5.2.3.1.2 Determining Security Parameters for Outbound Requests

If security is to be enforced by both the local domain and the host system for each request outbound from the local domain, the following settings must be configured:

  • The UBBCONFIG file SECURITY parameter must be set to one of USER_AUTH, ACL, or MANDATORY_ACL.
  • The DMCONFIG file DM_LOCAL_DOMAINS section SECURITY parameter must be set to DM_USER_PW.
  • The DMCONFIG file DM_SNALINKS SECURITY parameter must be set to IDENTIFY or VERIFY.
  • The SNA stack must be configured with the appropriate parameter for IDENTIFY or VERIFY.
  • The ATTACHSEC level for the connection definition in the host system must be set to IDENTIFY or VERIFY to match the DMCONFIG file DM_SNALINKS SECURITY parameter.

Configurations on Oracle Tuxedo Side

The following table shows settings for the SECURITY parameters in the UBBCONFIG and DMCONFIG files required to achieve local domain and host system security combinations for outbound requests.

Note:

Security setting combinations other than those shown in the tables will have unpredictable results.

Table 5-2 Security Settings for Outbound Requests from Local Domain

| Local Security | Host Security | UBBCONFIG SECURITY | DM_LOCAL_DOMAINS SECURITY | DM_SNALINKS SECURITY | Remote Verification |
|---|---|---|---|---|---|
| No | No | NONE or APP_PW | NONE or APP_PW | | Not Applicable |
| Yes | No | USER_AUTH, ACL, or MANDATORY_ACL | DM_USER_PW | | Not Applicable |
| No | Yes | NONE or APP_PW | NONE or APP_PW | | INVALID |
| Yes | Yes | USER_AUTH, ACL, or MANDATORY_ACL | DM_USER_PW | | UID or UID+PW |

For a request sent to the host system, the local principal user ID is located in the domain security table and the associated remote user ID, or user ID and password, are put into the conversation start-up request before being sent over the LU6.2 conversation. This situation occurs if SECURITY is set to IDENTIFY or VERIFY in the DM_SNALINKS section of the DMCONFIG file. If the direct user ID mapping option is specified, the local principal user ID is put into the conversation startup request.

Configurations on Mainframe Side

On the mainframe side, set the following:

  1. Set these parameters to YES in the CICS system initialization configuration file:
    SEC=YES
    XTRAN=YES

    When they are specified, only the defined users can access the corresponding transactions. You can define valid users in a RACF profile, for example:

    PERMIT * CLASS(TCICSTRN) ID(GUMENG) ACCESS(READ)

    The * can be replaced by a transaction name if you want to control an individual transaction.

  2. Configure the SNA stack with the appropriate parameter for IDENTIFY or VERIFY.
  3. Set the ATTACHSEC level for the connection definition in the host system to IDENTIFY or VERIFY to match the DMCONFIG file DM_SNALINKS SECURITY parameter.
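
Because combinations outside Table 5-2 have unpredictable results, the settings can be cross-checked before deployment. The following is an added example, not code from the Oracle documentation: the function and argument names are hypothetical, and the four values are assumed to have already been read from the UBBCONFIG file, the DMCONFIG file, and the host connection definition.

```python
# Added example (not Oracle's code): lint the settings this section says must
# agree. Function and argument names are hypothetical; the values are assumed
# to have been read from UBBCONFIG, DMCONFIG and the host connection definition.
LOCAL_ON = {"USER_AUTH", "ACL", "MANDATORY_ACL"}  # local security enforced
LOCAL_OFF = {"NONE", "APP_PW"}                    # local security not enforced
HOST_ON = {"IDENTIFY", "VERIFY"}                  # host verifies the remote user


def check_outbound_security(ubb, dm_local, dm_snalinks, attachsec):
    """Return ((local, host), problems) for one local domain and SNA link."""
    ubb, dm_local, dm_snalinks, attachsec = (
        v.strip().upper() for v in (ubb, dm_local, dm_snalinks, attachsec))
    problems = []

    # Local side: UBBCONFIG and DM_LOCAL_DOMAINS must sit in the same table row.
    if ubb in LOCAL_ON:
        local = "Yes"
        if dm_local != "DM_USER_PW":
            problems.append(f"UBBCONFIG SECURITY={ubb} needs DM_LOCAL_DOMAINS "
                            f"SECURITY=DM_USER_PW, found {dm_local}")
    elif ubb in LOCAL_OFF:
        local = "No"
        if dm_local not in LOCAL_OFF:
            problems.append(f"UBBCONFIG SECURITY={ubb} needs DM_LOCAL_DOMAINS "
                            f"SECURITY=NONE or APP_PW, found {dm_local}")
    else:
        local = "Unknown"
        problems.append(f"UBBCONFIG SECURITY={ubb} is not a value from Table 5-2")

    # Host side: a user ID (and password) is sent only for IDENTIFY or VERIFY,
    # and the host ATTACHSEC level must match the DM_SNALINKS setting.
    host = "Yes" if dm_snalinks in HOST_ON else "No"
    if (dm_snalinks in HOST_ON or attachsec in HOST_ON) and attachsec != dm_snalinks:
        problems.append(f"ATTACHSEC={attachsec} does not match DM_SNALINKS "
                        f"SECURITY={dm_snalinks}")
    if local == "No" and host == "Yes":
        problems.append("host security without local security is the INVALID row")
    return (local, host), problems


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    for sample in [("USER_AUTH", "DM_USER_PW", "VERIFY", "VERIFY"),
                   ("ACL", "DM_USER_PW", "VERIFY", "IDENTIFY"),
                   ("APP_PW", "APP_PW", "IDENTIFY", "IDENTIFY")]:
        print(sample, check_outbound_security(*sample))
```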