Remove superuser UID(0) for NetMaster STC user

Article ID: 211275

Products

  • NetMaster Network Automation
  • NetMaster Network Management for TCP/IP
  • NetMaster File Transfer Management

Issue/Introduction

Currently, the user ID associated with the NetMaster region STC is defined as a superuser with UID(0). Can UID(0) be safely removed without losing any functionality that is currently available? What are the security requirements?

Environment

Release: 12.2

Component: CA NetMaster Network Management for TCP/IP

Resolution

NetMaster no longer requires UID(0) access.

Here are the NetMaster documentation sections that outline what is needed as a replacement.

Setting up the OMVS segment

If you are implementing daemon processing for user level authorization, then the region STC must be a superuser.

  • For ACF2: To define a non-zero superuser, specify the RESTRICT keyword on the INSERT for the started task user ID.
  • For RACF: To define a non-zero superuser, specify TRUSTED(YES) on the RDEFINE for the started task user ID.


For more information about OMVS UID numbers, see the IBM UNIX System Services Planning guide.

Prepare the IBM TCP/IP Server

Review the entire section; the subsections below are the ones that cover superuser authority.
You may already have these defined correctly, but it is worth verifying them.

Subsection: Set Up the zERT Detail Information Service

Configure the user ID assigned to the NetMaster SSI (NMSSI) as follows:

  • If a profile for the resource is defined, the user ID must have READ access to the SERVAUTH class resource named EZB.NETMGMT.sysname.tcpname.SYSTCPER.
  • If a profile for the resource is not defined, the user ID must be a superuser.

Subsection: IPSec Network Management Interface Setup

If you do not use a SERVAUTH class resource to control access, the SOLVE SSI user ID must have one of the following authorities:

  • An OMVS superuser
  • Permitted access to the FACILITY class SAF resource BPX.SUPERUSER

Subsection: OSAENTA Setup

The user ID assigned to the NetMaster SSI (NMSSI):

  • must have READ access to the SERVAUTH class resource named EZB.NETMGMT.sysname.tcpname.SYSTCPOT if a profile for the resource is defined
  • must be a superuser if a profile for the resource is not defined
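
The following RACF commands are an added example, not taken from the NetMaster documentation. They satisfy the zERT and OSAENTA requirements above through SERVAUTH profiles instead of superuser authority, then verify the result. NMSSIUSR is a placeholder for the NMSSI user ID, sysname and tcpname stand for your system and TCP/IP stack names, and the SERVAUTH class is assumed to be active and RACLISTed.

```tso
/* Added example, not from the NetMaster documentation.               */
/* NMSSIUSR is a placeholder for the NMSSI started task user ID.      */
/* Replace sysname and tcpname with the system and TCP/IP stack name. */
/* Assumes the SERVAUTH class is active and RACLISTed.                */

/* zERT Detail Information Service (SYSTCPER)                         */
RDEFINE SERVAUTH EZB.NETMGMT.sysname.tcpname.SYSTCPER UACC(NONE)
PERMIT EZB.NETMGMT.sysname.tcpname.SYSTCPER CLASS(SERVAUTH) +
       ID(NMSSIUSR) ACCESS(READ)

/* OSAENTA (SYSTCPOT)                                                 */
RDEFINE SERVAUTH EZB.NETMGMT.sysname.tcpname.SYSTCPOT UACC(NONE)
PERMIT EZB.NETMGMT.sysname.tcpname.SYSTCPOT CLASS(SERVAUTH) +
       ID(NMSSIUSR) ACCESS(READ)

/* Refresh the in-storage SERVAUTH profiles so the changes take effect */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Verify: the access lists should show only the intended user IDs    */
RLIST SERVAUTH EZB.NETMGMT.sysname.tcpname.SYSTCPER AUTHUSER
RLIST SERVAUTH EZB.NETMGMT.sysname.tcpname.SYSTCPOT AUTHUSER

/* Verify: the OMVS segment of the user ID no longer shows UID 0      */
LISTUSER NMSSIUSR OMVS NORACF

/* Audit: list every user ID that is still defined with UID(0)        */
SEARCH CLASS(USER) UID(0)
```

Because the rule above switches from "must be a superuser" to "must have READ access" as soon as a profile is defined, check which other user IDs use these interfaces before you define the profiles.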

Subsection: NMFTP Monitor Access to NMI API SMF Records

This is relevant only if you are running the NetMaster File Transfer Management product.
You can use one of the following methods to grant the NMFTP Monitor region access to Network Management Interface (NMI) API SMF records:

  • SERVAUTH
  • BPX.SUPERUSER

If you want to ensure the highest level of security, define the SERVAUTH profile name EZB.NETMGMT. SERVAUTH is the recommended method.