
PART 16-A AS/400 ARCHITECTURE & SECURITY

Leen van Rij


KPMG IRM / Vrije Universiteit Amsterdam, 31 March 2003

File 16-A AS/400 architecture & security, 2003

CONTENTS

LvR/VU MAR/2003

- History
- Architecture
- Application System/400 and Operating System/400 (AS/400 and OS/400)
- Physical security
- Logical security levels
- Object management
- Security implementation
- Special security features
- Auditing (Part X, only for the AS/400 auditor)

Note: AS/400 = hardware, OS/400 = operating system.
AS/400 architecture & security 2

CONTENTS (DETAILED)
- Contents, literature, highlights
- History, architecture, communication support, machine interface
- AS/400 database system, integrated file system, single level storage
- Object oriented design, object types
- Physical security
- Logical security levels, integrity checking
- Special authorizations, user classes, pre-defined user profiles
- User profile, group profile, group structure
- Object header authority, object data authority, object authority, authority grouping
- Public authorization, private authority, authorization list
- Authorization check flow
- Adopted security
- Dedicated service tools
- Journaling
- Security definition interface
- Only for the AS/400 auditor: limited users, library security, physical versus logical file security, authority holder, adopted security, journaling

OPTIONAL LITERATURE
- IBM, AS/400 System Concepts
- IBM, AS/400 Security Concepts & Planning
- IBM, AS/400 Guide to Enabling C2 Security
- IBM, Application System/400 Technology
- Ernst & Young, A Practical Approach to Logical Access Control, McGraw-Hill (1993); see the chapter on AS/400 access control
- Ernst & Young, Technical Reference Series: Audit, Control and Security of the IBM AS/400 (1994); description, control objectives, audit questions
- Fred de Koning et al., Beveiliging en controle in een AS/400-omgeving (Security and control in an AS/400 environment), Paardekooper & Hoffman (1995)

STRUCTURE OF THE ERNST & YOUNG AS/400 AUDIT REFERENCE
- Overview: hardware, software, logical access path, utilities, backup and recovery, objects, libraries, initial menus and programs
- System security: system keylock, system values, authorities, user and group profiles, authorization lists, etc.
- Procedural and administrative controls
- For each area: control concerns and examples

TOPOLOGY OF SECURITY LAYERS
From the outside in, an end user reaches the data through these layers:
- Network security (the "front door")
- Security in the system or service
- Security in the application
- Access control in the operating system: the Trusted Computing Base (TCB), certified against US Department of Defense standards
- Hardware
- Physical security of the computing centre and its staff

Measures depend upon the security objectives and the enterprise's security strategy.

Note: the security measures in the network, services and applications may rely on the access control in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are configured and used.

ACCESS PATH WITHIN AS/400 (MEY MODEL)
(AS/400 model, see the Ernst & Young book on logical access control.) End users and MIS personnel reach the data along the same path:
1. OS/400 communication functions
2. User profiles (identification and authentication)
3. Initial menu
4. Application software, command processors, tools and utilities
5. OS/400 database management functions
6. Object security
7. DATA

HIGHLIGHTS FOR THE EDP AUDITOR
1. Appropriate security level active
2. Identification and authentication (user and group profiles)
3. Special authorizations
4. Public and specific authorization (including authorization lists)
5. Dedicated Service Tools
6. Journaling

HISTORY OF APPLICATION SYSTEM/400 (AS/400)
Announcement years:
- 1977 System/34
- 1978 System/38 (database integrated in the operating system; the architectural ancestor of the AS/400)
- 1983 System/36
- 1988 AS/400 (merging the System/36 and System/38 lines), later CISC models (the slide lists the AS/400-Y10)
- 1995 PowerPC-based (RISC) AS/400, 64-bit

ARCHITECTURE AS/400: HARDWARE BLOCK DIAGRAM
The system processor and main storage sit on a system bus; Bus Control Units (BCU) connect the bus to I/O Bus Units (IOBU) that drive displays, printers, communication lines and DASD; Bus Extension Units (BEU) extend the bus to further BCUs.
  DASD = Direct Access Storage Device (disks)
  BCU  = Bus Control Unit
  IOBU = I/O Bus Unit (communication controller)
  BEU  = Bus Extension Unit

ARCHITECTURE
- Until 1995 the system processor was an IBM-proprietary CISC design (the IMPI instruction set). It had a 32-bit data path and 48-bit addressing, enough to address 2^48 bytes = 281 terabytes.
- The addressing architecture was designed for 64-bit addresses, which are fully implemented in the newer systems built on the PowerPC architecture.

PHYSICAL CONNECTION PROTOCOLS
For communication purposes the AS/400 supports a variety of data link and network protocols on the physical layer. A standard port is used for Electronic Customer Support (ECS); optional adapters support:
- ASYNC (asynchronous), BSC (Binary Synchronous Communication), SDLC (Synchronous Data Link Control)
- X.21, X.25, X.31, V.24, V.35 and V.36
- ISDN (Integrated Services Digital Network)
- Twinaxial Data Link Control
- Ethernet, Token-Ring, FDDI (Fiber Distributed Data Interface), wireless LAN
- Fax (V.34)
(The slide places these in the SNA layer stack: transaction services, presentation services, data flow control, transmission control, path control, data link control, physical control; the physical connection is the bottom layer.)

NETWORK PROTOCOLS
To manage network access the AS/400 supports the most common network protocols (the logical connection: the path, transmission and data flow control layers of the stack):
- Asynchronous
- Binary Synchronous Communications (BSC)
- Systems Network Architecture (SNA) and Advanced Peer-to-Peer Networking (APPN)
- Transmission Control Protocol/Internet Protocol (TCP/IP)
- Open Systems Interconnection (OSI)
- Multiprotocol Transport Networking (MPTN)

APPLICATION COMMUNICATION PROTOCOLS
To let applications use the network, the AS/400 supports call interfaces and application protocols such as:
- Advanced Program-to-Program Communications (APPC), SNA Distribution Services (SNADS), Distributed Relational Database Architecture (remote data access), Object Distribution Facility (ODF)
- Open Systems Interconnection (OSI)
- Client Access/400
- TCP/IP family: TCP, UDP, FTP, SMTP, SNMP, LPR/LPD (Line Printer Requester/Line Printer Daemon), TELNET
Each of these is a separate entry point into the system; the object authorities described later apply to all of them, but the initial menu and initial program of a user profile only apply to interactive sign-on.

MACHINE INTERFACE AS/400
Layering, from top to bottom:
- Applications, compilers, utilities
- Operating System/400 (OS/400)
- Machine interface (MI): the only instruction set visible above this line
- Vertical microcode
- Horizontal microcode
- Hardware
Vertical microcode, horizontal microcode and hardware together form the high-level machine.

MACHINE INTERFACE AS/400 ...
- The AS/400 is a layered architecture machine: to use the hardware only high-level machine instructions are available.
- The high-level machine instructions are understood by the VERTICAL MICROCODE layer and translated into basic machine instructions.
- The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and passed to the hardware, which executes them.
- The vertical and horizontal microcode layers together with the hardware are called the HIGH-LEVEL MACHINE.
- With the PowerPC architecture there is only one layer of microcode (the System Licensed Internal Code, SLIC) implementing the machine interface.

The three machine layers, called the high-level machine, also provide many functions normally implemented in the operating system:

  Traditional system                    AS/400
  Operating system:                     OS/400
    task management                     Machine interface (high-level machine):
    resource management                   task management
    storage management                    resource management
    database management                   storage management
    security management, etc.             data access and database management
  Hardware (machine interface)            security management, etc.
                                        Hardware

Note: implementing functions in microcode benefits system performance. For security it means that object authority checking sits below the machine interface and, at security level 40 and above, cannot be bypassed by application programs.

INTEGRATED DATABASE SYSTEM
- The AS/400 has an integrated database management system; it is a BASE feature of the AS/400.
- Within the AS/400, database access is only possible through ONE application programming interface (API). Access security is enforced by this interface and there is no redundant access control mechanism: there is only one focal point for access control.
- The database is built on two concepts: physical files, which contain the data, and logical files, which define an alternative view (subset, ordering, join) of the records and fields.
- The user, when authorized, can access the data directly through the physical file or through a logical file.
- The AS/400 database is also used as physical storage by DB2/400, which extends the database features.

INTEGRATED DATABASE SYSTEM ...
The AS/400 can be used as a database server. To connect to the AS/400 database, protocols from different vendors are supported:
- Open Database Connectivity (ODBC) from Microsoft
- Data Access Language (DAL) from Apple
- SQL*Connect (SQL CON) from Oracle
- Distributed Relational Database Architecture (DRDA) from IBM
(Slide figure: system A with database X connected to system B, an AS/400 with database Y.)

INTEGRATED FILE SYSTEM (IFS)
To extend the use of the AS/400, file server architectures from different vendors are handled by the integrated file system, which supports a set of industry-standard APIs to stream files and a hierarchical directory. File systems supported by the AS/400:
- Root (/) file system: OS/2, DOS and Windows NT compatible
- QOpenSys file system: POSIX, XPG, UNIX compatible (case-sensitive names)
- QLANSrv file system: OS/2 LAN Server compatible
- QSYS.LIB: the traditional library/object structure, reachable through the same interface and governed by the same object authorities
(Slide figure: AS/400 file system X and file system Y reached through one interface.)

SINGLE LEVEL STORAGE: A DIFFERENT ARCHITECTURE
- Traditional mainframe (OS/390): an address space per user (2 GB each) and separate data sets on disk.
- AS/400 (OS/400): one virtual address space of 2^64 bytes (about 16 million terabytes) in which every object (programs, screens, data) lives; DASD is only the backing store. Everything is in one virtual address space.

SINGLE LEVEL STORAGE
The AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN and AUXILIARY storage appear contiguous to an end user and to an application.
  System processor -> VAT -> main storage <-> (paging) <-> auxiliary storage on DASD
  VAT = Virtual Address Translation
  DIR = directory used by the VAT to keep track of virtual storage contents
Note: when data or instructions are needed by the system processor they are brought into main storage. When main storage runs short, data and instructions no longer needed are paged back to auxiliary storage on DASD.

SINGLE LEVEL STORAGE ...
AS/400 single-level storage makes data storage independent of device types. All data, including programs, source, data, databases etc., are mapped into this single virtual address space.
(Slide figure: the AS/400 virtual address space holding objects such as programs A123, A143 and XG63, data 5RF and GFHJ, commands AB6 and UY, menus 567 and 765, queues, etc., up to the maximum space.)

OBJECT ORIENTED DESIGN
Definition: everything on the system that can be stored or retrieved is contained in an object. The high-level machine is designed to treat everything the same through the use of a generic object structure.

General object structure:
- OBJECT HEADER (control information): object type, owner, public authority, etc.
- FUNCTIONAL OBJECT (data): data records, programs, sources, etc.

The header can only be changed through system interfaces; at security level 40 and above the machine enforces this, which is what makes the authority information in the header trustworthy.

OBJECT TYPES
To store information on the AS/400 there are 73 defined object types (the slide's count), e.g.:

  Type                          Contents
  Library (*LIB)                object names (like a directory)
  Data file (*FILE)             data records (database records)
  Program (*PGM)                executable programs
  Source (source physical file) source of programs (COBOL, Pascal, C, etc.)
  User profile (*USRPRF)        user identification and privileges
  Journal (*JRN)                logging records
  Job queue (*JOBQ)             jobs waiting to run
  Output queue (*OUTQ)          output from jobs
  Device description (*DEVD)    device parameters
  Job description (*JOBD)       job control parameters

OBJECT ADMINISTRATION
(Slide figure.) The object search starts in the system library QSYS, which names LIBRARY 1, LIBRARY 2 and LIBRARY 3. LIBRARY 1 names OBJECT X (with members A, B and C) and OBJECT Y; LIBRARY 2 names the database objects K, L and M; LIBRARY 3 holds OBJECT Z. A library is itself an object that holds the names (addresses) of other objects; an object is found by searching the libraries in the job's library list.

KEYLOCK SWITCH
On the front panel of the AS/400, operated with a physical key (to be stored safely). Positions: SECURE, AUTO, NORMAL, MANUAL.

  Function                  SECURE   AUTO   NORMAL   MANUAL
  Power-down command        yes      yes    yes      yes
  Remote or timed IPL       no       yes    yes      no
  Main-switch IPL           no       no     yes      yes
  Attended IPL              no       no     no       yes

Note: in position MANUAL an attended IPL can be performed and the special service tools (Dedicated Service Tools) become available. The key should normally be in SECURE or AUTO and kept away from the machine: whoever holds it can reach DST, which can reset the QSECOFR password and thus bypass the logical controls.

LOGICAL SECURITY LEVELS
The AS/400 is designed to activate different levels of security, controlled by the system value QSECURITY:
  10 - no security (no longer selectable on later releases)
  20 - user ID and password checking
  30 - object authorization verification (resource security)
  40 - programs must use the AS/400 call interfaces (integrity protection)
  50 - DoD C2-style enhanced integrity protection

Note: to guarantee data integrity the security administrator must set at least QSECURITY 30 (resource security) before users are given access; level 40 is the minimum at which application programs cannot bypass the authority checks. The value is changed with CHGSYSVAL SYSVAL(QSECURITY) VALUE('40') and takes effect at the next IPL.

DESCRIPTION OF SECURITY LEVELS
- 10: no security at all. A user profile is automatically created when an unknown user signs on.
- 20: a user profile and password must be defined prior to sign-on. Every user class receives ALLOBJ special authority by default, so there is no resource security.
- 30: like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate authority to use a resource.
- 40: like 30, but the machine interface cannot be used directly by user programs; it can only be reached through the AS/400 call interfaces (system-state programs and APIs). All access is checked by the system, and attempts to bypass it are logged in the audit journal when auditing (*PGMFAIL) is active.
- 50: extends level 40 to meet the DoD C2 classification: user programs may only interact with each other through defined interfaces, user-domain objects can be restricted to specific libraries (QALWUSRDMN), parameters passed to system programs are validated, and message handling between user and system state is restricted. Bypassing the journaling of an object access is no longer possible.

INTEGRITY CHECKING: ISOLATION
The AS/400 has system-state and user-state programs.
- Security level 10, 20 and 30: user and system programs can freely interact with the high-level machine.
- Security level 40: a user program must use the APIs (application program interfaces) to interact with a system program.
- Security level 50: a user program must also use the APIs to interact with another user program.

INTEGRITY CHECKING ...
(Slide figure, summarised.) System-state domain to system-state domain: no integrity problem. User-state domain to system-state domain: an integrity problem when not checked, so at level 40 the API must be used. User-state domain to user-state domain: intentionally not checked and not journaled below level 50; level 50 enforces the use of APIs within the user domain as well.

SPECIAL AUTHORIZATIONS
Within the AS/400 there are authorities with a system-wide scope (the real names carry a leading asterisk, e.g. *ALLOBJ). When a user is defined with a special authority he or she is able to:

  Privilege   Authorized to do
  ALLOBJ      access every object on the system (all object and data authorities)
  SECADM      create, change and delete user profiles
  SAVSYS      save and restore any object, regardless of object authority
  JOBCTL      manipulate jobs on the system (hold, release, end other users' jobs)
  SPLCTL      all spool functions on all output queues, regardless of their authority
  SERVICE     service functions, including the system service tools
  AUDIT       audit-related functions (change the auditing system values and object auditing)
  IOSYSCFG    change the system (communication) configuration

USER CLASSES
(Slide figure: a Venn diagram of the special authorities ALLOBJ, SECADM, SAVSYS, JOBCTL, SPLCTL, SERVICE and IOSYSCFG held by the user classes SECOFR, SECADM, SYSOPR, PGMR and USER; the same information appears in the table that follows.)

USER CLASSES ...
Special authorities can be grouped together; such a grouping is called a USER CLASS (USRCLS). The default special authorities per class depend on the security level:

  Special authority   *SECOFR   *SECADM   *PGMR   *SYSOPR   *USER
  ALLOBJ              all       10/20     10/20   10/20     10/20
  SECADM              all       all
  SAVSYS              all       10/20     10/20   all       10/20
  JOBCTL              all       10/20     10/20   all
  SPLCTL              all
  SERVICE             all
  AUDIT               all
  IOSYSCFG            all

Note: "10/20" means the authority is assigned automatically only when security level 10 or 20 is active; "all" means at every level, including 30, 40 and 50. The defaults apply when the profile is created with SPCAUT(*USRCLS); an explicit SPCAUT list overrides them, so the user class alone does not tell the auditor what a profile can do (DSPUSRPRF shows the effective list).
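To make the table usable in an audit, the following Python model (added here as an illustration; it is not IBM code, and the profile names, the SAMPLE dictionary layout and the function names are this example's own) resolves the special authorities a profile effectively holds from its user class, its explicit SPCAUT, its group profiles and the QSECURITY level, and lists who ends up with ALLOBJ. Running it for level 20 and level 40 shows why the security level matters as much as the profiles themselves.

```python
# Added example (not IBM code): resolves the special authorities a profile
# effectively holds from its user class, its explicit SPCAUT, its group
# profiles and the QSECURITY level, using the user-class table above.
# Profile names and the dict layout are this example's own invention.

SPECIAL = ["ALLOBJ", "SECADM", "JOBCTL", "SPLCTL", "SAVSYS", "SERVICE", "AUDIT", "IOSYSCFG"]

# Default special authorities per user class: "all" = at every security level,
# "10/20" = only when QSECURITY is 10 or 20 (the table above).
CLASS_DEFAULTS = {
    "*SECOFR": {a: "all" for a in SPECIAL},
    "*SECADM": {"SECADM": "all", "ALLOBJ": "10/20", "SAVSYS": "10/20", "JOBCTL": "10/20"},
    "*PGMR":   {"ALLOBJ": "10/20", "SAVSYS": "10/20", "JOBCTL": "10/20"},
    "*SYSOPR": {"SAVSYS": "all", "JOBCTL": "all", "ALLOBJ": "10/20"},
    "*USER":   {"ALLOBJ": "10/20", "SAVSYS": "10/20"},
}


def class_defaults(user_class, qsecurity):
    """Special authorities a profile gets from SPCAUT(*USRCLS) at this level."""
    return {a for a, when in CLASS_DEFAULTS[user_class].items()
            if when == "all" or qsecurity in (10, 20)}


def effective_special(name, profiles, qsecurity):
    """profiles[name] is a dict with USRCLS, SPCAUT ('*USRCLS' or a list) and
    optionally GRPPRF (list of group profile names). A member also holds every
    special authority of its group profiles, so those are merged in."""
    prf = profiles[name]
    own = (class_defaults(prf["USRCLS"], qsecurity) if prf["SPCAUT"] == "*USRCLS"
           else set(prf["SPCAUT"]))
    for group in prf.get("GRPPRF", []):
        own |= effective_special(group, profiles, qsecurity)
    return own


def allobj_holders(profiles, qsecurity):
    """Audit check: every profile that ends up with ALLOBJ (the 'superuser' set)."""
    return sorted(n for n in profiles if "ALLOBJ" in effective_special(n, profiles, qsecurity))


# Constructed sample population, as DSPUSRPRF would describe it.
SAMPLE = {
    "QSECOFR": {"USRCLS": "*SECOFR", "SPCAUT": "*USRCLS"},
    "OPER":    {"USRCLS": "*SYSOPR", "SPCAUT": "*USRCLS"},
    "DEV":     {"USRCLS": "*PGMR",   "SPCAUT": "*USRCLS"},
    "JANE":    {"USRCLS": "*USER",   "SPCAUT": "*USRCLS"},
    "GRPADM":  {"USRCLS": "*USER",   "SPCAUT": ["SECADM"]},            # group, explicit list
    "JOHN":    {"USRCLS": "*USER",   "SPCAUT": "*USRCLS", "GRPPRF": ["GRPADM"]},
}

if __name__ == "__main__":
    for level in (20, 40):
        print(f"QSECURITY {level}: ALLOBJ held by {allobj_holders(SAMPLE, level)}")
    print("JOHN at level 40:", sorted(effective_special("JOHN", SAMPLE, 40)))
```

At level 20 every *USRCLS-based profile in the sample, including the ordinary user JANE, holds ALLOBJ; at level 40 only QSECOFR does, and JOHN's SECADM comes from his group profile rather than from his own class.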

PRE-DEFINED USER PROFILES
When the AS/400 is installed there are 6 predefined user profiles that can sign on to the system; they are used to create the other user profiles. The 6 default user IDs are QSECOFR, QPGMR, QSYSOPR, QSRV, QSRVBAS and QUSER.
Note: the passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized user IDs; the shipped QSECOFR password (QSECOFR) is documented and therefore public knowledge. The ANZDFTPWD command lists every profile whose password still equals its profile name.

USER PROFILE
With security level 20 or higher a user can only access the system if a user profile is defined. A user profile is created through a panel interface or with the CRTUSRPRF command. The user profile is an object (*USRPRF); its contents include (partial list):
- User ID (profile name)
- Password and password expiration (PASSWORD, PWDEXP, PWDEXPITV)
- User class (USRCLS)
- Special authority (SPCAUT)
- Group profile (GRPPRF) and up to 15 supplemental groups (SUPGRPPRF): 16 groups in total
- Initial program (INLPGM), initial menu (INLMNU), current library (CURLIB)
- Limited capability (LMTCPB)
- Accounting code (ACGCDE)

AUTHENTICATION
System-wide password syntax options (system values):
  QPWDMINLEN   minimum password length
  QPWDMAXLEN   maximum length (up to 10 characters at password level 0)
  QPWDRQDDIF   new password must differ from previous passwords (value 1 = the last 32; 0 = no check)
  QPWDLMTCHR   up to 10 characters that are not allowed in a password
  QPWDPOSDIF   each character in the new password must differ from the character in the same position in the old one
  QPWDLMTREP   characters may not be used more than once (1) or not consecutively (2)
  QPWDLMTAJC   digits 0 to 9 may not be adjacent to one another
  QPWDRQDDGT   at least one digit required
  QPWDVLDPGM   user-written password validation (exit) program

Other system-wide password options:
  QPWDEXPITV   maximum number of days a password is valid
  QMAXSIGN     maximum number of unsuccessful sign-on attempts (QMAXSGNACN defines what happens then: disable the device, the profile, or both)
  QDSPSGNINF   display date/time of last sign-on and the number of invalid attempts after a successful sign-on

Note: the QPWDVLDPGM exit program receives the new password in clear text. The program and its library must be protected so that only the security officer can replace it, otherwise it becomes a password-capture point.
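The rules above interact (a banned character, a repeated digit and a position match can all fail one candidate at once), so the following Python checker is added as an illustration of how the QPWD* values are applied together. It is not IBM code: the function name, the DEFAULT_SYSVALS choices and the "CHARSET" tag are this example's own, while the value semantics follow the descriptions above and the password-level-0 character set (A-Z, 0-9, $, @, #, _, not starting with a digit).

```python
# Added example (not IBM code): checks a proposed password against the QPWD*
# system values listed above, the way sign-on/CHGPWD processing applies them.
# The function name, the DEFAULT_SYSVALS choices and the "CHARSET" tag are
# this example's own; the system-value semantics are as described above.
import re

# QPWDRQDDIF: 0 = no history check; 1..8 = must differ from the last
# 32, 24, 18, 12, 10, 8, 6 or 4 passwords respectively.
RQDDIF_HISTORY = {0: 0, 1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}

# Password level 0 character set: A-Z, 0-9, $, @, #, _; first character not a digit.
ALLOWED = re.compile(r"^[A-Z$@#_][A-Z0-9$@#_]*$")

DEFAULT_SYSVALS = {
    "QPWDMINLEN": 6, "QPWDMAXLEN": 10, "QPWDRQDDIF": 1,
    "QPWDLMTCHR": "AEIOU",      # vowels banned, a common choice against dictionary words
    "QPWDPOSDIF": 1, "QPWDLMTREP": 2, "QPWDLMTAJC": 1, "QPWDRQDDGT": 1,
}


def check_password(new, history, sysvals=None):
    """Return the names of the violated system values ([] = accepted).
    history: the user's previous passwords, most recent (current) first."""
    v = {**DEFAULT_SYSVALS, **(sysvals or {})}
    new = new.upper()
    old = history[0].upper() if history else ""
    errors = []
    if not ALLOWED.match(new):
        errors.append("CHARSET")
    if len(new) < v["QPWDMINLEN"]:
        errors.append("QPWDMINLEN")
    if len(new) > v["QPWDMAXLEN"]:
        errors.append("QPWDMAXLEN")
    depth = RQDDIF_HISTORY[v["QPWDRQDDIF"]]
    if depth and new in (p.upper() for p in history[:depth]):
        errors.append("QPWDRQDDIF")
    banned = v["QPWDLMTCHR"].upper()
    if banned != "*NONE" and any(c in banned for c in new):
        errors.append("QPWDLMTCHR")
    if v["QPWDPOSDIF"] and any(a == b for a, b in zip(new, old)):
        errors.append("QPWDPOSDIF")
    pairs = list(zip(new, new[1:]))          # adjacent character pairs
    if v["QPWDLMTREP"] == 1 and len(set(new)) != len(new):
        errors.append("QPWDLMTREP")          # no character may repeat at all
    elif v["QPWDLMTREP"] == 2 and any(a == b for a, b in pairs):
        errors.append("QPWDLMTREP")          # no consecutive repeats
    if v["QPWDLMTAJC"] and any(a.isdigit() and b.isdigit() for a, b in pairs):
        errors.append("QPWDLMTAJC")
    if v["QPWDRQDDGT"] and not any(c.isdigit() for c in new):
        errors.append("QPWDRQDDGT")
    return errors


if __name__ == "__main__":
    # constructed sample: current password AB7QPLM, one older password TRN3KP8
    for pw in ("KPMG2003", "XY7QZ4W", "TRN3KP8"):
        print(pw, check_password(pw, ["AB7QPLM", "TRN3KP8"]) or "accepted")
```

With the defaults, KPMG2003 fails on the repeated and adjacent digits, XY7QZ4W fails only because the 7 sits in the same position as in the current password, and TRN3KP8 is rejected solely because it is still in the history; relaxing QPWDRQDDIF to 0 makes the last one acceptable, which is exactly the kind of weakening an auditor should look for in the system values.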

GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in another user profile. Its contents (partial list):
- User ID: the group name
- User class: the class for the group
- Group: *NONE (a group cannot itself belong to a group)
- Password: *NONE, so nobody can sign on as the group; password expiration is therefore not relevant
- Special authority: for the group, inherited by all members
- Initial program, initial menu, current library, accounting code, limited capability: not relevant

GROUP STRUCTURE
(Slide figure.) Group profiles GROUP A and GROUP B; user A1 has Group=A, user A2 has Group=A,B, users B1 and B2 have Group=B.
The groups are independent definitions and do not have any relation to one another. A user can be a member of at most 16 groups (one primary group plus 15 supplemental groups).

OBJECT HEADER AUTHORITY
The AS/400 is object oriented: all stored information is contained in an object, consisting of a header and functional data. Three authorities control the header information; they are specific for every user/object combination. The user may:

  Authority   Access right to the header
  OBJOPR      use / look at the object information (object operational; prerequisite for any use of the data)
  OBJMGT      grant other users authority to the object, rename or move it (object management)
  OBJEXIST    totally control the object: delete, save and restore, transfer ownership (object existence)

Later releases added OBJALTER (alter attributes, e.g. add triggers) and OBJREF (reference the object in a constraint) to the object authorities.

OBJECT DATA AUTHORITY
Before accessing the contents (functional data) of an object, the user must have at least OBJOPR authority to the object. If so, data access is controlled with five different authorities:

  Authority   Access right to the functional data
  READ        read the entries of the functional data
  ADD         add entries to the functional data
  UPD         update entries of the functional data
  DLT         delete entries of the functional data
  EXECUTE     only run the program (or search the library or directory)

OBJECT AUTHORITY
To get access to an object the user first needs authority to the header (OBJOPR) before he or she is allowed to access the data part. To read the data the user needs, in addition to OBJOPR, at least READ authority to the data part. (Slide figure: an object whose PUBLIC authority is OBJOPR and READ; in this example all users have read access to the data.)

OBJECT AUTHORITY GROUPING
(Slide figure: a Venn diagram showing USE as the smallest set (OBJOPR, READ), CHANGE adding UPD, ADD and DLT, and ALL adding OBJMGT and OBJEXIST; the table that follows gives the same combinations.)

OBJECT AUTHORITY GROUPING ...
Object header and functional data authorities can be grouped into system-defined values that control access to the object:

  Combination    Object authority             Data authority
  *USE           OBJOPR                       READ, EXECUTE
  *CHANGE        OBJOPR                       READ, ADD, UPD, DLT, EXECUTE
  *ALL           OBJOPR, OBJMGT, OBJEXIST     READ, ADD, UPD, DLT, EXECUTE
  *EXCLUDE       access always denied (an explicit entry, which is stronger than simply having no authority)
  *LIBCRTAUT     at creation, take the public authority from the CRTAUT value of the library the object is created in
  user defined   any other combination of the individual authorities

PUBLIC AUTHORIZATION
When most users must have the same authority to an object, that authority is set in the object header. It is called PUBLIC authority (*PUBLIC) and is given to the object at creation, from the AUT parameter of the create command or, with AUT(*LIBCRTAUT), from the CRTAUT value of the library. (Slide figure: object header with object type, owner and PUBLIC authority USE; all users reach the functional data.)
Note: in this example all users have read access to this object (USE includes OBJOPR and READ). Because a newly created object silently takes its public authority from the library's CRTAUT, and CRTAUT in turn defaults to the system value QCRTAUT, which ships as *CHANGE, the auditor should check the CRTAUT of every application library (DSPLIBD): a library with CRTAUT(*CHANGE) or *ALL hands out change rights to every new file.

PRIVATE AUTHORITY
When a specific user must have less or more authority than the public authority, that user's authority is administered in the extension of his or her user profile. The profile object holds the header, the user information, the list of owned objects, and the list of objects the user is authorized to, with the authority (e.g. OBJEXAMPLE CHANGE). (Slide figure: a single user's profile object.)
Note: when there is a private authority to the object that is lower than the public authority, this is marked in the object header, so that the system knows it must look at private authorities before falling back to the public authority.

AUTHORIZATION LIST
Another way to control access is to create an authorization list (*AUTL). A list is created when there are users or groups with different authorities to a group of objects; an object is then connected to the list. The advantages: the list can be created before the objects exist, it is not deleted when an object is deleted, and when another object needs the same authorization scheme it is simply connected to the same list. Commands: CRTAUTL, ADDAUTLE and EDTAUTL for the list itself, and the AUTL parameter of the create commands or GRTOBJAUT ... AUTL(name) to connect an object.

AUTHORIZATION LIST CONTENTS
The authorization list is itself an object and is treated like every other object. Example list (slide):

  Entry     Authority
  ANJA      ALL
  EDWIN     CHANGE
  RONALD    USE, AUTLMGT
  LEEN      EXCLUDE
  *PUBLIC   EXCLUDE

Such a list can be used by an object to control its access rights. AUTLMGT is a specific authority for the list itself: it gives the user (or group) the ability to maintain the list, i.e. add, change and remove entries. Note: when the public authority of the object specifies *AUTL, the *PUBLIC entry of the list supplies the public authority.

AUTHORIZATION LIST CONNECTION
When an object is created or changed, an authorization list can be specified; the architecture allows only ONE list per object (but any number of objects per list). Slide example: the object header reads object type, owner, AUTHORIZATION LIST ABC, public authority *AUTL; list ABC contains ANJA ALL, EDWIN CHANGE, RONALD USE and AUTLMGT, LEEN EXCLUDE, *PUBLIC EXCLUDE.
Note: in this example the public authority is now taken from the *PUBLIC entry of the authorization list.

AUTHORIZATION CHECK FLOW
Authorization check sequence:
1. Special authority of the user (ALLOBJ)
2. Specific (private) authority of the user
3. User on the authorization list
4. Special authority of the group
5. Specific authority of the group
6. Group on the authorization list
7. PUBLIC authority in the object
8. *PUBLIC on the authorization list

The system first looks whether the user has special authority. If not, the next step is to look for a specific authority, and so on. As soon as any authorization definition for the object is found the search stops, whether or not that definition is sufficient for the requested operation. This mechanism is called exclusive access control and is the opposite of accumulated access control: a private EXCLUDE overrides a permissive public authority, and a private USE is not topped up to CHANGE by a group or public entry.

ADOPTED SECURITY
AS/400 security allows a user to adopt the authority of the owner of a program. When a user is allowed to execute a program owned by another user, the owner's authority can be adopted: while the program runs, the user has the same access to objects as the owner. (Slide figure: user A, with USE for program BAS and EXCLUDE for DATA B23, reads B23 via program BAS of user B; not allowed directly, allowed via BAS.)

ADOPTED SECURITY: an example
- DATA B23: owner user B, public authority EXCLUDE.
- PROGRAM BAS: owner user B, public authority USE, adopting authority active.
- User A has EXCLUDE for data B23 and USE for program BAS.
Note: user B, as owner, has ALL authority to the object with data B23. User A can only access it through program BAS.

ADOPTED SECURITY: another example
To let a program adopt the authority of its owner, it must be created (or changed) with USRPRF(*OWNER), for example CRTPGM PGM(B2S) USRPRF(*OWNER) or CHGPGM PGM(B2S) USRPRF(*OWNER). When adoption is active, the adopted authority is propagated to the programs it subsequently calls, as long as those programs were created with USEADPAUT(*YES), which is the default. (Slide figure: user A runs B2S of user B, which calls X2U of user X, which reads DATA X24.)

ADOPTED SECURITY: another example ...
- User A has USE for program B2S and EXCLUDE for data X24.
- PROGRAM B2S: owner user B, adopts its owner's authority, and calls program X2U.
- PROGRAM X2U: owner user X, has USE authority to DATA X24 itself and, through the call chain, also carries user B's adopted authority.
Note: adopted security is the only accumulated security within the AS/400: the authorities of the user and of every adopting program on the call stack add up. For the auditor: list the programs that adopt (DSPPGMADP for a given owner, or PRTADPOBJ) and check that none of them offers a command line, because a command line inside an adopting program hands the owner's authority to the user for any command.
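The authorization check flow, the authority grouping, public and private authority, authorization lists and adopted authority all come together in one decision, so the following Python model is added here (serving both the check-flow section and the adopted-security examples) to show how the pieces interact. It is an illustration, not IBM code: the Profile and Obj classes, the demo() scenarios and the profile and object names are this example's own, and AUTLMGT (maintaining the list itself) is not modelled. The model implements the exclusive search exactly as the slides describe it: the first definition found for the user, then for each group, then the public authority (from the object or from the *PUBLIC entry of its list) decides, and nothing is added up except adopted authority from programs on the call stack.

```python
# Added example (not IBM code): model of the OS/400 authority check described
# in the slides: authority grouping (*USE/*CHANGE/*ALL/*EXCLUDE), private and
# public authority, authorization lists, the exclusive search order, and
# adopted authority. Profile and object names are made up for the demo.
from dataclasses import dataclass, field

OBJECT_AUTH = {"OBJOPR", "OBJMGT", "OBJEXIST"}
DATA_AUTH = {"READ", "ADD", "UPD", "DLT", "EXECUTE"}
GROUPED = {                                   # system-defined combinations
    "*EXCLUDE": set(),
    "*USE": {"OBJOPR", "READ", "EXECUTE"},
    "*CHANGE": {"OBJOPR", "READ", "ADD", "UPD", "DLT", "EXECUTE"},
    "*ALL": OBJECT_AUTH | DATA_AUTH,
}


def expand(auth):
    """A grouped value ('*USE') or a user-defined set of individual authorities."""
    return set(GROUPED[auth]) if isinstance(auth, str) else set(auth)


@dataclass
class Profile:
    name: str
    special: set = field(default_factory=set)   # special authorities, e.g. {"ALLOBJ"}
    groups: list = field(default_factory=list)  # group profile names, primary first


@dataclass
class Obj:
    name: str
    owner: str
    public: object                  # grouped value, set, or "*AUTL"
    private: dict = field(default_factory=dict)  # profile -> authority (kept in the user profile)
    autl: dict = None               # authorization list entries, may include "*PUBLIC"
    adopts_owner: bool = False      # program created with USRPRF(*OWNER)

    def __post_init__(self):
        self.private.setdefault(self.owner, "*ALL")   # the owner gets *ALL at creation


def _first_definition(profile, obj):
    """Steps 1-3 (user) or 4-6 (group): special, private, authorization list."""
    if "ALLOBJ" in profile.special:
        return GROUPED["*ALL"]
    if profile.name in obj.private:
        return expand(obj.private[profile.name])
    if obj.autl is not None and profile.name in obj.autl:
        return expand(obj.autl[profile.name])
    return None


def find_authority(user, obj, profiles):
    """Exclusive search: the first definition found decides; nothing is added up."""
    for name in [user.name] + user.groups:
        found = _first_definition(profiles[name], obj)
        if found is not None:
            return found
    if obj.public == "*AUTL":                         # step 8
        return expand(obj.autl.get("*PUBLIC", "*EXCLUDE"))
    return expand(obj.public)                         # step 7


def is_allowed(user, obj, required, profiles, call_stack=()):
    """required: authorities the operation needs, e.g. {"OBJOPR", "READ"}.
    call_stack: programs (Obj) on the call stack; each one that adopts lends its
    owner's authority to everything above it (the only accumulation there is)."""
    candidates = [user] + [profiles[p.owner] for p in call_stack if p.adopts_owner]
    return any(required <= find_authority(c, obj, profiles) for c in candidates)


READ, UPDATE, RUN = {"OBJOPR", "READ"}, {"OBJOPR", "UPD"}, {"OBJOPR", "EXECUTE"}


def demo():
    """The slides' adopted-authority examples plus pitfalls of the exclusive search."""
    p = {n: Profile(n) for n in ["A", "B", "X", "ANJA", "LEEN", "RONALD", "GRPSALES"]}
    p["EDWIN"] = Profile("EDWIN", groups=["GRPSALES"])
    p["QSECOFR"] = Profile("QSECOFR", special={"ALLOBJ"})
    b23 = Obj("B23", "B", "*EXCLUDE")                       # data, public EXCLUDE
    bas = Obj("BAS", "B", "*USE", adopts_owner=True)         # CRTPGM ... USRPRF(*OWNER)
    x24 = Obj("X24", "X", "*EXCLUDE", private={"B": "*USE"})
    b2s = Obj("B2S", "B", "*USE", adopts_owner=True)         # calls X2U
    x2u = Obj("X2U", "X", "*USE")                            # does not adopt itself
    sales = Obj("SALES", "X", "*EXCLUDE", private={"EDWIN": "*USE", "GRPSALES": "*CHANGE"})
    cust = Obj("CUSTLIST", "X", "*AUTL", autl={"ANJA": "*ALL", "LEEN": "*EXCLUDE", "*PUBLIC": "*USE"})
    return {
        "A reads B23 directly": is_allowed(p["A"], b23, READ, p),
        "A may run BAS": is_allowed(p["A"], bas, RUN, p),
        "A reads B23 via BAS": is_allowed(p["A"], b23, READ, p, call_stack=(bas,)),
        "A reads X24 via B2S->X2U": is_allowed(p["A"], x24, READ, p, call_stack=(b2s, x2u)),
        "EDWIN reads SALES": is_allowed(p["EDWIN"], sales, READ, p),
        "EDWIN updates SALES (group CHANGE ignored)": is_allowed(p["EDWIN"], sales, UPDATE, p),
        "LEEN reads CUSTLIST (private EXCLUDE beats PUBLIC USE)": is_allowed(p["LEEN"], cust, READ, p),
        "RONALD reads CUSTLIST via *PUBLIC on the list": is_allowed(p["RONALD"], cust, READ, p),
        "QSECOFR updates SALES (ALLOBJ)": is_allowed(p["QSECOFR"], sales, UPDATE, p),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'allowed' if ok else 'denied ':8} {case}")
```

Two of the cases are the ones an auditor trips over most often: EDWIN cannot update SALES even though his group has CHANGE, because his own private USE is found first and ends the search; and the adopted authority of B2S reaches data X24 through X2U, a program that does not adopt anything itself.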

DEDICATED SERVICE TOOLS
Dedicated service tools (DST) are used to solve problems in the Licensed Internal Code and to work with the disk configuration. To use these tools the system must be IPLed attended, with the keylock in position MANUAL. There are three levels of DST authorization:
  SECURITY   used by the security officer: all DST functions, including changing the DST passwords
  FULL       all DST functions except changing the DST passwords
  BASIC      DST functions that do not affect sensitive data
Note: the security officer must change the DST passwords after installing the system; the shipped values are documented and therefore public. With CHGDSTPWD the DST security password can be reset to its shipped default. Because DST can also reset the QSECOFR password of the operating system, the keylock key and the DST passwords are as sensitive as the QSECOFR password itself.

JOURNALING
Security events are written by the system to the security audit journal QAUDJRN in library QSYS. The journal and its receiver are created by the security officer (CRTJRNRCV and CRTJRN, or in one step with CHGSECAUD). Auditing is switched on with the system value QAUDCTL (*AUDLVL, *OBJAUD) and the events to be logged are selected with QAUDLVL, e.g. *AUTFAIL (authority failures) and *PGMFAIL (program integrity violations). Journal entries go to the attached journal receiver (USERRECV on the slide); full receivers must be detached, saved and retained.
The journal entries can be selectively retrieved from the receiver with DSPJRN, for example by entry type (AF for authority failure) and into an output file. Model output files for the different journal entry types (QASY*JE in QSYS, e.g. QASYAFJE) are shipped so that the entries can be copied into a database file and queried.

SECURITY DEFINITION INTERFACE
Menu interface, started with GO SECURITY: define a user profile (user profile, password, password expired, user class, current library, initial program, initial menu) in a fill-in panel.

Command interface:
  CRTUSRPRF   Create user profile
  CHGUSRPRF   Change user profile
  DLTUSRPRF   Delete user profile
  DSPUSRPRF   Display user profile
  CHGPWD      Change password
  DSPAUTUSR   Display authorized users
  CHGPRF      Change profile (own profile, for normal users)
  WRKUSRPRF   Work with user profiles

CRTUSRPRF, CHGUSRPRF and DLTUSRPRF require *SECADM special authority; to grant a special authority the administrator does not hold himself, *ALLOBJ is needed as well. CHGPRF and CHGPWD are the only ones open to ordinary users, and only for their own profile.

ONLY FOR THE AS/400 AUDITOR

LvR/VU MAR/2003

PART X PART X ADDITIONAL INFORMATION ADDITIONAL INFORMATION ONLY FOR THE AS/400 AUDITOR ONLY FOR THE AS/400 AUDITOR



LIMITED USERS
Restrictions can be defined in the user profile, the so-called limited capability (LMTCPB). Users can be prevented from changing the initial menu, initial program and current library. When a user signs on, the user profile definition may contain an initial menu to display or a program to execute. When limited capability = YES, the signed-on user can only use this menu structure or can only execute the defined program. When a user is PARTIAL limited (also defined in the user profile) the user may change the main menu and is allowed to issue commands from the command line.
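The command interface from the previous slide and the two LMTCPB settings above as CL, an added example that is not part of the slides; profile, library, program and menu names (CLERK01, SUPV01, APPLIB, ORDENTRY, SUPVMENU, USRPRFS) are constructed for illustration.

```cl
/* Added example, not from the slides. Names are constructed.            */

/* Fully limited user: cannot change INLPGM, INLMNU or CURLIB and cannot */
/* enter commands on the command line (only commands created with        */
/* ALWLMTUSR(*YES), such as SIGNOFF, are still allowed). INLMNU(*SIGNOFF)*/
/* signs the user off as soon as the initial program ends.               */
CRTUSRPRF USRPRF(CLERK01) PASSWORD(INITPW01) PWDEXP(*YES) +
          USRCLS(*USER) CURLIB(APPLIB) +
          INLPGM(APPLIB/ORDENTRY) INLMNU(*SIGNOFF) +
          LMTCPB(*YES) TEXT('Order entry clerk - fully limited')

/* Partially limited user: may change the initial menu and use the       */
/* command line, but cannot change the initial program or current        */
/* library.                                                               */
CRTUSRPRF USRPRF(SUPV01) PASSWORD(INITPW02) PWDEXP(*YES) +
          USRCLS(*USER) CURLIB(APPLIB) +
          INLPGM(*NONE) INLMNU(APPLIB/SUPVMENU) +
          LMTCPB(*PARTIAL) TEXT('Order entry supervisor - partial')

/* Tightening an existing profile later is done with CHGUSRPRF.          */
CHGUSRPRF USRPRF(SUPV01) LMTCPB(*YES)

/* Auditor check: write every profile to an outfile (model file          */
/* QSYS/QADSPUPB) and query the limit-capabilities column for users      */
/* that should be *YES but are not.                                      */
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
          OUTFILE(QGPL/USRPRFS)
```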



LIBRARY SECURITY
A library is used to administer the existence of objects. Libraries are also objects, and to find out whether an object exists the user needs at least USE access to the library in order to search for the objects described in it. Set the public authority for the objects in the library as high as necessary and the public authority for the library to EXCLUDE. Authority for the library must then be given to individual users.



LIBRARY SECURITY ...
[Diagram] LIBRARY A: owner user A, public authority EXCLUDE. It contains OBJECT A, OBJECT B, OBJECT C etc., each with public authority USE on its DATA.
USER B has USE authority to LIBRARY A and can therefore find and use the objects in it.
USER C has not been given authority to LIBRARY A and is stopped at the library, although the objects themselves have public authority USE.
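The library rule from the previous slide and the LIBRARY A diagram above, built with CL as an added example that is not part of the slides; the library and user names are the diagram's (written LIBA, USERA, USERB), the file names OBJA, OBJB, OBJC are constructed.

```cl
/* Added example, not from the slides. Library LIBA, users USERA/USERB  */
/* follow the diagram; the files inside the library are constructed.    */

/* Library A: owned by USERA, public authority *EXCLUDE, so the public  */
/* cannot even find out which objects the library contains.             */
CRTLIB LIB(LIBA) TEXT('Application data of user A') AUT(*EXCLUDE)
CHGOBJOWN OBJ(LIBA) OBJTYPE(*LIB) NEWOWN(USERA)

/* Objects in the library: public authority *USE on each object's data.*/
CRTPF FILE(LIBA/OBJA) RCDLEN(80) AUT(*USE)
CRTPF FILE(LIBA/OBJB) RCDLEN(80) AUT(*USE)
CRTPF FILE(LIBA/OBJC) RCDLEN(80) AUT(*USE)

/* Only named users get *USE to the library itself. USERB can now      */
/* search LIBA and open the files; USERC, who gets nothing here, is    */
/* stopped at the library although the files are public *USE.          */
GRTOBJAUT OBJ(LIBA) OBJTYPE(*LIB) USER(USERB) AUT(*USE)

/* Auditor checks: who holds which authority to the library and to an  */
/* object inside it.                                                    */
DSPOBJAUT OBJ(LIBA) OBJTYPE(*LIB) OUTPUT(*PRINT)
DSPOBJAUT OBJ(LIBA/OBJA) OBJTYPE(*FILE) OUTPUT(*PRINT)
```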


PHYSICAL VERSUS LOGICAL FILE SECURITY


A physical file, which contains the physical records, can be accessed directly by the users or indirectly through a logical file definition. This logical file definition can give a different view of the physical data. In the following example the physical file object P cannot be accessed directly because the user has no access to the header information. By giving access to a logical file with a certain view of the physical data, a user only has access to that part of the data.



PHYSICAL VERSUS LOGICAL FILE SECURITY ...


[Diagram]
PHYSICAL FILE P: public authority NONE; data description specification of all RECORDS and FIELDS; holds the DATA.
OBJECT L1 (logical file over PHYSICAL FILE P): public authority OBJOPR; data description specification selecting RECORDS with FIELDS A and B.
OBJECT L2 (logical file over PHYSICAL FILE P): public authority CHANGE; data description specification selecting RECORDS with FIELDS X and Y.


AUTHORITY HOLDER
AS/400 gives the opportunity to set up an object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It will be connected to the object's data part when the data is created.
[Diagram] AUTHORITY HOLDER: object header created in advance, public authority USE -> connected when the DATA is created -> DATA created in the future.



ADOPTED SECURITY: an example


[Diagram] DATA B23: owner user B, public authority EXCLUDE.
PROGRAM BAS: owner user B, public authority USE, adopting authority active.
User A has EXCLUDE for data B23 and USE for program BAS.
Note: In this example, user B has access authority ALL to the object with data B23. User A can only access it through the program BAS.


ADOPTED SECURITY: SEARCH SEQUENCE


The search for program A can be changed by the library sequence. When program B calls program A, program A will be found in Library B:
SEARCH -> Library B containing program A and program B -> Library A containing program A
If Library A is placed in front of Library B, program A is found in the other library, which can result in the execution of a program that is not the intended one and give unpredictable results such as a security breach:
SEARCH -> Library A containing program A -> Library B containing program A and program B


ADOPTED SECURITY
To eliminate the possibility of using the library sequence, the program call should supply the library name by using the qualified name in the CALL command: CALL PGM(B/A). Program A will then only be used from library B. Another way to eliminate this security problem is not to call the program but to transfer control (TFRCTL) to program A. With TFRCTL program A will not adopt the authorization of user B. This can only be done when appropriate for the program logic flow.
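The DATA B23 / PROGRAM BAS example and the qualified CALL versus TFRCTL choice from the slides above, as an added CL example that is not part of the slides; the library name LIBB, the source file and member names, the CL source of BAS and the USEADPAUT line (a third option, not on the slides) are assumptions.

```cl
/* Added example, not from the slides. LIBB and the source names are    */
/* constructed; object and user names follow the slides.                */

/* Data B23 in library B: owned by USERB, public *EXCLUDE, and USERA    */
/* explicitly *EXCLUDE as in the diagram.                               */
CRTPF FILE(LIBB/B23) RCDLEN(80) AUT(*EXCLUDE)
CHGOBJOWN OBJ(LIBB/B23) OBJTYPE(*FILE) NEWOWN(USERB)
GRTOBJAUT OBJ(LIBB/B23) OBJTYPE(*FILE) USER(USERA) AUT(*EXCLUDE)

/* Program BAS: owned by USERB and running with the owner's authority   */
/* (USRPRF(*OWNER)), public *USE so USERA can call it. USERA reaches    */
/* B23 only in the way BAS allows.                                      */
CRTCLPGM PGM(LIBB/BAS) SRCFILE(LIBB/QCLSRC) SRCMBR(BAS) +
         USRPRF(*OWNER) AUT(*USE)
CHGOBJOWN OBJ(LIBB/BAS) OBJTYPE(*PGM) NEWOWN(USERB)

/* Inside BAS (member BAS in LIBB/QCLSRC): call program A with a        */
/* qualified name so the library list cannot substitute another A, or  */
/* transfer control, which removes BAS from the call stack so that A    */
/* no longer runs with USERB's adopted authority.                       */
/*     CALL   PGM(LIBB/A)    qualified call, adopted authority kept     */
/*     TFRCTL PGM(LIBB/A)    adopted authority of BAS dropped           */

/* Not on the slides: a called program can also be told to ignore any   */
/* authority adopted by programs earlier in the call stack.             */
CHGPGM PGM(LIBB/A) USEADPAUT(*NO)

/* Auditor checks: which programs adopt USERB's authority, and whether  */
/* BAS adopts at all (User profile attribute on the DSPPGM display).    */
DSPPGMADP USRPRF(USERB) OUTPUT(*PRINT)
DSPPGM PGM(LIBB/BAS)
```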



JOURNALING
To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary. The journal receiver is the object that will hold the journal entries and can be defined by the security officer using his/her own naming conventions.
The journal is created with the following command:
  CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(USERRECV)
and journaling is activated with the system values QAUDJRN (JRN) and QAUDLVL (AUTFAIL PGMFAIL).
To set the level of journaling the system value QAUDLVL must be set. Possible values are
NONE, AUTFAIL, SAVRST, DELETE, SECURITY, CREATE, OBJMGT and PGMFAIL
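Setting up the audit journal described here and the selective retrieval of entries from the earlier JOURNALING slide, as an added CL example that is not part of the slides. The slides activate journaling through a QAUDJRN(JRN) system value; this example assumes instead a release that has the QAUDCTL system value (V2R3 and later), and the receiver library QGPL and outfile name AUDAF are constructed.

```cl
/* Added example, not from the slides. Assumes the QAUDCTL system value */
/* exists; QGPL as receiver library and the outfile AUDAF are constructed*/

/* Journal receiver under the security officer's own naming convention, */
/* then the journal QSYS/QAUDJRN that points to it. Public *EXCLUDE     */
/* keeps ordinary users away from the audit trail.                       */
CRTJRNRCV JRNRCV(QGPL/USERRECV) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/USERRECV) AUT(*EXCLUDE) +
          TEXT('Security audit journal')

/* Level of journaling as on the slide: authority failures and program  */
/* failures (system values carry the names with a leading asterisk).    */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL')

/* Switch auditing on according to QAUDLVL.                             */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')

/* Selective retrieval: copy only the authority failure (AF) entries    */
/* into a file created from the sample definition QSYS/QASYAFJE, so     */
/* every field of the entry becomes a column that can be queried.       */
CRTDUPOBJ OBJ(QASYAFJE) FROMLIB(QSYS) OBJTYPE(*FILE) +
          TOLIB(QGPL) NEWOBJ(AUDAF)
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) OUTFILE(QGPL/AUDAF)
```

The same DSPJRN with another ENTTYP (for example PW for password failures) and the matching QASYxxJE model file retrieves the other entry types the slide refers to.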

