z/OS Security Server RACF Security Administrator's Guide


Steps for administering SERVAUTH class profiles to enable RRSF to use TCP/IP node connections

SA23-2289-00

Perform the following steps to define the required SERVAUTH profiles on each node to be enabled to use TCP/IP connections:
  1. Determine whether access to the TCP/IP stack is protected. If it is, the following resource is protected in the SERVAUTH class:
    EZB.STACKACCESS.sysname.tcpname

    ______________________________________________________________________

  2. If the TCP/IP stack is not protected, skip this step.

    If it is protected, add the user ID of the RACF® subsystem to the access list for the TCP/IP stack:

    Example:
    PERMIT EZB.STACKACCESS.NODE1.TCPIP CLASS(SERVAUTH) ID(RACFSUB) ACCESS(READ)
    Note: If the TCP/IP stack is protected, do not skip this step even when the user ID of the RACF subsystem has the TRUSTED or PRIVILEGED attribute on your system.

    ______________________________________________________________________

  3. If a SAF name is assigned to the RRSF listener port in the TCP/IP profile, protect the listener port with a profile that protects the following resource:
    EZB.PORTACCESS.sysname.stack-name.SAF-name
    Examples:
    RDEFINE SERVAUTH EZB.PORTACCESS.NODE1.TCPIP.RRSF
    -or-
    RDEFINE SERVAUTH EZB.PORTACCESS.*.*.RRSF

    Specify the SAF name provided by the programmer in "Before you begin".

    ______________________________________________________________________

  4. Add the user ID of the RACF subsystem to the access list for the RRSF listener port:
    Example:
    PERMIT EZB.PORTACCESS.NODE1.TCPIP.RRSF CLASS(SERVAUTH) ID(RACFSUB) ACCESS(READ)
    Note: Do not skip this step even when the user ID of the RACF subsystem has the TRUSTED or PRIVILEGED attribute on your system.

    ______________________________________________________________________

  5. Activate your SERVAUTH profile changes, as follows.
    • If the SERVAUTH class is not already active, activate and RACLIST it.
      Example:
      SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
    • If the SERVAUTH class is already active and RACLISTed, refresh it.
      Example:
      SETROPTS RACLIST(SERVAUTH) REFRESH

    ______________________________________________________________________

When you are finished, you have administered the SERVAUTH class profiles required to enable each RRSF node to use TCP/IP node connections.
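
The decisions in steps 1 through 5 can be captured in a small generator that emits the RACF commands for one node. This is an added example, not part of the IBM guide: the function name, its parameters and the 1-8 character name check are assumptions, as is treating step 4 as applicable only when step 3 defines a port profile.

```python
import re

# Assumption: every qualifier and user ID is 1-8 characters from A-Z, 0-9, @, #, $.
# Rejecting anything else also keeps stray operands out of the generated commands.
_NAME = re.compile(r"[A-Z0-9@#$]{1,8}")


def _check(label, value):
    if not _NAME.fullmatch(value):
        raise ValueError(f"{label} {value!r} is not a valid 1-8 character name")
    return value


def rrsf_servauth_commands(sysname, tcpname, racf_subsys_id, *,
                           stack_protected, saf_name=None,
                           servauth_raclisted=False):
    """Return the RACF commands for steps 2-5 on one node, in order."""
    sysname = _check("sysname", sysname)
    tcpname = _check("tcpname", tcpname)
    user = _check("RACF subsystem user ID", racf_subsys_id)
    cmds = []

    # Step 2: needed only when EZB.STACKACCESS.sysname.tcpname is protected (step 1).
    if stack_protected:
        cmds.append(f"PERMIT EZB.STACKACCESS.{sysname}.{tcpname} "
                    f"CLASS(SERVAUTH) ID({user}) ACCESS(READ)")

    # Steps 3-4: assumed to apply only when a SAF name is assigned to the listener port.
    if saf_name is not None:
        port = f"EZB.PORTACCESS.{sysname}.{tcpname}.{_check('SAF name', saf_name)}"
        cmds.append(f"RDEFINE SERVAUTH {port}")
        cmds.append(f"PERMIT {port} CLASS(SERVAUTH) ID({user}) ACCESS(READ)")

    # Step 5: nothing to activate if no profile changed; otherwise refresh or activate.
    if not cmds:
        return cmds
    cmds.append("SETROPTS RACLIST(SERVAUTH) REFRESH" if servauth_raclisted
                else "SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)")
    return cmds


if __name__ == "__main__":
    # Constructed sample input, using the names from the page's own examples.
    for cmd in rrsf_servauth_commands("NODE1", "TCPIP", "RACFSUB", stack_protected=True,
                                      saf_name="RRSF", servauth_raclisted=True):
        print(cmd)
```

Run it once per node with that node's values and review the output before issuing the commands.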





Copyright IBM Corporation 1990, 2014