SirSafe control of access to passwords: Difference between revisions
Latest revision as of 20:31, 7 December 2016
The Model 204 system manager uses the LOGCTL command to maintain database passwords in CCASTAT. Then SirSafe maps the individual file and group entries in CCASTAT into resources that may be controlled by a system security manager, such as RACF. Judicious use of naming standards simplifies the division of responsibility between the Model 204 system manager and a system security officer.
Overview
When SirSafe is active, it alters the process of verifying passwords for Private and Semipublic files and groups. When CCASTAT is scanned for a matching password during the file or group open process, an additional step is added for each entry that matches the password entered by the end-user. Before the access rights associated with the entry are granted, a system security manager is used to verify that the user has READ access to that entry in CCASTAT. If the user doesn't have READ access, the entry is skipped, and CCASTAT processing continues as if the passwords did not match. Thus, an end user could know a password, but be denied its use. File or group password entries with the same password and different privileges can be used to implement very flexible security schemes.
Password entries conveying "strong" access rights should be entered into CCASTAT with index characters that collate low, such as blank or A. An entry with the same password and weaker privileges (like read-only) could follow with a higher collating index, such as 1. Then the same password could give two different users different access rights, depending upon rules enforced by a system security manager.
SirSafe also enhances control over when an end user is allowed to change the password for a particular file or group CCASTAT entry. Whenever Model 204 prompts for a password, the end user may enter the password value, followed by a colon (:) and a replacement password value. If the password is matched, then the replacement password value may be used to overlay the password value in the CCASTAT entry. Without SirSafe, a particular end user must be authorized to change all file or group passwords or to change none.
SirSafe adds another level of checking before end users are allowed to change a file or group password. The end user must first have READ access to the particular CCASTAT entry; then, if a replacement password value was provided, SirSafe checks for WRITE access to the CCASTAT entry. If the end user has WRITE access, the password is updated. Otherwise, the update request is rejected. This facility can prevent the accidental updating of a password shared by many people.
Model 204 Security Environments
Use of SirSafe requires an active Model 204 Security Environment. A Security Environment consists of:
- An interface between Model 204 and a particular security manager
- Certain security parameters that are specific to the interface
Detailed information about how to install and configure a security interface for Model 204 can be found in the Model 204 security interfaces pages.
Each of the security manager interfaces supported by Model 204 implements a default set of parameters, and it also provides a facility for customizing parameters that can be selected by the SECPLIST User 0 parameter. In order to determine if a particular Online is operating under the control of a security manager, and to determine the specific parameters in effect, you can login as a system manager and execute the following command:
AUTHCTL VIEW
If an interface is active, AUTHCTL VIEW identifies it and lists its current parameters. SirSafe adapts a parameter from each type of interface to form the High Level Qualifier (HLQ) used for mapping CCASTAT entries into virtual data set names. The parameter used for each interface and the interface defaults are as follows:
Interface type | Description and HLQ source |
---|---|
RACF | Now known as the IBM Security Server, RACF is an IBM Program product. The HLQ parameter is GROUP, which has a default value of M204RACF. |
TOPSECRET | CA-Top Secret is marketed by Computer Associates. The HLQ parameter is ACID, which has a default value of M204TOPS. |
ACF2 | CA-ACF2 is marketed by Computer Associates. The HLQ is formed by appending the value of the RESOURCE field to the constant R. Thus, the default is R204. |
Mapping CCASTAT entries to data sets
SirSafe maps each file or group entry in CCASTAT to a corresponding data set name. When an end-user needs to access a particular CCASTAT entry (for example, the entry contains a match for a file or group open password entered by the user), the active Model 204 security interface is used to determine if the data set corresponding to that CCASTAT entry could be read (or written) by the user. Note that no attempt is made to open the particular data set, and the data set does not need to exist.
The data set names used by SirSafe for verifying CCASTAT access have four levels:
- The High Level Qualifier is determined by the active Model 204 security interface as previously described.
- The second qualifier is the string FILE or GROUP, depending upon whether a file or group is being opened.
- The third level is the name of the file or group.
- The final level is determined by the index character for the current CCASTAT entry. It will contain the constant string INDEX, followed by the actual index character, if it is alphanumeric, or else by the two-character hexadecimal representation of the index character.
The following example shows the data set names used by SirSafe to check access for some corresponding file password entries, assuming that the RACF interface is active with the default RACF Control Group Name (M204RACF):
file        index   corresponding "dataset" name
:ALANPROC           M204RACF.FILE.ALANPROC.INDEX40
:ALANPROC   A       M204RACF.FILE.ALANPROC.INDEXA
:ALANPROC   1       M204RACF.FILE.ALANPROC.INDEX1
:ASDF               M204RACF.FILE.ASDF.INDEX40
:BACKUP             M204RACF.FILE.BACKUP.INDEX40
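The following is an added model, not SirSafe's own code, of the mapping just described together with the READ-then-WRITE checks from the overview: the four-level name is built from the HLQ, the index character is rendered in hex via its EBCDIC code point (which is why a blank index gives INDEX40), and entries are scanned in EBCDIC collating order. The function names, the entry layout and the permission tables are constructed for this example.

```python
# Added model (not SirSafe's own code) of the CCASTAT-to-data-set mapping and the
# READ/WRITE checks above; names, entry layout and permissions are constructed.
EBCDIC = "cp037"  # index characters collate in EBCDIC order: blank < A-Z < 0-9

def hlq_for(interface, value=None):
    """HLQ per interface type, using the defaults from the table above."""
    defaults = {"RACF": "M204RACF", "TOPSECRET": "M204TOPS", "ACF2": "204"}
    value = defaults[interface] if value is None else value
    return "R" + value if interface == "ACF2" else value  # ACF2: "R" + RESOURCE

def dataset_name(hlq, kind, name, index):
    """HLQ.FILE|GROUP.name.INDEXc; c is literal if alphanumeric, otherwise the
    two-digit hex of its EBCDIC code point (a blank index gives INDEX40)."""
    if kind not in ("FILE", "GROUP"):
        raise ValueError("kind must be FILE or GROUP")
    suffix = index if index.isalnum() else f"{index.encode(EBCDIC)[0]:02X}"
    return f"{hlq}.{kind}.{name}.INDEX{suffix}"

def matching_entries(entries, kind, name, password):
    """Entries with this password, in CCASTAT (EBCDIC) collating order."""
    return [e for e in sorted(entries, key=lambda e: e["index"].encode(EBCDIC))
            if (e["kind"], e["name"], e["password"]) == (kind, name, password)]

def open_with_password(entries, perms, kind, name, password, hlq="M204RACF"):
    """Privileges of the first matching entry the user may READ, else None:
    without READ on the entry, a known password is skipped as if it mismatched."""
    for e in matching_entries(entries, kind, name, password):
        if "READ" in perms.get(dataset_name(hlq, kind, name, e["index"]), set()):
            return e["privs"]
    return None

def change_password(entries, perms, kind, name, reply, hlq="M204RACF"):
    """reply is 'old:new' as typed at the password prompt. READ selects the entry;
    WRITE is then needed to overlay its password. True = updated, False =
    rejected for lack of WRITE, None = no entry this user may use."""
    password, new_password = reply.split(":", 1)
    for e in matching_entries(entries, kind, name, password):
        access = perms.get(dataset_name(hlq, kind, name, e["index"]), set())
        if "READ" not in access:
            continue
        if "WRITE" not in access:
            return False
        e["password"] = new_password
        return True
    return None

def sample_entries():
    """Constructed CCASTAT entries for file ALANPROC (privileges as X'....')."""
    return [{"kind": "FILE", "name": "ALANPROC", "index": i, "password": p, "privs": v}
            for i, p, v in ((" ", "WRITE", 0x0201), ("A", "WRITE", 0xBFFF),
                            ("1", "PUBLIC", 0x0CCC))]

# Constructed security-manager rules: who may READ/WRITE each virtual data set.
FILE_MANAGER = {"M204RACF.FILE.ALANPROC.INDEXA": {"READ", "WRITE"}}
SYS_MANAGER = {"M204RACF.FILE.ALANPROC.INDEX40": {"READ"}}
```

With these rules the same password WRITE yields X'BFFF' for the file manager and X'0201' for the system manager, and a user with no READ on either entry is refused even though the password is correct.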
SirSafe modes for CCASTAT
SirSafe is controlled by parameters contained in a special CCASTAT entry maintained by the AUTHCTL system manager command (see AUTHCTL A SIRSAFE). The special entry includes a list of allowed security environments and a SirSafe mode specification as follows:
Mode | Description |
---|---|
OPTIONAL | A CCASTAT that is set to OPTIONAL mode may be used by any Model 204 load module, with or without SirSafe support and regardless of the current security environment. However, SirSafe will only control access to file and group entries in an optional CCASTAT when the current security environment matches one of those specified in the special SirSafe entry. Note: OPTIONAL mode only activates a subset of the SirSafe functionality. |
REQUIRED | A CCASTAT that is set to REQUIRED mode may only be opened by a Model 204 load module with SirSafe installed and with a security environment that matches one of those specified in the special SirSafe entry. The REQUIRED mode activates additional features of SirSafe. |
The REQUIRED attribute can be used to ensure that a specific security environment is used to control access to the file and group entries in CCASTAT. This is especially important when the value of passwords is widely known and SirSafe provides the security instead of relying on secrecy.
Support of "visible" passwords
When SirSafe is REQUIRED for a CCASTAT, no file or group password can be used unless the end-user is allowed access to the CCASTAT entry containing the password. As explained earlier in this section, one benefit of this is that different end-users can be given different privileges when using the same password to open the same file or group. Another benefit is that passwords themselves can be freely shared and distributed, that is, they do not need to be kept a secret.
When SirSafe is REQUIRED for a CCASTAT, it supports so-called visible file and group passwords. Extensions to the LOGCTL, LOGFILE, and LOGGRP commands allow visible passwords to be entered, maintained, and displayed in clear text. This can greatly simplify management of multiple passwords for a particular file or group, since there is no guessing about the password value.
Ordinary (invisible) file or group passwords are maintained by the LOGCTL command, using either a colon (:) to indicate a file entry or a comma (,) to indicate a group entry. Visible entries are indicated by a different pair of special characters: The "greater than" symbol (>) indicates a visible file entry, and the "plus sign" (+) indicates a visible group entry.
The LOGFILE and LOGGRP commands are extended to display the password value for visible entries, else a field of asterisks:
LOGFILE PROCFILE
>PROCFILE A THEMAN   X'BFFF' 0, 0, 0, 0, 0, ALL
:PROCFILE B ******** X'0761' 0, 0, 0, 0, 0, ALL
>PROCFILE 4 THEMAN   X'0221' 0, 0, 0, 0, 0, ALL
In the example above, there are three password table entries for the file PROCFILE. Two of them, for the same password, are visible. In this example, a user in the "file managers" group could get access to the slot associated with index character A, while everyone else could get access to the slot associated with index character 4.
Activating and deactivating SirSafe
Until version 7.5 of Model 204, SirSafe was distributed as a component of the Sirius Mods product. Thereafter, it is a member of the RKTools product.
Once SirSafe is installed, the AUTHCTL A SIRSAFE command may be used to activate SirSafe for the current CCASTAT.
Activation adds a special control entry that contains the execution parameters for SirSafe. If the REQUIRED keyword is present, the version number of CCASTAT will be altered. This prevents the CCASTAT from being opened by Model 204 load modules without SirSafe support or without the proper security environment.
For example, the following command would activate SirSafe as REQUIRED and usable only with RACF, using the default value for the GROUP parameter:
AUTHCTL A SIRSAFE REQUIRED MVSRW RACF=M204RACF
The contents of the SirSafe special entry may be displayed by the AUTHCTL LIST SIRSAFE command. The current SirSafe parameters can be replaced using the AUTHCTL C SIRSAFE command, or deleted using the AUTHCTL D SIRSAFE command.
Note: If any visible passwords have been stored, they must all be deleted before the SirSafe environment can be deleted or changed from REQUIRED to OPTIONAL.
Identifying file/group CCASTAT entries
Most Model 204 password tables contain a jumble of entries that have accumulated over time. Frequently a system manager just adds a new password when emergency access is required for a file. Without visible passwords, it is very easy to lose track of which password corresponds to a particular index character. Confusion is especially likely when a password is added that has the same value as one that occurs earlier in the collating sequence.
SirSafe implements an extension to the LOGFILE and LOGGRP commands that allows the Model 204 system manager to create a map of the relationship between password values and index characters. It can also be used to identify password entries that have duplicate password values.
The PWDLOCATE keyword can be used with the LOGFILE or LOGGRP command to cause the system to prompt the user for a password value to be "ANDed" with the other search conditions.
The PWDLOCATE option could be used to diagnose a problem concerning a failure to achieve the desired access. Suppose a System Manager added a password with the value WRITE with index character A, but the user reports the password "didn't work." LOGCTL shows the following:
logfile alanproc
:ALANPROC   ******** X'0201' 0, 0, 0, 0, 0, ALL
:ALANPROC A ******** X'BFFF' 0, 0, 0, 0, 0, ALL
:ALANPROC 1 ******** X'0CCC' 0, 0, 0, 0, 0, ALL
You could use the PWDLOCATE option to identify all of the password entries that have the password value WRITE:
logfile pwdlocate alanproc
*** M204.0347: PASSWORD
:ALANPROC   ******** X'0201' 0, 0, 0, 0, 0, ALL
:ALANPROC A ******** X'BFFF' 0, 0, 0, 0, 0, ALL
This example shows that the CCASTAT entry for file ALANPROC with the blank index character also has the password value WRITE, and because it occurs first in the collating sequence, it is being used.
For more information about the PWDLOCATE option, see Selecting entries by password.
Moving file/group CCASTAT entries
Because SirSafe controls access to individual file or group entries in CCASTAT, the index character for a password entry is very important. Naming conventions should be used to enable a few generic dataset rules to cover many files and groups.
A good convention to start with includes the following:
- Reserve the blank character for system manager emergency use.
- Reserve a few other low-collating characters (like A through E) for mapping unrecognized passwords, so "warning rules" can be used to identify their users.
- Reserve the next few characters (like F through H) for all high-power file management passwords.
- Reserve index characters that collate high, like numeric digits, for less-powerful, "public" passwords.
Most Model 204 password tables contain entries that were allocated in a haphazard fashion with no particular order. In order to assist with a migration to a more orderly structure, SirSafe implements a facility for copying a file or group password entry from its current slot to a slot with a different index character. The LOGCTL R command is used to copy the identified file or group CCASTAT entry. If the specified entry is located, the user is prompted for the index character to be used for the copy:
logctl r :procfile
*** M204.0374: ENTER INDEX CHARACTER FOR REPLICATE
4
>PROCFILE 4 ******** X'BFFF' 0, 0, 0, 0, 0, ALL
*** M204.0376: PARAMETERS ACCEPTED
*** M204.0345: CCASTAT UPDATED
Note: The sequence of LOGCTL R followed by LOGCTL D moves a file or group entry in CCASTAT.
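As an added illustration of the PWDLOCATE diagnosis above and of the LOGCTL R / LOGCTL D move (not SirSafe's own code), the following models a password table as a list of entries, reports every slot holding a given password in EBCDIC collating order (the first is the one that wins at open time), and moves an entry to a new index without overwriting an occupied slot. Function names are hypothetical; the entries are constructed from the logfile alanproc listing.

```python
# Added example (not SirSafe's own code): a PWDLOCATE-style duplicate finder and a
# replicate-then-delete move; names are hypothetical, entries are constructed.
EBCDIC = "cp037"  # CCASTAT index characters collate in EBCDIC order

def pwdlocate(entries, kind, name, password):
    """Index characters of all entries holding this password, in collating
    order; the first one is the slot that actually wins at open time."""
    hits = [e for e in entries
            if (e["kind"], e["name"], e["password"]) == (kind, name, password)]
    return [e["index"] for e in sorted(hits, key=lambda e: e["index"].encode(EBCDIC))]

def find_entry(entries, kind, name, index):
    """The entry in a given slot, or None if the slot is free."""
    for e in entries:
        if (e["kind"], e["name"], e["index"]) == (kind, name, index):
            return e
    return None

def replicate(entries, kind, name, index, new_index):
    """LOGCTL R: copy an entry to another index slot, refusing to overwrite."""
    src = find_entry(entries, kind, name, index)
    if src is None or find_entry(entries, kind, name, new_index) is not None:
        return False
    entries.append(dict(src, index=new_index))
    return True

def move_entry(entries, kind, name, index, new_index):
    """LOGCTL R followed by LOGCTL D: move the entry to the new slot."""
    if not replicate(entries, kind, name, index, new_index):
        return False
    entries.remove(find_entry(entries, kind, name, index))
    return True

def sample_entries():
    """Constructed from the logfile alanproc listing; the blank and A slots
    share the password WRITE, as the PWDLOCATE example found."""
    return [{"kind": "FILE", "name": "ALANPROC", "index": i, "password": p, "privs": v}
            for i, p, v in ((" ", "WRITE", 0x0201), ("A", "WRITE", 0xBFFF),
                            ("1", "PUBLIC", 0x0CCC))]
```

Moving the X'BFFF' entry from A to F (a high-power slot under the convention above) still leaves the blank entry collating first, which is the point the PWDLOCATE example makes.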
Enhanced SECURE command
SirSafe extends the SECURE command so that a file or group can be set to open only when SirSafe is active (that is, the CCASTAT mode may be OPTIONAL or REQUIRED, but there must be a valid security environment). This provides an easier-to-manage facility for helping to avoid exposures to counterfeited password tables. This facility is activated with the following command:
SECURE FILE SIRSAFE
The CCASTAT modes are described in SirSafe modes for CCASTAT, and the security environment is described in Model 204 Security Environments.