Maintaining access information files

You can control access to IBM® Connect:Direct® through the following components:

  • User authorization information file which contains local and remote user information records
  • Strong access control file
  • Program directory to limit access
  • IBM Connect:Direct’s ability to detect shadow passwords
  • Security exit

User Authorization Information File

In order for users to have access to IBM Connect:Direct and use IBM Connect:Direct commands and statements, you need to define a record for each user ID in the user authorization information file, called userfile.cfg. The user ID is the key to the local user information record. It must be a valid user ID on the local system and must be unique. To disable access to the software for a local user, delete or comment out the local user information record.

You can create a generic user ID by specifying an asterisk (*) as the user ID. If a user does not have a specific local user information record, the user authorizations will default to those specified in this generic record. If no generic local user information record is defined and no specific local user information record is defined for the user, the user cannot use IBM Connect:Direct.

IBM Sterling Connect:Direct may optionally use remote or API user information records to translate remote server or API user IDs to valid local user IDs where IBM Connect:Direct is installed.

If an snodeid parameter is not coded on the incoming Process, IBM Connect:Direct uses the proxy relationship defined in remote user information records to determine the rights of remote users to issue IBM Connect:Direct commands and statements.

API user information records may be coded for a client that connects securely and is trusted to present authentic users. The certificate common name (CN) will identify the trusted client to be specified in the API user information record.

Connect:Direct for UNIX uses the asterisk (*) character to establish generic mappings that facilitate mapping remote user IDs to local user IDs. The asterisk matches the node name or the host name. For example, you can specify *@node name to map the remote user ID to all user IDs at one node name, specify id@* to map to a specific user ID at all node names, or specify *@* to match all users at all node names.

Sample Mapping of Remote User IDs to Local User IDs

The following table displays sample remote user ID mappings to local user IDs using the special characters:

Remote User ID at Remote Node Name is mapped to Local User ID Result of Mapping
user @ * = test02 Remote user ID “user” on all remote nodes is mapped to local user ID test02.
* @ mvs.node3 = labs3 All remote user IDs on remote node mvs.node3 are mapped to local user ID labs3.
* @ * = vip01 All remote user IDs on all remote nodes are mapped to local user ID vip01.

You can generate all the records through the script-based customization procedure or generate only one or two records and use a text editor to generate additional records. After customization, you may want to modify some of the parameters. Use cdcust to create a new user file or a text editor to modify the file as necessary.

Sample User Authorization File

The following sample displays a user authorization file. In the sample, SAM1 is the remote user ID, MVS.SAM1.NODE is the remote node name, and sam is the local UNIX user ID.

SAM1@MVS.SAM1.NODE:\
   :local.id=sam:\
   :pstmt.upload=y:\
   :pstmt.upload_dir=/home/qatest/username/ndm/uploaddir:\
   :pstmt.download=y:\
   :pstmt.download_dir=/home/qatest/username/ndm/downloaddir:\
   :pstmt.run_dir=/home/qatest/username/ndm/rundir:\
   :pstmt.submit_dir=/home/qatest/username/ndm/submitdir:\
   :descrip=:
 sam:\
   :admin.auth=y:\
   :pstmt.copy.ulimit=y:\
   :pstmt.upload=y:\
   :pstmt.upload_dir=/home/qatest/username/ndm/uploaddir:\
   :pstmt.download=y:\
   :pstmt.download_dir=/home/qatest/username/ndm/downloaddir:\
   :pstmt.run_dir=/home/qatest/username/ndm/rundir:\
   :pstmt.submit_dir=/home/qatest/username/ndm/submitdir:\
   :name=:\
   :phone=:\
   :descrip=:\
   :cmd.s+conf=n:

Local User Information Record Format

The local user record, userid, defines the default values for each user ID. Most of the parameters in the local user information record can take the following values:

  • y—Indicates that you can perform the function. In the case of process and select statistics commands, you can affect Processes and view statistics owned by this user ID
  • n—Indicates that you cannot perform the function.
  • a—Indicates that you can issue commands for Processes owned by all users and generate statistics records for all users.
  • v—Indicates that you can issue commands for viewing purposes only.

If the same parameter is specified in the remote user information record and the local user information record, the parameter in remote user information record takes precedence unless it is a null value. When a null value is specified in the remote record, the local user record takes precedence.

The following table defines the local user information parameters. The default values are underlined.

Parameter Description Value
admin.auth Determines if you has administrative authority. If set to y, you can perform all of the commands by default, but the specific command parameters override the default. If set to n, the specific command parameters must be granted individually. y | n

y—User has administrative authority.

n—User does not have administrative authority.

The default is n.

client.cert_auth Determines if you can perform certificate authentication for client API connections.

y—Enables client certificate authentication for you

n—Disables client certificate authentication for you

y | n
client.source_ip

Use this parameter to list all of the IP addresses and/or host names that are valid for this user's API connection. If you specify values for this field, the IP address of this user's API connection is validated with the client.source_ip list. If the IP address does not match the one specified on the list, the connection is rejected.

A comma-separated list of client IP addresses or host names associated with client IP addresses.

The IP address of the client connection for this user must match the address configured in this field.

For example: nnn.nnn.nnn.nnn, localhost

cmd.chgproc Determines if you can issue the change process command.

A “y” value enables you to issue the command to targets owned by that user. Whereas, “a” allows you to issue the command to targets owned by all users.

y | n | a

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

a—Allows you to issue the command against targets owned by all users.

cmd.delproc Determines if you can issue the delete process command.

A “y” value enables you to issue the command to targets owned by that user. Whereas, “a” allows you to issue the command to targets owned by all users.

y | n | a

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

a—Allows you to issue the command against targets owned by all users.

cmd.flsproc Determines if you can issue the flush process command.

A “y” value enables you to issue the command to targets owned by that user. Whereas, “a” allows you to issue the command to targets owned by all users.

y | n | a

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

a—Allows you to issue the command against targets owned by all users.

cmd.selproc Determines if you can issue the select process command.

A “y” value enables you to issue the command to targets owned by that user. Whereas, “a” allows you to issue the command to targets owned by all users.

y | n | a

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

a—Allows you to issue the command against targets owned by all users.

cmd.viewproc Determines if you can issue the view process command.

A “y” value enables you to issue the command to targets owned by that user. Whereas, “a” allows you to issue the command to targets owned by all users.

y | n | a

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

a—Allows you to issue the command against targets owned by all users.

cmd.selstats Determines if you can issue the select statistics command.

A “y” value enables you to issue the command to targets owned by that user. Whereas, “a” allows you to issue the command to targets owned by all users.

y | n | a

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

a—Allows you to issue the command against targets owned by all users.

cmd.stopndm Determines if you can issue the stop command. y | n

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

cmd.s+conf Determines if you can issue commands from network clients, such as IBM Control Center or Java API, to configure Connect:Direct Secure Plus.
Note: This parameter has no effect on local tools, such as spadmin.sh and spcli.sh.
y | n

y—Allows you to issue commands. The default is y.

n—Prevents you from issuing commands.

cmd.submit Determines if you can issue the submit process command. y | n

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

cmd.trace Determines if you can issue the trace command. y | n

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

descrip Permits the administrator to add descriptive notes to the record. Unlimited text string
name The name of you. User name
phone The phone number of you. user phone number
pstmt.copy Determines if you can issue the copy statement. y | n

y—Allows you to issue the command.

n—Prevents you from issuing the command. The default is n.

pstmt.copy.ulimit The action taken when the limit on you output file size is exceeded during a copy operation. The value for this parameter overrides the equivalent value for the ulimit parameter in the initialization parameters file. y | n | nnnnnnnn | nnnnnnnnK | nnnnnnnM | nnnnG

y—Honors you file size limit. If this limit is exceeded during a copy operation, the operation fails.

n—Ignores the limit. The default is n.

nnnnnnnn, nnnnnnnnK, nnnnnnnM, or nnnnG—Establishes a default output file size limit for all copy operations. K denotes 1024 bytes. M denotes 1048576 bytes. G denotes 1073741824 bytes. The maximum value you can specify is 1 TB.

pstmt.upload Determines if you can send files from this local node. If a file open exit is in use, this parameter is passed to the exit, but it is not enforced. y | n

y—Allows you to send files. The default is y.

n—Prevents you from sending files.

pstmt.upload_dir The directory from which you can send files. If a value is set for this parameter, then files can only be sent from this directory or subdirectories. The specified restriction is treated as the file system root while processing the send side of copy steps This means that any attempt to copy from a location outside of the specified restriction will fail, such as copying from a symbolic link inside the restriction that points to a location outside the restriction, or using parent directory references (../..) that attempt to navigate above the restriction. The restriction is the default directory for unqualified file specifications. A fully qualified file specification beginning at the actual system root will also succeed if the first part of the specification matches the restriction.
For example, assume file /aaa/bbb/ccc.txt exists on the system, and the directory restriction specified is /aaa. Then the following copy step specifications will succeed:
  • /aaa/bbb/ccc.txt
  • bbb/ccc.txt
  • /bbb/ccc.txt
Note: If a file open exit is in use, this parameter is passed to the exit, but is not enforced.
Directory path name
pstmt.download Determines if you can receive files to this local node. If a file open exit is in use, this parameter is passed to the exit, but it is not enforced. y | n

y—Allows you to receive files. The default is y.

n—Prevents you from receiving files.

pstmt.download_dir The directory to which you can receive files. If a value is set for this parameter, then files can only be received to this directory or subdirectories. The specified restriction is treated as the file system root while processing the receive side of copy steps. This means that any attempt to copy to a location outside of the specified restriction will fail, such as copying to a symbolic link inside the restriction that points to a location outside the restriction, or using parent directory references (../..) that attempt to navigate above the restriction. The restriction is the default directory for unqualified file specifications. A fully qualified file specification beginning at the actual system root will also succeed if the first part of the specification matches the restriction.
For example, assume directory /aaa/bbb exists on the system, and the directory restriction specified is /aaa. Then the following copy step specifications will succeed:
  • /aaa/bbb/ccc.txt
  • bbb/ccc.txt
  • /bbb/ccc.txt
Note: If a file open exit is in use, this parameter is passed to the exit, but is not enforced.
Directory path name
pstmt.run_dir The directory where IBM Connect:Direct is installed that contains the programs and scripts you executes with run job and run task statements. Any attempt to execute a program or script outside the specified directory fails.

The UNIX Restricted Shell provides enhanced security by restricting you to the commands contained in the pstmt.run_dir. If you does not specify pstmt.run_dir, the commands are started with the Bourne shell.

To restrict the use of special characters in the run directory, be sure to configure Y for the restrict:cmd initialization parameter. For more information on specifying the restrict:cmd initialization parameter, see Restrict Record.

Directory path name
pstmt.runjob Specifies whether you can issue the run job statement. y | n

y—Allows you to issue the statement.

n—Prevents you from issuing the statement. The default is n.

pstmt.runtask Specifies whether you can issue the run task statement. y | n

y—Allows you to issue the statement.

n—Prevents you from issuing the statement. The default is n.

pstmt.submit Specifies whether you can issue the submit statement. y | n

y—Allows you to issue the statement.

n—Prevents you from issuing the statement. The default is n.

pstmt.submit_dir The directory from which you can submit Processes. This is for submits within a Process. Directory path name
snode.ovrd Specifies whether you can code the snodeid parameter on the submit command and process and submit statements. y | n

y—Allows you to code the snodeid parameter

n—Prevents you from coding the snodeid parameter. The default is n.

pstmt.crc Gives you the authority to specify the use of CRC checking in a Process statement.

Setting this parameter to y enables you to override the initial settings in the initialization parameters or network map settings files.

y | n

y—Allows you to specify CRC checking on a Process statement.

n—Prevents you from specifying CRCchecking on a Process statement. The default is n.

fileagent.auth Determines if you can issue get/update File Agent JSON configuration command. A “v” value enables you to issue the get File Agent JSON configuration command. Whereas a “y” value enables you to issue both get/update File Agent JSON configuration command. The value "n" prevents you from issuing either commands.

y | n | v

y— Allows you to issue both get/update File Agent JSON configuration command.

n— Prevents you from issuing File Agent JSON configuration command.

v— Allows you to issue only get File Agent JSON configuration.

proclib.auth Determine if you can issue process library commands like add, delete, rename, list and get. A “v” value enables you to issue the get/list Process library command. Whereas a “y” value enables you to issue all the Process library commands. The value "n" prevents you from issuing any of the commands.

y | n | v

y— Allows you to issue all the process library commands.

n— Prevents you from issuing process library commands.

v— Allows you to only view the process library via get/list commands.

cmd.external.stat.log Determines if you can log stats in to Connect:Direct for UNIX from Integrated File Agent. A “y” value enables you to log stats from Integrated File Agent into Connect:Direct for Unix. A “n” value prevents you from logging stats from Integrated File Agent into Connect:Direct for Unix.

y | n

y— Allows you to log stats from Integrated File Agent into Connect:Direct for Unix stats.

n— Prevents you from logging stats from Integrated File Agent into Connect:Direct for Unix stats.

Remote User Information Record

The remote user information record contains a remote user ID and a remote node name that become the key to the record. The local.id parameter identifies a local user information record for this user. You must create a local user information record for the remote user.

Note: To prevent the remote user from using IBM Connect:Direct, delete or comment out the remote user information, unless the remote user specifies an SNODEID parameter in the Process.

The remote user information record is remote userid@remote node name. It specifies the user and remote node name pair defined as a remote user. This value becomes the key to the record and must be unique. Create a remote user information record for each user on a remote node that will communicate with this local node.

Following are the parameters for the remote user information record:

Parameter Description Value
local.id The local user ID to use for security checking on behalf of the remote user. The local.id parameter must identify a local user information record. Local user ID
pstmt.copy Determines if the user can issue the copy statement. y | n

y—Allows a user to issue the statement.

n—Prevents a user from issuing the statement. The default is n.

pstmt.upload Determines if the user can send files from this local node. If a file open exit is in use, this parameter is passed to the exit, but it is not enforced. y | n

y—Allows a user to send files. The default is y.

n—Prevents a user from sending files.

pstmt.upload_dir The directory from which you can send files. If a value is set for this parameter, then files can only be sent from this directory or subdirectories. The specified restriction is treated as the file system root while processing the send side of copy steps and is the default directory for unqualified file specifications. A fully qualified file specification beginning at the actual system root will also succeed if the first part of the specification matches the restriction.
For example, assume file /aaa/bbb/ccc.txt exists on the system, and the directory restriction specified is /aaa. Then the following copy step specifications will succeed:
  • /aaa/bbb/ccc.txt
  • bbb/ccc.txt
  • /bbb/ccc.txt
Note: If a file open exit is in use, this parameter is passed to the exit, but is not enforced.
Directory path name
pstmt.download Determines if the user can receive files to this local node. If a file open exit is in use, this parameter is passed to the exit, but it is not enforced. y | n

y—Allows a user to receive files. The default is y.

n—Prevents a user from receiving files.

pstmt.download_dir The directory to which you can receive files. If a value is set for this parameter, then files can only be received to this directory or subdirectories. The specified restriction is treated as the file system root while processing the receive side of copy steps and is the default directory for unqualified file specifications. A fully qualified file specification beginning at the actual system root will also succeed if the first part of the specification matches the restriction.
For example, assume directory /aaa/bbb exists on the system, and the directory restriction specified is /aaa. Then the following copy step specifications will succeed:
  • /aaa/bbb/ccc.txt
  • bbb/ccc.txt
  • /bbb/ccc.txt
Note: If a file open exit is in use, this parameter is passed to the exit, but is not enforced.
Directory path name
pstmt.run_dir The directory that contains the programs and scripts the user can execute with run job and run task statements. Any attempt to execute a program or script outside the specified directory fails.

To restrict the use of special characters in the run directory, be sure to configure Y for the restrict:cmd initialization parameter. For more information on specifying the restrict:cmd initialization parameter, see Restrict Record.

Directory path name
pstmt.submit_dir The directory from which the user can submit Processes. This is for submits within a Process. Directory path name
pstmt.runjob Specifies whether the user can issue the run job statement. y | n

y—Allows a user to issue the statement.

n—Prevents a user from issuing the statement. The default is n.

pstmt.runtask Specifies whether the user can issue the run task statement. y | n

y—Allows a user to issue the statement.

n—Prevents a user from issuing the statement. The default is n.

pstmt.submit Specifies whether the user can issue the submit statement. y | n

y—Allows a user to issue the statement.

n—Prevents a user from issuing the statement. The default is n.

descrip Permits you to add descriptive notes to the record. Text string

API User Information Record

The API user information record includes:
  • An API user ID and the certificate common name used for login from an API client to IBM Sterling Connect:Direct for UNIX, that become the key to the record.
  • The API_proxy parameter, which differentiates this user from a remote user information record.
  • The local.id parameter, which specifies a local user information record associated with this user.

Following are the parameters for the API user information record:

Parameter Description Value
local.id The local user ID to use for security checking on behalf of the remote user. The local.id parameter must identify a local user information record. Local user ID
API_proxy Determines if the user is an API user. y | n

y - User is API user

n - User is remote user

The default is n.

Note: client.cert_auth parameters must be set to y for the local user record used for authorization of the API user.
Note:

If the authenticated API user differs from the user authorized on Connect:Direct for UNIX, then a local.id mapping is required, and Connect:Direct for UNIX will use the local.id specification for authorization when signing-on this authenticated API user. However, the local.id mapping is not mandatory if Connect:Direct Web services and Connect:Direct for UNIX share an Identity provider, via LDAP, for example, or they use common user names, and ConnectDirect for Unix will use the API-user for authorization.

The API user information record is API userid@certificate common name. It specifies the user and certificate common name pair defined as a remote client user. This value becomes the key to the record and must be unique.

Create an API user information record for each API user on client side that will login to this node, via Multi factor Authentication from Connect:Direct Web Services, for example.

API user records should only be added for client applications that are trusted to authenticate the connecting user.

Strong Access Control File

To provide a method of preventing an ordinary user from gaining root access through IBM Connect:Direct, a strong access control file called sysacl.cfg is created at installation in the d_dir/ndm/SACL/ directory. By default, an ordinary user cannot access the root through Connect:Direct for UNIX. If you want to give an ordinary user root access through Connect:Direct for UNIX, you may need to access and update the sysacl.cfg file.

Note: The sysacl.cfg file must exist. If the file is deleted or corrupted, all users are denied access to Connect:Direct for UNIX.

The file layout of the sysacl.cfg file is identical to the user portion of the userfile.cfg file. Setting a value in the sysacl.cfg file for a user overrides the value for that user in the userfile.cfg file.

If root is defined as a local user in userfile.cfg, then the root:deny.access parameter, which is specified in the sysacl.cfg file, further allows, denies, or limits root access to IBM Connect:Direct. This parameter is required, even if root is not defined as a local user in userfile.cfg. The following values can be specified for the root:deny.access parameter:

Parameter Description Value
deny.access Allows, denies, or limits root access to IBM Connect:Direct y | n | d

y—No Processes can acquire root authority

n—PNODE Processes can acquire root authority, but SNODE Processes can not. This is the default value.

d—Any Process can acquire root authority

For example, given a userfile.cfg with the following entries:

remoteUser@remoteNode:\
:local.id=root:

root:\
:admin.auth=Y:

and sysacl.cfg with:
root:\
:deny.access={x, where x is as described below}:
  • Incoming process submitted by remoteUser@remoteNode
    • n, connection denied due to security failure
    • y, connection denied due to security failure
    • d, connection allowed to proceed
  • Outgoing process submitted on the local node by root
    • n, connection allowed to proceed
    • y, connection denied due to security failure
    • d, connection allowed to proceed

If a user is denied access because of the user:deny.access parameter is defined in the sysacl.cfg file for that user, a message is logged, and the session is terminated.

Automatic Detection of Shadow Passwords

Because shadow password files are available on some versions of the UNIX operating system, Connect:Direct for UNIX detects the use of shadow passwords automatically, if available.

Limiting Access to the Program Directory

The program directory provides enhanced security for the run task and run job process statements by limiting access to specified scripts and commands. Any attempt to execute a program or script outside the specified directory fails. The program directory is identified with the pstmt.run_dir parameter. If the program directory is specified, the UNIX restricted shell is invoked, providing enhanced security. If the program directory is not specified, the regular (Bourne) shell is invoked for executing commands with no restrictions.

The restricted shell is very similar to the regular (Bourne) shell, but it restricts the user from performing the following functions:

  • Changing the directory (cd)
  • Changing PATH or SHELL environment variables
  • Using command names containing a slash (/) character
  • Redirecting output (> and >>)

Additional information about the restricted shell can be found in the appropriate UNIX manual pages or UNIX security text books.

The restricted shell is started using only the environment variables HOME, IFS, PATH, and LOGNAME, which are defined as follows:
HOME=run_dir
IFS=whitespace characters (tab, space, and newline)
PATH=/usr/rbin and run_dir
LOGNAME=user's UNIX ID

Because environment variables are not inherited from the parent Process, no data can be passed to the script or command through shell environment variables. The restricted shell restricts access to specified scripts and commands, but it does not restrict what the scripts and commands can do. For example, a shell script being executed within the run_dir directory can change the value of PATH and execute command names containing a slash (/) character. For this reason, it is important that the system administrator controls which scripts and commands the user has access to and does not give the user write privileges to the run_dir directory or any of the files in the run_dir directory.

Security Exit

The Security Exit in the initialization parameters file, initparm.cfg, provides an interface to password support programs.

This exit generates and verifies passtickets and it also supports other password support programs. An example of other programs is PASSTICKET, part of the RACF security system available on MVS hosts and also supported by IBM on UNIX AIX and OS/2 computers using the NETSP product.

For more information on the Security Exit, see User Exit Record.