BMC Mainframe: TCP/IP Security in a z/OS Environment using Policy Agent & RACF

Why secure the TCP/IP network
What is required of a security system?
IBM's Resource Access Control Facility (RACF)
Main RACF - z/OS components
How does RACF work?
RACF profiles: Group profiles, User profiles, Dataset profiles, General resource profiles
Resource classes
RACF commands

RACF group structure
RACF group types
RACF group structure
Dataset profile ownership
Concept of profile ownership
RACF administration delegation

Benefits of RACF groups
Defining RACF groups
Group CONNECT authority
Group profile segments
Group related commands

Information on users
RACF user information
Segment information: TSO segment information, NetView segment information, CICS segment information, OMVS segment information
Defining a new user
User- related commands
User attributes

Classifying users and data
Security categories and levels
Creating a Security Category
Creating a Security Level
How Security Categories and Levels are used
Security labels

Dataset related commands
Dataset protection: Discrete profiles, Generic profiles, Rules for defining dataset profiles
Dataset profile ownership
Defining generic profiles

Access authority to datasets
Adding dataset profiles – ADDSD
PERMIT command
Building access lists (PERMIT)

General Resource related commands
Class Descriptor Table (CDT)
IBM-defined Resource Classes
Steps for defining General Resource profiles

Granting access to a General Resource
Global Access Table (GAT)
Setting up the Global Access Table (GAT)

Tasks that need protection with SERVAUTH Class
Policy based networking
SERVAUTH Resource Class responsibilities
SERVAUTH Resource Class
Protecting the TCPIP stack
Protecting your network access
Application considerations when using NETACCESS
Using the NETSTAT and PING commands to check protection
Protecting your network ports
RACF definitions for protecting network ports

Using the NETSTAT command to check PORT access
Protecting the use of socket options
What are network commands
Protecting network commands - z/OS TCPIP commands
Protecting network commands - NETSTAT and ONESTAT commands
Protecting network commands - EZACMD REXX program
Protecting FTP access
Other FTP profiles
Protecting TN3270 Secure Telnet Port
Protecting the MODDVIPA command

overview
What is a digital certificate?
Public key & certificate
Uses for certificates in applications
Secure Sockets Layer (SSL)
Secret key cryptography
Ciphers used in secret key cryptography
Notes on secret key ciphers
Public key cryptography
Public key ciphers
Message integrity
Message digest algorithms
Message Authentication Codes
Using the ciphers
Ciphers

SSL protocol
How SSL works
SSL Session ID
The SSL layer
System SSL
System SSL on z/OS
Why TLS
Hardware cryptography on System Z
Crypto support in z/OS
SSL and Crypto devices
Three types of encryption keys
Clear Key processing
Secure Key processing
Master Keys and Key Data Sets
Protected Key/Wrapping Key

SSHD UNIX files
SSHD - Using ICSF and /dev/random)
SSHD - Creating configuration files
SSHD - Creating SSHD server keys
SSHD- Set up SSHD server userids
SSHD - Create SSHD server started task
SSHD - TCP configuration

SSHD - Verify z/OS DNS / Resolver operation
The FTP server
FTPS and SFTP
Pros and cons of FTPS and SFTP
Customizing the FTP.DATA dataset
Customizing the PROFILE & SERVICES datasets
Starting FTP

Cryptography in Internet applications
Public key cryptography overview
What is a digital certificate?
Public key & certificate
Uses for certificates in applications
Secure Sockets Layer (SSL)
Digital certificates and RACF
How RACF uses digital certificates
RACF classes & commands
RACDCERT
RACF certificate generation
RACDCERT command
Creating a certificate
Gencert examples
Key rings
RACDCERT ring functions
Certification installation
RACDCERT ADD examples
Certification installation
Certificate management

Exploiters of certificates
Exporting a certificate
Certificates are packaged in formats
Steps for migrating a certificate and its ICSF private key in the PKDS
KEYXFER Utility
Miscellaneous issues
Renew a certificate
Examples of REKEY and ROLLOVER
Certificate mapping
RACF Key Rings
Global FACILITYclass profiles
Sharing a private key
RDATALIB Class
RACDCERT granular administration
RACDCERT granular control
Listing, removing & deleting
Password enveloping
How does password enveloping work?
Password enveloping - exceptions

What is TN3270 security?
How native TN3270 security can be applied with TLS
Description of TN3270 native connection security
Dependencies for Telnet server native connection security
Example of definitions
Encryption algorithms (cipher suites)

RACF permissions
What is FTP security?
Software and hardware prerequisites
Configuring FTP native TLS security
Logging onto the Server with FileZilla

Introduction to policy based networking
The Policy Agent
RACF and PAGENT
Define a User for PAGENT
Give authorized users access to start and stop PAGENT
Securing the pasearch command and initialising PAGENT before TCPIP
Other address spaces that will need RACF profiles
Central policy server
SERVAUTH authorisation for Policy Client
Basic configuration

Defining the TcpImage statements
Image definitions
Logging
PAGENT commands
Traffic Regulation
Management Daemon
Policy infrastructure management services
Implementation and operations
Parameters for policy infrastructure management services

z/OSMF and Network Configuration Assistant
z/OSMF desktop and Network Configuration Assistant
Backing store
Creation of z/OS groups
Creation of z/OS images and TCPIP stack
TCPIP connectivity rules
Creating your own Requirement Map
Advanced Settings
Advanced Settings – parameters
Current backing store
Installation of configuration files

PAGENT requirements
CSFSERV resource class
Example for AT-TLS
Example of Intrusion Detection Services
Example of IP filtering
Example of IP Security
Example of Network Address Translation
Example of IKE protocols
Example of Quality of Service
SNMP overview
SNMP in operation

Setting up IPSec on z/OS
Defining IPSec with Network Configuration Assistant
IPSec Traffic Descriptors
IPSec Security Levels
IPSec Advanced Settings
IPSec address groups
IPSec Requirement Maps
IPSec Reusable Rules

Setting up IKED
The IKED catalogued procedure and configuration file
Reserve the ports and RACF changes
Digital certificates for IKED
Authorizing Callable Services
Other actions for IPSec
Commands for IPSec
Using the IPSec policy in z/OS

Basic concepts
Scan policies
There are different types of scan events
Attack policies
Attack policy notification
Traffic regulation policies
TCP traffic regulation
UDP traffic regulation
Implementing IDS
Creating the IDS policy
IDS traffic descriptors
IDS Requirement Maps
Creating a new IDS Requirement Map
IDS scans

Scan Levels
Modify IDS scans
IDS Traffic Regulation
z/OSMF selection of requirement map
Defensive filtering overview
Simulate mode
Installation of defensive filtering
Filter types
Defense Manager Daemon installation
DMD Configuration File
DMD started procedure
Ipsec F command
The Ipsec -t command

Why secure the TCP/IP network
What is required of a security system?
IBM's Resource Access Control Facility (RACF)
Main RACF - z/OS components
How does RACF work?
RACF profiles: Group profiles, User profiles, Dataset profiles, General resource profiles
Resource classes
RACF commands

RACF group structure
RACF group types
RACF group structure
Dataset profile ownership
Concept of profile ownership
RACF administration delegation

Benefits of RACF groups
Defining RACF groups
Group CONNECT authority
Group profile segments
Group related commands

Information on users
RACF user information
Segment information: TSO segment information, NetView segment information, CICS segment information, OMVS segment information
Defining a new user
User- related commands
User attributes

Classifying users and data
Security categories and levels
Creating a Security Category
Creating a Security Level
How Security Categories and Levels are used
Security labels

Dataset related commands
Dataset protection: Discrete profiles, Generic profiles, Rules for defining dataset profiles
Dataset profile ownership
Defining generic profiles

Access authority to datasets
Adding dataset profiles – ADDSD
PERMIT command
Building access lists (PERMIT)

General Resource related commands
Class Descriptor Table (CDT)
IBM-defined Resource Classes
Steps for defining General Resource profiles

Granting access to a General Resource
Global Access Table (GAT)
Setting up the Global Access Table (GAT)

Tasks that need protection with SERVAUTH Class
Policy based networking
SERVAUTH Resource Class responsibilities
SERVAUTH Resource Class
Protecting the TCPIP stack
Protecting your network access
Application considerations when using NETACCESS
Using the NETSTAT and PING commands to check protection
Protecting your network ports
RACF definitions for protecting network ports

Using the NETSTAT command to check PORT access
Protecting the use of socket options
What are network commands
Protecting network commands - z/OS TCPIP commands
Protecting network commands - NETSTAT and ONESTAT commands
Protecting network commands - EZACMD REXX program
Protecting FTP access
Other FTP profiles
Protecting TN3270 Secure Telnet Port
Protecting the MODDVIPA command

overview
What is a digital certificate?
Public key & certificate
Uses for certificates in applications
Secure Sockets Layer (SSL)
Secret key cryptography
Ciphers used in secret key cryptography
Notes on secret key ciphers
Public key cryptography
Public key ciphers
Message integrity
Message digest algorithms
Message Authentication Codes
Using the ciphers
Ciphers

SSL protocol
How SSL works
SSL Session ID
The SSL layer
System SSL
System SSL on z/OS
Why TLS
Hardware cryptography on System Z
Crypto support in z/OS
SSL and Crypto devices
Three types of encryption keys
Clear Key processing
Secure Key processing
Master Keys and Key Data Sets
Protected Key/Wrapping Key

SSHD UNIX files
SSHD - Using ICSF and /dev/random)
SSHD - Creating configuration files
SSHD - Creating SSHD server keys
SSHD- Set up SSHD server userids
SSHD - Create SSHD server started task
SSHD - TCP configuration

SSHD - Verify z/OS DNS / Resolver operation
The FTP server
FTPS and SFTP
Pros and cons of FTPS and SFTP
Customizing the FTP.DATA dataset
Customizing the PROFILE & SERVICES datasets
Starting FTP

Cryptography in Internet applications
Public key cryptography overview
What is a digital certificate?
Public key & certificate
Uses for certificates in applications
Secure Sockets Layer (SSL)
Digital certificates and RACF
How RACF uses digital certificates
RACF classes & commands
RACDCERT
RACF certificate generation
RACDCERT command
Creating a certificate
Gencert examples
Key rings
RACDCERT ring functions
Certification installation
RACDCERT ADD examples
Certification installation
Certificate management

Exploiters of certificates
Exporting a certificate
Certificates are packaged in formats
Steps for migrating a certificate and its ICSF private key in the PKDS
KEYXFER Utility
Miscellaneous issues
Renew a certificate
Examples of REKEY and ROLLOVER
Certificate mapping
RACF Key Rings
Global FACILITYclass profiles
Sharing a private key
RDATALIB Class
RACDCERT granular administration
RACDCERT granular control
Listing, removing & deleting
Password enveloping
How does password enveloping work?
Password enveloping - exceptions

What is TN3270 security?
How native TN3270 security can be applied with TLS
Description of TN3270 native connection security
Dependencies for Telnet server native connection security
Example of definitions
Encryption algorithms (cipher suites)

RACF permissions
What is FTP security?
Software and hardware prerequisites
Configuring FTP native TLS security
Logging onto the Server with FileZilla

Introduction to policy based networking
The Policy Agent
RACF and PAGENT
Define a User for PAGENT
Give authorized users access to start and stop PAGENT
Securing the pasearch command and initialising PAGENT before TCPIP
Other address spaces that will need RACF profiles
Central policy server
SERVAUTH authorisation for Policy Client
Basic configuration

Defining the TcpImage statements
Image definitions
Logging
PAGENT commands
Traffic Regulation
Management Daemon
Policy infrastructure management services
Implementation and operations
Parameters for policy infrastructure management services

z/OSMF and Network Configuration Assistant
z/OSMF desktop and Network Configuration Assistant
Backing store
Creation of z/OS groups
Creation of z/OS images and TCPIP stack
TCPIP connectivity rules
Creating your own Requirement Map
Advanced Settings
Advanced Settings – parameters
Current backing store
Installation of configuration files

PAGENT requirements
CSFSERV resource class
Example for AT-TLS
Example of Intrusion Detection Services
Example of IP filtering
Example of IP Security
Example of Network Address Translation
Example of IKE protocols
Example of Quality of Service
SNMP overview
SNMP in operation

Setting up IPSec on z/OS
Defining IPSec with Network Configuration Assistant
IPSec Traffic Descriptors
IPSec Security Levels
IPSec Advanced Settings
IPSec address groups
IPSec Requirement Maps
IPSec Reusable Rules

Setting up IKED
The IKED catalogued procedure and configuration file
Reserve the ports and RACF changes
Digital certificates for IKED
Authorizing Callable Services
Other actions for IPSec
Commands for IPSec
Using the IPSec policy in z/OS

Basic concepts
Scan policies
There are different types of scan events
Attack policies
Attack policy notification
Traffic regulation policies
TCP traffic regulation
UDP traffic regulation
Implementing IDS
Creating the IDS policy
IDS traffic descriptors
IDS Requirement Maps
Creating a new IDS Requirement Map
IDS scans

Scan Levels
Modify IDS scans
IDS Traffic Regulation
z/OSMF selection of requirement map
Defensive filtering overview
Simulate mode
Installation of defensive filtering
Filter types
Defense Manager Daemon installation
DMD Configuration File
DMD started procedure
Ipsec F command
The Ipsec -t command

Workflow Orchestration

Mainframe Simplification

Popular destinations

BMC Mainframe: TCP/IP Security in a z/OS Environment using Policy Agent & RACF

Major release:

Recommended Prerequisites:

Good for:

Course Delivery:

Course Modules

Understanding RACF Network Security

RACF Group Structure

Defining Users to RACF

Dataset Profiles

Defining General Resources

Protecting Network Resources

Cryptography, SSL, Ciphers & Digital Certificates

SSHD and SFTP using SSL

RACF & Digital Certificates

Secured TN3270 and FTPS

Introduction to Policy Agent

z/OSMF and Network Configuration Assistant

IP Security

Intrusion Detection Services & Defense Manager Daemon

Course Modules

Understanding RACF Network Security

RACF Group Structure

Defining Users to RACF

Dataset Profiles

Defining General Resources

Protecting Network Resources

Cryptography, SSL, Ciphers & Digital Certificates

SSHD and SFTP using SSL

RACF & Digital Certificates

Secured TN3270 and FTPS

Introduction to Policy Agent

z/OSMF and Network Configuration Assistant

IP Security

Intrusion Detection Services & Defense Manager Daemon

Let us know how we can help

Sales & Pricing

Help & Support

Popular destinations

BMC Mainframe: TCP/IP Security in a z/OS Environment using Policy Agent & RACF

Major release:

Recommended Prerequisites:

Good for:

Course Delivery:

Course Modules

Understanding RACF Network Security

RACF Group Structure

Defining Users to RACF

Dataset Profiles

Defining General Resources

Protecting Network Resources

Cryptography, SSL, Ciphers & Digital Certificates

SSHD and SFTP using SSL

RACF & Digital Certificates

Secured TN3270 and FTPS

Introduction to Policy Agent

z/OSMF and Network Configuration Assistant

IP Security

Intrusion Detection Services & Defense Manager Daemon

Course Modules

Understanding RACF Network Security

RACF Group Structure

Defining Users to RACF

Dataset Profiles

Defining General Resources

Protecting Network Resources

Cryptography, SSL, Ciphers & Digital Certificates

SSHD and SFTP using SSL

RACF & Digital Certificates

Secured TN3270 and FTPS

Introduction to Policy Agent

z/OSMF and Network Configuration Assistant

IP Security

Intrusion Detection Services & Defense Manager Daemon

Related Learning Paths