Controlling the Use of VTAM ACBs

As described in Planning Sessions, one of the first steps in setting up an APPC/MVS environment is defining APPC LUs to VTAM® by specifying them on VTAM APPL statements. Corresponding access method control blocks (ACBs) are then opened from the APPC address space when APPC is started on your MVS system.

Each LU has a name that is unique in the network. All requests for conversations with a particular TP include the name of the LU where the inbound TP resides. For example, in Figure 1, TPA specifies LU02 in its allocate request for a conversation with TPB.

To prevent non-APF-authorized programs from opening an ACB for a specific LU, or from registering as a member of a VTAM generic resource group, and thus perhaps intercepting requests addressed to that LU name, you can define the LU names in the RACF® VTAMAPPL resource class with a universal access of NONE.

To create the RACF profiles and protect the APPC LUs, do the following:

  1. Gather the names of the APPC LUs, as they are specified in the ACBNAME parameter on VTAM APPL statements and, if necessary, give them to your security administrator.
  2. For each LU to be protected, the security administrator should create a RACF profile in the VTAMAPPL class, with the profile name matching the ACBNAME specified on the VTAM APPL statement, and give a universal access of NONE, for example:
    RDEFINE VTAMAPPL acbname UACC(NONE)

    The ACB for that LU can then be opened only by APPC/MVS and other APF-authorized programs.

  3. If the LUs are also members of a VTAM generic resource group, the security administrator should create a RACF profile in the VTAMAPPL class, with the profile name matching the generic resource name specified on the GRNAME parameter in LUADD statements for the LUs. For example:
    RDEFINE VTAMAPPL generic-name UACC(NONE)

    This VTAMAPPL definition protects against unauthorized use of only the generic resource name; it does not protect specific LUs in the generic resource group. To protect those LUs, you need to use the VTAMAPPL definition shown in Step 2.

If you were creating VTAMAPPL profiles for the LUs shown in Figure 1, you would substitute LU02 for acbname in an RDEFINE command on that z/OS system. If the partner system was also protected by RACF, you could protect LU01 with a similar command on its system.

Figure 1. Security for LU01 and LU02

When you are ready to start using the protection defined in the VTAMAPPL profiles for each LU, the security administrator should activate the VTAMAPPL class and activate SETROPTS RACLIST processing for the class. For example:

    SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)

Any time a VTAMAPPL profile is changed, SETROPTS RACLIST processing for the VTAMAPPL class must be refreshed for the change to take effect:

    SETROPTS RACLIST(VTAMAPPL) REFRESH
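
The steps above can be scripted. The following Python script is an added example, not part of the original text: it reads a VTAMLST member and an APPCPMxx member and emits the RDEFINE and SETROPTS commands for the APPC LUs and their generic resource names. The member contents, every name other than LU02, and the function names are constructed; selecting APPL statements by APPC=YES and treating a trailing comma as a continued statement are assumptions.

```python
import re

NAME = r"[A-Z0-9@#$]+"   # characters allowed in the names this example handles

def appc_acbnames(vtamlst):
    """Step 1: ACB names of APPL statements coded APPC=YES (assumed filter)."""
    names, pending = [], ""
    for raw in vtamlst.splitlines():
        if raw.startswith("*") or not raw.strip():
            continue                      # comment or blank line
        body = raw[:71].rstrip()          # column 72 only marks continuation
        pending += body.strip() if pending else body
        if body.endswith(","):
            continue                      # assumption: trailing comma = continued
        parts, pending = pending.split(None, 2), ""
        if len(parts) != 3 or parts[1] != "APPL":
            continue                      # VBUILD and other statements
        if re.search(r"\bAPPC=YES\b", parts[2]):
            m = re.search(rf"\bACBNAME=({NAME})", parts[2])
            # Without ACBNAME, VTAM uses the statement name as the ACB name.
            names.append(m.group(1) if m else parts[0])
    return names

def generic_names(appcpm):
    """Step 3: generic resource names from GRNAME on LUADD statements."""
    text = re.sub(r"/\*.*?\*/", " ", appcpm, flags=re.S)   # drop comments
    return re.findall(rf"\bGRNAME\(\s*({NAME})\s*\)", text)

def racf_commands(vtamlst, appcpm, class_active=False):
    """Commands for steps 2 and 3, then activation or refresh of the class."""
    profiles = dict.fromkeys(appc_acbnames(vtamlst) + generic_names(appcpm))
    cmds = [f"RDEFINE VTAMAPPL {p} UACC(NONE)" for p in profiles]
    cmds.append("SETROPTS RACLIST(VTAMAPPL) REFRESH" if class_active
                else "SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)")
    return cmds

# Constructed sample members (not from the page).
SAMPLE_VTAMLST = "\n".join([
    "* APPC LU definitions",
    "APPCLU   VBUILD TYPE=APPL",
    "MVSLU01  APPL  APPC=YES,".ljust(71) + "X",
    "               ACBNAME=LU02",
    "MVSLU03  APPL  APPC=YES",
    "BATCH01  APPL  ACBNAME=BATCH01",
])
SAMPLE_APPCPM = """\
LUADD ACBNAME(LU02) SCHED(ASCH) /* inbound TPs */
      GRNAME(APPCGRP)
LUADD ACBNAME(MVSLU03) SCHED(ASCH) GRNAME(APPCGRP)
"""

if __name__ == "__main__":
    print("\n".join(racf_commands(SAMPLE_VTAMLST, SAMPLE_APPCPM)))
```

Pass class_active=True when the VTAMAPPL class is already active, so that the last command is the RACLIST refresh instead of the initial activation.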