MODIFY SECURITY command
Increase the cryptography specification for an LU:
Notes:
- 1. ENCRTYPE cannot be lowered. If the current value is TDES24, MODIFY SECURITY ENCRTYPE=DES is not allowed.
Abbreviations

Operand | Abbreviation
---|---
MODIFY | F
ALTERNATE | ALT
PRIMARY | PRIM
Purpose
The MODIFY SECURITY command is a superset of the MODIFY ENCR command. Using this command, you can change the cryptographic and the message authentication requirements for application program logical units and device-type logical units.
Operands
- procname
- The procedure name for the command. If procname in the START command was specified as startname.ident, where startname is the VTAM® start procedure and ident is the optional identifier, either startname.ident or ident can be specified for procname. If procname in the START command was startname, startname must be specified for procname.
- CERTIFY=YES
- Indicates that SLU authentication (verifying that the SLU is using the same cryptographic key as the PLU) is to be performed by the PLU, if encryption is being used.
- CKEY
- Indicates whether VTAM is to use the primary or alternate cryptographic key name to generate cryptographic session keys for this logical unit. This indicator is initialized to PRIMARY, and cannot be explicitly set with the LU definition statement. If you do not specify CKEY, the current CKEY value is unchanged. CKEY affects only the secondary logical unit (SLU) key; it does not affect the cross-domain (CP/SSCP) keys.
- CKEY=ALTERNATE
- Specifies that VTAM use the alternate cryptographic key name to generate cryptographic session keys. The alternate name is either the name on the LU definition statement or the value of the CKEYNAME operand with the suffix .ALT. For example, name.ALT.
- CKEY=PRIMARY
- Specifies that VTAM use the primary cryptographic key name to generate cryptographic session keys. The primary name is either the name on the LU definition statement or the value of the CKEYNAME operand.
- ENCR
- Specifies the new cryptography specifications of the logical unit. Note: The level of the cryptography specification can only be raised. Any attempt to lower the level is rejected. The new level is effective for all future sessions involving the logical unit; existing active or pending sessions are not affected.
- ENCR=OPT
- Raises the level of the logical unit's cryptography specification from no cryptography to optional (capable of cryptography).
- ENCR=COND
- Raises the level of the logical unit's cryptography specification from no cryptography or optional to required (that is, all user sessions must be encrypted) if both sides support encryption. If the session partner does not support encryption, the session does not fail; instead, a session is established with no encryption of data.
- ENCR=REQD
- Raises the level of the logical unit's cryptography specification from no cryptography or optional (or selective or conditional for application programs) to required (that is, all user sessions must be encrypted).
- ENCRTYPE
- Specifies the minimum type of encryption that VTAM should use on behalf of the logical unit when performing session level encryption. The new ENCRTYPE level is effective for all subsequent sessions involving the logical unit; currently active or pending sessions are not affected.
- ENCRTYPE=DES
- Specifies that VTAM must use a minimum of DES encryption with an 8-byte key when performing session level encryption. This is the default. Note: If the current value is ENCRTYPE=TDES24, then ENCRTYPE=DES is not allowed.
- ENCRTYPE=TDES24
- Specifies that VTAM must use a minimum of Triple-DES encryption with a 24-byte key when performing session level encryption.
Note: When the DES method of message authentication (MACTYPE=DES) is also in use for this application or LU, the encryption type used as part of the message authentication logic is determined by the ENCRTYPE keyword. The ENCRTYPE keyword defaults to DES, which is the type of encryption VTAM currently uses in message authentication. However, if ENCRTYPE=TDES24, message authentication uses a minimum of Triple-DES with a 24-byte key when calculating the MAC.
- ID=lu_name
- Specifies the name of the LU whose security specification you want to change. Tip: If you are specifying a model resource (APPL or CDRSC), you can use wildcard characters in the name you specify. The use of wildcard characters on the ID operand does not depend on the value of the DSPLYWLD start option. For model resources, any current clone resources are unaffected by this command, but future clone resources and their sessions are affected. The ID must represent the type of LU that can be modified by the remaining operands:

Operand | LU type that can be modified
---|---
CKEY | Device-type LU
ENCR | Application program, device-type LU, or CDRSC
ENCRTYPE | Application program, device-type LU, or CDRSC
MAC | Application program LU
MACTYPE | Application program LU
MACLNTH | Application program LU
- MAC
- Specifies the new message authentication specifications for the logical unit (application program or device). The value you specify must be higher than the current value. Any attempt to lower the level is rejected. MAC values, in ascending order, are:
- NONE
- COND (conditional)
- REQD (required)
The new MAC level is effective for all subsequent sessions involving the logical unit; currently active or pending sessions are not affected. If you do not specify the MAC operand, the current MAC value is unchanged.
- MAC=COND
- Raises the level of the application program message authentication specifications from NONE to COND (conditional); that is, if the session partners are MAC capable, each side uses message authentication codes. If one session partner does not support the function, the session does not fail; instead, a session is established but without any message authentication of data.
- MAC=REQD
- Raises the level of the message authentication specification of an application program or logical unit from NONE or conditional (COND), to required; that is, all user sessions must use message authentication codes.
- MACLNTH
- Specifies the minimum length, in bytes, of the message authentication code that is to be generated. For MACTYPE=DES, valid values are 4, 6, or 8. For MACTYPE=CRC, valid values are 2 or 4.
- MACTYPE
- Specifies the method to use when message authentication codes are created and checked.
- MACTYPE=CRC
- Specifies that an internal VTAM service is used to create a cyclic redundancy check (CRC) for data on the specified conversation.
- MACTYPE=DES
- Specifies that VTAM uses message authentication code services as provided in the Common Cryptographic Architecture (CCA) specification. The message authentication code calculation support is described in the ANSI X9.9 standard.
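The rules above (levels can only be raised, ENCRTYPE cannot drop from TDES24 to DES, MACLNTH depends on MACTYPE, and each operand applies only to certain LU types) can be checked before a command is issued. The following is an added example, not code from the IBM documentation or from VTAM itself; it assumes the command is entered as `F procname,SECURITY,ID=lu_name,OPERAND=value,...` and uses the constructed LU type names APPL, DEVICE and CDRSC.

```python
# Added example (not from the IBM page): a model of the MODIFY SECURITY rules
# on this page, so a planned operator command can be checked offline.
# Assumed syntax: "F procname,SECURITY,ID=lu_name,OPERAND=value,...".

# Ascending levels; a lower rank cannot be set once a higher one is current.
# SEL (selective, application programs only) sits with COND below REQD.
ENCR_ORDER = {"NONE": 0, "OPT": 1, "SEL": 2, "COND": 2, "REQD": 3}
ENCRTYPE_ORDER = {"DES": 0, "TDES24": 1}
MAC_ORDER = {"NONE": 0, "COND": 1, "REQD": 2}
MACLNTH_VALID = {"DES": {4, 6, 8}, "CRC": {2, 4}}
# LU types each operand may target (the ID operand table); constructed labels.
OPERAND_LU_TYPES = {
    "CKEY": {"DEVICE"},
    "ENCR": {"APPL", "DEVICE", "CDRSC"},
    "ENCRTYPE": {"APPL", "DEVICE", "CDRSC"},
    "MAC": {"APPL"}, "MACTYPE": {"APPL"}, "MACLNTH": {"APPL"},
}
LEVELS = {"ENCR": ENCR_ORDER, "ENCRTYPE": ENCRTYPE_ORDER, "MAC": MAC_ORDER}


def check_modify_security(lu_type, current, new):
    """Return the reasons the change would be rejected (empty list = allowed).

    `current` and `new` map operand names to values, e.g. {"ENCR": "OPT"}.
    Operands absent from `current` are taken to be at their lowest level.
    """
    errors = []
    for operand, value in new.items():
        if lu_type not in OPERAND_LU_TYPES.get(operand, set()):
            errors.append(f"{operand} cannot be modified for LU type {lu_type}")
        if operand in LEVELS:
            order = LEVELS[operand]
            cur = current.get(operand, min(order, key=order.get))
            if value not in order:
                errors.append(f"{operand}={value} is not a valid value")
            elif order[value] < order[cur]:
                errors.append(f"{operand}={value} would lower the level from {cur}")
            elif operand == "MAC" and order[value] == order[cur]:
                errors.append(f"MAC={value} is not higher than the current {cur}")
    if "MACLNTH" in new:  # valid lengths depend on the (new or current) MACTYPE
        mactype = new.get("MACTYPE", current.get("MACTYPE"))
        if new["MACLNTH"] not in MACLNTH_VALID.get(mactype, set()):
            errors.append(f"MACLNTH={new['MACLNTH']} is not valid for MACTYPE={mactype}")
    return errors


def build_command(procname, lu_name, new):
    """Render the operator command for an already-checked set of operands."""
    operands = ",".join(f"{k}={v}" for k, v in new.items())
    return f"F {procname},SECURITY,ID={lu_name},{operands}"
```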