Interoperability with IBM Host Systems
In most cases, you need to control who can access SNA Server resources in your environment. The method you use to secure those resources depends on your host environment and the types of services you wish to offer your users.
Users or groups who require access to 3270 sessions from workstations using SNA Server Client applications must be members of the SNA Server subdomain. By virtue of their subdomain membership, users and groups are also members of the Windows 2000 domain of which the subdomain is a part. Once users and groups are enrolled in the SNA Server subdomain, you can assign specific 3270 (LU type 2) resources to the appropriate accounts. Users can access only the specific resources you allocate to them.
To maintain security in your environment, it is recommended that you use domain security to authenticate users, and then limit their access by assigning them only specified resources.
Users who want Advanced Peer-to-Peer Communications (APPC) access need not be defined in the SNA Server subdomain, but they must be members of the Windows 2000 domain. For 5250 terminal access using a computer running SNA Server Client software within the network, the AS/400 supplies the required logon security for access to the AS/400. For APPC access programmed into specific applications, security is maintained through the actual programmatic conversation, if required.
TN3270 and TN5250 services are secured by specifying the client workstation IP addresses that have permission to use the resources provided. In the case of TN3270E clients, a workstation name can be specified in place of the client IP address. The method used to verify workstations can also be used to allow only specified IP addresses to request the resources allocated to them.
Access to AS/400 shared folders that are made available to Windows 2000 domain users using the Shared Folders Gateway Service can be controlled by specifying permissions for the resulting shared volumes and files. Permissions are set using the standard Windows 2000 method for local shares.
In some cases, you might want to provide open-ended access to LUs provided by SNA Server. To allow unrestricted access through Windows 2000 domain–authenticated services, you can use the Guest account or the Everyone group account.
To provide access using the Guest account, enable the account in the Windows 2000 domain as described in Windows 2000 Server Help. Add the Guest account to the SNA Server subdomain, and assign LUs to the account.
To provide access using the Everyone account, add the Everyone account to the SNA Server subdomain and assign LUs to the account.
To allow unrestricted access to TN3270 or TN5250 services, you can create LUs without specifying an IP address or workstation name for each.
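Because the open-ended settings described above (LUs assigned to Guest or Everyone, and TN3270 or TN5250 LUs with no IP address or workstation name) are easy to leave in place unintentionally, an inventory review can list them. The following is an added example, not part of the original documentation or of SNA Server: the CSV layout, column names and sample rows are constructed assumptions, not an SNA Server export format.

```python
import csv
import io
import ipaddress

# Constructed inventory in a hypothetical CSV layout (assumption, not a product format).
# service: 3270 = LU assigned to a domain account; TN3270/TN5250 = restricted by client.
SAMPLE_INVENTORY = """\
lu_name,service,account,client_ip,workstation
LU3270A,3270,CORP\\jsmith,,
LU3270B,3270,Guest,,
LU3270C,3270,Everyone,,
TNLU01,TN3270,,192.0.2.15,
TNLU02,TN3270,,,WKSTN042
TNLU03,TN3270,,,
TNLU04,TN5250,,192.0.2.999,
TNLU05,TN5250,,,
"""

OPEN_ACCOUNTS = {"guest", "everyone"}
TN_SERVICES = {"TN3270", "TN5250"}


def audit_lu_inventory(csv_text):
    """Return (lu_name, finding) tuples for LUs whose access is open-ended or mis-specified."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lu = row["lu_name"]
        service = row["service"].strip().upper()
        # Drop any DOMAIN\ prefix so CORP\Guest and Guest compare the same.
        account = row["account"].split("\\")[-1].strip().lower()
        ip = row["client_ip"].strip()
        workstation = row["workstation"].strip()
        if service in TN_SERVICES:
            if not ip and not workstation:
                findings.append((lu, "no client IP address or workstation name: unrestricted"))
            elif ip:
                try:
                    ipaddress.ip_address(ip)
                except ValueError:
                    findings.append((lu, f"client IP address {ip!r} is not valid"))
        elif account in OPEN_ACCOUNTS:
            findings.append((lu, f"assigned to {account.capitalize()}: unrestricted access"))
    return findings


if __name__ == "__main__":
    for lu_name, finding in audit_lu_inventory(SAMPLE_INVENTORY):
        print(f"{lu_name}: {finding}")
```
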