Security

Description: z/OS® Communications Server includes the following enhancements for security:
  • IBM Health Checker for z/OS FTP ANONYMOUS JES - A new IBM Health Checker for z/OS application health check is provided to help determine whether your FTP server allows anonymous users to submit jobs. When ANONYMOUS is enabled, it is recommended that ANONYMOUSLEVEL be set to 3 and ANONYMOUSFILETYPEJES be set to FALSE. Otherwise, anonymous users can submit jobs to run on the system.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R2 and V2R1 with the PTF for APAR PI47637 and OA49668
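
    As an added illustration of the condition this health check looks for (example code written for this page, not IBM's check), the following script reads FTP.DATA-style statements and reports when ANONYMOUS is enabled without ANONYMOUSLEVEL 3 and ANONYMOUSFILETYPEJES FALSE. It assumes comment lines start with `;`, that each statement is a keyword followed by an optional value, and it treats a missing recommended statement as a finding rather than relying on server defaults.

```python
# Added example: audits FTP.DATA statements the way the FTP ANONYMOUS JES
# health check does. Not IBM code; file-format assumptions are noted inline.

# Values the health check recommends whenever ANONYMOUS is enabled.
RECOMMENDED = {"ANONYMOUSLEVEL": "3", "ANONYMOUSFILETYPEJES": "FALSE"}


def parse_ftp_data(text):
    """Return {STATEMENT: VALUE} from FTP.DATA text.

    Assumptions: a line whose first non-blank character is ';' is a comment,
    the first word is the statement name, the rest of the line is its value
    (empty when it has none, as for a bare ANONYMOUS), and if a statement
    repeats the last occurrence wins.
    """
    stmts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        stmts[parts[0].upper()] = parts[1].strip().upper() if len(parts) > 1 else ""
    return stmts


def check_anonymous_jes(stmts):
    """Return findings as strings; an empty list means no exposure.

    When ANONYMOUS is absent, anonymous logins are off and nothing is checked.
    A recommended statement that is missing is reported too, because this
    script deliberately does not rely on server defaults (assumption).
    """
    if "ANONYMOUS" not in stmts:
        return []
    findings = []
    for stmt, want in RECOMMENDED.items():
        got = stmts.get(stmt)
        if got is None:
            findings.append(f"{stmt} not specified; recommended {want}")
        elif got != want:
            findings.append(f"{stmt} {got}; recommended {want}")
    return findings


# Constructed sample FTP.DATA fragments (not taken from any real system).
WEAK = "; anonymous users may submit jobs\nANONYMOUS\nANONYMOUSLEVEL 1\nANONYMOUSFILETYPEJES TRUE\n"
HARDENED = "ANONYMOUS\nANONYMOUSLEVEL 3\nANONYMOUSFILETYPEJES FALSE\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, check_anonymous_jes(parse_ftp_data(cfg)) or "OK")
```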

  • IBM Health Checker for z/OS MVRSHD RHOSTS DATA - A new IBM Health Checker for z/OS application health check is provided to help determine whether your MVRSHD server is active and whether RSH clients are using RHOSTS.DATA data sets for authentication. The MVRSHD server supports the RSH and REXEC protocols, which transfer user ID and password information in the clear. There is also the potential for weak authentication when RSH clients use RHOSTS.DATA data sets, because this authentication method allows remote command execution without requiring the RSH client to supply a password.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R2 and V2R1 with the PTF for TCP/IP APAR PI51640 and SNA APAR OA50122

  • IBM Health Checker for z/OS SNMP agent public community name - A new IBM Health Checker for z/OS application health check is provided to help determine whether your SNMP agent is configured with a community name of public. Because the SNMP community name of public is a well-known name, it should not be used with community-based security due to security considerations.
    Dependency: You must start the IBM Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R2 and V2R1 with the PTF for APAR PI51640 and OA50122

  • IBM Health Checker for z/OS SMTPD MAIL RELAY - A new IBM Health Checker for z/OS application health check is provided to help determine whether your SMTP server is configured as a mail relay. Setting the INBOUNDOPENLIMIT statement to a valid non-zero value, or allowing it to default to 256, causes the SMTP server to open a listening port and implicitly become exploitable by remote users as a mail relay.
    Dependency: You must install TCP/IP APAR PI51640 and SNA APAR OA50122 and start the IBM® Health Checker for z/OS to use the new application health check.

    When change was introduced: z/OS V2R2 and V2R1 with the PTF for TCP/IP APAR PI51640 and SNA APAR OA50122

  • SMF 119 TCP connection termination record (subtype 2) enhanced to provide IP filter information - IP filter information is provided in the SMF 119 TCP connection termination record (subtype 2). The name of the IP filter rules associated with inbound and outbound traffic for a connection are included in a new section of the record, if IP filtering is being done for a connection. The data is also available through the SYSTCPCN real-time network monitoring interface (NMI).
    Restrictions:

    The IP filter section is included if IP filtering is active and an IP filter rule applies to the traffic. The IP filter section is not included for intra-host connections because IP filtering is not done for those connections.

    The filter rule information reflects the IP filter rules in place at the time that the connection is terminated. If IP filter policy changes while a connection is active, only the names of the IP filter rules in place at the time of the termination are included.

    Dependency:

    SMF configuration option TCPTERM must be configured on the SMFCONFIG TCP/IP profile statement for the SMF 119 TCP connection termination record (subtype 2) to be generated.

    The TCPCONNSERVICE parameter must be configured on the NETMONITOR TCP/IP profile statement for the SMF 119 TCP connection termination data to be available through the SYSTCPCN real-time NMI interface.

    When change was introduced: z/OS V2R2 with the PTF for APAR PI69920

  • VTAM 3270 intrusion detection services - 3270 data stream intrusion detection services (IDS) is enabled to detect and act on violations of the 3270 data stream protocol. The 3270 IDS function monitors all 3270 data streams for primary logical units (PLUs) that are connected to the z/OS VTAM instance. Specific types of 3270 sessions can be exempted from IDS monitoring at the VTAM or application major node level if IDS monitoring is not needed for those sessions.

    The 3270 IDS function monitors 3270 data streams for any attempt to write past the end of input fields or to modify protected fields. When these types of events are detected, appropriate actions are taken according to the VTAM configuration. The possible actions include logging the event, tracing the relevant inbound and outbound PIUs for later analysis, notifying the PLU of the event with a sense code, and even terminating the SNA session.

    When change was introduced: z/OS V2R2 with the PTF for APAR OA49911 and z/OS V2R1 with the PTF for APAR OA48802.

  • AT-TLS enablement for DCAS - The Digital Certificate Access Server (DCAS) is enhanced to use Application Transparent Transport Layer Security (AT-TLS). To use TLSv1.2 to secure the connection, you must define AT-TLS policies for the DCAS. The Configuration Assistant for z/OS Communications Server provides a default AT-TLS policy to simplify defining the AT-TLS policy for DCAS.

    Migrate to AT-TLS to allow the DCAS to use the latest support for SSL/TLS. Configuring TLS/SSL by using the DCAS configuration file is supported, but such support is deprecated and will no longer be enhanced.

    Dependency: The Policy Agent must be active.

    When change was introduced: z/OS V2R2 and with the PTF for APAR PM96898 for z/OS V2R1

  • Network security enhancements for SNMP - The SNMP Agent, the z/OS UNIX snmp command, and the SNMP manager API are enhanced to support the Advanced Encryption Standard (AES) 128-bit cipher algorithm as an SNMPv3 privacy protocol for encryption. The AES 128-bit cipher algorithm is a stronger encryption protocol than the current Data Encryption Standard (DES) 56-bit algorithm. AES is the symmetric cipher algorithm that the National Institute of Standards and Technology (NIST) selected to replace DES. RFC 3826, The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model (USM), specifies that Cipher Feedback (CFB) mode is to be used with AES encryption. See Related protocol specifications in New Function Summary for information about accessing RFCs.
    Dependency: To use AES 128-bit encryption, the z/OS Integrated Cryptographic Services Facility (ICSF) must be configured and started.

    When change was introduced: z/OS V2R2 and with the PTF for APAR PM96901 for z/OS V2R1
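
    The USM key handling that the AES privacy protocol builds on, as an added example written for this page (not IBM or z/OS code, and it does not call ICSF): RFC 3414 derives a key from a password, localizes it to the authoritative engine's snmpEngineID, and RFC 3826 takes the first 128 bits of that localized key as the AES key and assembles the CFB IV from snmpEngineBoots, snmpEngineTime and an 8-byte salt. The constants are the RFC 3414 appendix A.3 test vectors; the engine boots/time/salt values in the demo are made up.

```python
import hashlib
import struct

# Added example (not IBM code): the RFC 3414 USM key derivation that the
# AES-128 privacy protocol of RFC 3826 builds on, plus the CFB IV layout.
ONE_MIB = 1024 * 1024  # RFC 3414 A.2 hashes exactly 1,048,576 bytes


def password_to_key(password, hash_name):
    """RFC 3414 A.2: Ku = H(password repeated/truncated to 1 MiB)."""
    pw = password.encode("ascii")
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so the same
    password yields a different key on every authoritative engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def aes128_privacy_key(password, engine_id, hash_name):
    """RFC 3826 3.1.2.1: the first 128 bits of Kul are the AES key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)[:16]


def aes_cfb_iv(engine_boots, engine_time, salt):
    """RFC 3826 3.1.2.1: 128-bit IV = snmpEngineBoots || snmpEngineTime || salt.
    The 8-byte salt travels in msgPrivacyParameters; it is not secret, but the
    sender must never reuse it with the same key and boots/time values."""
    if len(salt) != 8:
        raise ValueError("RFC 3826 salt is exactly 8 octets")
    return struct.pack(">II", engine_boots, engine_time) + salt


# Test vectors from RFC 3414 appendix A.3 (password "maplesyrup").
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC3414_MD5_KUL = "526f5eed9fcce26f8964c2930787d82b"
RFC3414_SHA1_KUL = "6695febc9288e36282235fc7151f128497b38f3f"

if __name__ == "__main__":
    kul = localize_key(password_to_key("maplesyrup", "sha1"), RFC3414_ENGINE_ID, "sha1")
    assert kul.hex() == RFC3414_SHA1_KUL
    print("AES-128 key:", aes128_privacy_key("maplesyrup", RFC3414_ENGINE_ID, "sha1").hex())
    print("IV:", aes_cfb_iv(engine_boots=3, engine_time=1200, salt=bytes(8)).hex())
```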

  • TLS security enhancements for Policy Agent - Centralized Policy Agent is enabled to support TLSv1.1 and TLSv1.2 with a new set of TLSv1.2-specific 2-byte ciphers. In addition, the import services between the Policy Agent and IBM Configuration Assistant for z/OS Communications Server allow user-defined AT-TLS policies to create a secure SSL connection.

    When change was introduced: z/OS V2R2 and with the PTF for APAR PM96891 for z/OS V2R1

  • TLS security enhancements for sendmail - z/OS UNIX sendmail is enabled to support TLSv1.1 and TLSv1.2 with a new set of TLSv1.2-specific 2-byte ciphers.

    When change was introduced: z/OS V2R2 and with the PTF for APAR PM96896 for z/OS V2R1

  • AT-TLS certificate processing enhancements - Application Transparent TLS (AT-TLS) is enhanced to support the following features that System SSL provides.
    • RFC 5280 PKIX certificate and CRL profile. With this support, you can perform certificate validation according to RFC 5280.
    • Enhanced certificate revocation capabilities:
      • Retrieval of revocation information through the Online Certificate Status Protocol (OCSP)
      • Retrieval of Certificate Revocation Lists (CRLs) over HTTP
      • More flexible processing of CRLs through LDAP

    When change was introduced: z/OS V2R2

  • Simplified access permissions to ICSF cryptographic functions for IPSec - In prior releases, network applications that send or receive IPSec-protected traffic had to be permitted to certain SAF resource profiles in the CSFSERV class when protection of the ICSF cryptographic operations was requested. This requirement is eliminated. You are no longer required to permit all network applications that send or receive IPSec-protected traffic to the relevant SAF resources in the CSFSERV class. Only the user ID that is associated with the TCP/IP stack must be permitted to the SAF resource profiles.

    When change was introduced: z/OS V2R2

  • TCPIP profile IP security filter enhancements - The default IP filters as defined in the TCP/IP profile data set are enhanced to support traffic direction specifications, address ranges, port ranges, ranges on relevant type and code values, and MIPv6 and Opaque protocol types.

    When change was introduced: z/OS V2R2

  • TLS session reuse support for FTP and AT-TLS applications (AT-TLS) - The SIOCTTLSCTL ioctl system call is enhanced to perform the following actions:
    • AT-TLS applications can retrieve the session ID for the secure socket.
    • AT-TLS applications can request that a session is reused on a socket by retrieving and setting the session token.

    When change was introduced: z/OS V2R2

  • TLS session reuse support for FTP and AT-TLS applications (FTP) - FTP is enhanced to support SSL session reuse. When using native SSL or AT-TLS, z/OS FTP supports reusing the SSL session ID of the control connection or a previous data connection on the subsequent data connections within an FTP session without port binding.

    When change was introduced: z/OS V2R2

  • AT-TLS support for TLS v1.2 and related features - Application Transparent TLS (AT-TLS) currency with z/OS System SSL is supported. Support is added for the following functions that are provided by System SSL:
    • Renegotiation (RFC 5746) in z/OS V1R12
    • Elliptic Curve Cryptography (RFC 4492 and RFC 5480) in z/OS V1R13
    • TLSv1.2 (RFC 5246) in z/OS V2R1
    • AES GCM Cipher Suites (RFC 5288) in z/OS V2R1
    • Suite B Profile (RFC 5430) in z/OS V2R1
    • ECC and AES GCM with SHA-256/384 (RFC 5289) in z/OS V2R1

    When change was introduced: z/OS V2R1

  • Enhanced IDS IP fragment attack detection - The Intrusion Detection Services (IDS) IP fragment attack type is enhanced to detect fragment overlays that change the data in the packet. In addition, the IP fragment attack detection is extended to IPv6 traffic.

    When change was introduced: z/OS V2R1
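
    To show the kind of event this enhancement targets, here is an added example (written for this page, not z/OS IDS code) of a minimal fragment reassembler that distinguishes a harmless retransmitted fragment from an overlapping fragment whose bytes differ from the data already received. It simplifies real IP by using byte offsets rather than 8-octet units, and the fragment sets are constructed, not captured traffic.

```python
# Added example (not IBM code): a minimal IP fragment overlay detector in the
# spirit of the enhanced IDS IP fragment check. Offsets are in bytes here;
# real IPv4/IPv6 fragment offsets are in 8-octet units.


def detect_overlay(fragments):
    """Reassemble (offset, data) fragments of one datagram.

    Returns (payload, events). Bytes already received are never overwritten:
    a fragment that re-sends identical bytes is a harmless retransmission,
    while one whose overlapping bytes differ is reported as an overlay that
    would change the datagram depending on the reassembly policy.
    """
    seen = {}        # byte position -> byte value
    events = []
    for idx, (offset, data) in enumerate(fragments):
        changed = [offset + i for i, b in enumerate(data)
                   if seen.get(offset + i, b) != b]
        for i, b in enumerate(data):
            seen.setdefault(offset + i, b)
        if changed:
            events.append(
                f"fragment {idx} at offset {offset}: {len(changed)} overlapping "
                f"byte(s) differ (positions {changed[0]}..{changed[-1]})")
    if not seen:
        return b"", events
    size = max(seen) + 1
    if len(seen) != size:
        events.append("datagram incomplete: missing bytes between fragments")
    return bytes(seen.get(p, 0) for p in range(size)), events


# Constructed fragment sets (not captured traffic).
RETRANSMIT = [(0, b"hello "), (6, b"world"), (6, b"world")]
OVERLAY = [(0, b"hello "), (6, b"world"), (6, b"WORLD")]
GAP = [(0, b"hello "), (8, b"rld")]

if __name__ == "__main__":
    for name, frags in (("RETRANSMIT", RETRANSMIT), ("OVERLAY", OVERLAY), ("GAP", GAP)):
        payload, events = detect_overlay(frags)
        print(name, payload, events or "clean")
```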

  • Improve auditing of NetAccess rules - Control over the level of caching that is used for network access control checks is introduced. You can reduce the level of caching to pass more network access control checks to the System Authorization Facility (SAF). Passing more network access control checks to SAF allows the security server product to provide more meaningful auditing of access control checks.

    An additional enhancement entails including the IP address that the user is attempting to access in the log string that is provided to the security server product on each network access control check.

    When change was introduced: z/OS V2R1

  • Improved FIPS 140 diagnostics - Enhanced diagnostics for the IKE and NSS daemons and the AT-TLS function are provided when FIPS 140 processing is required.

    Integrated Cryptographic Services Facility (ICSF) is required when FIPS 140 is configured for the IKE or NSS daemons or for an AT-TLS group. Starting in V2R1, these daemons and the AT-TLS groups will fail to initialize if ICSF is not active.

    When change was introduced: z/OS V2R1

  • Limit defensive filter logging - The existing defensive filtering function provides a mechanism to install temporary filters to either deny attack packets or log when a packet would have been denied if blocking mode was used. You can now limit the number of defensive filter messages that are written to syslogd for a blocking or simulate mode filter. You can configure a default limit to be used for all defensive filters that are added to a TCP/IP stack. You can also specify a limit when adding an individual defensive filter with the z/OS UNIX ipsec command.

    When change was introduced: z/OS V2R1

  • QDIO Outbound flood prevention - CSM storage constraints are relieved when processing ICMP Timestamp requests.

    Because the z/OS TCP/IP stack replies to these requests, a flood of such requests can cause problems under the right conditions. Such a flood causes the TCP/IP stack to back up because it cannot get the responses out quickly enough, which results in a constrained CSM condition.

    If the constrained CSM condition is not relieved, it might cause a stack outage. This behavior might happen with:
    • Other ICMP requests that always generate a response (for example, echo requests)
    • UDP requests to an application that behaves in a similar manner

    QDIO outbound packets will be dropped when CSM storage is constrained and the outbound queues are congested. This support alleviates these problems.

    When change was introduced: z/OS V2R1

  • TN3270 client-bound data queueing limit - MAXTCPSENDQ, a new parameter in the Telnet profile, is introduced to prevent large amounts of storage from being held for data that is destined for an unresponsive Telnet client.

    When change was introduced: z/OS V2R1

Reference information: See the following topics in z/OS Communications Server: New Function Summary for detailed descriptions that include any applicable restrictions, dependencies, and steps on using the functions:
  • IBM Health Checker for z/OS FTP ANONYMOUS JES
  • IBM Health Checker for z/OS MVRSHD RHOSTS DATA
  • IBM Health Checker for z/OS SNMP agent public community name
  • SMF 119 TCP connection termination record (subtype 2) enhanced to provide IP filter information
  • VTAM 3270 intrusion detection services
  • AT-TLS enablement for DCAS
  • IBM Health Checker for z/OS SMTPD MAIL RELAY
  • Network security enhancements for SNMP
  • TLS security enhancements for Policy Agent
  • TLS security enhancements for sendmail
  • AT-TLS certificate processing enhancements
  • Simplified access permissions to ICSF cryptographic functions for IPSec
  • TCPIP profile IP security filter enhancements
  • TLS session reuse support for FTP and AT-TLS applications (AT-TLS)
  • TLS session reuse support for FTP and AT-TLS applications (FTP)
  • AT-TLS support for TLS v1.2 and related features
  • Enhanced IDS IP fragment attack detection
  • Improve auditing of NetAccess rules
  • Improved FIPS 140 diagnostics
  • Limit defensive filter logging
  • QDIO Outbound flood prevention
  • TN3270 client-bound data queueing limit