Securing mobile access to CICS
Session 2009
[email protected]
© 2014 IBM Corporation

Please Note
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Agenda
In this session...
• CICS secure integration
  - Review
  - What’s different for mobile?
• Mobile security challenges
  - Secure device
  - Secure mobile app
  - Secure transaction
• CICS mobile security topologies
  - Direct access to CICS
  - Worklight Server
  - DataPower
  - z/OS Connect
• Example scenario
• Summary and Questions

CICS secure integration - review
(Diagram: 3270, HTTP, SOAP and resource manager (RM) requests enter the CICS secured environment. The flowed user ID, or a security token for an external user, is checked by the external security manager against its resource classes. The default user ID is used when no credentials have been established; the region user ID is used for checking CICS region access to system resources; SSL/TLS protects the connection.)
CICS TS V5:
• Authentication - CICS requires a password or digital certificate or SAML token or Kerberos token
• Identification - CICS requires an 8-character userid for use with its external security manager
• Authorization - CICS uses the ESM to authorize the userid to a specified resource class
• Confidentiality/Integrity - CICS uses TLS/SSL or WS-Security

What’s different for CICS access from a mobile device?
• Authentication - Protecting access to mainframe applications might require strong authentication or two-factor authentication (2FA). In some cases the device itself may need to be authenticated.
• Identification - Still need a RACF id for running the CICS task. But how to map the mobile user’s identity to a RACF id?
• Authorization - How to grant a mobile user, or system, access to CICS resources. Is a RACF id sufficient? Risk-based access (RBA) may be required.
• Confidentiality - Need to protect sensitive data in the network and maybe on the device itself.
• Integrity - Need to ensure that information that arrives at CICS has not been altered. What about the integrity of the mobile app?
• Audit - May need to audit more information about the request, for example the mobile device id?
Risk-based access
A governed policy grants access according to context:
• Context: on-site inside the emergency room, on the hospital network, authorized doctor on shift
  - Function: all app features
  - Data: full data access and storage
  - Security: single-factor authentication
• Context: at a coffee shop, on an unsecured network, authorized doctor on call
  - Function: designated features only
  - Data: specific encrypted data
  - Security: multi-factor authentication

Mobile security challenges
Mobility is the top target for investment increases in the next two years, ahead of cloud; but security and insufficient skills are barriers to adoption.
Barriers to adoption:
• Security - Mobile security is the leading inhibitor to adopting mobile. The leading security concern is the handling of confidential data, followed by identity and access management and virus/malware.
• Skills - Very few (7%) have no skill gaps at all in mobile. Around a quarter have considerable skill gaps in mobile and 40% have moderate skill gaps.
Percentage who will develop/acquire the skill over the next two years:
• Mobile security and privacy: 69%
• Mobile integration: 68%
• Mobile application management: 67%
• Mobile device management: 62%
• Mobile application architecture, design, and development: 58%
Source: IBM Center for Applied Insights (Bluemine)

Top mobile security concerns
• Risk of theft or loss
• Malware
• Man in the middle
• Data leakage
Useful sources of information:
• IBM X-Force® Research and Development (2013 Trend & Risk Report)
• Open Web Application Security Project (OWASP) Mobile Security Project

Addressing mobile security challenges
1. Secure the mobile device: secure the endpoint device and data
2. Secure the mobile application: develop, test and deliver safe applications
3. Secure the transaction over the network and throughout the enterprise: secure access to enterprise applications and data
(Diagram: mobile apps reach CICS over WiFi, the Internet or a telecom provider, passing a security gateway into the corporate intranet and systems; web sites sit alongside the mobile apps.)

CICS mobile security topologies
(Diagram: mobile traffic reaches CICS COBOL, PL/I, C/C++ and Java services either directly over JSON/http(s), through a DataPower Gateway Appliance (JSON or XML/http(s)), or through z/OS Connect over JSON/http(s), which uses WOLA and JCICS into CICS.)
IBM Statement of Direction: IBM intends to deliver IBM WebSphere Liberty z/OS Connect (z/OS Connect) as a common program component of WebSphere Application Server for z/OS, IMS Enterprise Suite for z/OS, CICS Transaction Server for z/OS, and CICS Transaction Gateway. z/OS Connect is intended to provide a simplified, secure, and scalable gateway functionality to route web, cloud, and mobile application traffic that accesses applications provided by the aforementioned z/OS products, as well as z/OS Batch and z/OS UNIX™ System Services applications.

Direct to CICS - Feature Pack for Mobile Extensions
Capabilities:
• Authentication: HTTP Basic, SSL client authentication
• Authorization: Assign trans ID (and optionally RACF user ID) for the CICS task using URIMAP
• Confidentiality/integrity: SSL/TLS or Virtual Private Network (VPN)
Deployment scenarios:
• Mobile app (B2E) with a limited number of internal users
• Basic authentication or SSL client authentication is sufficient
• No interoperability required with enterprise-wide security solutions
Benefits:
• Direct access requires minimal investment in mobile infrastructure
(Diagram: JSON/https or JSON/http into CICS TS V5.1; the pipeline, with Axis2 web services support in a JVMServer, LINKs to the business logic program.)

Direct to CICS - WebSphere Liberty
Capabilities:
• Authentication: HTTP Basic, SSL client authentication, Forms login, LTPA single sign-on (SSO), Trust Association Interceptor
• Authorization: Assign trans ID (and optionally user ID) for the CICS task using URIMAP and/or authorization by JEE roles
• Confidentiality/integrity: SSL/TLS or Virtual Private Network (VPN)
Deployment scenarios:
• Mobile app (B2E) with a limited number of internal users
• No interoperability required with enterprise-wide security solutions
• Optimal for Java-based services, or use JCICS to call a COBOL application
Benefits:
• Direct access requires minimal investment in mobile infrastructure
• Full range of Liberty security features
(Diagram: JSON/https or JSON/http into CICS TS V5.2; the WebSphere Liberty web container in a JVMServer calls the business logic program through JCICS.)

Worklight security
Capabilities:
• Authentication: HTTP Basic, form-based, custom
• Device authentication
• Offline authentication
• Application updates and authenticity
• Authorization: policy
• Interoperate: LDAP, WebSphere
Deployment scenarios:
• Small enterprise, B2E app
• Traditional web user authentication mechanisms are sufficient
• Minimal interoperability required with enterprise-wide security solutions
Benefits:
• Take advantage of Worklight security capabilities
• Additional security benefits when the Worklight server is deployed to Linux for System z:
  - Opportunity to eliminate encryption between the Worklight server and CICS
  - Hardware crypto, HiperSockets, EAL4+ certification
(Diagram: Worklight server on Linux on System z, with DB2 and LDAP, talking JSON/HTTP(s) over HiperSockets to CICS, IMS and WAS on z/OS.)

IBM Worklight overview
• Worklight Studio - The most complete, extensible environment with maximum code reuse and per-device optimization
• Worklight Server - Unified notifications, runtime skins, version management, security, integration and delivery
• Worklight Device Runtime Components - Extensive libraries and client APIs that expose and interface with native device functionality
• Worklight Console - A web-based console for real-time analytics and control of your mobile apps and infrastructure

IBM Worklight Server on System z
(Diagram: the Worklight Server runs on Linux on z and hosts server-side app code, JSON translation, push notifications, authentication, the adapter library, analytics, the Application Center enterprise app store and the Worklight Console; it integrates over SOAP and HTTP/REST with WAS, CICS on z/OS, SAP, SQL, WMB and Cast Iron. The device runtime carries the application code, security and authentication, back-end data integration, and caching and local data.)

Worklight security features
• Ensure that only specific applications on specific devices can connect to enterprise systems
• Extensible framework for authentication of mobile application users
• Encrypt data on the device
• Enforce security updates
• Propagate identity to enterprise systems
The slide groups the individual features under protecting data on the device, enforcing security updates, application security, providing robust authentication and authorization, and streamlining corporate security processes:
• Encrypted offline cache
• Offline authentication
• Secure challenge-response on startup
• App authenticity testing
• Mobile platform as a trust factor
• Authentication integration framework
• Data protection realms
• Coupling device id with user id
• Jailbreak and malware detection
• Proven platform security
• Remote disable
• Direct update
• SSL with server identity verification
• Code obfuscation
(Diagram: the device runtime provides client-side app resources, cross-platform technology, security and authentication, back-end data integration, post-deployment control and diagnostics, direct update, mobile web apps and unified push notifications; the server provides server-side application code, JSON translation, authentication, stats aggregation and the adapter library.)

Worklight components - basic flow
Client code calls a Worklight adapter; the adapter’s procedures (Procedure A, Procedure B) run on the Worklight Server, each guarded by a security test, and call the CICS service (CICS COBOL, PL/I, C/C++ and Java services).

Worklight components - security check
The security test on an adapter procedure can run custom authentication code before the CICS service is invoked.

Worklight components - connectivity
Easy to switch between HTTP and HTTPS for the adapter’s connection to the CICS service.

DataPower security
Capabilities:
• Authentication: HTTP Basic, form-based, WS-*, SSL, Kerberos, SAML, LTPA, OAuth
• Authorization: LDAP, ISAM, SiteMinder, SAML, XACML, OAuth, System z (RACF)
• Interoperate: LDAP, SiteMinder, ISAM, TFIM, WebSphere
Deployment scenarios:
• When mobile apps are heavily focused on REST/API/web service based interactions
• High volume or internet (B2C) mobile access
• DMZ or non-DMZ
• Support for Web APIs
Benefits - additional benefits of DataPower as a mobile security gateway:
• Threat protection
• Supports a wide range of authentication and authorization models
• Good integration with System z (RACF, z/OS identity propagation)
(Diagram: JSON or XML/HTTP(s) into the DataPower Gateway Appliance, then JSON/HTTP(s) to CICS, IMS, WAS and DB2.)

DataPower mobile security features
Available as a physical or virtual appliance. It sits between mobile-facing servers (Worklight, WAS ND, other servers, web apps and other services; e.g. REST (JSON/XML) over HTTPS) and CICS, IMS and DB2 (e.g. SOAP over HTTP(S) or messaging).
• Security, control, integration and optimization of mobile workload
• Enforcement point for centralized security policies
• Authentication, authorization, SAML, OAuth 2.0, audit
• Threat protection for XML and JSON
• Message validation and filtering
• Centralized management and monitoring point
• Traffic control / rate limiting
• Integration with Worklight

DataPower JSON protection
Threat protection limits are applied to the label-value pairs of a JSON document (the slide contrasts a document with a nesting depth of 3 with a jumbo JSON payload):
• Maximum nesting depth (levels)
• Maximum document size (bytes)
• Label string length (characters)
• Value string length (characters)
• Number length (characters)
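The five limits on the DataPower JSON protection slide can be enforced in front of any JSON endpoint, not only on the appliance. The following is an added example written for this page (it is not DataPower's or IBM's code) that applies them in Python: document size and nesting depth are checked on the raw text before the parser runs, number length is checked inside the parser's numeric hook before conversion, and label and value string lengths are checked on the parsed result. The nesting depth of 3 comes from the slide; the other default limit values are assumptions, and the sample payloads are constructed.

```python
"""Threat-protection limits for JSON payloads, in the spirit of the DataPower
slide (added example, not IBM's or DataPower's code)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    max_depth: int = 3              # nesting depth shown on the slide
    max_document_bytes: int = 4096  # remaining defaults are assumptions
    max_label_chars: int = 64
    max_value_chars: int = 256
    max_number_chars: int = 16


class JsonThreatError(ValueError):
    """The payload breaks a configured limit; reject it before it reaches the service."""


def _scan_depth(text: str) -> int:
    """Maximum object/array nesting depth, measured on the raw text.

    Scanning the text (while honouring string literals and escapes) means the
    check does not rely on a parser that a deeply nested payload could exhaust.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def _check_strings(node, limits: JsonLimits) -> None:
    """Enforce label and value string lengths on the parsed document."""
    if isinstance(node, dict):
        for label, value in node.items():
            if len(label) > limits.max_label_chars:
                raise JsonThreatError(f"label longer than {limits.max_label_chars} characters")
            _check_strings(value, limits)
    elif isinstance(node, list):
        for item in node:
            _check_strings(item, limits)
    elif isinstance(node, str) and len(node) > limits.max_value_chars:
        raise JsonThreatError(f"string value longer than {limits.max_value_chars} characters")


def check_json_payload(raw: bytes, limits: JsonLimits = JsonLimits()):
    """Validate a JSON payload against the limits and return the parsed document.

    Raises JsonThreatError for an over-limit payload and ValueError (which it
    subclasses) for invalid UTF-8 or malformed JSON.
    """
    if len(raw) > limits.max_document_bytes:
        raise JsonThreatError(f"document larger than {limits.max_document_bytes} bytes")
    text = raw.decode("utf-8")  # strict decoding rejects invalid UTF-8
    if _scan_depth(text) > limits.max_depth:
        raise JsonThreatError(f"nesting deeper than {limits.max_depth} levels")

    def number_hook(literal: str):
        # json hands the raw numeric literal to parse_int/parse_float, so the
        # length is measured before any costly conversion takes place.
        if len(literal) > limits.max_number_chars:
            raise JsonThreatError(f"number longer than {limits.max_number_chars} characters")
        return int(literal) if literal.lstrip("-").isdigit() else float(literal)

    document = json.loads(text, parse_int=number_hook, parse_float=number_hook)
    _check_strings(document, limits)
    return document


def is_safe_json(raw: bytes, limits: JsonLimits = JsonLimits()) -> bool:
    """True when the payload passes every limit and parses; False otherwise."""
    try:
        check_json_payload(raw, limits)
    except ValueError:
        return False
    return True


# Constructed sample payloads: a well-formed policy inquiry and a jumbo one.
POLICY_REQUEST = b'{"policy": {"number": 1234, "holder": {"name": "A. Customer"}}}'
JUMBO_REQUEST = b'{"items": [' + b'{"n": 1},' * 600 + b'{"n": 1}]}'
```

The order of the checks is the point: size and depth are decided on the bytes before `json.loads` is allowed to allocate anything, and the numeric hook sees each literal's length before Python converts it, so the cheap checks run before the expensive work a jumbo payload is designed to trigger.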
What is SAML?
• Security Assertion Markup Language (SAML) is an XML-based framework for describing and exchanging security information
• A SAML token may be “self issued” or issued by a Security Token Service (STS), and may be signed or unsigned
• SAML provides a solution for a number of problems:
  - It provides an open standard for exchanging security information between Service Providers (SP)
  - It provides a means for end-to-end auditing
  - It provides a common source for user role or authority-based information

Example project
For more information on this project go to session ACI-2015: Improving the Integration Between Distributed Security & CICS. Date/Time: Thu, 01-May, 10:30 AM-11:30 AM.
(Diagram: User 1 uses the Staff App and Cust 1 the Customer App; each app talks HTTPS/JSON to its own DataPower gateway (Staff Gateway, Customer Gateway). The gateway authenticates against RACF, creates and signs a SAML token, and forwards the request over HTTPS/JSON or HTTPS/SOAP to CICS1; CICS1 passes the identity and authorization attributes over DPL and channel services to CICS2, where the pipeline uses the SAML token for identity and application authorization checking.)
• The gateway (DataPower) authenticates the mobile user and creates a SAML token
• The SAML token is passed to all back-end business services as proof of identity
• The SAML token also contains the mobile user’s ‘context’, which is used for application authorization checks

SAML token - part 1
(Annotations on the slide: IssueInstant is when the token was issued; Issuer is the name of the STS; SignatureValue is the signature of the token; X509Certificate is the certificate used to verify the signature.)
<saml2:Assertion ID="_285BFE4D057C7CB1151358933567848"
    IssueInstant="2013-01-23T09:32:30.808Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>Name-of-STS</saml2:Issuer>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod.../>
      <SignatureMethod.../>
      <Reference URI="#_285BFE4D057C7CB1151358933567848"/>
    </SignedInfo>
    <SignatureValue>Signature-of-Token</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>Public-Key-of-Certificate</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>

SAML token - part 2
(Annotations on the slide: NameID is the name of the subject; Conditions gives the timeframe the token is valid for; Audience is the intended receiver of the token; AuthnInstant is when authentication occurred; AuthnContextClassRef is how the user authenticated. The slide wrote the AuthnStatement elements with a saml: prefix, which the assertion never declares; they are shown here with the declared saml2 prefix.)
  <saml2:Subject>
    <saml2:NameID>MyName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-01-23T09:32:30.808Z"
                    NotOnOrAfter="2013-01-23T10:32:30.808Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>http://TheRelyingParty.com</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2013-01-23T09:32:29.500Z"
                        SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>

SAML token - part 3
(Annotation on the slide: attributes that specify things like what role the user has, maximum values, etc.)
  <saml2:AttributeStatement>
    <saml2:Attribute Name="PersonAffiliation">
      <saml2:AttributeValue>Manager</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="CreditLimit">
      <saml2:AttributeValue>500.00</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Channel">
      <saml2:AttributeValue>Mobile</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
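The three token parts above are what the relying party (in the example project, the CICS pipeline that uses the token for identity and application authorization checking) has to evaluate before trusting the identity and context the gateway put into it. The following added example (not IBM's or the project's code) shows that relying-party side in Python. It assumes the gateway's XML signature has already been verified by the receiver, so signature handling is outside the snippet; what remains is checking the issuer, the Conditions (validity window with a small clock-skew allowance, and audience), the bearer subject confirmation, then extracting the NameID, the authentication context and the attributes, and applying a constructed application authorization rule on the CreditLimit and Channel attributes. The assertion text is constructed after the token shown above, with the Signature element omitted; the issuer name, audience and rule are taken from the slides, and the 30-second skew is an assumption.

```python
"""Relying-party checks on a SAML 2.0 bearer assertion (added example, not
IBM's or the project's code). It assumes the assertion's XML signature has
already been verified; the remaining checks are Conditions, issuer, subject
confirmation, and attribute-based application authorization."""
from datetime import datetime, timedelta, timezone
from decimal import Decimal
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml2": SAML2}

# Constructed sample modelled on the deck's token; the Signature element is
# omitted because this code assumes it has already been verified.
SAMPLE_ASSERTION = f"""<saml2:Assertion ID="_285BFE4D057C7CB1151358933567848"
    IssueInstant="2013-01-23T09:32:30.808Z" Version="2.0" xmlns:saml2="{SAML2}">
  <saml2:Issuer>Name-of-STS</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>MyName</saml2:NameID>
    <saml2:SubjectConfirmation Method="{BEARER}"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-01-23T09:32:30.808Z" NotOnOrAfter="2013-01-23T10:32:30.808Z">
    <saml2:AudienceRestriction><saml2:Audience>http://TheRelyingParty.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2013-01-23T09:32:29.500Z" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
    <saml2:AuthnContext><saml2:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml2:AuthnContextClassRef></saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="PersonAffiliation"><saml2:AttributeValue>Manager</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="CreditLimit"><saml2:AttributeValue>500.00</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="Channel"><saml2:AttributeValue>Mobile</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


class AssertionRejected(ValueError):
    """The assertion must not be trusted; the message says why."""


def _parse_time(value: str) -> datetime:
    """SAML times are UTC xs:dateTime values, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise AssertionRejected(f"unparseable timestamp {value!r}")


def validate_assertion(xml_text, expected_issuer, expected_audience, now, skew=timedelta(seconds=30)):
    """Return identity facts from an already signature-verified assertion, or raise.

    `now` may be a timezone-aware datetime or an ISO 8601 UTC string.
    """
    if isinstance(now, str):
        now = _parse_time(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2}}}Assertion" or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 assertion")
    if root.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        raise AssertionRejected("issuer is not the trusted STS")

    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        raise AssertionRejected("token not yet valid")
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        raise AssertionRejected("token expired")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        raise AssertionRejected("token was issued for a different relying party")

    subject = root.find("saml2:Subject", NS)
    if subject is None:
        raise AssertionRejected("no Subject element")
    methods = {sc.get("Method") for sc in subject.findall("saml2:SubjectConfirmation", NS)}
    if BEARER not in methods:
        raise AssertionRejected("only bearer subject confirmation is accepted here")

    authn_ctx = root.findtext("saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", namespaces=NS)
    attributes = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return {"name_id": subject.findtext("saml2:NameID", namespaces=NS),
            "authn_context": authn_ctx.strip() if authn_ctx else None,
            "attributes": attributes}


def rejection_reason(xml_text, expected_issuer, expected_audience, now):
    """None when the assertion is acceptable, otherwise the reason it was rejected."""
    try:
        validate_assertion(xml_text, expected_issuer, expected_audience, now)
    except AssertionRejected as exc:
        return str(exc)
    return None


def authorize_policy_request(identity, amount) -> bool:
    """Constructed application rule: a request on the Mobile channel is allowed
    only up to the CreditLimit carried in the token; a missing or malformed
    attribute denies rather than defaulting to allow."""
    attrs = identity["attributes"]
    if attrs.get("Channel") != ["Mobile"]:
        return False
    try:
        limit = Decimal(attrs["CreditLimit"][0])
    except (KeyError, IndexError, ArithmeticError):
        return False
    return Decimal(str(amount)) <= limit
```

Two design points carry over to any relying party: the audience check is what stops a token minted for the Staff Gateway's services from being replayed against the Customer Gateway's, and the authorization rule reads only attributes the signed token carried, so the application never has to trust values supplied separately by the client.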
DataPower as a reverse proxy for Worklight server
Capabilities:
• Combined capabilities of Worklight and DataPower
Deployment scenarios:
• When hybrid mobile apps use a combination of web and RESTful interactions
• High volume or internet mobile access
Benefits:
• Benefits of DataPower as a mobile security gateway for Worklight on zLinux
• LDAP user registry shared between DataPower and Worklight
(Diagram: JSON or XML/HTTP(s) into a DataPower XG45 or XI52, then JSON/HTTP(s) to Worklight on Linux on System z (with DB2 and LDAP) and on to CICS, IMS and WAS on z/OS.)

z/OS Connect
Capabilities (z/OS Connect):
• Authentication: HTTP Basic, SSL client authentication
• Authorization: RACF, LDAP
• Confidentiality/integrity: SSL/TLS
Deployment scenarios:
• When you want a unified RESTful interface to z/OS back-end applications that run in CICS, IMS, WebSphere or batch jobs
Benefits:
• Provides unified security for different back-end systems
• Provides a way to discover, with a simple REST call, all the services that z/OS supports
(Diagram: JSON/HTTP(s) from a DataPower gateway appliance to z/OS Connect in WebSphere Liberty on z/OS, then JSON/HTTP(s) to CICS, IMS, WebSphere and batch, with RACF or LDAP for security.)

z/OS Connect interceptors
(Diagram: a JSON/HTTP(s) request from mobile/APIM, BlueMix or CloudOE (Java, JavaScript) enters z/OS Connect in WAS Liberty z/OS. Pre-invoke interceptors run, JSON is converted to/from byte[] (COBOL copybook), the service is invoked over WOLA (CICS, Batch), IMS Connect (IMS), HTTP (WAS) or another transport, and post-invoke interceptors run.)
• Framework that allows interceptors, or methods, to be executed around the invocation of the service
• z/OS Connect provides implementations of service security authorization and SMF-based auditing:
  - com.ibm.wsspi.zos.connect.Authorization()
  - com.ibm.wsspi.zos.connect.Audit()

Example scenario
So how to choose the right mobile security solution?
• Type of user
  - B2E
  - B2C
• Type of mobile app
  - Web
  - Native
  - Hybrid
  - Worklight?
• Sensitivity of data and transactions
  - Financial?
  - Personal?
  - Will sensitive data be stored on the device?
• Type of access
  - Intranet/extranet
  - Internet
• Security requirements
  - Authentication
  - Authorization
  - Confidentiality
  - Integrity
• Security standards
  - Company
  - Government or external body
• Number of users
  - Small (10s to 100s)
  - Medium (1000s)
  - Large (or unknown?)
• Existing security architecture
  - User registry
  - Security products

GENAPP Mobile SupportPac
1. Mobile user sends an insurance policy request
2. Custom DB2 security test (GENAPP Security Test in Worklight)
3. On successful authentication the CICS application is invoked by a Worklight adapter (GENAPP Mobile Inquire Adapter)
4. The CICS service handler, via the pipeline, converts the request to the Channel interface of the GENAPP application
5. The GENAPP COBOL application processes the insurance policy request and updates the GENAPP database

GENAPP - fictional security requirements
• Authentication - Users must authenticate before using the app; the authenticity of the mobile app must be assured
• Identification - Against the existing LDAP user registry
• Authorization - Mobile access to CICS transactions must be authorized
• Confidentiality - Confidentiality of data in transit must be protected
• Integrity - Integrity of data in transit must be protected
• Audit - Mobile access to CICS transactions must be audited
• Threat protection - Need to protect against unexpected surges in mobile requests

GENAPP security solution
(Diagram: the GENAPP mobile app talks https to DataPower, which talks https (SOAP or JSON) to the Worklight Server (Worklight runtime, adapter, session token, credentials, LDAP alongside), which talks JSON to CICS, with RACF alongside CICS.)
1. Data integrity and encryption for all mobile communications
2. User authentication and single sign-on (SSO)
3. Integration with existing user directory (LDAP)
4. Threat protection and traffic control
5. Application updates and application authenticity testing
6. Mobile initiated transactions run under a unique transaction id and user id associated with the Worklight server
7. Integration with existing RACF access control

Agenda
In this session...
• CICS secure integration - We reviewed how you secure access to CICS today, and what’s the same and what’s different for mobile
• Mobile security challenges - Security is considered an inhibitor to mobile adoption. Solutions are available to secure the device, the mobile app and the end-to-end transaction.
• CICS mobile security topologies - Direct access to CICS, Worklight Server, DataPower, z/OS Connect
• Example scenario - And we showed an example
• Summary and Questions

Questions?

We Value Your Feedback
Don’t forget to submit your Impact session and speaker feedback! Your feedback is very important to us; we use it to continually improve the conference. Use the Conference Mobile App or the online Agenda Builder to quickly submit your survey.
• Navigate to “Surveys” to see a view of surveys for sessions you’ve attended

Win a CICS Workshop!
Collecting CICS session stickers for your entry? Don’t forget to pick one up before you go!

Follow us...
ibmcics, @ibm_cics, CICS Hursley, CICSbuzz, ibm.com/cics/news

Visit us at...
System z Software Solutions Suite, Toscana 3609: Monday 11:00 – 18:00; Tuesday & Wednesday 8:00 – 18:00; Thursday 8:00 – 16:00. Book your appointment at ibm.biz/zsolsuite. Plus Lunch & Learns 12:00 – 13:00 daily; book a slot!
System z Peds, Infrastructure Matters zone of the EXPO: Monday 10:00 – 19:30; Tuesday 10:00 – 19:30; Wednesday 10:00 – 14:30. Pop by for a chat about CICS!
Lost? Dazed and confused about CICS or z at Impact? Visit the zConcierge - System z Software Solutions Suite - Toscana 3609

Generation z [noun]: those with under 10 years experience on the mainframe
• Meet us: No sales pitches, no marketing, just drinks with other Generation z’s. 19:30 Wednesday April 30, Public House, The Venetian
• Follow us: @ibmgenz. Get the lowdown on what’s going on
• Join us: System z Stack Exchange. Build a community of like-minded people

Thank You

Legal Disclaimer
• © IBM Corporation 2014. All Rights Reserved.
• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.