
PART 16-A

AS/400 ARCHITECTURE & SECURITY

Leen van Rij

kpmg IRM

vrije Universiteit amsterdam

31 March 2003

File 16-A AS400 architecture & security


© 2003

LvR/VU
Contents MAR/2003

CONTENTS
• History
• Architecture
• Application and Operating System/400 (AS/400 and OS/400)
• Physical security levels
• Logical security levels
• Object management
• Security implementation
• Special security feature
• Auditing
• (Part X. Only for the AS/400 auditor)

Note
AS/400 = hardware
OS/400 = operating system
AS/400 architecture & security 2


Contents (continued)
• Literature
• Highlights
• History
• Architecture
• Communication support
• Machine Interface AS/400
• Database System
• Integrated File System
• Single level storage
• Object oriented
• Object types
• Physical security
• Logical security levels
• Integrity checking
• Special authorizations
• User classes
• Pre-defined user profiles
• User profile
• Group profile
• Group structure
• Object header authority
• Object data authority
• Object authority Grouping
• Public authorization
• Private authority
• Authorization list
• Authorization Check flow
• Adopted security
• Dedicated service tools
• Journaling
• Security definition interface

ONLY FOR THE AS/400 AUDITOR:
• Limited users
• Library security
• Physical versus logical file security
• Authority holder
• Adopted security
• Journaling


OPTIONAL LITERATURE
• IBM “AS/400 System Concepts”
• IBM “AS/400 Security Concepts & Planning”
• IBM “AS/400 Guide to enabling C2 security”
• IBM “Application System/400 Technology”
• Ernst & Young “A practical approach to logical access control”, McGraw-Hill (1993) (see chapter “AS/400 access control”)
• Ernst & Young “Technical reference series: Audit, Control and Security of the IBM AS/400” (1994) (description, control objectives, audit questions)
• Fred de Koning et al. “Beveiliging en controle in een AS/400-omgeving”, Paardekooper & Hoffman (1995)


STRUCTURE OF: Ernst & Young “AS/400 Audit Reference”

• Overview
• Hardware
• Software
• Logical access path
• Utilities
• Backup and Recovery
• Objects
• Libraries
• Initial menus and programs
• System security
  » system keylock
  » system values
  » authorities
  » user and group profiles
  » authorization lists
  » etc.
• Procedural and administrative controls
• Control Concerns
• Examples


TOPOLOGY OF SECURITY LAYERS

Layers, from the end user down to the data (figure reconstructed as a list):
• End user
• Network security
• Security in system/service (‘Frontdoor’)
• Security in application
• Access control in the operating system: the Trusted Computing Base (TCB, certified using US Department of Defense standards)
• Hardware
• DATA
The measures taken in these layers depend upon the security objectives and the enterprise’s security strategy. Physical security of the computing center and of the computing center staff surrounds the whole stack.

Note: The security measures in the network, services and applications may use the ‘Access Control’ in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.
ACCESS PATH WITHIN AS/400 (MEY MODEL)

AS/400 model, see the Ernst & Young book on logical access control. The path from end users and MIS personnel to the data passes through (figure reconstructed as a list):
• OS/400 communication functions
• User profiles (OS/400 security)
• Initial menu / Command processors
• Application software / Tools & utilities
• Object security
• OS/400 database management functions
• DATA

HIGHLIGHTS FOR THE EDP AUDITOR

1. Appropriate security levels active

2. Identification, Authentication (User and Group profiles)

3. Special Authorizations

4. Public and Specific Authorization (including Authorization list)

5. Dedicated Service Tools

6. Journaling


HISTORY OF APPLICATION SYSTEM/400 (AS/400)

• System/34 (1974)
• System/38 (1978): database included in the operating system
• System/36 (1982)
• AS/400 (1987)
• AS/400-Y10
• PowerPC AS/400 (1995)


ARCHITECTURE AS/400

Figure (reconstructed): the system processor and main storage are attached through Bus Control Units (BCUs) to I/O Bus Units (IOBUs); the IOBUs connect display, communication, printer and DASD devices, some of them through Bus Extension Units (BEUs).

DASD = Direct Access Storage Device (disks)
BCU = Bus Control Unit
IOBU = I/O Bus Unit (Communication Controller)
BEU = Bus Extension Unit


ARCHITECTURE

• Until 1995, the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture
• The system processor had a 32 bit data path and a 48 bit addressing structure to address 281 Tera bytes
• The addressing architecture is designed to handle 64 bit addressing, which is fully implemented in the newer systems using the PowerPC architecture


PHYSICAL CONNECTION PROTOCOLS


For communication purposes AS/400 supports on the physical layer a variety of data link and network protocols.
A standard port is used for
• ECS (Electronic Customer Support)
Optional adapters support the protocols
• ASYNC (ASYNChronous)
• BSC (Binary Synchronous Communication)
• SDLC (Synchronous Data Link Control)
• X.21, X.25, X.31, V.24, V.35 and V.36
• ISDN (Integrated Services Digital Network)
• Twinaxial
• Ethernet
• Token-ring
• FDDI (Fiber Distributed Data Interface)
• Wireless LAN
• Fax (V.34)
(Figure: the SNA layer stack from Logical Terminal / Application (= End user connection) down through Transaction Services, Presentation Services, Data Flow Control, Transmission Control, Path Control and Data Link Control to Physical Control (= Physical connection); the protocols above belong to the physical connection.)

NETWORK PROTOCOLS
To manage network access AS/400 supports the most common available network protocols.
• Asynchronous
• Binary Synchronous Communications (BSC)
• System Network Architecture (SNA)
• Advanced Peer-to-Peer Network (APPN)
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• Open Systems Interconnection (OSI)
• Multiprotocol Transport Networking (MPTN)
(Figure: the same SNA layer stack, from Logical Terminal / Application (= End user connection) with Transaction Services, Presentation Services, Data Flow Control, Transmission Control, Path Control and Data Link Control, down to Physical Control (= Physical connection), with the network protocols positioned against it.)

APPLICATION COMMUNICATION PROTOCOLS


To enable applications to use communication, AS/400 supports call interfaces like
• Advanced Program-to-Program Communications (APPC)
• SNA Distribution Services (SNADS)
• Distributed Remote Data Access
• Open Systems Interconnection (OSI)
• Object Distribution Facility (ODF)
• Client Access/400
• Transmission Control Protocol (TCP)
• File Transfer Protocol (FTP)
• Simple Mail Transfer Protocol (SMTP)
• Simple Network Management Protocol (SNMP)
• User Datagram Protocol (UDP)
• Line Printer Requester/Line Printer Daemon Protocol
• TELNET
(Figure: the same SNA layer stack, from Logical Terminal / Application (= End user connection) with Transaction Services, Presentation Services, Data Flow Control, Transmission Control, Path Control and Data Link Control, down to Physical Control (= Physical connection), with the application protocols positioned against it.)

MACHINE INTERFACE AS/400

Figure (reconstructed), top to bottom:
• Compilers, Utilities, Applications
• Operating System/400 (OS/400)
• High-level machine: Vertical Micro Code, Horizontal Micro Code, Hardware


MACHINE INTERFACE AS/400


• The AS/400 is a layered architecture machine
• To use the hardware only high-level machine instructions are available
• The high-level machine instructions are understood by the VERTICAL MICROCODE layer and translated to basic machine instructions
• The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and transferred to the hardware
• The hardware layer executes the instruction
• The Vertical and Horizontal Micro Code layers together with the hardware are called the HIGH-LEVEL MACHINE
• With the PowerPC architecture there is only one layer of microcode to implement the machine interface.


The three machine layers, called the high-level machine, also provide many functions normally implemented in the Operating System

Figure (reconstructed):
TRADITIONAL
• Traditional operating system: Task management, Resource management, Storage management, Database management, Security management, etc.
• Traditional hardware: Machine interface, Hardware

OPERATING SYSTEM/400 (OS/400)
• OS/400: Task management, Resource management, Storage management, Database management, Security management, etc.
• AS/400 HARDWARE (Machine interface): Task management, Resource management, Storage management, Data access, Database management, Security management, etc.; Hardware

Note: Implementing functions in micro code benefits the system’s performance



INTEGRATED DATABASE SYSTEM


AS/400 has an integrated Database management system. It is a BASE feature of the AS/400
• Within AS/400 Database access is only allowed by ONE Application Programming Interface (API).
• Access security will be done by this interface and there is no redundant access control mechanism available. There is only one focal point for access control
• The Database is designed on two concepts
  – The physical files, containing the data
  – The logical files, which give the possibility to define an alternate view to the data records and fields
  The user, when authorized, can access the data directly from the physical file or through the logical file
• The AS/400 Database system is also used as physical storage by the product Data Base 2 (DB2/400), which extends the Data Base features

INTEGRATED DATABASE SYSTEM


The AS/400 system can be used as a Database server. To connect to the AS/400 Database, protocols from different vendors are supported. These protocols are

• Open Database Connect (ODBC) from Microsoft
• Data Access Language (DAL) from Apple
• System Query Language Connect (SQL CON) from Oracle
• Distributed Relational Database Architecture (DRDA) from IBM

(Figure: System A with Database X and System B with Database Y, both connected to the AS/400)


INTEGRATED FILE SYSTEM (IFS)

To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry standard APIs to the stream file system and the hierarchical directory. The file access protocols which are supported by AS/400 are:

• Root file system: OS/2, DOS and Windows NT compatible
• QOpenSys file system: Posix, XPG, UNIX compatible
• QLANSrv file system: OS/2 Lan Manager compatible

(Figure: the AS/400 serving File system X and File system Y)


SINGLE LEVEL STORAGE: ARCHITECTURE DIFFERENT (figure, reconstructed)

• Traditional mainframe (OS/390) with an address space per user and separate data sets on disks: several separate 2 GB address spaces, with the data sets on DASD
• AS/400 - OS/400: one address space of 2^64 bytes = 16,000,000 Tera bytes, holding objects such as a program, a screen and “data”

AS/400: everything in one virtual address space

SINGLE LEVEL STORAGE


AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN and AUXILIARY storage appear contiguous to an end user and an application

One virtual address space (figure, reconstructed): the SYSTEM PROCESSOR works on MAIN STORAGE; AUXILIARY STORAGE on DASD is paged in and out, with the VAT and its DIR keeping track of where the contents are

VAT = Virtual Address Translation
DIR = Directory used by VAT to keep track of virtual storage contents
Note: When data or instructions are needed for execution by the system processor they will be brought into main storage. When there is a shortage of main storage the data and/or instructions not needed anymore are transferred back to auxiliary storage on DASD

AS/400 single-level storage gives the ability to have data storage independent of device types. All data including programs, source, data, databases etc. are mapped into this single virtual address space

AS/400 VIRTUAL ADDRESS SPACE (figure, reconstructed): objects such as Program A123, Program A143, Data GFHJ, Data 5RF, Program XG63, Command AB6, Menu 567, Menu 765, Command UY, Queue, etc. etc., till the maximum space


OBJECT ORIENTED DESIGN


Definition: Everything on the system that can be stored or retrieved is contained in an object
The high level machine is designed to treat everything the same through the use of a generic object structure

General object structure (figure, reconstructed)
• OBJECT HEADER (Control Information): Object type, Owner, Public Authority, etc.
• FUNCTIONAL OBJECT (data): Data (e.g., data records, programs, sources, etc.)


OBJECT TYPES
To store information in the AS/400 system there are 73 different types of objects defined, e.g.
Type − Contents
• Library − object names (like a directory)
• Data − data records (database records)
• Program − executable programs
• Source − source of programs like cobol, pascal, C etc.
• User profile − userid descriptions and privileges
• Journal − logging records
• Job queue − jobs to handle
• Output queue − output from jobs
• Device description − device parameters
• Job description − job control language

OBJECT ADMINISTRATION (figure, reconstructed)

The object search starts at QSYS and then goes through the libraries in order: LIBRARY 1 (OBJECT X, OBJECT Y, OBJECT Z), LIBRARY 2 (OBJECT K) and LIBRARY 3 (OBJECT L, OBJECT M). OBJECT X is a DATABASE containing MEMBER A, MEMBER B and MEMBER C.

PHYSICAL SECURITY: KEYLOCK SWITCH

On the front panel of the AS/400, with a physical key (to be stored safely). Positions: Normal, Manual, Secure, Auto

Keylock    Power down   Remote or    Main switch   Attended
position   command      timed IPL    IPL           IPL
SECURE     YES          NO           NO            NO
AUTO       YES          YES          NO            NO
NORMAL     YES          YES          YES           NO
MANUAL     YES          NO           YES           YES

Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools)


LOGICAL SECURITY LEVELS


AS/400 is designed to activate different levels of security. The levels are controlled by setting the system parameter ∗QSECURITY(xx)
• 10 - no security
• 20 - userid and password checking
• 30 - object authorization verification
• 40 - application must use AS/400 call interface
• 50 - DoD C2 security

Note: to guarantee data integrity, at least the system parameter ∗QSECURITY(30) must be set by the Security administrator prior to user access to the system


DESCRIPTION OF SECURITY LEVELS


• 10 - No security level at all. A user profile will automatically be defined when a user signs on
• 20 - User profile and password must be defined prior to sign on
• 30 - Like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate access authority to use the resources.
• 40 - Like 30, but the machine interface cannot be used directly by the programs. It can only be used through the AS/400 call interface. All access is controlled/checked by AS/400. Journalling must be active so reports can be created
• 50 - Extends level 40 to meet the DoD C2 classification. The users are only allowed to access their own objects through the AS/400 defined Application Programming Interface (API). Bypassing journalling of an object access is no longer possible

INTEGRITY CHECKING
ISOLATION: AS/400 has system state and user state programs

Security level = 10, 20 and 30
• user and system programs can freely interact with the high-level machine

Security level = 40
• the APIs (Application Program Interface) must be used by a user program to interact with a system program

Security level = 50
• the APIs must also be used by a user program to interact with another user program

INTEGRITY CHECKING

Figure (reconstructed): calls between the domains
• System State Domain to System State Domain: no integrity problem
• User State Domain to System State Domain: integrity problem when not checked; the API must be used with level 40
• User State Domain to User State Domain: integrity problem; intentionally no problem, no journalling of activities; level 50 enforces use of the API in the user domain


SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system wide authority scope. When a user is defined with a special authorization he/she is able to do the following

PRIVILEGE − AUTHORIZED TO DO
• ∗ALLOBJ − access every system resource
• ∗SECADM − create / change user profiles
• ∗SAVSYS − save / restore
• ∗JOBCTL − manipulate jobs on the system
• ∗SPLCTL − all spool functions
• ∗SERVICE − service functions
• ∗AUDIT − audit related functions
• ∗IOSYSCFG − change system configuration

USER CLASSES
(Figure: the user classes ∗SECOFR, ∗SECADM, ∗SYSOPR and ∗PGMR drawn as overlapping circles over the special authorities ∗ALLOBJ, ∗SERVICE, ∗IOSYSCFG, ∗SPLCTL, ∗SECADM, ∗JOBCTL and ∗SAVSYS; the mapping is tabulated on the next slide)


USER CLASSES
Special authorities can be grouped together. This grouping is called a USERCLASS

authority     ∗SECOFR   ∗SECADM   ∗SYSOPR   ∗PGMR    ∗USER
∗ALLOBJ       ∗         10/20     10/20     10/20    10/20
∗SECADM       ∗         ∗
∗SAVSYS       ∗         ∗         ∗         ∗        10/20
∗JOBCTL       ∗         ∗         ∗         ∗
∗SPLCTL       ∗
∗SERVICE      ∗
∗IOSYSCFG     ∗
Note: 10/20 refers to security levels 10 and 20. When one of these is active, the ∗ALLOBJ authority is assigned to these classes automatically. The ∗ refers to security levels 30, 40 and 50


PRE-DEFINED USER PROFILES


When AS/400 is installed, there are 6 predefined user profiles available to access the system. They are used to create other user profiles to access the system. The 6 default userids are

• QSECOFR
• QPGMR
• QSYSOPR
• QSRV
• QSRVBAS
• QUSER

Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids


USER PROFILE
With security level 20 or higher, the user can only access the system if there is a user profile defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile may be

USER PROFILE (is an object)
• Userid
• User class
• Group name (up to 16 groups)
• Initial program
• Initial menu
• Current library
• Password
• Password expiration
• Special authority
• Accounting code
• Limited capability

(Note: This is only a partial content)



AUTHENTICATION
System wide password syntax options
• QPWDMINLEN minimum length of password
• QPWDMAXLEN maximum length (up to 10 characters)
• QPWDRQDDIF new password must differ from 32 previous
• QPWDLMTCHR specify up to 10 characters not allowed for password
• QPWDPOSDIF character in new must be different from character in same position in old
• QPWDLMTREP characters may not be used more than once
• QPWDLMTAJC numbers 0 to 9 not next to another
• QPWDVLDPGM use password syntax checker
• QPWDRQDDGT at least one numeric
Other system wide password options
• QPWDEXPITV maximum number of days the password is valid
• QMAXSIGN maximum number of unsuccessful sign-on attempts
• QDSPSGNINF display date/time of last sign-on etc. after successful sign-on
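The syntax options above are easiest to understand as one check applied to a candidate password. The following checker is an added example written for these notes, not IBM code: it implements each QPWD* rule as the slide describes it, reducing every system value to a count, a character list or an on/off flag (the real values take coded settings). The sample settings, the password history and the `no_profile_name` exit program standing in for QPWDVLDPGM are constructed for the example.

```python
"""Added example: a checker for the QPWD* password syntax values listed on
this slide. Not IBM code; the rule semantics follow the slide's one-line
descriptions, with each system value reduced to a count, a character list
or an on/off flag."""

# Constructed sample settings (an illustration, not a recommendation).
DEFAULT_RULES = {
    "QPWDMINLEN": 6,        # minimum length
    "QPWDMAXLEN": 10,       # maximum length (up to 10 characters)
    "QPWDRQDDIF": 32,       # must differ from this many previous passwords
    "QPWDLMTCHR": "@#$",    # characters not allowed (up to 10)
    "QPWDPOSDIF": True,     # no character in the same position as in the old one
    "QPWDLMTREP": True,     # a character may not be used more than once
    "QPWDLMTAJC": True,     # a digit may not be next to another digit
    "QPWDRQDDGT": True,     # at least one numeric
}


def check_password(new, old=None, history=(), rules=DEFAULT_RULES, validator=None):
    """Return the names of the violated system values (empty list = accepted).

    `history` holds earlier passwords, oldest first; `validator` stands in
    for the QPWDVLDPGM exit program: a callable returning None to accept or
    a reason string to reject. Comparison is case-insensitive, since the
    slide's rules are about characters and positions, not letter case."""
    new_u = new.upper()
    violated = []
    if len(new) < rules["QPWDMINLEN"]:
        violated.append("QPWDMINLEN")
    if len(new) > rules["QPWDMAXLEN"]:
        violated.append("QPWDMAXLEN")
    if rules["QPWDRQDDGT"] and not any(c.isdigit() for c in new):
        violated.append("QPWDRQDDGT")
    if any(c in rules["QPWDLMTCHR"].upper() for c in new_u):
        violated.append("QPWDLMTCHR")
    if rules["QPWDLMTREP"] and len(set(new_u)) != len(new_u):
        violated.append("QPWDLMTREP")
    if rules["QPWDLMTAJC"] and any(a.isdigit() and b.isdigit()
                                   for a, b in zip(new, new[1:])):
        violated.append("QPWDLMTAJC")
    # QPWDRQDDIF = 0 would mean "no history check", hence the guard.
    recent = list(history)[-rules["QPWDRQDDIF"]:] if rules["QPWDRQDDIF"] else []
    if any(new_u == h.upper() for h in recent):
        violated.append("QPWDRQDDIF")
    if rules["QPWDPOSDIF"] and old and any(a == b for a, b in zip(new_u, old.upper())):
        violated.append("QPWDPOSDIF")
    if validator is not None and validator(new, old) is not None:
        violated.append("QPWDVLDPGM")
    return violated


def no_profile_name(new, old, profile="LAKE"):
    """Toy exit program (constructed): reject a password containing the user id."""
    return "contains user id" if profile in new.upper() else None


if __name__ == "__main__":
    print(check_password("LAKE7X", old="OCEAN4", history=["OCEAN4"]))
    print(check_password("OCEAN4", old="OCEAN4", history=["OCEAN4"]))
    print(check_password("LAKE7X", validator=no_profile_name))
```

Reading the returned list against the slide is the point of the exercise: a password that is reused (QPWDRQDDIF) and unchanged in every position (QPWDPOSDIF) is reported under both values, which is how the real system values overlap as well.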

GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile may be

GROUP PROFILE (is an object)
• Userid (is groupname)
• User class (class for group)
• Group (∗NONE)
• Initial program (not relevant)
• Initial menu (not relevant)
• Current library (not relevant)
• Password (∗NONE)
• Password expiration (not relevant)
• Special authority (for group)
• Accounting code (not relevant)
• Limited capability (not relevant)

(Note: This is only a partial content)



GROUP STRUCTURE

Figure (reconstructed): two group profiles, GROUP A and GROUP B, and four user profiles: USER A1 (Group=A), USER A2 (Group=A,B), USER B1 (Group=B) and USER B2 (Group=B)

• The groups are independent definitions and do not have any relation to one another
• A user can be a member of maximum 16 groups

OBJECT HEADER AUTHORITY

(Figure: an object, with the HEADER above the functional data)

AS/400 is object oriented: all stored information is contained in an object.

There are 3 authority levels to control the header information. This authority is specific for every user-object combination. The user may have

AUTHORITY − ACCESS RIGHTS to HEADER
• ∗OBJOPR − use/look at the object information
• ∗OBJMGT − grant other users to use the object
• ∗OBJEXIST − totally control the object


OBJECT DATA AUTHORITY

(Figure: an object, with the header above the FUNCTIONAL DATA)

Prior to accessing the contents of the object, the user must have at least ∗OBJOPR authority to the object. If so, data access can be controlled with five different levels

AUTHORITY − ACCESS RIGHTS to FUNCTIONAL DATA
• ∗READ − Read the entries of the functional data
• ∗ADD − Add entries to the functional data
• ∗UPD − Update entries of the functional data
• ∗DLT − Delete entries of the functional data
• ∗EXECUTE − Only execute the related program

OBJECT AUTHORITY
To get access to the object the user needs at least access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.

(Figure: the search starts at the object; its PUBLIC authority is ∗OBJOPR on the header and ∗READ on the data)


OBJECT AUTHORITY GROUPING

(Figure: the authorities drawn as nested groups: ∗USE covers ∗OBJOPR and ∗READ; ∗CHANGE adds ∗ADD, ∗UPD and ∗DLT; ∗ALL adds ∗OBJMGT and ∗OBJEXIST)


OBJECT AUTHORITY GROUPING


Object header and functional data access authorities can be grouped into system defined values, controlling the access to the object

Combination    Object authority                 Data authority
∗USE           ∗OBJOPR                          ∗READ
∗CHANGE        ∗OBJOPR                          ∗READ, ∗ADD, ∗UPD, ∗DLT
∗ALL           ∗OBJOPR, ∗OBJMGT, ∗OBJEXIST      ∗READ, ∗ADD, ∗UPD, ∗DLT
∗EXCLUDE       Access always denied
∗LIBCRTAUT     Access determined by the library where the object is registered
∗USER DEF      Combination defined by the user


PUBLIC AUTHORIZATION
When most of the users must have the same access authority to the object, this access authority is set in the object header. The authorization is called PUBLIC and is given to the object during creation

(Figure: OBJECT HEADER with Object type, Owner and PUBLIC authority ∗USE, applying to All Users; FUNCTIONAL DATA below)

Note: In this example all users have read access to this object (∗USE includes ∗OBJOPR and ∗READ)

PRIVATE AUTHORITY
When a specific user must have lower or higher access rights than the public authority, the user’s access is administrated in his/her user profile extension

(Figure: USER PROFILE (is an object): header, user information, list of owned objects, and the LIST OF OBJECTS AUTHORIZED TO ACCESS WITH THE AUTHORITY, e.g. OBJEXAMPLE ∗CHANGE for this single user)

Note: When there is a private access definition for the object, lower than the public authority, it will be marked in the object header

AUTHORIZATION LIST

Another possibility to control access is to create an authorization list. This list will be created when there are users or groups with different access rights to a group of objects

An object can be connected to this authorization list

The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted

When another object is created and it needs the same authorization scheme, this newly created object can be connected to the same list


AUTHORIZATION LIST CONTENTS


The authorization list by itself is also an object. The list is treated as every other object in the system

AUTHORIZATION LIST (is an object): header, followed by the entries
ANJA       ∗ALL
EDWIN      ∗CHANGE
RONALD     ∗USE
LEEN       ∗AUTLMGT
∗PUBLIC    ∗EXCLUDE

The example above shows a list which can be used by an object to control its access rights. There is also a specific access control authorization defined, called ∗AUTLMGT. This gives the user (or group) the ability to maintain this authorization list
Note: When the public authorization in the object specifies that the authorization list will be used, the entry ∗PUBLIC will give the public authorization

AUTHORIZATION LIST CONNECTION


When an object is created or changed the authorization list can be specified. The architecture gives the possibility to specify only ONE list per object

(Figure: the object header holds Object type, Owner, Public authority ∗AUTL and AUTHORIZATION LIST ABC, with the Functional data below; the object authorizations are defined in Authorization List ABC: ANJA ∗ALL, EDWIN ∗CHANGE, RONALD ∗USE, LEEN ∗AUTLMGT, ∗PUBLIC ∗EXCLUDE)

Note: In this example the public authority is now taken from the authorization list entry ∗PUBLIC


AUTHORIZATION CHECK FLOW


Authorization check flow sequence:
1. Special authority of the user
2. Specific authority of the user
3. User on authorization list
4. Special authority of the group
5. Specific authority of the group
6. Group on authorization list
7. PUBLIC authority in object
8. PUBLIC on authorization list

AS/400 looks whether the user has a Special authority. If there is no Special authority, the next step will be to look for a Specific authority defined, etc. When any authorization definition for the object is found the search will stop
This mechanism is called exclusive access control and is the opposite of accumulated access control

ADOPTED SECURITY
• AS/400 security allows a user to adopt the access authorization of the owner of a program
• When a user is allowed to execute a program owned by another user, the authority can be adopted
• The user then has the same access authority to the objects as the owner of it

(Figure: User A has ∗EXCLUDE for DATA B23, so direct access is not allowed, and ∗USE for program BAS; via program BAS of user B, access to DATA B23 is allowed)

ADOPTED SECURITY: an example

(Figure: DATA B23, owner user B, public authority ∗EXCLUDE; PROGRAM BAS, owner user B, public authority ∗USE, adopting authority active)

User A has
• ∗EXCLUDE for data B23
• ∗USE for program BAS

Note: In this example, user B has access authority of ∗ALL to the object with data B23. User A can only access it through the program BAS

ADOPTED SECURITY: another example


When a program allows adoption of the authority of the program owner, the program must be created with the command

CRTPGM PGM(B2S) USRPRF(*OWNER)

When program adoption is active, the authority will be propagated to subsequently called programs

(Figure: User A, User B and User X; DATA X24; User A has ∗USE for B2S)

ADOPTED SECURITY: another example


User A has
• ∗USE for program B2S
• ∗EXCLUDE for data X24

(Figure: PROGRAM B2S, owner user B, calls program X2U with ∗USE; PROGRAM X2U, owner user X; DATA X24, owner user X)

PROGRAM X2U has ALSO ∗USE authority to DATA X24

Note: Adopted security is the only accumulated security within AS/400
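The grouping table, the eight-step authorization check flow and the adopted-security examples above describe one algorithm, and it is clearer when written down as code. The following model is an added example for these notes, not IBM code: `effective_authority` walks the eight steps of the slides' exclusive check and stops at the first definition found; `can` adds the library search (at least ∗USE on the library) and the accumulation that a program adopting its owner's authority introduces. The users (ANJA, EDWIN, RONALD, LEEN, A, B, C, D), the group GRPX, the objects and the authorization list are constructed from the slides' examples; the owner holding ∗ALL is recorded as a private entry, and ∗AUTLMGT is assumed to give no object authority, as the slide says it only allows maintaining the list.

```python
"""Added example: a toy model of the OS/400 authority check on these slides
(grouping table, eight-step exclusive check flow, library search, adopted
authority). Not IBM code; all names and data are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Basic authorities from the header and data authority slides.
BASIC = {"*OBJOPR", "*OBJMGT", "*OBJEXIST",
         "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}

# Grouping table from the slides. *AUTLMGT -> no object authority is an
# assumption: the slide only says it allows maintaining the list.
GROUPS = {
    "*USE": {"*OBJOPR", "*READ"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT"},
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*READ", "*ADD", "*UPD", "*DLT"},
    "*EXCLUDE": set(),
    "*AUTLMGT": set(),
}


def expand(aut):
    """Named combination or single basic authority -> set of basic authorities."""
    if aut in GROUPS:
        return set(GROUPS[aut])
    if aut in BASIC:
        return {aut}
    raise ValueError(f"unknown authority {aut}")


@dataclass
class User:
    name: str
    special: set = field(default_factory=set)    # e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group profile names


@dataclass
class Obj:
    name: str
    owner: str
    public: str = "*EXCLUDE"                     # "*AUTL": public taken from the list
    private: dict = field(default_factory=dict)  # user or group name -> authority
    autl: Optional[dict] = None                  # authorization list: name -> authority


def effective_authority(user, obj, profiles):
    """Exclusive access control: walk the slide's eight steps and stop at the
    first definition found. Returns the set of basic authorities granted."""
    if "*ALLOBJ" in user.special:                                   # 1 special, user
        return expand("*ALL")
    if user.name in obj.private:                                    # 2 specific, user
        return expand(obj.private[user.name])
    if obj.autl and user.name in obj.autl:                          # 3 user on list
        return expand(obj.autl[user.name])
    if any("*ALLOBJ" in profiles[g].special for g in user.groups):  # 4 special, group
        return expand("*ALL")
    for g in user.groups:                                           # 5 specific, group
        if g in obj.private:
            return expand(obj.private[g])
    for g in user.groups:                                           # 6 group on list
        if obj.autl and g in obj.autl:
            return expand(obj.autl[g])
    if obj.public == "*AUTL":                                       # 7 says: use 8
        return expand((obj.autl or {}).get("*PUBLIC", "*EXCLUDE"))  # 8 *PUBLIC on list
    return expand(obj.public)                                       # 7 PUBLIC in object


def can(user, obj, needed, profiles, library=None, via_program=None):
    """True if `user` holds `needed` (a basic authority or a grouping) on `obj`.
    A library, when given, must first be searchable (*USE). A program that
    adopts its owner's authority adds the owner's rights to the user's own:
    the one accumulated check the slides describe."""
    if library is not None and not expand("*USE") <= effective_authority(user, library, profiles):
        return False
    have = effective_authority(user, obj, profiles)
    if via_program is not None:
        have |= effective_authority(profiles[via_program.owner], obj, profiles)
    return expand(needed) <= have


def demo():
    """Scenarios taken from the slides' examples (names and data constructed)."""
    profiles = {n: User(n) for n in ("ANJA", "EDWIN", "RONALD", "LEEN", "GRPX", "D", "A", "B", "C")}
    profiles["RONALD"].groups = ["GRPX"]
    profiles["D"].groups = ["GRPX"]
    abc = {"ANJA": "*ALL", "EDWIN": "*CHANGE", "RONALD": "*USE",
           "LEEN": "*AUTLMGT", "*PUBLIC": "*EXCLUDE"}
    payroll = Obj("PAYROLL", owner="ANJA", public="*AUTL", private={"GRPX": "*CHANGE"}, autl=abc)
    b23 = Obj("B23", owner="B", private={"B": "*ALL", "A": "*EXCLUDE"})  # owner B holds *ALL
    bas = Obj("BAS", owner="B", public="*USE")                          # created USRPRF(*OWNER)
    lib_a = Obj("LIBRARY_A", owner="A", private={"B": "*USE"})          # public *EXCLUDE
    obj_a = Obj("OBJECT_A", owner="A", public="*USE")
    return {
        "edwin_update": can(profiles["EDWIN"], payroll, "*UPD", profiles),    # *CHANGE via list
        "ronald_update": can(profiles["RONALD"], payroll, "*UPD", profiles),  # list *USE found first
        "d_update": can(profiles["D"], payroll, "*UPD", profiles),            # group's *CHANGE
        "leen_read": can(profiles["LEEN"], payroll, "*READ", profiles),       # *AUTLMGT only
        "c_read": can(profiles["C"], payroll, "*READ", profiles),             # *PUBLIC on list
        "a_direct": can(profiles["A"], b23, "*READ", profiles),
        "a_via_bas": can(profiles["A"], b23, "*READ", profiles, via_program=bas),
        "c_in_lib": can(profiles["C"], obj_a, "*READ", profiles, library=lib_a),
        "b_in_lib": can(profiles["B"], obj_a, "*READ", profiles, library=lib_a),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14} {allowed}")
```

The `ronald_update` case is the one worth pausing on: RONALD's group GRPX has ∗CHANGE on the object, but his own entry on the authorization list (step 3) is found before the group's specific authority (step 5), so the search stops at ∗USE. That is exclusive access control as the slides define it, and it is why a private or list entry lower than the public authority is worth marking in the object header.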

DEDICATED SERVICE TOOLS


Dedicated service tools are used to solve problems occurring in the licensed internal code and to work with disk configurations. To use these tools the system must be IPLed attended with the key lock in position MANUAL. There are three levels of DST authorization

• SECURITY
  Used by the security officer to do all DST functions and change the DST passwords

• FULL
  To use all DST functions except DST password changes

• BASIC
  To use DST functions not affecting sensitive data

Note: The security officer must change the DST passwords after installing the system. With the CHGDSTPWD command the DST passwords can be reset


JOURNALING
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types

(Figure: the security officer activates the SECURITY EVENT journal on the AS/400 with the system value QAUDJRN(∗JRN), activates the journal level with system values such as ∗AUTFAIL and ∗PGMFAIL, and the entries are written to the journal receiver USERRECV)

SECURITY DEFINITION INTERFACE


Menu interface (started with GO SECURITY): e.g. the Define User Profile panel with the fields User Profile, Password, Password Expired, User Class, Current library, Initial Program and Initial Menu, and a command line (== >)

Command interface
• CRTUSRPRF − Create user profile
• CHGUSRPRF − Change user profile
• DLTUSRPRF − Delete user profile
• DSPUSRPRF − Display user profile
• CHGPWD − Change password
• DSPAUTUSR − Display authorized users
• CHGPRF − Change profile (normal users)
• WRKUSRPRF − Work with user profiles

AS/400 architecture & security 57

PART X

ADDITIONAL INFORMATION

ONLY FOR THE AS/400 AUDITOR
LIMITED USERS

Restrictions can be defined in the user profile, the so called limited capability (LMTCPB)

Users can be prevented from changing the initial menu, initial program and current library. When a user signs on, the user profile definition may contain an initial menu to display or a program to execute. With limited capability = *YES the signed-on user can only use this menu structure or only execute the defined program, and can only enter the few commands that are marked as allowed for limited users (ALWLMTUSR(*YES), e.g. SIGNOFF, DSPMSG, SNDMSG)

When a user is *PARTIAL limited (also defined in the user profile) the user may change the initial menu and is allowed to issue commands from the command line, but still cannot change the initial program or the current library

Note for the auditor: limited capability restricts the command line and the sign-on attributes only; it does not change the user's object authorities, so the data must still be protected by the authority on the objects themselves
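The user profile fields of the GO SECURITY menu (Security definition interface slide) as commands, with the limited capability settings from this slide applied. This is an added example, not from the original slides; the profile names CLERK01 and SUPPORT01, library APPLIB, menu program ORDMENU and the initial password are assumptions.

```cl
/* Added example (not from the slides): the user profile fields of the       */
/* GO SECURITY menu as commands, with limited capability applied.            */
/* CLERK01, SUPPORT01, APPLIB, ORDMENU and the initial password are assumed. */

/* Menu-only user: LMTCPB(*YES). The user cannot change the initial program, */
/* initial menu or current library, and the command line only accepts        */
/* commands with ALWLMTUSR(*YES). PWDEXP(*YES) forces a new password at the  */
/* first sign-on; INLMNU(*SIGNOFF) signs the user off when ORDMENU ends.     */
CRTUSRPRF USRPRF(CLERK01) PASSWORD(CHG1STPWD) PWDEXP(*YES) USRCLS(*USER) +
            SPCAUT(*NONE) CURLIB(APPLIB) INLPGM(APPLIB/ORDMENU) +
            INLMNU(*SIGNOFF) LMTCPB(*YES) TEXT('Order clerk, menu only')

/* Support user: LMTCPB(*PARTIAL). May change the initial menu and use the   */
/* command line, but not the initial program or the current library.         */
CRTUSRPRF USRPRF(SUPPORT01) PASSWORD(CHG1STPWD) PWDEXP(*YES) USRCLS(*USER) +
            SPCAUT(*NONE) INLMNU(MAIN) LMTCPB(*PARTIAL) +
            TEXT('Application support, command line allowed')

/* Which commands a LMTCPB(*YES) user may type is a property of the command. */
/* Widen the set only for display-type commands, never for CALL or SBMJOB.   */
DSPCMD    CMD(QSYS/CALL)                  /* Allow limited user . . : *NO    */
CHGCMD    CMD(QSYS/DSPLIBL) ALWLMTUSR(*YES)

/* Review: the attributes the auditor looks at, and the full user inventory. */
DSPUSRPRF USRPRF(CLERK01)                 /* Limited capability . . : *YES   */
DSPAUTUSR SEQ(*USRPRF)
```

The CRTUSRPRF parameters map one to one onto the menu fields (USRPRF, PASSWORD, PWDEXP, USRCLS, CURLIB, INLPGM, INLMNU); the menu simply prompts the same command.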

LIBRARY SECURITY

A library is used to keep track of the objects that exist in it. Libraries are themselves objects, and to find an object a user needs at least *USE authority to the library (the *EXECUTE authority contained in *USE is what allows the lookup of the objects described in it)

Set the public authority for the objects in the library as high as necessary and the public authority for the library to *EXCLUDE

Authority to the library is then granted to the individual users (or their group profiles, or via an authorization list) who need it
LIBRARY SECURITY (example)

LIBRARY A
  Owner: user A
  Public authority: *EXCLUDE
  contains
    OBJECT A (DATA)  Public authority *USE
    OBJECT B (DATA)  Public authority *USE
    OBJECT C (DATA)  Public authority *USE
    etc.

USER B has *USE to LIBRARY A: can find and use OBJECT A, B, C, ...
USER C has no private authority to LIBRARY A: the public authority *EXCLUDE applies, so C cannot reach the objects even though each object has public authority *USE
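The library-as-gate pattern of the two slides above as commands. This is an added example, not from the original slides; library LIBA and users A, B and C follow the slide, the file names OBJA/OBJB and the record length are assumptions.

```cl
/* Added example (not from the slides). Library LIBA and users A, B, C follow */
/* the slide; file names OBJA/OBJB and the record length are assumed.        */

/* The library is the gate: public *EXCLUDE. CRTAUT(*USE) makes *USE the     */
/* default public authority of objects created in it, so later objects do    */
/* not silently come out as *CHANGE (the shipped QCRTAUT default).           */
CRTLIB    LIB(LIBA) TYPE(*PROD) AUT(*EXCLUDE) CRTAUT(*USE) +
            TEXT('Application data, access by library grant')
CHGOBJOWN OBJ(LIBA) OBJTYPE(*LIB) NEWOWN(A)

/* Objects inside get public *USE, "as high as necessary" for read access.   */
CRTPF     FILE(LIBA/OBJA) RCDLEN(80) AUT(*USE)
CRTPF     FILE(LIBA/OBJB) RCDLEN(80) AUT(*USE)

/* Only user B is let through the gate. *USE on a library includes *EXECUTE, */
/* the authority needed to find an object in the library.                    */
GRTOBJAUT OBJ(LIBA) OBJTYPE(*LIB) USER(B) AUT(*USE)

/* User C gets nothing, so the public *EXCLUDE on the library applies.       */
/* Run as C, this fails although OBJA itself is public *USE:                 */
CHKOBJ    OBJ(LIBA/OBJA) OBJTYPE(*FILE) AUT(*USE)   /* CPF9820, not authorized to library */

/* Review: authorities on the gate and on the objects behind it.             */
DSPOBJAUT OBJ(LIBA) OBJTYPE(*LIB)
DSPOBJAUT OBJ(LIBA/OBJA) OBJTYPE(*FILE)
```

The check to repeat at audit time is the second DSPOBJAUT: an object created later with an explicit AUT(*ALL) or AUT(*CHANGE) is still shielded by the library, but becomes fully exposed the moment somebody grants *USE on LIBA to *PUBLIC.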

PHYSICAL VERSUS LOGICAL FILE SECURITY

A physical file, which contains the physical records, can be accessed directly by the users or indirectly through a logical file definition. This logical file definition can give a different view of the physical data (a subset of the records and/or fields)

The physical file object P on the next slide cannot be accessed directly because the user has no access to its header information, i.e. no *OBJOPR (object operational) authority, which is needed to open the file

By giving a user access to a logical file with a certain view of the physical data, the user only has access to that part of the data. Note that the data authorities (*READ, *ADD, *UPD, *DLT) are still checked on the physical file for the operations done through the logical file; only the *OBJOPR authority needed to open the file comes from the logical file
PHYSICAL VERSUS LOGICAL FILE SECURITY

OBJECT L1 (logical file)
  Public authority *OBJOPR
  Data Descr. Spec.: RECORDS, FIELDS A and B
  -> PHYSICAL FILE P

PHYSICAL FILE P
  Public authority *NONE on the object header (no *OBJOPR, hence no direct open; the data authorities needed through L1/L2 are checked here)
  Data Descr. Spec.: RECORDS, FIELDS
  DATA

OBJECT L2 (logical file)
  Public authority *CHANGE
  Data Descr. Spec.: RECORDS, FIELDS X and Y
  -> PHYSICAL FILE P
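The P / L1 / L2 set-up of the two slides above as commands. This is an added example, not from the original slides; the file names follow the slide, library LIBA and the DDS source members in QDDSSRC (member P describing the physical file, L1 selecting fields A and B, L2 selecting fields X and Y) are assumptions.

```cl
/* Added example (not from the slides). Files P, L1, L2 follow the slide;    */
/* library LIBA and the DDS source members (QDDSSRC) are assumed to exist.   */

/* Physical file P: create with *CHANGE, then take *OBJOPR away from *PUBLIC.*/
/* What is left (*READ *ADD *UPD *DLT *EXECUTE) are data authorities without */
/* the right to open the file: exactly "no access to the header".            */
CRTPF     FILE(LIBA/P) SRCFILE(LIBA/QDDSSRC) SRCMBR(P) AUT(*CHANGE)
RVKOBJAUT OBJ(LIBA/P) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*OBJOPR)

/* L1: read-only view on fields A and B (DDS member L1 selects them).        */
/* Public gets *OBJOPR on L1 only; the *READ that the read needs is checked  */
/* on P, where *PUBLIC still has it.                                         */
CRTLF     FILE(LIBA/L1) SRCFILE(LIBA/QDDSSRC) SRCMBR(L1) AUT(*EXCLUDE)
GRTOBJAUT OBJ(LIBA/L1) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*OBJOPR)

/* L2: view on fields X and Y with public *CHANGE, so records may be updated */
/* through L2, but only in the fields L2 exposes.                            */
CRTLF     FILE(LIBA/L2) SRCFILE(LIBA/QDDSSRC) SRCMBR(L2) AUT(*CHANGE)

/* Checks, run as an ordinary user:                                          */
RUNQRY    QRYFILE((LIBA/P))               /* fails: no *OBJOPR on P          */
RUNQRY    QRYFILE((LIBA/L1))              /* works: fields A and B only      */
DSPOBJAUT OBJ(LIBA/P) OBJTYPE(*FILE)      /* *PUBLIC must show no *OBJOPR   */
```

The auditor's check is the last line: if *PUBLIC (or a group) regains *OBJOPR on P, every logical-file view becomes decorative, because the user can open P directly with the data authorities that were left in place for the views.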

AUTHORITY HOLDER

AS/400 gives the opportunity to set up object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header (authority) information of an object. It will be connected to the object's data part when the data is created

AUTHORITY HOLDER
  Public authority *USE     Object header created in advance
         |
  Connected when DATA is created
         |
  DATA created in the future

Note: authority holders can only be created for files (object type *FILE), typically for files that applications (e.g. System/36 environment programs) delete and recreate. The holder is not deleted with the file: it stays behind and attaches again to the next file created with that name in that library, so authority holders must be inventoried (DSPAUTHLR) and removed (DLTAUTHLR) when no longer needed
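The authority holder life cycle above as commands. This is an added example, not from the original slides; library LIBA, file ORDERS and the record length are assumptions.

```cl
/* Added example (not from the slides). Library LIBA and file ORDERS are     */
/* assumed. Authority holders exist only for files (OBJTYPE(*FILE)).         */

/* 1. The header is set up first: public *USE, owner = the creating user.    */
CRTAUTHLR OBJ(LIBA/ORDERS) OBJTYPE(*FILE) AUT(*USE)

/* 2. When the file is created later (possibly by a program that deletes and */
/*    recreates it every run), the authorities of the holder apply to it.    */
CRTPF     FILE(LIBA/ORDERS) RCDLEN(120)
DSPOBJAUT OBJ(LIBA/ORDERS) OBJTYPE(*FILE)     /* *PUBLIC *USE, from the holder */

/* 3. Deleting the file does not delete the holder; the next LIBA/ORDERS     */
/*    picks it up again. Keep an inventory and remove stale holders.         */
DLTF      FILE(LIBA/ORDERS)
DSPAUTHLR OUTPUT(*)                           /* all authority holders on the system */
DLTAUTHLR OBJ(LIBA/ORDERS)
```

For the auditor the interesting output is DSPAUTHLR: a holder with generous authority sitting in a library where the file no longer exists is a pre-authorized name waiting to be claimed.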
ADOPTED SECURITY: an example

DATA B23
  Owner user B
  Public authority *EXCLUDE

PROGRAM BAS
  Owner user B
  Public authority *USE
  Adopting authority active (USRPRF(*OWNER))

User A has
• *EXCLUDE for data B23
• *USE for program BAS

Note: In this example, user B as owner has *ALL authority to the object with data B23. User A can only access it through the program BAS, which adopts user B's authority while it runs; the adoption ends when BAS ends
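Both adopted-authority examples of this deck built as commands: the one-level BAS/B23 case on this slide and the two-level chain B2S -> X2U -> X24 of the "another example" slide. This is an added example, not from the original slides; library APPLIB, source file QCLSRC and the CL source members of the programs are assumptions, the object and user names follow the slides.

```cl
/* Added example (not from the slides). Builds the BAS/B23 case and the      */
/* two-level chain B2S -> X2U -> X24 of the "another example" slide.         */
/* Library APPLIB, source file QCLSRC and the CL source members are assumed; */
/* run as the security officer, then test as user A.                         */

/* --- one level: DATA B23 and PROGRAM BAS, both owned by B ---------------- */
CRTPF     FILE(APPLIB/B23) RCDLEN(80) AUT(*EXCLUDE)
CHGOBJOWN OBJ(APPLIB/B23) OBJTYPE(*FILE) NEWOWN(B)
GRTOBJAUT OBJ(APPLIB/B23) OBJTYPE(*FILE) USER(A) AUT(*EXCLUDE)

/* USRPRF(*OWNER): while BAS runs, the owner's (B's) authority is added to   */
/* the caller's. B owns B23, so A reads B23 inside BAS and nowhere else.     */
CRTCLPGM  PGM(APPLIB/BAS) SRCFILE(APPLIB/QCLSRC) SRCMBR(BAS) +
            USRPRF(*OWNER) AUT(*USE)
CHGOBJOWN OBJ(APPLIB/BAS) OBJTYPE(*PGM) NEWOWN(B)

/* --- two levels: B2S (owner B) calls X2U (owner X) which reads X24 ------- */
CRTPF     FILE(APPLIB/X24) RCDLEN(80) AUT(*EXCLUDE)
CHGOBJOWN OBJ(APPLIB/X24) OBJTYPE(*FILE) NEWOWN(X)
GRTOBJAUT OBJ(APPLIB/X24) OBJTYPE(*FILE) USER(A) AUT(*EXCLUDE)

/* X2U adopts X (who owns X24). USEADPAUT(*YES) means it also keeps the      */
/* authority adopted by programs above it on the call stack (here B's).      */
CRTCLPGM  PGM(APPLIB/X2U) SRCFILE(APPLIB/QCLSRC) SRCMBR(X2U) +
            USRPRF(*OWNER) USEADPAUT(*YES) AUT(*EXCLUDE)
CHGOBJOWN OBJ(APPLIB/X2U) OBJTYPE(*PGM) NEWOWN(X)
GRTOBJAUT OBJ(APPLIB/X2U) OBJTYPE(*PGM) USER(B) AUT(*USE)

/* B2S adopts B. A has *USE on B2S; B's *USE on X2U, now adopted, carries A  */
/* into X2U; X2U's adopted X authority then opens X24. Adopted authority is  */
/* the only authority that accumulates along the call stack.                 */
CRTCLPGM  PGM(APPLIB/B2S) SRCFILE(APPLIB/QCLSRC) SRCMBR(B2S) +
            USRPRF(*OWNER) USEADPAUT(*YES) AUT(*EXCLUDE)
CHGOBJOWN OBJ(APPLIB/B2S) OBJTYPE(*PGM) NEWOWN(B)
GRTOBJAUT OBJ(APPLIB/B2S) OBJTYPE(*PGM) USER(A) AUT(*USE)

/* --- as user A ----------------------------------------------------------- */
RUNQRY    QRYFILE((APPLIB/X24))     /* fails: private *EXCLUDE, no adoption  */
CALL      PGM(APPLIB/B2S)           /* works: X2U inside it reads X24        */

/* --- review: every program that adopts B or X, and each program's flags -- */
DSPPGMADP USRPRF(B)
DSPPGMADP USRPRF(X)
DSPPGM    PGM(APPLIB/X2U)           /* User profile *OWNER, Use adopted authority *YES */
```

DSPPGMADP is the auditor's inventory: every program it lists for a powerful owner is a door into that owner's authority, and the chain shows why the list must be checked for the owners of the called programs as well, not only for the program the user is allowed to call.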

ADOPTED SECURITY: SEARCH SEQUENCE

Which program A is found depends on the sequence of the library list. When program B calls program A with an unqualified name, program A is found in library B

SEARCH
  Library B containing program A and program B
  Library A containing program A

If library A is placed in front of library B in the library list, program A is found in the other library. This can result in the execution of an uncontrolled program, still running with the adopted authority, and give unpredictable results such as a security breach

SEARCH
  Library A containing program A
  Library B containing program A and program B
ADOPTED SECURITY

To eliminate the possibility of misusing the library sequence, the program call should supply the library name by using the qualified name in the CALL command

CALL PGM(B/A)

Program A will only be used from library B

Another way to eliminate this security problem is not to call the program, but to transfer control (TFRCTL) to program A

With TFRCTL program B is removed from the call stack, so program A does not run with the authority adopted through program B (owner user B). This can only be done when appropriate for the program logic flow, because control does not return to program B
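The library-list problem of the previous slide and the two remedies on this one, plus the program attribute that closes the hole from the called side. This is an added example, not from the original slides; libraries LIBA and LIBB and programs A and B follow the slide, the CL source of the two variants of program B is an assumption.

```cl
/* Added example (not from the slides). Libraries LIBA/LIBB and programs A/B */
/* follow the slide; the CL source of the two variants of B is assumed.      */

/* The problem: with LIBA ahead of LIBB in the library list, an unqualified  */
/* CALL PGM(A) from inside B resolves to LIBA/A, which still runs under the  */
/* authority B adopted from its owner.                                       */
CHGLIBL   LIBL(LIBA LIBB)
CALL      PGM(LIBB/B)

/* Variant 1 of program B: qualified call. Only LIBB/A can be reached, but   */
/* A still inherits B's adopted authority if A has USEADPAUT(*YES).          */
PGM
  CALL PGM(LIBB/A)
ENDPGM

/* Variant 2 of program B: transfer control. B is removed from the call      */
/* stack before A starts, so B's adopted authority is gone. TFRCTL has to be */
/* the last statement of B, because control never returns to B.             */
PGM
  TFRCTL PGM(LIBB/A)
ENDPGM

/* Belt and braces, from the called side: A neither adopts anything itself  */
/* nor uses authority adopted by any caller, whatever path it arrived by.   */
CHGPGM    PGM(LIBB/A) USRPRF(*USER) USEADPAUT(*NO)

/* Review: who adopts whom, the job's library list, and the audit trail of  */
/* adopted authority use (AP entries, written when QAUDLVL includes *PGMADP).*/
DSPPGMADP USRPRF(B)
DSPLIBL
DSPJRN    JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AP)
```

The qualified CALL and TFRCTL protect against a substituted program A; USEADPAUT(*NO) on A protects against every caller that adopts, including ones written later. An auditor should expect all three in programs that adopt a powerful owner.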

JOURNALING

To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary
The journal receiver is the object that will hold the journal entries and can be defined by the security officer using his/her own naming conventions
The receiver and the journal are created, and auditing switched on, with the following commands and system values (the receiver must exist before the journal)

CRTJRNRCV JRNRCV(USERRECV)
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(USERRECV)
QAUDJRN(*JRN)                  (system value: auditing on; QAUDCTL(*AUDLVL) on later releases)
QAUDLVL(*AUTFAIL *PGMFAIL)     (system value: which events are audited)

To set the level of journaling the system value QAUDLVL must be set. Possible values include
*NONE, *AUTFAIL, *SAVRST, *DELETE, *SECURITY, *CREATE, *OBJMGT and *PGMFAIL
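The set-up on this slide, followed by the selective retrieval described on the earlier Journaling slide, as commands. This is an added example, not from the original slides; receiver name and library (QGPL/AUDRCV0001), the threshold, the outfile name AUDAF and the release-level remark on QAUDCTL are assumptions, QASYAFJ4 is IBM's model outfile for AF (authority failure) entries in *TYPE4 format.

```cl
/* Added example (not from the slides): the set-up on this slide and the     */
/* selective retrieval of the earlier journaling slide. Receiver name and    */
/* library (QGPL/AUDRCV0001), outfile name AUDAF and the threshold are       */
/* assumed; QASYAFJ4 is IBM's model outfile for AF entries (*TYPE4 format,   */
/* release dependent).                                                       */

/* 1. Receiver first: CRTJRN needs a receiver to attach.                     */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
            TEXT('Security audit journal receiver')

/* 2. The audit journal has a fixed name: QSYS/QAUDJRN. Let the system swap  */
/*    receivers at the threshold, but never let it delete them (evidence).  */
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) +
            MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
            TEXT('Security audit journal')

/* 3. Choose what is audited, then switch auditing on. The slide's           */
/*    QAUDJRN(*JRN) is the older system value; on later releases the switch  */
/*    is QAUDCTL with value *AUDLVL (assumption about release level).        */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL *SECURITY *PGMADP *SAVRST')
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
DSPSYSVAL SYSVAL(QAUDLVL)
WRKJRNA   JRN(QSYS/QAUDJRN)               /* attached receiver, receiver chain */

/* 4. Selective retrieval: copy the model outfile for AF (authority failure) */
/*    entries and extract only those entries from the current receiver chain.*/
CRTDUPOBJ OBJ(QASYAFJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(AUDAF)
DSPJRN    JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(AF) +
            OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QGPL/AUDAF)
RUNQRY    QRYFILE((QGPL/AUDAF))            /* who failed on what, and when   */
```

Two details matter for the reviewer: AUT(*EXCLUDE) on the journal and its receivers keeps the evidence out of reach of the users being audited, and DLTRCV(*NO) means a detached receiver is only removed by an explicit, auditable action after it has been saved.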
