Securing TCPIP Ports with the SERVAUTH Resource Class

Article ID: 33267

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

To secure TCPIP ports in z/OS with CA Top Secret, secure SERVAUTH(EZB.PORTACCESS.sysname.tcpname.safname).

The resource name syntax for the SERVAUTH Resource Class is as follows:

EZB.PORTACCESS.sysname.tcpname.safname

sysname - Local SMF ID. Can use * for masking/wildcard.

tcpname - TCPIP started task jobname. Can use * for masking/wildcard.

safname - Esoteric name coded in the port reservation. 1-8 characters. The first character must be alphabetic, not numeric.
The "SAF name" is provided on the PORTRANGE definition in the PROFILE member.

Example:

TSS ADD(owningacid) SERVAUTH(EZB.PORT) <---Skip if previously done.

TSS PER(stc_acid) SERVAUTH(EZB.PORTACCESS.SYSA.TCPIPA.WPCELL) ACCESS(READ)

'SYSA' is the SMFid for system A.
'TCPIPA' is the jobname for the TCPIP started task that runs on SYSA.
'WPCELL' is defined in the TCP parms member SYS1.TCPPARMS(PROFELXC) with
...
...
...
PORTRANGE
 28500 100 TCP * SAF WPCELL
...
...
...
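
As an added illustration (not CA or IBM code), this Python sketch reads PORTRANGE entries in the form shown above and builds the matching TSS PER commands, flagging entries that have no SAF keyword or whose safname breaks the 1-8 character, alpha-first rule. The sample profile, its 9BAD and MYJOB entries, and the function names are constructed for the example; it assumes one entry per line and ';' as the comment character.

```python
import re

# Constructed sample, modelled on the PORTRANGE entry shown above.
SAMPLE_PROFILE = """\
; constructed sample, not a real TCPIP profile
PORTRANGE
 28500 100 TCP * SAF WPCELL
 29000 10 TCP * SAF 9BAD       ; invalid: first character is numeric
 30000 5 UDP MYJOB             ; no SAF keyword, so no SERVAUTH check
"""

SAFNAME_RE = re.compile(r"^[A-Za-z]\S{0,7}$")  # 1-8 chars, first is alphabetic


def parse_portranges(profile_text):
    """Return one dict per PORTRANGE entry (assumes one entry per line)."""
    entries, in_block = [], False
    for raw in profile_text.splitlines():
        tokens = raw.split(";", 1)[0].split()  # drop ';' comments
        if not tokens:
            continue
        if tokens[0].upper() == "PORTRANGE":
            in_block, tokens = True, tokens[1:]
            if not tokens:
                continue
        if not (in_block and tokens[0].isdigit()):
            in_block = False  # some other statement ends the block
            continue
        if len(tokens) < 4 or not tokens[1].isdigit():
            continue  # malformed entry, skipped
        first, count = int(tokens[0]), int(tokens[1])
        upper, saf = [t.upper() for t in tokens], None
        if "SAF" in upper[4:]:
            i = upper.index("SAF", 4)
            saf = upper[i + 1] if i + 1 < len(upper) else ""
        entries.append({"ports": f"{first}-{first + count - 1}", "saf": saf})
    return entries


def permits(profile_text, sysname, tcpname, acid):
    """Build TSS PER commands and a list of entries that need review."""
    commands, review = [], []
    for e in parse_portranges(profile_text):
        if e["saf"] is None:
            review.append((e["ports"], "no SAF keyword"))
        elif not SAFNAME_RE.match(e["saf"]):
            review.append((e["ports"], "invalid safname " + repr(e["saf"])))
        else:
            res = f"EZB.PORTACCESS.{sysname}.{tcpname}.{e['saf']}"
            commands.append(f"TSS PER({acid}) SERVAUTH({res}) ACCESS(READ)")
    return commands, review
```
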

To authorize STCs/ACIDs to all ports on all systems:

TSS PER(tcp_stc_acid) SERVAUTH(EZB.PORTACCESS.*.*.UNRSVTCP) ACCESS(READ)
TSS PER(tcp_stc_acid) SERVAUTH(EZB.PORTACCESS.*.*.UNRSVUPD) ACCESS(READ)

For more details on Using SERVAUTH to Protect TCP Port Usage from IBM, please refer to:

http://www-01.ibm.com/support/docview.wss?uid=tss1wp100673

Environment

Release: TOPSEC00200-15-Top Secret-Security