X de Xavier
Ones and zeros. Sometimes, in the right order.
Author: Xv

Certificate-based logon to zOS
2008-11-19

DCAS (zOS Communications Server's <span style="font-weight: bold;">Digital Certificate Access Server</span>) has come to my rescue. <a href="http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.halg001/f1a1f230282.htm">From the docs</a>:

<blockquote>The DCAS can be used by providers of logon and single sign-on services where access to z/OS-based applications is needed. The DCAS is a TCP/IP server that enables clients to connect over the network and obtain a passticket and z/OS user ID from RACF.

Clients that connect to DCAS must use the SSL protocol (DCAS supports SSL Version 3). Client authentication is performed.

Clients can request a user ID and passticket for an application. The client sends an x.509 certificate. DCAS converts the x.509 certificate to a valid user ID, which is returned. The x.509 certificate must have been mapped to a valid user ID in RACF.</blockquote>

It's the second time in a few months that DCAS is the solution to the problem that I'm working on; unfortunately, I had forgotten about the first time, so it has taken me a while to get rescued. Not a complete waste of time: I learned a few things about PKI and RACF.

The first time it was about a service to generate passtickets (strings that can be used as passwords for a short while). Despite my recommendation, the customer's choice was to not use DCAS and code it from scratch; go figure.

Now it is about authenticating to RACF from an application that uses a smartcard reader. I'm looking forward to coding the smartcard-based RACF logon, since working with smartcards has been on my wish list for a very long time.

And since Google and DCAS don't seem to be big friends, I'm posting this.

English books in Barcelona
2007-06-23

I've just come from <a href="http://www.hibernian-books.com/">Hibernian Books</a>, in Gràcia; it's a great place and I treated myself to a couple of books:
<ul><li><a href="http://www.schneier.com/book-applied.html">Applied Cryptography</a>, by Bruce Schneier, for 7€</li><li><a href="http://en.wikipedia.org/wiki/Peter_Principle">The Peter Principle</a>, for 4€. I was really pleased, since I had read it in Spanish many years ago, but I lost track of that copy a long time ago.</li></ul>
I've heard very good things about <a href="http://www.lfant.biz/">Elephant Book Store</a>.

Intro to security on z/OS
2007-02-15

I've just read a good article from the <a href="http://www.research.ibm.com/journal/">IBM Systems Journal</a>: <a href="http://www.research.ibm.com/journal/sj/403/guski.html">Security on z/OS: Comprehensive, current, and flexible</a>. About 20 printed pages, from 2001, and written "<span style="font-style: italic;">at a high level, aimed at enterprise decision makers and application architects. The intent is to explain the comprehensive security componentry within z/OS and to show how these techniques and functions are exploited by modern distributed and Internet applications</span>".

This is not mentioned in the article, but one thing that in the past has made me feel uneasy about z/OS security was the limited maximum password length (8 chars), giving a very small password space by today's computing standards. No need to be concerned about this anymore: <a href="http://www.ibm.com/common/ssi/fcgi-bin/ssialias?infotype=an&subtype=ca&appname=Demonstration&htmlfid=897/ENUS206-190">z/OS V1.8</a> supports <a href="http://pages.citebite.com/a1k0t8o2b8yha">RACF pass phrases from 14 to 100 characters in length</a>.

I learned some neat things about the z/OS security capabilities that, as far as I know, are not available in other operating systems, e.g.
<ul><li><a href="http://pages.citebite.com/i1y0e8q3q0sgf">access control can be made dependent on time</a>.</li><li>great separation of roles: <a href="http://pages.citebite.com/l1q0x8p2k9bps">admins can administer resources without having access to them</a>, or <a href="http://pages.citebite.com/u1y0v8m3w1lun">admins cannot prevent the auditor from auditing them, while the auditors cannot authorize themselves to resources</a> (<span style="font-weight: bold;">Update:</span> <a href="http://ktn.blogsome.com/">César Gustavo Miramontes</a>, <a href="http://ktn.blogsome.com/category/domino/">Domino</a> for <a href="http://ktn.blogsome.com/category/iseries/">iSeries</a> wizard, pointed out to me that iSeries also has this capability).</li></ul>
The article mentions that the SSL performance has dramatically increased: from 13 SSL handshakes per second in 1998 to 2,000 in 2001. Likely to be old data, but this <a href="http://pages.citebite.com/b1p0m8l3k4lug">talks about 11,000 SSL handshakes/second</a>.

Another introductory article that I liked is <a href="http://www.bcr.com/architecture/intranets/ensuring_security_ibm_mainframes_200604011169.htm">Ensuring Security On IBM Mainframes</a>. Shorter (10 pages), but it was useful for me to get a basic understanding of RACF classes and profiles.

More <a href="http://www.ibm.com/common/ssi/rep_ca/8/897/ENUS207-018/#Security">security-related goodies coming with z/OS v1.9</a>; dear to me, given what is keeping me busy today, are support for <a href="http://en.wikipedia.org/wiki/PKCS11">PKCS#11</a> and a Java API for RACF administration.

Alice (heart) Bob
2006-11-15

If <a href="http://en.wikipedia.org/wiki/Alice_and_Bob">Alice and Bob</a> make you think of cryptography, you'll probably enjoy this strip: <a href="http://xkcd.com/c177.html">http://xkcd.com/c177.html</a>

via Bruce Schneier's <a href="http://www.schneier.com/crypto-gram-0611.html">Crypto-Gram</a>.