Need to secure DB2 by IP address to meet audit requirements that call for additional security measures on DB2 access.
Release : 16.0
Component : CA ACF2 for z/OS
The TCP/IP SERVAUTH class can be used to secure access by the IPv6 or IPv4 address of the user. The TERMID on a RACROUTE REQUEST=VERIFY call is no longer used as the source ID when an IPv6-based port of entry is trying to gain access to a system, resource or data set. Instead, IBM created a new SESSION type, IP, and a new port-of-entry (POE) class, SERVAUTH. The new SERVAUTH keyword on the VERIFY RACROUTE call specifies the address of the identifier of the server through which a user is trying to gain access to the system. The address points to a 1-byte length field followed by a 64-byte data area, which contains the name of a resource in the SERVAUTH class. This resource name is the network access security zone name that contains the IPv6 address of the user. Security zone mappings are defined in the NETACCESS parameter block in the TCP/IP profile.
For example:
Created an ACF2 X(SGP) source group (IPGROUP) for SERVAUTH:
DE24 / IPGROUP LAST CHANGED BY USER002 ON 10/28/20-15:24
INCLUDE(SERVAUTH) SOURCE
Added the source group to the SOURCE field of logonid USER002:
USER002 USER002 RON - TEST SERVAUTH
ACCESS ACC-CNT(3) ACC-DATE(10/29/20) ACC-SRCE(SERVAUTH)
ACC-TIME(10:21)
PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(00/00/00-00:00)
PSWA2TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-INV(0)
PSWD-TOD(10/28/20-15:16) PSWD-VIO(0) PSWDCVIO(0)
PWP-DATE(00/00/00) PWP-VIO(0)
TSO DFT-PFX(USER002)
STATISTICS CRE-TOD(10/28/20-15:16) SEC-VIO(1)
UPD-TOD(10/29/20-10:21)
RESTRICTIONS PREFIX(USER002) SOURCE(IPGROUP)
Updated the TCP/IP NETACCESS definitions in the TCPIP profile as follows:
; ----------------------------------------------------------------------
NETACCESS
10.73.2.222/32 TSTSPC
10.0.0.0/8 BROADCOM
ENDNETACCESS
; ----------------------------------------------------------------------
Set up a SERVAUTH rule so that USER002 can only access the system from the TSTSPC zone. All other users can access from anywhere:
*RESOURCE RULE EZB STORED BY USER002 ON 10/28/20-15:22
$KEY(EZB) TYPE(SER)
NETACCESS.-.TSTSPC UID(USER002) SERVICE(READ) ALLOW
NETACCESS.- UID(USER002) SERVICE(READ) PREVENT
NETACCESS.- UID(*) SERVICE(READ) ALLOW
ACF2 SECTRACE showing USER002 accessing DB2 from TSTSPC, the only IP address zone allowed for this user (SFR/RFR 0/0):
CAS21D0I JOBNAME: MC24DIST USERID: DB2STCID ASID: 0057
CAS21D1I PROGRAM: DSNVEUS3 RB CURR: DSNVEUS3 APF: YES SFR/RFR: 0/0:0
CAS21D3I SAFDEF: VERIFY INTERNAL MODE: GLOBAL
CAS2200I RACROUTE REQUEST=VERIFY,RELEASE=7760,SESSION=IP,
CAS2200I SERVAUTH='EZB.NETACCESS.DE24.TCPIP.TSTSPC',STAT=ASIS,
CAS2200I SMC=YES,ACEE=,APPL='MC24DB2',ENVIR=CREATE,ENCRYPT=YES,
CAS2200I ERROROPT=ABEND,LOC=ANY,LOG=ASIS,MSGSP=0,NESTED=NO,
CAS2200I PASSCHK=YES,PASSWRD='*SUPPRESSED*',TOKNOUT=,
CAS2200I USERID='USER002',WORKA=
ACF2 SECTRACE showing USER002 accessing DB2 from another machine within Broadcom (zone BROADCOM), which resulted in the 8/48 return code (access denied by the PREVENT rule entry):
CAS21D0I TRACEID: RON1 EVENT#: 00020512
CAS21D0I JOBNAME: MC24DIST USERID: DB2STCID ASID: 0057
CAS21D1I PROGRAM: DSNVEUS3 RB CURR: DSNVEUS3 APF: YES SFR/RFR: 8/48:0
CAS21D3I SAFDEF: VERIFY INTERNAL MODE: GLOBAL
CAS2200I RACROUTE REQUEST=VERIFY,RELEASE=7760,SESSION=IP,
CAS2200I SERVAUTH='EZB.NETACCESS.DE24.TCPIP.BROADCOM',
CAS2200I STAT=ASIS,SMC=YES,ACEE=,APPL='MC24DB2',ENVIR=CREATE,
CAS2200I ENCRYPT=YES,ERROROPT=ABEND,LOC=ANY,LOG=ASIS,MSGSP=0,
CAS2200I NESTED=NO,PASSCHK=YES,PASSWRD='*SUPPRESSED*',TOKNOUT=,
CAS2200I USERID='USER002',WORKA=
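The following Python model is an added example, not part of the original article or of CA ACF2 itself. It reproduces the decision path shown above so the rule set can be sanity-checked before it is compiled: the NETACCESS block maps a client address to a zone by longest-prefix match, the zone is turned into the SERVAUTH resource name seen in the traces (EZB.NETACCESS.DE24.TCPIP.zone), and the EZB resource rule is evaluated against that name. Assumptions in the model: a dash in a rule entry matches any number of characters (periods included) and an asterisk matches exactly one; UID masks are implicitly padded with asterisks on the right; entries are sorted most-specific first by counting literal characters, which is a simplification of ACF2's own sort; the UID string is treated as just the logonid; and no matching entry means deny.

```python
import ipaddress
import re

# NETACCESS entries, constructed from the TCPIP profile fragment in the article.
NETACCESS = [
    ("10.73.2.222/32", "TSTSPC"),
    ("10.0.0.0/8", "BROADCOM"),
]

# The EZB resource rule from the article: $KEY(EZB) TYPE(SER), entries as
# (resource mask, UID mask, decision).
RULE_KEY = "EZB"
RULE_ENTRIES = [
    ("NETACCESS.-.TSTSPC", "USER002", "ALLOW"),
    ("NETACCESS.-", "USER002", "PREVENT"),
    ("NETACCESS.-", "*", "ALLOW"),
]

SYSNAME = "DE24"    # system name, taken from the resource name in the traces
TCPNAME = "TCPIP"   # TCP/IP stack name, taken from the resource name in the traces


def zone_for(ip):
    """Return the NETACCESS zone for ip using longest-prefix match (assumption:
    the most specific NETACCESS entry wins), or None if no entry covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, zone in NETACCESS:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def servauth_resource(ip):
    """Build the SERVAUTH resource name the stack passes on RACROUTE VERIFY."""
    zone = zone_for(ip)
    if zone is None:
        return None
    return f"EZB.NETACCESS.{SYSNAME}.{TCPNAME}.{zone}"


def mask_to_regex(mask, pad_with_asterisks):
    """Translate an ACF2-style mask: '-' = any run of characters, '*' = one
    character, everything else literal. UID masks are padded with asterisks."""
    parts = []
    for ch in mask:
        if ch == "-":
            parts.append(".*")
        elif ch == "*":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    if pad_with_asterisks:
        parts.append(".*")
    return re.compile("".join(parts) + r"\Z")


def literal_count(mask):
    return sum(ch not in "-*" for ch in mask)


def evaluate(resource, uid):
    """Evaluate the EZB rule for a full SERVAUTH resource name and UID string."""
    if not resource.startswith(RULE_KEY + "."):
        return "NO-RULE"          # resource is not covered by this $KEY
    remainder = resource[len(RULE_KEY) + 1:]
    # Simplified specificity sort: more literal characters first (resource, then UID).
    ordered = sorted(
        RULE_ENTRIES,
        key=lambda e: (literal_count(e[0]), literal_count(e[1])),
        reverse=True,
    )
    for res_mask, uid_mask, decision in ordered:
        if (mask_to_regex(res_mask, False).match(remainder)
                and mask_to_regex(uid_mask, True).match(uid)):
            return decision
    return "PREVENT"              # assumption: no matching entry means deny


def check_access(ip, uid):
    """End-to-end: client address -> zone -> SERVAUTH resource -> rule decision."""
    resource = servauth_resource(ip)
    if resource is None:
        return "NO-ZONE"          # address outside every NETACCESS entry; not modelled
    return evaluate(resource, uid)


if __name__ == "__main__":
    # Constructed sample clients: the TSTSPC host, another Broadcom host, a user
    # with no restriction, and an address outside the NETACCESS block.
    for ip, uid in [("10.73.2.222", "USER002"), ("10.73.2.10", "USER002"),
                    ("10.73.2.10", "USER001"), ("192.0.2.5", "USER002")]:
        print(f"{ip:<12} {uid:<8} {servauth_resource(ip)!s:<40} {check_access(ip, uid)}")
```

The two USER002 cases correspond to the two SECTRACE outputs above: from 10.73.2.222 the resource ends in TSTSPC and the first entry allows; from any other 10.0.0.0/8 address the resource ends in BROADCOM, only the PREVENT entry matches, and the model denies, matching the 8/48 seen in the second trace.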
For details, see the ACF2 documentation section "Securing IPv6 Addresses".
For details on the TCPIP profile NETACCESS statement, see "NETACCESS statement".