

  • Number of slides: 30

CICS Transaction Server V3.1 Security Enhancements
Steve Zemblowski, zem@us.ibm.com
© 2005 IBM Corporation

CICS Transaction Server V3.1 Session Agenda
§ Support for Transport Layer Security (TLS)
§ Support for mixed case passwords
§ Cipher suites
  – Support for AES cipher suites
  – Specification of minimum and maximum encryption level
§ Changes to revocation processing
  – EXEC CICS VERIFY processing
  – Certificate revocation lists
§ Performance enhancements
  – SSL caching support
  – Support for increased number of secure connections

CICS Transaction Server V3.1 CICS support for Transport Layer Security
§ Latest version of the Secure Sockets Layer protocol
  – Specification documented in RFC 2246
§ z/OS 1.4 System SSL incorporates:
  – SSL 2.0
  – SSL 3.0
  – TLS 1.0
§ CICS now uses new System SSL APIs
  – Those used in CICS TS 2.3 are now deprecated by z/OS

CICS Transaction Server V3.1 CICS support for Mixed Case Passwords
§ Will require z/OS 1.7
  – Mixed case support is mentioned in z/OS 1.7 preview
§ CESN enhancements
  – Will not translate password field to upper case
    • Similar to CEDA
  – Will issue appropriate caution messages
    • DFHCE3540 Ensure that passwords are entered in the correct case.

CICS Transaction Server V3.1 Cipher Suites
§ Support for AES cipher suites
  – 128-bit and 256-bit encryption
§ Specification of cipher suites to be used for encryption
  – Allows for a minimum and maximum level of encryption
    • If partner doesn't support the selected choices no connection will be established
    • Specified on:
      – TCPIPSERVICE for inbound HTTP and IIOP requests
      – CORBASERVER for outbound IIOP requests
      – URIMAP for outbound HTTP requests

CICS Transaction Server V3.1 Cipher Suites…
§ Range of available cipher suites for CICS to use is specified in the SIT
  – ENCRYPTION={STRONG | MEDIUM | WEAK}
    • For compatibility – ENCRYPTION=NORMAL will be treated as ENCRYPTION=MEDIUM
§ Selection of cipher suites and order of preference
  – Specified in CIPHERS attribute
    • 2-digit code indicating cipher suite
    • Order determines preference – e.g. CIPHERS(352F0A0504)
    • Replaces PRIVACY parameter
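The CIPHERS attribute is a string of 2-hex-digit codes in preference order, and a reviewer of a TCPIPSERVICE, CORBASERVER or URIMAP definition usually wants to know which suites those codes name and whether a weak suite is listed ahead of AES. The following decoder is an added example and is not code from the presentation or from IBM; the lookup table is built from the IANA TLS cipher suite registry (the codes are the low byte of the two-byte suite identifier) and covers only a handful of suites, and the "none/weak/legacy/aes" labels are my own grouping by bulk cipher, not the CICS ENCRYPTION=STRONG/MEDIUM/WEAK categories.

```python
"""Decode and review a CICS CIPHERS attribute value.

Added example, not part of the presentation or of IBM's code. The slide's
example value CIPHERS(352F0A0504) is used as sample input.
"""

# IANA TLS cipher suite identifiers, low byte (high byte 0x00) -> name.
# Constructed for this example; not IBM's list of supported suites.
CIPHER_SUITES = {
    "01": "TLS_RSA_WITH_NULL_MD5",
    "02": "TLS_RSA_WITH_NULL_SHA",
    "03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "TLS_RSA_WITH_RC4_128_MD5",
    "05": "TLS_RSA_WITH_RC4_128_SHA",
    "06": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "TLS_RSA_WITH_DES_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def parse_ciphers(value):
    """Split a CIPHERS value into its 2-hex-digit codes, in preference order.

    Odd length or non-hex characters raise ValueError; the slide only says
    the codes are 2-digit, so the strictness here is this example's choice.
    """
    text = value.strip().upper()
    if len(text) == 0 or len(text) % 2 != 0:
        raise ValueError("CIPHERS value must be a non-empty even number of hex digits")
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    for code in codes:
        if any(c not in "0123456789ABCDEF" for c in code):
            raise ValueError("non-hex cipher code: %r" % code)
    return codes


def classify(name):
    """Rough strength label by bulk cipher (my labels, not CICS's ENCRYPTION levels)."""
    if "_NULL_" in name:
        return "none"
    if "EXPORT" in name or "_DES_" in name:
        return "weak"
    if "RC4" in name or "3DES" in name:
        return "legacy"
    if "AES" in name:
        return "aes"
    return "unknown"


def review_ciphers(value):
    """Return (preference, findings).

    preference: list of (code, suite name or None, strength) in the order CICS
    will prefer them; findings: human-readable concerns a reviewer would raise.
    """
    preference = []
    findings = []
    seen = set()
    for position, code in enumerate(parse_ciphers(value), start=1):
        name = CIPHER_SUITES.get(code)
        if name is None:
            findings.append("position %d: code %s not in lookup table" % (position, code))
            preference.append((code, None, "unknown"))
            continue
        if code in seen:
            findings.append("position %d: duplicate code %s" % (position, code))
        seen.add(code)
        strength = classify(name)
        preference.append((code, name, strength))
        if strength == "none":
            findings.append("position %d: %s provides no confidentiality" % (position, name))
        elif strength in ("weak", "legacy"):
            findings.append("position %d: %s uses a %s cipher" % (position, name, strength))
    # Order matters: a weaker suite listed first is chosen when the partner offers both.
    strengths = [s for _, _, s in preference]
    if "aes" in strengths and strengths[0] != "aes":
        findings.append("AES is not the first preference")
    return preference, findings


if __name__ == "__main__":
    prefs, notes = review_ciphers("352F0A0504")  # the slide's example value
    for code, name, strength in prefs:
        print(code, name, strength)
    for note in notes:
        print("NOTE:", note)
```

For the slide's value the decoder reports AES-256 first, then AES-128, 3DES and the two RC4 suites, and flags the last three as legacy ciphers; running it over a value such as 0535 shows the ordering check firing because RC4 would be preferred over AES.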

CICS Transaction Server V3.1 Cipher Suites… (slides 15, 17 and 19: cipher suite tables; no text was extracted)

CICS Transaction Server V3.1 Changes to Revocation Processing
§ Current releases of CICS
  – Do not check the revoked status of a USERID for:
    • EXEC CICS VERIFY
    • ATTACHSEC(VERIFY)
    • START with USERID
  – Do not check if a connection to a GROUP was revoked
§ Revoked status of a user ID or a user's group connection now honored by CICS 3.1

CICS Transaction Server V3.1 Certificate Revocation Lists
§ Digital Certificates
  – Are used in the process of validating signed data or securely transmitting encryption keys
  – Have a limited lifetime
    • Specified in the certificate's contents
    • Can be explicitly revoked

CICS Transaction Server V3.1 Certificate Revocation Lists
§ Digital Certificates…
  – General certificate validation flow is as follows:
    • The recipient of signed data verifies that the claimed identity of the user is in accordance with the identity contained in the certificate
    • The recipient validates that no certificate in the path is revoked and that all certificates are within their validity periods
    • The recipient verifies that the data has not been altered since signing, by using the public key in the certificate
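The three-step flow on the slide is easy to get subtly wrong in code: the revocation check has to cover every certificate in the path, not just the end-entity certificate, and a CRL that cannot be found for some issuer should fail the validation rather than be skipped. The walk-through below is an added example, not code from the presentation or from System SSL; the certificates, CRLs and clock are constructed, and step 3 is modelled with a SHA-256 digest carried alongside the data, where real validation verifies a signature with the certificate's public key.

```python
"""Certificate path validation with CRL checks over constructed data.

Added example, not part of the presentation or of IBM System SSL. The
certificate records, CRLs and timestamps are constructed for illustration.
"""
from datetime import datetime
import hashlib


def make_cert(subject, issuer, serial, not_before, not_after):
    """Constructed stand-in for a certificate's identity and validity fields."""
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": not_before, "not_after": not_after}


# Constructed sample path: leaf -> issuing CA -> root CA (self-signed).
ROOT = make_cert("CN=Example Root CA", "CN=Example Root CA", 1,
                 datetime(2004, 1, 1), datetime(2014, 1, 1))
ISSUING = make_cert("CN=Example Issuing CA", "CN=Example Root CA", 1001,
                    datetime(2004, 6, 1), datetime(2009, 6, 1))
LEAF = make_cert("CN=alice", "CN=Example Issuing CA", 500123,
                 datetime(2005, 1, 1), datetime(2006, 1, 1))
CHAIN = [LEAF, ISSUING, ROOT]

# Constructed CRLs: issuer name -> serial numbers that issuer has revoked.
CRLS = {"CN=Example Root CA": {1002}, "CN=Example Issuing CA": {500100}}

# Constructed "current time" and signed data for the sample run.
NOW = datetime(2005, 7, 1)
SAMPLE_DATA = b"PAYMENT 100.00 TO ACCT 42"


def digest_of(data):
    """Stand-in for the signature over the data (real code: public-key verify)."""
    return hashlib.sha256(data).hexdigest()


def validate_path(chain, claimed_identity, crls, now, data, expected_digest):
    """Return a list of failure strings; an empty list means the data is accepted.

    Follows the slide's three steps. A missing CRL for an issuer is treated as
    a failure (fail closed) rather than silently skipped.
    """
    failures = []
    leaf = chain[0]
    # Step 1: the claimed identity must match the identity in the certificate.
    if claimed_identity != leaf["subject"]:
        failures.append("identity %r does not match certificate subject %r"
                        % (claimed_identity, leaf["subject"]))
    # Step 2: every certificate in the path is unrevoked and within its validity
    # period, and each one is issued by the next certificate up (root self-signed).
    for index, cert in enumerate(chain):
        if not (cert["not_before"] <= now <= cert["not_after"]):
            failures.append("%s is outside its validity period" % cert["subject"])
        revoked = crls.get(cert["issuer"])
        if revoked is None:
            failures.append("no CRL available for issuer %s" % cert["issuer"])
        elif cert["serial"] in revoked:
            failures.append("%s (serial %d) is revoked" % (cert["subject"], cert["serial"]))
        expected_issuer = chain[index + 1]["subject"] if index + 1 < len(chain) else cert["subject"]
        if cert["issuer"] != expected_issuer:
            failures.append("%s is not issued by %s" % (cert["subject"], expected_issuer))
    # Step 3 (stand-in): confirm the data was not altered since signing.
    if digest_of(data) != expected_digest:
        failures.append("data has been altered since signing")
    return failures


if __name__ == "__main__":
    print(validate_path(CHAIN, "CN=alice", CRLS, NOW, SAMPLE_DATA, digest_of(SAMPLE_DATA)))
```

With the constructed data the sample run returns an empty list; revoking the issuing CA's serial in the root's CRL, moving the clock past the leaf's expiry, or removing one issuer's CRL each produce a specific failure, which is the behaviour a practitioner should expect from any validator before trusting it.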

CICS Transaction Server V3.1 Certificate Revocation Lists
§ A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA)
§ CAs periodically update their CRLs and make them available for others to publish in local Lightweight Directory Access Protocol (LDAP) directories
  – Available for download
  – Retrieved information stored in an LDAP server
  – z/OS 1.4 Security Server LDAP Server Administration and Use
  – z/OS 1.5 Cryptographic Services PKI Guide and Reference

CICS Transaction Server V3.1 Configuring the LDAP server for CRLs
§ Configuration file is /etc/ldap/slapd.conf
§ adminDN is administrator's distinguished name
§ adminPW is administrator's password
§ suffix specifies one or more partial distinguished names that are roots of the naming hierarchies contained in the LDAP server
§ You will need one suffix for each CA for which you want to store CRLs
    suffix O=Verisign\, Inc
    suffix O=Thawte Consulting, C=ZA
§ Note that two backslashes are required to escape special characters in suffix

CICS Transaction Server V3.1 Configuring the LDAP server for CRLs - Notes
The LDAP server's configuration file contains many directives, but the ones of interest are adminDN and adminPW, which are the authentication credentials of the LDAP administrator. These credentials are needed to perform an update of the LDAP server. Each of the LDAP distinguished name hierarchies has to be identified by a suffix configuration directive. Before a distinguished name entry to contain a Certificate Authority's certificate revocation list entry can be created, there has to be a suffix entry for that Certificate Authority's name.
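The suffix directive trips people up because a CA name such as "Verisign, Inc" contains a comma, which in a distinguished name separates RDNs unless it is escaped, and the slide adds that slapd.conf then needs the backslash doubled. The helper below is an added example, not code from the presentation or from the z/OS LDAP server: it escapes attribute values per the DN string rules of RFC 4514 (comma, plus, quote, backslash, semicolon, angle brackets, a leading hash or space, a trailing space), builds the DN, and doubles backslashes for the slapd.conf directive as the slide's note describes; split_dn is the matching parser used to check the round trip.

```python
"""Build slapd.conf suffix directives from CA names with DN escaping.

Added example, not part of the presentation or of the z/OS LDAP server.
Escaping follows RFC 4514; the doubled backslash in the directive follows
the slide's note that slapd.conf needs two backslashes.
"""

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514).
SPECIAL = set('"+,;<>\\')


def escape_dn_value(value):
    """Escape one RDN attribute value for use in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs into a DN string, escaping each value."""
    return ",".join("%s=%s" % (attr, escape_dn_value(val)) for attr, val in rdns)


def suffix_directive(rdns):
    """slapd.conf line for a CA's naming root; backslashes doubled per the slide."""
    return "suffix " + build_dn(rdns).replace("\\", "\\\\")


def split_dn(dn):
    """Parse a DN string back into (attribute, value) pairs.

    Handles backslash-character escapes (not the \\XX hex form), which is all
    build_dn produces for printable input.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    result = []
    for part in parts:
        attr, _, val = part.partition("=")
        result.append((attr.strip(), val))
    return result


if __name__ == "__main__":
    # The two CA names used on the slide, as constructed input.
    for ca in ([("O", "Verisign, Inc")], [("O", "Thawte Consulting"), ("C", "ZA")]):
        print(suffix_directive(ca))
```

For the two CA names on the slide this prints the Verisign suffix with the comma escaped and backslash doubled, and the Thawte suffix as two RDNs with an unescaped separator; parsing build_dn's output with split_dn returns the original pairs, which is the check to run before editing the live configuration.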

CICS Transaction Server V3.1 Certificate Revocation Lists
§ New SIT parameter, CRLPROFILE
  – Specifies the name of a RACF profile in the LDAPBIND general resource class where LDAP bind information is stored
  – The profile contains a PROXY segment, which contains the following fields:
    • LDAPHOST – Specifies the name of the LDAP server where the certificate revocation lists are stored
    • BINDDN – The LDAP distinguished name of a user who is allowed to access certificate revocation lists in the LDAP server
    • BINDPW – A password that authenticates the BINDDN
§ Note: this parameter is introduced in APAR PK04622

CICS Transaction Server V3.1 Certificate Revocation Lists
§ CICS provides a utility transaction to download a CRL
  – CCRL transaction
    • Can be invoked from a terminal
      – CCRL url-list
      > e.g. CCRL http://crl.verisign.com/ATTClass1Individual.crl
    • Can be invoked as a started task
      – EXEC CICS START TRANSID(CCRL) FROM('http://crl.verisign.com/ATTClass1Individual.crl') LENGTH(92) INTERVAL(960000)

CICS Transaction Server V3.1 LDAP authentication data
§ The CCRL transaction will prompt you for the adminDN and adminPW when entered from a terminal
§ When used from a program, insert an admin scheme URL into the URL list: admin://admindn:adminpw

CICS Transaction Server V3.1 LDAP authentication data - Notes
Write access to the LDAP server usually requires you to provide the LDAP administrator's authentication data, adminDN and adminPW. The CCRL transaction will prompt you for these if you execute it at a terminal. Otherwise you will have to provide the special "admin" scheme URL whose only purpose is to provide this information in the URL list that is processed by CCRL. This fake URL has the format admin://admindn:adminpw, where admindn and adminpw are replaced by the actual values from the slapd configuration file.
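When CCRL is driven from a program, the URL list passed in the START FROM area carries the LDAP administrator credentials inline, so the program that builds it is also the place to validate the list, size the LENGTH value, and make sure the list is never written to a log as-is. The parser below is an added example, not code from the presentation or from CICS: it splits a CCRL URL list into the admin entry and the CRL URLs, rejects malformed admin entries and unsupported schemes (accepting http and https is this example's assumption; the slide shows only http), computes the EBCDIC byte length for LENGTH() on the assumption that LENGTH is the byte count of the FROM data, and produces a loggable summary with the password masked. All sample values are constructed.

```python
"""Parse and check a CCRL URL list before passing it to EXEC CICS START.

Added example, not part of the presentation or of CICS. The URL list format
(blank-separated URLs, optional admin://admindn:adminpw entry) follows the
slides; scheme acceptance and the LENGTH assumption are this example's own.
"""
from urllib.parse import urlsplit

ADMIN_SCHEME = "admin://"
CRL_SCHEMES = ("http", "https")  # assumption: what this checker accepts


def parse_ccrl_url_list(url_list):
    """Return {"admindn", "adminpw", "crls"} or raise ValueError on a bad list."""
    credentials = None
    crl_urls = []
    for token in url_list.split():
        if token.startswith(ADMIN_SCHEME):
            if credentials is not None:
                raise ValueError("more than one admin entry in URL list")
            # The DN is everything up to the first colon; a DN containing ':'
            # would need a different separator and is not handled here.
            admindn, sep, adminpw = token[len(ADMIN_SCHEME):].partition(":")
            if not sep or not admindn or not adminpw:
                raise ValueError("admin entry must be admin://admindn:adminpw")
            credentials = (admindn, adminpw)
            continue
        parts = urlsplit(token)
        if parts.scheme not in CRL_SCHEMES or not parts.netloc:
            raise ValueError("unsupported CRL URL: %r" % token)
        crl_urls.append(token)
    if not crl_urls:
        raise ValueError("URL list contains no CRL URL")
    return {"admindn": credentials[0] if credentials else None,
            "adminpw": credentials[1] if credentials else None,
            "crls": crl_urls}


def from_length(url_list):
    """Byte count for LENGTH() when the list is the FROM data of EXEC CICS START.

    Assumption: the data is EBCDIC (code page 037) on z/OS and LENGTH is its
    byte length, so one byte per character for these ASCII-range strings.
    """
    return len(url_list.encode("cp037"))


def describe(parsed):
    """Summary safe to log: the admin password is masked, URLs are listed."""
    who = parsed["admindn"] or "<prompted at terminal>"
    pw = "********" if parsed["adminpw"] else "<none>"
    return "admin=%s pw=%s crls=%s" % (who, pw, ",".join(parsed["crls"]))


if __name__ == "__main__":
    # Constructed sample list with an admin entry and two CRL URLs.
    sample = ("admin://cn=admin,o=example:s3cret "
              "http://crl.example.com/ca1.crl http://crl.example.com/ca2.crl")
    parsed = parse_ccrl_url_list(sample)
    print(describe(parsed))
    print("LENGTH(%d)" % from_length(sample))
```

The summary from describe is what belongs in a trace entry; the raw list, which holds the adminPW in clear, should stay in the program's storage only. Because the password sits in the START FROM data, restricting who can read that program's source and any dumps of its storage is part of protecting the LDAP administrator credentials.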

CICS Transaction Server V3.1 Performance Enhancements
§ CICS support for SSL caching
  – Allows session ID information to be shared across the sysplex
§ OTE exploitation by CICS SSL connection management
  – New SP mode TCB
    • Reduces system storage requirements
  – Existing S8 TCBs
    • Now only allocated for the duration of the SSL requests
    • Provides for increased number of simultaneous SSL sessions

CICS Transaction Server V3.1 Performance Enhancements
§ SSL Sysplex Caching
  – Today the SSL session id is cached local to every CICS region
    • If the same client connects to a different CICS region a full SSL handshake is required
      – Impacts cloned CICS listener regions
(Diagram: an SSL Client connecting to CICS Listener 1 on z/OS 1 and Listener 2 on z/OS 2)

CICS Transaction Server V3.1 Performance Enhancements
§ SSL Sysplex Caching…
  – Makes server session information available across a sysplex
    • Requires all systems in the sysplex to use the same ESM
    • Requires SSL Started Task (GSKSRVR) to be implemented
      – Supports TLS 1.0 and SSL 3.0 protocols
      – GSKSRVR Environment Variables
        > GSK_LOCAL_THREADS: number of threads
        > GSK_SIDCACHE_SIZE: sysplex session cache size in megabytes
        > GSK_SIDCACHE_TIMEOUT: session cache entry timeout in minutes
    • Enable CICS to use sysplex caching
      – SIT parameter
        > SSLCACHE={CICS | SYSPLEX}

CICS Transaction Server V3.1 SSL Open Transaction Environment Exploitation
§ Current SSL implementation
  – Uses a separate S8 TCB for each SSL request
    • Fixed pool size – Specified by SSLTCBS
    • Each TCB has its own LE enclave
    • S8 TCB is assigned for the duration of the requesting task

CICS Transaction Server V3.1 SSL Open Transaction Environment Exploitation…
§ OTE implementation
  – SP TCB
    • Created when KEYRING is specified in the SIT
    • Owns the LE enclave and SSL cache
  – S8 TCBs
    • Variable pool size – Controlled by MAXSSLTCBS parameter
    • Runs as a UNIX pthread
    • Assigned for the duration of the request

CICS Transaction Server V3.1 Monitoring
§ Changed monitoring group DFHTASK
  – New monitoring fields
    • MAXSTDLY – The elapsed time in which the user task waited to obtain a CICS SSL TCB (S8 mode), because the CICS system had reached the limit set by the system initialization parameter MAXSSLTCBS
  – Changed monitoring fields
    • DSCHMDLY – The elapsed time the user task waited for re-dispatch after a CICS Dispatcher change-TCB mode request was issued by or on behalf of the user task. Now applies to any TCB processing.

CICS Transaction Server V3.1 Statistics
§ Sample Statistics Report
TCB Mode  TCBs Attached (Current / Peak)  Op. System Waits  Op. System Wait Time (Total)  TCB Dispatch Time (Total)  TCB CPU Time  DS TCB CPU/Disp Ratio
QR  1  1, 339  00:36:52.76362  00:03.83933  00:03.11027  00:00.12582
RO  1  1  11  01:02:05.45171  00:00.30343  00:00.02823  00:00.00045
CO  1  1  2  01:05:22.12533  00:00.00008  00:00:00.00014
SZ  1  1  2  00:27:20.17500  00:00.00005  00:00:00.09742
RP  0  00:00:00.00000
FO  1  1  15  01:03:41.17645  00:00.74589  00:00.07492  00:00.00040
SL  1  1  2  01:02:22.85484  00:00.00031  00:00.00036  00:00.00002
SO  1  1  0  00:00:00.00000
SP  1  1  0  00:00:00.00000
D2  0  00:00:00.00000
JM  0  00:00:00.00000
S8  25  25  0  00:00:00.00000
L8  1  1  6  00:00.01315  00:00.35665  00:00.00177  00:00.00004
J8  0  00:00:00.00000
J9  1  1  4  00:00.03895  00:04.41789  00:01.21668  00:00.00024
X8  0  00:00:00.00000
X9  1  0  00:00:00.00000
81.0%  00:00.00000

CICS Transaction Server V3.1 Statistics…
§ Sample Statistics Report
TCB Pool : SSL
Current TCBs attached in this TCB Pool : 1
Current TCBs in use in this TCB Pool : 0
Peak TCBs attached in this TCB Pool : 1
Peak TCBs in use in this TCB Pool : 0
Max TCB Pool Limit (MAXSSLTCBS) : 22
Times at Max TCB Pool Limit (MAXSSLTCBS) : 0
Requests Delayed by Max TCB Pool Limit : 0
Current Requests Delayed by Max TCB Pool Limit : 0
Total Max TCB Pool Limit delay time : 00:00.00000
Peak Requests Delayed by Max TCB Pool Limit : 0
Average Max TCB Pool Limit delay time : 00:00.00000
Total Delay time for current delayed : 00:00.00000
Average Delay time for current delayed : 00:00.00000
Total number of TCB Mismatch Waits : 0
Current TCB Mismatch waits : 0
Total TCB Mismatch wait time : 00:00.00000
Peak TCB Mismatch waits : 0
Average TCB Mismatch wait time : 00:00.00000
Total Wait time for current Mismatch Waits : 00:00.00000
Average Wait time for current Mismatch Waits : 00:00.00000
Requests Delayed by MVS storage constraint : 0
Total MVS storage constraint delay time : 00:00.00000
Average MVS storage constraint delay time : 00:00.00000

CICS Transaction Server V3.1 Statistics…
§ Sample Statistics Report TCP/IP
TCP/IP Status : OPEN
SSLCACHE setting : CICS
Active SSL TCBs : 0
Maximum SSL TCBs (MAXSSLTCBS) : 22
Max IP Sockets (MAXSOCKETS) limit : 1,500
Number of times the MAXSOCKETS limit was reached : 0
Current Active IP Sockets : 4
Current number of inbound sockets : 7
Peak number of inbound sockets : 7
Current number of non-persistent outbound sockets : 0
Peak number of non-persistent outbound sockets : 0
Current number of persistent outbound sockets : 0
Peak number of persistent outbound sockets : 0
Number of inbound sockets created : 0
Number of outbound sockets closed : 0
Total number of inbound and outbound sockets created : 0
Number of create socket requests delayed by MAXSOCKETS : 0
Total MAXSOCKETS delay time : 00:00.00000
Average MAXSOCKETS delay time : 00:00.00000
Number of create requests that timed-out at MAXSOCKETS : 0
Current create socket requests delayed by MAXSOCKETS : 0
Peak create socket requests delayed by MAXSOCKETS : 0
Average delay time for current create requests delayed : 00:00.00000
Total delay time for current create requests delayed : 00:00.00000

CICS Transaction Server V3.1 Systems Programming Interface
§ INQUIRE TCPIPSERVICE, CORBASERVER and URIMAP
  – CIPHERS
  – NUMCIPHERS
§ INQUIRE TCPIP
  – CRLSERVER
  – SSLCACHE
§ INQUIRE and SET DISPATCHER
  – MAXSSLTCBS
  – ACTSSLTCBS

CICS Transaction Server V3.1 Summary
§ Support for TLS 1.0
§ Mixed case password support
§ Support for cipher suites
  – New AES 128 and 256 encodings
  – Specification of minimum and maximum encryption level
§ New Certificate Revocation Lists utility transaction
§ Performance enhancements
  – SSL session id caching
  – OTE exploitation