Aug 7, 2012


Web Cookbook
Free-for-All

SONORAN USER GROUP MEETING 11/07/2001

The Software That Manages eBusiness ™

Topics of Discussion

USS Support
Implementing USS Products
Using TCP/IP
Using FTP
Using Telnet
WebSphere Application Server

Topics of Discussion

Newer Features in OS/390
Relationship to External Security Manager
Administrative Setup Steps
Questions

USS Support

Implementing security
  Controlling access to USS
  Controlling access to the Hierarchical File System (HFS)
  Defining OMVS as a started task

USS Support

Implementing security
  Daemons
  Thread-level security
  OMVS shell
  Logging, auditing, and reporting

USS Support

Controlling access to USS
  Define USS MVS users
  Superusers
  Superuser granularity support

USS Support

Controlling access to USS
  OMVS user profile
    UID - numeric value 0 to 2,147,483,647
    HOME - initial directory path name
    PROGRAM - path name of user's shell program
  OMVS group profile
    Recommend unique numbers
    GID - numeric value 0 to 2,147,483,647

USS Support

Controlling access to USS
  Default OMVS UID and GID
    For users without user or group profile information

USS Support

Controlling access to HFS
  UNIX model
    File access based on user category
      User that owns file
      Group that owns file
      All other users
  CA security solution
    Based on standard permissions
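A worked model of the UNIX file-permission decision described above, added here as an example rather than code from the CA deck: the requester is classed as file owner, group member, or "other", only that class's bits are consulted, and UID 0 (the superuser of the earlier slide) bypasses read and write. The file, UIDs and GIDs are constructed sample values; the UID 0 execute rule (allowed only when some execute bit is set) is a simplification of the full z/OS rules.

```python
# Added example (not from the CA deck): a model of the standard UNIX permission
# check that the HFS applies. Sample file and identities are constructed.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in the digits of a chmod octal mode

@dataclass
class HfsFile:
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o640: owner rw-, group r--, other ---

@dataclass
class Requester:
    uid: int
    gids: set = field(default_factory=set)  # primary plus supplemental GIDs

def permission_class(f: HfsFile, who: Requester) -> str:
    """Which of the three mode triplets applies: owner, group or other."""
    if who.uid == f.owner_uid:
        return "owner"
    if f.owner_gid in who.gids:
        return "group"
    return "other"

def hfs_allows(f: HfsFile, who: Requester, want: int) -> bool:
    """True if every requested bit (any combination of R, W, X) is granted."""
    if who.uid == 0:
        # Superuser: read and write always; execute only if some class may execute
        # (simplified model of the z/OS rule for regular files).
        return not (want & X) or bool(f.mode & 0o111)
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(f, who)]
    granted = (f.mode >> shift) & 0o7
    return (granted & want) == want

# Constructed sample: a configuration file owned by UID 10 / GID 2, mode 640
CONF = HfsFile(owner_uid=10, owner_gid=2, mode=0o640)

def demo() -> dict:
    """Decisions for an owner, a group member, an outsider and the superuser."""
    return {
        "owner_write":  hfs_allows(CONF, Requester(10, {2}), R | W),
        "group_read":   hfs_allows(CONF, Requester(11, {2, 5}), R),
        "group_write":  hfs_allows(CONF, Requester(11, {2}), W),
        "other_read":   hfs_allows(CONF, Requester(12, {7}), R),
        "superuser_rw": hfs_allows(CONF, Requester(0), R | W),
        "superuser_x":  hfs_allows(CONF, Requester(0), X),
    }
```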

USS Support

Define OMVS
  Create USS kernel STC userid/ACID and user/group profile
  Create BPXOINIT STC userid/ACID and user/group profile
  Create BPXAS STC userid/ACID and user/group profile
  May need additional userids/ACIDs
    TCPIP, INETD, RMFGAT

USS Support

Controlling access to daemons
  Long-running unattended process
  Similar to MVS started task
  Performs continuous or periodic functions
    CRON - timed application start
    INETD - on demand application starts
    RLOGIND - start shell session on request
  Define the BPXROOT userid
  Allow OMVS access to facility resource BPX.DAEMON


USS Support

Thread-level security for servers
  OMVS pthread_security_np service
  Allows server to establish a security context
  Similar to task level ACEE
  Allows server access to resources using identity of user (client)
  Define access to Facility BPX.SERVER
    UPDATE allows complete use of service
    READ access allows controlled use of service using SURROGAT BPX.SRV.userid



USS Support

OMVS shell
  Interprets text as commands
  May operate on an input stream
  May prompt and read commands from a terminal
  ISHELL support
    BPXWIRAC - REXX exec interface
    BPXISEC1 - CLIST containing initial commands to set up required USS definitions

USS Support

Logging OMVS security calls
  Uses standard logging and reporting mechanisms
  Auditing USS
    OMVS service fails (RC not zero)
    Trace flag on userid
    When file audit bit is on

Implementing USS Products

Lotus Notes Server
  Email on OS/390 environment
  Requires DOMINO console interface
    Identified by DOMCON
    Facilitates sending of commands to UNIX server
  Requires userid and user, group, and LNOTES profiles

Implementing USS Products

Novell Directory Services (NDS)
  Shares resources among workstations
  Map NDS application user identity to logonid/ACID
  Requires special userids/ACIDs for processing
    NWROOT, NWUSER, NOBODY
  Requires user, group, and LNOTES profiles










Implementing USS Products

Network File System (NFS)
  Remote access to data sets and HFS files
  Security interface - site attribute
    NONE - no restriction; no MVS logonid required
    EXPORTS - restrict by client IP address; no SAF check
    SAF - require MVS logonid and password
    SAFEXP - combination of EXPORTS and SAF

Implementing USS Products

Network File System (NFS)
  DataCaching(Y/N)
    First user validated; rest allowed
  CHKLIST DD
    Files or directories bypass security checking


Implementing USS Products

Network File System (NFS)
  Create STC userids
    MVSNFS - NFS server
    MVSNFSC - NFS client
    MVSNLM - NFS lock manager
    MVSNSM - NFS network status monitor
  Create user profiles for each started task


TCP/IP

TCP/IP implementation
  Now called Communication Server IP
  Relies on UNIX system services
  Create OMVS normal credentials of userid/ACID and user and group profiles



Using FTP

USS application facilitates file transfers
  Executes under FTPD started task
  Create FTP userid as STC with UID and group profiles
  Allow access to BPX Facility resources
    BPX.DAEMON
    BPX.SUPERUSER

Using FTP

ANONYMOUS logon feature
  FTPDATA configuration file
  ANONYMOUS userid and password
    Default => ANONYMOU
  Terminal source restriction
    Generated from originating IP address
    Translated into hexadecimal value of node
    141.202.201.56 = 8DCAC938
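The node-value derivation above, worked both ways as an added example (not code from the CA deck): one byte of hex per octet, so a terminal-source entry can be generated from an address and an existing entry can be decoded back to the address it stands for when reviewing a restriction list. The slide's own pair (141.202.201.56 = 8DCAC938) is the check value; the restriction list and the function names are constructed here.

```python
# Added example (not from the CA deck): FTP terminal-source node values.
# The restriction list below is a constructed sample, not a real configuration.
import ipaddress

def node_from_ip(ip: str) -> str:
    """Dotted-decimal IPv4 -> 8 uppercase hex digits, one byte per octet.
    IPv4Address() raises ValueError on malformed or out-of-range input."""
    return ipaddress.IPv4Address(ip).packed.hex().upper()

def ip_from_node(node: str) -> str:
    """Inverse: 8 hex digits -> dotted-decimal IPv4. Rejects anything else."""
    if len(node) != 8 or any(c not in "0123456789abcdefABCDEF" for c in node):
        raise ValueError(f"not an 8-hex-digit node value: {node!r}")
    return str(ipaddress.IPv4Address(bytes.fromhex(node)))

# Constructed sample: node values as they might appear in a restriction list
RESTRICTION_LIST = ["8DCAC938", "0A000105"]

def describe(entries=RESTRICTION_LIST) -> dict:
    """Map each node value in a list back to the originating address."""
    return {n: ip_from_node(n) for n in entries}

def source_matches(ip: str, entries=RESTRICTION_LIST) -> bool:
    """True if the originating address is one of the listed node values."""
    return node_from_ip(ip) in {e.upper() for e in entries}
```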

Using Telnet

TCP/IP feature allows users terminal access
  Under USS
  RLOGIN runs under ID specified in configuration file (/etc/inetd.conf); usually OMVSKERN
Securing Telnet for USS
  Define OMVSKERN logonid
  Create USS credentials
  Allow Telnet access to BPX.DAEMON facility




WebSphere Application Server

WebSphere Application Server for OS/390
  Lotus/Domino Go Webserver
  OS/390 Internet Connection Server
  Mainframe's Web server
  Managed as USS application
  Requires OMVS, TCP/IP setup

WebSphere

Security requirements
  Create TCP/IP, OMVS, INETD logonids/ACIDs
  Create user profile and group records
  Create credentials for required userids/ACIDs
  WebSphere requires STC userid/ACID
  Requires Web administrator
  Define suggested surrogate userids/ACIDs

WebSphere

Security requirements
  Allow access to BPX Facility resources
    BPX.DAEMON
    BPX.SERVER
    Surrogate - BPX.SRV.
      INTERNAL
      PRIVATE
      PUBLIC
      WEBADM
  Allow users access to required MVS libraries























OMVS Initialization

FASTAUTH processing does not use external security
  BPX.SAFFASTPATH Facility resource
  Prevent condition

User Profile

Profile support for user limit overrides
  Additional fields/resources added to user profile or ACID record
    CPUTIME overrides MAXCPUTIME
    ASSIZE overrides MAXASSIZE
    FILEPROC overrides MAXFILEPROC
    PROCUSER overrides MAXPROCUSER
    THREADS overrides MAXTHREADS
    MMAPAREA overrides MAXMMAPAREA

OS/390 Print Server Support

Consolidation of print files onto one server
  Two OMVS groups required
    AOPOPER - start and stop print interface
    AOPADMIN - printer inventory and controls administration
  Limit access through facility class resource AOPADMIN

Digital Certificates

Digital certificate support
  Certificate Authority (CA)
  Certificate in MVS data set
  CERTDATA profiles

Digital Certificates

Automatic registration of certificates
  Common Gateway Interface (CGI) program
  OS/390 UNIX callable service
  Allow access to facility resources
    IRR.DIGTCERT.ADD
    IRR.DIGTCERT.DELETE

Digital Certificates

Certificate Name Filtering (CNF)
  Many-to-one mapping
Digital certificate key rings
  Assign multiple certificates to a userid/ACID

DCE Security Server Support

Authentication services for DCE applications
  Server holds user credentials in security registry
DCE segment
  DCE-specific user information
  Encryption keys
  DCE server retrieves information using SAF

DCE Security Server Support

DCE segment fields
  UUID - DCE user identifier
  DCENAME - principal name of user
  HOMEUUID - user's home cell UUID
  HOMECELL - home cell name
  AUTOLOG - automatic signon

DCE Security Server Support

Import and export utilities
  MVSEXPT exports from DCE to MVS
    Edit macro
  MVSIMPT imports from MVS to DCE
    Unload utility

DCE Security Server Support

OS/390 DCE server
  Define STC userid/ACID for DCEKERN daemon
  Define user and group profiles
  Allow DCEKERN access to Facility resource userid.START.REQUEST
  Disable automatic logon in DCE variable files

Component Broker Series

SOMobjects
  Create STC userid needed by SOMobjects
    SOM, server, appserver
  Create user and group profiles
  Allow access to required data sets


Component Broker Series

New class types
  SERVER - access to SOM subsystem
  CBIND - access to server
  SOMDOBJ - access to SOMobject method

Component Broker Series

Classes
  Describes an object and its attributes
Methods
  Defines operations that can be performed on the object
Object-oriented methodology

LDAP Server Support

Define STC userid/ACID for LDAP server
Define user and group profiles
Allow LDAP access to Facility resources
  BPX.DAEMON
  BPX.SERVER
Allow access to data set for LDAP server
CA-LDAP server offered as part of CA security solutions

Firewall Technologies

OS/390 provides ability to run under UNIX System Services
Define logonids/ACIDs for firewall STC userid/ACID (FWKERN) and associated STCs
Define profiles (UID and GID)
Allow access to required facility resources
Allow read access to TCP/IP data sets

Integrated Cryptographic Service Facility (ICSF)

OS/390 applications use cryptography
Management of keys
  Secure encryption keys
  CSFKEYS class
Encryption services
  CSFSERV class
Allow resource access for these classes

Sample Resource Names

CSFCTT - Cipher text translate callable service
CSFCTT1 - Cipher text translate (with ALET) callable service
CSFDCO - Decode callable service
CSFDEC - Decipher callable service
CSFDEC1 - Decipher (with ALET) callable service
CSFDKEF - Clear master key entry panel service
CSFDKX - Data key export callable service
CSFDSG - Digital signature generate callable service
CSFDSV - Digital signature verify callable service

Sample Resource Names

CSFECO - Encode callable service
CSFEDC - Compatibility service for the CUSP or PCF CIPHER macro
CSFEMK - Compatibility service for the CUSP or PCF EMK macro
CSFENC - Encipher callable service
CSFENC1 - Encipher (with ALET) callable service
CSFGKC - Compatibility service for the CUSP or PCF GENKEY macro
CSFKEX - Key export callable service
CSFKGN - Key generate callable service

Session Summary

CA-ACF2 and CA-Top Secret provide full support of all components and features of OS/390
  OMVS
  HFS
  TCP/IP
  FTP
  WebSphere

Session Summary

Components
  Digital certificates
  Component broker series
  LDAP server
  Firewall technologies
  ICSF

CA Education

CA Education helps companies quickly transform the potential of Computer Associates software into a measurable performance advantage by providing a faster, easier, better approach to training.

Stop by the CA Education Booth for your free 2001 Course Catalog and Schedule

Visit us on the Web at ca.com/education, or contact us at 1-800-237-9273

Making CA Clients Successful with CA Software