Authenticating systems across SNA connections

When a remote system uses an SNA connection to communicate with your CICS® system, it must first establish a session with your system. That session is created by an exchange of flows called a BIND. You can associate a password with the BIND. This process is known as bind-time security, or LU-LU verification. It enables each system to verify the identity of the other.

These passwords are not sent between the two systems. Each system demonstrates its knowledge of the password by being able to correctly encrypt random numbers that are supplied by the partner, using the password as a key. The bind is successful only when both systems can establish that they have the same password.

Figure 1 shows the SNA flows that are exchanged to support bind-time security. If either system discovers that the encrypted value received is not the value that is expected, it flows an SNA UNBIND request to the remote system, and a session is not established.

Figure 1. The bind password exchange

Bind passwords are set up in the SNA product that is managing your SNA connectivity. Refer to your SNA product documentation for a description of how to set the bind password for a connection.
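The following simulation is an added example, not code from the CICS documentation or from any SNA product. It walks both sides through the flows of Figure 1 (BIND, BIND response, FMH-12, and UNBIND on a mismatch) and shows that only random data and keyed answers cross the wire. It assumes HMAC-SHA256 as a stand-in for the encryption the architecture specifies, and the LU names CICSA and CICSB are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def prove(challenge: bytes, password: bytes) -> bytes:
    """Answer a partner's random challenge using the bind password as key.
    The architecture encrypts the challenge with the password; HMAC-SHA256
    stands in here (an assumption) so the example runs on the standard
    library. Only the challenge and the answer cross the wire."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

@dataclass
class LU:
    name: str
    bind_password: bytes                      # set in the SNA product per connection
    wire: list = field(default_factory=list)  # flows this LU put on the session

def bind(primary: LU, secondary: LU, rng=secrets.token_bytes) -> str:
    """Run the bind-time security flows of Figure 1 and report the outcome."""
    # 1. BIND: the primary LU sends random data RA.
    ra = rng(8)
    primary.wire.append(("BIND", ra.hex()))
    # 2. BIND response: the secondary returns enc(RA) plus its own random RB.
    rb = rng(8)
    enc_ra = prove(ra, secondary.bind_password)
    secondary.wire.append(("BIND-RSP", enc_ra.hex(), rb.hex()))
    # 3. The primary recomputes enc(RA) with its own password and compares.
    if not hmac.compare_digest(enc_ra, prove(ra, primary.bind_password)):
        primary.wire.append(("UNBIND", "BIND response value not as expected"))
        return f"UNBIND sent by {primary.name}"
    # 4. FMH-12: the primary answers RB so the secondary can verify it too.
    enc_rb = prove(rb, primary.bind_password)
    primary.wire.append(("FMH-12", enc_rb.hex()))
    # Each side verifies independently; the secondary does not rely on step 3.
    if not hmac.compare_digest(enc_rb, prove(rb, secondary.bind_password)):
        secondary.wire.append(("UNBIND", "FMH-12 value not as expected"))
        return f"UNBIND sent by {secondary.name}"
    return "session established"

def password_on_wire(*lus: LU) -> bool:
    """True if any flow carried either bind password in clear (it never should)."""
    secrets_hex = [lu.bind_password.hex() for lu in lus]
    for lu in lus:
        for flow in lu.wire:
            if any(s in " ".join(flow) for s in secrets_hex):
                return True
    return False
```

A mismatch is detected by the first side to compare, so with different passwords the primary flows UNBIND at step 3 and the FMH-12 flow is never sent.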
Note:
  1. Bind-time security is optional in the SNA LU 6.2 architecture. Because it is optional, the remote systems to which you are connecting might not support BIND passwords.
  2. To maintain maximum confidence in the identity of each connected system, use a different bind password between each pair of systems that you are configuring. However, as the number of systems grows, this might become unmanageable; for that reason, unique bind passwords are not a requirement of the SNA LU 6.2 architecture and are not enforced.

It is important that you are familiar with the descriptions of bind security that are given in the documentation for the SNA product that you are using.