- Add Native OS/390 Authentication
Rocket Agent for OS/390 is a native VTAM application that virtually
eliminates such opportunities for attackers, and hidden costs,
by introducing token-based, two-factor authentication directly
into existing logon routines for OS/390 and z/OS environments.
Instead of static passwords, randomly-generated token codes
change each end user's authentication code literally once per
minute. This creates an impossibly small opportunity for intrusion
by another party, and even prevents accidental disclosure of passwords
resulting from end user neglect. SecurID authentication not only
prevents identity theft, but also creates a robust audit trail
of every login event, guaranteeing that access is easily traced
to a valid user every time.
Any activity of the Agent requires two factors that can never
be used more than once. Every individual in the network gets a
new password automatically every minute. If someone tries to use
someone else's Token, or copies someone else's logon, they will
fail. If a Token is lost or stolen it is virtually useless until
the real owner reports it missing and a new one assigned, at which
point it is perfectly useless.
Authenticating on the OS/390 means that users only need to carry
a single Token for enterprise-wide authentication, since SecurID
can be implemented on every platform. In addition, corporations
may customize their authentication schemes for an even greater
level of security with Rocket's Application Programming Interfaces
Rocket Agent for OS/390 provides essential security capabilities
for OS/390, including:
ˇ Protection from all forms of unauthorized user terminal access
ˇ Enhancement of and compatibility with the security systems
of the OS/390 base operating system (all versions)
ˇ Meeting auditor requirements for strong authentication (rather
than static passwords)
ˇ Securing of applications in IBM's CICS Transaction Server
for OS/390 environment
Rocket Agent's native OS/390 authentication also allows companies
to confidently grow the amount of applications handled by their
mainframe, to gain the advantages of the cost-effectiveness made
possible by the unmatched scalability of those systems, rather
than expanding their high-maintenance client/server networks.
The latter approach places a far greater burden on costs -- as
the network grows, the cost of adding routers and firewalls increases
exponentially, as well as the cost of individually configuring
each for SecurID authentication. Administrative overhead also
balloons, as does the time and effort expended on the continual
patching for Windows and Unix.
In Partnership with RSA Security
Rocket Agent for OS/390 is offered in partnership with RSA Security
as an extension of their industry standard SecurID technology.
Rocket Agent works like other RSA ACE/Agents, used in conjunction
with RSA ACE/Server and RSA SecurID tokens.
RSA has chosen Rocket Software as their partner to market, support,
and add Rocket's mainframe expertise to its ongoing development.
Rocket has assumed development of the former RSA ACE/Agent for
OS/390, and will customize and resell RSA's portfolio of integrated
security products to Rocket Agent customers. Rocket and RSA Security
will work actively together to extend your OS/390 security investment
into the future.
The Rocket Agent is the only authentication solution for OS/390
and z/OS that enables mainframes to interconnect seamlessly with
the RSA network. As a partner in the RSA SecurIDŽ Ready program.,
the Rocket Agent is tested by RSA to ensure complete compatibility
with all interrelated products.
Rocket and RSA Security will work actively together to extend
OS/390 security investment into the future. Rocket Software's
extensive experience as an IBM Solution Provider -- developing
and supporting products for IBM's premier computing environments
-- makes it the ideal provider for RSA SecurID needs on OS/390.
Accessing host through Rocket Agent on the OS/390
Why control authentication from OS/390, when it is already being
controlled at all points on other, connected systems? In terms
of overall security, it's only logical to authenticate point closest
to a corporation's most valuable assets. But besides being much
less vulnerable, authenticating on the OS/390 is also far more
efficient, drawing on the unmatched scalability and performance
of mainframe systems.
Storing the corporation's security data repository on the mainframe
system gives additional benefits, deriving from the nature of
the technology. It's more physically secure, due simply to the
fact that access to mainframe installations is already restricted
as a matter of course. As we've discussed, Rocket Agent also permits
single sign-on through SecurID, meaning employees can spend more
time doing business and less time trying to keep track of multiple
passwords or Tokens.
ˇ Minimum risk, network traffic, and maintenance
ˇ Logons extended safely to thin clients, very large numbers
ˇ Additional authentication check-points can easily be built
into existing applications
Features and Functionality
ˇ Provides strong, two-factor authentication for OS/390 systems.
ˇ Adds security in addition to RACF, CA-ACF2 or CA-Top Secret.
ˇ Allows you to require RSA SecurID authentication to any
system connected via VTAM.
ˇ Provides an audit trail with the online event log; integrates
with SMF batch logging.
ˇ Prompts users with your custom designed warning message
before they connect.
ˇ Authenticates users regardless of the device used to access
ˇ Supports all RSA SecurID form factors including key fobs,
hardware tokens, pin pads and software tokens.
ˇ Functions seamlessly with existing RSA ACE/Server solutions.
ˇ Provides seamless integration between the RSA ACE/Agent
for OS/390 audit log and the IBM SMF batch logging system.
ˇ Configures to require RSA SecurID authentication for all
devices or only those you select.
ˇ Provides a customizable greeting screen that presents the
username and passcode prompt with warnings about unauthorized
access to their system. (This is required by law in some U.S.
States in order to prosecute hackers).
ˇ Offers an option that allows authentication upon demand,
from within a CICS task. The customer may select when and where
to invoke this authentication.
CICS API for Rocket Agent for OS/390
Provides authentication on demand anywhere within a CICS application
More than thirty million people use IBM's Customer Information
Control System (CICS) for online transaction management and connectivity.
CICS handles more than thirty billion transactions per day, worth
more than US$1 trillion.
Rocket Agent for OS/390 provides an optional Rocket Agent API
for CICS Server for OS/390. This component supplies the end user
with a capability that allows RSA SecurID authentication upon
demand, from within a CICS task. This authentication is completely
under the control of the user and may be placed within the application
wherever it is necessary to secure access to transactions, programs
Authenticate at critical steps in a process:
ˇ Before cutting a check
ˇ Before authorizing a transaction
ˇ Before authorizing a change in a formula
How it works
Rocket Agent for OS/390 is a native VTAM application that functions
much like a security guard, standing between the user and a protected
resource or device to enforce two-factor authentication via using
RSA ACE/Server software.
When a logon is attempted, the Rocket Agent for OS/390 first
challenges the user to provide a valid user ID, Personal Identification
Number (PIN) and a unique, randomly generated token code from
his or her RSA SecurID authenticator. These credentials are passed
from the Rocket Agent to the RSA ACE/Server for authentication.
The logon process is fast and easy.
No matter what device or network protocol is used in your environment,
the Rocket Agent for OS/390 protects access to your system. Whether
users are connecting from an emulator or an actual terminal using
SNA, TCP/IP, Token Ring, Ethernet, etc., the Rocket Agent for
OS/390 will interrupt the connection and challenge users for their
RSA SecurID token code.
For existing RSA ACE/Server and RSA SecurID customers, the Rocket
Agent for OS/390 provides an opportunity to extend the security
provided by two-factor authentication to employees and other individuals
who access mission critical applications and systems inside the
network environment. By adding Rocket Agent, organizations can
continue to leverage the RSA ACE/Server and RSA SecurID authenticators
already deployed in their environment. The Rocket Agent solution
is complementary to native OS/390 security and management products,
such as RACF, CA-Top Secret and CA-ACF2.
Future Developments and Enhancements
Rocket Software is currently working on expanding its range
of offerings for OS/390 authentication, to bring the enhanced
security of SecurID to (the entire mainframe environment). Rocket
will more closely integrate its Agent for OS/390 with other security
offerings on the mainframe, such as IBM Resource Access Control
RSA Security's technology will play a key role in the ongoing
evolution of Rocket's enterprise security solutions. One of the
areas currently being addressed is application control, to be
able to restrict usage at a more granular level, by task or transaction.
The first implementation of this has already been achieved with
the Rocket CICS API -- opening the door to customers implementing
any number of additional authorization "checkpoints" for their
particularly sensitive CICS transactions.
The CICS API is just the first in a line of application programming
interfaces that Rocket Software will deliver in the very near
future. The second, an API for IBM Websphere, should be available
in early 2002.
APIs are currently under development for:
Rocket is also examining how Rocket Agent for OS/390 can meet the
challenge of two-factor authentication in USS (Unix System Services)
and TCP/IP facilities. These facilities represent a different security
challenge than VTAM since they are, by their very definition, designed
to be open systems -- and therefore present potential security threats
for the OS/390 environment. Rocket will block these potential weaknesses
with enhancements appropriate to these environments, extending the
advantages of single sign-on more comprehensively to every OS/390
ˇ IBM WebSphere