ipsec command SERVAUTH profile

Security product authorization (for example, RACF®) is required to use the ipsec command. You must define a profile in the SERVAUTH class to enable control over the ipsec command function. You can define separate profiles during installation to control access to different aspects of the ipsec command. The format of the profile when accessing a local stack is as follows: 
EZB.IPSECCMD.sysname.stackname.command_type
Where:
sysname
The name of the system on which the ipsec command is allowed to run.
stackname
The tcpprocname value of the local TCP/IP stack for which the ipsec command is authorized. Specify the stackname value DMD_GLOBAL to authorize the use of the global defensive filter option (-G). The wildcard value asterisk (*) authorizes the use of the global defensive filter option and authorizes all stacks.
command_type
The ipsec command type; either DISPLAY or CONTROL
Table 1. ipsec command SERVAUTH class resource names
Resource names in SERVAUTH class ipsec options
EZB.IPSECCMD.sysname.stackname.* All ipsec options
EZB.IPSECCMD.sysname.stackname.DISPLAY
-f display
-F display
-m display
-k display
-y display
-t
-i
-o
EZB.IPSECCMD.sysname.stackname.CONTROL
-f default
-f reload
-F add
-F delete
-F update
-m activate
-m deactivate
-k deactivate
-k refresh
-y activate
-y deactivate
-y refresh
EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY
-F display -G
EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL
-F add -G
-F delete -G
-F update -G
EZB.IPSECCMD.sysname.stackname.CONTROL (for each stack to which the global command applies)
-F add -G
-F delete -G
-F update -G
When accessing a remote stack using the NSS server, the following format applies: 
EZB.NETMGMT.sysname.clientname.IPSEC.command_type
Where:
sysname
The system name on which the ipsec command is allowed to run.
clientname
The name of an NSS client.
command_type
The ipsec command type; either DISPLAY or CONTROL.

Requirement: You must define these profiles on the system where the NSS server and the ipsec command are running

Resource names in SERVAUTH class ipsec options
EZB.NETMGMT.sysname.clientname.IPSEC.* All ipsec options
EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY
  • -f display
  • -m display
  • -k display
  • -y display
  • -t
  • -i
  • -o
EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL
  • -f default
  • -f reload
  • -m activate
  • -m deactivate
  • -k deactivate
  • -k refresh
  • -y activate
  • -y deactivate
  • -y refresh

Restriction: You cannot display and manage defensive filters for an NSS client that is managed by the NSS server.

Use the following format when querying IKED for NSS configuration information using the ipsec -w command: 
EZB.NETMGMT.sysname.sysname.IKED.DISPLAY
Where:
sysname
The name of the system on which the ipsec command is allowed to run.
Requirement: This profile must be defined on the system where IKED and the ipsec command are running.
The format of the profile when accessing the NSS server using the ipsec -x command is: 
EZB.NETMGMT.sysname.sysname.NSS.DISPLAY
Where:
sysname
The name of the system on which the ipsec command is allowed to run.
Requirement: This profile must be defined on the system where the NSS server and the ipsec command are running.

If the security product is RACF, you can use the control statements in the sample JCL job that is provided in SEZAINST(EZARACF) to define these authorizations. If the SERVAUTH class is not active or if a matching SERVAUTH policy is not found, the ipsec request is rejected.

Tip: Authorization is not required for the help option (ipsec -?).