|
View previous topic :: View next topic
|
| Author |
Message |
Ravi GA
New User
Joined: 20 Mar 2020
Posts: 12
Location: India
|
|
|
|
Hello,
This is a Mainframe security related question.
I wanted to know is there a way to restrict user login based on the host name? For example let's say there is a user whose host name is usera.zzz.com and the associated Mainframe ID of this user is "USERA1". This user uses TN3270 client installed on Windows to logon to Mainframes. Now if this user tries to logon using ID "USERB1" (another user's Mainframe ID), is there a way to restrict the access with some meaningful message? Since the host name "usera.zzz.com" is attached to ONLY "USERA1", if that user enters ANY id other than "USERA1" (at the terminal) we should be able to fail the logon process. Is there a way to do this? Similarly user B should only be able to enter ID "USERB1". |
|
| Back to top |
|
 |
Rohit Umarjikar
Global Moderator
Joined: 21 Sep 2010
Posts: 3053
Location: NYC,USA
|
|
|
|
| Host names or ip are same for any connection across the users , so what’s the real use case ? |
|
| Back to top |
|
|
Ravi GA
New User
Joined: 20 Mar 2020
Posts: 12
Location: India
|
|
|
|
| Rohit Umarjikar wrote: |
| Host names or ip are same for any connection across the users , so what’s the real use case ? |
No IP address changes when you disconnect from VPN and connect back again. IP address is not same.
Use case :- If a Mainframe user, say USERA, somehow gets password of USERB then we can't prevent USERA from logging in using USERB's credentials. My question is "Is there a way to prevent such unauthorized access by checking the host name while logging in to Mainframes"? |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
if somebody got somebody else credentials,
Your organisation has bigger problems than the lowly technicalities
remember...
security is 10% technicalities 90% good practices and education and proper actions for violations
everywhere using somebody else credential is reason for lawful dismissal
but as far as Your question, YES it can be done
have Your security people look at the manuals for the appropriate definitions to prevent a user from logging on to a specific application
www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ikjb400/part4.htm |
|
| Back to top |
|
|
Rohit Umarjikar
Global Moderator
Joined: 21 Sep 2010
Posts: 3053
Location: NYC,USA
|
|
|
|
| Ravi GA wrote: |
| Rohit Umarjikar wrote: |
| Host names or ip are same for any connection across the users , so what’s the real use case ? |
No IP address changes when you disconnect from VPN and connect back again. IP address is not same.
Use case :- If a Mainframe user, say USERA, somehow gets password of USERB then we can't prevent USERA from logging in using USERB's credentials. My question is "Is there a way to prevent such unauthorized access by checking the host name while logging in to Mainframes"? |
I am saying from the connection perspective to the mainframes the ip is same or host. Why would that change ?
Second, most of the companies have single sign on with multi layer login security with OPT and all, try implementing that.
Third, it’s employees responsibility not to share passwords or write anywhere where other employees can misuse, it’s code of conduct as then it’s not just mainframes but everywhere else you need such preventive measures.
And last you could have a login script that can send email alter to the user upon login once a day or something like that , talk to security team at your site for all possible alternatives. |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
the proper way is not to restrict the HOST or the IP address
but to control the access to each application
what if for some reason the organisation has to move things around
( move an application to a different - as You call it - host ? )
with the proper RACF/ACF/TSS setup YOU have just to do ... NOTHING
the security setup has already taken care of everything
whit Your attempted/suggested setup somebody will have to modify the home built access control system in order to keep things going
why waste time on horse manure when there are / have been for years consolidate techniques to control access to the needed resources |
|
| Back to top |
|
|
Ravi GA
New User
Joined: 20 Mar 2020
Posts: 12
Location: India
|
|
|
|
Thanks for the link but I have reviewed this link before posting my question. In this link the closest that I could find (that could work) was logon exits but unfortunately the PARM list doesn't have the IP address of the host from which the user is trying to login. If it had the IP address, I could have used "GETHOSTBYADDR" to determine the host name. Also with this setup nobody needs to change access control system if things move around. When I spoke with some of the people that have worked on TN3270/RACF etc, they said it's not possible to accomplish this without applying hooks in the TCP/IP driver module EZBTIINI that resides in ECSA. As per them below is the hook point to get information about host trying to connect to Mainframes,
1287451C | A78E 00FF | CHI R8,X'FF'
12874520 | A724 FFF3 | BRC X'2',*-X'1A'
12874524 | B914 0008 | LGFR R0,R8
12874528 | E50F E000 F000 | MVCDK X'0'(R14),X'0'(R15) == Hook point
1287452E | B219 0000 | SAC X'0'
12874532 | EBEC D368 0096 | LMH R14,R12,X'368'(R13)
12874538 | 98EC D2F0 | LM R14,R12,X'2F0'(R13)
1287453C | 9AEC D32C | LAM AR14,AR12,X'32C'(R13)
12874540 | 07FE | BCR X'F',R14
I setup SLIP traps at the above point (at which point it will be in cross memory mode. HOME==> TN3270, primary ==> TCP/IP, secondary ==> OMVS) and noticed that at the above hook point it builds some undocumented control block "CFGMREQ" and this control block holds various information including the IP address of the host. I could use this hook along with logon exits to accomplish what I want to do but inserting system hooks is the last option that we could pursue. So I wanted to check with experts on this forum to explore alternative options. |
|
| Back to top |
|
|
Ravi GA
New User
Joined: 20 Mar 2020
Posts: 12
Location: India
|
|
|
|
[quote="Rohit Umarjikar"]
| Ravi GA wrote: |
| Rohit Umarjikar wrote: |
| Host names or ip are same for any connection across the users , so what’s the real use case ? |
I am saying from the connection perspective to the mainframes the ip is same or host. Why would that change ?
Second, most of the companies have single sign on with multi layer login security with OPT and all, try implementing that.
Third, it’s employees responsibility not to share passwords or write anywhere where other employees can misuse, it’s code of conduct as then it’s not just mainframes but everywhere else you need such preventive measures.
And last you could have a login script that can send email alter to the user upon login once a day or something like that , talk to security team at your site for all possible alternatives. |
1. I dont understand how IP could be same from connection perspective to the Mainframes.
2. Do you mean OTP via email?
3. Yes but security breaches do happen and we trying to capture security breach events. |
|
| Back to top |
|
|
Rohit Umarjikar
Global Moderator
Joined: 21 Sep 2010
Posts: 3053
Location: NYC,USA
|
|
|
|
The ip address of the pc on which emulators is running is different but the ip given in the emulator to connect to the mainframe LPAR don’t change. We are talking two different ips.
Please follow up with RACF Security admin at your site and other thoughts above and you might as well research any third party products that provides these services. |
|
| Back to top |
|
|
Ravi GA
New User
Joined: 20 Mar 2020
Posts: 12
Location: India
|
|
|
|
| Rohit Umarjikar wrote: |
The ip address of the pc on which emulators is running is different but the ip given in the emulator to connect to the mainframe LPAR don’t change. We are talking two different ips.
Please follow up with RACF Security admin at your site and other thoughts above. |
Yes I am looking for the IP address of the PC that initiated the connection request to TN3270 server on Mainframes. |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
just take a decision so that we do not waste any time ...
if You want to check if a user is allowed to connect to an application
regardless of the location of the application and of the user
the proper way is to define the relevant RACF profiles and grant access to the USERs
if you changed your mind and want to control the connections between IP addresses than the right way is to define the proper firewall rules
time to lock the topic and let the TS open a new one once he has reached a decision on his requirements |
|
| Back to top |
|
|
Rohit Umarjikar
Global Moderator
Joined: 21 Sep 2010
Posts: 3053
Location: NYC,USA
|
|
|
|
| Cleared up and locked. |
|
| Back to top |
|
|
|
|
