Bind-time security with LU6.2

A security check can be applied when a request to establish an APPC session is received from, or sent to, a remote system; that is, when the session is bound. This is called bind-time security (or, in SNA terms, session security), and is part of the CICS® implementation of the LU6.2 architecture.

Its purpose is to prevent an unauthorized system from binding a session to one of your CICS systems.

Bind-time security is optional in the LU6.2 architecture; you should not specify bind-time security if the remote system does not support it. SNA defines how session security is to be applied, and CICS TS conforms to this architecture. If you want to connect to another system, make sure the other system is also compatible with this architecture.

When you define an LU6.2 connection to a remote system, you assume that all inbound bind requests originate in that remote system, and that all outbound bind requests are routed to the same system. However, where there is a possibility that a transmission line might be switched or broken into, guard against unauthorized session binds by specifying session security at both ends of the connection.

For a bind request to succeed, both ends must hold the same session key, which is defined to RACF®. When a session is bound, the action CICS takes depends on:
  • How you specified the SEC and XAPPC system initialization parameters
  • How you specified the BINDSECURITY attribute of the CONNECTION definition
  • Whether you have defined an APPCLU security profile for the link.

If you have specified SEC=YES and XAPPC=YES in your SIT, and BINDSECURITY(YES) in your CSD connection definition, and BINDSECURITY(YES) is also specified for the partner system, a bind security validation will be attempted.

If you have BINDSECURITY(NO), then the SIT specification is immaterial.

Table 1 summarizes what happens.
Table 1. APPC bind-time security—relationship to resource definition

| SEC value | XAPPC value | BINDSECURITY value | RACF APPCLU profile  | Resulting CICS action |
|-----------|-------------|--------------------|----------------------|-----------------------|
| YES       | YES         | YES                | Defined (see note 1) | CICS extracts the APPCLU profile from RACF at bind time to verify the remote system. |
| YES       | YES         | YES                | Not defined          | CICS is unable to extract the APPCLU profile from RACF and therefore rejects the bind. |
| YES       | YES         | NO                 | Any value            | CICS is unable to validate the bind, and rejects it. |
| YES       | NO          | Any value          | Any value            | CICS is unable to validate the bind, and rejects it. |
| NO        | Any value   | Any value          | Any value            | CICS is unable to validate the bind, and rejects it. |
Note:
  1. If the RACF APPCLU profile is defined, but the session segment is locked or expired, and no value is specified for SESSKEY, the bind request is always rejected.
  2. The table shows the response when the partner has specified BINDSECURITY(YES).
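As an added example, not taken from the CICS documentation, the following Python models the decision rules described above: Table 1 as seen from one end of the link, note 1, and the requirement that both ends hold the same session key before a bind succeeds. The classes, field names and outcome strings are this example's own constructions, not CICS or RACF interfaces, and the key bytes are arbitrary sample values.

```python
"""Constructed model of the CICS LU6.2 bind-time security rules described above.

The classes and outcome strings are this example's own; they are not CICS or
RACF interfaces. What they encode is the page's decision table (Table 1), its
note 1, and the rule that both ends of the link must hold the same session key.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppcluProfile:
    """Constructed stand-in for the RACF APPCLU profile and its session segment."""
    sesskey: Optional[bytes]   # None models "no value is specified for SESSKEY"
    locked: bool = False       # session segment locked
    expired: bool = False      # session segment expired


@dataclass
class CicsSystem:
    """Constructed stand-in for one end of an LU6.2 connection."""
    name: str
    sec: bool                  # SIT parameter SEC=YES (True) or SEC=NO (False)
    xappc: bool                # SIT parameter XAPPC=YES or XAPPC=NO
    bindsecurity: bool         # CONNECTION attribute BINDSECURITY(YES) or BINDSECURITY(NO)
    appclu: Optional[AppcluProfile] = None   # None: no APPCLU profile defined for the link


def local_bind_decision(system: CicsSystem) -> str:
    """Table 1: the action of one CICS system on a bind request, given that its
    partner has specified BINDSECURITY(YES) (note 2). Returns "validate" when
    CICS extracts the APPCLU profile to verify the partner, otherwise "reject"."""
    # BINDSECURITY(NO) makes the SIT specification immaterial: the bind is rejected.
    if not system.bindsecurity:
        return "reject"
    # Without both SEC=YES and XAPPC=YES, CICS cannot validate the bind.
    if not (system.sec and system.xappc):
        return "reject"
    # No APPCLU profile: CICS cannot extract it from RACF.
    if system.appclu is None:
        return "reject"
    # Note 1: a locked or expired session segment with no SESSKEY is always rejected
    # (only this combined case is modelled, as that is what the page states).
    profile = system.appclu
    if (profile.locked or profile.expired) and profile.sesskey is None:
        return "reject"
    return "validate"


def bind_outcome(local: CicsSystem, remote: CicsSystem) -> str:
    """Outcome of a bind between two systems once both apply Table 1.

    Returns "bound-unvalidated" when neither end uses bind-time security,
    "rejected" when either end rejects or the session keys differ, and
    "bound-validated" when both ends verify each other with the same key."""
    if not local.bindsecurity and not remote.bindsecurity:
        # Bind-time security is optional in LU6.2; this link does not use it.
        return "bound-unvalidated"
    # Table 1 describes a system whose partner specified BINDSECURITY(YES).
    for system, partner in ((local, remote), (remote, local)):
        if partner.bindsecurity and local_bind_decision(system) == "reject":
            return "rejected"
    # Both ends extracted a profile; the bind succeeds only with the same session key.
    local_key = local.appclu.sesskey
    remote_key = remote.appclu.sesskey
    if local_key is None or local_key != remote_key:
        return "rejected"
    return "bound-validated"


if __name__ == "__main__":
    # Constructed sample values; the key bytes are arbitrary.
    shared_key = bytes.fromhex("0123456789abcdef")
    cicsa = CicsSystem("CICSA", sec=True, xappc=True, bindsecurity=True,
                       appclu=AppcluProfile(sesskey=shared_key))
    cicsb = CicsSystem("CICSB", sec=True, xappc=True, bindsecurity=True,
                       appclu=AppcluProfile(sesskey=shared_key))
    print(bind_outcome(cicsa, cicsb))                                   # bound-validated
    cicsb.appclu = AppcluProfile(sesskey=bytes.fromhex("ffffffffffffffff"))
    print(bind_outcome(cicsa, cicsb))                                   # rejected
```

The two-system function is where the "specify session security at both ends" advice becomes visible: a link where only one end has BINDSECURITY(YES) is rejected by the other end under Table 1, and a link where neither end specifies it is bound without any verification of the partner.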