Managing inbound TCP/IP-based connection requests

DRDA connections that use TCP/IP have fewer security controls than do connections that use SNA protocols. When planning to control inbound TCP/IP connection requests, you must decide whether you want the requests to have authentication information, such as RACF® passwords, RACF PassTickets, and Kerberos tickets, passed along with authorization IDs.

About this task

Attention: To protect your authentication information, use the z/OS® Communications Server IP Application Transparent Transport Layer Security (AT-TLS) to secure your network connections. To complement the use of AT-TLS, set the TCPALVER subsystem parameter of installation panel DSNTIP5 to SERVER_ENCRYPT. Setting this parameter to SERVER_ENCRYPT provides the strongest level of security. Connections are accepted only if user credentials are provided to authenticate the user ID, and strong encryption is used to protect the user ID and credentials.

Procedure

To manage inbound TCP/IP-based connection requests:

For requests that use RACF passwords or PassTickets, enter the following RACF command to indicate which user IDs are authorized to access DDF (the distributed data facility address space) when they connect through TCP/IP:
PERMIT ssnm.DIST CLASS(DSNR) ID(yyy) ACCESS(READ)
  WHEN(APPCPORT(TCPIP))
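The PERMIT command above in context, as an added example that is not part of the Db2 documentation: a TSO CLIST fragment that defines the DDF profile with no universal access, grants access only for the TCP/IP port of entry, refreshes the in-storage profiles, and lists the result so the conditional access list can be checked. The subsystem name DSN1 and the RACF group DRDAUSRS are assumed names.

```tso
/* Added example, not from the Db2 documentation.                       */
/* Assumed names: Db2 subsystem DSN1, RACF group DRDAUSRS.              */

/* Define the DDF profile with no universal access, so any ID that is  */
/* not on an access list is rejected before Db2 sees the request.      */
RDEFINE DSNR (DSN1.DIST) UACC(NONE)

/* Grant READ only when the port of entry is TCP/IP. The same IDs get  */
/* no access through other ports of entry unless permitted separately. */
PERMIT DSN1.DIST CLASS(DSNR) ID(DRDAUSRS) ACCESS(READ) +
  WHEN(APPCPORT(TCPIP))

/* Make the change effective in the RACLISTed in-storage profiles.     */
SETROPTS RACLIST(DSNR) REFRESH

/* Verify: DRDAUSRS should appear with READ in the conditional access  */
/* list under APPCPORT TCPIP, and the standard access list should be   */
/* empty; an entry in the standard list would grant access from any    */
/* port of entry, which is wider than intended.                        */
RLIST DSNR DSN1.DIST AUTHUSER
```

The RACF profile controls only who may connect; the TCPALVER requirement for credentials and encryption described under About this task is set in the Db2 subsystem parameters (DSNTIP5 / the DSN6FAC macro in DSNTIJUZ), not in RACF.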

Consider the following questions:

Do you permit access by TCP/IP? If the serving Db2 for z/OS subsystem has a DRDA port and resynchronization port specified in the BSDS, Db2 is enabled for TCP/IP connections.

Do you manage inbound IDs through Db2 or RACF? All IDs must be passed to RACF or Kerberos for processing. No option exists to handle incoming IDs through Db2.

Do you trust the partner? TCP/IP does not verify partner LUs, as SNA does. If your requesters support mutual authentication, use Kerberos to handle this authentication on the requester side.

If you use passwords, are they encrypted? Passwords can be encrypted through:

  • RACF using PassTickets
  • DRDA password encryption support. Db2 for z/OS as a server supports DRDA-encrypted passwords and encrypted user IDs with encrypted passwords. See Security mechanisms for DRDA and SNA for more information about using DRDA encryption.

If you use Kerberos, are users authenticated? If your distributed environment uses Kerberos to manage users and perform user authentication, Db2 for z/OS can use Kerberos security services to authenticate remote users.

Do you translate inbound IDs? Inbound IDs are not translated when you use TCP/IP.

How do you associate inbound IDs with secondary IDs? To associate an inbound ID with secondary IDs, modify the default connection exit routine (DSN3@ATH). TCP/IP requests do not use the sign-on exit routine.