• When the DM_LOCAL_DOMAINS SECURITY parameter is set to NONE or APP_PW, no action is taken by the Gateway with regard to security.
• However, when the UBBCONFIG file SECURITY parameter is set to APP_PW, the application password is validated by an AUTHSVC when clients join the application. The AUTHSVC is provided by the user application.
• The UBBCONFIG file SECURITY parameter must be set to one of USER_AUTH, ACL, or MANDATORY_ACL.
• The DMCONFIG file DM_LOCAL_DOMAINS section SECURITY parameter must be set to DM_USER_PW.
• The DMCONFIG file DM_SNALINKS SECURITY parameter must be set to IDENTIFY.
|
Table 4‑1 shows settings for the SECURITY parameters in the UBBCONFIG and DMCONFIG files required to achieve local domain and host system security combinations for inbound requests from the host system.
[Table 4‑1: only the column heading "DM_LOCAL_DOMAINS SECURITY" and one cell, "USER_AUTH, ACL, or MANDATORY_ACL", were recovered; the remaining cells are missing.]
local-netid/remote-netid: The network ID (NETID) of the partners. These IDs are specified in the VTAM start option NETID, which is in the ATCSTRxx member of SYS1.VTAMLST.
luid1/luid2: The LU names of the partners. In each case, the first LU name specified is the local LU name, and the second LU name is the partner LU name.
• The UBBCONFIG file SECURITY parameter must be set to one of USER_AUTH, ACL, or MANDATORY_ACL.
• The DMCONFIG file DM_LOCAL_DOMAINS section SECURITY parameter must be set to DM_USER_PW.
• The DMCONFIG file DM_SNALINKS SECURITY parameter must be set to IDENTIFY or VERIFY.
• The ATTACHSEC level for the connection definition in the host system must be set to IDENTIFY or VERIFY to match the DMCONFIG file DM_SNALINKS SECURITY parameter.
|
Table 4‑2 shows settings for the SECURITY parameters in the UBBCONFIG and DMCONFIG files required to achieve local domain and host system security combinations for outbound requests.
[Table 4‑2: only the column heading "DM_LOCAL_DOMAINS SECURITY" was recovered; the cells are missing.]
* can be replaced by the transaction name if you want to control individual transactions.
3. Set the ATTACHSEC level for the connection definition in the host system to IDENTIFY or VERIFY to match the DMCONFIG file DM_SNALINKS SECURITY parameter.
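As an added, stand-alone check (not code from the Oracle Tuxedo Mainframe Adapter for SNA documentation or product), the Python script below applies the combination rules listed above to a UBBCONFIG and a DMCONFIG text: the RESOURCES SECURITY value must be USER_AUTH, ACL, or MANDATORY_ACL (with the AUTHSVR server present), every DM_LOCAL_DOMAINS entry must carry SECURITY=DM_USER_PW, every DM_SNALINKS entry must carry IDENTIFY or VERIFY, and the host ATTACHSEC must match the link's SECURITY. The sample files, the group, server, domain and link names, the assumption that a missing link SECURITY behaves as LOCAL, and the minimal "*SECTION" / "NAME KEY=VALUE" parser are all constructed for this example; the ATTACHSEC values are passed in by the caller because they are configured on the host side.

```python
"""Consistency check for the UBBCONFIG / DMCONFIG security settings described
in this chapter. Added example: file layout and all names are constructed."""
import re

# Constructed sample files (not real site configuration). The "*SECTION" header
# and "NAME KEY=VALUE" entry layout follows the general Tuxedo UBBCONFIG/DMCONFIG
# style; group, server, domain and link names are invented for this example.
UBBCONFIG_OK = """\
*RESOURCES
IPCKEY      123456
MASTER      site1
SECURITY    USER_AUTH

*SERVERS
AUTHSVR     SRVGRP=AUTHGRP SRVID=100
GWSNAX      SRVGRP=SNAGRP SRVID=200
"""

DMCONFIG_OK = """\
*DM_LOCAL_DOMAINS
LDOM    GWGRP=SNAGRP TYPE=SNAX DOMAINID="LDOM" SECURITY=DM_USER_PW

*DM_SNALINKS
LINK1   LDOM=LDOM RDOM=RDOM SECURITY=IDENTIFY
"""

# Weak variants: application-password-only security, no gateway action, LOCAL link.
UBBCONFIG_WEAK = UBBCONFIG_OK.replace("SECURITY    USER_AUTH", "SECURITY    APP_PW")
DMCONFIG_WEAK = (DMCONFIG_OK.replace("SECURITY=DM_USER_PW", "SECURITY=NONE")
                            .replace("SECURITY=IDENTIFY", "SECURITY=LOCAL"))

USER_LEVEL = {"USER_AUTH", "ACL", "MANDATORY_ACL"}
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_config(text):
    """Return {section: {entry: {key: value}}}. Scalar "KEY VALUE" lines such as
    those in *RESOURCES are stored under the empty entry name ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("*"):                      # section header
            current = sections.setdefault(line[1:].strip(), {})
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % line)
        name, _, rest = line.partition(" ")
        if "=" in rest:                               # NAME KEY=VALUE ...
            current[name] = {k: v.strip('"') for k, v in PAIR_RE.findall(rest)}
        else:                                         # KEY VALUE
            current.setdefault("", {})[name] = rest.strip()
    return sections


def check_security(ubb_text, dm_text, host_attachsec):
    """Apply the combination rules from this chapter. Returns a list of
    (code, message) findings; an empty list means the settings are consistent.
    host_attachsec maps a DM_SNALINKS entry name to the ATTACHSEC level set on
    the host connection definition (supplied by the caller)."""
    ubb, dm, findings = parse_config(ubb_text), parse_config(dm_text), []

    ubb_sec = ubb.get("RESOURCES", {}).get("", {}).get("SECURITY", "NONE")
    if ubb_sec not in USER_LEVEL:
        findings.append(("UBB_SECURITY", "UBBCONFIG RESOURCES SECURITY=%s; user-level "
                         "security needs USER_AUTH, ACL or MANDATORY_ACL" % ubb_sec))
    elif "AUTHSVR" not in ubb.get("SERVERS", {}):
        findings.append(("AUTHSVR_MISSING",
                         "SECURITY %s requires the AUTHSVR server in *SERVERS" % ubb_sec))

    for name, params in dm.get("DM_LOCAL_DOMAINS", {}).items():
        sec = params.get("SECURITY", "NONE")
        if sec != "DM_USER_PW":
            findings.append(("DM_LOCAL_SECURITY", "local domain %s: SECURITY=%s, so the gateway "
                             "takes no security action; DM_USER_PW is required" % (name, sec)))

    for name, params in dm.get("DM_SNALINKS", {}).items():
        sec = params.get("SECURITY", "LOCAL")   # missing value treated as LOCAL (assumption)
        if sec not in ("IDENTIFY", "VERIFY"):
            findings.append(("SNALINK_SECURITY", "link %s: SECURITY=%s; inbound user security "
                             "needs IDENTIFY (VERIFY is also accepted outbound)" % (name, sec)))
        attachsec = host_attachsec.get(name)
        if attachsec != sec:
            findings.append(("ATTACHSEC_MISMATCH", "link %s: host ATTACHSEC=%s does not match "
                             "DM_SNALINKS SECURITY=%s" % (name, attachsec, sec)))
    return findings


if __name__ == "__main__":
    for label, ubb, dm in (("ok", UBBCONFIG_OK, DMCONFIG_OK),
                           ("weak", UBBCONFIG_WEAK, DMCONFIG_WEAK)):
        print(label, check_security(ubb, dm, {"LINK1": "IDENTIFY"}) or "consistent")
```

Run it with `python3` to see the constructed pair pass and the weak pair produce one finding per broken rule; pointing `check_security` at real files means reading them and supplying the ATTACHSEC value recorded for each connection on the host.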
|
Three sections in the DMCONFIG file contain parameters affecting Oracle Tuxedo Mainframe Adapter for SNA control of access to the ATMI local domain:
• The DM_LOCAL_DOMAINS section contains a SECURITY parameter which specifies the type of security enforced for the ATMI local domain.
• The DM_SNALINKS section contains a SECURITY parameter that records the security in effect for the host system.
• The DM_ACCESS_CONTROL section contains local access control lists used by the ATMI local domain to associate local resources with host systems permitted to have access to them.
|
Caution: Do not delete the DMCONFIG binary file before running the dmloadcf command. Tables of remote users, remote passwords, and remote mappings are stored in this file. If it is deleted, all security information must be re-entered.
|
The SECURITY parameter settings in this section work in conjunction with the SECURITY parameter in the RESOURCES section of the ATMI local domain’s UBBCONFIG file to establish how Oracle Tuxedo Mainframe Adapter for SNA controls access to the ATMI local domain. The parameter takes the form:
If this parameter is set to NONE or APP_PW, the local domain takes no action with regard to security. If this parameter is set to DM_USER_PW, the local domain enforces security according to the setting in the UBBCONFIG file (refer to “Setting DMCONFIG File Security Parameters”).
This section of the DMCONFIG file is dedicated to Oracle Tuxedo Mainframe Adapter for SNA parameters. It records the security in effect for the host system. It correlates to the values set for the ATTACHSEC parameter in the connection resource definition. In the following parameter definition, remote refers to the ATMI domain and local refers to the host system. The parameter takes the form:
The values LOCAL and IDENTIFY are roughly equivalent to NONE and APP_PW for the SECURITY parameter in the DMCONFIG file.
The RESOURCES section in this file contains a SECURITY parameter that works in conjunction with the SECURITY parameter in the DMCONFIG file to establish how Oracle Tuxedo Mainframe Adapter for SNA controls access to the ATMI local domain. This parameter takes the form:
USER_AUTH: Same as APP_PW, but additional authorization is required on a per-user basis.
ACL: Same as USER_AUTH, but additional access-control checks are done on service names, queue names, and event names. If no Access Control List (ACL) exists for a given name, access is granted.
MANDATORY_ACL: Same as ACL, but if no ACL exists for a given name, access is denied.
In most cases, the UBBCONFIG file has already been configured and you do not need to establish the SECURITY parameter settings, but examining this file enables you to see how Oracle Tuxedo Mainframe Adapter for SNA enforces security.
If this parameter is set to NONE, no security is enforced. If set to APP_PW, the local ATMI domain’s Authorization Server prompts for the application password. If set to USER_AUTH, ACL, or MANDATORY_ACL, the qualified security is enforced as specified.
To use direct user ID mapping, use the -m parameter in the GWSNAX process start-up command line entry. This parameter allows you to establish direct user ID mapping, rather than ATMI-to-host user ID mapping.
Use the addusr ATMI command to add an ATMI local domain user ID and password to the remote domain user and password file. Enter the following command:
Use the addumap ATMI command to map a local domain principal user ID number to a remote domain user name. The user ID must be added before it can be mapped. Refer to the “Adding a User ID and Password” section. Enter the following command:
Use the delumap ATMI command to remove the mapping for a local domain principal user ID to a remote domain user name. Enter the following command:
Use the delusr ATMI command to remove a local ATMI domain user ID and password from the remote domain user and password file. The mapping for a user ID must be removed before the user ID can be removed. Enter the following command:
Use the modusr ATMI command to modify a local domain user’s password recorded in a remote domain’s user and password file. Enter the following command:
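The Python class below is an added illustration, not the adapter's own code or file format: it models the remote domain user/password file and user-ID map that addusr, addumap, delumap, delusr, and modusr maintain, and enforces the two ordering rules stated above (a user ID is added before it is mapped; a mapping is removed before the user ID is removed), which is what automation around these commands needs to get right. The direct=True branch of remote_user_for models the GWSNAX -m option's "direct user ID mapping" as passing the local user ID through unchanged; that reading, the method names, and the opaque password placeholder are assumptions of this example.

```python
"""Model of the remote-domain user/password file and user-ID map kept by the
addusr / addumap / delumap / delusr / modusr commands. Added illustration:
only the ordering rules come from the text; the storage format is assumed."""


class RemoteUserTable:
    def __init__(self):
        self._passwords = {}   # local user ID -> password entry (opaque placeholder)
        self._map = {}         # local principal user ID -> remote user name

    def addusr(self, local_uid, password):
        """addusr: record a local user ID and password for the remote domain."""
        if local_uid in self._passwords:
            raise ValueError("user %s already present" % local_uid)
        self._passwords[local_uid] = password

    def addumap(self, local_uid, remote_user):
        """addumap: map a local principal to a remote user name.
        The user ID must have been added with addusr first."""
        if local_uid not in self._passwords:
            raise KeyError("user %s must be added with addusr before addumap" % local_uid)
        self._map[local_uid] = remote_user

    def delumap(self, local_uid):
        """delumap: remove the mapping for a local principal."""
        if local_uid not in self._map:
            raise KeyError("no mapping for user %s" % local_uid)
        del self._map[local_uid]

    def delusr(self, local_uid):
        """delusr: remove the user ID; its mapping must already be gone."""
        if local_uid in self._map:
            raise ValueError("remove the mapping for %s with delumap before delusr" % local_uid)
        if local_uid not in self._passwords:
            raise KeyError("no user %s" % local_uid)
        del self._passwords[local_uid]

    def modusr(self, local_uid, new_password):
        """modusr: replace the password recorded for an existing user."""
        if local_uid not in self._passwords:
            raise KeyError("no user %s" % local_uid)
        self._passwords[local_uid] = new_password

    def has_user(self, local_uid):
        return local_uid in self._passwords

    def remote_user_for(self, local_uid, direct=False):
        """Remote user name used for a local principal. direct=True models the
        GWSNAX -m option ("direct user ID mapping") as passing the local ID
        through unchanged; that reading is an assumption of this example."""
        if local_uid not in self._passwords:
            raise KeyError("no user %s" % local_uid)
        if direct:
            return local_uid
        if local_uid not in self._map:
            raise KeyError("no mapping for user %s; run addumap first" % local_uid)
        return self._map[local_uid]


if __name__ == "__main__":
    table = RemoteUserTable()
    table.addusr("alice", "pw-placeholder")      # constructed sample user
    table.addumap("alice", "ALICE01")
    print(table.remote_user_for("alice"), table.remote_user_for("alice", direct=True))
    table.delumap("alice")                       # mapping first, then the user
    table.delusr("alice")
```

The exceptions mark exactly the two out-of-order operations the text warns about, so a script that wraps the real commands can check the same preconditions before invoking them.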
a. In the RESOURCES section, add SECURITY USER_AUTH.
b. In the SERVERS section, add the AUTHSVR server.
Note: SECURITY USER_AUTH level implies that application passwords, user IDs, and user passwords are required to join the application. AUTHSVR is the ATMI-supplied authentication server. It advertises the service AUTHSVC.
|
2. Enter the tmloadcf command to load the ATMI configuration, for example:
7. Enter the dmloadcf command to load the domain configuration, for example:
8. Enter the tmboot command to boot the ATMI domain, for example:
|
a. In the DM_LOCAL_DOMAINS section, add the parameter:
b. In the DM_SNALINKS section, add the parameter for the remote link:
Replace MYCONNGRP with the name of the group that contains your connection definitions.
1. Change the SECURITY parameter in the DMCONFIG file to IDENTIFY.
2. Change the ATTACHSEC parameter on the connection to IDENTIFY.

2. Edit the GWSNAX entry in the UBBCONFIG file to add the -n option with the desired min and max.
|
If crmlkoff, crmlkon, or crmdown are used with an encrypted CRM, no additional command line arguments are needed.
1. Edit the GWSNAX entry in the UBBCONFIG file to add the -n option in CLOPT with the desired min and max to determine the acceptable range of cipher suites.
2. Define the SEC_PRINCIPAL_NAME, SEC_PRINCIPAL_LOCATION, and SEC_PRINCIPAL_PASSVAR parameters for the GWSNAX process in the *MACHINES section of the UBBCONFIG file.
|
1. Define the CRM -n option with the desired min and max to determine the acceptable range of cipher suites (-n SSL:min:max) on the CRM command line.
2. Define -S to specify the SSL configuration file.
3. Edit the SEC_PRINCIPAL_NAME, SEC_PRINCIPAL_LOCATION, and SEC_PRINCIPAL_PASSVAR parameters for the CRM process in the SSL configuration file specified by the -S option.
|
1. Define -S to specify the SSL configuration file on the CRM command line.
2. Edit GSK_KEYRING_FILE, GSK_KEYRING_PW, and GSK_KEYRING_LABEL in the SSL configuration file specified by the -S option.
GSK_KEYRING_FILE indicates the absolute path of the certificate file for the secure session or SSL environment.
GSK_KEYRING_PW points to the password for the certificate store file to be used for the secure session or SSL environment.
GSK_KEYRING_LABEL specifies the certificate label associated with the certificate in the certificate store to be used for the secure session or SSL environment.
Table 4‑3 lists the processes that support authentication.
3. If crmlkoff, crmlkon, or crmdown are used with a CRM with authentication enabled, use the -u<keyfile> command line option as described in SNACRM in Appendix A, “Administrative Command Reference Pages.”