Informational APAR
Using VMSECURE in the TCP/IP for VM Environment


 APAR Identifier ...... II06478      Last Changed ........ 99/06/28
 TCPIPINFO USING VMSECURE IN THE TCP/IP FOR VM ENVIRONMENT
 
 Symptom ...... IN INCORROUT         Status ........... CLOSED  CAN
 Severity ................... 4      Date Closed ......... 92/10/26
 Component .......... INFOPALIB      Duplicate of ........
 Reported Release ......... 001      Fixed Release ............
 Component Name PA LIB INFO ITE      Special Notice
 Current Target Date ..              Flags
 SCP ...................
 Platform ............
 
 Status Detail: Not Available
 
 PE PTF List:
 
 PTF List:
 
 Parent APAR:
 Child APAR list:
 
 ERROR DESCRIPTION:
 ***************************************************************
 * Topic: VMSECURE and TCP/IP Servers                          *
 * Last Update: 28 June 1999 (MAC)                             *
 *                                                             *
 * This informational APAR contains information relevant to    *
 * running TCP/IP for VM, in conjunction with the VMSECURE     *
 * product from Sterling Software, Inc., for controlling       *
 * access to minidisks and/or SFS directories.                 *
 *                                                             *
 * This information may also prove useful when other external  *
 * security manager offerings -- such as ACF2 -- are used, as  *
 * similar changes will be necessary.  However, it's           *
 * recommended that you contact the support center associated  *
 * with the security package in use, for detailed information  *
 * about any changes that are required.                        *
 *                                                             *
 ***************************************************************
 
 Purpose of this Informational APAR:
 To provide information to customers who are installing TCP/IP
 for VM on systems that are running the VMSECURE security
 package from Sterling Software, Inc.
 
 ===============================================================
 Additional References
 =====================
 Sterling Software, Inc. Support Center:  1-703-264-8100
 
 Technical Information:
 
 The following guidelines should be completed prior to
 proceeding with individual TCP/IP server customization.
 Following the "General Requirements" section are instructions
 for specific TCP/IP server machines that utilize the function
 provided by VMSECURE.
 
 ===============================================================
 General Requirements:
 
 1) Contact Sterling Software's VMSECURE technical support group
    and request a copy of the VALIDATE ASSEMBLE file to be used
    with TCP/IP for VM.  This routine performs DIAG A0
    subfunction '0004' to validate passwords.  The following
    steps should be followed to create a VALIDATE MODULE from
    the Sterling Software-supplied VALIDATE ASSEMBLE code.
    After the VALIDATE MODULE has been created, it must then
    be placed on a disk in the search order of the server
    virtual machines that need to use it.  It's recommended
    that the executable VALIDATE MODULE be installed on the
    "server common" disk (by default, this is the TCPMAINT
    591).  This disk is guaranteed to be in the search order of
    all TCP/IP service virtual machines.
 
    To generate an executable VALIDATE MODULE from the Sterling
    Software-supplied source, perform the following steps:
 
     a) Assemble the source file using the VMFASM command.  The
        syntax to use is:
 
          VMFASM VALIDATE "cntrl_file_name"
 
        where "cntrl_file_name" is:
 
          DMSSP - If the system on which the source is being
                  assembled is at CMSLEVEL CMS Release 5 or
                  CMS Release 6.
 
          DMSXA - If the system on which the source is being
                  assembled is at CMSLEVEL CMS Release 5.5
                  or CMS Release 5.6.
 
          DMSVM - If the system on which the source is being
                  assembled is at CMSLEVEL CMS Release 7 or
                  higher.
 
     b) Generate the executable load module using the following
        command sequence:
 
          LOAD VALIDATE (CLEAR NOAUTO RLDSAVE
          GENMOD
 
        These commands will create a VALIDATE MODULE and a LOAD
        MAP file on the A-disk.  The LOAD MAP file can be
        discarded.  The VALIDATE MODULE should be installed as
        instructed above.
 
 2) The TCP/IP-supplied TCPRUN EXEC must be at a maintenance
    level of APAR PN29712 (PTF UN29366), or higher.  If your
    site does not have this maintenance applied, it should
    be obtained and applied to the system before you continue
    with this procedure.
 
 3) The following statement SHOULD be included in the directory
    definition for each TCP/IP server that accesses VMSECURE
    for security validation:
 
      IUCV DUALPASS
 
    Its benefit is seen in the situation when the FTP server
    attempts to validate a user ID / password pair, but the
    VMSECURE service machine is not available for some reason.
    Without the DUALPASS statement, the validation will fail
    with a specification check; when this statement is included,
    validation will be performed via an alternate path.
 
    Note: Inclusion of the IUCV DUALPASS statement is not a
          "hard" or immediate requirement.  However, you should
          consider its use.
 
 ===============================================================
 
 FTPSERVE Customization:
 
 1) The FTPSERVE "initialization user exit" (FTPDEXIT EXEC)
    must be modified to specify that a "RACF interface" is to
    be used.  This will cause FTPSERVE to issue calls to the
    security interface, via the RACFLINK EXEC.  The "racf"
    parameter should be added to the REXX assignment statement
    for the "parms" variable:
 
      parms = 'racf'
 
    (This is line 85 of the V2R2 base level of the FTPDEXIT
    EXEC; line 101 for V2R3 and V2R4.  However, if the
    FTPDEXIT has already been customized, this assignment may
    also be done in the "Prelude" section of FTPDEXIT; you
    should verify that all assignments of the "parms" variable
    are correct.)
 
 2) If you're using TCP/IP for VM V2R3 or TCP/IP for VM V2R4,
    the FTPDRACF EXEC must be modified as follows:
 
      Change line:    ESM_validate_module = 'RPIVAL'
      To:             ESM_validate_module = 'VALIDATE'
 
      Change line:    ESM_INIT_Command = 'RPIUCMS INIT'
      To:             ESM_INIT_Command = 'RPIDUMY INIT'
 
    The RPIDUMY MODULE is provided for TCP/IP V2R3 via APAR
    PN66801; for TCP/IP V2R4, this module is included in the
    product base.
 
 3) In the AUTHORIZ CONFIG file, include the following two
    lines:
 
      GRANT DIAGPCHK TO "ftp_server_userid"
      GRANT SURROGAT TO "ftp_server_userid"
 
    where "ftp_server_userid" is replaced by the actual user ID
    of the FTP server (the default is FTPSERVE).
 
 ===============================================================
 REXECD Customization:
 
 1) The REXECD "initialization user exit" (REXECXIT EXEC) must
    be modified to specify that a "RACF interface" is to be
    used.  This will cause REXECD to issue calls to the
    security interface, via the VALIDATE EXEC.  The "-r"
    parameter should be added to the REXX assignment statement
    for the "parms" variable:
 
      parms = '-r'
 
    (This is line 85 of the V2R2 base level of the REXECXIT
    EXEC; line 101 for V2R3; line 105 for V2R4.  However, if
    the REXECXIT has already been customized, this assignment
    may also be done in the "Prelude" section of REXECXIT; you
    should verify that all assignments of the "parms" variable
    are correct.)
 
 2) In the AUTHORIZ CONFIG file, include the following line:
 
         GRANT DIAGPCHK TO "rexecd_server_userid"
 
    where "rexecd_server_userid" is replaced by the actual
    user ID of the REXECD server.
 
 3) If you're using TCP/IP for VM V2R3 or TCP/IP for VM V2R4,
    the REXDRACF EXEC must be modified as follows:
 
      Change line:    ESM_validate_module = 'RPIVAL'
      To:             ESM_validate_module = 'VALIDATE'
 
    The 'VALIDATE' associated with this change is the
    (VMSECURE) VALIDATE MODULE, previously described.
 
 ===============================================================
 VMNFS Customization:
 
 1) For TCP/IP V2R2, see "Configuring the Network File
    System" in "TCP/IP Version 2 Release 2 for VM: Planning and
    Customization" (SC31-6082-01), Chapter 16, p. 268, "VMNFS
    With RACF", for more information.

    For TCP/IP V2R3, see "Configuring the Network File
    System" in "TCP/IP Version 2 Release 3 for VM: Planning and
    Customization" (SC31-6082-02), Chapter 17, p. 210, "VMNFS
    With RACF", for more information.

    For TCP/IP V2R4, see "Configuring the Network File
    System" in "TCP/IP Version 2 Release 4 for VM: Planning and
    Customization" (SC31-6082-03), Chapter 17, p. 260, "VMNFS
    With RACF", for more information.
 
    However, instead of using the RACF-supplied VALIDATE
    MODULE, the previously created VALIDATE MODULE should be
    copied/renamed with a file name of:  VERIFYPW MODULE.
    It's the customer's responsibility to ensure the VERIFYPW
    MODULE is loaded as a nucleus extension, prior to
    executing the VMNFS MODULE.  This can be accomplished by
    modifying the VMNFSXIT EXEC.
 
    The following code segment can be used as a model for
    modifications to the VMNFS server initialization exit
    (VMNFSXIT EXEC), so that the validation module is loaded as
    a nucleus extension.  It assumes the appropriate version of
    an executable module has been created with the name
    VERIFYPW MODULE, and that this module is resident on a
    disk in the VMNFS server machine's search order.  As with
    the VALIDATE MODULE, the recommended installation disk is
    the "server common" disk (TCPMAINT 591).
 
    /* Sample code segment - NUCXLOAD of validation module */
      'NUCXDROP VERIFYPW'        /* Drop if already loaded */
      'NUCXLOAD VERIFYPW (SYSTEM'      /* Try the NUCXLOAD */
      saverc = rc                /* Save NUCXLOAD retcode  */
      If saverc <> 0 Then        /* NUCXLOAD successful?   */
        Do                       /* No, process the error  */
          :::                    /* Error code as required */
        End                      /* End - process error    */
 
    This sample code can be added at line 117 of the V2R2 base
    level of the VMNFSXIT EXEC; line 132 for V2R3; line 141 for
    V2R4.

    Note: It's recommended that appropriate error recovery
          code be implemented, which should include processing
          that prevents the server from completing
          initialization if the module cannot be loaded.
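
    As an added example (not part of this APAR or of IBM's
    VMNFSXIT EXEC), the following REXX segment carries the sample
    above through with the fail-closed error recovery the note
    calls for.  It assumes that a non-zero Exit code from VMNFSXIT
    halts VMNFS initialization; confirm this against the VMNFSXIT
    level installed at your site.

```rexx
/* Added example, not IBM-supplied code: fail-closed NUCXLOAD of */
/* the VMSECURE-based VERIFYPW MODULE for the VMNFSXIT EXEC.     */
/* Assumption: the caller of VMNFSXIT treats a non-zero Exit     */
/* code as an initialization failure, so VMNFS does not come up  */
/* without its password validation module.                       */
Address Command                  /* Issue CMS commands directly    */

/* Confirm the module is in the search order before loading it   */
'STATE VERIFYPW MODULE *'
If rc <> 0 Then Do               /* STATE rc 28 = file not found   */
  Say 'VMNFSXIT: VERIFYPW MODULE not found in the search order;',
      'verify the server common disk (TCPMAINT 591) is accessed.'
  Exit 28                        /* Stop VMNFS initialization      */
End

'NUCXDROP VERIFYPW'              /* Drop any stale copy; rc ignored*/
'NUCXLOAD VERIFYPW (SYSTEM'      /* Load as a system nucleus ext.  */
saverc = rc                      /* Save the NUCXLOAD return code  */
If saverc <> 0 Then Do           /* NUCXLOAD failed?               */
  Say 'VMNFSXIT: NUCXLOAD VERIFYPW failed, rc =' saverc
  Say 'VMNFSXIT: VMNFS initialization halted; password',
      'validation via VMSECURE would not be available.'
  Exit saverc                    /* Fail closed: do not start VMNFS*/
End
Say 'VMNFSXIT: VERIFYPW MODULE loaded as a nucleus extension'
```

    Halting at this point is the safer outcome: a VMNFS server
    that starts without VERIFYPW loaded has no working password
    check behind it.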
 
 2) In the AUTHORIZ CONFIG file, include the following two
    lines:
 
         GRANT DIAGPCHK TO "vmnfs_server_userid"
         GRANT SURROGAT TO "vmnfs_server_userid"
 
    where "vmnfs_server_userid" is replaced by the actual user
    ID of the VMNFS server (the default is VMNFS).
 
 ===============================================================
 Additional Notes:
 
 For certain environments, the presence of a secondary user
 definition for a TCP/IP server machine may cause password
 prompts to be issued by the ESM when client requests are
 processed.  This phenomenon has been seen with VMSECURE in
 cases where minidisk passwords are not defined; prompts issued
 by VMSECURE may be similar to the following:
 
   VMXACM0107R Enter MULT link password:
   VMXACM0107R Enter WRITE link password:
   VMXACM0107R Enter READ link password:
 
 The use of a secondary user definition in such an environment
 is not recommended.
 
 ===============================================================
 If additional information is required concerning the VALIDATE
 ASSEMBLE file, AUTHORIZ CONFIG file parameters, or the
 DUALPASS directory definition, please contact the Sterling
 Software support center.
 ===============================================================
 
 To the Customer:
 If you have suggestions to improve this Informational APAR,
 please open a problem record with the TCP/IP Level 2 support
 group, using the appropriate component ID.
 
               We appreciate your suggestions.
 
 ===============================================================
 KEYWORDS:  5735FAL00 V2R3 R230 V2R4 R240 TCP/IP TCPIP TCPIPINFO
            VM ESM VMSECURE VALIDATE FTPSERVE VMNFS REXECD
 ===============================================================