Hi

You will have to enable the security exits (Stage 1 and Stage 2) for option 2.
Client authentication is only an added security layer for TLS and enabled 
within Secure+. It has nothing to do with the actual transfer access required 
to place files. For this you will need local userids with their respective 
remote userids defined in the AUTH file.

Regards
Andre

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Gilson Cesar de Oliveira
Sent: Tuesday, November 07, 2023 23:15
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Connect Direct - Authentication using Proxy


Dear list,

We are planning to enable Security in Connect Direct for external partners
and we can see, as far as I understood, three options:

1. Enable Security exit and define all the external userids to
   authenticate using this exit with interface to RACF;

2. Create an internal userid which will be translated using the proxy
   (AUTH file) and allowing some functions within the Connect Direct
   (Authorization File).

   For example, external userid JOHN, when starting a transmission to node
   CD.NODE.L1 will be "INTUSER" which will have authority in RACF to create
   a dataset with HLQ=TST.FILE.CPY1

3. Authentication with Certificate and Node. Using this option will
   allow the user JOHN from node CD.NODE.L1 to be authenticated using the
   node and the Common Name (CN) defined in the certificate without using
   userid and password.

For all the options described above, we have some questions:

* Do we need to enable the security exits (Stage 1 and Stage 2) for
  option 2?
* In option 3, do we need to enable anything other than the
  configuration in Secure+ to enable Client Auth?
* For option 3, where the authentication is made using node and
  certificate, can the user transfer files or only submit processes?
* For option 3, do we need to define an internal userid through the
  proxy and allow this userid to create datasets when transmitting data to
  our internal node?

If someone has any experience with it and could help, I would really
appreciate it.

Thanks in advance,

Gilson

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
