Changing your multilevel secure networking environment

Changes to certain parts of your multilevel secure configuration should be well planned. Changes to the NETACCESS statement in PROFILE.TCPIP, the security label associated with the TCPIP started task, the security label associated with the EZB.STACKACCESS or EZB.NETACCESS profiles in the SERVAUTH class, or the definition of profiles in the SECLABEL class can result in an IP address being associated with a different security label. These changes imply that corresponding changes have been implemented that affect the security management of the affected systems. For systems that support mandatory access control policy enforcement, those policies must be updated at the same time. For systems that do not support mandatory access control policy enforcement, the physical user access procedures, system data content, firewall configurations, and router configurations must be updated at the same time.

The safest method of controlling mandatory access control policy changes is to use the RACF® options MLSTABLE and MLQUIET. When the RACF options are set to MLACTIVE, MLSTABLE, and NOMLQUIET, TCP/IP does not permit an existing NETACCESS configuration to be changed with a VARY TCPIP,,OBEYFILE command. When the RACF option MLQUIET is set, RACF requires the TCP/IP job user ID to be RACF SPECIAL to open data sets referenced by VARY TCPIP,,OBEYFILE commands. For more information on setting and using these options, see z/OS Security Server RACF Security Administrator's Guide.

In an MLSTABLE environment, all user and application access to data should be halted before entering the MLQUIET environment. All network access can be halted by stopping all TCP/IP stacks. If security administrators must access the system through the TN3270E Telnet server (Telnet), consider running a restricted stack with only Telnet for the security administrators. Permit the Telnet NACUSERID or the procedure's user ID to the EZB.STACKACCESS profile for this stack. Stop all other TCP/IP stacks. After the local policy changes and all coordinated changes on other systems are complete, set NOMLQUIET and restart your production TCP/IP stacks and network servers.

Every stack running on a system with the RACF option MLACTIVE does an internal consistency check on several PROFILE.TCPIP statements and their associated SERVAUTH profiles. This consistency checking occurs at the end of initial profile processing, after the VARY TCPIP,,OBEYFILE command modifies the profile, and whenever RACLIST is issued for the SERVAUTH or SECLABEL classes. Some applications, such as OMPROUTE, also cause the consistency checking to occur because they internally issue an equivalent of the VARY TCPIP,,OBEYFILE command. TCP/IP writes a message to the job log for each inconsistency it finds that could compromise the security of information flowing through the stack. If inconsistencies are found, a final message (EZD1217I) summarizing the number of problems found is written to the system console.

By default, the stack will continue running when inconsistencies are found. It is recommended that you override this default by specifying GLOBALCONFIG MLSCHKTERMINATE in PROFILE.TCPIP, or in the data set referenced by a VARY TCPIP,,OBEYFILE command, before starting production workloads. Before making security related configuration changes, it is recommended that you first stop all production workloads. You can then specify GLOBALCONFIG NOMLSCHKTERMINATE in PROFILE.TCPIP or in the data set referenced by a VARY TCPIP,,OBEYFILE command. This parameter can be changed only from MLSCHKTERMINATE to NOMLSCHKTERMINATE when the RACF option NOMLSTABLE is set or when both MLSTABLE and MLQUIET are set.

The stack performs the following consistency checks:

• The stack does not currently have a NETACCESS statement configured.
• The TCP/IP job security label must be currently active on this system.
• A STACKACCESS profile for this stack must exist.
• The STACKACCESS profile must have the same security label as the TCP/IP job.
• The NETACCESS statement must have both INBOUND and OUTBOUND turned on.
• A NETACCESS profile must exist for each defined NETACCESS security zone.
• If NETACCESS DEFAULTHOME is configured, it must have a zone with the same security label as the TCP/IP job.
• If NETACCESS TcpStackSourceVIPA is configured, it must be in a zone with the same security label as the TCP/IP job.
• The special address INADDR_ANY (0.0.0.0) must be in a NETACCESS security zone.
• The special address INADDR_ANY (0.0.0.0) must be in a zone with the same security label as the TCP/IP job.
• On an IPv6-enabled stack, the special IPv6 unspecified address [in6addr_any (::)] must be in a NETACCESS security zone.
• On an IPv6-enabled stack, the special IPv6 unspecified address [in6addr_any (::)] must be in a zone with the same security label as the TCP/IP job.
• On an IPv6-enabled stack, every INTERFACE statement must have a manually configured INTFID. (OSA-Express for Unified Resource Manager (OSM) interfaces are exempt from this check.)
• On an IPv6-enabled stack, every INTERFACE that supports autoconfiguration must have at least one manually configured IPADDR. (OSM interfaces are exempt from this check.)
• On an IPv6-enabled stack with dynamic XCF, DYNAMICXCF INTFID must be configured on the IPCONFIG6 statement.
• Every home address on the stack must be in a NETACCESS security zone. (OSM interfaces are exempt from this check.)
• Every home address that is not a VIPA must be in a zone with the same security label as the TCP/IP job. (OSM interfaces are exempt from this check.)
• Every home address that is a VIPA must be in a zone with an equivalent security label as the TCP/IP job.
• On a restricted stack, VIPAs must not be in a security zone with the SYSMULTI security label.

There are several consistency checks that are not performed by the stack. These remain the responsibility of the system security administrator:

• The NetAccess zone definitions must agree across stacks. It is recommended that common definitions from a shared data set be included in all stack profiles.
• Subnetworks or networks are entirely contained in a single NetAccess security zone. NetAccess checks for authorization to a specific destination address, but broadcast packets are delivered to all addresses within a subnetwork or network. Addresses owned by multilevel secure stacks are the only addresses that can be safely configured into a network security zone different than their subnetwork or network.
• RACF definitions must be consistent across RACF data sets. It is recommended that installations use RACF facilities to manage this consistency. SECDATA and SECLABEL class profile consistency is critical to preserve the meaning of SECLABEL profile names. It is suggested that installations define SERVAUTH profiles for all zones that are generic across all systems and stacks, except those containing the loopback address and the unspecified address (IPv4 INADDR_ANY and IPv6 in6addr_any).

Continue making changes to either PROFILE.TCPIP statements or RACF profiles until no consistency errors are reported. Then, specify GLOBALCONFIG MLSCHKTERMINATE in PROFILE.TCPIP, or in the data set referenced by a VARY TCPIP,,OBEYFILE command. At that point, it is safe to set NOMLQUIET and restart production workloads.