Implementing distributed access at remote locations
To enable distributed access to sensitive employee data, the Spiffy security plan requires certain security measures to be implemented at the remote locations.
About this task
The following actions must occur at the remote locations to enable distributed access for the Spiffy security plan:
- For SNA connections, the Spiffy security planners must include an entry in table SYSIBM.LUNAMES for the LU name of the central location. The entry must specify an outbound ID translation for attachment requests to that location. For example, the following table shows an entry in SYSIBM.LUNAMES for LUCENTRAL. The value of O for USERNAMES indicates that translation checking is performed on outbound IDs, but not on inbound IDs. The value of P for SECURITY_OUT indicates that outbound connection requests contain a user password and a RACF® PassTicket.

  Table 1. The SYSIBM.LUNAMES table at the remote location

  | LUNAME | USERNAMES | SECURITY_OUT |
  |---|---|---|
  | LUCENTRAL | O | P |

- For TCP/IP connections, the Spiffy security planners must include an entry in table SYSIBM.IPNAMES for the LU name that is used by the central location. The content of the LUNAME column is used to generate RACF PassTickets. The entry must specify outbound ID translation for requests to that location. For example, the following table shows an entry in SYSIBM.IPNAMES for LUCENTRAL.

  Table 2. The SYSIBM.IPNAMES table at the remote location

  | LINKNAME | USERNAMES | SECURITY_OUT | IPADDR |
  |---|---|---|---|
  | LUCENTRAL | | R | central.vnet.ibm.com |

- The Spiffy security planners must include entries in table SYSIBM.USERNAMES to translate outbound IDs. For example, the following table shows two entries in SYSIBM.USERNAMES. MEL1234 is translated to MGRD11 before it is sent to the LU that is specified in the LINKNAME column. All other IDs are translated to CLERK before they are sent to that LU.

  Table 3. The SYSIBM.USERNAMES table at the remote location

  | TYPE | AUTHID | LINKNAME | NEWAUTHID |
  |---|---|---|---|
  | O | MEL1234 | LUCENTRAL | MGRD11 |
  | O | blank | LUCENTRAL | CLERK |

Exception: For a product other
than Db2 for z/OS®, the actions at the remote location might
be different. If you use a different product, check the documentation
for that product. The remote product must satisfy the requirements
that are imposed by the central subsystem.
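
The outbound translation set up in Tables 1 to 3 can be checked with one query that lists, for each link requesting translation, the SYSIBM.USERNAMES rows that apply and marks links that have none. This is an added example, not part of the original page or IBM's code. It assumes SQLite as an offline stand-in for the Db2 tables, uses only the columns shown in the tables above, and the TCPLINK row, its host name, and the function names are constructed for illustration.

```python
import sqlite3

# Links that request outbound translation (USERNAMES = 'O'), joined to the
# TYPE 'O' rows in SYSIBM.USERNAMES that apply to them.
AUDIT_SQL = """
SELECT L.LINK_NAME, L.PROTOCOL, L.SECURITY_OUT, U.AUTHID, U.NEWAUTHID,
       CASE WHEN U.LINKNAME IS NULL THEN 'NO TRANSLATION ROW'
            WHEN RTRIM(U.AUTHID) = '' THEN 'CATCH-ALL'
            ELSE 'SPECIFIC' END AS MAPPING
FROM (SELECT LUNAME AS LINK_NAME, 'SNA' AS PROTOCOL, USERNAMES, SECURITY_OUT
        FROM SYSIBM.LUNAMES
      UNION ALL
      SELECT LINKNAME, 'TCP/IP', USERNAMES, SECURITY_OUT
        FROM SYSIBM.IPNAMES) AS L
LEFT JOIN SYSIBM.USERNAMES U
       ON U.LINKNAME = L.LINK_NAME AND U.TYPE = 'O'
WHERE L.USERNAMES = 'O'
ORDER BY L.LINK_NAME, U.AUTHID
"""

# Constructed stand-in for the remote location's tables (SQLite, offline).
SAMPLE_DDL = """
CREATE TABLE SYSIBM.LUNAMES (LUNAME TEXT, USERNAMES TEXT, SECURITY_OUT TEXT);
CREATE TABLE SYSIBM.IPNAMES (LINKNAME TEXT, USERNAMES TEXT,
                             SECURITY_OUT TEXT, IPADDR TEXT);
CREATE TABLE SYSIBM.USERNAMES (TYPE TEXT, AUTHID TEXT, LINKNAME TEXT,
                               NEWAUTHID TEXT);
-- Rows from Table 1 and Table 3 (blank AUTHID stored as a single space).
INSERT INTO SYSIBM.LUNAMES VALUES ('LUCENTRAL', 'O', 'P');
INSERT INTO SYSIBM.USERNAMES VALUES ('O', 'MEL1234', 'LUCENTRAL', 'MGRD11');
INSERT INTO SYSIBM.USERNAMES VALUES ('O', ' ', 'LUCENTRAL', 'CLERK');
-- Constructed row: translation requested, but no USERNAMES rows exist.
INSERT INTO SYSIBM.IPNAMES VALUES ('TCPLINK', 'O', 'R', 'remote.example.com');
"""

def build_sample():
    """Return an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS SYSIBM")
    conn.executescript(SAMPLE_DDL)
    return conn

def audit(conn):
    """Return (link, protocol, security_out, authid, newauthid, mapping) rows."""
    return conn.execute(AUDIT_SQL).fetchall()

if __name__ == "__main__":
    for row in audit(build_sample()):
        print(row)
```

A row marked NO TRANSLATION ROW is a link whose entry requests outbound translation while SYSIBM.USERNAMES holds no TYPE O row for it.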