1. Introducing AIX Version 6.1
Daniel Sobik
This chart deck is intended for education related to the announcement of AIX 6 in 4Q 2007
This is the Seller presentation and is not intended for use with clients
Jay Kruemcke
AIX Program Director
jayk@us.ibm.com
Austin, TX
2. 2 AIX V6.1 Role Based Access Control (RBAC)
Role Based Access Control (RBAC) is designed to improve security and
manageability by allowing administrators to delegate system
administrative duties to non-root users. RBAC in AIX has been enhanced
to provide very fine-grained authorizations, which by name identify
the privileged operation that they control. These authorizations
can be used to create the necessary roles and assign those roles to
the users required to manage the system. Such non-root users will be
able to assume the role and perform the allowed privileged operations.
3. 3 Role Based Access Control (RBAC)
Authorizations
Mechanism to grant access to commands or certain functionality. Context aware.
Roles
A container for authorizations that can be assigned to a user.
Privileges
Process attribute that allows process to bypass a security restriction. Not context aware.
Authorizations vs. Privileges
Auths exist only outside of kernel, Privs only inside
Auths enable access to commands, Privs enable execution of single functions
e.g. "run mkuser" vs. "PV_DAC_W"
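Added example (not part of the original deck or IBM's code): a least-privilege review of a role, showing the authorization that admits each command next to the privileges its process then runs with. The stanza layout, the authorization names and the /opt/site path are assumptions in a constructed sample, and the matching assumes AIX's dotted hierarchy in which a parent authorization covers its children.

```shell
#!/bin/sh
# Added example, not from the slides. Which commands does a role unlock, and
# which kernel privileges does each resulting process receive?

# Constructed sample in the stanza style of a privileged-command database.
# Layout and authorization names are assumptions; PV_DAC_W is from the slide.
PRIVCMDS_SAMPLE='/usr/bin/mkuser:
        accessauths = aix.security.user.create
        innateprivs = PV_DAC_R,PV_DAC_W
/usr/bin/chuser:
        accessauths = aix.security.user.change
        innateprivs = PV_DAC_R,PV_DAC_W
/opt/site/bin/runbackup:
        accessauths = site.backup.run
        innateprivs = PV_DAC_R'

# role_commands AUTHS: stanzas on stdin, AUTHS = comma-separated authorizations
# held by the role. Prints: command <TAB> matching authorization <TAB> privileges.
role_commands() {
    awk -v held="$1" '
        BEGIN { n = split(held, auth, ",") }
        # Emit the current stanza if a held authorization equals, or is a
        # dotted parent of, one of the authorizations the command accepts.
        function flush(   i, j, m, need) {
            if (cmd == "") return
            m = split(access, need, ",")
            for (i = 1; i <= m; i++)
                for (j = 1; j <= n; j++)
                    if (need[i] == auth[j] || index(need[i], auth[j] ".") == 1) {
                        printf "%s\t%s\t%s\n", cmd, auth[j], privs
                        return
                    }
        }
        /^[^ \t].*:[ \t]*$/ {            # "/path/to/command:" starts a stanza
            flush(); cmd = $0; sub(/:[ \t]*$/, "", cmd); access = privs = ""; next
        }
        { line = $0; gsub(/[ \t]/, "", line) }
        line ~ /^accessauths=/ { access = substr(line, 13) }
        line ~ /^innateprivs=/ { privs  = substr(line, 13) }
        END { flush() }'
}

# A broad parent authorization unlocks every user-management command at once.
printf '%s\n' "$PRIVCMDS_SAMPLE" | role_commands "aix.security.user"
```

A role holding the parent authorization is reported for both mkuser and chuser, each of which then runs with PV_DAC_W; a role holding only the leaf authorization is reported for one command.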
4. 4
5. 5 AIX V6.1 Security Expert
The AIX Security Expert was introduced with Technology Level 5
update to the AIX V5.3 OS and provides clients with the capability to
manage more than 300 system security settings from a single
interface and the ability to export and import those security settings
between systems. AIX 6 includes an enhancement to the Security
Expert to store security templates in a Lightweight Directory Access
Protocol (LDAP) directory for use across a client's enterprise.
6. 6 Secure by Default (SbD)
AIX 6 introduces three new security installation options
Trusted AIX (MLS)
LSPP/EAL4+
SbD - Secure by Default
SbD is new default security option
Installs a minimal set of software
Deletes components that use weak authorization (bos.net.tcp.client|server) and runs AIX Security Expert to apply hardening for level "high"
Additional software installed on as-needed basis
"Bottom Up" Approach
Reverses traditional "Top Down" approach of full install followed by hardening
Thorough planning strongly suggested
Can all applications' requisites be fulfilled by this install template?
7. 7 Secure FTP
Based on OpenSSL
needed to setup and handle keys and certificates
ftp and ftpd are secured using TLS protocol
Command channel and data channel are encrypted
Nice add-on to OpenSSH's 'scp' and 'sftp'
e.g. data exchange with legacy systems not offering SSH
Client usage is 'ftp -s ...'
TLS stuff is configured in user's ~/.ftpcnt file
Server usage is implicit
TLS stuff is configured in /etc/ftpd.cnf
8. 8 AIX V6.1 Encrypting Filesystem
The IBM Journaled Filesystem Extended (JFS2) provides for even
greater data security with the addition of a new capability to
encrypt the data in a filesystem. Clients can select from a number of
different encryption algorithms. The encrypted data can be backed up
in encrypted format, reducing the risk of data being compromised if
backup media is lost or stolen. The JFS2 encrypting filesystem can
also prevent the compromise of data even to root-level users.
9. 9 Encrypted File System (EFS)
Embedded in JFS2, not stacked, for performance and reliability
all JFS2 operations can be performed with an EFS
mounting and unmounting, increasing and decreasing size, defragmenting, removing, ...
but no NFS or GPFS support
In stacked FSs, data may be lost through strong encryption when crypto meta data write and data write are out of sync
Each file is encrypted with a separate key (stored in its EAs)
Encryption/Decryption happens in memory, not on storage
hence no DIO/CIO
User keystore gets opened by login password or separate pw
login pw is distinct from keystore pw
holds user's private and public key (asymmetric encryption, RSA)
public key is used to access shared secret for file en/decryption (symmetric encryption, AES)
hybrid approach for the sake of performance (e.g. like TLS)
10. 10 Encrypted File System (EFS)
Prereqs
CryptoLite in C (CLiC) library and kernel extension must be installed and loaded
Enhanced RBAC must be enabled (default in AIX6)
EFS must be explicitly enabled (can be done at any time using 'efsenable')
New and existing FSs can be encrypted
smitty crfs -> "Enable EFS? [yes]"
'crfs' or 'chfs' along with "-a efs=yes"
not to be applied on "/", /usr, /var and /opt since keystore can't be opened during boot
but that's OK, since EFS' main focus is on protecting user/application data
encrypted files can be identified by 'ls -U'
# ls -U file*
-rw-r--r--- 1 root system 0 May 14 13:22 file1
-rw-r--r--e 1 root system 0 May 14 13:22 file2
User key management is provided with 'efskeymgr' command
Performance penalty is said to be low*)
best practice: use it selectively where needed, not everywhere
e.g. on sensitive filesystems only, selected DB columns, etc.
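Added example (not part of the original deck): a filter over `ls -U` output that lists the regular files not flagged as encrypted, for checking that everything in a directory meant to be protected really is. The listing is constructed in the format shown above; all names except file1 and file2 are made up.

```shell
#!/bin/sh
# Added example, not from the slides: list files that `ls -U` does not flag as
# encrypted, so plaintext left in a directory meant to be protected stands out.

# Constructed listing in the format shown on the slide (11th mode character is
# "e" for an encrypted file). Names other than file1/file2 are made up.
LS_U_SAMPLE='total 8
-rw-r--r---    1 root     system            0 May 14 13:22 file1
-rw-r--r--e    1 root     system            0 May 14 13:22 file2
drwxr-xr-x-    2 root     system          256 May 14 13:20 archive
-rw-------e    1 root     system          512 May 14 13:25 payroll 2007.db
-rw-r------    1 root     system          128 May 14 13:26 export copy.csv'

# efs_unencrypted: reads `ls -U` long-format lines on stdin and prints the name
# of every regular file whose encryption flag is not set.
efs_unencrypted() {
    awk '
        substr($0, 1, 1) != "-" { next }     # regular files only (no total line, no dirs)
        substr($1, 11, 1) == "e" { next }    # flagged as encrypted
        {
            # Name = everything after the 8 leading fields (it may contain spaces).
            name = $0
            for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+/, "", name)
            sub(/^[ \t]+/, "", name)
            print name
        }'
}

printf '%s\n' "$LS_U_SAMPLE" | efs_unencrypted
```

On AIX the function would be fed from `ls -U` run against the directory under review.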
11. 11 Encrypted File System (EFS)
Two keystore protection modes
Root Admin Mode
Pro: Root can reset user and group key store access passwords
Con: Root might be able to gain access to a user's key store and encrypted files
Root Guard Mode
Pro: Root cannot reset user and group key store access passwords
Con: Root cannot gain access to a user's key store and encrypted files, even when necessary!
EFS backup Best Practices
Backup raw encrypted form
Backup the file owner's keystore
The file owner's keystore password must also be "saved" or files must be re-encrypted in a timely manner when keystore pw changes
12. 12 AIX AND System p Security Certifications Plans*
13. 13 AIX V6.1 Concurrent Kernel Maintenance
Concurrent AIX kernel updates: Concurrent AIX kernel updates
will deliver some kernel updates as Interim Fixes that will not
require a system reboot to be put into effect. This new capability
will provide IBM with a tool to reduce the number of planned
outages required to maintain a secure, reliable system.
14. 14 AIX V6.1 POWER6 Storage Keys
POWER6 Storage Keys: POWER6 Storage Keys exploitation of the
POWER6 processor storage key feature brings a mainframe-inspired
reliability and capability to the UNIX market for the first
time. Storage keys can reduce the number of intermittent outages
associated with undetected memory overlays inside the kernel.
Applications can also use the POWER6 Storage Key feature to
increase the reliability of large, complex applications running
under the AIX V5.3 or AIX V6.1 operating system.
15. 15 AIX 6 dynamic tracing with probevue
Trace existing programs without recompiling
Dynamic placement of trace probes
For debugging and performance analysis
Traceable Calls:
AIX system calls,
application functions, and
application calls to library functions
Dynamic tracing language called Vue
Initial support only for C programs
16. 16 AIX V6.1 Systems Director Console for AIX
AIX V6.1 provides a new graphical systems console,
the IBM Systems Director Console for AIX. The Systems Director
Console for AIX provides responsive Web access to common systems
management tools such as the Systems Management Interface Tool (SMIT)
and offers integration into the IBM Systems Director. The Systems
Director Console for AIX is included with AIX V6.1.
The IBM Systems Director Console for AIX is built on a lightweight
infrastructure and provides an easy-to-use interface for the
Web-enabled administration of AIX management tasks. The console
provides a single user interface for system management and
administration operations and can be accessed from any supported
Web browser. IBM Systems Director Console for AIX gives the user a
powerful interface to manage AIX servers and software and provides a
graphical Web-based interface to enable the user to manage remote
systems and resources.
The IBM Systems Director Console includes these features:
o AIX V6.1 provides browser-based access to the popular System
Management Interface Tool (SMIT). Users can access AIX operating
system management functions in a Web browser.
o Distributed Command Execution Manager provides the capability to
securely execute systems management commands on multiple systems.
AIX V6.1 includes all the infrastructure needed for the
IBM Systems Director Console for AIX. The Console is not a
prerequisite for IBM Systems Director, but it is designed to
have a similar management interface and shares a common
technology base.
17. 17 Systems Director for AIX
18. 18 IBM Systems Director Console
Remote AIX management from a web browser
Verify Fileset installation
lslpp -h sysmgt.pconsole.rte
Use SRC to control the director console
# lssrc -s pconsole
Subsystem Group PID Status
pconsole pconsole 319644 active
Stop and start with startsrc and stopsrc
Access from your browser
http://HostName:5335/ibm/console
View and save commands like smit
Config file
/pconsole/lwi/conf/overrides/config.properties
19. 19 pConsole PMR
"The following has also been brought to my
attention from the pconsole team...
.
There is a setting that may also be tried:
.
Uncomment the "#-clean=true" line in the file:
.
/pconsole/lwi/conf/overrides/config.properties
.
This allows a refresh of the bundle data for the
pconsole instance. The pconsole system would then
be restarted with:
.
stopsrc -s pconsole
startsrc -s pconsole
.
With this setting enabled, the pconsole server
startup will take a little longer (i.e. 30 sec),
but no runtime performance penalties should occur.
It has not been formally decided as of yet, but
this setting may become the default in future."
20. 20 VMM Page Replacement new defaults
Tunable            AIX 5L   AIX 6 (new install)
minperm%           20       3
maxperm%           80       90
maxclient%         80       90
strict_maxperm     0        0
strict_maxclient   1        1
lru_file_repage    1        0
page_steal_method  0        1
21. 21 WPAR command support
From global LPAR use the -@ flag to designate WPAR
# ps -ef -@ ec08
WPAR UID PID PPID C STIME TTY TIME CMD
ec08 root 217128 389182 0 15:00:58 - 0:00 /usr/sbin/rsct/b
ec08 root 266398 389182 0 15:00:21 - 0:00 /usr/sbin/rsct/b
ec08 root 278634 389182 0 15:00:20 - 0:00 /usr/sbin/rpc.lo
ec08 root 290942 389182 0 15:00:18 - 0:00 /usr/sbin/biod 6
From WPAR use normal commands
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 217128 389182 0 15:00:58 - 0:00 /usr/sbin/rsct/bin/IBM.Sensor
root 266398 389182 0 15:00:21 - 0:00 /usr/sbin/rsct/bin/rmcd -a IB
root 278634 389182 0 15:00:20 - 0:00 /usr/sbin/rpc.lockd -d 0
root 290942 389182 0 15:00:18 - 0:00 /usr/sbin/biod 6
root 1 0 0 15:00:04 - 0:00 /etc/init
22. 22 WPAR command support
Some commands are not supported from WPAR
# netstat -rn
Routing tables
Destination Gateway Flags Refs Use If Exp Groups
netstat : Permission error, unable to continue.
Network adapters are aliases on the global partition
# ifconfig en0
en0: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,...
inet 9.19.51.153 netmask 0xffffff00 broadcast 9.19.51.255
inet 9.19.51.154 netmask 0xffffff00 broadcast 9.19.51.255
tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
23. 23 AIX V6.1 Hardware Support
Systems based on POWER4, POWERPC 970, POWER5 and POWER6 processors are supported
32- and 64-bit applications will continue to run unchanged on AIX 6
64-bit kernel only
AIX 6 will support systems based on the PPC970, POWER4, POWER5 and POWER6 processors at all chip frequencies.
Since almost all AIX 6 features will be available on all systems, clients may decide to move up to AIX 6 on older hardware
just to take advantage of the new features such as WPARs, Application Mobility and Role Based Access Control.
AIX 6 will only run the 64-bit kernel. This will enable even greater scalability in the future. Just like on AIX 5L, 32-bit and 64-bit
applications will continue to run on AIX 6; no recompilation is necessary.
Because AIX 6 only includes the 64-bit kernel, 32-bit device drivers and kernel extensions will not be supported on AIX 6. Most
device drivers and kernel extensions are already available in 64-bit format, so we are expecting few issues related to the discontinuing
of the 32-bit kernel.
24. 24 POWER6 Delivers with your Choice of AIX or Linux
25. 25
26. 26 AIX Version 6.1