z/OS Installation - TCP/IP Configuration

Overview

This page describes optional Universal Agent and TCP/IP configuration topics. Whether these steps are required or desirable depends on your local TCP/IP configuration.

Specifying TCP/IP Affinity

Universal Agent programs are considered generic client and server programs in IBM's TCP/IP terminology. They do not have an affinity for a specific transport provider (TCP/IP started task). The programs will utilize the appropriate transport provider based on TCP/IP configuration.

An affinity to a specific transport provider can be established for any Universal Agent program using the Language Environment variable _BPXK_SETIBMOPT_TRANSPORT. The variable value specifies the name of the TCP/IP started task that the program must use as its transport provider.

The JCL illustration below establishes affinity to TCP/IP started task TCPIPA:


TCP/IP Resource Protection

The IBM TCP/IP product (Communications Server) offers optional protection to TCP/IP resources using SAF interfaces. The protection is implemented with a set of resource profiles defined in the SERVAUTH class.

If you are using TCP/IP resource protection, you must permit the appropriate access to the user profiles with which Universal Agent executes. Refer to the IBM Communications Server: IP Configuration Guide for complete details on TCP/IP resource protection. The TCP/IP resource profiles and the access that Universal Agent requires are discussed in the following sections.

Stack Access Control

The SAF resource profile EZB.STACKACCESS.sysname.tcpname in the SERVAUTH class controls which user profiles have access to a TCP/IP stack. All user profiles with which Universal Agent executes require READ access to the appropriate TCP/IP stack access profile.

Port Access Control

The SAF resource profile EZB.PORTACCESS.sysname.tcpname.SAF keyword in the SERVAUTH class, where the final qualifier is the SAF keyword value, controls access to specific non-ephemeral port ranges.

The Universal Broker binds to a service port (defaults to 7887). The user profile with which the Universal Broker started task executes requires READ access to any resource that protects this port.

The Universal Enterprise Controller binds to a service port (defaults to 8778). The user profile with which the Universal Enterprise Controller started task executes requires READ access to any resource that protects this port.

Network Access Control

The SAF resource profile EZB.NETACCESS.sysname.tcpname.zonename in the SERVAUTH class controls access to security zones. A security zone defines networks and hosts by IP address. All user profiles with which Universal Agent executes require READ access to the appropriate TCP/IP security zones profile.

Socket Option Access Control

The SAF resource profile EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST in the SERVAUTH class controls access to the socket SO_BROADCAST option.

No Universal Agent programs use the SO_BROADCAST socket option, so no user profiles require access.
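
The READ access described in the Stack, Port and Network Access Control sections can be granted and then reviewed with a short REXX exec. This is an added example, not taken from the product documentation. It assumes RACF is the SAF security product and that the profiles already exist as discrete profiles; the system name, zone name, SAF keywords and user IDs are constructed placeholders.

```rexx
/* REXX: added example, not vendor code. Every value set below is a    */
/* constructed placeholder; substitute your installation's names.      */
sysname = 'SYSA'              /* MVS system name (assumed)             */
tcpname = 'TCPIPA'            /* TCP/IP started task name              */
zone    = 'ZONEA'             /* NETACCESS security zone (assumed)     */
ubrport = 'UBRPORT'           /* SAF keyword protecting port 7887      */
uecport = 'UECPORT'           /* SAF keyword protecting port 8778      */
broker  = 'UBROKER'           /* Universal Broker STC user (assumed)   */
uec     = 'UECSTC'            /* Enterprise Controller STC user (asm.) */
others  = 'BATCHUSR'          /* other IDs that run Universal Agent    */

allusers = broker uec others
grant.0 = 0
/* Stack and network zone: every Universal Agent user needs READ.      */
call queue_grant 'EZB.STACKACCESS.'sysname'.'tcpname, allusers
call queue_grant 'EZB.NETACCESS.'sysname'.'tcpname'.'zone, allusers
/* Ports: only the started task that binds the port needs READ.        */
call queue_grant 'EZB.PORTACCESS.'sysname'.'tcpname'.'ubrport, broker
call queue_grant 'EZB.PORTACCESS.'sysname'.'tcpname'.'uecport, uec

address TSO
failed = 0
do i = 1 to grant.0
  parse var grant.i profile users
  "PERMIT" profile "CLASS(SERVAUTH) ID("users") ACCESS(READ)"
  if rc <> 0 then do          /* e.g. profile not defined as named     */
    say 'PERMIT failed rc='rc 'for' profile
    failed = 1
  end
end
if failed then exit 8
/* If SERVAUTH is RACLISTed, refresh so the changes take effect.       */
"SETROPTS RACLIST(SERVAUTH) REFRESH"
/* List the access list of each profile to review who holds access.    */
do i = 1 to grant.0
  parse var grant.i profile .
  "RLIST SERVAUTH" profile "AUTHUSER"
end
exit 0

queue_grant: procedure expose grant.
  parse arg profile, users
  n = grant.0 + 1
  grant.n = profile users     /* profile name, then the user IDs       */
  grant.0 = n
  return
```

Reviewing the RLIST output also shows whether any ID outside the Universal Agent set holds access to the port profiles, which is worth checking before the change is accepted.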