Steps for configuring global definitions for all stacks

Define a security zone name for the INADDRANY and LOOPBACK addresses. Define a security label and security zone name for all unknown systems in the multilevel secure network.

Procedure

Perform the following steps to configure global definitions for all stacks:

  1. Define a security zone name for the INADDRANY and LOOPBACK addresses.
    1. Define a NETACCESS profile for this zone in the SERVAUTH class for each stack. NETACCESS profile names have the form EZB.NETACCESS.sysname.tcpname.zonename; this profile should be specific with respect to the z/OS® system name and TCP stack job name, and should have the same security label as the stack job. This profile is normally defined with UACC(READ), because every job that binds to INADDR_ANY or communicates over the loopback address must pass the access check for this zone.
    2. Define a NETACCESS statement that maps the INADDRANY and LOOPBACK IP addresses of any system into this security zone name. You can place this statement in a shared data set and include it in the PROFILE.TCPIP file of other z/OS systems in the network.
  2. Define one security label that has the lowest security level and a single category that is not used in any other security label. This security label can then be assigned to all unknown systems. Mandatory access control under this security label is more restrictive than under SYSLOW, because the unique category prevents any other user-defined security label from dominating it.

    A task running under this security label has read-only access to resources labeled SYSLOW, write-only access to resources labeled SYSHIGH, and read/write access to resources labeled with this security label or SYSMULTI. It has no access to resources with any other security label: every other label either lacks the unique category or has a higher security level, so neither label dominates the other and the two are disjoint.

    Any resource created under this security label can be read only by tasks running under this security label, SYSHIGH, or SYSMULTI, because only those labels dominate it. Had unknown systems been assigned SYSLOW instead, anything they created would be readable or executable by every security label; a dedicated label therefore significantly reduces the risk from unintended, publicly readable or executable SYSLOW resources.

  3. Define a security zone name for all unknown systems in the multilevel secure network.
    1. Define a NETACCESS profile for this zone in the SERVAUTH class and give it the security label defined in the previous step. This profile can be generic with respect to the z/OS system name and TCP stack job name (generic profiles require SETROPTS GENERIC(SERVAUTH)). If your installation supports communications with unknown systems on all z/OS systems, define the profile with UACC(READ). If it does not, define the profile with UACC(NONE) and PERMIT only the users on the systems that need it.
    2. Define a NETACCESS DEFAULT statement that maps all IP addresses not otherwise listed into this security zone name. You can place this statement in a shared data set and include it in the PROFILE.TCPIP file of other z/OS systems in the network.
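
The following is an added example, not part of the original page or of IBM's product documentation, showing the whole procedure as RACF commands and PROFILE.TCPIP statements. The system name SYSA, the stack job name TCPIP, the shared member SYS1.TCPPARMS(MLSNETAC), the zone names LOCAL and UNKNOWN, the security label UNKNOWN, the security level LOWLVL and the category NOTKNOWN are all assumed names. It also assumes that the SECLABEL and SERVAUTH classes are already active and RACLISTed, that LOWLVL is the lowest SECLEVEL already defined in the SECDATA class, and that the stack job runs under SYSMULTI.

```text
RACF commands (TSO), in this order:

  Step 2: a label at the lowest level with a category no other label uses
RALTER  SECDATA CATEGORY ADDMEM(NOTKNOWN)
RDEFINE SECLABEL UNKNOWN SECLEVEL(LOWLVL) ADDCATEGORY(NOTKNOWN)
SETROPTS RACLIST(SECLABEL) REFRESH

  Step 1: stack-specific zone for INADDR_ANY and loopback, same label as the stack
  (repeat for every system and stack, changing SYSA and TCPIP)
RDEFINE SERVAUTH EZB.NETACCESS.SYSA.TCPIP.LOCAL UACC(READ) SECLABEL(SYSMULTI)

  Step 3: one generic zone for every unknown system, carrying the new label
  (use UACC(NONE) plus PERMITs if only some systems may talk to unknown peers)
SETROPTS GENERIC(SERVAUTH)
RDEFINE SERVAUTH EZB.NETACCESS.*.*.UNKNOWN UACC(READ) SECLABEL(UNKNOWN)
SETROPTS RACLIST(SERVAUTH) REFRESH

Shared member SYS1.TCPPARMS(MLSNETAC), pulled into each stack's PROFILE.TCPIP with
INCLUDE SYS1.TCPPARMS(MLSNETAC):

NETACCESS INBOUND OUTBOUND
   0.0.0.0/32      LOCAL      ; INADDR_ANY
   127.0.0.0/8     LOCAL      ; IPv4 loopback range
   ::1/128         LOCAL      ; IPv6 loopback (only if the stack is IPv6-enabled)
   DEFAULT         UNKNOWN    ; every address not matched above
ENDNETACCESS
```

Because the profile for the LOCAL zone is system- and stack-specific while its NETACCESS entries are identical everywhere, the entries can live in the shared member and only the RDEFINE is repeated per stack. After activating the profile (for a running stack, VARY TCPIP,,OBEYFILE with the updated data set), NETSTAT ACCESS NETWORK shows the zones and the security labels the stack resolved for them; an address that unexpectedly lands in UNKNOWN rather than a known zone is the first sign of a missing or mistyped entry.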