This event is logged by RACROUTE REQUEST=AUDIT,EVENT='APPCLU'.
This event applies to establishing a session between two logical units
(referred to as the local LU and the partner LU) in accordance with
the Systems Network Architecture (SNA). VTAM®
and CICS® call RACF® for security information stored in general
resource profiles in the APPCLU class.
Each profile contains an 8-byte session key that is used in verification;
the two LUs must have corresponding profiles with identical keys so
that the handshaking of encrypted data is successful.
The explanations of the event code qualifiers for Event 26 are:
- 0(0) PARTNER VERIFICATION WAS SUCCESSFUL
  The handshaking was successful. The LUs established a connection.
- 1(1) SESSION ESTABLISHED WITHOUT VERIFICATION
  No handshaking was done, but the LUs were still allowed to establish
  a connection, with the knowledge that the partners were not verified.
- 2(2) LOCAL LU KEY WILL EXPIRE IN 5 DAYS OR LESS
  The handshaking was successful; this qualifier was set to tell users
  when the local LU's session key would expire.
- 3(3) PARTNER LU ACCESS HAS BEEN REVOKED
  Too many unsuccessful attempts were made at matching the session key.
- 4(4) PARTNER LU KEY DOES NOT MATCH THIS LU KEY
  An attempt was made to establish a session, but the session keys did
  not match. For example, the two sets of identical data encrypted with
  the two keys did not match.
- 5(5) SESSION TERMINATED FOR SECURITY REASONS
  One or both of the APPCLU profiles involved have the keyword LOCK
  specified in their session information, preventing any connections
  from being made. This keyword enables the security administrator to
  temporarily prevent specific connections without deleting any profiles.
- 6(6) REQUIRED SESSION KEY NOT DEFINED
  The local LU had VERIFY=REQUIRED coded on its APPL statement, indicating
  that session level verification must be used on all sessions with the
  LU. One of the following occurred:
  - The local LU is the primary LU and no password was defined in RACF
    for the LU pair.
  - The partner LU is the primary LU, but the bind it sent to the
    local LU did not contain random data (which would indicate that the
    partner is using session level verification also).
- 7(7) POSSIBLE SECURITY ATTACK BY PARTNER LU
  The local LU sent out a random number to another LU as part of the
  handshaking process of establishing a session. That same number then
  came in from a third LU for the local LU to encrypt. It would be a
  coincidence for the same number to be chosen, because the number is
  64 bits of random data. It may be that an unauthorized user is
  attempting to steal the encrypted response.
- 8(8) SESSION KEY NOT DEFINED FOR PARTNER LU
  The local LU had VERIFY=OPTIONAL coded on its APPL statement. There
  was a password defined in the local LU's RACF profile for the LU-LU
  pair, indicating that session level verification should be used on all
  sessions between the two LUs. However, the partner LU tried to start
  a session without using session level verification.
- 9(9) SESSION KEY NOT DEFINED FOR THIS LU
  The local LU had VERIFY=OPTIONAL coded on its APPL statement. No
  password was defined in the local LU's RACF profile for the LU-LU
  pair, indicating that session level verification may not be used to
  establish sessions with this LU. However, the partner LU tried to
  establish a session using session level verification.
- 10(A) SNA SECURITY-RELATED PROTOCOL ERROR
  The LU trying to establish a connection is not responding correctly
  according to the handshaking protocol.
- 11(B) PROFILE CHANGE DURING VERIFICATION
  The handshaking was attempted, but it is evident that one of the LUs'
  profiles (specifically the session key) changed in the middle of the
  handshaking, making its success impossible.
- 12(C) EXPIRED SESSION KEY
  The session key in one or both of the APPCLU profiles has expired.
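
The checks behind qualifiers 7, 4 and 3, as an added Python model that is not RACF or VTAM code: the local LU remembers every random number it has issued, refuses to encrypt one that comes back to it as a challenge, and revokes a partner after repeated key mismatches. Assumptions: the names `LocalLU`, `respond` and `MAX_FAILURES` are hypothetical, HMAC-SHA-256 stands in for the handshake's encryption, the revocation threshold of 3 is invented, and an unsolicited answer is modelled as qualifier 10.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumption: the page says only "too many" attempts

def respond(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for the handshake's encryption step (not the real SNA cipher).
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]

class LocalLU:
    """Hypothetical model of the local LU's side of session verification."""

    def __init__(self, session_keys):
        self.keys = dict(session_keys)  # partner LU name -> 8-byte session key
        self.outstanding = {}           # challenge we issued -> partner it went to
        self.failures = {}              # partner -> consecutive key mismatches
        self.revoked = set()

    def send_challenge(self, partner: str) -> bytes:
        nonce = secrets.token_bytes(8)  # 64 bits of random data
        self.outstanding[nonce] = partner
        return nonce

    def on_challenge(self, sender: str, nonce: bytes):
        """Return (qualifier, response); qualifier is None when nothing is logged."""
        # Qualifier 7: our own outstanding number came back for us to encrypt.
        # The page describes a third LU; this model refuses it from any sender.
        if nonce in self.outstanding:
            return 7, None
        return None, respond(self.keys[sender], nonce)

    def on_response(self, partner: str, nonce: bytes, response: bytes) -> int:
        """Check the answer to a challenge we issued; return the qualifier."""
        if partner in self.revoked:
            return 3
        if self.outstanding.pop(nonce, None) != partner:
            return 10  # assumption: unsolicited answer modelled as protocol error
        if hmac.compare_digest(response, respond(self.keys[partner], nonce)):
            self.failures[partner] = 0
            return 0
        self.failures[partner] = self.failures.get(partner, 0) + 1
        if self.failures[partner] >= MAX_FAILURES:
            self.revoked.add(partner)
            return 3  # too many unsuccessful attempts: access revoked
        return 4      # session keys did not match
```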