Abbreviations

| Operand | Abbreviation |
|---|---|
| MODIFY | F |
| ALTERNATE | ALT |
| PRIMARY | PRIM |
Purpose
The MODIFY SECURITY command is a superset of the MODIFY ENCR command. Using this command, you can change the cryptographic and the message authentication requirements for application program logical units and device-type logical units.
Operands
- procname
- The procedure name for the command. If procname in the START command was specified as startname.ident, where startname is the VTAM® start procedure and ident is the optional identifier, either startname.ident or ident can be specified for procname. If procname in the START command was startname, startname must be specified for procname.
- CERTIFY=YES
- Indicates that SLU authentication (verifying that the SLU is using
the same cryptographic key as the PLU) is to be performed by the PLU,
if encryption is being used.
- CKEY
- Indicates whether VTAM is to use the primary or alternate cryptographic key name to generate cryptographic session keys for this logical unit. This indicator is initialized to PRIMARY, and cannot be explicitly set with the LU definition statement. If you do not specify CKEY, the current CKEY value is unchanged. CKEY affects only the secondary logical unit (SLU) key; it does not affect the cross domain (CP/SSCP) keys.
- CKEY=ALTERNATE
- Specifies that VTAM use the alternate cryptographic key name to generate cryptographic session keys. The alternate name is either the name on the LU definition statement or the value of the CKEYNAME operand with the suffix .ALT. For example, name.ALT.
- CKEY=PRIMARY
- Specifies that VTAM use the primary cryptographic key name to generate cryptographic session keys. The primary name is either the name on the LU definition statement or the value of the CKEYNAME operand.
- ENCR
- Specifies the new cryptography specifications of the logical unit.
Note: The level of the cryptography specification can only be raised. Any attempt to lower the level is rejected. The new level is effective for all future sessions involving the logical unit; existing active or pending sessions are not affected.
- ENCR=OPT
- Raises the level of the logical unit's cryptography specification
from no cryptography to optional (capable of cryptography).
- ENCR=COND
- Raises the level of the logical unit's cryptography specification
from no cryptography or optional to required (that is, all user sessions
must be encrypted) if both sides support encryption. If the session
partner does not support encryption, the session does not fail; instead,
a session is established with no encryption of data.
- ENCR=REQD
- Raises the level of the logical unit's cryptography specification
from no cryptography or optional (or selective or conditional for
application programs) to required (that is, all user sessions must
be encrypted).
- ENCRTYPE
- Specifies the minimum type of encryption that VTAM should use on behalf of the logical unit when performing session level encryption. The new ENCRTYPE level is effective for all subsequent sessions involving the logical unit; currently active or pending sessions are not affected.
- ENCRTYPE=DES
- Specifies that VTAM must use a minimum of DES encryption with an 8-byte key when performing session level encryption. This is the default.
Note: If the current value is ENCRTYPE=TDES24, then ENCRTYPE=DES is not allowed.
- ENCRTYPE=TDES24
- Specifies that VTAM must use a minimum of Triple-DES encryption with a 24-byte key when performing session level encryption.
Note: When the DES method of message authentication (MACTYPE=DES) is also in use for this application or LU, the encryption type used as part of the message authentication logic is determined by the ENCRTYPE keyword. The ENCRTYPE keyword defaults to DES, and this is the type of encryption VTAM currently uses in message authentication. However, if ENCRTYPE=TDES24, message authentication will use a minimum of Triple-DES with a 24-byte key when calculating the MAC.
- ID=lu_name
- Specifies the name of the LU whose security specification you want to change.
Tip: If you are specifying a model resource (APPL or CDRSC), you can use wildcard characters in the name you specify. The use of wildcard characters on the ID operand does not depend on the value of the DSPLYWLD start option. For model resources, any current clone resources are unaffected by this command, but future clone resources and their sessions are affected.
The ID must represent the type of LU that can be modified by the remaining operands:

| Operand | LU type that can be modified |
|---|---|
| CKEY | Device-type LU |
| ENCR | Application program, device-type LU, or CDRSC |
| ENCRTYPE | Application program, device-type LU, or CDRSC |
| MAC | Application program LU |
| MACTYPE | Application program LU |
| MACLNTH | Application program LU |
- MAC
- Specifies the new message authentication specifications for the logical unit (application program or device). The value you specify must be higher than the current value. Any attempt to lower the level is rejected. MAC values, in ascending order, are:
  - NONE
  - COND (conditional)
  - REQD (required)
  The new MAC level is effective for all subsequent sessions involving the logical unit; currently active or pending sessions are not affected. If you do not specify the MAC operand, the current MAC value is unchanged.
- MAC=COND
- Raises the level of the application program message authentication
specifications from NONE to COND (conditional); that is, if the session
partners are MAC capable, each side uses message authentication codes.
If one session partner does not support the function, the session
does not fail; instead, a session is established but without any message
authentication of data.
- MAC=REQD
- Raises the level of the message authentication specification of
an application program or logical unit from NONE or conditional (COND),
to required; that is, all user sessions must use message authentication
codes.
- MACLNTH
- Specifies the minimum length, in bytes, of the message authentication
code that is to be generated. For MACTYPE=DES, valid values
are 4, 6, or 8. For MACTYPE=CRC, valid values are 2 or 4.
- MACTYPE
- Specifies the method to use when message authentication codes
are created and checked.
- MACTYPE=CRC
- Specifies that an internal VTAM service
is used to create a cyclic redundancy check (CRC) for data on the
specified conversation.
- MACTYPE=DES
- Specifies that VTAM uses message authentication code services as provided in the Common Cryptographic Architecture (CCA) specification. The message authentication code calculation support is described in the ANSI X9.9 standard.
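As an added example (not IBM's code and not part of this reference), the Python below models the acceptance rules stated for the operands above, so a planned change can be pre-checked against an LU's current settings before the operator command is issued. The LU type labels (APPL, DEVICE, CDRSC), the starting level assumed when an operand has never been set, and the rendered command layout are assumptions made for illustration.

```python
ENCR_ORDER = ["NONE", "OPT", "COND", "REQD"]        # cryptography levels, ascending
ENCRTYPE_ORDER = ["DES", "TDES24"]                  # encryption strength, ascending (DES is the default)
MAC_ORDER = ["NONE", "COND", "REQD"]                # message authentication levels, ascending
MACLNTH_VALID = {"DES": {4, 6, 8}, "CRC": {2, 4}}   # valid MACLNTH values per MACTYPE
ABBREV = {"ALT": "ALTERNATE", "PRIM": "PRIMARY"}    # accepted CKEY abbreviations
# LU types each operand may modify (from the ID operand table). The type
# labels are illustrative, not VTAM identifiers.
APPLIES_TO = {
    "CKEY": {"DEVICE"},
    "ENCR": {"APPL", "DEVICE", "CDRSC"},
    "ENCRTYPE": {"APPL", "DEVICE", "CDRSC"},
    "MAC": {"APPL"}, "MACTYPE": {"APPL"}, "MACLNTH": {"APPL"},
}

def check_modify_security(lu_type, current, new):
    """Return the reasons the change would be rejected ([] means accepted).
    `current` and `new` map operand -> value; `new` holds only the operands
    named on the command, so anything omitted keeps its current value."""
    new = {k: ABBREV.get(v, v) for k, v in new.items()}
    errors = []
    for operand in new:
        if operand not in APPLIES_TO:
            errors.append(f"{operand}: not a MODIFY SECURITY operand")
        elif lu_type not in APPLIES_TO[operand]:
            errors.append(f"{operand}: cannot be modified for a {lu_type} LU")
    # ENCR, ENCRTYPE and MAC can only be raised; MAC must be strictly higher.
    for operand, order in (("ENCR", ENCR_ORDER), ("ENCRTYPE", ENCRTYPE_ORDER), ("MAC", MAC_ORDER)):
        if operand in new and lu_type in APPLIES_TO[operand]:
            cur, req = current.get(operand, order[0]), new[operand]  # assumed default: lowest level
            if req not in order:
                errors.append(f"{operand}={req}: unknown level")
            elif order.index(req) < order.index(cur):
                errors.append(f"{operand}={req}: cannot lower from {cur}")
            elif operand == "MAC" and req == cur:
                errors.append(f"MAC={req}: must be higher than current {cur}")
    if "CKEY" in new and new["CKEY"] not in ("PRIMARY", "ALTERNATE"):
        errors.append(f"CKEY={new['CKEY']}: must be PRIMARY or ALTERNATE")
    # MACLNTH must be valid for the MACTYPE in effect after the command.
    mactype = new.get("MACTYPE", current.get("MACTYPE"))
    if "MACLNTH" in new and mactype in MACLNTH_VALID and new["MACLNTH"] not in MACLNTH_VALID[mactype]:
        errors.append(f"MACLNTH={new['MACLNTH']}: valid for MACTYPE={mactype} are {sorted(MACLNTH_VALID[mactype])}")
    return errors

def build_command(procname, lu_name, new):
    """Render the operator command in its abbreviated form (F = MODIFY); layout assumed."""
    ops = ",".join(f"{k}={ABBREV.get(v, v)}" for k, v in new.items())
    return f"F {procname},SECURITY,ID={lu_name},{ops}"
```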