If you use bind-time security with LU6.2, you must define profiles in the
APPCLU general resource class: the APPCLU resource class is used to verify
the identity of APPC partner logical units (LU type 6.2) during VTAM® session establishment.
To do this, take the following steps:
- Ask your VTAM system programmer for the following information for each session partner:
  - The network ID and the LU identifiers.
- For each pair of session partners, create two profiles in the APPCLU general resource class. On one system, enter the following RDEFINE command:
    RDEFINE APPCLU netid1.luid1.luid2 UACC(NONE) SESSION(SESSKEY(session-key))
  On the other system, enter the following RDEFINE command:
    RDEFINE APPCLU netid2.luid2.luid1 UACC(NONE) SESSION(SESSKEY(session-key))
  where:
  - netid1 and netid2 are the network IDs (NETID) of the partners. These IDs are specified on the VTAM start option NETID, which is in the ATCSTRxx member of SYS1.VTAMLST.
  - luid1 and luid2 are the LU names of the partners. In each case, the first LU name specified is the local LU name and the second is the remote LU name.
  - session-key is the 16-hexadecimal-digit or 8-character password that matches the session key of the remote system. Enclose hexadecimal digits in quotes; for example, SESSKEY(X'0123456789ABCDEF').
  Specify the same session key on both systems: if the session keys do not match, the session cannot be established. Although RACF does not require that you specify a session key, CICS rejects the bind if no session key is specified.
- Define the attributes of the sessions between the partners of each LU pair. To do this, define a SESSION segment for each APPCLU profile using the SESSION option of the RDEFINE and RALTER commands. You can specify the following information in each SESSION segment:
  - CONVSEC: Specifies the levels of security checking performed for each conversation between the partners of the LU pair. CICS does not use this information; instead it uses the information specified in the ATTACHSEC operand of the CONNECTION definition.
  - INTERVAL: Specifies the maximum number of days the session key is valid before it must be changed. Be aware of the impact this can have on the users at the remote end of the link. If either password expires, the link cannot be established. Depending on the auditing of the profile records, ICH415I messages may or may not be written. See Specifying bind-time security for LU6.2. (CICS issues message DFHZC4942 to the CSNE destination when the password has expired.) Ensure that you know when a password interval is about to expire so that links do not fail for this reason. CICS does not display messages when the password is about to expire, but it does write records to the SMF log.
  - LOCK: Marks the profile as locked. If the profile is locked, the session does not bind, and CICS issues message DFHZC4941.
  - NOLOCK: Marks the profile as unlocked.
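The following command sequence walks through the whole procedure above for one LU pair. It is an added example and not taken from the CICS documentation: the two systems are constructed (system A with NETID NETA and local LU CICSA, system B with NETID NETB and local LU CICSB), and the session key and the INTERVAL value are placeholders to be replaced with your own. Comments are in CLIST style; strip them if you type the commands at a TSO prompt. The SETROPTS CLASSACT step assumes the APPCLU class is not already active on that system.

```tso
/* Added example, not from the CICS documentation. All names and the    */
/* session key below are constructed placeholders.                      */
/* System A: NETID=NETA, local LU=CICSA.  System B: NETID=NETB, LU=CICSB */

/* ---- On system A. Profile name: NETID.localLU.remoteLU ------------- */
/* Activate the class only if it is not already active on this system.  */
SETROPTS CLASSACT(APPCLU)
/* Same key that system B will use; hex form is enclosed in X'...'.     */
/* INTERVAL(30): key must be changed within 30 days or the bind fails.  */
/* CONVSEC is shown for completeness; CICS takes conversation security  */
/* from ATTACHSEC on the CONNECTION definition instead.                 */
RDEFINE APPCLU NETA.CICSA.CICSB UACC(NONE) +
   SESSION(SESSKEY(X'A1B2C3D4E5F60718') INTERVAL(30) CONVSEC(NONE) NOLOCK)

/* ---- On system B. Note the reversed LU order: local LU comes first -- */
SETROPTS CLASSACT(APPCLU)
RDEFINE APPCLU NETB.CICSB.CICSA UACC(NONE) +
   SESSION(SESSKEY(X'A1B2C3D4E5F60718') INTERVAL(30) CONVSEC(NONE) NOLOCK)

/* ---- Verify on each side: lists the SESSION segment (key date and   */
/* interval, lock state), so a mismatch in interval or a LOCK left set  */
/* can be caught before the partner tries to bind.                      */
RLIST APPCLU NETA.CICSA.CICSB SESSION
RLIST APPCLU NETB.CICSB.CICSA SESSION

/* ---- Rotate the key before the INTERVAL runs out. Change both sides  */
/* to the same new key; a one-sided change stops the session binding.   */
RALTER APPCLU NETA.CICSA.CICSB SESSION(SESSKEY(X'0F1E2D3C4B5A6978'))
RALTER APPCLU NETB.CICSB.CICSA SESSION(SESSKEY(X'0F1E2D3C4B5A6978'))

/* ---- Suspend the link without deleting the profile (CICS then issues */
/* DFHZC4941 on a bind attempt), and re-enable it later.                */
RALTER APPCLU NETA.CICSA.CICSB SESSION(LOCK)
RALTER APPCLU NETA.CICSA.CICSB SESSION(NOLOCK)
```

Run the RLIST on both systems after any change and compare the two outputs side by side; the interval clock and the key are independent on each system, so a rotation or an INTERVAL change applied to only one profile is the usual reason a link that worked yesterday refuses to bind today.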
For more information about controlling VTAM LU6.2 binds, see the z/OS Security Server RACF Security Administrator's Guide.