<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Restrict APPC sessions" />
<meta name="abstract" content="Use object authority to control access to APPC sessions." />
<meta name="description" content="Use object authority to control access to APPC sessions." />
<meta name="DC.Relation" scheme="URI" content="rzamvappcsetup.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="appcrestrict" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Restrict APPC sessions</title>
</head>
<body id="appcrestrict"><a name="appcrestrict"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Restrict APPC sessions</h1>
<div><p>Use object authority to control access to APPC sessions.</p>
<p>As security administrator on a source system, you can use object authority to control who can attempt to access other systems. Set the public authority for APPC device descriptions to *EXCLUDE and give *CHANGE authority to specific users. Use the QLMTSECOFR system value to prevent users with *ALLOBJ special authority from using APPC communications.</p>
<p>As security administrator on a target system, you can also use authority to APPC devices to prevent users from starting an APPC session on your system. However, you need to understand what user ID will be attempting to access the APPC device description.</p>
<div class="tip"><span class="tiptitle">Tip:</span> You can use the Print Publicly Authorized Objects (<span class="cmdname">PRTPUBAUT *DEVD</span>) command and the Print Private Authorities (<span class="cmdname">PRTPVTAUT *DEVD</span>) command to find out who has authority to device descriptions on your system.</div>
<p>When your system uses APPN, it automatically creates a new APPC device when no existing device is available for the route that the system has chosen. One method for restricting access to APPC devices on a system that is using APPN is to create an authorization list. The authorization list contains the list of users who should be authorized to APPC devices. You then use the Change Command Default (<span class="cmdname">CHGCMDDFT</span>) command to change the <span class="cmdname">CRTDEVAPPC</span> command. For the authority (AUT) parameter on the <span class="cmdname">CRTDEVAPPC</span> command, set the default value to the authorization list that you created.</p>
<p>You use the location password (<span class="parmname">LOCPWD</span>) parameter in the APPC device description to validate the identity of another system that is requesting a session on your system, on behalf of a user or an application. The location password can help you detect an imposter system.</p>
<p>When you use location passwords, you must coordinate with security administrators for other systems in the network. You must also control who can create or change APPC device descriptions and configuration lists. The system requires *IOSYSCFG special authority to use the commands that work with APPC devices and configuration lists.</p>
<div class="tip"><span class="tiptitle">Tip:</span> When you use APPN, the location passwords are stored in the QAPPNRMT configuration list rather than in device descriptions.</div>
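<p>The following CL sequence is an added example, not part of the original IBM topic. It strings together the steps described above for a source system; the authorization list name APPCUSERS, the user profile NETOPR1, and the device description APPCDEV01 are hypothetical placeholders.</p>

```cl
PGM
  /* Added example. APPCUSERS, NETOPR1 and APPCDEV01 are hypothetical names. */

  /* 1. Create an authorization list whose public authority is *EXCLUDE.  */
  CRTAUTL AUTL(APPCUSERS) AUT(*EXCLUDE) TEXT('Users allowed to use APPC devices')

  /* 2. Add each user who should be authorized to APPC devices.           */
  ADDAUTLE AUTL(APPCUSERS) USER(NETOPR1) AUT(*CHANGE)

  /* 3. Make the list the default for the AUT parameter of CRTDEVAPPC,    */
  /*    so that APPC devices created later (including those APPN creates  */
  /*    automatically) are secured by the list.                           */
  CHGCMDDFT CMD(CRTDEVAPPC) NEWDFT('AUT(APPCUSERS)')

  /* 4. Devices that already exist are not affected by step 3. Set their  */
  /*    public authority to *EXCLUDE and grant *CHANGE to specific users. */
  GRTOBJAUT OBJ(APPCDEV01) OBJTYPE(*DEVD) USER(*PUBLIC) AUT(*EXCLUDE)
  GRTOBJAUT OBJ(APPCDEV01) OBJTYPE(*DEVD) USER(NETOPR1) AUT(*CHANGE)

  /* 5. Require users with *ALLOBJ special authority to be explicitly     */
  /*    authorized to a device before they can use it.                    */
  CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')

  /* 6. Verify the result: list public and private authorities to all    */
  /*    device descriptions on the system.                                */
  PRTPUBAUT OBJTYPE(*DEVD)
  PRTPVTAUT OBJTYPE(*DEVD)
ENDPGM
```

<p>Review the PRTPUBAUT and PRTPVTAUT reports after each configuration change, and recheck the CRTDEVAPPC default after installing a new release, because changed command defaults may need to be reapplied.</p>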
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvappcsetup.htm" title="This group of articles discusses various aspects of setting up security for APPC sessions.">Set up APPC security</a></div>
</div>
</div>
</body>
</html>