Security
This chapter describes the security features that are provided by IBM Content Manager OnDemand (Content Manager OnDemand). It also provides examples of available components and their usage to create a secure environment.
In this chapter, we cover the following topics:
6.1 Content Manager OnDemand security overview
The amount of security that is employed by an organization varies by organization and is normally proportional to the cost of data loss because of security leaks or other issues.
For any system, the first layer of security is its environment. Several attributes are included in a secure environment:
Physical security: Controlling physical access to the system and ensuring that the system is protected from both natural and man-made disasters.
Data security: Controlling access to online data by using both authentication and authorization techniques; controlling access to offline data, including all backup copies of the data, data storage sites, and encryption of the backup copies of data.
Personnel security: Hiring trusted employees, limiting employee access based on employee role, and redundancy.
Although environmental security is beyond the scope of this book, it is important to be aware of and prepare for security in these areas.
This section describes what Content Manager OnDemand can provide from a security perspective.
Content Manager OnDemand is a flexible and scalable system. This flexibility allows the deployment of multiple security features by using multiple methodologies. The descriptions within this chapter are examples of the available components and their usage to create a secure environment.
Figure 6-1 outlines many of the components that are part of Content Manager OnDemand’s security features.
Figure 6-1 Content Manager OnDemand security overview
The complete security cycle begins with code creation through data loading, storage, and access, and ends with data (and index) expiration. The following list outlines different types of security that are described in this chapter. Within each type, different security techniques can be implemented.
Code creation:
 – Controlled environment
 – Code scanning
 – Quality assurance testing
Data separation:
 – Multiple systems: Allowing users access only to the system that contains data that is relevant to them
 – Multiple object servers
 – Multiple archive subsystems
 – Application programming interface (API) access: Web server, web services, and Content Management Interoperability Services (CMIS)
Data security:
 – Administrative features: Login inactivity, disabling a user, locking out a user, and defining password rules
 – Content Manager OnDemand data model: Application groups (AGs) and folders
 – Query restrictions
 – Annotation security
 – Securing access to Content Manager OnDemand commands (stash file)
Data encryption:
 – Data at Rest
 – Data in Motion: Secure communication between the server and the clients (Secure Sockets Layer (SSL))
Security exits:
 – User security and permissions exit (ARSUSEC)
 – Unified logon exit (ARSPTGN)
 – System log exit
6.2 Code security
The Content Manager OnDemand code is developed in a secure environment that follows IBM guidelines. The Content Manager OnDemand development lab follows multiple preferred practice methodologies to ensure the highest possible code and security standards. The goal is to ensure that the code “works as designed”, does not perform any malicious actions, and is resistant to external security breach attempts. In this section, we describe examples of the practices that are followed.
6.2.1 Controlled environment
During development, all code is reviewed by two or more developers and passes through a structured process within the development organization to ensure the integrity of the code. The code is periodically scanned to ensure that no foreign code is included and to ensure that safe programming techniques are applied. The following practices are applied:
Limited access: The source code is only accessible to the Content Manager OnDemand team.
Secure systems: The code is stored on secured systems behind the IBM firewall and can only be accessed by the Content Manager OnDemand development team.
Code reviews: All code modifications are reviewed by two or more developers on the team.
Separation of duties: Separate development, build, and test teams exist.
Redundancy: Two or more developers are familiar with each aspect (function and module) of the code.
6.2.2 Code scanning
The code is scanned three times, once at the beginning of the release or fix pack, once during the middle of the development process, and the last time at the end of the development process. Each time, three types of scans are performed:
Code scan: This type of scanning searches for code that is external to the Content Manager OnDemand developed code. The goal is to ensure that no code is unknowingly inserted into the source code and to verify that all of the external code that is used is correctly licensed and will not result in any future legal action.
AppScan Source: This type of scanning searches for “bad code”. It verifies that all variables and pointers are correctly initialized, and that during program operation, the values of variables and pointers can be changed only through the “correct” code path and cannot be altered by external sources.
AppScan Web: This penetration testing program is run against the common gateway interface (CGI) code to identify any potential security flaws.
6.2.3 Quality assurance testing
The quality assurance (QA) testing is run in parallel with the code development through the development cycle. When developers create new code, they perform their own unit test to ensure that the code works as intended. These unit tests are then passed to the QA team for automation. The QA team automates these tests and adds other newly automated tests to the regression bucket.
Every time a new build occurs, which is nightly during peak development, automated regression and performance tests are run. These automated tests are run on the multiple operating systems that are supported by Content Manager OnDemand (Windows, Linux, AIX, IBM i, Linux on System z®, and z/OS). The goal is to detect any defects or performance impact so that it can be corrected the following day.
Periodically, endurance and stress tests are run to ensure that the code can run for long periods and under heavy workloads.
A specialized subset of these tests and cloud-specific tests are run against the Cloud release of Content Manager OnDemand.
6.3 Data separation
Content Manager OnDemand allows the separation (compartmentalization) of the organization’s data into multiple separate partitions. Specific groups of users can access only the partitions that contain data that relates to their operations. The separation of data can be at the system level, the object server level, and the archive server level.
6.3.1 Multiple systems
The organization’s data can be spread over two or more separate systems. As illustrated in Figure 6-2, User Group A can access only Content Manager OnDemand server A and cannot access any other Content Manager OnDemand system or any other Content Manager OnDemand data. If necessary, you can create a super user group that can access multiple systems.
System access restrictions can be implemented by one or more of the following means:
A web server.
Firewalls, switches, or other network devices.
Only the correct user group is authenticated to use the system.
Figure 6-2 Data separation at the system level
6.3.2 Multiple object servers
Data can also be separated at the object server level. In this case, the application group (AG) data tables that contain the indexes that point to separated data are also separated. Therefore, access to the AG data table is allowed only to users who need that data. As illustrated in Figure 6-3 on page 136, User Group A of AG Data Tables Part A is pointed to (allowed access to) the data on Object Server A, and User Group B of AG Data Tables Part B is pointed to the data on Object Server B.
Figure 6-3 Data separation at the object server level
6.3.3 Multiple archive servers
Data can be separated at the archive level. Typically, in this implementation, as illustrated in Figure 6-4, the application group (AG) data tables remain separate and User Group A’s data is stored on the Tivoli Storage Manager system A server, and User Group B’s data is stored on the Tivoli Storage Manager system B server. The two Tivoli Storage Manager servers are separate systems. This same type of separation is also possible by using object access method (OAM) on z/OS systems. OAM enables the separation of data by placing the data in different OAM collections on different storage devices.
Figure 6-4 Data separation at the archive level
6.4 API access
An important component of Content Manager OnDemand is the Content Manager OnDemand Web Enablement Kit (ODWEK) Java APIs. These APIs are used to build applications that access the Content Manager OnDemand server. Various applications can be built by using the APIs. Examples of applications include IBM Content Navigator (ICN) and CMIS. By using the ODWEK APIs, you can also build your own application server or web services applications.
All of these types of applications address the following situations:
Users communicating and interacting with a mid-tier, custom-built access mechanism that controls access to the Content Manager OnDemand server. For example, the mid-tier application can control whether a Content Manager OnDemand user request is accepted or rejected, and if it is accepted, which Content Manager OnDemand server the request is routed to.
The network transmissions between the ODWEK Java APIs and the Content Manager OnDemand server use a proprietary Content Manager OnDemand protocol and optionally can be encrypted by using SSL.
The network transmissions between the mid-tier custom application and the users can optionally be encrypted by using SSL.
By using an optional user proxy implementation, multiple users can share a user ID and password, therefore reducing the number of actual logons to the Content Manager OnDemand server while maintaining secure access to the system through the custom-built access mechanism.
The Java APIs can pass a security token through to the Content Manager OnDemand server. This token can then be captured by the security exit and the exit can perform the required special processing.
Figure 6-5 shows controlling access at the web server.
Figure 6-5 Data separation at the web server (mid-tier)
6.5 Data security
Access to the Content Manager OnDemand data tables is secured through various methods. These methods include a secure data model, user authentication, SQL Query support, annotation security, and securing access to the Content Manager OnDemand commands. These methods are described in further detail in this section.
6.5.1 Content Manager OnDemand object-owner model
Content Manager OnDemand internal security is based on an object-owner model, which is illustrated in Figure 6-6. Details about the object-owner model are in the IBM Content Manager OnDemand for Multiplatforms, V9.5, Administration Guide, SC19-3352. In this context, a Content Manager OnDemand instance is an implementation of the library server, one or more object servers, the data access, and the storage model. The data access and storage are implemented in the form of objects. The following objects are all Content Manager OnDemand objects:
Users
Groups
Application groups
Folders
Cabinets
Applications
Holds
Storage set
Printers
Figure 6-6 Content Manager OnDemand internal security
The Content Manager OnDemand object-owner model design handles the following situations:
A single system administrator to control one or more Content Manager OnDemand instances through a single Administrator Client interface.
Flexibility to create user administrators who manage users and groups for a specific Content Manager OnDemand instance.
Flexibility to create report administrators who manage application groups, folders, and cabinets for a specific instance.
Implementing report security that is based on limiting object access to selected groups of users.
Elimination of access to Content Manager OnDemand objects unless explicit permission is granted.
In summary, with this model, organizations can separate and isolate report (data) ingestion and access to various users and groups. Additionally, organizations that provide billing, payroll, accounting, and bill presentment services for a number of other companies (their clients) also benefit from this model, because users from one company are isolated from the data and users of another company. Furthermore, large systems can decentralize system administration so that report and user administrators can be delegated for the management of components of the overall Content Manager OnDemand system.
6.5.2 Administrative features
Use the Administrator Client to control user logon parameters. These parameters are set in the Login Information tab in the System Parameters window, as shown in Figure 6-7.
Figure 6-7 Administrator Client - setting the logon restrictions
We describe these parameter settings in the following subsections.
Check Previously Used Passwords
This setting specifies whether you want users to be able to reuse a previous password. You can make users create up to 10 unique passwords before they can reuse a previous password. Use this setting to enforce security policies. For example, you can force the user to not reuse the eight most recent passwords.
Disable Or Lock Out After Failed Logins
This setting specifies whether you want to limit the number of failed login attempts by a user. You can limit the number of login attempts, specify how many failed attempts you want to permit, and specify whether to disable or lock out the user after the user exceeds that number of attempts.
If you choose to disable a user, the user must request that the system administrator re-enable the user ID.
If you choose to lock out the user, the user must wait to attempt another login. You specify how many minutes to wait in the Number Of Minutes To Lock Out User field.
LDAP authentication
Use Lightweight Directory Access Protocol (LDAP) to store authentication values on a separate organizationally centralized server that is remote from Content Manager OnDemand. LDAP can be used in place of the user security exit to manage basic login authentication. Figure 6-8 shows how Content Manager OnDemand works with LDAP.
Figure 6-8 Content Manager OnDemand works with LDAP
You can specify whether you want to use LDAP authentication in your Content Manager OnDemand server.
When you enable LDAP authentication, the Content Manager OnDemand server makes an authentication request to the LDAP server every time it receives a login request from the client. The Content Manager OnDemand server processes the client request only after the user information is verified by the LDAP server.
If you use LDAP, consider the following scenarios:
The LDAP server runs on another system and it connects to Content Manager OnDemand through TCP/IP.
In this scenario, a time delay occurs between when the verification request is issued by Content Manager OnDemand and the result is returned to Content Manager OnDemand. The length of this time depends on the Internet Protocol network connection, the response time of the LDAP server, and the current LDAP workload.
Users with admin-level security bypass LDAP.
You can compare an admin user’s response time to a production user’s response time to determine the LDAP impact.
The LDAP server or the connection to the LDAP server fails.
When this scenario happens, users cannot log in to Content Manager OnDemand, except for users with admin-level security.
Login Processing (case sensitivity)
With this parameter, you can specify whether user IDs and passwords are case-sensitive. By default, user IDs and passwords are case-insensitive. When you add a user, Content Manager OnDemand converts lowercase letters in the user ID to uppercase letters.
A person can type letters in a user ID in uppercase, lowercase, or mixed case letters. For example, if you add the user LaGuarde, a person can enter LAGUARDE, laguarde, or LaGuarde to log on to the server.
If you select User ID to be case-sensitive, a user must type the user ID exactly as it was entered when the user was added. For example, if you add the user ID LaGuarde, the user must enter LaGuarde to log on to the server.
If you set a password as case-sensitive, a user must enter the password exactly as it was entered when the user was added.
 
Important: Do not change the case-sensitive settings for user IDs and passwords after you install the system.
Decide whether to make user IDs and passwords case-sensitive when you install the system. Change the defaults if necessary, but do not change the settings later. Otherwise, the following situations occur:
If user IDs are initially case-insensitive and you later choose User ID to be case-sensitive, user IDs that were added before you changed the parameter must be entered in uppercase. The same is true for passwords.
If user IDs are initially case-sensitive and you later clear the case-sensitive restriction, the user IDs that were added before you changed the parameter might contain mixed or lowercase letters, which are no longer valid. The same is true for passwords.
Note: If users log on to Content Manager OnDemand with the IBM CICS® client program, you must configure the system to ignore the case of user IDs and passwords.
Maximum Password Age
This setting specifies a time limit for passwords and determines when Content Manager OnDemand prompts users to change passwords. The default setting is Password Never Expires, which means that passwords do not expire and Content Manager OnDemand never prompts users to change passwords.
If you click Password Always Expires, users must change to new passwords each time that they log on to a server. To set a specific time limit for passwords, select Expires In __ Days and enter the number of days that passwords are valid in the space that is provided. The value can be 1 - 365.
Minimum Password Length
This setting specifies whether passwords are required. If passwords are required, it specifies the minimum number of characters that passwords must contain. The default value is At Least 8 Characters, which means that passwords must contain at least eight characters.
If you click Permit Blank Password, which means that passwords are not required, the valid password length is 0 - 128.
To set a specific minimum password length, click At Least __ Characters and enter a number in the space that is provided. The value can be 1 - 128.
When a user changes a password, the client checks the number of characters that the user entered. The new password must contain the minimum number of characters. Otherwise, the user receives an error message.
Password Expiration Notification
This setting specifies whether to notify users that their password expires within the specified number of days.
Changing an Expired Password
Content Manager OnDemand provides password expiration processing to help you manage security on the system. You can set a value that represents the time in days that passwords that are assigned to users remain valid. After a user’s password reaches the value that you specify, the user must change the password.
After a password reaches the expiration value, the next time the user logs on to a server, Content Manager OnDemand prompts the user to enter a new password. The user must enter the current password, a new password, and verify the new password by reentering the new password.
Session Inactivity Time Out
This setting specifies when Content Manager OnDemand terminates sessions between inactive clients and the server. The default setting is Time Out in 60 Minutes. Never Time Out means that Content Manager OnDemand does not terminate a session, regardless of how long the client remains inactive.
To set a specific inactivity timeout, click Time Out In __ Minutes and enter the number of minutes in the space provided. The value can be 1 - 1440 (24 hours). The period of inactivity is measured between requests to a server. For example, when a user enters a query, Content Manager OnDemand searches the database and builds the document list. This action completes a request to the server. If the user does not work with the items in the document list, open another folder, or start another query before the inactivity timeout occurs, Content Manager OnDemand automatically terminates the session with the client.
Use caution when you set the inactivity timeout. Choose the correct amount of time when you specify this setting. For example, assume that you set the inactivity timeout to 10. You log on to Content Manager OnDemand to add an application group. Creating the application group might take you 15 minutes to complete. After you enter all of the information about the application group, you click OK to create the application group. Content Manager OnDemand issues a message that a timeout occurred. You must log off the server, and you cannot save the information that you entered about the application group.
System Logging
This setting specifies the messages that Content Manager OnDemand saves in the system log. Content Manager OnDemand provides the system log to help you track activity and monitor the system. Content Manager OnDemand saves messages that are generated by the various programs, such as the ARSLOAD program. Content Manager OnDemand can save a message in the system log when the following events occur:
A user logs on to the system.
A user logs off the system.
A user logon fails.
Application group data is queried, retrieved, loaded, updated, deleted, or maintained.
System Log Comments
This setting specifies whether the Administrator Client displays the System Log Comments window when you perform an add, update, or delete operation.
You can enable comments and also specify whether the comments are required. If the comments are required, the user must enter one or more characters in the Comments field.
User Login Inactivity
This setting specifies whether you want to disable users who do not log in after the specified number of days. Users must contact the system administrator to enable their user IDs.
Query Restriction
This setting restricts access to folders and application groups based on index values. It is specified on the Permissions tab of the Update an Application Group window, as shown in Figure 6-9 on page 144. You can set a restriction with the internal Content Manager OnDemand security. The access restriction for an application group is controlled through internal or external permissions (for example, RACF).
Figure 6-9 Update query restriction
When a user is given access to the application group, access can be further restricted to a subset of the application group data by using a query restriction setting on the application group. The query restriction is added to an SQL “where clause” that enforces the restriction.
Figure 6-9 is an example of a query that is restricted to statements with a balance that exceeds 200. This query restriction is for all users with access to the application group (*PUBLIC) that do not have a separate query restriction.
6.5.3 SQL macro support
Macro support can be used in SQL statements, including the query restriction. With macro support, each macro is substituted with the appropriate current value when the SQL statement is built, so that the statement can refer to current object values, such as the application group name or the user ID. The available macros are listed in Table 6-1 on page 145.
Table 6-1 Available macros
Name        Description
$ODUSERID   The user ID that is used to log in to Content Manager OnDemand.
$ODALIAS    The alias that is defined to Content Manager OnDemand for the user’s session.
$ODAGNAME   The application group name.
$ODAGID     The application group internal identifier.
The substitution does not include any necessary quotes for the macro, so you must ensure that you use the correct quotation marks for the macro, if required, for example:
WHERE ag_field in (SELECT value FROM <customer_table> where userid = '$ODUSERID')
If you log on to Content Manager OnDemand as USER1, the SQL changes to the following syntax:
WHERE ag_field in (SELECT value FROM <customer_table> where userid = 'USER1')
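The following Python example, added here and not part of the original chapter or the Content Manager OnDemand product, models how a query restriction with Table 6-1 macros is expanded and appended to a folder query. It uses a constructed in-memory SQLite application group table (ag_table) and customer_table, constructed session values, and the *PUBLIC balance restriction of Figure 6-9 beside a per-user restriction in the style of the query above; it also lints for the unquoted-macro mistake the text warns about.

```python
import re
import sqlite3

# Session values that the server would supply for the Table 6-1 macros.
# Constructed sample values, not taken from a real server.
SESSION = {
    "$ODUSERID": "USER1",
    "$ODALIAS": "USER1",
    "$ODAGNAME": "STATEMENTS",
    "$ODAGID": "5001",
}

# Query restrictions by user or group. *PUBLIC applies to everyone who has
# no restriction of their own (constructed, modelled on Figure 6-9).
RESTRICTIONS = {
    "*PUBLIC": "balance > 200",
    "USER1": "acct IN (SELECT acct FROM customer_table WHERE userid = '$ODUSERID')",
}

MACRO_RE = re.compile(r"\$OD(?:USERID|ALIAS|AGNAME|AGID)")

def expand_macros(restriction, session):
    """Textual substitution of the $OD* macros. No quotes are added, which is
    the chapter's caveat: the restriction text must carry them itself."""
    return MACRO_RE.sub(lambda m: session[m.group(0)], restriction)

def unquoted_string_macros(restriction):
    """Lint: return string-valued macros that are not enclosed in single
    quotes. Such a restriction expands to a bare identifier (userid = USER1)
    and fails at query time. $ODAGID is numeric and therefore exempt."""
    bad = []
    for m in re.finditer(r"\$OD(?:USERID|ALIAS|AGNAME)", restriction):
        before = restriction[m.start() - 1:m.start()]
        after = restriction[m.end():m.end() + 1]
        if before != "'" or after != "'":
            bad.append(m.group(0))
    return bad

def restriction_for(user, restrictions=RESTRICTIONS):
    """A user's own restriction wins; otherwise the *PUBLIC one applies."""
    return restrictions.get(user, restrictions["*PUBLIC"])

def build_query(restriction, session):
    """Append the expanded restriction to the folder query's WHERE clause,
    parenthesised so it cannot change the precedence of the rest of it."""
    expanded = expand_macros(restriction, session)
    return f"SELECT acct, balance FROM ag_table WHERE ({expanded}) ORDER BY acct"

def run_restricted_query(user):
    """Run the restricted query for `user` against a constructed in-memory
    application group table and return the account numbers it may see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ag_table (acct TEXT, balance INTEGER);
        INSERT INTO ag_table VALUES ('A-100', 150), ('A-200', 350),
                                    ('B-300', 900), ('B-400', 50);
        CREATE TABLE customer_table (userid TEXT, acct TEXT);
        INSERT INTO customer_table VALUES ('USER1', 'A-100'), ('USER1', 'A-200'),
                                          ('USER2', 'B-300'), ('USER2', 'B-400');
    """)
    session = dict(SESSION, **{"$ODUSERID": user, "$ODALIAS": user})
    restriction = restriction_for(user)
    if unquoted_string_macros(restriction):
        raise ValueError(f"unquoted string macro in restriction: {restriction}")
    rows = conn.execute(build_query(restriction, session)).fetchall()
    conn.close()
    return [acct for acct, _balance in rows]

if __name__ == "__main__":
    for who in ("USER1", "USER2"):
        print(who, restriction_for(who), "->", run_restricted_query(who))
```

USER1 sees only the accounts mapped to that user ID in customer_table; USER2 has no restriction of its own and falls back to the *PUBLIC balance rule.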
6.5.4 Annotations security
Content Manager OnDemand allows the secure creation and viewing of annotations (notes). This capability is enabled through the Administrator Client window, as shown in Figure 6-10.
Figure 6-10 Add annotation authority
Controlling annotation creation
In Figure 6-10 on page 145, in the Add Authority section, specify the types of annotations (referred to as “notes” in Content Manager OnDemand Client) that can be added by a user. This selection applies to all users with authority to add annotations in the system.
You can select the following types of annotations:
Allow Public: Allows the user to add public annotations. Public annotations of a document can be viewed by anyone who opens that document.
Allow Private to User: Allows the user to add private annotations to a document. These annotations can be viewed only by the user that created the note, application group administrators, and system administrators.
Allow Private to Group: Allows the user to add annotations to a document. These annotations can be viewed only by a specific group of users.
Allow Text Annotations: Allows the user to add text annotations.
Allow Graphic Annotations: Allows the user to add graphic annotations.
Controlling annotations viewing
In the Annotation section of the Permissions tab of the Add an Application Group window, specify the default viewing scope for all annotations, as shown in Figure 6-11.
Figure 6-11 Annotation viewing
You can select the following scopes:
View: Lets the user view annotations.
Add: Lets the user add annotations to documents.
Delete: Lets the user delete annotations.
Update: For text annotations, lets the user update the location of an annotation on the page (by dragging the annotation marker to a new spot on the page). For graphical annotations, this scope lets the user update the various characteristics of an annotation.
Copy: For text annotations, lets the user copy the text of an annotation to the clipboard.
6.5.5 Securing access with ARSSTASH and the stash file
Use the stash files and the ARSSTASH command to securely store and pass a password to Content Manager OnDemand commands without the passwords appearing in the clear (unencrypted text). The ARSSTASH command is used to encrypt the password by using Advanced Encryption Standard (AES)-128 encryption and storing it in a file that is called a stash file (an encrypted password file). The path to that stash file is then specified with the -p parameter to those commands that require a password. The stash file is retrieved and decrypted, and the password that is stored in the stash file is used. Therefore, the -p parameter that is stored in JCL or other scripts or programs does not need to contain a clear text password.
 
Multiplatforms: Stash files are the method of choice for securely storing passwords on a Content Manager OnDemand for Multiplatforms server. Unified login does not work when you use a Content Manager OnDemand for Multiplatforms server. Therefore, stash files are the only mechanism that is provided to prevent passwords from being specified in “clear text” for the various Content Manager OnDemand commands that require passwords.
Special case for z/OS and IBM i
If you are using a z/OS server, consider using the z/OS unified login mechanism instead of the stash file. Unified login provides the same functionality as stash files, which means that the passwords are not stored unencrypted when at rest (for example, in JCL or scripts) but without the additional burden of managing stash files. For example, when a password is changed for a user, stash files that contain the encrypted password for that user must also be changed.
If you are using an IBM i server, you might not need to use stash files because if you are signed on to the IBM i server with a user profile that is defined to Content Manager OnDemand and that has enough authority to perform the function you are running, Content Manager OnDemand uses the IBM i user profile for that function (such as ARSDOC or ARSLOAD). The -u and -p parameters are not required, therefore relieving you of the need to show or store a password in clear text.
Accessing the stash file
Access to the stash file must be restricted by using file system permissions and other security as appropriate. The stash file that is used by an instance is specified in the ARS.INI file (or in the registry on Windows) with the SRVR_OD_STASH parameter, for example:
SRVR_OD_STASH=/opt/IBM/ondemand/V9.5/config/ars.stash
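As an added example (not part of the chapter or of the product), the following Python check reads the stash file path from an ARS.INI fragment in the key=value form shown above and verifies the file system restrictions the text calls for: a regular file, owned by the instance user, with no group or other permission bits. It assumes a POSIX file system; the ARS.INI fragment, the stash file contents and the temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile

def stash_path_from_ars_ini(ini_text):
    """Return the value of the first SRVR_OD_STASH= line in an ARS.INI
    fragment, or None. Assumes the key=value line form shown in the chapter;
    sections and other keys of a real ARS.INI are ignored here."""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.upper().startswith("SRVR_OD_STASH="):
            return line.split("=", 1)[1].strip()
    return None

def check_stash_file(path, expected_uid=None):
    """Return a list of findings for the stash file; an empty list means it
    passes: regular file, owned by the instance user, no group/other bits."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: stash file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} grants group/other access, expected 0600")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected instance uid {expected_uid}")
    return findings

def demo():
    """Constructed ARS.INI fragment and stash file in a temporary directory.
    Returns (findings before tightening, findings after chmod 600)."""
    with tempfile.TemporaryDirectory() as workdir:
        stash = os.path.join(workdir, "ars.stash")
        ini_text = f"SRVR_OD_STASH={stash}\n"          # constructed fragment
        path = stash_path_from_ars_ini(ini_text)
        with open(path, "wb") as fh:
            fh.write(b"\x00constructed placeholder, not real AES-128 output")
        os.chmod(path, 0o644)                            # group/world-readable
        before = check_stash_file(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)                            # owner only
        after = check_stash_file(path, expected_uid=os.getuid())
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "ok")
    print("after: ", after or "ok")
```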
At IBM i version 7.2 and later, the following commands support the optional password stash file (STASHFILE) parameter:
* ADDRPTOND
* MRGSPLFOND
* STRMONOND
Using the stash file
The stash file can be used by these commands:
arsadmin
arsdoc
arsload
arsmaint
arsrd
arsxml
In our example, we use arsload. The supported values for the -a parameter are available in the arsstash help output.
The preferred method is to set a user ID and password for each command in the stash file. Then, the arsload command can be run without specifying the -u userid or the -p password parameter. This method is always recommended when you run the arsload command as a daemon. To use this method, first run the arsstash command to store the user ID and password for the arsload command:
arsstash -a 3 -s ars.stash -u <userid>
Then, enter and verify the password when you are prompted. When you run arsload, omit the -u and -p parameters. The arsload command obtains the arsload user ID and password from the stash file.
A second method is to specify the -u parameter for another Content Manager OnDemand user ID that exists in the stash file. To use this method, first run the arsstash command to store the user ID and password in the stash file:
arsstash -a 1 -s ars.stash -u <userid>
Then, enter and verify the password when you are prompted. When you run arsload, specify the -u <userid> and -p <stash file> parameters. The arsload command obtains the password for the specified user ID from the stash file.
 
Notes:
You can continue to run the arsload command with the password in clear text. However, the arsload command generates a warning that specifying the password in clear text is being deprecated and to use the stash file instead.
The stash file works with Content Manager OnDemand security, LDAP, and IBM i security.
After you save the user ID and password in the stash file, remember to change the password anytime that you change the user’s password in Content Manager OnDemand; otherwise, the load fails. The ARSLOAD program can accept an expired password. However, the ARSLOAD program fails if an incorrect password is specified.
Stash file information for z/OS
To use arsstash with Content Manager OnDemand for z/OS, the Integrated Cryptographic Service Facility (ICSF) must be available on the z/OS system to provide AES-128 encryption. The encryption can be performed in either software or hardware.
In the examples, a started task name of CSF is used. If CSF is not running, when you try to create a stash file, you get the following message, which does not identify the problem:
Verify OnDemand Password:
ARS1602E The stash file >/u/myuser/prodstash.stash< is invalid.
/usr/lpp/ars/V9R5M0/bin: >
To verify that CSF is up and running so that Content Manager OnDemand V9.5 can use it, use the MODIFY command against ARSSOCKD.
On a system where ICSF is up and running, run the following command:
F ARSSOCKD,D,ICSF
ARS0438I 15.21.18 DISPLAY ICSF
CSFIQF RC=00, RSN=00000000, AES=3, FMID=HCR7780
On a system where CSF is not running, run the following command:
F ARSSOCKD,D,ICSF
ARS0438I 15.28.36 DISPLAY ICSF
CSFIQF RC=12, RSN=00000000, AES=0, FMID=N/A
6.6 Data encryption
Encrypting data is a way of providing security and protection to your Content Manager OnDemand data.
6.6.1 Encrypting data at rest
Depending on how the database tables and archived data are stored, you can encrypt the data by using either DB2 encryption or device encryption. The advantage of encrypting the data is to make it “unintelligible” to unauthorized access even if it is accessed (as an extreme example, the storage device is stolen). The cost of encrypting the data is increased processor consumption and slower response time. This cost varies based on the device and encryption methods that are used.
Backup data must always be encrypted because it is more susceptible to unauthorized access.
6.6.2 Encrypting data in motion: Secure communications
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) allow secure communication between the Content Manager OnDemand server and the Content Manager OnDemand clients. Since Content Manager OnDemand version 8.5, support for SSL and its successor, TLS, is enabled for all transmissions between the Content Manager OnDemand servers and clients. When this section mentions SSL, the same information applies to TLS, unless otherwise noted.
SSL is the standard technology for creating secure connections between servers and clients. The secure connection provides authentication and verification, and data encryption. Authentication and verification allow both the client and server to verify that they are communicating with the intended party. Data encryption prevents the packets of information that travel through the network from being viewed by anyone who can access the network.
During an SSL handshake, a client and server securely exchange digital signatures and encryption keys by using a public-key algorithm (usually Rivest-Shamir-Adleman algorithm (RSA)). The client and server establish a secure connection with this identity and key information. After the client and server establish a secure session, they transmit the data to each other, encrypting it with a symmetric algorithm, such as AES.
Trusted parties, which are called certificate authorities (CAs), issue digital certificates to verify the identity of an entity, such as a client or a server. The digital certificate serves the following purposes:
Verifies the identity of the owner
Makes the public key of the owner available
The IBM Global Security Kit (GSKit) provides libraries for data encryption and SSL communication.
The GSKit package also installs the iKeyman key management utility (gsk7ikm), which you can use to create key databases, public-private key pairs, and certificate requests. For information about the iKeyman utility and the GSKCmd command-line interface, see the IBM Developer Kit and Runtime Environment, iKeyman 8.0 User’s Guide at the following website:
 
Note: Implementation of SSL is optional. The Content Manager OnDemand server can be configured to listen on either a non-SSL port or an SSL port, or it can listen on both types of ports. To implement SSL, click New server. In the Add a Server window that opens, select Use Secure Sockets Layer. If your server does not support SSL, SSL is not used even if you select this check box.
After a Content Manager OnDemand client (for example, the Content Manager OnDemand Windows client, ARSDOC, or OnDemand Web Enablement Kit (ODWEK) Java API) is configured to log on to a Content Manager OnDemand library server with SSL, all communication to and from that client is performed by using SSL:
Between the client and the library server
Between the client and the object servers
To use SSL, it must be enabled on both the server and the client components of Content Manager OnDemand.
Important considerations exist when you use SSL. We describe them in the following subsections.
Separate port number
In addition to the standard (non-SSL) port, a separate port number is identified on the Content Manager OnDemand server to support the secure connection. This separate port number allows both SSL and non-SSL connections to operate concurrently. When a client connects to the SSL port, it negotiates a connection through a handshake procedure during which the client and server agree on the session parameters to use to maintain a secure connection. Session keys are generated that allow the encryption and decryption of the data that is sent between the client and server.
Processor consumption
SSL improves security by encrypting and decrypting data across the network. The encryption and decryption occur at the application layer, which consumes additional processing cycles on both the sending and receiving systems. Therefore, consider using SSL only for sessions where it is needed, and consider adding processor resources on the Content Manager OnDemand server or clients to handle the increased overhead.
Digital certificates
With SSL, the identities of the parties are verified by using digital certificates. Digital certificates have expiration dates. After a digital certificate expires, Content Manager OnDemand will not be able to establish connections through SSL. Therefore, always be aware and plan ahead to avoid expired certificates.
ODWEK
The support of SSL and ODWEK refers specifically to the transfer of data between ODWEK and the Content Manager OnDemand servers and it does not imply a level of support from the browser to ODWEK. The use of SSL from the browser to ODWEK was always allowed and it does not require any support from ODWEK. It is the application and the web developer’s responsibility to enable such support.
arsload
GSKIT is initialized one time for each arsload invocation. When you load multiple documents, it is more effective to concatenate the documents (such as TIFF images) and generic index files and load multiple documents at a time. Also, when you load multiple documents, use arsload as the daemon.
6.7 Security exits
The Content Manager OnDemand security exits allow customers to implement their own customized security methods based on their internal requirements and needs. You can use the security exit to customize and enhance the security functions within a Content Manager OnDemand system.
6.7.1 User security and permissions exits
Content Manager OnDemand provides a user exit so that you can implement your own user exit program to identify and authenticate users that log on to the system. If you use only Content Manager OnDemand internal security, the security exit is not needed.
You can use the security user exit to authenticate a user’s password. For example, you might want to enforce password uniqueness rules or allow logons to occur only at specific times of the day. You can also build a user proxy mechanism to allow users that are not already in the Content Manager OnDemand user database to access the system.
The permissions exit is called during login if the permissions exit is turned on for folder and application groups. It is also called during a search when the permissions exit is turned on for an SQL query string or document.
Use the user security exit and the permissions exit to augment the security-related processing of the following activities or events:
User authentication (checking user security):
 – Log on.
 – Change a password.
 – Add a user ID.
 – Delete a user ID.
Resource authorization (checking user permissions):
 – Access to a Content Manager OnDemand folder.
 – Access to a Content Manager OnDemand application group.
 – Restrict access to specific documents.
 – Control the SQL search criteria that are used for searching folders.
The user-written exit routine (or set of exit routines) can interact with another security system to determine whether the activity is allowed or disallowed.
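As an added illustration that is not the product’s ARSUSEC sample, the following C program shows the kind of policy logic a user security exit might apply: a logon time window and a password-uniqueness check against a site-kept history. The request shape, the return codes, the history store and the user names are all hypothetical; the real interface is the one defined in ARSCSXIT.H.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical outcomes: deny, permit outright, or permit but let Content
 * Manager OnDemand still run its own validation afterwards (the "okay but
 * validate in OD" idea). These are NOT the ARSCSXIT.H definitions. */
enum exit_result { EXIT_DENY = 0, EXIT_PERMIT = 1, EXIT_PERMIT_VALIDATE_IN_OD = 2 };

/* Placeholder digest so the history never holds clear-text passwords.
 * FNV-1a is NOT a password hash; a real exit would use a slow, salted one. */
static uint64_t digest(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Constructed site-kept password history: digests of earlier passwords. */
struct history { const char *userid; uint64_t old[3]; };
static struct history site_history[1];
static void init_history(void) {
    static int done = 0;
    if (done) return;
    done = 1;
    site_history[0].userid = "alice";
    site_history[0].old[0] = digest("Winter2023!");
    site_history[0].old[1] = digest("Spring2024!");
    site_history[0].old[2] = digest("Summer2024!");
}

/* Policy 1: interactive logons only inside a site-defined hour window. */
enum exit_result logon_decision(const char *userid, int hour,
                                int start_hour, int end_hour) {
    (void)userid;   /* a real exit would also consult the external security manager */
    if (hour < start_hour || hour > end_hour) return EXIT_DENY;
    return EXIT_PERMIT_VALIDATE_IN_OD;   /* OnDemand still checks the password */
}

/* Policy 2: a changed password must not match any digest in the history. */
enum exit_result password_change_decision(const char *userid, const char *new_pw) {
    init_history();
    uint64_t d = digest(new_pw);
    for (size_t u = 0; u < sizeof site_history / sizeof site_history[0]; u++) {
        if (strcmp(site_history[u].userid, userid) != 0) continue;
        for (int i = 0; i < 3; i++)
            if (site_history[u].old[i] == d) return EXIT_DENY;
    }
    return EXIT_PERMIT_VALIDATE_IN_OD;
}

int main(void) {
    printf("logon at 03:00      -> %d\n", logon_decision("alice", 3, 6, 21));
    printf("reuse old password  -> %d\n", password_change_decision("alice", "Spring2024!"));
    printf("fresh password      -> %d\n", password_change_decision("alice", "Autumn2024!"));
    return 0;
}
```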
 
Important: When you implement your own security user exit program, you bypass the logon verification processing that is built into the base Content Manager OnDemand product. We advise caution when you bypass the Content Manager OnDemand user and password restrictions. The security of the system can easily be subverted by malicious or defective code. Only use code that you trust.
When you set the user security exit, set the following parameters:
Set the Maximum Password Age parameter to the value that best matches the main logic of the user exit program (permit/deny). The Maximum Password Age parameter is set on the System Parameters dialog box, which is accessed by using the Administrator Client.
Set the Maximum Password Age parameter to Never Expires so that users are not prompted to change their passwords. If you are restricting the change password function to a limited number of users, this setting is probably the best overall setting because most users are never automatically prompted to change their password.
Content Manager OnDemand for Multiplatforms
The security user exit runs the ARSUSEC program when a user attempts to log on to the system. A sample C program is provided in the EXITS directory. To implement your own security user exit program, add your specific code to the sample that is provided (for example, you can call another program from the ARSUSEC program). For more information about functions, parameters, and return codes, see the ARSCSXIT.H file. Then, compile the ARSUSEC program and move or copy the executable program to the BIN directory. Then, restart the library server to use the security user exit program.
The arsuperm (permissions exit) can be modified in the same way and needs to be placed in the /opt/IBM/ondemand/V9.5/exits directory.
Content Manager OnDemand for i server
By default, the Content Manager OnDemand for i server activates the security exit and uses IBM i security. If the security exit is not enabled, the Content Manager OnDemand user ID and password have no relationship to the IBM i user ID and password, and all of the Content Manager OnDemand system parameter settings are honored. You can enable or disable this exit at an individual instance level.
User Security Exit (ARSUSEC on z/OS only)
On z/OS, the ARSUSEC exit invokes the ARSUSECZ security exit module. The security exit allows the communication with an external security manager, such as RACF, which then determines whether the specific activity is allowed.
When you enable the exits to implement the required level or type of security, the user ID must be defined for both TSO and Content Manager OnDemand.
Figure 6-12 is an overview of the security system exits interface.
Figure 6-12 Security exits interface
With the ARSCSXIT_SECURITY_OKAY_BUT_VALIDATE_IN_OD return code option, the exit can act on a request and then let Content Manager OnDemand perform its standard security processing as well. For example, in a change-password request Content Manager OnDemand still rejects a new password that matches the old one; the password must actually be changed.
Table 6-2 lists the z/OS modules or executable files that ship with Content Manager OnDemand.
Table 6-2 Security exit modules
Module     Description
ARSUPERM   This C module provides the interface between the Content Manager OnDemand system and the ARSUSECX module.
ARSUSEC    This C module provides the interface between the Content Manager OnDemand system and the ARSUSECX module.
ARSUSECA   The assembler mapping of the data structure that is presented to the exit routine at the exit point that is defined by ARSUSEC.
ARSUSECH   The C mapping of the data structure that is presented to the exit routine at the exit point that is defined by ARSUSEC.
ARSUSECJ   A sample JCL stream for assembling and binding ARSUSECX and ARSUSECZ.
ARSUSECX   The interface module for the MVS Dynamic Exit Facility.
ARSUSECZ   The sample security exit module.
All modules are in the SARSINST library. The sequence of this exit, using the MVS Dynamic Exit Facility, is different from the classical interface with exit modules or a security exit in an IBM CICS environment. The kernel code was updated to allow external security. The Content Manager OnDemand kernel code calls a dynamic link library (DLL) as an interface to the exit. Modules ARSUSEC and ARSUPERM are provided as C source code modules and as executable files. You do not need to change and recompile them.
The source is delivered mainly to help you understand the entire security system exit. If you want to change the modules, they must be recompiled and bound as a C dynamic link library (DLL). These modules communicate with the ARSUSECX module, which is an interface to the MVS Dynamic Exit Facility. The security exit module ARSUSECZ is the delivered sample that shows how to perform security checks through a System Authorization Facility (SAF) interface. RACF is a program that uses SAF. ARSUSECH is a C source code module that describes the data structure that is passed as input to every exit (ARSUSECZ) that is provided. ARSUSECA provides the same function in assembler language.
 
Note: More than one security exit can be defined to the MVS Dynamic Exit Facility. For example, you can define a different security exit for each instance.
Tip: The only module that you must change is the provided source code ARSUSECZ to meet your requirements. It must be assembled and linked into a library that is accessible for the MVS Dynamic Exit Facility.
6.7.2 Security systems other than SAF (z/OS only)
The sample that is provided with the Content Manager OnDemand installation is an SAF sample. However, other installations use their own security system, or use their security system as an enhancement together with the SAF environment. These systems can be accessed if they provide a suitable assembler-callable interface. The security exit sample code contains an example for every function; these functions can be changed or updated in the sample code.
For example, if your folder permissions are stored in an external security system without any SAF interface, this part must be updated to call this external security system.
Content Manager OnDemand SAF resource classes
You must define SAF resource classes ARS1FLDR and ARS1APGP for the folders and application group. For more information about the resource classes, see the section, “OnDemand SAF resource classes”, in the IBM Content Manager OnDemand for z/OS - Configuration Guide, SC19-3363.
 
Important: Even if the security exit can check the user ID and password against SAF or other security systems, every user must be defined in Content Manager OnDemand in every instance. You can use the ARSXML program to create users in batch mode: run it as a command from the UNIX System Services command line with a file as input.
Activating the security and permission exits (ARS.INI)
Activation of the security exit is controlled by settings in the ARS.INI file. The settings and their corresponding events are listed in Table 6-3.
Table 6-3 ARS settings and the corresponding enabled events
ARS.INI statement                   Enabled event
SRVR_FLAGS_SECURITY_EXIT=1          Logon; changing the password; adding or deleting a user ID through the Content Manager OnDemand administrator interface. (This setting is the default for Content Manager OnDemand for i. If you do not want to use IBM i security for the new instance, change the setting to 0.)
SRVR_FLAGS_FOLDER_APPLGRP_EXIT=1    Activates the folder or application group permission exit.
SRVR_FLAGS_SQL_QUERY_EXIT=1         Activates the SQL query exit.
SRVR_FLAGS_DOCUMENT_EXIT=1          Activates the document permission exit.
Implementing the security exit in a z/OS environment
The module ARSUSECX interfaces with the MVS Dynamic Exit Facility:
It defines the logical exit point name, ARS.SECURITY.
It routes the control to a set of associated exit routines and processes the results of their execution.
 
Note: The sample processes the feedback of the exit one at a time, even if you are running more than one exit.
To be eligible for execution, an exit routine must be associated with the logical exit point (ARS.SECURITY). The MVS Dynamic Exit Facility provides several methods to perform this association. You can use the PROGxx member in SYS1.PARMLIB to define exits to the Dynamic Exit Facility at IPL time (the EXIT statement of PROGxx).
The following example shows the EXIT statement for PROGxx:
EXIT ADD EXITNAME(ARS.SECURITY) MODNAME(ARSUSECZ)
In addition, you can use the following operator command to add the exit:
SETPROG EXIT,ADD,EXITNAME=ARS.SECURITY,MODNAME=ARSUSECZ
 
Important: The load module must be in the link pack area (LPA) or in an LNKLST data set.
6.7.3 Unified logon exit (ARSPTGN): z/OS only
With the Content Manager OnDemand unified logon exit (ARS.PTGN), you can run the Content Manager OnDemand command-line utilities (such as ARSLOAD) without specifying a user ID and password.
The facility lets you log on without a stored password by supplying a PassTicket as the password on a RACROUTE REQUEST=VERIFY call. Figure 6-13 shows the unified logon exit. CMOD in the figure stands for Content Manager OnDemand.
Figure 6-13 Unified logon exit
To enable PassTicket in a security manager, such as RACF, you must complete the following steps:
1. Activate the PTKTDATA class.
2. Define a secured sign-on application key for each application.
3. Run SETROPTS RACLIST(PTKTDATA).
6.7.4 System log user exit
Content Manager OnDemand generates messages about the various actions that occur on the system. For example, when a user logs on the system, Content Manager OnDemand generates a message that contains the date and time, the type of action, the user ID, and other information. Unless you specify otherwise, certain messages are automatically saved in the system logging facility. You can configure the system to save other messages in the system logging facility.
The system log user exit allows access to all of these messages. The exit can then use these messages for further processing. For example, an email can be generated when a load fails, or when a user’s system access pattern is abnormal and requires attention. For more information about the system log, see 11.4.1, “System log exit for Multiplatforms” on page 250 and 11.4.2, “System log exit for z/OS” on page 253.
6.8 Summary
Content Manager OnDemand provides a secure environment. Security features within Content Manager OnDemand allow access control to the data and the APIs that access the data. The data itself is controlled at rest and in motion (SSL). Additional exits that are external to Content Manager OnDemand can be created that allow the creation of customized extensions to the Content Manager OnDemand internal security.
 