> CICS of organization "A" is connected (LU6.2 connection) to CICS of organization "B". No problem with that. I looked into the CDRM and found some other application of organization "B" defined in VTAMLST of organization "A". Tried LOGON APPLID(xxx) and got the GMtran of org. "B" (if it is the default, I can travel in this CICS...). I also reached TSO logon etc.
>
> Now, I want to block (at) org "B" the ability to get to org "A" applications other than the CICS connection that was agreed between org "A" and "B". Is this possible?
>
> I also want to block the ability to enter the LOGON APPLID command (maybe by userid, even if the solution will require entering userid & password). How to achieve that?
>
> What other alternatives are offered to connect to VTAM applications when the USS tab is displayed, other than LOG APPLID and selecting from the USS tab? I mean, is there any bypass to LOG APPLID if blocked?

In general, VTAM security has never been implemented because long ago when it started everyone thought SNA point-to-point lines provided it all. Today almost all the SNA expertise to even attempt it is extinct; education is even lacking. But even for those who have done it, it is only a false sense of security.
Back a few years there was a free VTAM SME exit offered to show you what was coming into your VTAM network from SNI connections. Installed it on the fly and ran it for 2 hours believing little would show; Wrong-O, smart one. It scared us silly. Especially with Hercules and MVS 3.8 VTAM, which works today and can be on the other end, or jumps into the middle of a real connection, it is truly frightful.

So there are companies which offer an SNA firewall (installs dynamically) to truly secure the VTAM SNI connections and let us sleep sound at night. It is imperative the one chosen handles not only SNI but LU6/0/1/2, etc. Another benefit is when you are connected to Company A and also Company B. If they find out about each other, then A can connect to B using your network, saving each the expense of making a separate connection. With the firewall one has the ability to look at the BIND and, even for connections which are approved, it can see the parameters coded and let you know if they are inefficient (working fine but eating your lunch).

Yes, no one would ever run their TCP/IP systems without a firewall, except I am guessing 99%+ of those who have SNA, it never even occurs to them they are highly exposed.

jim

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

