Step 2: Configuring security server (or RACF equivalent) items

The RPCBIND cataloged procedure assumes that the procedure has the authority to run as a started task. To ensure that the RPCBIND procedure has the appropriate security server access, enter the following commands as shown in SEZAINST(EZARACF):

ADDUSER RPCBIND DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
RDEFINE STARTED RPCBIND.* STDATA(USER(RPCBIND))
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH

You can define the SAF resource profile EZB.RPCBIND.sysname.rpcbindname.REGISTRY in the SERVAUTH class to control which users can register or deregister applications with rpcbind. You can use wildcards. For example, if you use wildcard values for sysname and rpcbindname, the profile name is as follows:

EZB.RPCBIND.*.*.REGISTRY

In this example, suppose the MVS™ system name is MVS000 and the RPCBIND catalogued procedure is used to start the rpcbind server. This procedure uses the job name RPCBIND. RPCBIND is fewer than 8 characters, so the rpcbindname is RPCBIND1, and the profile name is as follows:

EZB.RPCBIND.MVS000.RPCBIND1.REGISTRY

The profile EZB.RPCBIND.sysname.rpcbindname.REGISTRY is optional. If it is not defined, all users can register and deregister applications with rpcbind. If the profile is defined, only users granted at least READ access to this resource profile can register or deregister applications with rpcbind.

In this example, if your SAF security product is RACF® and you want only the RPC server TRUESERV running under user ID TRUESERV to be able to register and deregister applications with rpcbind, you can use the following commands to define the profile EZB.RPCBIND.*.*.REGISTRY in the SERVAUTH class and grant TRUESERV read access to the profile:

RDEFINE SERVAUTH EZB.RPCBIND.*.*.REGISTRY UACC(NONE)
PERMIT EZB.RPCBIND.*.*.REGISTRY ID(TRUESERV) ACCESS(READ) CLASS(SERVAUTH)

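As an added example (not part of the z/OS documentation above), the same control scoped to the specific system and rpcbind job from the earlier example instead of the wildcard profile, with the refresh and verification steps an administrator would normally run. It is written as a TSO CLIST fragment so each command can carry a comment; the user ID TRUESERV and a RACLISTed SERVAUTH class are assumptions:

```tso
/* Generic profiles must be enabled in the class before any profile   */
/* containing * is honoured (harmless if already set)                 */
SETROPTS GENERIC(SERVAUTH)

/* Discrete profile for system MVS000 and rpcbind job RPCBIND1.        */
/* UACC(NONE): nobody can register or deregister unless permitted.     */
RDEFINE SERVAUTH EZB.RPCBIND.MVS000.RPCBIND1.REGISTRY UACC(NONE)

/* Only the RPC server's own user ID (assumed: TRUESERV) gets READ,   */
/* which is the level rpcbind checks for register/deregister.          */
PERMIT EZB.RPCBIND.MVS000.RPCBIND1.REGISTRY CLASS(SERVAUTH) +
       ID(TRUESERV) ACCESS(READ)

/* SERVAUTH is normally RACLISTed, so the new profile and access list  */
/* take effect only after the in-storage copy is refreshed.            */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Confirm the profile exists with UACC(NONE) and the expected access  */
/* list before starting the server.                                    */
RLIST SERVAUTH EZB.RPCBIND.MVS000.RPCBIND1.REGISTRY AUTHUSER
```

If both this discrete profile and the generic EZB.RPCBIND.*.*.REGISTRY exist, RACF applies the most specific match, so the discrete profile governs MVS000/RPCBIND1 and the generic one covers every other system and rpcbind instance; a register or deregister attempt by a user without READ access is logged as an ICH408I insufficient-access message, which is the event to watch for in SYSLOG or SMF.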
Requirements for a multilevel secure environment:
Guideline: If RPCBIND is the user ID assigned to the rpcbind server, you can use the following command to grant the user ID READ access to the profile:
PERMIT BPX.POE CLASS(FACILITY) ID(RPCBIND) ACCESS(READ)