Is having an OMVS segment on a userid with RACF SPECIAL an issue?
I seem to recall that in the past adding an OMVS segment to a userid with RACF SPECIAL was considered a no-no, something to do with the possibility of the userid being hijacked, thereby allowing access to its SPECIAL attribute. Is this still a concern (was it ever?), and if so, are there ways to prevent such hijacking? TIA (Posted on both the RACF and IBM-Main lists)

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Prevent FTP from root
We have numerous external clients and on occasion have found that, depending on what product they use for FTP, their file transfer may in some fashion refer to our root directory, or the file transfer client being used may default to a root directory. In order to prevent such access we're planning to change each userid's OMVS segment to have a HOME directory of /u/userid. (Currently we just use /.) Anyone know of any gotchas with this plan? TIA (Posted on both the RACF and IBM-Main lists)
Re: two-way encryption format for password encryption in IBM Tivoli Directory Servers (ldap) - TIM TAM
Thanks Walt.
1) We're concerned with the TIM account passwords.
2) ITDS servers run AIX 6.1.

From: Walt Farrell wfarr...@us.ibm.com
To: IBM-MAIN@bama.ua.edu
Date: 01/20/2012 09:10 AM
Subject: Re: two-way encryption format for password encryption in IBM Tivoli Directory Servers (ldap) - TIM TAM
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

On Wed, 18 Jan 2012 11:14:57 -0600, Bruce Wheatley bwheat...@cds.ca wrote:

One of our middleware support staff has brought this possible exposure to our attention: By using the two-way encryption format, a super user in ITDS (e.g. cn=root) can run the ldapsearch command or any other ldap client tool to retrieve user passwords in clear text format. Questions: 1) Is this scenario accurate? 2) What changes can we make to prevent a 'root' user from gaining this access? TIA for your help.

A few aspects of your question seem unclear to me, Bruce. (1) Are you talking about the LDAP bind passwords that a user would use when connecting to the ITDS LDAP server, or about the TIM account passwords stored in TIM entries within the LDAP database? (2) Which platform is your ITDS server running on? Note that if you're talking about the LDAP bind passwords you have a choice of storing them in a one-way or two-way encryption format, based on the LDAP configuration options you choose.
two-way encryption format for password encryption in IBM Tivoli Directory Servers (ldap) - TIM TAM
One of our middleware support staff has brought this possible exposure to our attention: By using the two-way encryption format, a super user in ITDS (e.g. cn=root) can run the ldapsearch command or any other ldap client tool to retrieve user passwords in clear text format. Questions: 1) Is this scenario accurate? 2) What changes can we make to prevent a 'root' user from gaining this access? TIA for your help.

Bruce Wheatley
The Canadian Depository for Securities Limited
Toronto, ON M5H 2C9
bwheat...@cds.ca
SFTP and FSSEC error
Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers. This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888 /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D) INSUFFICIENT AUTHORITY TO CHOWN EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership (ls -l /tmp/ run from /u/paaa123):

drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with. Also posted to RACF List. TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W. Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SFTP and FSSEC error
Mark,
No, it's never been defined. Is it recommended for SFTP? Thanks.

Mark Jacobs mark.jac...@custserv.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
08/24/2011 02:47 PM
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
Subject: Re: SFTP and FSSEC error

Do you have the CHOWN.UNRESTRICTED profile in the UNIXPRIV class defined in your security product?

Mark Jacobs

On 08/24/11 14:28, Bruce Wheatley wrote:

Wondering what we've missed in setting up for external users to use SFTP transmissions. Similar messages are appearing for different customers. This is the error:

ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888 /tmp/ssh-PAAA123 CL(FSSEC ) FID(009D) INSUFFICIENT AUTHORITY TO CHOWN EFFECTIVE UID(089001) EFFECTIVE GID(009300)

Here is the ownership (ls -l /tmp/ run from /u/paaa123):

drwx-- 2 PAAA123 OMVSGRP 4096 Aug 23 13:33 ssh-PAAA123

PAAA123 created the directory to begin with. Also posted to RACF List. TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W. Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca

--
Mark Jacobs
Time Customer Service
Tampa, FL
Some people are electrifying, they light up a room when they leave.
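When messages like the ICH408I above arrive for many customers, it helps to pull the fields out of the SYSLOG text and isolate the CHOWN failures that Mark's UNIXPRIV question is about. The following is an added example, not code from the thread or from IBM; the first sample line is the message quoted in the post, the others are constructed, and the regex only covers the FSSEC "INSUFFICIENT AUTHORITY" form shown here.

```python
import re
from typing import Optional

# Constructed sample input: line 1 is the message from the post (with the
# SYSLOG multi-line id "888" left in place), the rest are made up.
SAMPLE_LINES = [
    "ICH408I USER(PAAA123) GROUP(G1234) NAME(CDS FTP ) 888 /tmp/ssh-PAAA123 "
    "CL(FSSEC ) FID(009D) INSUFFICIENT AUTHORITY TO CHOWN "
    "EFFECTIVE UID(089001) EFFECTIVE GID(009300)",
    "ICH408I USER(PBBB456) GROUP(G5678) NAME(TEST USER ) /u/pbbb456/data "
    "CL(FSSEC ) FID(01A2) INSUFFICIENT AUTHORITY TO OPEN "
    "EFFECTIVE UID(089002) EFFECTIVE GID(009300)",
    "IEF403I SOMEJOB - STARTED - TIME=12.00.00",  # unrelated, must be ignored
]

# Field layout of the FSSEC variant of ICH408I as it appears in the post; the
# optional number before the path is the SYSLOG multi-line message id.
ICH408I_FSSEC = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)"
    r"\s+NAME\((?P<name>[^)]*)\)\s+(?:\d+\s+)?(?P<path>\S+)"
    r"\s+CL\(FSSEC\s*\)\s+FID\((?P<fid>[0-9A-F]+)\)"
    r"\s+INSUFFICIENT AUTHORITY TO (?P<action>[A-Z]+)"
    r"\s+EFFECTIVE UID\((?P<uid>\d+)\)\s+EFFECTIVE GID\((?P<gid>\d+)\)"
)


def parse_fssec(line: str) -> Optional[dict]:
    """Return the fields of an ICH408I FSSEC violation, or None for other messages."""
    m = ICH408I_FSSEC.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("user", "group", "name"):
        fields[key] = fields[key].strip()      # RACF pads these to fixed width
    fields["uid"] = int(fields["uid"])         # "089001" -> 89001
    fields["gid"] = int(fields["gid"])
    return fields


def chown_violations(lines) -> list:
    """Keep only the CHOWN failures, which are the ones UNIXPRIV CHOWN.UNRESTRICTED affects."""
    return [f for f in map(parse_fssec, lines) if f and f["action"] == "CHOWN"]


if __name__ == "__main__":
    for v in chown_violations(SAMPLE_LINES):
        print(f"{v['user']} uid={v['uid']} tried to chown {v['path']}")
```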
SFTP clients and certificates
Question from our sysprog group: Is it true that most SFTP clients do not support certificates? TIA

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W. Toronto, ON M5H 2C9
(416) 365-8417
Re: SFTP clients and certificates
Thanks Walt. Here are some words of explanation for the issue that generated the original question: We thought you could store everything in RACF, but we ran into this problem: If the SSH client end is not z/OS (in this case WINSCP) and you export its public key, RACF on the server says it is not a valid certificate when you try to import it. If instead you create the certificate with the client public/private key pair in RACF and export it, when attempting to import on the client, WINSCP says it is not a valid key. So we have set up the SSH server on z/OS with its host key pair in a RACF certificate, and z/OS SSH client keys in certificates in RACF, but public keys for clients like WINSCP are in /$HOME/.ssh2/authorization. We would have liked to have everything in RACF.

Bruce Wheatley
Senior Information Security Analyst
The Canadian Depository for Securities Limited
85 Richmond St. W. Toronto, ON M5H 2C9
(416) 365-8417
bwheat...@cds.ca

Walt Farrell wfarr...@us.ibm.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
01/21/2011 11:43 AM
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To: IBM-MAIN@bama.ua.edu
Subject: Re: SFTP clients and certificates

On Fri, 21 Jan 2011 08:47:58 -0600, Bruce Wheatley bwheat...@cds.ca wrote:

Question from our sysprog group: Is it true that most SFTP clients do not support certificates?

I'm not sure they asked the question they really intended, so it would help to know why they are asking the question. Whether the client supports certificates or not has no bearing on whether you can use certificates and keyrings on z/OS to store the public/private OpenSSH keys when you have IBM Ported Tools for z/OS V1.2. The client can use a standard OpenSSH public/private key file stored on their system, while the server can use certificates and SAF keyrings for both its public/private key and for the client's public/private key.

--
Walt Farrell
IBM STSM, z/OS Security Design
TIM/TAM - using reports for Role administration
Wondering what report I can use that will capture any administration done to roles, e.g., adding, deleting etc. Note, I need the report that shows the administration of the role itself, not the one that shows when users are added or removed from roles. TIA
TSM
Any way to allow TSM administrators to restore files without their being able to read the files, no matter where they restore them to? TIA