Implementing Security
IBM® Connect:Direct® provides a range of security options to meet diverse security requirements. These options can be part of IBM Connect:Direct, part of interfaces to other security software, sample exits, or available from user-customized exit routines.
IBM Connect:Direct provides support for passwords and/or passphrases up to 64 characters. Password can also mean passphrase in most instances with exception when referencing dataset passwords.
When PROCESSes supply PNODEID and/or SNODEID passwords,
password longer than 8 characters cannot be used when the PROCESS
is using PNODE=SNODE, SNA or SNUF protocols.
Note: Be aware that when
a user signs on to Connect:Direct using a passphrase (a password that
is longer than 8 characters), all PROCESSes submitted must override
the PNODEID and SNODEID userids and passwords if the process is to
use PNODE=SNODE, SNA or SNUF protocols (these protocols only support
passwords of 8 characters or less).
Note: All sample exits define the proper AMODE and RMODE settings within the source member
themselves. All user exits should be link-edited with AMODE=31 and capable of executing in 31-bit
mode. Each user exit should preserve the mode in which it was invoked and return to the caller in
the proper mode. Modules written to execute in 31-bit mode can be link-edited with RMODE=ANY or
RMODE=24. Check the source for the sample exits to see how IBM Connect:Direct defines the proper AMODE and
RMODE settings.
IBM Connect:Direct for z/OS® provides the following security features:
| Security Option | Description |
|---|---|
| User Specified Program Limitation Feature | Provide security for user specified program names (Exit and Run Task programs) by checking names against a user configured table of names. Refer to User Specified Program Limitation Feature. |
| Security exits | Secures signon processing, job streams, and application programs. IBM Connect:Direct provides four security exits and includes samples in the sample library. See Security Exits for more information. |
| SECURITY.EXIT initialization parameter | Specifies a stage 2 security exit. This exit is invoked during signon and Process start and data set access. Signon or file access requests are passed directly to the security exit for authorization checking. For more information, see SECURITY.EXIT | SECURITY = module name | (module name,DATASET|ALL,PSTKT) | (module name,DATASET|ALL) | OFF. |
| IBM Connect:Direct Authorization Facility | Provides signon security and assigns IBM Connect:Direct functional
authority if you do not specify or comment out the SECURITY.EXIT initialization
parameter. Use this facility if your installation does not have a
security package. See IBM Connect:Direct Functional
Authority for information. Note: The IBM Connect:Direct Authorization
Facility provides no data set access security checking. Authorization File describes
the User Authorization file in detail.
|
| IBM Sterling Connect:Direct Secure Point-of-Entry | Secures the entry of an outside user to your system. Point-of-entry processing occurs before security exits are called. See Sterling Connect:Direct Secure Point-of-Entry for more information. |
| Trusted Node Security | Enables you to enforce more restrictive security parameters on specific nodes in your network. For example, each adjacent node can be defined as internal or external in its relationship to the local node of that network map. See Trusted Node Security for more information. |
IBM Connect:Direct supports the following security options:
| Security Option | Description |
|---|---|
| IBM Connect:Direct Secure Plus | Provides enhanced security for IBM Connect:Direct. It uses cryptography to secure data during transmission. You select the security protocol, cipher suites, and other encryption options to use with the IBM Connect:Direct Secure Plus product. One such option is Strong Password Encryption (SPE), which you can use to secure passwords at rest within the TCQ and AUTH files. SPE uses the TDESCBC112 encryption algorithm of IBM Connect:Direct Secure Plus so if you have the IBM Connect:Direct Secure Plus component configured, and then take the necessary steps to enable the SPE feature, SPE will be in effect. See the IBM Connect:Direct Secure Plus for z/OS Implementation Guide for more information. |
| CA-ACF2 | External security package that secures files, users, and IBM Connect:Direct functions. |
| IBM® Resource Access Control Facility (RACF®) | External security package that secures files, users, and IBM Connect:Direct functions. |
| CA-TOP SECRET | External security package that secures files, users, and IBM Connect:Direct functions. |
| Firewall Navigation | Enables you to control access to a IBM Connect:Direct system running behind a firewall. See Configuring Firewall Navigation. |