Defining profiles in the APPCLU general resource class

If you use bind-time security with LU6.2, you must define profiles in the APPCLU general resource class: the APPCLU resource class is used to verify the identity of APPC partner logical units (LU type 6.2) during VTAM® session establishment.

To do this, take the following steps:
  1. Ask your VTAM system programmer for the following information for each session partner:
    • The network ID and the LU identifiers.
  2. For each pair of session partners, create two profiles in the APPCLU general resource class.
    On one system, enter the following RDEFINE command:
    RDEFINE APPCLU netid1.luid1.luid2 UACC(NONE)
            SESSION(SESSKEY(session-key))
    On the other system, enter the following RDEFINE command:
    RDEFINE APPCLU netid2.luid2.luid1 UACC(NONE)
            SESSION(SESSKEY(session-key))
    where:
    netid1, netid2
    are the network IDs (NETID) of the partners. These IDs are specified on the VTAM start option NETID, which is in the ATCSTRxx member of SYS1.VTAMLST.
    luid1, luid2
    are the LU names of the partners. In each case, the first LU name specified is the local LU name and the second is the remote LU name.
    session-key
    is the 16-hexadecimal-digit or 8-character password that matches the session key of the remote system. Enclose hexadecimal digits in quotes; for example, SESSKEY(X'0123456789ABCDEF').

    You should specify the same session key in both systems: if the session keys do not match, the session cannot be established.

    Although RACF does not require that you specify a session key, CICS will reject the bind if no session key is specified.

  3. Define the attributes of the sessions between the partners of each LU pair. To do this, define a SESSION segment for each APPCLU profile using the SESSION option of the RDEFINE and RALTER commands. You can specify the following information in each SESSION segment:
    CONVSEC
    Specifies the levels of security checking performed for each conversation between the partners of the LU pair. CICS does not use this information; instead it uses the information specified in the ATTACHSEC operand of the CONNECTION definition.
    INTERVAL
    Specifies the maximum number of days the session key is valid before it must be changed.

    You should be aware of the impact this may have on the users at the remote end of the link. If either password expires, the link cannot be established. Depending upon the auditing of the profile records, ICH415I messages may or may not be written out. See Specifying bind-time security for LU6.2. (CICS issues message DFHZC4942 to the CSNE destination when the password has expired.) Ensure that you are aware when a password interval is about to expire so that links do not fail for this reason. CICS does not display messages when the password is about to expire, but it does write records to the SMF log.

    LOCK
    Marks the profile as locked. If the profile is locked, the session does not bind, and CICS issues message DFHZC4941.
    NOLOCK
    Marks the profile as unlocked.
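
The naming rule in step 2 (local LU first, remote LU second, same session key on both sides) can be checked mechanically. The following Python is an added example, not part of the IBM documentation: it builds the two mirrored RDEFINE commands for an LU pair and reports local APPCLU profiles that have no swapped-LU counterpart on the partner system. The function names, the sample names (NETA, CICSA and so on) and the 1-8 character limits on names and character keys are assumptions.

```python
import re

HEX16 = re.compile(r"[0-9A-Fa-f]{16}")
# Assumption: network IDs and LU names are 1-8 character VTAM names.
VTAM_NAME = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")

def sesskey_operand(key):
    """Format a session key: 16 hex digits become X'...', else a short character string."""
    if HEX16.fullmatch(key):
        return "X'%s'" % key.upper()
    # Assumption: character keys are 1-8 ASCII letters or digits.
    if 1 <= len(key) <= 8 and key.isascii() and key.isalnum():
        return key
    raise ValueError("session key must be 16 hex digits or at most 8 characters")

def rdefine_pair(netid1, luid1, netid2, luid2, key, interval=None):
    """Return (command for system 1, command for system 2), both with the same key."""
    for name in (netid1, luid1, netid2, luid2):
        if not VTAM_NAME.fullmatch(name):
            raise ValueError("invalid VTAM name: %r" % name)
    session = "SESSKEY(%s)" % sesskey_operand(key)
    if interval is not None:
        session += " INTERVAL(%d)" % interval
    template = "RDEFINE APPCLU %s.%s.%s UACC(NONE) SESSION(%s)"
    # On each side the local LU name comes first and the remote LU name second.
    return (template % (netid1, luid1, luid2, session),
            template % (netid2, luid2, luid1, session))

def missing_mirrors(local_profiles, partner_profiles):
    """Return local profile names with no swapped-LU profile on the partner system."""
    partner_pairs = set()
    for name in partner_profiles:
        _netid, local_lu, remote_lu = name.split(".")
        partner_pairs.add((local_lu, remote_lu))
    missing = []
    for name in local_profiles:
        _netid, local_lu, remote_lu = name.split(".")
        if (remote_lu, local_lu) not in partner_pairs:
            missing.append(name)
    return missing

# Constructed sample names and key, not taken from any real network.
if __name__ == "__main__":
    for cmd in rdefine_pair("NETA", "CICSA", "NETB", "CICSB", "0123456789ABCDEF", 30):
        print(cmd)
    print(missing_mirrors(["NETA.CICSA.CICSB", "NETA.CICSA.CICSC"], ["NETB.CICSB.CICSA"]))
```
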

For more information about controlling VTAM LU6.2 binds, see the z/OS Security Server RACF Security Administrator's Guide.