IBM added additional security functions in 7.2 to further establish the Power Systems IBM i operating system as a world-class securable environment.
Here's an overview of the new security functionality, along with links to other useful resources:
- The first major enhancement, row and column access control (RCAC), was developed jointly by the DB2 and security development teams. RCAC attaches the controls to the DB2 table itself and provides a comprehensive way to limit access to critical business data. Because it is data-centric, it is easier to create, administer, and change over time as business rules change, and it is enforced by the database regardless of the interface used to reach the table, so the application does not have to carry the filtering logic. Row-level security authorizes users to individual rows of data. For example, members of a group profile called “PAYROLL” can see all rows in the table, while members of a group profile called “MANAGERS” can see only the rows for their own employees. Column masking is also supported: members of group profile “PAYROLL” see complete social security numbers, while members of group profile “MANAGERS” see a masked value such as xxx-xxx-5555.
- A significant change affects many of the audit records written to the QAUDJRN security audit journal: they now include the “old” security values alongside the “new” values, giving a before-and-after snapshot of each change. In previous releases only the new values were logged. Two values have also been added to the QAUDLVL system value, *PTFOPR and *PTFOBJ, to audit PTF operations and the object changes PTFs make on the system.
- The POWER8 hardware adds an “in-core” cryptographic accelerator. It improves the performance of certain operations (AES encryption and SHA-2 message digests), and the benefit is automatic, with no application changes required: system functions such as System SSL, VPN and software tape encryption, as well as applications that call the cryptographic services APIs, all gain from it.
- The single sign-on (SSO) capability of IBM i, enabled through Enterprise Identity Mapping (EIM) and Network Authentication Service (Kerberos), has been extended: both the FTP and Telnet client and server on IBM i now support SSO.
- An object type parameter has been added to the Work with Objects by Owner (WRKOBJOWN), Work with Objects by Primary Group (WRKOBJPGP) and Work with Objects by Private Authority (WRKOBJPVT) CL commands, so users can restrict these displays to one or more specific object types.
- The QPWDRULES system value gains a new optional value, *ALLCRTCHG, which requires every IBM i password to conform to the password syntax rules, including passwords set by an administrator with the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands; previously those commands were not checked against the rules. Keep in mind that once QPWDRULES contains anything other than *PWDSYSVAL, the individual password system values (QPWDMINLEN, QPWDMAXLEN, QPWDRQDDGT and the rest) are ignored, so every rule you still want must be expressed in QPWDRULES itself.
- Numerous changes have been made in the cryptographic services area of the system. New algorithms and modes are supported, including the elliptic curve (ECC) algorithms, and System SSL and VPN have been enhanced to use the new cryptographic support available in 7.2. Other System SSL changes include support for TLSv1.1 and TLSv1.2, support for the elliptic curve cipher suites, and support for the Online Certificate Status Protocol (OCSP), which lets System SSL ask the issuing authority's responder whether a digital certificate has been revoked instead of relying only on a downloaded revocation list.
- Additional certificate authority support has been added to Digital Certificate Manager (DCM) and System SSL. It allows the creation of multiple digital certificates using the RSA and ECC algorithms and the assignment of multiple certificates to a single SSL-enabled application, so that a server can present an RSA certificate to one client and an ECC certificate to another that negotiates an elliptic curve cipher suite.
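The PAYROLL/MANAGERS scenario above, written out as DB2 for i 7.2 RCAC DDL. This is an added example, not code from the article or from IBM: the HR schema, the EMPLOYEE table, its MANAGER column (holding the manager's user profile name), the permission and mask names and the sample rows are all constructed for the illustration. It assumes IBM i 7.2 with option 47 (IBM Advanced Data Security for i) installed and that the profile running it has been granted the QIBM_DB_SECADM function usage, which CREATE PERMISSION and CREATE MASK require.

```sql
-- Added example (not from the article): RCAC for the PAYROLL / MANAGERS case.
-- Schema, table, MANAGER column, object names and rows are constructed here.
-- Assumes IBM i 7.2 option 47 and QIBM_DB_SECADM function usage for the
-- profile that creates the permission and the mask.

CREATE SCHEMA HR;

CREATE TABLE HR.EMPLOYEE (
  EMPNO   CHAR(6)       NOT NULL PRIMARY KEY,
  NAME    VARCHAR(40)   NOT NULL,
  MANAGER CHAR(10)      NOT NULL,   -- user profile name of the employee's manager
  SSN     CHAR(11)      NOT NULL,   -- stored as nnn-nn-nnnn
  SALARY  DECIMAL(9,2)  NOT NULL
);

-- Constructed sample data.
INSERT INTO HR.EMPLOYEE VALUES
  ('000010', 'Alice Adams', 'MGRWEST', '123-45-6789', 98000.00),
  ('000020', 'Bob Brown',   'MGRWEST', '234-56-7890', 71000.00),
  ('000030', 'Carol Chen',  'MGREAST', '345-67-8901', 83000.00);

-- Row permission: PAYROLL members see every row; a MANAGERS member sees
-- only rows whose MANAGER column names that manager's own profile.
-- QSYS2.VERIFY_GROUP_FOR_USER returns 1 when the user belongs to the group.
-- Once row access control is active, a row that no enabled permission
-- allows is silently not returned, even to a profile with *ALLOBJ.
CREATE PERMISSION HR.EMPLOYEE_ROW_ACCESS ON HR.EMPLOYEE
  FOR ROWS WHERE
        QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
     OR (    QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'MANAGERS') = 1
         AND MANAGER = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: PAYROLL gets the full SSN, everyone else gets the last four
-- digits only. The expression must yield the column's own type, CHAR(11).
CREATE MASK HR.EMPLOYEE_SSN_MASK ON HR.EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE
      WHEN QSYS2.VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1 THEN SSN
      ELSE CAST('XXX-XX-' CONCAT SUBSTR(SSN, 8, 4) AS CHAR(11))
    END
  ENABLE;

-- Nothing is enforced until the controls are activated on the table.
ALTER TABLE HR.EMPLOYEE
  ACTIVATE ROW ACCESS CONTROL
  ACTIVATE COLUMN ACCESS CONTROL;

-- Checks: run the same query under three different profiles, one that is a
-- member of MANAGERS (profile MGRWEST), one that is a member of PAYROLL, and
-- one that belongs to neither group.
SELECT EMPNO, NAME, SSN, SALARY FROM HR.EMPLOYEE;
```

Run as MGRWEST the query should return only the two rows whose MANAGER is MGRWEST, with SSN reading XXX-XX-6789 and XXX-XX-7890; run as a PAYROLL member it returns all three rows with full SSNs; run as a profile in neither group it returns no rows and no error, which is the point to remember when debugging an application that "suddenly sees nothing": RCAC filters rather than fails. Because the permission is the only thing that admits a row, a profile that must see everything (a security officer, a batch job) needs its own group or a clause in the permission; *ALLOBJ special authority does not bypass RCAC.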
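The two system value changes described above (the *PTFOPR/*PTFOBJ audit values and *ALLCRTCHG in QPWDRULES) as one script that reads the current settings, applies the change, and reads them back. This is an added example, not from the article: it drives the CL commands through the QSYS2.QCMDEXC procedure and the QSYS2.SYSTEM_VALUE_INFO view so the change and its verification sit together; the specific QAUDLVL and QPWDRULES value lists are constructed for the illustration and must be merged with what is already in effect on the system you are changing, since CHGSYSVAL replaces the whole list.

```sql
-- Added example (not from the article). Value lists below are constructed;
-- merge them with the current values, CHGSYSVAL does not append.

-- 1. What is in effect now. QPWDLVL matters for the *MAXLEN rule below.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE, CURRENT_NUMERIC_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2', 'QPWDRULES', 'QPWDLVL');

-- 2. QAUDLVL entries are only written while QAUDCTL includes *AUDLVL and
--    the QAUDJRN journal exists (CHGSECAUD creates it if it does not).
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QAUDCTL) VALUE(''*AUDLVL *OBJAUD *NOQTEMP'')');

-- 3. Re-state the values already in QAUDLVL and append the two 7.2 PTF values.
--    QAUDLVL holds at most 16 values; if the merged list is longer, put the
--    overflow in QAUDLVL2 and add *AUDLVL2 to QAUDLVL.
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QAUDLVL) VALUE(''*AUTFAIL *SECURITY *SAVRST *SERVICE *PTFOPR *PTFOBJ'')');

-- 4. Password rules. As soon as QPWDRULES is anything other than *PWDSYSVAL,
--    QPWDMINLEN, QPWDMAXLEN, QPWDRQDDGT and the other individual values are
--    ignored, so every rule still wanted is listed here. *ALLCRTCHG makes the
--    same rules apply to passwords set with CRTUSRPRF and CHGUSRPRF.
--    *MAXLEN above 10 is only valid at QPWDLVL 2 or 3.
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QPWDRULES) VALUE(''*ALLCRTCHG *MINLEN8 *MAXLEN10 *DGTMIN1 *LMTPRFNAME *LMTSAMPOS *REQANY3'')');

-- 5. Read back to confirm the new lists took effect.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QPWDRULES');
```

Step 4 is where most *ALLCRTCHG rollouts go wrong: enabling the value without also restating the length and content rules leaves the system enforcing only what is in QPWDRULES, and a CHGUSRPRF that used to succeed will start failing with the new rules, so test the list on a non-production partition before applying it where administrators reset passwords daily.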
For more details, see the IBM wiki that provides information on all OS enhancements included in 7.2.
For Carol Woodbury's take on 7.2 security, watch her on-demand webinar.