TCPIPINFO USING VMSECURE IN THE TCP/IP FOR VM
APAR Identifier ...... II11256        Last Changed ........ 04/09/21
Symptom ...... IN INCORROUT           Status ........... CLOSED CAN
Severity ................... 4        Date Closed ......... 98/06/12
Component .......... INFOPALIB        Duplicate of ........
Reported Release ......... 001        Fixed Release ............
Component Name PA LIB INFO ITE        Special Notice
Current Target Date ..                Flags
SCP ...................
Platform ............

Status Detail: ASSIGNMENT - APAR has been assigned to a programmer.

PE PTF List:
PTF List:
Parent APAR:
Child APAR list:

ERROR DESCRIPTION:

***************************************************************
* Topic: VMSECURE and TCP/IP Servers                          *
* Last Update: 21 Sept 2004 (GWS)                             *
*                                                             *
* This informational APAR contains information relevant to    *
* running any TCP/IP level in conjunction with the VMSECURE   *
* product from Sterling Software, Inc., for controlling       *
* access to minidisks and/or SFS directories.                 *
*                                                             *
* This information may also prove useful when other external  *
* security manager offerings -- such as ACF2 -- are used, as  *
* similar changes will be necessary. However, it is           *
* recommended that you contact the support center associated  *
* with the security package in use for detailed information   *
* about any changes that are required.                        *
*                                                             *
***************************************************************

Purpose of this Informational APAR:

  To provide information to customers who are installing TCP/IP
  running the VMSECURE security package from Sterling Software, Inc.

===============================================================
Additional References
=====================

Sterling Software, Inc. Support Center: 1-703-264-8100

Technical Information:

The following guidelines should be completed prior to proceeding
with individual TCP/IP server customization.
Following the "General Requirements" section are instructions for
specific TCP/IP server machines that utilize the function provided
by VMSECURE.

===============================================================
General Requirements:

1) Contact Sterling Software's VMSECURE technical support, and
   request a copy of the VALIDAT ASSEMBLE file to be used with
   TCP/IP. This routine performs DIAG A0 subfunction '0004' to
   validate passwords.

   The following steps should be followed to create a VALIDAT
   MODULE from the VMSECURE supplied VALIDAT ASSEMBLE code. After
   the VALIDAT MODULE has been created, it must then be placed on
   a disk in the search order of the server virtual machines that
   need to use it. It is recommended that the executable VALIDAT
   MODULE be installed on the "server common" disk (by default,
   this is the TCPMAINT 198). This disk is guaranteed to be in the
   search order of all TCP/IP service virtual machines.

   To generate an executable VALIDAT MODULE from the Sterling
   Software-supplied source, perform the following steps:

   a) Assemble the source file. The syntax to use is:

        assemble VALIDAT

   b) Generate the executable load module using the following
      command sequence:

        LOAD VALIDAT (CLEAR NOAUTO RLDSAVE
        GENMOD

      These commands will create a VALIDAT MODULE and a LOAD MAP
      file on the A-disk. The LOAD MAP file can be discarded. The
      VALIDAT MODULE should be installed as instructed above.

   c) Assemble the RPIUVMX source file and generate an executable
      RPIUCMS MODULE. The syntax to use is:

        GLOBAL MACLIB DMSGPI DMSOM OSMACRO OSMACRO1
        ASMAHL RPIUVMX
        LOAD RPIUVMX (CLEAR RLDSAVE
        GENMOD RPIUCMS MODULE A2 (SYSTEM

      These commands will generate an RPIUCMS MODULE and a LOAD
      MAP on the A-disk. The LOAD MAP can be discarded. The
      RPIUCMS MODULE should be installed as instructed above.
   *NOTE* If you do not need local modifications to the supplied
   VALIDAT and RPIUVMX ASSEMBLE files, or if you are unable to
   assemble them on your system, you can also use the Computer
   Associates supplied VALIDAT MODULE and RPIUCMS MODULE.

2) The following statement SHOULD be included in the directory
   definition for each TCP/IP server that accesses VMSECURE for
   security validation:

        IUCV DUALPASS

   Its benefit is seen in the situation when the FTP server
   attempts to validate a userid / password pair, but the VMSECURE
   service machine is not available for some reason. Without the
   DUALPASS statement, the validation will fail with a
   specification check; when this statement is included,
   validation will be performed via an alternate path.

   Note: Inclusion of the IUCV DUALPASS statement is not a "hard"
   or immediate requirement. However, you should consider its use.

==============================================================
SYSTEM DTCPARMS File Customization:

Server configuration exit execs (such as FTPDXIT EXEC) are no
longer provided with TCP/IP FL 310 or higher. For information
about server configuration with a higher level, please see
"Chapter 5 - Methods of Server Configuration" of the "TCP/IP
Planning and Customization" publication. This chapter explains the
use of the IBM (or SYSTEM) DTCPARMS file, which is now used for
server customization.

If you are using VMSECURE as your External Security Manager (ESM),
the parameters and values indicated below should be made to your
SYSTEM DTCPARMS file.

===============================================================
FTP Server (FTPSERVE) Customization:

1) FTP class definition changes:

   .* File Transfer Protocol (FTP) daemon
   :nick.ftp
     :type.class
     :name.FTP daemon
     :command.SRVRFTP
     :runtime.PASCAL
     :diskwarn.YES
     :anonymous.NO
     :ESM_Enable.YES
     :ESM_Validate.
     :ESM_Racroute.

   .* For VMSECURE, change the :ESM_Validate. tag to:
     :ESM_Validate.VALIDAT

   .* For VMSECURE, change the :ESM_Racroute. tag to:
     :ESM_Racroute.YES

2) In the VM:Secure AUTHORIZ CONFIG file, include the following
   two lines:

        GRANT DIAGPCHK TO "ftp_server_userid"
        GRANT SURROGAT TO "ftp_server_userid"

   where "ftp_server_userid" is replaced by the user ID of the FTP
   server machine (the default user ID is FTPSERVE).

===============================================================
Rexec Daemon/Server (REXECD) Customization:

1) REXEC class definition changes:

   .* Remote Execution (REXEC) daemon
   :nick.rexec
     :type.class
     :name.Remote Execution daemon
     :command.REXECD
     :runtime.C
     :anonymous.NO
     :ESM_Enable.YES
     :ESM_Validate.
     :ESM_Racroute.

   .* For VMSECURE, RPIVAL should be changed to VALIDAT, as
   .* follows:
     :ESM_Validate.VALIDAT

   To allow RPIUCMS to be called for the REXEC logon (a function
   available with z/VM 4.4.0 and above), change the :ESM_Racroute.
   tag to:
     :ESM_Racroute.YES

2) In the VM:Secure AUTHORIZ CONFIG file, include the following
   line:

        GRANT DIAGPCHK TO "rexec_server_userid"

   where "rexec_server_userid" is replaced by the user ID of the
   REXEC server machine (the default user ID is REXECD).

===============================================================
NFS Server (VMNFS) Customization:

1) NFS class definition changes:

   .* Network File System (NFS) daemon
   :nick.nfs
     :type.class
     :name.Network File System daemon
     :command.VMNFS
     :runtime.C
     :diskwarn.YES
     :anonymous.NO
     :ESM_Enable.YES
     :ESM_Validate.
     :ESM_Racroute.

   .* For eTrust VM:Secure, change the :ESM_Validate. tag to:
     :ESM_Validate.VALIDAT

   .* For eTrust VM:Secure, change the :ESM_Racroute. tag to:
     :ESM_Racroute.YES

2) In the VM:Secure AUTHORIZ CONFIG file, include the following
   two lines:

        GRANT DIAGPCHK TO "nfs_server_userid"
        GRANT SURROGAT TO "nfs_server_userid"

   where "nfs_server_userid" is replaced by the user ID of the NFS
   server machine (the default user ID is VMNFS).
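The three server sections above all require the same three DTCPARMS tags and a small set of AUTHORIZ CONFIG grants, and a partially applied change (for example an :ESM_Validate. tag left at the RACF default RPIVAL, or a missing GRANT SURROGAT) is easy to overlook. The following audit script is an added example, not IBM, Sterling or Computer Associates code. It assumes a simplified DTCPARMS layout with one :tag.value per line and ".*" comment lines, and the DTCPARMS extract and AUTHORIZ CONFIG it reads are constructed sample inputs:

```python
"""Audit SYSTEM DTCPARMS class entries and a VM:Secure AUTHORIZ CONFIG
against the VMSECURE settings described for the FTP, REXEC and NFS
servers.  Added example, not IBM, Sterling or CA code.  Assumes one
:tag.value per DTCPARMS line; '.*' lines are comments."""
import re

# ESM tag values every VMSECURE-enabled server entry should carry.
REQUIRED_TAGS = {"esm_enable": "YES", "esm_validate": "VALIDAT",
                 "esm_racroute": "YES"}

# AUTHORIZ CONFIG grants each server needs, keyed by DTCPARMS :nick.
REQUIRED_GRANTS = {"ftp": {"DIAGPCHK", "SURROGAT"},
                   "rexec": {"DIAGPCHK"},
                   "nfs": {"DIAGPCHK", "SURROGAT"}}

# Default server user IDs; pass your own mapping to audit() if changed.
DEFAULT_USERIDS = {"ftp": "FTPSERVE", "rexec": "REXECD", "nfs": "VMNFS"}

TAG_RE = re.compile(r"^:(\w+)\.(.*)$")
GRANT_RE = re.compile(r"^GRANT\s+(\w+)\s+TO\s+(\w+)\s*$", re.IGNORECASE)

# Constructed DTCPARMS extract: FTP is correct, REXEC still carries the
# RACF default RPIVAL, NFS never had :ESM_Racroute. filled in.
SAMPLE_DTCPARMS = """\
.* File Transfer Protocol (FTP) daemon
:nick.ftp
  :type.class
  :name.FTP daemon
  :command.SRVRFTP
  :anonymous.NO
  :ESM_Enable.YES
  :ESM_Validate.VALIDAT
  :ESM_Racroute.YES
.* Remote Execution (REXEC) daemon
:nick.rexec
  :type.class
  :command.REXECD
  :anonymous.NO
  :ESM_Enable.YES
  :ESM_Validate.RPIVAL
  :ESM_Racroute.YES
.* Network File System (NFS) daemon
:nick.nfs
  :type.class
  :command.VMNFS
  :anonymous.NO
  :ESM_Enable.YES
  :ESM_Validate.VALIDAT
  :ESM_Racroute.
"""

# Constructed AUTHORIZ CONFIG: VMNFS is missing its SURROGAT grant.
SAMPLE_AUTHORIZ = """\
GRANT DIAGPCHK TO FTPSERVE
GRANT SURROGAT TO FTPSERVE
GRANT DIAGPCHK TO REXECD
GRANT DIAGPCHK TO VMNFS
"""


def parse_dtcparms(text):
    """Return {nick: {tag: value}}; tag names lower-cased, values as written."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(".*"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1).lower(), m.group(2).strip()
        if tag == "nick":
            current = value.lower()
            entries[current] = {}
        elif current is not None:
            entries[current][tag] = value
    return entries


def parse_authoriz(text):
    """Return {USERID: set(authorizations)} from GRANT lines."""
    grants = {}
    for raw in text.splitlines():
        m = GRANT_RE.match(raw.strip())
        if m:
            grants.setdefault(m.group(2).upper(), set()).add(m.group(1).upper())
    return grants


def audit(dtcparms_text, authoriz_text, userids=DEFAULT_USERIDS):
    """Return a sorted list of findings; an empty list means all checks passed."""
    entries = parse_dtcparms(dtcparms_text)
    grants = parse_authoriz(authoriz_text)
    findings = []
    for nick, needed in REQUIRED_GRANTS.items():
        tags = entries.get(nick)
        if tags is None:
            findings.append(f"{nick}: no DTCPARMS class entry found")
            continue
        for tag, want in REQUIRED_TAGS.items():
            got = tags.get(tag, "")
            if got.upper() != want:
                findings.append(f"{nick}: :{tag}. is '{got}', expected {want}")
        if tags.get("anonymous", "NO").upper() != "NO":
            findings.append(f"{nick}: :anonymous. is not NO, confirm this is intended")
        userid = userids[nick].upper()
        for auth in sorted(needed - grants.get(userid, set())):
            findings.append(f"{nick}: AUTHORIZ CONFIG lacks GRANT {auth} TO {userid}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_DTCPARMS, SAMPLE_AUTHORIZ):
        print(finding)
```

Run against the constructed inputs, the audit reports the REXEC :ESM_Validate. tag still set to RPIVAL, the empty NFS :ESM_Racroute. tag, and the missing GRANT SURROGAT for VMNFS, while the FTP entry passes. Feed it real SYSTEM DTCPARMS and AUTHORIZ CONFIG text (with one tag per line) to confirm all three servers were customized consistently.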
   Note: If "anonymous" mount requests are to be accepted from NFS
   clients, ensure the following conditions have been met:

   * An ANONYMOU user ID is defined on the VM/ESA host system.
   * The VMNFS server entry in the DTCPARMS file has been updated
     to specify:

        :Anonymous.YES

===============================================================
Additional Notes:

For certain environments, the presence of a secondary user
definition for a TCP/IP server machine may cause password prompts
to be issued by the ESM when client requests are processed. This
phenomenon has been seen with VMSECURE in cases where minidisk
passwords are not defined; prompts issued by VMSECURE may be
similar to the following:

   VMXACM0107R Enter MULT link password:
   VMXACM0107R Enter WRITE link password:
   VMXACM0107R Enter READ link password:

The use of a secondary user definition in such an environment is
not recommended.

===============================================================
KEYWORDS: 5735FAL00 FL310 R310 TCP/IP TCPIP VM TCPIPINFO ESM
          VMSECURE VALIDATE FTPSERVE VMNFS REXECD
===============================================================

LOCAL FIX:
PROBLEM SUMMARY:
PROBLEM CONCLUSION:
TEMPORARY FIX:
COMMENTS:
  closing info apr
MODULES/MACROS:
SRLS:
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: