23.1 Security certification

Over the years, security has become an essential requirement for information technology. Security consists of many measures, including:

  • Preventing unauthorized access to information (read and/or write)

  • Preventing unauthorized withholding of information or resources (for example, denial-of-service attacks)

  • Providing accurate user identification

IT managers need to know whether the security of the system they are using, or intend to purchase, meets the security needs of their organization. To answer this question, you first need to define a set of criteria. Then, you need an appropriate organization to certify that your IT system has been adequately tested and meets the designated criteria. The organization that usually performs this certification is the appropriately qualified and recognized national certification body for each country. See, for example, http://www.bsi.de/zertifiz/itkrit/itsec-en.pdf.

Different sets of criteria exist:

  • Common Criteria are proposed at an international level for the United States, Canada, and the European Community.

  • ITSEC (Information Technology Security Evaluation Criteria). ITSEC is the certification standard traditionally used in the European Community.

  • TCSEC (Trusted Computer Security Evaluation Criteria, also called the Orange Book). TCSEC is traditionally used in the United States and Canada.

For the future, it is anticipated that Common Criteria will become the de facto criteria. All future IBM certification will be to Common Criteria standards. For current information about Common Criteria for Linux on eServer platforms, see http://www.ibm.com/servers/eserver/zseries/security/certification.html.

For more information about Common Criteria, see http://www.commoncriteria.org/.

Common Criteria are designated by Evaluation Assurance Levels (EALs). Table 23-1 summarizes the different levels that have been defined. For a comprehensive definition, see http://www.commoncriteria.org/docs/EALs.html.

Table 23-1. Evaluation assurance levels

  Level   Description
  EAL1    Functionally tested
  EAL2    Structurally tested
  EAL3    Methodically tested and checked
  EAL4    Methodically designed, tested, and reviewed
  EAL5    Semiformally designed and tested
  EAL6    Semiformally verified design and tested
  EAL7    Formally verified design and tested

Table 23-2 compares different criteria levels for ITSEC and TCSEC.

Table 23-2. ITSEC and TCSEC criteria

  TCSEC   ITSEC   Security
  D       E0      Inadequate assurance
  C1      E1      Vendor assured
  C2      E2      Independently tested
  B1      E3      Independently assured
  B2      E4      Structurally sound
  B3      E5      Rigorous design
  A1      E6      Assured design

23.1.1 LPAR certification

Logical partitioning on the mainframe, in the form of the underlying Processor Resource/Systems Manager (PR/SM) microcode, received the EAL5 certification level in March 2003. The certification was conducted with the PR/SM for the IBM eServer zSeries 900. Because certification is an extremely time-consuming and costly process, it cannot be performed for every single model and product on the mainframe.

EAL5 certification means that an independent body assessed the isolation of workload from one mainframe logical partition to another and determined that the isolation is equivalent to that of separate physical servers. You can be assured that one logical partition running a Web environment and another logical partition running production work are truly separate and isolated while sharing common hardware resources on a single physical server.

23.1.2 VM integrity

VM integrity can be captured in the following short form:

VM integrity statement, short form

If you find any way for one guest machine to influence another, we will accept that as an integrity APAR.

There is no official certification of VM/ESA or z/VM comparable to the certification of PR/SM. However, the z/VM guest machine separation uses the same machine facilities that were created for, and are used by, PR/SM. Because of this, the same level of confidence can be placed in the z/VM and VM/ESA guest machine separation as in the PR/SM microcode. To this end, IBM makes an unequivocal system integrity statement for z/VM (in the publication z/VM General Information, GC24-5991), which is as follows:

VM integrity statement

System integrity is an important characteristic of z/VM. This statement extends IBM's previous statements on system integrity to the z/VM environment.

IBM has implemented specific design and coding guidelines for maintaining system integrity in the development of z/VM. Procedures have also been established to make the application of these design and coding guidelines a formal part of the design and development process.

However, because it is not possible to certify that any system has perfect integrity, IBM will accept APARs that describe exposures to the system integrity of z/VM or that describe problems encountered when a program, running in a virtual machine not authorized by a mechanism under the customer's control, introduces an exposure to the system integrity of z/VM, as defined in the following "z/VM System Integrity Definition" section.

IBM will continue its efforts to enhance the integrity of z/VM and to respond promptly when exposures are identified.

In the VM integrity statement cited above, IBM promises that it will fix every exposure of the system integrity of z/VM. The scope of that promise is defined as follows.

z/VM system integrity definition

The z/VM control program system integrity is the inability of any program, running in a virtual machine not authorized by a z/VM control program mechanism under the customer's control or a guest operating system mechanism under the customer's control, to:

  • Circumvent or disable the control program real or auxiliary storage protection.

  • Access a resource protected by RACF. Resources protected by RACF include virtual machines, minidisks, and terminals.

  • Access a control program password-protected resource.

  • Obtain control in real supervisor state or with privilege class authority or directory capabilities greater than those it was assigned.

  • Circumvent the system integrity of any guest operating system that itself has system integrity as the result of an operation by any z/VM control program facility.

Real storage protection refers to the isolation of one virtual machine from another. CP accomplishes this by hardware dynamic address translation, start interpretive-execution guest storage extent limitation, and the Set Address Limit facility.

Auxiliary storage protection refers to the disk extent isolation implemented for minidisks/virtual disks through channel program translation.

Password-protected resource refers to a resource protected by CP logon passwords and minidisk passwords.

Guest operating system refers to a control program that operates under the z/VM control program.

Directory capabilities refer to those directory options that control functions intended to be restricted by specific assignment, such as those that permit system integrity controls to be bypassed or those not intended to be generally granted to users.

In short, because z/VM uses the same machine facilities as PR/SM to isolate the different guests, IBM warrants the integrity of the virtual machine interface, accepts integrity APARs, and will fix any problem that is exposed.

Linux on the Mainframe
ISBN: 0131014153
Year: 2005
Pages: 199