Permitting access from remote requesters

You can use the DSNR RACF® class to access the distributed data address space and to control access from remote requesters.

About this task

The following RACF commands let the users in the group DB2USER access DDF on the DSN subsystem. These DDF requests can originate from any partner in the network.

Procedure

  • For example, to permit READ access on profile DSN.DIST in the DSNR class to DB2USER, issue the following RACF command:
    PERMIT  DSN.DIST   CLASS(DSNR) ID(DB2USER)  ACCESS(READ)
    If you want to ensure that a specific user can access only when the request originates from a specific LU name, you can use WHEN(APPCPORT) on the PERMIT command.

    For example, to permit access to Db2 distributed processing on subsystem DSN when the request comes from USER5 at LUNAME equal to NEWYORK, issue the following RACF command:

    PERMIT DSN.DIST CLASS(DSNR) ID(USER5) ACCESS(READ) +
           WHEN(APPCPORT(NEWYORK))
  • For connections that come through TCP/IP, use the RACF APPCPORT class or the RACF SERVAUTH class with TCP/IP Network Access Control to protect unauthorized access to Db2.
    To use the RACF APPCPORT class, perform the following steps:
    1. Activate the ACCPORT class by issuing the following RACF command:
      SETROPTS CLASSACT(APPCPORT) REFRESH
    2. Define the general resource profile and name it TCPIP. Specify NONE for universal access and APPCPORT for class. Issue the following RACF command:
      RDEFINE APPCPORT (TCPIP) UACC(NONE)
    3. Permit READ access on profile TCPIP in the APPCPORT class. To permit READ access to USER5, issue the following RACF command:
      PERMIT TCPIP ACCESS(READ) CLASS(APPCPORT) ID(USER5)
    4. Permit READ access on profile DSN.DIST in the DSNR class. To permit READ access to USER5, issue the following RACF command:
      PERMIT DSN.DIST CLASS(DSNR) ID(USER5) ACCESS(READ) +
             WHEN(APPCPORT(TCPIP))
    5. Refresh the APPCPORT class by issuing the following RACF command:
      SETROPTS CLASSACT(APPCPORT) REFRESH RACLIST(APPCPORT)
  • If the RACF APPCPORT class is active on your system, and a resource profile for the requesting LU name already exists, you must permit READ access to the APPCPORT resource profile for the user IDs that Db2 uses.

    You must permit READ access even when you are using the DSNR resource class. Similarly, if you are using the RACF APPL class and that class restricts access to the local Db2 LU name or generic LU name, you must permit READ access to the APPL resource for the user IDs that Db2 uses.

    Recommendation: Use z/OS® Communications Server IP Network Access Control and z/OS Security Server RACF SERVAUTH class if you want to use the port of entry (POE) for remote TCP/IP connections.

    To use the RACF SERVAUTH class and TCP/IP Network Access Control, perform the following steps:

    1. Set up and configure TCP/IP Network Access Control by using the NETACCESS statement that is in your TCP/IP profile.
      For example, suppose that you need to allow z/OS system access only to IP addresses from 9.0.0.0 to 9.255.255.255. You want to define these IP addresses as a security zone, and you want to name the security zone IBM®. Suppose also that you need to deny access to all IP addressed outside of the IBM security zone, and that you want to define these IP addresses as a separate security zone. You want to name this second security zone WORLD. To establish these security zones, use the following NETACCESS clause:
      NETACCESS INBOUND OUTBOUND
      ; NETWORK/MASK         SAF
        9.0.0.0/8          IBM
        DEFAULT            WORLD
      ENDNETACCESS

      Now, suppose that USER5 has an IP address of 9.1.2.3. TCP/IP Network Access Control would determine that USER5 has an IP address that belongs to the IBM security zone. USER5 would be granted access to the system. Alternatively, suppose that USER6 has an IP address of 1.1.1.1. TCP/IP Network Access Control would determine that USER6 has an IP address that belongs to the WORLD security zone. USER6 would not be granted access to the system.

    2. Activate the SERVAUTH class by issuing the following TSO command:
      SETROPTS CLASSACT(SERVAUTH)
    3. Activate RACLIST processing for the SERVAUTH class by issuing the following TSO command:
      SETROPTS RACLIST(SERVAUTH)
    4. Define the IBM and WORLD general resource profiles in RACF to protect the IBM and WORLD security zones by issuing the following commands:
      RDEFINE SERVAUTH (EZB.NETACCESS.ZOSV1R5.TCPIP.IBM) UACC(NONE)
      RDEFINE SERVAUTH (EZB.NETACCESS.ZOSV1R5.TCPIP.WORLD) UACC(NONE)
    5. Permit USER5 and SYSDSP read access to the IBM profile by using the following commands.
      PERMIT EZB.NETACCESS.ZOSV1R5.TCPIP.IBM ACCESS READ CLASS(SERVAUTH) ID(USER5)
      PERMIT EZB.NETACCESS.ZOSV1R5.TCPIP.IBM ACCESS READ CLASS(SERVAUTH) ID(SYSDSP)
    6. Permit SYSDSP read access to the WORLD profile by using the following command:
      PERMIT EZB.NETACCESS.ZOSV1R5.TCPIP.WORLD ACCESS READ CLASS(SERVAUTH) ID(USER5)
    7. For these permissions to take effect, refresh the RACF database by using the following command:
      SETROPTS CLASSACT(SERVAUTH) REFRESH RACLIST(SERVAUTH)