Conversation level security

Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture identifies three conversation security designations that various types of systems in an SNA network can use to provide consistent conversation security across a network of unlike systems.

The SNA security levels are:

SECURITY(NONE)
No user ID or password is sent to establish communications.
SECURITY(SAME)
Sign the user on to the remote server with the same user ID as the local server.
SECURITY(PGM)
Both a user ID and a password are sent for communications.
SECURITY(PROGRAM_STRONG)
Both a user ID and a password are sent for communications only if the password will not be sent unencrypted, otherwise an error is reported. This is not supported by DRDA® on i5/OS™.

While the iSeries™ server supports all four SNA levels of conversation security, DRDA uses only the first three. The target controls the SNA conversation levels used for the conversation.

For the SECURITY(NONE) level, the target does not expect a user ID or password. The conversation is allowed using a default user profile on the target. Whether a default user profile can be used for the conversation depends on the value specified on the DFTUSR parameter of the Add Communications Entry (ADDCMNE) command or the Change Communications Entry (CHGCMNE) command for a given subsystem. A value of *NONE for the DFTUSR parameter means the application server (AS) does not allow a conversation using a default user profile on the target. SECURITY(NONE) is sent when no password or user ID is supplied and the target has SECURELOC(*NO) specified.

For the SECURITY(SAME) level, the remote server's SECURELOC value controls what security information is sent, assuming the remote server is an iSeries. If the SECURELOC value is *NONE, no user ID or password is sent, as if SECURITY(NONE) had been requested; see the previous paragraph for how SECURITY(NONE) is handled. If the SECURELOC value is *YES, the name of the user profile is extracted and sent along with an indication that the password has already been verified by the local server. If the SECURELOC value is *VFYENCPWD, the user profile and its associated password are sent to the remote server after the password has been encrypted to keep its value secret, so the user must have the same user profile name and password on both servers to use DRDA.

Note: SECURELOC(*VFYENCPWD) is the most secure of these three options because the most information is verified by the remote server; however, it requires that users maintain the same passwords on multiple servers, which can be a problem if users change their password on one server but do not update it on their other servers at the same time.

For the SECURITY(PGM) level, the target expects both a user ID and password from the source for the conversation. The password is validated when the conversation is established and is ignored for any following uses of that conversation.
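The rules above interact: SECURITY(SAME) can fall back to SECURITY(NONE) handling, which then depends on DFTUSR. The following added example (not IBM code) encodes only the rules stated on this page and flags constructed configuration entries that are admitted without the target verifying a password; the entry layout, outcome labels and the GUESTDRDA profile name are assumptions made for illustration.

```python
# Added illustration: encodes only the rules stated on this page.
# Entry layout and sample values are constructed, not an IBM i export format.

def sent_by_source(level, secureloc):
    """Return (effective_level, fields) the source sends for a DRDA conversation."""
    if level == "NONE":
        return "NONE", ()
    if level == "PGM":
        return "PGM", ("user_id", "password")
    if level == "SAME":
        if secureloc in ("*NO", "*NONE"):      # the page uses both spellings
            return "NONE", ()                  # handled as SECURITY(NONE)
        if secureloc == "*YES":
            return "SAME", ("user_id", "already_verified")
        if secureloc == "*VFYENCPWD":
            return "SAME", ("user_id", "encrypted_password")
    raise ValueError(f"not used by DRDA or unknown: {level}/{secureloc}")

def target_outcome(level, secureloc, dftusr):
    """Classify how the target admits the conversation."""
    effective, fields = sent_by_source(level, secureloc)
    if effective == "NONE":
        # DFTUSR(*NONE) means no default-profile conversations are allowed.
        return "REJECTED" if dftusr == "*NONE" else "DEFAULT_PROFILE"
    if "already_verified" in fields:
        return "TRUSTED_USER_ID"               # only user ID and indicator are sent
    return "PASSWORD_VERIFIED"                 # PGM, or SAME with *VFYENCPWD

def audit(entries):
    """Return entries admitted without the target verifying a password."""
    weak = {"DEFAULT_PROFILE", "TRUSTED_USER_ID"}
    findings = []
    for name, level, secureloc, dftusr in entries:
        outcome = target_outcome(level, secureloc, dftusr)
        if outcome in weak:
            findings.append((name, outcome))
    return findings

# Constructed inventory: (name, requested level, SECURELOC, DFTUSR).
SAMPLE = [
    ("PAYROLL", "SAME", "*VFYENCPWD", "*NONE"),
    ("REPORTS", "SAME", "*NO", "GUESTDRDA"),   # GUESTDRDA is a made-up profile
    ("ARCHIVE", "SAME", "*NO", "*NONE"),
    ("BRANCH1", "SAME", "*YES", "*NONE"),
    ("ORDERS", "PGM", "*NO", "*NONE"),
]

if __name__ == "__main__":
    for name, outcome in audit(SAMPLE):
        print(f"{name}: {outcome}")
```
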

Related reference
Add Communications Entry (ADDCMNE) command
Change Communications Entry (CHGCMNE) command