Network security services NMI: Configuring the interface
z/OS Communications Server: IP Programmer's Guide and Reference SC27-3659-02

Access to the network security services (NSS) server's network management interface is controlled through RACF® (or an equivalent external security manager product) resource definitions in the SERVAUTH class. Most of these resource names contain the NSS client's name. The client name is defined by the client.

Tip: When you override the clientname value for an NSS IPSec client, ensure that the name you define does not match the name of an existing NSS client on the NSS server system. If the names match, users with authority to manage IP security on that system also gain authority to remotely manage the NSS client, because the SERVAUTH resource names are identical.

The z/OS® system administrator can restrict access to NSS network management interfaces as follows:

Requirement: For applications that use the interface, the MVS user ID must be permitted to the defined resource. Additionally, permitted client applications must have permission to enter the /var/sock directory and to write to the /var/sock/nss socket. Ensure that the NSSD OMVS user ID has write access to the /var/sock directory (or ensure that it has permission to create this directory).

Guideline: If you are developing a feature for a product to be used by other parties, include instructions in your documentation indicating that administrators must define and give appropriate permission to the given security resource to use that feature.

Copyright IBM Corporation 1990, 2014