Communications Server for z/OS V1R2 TCP/IP Implementation Guide, Volume 7 : Security.
Title:
Communications Server for z/OS V1R2 TCP/IP Implementation Guide, Volume 7 : Security.
Author:
Redbooks, IBM.
Physical Description:
1 online resource (474 pages)
Contents:
Front cover
Contents
Notices
Trademarks
Preface
  The team that wrote this redbook
  Comments welcome
Part 1 Introduction
  Chapter 1. Security in a networked world
    1.1 Evolution of networking
    1.2 Potential problems with electronic message exchange
      1.2.1 The request is not really from your customer
      1.2.2 The order could have been intercepted and read
      1.2.3 The order could have been intercepted and altered
      1.2.4 An order is received from your customer, but he denies sending it
  Chapter 2. Basic cryptography
    2.1 Secret key cryptography
    2.2 Public key cryptography
      2.2.1 Encryption
      2.2.2 Authentication
      2.2.3 Public key algorithms
      2.2.4 Digital certificates
    2.3 Performance issues of cryptosystems
    2.4 Message integrity
      2.4.1 Message digest (or "hash")
      2.4.2 Message authentication codes (MAC)
      2.4.3 Digital signatures
Part 2 Securing z/OS with RACF
  Chapter 3. UNIX System Services security
    3.1 z/OS Security Server (RACF)
      3.1.1 Identification and authentication
      3.1.2 Alternatives to passwords
      3.1.3 Checking authorization
      3.1.4 Logging and reporting
      3.1.5 RACF and z/OS UNIX System Services
    3.2 Security in UNIX systems
      3.2.1 Traditional UNIX security mechanisms
    3.3 z/OS UNIX System Services security
      3.3.1 UNIX level security
      3.3.2 z/OS UNIX System Services level security
      3.3.3 Why is z/OS UNIX System Services a more secure UNIX?
      3.3.4 Access permission to HFS files and directories
      3.3.5 Displaying files and directories
      3.3.6 UID/GID assignment to a process
      3.3.7 Defining UNIX System Services users
      3.3.8 Default user
      3.3.9 Superuser
      3.3.10 Started task user IDs
      3.3.11 FACILITY class profile BPX.SUPERUSER
      3.3.12 FACILITY class profile BPX.DAEMON
      3.3.13 Additional BPX.* FACILITY class profiles
      3.3.14 Programs in the Hierarchical File System
      3.3.15 z/OS UNIX kernel address space
      3.3.16 z/OS UNIX security considerations for TCP/IP
      3.3.17 IBM-supplied daemons
      3.3.18 MVS sockets server applications
      3.3.19 Summary
  Chapter 4. TCP/IP stack resource access
    4.1 TCP/IP stack access control
      4.1.1 Stack Access overview
      4.1.2 Example setup
      4.1.3 Transport/stack affinity
    4.2 Network access control
      4.2.1 Network access control overview
      4.2.2 Server considerations
      4.2.3 Using NETSTAT for Network Access control
      4.2.4 Working example of Network Access control
    4.3 Port Access control
      4.3.1 The PORT/PORTRANGE SAF keyword
      4.3.2 SAF keyword on FTP or any other well-known PORTs
      4.3.3 Using NETSTAT to display Port Access control
      4.3.4 Scenarios using port access control
  Chapter 5. Operations and administration security
    5.1 z/OS VARY TCPIP command security
      5.1.1 RACF profile details
      5.1.2 VARY TCPIP command security scenario
    5.2 TSO NETSTAT and UNIX onetstat command security
      5.2.1 RACF profile details
      5.2.2 NETSTAT security scenario
      5.2.3 Further reading
Part 3 Network security
  Chapter 6. Firewall concepts
    6.1 General guidelines for implementing firewalls
    6.2 Firewall categories
      6.2.1 Packet filtering
      6.2.2 Application-level gateway
    6.3 z/OS Firewall Technologies
    6.4 The demilitarized zone
  Chapter 7. IPSec and virtual private networks (VPN)
    7.1 IPSec
      7.1.1 Security Associations
      7.1.2 Transmitting data with IPSec
  Chapter 8. Implementing IPSec with z/OS Firewall Technologies
    8.1 Introduction
    8.2 Firewall enhancements
    8.3 Installation planning
    8.4 Installation, configuration and operation
    8.5 Interoperability considerations
    8.6 Sample configuration files
    8.7 RACF considerations
      8.7.1 Configuring TCP/IP on the firewall host
    8.8 Configuring and using the configuration server and client (GUI)
      8.8.1 Simple configuration scenario
      8.8.2 Configuring SSL
      8.8.3 Configuring the configuration server (CFGSRV)
      8.8.4 Setting up the configuration client on Windows
      8.8.5 Accessing the configuration client (GUI)
      8.8.6 Tunnel definition
      8.8.7 FWTUNNL export file conversion from z/OS and AIX
      8.8.8 On-demand dynamic tunnels scenario
Part 4 Application security
  Chapter 9. Tools for application security
    9.1 Secure Sockets Layer (SSL)
      9.1.1 SSL protocol description
      9.1.2 Certificates for SSL
      9.1.3 System SSL
    9.2 TLS protocol
    9.3 Kerberos-based security system
      9.3.1 Kerberos protocol overview
      9.3.2 Inter-realm operation
      9.3.3 Some assumptions
      9.3.4 Kerberos implementation in z/OS
  Chapter 10. Certificate management in z/OS
    10.1 Digital certificates in z/OS
    10.2 Digital certificate field formats
    10.3 RACF RACDCERT command use
    10.4 RACF keyrings
      10.4.1 RACDCERT command security
      10.4.2 RACDCERT command format
    10.5 gskkyman command use
    10.6 Client certificates
    10.7 Server certificates
    10.8 Self-signed certificates
    10.9 Obtaining certificates
      10.9.1 Self-signed certificates
      10.9.2 Internal Certificate Authority (CA)
      10.9.3 External Certificate Authority (CA)
    10.10 Certificate locations example
      10.10.1 RACF certificates
      10.10.2 gskkyman HFS certificates
  Chapter 11. File-related applications
    11.1 z/OS FTP server
      11.1.1 FTP using Transport Layer Security (TLS)
      11.1.2 TLS/SSL scenarios
      11.1.3 FTP using Kerberos
      11.1.4 FTP and Kerberos scenario
    11.2 z/OS TFTP server
    11.3 z/OS NFS server
      11.3.1 z/OS NFS security levels
      11.3.2 Security information exchange between NFS client and server
      11.3.3 Access to the HFS
      11.3.4 Conclusion
  Chapter 12. TN3270 security
    12.1 TN3270 SSL
      12.1.1 TN3270 configuration parameters for SSL
      12.1.2 Client authentication
      12.1.3 TN3270 server SSL configuration scenarios
    12.2 Negotiated Telnet security
      12.2.1 TN3270 server parameters for negotiated security
      12.2.2 TN3270 server configuration scenario
      12.2.3 TN3270 client (HOD) negotiated Telnet configuration scenario
    12.3 Express Logon Feature (ELF)
      12.3.1 Two-tier network design
      12.3.2 Three-tier network design
      12.3.3 Implementing ELF in a two-tier design
      12.3.4 Implementing ELF in a three-tier design
  Chapter 13. UNIX remote execution applications
    13.1 UNIX Telnet server security
      13.1.1 Kerberized UNIX Telnet server support
    13.2 UNIX System Services rlogind/rshd/rexecd
    13.3 z/OS UNIX rshd Kerberos support
      13.3.1 Implementing Kerberos on orshd
  Chapter 14. OMPRoute security
    14.1 OSPF route update messages security
    14.2 OMPRoute configuration
      14.2.1 The Area configuration statement
      14.2.2 The OSPF_Interface configuration statement
  Chapter 15. Network management applications
    15.1 z/OS SNMP
      15.1.1 SNMP security
    15.2 z/OS Policy Agent
      15.2.1 SSL with LDAP and Policy Agent
      15.2.2 Considerations when opening an SSL connection
  Chapter 16. HTTP Server for z/OS
    16.1 HTTP Server security
    16.2 Server security structure
    16.3 Setting up SAF control
    16.4 How to protect resources
      16.4.1 Access control directives
      16.4.2 Protection directives
    16.5 Accessing back-end applications
    16.6 SSL-related features in the IBM HTTP Server for z/OS
      16.6.1 Encryption support
      16.6.2 Global Server IDs
      16.6.3 Crypto hardware support for SSL
    16.7 SSL scenario
      16.7.1 Server authentication
      16.7.2 Client authentication
    16.8 Associating a client certificate with a RACF user ID
      16.8.1 RACF digital certificate support
      16.8.2 Install and maintain digital certificates in RACF
      16.8.3 Register a certificate using RACDCERT
      16.8.4 Certificate self-registration with RACF
      16.8.5 Certificate name filtering
    16.9 Retrieving LDAP information
      16.9.1 Configuring LDAP on IBM HTTP Server
      16.9.2 How to use authentication information stored in LDAP
      16.9.3 Creating user entries in the z/OS LDAP server
    16.10 Conclusion
  Chapter 17. Utility applications
    17.1 z/OS Lightweight Directory Access Protocol (LDAP)
      17.1.1 Authentication with the z/OS LDAP server
      17.1.2 Security of the directory
      17.1.3 Using SSL communication
    17.2 BIND-9 based DNS
      17.2.1 TSIG
      17.2.2 DNSSEC
      17.2.3 Secure your DNS environment
    17.3 Syslogd daemon
      17.3.1 syslogd isolation
Part 5 Appendixes
  Appendix A. VPN planning worksheets
  Appendix B. Sample RACF definitions
    B.1 RACF settings for UNIX System Services
    B.2 RACF settings for TCP/IP applications
      B.2.1 RACF configuration for OS/390 UNIX level security
      B.2.2 RACF definitions to control the use of the TCP/IP operator commands
    B.3 Required RACF definitions to get Firewall Technologies started
    B.4 RACF definition to manage certificate in RACF common keyring
  Appendix C. Default permissions for HFS files in z/OS UNIX
  Appendix D. Digital certificate formats supported by RACDCERT
Related publications
  IBM Redbooks
  Other resources
  Referenced Web sites
  How to get IBM Redbooks
    IBM Redbooks collections
Index
Back cover
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.