Use the NETACCESS statement to configure network access control. Specifically, it allows for the one-to-one mapping between a network, subnetwork or host and a Security Access Facility (SAF) resource name. The network specifications are used to build an internal data structure that maps networks, subnetworks and hosts to SAF resource names. The mapping is used to construct a complete resource name that is passed to the Security Product to determine the user's permission to access the network resource. The most specific mapping is used to determine the resource name for the SAF authorization check.

If the network resource does not have an assigned mapping, no SAF check is performed. If the network resource does have an assigned mapping, the SERVAUTH class must be active, the resource name must be defined, and the user ID making the request must have at least read access to the resource.

Inbound socket commands include application requests to bind a socket, accept a TCP connection and any command that transfers data into the application from a socket. Outbound socket commands include application requests to connect a socket and any command that transfers data from the application into the socket.

Multilevel-security is an enhanced security environment that can be configured on a z/OS® Communications Server system. In this environment the Security Server and trusted resource managers enforce mandatory access control (MAC) policies in addition to the usual discretionary access control (DAC) policies. For more information about the multilevel-security environment and configuring z/OS Communications Server in that environment, see the multilevel-security information in the z/OS Communications Server: IP Configuration Guide.
Syntax
Rule: Specify the parameters in the order shown here.
                                                                .----------------------------------------.
              .-NOINBound-.  .-OUTBound---.  .-CACHEALL----.    V                                        |
>>-NETAccess--+-----------+--+------------+--+-------------+----+-ipv4_addr/num_mask_bits-+--saf_resname-+--ENDNETAccess-><
              '-INBound---'  '-NOOUTBound-'  +-CACHEPERMIT-+    +-ipv4_addr address_mask--+
                                             '-CACHESAME---'    +-ipv6_addr/prefixlength--+
                                                                +-DEFAULT--+---+----------+
                                                                |          '-0-'          |
                                                                '-DEFAULTHome-------------'
Parameters
- NOINBOUND
  Specifies that network access control checking is disabled for inbound socket commands. This is the default value.
- INBOUND
  Specifies that network access control checking is enabled for inbound socket commands.
- OUTBOUND
  Specifies that network access control checking is enabled for outbound socket commands. This is the default value.
- NOOUTBOUND
  Specifies that network access control checking is disabled for outbound socket commands.
- CACHEALL
  Specifies that when a SAF call is made to check a user's access to a security zone, the result is cached regardless of whether access is permitted or denied. Subsequent checks of the user's access to the security zone are resolved using the cached results. This is the default value.
  This parameter allows an external security manager to write an audit record for only the first access check made for a user for each security zone.
- CACHEPERMIT
  Specifies that when a SAF call is made to check a user's access to a security zone, the result is cached when access is permitted, but not when access is denied. Subsequent checks of the user's access to a permitted security zone are resolved using the cached results. Subsequent checks of the user's access to a denied security zone are resolved by another SAF call.
  This parameter allows an external security manager to write an audit record for only the first access check made for a user for each permitted security zone, and for all access checks made for a user for each denied security zone.
- CACHESAME
  Specifies that when a SAF call is made to check the access of a user to a security zone, the result is cached when access is permitted, but not when access is denied.
  If the user is permitted to access the security zone, subsequent checks of the user's access to the security zone are resolved using the cached results as long as the user associated with the socket and the IP address being accessed are unchanged. However, if the user that is associated with the socket changes, or if the IP address being accessed changes from the previous packet that is received or sent over the socket, the next access check is resolved by another SAF call.
  Subsequent checks of the user's access to a denied security zone are resolved by another SAF call.
  This parameter allows an external security manager to write an audit record for all denied access checks that are made for a user for each denied security zone, and for the first of multiple successive access checks made for a socket under the same user and for the same IP address in a permitted security zone.
- ipv4_addr/num_mask_bits
  Specifies the network for which security product access control is required for user requests. The num_mask_bits field is used to create an address mask that is bit-contiguous from left to right. This address mask is logically ANDed with the ipv4_addr value to create the network address for which access control is required.
- ipv4_addr address_mask
  Specifies the network for which security product access control of user requests is required. The address_mask value is a bit mask (expressed in dotted decimal form) that is bit-contiguous from left to right. The address_mask value is logically ANDed with the ipv4_addr value to create the network address for which access control is required.
- ipv6_addr/prefixlength
  Specifies the IPv6 network for which security product access control is required. The ipv6_addr is an IPv6 address in colon-hexadecimal format. The prefixlength value is a decimal value specifying how many of the leftmost contiguous bits of the address comprise the prefix. The value is in the range 1 - 128. IPv4-mapped IPv6 addresses and IPv6 addresses with the reserved prefix ::/96 are not allowed.
- DEFAULT
  Specifies that security product access control of user requests is required for any networks not specifically defined by other NETACCESS statement entries. If DEFAULTHOME is not specified, DEFAULT maps all addresses, local and remote, not mapped by other entries. If DEFAULTHOME is also specified, DEFAULT maps all remote addresses not mapped by other entries. Use of the address_mask value of 0 on this entry is deprecated.
- DEFAULTHOME
  Specifies that security product access control of user requests is required for all IP addresses that are local to this stack and not specifically defined by other NETACCESS statement entries. When this parameter is specified, security product access control of user requests is also required for addresses dynamically defined by SYSPLEX services and IPv6 link-local and global addresses that are automatically assigned for an interface.
- saf_resname
  Specifies the final qualifier of a security product resource name. The maximum length is eight characters. The profile name has the following format:
    EZB.NETACCESS.sysname.tcpname.saf_resname
  where
  - EZB.NETACCESS is constant.
  - sysname is the value of the MVS™ &SYSNAME. system symbol.
  - tcpname is the name of the procedure used to start the TCP stack.
  - saf_resname is the 1-8 character value following the network specification.
  If the installation's SAF-compliant security product (for example, RACF®) supports the SERVAUTH class, the installation has activated the SERVAUTH class, a profile covering this resource name has been created in the SERVAUTH class, and the effective user ID is permitted to the resource, then that user ID is allowed to access the network.
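To make the three cache modes concrete, the following is an added Python model (not z/OS or IBM code) that replays a constructed sequence of checked socket commands and reports which of them would reach SAF, and so could produce an audit record. The socket ids, user IDs, zone names and peer addresses are all made up, and a SAF call is modelled as a lookup in a set of permitted (user, zone) pairs.

```python
# Constructed model of the three NETACCESS cache modes (not z/OS code). A SAF
# call is modelled as a set lookup; each call is a point where an external
# security manager could write an audit record.

def saf_calls(mode, events, permitted):
    """events: one (socket, user, zone, ip) tuple per checked socket command.
    Returns the indexes of the events that were resolved by a real SAF call."""
    cache = {}   # (user, zone) -> permitted?; denies are kept only under CACHEALL
    last = {}    # socket -> (user, ip) seen on the previous packet, for CACHESAME
    calls = []
    for i, (sock, user, zone, ip) in enumerate(events):
        key = (user, zone)
        cached = cache.get(key)
        if cached is None:
            hit = False                                   # nothing cached yet
        elif mode == "CACHEALL":
            hit = True                                    # permit or deny, both cached
        elif mode == "CACHEPERMIT":
            hit = cached                                  # only a permit is cached
        else:  # CACHESAME: same user and same IP on this socket as last time
            hit = cached and last.get(sock) == (user, ip)
        if not hit:
            calls.append(i)
            result = key in permitted
            if result or mode == "CACHEALL":
                cache[key] = result
        last[sock] = (user, ip)
    return calls

# Constructed sequence: ALICE is permitted to CORPNET, BOB is denied on SUBNET1.
PERMITTED = {("ALICE", "CORPNET")}
EVENTS = [
    (1, "ALICE", "CORPNET", "192.168.1.5"),    # 0: first check on socket 1
    (1, "ALICE", "CORPNET", "192.168.1.5"),    # 1: same user, same peer
    (1, "ALICE", "CORPNET", "192.168.1.5"),    # 2
    (1, "ALICE", "CORPNET", "192.168.1.6"),    # 3: peer address changed
    (2, "BOB",   "SUBNET1", "192.168.113.7"),  # 4: denied
    (2, "BOB",   "SUBNET1", "192.168.113.7"),  # 5: denied again
]

def audit_counts():
    """SAF calls (audit opportunities) per mode for the sequence above."""
    return {m: len(saf_calls(m, EVENTS, PERMITTED))
            for m in ("CACHEALL", "CACHEPERMIT", "CACHESAME")}
```

With this sequence CACHEALL reaches SAF twice, CACHEPERMIT three times (every denied check) and CACHESAME four times (the peer address change on socket 1 forces a recheck as well).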
Steps for modifying
To modify any values on the NETACCESS statement, use a VARY TCPIP,,OBEYFILE command with a data set that contains a new NETACCESS statement. All existing network entries are deleted and replaced with the entries from the new NETACCESS statement. Active connections are reauthorized whenever the user ID the active connections are running under has changed or a new NETACCESS statement is loaded.
For more information about the VARY TCPIP commands, see z/OS Communications Server: IP System Administrator's Commands.
Statement dependency
- A security server must be running and the SERVAUTH class must be active, or all users are denied access to all network addresses mapped to a security zone.
- A resource profile name must be defined for a security zone, or all users are denied access to all network addresses mapped to that security zone.
- Each user must be authorized to the security zone containing their static or dynamic IP address.
- Servers such as HTTPD, FTPD, and INETD must have the user ID they accept work under authorized to all security zones that contain their intended clients' addresses.
- The FTP anonymous user (ANONYMO) must be authorized to the security zones containing clients that are allowed anonymous access.
- Users must be authorized to the security zone containing the name server address they use, to avoid resolver failures.
- To protect security zone definitions, authority to modify the initial profile data set and to issue VARY TCPIP,,OBEYFILE commands must be controlled.
- When local addresses, or the DEFAULTHOME or DEFAULT parameters, are specified and inbound checking is enabled, servers and other applications that explicitly bind must be permitted to the bind address.
- Define address 127.0.0.1/8 or address ::1/128 into a security zone to control binds to the IPv4 or IPv6 loopback addresses, respectively.
- Define address 0.0.0.0/32 or address ::/128 into a security zone to control binds to the IPv4 INADDR_ANY address, or to the IPv6 unspecified address (in6addr_any), respectively.
- Use the BIND parameter on the PORT statement to optionally override binds to the IPv4 INADDR_ANY address, or to the IPv6 unspecified address (in6addr_any), with a bind to the specific local address specified on the BIND parameter. Permit the job to the security zone for that address.
- An IPv6 address should not be configured unless the TCP/IP stack is IPv6 enabled. If the stack is not IPv6 enabled, then all entries following an IPv6 entry are ignored and a message is issued.
Examples
NETACCESS INBOUND OUTBOUND CACHEPERMIT ; check both ways, cache permits only
   192.168.0.0/16                CORPNET ; Net address
   192.168.113.19/32             HOST1   ; Specific host address
   192.168.113.0 255.255.255.0   SUBNET1 ; Subnet address
   192.168.112.0 255.255.248.0   SUBNET2 ; Subnet address
   192.168.192.0/24              CAMPUS  ; Subnet address
   192.168.214.0/24              CAMPUS  ; Subnet address
   fe80::6:2900:1dc:21bc/128     HOST2   ; IPv6 specific host address
   2001:0DB8::/16                GLBL    ; IPv6 global network
   DEFAULTHOME                   HOME    ; Optional Default local zone
   DEFAULT                       DEFZONE ; Optional Default zone
ENDNETACCESS
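The resolution rule stated at the top of this page (the most specific mapping wins, DEFAULTHOME covers unmapped local addresses before DEFAULT, and an address with no mapping gets no SAF check) is applied below to a shortened copy of the statement above. This is an added Python model, not IBM code; the system name SYS1 and procedure name TCPIP used to build the profile name are made up, and the mask-ANDing the text describes is reproduced with ipaddress's strict=False.

```python
import ipaddress
# Constructed input: a shortened copy of the Examples statement, ';' comments kept.
SAMPLE = """NETACCESS INBOUND OUTBOUND CACHEPERMIT ; check both ways
  192.168.0.0/16               CORPNET ; Net address
  192.168.113.19/32            HOST1   ; Specific host address
  192.168.113.0 255.255.255.0  SUBNET1 ; Subnet address
  192.168.112.0 255.255.248.0  SUBNET2 ; Subnet address
  fe80::6:2900:1dc:21bc/128    HOST2   ; IPv6 specific host address
  2001:0DB8::/16               GLBL    ; IPv6 global network
  DEFAULTHOME                  HOME    ; Optional Default local zone
  DEFAULT                      DEFZONE ; Optional Default zone
ENDNETACCESS"""

def parse_netaccess(text):
    """Return (flags, networks, defaults); networks is a list of (ip_network, zone)."""
    flags, networks, defaults = set(), [], {}
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()            # drop the ';' comment
        if not tok or tok[0] == "ENDNETACCESS":
            continue
        if tok[0] == "NETACCESS":
            flags = set(tok[1:])                      # INBOUND/OUTBOUND/CACHE* flags
        elif tok[0] in ("DEFAULT", "DEFAULTHOME"):
            if tok[0] == "DEFAULT" and tok[1] == "0": # deprecated "DEFAULT 0" form
                del tok[1]
            defaults[tok[0]] = tok[1]
        else:
            # "addr/bits" or "addr mask"; strict=False ANDs the mask in (2001:0DB8::/16 -> 2001::/16)
            spec = tok[0] if len(tok) == 2 else f"{tok[0]}/{tok[1]}"
            networks.append((ipaddress.ip_network(spec, strict=False), tok[-1]))
    return flags, networks, defaults

def resolve(networks, defaults, addr, is_local, sysname="SYS1", tcpname="TCPIP"):
    """Longest prefix wins; DEFAULTHOME then DEFAULT for unmapped; None means no SAF check."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, zone in networks:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, zone)
    if best is not None:
        zone = best[1]
    elif is_local and "DEFAULTHOME" in defaults:
        zone = defaults["DEFAULTHOME"]                # local address, not otherwise mapped
    elif "DEFAULT" in defaults:
        zone = defaults["DEFAULT"]                    # remote (or all, without DEFAULTHOME)
    else:
        return None
    return f"EZB.NETACCESS.{sysname}.{tcpname}.{zone}"  # sysname/tcpname are constructed
```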
Usage notes
- The NETACCESS statement is optional.
- The initial profile or a VARY TCPIP,,OBEYFILE command data set can contain multiple NETACCESS statements.
- The first NETACCESS statement of each configuration data set that is executed resets the flags to OUTBOUND, NOINBOUND, and CACHEALL and clears any existing NETACCESS list prior to processing the flags and entries in that statement.
- Subsequent NETACCESS statements in the same configuration data set override any flags specified and add or replace specified entries in the list. Default flag values do not override previously specified values.
- Specifying a DEFAULT is optional. If you do not specify a default, Network Access Control applies only to the networks that are explicitly listed in NETACCESS statements.
- When an incorrect NETACCESS entry is encountered, all entries following that entry in that NETACCESS statement are ignored. IPv4 entries, as well as any DEFAULT and DEFAULTHOME entries, should precede the first IPv6 entry, to ensure that they are accepted if the TCP/IP stack is not IPv6 enabled.
- If the new NETACCESS list is empty at the end of the configuration data set, Network Access Control is disabled.