Carol President and Co-Founder SkyView Partners, Inc

Transcription

1 Carol President and Co-Founder SkyView Partners, Inc Copyright SkyView Partners, Inc, Al Rights Reserved. 1 V7R1 and TRs (Technology Releases) 25 SkyView Partners, Inc.,

2 26 Two types of exit points for CL commands QIBM_QCA_CHG_COMMAND Change (changes the command string) QIBM_QCA_RTV_COMMAND Retrieve (called prior to the command being run) Retrieve has a new option to call AFTER the command is run 27 SkyView Partners, Inc.,

3 New functions to manage: TOOLBOX APPLICATION SERVER ACCESS = ODBC and JDBC DDM / DRDA 29 Helps to determine how/where the command was run Run from CL pgm now contains: 'Y' maps to *IPGM, *BPGM, *IMOD, *BMOD 'R' maps to *IREXX, *BREXX 'E' maps to *EXEC 'B' maps to *BATCH 'N' maps to *INTERACT 30 SkyView Partners, Inc.,

4 SQL programming enhancement: a FIELDPROC is a user-written exit routine that transforms values in a single column. Used by vendors to encrypt values in a specific column. Masking support is also available, e.g, xxxx-xxxxxx Can now specify a group profile for the User profile the value QDDMDRDASERVER for the Server. 32 SkyView Partners, Inc.,

5 New in V7R2 (c) SkyView Partners, Inc, *PTFOBJ Changes to PTF objects during PTF operations *PTFOPR PTF operations such as load, apply or removal of a PTF 36 SkyView Partners, Inc.,

6 AX Row and column access control (RCAC) PF and PU for new *PTFOPR and *PTFOBJ values X2 Query manager profile changes 37 AD Auditing value changes AU Attribute changes CA Authority changes CP User profile changes (Note: only the previous special authority values have been added) DI Directory server GR Generic record (added changes to the function usage (Application Administration) settings) PA Program adopt PG Primary group changes RA Restore object authority changes (added the name of the authorization list) RJ Restore job description (added name that had been specified in the job description) RO Ownership changes for restored objects RZ Primary group changes for restored objects 38 SkyView Partners, Inc.,

7 CIPHER algorithms used for SSL older algorithms removed. See changes on the QSSLCSL system value New version of Java Web servers including new authentication methods and updated encryption support PASE now runs the most current AIX version (v7.1) OpenSSL version in use within PASE is now V1.01g Updated encryption algorithms for IBM i VPN support 39 TLS version 1.1 (TLSv1.1) and 1.2(TLSv1.2) are now available Online Certificate Status Protocol (OCSP) is now supported. This is a method for determining when a digital certificate has been revoked DCM now supports the ability to assign multiple certificates to a server Services using the AES and SHA-2 algorithms such as the crypto services APIs, software tape encryption and system-supplied SSL and VPN connections will see a performance gain on POWER8 hardware. 40 SkyView Partners, Inc.,

8 The following commands now accept and object type so you can scope your search: WRKOBJOWN work with objects by owner WRKOBJPGP work with objects by primary group WRKOBJPVT work with objects by private authorities SkyView Partners, Inc.,

9 43 QPWDCHGBLK (Block password change) Time (in hours) that must elapse between running CHGPWD Purpose is to prevent changing multiple times and reusing same password Does not affect changing password via CHGUSRPRF Can override in the user profile QPWDEXPWRN (Password expiration warning) Number of days prior to password expiring to start showing the password expiration warning 7 (default), valid values: SkyView Partners, Inc.,

10 *PWDSYSVAL or *CHRLMTAJC *CHRLMTREP *DGTLMTAJC *DGTLMTFST *DGTLMTLST *DGTMAXn *DGTMINn *LMTSAMPOS *LMTPRFNAME *LTRLMTAJC *LTRLMTFST *LTRLMTLST *LTRMAXn *LTRMINn *MAXLENnnn *MINLENnnn *MIXCASEnnn *REQANY3 *SPCCHRLMTAJC *SPCCHRLMTFST *SPCCHRLMTLST *SPCCHRMAXn *SPCCHRMINn V7R2 *ALLCRTCHG 45 Once you specify something other than *PWDSYSVAL, then the following are ignored: QPWDLMTAJC QPWDLMTCHR QPWDLMTREP QPWDMAXLEN QPWDMINLEN QPWDPOSDIF QPWDRQDDGT 46 SkyView Partners, Inc.,

11 47 48 SkyView Partners, Inc.,

12 49 Rows: Using SQL, can put rules in place at the file level (outside of program logic) to limit which users can see which rows Has the potential to eliminate logical files Columns: Using SQL, can put rules in place at the file level to determine who can see the full contents of a field in a column or a masked value 50 SkyView Partners, Inc.,

13 Requires installation of BOSS option 47 IBM Advanced Data Security for i (no charge) To administer, someone needs to have the Security Administration function usage or QIBM_DB_SECADM privilege as defined in Application Administration SkyView Partners, Inc.,

14 53 Allows you to define RCAC privileges but also more Enables separation of duties. Users with this privilege can change the object s owner and grant/revoke authority to tables even without having direct authority to the table itself! 54 SkyView Partners, Inc.,

15 Object level security takes precedence. If you have permission as defined by RCAC you must first have object authority. Once activated, just like object security, it s in effect for every object access method ftp, ODBC, queries, command such as UPDDTA and RUNQRY, etc 55 CREATE PERMISSION emp_info ON hr FOR ROWS WHERE ( VERIFY_GROUP_FOR_USER(SESSION_USER, MGR01') = 1 AND dept = '001' ) OR ( VERIFY_GROUP_FOR_USER (SESSION_USER, MGR02') = 1 AND dept = '002' ) OR ( VERIFY_GROUP_FOR_USER (SESSION_USER, DIRECTOR') = 1 ) OR ( CURRENT_USER = 'APP_OWN' ) ENFORCED FOR ALL ACCESS ENABLE; COMMIT; ALTER TABLE hr ACTIVATE ROW ACCESS CONTROL; COMMIT; VERIFY_GROUP_FOR_USER is a new SQL function added in V7R2 SESSION_USER = profile trying to access the file CURRENT_USER = Owner of last program set to USRPRF(*OWNER) 56 SkyView Partners, Inc.,

16 The absence of authority prevents access to data In previous example, if more departments are added, will need to grant additional permissions or they will not see their data Need to consider how production issues are debugged If using a tool to elevate privileges, may need to grant privileges to the profile being adopted or swapped to so they can access the data No indication that the data is subsetted When copying files to QA or Dev systems, may need to grant additional row privileges for testing Need to make sure that users will still get correct data if data is already being filtered via a logical file or program logic 57 Or query new QSYS2/SYSCONTROLS catalog 58 SkyView Partners, Inc.,

17 59 Masking is NOT a replacement for encryption! May be a good option for test systems if you don t already have a process to mask production data. Need to consider program logic is a record read and then written back? If so, the masked data may be written, over-writing your data. New check constraint support will help prevent this. See When restoring an RCAC-protected file to another system, data will not be accessible if BOSS option 47 isn t installed. 60 SkyView Partners, Inc.,

18 61 62 SkyView Partners, Inc.,

19 Mike Cain s blog DB2 for i SQL Reference manual 01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_72/ db2/rbafzpdf.pdf Redpaper great resource! Details of the AX audit journal entry Security Reference 01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_72/r zarl/sc pdf 63 SkyView Partners YouTube Channel: IBM i Security Administration and Compliance Technical updates IBM i Information Center 64 SkyView Partners, Inc.,