SLU authentication

During establishment of a cryptographic session, the secondary LU (SLU) verifies that the primary LU (PLU) is using the same cryptographic key. However, if the SLU does not reject a session when the partners are using different session keys, subsequent data flowing over the session is lost because proper deciphering of the data cannot be performed by the SLU. By specifying the CERTIFY=YES operand, the verification that both partners are using the same session key is performed by both the PLU and the SLU. If the session keys are not the same, the session is not established.

The CERTIFY operand can be coded for a resource in the following major nodes:
  • Application program
  • Local SNA
  • Logical unit (LU) group
  • Model
  • Network Control Program
  • Switched
In addition, the CERTIFY operand can be specified on the MODEENT macro in the logon mode table. See the z/OS Communications Server: SNA Resource Definition Reference for additional information about coding the CERTIFY operand.
Notes:
  1. SLU authentication is performed if CERTIFY=YES is specified for either session partner.
  2. CERTIFY=YES is supported by both the 3174 and 3276 cryptographic features. To determine support for other devices, see the specific device documentation.
Parent topic: Security features