91 lines
6.1 KiB
HTML
91 lines
6.1 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Conversation level security" />
|
|
<meta name="abstract" content="Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture identifies three conversation security designations that various types of systems in an SNA network can use to provide consistent conversation security across a network of unlike systems." />
|
|
<meta name="description" content="Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture identifies three conversation security designations that various types of systems in an SNA network can use to provide consistent conversation security across a network of unlike systems." />
|
|
<meta name="DC.Relation" scheme="URI" content="rbal1elements.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../cl/addcmne.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="../cl/chgcmne.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rbal1convosec" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Conversation level security</title>
|
|
</head>
|
|
<body id="rbal1convosec"><a name="rbal1convosec"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Conversation level security</h1>
|
|
<div><p>Systems Network Architecture (SNA) logical unit (LU) 6.2 architecture
|
|
identifies three conversation security designations that various types of
|
|
systems in an SNA network can use to provide consistent conversation security
|
|
across a network of unlike systems. </p>
|
|
<p>The SNA security levels are: </p>
|
|
<dl><dt class="dlterm">SECURITY(NONE)</dt>
|
|
<dd>No user ID or password is sent to establish communications.</dd>
|
|
<dt class="dlterm">SECURITY(SAME)</dt>
|
|
<dd>Sign the user on to the remote server with the same user ID as the local
|
|
server.</dd>
|
|
<dt class="dlterm">SECURITY(PGM)</dt>
|
|
<dd>Both a user ID and a password are sent for communications.</dd>
|
|
<dt class="dlterm">SECURITY(PROGRAM_STRONG)</dt>
|
|
<dd>Both a user ID and a password are sent for communications only if the
|
|
password will not be sent unencrypted, otherwise an error is reported. This
|
|
is not supported by DRDA<sup>®</sup> on <span class="keyword">i5/OS™</span>.</dd>
|
|
</dl>
|
|
<p>While the <span class="keyword">iSeries™</span> server
|
|
supports all four SNA levels of conversation security, DRDA uses only the first three. The target
|
|
controls the SNA conversation levels used for the conversation.</p>
|
|
<p>For the SECURITY(NONE) level, the target does not expect a user ID or password.
|
|
The conversation is allowed using a default user profile on the target. Whether
|
|
a default user profile can be used for the conversation depends on the value
|
|
specified on the DFTUSR parameter of the Add Communications Entry (ADDCMNE)
|
|
command or the Change Communications Entry (CHGCMNE) command for a given subsystem.
|
|
A value of *NONE for the DFTUSR parameter means the application server (AS)
|
|
does not allow a conversation using a default user profile on the target.
|
|
SECURITY (NONE) is sent when no password or user ID is supplied and the target
|
|
has SECURELOC(*NO) specified.</p>
|
|
<p>For the SECURITY(SAME) level, the remote server's SECURELOC value controls
|
|
what security information is sent, assuming the remote server is an <span class="keyword">iSeries</span>. If the SECURELOC value is *NONE,
|
|
no user ID or password is sent, as if SECURITY(NONE) had been requested; see
|
|
the previous paragraph for how SECURITY(NONE) is handled. If the SECURELOC
|
|
value is *YES, the name of the user profile is extracted and sent along with
|
|
an indication that the password has already been verified by the local server.
|
|
If the SECURELOC value is *VFYENCPWD, the user profile and its associated
|
|
password are sent to the remote server after the password has been encrypted
|
|
to keep its value secret, so the user must have the same user profile name
|
|
and password on both servers to use DRDA.</p>
|
|
<div class="note"><span class="notetitle">Note:</span> SECURELOC(*VFYENCPWD) is the most secure of these three options because
|
|
the most information is verified by the remote server; however, it requires
|
|
that users maintain the same passwords on multiple servers, which can be a
|
|
problem if users change one server but do not update their other servers at
|
|
the same time.</div>
|
|
<p>For the SECURITY(PGM) level, the target expects both a user ID and password
|
|
from the source for the conversation. The password is validated when the conversation
|
|
is established and is ignored for any following uses of that conversation.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1elements.htm" title="When Distributed Relational Database Architecture (DRDA) is used, the data resources of each server in the DRDA environment should be protected.">Elements of security in an APPC network</a></div>
|
|
</div>
|
|
<div class="relref"><strong>Related reference</strong><br />
|
|
<div><a href="../cl/addcmne.htm">Add Communications Entry (ADDCMNE) command</a></div>
|
|
<div><a href="../cl/chgcmne.htm">Change Communications Entry (CHGCMNE) command</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |