Security Technical Implementation Guide (STIG) - IBM

IBM Initiate Master Data Service

Security Technical Implementation Guide (STIG) Version 9 Release 7




Note: Before using this information and the product that it supports, read the information in "Notices and trademarks" on page 11.

© Copyright IBM Corporation 1995, 2011. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

IBM Initiate Master Data Service installation in a STIG environment . . . 1
  Installing the Master Data Engine in a STIG environment . . . 1
  Database account creation . . . 3
  Installing the Message Broker Suite in a STIG environment . . . 5
  Installing IBM Initiate Inspector in a STIG environment . . . 6
  Installing IBM Initiate Web Reports in a STIG environment . . . 7
  Installing IBM Initiate Workbench in a STIG environment . . . 7
Legal Statement . . . 9
Notices and trademarks . . . 11
Contacting IBM . . . 15




IBM Initiate Master Data Service installation in a STIG environment

This information outlines a basic road map for installing the IBM® Initiate Master Data Service® in a STIG (Security Technical Implementation Guide) environment (for example, a federal government installation). It does not provide instructions for installation. Specific installation instructions are provided in the individual component guides.

Federal Information Processing Standards (FIPS) is a security standard developed by the federal government, and compliance is required if you are installing in a STIG environment. The Master Data Engine, brokers, command-line utilities that communicate over SSL, IBM Initiate® Inspector and IBM Initiate Web Reports can be FIPS 140-2 enabled.

Two important items to note when creating FIPS-compliant Master Data Engine instances:

- Several of the engine Java Runtime Engine files are updated when creating a FIPS-compliant instance. Because of this update, you cannot have a FIPS-compliant instance and a non-FIPS-compliant instance sharing the same Master Data Engine (MAD_ROOTDIR).
- If you uninstall and then reinstall a Master Data Engine, you must first remove the FIPS-compliant instance and recreate it after the engine reinstall.

Installing the Master Data Engine in a STIG environment

There are specific steps you must take to install the Master Data Engine in a STIG environment.

Before you begin

Before beginning the installation, see "Database account creation" on page 3.

About this task

Instructions for installing the Master Data Engine are found in the IBM Initiate Master Data Service Engine Installation Guide. It is important to note that the STIG DB0150, DB0160, and DB0350 regulations are in place to direct database table ownership. The regulations concern such items as:

- database tables must be owned by the application owner account
- Oracle object ownership is not limited to SYS, SYSTEM, and the application owner
- the application owner account must be inactive during normal operation and not be disabled except for update and maintenance tasks
- user accounts should not have system privileges

Specifically, DB0150 and DB0160 combine into a requirement that the table owner cannot be the same account that is used to normally operate the application. The "table owner is the user" model is the default installation methodology used by IBM Initiate Master Data Service. Because of this default model, special actions must be taken to permit the database user to be different from the table owner. These actions are explained in the "Database account creation" topic.

The suggested hub configuration method for the IBM Initiate Master Data Service is to create two Oracle accounts: one account with administrative privileges to create, delete and modify tables, and another account without these privileges. The basic steps required to establish appropriate security levels for the Master Data Engine are as follows.

Procedure

1. Install the Master Data Engine. Review Chapters 1 and 2 of the IBM Initiate Master Data Service Engine Installation Guide before embarking on the installation. Specifically, you must review "Conducting pre-installation tasks".
2. Install the AES encryption key and IV files. See "AES Encryption" in the IBM Initiate Master Data Service Engine Installation Guide.
3. Run the madpwd3 utility to generate encrypted AES passwords. You must run the utility separately for each account needed. For example, you must run it one time to create a password for your admin user account and a second time to create a password for your non-admin-privileges user account. Information about using the utility is provided in "Using Utilities" in the IBM Initiate Master Data Service Engine Installation Guide.
4. The Department of Defense STIG requirement is that database connections must time out after a period of inactivity. To support this requirement, the MAD_DBXTEST variable must be set to "1" (which is the default) in the com.initiate.server.system.cfg file. This setting causes the database connection to be tested and, if not open, reconnected before attempting to run any database commands.
5. Create your data source using the madconfig utility and then test the data source using the encrypted madpwd3 output value. See "Creating a Master Data Engine data source" in the IBM Initiate Master Data Service Engine Installation Guide.
6. Create your Master Data Engine instance. Most STIG implementations require that your instance is FIPS-compliant and that your MPINet communications are over HTTP, as opposed to the standard TCP/IP protocol.
   a. Create a FIPS-compliant engine instance using madconfig. To enable FIPS compliance, you must instruct madconfig to show prompts that are normally hidden during standard instance creation. The command to display the hidden prompts is:

      madconfig create_instance

      The FIPS enablement process is documented in "FIPS Compliance and STIG Environments" in the IBM Initiate Master Data Service Engine Installation Guide. Information about creating instances is provided in "Installing the Master Data Engine Environment" in the IBM Initiate Master Data Service Engine Installation Guide. Specifically, you want to review "Completing the Master Data Engine installation worksheets" and "Creating a Master Data Engine instance". When creating the FIPS-enabled instance, the engine JVM security policies are modified to use the correct encryption libraries. It is important to note that updating the configuration after instance creation by changing FIPS=false to FIPS=true does not actually enable FIPS encryption.



   b. Answer 'n' to the prompt "Will this Master Data Engine instance provide MPINet over TCP/IP?". Then answer 'y' to the prompt "Will this Master Data Engine instance provide MPINet over HTTP?".
7. To abide by the STIG DB0150, DB0160 and DB0350 regulations, follow these steps. Make sure that you have reviewed "Database account creation" first.
   a. On initial instance creation, specify the admin account and associated encrypted password.
   b. Then run the madhubcreate, madentcreate, and madhubload utilities along with any other utilities or actions that require admin privileges during initial configuration of the engine.
   c. After the instance has been created, the com.initiate.server.jdbc.cfg file must be edited to contain the name and encrypted password of the database user account. The admin account is then deactivated.

For upgrades: Before running upgrade_instance or any other administrative function that requires an administrative database user, the engine must be stopped, the admin user reactivated and the com.initiate.server.jdbc.cfg configuration changed to the admin user. When the upgrade is finished, restore the configuration to the user account and deactivate the admin account.

Important: If you are using an external LDAP server and attempting to connect to a FIPS-compliant engine instance, you must configure your LDAP to use TLSv1.

Database account creation

Before installing the Master Data Engine, you must create database accounts that comply with the STIG DB0150, DB0160, and DB0350 regulations.

To ensure that your implementation complies with DB0150, DB0160 and DB0350, it is suggested that you first create an administration instance. The administration instance must use a database "application owner" name and password. All other instances should be created with a database user name and password that does not have administrative permission and does not own any tables. Use the administration instance to create, configure, and administer the hub database tables as indicated in the installation and operation guides.

Before go-live, the database user must be granted access to the database application owner's tables. Depending on the database server on which the software is installed, public synonyms or aliases might need to be created. The GRANT command can only be used on one table at a time. The easiest way to accomplish this task is to use an SQL SELECT statement to generate all of the GRANT commands.

Oracle SQL example: For Oracle, redirect the madsql output to a file and run a SELECT that builds one GRANT statement per table:

    madsql > [path]/grantAccess.SQL
    select 'grant SELECT,INSERT,UPDATE,DELETE on '||table_name||' to [database user account];' from user_tables;

Remember, Oracle uses || to indicate concatenation. Other databases use different syntax. Oracle uses a view named user_tables, with a column named table_name, to store the table names. Other databases use different table name storage constructs.

After the SQL file has been created, review it to ensure correctness. Run the file with the following madsql command:

    madsql -sqlFile [path]/grantAccess.SQL

Microsoft SQL Server: The granting of access should be sufficient for Informix® and Microsoft SQL Server. To test, connect to the database using the database user name and password. Verify that the user account does not have any tables defined in its workspace by using the following:

    select name from sysobjects where type = 'U'

Next, attempt a SELECT from one of the hub tables without any owner qualification to ensure that access has been granted.

Oracle and IBM DB2®: Granting access alone is not sufficient to access the tables without owner name qualification. For Oracle, you must create public synonyms, and for IBM DB2 you must create aliases. These commands can only be used for one table at a time. The easiest method is to use an SQL command to build all of the create commands. Oracle example using madsql:

    madsql > [path]/createSynonyms.SQL
    select 'create or replace public synonym '||table_name||' for [table owner].'||table_name||';' from user_tables;

Review the file to ensure that the command syntax is correct and then run the file using the following madsql command:

    madsql -sqlFile [path]/createSynonyms.SQL

IBM DB2 does not allow the creation of public synonyms. It uses an alias in place of a global synonym. Aliases can only be created by a sysAdmin account. After running the SQL, attempt to select data from a hub table without using the owner prefix.

After ensuring that the database user account can access the tables without using the owner prefix, create the needed runtime instances that use the database user account. From "go-live" forward, these non-administrative instances should be used for normal application operation. The administration instance that uses the database table owner account should be stopped, and the database application owner account disabled, when not actively performing administrative tasks. For many functions, such as creating new entity types or attribute types, Workbench must be connected to the administration instance. Obviously, the database table owner account must be enabled and the administration instance must be started before connecting to the instance with Workbench.
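The two-account model described above, as an added example that is not part of the IBM guide: a Python script that generates the per-table GRANT statements and the Oracle public synonym or DB2 alias statements for the runtime account, then runs the pre-go-live checks (the runtime account owns no tables; every owner table has a GRANT) on the generated script. The catalog rows, account names (HUBOWNER, HUBUSER) and table names are constructed; the DB2 CREATE ALIAS form is my addition, since the guide shows only the Oracle SQL.

```python
"""Build and review the per-table access statements for the STIG two-account
hub layout (table owner account vs. non-owning runtime account).
Added example; the catalog rows and account names below are constructed."""
import re

# Privileges the guide grants on each hub table to the runtime account.
PRIVS = "SELECT,INSERT,UPDATE,DELETE"
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")

# Constructed sample catalog: (owner, table_name) rows, standing in for what
# 'select table_name from user_tables' returns when run as the owner account.
SAMPLE_CATALOG = [
    ("HUBOWNER", "MEMBER_HEAD"),
    ("HUBOWNER", "MEMBER_ATTR"),
    ("HUBOWNER", "AUDIT_LOG"),
]


def _ident(name):
    """Accept only plain identifiers: the statements are built by string
    concatenation, so a mangled or unexpected catalog row must not reach the DB."""
    if not _IDENT.match(name):
        raise ValueError(f"not a plain SQL identifier: {name!r}")
    return name


def grant_statement(table, runtime_user):
    """One GRANT per table, as the guide's SELECT-generated script produces."""
    return f"GRANT {PRIVS} ON {_ident(table)} TO {_ident(runtime_user)};"


def unqualified_access_statement(db, owner, table):
    """Statement that lets the runtime account reach owner.table without the
    owner prefix. Per the guide: Oracle needs a public synonym, DB2 an alias
    (sysadmin only), SQL Server and Informix need nothing beyond the GRANT.
    The DB2 'CREATE ALIAS' form is assumed; the guide shows only Oracle SQL."""
    owner, table = _ident(owner), _ident(table)
    if db == "oracle":
        return f"CREATE OR REPLACE PUBLIC SYNONYM {table} FOR {owner}.{table};"
    if db == "db2":
        return f"CREATE ALIAS {table} FOR {owner}.{table};"
    if db in ("sqlserver", "informix"):
        return None
    raise ValueError(f"unsupported database type: {db}")


def build_scripts(db, owner, runtime_user, catalog):
    """Return (grant_lines, access_lines) for every table owned by `owner`,
    ready to be reviewed and then run with 'madsql -sqlFile'."""
    grants, access = [], []
    for row_owner, table in catalog:
        if row_owner.upper() != owner.upper():
            continue  # not a hub table owned by the application owner
        grants.append(grant_statement(table, runtime_user))
        stmt = unqualified_access_statement(db, owner, table)
        if stmt:
            access.append(stmt)
    return grants, access


def review(owner, runtime_user, catalog, grant_lines):
    """Pre-go-live checks from the guide, returned as a list of findings
    (an empty list means the layout complies):
      - the runtime account must own no tables (DB0150/DB0160);
      - every table owned by the application owner must have a GRANT."""
    findings = []
    for row_owner, table in catalog:
        if row_owner.upper() == runtime_user.upper():
            findings.append(f"runtime account owns table {table}; move it to {owner}")
    # Table name sits between ' ON ' and ' TO ' in each generated GRANT.
    granted = {line.split(" ON ")[1].split(" TO ")[0] for line in grant_lines}
    for row_owner, table in catalog:
        if row_owner.upper() == owner.upper() and table not in granted:
            findings.append(f"no GRANT for {owner}.{table} to {runtime_user}")
    return findings


if __name__ == "__main__":
    g, a = build_scripts("oracle", "HUBOWNER", "HUBUSER", SAMPLE_CATALOG)
    print("\n".join(g + a))
    print("findings:", review("HUBOWNER", "HUBUSER", SAMPLE_CATALOG, g))
```

Generate the files offline, review them as the guide instructs, and only then run them through madsql as the owner (or, for DB2 aliases, a sysadmin) account.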



Installing the Message Broker Suite in a STIG environment

There are specific steps you must take to install the Message Broker Suite in a STIG environment.

About this task

Instructions for installing the Message Broker Suite are found in the IBM Initiate Master Data Service Message Broker Suite Reference. The Message Broker Suite components store data in unencrypted queue files on the disk. If sensitive data is being passed through the brokers, you must create an operating-system-encrypted hard disk or hard disk partition to protect this data while at rest. When creating a broker instance, ensure that the instance home directory is on this encrypted storage. The basic steps required to establish appropriate security levels for the Message Broker Suite are as follows.

Procedure

1. Install the Message Broker Suite. Review the installation instructions in the IBM Initiate Master Data Service Message Broker Suite Reference before embarking on the installation.
2. Install the AES encryption key and IV files. See "AES Encryption" in the IBM Initiate Master Data Service Engine Installation Guide.
3. Run the madpwd3 utility to generate the encrypted AES password. Information about all utilities is provided in "Using Utilities" in the IBM Initiate Master Data Service Engine Installation Guide.
4. Create your data source using the madconfig utility and then test the data source using the encrypted madpwd3 output value. See "Create a data source" in the IBM Initiate Master Data Service Message Broker Suite Reference.
5. Create your broker instances using madconfig.
   a. If sensitive data is being passed through the broker, make sure that the instance home directory is located on encrypted storage.
   b. To create a FIPS-compliant broker instance, you must instruct madconfig to display prompts that are normally hidden during standard instance creation. The command to display the hidden prompts is:

      madconfig create_inbound_instance

      (Note that inbound in the command must change based on the broker type; for example, outbound or mapping.)
   c. To permit communication over HTTP, enter y at the prompt "Will the Master Data Engine provide MPINet communications over HTTP". If you entered "y", the environment variable MAD_COMTYPE is set to HTTP in the services.ini file. If you entered "n", the variable is not set and does not appear in the .ini file. To permit MPINet over HTTP for the IBM Initiate-IHE or web-enabled brokers, you must change the appropriate startup script for the container they are using. For example, to enable SSL in the brokers on Tomcat, you must set the appropriate environment variables in the startup.* script. To enable MPINet over HTTP, set the MAD_COMTYPE variable to HTTP in the startup.* script.

The FIPS enablement process is documented in "FIPS Compliance and STIG Environments" in the IBM Initiate Master Data Service Engine Installation Guide. Information about creating broker instances is provided in "Installation of the Message Broker Suite" in the IBM Initiate Master Data Service Message Broker Suite Reference.

Installing IBM Initiate Inspector in a STIG environment

There are specific steps you must take to install IBM Initiate Inspector in a STIG environment.

About this task

Instructions for installing IBM Initiate Inspector are found in the IBM Initiate Inspector Installation and Configuration Guide. The IBM Initiate Inspector data files do not contain actual application data. They do contain metadata, such as table names, column names, and data types, that can assist an unauthorized user in accessing the data. Because of this potential, IBM Initiate Inspector relies on the operating system for security and user authentication. IBM Initiate Inspector should only be installed and used on an encrypted disk or disk partition with limited access. When creating projects and saving data files, always use the encrypted disk partition. The basic steps required to establish the appropriate security levels for IBM Initiate Inspector are as follows.

Procedure

1. Install the Master Data Engine and create a FIPS-compliant instance. This step must be done before installing IBM Initiate Inspector.
2. Install IBM Initiate Inspector. See the appropriate installation section in the IBM Initiate Inspector Installation and Configuration Guide. There are separate sections for Apache Tomcat, Oracle® WebLogic Server®, and IBM WebSphere® Application Server.
3. After installation, access the IBM Initiate Inspector Engine Coordinates page.
   a. If you are using MPINet over HTTP communications:
      - The Port must be set to the value of the "embedded webserver port" defined during Engine instance creation.
      - Then check the MPINet over HTTP box to permit MPINet communication over HTTP. If not checked, MPINet communication defaults to TCP/IP communication.
   b. Check SSL and FIPS Enabled. When prompted, enter TLSv1 as the SSL Version and TLS as the SSL Library. After completion, the following lines are contained in your file:

      com.initiatesystems.sdk.seclib=TLS
      com.initiatesystems.sdk.sslversion=TLSv1
      UseHTTP=true

If your implementation requires users to accept a usage agreement before accessing IBM Initiate Inspector, you can define the usage text, and the header and footer text, from the Coordinates page > Security Messages.



Installing IBM Initiate Web Reports in a STIG environment

There are specific steps you must take to install IBM Initiate Web Reports in a STIG environment.

About this task

Instructions for installing IBM Initiate Web Reports are found in the IBM Initiate Web Reports Installation and Configuration Guide. The basic steps required to establish appropriate security levels for Web Reports are as follows.

Procedure

1. Install the Master Data Engine and create a FIPS-compliant instance. This step must be done before installing IBM Initiate Web Reports.
2. Install IBM Initiate Web Reports.
3. After installation, add the following lines to your file.
   - For FIPS compliance:

         com.initiatesystems.sdk.seclib=TLS
         com.initiatesystems.sdk.sslversion=TLSv1

   - For MPINet over HTTP:

         UseHTTP=true

If your implementation requires users to accept a usage agreement before accessing Web Reports, see Add Security Messages in the IBM Initiate Web Reports Installation and Configuration Guide.

Installing IBM Initiate Workbench in a STIG environment

There are specific steps you must take to install IBM Initiate Workbench in a STIG environment.

About this task

Instructions for installing IBM Initiate Workbench are found in the IBM Initiate Workbench Installation Guide. As a stand-alone client application, IBM Initiate Workbench does not require user authentication before execution. IBM Initiate Workbench also stores data in clear text, unencrypted format on the disk. The basic steps required to establish appropriate security levels for IBM Initiate Workbench are as follows.

Procedure

1. Install the Master Data Engine and create a FIPS-compliant instance. This step must be done before installing IBM Initiate Workbench.
2. Install IBM Initiate Workbench.
3. Create a connection to your engine/hub by accessing the Initiate menu.
   a. Select Register Hubs to Projects.
   b. On the Hub Connections dialog, select Add.
   c. On the Add Hub Connection dialog, check Use MPINet over HTTP. If not checked, communication defaults to TCP/IP communication.
   d. Next, check Use SSL for MPINet. Then check TLSv1 in the SSL Version options.



Legal Statement

Licensed Materials – Property of IBM

© Copyright IBM Corporation, 1995, 2011. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, Initiate, and Initiate Master Data Service are trademarks of IBM Corp., registered in many jurisdictions worldwide. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Other product and service names might be trademarks of IBM, or other companies.

This Program is licensed under the terms of the license agreement accompanying the Program. This license agreement may be either located in a Program directory folder or library identified as "License" or "Non-IBM License", if applicable, or provided as a printed license agreement. Please read this agreement carefully before using the Program. By using the Program, you agree to these terms.





Notices and trademarks

This information was developed for products and services offered in the U.S.A.

Notices

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
J46A/G4
555 Bailey Avenue
San Jose, CA 95141-1003
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: © (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at

The following terms are trademarks or registered trademarks of other companies:

Adobe is a registered trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.





Contacting IBM

You can contact IBM for customer support, software services, product information, and general information. You also can provide feedback to IBM about products and documentation.

The following table lists resources for customer support, software services, training, and product and solutions information.

Table 1. IBM resources

Resource: IBM Support Portal
Description and location: You can customize support information by choosing the products and the topics that interest you at entry/portal/Overview/Software/ Information_Management/IBM Initiate_Master_Data_Service

Resource: Software services
Description and location: You can find information about software, IT, and business consulting services, on the solutions site at businesssolutions/

Description and location: You can manage links to IBM web sites and information that meet your specific technical support needs by creating an account on the My IBM site at

Resource: Training and certification
Description and location: You can learn about technical training and education services designed for individuals, companies, and public organizations to acquire, maintain, and optimize their IT skills at

Resource: IBM representatives
Description and location: You can contact an IBM representative to learn about solutions at

Providing feedback

The following table describes how to provide feedback to IBM about products and product documentation.

Table 2. Providing feedback to IBM

Type of feedback: Product feedback
Action: You can provide general product feedback through the Consumability Survey at consumability-survey

Type of feedback: Documentation feedback
Action: To comment on the information center, click the Feedback link on the top right side of any topic in the information center. You can also send comments about PDF file books, the information center, or any other documentation in the following ways:
- Online reader comment form:
- E-mail: [email protected]



Printed in USA
