Securing APIs throughout the enterprise
z API Roadshow

Eric Phan, z Systems IT Specialist
[email protected]

© 2017 IBM Corporation

Agenda

• 09:30 Registration & Coffee
• 10:00 Welcome & Trends in the API Economy: the Business Opportunity
• 10:30 Creating APIs from mainframe applications with z/OS Connect
• 11:30 Break
• 12:15 Creating and managing APIs with API Connect
• 13:15 Lunch
• 14:00 Securing APIs from End-to-End
• 15:00 Architecture Options for API Enabling z Systems
• 15:45 IBM Engagement Offerings & Closing Comments
• 16:00 Close

Considerations for securing REST APIs

• Know who is invoking the API (Authentication)
• Control access to APIs (Authorization): end user, application, server
• Know who invoked the APIs (Audit)
• Ensure that the data has not been altered in transit (Data Integrity); where the sender must also be unable to deny having sent the request, the message itself has to be signed (Non-Repudiation), which transport-level integrity alone does not give you
• Ensure confidentiality of data in transit (Data Confidentiality)
• Protect against malicious replay of a previous request (Non-Replay)
• Limit the number of requests (Traffic Control and Rate Limiting)

Session Agenda

• Introduction
• z/OS Connect Security
• API Connect Security
• DataPower Security
• End-to-End security scenario
• Summary

Strategic REST API solutions (Create, Run, Manage, Secure)

z/OS Connect EE V2.0
  Description: Extends the support available with z/OS Connect V1. Includes tooling for API creation and deployment.
  Recommendation: Use to enable a unified REST interface for CICS, IMS and DB2. Avoids multiple data transformations (use REST/JSON as the message format from the client to the mainframe). Use to enable discovery of APIs.

IBM API Connect
  Description: Comprehensive API lifecycle to Create, Run, Manage and Enforce APIs and microservices. DataPower and Node.js deployment options.
  Recommendation: Use to create APIs and microservices that consume z Systems APIs. Manage and secure z Systems APIs created by z/OS Connect.

IBM DataPower Gateway
  Description: SOA and mobile security gateway.
  Recommendation: Use for securing access to the mainframe, and as the runtime for the API Gateway.

Consider security in depth

Figure: request path from the channels (Web, Mobile, other channels) over JSON/REST to DataPower, on to API Connect, then over JSON/HTTP to z/OS Connect on z/OS, and finally to CICS. Along the path the channel is protected (confidentiality, integrity), the user is authenticated once at the edge, the calling application is authorized at the gateway layer, traffic is limited, and every hop (DataPower, API Connect, z/OS Connect, CICS) authorizes the user for what it serves and audits the request. No single layer is trusted to do all of it.

z/OS Connect Security

z/OS Connect EE Security overview

Figure: REST client, encrypted hop to a trusted server, encrypted hop to Liberty z/OS running z/OS Connect EE V2.0, then WOLA into the CICS region and program. Three layers of security are shown: API layer security (authentication, role access, group access), WOLA service layer security (identity propagation), and SAF security in support of the server runtime.

• SAF in support of the runtime
• Encryption (aka "SSL" or "TLS")
• Authentication (basic, client certificates, 3rd-party authentication)
• Role-based authorization
• Optional group-based authorization
• Identity propagation into the backend

z/OS Connect security is configured in server.xml

Basic settings for z/OS Connect EE V2.0, numbered by the question each element answers: (1) Who are you? Authentication, (2) Are you allowed? Authorization, (3) Secure link? Encryption.

  <!-- 3. Encryption: key store used for TLS -->
  <keyStore id="defaultKeyStore" password="Liberty"/>

  <!-- 1. Authentication: HTTP basic auth against a registry held in server.xml -->
  <webAppSecurity allowFailOverToBasicAuth="true" />
  <basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="fredpwd" />
  </basicRegistry>

  <!-- 2. Authorization: Fred is granted the zosConnectAccess role -->
  <authorization-roles id="zos.connect.access.roles">
    <security-role name="zosConnectAccess">
      <user name="Fred"/>
    </security-role>
  </authorization-roles>

Authentication and TLS can be turned off by setting requireAuth="false" and requireSecure="false" on the zosconnect_zosConnectManager element; leave both at their default of true anywhere but a sandbox. Note that this basic configuration keeps passwords in clear in server.xml (the keystore password and Fred's password above): at a minimum encode them with the Liberty securityUtility encode command, and for production replace the basic registry with SAF as described under "Hardening" security in SAF.

"Hardening" security in SAF

Starting from the "basic" security settings above, three changes move the control points into SAF:

SAF keyrings for TLS (KeyStore)
  Liberty z/OS can be instructed to go to SAF for its key and trust store. Add the appSecurity-2.0 feature and the other XML updates that indicate SAF is the registry, remove the <keyStore> element and define the SAF keyring instead.

Authentication / Authorization
  Remove the <basicRegistry> and <authorization-roles> elements from server.xml, add the zosSecurity-1.0 feature and replace them with <safRegistry> and <safAuthorization>, along with the other XML needed to define the SAF registry and the EJBROLE definitions (the role check then happens in SAF rather than in a list of names in server.xml).

Client certificates and SAF (Client Certs)
  Change the basic auth setting to "false" (or remove it). Change two elements in the SAF SSL definition to enable client certificate authentication against SAF certificates. The client certificate then relates to a SAF user ID, and that becomes the security principal.

SAF in support of the server runtime

Figure: Liberty z/OS (z/OS Connect EE V2.0) with the Liberty Angel; SAF profiles in the STARTED, SERVER and CBIND classes; WOLA to the CICS region program. Reference: IBM Techdoc WP102604.

SAF SERVER profiles
  These allow or deny an ID access to authorized services. They are needed to use WOLA and to access SAF (among other things). The z/OS Connect instance needs access to the Liberty Angel process and to specific server processes (e.g. SAF, WLM, WOLA).

SAF STARTED profiles
  These assign an ID to the started task for Liberty. The profile is based on the JCL procname, with a JOBNAME qualifier possible as well.

SAF CBIND profiles
  These allow or deny the ability to WOLA-register into the Liberty server. The profile is based on the "three part name" in the Liberty server.xml.

For more details, consult the "Getting Started" guide.

Liberty security

Liberty security provides protection for web resources (z/OS Connect is a servlet):

1. An HTTP(S) client requests a web resource in the Web Container
2. The Web Container delegates the security check to the Web Security Collaborator
3. The Web Security Collaborator prompts the user to enter credentials and uses the Authentication service to authenticate the user
4. The Authentication service authenticates, creates and returns the subject
5. The Web Security Collaborator uses the Authorization service to perform a user authorization check
6. The Authorization service returns the authorization result to the Web Security Collaborator
7. The Web Security Collaborator returns the result of the security check, i.e. whether the user is authorized
8. The Web Container serves or rejects the requested resource

Encryption ("SSL", or more accurately, "TLS")

This protects the conversation between the client and the server. It is more a function of Liberty itself than of z/OS Connect EE V2.0.

Handshake between a REST client and Liberty z/OS:
• Client: I wish to establish a connection to you
• Server: Here is my server cert, signed by a CA
• Client: I trust you based on the CA, please agree to TLS
• Server: Acknowledgement and TLS establishment

Where the server's keys and trusted certificates live:
• Java-based key/trust files: easy to set up, but less control by security administrators
• SAF keyrings: under the control of security administrators

It is important to understand where the TLS sessions start and end. With a trusted server in front of Liberty z/OS there are two separate sessions, one from the REST clients to the trusted server and one from the trusted server to Liberty z/OS (SAF):
• The client TLS sessions may come and go frequently. If that is the responsibility of a mid-tier trusted server, then the overhead of setup/teardown is there, not on the z/OS system.
• The session between the trusted server and Liberty z/OS can be much longer-lived and thus has less setup/teardown overhead.
• You can manage SAF-based certificates more easily for that session because the potential clients are limited and known.

HTTPS: protocol versions

SSL
• V1.0 (1994, never publicly released)
• V2.0 (1995)
• V3.0 (1996): broken by the POODLE attack in 2014
TLS
• V1.0 (1999)
• V1.1 (2006)
• V1.2 (2008)
• V1.3 (draft at the time of this talk; since published as RFC 8446 in 2018)

In practice the TLS profile on every hop should disable SSL 2.0 and 3.0 and allow TLS 1.2 or later only.

Encryption

1. Symmetric: one shared key. Example: AES-256 turns "The secret" into ciphertext such as #@4R;t9l<P, and the same key turns it back.
2. Asymmetric: a key pair. Example: RSA, with a public key (Key 1) and a private key (Key 2); what one key encrypts only the other decrypts (the figure shows "The secret" becoming E4"!KLs(l$). Used for the TLS handshake, signatures, etc.

Authentication

Several different ways this can be accomplished:

Basic Authentication (REST client sends ID/PW to Liberty z/OS, which answers "Okay!")
• Server prompts for ID/PW
• Client supplies ID/PW
• Server checks the registry: basic (server.xml), LDAP or SAF

Client Certificate (the TLS client cert is the credential; the client could be a trusted server)
• Server prompts for a certificate
• Client supplies its certificate
• Server validates the certificate and maps it to an identity
• Registry options: LDAP or SAF

Third-Party Authentication (REST client authenticates to a 3rd party with ID/PW or a cert and gets "Auth Okay"; a token (LTPA or other) then flows from the trusted server to Liberty z/OS, where identity mapping yields e.g. 'FRED')
• Client authenticates to a 3rd-party server
• Client receives a trusted 3rd-party token
• Token flows to Liberty z/OS and is mapped to an identity
• Registry options: LDAP or SAF

Overview of z/OS Connect interceptors

The interceptor framework provides a way to call code to do pre-invoke work and then again to do post-invoke work: on the request path interceptors A and B run before the backend program, and on the response path they run again after it.

In server.xml you can:
• Define 'global interceptors', which apply to all configured APIs and services
• Define interceptors specific to a given configured API or service

z/OS Connect comes with an authorization interceptor (which user can access which API or service) and an audit interceptor (for SMF recording).

It is also possible to write your own interceptor and have it called as part of request/response processing.

Authorization interceptor

The "authorization interceptor" is a supplied piece of interceptor code that checks whether the user has the authority to perform the requested action ("Fred", allowed to enter? Yes, or No: go away). Access is controlled by a defined "role":

• Administrator: full authority
• Operator: start, stop, deploy, ...
• Invoke: invoke service only
• Reader: discover and read

Audit (SMF) interceptor

The audit interceptor writes SMF 123.1 records. Below is an example of some of the information captured:

Server Identification Section
• System Name
• Sysplex Name
• Job Name
• Job Prefix
• Address Space Stoken

User Data Section
• Arrival Time
• Completion Time
• Target URI
• Input JSON Length
• Response JSON Length
• Method Name
• API or Service Name
• Userid
• Mapped user name

Audit placeOrder requests: formatted dump of one record. (This particular record, captured in February 2015 before z/OS Connect EE V2.0, is an SMF type 120 subtype 11 Liberty request record whose user data section carries the z/OS Connect fields; the EE V2.0 audit interceptor writes the same kind of information to SMF type 123 subtype 1.)

Record#:144; Type:120; Size:2212; Date:Mon Feb 16 15:56:09 GMT+01:00 2015; SystemID:ZT01; SubsystemID:WAS; Flag:94; Subtype:11 (Liberty Request Activity);
#SubtypeVersion:1; Index of this record:0; Total number of records:1; record continuation token *0000000000000000*; #Triplets:2; Triplet#:1; offsetDec:72; offsetHex:48; lengthDec:80; lengthHex:50; count (cut off in the dump); Triplet#:2; offsetDec:152; offsetHex:98; lengthDec:2060; lengthHex:80c;
Triplet#:1; Type:LibertyServerInfoSection; ServerInfoVersion:1; SystemName(CVTSNAME):ZT01; Sysplex Name:ZT00PLEX; JobID:STC06791; JobName:MOPZCO1; Stoken *00000514000003b6*
Triplet#:2; Type:UserDataSection; Version:1; DataType:102; DataLength:251; dataversion:1; arrivalTime *ce84612141b6586a*; completionTime *ce84612144cc7969*; targetURI:/placeOrder; inputLength:207; servicename:placeOrder; methodname:PUT; responseLength:244; userid:JeanLeclerc; mapped userid:EMPLOY1;

The two fields that answer "who invoked placeOrder?" are userid (the distributed identity that authenticated, JeanLeclerc) and mapped userid (the RACF user ID it was mapped to, EMPLOY1). Both are recorded, so the audit trail survives the identity mapping even when several distributed users share one RACF ID.
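The following parser is an added example for this page, not IBM code: it reads formatted user data sections like the dump above and answers the "who invoked placeOrder?" question, reporting the distributed and mapped user IDs and the elapsed time of each call. It assumes the arrivalTime and completionTime fields are 64-bit STCK clock values (bit 51 is one microsecond, time base 1900-01-01 UTC), which is how the 16-hex-digit fields in the dump read; the first sample record reproduces the slide's values, the second is constructed for contrast.

```python
import re
from datetime import datetime, timedelta

# Sample input, constructed for this example. The first entry reproduces the
# user data section of the record dumped on the slide; the second is made up
# (different service, user and timing) so that filtering has something to skip.
SMF_DUMPS = [
    "Triplet#:2;Type:UserDataSection;Version:1;DataType:102;DataLength:251;"
    "dataversion:1;arrivalTime*ce84612141b6586a-------- -------- *"
    "completionTime*ce84612144cc7969-------- -------- *targetURI:/placeOrder;"
    "inputLength:207;servicename:placeOrder;methodname:PUT;responseLength:244;"
    "userid :JeanLeclerc;mapped userid :EMPLOY1;",
    "Triplet#:2;Type:UserDataSection;Version:1;DataType:102;DataLength:251;"
    "dataversion:1;arrivalTime*ce84612150000000-------- -------- *"
    "completionTime*ce84612150400000-------- -------- *targetURI:/inquireCatalog;"
    "inputLength:0;servicename:inquireCatalog;methodname:GET;responseLength:1830;"
    "userid :AliceNevers;mapped userid :EMPLOY2;",
]

# "key:value;" pairs. A key starts at the beginning of the dump, after a ';'
# or after the '*' that closes a hex field, and may contain spaces
# ("mapped userid :EMPLOY1;").
KV_RE = re.compile(r"(?:^|(?<=[;*]))\s*([A-Za-z][A-Za-z ]*?)\s*:([^;]*);")
# 64-bit clock values are dumped as "name*16 hex digits".
STCK_RE = re.compile(r"([A-Za-z]+)\*([0-9a-f]{16})")

STCK_EPOCH = datetime(1900, 1, 1)  # STCK time base (UTC), an assumption of this example


def stck_to_datetime(value: int) -> datetime:
    """STCK value -> naive UTC datetime. Bit 51 of the 64-bit TOD clock is one
    microsecond, so shifting right by 12 bits gives microseconds since 1900."""
    return STCK_EPOCH + timedelta(microseconds=value >> 12)


def parse_user_data(dump: str) -> dict:
    """Flatten one formatted user data section into a dict."""
    rec = {k.strip(): v.strip() for k, v in KV_RE.findall(dump)}
    stck = {name: int(hexval, 16) for name, hexval in STCK_RE.findall(dump)}
    rec["arrival"] = stck_to_datetime(stck["arrivalTime"])
    rec["completion"] = stck_to_datetime(stck["completionTime"])
    # Elapsed time straight from the clock difference, in milliseconds.
    rec["elapsed_ms"] = (stck["completionTime"] - stck["arrivalTime"]) / 4096 / 1000
    return rec


def audit_requests(dumps, service: str):
    """(distributed userid, mapped RACF userid, method, elapsed ms) for every
    call of one service, i.e. the answer to 'who invoked placeOrder?'."""
    rows = []
    for rec in map(parse_user_data, dumps):
        if rec["servicename"] == service:
            rows.append((rec["userid"], rec["mapped userid"],
                         rec["methodname"], round(rec["elapsed_ms"], 2)))
    return rows


if __name__ == "__main__":
    for row in audit_requests(SMF_DUMPS, "placeOrder"):
        print(row)
```

Running it lists ("JeanLeclerc", "EMPLOY1", "PUT", 12.64) for the slide's record: the call took about 12.6 ms, and the arrival clock value decodes to 14:56:09 UTC on 16 February 2015, which matches the 15:56:09 GMT+01:00 stamp in the record header. Keeping both user IDs in the report is the point: an investigator who only sees EMPLOY1 could not tell which employee placed the order.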

Identity propagation to the backend

Figure: Liberty z/OS (z/OS Connect EE V2.0) to the CICS region program over WOLA, and to the IMS region program over TCP via IMS Connect, with the identity flowing on both paths.

The CICS link server task supports the assertion of identity from Liberty z/OS over WOLA. This is what tells z/OS Connect EE V2.0 to assert the identity over a WOLA connection to CICS:

  <zosLocalAdapters useCicsTaskUserId="true" wolaGroup="GROUP" wolaName2="NAME1" wolaName3="NAME2" />

The IMS adapter for z/OS Connect EE V2.0 supports the assertion of identity over TCP to IMS Connect and into the IMS region.

API Connect Security

API Connect Security overview

Figure: the invoking API reaches the API Gateway over an encrypted hop (TLS profile), possibly through a trusted server; the gateway applies API security and throttling, runs the assembly flow (user custom policies), and calls the API endpoint over a second encrypted hop (TLS profile). The API endpoint (REST API, e.g. a LoopBack application) adds its own security policy: authentication/authorization and pre-processing.

• Encryption (aka "SSL" or "TLS"): a TLS Profile sets the TLS configuration (keystore, truststore, protocol)
• The API Gateway enforces API security with an API key, Basic Auth or OAuth
• API security can be applied to an entire API or to specific API operations
• Throttling is applied according to subscription plans

API Connect - TLS

TLS/SSL is configured using TLS profiles, which define:
• Identity certificates
• Trusted certificates
• Authorized protocols

API Connect - API Security

APIs are protected using Security definitions. Three types of Security definition are supported:
• API key
• Basic Auth
• OAuth

API Connect - API Security granularity

API-level Security definitions: once defined, the Security definitions can be enabled for the whole API or per operation. Multiple options can be configured, to allow multiple ways to authenticate/authorize.

Operation-level Security definitions: for instance, a specific Security policy can be applied to the GET operation for /items.

API Connect - API key

An API key (client ID) and API secret are generated for each new registered Application on the Developer Portal. They identify the calling application, not the end user, so an API key alone says nothing about who is behind the request; combine it with Basic Auth or OAuth where the user matters, and only ever send it over TLS.

API Connect - Basic Auth

The Basic Authorization header is verified against an Authentication server or an LDAP registry.

With an Authentication Server, the gateway makes an HTTP call to it carrying the Basic Auth credentials and maps the response code:
• 200: Authenticated and Authorized
• 403: Not Authorized
• 401: Not Authenticated

Alternatively, authentication/authorization is performed against an LDAP registry.

API Connect - OAuth

API Connect supports different OAuth flows. An OAuth Provider API is configured, which provides the URL of the OAuth provider API's token or authorization path, and the security definition lists the required scopes that an access token must carry.

API Connect - Plans

API Connect manages Products; each Product can have multiple APIs and multiple Subscription Plans. A Subscription Plan defines:
• whether a subscription must be approved
• the rate limit for API calls

DataPower Security

DataPower security features

Figure: channels (e.g. REST (JSON/XML) over HTTPS; MobileFirst Server, WAS ND) in front of the DataPower Gateway appliance, which fronts the backends (e.g. REST or SOAP over HTTP(S) or messaging: CICS, IMS, DB2; other servers, web apps, other services).

• Security, control, integration and optimization of mobile workload
• Enforcement point for centralized security policies
• Authentication, authorization, LTPA, SAML, OAuth 2.0, audit
• Threat protection for XML and JSON
• Message validation and filtering
• Centralized management and monitoring point
• Traffic control / rate limiting
• Integration with MobileFirst Server
• Available as a physical or virtual appliance

DataPower AAA

An AAA policy takes the request through the following stages (input to output), using an external access control server or the onboard identity management store:

Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509, SAML assertion, IP address, LTPA token, custom
Extract Resource: URL, SOAP operation, HTTP operation, custom
Authenticate: LDAP, System z NSS (RACF, SAF), Tivoli Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
Map Identity and Map Resource
Authorize: OAuth 2.0, LDAP, Active Directory, System z NSS, Tivoli Access Manager, SAML, XACML, custom
Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SAML, generate LTPA, map Tivoli Federated Identity

DataPower JSON protection

Threat protection against "jumbo" JSON payloads: the gateway rejects a document before it is parsed by the backend if it exceeds any of the configured limits on
• the number of label-value pairs
• label string length (characters)
• value string length (characters)
• number length (characters)
• maximum nesting depth (levels)
• maximum document size (bytes)

Figure: a sample document annotated with a label string, a value string, a number, a nesting depth of 3 and the overall document size.
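The scanner below is an added example (not DataPower code, and the limit names are this example's own rather than DataPower's configuration keys) showing what such a check has to do: walk the raw document once, without building an object tree, and stop at the first limit that is exceeded. The sample order document is constructed for the example.

```python
import re
from dataclasses import dataclass
from json.decoder import scanstring


@dataclass(frozen=True)
class JsonLimits:
    """Limits in the spirit of the gateway settings listed above
    (field names are this example's own, not DataPower's)."""
    max_pairs: int = 1000          # label-value pairs in the document
    max_label_len: int = 256       # label string length (characters)
    max_value_len: int = 8192      # value string length (characters)
    max_number_len: int = 128      # number length (characters)
    max_depth: int = 64            # nesting depth (levels)
    max_doc_size: int = 4_194_304  # document size (bytes)


class JsonThreatError(ValueError):
    """Raised with the name of the limit that was exceeded."""


NUMBER_RE = re.compile(r"-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][-+]?\d+)?")
CLOSERS = {"}": "{", "]": "["}

# Constructed sample: a placeOrder body, depth 4, eight label-value pairs.
SAMPLE_ORDER = (b'{"order":{"id":1234,"items":[{"sku":"S0001","qty":2},'
                b'{"sku":"S0002","qty":1}]},"customer":"JeanLeclerc"}')


def scan_json(doc: bytes, limits: JsonLimits = JsonLimits()) -> dict:
    """Single pass over the raw document enforcing the limits before any parser
    builds an object tree. Returns {'depth': n, 'pairs': n} if it passes."""
    if len(doc) > limits.max_doc_size:
        raise JsonThreatError("max_doc_size")
    text = doc.decode("utf-8")
    stack = []            # open containers, innermost last
    expect_label = False  # True when the next string is an object member name
    depth = pairs = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c in " \t\r\n":
            i += 1
        elif c in "{[":
            stack.append(c)
            depth = max(depth, len(stack))
            if len(stack) > limits.max_depth:
                raise JsonThreatError("max_depth")
            expect_label = c == "{"
            i += 1
        elif c in "}]":
            if not stack or stack[-1] != CLOSERS[c]:
                raise ValueError("malformed JSON at offset %d" % i)
            stack.pop()
            expect_label = False
            i += 1
        elif c == ",":
            expect_label = bool(stack) and stack[-1] == "{"
            i += 1
        elif c == ":":
            expect_label = False
            i += 1
        elif c == '"':
            s, i = scanstring(text, i + 1)  # decodes escapes; i -> after closing quote
            if expect_label:
                pairs += 1
                if pairs > limits.max_pairs:
                    raise JsonThreatError("max_pairs")
                if len(s) > limits.max_label_len:
                    raise JsonThreatError("max_label_len")
                expect_label = False
            elif len(s) > limits.max_value_len:
                raise JsonThreatError("max_value_len")
        elif c == "-" or c.isdigit():
            m = NUMBER_RE.match(text, i)
            if not m:
                raise ValueError("malformed number at offset %d" % i)
            if m.end() - i > limits.max_number_len:
                raise JsonThreatError("max_number_len")
            i = m.end()
        else:
            for literal in ("true", "false", "null"):
                if text.startswith(literal, i):
                    i += len(literal)
                    break
            else:
                raise ValueError("unexpected character at offset %d" % i)
    if stack:
        raise ValueError("unterminated container")
    return {"depth": depth, "pairs": pairs}


def first_violation(doc: bytes, limits: JsonLimits = JsonLimits()):
    """Name of the first exceeded limit, or None if the document passes."""
    try:
        scan_json(doc, limits)
    except JsonThreatError as e:
        return str(e)
    return None
```

The size check runs on the bytes before anything is decoded, and the depth check fires on the opening bracket, so a document of a million nested arrays is refused after reading 65 bytes rather than after exhausting the parser's stack. A document that passes is then handed to a normal parser; the scanner deliberately does not validate full JSON grammar.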

DataPower traffic control and rate limiting

(The slide is a screenshot of the rate limiting configuration; the limits themselves come from the subscription plan of the calling application, as described under API Connect - Plans.)
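To make the plan-based throttling from the API Connect - Plans slide and this one concrete, here is an added example of a per-client token bucket sized by the client's subscription plan. It is illustrative code written for this page, not API Connect's or DataPower's implementation; the plan and subscription names and the HTTP status codes it returns are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    """A subscription plan: rate limit plus whether subscribing needs approval."""
    name: str
    calls: int                     # calls allowed per window
    window_s: int                  # window length in seconds
    requires_approval: bool = False


@dataclass
class Subscription:
    client_id: str                 # the application's API key / client ID
    plan: Plan
    approved: bool                 # False while an approval-required plan is pending


@dataclass
class Decision:
    allowed: bool
    status: int                    # HTTP status the gateway would answer (example's choice)
    remaining: int                 # whole calls left in the bucket
    retry_after_s: float = 0.0     # seconds until the next call would be allowed


class PlanRateLimiter:
    """Token bucket per client ID, capacity and refill rate taken from the plan.
    The caller passes `now` so the behaviour is deterministic and testable."""

    def __init__(self, subscriptions):
        self._subs = {s.client_id: s for s in subscriptions}
        self._buckets = {}         # client_id -> (tokens, last_seen)

    def check(self, client_id: str, now: float) -> Decision:
        sub = self._subs.get(client_id)
        if sub is None:            # unknown client ID: no subscription at all
            return Decision(False, 401, 0)
        if not sub.approved:       # subscription exists but was never approved
            return Decision(False, 403, 0)
        plan = sub.plan
        tokens, last = self._buckets.get(client_id, (float(plan.calls), now))
        rate = plan.calls / plan.window_s          # average refill, calls per second
        tokens = min(float(plan.calls), tokens + (now - last) * rate)
        if tokens < 1.0:
            self._buckets[client_id] = (tokens, now)
            return Decision(False, 429, 0, retry_after_s=round((1.0 - tokens) / rate, 3))
        tokens -= 1.0
        self._buckets[client_id] = (tokens, now)
        return Decision(True, 200, int(tokens))


# Constructed sample subscriptions for the office-supplies demo application.
GOLD = Plan("gold", calls=1000, window_s=3600)
TRIAL = Plan("trial", calls=5, window_s=3600, requires_approval=True)
DEMO_LIMITER = PlanRateLimiter([
    Subscription("app-office", GOLD, approved=True),
    Subscription("app-trial", TRIAL, approved=True),
    Subscription("app-pending", TRIAL, approved=False),
])
```

The bucket allows a short burst up to the plan's full allowance and then settles to the plan's average rate, and the Retry-After value tells a well-behaved client when to come back; an unapproved subscription is refused before any bucket is consulted, which is the "necessity to approve a subscription" control of the plan.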

End to End security scenario

Office supplies Bluemix application

Email and address validation features are added using Bluemix services. These features do not currently exist in the CICS application.

Demo architecture: security requirements

Figure: JeanLeclerc uses the Node.js Bluemix application, which calls through the Gateway to z/OS Connect EE V2.0 and on to the CICS Catalog Manager. The numbered security requirements along that path:

1. User logs in
2. Authenticate the user
3. Check that the Bluemix application is authorized to use the API
4. Map the distributed ID to a RACF user ID
5. Check that the user is authorized to use the API
6. Audit the request
7. Check that the user is authorized to run the transaction

Example demo scenario

Figure: Bluemix (user ID/pwd over HTTPS/JSON) to DataPower (LDAP) to API Connect, then HTTPS/JSON with the identity in a token to z/OS Connect on z/OS (RACF), then COMMAREA plus mapped identity to CICS.

1. User logs into the Bluemix application using a "distributed" user ID ("JeanLeclerc") and password
2. DataPower authenticates the user in LDAP and forwards the distributed ID in an LTPA token to API Connect
3. API Connect checks the Bluemix application client ID and forwards the request to z/OS Connect
4. z/OS Connect validates the LTPA token and maps the distributed ID to the RACF user ID EMPLOY1, using a RACF distributed identity filter:

     RACMAP ID(EMPLOY1) MAP USERDIDFILTER(NAME('UID=JeanLeclerc,OU=employees,O=mop,C=fr')) REGISTRY(NAME('*'))

5. z/OS Connect uses the RACF user ID for authorization checking, i.e. is the user authorized to call the API
6. z/OS Connect audits the request, i.e. who invoked the API (the audit record includes both the distributed and the RACF IDs)
7. z/OS Connect passes the RACF user ID to CICS for transaction authorization

User identities and mappings

LDAP tree under O=mop,C=fr, and the RACF ID each branch is mapped to:

• OU=employees: UID=JeanLeclerc (EMPLOY1), UID=AliceNevers (EMPLOY2)
• OU=customers: UID=MarieDupond, UID=PierreDuclos (CUSTOM)
• OU=partner1: UID=ArthurLeroy, UID=JulieLaforest (PARTNE1)
• OU=partner2: UID=RoryWilliams, UID=RoseMoubinou (PARTNE2)

Example DN: UID=JeanLeclerc,OU=employees,O=mop,C=fr

As the figure shows, employees are mapped to individual RACF users while customers and the users of each partner share one RACF ID per organizational unit; for those shared IDs, the distributed identity carried in the audit record is what still tells the individual users apart.
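The following is an added example, not IBM code, emulating the step-4 mapping of the scenario with the filters from this tree: a per-user filter for each employee (the RACMAP command shown for EMPLOY1) and a per-OU filter for customers and partners. It implements the most-specific-match search as I understand RACF's distributed identity filter lookup (the whole DN first, then the DN with its leftmost RDN removed, and so on), without reproducing RACF's exact name normalization rules; the filter entries and registry names are reconstructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DidFilter:
    """One RACMAP ... MAP USERDIDFILTER(NAME(...)) REGISTRY(NAME(...)) entry."""
    racf_id: str
    did_filter: str      # full DN or DN suffix, e.g. OU=customers,O=mop,C=fr
    registry: str = "*"  # registry name, or '*' for any registry


def _normalize(dn: str) -> str:
    """Compare case-insensitively and ignore whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Filters reconstructed from the slide's tree (example data, not a real RACF DB):
# employees one per user, every other organizational unit shares one RACF ID.
FILTERS = [
    DidFilter("EMPLOY1", "UID=JeanLeclerc,OU=employees,O=mop,C=fr"),
    DidFilter("EMPLOY2", "UID=AliceNevers,OU=employees,O=mop,C=fr"),
    DidFilter("CUSTOM",  "OU=customers,O=mop,C=fr"),
    DidFilter("PARTNE1", "OU=partner1,O=mop,C=fr"),
    DidFilter("PARTNE2", "OU=partner2,O=mop,C=fr"),
]


def map_distributed_identity(dn: str, registry: str, filters=FILTERS) -> Optional[str]:
    """RACF user ID for a distributed identity, or None when no filter matches.

    Most-specific match: the whole DN is looked up first, then the leftmost RDN
    is dropped and the lookup repeats, so UID=x,OU=customers,O=mop,C=fr falls
    through to the OU=customers filter. A filter bound to a registry name only
    matches identities from that registry; '*' matches any registry.
    """
    index = {(_normalize(f.did_filter), f.registry.lower()): f.racf_id for f in filters}
    rdns = _normalize(dn).split(",")
    for start in range(len(rdns)):
        candidate = ",".join(rdns[start:])
        for reg in (registry.lower(), "*"):       # exact registry beats the wildcard
            if (candidate, reg) in index:
                return index[(candidate, reg)]
    return None
```

The None result is the important edge: a new employee whose DN has no filter must be rejected by the caller rather than mapped to some default ID, and adding a broad OU=employees filter to avoid that would silently give every future employee DN the same RACF identity and the same API and transaction permissions.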

Service authorization

Figure: the services inquireCatalog, inquireSingle and placeOrder are authorized through RACF groups (GMINVOKE and SMINVOKE) to which the RACF user IDs are connected: EMPLOY1 (JeanLeclerc), EMPLOY2 (AliceNevers) and EMPLOY3 (PierreTabard). Authorization is therefore granted per RACF group, not per distributed user.

Audit placeOrder requests

The SMF record for the placeOrder request is the one dumped under Audit (SMF) interceptor above: targetURI /placeOrder, method PUT, userid JeanLeclerc, mapped userid EMPLOY1, on system ZT01 in job MOPZCO1.

Flowing a RACF ID to CICS

Figure: z/OS Connect Liberty server over WOLA into the CICS region, which runs under RACF ID CICSMOBP: the BBO$LINK server task, the BBOATRUE task-related user exit, the MZ** invocation task and finally DFH0XCMN with a COMMAREA or container. The distributed identity (JeanLeclerc) is mapped in Liberty, and the flowed RACF ID (EMPLOY1) is what the invocation task runs under.

Two server.xml settings are involved (only the relevant attribute of each is shown):

  <safCredentials mapDistributedIdentities="true" ... />

maps the distributed identity carried in the token to a RACF user ID through the RACMAP filters, and

  <zosLocalAdapters useCicsTaskUserId="true" ... />

makes the link server run the invocation task under that flowed RACF ID instead of the CICS region's own ID (CICSMOBP).

Setting the CICS transaction ID

Figure: the same WOLA path (BBO$LINK server task, BBOATRUE task-related user exit, MZ** invocation task, DFH0XCMN with COMMAREA or container), with the transaction name set in the Liberty server.xml:

  <localAdaptersConnectService id="inquireCatalog" registerName="CICSMOB1" serviceName="DFH0XCMN" linkTaskTranID="MZIC" connectionFactoryRef="wolaCF"/>

• Enables CICS transaction authorization (the flowed RACF ID must be permitted to the transaction)
• Also makes it easier to capture CPU for mobile transactions, e.g. capture CPU for transactions starting with MZ*:
  • inquireCatalog: transid=MZIC
  • inquireSingle: transid=MZIS
  • placeOrder: transid=MZPO

Flow RACF ID to CICS

(Demo slide: screenshot of the flowed RACF ID arriving in CICS.)

Summary

Summary

Figure (simple case): REST clients to Liberty z/OS (z/OS Connect EE V2.0) to CICS, with a registry (basic or SAF). Here z/OS Connect may be the main security control point.

Figure (realistic case): REST clients, firewall, proxy, trusted server (LDAP or other registry; token or cert), firewall, Liberty z/OS (z/OS Connect EE V2.0, SAF), CICS. Something more complex like this is more realistic. But the principles of authentication, authorization, audit, encryption ... still apply.

Thank you!

Any questions?