TCPIPINFO USING VMSECURE IN THE TCP/IP FOR VM
APAR Identifier ...... II11256 Last Changed ........ 04/09/21
Symptom ...... IN INCORROUT Status ........... CLOSED CAN
Severity ................... 4 Date Closed ......... 98/06/12
Component .......... INFOPALIB Duplicate of ........
Reported Release ......... 001 Fixed Release ............
Component Name PA LIB INFO ITE Special Notice
Current Target Date .. Flags
SCP ...................
Platform ............
Status Detail: ASSIGNMENT - APAR has been assigned to a
programmer.
PE PTF List:
PTF List:
Parent APAR:
Child APAR list:
ERROR DESCRIPTION:
***************************************************************
* Topic: VMSECURE and TCP/IP Servers *
* Last Update: 21 Sept 2004 (GWS) *
* *
* This informational APAR contains information relevant to *
* running any level of TCP/IP for VM in conjunction with the *
* VMSECURE product from Sterling Software, Inc., for *
* controlling access to minidisks and/or SFS directories. *
* *
* This information may also prove useful when other external *
* security manager offerings -- such as ACF2 -- are used, as *
* similar changes will be necessary. However, it's *
* recommended that you contact the support center associated *
* with the security package in use, for detailed information *
* about any changes that are required. *
* *
***************************************************************
Purpose of this Informational APAR:
To provide information to customers who are installing TCP/IP
on a system running the VMSECURE security package from
Sterling Software, Inc.
===============================================================
Additional References
=====================
Sterling Software, Inc. Support Center: 1-703-264-8100
Technical Information:
The following guidelines should be completed prior to
proceeding with individual TCP/IP server customization.
Following the "General Requirements" section are instructions
for specific TCP/IP server machines that utilize the function
provided by VMSECURE.
===============================================================
General Requirements:
1) Contact Sterling Software's VMSECURE technical support and
request a copy of the VALIDAT ASSEMBLE file to be used
with TCP/IP. This routine performs DIAG A0
subfunction '0004' to validate passwords. The following
steps create a VALIDAT MODULE from the VMSECURE-supplied
VALIDAT ASSEMBLE code. After the VALIDAT MODULE has been
created, it must be placed on a disk in the search order of
the server virtual machines that need to use it. It is
recommended that the executable VALIDAT MODULE be installed
on the "server common" disk (by default, this is the
TCPMAINT 198). This disk is guaranteed to be in the search
order of all TCP/IP service virtual machines. Because every
server that validates passwords will execute the copy of
VALIDAT found in its search order, restrict write access to
that disk to the maintenance user IDs that need it.
To generate an executable VALIDAT MODULE from the Sterling
Software-supplied source, perform the following steps:
a) Assemble the source file. The syntax to use is:
ASSEMBLE VALIDAT
b) Generate the executable load module using the following
command sequence:
LOAD VALIDAT (CLEAR NOAUTO RLDSAVE
GENMOD
These commands will create a VALIDAT MODULE and a LOAD
MAP file on the A-disk. The LOAD MAP file can be
discarded. The VALIDAT MODULE should be installed as
instructed above.
c) Assemble the RPIUVMX source file and generate an executable
RPIUCMS MODULE. The syntax to use is:
GLOBAL MACLIB DMSGPI DMSOM OSMACRO OSMACRO1 ASMAHL RPIUVMX
ASSEMBLE RPIUVMX
LOAD RPIUVMX (CLEAR RLDSAVE
GENMOD RPIUCMS MODULE A2 (SYSTEM
These commands will generate an RPIUCMS MODULE and a
LOAD MAP on the A-disk. The LOAD MAP can be discarded.
The RPIUCMS MODULE should be installed as instructed
above.
*NOTE* If you do not need local modifications to the supplied
VALIDAT and RPIUVMX ASSEMBLE files, or if you are unable to
assemble them on your system, you can instead use the
VALIDAT MODULE and RPIUCMS MODULE supplied by Computer
Associates.
2) The following statement SHOULD be included in the directory
definition for each TCP/IP server that accesses VMSECURE
for security validation:
IUCV DUALPASS
Its benefit is seen when the FTP server attempts to validate
a user ID / password pair but the VMSECURE service machine
is not available for some reason. Without the DUALPASS
statement, the validation fails with a specification check;
when this statement is included, validation is performed
via an alternate path.
Note: Inclusion of the IUCV DUALPASS statement is not a
"hard" or immediate requirement. However, you should
consider its use, and decide whether validation through the
alternate path while the ESM is unavailable is acceptable
under your site's security policy.
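The build and install sequence from item 1 above, collected into a single CMS exec that stops at the first non-zero return code so that a failed assembly is never followed by an install. This is an added example written for this APAR; it is not an exec supplied by IBM, Sterling Software or Computer Associates. It assumes that VALIDAT ASSEMBLE and RPIUVMX ASSEMBLE are on an accessed disk, that the A-disk is writable, that the invoking user may LINK the server common disk (TCPMAINT 198 by default) in write mode, and that virtual address 0FFF and file mode Z are free; the address and mode are hypothetical choices.

```rexx
/* BLDESM EXEC - build VALIDAT MODULE and RPIUCMS MODULE for the    */
/* TCP/IP servers and copy them to the server common disk.         */
/* Added example for APAR II11256; not supplied by IBM or the ESM   */
/* vendor.  Assumes: VALIDAT ASSEMBLE and RPIUVMX ASSEMBLE are on   */
/* an accessed disk, the A-disk is writable, the invoking user may  */
/* LINK the common disk in write mode, and vaddr 0FFF / mode Z are  */
/* free (hypothetical choices).                                     */
address command
parse upper arg owner vaddr .
if owner = '' then owner = 'TCPMAINT'    /* default common disk:   */
if vaddr = '' then vaddr = '198'         /* TCPMAINT 198           */

/* 1. VALIDAT: performs the DIAG A0 subfunction 0004 password check */
call step 'ASSEMBLE VALIDAT'
call step 'LOAD VALIDAT (CLEAR NOAUTO RLDSAVE'
call step 'GENMOD VALIDAT'

/* 2. RPIUCMS: built from the RPIUVMX source, as in item 1 c)       */
call step 'GLOBAL MACLIB DMSGPI DMSOM OSMACRO OSMACRO1 ASMAHL RPIUVMX'
call step 'ASSEMBLE RPIUVMX'
call step 'LOAD RPIUVMX (CLEAR RLDSAVE'
call step 'GENMOD RPIUCMS MODULE A2 (SYSTEM'

/* The LOAD MAP is a by-product of LOAD and is not needed           */
'ERASE LOAD MAP A'

/* 3. Install both modules on the common disk.  Every TCP/IP        */
/* service machine executes VALIDAT to check passwords, so write    */
/* access to this disk should be limited to maintenance user IDs.   */
call step 'LINK' owner vaddr '0FFF MR'
call step 'ACCESS 0FFF Z'
call step 'COPYFILE VALIDAT MODULE A = = Z (OLDDATE REPLACE'
call step 'COPYFILE RPIUCMS MODULE A = = Z (OLDDATE REPLACE'
call step 'STATE VALIDAT MODULE Z'       /* confirm both are present */
call step 'STATE RPIUCMS MODULE Z'
'RELEASE Z (DET'
say 'VALIDAT MODULE and RPIUCMS MODULE installed on' owner vaddr
exit 0

/* Issue one CMS command and show it; any non-zero return code ends */
/* the exec immediately with that return code.                      */
step: procedure
   parse arg cmd
   say '>' cmd
   cmd
   if rc <> 0 then do
      say 'Return code' rc 'from:' cmd
      exit rc
   end
   return
```

Invoke it as BLDESM with no operands for the default TCPMAINT 198, or as BLDESM owner vaddr when the common disk lives elsewhere. The exec deliberately does not continue past a failing ASSEMBLE or LOAD: a half-built VALIDAT MODULE copied onto the common disk would be picked up by every server in whose search order that disk appears.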
==============================================================
SYSTEM DTCPARMS File Customization:
Server configuration exit execs (such as FTPDXIT EXEC) are no
longer provided with TCP/IP FL 310 or higher. For information
about server configuration with a higher level please see
"Chapter 5 - Methods of Server Configuration" of the "TCP/IP
Planning and Customization" publication.
This chapter explains the use of the IBM (or SYSTEM) DTCPARMS
file, which is now used for server customization. If you are
using VMSECURE as your External Security Manager (ESM), apply
the parameters and values indicated below to your SYSTEM
DTCPARMS file.
===============================================================
FTP Server (FTPSERVE) Customization:
1) FTP class definition changes:
.* File Transfer Protocol (FTP) daemon
:nick.ftp :type.class
:name.FTP daemon
:command.SRVRFTP
:runtime.PASCAL
:diskwarn.YES
:anonymous.NO
:ESM_Enable.YES
:ESM_Validate.
:ESM_Racroute.
.* For VMSECURE, change the :ESM_Validate tag to:
:ESM_Validate.VALIDAT
.* For VMSECURE, change the :ESM_Racroute tag to:
:ESM_Racroute.YES
2) In the VM:Secure AUTHORIZ CONFIG file, include the following
two lines:
GRANT DIAGPCHK TO "ftp_server_userid"
GRANT SURROGAT TO "ftp_server_userid"
where "ftp_server_userid" is replaced by the user ID of the
FTP server machine (the default user ID is: FTPSERVE).
Grant these authorizations to the server user ID only:
DIAGPCHK permits the DIAGNOSE password check performed by
VALIDAT, and SURROGAT permits the server to access resources
on behalf of the users it has validated.
===============================================================
Rexec Daemon/Server (REXECD) Customization:
1) REXEC class definition changes:
.* Remote Execution (REXEC) daemon
:nick.rexec :type.class
:name.Remote Execution daemon
:command.REXECD
:runtime.C
:anonymous.NO
:ESM_Enable.YES
:ESM_Validate.
:ESM_Racroute.
.* For VMSECURE, change the :ESM_Validate tag from RPIVAL to
.* VALIDAT, as follows:
:ESM_Validate.VALIDAT
To allow RPIUCMS to be called for REXEC logon processing (a
function available with z/VM 4.4.0 and above), change the
:ESM_Racroute tag to:
:ESM_Racroute.YES
2) In the VM:Secure AUTHORIZ CONFIG file, include the following
line:
GRANT DIAGPCHK TO "rexec_server_userid"
where "rexec_server_userid" is replaced by the user ID of
the REXEC server machine (the default user ID is: REXECD).
===============================================================
NFS Server (VMNFS) Customization:
1) NFS class definition changes:
.* Network File System (NFS) daemon
:nick.nfs :type.class
:name.Network File System daemon
:command.VMNFS
:runtime.C
:diskwarn.YES
:anonymous.NO
:ESM_Enable.YES
:ESM_Validate.
:ESM_Racroute.
.* For eTrust VM:Secure, change the ESM_Validate tag to:
:ESM_Validate.VALIDAT
.* For eTrust VM:Secure, change the :ESM_Racroute tag to:
:ESM_Racroute.YES
2) In the VM:Secure AUTHORIZ CONFIG file, include the following
two lines:
GRANT DIAGPCHK TO "nfs_server_userid"
GRANT SURROGAT TO "nfs_server_userid"
where "nfs_server_userid" is replaced by the user ID of the
NFS server machine (the default user ID is: VMNFS).
Note: If "anonymous" mount requests are to be accepted from
NFS clients, ensure the following conditions have been
met:
* An ANONYMOU user ID is defined on the VM/ESA host
system.
* The VMNFS server entry in the DTCPARMS file has been
updated to specify:
:Anonymous.YES
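A check for the DTCPARMS changes described above for the FTP, REXEC and NFS classes. This is an added example written for this APAR, not code from IBM or the ESM vendor. It parses the :tag.value items of a DTCPARMS file (several items per line are allowed, lines beginning with .* are comments, and :nick. opens a new entry) and reports every ftp, rexec or nfs class entry whose :ESM_Enable, :ESM_Validate or :ESM_Racroute tag does not carry the value this APAR calls for. Run with no operands it checks a constructed sample built into the exec; given a file ID it reads that file with EXECIO.

```rexx
/* CHKESM EXEC - report TCP/IP server classes in a DTCPARMS file    */
/* whose ESM tags do not match the VMSECURE settings in this APAR.  */
/* Added example for APAR II11256; not supplied by IBM or the ESM   */
/* vendor.  Assumes DTCPARMS syntax: ':tag.value' items, several    */
/* per line, '.*' comment lines, ':nick.' starting a new entry.     */
parse upper arg fn ft fm .
if fn = '' then do                 /* constructed sample entries,    */
   rec.1  = '.* File Transfer Protocol (FTP) daemon'  /* not a file */
   rec.2  = ':nick.ftp :type.class'
   rec.3  = ':name.FTP daemon'
   rec.4  = ':command.SRVRFTP'
   rec.5  = ':ESM_Enable.YES'
   rec.6  = ':ESM_Validate.VALIDAT'
   rec.7  = ':ESM_Racroute.YES'
   rec.8  = ':nick.rexec :type.class'
   rec.9  = ':ESM_Enable.YES'
   rec.10 = ':ESM_Validate.RPIVAL'      /* shipped default, unchanged */
   rec.11 = ':ESM_Racroute.'            /* left empty                 */
   rec.12 = ':nick.nfs :type.class'
   rec.13 = ':ESM_Enable.NO'            /* ESM not enabled at all     */
   rec.0  = 13
end
else do
   if ft = '' then ft = 'DTCPARMS'
   if fm = '' then fm = '*'
   'EXECIO * DISKR' fn ft fm '(FINIS STEM REC.'
   if rc <> 0 then do
      say 'Cannot read' fn ft fm', return code' rc
      exit rc
   end
end

nick = ''
errors = 0
t. = '<missing>'                   /* tags of the entry being read   */
do i = 1 to rec.0
   line = strip(rec.i)
   if left(line, 2) = '.*' then iterate         /* comment line     */
   do while line <> ''
      parse var line ':' tag '.' rest           /* one :tag.value   */
      parse var rest val ' :' line              /* up to next item  */
      if line <> '' then line = ':'line
      tag = translate(strip(tag))
      if tag = '' then leave                    /* no tag on line   */
      if tag = 'NICK' then do                   /* new entry: check */
         call check nick                        /* the one just read */
         t. = '<missing>'
         nick = translate(strip(val))
      end
      t.tag = strip(val)
   end
end
call check nick                                 /* the last entry   */
say errors 'ESM setting(s) need attention'
exit errors

/* Check one entry: only the ftp, rexec and nfs classes matter here */
check: procedure expose t. errors
   parse arg n
   if n = '' then return
   tg = 'TYPE'
   if translate(t.tg) <> 'CLASS' then return
   if wordpos(n, 'FTP REXEC NFS') = 0 then return
   call expect n, 'ESM_ENABLE',   'YES'
   call expect n, 'ESM_VALIDATE', 'VALIDAT'
   call expect n, 'ESM_RACROUTE', 'YES'
   return

/* Report a tag whose value differs from what this APAR requires    */
expect: procedure expose t. errors
   parse arg n, tg, want
   if translate(t.tg) = want then return
   errors = errors + 1
   say left(n, 5) ':'tg'.'t.tg '  expected' want
   return
```

With the built-in sample, the ftp entry passes and the rexec and nfs entries are reported: rexec still carries the shipped RPIVAL value and an empty :ESM_Racroute tag, and nfs has the ESM disabled and the other two tags missing. The exit code is the number of findings, so the exec can be run from a maintenance procedure that refuses to restart the servers while it is non-zero. Against a real file, run it as CHKESM SYSTEM DTCPARMS.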
===============================================================
Additional Notes:
For certain environments, the presence of a secondary user
definition for a TCP/IP server machine may cause password
prompts to be issued by the ESM while client requests are
being processed. This phenomenon has been seen with VMSECURE
in cases where minidisk passwords are not defined; the prompts
issued by VMSECURE may be similar to the following:
VMXACM0107R Enter MULT link password:
VMXACM0107R Enter WRITE link password:
VMXACM0107R Enter READ link password:
The use of a secondary user definition in such an environment
is not recommended.
===============================================================
KEYWORDS: 5735FAL00 FL310 R310 TCP/IP TCPIP VM TCPIPINFO
ESM VMSECURE VALIDATE FTPSERVE VMNFS REXECD
===============================================================
LOCAL FIX:
PROBLEM SUMMARY:
PROBLEM CONCLUSION:
TEMPORARY FIX:
COMMENTS:
closing info apr
MODULES/MACROS:
SRLS:
RTN CODES:
CIRCUMVENTION:
MESSAGE TO SUBMITTER: