LU 6.2 security z/OS Communications Server: SNA Network Implementation Guide SC27-3672-01 |
VTAM® LU 6.2 support provides the following security functions for your network:

Encryption facility. The encryption facility protects data passing over lines between network resources by permitting enciphering and deciphering of data for LU-LU sessions. For an application program or peripheral node logical unit to have cryptographic sessions, the host processor must support cryptography. For more information about the encryption facility, see Cryptography facility.

LU 6.2 user ID verification. LU 6.2 user ID verification is a conversation-level security protocol, taking place at the time a conversation is started. For more information about LU 6.2 conversation-level security, see the z/OS Communications Server: SNA Programmer's LU 6.2 Guide.

LU 6.2 session-level LU-LU verification. LU 6.2 session-level LU-LU verification is a session-level security protocol that is used to verify the identity of each logical unit at the time the session is activated. It provides the ability to verify the identity of an application program's partner LUs during the activation of sessions between type 6.2 LUs. VTAM-generated random data is encrypted using one of the data encryption standard algorithms. The encryption key is a password associated with each LU-LU pair. The encrypted data is carried on both the session activation request and the response, so that each LU partner can verify the other partner for the session.

The passwords used for session-level LU-LU verification are not coded on any VTAM definition statements but are implemented through an external security management product, such as RACF®. If you plan to use LU 6.2 session-level LU-LU verification, a security management product (such as RACF 1.9 or later) must be installed and active. In addition, a profile for the LU needs to be in the security management database. With RACF 1.9, the APPCLU class needs to be active and a profile of the LU needs to be in the APPCLU class. For an example of the appropriate RACF coding, see the z/OS Security Server RACF Security Administrator's Guide.
During activation of LU 6.2 sessions involving control points, the VERIFYCP start option specifies whether VTAM performs session-level LU-LU verification. The VERIFY and SECLVL operands on the APPL definition statement identify the level of partner-LU security verification. If the application program is the PLU and an LU-LU password is defined for the partner LU, VTAM requests that LU-LU verification be performed during session activation. If a password is not defined, LU-LU verification is not requested. If the application program is the secondary logical unit, one of the following conditions occurs:
If you are using LU 6.2 session-level LU-LU verification, you must create the RACF profile using either three-part or four-part names. Create the profile using a four-part name if one of the following is true.

Create a RACF profile using a three-part name if none of the above situations are true. See the following examples of a three-part name definition followed by a four-part name.
Note: Specifying VERIFY=OPTIONAL does not restrict the ability of a logical unit without a corresponding LU-LU profile to establish sessions with this application program.
If using RACF as your external security management product, the MODIFY PROFILES command enables you to reload an active application program's set of existing defined RACF profiles. However, you cannot change the RACF profile with MODIFY PROFILES, only refresh it. The RACF profile contains the LU-LU password, and only someone with RACF security clearance can change it. This can be helpful when the password for an LU-LU pair has been changed or when session activation errors are occurring. The profile changes affect only those sessions that are started after using the command; active sessions are not affected.
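The session-level LU-LU verification exchange described above (random data in the activation request, enciphered data in the response, the PLU requesting verification only when a password is defined, VERIFY=OPTIONAL admitting a partner without a profile) as an added Python model; it is not VTAM or RACF code. The profile table standing in for the APPCLU class, the LU names and passwords are all constructed, HMAC-SHA256 stands in for the DES-based enciphering, and the behaviour of VERIFY=REQUIRED (reject an unverified session) is an assumption taken from the APPL definition rather than from this page.

```python
import hashlib, hmac, secrets

# Constructed stand-in for the RACF APPCLU class: LU-LU passwords keyed by a
# three-part name NETID.LOCALLU.PARTNERLU. Names and passwords are made up.
PROFILES = {
    "NETA.APPL1.LUB": b"example-lu-lu-password",
    "NETA.LUB.APPL1": b"example-lu-lu-password",
    "NETA.APPL1.LUC": b"password-before-change",   # changed on one side only
    "NETA.LUC.APPL1": b"password-after-change",
}

def lookup_password(netid, local_lu, partner_lu):
    return PROFILES.get(f"{netid}.{local_lu}.{partner_lu}")

def encipher(password, data):
    # HMAC-SHA256 stands in for the DES-based enciphering VTAM performs.
    return hmac.new(password, data, hashlib.sha256).digest()

def plu_bind(netid, plu, slu):
    """PLU: request verification (carry random data) only if a password exists."""
    if lookup_password(netid, plu, slu) is None:
        return {"verify": False}
    return {"verify": True, "random": secrets.token_bytes(8)}

def slu_bind_response(bind, netid, slu, plu, verify):
    """SLU: encipher the PLU's random data and add a challenge of its own.
    VERIFY=REQUIRED (assumed) rejects unverified sessions; OPTIONAL admits them."""
    if not bind["verify"]:
        return {"accept": verify != "REQUIRED", "verified": False}
    pw = lookup_password(netid, slu, plu)
    if pw is None:
        return {"accept": False, "verified": False}
    return {"accept": True, "verified": True,
            "enciphered": encipher(pw, bind["random"]),
            "random": secrets.token_bytes(8)}

def activate(netid, plu, slu, verify="OPTIONAL"):
    """Run the exchange; returns (session_established, lu_lu_verified)."""
    bind = plu_bind(netid, plu, slu)
    resp = slu_bind_response(bind, netid, slu, plu, verify)
    if not resp["accept"]:
        return (False, False)
    if not resp["verified"]:
        return (True, False)
    pw = lookup_password(netid, plu, slu)
    if not hmac.compare_digest(encipher(pw, bind["random"]), resp["enciphered"]):
        return (False, False)   # SLU could not prove it holds the same password
    # PLU answers the SLU's challenge; the SLU checks it against its own profile.
    answer = encipher(pw, resp["random"])
    ok = hmac.compare_digest(encipher(lookup_password(netid, slu, plu), resp["random"]), answer)
    return (ok, ok)
```

The APPL1/LUC pair models the situation the MODIFY PROFILES paragraph describes: a password changed on one side only fails verification until the profiles agree and are refreshed.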
Copyright IBM Corporation 1990, 2014