Pre-Con Ed: CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls
TRANSCRIPT
CA World® ’16
CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls
John Pinkowski - Product Owner
MFX39EB
MAINFRAME AND WORKLOAD AUTOMATION
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2016 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to a customer's specific use and experience of CA products and solutions, so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2016, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Abstract
More than 70 percent of corporate mission-essential data resides on the mainframe. Do you have enough security controls in place to protect it? This session will do a deep dive into the most granular configuration and security controls of CA Top Secret® and CA ACF2™, and provide a walk-through of why it's absolutely necessary to implement granular security in mainframe environments.
John Pinkowski
CA Technologies
Agenda
1  CASECAUT RESOURCE CLASS
2  NEW GENCERT GRANULARITY CONTROLS
The CASECAUT Resource
§ CA ACF2 r15 introduced the new pre-defined resource class CASECAUT. It is defined by an internal CLASSMAP record with TYPE=AUT.
§ CA Top Secret r15 introduced the new resource definition table (RDT) class CASECAUT.
The CASECAUT Resource
§ Supplements existing administrative authorities by providing the ability to authorize users to perform administrative functions over passwords, password fields, and certificates without adding any high-level privileges to the user.
§ Granularly controls administrative functions in order to prevent users from performing administration tasks that they should not be authorized to do; for instance, a high-level security admin modifying the passwords of user IDs outside of their scope. Conversely, CASECAUT can be used to allow certain administrative functions for use by an ID while blocking others; for instance, allowing a Help-Desk administrator to modify another user’s password, but not to change any of the password requirements, like the number of special characters required.
Changing Password Fields (CA Top Secret)
The following shows the authorizations needed to change password-related fields:

Field Name   CASECAUT Entity Name        Applicable Commands for cmd Qualifier
ASUSPEND     TSSCMD.USER.cmd.ASUSPEND    REMOVE
KERBVIO      TSSCMD.USER.cmd.KERBVIO     REMOVE
NOPW         TSSCMD.USER.cmd.NOPW        CREATE, ADDTO, or REMOVE
NOPWCHG      TSSCMD.USER.cmd.NOPWCHG     CREATE, ADDTO, or REMOVE
PASSWORD     TSSCMD.USER.cmd.PASSWORD    CREATE, ADDTO, or REPLACE
PHRASE       TSSCMD.USER.cmd.PHRASE      CREATE, ADDTO, or REPLACE
PSUSPEND     TSSCMD.USER.cmd.PSUSPEND    ADDTO or REMOVE
SUSPEND      TSSCMD.USER.cmd.SUSPEND     CREATE, ADDTO, or REMOVE
VSUSPEND     TSSCMD.USER.cmd.VSUSPEND    ADDTO or REMOVE
XSUSPEND     TSSCMD.USER.cmd.XSUSPEND    ADDTO or REMOVE
NEWPW Restrictions (CA Top Secret)
The following shows the authorizations needed to bypass PWADMIN NEWPW restrictions:

Field Name        CASECAUT Entity Name                 Applicable Commands for cmd Qualifier
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.NO           CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.EXP          CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.INT          CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.ZEROINT      CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.HISTBYP      ADDTO or REPLACE
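The Help-Desk scenario from the CASECAUT introduction, worked through with the PASSWORD and PWADMIN entity names from the two tables above, as an added Top Secret command example (constructed for this transcript, not taken from the deck or from CA documentation). The ACID HLPDSK01 and the owning department SECDEPT are made-up names; that ACCESS(UPDATE) is the required level, that a permitted entity name is matched as a prefix, and the ownership step are assumptions. Lines beginning with * are annotations, not command input.

```tss
* Added example, not from the deck. HLPDSK01 / SECDEPT are constructed
* names; the ACCESS level, prefix matching and ownership are assumptions.
* 1. Own the CASECAUT entities so that the checks are enforced (assumed)
TSS ADD(SECDEPT) CASECAUT(TSSCMD.USER)
* 2. Help Desk may reset a password (TSS REPLACE/ADDTO ... PASSWORD)
*    and lift a password-violation suspension (TSS REMOVE ... PSUSPEND)
TSS PERMIT(HLPDSK01) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(UPDATE)
TSS PERMIT(HLPDSK01) CASECAUT(TSSCMD.USER.ADDTO.PASSWORD)   ACCESS(UPDATE)
TSS PERMIT(HLPDSK01) CASECAUT(TSSCMD.USER.REMOVE.PSUSPEND)  ACCESS(UPDATE)
* 3. No permit is given for TSSCMD.USER.cmd.PWADMIN.*, so the Help Desk
*    cannot bypass NEWPW restrictions (NO, EXP, INT, ZEROINT, HISTBYP).
*    Make the denial explicit and visible in the audit trail:
TSS PERMIT(HLPDSK01) CASECAUT(TSSCMD.USER.REPLACE.PWADMIN) ACCESS(NONE)
TSS PERMIT(HLPDSK01) CASECAUT(TSSCMD.USER.ADDTO.PWADMIN)   ACCESS(NONE)
* 4. Nothing is permitted for SUSPEND, ASUSPEND, NOPW or NOPWCHG, so
*    those password-related fields stay out of the Help Desk's reach.
* 5. Review the resulting permissions on the ACID
TSS LIST(HLPDSK01) DATA(XAUTH)
```

The password-policy settings themselves (for example the number of special characters required) are never covered by a TSSCMD.USER permit, which is exactly the separation the slide describes.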
Digital Certificate and Keyring Commands (CA Top Secret)
The following shows the authorizations needed to issue digital certificate and keyring-related commands:

Command    CASECAUT Entity Name
ADD        TSSCMD.CERTUSER.ADDTO
CHKCERT    TSSCMD.CERTUSER.CHKCERT
EXPORT     TSSCMD.CERTUSER.EXPORT
GENCERT    TSSCMD.CERTUSER.GENCERT
GENREQ     TSSCMD.CERTUSER.GENREQ
P11TOKEN   TSSCMD.DIGTCRT.P11TOKEN.tokencmd
REKEY      TSSCMD.CERTUSER.REKEY
REMOVE     TSSCMD.CERTUSER.REMOVE
ROLLOVER   TSSCMD.CERTUSER.ROLLOVER
Running Utilities (CA Top Secret)
The following shows the authorizations needed to execute TSS batch utilities:

Utility    CASECAUT Entity Name
TSSXTEND   CASECAUT(TSSUTILITY.TSSXTEND)
TSSFAR     CASECAUT(TSSUTILITY.TSSFAR)
TSSAUDIT   CASECAUT(TSSUTILITY.TSSAUDIT)
TSSCHART   CASECAUT(TSSUTILITY.TSSCHART)
TSSUTIL    CASECAUT(TSSUTILITY.TSSUTIL)
TSSSIM     CASECAUT(TSSUTILITY.TSSSIM)
TSSCFILE   CASECAUT(TSSUTILITY.TSSCFILE)
TSSTRACK   CASECAUT(TSSUTILITY.TSSTRACK)
Controlling Password/Password Field Administration (CA ACF2)

Field Name   CASECAUT Resource Name
PASSWORD     ACFCMD.USER.PASSWORD
PWPHRASE     ACFCMD.USER.PWPHRASE
PWP-VIO      ACFCMD.USER.PWP-VIO
PSWD-VIO     ACFCMD.USER.PSWD-VIO
PSWDCVIO     ACFCMD.USER.PSWDCVIO
KERB-VIO     ACFCMD.USER.KERB-VIO
CANCEL       ACFCMD.USER.CANCEL
SUSPEND      ACFCMD.USER.SUSPEND
Controlling Certificate Administration (CA ACF2)

Certificate Command   Resource Name
CHKCERT               ACFCMD.DIGTCERT.CHKCERT
CHANGE                ACFCMD.DIGTCERT.ALTER
CONNECT               ACFCMD.DIGTCERT.CONNECT
DELETE                ACFCMD.DIGTCERT.DELETE
EXPORT                ACFCMD.DIGTCERT.EXPORT
EXPORT (KEYRING)      ACFCMD.DIGTCERT.EXPORTKEY
GENCERT               ACFCMD.DIGTCERT.GENCERT
GENREQ                ACFCMD.DIGTCERT.GENREQ
INSERT                ACFCMD.DIGTCERT.ADD
INSERT (CERTMAP)      ACFCMD.DIGTCERT.ADDMAP
INSERT (KEYRING)      ACFCMD.DIGTCERT.ADDRING
LIST                  ACFCMD.DIGTCERT.LIST
P11TOKEN BIND         ACFCMD.DIGTCERT.P11TOKEN.BIND
P11TOKEN IMPORT       ACFCMD.DIGTCERT.P11TOKEN.IMPORT
P11TOKEN UNBIND       No CASECAUT authorizations required.
REKEY                 ACFCMD.DIGTCERT.REKEY
REMOVE                ACFCMD.DIGTCERT.REMOVE
RENEW                 ACFCMD.DIGTCERT.RENEW
ROLLOVER              ACFCMD.DIGTCERT.ROLLOVER
Granular Certificate Administration
To Turn On/Off Granular Administration
Granular Certificate Administration
§ New Certificate/Keyring Administration
  – Use RDATALIB class
  – Access is given to a specific certificate/keyring
  – Rules can be masked
  – Scoping can be used to restrict access further
  – Similar rules are used by the R_datalib callable service (DataPut, DataRemove)
Recommended Sessions

SESSION #   TITLE                                                                                                        DATE/TIME/ROOM
MFX119S     Encryption and Hashing and Keys – Oh, my!                                                                    11/16/2016 at 1:45pm, Jasmine E
MFX118S     How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis   11/16/2016 at 3:00pm, Jasmine E
MFX173S     The Importance of Mainframe Security Education                                                               11/16/2016 at 3:45pm, Jasmine E
MFX172S     The Key to Complying With New Regulations and Standards: Comprehensive Mainframe Security                    11/16/2016 at 4:30pm, Jasmine E
MFT174S     Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data               11/17/2016 at 12:45pm, Mainframe Theater
MFT175S     Gaps in Your Defense: Hacking the Mainframe                                                                  11/17/2016 at 3:00pm, Mainframe Theater
Must See Tech Talks and Demos – Expo Floor
MFT53T  How Can Mainframe Security be Made Easier?
        11/16/2016 @ 12:45pm, Mainframe Theater
Mainframe Security and Enterprise Security Demos
SCT38T / SCX05E  PAM Threat Analytics
        11/17/2016 @ 4:00pm, Security Theater
Governing Your Privileged Users
        11/16/2016 @ 3:45pm, Security Theater