
CICS Transaction Server V3.1
Security Enhancements
Steve Zemblowski
zem@us.ibm.com
© 2005 IBM Corporation


Session Agenda

Support for Transport Layer Security (TLS)

Support for mixed case passwords

Cipher suites

– Support for AES cipher suites

– Specification of minimum and maximum encryption level

Changes to revocation processing

– EXEC CICS VERIFY processing

– Certificate revocation lists

Performance enhancements

– SSL caching support

– Support for increased number of secure connections


CICS support for Transport Layer Security

Latest version of the Secure Sockets Layer protocol

– Specification documented in RFC 2246

z/OS 1.4 System SSL incorporates:

– SSL 2.0

– SSL 3.0

– TLS 1.0

CICS now uses new System SSL APIs

– Those used in CICS TS 2.3 are now deprecated by z/OS


CICS support for Mixed Case Passwords

Will require z/OS 1.7

– Mixed case support is mentioned in z/OS 1.7 preview

CESN enhancements

– Will not translate password field to upper case

• Similar to CEDA

– Will issue appropriate caution messages

• DFHCE3540 Ensure that passwords are entered in the correct case.


Cipher Suites

Support for AES cipher suites

– 128-bit and 256-bit encryption

Specification of cipher suites to be used for encryption

– Allows for a minimum and maximum level of encryption

• If the partner doesn’t support the selected choices, no connection will be established

• Specified on:

– TCPIPSERVICE for inbound HTTP and IIOP requests

– CORBASERVER for outbound IIOP requests

– URIMAP for outbound HTTP requests


Cipher Suites…

Range of available cipher suites for CICS to use is specified in the SIT

– ENCRYPTION={STRONG | MEDIUM | WEAK}

• For compatibility – ENCRYPTION=NORMAL will be treated as ENCRYPTION=MEDIUM

Selection of cipher suites and order of preference

– Specified in CIPHERS attribute

• 2-digit code indicating cipher suite

• Order determines preference

– e.g. CIPHERS(352F0A0504)

• Replaces PRIVACY parameter


Changes to Revocation Processing

Current releases of CICS

– Do not check the revoked status of a USERID for:

• EXEC CICS VERIFY

• ATTACHSEC(VERIFY)

• START with USERID

– Do not check if a connection to a GROUP was revoked

Revoked status of a user ID or a user’s group connection now honored by CICS 3.1


Certificate Revocation Lists

Digital Certificates

– Are used in the process of validating signed data or securely transmitting encryption keys

– Have a limited lifetime

• Specified in the certificate’s contents

• Can be explicitly revoked


Certificate Revocation Lists

Digital Certificates…

– General certificate validation flow is as follows:

• The recipient of signed data verifies that the claimed identity of the user is in accordance with the identity contained in the certificate

• The recipient validates that no certificate in the path is revoked and that all certificates are within their validity periods

• The recipient verifies that the data has not been altered since signing, by using the public key in the certificate


Certificate Revocation Lists

A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA)

CAs periodically update their CRLs and make them available for others to publish in local Lightweight Directory Access Protocol (LDAP) directories

– Available for download

– Retrieved information stored in an LDAP server

– z/OS 1.4 Security Server LDAP Server Administration and Use

– z/OS 1.5 Cryptographic Services PKI Guide and Reference


Configuring the LDAP server for CRLs

Configuration file is /etc/ldap/slapd.conf

adminDN is administrator’s distinguished name

adminPW is administrator’s password

suffix specifies one or more partial distinguished names that are roots of the naming hierarchies contained in the LDAP server

You will need one suffix for each CA for which you want to store CRLs

suffix O=Verisign\\, Inc

suffix O=Thawte Consulting, C=ZA

Note that two backslashes are required to escape special characters in suffix


Configuring the LDAP server for CRLS - Notes

The LDAP server’s configuration file contains many directives, but the ones of interest are adminDN and adminPW, which are the authentication credentials of the LDAP administrator. These credentials are needed to perform an update of the LDAP server.

Each of the LDAP distinguished name hierarchies has to be identified by a suffix configuration directive. Before a distinguished name entry to contain a Certificate Authority’s certificate revocation list entry can be created, there has to be a suffix entry for that Certificate Authority’s name.


Certificate Revocation Lists

New SIT parameter, CRLPROFILE

– Specifies the name of a RACF profile in the LDAPBIND general resource class where LDAP bind information is stored

– The profile contains a PROXY segment, which contains the following fields:

• LDAPHOST – Specifies the name of the LDAP server where the certificate revocation lists are stored

• BINDDN – The LDAP distinguished name of a user who is allowed to access certificate revocation lists in the LDAP server

• BINDPW – A password that authenticates the BINDDN

Note: this parameter is introduced in APAR PK04622


Certificate Revocation Lists

CICS provides a utility transaction to download a CRL

– CCRL transaction

• Can be invoked from a terminal

– CCRL url-list

> e.g. CCRL http://crl.verisign.com/ATTClass1Individual.crl

• Can be invoked as a started task

– EXEC CICS START TRANSID(CCRL) FROM(’http://crl.verisign.com/ATTClass1Individual.crl’) LENGTH(92) INTERVAL(960000)


LDAP authentication data

The CCRL transaction will prompt you for the adminDN and adminPW when entered from a terminal

When used from a program, insert an admin scheme URL into the URL list:

admin://admindn:adminpw


LDAP authentication data - Notes

Write access to the LDAP server usually requires you to provide the LDAP administrator’s authentication data: adminDN and adminPW. The CCRL transaction will prompt you for these if you execute it at a terminal.

Otherwise you will have to provide the special “admin” scheme URL whose only purpose is to provide this information in the URL list that is processed by CCRL. This fake URL has the format:

admin://admindn:adminpw

where admindn and adminpw are replaced by the actual values from the slapd.conf configuration file.
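An added example, not part of the presentation: a small Python parser for the CCRL url-list that separates the admin:// pseudo-URL from the CRL URLs, checks that a program-started CCRL carries the admin entry it cannot be prompted for, returns the FROM data together with the LENGTH value that must match it, and masks the password before the list is written to a log. The function names and the sample DN and password are constructed for this example; it assumes CRL URLs use the http scheme shown on the slide.

```python
from urllib.parse import urlsplit

ADMIN_SCHEME = "admin://"

class UrlListError(ValueError):
    """Raised for a url-list that CCRL could not act on sensibly."""

def parse_ccrl_list(url_list):
    """Split a CCRL url-list into (admin credentials, CRL URLs).

    Entries are blank-separated. The result is ((admindn, adminpw) or None,
    [crl_urls]); None means no admin:// entry was given, which is acceptable
    at a terminal, where CCRL prompts, but not when CCRL is started by a program.
    """
    creds, crls = None, []
    for entry in url_list.split():
        if entry.lower().startswith(ADMIN_SCHEME):
            if creds is not None:
                raise UrlListError("more than one admin:// entry in url-list")
            # The first ':' ends the DN, so a password may itself contain ':'.
            dn, sep, pw = entry[len(ADMIN_SCHEME):].partition(":")
            if not (sep and dn and pw):
                raise UrlListError("admin entry must be admin://admindn:adminpw")
            creds = (dn, pw)
        else:
            # Assumption of this example: CRLs are fetched over http, as on the slide.
            parts = urlsplit(entry)
            if parts.scheme != "http" or not parts.netloc or not parts.path:
                raise UrlListError("not an http CRL URL: %r" % entry)
            crls.append(entry)
    return creds, crls

def for_program_start(url_list):
    """Data for EXEC CICS START TRANSID(CCRL) FROM(data) LENGTH(n).

    A started task cannot be prompted, so the admin:// entry is mandatory.
    Returns (data, len(data)) so LENGTH is derived from the FROM data rather
    than typed by hand and drifting out of step with it.
    """
    creds, crls = parse_ccrl_list(url_list)
    if creds is None:
        raise UrlListError("admin:// entry is required when CCRL is started by a program")
    if not crls:
        raise UrlListError("url-list contains no CRL URL to download")
    data = " ".join(url_list.split())
    return data, len(data)

def is_valid_for_program(url_list):
    """True when for_program_start() would accept the list."""
    try:
        for_program_start(url_list)
        return True
    except UrlListError:
        return False

def redacted(url_list):
    """Copy of the url-list that is safe to log: the admin password is masked."""
    out = []
    for entry in url_list.split():
        if entry.lower().startswith(ADMIN_SCHEME):
            dn = entry[len(ADMIN_SCHEME):].partition(":")[0]
            entry = ADMIN_SCHEME + dn + ":****"
        out.append(entry)
    return " ".join(out)
```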


Performance Enhancements

CICS support for SSL caching

– Allows session ID information to be shared across the sysplex

OTE exploitation by CICS SSL connection management

– New SP mode TCB

• Reduces system storage requirements

– Existing S8 TCBs

• Now only allocated for the duration of the SSL requests

• Provides for increased number of simultaneous SSL sessions


Performance Enhancements

SSL Sysplex Caching

– Today the SSL session id is cached locally in every CICS region

• If the same client connects to a different CICS region, a full SSL handshake is required

– Impacts cloned CICS listener regions

[Figure: an SSL client connecting to CICS Listener 1 on z/OS 1 and to CICS Listener 2 on z/OS 2]


Performance Enhancements

SSL Sysplex Caching…

– Makes server session information available across a sysplex

• Requires all systems in the sysplex to use the same ESM

• Requires the SSL started task (GSKSRVR) to be implemented

– Supports TLS 1.0 and SSL 3.0 protocols

– GSKSRVR Environment Variables

> GSK_LOCAL_THREADS: number of threads

> GSK_SIDCACHE_SIZE: sysplex session cache size in megabytes

> GSK_SIDCACHE_TIMEOUT: session cache entry timeout in minutes

• Enable CICS to use sysplex caching

– SIT parameter

> SSLCACHE={CICS | SYSPLEX }


SSL Open Transaction Environment Exploitation

Current SSL implementation

– Uses a separate S8 TCB for each SSL request

• Fixed pool size

– Specified by SSLTCBS

• Each TCB has its own LE enclave

• S8 TCB is assigned for the duration of the requesting task


SSL Open Transaction Environment Exploitation…

OTE implementation

– SP TCB

• Created when KEYRING is specified in the SIT

• Owns the LE enclave and SSL cache

– S8 TCBs

• Variable pool size

– Controlled by MAXSSLTCBS parameter

• Runs as a UNIX pthread

• Assigned for the duration of the request


Monitoring

Changed monitoring group DFHTASK

– New monitoring fields

• MAXSTDLY – The elapsed time in which the user task waited to obtain a CICS SSL TCB (S8 mode), because the CICS system had reached the limit set by the system initialization parameter MAXSSLTCBS

– Changed monitoring fields

• DSCHMDLY – The elapsed time the user task waited for re-dispatch after a CICS Dispatcher change-TCB mode request was issued by or on behalf of the user task. Now applies to any TCB mode change.


Statistics

Sample Statistics Report

TCB   TCBs Attached   Op. System   Op. System        Total TCB         Total TCB         DS TCB            TCB CPU/Disp
Mode  Current  Peak   Waits        Wait Time         Dispatch Time     CPU Time          CPU Time          Ratio
____________________________________________________________________________________________________________________
QR       1       1    1,339        00:36:52.76362    00:00:03.83933    00:00:03.11027    00:00:00.12582    81.0%
RO       1       1       11        01:02:05.45171    00:00:00.30343    00:00:00.02823    00:00:00.00045
CO       1       1        2        01:05:22.12533    00:00:00.00008    00:00:00.00018    00:00:00.00014
SZ       1       1        2        00:27:20.17500    00:00:00.00005    00:00:00.09745    00:00:00.09742
RP       0       0        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
FO       1       1       15        01:03:41.17645    00:00:00.74589    00:00:00.07492    00:00:00.00040
SL       1       1        2        01:02:22.85484    00:00:00.00031    00:00:00.00036    00:00:00.00002
SO       1       1        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
SP       1       1        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
D2       0       0        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
JM       0       0        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
S8      25      25        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
L8       1       1        6        00:00:00.01315    00:00:00.35665    00:00:00.00177    00:00:00.00004
J8       0       0        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
J9       1       1        4        00:00:00.03895    00:00:04.41789    00:00:01.21668    00:00:00.00024
X8       0       0        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000
X9       0       0        0        00:00:00.00000    00:00:00.00000    00:00:00.00000    00:00:00.00000


Statistics…

Sample Statistics Report

TCB Pool . . . . . . . . . . . . . . . . . : SSL
Current TCBs attached in this TCB Pool . . : 1
Peak TCBs attached in this TCB Pool. . . . : 1
Max TCB Pool Limit (MAXSSLTCBS). . . . . . : 22
Requests Delayed by Max TCB Pool Limit . . : 0
Total Max TCB Pool Limit delay time. . . . : 00:00:00.00000
Average Max TCB Pool Limit delay time. . . : 00:00:00.00000
Total number of TCB Mismatch Waits . . . . : 0
Total TCB Mismatch wait time . . . . . . . : 00:00:00.00000
Average TCB Mismatch wait time . . . . . . : 00:00:00.00000
Requests Delayed by MVS storage constraint : 0
Total MVS storage constraint delay time. . : 00:00:00.00000
Average MVS storage constraint delay time. : 00:00:00.00000

Current TCBs in use in this TCB Pool . . . . . : 0
Peak TCBs in use in this TCB Pool. . . . . . . : 0
Times at Max TCB Pool Limit (MAXSSLTCBS) . . . : 0
Current Requests Delayed by Max TCB Pool Limit : 0
Peak Requests Delayed by Max TCB Pool Limit. . : 0
Total Delay time for current delayed . . . . . : 00:00:00.00000
Average Delay time for current delayed . . . . : 00:00:00.00000
Current TCB Mismatch waits . . . . . . . . . . : 0
Peak TCB Mismatch waits. . . . . . . . . . . . : 0
Total Wait time for current Mismatch Waits . . : 00:00:00.00000
Average Wait time for current Mismatch Waits . : 00:00:00.00000


Statistics…

Sample Statistics Report

TCP/IP
______
TCP/IP Status. . . . . . . . . . . . . . . . . . . . . . : OPEN
SSLCACHE setting . . . . . . . . . . . . . . . . . . . . : CICS
Active SSL TCBs. . . . . . . . . . . . . . . . . . . . . : 0
Maximum SSL TCBs (MAXSSLTCBS). . . . . . . . . . . . . . : 22
Max IP Sockets (MAXSOCKETS) limit. . . . . . . . . . . . : 1,500
Number of times the MAXSOCKETS limit was reached . . . . : 0
Current Active IP Sockets. . . . . . . . . . . . . . . . : 4
Current number of inbound sockets. . . . . . . . . . . . : 7
Peak number of inbound sockets . . . . . . . . . . . . . : 7
Current number of non-persistent outbound sockets. . . . : 0
Peak number of non-persistent outbound sockets . . . . . : 0
Current number of persistent outbound sockets. . . . . . : 0
Peak number of persistent outbound sockets . . . . . . . : 0
Number of inbound sockets created. . . . . . . . . . . . : 0
Number of outbound sockets created . . . . . . . . . . . : 0
Number of outbound sockets closed. . . . . . . . . . . . : 0
Total number of inbound and outbound sockets created . . : 0
Number of create socket requests delayed by MAXSOCKETS . : 0
Total MAXSOCKETS delay time. . . . . . . . . . . . . . . : 00:00:00.00000
Average MAXSOCKETS delay time. . . . . . . . . . . . . . : 00:00:00.00000
Number of create requests that timed-out at MAXSOCKETS . : 0
Current create socket requests delayed by MAXSOCKETS . . : 0
Peak create socket requests delayed by MAXSOCKETS. . . . : 0
Total delay time for current create requests delayed . . : 00:00:00.00000
Average delay time for current create requests delayed . : 00:00:00.00000


Systems Programming Interface

INQUIRE TCPIPSERVICE, CORBASERVER and URIMAP

– CIPHERS

– NUMCIPHERS

INQUIRE TCPIP

– CRLSERVER

– SSLCACHE

INQUIRE and SET DISPATCHER

– MAXSSLTCBS

– ACTSSLTCBS


Summary

Support for TLS 1.0

Mixed case password support

Support for cipher suites

– New AES 128 and 256 encodings

– Specification of minimum and maximum encryption level

New Certificate Revocation Lists utility transaction

Performance enhancements

– SSL session id caching

– OTE exploitation