You can use System Authorization Facility (SAF) to control which z/OS® users can access specific TCP/IP resources, which protects against unauthorized user access to these resources.
You define SAF resource profiles in the SERVAUTH class to control access to the TCP/IP resources. After you define a SAF resource profile, a local user can access the associated TCP/IP resource if their user ID has at least READ access to the resource.
z/OS Communications Server programs call SAF to determine which users have access to protected resources. The user's credentials, a resource name, and a requested level of access (READ, UPDATE, and so on) are provided to SAF. SAF has three defined return codes:
The following situations can result in a no-decision return code from SAF:
When SAF returns a no-decision return code, the resource manager decides whether to allow access. The No SAF decision column in Table 1 indicates the action that the resource manager takes for each resource.
Table 1 summarizes the SERVAUTH resource names that are used by TCP/IP.
Function | Description | No SAF decision | SERVAUTH resource name |
---|---|---|---|
Broadcast access control | Provides ability to control whether an application is permitted to set the SO_BROADCAST socket option needed to send broadcast datagrams | Permit | EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST |
CIM provider access control | Provides ability to restrict access to CIM data | Deny | EZB.CIMPROV.sysname.tcpname |
DCAS server access control | Controls ability to access DCAS server based on SAF user ID associated with TLS-authenticated X.509 client certificate | Permit | EZA.DCAS.cvtsysname |
Fast Response Cache Accelerator (FRCA) access control | Provides ability of a user to create an FRCA cache (FRCA is used by web servers for caching static web pages in the stack) | Deny, see result 1 | EZB.FRCAACCESS.sysname.tcpname |
FTP server access control | Controls ability to access FTP server based on SAF user ID used to log in | Permit | EZB.FTP.sysname.ftpdaemonname.PORTxxxxx |
FTP SITE command control | Provides ability to restrict usage of SITE DUMP and DEBUG commands (commands generate large amount of output) | Permit | EZB.FTP.sysname.ftpdname.SITE.DUMP EZB.FTP.sysname.ftpdname.SITE.DEBUG |
FTP z/OS UNIX file system access control | Provides ability to generally restrict FTP user access to the z/OS UNIX file system | Permit | EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS |
ipsec command access control | Provides ability to control ipsec command usage | Deny | EZB.IPSECCMD.sysname.tcpname.command_type EZB.IPSECCMD.sysname.DMD_GLOBAL.command_type |
IPSec network management interface (NMI) access control for control requests (local) | Controls whether a user can issue NMI control requests to the local IKE daemon to manage IP filtering and IPSec function (for example, activate and deactivate requests) pertaining to a local TCP/IP stack | Deny | EZB.NETMGMT.sysname.tcpname.IPSEC.CONTROL |
IPSec NMI access control for display requests (local) | Controls whether a user can issue NMI monitoring requests to the local IKE daemon to retrieve IP filtering and IPSec monitoring data pertaining to a local TCP/IP stack | Deny | EZB.NETMGMT.sysname.tcpname.IPSEC.DISPLAY |
IPSec NMI and ipsec command access control | Controls whether a user can issue: | Deny | EZB.NETMGMT.sysname.sysname.IKED.DISPLAY |
IPSec NMI and ipsec command access control for control requests (remote) | Controls whether a user can issue: | Deny | EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL |
IPSec NMI and ipsec command access control for display requests (remote) | Controls whether a user can issue: | Deny | EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY |
IPv6 Advanced Socket API access control | Provides ability to control whether an application is permitted to set IPv6 advanced socket API options: IPV6_NEXTHOP IPV6_TCLASS IPV6_RTHDR IPV6_HOPOPTS IPV6_DSTOPTS IPV6_RTHDRDSTOPTS IPV6_PKTINFO IPV6_HOPLIMIT | Deny, see result 2 | EZB.SOCKOPT.sysname.tcpname.IPV6_NEXTHOP EZB.SOCKOPT.sysname.tcpname.IPV6_TCLASS EZB.SOCKOPT.sysname.tcpname.IPV6_RTHDR EZB.SOCKOPT.sysname.tcpname.IPV6_HOPOPTS EZB.SOCKOPT.sysname.tcpname.IPV6_DSTOPTS EZB.SOCKOPT.sysname.tcpname.IPV6_RTHDRDSTOPTS EZB.SOCKOPT.sysname.tcpname.IPV6_PKTINFO EZB.SOCKOPT.sysname.tcpname.IPV6_HOPLIMIT |
Netstat command access control | Provides ability to restrict Netstat usage | Permit, see result 3 | EZB.NETSTAT.sysname.tcpname.netstat_option |
Network security services (NSS) NMI and command access control | Controls whether a user can issue: | Deny | EZB.NETMGMT.sysname.sysname.NSS.DISPLAY |
NSS server access control | Controls whether an NSS IPSec client can register with the NSS server for the NSS IPSec certificate service | Deny | EZB.NSS.sysname.clientname.IPSEC.CERT |
NSS server access control | Controls whether an NSS IPSec client can register with the NSS server for the NSS IPSec remote management service | Deny | EZB.NSS.sysname.clientname.IPSEC.NETMGMT |
NSS server access control | Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance SAFAccess service. | Deny | EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS |
NSS server access control | Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance certificate service. | Deny | EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT |
NSS server access control | Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance private key service. | Deny | EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY |
NSS server certificate access control | Controls whether an NSS client can access a CERTAUTH certificate on the key ring of the NSS server | Deny | EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH |
NSS server certificate access control | Controls whether an NSS client can access a PERSONAL or SITE certificate on the key ring of the NSS server | Deny | EZB.NSSCERT.sysname.mappedlabelname.HOST |
NSS server private key access control | Controls whether an NSS XMLAppliance client can access the private key for a certificate on the key ring of the NSS server | Deny | EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY |
OSM access control | Controls ability to access the intranode management network using OSM interfaces | Deny | EZB.OSM.sysname.tcpname |
Partner information ioctl access control | Controls whether an application can use the SIOCGPARTNERINFO ioctl to obtain partner security credentials within a sysplex or subplex over a trusted TCP connection | Deny | EZB.IOCTL.sysname.tcpprocname.PARTNERINFO |
Policy Agent command control | Provides ability to restrict pasearch command, IKE daemon, policy clients, and nslapm2 usage by type | Deny | EZB.PAGENT.sysname.image.ptype |
Real-time application-controlled TCP/IP trace NMI access control - Open request | Controls whether an application can invoke the NMI to open a trace; intended for network management applications | Deny | EZB.TRCCTL.sysname.tcpname.OPEN |
Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can invoke the NMI to set filters for packet trace; intended for network management applications | Deny | EZB.TRCCTL.sysname.tcpname.PKTTRACE |
Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can request IPSec cleartext data on a packet trace filter | Deny | EZB.TRCSEC.sysname.tcpname.IPSEC |
Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can invoke the NMI to set filters for data trace; intended for network management applications | Deny | EZB.TRCCTL.sysname.tcpname.DATTRACE |
Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can request AT-TLS cleartext data on a data trace filter | Deny | EZB.TRCSEC.sysname.tcpname.ATTLS |
Real-time OSAENTA information service access control | Provides ability to restrict access to select real-time OSAENTA packet trace records accessible using the OSAENTA information service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPOT |
Real-time SMF information service access control | Provides ability to restrict access to select real-time SMF records accessible using the SMF information service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPSM |
Real-time TCP connection information service access control | Provides ability to restrict access to the TCP connection information using TCP connection information service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPCN |
Real-time TCP/IP packet trace service access control | Provides ability to restrict access to select real-time packet trace records accessible using the TCP/IP packet trace service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPDA |
SNMP agent control | Provides control over usage of SNMP subagents that connect to the SNMP agent by using a TCP connection | Permit | EZB.SNMPAGENT.sysname.tcpname |
TCP/IP local port access control | Controls user ability to bind to a non-ephemeral TCP or UDP port | Deny | EZB.PORTACCESS.sysname.tcpname.port_safname |
TCP/IP netaccess access control | Controls local user inbound and outbound access to network resources, and local user access to local IP address when explicitly binding to local interface (or using job-specific or destination-specific source IP addresses) | Deny | EZB.NETACCESS.sysname.tcpname.zonename |
TCP/IP stack access control | Controls user ability to open a socket and get host name or host ID | Permit | EZB.STACKACCESS.sysname.tcpname |
TCP/IP stack initialization access control | Controls ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack | Deny | EZB.INITSTACK.sysname.tcpname |
TN3270E Telnet server access control | Controls ability to access TN3270E Telnet server based on SAF user ID associated with TLS-authenticated X.509 client certificate | Deny | EZB.TN3270.sysname.tcpname.PORTxxxxx |
VIPARANGE access control for any VIPA range (bind) | Controls whether an application can create a DVIPA by binding to a DVIPA that is specified by any VIPARANGE statement | Permit | EZB.BINDDVIPARANGE.sysname.tcpname |
VIPARANGE access control for any VIPA range (MODDVIPA and ioctl) | Provides access control for all VIPARANGE statements, and controls whether a user or application can perform the following tasks: | Deny, see result 5 | EZB.MODDVIPA.sysname.tcpname |
VIPARANGE access control for a specific VIPA range (bind) | Controls whether an application can create an application-specific DVIPA, by binding to a DVIPA that is specified by a VIPARANGE statement that includes the SAF parameter with the same value for resname. | Deny | EZB.BINDDVIPARANGE.sysname.tcpname.resname |
VIPARANGE access control for a specific VIPA range (MODDVIPA and ioctl) | Provides access control for a specific VIPARANGE statement that includes the SAF parameter with the same value for resname, and controls whether a user or application can perform the following tasks: | Deny | EZB.MODDVIPA.sysname.tcpname.resname |
Results:
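The rows whose No SAF decision column reads Permit are the ones that stay open when no profile exists, so a useful defensive check is to confirm that each of them is covered for every stack. The following Python audit is an added example, not part of the z/OS documentation: it takes those resource-name templates from Table 1 and a constructed list of defined SERVAUTH profiles and reports the Permit-default resources that no profile covers. Its handling of RACF generic characters (`%`, `*`, `**`) is a simplified model and an assumption of this example.

```python
import re

# Resource-name templates from Table 1 whose "No SAF decision" is Permit.
# With no covering profile (or SERVAUTH inactive) these fall through to Permit.
PERMIT_DEFAULT_RESOURCES = {
    "Broadcast access control": "EZB.SOCKOPT.{sysname}.{tcpname}.SO_BROADCAST",
    "TCP/IP stack access control": "EZB.STACKACCESS.{sysname}.{tcpname}",
    "SNMP agent control": "EZB.SNMPAGENT.{sysname}.{tcpname}",
    "VIPARANGE access control for any VIPA range (bind)":
        "EZB.BINDDVIPARANGE.{sysname}.{tcpname}",
}

def generic_to_regex(profile):
    """Simplified RACF generic matching (assumption): '%' is one character,
    '*' matches within a single qualifier, '.**' matches zero or more
    trailing qualifiers."""
    out, i = [], 0
    while i < len(profile):
        if profile.startswith(".**", i):
            out.append(r"(?:\.[^.]+)*")
            i += 3
            continue
        c = profile[i]
        if c == "*":
            out.append(r"[^.]*")
        elif c == "%":
            out.append(r"[^.]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def covering_profile(resource, profiles):
    """Return the first discrete or generic profile covering resource, else None."""
    for p in profiles:
        if generic_to_regex(p).match(resource):
            return p
    return None

def uncovered_permit_defaults(sysname, tcpname, profiles):
    """Permit-default functions for one stack that no SERVAUTH profile covers."""
    names = {f: t.format(sysname=sysname, tcpname=tcpname)
             for f, t in PERMIT_DEFAULT_RESOURCES.items()}
    return sorted(f for f, r in names.items() if covering_profile(r, profiles) is None)

# Constructed sample of defined SERVAUTH profiles (discrete and generic).
SAMPLE_PROFILES = [
    "EZB.STACKACCESS.SYS1.TCPIP",
    "EZB.SOCKOPT.SYS1.*.SO_BROADCAST",
    "EZB.NETSTAT.SYS1.TCPIP.**",
]

if __name__ == "__main__":
    for f in uncovered_permit_defaults("SYS1", "TCPIP", SAMPLE_PROFILES):
        print("no SERVAUTH profile, resource manager permits:", f)
```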