Dataset Security

CONNX VSAM / QSAM / PDS Host / Client Security Overview

Default Option - Figure #1:

CONNX for VSAM / QSAM / PDS is implemented as a Windows PC client and a set of batch programs, including a Listener (CNXRUNB) and a Server (CNXVSD0B). When a user connects from a client application through a supported interface (ODBC, JDBC, OLE DB or .NET), the client CONNX user ID / password is mapped to an OS/390 / z/OS user ID / password via the CONNX Data Dictionary.

The encrypted user ID / password is sent via TCP/IP to the CONNX TCP/IP Listener program CNXRUNB, which decrypts the user ID / password and executes the RACF (Resource Access Control Facility) VERIFY macro. If the user ID / password sent from the CONNX PC client is valid, program CNXRUNB starts program CNXVSD0B as a subtask in the CNXRUNB started task or batch job address space. Refer to steps 1 through 3 in Figure 1. Once started, program CNXVSD0B sets up a separate TCP/IP connection to the invoking CONNX PC client.

CONNX PC client requests and VSAM / QSAM / PDS data responses flow directly between the CONNX PC client and the dedicated CNXVSD0B subtask. Refer to steps 4 and 5 in Figure 1. For the default case, the host-side RACF dataset security rules defined for the CNXVSD0B subtask user IDs (#1, #2, or #3) determine the type of file access granted to each CONNX PC client.

The default security option observes the host-side security rules defined for user ID / password verification, and the rules defined per user ID for VSAM / QSAM / PDS file access. In order for these rules to be enforced, programs CNXRUNB and CNXVSD0B must run from an APF (Authorized Program Facility) load library. The operator command (SETPROG APF) necessary to add the CONNX started task load library to the APF list is documented in the CONNX Installation Guide.

Alternate Option - Figure #2:

The host-side security rules for user ID / password verification and dataset access can be enabled or disabled for CONNX client-server connections via a CONNX environment variable (CNXNOPREAUTHORIZE). Setting CNXNOPREAUTHORIZE to a non-zero value instructs the CONNX VSAM / QSAM / PDS TCP/IP Listener and Server programs to bypass user ID / password verification and file access security checks.  Once the listener program (CNXRUNB) starts a server program (CNXVSD0B) subtask, client requests and VSAM data flow from the CONNX PC client to the server subtask and back via a dedicated TCP/IP socket connection. In this case, the host-side security rules defined for the CNXRUNB user ID (#0) attach to each CNXVSD0B server subtask, and determine the type of file access granted to the CONNX PC client.

This security option bypasses the need to execute the CONNX programs from an APF-authorized load library, but all dataset access derives from the single user ID which executes listener program CNXRUNB as a started task or a batch job. An advantage to this approach is that host-side data set security rules for CONNX PC clients need only be defined for each user ID which starts program CNXRUNB.
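A configuration check for the two options described above, as an added example that is not CONNX code. It assumes the listener's settings have been exported as NAME=VALUE text lines (the page does not say where CNXNOPREAUTHORIZE is set), and the function names and sample settings are constructed for illustration.

```python
import re

VAR = "CNXNOPREAUTHORIZE"

# Constructed sample settings; the NAME=VALUE layout is an assumption.
SAMPLE_DEFAULT = "* constructed sample\nEXAMPLE_OTHER_SETTING=abc\nCNXNOPREAUTHORIZE=0\n"
SAMPLE_BYPASS = "EXAMPLE_OTHER_SETTING=abc\nCNXNOPREAUTHORIZE=1\n"


def read_values(text, name=VAR):
    """Return every value assigned to `name`, skipping blank and '*' comment lines."""
    values = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == name:
            values.append(value.strip())
    return values


def classify(text):
    """Map the settings to the security option the page describes."""
    values = set(read_values(text))
    if len(values) > 1:
        # Which assignment wins is not documented on the page, so do not guess.
        return {"mode": "review", "reason": "conflicting values %s" % sorted(values)}
    value = values.pop() if values else None
    if value is None or re.fullmatch(r"[+-]?0+", value):
        # Unset or zero: host-side verification and per-user dataset rules apply.
        return {"mode": "default", "apf_required": True,
                "access_decided_by": "per-client host user ID (RACF rules)"}
    if re.fullmatch(r"[+-]?\d+", value):
        # Non-zero: verification is bypassed; every client inherits the listener's access.
        return {"mode": "bypass", "apf_required": False,
                "access_decided_by": "user ID running CNXRUNB"}
    # The page only defines "non-zero value"; anything non-numeric needs a human look.
    return {"mode": "review", "reason": "non-numeric value %r" % value}


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("bypass", SAMPLE_BYPASS)):
        print(label, classify(sample))
```

A "bypass" result means the dataset permissions of the user ID that runs CNXRUNB are the effective host-side permissions of every connecting client, so that user ID's RACF rules are what to review.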

CONNX Client-Side Security Enhances Host-Side Security

For both options, the CONNX Administrator should consider taking advantage of the client-side security features implemented in the CONNX Data Dictionary (CDD). The first line of defense is to import only selected VSAM / QSAM / PDS files into the CDD. Additionally, the CONNX Administrator can restrict file access based on CONNX user IDs and groups defined via the security menu features in the CONNX Data Dictionary Manager.

In some cases, a physical VSAM file is composed of multiple logical files or sub-files. The CONNX Data Dictionary Manager can be used to define and enforce security rules based on these logical files, as well as on the underlying physical data sets. Further, column- and row-level security can be implemented by defining one or more CONNX views against the imported VSAM physical or logical files, and by authorizing individual or groups of CONNX user IDs to execute the CONNX client-side views.

Similarly, host-side dataset security rules for PDS (partitioned data set) files are implemented at the dataset level.  CONNX client-side security can restrict file access per-PDS member, as well as to specific columns or rows within a PDS member.  

The CONNX client-side approach to security complements and enhances most host-side security products, which implement file access rules on a per-physical file basis. In all cases, the security rules defined in the CONNX Data Dictionary take precedence over the host-side security rules. For more information on CONNX client-side security, refer to the CONNX online User Reference Guide.

 

Figure 1: Default option (image: VSAMSecurityQSAMPDS.jpg)

 

Figure 2: Alternate option (image: VSAMSecurityClientSideQSAMPDS.jpg)