z/OS Communications Server: SNA Customization


Secondary authorization function

SC27-3666-00

Because this sample session management exit routine does not use the initial authorization function, all LU sessions are authorized by the secondary authorization function. This sample session management exit routine function examines the network ID of the secondary and primary logical units (SLU and PLU).

If the network IDs of both LUs match the host's network ID (GWVTAM), which is passed to the routine in the environment vectors, the session setup is allowed to continue. However, if the network ID of either the SLU or the PLU differs from the host's network ID, the network identifier registration table is examined.

If the table indicator in the first byte of the user data storage area is set to either X'FF' or X'F0', the cross-network session setup is rejected. If the table indicator is set to neither of those values, the network ID of the appropriate LU is compared to the entries in the network identifier registration table to determine whether the request is valid. If the network ID is not contained in the table, the session request is rejected.

The secondary authorization function parameter list contains the addresses of the PLU and the SLU resource identification control vectors (RICs). These RICs contain the network identifier associated with both the real and alias LU names.

Using the sample network environment shown in Figure 1, assume there is a cross-network session request from a terminal (N02L0256) in NET1 for a destination logical unit (A50CICS) in NET2. A sample portion of the PLU RIC that is passed to the session management exit routine in the gateway VTAM® (G10VTAM) for this terminal-initiated session is shown in Figure 1.

Figure 1. Sample portion of PLU resource identification control vector (figure not reproduced here; it shows the portion of the PLU RIC passed to the session management exit routine in the gateway VTAM for this terminal-initiated session)

RICs contain more information related to the LU session request than is used by the sample session management exit routine. For example, the PLU and SLU RICs contain the real and alias names of the LU session partners. The session management exit routine can be expanded to authorize session setup based on the LU name of the DLU or OLU partner. The session management exit routine might analyze a specific naming convention associated with the LUs, or the network identifier registration table might be expanded to include LU name registration, depending upon the security requirements of the network or application session partners.

After it receives the RIC, the session management exit routine must locate the network ID of the gateway VTAM host. This information is the first entry following the vector list header.
***********************************************************************
*        SME ROUTINE - SECONDARY AUTHORIZATION FUNCTION
***********************************************************************
SECAUTH  EQU   *
         L     R2,0(R11)        ADDRESS OF ENVIRONMENT VECTORS
         CLI   3(R2),X'06'      ENSURE HOST NETID VECTOR
         BNE   ABEND            TERMINATE - NO NETID CONTROL VECTOR
         SR    R3,R3            CLEAR WORK REGISTER 3
         IC    R3,2(R2)         LENGTH OF HOST NETID
         LTR   R3,R3            ENSURE HOST NETID AVAILABLE
         BZ    ABEND            TERMINATE - NO HOST NETID START OPTION
         LA    R2,4(R2)         ADDRESS OF HOST NETID
***********************************************************************

The next task is to examine the network identifiers that are passed for the PLU and SLU in the RICs. There are two network IDs in each RIC, one associated with the real name and the other with the alias name of the LU.

In this sample, the only network identifier that is important is the real network ID for each LU. The real network ID in each RIC must be examined to determine the direction of session setup. The direction of session setup is determined by which LU initiates the session, the mechanism used to initiate the session (terminal-initiated logon, automatic logon, or third-party logon), or both the LU and mechanism used.

The usage indicator (byte 4, bit 1) in the RIC identifies whether the resource, either PLU or SLU, is the target. Therefore, this indicator can be checked to determine whether the RIC for the PLU is the DLU or the OLU. The same task can be performed for the SLU by examining the indicator in the RIC.

The following sample code is used to examine the real network ID in the RICs for the primary and secondary LUs. The network ID in the RIC for the PLU is first compared to the host network ID. If both are the same, the real network ID in the RIC for the SLU must be examined. If the PLU and host network IDs are not the same, the real network ID for the PLU is compared to the entries in the network identifier registration table. If there is no match, the session request is considered to be from a network that is not valid and the session is rejected.

Note: In the sample, an execute (EX) instruction is used to compare the network IDs and the PLU or the SLU names because the name length in the RIC appears to be variable. VTAM, however, always uses 8-character names that are padded with blanks. Therefore, you are not required to use the EX instruction. You can use a compare (CLC) instruction with a length of eight to perform this task.
***********************************************************************
*
** LOCATE PLU RESOURCE INFORMATION CONTROL VECTOR - REAL NETID
*
SECAUS1  EQU   *
         LA    R15,0        RETURN CODE - ASSUME ACCEPT SESSION REQUEST
         SR    R5,R5            CLEAR REGISTER 5
         L     R4,12(R11)       PLU RIC ADDRESS
         LA    R4,4(R4)         PLU RIC SSCPNAME ADDRESS
         IC    R5,0(R4)         PLU RIC SSCPNAME LENGTH
         LTR   R5,R5            TEST SSCPNAME FOR ZERO LENGTH
         BZ    SECAUS3C         NO SSCPNAME - SESSION SETUP FAILURE
         AR    R4,R5        PLU RIC REAL NETID ADDRESS VECTOR MINUS ONE
         LA    R4,1(R4)         PLU RIC NETID LENGTH ADDRESS
         IC    R5,0(R4)         PLU RIC NETID LENGTH
         LTR   R5,R5            PLU RIC TEST NETID FOR ZERO LENGTH
         BZ    SECAUS3C         PLU RIC NETID LENGTH INCORRECT
         BCTR  R5,0             PLU RIC NETID LENGTH MINUS ONE
         LA    R4,1(R4)         PLU RIC NETID ADDRESS
*
** COMPARE THE PLU RIC NETID TO HOST NETID IN THE ENVIRONMENT VECTOR
** IF PLU RIC NETID EQUALS HOST NETID THEN PROCESS SLU RIC NETID
** ELSE EXAMINE NETID REGISTRATION TABLE FOR VALID NETWORK IDENTIFIER
*
         EX    R5,NETID         COMPARE PLU RIC REAL NETID TO HOST NETID
*                                 (R5 = NETID LENGTH MINUS ONE SUPPLIES
*                                 THE CLC LENGTH; R4 IS THE ADDRESS)
         BNE   SECAUS3          PLU NETID NOT EQUAL GATEWAY VTAM
*
** LOCATE SLU RESOURCE INFORMATION CONTROL VECTOR - REAL NETID
*
SECAUS2  EQU   *
         SR    R5,R5            CLEAR WORK REGISTER 5
         L     R4,16(R11)       SLU RIC ADDRESS
         LA    R4,4(R4)         SLU RIC SSCPNAME ADDRESS
         IC    R5,0(R4)         SLU RIC SSCPNAME LENGTH
         LTR   R5,R5            TEST SSCPNAME FOR ZERO LENGTH
         BZ    SECAUS3C         NO SSCPNAME - SESSION SETUP FAILURE
         AR    R4,R5        SLU RIC REAL NETID ADDRESS VECTOR MINUS ONE
         LA    R4,1(R4)         SLU RIC NETID LENGTH ADDRESS
         IC    R5,0(R4)         SLU RIC NETID LENGTH
         LTR   R5,R5            SLU RIC TEST NETID FOR ZERO LENGTH
         BZ    SECAUS3C         SLU RIC NETID LENGTH INCORRECT
         BCTR  R5,0             SLU RIC NETID LENGTH MINUS ONE
         LA    R4,1(R4)         SLU RIC NETID ADDRESS
*
** COMPARE THE SLU RIC NETID TO HOST NETID IN THE ENVIRONMENT VECTOR
** IF SLU RIC NETID EQUALS HOST NETID THEN MUST BE SAME NETWORK SESSION
** ELSE EXAMINE NETID REGISTRATION TABLE FOR VALID NETWORK IDENTIFIER
*
         EX    R5,NETID         COMPARE SLU RIC REAL NETID TO HOST NETID
*                                 (R5 = NETID LENGTH MINUS ONE SUPPLIES
*                                 THE CLC LENGTH; R4 IS THE ADDRESS)
         BE    RETURN      SLU NETID EQUALS GATEWAY VTAM - SAME NETWORK
*
** EXAMINE NETID REGISTRATION TABLE FOR VALID NETWORK IDENTIFIER
*
SECAUS3  EQU   *
         L     R2,8(R11)        USER DATA FIELD ADDRESS
         L     R2,0(R2)         USER DATA STORAGE AREA ADDRESS
         CLI   0(R2),X'F0'      TEST FOR NETID TABLE LOADED
         BE    SECAUS3C         NETID TABLE NOT LOADED - REJECT
*                                 SESSION REQUEST
         CLI   0(R2),X'FF'      TEST FOR INVALID NETID TABLE
         BE    SECAUS3C         NETID TABLE INVALID - REJECT
*                                 SESSION REQUEST
         L     R2,4(R2)         NETID REGISTRATION TABLE ADDRESS
         L     R3,0(R2)         NETID TABLE ENTRY COUNT
         LA    R2,4(R2)         NETID TABLE ENTRY ADDRESS
*
** COMPARE THE PLU OR SLU RIC REAL NETID TO NETID REGISTRATION
** TABLE ENTRY
*
SECAUS3A EQU   *
         EX    R5,NETID        COMPARE PLU/SLU RIC NETID TO TABLE ENTRY
         BE    RETURN        ACCEPT SESSION REQUEST - VALID NETID ENTRY
SECAUS3B EQU   *
         LA    R2,8(R2)         NEXT NETID TABLE ENTRY ADDRESS
         BCT   R3,SECAUS3A      NETID TABLE ENTRY COUNT NOT
*                                 ZERO - CONTINUE SEARCH
*
** END NETID REGISTRATION TABLE SEARCH - NO VALID ENTRY OR NETID
** NOT LOADED.
** RETURN CODE - REJECT CROSS NETWORK SESSION REQUEST
*
SECAUS3C EQU   *
         LA    R15,8            NO ENTRY IN NETID REGISTRATION TABLE
*                                OR NETID TABLE NOT LOADED
         B     RETURN           EXIT TO VTAM
*
** INSTRUCTION EXECUTED TO COMPARE: PLU RIC REAL NETID TO HOST NETID
**                                  PLU RIC REAL NETID TO NETID
**                                  REGISTRATION TABLE ENTRY
**                                  SLU RIC REAL NETID TO HOST NETID
**                                  SLU RIC REAL NETID TO NETID
**                                  REGISTRATION TABLE ENTRY
*
NETID    CLC   0(0,R4),0(R2)    NETID COMPARE INSTRUCTION
*
***********************************************************************
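The following Python model is an added illustration, not code from the z/OS Communications Server sample or from VTAM. It replays the whole decision described above: the SECAUTH prologue that reads the host network ID from the environment vector (length at offset 2, key X'06' at offset 3, data at offset 4), the SECAUS1/SECAUS2 walk through each RIC (SSCP name length at offset 4, then the name, then the real NETID length and NETID), the X'F0'/X'FF' table indicator check, and the search of the registration table (fullword entry count followed by 8-byte entries). Return codes 0 and 8 mirror the sample's R15 values. The byte layouts of the constructed vectors, the ASCII encoding (real control vectors carry EBCDIC), the SSCP names, and the choice of NET2 as the gateway host's network ID are assumptions made for this example; the function and field names are hypothetical.

```python
"""Model of the secondary authorization function of the sample session
management exit routine. Offsets mirror the assembler sample; everything
else (names, ASCII strings, helper layout) is constructed for illustration."""
from typing import List, Optional

HOST_NETID_VECTOR = 0x06   # vector key tested by CLI 3(R2),X'06'
TABLE_NOT_LOADED = 0xF0    # user data indicator: table not loaded  -> reject
TABLE_INVALID = 0xFF       # user data indicator: table invalid     -> reject
RC_ACCEPT = 0              # LA R15,0
RC_REJECT = 8              # LA R15,8 (SECAUS3C)


def host_netid(env_vectors: bytes) -> bytes:
    """SECAUTH prologue: length at +2, key X'06' at +3, NETID at +4.
    The sample ABENDs where this raises."""
    if len(env_vectors) < 4 or env_vectors[3] != HOST_NETID_VECTOR:
        raise ValueError("no host NETID control vector")
    length = env_vectors[2]
    if length == 0:
        raise ValueError("no host NETID start option")
    return env_vectors[4:4 + length]


def ric_real_netid(ric: bytes) -> Optional[bytes]:
    """SECAUS1/SECAUS2 walk: SSCP name length at +4, then the name, then the
    real NETID length and NETID. None stands for the branch to SECAUS3C."""
    pos = 4
    if pos >= len(ric) or ric[pos] == 0:          # no SSCPNAME
        return None
    pos += 1 + ric[pos]                           # AR R4,R5 / LA R4,1(R4)
    if pos >= len(ric) or ric[pos] == 0:          # NETID length incorrect
        return None
    return ric[pos + 1:pos + 1 + ric[pos]]


def clc(netid: bytes, target: bytes) -> bool:
    """The EX'd CLC: compares exactly len(netid) bytes of the target.
    With VTAM's 8-byte blank-padded names this is an exact compare."""
    return netid == target[:len(netid)]


def table_entries(table: bytes) -> List[bytes]:
    """Fullword entry count at +0, 8-byte entries from +4 (LA R2,8(R2))."""
    count = int.from_bytes(table[0:4], "big")
    return [table[4 + 8 * i:12 + 8 * i] for i in range(count)]


def netid_registered(netid: bytes, indicator: int, table: bytes) -> bool:
    """SECAUS3: reject outright on X'F0'/X'FF', else search the table."""
    if indicator in (TABLE_NOT_LOADED, TABLE_INVALID):
        return False
    return any(clc(netid, entry) for entry in table_entries(table))


def secondary_authorization(env_vectors: bytes, plu_ric: bytes, slu_ric: bytes,
                            indicator: int, table: bytes) -> int:
    """Returns the R15 value the sample would set: 0 accept, 8 reject."""
    host = host_netid(env_vectors)
    plu = ric_real_netid(plu_ric)                 # SECAUS1
    if plu is None:
        return RC_REJECT
    if not clc(plu, host):                        # BNE SECAUS3
        return RC_ACCEPT if netid_registered(plu, indicator, table) else RC_REJECT
    slu = ric_real_netid(slu_ric)                 # SECAUS2
    if slu is None:
        return RC_REJECT
    if clc(slu, host):                            # BE RETURN: same-network session
        return RC_ACCEPT
    return RC_ACCEPT if netid_registered(slu, indicator, table) else RC_REJECT


# ---- constructed sample data (ASCII stand-in for EBCDIC) --------------------
def pad8(name: str) -> bytes:
    return name.encode("ascii").ljust(8, b" ")

def make_env_vectors(host: str) -> bytes:
    netid = pad8(host)
    return bytes([0x00, 0x00, len(netid), HOST_NETID_VECTOR]) + netid

def make_ric(sscp: str, netid: str) -> bytes:
    s, n = pad8(sscp), pad8(netid)                # bytes 0-3 left opaque here
    return b"\x00" * 4 + bytes([len(s)]) + s + bytes([len(n)]) + n

def make_table(*netids: str) -> bytes:
    return len(netids).to_bytes(4, "big") + b"".join(pad8(n) for n in netids)


def demo() -> dict:
    """Figure 1 scenario: A50CICS (PLU) in NET2, terminal N02L0256 (SLU) in
    NET1, gateway G10VTAM assumed to own NET2. SSCP names are made up."""
    env = make_env_vectors("NET2")
    plu = make_ric("G10VTAM", "NET2")
    slu = make_ric("N01SSCP", "NET1")
    table = make_table("NET1", "NET3")
    return {
        "registered":    secondary_authorization(env, plu, slu, 0x00, table),
        "not_loaded":    secondary_authorization(env, plu, slu, TABLE_NOT_LOADED, table),
        "invalid_table": secondary_authorization(env, plu, slu, TABLE_INVALID, table),
        "unregistered":  secondary_authorization(env, plu, slu, 0x00, make_table("NET3")),
        "same_network":  secondary_authorization(env, plu, make_ric("N02SSCP", "NET2"), 0x00, table),
    }


if __name__ == "__main__":
    for case, rc in demo().items():
        print(f"{case:14s} R15={rc}")
```

The `clc` helper reproduces why the note above recommends a fixed-length compare: the EX'd CLC compares only as many bytes as the RIC's NETID length says, so the check is exact only because VTAM supplies 8-character blank-padded names. The three reject paths (table indicator X'F0', indicator X'FF', and no matching entry) all collapse to return code 8, just as the assembler's SECAUS3C does.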

Copyright IBM Corporation 1990, 2014