Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Using Persistent Verification (PV) z/OS MVS Planning: APPC/MVS Management SA23-1388-00 |
||||||||||||||||||||||
Programming Interface Information
With VTAM® 3.4 or later and RACF® installed, APPC/MVS can receive persistent verification requests. Persistent verification (PV) is an option that LUs can specify on outbound allocate (attach) requests. Persistent verification is an application security mechanism that maintains lists of verified user IDs and reduces the flow of passwords across the network. APPC/MVS LUs can receive but cannot send persistent verification requests. To use persistent verification on your system, you must:
On sessions that allow persistent verification, the following sequence
of events establishes persistent verification for user IDs passed
on that session:
MVS operators can use the RACF #DISPLAY SIGNON command to display the signed-on-from list and the #SIGNOFF command to remove entries from the signed-on-from list while a session is active. For example, the following command would search the signed-on-from
list for user USER01 to see if that user is signed on for persistent
verification from LU01. If USER01 is signed on from that specific
port of entry (POE), a list is returned to the operator console.
The following operator command would remove user USER01 from the
signed-on-from list of LU02:
See z/OS Security Server RACF Command Language Reference for more information about these commands. When the operator removes an entry from the signed-on-from list, RACF grants control to the persistent verification verb exit, which sends a request to the partner LU to remove the entry from the signed-on-to list. When the request is complete, the operator receives RACF message IRRE006I, which contains a return and reason code. The return and reason codes are documented in z/OS Security Server RACROUTE Macro Reference. The return and reason codes for the persistent verification verb exit are:
If you are using a security product other than RACF, the persistent verification verb exit return and reason codes may be different from those listed above. Diagnosing PV ProblemsThere are some situations in which signed-on-to and signed-on-from lists might not be identical, possibly causing an erroneous return code of security_not_valid from an allocate request. For example, a partner application might have two windows, one that starts a conversation with a "sign-on" request, and a second that starts another conversation to the same LU and passes a "signed-on" indicator. If for some reason the second allocate reached the inbound LU first, the user ID would not be found on the signed-on-from list yet, and the "signed-on" request would be rejected. The user would need to try that request again later. See SNA LU 6.2 Reference: Peer Protocols for more information about using persistent verification. End of Programming Interface Information
|
Copyright IBM Corporation 1990, 2014
|