Session level authentication is a session level security protocol that enables two LUs to authenticate each other while they are activating a session. It is also known as LU-LU verification.
Because an LU is effectively the "gateway" into a system from the network, you might consider this level of authentication to be sufficient in certain circumstances. For example, if your queue manager needs to exchange messages with a remote queue manager that is running in a controlled and trusted environment, you might be prepared to trust the identities of the remaining components of the remote system after the LU has been authenticated.
Session level authentication is achieved by each LU verifying its partner's password. The password is called an LU-LU password because one password is established between each pair of LUs. The way that an LU-LU password is established is implementation dependent and outside the scope of SNA.
Figure 9 illustrates the flows for session level authentication.
The protocol for session level authentication is as follows. The numbers in the procedure correspond to the numbers in Figure 9.
The primary LU then encrypts the random data that it received in the BIND response and sends the encrypted data (ERD2) to the secondary LU in a Function Management Header 12 (FMH-12).
In an enhanced version of the protocol, which provides better protection against man-in-the-middle attacks, the secondary LU computes a DES Message Authentication Code (MAC) from RD1, RD2, and the fully qualified name of the secondary LU, using its copy of the LU-LU password as the key. The secondary LU sends the MAC to the primary LU in the BIND response instead of ERD1.
The primary LU authenticates the secondary LU by computing its own version of the MAC, which it compares with the MAC received in the BIND response. The primary LU then computes a second MAC from RD1 and RD2, and sends the MAC to the secondary LU in the FMH-12 instead of ERD2.
The secondary LU authenticates the primary LU by computing its own version of the second MAC, which it compares with the MAC received in the FMH-12.
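The enhanced, MAC-based exchange described above, worked through as an added example that is not from the IBM documentation or from any SNA implementation: both LUs hold a constructed LU-LU password, and HMAC-SHA256 stands in for the DES MAC that the protocol specifies because the Python standard library has no DES. The LU names, the 8-byte random data and the length-prefixed message encoding are assumptions.

```python
import hashlib
import hmac
import os

def lu_mac(password: bytes, *parts: bytes) -> bytes:
    """MAC over RD1, RD2 (and optionally the LU name) keyed with the LU-LU password.
    SNA specifies a DES MAC; HMAC-SHA256 stands in here (assumption). Each part is
    length-prefixed so that different splits of the same bytes cannot collide."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(password, msg, hashlib.sha256).digest()

class LU:
    def __init__(self, fq_name: str, lu_lu_password: bytes):
        self.fq_name = fq_name.encode()      # fully qualified LU name, e.g. NETID.LUNAME
        self.password = lu_lu_password       # shared with exactly one partner LU

def bind(primary: LU) -> bytes:
    """Primary LU puts random data RD1 in the BIND."""
    return os.urandom(8)

def bind_response(secondary: LU, rd1: bytes) -> tuple[bytes, bytes]:
    """Secondary LU answers with RD2 and MAC1 = MAC(RD1, RD2, own FQ name)."""
    rd2 = os.urandom(8)
    return rd2, lu_mac(secondary.password, rd1, rd2, secondary.fq_name)

def verify_bind_response(primary: LU, expected_partner: bytes, rd1: bytes,
                         rd2: bytes, mac1: bytes) -> bytes:
    """Primary authenticates the secondary against the partner name it expects,
    then builds MAC2 = MAC(RD1, RD2) to send in the FMH-12."""
    expected = lu_mac(primary.password, rd1, rd2, expected_partner)
    if not hmac.compare_digest(expected, mac1):
        raise PermissionError("secondary LU failed session level authentication")
    return lu_mac(primary.password, rd1, rd2)

def verify_fmh12(secondary: LU, rd1: bytes, rd2: bytes, mac2: bytes) -> bool:
    """Secondary authenticates the primary from the MAC carried in the FMH-12."""
    return hmac.compare_digest(lu_mac(secondary.password, rd1, rd2), mac2)

def run_session(primary: LU, secondary: LU, expected_partner: str) -> bool:
    """Drive the whole exchange; True only if both LUs authenticate each other."""
    rd1 = bind(primary)
    rd2, mac1 = bind_response(secondary, rd1)
    mac2 = verify_bind_response(primary, expected_partner.encode(), rd1, rd2, mac1)
    return verify_fmh12(secondary, rd1, rd2, mac2)

if __name__ == "__main__":
    pw = b"constructed-lu-lu-password"          # constructed sample value
    print(run_session(LU("NETA.LUPRIM", pw), LU("NETA.LUSEC", pw), "NETA.LUSEC"))
```

Because the first MAC covers the secondary LU's fully qualified name, a partner that holds the password but presents a different name is rejected by the primary, which is the property the enhanced version adds over ERD1/ERD2.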
For information about how to configure session level authentication, see the books for your SNA subsystem. For more general information about session level authentication, see Systems Network Architecture LU 6.2 Reference: Peer Protocols, SC31-6808.