Authenticating partner LUs

If RACF® has already validated the identity of an LU and if you trust incoming IDs from the LU, you do not need to validate them by an authentication token.

About this task

You can choose whether to require an authentication token from a particular LU.

Procedure

To authenticate partner LUs, choose one of the following options:

  • If you do not want Db2 to require an authentication token from a particular LU, check that you have defined Db2 to VTAM® with SECACPT=ALREADYV. Then put an A in the SECURITY_IN column of the row in the SYSIBM.LUNAMES table that corresponds to the other LU.
    Your acceptance level for requests from that LU is now "already verified". Requests from that LU are accepted without an authentication token.
  • If you want Db2 to require an authentication token from a particular LU, put a V in the SECURITY_IN column in the SYSIBM.LUNAMES table.
    Your acceptance level for requests from that LU is now "verify".
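
The two options above written as SQL against SYSIBM.LUNAMES, followed by a review query that lists every LU accepted without a token. This is an added example, not part of the original procedure; the LU names LUPARTA and LUPARTB are constructed placeholders, and the statements assume that rows for those LUs already exist.

```sql
-- LUPARTA and LUPARTB are constructed placeholder LU names.

-- Check the current setting before changing it.
SELECT LUNAME, SECURITY_IN, USERNAMES
  FROM SYSIBM.LUNAMES
 WHERE LUNAME IN ('LUPARTA', 'LUPARTB');

-- Option 1: accept requests from LUPARTA as already verified.
-- Only effective if Db2 is defined to VTAM with SECACPT=ALREADYV.
UPDATE SYSIBM.LUNAMES
   SET SECURITY_IN = 'A'
 WHERE LUNAME = 'LUPARTA';

-- Option 2: require an authentication token from LUPARTB.
UPDATE SYSIBM.LUNAMES
   SET SECURITY_IN = 'V'
 WHERE LUNAME = 'LUPARTB';

-- Review: every row that accepts requests without an authentication token.
-- A row with a blank LUNAME is the default that applies to any LU not
-- listed by name, so an 'A' there extends "already verified" to all
-- unlisted partners.
-- USERNAMES = 'I' or 'B' means inbound IDs are additionally checked
-- and translated through SYSIBM.USERNAMES.
SELECT LUNAME,
       SECURITY_IN,
       USERNAMES,
       CASE WHEN LUNAME = ' ' THEN 'DEFAULT ROW (UNLISTED LUS)'
            ELSE 'SPECIFIC LU'
       END AS SCOPE
  FROM SYSIBM.LUNAMES
 WHERE SECURITY_IN = 'A'
 ORDER BY LUNAME;
```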

What to do next

If you require an authentication token, you must register every acceptable incoming ID and its password with RACF.

If an authentication token does accompany a request, Db2 calls RACF to check the authorization ID against it.

Note: Each request to RACF to validate authentication tokens results in an I/O operation, which has a high performance cost.
Note: To eliminate the I/O, allow RACF to cache security information in VLF. To activate this option, add the IRRACEE class to the end of z/OS® VLF member COFVLFxx in SYS1.PARMLIB, as follows:
CLASS NAME(IRRACEE)
EMAJ (ACEE)