Netmaster Region STC remove superuser UID(0).

Article ID: 211275

Products

NetMaster Network Automation, NetMaster Network Management for TCP/IP, NetMaster File Transfer Management

Issue/Introduction

We have been requested to remove UID(0) from our Netmaster Region STC. We do not want to lose the functionality we currently have with our Netmaster Region STC defined as a superuser, but there are quite a few security changes required.  


Would you be able to list the security requirements, or direct us to the sections and/or manuals where we can find all the information needed, and still have the Netmaster functionality remain the same?


Also, can you provide the consequences of not running Netmaster Region STC as a superuser?

Environment

Release : 12.2

Component : CA NetMaster Network Management for TCP/IP

Resolution

Netmaster no longer requires UID(0) access.

Our Installing Guide outlines what is needed as a replacement.

First is setting up the OMVS segment:

If you are implementing daemon processing for user level authorization, then the region STC must be a superuser.
For ACF2: To define a non-zero superuser, specify the RESTRICT keyword on the INSERT for the user ID.
For RACF: To define a non-zero superuser, specify TRUSTED(YES) on the RDEFINE for the user ID.
For more information about OMVS UID numbers, see the IBM UNIX System Services Planning guide.

All other information is in the Prepare the IBM TCP/IP Server section.
It would be good to review the entire section, but below I have outlined the subsections that discuss superuser authority.
You may already have them defined correctly, but it's good to verify.
This is the link to the main section


subsection Set Up the zERT Detail Information Service

Configure the user ID assigned to the NetMaster SSI (NMSSI) as follows:

If a profile for the resource is defined, the user ID must have READ access to the SERVAUTH class resource named EZB.NETMGMT.sysname.tcpname.SYSTCPER.
If a profile for the resource is not defined, the user ID must be a superuser.

subsection IPSec Network Management Interface Setup
If you do not use a SERVAUTH class resource to control access, the SOLVE SSI user ID must have one of the following authorities:

An OMVS superuser
Permitted access to the FACILITY class SAF resource BPX.SUPERUSER

subsection OSAENTA Setup 

The user ID assigned to the NetMaster SSI (NMSSI):

must have READ access to the SERVAUTH class resource named EZB.NETMGMT.sysname.tcpname.SYSTCPOT if a profile for the resource is defined; or
must be a superuser if a profile for the resource is not defined.


subsection NMFTP Monitor Access to NMI API SMF Records

This is relevant only if you are running the Netmaster File Transfer Management product.
You can use one of the following methods to grant the NMFTP Monitor region access to Network Management Interface (NMI) API SMF records:

SERVAUTH
BPX.SUPERUSER

SERVAUTH
If you want to ensure the highest level of security, define the SERVAUTH profile name EZB.NETMGMT.

SERVAUTH is the recommended method.
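
The SERVAUTH alternative to superuser from the zERT and OSAENTA subsections above, written out as a batch TSO job for a RACF site. This is an added example, not taken from the Installing Guide; the job card, SYSA (sysname), TCPIP (tcpname) and NMSSIUSR (the NMSSI user ID) are constructed placeholders, and the SERVAUTH class is assumed to be active and RACLISTed already.

```jcl
//NMSRVAUT JOB (ACCT),'NMI SERVAUTH',CLASS=A,MSGCLASS=X
//*
//* Added example, RACF only. Constructed placeholders:
//*   job card values - site specific
//*   SYSA     - sysname (MVS system name)
//*   TCPIP    - tcpname (TCP/IP stack job name)
//*   NMSSIUSR - user ID assigned to the NetMaster SSI (NMSSI)
//* Assumes the SERVAUTH class is already active and RACLISTed.
//*
//* The commands in SYSTSIN, in order:
//*  1. Define the zERT (SYSTCPER) profile with UACC(NONE) and
//*     permit the SSI user ID READ access.
//*  2. Do the same for the OSAENTA (SYSTCPOT) profile.
//*  3. Refresh the in-storage SERVAUTH profiles.
//*  4. List the access list of each profile, then the OMVS
//*     segment of the SSI user ID, to confirm that READ is in
//*     place and to see which UID the user ID carries.
//*
//* RDEFINE issues an error message if the profile already
//* exists; the PERMIT after it still updates that profile.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE SERVAUTH EZB.NETMGMT.SYSA.TCPIP.SYSTCPER UACC(NONE)
  PERMIT EZB.NETMGMT.SYSA.TCPIP.SYSTCPER CLASS(SERVAUTH) -
    ID(NMSSIUSR) ACCESS(READ)
  RDEFINE SERVAUTH EZB.NETMGMT.SYSA.TCPIP.SYSTCPOT UACC(NONE)
  PERMIT EZB.NETMGMT.SYSA.TCPIP.SYSTCPOT CLASS(SERVAUTH) -
    ID(NMSSIUSR) ACCESS(READ)
  SETROPTS RACLIST(SERVAUTH) REFRESH
  RLIST SERVAUTH EZB.NETMGMT.SYSA.TCPIP.SYSTCPER AUTHUSER
  RLIST SERVAUTH EZB.NETMGMT.SYSA.TCPIP.SYSTCPOT AUTHUSER
  LISTUSER NMSSIUSR OMVS NORACF
/*
```

Review the RLIST and LISTUSER output in SYSTSPRT before changing the UID of the user ID, so that the READ permissions are confirmed while superuser authority is still available as a fallback.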