Security checking done in AOR with IPIC
The security checking done in the AOR depends on how LINKAUTH, SECURITYNAME and USERAUTH are specified in the AOR.
The link user ID shown in Table 1, Table 2, and Table 3 is determined from the values of LINKAUTH and SECURITYNAME on the IPCONN definition. If LINKAUTH(SECUSER) is specified, the link user ID is determined from the SECURITYNAME attribute. If LINKAUTH(CERTUSER) is specified, the link user ID is determined by the external security manager, such as RACF®, which associates a user ID with the certificate passed by the TOR during the SSL handshake. LINKAUTH(SECUSER) is the default. The default value for SECURITYNAME is the default user ID.
- If USERAUTH(LOCAL) is specified, security checking is done using the link user ID only.
- If USERAUTH(DEFAULTUSER) is specified, only the default user ID for the AOR is used.
- If USERAUTH(IDENTIFY) or USERAUTH(VERIFY) is specified, the link user ID is not used. Only the user ID received from the TOR is used to determine security.
Neither the region user ID for the TOR, nor the link user ID associated with the TOR's IPCONN definition for the AOR, is relevant to security checking in the AOR.
Table 1 shows how checking is done when USERAUTH(LOCAL) is specified.
Region user ID for AOR | Link user ID | Checking in AOR |
---|---|---|
USERIDA | Not specified | Check against AOR DFLTUSER |
USERIDA | USERIDA | Check against AOR DFLTUSER |
USERIDA | USERIDB | Check against USERIDB |
Table 2 shows how checking is done when USERAUTH(DEFAULTUSER) is specified.
Region user ID for AOR | Link user ID | Checking in AOR |
---|---|---|
USERIDA | Not specified | Check against AOR DFLTUSER |
USERIDA | USERIDA | Check against AOR DFLTUSER |
USERIDA | USERIDB | Check against USERIDB and AOR DFLTUSER |
Table 3 shows how checking is done when USERAUTH(IDENTIFY) or USERAUTH(VERIFY) is specified.
Region user ID for AOR | Link user ID | Checking in AOR |
---|---|---|
USERIDA | Not specified | Transmitted user ID and AOR DFLTUSER |
USERIDA | USERIDA | Transmitted user ID only |
USERIDA | USERIDB | Transmitted user ID and USERIDB |
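
The three tables can be read as one decision procedure, which is useful when reviewing many IPCONN definitions. The following Python sketch is an added example, not IBM code: it follows the tables row by row, and the function names, the `cert_user` input (standing in for the user ID the external security manager maps to the certificate) and the sample user IDs are assumptions made for illustration.

```python
from typing import Optional, Tuple

def link_user_id(linkauth: str = "SECUSER", securityname: Optional[str] = None,
                 cert_user: Optional[str] = None) -> Optional[str]:
    """Resolve the link user ID from LINKAUTH and SECURITYNAME.

    Returns None for the tables' "Not specified" row (SECURITYNAME omitted).
    cert_user is supplied by the caller; no certificate lookup is done here.
    """
    if linkauth == "SECUSER":
        return securityname or None
    if linkauth == "CERTUSER":
        if not cert_user:
            raise ValueError("CERTUSER needs the user ID mapped to the certificate")
        return cert_user
    raise ValueError(f"unknown LINKAUTH value: {linkauth}")

def checked_user_ids(userauth: str, region_user: str, link_user: Optional[str],
                     dfltuser: str, transmitted_user: Optional[str] = None
                     ) -> Tuple[str, ...]:
    """Return the user IDs checked in the AOR, as given by the three tables."""
    # A link user ID only matters when it is set and differs from the AOR region user ID.
    distinct_link = link_user is not None and link_user != region_user
    if userauth == "LOCAL":
        return (link_user,) if distinct_link else (dfltuser,)
    if userauth == "DEFAULTUSER":
        return (link_user, dfltuser) if distinct_link else (dfltuser,)
    if userauth in ("IDENTIFY", "VERIFY"):
        if not transmitted_user:
            raise ValueError(f"USERAUTH({userauth}) needs the user ID sent by the TOR")
        if link_user is None:
            return (transmitted_user, dfltuser)
        if link_user == region_user:
            return (transmitted_user,)
        return (transmitted_user, link_user)
    raise ValueError(f"unknown USERAUTH value: {userauth}")

if __name__ == "__main__":
    # Constructed sample definitions: (name, LINKAUTH, SECURITYNAME, USERAUTH)
    samples = [("IPC1", "SECUSER", None, "LOCAL"),
               ("IPC2", "SECUSER", "USERIDB", "DEFAULTUSER"),
               ("IPC3", "SECUSER", "USERIDA", "IDENTIFY")]
    for name, linkauth, secname, userauth in samples:
        link = link_user_id(linkauth, secname)
        ids = checked_user_ids(userauth, "USERIDA", link, "CICSUSER", "TORUSER1")
        print(f"{name}: USERAUTH({userauth}) link={link} -> checked against {ids}")
```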