Previous Topic: LPRNext Topic: Storing Distributed Files in a CA View Data Repository

Processing Distributed Files for Mainframe StorageSecurity Considerations

Security Considerations

Security access for distributed files is handled by the repository system using the same security rules and methods that secure your data. CA Spool's LPD Interface was designed for use behind firewalls, and you should implement the system in a secured environment. When a file is transferred, CA Spool's LPD Interface supplies the user ID sent by the LPR command in addition to the information defined in the LPDDEST statement. The user ID passed may not match what is set up in your repository system. The value passed in the USERID field is dependent on the originating system from which the document is passed. Sometimes, the user ID matches the name of the machine the file was transferred from. To override the user ID, you can set a value on the LPDDEST statement using the FUSERID parameter.

You should review existing site standards regarding file naming conventions prior to the implementation of this solution to ensure that you are set up to enforce security rules to limit file access. You can define standard report naming conventions to fit your current security and report retention rules by use of the FNAME parameter on the LPDDEST statement.

You can set up CA Spool's LPD Interface to restrict a requestor by their IP-address, for example:

LPDSERV TCPNS=NO, DAM=DUMMY
LPDDEST QDEST=LPDPRT, QHOST=172.24.78*

In the example, DAM=DUMMY on the LPDSERV statement indicates that all print requests, by default, are ignored. The QHOST parameter on the LPDDEST statement contains a masked IP address so that only IP-addresses starting with 172.24.78 are able to send something to LPDPRT.

Note: According to RFC 1179, LPR/LPD protocol print requests must be issued from source port 721 through 731. Using most TCP/IP stacks, you have to be authorized to use source ports below 1024. As with most LPD implementations, CA Spool's LPD Interface does not validate this by default. However, you can specify PORTVAL=YES or PORTVAL=SUPV on the LPDSERV statement to instruct CA Spool's LPD Interface to validate that the source port is in the valid range.