TCP/IP stack initialization access control

A TCP/IP stack initializes before Policy Agent installs the configured policies into it. This leaves a window of time during which connections that AT-TLS policy should protect would be accepted as clear text connections. The RACF® resource EZB.INITSTACK.sysname.tcpname in the SERVAUTH class is used to block stack access during that window for every user ID except those permitted to the resource. While the window is open, any socket request from an application running under an unauthorized user ID receives the same errno it would have received before the stack came up (EAGAIN with JrTcpNotActive).

Checking is done only if the TCP/IP profile activates AT-TLS. If there is no profile in the SERVAUTH class covering this resource name, all socket requests fail, including those from Policy Agent, so the stack cannot leave the restricted state until the profile is defined or AT-TLS is deactivated. Checking ceases the first time Policy Agent indicates that AT-TLS policy installation is complete, or when a TCP/IP profile change deactivates AT-TLS.

When the limited access window begins, non-scrollable message EZZ4248E is written to the system console stating that TCP/IP is waiting for Policy Agent to install AT-TLS policies. The message is deleted when the restriction ends. You can delay the start of AUTOLOG procedures during this window by specifying the optional DELAYSTART parameter with the TTLS subparameter on the AUTOLOG entry for each such procedure; when specified, the procedure starts only after message EZZ4248E is deleted and message EZZ4250I is issued indicating that AT-TLS services are available. This is the correct choice for a procedure that is not permitted to the EZB.INITSTACK resource, because starting it earlier would only produce failed socket requests.

You must permit a limited set of administrative applications to the profile to ensure that the stack can complete initialization. If Policy Agent depends on other applications in your environment, those applications must also be permitted. You can also permit other applications that do not require AT-TLS and that you want to start before general applications. At a minimum, the following applications should be permitted to the profile:

For examples of the security product commands needed to create this resource profile name and grant users access to it, see member EZARACF in sample data set SEZAINST.
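The following REXX exec is an added illustration of the setup described above, not IBM's EZARACF sample or any other IBM-supplied code. It defines the EZB.INITSTACK resource with UACC(NONE), permits the early-start user IDs, refreshes the RACLISTed class, and lists the resulting access list for verification. The system name SYS1, stack name TCPIP and the user IDs PAGENT and OMPROUTE are assumptions for the example; substitute the names used in your installation, and always include the user ID under which your Policy Agent runs, because without it the stack can never leave the restricted state.

```rexx
/* REXX: define EZB.INITSTACK.sysname.tcpname and permit the user IDs
   that may open sockets before AT-TLS policy is installed.
   Added example, not the EZARACF sample. Assumed names: system SYS1,
   stack TCPIP, Policy Agent user ID PAGENT, OMPROUTE as a second
   early-start administrative user ID.                                */
sysname = 'SYS1'
tcpname = 'TCPIP'
profile = 'EZB.INITSTACK.'sysname'.'tcpname

/* PAGENT is mandatory; anything else listed here is an installation
   choice for applications that must start before AT-TLS is ready.   */
early = 'PAGENT OMPROUTE'

address TSO

/* The stack checks the RACLISTed copy of SERVAUTH, so the class must
   be active and RACLISTed (harmless if it already is).              */
"SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)"
if rc <> 0 then say 'SETROPTS CLASSACT/RACLIST ended with RC' rc

/* UACC(NONE): every user ID not on the access list gets
   EAGAIN/JrTcpNotActive while the initialization window is open.    */
"RDEFINE SERVAUTH" profile "UACC(NONE)"
if rc <> 0 then say 'RDEFINE' profile 'ended with RC' rc

/* READ access is all that is required to pass the check.            */
do i = 1 to words(early)
  id = word(early, i)
  "PERMIT" profile "CLASS(SERVAUTH) ID("id") ACCESS(READ)"
  if rc <> 0 then say 'PERMIT' id 'to' profile 'ended with RC' rc
end

/* Nothing above takes effect for the stack until the in-storage
   profiles are refreshed.                                           */
"SETROPTS RACLIST(SERVAUTH) REFRESH"
if rc <> 0 then say 'SETROPTS RACLIST REFRESH ended with RC' rc

/* Display the access list so the PAGENT entry can be confirmed
   before AT-TLS is activated in the TCP/IP profile.                 */
"RLIST SERVAUTH" profile "AUTHUSER"
exit rc
```

Run the exec from a TSO user ID with the RACF authority to administer SERVAUTH profiles, and confirm with the RLIST output that the Policy Agent user ID has READ access before activating AT-TLS (TCPCONFIG TTLS) in the TCP/IP profile. For procedures that are deliberately left off the access list, add DELAYSTART TTLS to their AUTOLOG entries so that they are not started until message EZZ4250I has been issued.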