Page 1

© 2014 Rocket Software, Inc. All Rights Reserved.

Two-Factor Authentication on z/OS with Rocket Strong Authentication Expert

Joris Cornette

t: +49 (0) 2159 69 97 14 • m: +49 (0) 160 96 46 93 27 • e: [email protected]

www.rocketsoftware.com

Page 2

Agenda

Rocket Software

Management Questions

Rocket Strong Authentication Expert Overview

• How does SAE work?

• How do you get SAE operational?

• Authentication

Some considerations

Questions and Answers

Page 3

Who are we?


Page 6

Questions from the Management

Page 7

Questions from your Chief Security Officer

“Are our system administrators still logging in to the mainframe with passwords that change only once per month?”

• Stolen administrator passwords in particular open the front door

“Are there production scripts that use hard-coded, non-changing passwords to access the mainframe?”

• FTP is a good (bad) example

“Are you ready for an audit for regulatory compliance?”

• Or maybe you just had one and must take action now …

Page 8

Strong Authentication Expert

How does it work?

Page 9

How does SAE work?

Requirement:

• Critical mainframe access (logon) should use a two-factor authentication system (with help of tokens, cards or key fobs) instead of a single static password

SAE is a solution based on two architectural components:

• z/OS authentication requestor

  The SAE started tasks

• One of these external two-factor authentication managers

  RSA ACE/Server

  RADIUS

  o e.g. SafeNet Authentication Manager

Page 10

SAE Architecture

[Architecture diagram; components shown:]

z/OS Platform

• SAE RUNAGENT + SAE RUNRAZA / R started tasks

• SAE VTAM Application

• SAE External Security Manager Interface (TSO, FTP etc.)

• SAE CICS API

• SAE ASM API

• RACF* Database

Distributed Platform

• Authentication Manager

* RACF or ACF2 or TopSecret

Page 11

SAE Operation Modes

ESM mode (External Security Management)

• SAE activates RACF exit points

• SAE thus sees every authentication attempt to the mainframe environment, regardless of access method (as long as it passes through RACF)

VTAM mode

• SAE allows administrators to insert a two-factor authentication screen into the VTAM logon process using the SAE VTAM application

  When logon is successful, the site-dependent post-authentication menu appears (e.g. a Session Manager panel)

  Any RACF logon (e.g. for TSO and FTP) is left unaffected

ESM mode and VTAM mode are not compatible on one LPAR

Page 12

SAE Process Flow for ESM Mode

[Process flow diagram; labelled RACF exits: ICHRIX01, ICHRIX02]

Page 13

SAE Process Flow for VTAM Mode

Page 14

SAE ESM Mode Components

Exploits ESM-specific exit programs for RACF

Agent main started task

• Checks user provisioning

  When the STC is not running or the user is not provisioned in SAE, authentication proceeds as before (native RACF)

• Communicates with the RACF exit programs and the Protocol Handler

Protocol Handler started task

• Communicates with the external authentication manager (ACE/Server or RADIUS)

  Two versions, depending on whether ACE/Server or RADIUS is used

• Ensure that this Protocol Handler starts first after IPL

Page 15

SAE Recap

SAE allows access to two-factor authentication on z/OS using:

• Something you know (PIN)

• Something you possess (temporary tokencode)

Two points of integration on z/OS

• External Security Manager (ESM) to exploit RACF

• VTAM Application for online applications

Page 16

Strong Authentication Expert

How to get it operational?

Page 17

SAE Installation

Install SAE using SMP/E

• Base install followed by RECEIVE – APPLY – ACCEPT

Integrate SAE in RACF and z/OS

Run the Setup option of the RAZMAIN REXX exec to:

• Create the runtime environment for SAE

  Several VSAM settings files

• Configure SAE

• Set up SAE preferences

Perform additional steps depending on ESM mode or VTAM mode

• Integrate with ACE/Server

• Integrate with RADIUS

SAE requires two z/OS started tasks

• RUNAGENT (Core agent)

• One of these:

  RUNRAZA (ACE/Server Protocol Handler)

  RUNRAZR (RADIUS Protocol Handler)

Page 18

SAE RACF and z/OS Integration (1)

Copy members RAZLIX01 and RAZLIX02 from SRAZLOAD into a z/OS LPALIB

• Rename these members to ICHRIX01 and ICHRIX02

  ICHRIX01 (RACINIT preprocessing exit routine) runs before user identification, user verification and terminal authorization checking

  ICHRIX02 (RACINIT postprocessing exit routine) runs after user identification, user verification and terminal authorization checking

• If these exit points are already in use, glue code is required; Rocket Support will help

• Concatenate this LPALIB with the exits to the LPA list

  Use SRAZPARM member RAZIEALP as a guide to updating the existing LPALSTxx member

Practice?

Page 19

SAE RACF and z/OS Integration (2)

Add RAZLALU to the Authorized Command List

• Use SRAZPARM member RAZIKJTS as a guide for updating the existing IKJTSOxx PARMLIB member

Add the SRAZLOAD PDS to the active LINKLIST and APF-authorize this PDS

• Use SRAZPARM member RAZPRG13 as a guide to updating your existing PROGxx PARMLIB member
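As an added illustration of the two page-19 steps, the shape of the IKJTSOxx and PROGxx statements involved. These lines are written for this edit and are not the SRAZPARM samples RAZIKJTS and RAZPRG13, which the deck says to use as the real guide; HLQ.SRAZLOAD, the link list set name LNKSAE, the SMS keyword (SMS-managed data set) and the presence of a dynamic APF list are assumptions to be replaced by the site's own values:

```text
/* IKJTSOxx: RAZLALU joins the authorized TSO command list              */
AUTHCMD NAMES(                      /* keep the site's existing names   */
        RAZLALU                     /* SAE command, page 19             */
       )

/* PROGxx: APF-authorize SRAZLOAD and add it to the link list           */
/* Assumption: SMS-managed data set and a dynamic APF list in effect    */
APF ADD DSNAME(HLQ.SRAZLOAD) SMS
LNKLST DEFINE   NAME(LNKSAE) COPYFROM(CURRENT)
LNKLST ADD      NAME(LNKSAE) DSNAME(HLQ.SRAZLOAD)
LNKLST ACTIVATE NAME(LNKSAE)
```

Once a library is APF-authorized and in the link list, everything loaded from it runs with authorization, so the RACF data set profile for HLQ.SRAZLOAD should grant UPDATE to the SAE maintainers only; that profile, and the LPALIB holding ICHRIX01/ICHRIX02, are the first things an auditor will ask to see after this step.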

Page 20

SAE Configuration and Administration Tool

Page 21

SAE authentication system SETUP

Page 22

SAE authentication system SETUP

This is where the z/OS installer wants help

Page 23

SAE RACF User Provisioning Process

Users are provisioned through the Provisioning option of the RAZMAIN REXX exec

• A provisioned user is a user who will be processed by SAE

  A non-provisioned user follows the normal traditional logon process

• Only an SAE admin can provision users

• The first user of RAZMAIN to do the SAE Setup becomes the first SAE admin and can define other SAE admins

• JCL is provided for batch provisioning of users

Provisioning is only needed for ESM mode

• Provisioning is not used for VTAM mode; seeing the SAE VTAM screen is a clear sign that you will go to the Authentication Server

Page 24

SAE RACF User Provisioning

Page 25

SAE RACF User Provisioning Details

Associate the mainframe RACF ID with

• the RADIUS logon name, or

• the ACE/Server logon name

Set PIN value and length

• The PIN value may be left blank and set at first logon (even preferred)

Set up a Fallback Preference

• Specifies whether the user can fall back to regular RACF authentication if there is a problem with authentication by the authentication server

• At least one admin user should be allowed fallback (?)

This exploits the RACF User Segment in the RACF database

Page 26

Provisioned users must also be known in RSA

Define the user on ACE/Server as having a user-defined PIN, but do not set it to anything: when the user logs in for the first time, they will be prompted to set their PIN. In ESM mode, the default TSO new password field is used for this.

Page 27

Strong Authentication Expert

Authentication

Page 28

SAE RACF Authentication

SAE exit code sees every logon attempt

• User logs in as normal via TSO, FTP etc.

For provisioned users (e.g. with RSA/RADIUS tokens or key fobs)

• User enters the first 2 characters of the PIN followed by the temporary tokencode generated by the device

  SAE automatically fills in the rest of the PIN as long as the first 2 characters are correct

  Together this is the password

• Exit code puts the user credentials through the SAE alternative processing

  Exit code ICHRIX01 decides, with help of the ACE/Server or RADIUS server, whether the user is allowed to log on

• You can only retry logon when a new tokencode is displayed

For non-provisioned users

• Exit code passes control back to the ESM for the normal RACF processing flow

• User uses the regular RACF password

Page 29

SAE Process Flow (ESM and ACE/Server)

[Flowchart; decision nodes: "User is provisioned?", "PIN matched?", "RACF Fallback enabled in SAE?", "ACE says OK?"; action: "SAE sends request to ACE/Server (User ID, PIN and token code)"; outcomes: "Return YES to RACF, No Further Processing", "Return NO to RACF, No Further Processing", and "Return to RACF, Regular Processing" (reached twice); each decision has a Y and an N branch]
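The ESM-mode logon decision described on pages 14, 25, 28 and 29 (native RACF when the agent is down or the user is not provisioned, two PIN characters plus tokencode, a tokencode usable only once, and the per-user fallback preference) as an added Python model. This is example code written for this edit, not Rocket's code or REXX: the Provisioning record, FakeAuthServer, sae_exit_decision and demo names are assumptions, the sample users and tokencodes are constructed, and routing an unreachable authentication server through the fallback preference is this example's reading of the page-25 wording ("a problem with the authentication by the authentication server"), not something the flowchart states.

```python
"""Model of the SAE ESM-mode logon decision (pages 14, 25, 28 and 29).

Added example, not Rocket's code. It follows the flowchart and bullet text
of the deck with a constructed in-memory stand-in for the SAE data in the
RACF user segment and for the ACE/Server or RADIUS authentication manager,
so the fail-open and fail-closed paths can be exercised offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PIN_PREFIX = 2  # page 28: the user types the first 2 PIN characters + tokencode


@dataclass
class Provisioning:
    """Constructed stand-in for the SAE fields of the RACF user segment (page 25)."""
    token_login: str        # ACE/Server or RADIUS logon name tied to the RACF ID
    pin: Optional[str]      # None: PIN left blank, to be set at first logon
    fallback: bool          # may the user fall back to the regular RACF password?


class FakeAuthServer:
    """Constructed stand-in for ACE/Server or RADIUS (assumption, not a real client)."""

    def __init__(self, tokens: Dict[str, str], available: bool = True) -> None:
        self.tokens = tokens                      # logon name -> tokencode shown now
        self.available = available                # False simulates the DR case (page 38)
        self.used: Set[Tuple[str, str]] = set()   # tokencodes already accepted once

    def verify(self, login: str, pin: str, code: str) -> bool:
        if not self.available:
            raise ConnectionError("authentication manager unreachable")
        if (login, code) in self.used:
            return False                          # page 28: a retry needs a new tokencode
        ok = self.tokens.get(login) == code
        if ok:
            self.used.add((login, code))
        return ok


def sae_exit_decision(userid: str, password_field: str,
                      store: Dict[str, Provisioning], server: FakeAuthServer,
                      agent_running: bool = True) -> str:
    """Outcome of the ICHRIX01 decision for one logon attempt.

    "YES"     - SAE authenticated the user; RACF does no further processing
    "NO"      - SAE rejected the user; RACF does no further processing
    "RACF"    - return to RACF for its regular password processing
    "NEW_PIN" - provisioned user without a PIN; must set one now (page 26)
    """
    rec = store.get(userid)
    # Page 14: agent STC down or user not provisioned -> native RACF as before.
    if not agent_running or rec is None:
        return "RACF"
    if rec.pin is None:
        return "NEW_PIN"
    typed_prefix, tokencode = password_field[:PIN_PREFIX], password_field[PIN_PREFIX:]
    # Page 28: SAE completes the PIN itself when the first two characters match.
    if typed_prefix != rec.pin[:PIN_PREFIX]:
        return "RACF" if rec.fallback else "NO"
    try:
        # Page 29: SAE sends user ID, full PIN and tokencode to the server.
        ok = server.verify(rec.token_login, rec.pin, tokencode)
    except ConnectionError:
        # Assumption: an unreachable server is the "problem" of page 25,
        # so the user's fallback preference decides the outcome.
        return "RACF" if rec.fallback else "NO"
    return "YES" if ok else "NO"


# Constructed sample data: two provisioned users and one without a PIN yet.
STORE = {
    "ADMIN1": Provisioning("admin1", "1234", fallback=True),
    "OPER2": Provisioning("oper2", "9876", fallback=False),
    "NEWUSR": Provisioning("newusr", None, fallback=False),
}


def demo() -> Dict[str, str]:
    """Runs the paths a reviewer wants to see and returns their outcomes."""
    codes = {"admin1": "556677", "oper2": "112233"}
    up = FakeAuthServer(codes)
    down = FakeAuthServer(codes, available=False)
    return {
        "unprovisioned": sae_exit_decision("BATCH1", "secret", STORE, up),
        "agent_down": sae_exit_decision("OPER2", "98112233", STORE, up, agent_running=False),
        "good_logon": sae_exit_decision("ADMIN1", "12556677", STORE, up),
        "replayed_code": sae_exit_decision("ADMIN1", "12556677", STORE, up),
        "bad_prefix_no_fallback": sae_exit_decision("OPER2", "00112233", STORE, up),
        "server_down_fallback": sae_exit_decision("ADMIN1", "12556677", STORE, down),
        "server_down_no_fallback": sae_exit_decision("OPER2", "98112233", STORE, down),
        "first_logon_pin": sae_exit_decision("NEWUSR", "12000000", STORE, up),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} -> {outcome}")
```

The two outcomes worth looking at before enabling fallback are the last pair in demo(): with fallback set, an unreachable server reduces the logon to the plain RACF password (the "general fallback" the DR slide on page 38 warns about), and without it the user is locked out, which is why the deck wants at least one admin with fallback. Both cases leave a trace only if the exit's decision is logged, so SMF or job log evidence of fallback logons is something to check in the DR runbook.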

Page 30

SAE VTAM Authentication

Preparatory actions

• Create a new VTAM Application ID for SAE, e.g. RAZNET

• Register this VTAM Application ID during REXX processing at installation time, e.g. RAZNET

Two possibilities:

• Simple: use a LOGON APPLID(RAZNET) command

• More complex: use VTAMLST and TCPIP PARMS to have the SAE APPLID automatically opened on specific 3270 connections

The SAE Logon screen is presented

• User enters userid and PIN+Token

• Once authenticated, the next step is configurable (samples are provided)

  Forward to Menu

  Directly open a specific application such as TSO

Page 31

SAE VTAM Integration

Enforcing the SAE VTAM Application on 3270 connections (also known as assigning terminal ownership to the Rocket SAE in VTAM)

• Specify LUNAME

• Specify IP Address/Hostname

• Specify Port

• Contact Technical Support for the details

Page 32

Process Flow for VTAM logon

Page 33

The SAE ASM API

Page 34

Strong Authentication Expert

Considerations

Page 35

Considerations (1)

FTP user ids

• Should userids used for FTP be subject to two-factor authentication?

  Possibly, but …

  o When the FTP process starts, the token may no longer be valid

  Better:

  o Set up special non-provisioned userids for FTP that are only capable of FTP processing

Experiences?

Best practices?

Page 36

Considerations (2)

Session Managers

• Session Managers normally provide transparent logon to the sessions

  SAE ESM will interrupt the transparency for provisioned users and will expect PIN+Token for each session logon

  o Note: only for provisioned users

  Alternative:

  o Implement the VTAM mode and request the PIN+Token for the VTAM application

  o However, because you cannot have VTAM mode and ESM mode simultaneously, this protects the front door but leaves the windows open

    But the userid used for VTAM mode can be enforced on the next panel

  We feel it is better to use the ESM mode for the sessions

  o Toggling between sessions remains transparent

Experiences?

Best practices?

Page 37

Considerations (2)

Page 38

Considerations (3)

Strong Authentication in the DR case

• If you decide on two-factor authentication, make sure that you can reach the ACE/Server or RADIUS environments from the DR center, to avoid a general fallback

Experiences?

Best practices?

Users must be trained …

• To avoid their userids being revoked

  Especially when the same RSA device is used for mainframe and distributed logon

• In setting/obtaining a new PIN with SAE in ESM or VTAM mode

Page 39

Strong Authentication Expert

Questions and Answers

Page 40

Questions?
