Security product authorization (for example, RACF®) is required to use the
ipsec command.
You must define a profile in the SERVAUTH class to enable control
over the
ipsec command function. You can define
separate profiles during installation to control access to different
aspects of the
ipsec command. The format of the
profile when accessing a local stack is as follows:
EZB.IPSECCMD.sysname.stackname.command_type
Where:
- sysname
- The name of the system on which the ipsec command
is allowed to run.
- stackname
- The tcpprocname value of the local TCP/IP
stack for which the ipsec command is authorized.
Specify the stackname value DMD_GLOBAL
to authorize the use of the global defensive filter option (-G).
The wildcard value asterisk (*) authorizes the use of the global
defensive filter option and authorizes all stacks.
- command_type
- The ipsec command type; either DISPLAY or CONTROL
Table 1. ipsec command SERVAUTH class
resource names | Resource names in SERVAUTH class |
ipsec options |
|---|
| EZB.IPSECCMD.sysname.stackname.* |
All ipsec options |
| EZB.IPSECCMD.sysname.stackname.DISPLAY |
-f display
-F display
-m display
-k display
-y display
-t
-i
-o
|
| EZB.IPSECCMD.sysname.stackname.CONTROL |
-f default
-f reload
-F add
-F delete
-F update
-m activate
-m deactivate
-k deactivate
-k refresh
-y activate
-y deactivate
-y refresh
|
| EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY |
-F display -G
|
| EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL |
-F add -G
-F delete -G
-F update -G
|
| EZB.IPSECCMD.sysname.stackname.CONTROL
(for each stack to which the global command applies) |
-F add -G
-F delete -G
-F update -G
|
When accessing a remote stack using the NSS server, the
following format applies:
EZB.NETMGMT.sysname.clientname.IPSEC.command_type
Where:
- sysname
- The system name on which the ipsec command
is allowed to run.
- clientname
- The name of an NSS client.
- command_type
- The ipsec command type; either DISPLAY or CONTROL.
Requirement: You must define these profiles on
the system where the NSS server and the ipsec command
are running
| Resource names in SERVAUTH class |
ipsec options |
|---|
| EZB.NETMGMT.sysname.clientname.IPSEC.* |
All ipsec options |
| EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY |
- -f display
- -m display
- -k display
- -y display
- -t
- -i
- -o
|
| EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL |
- -f default
- -f reload
- -m activate
- -m deactivate
- -k deactivate
- -k refresh
- -y activate
- -y deactivate
- -y refresh
|
Restriction: You cannot display and manage defensive
filters for an NSS client that is managed by the NSS server.
Use the following format when querying IKED for NSS configuration
information using the
ipsec -w command:
EZB.NETMGMT.sysname.sysname.IKED.DISPLAY
Where:
- sysname
- The name of the system on which the ipsec command
is allowed to run.
Requirement: This profile must be defined on
the system where IKED and the
ipsec command
are running.
The format of the profile when accessing the NSS server
using the
ipsec -x command is:
EZB.NETMGMT.sysname.sysname.NSS.DISPLAY
Where:
- sysname
- The name of the system on which the ipsec command
is allowed to run.
Requirement: This profile must be defined on
the system where the NSS server and the
ipsec command
are running.
If the security product is RACF,
you can use the control statements in the sample JCL job that is provided
in SEZAINST(EZARACF) to define these authorizations. If the SERVAUTH
class is not active or if a matching SERVAUTH policy is not found,
the ipsec request is rejected.
Tip: Authorization is not required for the help
option (ipsec -?).