To secure TCPIP ports is zOS with CA Top Secret secure SERVAUTH(EZB.PORTACCESS.sysname.tcpname.safname):
The resource name syntax for the SERVAUTH Resource Class is as follows:
sysname - Local SMF ID. Can use * for masking/wildcard.
tcpname - TCPIP started task jobname. Can use * for masking/wildcard.
safname - Esoteric name coded in port reservation. 1-8 characters. First position is alpha character and not numeric.
The "SAF name" is provided on the PORTRANGE definition in the PROFILE member.
TSS ADD(owningacid) SERVAUTH(EZB.PORT) <---Skip if previously done.
TSS PER(stc_acid) SERVAUTH(EZB.PORTACCESS.SYSA.TCPIPA.WPCELL) ACCESS(READ)
'SYSA' is the SMFid for system A.
'TCPIPA' is the jobname for the TCIP started task that runs on SYSA.
'WPCELL' is defined in the TCP parms member SYS1.TCPPARMS(PROFELXC) with
28500 100 TCP * SAF WPCELL
To authorize STCs/acid to all ports on all systems:
TSS PER(tcp_stc_acid) SERVAUTH(EZB.PORTACCESS.*.*.UNRSVTCP) ACCESS(READ)
TSS PER(tcp_stc_acid) SERVAUTH(EZB.PORTACCESS.*.*.UNRSVUPD) ACCESS(READ)
For more details on Using SERVAUTH to Protect TCP Port Usage from IBM, please refer to:
Release: TOPSEC00200-15-Top Secret-Security