TCP/IP Security in a z/OS Environment using Policy Agent & RACF

Code: TCPIPSECZ

Description

This course provides a practical and comprehensive introduction to securing TCP/IP in a z/OS environment using RACF and Policy Agent (PAGENT). It is designed for technical staff responsible for implementing and managing network security on z/OS, and covers how RACF, SAF, SERVAUTH, digital certificates, SSL/TLS, SSHD, SFTP, AT-TLS, and Policy Agent work together to protect network resources, applications, ports, commands, and communications.

Participants will learn both the concepts and the implementation steps needed to secure z/OS network services in real environments. The course includes protection of TN3270, FTP/FTPS, IP Security, IDS, DMD, IKED, filtering, QoS, and certificate-based security, while also explaining how PAGENT policies control access and enforce rules across users, applications, and systems. It is well suited for those who already understand TCP/IP on z/OS and want to strengthen their ability to deploy robust, policy-based mainframe network security.

Audience

Any technical staff responsible for setting up security in a TCP/IP for z/OS environment.

Prerequisites

Students should have an understanding of TCP/IP under z/OS and if possible, RACF Security.

Objectives

  • Understand how RACF works
  • Explain how z/OS SAF, especially RACF, is used to protect your network and communications
  • Discuss the RACF security profiles required to protect access to various network resources
  • Understand how cryptography, ciphers and SSL/TLS work in a z/OS environment
  • Explain how to implement the TLS and SSL protocol technology to protect data exchanges between
    client and server applications
  • Implement the SSH daemon and SFTP
  • Describe how digital certificates can be implemented and used within z/OS and how various clients
    and servers use the certificates
  • Implement Native TN3270/TLS security and Native FTPS/TLS security
  • Explain how Digital Certificates are used in a policy-based z/OS environment
  • Explain the rules and policies used in the Policy Agent (PAGENT) to dictate how users, applications
    and organizations access and use their IT resources
  • Understand how the PAGENT can be configured as a Central Policy Server
  • Implement TN3270/Telnet security and FTPS using AT-TLS with PAGENT policies
  • Explain how other applications use AT-TLS with PAGENT
  • Implement IP Security
  • Explain how to implement TRMD and IKED
  • Permit or deny IP packets into and out of z/OS using IP Filtering with IP Security
  • Describe at a high level how the IPSec tunnel traverses a NAT or NAPT device
  • Implement IDS
  • Implement DMD
  • Describe the QoS concepts and how to implement QoS.

Topics

  • Understanding RACF Network Security
    • Why secure the TCP/IP network
    • IBM's Resource Access Control Facility (RACF)
    • Main RACF - z/OS components
    • How does RACF work?
    • Multi-level Security labels
    • RACF profiles: Group profiles, User profiles, General resource profiles
    • Implementing Program control and APF for z/OS load libraries
    • Implementing UNIX protection for Daemons, Program Control and APF
    • RACF commands
  • Protecting Network Resources
    • Tasks that need protection with SERVAUTH Class
    • Policy based networking
    • SERVAUTH Resource Class responsibilities
    • SERVAUTH Resource Class
    • Protecting the TCPIP stack
    • Protecting your network access
    • Application considerations when using NETACCESS
    • Using the NETSTAT and PING commands to check protection
    • Protecting your network ports
    • RACF definitions for protecting network ports
    • Using the NETSTAT command to check PORT access
    • Protecting the use of socket options
    • What are network commands
    • Protecting network commands - z/OS TCPIP commands
    • Protecting network commands - NETSTAT and ONETSTAT commands
    • SSL and Crypto devices
    • Three types of encryption keys
    • Clear Key processing
    • Secure Key processing
    • Master Keys and Key Data Sets
    • Protected Key/Wrapping Key
  • SSHD and SFTP using SSL
    • SSHD UNIX files
    • SSHD - Using ICSF and /dev/random
    • SSHD - Creating configuration files
    • SSHD - Creating SSHD server keys
    • SSHD - Set up SSHD server userids
    • SSHD - Create SSHD server started task
    • SSHD - TCP configuration
    • SSHD - Verify z/OS DNS / Resolver operation
    • FTPS and SFTP
    • Pros and cons of FTPS and SFTP
    • Customizing the PROFILE & SERVICES datasets
  • RACF & Digital Certificates
    • Cryptography in Internet applications
    • Public key cryptography overview
    • What is a digital certificate?
    • Public key & certificate
    • Uses for certificates in applications
    • Secure Sockets Layer (SSL)
    • Digital certificates and RACF
    • How RACF uses digital certificates
    • RACF classes & commands
    • RACDCERT
    • RACF certificate generation
    • RACDCERT command
    • Creating a certificate
    • Gencert examples
    • Introduction to policy based networking
    • The Policy Agent
    • RACF and PAGENT
    • Define a User for PAGENT
    • Give authorized users access to start and stop PAGENT
    • Securing the pasearch command and initialising PAGENT before TCPIP
    • Other address spaces that will need RACF profiles
    • Central policy server
    • SERVAUTH authorisation for Policy Client
    • Basic configuration
    • Defining the Tcp Image statements
    • Image definitions
    • Logging
    • PAGENT commands
    • Traffic Regulation Management Daemon
    • Policy infrastructure management services
    • Implementation and operations
    • Parameters for policy infrastructure management services
    • Installation of configuration files
    • PAGENT requirements
    • CSFSERV resource class
    • Example for AT-TLS
    • Example of Intrusion Detection Services
    • Example of IP filtering
    • Example of IP Security
    • Example of Network Address Translation
    • Example of IKE protocols
    • Example of Quality of Service
    • SNMP overview
    • SNMP in operation
  • IP Security
    • Defense Manager Daemon installation
    • DMD Configuration File
    • DMD started procedure
    • Ipsec F command
    • The Ipsec -t command
    • Protecting network commands - EZACMD REXX program
    • Protecting FTP access
    • Other FTP profiles
    • Protecting TN3270 Secure Telnet Port
    • Protecting the MODDVIPA command
  • Cryptography, SSL, Ciphers & Digital Certificates
    • Overview
    • What is a digital certificate?
    • Public key & certificate
    • Uses for certificates in applications
    • Secure Sockets Layer (SSL)
    • Secret key cryptography
    • Ciphers used in secret key cryptography
    • Notes on secret key ciphers
    • Public key cryptography
    • Public key ciphers
    • Message integrity
    • Message digest algorithms
    • Message Authentication Codes
    • Using the ciphers
    • Ciphers
    • SSL protocol
    • How SSL works
    • SSL Session ID
    • The SSL layer
    • System SSL
    • System SSL on z/OS
    • Why TLS
    • Hardware cryptography on System Z
    • Crypto support in z/OS
    • Key rings
    • RACDCERT ring functions
    • Certification installation
    • RACDCERT ADD examples
    • Certification installation
    • Certificate management
    • Exploiters of certificates
    • Exporting a certificate
    • Certificates are packaged in formats
    • Renew a certificate
    • Examples of REKEY and ROLLOVER
    • Certificate mapping
    • RACF Key Rings
    • Global FACILITY class profiles
    • Sharing a private key
    • RDATALIB Class
    • RACDCERT granular administration
    • RACDCERT granular control
    • Listing, removing & deleting
  • Secured TN3270 and FTPS
    • What is TN3270 security?
    • How native TN3270 security can be applied with TLS
    • Description of TN3270 native connection security
    • Dependencies for Telnet server native connection security
    • Example of definitions
    • Encryption algorithms (cipher suites)
    • RACF permissions
    • What is FTP security?
    • Software and hardware prerequisites
    • Configuring FTP native TLS security
    • Logging onto the Server with FileZilla
  • Introduction to Policy Agent
    • Setting up IPSec on z/OS
    • Setting up IKED
    • The IKED catalogued procedure and configuration file
    • Reserve the ports and RACF changes
    • Digital certificates for IKED
    • Authorizing Callable Services
    • Other actions for IPSec
    • Commands for IPSec
    • Using the IPSec policy in z/OS
  • Intrusion Detection Services & Defense Manager Daemon
    • Basic concepts
    • Scan policies
    • There are different types of scan events
    • Attack policies
    • Attack policy notification
    • Traffic regulation policies
    • TCP traffic regulation
    • UDP traffic regulation
    • Implementing IDS
    • Creating the IDS policy
    • IDS traffic descriptors
    • IDS Requirement Maps
    • Creating a new IDS Requirement Map
    • IDS scans
    • Scan Levels
    • Modify IDS scans
    • IDS Traffic Regulation
    • z/OSMF selection of requirement map
    • Defensive filtering overview
    • Simulate mode
    • Installation of defensive filtering
    • Filter types

Price (ex. VAT)

€ 3.040,00 per person

Duration

4 days

Schedule

Please send us a message with the form below

Delivery methods

  • Classroom
  • On-site (at your location)
  • Virtual (instructor online)
