
Connectivity to z/OS using DB2 Connect with Kerberos Authentication Davy Goethals

Connectivity to z/OS using DB2 Connect with Kerberos Authentication. Davy Goethals, GSE CICS and IMS/DB2 working group, 11/10/2007, Zemst. Agenda: Introduction; Use of DB2 Connect at Sidmar; What is Kerberos authentication?; Practical implementation.


Presentation Transcript


  1. Connectivity to z/OS using DB2 Connect with Kerberos Authentication Davy Goethals GSE CICS and IMS/DB2 working group 11/10/2007 Zemst

  2. Agenda
  • Introduction
  • Use of DB2 Connect at Sidmar
  • What is Kerberos authentication?
  • Practical implementation
  • Current status & future

  3. Introduction
  • Kerberos is an authentication protocol developed in the late 1980s to secure a distributed client-server environment:
    • The user wants to be sure to connect to the right server
    • The server wants to be sure that the user is who he claims to be
  • Part of DCE (promoted by OSF), initially in the Unix world
  • Based on encryption:
    • Insecure client machines
    • Insecure networks
    • Locally secured servers can interchange reliable information

  4. Introduction
  • Kerberos can be used in a DB2 Connect environment to create a single-logon environment
  • No need anymore to provide a mainframe user/password to DB2 on z/OS

  5. Use of DB2 Connect at Sidmar
  [Architecture diagram; labels: MAINFRAME, DB2 for z/OS, DB2 Connect EE, SQL and stored procedures, UNIX servers, Windows clients, Windows servers, DB2 Connect PE, TCP/IP, SAP, VB, ODBC, OLE DB, .NET]

  6. Use of DB2 Connect at Sidmar
  • User has to provide a mainframe userid/password
  • Or the application uses a hardcoded generic userid with a non-expiring password
    • To avoid declaration of RACF users
    • To avoid password problems
    • To allow/restrict authorities
  • Problems:
    • Management of passwords (helpdesk)
    • Super users with known passwords
    • Accountability
    • Use of trusted clients?

  7. What is Kerberos?
  Kerberos (Cerberus) was the mythological three-headed dog that guarded the entrance to the underworld. Unless you could get past Kerberos, you could not leave the underworld.

  8. What is Kerberos?
  • Securely authenticate a user in an unsecured network environment
  • Three-tier architecture:
    • Client
    • Kerberos Key Distribution Center (KDC) – trusted third party
    • Application server
  • Use of encrypted tickets (credentials) instead of userid/password over the network
    • Provided by the KDC
    • Limited lifetime
    • Only understood by client and server

  9. What is Kerberos?
  The KDC is a central repository:
  • Knows all clients (with principal identifier)
  • Knows all application servers (with principal identifier)
  • REALM: set of clients and servers served by a single KDC (domain)
  • KDC and clients/servers use a private encryption key to encrypt data over the network
  • A principal needs to verify its identity only once in the REALM
  • Kerberos allows the client to validate the identity of the server (mutual authentication)

  10. What is Kerberos?
  • Phase 1: authentication service exchange
    • Client authenticates himself by providing the username and gets a ticket-granting ticket
  • Phase 2: ticket-granting service exchange
    • Client asks for a service ticket to use in communication with the server
  • Phase 3: client/server authentication exchange
    • Client and server authenticate each other
    • Share an encryption key to exchange encrypted messages
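The three exchanges above, as an added worked example that is not part of the presentation. It is a deliberately simplified model: one KDC serves all principals (the inter-realm trust of the next slide is not modelled), and the "encryption" is a SHA-256 keystream with an HMAC tag standing in for the real Kerberos cipher suites. The principal names, the password and the LIFETIME value are constructed samples. What the model does show is the property the talk relies on: the user's password never crosses the wire, the KDC hands out time-limited tickets that only the right key can open, and in phase 3 the server proves its own identity back to the client.

```python
# Toy model of the three Kerberos exchanges on slide 10 (added example; not
# code from the presentation). The "encryption" is a simplified stand-in
# (SHA-256 keystream + HMAC tag) so the flow runs offline; it is not Kerberos.
import hashlib
import hmac
import json
import os
import time

LIFETIME = 300  # seconds a ticket stays valid in this model (constructed value)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """'Encrypt' a dict under key and authenticate it; only the key holder can open it."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "body": body.hex(), "tag": tag.hex()}


def unseal(key, blob):
    nonce, body, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "body", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def derive_key(password, principal):
    """Long-term key of a principal, derived from its password (cf. slide 26)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    """Trusted third party holding every principal's long-term key (slide 9)."""

    def __init__(self, keys):
        self.keys = keys                # principal name -> long-term key
        self.tgs_key = os.urandom(32)   # key of the ticket-granting service itself

    def as_exchange(self, client, now):
        """Phase 1: only the principal name is sent; the reply opens only with the user's key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": now + LIFETIME})
        return {"tgt": tgt, "enc_part": seal(self.keys[client], {"key": session})}

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Phase 2: the TGT proves the client's identity; the service ticket is sealed for the server."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "expires": now + LIFETIME})
        return {"ticket": ticket, "enc_part": seal(bytes.fromhex(t["key"]), {"key": svc_key})}


class AppServer:
    """The application server (DB2 in the talk); it never sees the user's password."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket, authenticator, now):
        """Phase 3: validate the ticket and return (client, proof) for mutual authentication."""
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise PermissionError("service ticket expired")
        sub_key = bytes.fromhex(t["key"])
        auth = unseal(sub_key, authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > LIFETIME:
            raise PermissionError("bad authenticator")
        return t["client"], seal(sub_key, {"time": auth["time"]})


def single_logon(kdc, server, client, password, now=None):
    """Run all three phases; returns the principal the server authenticated."""
    now = time.time() if now is None else now
    rep1 = kdc.as_exchange(client, now)
    session = bytes.fromhex(unseal(derive_key(password, client), rep1["enc_part"])["key"])
    rep2 = kdc.tgs_exchange(rep1["tgt"], seal(session, {"client": client, "time": now}), server.name, now)
    svc_key = bytes.fromhex(unseal(session, rep2["enc_part"])["key"])
    who, proof = server.accept(rep2["ticket"], seal(svc_key, {"client": client, "time": now}), now)
    if unseal(svc_key, proof)["time"] != now:      # server proved it holds the ticket key (slide 9)
        raise PermissionError("server failed mutual authentication")
    return who


def demo():
    """Constructed principals modelled on the talk's names; the password is a sample."""
    user, db2, password = "siddago@SIDMAR.BE", "db2/omvsdb2p@ES1.SIDMAR.AGN", "sample-password"
    db2_key = os.urandom(32)
    kdc = KDC({user: derive_key(password, user), db2: db2_key})
    return single_logon(kdc, AppServer(db2, db2_key), user, password)


if __name__ == "__main__":
    print(demo())
```

A wrong password fails at the client in phase 1 (the AS reply cannot be opened), so nothing password-related ever reaches the KDC or DB2; an expired TGT or service ticket is rejected by the party that opens it.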

  11. What is Kerberos?
  • Inter-REALM operation
    • A client from one REALM can communicate with a server from another REALM
    • REALMs have TRUST relationships and share secret inter-realm keys
    • Ex: Windows domain and z/OS domain
  • Multiple, hierarchical realms are possible
  • Client has to authenticate only once to his local REALM

  12. What is Kerberos?
  Windows:
  • Kerberos is integrated in the Windows OS
  • KDC is part of the Directory Server
  • Definitions in Domain Controller & DNS
  z/OS:
  • Kerberos is integrated with RACF
  • KDC is part of the RACF database
  • All administration is done by RACF commands
  • Special Kerberos started task to communicate with clients

  13. DB2 Connect and Kerberos
  DB2 uses SAF services:
  - Ticket validation
  - Maps the Kerberos principal in the ticket to a RACF userid
  [Flow diagram; labels: MAINFRAME (DB2 for z/OS, RACF, KDC), GSS protocol, "Do you support Kerb?", Windows Domain Controller (DNS, KDC), DB2 Connect PE, ticket, Windows clients, Windows userid authentication]

  14. Practical implementation
  • Workstation:
    • DB2 Connect database directory
    • KSETUP command
  • Windows domain:
    • Define trust with host realm
    • Add entries in DNS
  • z/OS:
    • Create host realm
    • Define trust with Windows realm
    • Define DB2 as Kerberos application
    • Start Kerberos started task
    • Map Windows users to RACF userids

  15. Practical implementation on workstation
  • DB2 Connect database directory:
    • Add database entries with
      • Authentication = KERBEROS
      • Principal name = db2service/host@hostREALM
    • Command: "db2 catalog database dbname at node nodename authentication kerberos target principal db2service/hostname@hostREALM"

  16. Practical implementation on workstation
  • Database 4 entry:
    Database alias = DB2P
    Database name = DB2P
    Node name = DB2P
    Database release level = a.00
    Comment = DB2 productie
    Directory entry type = Remote
    Authentication = SERVER
    Catalog database partition number = -1
    Alternate server hostname =
    Alternate server port number =
  • Database 11 entry:
    Database alias = DB2PD
    Database name = DB2P
    Node name = DB2P
    Database release level = a.00
    Comment = DB2 productie d
    Directory entry type = Remote
    Authentication = KERBEROS
    Principal name = db2/omvsdb2p@ES1.SIDMAR.AGN
    Catalog database partition number = -1
    Alternate server hostname =
    Alternate server port number =
  Applications use DB2PD instead of DB2P in the connection string and no longer provide a user/password.

  17. Practical implementation on workstation
    db2 => connect to DB2P user siddago
    Enter current password for siddago:

       Database Connection Information

     Database server        = DB2 OS/390 8.1.5
     SQL authorization ID   = SIDDAGO
     Local database alias   = DB2P

    db2 => connect to DB2P
    SQL30082N  Attempt to establish connection failed with security reason "3" ("PASSWORD MISSING").  SQLSTATE=08001

    db2 => connect to DB2PD

       Database Connection Information

     Database server        = DB2 OS/390 8.1.5
     SQL authorization ID   = SIDDAGO
     Local database alias   = DB2PD

    db2 => connect to DB2PD user siddago
    Enter current password for siddago:
    SQL30082N  Attempt to establish connection failed with security reason "36" ("CLIENT SECURITY PLUGIN ERROR").  SQLSTATE=08001

    db2 =>
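Slides 16 and 17 together say how each catalogued alias must be used: a SERVER entry needs a mainframe userid/password, a KERBEROS entry must be connected to without one, and a KERBEROS entry is only usable when it carries a target principal of the form db2service/host@hostREALM (slide 15). The following added example (not code from the presentation or from IBM) audits a directory listing in that layout. The listing it parses is a constructed sample modelled on slide 16, with a third entry (DB2TK, constructed) deliberately missing its principal; the OK/WARN/ERROR levels and the message texts are this example's own.

```python
# Audit of a DB2 Connect database directory listing (added example; not code
# from the presentation). It parses "db2 list database directory" output in
# the layout of slide 16 and reports, per alias, how a connect must be issued
# and which entries still send a mainframe password.
import re

# Constructed sample modelled on slide 16, plus one deliberately broken entry.
SAMPLE_DIRECTORY = """\
Database 4 entry:

 Database alias                       = DB2P
 Database name                        = DB2P
 Node name                            = DB2P
 Database release level               = a.00
 Comment                              = DB2 productie
 Directory entry type                 = Remote
 Authentication                       = SERVER
 Catalog database partition number    = -1
 Alternate server hostname            =
 Alternate server port number         =

Database 11 entry:

 Database alias                       = DB2PD
 Database name                        = DB2P
 Node name                            = DB2P
 Database release level               = a.00
 Comment                              = DB2 productie (Kerberos)
 Directory entry type                 = Remote
 Authentication                       = KERBEROS
 Principal name                       = db2/omvsdb2p@ES1.SIDMAR.AGN
 Catalog database partition number    = -1
 Alternate server hostname            =
 Alternate server port number         =

Database 12 entry:

 Database alias                       = DB2TK
 Database name                        = DB2T
 Node name                            = DB2T
 Directory entry type                 = Remote
 Authentication                       = KERBEROS
 Catalog database partition number    = -1
"""

ENTRY_RE = re.compile(r"^Database \d+ entry:", re.M)
# Expected shape of a target principal, db2service/host@hostREALM (slide 15).
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")


def parse_directory(text):
    """Split the listing into one {field: value} dict per database entry."""
    entries = []
    for chunk in ENTRY_RE.split(text):
        fields = {}
        for line in chunk.splitlines():
            if "=" in line:
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries


def audit(entries):
    """Return (alias, level, message) per entry; level is OK, WARN or ERROR."""
    findings = []
    for e in entries:
        alias = e.get("Database alias", "?")
        auth = e.get("Authentication", "").upper()
        principal = e.get("Principal name", "")
        if auth == "KERBEROS" and not principal:
            findings.append((alias, "ERROR", "KERBEROS entry without target principal"))
        elif auth == "KERBEROS" and not PRINCIPAL_RE.match(principal):
            findings.append((alias, "ERROR", f"principal '{principal}' is not service/host@REALM"))
        elif auth == "KERBEROS":
            findings.append((alias, "OK",
                             f"connect to {alias} (no user/password; ticket for {principal})"))
        elif auth == "SERVER":
            findings.append((alias, "WARN",
                             f"connect to {alias} user <id> still sends a mainframe password"))
        else:
            findings.append((alias, "WARN", f"authentication '{auth or 'unset'}' not reviewed"))
    return findings


if __name__ == "__main__":
    for alias, level, msg in audit(parse_directory(SAMPLE_DIRECTORY)):
        print(f"{level:5} {alias:6} {msg}")
```

Run against a real listing, the WARN lines are the aliases whose applications still hold a mainframe password (the conversion backlog of slide 28), and an ERROR line is an entry that will fail exactly like the last connect on slide 17 before any ticket is requested.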

  18. Practical implementation on workstation
  • KSETUP command to define the host realm on each workstation:
    • KSETUP /addkdc hostREALM KDCname
    • Ex: KSETUP /addkdc ES1.SIDMAR.AGN kerberos.es1.sidmar.agn
  • Ksetup.exe can be downloaded from Microsoft support websites

  19. Practical implementation on Windows domain
  • Define the host realm as a trusted domain (TRUST) in the Windows domain controller
  • Add entries in DNS for the host realm, including the password

  20. Practical implementation on z/OS
  • Create host REALM
    • RDEFINE REALM KERBDFLT KERB(KERBNAME(host realm name) PASSWORD(…) ticket lifetime parameters)
    • Ex: rdefine realm kerbdflt kerb(kerbname(es1.sidmar.agn) password(…) mintktlfe(15) deftktlfe(36000) maxtktlfe(86400))
  • Add the KERBDFLT profile in the REALM RACF class for the local realm

  21. Practical implementation on z/OS
  • Add Kerberos trust definitions (in pairs)
    • RDEFINE REALM /.../host realm/krbtgt/windows realm KERB(PASSWORD(……))
    • Ex: rdefine realm /.../es1.sidmar.agn/krbtgt/sidmar.be kerb(password(…))
    • RDEFINE REALM /.../windows realm/krbtgt/host realm KERB(PASSWORD(……))
    • Ex: rdefine realm /.../sidmar.be/krbtgt/es1.sidmar.agn kerb(password(…))

  22. Practical implementation on z/OS
  • Define each DB2 as a local Kerberos principal
    • ALTUSER db2stc-userid PASSWORD(…) NOEXPIRED KERB(KERBNAME(db2/db2stc-userid))
    • Ex: altuser omvsdb2p password(…) noexpired kerb(kerbname(db2/omvsdb2p))
  • KERBNAME = local principal name
  • The principal is defined as a RACF user with a KERBEROS segment

  23. Practical implementation on z/OS
  • Start Kerberos started task SKRBKDC:
    //*********************************************************************
    //*                                                                   *
    //* Procedure for starting the Kerberos Security Server               *
    //*                                                                   *
    //*********************************************************************
    //SKRBKDC  PROC REGSIZE=256M,OUTCLASS='R'
    //*--------------------------------------------------------------------
    //GO       EXEC PGM=EUVFSKDC,REGION=&REGSIZE,TIME=1440,
    //         PARM=('ENVAR("LANG=En_US.IBM-1047"),TERM(DUMP)              X
    //             / 1>DD:STDOUT 2>DD:STDERR')
    //**STEPLIB DD DISP=SHR,DSN=EUV.SEUVFLNK
    //STDOUT   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
    //         FREE=END,SPIN=UNALLOC
    //STDERR   DD SYSOUT=&OUTCLASS,DCB=LRECL=250,
    //         FREE=END,SPIN=UNALLOC
    //SYSOUT   DD SYSOUT=&OUTCLASS,
    //         FREE=END,SPIN=UNALLOC
    //CEEDUMP  DD SYSOUT=&OUTCLASS,
    //         FREE=END,SPIN=UNALLOC

  24. Practical implementation on z/OS
  • Start Kerberos started task SKRBKDC:
    EUVF04001I Security server version 3.16, Service level 0000000.
    EUVF04002I Security runtime version 3.16, Service level 0000000.
    EUVF04158I Kerberos KDC services are enabled.
    EUVF04069I Listening for requests on network interface 176.132.15.8.
    EUVF04069I Listening for requests on network interface 176.132.15.20.
    EUVF04069I Listening for requests on network interface 176.132.15.25.
    EUVF04069I Listening for requests on network interface 176.132.15.7.
    EUVF04069I Listening for requests on network interface 176.132.15.23.
    EUVF04069I Listening for requests on network interface 176.132.15.16.
    EUVF04069I Listening for requests on network interface 176.132.15.24.
    EUVF04069I Listening for requests on network interface 176.132.15.6.
    EUVF04069I Listening for requests on network interface 176.132.38.8.
    EUVF04069I Listening for requests on network interface 176.132.35.1.
    EUVF04069I Listening for requests on network interface 176.133.8.24.
    EUVF04069I Listening for requests on network interface 176.132.8.1.
    EUVF04058I System SYSM has joined the Kerberos security server group.
    EUVF04058I System SYSE has joined the Kerberos security server group.

  25. Practical implementation on z/OS
  • Map Windows users to RACF userids, used as primary authorization ID in DB2
    • RDEFINE KERBLINK /.../foreign realm name/foreign principal name APPLDATA('racf userid')
    • Ex: rdefine kerblink /.../sidmar.be/siddago appldata('siddago')
  • KERBLINK = foreign principal
  • The local principal is defined as a RACF user with a KERBEROS segment
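The z/OS steps of slides 20 to 25 form one procedure, and several of its failure modes are silent: a trust defined in one direction only, a KERBLINK without an APPLDATA userid, or a target principal catalogued on the workstations (slide 16) that no RACF user carries as KERBNAME. The following added example (not code from the presentation, and not a RACF tool) reads the RDEFINE/ALTUSER commands as typed on those slides and cross-checks them against the catalogued target principals. The command text is a constructed sample modelled on the talk's examples, with placeholder passwords, one deliberately unpaired trust (test.sidmar.be) and one KERBLINK without APPLDATA; the second target principal (db2/omvsdb2t) is also constructed.

```python
# Consistency check of the RACF Kerberos definitions from slides 20-25 (added
# example; not code from the presentation). It parses the RDEFINE/ALTUSER
# commands as typed and checks that the local realm exists, that cross-realm
# trusts come in pairs, that every KERBLINK maps to a RACF userid in a trusted
# realm, and that each target principal used by the workstations is defined.
import re

# Constructed sample modelled on the talk's commands; passwords are placeholders
# and one trust and one KERBLINK are deliberately incomplete.
RACF_COMMANDS = """\
rdefine realm kerbdflt kerb(kerbname(es1.sidmar.agn) password(xxxxxxxx) mintktlfe(15) deftktlfe(36000) maxtktlfe(86400))
rdefine realm /.../es1.sidmar.agn/krbtgt/sidmar.be kerb(password(xxxxxxxx))
rdefine realm /.../sidmar.be/krbtgt/es1.sidmar.agn kerb(password(xxxxxxxx))
rdefine realm /.../es1.sidmar.agn/krbtgt/test.sidmar.be kerb(password(xxxxxxxx))
altuser omvsdb2p password(xxxxxxxx) noexpired kerb(kerbname(db2/omvsdb2p))
rdefine kerblink /.../sidmar.be/siddago appldata('siddago')
rdefine kerblink /.../sidmar.be/nobody
"""

# Target principals as catalogued on the workstations (slide 16); the second is constructed.
TARGET_PRINCIPALS = ["db2/omvsdb2p@ES1.SIDMAR.AGN", "db2/omvsdb2t@ES1.SIDMAR.AGN"]

LOCAL_RE = re.compile(r"^rdefine\s+realm\s+kerbdflt\b.*?kerbname\(([^)]+)\)", re.I)
TRUST_RE = re.compile(r"^rdefine\s+realm\s+/\.\.\./([^/\s]+)/krbtgt/(\S+)", re.I)
DB2_RE = re.compile(r"^altuser\s+(\S+)\b.*?kerb\(.*?kerbname\(([^)]+)\)", re.I)
LINK_RE = re.compile(r"^rdefine\s+kerblink\s+/\.\.\./([^/\s]+)/(\S+)(?:.*?appldata\(['\u2018]?([^'\u2019)]+))?", re.I)


def parse_racf(text):
    """Collect local realm, trust pairs, DB2 principals and KERBLINK mappings."""
    cfg = {"local": None, "trusts": set(), "db2": {}, "links": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := LOCAL_RE.match(line):
            cfg["local"] = m.group(1).lower()
        elif m := TRUST_RE.match(line):
            cfg["trusts"].add((m.group(1).lower(), m.group(2).lower()))
        elif m := DB2_RE.match(line):
            cfg["db2"][m.group(2).lower()] = m.group(1).lower()   # kerbname -> RACF user
        elif m := LINK_RE.match(line):
            userid = (m.group(3) or "").strip().lower() or None
            cfg["links"][f"{m.group(2)}@{m.group(1)}".lower()] = userid
    return cfg


def lint(cfg, target_principals):
    """Return human-readable findings; an empty list means the definitions are consistent."""
    findings = []
    local = cfg["local"]
    if not local:
        findings.append("no local realm: RDEFINE REALM KERBDFLT ... KERBNAME(...) is missing")
    for a, b in sorted(cfg["trusts"]):
        if (b, a) not in cfg["trusts"]:
            findings.append(f"trust {a} -> {b} has no reverse definition {b} -> {a}")
    for principal, userid in cfg["links"].items():
        realm = principal.split("@", 1)[1]
        if not userid:
            findings.append(f"KERBLINK {principal} has no APPLDATA RACF userid")
        if local and (local, realm) not in cfg["trusts"]:
            findings.append(f"KERBLINK {principal}: realm {realm} is not trusted by {local}")
    for tp in target_principals:
        name, _, realm = tp.partition("@")
        if local and realm.lower() != local:
            findings.append(f"{tp}: realm is not the local host realm {local}")
        if name.lower() not in cfg["db2"]:
            findings.append(f"{tp}: no RACF user with KERB(KERBNAME({name}))")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_racf(RACF_COMMANDS), TARGET_PRINCIPALS):
        print(finding)
```

The check is a plan-level sanity pass over the commands before they are issued; it does not talk to RACF and says nothing about whether the passwords in the trust pair actually match on the Windows side, which only a test logon (slide 17) shows.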

  26. Practical implementation on z/OS
  • Map Windows users to RACF userids
  • Each time the RACF password changes, a new key is generated to be used in the encrypted ticket

  27. STATUS today
  • Workstations:
    • New DB2 Connect package distributed with additional database entries
    • KSETUP.exe executed at login
  • Windows domain:
    • Host REALM defined as trusted realm
    • DNS entries added
  • z/OS:
    • Host realm created
    • Trusted pair with Windows realm
    • Different DB2s defined as local Kerberos principals
    • Kerberos started task running
    • Windows users mapped to RACF userids

  28. Next
  • Inform developers and end users about the new DB2 data sources
  • Convert applications with hardcoded userid/password:
    • Change connection string
    • Add DB2 authorizations to tables
    • Define new RACF userids with Kerberos segment
  • Revoke DB2 Connect application users
  • Use Kerberos also for FTP

  29. More info
  • RACF documentation
  • DB2 Connect documentation
  • SHARE presentation by Paul de Graaff: OS/390 Security Server (RACF) Interoperability with Windows 2000 Case Studies
  • IBM Redbook SG24-6540-00: Putting the Latest z/OS Security Features to Work

  30. Questions?
  • Email: davy.goethals@arcelormittal.com
