Important Information
Important details apply when creating IPC resource rules:
- The CA ACF2 for VM service machine and the VM operating system are allowed unconditional IUCV and VMCF access. You do not need to write IPC resource rules for the CA ACF2 for VM service machine and the VM operating system.
- A CA ACF2 for VM front-end to IPC resource rules lets you choose which target machines are secured for validation. This feature is provided by the COMSEC operand of the VMXAOPTS macro in HCPAC0. The default COMSEC specification is (INCLUDE,-), which secures all virtual machines and CP services for IUCV and VMCF resource rule validation.
COMSEC=(INCLUDE,ALL) does not secure all virtual machines, CP services, and resource IDs for IPC validation. ALL is a valid target name for VMCF only; you can specify it as a $KEY value for VMCF resource validation, and in COMSEC it means that CA ACF2 for VM validates all virtual machines and CP services for VMCF, not for IUCV or APPC/VM. With (INCLUDE,ALL), no resource rule validation is performed for IUCV or APPC/VM.
- An IUCV, APPC/VM, or VMCF resource rule authorizes a communication path in one direction only (from the initiator named in the rule entry to the target named in $KEY). If you want virtual machines to be able to initiate the communication path in either direction, you need two rules:
$KEY(VMSYSU) TYPE(IUC)
UID(TLCAMS) ALLOW
$KEY(VMTARG) TYPE(IUC)
UID(TLCPJM) ALLOW
The first rule lets TLCAMS issue an IUCV CONNECT to VMSYSU. The second rule lets TLCPJM issue an IUCV CONNECT to VMTARG. TLCAMS is the initiator in the first rule. TLCPJM is the initiator in the second rule.
- The IUCV and VMCF fields of the RESCLASS VMO record define the type codes required for IUCV and VMCF resource rules, respectively. The IUCV field also defines the type code for APPC/VM resource rules. IUCV and APPC/VM always share the same type code. The defaults are IUCV(IUC) and VMCF(VMC). These values implement type codes IUC (to validate IUCV and APPC/VM) and VMC (to validate VMCF).
- You can specify the resource rule's type code in the RESTYPE VMO record to implement $KEY resource name masking for IPC resource rules. This type code must be the same value that is specified in the IUCV and VMCF operands of the RESCLASS VMO record. You can use standard UID masking in individual rule entries.
- You can specify the percent sign (%) in IPC rules to stand for a literal asterisk (*) in the name of the target you want to protect, since an asterisk by itself would be treated as a masking character.
COMPILE
ACFCMP510I ACF compiler entered
$KEY(%MSG) TYPE(IUC)
UID(TLCAMS) ALLOW
ACFCMP551I Total record length=144 bytes - 3 percent utilized
RESOURCE
The target of this IUCV rule is *MSG, a CP system service. The percent sign (%) lets you indicate that *MSG is the literal name of the target to protect, not MSG prefixed by some character. To indicate *MSG in the SRVMOPTS COMSEC list, specify %MSG, just like in the $KEY value.
- You should never use the following resource IDs for APPC/VM rules: ANY, ALLOW, or SYSTEM. Also, a resource ID should not be identical to a user ID.
- The TSAF virtual machine issues APPC/VM CONNECT and SEVER on behalf of remote initiator machines; the same applies to any user-written APPC/VM communications server. CA ACF2 for VM validates the communications server virtual machine for access, not the originator that issued the request to the server. A rule entry that permits the server's UID therefore permits every remote originator that routes its requests through that server.
- The access permissions specified in rule entries perform the following functions:
  - ALLOW: Validates an IPC communication path. CA ACF2 for VM does not create audit records.
  - LOG: Validates an IPC communication path. CA ACF2 for VM creates audit records when the IPC path is established and when it is terminated. This access permission is important for systems running in a C2-rated environment, as defined by the National Computer Security Center (NCSC).
  - PREVENT: Stops the IPC communication path. CA ACF2 for VM creates audit records for the invalid access attempt. The user and the operator receive CA ACF2 for VM error messages.
CA ACF2 for VM ignores the SERVICE and VERIFY keywords for resource rules for IUCV, APPC/VM, and VMCF communications.
Normal source and shift controls apply to the validation process.
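To make the behaviour in the list above concrete, here is an added Python model of the validation decisions it describes. It is an illustration written for this page, not CA ACF2 for VM code, and it exercises the one-way nature of a rule, the % spelling for a literal * in a target name, the shared IUC type code for IUCV and APPC/VM, COMSEC=(INCLUDE,ALL) securing VMCF only, the unconditional access of the service machine, and TSAF being validated in place of the remote originators it serves. The unconditional machine names, the first-match ordering of rule entries, the PREVENT-with-audit outcome when no rule matches, and the masking semantics (* for exactly one character, - for the remainder of a name) are assumptions of the model, not statements from the page; the rule set and CONNECT requests in demo() are constructed sample input.

```python
"""Model of CA ACF2 for VM IPC resource-rule validation. Added illustration; not CA code.

Assumed (not from the page): rule entries are tried in listed order and the first
matching UID entry decides; with no matching rule the path is PREVENTed and audited;
masking uses '*' for exactly one character and '-' for the rest of the name.
"""
import re
from dataclasses import dataclass

# RESCLASS VMO record defaults: IUCV and APPC/VM share type code IUC, VMCF uses VMC.
RESCLASS = {"IUCV": "IUC", "APPC": "IUC", "VMCF": "VMC"}

# Machines with unconditional IUCV/VMCF access (the ACF2 service machine and CP).
# The names are hypothetical placeholders for this model.
UNCONDITIONAL = {"ACF2VM", "CP"}


@dataclass(frozen=True)
class Rule:
    key: str       # $KEY target name; a '%' stands for a literal '*' (e.g. %MSG is *MSG)
    rtype: str     # TYPE code: IUC or VMC
    uid_mask: str  # UID mask of the rule entry (the initiator of the CONNECT)
    access: str    # ALLOW, LOG or PREVENT


def mask_matches(mask: str, value: str) -> bool:
    """ACF2-style masking: '*' matches one character, '-' the remainder, '%' a literal '*'."""
    parts = []
    for c in mask:
        if c == "-":
            parts.append(".*")
        elif c == "*":
            parts.append(".")
        elif c == "%":
            parts.append(r"\*")
        else:
            parts.append(re.escape(c))
    return re.fullmatch("".join(parts), value) is not None


def target_is_secured(target: str, protocol: str, comsec) -> bool:
    """COMSEC=(INCLUDE|EXCLUDE, names): '-' lists every target; ALL lists every target for VMCF only."""
    mode, names = comsec
    listed = any(
        n == "-" or (n == "ALL" and protocol == "VMCF") or mask_matches(n, target)
        for n in names
    )
    return listed if mode == "INCLUDE" else not listed


def validate(rules, initiator, target, protocol, comsec=("INCLUDE", ["-"])):
    """Decide one CONNECT from initiator to target; returns (decision, audit_record_written)."""
    if initiator in UNCONDITIONAL:
        return "ALLOW", False                 # no rule needed, nothing logged
    if not target_is_secured(target, protocol, comsec):
        return "ALLOW", False                 # target is outside the COMSEC scope
    rtype = RESCLASS[protocol]
    for rule in rules:
        if (rule.rtype == rtype and mask_matches(rule.key, target)
                and mask_matches(rule.uid_mask, initiator)):
            return rule.access, rule.access != "ALLOW"   # LOG and PREVENT write audit records
    return "PREVENT", True                    # assumed default when no rule matches


def demo():
    """Constructed rule set and CONNECT requests exercising each point in the list above."""
    rules = [
        Rule("VMSYSU", "IUC", "TLCAMS", "ALLOW"),  # TLCAMS may CONNECT to VMSYSU (one direction)
        Rule("VMSYSU", "IUC", "TSAF", "LOG"),      # TSAF is validated, not the remote originator
        Rule("VMTARG", "IUC", "TLCPJM", "ALLOW"),
        Rule("%MSG", "IUC", "TLCAMS", "ALLOW"),    # literal *MSG CP system service
        Rule("VMSYSU", "VMC", "TLC-", "LOG"),      # any TLC... machine over VMCF, with audit
    ]
    return {
        "forward": validate(rules, "TLCAMS", "VMSYSU", "IUCV"),
        "reverse_needs_second_rule": validate(rules, "VMSYSU", "TLCAMS", "IUCV"),
        "literal_star_target": validate(rules, "TLCAMS", "*MSG", "IUCV"),
        "not_a_prefix_mask": validate(rules, "TLCAMS", "XMSG", "IUCV"),
        "appc_uses_iuc_code": validate(rules, "TLCPJM", "VMTARG", "APPC"),
        "vmcf_logged": validate(rules, "TLCPJM", "VMSYSU", "VMCF"),
        "include_all_secures_vmcf": validate(rules, "TLCPJM", "VMSYSU", "VMCF", ("INCLUDE", ["ALL"])),
        "include_all_skips_iucv": validate(rules, "VMSYSU", "TLCAMS", "IUCV", ("INCLUDE", ["ALL"])),
        "exclude_by_literal_name": validate(rules, "TLCPJM", "*MSG", "IUCV", ("EXCLUDE", ["%MSG"])),
        "service_machine": validate(rules, "ACF2VM", "VMSYSU", "IUCV"),
        "tsaf_on_behalf_of_remote": validate(rules, "TSAF", "VMSYSU", "APPC"),
    }


if __name__ == "__main__":
    for name, (decision, audited) in demo().items():
        print(f"{name:28} {decision:7} audit={audited}")
```

Run it as a script to see each decision. The reverse_needs_second_rule case is the one-way point: VMSYSU cannot CONNECT back to TLCAMS until a $KEY(TLCAMS) rule exists. The include_all_skips_iucv case shows why (INCLUDE,ALL) is weaker than it looks: the same request that is prevented under the default (INCLUDE,-) is simply not validated at all, because ALL only brings VMCF targets into scope.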
Copyright © 2009 CA Technologies.
All rights reserved.