You can protect individual services from accesses via insecure clients with the help of the encryption functions. A client may only access protected services if it is a trusted client or if it is able to encrypt using the requisite method.
You protect a service by assigning encryption level 2 or 5 to the corresponding service TAC (5 only on Unix, Linux and Windows systems):
TAC ...,ENCRYPTION-LEVEL=2
(encryption according to the AES-CBC algorithm)
TAC ...,ENCRYPTION-LEVEL=5
(encryption according to the AES-GCM algorithm)
If a service is protected in this manner, then the following is true:
A client generated as trusted can start such a service without using encryption.
For non-trusted clients, the service belonging to the transaction code is only started if the client has passed the input message encrypted with the requisite method. Otherwise:
In the case of UPIC clients, conversation establishment is rejected by openUTM.
In the case of VTSU partners, this results in a BADTAC, or message K009 is output.
If the service is called via a transaction code without user data (e.g. for terminal emulations via a function key) or is started due to service chaining, then the service is also started without encryption. openUTM then encrypts all dialog output messages to the client. For multi-step services, openUTM expects all further input messages from the client to be encrypted; if an input message contains unencrypted user data, the service is terminated abnormally.
Encryption is optional when you generate a service TAC as follows (default):
TAC ...,ENCRYPTION-LEVEL=NONE
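The following is an added example, not code from the openUTM documentation or product: it scans constructed KDCDEF TAC statements for their ENCRYPTION-LEVEL, lists the TACs that stay at the default NONE, and models the start rule described above. It assumes one TAC statement per line with the keyword spelled out as on this page, and that an input encrypted at a higher level also satisfies a lower TAC level (an assumption, not stated here).

```python
import re

# Constructed sample of KDCDEF TAC statements (not from a real generation file).
KDCDEF_SAMPLE = """\
TAC PAYMENT,PROGRAM=PAYPU,ENCRYPTION-LEVEL=5
TAC REPORT,PROGRAM=REPPU,ENCRYPTION-LEVEL=2
TAC LOGIN,PROGRAM=LOGPU,ENCRYPTION-LEVEL=NONE
TAC STATUS,PROGRAM=STATPU
"""

# 2 = AES-CBC, 5 = AES-GCM, NONE = encryption optional (the default)
LEVELS = {"NONE": 0, "2": 2, "5": 5}


def parse_tac_levels(text):
    """Return {tacname: numeric level}; a missing operand means NONE."""
    levels = {}
    for line in text.splitlines():
        m = re.match(r"^\s*TAC\s+([^,\s]+)(.*)$", line)
        if not m:
            continue
        name, operands = m.group(1), m.group(2)
        lvl = re.search(r"ENCRYPTION-LEVEL=(NONE|2|5)\b", operands)
        levels[name] = LEVELS[lvl.group(1)] if lvl else 0
    return levels


def unprotected_tacs(levels):
    """Audit helper: TACs that any non-trusted client can start in clear text."""
    return sorted(name for name, lvl in levels.items() if lvl == 0)


def service_starts(tac_level, client_trusted, input_level, without_user_data=False):
    """Model of the rule on this page: a trusted client, or a call without user
    data (function key / service chaining), starts the service without encryption;
    any other client must have encrypted the input message with the requisite
    method. Assumption: a higher input level satisfies a lower TAC level."""
    if tac_level == 0 or client_trusted or without_user_data:
        return True
    return input_level >= tac_level


if __name__ == "__main__":
    levels = parse_tac_levels(KDCDEF_SAMPLE)
    print("TAC levels:", levels)
    print("TACs without encryption protection:", unprotected_tacs(levels))
    print("non-trusted client, AES-CBC input, level-5 TAC:", service_starts(5, False, 2))
```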
Information for encryption on the KDCS program interface
You can also write your own program units that perform an access authorization check. Encryption data is supplied on the program interface with the INIT PU call. The following information is provided:
the encryption levels that are generated for the client and transaction code
whether encryption was negotiated for the conversation
whether the client supports encryption in principle
whether the last input message was encrypted