Setting up security

The Network Access Manager (NAM) can either serve as a stand-alone security system or provide an interface to the security system of your choice.

Member KLKINNAM in library -THILEV-.SKLSPARM contains the security system information. KLKINNAM defines one or more control points, each of which selects a security system and names a VSAM file to store NAM information. When NAM is the chosen security system, the VSAM file also holds encrypted security information. By default, CL/SuperSession uses only one control point, so that all users access applications through the same security system.

The initial configuration you installed specifies the NAM database as the security system. The sections in this chapter describe interface procedures to NAM and to other security systems including RACF, CA-ACF2, and CA-TOP SECRET.

Note: If you use PassPhrase support then you must use SAF.

In addition, if you use the HelpDesk as a session, the HOSTGATE configuration member must specify USERDATA OPTIONAL (see the USERDATA data element in the Gateway Configuration section of the IBM CL/SuperSession Customization Guide).

To enable Passphrase support for the product, add the following commands to KLSSTART:

NAM SET PASSPHRS USEPHRS:1

Name each Network Entry Point from which Passphrase support is desired:

NAM SET PASSPHRS PHRSCPS:SSTRMZ1/SSTRMZ4/SSTRMZ7/+
SSTRMZ0/SSTRMZ5/SSTRMZ6
Note: MFA uses the Passphrase credentials field. Consequently, to use MFA, the control point must be configured for Passphrase support. Thus, MFA also requires the use of SAF.

MFA users need to indicate that the unlock screen should re-validate the password/token to unlock, rather than compare it to the value saved at logon time. This is selected with the following command:

NTD KLSSOPTS 'KLSOPTEU 1'

KLGSSHG and KLSVSELA are relatively common members of PTFs, making it tedious to maintain and re-incorporate customizations after maintenance is installed. A new sample user exit is provided that allows User Data to be manipulated before it is given to the application. The sample code provided introduces a User Data keyword, &VIGPTKT, that is replaced with a PassTicket for the target application.

Instructions for activating and using KLSPTKTX, along with sample code for resolving &VIGPTKT are included in the SKLSPNLS(KLSPTKTX) member.

To enable this user exit, add the following command to KLSSTART:

NTD KLSSOPTS 'KLSOPTPX 1'
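As an added example (not part of the IBM documentation or product code), the following Python parses the KLSSTART commands shown in this chapter, including the "+" continuation used for PHRSCPS, and flags combinations the text describes as incomplete: entry points named without USEPHRS:1, USEPHRS:1 with no entry points named, or KLSOPTEU 1 without the Passphrase support that MFA requires. The sample member and the check rules are my own construction from the statements above.

```python
import re

# Constructed sample KLSSTART fragment (not the page's member); it uses the
# commands this chapter shows, including a '+' continuation line.
SAMPLE_KLSSTART = """\
NAM SET PASSPHRS USEPHRS:1
NAM SET PASSPHRS PHRSCPS:SSTRMZ1/SSTRMZ4/SSTRMZ7/+
SSTRMZ0/SSTRMZ5/SSTRMZ6
NTD KLSSOPTS 'KLSOPTEU 1'
NTD KLSSOPTS 'KLSOPTPX 1'
"""

def join_continuations(text):
    """Join a line ending in '+' with the line that follows it."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("+"):
            buf += line[:-1]
        elif line:
            lines.append(buf + line)
            buf = ""
    return lines

def parse_klsstart(text):
    """Collect NAM SET PASSPHRS keywords and NTD KLSSOPTS options into a dict."""
    settings = {}
    for line in join_continuations(text):
        m = re.match(r"NAM SET PASSPHRS (\w+):(\S+)$", line, re.I)
        if m:
            key, val = m.group(1).upper(), m.group(2)
            # PHRSCPS is a '/'-separated list of Network Entry Points
            settings[key] = val.split("/") if key == "PHRSCPS" else val
            continue
        m = re.match(r"NTD KLSSOPTS '(\w+) (\S+)'$", line, re.I)
        if m:
            settings[m.group(1).upper()] = m.group(2)
    return settings

def check_passphrase_config(settings):
    """Return findings for Passphrase/MFA settings the chapter treats as incomplete."""
    findings = []
    phrs_on = settings.get("USEPHRS") == "1"
    if settings.get("PHRSCPS") and not phrs_on:
        findings.append("PHRSCPS names entry points but USEPHRS:1 is not set")
    if phrs_on and not settings.get("PHRSCPS"):
        findings.append("USEPHRS:1 is set but PHRSCPS names no entry points")
    if settings.get("KLSOPTEU") == "1" and not phrs_on:
        findings.append("KLSOPTEU 1 (MFA unlock re-validation) without Passphrase support")
    return findings
```

Run `check_passphrase_config(parse_klsstart(SAMPLE_KLSSTART))` against a copy of your own KLSSTART to list any of these gaps before relying on Passphrase or MFA logon.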