Important details apply when you create IUCV, APPC/VM, or VMCF resource rules:
The default COMSEC specification is (INCLUDE,-). It secures all virtual machines, CP services, and resource IDs for IUCV, APPC/VM, and VMCF resource rule validation. You must write resource rules to use IUCV, APPC/VM, and VMCF communications with this default setting.
To secure a CP system service in the COMSEC list, use a percent sign (%) in place of the asterisk (*) in the service name, to distinguish it from the masking character. For example, to exclude the *MSG service in a COMSEC EXCLUDE list, enter (EXCLUDE,%MSG).
The specification COMSEC=(INCLUDE,ALL) does not secure all virtual machines, CP services, and resource IDs for IUCV, APPC/VM, and VMCF validation. ALL is a valid target name for VMCF only (specified as a $KEY value for VMCF resource validation). ALL indicates that all virtual machines and CP services for VMCF are validated, not those for IUCV or APPC/VM. (INCLUDE,ALL) does not perform resource rule validation for IUCV or APPC/VM.
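The COMSEC pitfalls described above can be checked mechanically before a specification is deployed. The following is an added example, not CA ACF2 code or output: the function name lint_comsec and the comma-separated multi-target syntax are assumptions, and the sample specifications are constructed.

```python
import re

SPEC_RE = re.compile(
    r"\s*(?:COMSEC\s*=\s*)?\(\s*(INCLUDE|EXCLUDE)\s*,\s*(.*?)\s*\)\s*", re.I)

def lint_comsec(spec):
    """Parse a COMSEC value; return (mode, targets, warnings)."""
    m = SPEC_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"not a COMSEC specification: {spec!r}")
    mode = m.group(1).upper()
    # Assumption: several targets are comma-separated inside the parentheses.
    raw = [t.strip().upper() for t in m.group(2).split(",") if t.strip()]
    if not raw:
        raise ValueError("COMSEC list has no targets")
    targets, warnings = [], []
    for t in raw:
        if t.startswith("%"):
            # % stands for the asterisk of a CP system service name.
            targets.append(("cp-service", "*" + t[1:]))
        elif t == "ALL":
            targets.append(("vmcf-all", t))
            if mode == "INCLUDE":
                warnings.append("ALL is a VMCF-only target: IUCV and APPC/VM "
                                "get no resource rule validation; the default "
                                "(INCLUDE,-) secures all three")
        elif t.startswith("*"):
            targets.append(("mask", t))
            warnings.append(f"{t}: '*' is read as the masking character; if a "
                            f"CP service is meant, write %{t[1:]}")
        elif t == "-":
            targets.append(("mask-all", t))
        else:
            targets.append(("name-or-mask", t))
    return mode, targets, warnings

if __name__ == "__main__":
    # Constructed sample specifications, not taken from a real system.
    for s in ["COMSEC=(INCLUDE,-)", "(EXCLUDE,%MSG)",
              "COMSEC=(INCLUDE,ALL)", "(EXCLUDE,*MSG)"]:
        mode, targets, warnings = lint_comsec(s)
        print(s, "->", mode, targets)
        for w in warnings:
            print("  WARNING:", w)
```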
$KEY(DIRM2) TYPE(IUC) UID(TLC) LOG
This rule set allows communication path initiation: users who match the TLC- UID mask can issue an IUCV CONNECT to DIRM2. Because the LOG access permission is specified, CA ACF2 for z/VM creates an SMF record when the IUCV path is established and when it is terminated. This rule also allows an APPC/VM CONNECT to a DIRM2 resource ID.
acf
ACF
set resource(iuc)
RESOURCE
compile
ACFpgm510I ACF COMPILER ENTERED
$KEY(dirm2) type(iuc) uid(TLC) log
end
ACFpgm551I TOTAL RECORD LENGTH=NN BYTES NN PERCENT UTILIZED
store
ACFpgm769I RULE DIRM2 STORED
end
You can display the resource rules on the Infostorage database with the DECOMP subcommand of the RESOURCE setting. Each rule entry defines a one‑way IUCV, APPC/VM, or VMCF path connection from an initiator virtual machine to a target machine. A separate rule is required for each recipient to perform an IUCV, APPC/VM, and VMCF data or message transfer. In each rule, you must specify the logonid of the target machine or CP service as the $KEY value. The UID portion of the rule entry is the initiator machine.
Copyright © 2009 CA Technologies.
All rights reserved.