Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace z/OS
Created by Guest
Created on Aug 16, 2012

Enhance SERVAUTH class to control use of Remote Execution (REXECD, RSHD, REXEC, RSH, orexecd, orshd, orexec, orsh) for PCI

I would like SAF checks added for the SERVAUTH class to RACF control who can use Remote Execution (REXECD, RSHD, REXEC, RSH, orexecd, orshd, orexec, orsh) tcpip applications.

This is in response to our PCI auditors that are requiring we have external security control over them. Simply turning them off is not enough.

Idea priority Urgent
  • Guest
    Reply
    |
    Dec 7, 2020

    This item is not in our plans but is being kept in our backlog.

  • Guest
    Reply
    |
    Nov 19, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - z Systems Software
    Product - z/OS Communications Server

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Enterprise Networking
    Product - z/OS Communications Server

  • Guest
    Reply
    |
    Oct 18, 2012

    This requirement will be accepted as an uncommitted candidate, but if it was implemented, the likely direction would be the broader implementation discussed in the above comment thread.

  • Guest
    Reply
    |
    Sep 20, 2012

    Joel, after our e-mail exchange and some internal discussions, I don't believe that what you've proposed is a complete solution.   The reason is that such a SERVAUTH resource would only protect the actual rsh, rexec, etc. executables that ship with Comm Server.   However, since the protocols for (as well as source code implementations of) these commands are publicly available, it would be a relatively small effort for a user to just implement their own version of any of these commands for use on z/OS.   Such implementations would completely bypass the SERVAUTH checks that would be built into the IBM-supplied commands.   

    A more complete solution would be to put RACF controls on the ability for a z/OS userid to establish an outbound connection to a given remote port.  This could be done globally or it could be done so you could scope the controls to a specific set of remote IP addresses.  However, such a solution would again involve configuration beyond just RACF.   

    Please let me know your reaction to  these observations and whether the more generalized solution is something you would be likely to use.

  • Guest
    Reply
    |
    Sep 20, 2012

    Joel responded to the above question via e-mail.  The following summarizes his answer:

    For Joel's needs, using the PORTACCESS resource in the SERVAUTH class adds too much complexity because of health checking.  Specifically, Joel has to collect a significant amount of verification data on a somewhat regular basis for his PCI auditors.  Given the volume of information to be collected, he would prefer to have a single point of control for enforcement and reporting - he sees that single point of control as RACF.  If PORTACCESS is part of the solution, then he must also snapshot the TCPIP PROFILE and provide correlation information between the RACF ACLs and the related PORTACCESS statements in the profile.

    Based on this, Joel would prefer a SERVAUTH profile that secures any use of RSH and REXEC for the client or daemon as well.

  • Guest
    Reply
    |
    Aug 30, 2012

    Have you looked at using the PORTACCESS resource in the SERVAUTH class to protect access to the server-side applications here?  That essentially controls which users can bind to the the listening socket for the given application.   Granted, that does not address the client-side apps, but please let me know if PORTACCESS meets your needs for the server-side applications.  If so, then we can narrow the scope of this requirement to rexec, rsh, orexec and orsh.