Define a security zone name for the INADDRANY and LOOPBACK
addresses. Define a security label and security zone name for all
unknown systems in the multilevel secure network.
Procedure
Perform the following steps to configure global definitions
for all stacks:
- Define a security zone name for the INADDRANY and LOOPBACK
addresses.
- Define a NETACCESS profile for this zone in the SERVAUTH
class for each stack. Make this profile specific with respect
to the z/OS® system name and
TCP stack job name, and give it the same security label as the
stack job. In most installations this profile has UACC(READ).
- Define a NETACCESS statement that maps the INADDRANY
and LOOPBACK IP addresses of any system into this security zone name.
You can place this statement in a shared data set and include it in
the PROFILE.TCPIP file of other z/OS systems
in the network.
- Define one security label that has the lowest security
level and one category that is not used in any other security label. This security label can then be used for all unknown systems.
Mandatory access control under this security label is more
restrictive than under SYSLOW, because the extra category makes the
label disjoint from every label that does not include it.
A task using this security
label has read-only (R/O) access to resources with SYSLOW, write-only (W/O) access to
resources with SYSHIGH, and read/write (R/W) access to resources with this security
label and with SYSMULTI. The task has no access to resources with
any other security label, because those labels are disjoint from this one.
Any
resources created under this security label are readable only
by tasks running under this security label, SYSHIGH, or SYSMULTI.
Because work done on behalf of unknown systems no longer creates SYSLOW resources,
this significantly reduces the risk of unintentionally public, readable
or executable SYSLOW resources.
- Define a security zone name for all unknown systems in
the multilevel secure network.
- Define a NETACCESS profile for this zone in the SERVAUTH class.
This profile can be generic with respect to the z/OS system name and TCP stack job name. If
your installation supports communications with unknown systems on
all z/OS systems, make this
profile UACC(READ). If your installation does not support communications
with unknown systems on all z/OS systems,
make this profile UACC(NONE).
- Define a NETACCESS DEFAULT statement that maps all unspecified
IP addresses into this security zone name. You can place this statement
in a shared data set and include it in the PROFILE.TCPIP file of other z/OS systems in the network.
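The following is an added, end-to-end illustration of the steps above; it is not from the original page or from IBM. The zone names SYSZONE and UNKNOWN, the security level name LOW, the category name UNKNOWNNET, the group INETGRP, the system name SYS1 and the stack job name TCPIP are placeholders chosen for this example, and the stack is assumed to run under SYSMULTI with the SERVAUTH class active and generic profiles enabled. The SERVAUTH profile format EZB.NETACCESS.sysname.tcpname.zonename and the NETACCESS statement syntax are as documented for z/OS Communications Server, but check them, in particular the DEFAULT entry, against the IP Configuration Reference for your release before use. Lines beginning with ';' are annotations: they are valid comments in PROFILE.TCPIP, but must be omitted when the RACF commands are entered from TSO.

```text
; ---- RACF: security label for unknown systems (step 4) ----
; Lowest security level, plus a category that no other label uses,
; so the label dominates SYSLOW but is disjoint from every other label.
RALTER   SECDATA SECLEVEL ADDMEM(LOW/10)
RALTER   SECDATA CATEGORY ADDMEM(UNKNOWNNET)
RDEFINE  SECLABEL UNKNOWN SECLEVEL(LOW) ADDCATEGORY(UNKNOWNNET)
SETROPTS RACLIST(SECLABEL) REFRESH

; ---- RACF: NETACCESS profiles (steps 2 and 6) ----
; Stack-specific profile for the INADDRANY/LOOPBACK zone, with the
; same SECLABEL as the stack job (SYSMULTI assumed here).
RDEFINE  SERVAUTH EZB.NETACCESS.SYS1.TCPIP.SYSZONE UACC(READ) SECLABEL(SYSMULTI)
; Generic profile for unknown systems. Use UACC(READ) only if every
; z/OS system may talk to unknown systems; otherwise UACC(NONE) and
; PERMIT the specific users or groups that need it.
RDEFINE  SERVAUTH EZB.NETACCESS.*.*.UNKNOWN UACC(NONE) SECLABEL(UNKNOWN)
PERMIT   EZB.NETACCESS.*.*.UNKNOWN CLASS(SERVAUTH) ID(INETGRP) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

; ---- PROFILE.TCPIP (steps 3 and 7), kept in a shared data set ----
; Map INADDRANY and the whole loopback range into SYSZONE, and every
; address not listed into UNKNOWN via DEFAULT.
NETACCESS INBOUND OUTBOUND
   0.0.0.0      255.255.255.255   SYSZONE    ; INADDRANY
   127.0.0.0    255.0.0.0         SYSZONE    ; LOOPBACK
   DEFAULT 0                      UNKNOWN    ; all unspecified addresses
ENDNETACCESS

; ---- Check ----
; After VARY TCPIP,,OBEYFILE (or a stack restart), TSO NETSTAT ACCESS NETWORK
; should list both zones with their SAF resource names. A task whose user
; lacks READ on the zone's SERVAUTH profile is denied the socket call and
; RACF logs an ICH408I message naming EZB.NETACCESS.sysname.tcpname.zone.
```

The order matters: the SECLABEL must exist before the SERVAUTH profile that names it is defined, and both classes must be RACLISTed and refreshed before the stack reads the NETACCESS statement, otherwise connections mapped to a zone with no profile are denied.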