<span style="font-weight: bold;">X de Xavier</span>: Ones and zeros. Sometimes in the right order. Posts by Xv (<a href="http://www.blogger.com/profile/12954073038736466058">Blogger profile</a>).<br /><br /><span style="font-weight: bold;">ABCs of z/OS System Programming</span> (2008-11-19)<br /><br />One of the side effects of <a href="http://xdexavier.blogspot.com/2008/11/certificate-based-logon-to-zos.html">my recent research</a> has been learning that the famous <span style="font-weight: bold;">ABCs of System Programming</span> redbooks have been updated and have gone from 5 volumes to... 11!!<br /><br /><a href="http://twitter.com/XavierVerges/status/1009933178">I've been browsing</a> <a href="http://www.redbooks.ibm.com/abstracts/sg246986.html">Volume 6: Security on z/OS, RACF, and LDAP. Kerberos and PKI. Cryptography and EIM.</a> and it has been quite useful (though, in fact, it did not point me where I needed to go). Not all the volumes have been published as of today; the page for each volume lists all of them.<br /><ul><li><a href="http://www.redbooks.ibm.com/abstracts/sg246981.html">Link to volume 1</a>.
</li><li><a href="http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=abcs&SearchOrder=4&SearchFuzzy=">Link to a search that should list all that have been published</a>.</li></ul><br /><span style="font-weight: bold;">Certificate-based logon to zOS</span> (2008-11-19)<br /><br />DCAS (z/OS Communications Server's <span style="font-weight: bold;">Digital Certificate Access Server</span>) has come to my rescue. <a href="http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.halg001/f1a1f230282.htm">From the docs</a>:<br /><br /><blockquote>The DCAS can be used by providers of logon and single sign-on services where access to z/OS-based applications is needed. The DCAS is a TCP/IP server that enables clients to connect over the network and obtain a passticket and z/OS user ID from RACF.<br /><br />Clients that connect to DCAS must use the SSL protocol (DCAS supports SSL Version 3). Client authentication is performed.<br /><br />Clients can request a user ID and passticket for an application. The client sends an x.509 certificate. DCAS converts the x.509 certificate to a valid user ID, which is returned. The x.509 certificate must have been mapped to a valid user ID in RACF </blockquote>It's the second time in a few months that DCAS is the solution to the problem I'm working on; unfortunately, I had forgotten about the first time, so it has taken me a while to get rescued. Not a complete waste of time: I learned a few things about PKI and RACF.<br /><br />The first time it was about a service to generate PassTickets (one-time, time-limited strings that RACF accepts in place of a password, generated for a given user ID and application from a secured signon key that RACF shares with the application).
Despite my recommendation, the customer's choice was not to use DCAS and to code it from scratch; go figure.<br /><br />Now it is about authenticating to RACF from an application that uses a smartcard reader. I'm looking forward to coding the smartcard-based RACF logon, since working with smartcards has been on my wish list for a very long time.<br /><br />And since Google and DCAS don't seem to be big friends, I'm posting this.<br /><br /><span style="font-weight: bold;">Intro to security on z/OS</span> (2007-02-15)<br /><br />I've just read a good article from the <a href="http://www.research.ibm.com/journal/">IBM Systems Journal</a>: <a href="http://www.research.ibm.com/journal/sj/403/guski.html">Security on z/OS: Comprehensive, current, and flexible</a>. About 20 printed pages, from 2001, and written "<span style="font-style: italic;">at a high level, aimed at enterprise decision makers and application architects. The intent is to explain the comprehensive security componentry within z/OS and to show how these techniques and functions are exploited by modern distributed and Internet applications</span>".<br /><br />This is not mentioned in the article, but one thing that in the past has made me feel uneasy about z/OS security was the limited maximum password length: 8 characters, historically drawn from uppercase letters, digits and the national characters @, # and $, i.e. 39^8, or about 5 trillion, possible passwords, a very small password space by today's computing standards.
No need to be concerned about this anymore, at least where the applications in front of RACF accept them: <a href="http://www.ibm.com/common/ssi/fcgi-bin/ssialias?infotype=an&subtype=ca&appname=Demonstration&htmlfid=897/ENUS206-190">z/OS V1.8</a> supports <a href="http://pages.citebite.com/a1k0t8o2b8yha">RACF pass phrases from 14 to 100 characters in length</a>.<br /><br />I learned some neat things about z/OS security capabilities that, as far as I know, are not available in other operating systems, e.g.<br /><ul><li><a href="http://pages.citebite.com/i1y0e8q3q0sgf">access control can be made dependent on time</a>.</li><li>great separation of roles: <a href="http://pages.citebite.com/l1q0x8p2k9bps">admins can administer resources without having access to them</a>, or <a href="http://pages.citebite.com/u1y0v8m3w1lun">admins cannot prevent the auditor from auditing them, while the auditors cannot authorize themselves to resources</a> (<span style="font-weight: bold;">Update:</span> <a href="http://ktn.blogsome.com/">César Gustavo Miramontes</a>, <a href="http://ktn.blogsome.com/category/domino/">Domino</a> for <a href="http://ktn.blogsome.com/category/iseries/">iSeries</a> wizard, pointed out to me that iSeries also has this capability).</li></ul>The article mentions that SSL performance has increased dramatically: from 13 SSL handshakes per second in 1998 to 2,000 in 2001. Those figures are likely outdated; this page <a href="http://pages.citebite.com/b1p0m8l3k4lug">talks about 11,000 SSL handshakes/second</a>.<br /><br />Another introductory article that I liked is <a href="http://www.bcr.com/architecture/intranets/ensuring_security_ibm_mainframes_200604011169.htm">Ensuring Security On IBM Mainframes</a>.
Shorter (10 pages), but it was useful for me to get a basic understanding of RACF classes and profiles.<br /><br />More <a href="http://www.ibm.com/common/ssi/rep_ca/8/897/ENUS207-018/#Security">security-related goodies are coming with z/OS V1.9</a>; the ones closest to what is keeping me busy today are support for <a href="http://en.wikipedia.org/wiki/PKCS11">PKCS#11</a> and a Java API for RACF administration.
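<br /><br />Going back to the DCAS post above: the flow it implements (a client certificate, presented over client-authenticated TLS, is mapped to a RACF user ID, and a short-lived PassTicket is issued for a named application) as an added toy model. This is example code written for this page, not IBM's DCAS or RACF code. The certificate bytes, signon key and user IDs are constructed inputs; the fingerprint map stands in for RACF's RACDCERT certificate-to-user-ID mapping; the ticket is an HMAC-based stand-in with a PassTicket's shape (8 uppercase alphanumerics) and its +/- 10 minute acceptance window, not RACF's actual DES-based PassTicket algorithm; and the DCAS wire format is not modelled.

```python
"""Toy model of the DCAS flow: client X.509 certificate -> RACF user ID ->
short-lived PassTicket for one application.

Added example, not IBM or DCAS code.  The certificate map stands in for RACF's
RACDCERT certificate-to-user-ID mapping, and the ticket is an HMAC stand-in with
a PassTicket's shape (8 uppercase alphanumerics) and +/- 10 minute window; it is
NOT RACF's DES-based PassTicket algorithm.  All inputs below are constructed."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

TICKET_LIFETIME_SECONDS = 600   # RACF accepts a PassTicket within +/- 10 minutes
SLOT_SECONDS = 60               # time granularity folded into the ticket
TICKET_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def _check_name(name: str, what: str) -> str:
    """RACF user IDs and application names are 1-8 characters, uppercase."""
    if not 1 <= len(name) <= 8:
        raise ValueError(f"{what} must be 1-8 characters: {name!r}")
    return name.upper()


class CertificateMap:
    """Certificate -> user ID, keyed by the SHA-256 fingerprint of the DER bytes
    (stand-in for RACF's RACDCERT ADD ... ID(user) mapping)."""

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, str] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def add(self, cert_der: bytes, user_id: str) -> None:
        self._by_fingerprint[self.fingerprint(cert_der)] = _check_name(user_id, "user ID")

    def lookup(self, cert_der: bytes) -> Optional[str]:
        return self._by_fingerprint.get(self.fingerprint(cert_der))


class PassTicketService:
    """Issues and verifies one-time, time-limited tickets bound to (user, application)."""

    def __init__(self, signon_key: bytes) -> None:
        self._key = signon_key                          # shared secret (RACF: PTKTDATA profile key)
        self._used: Set[Tuple[str, str, str]] = set()   # replay protection

    def _ticket_for_slot(self, user_id: str, appl: str, slot: int) -> str:
        msg = f"{user_id:<8}{appl:<8}{slot}".encode("ascii")
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return "".join(TICKET_ALPHABET[b % len(TICKET_ALPHABET)] for b in tag[:8])

    def issue(self, user_id: str, appl: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        user_id, appl = _check_name(user_id, "user ID"), _check_name(appl, "application")
        return self._ticket_for_slot(user_id, appl, int(now // SLOT_SECONDS))

    def verify(self, user_id: str, appl: str, ticket: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        user_id, appl = _check_name(user_id, "user ID"), _check_name(appl, "application")
        if (user_id, appl, ticket) in self._used:
            return False                                # replay: a PassTicket is single use
        current = int(now // SLOT_SECONDS)
        span = TICKET_LIFETIME_SECONDS // SLOT_SECONDS
        for slot in range(current - span, current + span + 1):   # tolerate clock skew
            if hmac.compare_digest(self._ticket_for_slot(user_id, appl, slot), ticket):
                self._used.add((user_id, appl, ticket))
                return True
        return False


def dcas_logon(cert_map: CertificateMap, tickets: PassTicketService,
               cert_der: bytes, appl: str, now: Optional[float] = None) -> Tuple[str, str]:
    """What DCAS does after a successful client-authenticated TLS handshake:
    map the presented certificate to a user ID and return it with a PassTicket."""
    user_id = cert_map.lookup(cert_der)
    if user_id is None:
        raise PermissionError("certificate is not mapped to a RACF user ID")
    return user_id, tickets.issue(user_id, appl, now)


if __name__ == "__main__":
    cert_map = CertificateMap()
    alice_cert = b"constructed DER stand-in for Alice's certificate"   # constructed input
    cert_map.add(alice_cert, "alice")
    tickets = PassTicketService(b"constructed secured signon key")      # constructed input
    user, ticket = dcas_logon(cert_map, tickets, alice_cert, "TSO")
    print(user, ticket, tickets.verify(user, "TSO", ticket))   # a second verify would be False
```

The verifier accepts a ticket once within the window around the issuing time slot and rejects a replay of the same ticket, a ticket presented for a different application, and a ticket older than the window. Those three properties, plus the fact that the shared key never crosses the wire, are what make a PassTicket a safer substitute for a password than the customer's from-scratch service would have been without them.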