Introduction

The rapid expansion of the Internet and increasingly mobile and more powerful end devices are the driving force behind development in information and communication technology. This process of evolution can be directly observed by anyone who has a PC or a telephone and who wishes to profit increasingly from this trend at work.

In particular, this trend is leading to increasing changes in the traditional data center: company-internal and also inter-company processes that were once paper-oriented are now dependent on information and communication technology, ranging from the simple electronic address book right through to "e-business". In order to do this, the previously isolated server networks are required not only to communicate with each other, but also, in a controlled manner, with an Internet that is open to the world at large.

New applications are often operated on separate systems that are set up alongside the existing servers. As a result, the data center covers a wide range of different operating systems and hardware platforms. Existing applications are given new interfaces that allow them, for example, to be accessed via a standard Web browser. The implementation of web interfaces for traditional applications is often carried out on special front-end systems that are added to the servers.

It is obvious that all these developments demand new measures to guarantee the security of data center operation. Security is in the interest of both the operator and the individual users: the operator needs to be able to guarantee the availability and security of their system for all users, and users do not wish to be held responsible for the unauthorized actions of others.
BS2000/OSD, in conjunction with SECOS (BS2000/OSD) and the product TranSON (Transaction Security in Open Networks) from Siemens AG, makes it possible to ensure effective protection of applications against unauthorized access from the Internet and still provide secure access to BS2000/OSD applications via public channels.

U41241-J-Z125-1-76 1
Authentication: the first step towards enterprise security

The first step when accessing any IT application is authentication: the user must prove their identity. This means that authentication is of particular importance in guaranteeing the IT security of a company.

Problems faced by traditional authentication methods

The traditional, and still the most widely used, method of authentication is by means of a user ID and password. The password authentication method appears cost-effective because no special IT infrastructure is required in order to implement it. But this does not take into account that this method puts the responsibility very firmly on the shoulders of the individual users. The changes in information and communication technology are highlighting the problems created by this:

- The administration effort on the part of the user
- The risk that passwords can be guessed or overheard
The solution: Single Sign On with SECOS and TranSON

The problems of using passwords for authentication purposes can be eliminated for applications that run on BS2000/OSD by implementing SECOS and TranSON. But the use of TranSON is not restricted to BS2000/OSD applications: it can also be used to secure access to R/3 applications, access via telnet connections, access to protected areas of a web server and many other types of access. The solution offers effective protection for applications and systems while remaining convenient for the user:

- Single Sign On reduces or avoids the administration effort required by the use of passwords.
- Cryptographic authentication prevents attempts to guess passwords.
- Encrypted transfer secures both the confidentiality and integrity of the information.

Lowering the administration effort of password methods: Single Sign On

Users are required to access an increasing number of applications, and the number of passwords a single user requires increases accordingly. It may be necessary to form each of the passwords for the various applications according to a different set of rules, and it is also often necessary to change the various passwords at varying intervals. This means that users are faced with a dilemma: secure passwords are difficult to guess, but also difficult to remember. If a user behaves in a security-conscious manner and chooses passwords that are difficult to guess, then they have a great deal of administration effort keeping track of the passwords that they have used. This also increases the effort required for user administration: user administration must be in a position to reset passwords and release IDs that have been blocked as a result of expired passwords.

The Single Sign On concept provides a solution to the error-prone maintenance of the password method: each user signs on once at their specific authentication authority and thus proves their identity.
Only this authentication authority records how each user proves their identity. For each subsequent action initiated by the user, the result of the initial single sign-on procedure is used automatically.

This Single Sign On takes place between the user and the TranSON server proxy. The server generates certificates in accordance with X.509 v3. These are then used by applications to check the access authorization of the user. Under BS2000/OSD, TranSON supports TIAM (as of version 13.0B), openutm (as of version 5.1) and openft (as of version 8.0) in conjunction with FTAC. It is also possible for many other applications (for example, R/3 or a web server) to use the services provided by the TranSON server.
Preventing passwords from being guessed: Cryptographic authentication

The almost "traditional" form of attack on all procedures protected by a password is simply to try out a list of passwords for various applications and user IDs (also known as a "dictionary attack"). Today's scenarios provide new opportunities for attacks of this type:

- The opening up of networks to e-business data traffic makes it possible for potential hackers to connect to servers that were once isolated within internal networks.
- If an application does not use one-way encryption for passwords, the application administrators have the opportunity to see the passwords used by the application users. They are then able to use these passwords/user IDs to try to access other applications.

Attacks by means of trying out common passwords can be effectively prevented using cryptographic authentication procedures without putting too much strain on the memory of the user. The user's "secret" is, in this case, not a password that they are required to remember; it is instead a key to a cryptographic procedure. This key is never transferred across the network; it remains on the system of the user.

TranSON uses a cryptographic procedure based on asymmetric algorithms. This procedure is characterized by the fact that the private key of the user does not need to be stored on a TranSON server. The private key can, in the simplest of cases, be saved in a file on the PC of the user, or it could even be stored on a chip card. For the BS2000/OSD applications that are supported, this means that it is unnecessary to store and manage passwords on the server. The authorization is the certificate validated by the TranSON server. This effectively eliminates all danger of privileged users gaining unauthorized access to passwords.
Securing confidentiality and integrity of information: Encrypted transfer

The user and the application that they are using generally communicate across channels whose security cannot be controlled. Persons with access to the systems over which data flows are able to eavesdrop on the data traffic or manipulate it. Here, too, new applications offer attackers new opportunities:

- Each application that has migrated from paper to the Internet or intranet offers persons with access to the communication system new opportunities for unwanted manipulation.
- Many activities which have, until now, been handled within the computer center can be handled from mobile systems, for example via the telephone network or the Internet. This increases the number of possible points of attack along the communication path.

Not just the password, but also the subsequent exchange of data between the user and an application must be protected against unauthorized eavesdropping or manipulation. This can be achieved most effectively by encrypting information for transfer. Thus, even when information is transferred using an "insecure" channel (for example, the telephone network or the Internet connection of a service provider), the confidentiality and integrity of the information can still be ensured. TranSON can be used to agree encryption based on SSL/TLS for each connection. This implementation is not subject to any USA export restrictions.
How does Single Sign On with TranSON work?

The components of TranSON

TranSON is a modular product used to implement secure communication channels for TCP/IP-based client/server applications. The TranSON solution is based on TLS 1.0 (Transport Layer Security), which is the Internet standard for secure TCP/IP connections. TLS is an adapted version of SSL 3.0 (Secure Socket Layer). TranSON consists of the following components:

- The TranSON server proxy serves to initiate the secure communication channel on the server side. It also forwards jobs to the authentication server and, as required, to the audit server. Under average network traffic conditions, a TranSON server proxy can service up to 500 clients. The server proxy is used to control which applications are forwarded to which target system using which adapter.
- The TranSON authorization server manages the authorization data of the users. The authorization data is required to obtain access to applications secured using the Single Sign On procedure. The KDCSIGN IDs for openutm applications are also stored here. A range of standard databases can be used as the basis for the authorization data.
- The TranSON audit server (optional) is used for logging and auditing.
- The TranSON certification authority (optional) is used to generate and manage certificates.
- The TranSON client proxy serves to initiate the secure communication channel on the client side and also handles user authentication. To meet the highest security requirements, authentication can be implemented using a chip card (various different models are supported) and an associated personal identification number (PIN). The TranSON client proxy must be installed on all clients (e.g. PCs) that want to use the single sign-on procedure.
System overview

This section provides a schematic comparison of a traditional configuration for authentication and a TranSON configuration and indicates the advantages of the TranSON solution.

[Figure: Configuration without Single Sign On with TranSON and SECOS. Components shown: Client, Network, Applications (TIAM, openutm, openft). Passwords are transferred unprotected*.]

- Passwords must be managed separately for each application and specified for each authentication
- Different authentication data and quality for the applications

* openft always transfers the request description data, including the passwords, in encrypted form.
[Figure: Configuration with Single Sign On with TranSON and SECOS. Components shown: Client with TranSON client proxy, Network, TranSON server proxy, TranSON authorization server, Applications (TIAM, openutm, openft). Encrypted transfer of all data.]

- Only one authentication procedure; all secret passwords and key data remain on the client
- Cryptographic authentication and authorization for all applications
Introducing Single Sign On with TranSON

In order to be able to use Single Sign On with TranSON within BS2000/OSD you will need the following components:

- A system that will serve as the TranSON server (server under Solaris, Linux or Windows NT) running the TranSON server software as of V1.4 and the BS2000 Service Adapter (which is also on the TranSON CD)
- BS2000/OSD-BC as of V3.0
- SECOS (BS2000/OSD) as of V4.0
- BCAM as of V15.0 (with the following patches: A0447513, A0452365, A0459390)
- TIAM as of V13.0B (with patch A0447522)
- openutm (BS2000/OSD) as of V5.1 for Single Sign On support for openutm applications
- openft (BS2000/OSD) as of V8.0 in conjunction with FTAC for Single Sign On support for File Transfer

Installing and configuring the TranSON server components

Installation and configuration of the components of the TranSON server are described in the user documentation for TranSON, which can be found on the TranSON product CD. The configuration of the individual components is carried out using separate graphical interfaces and can be extended at any time. The TranSON server components can all be installed on the same computer or on separate machines. The following sections contain additional notes on settings that are either required or may be useful for BS2000/OSD systems.
Configuring the TranSON server proxy

During configuration of the server proxy, entries are made in the Routing tab for the server on which the applications to be protected with the Single Sign On procedure are located. For applications on BS2000/OSD, the following are required:

- The IP address and port number (e.g. 1110 for $DIALOG) of the application: this data can be obtained from the BS2000/OSD network administrator.
- The adapter that is to be used: a special adapter has been provided for applications on BS2000/OSD. If this is not offered explicitly in the selection under Adapter, then "CUSTOM" must be specified here and the path to the BS2000 adapter BS2SSO.DLL specified in the Library field. In the field Init Function for the BS2000 adapter, the specification "Init" must be made (default).

Changes to the routing table of the server proxy only take effect after the service has been restarted. During a restart, all connections running over the TranSON server are terminated. It is recommended that the configuration is set up with the future in mind and that you also enter BS2000/OSD systems and associated applications that you do not yet want to include in Single Sign On.

Configuring the TranSON authorization server

In the user administration facilities of TranSON you must enter the permitted users for each of the managed services, either directly or using role definitions. For applications on BS2000/OSD, the following entries are of importance:

- Each service is defined using its IP address and port number and can be assigned a meaningful name.
- For each user, the Serial Number of their certificate within the certification authority is entered in TranSON. To identify the certification authority, a unique, freely selectable serial number is assigned in the data center for each user and each application. This number is to be entered in the input screen Authorization Administration in the field Serial Number.
- For openutm applications you can also specify an additional user ID which can be used to carry out the KDCSIGN procedure. Example of the syntax:

  Userid=UTMUID Ca-Id=555

  This specification can be made in the input screen Service Definition, in the area Single Sign On, in the field with LOGIN.
The Serial Number is used by the BS2000/OSD applications in conjunction with the CA-Id as the identification criterion for the user specified under the name "CERTIFICATE" (for more information see the section Making TranSON user data known to the BS2000/OSD applications below). Then the permitted applications are specified for each user. These entries are in addition to and take priority over the entries made in the applications themselves. Changes to the authorization database take effect during productive operation.

Introducing a TranSON server in a BS2000/OSD network

The TranSON server must be made known to BCAM as a partner computer. Its name must also be entered as a partner system of openft if these applications are to be protected by TranSON. With openutm applications, the TranSON server proxy must only be generated if it is to communicate with a UTM application without using the Single Sign On function via OSI TP or a socket connection. When BCAM activates the TranSON server proxy (/BCIN command), the server usage must be specified using the parameter TRANSON-USAGE=*ON.

Since the communication between the TranSON server proxy and BS2000/OSD systems is not encrypted, the connection between the two must be protected from unauthorized access. This is done by generating the network appropriately (TranSON server and BS2000/OSD system in an isolated LAN segment).

Making TranSON user data known to the BS2000/OSD applications

The BS2000/OSD applications are set up in such a way that, in addition to the traditional method of authentication, they are also able to accept the certificates validated by TranSON. For TIAM ($DIALOG application) this is done by entering a list of validated certificates for each user ID. The certificates are identified by a pair of numbers (certificate ID, CA ID) that are entered for the holder of the certificate at the TranSON authorization server. For each security-relevant action, the certificate ID and CA ID are logged by SAT in addition to the user ID. In a similar way to a personal user ID, this data serves to provide personal proof of identification for user IDs that are used by several persons.
The following example shows a certificate with the serial number 22222222 and the CA ID 555 (the origin of these values is described in the section Configuring the TranSON authorization server) for the user ID SYSPRIV:

  /MODIFY-LOGON-PROTECTION USER-ID=SYSPRIV, -
  / NET-DIALOG-ACCESS=*YES(ADD-CERTIFICATE=22222222( -
  / CERTIFYING-AUTHORITY=555))

This setting allows both access methods to $DIALOG in parallel: the "traditional" form, as specified for DIALOG-ACCESS, and access via the TranSON certificate. This makes it possible for a user at a PC with the TranSON client installed to work with the application in the same way as users without the TranSON client. This applies even if both users are using the same user ID. A configuration of this type is particularly helpful during the introduction phase.

Storage of the certificate ID and CA ID is carried out in a similar way for openutm and openft:

openutm:

  USER ... CERTIFICATE=..., CERTIFICATE-AUTHORITY=...

openft:

  /CREATE-FT-PROFILE ... TRANSFER-ADMISSION=*CHIPCARD(... -
  / CERTIFICATE=...(CERTIFIC-AUTHORITY=...)
  /MODIFY-FT-PROFILE ... TRANSFER-ADMISSION=*CHIPCARD(... -
  / CERTIFICATE=...(CERTIFIC-AUTHORITY=...)

The exact command and statement syntax can be found in the appropriate manuals for SECOS [1], openutm [2] and openft [3].
Configuring TranSON clients

The TranSON client proxy is installed from the CD on the client systems along with the administration program. In order to access applications on BS2000/OSD, the following data must be specified:

- The path name of the program that is to be used for access: for terminal emulation with M9750, for example, the path is the file MT9750n.exe. If you are working under Windows NT and using 16-bit programs, then you do not enter the program itself. Instead you must enter the path of the 16-bit emulator (Ntvdm.exe, usually under C:\WinNT\system32\Ntvdm.exe).
- The IP address and the port of the BS2000/OSD system on which the application is running. You can enter "0" as the port; as a result, all accesses to the specified IP address are monitored.

Configuration with openft

The configuration of openft partners is not carried out in the TranSON client proxy. Each BS2000/OSD system that openft is to communicate with via TranSON must be configured in TNS (Transport Name Service) via a partner entry with a proxy specification (see the online help of the configuration program TNSUI).

Subsequent action

Once the TranSON client software has been installed completely you can, if you choose, entirely block the traditional authentication paths for BS2000/OSD applications. Before you do this, you should check whether the authorized users of an ID only use applications that support authentication with TranSON. This is currently not the case with, for example, DCAM applications. For TIAM ($DIALOG application) the command /MODIFY-LOGON-PROTECTION is used to block the class DIALOG-ACCESS:

  /MODIFY-LOGON-PROTECTION USER-ID=SYSPRIV, DIALOG-ACCESS=*NO

When a setting like this has been made, dialog access to the user ID SYSPRIV is only possible via TranSON certificates.
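The $DIALOG access decision described in this section and in the section Making TranSON user data known to the BS2000/OSD applications, as an added Python model that is not part of this brief description or of SECOS: a user ID's logon protection entry holds the set of validated (certificate ID, CA ID) pairs, the two /MODIFY-LOGON-PROTECTION commands shown above are rendered from that entry, and each logon yields an SAT-style record carrying certificate ID and CA ID. Class and function names are assumptions; the second certificate with CA ID 556 is constructed for the walkthrough.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    """Identifies a validated TranSON certificate: (certificate ID, CA ID)."""
    serial_number: int  # Serial Number assigned at the TranSON authorization server
    ca_id: int          # CA-Id identifying the certification authority


@dataclass
class LogonProtection:
    """Subset of a user ID's logon protection attributes (hypothetical model)."""
    user_id: str
    dialog_access: bool = True        # DIALOG-ACCESS: traditional password path
    net_dialog_access: bool = True    # NET-DIALOG-ACCESS: path via TranSON certificate
    certificates: set = field(default_factory=set)


def add_certificate(prot, cert):
    """Register a certificate and render the ADD-CERTIFICATE command from the brief."""
    prot.net_dialog_access = True
    prot.certificates.add(cert)
    return (f"/MODIFY-LOGON-PROTECTION USER-ID={prot.user_id}, -\n"
            f"/ NET-DIALOG-ACCESS=*YES(ADD-CERTIFICATE={cert.serial_number}( -\n"
            f"/ CERTIFYING-AUTHORITY={cert.ca_id}))")


def block_dialog_access(prot):
    """End of the introduction phase: block the traditional DIALOG-ACCESS class."""
    prot.dialog_access = False
    return f"/MODIFY-LOGON-PROTECTION USER-ID={prot.user_id}, DIALOG-ACCESS=*NO"


def check_dialog_logon(prot, cert=None, password_ok=False):
    """Decide a $DIALOG logon and return (allowed, audit_record).

    cert is the (serial, CA) pair already validated by the TranSON server
    proxy, or None for a traditional logon. The record mirrors what SAT
    logs: the user ID plus, for certificate logons, certificate ID and CA ID,
    so that a shared user ID can still be traced to one certificate holder.
    """
    record = {"user_id": prot.user_id}
    if cert is not None:
        record.update(certificate_id=cert.serial_number, ca_id=cert.ca_id)
        # Both numbers must match an entry: same serial under another CA is rejected.
        allowed = prot.net_dialog_access and cert in prot.certificates
    else:
        allowed = prot.dialog_access and password_ok
    record["result"] = "accepted" if allowed else "rejected"
    return allowed, record


def introduction_phase_walkthrough():
    """Run the SYSPRIV scenario from the brief end to end; returns each decision."""
    syspriv = LogonProtection("SYSPRIV")
    good = Certificate(22222222, 555)
    wrong_ca = Certificate(22222222, 556)  # constructed: same serial, different CA
    add_certificate(syspriv, good)
    results = {
        "cert_during_intro": check_dialog_logon(syspriv, cert=good)[0],
        "wrong_ca_during_intro": check_dialog_logon(syspriv, cert=wrong_ca)[0],
        "password_during_intro": check_dialog_logon(syspriv, password_ok=True)[0],
    }
    block_dialog_access(syspriv)
    results["password_after_block"] = check_dialog_logon(syspriv, password_ok=True)[0]
    results["cert_after_block"] = check_dialog_logon(syspriv, cert=good)[0]
    return results


if __name__ == "__main__":
    for step, allowed in introduction_phase_walkthrough().items():
        print(f"{step}: {'allowed' if allowed else 'denied'}")
```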
Additional information

Additional information can be found on the Internet and in manuals from Fujitsu Siemens Computers.

Internet

You will find additional information about SECOS on the Internet under:
http://www.fujitsu-siemens.com/servers/secos/secos_us.htm

Information about TranSON can be found under:
http://www.transon.com/

Manuals

[1] SECOS (BS2000/OSD) Security Control System, User Guide
Target group: BS2000 system administrators; BS2000 users working with extended access protection for files
Contents: Capabilities and application of the functional units SRPM (System Resources and Privileges Management), SRPMSSO (Single Sign On), GUARDS (Generally Usable Access Control Administration System), GUARDDEF (Default Protection), GUARDCOO (Co-owner Protection) and SAT (Security Audit Trail).
Order Number: U5605-J-Z125-6-76

[2] openutm (BS2000/OSD, UNIX, Windows) Generating Applications, User Guide
Target group: This manual addresses users who wish to transfer files or implement file management using openft.
Contents: The manual describes the features of openft. The description also covers the optional components openft-ac for admission and access protection, and openft-ftam for supporting FTAM functionality. The command interface and messages are dealt with in detail.
Order Number: U41226-J-Z135-1-76

[3] openft für BS2000 Enterprise File Transfer in the Open World, User Guide
Target group: This manual addresses users who wish to transfer files or implement file management using openft.
Contents: The manual describes the features of openft. The description also covers the optional components openft-ac for admission and access protection, and openft-ftam for supporting FTAM functionality. The command interface and messages are dealt with in detail.
Order Number: U3932-J-Z135-10-76

Support when setting up Single Sign On with TranSON

Fujitsu Siemens Computers also provides support when setting up Single Sign On with TranSON and SECOS, as well as for the installation and introduction of SECOS. Should you require advice or assistance, please contact the appropriate person as detailed under http://www.fujitsu-siemens.com/servers/secos/conta_us.htm.
Contents

Introduction
Authentication: the first step towards enterprise security
  Problems faced by traditional authentication methods
  The solution: Single Sign On with SECOS and TranSON
    Lowering the administration effort of password methods: Single Sign On
    Preventing passwords from being guessed: Cryptographic authentication
    Securing confidentiality and integrity of information: Encrypted transfer
How does Single Sign On with TranSON work?
  The components of TranSON
  System overview
Introducing Single Sign On with TranSON
  Installing and configuring the TranSON server components
    Configuring the TranSON server proxy
    Configuring the TranSON authorization server
  Introducing a TranSON server in a BS2000/OSD network
  Making TranSON user data known to the BS2000/OSD applications
  Configuring TranSON clients
    Configuration with openft
    Subsequent action
Additional information
  Internet
  Manuals
  Support when setting up Single Sign On with TranSON
SECOS V4.0 (BS2000/OSD)
Single Sign On with BS2000/OSD
Brief Description

Target group: BS2000 system administrators; BS2000 users working with Single Sign On
Contents: How does Single Sign On with TranSON and SECOS work? Notes on the installation and configuration of the TranSON components

Edition: May 2001
File: seco_sso.pdf
Order Number: U41241-J-Z125-1-76

Copyright Fujitsu Siemens Computers GmbH, 2001. All rights reserved. Delivery subject to availability; right of technical modifications reserved. All hardware and software names used are trademarks of their respective manufacturers.
Information on this document

On April 1, 2009, Fujitsu became the sole owner of Fujitsu Siemens Computers. This new subsidiary of Fujitsu has been renamed Fujitsu Technology Solutions.

This document from the document archive refers to a product version which was released a considerable time ago or which is no longer marketed.

Please note that all company references and copyrights in this document have been legally transferred to Fujitsu Technology Solutions. Contact and support addresses will now be offered by Fujitsu Technology Solutions and have the format @ts.fujitsu.com. The Internet pages of Fujitsu Technology Solutions are available at http://ts.fujitsu.com/... and the user documentation at http://manuals.ts.fujitsu.com.

Copyright Fujitsu Technology Solutions, 2009