ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddp_5.4.0.1/rbal1convosec.htm

91 lines
6.1 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Conversation level security" />
<meta name="abstract" content="Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture identifies three conversation security designations that various types of systems in an SNA network can use to provide consistent conversation security across a network of unlike systems." />
<meta name="description" content="Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture identifies three conversation security designations that various types of systems in an SNA network can use to provide consistent conversation security across a network of unlike systems." />
<meta name="DC.Relation" scheme="URI" content="rbal1elements.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/addcmne.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/chgcmne.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbal1convosec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Conversation level security</title>
</head>
<body id="rbal1convosec"><a name="rbal1convosec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Conversation level security</h1>
<div><p>Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture
identifies three conversation security designations that various types of
systems in an SNA network can use to provide consistent conversation security
across a network of unlike systems. </p>
<p>The SNA security levels are: </p>
<dl><dt class="dlterm">SECURITY(NONE)</dt>
<dd>No user ID or password is sent to establish communications.</dd>
<dt class="dlterm">SECURITY(SAME)</dt>
<dd>Sign the user on to the remote server with the same user ID as the local
server.</dd>
<dt class="dlterm">SECURITY(PGM)</dt>
<dd>Both a user ID and a password are sent for communications.</dd>
<dt class="dlterm">SECURITY(PROGRAM_STRONG)</dt>
<dd>Both a user ID and a password are sent for communications only if the
password will not be sent unencrypted, otherwise an error is reported. This
is not supported by DRDA<sup>®</sup> on <span class="keyword">i5/OS™</span>.</dd>
</dl>
<p>While the <span class="keyword">iSeries™</span> server
supports all four SNA levels of conversation security, DRDA uses only the first three. The target
controls the SNA conversation levels used for the conversation.</p>
<p>For the SECURITY(NONE) level, the target does not expect a user ID or password.
The conversation is allowed using a default user profile on the target. Whether
a default user profile can be used for the conversation depends on the value
specified on the DFTUSR parameter of the Add Communications Entry (ADDCMNE)
command or the Change Communications Entry (CHGCMNE) command for a given subsystem.
A value of *NONE for the DFTUSR parameter means the application server (AS)
does not allow a conversation using a default user profile on the target.
SECURITY (NONE) is sent when no password or user ID is supplied and the target
has SECURELOC(*NO) specified.</p>
<p>For the SECURITY(SAME) level, the remote server's SECURELOC value controls
what security information is sent, assuming the remote server is an <span class="keyword">iSeries</span>. If the SECURELOC value is *NONE,
no user ID or password is sent, as if SECURITY(NONE) had been requested; see
the previous paragraph for how SECURITY(NONE) is handled. If the SECURELOC
value is *YES, the name of the user profile is extracted and sent along with
an indication that the password has already been verified by the local server.
If the SECURELOC value is *VFYENCPWD, the user profile and its associated
password are sent to the remote server after the password has been encrypted
to keep its value secret, so the user must have the same user profile name
and password on both servers to use DRDA.</p>
<div class="note"><span class="notetitle">Note:</span> SECURELOC(*VFYENCPWD) is the most secure of these three options because
the most information is verified by the remote server; however, it requires
that users maintain the same passwords on multiple servers, which can be a
problem if users change one server but do not update their other servers at
the same time.</div>
<p>For the SECURITY(PGM) level, the target expects both a user ID and password
from the source for the conversation. The password is validated when the conversation
is established and is ignored for any following uses of that conversation.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1elements.htm" title="When Distributed Relational Database Architecture (DRDA) is used, the data resources of each server in the DRDA environment should be protected.">Elements of security in an APPC network</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../cl/addcmne.htm">Add Communications Entry (ADDCMNE) command</a></div>
<div><a href="../cl/chgcmne.htm">Change Communications Entry (CHGCMNE) command</a></div>
</div>
</div>
</body>
</html>