F1REWALL

Function

This exit will turn your VTAM into a firewall which will allow or reject sessions being setup. All session related info must be defined in a separate RACF class.

Defining ISTEXCAA to the system

Simply assemble and link the ISTEXCAA exit into your VTAM loadlibray.

Add the F1REWALL class to the RACF class descriptor table (ICHRRCDE)

Add the F1REWALL class to the SAF router (ICHRFR01)

Re-IPL your system (Yes, unfortunately this is still required to add RACF classes)

Using the F1REWALL

The best way to start using the F1REWALL is to first activate the F1REWALL class (SETR CLASSACT(F1REWALL) GENERIC(F1REWALL) GENCMD(F1REWALL) RACLIST(F1REWALL)
In order to tell VTAM to re-initialize the exit, issue MODIFY NET,EXIT,ID=ISTEXCAA,OPTION=REPL (This is only nessesary when activating/deactivating the F1REWALL class. The exit will RACLIST the profiles upon initialization)
The exit will now issue messages indicating that sessions are being 'allowed' this means that there are no suitable profiles found to either grant or reject session setup.
Once a profile exists, and the sessions are allowed, the messages will disappear. Rejected sessions will always generate a message.

RACF profiles

The basic profile format is:

primnet.plu.secnet.slu

If userid '*' has access to the profile, or the profile has uacc(read) (recommended) then session setup is allowed.
If the session setup is not allowed by means of the profile, and the session setup is the result of a CLSDST PASS, then an additional check may grant access. Profile

primnet.plu.secnet.slu.initnet.ilu

is checked and if this profile exists and access is granted, then session setup will be allowed.
This may be used to only allow network access through the use of specific VTAM monitors (such as TPX, NVAS, NetMaster or any other).

DOWNLOAD

Sourcecode is distributed in distribution file istexcaa.zip (IEBUPDTE format)