Protecting IUCV, APPC/VM, and VMCF

Writing Resource Rules › Protecting IUCV, APPC/VM, and VMCF

Protecting IUCV, APPC/VM, and VMCF

The Inter‑User Communication Vehicle (IUCV), Advanced Program‑to‑Program Communications/VM, and the Virtual Machine Communication Facility (VMCF) define communication paths for the transfer of data between two processes (for example, virtual machines and CP system services). With CA ACF2 for z/VM, you can specify a fine degree of audit and control when establishing and terminating IUCV, APPC/VM, or VMCF communication paths.

You must supply the VMSAF LID attribute for the service machine to perform an APPC/VM path connection with password validation. This includes APPC/VM VTAM support (AVS) service machines.

The following terms are used in this section:

Initiator@Machine: Invokes a request to perform a data or message transfer.
Target Machine: Specifies the recipient of a request to perform a data or message transfer. This recipient is not necessarily a virtual machine, but can also be a CP system service or an application‑defined resource ID.

When you issue a request to establish or terminate an IUCV, APPC/VM, or VMCF path connection, CA ACF2 for z/VM can allow, prevent, or log the action with a resource rule. CA ACF2 for z/VM checks the resource rule this way. (Each rule entry defines an IUCV, APPC/VM, or VMCF path connection from an initiator virtual machine to a target machine.)

CA ACF2 for z/VM validates the user ID of the target machine as a rule set $KEY value.
CA ACF2 for z/VM validates the user ID, CP system service, or resource ID of the initiator machine as a UID value of an entry in the rule set. For this value, standard UID masking applies.
The rule set type codes are IUC (to validate IUCV and APPC/VM) or VMC (to validate VMCF) by default. You can modify these values.

Invalid path attempts or loggings using IUCV, APPC/VM, or VMCF resource rule validation are reported in the Resource Event Log (ACFRPTRV).