CICS Transaction Server V3.1
© 2005 IBM Corporation
Security Enhancements
Steve Zemblowski
Session Agenda
Support for Transport Layer Security (TLS)
Support for mixed case passwords
Cipher suites
– Support for AES cipher suites
– Specification of minimum and maximum encryption level
Changes to revocation processing
– EXEC CICS VERIFY processing
– Certificate revocation lists
Performance enhancements
– SSL caching support
– Support for increased number of secure connections
CICS support for Transport Layer Security
Latest version of the Secure Sockets Layer protocol
– Specification documented in RFC 2246
z/OS 1.4 System SSL incorporates:
– SSL 2.0
– SSL 3.0
– TLS 1.0
CICS now uses new System SSL APIs
– Those used in CICS TS 2.3 are now deprecated by z/OS
CICS support for Mixed Case Passwords
Will require z/OS 1.7
– Mixed case support is mentioned in z/OS 1.7 preview
CESN enhancements
– Will not translate password field to upper case
• Similar to CEDA
– Will issue appropriate caution messages
• DFHCE3540 Ensure that passwords are entered in the correct case.
Cipher Suites
Support for AES cipher suites
– 128-bit and 256-bit encryption
Specification of cipher suites to be used for encryption
– Allows for a minimum and maximum level of encryption
• If the partner doesn't support the selected choices, no connection will be established
• Specified on:
– TCPIPSERVICE for inbound HTTP and IIOP requests
– CORBASERVER for outbound IIOP requests
– URIMAP for outbound HTTP requests
Cipher Suites…
Range of available cipher suites for CICS to use is specified in the SIT
– ENCRYPTION={STRONG | MEDIUM | WEAK}
• For compatibility – ENCRYPTION=NORMAL will be treated as ENCRYPTION=MEDIUM
Selection of cipher suites and order of preference
– Specified in CIPHERS attribute
• 2-digit code indicating the cipher suite
• Order determines preference
– e.g. CIPHERS(352F0A0504)
• Replaces PRIVACY parameter
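As an added illustration (not IBM code), the following Python parses a CIPHERS value such as CIPHERS(352F0A0504) into its preference-ordered suite codes and shows how that order, intersected with what a partner offers, decides the suite or yields no connection at all. The code-to-name table is the standard TLS cipher suite registry; the partner offers are constructed samples.

```python
"""Parse a CICS CIPHERS attribute and pick a suite by preference order.

Added example, not IBM code. CIPHERS lists 2-hex-digit TLS cipher suite codes
in preference order, e.g. CIPHERS(352F0A0504). SUITE_NAMES is the standard TLS
registry mapping for those codes (RFC 2246 / RFC 3268); offers are constructed.
"""
from typing import Dict, List, Optional

SUITE_NAMES: Dict[str, str] = {
    "04": "TLS_RSA_WITH_RC4_128_MD5",
    "05": "TLS_RSA_WITH_RC4_128_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_ciphers(attr: str) -> List[str]:
    """Split a CIPHERS value into 2-digit codes, preserving preference order."""
    value = attr.strip().upper()
    if value.startswith("CIPHERS(") and value.endswith(")"):
        value = value[len("CIPHERS("):-1]
    if len(value) % 2 or not all(c in "0123456789ABCDEF" for c in value):
        raise ValueError(f"CIPHERS must be an even-length hex string: {attr!r}")
    codes = [value[i:i + 2] for i in range(0, len(value), 2)]
    unknown = [c for c in codes if c not in SUITE_NAMES]
    if unknown:
        raise ValueError(f"cipher suite code(s) not in this table: {unknown}")
    return codes

def negotiate(cics_prefs: List[str], partner_offer: List[str]) -> Optional[str]:
    """Return the first suite in CICS's order that the partner also offers.

    None means no overlap: per the slide, no connection is then established.
    """
    offered = set(partner_offer)
    for code in cics_prefs:
        if code in offered:
            return code
    return None

if __name__ == "__main__":
    prefs = parse_ciphers("CIPHERS(352F0A0504)")
    for code in prefs:
        print(code, SUITE_NAMES[code])
    # Constructed partner offers: an AES-capable client and an RC4-only client
    print("AES client ->", negotiate(prefs, ["2F", "35"]))  # 35: CICS order wins
    print("RC4-only   ->", negotiate(prefs, ["04"]))        # 04
    print("no overlap ->", negotiate(prefs, ["3C"]))        # None
```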
Changes to Revocation Processing
Current releases of CICS
– Do not check the revoked status of a USERID for:
• EXEC CICS VERIFY
• ATTACHSEC(VERIFY)
• START with USERID
– Do not check if a connection to a GROUP was revoked
Revoked status of a user ID or a user’s group connection now honored by CICS 3.1
Certificate Revocation Lists
Digital Certificates
– Are used in the process of validating signed data or securely transmitting encryption keys
– Have a limited lifetime
• Specified in the certificate's contents
• Can be explicitly revoked
Certificate Revocation Lists
Digital Certificates…
– General certificate validation flow is as follows:
• The recipient of signed data verifies that the claimed identity of the user is in accordance with the identity contained in the certificate
• The recipient validates that no certificate in the path is revoked and that all certificates are within their validity periods
• The recipient verifies that the data has not been altered since signing, by using the public key in the certificate
Certificate Revocation Lists
A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA)
CAs periodically update their CRLs and make them available for others to publish in local Lightweight Directory Access Protocol (LDAP) directories
– Available for download
– Retrieved information stored in an LDAP server
– z/OS 1.4 Security Server LDAP Server Administration and Use
– z/OS 1.5 Cryptographic Services PKI Guide and Reference
Configuring the LDAP server for CRLs
Configuration file is /etc/ldap/slapd.conf
adminDN is administrator’s distinguished name
adminPW is administrator’s password
suffix specifies one or more partial distinguished names that are roots of the naming hierarchies contained in the LDAP server
You will need one suffix for each CA for which you want to store CRLs
suffix O=Verisign\\, Inc
suffix O=Thawte Consulting, C=ZA
Note that two backslashes are required to escape special characters in suffix
Configuring the LDAP server for CRLs - Notes
The LDAP server's configuration file contains many directives, but the ones of interest are adminDN and adminPW, which are the authentication credentials of the LDAP administrator. These credentials are needed to perform an update of the LDAP server.
Each of the LDAP distinguished name hierarchies has to be identified by a suffix configuration directive. Before a distinguished name entry to contain a Certificate Authority's certificate revocation list entry can be created, there has to be a suffix entry for that Certificate Authority's name.
Certificate Revocation Lists
New SIT parameter, CRLPROFILE
– Specifies the name of a RACF profile in the LDAPBIND general resource class where LDAP bind information is stored
– The profile contains a PROXY segment, which contains the following fields:
• LDAPHOST – Specifies the name of the LDAP server where the certificate revocation lists are stored
• BINDDN – The LDAP distinguished name of a user who is allowed to access certificate revocation lists in the LDAP server
• BINDPW – A password that authenticates the BINDDN
Note: this parameter is introduced in APAR PK04622
Certificate Revocation Lists
CICS provides a utility transaction to download a CRL
– CCRL transaction
• Can be invoked from a terminal
– CCRL url-list url-list
> e.g. CCRL http://crl.verisign.com/ATTClass1Individual.crl
• Can be invoked as a started task
– EXEC CICS START TRANSID(CCRL) FROM('http://crl.verisign.com/ATTClass1Individual.crl') LENGTH(92) INTERVAL(960000)
LDAP authentication data
The CCRL transaction will prompt you for the adminDN and adminPW when entered from a terminal
When used from a program, insert an admin scheme URL into the URL list:
admin://admindn:adminpw
LDAP authentication data - Notes
Write access to the LDAP server usually requires you to provide the LDAP administrator's authentication data: adminDN and adminPW. The CCRL transaction will prompt you for these if you execute it at a terminal.
Otherwise you will have to provide the special “admin” scheme URL whose only purpose is to provide this information in the URL list that is processed by CCRL. This fake URL has the format:
admin://admindn:adminpw
where admindn and adminpw are replaced by the actual values from the slapd.conf configuration file.
Performance Enhancements
CICS support for SSL caching
– Allows session ID information to be shared across the sysplex
OTE exploitation by CICS SSL connection management
– New SP mode TCB
• Reduces system storage requirements
– Existing S8 TCBs
• Now only allocated for the duration of the SSL requests
• Provides for an increased number of simultaneous SSL sessions
Performance Enhancements
SSL Sysplex Caching
– Today the SSL session id is cached local to every CICS region
• If the same client connects to a different CICS region, a full SSL handshake is required
– Impacts cloned CICS listener regions
[Figure: an SSL client connecting to CICS Listener 1 on z/OS 1 and to CICS Listener 2 on z/OS 2]
Performance Enhancements
SSL Sysplex Caching…
– Makes server session information available across a sysplex
• Requires all systems in the sysplex to use the same ESM
• Requires the SSL Started Task (GSKSRVR) to be implemented
– Supports TLS 1.0 and SSL 3.0 protocols
– GSKSRVR Environment Variables
> GSK_LOCAL_THREADS: number of threads
> GSK_SIDCACHE_SIZE: sysplex session cache size in megabytes
> GSK_SIDCACHE_TIMEOUT: session cache entry timeout in minutes
• Enable CICS to use sysplex caching
– SIT parameter
> SSLCACHE={CICS | SYSPLEX }
SSL Open Transaction Environment Exploitation
Current SSL implementation
– Uses a separate S8 TCB for each SSL request
• Fixed pool size
– Specified by SSLTCBS
• Each TCB has its own LE enclave
• S8 TCB is assigned for the duration of the requesting task
SSL Open Transaction Environment Exploitation…
OTE implementation
– SP TCB
• Created when KEYRING is specified in the SIT
• Owns the LE enclave and SSL cache
– S8 TCBs
• Variable pool size
– Controlled by the MAXSSLTCBS parameter
• Runs as a UNIX pthread
• Assigned for the duration of the request
Monitoring
Changed monitoring group DFHTASK
– New monitoring fields
• MAXSTDLY – The elapsed time in which the user task waited to obtain a CICS SSL TCB (S8 mode), because the CICS system had reached the limit set by the system initialization parameter MAXSSLTCBS
– Changed monitoring fields
• DSCHMDLY – The elapsed time the user task waited for re-dispatch after a CICS Dispatcher change-TCB mode request was issued by or on behalf of the user task. Now applies to any TCB processing.
Statistics
Sample Statistics Report
TCB Mode | TCBs Attached Current | TCBs Attached Peak | Op. System Waits | Op. System Wait Time | Total TCB Dispatch Time | Total TCB CPU Time | DS TCB CPU Time | TCB CPU/Disp Ratio
__________________________________________________________________________________________________________________
QR 1 1 1,339 00:36:52.76362 00:00:03.83933 00:00:03.11027 00:00:00.12582 81.0%
RO 1 1 11 01:02:05.45171 00:00:00.30343 00:00:00.02823 00:00:00.00045
CO 1 1 2 01:05:22.12533 00:00:00.00008 00:00:00.00018 00:00:00.00014
SZ 1 1 2 00:27:20.17500 00:00:00.00005 00:00:00.09745 00:00:00.09742
RP 0 0 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
FO 1 1 15 01:03:41.17645 00:00:00.74589 00:00:00.07492 00:00:00.00040
SL 1 1 2 01:02:22.85484 00:00:00.00031 00:00:00.00036 00:00:00.00002
SO 1 1 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
SP 1 1 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
D2 0 0 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
JM 0 0 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
S8 25 25 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
L8 1 1 6 00:00:00.01315 00:00:00.35665 00:00:00.00177 00:00:00.00004
J8 0 0 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
J9 1 1 4 00:00:00.03895 00:00:04.41789 00:00:01.21668 00:00:00.00024
X8 0 0 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
X9 0 0 0 00:00:00.00000 00:00:00.00000 00:00:00.00000 00:00:00.00000
Statistics…
Sample Statistics Report
TCB Pool . . . . . . . . . . . . . . . . . : SSL
Current TCBs attached in this TCB Pool . . : 1 Current TCBs in use in this TCB Pool . . . . . : 0
Peak TCBs attached in this TCB Pool. . . . : 1 Peak TCBs in use in this TCB Pool. . . . . . . : 0
Max TCB Pool Limit (MAXSSLTCBS). . . . . . : 22 Times at Max TCB Pool Limit (MAXSSLTCBS) . . . : 0
Requests Delayed by Max TCB Pool Limit . . : 0 Current Requests Delayed by Max TCB Pool Limit : 0
Total Max TCB Pool Limit delay time. . . . : 00:00:00.00000 Peak Requests Delayed by Max TCB Pool Limit. . : 0
Average Max TCB Pool Limit delay time. . . : 00:00:00.00000 Total Delay time for current delayed . . . . . : 00:00:00.00000
Average Delay time for current delayed . . . . : 00:00:00.00000
Total number of TCB Mismatch Waits . . . . : 0 Current TCB Mismatch waits . . . . . . . . . . : 0
Total TCB Mismatch wait time . . . . . . . : 00:00:00.00000 Peak TCB Mismatch waits. . . . . . . . . . . . : 0
Average TCB Mismatch wait time . . . . . . : 00:00:00.00000 Total Wait time for current Mismatch Waits . . : 00:00:00.00000
Average Wait time for current Mismatch Waits . : 00:00:00.00000
Requests Delayed by MVS storage constraint : 0
Total MVS storage constraint delay time. . : 00:00:00.00000
Average MVS storage constraint delay time. : 00:00:00.00000
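An added example (not IBM code) that reads the "TCB Pool : SSL" section above and classifies S8 pool pressure from MAXSSLTCBS, peak TCBs in use and the delayed-request counters; the report text is embedded as the sample input, and an exhausted variant is constructed from it to show the condition that surfaces as MAXSTDLY in monitoring.

```python
"""Parse the 'TCB Pool : SSL' dispatcher statistics and flag S8 pool exhaustion.

Added example, not IBM code. SAMPLE_REPORT is the SSL pool section of the
slide's sample report (two 'label : value' fields per line); EXHAUSTED_REPORT
is constructed from it to show a region that hit MAXSSLTCBS.
"""
import re
from typing import Dict

SAMPLE_REPORT = """\
TCB Pool . . . . . . . . . . . . . . . . . : SSL
Current TCBs attached in this TCB Pool . . : 1 Current TCBs in use in this TCB Pool . . . . . : 0
Peak TCBs attached in this TCB Pool. . . . : 1 Peak TCBs in use in this TCB Pool. . . . . . . : 0
Max TCB Pool Limit (MAXSSLTCBS). . . . . . : 22 Times at Max TCB Pool Limit (MAXSSLTCBS) . . . : 0
Requests Delayed by Max TCB Pool Limit . . : 0 Current Requests Delayed by Max TCB Pool Limit : 0
"""

# Constructed: same layout, but the pool peaked at its limit and queued requests
EXHAUSTED_REPORT = (SAMPLE_REPORT
    .replace("in use in this TCB Pool. . . . . . . : 0", "in use in this TCB Pool. . . . . . . : 22")
    .replace("(MAXSSLTCBS) . . . : 0", "(MAXSSLTCBS) . . . : 37")
    .replace("Pool Limit . . : 0", "Pool Limit . . : 37"))

# label (letters, digits, spaces, parentheses), dot leaders, colon, value
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ()]*?)[ .]*:\s*(\S+)")

def parse_fields(report: str) -> Dict[str, str]:
    """Return {label: value} for every 'label : value' pair in the report."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(report)}

def _num(value: str) -> int:
    return int(value.replace(",", ""))   # the report prints counts like 1,500

def assess_ssl_pool(report: str) -> str:
    """Classify S8 usage as 'ok', 'near-limit' or 'exhausted'."""
    f = parse_fields(report)
    if f.get("TCB Pool") != "SSL":
        raise ValueError("not an SSL TCB pool section")
    limit = _num(f["Max TCB Pool Limit (MAXSSLTCBS)"])
    peak_in_use = _num(f["Peak TCBs in use in this TCB Pool"])
    times_at_max = _num(f["Times at Max TCB Pool Limit (MAXSSLTCBS)"])
    delayed = _num(f["Requests Delayed by Max TCB Pool Limit"])
    if times_at_max or delayed:
        return "exhausted"       # tasks waited for an S8 TCB; shows up as MAXSTDLY
    if peak_in_use >= 0.8 * limit:
        return "near-limit"
    return "ok"
```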
Statistics…
Sample Statistics Report
TCP/IP
______
TCP/IP Status. . . . . . . . . . . . . . . . . . . . . . : OPEN
SSLCACHE setting . . . . . . . . . . . . . . . . . . . . : CICS
Active SSL TCBs. . . . . . . . . . . . . . . . . . . . . : 0
Maximum SSL TCBs (MAXSSLTCBS). . . . . . . . . . . . . . : 22
Max IP Sockets (MAXSOCKETS) limit. . . . . . . . . . . . : 1,500
Number of times the MAXSOCKETS limit was reached . . . . : 0
Current Active IP Sockets. . . . . . . . . . . . . . . . : 4
Current number of inbound sockets. . . . . . . . . . . . : 7
Peak number of inbound sockets . . . . . . . . . . . . . : 7
Current number of non-persistent outbound sockets. . . . : 0
Peak number of non-persistent outbound sockets . . . . . : 0
Current number of persistent outbound sockets. . . . . . : 0
Peak number of persistent outbound sockets . . . . . . . : 0
Number of inbound sockets created. . . . . . . . . . . . : 0
Number of outbound sockets created . . . . . . . . . . . : 0
Number of outbound sockets closed. . . . . . . . . . . . : 0
Total number of inbound and outbound sockets created . . : 0
Number of create socket requests delayed by MAXSOCKETS . : 0
Total MAXSOCKETS delay time. . . . . . . . . . . . . . . : 00:00:00.00000
Average MAXSOCKETS delay time. . . . . . . . . . . . . . : 00:00:00.00000
Number of create requests that timed-out at MAXSOCKETS . : 0
Current create socket requests delayed by MAXSOCKETS . . : 0
Peak create socket requests delayed by MAXSOCKETS. . . . : 0
Total delay time for current create requests delayed . . : 00:00:00.00000
Average delay time for current create requests delayed . : 00:00:00.00000
Systems Programming Interface
INQUIRE TCPIPSERVICE, CORBASERVER and URIMAP
– CIPHERS
– NUMCIPHERS
INQUIRE TCPIP
– CRLSERVER
– SSLCACHE
INQUIRE and SET DISPATCHER
– MAXSSLTCBS
– ACTSSLTCBS
Summary
Support for TLS 1.0
Mixed case password support
Support for cipher suites
– New AES 128-bit and 256-bit cipher suites
– Specification of minimum and maximum encryption level
New Certificate Revocation Lists utility transaction
Performance enhancements
– SSL session id caching
– OTE exploitation