Persistent Verification (PV) is a type of conversational signon security that significantly reduces the number of I/Os and updates sent to the Security File and the number of ACIDs and passwords that are transmitted between local and remote LUs. Persistent Verification is used whenever the SECACPT parameter on the VTAM APPL statement is set to PERSISTV. It is also used whenever the CONVSEC parameter on the APPCLU statement for the link is set to PERSISTV.
With PV, a copy of the user's signed‑on information is kept in extended CSA storage. Keeping this information available greatly reduces the calls to the Security File. The existing LINKID, SESSKEY, and CONVSEC keywords define the information needed to create session keys and how the session keys are used in an APPC/OS/390 conversation.
Two SAF operator commands, CASF DISPLAY and CASF SIGNOFF, are used to monitor the sign‑on information that is stored in the ECSA. CASF DISPLAY is used to determine what authorities are being used by various LUs. CASF SIGNOFF is used to remove an ACID's signed‑on information from the Sign‑On List.
To enable administrators to monitor system use, an SAF operator command is supported to display information by local LU (APPL), by remote LU (POE), by userid (USER), by group (GROUP) or by security label (SECLABEL). The syntax of this command is:
CASF DISPLAY (APPL|POE|USER|GROUP|SECLABEL)
The issuer must have READ authority for the resource name for the OPERCMDS class.
The following example shows the command you would issue to determine who is signed on from the remote LU named L09IX004.
CASF DISPLAY POE(L09IX004)
In response to this command, the Signed_On_From list for remote LU L09IX004 is displayed. If none of the optional parameters are entered, a list of all the entries in the POE/APPL table will be displayed.
A similar operator command exists to remove users from the Signed_On_From list. The issuer of this command must have UPDATE authority for the resource name for the OPERCMDS class. Although the parameters for the remove command are the same as the parameters for the display command (APPL, POE, USER, GROUP, SECLABEL), three parameters are required: APPL, POE, and USER.
The syntax of the remove command is:
CASF SIGNOFF APPL POE USER (GROUP|SECLABEL)
The following example shows the command you would issue to sign off user HOWPA02 from local LU L08IX003 and remote LU L09IX004.
CASF SIGNOFF APPL(L08IX003),POE(L09IX004),USER(HOWPA02)
Copyright © 2013 CA Technologies.
All rights reserved.