Steps for authorizing the ipsec command to RACF

The commands used to authorize the ipsec command are in EZARACF in the SEZAINST data set.

Procedure

Perform the following steps to authorize the ipsec command to RACF®:

  1. Define access control for the ipsec command. The ipsec command uses both display and control features. You can control access to each feature independently.
    • To control access to both the display and control capabilities of the ipsec command, issue the following commands:
      SETROPTS GENERIC(SERVAUTH)
      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.* UACC(NONE)
      PERMIT   EZB.IPSECCMD.sysname.tcpprocname.* CLASS(SERVAUTH) ID(userid) ACCESS(READ)
      SETROPTS GENERIC(SERVAUTH) REFRESH
    • To control access specifically to the display capabilities of the ipsec command for a stack, issue the following commands:
      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.DISPLAY UACC(NONE)
      PERMIT   EZB.IPSECCMD.sysname.tcpprocname.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
    • To control access specifically to the display capabilities of the ipsec command for global defensive filters, issue the following commands:
      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY UACC(NONE)
      PERMIT   EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
    • To control access specifically to the control capabilities of the ipsec command for a stack, issue the following commands:
      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.CONTROL UACC(NONE)
      PERMIT   EZB.IPSECCMD.sysname.tcpprocname.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)
    • To control access specifically to the control capabilities of the ipsec command for global defensive filters, issue the following commands:
      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL UACC(NONE)
      PERMIT   EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)
    Tip: These SERVAUTH profiles provide ipsec command access to only the local stack. For information about SERVAUTH profiles for controlling ipsec command access for the network security services (NSS) server, see Network security services for the IPSec discipline.
  2. To refresh the in-storage RACF profiles in the SERVAUTH class, issue the following command:
    SETROPTS RACLIST(SERVAUTH) REFRESH
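
The following REXX exec is an added example, not part of the IBM documentation. It applies the steps above with display and control access split between two groups, so that monitoring staff can display IP security information but cannot change it. The system name SYSA, stack name TCPIP, and group names NETMON and NETADM are assumptions. The exec relies on RACF using the most specific matching profile, so the DISPLAY and CONTROL profiles take precedence over the generic catch-all.

```rexx
/* REXX: role-split SERVAUTH setup for the ipsec command (added example) */
/* Assumed values, not from the IBM page: SYSA, TCPIP, NETMON, NETADM    */
sysname = 'SYSA'                  /* assumed system name                 */
stack   = 'TCPIP'                 /* assumed TCP/IP stack name           */
monitor = 'NETMON'                /* assumed group: display only         */
admin   = 'NETADM'                /* assumed group: display and control  */
base    = 'EZB.IPSECCMD.' || sysname || '.' || stack

cmd.1  = 'SETROPTS GENERIC(SERVAUTH)'
/* Catch-all with an empty access list: any ipsec resource for this     */
/* stack that has no more specific profile is denied to everyone.       */
cmd.2  = 'RDEFINE SERVAUTH' base || '.* UACC(NONE)'
/* Display capability: both groups.                                     */
cmd.3  = 'RDEFINE SERVAUTH' base || '.DISPLAY UACC(NONE)'
cmd.4  = 'PERMIT' base || '.DISPLAY CLASS(SERVAUTH) ID(' || monitor || ') ACCESS(READ)'
cmd.5  = 'PERMIT' base || '.DISPLAY CLASS(SERVAUTH) ID(' || admin || ') ACCESS(READ)'
/* Control capability: administrators only.                             */
cmd.6  = 'RDEFINE SERVAUTH' base || '.CONTROL UACC(NONE)'
cmd.7  = 'PERMIT' base || '.CONTROL CLASS(SERVAUTH) ID(' || admin || ') ACCESS(READ)'
/* Activate the generic profile and the in-storage copies.              */
cmd.8  = 'SETROPTS GENERIC(SERVAUTH) REFRESH'
cmd.9  = 'SETROPTS RACLIST(SERVAUTH) REFRESH'
/* Check: list each access list. NETMON should appear on DISPLAY only.  */
cmd.10 = 'RLIST SERVAUTH' base || '.DISPLAY AUTHUSER'
cmd.11 = 'RLIST SERVAUTH' base || '.CONTROL AUTHUSER'
cmd.0  = 11

failed = 0
do i = 1 to cmd.0
  address tso cmd.i               /* issue the RACF command under TSO    */
  if rc <> 0 then do              /* report failures, keep going         */
    say 'RC=' || rc 'from:' cmd.i
    failed = failed + 1
  end
end
exit failed                       /* nonzero when any command failed     */
```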