> PASSWORD(...) NOEXPIRED
        KERB(KERBNAME(db2/<db2stc userid>))
      • Ex: altuser omvsdb2p password(...) noexpired
        kerb(kerbname(db2/omvsdb2p))
      • KERBNAME: local principal name
      • Principal is defined as RACF user with KERBEROS
        segment

23
Practical implementation on z/OS
  • Start Kerberos started task SKRBKDC

//SKRBKDC  PROC REGSIZE=256M,OUTCLASS='R'
//*-------------------------------------------------------------------
//* Procedure for starting the Kerberos Security Server
//*-------------------------------------------------------------------
//GO       EXEC PGM=EUVFSKDC,REGION=&REGSIZE,TIME=1440,
//         PARM=('ENVAR("LANG=En_US.IBM-1047"),TERM(DUMP)              X
//             / 1>DD:STDOUT 2>DD:STDERR')
//STEPLIB  DD DISP=SHR,DSN=EUV.SEUVFLNK
//STDOUT   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//         FREE=END,SPIN=UNALLOC
//STDERR   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
//         FREE=END,SPIN=UNALLOC
//SYSOUT   DD SYSOUT=&OUTCLASS,
//         FREE=END,SPIN=UNALLOC
//CEEDUMP  DD SYSOUT=&OUTCLASS,
//         FREE=END,SPIN=UNALLOC
24
Practical implementation on z/OS
  • Start Kerberos started task SKRBKDC

EUVF04001I Security server version 3.16, Service level 0000000.
EUVF04002I Security runtime version 3.16, Service level 0000000.
EUVF04158I Kerberos KDC services are enabled.
EUVF04069I Listening for requests on network interface 176.132.15.8.
EUVF04069I Listening for requests on network interface 176.132.15.20.
EUVF04069I Listening for requests on network interface 176.132.15.25.
EUVF04069I Listening for requests on network interface 176.132.15.7.
EUVF04069I Listening for requests on network interface 176.132.15.23.
EUVF04069I Listening for requests on network interface 176.132.15.16.
EUVF04069I Listening for requests on network interface 176.132.15.24.
EUVF04069I Listening for requests on network interface 176.132.15.6.
EUVF04069I Listening for requests on network interface 176.132.38.8.
EUVF04069I Listening for requests on network interface 176.132.35.1.
EUVF04069I Listening for requests on network interface 176.133.8.24.
EUVF04069I Listening for requests on network interface 176.132.8.1.
EUVF04058I System SYSM has joined the Kerberos security server group.
EUVF04058I System SYSE has joined the Kerberos security server group.
25
Practical implementation on z/OS
  • Map Windows users to RACF userids used as
    primary authorization-id in DB2
      • RDEFINE KERBLINK /.../<foreign realm name>/<foreign
        principal name> APPLDATA(<racf userid>)
      • Ex: rdefine kerblink /.../sidmar.be/siddago
        appldata(siddago)
      • KERBLINK: foreign principal
      • Local principal is defined as RACF user with
        KERBEROS segment

26
Practical implementation on z/OS
  • Map Windows users to RACF userids
      • Each time the RACF password changes, a new key
        is generated to be used in the encrypted ticket
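As an added example (not code from the presentation, IBM or RACF), the following Python models what the RACF definitions of slides 20 to 26 establish together: the local realm with its ticket lifetimes, the trust pair with the Windows realm, the DB2 started task as a local principal with a KERB segment, and the KERBLINK mapping of a foreign principal to a RACF userid. The parsing is a simplification (one command per line, case-insensitive, password values elided as "..."), the requirement that both trust profiles exist before a foreign principal is accepted follows the slide's "in pairs", and the sample commands are the ones shown on the slides.

```python
import re

# Constructed sample: the RACF commands from the slides, one per line, passwords elided.
SAMPLE_COMMANDS = """
rdefine realm kerbdflt kerb(kerbname(es1.sidmar.agn) password(...) mintktlfe(15) deftktlfe(36000) maxtktlfe(86400))
rdefine realm /.../es1.sidmar.agn/krbtgt/sidmar.be kerb(password(...))
rdefine realm /.../sidmar.be/krbtgt/es1.sidmar.agn kerb(password(...))
altuser omvsdb2p password(...) noexpired kerb(kerbname(db2/omvsdb2p))
rdefine kerblink /.../sidmar.be/siddago appldata(siddago)
"""


class RacfKerberosModel:
    """Simplified model (an assumption, not RACF's real processing) of the REALM and
    KERBLINK profiles and of the KERB segment on user profiles."""

    def __init__(self):
        self.local_realm = None
        self.lifetimes = {}
        self.trust_keys = set()       # (realm_a, realm_b) from /.../a/krbtgt/b profiles
        self.kerblinks = {}           # (foreign realm, foreign principal) -> RACF userid
        self.local_principals = {}    # local kerbname -> RACF userid

    def load(self, text: str) -> None:
        for raw in text.strip().splitlines():
            line = raw.strip().lower()
            if not line:
                continue
            if m := re.match(r"rdefine realm kerbdflt .*kerbname\(([^)]+)\)", line):
                self.local_realm = m.group(1)
                found = re.findall(r"(mintktlfe|deftktlfe|maxtktlfe)\((\d+)\)", line)
                self.lifetimes = {k: int(v) for k, v in found}
            elif m := re.match(r"rdefine realm /\.\.\./([^/]+)/krbtgt/(\S+)", line):
                self.trust_keys.add((m.group(1), m.group(2)))
            elif m := re.match(r"rdefine kerblink /\.\.\./([^/]+)/(\S+) appldata\(([^)]+)\)", line):
                self.kerblinks[(m.group(1), m.group(2))] = m.group(3)
            elif m := re.match(r"altuser (\S+) .*kerbname\(([^)]+)\)", line):
                self.local_principals[m.group(2)] = m.group(1)
            else:
                raise ValueError(f"unrecognised command: {raw}")

    def lifetimes_consistent(self) -> bool:
        """Minimum <= default <= maximum ticket lifetime, in seconds."""
        lt = self.lifetimes
        return lt["mintktlfe"] <= lt["deftktlfe"] <= lt["maxtktlfe"]

    def trusted(self, foreign_realm: str) -> bool:
        # Trust definitions are added in pairs: both directions must be present.
        both = {(self.local_realm, foreign_realm), (foreign_realm, self.local_realm)}
        return both <= self.trust_keys

    def map_principal(self, principal: str) -> str:
        """Resolve 'name@REALM' to the RACF userid DB2 would use as primary authorization id."""
        name, _, realm = principal.lower().partition("@")
        if realm == self.local_realm:
            userid = self.local_principals.get(name)      # KERB segment on the RACF user
        elif self.trusted(realm):
            userid = self.kerblinks.get((realm, name))     # KERBLINK profile for foreign users
        else:
            raise PermissionError(f"no trust pair with realm {realm}")
        if userid is None:
            raise PermissionError(f"no RACF userid mapped for {principal}")
        return userid


def run_checks() -> dict:
    """Constructed checks: the slides' setup, an unmapped user, and a half-defined trust."""
    model = RacfKerberosModel()
    model.load(SAMPLE_COMMANDS)
    out = {"lifetimes_ok": model.lifetimes_consistent(),
           "siddago": model.map_principal("siddago@SIDMAR.BE"),
           "db2": model.map_principal("db2/omvsdb2p@ES1.SIDMAR.AGN")}
    try:                                  # trusted realm, but no KERBLINK for this user
        model.map_principal("guest@SIDMAR.BE")
        out["unmapped"] = "accepted"
    except PermissionError as err:
        out["unmapped"] = str(err)
    lines = SAMPLE_COMMANDS.strip().splitlines()
    half = RacfKerberosModel()
    half.load("\n".join([lines[0], lines[1], lines[4]]))   # only one trust direction defined
    try:
        half.map_principal("siddago@SIDMAR.BE")
        out["half_trust"] = "accepted"
    except PermissionError:
        out["half_trust"] = "rejected"
    return out
```

The two failure cases in run_checks() are the ones worth a second look when a Kerberos connect returns a security error on z/OS: a Windows user without a KERBLINK profile has no RACF identity to become, and a trust pair with only one REALM profile never lets the foreign ticket through at all.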

27
STATUS today
  • Workstations
      • New DB2 Connect package distributed with
        additional database entries
      • KSETUP.exe executed at login
  • Windows domain
      • Host REALM defined as trusted realm
      • DNS entries added
  • z/OS
      • Host realm created
      • Trusted pair with Windows realm
      • Different DB2s defined as local Kerberos
        principals
      • Kerberos started task running
      • Map Windows users to RACF userids

28
Next
  • Inform developers and end users about new DB2
    data sources
  • Convert applications with hardcoded
    userid/password
      • Change connection string
      • Add DB2 authorizations to tables
      • Define new RACF userids with Kerberos segment
  • Revoke DB2 Connect application users
  • Use Kerberos also for FTP

29
More info
  • RACF documentation
  • DB2 Connect documentation
  • SHARE presentation Paul de Graaff OS/390
    Security Server (RACF) Interoperability with
    Windows 2000 Case Studies
  • IBM redbook SG24-6540-00 Putting the Latest
    z/OS Security Features to Work

30
Questions ?
  • Email: davy.goethals@arcelormittal.com