z/OS Network File System Guide and Reference


Terminal ID based restricted MVSLOGIN

SC23-6883-00

When the z/OS NFS server runs in SECURITY(saf) or SECURITY(safexp) mode, a user on an NFS client must issue the MVSLOGIN command of the NFS Client Enabling Utility from the client system before that user can access any files on the NFS server. Normally, assuming the user has a valid z/OS user ID and password, this is not a problem: MVSLOGIN succeeds and gives the user access to the z/OS system through NFS. However, with the appropriate RACF configuration, the z/OS NFS server can also restrict MVSLOGINs based on the NFS client's IP address, so that a valid user ID and password alone are not enough to log in from an arbitrary client.

To support this capability, the z/OS NFS server transforms the NFS client's IPv4 address into an 8-byte character string, which is then used as the Terminal ID (termid) for that NFS client. Each decimal octet of the IP address is transformed into two hex digits. For example:

    IP address        Terminal ID (termid)
    12.15.16.32       0C0F1020
    9.157.161.12      099DA10C

To use this capability, the z/OS system administrator must:

  1. Activate the RACF class TERMINAL. This is done with the RACF command:
    SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)
  2. Define the proper resource in the TERMINAL class. This is done with the RACF command:
    RDEFINE TERMINAL termid UACC(NONE)  
    where termid is the terminal ID generated by the z/OS NFS server using the algorithm cited previously in this section.

    If, for example, the termid 099DA10C is defined this way, users who have NONE access to that TERMINAL resource cannot successfully execute the MVSLOGIN NFS Client Enabling Utility from the NFS client with IP address 9.157.161.12. Because UACC(NONE) is the default access, every user is blocked from that client until explicitly permitted in step 4.

  3. Refresh the RACF class TERMINAL. This is done with the RACF command:
    SETROPTS RACLIST(TERMINAL) REFRESH 
  4. Grant permission to some users (for example, USER4 and USER5) from the NFS client with IP address 9.157.161.12 to successfully execute the MVSLOGIN NFS Client Enabling Utility. This is done with the RACF command:
    PERMIT 099DA10C CLASS(TERMINAL) ID(USER4 USER5) ACCESS(ALTER)
    SETROPTS RACLIST(TERMINAL) REFRESH 
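The address-to-termid mapping and the four RACF steps above, as an added example (this is not IBM's code or part of the z/OS NFS server): a small Python helper that computes the termid for a client address, rejects anything that is not an IPv4 address (the page states IPv6 is not supported), reverses the mapping so a termid found in a RACF profile can be read back as an address, and emits the RACF command sequence for a set of clients. The `CLIENT_PERMISSIONS` table is constructed sample input; the function names are this example's own.

```python
import ipaddress

# Constructed sample input: client IP address -> user IDs allowed to MVSLOGIN
# from that client. An empty list defines the TERMINAL profile but permits
# nobody, which blocks every MVSLOGIN from that client (UACC(NONE)).
CLIENT_PERMISSIONS = {
    "9.157.161.12": ["USER4", "USER5"],
    "12.15.16.32": [],
}


def nfs_termid(ip):
    """Map an IPv4 client address to the 8-character termid the z/OS NFS
    server derives from it: each dotted-decimal octet becomes two uppercase
    hex digits (12.15.16.32 -> 0C0F1020)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # The page states the mapping exists only for IPv4 (an IPv6 address
        # does not fit in 8 characters), so refuse rather than truncate.
        raise ValueError("%s: only IPv4 addresses map to an NFS termid" % ip)
    return "".join("%02X" % octet for octet in addr.packed)


def termid_to_ip(termid):
    """Reverse the mapping, so a TERMINAL profile name found in RACF output
    can be read back as the client address it protects."""
    if len(termid) != 8:
        raise ValueError("%s: termid must be exactly 8 hex digits" % termid)
    octets = [int(termid[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets)


def racf_commands(permissions):
    """Produce the RACF commands from steps 1-4 for every client in
    `permissions`. Access level follows the page's example (ALTER)."""
    cmds = ["SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)"]
    # Step 2: define one TERMINAL profile per client, default access NONE.
    for ip in permissions:
        cmds.append("RDEFINE TERMINAL %s UACC(NONE)" % nfs_termid(ip))
    # Step 3: refresh so the new profiles take effect.
    cmds.append("SETROPTS RACLIST(TERMINAL) REFRESH")
    # Step 4: permit the named users on each client that has any.
    for ip, users in permissions.items():
        if users:
            cmds.append("PERMIT %s CLASS(TERMINAL) ID(%s) ACCESS(ALTER)"
                        % (nfs_termid(ip), " ".join(users)))
    cmds.append("SETROPTS RACLIST(TERMINAL) REFRESH")
    return cmds


if __name__ == "__main__":
    for line in racf_commands(CLIENT_PERMISSIONS):
        print(line)
```

Running the block prints the command sequence for the two sample clients; the generated names can be checked against `RLIST TERMINAL *` output by feeding each profile name through `termid_to_ip`.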

For more details on the RACF configuration specifications, see z/OS Security Server RACF Security Administrator's Guide.

This feature is supported by z/OS NFS only for IPv4 addresses in saf or safexp SECURITY mode, and only in NODHCP mode. The z/OS NFS server does not support this capability for IPv6 addresses (an IPv6 address is too large for this mapping algorithm) or in DHCP mode (IP addresses change dynamically in DHCP mode, so a termid derived from an address would not reliably identify a client).

Note: This feature is also supported with RPCSEC_GSS authentication. However, since MVSLOGIN is no longer required with RPCSEC_GSS, the RACF authentication is done automatically, based on the Kerberos segment of the RACF user ID.





Copyright IBM Corporation 1990, 2014