Configuring TCP/IP with multilevel security
A communications server IP stack that runs in a multilevel secure environment can be configured as either a restricted stack or an unrestricted stack.
About this task
All users on a TCP/IP connection have the security label that is associated with the IP address that is defined on the server. If a user requires a different security label, the user must enter through an IP address that has that security label associated with it. If you require multiple IP addresses on a remote z/OS server, a workstation, or a gateway, you can configure multiple virtual IP addresses. This strategy can increase the number of security labels that are available on a client.
Remote users that access Db2 by using a TCP/IP network connection use the security label that is associated with the RACF® SERVAUTH class profile when the remote user is authenticated. Security labels are assigned to the database access thread when the Db2 server authenticates the remote server by using the RACROUTE REQUEST=VERIFY service.
If you use a trusted context for your TCP/IP connection, you can define a default security label for all users or specific security labels for individual users who use the trusted context. The security label that is defined in the trusted context overrides the one for the TCP/IP connection in RACF.
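The trusted-context override described above, as an added example that is not part of the original documentation: the DDL defines a default security label plus a per-user label, and the query reads the definition back from the Db2 catalog for review. The names CTXMLS, APPSRV01, USRT001, USRT002, SECLOW, SECHIGH and the address 192.0.2.10 are hypothetical placeholders, and the example assumes that both security labels are already defined in RACF.

```sql
-- Added example; every identifier below is a hypothetical placeholder.
-- Assumption: SECLOW and SECHIGH are security labels that already exist
-- in RACF and are permitted to the IDs that will use them.

-- Trusted context for connections that arrive from one application server.
-- DEFAULT SECURITY LABEL applies to every user of the context that has no
-- label of its own in the WITH USE FOR list, and takes precedence over the
-- label that RACF associates with the TCP/IP connection.
CREATE TRUSTED CONTEXT CTXMLS
  BASED UPON CONNECTION USING SYSTEM AUTHID APPSRV01
  ATTRIBUTES (ADDRESS '192.0.2.10')
  DEFAULT SECURITY LABEL SECLOW
  ENABLE
  WITH USE FOR
    -- USRT001 gets its own label instead of the context default.
    USRT001 SECURITY LABEL SECHIGH WITH AUTHENTICATION,
    -- USRT002 has no label here, so it runs with the default (SECLOW).
    USRT002 WITH AUTHENTICATION;

-- Review step: list the context default and each per-user label so that
-- the effective label for every permitted user can be checked against
-- the intended classification.
SELECT C.NAME,
       C.SYSTEMAUTHID,
       C.ENABLED,
       C.DEFAULTSECURITYLABEL,
       A.AUTHID,
       A.AUTHENTICATE,
       A.SECURITYLABEL
  FROM SYSIBM.SYSCONTEXT C
  LEFT JOIN SYSIBM.SYSCONTEXTAUTHIDS A
    ON A.CONTEXTID = C.CONTEXTID
 WHERE C.NAME = 'CTXMLS';
```

Requiring authentication for each switched user keeps a connection that holds only the system authorization ID from assuming a higher-labelled user without presenting that user's credentials.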