Steps for controlling whether an application can bind to create a DVIPA within a specific VIPARANGE subnet

You can define a System Authorization Facility (SAF) resource profile in the SERVAUTH class to control which applications can bind to create dynamic VIPAs (DVIPAs) within a specific VIPARANGE subnet.

Procedure

Perform the following steps to control whether an application can bind to create a DVIPA within a specific VIPARANGE subnet for use by only that application:

  1. Define the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource profile in the SERVAUTH class. For example, to protect a VIPARANGE subnet for application APPL1, you can define the EZB.BINDDVIPARANGE.sysname.tcpname.APPL1 resource profile using the following command: 
    RDEFINE SERVAUTH (EZB.BINDDVIPARANGE.sysname.tcpname.APPL1) UACC(NONE)
  2. On the VIPARANGE statement, include the SAF parameter with a resname value that matches the resname value of the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource profile. For example: 
    VIPARANGE DEFINE 255.255.255.255 10.10.10.1 SAF APPL1

    For more information about the SAF parameter on the VIPARANGE statement, see z/OS Communications Server: IP Configuration Reference.

  3. Give the user ID that is associated with the application READ access to the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource. For example: 
    PERMIT EZB.BINDDVIPARANGE.sysname.tcpname.APPL1 ACCESS(READ) CLASS(SERVAUTH) ID(userid)
  4. Refresh the resource profile by issuing the following RACF® command: 
    SETROPTS RACLIST(SERVAUTH) REFRESH

Results

In this example, sysname is the name of the MVS™ system, userid is the user ID that is associated with the application, and tcpname is the job name of the TCP/IP started task. For information about how the job name for a started task, such as TCP/IP, is determined, see Steps for controlling which applications can bind to create a DVIPA.

Results:
  • If the SAF parameter is specified and the user ID has READ access to the resource, then the bind is processed.
  • If the SAF parameter is specified and the user ID does not have READ access to the resource, then the bind fails.
  • If the SAF parameter is specified but the resource profile is not defined, then the bind fails.
  • All of the following profile specifications that include wildcard values match the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource profile name:
    • EZB.BINDDVIPARANGE.*.*
    • EZB.BINDDVIPARANGE.**
    • EZB.BINDDVIPARANGE.*.*.*

    The most specific match to a resource profile is always used.

Parent topic: Defining a security profile for binding to DVIPAs in the VIPARANGE statement