Intermediate Servers
You can also write a program that does not actually manage a resource, but that controls access to another program that does manage a resource. This type of middle program resides in an intermediate server virtual machine.
As with server virtual machines that manage resources, intermediate server virtual machines must be properly set up and authorized. The system administrator should be the person to do this. (z/VM: Connectivity contains the necessary information.)
An intermediate server can set up to intercept all connection requests that are intended for a final target—a resource manager program. When the program in an intermediate server gets such a connection request, it must then make its own connection to the final target (the resource manager program). When the intermediate server makes this connection on behalf of a source program, it should forward the user ID of the requesting virtual machine as the access security user ID—not the user ID of its own virtual machine. The intermediate server can specify the original source user ID in CPI Communications and in the APPC/VM assembler interface.
In addition, an intermediate server should also validate incoming data that a source program sends. This is because a source program could have the proper authorization to connect to the intermediate server, but could accidentally or maliciously send incorrect data.