IBM 890 manual RACF enhancements, Multilevel Security

Page 70

Once a user is authenticated, RACF and the resource managers control the interaction between that user and the objects it tries to gain access to. These objects include: commands, datasets, programs, tape volumes, terminals and objects that you define. RACF supports flexibility in auditing access attempts and changes to security controls. To audit security-relevant events, you can use the RACF system management unload utility and a variety of reporting tools.

With one command, a security administrator can update remote RACF databases without logging on to remote systems. Throughout the enterprise, RACF commands can be sent automatically to synchronize multiple databases. In addition, RACF can automatically propagate RACF database updates made by applications. With RACF, users can keep passwords synchronized for specific user IDs. When you change one password, RACF can change passwords for your user ID on different systems and for several user IDs on the same system. Also, passwords can be changed automatically for the same user ID on different systems. This way, several RACF databases can be kept synchronized with the same password information.

RACF enhancements:

Digital Certificates can be automatically authenticated without administrator action

Administrative enhancements enable definition of profiles granting partial authority. Handling of new passwords and removal of class authority are simplified.

On demand applications require a way to associate more users under a RACF Group definition, so RACF allows the creation of a new kind of Group that can contain an unlimited number of users

RACF now allows you to perform RACF installation class updates without an IPL, which can help improve availability

RACF facilitates enterprise password synchronization through RACF password enveloping and notification of password changes using z/OS LDAP

Improved user accountability through RACF’s enforcement of unique z/OS UNIX UIDs and GIDs

Improved access control flexibility and granularity for z/OS UNIX files with access control lists

Multilevel security support

Multilevel Security

z/OS 1.5 is the first and only IBM operating system to provide multilevel security. This technology can help improve the way government agencies and other organizations share critical classified information. Combined with IBM’s DB2 UDB for z/OS Version 8, z/OS provides multilevel security on the zSeries mainframe to help meet the stringent security requirements of government agencies and financial institutions, and can help open up new hosting opportunities. Multilevel security technology allows IT administrators to give users access to information based on their need to know, or clearance level. It is designed to prevent individuals from accessing unauthorized information and to prevent individuals from declassifying information.

With multilevel security support in IBM’s z/OS 1.5 and DB2 V8, customers can enable a single repository of data to be managed at the row level and accessed by individuals based on their need to know.
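The access rule behind the need-to-know and anti-declassification behaviour described above, as an added illustration (not IBM code): a security label pairs a hierarchical level with a set of non-hierarchical categories, a subject may read an object only when the subject's label dominates the object's, and may write only when the object's label dominates the subject's. The level ordering, category names and sample rows are constructed for the example, and the write rule is the simplified Bell-LaPadula form rather than RACF's exact option-dependent checks.

```python
"""Simplified model of multilevel-security label checks (added illustration,
not IBM code). A label pairs a hierarchical level with a set of categories;
label A dominates label B when A's level is at least B's and A's categories
include all of B's. Reads need the subject to dominate the object (no read
up); writes need the object to dominate the subject (no write down), which is
what prevents a user from declassifying data by copying it to a lower label.
"""
from dataclasses import dataclass, field

# Constructed level ordering for the example; real installations define their own.
LEVELS = {"UNCLASSIFIED": 10, "CONFIDENTIAL": 50, "SECRET": 70, "TOPSECRET": 90}


@dataclass(frozen=True)
class SecLabel:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "SecLabel") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: SecLabel, obj: SecLabel) -> bool:
    """Simple security property: the subject's label must dominate the object's."""
    return subject.dominates(obj)


def can_write(subject: SecLabel, obj: SecLabel) -> bool:
    """*-property (simplified): the object's label must dominate the subject's,
    so SECRET data can never be written into a CONFIDENTIAL object."""
    return obj.dominates(subject)


def visible_rows(subject: SecLabel, rows):
    """Row-level filtering of the kind described for DB2 V8: keep only rows
    whose label the subject dominates. rows is a list of (label, payload)."""
    return [payload for label, payload in rows if can_read(subject, label)]


# Constructed sample labels and rows for the example.
SECRET_NATO = SecLabel("SECRET", frozenset({"NATO"}))
CONF_NATO = SecLabel("CONFIDENTIAL", frozenset({"NATO"}))
SECRET_NOCAT = SecLabel("SECRET")
ROWS = [(CONF_NATO, "row1"), (SECRET_NOCAT, "row2"), (SecLabel("TOPSECRET"), "row3")]

if __name__ == "__main__":
    print(visible_rows(SECRET_NATO, ROWS))      # ['row1', 'row2']
    print(can_write(SECRET_NATO, CONF_NATO))    # False: would declassify
```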

SSL

Secure Socket Layer (SSL) is a public key cryptography-based extension to TCP/IP networking which helps to enable private communications between parties on the Internet. z/OS provides fast and highly secure SSL support, with increased performance when coupled with zSeries server cryptographic capabilities.
