eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
Certificate Name Filtering Support

Search Sequence Scenario

Assume the following records exist and all are trusted. They are listed in the order in which they are grouped in the search table.

    CERTMAP(MAP001) ACID(NJDEPT1)
        IDNFILTR(OU=Verisign Class 1 Individual Subscriber.O=Verisign,Inc.L=Internet)
        SDNFILTR(OU=DEPT1.OU=NJ.OU=Sales.O=ABC Co)
    CERTMAP(MAP002) ACID(NJDEPTX)
        IDNFILTR(O=Verisign,Inc.L=Internet) SDNFILTR(OU=Sales.O=ABC Co)
    CERTMAP(MAP003) ACID(NYDEPT2)
        SDNFILTR(OU=DEPT2.OU=NY.OU=Sales.O=ABC Co)
    CERTMAP(MAP004) ACID(NYDEPT3)
        SDNFILTR(OU=DEPT3.OU=NY.OU=Sales.O=ABC Co)
    CERTMAP(MAP005) ACID(ABCDEPT)
        SDNFILTR(OU=Sales.O=ABC Co)
    CERTMAP(MAP006) ACID(ABCTECH)
        SDNFILTR(OU=R&D.O=ABC Co)
    CERTMAP(MAP007) ACID(MULTIID)
        IDNFILTR(O=Verisign,Inc.L=Internet) CRITERIA(CNFAPP=&CNFAPP)
    CRITMAP(CRT001) ACID(ABCCUST) CNFAPP(ABCINET)
    CRITMAP(CRT002) ACID(ABCDFLT) CNFAPP(*)

Assume a certificate is being presented by a user whose distinguished name is CN=Bill,OU=Dept4,OU=PA,OU=Sales,O=ABC Co. The issuer's distinguished name contains information about Thawte, not VeriSign. How would we process the search for this certificate?

The first two entries don't match, so we get to the section without an IDNF. We loop through the SDNFs checking for a match: we take the CN off the certificate distinguished name and compare the rest of the certificate distinguished name against each SDNF. The sections starting with OU=Dept4 and OU=PA will not match. However, the section starting with OU=Sales will provide a match, and the ABCDEPT acid is assigned.

Assume a user presents a certificate issued by VeriSign but not for ABC Co. We would get a match on CERTMAP MAP007, based on the IDNF information. Then we would search the CRITMAP records for a matching CNFAPP. If the CNFAPP was ABCINET, then acid ABCCUST would be assigned. All other applications would be assigned the default acid ABCDFLT.

1–80 Cookbook
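As an added illustration (example code, not part of the cookbook), the search sequence above in Python: a filter matches when it equals the DN with zero or more leading components stripped, records are tried in search-table order, and a CRITERIA record is resolved through CRITMAP. It assumes '.' separates filter components throughout, that comparison is case-insensitive, and uses constructed subject and issuer DNs and application names.

```python
"""Search-sequence walk over the scenario's CERTMAP/CRITMAP records (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

def rdns(dn: str) -> list:
    """Split 'CN=Bill.OU=Sales.O=ABC Co' into components; '.' separates only when
    followed by 'attr=' so values such as 'Verisign,Inc' survive. Case-insensitive (assumed)."""
    return [c.strip().lower() for c in re.split(r"\.(?=[A-Za-z]+=)", dn)]

def filter_matches(filt: str, dn: str) -> bool:
    """Filter matches when it equals the DN with zero or more leading components removed:
    the CN is dropped first, then each OU, until the remainder equals the filter."""
    want, have = rdns(filt), rdns(dn)
    return any(have[i:] == want for i in range(len(have) - len(want) + 1))

@dataclass
class CertMap:
    name: str
    acid: str
    idnfiltr: Optional[str] = None   # issuer's DN filter
    sdnfiltr: Optional[str] = None   # subject's DN filter
    criteria: bool = False           # CRITERIA(CNFAPP=&CNFAPP): ACID comes from CRITMAP

# Records in search-table order, as listed in the scenario ('.' separators throughout)
CERTMAPS = [
    CertMap("MAP001", "NJDEPT1", "OU=Verisign Class 1 Individual Subscriber.O=Verisign,Inc.L=Internet",
            "OU=DEPT1.OU=NJ.OU=Sales.O=ABC Co"),
    CertMap("MAP002", "NJDEPTX", "O=Verisign,Inc.L=Internet", "OU=Sales.O=ABC Co"),
    CertMap("MAP003", "NYDEPT2", None, "OU=DEPT2.OU=NY.OU=Sales.O=ABC Co"),
    CertMap("MAP004", "NYDEPT3", None, "OU=DEPT3.OU=NY.OU=Sales.O=ABC Co"),
    CertMap("MAP005", "ABCDEPT", None, "OU=Sales.O=ABC Co"),
    CertMap("MAP006", "ABCTECH", None, "OU=R&D.O=ABC Co"),
    CertMap("MAP007", "MULTIID", "O=Verisign,Inc.L=Internet", None, criteria=True),
]
CRITMAPS = [("CRT001", "ABCCUST", "ABCINET"), ("CRT002", "ABCDFLT", "*")]   # (name, ACID, CNFAPP)

def resolve_acid(subject_dn: str, issuer_dn: str, cnfapp: str = "") -> Optional[str]:
    """First record whose present filters all match wins; None means no ACID is assigned."""
    for m in CERTMAPS:
        if m.idnfiltr and not filter_matches(m.idnfiltr, issuer_dn):
            continue
        if m.sdnfiltr and not filter_matches(m.sdnfiltr, subject_dn):
            continue
        if not m.criteria:
            return m.acid
        for _name, acid, app in CRITMAPS:          # CNFAPP(*) is the default entry
            if app == "*" or app.upper() == cnfapp.upper():
                return acid
    return None
```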
Kerberos

eTrust CA-Top Secret can be configured to implement UNIX System Services Network Authentication and Privacy Service, known as Kerberos. New records in the SDT are defined to provide REALM definitions that describe the local and foreign environments which the local server is expected to recognize. Local ACIDs are equipped with an additional KERB segment, containing Kerberos information, and are mapped for fast access in the SDT. Foreign ACIDs are linked to local ACIDs through additional SDT definitions.

In this chapter, the resource HFSSEC is used for UNIX file security. For generality, if the client does not wish to employ eTrust CA-Top Secret HFSSEC, the IBMFAC(SUPERUSER.) resource may be substituted in the examples below.

Local Server Configuration

Instructions for installing the Kerberos Server are provided in the z/OS Network Authentication Service Administration Guide. In order to implement the Kerberos Server SKRBKDC, you will need to define a region ACID for this procedure. Use the following commands:

    TSS CREATE(SKRBKDC) NAME('kerb server acid') PASS(NOPW,0)
        DEPT(sysdept) FACILITY(BATCH,STC,OPENMVS) SOURCE(INTRDR)

The ACID will need to have a number of permissions and keywords established. Use the following commands:

    TSS ADD(SKRBKDC) UID(0) HOME(/etc/skrb/home/kdc) OMVSPGM(/bin/sh)
        GROUP(omvsgrp) DFLTGRP(omvsgrp)
    TSS PER(SKRBKDC) HFSSEC(/BIN.SH) ACC(READ,EXEC)
    TSS PER(SKRBKDC) HFSSEC(/ETC.SKRB) ACC(READ)

Additional permissions will be needed, depending on the settings of variables in the configuration file, /var/skrb/home/kdc/envar. Use the following commands:

    TSS PER(SKRBKDC) HFSSEC(nlspath) ACC(READ,EXEC)
    TSS PER(SKRBKDC) HFSSEC(nlslocale) ACC(READ,EXEC)

The installation defaults are:

    nlspath:   /USR.LPP.SKRB.LIB.NLS.MSG.EN_US$IBM$1047.SKR
    nlslocale: /USR.LIB.NLS.LOCALE.EN_US

These will differ if you apply a different language path (NLSPATH) in the configuration environment.

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–81