Steps for authorizing resources for the DMD and the ipsec command

You need to define and authorize the DMD user ID, permit the DMD user ID to SYS1.PARMLIB, and define the SERVAUTH profiles necessary to be able to add, update, delete, and display defensive filters.

Before you begin

RACF® is used as the external security manager in the following examples. However, you can use any SAF-compliant security product. RACF commands shown in these examples are also provided in the EZARACF member of the SEZAINST data set. In these examples, it is assumed that the DMD is running under the user ID DMD.

Procedure

Perform the following steps to authorize access to the appropriate resources:

  1. Define and authorize the DMD user ID. The DMD is a z/OS® UNIX application that you can start from the z/OS UNIX shell or from an MVS™ started procedure. Before starting the DMD, you must define the DMD user ID to the external security manager. If you start the DMD from an MVS started procedure, the DMD user ID must also be authorized to the STARTED class. In the following example, the DMD user ID is defined with UID 0:
    ADDUSER  DMD     DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0)  HOME('/'))
    RDEFINE  STARTED  DMD.*            STDATA(USER(DMD))
    SETROPTS RACLIST(STARTED) REFRESH
    SETROPTS GENERIC(STARTED) REFRESH

    You can define the DMD with a nonzero UID. For additional steps that you must take when the DMD UID is nonzero, see Steps for configuring the DMD.

  2. Permit the DMD user ID to SYS1.PARMLIB. The DMD uses the TCP/IP component trace (CTRACE) to perform service-level tracing. The default DMD component trace parmlib member is stored in SYS1.PARMLIB. The DMD user ID must be permitted to access SYS1.PARMLIB.

    Issue the following command:

    PERMIT   SYS1.PARMLIB  ID(DMD) ACCESS(READ)

  3. Define SERVAUTH profiles to control the users that are allowed to manage defensive filters. For information about defining the SERVAUTH profiles needed for a user to be able to add, update, delete, and display defensive filters, see Step 4: Authorizing the ipsec command to the external security manager. Additional information about command security and the SERVAUTH profile is available in z/OS Communications Server: IP System Administrator's Commands.
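
To confirm the results of steps 1 through 3, the following REXX exec lists the profiles that the commands above create or change. It is an added example, not part of the original procedure or the EZARACF member. It assumes the DMD user ID is DMD, that SYS1.PARMLIB is protected by a generic data set profile (drop the GENERIC operand if your profile is discrete), that the ipsec command profiles begin with EZB.IPSECCMD, and that the issuer has enough RACF authority to list these profiles.

```rexx
/* REXX - added example: review the DMD authorizations from steps 1-3 */
/* Assumptions: user ID DMD; SYS1.PARMLIB covered by a generic       */
/* profile; ipsec command SERVAUTH profiles start with EZB.IPSECCMD. */

cmd.1 = "LISTUSER DMD OMVS NORACF"                   /* step 1: UID, HOME  */
cmd.2 = "RLIST STARTED DMD.* STDATA"                 /* step 1: STDATA USER */
cmd.3 = "LISTDSD DATASET('SYS1.PARMLIB') GENERIC AUTHUSER" /* step 2: access list */
cmd.4 = "SEARCH CLASS(SERVAUTH) MASK(EZB.IPSECCMD)"  /* step 3: profiles   */
cmd.0 = 4

failed = 0
do i = 1 to cmd.0
  call outtrap "out."            /* capture the command output            */
  address tso cmd.i
  cmdrc = rc                     /* save RC before any other call         */
  call outtrap "off"

  say "==>" cmd.i "(RC="cmdrc")"
  do j = 1 to out.0
    say "    "out.j
  end

  /* A nonzero RC means the user, profile, or authority is missing, */
  /* or (for SEARCH) that no profile matched the mask.              */
  if cmdrc <> 0 then do
    failed = failed + 1
    say "    *** check this step: command ended with RC="cmdrc
  end
end

say failed "of" cmd.0 "checks need attention"
exit failed
```

In the output, check that DMD appears as the STDATA user, that DMD is in the SYS1.PARMLIB access list with READ and nothing higher, and that each listed EZB.IPSECCMD profile permits only the users who should manage defensive filters.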