SNA Network Management Interface Security Requirements

Preparing the IBM Communications Server › Security Requirements for SNAMI › SNA Network Management Interface Security Requirements

SNA Network Management Interface Security Requirements

The security requirements for the SNA Network Management Interface are:

The user ID assigned to the VTAM address space must have an OMVS segment defined and have write access to the /var directory.
If you use a SERVAUTH class SAF resource to control access to the VTAM SNAMGMT server, the user ID assigned to the SOLVE SSI address space must be permitted access to the resource. The resource name is IST.NETMGMT.sysname.SNAMGMT, where sysname is the system name where the interface is used.

Access problems to /var and IST.NETMGMT.sysname.SNAMGMT are indicated by the presence of messages NSN58n in the SOLVE SSI log.

Examples: Setting IST.NETMGMT.sysname.SNAMGMT security

This example sets the security requirements in an CA ACF2 system:

SET RESOURCE(SER)
COMPILE
$KEY(IST) TYPE(SER)
  NETMGMT.sysname.SNAMGMT UID(uid) SERVICE(READ) ALLOW
STORE

SER
The value set in the CLASMAP definition in the GSO for SERVAUTH resources.
uid
The UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(IST.NETMGMT.sysname.SNAMGMT) ACCESS(READ)

userid
The ACID of the region user.

This example sets the security requirements in a RACF system:

PER IST.NETMGMT.sysname.SNAMGMT CLASS(SERVAUTH) ID(userid) ACCESS(READ)

userid
The user ID of the region.

IPSec Network Management Interface Setup

If you use IPSec, you can use the IPSec Network Management Interface (IPSECNMI) of the product to monitor it. The interface requires the IKED daemon to be active.

IPSec Network Management Interface Security Requirements

The security requirements for the IPSec Network Management Interface are:

The user ID assigned to the SOLVE SSI address space must have:
- An OMVS segment defined
- Permission to enter the /var/sock directory
- Permission to write to the /var/sock/ipsecmgmt socket
If you use a SERVAUTH class SAF resource to restrict access to IPSec network management interface, the user ID assigned to the SOLVE SSI address space must be permitted to access to the resources:
```
EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY
EZB.NETMGMT.sysname.tcpipname.IPSEC.CONTROL
EZB.NETMGMT.sysname.sysname.IKED.DISPLAY
```
- sysname
  Specifies the system name where the interface is used.
- tcpipname
  Specifies the name of the TCP/IP stack.
If you don't use a SERVAUTH class SAF resource to restrict access to IPSec network management interface, the user ID assigned to the SOLVE SSI address space must be one of:
- An OMVS superuser
- Permitted to access to the FACILITY class SAF resource BPX.SUPERUSER.

Access problems to /var and EZB.NETMGMT.** are indicated by the presence of messages NIS58n in the SOLVE SSI log.

Examples: Setting EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY security

This example sets the security requirements in an CA ACF2 system:

SET RESOURCE(SER)
COMPILE
$KEY(EZB) TYPE(SER)
  NETMGMT.sysname.tcpipname.IPSEC.DISPLAY UID(uid) SERVICE(READ) ALLOW
STORE

SER
The value set in the CLASMAP definition in the GSO for SERVAUTH resources.
Uid
The UID of the region user.

This example sets the security requirements in a CA Top Secret system:

TSS PER(userid) SERVAUTH(EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY) ACCESS(READ)

Userid
The ACID of the region user.

This example sets the security requirements in a RACF system:

PER EZB.NETMGMT.sysname.tcpipname.IPSEC.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)

Userid
The user ID of the region.