Hi

You will have to enable the security exits (Stage 1 and Stage 2) for option 2. Client authentication is only an added security layer for TLS and enabled within Secure+. It has nothing to do with the actual transfer access required to place files. For this you will need local userids with their respective remote userids defined in the AUTH file.

Regards
Andre

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Gilson Cesar de Oliveira
Sent: Tuesday, November 07, 2023 23:15
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Connect Direct - Authentication using Proxy

Dear list,

We are planning to enable Security in Connect Direct for external partners and we can see, as far as I understood, three options:

1. Enable Security exit and define all the external userids to authenticate using this exit with interface to RACF;
2. Create an internal userid which will be translated using the proxy (AUTH file) and allowing some functions within the Connect Direct (Authorization File). For example, external userid JOHN, when starting a transmission to node CD.NODE.L1 will be "INTUSER" which will have authority in RACF to create a dataset with HLQ=TST.FILE.CPY1
3. Authentication with Certificate and Node. Using this option will allow the user JOHN from node CD.NODE.L1 to be authenticated using the node and the Common Name (CN) defined in the certificate without using userid and password.

For all the options described above, we have some questions:

* Do we need to enable the security exits (Stage 1 and Stage 2) for option 2?
* In option 3, do we need to enable anything other than the configuration in Secure+ to enable Client Auth?
* For option 3, where the authentication is made using node and certificate, can the user transfer files or only submit process?
* For option 3, do we need to define an internal userid through the proxy and allow this userid to create datasets when transmitting data to our internal node?

If someone has any experience with it and could help, I would really appreciate it.

Thanks in advance,
Gilson