We have been using LDAP / SSO using Kerberos for several years now and it works pretty well. During our initial implementation, however, we had to lower our domain Kerberos encryption level to one that the AS400 accepted. We then entered the following design change request with IBM, and they finally implemented it with the following PTFs:

Fix       Release   Description
--------- --------- ----------------------------
SI42919   V7R1      Adds AES & RC4 encryption support (krb)
SI42957   V6R1        "   "
SI43034   V5R4        "   "

SI43918   V7R1      Updates KRB5 header file in QSYSINC
SI43919   V6R1        "   "
SI43920   V5R4        "   "

----BEGIN Design Change Request------

Design Change Request - Thank You for your Design Change Request submission regarding System i.

Your request has been acknowledged and issued the following
Marketing Requirement Tracking number: MR0211113613
Document Status: Acknowledged

Title: Implement latest encryption types for use on Kerberos Authentication

Description : We would like IBM to support AES 128 and AES 256 encryption standards for
Kerberos on the IBM System i. DES is very old and was broken in 1999 within 22
hours (that probably means it can be broken in about 5 minutes using my iPhone
with today's processors). See here:
http://en.wikipedia.org/wiki/Data_Encryption_Standard

Here is a good snippet from Wikipedia:

DES is now considered to be insecure for many applications. This is chiefly due
to the 56-bit key size being too small; in January, 1999, distributed.net and
the Electronic Frontier Foundation collaborated to publicly break a DES key in
22 hours and 15 minutes (see chronology). There are also some analytical
results which demonstrate theoretical weaknesses in the cipher, although they
are infeasible to mount in practice. The algorithm is believed to be
practically secure in the form of Triple DES, although there are theoretical
attacks. In recent years, the cipher has been superseded by the Advanced
Encryption Standard (AES). Furthermore, DES has been withdrawn as a standard by
the National Institute of Standards and Technology (formerly the National
Bureau of Standards).

Nearly all operating systems today, with the exception of the AS400, support
these higher encryption types when used with Kerberos (Windows operating
systems have supported it since 2007 and all Linux variations have supported it
even earlier than that). As you may know, AES 256 is now the default encryption
that all Windows operating systems use, as it is the most secure.

Even your own documentation at IBM states that it is recommended to use AES.
But unfortunately only your AIX operating system supports those standards, and
it has supported them for a very long time (the article below is dated early 2007).
http://www.ibm.com/developerworks/aix/library/au-kerberosaes/index.html

PCI compliance standards mandate that DES encryption not be used for any type
of encryption in our organization, and yet we are forced to use it because the
AS400 only supports the DES encryption method.

This should be a very high priority for IBM, as the AS400 in its current state
has a very weak Kerberos implementation.

----END Design Change Request------

Matt Olson
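
The "lower the domain Kerberos encryption level" step above is usually done on the Active Directory side, either per account (the "Use Kerberos DES encryption types for this account" flag, or a msDS-SupportedEncryptionTypes value that includes the DES bits) or domain-wide by policy. Once the IBM i side accepts AES, those stop-gaps should be found and removed. The script below is an added example, not code from the thread or from IBM: it reads the LDIF that `ldapsearch` would return for service accounts, decodes msDS-SupportedEncryptionTypes and the UF_USE_DES_KEY_ONLY flag in userAccountControl, and reports every account that still permits DES, permits RC4, or has no explicit AES-only value. The bit values are the ones Active Directory documents; the DNs and account names are constructed, and `krbsvr400/<host>` is assumed to be the IBM i service-principal naming convention.

```python
"""Audit AD accounts for Kerberos enctype settings that still allow DES or RC4.

Bit values are those Active Directory documents for msDS-SupportedEncryptionTypes
and userAccountControl; the LDIF below is constructed sample data, not output
from any real domain.
"""

# msDS-SupportedEncryptionTypes bits; higher bits (e.g. 0x20 = FAST support)
# are capability flags rather than enctypes and are reported as "other".
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
ENCTYPE_NAMES = {
    DES_CBC_CRC: "DES_CBC_CRC",
    DES_CBC_MD5: "DES_CBC_MD5",
    RC4_HMAC: "RC4_HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128_CTS_HMAC_SHA1_96",
    AES256_CTS_HMAC_SHA1_96: "AES256_CTS_HMAC_SHA1_96",
}
DES_BITS = DES_CBC_CRC | DES_CBC_MD5
AES_ONLY = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96  # 24, the hardened value

# userAccountControl flag behind "Use Kerberos DES encryption types for this account".
UF_USE_DES_KEY_ONLY = 0x200000

# Constructed sample (invented accounts). 2163200 = 66048 | UF_USE_DES_KEY_ONLY.
SAMPLE_LDIF = """\
dn: CN=krbsvr400-ibmi01,OU=Service Accounts,DC=example,DC=com
sAMAccountName: krbsvr400-ibmi01
servicePrincipalName: krbsvr400/ibmi01.example.com
userAccountControl: 2163200
msDS-SupportedEncryptionTypes: 3

dn: CN=svc-legacy,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-legacy
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 31

dn: CN=svc-web,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-web
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 24

dn: CN=svc-unset,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-unset
userAccountControl: 66048
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines,
    repeated attributes collected into lists. Base64 ('attr:: ') values and
    folded continuation lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if sep:  # skip comments and malformed lines
            current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def decode_enctypes(mask):
    """Names of the enctypes enabled by a msDS-SupportedEncryptionTypes mask."""
    names = [name for bit, name in ENCTYPE_NAMES.items() if mask & bit]
    other = mask & ~sum(ENCTYPE_NAMES)
    if other:
        names.append("other(0x%x)" % other)
    return names


def audit_entry(entry):
    """Account name, decoded enctypes and findings (empty when AES-only, no DES flag)."""
    name = entry.get("sAMAccountName", ["?"])[0]
    uac = int(entry.get("userAccountControl", ["0"])[0])
    raw = entry.get("msDS-SupportedEncryptionTypes")
    mask = int(raw[0]) if raw else None
    findings = []
    if uac & UF_USE_DES_KEY_ONLY:
        findings.append("UF_USE_DES_KEY_ONLY set: account is marked for DES-only Kerberos keys")
    if mask is None:
        findings.append("msDS-SupportedEncryptionTypes unset: domain default applies (historically RC4-HMAC)")
    else:
        if mask & DES_BITS:
            findings.append("permits DES")
        if mask & RC4_HMAC:
            findings.append("permits RC4-HMAC")
        if not mask & AES_ONLY:
            findings.append("no AES enctype enabled")
    return {"account": name, "enctypes": decode_enctypes(mask) if mask is not None else [],
            "findings": findings, "recommended": AES_ONLY}


def weak_accounts(ldif_text):
    """Names of accounts with at least one finding, in LDIF order."""
    return [r["account"] for r in map(audit_entry, parse_ldif(ldif_text)) if r["findings"]]


if __name__ == "__main__":
    for r in map(audit_entry, parse_ldif(SAMPLE_LDIF)):
        print("%-18s %-48s %s" % (r["account"], ",".join(r["enctypes"]),
                                   "; ".join(r["findings"]) or "OK (AES only)"))
```

Feed it real data with something like `ldapsearch -LLL -b "OU=Service Accounts,DC=example,DC=com" "(servicePrincipalName=krbsvr400/*)" sAMAccountName userAccountControl msDS-SupportedEncryptionTypes`. Remediation for a flagged account is to clear the DES flag, set the attribute to 24 (for example `Set-ADObject -Identity <dn> -Replace @{'msDS-SupportedEncryptionTypes'=24}`), then reset the account password or regenerate the keytab so AES keys exist on both the KDC and the IBM i; the domain-wide knob is the "Network security: Configure encryption types allowed for Kerberos" policy, which should no longer list the DES types once every host, including the IBM i with the PTFs above, speaks AES.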

-----Original Message-----
From: brad.lovelady@xxxxxxxxxxxxxx [mailto:brad.lovelady@xxxxxxxxxxxxxx]
Sent: Friday, August 24, 2012 9:27 AM
To: midrange-l@xxxxxxxxxxxx
Subject: System i security management questions

All,

We have some consistency initiatives making the rounds, so I would appreciate some opinions on the following topics.

Anyone using LDAP/SSO to access their systems? If so do you have a favorable opinion of it?

I am also particularly interested in what software you all use to help manage things like:
- Privilege management
- AUTLs
- Object security
- ID provisioning

Lastly, who handles System i security at your organization? (i.e., system administrators, security team, etc.)

***********************************
Bradford Lovelady

Operating Systems Engineer
Technology Infrastructure Services

Wells Fargo Bank | 200 Wildwood Pkwy | Birmingham, AL 35209 | MAC W2691-010 | Tel 205-938-1999 | Cell 205-826-2834

brad.lovelady@xxxxxxxxxxxxxx


Wells Fargo Confidential

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list.
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.