Securing TCPIP Ports with the SERVAUTH Resource Class

Document ID : KB000033267
Last Modified Date : 14/02/2018

To secure TCPIP ports in z/OS with CA Top Secret, secure SERVAUTH(EZB.PORTACCESS.sysname.tcpname.safname):

The resource name syntax for the SERVAUTH Resource Class is as follows:

EZB.PORTACCESS.sysname.tcpname.safname

sysname - Local SMF ID. Can use * for masking/wildcard.

tcpname - TCPIP started task jobname. Can use * for masking/wildcard.

safname - Esoteric name coded in the port reservation. 1-8 characters. The first character must be alphabetic, not numeric.
The "SAF name" is provided on the PORTRANGE definition in the PROFILE member.

Example:

TSS ADD(owningacid) SERVAUTH(EZB.PORT) <---Skip if previously done.

TSS PER(stc_acid) SERVAUTH(EZB.PORTACCESS.SYSA.TCPIPA.WPCELL) ACCESS(READ)

'SYSA' is the SMFid for system A.
'TCPIPA' is the jobname for the TCPIP started task that runs on SYSA.
'WPCELL' is defined in the TCP parms member SYS1.TCPPARMS(PROFELXC) with
...
...
...
PORTRANGE
 28500 100 TCP * SAF WPCELL
...
...
...

To authorize STCs/ACIDs to all ports on all systems:

TSS PER(tcp_stc_acid) SERVAUTH(EZB.PORTACCESS.*.*.UNRSVTCP) ACCESS(READ)
TSS PER(tcp_stc_acid) SERVAUTH(EZB.PORTACCESS.*.*.UNRSVUPD) ACCESS(READ)
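
The following Python script is an added example, not part of the CA document: it reads PORTRANGE entries in the form shown above, checks each SAF name against the 1-8 character rule, and builds the matching TSS PER commands. The function names and the second sample entry (SAF name 9BAD) are constructed for the illustration.

```python
# Constructed sample: the article's PORTRANGE entry plus one constructed
# entry whose SAF name breaks the naming rule (it starts with a digit).
SAMPLE_PROFILE = """\
PORTRANGE
 28500 100 TCP * SAF WPCELL
 29000 10 TCP * SAF 9BAD
"""

def port_reservations(profile_text):
    """Yield (first_port, last_port, protocol, safname) for SAF-protected ranges."""
    in_portrange = False
    for raw in profile_text.splitlines():
        tokens = raw.split(";")[0].upper().split()  # ';' starts a profile comment
        if not tokens:
            continue
        if tokens[0] == "PORTRANGE":
            in_portrange, tokens = True, tokens[1:]
        elif not tokens[0].isdigit():
            in_portrange = False                    # another statement has started
        # Entry layout: first_port num_ports protocol jobname ... SAF safname
        if (in_portrange and len(tokens) >= 6 and tokens[0].isdigit()
                and tokens[1].isdigit() and "SAF" in tokens[4:-1]):
            first, count = int(tokens[0]), int(tokens[1])
            saf = tokens[tokens.index("SAF", 4) + 1]
            yield first, first + count - 1, tokens[2], saf

def valid_safname(name):
    """Rule stated in the article: 1-8 characters, the first one alphabetic."""
    return 1 <= len(name) <= 8 and name[0].isalpha()

def permit_commands(profile_text, sysname, tcpname, acid):
    """Return (commands, rejected) for the SAF-protected ranges in the profile."""
    commands, rejected = [], []
    for first, last, _proto, saf in port_reservations(profile_text):
        if not valid_safname(saf):
            rejected.append((first, last, saf))
            continue
        resource = f"EZB.PORTACCESS.{sysname}.{tcpname}.{saf}"
        cmd = f"TSS PER({acid}) SERVAUTH({resource}) ACCESS(READ)"
        if cmd not in commands:                     # ranges may share a SAF name
            commands.append(cmd)
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = permit_commands(SAMPLE_PROFILE, "SYSA", "TCPIPA", "stc_acid")
    print("\n".join(cmds))
    for first, last, saf in bad:
        print(f"ports {first}-{last}: SAF name {saf!r} breaks the naming rule")
```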

For more details on Using SERVAUTH to Protect TCP Port Usage from IBM, please refer to:

http://www-01.ibm.com/support/docview.wss?uid=tss1wp100673