Client Identifiers
One client can be represented by many different Client Identifiers.
For example, Telnet might assign an LU based on client host name,
assign an application based on a client IP address, and assign a USS
table based on connection link or interface name. See Mapping Objects to Client Identifiers for details about how these Client Identifiers are used to map Objects.
In some cases, two different Client Identifiers that represent the
same client are used on mapping statements to map the same type of
Object. In these cases, Telnet must determine which Client Identifier
to use when assigning the Object. See Client Identifier selection rules for
more details. The complete list of Client Identifiers and mapping
examples follows:
- User ID or USERGROUP name - If the CLIENTAUTH SAFCERT parameter
is used with a secure connection, the client is required to send its
client certificate to Telnet for client authentication. The SAFCERT
option indicates that the client certificate can be translated to
a User ID by a security product such as RACF®. Telnet translates the certificate as soon as the SSL handshake
is done. The resulting User ID is associated with the connection.
Objects can be mapped to the connection based on an exact User ID,
or Objects can be mapped to a USERGROUP name containing exact User
IDs and wildcarded User IDs. For example, mobile employees need to
be assigned a unique set of LU names and the manager must always be
assigned LU name LUMOBL01. These employees are not within a secure
network and always use client authenticated secure connections. Their
certificates are translated to User IDs by Telnet.
    USERGROUP USGMOBL1
      MOBL0002
      MOBL0003
      MOBL1%%C
    ENDUSERGROUP
    LUGROUP LUGMOBL1
      LUMOBL02..LUMOBL20
    ENDLUGROUP
    LUMAP LUMOBL01 USERID,MOBL0001  ; mgr mapping
    LUMAP LUGMOBL1 USERGRP,USGMOBL1 ; employee mapping
Rule: The specification of the Client Identifier type USERID is required on the mapping statement. If you do not specify this type, Telnet assumes that the name is a link or interface name.
Tip: The specification of the Client Identifier type USERGRP is optional. The following statement is equivalent to the last LUMAP statement in the previous example:
    LUMAP LUGMOBL1 USGMOBL1
- Host name or HNGROUP name - If the network dynamically assigns
IP addresses, the same client will not have the same IP address from
one connection to the next. With static host names, Objects can be
mapped to clients based on their host name, or Objects can be mapped
to HNGROUP names containing exact host names and wildcarded host names. For example, LUADMNM is mapped to exact host name ADMIN.DEPT1.GROUP1.COM,
and application INVENTRY is mapped to HNGROUP name HNGINV.
    HNGROUP HNGINV
      INV1.DEPT1.GROUP1.COM
      *.DEPT3.GROUP1.COM
      **.GROUP3.COM
    ENDHNGROUP
    LUMAP LUADMNM HOSTNAME,ADMIN.DEPT1.GROUP1.COM
    DEFAULTAPPL INVENTRY HNGRP,HNGINV
Tip: The specification of the Client Identifier types HOSTNAME and HNGRP is optional. The following two mapping statements are equivalent to the last two statements in the previous example:
    LUMAP LUADMNM ADMIN.DEPT1.GROUP1.COM
    DEFAULTAPPL INVENTRY HNGINV
- Client (source) IP address or IPGROUP name - Client IP address
is the most common method used to map Objects to the client. In a
static network, Objects can be mapped to clients based on the exact
IP address, or Objects can be mapped to IPGROUP names containing exact
IP addresses and subnets. For example, LUADMN is mapped to exact IP
address 1.1.1.1, and application PAYROLL is mapped to IPGROUP name
IPGPAY.
    IPGROUP IPGPAY
      1.1.2.2 1.1.2.3                    ;IPv4 addresses
      255.255.0.0:2.2.0.0                ;IPv4 subnet
      2001:0DB8:9:11:15:4                ;IPv6 address
      6C11:10::0/96                      ;IPv6 subnet
      6.1.3.4..6.1.3.8                   ;IPv4 range
      2AB0::12:5:1321..2AB0::12:5:1410   ;IPv6 range
    ENDIPGROUP
    LUMAP LUADMN IPADDR,1.1.1.1
    DEFAULTAPPL PAYROLL IPGRP,IPGPAY
Tips:
- The specification of the Client Identifier types IPADDR and IPGRP
is optional. The following two mapping statements are equivalent to
the last two statements in the previous example:
    LUMAP LUADMN 1.1.1.1
    DEFAULTAPPL PAYROLL IPGPAY
- The IP/subnet combinations of 0.0.0.0:0.0.0.0 (IPv4 only) and 0::0/0 (IPv4 and IPv6) are special cases that include all connections. This might be useful if you want to have a default mapping with a higher priority than the NULL client identifier.
- The client IP address can be either an IPv4 or IPv6 IP address. IP address ranges can also be specified and are treated as if individual IP addresses were coded. An IPv4 range can vary in the last octet only. An IPv6 range can vary in the last two hexadecimal bytes only.
- Destination IP address or DESTIPGROUP name - A destination IP
address is the host address that is the destination for a Telnet connection.
Linkname can be used as a Client Identifier to map Objects to destination
IP addresses when the linkname is static and defined in the profile.
However, if the destination IP address is a dynamic Virtual IP Address
(VIPA), the linkname is not known before the VIPA is created. In
this case, destination IP address is the ideal solution. In other
cases, specifying the destination IP address in the Telnet profile
might be clearer than specifying the linkname. For example, two TCP/IP
stacks are backups for each other. Telnet connections to stack 1 (VIPA
5.5.5.1) use logon manager application APPL1 by default, and connections
to stack 2 (VIPA 51CB:C3E4::9:4) use logon manager application APPL2
by default. If one of the stacks becomes unavailable, the other will
take over and dynamically add the failing stack's VIPA. The dynamic
linkname created is not easily predicted. Use the following statements
in the profile of each stack to ensure users connecting to 5.5.5.1
always get APPL1 and users connecting to 51CB:C3E4::9:4 always get
APPL2 regardless of which stack is used.
    DEFAULTAPPL APPL1 DESTIP,5.5.5.1
    DEFAULTAPPL APPL2 DESTIP,51CB:C3E4::9:4
Rule: The specification of the Client Identifier type DESTIP is required on the mapping statement. If you do not specify this type, Telnet assumes that the IP addresses are client (source) IP addresses.
Tip: When the destination IP address is the IP address of a dynamic XCF address, multiple linkname values can be associated with the IP address. Telnet will use the first linkname associated with the IP address in the home list. If a dynamic XCF destination is used as a Client Identifier, it is recommended that DESTIP be used instead of linkname. Results can vary using linkname.
- Linkname or LINKGROUP name - A linkname is defined by the TCP/IP
LINK or INTERFACE statement. The linkname defines a host IP address
that is a destination address for clients connecting to Telnet. Linkname
can be useful in cases where Object assignment is dependent on the
client destination IP address instead of the client source IP address.
Several linknames can be defined and the same LU mapping or other
Object mapping might be wanted for several linknames. In this case,
a LINKGROUP can be defined and used on a single mapping statement.
For example, based on the statements below, a client connecting to
LINK1 IP address will be assigned an LU from the LUGROUP name LUGLNKS
and will establish a session with TPX1. A client connecting to LINK2
IP address will be assigned an LU from the LUGROUP name LUGLNKS and
will establish a session with TPX2. Because LINK1 and LINK2 are not
group names, host names, or IP addresses, they are assumed to be linknames.
The Client Identifier type, LINKNAME, can be used for clarity but
is not required.
    LINKGROUP LNKGRP1
      LINK1 LINK2
    ENDLINKGROUP
    LUMAP LUGLNKS LINKGRP,LNKGRP1
    DEFAULTAPPL TPX1 LINKNAME,LINK1
    DEFAULTAPPL TPX2 LINKNAME,LINK2
Tips:
- The specification of the Client Identifier types LINKNAME and
LINKGRP is optional. The following three mapping statements are equivalent
to the last three statements in the previous example:
    LUMAP LUGLNKS LNKGRP1
    DEFAULTAPPL TPX1 LINK1
    DEFAULTAPPL TPX2 LINK2
- When the destination IP address is the IP address of a dynamic XCF address, multiple linkname values can be associated with the IP address. Telnet will use the first linkname associated with the IP address in the home list. If a dynamic XCF destination is used as a Client Identifier, it is recommended that DESTIP be used instead of linkname. Results can vary using linkname.
- NULL (no Client Identifier) - The NULL Client Identifier type
indicates that no Client Identifier was specified. The NULL Client
Identifier is valid on the DEFAULTAPPL, LINEMODEAPPL, USSTCP, and
INTERPTCP mapping statements. It is the implied Client Identifier
for the DEFAULTLUS, DEFAULTLUSSPEC, DEFAULTPRT, and DEFAULTPRTSPEC
Objects. ParmsGroup and MonitorGroup are the only Objects that cannot
be mapped to the NULL Client Identifier. The NULL Client Identifier
mapped Objects are the last Objects checked when assigning Objects
to a client. For example, assume a client does not match any Client
Identifier in the profile for DEFAULTAPPL or USSTCP. You can put the
user into session with a security application, named SecAppl, that
can verify the user is authorized to use the company's system. The
Client Identifier field is blank.
DEFAULTAPPL SECAPPL
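
An added example, not part of the original documentation and not Telnet's own parser: an offline audit helper that expands the IPGROUP entry forms described under "Client (source) IP address" (exact address, IPv4 mask:subnet, IPv6 prefix, ranges) and reports which entries select a given client, including the all-connections special cases. The sample group text, the function names, and the treatment of 0::0/0 as also selecting IPv4 clients (read from the tip's "IPv4 and IPv6" wording) are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: entry forms from the IPGPAY example plus a catch-all.
SAMPLE = """
IPGROUP IPGPAY
  1.1.2.2 1.1.2.3                   ;IPv4 addresses
  255.255.0.0:2.2.0.0               ;IPv4 subnet (mask:subnet)
  6C11:10::0/96                     ;IPv6 subnet
  6.1.3.4..6.1.3.8                  ;IPv4 range
  2AB0::12:5:1321..2AB0::12:5:1410  ;IPv6 range
  0::0/0                            ;all connections (constructed)
ENDIPGROUP
"""

def parse_entry(tok):
    """Turn one IPGROUP token into an inclusive (low, high) address pair."""
    if ".." in tok:                                   # range low..high
        low, high = (ipaddress.ip_address(p) for p in tok.split(".."))
        shift = 8 if low.version == 4 else 16  # IPv4: last octet; IPv6: last two bytes
        if (low.version != high.version or low > high
                or int(low) >> shift != int(high) >> shift):
            raise ValueError(f"invalid range: {tok}")
        return low, high
    if "/" in tok:                                    # IPv6 prefix/length
        net = ipaddress.ip_network(tok, strict=False)
    elif tok.count(":") == 1 and "." in tok:          # IPv4 mask:subnet
        mask, subnet = tok.split(":")
        net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    else:                                             # exact address
        net = ipaddress.ip_network(tok)
    return net[0], net[-1]

def parse_ipgroup(text):
    """Return [(low, high, token)] for the entries of the first IPGROUP."""
    tokens = [t for line in text.splitlines()
              for t in line.split(";", 1)[0].split()]  # ';' starts a comment
    body = tokens[tokens.index("IPGROUP") + 2:tokens.index("ENDIPGROUP")]
    return [parse_entry(t) + (t,) for t in body]

def is_catch_all(low, high):
    """True for 0.0.0.0:0.0.0.0 and 0::0/0, which include all connections."""
    return int(low) == 0 and int(high) == 2 ** low.max_prefixlen - 1

def matching_entries(entries, client):
    """Tokens selecting this client; an IPv6 /0 entry also selects IPv4."""
    addr = ipaddress.ip_address(client)
    return [tok for low, high, tok in entries
            if (low.version == addr.version and low <= addr <= high)
            or (low.version == 6 and is_catch_all(low, high))]
```

Running `matching_entries` over the addresses that should and should not reach an application such as PAYROLL shows whether a broad subnet or an all-connections entry silently widens the mapping beyond the intended clients.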