CONNX Data Integration Suite 14.8.0 | Installation Guide | Installation Steps | Installing Mainframe-Compatible Server | CONNX for VSAM and QSAM | CONNX for VSAM - Started Task/Batch | Uninstalling CONNX Started Task Components | Dataset Security
 
Dataset Security
Default Option
CONNX for VSAM / QSAM / PDS is implemented as a Windows PC client and a set of batch programs, including a Listener (CNXRUNB) and a Server (CNXVSD0B). When a user connects from a client application through a supported interface (ODBC, JDBC, OLE DB or .NET), the client CONNX user ID and password is mapped to a z/OS user ID and password via the CONNX Data Dictionary.
The encrypted user ID and password is sent via TCP/IP to the CONNX TCP/IP Listener program, which decrypts the user ID and password and executes the RACF (Resource Access Control Facility) VERIFY macro. If the user ID and password sent from the CONNX PC client is valid, the Listener program starts the Server program in the Listener started task or batch job address space. Refer to steps 1 through 3 in the figure below. Once started, the Server program sets up a separate TCP/IP connection to the invoking CONNX PC client.
CONNX PC client requests and VSAM / QSAM / PDS data responses flow back and forth directly from the CONNX PC client to the dedicated Server. Refer to steps 4 and 5 in the figure below. For the default case, the host-side RACF dataset security rules defined for the Server user IDs (#1, #2, or #3) determine the type of file access granted to each CONNX PC client.
The default security option observes the host-side security rules defined for user ID and password verification, and per-user ID for VSAM / QSAM / PDS file access. In order for these rules to be enforced, the Listener and Server programs must run from an APF (Authorized Program Facility) load library. The operator command (SETPROG APF) necessary to add the CONNX started task load library to the APF list is documented in the CONNX Installation Guide.
VSAM security / QSAM / PDS security graphic
Alternate Option
The host-side security rules for user ID and password verification and dataset access can be enabled or disabled for CONNX client-server connections via a CONNX environment variable (CNXNOPREAUTHORIZE). Setting CNXNOPREAUTHORIZE to a non-zero value instructs the CONNX VSAM / QSAM / PDS TCP/IP Listener and Server programs to bypass user ID and password verification and file access security checks. Once the Listener program starts a Server program, client requests and VSAM data flow from the CONNX PC client to the Server and back via a dedicated TCP/IP socket connection. In this case, the host-side security rules defined for the Listener user ID (#0) attach to each Server, and determine the type of file access granted to the CONNX PC client.
This security option bypasses the need to execute the CONNX programs from an APF-authorized load library, but all dataset access derives from the single user ID which executes the Listener program as a started task or a batch job. An advantage to this approach is that host-side data set security rules for CONNX PC clients need only be defined for each user ID which starts the Listener program.
VSAM security / QSAM / PDS security graphic on client side
CONNX Client-Side Security Enhances Host-Side Security
For both options, the CONNX Administrator should consider taking advantage of the client-side security features implemented in the CONNX Data Dictionary (CDD). The first line of defense is only to import selected VSAM / QSAM / PDS files into the CDD. In addition, the CONNX Administrator can restrict file access based on CONNX user IDs and groups defined via the security menu features in the CONNX Data Dictionary Manager.
In some cases, a physical VSAM file is composed of multiple logical files or sub-files. The CONNX Data Dictionary Manager can be used to define and enforce security rules based on these logical files, as well as on the underlying physical data sets. Further, column- and row-level security can be implemented by defining one or more CONNX views against the imported VSAM physical or logical files, and by authorizing individual or groups of CONNX user IDs to execute the CONNX client-side views.
Similarly, host-side dataset security rules for PDS (partitioned data set) files are implemented at the dataset level. CONNX client-side security can restrict file access per-PDS member, as well as to specific columns or rows within a PDS member.
The CONNX client-side approach to security complements and enhances most host-side security products, which implement file access rules on a per-physical file basis. In all cases, the security rules defined in the CONNX Data Dictionary take precedence over the host-side security rules. For more information on CONNX client-side security, refer to the Reference Guide.