Terminal ID based restricted MVSLOGIN
z/OS Network File System Guide and Reference SC23-6883-00

When the z/OS NFS Server is used in SECURITY (saf or safexp) mode, users on NFS clients must issue an NFS Client Enabling Utility MVSLOGIN command from the NFS client system before they can access any files on the NFS Server. Normally, assuming the user has a valid z/OS userid and password, this is not a problem and successfully provides the user with access to the z/OS system through NFS. However, with the appropriate RACF configuration specifications, the z/OS NFS server can also restrict MVSLOGINs based on an NFS client's IP address.

To support this capability, the z/OS NFS server transforms an NFS client's IP address into an 8-byte character string, which is then used as the Terminal ID (termid) for that NFS Client. Each decimal number of the IP address is transformed into two hex digits.
For example:
To use this capability, the z/OS system administrator must:
For more details on the RACF configuration specifications, see z/OS Security Server RACF Security Administrator's Guide.

This feature is supported by z/OS NFS only for IPv4 IP addresses in saf or safexp SECURITY mode, and only in NODHCP mode. The z/OS NFS Server does not support this capability for IPv6 IP addresses (because an IPv6 IP address is too large for this mapping algorithm), or in DHCP mode (because IP addresses change dynamically in DHCP mode).

Note: This feature is also supported with RPCSEC_GSS authentication. However, since mvslogin is no longer required with RPCSEC_GSS, the RACF authentication is done automatically based on the Kerberos segment of the RACF ID.
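
The address-to-termid transformation described above, sketched in Python as an added example that is not part of the IBM guide or the z/OS NFS server code. It also goes slightly beyond the text by providing the reverse mapping and the hex prefix shared by an octet-aligned subnet; the function names, the uppercase hex digits and the sample addresses are assumptions.

```python
import ipaddress


def ip_to_termid(addr: str) -> str:
    """Map a dotted-decimal IPv4 address to the 8-character termid."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        # The guide states IPv6 is unsupported: the address is too large
        # for this mapping (16 bytes cannot fit in 8 hex characters).
        raise ValueError(f"{addr}: only IPv4 addresses map to a termid")
    # Each decimal number of the address becomes two hex digits.
    # Uppercase output is an assumption, not stated on the page.
    return "".join(f"{octet:02X}" for octet in ip.packed)


def termid_to_ip(termid: str) -> str:
    """Reverse mapping, for reading a termid back as an IPv4 address."""
    if len(termid) != 8:
        raise ValueError("termid must be exactly 8 hex characters")
    return str(ipaddress.IPv4Address(bytes.fromhex(termid)))


def subnet_termid_prefix(cidr: str) -> str:
    """Hex prefix shared by every termid in an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("need an IPv4 network on an octet boundary (/8, /16, /24, /32)")
    # Two hex digits per octet, so prefixlen bits cover prefixlen // 4 characters.
    return ip_to_termid(str(net.network_address))[: net.prefixlen // 4]


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the guide.
    for sample in ("192.168.10.5", "10.0.0.1"):
        termid = ip_to_termid(sample)
        print(f"{sample:>15} -> {termid} -> {termid_to_ip(termid)}")
    print("192.168.10.0/24 prefix:", subnet_termid_prefix("192.168.10.0/24"))
```
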
Copyright IBM Corporation 1990, 2014