RESTRICTAPPL

In addition to the ALLOWAPPL statement, Telnet provides more restrictive access to applications. The RESTRICTAPPL statement requires the user to enter a valid user ID and password before the application name is used to initiate a session. Specify the PASSWORDPHRASE parameter statement in the Telnet configuration to expand the password length limit on the solicitor screen; with that option, the user can enter either a password or a password phrase.

The user ID specified can be any valid user ID and does not need to be related to the user ID specified for the application. If you code the CERTAUTH option on the RESTRICTAPPL statement, the user does not need to supply a user ID if a client certificate is received and a user ID is derived from the client certificate. In this case, if the user ID derived from the client certificate matches a user ID on the RESTRICTAPPL statement, Telnet immediately initiates a session and does not request a password or password phrase from the user.

For example, use the following statement to allow users USER1, USER2, USER3, USER4, and USER5 access to the PAYROLL application. At the solicitor screen, the user enters USER1, their password or password phrase, and the PAYROLL application name. Telnet verifies that USER1 and the password or password phrase are valid and then immediately initiates a session with PAYROLL.

RESTRICTAPPL PAYROLL
   USER USER1
   USER USER2
   USER USER3
   USER USER4
   USER USER5

Like ALLOWAPPL, the application name can contain a wildcard by using an asterisk (*). The USER value can also contain a wildcard by using an asterisk. Telnet uses the user ID and password or password phrase combination only to verify the password or password phrase given for that user ID; the application never uses them. No matter how the application name request arrived at the server (from DEFAULTAPPL or USSMSG10), Telnet uses the solicitor screen to prompt for the user ID and password or password phrase. After the user ID is validated and a password or password phrase is obtained, Telnet submits the user ID and password or password phrase pair for authorization to a security program such as RACF®. This check authorizes the client to connect to the application through Telnet.

The application itself might also ask for a user ID and password or password phrase pair, which can be completely different from the pair entered at the Telnet solicitor screen; the pair entered at the Telnet solicitor screen is not passed to the host application. The user ID and password or password phrase pair is solicited only after the user enters an application name on the solicitor (or USSMSG10) screen. If a second application is reached through the original application using CLSDST-PASS, the second application is verified and Telnet solicits a new user ID and password or password phrase pair if necessary.

When searching for a match with the input application name, Telnet finds the most specific match, whether it is on the ALLOWAPPL or the RESTRICTAPPL statement. If both statements specify the same name, the RESTRICTAPPL entry is used. For example, TSO has its own user ID and password or password phrase requirement and probably does not need the additional Telnet security check, while the Telnet security check may be needed for all other applications. The following statements support this example.

RESTRICTAPPL *
   USER *
ALLOWAPPL TSO*
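The following Python model, added here and not part of IBM's Telnet code, illustrates the selection rules described above: the most specific ALLOWAPPL or RESTRICTAPPL match wins, RESTRICTAPPL wins a tie, and a CERTAUTH entry skips the solicitor prompt when the certificate-derived user ID is on the USER list. It assumes that "most specific" means the longest literal text before a trailing asterisk, and it does not model RACF itself; the `RestrictAppl`, `select_entry` and `decide` names are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RestrictAppl:
    name: str        # application name or trailing-asterisk wildcard
    users: tuple     # USER entries; "*" matches any user ID
    certauth: bool = False

def match_len(pattern, value):
    """Literal characters matched by a name or trailing-* wildcard; None if no match."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return len(prefix) if value.startswith(prefix) else None
    return len(pattern) if pattern == value else None

def select_entry(allowappl, restrictappl, appl):
    """Most specific entry across both statement types; RESTRICTAPPL wins a tie (assumed measure)."""
    best = None  # (specificity, statement, entry)
    for pattern in allowappl:
        m = match_len(pattern, appl)
        if m is not None and (best is None or m > best[0]):
            best = (m, "ALLOWAPPL", pattern)
    for entry in restrictappl:
        m = match_len(entry.name, appl)
        if m is not None and (best is None or m >= best[0]):
            best = (m, "RESTRICTAPPL", entry)
    return best

def user_listed(entry, userid):
    """True if userid matches one of the entry's USER values."""
    return any(match_len(u, userid) is not None for u in entry.users)

def decide(allowappl, restrictappl, appl, cert_userid=None):
    """SESSION: start without a Telnet check; SOLICITOR: prompt for user ID and
    password/password phrase; NO_ENTRY: nothing matched (not covered by the page)."""
    best = select_entry(allowappl, restrictappl, appl)
    if best is None:
        return "NO_ENTRY"
    _, statement, entry = best
    if statement == "ALLOWAPPL":
        return "SESSION"
    # CERTAUTH: a listed user ID derived from the client certificate skips the password prompt.
    if entry.certauth and cert_userid is not None and user_listed(entry, cert_userid):
        return "SESSION"
    return "SOLICITOR"

# Constructed sample configuration: the page's second example plus a CERTAUTH PAYROLL entry.
ALLOWAPPL = ("TSO*",)
RESTRICTAPPL = (RestrictAppl("*", ("*",)),
                RestrictAppl("PAYROLL", ("USER1", "USER2", "USER3", "USER4", "USER5"), certauth=True))
```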