z/OS Security Server RACF System Programmer's Guide

Setting up your system to use APPC/MVS and VTAM

SA23-2287-00

This document assumes that you have a basic understanding of VTAM® and APPC/MVS. For information about configuring VTAM and implementing APPC/MVS, see z/OS MVS Initialization and Tuning Guide and z/OS MVS Planning: APPC/MVS Management. See also RACF Version 2 Release 2 Technical Presentation Guide and RACF Version 2 Release 2 Installation and Implementation Guide.

When you define an RRSF node that uses the APPC protocol, you specify the LU name of the node on the TARGET command. The LU must be defined to VTAM on the node being TARGETed. LUs are defined through the LUADD statement in the APPCPMxx member of SYS1.PARMLIB. The LUs that you define for RRSF must be NOSCHED LUs.

Guideline: Protect the information flowing between RRSF nodes by specifying VERIFY=REQUIRED on the APPC LU (ACB) definitions in the SYS1.VTAMLST library concatenation.

If you specify VERIFY=REQUIRED, then to obtain proper RACF® protection you must activate the APPCLU class and must code the parameter CONVSEC(ALREADYV) on the profiles in this class. The SETROPTS command issued to activate the APPCLU class should specify:

    SETROPTS CLASSACT(APPCLU) +
             GENERIC(APPCLU)  +
             AUDIT(APPCLU)

You must create RACF profiles to protect the APPC resources. For example, assume a network with two nodes, MVS1 and MVS2. Node MVS1 needs a profile similar to the following for completion of the VERIFY=REQUIRED setup:

    RDEFINE APPCLU netid.locallu.partnerlu UACC(NONE) +
         SESSION(SESSKEY(session-key) CONVSEC(ALREADYV))

or, if you have VTAM configured with network-qualified names on (NQNAMES=YES):

    RDEFINE APPCLU localnetid.locallu.partnernetid.partnerlu UACC(NONE) +
         SESSION(SESSKEY(session-key) CONVSEC(ALREADYV))

You get the netid or localnetid value in the RDEFINE command from the NETID keyword in the VTAM ATCSTRxx SYS1.VTAMLST member. The profile for node MVS1 might look like this:

    RDEFINE APPCLU NET1.RM41MVS1.RM42MVS1 UACC(NONE) +
         SESSION(SESSKEY(session-key) CONVSEC(ALREADYV))

Node MVS2 needs a profile similar to the following to define the LU-LU relationship from its perspective:

    RDEFINE APPCLU NET1.RM42MVS1.RM41MVS1 UACC(NONE) +
         SESSION(SESSKEY(session-key) CONVSEC(ALREADYV))

The SESSKEY value in the RDEFINE commands for MVS1 and MVS2 must be identical.

For RRSF, you must specify CONVSEC(ALREADYV) on the RDEFINE for the APPCLU resources.
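
The pairing rules above (mirrored profile names, identical SESSKEY, CONVSEC(ALREADYV), UACC(NONE)) can be checked offline before the commands are issued on each node. The following Python sketch is an added example, not part of the IBM guide or of RACF; the function names and the session key value EXAMPLE1 are constructed for illustration.

```python
import re

def parse_rdefine(cmd):
    """Parse one RDEFINE APPCLU command; TSO '+' line continuations are joined."""
    text = " ".join(l.strip().rstrip("+").strip() for l in cmd.strip().splitlines())
    m = re.match(r"RDEFINE\s+APPCLU\s+(\S+)", text, re.I)
    if not m:
        raise ValueError("not an RDEFINE APPCLU command")
    def kw(name):
        k = re.search(name + r"\(([^()]*)\)", text, re.I)
        return k.group(1).strip() if k else None
    return {"name": m.group(1).upper(), "uacc": kw("UACC"),
            "sesskey": kw("SESSKEY"), "convsec": kw("CONVSEC")}

def mirror(name):
    """Profile name as the partner node must define it."""
    q = name.split(".")
    if len(q) == 3:   # netid.locallu.partnerlu
        return ".".join([q[0], q[2], q[1]])
    if len(q) == 4:   # localnetid.locallu.partnernetid.partnerlu (NQNAMES=YES)
        return ".".join([q[2], q[3], q[0], q[1]])
    raise ValueError("unexpected APPCLU profile name: " + name)

def check_pair(cmd_a, cmd_b):
    """Return findings for the two nodes' profiles; an empty list means consistent."""
    a, b = parse_rdefine(cmd_a), parse_rdefine(cmd_b)
    findings = []
    for p in (a, b):
        if (p["uacc"] or "").upper() != "NONE":
            findings.append(p["name"] + ": UACC is not NONE")
        if (p["convsec"] or "").upper() != "ALREADYV":
            findings.append(p["name"] + ": CONVSEC(ALREADYV) missing")
        if not p["sesskey"]:
            findings.append(p["name"] + ": no SESSKEY")
    if b["name"] != mirror(a["name"]):
        findings.append("profile names are not mirror images: expected " + mirror(a["name"]))
    if a["sesskey"] != b["sesskey"]:
        findings.append("SESSKEY values differ")  # key values are never echoed
    return findings

# Constructed sample input: the page's MVS1/MVS2 profiles with a made-up key.
MVS1 = """RDEFINE APPCLU NET1.RM41MVS1.RM42MVS1 UACC(NONE) +
     SESSION(SESSKEY(EXAMPLE1) CONVSEC(ALREADYV))"""
MVS2 = """RDEFINE APPCLU NET1.RM42MVS1.RM41MVS1 UACC(NONE) +
     SESSION(SESSKEY(EXAMPLE1) CONVSEC(ALREADYV))"""

if __name__ == "__main__":
    print(check_pair(MVS1, MVS2) or "profiles are consistent")
```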

The RACF subsystem address space becomes an APPC/MVS server. It does this by registering through the Register_For_Allocates service of the APPC/MVS API. During the registration process, APPC/MVS uses RACF to determine if the caller is authorized to assume the server role for the requested transaction program. If the registration is successful, then APPC/MVS creates an allocate queue for the RRSF APPC server, which is a task within the RACF subsystem address space. The RRSF APPC server then becomes responsible for processing the allocate requests for which it has registered.

Copyright IBM Corporation 1990, 2014