REXECD Configuration Chapter Contains Incorrect Information
APAR Identifier ...... PQ21844 Last Changed ........ 99/03/26
REXECD CONFIGURATION CHAPTER CONTAINS INCORRECT INFORMATION
Symptom ...... DD DOC Status ........... CLOSED DOC
Severity ................... 3 Date Closed ......... 99/03/26
Component .......... 5735FAL00 Duplicate of ........
Reported Release ......... 310 Fixed Release ............
Component Name TCP/IP V2 FOR V Special Notice
Current Target Date .. Flags
SCP ...................
Platform ............
Status Detail: APARCLOSURE - APAR is being closed.
PE PTF List:
PTF List:
Parent APAR:
Child APAR list:
ERROR DESCRIPTION:
Customer is attempting to configure several FL310 servers for
use; for this environment, an external security manager (ESM)
is also in use. In addition to several documentation errors,
the customer has also found certain aspects of the
configuration process to be difficult, especially with regard
to ESM-related parameters, and the use of DTCPARMS "generated"
parameters versus the use of parameters specified directly for
a given server command.
The REXECD configuration chapter (Chapter 18) of the TCP/IP
FL310 "Planning and Customization" book (SC24-5847) is
representative of the errors encountered during the
configuration process. Significant among these are:
- Information in the "Using RACF" section is not correct. The
left parenthesis ("(") in the sample ":Parms." entry in this
section should not be present; its use will cause an
initialization error.
- Text that discusses the VALIDATE EXEC is not correct; this
file is not supplied with TCP/IP FL310.
- The section "Starting the Server" should be revised to
elaborate on the use of DTCPARMS entries to provide ESM and
Anonymous support, instead of the '-r' and '-s' parameters.
LOCAL FIX:
The '-r' and '-s' startup parameters should not be specified
as part of a ":Parms." entry for the REXECD server (in the
DTCPARMS file). Instead, the necessary "ESM"-related tags and
values should be used for a RACF (or other ESM) environment
in place of the '-r' parameter. Similarly, the ":Anonymous.YES"
and any required "rexec_agent" DTCPARMS entries should be used
to enable anonymous rexec support, instead of "-s RXAGENTn"
parameters.
PROBLEM SUMMARY:
****************************************************************
* USERS AFFECTED: TCP/IP administrators who need to configure *
* the REXECD server. *
****************************************************************
* RECOMMENDATION: UPDATE DOCUMENTATION *
****************************************************************
Various documentation errors and shortcomings are present in
the TCP/IP FL310 "Planning and Customization" book (SC24-5847)
which, when taken as a whole, make configuring certain TCP/IP
server virtual machines prone to error. The configuration
information for the REXECD server is one such topic that is
affected by these problems.
Documentation in the following chapters needs to be corrected
and improved so that the server configuration process can be
completed more readily, and with fewer errors.
o Chapter 18 - "Configuring the REXECD Virtual Machine"
o Chapter 5 - "Methods of Server Configuration"
o Appendix C - "Using TCP/IP with an External Security Manager"
PROBLEM CONCLUSION:
The revised information that follows will be included in any
future updates to the following publication(s):
SC24-5847-00 -- TCP/IP Function Level 310 Planning and
Customization
===============================================================
Chapter 18, "Configuring the REXECD Virtual Machine",
pp. 291-294
Section: "Updating the DTCPARMS File for REXECD", p. 291
--------
The initial paragraph in this section should be:
When the REXEC server is started, the TCP/IP server
initialization program searches specific DTCPARMS files for
configuration definitions that apply to this server. Tags
that affect the REXEC server are:
<Tags as currently listed remain...>
The "Note" in this section should indicate the following:
Note: You should modify the DTCPARMS file for the REXEC
server if you:
o Run the server with an External Security Manager (ESM),
such as RACF/VM.
o Choose to enable anonymous rexec capabilities.
o Override default command parameters for this server.
Section: "Using RACF", p. 292
--------
This section should be re-titled as: "REXECD with an External
Security Manager", and should contain only the following
paragraph:
The REXEC server can be configured such that client
authentication will be under the control of an external
security manager (ESM), such as RACF/VM. For more
information, see Appendix C, "Using TCP/IP with an External
Security Manager".
(Note that ALL references to the VALIDATE EXEC within this
chapter -- and in other sections of the "TCP/IP Function Level
310 Planning and Customization" book -- are erroneous. The
VALIDATE EXEC file is NOT supplied with TCP/IP Function Level
310.)
Section: "Starting the Server", p. 292
--------
The initial paragraph for this section should be:
REXEC services are initiated using the REXECD command.
<Syntax diagram shown remains...>
The following parameter descriptions are changed, as follows:
Parameter Description
--------- -------------------------------------------------
-r Indicates an external security manager is to be
used to validate VM user IDs and passwords
supplied by rexec clients.
It is recommended that you not specify this
parameter as part of a ":Parms." definition for
this server, but instead use an ":ESM_Enable.YES"
entry in the DTCPARMS file. For more
information, see Chapter 5, "Automatic Generation
of Selected Startup Parameters".
For more information about configuring the REXEC
server to control access to system resources,
see Appendix C, "Using TCP/IP with an External
Security Manager"
-s agent_id Identifies the "agent_id" virtual machine as a
member of the anonymous client agent server pool.
All such agents must have ":Class.rexec_agent"
and ":For.REXECD" (the user ID of the rexec
server) entries included in their DTCPARMS file
server definitions. By default, only the
RXAGENT1 agent machine is defined in this file.
It is recommended that you not specify this
parameter as part of a ":Parms." definition for
this server, but instead use an ":Anonymous.YES"
entry in the DTCPARMS file. For more
information, see Chapter 5, "Automatic Generation
of Selected Startup Parameters".
Figure 14 is removed; it does not convey useful information
with respect to the use of DTCPARMS file entries for server
configuration.
"Note 1" of the "Notes" section that follows "Figure 14" is
removed; it is not correct.
===============================================================
Chapter 5, "Methods of Server Configuration", p. 29
Section: "Format of DTCPARMS", p. 30
--------
The section should be re-titled to: "DTCPARMS File Format" and
should include the following changes:
The first paragraph should indicate the following:
The DTCPARMS file uses a format similar to CMS NAMES files and
is maintained using XEDIT. Two types of entries comprise this
file -- "server" definitions that identify specific server
virtual machines, and "class" definitions that define specific
attributes to support the application protocol used by a given
server.
The following sample entries define the configuration for the
TCPIP virtual machine:
<Existing ":Nick." sample entries remain...>
The paragraph that follows the TCPIP sample entries is expanded
to indicate the following:
The ":Nick.TCPIP" entry defines the TCPIP user ID as a
"server" entry type; this server is an instance of the "stack"
server "class". The ":Nick.stack" entry defines the
attributes and characteristics of the "stack" server class.
When entries are defined or modified, keep in mind the
following:
o Entries consist of "tags" and "tag values".
o Entries that define a server using a ":Type.Server"
definition must also include a ":Class." tag and
value to identify the "class" to which that server
belongs.
o Tags defined as part of a "server" entry will be used for
only that server instance (that is, the specific virtual
machine user ID identified by the ":Nick." tag).
o Tags defined as part of a "class" entry will be used
for all servers of that class (unless overriding tags are
defined as part of a "server" entry that references
the class).
<Existing items remain...>
Section: "DTCPARMS Tags", p. 30
--------
In "Table 2. DTCPARMS Tags for Configuring Servers", p. 32,
the ":PARMS." tag "Description" should read as follows:
Tag Description
-------- ----------------------------------------------------
:Parms. Defines startup parameters to be passed to the
server. Parameters should be specified as
defined by the syntax of the command associated
with this server.
Parameters that affect the security characteristics
of a server are automatically generated through use
of the ":Anonymous." and ":ESM_Enable." tags. Thus,
these parameters should not be specified using the
":Parms." tag. For information about parameters to
which this applies, see "Automatic Generation of
Selected Startup Parameters" on page 34.
Parameters provided through use of the ":Parms." tag
may override those that are automatically generated.
Section: "Automatic Generation of Selected Startup
-------- Parameters", p. 34
(This is a new section, added prior to the existing section
titled "Adding New Servers and Server Classes", p. 34)
For certain IBM-supplied server classes, all parameters
related to the use of external security manager (ESM) or
anonymous user/login support are automatically generated
during the server initialization process.
The server classes, default server IDs, startup parameters,
and tags/values that affect this processing are listed in
"Table 3. Server Parameters Generated at Initialization".
For the servers listed in this table, the parameters indicated
should be omitted from any ":Parms." tag definitions used for
those servers; the tags and values shown should instead be
used, to allow these parameters to be generated during server
initialization.
Note: Failure to use the tags listed in Table 3 may result in
incorrect or insecure operation of the identified
servers.
=============================================================
| Table 3. Server Parameters Generated at Initialization |
|-----------------------------------------------------------|
| Server Class| Generated | Controlling DTCPARMS Tag/Value |
| (Server ID) | Parameter | |
|-----------------------------------------------------------|
| "rexec" | -r | :ESM_Enable.YES |
| (REXECD) | | |
| | -s | :Anonymous.YES (1) |
|-----------------------------------------------------------|
| "nfs" | R | :ESM_Enable.YES |
| | | |
| (VMNFS) | N | :Anonymous.YES |
|-----------------------------------------------------------|
| "ftp" | RACF | :ESM_Enable.YES |
| (FTPSERVE) | | |
| | ANONYMOU | :Anonymous.YES |
|-----------------------------------------------------------|
| "ndb_agent" | -r | :ESM_Enable.YES |
| (NDBSRVnn) | | |
=============================================================
Notes:
1. For the "-s" parameter to be generated as a REXEC startup
parameter for a REXEC server, the following conditions
must be met:
o At least one DTCPARMS file entry must be present that
defines a server of the "rexec_agent" class.
o Each REXEC agent server entry must define its agent
virtual machine to be a server for a particular REXEC
server, through an appropriate ":For.userid" definition.
o The REXEC server entry (or the "rexec" class entry it
references) must include an ":Anonymous.YES" entry.
===============================================================
Appendix C, "Using TCP/IP with an External Security
Manager", pp. 511-514
Section: Introductory text, p. 511
--------
The introductory text for this appendix should indicate the
following:
<First paragraph remains unchanged...>
The FTP, LP, NDB agent, NFS and REXEC daemons (FTPSERVE,
LPSERVE, NDBSRVnn, VMNFS and REXECD servers, respectively) can
be configured to interface with an external security manager
(ESM) to provide system resource protection, if desired.
Resource Access Control Facility (RACF/VM) is an external
security manager that offers effective user verification,
resource authorization, and logging capabilities.
This appendix describes customization steps necessary to
configure the previously listed servers to interface with the
RACF/VM program product. If you use an external security
manager other than RACF/VM, consult the appropriate
publications for your security manager for similar
configuration information.
Section: "Authorization Interfaces", p. 512
--------
The text for this section should indicate the following:
Authorization interfaces are enabled and defined (for those
servers that can use them) by the following DTCPARMS tags:
Tag Description
-------------- ----------------------------------------------
:ESM_Enable. Indicates whether an External Security
Manager (ESM) is to be used to authenticate
and authorize access to resources managed by
this server. The default is NO.
:ESM_Validate. Identifies a program to validate user IDs and
passwords supplied by clients. The default
when no value is specified for this tag
is RPIVAL.
:ESM_Racroute. Identifies a program to initialize and
terminate the RACROUTE environment. The
default when no value is specified for this
tag is RPIUCMS.
The servers that follow can be configured to use RACF/VM
access control services through specification of an
":ESM_Enable.YES" entry:
o FTPSERVE
o LPSERVE
o NDBSRVnn
o REXECD
o VMNFS
This entry should be specified as part of the respective
":Class." definitions that are referenced by the
":Type.Server" entries which define these servers. This will
ensure that ALL servers of the same class will use the defined
ESM services.
Because the default values for the ":ESM_Validate." and
":ESM_Racroute." tags are appropriate for RACF/VM, it is not
necessary to specify values for these tags in such an
environment.
If an ESM other than RACF/VM is in use, it may be necessary to
define alternate values for the ":ESM_Validate." and
":ESM_Racroute." tags. Again, these tags should be included
in the appropriate DTCPARMS file ":Class." entries.
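The following Python program illustrates the DTCPARMS rules described in
Chapter 5 (server entries inheriting class tags, with server tags
overriding), the parameter generation of Table 3 and its Note 1, and the
Appendix C defaults for ":ESM_Validate." and ":ESM_Racroute.". It is an
added example written for this page and is not IBM code: the sample
DTCPARMS text is constructed, the parser is a simplification of the CMS
NAMES-style format, the function names are the author's, and the choice to
emit one "-s" parameter per qualifying agent and to flag ":Parms." tokens
that duplicate generated parameters are assumptions made for the
illustration.

```python
"""Resolve DTCPARMS server definitions and derive the security-related
startup parameters of Table 3.  Added illustration, not IBM code; the
parser is a simplification of the CMS NAMES-style DTCPARMS format."""
import re

# Constructed sample: a corrected REXECD definition using the tags, a
# REXECD2 definition that still hard-codes -r/-s in :Parms., one agent,
# and an FTP server that inherits :ESM_Enable. from its class.
SAMPLE_DTCPARMS = """\
* server classes
:nick.rexec        :type.class   :ESM_Enable.YES
:nick.rexec_agent  :type.class
:nick.ftp          :type.class   :ESM_Enable.YES
* servers
:nick.REXECD       :type.server  :class.rexec
                   :Anonymous.YES
:nick.RXAGENT1     :type.server  :class.rexec_agent  :For.REXECD
:nick.REXECD2      :type.server  :class.rexec
                   :Parms.-r -s RXAGENT1
:nick.FTPSERVE     :type.server  :class.ftp
"""

# Table 3: parameter generated per class when the controlling tag is YES.
GENERATED = {
    "rexec":     {"esm_enable": "-r",   "anonymous": "-s"},
    "nfs":       {"esm_enable": "R",    "anonymous": "N"},
    "ftp":       {"esm_enable": "RACF", "anonymous": "ANONYMOU"},
    "ndb_agent": {"esm_enable": "-r"},
}
# Appendix C defaults when the tag carries no value (RACF/VM).
ESM_DEFAULTS = {"esm_validate": "RPIVAL", "esm_racroute": "RPIUCMS"}

TAG = re.compile(r":(\w+)\.")


def parse_dtcparms(text):
    """Return {NICK: {tag: value}}.  '*' lines are comments; a tag value
    runs up to the next ':tag.'; an entry runs from one :nick. to the next."""
    body = " ".join(l for l in text.splitlines() if not l.lstrip().startswith("*"))
    parts = TAG.split(body)          # ['', 'nick', 'rexec ', 'type', 'class ', ...]
    entries, current = {}, None
    for tag, value in zip(parts[1::2], parts[2::2]):
        tag, value = tag.lower(), value.strip()
        if tag == "nick":
            current = entries.setdefault(value.upper(), {})
        elif current is not None:
            current[tag] = value
    return entries


def resolve(entries, nick):
    """Effective tags for a server: class tags, overridden by the server entry."""
    server = entries[nick.upper()]
    cls = entries.get(server.get("class", "").upper(), {})
    merged = {k: v for k, v in cls.items() if k != "type"}
    merged.update(server)
    return merged


def generated_parms(entries, nick):
    """Startup parameters the initialization program would generate (Table 3)."""
    tags = resolve(entries, nick)
    table = GENERATED.get(tags.get("class", "").lower())
    if table is None:
        return []
    parms = []
    if tags.get("esm_enable", "NO").upper() == "YES":
        parms.append(table["esm_enable"])
    if tags.get("anonymous", "NO").upper() == "YES" and "anonymous" in table:
        if table["anonymous"] == "-s":
            # Note 1: -s needs rexec_agent servers whose :For. names this server.
            # Assumption: one -s per agent found.
            agents = sorted(n for n, e in entries.items()
                            if e.get("class", "").lower() == "rexec_agent"
                            and e.get("for", "").upper() == nick.upper())
            parms += [f"-s {a}" for a in agents]
        else:
            parms.append(table["anonymous"])
    return parms


def esm_interface(entries, nick):
    """Validation and RACROUTE programs in effect, or None if no ESM is enabled."""
    tags = resolve(entries, nick)
    if tags.get("esm_enable", "NO").upper() != "YES":
        return None
    return {t: tags.get(t) or d for t, d in ESM_DEFAULTS.items()}


def audit_parms(entries, nick):
    """Tokens in :Parms. that Table 3 says should be generated, not hard-coded."""
    tags = resolve(entries, nick)
    table = GENERATED.get(tags.get("class", "").lower(), {})
    return [p for p in tags.get("parms", "").split() if p in table.values()]


if __name__ == "__main__":
    cfg = parse_dtcparms(SAMPLE_DTCPARMS)
    for nick in ("REXECD", "REXECD2", "FTPSERVE"):
        print(nick, generated_parms(cfg, nick), esm_interface(cfg, nick),
              "hard-coded:", audit_parms(cfg, nick))
```

Run as shown, REXECD yields "-r" and "-s RXAGENT1" from its class and
server tags alone, FTPSERVE yields "RACF" from the class-level
":ESM_Enable.YES", and REXECD2 is reported for carrying "-r" and "-s" in
":Parms.", the form the local fix above says to avoid. Because REXECD2
has no ":Anonymous.YES" and no agent names it in a ":For." tag, no "-s"
is generated for it even though its ":Parms." asks for one.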
TEMPORARY FIX:
COMMENTS:
MODULES/MACROS:
SRLS: SC24584700
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: