User Authorization to View Packet Payload Data

Because IP packets can contain sensitive information, authority to view the payload data must be granted by your external security system (CA ACF2 for z/OS, CA Top Secret for z/OS, or RACF). The user must have READ access to NETMSTR.PKTTRACE.region, where region is the region's ACB name, as specified in the PRI= parameter in the RUNSYSIN member.

CA Top Secret

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands:

TSS ADD(dept) IBMFAC(NETMSTR)
TSS PERMIT(USER1) IBMFAC(NETMSTR.PKTTRACE.*) ACCESS(NONE)  

To allow user USER1 to access SmartTrace data, issue the following command:

TSS PERMIT(USER1) IBMFAC(NETMSTR.PKTTRACE.NMTEST) ACCESS(CONTROL)

CA ACF2

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands:

[ACF]
SET RESOURCE(FAC)
COMPILE *
$KEY(NETMSTR.PKTTRACE.*) TYPE(FAC)

To allow user USER1 to access SmartTrace data, issue the following commands:

$KEY(NETMSTR.PKTTRACE.NMTEST) TYPE(FAC) USER1(USER1) READ(ALLOW)
STORE
[END]

RACF

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands:

RDEFINE FACILITY NETMSTR.PKTTRACE.* UACC(NONE)
RDEFINE FACILITY NETMSTR.PKTTRACE.NMTEST UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH

To allow user USER1 to access SmartTrace data, issue the following command:

PERMIT NETMSTR.PKTTRACE.NMTEST CLASS(FACILITY) ID(USER1) ACCESS(READ)

User Authorization for IP Security Functions

If you use IPSec, your security system must authorize individual users for READ access to the SERVAUTH resource, as shown in the following examples.

Examples: Authorizing IP security displays and commands

This example authorizes IP security on a CA ACF2 system:

$KEY(MVS) TYPE(OPR) EZB.IPSECCMD.sysname.stackname- UID(uid_string) SERVICE(READ) ALLOW

This example authorizes IP security on a CA Top Secret system:

TSS PER(acid) OPERCMD(EZB.IPSECCMD.sysname.stackname) ACCESS(READ)

This example authorizes IP security on a RACF system:

PE EZB.IPSECCMD.sysname.stackname CLASS(SERVAUTH) ID(uuuuuuu) ACCESS(READ)


Copyright © 2010 CA. All rights reserved.