Enhancing security

z/OS® Communications Server includes the following security enhancements:
  • IBM zERT Network Analyzer - IBM zERT (z/OS Encryption Readiness Technology) Network Analyzer is a web-based graphical user interface that z/OS network security administrators can use to analyze and report on data reported in zERT Summary records.
    Dependencies:
    • You must have installed z/OSMF V2R3 APAR PH03137 to use IBM zERT Network Analyzer.
    • The IBM zERT Network Analyzer task requires either Db2 11 for z/OS or Db2 12 for z/OS.

    When change was introduced: z/OS Management Facility (z/OSMF) V2R3 with the PTF for APAR PH03137

  • z/OS Encryption Readiness Technology (zERT) aggregation - z/OS Communications Server introduced a new function called z/OS Encryption Readiness Technology (zERT). With zERT, the TCP/IP stack acts as a focal point in collecting and reporting the cryptographic security attributes of IPv4 and IPv6 application traffic that is protected using the TLS/SSL, SSH, and IPSec cryptographic network security protocols. The collected connection-level data is written to SMF in SMF 119 subtype 11 records. In certain environments, the volume of SMF 119 subtype 11 records can be large. z/OS V2R3 Communications Server provides the zERT aggregation function, which offers an alternative SMF view of the collected security session data. This alternate view is written as new SMF 119 subtype 12 records, which summarize the use of security sessions by many application connections over time and are written at the end of each SMF interval. This alternate view condenses the volume of SMF record data while still providing all the critical security information.
    Restrictions:

    The following restrictions apply to both the zERT discovery and the zERT aggregation functions.

    zERT collects information for TCP and Enterprise Extender (EE) connections. Information is not collected for non-EE UDP traffic or traffic using other IP protocols.

    zERT collects cryptographic security attributes for the TLS, SSL, SSH, and IPSec protocols. No other cryptographic security protocols are supported.

    The following z/OS cryptographic protocol providers are fully enabled for zERT: z/OS Communications Server IPSec and AT-TLS, z/OS Cryptographic Services System SSL, and z/OS OpenSSH. Detailed security attribute data is available for connections using these protocol providers. Other TLS, SSL, and SSH implementations running on z/OS are monitored through stream observation only. A limited amount of security attribute data is available for these connections.

    For information on the specific cases where security attribute data is limited or unavailable, see zERT discovery limitations in z/OS Communications Server: IP Configuration Guide.

    Dependency: To properly monitor IBM Sterling Connect:Direct traffic when it is protected through SecurePlus TLS/SSL support, apply Connect:Direct APAR PI77316.

    When change was introduced: z/OS V2R3 with the PTF for APAR PI83362

  • TN3270E Telnet server ELF support for MFA - The TN3270 Telnet server Express Logon Feature (ELF) is extended to support IBM Multi-Factor Authentication (MFA) for z/OS. With this support, TN3270 clients get the same single sign-on behavior that the PassTicket-based ELF already offers, but now through an MFA token that is assigned by a SAF-compliant external security manager such as IBM Security Server RACF. With the new EXPRESSLOGONMFA parameter in the TN3270E Telnet server profile, ELF attempts to authenticate clients by using their X.509 client certificate through MFA. If no MFA token is available for the user, the authentication fails (although ELF can also be configured to revert to PassTicket authentication in certain cases where MFA authentication is unsuccessful).
    Dependencies:
    • IBM Security Server RACF APAR OA53002
    • IBM Multi-Factor Authentication for z/OS APAR PI86470 and PI93341

    When change was introduced: z/OS V2R3 with the PTFs for APAR PI85185, RACF APAR OA53002, and IBM MFA for z/OS APARs PI86470 and PI93341

  • AT-TLS currency with system SSL - Application Transparent TLS (AT-TLS) is enhanced to support the following features provided by System SSL.
    • Support for NIST SP800-131A (key length transition recommendations). Support is added for higher security strengths (larger key sizes) as defined in NIST SP800-131A, which allows a more secure FIPS 140-2 implementation.
    • Support for NIST SP800-52A Revision 1 (TLS implementation guidelines) which adds new certificate processing controls.
    • Support for several RFCs governing OCSP (RFC 6066, RFC 6277, RFC 6960, and RFC 6961).
    • Support for RFCs regarding Suite B Profile clarifications (RFCs 6460 and 5759).
    • Support for Signaling Cipher Suite Values (SCSV) to protect against protocol downgrade attacks (RFC 7507).

    When change was introduced: z/OS V2R3
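    The following is an added example, not code from the z/OS documentation or from System SSL, showing the client- and server-side rules that TLS_FALLBACK_SCSV (RFC 7507) adds to a handshake. Version numbers are the TLS wire values; cipher suite lists hold the 2-byte suite values, and the three real suites listed are constructed sample choices.

```python
# RFC 7507: a client that retries a failed handshake at a lower protocol
# version appends TLS_FALLBACK_SCSV to its cipher suite list; a server that
# could have negotiated a higher version than the one offered then rejects the
# hello with inappropriate_fallback, so an attacker cannot force a downgrade
# simply by breaking the first attempt.

TLS_FALLBACK_SCSV = 0x5600            # cipher suite value reserved by RFC 7507

SSLv3, TLSv1_0, TLSv1_1, TLSv1_2 = 0x0300, 0x0301, 0x0302, 0x0303

# Constructed sample of the real suites a client offers (the SCSV is not one).
REAL_SUITES = [0xC02F, 0x009C, 0x002F]


def client_hello(version, is_fallback_retry):
    """Return the (version, cipher_suites) a client sends.

    On a fallback retry the client offers a version lower than its best one
    and signals that fact with the SCSV, so the server can tell a downgrade
    retry from a genuinely old client that never supported anything newer.
    """
    suites = list(REAL_SUITES)
    if is_fallback_retry:
        suites.append(TLS_FALLBACK_SCSV)
    return version, suites


def server_process(client_version, cipher_suites, server_max_version):
    """Server side of RFC 7507 section 3.

    Returns ("accept", negotiated_version) or ("alert", "inappropriate_fallback").
    """
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        # The client says this is a fallback retry, yet this server supports a
        # higher version than it offered: the earlier failure was not caused
        # by a version mismatch here, so treat it as interference and refuse.
        return "alert", "inappropriate_fallback"
    # Otherwise negotiate normally; the SCSV itself is never selected as a suite.
    return "accept", min(client_version, server_max_version)
```
    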

  • z/OS Encryption Readiness Technology (zERT) - z/OS Encryption Readiness Technology (zERT) is a new capability provided by the z/OS V2R3 Communications Server. With zERT, the TCP/IP stack acts as a focal point in collecting and reporting the cryptographic security attributes of IPv4 and IPv6 application traffic that is protected using the TLS/SSL, SSH and IPSec cryptographic network security protocols. The collected connection level data is written to SMF in new SMF 119 subtype 11 records for analysis.
    Restrictions:

    zERT collects cryptographic security attributes for TCP and Enterprise Extender (EE) connections. Information is not collected for non-EE UDP traffic or traffic that uses other IP protocols.

    zERT collects cryptographic security attributes for the TLS, SSL, SSH, and IPSec protocols. No other cryptographic security protocols are supported.

    The following z/OS cryptographic protocol providers are fully enabled for zERT: z/OS Communications Server IPSec and AT-TLS, z/OS Cryptographic Services System SSL, and z/OS OpenSSH. Detailed security attribute data is available for connections using these protocol providers. Other TLS, SSL, and SSH implementations running on z/OS are monitored through stream observation only. A limited amount of security attribute data is available for these connections.

    For information on the specific cases where security attribute data is limited or unavailable, see zERT discovery limitations in z/OS Communications Server: IP Configuration Guide.

    Dependency: To properly monitor IBM Sterling Connect:Direct traffic when it is protected through SecurePlus TLS/SSL support, apply Connect:Direct APAR PI77316.

    When change was introduced: z/OS V2R3

  • IBM Health Checker for z/OS FTP ANONYMOUS JES - A new IBM Health Checker for z/OS application health check is provided to help determine whether your FTP server allows anonymous users to submit jobs. When ANONYMOUS is enabled, it is recommended that ANONYMOUSLEVEL be set to 3 and ANONYMOUSFILETYPEJES be set to FALSE. Otherwise, anonymous users can submit jobs to run on the system.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R3, and z/OS V2R2 with the PTFs for APARs PI47637 and OA49668.
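    The following is an added example, not IBM's health check code, that audits FTP server configuration statements for the condition the health check above looks for. It assumes FTP.DATA-style syntax (one statement per line, keyword followed by its value, a semicolon starting a comment, case-insensitive keywords) and assumes that the defaults when a statement is absent are ANONYMOUSLEVEL 1 and ANONYMOUSFILETYPEJES TRUE; confirm both against the FTP.DATA reference for your release.

```python
# Assumed defaults for absent statements; verify in the FTP.DATA reference.
DEFAULTS = {"ANONYMOUSLEVEL": "1", "ANONYMOUSFILETYPEJES": "TRUE"}


def parse_ftp_data(text):
    """Return {KEYWORD: VALUE} from FTP.DATA-style text; a later statement wins."""
    config = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' introduces a comment
        if not line:
            continue
        parts = line.split(None, 1)
        config[parts[0].upper()] = parts[1].strip().upper() if len(parts) > 1 else ""
    return config


def anonymous_jes_findings(config):
    """Return findings for anonymous job submission; [] means it is not possible."""
    if "ANONYMOUS" not in config:
        return []        # no ANONYMOUS statement: anonymous logins are disabled
    level = config.get("ANONYMOUSLEVEL", DEFAULTS["ANONYMOUSLEVEL"])
    jes = config.get("ANONYMOUSFILETYPEJES", DEFAULTS["ANONYMOUSFILETYPEJES"])
    findings = []
    if level != "3":
        findings.append(f"ANONYMOUSLEVEL is {level}; set it to 3")
    if jes != "FALSE":
        findings.append(f"ANONYMOUSFILETYPEJES is {jes}; set it to FALSE "
                        "so anonymous users cannot submit jobs")
    return findings


# Constructed sample configurations, not taken from any real system.
WEAK_FTP_DATA = """\
; anonymous enabled at level 2, JES file type left at its default
ANONYMOUS anonymo/anonpass
ANONYMOUSLEVEL 2
"""

HARDENED_FTP_DATA = """\
; the configuration the health check recommends
ANONYMOUS anonymo/anonpass
ANONYMOUSLEVEL 3
ANONYMOUSFILETYPEJES FALSE
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_FTP_DATA), ("hardened", HARDENED_FTP_DATA)):
        print(name, anonymous_jes_findings(parse_ftp_data(text)) or ["no findings"])
```
    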

  • IBM Health Checker for z/OS MVRSHD RHOSTS DATA - A new IBM Health Checker for z/OS application health check is provided to help determine whether your MVRSHD server is active and whether RSH clients are using RHOSTS.DATA data sets for authentication. The MVRSHD server supports the RSH and REXEC protocols, which transfer user ID and password information in the clear. RSH clients that use RHOSTS.DATA data sets also rely on weak authentication: this method allows remote command execution without requiring the RSH client to supply a password.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R3, and z/OS V2R2 with the PTFs for TCP/IP APAR PI51640 and SNA APAR OA50122.

  • IBM Health Checker for z/OS SNMP agent public community name - A new IBM Health Checker for z/OS application health check is provided to help determine whether your SNMP agent is configured with a community name of public. Because public is a well-known community name, it should not be used with community-based security.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R3, and z/OS V2R2 with the PTFs for APARs PI51640 and OA50122.

  • IBM Health Checker for z/OS SMTPD MAIL RELAY - A new IBM Health Checker for z/OS application health check is provided to help determine whether your SMTP server is configured as a mail relay. Setting the INBOUNDOPENLIMIT statement to a valid nonzero value, or allowing it to default to 256, causes the SMTP server to open a listening port and implicitly become exploitable by remote users as a mail relay.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R2 with the PTFs for APAR PI51640 and APAR OA50122. The IBM Health Checker for z/OS SMTPD MAIL RELAY is removed in z/OS V2R3.

  • SMF 119 TCP connection termination record (subtype 2) enhanced to provide IP filter information - IP filter information is provided in the SMF 119 TCP connection termination record (subtype 2). If IP filtering is being done for a connection, the names of the IP filter rules associated with its inbound and outbound traffic are included in a new section of the record. The data is also available through the SYSTCPCN real-time network monitoring interface (NMI).
    Restrictions:

    The IP filter section is included if IP filtering is active and an IP filter rule applies to the traffic. The IP filter section is not included for intra-host connections because IP filtering is not done for those connections.

    The filter rule information reflects the IP filter rules in place at the time that the connection is terminated. If IP filter policy changes while a connection is active, only the names of the IP filter rules in place at the time of the termination are included.

    Dependencies:

    SMF configuration option TCPTERM must be configured on the SMFCONFIG TCP/IP profile statement for the SMF 119 TCP connection termination record (subtype 2) to be generated.

    The TCPCONNSERVICE parameter must be configured on the NETMONITOR TCP/IP profile statement for the SMF 119 TCP connection termination data to be available through the SYSTCPCN real-time NMI.

    When change was introduced: z/OS V2R3, and z/OS V2R2 with the PTF for APAR PI69920

  • VTAM 3270 intrusion detection services - 3270 data stream intrusion detection services (IDS) is enabled to detect and act on violations of the 3270 data stream protocol. The 3270 IDS function monitors all 3270 data streams for primary logical units (PLUs) that are connected to the z/OS VTAM instance. Specific types of 3270 sessions can be exempted from IDS monitoring at the VTAM or application major node level if IDS monitoring is not needed for those sessions.

    The 3270 IDS function monitors 3270 data streams for any attempt to write past the end of input fields or to modify protected fields. When these types of events are detected, appropriate actions are taken according to the VTAM configuration. The possible actions include logging the event, tracing the relevant inbound and outbound PIUs for later analysis, notifying the PLU of the event with a sense code, and even terminating the SNA session.

    When change was introduced: z/OS V2R3, and z/OS V2R2 with the PTF for APAR OA49911.
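    The following is an added example, not VTAM's implementation, that models the two protocol checks described above: data written past the end of an input field and data sent for a protected field. It assumes a simplified screen description (field attribute positions with their protected bit, from the outbound data stream) and models the inbound Read Modified data as (field address, data) pairs already decoded from the SBA orders; buffer addresses are plain integers rather than the 3270 wire encodings, and the logon screen is a constructed sample.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    start: int        # buffer address of the first data position after the attribute
    length: int       # data positions up to the next field attribute byte
    protected: bool   # the attribute byte had its protected bit set


def field_map(attributes, screen_size=1920):
    """Build Field objects from (attribute_address, protected) pairs written outbound.

    A field runs from the position after its attribute to the next attribute;
    the last field wraps around the screen buffer to the first attribute.
    """
    attrs = sorted(attributes)
    fields = []
    for i, (addr, protected) in enumerate(attrs):
        nxt = attrs[i + 1][0] if i + 1 < len(attrs) else attrs[0][0] + screen_size
        fields.append(Field(start=addr + 1, length=nxt - addr - 1, protected=protected))
    return fields


def check_inbound(fields, modified_fields):
    """Return the violations in one inbound data stream; [] means it is well-formed."""
    by_start = {f.start: f for f in fields}
    violations = []
    for addr, data in modified_fields:
        field = by_start.get(addr)
        if field is None:
            # A conforming terminal only reports fields that exist on the screen.
            violations.append(f"SBA {addr}: no field starts at this address")
            continue
        if field.protected:
            violations.append(f"SBA {addr}: data sent for a protected field")
        if len(data) > field.length:
            violations.append(f"SBA {addr}: {len(data)} bytes written into a "
                              f"{field.length}-byte field (past end of input field)")
    return violations


# Constructed sample: a two-row logon screen, 80 columns per row.
LOGON_SCREEN = field_map([
    (0, True), (8, False), (17, True),     # row 0: "USERID:" label, 8-byte input, filler
    (80, True), (90, False), (99, True),   # row 1: "PASSWORD:" label, 8-byte input, filler
])


def well_behaved_terminal():
    return check_inbound(LOGON_SCREEN, [(9, b"IBMUSER "), (91, b"SECRET  ")])


def misbehaving_terminal():
    # Overwrites the USERID label and spills 20 bytes into the 8-byte input field.
    return check_inbound(LOGON_SCREEN, [(1, b"OWNED  "), (9, b"A" * 20)])
```
    Each violation string corresponds to an event on which VTAM would apply the configured action (log, trace, sense code, or session termination).
    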

  • AT-TLS enablement for DCAS - The Digital Certificate Access Server (DCAS) is enhanced to use Application Transparent Transport Layer Security (AT-TLS). To use TLSv1.2 to secure the connection, you must define AT-TLS policies for the DCAS. The Configuration Assistant for z/OS Communications Server provides a default AT-TLS policy to simplify defining the AT-TLS policy for DCAS.

    Migrate to AT-TLS to allow the DCAS to use the latest support for SSL/TLS. Configuring TLS/SSL by using the DCAS configuration file is supported, but such support is deprecated and will no longer be enhanced.

    Dependency: The Policy Agent must be active.

    When change was introduced: z/OS V2R2.

  • Network security enhancements for SNMP - The SNMP Agent, the z/OS UNIX snmp command, and the SNMP manager API are enhanced to support the Advanced Encryption Standard (AES) 128-bit cipher algorithm as an SNMPv3 privacy protocol for encryption. The AES 128-bit cipher algorithm is a stronger encryption protocol than the current Data Encryption Standard (DES) 56-bit algorithm. AES is a symmetric cipher algorithm that the National Institute of Standards and Technology (NIST) selected to replace DES. RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model (USM), specifies that Cipher Feedback (CFB) mode is to be used with AES encryption. See Related protocol specifications in z/OS Communications Server: New Function Summary for information about accessing RFCs.
    Dependency: To use AES 128-bit encryption, the z/OS Integrated Cryptographic Services Facility (ICSF) must be configured and started.

    When change was introduced: z/OS V2R2.

  • TLS security enhancements for Policy Agent - Centralized Policy Agent is enabled to support TLSv1.1 and TLSv1.2 with a new set of 2-byte TLSv1.2-specific ciphers. In addition, the import services between the Policy Agent and IBM® Configuration Assistant for z/OS Communications Server allow user-defined AT-TLS policies to create a secure SSL connection.

    When change was introduced: z/OS V2R2.

  • TLS security enhancements for sendmail - z/OS UNIX sendmail is enabled to support TLSv1.1 and TLSv1.2 with a new set of 2-byte TLSv1.2-specific ciphers.

    When change was introduced: z/OS V2R2.

  • TCPIP profile IP security filter enhancements - The default IP filters as defined in the TCP/IP profile data set are enhanced to support traffic direction specifications, address ranges, port ranges, ranges on relevant type and code values, and MIPv6 and Opaque protocol types.

    When change was introduced: z/OS V2R2

  • AT-TLS certificate processing enhancements - Application Transparent TLS (AT-TLS) is enhanced to support the following features that System SSL provides.
    • RFC 5280 PKIX certificate and CRL profile. With this support, you can perform certificate validation according to RFC 5280.
    • Enhanced certificate revocation capabilities:
      • Retrieval of revocation information through the Online Certificate Status Protocol (OCSP)
      • Retrieval of Certificate Revocation Lists (CRLs) over HTTP
      • More flexible processing of CRLs through LDAP

    When change was introduced: z/OS V2R2

  • Simplified access permissions to ICSF cryptographic functions for IPSec - In prior releases, network applications that send or receive IPSec-protected traffic had to be permitted to certain SAF resource profiles in the CSFSERV class when protection of the ICSF cryptographic operations was requested. This requirement is eliminated. You are no longer required to permit all network applications that send or receive IPSec-protected traffic to the relevant SAF resources in the CSFSERV class. Only the user ID that is associated with the TCP/IP stack must be permitted to the SAF resource profiles.

    When change was introduced: z/OS V2R2

  • TLS session reuse support for FTP and AT-TLS applications (AT-TLS) - The SIOCTTLSCTL ioctl system call is enhanced to perform the following actions:
    • AT-TLS applications can retrieve the session ID for the secure socket.
    • AT-TLS applications can request that a session is reused on a socket by retrieving and setting the session token.

    When change was introduced: z/OS V2R2

  • TLS session reuse support for FTP and AT-TLS applications (FTP) - FTP is enhanced to support SSL session reuse. When using native SSL or AT-TLS, z/OS FTP supports reusing the SSL session ID of the control connection or a previous data connection on the subsequent data connections within an FTP session without port binding.

    When change was introduced: z/OS V2R2

Reference information: See the following topics in z/OS Communications Server: New Function Summary for detailed descriptions that include any applicable restrictions, dependencies, and steps on using the functions:
  • IBM zERT Network Analyzer
  • z/OS Encryption Readiness Technology (zERT) aggregation
  • TN3270E Telnet server ELF support for MFA
  • AT-TLS currency with system SSL
  • z/OS Encryption Readiness Technology (zERT)
  • IBM Health Checker for z/OS FTP ANONYMOUS JES
  • IBM Health Checker for z/OS MVRSHD RHOSTS DATA
  • IBM Health Checker for z/OS SNMP agent public community name
  • IBM Health Checker for z/OS SMTPD MAIL RELAY
  • SMF 119 TCP connection termination record (subtype 2) enhanced to provide IP filter information
  • VTAM 3270 intrusion detection services
  • AT-TLS enablement for DCAS
  • Network security enhancements for SNMP
  • TLS security enhancements for Policy Agent
  • TLS security enhancements for sendmail
  • TCPIP profile IP security filter enhancements
  • AT-TLS certificate processing enhancements
  • Simplified access permissions to ICSF cryptographic functions for IPSec
  • TLS session reuse support for FTP and AT-TLS applications (AT-TLS)
  • TLS session reuse support for FTP and AT-TLS applications (FTP)