AT-TLS security updates

There are several updates required to your security setup for AT-TLS to work properly. This section has sample RACF® commands to do the required setup.

For more information about RACF commands, see Security Server RACF Command Language Reference (SA22-7687).

As mentioned in Policy Agent started task, you use a started task to run the Policy Agent. This requires the definition of a started task user ID and a profile in the STARTED class.

#  define started task user ID
#  BPX.DAEMON permit is required for non-zero UID
ADDUSER PAGENTD DFLTGRP(SYS1) OMVS(UID(0) SHARED HOME('/')) +
  NAME('TCP/IP POLICY AGENT') NOPASSWORD

#  define started task
RDEFINE STARTED PAGENT.* STDATA(USER(PAGENTD) GROUP(SYS1)) +
  DATA('TCP/IP POLICY AGENT')

#  refresh to dynamically activate the changes
SETROPTS RACLIST(STARTED) REFRESH

Define a profile named MVS.SERVMGR.PAGENT in the OPERCMDS class and give user ID PAGENTD CONTROL access to it. The profile restricts who can start the Policy Agent. If the profile is not defined, and access to it is prevented through a generic profile, PAGENTD will not be able to start the Policy Agent, which will prevent TCP/IP stack initialization.

#  restrict startup of policy agent
RDEFINE OPERCMDS MVS.SERVMGR.PAGENT UACC(NONE) +
  DATA('restrict startup of policy agent')
PERMIT MVS.SERVMGR.PAGENT CLASS(OPERCMDS) ACCESS(CONTROL) ID(PAGENTD)

#  refresh to dynamically activate the changes
SETROPTS RACLIST(OPERCMDS) REFRESH

As mentioned in AT-TLS configuration in PROFILE.TCPIP, the Policy Agent is started after TCP/IP is initialized. This means there is a (small) window where applications can use the TCP/IP stack without the TTLS policy being enforced. Define the EZB.INITSTACK.** profile in the SERVAUTH class to prevent access to the stack during this time window, except for applications with READ access to the profile. You must permit a limited set of administrative applications to the profile to ensure full initialization of the stack, as documented in TCP/IP stack initialization access control of Communications Server IP Configuration Guide (SC31-8775).

Note: The Policy Agent issues message EZD1586I when all policies are active.

#  activate the SERVAUTH class
SETROPTS GENERIC(SERVAUTH)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)

#  block stack access between startup and AT-TLS availability
RDEFINE SERVAUTH EZB.INITSTACK.** UACC(NONE)
#  Policy Agent
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(PAGENTD)
#  OMPROUTE daemon
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(OMPROUTE)
#  SNMP agent and subagents
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(OSNMPD)
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(IOBSNMP)
#  NAME daemon
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(NAMED)

#  refresh to dynamically activate the changes
SETROPTS RACLIST(SERVAUTH) REFRESH
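The following Python model is an added illustration, not part of the original text or of RACF itself: it approximates how RACF resolves a resource name to the most specific covering profile and compares the granted access level, and replays the two decisions described above, the MVS.SERVMGR.PAGENT check in OPERCMDS (including the failure when the profile is missing and a broader generic profile covers the name) and the EZB.INITSTACK.** check during the stack initialization window. The SERVAUTH resource name format EZB.INITSTACK.sysname.tcpname is real; the system name SC30, stack name TCPIP, user IDs USER01/WEBSRV/OPERATOR and the generic profile MVS.** are constructed for the example, and the model simplifies RACF's real rules (no WARNING mode, conditional access or global access table).

```python
import re
from dataclasses import dataclass, field

# Access levels in ascending order of authority, as RACF orders them.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class Profile:
    name: str                                   # e.g. "EZB.INITSTACK.**" (generic) or "MVS.SERVMGR.PAGENT" (discrete)
    uacc: str = "NONE"                          # UACC(...) on the RDEFINE
    permits: dict = field(default_factory=dict) # PERMIT ... ID(user) ACCESS(level)

    def matches(self, resource: str) -> bool:
        # '**' matches zero or more qualifiers, '*' matches within one qualifier (simplified).
        pat = ""
        for i, q in enumerate(self.name.split(".")):
            if q == "**":
                pat += r"(?:\.[^.]+)*" if i else r"[^.]+(?:\.[^.]+)*"
            else:
                pat += (r"\." if i else "") + re.escape(q).replace(r"\*", "[^.]*")
        return re.fullmatch(pat, resource) is not None

    def specificity(self):
        # Fewer wildcards and a longer name win: an approximation of RACF's most-specific-profile rule.
        return (-self.name.count("*"), len(self.name))

def racf_check(userid: str, profiles: list, resource: str, wanted: str) -> bool:
    """True if userid holds at least `wanted` access to resource under these profiles.
    Assumption of this model: with no covering profile RACF reports the resource as
    unprotected and the caller allows the request."""
    covering = [p for p in profiles if p.matches(resource)]
    if not covering:
        return True
    best = max(covering, key=Profile.specificity)
    granted = best.permits.get(userid, best.uacc)
    return LEVELS.index(granted) >= LEVELS.index(wanted)

def scenarios() -> dict:
    opercmds = [Profile("MVS.SERVMGR.PAGENT", "NONE", {"PAGENTD": "CONTROL"})]
    daemons = ("PAGENTD", "OMPROUTE", "OSNMPD", "IOBSNMP", "NAMED")
    servauth = [Profile("EZB.INITSTACK.**", "NONE", {u: "READ" for u in daemons})]
    # Constructed trap: the PAGENT profile was never defined, but a broader generic
    # profile with UACC(NONE) covers the name, so the started task is denied.
    opercmds_trap = [Profile("MVS.**", "NONE", {"OPERATOR": "CONTROL"})]
    return {
        "pagentd_can_start": racf_check("PAGENTD", opercmds, "MVS.SERVMGR.PAGENT", "CONTROL"),
        "other_user_can_start": racf_check("USER01", opercmds, "MVS.SERVMGR.PAGENT", "CONTROL"),
        "pagentd_denied_by_generic": racf_check("PAGENTD", opercmds_trap, "MVS.SERVMGR.PAGENT", "CONTROL"),
        "omproute_in_window": racf_check("OMPROUTE", servauth, "EZB.INITSTACK.SC30.TCPIP", "READ"),
        "webserver_in_window": racf_check("WEBSRV", servauth, "EZB.INITSTACK.SC30.TCPIP", "READ"),
    }
```

Running scenarios() shows PAGENTD allowed to start, an unpermitted user and the generic-profile trap denied, and only the permitted daemons reaching the stack before EZD1586I.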

(Optional) The z/OS® UNIX pasearch command displays active policy definitions. Define profile EZB.PAGENT.** in the SERVAUTH class to restrict access to the pasearch command. Replace the #tcpadmin placeholder with valid user IDs or RACF group names.

#  restrict access to pasearch command
RDEFINE SERVAUTH EZB.PAGENT.** UACC(NONE) +
  DATA('restrict access to pasearch command')
PERMIT EZB.PAGENT.** CLASS(SERVAUTH) ACCESS(READ) ID(#tcpadmin)

#  refresh to dynamically activate the changes
SETROPTS RACLIST(SERVAUTH) REFRESH

Use the following commands to verify your setup:

#  verify started task setup
LISTGRP SYS1 OMVS
LISTUSER PAGENTD OMVS
RLIST STARTED PAGENT.* ALL STDATA

#  verify Policy Agent startup permission
RLIST OPERCMDS MVS.SERVMGR.PAGENT ALL

#  verify initstack protection
RLIST SERVAUTH EZB.INITSTACK.** ALL

#  verify pasearch protection
RLIST SERVAUTH EZB.PAGENT.** ALL