Virtel addresses mainframe security through a variety of service interfaces provided by z/OS. This article summarises those interfaces and discusses some of the features that Virtel can provide in the context of security within the mainframe.
Within Virtel, a business service or asset is defined as a Virtel transaction, for example:
- A 3270 application like CICS or TSO
- A web service accessed through Virtel
- Bespoke modernisation or integration scenarios and templates
- Administration functionality through Virtel directories
- Virtel macros
Such business assets have to be secured in order to protect the business domain from malicious or accidental access. As a centralised server running on the mainframe, Virtel capitalises on its environment by interfacing with various mainframe security subsystems, whether internal like RACF or external such as an LDAP server. The advantage is that all security and user credentials held within the mainframe security databases are accessible to Virtel. If a Virtel transaction is defined as a secure transaction then, depending on the level of that security, Virtel will validate the user credentials, using standard security subsystem APIs, before allowing the user access to the target transaction, asset or service. Transaction security levels define how the user credentials will be validated. These security levels range from public (a transaction with no security) through to full certificate authentication.
Mainframe security: RACROUTE interface
For user ID validation, Virtel interfaces to the mainframe security subsystem through the common RACROUTE SAF API, which supports z/OS RACF, ACF2 and Top Secret security systems (for VSE environments, Virtel interfaces with the VSE Security Manager). The basic transaction security level will prompt the user for their credentials. Validation will then take place using the security subsystem; the validated credentials may be passed through to the target application, thereby avoiding a duplicate sign-on.
Virtel also uses this interface to protect its own internal resources and transactions, enabling an administrator to control which transactions a user is authorised to use. Transactions can be secured using a security profile defined within the security subsystem. Virtel macros can also benefit from that protection, enabling administrators to control macro access at a global, group or user level.
Mainframe security: Single Sign-On and PassTicket support
PassTickets, together with supporting proxy servers such as CA SiteMinder© and IBM Tivoli WebSEAL©, provide an organisation with a centralised, enterprise-class secure single sign-on (SSO) and authentication system. These products tend to run on external servers and grant access to a business's assets such as web-enabled applications or portals.
The basic process is to intercept the incoming HTTP request and establish user credentials before allowing access to an asset: for example, user credentials can be extracted from the caller's request, or determined from the caller's IP address. The credentials are then validated against an LDAP or similar directory server, either allowing or denying the caller access to the requested asset.
Security and asset control is managed by the SSO server which, as a central server, can validate credentials for all business assets, whether they reside on the mainframe or on other platforms. User ID and password administration for all assets can be controlled through the functions of the SSO software employed.
Virtel integrates within this SSO infrastructure and processes sign-on requests once they have passed validation. Moreover, Virtel provides its own validation of the SSO server through the use of internal rules.
Mainframe security: express logon with secure data
Virtel is capable of participating in a secure data connection using either server-only or mutual (server and client) authentication. This not only provides secure data traffic using HTTPS but can also be used to provide secure sessions where no logon is required from the user. In this case the user's ID is extracted from the client's certificate, and a PassTicket is generated to stand in for the associated password.
Setting Virtel up to work with client and user certificates effectively removes the need for a user to provide a user ID and password. This is equivalent to the Express Logon Feature (ELF) provided by IBM's Host On-Demand service.
Mainframe security: controlling resource allocation
Virtel can provide controls that determine which mainframe assets or resources can be associated with a particular user, such as allocating a logical unit name depending on an incoming caller's IP address. These controls are implemented through Virtel rules and provide an additional security interface. Based upon a variety of credential data (user ID, calling IP address, domain name, etc.), Virtel administrators can determine which transactions, resource names and so on should be accessible within the mainframe.
As Virtel has access to both the incoming source metadata and the requested target asset metadata, it can control access using its internal scenario language as well as by interfacing with external security subsystems, for optimised mainframe security.