For an APPC conversation to take place, you need to define the LUs to VTAM. This is done by coding VTAM APPL statements. At this point you can also use VTAM to verify a TP's authorization to use a particular session and to reject inbound conversations that do not provide the appropriate level of security information. This is done with the CA Top Secret VTAMAPPL keyword and with the VERIFY and SECACPT keywords of the VTAM APPL statement.
The VTAMAPPL, SECACPT, and VERIFY keywords are discussed briefly in the next sections. For more information, see the IBM Planning: APPC Management Guide.
When a TP on one LU initiates a conversation with a TP on another LU, that conversation takes place across a session. Corresponding access method control blocks (ACBs) are opened from the APPC address space when APPC is started on your z/OS system. To prevent non-APF-authorized programs from opening ACBs dedicated to APPC processing, and thereby potentially intercepting message traffic destined for APPC, you should define the ACB names to CA Top Secret via the VTAMAPPL keyword. To do so, use the following syntax:
TSS ADDTO(owner‑acid) VTAMAPPL(acbname)
Note: It is recommended that the owning ACID be that of the APPC department to which the STC ACIDs belong.
If you know of ACIDs that should not be authorized to use a particular ACB or set of ACBs, you can also use ACTION(DENY). For example, to prevent USER01 from opening the ACB123 session, use the following syntax:
TSS PERMIT(USER01) VTAMAPPL(ACB123) ACTION(DENY)
Regardless of whether or not you have secured ACBs through VTAMAPPL, you can still indicate whether or not VTAM will verify that the partner LU is authorized to establish a session with the host LU. This is specified through the VERIFY parameter on the VTAM APPL statement. There are three operands to choose from:
VTAM does not have to verify the partner LU; the default.
VTAM should verify those partner LUs that have defined LU‑LU passwords (known as sesskeys or session keys).
VTAM must verify every partner LU.
When verification is required, VTAM compares the sesskeys assigned to each LU. These sesskeys can be established when you define authorized LU‑LU links to the APPCLU record. For more information on the CA Top Secret SESSKEY keyword, see LINKID Keywords; for information on IBM session keys, see the IBM VTAM Resource Definition Reference.
The CA Top Secret VTAMAPPL resource class and the VERIFY parameter of the VTAM APPL statement are both used to secure session usage. The SECACPT values on the VTAM APPL statement carry that security one step further by extending it to the conversation level. When you are defining an LU to VTAM, you must specify the greatest level of security to be allowed on inbound requests for TPs at the LU. This is done by specifying one of the following operands on the APPL statement's SECACPT keyword:
Requests that contain no security information; the default.
Requests with specified security information.
Requests with specified security information and requests indicating that security information has already been verified. Use ALREADYV only between equally secured LUs.
Requests with persistent verification and access security information.
Requests with either already verified security information or persistent verification and access security information.
When specifying a value for the SECACPT keyword, keep in mind the nature of the TPs that use the LU. For example, if TPA issues a conversation request with SECURITY_PGM, a userid and password are provided with the request. CONV would therefore be the appropriate SECACPT value for the LU to which TPA issues that conversation request.
The SECACPT value indicates the default level of acceptable conversation security. This value can later be overridden by the CONVSEC value supplied when LU‑LU authorized links are defined to the CA Top Secret APPCLU record.
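Putting the pieces together, as an added illustration that is not from the CA Top Secret documentation: a VTAMLST APPL definition for one APPC LU shown in its weak form and its hardened form, followed by the CA Top Secret commands that protect the ACB name. The APPL node name, ACB name and ACIDs (APPLNODE, ACB123, APPCDEPT, APPCSTC, USER01) are constructed, and the operand sets VERIFY=NONE|OPTIONAL|REQUIRED and SECACPT=NONE|CONV|ALREADYV|PERSISTV|AVPV are assumed from the VTAM APPL statement; this page does not list them by name.

```jcl
* Constructed example (not CA or IBM code). VTAMLST member for one APPC LU.
* Only one of the two APPL statements below would actually be active; they
* are the "before" and "after" of the same definition.
APPLNODE VBUILD TYPE=APPL
*
* BEFORE: VTAM does not check the partner LU's session key (VERIFY=NONE)
* and accepts conversation requests that carry no security information
* at all (SECACPT=NONE, the default).
LUAPPC   APPL  ACBNAME=ACB123,APPC=YES,VERIFY=NONE,SECACPT=NONE
*
* AFTER: every partner LU must present a matching session key, and inbound
* requests must carry a userid and password (CONV), which is what a TP
* started with SECURITY_PGM supplies. ALREADYV is deliberately not used
* because the partner LUs are not equally secured.
LUAPPC   APPL  ACBNAME=ACB123,APPC=YES,VERIFY=REQUIRED,SECACPT=CONV
*
* CA Top Secret commands (entered from TSO or the TSS batch interface).
* Own the ACB name from the APPC department so that only permitted ACIDs
* can open it; permit the APPC started task; deny a specific user.
* (Per-LU session keys and CONVSEC overrides belong on the APPCLU record,
* which is covered under the LINKID keywords and is not repeated here.)
TSS ADDTO(APPCDEPT) VTAMAPPL(ACB123)
TSS PERMIT(APPCSTC) VTAMAPPL(ACB123)
TSS PERMIT(USER01) VTAMAPPL(ACB123) ACTION(DENY)
```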
Copyright © 2013 CA Technologies. All rights reserved.