Setting up a successful security system for use with the Server Option in a CICS LU 6.2 environment requires careful synchronization between SNA, CICS, and TRS. These steps are explained in the following subsections:
1. Define security in the SNA logmode entry
3. Specify a link security user ID
4. Coordinate the modename parameter and the SNA logmode entry
To allow an LU to support conversation-level security, you must set the PSERVIC parameter on the SNA logmode entry. Assign each LU a logmode corresponding to the desired level of security.
The 10th byte of PSERVIC determines security as follows:
x'00' – LOCAL
x'12' – IDENTIFY
x'10' – VERIFY
See Table 4-1 for descriptions of LOCAL, IDENTIFY, and VERIFY.
In your network definition to SNA, specify the mode you defined in the Logmode entry. You can apply the Logmode entry to a specific LU statement, or apply it globally through the PU statement.
SYBPU1 PU CUADDR=041,DLOGMOD=M6P1024V,MAXBFRU=11, +
USSTAB=ISTINCDT,DELAY=0,SECNET=YES,ISTATUS=ACTIVE, +
XID=YES,PUTYPE=2,VPACING=0,PACING=0
SYBLU01 LU 1 LOCADDR=0
In the CICS Connection Definition, set SEcurityname to specify a valid user ID, which will be used to determine the session authorization. Also, set the ATtachsec parameter, as shown in this example:
OBJECT CHARACTERISTICS
CEDA View
Connection: SYB1
Group: SYBCONS
DEscription:
CONNECTION IDENTIFIERS
Netname: SYBLU01
INDsys:
REMOTE ATTRIBUTES
REMOTESystem:
REMOTEName:
CONNECTION PROPERTIES
ACcessmethod: SNA SNA | IRc | INdirect | Xm
Protocol: Appc Appc | Lu61
SInglesess: No No | Yes
DAtastream: User User | 3270 | SCs | STrfield | Lms
RECordformat: U U | Vb
OPERATIONAL PROPERTIES
+ AUtoconnect: All No | Yes | All
+ INService: Yes Yes | No
SECURITY
SEcurityname: SYBUSER
ATtachsec: Verify Local | Identify | Verify
Bindpassword: PASSWORD NOT SPECIFIED
In the CICS session definition under SESSION IDENTIFIERS, make sure the MOdename parameter matches the logmode in the SNA Logmode Entry. Based on this example (see steps 1 and 2), MOdename would be M6P1024V.
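A consistency check for the settings these steps have to keep in step, as an added example that is not part of the product documentation: it decodes the 10th byte of PSERVIC using the values listed above and compares the logmode name and security level with DLOGMOD, MOdename and ATtachsec. The function names are hypothetical and the PSERVIC strings are constructed samples in which only the 10th byte is meaningful.

```python
# Byte 10 of PSERVIC -> security level, as listed on this page.
PSERVIC_SECURITY = {0x00: "LOCAL", 0x12: "IDENTIFY", 0x10: "VERIFY"}


def pservic_security(pservic_hex):
    """Decode the security level from the 10th byte of a PSERVIC hex string."""
    raw = bytes.fromhex(pservic_hex)
    if len(raw) < 10:
        raise ValueError("PSERVIC has fewer than 10 bytes")
    level = PSERVIC_SECURITY.get(raw[9])
    if level is None:
        raise ValueError(f"security byte x'{raw[9]:02X}' is not LOCAL, IDENTIFY or VERIFY")
    return level


def check_alignment(logmode, pservic_hex, dlogmod, modename, attachsec):
    """Return mismatches between the SNA logmode, the PU/LU and CICS."""
    problems = []
    level = pservic_security(pservic_hex)
    if dlogmod.upper() != logmode.upper():
        problems.append(f"DLOGMOD {dlogmod} does not name logmode {logmode}")
    if modename.upper() != logmode.upper():
        problems.append(f"MOdename {modename} does not match logmode {logmode}")
    if attachsec.upper() != level:
        problems.append(f"ATtachsec {attachsec} but PSERVIC byte 10 means {level}")
    return problems


# Constructed PSERVIC values: only the 10th byte is meaningful here.
SAMPLE_VERIFY = "0602" + "00" * 7 + "10" + "2F00"
SAMPLE_LOCAL = "0602" + "00" * 7 + "00" + "2F00"

if __name__ == "__main__":
    # Names and settings from the example on this page.
    print(check_alignment("M6P1024V", SAMPLE_VERIFY, "M6P1024V", "M6P1024V", "Verify"))
    # Logmode left at LOCAL while CICS expects Verify: reported as a mismatch.
    print(check_alignment("M6P1024V", SAMPLE_LOCAL, "M6P1024V", "M6P1024V", "Verify"))
```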
At the DirectConnect for z/OS Option, the TRS administrator sets up TRS for conversation-level security, along with other TRS security, based on site requirements. For details, see the chapter on security in the Mainframe Connect DirectConnect for z/OS Option Users Guide for Transaction Router Services.