Defining security authorization for Policy Agent

Complete this task to define the appropriate security authorizations for Policy Agent.

About this task

The policies managed by Policy Agent can significantly affect system operation. Therefore, you must restrict the list of z/OS® user IDs under which Policy Agent is allowed to run. To do this, you must define certain resources and controls in your system’s security management product, such as RACF®.

Procedure

Complete the following steps to set up security definitions for Policy Agent in RACF.

  1. Define the PAGENT user ID.

    In this example, Policy Agent runs under the z/OS user ID named PAGENT and has a default group (DFLTGRP) of OMVSGRP and an OMVS segment with a UID of 0.

    ADDUSER PAGENT DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/'))
  2. Define the PAGENT started task to RACF.

    In this example, Policy Agent runs as a z/OS started task named PAGENT. To define the Policy Agent started task to RACF, use the RDEFINE command to create the PAGENT.* profile in the STARTED class. (The SETROPTS commands are included for completeness. These commands have no effect when the STARTED class is already activated.)

    SETROPTS CLASSACT(STARTED)
    SETROPTS RACLIST(STARTED)
    SETROPTS GENERIC(STARTED)
    RDEFINE STARTED PAGENT.* STDATA(USER(PAGENT))
    SETROPTS RACLIST(STARTED) REFRESH
    SETROPTS GENERIC(STARTED) REFRESH
  3. Grant Policy Agent the ability to make socket requests during TCP/IP stack initialization.

    A TCP/IP stack initializes before Policy Agent installs policies into the stack. During the initialization window, only user IDs that are permitted to the EZB.INITSTACK.sysname.tcpname profile in the SERVAUTH class can make socket requests.

    The following example shows the RACF commands that define a generic EZB.INITSTACK.** resource profile and grant READ access to the PAGENT user ID.

    SETROPTS GENERIC(SERVAUTH)
    SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
    RDEFINE SERVAUTH EZB.INITSTACK.** UACC(NONE)
    PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(PAGENT)
    SETROPTS RACLIST(SERVAUTH) REFRESH

    In addition to PAGENT, also grant READ access to the following applications:
    • OMPROUTE
    • SNMP agent and subagents
    • NAMED
    • Other applications that do not require AT-TLS but that you want to start prior to general applications
  4. Grant access to authorized users to manage the PAGENT started task.

    To restrict management access to the PAGENT started task, define an MVS.SERVMGR.PAGENT profile in the OPERCMDS resource class and permit authorized users access to this profile, as in the following example:

    SETROPTS CLASSACT(OPERCMDS)
    SETROPTS RACLIST(OPERCMDS)
    RDEFINE OPERCMDS (MVS.SERVMGR.PAGENT) UACC(NONE)
    PERMIT MVS.SERVMGR.PAGENT CLASS(OPERCMDS) ACCESS(CONTROL) ID(PAGENT)
    SETROPTS RACLIST(OPERCMDS) REFRESH
  5. Consider restricting access to the pasearch command.

    You can use the z/OS UNIX pasearch command to display policy definitions. The output from this command indicates whether policy rules are active and shows the policy definition attributes. However, you might not want every user to be able to see the policy definitions. To restrict access to the pasearch command, define an appropriate resource profile in the SERVAUTH resource class, as described in step 1 of "Steps for configuring the Policy Agent" in z/OS Communications Server: IP Configuration Guide.
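As an added check that is not part of this task and not an IBM tool: the Python lint below reads a RACF command script shaped like steps 3 and 4 and reports an RDEFINE whose UACC is not NONE, a PERMIT that names a profile the script never defined (a typo leaves the intended profile unreachable), and a RACLISTed class that was changed without a closing SETROPTS RACLIST(class) REFRESH, without which the in-storage profiles still serve the old definitions. The sample script is constructed, with those three mistakes planted; the keyword parsing covers only the flat operands used in these steps.

```python
import re

# Constructed sample (planted mistakes: UACC(READ), misspelled PERMIT profile, no OPERCMDS REFRESH).
SAMPLE = """\
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
RDEFINE SERVAUTH EZB.INITSTACK.** UACC(NONE)
PERMIT EZB.INITSTACK.** CLASS(SERVAUTH) ACCESS(READ) ID(PAGENT)
SETROPTS RACLIST(SERVAUTH) REFRESH
SETROPTS CLASSACT(OPERCMDS)
SETROPTS RACLIST (OPERCMDS)
RDEFINE OPERCMDS (MVS.SERVMGR.PAGENT) UACC(READ)
PERMIT MVS.SERVMGR.PAGNET CLASS(OPERCMDS) ACCESS(CONTROL) ID(PAGENT)
"""

# Keyword operands this lint understands; TSO syntax allows a blank before the "(".
KEYWORD = re.compile(r"\b(UACC|CLASS|ACCESS|ID|RACLIST|CLASSACT|GENERIC)\s*\(([^)]*)\)")

def parse_line(line: str) -> tuple[str, list[str], dict[str, str]]:
    # Split one command into verb, positional operands (parentheses stripped) and keywords.
    line = line.strip().upper()
    keywords = dict(KEYWORD.findall(line))
    positional = [tok.strip("()") for tok in KEYWORD.sub(" ", line).split()]
    return positional[0], positional[1:], keywords

def lint(script: str) -> list[str]:
    # One command per line; returns human-readable findings in script order.
    findings: list[str] = []
    defined: set[tuple[str, str]] = set()   # (class, profile) pairs RDEFINEd in this script
    raclisted: set[str] = set()             # classes RACF serves from in-storage profiles
    dirty: set[str] = set()                 # classes changed since their last REFRESH
    for n, raw in enumerate(script.splitlines(), 1):
        verb, pos, kw = parse_line(raw)
        if verb == "SETROPTS" and "RACLIST" in kw:
            raclisted.add(kw["RACLIST"])
            if "REFRESH" in pos:
                dirty.discard(kw["RACLIST"])
        elif verb == "RDEFINE":
            cls, profile = pos[0], pos[1]
            defined.add((cls, profile))
            dirty.add(cls)
            if kw.get("UACC") != "NONE":
                findings.append(f"line {n}: {profile} has UACC({kw.get('UACC')}); expected UACC(NONE)")
        elif verb == "PERMIT":
            cls, profile = kw.get("CLASS", "DATASET"), pos[0]   # PERMIT defaults to DATASET
            dirty.add(cls)
            if (cls, profile) not in defined:
                findings.append(f"line {n}: PERMIT to {profile} in {cls} has no matching RDEFINE")
    for cls in sorted(dirty & raclisted):
        findings.append(f"{cls} changed without a closing SETROPTS RACLIST({cls}) REFRESH")
    return findings
```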

What to do next

Continue with Creating the Policy Agent configuration files.