Telnet can be used in a multilevel secure environment that uses security
labels. For more information about preparing for IP networking in
a multilevel secure environment, see Preparing for IP networking in a multilevel secure environment and z/OS Planning for Multilevel Security and the
Common Criteria. To ensure correct security label comparisons,
Network Access Control (NAC) must also be active for Telnet. For more
information about NAC, see Network Access Control.
If multilevel security is active, Telnet ensures that the security label
of the LU selected for a connection is compatible with the security label of the client.
- Telnet retrieves the security label of the client when the connection
is accepted.
- Telnet assigns a security label to each LUGROUP based on a single LU
name in the group: the first single LU name in the group is used.
If the group contains no single LU names, the first LU name within the first LU
range is used.
- If multilevel security is active, an LUGROUP that uses an EXIT is still required
to have at least one LU name in the group. That LU name is used to
obtain the security label for the group. The name is passed to the exit
in the parameter list and can be used or ignored by the exit.
- A single LU name on a mapping statement is treated as an LUGROUP
with one LU name. That LU name is used to obtain the security label
for the LUGROUP created by Telnet.
When multilevel security is active, LU lookup uses the following
process:
- The security label of the client is compared with that of the
mapped LUGROUP. If the labels are compatible, Telnet searches for an
available LU in the group. If they are not compatible, the LUGROUP is skipped.
- Telnet retrieves the security label of the selected LU and compares
it with the security label of the LUGROUP. If the selected LU is not
compatible with the LUGROUP, the LU is deactivated and no other LU
in that group is tried for this lookup.
- If the LUGROUP was not compatible, no LU was available, or the selected
LU was deactivated, the steps are repeated for the next mapped LUGROUP
until an LU is found or all mapped LUGROUPs have been checked.
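The group-label derivation and the lookup procedure above are easier to reason about as a small model. The following Python is an added example, not z/OS Communications Server code. Everything in it is an assumption for illustration: the page does not define "compatible", so the client-versus-LUGROUP test is modelled as label dominance (level and category set) and the LU-versus-LUGROUP test as label equality; the LU range syntax NAME0001..NAME0003, the LU names, the labels and the mapping order are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed model, not z/OS code. A security label is modelled as a
# hierarchical level plus a set of categories (assumption: the page does
# not define "compatible"; dominance is used for the client-vs-group test
# and exact equality for the LU-vs-group test).
@dataclass(frozen=True)
class SecLabel:
    level: int
    categories: frozenset

    def dominates(self, other: "SecLabel") -> bool:
        return self.level >= other.level and self.categories >= other.categories


def client_compatible(client: SecLabel, group: SecLabel) -> bool:
    """Assumption: a client may use a group whose label it dominates."""
    return client.dominates(group)


def lu_compatible(lu: SecLabel, group: SecLabel) -> bool:
    """Assumption: an LU must carry the same label as its group."""
    return lu == group


# LU range syntax NAME0001..NAME0010 (assumed for this model).
RANGE_RE = re.compile(r"^([A-Z0-9@#$]+?)(\d+)\.\.([A-Z0-9@#$]+?)(\d+)$")


def expand(entry: str) -> list:
    """Expand one LUGROUP entry: a single LU name or a range."""
    m = RANGE_RE.match(entry)
    if m is None:
        return [entry]
    prefix, start, prefix2, end = m.groups()
    if prefix != prefix2 or len(start) != len(end):
        raise ValueError(f"malformed LU range: {entry}")
    width = len(start)
    return [f"{prefix}{n:0{width}d}" for n in range(int(start), int(end) + 1)]


def group_label_name(entries: list) -> str:
    """LU whose label becomes the group label: the first single LU name,
    else the first name of the first range (as the page describes)."""
    for e in entries:
        if RANGE_RE.match(e) is None:
            return e
    for e in entries:
        if RANGE_RE.match(e) is not None:
            return expand(e)[0]
    raise ValueError("LUGROUP contains no LU names")


def lookup_lu(client, mapped_groups, lu_labels, in_use, deactivated):
    """Walk the mapped LUGROUPs in order and return the assigned LU name,
    or None. in_use and deactivated are mutated to model Telnet state."""
    for entries in mapped_groups:
        group_label = lu_labels[group_label_name(entries)]
        if not client_compatible(client, group_label):
            continue                       # group skipped, try next mapping
        candidates = (lu for e in entries for lu in expand(e))
        chosen = next((lu for lu in candidates
                       if lu not in in_use and lu not in deactivated), None)
        if chosen is None:
            continue                       # no available LU in this group
        if not lu_compatible(lu_labels[chosen], group_label):
            deactivated.add(chosen)        # LU deactivated, group abandoned
            continue
        in_use.add(chosen)
        return chosen
    return None


def simulate(client_labels, mapped_groups, lu_labels):
    """Run successive lookups against fresh state; returns (assignments,
    deactivated LUs)."""
    in_use, deactivated = set(), set()
    assignments = [lookup_lu(c, mapped_groups, lu_labels, in_use, deactivated)
                   for c in client_labels]
    return assignments, deactivated


# Constructed sample configuration (not from any real profile).
SECRET = SecLabel(3, frozenset({"PROJ"}))
CONF = SecLabel(2, frozenset({"PROJ"}))
CONF_NOCAT = SecLabel(2, frozenset())

LU_LABELS = {                      # labels Telnet would retrieve per LU
    "TCPS0001": SECRET, "TCPS0002": SECRET, "TCPS0003": SECRET,
    "TCPC0001": CONF, "TCPC0002": SECRET,   # TCPC0002 is mislabelled
    "TCPC0003": CONF,
    "TCPM0001": CONF,
}

MAPPED_GROUPS = [
    ["TCPS0001..TCPS0003"],                 # label taken from TCPS0001
    ["TCPC0001", "TCPC0002..TCPC0003"],     # label taken from TCPC0001
    ["TCPM0001"],                           # single LU on a mapping statement
]

if __name__ == "__main__":
    got, dead = simulate([CONF, CONF, CONF, SECRET, CONF_NOCAT],
                         MAPPED_GROUPS, LU_LABELS)
    print(got, sorted(dead))
```

Running the sample walks through every branch of the procedure: the first client is given TCPC0001; the second finds TCPC0001 in use, selects the mislabelled TCPC0002, which is deactivated, abandons that group and falls through to the single-LU mapping TCPM0001; the third client returns to the same group and gets TCPC0003, showing that deactivation is per LU, not per group; the SECRET client is served from the first group; a client lacking the PROJ category matches no group and receives no LU. The practical point is that the group label is derived from one LU, so every LU in a group must carry the same label, or it will be deactivated the first time it is selected rather than silently assigned to a client.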