2010 app only access
DESCRIPTION
Security implementation based on granting access only while the user is inside the application, by either adoption or swapping of the user profile.
TRANSCRIPT
© Wayne O Evans Consulting 2010
AOA Application Only Access
1
Presented by
Wayne O. Evans
DISCLAIMER
The security recommendations and any programming source are offered "AS IS" for your consideration. Wayne O. Evans Consulting makes no warranties or representations as to the quality of the examples. ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE SPECIFICALLY DISCLAIMED.
REPRODUCTION
Permission is granted to make a limited number of copies of this material for non-commercial purposes, provided this page and the title page are included.
iSeries and OS/400 are registered trademarks, and Client Access Express a trademark, of the IBM corporation.
Webster's Dictionary
Hacker: "An expert at programming and solving problems with a computer."
Hackers do not always apply their expertise in appropriate ways.
(The clever are not always good.)
The HACKER is likely to be a curious employee within your company.
Curiosity is one of the permanent and certain characteristics of a vigorous mind.
You must take the initiative to protect your data from hackers.
Outline
• Introduction
• Application Only Access: General
• AOA Implementation
• Query Considerations
• Limitations
• Conclusion
Strategies to Protect Data
Close the Door: restrict the ways to access data
  Example: • Menu security • Exit programs
Resource Security: restrict access to production data (BEST)
  Example: • Object authority • Library authority
Close the Door
Strengths
• Easy to implement
• Widely used in OS/400
Limitations
• No protection outside of the application
• May miss a back door; new doors appear with each release
• Some doors have no locks
Resource Security
Strengths
• Protects from all methods of access
• Protection outside of the application
• The design will protect future interfaces
Limitations
• Not as easy to implement as menu security
• Potential performance considerations
Menu Security – 1980s
Fixed-function displays and workstation emulation reached the system only through menu security.
Menu security was effective when users had no other system access.
Today OS/400 has other ways to access data.
PC Adds Other Ways to Access Data
Exit programs can restrict requests from a PC.
• Workstation
• Messages
• Printer support
• Shared folders & documents
• Remote commands
• File transfer
• API – Data queue
• API – ODBC
• IFS
Exit Programs
1. The SOURCE system sends a request to the OS/400 TARGET system.
2. OS/400 calls the exit program named in the network attribute DDMACC (DDM requests) or PCSACC (PC Support/Client Access requests).
3. The user exit program looks at the request and sets a return code: 1 = accept the request, 0 = reject the request.
Network Access Adds Ways to Access Data
• Workstation pass-through
• DDM
• Submit remote command
• File access
• TCP/IP FTP
Exit programs can restrict some, but not ALL, network requests.
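An exit program of the kind the two slides above describe, written as an added example; it is not code from the original presentation. It is a CL program for the PCSACC (or DDMACC) network attribute that lets only users authorized to an assumed gate object AOALIB/DOWNLOAD download from an assumed production library PRODLIB, and refuses every upload, remote SQL and DDM request against that library. The library name AOALIB, the field offsets in the request structure (user at 1-10, application at 11-20, function at 21-30, object at 31-40, library at 41-50) and the application/function names *TFRFCL and EXTRACT for a transfer-function download are taken from the documented DDMACC/PCSACC request structure and should be checked against the Security Reference for your release. The exit gets control only for the interfaces it covers, so it is a second lock on the production door, not a replacement for object authority.

```cl
/* PCSEXIT: exit program named in the PCSACC (or DDMACC) network attribute.   */
/* Added example, not from the original presentation.  Field offsets follow   */
/* the documented DDMACC/PCSACC request structure (assumed; verify for your   */
/* release).  Install:                                                        */
/*   CRTCLPGM PGM(AOALIB/PCSEXIT) SRCFILE(AOALIB/QCLSRC) AUT(*EXCLUDE)        */
/*   CRTDTAARA DTAARA(AOALIB/DOWNLOAD) TYPE(*CHAR) LEN(1) AUT(*EXCLUDE)       */
/*   GRTOBJAUT OBJ(AOALIB/DOWNLOAD) OBJTYPE(*DTAARA) USER(GRPREAD1) AUT(*USE) */
/*   CHGNETA PCSACC(AOALIB/PCSEXIT) DDMACC(AOALIB/PCSEXIT)                    */
PGM PARM(&RTNCODE &REQUEST)
  DCL &RTNCODE  *CHAR 1        /* output: '1' = accept, '0' = reject         */
  DCL &REQUEST  *CHAR 72       /* fixed part of the request structure        */
  DCL &USER     *CHAR 10       /* positions  1-10  user profile              */
  DCL &APP      *CHAR 10       /* positions 11-20  application (*TFRFCL...)  */
  DCL &FUNCTION *CHAR 10       /* positions 21-30  requested function        */
  DCL &OBJ      *CHAR 10       /* positions 31-40  object name               */
  DCL &LIB      *CHAR 10       /* positions 41-50  library name              */
  DCL &PRODLIB  *CHAR 10 VALUE('PRODLIB')   /* assumed production library   */

  /* Fail closed: any unexpected error leaves the reject code in place.       */
  MONMSG MSGID(CPF0000) EXEC(GOTO END)
  CHGVAR &RTNCODE '0'

  CHGVAR &USER     %SST(&REQUEST  1 10)
  CHGVAR &APP      %SST(&REQUEST 11 10)
  CHGVAR &FUNCTION %SST(&REQUEST 21 10)
  CHGVAR &OBJ      %SST(&REQUEST 31 10)
  CHGVAR &LIB      %SST(&REQUEST 41 10)

  /* Requests that do not name the production library are left to object     */
  /* authority; the exit only adds a second lock on the production door.     */
  IF COND(&LIB *NE &PRODLIB) THEN(DO)
     CHGVAR &RTNCODE '1'
     GOTO END
  ENDDO

  /* Production library: a download (EXTRACT, the transfer-function download; */
  /* assumed name) is allowed only if the requesting user is authorized to    */
  /* the gate object, which is *PUBLIC *EXCLUDE with GRPREAD1 *USE.  Uploads, */
  /* remote SQL and DDM against production are refused for everyone.          */
  IF COND((&APP *EQ '*TFRFCL') *AND (&FUNCTION *EQ 'EXTRACT')) THEN(DO)
     CHKOBJ OBJ(AOALIB/DOWNLOAD) OBJTYPE(*DTAARA) AUT(*USE)
     MONMSG MSGID(CPF9802) EXEC(GOTO REJECT)     /* not authorized            */
     CHGVAR &RTNCODE '1'
     GOTO END
  ENDDO

  /* Rejected: leave a trail the operator and the auditor can see.            */
REJECT: SNDPGMMSG MSG('PCSACC rejected' *BCAT &APP *BCAT &FUNCTION *BCAT 'on' +
                      *BCAT &LIB *TCAT '/' *CAT &OBJ *BCAT 'for user' *BCAT &USER) +
                  TOMSGQ(QSYSOPR)
END: ENDPGM
```

The gate object is checked with CHKOBJ rather than by comparing the group name, so supplemental groups and private authorities count and the program itself adopts nothing. If the gate data area is missing, CPF9801 falls through to the program-level MONMSG and the request is refused, which is the safe direction.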
Network Access With No Exits
• ICF – program start requests
• User applications
• QY2FTML
• Remote database
• Some non-IBM ODBC drivers
CONCLUSION: Must use other controls.
Data Access Exposure
Potential loss of information:
DESTRUCTION: accidental or intentional deletion of data
MODIFICATION: changing of data content
DISCLOSURE: revealing data content
Security Implementation: Object Owner is Group Profile
End users are members of the Production Owner group profile, which owns the production data.
Users are authorized to: ➤ Delete ➤ Modify ➤ Display
This does not protect the data.
Security Implementation: JDE Example
The JDE profile owns the production data.
End users are members of the JDE group.
End users therefore share ownership of the production data and are authorized to Delete, Modify and Display it.
Menu Security
End users are limited to menus (1. xxxxx  2. xxxxx  3. xxxxx  Option __).
LMTCPB(*YES) prevents entry of commands.
• Some users may be authorized to enter commands.
• Client Access/400 users may be allowed to perform functions not on the application menu:
  • File transfer (upload and download)
  • Run CL commands
Security Implementation: *PUBLIC Authority *ALL
Production data with *PUBLIC *ALL: users are authorized to ➤ Delete ➤ Modify ➤ Display
This does not protect the data.
Selecting Level of Access
Object authority on production data:
• *ALL: users are authorized to ➤ Display ➤ Modify ➤ Delete. Does not protect the data.
• *CHANGE: users can read and change records (but not delete the file).
• *USE: users can read only.
• *EXCLUDE: no user access to the data (STOP).
Application Only Access
1. No user authority to the data: production data is *PUBLIC *EXCLUDE (STOP).
2. Selected users have access to application programs that adopt the needed authority from the program owner (GO).
Without Adopted Authority
PGM1 calls PGM2, which uses the PAYROLL and FILE_B files.
The user must be authorized to all objects required: PGM1, PGM2, PAYROLL and FILE_B.
Adopted Authority
Program adoption gives a user access while a program is running.
PGM1 adopts its OWNER. The program owner is authorized to PGM2, PAYROLL and FILE_B.
The user is authorized only to PGM1; the user is not authorized to the other objects, yet while PGM1 runs the owner's adopted authority is propagated to PGM2 and the files.
Adopted Authority
• Granting users authority to PAYROLL and FILE_B directly ➤ introduces potential exposure: QUERY, DFU and file transfer can then reach the files outside the application.
• Adopted authority eliminates the need to give users access: PGM1 reaches PAYROLL through adoption, while a QUERY over PAYROLL by the same user gets "Access denied".
Outline
• Introduction
• Application Only Access: General
• AOA Implementation
• Query Considerations
• Limitations
• Conclusion
Existing Implementation
End users are members of the Production Owner group profile that owns the production data.
Ownership allows users to ➤ Delete ➤ Modify ➤ Display
Existing Implementation
The initial program (INLPGM) in the user profile names the entry program for the application.
The application program controls the user's access to the production data.
How to Adopt Authority
CHGPGM PGM( ) USRPRF(*OWNER) turns an application program into one that adopts its owner.
LIMITATIONS
1. The program must be observable. Not true for some third-party applications.
2. Changing the program may invalidate your warranty.
Conclusion: Do not modify application programs.
How to Adopt Authority
Before: End User ➤ INLPGM(PGM1) ➤ PGM1 (application program)
After:  End User ➤ INLPGM(SHELL1) ➤ SHELL1 (adopts OWNER; CALL PGM1) ➤ PGM1 (application program)
1. Create a SHELL program that adopts.
2. Change the user profile initial program (INLPGM) to the shell.
Design Considerations
Interactive jobs
• Adopted authority gives the application access.
• Called programs get the adopted authority propagated.
Submitted jobs
• DO NOT get adopted authority: a batch program submitted from SHELL1 (which adopts OWNER and calls PGM1) runs without it and cannot reach the production data.
How to Adopt in Batch
The entry (first) program of the batch job can adopt and propagate adopted authority to the called programs.
There may be multiple entry programs.
Some installations solve the problem of finding the entry program by having every program adopt.
Shell Program for Batch
1. Create a shell program ADOPT1 that adopts its owner:
   PGM
   CALL QCMD
   ENDPGM
2. Restrict *PUBLIC access to the shell program and authorize selected users:
   *PUBLIC - *EXCLUDE
   GRPAPP1 - *USE
3. Change the routing entry of the batch subsystem description to call the shell program:
   Before:  Routing Entry  NBR 1  RTGDTA *ANY  PGM QCMD
   After:   Routing Entry  NBR 1  RTGDTA *ANY  PGM ADOPT1
Batch Considerations
QUESTION: How do I handle a mix of users, some of whom adopt different groups?
ANSWER: Create a routing program that CALLS programs that adopt different owners (Pgm1 adopts GRP1, Pgm2 adopts GRP2, Pgm3 adopts GRP3).
Batch Considerations
QUESTION: How does the routing program determine which program to call for a user?
ANSWER: The program checks the user's authority (CHKOBJ) to each adopting program before calling it.
Pgm1 (adopts GRP1): *PUBLIC - *EXCLUDE, GRP1 - *USE
Pgm2 (adopts GRP2): *PUBLIC - *EXCLUDE, GRP2 - *USE
Pgm3 (adopts GRP3): *PUBLIC - *EXCLUDE, GRP3 - *USE
QCMD:               *PUBLIC - *USE
Batch Considerations
AOA_QCMD1 (adopts GRP1):  PGM / CALL QCMD / ENDPGM     *PUBLIC - *EXCLUDE, GRP1 - *USE
  :
AOA_QCMDn (adopts GRPn):  PGM / CALL QCMD / ENDPGM     *PUBLIC - *EXCLUDE, GRPn - *USE
Subsystem Description routing entry:  NBR 1  RTGDTA *ANY  PGM AOA_QCMD
AOA_QCMD:
   PGM
   if user is authorized TFRCTL AOA_QCMD1
   :
   if user is authorized TFRCTL AOA_QCMDn
   TFRCTL QCMD
   ENDPGM
AOA_QCMD Program
/************************************************************/
/* Name: AOA_QCMD                                            */
/* Program used as a routing entry for the batch subsystem   */
/* This program transfers to programs that adopt             */
/* CHKOBJ is used to avoid logging any authority violations  */
/* (the shells are granted *USE, which includes *EXECUTE)    */
/************************************************************/
PGM
AOA_QCMD1: CHKOBJ OBJ(AOA_QCMD1) OBJTYPE(*PGM) AUT(*EXECUTE)
           MONMSG MSGID(CPF0000) EXEC(GOTO AOA_QCMD2)
           TFRCTL PGM(AOA_QCMD1)
AOA_QCMD2: RCVMSG MSGTYPE(*EXCP)
           CHKOBJ OBJ(AOA_QCMD2) OBJTYPE(*PGM) AUT(*EXECUTE)
           MONMSG MSGID(CPF0000) EXEC(GOTO AOA_QCMD3)
           TFRCTL PGM(AOA_QCMD2)
           /* repeated for each group */
AOA_QCMDn: RCVMSG MSGTYPE(*EXCP)
           CHKOBJ OBJ(AOA_QCMDn) OBJTYPE(*PGM) AUT(*EXECUTE)
           MONMSG MSGID(CPF0000) EXEC(GOTO QCMD)
           TFRCTL PGM(AOA_QCMDn)
QCMD:      RCVMSG MSGTYPE(*EXCP)
           TFRCTL PGM(QSYS/QCMD)
EXIT:      ENDPGM
An Alternative To Adoption
• Swap, Don't Adopt: replace adopted authority with a dynamic change of the group profile.
• Swap will replace the authority for a user.
• Adopt will add to the authority for a user.
Swap
• Swap is traditionally used to change the user profile for a job (User Profile ➤ SWAP ➤ Other User Profile).
• Swap can also be used to change the group profile (User Profile with GROUP ➤ SWAP ➤ User Profile with Other GROUP).
Should I Adopt or Swap?
Comparison of Techniques
Adopt
• Less performance: adopted authority is checked last.
• Requires two techniques: adopt in batch and interactive jobs, swap in server jobs.
• Adopt lasts for the invocation: easy to drop adopted access; automatic drop when the application ends.
Swap
• Better performance.
• Same solution in batch, interactive and server jobs.
• Swap lasts for the job.
• Can transfer created objects to the group profile automatically.
Comparison of Techniques
• Either technique works.
• Differences are minor: almost a tossup.
• Swap unless you need to drop the access.
Swap Group
/****************************************************/
/* SWAPGROUP -- Swap Group profile                   */
/* This program changes the group profile.           */
/* Swap the process to use the new group profile.    */
/*                                                   */
/* Installation instructions                         */
/* 1. Compile program                                */
/*    CRTCLPGM PGM(LIB/SWAPGROUP) SRCFILE( )         */
/*             USRPRF(*OWNER)                        */
/* 2. Change owner of the program to user QSECOFR.   */
/*    Adopted authority allows the program to swap   */
/*    user profiles without providing a password.    */
/*    CHGOBJOWN OBJ(LIB/SWAPGROUP) OBJTYPE(*PGM)     */
/*              NEWOWN(QSECOFR)                      */
/* 3. Create the lock object used to single-stream   */
/*    the swap, and keep the program *PUBLIC         */
/*    *EXCLUDE: anyone who can call it gets the      */
/*    group named in &NEWGROUP.                      */
/*    CRTDTAARA DTAARA(LIB/SWAP) TYPE(*CHAR) LEN(1)  */
/****************************************************/
PGM PARM(&NEWGROUP)
  DCL &NEWGROUP *CHAR 10
  DCL &OLDGROUP *CHAR 10
  DCL &USER     *CHAR 10
  DCL &STATUS   *CHAR 10
  DCL &HANDLE   *CHAR 12
  DCL VAR(&OK) TYPE(*CHAR) LEN(1) VALUE('1')
  RTVJOBA USER(&USER)
  /* single stream the job */
  ALCOBJ OBJ((LIB/SWAP *DTAARA *EXCL)) WAIT(500)
  RTVUSRPRF USRPRF(&USER) STATUS(&STATUS) GRPPRF(&OLDGROUP)
  /* *NOPWD needs an enabled profile; the handle captures the new group */
  CHGUSRPRF USRPRF(&USER) STATUS(*ENABLED) GRPPRF(&NEWGROUP)
  CALL PGM(QSYGETPH) PARM(&USER '*NOPWD' &HANDLE)
  MONMSG MSGID(CPF0000) EXEC(CHGVAR &OK '0')
  /* Always put the profile back, even if no handle was obtained, so the  */
  /* user never keeps the new group outside the application.              */
  CHGUSRPRF USRPRF(&USER) STATUS(&STATUS) GRPPRF(&OLDGROUP)
  DLCOBJ OBJ((LIB/SWAP *DTAARA *EXCL))
  IF COND(&OK *EQ '1') THEN(CALL PGM(QWTSETP) PARM(&HANDLE))
ENDPGM
Must single stream the job to prevent two jobs trying to swap the same profile at the same time.
Can library security be used to protect data?
What is Library Security?
1. Restrict access to the library: authorize the library to the users that should access the objects in it (GRPSALES - *USE, *PUBLIC - *EXCLUDE).
2. Leave *PUBLIC access on the objects in the library (files *PUBLIC - *CHANGE, programs *PUBLIC - *USE).
Easy to manage authority.
Library Security
Interactive: APP_LIB is *PUBLIC - *EXCLUDE.
1. The initial program can adopt the authority needed.
2. Add the library to the library list.
Problem with Batch Job Start
1. An interactive user running the application program (adopts OWNER) submits a batch job.
2. The batch job is placed on the JOBQ.
3. The batch job fails to start: "Not authorized to library". Why? The default for submitted jobs (SBMJOB INLLIBL(*CURRENT)) is to use the library list of the submitting job, the library is *PUBLIC *EXCLUDE, and the batch job has no adopted authority when its library list is resolved at job start.
Conclusion: Library security causes a problem in batch.
Attempt to Fix Batch Problem
To avoid the "not authorized" failure, authorize the group to the library: *PUBLIC - *EXCLUDE, GRPAPP1 - *USE, with the objects inside at *PUBLIC - *CHANGE.
The batch job will start.
What is wrong with this solution? Users in the group can now access the production data directly, which is just what we are trying to stop.
Cannot use library security; must secure the individual objects.
Secure Individual Objects
Solution:
1. Authorize *PUBLIC to the library (*PUBLIC - *USE), or exclude *PUBLIC and authorize the group (*PUBLIC - *EXCLUDE, GRPAPP1 - *USE).
2. Secure the individual objects in the production libraries: *PUBLIC - *USE or *EXCLUDE.
   *USE: read-only access is OK.
   *EXCLUDE: no access allowed outside the application.
How to Secure Objects: Owner and Primary Group Profile
For best performance:
1. Authorize the OWNER.
2. Optionally authorize a second profile using the PGP (Primary Group Profile) authority of the object. This is the read-only profile used by Query.
Owner:   OWNAPP1  - *ALL
PGP:     GRPREAD1 - *USE
Default: *PUBLIC  - *EXCLUDE
How to Secure Objects: Authorization Lists
LIBRARY authorization list: GRPREAD1 *USE, GRPREAD2 *USE, GRPPGMR *USE, *PUBLIC *EXCLUDE
When multiple users must be authorized to objects, authorization lists are recommended:
1. One location to secure multiple objects.
2. Can change the authority for open files.
Can I make these changes and still keep my system operational?
Yes, use the following process…
AOA Implementation
• Successful implementation takes time.
• Make changes gradually to avoid disruption of production.
Current: end users are members of the Production Owner group profile.
Target: end users are members of the GRP_APP1 group profile; OWN_APP1 is the production owner.
AOA Implementation
Current: end users remain members of the Production Owner group profile. No change to current users.
1. Change the *PUBLIC authority for production objects.
2. Create the new group profile GRP_APP1.
3. Create the programs used to swap/adopt.
4. Create a test user profile (TestUser).
AOA Implementation
5. Test the applications using the test profile (TestUser, a member of GRP_APP1).
6. Change one end user to the new group and the adopt/swap profiles.
7. Test the applications as that end user.
8. Change the remaining end users.
Outline
• Introduction
• Application Only Access: General
• AOA Implementation
• Query Considerations
• Limitations
• Conclusion
REQUIREMENTS
Query users are allowed READ-ONLY access.
REQUIREMENTS
Allow read-only access for QUERY. Why?
Production data is *EXCLUDE; the application program adopts OWNER; the Query user adopts read-only.
QUERY allows OUTFILE capability, with the potential of accidental modification of production data if the user is authorized to the production files.
Query Implementation
Do you want users running interactive queries?
1. The user selects the option for query.
2. Run a program that adopts read-only access.
3. Interactive queries work over the *EXCLUDE production data.
Batch Query Overview
1. The interactive user selects the option to run a query in batch.
2. A batch job is submitted for the RUNQRY command.
3. The batch job starts.
4. The RUNQRY command invokes its command processing program to run the query.
Batch Query Considerations
REQUIREMENT: "Allow read-only access for QUERY"
Two potential problems:
1. Batch queries get a "Not Authorized" message: SBMJOB from Query, production data *EXCLUDE, STOP.
2. If the batch routing program adopts OWNER, the batch query has read and write access.
Batch Query Considerations
Two problems to solve:
1. Adopt read-only access.
2. Prevent any adopted access that allows write.
Solution: write a shell program.
1. Adopt a user profile that has read-only access.
2. Create the shell program with attribute USEADPAUT(*NO), preventing use of previously adopted authority (DROP).
Query Implementation
As shipped by IBM: RUNQRY ➤ IBM batch QUERY.
Modification: RUNQRY ➤ a user program that adopts read-only and drops other adopted authority ➤ CALL IBM_CPP ➤ IBM batch QUERY.
➤ Create a new RUNQRY command to call a user program that adopts a profile with read-only access.
➤ Specify USEADPAUT(*NO) to prevent any other adopted authority.
Query Implementation
How to adopt in batch: the query can access the data using the adopted read-only access to production data. IT WORKS!!
What problem exists with this solution?
Security level 40-50 prevents use of internal system interfaces with state/domain protection: a user program cannot CALL the IBM command processing program (IBM_CPP) directly.
How to ADOPT at Level 40
Cannot CALL the IBM CPP at level 40 or 50 (STOP).
• Create an alternate RUNQRY command.
• Its shell program adopts read-only (and drops other adopted authority).
• Rebuild the RUNQRY command string.
• Execute the IBM QSYS/RUNQRY.
AOA Implementation
1. Create the library ALTQSYS (*PUBLIC - *USE).
2. Put the "new" RUNQRY command and its PGM (adopts read-only) in ALTQSYS.
3. Put ALTQSYS on the system library list before QSYS:
   CHGSYSVAL QSYSLIBL (ALTQSYS QSYS QUSRSYS…)
AOA Limitations
• Cannot adopt for PC-initiated jobs.
  If you start the router with the user profile of the production owner, the application works, but the user can use other interfaces to perform operations outside of the application.
• Difficult to distinguish a request from a valid PC application from an ad hoc request by a PC user (hacker).
AOA Limitations
How to get access to data: cannot adopt when a PC request starts the job (request ➤ PGM cannot adopt).
AOA Limitations
PROBLEM: How to get access to data… Cannot adopt when a PC request starts the job.
SOLUTION:
1. Use an exit program to swap to the OWNER profile.
2. Use stored procedures that can adopt.
Swap in Exit Program
The exit program, registered under the exit point's exit program name in the Registration Facility, calls QSYGETPH and QWTSETP, the APIs used to swap the user profile of the job: End User Profile ➤ SWAP ➤ Owner User Profile.
Comparison of Methods
Dynamic SQL request (ODBC ➤ SQL server job): SELECT ... against production data at *EXCLUDE ➤ STOP.
Stored procedure (ODBC ➤ server job ➤ CALL PGM): the SQLPKG adopts OWNER ➤ production data.
Creating the Stored Procedure
CRTSQLRPG PGM( ) SRCFILE( ) USRPRF(*OWNER) DYNUSRPRF(*OWNER)
The SQLPKG adopts OWNER: the authority is checked using the user profile of the application server job and the owner of the SQL package.
AOA Limitations
Is the request from a valid application or a hacker? The request looks the same from a PC program or from a hacker's ad hoc request.
This is an area where more IBM support could be added.
AOA Solution
Is the request from a valid application or a hacker?
SOLUTION (proposed):
1. Before starting the request, have the PC application send an encoded message to a data queue.
2. The exit program that swaps user profiles, or the SQL procedure, would receive from the data queue and verify the request.
Outline
• Introduction
• Application Only Access: General
• AOA Implementation
• Query Considerations
• Limitations
• Conclusion
Overview: Application Only Access
Security implementation strategy that restricts access to production data except for selected applications.
PC access, network access and other access ➤ STOP ➤ production data.
Overview: Application Only Access
Users are allowed to access production data when using authorized programs.
Programs adopt the authority of the data owner (USER ➤ GO ➤ application program, adopts OWNER ➤ production data).
Overview: Application Only Access
Production data and programs are owned by a user profile (OWN_APP1, the production owner) whose only purpose is to OWN objects.
The application programs adopt OWNER; the production data files are reached only through them.
Overview: Application Only Access
Users are members of group profiles (GRP_APP1). The group profiles are authorized to run the application programs that adopt the needed access for production data.
Application Only Access
• Uses OS/400 security.
• Protects data today (Client Access, command entry, network access).
• Protects data in the future.
• Can be integrated into existing menu security systems.
Application Only Access
• Can be used for existing applications:
  ➤ Little or no change to existing programs
  ➤ New shell programs
  ➤ No change to the user interface
• Has been used successfully in several OS/400 installations.
It takes time to convert an existing application.
• If you have additional questions or want more information please contact me!
Phone: (520) 578-7785 [email protected]
www.WOEvans-security.com
Estimation of Work Involved
• We are embarking on a project to set up Application Only security. Of course we have been put into a position where we need to estimate the amount of time it will take to implement the changes.
• I would need much more detail to do an estimate, but the following are some of the items that would affect an estimate. Here are some of the issues that will affect the amount of time.
Estimation of Work Involved
• Does management support the project, or are you going to have to justify each change?
  – YES, management supports the efforts and is willing to make some changes to business practices and operations.
  – NO, don't waste your company's time and your efforts.
Get full management support or find another task.
Estimation of Work Involved
• Are you already at security level 40?
  NO – get to security level 40 before starting.
• Do you have good security practices in place (help desk, change management)?
  NO – the project will be more difficult; add 10-50% to the estimate.
• Are objects currently owned by established owners?
  NO – when objects are owned by programmers and developers, add 50% to the final estimate.
Estimation of Work Involved
• Do you have object management software/tools to assist in security changes?
  – PentaSafe's PSSecure OAM tool performs tasks such as: change ownership of objects; change authority of objects; check for compliance to a "security model".
  NO – add 5-10 days to create simple tools.
  YES – do you know how to use the tools? (NO – add 1 day to learn the tools.)
Estimation of Work Involved
• How many vendor packages are you running?
  – All our software is home grown; we have source (this is the best situation; unless the software is a nightmare, changes can be done in 2 days).
  – Most users are running the same software with the same application owner group profile; one major software vendor like JDE, MAPICS, etc. (add 3 days to write simple shell programs).
  – Multiple vendors where users run one or more software packages and switch between them (add 2 days to sort out how to approach the implementation and 5 days for programs).
Estimation of Work Involved
• How well do you understand the security implementation of the existing software?
  – Add time to learn the application security design.
• Are your users running ODBC, IFS, or file transfer?
  – Add 2-4 days to write exit programs to swap group profiles.
  The design MUST use swap, because you cannot adopt in server applications.
Estimation of Work Involved
• Are users running query tools over production files?
  NO – are you sure? Can save 2-5 days.
  YES – the next question is important…
• How security sensitive is your data?
  Low – users can "read" data for PC downloads and query without restrictions (setting public authority to *USE is OK).
  High – users should not access data except in selected applications (add 5-7 days to adopt read-only access).
Estimation of Work Involved
• Do you have a test environment, or must changes be made on the production system?
  NO – add 50% if you must avoid disrupting production.
• Are you running data mining tools?
  YES – add 10-20% to the total estimate to get the tools to run with proper access.