MVS Security Overview

C-Cubed uses the z/OS APPC/MVS core component to establish connections to MVS. The task that APPC/MVS starts on behalf of a C-Cubed client runs under the security context of the logon ID and password supplied by the client. Because the C-Cubed server program runs under the user's security context, it needs no SAF checks or APF authorization of its own. Any request that the user makes from a C-Cubed client is limited automatically by the MVS security package (RACF, CA-TopSecret, CA-ACF2, etc.), since the user is running under their own security context (just like a batch job).

 

Here's a breakdown of the communications flow between a C-Cubed PC client and MVS:


  • The PC C-Cubed client initiates a connection to MVS using the supplied UID / PWD.

  • An encrypted request is sent via TCP/IP to the C3TCPSR1 task, requesting a new session for the client-supplied UID / PWD.  Note that the C3TCPSR1 task only initiates connections for C-Cubed clients; it processes no other C-Cubed client functionality.

  • The C3TCPSR1 task issues an ATBALC call to APPC/MVS, requesting a new session for the client-supplied UID / PWD.

  • The APPC/MVS task requests a new session from ASCH/MVS for the client-supplied UID / PWD.

  • ASCH/MVS starts a new session task, executing the C-Cubed C3MVSCOM APPC Transaction Program.  Note that this session task (named APPCTPC3) runs under the client-supplied UID / PWD security context.

  • The PC C-Cubed client can then issue requests to the new C3MVSCOM session task.  Note that the C3MVSCOM program requires no SAF checking / APF authorization, as it is running in the client-supplied security context.

It is the installation's responsibility to configure its MVS security package so that a user ID and password are required when connecting to MVS via APPC. This includes forcing SECACPT=CONV on VTAM LU definitions, setting specific user IDs for started tasks, etc. Please refer to your MVS security product's administration guide for how to set up and secure APPC/MVS work entering the system.
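One way to check the SECACPT=CONV requirement above across exported VTAMLST members, as an added example that is not C-Cubed's own code. It assumes APPL statements use the standard column-72 continuation; the LU names and the sample member are constructed.

```python
import re

def card(text, cont=False):
    """Build one record; a non-blank in column 72 continues the statement."""
    return text.ljust(71) + ("X" if cont else " ")

# Constructed sample VTAMLST member; LU names and operand values are made up.
SAMPLE = "\n".join([
    card("* APPC/MVS LUs (constructed sample)"),
    card("C3LU01   APPL  ACBNAME=C3LU01,APPC=YES,AUTOSES=0,", cont=True),
    card("               SECACPT=CONV"),
    card("C3LU02   APPL  ACBNAME=C3LU02,APPC=YES"),
    card("C3LU03   APPL  ACBNAME=C3LU03,APPC=YES,SECACPT=ALREADYV"),
    card("TSOA01   APPL  ACBNAME=TSOA01,AUTH=(ACQ,PASS)"),
])

def logical_statements(member):
    """Join continued records into one logical statement each."""
    buf = ""
    for rec in member.splitlines():
        if rec.startswith("*"):                  # comment record
            continue
        buf += rec[:71].strip() if buf else rec[:71].rstrip()
        if len(rec) > 71 and rec[71] != " ":     # column 72 set: more to come
            continue
        if buf:
            yield buf
        buf = ""

APPL = re.compile(r"^(\S+)\s+APPL\s+(\S+)")

def audit(member):
    """Return (lu_name, secacpt) for APPC LUs whose SECACPT is not CONV."""
    findings = []
    for stmt in logical_statements(member):
        m = APPL.match(stmt)
        if not m:
            continue
        name, operands = m.groups()
        # Simple split: sublists such as AUTH=(ACQ,PASS) are not needed here.
        ops = dict(kv.split("=", 1) for kv in operands.split(",") if "=" in kv)
        if ops.get("APPC", "NO") != "YES":       # only LU 6.2 (APPC) LUs matter
            continue
        secacpt = ops.get("SECACPT", "NONE")     # VTAM default when omitted
        if secacpt != "CONV":
            findings.append((name, secacpt))
    return findings

if __name__ == "__main__":
    for lu, value in audit(SAMPLE):
        print(f"{lu}: SECACPT={value}, expected CONV")
```

An APPL statement that omits SECACPT is reported as NONE, since that is what VTAM applies when the operand is not coded.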

Encryption Notes

Encryption of data transferred between the client and the server depends on the transport layer in use, either TCP or APPC. The APPC transport layer has both encryption and compression built in, but they are only enabled if the installation configures them. The TCP transport layer does not contain any built-in functionality for encryption or compression. In either case, the latest versions of the C-Cubed products that use the C-Cubed protocol have proprietary encryption built in.

It is the installation's responsibility to configure and enforce the use of encryption in the C-Cubed products that support it. Encryption is disabled by default and must be enabled by the installation after product install.

Note that C-Cubed products prior to version 7 do not have any configurable encryption built in: for version 6 and prior, all data is passed as clear text in the EBCDIC character set.

Copyright 2010 by C-Cubed Corporation