Step 3: Steps for authorizing the IKE daemon
- Add user ID IKED, and add IKED to the STARTED class.
- If IKED is defined using UID 0, issue the following commands:
ADDUSER IKED DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
RDEFINE STARTED IKED.* STDATA(USER(IKED))
PERMIT BPX.DAEMON CLASS(FACILITY) ID(IKED) ACCESS(READ)
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
ACF2 Commands:
SET LID
INSERT IKED STC UID(0) HOME(/) GROUP(OMVSGRP)
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
- If IKED is defined using a nonzero UID (for example, 300) and IKE GID (for example, 931), then IKED needs the following access:
ADDGROUP IKE OMVS(GID(931))
ADDUSER IKED DFLTGRP(IKE) OMVS(UID(300) HOME('/var/ike/')) NOPASSWORD
CONNECT IKED GROUP(IKE) UACC(READ)
RDEFINE STARTED IKED.* STDATA(USER(IKED))
PERMIT BPX.DAEMON CLASS(FACILITY) ID(IKED) ACCESS(READ)
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
ACF2 Commands:
SET LID
INSERT IKED STC UID(300) HOME(/var/ike/) GROUP(IKE)
SET P(GROUP) DIV(OMVS)
INSERT IKE GID(931)
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
- Set the /var directory access to all using the following command:
chmod 777 /var
- If the /var/ike directory does not already exist, use a superuser ID to create it and set its ownership and permissions using the following commands:
mkdir /var/ike/
chown IKED /var/ike
chgrp IKE /var/ike
chmod 770 /var/ike
- If the /var/sock/ directory does not already exist, use a superuser ID to create it and set the access to all using the following commands:
mkdir /var/sock/
chown 0 /var/sock
chmod 777 /var/sock
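The chmod/chown steps above are easy to get subtly wrong (a missing chgrp, or a later chmod that widens the mode), so an audit that compares the live directories against the values the procedure assigns is worth keeping. The following is an added example, not part of the IBM documentation: a POSIX sh script that parses `ls -ld` output and checks mode, owner and group against the procedure's values (user IKED, group IKE, modes 777/770/777 for /var, /var/ike and /var/sock). The owner of /var/sock is set by UID (`chown 0`), and the name `ls` prints for UID 0 varies between systems, so that check is skipped with "-".

```shell
#!/bin/sh
# Added example (not from the IBM documentation): verify that the IKE daemon's
# z/OS UNIX directories carry the owner, group and mode the procedure assigns.
# The expected values in audit_iked_dirs are the ones stated in the procedure.

# check_ls_line LINE MODE OWNER GROUP
#   LINE  : one line of `ls -ld DIR` output
#   MODE  : expected symbolic mode, e.g. drwxrwx---
#   OWNER : expected owner name, or "-" to skip the owner check
#   GROUP : expected group name, or "-" to skip the group check
# Prints a diagnostic and returns 1 on the first mismatch, 0 if all match.
check_ls_line() {
    line=$1 exp_mode=$2 exp_owner=$3 exp_group=$4
    # Split the ls line into its fields: mode, link count, owner, group, ...
    set -- $line
    mode=$1 owner=$3 group=$4
    # Drop a trailing ACL / extended-attribute indicator (e.g. "+") from the mode field
    mode=${mode%[+.@]}
    [ "$mode" = "$exp_mode" ] || { echo "mode is $mode, expected $exp_mode"; return 1; }
    [ "$exp_owner" = "-" ] || [ "$owner" = "$exp_owner" ] ||
        { echo "owner is $owner, expected $exp_owner"; return 1; }
    [ "$exp_group" = "-" ] || [ "$group" = "$exp_group" ] ||
        { echo "group is $group, expected $exp_group"; return 1; }
    return 0
}

# check_dir DIR MODE OWNER GROUP: run `ls -ld` on a real directory and check it.
check_dir() {
    out=$(ls -ld "$1" 2>/dev/null) || { echo "$1: directory missing"; return 1; }
    check_ls_line "$out" "$2" "$3" "$4" ||
        { echo "$1: ownership or mode differs from the procedure"; return 1; }
}

# audit_iked_dirs: check the three directories the procedure creates or modifies.
# Returns 1 if any directory is missing or differs, 0 if all match.
audit_iked_dirs() {
    rc=0
    check_dir /var      drwxrwxrwx -    -   || rc=1   # chmod 777 /var
    check_dir /var/ike  drwxrwx--- IKED IKE || rc=1   # chown IKED, chgrp IKE, chmod 770
    check_dir /var/sock drwxrwxrwx -    -   || rc=1   # chown 0, chmod 777 (owner checked by name is skipped)
    return $rc
}
```

Run `audit_iked_dirs` from a superuser or the IKED ID after completing the steps above; a non-zero return identifies the first directory that does not match.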
- Define RACF definitions for IKED to retrieve IP security policies from Policy Agent:
RDEFINE SERVAUTH EZB.PAGENT.sysname.*.IPSEC UACC(NONE)
PERMIT EZB.PAGENT.sysname.*.IPSEC CLASS(SERVAUTH) ID(IKED) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
SETROPTS GENERIC(SERVAUTH) REFRESH
ACF2 Commands:
SET R(SER)
RECKEY EZB ADD( PAGENT.sysname.*-.IPSEC UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(SER)
Note that the default type code for SERVAUTH is SER. Replace SER with the appropriate type code listed in a SHOW CLASMAP command.
- Permit IKED to issue console messages directly without the BPXM023I message prefix:
RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IKED) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
ACF2 Commands:
SET R(FAC)
RECKEY BPX ADD( CONSOLE UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
- Allow the IKED to access SYS1.PARMLIB as follows:
PERMIT SYS1.PARMLIB ID(IKED) ACCESS(READ)
ACF2 Commands:
SET RULE
RECKEY SYS1 ADD( PARMLIB UID(IKED UID) R(A))
- Enable the IKED to access certificates by issuing the appropriate commands.
- If the certificates used by the IKED are not site certificates, enable the IKED to access the certificates on an ESM key ring by issuing the following commands:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKED) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IKED) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
ACF2 Commands:
SET R(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(IKED UID) SERVICE(READ) ALLOW)
RECKEY IRR ADD( DIGTCERT.LIST UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
- If the certificates used by the IKED are site certificates, enable the IKED to access them by issuing the following commands:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKED) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IKED) ACCESS(READ)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(IKED) ACCESS(CONTROL)
SETROPTS RACLIST(FACILITY) REFRESH
ACF2 Commands:
SET R(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(IKED UID) SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD( DIGTCERT.LIST UID(IKED UID) SERVICE(READ) ALLOW)
RECKEY IRR ADD( DIGTCERT.GENCERT UID(IKED UID) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(FAC)
- Enable the IKED to run as nonswappable:
PERMIT BPX.STOR.SWAP CLASS(FACILITY) ID(IKED) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
ACF2 Commands:
SET R(FAC)
RECKEY BPX ADD( STOR.SWAP UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
Step 4: Steps for authorizing the ipsec command
- Define access control for the ipsec command.
The ipsec command provides both display and control functions. You can control access to each function independently.
- To control access to both the display and control capabilities of the ipsec command, issue the following commands:
SETROPTS GENERIC(SERVAUTH)
RDEFINE SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.* UACC(NONE)
PERMIT EZB.IPSECCMD.sysname.tcpprocname.* CLASS(SERVAUTH) ID(userid) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
ACF2 Commands:
SET R(SER)
RECKEY EZB ADD( IPSECCMD.sysname.tcpprocname.- UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(SER)
- To control access specifically to the display capabilities of the ipsec command for a stack, issue the following commands:
RDEFINE SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.DISPLAY UACC(NONE)
PERMIT EZB.IPSECCMD.sysname.tcpprocname.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
ACF2 Commands:
SET R(SER)
RECKEY EZB ADD( IPSECCMD.sysname.tcpprocname.DISPLAY UID(IKED UID) SERVICE(READ) ALLOW)
- To control access specifically to the display capabilities of the ipsec command for global defensive filters, issue the following commands:
RDEFINE SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY UACC(NONE)
PERMIT EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
ACF2 Commands:
SET R(SER)
RECKEY EZB ADD( IPSECCMD.sysname.DMD_GLOBAL.DISPLAY UID(IKED UID) SERVICE(READ) ALLOW)
- To control access specifically to the control capabilities of the ipsec command for a stack, issue the following commands:
RDEFINE SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.CONTROL UACC(NONE)
PERMIT EZB.IPSECCMD.sysname.tcpprocname.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)
ACF2 Commands:
SET R(SER)
RECKEY EZB ADD( IPSECCMD.sysname.tcpprocname.CONTROL UID(IKED UID) SERVICE(READ) ALLOW)
- To control access specifically to the control capabilities of the ipsec command for global defensive filters, issue the following commands:
RDEFINE SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL UACC(NONE)
PERMIT EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)
ACF2 Commands:
SET R(SER)
RECKEY EZB ADD( IPSECCMD.sysname.DMD_GLOBAL.CONTROL UID(IKED UID) SERVICE(READ) ALLOW)
Tip: These SERVAUTH profiles provide ipsec command access to only the local stack. For information about SERVAUTH profiles for controlling ipsec command access for the network security services (NSS) server, see Network security services for the IPSec discipline.
- To refresh the in-storage RACF profiles in the SERVAUTH class, issue the following command:
SETROPTS RACLIST(SERVAUTH) REFRESH
ACF2 Command:
F ACF2,REBUILD(SER)
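Every RDEFINE/PERMIT pair in Steps 3 and 4 must name exactly the same profile in the same class, and a PERMIT with no matching profile simply fails (or, worse, lands on an unintended generic profile). Because these decks are usually assembled by hand from templates with sysname and tcpprocname substituted, a mechanical consistency check before the deck is submitted is a cheap safeguard. The following is an added example, not part of the IBM documentation: a POSIX sh function built on awk that reads a RACF command deck (file or stdin) and reports any PERMIT whose profile has no RDEFINE for the same class in the deck, any ACCESS value that is not a RACF access level, and any class that received PERMITs without a SETROPTS RACLIST(class) REFRESH. The sample deck in demo_lint is constructed for this example and deliberately contains one PERMIT whose profile name lacks the EZB. prefix.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: a consistency check for a
# RACF command deck such as the ones in Steps 3 and 4. DATASET-class PERMITs
# (no CLASS keyword) are skipped, because those profiles are created with
# ADDSD rather than RDEFINE. A PERMIT for a profile that was defined in an
# earlier deck is reported so that it can be confirmed with RLIST.

# lint_racf_deck [FILE...]: read commands from FILE(s) or from stdin.
# Exit status 1 if any PERMIT problem was found, 0 otherwise.
lint_racf_deck() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*$/ { next }
    {
        verb = toupper($1)
        if (verb == "RDEFINE") {             # RDEFINE class profile ...
            defined[toupper($2) "/" toupper($3)] = 1
            next
        }
        if (verb == "SETROPTS") {            # remember SETROPTS RACLIST(class) REFRESH
            s = toupper($0)
            if (index(s, "RACLIST(") > 0 && index(s, "REFRESH") > 0) {
                sub(/.*RACLIST\(/, "", s); sub(/\).*/, "", s)
                refreshed[s] = 1
            }
            next
        }
        if (verb != "PERMIT") next           # PERMIT profile CLASS(c) ID(u) ACCESS(a)
        cls = ""; acc = ""
        for (i = 3; i <= NF; i++) {
            f = toupper($i)
            if (index(f, "CLASS(") == 1)  { cls = f; sub(/^CLASS\(/, "", cls);  sub(/\)$/, "", cls) }
            if (index(f, "ACCESS(") == 1) { acc = f; sub(/^ACCESS\(/, "", acc); sub(/\)$/, "", acc) }
        }
        if (cls == "") next                  # no CLASS keyword: DATASET profile, not checked here
        used[cls] = 1
        if (!((cls "/" toupper($2)) in defined)) {
            printf "ERROR: PERMIT %s has no RDEFINE in class %s in this deck (verify with RLIST)\n", $2, cls
            bad++
        }
        if (acc !~ /^(NONE|EXECUTE|READ|UPDATE|CONTROL|ALTER)$/) {
            printf "ERROR: PERMIT %s: unexpected ACCESS value %s\n", $2, acc
            bad++
        }
    }
    END {
        for (c in used)
            if (!(c in refreshed))
                printf "WARNING: class %s received PERMITs but no SETROPTS RACLIST(%s) REFRESH\n", c, c
        exit bad ? 1 : 0
    }' "$@"
}

# demo_lint: run the check over a constructed deck (sysname SYS1, stack TCPIP,
# user OPER1 are made-up values) in which the second PERMIT drops the EZB. prefix.
demo_lint() {
    lint_racf_deck <<'EOF'
RDEFINE SERVAUTH EZB.IPSECCMD.SYS1.TCPIP.* UACC(NONE)
PERMIT EZB.IPSECCMD.SYS1.TCPIP.* CLASS(SERVAUTH) ID(OPER1) ACCESS(READ)
RDEFINE SERVAUTH EZB.IPSECCMD.SYS1.DMD_GLOBAL.DISPLAY UACC(NONE)
PERMIT IPSECCMD.SYS1.DMD_GLOBAL.DISPLAY CLASS(SERVAUTH) ID(OPER1) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
EOF
}

demo_lint || :
```

Run `lint_racf_deck deck.txt` on the prepared command deck; the ERROR lines point at the PERMIT that would fail, and the WARNING identifies a class whose in-storage profiles would not be refreshed after the change.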
Step 5: Steps for setting up profiles in the CSFSERV resource class
- Determine the SAF profiles that you will use within the CSFSERV resource class:
Note that for ACF2, the default class type code for CSFSERV is SAF. Most sites change this type code to something more meaningful like CSF. For the purpose of these examples, CSF will be used. Replace CSF with the appropriate type code for CSFSERV listed in the SHOW CLASMAP command.
See ACF2 documentation section Integrated Cryptographic Service Facility for more details on this class and how to set it up for the first time in ACF2.
After verifying the CSFSERV class has been set up in ACF2, determine what profiles are needed using the IBM documentation and use the following RECKEY command template to write the appropriate rules. Put as many RECKEY commands between the SET and F ACF2,REBUILD commands as needed.
SET R(CSF)
RECKEY profile ADD( UID(userid) ALLOW)
F ACF2,REBUILD(CSF)