IBM Mainframe Forum Index
 
Log In
 
IBM Mainframe Forum Index Mainframe: Search IBM Mainframe Forum: FAQ Register
 

Is there a way to restrict user login based on host name?


IBM Mainframe Forums -> All Other Mainframe Topics
Post new topic   This topic is locked: you cannot edit posts or make replies.
View previous topic :: View next topic  
Author Message
Ravi GA

New User


Joined: 20 Mar 2020
Posts: 12
Location: India

PostPosted: Wed Dec 23, 2020 8:01 am
Reply with quote

Hello,

This is a Mainframe security related question.
I wanted to know is there a way to restrict user login based on the host name? For example let's say there is a user whose host name is usera.zzz.com and the associated Mainframe ID of this user is "USERA1". This user uses TN3270 client installed on Windows to logon to Mainframes. Now if this user tries to logon using ID "USERB1" (another user's Mainframe ID), is there a way to restrict the access with some meaningful message? Since the host name "usera.zzz.com" is attached to ONLY "USERA1", if that user enters ANY id other than "USERA1" (at the terminal) we should be able to fail the logon process. Is there a way to do this? Similarly user B should only be able to enter ID "USERB1".
Back to top
View user's profile Send private message
Rohit Umarjikar

Global Moderator


Joined: 21 Sep 2010
Posts: 3076
Location: NYC,USA

PostPosted: Wed Dec 23, 2020 10:30 am
Reply with quote

Host names or ip are same for any connection across the users , so what’s the real use case ?
Back to top
View user's profile Send private message
Ravi GA

New User


Joined: 20 Mar 2020
Posts: 12
Location: India

PostPosted: Wed Dec 23, 2020 12:24 pm
Reply with quote

Rohit Umarjikar wrote:
Host names or ip are same for any connection across the users , so what’s the real use case ?


No IP address changes when you disconnect from VPN and connect back again. IP address is not same.
Use case :- If a Mainframe user, say USERA, somehow gets password of USERB then we can't prevent USERA from logging in using USERB's credentials. My question is "Is there a way to prevent such unauthorized access by checking the host name while logging in to Mainframes"?
Back to top
View user's profile Send private message
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10886
Location: italy

PostPosted: Wed Dec 23, 2020 12:32 pm
Reply with quote

if somebody got somebody else credentials,
Your organisation has bigger problems than the lowly technicalities

remember...
security is 10% technicalities 90% good practices and education and proper actions for violations

everywhere using somebody else credential is reason for lawful dismissal

but as far as Your question, YES it can be done

have Your security people look at the manuals for the appropriate definitions to prevent a user from logging on to a specific application

www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ikjb400/part4.htm
Back to top
View user's profile Send private message
Rohit Umarjikar

Global Moderator


Joined: 21 Sep 2010
Posts: 3076
Location: NYC,USA

PostPosted: Wed Dec 23, 2020 3:59 pm
Reply with quote

Ravi GA wrote:
Rohit Umarjikar wrote:
Host names or ip are same for any connection across the users , so what’s the real use case ?


No IP address changes when you disconnect from VPN and connect back again. IP address is not same.
Use case :- If a Mainframe user, say USERA, somehow gets password of USERB then we can't prevent USERA from logging in using USERB's credentials. My question is "Is there a way to prevent such unauthorized access by checking the host name while logging in to Mainframes"?

I am saying from the connection perspective to the mainframes the ip is same or host. Why would that change ?
Second, most of the companies have single sign on with multi layer login security with OPT and all, try implementing that.
Third, it’s employees responsibility not to share passwords or write anywhere where other employees can misuse, it’s code of conduct as then it’s not just mainframes but everywhere else you need such preventive measures.
And last you could have a login script that can send email alter to the user upon login once a day or something like that , talk to security team at your site for all possible alternatives.
Back to top
View user's profile Send private message
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10886
Location: italy

PostPosted: Wed Dec 23, 2020 4:41 pm
Reply with quote

the proper way is not to restrict the HOST or the IP address
but to control the access to each application

what if for some reason the organisation has to move things around
( move an application to a different - as You call it - host ? )

with the proper RACF/ACF/TSS setup YOU have just to do ... NOTHING
the security setup has already taken care of everything

whit Your attempted/suggested setup somebody will have to modify the home built access control system in order to keep things going

why waste time on horse manure when there are / have been for years consolidate techniques to control access to the needed resources
Back to top
View user's profile Send private message
Ravi GA

New User


Joined: 20 Mar 2020
Posts: 12
Location: India

PostPosted: Wed Dec 23, 2020 5:32 pm
Reply with quote

enrico-sorichetti wrote:
if somebody got somebody else credentials,
but as far as Your question, YES it can be done

have Your security people look at the manuals for the appropriate definitions to prevent a user from logging on to a specific application

www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ikjb400/part4.htm


Thanks for the link but I have reviewed this link before posting my question. In this link the closest that I could find (that could work) was logon exits but unfortunately the PARM list doesn't have the IP address of the host from which the user is trying to login. If it had the IP address, I could have used "GETHOSTBYADDR" to determine the host name. Also with this setup nobody needs to change access control system if things move around. When I spoke with some of the people that have worked on TN3270/RACF etc, they said it's not possible to accomplish this without applying hooks in the TCP/IP driver module EZBTIINI that resides in ECSA. As per them below is the hook point to get information about host trying to connect to Mainframes,

1287451C | A78E 00FF | CHI R8,X'FF'
12874520 | A724 FFF3 | BRC X'2',*-X'1A'
12874524 | B914 0008 | LGFR R0,R8
12874528 | E50F E000 F000 | MVCDK X'0'(R14),X'0'(R15) == Hook point
1287452E | B219 0000 | SAC X'0'
12874532 | EBEC D368 0096 | LMH R14,R12,X'368'(R13)
12874538 | 98EC D2F0 | LM R14,R12,X'2F0'(R13)
1287453C | 9AEC D32C | LAM AR14,AR12,X'32C'(R13)
12874540 | 07FE | BCR X'F',R14

I setup SLIP traps at the above point (at which point it will be in cross memory mode. HOME==> TN3270, primary ==> TCP/IP, secondary ==> OMVS) and noticed that at the above hook point it builds some undocumented control block "CFGMREQ" and this control block holds various information including the IP address of the host. I could use this hook along with logon exits to accomplish what I want to do but inserting system hooks is the last option that we could pursue. So I wanted to check with experts on this forum to explore alternative options.
Back to top
View user's profile Send private message
Ravi GA

New User


Joined: 20 Mar 2020
Posts: 12
Location: India

PostPosted: Wed Dec 23, 2020 5:39 pm
Reply with quote

[quote="Rohit Umarjikar"]
Ravi GA wrote:
Rohit Umarjikar wrote:
Host names or ip are same for any connection across the users , so what’s the real use case ?

I am saying from the connection perspective to the mainframes the ip is same or host. Why would that change ?
Second, most of the companies have single sign on with multi layer login security with OPT and all, try implementing that.
Third, it’s employees responsibility not to share passwords or write anywhere where other employees can misuse, it’s code of conduct as then it’s not just mainframes but everywhere else you need such preventive measures.
And last you could have a login script that can send email alter to the user upon login once a day or something like that , talk to security team at your site for all possible alternatives.

1. I dont understand how IP could be same from connection perspective to the Mainframes.
2. Do you mean OTP via email?
3. Yes but security breaches do happen and we trying to capture security breach events.
Back to top
View user's profile Send private message
Rohit Umarjikar

Global Moderator


Joined: 21 Sep 2010
Posts: 3076
Location: NYC,USA

PostPosted: Wed Dec 23, 2020 5:55 pm
Reply with quote

The ip address of the pc on which emulators is running is different but the ip given in the emulator to connect to the mainframe LPAR don’t change. We are talking two different ips.
Please follow up with RACF Security admin at your site and other thoughts above and you might as well research any third party products that provides these services.
Back to top
View user's profile Send private message
Ravi GA

New User


Joined: 20 Mar 2020
Posts: 12
Location: India

PostPosted: Wed Dec 23, 2020 5:58 pm
Reply with quote

Rohit Umarjikar wrote:
The ip address of the pc on which emulators is running is different but the ip given in the emulator to connect to the mainframe LPAR don’t change. We are talking two different ips.
Please follow up with RACF Security admin at your site and other thoughts above.

Yes I am looking for the IP address of the PC that initiated the connection request to TN3270 server on Mainframes.
Back to top
View user's profile Send private message
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10886
Location: italy

PostPosted: Wed Dec 23, 2020 8:04 pm
Reply with quote

just take a decision so that we do not waste any time ...

if You want to check if a user is allowed to connect to an application
regardless of the location of the application and of the user

the proper way is to define the relevant RACF profiles and grant access to the USERs

if you changed your mind and want to control the connections between IP addresses than the right way is to define the proper firewall rules

time to lock the topic and let the TS open a new one once he has reached a decision on his requirements
Back to top
View user's profile Send private message
Rohit Umarjikar

Global Moderator


Joined: 21 Sep 2010
Posts: 3076
Location: NYC,USA

PostPosted: Wed Dec 23, 2020 10:00 pm
Reply with quote

Cleared up and locked.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   This topic is locked: you cannot edit posts or make replies. View Bookmarks
All times are GMT + 6 Hours
Forum Index -> All Other Mainframe Topics

 


Similar Topics
Topic Forum Replies
No new posts How to Login in to cics region and is... CICS 9
No new posts System add a USER parm when job submi... TSO/ISPF 4
No new posts Sort based on the record type DFSORT/ICETOOL 1
No new posts To Omit records based n SORT condition DFSORT/ICETOOL 6
No new posts can an ISPF appl save user changes in... TSO/ISPF 14
Search our Forums:

Back to Top