Use the PORT statement to reserve a port for one or more specified job names or to control application access to unreserved ports.
.------------------------------------------------------------------. V | >>-PORT----+-num--+-TCP-+--+-RESERVED-----------------+-------------------+-+->< | '-UDP-' '-jobname--+-------------+-' | | '-| Options |-' | | .-WHENLISTEN-. | '-UNRSV--+-TCP--+-jobname--+-------------+-+--+------------+-+-' | | '-SAF resname-' | '-WHENBIND---' | | '-*--+-------------+-------' | | +-DENY--------+ | | '-SAF resname-' | | .-WHENBIND-. | '-UDP--+-jobname--+-------------+-+--+----------+---' | '-SAF resname-' | '-*--+-------------+-------' +-DENY--------+ '-SAF resname-' Options .-DELAYAcks---. |--+-----------+--+-------------+--+--------------+-------------> '-NOAUTOLog-' '-NODELAYAcks-' +-SHAREPort----+ '-SHAREPORTWLM-' >--+---------------+--+---------------+--+--------+-------------| '-BIND --ipaddr-' '-SAF --resname-' '-NOSMCR-'
Requirement: For z/OS® UNIX applications that are invoked by INETD, ensure that the port number defined for the application in the /etc/services file is the same as the port number reserved for the application on the PORT statement.
Use PORT UNRSV statements to indicate which applications or users are permitted to access application-specified unreserved ports. PORT UNRSV statements control access to all unreserved ports in the range 1 - 65535 unless RESTRICTLOWPORTS is configured; however, when RESTRICTLOWPORTS is configured, PORT UNRSV statements control access to unreserved ports only above port 1023. For UDP, access control is applied when an application issues a bind to a particular port number to establish a local port. For TCP, access control is applied depending on the value of the WHENBIND or WHENLISTEN parameter.
If neither DENY nor the SAF keyword is specified, an application that matches the protocol and specified job name [the job name can be an asterisk (* )] on a PORT UNRSV statement can access unreserved ports. If DENY is specified, all applications are denied access to unreserved ports for the specified protocol. If the SAF keyword is specified, applications that match the PORT UNRSV statement must also have user access to the SAF SERVAUTH resource which is indicated by the SAF keyword, to be permitted to access an unreserved port.
Guideline: In a Common INET (CINET) environment with multiple stacks and no established stack affinity, an explicit bind to port 0 is converted to a bind to a specific port in the CINET range. If you have not reserved the ports in your CINET range for jobname OMVS, the explicit bind to port 0 is treated as an explicit bind to an unreserved port.
For multiple TCP reservations for the same port, or for multiple PORT UNRSV statements for the same protocol, the TCP/IP stack searches these PORT statements for the closest match (if any) to the application's job name. If you specified the job name using a wildcard on more than one of these statements, the TCP/IP stack matches the application job name to a PORT statement jobname value using the most specific value first and the least specific value (or value *, if it was specified) last.
Restriction: To reserve a port that is to be monitored by AUTOLOG, the jobname name must exactly match (no wildcards) the jobname name on the AUTOLOG statement.
The environment in which the application is run determines the job name to be associated with a particular client or server application.
The following list explains how to determine the jobname value given the environment in which the application is run:
Reserved Port Options:
As incoming client connections arrive for this port and IP address, TCP/IP distributes them across the listeners. Specification of this keyword causes incoming connection requests for the port to be distributed among the listeners using a weighted round-robin distribution method based on the servers' accept Efficiency Fractions (SEFs) of the listeners sharing the port. The SEF is a measure, calculated at intervals of approximately one minute, of the efficiency of the server application in accepting new connection requests and managing its backlog queue. Alternatively, SHAREPORTWLM can be coded instead; SHAREPORTWLM changes the connection distribution algorithm.
If the same port is reserved for multiple job names, SHAREPORT or SHAREPORTWLM needs to be specified on only one instance of the port reservation. SHAREPORTand SHAREPORTWLM are valid only for TCP ports. The last setting of either SHAREPORT or SHAREPORTWLM is used for all TCP/IP servers that use that port.
The SHAREPORTWLM option can be used instead of SHAREPORT. Like SHAREPORT, SHAREPORTWLM causes incoming connections to be distributed among a set of TCP listeners; however, unlike SHAREPORT, the listener selection is based on WLM server-specific recommendations, modified by the SEF values for each listener. WLM server-specific recommendations are acquired at intervals of approximately 1 minute from the Work Load Manager and reflect the listener's capacity to handle additional work.
If the same port is reserved for multiple job names, SHAREPORT or SHAREPORTWLM needs to be specified on only one instance of the port reservation. SHAREPORT and SHAREPORTWLM are valid only for TCP ports. The last setting of either SHAREPORT or SHAREPORTWLM is used for all TCP/IP servers that use that port.
Result: zAAP and zIIP processor capacity is automatically included when the SHAREPORTWLM parameter is specified and all systems in the sysplex are V1R9 or later.
You can specify either an IPv4 address (in dotted decimal notation) or an IPv6 address (in hexadecimal notation). IPv4-mapped IPv6 addresses and IPv6 addresses with the reserved prefix ::/96 are not supported.
Rule: The BIND ipaddr parameter does not apply to the PORTRANGE statement.
EZB.PORTACCESS.sysname.tcpname.resname
where If the SAF keyword is specified and a user tries to bind to the port and is not allowed access to the resource, the BIND socket call fails.
Tip: The SAF keyword is ignored when VTAM opens a UDP port for Enterprise Extender (EE) network connections. However, it can still be used to prevent other address spaces that are using the same name as the VTAM started task from opening the port.
This is optional and valid for TCP or UDP protocols.
If the jobname parameter is specified as an asterisk (*), any user ID that is RACF-permitted to the resource specified by the resname value is allowed to bind to the port specified by the value; APF or superuser authority is not required.
This permits multiple users access to the protected port. However, the stack allows only one user to actually BIND to the port at a time. Use SHAREPORT or SHAREPORTWLM to override this behavior for TCP ports.
Guideline: If an application binds to an IP address that is also specified in a VIPARANGE statement subnet, then additional security verification might occur to determine whether the application can create the dynamic VIPA (DVIPA). This additional verification might occur whether the application explicitly binds to the DVIPA address or whether the application binds to the unspecified address and is converted to the DVIPA address using the BIND parameter. For information about security profiles for binding to DVIPAs in the VIPARANGE statement, see z/OS Communications Server: IP Configuration Guide.
Unreserved Port Options:
A PORT UNRSV protocol * DENY statement is needed only if no other PORT UNRSV statements are configured for the specified protocol and you want to prevent all access to unreserved ports using that protocol.
Rule: Every PORT UNRSV statement for the TCP protocol must use the same access control option. You cannot specify , or default to, the WHENLISTEN parameter on some statements and specify the WHENBIND parameter on other statements.
Rule: Every PORT UNRSV statement for the TCP protocol must specify, or default to, the same access control option. You cannot specify the WHENLISTEN parameter on some statements and specify the WHENBIND parameter on other statements.
To change a parameter value, you must delete the existing PORT statement by using the DELETE PORT statement, then redefine with the new PORT statement.
The following example was used for test configuration and is provided here for illustration only. The sample profile, SEZAINST(SAMPPROF), contains the most current assignments.
PORT
7 UDP MISCSERV ; Miscellaneous Server - echo
7 TCP MISCSERV ; Miscellaneous Server - echo
9 UDP MISCSERV ; Miscellaneous Server - discard
9 TCP MISCSERV ; Miscellaneous Server - discard
19 UDP MISCSERV ; Miscellaneous Server - chargen
19 TCP MISCSERV ; Miscellaneous Server - chargen
20 TCP * NOAUTOLOG ; FTP Server
; 20 TCP * NOAUTOLOG SAF FTPDATA ; FTP Server
21 TCP FTPD1 ; FTP Server
23 TCP TN3270 ; Telnet 3270 Server
; 23 TCP INETD1 BIND 9.67.113.3 ; z/OS UNIX Telnet server
25 TCP SMTP ; SMTP Server
111 TCP PORTMAP ; Portmap Server (SUN 3.9)
111 UDP PORTMAP ; Portmap Server (SUN 3.9)
; 111 TCP PORTMAP1 ; Unix Portmap Server (SUN 4.0)
; 111 UDP PORTMAP1 ; Unix Portmap Server (SUN 4.0)
123 UDP SNTPD ; Simple Network Time Protocol Server
135 UDP LLBD ; NCS Location Broker
161 UDP OSNMPD ; SNMP Agent
389 TCP LDAPSRV ; LDAP Server
443 TCP HTTPS ; http protocol over TLS/SSL
443 UDP HTTPS ; http protocol over TLS/SSL
; 500 UDP IKED ; CS IKE daemon
512 TCP RXSERVE ; Remote Execution Server
514 TCP RXSERVE ; Remote Execution Server
; 512 TCP * SAF OREXECD ; z/OS UNIX Remote Execution Server
; 514 TCP * SAF ORSHELLD ; z/OS UNIX Remote Shell Server
; 515 TCP LPSERVE ; LPD Server
; 515 TCP AOPLPD ; Infoprint LPD Server
520 UDP OMPROUTE ; OMPROUTE Server (IPv4 RIP)
521 UDP OMPROUTE ; OMPROUTE Server (IPv6 RIP)
580 UDP NCPROUT ; NCPROUTE Server
750 TCP MVSKERB ; Kerberos
750 UDP MVSKERB ; Kerberos
751 TCP ADM@SRV ; Kerberos Admin Server
751 UDP ADM@SRV ; Kerberos Admin Server
; 1700 TCP PAGENT NOAUTOLOG ; Policy Agent pagentQosListener port
; 1701 TCP PAGENT NOAUTOLOG ; Policy Agent pagentQosCollector port
3000 TCP CICSTCP ; CICS Socket
3389 TCP MSYSLDAP ; LDAP Server for Msys
; 4159 TCP NSSD ; CS NSS daemon
; 4500 UDP IKED ; CS IKE daemon
;16310 TCP PAGENT NOAUTOLOG ; Policy Agent server listener port
;
The following examples control application access to unreserved ports:
PORT UNRSV TCP * DENY WHENBIND
PORT UNRSV TCP * DENY WHENLISTEN
PORT UNRSV TCP ABC* WHENLISTEN
Guideline: If the ports that applications ABC* are accessing are predictable, you should use PORT reservation statements for those specific ports instead of using the PORT UNRSV statement.
PORT UNRSV TCP MYAPP1
PORT UNRSV TCP * SAF GENERIC
PORT UNRSV UDP * SAF GENERIC
PORT
514 UDP OMVS ; syslogd Server
This port is
required for syslogd to accept log data from remote syslogd servers. PORT 514 UDP SYSLOGD1