LU mapping with multilevel security active
Telnet can run in a multilevel secure environment that uses security labels. For more information about preparing for IP networking in a multilevel secure environment, see Preparing for IP networking in a multilevel secure environment and z/OS Planning for Multilevel Security and the Common Criteria. To ensure correct security label comparisons, Network Access Control (NAC) must also be active for Telnet. For more information about NAC, see Network Access Control.
If multilevel security is active, Telnet ensures the security label of the selected LU is compatible with the security label of the client.
- Telnet retrieves the security label of the client when the connection is accepted.
- Telnet assigns a security label to all LUGROUPs based on the first LU name in the group. The first single LU name in the group is used. If no single LU names exist, the first LU name within the first LU range is used.
- If multilevel security is active, an LUGROUP EXIT is required to have at least one LU name in the group. The LU name is used to obtain a security label for the group. The name is passed to the exit in the parameter list and can be used or ignored by the exit.
- A single LU name on a mapping statement is treated as an LUGROUP with one LU name. That LU name is used to obtain the security label for the LUGROUP created by Telnet.
When multilevel security is active, LU lookup uses the following process:
- The security label of the client is compared with that of the mapped LUGROUP. If the group is compatible, Telnet searches for an available LU in the group. If not compatible, the LUGROUP is skipped.
- Telnet retrieves the security label of the selected LU and compares it with the security label of the LUGROUP. If the selected LU is not compatible with the LUGROUP, the LU is deactivated and no other LU in the group is tried.
- If the LUGROUP was not compatible or no LU was available, the steps are repeated for each mapped LUGROUP until an LU is found or all LUGROUPs are checked.
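The lookup described above can be traced with a small model. This is an added illustration, not IBM code: the group and LU names and the labels are constructed, plain label equality stands in for the real compatibility check, and both the search order within a group and moving on to the next mapped LUGROUP after a deactivation are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class LuGroup:
    name: str
    singles: list                               # single LU names, in order
    ranges: list = field(default_factory=list)  # each range as a list of LU names

    def label_source(self):
        # First single LU name; if none exist, first LU name of the first range.
        return self.singles[0] if self.singles else self.ranges[0][0]

    def members(self):
        # Search order is an assumption of this model.
        return self.singles + [lu for r in self.ranges for lu in r]

def select_lu(client_label, groups, lu_labels, in_use,
              compatible=lambda a, b: a == b):  # equality: assumed stand-in
    """Return (selected LU or None, list of LUs deactivated on the way)."""
    deactivated = []
    for group in groups:
        group_label = lu_labels[group.label_source()]
        if not compatible(client_label, group_label):
            continue                    # incompatible LUGROUP is skipped
        for lu in group.members():
            if lu in in_use:
                continue                # not available
            if compatible(lu_labels[lu], group_label):
                return lu, deactivated
            deactivated.append(lu)      # selected LU disagrees with its group
            break                       # no other LU in this group is tried
    return None, deactivated

def demo():
    # Constructed sample data: labels and LU names are made up.
    lu_labels = {"LUA01": "UNCLASS", "LUA02": "UNCLASS",
                 "LUB01": "SECRET", "LUB02": "UNCLASS", "LUB03": "SECRET",
                 "LUC01": "SECRET"}
    groups = [LuGroup("GRPA", [], [["LUA01", "LUA02"]]),
              LuGroup("GRPB", ["LUB01", "LUB02", "LUB03"]),
              LuGroup("GRPC", ["LUC01"])]
    return select_lu("SECRET", groups, lu_labels, in_use={"LUB01"})

if __name__ == "__main__":
    print(demo())  # ('LUC01', ['LUB02'])
```

In the sample, one LU whose label differs from its group's label (LUB02) costs the whole group: LUB03 carries the right label but is never tried, so LUs in a group should all carry the same security label as the LU that labels the group.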