This next part (Part 8) builds on the other DB2 Family Security Best Practices blogs which I wrote a while back. (The links for the other seven DB2 Security blogs can be found at the bottom of the page.) This blog talks about adding elements of DB2 security by layering in the z/OS Communications Server to handle all incoming DB2 application traffic. Adding this extra communication layer provides further configuration flexibility and many different types of security options to fully customize your DB2 security application interactions in many different ways.
Within the Communications Server, two different layers of network security can be configured: transport security through Application Transparent Transport Layer Security (AT-TLS) and packet filtering at the IP network layer. AT-TLS protects the system from unwanted, unsecured, and unencrypted traffic by requiring fully encrypted traffic from every trusted partner configured for your systems. The IP network layer provides the flexibility to define and configure different network policies for different system interfaces or partners, with fine-tuned IP input and packet filtering. This IP and packet filtering is very efficient for restricting access to the DB2 environment, and for monitoring and restricting the data that flows out of it.
Next, for those companies using RESTful JSON or cloud applications, DB2 on the mainframe provides many different options for leveraging mobile, social, and Hadoop interface APIs. The DB2 Adapter for z/OS Connect, which comes in the DB2 Accessories Suite Version 3.3, provides many different ways these RESTful APIs can be invoked and integrated into your environment and applications. These RESTful APIs provide an industry-standard way for all types of cloud, mobile, and OLTP applications to access all types of DB2 mainframe environments, while providing the security your company has come to expect within the mainframe environment.
Through the DB2 Adapter for z/OS Connect security configuration, an IBM Liberty profile started task is designated to handle authentication for a single DB2 catalog on a single LPAR. Just like any started task, a security model and authentication scheme needs to be planned and implemented. The best scheme is to require a DB2 trusted context configuration. This DB2 trusted context scheme uses the DB2 Adapter data source user ID to obtain a RACF PassTicket for establishing the trusted context access.
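As an added example (not from the original post or from IBM's product documentation), the DDL below defines the kind of trusted context the adapter scheme above calls for, and ties it to the Communications Server layers from the earlier section: the ENCRYPTION 'HIGH' attribute only trusts connections that arrive over an AT-TLS secured port, and the SERVAUTH attribute only trusts connections from a network access zone protected by a RACF SERVAUTH profile. The authids, role name, address, table name and SERVAUTH profile name are constructed placeholders.

```sql
-- Added example, not part of the original post. All names, addresses
-- and profile names below are constructed placeholders.

-- Privileges go to a role, never directly to the data source authid,
-- so they apply only while the trusted context is in effect.
CREATE ROLE ZCON_ADAPTER_ROLE;
GRANT EXECUTE ON PACKAGE NULLID.* TO ROLE ZCON_ADAPTER_ROLE;
GRANT SELECT ON APP.CUSTOMER TO ROLE ZCON_ADAPTER_ROLE;

-- The connection is trusted only when ALL attributes match:
--   SYSTEM AUTHID ZCONSRV : the adapter's data source user ID, which
--                           authenticates to DB2 with a RACF PassTicket
--   ADDRESS               : the Liberty server's IP address
--   ENCRYPTION 'HIGH'     : the connection must be TLS-encrypted
--                           (i.e. came in through the AT-TLS secure port)
--   SERVAUTH              : the Communications Server NETACCESS zone the
--                           application tier sits in (RACF SERVAUTH class)
CREATE TRUSTED CONTEXT CTX_ZCONNECT
  BASED UPON CONNECTION USING SYSTEM AUTHID ZCONSRV
  ATTRIBUTES (ADDRESS    '10.20.30.40',
              ENCRYPTION 'HIGH',
              SERVAUTH   'EZB.NETACCESS.SYSA.TCPIP.APPZONE')
  DEFAULT ROLE ZCON_ADAPTER_ROLE
    WITHOUT ROLE AS OBJECT OWNER
  ENABLE
  -- End users the adapter may switch the connection to. WITH
  -- AUTHENTICATION forces credentials on every switch, so a hijacked
  -- connection cannot silently assume another user's identity.
  WITH USE FOR APPUSR1 ROLE ZCON_ADAPTER_ROLE WITH AUTHENTICATION,
               APPUSR2 ROLE ZCON_ADAPTER_ROLE WITH AUTHENTICATION;

-- Verification before the endpoint goes live: the context is enabled
-- and its recorded trust attributes include ENCRYPTION = HIGH.
SELECT C.NAME, C.SYSTEMAUTHID, C.ENABLED, A.ATTR, A.VALUE
  FROM SYSIBM.SYSCONTEXT C
  JOIN SYSIBM.SYSCTXTTRUSTATTRS A ON A.CONTEXTID = C.CONTEXTID
 WHERE C.NAME = 'CTX_ZCONNECT';
```

A connection from the right authid that arrives on the non-secure DRDA port fails the ENCRYPTION attribute and is simply not trusted, so the role's privileges never apply to it.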
Next, RACF, with its many different ways to define unique company-wide or application-wide security, is the security industry's gold standard. All of these additional security options are available through RACF and the RACF Security Server configuration that is used by the AT-TLS security authentication support. RACF Security Server provides many different types of security options to build the best functional security environment for an application, and it is the most convenient choice for managing your DB2 security environment effectively. RACF provides many different ways to define security definitions or profiles, such as Distributed Computing Environment (DCE), distributed entities and identities, DFSMS, EIM, Kerberos, language information, TSO, z/OS UNIX, WORKATTR, digital certificates, NetView, and other custom attributes that can be used to secure any profile ID, resource, application, or environment.
Within RACF there are many different ways to define and use RACF digital certificates. These RACF certificates can be used in a variety of ways, from one-time certificates to multiple certificates associated with a single user or process. The RACF certificate capabilities can also be used to restrict DB2 security access to a particular server or to help provide access to a range of resources. These RACF security certificates can be set up in a variety of ways and with a great deal of flexibility, through all types of passwords and password phrases that can be up to 100 bytes of any combination of special and regular characters.
All of these RACF certificates and their associated functionality are detailed in the z/OS Security Server RACF Reference. The documentation for the z/OS Communications Server, the Security Server RACF reference, and other DB2 security related software can be found here (http://www-03.ibm.com/systems/z/os/zos/library/bkserv/v2r1pdf/). The RACF reference provides detailed descriptions and documentation of the various RACF capabilities for generating, managing, and fully understanding these different RACF and DB2 security definition types, the various options for certificates, and their overall configuration and usage. By using the z/OS Communications Server, the DB2 Adapter for z/OS Connect, and a good trusted context RACF security scheme, IBM DB2 continues to provide secure access to all types of applications. Using these new components only enables more applications and API types to reference all of their DB2 data.
I authored two CIO DB2 Security Audit white papers and a technical DB2 Security Audit white paper for SEGUS. Also at the link is a webinar talking about the SEGUS security and DB2 audit considerations. The "How to establish a Security Audit for DB2 z/OS" white paper can be found here (https://www.segus.com/media/wp-security-audit-dba-en.pdf), the "Is 339° Security Audit Sufficient?" white paper is here (https://www.segus.com/media/wp-PSI-339-security-cto-en.pdf), and the PowerPoint webinar discussion presentation with SEGUS is here (https://www.segus.com/events/webinars/db2-for-zos-security-audit-protecting-your-assets/).
Here’s a list with links to other posts that may help you improve your DB2 performance, security, and ease-of-use:
Dave Beulke is a system strategist, application architect, and performance expert specializing in Big Data, data warehouses, and high performance internet business solutions. He is an IBM Gold Consultant, Information Champion, President of DAMA-NCR, former President of the International DB2 User Group, and a frequent speaker at national and international conferences. His architectures, designs, and performance tuning techniques help organizations better leverage their information assets, saving millions in processing costs. Follow him on Twitter here or connect through LinkedIn here.