16-A AS400 architecture & security - kuyperkuypers.nl

Post on 18-Apr-2018


Page 1: 16-A AS400 architecture & security - kuyperkuypers.nl · • Ernst & Young “Technical reference series: Audit, Control and Security of the IBM AS/400” (1994) (description,

1

Leen van Rij

kpmg IRM

Vrije Universiteit Amsterdam

31 March 2003

File 16-A AS400 architecture & security © 2003

PART 16-A

AS/400 ARCHITECTURE & SECURITY

AS/400 architecture & security 2

LvR/VU MAR/2003

Contents

CONTENTS
• History
• Architecture
• Application and Operating System/400 (AS/400 and OS/400)
• Physical security levels
• Logical security levels
• Object management
• Security implementation
• Special security feature
• Auditing (Part X. Only for the AS/400 auditor)

Note: AS/400 = hardware, OS/400 = operating system


Slide 3: Contents ...

CONTENTS (detailed)

• Literature
• Highlights
• History
• Architecture
• Communication support
• Machine Interface AS/400
• Database System
• Integrated File System
• Single level storage
• Object oriented
• Object types
• Physical security
• Logical security levels
• Integrity checking
• Special authorizations
• User classes
• Pre-defined user profiles
• User profile
• Group profile
• Group structure
• Object header authority
• Object data authority
• Object authority grouping
• Public authorization
• Private authority
• Authorization list
• Authorization check flow
• Adopted security
• Dedicated service tools
• Journaling
• Security definition interface

ONLY FOR THE AS/400 AUDITOR:
• Limited users
• Library security
• Physical versus logical file security
• Authority holder
• Adopted security
• Journaling

Slide 4: Optional literature

OPTIONAL LITERATURE

• IBM “AS/400 System Concepts”

• IBM “AS/400 Security Concepts & Planning”

• IBM “AS/400 Guide to enabling C2 security”

• IBM “Application System/400 Technology”

• Ernst & Young “A practical approach to logical access control” McGraw-Hill (1993) (see chapter “AS/400 access control”)

• Ernst & Young “Technical reference series: Audit, Control and Security of the IBM AS/400” (1994) (description, control objectives, audit questions)

• Fred de Koning e.a. “Beveiliging en controle in een AS/400-omgeving” Paardekooper & Hoffman (1995)


Slide 5: Optional literature . . .

STRUCTURE OF: Ernst & Young AS/400 Audit Reference

• Overview
• Hardware
• Software
• Logical access path
• Utilities
• Backup and Recovery
• Objects
• Libraries
• Initial menus and programs
• System security
  » system keylock
  » system values
  » authorities
  » user and group profiles
  » authorization lists
  » etc.
• Procedural and administrative controls
• Control Concerns
• Examples

Slide 6: Security topology

TOPOLOGY OF SECURITY LAYERS (figure). Labels in the figure: Network security; Security in system/service; Security in application; Operating system; Hardware; Access control; DATA; Trusted Computing Base (TCB - certified using US Department of Defense standards); Computing center staff; Physical security of the computing center; End user; ‘Front door’; Measures depend upon security objectives and the enterprise’s security strategy

Note: The security measures in the network, services and applications may use the ‘Access Control’ in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.


Slide 7: Access path within AS/400 (MEY model)

ACCESS PATH WITHIN AS/400 (MEY model) (figure): end users and MIS personnel reach the DATA through a chain of controls inside OS/400, all of them under object security: OS/400 communication functions, user profiles, initial menu, command processors, application software and tools & utilities, and the OS/400 data base management functions.

AS/400 model, see Ernst & Young book on logical access control

Slide 8: Highlights

HIGHLIGHTS FOR THE EDP AUDITOR

1. Appropriate security levels active

2. Identification, Authentication (User and Group profiles)

3. Special Authorizations

4. Public and Specific Authorization (including Authorization list)

5. Dedicated Service Tools

6. Journaling


Slide 9: History of AS/400

HISTORY OF APPLICATION SYSTEM/400 (AS/400) (timeline figure)

1974: System/34
1978: System/38 (Data Base included in OS)
1982: System/36
1987: AS/400
1995: PowerPC AS/400 (AS/400-Y10)

Slide 10: Architecture AS/400

ARCHITECTURE AS/400 (figure): the system processor and main storage are attached through Bus Control Units (BCU) and Bus Extension Units (BEU) to I/O Bus Units (IOBU), which connect the display stations, DASD, communication lines and printers.

DASD = Direct Access Storage Device (disks)
BCU = Bus Control Unit
IOBU = I/O Bus Unit (Communication Controller)
BEU = Bus Extension Unit


Slide 11: Architecture AS/400 ...

ARCHITECTURE

• Until 1995, the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture

• The system processor had a 32 bit data path and a 48 bit addressing structure to address 281 Tera bytes

• The addressing architecture is designed to handle 64 bit addressing, which is fully implemented in the newer systems using the PowerPC architecture

Slide 12: Communication protocols

PHYSICAL CONNECTION PROTOCOLS
For communication purposes AS/400 supports on the physical layer a variety of data link and network protocols. A standard port is used for
• ECS (Electronic Customer Support)
Optional adapters support the protocols
• ASYNC (ASYNChronous)
• BSC (Binary Synchronous Communication)
• SDLC (Synchronous Data Link Control)
• X.21, X.25, X.31, V.24, V.35 and V.36
• ISDN (Integrated Services Digital Network)
• Twinaxial Data Link Control
• Ethernet
• Token-ring
• FDDI (Fiber Distributed Data Interface)
• Wireless LAN
• Fax (V.34)

Layer model (figure, repeated on the next two slides): Terminal / Application = End user; Transaction Services; Presentation Services; Data Flow Control; Transmission Control; Path Control; Data Link Control; Physical Control. The lowest layers form the physical connection, the layers above them the logical connection.


Slide 13: Communication protocols ...

NETWORK PROTOCOLS
To manage network access AS/400 supports the most common available network protocols.

• Asynchronous
• Binary Synchronous Communications (BSC)
• Systems Network Architecture (SNA)
• Advanced Peer-to-Peer Networking (APPN)
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• Open Systems Interconnection (OSI)
• Multiprotocol Transport Networking (MPTN)


Slide 14: Communication protocols ...

APPLICATION COMMUNICATION PROTOCOLS
To enable applications to use communication, AS/400 supports call interfaces like

• Advanced Program-to-Program Communications (APPC)
• SNA Distribution Services (SNADS)
• Distributed Remote Data Access
• Open Systems Interconnection (OSI)
• Object Distribution Facility (ODF)
• Client Access/400
• Transmission Control Protocol (TCP)
• File Transfer Protocol (FTP)
• Simple Mail Transfer Protocol (SMTP)
• Simple Network Management Protocol (SNMP)
• User Datagram Protocol (UDP)
• Line Printer Requester/Line Printer Daemon Protocol
• TELNET



Slide 15: Machine interface AS/400

MACHINE INTERFACE AS/400 (figure): applications, compilers and utilities run on Operating System/400 (OS/400); below OS/400 lies the machine interface, and below that the Vertical Micro Code, the Horizontal Micro Code and the hardware, which together form the high-level machine.

Slide 16: Machine interface AS/400 ...

MACHINE INTERFACE AS/400

• The AS/400 is a layered architecture machine

• To use the hardware only high-level machine instructions are available

• The high level machine instructions are understood by the VERTICAL MICROCODE layer and translated to basic machine instructions

• The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and transferred to the hardware

• The hardware layer executes the instruction

• The Vertical and Horizontal Micro Code layer together with the hardware is called the HIGH-LEVEL MACHINE

• With the PowerPC architecture there is only one layer of microcode to implement the machine interface.


Slide 17: Machine interface AS/400 ...

TRADITIONAL OPERATING SYSTEM versus OPERATING SYSTEM/400 (OS/400) (figure): in a traditional system the operating system implements task management, resource management, storage management, database management, security management etc. on top of the traditional hardware and its machine interface. In the AS/400 the hardware layer (machine interface) itself provides task management, resource management, storage management, data access, database management, security management etc., and OS/400 sits on top of that.

The three machine layers, called the high-level machine, also provide many functions normally implemented in the Operating System

Note: Implementing functions in micro code benefits the system’s performance

Slide 18: Database system

INTEGRATED DATABASE SYSTEM
AS/400 has an integrated Database management system. It is a BASE feature of the AS/400
• Within AS/400 Database access is only allowed by ONE Application Programming Interface (API).
• Access security is enforced by this interface and there is no redundant access control mechanism available. There is only one focal point for access control
• The Database is designed on two concepts
  – The physical files, containing the data
  – The logical files give the possibility to define an alternate view to the data records and fields
  The user, when authorized, can access the data directly from the physical file or through the logical file
• The AS/400 Database system is also used as physical storage by the product Data Base 2 (DB2/400), which extends the Data Base features


Slide 19: Database system ...

INTEGRATED DATABASE SYSTEM

The AS/400 system can be used as a Database server. To connect to the AS/400 Database, protocols from different vendors are supported. These protocols are

• Open Database Connectivity (ODBC) from Microsoft
• Data Access Language (DAL) from Apple
• System Query Language Connect (SQL CON) from Oracle
• Distributed Relational Database Architecture (DRDA) from IBM

(figure: System A and System B reaching Database X and Database Y on the AS/400)

Slide 20: Integrated File System

INTEGRATED FILE SYSTEM (IFS)

To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry standard APIs to the stream file system and the hierarchical directory. The file access protocols which are supported by AS/400 are:

• Root file system: OS/2, DOS and Windows NT compatible
• QOpenSys file system: POSIX, XPG, UNIX compatible
• QLANSrv file system: OS/2 LAN Manager compatible

(figure: File system X and File system Y served by the AS/400)


Slide 21: Single level storage

DIFFERENT ARCHITECTURE (figure)

OS/390: traditional mainframe with an address space (2 GB) per user and separate data sets on disks (DASD)

AS/400 - OS/400: everything in one virtual address space of 2^64 bytes = 16.000.000 Tera bytes; objects (program, screen, “data”) all live in that one space

Slide 22: Single level storage ...

SINGLE LEVEL STORAGE
AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN and AUXILIARY storage appear contiguous to an end user and an application

(figure: the system processor works on MAIN STORAGE; AUXILIARY STORAGE on DASD; paging between the two; one virtual address space, kept by VAT and DIR)

VAT = Virtual Address Translation
DIR = Directory used by VAT to keep track of virtual storage contents
Note: When data or instructions are needed for execution by the system processor they are brought into main storage. When there is a shortage of main storage the data and/or instructions not needed anymore are transferred back to auxiliary storage on DASD


Slide 23: Single level storage ...

AS/400 single-level storage gives the ability to have data storage independent of device types. All data including programs, source, data, databases etc. are mapped into this single virtual address space

AS/400 VIRTUAL ADDRESS SPACE (figure): objects such as Program A123, Data 5RF, Command AB6, Menu 567, Menu 765, Command UY, Queue, Program A143, Program XG63, Data GFHJ, etc. etc. etc. till maximum space

Slide 24: Object oriented

OBJECT ORIENTED DESIGN

Definition: Everything on the system that can be stored or retrieved is contained in an object

The high level machine is designed to treat everything the same through the use of a generic object structure

General object structure (figure): OBJECT HEADER (Control Information: object type, owner, public authority, etc.) and FUNCTIONAL OBJECT (data, e.g. data records, programs, sources, etc.)


Slide 25: Object types

OBJECT TYPES

To store information in the AS/400 system 73 different types of objects are defined, e.g.

Type                  Contents
• Library             − object names (like a directory)
• Data                − data records (database records)
• Program             − executable programs
• Source              − source of programs like COBOL, Pascal, C etc.
• User profile        − userid descriptions and privileges
• Journal             − logging records
• Job queue           − jobs to handle
• Output queue        − output from jobs
• Device description  − device parameters
• Job description     − job control language

Slide 26: Object administration

OBJECT ADMINISTRATION (figure): LIBRARY 1 contains OBJECT X, OBJECT Y and OBJECT Z, where OBJECT Y consists of MEMBER A, MEMBER B and MEMBER C; LIBRARY 2 contains OBJECT X, OBJECT K, OBJECT L and OBJECT M. The libraries (LIBRARY 1, LIBRARY 2, LIBRARY 3) are themselves registered in QSYS, where the object search starts (START OBJECT SEARCH). Further figure label: DATABASE


Slide 27: Physical security

KEYLOCK SWITCH
On the front panel of the AS/400, with a physical key (to be stored safely). Positions: Normal, Manual, Auto, Secure

Keylock    Power down   Remote or    Main switch   Attended
position   command      timed IPL    IPL           IPL
SECURE     YES          NO           NO            NO
AUTO       YES          YES          NO            NO
NORMAL     YES          YES          YES           NO
MANUAL     YES          NO           YES           YES

Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools)

Slide 28: Logical security levels

LOGICAL SECURITY LEVELS

AS/400 is designed to activate different levels of security. The levels are controlled by setting the system parameter ∗QSECURITY(xx)

• 10 - no security

• 20 - userid and password checking

• 30 - object authorization verification

• 40 - application must use AS/400 call interface

• 50 - DoD C2 security

Note: to guarantee data integrity, at least the system parameter *QSECURITY(30) must be set by the Security administrator prior to user access to the system


Slide 29: Logical security levels ...

DESCRIPTION OF SECURITY LEVELS

• 10 - No security level at all. A user profile will automatically be defined when a user signs on

• 20 - User profile and password must be defined prior to sign on

• 30 - Like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate access authority to use the resources.

• 40 - Like 30, but the machine interface cannot be used directly by the programs. It can only be used through the AS/400 call interface. All access is controlled/checked by AS/400. Journalling must be active so reports can be created

• 50 - Extends level 40 to meet the DoD C2 classification. The users are only allowed to access their own objects through the AS/400 defined Application Programming Interface (API). Bypassing journalling of an object access is no longer possible

Slide 30: Integrity checking

INTEGRITY CHECKING

ISOLATION: AS/400 has system state and user state programs

Security level = 10, 20 and 30
• user and system programs can freely interact with the high-level machine

Security level = 40
• the APIs (Application Program Interface) must be used by a user program to interact with a system program

Security level = 50
• the APIs must also be used by a user program to interact with another user program


Slide 31: Integrity checking ...

INTEGRITY CHECKING (figure)

System State Domain to System State Domain: no integrity problem

User State Domain to System State Domain: integrity problem
• integrity problem when not checked
• API must be used with level 40

User State Domain to User State Domain:
• intentionally no problem
• no journalling of activities
• level 50 enforces use of API in the user domain

Slide 32: Special authorizations

SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system wide authority scope. When a user is defined with a special authorization he/she is able to do

PRIVILEGE      AUTHORIZED TO DO
• ∗ALLOBJ      − access every system resource
• ∗SECADM      − create / change user profiles
• ∗SAVSYS      − save / restore
• ∗JOBCTL      − manipulate jobs on the system
• ∗SPLCTL      − all spool functions
• ∗SERVICE     − service functions
• ∗AUDIT       − audit related functions
• ∗IOSYSCFG    − change system configuration


Slide 33: User classes

USER CLASSES (figure): the user classes ∗SECOFR, ∗SECADM, ∗SYSOPR and ∗PGMR shown as groupings of the special authorities ∗ALLOBJ, ∗SECADM, ∗SAVSYS, ∗JOBCTL, ∗SPLCTL, ∗SERVICE and ∗IOSYSCFG (the exact assignment is in the table on the next slide)

Slide 34: User classes . . .

USER CLASSES
Special authorities can be grouped together. This grouping is called a USER CLASS

authority \ class   ∗SECOFR   ∗SECADM   ∗SYSOPR   ∗PGMR    ∗USER
∗ALLOBJ             ∗         10/20     10/20     10/20    10/20
∗SECADM             ∗         ∗
∗SAVSYS             ∗         ∗         ∗         ∗        10/20
∗JOBCTL             ∗         ∗         ∗         ∗
∗SPLCTL             ∗
∗SERVICE            ∗
∗IOSYSCFG           ∗

Note: 10/20 refers to security levels 10 and 20. When one of these is active, the ∗ALLOBJ authority is assigned to these classes automatically. The ∗ refers to security levels 30, 40 and 50


Slide 35: Pre-defined user profiles

PRE-DEFINED USER PROFILES

When AS/400 is installed, there are 6 predefined user profiles available to access the system. They are used to create other user profiles to access the system. The 6 default userids are

• QSECOFR
• QPGMR
• QSYSOPR
• QSRV
• QSRVBAS
• QUSER

Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids

Slide 36: User profile

USER PROFILE
With security level 20 or higher, the user can only access the system if there is a user profile defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile may be

• Userid
• Password
• User class
• Password expiration
• Group name (up to 16 groups)
• Special authority
• Initial program
• Accounting code
• Initial menu
• Limited capability
• Current library

( Note: This is only a partial content )

USER PROFILE (is an object) (figure)


Slide 37: Authentication

AUTHENTICATION
System wide password syntax options
• QPWDMINLEN minimum length of password
• QPWDMAXLEN maximum length (up to 10 characters)
• QPWDRQDDIF new password must differ from 32 previous
• QPWDLMTCHR specify up to 10 characters not allowed for password
• QPWDPOSDIF character in new must be different from character in same position in old
• QPWDLMTREP characters may not be used more than once
• QPWDLMTAJC numbers 0 to 9 not next to one another
• QPWDVLDPGM use password syntax checker
• QPWDRQDDGT at least one numeric
Other system wide password options
• QPWDEXPITV maximum number of days the password is valid
• QMAXSIGN maximum number of unsuccessful sign-on attempts
• QDSPSGNINF display date/time of last sign-on etc. after successful sign-on
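As an added illustration (not part of the slides and not IBM code), the following Python models the QPWD* syntax options listed above as one validation routine of the kind a QPWDVLDPGM password syntax checker would perform. The rule values in PasswordRules are constructed sample settings rather than IBM defaults, and comparing passwords case-insensitively is an assumption about the classic OS/400 password format.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class PasswordRules:
    """Sample settings for the QPWD* system values named on the slide.
    Constructed example values, not IBM shipped defaults."""
    qpwdminlen: int = 6        # minimum length of password
    qpwdmaxlen: int = 10       # maximum length (up to 10 characters)
    qpwdrqddgt: bool = True    # at least one numeric character required
    qpwdlmtchr: str = "AEIOU"  # up to 10 characters not allowed anywhere in the password
    qpwdlmtrep: bool = True    # a character may not be used more than once
    qpwdlmtajc: bool = True    # digits 0 to 9 may not be next to one another
    qpwdposdif: bool = True    # each position must differ from the old password
    qpwdrqddif: int = 32       # must differ from this many previous passwords


DEFAULT_RULES = PasswordRules()


def check_password(new: str, old: str, history: Sequence[str],
                   rules: PasswordRules = DEFAULT_RULES) -> List[str]:
    """Return the names of the system values the new password violates.

    An empty list means the password passes every syntax check.
    Assumption: classic OS/400 passwords are not case sensitive, so all
    comparisons are made on the uppercased strings.
    """
    new, old = new.upper(), old.upper()
    failures: List[str] = []

    if len(new) < rules.qpwdminlen:
        failures.append("QPWDMINLEN")
    if len(new) > rules.qpwdmaxlen:
        failures.append("QPWDMAXLEN")
    if rules.qpwdrqddgt and not any(c.isdigit() for c in new):
        failures.append("QPWDRQDDGT")
    if any(c in rules.qpwdlmtchr for c in new):
        failures.append("QPWDLMTCHR")
    if rules.qpwdlmtrep and len(set(new)) != len(new):
        failures.append("QPWDLMTREP")
    if rules.qpwdlmtajc and any(a.isdigit() and b.isdigit()
                                for a, b in zip(new, new[1:])):
        failures.append("QPWDLMTAJC")
    if rules.qpwdposdif and any(a == b for a, b in zip(new, old)):
        failures.append("QPWDPOSDIF")
    # QPWDRQDDIF: the current password plus the most recent N from the history
    recent = ([p.upper() for p in history[-rules.qpwdrqddif:]]
              if rules.qpwdrqddif > 0 else [])
    if new == old or new in recent:
        failures.append("QPWDRQDDIF")
    return failures
```

Each entry in the returned list names the system value that would reject the password, so the same routine can also be used to report to an auditor which settings actually bite on a given password set.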

Slide 38: Group profile

GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile may be

• Userid (is groupname)
• Password (∗NONE)
• User class (class for group)
• Password expiration (not relevant)
• Group (∗NONE)
• Special authority (for group)
• Initial program (not relevant)
• Accounting code (not relevant)
• Initial menu (not relevant)
• Limited capability (not relevant)
• Current library (not relevant)

( Note: This is only a partial contents )

GROUP PROFILE (is an object) (figure)


Slide 39: Group structure

GROUP STRUCTURE

• The groups are independent definitions and do not have any relation to one another

• A user can be a member of maximum 16 groups

(figure: group profiles GROUP A and GROUP B; user profiles USER A1 with Group=A, USER A2 with Group=A,B, USER B1 with Group=B and USER B2 with Group=B)

Slide 40: Object header authority

OBJECT HEADER AUTHORITY

AS/400 is object oriented: all stored information is contained in an object (figure: HEADER and functional data). There are 3 authority levels to control the header information. This authority is specific for every user-object combination. The user may have

AUTHORITY      ACCESS RIGHTS to HEADER
• ∗OBJOPR      − use/look at the object information
• ∗OBJMGT      − grant other users the use of the object
• ∗OBJEXIST    − totally control the object


Slide 41: Object data authority

OBJECT DATA AUTHORITY

Prior to accessing the contents of the object, the user must have at least ∗OBJOPR authority to the object. If so, data access can be controlled with five different levels

AUTHORITY      ACCESS RIGHTS to FUNCTIONAL DATA
• ∗READ        - Read the entries of the functional data
• ∗ADD         - Add entries to the functional data
• ∗UPD         - Update entries of the functional data
• ∗DLT         - Delete entries of the functional data
• ∗EXECUTE     - Only execute the related program

(figure: header and FUNCTIONAL DATA of the object)

Slide 42: Object authority

OBJECT AUTHORITY

(figure: PUBLIC authority ∗OBJOPR on the header and ∗READ on the data; START SEARCH at the header)

To get access to the object the user needs at least access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.


Slide 43: Object authority grouping

OBJECT AUTHORITY GROUPING (figure): nested groupings ∗USE (∗OBJOPR and ∗READ), ∗CHANGE (∗USE plus ∗ADD, ∗UPD and ∗DLT) and ∗ALL (∗CHANGE plus ∗OBJMGT and ∗OBJEXIST)

Slide 44: Object authority grouping . . .

OBJECT AUTHORITY GROUPING
Object header and functional data access authorities can be grouped to system defined values, controlling the access to the object

Combination   Object authority                 Data authority
∗USE          ∗OBJOPR                          ∗READ
∗CHANGE       ∗OBJOPR                          ∗READ, ∗ADD, ∗UPD, ∗DLT
∗ALL          ∗OBJOPR, ∗OBJMGT, ∗OBJEXIST      ∗READ, ∗ADD, ∗UPD, ∗DLT
∗EXCLUDE      Access always denied
∗LIBCRTAUT    Access determined by the library where the object is registered
∗USER DEF     Combination defined by the user


Slide 45: Public authorization

PUBLIC AUTHORIZATION

When most of the users must have the same access authority to the object, this access authority is set into the object header. The authorization is called PUBLIC and is given to the object during creation

(figure: OBJECT HEADER with Object type, Owner and PUBLIC authority ∗USE; FUNCTIONAL DATA; All Users)

Note: In this example all users have read access to this object (∗USE includes ∗OBJOPR and ∗READ)

Slide 46: Private authority

PRIVATE AUTHORITY
When a specific user must have limited or higher access rights related to the public authority, the user’s access is administered in his/her user profile extension

(figure: USER PROFILE (is an object) of a Single User, consisting of the header, the user information, the list of owned objects and the LIST OF OBJECTS AUTHORIZED TO ACCESS WITH THE AUTHORITY, e.g. OBJEXAMPLE ∗CHANGE)

Note: When there is a private access definition for the object, lower than the public authority, it will be marked in the object header


Slide 47: Authorization list

AUTHORIZATION LIST

Another possibility to control access is to create an authorization list. This list will be created when there are users or groups with different access rights to a group of objects

An object can be connected to this authorization list

The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted

When another object is created and it needs the same authorization scheme this newly created object can be connected to the same list

Slide 48: Authorization list ...

AUTHORIZATION LIST CONTENTS
The authorization list by itself is also an object. The list is treated as every other object in the system

AUTHORIZATION LIST (is an object) (figure): a header followed by the entries
ANJA      ∗ALL
EDWIN     ∗CHANGE
RONALD    ∗USE
LEEN      ∗AUTLMGT
∗PUBLIC   ∗EXCLUDE

The example above shows a list which can be used by an object to control its access rights. A specific access control authorization called ∗AUTLMGT is also defined. This gives the user (or group) the ability to maintain this authorization list

Note: When the public authorization in the object specifies that the authorization list will be used, the entry ∗PUBLIC will give the public authorization


AUTHORIZATION LIST CONNECTION

When an object is created or changed, the authorization list can be specified. The architecture allows only ONE list per object.

[Diagram: object header: Object type / Owner / AUTHORIZATION LIST ABC / Public authority *AUTL; functional data. Authorization List ABC: ANJA *ALL, EDWIN *CHANGE, RONALD *USE, LEEN *AUTLMGT, *PUBLIC *EXCLUDE. Object authorizations are defined in Authorization List ABC.]

Note: In this example the public authority is now taken from the authorization list entry *PUBLIC.


AUTHORIZATION CHECK FLOW

Authorization check flow sequence:
1. Special authority of the user
2. Specific authority of the user
3. User on authorization list
4. Special authority of the group
5. Specific authority of the group
6. Group on authorization list
7. PUBLIC authority in object
8. PUBLIC on authorization list

AS/400 first looks whether the user has a special authority. If there is none, the next step is to look for a specific authority, and so on. As soon as any authorization definition for the object is found, the search stops.

This mechanism is called exclusive access control and is the opposite of accumulated access control.
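The consequence of the exclusive check is easy to get wrong when reviewing authorities: a private *EXCLUDE on the user beats a *USE entry on the authorization list, and a user's own private *USE beats the *CHANGE the user's group holds, because the first definition found ends the search. The following Python model is an added example, not code from the deck; it walks the eight steps in the order above over Authorization List ABC from the previous slides. The object PAYROLL, the group PAYGRP, the users KIM, SAM and GUEST, the treatment of "special authority" as granting *ALL, and the operation-to-authority mapping are all constructed for the demonstration.

```python
"""Model of the OS/400 authorization check flow (exclusive access control).

Added example: the first definition found in the eight-step order decides;
authorities from different sources are never added together.
"""
from dataclasses import dataclass, field
from typing import Optional

# Data authorities, weakest to strongest. *EXCLUDE is an explicit "no access" entry.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}
# Minimum authority an operation needs (simplified mapping assumed by this example).
NEEDS = {"read": "*USE", "update": "*CHANGE", "manage": "*ALL"}


@dataclass
class AuthList:
    name: str
    entries: dict                      # user, group or "*PUBLIC" -> authority


@dataclass
class Obj:
    name: str
    owner: str
    public: str                        # an authority, or "*AUTL" to take it from the list
    private: dict = field(default_factory=dict)   # user or group -> authority
    autl: Optional[AuthList] = None


@dataclass
class User:
    name: str
    group: Optional[str] = None        # group profile name, if any
    special: bool = False              # "special authority"; assumed here to grant *ALL


def _list_entry(obj, name):
    return obj.autl.entries.get(name) if obj.autl else None


def find_authority(user, obj, profiles):
    """Walk the eight steps of the slide; return (step, authority) of the first hit."""
    if user.special:                                        # 1. special authority of user
        return 1, "*ALL"
    if user.name in obj.private:                            # 2. specific authority of user
        return 2, obj.private[user.name]
    if (a := _list_entry(obj, user.name)) is not None:      # 3. user on authorization list
        return 3, a
    if user.group:
        grp = profiles.get(user.group)
        if grp and grp.special:                             # 4. special authority of group
            return 4, "*ALL"
        if user.group in obj.private:                       # 5. specific authority of group
            return 5, obj.private[user.group]
        if (a := _list_entry(obj, user.group)) is not None: # 6. group on authorization list
            return 6, a
    if obj.public != "*AUTL":                               # 7. PUBLIC authority in object
        return 7, obj.public
    if (a := _list_entry(obj, "*PUBLIC")) is not None:      # 8. PUBLIC on authorization list
        return 8, a
    return 0, "*EXCLUDE"                                    # nothing defined: no access


def is_allowed(user, obj, op, profiles):
    """True when the single authority found is enough for the operation."""
    _, auth = find_authority(user, obj, profiles)
    # *AUTLMGT governs maintaining the list itself, not the object's data,
    # so an entry like LEEN *AUTLMGT ranks as no data access here.
    return RANK.get(auth, 0) >= RANK[NEEDS[op]]


def build_example():
    """Authorization List ABC from the slide, one object tied to it, and some profiles.
    PAYROLL, PAYGRP, KIM, SAM, GUEST and the private entries are constructed."""
    abc = AuthList("ABC", {"ANJA": "*ALL", "EDWIN": "*CHANGE", "RONALD": "*USE",
                           "LEEN": "*AUTLMGT", "*PUBLIC": "*EXCLUDE"})
    payroll = Obj("PAYROLL", owner="ANJA", public="*AUTL", autl=abc,
                  private={"RONALD": "*EXCLUDE", "PAYGRP": "*CHANGE", "SAM": "*USE"})
    profiles = {n: User(n) for n in ("ANJA", "EDWIN", "RONALD", "LEEN", "PAYGRP", "GUEST")}
    profiles["KIM"] = User("KIM", group="PAYGRP")      # inherits the group's *CHANGE
    profiles["SAM"] = User("SAM", group="PAYGRP")      # own *USE found first: no update
    profiles["QSECOFR"] = User("QSECOFR", special=True)  # the security officer profile
    return profiles, payroll


if __name__ == "__main__":
    profiles, payroll = build_example()
    for name, u in profiles.items():
        step, auth = find_authority(u, payroll, profiles)
        print(f"{name:8} step {step} -> {auth:9} read={is_allowed(u, payroll, 'read', profiles)}")
```

Reading the output for RONALD and SAM shows the point of the slide: RONALD is on list ABC with *USE but his private *EXCLUDE is found at step 2 and the search stops, and SAM's private *USE (step 2) hides the *CHANGE his group holds (step 5), which KIM, who has no private entry, does receive. GUEST ends at step 8 with the list's *PUBLIC *EXCLUDE because the object's public authority is *AUTL.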


ADOPTED SECURITY

• AS/400 security allows a user to adopt the access authorization of the owner of a program
• When a user is allowed to execute a program owned by another user, the authority can be adopted
• The user then has the same access authority to the objects as the owner of the program

[Diagram: User A has *EXCLUDE for DATA B23 (direct access: not allowed!) and *USE for program BAS of user B; via program BAS access is allowed.]


ADOPTED SECURITY: an example

[Diagram: DATA B23, owner user B, public authority *EXCLUDE. PROGRAM BAS (adopting authority active), owner user B, public authority *USE.]

User A has
• *EXCLUDE for data B23
• *USE for program BAS

Note: In this example, user B has access authority *ALL to the object with data B23. User A can only access it through the program BAS.


ADOPTED SECURITY: another example

When a program is to allow adoption of the authority of the program owner, the program must be created with the command

CRTPGM PGM(B2S) USRPRF(*OWNER)

When program adoption is active, the authority is propagated to subsequently called programs.

[Diagram: User A has *USE for B2S; users A, B and X; DATA X24.]


User A has
• *USE for program B2S
• *EXCLUDE for data X24

[Diagram: PROGRAM B2S (owner user B) calls PROGRAM X2U (owner user X); PROGRAM X2U accesses DATA X24 (owner user X). PROGRAM X2U has ALSO *USE authority to DATA X24.]

Note: Adopted security is the only accumulated security within AS/400.


DEDICATED SERVICE TOOLS

Dedicated service tools are used to solve problems occurring in the licensed internal code and to work with disk configurations. To use these tools the system must be IPLed in attended mode with the key lock in position MANUAL. There are three levels of DST authorization:

• SECURITY: used by the security officer to do all DST functions and change the DST passwords
• FULL: to use all DST functions except changing the DST passwords
• BASIC: to use DST functions not affecting sensitive data

Note: The security officer must change the DST passwords after installing the system. With the CHGDSTPWD command the DST passwords can be reset.


JOURNALING

The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types.

[Diagram: an AS/400 security event flows into the journal, activated with the system value QAUDJRN (*JRN); the journal level is activated with system values, e.g. *AUTFAIL *PGMFAIL; the entries are written to the journal receiver USERRECV, defined by the security officer.]


SECURITY DEFINITION INTERFACE

Menu interface (started with GO SECURITY)

Command interface
CRTUSRPRF   Create user profile
CHGUSRPRF   Change user profile
DLTUSRPRF   Delete user profile
DSPUSRPRF   Display user profile
CHGPWD      Change password
DSPAUTUSR   Display authorized users
CHGPRF      Change profile (normal users)
WRKUSRPRF   Work with user profile

[Screen: Define User Profile, with the fields User Profile, Password, Password Expired, User Class, Current library, Initial Program, Initial Menu, and the ===> command line]


PART X

ADDITIONAL INFORMATION

ONLY FOR THE AS/400 AUDITOR


LIMITED USERS

Restrictions can be defined in the user profile, the so-called limited capability (LMTCPB).

Users can be prevented from changing the initial menu, the initial program and the current library. When a user signs on, the user profile definition may contain an initial menu to display or a program to execute. With limited capabilities = YES the signed-on user can only use this menu structure or only execute the defined program.

When a user is PARTIAL limited (also defined in the user profile) the user may change the main menu and is allowed to issue commands from the command line.


LIBRARY SECURITY

Libraries are used to administer the existence of objects. Libraries are also objects, and to find out that an object exists a user needs at least *USE access to the library in order to search for the objects described in it.

Give the objects in the library as high a public authority as necessary, and give the library itself the public authority *EXCLUDE.

Authority for the library must then be given to individual users.


LIBRARY SECURITY

[Diagram: LIBRARY A, owner user A, public authority *EXCLUDE, containing OBJECT A, OBJECT B, OBJECT C etc., each with public authority *USE to its DATA. USER B has *USE on the library; USER C is also shown.]


PHYSICAL VERSUS LOGICAL FILE SECURITY

A physical file, which contains the physical records, can be accessed directly by users or indirectly through a logical file definition. This logical file definition can give a different view of the physical data.

The physical file object P on the following slide cannot be accessed directly, because the user has no access to its header information.

By giving access to a logical file with a certain view of the physical data, a user gets access only to that part of the data.


PHYSICAL VERSUS LOGICAL FILE SECURITY

[Diagram: PHYSICAL FILE P with public authority *NONE: data description spec, records, fields, DATA. OBJECT L1: a logical file with public authority *OBJOPR whose data description spec covers the records and fields A and B of PHYSICAL FILE P. OBJECT L2: a logical file with public authority *CHANGE whose data description spec covers the records and fields X and Y of PHYSICAL FILE P.]


AUTHORITY HOLDER

AS/400 gives the opportunity to set up an object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It is connected to the object's data part when the data is created.

[Diagram: AUTHORITY HOLDER with public authority *USE: object header created in advance; DATA created in the future; connected when DATA is created.]



ADOPTED SECURITY: SEARCH SEQUENCE

The search for program A can be changed by the library sequence. When program B calls program A, program A is found in Library B.

If Library A is placed in front of Library B, program A is found in the other library, which can result in the execution of a controlled program and give unpredicted results such as a security breach.

[Diagram: search sequence 1: Library B (containing program A and program B) followed by Library A (containing program A). Search sequence 2: Library A (containing program A) followed by Library B (containing program A and program B).]


ADOPTED SECURITY

To eliminate the possibility of using the library sequence, the program call should supply the library name by using the 'qualified name' in the CALL command:

CALL PGM(B/A)          (library B, program A)

Program A will then only be taken from library B.

Another way to eliminate this security problem is not to call the program but to transfer control (TFRCTL) to program A.

With TFRCTL program A will not adopt the authorization of user B. This can only be done where it is appropriate for the program logic flow.
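The two slides above, together with the earlier USRPRF(*OWNER) example (programs B2S and X2U), describe three interacting rules: adopted authority accumulates and is carried into called programs, an unqualified CALL is resolved through the library list, and TFRCTL ends the transferring program so its adopted authority is not carried on. The Python simulation below is an added example, not the deck's code; it replays the deck's cases and shows which profiles' authority is in effect in each program reached. The library names LIBA, LIBB and LIBX, the owner of the look-alike program A in library A, the variants BQ (qualified CALL) and BT (TFRCTL) of program B, and user B's *USE on DATA X24 are all constructed assumptions.

```python
"""Simulation of adopted authority (USRPRF(*OWNER)) combined with library-list
program resolution. Added example; the library list, owners and variant programs
are constructed to replay the cases on the slides."""
from dataclasses import dataclass, field
from typing import Optional

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class Program:
    name: str
    library: str
    owner: str
    adopt_owner: bool = False       # created with CRTPGM ... USRPRF(*OWNER)
    # (target name, qualified library or None for the library list, use TFRCTL instead of CALL)
    calls: list = field(default_factory=list)


@dataclass
class Step:
    program: str                    # "LIB/NAME", or "?/NAME" when not found
    authority_as: frozenset         # profiles whose authority is in effect in that program


class Machine:
    def __init__(self, library_list, programs):
        self.library_list = list(library_list)
        self.programs = {(p.library, p.name): p for p in programs}

    def resolve(self, name, library=None) -> Optional[Program]:
        """Qualified name: that library only. Unqualified: first library in the list holding it."""
        if library is not None:
            return self.programs.get((library, name))
        for lib in self.library_list:
            if (lib, name) in self.programs:
                return self.programs[(lib, name)]
        return None

    def run(self, user, name, library=None, inherited=frozenset(), trace=None):
        """Run a program and everything it calls; record whose authority each one holds."""
        trace = [] if trace is None else trace
        prog = self.resolve(name, library)
        if prog is None:
            trace.append(Step(f"?/{name}", inherited | {user}))
            return trace
        # Adoption is the one accumulating mechanism: the caller's own profile plus
        # every owner adopted by a program that is still on the call stack.
        held = inherited | {user}
        if prog.adopt_owner:
            held = held | {prog.owner}
        trace.append(Step(f"{prog.library}/{prog.name}", frozenset(held)))
        for target, lib, tfrctl in prog.calls:
            # TFRCTL ends this program before the target starts, so what this program
            # adopted is not passed on; a CALL leaves it on the stack and passes it on.
            passed = inherited if tfrctl else held - {user}
            self.run(user, target, lib, frozenset(passed), trace)
        return trace


def best_authority(obj_private, public, held):
    """Highest authority any in-effect profile has on the object (adoption accumulates)."""
    return max((obj_private.get(u, public) for u in held), key=lambda a: RANK[a])


# DATA X24 from the slide: owner X, public *EXCLUDE; user B's *USE is constructed.
X24 = ({"X": "*ALL", "B": "*USE"}, "*EXCLUDE")


def scenarios():
    """Replay the deck's cases for user A; returns {case: (program reached, profiles in effect)}."""
    progs = [
        Program("B", "LIBB", "B", adopt_owner=True, calls=[("A", None, False)]),   # unqualified CALL
        Program("BQ", "LIBB", "B", adopt_owner=True, calls=[("A", "LIBB", False)]),  # CALL PGM(LIBB/A)
        Program("BT", "LIBB", "B", adopt_owner=True, calls=[("A", None, True)]),   # TFRCTL A
        Program("A", "LIBB", "B"),                 # the intended program A
        Program("A", "LIBA", "A"),                 # look-alike program A in library A (constructed)
        Program("B2S", "LIBB", "B", adopt_owner=True, calls=[("X2U", "LIBX", False)]),
        Program("X2U", "LIBX", "X"),
    ]
    cases = [("list B,A", ["LIBB", "LIBA"], "B"),
             ("list A,B", ["LIBA", "LIBB"], "B"),
             ("qualified", ["LIBA", "LIBB"], "BQ"),
             ("tfrctl", ["LIBA", "LIBB"], "BT"),
             ("b2s chain", ["LIBB", "LIBX"], "B2S")]
    out = {}
    for case, liblist, entry in cases:
        last = Machine(liblist, progs).run("A", entry)[-1]
        out[case] = (last.program, tuple(sorted(last.authority_as)))
    return out


if __name__ == "__main__":
    for case, (prog, held) in scenarios().items():
        print(f"{case:10} -> {prog:10} authority of {held}")
    print("A alone on X24:", best_authority(*X24, frozenset({"A"})))
    print("A via B2S/X2U: ", best_authority(*X24, frozenset({"A", "B"})))
```

With Library A first in the list, the unqualified CALL from program B lands in LIBA/A while user B's adopted authority is still in effect, which is the breach the slide warns about; the qualified CALL keeps the resolution in LIBB, and TFRCTL reaches LIBA/A with nothing but user A's own authority. The B2S chain shows the accumulation the deck describes: user A, who has *EXCLUDE on X24 directly, holds user B's *USE on it inside X2U.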


JOURNALING

To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary.

The journal receiver is the object that will hold the journal entries; it can be defined by the security officer using his/her own naming conventions.

The journal is created with the following commands:

CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(USERRECV)
QAUDJRN(*JRN)
QAUDLVL(*AUTFAIL *PGMFAIL)

To set the level of journaling the system value QAUDLVL must be set. Possible values are

*NONE, *AUTFAIL, *SAVRST, *DELETE, *SECURITY, *CREATE, *OBJMGT and *PGMFAIL
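Choosing *AUTFAIL in QAUDLVL only pays off if someone reads the authority-failure entries afterwards. The following Python example is added here and is not part of the deck; it runs a simple detection over constructed journal entries: a user who collects authority failures against several distinct objects within a few minutes is flagged, while a single isolated failure is not. The entry type code "AF" for an authority failure is taken from general knowledge of QAUDJRN and is not mentioned on the slides, and the flat (timestamp, type, user, object, library) record layout is a constructed simplification, not the real journal entry format.

```python
"""Detection over constructed QAUDJRN-style entries: bursts of authority failures.

Added example. Entry type "AF" (authority failure) is assumed from general
QAUDJRN knowledge; the record layout below is a simplified, constructed one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries: (timestamp, entry type, user profile, object, library).
ENTRIES = [
    ("2003-03-31 09:00:05", "AF", "RONALD", "PAYROLL", "PAYLIB"),
    ("2003-03-31 09:00:09", "AF", "RONALD", "SALARY", "PAYLIB"),
    ("2003-03-31 09:00:14", "AF", "RONALD", "BONUS", "PAYLIB"),
    ("2003-03-31 09:00:20", "AF", "RONALD", "PAYLIB", "QSYS"),     # the library object itself
    ("2003-03-31 09:15:00", "AF", "EDWIN", "PAYROLL", "PAYLIB"),
    ("2003-03-31 10:02:00", "CP", "QSECOFR", "KIM", "QSYS"),       # not an authority failure
    ("2003-03-31 10:30:00", "AF", "EDWIN", "PAYROLL", "PAYLIB"),
]


def parse(entry):
    """Turn one constructed record into (datetime, type, user, 'LIB/OBJECT')."""
    ts, typ, user, obj, lib = entry
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), typ, user, f"{lib}/{obj}"


def authority_failure_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` AF entries against distinct objects inside one window.

    Returns {user: sorted objects seen in the first window that crossed the threshold}.
    """
    by_user = defaultdict(list)
    for e in entries:
        ts, typ, user, qobj = parse(e)
        if typ == "AF":
            by_user[user].append((ts, qobj))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            objs = {q for _, q in events[start:end + 1]}
            if len(objs) >= threshold:
                flagged[user] = sorted(objs)
                break
    return flagged


if __name__ == "__main__":
    for user, objs in authority_failure_bursts(ENTRIES).items():
        print(f"{user}: {len(objs)} distinct objects refused within 5 minutes: {objs}")
```

On the sample data RONALD is reported after his third refused object, EDWIN is not, because his two failures lie more than an hour apart, and the CP entry is ignored since only AF entries are counted. The threshold and window are parameters so the same function can be tuned to a system's normal rate of authority failures.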