Complete this task to define the appropriate security authorizations for Policy Agent.
About this task
The policies managed by Policy Agent can significantly affect system operation. Therefore, you must restrict the list of z/OS® user IDs under which Policy Agent is allowed to run. To do this, you must define certain resources and controls in your system’s security management product, such as RACF®.
Procedure
Complete the following steps to set up security definitions for Policy Agent in RACF.
- Define the PAGENT user ID.
In this example, Policy Agent runs under the z/OS user ID named PAGENT and has a default group (DFLTGRP) of OMVSGRP and an OMVS segment with a UID of 0.
ADDUSER PAGENT DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/'))
- Define the PAGENT started task to RACF.
In this example, Policy Agent runs as a z/OS started task named PAGENT. To define the Policy Agent started task to RACF, use the RDEFINE command to create the PAGENT.* profile in the STARTED class. (The SETROPTS commands are included for completeness. These commands have no effect when the STARTED class is already activated.)
SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED)
SETROPTS GENERIC(STARTED)
RDEFINE STARTED PAGENT.* STDATA(USER(PAGENT))
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
- Grant Policy Agent the ability to make socket requests during TCP/IP stack initialization.
A TCP/IP stack initializes before Policy Agent installs policies into the stack. During the initialization window, only user IDs that are permitted to the EZB.INITSTACK.sysname.tcpname profile in the SERVAUTH class can make socket requests.
The following example shows the RACF commands that define a generic EZB.INITSTACK.** resource profile and grant READ access to the PAGENT user ID.
SETROPTS GENERIC(SERVAUTH)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
RDEFINE SERVAUTH EZB.INITSTACK.** UACC(NONE)
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(PAGENT)
SETROPTS RACLIST(SERVAUTH) REFRESH
In addition to PAGENT, also grant READ access to the following applications:
- OMPROUTE
- SNMP agent and subagents
- NAMED
- Other applications that do not require AT-TLS but that you want to start prior to general applications
- Grant access to authorized users to manage the PAGENT started task.
To restrict management access to the PAGENT started task, define a MVS.SERVMGR.PAGENT profile in the OPERCMDS resource class and permit authorized users access to this profile, as in the following example:
SETROPTS CLASSACT(OPERCMDS)
SETROPTS RACLIST (OPERCMDS)
RDEFINE OPERCMDS (MVS.SERVMGR.PAGENT) UACC(NONE)
PERMIT MVS.SERVMGR.PAGENT CLASS(OPERCMDS) ACCESS(CONTROL) ID(PAGENT)
SETROPTS RACLIST(OPERCMDS) REFRESH
- Consider restricting access to the pasearch command.
You can use the z/OS UNIX pasearch command to display policy definitions. The output from this command indicates whether policy rules are active and shows the policy definition attributes. However, you might not want every user to be able to see the policy definitions. To restrict access to the pasearch command, define an appropriate resource profile in the SERVAUTH resource class, as described in step 1 of "Steps for configuring the Policy Agent" in z/OS Communications Server: IP Configuration Guide.
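After completing the steps above, confirm that the definitions took effect before starting Policy Agent, because a missing STDATA mapping or a READ permission that was not RACLIST-refreshed fails silently until the started task or the stack initialization window is hit. The following REXX exec is an added example and is not part of the original documentation; it assumes the names used in the procedure above (PAGENT, OMVSGRP, PAGENT.*, EZB.INITSTACK.**, MVS.SERVMGR.PAGENT) and only issues display commands, so it changes nothing.

```rexx
/* REXX - display the Policy Agent RACF definitions created by the steps above.  */
/* Added verification example, not part of the original procedure.               */
/* Assumed names: PAGENT, OMVSGRP, PAGENT.*, EZB.INITSTACK.**, MVS.SERVMGR.PAGENT */
/* are the values the procedure uses; change them if your site chose others.     */
address TSO
failed = 0

/* User ID step: expect DFLTGRP=OMVSGRP and an OMVS segment with UID= 0000000000. */
call check "LISTUSER PAGENT OMVS"

/* Started-task step: STDATA should show USER= PAGENT for the PAGENT.* profile.    */
call check "RLIST STARTED PAGENT.* STDATA"

/* INITSTACK step: UACC should be NONE; the access list should show PAGENT with   */
/* READ, plus OMPROUTE, SNMP and NAMED if you granted them as well.                */
call check "RLIST SERVAUTH EZB.INITSTACK.** AUTHUSER"

/* Management step: only the intended IDs should hold CONTROL on this profile.     */
call check "RLIST OPERCMDS MVS.SERVMGR.PAGENT AUTHUSER"

/* Class options: STARTED, SERVAUTH and OPERCMDS should appear as active, generic  */
/* and RACLISTed; a profile that exists but is not RACLISTed is not yet in effect. */
call check "SETROPTS LIST"

if failed > 0 then say "Verification: " failed " command(s) ended with a nonzero return code"
else say "Verification: all display commands completed; review the output above"
exit failed

/* Issue one RACF command and record whether it ended with a nonzero return code. */
check: procedure expose failed
  parse arg cmd
  say "==> " cmd
  cmd
  if rc <> 0 then do
    say "    return code" rc "from:" cmd
    failed = failed + 1
  end
return
```

Run it from TSO with a user ID that has READ on the profiles (or the RACF SPECIAL or AUDITOR attribute) so that RLIST can show the access lists; a return code of 4 on RLIST usually means the profile does not exist, which is exactly the gap this check is meant to catch.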