Security

The TSO subsystem is considered a secure application program. That is, confidential data is handled on behalf of the user in ways that prevent unauthorized disclosure of the data. The CONFTXT parameter in the TSOKEY00 parmlib member determines whether output data is considered confidential text. The default is that the data is considered confidential. TSO/VTAM protects tracing of user data by setting the CONFTXT indicator in the NIB at the time the user logs on.

If CONFTXT=NO, VTAM® can perform buffer or I/O traces on the data. If CONFTXT=YES (the default), the data is considered confidential and no data is recorded. The CONFTXT parameter, however, does not apply to the TSO type VTAM trace for TPUT/TPG/TGET buffers; these are always traceable. For details, see information about initialization and tuning for your operating system.

VTAM supports TSO message security by invoking RACF® services to provide resource access control for:

Cross-address space TPUTs (such as the TSO SEND command), which:
- Control who can send messages to whom
- Ensure that a message will be received by the intended user
- Ensure that a cross-address-space message can be received only by a user with a security classification that is equal to or greater than the sender
Requests to open an ACB from a non-APF authorized application program or processor.

Note: The installation must ensure that both the sender and receiver of TSO/VTAM messages are authorized with the proper security level in the security management product. The TSO/VTAM user IDs should be registered with a class of SMESSAGE in the security management product.