A security context is a data structure that contains information
about the cryptographic state of a program on the client communicating
with the server, and is required for RPC message security services.
NFS clients create security contexts with the z/OS NFS server as
part of the RPCSEC_GSS protocol data flow. The z/OS NFS server
accepts security context requests subject to the following restrictions
and recommendations:
- The z/OS NFS server does not support channel bindings.
- The z/OS NFS server never initiates any requests as an agent of
NFS clients and therefore recommends that clients do not use credential
delegation services while creating security contexts.
- The z/OS NFS server does not support the Out Of Sequence Detection
services of the GSS-API. It expects NFS clients to have the seq_req_flag
parameter turned off on their calls to the GSS-API gss_init_sec_context.
- The z/OS NFS server recommends that the clients do not use the
Message Replay services of the GSS-API. It expects NFS clients to
have the replay_det_req_flag turned off on their calls to the GSS-API
gss_init_sec_context. Note that the z/OS NFS server's implementation
of the RPCSEC_GSS protocol already provides protection against replay
attacks, so the GSS-API service would be redundant.
- The z/OS NFS server does not allow clients to authenticate as
anonymous principals.
- The z/OS NFS server recommends that NFS clients use mutual authentication
services during context creation. The z/OS NFS server will still
honor context creation requests from NFS clients that are unable to,
or choose not to, use mutual authentication services in the GSS-API.
However, clients that would require RPC callbacks from the z/OS NFS
server have to support accepting security contexts with mutual authentication,
because the z/OS NFS server always initiates security contexts with
mutual authentication services.
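The restrictions above all map onto the req_flags bit set that an NFS client passes to gss_init_sec_context. The following added example (not part of this documentation or of the z/OS NFS product) expresses them as a small audit that an NFS client administrator can run over a proposed flag set before deploying a client configuration. The flag bit values are the standard GSS_C_*_FLAG constants from RFC 2744; the rule table, the GssFlag class and the audit_req_flags function are constructed for this example.

```python
"""Audit GSS-API request flags against the z/OS NFS server's stated
RPCSEC_GSS context-creation restrictions (example code, not IBM's)."""
from enum import IntFlag
from typing import Dict, List, Tuple


class GssFlag(IntFlag):
    """Request/return flag bits for gss_init_sec_context (RFC 2744 values)."""
    DELEG = 0x01      # GSS_C_DELEG_FLAG: delegate credentials to the server
    MUTUAL = 0x02     # GSS_C_MUTUAL_FLAG: mutual authentication
    REPLAY = 0x04     # GSS_C_REPLAY_FLAG: replay_det_req_flag
    SEQUENCE = 0x08   # GSS_C_SEQUENCE_FLAG: seq_req_flag (out-of-sequence detection)
    CONF = 0x10       # GSS_C_CONF_FLAG: confidentiality (RPCSEC_GSS privacy service)
    INTEG = 0x20      # GSS_C_INTEG_FLAG: integrity (RPCSEC_GSS integrity service)
    ANON = 0x40       # GSS_C_ANON_FLAG: authenticate as an anonymous principal


Finding = Tuple[str, str, str]  # (flag name, "reject" | "warn", explanation)

# Each rule is (flag, fires_when_set, severity, explanation). A rule with
# fires_when_set=False fires when the flag is MISSING from the request.
_RULES = [
    (GssFlag.ANON, True, "reject",
     "server does not allow clients to authenticate as anonymous principals"),
    (GssFlag.SEQUENCE, True, "warn",
     "server does not support out-of-sequence detection; seq_req_flag should be off"),
    (GssFlag.REPLAY, True, "warn",
     "replay_det_req_flag should be off; RPCSEC_GSS already protects against replay"),
    (GssFlag.DELEG, True, "warn",
     "server never acts as the client's agent, so delegated credentials are unused"),
    (GssFlag.MUTUAL, False, "warn",
     "mutual authentication is recommended; the context is still accepted without it"),
]


def recommended_req_flags() -> GssFlag:
    """Flags a client should request: mutual auth on, every discouraged
    service off. INTEG/CONF are added by the client according to the
    RPCSEC_GSS service level (integrity/privacy) it intends to use."""
    return GssFlag.MUTUAL


def audit_req_flags(req_flags: int) -> Dict[str, object]:
    """Return the findings for a proposed req_flags value.

    'accepted' is False only when a rule of severity 'reject' fires, which
    mirrors the one hard restriction above (no anonymous principals); every
    other item is a recommendation the server tolerates but advises against.
    """
    flags = GssFlag(req_flags)
    findings: List[Finding] = []
    for flag, fires_when_set, severity, explanation in _RULES:
        if bool(flags & flag) == fires_when_set:
            findings.append((flag.name, severity, explanation))
    accepted = not any(sev == "reject" for _, sev, _ in findings)
    return {"req_flags": flags, "accepted": accepted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a client that turned on every GSS-API service.
    proposed = (GssFlag.DELEG | GssFlag.MUTUAL | GssFlag.REPLAY
                | GssFlag.SEQUENCE | GssFlag.INTEG)
    report = audit_req_flags(proposed)
    print(f"requested : {report['req_flags']!r}")
    print(f"recommended: {recommended_req_flags()!r} (+ INTEG/CONF as needed)")
    print(f"accepted  : {report['accepted']}")
    for name, severity, why in report["findings"]:
        print(f"  [{severity}] {name}: {why}")
```

The audit only judges the client's initiator-side request. The callback requirement in the last bullet is about the acceptor side: a client that needs RPC callbacks must be able to accept a context that the server initiates with GSS_C_MUTUAL_FLAG set, which is a capability of the client's gss_accept_sec_context path rather than a bit in its own req_flags.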