Security Guide for IBM i V6

1 CoverSecurity Guide for IBM i CookJuan Carlos CantalupoMinHoon LeeExplains the top Security management practices from an IBM i point of viewProvides a comprehensive hands-on Guide to IBM i Security featuresIncludes IBM i Version enhancements, such as encrypted ASP and backup, and intrusion detectionInternational Technical Support OrganizationSecurity Guide for IBM i 2009SG24-7680-00 Copyright International Business Machines Corporation 2009. All rights to Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP ScheduleContract with IBM Edition (May 2009)This edition applies to IBM i (formerly i5/OS) , orginally made available March 2008. Its product number is : Before using this information and the product it supports, read the information in Notices on page xiii.

2 Copyright IBM Corp. 2009. All rights .. xiiiTrademarks .. xivPreface .. xvThe team that wrote this book .. xvBecome a published author .. xviiComments welcome.. xviiPart 1. Security concepts.. 1 chapter 1. Security management practices.. Computer Security .. Security compliance .. Security management .. Assets, vulnerabilities, threats, risks, and countermeasures .. Security controls .. Roles and responsibilities .. Information classification.. Security implementation layers .. More information .. 11 chapter 2. Security process and policies.. Security program .. Security policy .. Baselines .. Standards .. Guidelines .. Procedures .. Security process model .. Identifying and documenting the Security requirements .. Planning and writing a Security policy.

3 Implementing the Security policy .. Monitoring for implementation accuracy .. Monitoring for compliance with the Security policy .. Independent Security policy and implementation review.. Security policy contents .. Considerations for Security policy content.. Processes .. Security controls .. More information .. 22 chapter 3. IBM i Security overview .. IBM i architecture .. What the System i offers .. Security at the system layer .. Security at the network layer.. Security at the application layer .. 32 Part 2. The basics of IBM i Security .. 35iv Security Guide for IBM i 4. IBM i Security fundamentals .. Global settings .. Security system values .. Common Criteria .. Locking system values .. Network attributes.

4 Work management elements .. Communication configuration .. User profiles and group profiles .. Individual user profiles .. Group profiles .. IBM-supplied user profiles.. Resource protection .. Information access .. Authority for new objects in a library .. Object ownership .. Public authority .. Protection strategies .. Authorization search sequence.. Output distribution .. Save and restore considerations .. Securing commands .. Authorization lists .. Creating an authorization list .. Authorization list details .. Registered exit points .. Benefits of exit programs .. Registration facility .. Exit programs .. Limiting access to program functions .. Backup and recovery for Security information.

5 96 chapter 5. Security tools .. Security Wizard .. Running the Security Wizard.. Security wizard reports .. Security auditing tools .. Security Tools menu .. Customizing your Security .. Java policy tool .. 113 chapter 6. Security audit journal.. Audit journal .. Planning for Security auditing .. Creating the Security audit journal.. Creating a journal receiver .. Creating a Security audit journal .. System values that control Security auditing .. Using the Security audit journal for reports .. Security audit journal .. Audit journal flow.. Journal entry types .. Converting Security audit journal entries .. User and object auditing .. 120 Contents User auditing .. Object auditing .. Action auditing.

6 Third-party tools .. 124 chapter 7. Confidentiality and integrity .. Data confidentiality and integrity .. Object signing .. Objects that can be signed .. Advantages of digital object signing .. Signature commands .. Considerations .. Prerequisites .. Virus scanning.. Exit points .. System values.. Setting Security policy properties for virus scanning .. Data encryption .. Data encryption in DB2 Universal Database.. Encryption and decryption APIs .. 141 chapter 8. Disk and tape data encryption .. Disk data in an ASP encryption.. Creating an encrypted auxiliary storage pool .. Backing up encrypted auxiliary storage pool.. Restoring encrypted auxiliary storage pools .. Consideration in a clustering environment.

7 Backup encryption.. Hardware-based tape encryption .. Software-based encryption .. Considerations for encrypting backup data.. Decrypting your data .. More information .. 163 Part 3. Network Security .. 165 chapter 9. TCP/IP Security .. The TCP/IP model.. Controlling which TCP/IP servers start automatically .. Configuring the autostart value for a TCP/IP server .. More information .. Controlling the start of TCP/IP interfaces .. Controlling the start of Point-to-Point Profiles .. Port restrictions .. Configuring port restrictions .. More information .. Exit programs .. FTP exit program example .. Configuring exit programs .. More information .. IP packet filtering.. Activating IP packet filtering rules .. Network Address Translation.

8 Configuring NAT .. 181vi Security Guide for IBM i More information .. Intrusion detection system .. IBM i and intrusion detection and prevention capabilities .. Overview: IBM i intrusion detection system implementation .. Policy management .. Intrusion detection system setup and start .. Analyzing intrusion attempts .. More information .. Point-to-Point Protocol .. Security considerations for Point-to-Point Protocol.. Configuring Point-to-Point Protocol profiles .. More information .. RADIUS.. Enabling RADIUS support .. More information .. HTTP proxy server .. Reverse proxy server .. Configuring the HTTP server as a proxy server .. More information .. SOCKS .. Client SOCKS support on the System i platform.

9 Configuring client SOCKS support .. More information .. OpenSSH and OpenSSL .. Portable Utilities for i5/OS .. OpenSSH .. OpenSSL .. More information .. Secure socket APIs .. Security considerations for e-mail .. Controlling e-mail access .. Preventing e-mail access .. Securing e-mail .. More information .. Security considerations for FTP .. 216 chapter 10. Cryptographic support.. Encryption versus hashing .. Encryption methods .. Symmetric keys.. Asymmetric keys .. Digital signature .. Digital certificate .. Digital Certificate Manager .. Issuing certificates .. Using DCM .. Prerequisites .. Accessing DCM components .. More information .. Secure Sockets Layer .. Securing applications with SSL.

10 OpenSSL .. Supported SSL and TLS protocols .. 229 Contents Using certificates within the SSL protocol .. SSL handshake.. Enabling SSL on IBM i standard server applications .. More information .. Hardware cryptographic support .. Software requirements .. Examples of using the hardware cryptographic products .. Configuring the hardware Cryptographic Coprocessor .. More information .. Data encryption and key management .. IBM i encryption key management enhancements .. Key management .. Master key .. DB2 for i5/OS built-in SQL encryption.. Cryptographic Services APIs .. Common Cryptographic Architecture (CCA) APIs .. Summarization of IBM i cryptographic support .. More information .. 249 chapter 11. Virtual private network.