Why Security for APPC?

Cooperative processing allows application programs to establish communications with partner programs on other systems, and to share work, data, and services between systems and across networks. This ability to access other programs and all the resources at their disposal poses special security considerations for installations that use cooperative processing.

APPC/MVS is a cooperative processing interface on MVS/ESA. With APPC/MVS, transaction programs (TPs) on MVS can initiate (allocate) conversations with partner programs on systems throughout an SNA network. The partner programs can likewise allocate conversations with TPs on MVS. In an unprotected network, all a TP has to know to start a conversation is the name of an inbound TP and the logical unit (LU) on which the inbound TP is located. Unless certain precautions are taken, it is possible for unauthorized conversations to take place. To protect your z/OS system from unauthorized conversation requests, you might want to take some of the following steps:

Limit the logical units from which conversation requests can enter your system
Ensure that inbound requests for conversations with your system contain security information such as a user ID and password
Limit, by user ID, those users who can request a particular TP on your system
Limit the administrators who can define TPs to APPC/MVS
Ensure that TPs on MVS run in the appropriate security environment, one that represents the requester of the MVS TP.
Minimize the flow of passwords across the network.

This chapter discusses these and other security mechanisms for cooperative processing and describes how you can implement them using APPC/MVS and RACF®.