UCMD_REQUEST - UCMD UACL Entry

Owned by Stonebranch (Deactivated)
Feb 06, 2023
2 min read

Description

A UCMD_REQUEST UACL entry allows or denies access to Universal Command Server services based on client identification and request type.

If access is permitted, the UCMD_REQUEST also specifies whether or not user authentication is required.


There are two forms of the UCMD_REQUEST entry based on the client identification method:

  • ucmd_request form is for IP-based client identification.
  • ucmd_cert_request is for X.509 certificate-based client identification.


A ucmd_request UACL entry is matched if all of the following occur:

  • Request comes from an IP address identified by host.
  • Remote end is executing as user remote_user.
  • Remote user is requesting to execute a command as local user local_user.


A ucmd_cert_request UACL entry is matched if both of the following occur:

  • Request comes from a client with a certificate identifier of certid.
  • Remote user is requesting to execute a command as local user local_user.


The first matching rule is used to control access.

Usage

Method

Syntax

IBM i

UNIX

Windows

z/OS

UACL File Keyword

ucmd_request host,remote_user,local_user,req_type,req_name,access,auth

(tick)

(tick)

(tick)

(tick)

UACL File Keyword

ucmd_cert_request certid,local_user,req_type,req_name,access,auth

(tick)

(tick)

(tick)

(tick)

Values

req_type

req_type specifies the type of request that the Universal Command Manager is requesting.

Valid values for req_type are:

Value

Description

IBM i

Windows

UNIX

z/OS

cmd

IBM i command (may be user-defined).

(tick)




rexx

Single line consisting entirely of REXX statements (maximum 1000 bytes).

(tick)




cmdref

Request is for the execution of a command reference.

  • req_name is the command reference name, which is case insensitive.
     

    UNIX

    req_name is case sensitive.

(tick)

(tick)

(tick)

(tick)

shell

Request is for the execution of a shell command or shell script:

  • For a shell command, req_name is the name of the command.
  • For a shell script, req_name is empty.


(tick)

(tick)

(tick)

stc

Request is for the execution of a started task.

  • req_name is the started task command, which is case insensitive.




(tick)

req_name

req_name further qualifies the request by its specified name.

Valid values for req_name depend on the req_type value.

req_name includes any options provided by the Universal Command Manager.

For Example

ucmd -c "cmd3 o1 o2" -cmd_type cmdref ...

This command will not match the following UACL entry:

ucmd_request ALL,*,*,cmdref,cmd3,allow,auth

Since the options o1 and o2 are part of the request name field, the UACL entry must be written as:

ucmd_request "ALL,*,*,cmdref,cmd3*,allow,auth"

access

Valid values for access are:

  • deny
    Service is denied. A message is returned to the remote end. The connection is closed.
  • allow
    Service is accepted and processed.

auth

Valid values for auth are:

  • auth
    Local user account must be authenticated. The Manager must provide a proper user ID and password.

  • noauth
    Local user account does not require user authentication. The Manager still must supply a password to satisfy command syntax rules, but it will not be verified. Any password value will suffice.
     

    Note

    noauth should be used with care. Turning off user authentication may violate your local security policies on the Server system.

    Windows

    noauth is not a valid value.


See UACL Entries for details on host, remote_user, local_user, and certid specification syntax.