WIXLIB

Securing z/VM TCP/IPWith a focus on TLS/SSL Server and Digital CertificatesBrian W. Hugenbruch, CISSP@BwhugenIBM Z Security for Virtualization and Cloudz/VM Development Lab: Endicott, NY, USV13.0b – Last updated 13 March 2018 for z/VM V6.4

TrademarksThe following are trademarks of the International Business Machines Corporation in the United States, other countries, or both.Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is notactively marketed or is not significant within its relevant market.Those trademarks followed by are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States.For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml:*, IBM Systems, IBM System z10 , IBM System Storage , IBM System Storage DS , IBM BladeCenter , IBM System z , IBM System p , IBM System i ,IBM System x , IBM IntelliStation , IBM Power Architecture , IBM SureOne , IBM Power Systems , POWER , POWER6 , POWER7 , POWER8 , Power ,IBM z/OS , IBM AIX , IBM i, IBM z/VSE , IBM z/VM , IBM i5/OS , IBM zEnterprise , Smarter Planet ,Storwize , XIV , PureSystems , PureFlex ,PureApplication , IBM Flex System , Smarter StorageThe following are trademarks or registered trademarks of other companies.Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of IntelCorporation or its subsidiaries in the United States and other countries.UNIX is a registered trademark of The Open Group in the United States and other countries.Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.* All other products may be trademarks or registered trademarks of their respective companies.Notes:Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user willexperience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed.Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actualenvironmental costs and performance characteristics will vary depending on individual customer configurations and conditions.This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change withoutnotice. Consult your local IBM business contact for information on the product or services available in your area.All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance,compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.22

DisclaimerThe information contained in this document has not been submitted to any formal IBM test and isdistributed on an "AS IS" basis without any warranty either express or implied. The use of this informationor the implementation of any of these techniques is a customer responsibility and depends on thecustomer's ability to evaluate and integrate them into the operational environment. While each item mayhave been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same orsimilar results will be obtained elsewhere. Customers attempting to adapt these techniques to their ownenvironments do so at their own risk.In this document, any references made to an IBM licensed program are not intended to state or implythat only IBM's licensed program may be used; any functionally equivalent program may be used instead.Any performance data contained in this document was determined in a controlled environment and,therefore, the results which may be obtained in other operating environments may vary significantly. Usersof this document should verify the applicable data for their specific environments.It is possible that this material may contain reference to, or information about, IBM products (machinesand programs), programming, or services that are not announced in your country. Such references orinformation must not be construed to mean that IBM intends to announce such IBM products,programming or services in your country.3

Names of Configuration Files used in this PresentationPROFILE TCPIP – controls TCP/IP operations and configuration– Sits on the TCPMAINT.198 disk, usually accessed at Filemode D– May have a different filename, will always be filetype TCPIP– ASSORTEDPARMS, INTERNALCLIENTPARMS, PORT, HOME, OBEY IBM DTCPARMS – controls configurations of Service Virtual Machines– Often renamed as yoursys .DTCPARMS– Also on TCPMAINT.198– Different definitions for SSL configuration, what TLS protocols are allowed,explains where the certificate database is– For FTP, enables/disables anonymous access, turns on RACF exits4

AgendaIntroducing the z/VM TLS/SSL Server– Managing Digital Certificates in the z/VM environment– Configuring the SSL Server And Configuring a 3270 Client for Secure Communication– Recent Changes– Frequently Asked QuestionsBack-Up Topics– Being your own Certificate Authority– Debugging the TLS/SSL Server5

Introducing the z/VM TLS/SSLServer6

This is your LinuxONE System On tyManagerNetTCP/IPSVMSVMTrafficwithTLSVSWITCHRole Based Access ControlsVirtual Memory ManagementzYour VirtualizationPlatformArchitected VM SeparationPR/SM (one LinuxONE Logical Partition)Crypto ExpressCPACFOSA7

Why Does Securing z/VM TCP/IP Matter to Me?Managing security controls for the hypervisor is a fundamental part of enterprisesecurity managementThis includes connectivity to the hypervisor layer– If your guests are secure, and your hypervisor is not – your guests are not as secure as they should be.This line of thinking applies both to smaller shops and to larger shops– Controlling potential damage– Auditability of privileged commands– Restrictions on access to data– Enforcing scope of responsibilityAdditionally, encrypting traffic may be mandated by clients, partners, vendors,industry regulations, or governing bodies.8

What can we do to secure z/VM TCP/IP? (1 of 2)Enable the TLS/SSL Server– Allows (or requires) encrypted traffic to and from the hypervisor– For TN3270 connections, it requires a client certificateEnable z/VM service virtual machines (SVMs) to use TLS/SSL as well– Telnet, FTP, SMTP– Port-based controls for other services (web servers, or even SMAPI)Apply service to TCP/IP– Especially security-relevant PTFs– Lack of currency means gaps in security may appear!9

What can we do to secure z/VM TCP/IP? (2 of 2)Adjust other controls as pertinent:– TIMEMARK for timing out Telnet sessions (PROFILE TCPIP)– Disable Anonymous FTP if appropriate (SRVRFTP.CONFIG)– Make sure RESTRICTLOWPORTS is enabled (PROFILE TCPIP)– SMTP FORWARDMAIL (disabled by default in z/VM 6.4)– Remove unused TCP/IP SVMs (NOLOG in USER DIRECT)– Enable services for RACFVM control Security labeling for services if appropriate (or SYSNONE for TCPIP) RACF configuration for SSLSERV later in this presentation10

z/VM 6.4 TLS/SSL yBWHUGENz/VM 6.4NetworkPR/SM (one IBM Z Logical Partition)Crypto ExpressCPACF A CMS-based server associated with the TCP/IP stack Secures point-to-point traffic to your hypervisor Telnet, FTP and SMTP provide “dynamic” SSL traffic Port-based “static” SSL 1

A digital certificate is a unique identifierContains:– Public key– X.509 information– Digital signatureA mechanism forauthenticating identitywhen exchanging acryptographic secret12

The server authenticates itself to the user KADMINBWHUGENz/VM 6.4NetworkPR/SM (one IBM Z Logical Partition)Server’s public key andcertificateCrypto rivate keyand .p1213

The client authenticates itself to the server(TN3270 LByGSKADMINBWHUGENz/VM 6.4NetworkPR/SM (one IBM Z Logical Partition)Client’scertificateCrypto rivate keyand .p1214

z/VM TLS/SSL Server – Certificate temSSLByGSKADMINBWHUGENz/VM 6.4NetworkPR/SM (one IBM Z Logical Partition)Crypto Express Userid GSKADMINCPACFBFS/etc/gskadm/Database.kdb Specifically for certificate management for one z/VM LPAR PROFILE enrolls in and accesses appropriate filepools and directories Gskkyman command-line application runs here–Manages databases stored in a Byte-File System (BFS)–TLS Servers and LDAP Servers can share databases and certificates15

Certificate Management for z/VM TLSLogging onto GSKADMIN:Profile.: Setting up BFS environment.Profile.: Determining what is currently mounted.Nothing is mountedProfile.: Mounting root file system.Profile.: Mounting GSKSSLDB file space at: /etc/gskadm/Profile.: Setting working directory to: /etc/gskadm/Profile.: (for direct access to key database files).Profile.: Checking mounts.Mount point '/etc/gskadm'Type Stat MountedBFSR/W '/./VMBFS:VMSYS:GSKSSLDB/'Mount point '/'Type Stat MountedBFSR/W '/./VMBFS:VMSYS:ROOT/'Profile.: Checking current directory content.Directory '/etc/gskadm'[.]Profile.: Setup complete; Environment prepared for use of GSKKYMAN16

GSKADMIN Looking aroundopenvm listfDirectory '/etc/gskadm'Update-Dt Update-Tm Type Links02/02/2013 02:41:00F101/31/2013 19:45:47F101/31/2013 19:46:09F101/31/2013 19:46:09F101/31/2013 15:44:32F102/06/2013 11:12:43F102/01/2013 08:23:04F102/01/2013 08:22:55F101/31/2013 19:20:46F101/31/2013 19:39:56F1Ready; T 0.01/0.01 ath name component'certfips.arm''mct210s1.cert''Database tcpip10.kdb''Database tcpip10.rdb''Database tcpip10.sth''FipsDatabase tcpip10.kdb''FipsDatabase tcpip10.rdb''FipsDatabase tcpip10.sth''Mct2root.cert''MCT210BH.cert'17

GSKADMIN Using gskkymangskkymanDatabase Menu1234567-Create new databaseOpen databaseChange database passwordChange database record lengthDelete databaseCreate key parameter fileDisplay certificate file (Binary or Base64 ASN.1 DER)0 - Exit programEnter option number:18