Integrated Kerberos Security for the Enterprise - Natural Conference

Aug 7, 2012

© Copyright Covariant Inc 2008

Integrated Kerberos Security for the Enterprise

Securing your middleware across Windows, UNIX and z/OS platforms


Boston 2008

Covariant Inc


Part 1: Introduction


Security requirements


Authentication of legitimate users


Prevent unauthorized access to resources


Accountability and reliable audit trail


Satisfy regulatory requirements



Heterogeneous challenge


No longer a simple security requirement met within a single
environment, TP monitor, language and DBMS


Extensible platforms: Windows, UNIX, z/OS,
.NET, Web services and SOA


Integration connects separate application
components executing on different platforms


Different user ID password on each platform
such as Windows, UNIX and z/OS


Down side of security



Additional cost to deploy applications


Inconvenience and lost time for users


Cost of security administration


Effort required for successful audit



Constant risk of security compromise



Down side of passwords


Different user ID password on each system


Application must prompt for user ID password


Passwords written down or stored unencrypted


Passwords sometimes hard coded in applications


Even encrypted passwords can be intercepted


Administrator time for resetting passwords


Risk of the user ID and password being compromised



Down side of certificates


Digital certificates can provide an alternative
to user ID and password, but…


Digital certificates require PKI infrastructure


Administration associated with user certificates


Additional burden to revoke certificates and
provide a replacement, when necessary


Certificate deployment for z/OS based application
components must be coordinated with system
down time



Part 2: Kerberos


What is Kerberos


A network authentication service


MIT, Heimdal, Microsoft implementations


Authentication over an untrusted network


Kerberos issues tickets for authentication and
optionally provides session key for encryption


Kerberos KDC has the following components


Authentication Server (AS)


Ticket Granting Server (TGS)


Database (KDB)


Why Kerberos is interesting


Method to establish authentication without sending the
user ID password over the network (user already authenticated locally)


Tickets are valid only for a finite lifetime, and every use of a ticket
carries a fresh, timestamped authenticator that the server accepts only once


Each service ticket gives access to just one particular
service


Authentication between separate Kerberos realms


Kerberos suitable for heterogeneous environments


Overview of Kerberos

Figure: information flow for client and server in the same Kerberos realm. The KDC comprises the Authentication Server (AS) and the Ticket Granting Server (TGS).

(1) User ID / password logon: client application to the AS
(2) Ticket granting ticket (TGT): AS to client application
(3) Service principal name (with the TGT): client application to the TGS
(4) Service ticket, optional session key: TGS to client application
    Service ticket: client application to server application
(5) Ticket verification request
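The same-realm flow above, worked through as an added example that is not part of the original deck or of any real Kerberos implementation. It is a Python model in which a toy authenticated-encryption primitive (seal/unseal, built from hashlib and hmac) stands in for the Kerberos enctypes; the realm EXAMPLE.COM, the principals alice and broker/zos1.example.com, the passwords and the 8-hour lifetime are all constructed. It shows what the slides claim: the password is used only locally to unseal the AS reply and never crosses the network, the TGT is reused for later service tickets, each ticket names one service and expires, and in step (5) the server verifies the ticket with its own long-term key without contacting the KDC and refuses a replayed authenticator.

```python
"""Toy model of the same-realm Kerberos flow (added example; not Covariant's, MIT's or
Microsoft's code). seal()/unseal() stand in for the Kerberos enctypes so this runs offline.
The clock is passed in explicitly so expiry and replay checks can be exercised."""
import hashlib, hmac, json, os

def string_to_key(password, realm, principal):
    # Long-term key from a password, salted with realm + principal as Kerberos does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 20_000)

def _xor(key, nonce, data):
    # Toy stream cipher: keystream blocks are SHA-256(key || nonce || counter).
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    # Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC-SHA256 tag.
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:  # Authentication Server (AS) + Ticket Granting Server (TGS) over one KDB
    def __init__(self, realm, principals, lifetime=8 * 3600):
        self.realm, self.lifetime, self.tgs = realm, lifetime, "krbtgt/" + realm
        # KDB: principal -> long-term key; the TGS key is random, never password-derived.
        self.kdb = {p: string_to_key(pw, realm, p) for p, pw in principals.items()} | {self.tgs: os.urandom(32)}

    def _issue(self, client, service, now):
        # A ticket names one client and one service and is readable only by that service.
        session_key = os.urandom(32).hex()
        ticket = seal(self.kdb[service], {"client": client, "service": service,
                                          "key": session_key, "end": now + self.lifetime})
        return session_key, ticket

    def as_exchange(self, client, now):
        # Steps (1)/(2): the reply is sealed under the user's password-derived key.
        session_key, tgt = self._issue(client, self.tgs, now)
        return seal(self.kdb[client], {"key": session_key}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        # Steps (3)/(4): TGT + authenticator in, service ticket out; no password involved.
        t = unseal(self.kdb[self.tgs], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or now > t["end"]:
            raise PermissionError("TGT invalid or expired")
        session_key, ticket = self._issue(t["client"], service, now)
        return seal(bytes.fromhex(t["key"]), {"key": session_key}), ticket

class Client:
    def __init__(self, principal, kdc):
        self.principal, self.kdc = principal, kdc

    def login(self, password, now):
        # The password is used only here, locally, to unseal the AS reply.
        rep, self.tgt = self.kdc.as_exchange(self.principal, now)
        key = string_to_key(password, self.kdc.realm, self.principal)
        self.tgt_key = bytes.fromhex(unseal(key, rep)["key"])  # ValueError if password is wrong

    def ap_req(self, service, now):
        # Get a service ticket with the TGT, then build the AP-REQ: ticket + fresh authenticator.
        rep, ticket = self.kdc.tgs_exchange(
            self.tgt, seal(self.tgt_key, {"client": self.principal, "time": now}), service, now)
        session_key = bytes.fromhex(unseal(self.tgt_key, rep)["key"])
        return ticket, seal(session_key, {"client": self.principal, "time": now})

class Server:
    def __init__(self, principal, password, realm, skew=300):
        self.principal, self.skew, self.seen = principal, skew, set()  # seen: replay cache
        self.key = string_to_key(password, realm, principal)           # from the service keytab

    def accept(self, ticket, authenticator, now):
        # Step (5): verified locally with the service's own key; the KDC is not contacted.
        t = unseal(self.key, ticket)
        if t["service"] != self.principal or now > t["end"]:
            raise PermissionError("ticket is for another service or has expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or abs(a["time"] - now) > self.skew:
            raise PermissionError("authenticator does not match ticket, or clock skew too large")
        if (a["client"], a["time"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["time"]))
        return t["client"], bytes.fromhex(t["key"])  # authenticated client + session key

def rejected(fn, *args):  # True if the call is refused; used for the negative cases
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False

def demo(now=1_700_000_000):
    # Constructed realm, principals and passwords; the broker is a Kerberized service.
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse battery",
                              "broker/zos1.example.com": "keytab-secret"})
    broker = Server("broker/zos1.example.com", "keytab-secret", "EXAMPLE.COM")
    alice = Client("alice", kdc)
    alice.login("correct horse battery", now)                    # (1)/(2): one logon
    ticket, auth = alice.ap_req("broker/zos1.example.com", now)  # (3)/(4), then AP-REQ
    client, _session_key = broker.accept(ticket, auth, now)      # (5)
    return client, kdc, alice, broker, ticket, auth
```

demo() returns the name the broker authenticated; calling alice.ap_req() again later gets a second service ticket from the TGT with no password, while re-presenting a captured AP-REQ, an expired ticket, a ticket cut for another service, or a wrong password all fail in rejected(). The session key the server recovers from the ticket is what the slides mean by "optional session key for encryption".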

Overview of Kerberos

Figure: information flow for client and server in different Kerberos realms. Realm-1 (KDC-1: AS and TGS) has a trust relationship with Realm-2 (KDC-2: AS and TGS). The steps are as in the single-realm case: (1) user ID / password logon to the AS of the client's realm; (2) ticket granting ticket (TGT); (3) service principal name to the TGS; (4) service ticket, optional session key; the service ticket is sent to the server application in the other realm; (5) ticket verification request.


Kerberos on z/OS


IBM Network Authentication Service


Integration with RACF/ACF2/Top Secret
enables authorization and audit functionality


RACF/ACF2/Top Secret contain user ID
mappings between different platforms


RACF/ACF2/Top Secret contain the trust
relationships between different Kerberos
realms


Kerberos on z/OS

Figure: information flow for a client on Windows to a server on z/OS. The Microsoft Windows Domain Controller (the client's KDC) has a trust relationship with the IBM Network Authentication Service on z/OS, which is backed by RACF, ACF2 or TSS. (1) User ID / password logon to the Domain Controller; (2) ticket granting ticket (TGT); (3) service principal name; (4) service ticket, optional session key; the service ticket is sent to the z/OS server application; (5) ticket verification request.

Kerberos enabled servers on z/OS


IBM DB2 V7 and above (authentication)


WebSphere Application Server (authentication)


FTP (authentication and encryption)


Telnet (authentication and encryption)


LDAP (authentication)


rshd (authentication and encryption)


Kerberos benefits


Authentication across Windows, UNIX, z/OS


Authorization and audit can be added, for
example using RACF/ACF2/Top Secret



Ability to generate session keys (encryption)


Applicable to any heterogeneous application



Solution now exists for EntireX Broker…



Part 3: H-Trust


The Kerberos solution for EntireX Broker


Existing EntireX Security


Application components must provide a user ID and password
valid on the Broker kernel platform (e.g. z/OS), where the
authorization checks are made


Requires application changes to prompt for the user ID and
password, except for trusted user ID, which is available
for the ADASVC transport only


Applies to both client and server application components


Existing EntireX Security

Figure: a z/OS LPAR runs the Broker Kernel with EntireX Security, checked against RACF, ACF2 or TSS; batch jobs and CICS regions call it through Stub+EntireX Security. A Windows domain (Windows 2003 server and workstations) runs Windows applications, each with Stub+EntireX Security. Every message carries userid + pwd.


H-Trust: solution for EntireX


Kerberos credentials obtained automatically, since
user is already logged onto Windows, z/OS, etc.


Authentication is achieved without transmitting a user ID and password


Broker stub transmits Kerberos credentials to Broker
kernel where verification is performed


Authorization and audit integrated with host security
system (for z/OS based Broker kernels)


IBM Network Authentication Service maps network
ID to RACF/ACF2/Top Secret user ID




H-Trust: solution for EntireX

Figure: a z/OS LPAR runs the Broker Kernel with H-Trust, the IBM Network Authentication Service and RACF, ACF2 or TSS; batch jobs and CICS regions call it through Stub + H-Trust. A Windows domain (Windows 2003 server and workstations) with its Domain Controller, which has a trust relationship with the IBM Network Authentication Service, runs Windows applications, each with Stub + H-Trust. Every message carries a Kerberos ticket instead of a user ID and password.
H-Trust: features


Kerberos service: the Broker Kernel (z/OS)


Access to different Broker Kernels controlled at the
Windows user or Domain level


Authorization checks for class/server/service are
performed against RACF/ACF2/Top Secret


Windows users can individually be granted access to
EntireX Broker instances through RACF/ACF2/Top
Secret definitions


User ID mappings maintained in RACF/ACF2/Top
Secret


H-Trust: benefits for EntireX


Transparent implementation, no application changes


Available for EntireX Broker V731 and above


Supports all Broker ACI versions (Kerberos: ACI >= 2)


Warn mode and reporting facilities


Provides compatibility with user ID password authentication,
new password / password change, and ADASVC based trusted
user ID


Client user ID exposed to server application
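The kernel-side decisions described in the H-Trust features and benefits slides (network ID to host user ID mapping, class/server/service authorization, warn mode and reporting), as an added example that is not Covariant's H-Trust or Software AG's EntireX code. The principal map, the rule table, the warn-mode behaviour and the audit record layout are constructed for illustration; in H-Trust these live in RACF/ACF2/Top Secret definitions whose profile syntax this deck does not give. The point it makes is operational: in warn mode an authorization miss is recorded but let through, so the report can be used to correct the definitions before enforcement is switched on, whereas a principal with no host mapping is refused either way because there is no user ID to run the request as.

```python
"""Added example (not Covariant's H-Trust or EntireX code): the decisions a Broker kernel
makes after Kerberos has authenticated the stub's principal. The mapping table, the
class/server/service rules, warn-mode behaviour and audit format are constructed; in
H-Trust they are RACF/ACF2/Top Secret definitions whose syntax this page does not give."""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed: Kerberos principal (network ID) -> host user ID, the mapping the host keeps.
PRINCIPAL_MAP = {"alice@CORP.EXAMPLE": "ALICE1", "ordersvc@CORP.EXAMPLE": "ORDSVC"}

# Constructed: (host user, class, server, service) a user may reach; '*' matches generically.
RULES = [("ALICE1", "RPC", "SRV1", "CALLNAT"),
         ("ORDSVC", "RPC", "SRV*", "*")]

class BrokerSecurity:
    def __init__(self, warn_mode=False):
        self.warn_mode = warn_mode  # warn: record would-be denials but let the call through
        self.audit = []             # (decision, principal, host user, class/server/service)

    def map_principal(self, principal):
        # An unmapped network ID has no host identity, so it is refused even in warn mode.
        user = PRINCIPAL_MAP.get(principal)
        if user is None:
            self.audit.append(("NOMAP", principal, None, None))
            raise PermissionError(f"no host user ID mapped for {principal}")
        return user

    def check(self, principal, cls, server, service):
        """Return the host user ID the request runs as, or raise PermissionError."""
        user = self.map_principal(principal)
        resource = (cls, server, service)
        permitted = any(u == user and all(fnmatchcase(got, pat) for got, pat in zip(resource, pats))
                        for u, *pats in RULES)
        decision = "ALLOW" if permitted else ("WARN" if self.warn_mode else "DENY")
        self.audit.append((decision, principal, user, "/".join(resource)))
        if decision == "DENY":
            raise PermissionError(f"{user} not authorized for {'/'.join(resource)}")
        return user

    def report(self):
        # Reporting facility: decisions per identity, the input for fixing definitions
        # before switching warn mode off.
        return Counter((user or principal, decision) for decision, principal, user, _ in self.audit)

def rejected(fn, *args):  # True if the call is refused
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def demo():
    """The same requests against an enforcing kernel and one in warn mode."""
    enforce, warn = BrokerSecurity(), BrokerSecurity(warn_mode=True)
    return {
        "alice_srv1": enforce.check("alice@CORP.EXAMPLE", "RPC", "SRV1", "CALLNAT"),
        "ordersvc_generic": enforce.check("ordersvc@CORP.EXAMPLE", "RPC", "SRV7", "ORDERS"),
        "alice_srv2_enforce": rejected(enforce.check, "alice@CORP.EXAMPLE", "RPC", "SRV2", "CALLNAT"),
        "alice_srv2_warn": warn.check("alice@CORP.EXAMPLE", "RPC", "SRV2", "CALLNAT"),
        "unmapped_warn": rejected(warn.check, "mallory@CORP.EXAMPLE", "RPC", "SRV1", "CALLNAT"),
        "warn_report": dict(warn.report()),
    }
```

demo() returns the outcome of each request; the warn-mode kernel's report lists ALICE1 with one WARN (the SRV2 call that enforcement would deny) and the unmapped principal with one NOMAP, which is the list an administrator works through before turning warn mode off.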


H-Trust: future directions


Apply to other heterogeneous enterprise
applications


Leverage public key extensions, e.g. SPKM-3 and LIPKEY


SOAP and Web services integration


Kerberized internet server / application server


Active Directory Federation Services (AD FS)


Simple Authentication and Security Layer (SASL)

Summary


Kerberos provides a solution to securing your
middleware across heterogeneous platforms


H-Trust solution available for EntireX Broker


Covariant Inc.: 75 years accumulated systems
software and systems engineering experience


Expertise in design, building and configuration
of Kerberos based security solutions for the
enterprise



http://www.covariant-systems.com