The SERVAUTH Resource Class

sponsored by the Henderson Group Computer Security Consulting and Training

(This article describes the SERVAUTH resource class, used with IBM mainframe computers as a feature of the RACF computer security software.)

The SERVAUTH resource class (new with RACF 2.10 and with RACF 2.8 with certain PTFs applied) supports TCP/IP security by controlling these four functions:

  1. Access to the TCP stack (that is, to use TCP/IP itself)

  2. Net access (specifying who can access a specified network)

  3. Port access (specifying who can use which TCP and UDP ports) (UDP is another protocol, similar to TCP in that it rides on top of IP, but different in that it is connectionless.)

  4. TN3270 Secure Telnet Port Access

As you can see, the SERVAUTH class fills in some important, previously-missing controls for TCP/IP.

This class must be RACLISTed, so you might set it up with this command:

SETR CLASSACT(SERVAUTH) RACLIST(SERVAUTH) AUDIT(SERVAUTH) GENERIC(SERVAUTH)

Rules in this class all have names beginning: EZB.xxx. where xxx indicates which of these four functions is being controlled.

1. Access to the TCP stack (that is, to use TCP/IP itself)

This prevents a user who has no business using TCP/IP from making calls to TCP/IP at all, and so from collecting information about the network, its names, and which servers and users are active. The call to RACF is made from the socket() call, a standard call in the C programming language to request a connection to TCP/IP. (Remember that a socket is the combination of an IP address and a port number.)

This call to RACF is not made for socket() calls issued in the TCP/IP address space, the USS address space, or the VTAM address space. This RACF call is also not made by releases of TCP/IP earlier than 2.10. When RACF is called for this check, if there is no matching rule, then all access requests are permitted. At least READ access is sufficient.

SERVAUTH rules for this function have names like:

RDEF SERVAUTH EZB.STACKACCESS.sysname.tcpname UACC(..) ...

where sysname is the name of the MVS system
(&SYSNAME as specified by the MVS system programmer) and
tcpname is the name of the TCP/IP started task

2. Net access (specifying who can access a specified network)

This prevents a user from accessing a given network, subnetwork, or host. RACF is called for this check when a TCP/IP packet is sent. You could use this to restrict which users are permitted to access the Internet or your intranet. READ access is sufficient.

SERVAUTH rules for this function have names like:

RDEF SERVAUTH EZB.NETACCESS.sysname.tcpname.netname UACC(..) ...

where sysname is the name of the MVS system (&SYSNAME as specified by the MVS system programmer) and
tcpname is the name of the TCP/IP started task and
netname is the name of the network, subnetwork, or host as identified in the NETACCESS statement in PROFILE.TCPIP.

3. Port access (specifying who can use which TCP and UDP ports)

You would use this to prevent a programmer from writing his own programs which use a given port, then executing those programs to "hijack" the port. (For example, such a program might otherwise take over the e-mail port, browse all e-mail, and then pass it on to the real e-mail server.) READ access is sufficient.

SERVAUTH rules for this function have names like:

RDEF SERVAUTH EZB.PORTACCESS.sysname.tcpname.portname UACC(..) ...

where sysname is the name of the MVS system (&SYSNAME as specified by the MVS system programmer) and
tcpname is the name of the TCP/IP started task and portname is the RACF name for the port, as specified in the SAF operand of the PORT or PORTRANGE statement in PROFILE.TCPIP.

4. TN3270 Secure Telnet Port Access

This is used to restrict users from using a secure port (where the previous function restricted access to any port). When a port is secured with SSL (Secure Sockets Layer), this use of SERVAUTH prevents unauthorized users from accessing the port. This extra control is used in conjunction with the CLIENTAUTH statement in PROFILE.TCPIP. RACF is called only if the CLIENTAUTH statement specifies SAFCERT. READ access is sufficient.

SERVAUTH rules for this function have names like:

RDEF SERVAUTH EZB.TN3270.sysname.tcpname.PORTnnnnn UACC(..) ...

where sysname is the name of the MVS system (&SYSNAME as specified by the MVS system programmer) and
tcpname is the name of the TCP/IP started task and
nnnnn is the port number (zero-filled on the left if necessary)
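The following listing is an added, constructed example (not from the original article) that ties the four functions together for one stack: the PROFILE.TCPIP statements that name the SAF resources, and the RACF commands that define and permit the matching SERVAUTH profiles. It assumes an MVS system named SYSA, a TCP/IP started task named TCPIP, RACF groups TCPUSERS, INETUSRS and TN3270US, a started-task user ID SMTP, and the NETACCESS/TELNETPARMS syntax of later Communications Server releases; comments after ";" or inside /* */ are annotation.

```text
; ---- PROFILE.TCPIP for started task TCPIP on system SYSA (constructed) ----
NETACCESS INBOUND OUTBOUND
   10.0.0.0/8     INTRANET    ; -> EZB.NETACCESS.SYSA.TCPIP.INTRANET
   DEFAULT 0      WORLD       ; -> EZB.NETACCESS.SYSA.TCPIP.WORLD
ENDNETACCESS

PORT 25 TCP SMTP SAF SMTPPORT  ; -> EZB.PORTACCESS.SYSA.TCPIP.SMTPPORT

TELNETPARMS
   SECUREPORT 992
   CLIENTAUTH SAFCERT          ; -> EZB.TN3270.SYSA.TCPIP.PORT00992
ENDTELNETPARMS

/* ---- RACF commands entered from TSO (constructed group names) ---- */
SETR CLASSACT(SERVAUTH) RACLIST(SERVAUTH) AUDIT(SERVAUTH) GENERIC(SERVAUTH)

/* 1. Stack access: only members of TCPUSERS may issue socket() */
RDEF SERVAUTH EZB.STACKACCESS.SYSA.TCPIP UACC(NONE) AUDIT(FAILURES(READ))
PE EZB.STACKACCESS.SYSA.TCPIP CLASS(SERVAUTH) ID(TCPUSERS) ACCESS(READ)

/* 2. Net access: stack users may reach the intranet, only INETUSRS the rest */
RDEF SERVAUTH EZB.NETACCESS.SYSA.TCPIP.INTRANET UACC(NONE)
PE EZB.NETACCESS.SYSA.TCPIP.INTRANET CLASS(SERVAUTH) ID(TCPUSERS) ACCESS(READ)
RDEF SERVAUTH EZB.NETACCESS.SYSA.TCPIP.WORLD UACC(NONE)
PE EZB.NETACCESS.SYSA.TCPIP.WORLD CLASS(SERVAUTH) ID(INETUSRS) ACCESS(READ)

/* 3. Port access: only the SMTP started-task user ID may bind port 25 */
RDEF SERVAUTH EZB.PORTACCESS.SYSA.TCPIP.SMTPPORT UACC(NONE) AUDIT(ALL(READ))
PE EZB.PORTACCESS.SYSA.TCPIP.SMTPPORT CLASS(SERVAUTH) ID(SMTP) ACCESS(READ)

/* 4. Secure TN3270 port 992: only TN3270US, identified by client certificate */
RDEF SERVAUTH EZB.TN3270.SYSA.TCPIP.PORT00992 UACC(NONE)
PE EZB.TN3270.SYSA.TCPIP.PORT00992 CLASS(SERVAUTH) ID(TN3270US) ACCESS(READ)

/* The class is RACLISTed: none of the above takes effect until refreshed */
SETR RACLIST(SERVAUTH) REFRESH
```

After the refresh, RLIST SERVAUTH EZB.STACKACCESS.SYSA.TCPIP AUTHUSER shows the access list; because a stack-access check with no matching profile permits the call, a misspelled sysname or tcpname in the profile silently disables that control, so check the name against the system's &SYSNAME and the started task name.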

About the Author

Stuart Henderson is a consultant and trainer who specializes in effective EDP audits and computer security. He has helped hundreds of organizations make better use of security software such as RACF, ACF2, and TopSecret. He has also helped these organizations address the technical and organizational issues surrounding cross-platform security. As President of the Henderson Group, he directs a variety of activities in support of the computer security and EDP audit communities. These include: seminars, consulting services, articles, and speeches. He is an experienced system programmer who has earned the Certified Internal Auditor, Certified Management Accountant, and Certified Data Processor designations. His seminars on computer security and audit of: MVS, DB2, RACF, VTAM, and other subjects are taught nationwide. He teaches Certified Information Systems Auditor review courses for the National Capital Area Chapter of the ISACA.

He speaks to groups such as the Computer Security Institute, the DPMA, the ISSA, and the ISACA. Some of his topics have been: "What System Programmers Know that DSOs and EDP Auditors Should (or How I Would Break into Your System and What You Should be Doing to Stop Me)", "What Non-Data Processing Executives Should Know and Do About Computer Security", "Combining VAX/VMS Security with IBM Mainframe Security", and "Tools for Maintaining Single Point of Control for Security". He is founder of the New York RACF Users Group and Editor of its newsletter. His website is at http://stuhenderson.com. He can be reached at (301) 229-7187 or stu@stuhenderson.com.

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282
stu@stuhenderson.com

Copyright ©: 2000, Stuart C. Henderson
Revised - November 27, 2000
URL: http://www.stuhenderson.com