Universal Command Server for IBM i - UACL Example

Universal Command Server for IBM i

The following set of rules permits services for the subnet 10.20.30 and denies all other connections unless an X.509 certificate is presented that maps to certificate ID operations.

ucmd_access     10.20.30.,*,*,allow,auth
ucmd_access     ALL,*,*,deny,auth

ucmd_cert_access  operations,*,allow,auth
ucmd_cert_access  *,*,deny,auth


When no certificate is presented that maps to a certificate ID, the following set of rules effectively permits connections from any host but limits access from host 10.20.30.40 to user TS1004 on that host.

  • No host can execute commands as local user root.
  • User TS1004 on host 10.20.30.40 can execute commands as local user tsup1004 without providing the password.
  • User TS1004 on host 10.20.30.40 can execute commands as any local user by providing the local user password.

When a certificate is presented that maps to a certificate ID, certificate ID joe can request local user ID tsup1004 without a password.

  • Certificate ID joe is allowed to execute commands with any other local user ID with a password.
  • Certificate ID operations cannot run anything.
  • All other certificate IDs can execute commands as any local user ID except root, by providing the password.

ucmd_access     10.20.30.40,TS1004,tsup1004,allow,noauth
ucmd_access     10.20.30.40,TS1004,*,allow,auth
ucmd_access     10.20.30.40,*,*,deny,auth
ucmd_access     ALL,*,root,deny,auth

ucmd_cert_access   joe,tsup1004,allow,noauth
ucmd_cert_access   joe,*,allow,auth
ucmd_cert_access   operations,*,deny,auth
ucmd_cert_access   *,root,deny,auth
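The following small evaluator is an added example (not Stonebranch's own code) for checking what the rule sets on this page decide for a given request before they are deployed. It assumes that rules are tried in the order listed and the first match wins, that `*` and `ALL` match anything, that a host field ending in `.` (such as `10.20.30.`) is an address prefix, and that a request matching no rule is allowed with a password, which is the reading under which the bullet lists above hold.

```python
# Constructed input: the second rule set from this page, in the same format.
RULES = """\
ucmd_access     10.20.30.40,TS1004,tsup1004,allow,noauth
ucmd_access     10.20.30.40,TS1004,*,allow,auth
ucmd_access     10.20.30.40,*,*,deny,auth
ucmd_access     ALL,*,root,deny,auth
ucmd_cert_access   joe,tsup1004,allow,noauth
ucmd_cert_access   joe,*,allow,auth
ucmd_cert_access   operations,*,deny,auth
ucmd_cert_access   *,root,deny,auth
"""

def parse_uacl(text):
    """Split a UACL fragment into ucmd_access and ucmd_cert_access rules."""
    host_rules = []
    cert_rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # blank line or unrelated entry
        keyword, fields = parts[0], tuple(parts[1].split(","))
        if keyword == "ucmd_access" and len(fields) == 5:
            host_rules.append(fields)     # host, remote user, local user, action, auth
        elif keyword == "ucmd_cert_access" and len(fields) == 4:
            cert_rules.append(fields)     # cert ID, local user, action, auth
    return host_rules, cert_rules

def _match(pattern, value):
    """Assumption: '*' and 'ALL' match anything; a trailing '.' is an address prefix."""
    if pattern in ("*", "ALL"):
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def _decide(rules, request):
    """First matching rule wins (assumption); no match -> allowed, password required."""
    for rule in rules:
        if all(_match(p, v) for p, v in zip(rule, request)):
            return rule[-2] == "allow", rule[-1] == "auth"
    return True, True

def check_host(rules, host, remote_user, local_user):
    """Return (allowed, password_required) for a request without a certificate."""
    return _decide(rules, (host, remote_user, local_user))

def check_cert(rules, cert_id, local_user):
    """Return (allowed, password_required) for a request with a mapped certificate ID."""
    return _decide(rules, (cert_id, local_user))
```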
