Event 26(1A): APPCLU

This event is logged by RACROUTE REQUEST=AUDIT,EVENT='APPCLU'. This event applies to establishing a session between two logical units (referred to as the local LU and the partner LU) in accordance with the System Network Architecture (SNA). VTAM® and CICS® call RACF® for security information stored in general resource profiles in the APPCLU class.

Each profile contains an 8-byte session key that is used in verification; the two LUs must have corresponding profiles with identical keys so that the handshaking of encrypted data is successful.

The explanations of the event code qualifiers for Event 26 are:

 0(0)

PARTNER VERIFICATION WAS SUCCESSFUL The handshaking was successful. The LUs established a connection.

 1(1)

SESSION ESTABLISHED WITHOUT VERIFICATION No handshaking was done, but the LUs were still allowed to establish a connection, with the knowledge that the partners were not verified.

 2(2)

LOCAL LU KEY WILL EXPIRE IN 5 DAYS OR LESS The handshaking was successful; this qualifier was set to tell users when the local LU's session key would expire.

 3(3)

PARTNER LU ACCESS HAS BEEN REVOKED Too many unsuccessful attempts were made at matching the session key.

 4(4)

PARTNER LU KEY DOES NOT MATCH THIS LU KEY An attempt was made to establish a session, but the session keys did not match. For example, the two sets of identical data encrypted with the two keys did not match.

 5(5)

SESSION TERMINATED FOR SECURITY REASONS One or both of the APPCLU profiles involved have the keyword LOCK specified in their session information, preventing any connections from being made. This keyword enables the security administrator to temporarily prevent specific connections without deleting any profiles.

 6(6)

REQUIRED SESSION KEY NOT DEFINED The local LU had VERIFY=REQUIRED coded on its APPL statement, indicating that session level verification must be used on all sessions with the LU. One of the following occurred:

• The local LU is the primary LU and no password was defined in RACF for the LU pair.
• The partner LU is the primary LU, but the bind it sent to the local LU did not contain random data (which would indicate that the partner is using session level verification also).

 7(7)

POSSIBLE SECURITY ATTACK BY PARTNER LU The local LU sent out a random number to another LU as part of the handshaking process of establishing a session. That same number then came in from a third LU for the local LU to encrypt. It is a coincidence that the same number is chosen; the number is 64 bits of random data.

It may be that an unauthorized user is attempting to steal the encrypted response.

 8(8)

SESSION KEY NOT DEFINED FOR PARTNER LU The local LU had VERIFY=OPTIONAL coded on its APPL statement. There was a password defined in the local LU's RACF profile for the LU-LU pair, indicating that session level verification should be used on all sessions between the two LUs. However, the partner LU tried to start a session without using session level verification.

 9(9)

SESSION KEY NOT DEFINED FOR THIS LU The local LU had VERIFY=OPTIONAL coded on its APPL statement. No password was defined in the local LU's RACF profile for the LU-LU pair, indicating that session level verification may not be used to establish sessions with this LU. However, the partner LU tried to establish a session using session level verification.

10(A)

SNA SECURITY-RELATED PROTOCOL ERROR The LU trying to establish a connection is not responding correctly according to the handshaking protocol.

11(B)

PROFILE CHANGE DURING VERIFICATION The handshaking was attempted, but it is evident that one of the LU's profiles (specifically the session key) changed in the middle of the handshaking, making its success impossible.

12(C)

EXPIRED SESSION KEY The session key in one or both of the APPCLU profiles has expired.