A security check can be applied when a request to establish an APPC session is received from, or sent to, a remote system; that is, when the session is bound. This is called bind-time security (or, in SNA terms, session security), and is part of the CICS® implementation of the LU6.2 architecture. Its purpose is to prevent an unauthorized system from binding a session to one of your CICS systems.
Bind-time security is optional in the LU6.2 architecture; you should not specify bind-time security if the remote system does not support it. SNA defines how session security is to be applied, and CICS TS conforms to this architecture. If you want to connect to another system (including CICS systems before CICS/ESA), make sure the other system is also compatible with this architecture.
When you define an LU6.2 connection to a remote system, you assume that all inbound bind requests originate in that remote system, and that all outbound bind requests are routed to the same system. However, where there is a possibility that a transmission line might be switched or broken into, guard against unauthorized session binds by specifying session security at both ends of the connection.
If you have SEC=YES and XAPPC=YES in your SIT, BINDSECURITY(YES) in your CSD connection definition, and BINDSECURITY(YES) also specified for the partner system, CICS attempts bind security validation.
If you have BINDSECURITY(NO), then the SIT specification is immaterial.
SEC value | XAPPC value | BINDSECURITY value | RACF APPCLU profile | Resulting CICS action |
---|---|---|---|---|
YES | YES | YES | Defined (See note 1) | CICS extracts the APPCLU profile from RACF at bind-time to verify the remote system. |
YES | YES | YES | Not defined | CICS is unable to extract the APPCLU profile from RACF and therefore rejects the bind. |
YES | YES | NO | Any value | CICS is unable to validate the bind, and rejects it. |
YES | NO | Any value | Any value | CICS is unable to validate the bind, and rejects it. |
NO | Any value | Any value | Any value | CICS is unable to validate the bind, and rejects it. |
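
The rules above can be checked before deployment. This is an added example, not part of the original page and not IBM-supplied code: a Python audit that cross-checks SIT overrides against DEFINE CONNECTION statements and reports, for each APPC connection, the outcome the table predicts. The sample inputs, the status labels, treating an omitted keyword as not YES, and matching APPCLU profiles by NETNAME alone are assumptions.

```python
import re

# Constructed sample inputs, not taken from the original page.
SIT_OVERRIDES = "APPLID=CICSA,\nSEC=YES,\nXAPPC=YES,\n"
CSD_DEFINES = """\
DEFINE CONNECTION(CICB) GROUP(NETGRP) PROTOCOL(APPC)
       NETNAME(CICSB) BINDSECURITY(YES)
DEFINE CONNECTION(CICC) GROUP(NETGRP) PROTOCOL(APPC)
       NETNAME(CICSC) BINDSECURITY(NO)
DEFINE CONNECTION(CICD) GROUP(NETGRP) PROTOCOL(APPC)
       NETNAME(CICSD) BINDSECURITY(YES)
"""
# Assumption: partner LU names that have an APPCLU profile, from a RACF listing.
APPCLU_PARTNERS = {"CICSB"}

def parse_sit(text):
    """Return SIT overrides as {KEYWORD: VALUE}."""
    return dict(re.findall(r"(\w+)=(\w+)", text.upper()))

def parse_connections(text):
    """Return {connection: {attribute: value}} from DEFINE CONNECTION statements."""
    conns = {}
    for stmt in re.split(r"(?=DEFINE\s+CONNECTION)", text.upper()):
        attrs = dict(re.findall(r"(\w+)\(([^)]*)\)", stmt))
        if "CONNECTION" in attrs:
            conns[attrs.pop("CONNECTION")] = attrs
    return conns

def audit(sit, conns, appclu_partners):
    """Map each APPC connection to the outcome the table gives for its settings."""
    sit_ok = sit.get("SEC") == "YES" and sit.get("XAPPC") == "YES"
    result = {}
    for name, attrs in conns.items():
        if attrs.get("PROTOCOL") != "APPC":
            continue  # bind-time security applies to LU6.2 sessions only
        if attrs.get("BINDSECURITY") != "YES":
            result[name] = "UNPROTECTED"      # SIT settings are immaterial here
        elif not sit_ok:
            result[name] = "CANNOT_VALIDATE"  # SEC or XAPPC is not YES: bind rejected
        elif attrs.get("NETNAME") not in appclu_partners:
            result[name] = "NO_PROFILE"       # profile not defined: bind rejected
        else:
            result[name] = "VERIFIED"         # profile extracted at bind time
    return result

if __name__ == "__main__":
    conns = parse_connections(CSD_DEFINES)
    for name, status in audit(parse_sit(SIT_OVERRIDES), conns, APPCLU_PARTNERS).items():
        print(name, status)
```

Connections reported as UNPROTECTED are the ones where session security has not been specified at this end of the link.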