How IBM i 7.4 Improves Security
May 1, 2019 Alex Woodie
The unveiling of Db2 Mirror may have gotten the lion’s share of attention with last week’s introduction of IBM i enhancements. But IBM has also given its customer base some significant security upgrades with the new releases of IBM i, including enhancements to the Authority Collection and support for the latest over-the-wire encryption protocol.
“Our big things are around those two main themes – availability as well as security,” says Alison Butterill, IBM i product offering manager at IBM. “Those are the two main themes. But we have lots of things across the board.”
IBM gave customers significant new user-focused security capabilities two years ago with the introduction of Authority Collection in IBM i 7.3. Now, with versions version 7.4 and 7.3 technology refresh (TR) 6, IBM is doubling down on the Authority Collection function and expanding it in a big new way.
Authority Collection gave IBM i shops a way to determine the minimum authority that a user requires to complete an application function. Once the appropriate authority levels were determined, it was up to the administrator to implement the changes manually in IBM i’s security settings, or to use a third-party tool to do it for them.
The Authority Collection was well received by the community, since it helped to ensure that regular users were not going about their day-to-day work in user profiles that included special authorities, such as ALLOBJ, SPLCTL, and SECADM. The simple fact is that too many IBM i shops continue have too many users running with too much authority. The overuse of special authorities has been a recurring theme – and a well-documented problem — in IBM i security studies for over a decade.
When it launched, Authority Collection operated from the point of view of individual users. With IBM i 7.4, IBM has flipped the product’s viewpoint on its end and now allows customers to track authority requirements from the point of view of IBM i objects. The following object types are supported: QSYS file system; “root” (/); QOpenSys; user-defined file system; and document library objects.
IBM‘s Chief Architect for IBM i, Steve Will, explains:
“In the 7.3 version of it, it was a user-based thing, so you would check for example what your operator would do or your programmer would do,” Will tells IT Jungle in a recent briefing. “In 7.4, we given the other option, which is to say that I want to make sure that I have this particular object locked, no matter who it is that’s touching it or trying to do something with it. So now you can look at it the other way. You can say for any given object, I can prove to you that there’s nobody touching it who has more authority than they need.”
IBM i shops asked for the new object-focused view in Authority Collection, Will says. “This again is a requirement that we’ve gotten from folks who are trying to certify to security auditors that they’re securing things,” he says. “This kind of completes that story.”
Authority Collection gets several new SQL views for displaying and analyzing the authority data collected for objects. The SQL views cover any objects stored in the QSYS file system; in the “root” (/); QOpenSys, or user-defined file system; and also objects stored in document and folder objects, according to IBM. More information can be found in the Authority Collection section of the IBM Knowledge Center.
The other big security feature is support for TLS version 1.3. TLS is the latest version of Transport Layer Security (TLS), which is the encryption protocol used for securing data in motion (it was previously known as Secure Sockets Layer, or SSL). The specification for TLS version 1.3 was established in August 2018 and has been widely adopted by the computer industry since then, although there is still widespread use of TLS 1.2.
With support for TLS 1.3, IBM is giving users the latest tools for securing network traffic. “TLS 1.3 is the most modern, the most secure way of doing encrypted traffic,” Will says. “So a lot of our clients, particularly in the financial space and healthcare, are really after the most modern thing available even if they’re not quite ready to use it.”
IBM also updated the Digital Certificate Manager (DCM), an existing IBM i tool for managing the certificates used to enter into encrypted sessions. With IBM i 7.4, IBM has provided new DCM APIs that allow more aspects of the certificate management process to be automated.
Specifically, IBM is now providing APIs to manage application definition certificate assignments; to manage the certificate authority (CA) trust list; and to request a certificate renewal and import certificate into system store.
It’s worth noting that none of these security enhancements – support for object views in Authority Collection, support for TLS 1.3, nor extra automation in DCM – are supported in IBM i 7.3 TR6. That’s by design.
“We’ve got a number of enhancements in 7.4 that are especially related to security,” he says. “It’s often the case that major releases require significant security [updates]. Those things don’t tend to roll out as technology refreshes because they tend to be more pervasive.”