Security checking done in AOR with IPIC

The security checking done in the AOR depends on how LINKAUTH, SECURITYNAME, and USERAUTH are specified in the AOR.

The link user ID shown in Table 1, Table 2, and Table 3 is determined from the values of LINKAUTH and SECURITYNAME on the IPCONN definition. If LINKAUTH(SECUSER) is specified, the link user ID is determined from the SECURITYNAME attribute. If LINKAUTH(CERTUSER) is specified, the link user ID is determined by the external security manager, such as RACF®, which associates a user ID with the certificate passed by the TOR during the SSL handshake. LINKAUTH(SECUSER) is the default. The default value for SECURITYNAME is the default user ID.

If the link user ID is the same as the region user ID for the AOR, then the link is deemed to have the same security as the AOR, and link security is omitted altogether. The effect of omitted link security depends on the value specified with the USERAUTH attribute for the IPCONN in the AOR:
  • If USERAUTH(LOCAL) is specified, security checking is done using the link user ID only.
  • If USERAUTH(DEFAULTUSER) is specified, only the default user ID for the AOR is used.
  • If USERAUTH(IDENTIFY) or USERAUTH(VERIFY) is specified, the link user ID is not used. Only the user ID received from the TOR is used to determine security.
USERAUTH(LOCAL) is the default.

Neither the region user ID for the TOR, nor the link user ID associated with the TOR's IPCONN definition for the AOR, is relevant to security checking in the AOR.

The following table shows how checking is done when USERAUTH(LOCAL) is specified.

Table 1. USERAUTH(LOCAL)

Region user ID for AOR   Link user ID    Checking in AOR
USERIDA                  Not specified   Check against AOR DFLTUSER
USERIDA                  USERIDA         Check against AOR DFLTUSER
USERIDA                  USERIDB         Check against USERIDB

The following table shows how checking is done when USERAUTH(DEFAULTUSER) is specified.

Table 2. USERAUTH(DEFAULTUSER)

Region user ID for AOR   Link user ID    Checking in AOR
USERIDA                  Not specified   Check against AOR DFLTUSER
USERIDA                  USERIDA         Check against AOR DFLTUSER
USERIDA                  USERIDB         Check against USERIDB and AOR DFLTUSER

The following table shows how checking is done when USERAUTH(IDENTIFY) or USERAUTH(VERIFY) is specified.

Table 3. USERAUTH(IDENTIFY) and USERAUTH(VERIFY)

Region user ID for AOR   Link user ID    Checking in AOR
USERIDA                  Not specified   Transmitted user ID and AOR DFLTUSER
USERIDA                  USERIDA         Transmitted user ID only
USERIDA                  USERIDB         Transmitted user ID and USERIDB
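
The three tables above can be expressed as a small decision model for reviewing IPCONN settings. This is an added example, not IBM code: it follows the table rows literally, and the function names, dictionary keys, IPCONN names, the `cert_userid` input (standing in for the user ID the external security manager associates with the certificate) and the sample DFLTUSER value CICSUSER are assumptions made for illustration.

```python
TRANSMITTED = "<transmitted user ID>"  # stands for the user ID received from the TOR

def link_userid(linkauth="SECUSER", securityname=None, cert_userid=None):
    """Resolve the link user ID; None is the tables' 'Not specified' row."""
    if linkauth == "SECUSER":
        return securityname
    if linkauth == "CERTUSER":
        # Assumption: cert_userid is the user ID the external security manager
        # associates with the TOR's certificate; that lookup is not modelled.
        return cert_userid
    raise ValueError(f"unknown LINKAUTH value: {linkauth}")

def aor_checks(region, dfltuser, userauth="LOCAL", **link):
    """User IDs checked in the AOR for one IPCONN, row by row from Tables 1-3."""
    if userauth not in ("LOCAL", "DEFAULTUSER", "IDENTIFY", "VERIFY"):
        raise ValueError(f"unknown USERAUTH value: {userauth}")
    link_id = link_userid(**link)
    omitted = link_id == region  # same as region user ID: link security omitted
    if userauth in ("IDENTIFY", "VERIFY"):
        if omitted:
            return [TRANSMITTED]
        return [TRANSMITTED, dfltuser if link_id is None else link_id]
    if omitted or link_id is None:
        return [dfltuser]
    return [link_id] if userauth == "LOCAL" else [link_id, dfltuser]

def audit(region, dfltuser, ipconns):
    """Map each IPCONN name to (IDs checked, note) so weak links stand out."""
    report = {}
    for name, attrs in ipconns.items():
        link = {k: v for k, v in attrs.items() if k != "userauth"}
        link_id = link_userid(**link)
        note = ("link user ID not specified" if link_id is None
                else "link security omitted" if link_id == region else "")
        report[name] = (aor_checks(region, dfltuser, **attrs), note)
    return report

# Constructed sample definitions (names and user IDs are illustrative only).
SAMPLE = {
    "IPC1": {},
    "IPC2": {"userauth": "IDENTIFY", "securityname": "USERIDA"},
    "IPC3": {"userauth": "DEFAULTUSER", "securityname": "USERIDB"},
    "IPC4": {"userauth": "VERIFY", "linkauth": "CERTUSER", "cert_userid": "USERIDB"},
}

if __name__ == "__main__":
    for name, (ids, note) in audit("USERIDA", "CICSUSER", SAMPLE).items():
        print(f"{name}: {' and '.join(ids)} {('(' + note + ')') if note else ''}")
```

In a review, the entries worth a second look are those reported with a note: requests over such a link are checked against the default user ID alone, or against the transmitted user ID alone, with no distinct link user ID constraining them.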