MODIFY SECURITY command

Increase the cryptography specification for an LU:

>>-MODIFY-- --procname--,--SECURITY--,--ID--=--lu_name---------->

                                               (1)     
                         .-,--ENCRTYPE--=--DES-----.   
>--,--ENCR--=--+-COND-+--+-------------------------+-----------><
               +-OPT--+  '-,--ENCRTYPE--=--TDES24--'   
               '-REQD-'                                

Notes:
  1. ENCRTYPE cannot be downlevel. If the current value is TDES24, MODIFY SECURITY ENCRTYPE=DES will not be allowed.
Modify which cryptographic key name is used for an LU:

>>-MODIFY-- --procname--,--SECURITY--,--ID--=--lu_name---------->

>--,--CKEY--=--+-ALTERNATE-+-----------------------------------><
               '-PRIMARY---'   

Initiate SLU authentication for an LU:

>>-MODIFY-- --procname--,--SECURITY--,--ID--=--lu_name---------->

>--,--CERTIFY--=--YES------------------------------------------><

Increase the message authentication specification for an LU:

>>-MODIFY-- --procname--,--SECURITY--,--ID--=--lu_name---------->

>--,--MAC--=--+-COND-+------------------------------------------>
              '-REQD-'   

>--+--------------------------------------------------+--------><
   '-,--MACTYPE--=--+-CRC--+----------------------+-+-'   
                    |      '-,--MACLNTH--=--+-2-+-' |     
                    |                       '-4-'   |     
                    '-DES--+----------------------+-'     
                           '-,--MACLNTH--=--+-4-+-'       
                                            +-6-+         
                                            '-8-'         

Abbreviations

Operand     Abbreviation
MODIFY      F
ALTERNATE   ALT
PRIMARY     PRIM

Purpose

The MODIFY SECURITY command is a superset of the MODIFY ENCR command. Using this command, you can change the cryptographic and the message authentication requirements for application program logical units and device-type logical units.

Operands

procname
The procedure name for the command. If procname in the START command was specified as startname.ident, where startname is the VTAM® start procedure and ident is the optional identifier, either startname.ident or ident can be specified for procname.

If procname in the START command was startname, startname must be specified for procname.

CERTIFY=YES
Indicates that SLU authentication (verifying that the SLU is using the same cryptographic key as the PLU) is to be performed by the PLU, if encryption is being used.
CKEY
Indicates whether VTAM is to use the primary or alternate cryptographic key name to generate cryptographic session keys for this logical unit.

This indicator is initialized to PRIMARY, and cannot be explicitly set with the LU definition statement. If you do not specify CKEY, the current CKEY value is unchanged.

CKEY affects only the secondary logical unit (SLU) key; it does not affect the cross domain (CP/SSCP) keys.
CKEY=ALTERNATE
Specifies that VTAM use the alternate cryptographic key name to generate cryptographic session keys. The alternate name is either the name on the LU definition statement or the value of the CKEYNAME operand with the suffix .ALT. For example, name.ALT.
CKEY=PRIMARY
Specifies that VTAM use the primary cryptographic key name to generate cryptographic session keys. The primary name is either the name on the LU definition statement or the value of the CKEYNAME operand.
ENCR
Specifies the new cryptography specifications of the logical unit.
Note: The level of the cryptography specification can only be raised. Any attempt to lower the level is rejected. The new level is effective for all future sessions involving the logical unit; existing active or pending sessions are not affected.
ENCR=OPT
Raises the level of the logical unit's cryptography specification from no cryptography to optional (capable of cryptography).
ENCR=COND
Raises the level of the logical unit's cryptography specification from no cryptography or optional to required (that is, all user sessions must be encrypted) if both sides support encryption. If the session partner does not support encryption, the session does not fail; instead, a session is established with no encryption of data.
ENCR=REQD
Raises the level of the logical unit's cryptography specification from no cryptography or optional (or selective or conditional for application programs) to required (that is, all user sessions must be encrypted).
ENCRTYPE
Specifies the minimum type of encryption that VTAM should use on behalf of the logical unit when performing session level encryption. The new ENCRTYPE level is effective for all subsequent sessions involving the logical unit; currently active or pending sessions are not affected.
ENCRTYPE=DES
Specifies that VTAM must use a minimum of DES encryption with an 8-byte key when performing session level encryption. This is the default.
Note: If the current value of ENCRTYPE=TDES24, then ENCRTYPE=DES will not be allowed.
ENCRTYPE=TDES24
Specifies that VTAM must use a minimum of Triple-DES encryption with a 24-byte key when performing session level encryption.
Note: When the DES method of message authentication (MACTYPE=DES) is also in use for this application or LU, the encryption type used as part of the message authentication logic is determined by the ENCRTYPE keyword. The ENCRTYPE keyword defaults to DES, which is the type of encryption VTAM currently uses in message authentication. However, if ENCRTYPE=TDES24, message authentication will use a minimum of Triple-DES with a 24-byte key when calculating the MAC.
ID=lu_name
Specifies the name of the LU whose security specification you want to change.
Tip: If you are specifying a model resource (APPL or CDRSC), you can use wildcard characters in the name you specify. The use of wildcard characters on the ID operand does not depend on the value of the DSPLYWLD start option. For model resources, any current clone resources are unaffected by this command, but future clone resources and their sessions are affected.
The ID must represent the type of LU that can be modified by the remaining operands:
  • CKEY: device-type LU
  • ENCR: application program, device-type LU, or CDRSC
  • ENCRTYPE: application program, device-type LU, or CDRSC
  • MAC: application program LU
  • MACTYPE: application program LU
  • MACLNTH: application program LU
MAC
Specifies the new message authentication specifications for the logical unit (application program or device). The value you specify must be higher than the current value. Any attempt to lower the level is rejected.
MAC values, in ascending order, are:
  • NONE
  • COND (conditional)
  • REQD (required)
The new MAC level is effective for all subsequent sessions involving the logical unit; currently active or pending sessions are not affected. If you do not specify the MAC operand, the current MAC value is unchanged.
MAC=COND
Raises the level of the application program message authentication specifications from NONE to COND (conditional); that is, if the session partners are MAC capable, each side uses message authentication codes. If one session partner does not support the function, the session does not fail; instead, a session is established but without any message authentication of data.
MAC=REQD
Raises the level of the message authentication specification of an application program or logical unit from NONE or conditional (COND), to required; that is, all user sessions must use message authentication codes.
MACLNTH
Specifies the minimum length, in bytes, of the message authentication code that is to be generated. For MACTYPE=DES, valid values are 4, 6, or 8. For MACTYPE=CRC, valid values are 2 or 4.
MACTYPE
Specifies the method to use when message authentication codes are created and checked.
MACTYPE=CRC
Specifies that an internal VTAM service is used to create a cyclic redundancy check (CRC) for data on the specified conversation.
MACTYPE=DES
Specifies that VTAM uses message authentication code services as provided in the Common Cryptographic Architecture (CCA) specification. The message authentication code calculation support is described in the ANSI X9.9 standard.
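The operand descriptions above state several rules that a change request can violate: ENCR and MAC may only be raised, ENCRTYPE may not be taken downlevel (TDES24 to DES is rejected), MACLNTH must fit the MACTYPE, each operand applies only to certain LU types, and the four syntax diagrams allow only certain operand combinations. The following checker is an added example, not part of this reference page or of VTAM, that models those rules so a proposed MODIFY SECURITY command can be validated against an LU's current settings before it is issued. The LUState record, the LU-type labels (APPL, DEVICE, CDRSC), the procname NET and the strict reading of "raises the level" as "must be higher than the current value" are assumptions of this example.

```python
# Added example, not from the IBM reference page: models the MODIFY SECURITY rules in the
# Operands section so a proposed command can be checked against an LU's current settings.
# The LUState record, the LU-type labels and the strict reading of "raises the level"
# are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered levels: a command may only move rightwards in these lists.
ENCR_LEVELS = ["NONE", "OPT", "COND", "REQD"]
ENCRTYPE_LEVELS = ["DES", "TDES24"]
MAC_LEVELS = ["NONE", "COND", "REQD"]
MACLNTH_BY_MACTYPE = {"CRC": {2, 4}, "DES": {4, 6, 8}}   # MACLNTH operand description
VALID_VALUES = {
    "ENCR": set(ENCR_LEVELS[1:]), "ENCRTYPE": set(ENCRTYPE_LEVELS), "MAC": set(MAC_LEVELS[1:]),
    "CKEY": {"PRIMARY", "ALTERNATE"}, "CERTIFY": {"YES"}, "MACTYPE": set(MACLNTH_BY_MACTYPE),
}
# LU types each operand may be applied to (ID operand description); labels are constructed.
OPERAND_LU_TYPES = {
    "CKEY": {"DEVICE"}, "ENCR": {"APPL", "DEVICE", "CDRSC"}, "ENCRTYPE": {"APPL", "DEVICE", "CDRSC"},
    "MAC": {"APPL"}, "MACTYPE": {"APPL"}, "MACLNTH": {"APPL"},
}
# The four forms in the syntax diagrams as (required, optional) operand sets.
COMMAND_FORMS = [({"ENCR"}, {"ENCRTYPE"}), ({"CKEY"}, set()), ({"CERTIFY"}, set()),
                 ({"MAC"}, {"MACTYPE", "MACLNTH"})]
ABBREV = {"ALT": "ALTERNATE", "PRIM": "PRIMARY"}


@dataclass
class LUState:
    """Current security settings of one LU; field names mirror the operand names."""
    lu_type: str                 # "APPL", "DEVICE" or "CDRSC"
    encr: str = "NONE"
    encrtype: str = "DES"        # documented default
    ckey: str = "PRIMARY"        # documented initial value
    mac: str = "NONE"
    mactype: Optional[str] = None
    maclnth: Optional[int] = None
    certify: bool = False


def parse_modify_security(cmd: str) -> Tuple[str, Dict[str, str]]:
    """Split 'F procname,SECURITY,ID=lu,OP=value,...' into (lu_name, {OP: value})."""
    parts = [p.strip().upper() for p in cmd.split(",")]
    head = parts[0].split()
    if len(head) != 2 or head[0] not in ("MODIFY", "F"):
        raise ValueError("command must begin with MODIFY or F followed by procname")
    if len(parts) < 3 or parts[1] != "SECURITY":
        raise ValueError("second positional operand must be SECURITY")
    operands: Dict[str, str] = {}
    for item in parts[2:]:
        if "=" not in item:
            raise ValueError(f"operand without a value: {item}")
        key, value = item.split("=", 1)
        operands[key] = ABBREV.get(value, value)
    if "ID" not in operands:
        raise ValueError("ID=lu_name is required")
    return operands.pop("ID"), operands


def check_modify_security(cmd: str, lus: Dict[str, LUState]) -> List[str]:
    """Return the problems the command would hit; an empty list means it is accepted."""
    lu_name, ops = parse_modify_security(cmd)
    lu = lus.get(lu_name)
    if lu is None:
        return [f"unknown LU {lu_name}"]
    problems: List[str] = []
    keys = set(ops)
    if not any(req <= keys <= req | opt for req, opt in COMMAND_FORMS):
        problems.append(f"operands {sorted(keys)} match none of the command forms")
    for op in sorted(keys):
        if op in OPERAND_LU_TYPES and lu.lu_type not in OPERAND_LU_TYPES[op]:
            problems.append(f"{op} is not valid for a {lu.lu_type} LU")
        if op in VALID_VALUES and ops[op] not in VALID_VALUES[op]:
            problems.append(f"{op}={ops[op]} is not a valid value")
    # ENCR and MAC must be strictly higher than the current level; ENCRTYPE may stay
    # equal but may not go downlevel (TDES24 -> DES is rejected).
    for op, levels, cur, strict in (("ENCR", ENCR_LEVELS, lu.encr, True),
                                    ("MAC", MAC_LEVELS, lu.mac, True),
                                    ("ENCRTYPE", ENCRTYPE_LEVELS, lu.encrtype, False)):
        if ops.get(op) in VALID_VALUES[op]:
            delta = levels.index(ops[op]) - levels.index(cur)
            if delta < 0:
                problems.append(f"{op}={ops[op]} would downlevel the current {cur}")
            elif strict and delta == 0:
                problems.append(f"{op}={ops[op]} does not raise the current {cur}")
    if "MACLNTH" in ops:    # in the diagram MACLNTH is nested under MACTYPE
        valid = MACLNTH_BY_MACTYPE.get(ops.get("MACTYPE", ""), set())
        if not ops["MACLNTH"].isdigit() or int(ops["MACLNTH"]) not in valid:
            problems.append(f"MACLNTH={ops['MACLNTH']} is not valid for MACTYPE={ops.get('MACTYPE')}")
    return problems


def apply_modify_security(cmd: str, lus: Dict[str, LUState]) -> LUState:
    """Record an accepted command in the LU state, or raise ValueError listing the problems."""
    problems = check_modify_security(cmd, lus)
    if problems:
        raise ValueError("; ".join(problems))
    lu_name, ops = parse_modify_security(cmd)
    lu = lus[lu_name]
    for op, value in ops.items():
        setattr(lu, op.lower(), True if op == "CERTIFY" else int(value) if op == "MACLNTH" else value)
    return lu


if __name__ == "__main__":
    # Constructed sample LUs; the procname NET and the LU names are placeholders.
    lus = {"APPL01": LUState("APPL"), "LU3270A": LUState("DEVICE")}
    apply_modify_security("F NET,SECURITY,ID=APPL01,ENCR=COND,ENCRTYPE=TDES24", lus)
    print(check_modify_security("F NET,SECURITY,ID=APPL01,ENCR=REQD,ENCRTYPE=DES", lus))
```

Running the module raises APPL01 to ENCR=COND with TDES24 and then reports that a follow-up command with ENCRTYPE=DES would downlevel it, which is the case the note under ENCRTYPE=DES describes. The checker deliberately does not model the "future sessions only" behaviour, since that depends on live session state rather than on the command text.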