The commands used to authorize the ipsec command are in EZARACF in the SEZAINST data set.
Procedure
Perform the following steps to authorize the ipsec command to RACF®:
- Define access control for the ipsec command. The ipsec command uses both display and control features. You can control access to each feature independently.
  - To control access to both the display and control capabilities of the ipsec command, issue the following commands:
    SETROPTS GENERIC(SERVAUTH)
    RDEFINE SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.* UACC(NONE)
    PERMIT EZB.IPSECCMD.sysname.tcpprocname.* CLASS(SERVAUTH) ID(userid) ACCESS(READ)
    SETROPTS GENERIC(SERVAUTH) REFRESH
  - To control access specifically to the display capabilities of the ipsec command for a stack, issue the following commands:
    RDEFINE SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.DISPLAY UACC(NONE)
    PERMIT EZB.IPSECCMD.sysname.tcpprocname.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
  - To control access specifically to the display capabilities of the ipsec command for global defensive filters, issue the following commands:
    RDEFINE SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY UACC(NONE)
    PERMIT EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
  - To control access specifically to the control capabilities of the ipsec command for a stack, issue the following commands:
    RDEFINE SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.CONTROL UACC(NONE)
    PERMIT EZB.IPSECCMD.sysname.tcpprocname.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)
  - To control access specifically to the control capabilities of the ipsec command for global defensive filters, issue the following commands:
    RDEFINE SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL UACC(NONE)
    PERMIT EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)
  Tip: These SERVAUTH profiles provide ipsec command access to only the local stack. For information about SERVAUTH profiles for controlling ipsec command access for the network security services (NSS) server, see Network security services for the IPSec discipline.
- To refresh the in-storage RACF profiles in the SERVAUTH class, issue the following command:
SETROPTS RACLIST(SERVAUTH) REFRESH
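
A worked instance of the steps above, added here as an illustration and not taken from EZARACF or the product documentation: a batch TSO job that gives one group display-only access and another group display and control access for a single stack, then refreshes the in-storage profiles and lists both access lists. The system name SYS1, stack name TCPIP, groups NETOPS and NETSEC, and the job card are constructed values; the job assumes the SERVAUTH class is already active and RACLISTed.

```jcl
//IPSECAUT JOB (ACCT),'IPSEC CMD AUTH',CLASS=A,MSGCLASS=X
//* Added example. Constructed values: job card, system SYS1,
//* stack TCPIP, RACF groups NETOPS and NETSEC.
//* Assumes SERVAUTH is already active and RACLISTed, and that the
//* submitter is authorized to define SERVAUTH profiles.
//*
//* DEFINE: discrete DISPLAY and CONTROL profiles for one stack.
//*   NETOPS -> DISPLAY only (can view, cannot change)
//*   NETSEC -> DISPLAY and CONTROL
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE SERVAUTH EZB.IPSECCMD.SYS1.TCPIP.DISPLAY UACC(NONE)
  RDEFINE SERVAUTH EZB.IPSECCMD.SYS1.TCPIP.CONTROL UACC(NONE)
  PERMIT EZB.IPSECCMD.SYS1.TCPIP.DISPLAY CLASS(SERVAUTH) -
         ID(NETOPS NETSEC) ACCESS(READ)
  PERMIT EZB.IPSECCMD.SYS1.TCPIP.CONTROL CLASS(SERVAUTH) -
         ID(NETSEC) ACCESS(READ)
/*
//* VERIFY: refresh the in-storage profiles, then list each access
//* list. NETOPS must not appear on the CONTROL profile.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS RACLIST(SERVAUTH) REFRESH
  RLIST SERVAUTH EZB.IPSECCMD.SYS1.TCPIP.DISPLAY AUTHUSER
  RLIST SERVAUTH EZB.IPSECCMD.SYS1.TCPIP.CONTROL AUTHUSER
/*
```

Review the RLIST output in SYSTSPRT: each profile should show UACC of NONE and only the groups permitted above.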