ABCs of z/OS System
Programming
Volume 6
Security on z/OS, RACF, and LDAP
Kerberos and PKI
Cryptography and EIM
Paul Rogers
Rui Feio
Oerjan Lundgren
Rita Pleus
Karan Singh
ibm.com/redbooks
International Technical Support Organization
ABCs of z/OS System Programming Volume 6
August 2008
SG24-6986-00
Note: Before using this information and the product it supports, read the information in “Notices” on
page vii.
First Edition (August 2008)
This edition applies to Version 1, Release 7 of z/OS (5694-A01), Version 1, Release 7 of z/OS.e (5655-G52),
and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Contents
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
The team that wrote this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Chapter 1. Introduction to z/OS security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 z/OS basic security facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 z/OS Security Server Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Integrated Security Services components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Cryptographic Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 2. z/OS Security Server RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1 What is RACF? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 RACF functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3 RACF ISPF panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 RACF profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.5 RACF commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.6 User authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.7 Resource managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.8 System Authorization Facility (SAF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.9 RACF classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.10 Security administration with RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.11 RACF user identification and verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.12 RACF user profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.13 RACF user attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.14 RACF user segments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.15 RACF user ID and password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.16 Adding a new user to RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.17 Reset a user password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.18 Alter a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.19 Change a user’s password interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.20 Delete a user ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.21 User related RACF commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.22 RACF groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.23 RACF group structure example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.24 RACF group related commands: Add a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.25 RACF group related commands: Alter a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.26 RACF group related commands: Delete a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.27 Connect a user to a group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.28 Remove a user from a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.29 Data sets and general resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.30 Data sets and general resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.31 Data set profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.32 Defining data set profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.33 Data set profile access list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.34 Add a data set profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
2.35 Alter a data set profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.36 Search RACF database using a mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
2.37 Data set related commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
2.38 Data set related commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
2.39 General resources related commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
2.40 General resources related commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
2.41 General resources related commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
2.42 SET RACF system options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
2.43 Statistic related options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
2.44 Password related options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.45 Data set related options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.46 Class related options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
2.47 Authorization checking related options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.48 Tape related options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.49 RVARYPW and other options for initial setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
2.50 Auditor related options(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
2.51 Auditor related options(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
2.52 SETROPTS: Display options (LIST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
2.53 RACF monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
2.54 RACF monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
2.55 RACF monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
2.56 RACF auditing tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
2.57 RACF auditing - IRRADU00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
2.58 RACF auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
2.59 RACF auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
2.60 RACF auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
2.61 RACF auditing - DSMON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
2.62 RACF auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
2.63 RACF auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
2.64 RACF auditing - IRRDBU00 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 3. Digital certificates and PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
3.1 The authentication problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
3.2 Overview of digital certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
3.3 The public key cryptography trust model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
3.4 Elements of PKI in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
3.5 The PKIX standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
3.6 The RSA public key cryptography standards (PKCS) . . . . . . . . . . . . . . . . . . . . . . . . . 124
3.7 The PKCS-10 certificate request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
3.8 The X.509 certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
3.9 X.509 certificate revocation list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
3.10 X.509 V3 certificate: Standard extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
3.11 Contents of the digital certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
3.12 Browser certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
3.13 Server certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
3.14 z/OS PKI services architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
3.15 Get PKI up and running. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
3.16 Setting up RACF environment for PKI prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . 137
3.17 Add RACF groups for PKI services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
3.18 RACF for PKI Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
3.19 Prepare and configure the UNIX System Services environment. . . . . . . . . . . . . . . . 160
3.20 Setting up the Web servers for PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
3.21 Setting up the LDAP server for PKI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
3.22 Setting up the PKI Services task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
3.23 Configure OCSF and OCEP to work with PKI Services . . . . . . . . . . . . . . . . . . . . . . 177
3.24 Configure the PKI Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
3.25 PKI exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
3.26 Test for scenario one . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
3.27 Starting and stopping PKI Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Chapter 4. Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
4.1 Introduction to Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
4.2 Kerberos terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
4.3 Kerberos protocol overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
4.4 Get a ticket-granting ticket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
4.5 Request a service ticket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
4.6 Authenticate to target server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
4.7 Kerberos inter-realm trust relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
4.8 Some assumptions to Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
4.9 Implementing Network Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
4.10 Setting up the Kerberos environment variable files. . . . . . . . . . . . . . . . . . . . . . . . . . 211
4.11 Setting up HFS for Kerberos cache files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
4.12 Kerberos integrated with RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
4.13 Define Kerberos local principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
4.14 Define Kerberos foreign principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
4.15 Kerberos user commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
4.16 Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Chapter 5. Cryptographic Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
5.1 Introduction to cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
5.2 Cryptographic capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
5.3 Symmetric and asymmetric encryption algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
5.4 Symmetric encryption algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
5.5 Asymmetric encryption algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
5.6 Use of cryptosystems: Data privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
5.7 Use of cryptosystems: Data integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
5.8 Use of cryptosystems: Digital signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
5.9 IBM Common Cryptographic Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
5.10 IBM System z9: Cryptographic overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
5.11 CP Assist for Cryptographic Functions (CPACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
5.12 Crypto Express 2 feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
5.13 PCIXCC hardware overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
5.14 PCIXCC software overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
5.15 DES key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
5.16 DES encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
5.17 DES key forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
5.18 Key distribution: Key export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
5.19 Key distribution: Key import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
5.20 PKA key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
5.21 ICSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Chapter 6. LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
6.1 What is LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
6.2 What is a directory service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
6.3 LDAP directory structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
6.4 How LDAP works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
6.5 LDAP functional model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
6.6 LDAP servers on z/OS (Integrated Security Server LDAP plus IBM Tivoli Directory Server) . . . . . . . 292
6.7 LDAP server back ends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
6.8 Capabilities of the Tivoli Directory Server LDAP server (1/2) . . . . . . . . . . . . . . . . . . . 294
6.9 Capabilities of the Tivoli Directory Server LDAP server (2/2) . . . . . . . . . . . . . . . . . . . 297
6.10 LDAP configuration by utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
6.11 Utility ldapcnf restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
6.12 Utility dsconfig restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
6.13 Utility invocation and outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
6.14 Configuration roles and responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
6.15 The LDAP schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
6.16 Schema attribute types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
6.17 LDAP directory schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
6.18 Authentication with an LDAP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
6.19 LDAP authentication with RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
6.20 z/OS LDAP server native authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
6.21 Enabling LDAP native authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
6.22 Native authentication configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
6.23 More native authentication configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
6.24 LDAP server-side Kerberos bind. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
6.25 LDAP Kerberos configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
6.26 LDAP Kerberos directory schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
6.27 LDAP Kerberos: Mapping algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
6.28 LDAP Kerberos: LDBM and TDBM mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
6.29 Configuring access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
6.30 How to set up a Kerberos directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
6.31 Access control lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
6.32 Access evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
6.33 Managing ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
6.34 Running the LDAP server in z/OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
6.35 Referrals and replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
6.36 LDAP change logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter 7. EIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
7.1 Overview of EIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
7.2 EIM concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
7.3 Setting up EIM in z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
7.4 Installing and configuring EIM on z/OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
7.5 Domain authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
7.6 EIM additional administration tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
7.7 RACF support for EIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
7.8 Storing LDAP binding information in a profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
7.9 Setting up a registry name for your local RACF registry . . . . . . . . . . . . . . . . . . . . . . . 394
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
How to get IBM Redbooks publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring
any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corporation in the United States, other countries, or both. These and other IBM trademarked terms are
marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US
registered or common law trademarks owned by IBM at the time this information was published. Such
trademarks may also be registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX®, CICS®, DB2®, DFSMS™, DFSORT™, Domino®, eServer™, IBM®, IMS™, Language Environment®, Lotus®,
MQSeries®, MVS™, NetView®, OS/390®, OS/400®, Parallel Sysplex®, PowerPC®, RACF®, RDN™, Redbooks®,
Redbooks (logo)®, REXX™, RMF™, S/390®, System z™, System z9®, Tivoli®, TotalStorage®, VTAM®, WebSphere®,
z/Architecture®, z/OS®, z9™, zSeries®
The following terms are trademarks of other companies:
PostScript, and Portable Document Format (PDF) are either registered trademarks or trademarks of Adobe
Systems Incorporated in the United States, other countries, or both.
Novell, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and other
countries.
SAP, and SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other
countries.
Active Directory, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United
States, other countries, or both.
Intel, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Preface
The ABCs of z/OS® System Programming is an 11-volume collection that provides an
introduction to the z/OS operating system and the hardware architecture. Whether you are a
beginner or an experienced system programmer, the ABCs collection provides the
information that you need to start your research into z/OS and related subjects. If you want to
become more familiar with z/OS in your current environment or if you are evaluating platforms
to consolidate your e-business applications, the ABCs collection can serve as a powerful
technical tool.
The contents of the volumes are:
Volume 1: Introduction to z/OS and storage concepts, TSO/E, ISPF, JCL, SDSF, and z/OS
delivery and installation
Volume 2: z/OS implementation and daily maintenance, defining subsystems, JES2 and
JES3, LPA, LNKLST, authorized libraries, Language Environment®, and SMP/E
Volume 3: Introduction to DFSMS™, data set basics, storage management hardware and
software, VSAM, System-managed storage, catalogs, and DFSMStvs
Volume 4: Communication Server, TCP/IP, and VTAM®
Volume 5: Base and Parallel Sysplex®, System Logger, Resource Recovery Services
(RRS), global resource serialization (GRS), z/OS system operations, automatic restart
management (ARM), and Geographically Dispersed Parallel Sysplex (GDPS)
Volume 6: Introduction to security, RACF®, Digital certificates and PKI, Kerberos,
cryptography and z9™ integrated cryptography, LDAP, and Enterprise Identity Mapping
(EIM).
Volume 7: Printing in a z/OS environment, Infoprint Server and Infoprint Central
Volume 8: An introduction to z/OS problem diagnosis
Volume 9: z/OS UNIX® System Services
Volume 10: Introduction to z/Architecture®, System z™ processor design, System z
connectivity, LPAR concepts, HCD, and HMC
Volume 11: Capacity planning, performance management, WLM, RMF™, and SMF
The team that wrote this book
This book was produced by a team of specialists from around the world working at the
International Technical Support Organization (ITSO), Poughkeepsie Center.
Paul Rogers is a Consulting IT Specialist at the ITSO, Poughkeepsie Center, and has
worked for IBM® for 39 1/2 years. He writes extensively and teaches IBM classes worldwide
on various aspects of z/OS, JES3, Infoprint Server, and z/OS UNIX. Before joining the ITSO
19 1/2 years ago, Paul worked in the IBM Installation Support Center in Greenford, England,
providing OS/390® and JES support for IBM EMEA and in the Washington Systems Center in
Gaithersburg, Maryland.
Rui Feio is an IT Specialist working at IBM Portugal. He has six years of experience in the
MVS™, OS/390, and z/OS fields. He provides support to IBM customers in Portugal. His
areas of expertise include RACF, DFSMS, JES2, TSO, MVS, and UNIX System Services. He
holds a BSc in Computer Science.
Oerjan Lundgren joined IBM in 1969 and has focused on performance and security related
topics. Oerjan was on assignment in Poughkeepsie for three years during the 1980s and has
since participated in a number of IBM Redbooks® publication projects. Since 2000, Oerjan
has been working for Pulsen Systems AB, which is an IBM Business Partner in Sweden, as a
senior consultant in infrastructure design projects. Oerjan frequently teaches WLM and RMF
workshops for ITSO around the world and also all System z related courses for customers as
well as for universities.
Rita Pleus is a Senior IT Specialist in IBM Global Services in IBM Germany. She has IT
experience since 1986 in a variety of areas, including systems programming and operations
management. Before joining IBM in 2001, she worked for a German S/390® customer. Rita
holds a degree in Computer Science from the University of Applied Sciences in Dortmund.
Her areas of expertise include z/OS, its subsystems, and systems management. She was
one of the authors of ABCs of z/OS System Programming Volume 3, SG24-6983.
Karan Singh is a Project Leader with the ITSO, Poughkeepsie Center. He was formerly a
mainframe systems programmer with IBM Global Services with over 10 years of experience.
He holds an M.S. degree in the Teaching of English.
Thanks to the following people for their contributions to this project:
Paola Bari
ITSO, Poughkeepsie Center
Thanks to the authors of the IBM Redbooks publication, System z Cryptographic Services
and z/OS PKI Services:
Patrick Kappeler
Jonathan Barney
Jean Marc Darees
Pekka Hanninen
Robert Herman
Guillaume Hoareau
Nikhil V Kapre
MuHyun Kim
Gerard Laumay
Joel Porterie
Vicente Ranieri Jr.
Dominique Richard
Daniel Turkenkopf
Thanks to the following for their comments:
Gregory P. Boyd
Advanced Technical Support, IBM
Become a published author
Join us for a two- to six-week residency program! Help write a book dealing with specific
products or solutions, while getting hands-on experience with leading-edge technologies. You
will have the opportunity to team with IBM technical professionals, Business Partners, and
Clients.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you
will develop a network of contacts in IBM development labs, and increase your productivity
and marketability.
Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about this book or
other IBM Redbooks in one of the following ways:
Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
Send your comments in an e-mail to:
[email protected]
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400
Chapter 1. Introduction to z/OS security
In today’s on demand environment, downtime is both unwelcome and costly. If your
applications are not consistently available, your business can suffer. IBM System z, along with
IBM software and the IBM TotalStorage® Resiliency family of offerings, provides a
comprehensive set of products and solutions to help address specific business resiliency
needs and to help protect your data, transactions, and the reputation of your business.
With estimates of over 80% of corporate data residing or originating on mainframes, security
and data integrity are on top of the list of critical business requirements. Thus, organizations
need to deliver advanced security features with an array of user identification, authentication,
auditing, and administration capabilities, combined with advancements in data encryption,
intrusion detection, and overall system integrity. These capabilities are designed to sustain
customer-facing, high-volume transaction rates at high service levels.
In this book, we explain how IBM System z is designed with built-in security capabilities to
help protect your business.
Traditionally, when we think of security, we often think of home security—keeping the doors
closed and locked, controlling access by limiting the number and distribution of keys, installing
burglar alarms to detect physical intrusion, and installing smoke and carbon monoxide alarms
to detect intrusion by other harmful substances. In many ways, IT security works in a similar
fashion. You need systems that are designed to control access to the system, to detect and
prevent intrusion into the system by unauthorized users, and to protect the system from
corruption by unauthorized programs and viruses. In other words, you need to close and lock
the doors and install a rigid and comprehensive set of fences and alarms to help protect
against various types of intrusion.
This chapter provides a brief overview of z/OS basic security and the additional Security
Services under z/OS. z/OS security services comprise a variety of security-related products,
grouped into three elements that we explain in detail in the following chapters:
Chapter 2, “z/OS Security Server RACF” on page 9, an optional feature of z/OS
Integrated security services:
– Chapter 4, “Kerberos” on page 193
– Chapter 6, “LDAP” on page 283
– Chapter 7, “EIM” on page 357
Chapter 5, “Cryptographic Services” on page 237, a base element
1.1 z/OS basic security facilities
Figure 1-1 z/OS basic security facilities: Integrity (program property table (PPT), authorized program facility (APF), authorized programs, system authorization facility (SAF)); Auditing (logs (hardcopy, system), generalized trace facility (GTF), system management facility (SMF))
z/OS operating system
The operating system z/OS is designed, implemented, and maintained to protect itself
against unauthorized access, so that the security controls specified for the system cannot
be compromised. Consequently, there is no way for any unauthorized program, using any
system interface, defined or undefined, to:
Bypass store or fetch protection
Bypass the operating system password, VSAM password, or z/OS Security Server
Resource Access Control Facility (RACF) checking
Obtain control in an authorized state
Program property table
The program properties table (PPT) contains a list of programs that require special attributes.
Among other things, the special attributes specify whether the programs can or cannot bypass
security protection (password protection and RACF) and whether they run in a system key.
Programs with the NOPASS parameter are able to bypass password protection for
password-protected data sets and, thus, also bypass all RACF protection for RACF-protected
resources.
The system key parameter indicates whether the program is authorized to run in a system key
(keys 0 through 7) and is thus able to bypass system security controls.
Important: You need to verify that only those programs that are authorized to bypass
password protection are, in fact, able to do so. Such programs are normally communication
and database control programs or other system control programs. You can also verify that
only those programs that need to run in a system key are authorized to do so.
Authorized program facility
Authorized program facility (APF) is a feature that allows system and user programs to use
sensitive system functions. To authorize a program, the following steps are required:
1. The program load module must be marked as authorized by the binder, or must have the
APF indicator set if the program resides in a UNIX System Services file system.
2. If the program is loaded from a load module library, the load library must be flagged as
authorized.
3. When the program is fetched, no non-authorized library can be part of the JOBLIB or
STEPLIB concatenation.
Authorized programs
Many system functions are sensitive (for example, restricted SVCs). Therefore, these sensitive
functions can be used only by authorized programs. A program is authorized if one of the
following conditions is true:
The program runs in supervisor state (bit 15 in the PSW is 0).
The program runs in a system protection key (bits 8-11 in the PSW contain a key of 0-7).
The program runs as part of an authorized job step task (JSCBAUTH=1). This flag is set if
the initial program is marked AC=1 and is loaded from an APF-authorized library or from
the LPA.
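To show how the three APF steps and the JSCBAUTH conditions fit together, here is an added example (not from this book): a binder job that marks a program with AC=1, and a job step that runs it from an APF-authorized STEPLIB. MYPROG, SYS1.MYAPF.LOAD, MYUSER.MYPROG.OBJ, MYUSER.TEST.LOAD, and volume VOL001 are hypothetical names.

```jcl
//APFAUTH  JOB (ACCT),'LINK AUTH PGM',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: bind the object code for MYPROG (hypothetical) into
//* SYS1.MYAPF.LOAD (hypothetical) and set authorization code 1.
//* SETCODE AC(1) only marks the directory entry; the program gains
//* nothing from it unless steps 2 and 3 also hold.
//*
//LINK     EXEC PGM=IEWL,PARM='LIST,XREF,MAP'
//SYSPRINT DD SYSOUT=*
//OBJ      DD DSN=MYUSER.MYPROG.OBJ,DISP=SHR
//SYSLMOD  DD DSN=SYS1.MYAPF.LOAD,DISP=SHR
//SYSLIN   DD *
  INCLUDE OBJ(MYPROG)
  SETCODE AC(1)
  NAME    MYPROG(R)
/*
//*
//* Step 2 (done once by the system programmer, not in this job): put
//* the library in the APF list, either in a PROGxx parmlib member,
//*     APF ADD DSNAME(SYS1.MYAPF.LOAD) VOLUME(VOL001)
//* or dynamically from the console,
//*     SETPROG APF,ADD,DSNAME=SYS1.MYAPF.LOAD,VOLUME=VOL001
//* and confirm the entry with D PROG,APF.
//*
//* Step 3: run the program. The job step task gets JSCBAUTH=1 only
//* because MYPROG is AC=1 AND every library in the STEPLIB
//* concatenation is APF-authorized.
//*
//RUNOK    EXEC PGM=MYPROG
//STEPLIB  DD DSN=SYS1.MYAPF.LOAD,DISP=SHR
//*
//* Counter-example, left commented out: MYUSER.TEST.LOAD is not in the
//* APF list, so with this concatenation the same AC=1 program would
//* run as an unauthorized program.
//*RUNBAD   EXEC PGM=MYPROG
//*STEPLIB  DD DSN=SYS1.MYAPF.LOAD,DISP=SHR
//*         DD DSN=MYUSER.TEST.LOAD,DISP=SHR
```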
System authorization facility
The system authorization facility (SAF) is part of the operating system. SAF is available
whether or not an additional security product such as RACF is installed. The various
resource managers call SAF. If an additional security product is installed, SAF routes the
request, through the SAF router, to the security product and routes the answer back to the
resource manager. SAF thus forms the interface between the resource managers and the
security product. The final decision on whether access will be granted is made by the resource
manager, not by SAF or the security product. See also “System Authorization Facility (SAF)”
on page 21.
Auditing
z/OS has the following basic functions that provide information useful for auditing purposes:
Logs (hardcopy and system)
Generalized trace facility (GTF)
System management facility (SMF)
1.2 z/OS Security Server Components
Figure 1-2 z/OS Security Server components: z/OS Security Server RACF (Resource Access Control Facility)
z/OS Security Server RACF
Prior to z/OS V1R5, the z/OS Security Server consisted of several components. Now, RACF
is the only component.
The z/OS Security Server RACF is an optionally priced feature that allows an installation to
control access to protected resources.
RACF helps meet your needs for security by providing the ability to:
Identify and verify users
Authorize users to access the protected resources
Control the means of access to resources
Log and report attempts to access protected resources
Administer security to meet an installation’s security goals
RACF provides these functions when the installation defines the users and the resources to
be protected.
1.3 Integrated Security Services components
Figure 1-3 Integrated Security Services components: IBM Tivoli Directory Server (LDAP Server), Network Authentication Service (Kerberos), Enterprise Identity Mapping (EIM), Open Cryptographic Enhanced Plug-ins (OCEP), DCE Security Server
Integrated Security Services
The basic security functions are shipped as two separate parts:
The Security Server (that is RACF)
The Integrated Security Services
The Integrated Security Services consists of the components described in the remainder of
this section.
LDAP Server
The LDAP function was shipped originally as the base function of the z/OS Directory Server.
A new base element, IBM Tivoli® Directory Server for z/OS, was introduced in z/OS V1R8. It
contains a rewritten LDAP server, an LDAP client, and LDAP client utilities. The LDAP server
in Integrated Security Services continues to exist in V1R8 and later. However, the LDAP client
and LDAP client utilities do not. In V1R8 and later, they are only in IBM Tivoli Directory Server
for z/OS.
The LDAP server is required to maintain information about Public Key Infrastructure (PKI)
Services certificates in a centralized location. The z/OS LDAP server is preferred, but you can
use a non-z/OS LDAP server if it can support the object classes and attributes that PKI
Services requires. Typical PKI Services usage requires an LDAP directory server that
supports the LDAP (Version 2) protocol (and the PKIX schema), such as the z/OS LDAP
server. If you intend to use the z/OS LDAP server, you must configure it to use the TDBM
back end. We explain LDAP in more detail in Chapter 6, “LDAP” on page 283.
Network Authentication Service
Network Authentication Service for z/OS provides Kerberos security services without
requiring that you purchase or use a middleware product such as Distributed Computing
Environment (DCE). These services include native Kerberos application programming
interface (API) functions, as well as the Generic Security Service Application Programming
Interface (GSS-API) functions. Network Authentication Service uses the DES algorithm for
encryption. Before z/OS V1R2, this component was named Network Authentication and
Privacy Service.
Enterprise Identity Mapping (EIM)
This component allows you to map a user’s identity on one system to the user’s identity on
another system. Chapter 7, “EIM” on page 357 provides more information about this topic.
Open Cryptographic Enhanced Plug-ins (OCEP)
OCEP provides an application interface for managing server certificates and also helps
protect server private keys in a uniform and secure way. Applications that comply with
Common Data Security Architecture (CDSA) standard interfaces can use OCEP.
Open Cryptographic Services Facility, a base z/OS element, provides these interfaces.
Application developers and independent software vendors using OCEP can find it easier to
develop and port applications to the System z platform. It helps customers apply consistent
security rules to e-business applications that use digital certificates and helps protect server
private keys.
DCE Security Server
DCE Base Services is an exclusive, base element that provides services for developing and
running client/server applications, including remote procedure call, directory, security, and
distributed time services. DCE Base Services uses the limited DES algorithm for encryption.
This element is at the Open Group Open Software Foundation (OSF) DCE 1.2.2 level.
Note: The Firewall Technologies component was removed from the system with z/OS
V1R8.
1.4 Cryptographic Services
Figure 1-4 Cryptographic Services: Integrated Cryptographic Service Facility (ICSF), Open Cryptographic Services Facility (OCSF), Public Key Infrastructure (PKI) Services, System Secure Sockets Layer (SSL)
Cryptographic Services
Cryptography is the transformation of data to conceal its meaning. In z/OS, the base element
Cryptographic Services provides the following cryptographic functions:
Data secrecy
Data integrity
Personal identification
Digital signatures
The management of cryptographic keys
This base element supports keys as long as 56 bits. Keys longer than 56 bits are supported
by the optional feature z/OS Security Level 3.
Chapter 5, “Cryptographic Services” on page 237 provides more information about
cryptography.
Integrated Cryptographic Service Facility
Integrated Cryptographic Service Facility (ICSF) provides application programs with callable
service interfaces to support the encryption and decryption of data using the cryptographic
hardware in the IBM System z servers. ICSF adds support for callers running in 64-bit
addressing mode.
The application calls ICSF for a cryptographic function and provides the data to be processed
along with the cryptographic key to be used.
ICSF drives the cryptographic operations at the coprocessors and transmits and receives the
processed data and the encrypted application key. Access to ICSF callable services and
application keys can be controlled by RACF profiles.
Open Cryptographic Services Facility
Open Cryptographic Services Facility (OCSF) is the z/OS implementation of the Common Data
Security Architecture (CDSA) API from Intel®. OCSF uses ICSF to access the
cryptographic hardware coprocessor.
Public Key Infrastructure services
Digital certificates, in widespread use today, are becoming increasingly important as a means
of helping to secure transactions on the Internet. As such, digital certificates add capabilities
far superior to mere password protection. PKI provides a trusted infrastructure that can
manage and support the use of digital certificates. PKI services are provided as part of z/OS,
so you can act as your own Certificate Authority (CA). As a CA, you have the power to create,
approve or reject, and manage the life cycle of digital certificates. Using PKI can represent
significant savings to businesses currently purchasing digital certificates from third-party
vendors.
Chapter 3, “Digital certificates and PKI” on page 111 explains this topic.
System Secure Sockets Layer
Secure Sockets Layer (SSL) is a client-server protocol, with the client explicitly requesting an
SSL communication. The client initiates the “handshake” piece of the SSL communication.
System SSL invokes the hardware cryptographic coprocessor, if present on the system, to
assist in performing the asymmetric and symmetric cryptographic algorithms.
Chapter 2. z/OS Security Server RACF
The operating system provides integrity. By using a Security Server, in this case Resource
Access Control Facility (RACF), you can protect resources by defining which resources are
protected and which groups of users or which individual users have access to the defined
resources. The definitions are kept in the RACF database. A RACF administrator defines
users, user groups, and resources together with rules for how these resources can be used.
RACF is “invisible” for most users if a good security structure is put in place. Most companies
have well-documented policies for Information Security. All RACF definitions need to be
based on these policies.
RACF helps meet the needs for security by providing the ability to:
Identify and verify users
Authorize users to access the protected resources
Control the means of access to resources
Log and report attempts to access protected resources
Administer security to meet an installation's security goals
RACF provides these functions when the installation defines the users and the resources to
be protected.
A specific RACF user, called the security administrator, has the responsibility to define users
and resources to RACF. The security administrator also specifies the rules that RACF uses to
control access to the resources.
The responsibility to implement the guidelines falls to the system programmer, who provides
technical support for RACF. The system programmer installs RACF on the system and
maintains the RACF database. This person oversees the programming aspects of system
protection and provides technical input on the feasibility of the implementation plan. In
addition, the technical support person can write and implement RACF installation exit
routines to extend the security infrastructure. RACF retains information about the users,
resources, and access authorities in profiles in the RACF database and refers to the profiles
when deciding which users are permitted access to a protected system resource. The
auditor monitors the security controls and verifies that the security goals are met.
2.1 What is RACF?
Figure 2-1 What is RACF?: RACF is an add-on product to implement and control the installation's security policies on z/OS systems; access to protected resources is controlled by rules; access to resources is logged and can easily be monitored by an auditor; users, groups, and resources together with access rules are administered by an administrator.
What is RACF
RACF is an add-on software product that provides the basic security for a z/OS system. Other
security software products are available, such as ACF2 and Top Secret from Computer
Associates. RACF is included as part of the base z/OS system but requires a separate license
to be activated.
RACF provides the ability to implement the security policies that you choose on your system.
Note: Your system will not be secure by simply installing RACF. The quality of the system
protection depends on the way that you use the RACF functions.
2.2 RACF functions
Figure 2-2 RACF functions: user identification and authentication; resource authorization (RACF checking and system access control); security administration (local or remote); RACF database (primary and backup, integrity reports, local and remote sharing); audit reports; security console (violation reporting)
RACF functions
RACF protects resources by granting access only to authorized users of the protected
resources. To accomplish this, RACF gives you the ability to perform the tasks described
in this section.
Identify and authenticate users
User authentication is validation of the user requesting access. The first step is to identify the
person who is trying to gain access to the system, and the second is to authenticate that the
user is really that person. The standard approach in RACF is to use a user ID together with a
password or password phrase to perform user identification and authentication. Other options
are available, such as digital certificates and smart cards.
Resource authorization
Having identified and verified the user, RACF then controls the user's interaction with system
resources. RACF must authorize which users can access resources and also the way in which
they can access them, which depends on the purpose of each user (for example, reading or
updating). RACF can also authorize when a user can access resources, by time or day.
Log and report access to protected resources
RACF provides the ability to log information, such as an attempted access to a resource, and
to generate reports containing that information, which allows identification of users who
attempt to access resources. The logging and reporting functions are:
Logging: RACF writes records to the system management facility (SMF) data set for
unauthorized attempts to enter the system and, optionally, for authorized attempts. Other
events can also be logged.
Reporting: The SMF records can be analyzed by the RACF Report Writer or be
translated and followed up by other reporting packages such as DB2®.
Sending messages: RACF sends messages in real time to the security console and, if
implemented, to RACF-defined TSO users as well.
Security administration
RACF can be administered either in a centralized or decentralized manner. In a centralized
approach, the RACF administrator (user attribute SPECIAL) controls the access to all users,
groups and resources.
In a decentralized approach, RACF administration can be delegated to administrators at a
group level only. These administrators have the group-SPECIAL attribute, which enables them
to control access only to their group or, more precisely, to the scope of that group. The
scope of control of a group-level attribute percolates down through a group-ownership
structure from group to subgroup to subgroup, and so on. Percolation is halted (and, therefore,
the scope of control of the group-level attribute ends) when a subgroup is owned by a user
instead of a superior group.
Another way to implement decentralized administration is by use of class authorization. In
this case, an administrator is authorized only for specific types of profiles, for example, user
profiles. Such an administrator can administer user IDs but cannot define which user
IDs, how resources are protected, or who should have access to resources.
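The two decentralized approaches just described, as an added example that is not from this book: a batch TSO job in which a SPECIAL user builds a small group tree, delegates group-SPECIAL, shows where percolation stops, and grants class authorization. Group names DEPT1, DEPT1A and DEPT1B and user IDs ADM001, ADM002 and USR123 are hypothetical; the three user IDs are assumed to exist already.

```jcl
//RACFDLG  JOB (ACCT),'DELEGATE ADMIN',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Must be submitted by a user who holds the SPECIAL attribute.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Group tree: SYS1 -> DEPT1 -> DEPT1A, both owned by a group.      */
  ADDGROUP DEPT1  SUPGROUP(SYS1)  OWNER(SYS1)
  ADDGROUP DEPT1A SUPGROUP(DEPT1) OWNER(DEPT1)
  /* Approach 1: group-SPECIAL. ADM001 administers DEPT1, and the      */
  /* scope percolates to DEPT1A because DEPT1A is owned by a group     */
  /* (DEPT1), not by a user.                                           */
  CONNECT ADM001 GROUP(DEPT1) SPECIAL
  /* A subgroup owned by a user instead of its superior group stops    */
  /* the percolation: ADM001's group-SPECIAL does not reach DEPT1B.    */
  ADDGROUP DEPT1B SUPGROUP(DEPT1) OWNER(USR123)
  /* Approach 2: class authorization. ADM002 may define user profiles  */
  /* (USER class) but gets no say over how resources are protected.   */
  ALTUSER ADM002 CLAUTH(USER)
  /* Display the result for review by the auditor.                     */
  LISTGRP DEPT1
  LISTGRP DEPT1B
  LISTUSER ADM001
  LISTUSER ADM002
/*
```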
Control the means of access to resources
RACF retains information about the users, groups