Steps for verifying the configuration

Verify that the TCP/IP stack is configured as intended.

Before you begin

See z/OS Communications Server: IP Configuration Guide for information about networking in a multilevel-secure environment.

Procedure

Perform the following steps:

  1. TCP/IP stack is running under the intended user ID. If the stack is a submitted job, check the USER= parameter on the job card. If the stack is a started procedure, check the STDATA segment of the profile in the STARTED class.
  2. TCP/IP stack is running with the intended security label. If the stack is a submitted job, check the SECLABEL= parameter on the job card. If the stack is a started procedure or SECLABEL= was not specified on the job card, check the default security label in the USER profile. Verify that the user ID is permitted to the SECLABEL profile. If running with the RACF® SECLBYSYSTEM option, verify that the security label is active on this system image.
  3. TCP/IP stack recognizes the multilevel-secure environment. The TCPIP.PROFILE must contain a valid NETACCESS statement with the following:
    • INBound
    • OUTBound
    • At least one valid security zone definition
  4. TCP/IP stack has the intended IP addresses defined. Verify the IP addresses on DEVICE and INTERFACE statements in the TCPIP.PROFILE. Verify the IP addresses on VIPADEFINE, VIPABACKUP, VIPARANGE and VIPADISTRIBUTE statements in the TCPIP.PROFILE. Verify that IP addresses are manually configured for IPv6 interfaces. Verify that the INTFID keyword is specified on all IPv6 interfaces. Verify that the IPADDR keyword is specified on all IPv6 interfaces that support autoconfiguration.
  5. TCP/IP stack has IP addresses mapped into the intended network security zones. Verify that the base IP address, mask and zone name are correct on each line in NETACCESS statement in the TCPIP.PROFILE. Verify that these addresses are in security zones:
    • INADDR_ANY (IPv4 0.0.0.0/32, IPv6 ::/128)
    • LOOPBACK (IPv4 127.0.0.1/8, IPv6 ::1/128)
    • Any required Multicast (IPv4 224.0.0.0/4, IPv6 FF00::/8)
    Tips:
    • The D TCPIP,,N,ACC,NETW console command displays the current NETACCESS statement configuration. The SERVAUTH profile name covering the security zone resource name and the security label defined on that profile are also shown.
    • The security zone that a IP address is currently configured into is displayed by the D TCPIP,,N,ACC,NETW,ipaddress console command.
  6. SERVAUTH resources are covered by the intended profile. The RLIST SERVAUTH resource_name AUTHUSER RACF command displays the discrete or generic profile that most closely matches the specified resource name. It also displays the universal access, the security label, the access list and the conditional access list for that profile.
Parent topic: Diagnosing multilevel security consistency check messages (EZD1215-EZD1234)