Setting up reserved port number definitions in PROFILE.TCPIP

Figure 1 shows a portion of the sample configuration file for the TCP/IP address space, PROFILE.TCPIP. This sample can be copied from SEZAINST(SAMPPROF). Figure 1 includes the portion of the sample that shows how to set up reserved port number definitions. Descriptions for the statements follow Figure 1.

; ======================================================================
; Application configuration
; ======================================================================
;
; AUTOLOG: Supplies TCPIP with the procedure names to start and the
; time value to wait at TCP start up for any of those procedures
; to terminate if they are active.
;
; AUTOLOG 5
;  FTPD JOBNAME FTPD1       ; FTP Server
;  LPSERVE                  ; LPD Server
;  OMPROUTE                 ; OMPROUTE Server
;  OSNMPD                   ; SNMP Agent Server
;  PAGENT                   ; Policy Agent Server
;  PORTMAP                  ; Portmap Server (SUN 3.9)
;  PORTMAP JOBNAME PORTMAP1 ; USS Portmap Server (SUN 4.0)
;  RXSERVE                  ; Remote Execution Server
;  SMTP                     ; SMTP Server
; ENDAUTOLOG
;
; ----------------------------------------------------------------------
;
; PORT: Reserves a port for specified job names
;
;   - A port that is not reserved in this list can be used by any user.
;     If you have TCP/IP hosts in your network that reserve ports
;     in the range 1-1023 for privileged applications, you should
;     reserve them here to prevent users from using them.
;     The RESTRICTLOWPORTS option on TCPCONFIG and UDPCONFIG will also
;     prevent unauthorized applications from accessing unreserved
;     ports in the 1-1023 range.
;
;   - A PORT statement with the optional keyword SAF followed by a
;     1-8 character name can be used to reserve a PORT and control
;     access to the PORT with a security product such as RACF.
;     For port access control, the full resource name for the security
;     product authorization check is constructed as follows:
;     EZB.PORTACCESS.sysname.tcpname.safname
;     where:
;       EZB.PORTACCESS is a constant
;       sysname is the MVS system name (substitute your sysname)
;       tcpname is the TCPIP jobname (substitute your jobname)
;       safname is the 1-8 character name following the SAF keyword
;
;     When PORT access control is used, the TCP/IP application
;     requiring access to the reserved PORT must be running under a
;     USERID that is authorized to the resource. The resources
;     are defined in the SERVAUTH class.
;
;     For an example of how the SAF keyword can be used to enhance
;     security, see the definition below for the FTP data PORT 20
;     with the SAF keyword. This definition reserves TCP PORT 20 for
;     any jobname (the *) but requires that the FTP user be permitted
;     by the security product to the resource:
;     EZB.PORTACCESS.sysname.tcpname.FTPDATA in the SERVAUTH class.
;
;   - The BIND keyword is used to force a generic server (one that
;     binds to the IPv4 INADDR_ANY address, or the IPv6 unspecified
;     address, in6addr_any) to bind to the specific IP address that
;     is specified following the BIND keyword. This capability could
;     be used, for example, to allow z/OS UNIX telnet and telnet
;     3270 servers to both bind to TCP port 23.
;     The IP address that follows bind must be in IPv4 (dotted
;     decimal) or IPv6 (colon-hexadecimal) format and may be
;     any valid address for the host including VIPA and dynamic
;     VIPA addresses.
;
;   The special jobname of OMVS indicates that the PORT is reserved
;   for any application with the exception of those that use the Pascal
;   API.
;
;   The special jobname of * indicates that the PORT is reserved
;   for any application, including Pascal API socket applications.
;   Jobname may be specified as a prefix of zero to seven characters
;   ending in *.
;
;   The special jobname of RESERVED indicates that the PORT is
;   blocked. It will not be available to any application.
;
;   GUIDELINE: When IPSECURITY is enabled, UDP ports 500 and 4500
;   should either be reserved for IKED (if it is in use) or should
;   be marked RESERVED.
;
;   TIP:  The PORT statement can also be used to control application
;   access to unreserved ports by configuring PORT entries where the
;   port number is replaced by the keyword UNRSV.
;
PORT
     7 UDP MISCSERV            ; Miscellaneous Server - echo
     7 TCP MISCSERV            ; Miscellaneous Server - echo
     9 UDP MISCSERV            ; Miscellaneous Server - discard
     9 TCP MISCSERV            ; Miscellaneous Server - discard
    19 UDP MISCSERV            ; Miscellaneous Server - chargen
    19 TCP MISCSERV            ; Miscellaneous Server - chargen
    20 TCP *  NOAUTOLOG        ; FTP Server
;   20 TCP *  NOAUTOLOG SAF FTPDATA ; FTP Server
    21 TCP FTPD1               ; FTP Server
    23 TCP TN3270              ; Telnet 3270 Server
;   23 TCP INETD1 BIND 9.67.113.3 ; z/OS UNIX Telnet server
    25 TCP SMTP                ; SMTP Server
   111 TCP PORTMAP             ; Portmap Server (SUN 3.9)
   111 UDP PORTMAP             ; Portmap Server (SUN 3.9)
;  111 TCP PORTMAP1            ; Unix Portmap Server (SUN 4.0)
;  111 UDP PORTMAP1            ; Unix Portmap Server (SUN 4.0)
   123 UDP SNTPD               ; Simple Network Time Protocol Server
   135 UDP LLBD                ; NCS Location Broker
   161 UDP OSNMPD              ; SNMP Agent
   389 TCP LDAPSRV             ; LDAP Server
   443 TCP HTTPS               ; http protocol over TLS/SSL
   443 UDP HTTPS               ; http protocol over TLS/SSL
;  500 UDP IKED                ; CS IKE daemon
   512 TCP RXSERVE             ; Remote Execution Server
   514 TCP RXSERVE             ; Remote Execution Server
;  512 TCP * SAF OREXECD       ; z/OS UNIX Remote Execution Server
;  514 TCP * SAF ORSHELLD      ; z/OS UNIX Remote Shell Server
;  515 TCP LPSERVE             ; LPD Server
;  515 TCP AOPLPD              ; Infoprint LPD Server
   520 UDP OMPROUTE            ; OMPROUTE Server (IPv4 RIP)
   521 UDP OMPROUTE            ; OMPROUTE Server (IPv6 RIP)
   750 TCP MVSKERB             ; Kerberos
   750 UDP MVSKERB             ; Kerberos
   751 TCP ADM@SRV             ; Kerberos Admin Server
   751 UDP ADM@SRV             ; Kerberos Admin Server
; 1700 TCP PAGENT NOAUTOLOG    ; Policy Agent pagentQosListener port
; 1701 TCP PAGENT NOAUTOLOG    ; Policy Agent pagentQosCollector port
  3000 TCP CICSTCP             ; CICS Socket
  3389 TCP MSYSLDAP            ; LDAP Server for Msys
; 4159 TCP NSSD                ; CS NSS daemon
; 4500 UDP IKED                ; CS IKE daemon
;16310 TCP PAGENT NOAUTOLOG    ; Policy Agent server listener port
;
; ----------------------------------------------------------------------
;
; PORTRANGE: Reserves a range of ports for specified jobnames.
;
;   In a common INET (CINET) environment, the port range indicated by
;   the INADDRANYPORT and INADDRANYCOUNT in your BPXPRMxx parmlib member
;   should be reserved for OMVS.
;
;   The special jobname of OMVS indicates that the PORTRANGE is reserved
;   for ANY z/OS UNIX socket application.
;
;   The special jobname of * indicates that the PORTRANGE is reserved
;   for any socket application, including Pascal API socket
;   applications.
;   Jobname may be specified as a prefix of zero to seven characters
;   ending in *.
;
;   The special jobname of RESERVED indicates that the PORTRANGE is
;   blocked. It will not be available to any application.
;
;   The SAF keyword is used to restrict access to the PORTRANGE to
;   authorized users. See the use of SAF on the PORT statement above.
;
;
;   PORTRANGE 2000 1000 TCP RESERVED
;   PORTRANGE 3000  500 TCP APPL1*
;   PORTRANGE 4000 1000 TCP OMVS
;   PORTRANGE 4000 1000 UDP OMVS
;   PORTRANGE 5000 6000 TCP * SAF RANGE1
;
; ----------------------------------------------------------------------
;
; SACONFIG: Configures the SNMP TCP/IP subagent
;   The SACONFIG statement specified in this sample prevents the
;   activation of the TCP/IP subagent.  If you want the
;   TCP/IP subagent started during stack initialization, either
;   remove the sample statement, or respecify the statement as
;   follows, supplying a COMMUNITY and AGENT parameter value:
;
;     SACONFIG ENABLED COMMUNITY communityname AGENT portnum
;
;   If you remove the sample statement, the TCP/IP subagent will be
;   started with a COMMUNITY value of 'public', and an
;   AGENT port value of 161.
;
SACONFIG DISABLED
;
Figure 1. Example of reserved port number definitions

The following list describes the statements that are shown in Figure 1. For more information about any of these statements, see z/OS Communications Server: IP Configuration Reference. For information specific to IPv6 support, see z/OS Communications Server: IPv6 Network and Application Design Guide.

AUTOLOG
Use AUTOLOG to list the procedure names that should start when the TCPIP address space starts. It is also used to supply a timeout value for detecting hung procedures at TCP/IP initialization time. The timeout value is the time TCP/IP should allow for a procedure to come down when, at startup, it is still active and TCP/IP is attempting to AUTOLOG the procedure again. A hung procedure is active to MVS™, but is not listening on the socket that is reserved for it via the PORT statement. When AUTOLOG detects a hung task, TCP/IP checks every 10 seconds (until the timeout value has expired) to see if the procedure has come down. If the procedure comes down during one of these 10 second intervals, it is restarted. If the procedure is still active when the time interval specified by the timeout value expires, then TCP/IP cancels and restarts the procedure.

The AUTOLOG statement shown in Figure 1 has a timeout value of five minutes.

In the first AUTOLOG statement the FTP Server shows FTPD JOBNAME FTPD1. This means when the TCPIP address space starts, the FTPD procedure will be started via the MVS START FTPD command. Because FTPD forks a child process that actually listens on PORT 21, the autolog task verifies that FTPD1 is listening on port 21.

Similarly, when the TCPIP address space starts, the autolog task starts the remaining 10 tasks.

The autolog task checks for hung tasks every five minutes only for those procedures in the AUTOLOG list that also appear in the PORT reservation list; procedures without a PORT reservation are not checked.
Note:
  1. If you run multiple TCP/IP address spaces, ensure that the second address space AUTOLOG list does not cancel the procedures of the first. In those cases, an installation might require different procedure names for the servers for each address space. For more information about multiple stacks, see Port management overview.
  2. You can use the AUTOLOG statement to automatically start generic servers in a single stack environment, but you should be careful using the AUTOLOG statement to start generic servers in a multiple stack environment. Instead, you could use an operations automation software package (IBM® and other vendors provide these) to start generic servers automatically. For a list of generic servers provided by TCP/IP, see Generic servers in a CINET environment.

For those procedures that require parameters to be used on the MVS START command, there is a PARMSTRING option.

You should delay the start of AUTOLOG procedures that require AT-TLS services by specifying the optional DELAYSTART parameter with the TTLS subparameter on the AUTOLOG entry for the procedure. If you specify this parameter and subparameter, the procedure will start after the Policy Agent has installed the AT-TLS policy and AT-TLS services are available.

You should delay the start of AUTOLOG procedures that bind to a dynamic VIPA by specifying the optional DELAYSTART parameter with the DVIPA subparameter on the AUTOLOG entry for the procedure. If you specify this parameter and subparameter, the procedure will not start until the TCP/IP stack has joined the sysplex group and processed the dynamic VIPA configuration.

For a procedure that will bind to a dynamic VIPA and that requires AT-TLS services, you should specify DELAYSTART DVIPA TTLS. When more than one DELAYSTART subparameter is specified, all of the processing steps defined for those subparameters must complete before the procedure is started.

For more information, see z/OS Communications Server: IP Configuration Reference.

PORT
Use the PORT statement to do the following configuration:
  • Reserve ports for different jobs and optionally limit access to these ports by user ID

    Use PORT to reserve ports for different jobs and to prevent rogue applications from taking ports intended for specific servers, such as port 21, which is needed by FTP. For each port entry, the port number, protocol, and procedure name are specified. The first port entry shows port 7 UDP reserved for the miscellaneous echo server for procedure MISCSERV. Similarly, port 7 of TCP is also reserved for the same server. In this example, six ports are reserved for the miscellaneous server.

    NOAUTOLOG can be specified, as in the port 20 TCP * in Figure 1. In this way, the port is reserved for an OMVS forked task so that the FTP server can fork tasks to port 20 as each FTP user logs in.

    Use the DELAYACKS and NODELAYACKS options to control whether an installation delays its acknowledgments so that they can be combined with data being sent to foreign hosts. Unless there is a specific performance reason not to, use DELAYACKS to delay the transmission of acknowledgments.

    Use the SHAREPORT parameter or the SHAREPORTWLM parameter when reserving a port to be shared across multiple TCP listeners. This is not valid for UDP. To understand how these PORT statement parameters are used, see z/OS Communications Server: IP Configuration Reference. Use the Netstat ALL/-A report to determine whether port sharing is being used for a TCP listener. If port sharing is being used, this report indicates which type is being used.

    Typically, reserving a port for a specific job name is sufficient. If the port must instead be reserved for a specific user ID or a set of user IDs, use the SAF keyword to specify the name of a SAF resource to be associated with the port. The user ID associated with the application that attempts to bind to the port must be permitted to the SAF resource.

    The BIND keyword is used to force a generic server (one that binds to INADDR_ANY or in6addr_any) to bind to the specific IP address that is specified following the BIND keyword. This capability could be used, for example, to enable the z/OS® UNIX Telnet and TN3270E Telnet servers to both bind to TCP port 23 on different IP addresses. The IP address that follows BIND can be any valid address for the host, including VIPA and dynamic VIPA addresses. The address supplied can be either an IPv4 address (in dotted decimal format) or an IPv6 address (in colon-hexadecimal format). IPv4-mapped IPv6 addresses are not supported. For multiple servers to bind to the same port with this function, the IP address for each server must be unique.

    RESERVED indicates that the port is not available for use by any user.

  • Control application access to unreserved ports

    You can also use the PORT statement to control application access to unreserved ports by configuring one or more PORT statements in which the port number is replaced by the keyword UNRSV. The UNRSV keyword refers to any unreserved port (any port number that has not been reserved by a PORT or PORTRANGE statement). If you configure the RESTRICTLOWPORTS parameter on the TCPCONFIG or UDPCONFIG profile statement, PORT UNRSV statements for the corresponding protocol control access only to unreserved ports above port 1023. If you do not configure the RESTRICTLOWPORTS parameter, PORT UNRSV statements control access to all unreserved ports in the range 1-65535. The type of access that is controlled by the PORT UNRSV statement is specified (explicitly or by default) by the WHENBIND or WHENLISTEN keywords.

    If you configure one or more PORT UNRSV statements for a protocol, access is unconditionally denied to any application that explicitly binds to an unreserved port and that does not match the protocol and job name on any of the configured PORT UNRSV statements. Applications that explicitly bind to an unreserved port and that do match the protocol and job name on a PORT UNRSV statement are allowed to access the unreserved port, unless the access is restricted by the SAF or DENY keywords. If the SAF keyword is specified, the user ID associated with the application that attempts to access the port must be permitted to the specified SAF resource. If the DENY keyword is specified, access is unconditionally denied.

    For UDP sockets, the access permission is checked when an unreserved port is specified on an explicit bind. The WHENBIND keyword is the only access option that is allowed for UDP ports.

    For TCP sockets, access can be controlled when an unreserved port is specified on an explicit bind (WHENBIND) or when a listen is issued on a user-specified port that was not reserved for the application (WHENLISTEN).

    For more information about controlling access to unreserved ports, see Port access control. For more information about the PORT statement and its parameters, see z/OS Communications Server: IP Configuration Reference.
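The port access rules in the comments of Figure 1 and in the PORT description above, modelled as an added example that is not IBM code: it parses a constructed PORT fragment, builds the EZB.PORTACCESS SERVAUTH resource name for an entry with the SAF keyword, and decides whether an explicit bind by an unauthorized job is allowed for reserved, RESERVED, low-numbered and UNRSV-governed ports. The job names, MVS system name and TCPIP job name are constructed; a result of SAF:<name> means the bind succeeds only if the application's user ID is permitted to that resource.

```python
from fnmatch import fnmatchcase

# Constructed profile fragment: the job names are invented for this example.
PROFILE = """\
PORT
    20 TCP *  NOAUTOLOG SAF FTPDATA  ; FTP data port, SAF-protected
    21 TCP FTPD1                     ; FTP Server
  4500 UDP RESERVED                  ; blocked for every application
  8080 TCP APPL*                     ; jobname prefix match
  UNRSV TCP WEBSRV* WHENBIND         ; only WEBSRV* may bind unreserved TCP ports
  UNRSV TCP BATCH*  WHENBIND DENY    ; BATCH* is refused unconditionally
"""

def parse_port(profile):
    """Return one dict per PORT entry; port=None marks a PORT UNRSV entry."""
    entries = []
    for raw in profile.splitlines():
        tok = raw.split(";", 1)[0].upper().split()     # drop the ';' comment
        if len(tok) < 3:                                # blank line or PORT header
            continue
        port = None if tok[0] == "UNRSV" else int(tok[0])
        saf = tok[tok.index("SAF") + 1] if "SAF" in tok else None
        entries.append({"port": port, "proto": tok[1], "job": tok[2],
                        "saf": saf, "deny": "DENY" in tok})
    return entries

def saf_resource(safname, sysname, tcpname):
    """SERVAUTH resource checked when a PORT entry carries the SAF keyword."""
    return f"EZB.PORTACCESS.{sysname}.{tcpname}.{safname}"

def job_matches(pattern, job):
    # '*' and OMVS accept any job here (Pascal API nuance ignored); 'ABC*' is a prefix.
    return pattern in ("*", "OMVS") or fnmatchcase(job, pattern)

def check_bind(entries, job, port, proto, restrictlowports=True):
    """Outcome of an explicit bind by an unauthorized job: ALLOW, DENY or SAF:<name>."""
    job, proto = job.upper(), proto.upper()
    reserved = [e for e in entries if e["port"] == port and e["proto"] == proto]
    if reserved:                                  # port is in the reservation list
        for e in reserved:
            if e["job"] == "RESERVED":
                return "DENY"
            if job_matches(e["job"], job):
                return f"SAF:{e['saf']}" if e["saf"] else "ALLOW"
        return "DENY"                             # reserved for some other job
    if restrictlowports and port <= 1023:
        return "DENY"                             # RESTRICTLOWPORTS; UNRSV rules cover only >1023
    unrsv = [e for e in entries if e["port"] is None and e["proto"] == proto]
    if not unrsv:
        return "ALLOW"                            # no PORT UNRSV for this protocol: open
    for e in unrsv:
        if job_matches(e["job"], job):
            return "DENY" if e["deny"] else (f"SAF:{e['saf']}" if e["saf"] else "ALLOW")
    return "DENY"                                 # no matching UNRSV entry: denied
```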

PORTRANGE
PORTRANGE is a statement used to reserve a range of ports for specified job names.

SACONFIG
SACONFIG is the statement used to configure the information about the SNMP TCP/IP subagent. The AGENT keyword on this statement is used to specify the port number to be used when the TCP/IP subagent connects to the SNMP agent. Omission of this statement causes TCPIP to assume the default value of SACONFIG ENABLED COMMUNITY public AGENT 161. For more information on the SACONFIG profile statement, see z/OS Communications Server: IP Configuration Reference.