z/OS provides the ability to run a firewall under USS. Support is distributed with the Communication Server and with the Security Server. The z/OS Firewall Technologies reduces, but does not necessarily eliminate, the need for a non-z/OS platform firewall. The firewall is not configured using CA Top Secret; administration is performed through configuration files. CA Top Secret only defines the ACIDs, started tasks and permissions the firewall needs.
To set up the z/OS Firewall Technologies with CA Top Secret:
TSS CREATE(FWGRP) TYPE(GROUP) NAME('Firewall Group') DEPT(OMVSDEPT)
TSS ADD(FWGRP) GID(nn)
A group definition for use with the firewall is created. Any unused GID number is allowed.
TSS CREATE(FWKERN) TYPE(USER) NAME('Firewall Startup ID') DEPT(OMVSDEPT)
    FACILITY(STC,BATCH) PASS(password,0)
TSS ADD(FWKERN) GROUP(FWGRP) DFLTGRP(FWGRP) HOME(/usr/lpp/fw/home/fwkern/)
    OMVSPGM(/bin/sh) UID(0)
TSS ADD(STC) PROCNAME(FWKERN) ACID(FWKERN)
TSS MODIFY(OMVSTABS)
A firewall startup address space ID (FWKERN) is defined with UID(0) and associated with the FWKERN started task. TSS MODIFY(OMVSTABS) rebuilds the OMVS tables so the new UID and GID take effect.
TSS ADD(anydept) IBMFAC(FWKERN.)
TSS PERMIT(FWKERN) IBMFAC(FWKERN.START.REQUEST) ACCESS(UPDATE)
The FWKERN. resource prefix is owned by a department, and FWKERN is permitted to FWKERN.START.REQUEST so that it is allowed to issue start commands.
TSS ADD(STC) PROCNAME(ICAPSLOG) ACID(FWKERN)
TSS ADD(STC) PROCNAME(ICAPSOCK) ACID(FWKERN)
TSS ADD(STC) PROCNAME(ICAPPFTP) ACID(FWKERN)
TSS ADD(STC) PROCNAME(ICAPFLOG) ACID(FWKERN)
TSS ADD(STC) PROCNAME(ICAPTNAT) ACID(FWKERN)
Additional started tasks used by the firewall daemons are defined.
TSS PERMIT(FWKERN) DSN(TCPIP.*) ACCESS(READ)
FWKERN is given READ access to the TCP/IP data sets.
The high-level qualifier of these data sets might have been renamed from "TCPIP" when installed on your system.
TSS PERMIT(FWKERN) IBMFAC(BPX.SMF) ACCESS(READ)
The FWKERN ACID is permitted to the SMF logging facility.
TSS PERMIT(FWKERN) IBMFAC(BPX.DAEMON) ACCESS(READ)
The PFTP server, which runs under the FWKERN ACID (started task ICAPPFTP), is permitted to the BPX.DAEMON facility.
TSS ADD(administrator) GROUP(FWGRP)
Firewall administrators are members of the group FWGRP or have superuser authority.
TSS ADD(dept) CSFSERV(service-name)
TSS PERMIT(acid) CSFSERV(service-name) ACCESS(READ)
Firewall Technologies can invoke z/OS Integrated Cryptographic Service Facility (ICSF) services to perform internal security functions. These services are protected by the CSFSERV resource class: the service names are owned by a department, and users are permitted only to the individual services they need.
For the individual service names, see the IBM Firewall manuals and the ICSF/MVS Administrator's Guide.
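As an added example (not CA's code and not part of this page), a small Python checker that parses a TSS command script built from the commands above into a per-ACID model and lists the grants worth confirming in review: the UID(0) assignment, the BPX.DAEMON permit and any IBMFAC access above READ. The script layout (one command per line, continuation lines indented) and the GID and password values are assumptions of the example.

```python
import re
# Constructed sample (not from the page): this procedure's commands as one TSS
# command script with indented continuation lines; GID and password are placeholders.
TSS_SCRIPT = """\
TSS CREATE(FWGRP) TYPE(GROUP) NAME('Firewall Group') DEPT(OMVSDEPT)
TSS ADD(FWGRP) GID(99)
TSS CREATE(FWKERN) TYPE(USER) NAME('Firewall Startup ID') DEPT(OMVSDEPT)
    FACILITY(STC,BATCH) PASS(xxxxxxxx,0)
TSS ADD(FWKERN) GROUP(FWGRP) DFLTGRP(FWGRP) HOME(/usr/lpp/fw/home/fwkern/)
    OMVSPGM(/bin/sh) UID(0)
TSS PERMIT(FWKERN) IBMFAC(FWKERN.START.REQUEST) ACCESS(UPDATE)
TSS PERMIT(FWKERN) DSN(TCPIP.*) ACCESS(READ)
TSS PERMIT(FWKERN) IBMFAC(BPX.SMF) ACCESS(READ)
TSS PERMIT(FWKERN) IBMFAC(BPX.DAEMON) ACCESS(READ)
"""
KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")      # KEYWORD(value) operands
RESOURCE_CLASSES = {"IBMFAC", "DSN", "CSFSERV"}  # classes this procedure uses

def join_continuations(script):
    """Fold indented continuation lines into the command they belong to."""
    commands = []
    for line in script.splitlines():
        if line[:1].isspace():
            commands[-1] += " " + line.strip()
        elif line.strip():
            commands.append(line.strip())
    return commands

def parse_tss(script):
    """Return (attributes per ACID, permits per ACID as {(class, resource, access)})."""
    attrs, permits = {}, {}
    for cmd in join_continuations(script):
        (verb, target), *rest = KEYWORD.findall(cmd)
        fields = dict(rest)
        if verb == "PERMIT":
            cls = next(k for k in fields if k in RESOURCE_CLASSES)
            grant = (cls, fields[cls], fields.get("ACCESS", "READ"))
            permits.setdefault(target, set()).add(grant)
        else:                      # CREATE / ADD of a user or group ACID
            attrs.setdefault(target, {}).update(fields)
    return attrs, permits

def review_findings(attrs, permits):
    """Grants an auditor should confirm are intended: UID(0), BPX.DAEMON, IBMFAC above READ."""
    findings = [f"{a}: UID(0)" for a, f in attrs.items() if f.get("UID") == "0"]
    for acid, grants in permits.items():
        for cls, res, acc in grants:
            if res == "BPX.DAEMON" or (cls == "IBMFAC" and acc != "READ"):
                findings.append(f"{acid}: {cls}({res}) ACCESS({acc})")
    return sorted(findings)
```

Running review_findings over the sample lists the three grants that give FWKERN more than ordinary read access, which is the set to tie back to the started tasks that actually need them.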
Copyright © 2014 CA Technologies.
All rights reserved.