TCP server security

The TCP server authenticates a user by verifying a user credential, which is either a user ID combined with a password or a PassTicket, or a client certificate. Depending on how you want to manage access, you can additionally base this authentication on security group membership, on access to an application security profile, or on both.

The TCP server authenticates users when a connection is established and a logon request is received.

The user ID and password of the client, or a client certificate that can be mapped to a user ID, must be defined to the security system on the z/OS® system where the TCP server is running.

If you use a PassTicket instead of a password for user authentication, you must define an APPL class profile for the TCP server and specify the SecurityAppl parameter. For details of PassTicket-based authentication, see the topic "Enabling RACF PassTicket" in the IMS Tools Base Configuration Guide.

Additional methods of controlling access to the TCP server

You can use two types of security schemes to further restrict client access to the TCP server: group based and application class based.

Group-based security
You can specify the SecurityGroup parameter if you want the TCP server to limit access by user ID membership in the specified security group.

When you specify the SecurityGroup parameter, users must be a member of the specified security group to be successfully authenticated by the TCP server.

If SecurityGroup is NONE, or is not specified in the server configuration file and therefore defaults to NONE, no group name is used when user IDs are authenticated.

Application class-based security
You can specify the SecurityAppl parameter if you want to use an APPL class resource-based security scheme.

When you specify the SecurityAppl parameter, only users that have READ access to that APPL class profile can access the TCP server.

If SecurityAppl is NONE (the default when it is not specified), or the application name is not defined as an APPL class profile, APPL class checking is not performed.

You can specify any combination of these parameters in the TCP server PROCLIB configuration member.
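The RACF definitions that back the two schemes above, as an added example that is not from the IMS Tools Base documentation: a REXX exec issuing the commands that create the APPL class profile named by SecurityAppl and the security group named by SecurityGroup. The profile name IMSTCPSV, the group IMSTCPG, the superior group SYS1 and the user USER01 are placeholders; the PTKTDATA definitions needed for PassTicket are covered by the linked topic and are not shown.

```rexx
/* REXX - constructed example, not part of the product documentation */
/* Defines the RACF resources for SecurityAppl=IMSTCPSV and          */
/* SecurityGroup=IMSTCPG (placeholder names; substitute your own).  */

ADDRESS TSO

/* Application class-based security: the APPL profile must exist,    */
/* and only IDs with READ access to it may use the TCP server.       */
/* UACC(NONE) ensures that users outside the permitted group fail.   */
"RDEFINE APPL IMSTCPSV UACC(NONE)"

/* Group-based security: the group named in SecurityGroup. Users     */
/* must be connected to it to pass the SecurityGroup check.          */
"ADDGROUP IMSTCPG SUPGROUP(SYS1) OWNER(SYS1)"
"CONNECT USER01 GROUP(IMSTCPG)"

/* Grant the group READ on the APPL profile, so that one group       */
/* satisfies both checks when both parameters are specified.         */
"PERMIT IMSTCPSV CLASS(APPL) ID(IMSTCPG) ACCESS(READ)"

/* Activate APPL if needed and refresh the in-storage profiles;      */
/* without the REFRESH the new profile is not seen by the server.    */
"SETROPTS CLASSACT(APPL) RACLIST(APPL)"
"SETROPTS RACLIST(APPL) REFRESH"

/* Verification: list who can access the profile and who is in the   */
/* group. Review these before enabling the parameters on the server. */
"RLIST APPL IMSTCPSV AUTHUSER"
"LISTGRP IMSTCPG"

EXIT 0
```

A user that is not connected to IMSTCPG (or lacks READ on IMSTCPSV) is rejected at logon with an ICH408I message on the z/OS console, which is the event to monitor for repeated failed access attempts.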