eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
z/OS and OS/390 Product/Component Naming Convention

As each release of an operating system is made generally available, IBM often changes the name of the supplied components or products. The following tables provide a reference for these supported releases.

Product                                        Operating System Release
TCP/IP                                         OS/390 Version 2 Release 4 and Below
Communications Server IP for OS/390            OS/390 Version 2 Release 5 and Above
SecureWay Communications Server for OS/390     OS/390 Version 2 Release 8 and Above

Product                                        Operating System Release
Open Edition MVS                               OS/390 Version 2 Release 5 and Below
UNIX System Services for OS/390                OS/390 Version 2 Release 6 and Above

Product                                        Operating System Release
Internet Connection Security Server            OS/390 Version 1 Release 3 and Below
Lotus Domino Go Webserver                      OS/390 Version 2 Release 4 & 5
SecureWay Application Server for OS/390        OS/390 Version 2 Release 8 and Above

Product                                        Operating System Release
CICS                                           MVS 5.1 and Below
CICS Transaction Server                        MVS/ESA 5.2 and Above

z/OS and OS/390 Release-Specific Security Concerns

Several z/OS and OS/390 release-specific eTrust CA-Top Secret security requirements exist. In addition to the following information, it is important that you review the informational solutions discussed in the Upgrade Solutions section of this document. These solutions contain the latest z/OS and OS/390 release-specific implementation procedures and a list of the latest recommended eTrust CA-Top Secret maintenance.

1–4 Cookbook
z/OS V1R1 and Above

Two new resource classes have been introduced by the WebSphere Application Server as EJBROLE and GEJBROLE. These classes are used to control access to methods within Enterprise Java Beans (EJB). eTrust CA-Top Secret now allows resource names to be in mixed case to support the functioning of these resource classes.

eTrust CA-Top Secret now supports two new SAF callable services, R_cacheserv and R_proxyserv. R_cacheserv is used to request the storage or retrieval of information from a cache. R_proxyserv is used to request the LDAP Server to retrieve information from a directory information tree (DIT).

z/OS and OS/390 V2R10 and Above

eTrust CA-Top Secret fully supports the Network and Privacy Authentication Server, known as Kerberos. eTrust CA-Top Secret stores and administers information about realms and principals for network authentication in the SDT and in the security file.

In addition, eTrust CA-Top Secret fully supports the SERVAUTH class. With z/OS and OS/390 V2R10, TCP/IP uses the SERVAUTH class to protect various TCP/IP resources from unauthorized access.

OS/390 V2R9 and Above

OS/390 V2R9 introduces support for Digital Certificate keyring and filtering functionality. Contact eTrust CA-Top Secret Support to obtain the required maintenance for the above new features.

OS/390 V2R8 and Above

OS/390 V2R8 introduces support for a more granular approach to securing superuser authorities. eTrust CA-Top Secret can be used to grant limited (or selected) subsets of superuser privileges to specific users, rather than having to grant complete superuser authority.

OS/390 V2R8 also introduces support for User Limits. With this support you can control the amount of resources consumed by individual OS/390 UNIX users. The BPXPRMxx member of PARMLIB determines resource limits for OS/390 UNIX users (global setting). eTrust CA-Top Secret can be used to store supported user limit settings for each acid.

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–5