z/OS 1.6 Security Services Update.
Title:
z/OS 1.6 Security Services Update.
Author:
Redbooks, IBM.
Physical Description:
1 online resource (332 pages)
Contents:
Front cover -- Contents -- Figures -- Notices -- Trademarks -- Preface -- The team that wrote this redbook -- Become a published author -- Comments welcome -- Chapter 1. Overview of z/OS Security Services -- 1.1 Packaging of the imbedded Security functions at z/OS 1.6 -- 1.1.1 z/OS Cryptographic Services -- 1.1.2 z/OS Security Server -- 1.1.3 z/OS Integrated Security Services -- 1.1.4 Additional products -- Chapter 2. RACF Security Server enhancements -- 2.1 z/OS UNIX System Services Security and RACF -- 2.2 HFS ACLs -- 2.2.1 Managing ACLs -- 2.2.2 ACLs and RACF -- 2.2.3 Auditing and reporting -- 2.2.4 Migration considerations -- 2.2.5 Examples of ACLs use -- 2.3 UNIX identity management -- 2.3.1 Enhancements to the OMVS RACF segment -- 2.4 RACF enhancements -- 2.4.1 PADS enhancement -- 2.4.2 Dynamic CDT -- 2.4.3 RACROUTE traces -- 2.5 RACF digital certificates handling enhancements -- 2.5.1 The PKIX standards -- 2.5.2 Handling of the X.509 V3 extensions -- 2.5.3 The RACDCERT GENCERT function -- 2.5.4 Hardware assistance to certificate generation -- 2.5.5 Certificate and key export formats -- 2.5.6 New default CA certificates in the RACF database -- 2.5.7 RACF certificate management enhancements at z/OS 1.6 -- 2.5.8 The RACDCERT REKEY function -- 2.5.9 The RACDCERT ROLLOVER function -- Chapter 3. Multilevel Security and RACF -- 3.1 An introduction to MLS -- 3.1.1 What is Multilevel Security -- 3.1.2 Why Multilevel Security -- 3.1.3 Access controls -- 3.1.4 Introduction to Mandatory Access Control -- 3.2 Multilevel Security in z/OS with RACF -- 3.2.1 SECLABELs -- 3.2.2 Multilevel Security in action -- 3.2.3 DB2 and Multilevel Security -- 3.2.4 Before turning on Multilevel Security -- 3.3 Multilevel Security vocabulary -- 3.4 Common criteria -- 3.5 More on security labels -- 3.5.1 Security labels and data classification policies.

3.5.2 Mandatory Access Control -- 3.5.3 Discretionary Access Control -- 3.5.4 Security levels and security categories -- 3.5.5 Defining security labels -- 3.5.6 Authorizing users to access security labels -- 3.5.7 Using security labels -- 3.5.8 Dominance -- 3.5.9 Security label authorization checking -- 3.5.10 Using system-specific security labels in a sysplex -- Chapter 4. MLS as applied to TCP/IP communications -- 4.1 z/OS TCP/IP and the SERVAUTH class -- 4.1.1 Stack access control -- 4.1.2 Network access control -- 4.1.3 The notion of port of entry (POE) -- 4.2 The MLS networking environment -- 4.2.1 Some MLS basics (again) -- 4.3 Setting up MLS for z/OS TCP/IP communications -- 4.3.1 Our test configuration -- 4.3.2 Our test -- 4.4 The big theoretical picture - TCP -- 4.4.1 Sequence of events -- Chapter 5. z/OS Integrated Security Services LDAP -- 5.1 Some historical data on z/OS LDAP -- 5.2 z/OS LDAP enhancements -- 5.2.1 Logging support -- 5.2.2 z/OS LDAP BIND support -- 5.2.3 LDAP access control lists -- 5.2.4 Enhanced groups support -- 5.3 Changes to LDAP operations -- 5.3.1 Entry UUID -- 5.3.2 Modify DN -- 5.3.3 Alias support -- 5.3.4 LDAP search performance improvement -- 5.3.5 LDAP persistent search -- 5.3.6 Peer-to-peer replication -- 5.4 Miscellaneous improvements since z/OS 1.4 -- 5.4.1 Incorrect bind DN -- 5.4.2 RDBM and JNDI removal -- 5.4.3 SDBM backend -- 5.4.4 TDBM backend DB2 restart and recovery -- 5.5 LDAP Client - Miscellaneous improvements -- 5.5.1 SOCKS V5 support -- 5.5.2 Enhanced security functions -- 5.5.3 Extended processing for distinguished names -- 5.5.4 Extended rebind processing -- Chapter 6. RACF Password Enveloping and z/OS LDAP Change Log -- 6.1 The overall view -- 6.2 Enablement of Password Enveloping in RACF -- 6.2.1 What this new RACF function does -- 6.2.2 Our setup and test -- 6.3 LDAP Change Notification.

6.3.1 Testing RACF Event Notification -- 6.3.2 Retrieving the enveloped password -- Chapter 7. z/OS Enterprise Identity Mapping (EIM) in a nutshell -- 7.1 What Enterprise Identity Mapping is -- 7.1.1 The problem that is addressed -- 7.1.2 The benefits of the EIM approach -- 7.1.3 The EIM implementation concepts -- 7.1.4 EIM components -- 7.2 The EIM Domain Controller -- 7.2.1 Overview of EIM interactions -- 7.2.2 Content of the EIM Domain Controller -- 7.2.3 Access controls to the EIM Domain Controller and its contents -- 7.2.4 Setting up the LDAP directory to act as an EIM Domain controller -- 7.3 The EIM client -- 7.3.1 Using RACF profiles to keep EIM default parameters -- 7.4 A simple demonstration of EIM -- 7.4.1 The eimdemo application -- 7.4.2 Sample code -- 7.4.3 Setup of the demo environment -- 7.5 New EIM features at z/OS 1.6 -- 7.5.1 Registry and domain mapping policies -- 7.5.2 Digital certificate registries -- Chapter 8. z/OS Network Authentication Service (Kerberos) -- 8.1 A brief reminder on z/OS Network Authentication Service -- 8.2 z/OS Network Authentication Service enhancements -- 8.2.1 z/OS 1.2 -- 8.2.2 Network Authentication Service enhancement at z/OS 1.4 -- 8.2.3 Network Authentication Service enhancements in z/OS 1.6 -- 8.3 GSS-API and krb5_ API test programs -- 8.3.1 Setup -- 8.3.2 The RACF KDC -- 8.3.3 The client -- 8.3.4 The intermediate server -- 8.3.5 The end-server -- 8.3.6 Running the test -- Chapter 9. z/OS System SSL -- 9.1 SSL and TLS reminder -- 9.1.1 The SSL protocol interactions sequence -- 9.1.2 The sessionID re-use -- 9.1.3 SSL and TLS -- 9.1.4 SSL client authentication -- 9.2 z/OS System SSL -- 9.2.1 Packaging at z/OS 1.6 -- 9.2.2 Exploiters of System SSL -- 9.2.3 System SSL history -- 9.3 System SSL principles of operations -- 9.4 z/OS System SSL and cryptography -- 9.4.1 Supported CipherSpecs.

9.4.2 Invocation of the hardware cryptographic coprocessors -- 9.5 Managing keys and certificates with gskkyman -- 9.5.1 A reminder -- 9.5.2 gskkyman enhancements at z/OS 1.4 -- 9.5.3 gskkyman enhancements at z/OS 1.6 -- 9.6 Managing keys and certificates with RACDCERT command -- 9.7 System SSL Certificate Management Services -- 9.7.1 Certificate database manipulation API -- 9.7.2 Certificate database exploitation API -- 9.7.3 PKCS #7 message API -- 9.8 System SSL diagnostics facilities -- 9.8.1 High-level trace -- 9.8.2 System SSL Component Trace -- Chapter 10. z/OS OpenSSH -- 10.1 SSH and OpenSSH -- 10.2 OpenSSH -- 10.2.1 OpenSSH principles of operation -- 10.2.2 Other OpenSSH features -- 10.2.3 Positioning OpenSSH vs. SSL/TLS -- 10.3 z/OS OpenSSH implementation -- 10.3.1 Functions provided -- 10.4 z/OS OpenSSH principles of operation -- 10.4.1 OpenSSH configuration files -- 10.4.2 Server authentication -- 10.4.3 Client authentication -- 10.4.4 z/OS OpenSSH and the syslogd daemon -- 10.4.5 z/OS OpenSSH restrictions -- 10.4.6 Supported cryptographic algorithms -- 10.5 Installing OpenSSH on z/OS -- 10.5.1 Steps for migrating from downloaded versions -- 10.5.2 Ordering and install -- 10.5.3 Setting up and starting the sshd daemon -- 10.6 Using OpenSSH on z/OS -- 10.6.1 Using PuTTY with password authentication -- 10.6.2 Using PuTTY with public key authentication -- Appendix A. EIM API demo sample code -- List of the EIM APIs as of the writing of this book -- Sample code to set up and run the EIM demo -- Main program: eimdemo.c -- eimdemo2.c -- eimdemo3.c -- Appendix B. Sample test programs for PADS enhancements and RACF Password Enveloping -- PADS enhancement sample code -- RACF Password Enveloping sample test -- Related publications -- IBM Redbooks -- Online resources -- Help from IBM -- Index -- Back cover.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.