Volume 40, Number 3, 2001
End-to-End Security
Security on z/OS: Comprehensive, current, and flexible - References
by R. Guski, J. C. Dayka, L. N. Distel, W. B. Farrell, K. A. Gdaniec, M. J. Kelly, M. A. Nelson, L. H. Overby, and L. G. Robinson
Cited references and notes
Kerberos was developed by the Massachusetts Institute of Technology (MIT).
BSAFE, or more formally RSA BSAFE Crypto-C, is one of a family of security toolkits developed and marketed by RSA Security Inc. The toolkit provides a wide selection of cryptographic software engines and algorithms and is commonly used within IBM security products.
A revoked user ID may be reactivated easily through administrative action after appropriate investigation.
Remember, with digital certificates, the trusted third party (the certificate authority) needs to be actively involved only during the issuing of the X.509 version 3 digital certificates, which is usually arranged to occur rarely.
The Generic Security Services Application Programming Interface (GSS-API) offers a standard interface for application programmers to access security services that are supported by lower-level functions, such as the operating system.
CICS is an application server that provides industrial-strength, on-line transaction management for mission-critical applications.
The IMS family of products includes the IMS Hierarchical Database Manager, the IMS Transaction Manager, and a growing set of tools for application development, business intelligence, systems and data management, and the deployment of e-business applications.
RACF profiles are arranged in data areas known as profile segments. The base segment, which is always present, contains basic information such as the user ID and password. Optional segments can be added, via RACF administrative support, to contain additional information. Two examples of additional user profile segments are the CICS segment and the OS/390 UNIX system services segment.
SNA is Systems Network Architecture. The Communications Server SNA support is provided by the VTAM component (Virtual Telecommunications Access Method).
Subarea SNA functions in a hierarchical manner. Each subarea node provides services for and control over peripheral nodes. In a subarea network, VTAM serves as a type 5 node, which is the highest-level node in the subarea hierarchy. Peripheral nodes require the services of a VTAM subarea node to communicate with other peripheral nodes and subarea nodes in the subarea network.
APPN functions in a peer-to-peer manner. A network node provides network services for its own end users and end nodes. A network node can be implemented on multiple platforms and does not require VTAM involvement in setting up communications between peers.
A logical unit (LU) represents an end user to the SNA and APPN network. End user sessions are called LU-LU sessions. LU 6.2 is an LU type that is used for application-to-application communications. LU 6.2 uses the Advanced Peer-to-Peer Communications protocol (APPC).
A control point (CP) is a component of an APPN node. It is responsible for managing the node and its resources.
Triple DES is a symmetric cryptographic algorithm. It provides stronger encryption than DES by applying the DES algorithm three times, using either two or three 56-bit cryptographic keys.
IPSec is defined by the IETF by Request for Comments (RFC) 2401–2406, 2409, 2410.
SNMP v3 is a secure network management protocol. It provides data origin authentication, integrity, and privacy for SNMP messages, as well as access control to SNMP resources. It is defined by RFCs 2271–2275.
OSPF (open shortest path first network routing protocol) MD5 authentication is defined by RFC 2328.
DNS (Domain Name System) provides numerous TCP/IP directory services, including a mapping of host names to IP addresses. Using cryptographic authentication, Secure DNS ensures that DNS replies are not spoofed, and that they are from a trusted system. Secure DNS is defined by RFC 2535.
The syslog daemon provides a system logging facility available to applications. Syslog records can be logged to a variety of destinations, such as files and devices.
See http://www.itsec.gov.uk/info.
The following are some Web sites relevant to this paper: http://www.ibm.com/servers/eserver/zseries, http://www.ibm.com/servers/eserver/zseries/zos, http://www.ibm.com/servers/eserver/zseries/zos/racf, and http://www.ibm.com/servers/eserver/zseries/zos/security.