Configuration of Security - Universal Command Security

Overview

Universal Command access controls consist of the following profile types:

  • Remote Access profiles control Universal Command's access to remote systems.
  • Stdio Access profiles control Universal Command's access to local data sets used as standard input, output or error.

Universal Command Remote Access Profile

The remote access profile controls Universal Command Manager's access to specific remote systems running Universal Agent. A remote system is identified by three values: its IP address, the port number on which the Manager connects to it, and the remote user ID under which the Manager requests the command to be executed.

Universal Command Manager identifies a remote system with the REMOTE_HOST and REMOTE_PORT configuration options, and the remote user ID with the USER_ID configuration option.

The remote access profile has the following format:

UCMD.Iipaddress.Pport.userid


The fields that comprise the profile name are:

ipaddress
    Numeric dotted-form IP address of the remote host as specified by the REMOTE_HOST option. The IP address is formatted as four three-character numeric fields, each zero-padded and representing one number of the address. For example, IP address 256.10.2.123 is formatted as 256010002123.

port
    Numeric port number on which Universal Broker is listening as specified by the REMOTE_PORT option. The default Universal Broker port number is 7887. The port number is formatted as a five-digit, zero-padded number. For example, port 7887 is formatted as 07887.

userid
    Remote user identifier with which Universal Command Manager will execute the remote command as specified by the USER_ID option.

    Whether or not a user identifier is required depends on the Universal Command Server configuration. If no user identifier is specified for the Manager, the userid value is <BLANK>.

    The userid value is upper case. Some remote hosts may have case-sensitive user identifiers, but all user identifiers specified on the Manager are translated to upper case when the profile name is built, so identifiers that differ only in case map to the same profile.

Universal Command Standard I/O Access Profile

The standard I/O (stdio) access profile controls Universal Command Manager's access to data sets allocated for standard I/O. The standard I/O ddnames are UNVIN for standard input, UNVOUT for standard output, and UNVERR for standard error, unless otherwise changed with the SIO_LOCAL_FILE configuration option.

The standard I/O access profile has the following format:

UCMD.stdio.Iipaddress.Pport.allocation


The fields that comprise the profile name are:

stdio
    Standard I/O file the profile applies to. Valid values are:

      • STDIN for the standard input file.
      • STDOUT for the standard output file.
      • STDERR for the standard error file.

ipaddress
    Numeric dotted-form IP address of the remote host as specified by the REMOTE_HOST option. The IP address is formatted as four three-character numeric fields, each zero-padded and representing one number of the address. For example, IP address 256.10.2.123 is formatted as 256010002123.

port
    Numeric port number on which Universal Broker is listening as specified by the REMOTE_PORT option. The default Universal Broker port number is 7887. The port number is formatted as a five-digit, zero-padded number. For example, port 7887 is formatted as 07887.

allocation
    Entity that is allocated to the standard I/O ddname. A number of different items may be allocated to a ddname; the following formats are available:

      • A data set allocation is represented by Ddsn, where dsn is the data set name. For example, a ddname allocation of PROD.APPL.DATA is formatted as DPROD.APPL.DATA.
        • If allocating a PDS and a member name is specified, do not include the member name in the profile name, only the PDS name.
        • If allocating a relative generation data set, do not include the relative number in the profile name, only the GDG name.
      • A JES SYSIN, SYSOUT or SUBSYS= allocation is represented by the value SUBSYS.
      • A temporary data set allocation is represented by the value TEMPORARY.
      • A DUMMY or NULLFILE allocation is represented by the value NULLFILE.
      • A USS path name allocation is represented by Upath, where path is the USS path name. For example, a ddname allocation of /prod/appl/data is formatted as U/prod/appl/data.
        • USS path name support starts at z/OS 1.4. Prior to z/OS 1.4, the path name is not available to format the profile name, and the value used for path in this case is UNKNOWNUSSPATHNAME.
        • USS path names are case sensitive. The Universal Agent class must be defined with the CASE=ASIS parameter to support case-sensitive profile names.

    The maximum length of the profile name is 246 characters, while the maximum length of a USS path name allocated to a ddname is 256 characters, so a long path name may be truncated when the profile name is formatted. Truncation does not result in an error condition.
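The profile-name rules for both the remote access profile and the standard I/O access profile above are mechanical enough to script, and doing so makes it easy to see which profile a given REMOTE_HOST, REMOTE_PORT, USER_ID and ddname allocation will be checked against. The Python below is an added example written for this page, not Stonebranch's code; the function names and the allocation-kind labels (DSN, USS, SUBSYS, TEMPORARY, NULLFILE) are assumptions made here, and data set names are passed through unchanged apart from stripping the parenthesised member or relative-generation suffix.

```python
"""Build Universal Command (UCMD) security profile names from the rules on
this page.  Added example, not Stonebranch's code; the function names and the
allocation-kind labels are assumptions made here."""
from typing import Optional

MAX_PROFILE_LEN = 246  # stated maximum length of a profile name


def format_ip(ip: str) -> str:
    """Four zero-padded three-digit fields: 10.23.90.2 -> 010023090002."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and len(p) <= 3 for p in parts):
        raise ValueError(f"expected a numeric dotted-form IP address, got {ip!r}")
    return "".join(f"{int(p):03d}" for p in parts)


def format_port(port: int) -> str:
    """Five-digit zero-padded port number: 7887 -> 07887."""
    port = int(port)
    if not 0 <= port <= 99999:
        raise ValueError(f"port {port} does not fit in five digits")
    return f"{port:05d}"


def remote_access_profile(remote_host: str, remote_port: int,
                          user_id: Optional[str]) -> str:
    """UCMD.Iipaddress.Pport.userid for the REMOTE_HOST, REMOTE_PORT and
    USER_ID options.  A missing user id becomes <BLANK>; any other id is
    upper-cased, so 'root' and 'Root' on a case-sensitive remote host land on
    the same profile."""
    userid = "<BLANK>" if not user_id else user_id.upper()
    return f"UCMD.I{format_ip(remote_host)}.P{format_port(remote_port)}.{userid}"


def stdio_access_profile(stdio: str, remote_host: str, remote_port: int,
                         alloc_kind: str, name: Optional[str] = None) -> str:
    """UCMD.stdio.Iipaddress.Pport.allocation for one standard I/O ddname.

    alloc_kind is one of the assumed labels DSN, USS, SUBSYS, TEMPORARY or
    NULLFILE; name is the data set name or USS path where one applies."""
    stdio = stdio.upper()
    if stdio not in ("STDIN", "STDOUT", "STDERR"):
        raise ValueError(f"stdio must be STDIN, STDOUT or STDERR, got {stdio!r}")
    if alloc_kind == "DSN":
        # A PDS member or a relative GDG number is a parenthesised suffix;
        # the profile carries only the PDS or GDG base name.
        allocation = "D" + name.split("(", 1)[0]
    elif alloc_kind == "USS":
        # Before z/OS 1.4 the path is not available; the page's placeholder
        # value is used in that case.
        allocation = "U" + (name if name is not None else "UNKNOWNUSSPATHNAME")
    elif alloc_kind in ("SUBSYS", "TEMPORARY", "NULLFILE"):
        allocation = alloc_kind
    else:
        raise ValueError(f"unknown allocation kind {alloc_kind!r}")
    profile = (f"UCMD.{stdio}.I{format_ip(remote_host)}"
               f".P{format_port(remote_port)}.{allocation}")
    # A USS path may run to 256 characters but the profile name stops at 246,
    # so the tail of a long path is silently dropped rather than rejected.
    return profile[:MAX_PROFILE_LEN]


if __name__ == "__main__":
    print(remote_access_profile("10.23.90.2", 7887, "root"))
    print(remote_access_profile("10.23.90.2", 7887, None))
    print(stdio_access_profile("STDIN", "10.23.90.2", 7887, "DSN", "PROD.APPL.DATA(JOB1)"))
    print(stdio_access_profile("STDOUT", "10.23.90.2", 1000, "USS", "/prod/appl/data"))
```

Two consequences worth checking with this are the ones the page only hints at: because the user ID is upper-cased, distinct case-sensitive remote accounts collapse onto one profile, and because a long USS path is cut at the 246-character limit, two paths that agree up to the truncation point produce the same profile name and are therefore governed by the same access decision.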

Universal Command Security Profile Definitions

These examples illustrate sample RACF commands that can be used to define Universal Command security profiles and permit z/OS user identifiers access to those profiles. Refer to the IBM RACF documentation for complete details on RACF commands.

Example 1

Assume that you want to restrict Universal Command Manager for z/OS access to remote host 10.23.90.2. The following profile would restrict access to only those z/OS users who have read access to the profile UCMD.I010023090002.*.*.

The following TSO commands define the required profile and permit access to TSO user TSO555.

RDEF $UNV (UCMD.I010023090002.*.*) UACC(NONE)
PE UCMD.I010023090002.*.* CLASS($UNV) ID(TSO555) ACCESS(READ)

Example 2

Assume that you run all Universal Brokers on privileged port 1000. To enforce the policy that z/OS Managers connect only to port 1000, define profile UCMD.*.*.* with universal access none and define UCMD.*.P01000.* with universal access read.

The following TSO commands define the required profiles.

RDEF $UNV (UCMD.*.*.*) UACC(NONE)
RDEF $UNV (UCMD.*.P01000.*) UACC(READ)

Example 3

Assume that you want to restrict root access to all hosts from Universal Command Manager for z/OS. The following profile would restrict root access to only those z/OS users who have read access to the profile UCMD.*.*.ROOT.

The following TSO command defines the required RACF profile.

RDEF $UNV (UCMD.*.*.ROOT) UACC(NONE)

Example 4

Assume that you want to restrict Universal Command Manager access to data sets PROD.*. You also do not want Universal Command Manager to use any temporary data sets. The following profiles would restrict access to only those z/OS users who have read access to the profiles.

The following TSO commands define the required RACF profiles.

RDEF $UNV (UCMD.STD*.*.*.DPROD.**) UACC(NONE)
RDEF $UNV (UCMD.STD*.*.*.TEMPORARY) UACC(NONE)
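The four examples above overlap: a single request, such as a root command on port 1000 to host 10.23.90.2, is matched by several of these generic profiles, and RACF checks access against only the most specific matching one. The Python below is an added example written for this page, not IBM's or Stonebranch's code, that models that selection for the profiles from Examples 1 to 4 loaded together. The matching rules are an assumed simplification of RACF generic naming for the $UNV class: ** matches zero or more qualifiers, a qualifier consisting only of * matches exactly one qualifier, * inside a qualifier matches zero or more characters, % matches one character, and when several profiles match, the one whose first differing character is least generic (a literal over %, % over *) wins. The rule table and the user IDs other than TSO555 are constructed for the example.

```python
"""Model which RACF generic profile in the $UNV class protects a Universal
Command request, and what access a user ends up with.  Added example, not
IBM's or Stonebranch's code: the matching and specificity rules are an
assumed simplification of RACF generic naming, and the rule table below is
constructed from Examples 1 to 4 on this page."""
import re
from itertools import zip_longest
from typing import Dict, Optional

# Constructed: the profiles from Examples 1 to 4 loaded into one class, with
# the universal access and the PERMIT entries each example defines.
RULES: Dict[str, dict] = {
    "UCMD.I010023090002.*.*": {"uacc": "NONE", "permits": {"TSO555": "READ"}},
    "UCMD.*.*.*": {"uacc": "NONE", "permits": {}},
    "UCMD.*.P01000.*": {"uacc": "READ", "permits": {}},
    "UCMD.*.*.ROOT": {"uacc": "NONE", "permits": {}},
    "UCMD.STD*.*.*.DPROD.**": {"uacc": "NONE", "permits": {}},
    "UCMD.STD*.*.*.TEMPORARY": {"uacc": "NONE", "permits": {}},
}


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Within one qualifier, '*' matches zero or more characters and '%'
    exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, qualifier) is not None


def _match(patterns, qualifiers) -> bool:
    if not patterns:
        return not qualifiers
    head, rest = patterns[0], patterns[1:]
    if head == "**":  # zero or more whole qualifiers
        return any(_match(rest, qualifiers[i:]) for i in range(len(qualifiers) + 1))
    return (bool(qualifiers) and _qualifier_matches(head, qualifiers[0])
            and _match(rest, qualifiers[1:]))


def profile_covers(profile: str, resource: str) -> bool:
    """True if the generic profile name matches the resource name."""
    return _match(profile.split("."), resource.split("."))


_RANK = {"*": 0, "%": 1, "": 2}  # end of name ranks above '*'; literals rank 3


def _more_specific(a: str, b: str) -> bool:
    """Assumed RACF rule: compare left to right; at the first difference the
    less generic character wins."""
    for ca, cb in zip_longest(a, b, fillvalue=""):
        if ca != cb:
            return _RANK.get(ca, 3) > _RANK.get(cb, 3)
    return False


def best_profile(rules: Dict[str, dict], resource: str) -> Optional[str]:
    """The most specific profile covering the resource, or None if none does."""
    best = None
    for name in rules:
        if profile_covers(name, resource) and (best is None or _more_specific(name, best)):
            best = name
    return best


def effective_access(rules: Dict[str, dict], resource: str, user: str) -> Optional[str]:
    """Access the user gets from the governing profile: an explicit PERMIT
    entry first, otherwise the profile's UACC.  None means no profile in the
    table protects the resource; what happens then is not modelled here."""
    name = best_profile(rules, resource)
    if name is None:
        return None
    rule = rules[name]
    return rule["permits"].get(user, rule["uacc"])


if __name__ == "__main__":
    for resource in ("UCMD.I010023090002.P07887.USER1",
                     "UCMD.I192168001005.P01000.ROOT",
                     "UCMD.STDIN.I010023090002.P07887.DPROD.APPL.DATA"):
        print(resource, "->", best_profile(RULES, resource),
              effective_access(RULES, resource, "TSO555"))
```

Under this model the Example 3 profile UCMD.*.*.ROOT does not govern a root request on port 1000, because UCMD.*.P01000.* differs from it at an earlier position and is therefore the more specific match, and it grants READ through its UACC; likewise the host-specific Example 1 profile outranks every UCMD.*.*.* style profile for host 10.23.90.2. Layered generic profiles therefore have to be reviewed as a set rather than one example at a time, and the conclusions of this model should be confirmed against the live RACF database (for instance with RLIST) before anyone relies on them.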