z/OS Communications Server: IP Programmer's Guide and Reference


Network security services NMI: Configuring the interface

SC27-3659-02

Access to the network security services (NSS) server's network management interface is controlled through RACF® (or an equivalent external security manager product) resource definitions in the SERVAUTH class. Most of these resource names contain the NSS client's name. The client name is defined by the client.
  • For an NSS IPSec client, the default value of a client name takes the form sysname_stackname, where the sysname value is the MVS™ system name of the client, and the stackname value is the TCP/IP stack name that it represents. You can override the clientname value in the client's IKE daemon configuration file on the NssStackConfig statement or in the IBM® Configuration Assistant NSS Perspective on the Client IPSec Settings tab.
  • For an NSS XMLAppliance client, the default value of a client name is left up to the client application's implementation.
Tip: When you override the clientname value for an NSS IPSec client, ensure that the name you define does not match the name of an existing NSS client on the NSS server system. If the names match, users with authority to manage IP security on that system also gain authority to remotely manage the NSS client, because the SERVAUTH resource names are identical.
The z/OS® system administrator can restrict access to NSS network management interfaces as follows:
  • Access to the remote NSS IPSec client monitoring functions (those that only request information from an NSS IPSec client through the NSS server) is controlled through the resource EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY in the SERVAUTH class, defined in RACF or an equivalent external security manager product (where sysname represents the MVS system name where the interface is being invoked, and clientname is the name of the NSS IPSec client).
  • Access to the remote NSS IPSec client control functions (those that take some action) is controlled through the EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL resource (where sysname represents the MVS system name where the interface is being invoked, and clientname is the name of the NSS IPSec client).
  • Access to NSS server monitoring functions (those that request information only about the server itself) is controlled through the resource EZB.NETMGMT.sysname.sysname.NSS.DISPLAY in the SERVAUTH class (where the sysname value represents the MVS system name where the interface is being invoked).
Requirement: For applications that use the interface, the MVS user ID must be permitted to the defined resource. Additionally, permitted client applications must have permission to enter the /var/sock directory and to write to the /var/sock/nss socket. Ensure that the NSSD OMVS user ID has write access to the /var/sock directory (or ensure that it has permission to create this directory).
Guideline: If you are developing a feature for a product to be used by other parties, include instructions in your documentation indicating that administrators must define and give appropriate permission to the given security resource to use that feature.
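The following POSIX shell script is an added example and is not part of the IBM documentation or the Communications Server product. It derives the three SERVAUTH resource names described above from a server system name and an NSS client name, refuses an overridden client name that collides with an existing client (the situation the Tip warns about), emits the RACF commands that define the profiles and permit a management user ID to them, and checks the /var/sock prerequisites for the current user. The system name MVS1, stack name TCPIP, user ID NMUSER and the other client names are constructed sample values; the emitted RACF commands are meant to be issued from TSO on the NSS server system, while the script itself runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not IBM's code): NSS NMI SERVAUTH resource naming and RACF setup.
# Sample values (MVS1, TCPIP, NMUSER, MVS2_TCPIP, ...) are constructed for illustration.

# Default NSS IPSec client name: sysname_stackname
nss_default_clientname() {
    printf '%s_%s\n' "$1" "$2"
}

# The three SERVAUTH resources for a server sysname and a client name.
# NSS.DISPLAY repeats sysname in the client-name position because it protects
# monitoring of the server itself, not of a particular client.
nss_resource_names() {
    sysname=$1
    clientname=$2
    printf 'EZB.NETMGMT.%s.%s.IPSEC.DISPLAY\n' "$sysname" "$clientname"
    printf 'EZB.NETMGMT.%s.%s.IPSEC.CONTROL\n' "$sysname" "$clientname"
    printf 'EZB.NETMGMT.%s.%s.NSS.DISPLAY\n' "$sysname" "$sysname"
}

# Refuse an overridden client name that matches an existing NSS client on the
# server: identical names yield identical SERVAUTH resources, so anyone already
# permitted to manage the existing client would also control the new one.
# Usage: nss_check_clientname NEWNAME EXISTING1 EXISTING2 ...
nss_check_clientname() {
    newname=$1
    shift
    for existing in "$@"; do
        if [ "$existing" = "$newname" ]; then
            printf 'client name %s is already in use on this NSS server\n' "$newname" >&2
            return 1
        fi
    done
    return 0
}

# RACF command deck: define each resource with UACC(NONE), grant the management
# application's user ID READ access to the monitoring resource (and, for level
# CONTROL, to the control resource as well), then refresh the RACLISTed
# SERVAUTH class so the new profiles take effect.
# Usage: nss_racf_commands SYSNAME CLIENTNAME USERID [DISPLAY|CONTROL]
nss_racf_commands() {
    sysname=$1
    clientname=$2
    userid=$3
    level=${4:-DISPLAY}
    for res in $(nss_resource_names "$sysname" "$clientname"); do
        printf 'RDEFINE SERVAUTH %s UACC(NONE)\n' "$res"
    done
    printf 'PERMIT EZB.NETMGMT.%s.%s.IPSEC.DISPLAY CLASS(SERVAUTH) ID(%s) ACCESS(READ)\n' \
        "$sysname" "$clientname" "$userid"
    if [ "$level" = CONTROL ]; then
        printf 'PERMIT EZB.NETMGMT.%s.%s.IPSEC.CONTROL CLASS(SERVAUTH) ID(%s) ACCESS(READ)\n' \
            "$sysname" "$clientname" "$userid"
    fi
    printf 'SETROPTS RACLIST(SERVAUTH) REFRESH\n'
}

# z/OS UNIX prerequisites for the current user: search (x) access to the socket
# directory and write access to the nss socket inside it. Defaults to /var/sock;
# a different directory can be passed for testing on another system.
nss_check_sockdir() {
    dir=${1:-/var/sock}
    [ -d "$dir" ] || { printf '%s: no such directory\n' "$dir" >&2; return 1; }
    [ -x "$dir" ] || { printf '%s: no search permission\n' "$dir" >&2; return 1; }
    [ -w "$dir/nss" ] || { printf '%s/nss: not writable\n' "$dir" >&2; return 1; }
    return 0
}

# Sample run with the constructed values: the default client name for stack
# TCPIP on MVS1, checked against two other clients, then the command deck for
# a user that may both monitor and control that client.
client=$(nss_default_clientname MVS1 TCPIP)
nss_check_clientname "$client" MVS2_TCPIP MVS3_TCPIP && nss_racf_commands MVS1 "$client" NMUSER CONTROL
```

The generated deck grants READ access only; a user ID that should merely monitor a client gets the IPSEC.DISPLAY permit alone, and the IPSEC.CONTROL permit is issued only when the CONTROL level is requested. The collision check is the script's version of the Tip: run it against the list of client names already defined on the NSS server before adopting an overridden clientname value.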





Copyright IBM Corporation 1990, 2014