IBM Security zSecure support for Multi-Factor Authentication for z/OS
JeroenTiggelman
On February 16, 2016 IBM announced authentication enhancements including a new product IBM Multi-Factor Authentication for z/OS (5655-162), with a planned availability date of March 25, 2016. z/OS Security Server RACF provided enabling infrastructure updates for z/OS V2R1 and V2R2. Supporting service stream enhancements to zSecure 2.1, 2.1.1, and 2.2 were made available around the same time. Multi-Factor Authentication (MFA) raises the level of assurance of mission-critical systems. It is particularly important to strongly authenticate users with elevated privileges.
The most common method for authenticating users to IBM z/OS systems is by the use of passwords or password phrases. Unfortunately, passwords can be compromised or shared. Multi-Factor Authentication for z/OS helps security administrators enforce a policy that requires authentication with multiple factors during the logon process. Each authentication factor must be from a separate category of credential types: 1) Something you know (e.g. a password), 2) Something you have (e.g. an ID badge), 3) Something you are (e.g. a fingerprint). A more extensive discussion can be found in the Introduction provided in the technote made available for RACF APAR OA48359.
Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting z Systems. When an access check occurs in a resource manager (i.e., a program that must make an access decision about the use of certain resources) the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF, then SAF will forward the question to that External Security Manager (ESM) and return the answer (allowed/protection undefined/denied).
IBM Multi-Factor Authentication for z/OS is designed to provide support for authenticating with different factors and to centralize the specific knowledge of how to handle an authentication factor within the product. It is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF. The design of this integrated solution is intended to help clients accelerate deployment, simplify management with existing infrastructure, more simply achieve regulatory compliance, and reduce risk to critical applications and data.
IBM Security zSecure suite helps protect z Systems in various ways. IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example to set a password back to a user-defined default password in case of a lost password (so that the administrator does not know it). The RACF Offline component of zSecure Admin allows making updates to a RACF database that is not active, so as to be able to analyze the effective security after reorganizing security rules before activating them. IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. IBM Security zSecure Adapters for QRadar SIEM send enriched SMF information to IBM Security QRadar SIEM. With the exception of zSecure Visual and zSecure CICS Toolkit, updates have been provided to all of these, though in the case of zSecure Alert and zSecure Adapters this is limited to the availability of more extensive information in SMF output. As a corollary, all the IBM
The IBM MFA function benefits and the effective updates to the RACF infrastructure are summarized in a technote from the RACF team.
Note that the ISPF panels and TSO helps are not updated for the new RACF command operands with RACF APAR OA48359.
Likewise, the zSecure components have not generally been adapted to generate new RACF command operands.
zSecure has provided the following:
* Updates to profile display functions in zSecure Admin and zSecure Audit to select on and show the available MFA data.
* Updates to the display of SETROPTS settings in menu options AU.S and RA.S to show that MFA support is available.
* Updates to SMF processing for zSecure Audit, zSecure Alert, and zSecure Adapters for QRadar SIEM (authentication method used).
* Updates to the Access Monitor component of zSecure Admin (authentication method used).
* Understanding of new RACF command keywords in zSecure Command Verifier and new policy profiles to protect them.
* Updates to the RACF-Offline component of zSecure Admin.
* The CARLa Auditing and Reporting Language (CARLa) has been extended with new NEWLIST fields for TYPE=ACCESS, TYPE=RACF, and TYPE=SYSTEM. Several fields in TYPE=SMF have been enhanced.
Documentation has been provided in a technote from the zSecure team.
Note the restrictions for handling MFA information through RACF-Offline.
To fully benefit from these enhancements, you must run RACF under z/OS V2R1 or V2R2, and you must run zSecure 2.1, 2.1.1, or 2.2.
Support is provided via PTFs for the various product components and levels. The initial set of APARs for RACF and zSecure can be found below under "Relevant APARs"; other updates can be identified through the MFA/K function keyword as explained in the Migration section below.
The following aids are available to assist in planning for and applying all relevant maintenance at once:
zSecure on z/OS: OA49576 (RACF-Offline toleration), OA50012 (Command Verifier), OA50011 (Command Veri
If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community and wiki. The I