Advanced z/OS Security: Crypto, Network, RACF, and Your Enterprise

Schedule

Start End Duration Location Details

Course Details

Advanced z/OS Security: Crypto, Network, RACF, and Your Enterprise

Course code: ES66G

Duration: 3.5 Days


Prerequisite:

You should have: 

•    General z/OS knowledge, including basic UNIX System Services skills
•    Experience configuring any of the web servers on z/OS
•    Basic knowledge of TCP/IP and RACF


Course Description:

System z continues to extend the value of the mainframe by leveraging robust security solutions, to help meet the needs of today's on demand, service-oriented infrastructures. System z servers have implemented leading-edge technologies, such as high-performance cryptography, multi-level security, large-scale digital certificate authority and lifecycle management; as well as improved Secure Sockets Layer (SSL) performance, advanced Resource Access Control Facility (RACF) function, and z/OS Intrusion Detection Services. This advanced z/OS security course presents the evolution of the current z/OS security architecture. It explores in detail, the various technologies that are involved in z/OS Cryptographic Services, z/OS Resource Access Control Facility (RACF), and z/OS Integrated Security Services. 

Course Objectives:

After taking this course, you should be able to:

•    Describe the components of network security, platform security, and transaction security on z/OS
•    Describe how RACF supports UNIX users and groups
•    Describe web server security flow on z/OS
•    Explain the contents and use of a digital certificate
•    Explain the difference between asymmetric and symmetric cryptographic techniques
•    Explain SSL V3 client authentication
•    Explain the basics of WebSphere Application Server and web services security
•    Utilize the RACDCERT command
•    Discuss the OCSF service providers
•    Explain VPN (IPSec), SSL/TSL, and AT-TLS and the differences between them
•    Discuss the z/OS Communication Server policy agent, IDS, and IP filtering
•    Describe and utilize System SSL
•    Explain how TN3270 and FTP SSL support works
•    Explain how IBM secure hardware cryptographic co-processors work
•    Explain how Kerberos authentication works
•    Explain the LDAP terms of DN, objectclass, attribute, schema, back end, and directory
•    Explain how to setup, customize, and operate z/OS PKI Services

Intended Audience:

•    This class is intended for z/OS system programmers and security specialists in charge of designing and implementing z/OS security for web-enabled applications.

Course Outlines:

•    Day 1
o    Welcome
o    Unit 1: Overview of z/OS security for on-demand business Unit 2: z/OS platform security: Part 1
o    Unit 3: z/OS platform security: Part 2
o    Unit 4: Introduction to digital certificates and PKI

•    Day 2
o    Unit 5: The SSL protocol
o    Unit 6: HTTP and Apache server, SSL client authentication and WebSphere Application Server security
o    Unit 7: RACF and digital certificates
o    Unit 8: Open Cryptographic Services Facility
o    Exercise 1: Controlling access using the httpd.config file Exercise 2: SSL protocol

•    Day 3
o    Exercise 2: SSL protocol (continued)
o    Unit 9: Introduction to z/OS Communications Server security features Unit 10: System SSL overview
o    Unit 11: TN3270 secure connection
o    Unit 12: FTP server and client secure connection
o    Unit 13: Cryptography overview: System z integrated cryptography

•    Day 4
o    Exercise 3: SSL client authentication and RACF auto registration
o    Unit 14: Network authentication services and Enterprise Identity Mapping Unit 15: LDAP Directory Services in z/OS and the Tivoli Director Server for z/OS
o    Unit 16: An introduction to OpenSSH for z/OS
o    Exercise 4: Securing FTP with SSL: FTPS, TLS, AT-TLS