NETACCESS statement

Use the NETACCESS statement to configure network access control. Specifically, it allows for the one-to-one mapping between a network, subnetwork or host and a Security Access Facility (SAF) resource name. The network specifications are used to build an internal data structure that maps networks, subnetworks and hosts to SAF resource names. The mapping is used to construct a complete resource name that is passed to the Security Product to determine the user's permission to access the network resource. The most specific mapping is used to determine the resource name for the SAF authorization check.

If the network resource does not have an assigned mapping, no SAF check is performed. If the network resource does have an assigned mapping, the SERVAUTH class must be active, the resource name must be defined, and the user ID making the request must have at least read access to the resource.

Inbound socket commands include application requests to bind a socket, accept a TCP connection and any command that transfers data into the application from a socket. Outbound socket commands include application requests to connect a socket and any command that transfers data from the application into the socket.

Multilevel-security is an enhanced security environment that can be configured on a z/OS® Communications Server system. In this environment the Security Server and trusted resource managers enforce mandatory access control (MAC) policies in addition to the usual discretionary access control (DAC) policies. For more information about the multilevel-security environment and configuring z/OS Communications Server in that environment, see the multilevel-security information in the z/OS Communications Server: IP Configuration Guide.

Syntax

Rule: Specify the parameters in the order shown here.

                                                              .------------------------------------------.                 
              .-NOINBound-.  .-OUTBound---.  .-CACHEALL----.  V                                          |                 
>>-NETAccess--+-----------+--+------------+--+-------------+----+-ipv4_addr/num_mask_bits-+--saf_resname-+--ENDNETAccess-><
              '-INBound---'  '-NOOUTBound-'  +-CACHEPERMIT-+    +-ipv4_addr address_mask--+                                
                                             '-CACHESAME---'    +-ipv6_addr/prefixlength--+                                
                                                                +-DEFAULT--+---+----------+                                
                                                                |          '-0-'          |                                
                                                                '-DEFAULTHome-------------'                                

Parameters

NOINBOUND
Specifies that network access control checking is disabled for inbound socket commands. This is the default value.
INBOUND
Specifies that network access control checking is enabled for inbound socket commands.
OUTBOUND
Specifies that network access control checking is enabled for outbound socket commands. This is the default value.
NOOUTBOUND
Specifies that network access control checking is disabled for outbound socket commands.
CACHEALL
Specifies that when a SAF call is made to check a user's access to a security zone, the result is cached regardless of whether access is permitted or denied. Subsequent checks of the user's access to the security zone are resolved using the cached results. This is the default value.

This parameter allows an external security manager to write an audit record for only the first access check made for a user for each security zone.

CACHEPERMIT
Specifies that when a SAF call is made to check a user's access to a security zone, the result is cached when access is permitted, but not when access is denied. Subsequent checks of the user's access to a permitted security zone are resolved using the cached results. Subsequent checks of the user's access to a denied security zone are resolved by another SAF call.

This parameter allows an external security manager to write an audit record for only the first access check made for a user for each permitted security zone, and for all access checks made for a user for each denied security zone.

CACHESAME
Specifies that when a SAF call is made to check the access of a user to a security zone, the result is cached when access is permitted, but not when access is denied.

If the user is permitted to access the security zone, subsequent checks of the user access to the security zone are resolved using the cached results as long as the user associated with the socket and the IP address being accessed are unchanged. However, if the user that is associated with the socket changes or if the IP address being accessed changes from the previous packet that is received or sent over the socket, the next access check is resolved by another SAF call.

Subsequent checks of the user access to a denied security zone are resolved by another SAF call.

This parameter allows an external security manager to write an audit record for all denied access checks that are made for a user for each denied security zone and for the first of multiple successive access checks made for a socket under the same user and for the same IP address in a permitted security zone.
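An added Python model (not part of this reference or of z/OS itself) of the three cache options, showing which of a sequence of access checks on one socket actually reach SAF; the user IDs, zone names, IP addresses and the permission table are constructed.

```python
class NetaccessCache:
    """Model of the three NETACCESS cache options; saf_check(user, zone) -> bool stands in
    for the external security manager and every call to it is counted."""

    def __init__(self, mode, saf_check):
        assert mode in ("CACHEALL", "CACHEPERMIT", "CACHESAME")
        self.mode, self.saf_check = mode, saf_check
        self.cache = {}       # (user, zone) -> permitted, for CACHEALL and CACHEPERMIT
        self.last = {}        # socket -> (user, ip) of its last permitted check, for CACHESAME
        self.saf_calls = 0

    def _call_saf(self, user, zone):
        self.saf_calls += 1   # each real call is one the security manager could audit
        return self.saf_check(user, zone)

    def check(self, sock, user, zone, ip):
        """Return True if user may use the zone; consult SAF only when the option requires."""
        if self.mode == "CACHESAME":
            # A cached permit is reused only while the socket's user and IP are unchanged.
            if self.last.get(sock) == (user, ip):
                return True
            permitted = self._call_saf(user, zone)
            if permitted:
                self.last[sock] = (user, ip)
            else:
                self.last.pop(sock, None)   # denials are never cached
            return permitted
        key = (user, zone)
        if key in self.cache:
            return self.cache[key]
        permitted = self._call_saf(user, zone)
        if self.mode == "CACHEALL" or permitted:   # CACHEPERMIT caches permits only
            self.cache[key] = permitted
        return permitted

def run_sequence(mode):
    """Constructed pattern on one socket: same user, IP change inside a permitted zone,
    then two packets to a denied zone. Returns (results, number of SAF calls made)."""
    perms = {("USER1", "CORPNET"): True, ("USER1", "DEFZONE"): False}
    cache = NetaccessCache(mode, lambda user, zone: perms.get((user, zone), False))
    steps = [("s1", "USER1", "CORPNET", "192.168.1.1"),
             ("s1", "USER1", "CORPNET", "192.168.1.1"),
             ("s1", "USER1", "CORPNET", "192.168.1.2"),
             ("s1", "USER1", "DEFZONE", "10.1.1.1"),
             ("s1", "USER1", "DEFZONE", "10.1.1.1")]
    return [cache.check(*s) for s in steps], cache.saf_calls
```

The same five checks cost two SAF calls under CACHEALL, three under CACHEPERMIT and four under CACHESAME, which is the difference in audit-record volume the descriptions above refer to.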

ipv4_addr/num_mask_bits
Specifies the network for which security product access control is required for user requests. The num_mask_bits field is used to create an address mask that is bit-contiguous from left to right. This address mask is logically ANDed with the ipv4_addr value to create the network address for which access control is required.
ipv4_addr address_mask
Specifies the network for which security product access control of user requests is required. The address_mask value is a bit mask (expressed in dotted decimal form) that is bit-contiguous from left to right. The address_mask value is logically ANDed with the ipv4_addr value to create the network address for which access control is required.
ipv6_addr/prefixlength
Specifies the IPv6 network for which security product access control is required. The ipv6_addr is an IPv6 address in colon-hexadecimal format. The prefixlength value is a decimal value specifying how many of the leftmost contiguous bits of the address comprise the prefix. The value is in the range of 1 - 128. IPv4-mapped IPv6 addresses and IPv6 addresses with the reserved prefix ::/96 are not allowed.
DEFAULT
Specifies that security product access control of user requests is required for any networks not specifically defined by other NETACCESS statement entries. If DEFAULTHOME is not specified, DEFAULT maps all addresses, local and remote, not mapped by other entries. If DEFAULTHOME is also specified, DEFAULT maps all remote addresses not mapped by other entries. Use of the address_mask value of 0 on this entry is deprecated.
DEFAULTHOME
Specifies that security product access control of user requests is required for all IP addresses that are local to this stack and not specifically defined by other NETACCESS statement entries. When this parameter is specified, security product access control of user requests is also required for addresses dynamically defined by SYSPLEX services and IPv6 link-local and global addresses that are automatically assigned for an interface.
saf_resname
Specifies the final qualifier of a security product resource name. The maximum length is eight characters. The profile name has the following format:
 EZB.NETACCESS.sysname.tcpname.saf_resname

where

  • EZB.NETACCESS is constant.
  • sysname is the value of the MVS™ &SYSNAME. system symbol.
  • tcpname is the name of the procedure used to start the TCP stack.
  • saf_resname is the 1-8 character value following the network specification.

If the installation's SAF compliant security product (for example, RACF®) supports the SERVAUTH class, the installation has activated the SERVAUTH class, a profile covering this resource name has been created in the SERVAUTH class, and the effective user ID is permitted to the resource, then it is allowed to access the network.

Steps for modifying

To modify any values on the NETACCESS statement, use a VARY TCPIP,,OBEYFILE command with a data set that contains a new NETACCESS statement. All existing network entries are deleted and replaced with the entries from the new NETACCESS statement. Active connections are reauthorized whenever the user ID the active connections are running under has changed or a new NETACCESS statement is loaded.

For more information about the VARY TCPIP commands, see z/OS Communications Server: IP System Administrator's Commands.

Statement dependency

Examples

NETACCESS    INBOUND    OUTBOUND  CACHEPERMIT ; check both ways, cache permits only
  192.168.0.0/16                    CORPNET ; Net address
  192.168.113.19/32                 HOST1   ; Specific host address
  192.168.113.0     255.255.255.0   SUBNET1 ; Subnet address
  192.168.112.0     255.255.248.0   SUBNET2 ; Subnet address
  192.168.192.0/24                  CAMPUS  ; Subnet address
  192.168.214.0/24                  CAMPUS  ; Subnet address
  fe80::6:2900:1dc:21bc/128         HOST2   ; IPv6 specific host address
  2001:0DB8::/16                    GLBL    ; IPv6 global network
  DEFAULTHOME                       HOME    ; Optional Default local zone
  DEFAULT                           DEFZONE ; Optional Default zone
ENDNETACCESS
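To show how the most specific mapping and the EZB.NETACCESS.sysname.tcpname.saf_resname format combine, here is an added Python example (not IBM code) that parses the block above and returns the SERVAUTH profile the stack would check for a given address. The sysname SYS1 and tcpname TCPIP are placeholder assumptions, and only the full NETACCESS and ENDNETACCESS spellings are recognized.

```python
import ipaddress
# Constructed sample: the NETACCESS block shown in this page's Examples section.
SAMPLE = """\
NETACCESS INBOUND OUTBOUND CACHEPERMIT ; check both ways, cache permits only
  192.168.0.0/16                  CORPNET ; Net address
  192.168.113.19/32               HOST1   ; Specific host address
  192.168.113.0   255.255.255.0   SUBNET1 ; Subnet address
  192.168.112.0   255.255.248.0   SUBNET2 ; Subnet address
  fe80::6:2900:1dc:21bc/128       HOST2   ; IPv6 specific host address
  2001:0DB8::/16                  GLBL    ; IPv6 global network
  DEFAULTHOME                     HOME    ; Optional Default local zone
  DEFAULT                         DEFZONE ; Optional Default zone
ENDNETACCESS
"""

def parse_netaccess(text):
    """Return (zones, default, defaulthome); zones is a list of (network, saf_resname)."""
    zones, default, defaulthome = [], None, None
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # drop the trailing comment
        if not tokens or tokens[0].upper() == "NETACCESS":
            continue                                    # options do not affect the mapping
        key = tokens[0].upper()
        if key == "ENDNETACCESS":
            break
        if key == "DEFAULT":                            # may carry the deprecated mask value 0
            default = tokens[-1]
        elif key == "DEFAULTHOME":
            defaulthome = tokens[-1]
        else:
            # "ipv4_addr/num_mask_bits", "ipv6_addr/prefixlength" or "ipv4_addr address_mask"
            spec = tokens[0] if len(tokens) == 2 else f"{tokens[0]}/{tokens[1]}"
            zones.append((ipaddress.ip_network(spec, strict=False), tokens[-1]))
    return zones, default, defaulthome

def resource_name(addr, zones, default, defaulthome, sysname, tcpname, local=False):
    """SERVAUTH profile the stack would check for addr, or None when no entry maps it."""
    ip = ipaddress.ip_address(addr)
    # Most specific mapping wins: the longest matching prefix of the same IP version.
    matches = [(n.prefixlen, s) for n, s in zones if n.version == ip.version and ip in n]
    if matches:
        saf = max(matches)[1]
    elif local and defaulthome:          # DEFAULTHOME covers only this stack's own addresses
        saf = defaulthome
    elif default:                        # DEFAULT covers the rest (all addresses if no DEFAULTHOME)
        saf = default
    else:
        return None                      # no assigned mapping: no SAF check is performed
    return f"EZB.NETACCESS.{sysname}.{tcpname}.{saf}"
```

Note that 192.168.113.5 resolves to SUBNET1 even though SUBNET2 and CORPNET also cover it, and a block with no DEFAULT entry yields None for unmapped addresses, meaning no SAF check at all.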

Usage notes